--- /dev/null
+From 93408f2a45084cd829437e76ca93e3bfc11abdff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2019 16:52:37 -0800
+Subject: drm: limit to INT_MAX in create_blob ioctl
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+[ Upstream commit 5bf8bec3f4ce044a223c40cbce92590d938f0e9c ]
+
+The hardened usercpy code is too paranoid ever since commit 6a30afa8c1fb
+("uaccess: disallow > INT_MAX copy sizes")
+
+Code itself should have been fine as-is.
+
+Link: http://lkml.kernel.org/r/20191106164755.31478-1-daniel.vetter@ffwll.ch
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Reported-by: syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com
+Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes")
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Stephen Rothwell <sfr@canb.auug.org.au>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_property.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c
+index 78e630771214..9decd981d94e 100644
+--- a/drivers/gpu/drm/drm_property.c
++++ b/drivers/gpu/drm/drm_property.c
+@@ -540,7 +540,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length,
+ struct drm_property_blob *blob;
+ int ret;
+
+- if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob))
++ if (!length || length > INT_MAX - sizeof(struct drm_property_blob))
+ return ERR_PTR(-EINVAL);
+
+ blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);
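Review bot: The new `INT_MAX` bound in `drm_property_create_blob()` carries no comment explaining where the limit comes from, so a later reader could widen it back to a `size_t`-derived maximum. Per the commit message the cap exists because the hardened usercopy code rejects copies larger than INT_MAX, not because the allocation arithmetic was wrong. I would add a comment above the check, e.g. `/* uaccess rejects copies > INT_MAX; keep header + length below that */`. The function body continues past the end of the hunk, so how `length` is consumed afterwards cannot be confirmed from here.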
+--
+2.20.1
+
--- /dev/null
+From 7e10875c25468e16b134fbb0b1308e1793a6646f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Oct 2019 10:52:52 +0200
+Subject: drm/nouveau: Move the declaration of struct nouveau_conn_atom up a
+ bit
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 37a68eab4cd92b507c9e8afd760fdc18e4fecac6 ]
+
+Place the declaration of struct nouveau_conn_atom above that of
+struct nouveau_connector. This commit makes no changes to the moved
+block what so ever, it just moves it up a bit.
+
+This is a preparation patch to fix some issues with connector handling
+on pre nv50 displays (which do not use atomic modesetting).
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Lyude Paul <lyude@redhat.com>
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_connector.h | 110 ++++++++++----------
+ 1 file changed, 55 insertions(+), 55 deletions(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.h b/drivers/gpu/drm/nouveau/nouveau_connector.h
+index dc7454e7f19a..b46e99f7641e 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_connector.h
++++ b/drivers/gpu/drm/nouveau/nouveau_connector.h
+@@ -29,6 +29,7 @@
+
+ #include <nvif/notify.h>
+
++#include <drm/drm_crtc.h>
+ #include <drm/drm_edid.h>
+ #include <drm/drm_encoder.h>
+ #include <drm/drm_dp_helper.h>
+@@ -37,6 +38,60 @@
+
+ struct nvkm_i2c_port;
+
++#define nouveau_conn_atom(p) \
++ container_of((p), struct nouveau_conn_atom, state)
++
++struct nouveau_conn_atom {
++ struct drm_connector_state state;
++
++ struct {
++ /* The enum values specifically defined here match nv50/gf119
++ * hw values, and the code relies on this.
++ */
++ enum {
++ DITHERING_MODE_OFF = 0x00,
++ DITHERING_MODE_ON = 0x01,
++ DITHERING_MODE_DYNAMIC2X2 = 0x10 | DITHERING_MODE_ON,
++ DITHERING_MODE_STATIC2X2 = 0x18 | DITHERING_MODE_ON,
++ DITHERING_MODE_TEMPORAL = 0x20 | DITHERING_MODE_ON,
++ DITHERING_MODE_AUTO
++ } mode;
++ enum {
++ DITHERING_DEPTH_6BPC = 0x00,
++ DITHERING_DEPTH_8BPC = 0x02,
++ DITHERING_DEPTH_AUTO
++ } depth;
++ } dither;
++
++ struct {
++ int mode; /* DRM_MODE_SCALE_* */
++ struct {
++ enum {
++ UNDERSCAN_OFF,
++ UNDERSCAN_ON,
++ UNDERSCAN_AUTO,
++ } mode;
++ u32 hborder;
++ u32 vborder;
++ } underscan;
++ bool full;
++ } scaler;
++
++ struct {
++ int color_vibrance;
++ int vibrant_hue;
++ } procamp;
++
++ union {
++ struct {
++ bool dither:1;
++ bool scaler:1;
++ bool procamp:1;
++ };
++ u8 mask;
++ } set;
++};
++
+ struct nouveau_connector {
+ struct drm_connector base;
+ enum dcb_connector_type type;
+@@ -111,61 +166,6 @@ extern int nouveau_ignorelid;
+ extern int nouveau_duallink;
+ extern int nouveau_hdmimhz;
+
+-#include <drm/drm_crtc.h>
+-#define nouveau_conn_atom(p) \
+- container_of((p), struct nouveau_conn_atom, state)
+-
+-struct nouveau_conn_atom {
+- struct drm_connector_state state;
+-
+- struct {
+- /* The enum values specifically defined here match nv50/gf119
+- * hw values, and the code relies on this.
+- */
+- enum {
+- DITHERING_MODE_OFF = 0x00,
+- DITHERING_MODE_ON = 0x01,
+- DITHERING_MODE_DYNAMIC2X2 = 0x10 | DITHERING_MODE_ON,
+- DITHERING_MODE_STATIC2X2 = 0x18 | DITHERING_MODE_ON,
+- DITHERING_MODE_TEMPORAL = 0x20 | DITHERING_MODE_ON,
+- DITHERING_MODE_AUTO
+- } mode;
+- enum {
+- DITHERING_DEPTH_6BPC = 0x00,
+- DITHERING_DEPTH_8BPC = 0x02,
+- DITHERING_DEPTH_AUTO
+- } depth;
+- } dither;
+-
+- struct {
+- int mode; /* DRM_MODE_SCALE_* */
+- struct {
+- enum {
+- UNDERSCAN_OFF,
+- UNDERSCAN_ON,
+- UNDERSCAN_AUTO,
+- } mode;
+- u32 hborder;
+- u32 vborder;
+- } underscan;
+- bool full;
+- } scaler;
+-
+- struct {
+- int color_vibrance;
+- int vibrant_hue;
+- } procamp;
+-
+- union {
+- struct {
+- bool dither:1;
+- bool scaler:1;
+- bool procamp:1;
+- };
+- u8 mask;
+- } set;
+-};
+-
+ void nouveau_conn_attach_properties(struct drm_connector *);
+ void nouveau_conn_reset(struct drm_connector *);
+ struct drm_connector_state *
+--
+2.20.1
+
--- /dev/null
+From e3c9e18ddf02531b59886e59a865b02673511768 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Dec 2019 11:12:13 +0200
+Subject: IB/mlx4: Follow mirror sequence of device add during device removal
+
+From: Parav Pandit <parav@mellanox.com>
+
+[ Upstream commit 89f988d93c62384758b19323c886db917a80c371 ]
+
+Current code device add sequence is:
+
+ib_register_device()
+ib_mad_init()
+init_sriov_init()
+register_netdev_notifier()
+
+Therefore, the remove sequence should be,
+
+unregister_netdev_notifier()
+close_sriov()
+mad_cleanup()
+ib_unregister_device()
+
+However it is not above.
+Hence, make do above remove sequence.
+
+Fixes: fa417f7b520ee ("IB/mlx4: Add support for IBoE")
+Signed-off-by: Parav Pandit <parav@mellanox.com>
+Reviewed-by: Maor Gottlieb <maorg@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Link: https://lore.kernel.org/r/20191212091214.315005-3-leon@kernel.org
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx4/main.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx4/main.c b/drivers/infiniband/hw/mlx4/main.c
+index 0299c0642de8..7e73a1a6cb67 100644
+--- a/drivers/infiniband/hw/mlx4/main.c
++++ b/drivers/infiniband/hw/mlx4/main.c
+@@ -3073,16 +3073,17 @@ static void mlx4_ib_remove(struct mlx4_dev *dev, void *ibdev_ptr)
+ ibdev->ib_active = false;
+ flush_workqueue(wq);
+
+- mlx4_ib_close_sriov(ibdev);
+- mlx4_ib_mad_cleanup(ibdev);
+- ib_unregister_device(&ibdev->ib_dev);
+- mlx4_ib_diag_cleanup(ibdev);
+ if (ibdev->iboe.nb.notifier_call) {
+ if (unregister_netdevice_notifier(&ibdev->iboe.nb))
+ pr_warn("failure unregistering notifier\n");
+ ibdev->iboe.nb.notifier_call = NULL;
+ }
+
++ mlx4_ib_close_sriov(ibdev);
++ mlx4_ib_mad_cleanup(ibdev);
++ ib_unregister_device(&ibdev->ib_dev);
++ mlx4_ib_diag_cleanup(ibdev);
++
+ mlx4_qp_release_range(dev, ibdev->steer_qpn_base,
+ ibdev->steer_qpn_count);
+ kfree(ibdev->ib_uc_qpns_bitmap);
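Review bot: `mlx4_ib_diag_cleanup()` is moved along with the other three calls, but the add and remove sequences in the commit message do not mention the diag counters, so nothing visible here justifies its position after `ib_unregister_device()`. It is worth confirming that diag setup precedes device registration on the add side. Stating the intended order above the block would also stop it drifting again, e.g. `/* Tear down in reverse order of the add path: notifier, SR-IOV, MAD, ib device */`. The body of `mlx4_ib_remove()` starts and ends outside the hunk.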
+--
+2.20.1
+
--- /dev/null
+From 18bad2346349099016ad888c0dd541ac07d1a71f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Dec 2019 09:55:46 +0100
+Subject: iio: adc: max9611: Fix too short conversion time delay
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 9fd229c478fbf77c41c8528aa757ef14210365f6 ]
+
+As of commit b9ddd5091160793e ("iio: adc: max9611: Fix temperature
+reading in probe"), max9611 initialization sometimes fails on the
+Salvator-X(S) development board with:
+
+ max9611 4-007f: Invalid value received from ADC 0x8000: aborting
+ max9611: probe of 4-007f failed with error -5
+
+The max9611 driver tests communications with the chip by reading the die
+temperature during the probe function, which returns an invalid value.
+
+According to the datasheet, the typical ADC conversion time is 2 ms, but
+no minimum or maximum values are provided. Maxim Technical Support
+confirmed this was tested with temperature Ta=25 degreeC, and promised
+to inform me if a maximum/minimum value is available (they didn't get
+back to me, so I assume it is not).
+
+However, the driver assumes a 1 ms conversion time. Usually the
+usleep_range() call returns after more than 1.8 ms, hence it succeeds.
+When it returns earlier, the data register may be read too early, and
+the previous measurement value will be returned. After boot, this is
+the temperature POR (power-on reset) value, causing the failure above.
+
+Fix this by increasing the delay from 1000-2000 µs to 3000-3300 µs.
+
+Note that this issue has always been present, but it was exposed by the
+aformentioned commit.
+
+Fixes: 69780a3bbc0b1e7e ("iio: adc: Add Maxim max9611 ADC driver")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Jacopo Mondi <jacopo+renesas@jmondi.org>
+Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/max9611.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/iio/adc/max9611.c b/drivers/iio/adc/max9611.c
+index 33be07c78b96..8649a61c50bc 100644
+--- a/drivers/iio/adc/max9611.c
++++ b/drivers/iio/adc/max9611.c
+@@ -92,6 +92,12 @@
+ #define MAX9611_TEMP_SCALE_NUM 1000000
+ #define MAX9611_TEMP_SCALE_DIV 2083
+
++/*
++ * Conversion time is 2 ms (typically) at Ta=25 degreeC
++ * No maximum value is known, so play it safe.
++ */
++#define MAX9611_CONV_TIME_US_RANGE 3000, 3300
++
+ struct max9611_dev {
+ struct device *dev;
+ struct i2c_client *i2c_client;
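Review bot: `MAX9611_CONV_TIME_US_RANGE` expands to two comma-separated arguments, which is fragile for a macro: it only works as the complete argument list of a two-argument call, and it hides the arity of `usleep_range()` at the call sites in `max9611_read_single()` and `max9611_init()`. Two named constants read more plainly, `#define MAX9611_CONV_TIME_US_MIN 3000` and `#define MAX9611_CONV_TIME_US_MAX 3300`, with `usleep_range(MAX9611_CONV_TIME_US_MIN, MAX9611_CONV_TIME_US_MAX);` at both callers. In the second hunk the retained comment still speaks of register configuration stabilising and is separated from the sleep by a blank line; it should name the ADC conversion time, which is the reason the commit message gives for the delay.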
+@@ -239,11 +245,9 @@ static int max9611_read_single(struct max9611_dev *max9611,
+ return ret;
+ }
+
+- /*
+- * need a delay here to make register configuration
+- * stabilize. 1 msec at least, from empirical testing.
+- */
+- usleep_range(1000, 2000);
++ /* need a delay here to make register configuration stabilize. */
++
++ usleep_range(MAX9611_CONV_TIME_US_RANGE);
+
+ ret = i2c_smbus_read_word_swapped(max9611->i2c_client, reg_addr);
+ if (ret < 0) {
+@@ -511,7 +515,7 @@ static int max9611_init(struct max9611_dev *max9611)
+ MAX9611_REG_CTRL2, 0);
+ return ret;
+ }
+- usleep_range(1000, 2000);
++ usleep_range(MAX9611_CONV_TIME_US_RANGE);
+
+ return 0;
+ }
+--
+2.20.1
+
--- /dev/null
+From 5666efbb046b1a7b756bfec784d941110ba2b871 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2019 10:42:25 +0800
+Subject: md: raid1: check rdev before reference in raid1_sync_request func
+
+From: Zhiqiang Liu <liuzhiqiang26@huawei.com>
+
+[ Upstream commit 028288df635f5a9addd48ac4677b720192747944 ]
+
+In raid1_sync_request func, rdev should be checked before reference.
+
+Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/raid1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
+index f46ac9db9edb..0a9d623b13c2 100644
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -2749,7 +2749,7 @@ static sector_t raid1_sync_request(struct mddev *mddev, sector_t sector_nr,
+ write_targets++;
+ }
+ }
+- if (bio->bi_end_io) {
++ if (rdev && bio->bi_end_io) {
+ atomic_inc(&rdev->nr_pending);
+ bio->bi_iter.bi_sector = sector_nr + rdev->data_offset;
+ bio_set_dev(bio, rdev->bdev);
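Review bot: With the added `rdev &&` test, a bio that has `bi_end_io` set while `rdev` is NULL is now skipped silently, and the commit message does not say whether that state can actually occur. If it is not expected, it should be made visible rather than masked, for example with `WARN_ON_ONCE(!rdev && bio->bi_end_io);` ahead of the condition. If it is expected, a one-line comment saying when `rdev` is NULL at this point would do. `rdev` is assigned outside the hunk and `raid1_sync_request()` continues on both sides of it, so which case applies cannot be determined from here.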
+--
+2.20.1
+
--- /dev/null
+From a90188b5dc5b5ccd625e5377721fa0a5729757ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2019 20:58:56 -0700
+Subject: net: make socket read/write_iter() honor IOCB_NOWAIT
+
+From: Jens Axboe <axboe@kernel.dk>
+
+[ Upstream commit ebfcd8955c0b52eb793bcbc9e71140e3d0cdb228 ]
+
+The socket read/write helpers only look at the file O_NONBLOCK. not
+the iocb IOCB_NOWAIT flag. This breaks users like preadv2/pwritev2
+and io_uring that rely on not having the file itself marked nonblocking,
+but rather the iocb itself.
+
+Cc: netdev@vger.kernel.org
+Acked-by: David Miller <davem@davemloft.net>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/socket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/socket.c b/net/socket.c
+index aab65277314d..5b134a6b6216 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -891,7 +891,7 @@ static ssize_t sock_read_iter(struct kiocb *iocb, struct iov_iter *to)
+ .msg_iocb = iocb};
+ ssize_t res;
+
+- if (file->f_flags & O_NONBLOCK)
++ if (file->f_flags & O_NONBLOCK || (iocb->ki_flags & IOCB_NOWAIT))
+ msg.msg_flags = MSG_DONTWAIT;
+
+ if (iocb->ki_pos != 0)
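Review bot: The new condition in `sock_read_iter()` parenthesises only its second flag test, leaving `file->f_flags & O_NONBLOCK || (...)` to rely on `&` binding tighter than `||`. The result is correct, but the asymmetry reads like an oversight and commonly draws a compiler or checkpatch-style warning. I would write `if ((file->f_flags & O_NONBLOCK) || (iocb->ki_flags & IOCB_NOWAIT))`. The identical line in the `sock_write_iter()` hunk should get the same treatment.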
+@@ -916,7 +916,7 @@ static ssize_t sock_write_iter(struct kiocb *iocb, struct iov_iter *from)
+ if (iocb->ki_pos != 0)
+ return -ESPIPE;
+
+- if (file->f_flags & O_NONBLOCK)
++ if (file->f_flags & O_NONBLOCK || (iocb->ki_flags & IOCB_NOWAIT))
+ msg.msg_flags = MSG_DONTWAIT;
+
+ if (sock->type == SOCK_SEQPACKET)
+--
+2.20.1
+
--- /dev/null
+From 69df41625cd9eaffc4d75058cdd387752e493dcf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2019 15:15:26 -0800
+Subject: nvme_fc: add module to ops template to allow module references
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit 863fbae929c7a5b64e96b8a3ffb34a29eefb9f8f ]
+
+In nvme-fc: it's possible to have connected active controllers
+and as no references are taken on the LLDD, the LLDD can be
+unloaded. The controller would enter a reconnect state and as
+long as the LLDD resumed within the reconnect timeout, the
+controller would resume. But if a namespace on the controller
+is the root device, allowing the driver to unload can be problematic.
+To reload the driver, it may require new io to the boot device,
+and as it's no longer connected we get into a catch-22 that
+eventually fails, and the system locks up.
+
+Fix this issue by taking a module reference for every connected
+controller (which is what the core layer did to the transport
+module). Reference is cleared when the controller is removed.
+
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/fc.c | 14 ++++++++++++--
+ drivers/nvme/target/fcloop.c | 1 +
+ drivers/scsi/lpfc/lpfc_nvme.c | 2 ++
+ drivers/scsi/qla2xxx/qla_nvme.c | 1 +
+ include/linux/nvme-fc-driver.h | 4 ++++
+ 5 files changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c
+index 058d542647dd..9e4d2ecf736d 100644
+--- a/drivers/nvme/host/fc.c
++++ b/drivers/nvme/host/fc.c
+@@ -337,7 +337,8 @@ nvme_fc_register_localport(struct nvme_fc_port_info *pinfo,
+ !template->ls_req || !template->fcp_io ||
+ !template->ls_abort || !template->fcp_abort ||
+ !template->max_hw_queues || !template->max_sgl_segments ||
+- !template->max_dif_sgl_segments || !template->dma_boundary) {
++ !template->max_dif_sgl_segments || !template->dma_boundary ||
++ !template->module) {
+ ret = -EINVAL;
+ goto out_reghost_failed;
+ }
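Review bot: The added `!template->module` test rejects any template whose module pointer is NULL, but `THIS_MODULE` evaluates to NULL when the LLDD is built into the kernel rather than loaded as a module. With the three templates updated in this patch, a built-in lpfc, qla2xxx or fcloop would then fail `nvme_fc_register_localport()` with -EINVAL. `try_module_get()` and `module_put()` both accept a NULL module, so the reference counting added in `nvme_fc_init_ctrl()` and `nvme_fc_ctrl_free()` does not need this guard. I would drop the clause and let the condition end at `!template->dma_boundary) {`. The function starts and ends outside the hunk.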
+@@ -1762,6 +1763,7 @@ nvme_fc_ctrl_free(struct kref *ref)
+ {
+ struct nvme_fc_ctrl *ctrl =
+ container_of(ref, struct nvme_fc_ctrl, ref);
++ struct nvme_fc_lport *lport = ctrl->lport;
+ unsigned long flags;
+
+ if (ctrl->ctrl.tagset) {
+@@ -1787,6 +1789,7 @@ nvme_fc_ctrl_free(struct kref *ref)
+ if (ctrl->ctrl.opts)
+ nvmf_free_options(ctrl->ctrl.opts);
+ kfree(ctrl);
++ module_put(lport->ops->module);
+ }
+
+ static void
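Review bot: `module_put(lport->ops->module)` dereferences `lport` after the controller has been torn down and freed, and nothing in the two `nvme_fc_ctrl_free()` hunks shows that the lport is still referenced at that point. If the lines between the hunks (not visible here) drop the references the controller was holding, `lport->ops` could be read from freed memory. Reading the module pointer once at the top avoids the question: `struct module *owner = ctrl->lport->ops->module;` in the declarations and `module_put(owner);` as the last statement. The template is static data inside the LLDD, so the pointer itself stays valid for as long as the module reference is held.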
+@@ -2765,10 +2768,15 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts,
+ goto out_fail;
+ }
+
++ if (!try_module_get(lport->ops->module)) {
++ ret = -EUNATCH;
++ goto out_free_ctrl;
++ }
++
+ idx = ida_simple_get(&nvme_fc_ctrl_cnt, 0, 0, GFP_KERNEL);
+ if (idx < 0) {
+ ret = -ENOSPC;
+- goto out_free_ctrl;
++ goto out_mod_put;
+ }
+
+ ctrl->ctrl.opts = opts;
+@@ -2915,6 +2923,8 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts,
+ out_free_ida:
+ put_device(ctrl->dev);
+ ida_simple_remove(&nvme_fc_ctrl_cnt, ctrl->cnum);
++out_mod_put:
++ module_put(lport->ops->module);
+ out_free_ctrl:
+ kfree(ctrl);
+ out_fail:
+diff --git a/drivers/nvme/target/fcloop.c b/drivers/nvme/target/fcloop.c
+index 096523d8dd42..b8fe8702065b 100644
+--- a/drivers/nvme/target/fcloop.c
++++ b/drivers/nvme/target/fcloop.c
+@@ -693,6 +693,7 @@ fcloop_targetport_delete(struct nvmet_fc_target_port *targetport)
+ #define FCLOOP_DMABOUND_4G 0xFFFFFFFF
+
+ static struct nvme_fc_port_template fctemplate = {
++ .module = THIS_MODULE,
+ .localport_delete = fcloop_localport_delete,
+ .remoteport_delete = fcloop_remoteport_delete,
+ .create_queue = fcloop_create_queue,
+diff --git a/drivers/scsi/lpfc/lpfc_nvme.c b/drivers/scsi/lpfc/lpfc_nvme.c
+index fcf4b4175d77..af937b91765e 100644
+--- a/drivers/scsi/lpfc/lpfc_nvme.c
++++ b/drivers/scsi/lpfc/lpfc_nvme.c
+@@ -1591,6 +1591,8 @@ lpfc_nvme_fcp_abort(struct nvme_fc_local_port *pnvme_lport,
+
+ /* Declare and initialization an instance of the FC NVME template. */
+ static struct nvme_fc_port_template lpfc_nvme_template = {
++ .module = THIS_MODULE,
++
+ /* initiator-based functions */
+ .localport_delete = lpfc_nvme_localport_delete,
+ .remoteport_delete = lpfc_nvme_remoteport_delete,
+diff --git a/drivers/scsi/qla2xxx/qla_nvme.c b/drivers/scsi/qla2xxx/qla_nvme.c
+index 6b33a1f24f56..7dceed021236 100644
+--- a/drivers/scsi/qla2xxx/qla_nvme.c
++++ b/drivers/scsi/qla2xxx/qla_nvme.c
+@@ -578,6 +578,7 @@ static void qla_nvme_remoteport_delete(struct nvme_fc_remote_port *rport)
+ }
+
+ static struct nvme_fc_port_template qla_nvme_fc_transport = {
++ .module = THIS_MODULE,
+ .localport_delete = qla_nvme_localport_delete,
+ .remoteport_delete = qla_nvme_remoteport_delete,
+ .create_queue = qla_nvme_alloc_queue,
+diff --git a/include/linux/nvme-fc-driver.h b/include/linux/nvme-fc-driver.h
+index a726f96010d5..e9c3b98df3e2 100644
+--- a/include/linux/nvme-fc-driver.h
++++ b/include/linux/nvme-fc-driver.h
+@@ -279,6 +279,8 @@ struct nvme_fc_remote_port {
+ *
+ * Host/Initiator Transport Entrypoints/Parameters:
+ *
++ * @module: The LLDD module using the interface
++ *
+ * @localport_delete: The LLDD initiates deletion of a localport via
+ * nvme_fc_deregister_localport(). However, the teardown is
+ * asynchronous. This routine is called upon the completion of the
+@@ -392,6 +394,8 @@ struct nvme_fc_remote_port {
+ * Value is Mandatory. Allowed to be zero.
+ */
+ struct nvme_fc_port_template {
++ struct module *module;
++
+ /* initiator-based functions */
+ void (*localport_delete)(struct nvme_fc_local_port *);
+ void (*remoteport_delete)(struct nvme_fc_remote_port *);
+--
+2.20.1
+
--- /dev/null
+From fbe3ea017e744cafc916389045066c98fee3d23d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2019 01:21:31 +0200
+Subject: PM / devfreq: Don't fail devfreq_dev_release if not in list
+
+From: Leonard Crestez <leonard.crestez@nxp.com>
+
+[ Upstream commit 42a6b25e67df6ee6675e8d1eaf18065bd73328ba ]
+
+Right now devfreq_dev_release will print a warning and abort the rest of
+the cleanup if the devfreq instance is not part of the global
+devfreq_list. But this is a valid scenario, for example it can happen if
+the governor can't be found or on any other init error that happens
+after device_register.
+
+Initialize devfreq->node to an empty list head in devfreq_add_device so
+that list_del becomes a safe noop inside devfreq_dev_release and we can
+continue the rest of the cleanup.
+
+Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
+Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
+Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/devfreq/devfreq.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
+index dc9c0032c97b..7b510ef1d0dd 100644
+--- a/drivers/devfreq/devfreq.c
++++ b/drivers/devfreq/devfreq.c
+@@ -484,11 +484,6 @@ static void devfreq_dev_release(struct device *dev)
+ struct devfreq *devfreq = to_devfreq(dev);
+
+ mutex_lock(&devfreq_list_lock);
+- if (IS_ERR(find_device_devfreq(devfreq->dev.parent))) {
+- mutex_unlock(&devfreq_list_lock);
+- dev_warn(&devfreq->dev, "releasing devfreq which doesn't exist\n");
+- return;
+- }
+ list_del(&devfreq->node);
+ mutex_unlock(&devfreq_list_lock);
+
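Review bot: After this change the unconditional `list_del(&devfreq->node)` in `devfreq_dev_release()` is only safe because `devfreq_add_device()` now calls `INIT_LIST_HEAD()` on the node before the release callback can run, and nothing at the call site records that dependency. A future error path that registers the device before the node is initialised would corrupt the list instead of hitting the old warning. I would add a comment above the call, e.g. `/* node is self-linked if never added to devfreq_list, so list_del() is a no-op */`. The rest of the release function lies outside the hunk.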
+@@ -547,6 +542,7 @@ struct devfreq *devfreq_add_device(struct device *dev,
+ devfreq->dev.parent = dev;
+ devfreq->dev.class = devfreq_class;
+ devfreq->dev.release = devfreq_dev_release;
++ INIT_LIST_HEAD(&devfreq->node);
+ devfreq->profile = profile;
+ strncpy(devfreq->governor_name, governor_name, DEVFREQ_NAME_LEN);
+ devfreq->previous_freq = profile->initial_freq;
+--
+2.20.1
+
--- /dev/null
+From 78cc38697c1aae9181f6afb6e615254a5f8f77f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Sep 2019 15:39:12 +0100
+Subject: PM / hibernate: memory_bm_find_bit(): Tighten node optimisation
+
+From: Andy Whitcroft <apw@canonical.com>
+
+[ Upstream commit da6043fe85eb5ec621e34a92540735dcebbea134 ]
+
+When looking for a bit by number we make use of the cached result from the
+preceding lookup to speed up operation. Firstly we check if the requested
+pfn is within the cached zone and if not lookup the new zone. We then
+check if the offset for that pfn falls within the existing cached node.
+This happens regardless of whether the node is within the zone we are
+now scanning. With certain memory layouts it is possible for this to
+false trigger creating a temporary alias for the pfn to a different bit.
+This leads the hibernation code to free memory which it was never allocated
+with the expected fallout.
+
+Ensure the zone we are scanning matches the cached zone before considering
+the cached node.
+
+Deep thanks go to Andrea for many, many, many hours of hacking and testing
+that went into cornering this bug.
+
+Reported-by: Andrea Righi <andrea.righi@canonical.com>
+Tested-by: Andrea Righi <andrea.righi@canonical.com>
+Signed-off-by: Andy Whitcroft <apw@canonical.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/power/snapshot.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c
+index 0972a8e09d08..ff2aabb70de9 100644
+--- a/kernel/power/snapshot.c
++++ b/kernel/power/snapshot.c
+@@ -734,8 +734,15 @@ static int memory_bm_find_bit(struct memory_bitmap *bm, unsigned long pfn,
+ * We have found the zone. Now walk the radix tree to find the leaf node
+ * for our PFN.
+ */
++
++ /*
++ * If the zone we wish to scan is the the current zone and the
++ * pfn falls into the current node then we do not need to walk
++ * the tree.
++ */
+ node = bm->cur.node;
+- if (((pfn - zone->start_pfn) & ~BM_BLOCK_MASK) == bm->cur.node_pfn)
++ if (zone == bm->cur.zone &&
++ ((pfn - zone->start_pfn) & ~BM_BLOCK_MASK) == bm->cur.node_pfn)
+ goto node_found;
+
+ node = zone->rtree;
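Review bot: The added comment contains a doubled word ("the the current zone") and sits directly below the older comment that says to walk the radix tree, so the two now read as contradictory instructions. I would merge them into one comment and fix the wording, starting `If the zone we wish to scan is the current zone and the`. The new `zone == bm->cur.zone` test is only as good as the invariant that `bm->cur.zone`, `bm->cur.node` and `bm->cur.node_pfn` are always updated together; those assignments are outside the hunk, so the comment should say so. Given that the commit message attributes a wrong free to this cache, the invariant deserves to be written down.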
+--
+2.20.1
+
--- /dev/null
+From 0e7c6236880b835e5a2ab6825bf68f63e07ef8fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2019 09:24:26 +0800
+Subject: RDMA/cma: add missed unregister_pernet_subsys in init failure
+
+From: Chuhong Yuan <hslester96@gmail.com>
+
+[ Upstream commit 44a7b6759000ac51b92715579a7bba9e3f9245c2 ]
+
+The driver forgets to call unregister_pernet_subsys() in the error path
+of cma_init().
+Add the missed call to fix it.
+
+Fixes: 4be74b42a6d0 ("IB/cma: Separate port allocation to network namespaces")
+Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
+Reviewed-by: Parav Pandit <parav@mellanox.com>
+Link: https://lore.kernel.org/r/20191206012426.12744-1-hslester96@gmail.com
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/cma.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
+index f698c6a28c14..fc4630e4acdd 100644
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -4568,6 +4568,7 @@ static int __init cma_init(void)
+ unregister_netdevice_notifier(&cma_nb);
+ rdma_addr_unregister_client(&addr_client);
+ ib_sa_unregister_client(&sa_client);
++ unregister_pernet_subsys(&cma_pernet_operations);
+ err_wq:
+ destroy_workqueue(cma_wq);
+ return ret;
+--
+2.20.1
+
--- /dev/null
+From fcd13ed27a0b8c96a0b0e59ddb8c4fe4fdd06a69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Dec 2019 20:03:20 -0600
+Subject: rxe: correctly calculate iCRC for unaligned payloads
+
+From: Steve Wise <larrystevenwise@gmail.com>
+
+[ Upstream commit 2030abddec6884aaf5892f5724c48fc340e6826f ]
+
+If RoCE PDUs being sent or received contain pad bytes, then the iCRC
+is miscalculated, resulting in PDUs being emitted by RXE with an incorrect
+iCRC, as well as ingress PDUs being dropped due to erroneously detecting
+a bad iCRC in the PDU. The fix is to include the pad bytes, if any,
+in iCRC computations.
+
+Note: This bug has caused broken on-the-wire compatibility with actual
+hardware RoCE devices since the soft-RoCE driver was first put into the
+mainstream kernel. Fixing it will create an incompatibility with the
+original soft-RoCE devices, but is necessary to be compatible with real
+hardware devices.
+
+Fixes: 8700e3e7c485 ("Soft RoCE driver")
+Signed-off-by: Steve Wise <larrystevenwise@gmail.com>
+Link: https://lore.kernel.org/r/20191203020319.15036-2-larrystevenwise@gmail.com
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rxe/rxe_recv.c | 2 +-
+ drivers/infiniband/sw/rxe/rxe_req.c | 6 ++++++
+ drivers/infiniband/sw/rxe/rxe_resp.c | 7 +++++++
+ 3 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_recv.c b/drivers/infiniband/sw/rxe/rxe_recv.c
+index 83412df726a5..b7098f7bb30e 100644
+--- a/drivers/infiniband/sw/rxe/rxe_recv.c
++++ b/drivers/infiniband/sw/rxe/rxe_recv.c
+@@ -393,7 +393,7 @@ int rxe_rcv(struct sk_buff *skb)
+
+ calc_icrc = rxe_icrc_hdr(pkt, skb);
+ calc_icrc = rxe_crc32(rxe, calc_icrc, (u8 *)payload_addr(pkt),
+- payload_size(pkt));
++ payload_size(pkt) + bth_pad(pkt));
+ calc_icrc = (__force u32)cpu_to_be32(~calc_icrc);
+ if (unlikely(calc_icrc != pack_icrc)) {
+ if (skb->protocol == htons(ETH_P_IPV6))
+diff --git a/drivers/infiniband/sw/rxe/rxe_req.c b/drivers/infiniband/sw/rxe/rxe_req.c
+index 9fd4f04df3b3..e6785b1ea85f 100644
+--- a/drivers/infiniband/sw/rxe/rxe_req.c
++++ b/drivers/infiniband/sw/rxe/rxe_req.c
+@@ -500,6 +500,12 @@ static int fill_packet(struct rxe_qp *qp, struct rxe_send_wqe *wqe,
+ if (err)
+ return err;
+ }
++ if (bth_pad(pkt)) {
++ u8 *pad = payload_addr(pkt) + paylen;
++
++ memset(pad, 0, bth_pad(pkt));
++ crc = rxe_crc32(rxe, crc, pad, bth_pad(pkt));
++ }
+ }
+ p = payload_addr(pkt) + paylen + bth_pad(pkt);
+
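Review bot: The pad handling added to `fill_packet()` is repeated almost line for line in the `read_reply()` hunk in rxe_resp.c, and each copy calls `bth_pad()` three times. A small static helper taking the packet, the payload length and the running CRC would keep the two transmit paths from diverging, which matters here because the commit message describes a wire-compatibility bug. The `memset()` should also get a why-comment, e.g. `/* pad bytes go on the wire: zero them and cover them in the iCRC */`, since it is presumably also what keeps stale buffer contents out of the packet. The enclosing function begins and ends outside the hunk.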
+diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c
+index 9207682b7a2e..a07a29b48863 100644
+--- a/drivers/infiniband/sw/rxe/rxe_resp.c
++++ b/drivers/infiniband/sw/rxe/rxe_resp.c
+@@ -738,6 +738,13 @@ static enum resp_states read_reply(struct rxe_qp *qp,
+ if (err)
+ pr_err("Failed copying memory\n");
+
++ if (bth_pad(&ack_pkt)) {
++ struct rxe_dev *rxe = to_rdev(qp->ibqp.device);
++ u8 *pad = payload_addr(&ack_pkt) + payload;
++
++ memset(pad, 0, bth_pad(&ack_pkt));
++ icrc = rxe_crc32(rxe, icrc, pad, bth_pad(&ack_pkt));
++ }
+ p = payload_addr(&ack_pkt) + payload + bth_pad(&ack_pkt);
+ *p = ~icrc;
+
+--
+2.20.1
+
--- /dev/null
+From 09efba5c9c53440a33d2ff7bd56b67eeee97f93b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Nov 2019 10:26:41 +0100
+Subject: s390/cpum_sf: Adjust sampling interval to avoid hitting sample limits
+
+From: Thomas Richter <tmricht@linux.ibm.com>
+
+[ Upstream commit 39d4a501a9ef55c57b51e3ef07fc2aeed7f30b3b ]
+
+Function perf_event_ever_overflow() and perf_event_account_interrupt()
+are called every time samples are processed by the interrupt handler.
+However function perf_event_account_interrupt() has checks to avoid being
+flooded with interrupts (more then 1000 samples are received per
+task_tick). Samples are then dropped and a PERF_RECORD_THROTTLED is
+added to the perf data. The perf subsystem limit calculation is:
+
+ maximum sample frequency := 100000 --> 1 samples per 10 us
+ task_tick = 10ms = 10000us --> 1000 samples per task_tick
+
+The work flow is
+
+measurement_alert() uses SDBT head and each SBDT points to 511
+ SDB pages, each with 126 sample entries. After processing 8 SBDs
+ and for each valid sample calling:
+
+ perf_event_overflow()
+ perf_event_account_interrupts()
+
+there is a considerable amount of samples being dropped, especially when
+the sample frequency is very high and near the 100000 limit.
+
+To avoid the high amount of samples being dropped near the end of a
+task_tick time frame, increment the sampling interval in case of
+dropped events. The CPU Measurement sampling facility on the s390
+supports only intervals, specifiing how many CPU cycles have to be
+executed before a sample is generated. Increase the interval when the
+samples being generated hit the task_tick limit.
+
+Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/perf_cpum_sf.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c
+index 45304085b6ee..95c047bf4a12 100644
+--- a/arch/s390/kernel/perf_cpum_sf.c
++++ b/arch/s390/kernel/perf_cpum_sf.c
+@@ -1306,6 +1306,22 @@ static void hw_perf_event_update(struct perf_event *event, int flush_all)
+ if (sampl_overflow)
+ OVERFLOW_REG(hwc) = DIV_ROUND_UP(OVERFLOW_REG(hwc) +
+ sampl_overflow, 1 + num_sdb);
++
++ /* Perf_event_overflow() and perf_event_account_interrupt() limit
++ * the interrupt rate to an upper limit. Roughly 1000 samples per
++ * task tick.
++ * Hitting this limit results in a large number
++ * of throttled REF_REPORT_THROTTLE entries and the samples
++ * are dropped.
++ * Slightly increase the interval to avoid hitting this limit.
++ */
++ if (event_overflow) {
++ SAMPL_RATE(hwc) += DIV_ROUND_UP(SAMPL_RATE(hwc), 10);
++ debug_sprintf_event(sfdbg, 1, "%s: rate adjustment %ld\n",
++ __func__,
++ DIV_ROUND_UP(SAMPL_RATE(hwc), 10));
++ }
++
+ if (sampl_overflow || event_overflow)
+ debug_sprintf_event(sfdbg, 4, "hw_perf_event_update: "
+ "overflow stats: sample=%llu event=%llu\n",
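Review bot: The debug message in the new `if (event_overflow)` block logs `DIV_ROUND_UP(SAMPL_RATE(hwc), 10)` after `SAMPL_RATE(hwc)` has already been increased, so the value printed is a tenth of the new rate rather than the adjustment that was applied. Computing the step once fixes that: `delta = DIV_ROUND_UP(SAMPL_RATE(hwc), 10);`, then `SAMPL_RATE(hwc) += delta;`, and pass `delta` to `debug_sprintf_event()`. The comment names `REF_REPORT_THROTTLE` while the commit message calls the record `PERF_RECORD_THROTTLED`; one of the two is misspelled. The interval also grows by 10% on every overflowing update with no ceiling visible in this hunk, so a cap or a note on why none is needed would help. `hw_perf_event_update()` starts and ends outside the hunk.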
+--
+2.20.1
+
--- /dev/null
+From 4f9e2408246103467b58266776ddfa5285b0e51a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Nov 2019 15:24:25 +0100
+Subject: s390/cpum_sf: Avoid SBD overflow condition in irq handler
+
+From: Thomas Richter <tmricht@linux.ibm.com>
+
+[ Upstream commit 0539ad0b22877225095d8adef0c376f52cc23834 ]
+
+The s390 CPU Measurement sampling facility has an overflow condition
+which fires when all entries in a SBD are used.
+The measurement alert interrupt is triggered and reads out all samples
+in this SDB. It then tests the successor SDB, if this SBD is not full,
+the interrupt handler does not read any samples at all from this SDB
+The design waits for the hardware to fill this SBD and then trigger
+another meassurement alert interrupt.
+
+This scheme works nicely until
+an perf_event_overflow() function call discards the sample due to
+a too high sampling rate.
+The interrupt handler has logic to read out a partially filled SDB
+when the perf event overflow condition in linux common code is met.
+This causes the CPUM sampling measurement hardware and the PMU
+device driver to operate on the same SBD's trailer entry.
+This should not happen.
+
+This can be seen here using this trace:
+ cpumsf_pmu_add: tear:0xb5286000
+ hw_perf_event_update: sdbt 0xb5286000 full 1 over 0 flush_all:0
+ hw_perf_event_update: sdbt 0xb5286008 full 0 over 0 flush_all:0
+ above shows 1. interrupt
+ hw_perf_event_update: sdbt 0xb5286008 full 1 over 0 flush_all:0
+ hw_perf_event_update: sdbt 0xb5286008 full 0 over 0 flush_all:0
+ above shows 2. interrupt
+ ... this goes on fine until...
+ hw_perf_event_update: sdbt 0xb5286068 full 1 over 0 flush_all:0
+ perf_push_sample1: overflow
+ one or more samples read from the IRQ handler are rejected by
+ perf_event_overflow() and the IRQ handler advances to the next SDB
+ and modifies the trailer entry of a partially filled SDB.
+ hw_perf_event_update: sdbt 0xb5286070 full 0 over 0 flush_all:1
+ timestamp: 14:32:52.519953
+
+Next time the IRQ handler is called for this SDB the trailer entry shows
+an overflow count of 19 missed entries.
+ hw_perf_event_update: sdbt 0xb5286070 full 1 over 19 flush_all:1
+ timestamp: 14:32:52.970058
+
+Remove access to a follow on SDB when event overflow happened.
+
+Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/perf_cpum_sf.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c
+index 95c047bf4a12..b652593d7de6 100644
+--- a/arch/s390/kernel/perf_cpum_sf.c
++++ b/arch/s390/kernel/perf_cpum_sf.c
+@@ -1294,12 +1294,6 @@ static void hw_perf_event_update(struct perf_event *event, int flush_all)
+ */
+ if (flush_all && done)
+ break;
+-
+- /* If an event overflow happened, discard samples by
+- * processing any remaining sample-data-blocks.
+- */
+- if (event_overflow)
+- flush_all = 1;
+ }
+
+ /* Account sample overflows in the event hardware structure */
+--
+2.20.1
+
--- /dev/null
+From 3b2b39f7da31939caad9d33fe448d852fe018d0d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2019 12:45:09 +0300
+Subject: scsi: iscsi: qla4xxx: fix double free in probe
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit fee92f25777789d73e1936b91472e9c4644457c8 ]
+
+On this error path we call qla4xxx_mem_free() and then the caller also
+calls qla4xxx_free_adapter() which calls qla4xxx_mem_free(). It leads to a
+couple double frees:
+
+drivers/scsi/qla4xxx/ql4_os.c:8856 qla4xxx_probe_adapter() warn: 'ha->chap_dma_pool' double freed
+drivers/scsi/qla4xxx/ql4_os.c:8856 qla4xxx_probe_adapter() warn: 'ha->fw_ddb_dma_pool' double freed
+
+Fixes: afaf5a2d341d ("[SCSI] Initial Commit of qla4xxx")
+Link: https://lore.kernel.org/r/20191203094421.hw7ex7qr3j2rbsmx@kili.mountain
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla4xxx/ql4_os.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
+index 4421f9bdfcf7..b0ad60565fe9 100644
+--- a/drivers/scsi/qla4xxx/ql4_os.c
++++ b/drivers/scsi/qla4xxx/ql4_os.c
+@@ -4285,7 +4285,6 @@ static int qla4xxx_mem_alloc(struct scsi_qla_host *ha)
+ return QLA_SUCCESS;
+
+ mem_alloc_error_exit:
+- qla4xxx_mem_free(ha);
+ return QLA_ERROR;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 783ba3a800ea73851f553fe2b1255c87b7671743 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2019 09:11:18 +0800
+Subject: scsi: libsas: stop discovering if oob mode is disconnected
+
+From: Jason Yan <yanaijie@huawei.com>
+
+[ Upstream commit f70267f379b5e5e11bdc5d72a56bf17e5feed01f ]
+
+The discovering of sas port is driven by workqueue in libsas. When libsas
+is processing port events or phy events in workqueue, new events may rise
+up and change the state of some structures such as asd_sas_phy. This may
+cause some problems such as follows:
+
+==>thread 1 ==>thread 2
+
+ ==>phy up
+ ==>phy_up_v3_hw()
+ ==>oob_mode = SATA_OOB_MODE;
+ ==>phy down quickly
+ ==>hisi_sas_phy_down()
+ ==>sas_ha->notify_phy_event()
+ ==>sas_phy_disconnected()
+ ==>oob_mode = OOB_NOT_CONNECTED
+==>workqueue wakeup
+==>sas_form_port()
+ ==>sas_discover_domain()
+ ==>sas_get_port_device()
+ ==>oob_mode is OOB_NOT_CONNECTED and device
+ is wrongly taken as expander
+
+This at last lead to the panic when libsas trying to issue a command to
+discover the device.
+
+[183047.614035] Unable to handle kernel NULL pointer dereference at
+virtual address 0000000000000058
+[183047.622896] Mem abort info:
+[183047.625762] ESR = 0x96000004
+[183047.628893] Exception class = DABT (current EL), IL = 32 bits
+[183047.634888] SET = 0, FnV = 0
+[183047.638015] EA = 0, S1PTW = 0
+[183047.641232] Data abort info:
+[183047.644189] ISV = 0, ISS = 0x00000004
+[183047.648100] CM = 0, WnR = 0
+[183047.651145] user pgtable: 4k pages, 48-bit VAs, pgdp =
+00000000b7df67be
+[183047.657834] [0000000000000058] pgd=0000000000000000
+[183047.662789] Internal error: Oops: 96000004 [#1] SMP
+[183047.667740] Process kworker/u16:2 (pid: 31291, stack limit =
+0x00000000417c4974)
+[183047.675208] CPU: 0 PID: 3291 Comm: kworker/u16:2 Tainted: G
+W OE 4.19.36-vhulk1907.1.0.h410.eulerosv2r8.aarch64 #1
+[183047.687015] Hardware name: N/A N/A/Kunpeng Desktop Board D920S10,
+BIOS 0.15 10/22/2019
+[183047.695007] Workqueue: 0000:74:02.0_disco_q sas_discover_domain
+[183047.700999] pstate: 20c00009 (nzCv daif +PAN +UAO)
+[183047.705864] pc : prep_ata_v3_hw+0xf8/0x230 [hisi_sas_v3_hw]
+[183047.711510] lr : prep_ata_v3_hw+0xb0/0x230 [hisi_sas_v3_hw]
+[183047.717153] sp : ffff00000f28ba60
+[183047.720541] x29: ffff00000f28ba60 x28: ffff8026852d7228
+[183047.725925] x27: ffff8027dba3e0a8 x26: ffff8027c05fc200
+[183047.731310] x25: 0000000000000000 x24: ffff8026bafa8dc0
+[183047.736695] x23: ffff8027c05fc218 x22: ffff8026852d7228
+[183047.742079] x21: ffff80007c2f2940 x20: ffff8027c05fc200
+[183047.747464] x19: 0000000000f80800 x18: 0000000000000010
+[183047.752848] x17: 0000000000000000 x16: 0000000000000000
+[183047.758232] x15: ffff000089a5a4ff x14: 0000000000000005
+[183047.763617] x13: ffff000009a5a50e x12: ffff8026bafa1e20
+[183047.769001] x11: ffff0000087453b8 x10: ffff00000f28b870
+[183047.774385] x9 : 0000000000000000 x8 : ffff80007e58f9b0
+[183047.779770] x7 : 0000000000000000 x6 : 000000000000003f
+[183047.785154] x5 : 0000000000000040 x4 : ffffffffffffffe0
+[183047.790538] x3 : 00000000000000f8 x2 : 0000000002000007
+[183047.795922] x1 : 0000000000000008 x0 : 0000000000000000
+[183047.801307] Call trace:
+[183047.803827] prep_ata_v3_hw+0xf8/0x230 [hisi_sas_v3_hw]
+[183047.809127] hisi_sas_task_prep+0x750/0x888 [hisi_sas_main]
+[183047.814773] hisi_sas_task_exec.isra.7+0x88/0x1f0 [hisi_sas_main]
+[183047.820939] hisi_sas_queue_command+0x28/0x38 [hisi_sas_main]
+[183047.826757] smp_execute_task_sg+0xec/0x218
+[183047.831013] smp_execute_task+0x74/0xa0
+[183047.834921] sas_discover_expander.part.7+0x9c/0x5f8
+[183047.839959] sas_discover_root_expander+0x90/0x160
+[183047.844822] sas_discover_domain+0x1b8/0x1e8
+[183047.849164] process_one_work+0x1b4/0x3f8
+[183047.853246] worker_thread+0x54/0x470
+[183047.856981] kthread+0x134/0x138
+[183047.860283] ret_from_fork+0x10/0x18
+[183047.863931] Code: f9407a80 528000e2 39409281 72a04002 (b9405800)
+[183047.870097] kernel fault(0x1) notification starting on CPU 0
+[183047.875828] kernel fault(0x1) notification finished on CPU 0
+[183047.881559] Modules linked in: unibsp(OE) hns3(OE) hclge(OE)
+hnae3(OE) mem_drv(OE) hisi_sas_v3_hw(OE) hisi_sas_main(OE)
+[183047.892418] ---[ end trace 4cc26083fc11b783 ]---
+[183047.897107] Kernel panic - not syncing: Fatal exception
+[183047.902403] kernel fault(0x5) notification starting on CPU 0
+[183047.908134] kernel fault(0x5) notification finished on CPU 0
+[183047.913865] SMP: stopping secondary CPUs
+[183047.917861] Kernel Offset: disabled
+[183047.921422] CPU features: 0x2,a2a00a38
+[183047.925243] Memory Limit: none
+[183047.928372] kernel reboot(0x2) notification starting on CPU 0
+[183047.934190] kernel reboot(0x2) notification finished on CPU 0
+[183047.940008] ---[ end Kernel panic - not syncing: Fatal exception
+]---
+
+Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
+Link: https://lore.kernel.org/r/20191206011118.46909-1-yanaijie@huawei.com
+Reported-by: Gao Chuan <gaochuan4@huawei.com>
+Reviewed-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Jason Yan <yanaijie@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/libsas/sas_discover.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/libsas/sas_discover.c b/drivers/scsi/libsas/sas_discover.c
+index 60de66252fa2..b200edc665a5 100644
+--- a/drivers/scsi/libsas/sas_discover.c
++++ b/drivers/scsi/libsas/sas_discover.c
+@@ -97,12 +97,21 @@ static int sas_get_port_device(struct asd_sas_port *port)
+ else
+ dev->dev_type = SAS_SATA_DEV;
+ dev->tproto = SAS_PROTOCOL_SATA;
+- } else {
++ } else if (port->oob_mode == SAS_OOB_MODE) {
+ struct sas_identify_frame *id =
+ (struct sas_identify_frame *) dev->frame_rcvd;
+ dev->dev_type = id->dev_type;
+ dev->iproto = id->initiator_bits;
+ dev->tproto = id->target_bits;
++ } else {
++ /* If the oob mode is OOB_NOT_CONNECTED, the port is
++ * disconnected due to race with PHY down. We cannot
++ * continue to discover this port
++ */
++ sas_put_device(dev);
++ pr_warn("Port %016llx is disconnected when discovering\n",
++ SAS_ADDR(port->attached_sas_addr));
++ return -ENODEV;
+ }
+
+ sas_init_dev(dev);
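Review bot: `port->oob_mode` is read again in the new `else if (port->oob_mode == SAS_OOB_MODE)` after the test on the branch above (presumably the SATA check), and the commit message describes another thread rewriting that field while discovery runs, so the two tests can see different values within one call. Reading it once into a local, `enum sas_oob_mode mode = READ_ONCE(port->oob_mode);`, and testing `mode` in every branch would make the SATA/SAS/disconnected decision consistent. The first branch's condition and any locking around it are outside the hunk, so this assumes no lock already serialises the field. The new comment names only OOB_NOT_CONNECTED, while the `else` takes every value that is neither SATA nor SAS; wording such as `/* Neither SATA nor SAS OOB mode: the port was disconnected by a racing PHY down, stop discovery */` would match the code.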
+--
+2.20.1
+
--- /dev/null
+From 0728be1910195a2f4abaebc43ef783f2ffba5e09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Dec 2019 03:22:46 +0000
+Subject: scsi: lpfc: Fix memory leak on lpfc_bsg_write_ebuf_set func
+
+From: Bo Wu <wubo40@huawei.com>
+
+[ Upstream commit 9a1b0b9a6dab452fb0e39fe96880c4faf3878369 ]
+
+When phba->mbox_ext_buf_ctx.seqNum != phba->mbox_ext_buf_ctx.numBuf,
+dd_data should be freed before return SLI_CONFIG_HANDLED.
+
+When lpfc_sli_issue_mbox func return fails, pmboxq should be also freed in
+job_error tag.
+
+Link: https://lore.kernel.org/r/EDBAAA0BBBA2AC4E9C8B6B81DEEE1D6915E7A966@DGGEML525-MBS.china.huawei.com
+Signed-off-by: Bo Wu <wubo40@huawei.com>
+Reviewed-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
+Reviewed-by: James Smart <james.smart@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_bsg.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_bsg.c b/drivers/scsi/lpfc/lpfc_bsg.c
+index 6dde21dc82a3..08ed27b0d4c6 100644
+--- a/drivers/scsi/lpfc/lpfc_bsg.c
++++ b/drivers/scsi/lpfc/lpfc_bsg.c
+@@ -4419,12 +4419,6 @@ lpfc_bsg_write_ebuf_set(struct lpfc_hba *phba, struct bsg_job *job,
+ phba->mbox_ext_buf_ctx.seqNum++;
+ nemb_tp = phba->mbox_ext_buf_ctx.nembType;
+
+- dd_data = kmalloc(sizeof(struct bsg_job_data), GFP_KERNEL);
+- if (!dd_data) {
+- rc = -ENOMEM;
+- goto job_error;
+- }
+-
+ pbuf = (uint8_t *)dmabuf->virt;
+ size = job->request_payload.payload_len;
+ sg_copy_to_buffer(job->request_payload.sg_list,
+@@ -4461,6 +4455,13 @@ lpfc_bsg_write_ebuf_set(struct lpfc_hba *phba, struct bsg_job *job,
+ "2968 SLI_CONFIG ext-buffer wr all %d "
+ "ebuffers received\n",
+ phba->mbox_ext_buf_ctx.numBuf);
++
++ dd_data = kmalloc(sizeof(struct bsg_job_data), GFP_KERNEL);
++ if (!dd_data) {
++ rc = -ENOMEM;
++ goto job_error;
++ }
++
+ /* mailbox command structure for base driver */
+ pmboxq = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL);
+ if (!pmboxq) {
+@@ -4509,6 +4510,8 @@ lpfc_bsg_write_ebuf_set(struct lpfc_hba *phba, struct bsg_job *job,
+ return SLI_CONFIG_HANDLED;
+
+ job_error:
++ if (pmboxq)
++ mempool_free(pmboxq, phba->mbox_mem_pool);
+ lpfc_bsg_dma_page_free(phba, dmabuf);
+ kfree(dd_data);
+
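Review bot: The `job_error` label now tests `pmboxq` and still calls `kfree(dd_data)`, but after this patch the `goto job_error` taken when the `dd_data` kmalloc fails (second hunk) runs before `pmboxq` is assigned. Any earlier jump to the label would also arrive before `dd_data` is allocated. Both frees are safe only if the declarations, which are outside these hunks, initialise the pointers to NULL (`dd_data = NULL`, `pmboxq = NULL`); please confirm or add the initialisers. It is also worth confirming that no completion path can release the same `pmboxq` once lpfc_sli_issue_mbox() has reported failure, since the label would then free it a second time.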
+--
+2.20.1
+
--- /dev/null
+From 3697149a72bee14bb2a12654709abc01de327b75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Nov 2019 19:56:56 +0300
+Subject: scsi: qla2xxx: Don't call qlt_async_event twice
+
+From: Roman Bolshakov <r.bolshakov@yadro.com>
+
+[ Upstream commit 2c2f4bed9b6299e6430a65a29b5d27b8763fdf25 ]
+
+MBA_PORT_UPDATE generates duplicate log lines in target mode because
+qlt_async_event is called twice. Drop the calls within the case as the
+function will be called right after the switch statement.
+
+Cc: Quinn Tran <qutran@marvell.com>
+Link: https://lore.kernel.org/r/20191125165702.1013-8-r.bolshakov@yadro.com
+Acked-by: Himanshu Madhani <hmadhani@marvel.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Tested-by: Hannes Reinecke <hare@suse.de>
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_isr.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
+index ebca1a470e9b..7f2da56274bd 100644
+--- a/drivers/scsi/qla2xxx/qla_isr.c
++++ b/drivers/scsi/qla2xxx/qla_isr.c
+@@ -1046,8 +1046,6 @@ qla2x00_async_event(scsi_qla_host_t *vha, struct rsp_que *rsp, uint16_t *mb)
+ ql_dbg(ql_dbg_async, vha, 0x5011,
+ "Asynchronous PORT UPDATE ignored %04x/%04x/%04x.\n",
+ mb[1], mb[2], mb[3]);
+-
+- qlt_async_event(mb[0], vha, mb);
+ break;
+ }
+
+@@ -1065,8 +1063,6 @@ qla2x00_async_event(scsi_qla_host_t *vha, struct rsp_que *rsp, uint16_t *mb)
+ set_bit(LOOP_RESYNC_NEEDED, &vha->dpc_flags);
+ set_bit(LOCAL_LOOP_UPDATE, &vha->dpc_flags);
+ set_bit(VP_CONFIG_OK, &vha->vp_flags);
+-
+- qlt_async_event(mb[0], vha, mb);
+ break;
+
+ case MBA_RSCN_UPDATE: /* State Change Registration */
+--
+2.20.1
+
--- /dev/null
+nvme_fc-add-module-to-ops-template-to-allow-module-r.patch
+iio-adc-max9611-fix-too-short-conversion-time-delay.patch
+pm-devfreq-don-t-fail-devfreq_dev_release-if-not-in-.patch
+rdma-cma-add-missed-unregister_pernet_subsys-in-init.patch
+rxe-correctly-calculate-icrc-for-unaligned-payloads.patch
+scsi-lpfc-fix-memory-leak-on-lpfc_bsg_write_ebuf_set.patch
+scsi-qla2xxx-don-t-call-qlt_async_event-twice.patch
+scsi-iscsi-qla4xxx-fix-double-free-in-probe.patch
+scsi-libsas-stop-discovering-if-oob-mode-is-disconne.patch
+drm-nouveau-move-the-declaration-of-struct-nouveau_c.patch
+usb-gadget-fix-wrong-endpoint-desc.patch
+net-make-socket-read-write_iter-honor-iocb_nowait.patch
+md-raid1-check-rdev-before-reference-in-raid1_sync_r.patch
+s390-cpum_sf-adjust-sampling-interval-to-avoid-hitti.patch
+s390-cpum_sf-avoid-sbd-overflow-condition-in-irq-han.patch
+ib-mlx4-follow-mirror-sequence-of-device-add-during-.patch
+xen-blkback-prevent-premature-module-unload.patch
+xen-balloon-fix-ballooned-page-accounting-without-ho.patch
+pm-hibernate-memory_bm_find_bit-tighten-node-optimis.patch
+xfs-fix-mount-failure-crash-on-invalid-iclog-memory-.patch
+taskstats-fix-data-race.patch
+drm-limit-to-int_max-in-create_blob-ioctl.patch
--- /dev/null
+From bacf5435a2b1423405902c00da516bea9436bf67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2019 13:48:09 +0200
+Subject: taskstats: fix data-race
+
+From: Christian Brauner <christian.brauner@ubuntu.com>
+
+[ Upstream commit 0b8d616fb5a8ffa307b1d3af37f55c15dae14f28 ]
+
+When assiging and testing taskstats in taskstats_exit() there's a race
+when setting up and reading sig->stats when a thread-group with more
+than one thread exits:
+
+write to 0xffff8881157bbe10 of 8 bytes by task 7951 on cpu 0:
+ taskstats_tgid_alloc kernel/taskstats.c:567 [inline]
+ taskstats_exit+0x6b7/0x717 kernel/taskstats.c:596
+ do_exit+0x2c2/0x18e0 kernel/exit.c:864
+ do_group_exit+0xb4/0x1c0 kernel/exit.c:983
+ get_signal+0x2a2/0x1320 kernel/signal.c:2734
+ do_signal+0x3b/0xc00 arch/x86/kernel/signal.c:815
+ exit_to_usermode_loop+0x250/0x2c0 arch/x86/entry/common.c:159
+ prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
+ syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
+ do_syscall_64+0x2d7/0x2f0 arch/x86/entry/common.c:299
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+read to 0xffff8881157bbe10 of 8 bytes by task 7949 on cpu 1:
+ taskstats_tgid_alloc kernel/taskstats.c:559 [inline]
+ taskstats_exit+0xb2/0x717 kernel/taskstats.c:596
+ do_exit+0x2c2/0x18e0 kernel/exit.c:864
+ do_group_exit+0xb4/0x1c0 kernel/exit.c:983
+ __do_sys_exit_group kernel/exit.c:994 [inline]
+ __se_sys_exit_group kernel/exit.c:992 [inline]
+ __x64_sys_exit_group+0x2e/0x30 kernel/exit.c:992
+ do_syscall_64+0xcf/0x2f0 arch/x86/entry/common.c:296
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fix this by using smp_load_acquire() and smp_store_release().
+
+Reported-by: syzbot+c5d03165a1bd1dead0c1@syzkaller.appspotmail.com
+Fixes: 34ec12349c8a ("taskstats: cleanup ->signal->stats allocation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+Acked-by: Marco Elver <elver@google.com>
+Reviewed-by: Will Deacon <will@kernel.org>
+Reviewed-by: Andrea Parri <parri.andrea@gmail.com>
+Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
+Link: https://lore.kernel.org/r/20191009114809.8643-1-christian.brauner@ubuntu.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/taskstats.c | 30 +++++++++++++++++++-----------
+ 1 file changed, 19 insertions(+), 11 deletions(-)
+
+diff --git a/kernel/taskstats.c b/kernel/taskstats.c
+index 4559e914452b..390c76d4503c 100644
+--- a/kernel/taskstats.c
++++ b/kernel/taskstats.c
+@@ -568,25 +568,33 @@ static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info)
+ static struct taskstats *taskstats_tgid_alloc(struct task_struct *tsk)
+ {
+ struct signal_struct *sig = tsk->signal;
+- struct taskstats *stats;
++ struct taskstats *stats_new, *stats;
+
+- if (sig->stats || thread_group_empty(tsk))
+- goto ret;
++ /* Pairs with smp_store_release() below. */
++ stats = smp_load_acquire(&sig->stats);
++ if (stats || thread_group_empty(tsk))
++ return stats;
+
+ /* No problem if kmem_cache_zalloc() fails */
+- stats = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL);
++ stats_new = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL);
+
+ spin_lock_irq(&tsk->sighand->siglock);
+- if (!sig->stats) {
+- sig->stats = stats;
+- stats = NULL;
++ stats = sig->stats;
++ if (!stats) {
++ /*
++ * Pairs with smp_store_release() above and order the
++ * kmem_cache_zalloc().
++ */
++ smp_store_release(&sig->stats, stats_new);
++ stats = stats_new;
++ stats_new = NULL;
+ }
+ spin_unlock_irq(&tsk->sighand->siglock);
+
+- if (stats)
+- kmem_cache_free(taskstats_cache, stats);
+-ret:
+- return sig->stats;
++ if (stats_new)
++ kmem_cache_free(taskstats_cache, stats_new);
++
++ return stats;
+ }
+
+ /* Send pid data out on exit */
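Review bot: The comment above `smp_store_release(&sig->stats, stats_new)` says it pairs with `smp_store_release() above`, but the operation above is the `smp_load_acquire(&sig->stats)` on the lockless fast path. Suggested wording: `/* Pairs with smp_load_acquire() above; orders the kmem_cache_zalloc() initialisation before the pointer is published. */`. The pairing comment is the only place the reader side of this barrier is named, so it should point at the right primitive.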
+--
+2.20.1
+
--- /dev/null
+From dab76427ac2cf1a7528fe926a7b13f59b900610a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2019 23:34:56 -0800
+Subject: usb: gadget: fix wrong endpoint desc
+
+From: EJ Hsu <ejh@nvidia.com>
+
+[ Upstream commit e5b5da96da50ef30abb39cb9f694e99366404d24 ]
+
+Gadget driver should always use config_ep_by_speed() to initialize
+usb_ep struct according to usb device's operating speed. Otherwise,
+usb_ep struct may be wrong if usb devcie's operating speed is changed.
+
+The key point in this patch is that we want to make sure the desc pointer
+in usb_ep struct will be set to NULL when gadget is disconnected.
+This will force it to call config_ep_by_speed() to correctly initialize
+usb_ep struct based on the new operating speed when gadget is
+re-connected later.
+
+Reviewed-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: EJ Hsu <ejh@nvidia.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_ecm.c | 6 +++++-
+ drivers/usb/gadget/function/f_rndis.c | 1 +
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/function/f_ecm.c b/drivers/usb/gadget/function/f_ecm.c
+index 4c488d15b6f6..dc99ed94f03d 100644
+--- a/drivers/usb/gadget/function/f_ecm.c
++++ b/drivers/usb/gadget/function/f_ecm.c
+@@ -625,8 +625,12 @@ static void ecm_disable(struct usb_function *f)
+
+ DBG(cdev, "ecm deactivated\n");
+
+- if (ecm->port.in_ep->enabled)
++ if (ecm->port.in_ep->enabled) {
+ gether_disconnect(&ecm->port);
++ } else {
++ ecm->port.in_ep->desc = NULL;
++ ecm->port.out_ep->desc = NULL;
++ }
+
+ usb_ep_disable(ecm->notify);
+ ecm->notify->desc = NULL;
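Review bot: The new `else` branch in ecm_disable() clears `in_ep->desc` and `out_ep->desc` without a comment, and the reason is given only in the commit message. A one-line comment such as `/* data endpoints not enabled: drop stale descriptors so config_ep_by_speed() runs again on reconnect */` would keep the intent next to the code. The branch also keys both endpoints off `in_ep->enabled` alone, which presumably relies on the two data endpoints always being enabled and disabled together; that assumption is not visible in the hunk.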
+diff --git a/drivers/usb/gadget/function/f_rndis.c b/drivers/usb/gadget/function/f_rndis.c
+index c7c5b3ce1d98..2bde68f5d246 100644
+--- a/drivers/usb/gadget/function/f_rndis.c
++++ b/drivers/usb/gadget/function/f_rndis.c
+@@ -622,6 +622,7 @@ static void rndis_disable(struct usb_function *f)
+ gether_disconnect(&rndis->port);
+
+ usb_ep_disable(rndis->notify);
++ rndis->notify->desc = NULL;
+ }
+
+ /*-------------------------------------------------------------------------*/
+--
+2.20.1
+
--- /dev/null
+From 1208620481a18b7f28a3d0d8b617abc060dc7ba2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Dec 2019 15:17:50 +0100
+Subject: xen/balloon: fix ballooned page accounting without hotplug enabled
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit c673ec61ade89bf2f417960f986bc25671762efb ]
+
+When CONFIG_XEN_BALLOON_MEMORY_HOTPLUG is not defined
+reserve_additional_memory() will set balloon_stats.target_pages to a
+wrong value in case there are still some ballooned pages allocated via
+alloc_xenballooned_pages().
+
+This will result in balloon_process() no longer be triggered when
+ballooned pages are freed in batches.
+
+Reported-by: Nicholas Tsirakis <niko.tsirakis@gmail.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/balloon.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
+index 71a6deeb4e71..3f9260af701f 100644
+--- a/drivers/xen/balloon.c
++++ b/drivers/xen/balloon.c
+@@ -401,7 +401,8 @@ static struct notifier_block xen_memory_nb = {
+ #else
+ static enum bp_state reserve_additional_memory(void)
+ {
+- balloon_stats.target_pages = balloon_stats.current_pages;
++ balloon_stats.target_pages = balloon_stats.current_pages +
++ balloon_stats.target_unpopulated;
+ return BP_ECANCELED;
+ }
+ #endif /* CONFIG_XEN_BALLOON_MEMORY_HOTPLUG */
+--
+2.20.1
+
--- /dev/null
+From d6cc178ef07fbe7b748240bf31b0de7cd35c0e24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2019 14:53:05 +0000
+Subject: xen-blkback: prevent premature module unload
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paul Durrant <pdurrant@amazon.com>
+
+[ Upstream commit fa2ac657f9783f0891b2935490afe9a7fd29d3fa ]
+
+Objects allocated by xen_blkif_alloc come from the 'blkif_cache' kmem
+cache. This cache is destoyed when xen-blkif is unloaded so it is
+necessary to wait for the deferred free routine used for such objects to
+complete. This necessity was missed in commit 14855954f636 "xen-blkback:
+allow module to be cleanly unloaded". This patch fixes the problem by
+taking/releasing extra module references in xen_blkif_alloc/free()
+respectively.
+
+Signed-off-by: Paul Durrant <pdurrant@amazon.com>
+Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/xen-blkback/xenbus.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/block/xen-blkback/xenbus.c b/drivers/block/xen-blkback/xenbus.c
+index ed4e80779124..e9fa4a1fc791 100644
+--- a/drivers/block/xen-blkback/xenbus.c
++++ b/drivers/block/xen-blkback/xenbus.c
+@@ -178,6 +178,15 @@ static struct xen_blkif *xen_blkif_alloc(domid_t domid)
+ blkif->domid = domid;
+ atomic_set(&blkif->refcnt, 1);
+ init_completion(&blkif->drain_complete);
++
++ /*
++ * Because freeing back to the cache may be deferred, it is not
++ * safe to unload the module (and hence destroy the cache) until
++ * this has completed. To prevent premature unloading, take an
++ * extra module reference here and release only when the object
++ * has been freed back to the cache.
++ */
++ __module_get(THIS_MODULE);
+ INIT_WORK(&blkif->free_work, xen_blkif_deferred_free);
+
+ return blkif;
+@@ -327,6 +336,7 @@ static void xen_blkif_free(struct xen_blkif *blkif)
+
+ /* Make sure everything is drained before shutting down */
+ kmem_cache_free(xen_blkif_cachep, blkif);
++ module_put(THIS_MODULE);
+ }
+
+ int __init xen_blkif_interface_init(void)
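Review bot: `module_put(THIS_MODULE)` at the end of xen_blkif_free() drops the reference while module code is still executing, because the return from this function and from `xen_blkif_deferred_free` still runs from module text. If that was the last reference, an unload can proceed in that window unless the module exit path waits for the free work to finish; that path is outside the hunk, so please confirm it flushes the work before the cache is destroyed. In xen_blkif_alloc(), `__module_get()` does not check module state the way `try_module_get()` does, which is fine only if allocation can never run while the module is going away.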
+--
+2.20.1
+
--- /dev/null
+From 1b48cb08761721f9f0dd662351c14d6d19e55746 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2019 07:53:15 -0800
+Subject: xfs: fix mount failure crash on invalid iclog memory access
+
+From: Brian Foster <bfoster@redhat.com>
+
+[ Upstream commit 798a9cada4694ca8d970259f216cec47e675bfd5 ]
+
+syzbot (via KASAN) reports a use-after-free in the error path of
+xlog_alloc_log(). Specifically, the iclog freeing loop doesn't
+handle the case of a fully initialized ->l_iclog linked list.
+Instead, it assumes that the list is partially constructed and NULL
+terminated.
+
+This bug manifested because there was no possible error scenario
+after iclog list setup when the original code was added. Subsequent
+code and associated error conditions were added some time later,
+while the original error handling code was never updated. Fix up the
+error loop to terminate either on a NULL iclog or reaching the end
+of the list.
+
+Reported-by: syzbot+c732f8644185de340492@syzkaller.appspotmail.com
+Signed-off-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/xfs_log.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/xfs/xfs_log.c b/fs/xfs/xfs_log.c
+index dc95a49d62e7..4e768e606998 100644
+--- a/fs/xfs/xfs_log.c
++++ b/fs/xfs/xfs_log.c
+@@ -1539,6 +1539,8 @@ xlog_alloc_log(
+ if (iclog->ic_bp)
+ xfs_buf_free(iclog->ic_bp);
+ kmem_free(iclog);
++ if (prev_iclog == log->l_iclog)
++ break;
+ }
+ spinlock_destroy(&log->l_icloglock);
+ xfs_buf_free(log->l_xbuf);
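Review bot: The added `if (prev_iclog == log->l_iclog) break;` has no comment, and the two list shapes it must handle (partially built and NULL-terminated, or fully built) are described only in the commit message. Suggested comment above it: `/* a fully built iclog list is circular: stop once we wrap back to the head */`. The loop header and the assignment of `prev_iclog` are outside the hunk, so this assumes `prev_iclog` holds the successor read before `kmem_free(iclog)`; reading it afterwards would itself touch freed memory.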
+--
+2.20.1
+