--- /dev/null
+From e1a00b5b253a4f97216b9a33199a863987075162 Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Tue, 10 Sep 2019 22:51:52 +0900
+Subject: ALSA: firewire-tascam: check intermediate state of clock status and retry
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit e1a00b5b253a4f97216b9a33199a863987075162 upstream.
+
+2 bytes in MSB of register for clock status is zero during intermediate
+state after changing status of sampling clock in models of TASCAM FireWire
+series. The duration of this state differs depending on cases. During the
+state, it's better to retry reading the register for current status of
+the clock.
+
+In current implementation, the intermediate state is checked only when
+getting current sampling transmission frequency, then retry reading.
+This care is required for the other operations to read the register.
+
+This commit moves the codes of check and retry into helper function
+commonly used for operations to read the register.
+
+Fixes: e453df44f0d6 ("ALSA: firewire-tascam: add PCM functionality")
+Cc: <stable@vger.kernel.org> # v4.4+
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Link: https://lore.kernel.org/r/20190910135152.29800-3-o-takashi@sakamocchi.jp
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/tascam/tascam-stream.c | 42 ++++++++++++++++++++++------------
+ 1 file changed, 28 insertions(+), 14 deletions(-)
+
+--- a/sound/firewire/tascam/tascam-stream.c
++++ b/sound/firewire/tascam/tascam-stream.c
+@@ -8,20 +8,37 @@
+ #include <linux/delay.h>
+ #include "tascam.h"
+
++#define CLOCK_STATUS_MASK 0xffff0000
++#define CLOCK_CONFIG_MASK 0x0000ffff
++
+ #define CALLBACK_TIMEOUT 500
+
+ static int get_clock(struct snd_tscm *tscm, u32 *data)
+ {
++ int trial = 0;
+ __be32 reg;
+ int err;
+
+- err = snd_fw_transaction(tscm->unit, TCODE_READ_QUADLET_REQUEST,
+- TSCM_ADDR_BASE + TSCM_OFFSET_CLOCK_STATUS,
+- ®, sizeof(reg), 0);
+- if (err >= 0)
++ while (trial++ < 5) {
++ err = snd_fw_transaction(tscm->unit, TCODE_READ_QUADLET_REQUEST,
++ TSCM_ADDR_BASE + TSCM_OFFSET_CLOCK_STATUS,
++ ®, sizeof(reg), 0);
++ if (err < 0)
++ return err;
++
+ *data = be32_to_cpu(reg);
++ if (*data & CLOCK_STATUS_MASK)
++ break;
++
++ // In intermediate state after changing clock status.
++ msleep(50);
++ }
+
+- return err;
++ // Still in the intermediate state.
++ if (trial >= 5)
++ return -EAGAIN;
++
++ return 0;
+ }
+
+ static int set_clock(struct snd_tscm *tscm, unsigned int rate,
+@@ -34,7 +51,7 @@ static int set_clock(struct snd_tscm *ts
+ err = get_clock(tscm, &data);
+ if (err < 0)
+ return err;
+- data &= 0x0000ffff;
++ data &= CLOCK_CONFIG_MASK;
+
+ if (rate > 0) {
+ data &= 0x000000ff;
+@@ -79,17 +96,14 @@ static int set_clock(struct snd_tscm *ts
+
+ int snd_tscm_stream_get_rate(struct snd_tscm *tscm, unsigned int *rate)
+ {
+- u32 data = 0x0;
+- unsigned int trials = 0;
++ u32 data;
+ int err;
+
+- while (data == 0x0 || trials++ < 5) {
+- err = get_clock(tscm, &data);
+- if (err < 0)
+- return err;
++ err = get_clock(tscm, &data);
++ if (err < 0)
++ return err;
+
+- data = (data & 0xff000000) >> 24;
+- }
++ data = (data & 0xff000000) >> 24;
+
+ /* Check base rate. */
+ if ((data & 0x0f) == 0x01)
--- /dev/null
+From 2617120f4de6d0423384e0e86b14c78b9de84d5a Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Tue, 10 Sep 2019 22:51:51 +0900
+Subject: ALSA: firewire-tascam: handle error code when getting current source of clock
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit 2617120f4de6d0423384e0e86b14c78b9de84d5a upstream.
+
+The return value of snd_tscm_stream_get_clock() is ignored. This commit
+checks the value and handle error.
+
+Fixes: e453df44f0d6 ("ALSA: firewire-tascam: add PCM functionality")
+Cc: <stable@vger.kernel.org> # v4.4+
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Link: https://lore.kernel.org/r/20190910135152.29800-2-o-takashi@sakamocchi.jp
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/tascam/tascam-pcm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/firewire/tascam/tascam-pcm.c
++++ b/sound/firewire/tascam/tascam-pcm.c
+@@ -56,6 +56,9 @@ static int pcm_open(struct snd_pcm_subst
+ goto err_locked;
+
+ err = snd_tscm_stream_get_clock(tscm, &clock);
++ if (err < 0)
++ goto err_locked;
++
+ if (clock != SND_TSCM_CLOCK_INTERNAL ||
+ amdtp_stream_pcm_running(&tscm->rx_stream) ||
+ amdtp_stream_pcm_running(&tscm->tx_stream)) {
--- /dev/null
+From f9f5518a38684e031d913f40482721ff553f5ba2 Mon Sep 17 00:00:00 2001
+From: Adam Ford <aford173@gmail.com>
+Date: Wed, 28 Aug 2019 13:33:50 -0500
+Subject: ARM: dts: logicpd-torpedo-baseboard: Fix missing video
+
+From: Adam Ford <aford173@gmail.com>
+
+commit f9f5518a38684e031d913f40482721ff553f5ba2 upstream.
+
+A previous commit removed the panel-dpi driver, which made the
+Torpedo video stop working because it relied on the dpi driver
+for setting video timings. Now that the simple-panel driver is
+available in omap2plus, this patch migrates the Torpedo dev kits
+to use a similar panel and remove the manual timing requirements.
+
+Fixes: 8bf4b1621178 ("drm/omap: Remove panel-dpi driver")
+
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/logicpd-torpedo-baseboard.dtsi | 37 +++--------------------
+ 1 file changed, 6 insertions(+), 31 deletions(-)
+
+--- a/arch/arm/boot/dts/logicpd-torpedo-baseboard.dtsi
++++ b/arch/arm/boot/dts/logicpd-torpedo-baseboard.dtsi
+@@ -108,7 +108,6 @@
+ &dss {
+ status = "ok";
+ vdds_dsi-supply = <&vpll2>;
+- vdda_video-supply = <&video_reg>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&dss_dpi_pins1>;
+ port {
+@@ -124,44 +123,20 @@
+ display0 = &lcd0;
+ };
+
+- video_reg: video_reg {
+- pinctrl-names = "default";
+- pinctrl-0 = <&panel_pwr_pins>;
+- compatible = "regulator-fixed";
+- regulator-name = "fixed-supply";
+- regulator-min-microvolt = <3300000>;
+- regulator-max-microvolt = <3300000>;
+- gpio = <&gpio5 27 GPIO_ACTIVE_HIGH>; /* gpio155, lcd INI */
+- };
+-
+ lcd0: display {
+- compatible = "panel-dpi";
++ /* This isn't the exact LCD, but the timings meet spec */
++ /* To make it work, set CONFIG_OMAP2_DSS_MIN_FCK_PER_PCK=4 */
++ compatible = "newhaven,nhd-4.3-480272ef-atxl";
+ label = "15";
+- status = "okay";
+- /* default-on; */
+ pinctrl-names = "default";
+-
++ pinctrl-0 = <&panel_pwr_pins>;
++ backlight = <&bl>;
++ enable-gpios = <&gpio5 27 GPIO_ACTIVE_HIGH>;
+ port {
+ lcd_in: endpoint {
+ remote-endpoint = <&dpi_out>;
+ };
+ };
+-
+- panel-timing {
+- clock-frequency = <9000000>;
+- hactive = <480>;
+- vactive = <272>;
+- hfront-porch = <3>;
+- hback-porch = <2>;
+- hsync-len = <42>;
+- vback-porch = <3>;
+- vfront-porch = <4>;
+- vsync-len = <11>;
+- hsync-active = <0>;
+- vsync-active = <0>;
+- de-active = <1>;
+- pixelclk-active = <1>;
+- };
+ };
+
+ bl: backlight {
--- /dev/null
+From 4957eccf979b025286b39388fd1a60cde601a10a Mon Sep 17 00:00:00 2001
+From: Adam Ford <aford173@gmail.com>
+Date: Wed, 28 Aug 2019 13:33:49 -0500
+Subject: ARM: omap2plus_defconfig: Fix missing video
+
+From: Adam Ford <aford173@gmail.com>
+
+commit 4957eccf979b025286b39388fd1a60cde601a10a upstream.
+
+When the panel-dpi driver was removed, the simple-panels driver
+was never enabled, so anyone who used the panel-dpi driver lost
+video, and those who used it inconjunction with simple-panels
+would have to manually enable CONFIG_DRM_PANEL_SIMPLE.
+
+This patch makes CONFIG_DRM_PANEL_SIMPLE a module in the same
+way the deprecated panel-dpi was.
+
+Fixes: 8bf4b1621178 ("drm/omap: Remove panel-dpi driver")
+
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/configs/omap2plus_defconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/configs/omap2plus_defconfig
++++ b/arch/arm/configs/omap2plus_defconfig
+@@ -363,6 +363,7 @@ CONFIG_DRM_OMAP_PANEL_TPO_TD028TTEC1=m
+ CONFIG_DRM_OMAP_PANEL_TPO_TD043MTEA1=m
+ CONFIG_DRM_OMAP_PANEL_NEC_NL8048HL11=m
+ CONFIG_DRM_TILCDC=m
++CONFIG_DRM_PANEL_SIMPLE=m
+ CONFIG_FB=y
+ CONFIG_FIRMWARE_EDID=y
+ CONFIG_FB_MODE_HELPERS=y
--- /dev/null
+From f8659d68e2bee5b86a1beaf7be42d942e1fc81f4 Mon Sep 17 00:00:00 2001
+From: Ira Weiny <ira.weiny@intel.com>
+Date: Wed, 11 Sep 2019 07:30:53 -0400
+Subject: IB/hfi1: Define variables as unsigned long to fix KASAN warning
+
+From: Ira Weiny <ira.weiny@intel.com>
+
+commit f8659d68e2bee5b86a1beaf7be42d942e1fc81f4 upstream.
+
+Define the working variables to be unsigned long to be compatible with
+for_each_set_bit and change types as needed.
+
+While we are at it remove unused variables from a couple of functions.
+
+This was found because of the following KASAN warning:
+ ==================================================================
+ BUG: KASAN: stack-out-of-bounds in find_first_bit+0x19/0x70
+ Read of size 8 at addr ffff888362d778d0 by task kworker/u308:2/1889
+
+ CPU: 21 PID: 1889 Comm: kworker/u308:2 Tainted: G W 5.3.0-rc2-mm1+ #2
+ Hardware name: Intel Corporation W2600CR/W2600CR, BIOS SE5C600.86B.02.04.0003.102320141138 10/23/2014
+ Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core]
+ Call Trace:
+ dump_stack+0x9a/0xf0
+ ? find_first_bit+0x19/0x70
+ print_address_description+0x6c/0x332
+ ? find_first_bit+0x19/0x70
+ ? find_first_bit+0x19/0x70
+ __kasan_report.cold.6+0x1a/0x3b
+ ? find_first_bit+0x19/0x70
+ kasan_report+0xe/0x12
+ find_first_bit+0x19/0x70
+ pma_get_opa_portstatus+0x5cc/0xa80 [hfi1]
+ ? ret_from_fork+0x3a/0x50
+ ? pma_get_opa_port_ectrs+0x200/0x200 [hfi1]
+ ? stack_trace_consume_entry+0x80/0x80
+ hfi1_process_mad+0x39b/0x26c0 [hfi1]
+ ? __lock_acquire+0x65e/0x21b0
+ ? clear_linkup_counters+0xb0/0xb0 [hfi1]
+ ? check_chain_key+0x1d7/0x2e0
+ ? lock_downgrade+0x3a0/0x3a0
+ ? match_held_lock+0x2e/0x250
+ ib_mad_recv_done+0x698/0x15e0 [ib_core]
+ ? clear_linkup_counters+0xb0/0xb0 [hfi1]
+ ? ib_mad_send_done+0xc80/0xc80 [ib_core]
+ ? mark_held_locks+0x79/0xa0
+ ? _raw_spin_unlock_irqrestore+0x44/0x60
+ ? rvt_poll_cq+0x1e1/0x340 [rdmavt]
+ __ib_process_cq+0x97/0x100 [ib_core]
+ ib_cq_poll_work+0x31/0xb0 [ib_core]
+ process_one_work+0x4ee/0xa00
+ ? pwq_dec_nr_in_flight+0x110/0x110
+ ? do_raw_spin_lock+0x113/0x1d0
+ worker_thread+0x57/0x5a0
+ ? process_one_work+0xa00/0xa00
+ kthread+0x1bb/0x1e0
+ ? kthread_create_on_node+0xc0/0xc0
+ ret_from_fork+0x3a/0x50
+
+ The buggy address belongs to the page:
+ page:ffffea000d8b5dc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
+ flags: 0x17ffffc0000000()
+ raw: 0017ffffc0000000 0000000000000000 ffffea000d8b5dc8 0000000000000000
+ raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
+ page dumped because: kasan: bad access detected
+
+ addr ffff888362d778d0 is located in stack of task kworker/u308:2/1889 at offset 32 in frame:
+ pma_get_opa_portstatus+0x0/0xa80 [hfi1]
+
+ this frame has 1 object:
+ [32, 36) 'vl_select_mask'
+
+ Memory state around the buggy address:
+ ffff888362d77780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff888362d77800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ >ffff888362d77880: 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2 00 00
+ ^
+ ffff888362d77900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff888362d77980: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2
+
+ ==================================================================
+
+Cc: <stable@vger.kernel.org>
+Fixes: 7724105686e7 ("IB/hfi1: add driver files")
+Link: https://lore.kernel.org/r/20190911113053.126040.47327.stgit@awfm-01.aw.intel.com
+Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Ira Weiny <ira.weiny@intel.com>
+Signed-off-by: Kaike Wan <kaike.wan@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/hfi1/mad.c | 45 ++++++++++++++++-----------------------
+ 1 file changed, 19 insertions(+), 26 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/mad.c
++++ b/drivers/infiniband/hw/hfi1/mad.c
+@@ -2326,7 +2326,7 @@ struct opa_port_status_req {
+ __be32 vl_select_mask;
+ };
+
+-#define VL_MASK_ALL 0x000080ff
++#define VL_MASK_ALL 0x00000000000080ffUL
+
+ struct opa_port_status_rsp {
+ __u8 port_num;
+@@ -2625,15 +2625,14 @@ static int pma_get_opa_classportinfo(str
+ }
+
+ static void a0_portstatus(struct hfi1_pportdata *ppd,
+- struct opa_port_status_rsp *rsp, u32 vl_select_mask)
++ struct opa_port_status_rsp *rsp)
+ {
+ if (!is_bx(ppd->dd)) {
+ unsigned long vl;
+ u64 sum_vl_xmit_wait = 0;
+- u32 vl_all_mask = VL_MASK_ALL;
++ unsigned long vl_all_mask = VL_MASK_ALL;
+
+- for_each_set_bit(vl, (unsigned long *)&(vl_all_mask),
+- 8 * sizeof(vl_all_mask)) {
++ for_each_set_bit(vl, &vl_all_mask, BITS_PER_LONG) {
+ u64 tmp = sum_vl_xmit_wait +
+ read_port_cntr(ppd, C_TX_WAIT_VL,
+ idx_from_vl(vl));
+@@ -2730,12 +2729,12 @@ static int pma_get_opa_portstatus(struct
+ (struct opa_port_status_req *)pmp->data;
+ struct hfi1_devdata *dd = dd_from_ibdev(ibdev);
+ struct opa_port_status_rsp *rsp;
+- u32 vl_select_mask = be32_to_cpu(req->vl_select_mask);
++ unsigned long vl_select_mask = be32_to_cpu(req->vl_select_mask);
+ unsigned long vl;
+ size_t response_data_size;
+ u32 nports = be32_to_cpu(pmp->mad_hdr.attr_mod) >> 24;
+ u8 port_num = req->port_num;
+- u8 num_vls = hweight32(vl_select_mask);
++ u8 num_vls = hweight64(vl_select_mask);
+ struct _vls_pctrs *vlinfo;
+ struct hfi1_ibport *ibp = to_iport(ibdev, port);
+ struct hfi1_pportdata *ppd = ppd_from_ibp(ibp);
+@@ -2770,7 +2769,7 @@ static int pma_get_opa_portstatus(struct
+
+ hfi1_read_link_quality(dd, &rsp->link_quality_indicator);
+
+- rsp->vl_select_mask = cpu_to_be32(vl_select_mask);
++ rsp->vl_select_mask = cpu_to_be32((u32)vl_select_mask);
+ rsp->port_xmit_data = cpu_to_be64(read_dev_cntr(dd, C_DC_XMIT_FLITS,
+ CNTR_INVALID_VL));
+ rsp->port_rcv_data = cpu_to_be64(read_dev_cntr(dd, C_DC_RCV_FLITS,
+@@ -2841,8 +2840,7 @@ static int pma_get_opa_portstatus(struct
+ * So in the for_each_set_bit() loop below, we don't need
+ * any additional checks for vl.
+ */
+- for_each_set_bit(vl, (unsigned long *)&(vl_select_mask),
+- 8 * sizeof(vl_select_mask)) {
++ for_each_set_bit(vl, &vl_select_mask, BITS_PER_LONG) {
+ memset(vlinfo, 0, sizeof(*vlinfo));
+
+ tmp = read_dev_cntr(dd, C_DC_RX_FLIT_VL, idx_from_vl(vl));
+@@ -2883,7 +2881,7 @@ static int pma_get_opa_portstatus(struct
+ vfi++;
+ }
+
+- a0_portstatus(ppd, rsp, vl_select_mask);
++ a0_portstatus(ppd, rsp);
+
+ if (resp_len)
+ *resp_len += response_data_size;
+@@ -2930,16 +2928,14 @@ static u64 get_error_counter_summary(str
+ return error_counter_summary;
+ }
+
+-static void a0_datacounters(struct hfi1_pportdata *ppd, struct _port_dctrs *rsp,
+- u32 vl_select_mask)
++static void a0_datacounters(struct hfi1_pportdata *ppd, struct _port_dctrs *rsp)
+ {
+ if (!is_bx(ppd->dd)) {
+ unsigned long vl;
+ u64 sum_vl_xmit_wait = 0;
+- u32 vl_all_mask = VL_MASK_ALL;
++ unsigned long vl_all_mask = VL_MASK_ALL;
+
+- for_each_set_bit(vl, (unsigned long *)&(vl_all_mask),
+- 8 * sizeof(vl_all_mask)) {
++ for_each_set_bit(vl, &vl_all_mask, BITS_PER_LONG) {
+ u64 tmp = sum_vl_xmit_wait +
+ read_port_cntr(ppd, C_TX_WAIT_VL,
+ idx_from_vl(vl));
+@@ -2994,7 +2990,7 @@ static int pma_get_opa_datacounters(stru
+ u64 port_mask;
+ u8 port_num;
+ unsigned long vl;
+- u32 vl_select_mask;
++ unsigned long vl_select_mask;
+ int vfi;
+ u16 link_width;
+ u16 link_speed;
+@@ -3071,8 +3067,7 @@ static int pma_get_opa_datacounters(stru
+ * So in the for_each_set_bit() loop below, we don't need
+ * any additional checks for vl.
+ */
+- for_each_set_bit(vl, (unsigned long *)&(vl_select_mask),
+- 8 * sizeof(req->vl_select_mask)) {
++ for_each_set_bit(vl, &vl_select_mask, BITS_PER_LONG) {
+ memset(vlinfo, 0, sizeof(*vlinfo));
+
+ rsp->vls[vfi].port_vl_xmit_data =
+@@ -3120,7 +3115,7 @@ static int pma_get_opa_datacounters(stru
+ vfi++;
+ }
+
+- a0_datacounters(ppd, rsp, vl_select_mask);
++ a0_datacounters(ppd, rsp);
+
+ if (resp_len)
+ *resp_len += response_data_size;
+@@ -3215,7 +3210,7 @@ static int pma_get_opa_porterrors(struct
+ struct _vls_ectrs *vlinfo;
+ unsigned long vl;
+ u64 port_mask, tmp;
+- u32 vl_select_mask;
++ unsigned long vl_select_mask;
+ int vfi;
+
+ req = (struct opa_port_error_counters64_msg *)pmp->data;
+@@ -3273,8 +3268,7 @@ static int pma_get_opa_porterrors(struct
+ vlinfo = &rsp->vls[0];
+ vfi = 0;
+ vl_select_mask = be32_to_cpu(req->vl_select_mask);
+- for_each_set_bit(vl, (unsigned long *)&(vl_select_mask),
+- 8 * sizeof(req->vl_select_mask)) {
++ for_each_set_bit(vl, &vl_select_mask, BITS_PER_LONG) {
+ memset(vlinfo, 0, sizeof(*vlinfo));
+ rsp->vls[vfi].port_vl_xmit_discards =
+ cpu_to_be64(read_port_cntr(ppd, C_SW_XMIT_DSCD_VL,
+@@ -3485,7 +3479,7 @@ static int pma_set_opa_portstatus(struct
+ u32 nports = be32_to_cpu(pmp->mad_hdr.attr_mod) >> 24;
+ u64 portn = be64_to_cpu(req->port_select_mask[3]);
+ u32 counter_select = be32_to_cpu(req->counter_select_mask);
+- u32 vl_select_mask = VL_MASK_ALL; /* clear all per-vl cnts */
++ unsigned long vl_select_mask = VL_MASK_ALL; /* clear all per-vl cnts */
+ unsigned long vl;
+
+ if ((nports != 1) || (portn != 1 << port)) {
+@@ -3579,8 +3573,7 @@ static int pma_set_opa_portstatus(struct
+ if (counter_select & CS_UNCORRECTABLE_ERRORS)
+ write_dev_cntr(dd, C_DC_UNC_ERR, CNTR_INVALID_VL, 0);
+
+- for_each_set_bit(vl, (unsigned long *)&(vl_select_mask),
+- 8 * sizeof(vl_select_mask)) {
++ for_each_set_bit(vl, &vl_select_mask, BITS_PER_LONG) {
+ if (counter_select & CS_PORT_XMIT_DATA)
+ write_port_cntr(ppd, C_TX_FLIT_VL, idx_from_vl(vl), 0);
+
--- /dev/null
+From b2590bdd0b1dfb91737e6cb07ebb47bd74957f7e Mon Sep 17 00:00:00 2001
+From: Kaike Wan <kaike.wan@intel.com>
+Date: Mon, 15 Jul 2019 12:45:46 -0400
+Subject: IB/hfi1: Do not update hcrc for a KDETH packet during fault injection
+
+From: Kaike Wan <kaike.wan@intel.com>
+
+commit b2590bdd0b1dfb91737e6cb07ebb47bd74957f7e upstream.
+
+When a KDETH packet is subject to fault injection during transmission,
+HCRC is supposed to be omitted from the packet so that the hardware on the
+receiver side would drop the packet. When creating pbc, the PbcInsertHcrc
+field is set to be PBC_IHCRC_NONE if the KDETH packet is subject to fault
+injection, but overwritten with PBC_IHCRC_LKDETH when update_hcrc() is
+called later.
+
+This problem is fixed by not calling update_hcrc() when the packet is
+subject to fault injection.
+
+Fixes: 6b6cf9357f78 ("IB/hfi1: Set PbcInsertHcrc for TID RDMA packets")
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20190715164546.74174.99296.stgit@awfm-01.aw.intel.com
+Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Kaike Wan <kaike.wan@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/hfi1/verbs.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/verbs.c
++++ b/drivers/infiniband/hw/hfi1/verbs.c
+@@ -874,16 +874,17 @@ int hfi1_verbs_send_dma(struct rvt_qp *q
+ else
+ pbc |= (ib_is_sc5(sc5) << PBC_DC_INFO_SHIFT);
+
+- if (unlikely(hfi1_dbg_should_fault_tx(qp, ps->opcode)))
+- pbc = hfi1_fault_tx(qp, ps->opcode, pbc);
+ pbc = create_pbc(ppd,
+ pbc,
+ qp->srate_mbps,
+ vl,
+ plen);
+
+- /* Update HCRC based on packet opcode */
+- pbc = update_hcrc(ps->opcode, pbc);
++ if (unlikely(hfi1_dbg_should_fault_tx(qp, ps->opcode)))
++ pbc = hfi1_fault_tx(qp, ps->opcode, pbc);
++ else
++ /* Update HCRC based on packet opcode */
++ pbc = update_hcrc(ps->opcode, pbc);
+ }
+ tx->wqe = qp->s_wqe;
+ ret = build_verbs_tx_desc(tx->sde, len, tx, ahg_info, pbc);
+@@ -1030,12 +1031,12 @@ int hfi1_verbs_send_pio(struct rvt_qp *q
+ else
+ pbc |= (ib_is_sc5(sc5) << PBC_DC_INFO_SHIFT);
+
++ pbc = create_pbc(ppd, pbc, qp->srate_mbps, vl, plen);
+ if (unlikely(hfi1_dbg_should_fault_tx(qp, ps->opcode)))
+ pbc = hfi1_fault_tx(qp, ps->opcode, pbc);
+- pbc = create_pbc(ppd, pbc, qp->srate_mbps, vl, plen);
+-
+- /* Update HCRC based on packet opcode */
+- pbc = update_hcrc(ps->opcode, pbc);
++ else
++ /* Update HCRC based on packet opcode */
++ pbc = update_hcrc(ps->opcode, pbc);
+ }
+ if (cb)
+ iowait_pio_inc(&priv->s_iowait);
--- /dev/null
+From 5d44adebbb7e785939df3db36ac360f5e8b73e44 Mon Sep 17 00:00:00 2001
+From: Danit Goldberg <danitg@mellanox.com>
+Date: Mon, 16 Sep 2019 09:48:18 +0300
+Subject: IB/mlx5: Free mpi in mp_slave mode
+
+From: Danit Goldberg <danitg@mellanox.com>
+
+commit 5d44adebbb7e785939df3db36ac360f5e8b73e44 upstream.
+
+ib_add_slave_port() allocates a multiport struct but never frees it.
+Don't leak memory, free the allocated mpi struct during driver unload.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 32f69e4be269 ("{net, IB}/mlx5: Manage port association for multiport RoCE")
+Link: https://lore.kernel.org/r/20190916064818.19823-3-leon@kernel.org
+Signed-off-by: Danit Goldberg <danitg@mellanox.com>
+Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx5/main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -6959,6 +6959,7 @@ static void mlx5_ib_remove(struct mlx5_c
+ mlx5_ib_unbind_slave_port(mpi->ibdev, mpi);
+ list_del(&mpi->list);
+ mutex_unlock(&mlx5_ib_multiport_mutex);
++ kfree(mpi);
+ return;
+ }
+
--- /dev/null
+From fddbfeece9c7882cc47754c7da460fe427e3e85b Mon Sep 17 00:00:00 2001
+From: Luca Coelho <luciano.coelho@intel.com>
+Date: Tue, 24 Sep 2019 13:30:57 +0300
+Subject: iwlwifi: fw: don't send GEO_TX_POWER_LIMIT command to FW version 36
+
+From: Luca Coelho <luciano.coelho@intel.com>
+
+commit fddbfeece9c7882cc47754c7da460fe427e3e85b upstream.
+
+The intention was to have the GEO_TX_POWER_LIMIT command in FW version
+36 as well, but not all 8000 family got this feature enabled. The
+8000 family is the only one using version 36, so skip this version
+entirely. If we try to send this command to the firmwares that do not
+support it, we get a BAD_COMMAND response from the firmware.
+
+This fixes https://bugzilla.kernel.org/show_bug.cgi?id=204151.
+
+Cc: stable@vger.kernel.org # 4.19+
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+@@ -887,11 +887,13 @@ static bool iwl_mvm_sar_geo_support(stru
+ * firmware versions. Unfortunately, we don't have a TLV API
+ * flag to rely on, so rely on the major version which is in
+ * the first byte of ucode_ver. This was implemented
+- * initially on version 38 and then backported to 36, 29 and
+- * 17.
++ * initially on version 38 and then backported to29 and 17.
++ * The intention was to have it in 36 as well, but not all
++ * 8000 family got this feature enabled. The 8000 family is
++ * the only one using version 36, so skip this version
++ * entirely.
+ */
+ return IWL_UCODE_SERIAL(mvm->fw->ucode_ver) >= 38 ||
+- IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 36 ||
+ IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 29 ||
+ IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 17;
+ }
--- /dev/null
+From c9dccacfccc72c32692eedff4a27a4b0833a2afd Mon Sep 17 00:00:00 2001
+From: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Date: Thu, 11 Jul 2019 16:29:37 +0200
+Subject: printk: Do not lose last line in kmsg buffer dump
+
+From: Vincent Whitchurch <vincent.whitchurch@axis.com>
+
+commit c9dccacfccc72c32692eedff4a27a4b0833a2afd upstream.
+
+kmsg_dump_get_buffer() is supposed to select all the youngest log
+messages which fit into the provided buffer. It determines the correct
+start index by using msg_print_text() with a NULL buffer to calculate
+the size of each entry. However, when performing the actual writes,
+msg_print_text() only writes the entry to the buffer if the written len
+is lesser than the size of the buffer. So if the lengths of the
+selected youngest log messages happen to precisely fill up the provided
+buffer, the last log message is not included.
+
+We don't want to modify msg_print_text() to fill up the buffer and start
+returning a length which is equal to the size of the buffer, since
+callers of its other users, such as kmsg_dump_get_line(), depend upon
+the current behaviour.
+
+Instead, fix kmsg_dump_get_buffer() to compensate for this.
+
+For example, with the following two final prints:
+
+[ 6.427502] AAAAAAAAAAAAA
+[ 6.427769] BBBBBBBB12345
+
+A dump of a 64-byte buffer filled by kmsg_dump_get_buffer(), before this
+patch:
+
+ 00000000: 3c 30 3e 5b 20 20 20 20 36 2e 35 32 32 31 39 37 <0>[ 6.522197
+ 00000010: 5d 20 41 41 41 41 41 41 41 41 41 41 41 41 41 0a ] AAAAAAAAAAAAA.
+ 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+
+After this patch:
+
+ 00000000: 3c 30 3e 5b 20 20 20 20 36 2e 34 35 36 36 37 38 <0>[ 6.456678
+ 00000010: 5d 20 42 42 42 42 42 42 42 42 31 32 33 34 35 0a ] BBBBBBBB12345.
+ 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+
+Link: http://lkml.kernel.org/r/20190711142937.4083-1-vincent.whitchurch@axis.com
+Fixes: e2ae715d66bf4bec ("kmsg - kmsg_dump() use iterator to receive log buffer content")
+To: rostedt@goodmis.org
+Cc: linux-kernel@vger.kernel.org
+Cc: <stable@vger.kernel.org> # v3.5+
+Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/printk/printk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/printk/printk.c
++++ b/kernel/printk/printk.c
+@@ -3274,7 +3274,7 @@ bool kmsg_dump_get_buffer(struct kmsg_du
+ /* move first record forward until length fits into the buffer */
+ seq = dumper->cur_seq;
+ idx = dumper->cur_idx;
+- while (l > size && seq < dumper->next_seq) {
++ while (l >= size && seq < dumper->next_seq) {
+ struct printk_log *msg = log_from_idx(idx);
+
+ l -= msg_print_text(msg, true, time, NULL, 0);
--- /dev/null
+From 60f2c82ed20bde57c362e66f796cf9e0e38a6dbb Mon Sep 17 00:00:00 2001
+From: Joonwon Kang <kjw1627@gmail.com>
+Date: Sun, 28 Jul 2019 00:58:41 +0900
+Subject: randstruct: Check member structs in is_pure_ops_struct()
+
+From: Joonwon Kang <kjw1627@gmail.com>
+
+commit 60f2c82ed20bde57c362e66f796cf9e0e38a6dbb upstream.
+
+While no uses in the kernel triggered this case, it was possible to have
+a false negative where a struct contains other structs which contain only
+function pointers because of unreachable code in is_pure_ops_struct().
+
+Signed-off-by: Joonwon Kang <kjw1627@gmail.com>
+Link: https://lore.kernel.org/r/20190727155841.GA13586@host
+Fixes: 313dd1b62921 ("gcc-plugins: Add the randstruct plugin")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ scripts/gcc-plugins/randomize_layout_plugin.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/scripts/gcc-plugins/randomize_layout_plugin.c
++++ b/scripts/gcc-plugins/randomize_layout_plugin.c
+@@ -443,13 +443,13 @@ static int is_pure_ops_struct(const_tree
+ if (node == fieldtype)
+ continue;
+
+- if (!is_fptr(fieldtype))
+- return 0;
+-
+- if (code != RECORD_TYPE && code != UNION_TYPE)
++ if (code == RECORD_TYPE || code == UNION_TYPE) {
++ if (!is_pure_ops_struct(fieldtype))
++ return 0;
+ continue;
++ }
+
+- if (!is_pure_ops_struct(fieldtype))
++ if (!is_fptr(fieldtype))
+ return 0;
+ }
+
--- /dev/null
+From 3eca7fc2d8d1275d9cf0c709f0937becbfcf6d96 Mon Sep 17 00:00:00 2001
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Date: Mon, 16 Sep 2019 10:11:54 +0300
+Subject: RDMA: Fix double-free in srq creation error flow
+
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+
+commit 3eca7fc2d8d1275d9cf0c709f0937becbfcf6d96 upstream.
+
+The cited commit introduced a double-free of the srq buffer in the error
+flow of procedure __uverbs_create_xsrq().
+
+The problem is that ib_destroy_srq_user() called in the error flow also
+frees the srq buffer.
+
+Thus, if uverbs_response() fails in __uverbs_create_srq(), the srq buffer
+will be freed twice.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 68e326dea1db ("RDMA: Handle SRQ allocations by IB/core")
+Link: https://lore.kernel.org/r/20190916071154.20383-5-leon@kernel.org
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/uverbs_cmd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -3484,7 +3484,8 @@ static int __uverbs_create_xsrq(struct u
+
+ err_copy:
+ ib_destroy_srq_user(srq, uverbs_get_cleared_udata(attrs));
+-
++ /* It was released in ib_destroy_srq_user */
++ srq = NULL;
+ err_free:
+ kfree(srq);
+ err_put:
--- /dev/null
+From b7e9e1fb7a9227be34ad4a5e778022c3164494cf Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Thu, 25 Jul 2019 10:05:00 +0800
+Subject: scsi: implement .cleanup_rq callback
+
+From: Ming Lei <ming.lei@redhat.com>
+
+commit b7e9e1fb7a9227be34ad4a5e778022c3164494cf upstream.
+
+Implement .cleanup_rq() callback for freeing driver private part
+of the request. Then we can avoid to leak this part if the request isn't
+completed by SCSI, and freed by blk-mq or upper layer(such as dm-rq) finally.
+
+Cc: Ewan D. Milne <emilne@redhat.com>
+Cc: Bart Van Assche <bvanassche@acm.org>
+Cc: Hannes Reinecke <hare@suse.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Mike Snitzer <snitzer@redhat.com>
+Cc: dm-devel@redhat.com
+Cc: <stable@vger.kernel.org>
+Fixes: 396eaf21ee17 ("blk-mq: improve DM's blk-mq IO merging via blk_insert_cloned_request feedback")
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/scsi_lib.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -1089,6 +1089,18 @@ static void scsi_initialize_rq(struct re
+ cmd->retries = 0;
+ }
+
++/*
++ * Only called when the request isn't completed by SCSI, and not freed by
++ * SCSI
++ */
++static void scsi_cleanup_rq(struct request *rq)
++{
++ if (rq->rq_flags & RQF_DONTPREP) {
++ scsi_mq_uninit_cmd(blk_mq_rq_to_pdu(rq));
++ rq->rq_flags &= ~RQF_DONTPREP;
++ }
++}
++
+ /* Add a command to the list used by the aacraid and dpt_i2o drivers */
+ void scsi_add_cmd_to_list(struct scsi_cmnd *cmd)
+ {
+@@ -1821,6 +1833,7 @@ static const struct blk_mq_ops scsi_mq_o
+ .init_request = scsi_mq_init_request,
+ .exit_request = scsi_mq_exit_request,
+ .initialize_rq_fn = scsi_initialize_rq,
++ .cleanup_rq = scsi_cleanup_rq,
+ .busy = scsi_mq_lld_busy,
+ .map_queues = scsi_map_queues,
+ };
--- /dev/null
+From 8b5292bcfcacf15182a77a973a98d310e76fd58b Mon Sep 17 00:00:00 2001
+From: Quinn Tran <qutran@marvell.com>
+Date: Fri, 26 Jul 2019 09:07:32 -0700
+Subject: scsi: qla2xxx: Fix Relogin to prevent modifying scan_state flag
+
+From: Quinn Tran <qutran@marvell.com>
+
+commit 8b5292bcfcacf15182a77a973a98d310e76fd58b upstream.
+
+Relogin fails to move forward due to scan_state flag indicating device is
+not there. Before relogin process, Session delete process accidently
+modified the scan_state flag.
+
+[mkp: typos plus corrected Fixes: sha as reported by sfr]
+
+Fixes: 2dee5521028c ("scsi: qla2xxx: Fix login state machine freeze")
+Cc: stable@vger.kernel.org
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_init.c | 25 ++++++++++++++++++++-----
+ drivers/scsi/qla2xxx/qla_os.c | 1 +
+ drivers/scsi/qla2xxx/qla_target.c | 1 -
+ 3 files changed, 21 insertions(+), 6 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -289,8 +289,13 @@ qla2x00_async_login(struct scsi_qla_host
+ struct srb_iocb *lio;
+ int rval = QLA_FUNCTION_FAILED;
+
+- if (!vha->flags.online)
+- goto done;
++ if (!vha->flags.online || (fcport->flags & FCF_ASYNC_SENT) ||
++ fcport->loop_id == FC_NO_LOOP_ID) {
++ ql_log(ql_log_warn, vha, 0xffff,
++ "%s: %8phC - not sending command.\n",
++ __func__, fcport->port_name);
++ return rval;
++ }
+
+ sp = qla2x00_get_sp(vha, fcport, GFP_KERNEL);
+ if (!sp)
+@@ -1262,8 +1267,13 @@ int qla24xx_async_gpdb(struct scsi_qla_h
+ struct port_database_24xx *pd;
+ struct qla_hw_data *ha = vha->hw;
+
+- if (!vha->flags.online || (fcport->flags & FCF_ASYNC_SENT))
++ if (!vha->flags.online || (fcport->flags & FCF_ASYNC_SENT) ||
++ fcport->loop_id == FC_NO_LOOP_ID) {
++ ql_log(ql_log_warn, vha, 0xffff,
++ "%s: %8phC - not sending command.\n",
++ __func__, fcport->port_name);
+ return rval;
++ }
+
+ fcport->disc_state = DSC_GPDB;
+
+@@ -1953,8 +1963,11 @@ qla24xx_handle_plogi_done_event(struct s
+ return;
+ }
+
+- if (fcport->disc_state == DSC_DELETE_PEND)
++ if ((fcport->disc_state == DSC_DELETE_PEND) ||
++ (fcport->disc_state == DSC_DELETED)) {
++ set_bit(RELOGIN_NEEDED, &vha->dpc_flags);
+ return;
++ }
+
+ if (ea->sp->gen2 != fcport->login_gen) {
+ /* target side must have changed it. */
+@@ -6698,8 +6711,10 @@ qla2x00_abort_isp_cleanup(scsi_qla_host_
+ }
+
+ /* Clear all async request states across all VPs. */
+- list_for_each_entry(fcport, &vha->vp_fcports, list)
++ list_for_each_entry(fcport, &vha->vp_fcports, list) {
+ fcport->flags &= ~(FCF_LOGIN_NEEDED | FCF_ASYNC_SENT);
++ fcport->scan_state = 0;
++ }
+ spin_lock_irqsave(&ha->vport_slock, flags);
+ list_for_each_entry(vp, &ha->vp_list, list) {
+ atomic_inc(&vp->vref_count);
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -5086,6 +5086,7 @@ void qla24xx_create_new_sess(struct scsi
+ if (fcport) {
+ fcport->id_changed = 1;
+ fcport->scan_state = QLA_FCPORT_FOUND;
++ fcport->chip_reset = vha->hw->base_qpair->chip_reset;
+ memcpy(fcport->node_name, e->u.new_sess.node_name, WWN_SIZE);
+
+ if (pla) {
+--- a/drivers/scsi/qla2xxx/qla_target.c
++++ b/drivers/scsi/qla2xxx/qla_target.c
+@@ -1209,7 +1209,6 @@ static void qla24xx_chk_fcp_state(struct
+ sess->logout_on_delete = 0;
+ sess->logo_ack_needed = 0;
+ sess->fw_login_state = DSC_LS_PORT_UNAVAIL;
+- sess->scan_state = 0;
+ }
+ }
+
--- /dev/null
+From 57adf5d4cfd3198aa480e7c94a101fc8c4e6109d Mon Sep 17 00:00:00 2001
+From: Martin Wilck <Martin.Wilck@suse.com>
+Date: Wed, 4 Sep 2019 15:52:29 +0000
+Subject: scsi: scsi_dh_rdac: zero cdb in send_mode_select()
+
+From: Martin Wilck <Martin.Wilck@suse.com>
+
+commit 57adf5d4cfd3198aa480e7c94a101fc8c4e6109d upstream.
+
+cdb in send_mode_select() is not zeroed and is only partially filled in
+rdac_failover_get(), which leads to some random data getting to the
+device. Users have reported storage responding to such commands with
+INVALID FIELD IN CDB. Code before commit 327825574132 was not affected, as
+it called blk_rq_set_block_pc().
+
+Fix this by zeroing out the cdb first.
+
+Identified & fix proposed by HPE.
+
+Fixes: 327825574132 ("scsi_dh_rdac: switch to scsi_execute_req_flags()")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20190904155205.1666-1-martin.wilck@suse.com
+Signed-off-by: Martin Wilck <mwilck@suse.com>
+Acked-by: Ales Novak <alnovak@suse.cz>
+Reviewed-by: Shane Seymour <shane.seymour@hpe.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/device_handler/scsi_dh_rdac.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/device_handler/scsi_dh_rdac.c
++++ b/drivers/scsi/device_handler/scsi_dh_rdac.c
+@@ -546,6 +546,8 @@ static void send_mode_select(struct work
+ spin_unlock(&ctlr->ms_lock);
+
+ retry:
++ memset(cdb, 0, sizeof(cdb));
++
+ data_size = rdac_failover_get(ctlr, &list, cdb);
+
+ RDAC_LOG(RDAC_LOG_FAILOVER, sdev, "array %s, ctlr %d, "
ax25-enforce-cap_net_raw-for-raw-sockets.patch
ieee802154-enforce-cap_net_raw-for-raw-sockets.patch
nfc-enforce-cap_net_raw-for-raw-sockets.patch
+arm-dts-logicpd-torpedo-baseboard-fix-missing-video.patch
+arm-omap2plus_defconfig-fix-missing-video.patch
+iwlwifi-fw-don-t-send-geo_tx_power_limit-command-to-fw-version-36.patch
+alsa-firewire-tascam-handle-error-code-when-getting-current-source-of-clock.patch
+alsa-firewire-tascam-check-intermediate-state-of-clock-status-and-retry.patch
+scsi-implement-.cleanup_rq-callback.patch
+scsi-scsi_dh_rdac-zero-cdb-in-send_mode_select.patch
+scsi-qla2xxx-fix-relogin-to-prevent-modifying-scan_state-flag.patch
+printk-do-not-lose-last-line-in-kmsg-buffer-dump.patch
+ib-mlx5-free-mpi-in-mp_slave-mode.patch
+ib-hfi1-define-variables-as-unsigned-long-to-fix-kasan-warning.patch
+ib-hfi1-do-not-update-hcrc-for-a-kdeth-packet-during-fault-injection.patch
+rdma-fix-double-free-in-srq-creation-error-flow.patch
+randstruct-check-member-structs-in-is_pure_ops_struct.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
