--- /dev/null
+From 56a0b978d42f58c7e3ba715cf65af487d427524d Mon Sep 17 00:00:00 2001
+From: John Garry <john.garry@huawei.com>
+Date: Tue, 15 Oct 2019 22:07:31 +0800
+Subject: ACPI: CPPC: Set pcc_data[pcc_ss_id] to NULL in acpi_cppc_processor_exit()
+
+From: John Garry <john.garry@huawei.com>
+
+commit 56a0b978d42f58c7e3ba715cf65af487d427524d upstream.
+
+When enabling KASAN and DEBUG_TEST_DRIVER_REMOVE, I find this KASAN
+warning:
+
+[ 20.872057] BUG: KASAN: use-after-free in pcc_data_alloc+0x40/0xb8
+[ 20.878226] Read of size 4 at addr ffff00236cdeb684 by task swapper/0/1
+[ 20.884826]
+[ 20.886309] CPU: 19 PID: 1 Comm: swapper/0 Not tainted 5.4.0-rc1-00009-ge7f7df3db5bf-dirty #289
+[ 20.894994] Hardware name: Huawei D06 /D06, BIOS Hisilicon D06 UEFI RC0 - V1.16.01 03/15/2019
+[ 20.903505] Call trace:
+[ 20.905942] dump_backtrace+0x0/0x200
+[ 20.909593] show_stack+0x14/0x20
+[ 20.912899] dump_stack+0xd4/0x130
+[ 20.916291] print_address_description.isra.9+0x6c/0x3b8
+[ 20.921592] __kasan_report+0x12c/0x23c
+[ 20.925417] kasan_report+0xc/0x18
+[ 20.928808] __asan_load4+0x94/0xb8
+[ 20.932286] pcc_data_alloc+0x40/0xb8
+[ 20.935938] acpi_cppc_processor_probe+0x4e8/0xb08
+[ 20.940717] __acpi_processor_start+0x48/0xb0
+[ 20.945062] acpi_processor_start+0x40/0x60
+[ 20.949235] really_probe+0x118/0x548
+[ 20.952887] driver_probe_device+0x7c/0x148
+[ 20.957059] device_driver_attach+0x94/0xa0
+[ 20.961231] __driver_attach+0xa4/0x110
+[ 20.965055] bus_for_each_dev+0xe8/0x158
+[ 20.968966] driver_attach+0x30/0x40
+[ 20.972531] bus_add_driver+0x234/0x2f0
+[ 20.976356] driver_register+0xbc/0x1d0
+[ 20.980182] acpi_processor_driver_init+0x40/0xe4
+[ 20.984875] do_one_initcall+0xb4/0x254
+[ 20.988700] kernel_init_freeable+0x24c/0x2f8
+[ 20.993047] kernel_init+0x10/0x118
+[ 20.996524] ret_from_fork+0x10/0x18
+[ 21.000087]
+[ 21.001567] Allocated by task 1:
+[ 21.004785] save_stack+0x28/0xc8
+[ 21.008089] __kasan_kmalloc.isra.9+0xbc/0xd8
+[ 21.012435] kasan_kmalloc+0xc/0x18
+[ 21.015913] pcc_data_alloc+0x94/0xb8
+[ 21.019564] acpi_cppc_processor_probe+0x4e8/0xb08
+[ 21.024343] __acpi_processor_start+0x48/0xb0
+[ 21.028689] acpi_processor_start+0x40/0x60
+[ 21.032860] really_probe+0x118/0x548
+[ 21.036512] driver_probe_device+0x7c/0x148
+[ 21.040684] device_driver_attach+0x94/0xa0
+[ 21.044855] __driver_attach+0xa4/0x110
+[ 21.048680] bus_for_each_dev+0xe8/0x158
+[ 21.052591] driver_attach+0x30/0x40
+[ 21.056155] bus_add_driver+0x234/0x2f0
+[ 21.059980] driver_register+0xbc/0x1d0
+[ 21.063805] acpi_processor_driver_init+0x40/0xe4
+[ 21.068497] do_one_initcall+0xb4/0x254
+[ 21.072322] kernel_init_freeable+0x24c/0x2f8
+[ 21.076667] kernel_init+0x10/0x118
+[ 21.080144] ret_from_fork+0x10/0x18
+[ 21.083707]
+[ 21.085186] Freed by task 1:
+[ 21.088056] save_stack+0x28/0xc8
+[ 21.091360] __kasan_slab_free+0x118/0x180
+[ 21.095445] kasan_slab_free+0x10/0x18
+[ 21.099183] kfree+0x80/0x268
+[ 21.102139] acpi_cppc_processor_exit+0x1a8/0x1b8
+[ 21.106832] acpi_processor_stop+0x70/0x80
+[ 21.110917] really_probe+0x174/0x548
+[ 21.114568] driver_probe_device+0x7c/0x148
+[ 21.118740] device_driver_attach+0x94/0xa0
+[ 21.122912] __driver_attach+0xa4/0x110
+[ 21.126736] bus_for_each_dev+0xe8/0x158
+[ 21.130648] driver_attach+0x30/0x40
+[ 21.134212] bus_add_driver+0x234/0x2f0
+[ 21.0x10/0x18
+[ 21.161764]
+[ 21.163244] The buggy address belongs to the object at ffff00236cdeb600
+[ 21.163244] which belongs to the cache kmalloc-256 of size 256
+[ 21.175750] The buggy address is located 132 bytes inside of
+[ 21.175750] 256-byte region [ffff00236cdeb600, ffff00236cdeb700)
+[ 21.187473] The buggy address belongs to the page:
+[ 21.192254] page:fffffe008d937a00 refcount:1 mapcount:0 mapping:ffff002370c0fa00 index:0x0 compound_mapcount: 0
+[ 21.202331] flags: 0x1ffff00000010200(slab|head)
+[ 21.206940] raw: 1ffff00000010200 dead000000000100 dead000000000122 ffff002370c0fa00
+[ 21.214671] raw: 0000000000000000 00000000802a002a 00000001ffffffff 0000000000000000
+[ 21.222400] page dumped because: kasan: bad access detected
+[ 21.227959]
+[ 21.229438] Memory state around the buggy address:
+[ 21.234218] ffff00236cdeb580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 21.241427] ffff00236cdeb600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 21.248637] >ffff00236cdeb680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 21.255845] ^
+[ 21.259062] ffff00236cdeb700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 21.266272] ffff00236cdeb780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 21.273480] ==================================================================
+
+It seems that global pcc_data[pcc_ss_id] can be freed in
+acpi_cppc_processor_exit(), but we may later reference this value, so
+NULLify it when freed.
+
+Also remove the useless setting of data "pcc_channel_acquired", which
+we're about to free.
+
+Fixes: 85b1407bf6d2 ("ACPI / CPPC: Make CPPC ACPI driver aware of PCC subspace IDs")
+Signed-off-by: John Garry <john.garry@huawei.com>
+Cc: 4.15+ <stable@vger.kernel.org> # 4.15+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/cppc_acpi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/acpi/cppc_acpi.c
++++ b/drivers/acpi/cppc_acpi.c
+@@ -909,8 +909,8 @@ void acpi_cppc_processor_exit(struct acp
+ pcc_data[pcc_ss_id]->refcount--;
+ if (!pcc_data[pcc_ss_id]->refcount) {
+ pcc_mbox_free_channel(pcc_data[pcc_ss_id]->pcc_channel);
+- pcc_data[pcc_ss_id]->pcc_channel_acquired = 0;
+ kfree(pcc_data[pcc_ss_id]);
++ pcc_data[pcc_ss_id] = NULL;
+ }
+ }
+ }
--- /dev/null
+From 22e58665a01006d05f0239621f7d41cacca96cc4 Mon Sep 17 00:00:00 2001
+From: Junya Monden <jmonden@jp.adit-jv.com>
+Date: Wed, 16 Oct 2019 14:42:55 +0200
+Subject: ASoC: rsnd: Reinitialize bit clock inversion flag for every format setting
+
+From: Junya Monden <jmonden@jp.adit-jv.com>
+
+commit 22e58665a01006d05f0239621f7d41cacca96cc4 upstream.
+
+Unlike other format-related DAI parameters, rdai->bit_clk_inv flag
+is not properly re-initialized when setting format for new stream
+processing. The inversion, if requested, is then applied not to default,
+but to a previous value, which leads to SCKP bit in SSICR register being
+set incorrectly.
+Fix this by re-setting the flag to its initial value, determined by format.
+
+Fixes: 1a7889ca8aba3 ("ASoC: rsnd: fixup SND_SOC_DAIFMT_xB_xF behavior")
+Cc: Andrew Gabbasov <andrew_gabbasov@mentor.com>
+Cc: Jiada Wang <jiada_wang@mentor.com>
+Cc: Timo Wischer <twischer@de.adit-jv.com>
+Cc: stable@vger.kernel.org # v3.17+
+Signed-off-by: Junya Monden <jmonden@jp.adit-jv.com>
+Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
+Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://lore.kernel.org/r/20191016124255.7442-1-erosca@de.adit-jv.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/sh/rcar/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/soc/sh/rcar/core.c
++++ b/sound/soc/sh/rcar/core.c
+@@ -674,6 +674,7 @@ static int rsnd_soc_dai_set_fmt(struct s
+ }
+
+ /* set format */
++ rdai->bit_clk_inv = 0;
+ switch (fmt & SND_SOC_DAIFMT_FORMAT_MASK) {
+ case SND_SOC_DAIFMT_I2S:
+ rdai->sys_delay = 0;
--- /dev/null
+From 4ac2813cc867ae563a1ba5a9414bfb554e5796fa Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Fri, 4 Oct 2019 10:51:32 +0100
+Subject: cfg80211: wext: avoid copying malformed SSIDs
+
+From: Will Deacon <will@kernel.org>
+
+commit 4ac2813cc867ae563a1ba5a9414bfb554e5796fa upstream.
+
+Ensure the SSID element is bounds-checked prior to invoking memcpy()
+with its length field, when copying to userspace.
+
+Cc: <stable@vger.kernel.org>
+Cc: Kees Cook <keescook@chromium.org>
+Reported-by: Nicolas Waisman <nico@semmle.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20191004095132.15777-2-will@kernel.org
+[adjust commit log a bit]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/wext-sme.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/wireless/wext-sme.c
++++ b/net/wireless/wext-sme.c
+@@ -202,6 +202,7 @@ int cfg80211_mgd_wext_giwessid(struct ne
+ struct iw_point *data, char *ssid)
+ {
+ struct wireless_dev *wdev = dev->ieee80211_ptr;
++ int ret = 0;
+
+ /* call only for station! */
+ if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION))
+@@ -219,7 +220,10 @@ int cfg80211_mgd_wext_giwessid(struct ne
+ if (ie) {
+ data->flags = 1;
+ data->length = ie[1];
+- memcpy(ssid, ie + 2, data->length);
++ if (data->length > IW_ESSID_MAX_SIZE)
++ ret = -EINVAL;
++ else
++ memcpy(ssid, ie + 2, data->length);
+ }
+ rcu_read_unlock();
+ } else if (wdev->wext.connect.ssid && wdev->wext.connect.ssid_len) {
+@@ -229,7 +233,7 @@ int cfg80211_mgd_wext_giwessid(struct ne
+ }
+ wdev_unlock(wdev);
+
+- return 0;
++ return ret;
+ }
+
+ int cfg80211_mgd_wext_siwap(struct net_device *dev,
--- /dev/null
+From 641fe2e9387a36f9ee01d7c69382d1fe147a5e98 Mon Sep 17 00:00:00 2001
+From: David Hildenbrand <david@redhat.com>
+Date: Fri, 18 Oct 2019 20:19:16 -0700
+Subject: drivers/base/memory.c: don't access uninitialized memmaps in soft_offline_page_store()
+
+From: David Hildenbrand <david@redhat.com>
+
+commit 641fe2e9387a36f9ee01d7c69382d1fe147a5e98 upstream.
+
+Uninitialized memmaps contain garbage and in the worst case trigger kernel
+BUGs, especially with CONFIG_PAGE_POISONING. They should not get touched.
+
+Right now, when trying to soft-offline a PFN that resides on a memory
+block that was never onlined, one gets a misleading error with
+CONFIG_PAGE_POISONING:
+
+ :/# echo 5637144576 > /sys/devices/system/memory/soft_offline_page
+ [ 23.097167] soft offline: 0x150000 page already poisoned
+
+But the actual result depends on the garbage in the memmap.
+
+soft_offline_page() can only work with online pages, it returns -EIO in
+case of ZONE_DEVICE. Make sure to only forward pages that are online
+(iow, managed by the buddy) and, therefore, have an initialized memmap.
+
+Add a check against pfn_to_online_page() and similarly return -EIO.
+
+Link: http://lkml.kernel.org/r/20191010141200.8985-1-david@redhat.com
+Fixes: f1dd2cd13c4b ("mm, memory_hotplug: do not associate hotadded memory to zones until online") [visible after d0dc12e86b319]
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Acked-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: "Rafael J. Wysocki" <rafael@kernel.org>
+Cc: <stable@vger.kernel.org> [4.13+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/memory.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/base/memory.c
++++ b/drivers/base/memory.c
+@@ -554,6 +554,9 @@ store_soft_offline_page(struct device *d
+ pfn >>= PAGE_SHIFT;
+ if (!pfn_valid(pfn))
+ return -ENXIO;
++ /* Only online pages can be soft-offlined (esp., not ZONE_DEVICE). */
++ if (!pfn_to_online_page(pfn))
++ return -EIO;
+ ret = soft_offline_page(pfn_to_page(pfn), 0);
+ return ret == 0 ? count : ret;
+ }
--- /dev/null
+From 984d7a929ad68b7be9990fc9c5cfa5d5c9fc7942 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Thu, 10 Oct 2019 18:28:17 +0200
+Subject: drm/amdgpu: Bail earlier when amdgpu.cik_/si_support is not set to 1
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 984d7a929ad68b7be9990fc9c5cfa5d5c9fc7942 upstream.
+
+Bail from the pci_driver probe function instead of from the drm_driver
+load function.
+
+This avoid /dev/dri/card0 temporarily getting registered and then
+unregistered again, sending unwanted add / remove udev events to
+userspace.
+
+Specifically this avoids triggering the (userspace) bug fixed by this
+plymouth merge-request:
+https://gitlab.freedesktop.org/plymouth/plymouth/merge_requests/59
+
+Note that despite that being a userspace bug, not sending unnecessary
+udev events is a good idea in general.
+
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1490490
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 35 ++++++++++++++++++++++++++++++++
+ drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 35 --------------------------------
+ 2 files changed, 35 insertions(+), 35 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+@@ -841,6 +841,41 @@ static int amdgpu_pci_probe(struct pci_d
+ if (ret == -EPROBE_DEFER)
+ return ret;
+
++#ifdef CONFIG_DRM_AMDGPU_SI
++ if (!amdgpu_si_support) {
++ switch (flags & AMD_ASIC_MASK) {
++ case CHIP_TAHITI:
++ case CHIP_PITCAIRN:
++ case CHIP_VERDE:
++ case CHIP_OLAND:
++ case CHIP_HAINAN:
++ dev_info(&pdev->dev,
++ "SI support provided by radeon.\n");
++ dev_info(&pdev->dev,
++ "Use radeon.si_support=0 amdgpu.si_support=1 to override.\n"
++ );
++ return -ENODEV;
++ }
++ }
++#endif
++#ifdef CONFIG_DRM_AMDGPU_CIK
++ if (!amdgpu_cik_support) {
++ switch (flags & AMD_ASIC_MASK) {
++ case CHIP_KAVERI:
++ case CHIP_BONAIRE:
++ case CHIP_HAWAII:
++ case CHIP_KABINI:
++ case CHIP_MULLINS:
++ dev_info(&pdev->dev,
++ "CIK support provided by radeon.\n");
++ dev_info(&pdev->dev,
++ "Use radeon.cik_support=0 amdgpu.cik_support=1 to override.\n"
++ );
++ return -ENODEV;
++ }
++ }
++#endif
++
+ /* Get rid of things like offb */
+ ret = amdgpu_kick_out_firmware_fb(pdev);
+ if (ret)
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
+@@ -87,41 +87,6 @@ int amdgpu_driver_load_kms(struct drm_de
+ struct amdgpu_device *adev;
+ int r, acpi_status;
+
+-#ifdef CONFIG_DRM_AMDGPU_SI
+- if (!amdgpu_si_support) {
+- switch (flags & AMD_ASIC_MASK) {
+- case CHIP_TAHITI:
+- case CHIP_PITCAIRN:
+- case CHIP_VERDE:
+- case CHIP_OLAND:
+- case CHIP_HAINAN:
+- dev_info(dev->dev,
+- "SI support provided by radeon.\n");
+- dev_info(dev->dev,
+- "Use radeon.si_support=0 amdgpu.si_support=1 to override.\n"
+- );
+- return -ENODEV;
+- }
+- }
+-#endif
+-#ifdef CONFIG_DRM_AMDGPU_CIK
+- if (!amdgpu_cik_support) {
+- switch (flags & AMD_ASIC_MASK) {
+- case CHIP_KAVERI:
+- case CHIP_BONAIRE:
+- case CHIP_HAWAII:
+- case CHIP_KABINI:
+- case CHIP_MULLINS:
+- dev_info(dev->dev,
+- "CIK support provided by radeon.\n");
+- dev_info(dev->dev,
+- "Use radeon.cik_support=0 amdgpu.cik_support=1 to override.\n"
+- );
+- return -ENODEV;
+- }
+- }
+-#endif
+-
+ adev = kzalloc(sizeof(struct amdgpu_device), GFP_KERNEL);
+ if (adev == NULL) {
+ return -ENOMEM;
--- /dev/null
+From 11bcf5f78905b90baae8fb01e16650664ed0cb00 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Tue, 2 Apr 2019 11:30:37 +0800
+Subject: drm/edid: Add 6 bpc quirk for SDC panel in Lenovo G50
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit 11bcf5f78905b90baae8fb01e16650664ed0cb00 upstream.
+
+Another panel that needs 6BPC quirk.
+
+BugLink: https://bugs.launchpad.net/bugs/1819968
+Cc: <stable@vger.kernel.org> # v4.8+
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190402033037.21877-1-kai.heng.feng@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_edid.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/drm_edid.c
++++ b/drivers/gpu/drm/drm_edid.c
+@@ -166,6 +166,9 @@ static const struct edid_quirk {
+ /* Medion MD 30217 PG */
+ { "MED", 0x7b8, EDID_QUIRK_PREFER_LARGE_75 },
+
++ /* Lenovo G50 */
++ { "SDC", 18514, EDID_QUIRK_FORCE_6BPC },
++
+ /* Panel in Samsung NP700G7A-S01PL notebook reports 6bpc */
+ { "SEC", 0xd033, EDID_QUIRK_FORCE_8BPC },
+
--- /dev/null
+From 941f2f72dbbe0cf8c2d6e0b180a8021a0ec477fa Mon Sep 17 00:00:00 2001
+From: Thomas Hellstrom <thellstrom@vmware.com>
+Date: Thu, 12 Sep 2019 20:38:54 +0200
+Subject: drm/ttm: Restore ttm prefaulting
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Hellstrom <thellstrom@vmware.com>
+
+commit 941f2f72dbbe0cf8c2d6e0b180a8021a0ec477fa upstream.
+
+Commit 4daa4fba3a38 ("gpu: drm: ttm: Adding new return type vm_fault_t")
+broke TTM prefaulting. Since vmf_insert_mixed() typically always returns
+VM_FAULT_NOPAGE, prefaulting stops after the second PTE.
+
+Restore (almost) the original behaviour. Unfortunately we can no longer
+with the new vm_fault_t return type determine whether a prefaulting
+PTE insertion hit an already populated PTE, and terminate the insertion
+loop. Instead we continue with the pre-determined number of prefaults.
+
+Fixes: 4daa4fba3a38 ("gpu: drm: ttm: Adding new return type vm_fault_t")
+Cc: Souptick Joarder <jrdr.linux@gmail.com>
+Cc: Christian König <christian.koenig@amd.com>
+Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Cc: stable@vger.kernel.org # v4.19+
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Link: https://patchwork.freedesktop.org/patch/330387/
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/ttm/ttm_bo_vm.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+--- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
++++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
+@@ -273,15 +273,13 @@ static vm_fault_t ttm_bo_vm_fault(struct
+ else
+ ret = vmf_insert_pfn(&cvma, address, pfn);
+
+- /*
+- * Somebody beat us to this PTE or prefaulting to
+- * an already populated PTE, or prefaulting error.
+- */
+-
+- if (unlikely((ret == VM_FAULT_NOPAGE && i > 0)))
+- break;
+- else if (unlikely(ret & VM_FAULT_ERROR))
+- goto out_io_unlock;
++ /* Never error on prefaulted PTEs */
++ if (unlikely((ret & VM_FAULT_ERROR))) {
++ if (i == 0)
++ goto out_io_unlock;
++ else
++ break;
++ }
+
+ address += PAGE_SIZE;
+ if (unlikely(++page_offset >= page_last))
--- /dev/null
+From aad5f69bc161af489dbb5934868bd347282f0764 Mon Sep 17 00:00:00 2001
+From: David Hildenbrand <david@redhat.com>
+Date: Fri, 18 Oct 2019 20:19:20 -0700
+Subject: fs/proc/page.c: don't access uninitialized memmaps in fs/proc/page.c
+
+From: David Hildenbrand <david@redhat.com>
+
+commit aad5f69bc161af489dbb5934868bd347282f0764 upstream.
+
+There are three places where we access uninitialized memmaps, namely:
+- /proc/kpagecount
+- /proc/kpageflags
+- /proc/kpagecgroup
+
+We have initialized memmaps either when the section is online or when the
+page was initialized to the ZONE_DEVICE. Uninitialized memmaps contain
+garbage and in the worst case trigger kernel BUGs, especially with
+CONFIG_PAGE_POISONING.
+
+For example, not onlining a DIMM during boot and calling /proc/kpagecount
+with CONFIG_PAGE_POISONING:
+
+ :/# cat /proc/kpagecount > tmp.test
+ BUG: unable to handle page fault for address: fffffffffffffffe
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 114616067 P4D 114616067 PUD 114618067 PMD 0
+ Oops: 0000 [#1] SMP NOPTI
+ CPU: 0 PID: 469 Comm: cat Not tainted 5.4.0-rc1-next-20191004+ #11
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.4
+ RIP: 0010:kpagecount_read+0xce/0x1e0
+ Code: e8 09 83 e0 3f 48 0f a3 02 73 2d 4c 89 e7 48 c1 e7 06 48 03 3d ab 51 01 01 74 1d 48 8b 57 08 480
+ RSP: 0018:ffffa14e409b7e78 EFLAGS: 00010202
+ RAX: fffffffffffffffe RBX: 0000000000020000 RCX: 0000000000000000
+ RDX: 0000000000000001 RSI: 00007f76b5595000 RDI: fffff35645000000
+ RBP: 00007f76b5595000 R08: 0000000000000001 R09: 0000000000000000
+ R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000140000
+ R13: 0000000000020000 R14: 00007f76b5595000 R15: ffffa14e409b7f08
+ FS: 00007f76b577d580(0000) GS:ffff8f41bd400000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: fffffffffffffffe CR3: 0000000078960000 CR4: 00000000000006f0
+ Call Trace:
+ proc_reg_read+0x3c/0x60
+ vfs_read+0xc5/0x180
+ ksys_read+0x68/0xe0
+ do_syscall_64+0x5c/0xa0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+For now, let's drop support for ZONE_DEVICE from the three pseudo files
+in order to fix this. To distinguish offline memory (with garbage
+memmap) from ZONE_DEVICE memory with properly initialized memmaps, we
+would have to check get_dev_pagemap() and pfn_zone_device_reserved()
+right now. The usage of both (especially, special casing devmem) is
+frowned upon and needs to be reworked.
+
+The fundamental issue we have is:
+
+ if (pfn_to_online_page(pfn)) {
+ /* memmap initialized */
+ } else if (pfn_valid(pfn)) {
+ /*
+ * ???
+ * a) offline memory. memmap garbage.
+ * b) devmem: memmap initialized to ZONE_DEVICE.
+ * c) devmem: reserved for driver. memmap garbage.
+ * (d) devmem: memmap currently initializing - garbage)
+ */
+ }
+
+We'll leave the pfn_zone_device_reserved() check in stable_page_flags()
+in place as that function is also used from memory failure. We now no
+longer dump information about pages that are not in use anymore -
+offline.
+
+Link: http://lkml.kernel.org/r/20191009142435.3975-2-david@redhat.com
+Fixes: f1dd2cd13c4b ("mm, memory_hotplug: do not associate hotadded memory to zones until online") [visible after d0dc12e86b319]
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Reported-by: Qian Cai <cai@lca.pw>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Stephen Rothwell <sfr@canb.auug.org.au>
+Cc: Toshiki Fukasawa <t-fukasawa@vx.jp.nec.com>
+Cc: Pankaj gupta <pagupta@redhat.com>
+Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
+Cc: Anthony Yznaga <anthony.yznaga@oracle.com>
+Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com>
+Cc: <stable@vger.kernel.org> [4.13+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/proc/page.c | 28 ++++++++++++++++------------
+ 1 file changed, 16 insertions(+), 12 deletions(-)
+
+--- a/fs/proc/page.c
++++ b/fs/proc/page.c
+@@ -42,10 +42,12 @@ static ssize_t kpagecount_read(struct fi
+ return -EINVAL;
+
+ while (count > 0) {
+- if (pfn_valid(pfn))
+- ppage = pfn_to_page(pfn);
+- else
+- ppage = NULL;
++ /*
++ * TODO: ZONE_DEVICE support requires to identify
++ * memmaps that were actually initialized.
++ */
++ ppage = pfn_to_online_page(pfn);
++
+ if (!ppage || PageSlab(ppage))
+ pcount = 0;
+ else
+@@ -216,10 +218,11 @@ static ssize_t kpageflags_read(struct fi
+ return -EINVAL;
+
+ while (count > 0) {
+- if (pfn_valid(pfn))
+- ppage = pfn_to_page(pfn);
+- else
+- ppage = NULL;
++ /*
++ * TODO: ZONE_DEVICE support requires to identify
++ * memmaps that were actually initialized.
++ */
++ ppage = pfn_to_online_page(pfn);
+
+ if (put_user(stable_page_flags(ppage), out)) {
+ ret = -EFAULT;
+@@ -261,10 +264,11 @@ static ssize_t kpagecgroup_read(struct f
+ return -EINVAL;
+
+ while (count > 0) {
+- if (pfn_valid(pfn))
+- ppage = pfn_to_page(pfn);
+- else
+- ppage = NULL;
++ /*
++ * TODO: ZONE_DEVICE support requires to identify
++ * memmaps that were actually initialized.
++ */
++ ppage = pfn_to_online_page(pfn);
+
+ if (ppage)
+ ino = page_cgroup_ino(ppage);
--- /dev/null
+From afce285b859cea91c182015fc9858ea58c26cd0e Mon Sep 17 00:00:00 2001
+From: Marco Felsch <m.felsch@pengutronix.de>
+Date: Mon, 16 Sep 2019 12:45:48 -0700
+Subject: Input: da9063 - fix capability and drop KEY_SLEEP
+
+From: Marco Felsch <m.felsch@pengutronix.de>
+
+commit afce285b859cea91c182015fc9858ea58c26cd0e upstream.
+
+Since commit f889beaaab1c ("Input: da9063 - report KEY_POWER instead of
+KEY_SLEEP during power key-press") KEY_SLEEP isn't supported anymore. This
+caused input device to not generate any events if "dlg,disable-key-power"
+is set.
+
+Fix this by unconditionally setting KEY_POWER capability, and not
+declaring KEY_SLEEP.
+
+Fixes: f889beaaab1c ("Input: da9063 - report KEY_POWER instead of KEY_SLEEP during power key-press")
+Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/misc/da9063_onkey.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/input/misc/da9063_onkey.c
++++ b/drivers/input/misc/da9063_onkey.c
+@@ -248,10 +248,7 @@ static int da9063_onkey_probe(struct pla
+ onkey->input->phys = onkey->phys;
+ onkey->input->dev.parent = &pdev->dev;
+
+- if (onkey->key_power)
+- input_set_capability(onkey->input, EV_KEY, KEY_POWER);
+-
+- input_set_capability(onkey->input, EV_KEY, KEY_SLEEP);
++ input_set_capability(onkey->input, EV_KEY, KEY_POWER);
+
+ INIT_DELAYED_WORK(&onkey->work, da9063_poll_on);
+
--- /dev/null
+From 363c53875aef8fce69d4a2d0873919ccc7d9e2ad Mon Sep 17 00:00:00 2001
+From: Evan Green <evgreen@chromium.org>
+Date: Fri, 11 Oct 2019 17:22:09 -0700
+Subject: Input: synaptics-rmi4 - avoid processing unknown IRQs
+
+From: Evan Green <evgreen@chromium.org>
+
+commit 363c53875aef8fce69d4a2d0873919ccc7d9e2ad upstream.
+
+rmi_process_interrupt_requests() calls handle_nested_irq() for
+each interrupt status bit it finds. If the irq domain mapping for
+this bit had not yet been set up, then it ends up calling
+handle_nested_irq(0), which causes a NULL pointer dereference.
+
+There's already code that masks the irq_status bits coming out of the
+hardware with current_irq_mask, presumably to avoid this situation.
+However current_irq_mask seems to more reflect the actual mask set
+in the hardware rather than the IRQs software has set up and registered
+for. For example, in rmi_driver_reset_handler(), the current_irq_mask
+is initialized based on what is read from the hardware. If the reset
+value of this mask enables IRQs that Linux has not set up yet, then
+we end up in this situation.
+
+There appears to be a third unused bitmask that used to serve this
+purpose, fn_irq_bits. Use that bitmask instead of current_irq_mask
+to avoid calling handle_nested_irq() on IRQs that have not yet been
+set up.
+
+Signed-off-by: Evan Green <evgreen@chromium.org>
+Reviewed-by: Andrew Duggan <aduggan@synaptics.com>
+Link: https://lore.kernel.org/r/20191008223657.163366-1-evgreen@chromium.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/rmi4/rmi_driver.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/rmi4/rmi_driver.c
++++ b/drivers/input/rmi4/rmi_driver.c
+@@ -149,7 +149,7 @@ static int rmi_process_interrupt_request
+ }
+
+ mutex_lock(&data->irq_mutex);
+- bitmap_and(data->irq_status, data->irq_status, data->current_irq_mask,
++ bitmap_and(data->irq_status, data->irq_status, data->fn_irq_bits,
+ data->irq_count);
+ /*
+ * At this point, irq_status has all bits that are set in the
+@@ -388,6 +388,8 @@ static int rmi_driver_set_irq_bits(struc
+ bitmap_copy(data->current_irq_mask, data->new_irq_mask,
+ data->num_of_irq_regs);
+
++ bitmap_or(data->fn_irq_bits, data->fn_irq_bits, mask, data->irq_count);
++
+ error_unlock:
+ mutex_unlock(&data->irq_mutex);
+ return error;
+@@ -401,6 +403,8 @@ static int rmi_driver_clear_irq_bits(str
+ struct device *dev = &rmi_dev->dev;
+
+ mutex_lock(&data->irq_mutex);
++ bitmap_andnot(data->fn_irq_bits,
++ data->fn_irq_bits, mask, data->irq_count);
+ bitmap_andnot(data->new_irq_mask,
+ data->current_irq_mask, mask, data->irq_count);
+
--- /dev/null
+From 4152561f5da3fca92af7179dd538ea89e248f9d0 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Fri, 4 Oct 2019 10:51:31 +0100
+Subject: mac80211: Reject malformed SSID elements
+
+From: Will Deacon <will@kernel.org>
+
+commit 4152561f5da3fca92af7179dd538ea89e248f9d0 upstream.
+
+Although this shouldn't occur in practice, it's a good idea to bounds
+check the length field of the SSID element prior to using it for things
+like allocations or memcpy operations.
+
+Cc: <stable@vger.kernel.org>
+Cc: Kees Cook <keescook@chromium.org>
+Reported-by: Nicolas Waisman <nico@semmle.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20191004095132.15777-1-will@kernel.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/mlme.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -2554,7 +2554,8 @@ struct sk_buff *ieee80211_ap_probereq_ge
+
+ rcu_read_lock();
+ ssid = ieee80211_bss_get_ie(cbss, WLAN_EID_SSID);
+- if (WARN_ON_ONCE(ssid == NULL))
++ if (WARN_ONCE(!ssid || ssid[1] > IEEE80211_MAX_SSID_LEN,
++ "invalid SSID element (len=%d)", ssid ? ssid[1] : -1))
+ ssid_len = 0;
+ else
+ ssid_len = ssid[1];
+@@ -5039,7 +5040,7 @@ int ieee80211_mgd_assoc(struct ieee80211
+
+ rcu_read_lock();
+ ssidie = ieee80211_bss_get_ie(req->bss, WLAN_EID_SSID);
+- if (!ssidie) {
++ if (!ssidie || ssidie[1] > sizeof(assoc_data->ssid)) {
+ rcu_read_unlock();
+ kfree(assoc_data);
+ return -EINVAL;
--- /dev/null
+From b42aa3fd5957e4daf4b69129e5ce752a2a53e7d6 Mon Sep 17 00:00:00 2001
+From: Paul Burton <paulburton@kernel.org>
+Date: Fri, 18 Oct 2019 15:38:48 -0700
+Subject: MIPS: tlbex: Fix build_restore_pagemask KScratch restore
+
+From: Paul Burton <paulburton@kernel.org>
+
+commit b42aa3fd5957e4daf4b69129e5ce752a2a53e7d6 upstream.
+
+build_restore_pagemask() will restore the value of register $1/$at when
+its restore_scratch argument is non-zero, and aims to do so by filling a
+branch delay slot. Commit 0b24cae4d535 ("MIPS: Add missing EHB in mtc0
+-> mfc0 sequence.") added an EHB instruction (Execution Hazard Barrier)
+prior to restoring $1 from a KScratch register, in order to resolve a
+hazard that can result in stale values of the KScratch register being
+observed. In particular, P-class CPUs from MIPS with out of order
+execution pipelines such as the P5600 & P6600 are affected.
+
+Unfortunately this EHB instruction was inserted in the branch delay slot
+causing the MFC0 instruction which performs the restoration to no longer
+execute along with the branch. The result is that the $1 register isn't
+actually restored, ie. the TLB refill exception handler clobbers it -
+which is exactly the problem the EHB is meant to avoid for the P-class
+CPUs.
+
+Similarly build_get_pgd_vmalloc() will restore the value of $1/$at when
+its mode argument equals refill_scratch, and suffers from the same
+problem.
+
+Fix this by in both cases moving the EHB earlier in the emitted code.
+There's no reason it needs to immediately precede the MFC0 - it simply
+needs to be between the MTC0 & MFC0.
+
+This bug only affects Cavium Octeon systems which use
+build_fast_tlb_refill_handler().
+
+Signed-off-by: Paul Burton <paulburton@kernel.org>
+Fixes: 0b24cae4d535 ("MIPS: Add missing EHB in mtc0 -> mfc0 sequence.")
+Cc: Dmitry Korotin <dkorotin@wavecomp.com>
+Cc: stable@vger.kernel.org # v3.15+
+Cc: linux-mips@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/mm/tlbex.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+--- a/arch/mips/mm/tlbex.c
++++ b/arch/mips/mm/tlbex.c
+@@ -654,6 +654,13 @@ static void build_restore_pagemask(u32 *
+ int restore_scratch)
+ {
+ if (restore_scratch) {
++ /*
++ * Ensure the MFC0 below observes the value written to the
++ * KScratch register by the prior MTC0.
++ */
++ if (scratch_reg >= 0)
++ uasm_i_ehb(p);
++
+ /* Reset default page size */
+ if (PM_DEFAULT_MASK >> 16) {
+ uasm_i_lui(p, tmp, PM_DEFAULT_MASK >> 16);
+@@ -668,12 +675,10 @@ static void build_restore_pagemask(u32 *
+ uasm_i_mtc0(p, 0, C0_PAGEMASK);
+ uasm_il_b(p, r, lid);
+ }
+- if (scratch_reg >= 0) {
+- uasm_i_ehb(p);
++ if (scratch_reg >= 0)
+ UASM_i_MFC0(p, 1, c0_kscratch(), scratch_reg);
+- } else {
++ else
+ UASM_i_LW(p, 1, scratchpad_offset(0), 0);
+- }
+ } else {
+ /* Reset default page size */
+ if (PM_DEFAULT_MASK >> 16) {
+@@ -922,6 +927,10 @@ build_get_pgd_vmalloc64(u32 **p, struct
+ }
+ if (mode != not_refill && check_for_high_segbits) {
+ uasm_l_large_segbits_fault(l, *p);
++
++ if (mode == refill_scratch && scratch_reg >= 0)
++ uasm_i_ehb(p);
++
+ /*
+ * We get here if we are an xsseg address, or if we are
+ * an xuseg address above (PGDIR_SHIFT+PGDIR_BITS) boundary.
+@@ -938,12 +947,10 @@ build_get_pgd_vmalloc64(u32 **p, struct
+ uasm_i_jr(p, ptr);
+
+ if (mode == refill_scratch) {
+- if (scratch_reg >= 0) {
+- uasm_i_ehb(p);
++ if (scratch_reg >= 0)
+ UASM_i_MFC0(p, 1, c0_kscratch(), scratch_reg);
+- } else {
++ else
+ UASM_i_LW(p, 1, scratchpad_offset(0), 0);
+- }
+ } else {
+ uasm_i_nop(p);
+ }
--- /dev/null
+From 6a0990eaa768dfb7064f06777743acc6d392084b Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Wed, 9 Oct 2019 10:35:36 -0700
+Subject: scsi: ch: Make it possible to open a ch device multiple times again
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit 6a0990eaa768dfb7064f06777743acc6d392084b upstream.
+
+Clearing ch->device in ch_release() is wrong because that pointer must
+remain valid until ch_remove() is called. This patch fixes the following
+crash the second time a ch device is opened:
+
+BUG: kernel NULL pointer dereference, address: 0000000000000790
+RIP: 0010:scsi_device_get+0x5/0x60
+Call Trace:
+ ch_open+0x4c/0xa0 [ch]
+ chrdev_open+0xa2/0x1c0
+ do_dentry_open+0x13a/0x380
+ path_openat+0x591/0x1470
+ do_filp_open+0x91/0x100
+ do_sys_open+0x184/0x220
+ do_syscall_64+0x5f/0x1a0
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 085e56766f74 ("scsi: ch: add refcounting")
+Cc: Hannes Reinecke <hare@suse.de>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191009173536.247889-1-bvanassche@acm.org
+Reported-by: Rob Turk <robtu@rtist.nl>
+Suggested-by: Rob Turk <robtu@rtist.nl>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/ch.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/scsi/ch.c
++++ b/drivers/scsi/ch.c
+@@ -578,7 +578,6 @@ ch_release(struct inode *inode, struct f
+ scsi_changer *ch = file->private_data;
+
+ scsi_device_put(ch->device);
+- ch->device = NULL;
+ file->private_data = NULL;
+ kref_put(&ch->ref, ch_destroy);
+ return 0;
--- /dev/null
+From 8f8fed0cdbbd6cdbf28d9ebe662f45765d2f7d39 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <damien.lemoal@wdc.com>
+Date: Tue, 1 Oct 2019 16:48:39 +0900
+Subject: scsi: core: save/restore command resid for error handling
+
+From: Damien Le Moal <damien.lemoal@wdc.com>
+
+commit 8f8fed0cdbbd6cdbf28d9ebe662f45765d2f7d39 upstream.
+
+When a non-passthrough command is terminated with CHECK CONDITION, request
+sense is executed by hijacking the command descriptor. Since
+scsi_eh_prep_cmnd() and scsi_eh_restore_cmnd() do not save/restore the
+original command resid, the value returned on failure of the original
+command is lost and replaced with the value set by the execution of the
+request sense command. This value may in many instances be unaligned to the
+device sector size, causing sd_done() to print a warning message about the
+incorrect unaligned resid before the command is retried.
+
+Fix this problem by saving the original command residual in struct
+scsi_eh_save using scsi_eh_prep_cmnd() and restoring it in
+scsi_eh_restore_cmnd(). In addition, to make sure that the request sense
+command is executed with a correctly initialized command structure, also
+reset the residual to 0 in scsi_eh_prep_cmnd() after saving the original
+command value in struct scsi_eh_save.
+
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20191001074839.1994-1-damien.lemoal@wdc.com
+Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/scsi_error.c | 3 +++
+ include/scsi/scsi_eh.h | 1 +
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/scsi/scsi_error.c
++++ b/drivers/scsi/scsi_error.c
+@@ -970,6 +970,7 @@ void scsi_eh_prep_cmnd(struct scsi_cmnd
+ ses->sdb = scmd->sdb;
+ ses->next_rq = scmd->request->next_rq;
+ ses->result = scmd->result;
++ ses->resid_len = scmd->req.resid_len;
+ ses->underflow = scmd->underflow;
+ ses->prot_op = scmd->prot_op;
+ ses->eh_eflags = scmd->eh_eflags;
+@@ -981,6 +982,7 @@ void scsi_eh_prep_cmnd(struct scsi_cmnd
+ memset(&scmd->sdb, 0, sizeof(scmd->sdb));
+ scmd->request->next_rq = NULL;
+ scmd->result = 0;
++ scmd->req.resid_len = 0;
+
+ if (sense_bytes) {
+ scmd->sdb.length = min_t(unsigned, SCSI_SENSE_BUFFERSIZE,
+@@ -1034,6 +1036,7 @@ void scsi_eh_restore_cmnd(struct scsi_cm
+ scmd->sdb = ses->sdb;
+ scmd->request->next_rq = ses->next_rq;
+ scmd->result = ses->result;
++ scmd->req.resid_len = ses->resid_len;
+ scmd->underflow = ses->underflow;
+ scmd->prot_op = ses->prot_op;
+ scmd->eh_eflags = ses->eh_eflags;
+--- a/include/scsi/scsi_eh.h
++++ b/include/scsi/scsi_eh.h
+@@ -32,6 +32,7 @@ extern int scsi_ioctl_reset(struct scsi_
+ struct scsi_eh_save {
+ /* saved state */
+ int result;
++ unsigned int resid_len;
+ int eh_eflags;
+ enum dma_data_direction data_direction;
+ unsigned underflow;
--- /dev/null
+From 77c301287ebae86cc71d03eb3806f271cb14da79 Mon Sep 17 00:00:00 2001
+From: Yufen Yu <yuyufen@huawei.com>
+Date: Tue, 15 Oct 2019 21:05:56 +0800
+Subject: scsi: core: try to get module before removing device
+
+From: Yufen Yu <yuyufen@huawei.com>
+
+commit 77c301287ebae86cc71d03eb3806f271cb14da79 upstream.
+
+We have a test case like block/001 in blktests, which will create a scsi
+device by loading scsi_debug module and then try to delete the device by
+sysfs interface. At the same time, it may remove the scsi_debug module.
+
+And getting a invalid paging request BUG_ON as following:
+
+[ 34.625854] BUG: unable to handle page fault for address: ffffffffa0016bb8
+[ 34.629189] Oops: 0000 [#1] SMP PTI
+[ 34.629618] CPU: 1 PID: 450 Comm: bash Tainted: G W 5.4.0-rc3+ #473
+[ 34.632524] RIP: 0010:scsi_proc_hostdir_rm+0x5/0xa0
+[ 34.643555] CR2: ffffffffa0016bb8 CR3: 000000012cd88000 CR4: 00000000000006e0
+[ 34.644545] Call Trace:
+[ 34.644907] scsi_host_dev_release+0x6b/0x1f0
+[ 34.645511] device_release+0x74/0x110
+[ 34.646046] kobject_put+0x116/0x390
+[ 34.646559] put_device+0x17/0x30
+[ 34.647041] scsi_target_dev_release+0x2b/0x40
+[ 34.647652] device_release+0x74/0x110
+[ 34.648186] kobject_put+0x116/0x390
+[ 34.648691] put_device+0x17/0x30
+[ 34.649157] scsi_device_dev_release_usercontext+0x2e8/0x360
+[ 34.649953] execute_in_process_context+0x29/0x80
+[ 34.650603] scsi_device_dev_release+0x20/0x30
+[ 34.651221] device_release+0x74/0x110
+[ 34.651732] kobject_put+0x116/0x390
+[ 34.652230] sysfs_unbreak_active_protection+0x3f/0x50
+[ 34.652935] sdev_store_delete.cold.4+0x71/0x8f
+[ 34.653579] dev_attr_store+0x1b/0x40
+[ 34.654103] sysfs_kf_write+0x3d/0x60
+[ 34.654603] kernfs_fop_write+0x174/0x250
+[ 34.655165] __vfs_write+0x1f/0x60
+[ 34.655639] vfs_write+0xc7/0x280
+[ 34.656117] ksys_write+0x6d/0x140
+[ 34.656591] __x64_sys_write+0x1e/0x30
+[ 34.657114] do_syscall_64+0xb1/0x400
+[ 34.657627] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 34.658335] RIP: 0033:0x7f156f337130
+
+During deleting scsi target, the scsi_debug module have been removed. Then,
+sdebug_driver_template belonged to the module cannot be accessd, resulting
+in scsi_proc_hostdir_rm() BUG_ON.
+
+To fix the bug, we add scsi_device_get() in sdev_store_delete() to try to
+increase refcount of module, avoiding the module been removed.
+
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20191015130556.18061-1-yuyufen@huawei.com
+Signed-off-by: Yufen Yu <yuyufen@huawei.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/scsi_sysfs.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/scsi_sysfs.c
++++ b/drivers/scsi/scsi_sysfs.c
+@@ -723,6 +723,14 @@ sdev_store_delete(struct device *dev, st
+ const char *buf, size_t count)
+ {
+ struct kernfs_node *kn;
++ struct scsi_device *sdev = to_scsi_device(dev);
++
++ /*
++ * We need to try to get module, avoiding the module been removed
++ * during delete.
++ */
++ if (scsi_device_get(sdev))
++ return -ENODEV;
+
+ kn = sysfs_break_active_protection(&dev->kobj, &attr->attr);
+ WARN_ON_ONCE(!kn);
+@@ -737,9 +745,10 @@ sdev_store_delete(struct device *dev, st
+ * state into SDEV_DEL.
+ */
+ device_remove_file(dev, attr);
+- scsi_remove_device(to_scsi_device(dev));
++ scsi_remove_device(sdev);
+ if (kn)
+ sysfs_unbreak_active_protection(kn);
++ scsi_device_put(sdev);
+ return count;
+ };
+ static DEVICE_ATTR(delete, S_IWUSR, NULL, sdev_store_delete);
--- /dev/null
+From 21e3d6c81179bbdfa279efc8de456c34b814cfd2 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 3 Sep 2019 12:18:39 +0200
+Subject: scsi: sd: Ignore a failure to sync cache due to lack of authorization
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 21e3d6c81179bbdfa279efc8de456c34b814cfd2 upstream.
+
+I've got a report about a UAS drive enclosure reporting back Sense: Logical
+unit access not authorized if the drive it holds is password protected.
+While the drive is obviously unusable in that state as a mass storage
+device, it still exists as a sd device and when the system is asked to
+perform a suspend of the drive, it will be sent a SYNCHRONIZE CACHE. If
+that fails due to password protection, the error must be ignored.
+
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20190903101840.16483-1-oneukum@suse.com
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -1646,7 +1646,8 @@ static int sd_sync_cache(struct scsi_dis
+ /* we need to evaluate the error return */
+ if (scsi_sense_valid(sshdr) &&
+ (sshdr->asc == 0x3a || /* medium not present */
+- sshdr->asc == 0x20)) /* invalid command */
++ sshdr->asc == 0x20 || /* invalid command */
++ (sshdr->asc == 0x74 && sshdr->ascq == 0x71))) /* drive is password locked */
+ /* this is no error here */
+ return 0;
+
--- /dev/null
+From 2190168aaea42c31bff7b9a967e7b045f07df095 Mon Sep 17 00:00:00 2001
+From: Steffen Maier <maier@linux.ibm.com>
+Date: Tue, 1 Oct 2019 12:49:49 +0200
+Subject: scsi: zfcp: fix reaction on bit error threshold notification
+
+From: Steffen Maier <maier@linux.ibm.com>
+
+commit 2190168aaea42c31bff7b9a967e7b045f07df095 upstream.
+
+On excessive bit errors for the FCP channel ingress fibre path, the channel
+notifies us. Previously, we only emitted a kernel message and a trace
+record. Since performance can become suboptimal with I/O timeouts due to
+bit errors, we now stop using an FCP device by default on channel
+notification so multipath on top can timely failover to other paths. A new
+module parameter zfcp.ber_stop can be used to get zfcp old behavior.
+
+User explanation of new kernel message:
+
+ * Description:
+ * The FCP channel reported that its bit error threshold has been exceeded.
+ * These errors might result from a problem with the physical components
+ * of the local fibre link into the FCP channel.
+ * The problem might be damage or malfunction of the cable or
+ * cable connection between the FCP channel and
+ * the adjacent fabric switch port or the point-to-point peer.
+ * Find details about the errors in the HBA trace for the FCP device.
+ * The zfcp device driver closed down the FCP device
+ * to limit the performance impact from possible I/O command timeouts.
+ * User action:
+ * Check for problems on the local fibre link, ensure that fibre optics are
+ * clean and functional, and all cables are properly plugged.
+ * After the repair action, you can manually recover the FCP device by
+ * writing "0" into its "failed" sysfs attribute.
+ * If recovery through sysfs is not possible, set the CHPID of the device
+ * offline and back online on the service element.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: <stable@vger.kernel.org> #2.6.30+
+Link: https://lore.kernel.org/r/20191001104949.42810-1-maier@linux.ibm.com
+Reviewed-by: Jens Remus <jremus@linux.ibm.com>
+Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
+Signed-off-by: Steffen Maier <maier@linux.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/scsi/zfcp_fsf.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/drivers/s390/scsi/zfcp_fsf.c
++++ b/drivers/s390/scsi/zfcp_fsf.c
+@@ -21,6 +21,11 @@
+
+ struct kmem_cache *zfcp_fsf_qtcb_cache;
+
++static bool ber_stop = true;
++module_param(ber_stop, bool, 0600);
++MODULE_PARM_DESC(ber_stop,
++ "Shuts down FCP devices for FCP channels that report a bit-error count in excess of its threshold (default on)");
++
+ static void zfcp_fsf_request_timeout_handler(struct timer_list *t)
+ {
+ struct zfcp_fsf_req *fsf_req = from_timer(fsf_req, t, timer);
+@@ -230,10 +235,15 @@ static void zfcp_fsf_status_read_handler
+ case FSF_STATUS_READ_SENSE_DATA_AVAIL:
+ break;
+ case FSF_STATUS_READ_BIT_ERROR_THRESHOLD:
+- dev_warn(&adapter->ccw_device->dev,
+- "The error threshold for checksum statistics "
+- "has been exceeded\n");
+ zfcp_dbf_hba_bit_err("fssrh_3", req);
++ if (ber_stop) {
++ dev_warn(&adapter->ccw_device->dev,
++ "All paths over this FCP device are disused because of excessive bit errors\n");
++ zfcp_erp_adapter_shutdown(adapter, 0, "fssrh_b");
++ } else {
++ dev_warn(&adapter->ccw_device->dev,
++ "The error threshold for checksum statistics has been exceeded\n");
++ }
+ break;
+ case FSF_STATUS_READ_LINK_DOWN:
+ zfcp_fsf_status_read_link_down(req);
usb-ldusb-fix-memleak-on-disconnect.patch
usb-usblp-fix-use-after-free-on-disconnect.patch
usb-ldusb-fix-read-info-leaks.patch
+mips-tlbex-fix-build_restore_pagemask-kscratch-restore.patch
+staging-wlan-ng-fix-exit-return-when-sme-key_idx-num_wepkeys.patch
+scsi-zfcp-fix-reaction-on-bit-error-threshold-notification.patch
+scsi-sd-ignore-a-failure-to-sync-cache-due-to-lack-of-authorization.patch
+scsi-core-save-restore-command-resid-for-error-handling.patch
+scsi-core-try-to-get-module-before-removing-device.patch
+scsi-ch-make-it-possible-to-open-a-ch-device-multiple-times-again.patch
+input-da9063-fix-capability-and-drop-key_sleep.patch
+input-synaptics-rmi4-avoid-processing-unknown-irqs.patch
+asoc-rsnd-reinitialize-bit-clock-inversion-flag-for-every-format-setting.patch
+acpi-cppc-set-pcc_data-to-null-in-acpi_cppc_processor_exit.patch
+cfg80211-wext-avoid-copying-malformed-ssids.patch
+mac80211-reject-malformed-ssid-elements.patch
+drm-edid-add-6-bpc-quirk-for-sdc-panel-in-lenovo-g50.patch
+drm-ttm-restore-ttm-prefaulting.patch
+drm-amdgpu-bail-earlier-when-amdgpu.cik_-si_support-is-not-set-to-1.patch
+drivers-base-memory.c-don-t-access-uninitialized-memmaps-in-soft_offline_page_store.patch
+fs-proc-page.c-don-t-access-uninitialized-memmaps-in-fs-proc-page.c.patch
--- /dev/null
+From 153c5d8191c26165dbbd2646448ca7207f7796d0 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Mon, 14 Oct 2019 12:02:01 +0100
+Subject: staging: wlan-ng: fix exit return when sme->key_idx >= NUM_WEPKEYS
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit 153c5d8191c26165dbbd2646448ca7207f7796d0 upstream.
+
+Currently the exit return path when sme->key_idx >= NUM_WEPKEYS is via
+label 'exit' and this checks if result is non-zero, however result has
+not been initialized and contains garbage. Fix this by replacing the
+goto with a return with the error code.
+
+Addresses-Coverity: ("Uninitialized scalar variable")
+Fixes: 0ca6d8e74489 ("Staging: wlan-ng: replace switch-case statements with macro")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191014110201.9874-1-colin.king@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/wlan-ng/cfg80211.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/staging/wlan-ng/cfg80211.c
++++ b/drivers/staging/wlan-ng/cfg80211.c
+@@ -476,10 +476,8 @@ static int prism2_connect(struct wiphy *
+ /* Set the encryption - we only support wep */
+ if (is_wep) {
+ if (sme->key) {
+- if (sme->key_idx >= NUM_WEPKEYS) {
+- err = -EINVAL;
+- goto exit;
+- }
++ if (sme->key_idx >= NUM_WEPKEYS)
++ return -EINVAL;
+
+ result = prism2_domibset_uint32(wlandev,
+ DIDmib_dot11smt_dot11PrivacyTable_dot11WEPDefaultKeyID,
projects / thirdparty / kernel / stable-queue.git / commitdiff
