--- /dev/null
+From d35bd764e6899a7bea71958f08d16cea5bfa1919 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Fri, 19 Jun 2020 11:51:34 -0400
+Subject: dm writecache: add cond_resched to loop in persistent_memory_claim()
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit d35bd764e6899a7bea71958f08d16cea5bfa1919 upstream.
+
+Add cond_resched() to a loop that fills in the mapper memory area
+because the loop can be executed many times.
+
+Fixes: 48debafe4f2fe ("dm: add writecache target")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-writecache.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/md/dm-writecache.c
++++ b/drivers/md/dm-writecache.c
+@@ -281,6 +281,8 @@ static int persistent_memory_claim(struc
+ while (daa-- && i < p) {
+ pages[i++] = pfn_t_to_page(pfn);
+ pfn.val++;
++ if (!(i & 15))
++ cond_resched();
+ }
+ } while (i < p);
+ wc->memory_map = vmap(pages, p, VM_MAP, PAGE_KERNEL);
--- /dev/null
+From 39495b12ef1cf602e6abd350dce2ef4199906531 Mon Sep 17 00:00:00 2001
+From: Huaisheng Ye <yehs1@lenovo.com>
+Date: Fri, 12 Jun 2020 23:59:11 +0800
+Subject: dm writecache: correct uncommitted_block when discarding uncommitted entry
+
+From: Huaisheng Ye <yehs1@lenovo.com>
+
+commit 39495b12ef1cf602e6abd350dce2ef4199906531 upstream.
+
+When uncommitted entry has been discarded, correct wc->uncommitted_block
+for getting the exact number.
+
+Fixes: 48debafe4f2fe ("dm: add writecache target")
+Cc: stable@vger.kernel.org
+Signed-off-by: Huaisheng Ye <yehs1@lenovo.com>
+Acked-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-writecache.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/md/dm-writecache.c
++++ b/drivers/md/dm-writecache.c
+@@ -811,6 +811,8 @@ static void writecache_discard(struct dm
+ writecache_wait_for_ios(wc, WRITE);
+ discarded_something = true;
+ }
++ if (!writecache_entry_is_committed(wc, e))
++ wc->uncommitted_blocks--;
+ writecache_free_entry(wc, e);
+ }
+
--- /dev/null
+From 35f760b44b1b9cb16a306bdcc7220fbbf78c4789 Mon Sep 17 00:00:00 2001
+From: Denis Efremov <efremov@linux.com>
+Date: Mon, 22 Jun 2020 23:31:22 +0300
+Subject: drm/radeon: fix fb_div check in ni_init_smc_spll_table()
+
+From: Denis Efremov <efremov@linux.com>
+
+commit 35f760b44b1b9cb16a306bdcc7220fbbf78c4789 upstream.
+
+clk_s is checked twice in a row in ni_init_smc_spll_table().
+fb_div should be checked instead.
+
+Fixes: 69e0b57a91ad ("drm/radeon/kms: add dpm support for cayman (v5)")
+Cc: stable@vger.kernel.org
+Signed-off-by: Denis Efremov <efremov@linux.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/ni_dpm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/radeon/ni_dpm.c
++++ b/drivers/gpu/drm/radeon/ni_dpm.c
+@@ -2126,7 +2126,7 @@ static int ni_init_smc_spll_table(struct
+ if (clk_s & ~(SMC_NISLANDS_SPLL_DIV_TABLE_CLKS_MASK >> SMC_NISLANDS_SPLL_DIV_TABLE_CLKS_SHIFT))
+ ret = -EINVAL;
+
+- if (clk_s & ~(SMC_NISLANDS_SPLL_DIV_TABLE_CLKS_MASK >> SMC_NISLANDS_SPLL_DIV_TABLE_CLKS_SHIFT))
++ if (fb_div & ~(SMC_NISLANDS_SPLL_DIV_TABLE_FBDIV_MASK >> SMC_NISLANDS_SPLL_DIV_TABLE_FBDIV_SHIFT))
+ ret = -EINVAL;
+
+ if (clk_v & ~(SMC_NISLANDS_SPLL_DIV_TABLE_CLKV_MASK >> SMC_NISLANDS_SPLL_DIV_TABLE_CLKV_SHIFT))
--- /dev/null
+From 5f9af404eec82981c4345c9943be48422234e7ab Mon Sep 17 00:00:00 2001
+From: Daniel Gomez <dagmcr@gmail.com>
+Date: Mon, 18 May 2020 22:16:46 +0200
+Subject: drm: rcar-du: Fix build error
+
+From: Daniel Gomez <dagmcr@gmail.com>
+
+commit 5f9af404eec82981c4345c9943be48422234e7ab upstream.
+
+Select DRM_KMS_HELPER dependency.
+
+Build error when DRM_KMS_HELPER is not selected:
+
+drivers/gpu/drm/rcar-du/rcar_lvds.o:(.rodata+0xd48): undefined reference to `drm_atomic_helper_bridge_duplicate_state'
+drivers/gpu/drm/rcar-du/rcar_lvds.o:(.rodata+0xd50): undefined reference to `drm_atomic_helper_bridge_destroy_state'
+drivers/gpu/drm/rcar-du/rcar_lvds.o:(.rodata+0xd70): undefined reference to `drm_atomic_helper_bridge_reset'
+drivers/gpu/drm/rcar-du/rcar_lvds.o:(.rodata+0xdc8): undefined reference to `drm_atomic_helper_connector_reset'
+drivers/gpu/drm/rcar-du/rcar_lvds.o:(.rodata+0xde0): undefined reference to `drm_helper_probe_single_connector_modes'
+drivers/gpu/drm/rcar-du/rcar_lvds.o:(.rodata+0xe08): undefined reference to `drm_atomic_helper_connector_duplicate_state'
+drivers/gpu/drm/rcar-du/rcar_lvds.o:(.rodata+0xe10): undefined reference to `drm_atomic_helper_connector_destroy_state'
+
+Fixes: c6a27fa41fab ("drm: rcar-du: Convert LVDS encoder code to bridge driver")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Daniel Gomez <dagmcr@gmail.com>
+Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com>
+Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/rcar-du/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/rcar-du/Kconfig
++++ b/drivers/gpu/drm/rcar-du/Kconfig
+@@ -21,6 +21,7 @@ config DRM_RCAR_DW_HDMI
+ config DRM_RCAR_LVDS
+ tristate "R-Car DU LVDS Encoder Support"
+ depends on DRM && DRM_BRIDGE && OF
++ select DRM_KMS_HELPER
+ select DRM_PANEL
+ select OF_FLATTREE
+ select OF_OVERLAY
--- /dev/null
+From d03727b248d0dae6199569a8d7b629a681154633 Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia <olga.kornievskaia@gmail.com>
+Date: Wed, 24 Jun 2020 13:54:08 -0400
+Subject: NFSv4 fix CLOSE not waiting for direct IO compeletion
+
+From: Olga Kornievskaia <olga.kornievskaia@gmail.com>
+
+commit d03727b248d0dae6199569a8d7b629a681154633 upstream.
+
+Figuring out the root case for the REMOVE/CLOSE race and
+suggesting the solution was done by Neil Brown.
+
+Currently what happens is that direct IO calls hold a reference
+on the open context which is decremented as an asynchronous task
+in the nfs_direct_complete(). Before reference is decremented,
+control is returned to the application which is free to close the
+file. When close is being processed, it decrements its reference
+on the open_context but since directIO still holds one, it doesn't
+sent a close on the wire. It returns control to the application
+which is free to do other operations. For instance, it can delete a
+file. Direct IO is finally releasing its reference and triggering
+an asynchronous close. Which races with the REMOVE. On the server,
+REMOVE can be processed before the CLOSE, failing the REMOVE with
+EACCES as the file is still opened.
+
+Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
+Suggested-by: Neil Brown <neilb@suse.com>
+CC: stable@vger.kernel.org
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/direct.c | 13 +++++++++----
+ fs/nfs/file.c | 1 +
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/fs/nfs/direct.c
++++ b/fs/nfs/direct.c
+@@ -396,8 +396,6 @@ static void nfs_direct_complete(struct n
+ {
+ struct inode *inode = dreq->inode;
+
+- inode_dio_end(inode);
+-
+ if (dreq->iocb) {
+ long res = (long) dreq->error;
+ if (dreq->count != 0) {
+@@ -409,7 +407,10 @@ static void nfs_direct_complete(struct n
+
+ complete(&dreq->completion);
+
++ igrab(inode);
+ nfs_direct_req_release(dreq);
++ inode_dio_end(inode);
++ iput(inode);
+ }
+
+ static void nfs_direct_read_completion(struct nfs_pgio_header *hdr)
+@@ -539,8 +540,10 @@ static ssize_t nfs_direct_read_schedule_
+ * generic layer handle the completion.
+ */
+ if (requested_bytes == 0) {
+- inode_dio_end(inode);
++ igrab(inode);
+ nfs_direct_req_release(dreq);
++ inode_dio_end(inode);
++ iput(inode);
+ return result < 0 ? result : -EIO;
+ }
+
+@@ -957,8 +960,10 @@ static ssize_t nfs_direct_write_schedule
+ * generic layer handle the completion.
+ */
+ if (requested_bytes == 0) {
+- inode_dio_end(inode);
++ igrab(inode);
+ nfs_direct_req_release(dreq);
++ inode_dio_end(inode);
++ iput(inode);
+ return result < 0 ? result : -EIO;
+ }
+
+--- a/fs/nfs/file.c
++++ b/fs/nfs/file.c
+@@ -82,6 +82,7 @@ nfs_file_release(struct inode *inode, st
+ dprintk("NFS: release(%pD2)\n", filp);
+
+ nfs_inc_stats(inode, NFSIOS_VFSRELEASE);
++ inode_dio_wait(inode);
+ nfs_file_clear_open_context(filp);
+ return 0;
+ }
--- /dev/null
+From 8b04013737341442ed914b336cde866b902664ae Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Mon, 22 Jun 2020 15:04:15 -0400
+Subject: pNFS/flexfiles: Fix list corruption if the mirror count changes
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 8b04013737341442ed914b336cde866b902664ae upstream.
+
+If the mirror count changes in the new layout we pick up inside
+ff_layout_pg_init_write(), then we can end up adding the
+request to the wrong mirror and corrupting the mirror->pg_list.
+
+Fixes: d600ad1f2bdb ("NFS41: pop some layoutget errors to application")
+Cc: stable@vger.kernel.org
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/flexfilelayout/flexfilelayout.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/fs/nfs/flexfilelayout/flexfilelayout.c
++++ b/fs/nfs/flexfilelayout/flexfilelayout.c
+@@ -915,9 +915,8 @@ retry:
+ goto out_mds;
+
+ /* Use a direct mapping of ds_idx to pgio mirror_idx */
+- if (WARN_ON_ONCE(pgio->pg_mirror_count !=
+- FF_LAYOUT_MIRROR_COUNT(pgio->pg_lseg)))
+- goto out_mds;
++ if (pgio->pg_mirror_count != FF_LAYOUT_MIRROR_COUNT(pgio->pg_lseg))
++ goto out_eagain;
+
+ for (i = 0; i < pgio->pg_mirror_count; i++) {
+ ds = nfs4_ff_layout_prepare_ds(pgio->pg_lseg, i, true);
+@@ -936,11 +935,15 @@ retry:
+ }
+
+ return;
+-
++out_eagain:
++ pnfs_generic_pg_cleanup(pgio);
++ pgio->pg_error = -EAGAIN;
++ return;
+ out_mds:
+ pnfs_put_lseg(pgio->pg_lseg);
+ pgio->pg_lseg = NULL;
+ nfs_pageio_reset_write_mds(pgio);
++ pgio->pg_error = -EAGAIN;
+ }
+
+ static unsigned int
--- /dev/null
+From 097350d1c6e1f5808cae142006f18a0bbc57018d Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Mon, 22 Jun 2020 15:18:15 -0400
+Subject: ring-buffer: Zero out time extend if it is nested and not absolute
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 097350d1c6e1f5808cae142006f18a0bbc57018d upstream.
+
+Currently the ring buffer makes events that happen in interrupts that preempt
+another event have a delta of zero. (Hopefully we can change this soon). But
+this is to deal with the races of updating a global counter with lockless
+and nesting functions updating deltas.
+
+With the addition of absolute time stamps, the time extend didn't follow
+this rule. A time extend can happen if two events happen longer than 2^27
+nanoseconds appart, as the delta time field in each event is only 27 bits.
+If that happens, then a time extend is injected with 2^59 bits of
+nanoseconds to use (18 years). But if the 2^27 nanoseconds happen between
+two events, and as it is writing the event, an interrupt triggers, it will
+see the 2^27 difference as well and inject a time extend of its own. But a
+recent change made the time extend logic not take into account the nesting,
+and this can cause two time extend deltas to happen moving the time stamp
+much further ahead than the current time. This gets all reset when the ring
+buffer moves to the next page, but that can cause time to appear to go
+backwards.
+
+This was observed in a trace-cmd recording, and since the data is saved in a
+file, with trace-cmd report --debug, it was possible to see that this indeed
+did happen!
+
+ bash-52501 110d... 81778.908247: sched_switch: bash:52501 [120] S ==> swapper/110:0 [120] [12770284:0x2e8:64]
+ <idle>-0 110d... 81778.908757: sched_switch: swapper/110:0 [120] R ==> bash:52501 [120] [509947:0x32c:64]
+ TIME EXTEND: delta:306454770 length:0
+ bash-52501 110.... 81779.215212: sched_swap_numa: src_pid=52501 src_tgid=52388 src_ngid=52501 src_cpu=110 src_nid=2 dst_pid=52509 dst_tgid=52388 dst_ngid=52501 dst_cpu=49 dst_nid=1 [0:0x378:48]
+ TIME EXTEND: delta:306458165 length:0
+ bash-52501 110dNh. 81779.521670: sched_wakeup: migration/110:565 [0] success=1 CPU:110 [0:0x3b4:40]
+
+and at the next page, caused the time to go backwards:
+
+ bash-52504 110d... 81779.685411: sched_switch: bash:52504 [120] S ==> swapper/110:0 [120] [8347057:0xfb4:64]
+CPU:110 [SUBBUFFER START] [81779379165886:0x1320000]
+ <idle>-0 110dN.. 81779.379166: sched_wakeup: bash:52504 [120] success=1 CPU:110 [0:0x10:40]
+ <idle>-0 110d... 81779.379167: sched_switch: swapper/110:0 [120] R ==> bash:52504 [120] [1168:0x3c:64]
+
+Link: https://lkml.kernel.org/r/20200622151815.345d1bf5@oasis.local.home
+
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Tom Zanussi <zanussi@kernel.org>
+Cc: stable@vger.kernel.org
+Fixes: dc4e2801d400b ("ring-buffer: Redefine the unimplemented RINGBUF_TYPE_TIME_STAMP")
+Reported-by: Julia Lawall <julia.lawall@inria.fr>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ring_buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -2333,7 +2333,7 @@ rb_update_event(struct ring_buffer_per_c
+ if (unlikely(info->add_timestamp)) {
+ bool abs = ring_buffer_time_stamp_abs(cpu_buffer->buffer);
+
+- event = rb_add_time_stamp(event, info->delta, abs);
++ event = rb_add_time_stamp(event, abs ? info->delta : delta, abs);
+ length -= RB_LEN_TIME_EXTEND;
+ delta = 0;
+ }
ocfs2-fix-value-of-ocfs2_invalid_slot.patch
ocfs2-fix-panic-on-nfs-server-over-ocfs2.patch
arm64-perf-report-the-pc-value-in-regs_abi_32-mode.patch
+tracing-fix-event-trigger-to-accept-redundant-spaces.patch
+ring-buffer-zero-out-time-extend-if-it-is-nested-and-not-absolute.patch
+drm-rcar-du-fix-build-error.patch
+drm-radeon-fix-fb_div-check-in-ni_init_smc_spll_table.patch
+staging-rtl8723bs-prevent-buffer-overflow-in-update_sta_support_rate.patch
+sunrpc-fixed-rollback-in-rpc_gssd_dummy_populate.patch
+sunrpc-properly-set-the-subbuf-parameter-of-xdr_buf_subsegment.patch
+pnfs-flexfiles-fix-list-corruption-if-the-mirror-count-changes.patch
+nfsv4-fix-close-not-waiting-for-direct-io-compeletion.patch
+dm-writecache-correct-uncommitted_block-when-discarding-uncommitted-entry.patch
+dm-writecache-add-cond_resched-to-loop-in-persistent_memory_claim.patch
--- /dev/null
+From b65a2d8c8614386f7e8d38ea150749f8a862f431 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 3 Jun 2020 13:19:58 +0300
+Subject: Staging: rtl8723bs: prevent buffer overflow in update_sta_support_rate()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit b65a2d8c8614386f7e8d38ea150749f8a862f431 upstream.
+
+The "ie_len" variable is in the 0-255 range and it comes from the
+network. If it's over NDIS_802_11_LENGTH_RATES_EX (16) then that will
+lead to memory corruption.
+
+Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200603101958.GA1845750@mwanda
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
++++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
+@@ -1856,12 +1856,14 @@ int update_sta_support_rate(struct adapt
+ pIE = (struct ndis_80211_var_ie *)rtw_get_ie(pvar_ie, _SUPPORTEDRATES_IE_, &ie_len, var_ie_len);
+ if (!pIE)
+ return _FAIL;
++ if (ie_len > sizeof(pmlmeinfo->FW_sta_info[cam_idx].SupportedRates))
++ return _FAIL;
+
+ memcpy(pmlmeinfo->FW_sta_info[cam_idx].SupportedRates, pIE->data, ie_len);
+ supportRateNum = ie_len;
+
+ pIE = (struct ndis_80211_var_ie *)rtw_get_ie(pvar_ie, _EXT_SUPPORTEDRATES_IE_, &ie_len, var_ie_len);
+- if (pIE)
++ if (pIE && (ie_len <= sizeof(pmlmeinfo->FW_sta_info[cam_idx].SupportedRates) - supportRateNum))
+ memcpy((pmlmeinfo->FW_sta_info[cam_idx].SupportedRates + supportRateNum), pIE->data, ie_len);
+
+ return _SUCCESS;
--- /dev/null
+From b7ade38165ca0001c5a3bd5314a314abbbfbb1b7 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Mon, 1 Jun 2020 11:54:57 +0300
+Subject: sunrpc: fixed rollback in rpc_gssd_dummy_populate()
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit b7ade38165ca0001c5a3bd5314a314abbbfbb1b7 upstream.
+
+__rpc_depopulate(gssd_dentry) was lost on error path
+
+cc: stable@vger.kernel.org
+Fixes: commit 4b9a445e3eeb ("sunrpc: create a new dummy pipe for gssd to hold open")
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/rpc_pipe.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sunrpc/rpc_pipe.c
++++ b/net/sunrpc/rpc_pipe.c
+@@ -1331,6 +1331,7 @@ rpc_gssd_dummy_populate(struct dentry *r
+ q.len = strlen(gssd_dummy_clnt_dir[0].name);
+ clnt_dentry = d_hash_and_lookup(gssd_dentry, &q);
+ if (!clnt_dentry) {
++ __rpc_depopulate(gssd_dentry, gssd_dummy_clnt_dir, 0, 1);
+ pipe_dentry = ERR_PTR(-ENOENT);
+ goto out;
+ }
--- /dev/null
+From 89a3c9f5b9f0bcaa9aea3e8b2a616fcaea9aad78 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Thu, 25 Jun 2020 11:32:34 -0400
+Subject: SUNRPC: Properly set the @subbuf parameter of xdr_buf_subsegment()
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit 89a3c9f5b9f0bcaa9aea3e8b2a616fcaea9aad78 upstream.
+
+@subbuf is an output parameter of xdr_buf_subsegment(). A survey of
+call sites shows that @subbuf is always uninitialized before
+xdr_buf_segment() is invoked by callers.
+
+There are some execution paths through xdr_buf_subsegment() that do
+not set all of the fields in @subbuf, leaving some pointer fields
+containing garbage addresses. Subsequent processing of that buffer
+then results in a page fault.
+
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/xdr.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/sunrpc/xdr.c
++++ b/net/sunrpc/xdr.c
+@@ -1036,6 +1036,7 @@ xdr_buf_subsegment(struct xdr_buf *buf,
+ base = 0;
+ } else {
+ base -= buf->head[0].iov_len;
++ subbuf->head[0].iov_base = buf->head[0].iov_base;
+ subbuf->head[0].iov_len = 0;
+ }
+
+@@ -1048,6 +1049,8 @@ xdr_buf_subsegment(struct xdr_buf *buf,
+ base = 0;
+ } else {
+ base -= buf->page_len;
++ subbuf->pages = buf->pages;
++ subbuf->page_base = 0;
+ subbuf->page_len = 0;
+ }
+
+@@ -1059,6 +1062,7 @@ xdr_buf_subsegment(struct xdr_buf *buf,
+ base = 0;
+ } else {
+ base -= buf->tail[0].iov_len;
++ subbuf->tail[0].iov_base = buf->tail[0].iov_base;
+ subbuf->tail[0].iov_len = 0;
+ }
+
--- /dev/null
+From 6784beada631800f2c5afd567e5628c843362cee Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Sat, 20 Jun 2020 12:46:03 +0900
+Subject: tracing: Fix event trigger to accept redundant spaces
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+commit 6784beada631800f2c5afd567e5628c843362cee upstream.
+
+Fix the event trigger to accept redundant spaces in
+the trigger input.
+
+For example, these return -EINVAL
+
+echo " traceon" > events/ftrace/print/trigger
+echo "traceon if common_pid == 0" > events/ftrace/print/trigger
+echo "disable_event:kmem:kmalloc " > events/ftrace/print/trigger
+
+But these are hard to find what is wrong.
+
+To fix this issue, use skip_spaces() to remove spaces
+in front of actual tokens, and set NULL if there is no
+token.
+
+Link: http://lkml.kernel.org/r/159262476352.185015.5261566783045364186.stgit@devnote2
+
+Cc: Tom Zanussi <zanussi@kernel.org>
+Cc: stable@vger.kernel.org
+Fixes: 85f2b08268c0 ("tracing: Add basic event trigger framework")
+Reviewed-by: Tom Zanussi <zanussi@kernel.org>
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_events_trigger.c | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/trace_events_trigger.c
++++ b/kernel/trace/trace_events_trigger.c
+@@ -211,11 +211,17 @@ static int event_trigger_regex_open(stru
+
+ static int trigger_process_regex(struct trace_event_file *file, char *buff)
+ {
+- char *command, *next = buff;
++ char *command, *next;
+ struct event_command *p;
+ int ret = -EINVAL;
+
++ next = buff = skip_spaces(buff);
+ command = strsep(&next, ": \t");
++ if (next) {
++ next = skip_spaces(next);
++ if (!*next)
++ next = NULL;
++ }
+ command = (command[0] != '!') ? command : command + 1;
+
+ mutex_lock(&trigger_cmd_mutex);
+@@ -624,8 +630,14 @@ event_trigger_callback(struct event_comm
+ int ret;
+
+ /* separate the trigger from the filter (t:n [if filter]) */
+- if (param && isdigit(param[0]))
++ if (param && isdigit(param[0])) {
+ trigger = strsep(¶m, " \t");
++ if (param) {
++ param = skip_spaces(param);
++ if (!*param)
++ param = NULL;
++ }
++ }
+
+ trigger_ops = cmd_ops->get_trigger_ops(cmd, trigger);
+
+@@ -1361,6 +1373,11 @@ int event_enable_trigger_func(struct eve
+ trigger = strsep(¶m, " \t");
+ if (!trigger)
+ return -EINVAL;
++ if (param) {
++ param = skip_spaces(param);
++ if (!*param)
++ param = NULL;
++ }
+
+ system = strsep(&trigger, ":");
+ if (!trigger)
projects / thirdparty / kernel / stable-queue.git / commitdiff
