Fixes for 4.9
authorSasha Levin <sashal@kernel.org>
Sun, 15 Nov 2020 14:34:31 +0000 (09:34 -0500)
committerSasha Levin <sashal@kernel.org>
Sun, 15 Nov 2020 14:34:31 +0000 (09:34 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.9/cfg80211-regulatory-fix-inconsistent-format-argument.patch [new file with mode: 0644]
queue-4.9/drm-amdgpu-perform-srbm-soft-reset-always-on-sdma-re.patch [new file with mode: 0644]
queue-4.9/gfs2-check-for-live-vs.-read-only-file-system-in-gfs.patch [new file with mode: 0644]
queue-4.9/gfs2-free-rd_bits-later-in-gfs2_clear_rgrpd-to-fix-u.patch [new file with mode: 0644]
queue-4.9/iommu-amd-increase-interrupt-remapping-table-limit-t.patch [new file with mode: 0644]
queue-4.9/mac80211-always-wind-down-sta-state.patch [new file with mode: 0644]
queue-4.9/mac80211-fix-use-of-skb-payload-instead-of-header.patch [new file with mode: 0644]
queue-4.9/scsi-hpsa-fix-memory-leak-in-hpsa_init_one.patch [new file with mode: 0644]
queue-4.9/scsi-scsi_dh_alua-avoid-crash-during-alua_bus_detach.patch [new file with mode: 0644]
queue-4.9/series
queue-4.9/usb-gadget-goku_udc-fix-potential-crashes-in-probe.patch [new file with mode: 0644]

diff --git a/queue-4.9/cfg80211-regulatory-fix-inconsistent-format-argument.patch b/queue-4.9/cfg80211-regulatory-fix-inconsistent-format-argument.patch
new file mode 100644 (file)
index 0000000..dbaf911
--- /dev/null
@@ -0,0 +1,38 @@
+From de86d65d1c962782541bbeb94ef9a430aeb1a4d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Oct 2020 15:02:15 +0800
+Subject: cfg80211: regulatory: Fix inconsistent format argument
+
+From: Ye Bin <yebin10@huawei.com>
+
+[ Upstream commit db18d20d1cb0fde16d518fb5ccd38679f174bc04 ]
+
+Fix follow warning:
+[net/wireless/reg.c:3619]: (warning) %d in format string (no. 2)
+requires 'int' but the argument type is 'unsigned int'.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Ye Bin <yebin10@huawei.com>
+Link: https://lore.kernel.org/r/20201009070215.63695-1-yebin10@huawei.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/reg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/wireless/reg.c b/net/wireless/reg.c
+index a649763b854d5..04da31c52d092 100644
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -2759,7 +2759,7 @@ static void print_rd_rules(const struct ieee80211_regdomain *rd)
+               power_rule = &reg_rule->power_rule;
+               if (reg_rule->flags & NL80211_RRF_AUTO_BW)
+-                      snprintf(bw, sizeof(bw), "%d KHz, %d KHz AUTO",
++                      snprintf(bw, sizeof(bw), "%d KHz, %u KHz AUTO",
+                                freq_range->max_bandwidth_khz,
+                                reg_get_max_bandwidth(rd, reg_rule));
+               else
+-- 
+2.27.0
+
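Review bot: The first conversion in the corrected format string is still `%d`, while its argument `freq_range->max_bandwidth_khz` appears to be an unsigned 32-bit field too (its declaration is not in the hunk, so confirm it in the regulatory header). If so, the line should read `snprintf(bw, sizeof(bw), "%u KHz, %u KHz AUTO",` so that both arguments match their specifiers. print_rd_rules() continues outside the hunk, and the `else` branch that follows deserves the same check.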
diff --git a/queue-4.9/drm-amdgpu-perform-srbm-soft-reset-always-on-sdma-re.patch b/queue-4.9/drm-amdgpu-perform-srbm-soft-reset-always-on-sdma-re.patch
new file mode 100644 (file)
index 0000000..0041b94
--- /dev/null
@@ -0,0 +1,63 @@
+From bc239e8077695983c71291b8f55c9725a379b3de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Oct 2020 15:29:59 +0800
+Subject: drm/amdgpu: perform srbm soft reset always on SDMA resume
+
+From: Evan Quan <evan.quan@amd.com>
+
+[ Upstream commit 253475c455eb5f8da34faa1af92709e7bb414624 ]
+
+This can address the random SDMA hang after pci config reset
+seen on Hawaii.
+
+Signed-off-by: Evan Quan <evan.quan@amd.com>
+Tested-by: Sandeep Raghuraman <sandy.8925@gmail.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/cik_sdma.c | 27 ++++++++++++---------------
+ 1 file changed, 12 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/cik_sdma.c b/drivers/gpu/drm/amd/amdgpu/cik_sdma.c
+index cb952acc71339..2934443fbd4dc 100644
+--- a/drivers/gpu/drm/amd/amdgpu/cik_sdma.c
++++ b/drivers/gpu/drm/amd/amdgpu/cik_sdma.c
+@@ -1053,22 +1053,19 @@ static int cik_sdma_soft_reset(void *handle)
+ {
+       u32 srbm_soft_reset = 0;
+       struct amdgpu_device *adev = (struct amdgpu_device *)handle;
+-      u32 tmp = RREG32(mmSRBM_STATUS2);
++      u32 tmp;
+-      if (tmp & SRBM_STATUS2__SDMA_BUSY_MASK) {
+-              /* sdma0 */
+-              tmp = RREG32(mmSDMA0_F32_CNTL + SDMA0_REGISTER_OFFSET);
+-              tmp |= SDMA0_F32_CNTL__HALT_MASK;
+-              WREG32(mmSDMA0_F32_CNTL + SDMA0_REGISTER_OFFSET, tmp);
+-              srbm_soft_reset |= SRBM_SOFT_RESET__SOFT_RESET_SDMA_MASK;
+-      }
+-      if (tmp & SRBM_STATUS2__SDMA1_BUSY_MASK) {
+-              /* sdma1 */
+-              tmp = RREG32(mmSDMA0_F32_CNTL + SDMA1_REGISTER_OFFSET);
+-              tmp |= SDMA0_F32_CNTL__HALT_MASK;
+-              WREG32(mmSDMA0_F32_CNTL + SDMA1_REGISTER_OFFSET, tmp);
+-              srbm_soft_reset |= SRBM_SOFT_RESET__SOFT_RESET_SDMA1_MASK;
+-      }
++      /* sdma0 */
++      tmp = RREG32(mmSDMA0_F32_CNTL + SDMA0_REGISTER_OFFSET);
++      tmp |= SDMA0_F32_CNTL__HALT_MASK;
++      WREG32(mmSDMA0_F32_CNTL + SDMA0_REGISTER_OFFSET, tmp);
++      srbm_soft_reset |= SRBM_SOFT_RESET__SOFT_RESET_SDMA_MASK;
++
++      /* sdma1 */
++      tmp = RREG32(mmSDMA0_F32_CNTL + SDMA1_REGISTER_OFFSET);
++      tmp |= SDMA0_F32_CNTL__HALT_MASK;
++      WREG32(mmSDMA0_F32_CNTL + SDMA1_REGISTER_OFFSET, tmp);
++      srbm_soft_reset |= SRBM_SOFT_RESET__SOFT_RESET_SDMA1_MASK;
+       if (srbm_soft_reset) {
+               tmp = RREG32(mmSRBM_SOFT_RESET);
+-- 
+2.27.0
+
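Review bot: With both reset masks now OR-ed in unconditionally, the `if (srbm_soft_reset)` test kept at the end of the hunk can never be false, so it reads as if a no-reset path still existed. Either drop the conditional or add a comment such as `/* always set: both SDMA engines are halted and reset unconditionally */`. The removed SRBM_STATUS2 busy checks were the only place this part of the function looked at engine state, so a one-line comment saying the halt is deliberate even on an idle engine would help. cik_sdma_soft_reset() continues past the hunk.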
diff --git a/queue-4.9/gfs2-check-for-live-vs.-read-only-file-system-in-gfs.patch b/queue-4.9/gfs2-check-for-live-vs.-read-only-file-system-in-gfs.patch
new file mode 100644 (file)
index 0000000..7c4146c
--- /dev/null
@@ -0,0 +1,49 @@
+From cf58151164a280a301744c4e82ecf3220fefde88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Oct 2020 13:42:18 -0500
+Subject: gfs2: check for live vs. read-only file system in gfs2_fitrim
+
+From: Bob Peterson <rpeterso@redhat.com>
+
+[ Upstream commit c5c68724696e7d2f8db58a5fce3673208d35c485 ]
+
+Before this patch, gfs2_fitrim was not properly checking for a "live" file
+system. If the file system had something to trim and the file system
+was read-only (or spectator) it would start the trim, but when it starts
+the transaction, gfs2_trans_begin returns -EROFS (read-only file system)
+and it errors out. However, if the file system was already trimmed so
+there's no work to do, it never called gfs2_trans_begin. That code is
+bypassed so it never returns the error. Instead, it returns a good
+return code with 0 work. All this makes for inconsistent behavior:
+The same fstrim command can return -EROFS in one case and 0 in another.
+This tripped up xfstests generic/537 which reports the error as:
+
+    +fstrim with unrecovered metadata just ate your filesystem
+
+This patch adds a check for a "live" (iow, active journal, iow, RW)
+file system, and if not, returns the error properly.
+
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/rgrp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c
+index 0958f76ada6a3..9621badb95995 100644
+--- a/fs/gfs2/rgrp.c
++++ b/fs/gfs2/rgrp.c
+@@ -1371,6 +1371,9 @@ int gfs2_fitrim(struct file *filp, void __user *argp)
+       if (!capable(CAP_SYS_ADMIN))
+               return -EPERM;
++      if (!test_bit(SDF_JOURNAL_LIVE, &sdp->sd_flags))
++              return -EROFS;
++
+       if (!blk_queue_discard(q))
+               return -EOPNOTSUPP;
+-- 
+2.27.0
+
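Review bot: The added `SDF_JOURNAL_LIVE` test has no comment explaining why it is needed when gfs2_trans_begin() already returns -EROFS later on. Suggested: `/* Fail up front on read-only or spectator mounts so an already-trimmed fs returns -EROFS too */`. Keeping it after the `capable(CAP_SYS_ADMIN)` check means unprivileged callers still get -EPERM and learn nothing about the mount state. gfs2_fitrim() begins and ends outside the hunk.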
diff --git a/queue-4.9/gfs2-free-rd_bits-later-in-gfs2_clear_rgrpd-to-fix-u.patch b/queue-4.9/gfs2-free-rd_bits-later-in-gfs2_clear_rgrpd-to-fix-u.patch
new file mode 100644 (file)
index 0000000..68539eb
--- /dev/null
@@ -0,0 +1,39 @@
+From f2575c0c8561c8a7ca799927599d7a1eba7fbecd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Oct 2020 10:10:01 -0500
+Subject: gfs2: Free rd_bits later in gfs2_clear_rgrpd to fix use-after-free
+
+From: Bob Peterson <rpeterso@redhat.com>
+
+[ Upstream commit d0f17d3883f1e3f085d38572c2ea8edbd5150172 ]
+
+Function gfs2_clear_rgrpd calls kfree(rgd->rd_bits) before calling
+return_all_reservations, but return_all_reservations still dereferences
+rgd->rd_bits in __rs_deltree.  Fix that by moving the call to kfree below the
+call to return_all_reservations.
+
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/rgrp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c
+index 0a80f66365492..0958f76ada6a3 100644
+--- a/fs/gfs2/rgrp.c
++++ b/fs/gfs2/rgrp.c
+@@ -730,9 +730,9 @@ void gfs2_clear_rgrpd(struct gfs2_sbd *sdp)
+               }
+               gfs2_free_clones(rgd);
++              return_all_reservations(rgd);
+               kfree(rgd->rd_bits);
+               rgd->rd_bits = NULL;
+-              return_all_reservations(rgd);
+               kmem_cache_free(gfs2_rgrpd_cachep, rgd);
+       }
+ }
+-- 
+2.27.0
+
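Review bot: The corrected order in gfs2_clear_rgrpd() carries no comment, so nothing stops a later cleanup from moving `kfree(rgd->rd_bits)` back above `return_all_reservations(rgd)` and reintroducing the use-after-free. Suggested comment above the call: `/* return_all_reservations() reaches rd_bits through __rs_deltree(); free rd_bits only after it */`. The function starts outside the hunk.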
diff --git a/queue-4.9/iommu-amd-increase-interrupt-remapping-table-limit-t.patch b/queue-4.9/iommu-amd-increase-interrupt-remapping-table-limit-t.patch
new file mode 100644 (file)
index 0000000..11c3311
--- /dev/null
@@ -0,0 +1,53 @@
+From 5c3a651d7c5afb9178384a1ad6e0aee57fc7d75b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Oct 2020 02:50:02 +0000
+Subject: iommu/amd: Increase interrupt remapping table limit to 512 entries
+
+From: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+
+[ Upstream commit 73db2fc595f358460ce32bcaa3be1f0cce4a2db1 ]
+
+Certain device drivers allocate IO queues on a per-cpu basis.
+On AMD EPYC platform, which can support up-to 256 cpu threads,
+this can exceed the current MAX_IRQ_PER_TABLE limit of 256,
+and result in the error message:
+
+    AMD-Vi: Failed to allocate IRTE
+
+This has been observed with certain NVME devices.
+
+AMD IOMMU hardware can actually support upto 512 interrupt
+remapping table entries. Therefore, update the driver to
+match the hardware limit.
+
+Please note that this also increases the size of interrupt remapping
+table to 8KB per device when using the 128-bit IRTE format.
+
+Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Link: https://lore.kernel.org/r/20201015025002.87997-1-suravee.suthikulpanit@amd.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd_iommu_types.h | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/amd_iommu_types.h b/drivers/iommu/amd_iommu_types.h
+index da3fbf82d1cf4..e19c05d9e84ba 100644
+--- a/drivers/iommu/amd_iommu_types.h
++++ b/drivers/iommu/amd_iommu_types.h
+@@ -383,7 +383,11 @@ extern bool amd_iommu_np_cache;
+ /* Only true if all IOMMUs support device IOTLBs */
+ extern bool amd_iommu_iotlb_sup;
+-#define MAX_IRQS_PER_TABLE    256
++/*
++ * AMD IOMMU hardware only support 512 IRTEs despite
++ * the architectural limitation of 2048 entries.
++ */
++#define MAX_IRQS_PER_TABLE    512
+ #define IRQ_TABLE_ALIGNMENT   128
+ struct irq_remap_table {
+-- 
+2.27.0
+
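Review bot: Only the software limit `MAX_IRQS_PER_TABLE` changes here; the table length the hardware is told about is programmed through a separate device-table-entry field (`DTE_IRQ_TABLE_LEN` in this header, not part of the hunk). That field should be checked to encode 512 entries as well; if it still describes 256, the driver could hand out indexes the IOMMU treats as out of range, which matters because interrupt remapping is an isolation boundary. Allocation sizes derived from the macro deserve the same look, given the commit message says the table grows to 8KB with the 128-bit IRTE format. The new comment should read `hardware only supports 512 IRTEs`.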
diff --git a/queue-4.9/mac80211-always-wind-down-sta-state.patch b/queue-4.9/mac80211-always-wind-down-sta-state.patch
new file mode 100644 (file)
index 0000000..8233bc7
--- /dev/null
@@ -0,0 +1,64 @@
+From 6e9e508939e98e0864159eae78ff372104b75a62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Oct 2020 14:17:11 +0200
+Subject: mac80211: always wind down STA state
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit dcd479e10a0510522a5d88b29b8f79ea3467d501 ]
+
+When (for example) an IBSS station is pre-moved to AUTHORIZED
+before it's inserted, and then the insertion fails, we don't
+clean up the fast RX/TX states that might already have been
+created, since we don't go through all the state transitions
+again on the way down.
+
+Do that, if it hasn't been done already, when the station is
+freed. I considered only freeing the fast TX/RX state there,
+but we might add more state so it's more robust to wind down
+the state properly.
+
+Note that we warn if the station was ever inserted, it should
+have been properly cleaned up in that case, and the driver
+will probably not like things happening out of order.
+
+Reported-by: syzbot+2e293dbd67de2836ba42@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20201009141710.7223b322a955.I95bd08b9ad0e039c034927cce0b75beea38e059b@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/sta_info.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
+index fef8d7758dae9..8a9bbcfefbca6 100644
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -243,6 +243,24 @@ struct sta_info *sta_info_get_by_idx(struct ieee80211_sub_if_data *sdata,
+  */
+ void sta_info_free(struct ieee80211_local *local, struct sta_info *sta)
+ {
++      /*
++       * If we had used sta_info_pre_move_state() then we might not
++       * have gone through the state transitions down again, so do
++       * it here now (and warn if it's inserted).
++       *
++       * This will clear state such as fast TX/RX that may have been
++       * allocated during state transitions.
++       */
++      while (sta->sta_state > IEEE80211_STA_NONE) {
++              int ret;
++
++              WARN_ON_ONCE(test_sta_flag(sta, WLAN_STA_INSERTED));
++
++              ret = sta_info_move_state(sta, sta->sta_state - 1);
++              if (WARN_ONCE(ret, "sta_info_move_state() returned %d\n", ret))
++                      break;
++      }
++
+       if (sta->rate_ctrl)
+               rate_control_free_sta(sta);
+-- 
+2.27.0
+
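Review bot: When sta_info_move_state() fails, the `break` leaves `sta->sta_state` above IEEE80211_STA_NONE and sta_info_free() goes on to free the station, so whatever the skipped transitions would have released (the fast TX/RX state the comment mentions) is presumably leaked. WARN_ONCE reports this only the first time, so repeated failures are silent. At minimum the comment should say the wind-down is best effort, e.g. `* A failed transition is reported once and the station is freed anyway.` The rest of sta_info_free() is outside the hunk.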
diff --git a/queue-4.9/mac80211-fix-use-of-skb-payload-instead-of-header.patch b/queue-4.9/mac80211-fix-use-of-skb-payload-instead-of-header.patch
new file mode 100644 (file)
index 0000000..01899a7
--- /dev/null
@@ -0,0 +1,124 @@
+From 32857a28da5eff3b520b4ec2329e0af4e68f61fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Oct 2020 13:25:41 +0200
+Subject: mac80211: fix use of skb payload instead of header
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 14f46c1e5108696ec1e5a129e838ecedf108c7bf ]
+
+When ieee80211_skb_resize() is called from ieee80211_build_hdr()
+the skb has no 802.11 header yet, in fact it consist only of the
+payload as the ethernet frame is removed. As such, we're using
+the payload data for ieee80211_is_mgmt(), which is of course
+completely wrong. This didn't really hurt us because these are
+always data frames, so we could only have added more tailroom
+than we needed if we determined it was a management frame and
+sdata->crypto_tx_tailroom_needed_cnt was false.
+
+However, syzbot found that of course there need not be any payload,
+so we're using at best uninitialized memory for the check.
+
+Fix this to pass explicitly the kind of frame that we have instead
+of checking there, by replacing the "bool may_encrypt" argument
+with an argument that can carry the three possible states - it's
+not going to be encrypted, it's a management frame, or it's a data
+frame (and then we check sdata->crypto_tx_tailroom_needed_cnt).
+
+Reported-by: syzbot+32fd1a1bfe355e93f1e2@syzkaller.appspotmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Link: https://lore.kernel.org/r/20201009132538.e1fd7f802947.I799b288466ea2815f9d4c84349fae697dca2f189@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tx.c | 35 +++++++++++++++++++++++------------
+ 1 file changed, 23 insertions(+), 12 deletions(-)
+
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index 6216279efc468..eebbddccb47b7 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -1847,19 +1847,24 @@ static bool ieee80211_tx(struct ieee80211_sub_if_data *sdata,
+ /* device xmit handlers */
++enum ieee80211_encrypt {
++      ENCRYPT_NO,
++      ENCRYPT_MGMT,
++      ENCRYPT_DATA,
++};
++
+ static int ieee80211_skb_resize(struct ieee80211_sub_if_data *sdata,
+                               struct sk_buff *skb,
+-                              int head_need, bool may_encrypt)
++                              int head_need,
++                              enum ieee80211_encrypt encrypt)
+ {
+       struct ieee80211_local *local = sdata->local;
+-      struct ieee80211_hdr *hdr;
+       bool enc_tailroom;
+       int tail_need = 0;
+-      hdr = (struct ieee80211_hdr *) skb->data;
+-      enc_tailroom = may_encrypt &&
+-                     (sdata->crypto_tx_tailroom_needed_cnt ||
+-                      ieee80211_is_mgmt(hdr->frame_control));
++      enc_tailroom = encrypt == ENCRYPT_MGMT ||
++                     (encrypt == ENCRYPT_DATA &&
++                      sdata->crypto_tx_tailroom_needed_cnt);
+       if (enc_tailroom) {
+               tail_need = IEEE80211_ENCRYPT_TAILROOM;
+@@ -1892,21 +1897,27 @@ void ieee80211_xmit(struct ieee80211_sub_if_data *sdata,
+       struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
+       struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
+       int headroom;
+-      bool may_encrypt;
++      enum ieee80211_encrypt encrypt;
+-      may_encrypt = !(info->flags & IEEE80211_TX_INTFL_DONT_ENCRYPT);
++      if (info->flags & IEEE80211_TX_INTFL_DONT_ENCRYPT)
++              encrypt = ENCRYPT_NO;
++      else if (ieee80211_is_mgmt(hdr->frame_control))
++              encrypt = ENCRYPT_MGMT;
++      else
++              encrypt = ENCRYPT_DATA;
+       headroom = local->tx_headroom;
+-      if (may_encrypt)
++      if (encrypt != ENCRYPT_NO)
+               headroom += sdata->encrypt_headroom;
+       headroom -= skb_headroom(skb);
+       headroom = max_t(int, 0, headroom);
+-      if (ieee80211_skb_resize(sdata, skb, headroom, may_encrypt)) {
++      if (ieee80211_skb_resize(sdata, skb, headroom, encrypt)) {
+               ieee80211_free_txskb(&local->hw, skb);
+               return;
+       }
++      /* reload after potential resize */
+       hdr = (struct ieee80211_hdr *) skb->data;
+       info->control.vif = &sdata->vif;
+@@ -2688,7 +2699,7 @@ static struct sk_buff *ieee80211_build_hdr(struct ieee80211_sub_if_data *sdata,
+               head_need += sdata->encrypt_headroom;
+               head_need += local->tx_headroom;
+               head_need = max_t(int, 0, head_need);
+-              if (ieee80211_skb_resize(sdata, skb, head_need, true)) {
++              if (ieee80211_skb_resize(sdata, skb, head_need, ENCRYPT_DATA)) {
+                       ieee80211_free_txskb(&local->hw, skb);
+                       skb = NULL;
+                       return ERR_PTR(-ENOMEM);
+@@ -3313,7 +3324,7 @@ static bool ieee80211_xmit_fast(struct ieee80211_sub_if_data *sdata,
+       if (unlikely(ieee80211_skb_resize(sdata, skb,
+                                         max_t(int, extra_head + hw_headroom -
+                                                    skb_headroom(skb), 0),
+-                                        false))) {
++                                        ENCRYPT_NO))) {
+               kfree_skb(skb);
+               return true;
+       }
+-- 
+2.27.0
+
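Review bot: The new `enum ieee80211_encrypt` is undocumented, and the reason callers must now state the frame type appears only in the commit message. A comment above the enum should say that ENCRYPT_NO reserves no crypto tailroom, ENCRYPT_MGMT always reserves it, and ENCRYPT_DATA reserves it only when `sdata->crypto_tx_tailroom_needed_cnt` is set. It should also say that ieee80211_skb_resize() must not inspect `skb->data`, because an 802.11 header may not be there yet. ieee80211_xmit() still derives the type from `hdr->frame_control` read before the resize, which relies on every caller passing an skb that already holds a full header; the hunks do not show that guarantee.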
diff --git a/queue-4.9/scsi-hpsa-fix-memory-leak-in-hpsa_init_one.patch b/queue-4.9/scsi-hpsa-fix-memory-leak-in-hpsa_init_one.patch
new file mode 100644 (file)
index 0000000..ed52c88
--- /dev/null
@@ -0,0 +1,49 @@
+From 50be43790f13fcc83bca8a9f9e59f44fb1fd4af2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Oct 2020 07:31:24 +0000
+Subject: scsi: hpsa: Fix memory leak in hpsa_init_one()
+
+From: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
+
+[ Upstream commit af61bc1e33d2c0ec22612b46050f5b58ac56a962 ]
+
+When hpsa_scsi_add_host() fails, h->lastlogicals is leaked since it is
+missing a free() in the error handler.
+
+Fix this by adding free() when hpsa_scsi_add_host() fails.
+
+Link: https://lore.kernel.org/r/20201027073125.14229-1-keitasuzuki.park@sslab.ics.keio.ac.jp
+Tested-by: Don Brace <don.brace@microchip.com>
+Acked-by: Don Brace <don.brace@microchip.com>
+Signed-off-by: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/hpsa.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index b82df8cdf9626..7f1d6d52d48bd 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -8937,7 +8937,7 @@ reinit_after_soft_reset:
+       /* hook into SCSI subsystem */
+       rc = hpsa_scsi_add_host(h);
+       if (rc)
+-              goto clean7; /* perf, sg, cmd, irq, shost, pci, lu, aer/h */
++              goto clean8; /* lastlogicals, perf, sg, cmd, irq, shost, pci, lu, aer/h */
+       /* Monitor the controller for firmware lockups */
+       h->heartbeat_sample_interval = HEARTBEAT_SAMPLE_INTERVAL;
+@@ -8949,6 +8949,8 @@ reinit_after_soft_reset:
+                               h->heartbeat_sample_interval);
+       return 0;
++clean8: /* lastlogicals, perf, sg, cmd, irq, shost, pci, lu, aer/h */
++      kfree(h->lastlogicals);
+ clean7: /* perf, sg, cmd, irq, shost, pci, lu, aer/h */
+       hpsa_free_performant_mode(h);
+       h->access.set_intr_mask(h, HPSA_INTR_OFF);
+-- 
+2.27.0
+
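Review bot: The new `clean8` label frees `h->lastlogicals` but leaves the pointer set, and control then falls through the remaining cleanup labels. If any later teardown path, or a retry through `reinit_after_soft_reset` (named in the hunk header), frees the field again, that is a double free; neither is visible here, so this is a precaution rather than a confirmed bug. Suggested: add `h->lastlogicals = NULL;` right after the `kfree()`. hpsa_init_one() extends well beyond the hunks.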
diff --git a/queue-4.9/scsi-scsi_dh_alua-avoid-crash-during-alua_bus_detach.patch b/queue-4.9/scsi-scsi_dh_alua-avoid-crash-during-alua_bus_detach.patch
new file mode 100644 (file)
index 0000000..df09b82
--- /dev/null
@@ -0,0 +1,73 @@
+From 8a3cc8c8ecab314f8bcff1e204b9c2f76b6fd938 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Sep 2020 12:45:59 +0200
+Subject: scsi: scsi_dh_alua: Avoid crash during alua_bus_detach()
+
+From: Hannes Reinecke <hare@suse.de>
+
+[ Upstream commit 5faf50e9e9fdc2117c61ff7e20da49cd6a29e0ca ]
+
+alua_bus_detach() might be running concurrently with alua_rtpg_work(), so
+we might trip over h->sdev == NULL and call BUG_ON().  The correct way of
+handling it is to not set h->sdev to NULL in alua_bus_detach(), and call
+rcu_synchronize() before the final delete to ensure that all concurrent
+threads have left the critical section.  Then we can get rid of the
+BUG_ON() and replace it with a simple if condition.
+
+Link: https://lore.kernel.org/r/1600167537-12509-1-git-send-email-jitendra.khasdev@oracle.com
+Link: https://lore.kernel.org/r/20200924104559.26753-1-hare@suse.de
+Cc: Brian Bunker <brian@purestorage.com>
+Acked-by: Brian Bunker <brian@purestorage.com>
+Tested-by: Jitendra Khasdev <jitendra.khasdev@oracle.com>
+Reviewed-by: Jitendra Khasdev <jitendra.khasdev@oracle.com>
+Signed-off-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/device_handler/scsi_dh_alua.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/device_handler/scsi_dh_alua.c b/drivers/scsi/device_handler/scsi_dh_alua.c
+index 60c288526355a..2bc3dc6244a5e 100644
+--- a/drivers/scsi/device_handler/scsi_dh_alua.c
++++ b/drivers/scsi/device_handler/scsi_dh_alua.c
+@@ -657,8 +657,8 @@ static int alua_rtpg(struct scsi_device *sdev, struct alua_port_group *pg)
+                                       rcu_read_lock();
+                                       list_for_each_entry_rcu(h,
+                                               &tmp_pg->dh_list, node) {
+-                                              /* h->sdev should always be valid */
+-                                              BUG_ON(!h->sdev);
++                                              if (!h->sdev)
++                                                      continue;
+                                               h->sdev->access_state = desc[0];
+                                       }
+                                       rcu_read_unlock();
+@@ -704,7 +704,8 @@ static int alua_rtpg(struct scsi_device *sdev, struct alua_port_group *pg)
+                       pg->expiry = 0;
+                       rcu_read_lock();
+                       list_for_each_entry_rcu(h, &pg->dh_list, node) {
+-                              BUG_ON(!h->sdev);
++                              if (!h->sdev)
++                                      continue;
+                               h->sdev->access_state =
+                                       (pg->state & SCSI_ACCESS_STATE_MASK);
+                               if (pg->pref)
+@@ -1149,7 +1150,6 @@ static void alua_bus_detach(struct scsi_device *sdev)
+       spin_lock(&h->pg_lock);
+       pg = h->pg;
+       rcu_assign_pointer(h->pg, NULL);
+-      h->sdev = NULL;
+       spin_unlock(&h->pg_lock);
+       if (pg) {
+               spin_lock_irq(&pg->lock);
+@@ -1158,6 +1158,7 @@ static void alua_bus_detach(struct scsi_device *sdev)
+               kref_put(&pg->kref, release_port_group);
+       }
+       sdev->handler_data = NULL;
++      synchronize_rcu();
+       kfree(h);
+ }
+-- 
+2.27.0
+
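Review bot: With `h->sdev = NULL` removed from alua_bus_detach(), nothing in this patch clears the field any more, so the two `if (!h->sdev) continue;` checks in alua_rtpg() look unreachable unless a path outside the hunks resets it. A comment such as `/* h->sdev stays valid until synchronize_rcu() in alua_bus_detach() */` would state the lifetime rule the fix relies on. The `synchronize_rcu()` before `kfree(h)` only protects readers if `h` has already been unlinked from `dh_list` with an RCU-safe delete; that line sits in the part of the `if (pg)` block not shown and should be confirmed.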
index 7e266d996479084c7b40d7baa4fe423d4cc92fc0..e5560f95daa1a1714c9a729fcef2fb8ad27275b7 100644 (file)
@@ -23,3 +23,13 @@ i40e-fix-of-memory-leak-and-integer-truncation-in-i4.patch
 i40e-memory-leak-in-i40e_config_iwarp_qvlist.patch
 geneve-add-transport-ports-in-route-lookup-for-genev.patch
 ath9k_htc-use-appropriate-rs_datalen-type.patch
+usb-gadget-goku_udc-fix-potential-crashes-in-probe.patch
+gfs2-free-rd_bits-later-in-gfs2_clear_rgrpd-to-fix-u.patch
+gfs2-check-for-live-vs.-read-only-file-system-in-gfs.patch
+scsi-hpsa-fix-memory-leak-in-hpsa_init_one.patch
+drm-amdgpu-perform-srbm-soft-reset-always-on-sdma-re.patch
+mac80211-fix-use-of-skb-payload-instead-of-header.patch
+mac80211-always-wind-down-sta-state.patch
+cfg80211-regulatory-fix-inconsistent-format-argument.patch
+scsi-scsi_dh_alua-avoid-crash-during-alua_bus_detach.patch
+iommu-amd-increase-interrupt-remapping-table-limit-t.patch
diff --git a/queue-4.9/usb-gadget-goku_udc-fix-potential-crashes-in-probe.patch b/queue-4.9/usb-gadget-goku_udc-fix-potential-crashes-in-probe.patch
new file mode 100644 (file)
index 0000000..120da58
--- /dev/null
@@ -0,0 +1,51 @@
+From f4e76bc2d3b8c4b9be9706c95bbfec967610946a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Oct 2020 18:01:55 +0300
+Subject: usb: gadget: goku_udc: fix potential crashes in probe
+
+From: Evgeny Novikov <novikov@ispras.ru>
+
+[ Upstream commit 0d66e04875c5aae876cf3d4f4be7978fa2b00523 ]
+
+goku_probe() goes to error label "err" and invokes goku_remove()
+in case of failures of pci_enable_device(), pci_resource_start()
+and ioremap(). goku_remove() gets a device from
+pci_get_drvdata(pdev) and works with it without any checks, in
+particular it dereferences a corresponding pointer. But
+goku_probe() did not set this device yet. So, one can expect
+various crashes. The patch moves setting the device just after
+allocation of memory for it.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Reported-by: Pavel Andrianov <andrianov@ispras.ru>
+Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/goku_udc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/goku_udc.c b/drivers/usb/gadget/udc/goku_udc.c
+index 5107987bd3538..d363224dce6f5 100644
+--- a/drivers/usb/gadget/udc/goku_udc.c
++++ b/drivers/usb/gadget/udc/goku_udc.c
+@@ -1772,6 +1772,7 @@ static int goku_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+               goto err;
+       }
++      pci_set_drvdata(pdev, dev);
+       spin_lock_init(&dev->lock);
+       dev->pdev = pdev;
+       dev->gadget.ops = &goku_ops;
+@@ -1805,7 +1806,6 @@ static int goku_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+       }
+       dev->regs = (struct goku_udc_regs __iomem *) base;
+-      pci_set_drvdata(pdev, dev);
+       INFO(dev, "%s\n", driver_desc);
+       INFO(dev, "version: " DRIVER_VERSION " %s\n", dmastr());
+       INFO(dev, "irq %d, pci mem %p\n", pdev->irq, base);
+-- 
+2.27.0
+
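Review bot: Setting drvdata right after allocation means goku_remove() now runs on a half-initialised device when pci_enable_device(), the resource lookup or ioremap() fails; at that point `dev->regs` is not yet assigned and the PCI device may never have been enabled. goku_remove() is not shown, so each of its teardown steps needs to be checked for tolerating that state. The `goto err` just above the added line still happens before `pci_set_drvdata()`, so the error label has to skip goku_remove() when no device was allocated. goku_probe() starts and ends outside the hunks.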