--- /dev/null
+From 44d7b82482226df8546b461ecb57df640e45d0de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2019 10:42:25 +0800
+Subject: md: raid1: check rdev before reference in raid1_sync_request func
+
+From: Zhiqiang Liu <liuzhiqiang26@huawei.com>
+
+[ Upstream commit 028288df635f5a9addd48ac4677b720192747944 ]
+
+In raid1_sync_request func, rdev should be checked before reference.
+
+Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/raid1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
+index abb99515068b..096f3a2ba524 100644
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -2630,7 +2630,7 @@ static sector_t sync_request(struct mddev *mddev, sector_t sector_nr, int *skipp
+ write_targets++;
+ }
+ }
+- if (bio->bi_end_io) {
++ if (rdev && bio->bi_end_io) {
+ atomic_inc(&rdev->nr_pending);
+ bio->bi_iter.bi_sector = sector_nr + rdev->data_offset;
+ bio->bi_bdev = rdev->bdev;
+--
+2.20.1
+
--- /dev/null
+From 28933e5af59b546e9e9459ae3c467a949e738257 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2019 01:21:31 +0200
+Subject: PM / devfreq: Don't fail devfreq_dev_release if not in list
+
+From: Leonard Crestez <leonard.crestez@nxp.com>
+
+[ Upstream commit 42a6b25e67df6ee6675e8d1eaf18065bd73328ba ]
+
+Right now devfreq_dev_release will print a warning and abort the rest of
+the cleanup if the devfreq instance is not part of the global
+devfreq_list. But this is a valid scenario, for example it can happen if
+the governor can't be found or on any other init error that happens
+after device_register.
+
+Initialize devfreq->node to an empty list head in devfreq_add_device so
+that list_del becomes a safe noop inside devfreq_dev_release and we can
+continue the rest of the cleanup.
+
+Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
+Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
+Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/devfreq/devfreq.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
+index 4f6fc1cfd7da..f01f7434df8e 100644
+--- a/drivers/devfreq/devfreq.c
++++ b/drivers/devfreq/devfreq.c
+@@ -396,11 +396,6 @@ static int devfreq_notifier_call(struct notifier_block *nb, unsigned long type,
+ static void _remove_devfreq(struct devfreq *devfreq)
+ {
+ mutex_lock(&devfreq_list_lock);
+- if (IS_ERR(find_device_devfreq(devfreq->dev.parent))) {
+- mutex_unlock(&devfreq_list_lock);
+- dev_warn(&devfreq->dev, "releasing devfreq which doesn't exist\n");
+- return;
+- }
+ list_del(&devfreq->node);
+ mutex_unlock(&devfreq_list_lock);
+
+@@ -472,6 +467,7 @@ struct devfreq *devfreq_add_device(struct device *dev,
+ devfreq->dev.parent = dev;
+ devfreq->dev.class = devfreq_class;
+ devfreq->dev.release = devfreq_dev_release;
++ INIT_LIST_HEAD(&devfreq->node);
+ devfreq->profile = profile;
+ strncpy(devfreq->governor_name, governor_name, DEVFREQ_NAME_LEN);
+ devfreq->previous_freq = profile->initial_freq;
+--
+2.20.1
+
--- /dev/null
+From bcbf3ed2b4bcbd9e065cf5617e5557ce5fce48d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2019 09:24:26 +0800
+Subject: RDMA/cma: add missed unregister_pernet_subsys in init failure
+
+From: Chuhong Yuan <hslester96@gmail.com>
+
+[ Upstream commit 44a7b6759000ac51b92715579a7bba9e3f9245c2 ]
+
+The driver forgets to call unregister_pernet_subsys() in the error path
+of cma_init().
+Add the missed call to fix it.
+
+Fixes: 4be74b42a6d0 ("IB/cma: Separate port allocation to network namespaces")
+Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
+Reviewed-by: Parav Pandit <parav@mellanox.com>
+Link: https://lore.kernel.org/r/20191206012426.12744-1-hslester96@gmail.com
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/cma.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
+index 8ad9c6b04769..5ed9b5f8a037 100644
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -4109,6 +4109,7 @@ static int __init cma_init(void)
+ unregister_netdevice_notifier(&cma_nb);
+ rdma_addr_unregister_client(&addr_client);
+ ib_sa_unregister_client(&sa_client);
++ unregister_pernet_subsys(&cma_pernet_operations);
+ err_wq:
+ destroy_workqueue(cma_wq);
+ return ret;
+--
+2.20.1
+
--- /dev/null
+From c3d90845cb684ab8ac7bb614aa0103cfdf55d077 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Jan 2020 13:27:14 -0500
+Subject: Revert "perf report: Add warning when libunwind not compiled in"
+
+This reverts commit 59b706ce44dbfd35a428f2cbad47794ce5dce1eb.
+
+This change depends on more changes that didn't exist in 4.9 and older.
+
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-report.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/tools/perf/builtin-report.c b/tools/perf/builtin-report.c
+index 0f7ebac1846b..f256fac1e722 100644
+--- a/tools/perf/builtin-report.c
++++ b/tools/perf/builtin-report.c
+@@ -285,13 +285,6 @@ static int report__setup_sample_type(struct report *rep)
+ PERF_SAMPLE_BRANCH_ANY))
+ rep->nonany_branch_mode = true;
+
+-#ifndef HAVE_LIBUNWIND_SUPPORT
+- if (dwarf_callchain_users) {
+- ui__warning("Please install libunwind development packages "
+- "during the perf build.\n");
+- }
+-#endif
+-
+ return 0;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From e1cd6dd70d3e77e60a839e683296660e9813f534 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Nov 2019 10:26:41 +0100
+Subject: s390/cpum_sf: Adjust sampling interval to avoid hitting sample limits
+
+From: Thomas Richter <tmricht@linux.ibm.com>
+
+[ Upstream commit 39d4a501a9ef55c57b51e3ef07fc2aeed7f30b3b ]
+
+Function perf_event_ever_overflow() and perf_event_account_interrupt()
+are called every time samples are processed by the interrupt handler.
+However function perf_event_account_interrupt() has checks to avoid being
+flooded with interrupts (more then 1000 samples are received per
+task_tick). Samples are then dropped and a PERF_RECORD_THROTTLED is
+added to the perf data. The perf subsystem limit calculation is:
+
+ maximum sample frequency := 100000 --> 1 samples per 10 us
+ task_tick = 10ms = 10000us --> 1000 samples per task_tick
+
+The work flow is
+
+measurement_alert() uses SDBT head and each SBDT points to 511
+ SDB pages, each with 126 sample entries. After processing 8 SBDs
+ and for each valid sample calling:
+
+ perf_event_overflow()
+ perf_event_account_interrupts()
+
+there is a considerable amount of samples being dropped, especially when
+the sample frequency is very high and near the 100000 limit.
+
+To avoid the high amount of samples being dropped near the end of a
+task_tick time frame, increment the sampling interval in case of
+dropped events. The CPU Measurement sampling facility on the s390
+supports only intervals, specifiing how many CPU cycles have to be
+executed before a sample is generated. Increase the interval when the
+samples being generated hit the task_tick limit.
+
+Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/perf_cpum_sf.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c
+index 7490c52b2715..01766671fa2a 100644
+--- a/arch/s390/kernel/perf_cpum_sf.c
++++ b/arch/s390/kernel/perf_cpum_sf.c
+@@ -1306,6 +1306,22 @@ static void hw_perf_event_update(struct perf_event *event, int flush_all)
+ if (sampl_overflow)
+ OVERFLOW_REG(hwc) = DIV_ROUND_UP(OVERFLOW_REG(hwc) +
+ sampl_overflow, 1 + num_sdb);
++
++ /* Perf_event_overflow() and perf_event_account_interrupt() limit
++ * the interrupt rate to an upper limit. Roughly 1000 samples per
++ * task tick.
++ * Hitting this limit results in a large number
++ * of throttled REF_REPORT_THROTTLE entries and the samples
++ * are dropped.
++ * Slightly increase the interval to avoid hitting this limit.
++ */
++ if (event_overflow) {
++ SAMPL_RATE(hwc) += DIV_ROUND_UP(SAMPL_RATE(hwc), 10);
++ debug_sprintf_event(sfdbg, 1, "%s: rate adjustment %ld\n",
++ __func__,
++ DIV_ROUND_UP(SAMPL_RATE(hwc), 10));
++ }
++
+ if (sampl_overflow || event_overflow)
+ debug_sprintf_event(sfdbg, 4, "hw_perf_event_update: "
+ "overflow stats: sample=%llu event=%llu\n",
+--
+2.20.1
+
--- /dev/null
+From 8c54cdfd6199aabbd65d71764794f2835d321731 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Nov 2019 15:24:25 +0100
+Subject: s390/cpum_sf: Avoid SBD overflow condition in irq handler
+
+From: Thomas Richter <tmricht@linux.ibm.com>
+
+[ Upstream commit 0539ad0b22877225095d8adef0c376f52cc23834 ]
+
+The s390 CPU Measurement sampling facility has an overflow condition
+which fires when all entries in a SBD are used.
+The measurement alert interrupt is triggered and reads out all samples
+in this SDB. It then tests the successor SDB, if this SBD is not full,
+the interrupt handler does not read any samples at all from this SDB
+The design waits for the hardware to fill this SBD and then trigger
+another meassurement alert interrupt.
+
+This scheme works nicely until
+an perf_event_overflow() function call discards the sample due to
+a too high sampling rate.
+The interrupt handler has logic to read out a partially filled SDB
+when the perf event overflow condition in linux common code is met.
+This causes the CPUM sampling measurement hardware and the PMU
+device driver to operate on the same SBD's trailer entry.
+This should not happen.
+
+This can be seen here using this trace:
+ cpumsf_pmu_add: tear:0xb5286000
+ hw_perf_event_update: sdbt 0xb5286000 full 1 over 0 flush_all:0
+ hw_perf_event_update: sdbt 0xb5286008 full 0 over 0 flush_all:0
+ above shows 1. interrupt
+ hw_perf_event_update: sdbt 0xb5286008 full 1 over 0 flush_all:0
+ hw_perf_event_update: sdbt 0xb5286008 full 0 over 0 flush_all:0
+ above shows 2. interrupt
+ ... this goes on fine until...
+ hw_perf_event_update: sdbt 0xb5286068 full 1 over 0 flush_all:0
+ perf_push_sample1: overflow
+ one or more samples read from the IRQ handler are rejected by
+ perf_event_overflow() and the IRQ handler advances to the next SDB
+ and modifies the trailer entry of a partially filled SDB.
+ hw_perf_event_update: sdbt 0xb5286070 full 0 over 0 flush_all:1
+ timestamp: 14:32:52.519953
+
+Next time the IRQ handler is called for this SDB the trailer entry shows
+an overflow count of 19 missed entries.
+ hw_perf_event_update: sdbt 0xb5286070 full 1 over 19 flush_all:1
+ timestamp: 14:32:52.970058
+
+Remove access to a follow on SDB when event overflow happened.
+
+Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/perf_cpum_sf.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c
+index 01766671fa2a..4a76b381d25a 100644
+--- a/arch/s390/kernel/perf_cpum_sf.c
++++ b/arch/s390/kernel/perf_cpum_sf.c
+@@ -1294,12 +1294,6 @@ static void hw_perf_event_update(struct perf_event *event, int flush_all)
+ */
+ if (flush_all && done)
+ break;
+-
+- /* If an event overflow happened, discard samples by
+- * processing any remaining sample-data-blocks.
+- */
+- if (event_overflow)
+- flush_all = 1;
+ }
+
+ /* Account sample overflows in the event hardware structure */
+--
+2.20.1
+
--- /dev/null
+From 9d2144a8379f3a14ec0b86f0e209d236cabf906c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2019 12:45:09 +0300
+Subject: scsi: iscsi: qla4xxx: fix double free in probe
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit fee92f25777789d73e1936b91472e9c4644457c8 ]
+
+On this error path we call qla4xxx_mem_free() and then the caller also
+calls qla4xxx_free_adapter() which calls qla4xxx_mem_free(). It leads to a
+couple double frees:
+
+drivers/scsi/qla4xxx/ql4_os.c:8856 qla4xxx_probe_adapter() warn: 'ha->chap_dma_pool' double freed
+drivers/scsi/qla4xxx/ql4_os.c:8856 qla4xxx_probe_adapter() warn: 'ha->fw_ddb_dma_pool' double freed
+
+Fixes: afaf5a2d341d ("[SCSI] Initial Commit of qla4xxx")
+Link: https://lore.kernel.org/r/20191203094421.hw7ex7qr3j2rbsmx@kili.mountain
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla4xxx/ql4_os.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
+index d220b4f691c7..f714d5f917d1 100644
+--- a/drivers/scsi/qla4xxx/ql4_os.c
++++ b/drivers/scsi/qla4xxx/ql4_os.c
+@@ -4285,7 +4285,6 @@ static int qla4xxx_mem_alloc(struct scsi_qla_host *ha)
+ return QLA_SUCCESS;
+
+ mem_alloc_error_exit:
+- qla4xxx_mem_free(ha);
+ return QLA_ERROR;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 03d0a03da9180036ee5cfb70d4f872850ea5af27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2019 09:11:18 +0800
+Subject: scsi: libsas: stop discovering if oob mode is disconnected
+
+From: Jason Yan <yanaijie@huawei.com>
+
+[ Upstream commit f70267f379b5e5e11bdc5d72a56bf17e5feed01f ]
+
+The discovering of sas port is driven by workqueue in libsas. When libsas
+is processing port events or phy events in workqueue, new events may rise
+up and change the state of some structures such as asd_sas_phy. This may
+cause some problems such as follows:
+
+==>thread 1 ==>thread 2
+
+ ==>phy up
+ ==>phy_up_v3_hw()
+ ==>oob_mode = SATA_OOB_MODE;
+ ==>phy down quickly
+ ==>hisi_sas_phy_down()
+ ==>sas_ha->notify_phy_event()
+ ==>sas_phy_disconnected()
+ ==>oob_mode = OOB_NOT_CONNECTED
+==>workqueue wakeup
+==>sas_form_port()
+ ==>sas_discover_domain()
+ ==>sas_get_port_device()
+ ==>oob_mode is OOB_NOT_CONNECTED and device
+ is wrongly taken as expander
+
+This at last lead to the panic when libsas trying to issue a command to
+discover the device.
+
+[183047.614035] Unable to handle kernel NULL pointer dereference at
+virtual address 0000000000000058
+[183047.622896] Mem abort info:
+[183047.625762] ESR = 0x96000004
+[183047.628893] Exception class = DABT (current EL), IL = 32 bits
+[183047.634888] SET = 0, FnV = 0
+[183047.638015] EA = 0, S1PTW = 0
+[183047.641232] Data abort info:
+[183047.644189] ISV = 0, ISS = 0x00000004
+[183047.648100] CM = 0, WnR = 0
+[183047.651145] user pgtable: 4k pages, 48-bit VAs, pgdp =
+00000000b7df67be
+[183047.657834] [0000000000000058] pgd=0000000000000000
+[183047.662789] Internal error: Oops: 96000004 [#1] SMP
+[183047.667740] Process kworker/u16:2 (pid: 31291, stack limit =
+0x00000000417c4974)
+[183047.675208] CPU: 0 PID: 3291 Comm: kworker/u16:2 Tainted: G
+W OE 4.19.36-vhulk1907.1.0.h410.eulerosv2r8.aarch64 #1
+[183047.687015] Hardware name: N/A N/A/Kunpeng Desktop Board D920S10,
+BIOS 0.15 10/22/2019
+[183047.695007] Workqueue: 0000:74:02.0_disco_q sas_discover_domain
+[183047.700999] pstate: 20c00009 (nzCv daif +PAN +UAO)
+[183047.705864] pc : prep_ata_v3_hw+0xf8/0x230 [hisi_sas_v3_hw]
+[183047.711510] lr : prep_ata_v3_hw+0xb0/0x230 [hisi_sas_v3_hw]
+[183047.717153] sp : ffff00000f28ba60
+[183047.720541] x29: ffff00000f28ba60 x28: ffff8026852d7228
+[183047.725925] x27: ffff8027dba3e0a8 x26: ffff8027c05fc200
+[183047.731310] x25: 0000000000000000 x24: ffff8026bafa8dc0
+[183047.736695] x23: ffff8027c05fc218 x22: ffff8026852d7228
+[183047.742079] x21: ffff80007c2f2940 x20: ffff8027c05fc200
+[183047.747464] x19: 0000000000f80800 x18: 0000000000000010
+[183047.752848] x17: 0000000000000000 x16: 0000000000000000
+[183047.758232] x15: ffff000089a5a4ff x14: 0000000000000005
+[183047.763617] x13: ffff000009a5a50e x12: ffff8026bafa1e20
+[183047.769001] x11: ffff0000087453b8 x10: ffff00000f28b870
+[183047.774385] x9 : 0000000000000000 x8 : ffff80007e58f9b0
+[183047.779770] x7 : 0000000000000000 x6 : 000000000000003f
+[183047.785154] x5 : 0000000000000040 x4 : ffffffffffffffe0
+[183047.790538] x3 : 00000000000000f8 x2 : 0000000002000007
+[183047.795922] x1 : 0000000000000008 x0 : 0000000000000000
+[183047.801307] Call trace:
+[183047.803827] prep_ata_v3_hw+0xf8/0x230 [hisi_sas_v3_hw]
+[183047.809127] hisi_sas_task_prep+0x750/0x888 [hisi_sas_main]
+[183047.814773] hisi_sas_task_exec.isra.7+0x88/0x1f0 [hisi_sas_main]
+[183047.820939] hisi_sas_queue_command+0x28/0x38 [hisi_sas_main]
+[183047.826757] smp_execute_task_sg+0xec/0x218
+[183047.831013] smp_execute_task+0x74/0xa0
+[183047.834921] sas_discover_expander.part.7+0x9c/0x5f8
+[183047.839959] sas_discover_root_expander+0x90/0x160
+[183047.844822] sas_discover_domain+0x1b8/0x1e8
+[183047.849164] process_one_work+0x1b4/0x3f8
+[183047.853246] worker_thread+0x54/0x470
+[183047.856981] kthread+0x134/0x138
+[183047.860283] ret_from_fork+0x10/0x18
+[183047.863931] Code: f9407a80 528000e2 39409281 72a04002 (b9405800)
+[183047.870097] kernel fault(0x1) notification starting on CPU 0
+[183047.875828] kernel fault(0x1) notification finished on CPU 0
+[183047.881559] Modules linked in: unibsp(OE) hns3(OE) hclge(OE)
+hnae3(OE) mem_drv(OE) hisi_sas_v3_hw(OE) hisi_sas_main(OE)
+[183047.892418] ---[ end trace 4cc26083fc11b783 ]---
+[183047.897107] Kernel panic - not syncing: Fatal exception
+[183047.902403] kernel fault(0x5) notification starting on CPU 0
+[183047.908134] kernel fault(0x5) notification finished on CPU 0
+[183047.913865] SMP: stopping secondary CPUs
+[183047.917861] Kernel Offset: disabled
+[183047.921422] CPU features: 0x2,a2a00a38
+[183047.925243] Memory Limit: none
+[183047.928372] kernel reboot(0x2) notification starting on CPU 0
+[183047.934190] kernel reboot(0x2) notification finished on CPU 0
+[183047.940008] ---[ end Kernel panic - not syncing: Fatal exception
+]---
+
+Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
+Link: https://lore.kernel.org/r/20191206011118.46909-1-yanaijie@huawei.com
+Reported-by: Gao Chuan <gaochuan4@huawei.com>
+Reviewed-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Jason Yan <yanaijie@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/libsas/sas_discover.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/libsas/sas_discover.c b/drivers/scsi/libsas/sas_discover.c
+index 60de66252fa2..b200edc665a5 100644
+--- a/drivers/scsi/libsas/sas_discover.c
++++ b/drivers/scsi/libsas/sas_discover.c
+@@ -97,12 +97,21 @@ static int sas_get_port_device(struct asd_sas_port *port)
+ else
+ dev->dev_type = SAS_SATA_DEV;
+ dev->tproto = SAS_PROTOCOL_SATA;
+- } else {
++ } else if (port->oob_mode == SAS_OOB_MODE) {
+ struct sas_identify_frame *id =
+ (struct sas_identify_frame *) dev->frame_rcvd;
+ dev->dev_type = id->dev_type;
+ dev->iproto = id->initiator_bits;
+ dev->tproto = id->target_bits;
++ } else {
++ /* If the oob mode is OOB_NOT_CONNECTED, the port is
++ * disconnected due to race with PHY down. We cannot
++ * continue to discover this port
++ */
++ sas_put_device(dev);
++ pr_warn("Port %016llx is disconnected when discovering\n",
++ SAS_ADDR(port->attached_sas_addr));
++ return -ENODEV;
+ }
+
+ sas_init_dev(dev);
+--
+2.20.1
+
--- /dev/null
+From 23a936ed67446d3b9121f98aa6a7a5ed20bb803f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Dec 2019 03:22:46 +0000
+Subject: scsi: lpfc: Fix memory leak on lpfc_bsg_write_ebuf_set func
+
+From: Bo Wu <wubo40@huawei.com>
+
+[ Upstream commit 9a1b0b9a6dab452fb0e39fe96880c4faf3878369 ]
+
+When phba->mbox_ext_buf_ctx.seqNum != phba->mbox_ext_buf_ctx.numBuf,
+dd_data should be freed before return SLI_CONFIG_HANDLED.
+
+When lpfc_sli_issue_mbox func return fails, pmboxq should be also freed in
+job_error tag.
+
+Link: https://lore.kernel.org/r/EDBAAA0BBBA2AC4E9C8B6B81DEEE1D6915E7A966@DGGEML525-MBS.china.huawei.com
+Signed-off-by: Bo Wu <wubo40@huawei.com>
+Reviewed-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
+Reviewed-by: James Smart <james.smart@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_bsg.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_bsg.c b/drivers/scsi/lpfc/lpfc_bsg.c
+index 05dcc2abd541..99f06ac7bf4c 100644
+--- a/drivers/scsi/lpfc/lpfc_bsg.c
++++ b/drivers/scsi/lpfc/lpfc_bsg.c
+@@ -4352,12 +4352,6 @@ lpfc_bsg_write_ebuf_set(struct lpfc_hba *phba, struct fc_bsg_job *job,
+ phba->mbox_ext_buf_ctx.seqNum++;
+ nemb_tp = phba->mbox_ext_buf_ctx.nembType;
+
+- dd_data = kmalloc(sizeof(struct bsg_job_data), GFP_KERNEL);
+- if (!dd_data) {
+- rc = -ENOMEM;
+- goto job_error;
+- }
+-
+ pbuf = (uint8_t *)dmabuf->virt;
+ size = job->request_payload.payload_len;
+ sg_copy_to_buffer(job->request_payload.sg_list,
+@@ -4394,6 +4388,13 @@ lpfc_bsg_write_ebuf_set(struct lpfc_hba *phba, struct fc_bsg_job *job,
+ "2968 SLI_CONFIG ext-buffer wr all %d "
+ "ebuffers received\n",
+ phba->mbox_ext_buf_ctx.numBuf);
++
++ dd_data = kmalloc(sizeof(struct bsg_job_data), GFP_KERNEL);
++ if (!dd_data) {
++ rc = -ENOMEM;
++ goto job_error;
++ }
++
+ /* mailbox command structure for base driver */
+ pmboxq = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL);
+ if (!pmboxq) {
+@@ -4441,6 +4442,8 @@ lpfc_bsg_write_ebuf_set(struct lpfc_hba *phba, struct fc_bsg_job *job,
+ return SLI_CONFIG_HANDLED;
+
+ job_error:
++ if (pmboxq)
++ mempool_free(pmboxq, phba->mbox_mem_pool);
+ lpfc_bsg_dma_page_free(phba, dmabuf);
+ kfree(dd_data);
+
+--
+2.20.1
+
--- /dev/null
+From 50328a236ec1d3af4c65c5b7ece684425c0e7465 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Nov 2019 19:56:56 +0300
+Subject: scsi: qla2xxx: Don't call qlt_async_event twice
+
+From: Roman Bolshakov <r.bolshakov@yadro.com>
+
+[ Upstream commit 2c2f4bed9b6299e6430a65a29b5d27b8763fdf25 ]
+
+MBA_PORT_UPDATE generates duplicate log lines in target mode because
+qlt_async_event is called twice. Drop the calls within the case as the
+function will be called right after the switch statement.
+
+Cc: Quinn Tran <qutran@marvell.com>
+Link: https://lore.kernel.org/r/20191125165702.1013-8-r.bolshakov@yadro.com
+Acked-by: Himanshu Madhani <hmadhani@marvel.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Tested-by: Hannes Reinecke <hare@suse.de>
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_isr.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
+index 440d79e6aea5..dc7cef6ff829 100644
+--- a/drivers/scsi/qla2xxx/qla_isr.c
++++ b/drivers/scsi/qla2xxx/qla_isr.c
+@@ -966,8 +966,6 @@ qla2x00_async_event(scsi_qla_host_t *vha, struct rsp_que *rsp, uint16_t *mb)
+ ql_dbg(ql_dbg_async, vha, 0x5011,
+ "Asynchronous PORT UPDATE ignored %04x/%04x/%04x.\n",
+ mb[1], mb[2], mb[3]);
+-
+- qlt_async_event(mb[0], vha, mb);
+ break;
+ }
+
+@@ -988,8 +986,6 @@ qla2x00_async_event(scsi_qla_host_t *vha, struct rsp_que *rsp, uint16_t *mb)
+ set_bit(LOOP_RESYNC_NEEDED, &vha->dpc_flags);
+ set_bit(LOCAL_LOOP_UPDATE, &vha->dpc_flags);
+ set_bit(VP_CONFIG_OK, &vha->vp_flags);
+-
+- qlt_async_event(mb[0], vha, mb);
+ break;
+
+ case MBA_RSCN_UPDATE: /* State Change Registration */
+--
+2.20.1
+
--- /dev/null
+pm-devfreq-don-t-fail-devfreq_dev_release-if-not-in-.patch
+rdma-cma-add-missed-unregister_pernet_subsys-in-init.patch
+scsi-lpfc-fix-memory-leak-on-lpfc_bsg_write_ebuf_set.patch
+scsi-qla2xxx-don-t-call-qlt_async_event-twice.patch
+scsi-iscsi-qla4xxx-fix-double-free-in-probe.patch
+scsi-libsas-stop-discovering-if-oob-mode-is-disconne.patch
+usb-gadget-fix-wrong-endpoint-desc.patch
+md-raid1-check-rdev-before-reference-in-raid1_sync_r.patch
+s390-cpum_sf-adjust-sampling-interval-to-avoid-hitti.patch
+s390-cpum_sf-avoid-sbd-overflow-condition-in-irq-han.patch
+xen-balloon-fix-ballooned-page-accounting-without-ho.patch
+xfs-fix-mount-failure-crash-on-invalid-iclog-memory-.patch
+taskstats-fix-data-race.patch
+revert-perf-report-add-warning-when-libunwind-not-co.patch
--- /dev/null
+From 932848011855279c40333043cd69b87294aa9428 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2019 13:48:09 +0200
+Subject: taskstats: fix data-race
+
+From: Christian Brauner <christian.brauner@ubuntu.com>
+
+[ Upstream commit 0b8d616fb5a8ffa307b1d3af37f55c15dae14f28 ]
+
+When assiging and testing taskstats in taskstats_exit() there's a race
+when setting up and reading sig->stats when a thread-group with more
+than one thread exits:
+
+write to 0xffff8881157bbe10 of 8 bytes by task 7951 on cpu 0:
+ taskstats_tgid_alloc kernel/taskstats.c:567 [inline]
+ taskstats_exit+0x6b7/0x717 kernel/taskstats.c:596
+ do_exit+0x2c2/0x18e0 kernel/exit.c:864
+ do_group_exit+0xb4/0x1c0 kernel/exit.c:983
+ get_signal+0x2a2/0x1320 kernel/signal.c:2734
+ do_signal+0x3b/0xc00 arch/x86/kernel/signal.c:815
+ exit_to_usermode_loop+0x250/0x2c0 arch/x86/entry/common.c:159
+ prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
+ syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
+ do_syscall_64+0x2d7/0x2f0 arch/x86/entry/common.c:299
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+read to 0xffff8881157bbe10 of 8 bytes by task 7949 on cpu 1:
+ taskstats_tgid_alloc kernel/taskstats.c:559 [inline]
+ taskstats_exit+0xb2/0x717 kernel/taskstats.c:596
+ do_exit+0x2c2/0x18e0 kernel/exit.c:864
+ do_group_exit+0xb4/0x1c0 kernel/exit.c:983
+ __do_sys_exit_group kernel/exit.c:994 [inline]
+ __se_sys_exit_group kernel/exit.c:992 [inline]
+ __x64_sys_exit_group+0x2e/0x30 kernel/exit.c:992
+ do_syscall_64+0xcf/0x2f0 arch/x86/entry/common.c:296
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fix this by using smp_load_acquire() and smp_store_release().
+
+Reported-by: syzbot+c5d03165a1bd1dead0c1@syzkaller.appspotmail.com
+Fixes: 34ec12349c8a ("taskstats: cleanup ->signal->stats allocation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+Acked-by: Marco Elver <elver@google.com>
+Reviewed-by: Will Deacon <will@kernel.org>
+Reviewed-by: Andrea Parri <parri.andrea@gmail.com>
+Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
+Link: https://lore.kernel.org/r/20191009114809.8643-1-christian.brauner@ubuntu.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/taskstats.c | 30 +++++++++++++++++++-----------
+ 1 file changed, 19 insertions(+), 11 deletions(-)
+
+diff --git a/kernel/taskstats.c b/kernel/taskstats.c
+index 21f82c29c914..0737a50380d7 100644
+--- a/kernel/taskstats.c
++++ b/kernel/taskstats.c
+@@ -582,25 +582,33 @@ static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info)
+ static struct taskstats *taskstats_tgid_alloc(struct task_struct *tsk)
+ {
+ struct signal_struct *sig = tsk->signal;
+- struct taskstats *stats;
++ struct taskstats *stats_new, *stats;
+
+- if (sig->stats || thread_group_empty(tsk))
+- goto ret;
++ /* Pairs with smp_store_release() below. */
++ stats = smp_load_acquire(&sig->stats);
++ if (stats || thread_group_empty(tsk))
++ return stats;
+
+ /* No problem if kmem_cache_zalloc() fails */
+- stats = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL);
++ stats_new = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL);
+
+ spin_lock_irq(&tsk->sighand->siglock);
+- if (!sig->stats) {
+- sig->stats = stats;
+- stats = NULL;
++ stats = sig->stats;
++ if (!stats) {
++ /*
++ * Pairs with smp_store_release() above and order the
++ * kmem_cache_zalloc().
++ */
++ smp_store_release(&sig->stats, stats_new);
++ stats = stats_new;
++ stats_new = NULL;
+ }
+ spin_unlock_irq(&tsk->sighand->siglock);
+
+- if (stats)
+- kmem_cache_free(taskstats_cache, stats);
+-ret:
+- return sig->stats;
++ if (stats_new)
++ kmem_cache_free(taskstats_cache, stats_new);
++
++ return stats;
+ }
+
+ /* Send pid data out on exit */
+--
+2.20.1
+
--- /dev/null
+From c762647d441312f0988bf393734e75bffb836f26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2019 23:34:56 -0800
+Subject: usb: gadget: fix wrong endpoint desc
+
+From: EJ Hsu <ejh@nvidia.com>
+
+[ Upstream commit e5b5da96da50ef30abb39cb9f694e99366404d24 ]
+
+Gadget driver should always use config_ep_by_speed() to initialize
+usb_ep struct according to usb device's operating speed. Otherwise,
+usb_ep struct may be wrong if usb devcie's operating speed is changed.
+
+The key point in this patch is that we want to make sure the desc pointer
+in usb_ep struct will be set to NULL when gadget is disconnected.
+This will force it to call config_ep_by_speed() to correctly initialize
+usb_ep struct based on the new operating speed when gadget is
+re-connected later.
+
+Reviewed-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: EJ Hsu <ejh@nvidia.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_ecm.c | 6 +++++-
+ drivers/usb/gadget/function/f_rndis.c | 1 +
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/function/f_ecm.c b/drivers/usb/gadget/function/f_ecm.c
+index 7ad60ee41914..4ce19b860289 100644
+--- a/drivers/usb/gadget/function/f_ecm.c
++++ b/drivers/usb/gadget/function/f_ecm.c
+@@ -625,8 +625,12 @@ static void ecm_disable(struct usb_function *f)
+
+ DBG(cdev, "ecm deactivated\n");
+
+- if (ecm->port.in_ep->enabled)
++ if (ecm->port.in_ep->enabled) {
+ gether_disconnect(&ecm->port);
++ } else {
++ ecm->port.in_ep->desc = NULL;
++ ecm->port.out_ep->desc = NULL;
++ }
+
+ usb_ep_disable(ecm->notify);
+ ecm->notify->desc = NULL;
+diff --git a/drivers/usb/gadget/function/f_rndis.c b/drivers/usb/gadget/function/f_rndis.c
+index e587767e374c..e281af92e084 100644
+--- a/drivers/usb/gadget/function/f_rndis.c
++++ b/drivers/usb/gadget/function/f_rndis.c
+@@ -619,6 +619,7 @@ static void rndis_disable(struct usb_function *f)
+ gether_disconnect(&rndis->port);
+
+ usb_ep_disable(rndis->notify);
++ rndis->notify->desc = NULL;
+ }
+
+ /*-------------------------------------------------------------------------*/
+--
+2.20.1
+
--- /dev/null
+From d56aa39af8be6a492457c042f1be8c7f81c78e58 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Dec 2019 15:17:50 +0100
+Subject: xen/balloon: fix ballooned page accounting without hotplug enabled
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit c673ec61ade89bf2f417960f986bc25671762efb ]
+
+When CONFIG_XEN_BALLOON_MEMORY_HOTPLUG is not defined
+reserve_additional_memory() will set balloon_stats.target_pages to a
+wrong value in case there are still some ballooned pages allocated via
+alloc_xenballooned_pages().
+
+This will result in balloon_process() no longer be triggered when
+ballooned pages are freed in batches.
+
+Reported-by: Nicholas Tsirakis <niko.tsirakis@gmail.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/balloon.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
+index cfab1d24e4bc..1c789056e7e8 100644
+--- a/drivers/xen/balloon.c
++++ b/drivers/xen/balloon.c
+@@ -392,7 +392,8 @@ static struct notifier_block xen_memory_nb = {
+ #else
+ static enum bp_state reserve_additional_memory(void)
+ {
+- balloon_stats.target_pages = balloon_stats.current_pages;
++ balloon_stats.target_pages = balloon_stats.current_pages +
++ balloon_stats.target_unpopulated;
+ return BP_ECANCELED;
+ }
+ #endif /* CONFIG_XEN_BALLOON_MEMORY_HOTPLUG */
+--
+2.20.1
+
--- /dev/null
+From ca641bc5df237e0ac3077ddd48558964d0ebbaa0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2019 07:53:15 -0800
+Subject: xfs: fix mount failure crash on invalid iclog memory access
+
+From: Brian Foster <bfoster@redhat.com>
+
+[ Upstream commit 798a9cada4694ca8d970259f216cec47e675bfd5 ]
+
+syzbot (via KASAN) reports a use-after-free in the error path of
+xlog_alloc_log(). Specifically, the iclog freeing loop doesn't
+handle the case of a fully initialized ->l_iclog linked list.
+Instead, it assumes that the list is partially constructed and NULL
+terminated.
+
+This bug manifested because there was no possible error scenario
+after iclog list setup when the original code was added. Subsequent
+code and associated error conditions were added some time later,
+while the original error handling code was never updated. Fix up the
+error loop to terminate either on a NULL iclog or reaching the end
+of the list.
+
+Reported-by: syzbot+c732f8644185de340492@syzkaller.appspotmail.com
+Signed-off-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/xfs_log.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/xfs/xfs_log.c b/fs/xfs/xfs_log.c
+index 73b725f965eb..065aa4752607 100644
+--- a/fs/xfs/xfs_log.c
++++ b/fs/xfs/xfs_log.c
+@@ -1503,6 +1503,8 @@ xlog_alloc_log(
+ if (iclog->ic_bp)
+ xfs_buf_free(iclog->ic_bp);
+ kmem_free(iclog);
++ if (prev_iclog == log->l_iclog)
++ break;
+ }
+ spinlock_destroy(&log->l_icloglock);
+ xfs_buf_free(log->l_xbuf);
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
