fixes for 5.4
authorSasha Levin <sashal@kernel.org>
Sun, 5 Jan 2020 18:59:11 +0000 (13:59 -0500)
committerSasha Levin <sashal@kernel.org>
Sun, 5 Jan 2020 18:59:11 +0000 (13:59 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
80 files changed:
queue-5.4/6pack-mkiss-fix-possible-deadlock.patch [new file with mode: 0644]
queue-5.4/afs-fix-afs_find_server-lookups-for-ipv4-peers.patch [new file with mode: 0644]
queue-5.4/afs-fix-creation-calls-in-the-dynamic-root-to-fail-w.patch [new file with mode: 0644]
queue-5.4/afs-fix-mountpoint-parsing.patch [new file with mode: 0644]
queue-5.4/afs-fix-selinux-setting-security-label-on-afs.patch [new file with mode: 0644]
queue-5.4/alsa-hda-allow-hda-to-be-runtime-suspended-when-dgpu.patch [new file with mode: 0644]
queue-5.4/alsa-hda-downgrade-error-message-for-single-cmd-fall.patch [new file with mode: 0644]
queue-5.4/alsa-hda-fixup-for-the-bass-speaker-on-lenovo-carbon.patch [new file with mode: 0644]
queue-5.4/alsa-hda-realtek-add-bass-speaker-and-fixed-dac-for-.patch [new file with mode: 0644]
queue-5.4/alsa-hda-realtek-enable-the-bass-speaker-of-asus-ux4.patch [new file with mode: 0644]
queue-5.4/block-add-bio_truncate-to-fix-guard_bio_eod.patch [new file with mode: 0644]
queue-5.4/drm-amd-display-change-the-delay-time-before-enablin.patch [new file with mode: 0644]
queue-5.4/drm-amd-display-fixed-kernel-panic-when-booting-with.patch [new file with mode: 0644]
queue-5.4/drm-amd-display-map-dsc-resources-1-to-1-if-numbers-.patch [new file with mode: 0644]
queue-5.4/drm-amd-display-reset-steer-fifo-before-unblanking-t.patch [new file with mode: 0644]
queue-5.4/drm-amd-display-update-dispclk-and-dppclk-vco-freque.patch [new file with mode: 0644]
queue-5.4/drm-amdgpu-add-cache-flush-workaround-to-gfx8-emit_f.patch [new file with mode: 0644]
queue-5.4/drm-amdgpu-add-check-before-enabling-disabling-broad.patch [new file with mode: 0644]
queue-5.4/drm-amdgpu-add-header-line-for-power-profile-on-arct.patch [new file with mode: 0644]
queue-5.4/drm-limit-to-int_max-in-create_blob-ioctl.patch [new file with mode: 0644]
queue-5.4/drm-mcde-dsi-fix-invalid-pointer-dereference-if-pane.patch [new file with mode: 0644]
queue-5.4/drm-nouveau-fix-drm-core-using-atomic-code-paths-on-.patch [new file with mode: 0644]
queue-5.4/drm-nouveau-kms-nv50-fix-panel-scaling.patch [new file with mode: 0644]
queue-5.4/drm-nouveau-move-the-declaration-of-struct-nouveau_c.patch [new file with mode: 0644]
queue-5.4/ib-mlx4-follow-mirror-sequence-of-device-add-during-.patch [new file with mode: 0644]
queue-5.4/ib-mlx5-fix-steering-rule-of-drop-and-count.patch [new file with mode: 0644]
queue-5.4/iio-adc-max9611-fix-too-short-conversion-time-delay.patch [new file with mode: 0644]
queue-5.4/iio-st_accel-fix-unused-variable-warning.patch [new file with mode: 0644]
queue-5.4/inetpeer-fix-data-race-in-inet_putpeer-inet_putpeer.patch [new file with mode: 0644]
queue-5.4/io_uring-io_allocate_scq_urings-should-return-a-sane.patch [new file with mode: 0644]
queue-5.4/md-raid1-check-rdev-before-reference-in-raid1_sync_r.patch [new file with mode: 0644]
queue-5.4/mm-drop-mmap_sem-before-calling-balance_dirty_pages-.patch [new file with mode: 0644]
queue-5.4/net-add-a-read_once-in-skb_peek_tail.patch [new file with mode: 0644]
queue-5.4/net-icmp-fix-data-race-in-cmp_global_allow.patch [new file with mode: 0644]
queue-5.4/net-make-socket-read-write_iter-honor-iocb_nowait.patch [new file with mode: 0644]
queue-5.4/net-smc-add-fallback-check-to-connect.patch [new file with mode: 0644]
queue-5.4/netfilter-bridge-make-sure-to-pull-arp-header-in-br_.patch [new file with mode: 0644]
queue-5.4/netfilter-ebtables-compat-reject-all-padding-in-matc.patch [new file with mode: 0644]
queue-5.4/netfilter-nft_tproxy-fix-port-selector-on-big-endian.patch [new file with mode: 0644]
queue-5.4/nvme-fc-fix-double-free-scenarios-on-hw-queues.patch [new file with mode: 0644]
queue-5.4/nvme-pci-fix-read-queue-count.patch [new file with mode: 0644]
queue-5.4/nvme-pci-fix-write-and-poll-queue-types.patch [new file with mode: 0644]
queue-5.4/nvme_fc-add-module-to-ops-template-to-allow-module-r.patch [new file with mode: 0644]
queue-5.4/pci-add-a-helper-to-check-power-resource-requirement.patch [new file with mode: 0644]
queue-5.4/pci-fix-missing-inline-for-pci_pr3_present.patch [new file with mode: 0644]
queue-5.4/pm-devfreq-don-t-fail-devfreq_dev_release-if-not-in-.patch [new file with mode: 0644]
queue-5.4/pm-devfreq-fix-devfreq_notifier_call-returning-errno.patch [new file with mode: 0644]
queue-5.4/pm-devfreq-set-scaling_max_freq-to-max-on-opp-notifi.patch [new file with mode: 0644]
queue-5.4/pm-hibernate-memory_bm_find_bit-tighten-node-optimis.patch [new file with mode: 0644]
queue-5.4/powerpc-fix-__clear_user-with-kuap-enabled.patch [new file with mode: 0644]
queue-5.4/raid5-need-to-set-stripe_handle-for-batch-head.patch [new file with mode: 0644]
queue-5.4/rdma-cma-add-missed-unregister_pernet_subsys-in-init.patch [new file with mode: 0644]
queue-5.4/rdma-counter-prevent-auto-binding-a-qp-which-are-not.patch [new file with mode: 0644]
queue-5.4/revert-iwlwifi-assign-directly-to-iwl_trans-cfg-in-q.patch [new file with mode: 0644]
queue-5.4/rxe-correctly-calculate-icrc-for-unaligned-payloads.patch [new file with mode: 0644]
queue-5.4/s390-cpum_sf-adjust-sampling-interval-to-avoid-hitti.patch [new file with mode: 0644]
queue-5.4/s390-cpum_sf-avoid-sbd-overflow-condition-in-irq-han.patch [new file with mode: 0644]
queue-5.4/scsi-iscsi-avoid-potential-deadlock-in-iscsi_if_rx-f.patch [new file with mode: 0644]
queue-5.4/scsi-iscsi-qla4xxx-fix-double-free-in-probe.patch [new file with mode: 0644]
queue-5.4/scsi-libsas-stop-discovering-if-oob-mode-is-disconne.patch [new file with mode: 0644]
queue-5.4/scsi-lpfc-fix-memory-leak-on-lpfc_bsg_write_ebuf_set.patch [new file with mode: 0644]
queue-5.4/scsi-qla2xxx-configure-local-loop-for-n2n-target.patch [new file with mode: 0644]
queue-5.4/scsi-qla2xxx-don-t-call-qlt_async_event-twice.patch [new file with mode: 0644]
queue-5.4/scsi-qla2xxx-don-t-defer-relogin-unconditonally.patch [new file with mode: 0644]
queue-5.4/scsi-qla2xxx-drop-superfluous-init_work-of-del_work.patch [new file with mode: 0644]
queue-5.4/scsi-qla2xxx-fix-plogi-payload-and-els-iocb-dump-len.patch [new file with mode: 0644]
queue-5.4/scsi-qla2xxx-ignore-port-update-after-n2n-plogi.patch [new file with mode: 0644]
queue-5.4/scsi-qla2xxx-send-notify-ack-after-n2n-plogi.patch [new file with mode: 0644]
queue-5.4/scsi-qla2xxx-use-explicit-logo-in-target-mode.patch [new file with mode: 0644]
queue-5.4/sctp-fix-err-handling-of-stream-initialization.patch [new file with mode: 0644]
queue-5.4/series [new file with mode: 0644]
queue-5.4/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dro.patch [new file with mode: 0644]
queue-5.4/staging-wlan-ng-add-crc32-dependency-in-kconfig.patch [new file with mode: 0644]
queue-5.4/taskstats-fix-data-race.patch [new file with mode: 0644]
queue-5.4/tcp-fix-data-race-in-tcp_recvmsg.patch [new file with mode: 0644]
queue-5.4/tomoyo-don-t-use-nifty-names-on-sockets.patch [new file with mode: 0644]
queue-5.4/usb-gadget-fix-wrong-endpoint-desc.patch [new file with mode: 0644]
queue-5.4/xen-balloon-fix-ballooned-page-accounting-without-ho.patch [new file with mode: 0644]
queue-5.4/xen-blkback-prevent-premature-module-unload.patch [new file with mode: 0644]
queue-5.4/xfs-fix-mount-failure-crash-on-invalid-iclog-memory-.patch [new file with mode: 0644]

diff --git a/queue-5.4/6pack-mkiss-fix-possible-deadlock.patch b/queue-5.4/6pack-mkiss-fix-possible-deadlock.patch
new file mode 100644 (file)
index 0000000..a162038
--- /dev/null
@@ -0,0 +1,184 @@
+From c5ef1d91ec9747606fddf9f084257902d9f21780 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Dec 2019 10:32:13 -0800
+Subject: 6pack,mkiss: fix possible deadlock
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 5c9934b6767b16ba60be22ec3cbd4379ad64170d ]
+
+We got another syzbot report [1] that tells us we must use
+write_lock_irq()/write_unlock_irq() to avoid possible deadlock.
+
+[1]
+
+WARNING: inconsistent lock state
+5.5.0-rc1-syzkaller #0 Not tainted
+--------------------------------
+inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-R} usage.
+syz-executor826/9605 [HC1[1]:SC0[0]:HE0:SE1] takes:
+ffffffff8a128718 (disc_data_lock){+-..}, at: sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138
+{HARDIRQ-ON-W} state was registered at:
+  lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
+  __raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
+  _raw_write_lock_bh+0x33/0x50 kernel/locking/spinlock.c:319
+  sixpack_close+0x1d/0x250 drivers/net/hamradio/6pack.c:657
+  tty_ldisc_close.isra.0+0x119/0x1a0 drivers/tty/tty_ldisc.c:489
+  tty_set_ldisc+0x230/0x6b0 drivers/tty/tty_ldisc.c:585
+  tiocsetd drivers/tty/tty_io.c:2337 [inline]
+  tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2597
+  vfs_ioctl fs/ioctl.c:47 [inline]
+  file_ioctl fs/ioctl.c:545 [inline]
+  do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
+  ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
+  __do_sys_ioctl fs/ioctl.c:756 [inline]
+  __se_sys_ioctl fs/ioctl.c:754 [inline]
+  __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
+  do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
+  entry_SYSCALL_64_after_hwframe+0x49/0xbe
+irq event stamp: 3946
+hardirqs last  enabled at (3945): [<ffffffff87c86e43>] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:168 [inline]
+hardirqs last  enabled at (3945): [<ffffffff87c86e43>] _raw_spin_unlock_irq+0x23/0x80 kernel/locking/spinlock.c:199
+hardirqs last disabled at (3946): [<ffffffff8100675f>] trace_hardirqs_off_thunk+0x1a/0x1c arch/x86/entry/thunk_64.S:42
+softirqs last  enabled at (2658): [<ffffffff86a8b4df>] spin_unlock_bh include/linux/spinlock.h:383 [inline]
+softirqs last  enabled at (2658): [<ffffffff86a8b4df>] clusterip_netdev_event+0x46f/0x670 net/ipv4/netfilter/ipt_CLUSTERIP.c:222
+softirqs last disabled at (2656): [<ffffffff86a8b22b>] spin_lock_bh include/linux/spinlock.h:343 [inline]
+softirqs last disabled at (2656): [<ffffffff86a8b22b>] clusterip_netdev_event+0x1bb/0x670 net/ipv4/netfilter/ipt_CLUSTERIP.c:196
+
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+       CPU0
+       ----
+  lock(disc_data_lock);
+  <Interrupt>
+    lock(disc_data_lock);
+
+ *** DEADLOCK ***
+
+5 locks held by syz-executor826/9605:
+ #0: ffff8880a905e198 (&tty->legacy_mutex){+.+.}, at: tty_lock+0xc7/0x130 drivers/tty/tty_mutex.c:19
+ #1: ffffffff899a56c0 (rcu_read_lock){....}, at: mutex_spin_on_owner+0x0/0x330 kernel/locking/mutex.c:413
+ #2: ffff8880a496a2b0 (&(&i->lock)->rlock){-.-.}, at: spin_lock include/linux/spinlock.h:338 [inline]
+ #2: ffff8880a496a2b0 (&(&i->lock)->rlock){-.-.}, at: serial8250_interrupt+0x2d/0x1a0 drivers/tty/serial/8250/8250_core.c:116
+ #3: ffffffff8c104048 (&port_lock_key){-.-.}, at: serial8250_handle_irq.part.0+0x24/0x330 drivers/tty/serial/8250/8250_port.c:1823
+ #4: ffff8880a905e090 (&tty->ldisc_sem){++++}, at: tty_ldisc_ref+0x22/0x90 drivers/tty/tty_ldisc.c:288
+
+stack backtrace:
+CPU: 1 PID: 9605 Comm: syz-executor826 Not tainted 5.5.0-rc1-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x197/0x210 lib/dump_stack.c:118
+ print_usage_bug.cold+0x327/0x378 kernel/locking/lockdep.c:3101
+ valid_state kernel/locking/lockdep.c:3112 [inline]
+ mark_lock_irq kernel/locking/lockdep.c:3309 [inline]
+ mark_lock+0xbb4/0x1220 kernel/locking/lockdep.c:3666
+ mark_usage kernel/locking/lockdep.c:3554 [inline]
+ __lock_acquire+0x1e55/0x4a00 kernel/locking/lockdep.c:3909
+ lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
+ __raw_read_lock include/linux/rwlock_api_smp.h:149 [inline]
+ _raw_read_lock+0x32/0x50 kernel/locking/spinlock.c:223
+ sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138
+ sixpack_write_wakeup+0x25/0x340 drivers/net/hamradio/6pack.c:402
+ tty_wakeup+0xe9/0x120 drivers/tty/tty_io.c:536
+ tty_port_default_wakeup+0x2b/0x40 drivers/tty/tty_port.c:50
+ tty_port_tty_wakeup+0x57/0x70 drivers/tty/tty_port.c:387
+ uart_write_wakeup+0x46/0x70 drivers/tty/serial/serial_core.c:104
+ serial8250_tx_chars+0x495/0xaf0 drivers/tty/serial/8250/8250_port.c:1761
+ serial8250_handle_irq.part.0+0x2a2/0x330 drivers/tty/serial/8250/8250_port.c:1834
+ serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1820 [inline]
+ serial8250_default_handle_irq+0xc0/0x150 drivers/tty/serial/8250/8250_port.c:1850
+ serial8250_interrupt+0xf1/0x1a0 drivers/tty/serial/8250/8250_core.c:126
+ __handle_irq_event_percpu+0x15d/0x970 kernel/irq/handle.c:149
+ handle_irq_event_percpu+0x74/0x160 kernel/irq/handle.c:189
+ handle_irq_event+0xa7/0x134 kernel/irq/handle.c:206
+ handle_edge_irq+0x25e/0x8d0 kernel/irq/chip.c:830
+ generic_handle_irq_desc include/linux/irqdesc.h:156 [inline]
+ do_IRQ+0xde/0x280 arch/x86/kernel/irq.c:250
+ common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:607
+ </IRQ>
+RIP: 0010:cpu_relax arch/x86/include/asm/processor.h:685 [inline]
+RIP: 0010:mutex_spin_on_owner+0x247/0x330 kernel/locking/mutex.c:579
+Code: c3 be 08 00 00 00 4c 89 e7 e8 e5 06 59 00 4c 89 e0 48 c1 e8 03 42 80 3c 38 00 0f 85 e1 00 00 00 49 8b 04 24 a8 01 75 96 f3 90 <e9> 2f fe ff ff 0f 0b e8 0d 19 09 00 84 c0 0f 85 ff fd ff ff 48 c7
+RSP: 0018:ffffc90001eafa20 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffd7
+RAX: 0000000000000000 RBX: ffff88809fd9e0c0 RCX: 1ffffffff13266dd
+RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000000
+RBP: ffffc90001eafa60 R08: 1ffff11013d22898 R09: ffffed1013d22899
+R10: ffffed1013d22898 R11: ffff88809e9144c7 R12: ffff8880a905e138
+R13: ffff88809e9144c0 R14: 0000000000000000 R15: dffffc0000000000
+ mutex_optimistic_spin kernel/locking/mutex.c:673 [inline]
+ __mutex_lock_common kernel/locking/mutex.c:962 [inline]
+ __mutex_lock+0x32b/0x13c0 kernel/locking/mutex.c:1106
+ mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1121
+ tty_lock+0xc7/0x130 drivers/tty/tty_mutex.c:19
+ tty_release+0xb5/0xe90 drivers/tty/tty_io.c:1665
+ __fput+0x2ff/0x890 fs/file_table.c:280
+ ____fput+0x16/0x20 fs/file_table.c:313
+ task_work_run+0x145/0x1c0 kernel/task_work.c:113
+ exit_task_work include/linux/task_work.h:22 [inline]
+ do_exit+0x8e7/0x2ef0 kernel/exit.c:797
+ do_group_exit+0x135/0x360 kernel/exit.c:895
+ __do_sys_exit_group kernel/exit.c:906 [inline]
+ __se_sys_exit_group kernel/exit.c:904 [inline]
+ __x64_sys_exit_group+0x44/0x50 kernel/exit.c:904
+ do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x43fef8
+Code: Bad RIP value.
+RSP: 002b:00007ffdb07d2338 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043fef8
+RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
+RBP: 00000000004bf730 R08: 00000000000000e7 R09: ffffffffffffffd0
+R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
+R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
+
+Fixes: 6e4e2f811bad ("6pack,mkiss: fix lock inconsistency")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/hamradio/6pack.c | 4 ++--
+ drivers/net/hamradio/mkiss.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c
+index 23281aeeb222..71d6629e65c9 100644
+--- a/drivers/net/hamradio/6pack.c
++++ b/drivers/net/hamradio/6pack.c
+@@ -654,10 +654,10 @@ static void sixpack_close(struct tty_struct *tty)
+ {
+       struct sixpack *sp;
+-      write_lock_bh(&disc_data_lock);
++      write_lock_irq(&disc_data_lock);
+       sp = tty->disc_data;
+       tty->disc_data = NULL;
+-      write_unlock_bh(&disc_data_lock);
++      write_unlock_irq(&disc_data_lock);
+       if (!sp)
+               return;
+diff --git a/drivers/net/hamradio/mkiss.c b/drivers/net/hamradio/mkiss.c
+index c5bfa19ddb93..deef14215110 100644
+--- a/drivers/net/hamradio/mkiss.c
++++ b/drivers/net/hamradio/mkiss.c
+@@ -773,10 +773,10 @@ static void mkiss_close(struct tty_struct *tty)
+ {
+       struct mkiss *ax;
+-      write_lock_bh(&disc_data_lock);
++      write_lock_irq(&disc_data_lock);
+       ax = tty->disc_data;
+       tty->disc_data = NULL;
+-      write_unlock_bh(&disc_data_lock);
++      write_unlock_irq(&disc_data_lock);
+       if (!ax)
+               return;
+-- 
+2.20.1
+
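Review bot: Neither sixpack_close() nor mkiss_close() says in the code why the writer side of disc_data_lock needs the `_irq` variant; the reason is only in the lockdep trace, where the read side is reached from the serial interrupt through the tty write_wakeup path. A comment above each `write_lock_irq(&disc_data_lock);` would help, for example `/* readers take this lock from hardirq (tty write_wakeup), so block IRQs, not only BHs */`. Note also that `write_unlock_irq()` re-enables interrupts unconditionally, so this is correct only while both close handlers are entered with interrupts enabled. The trace shows process context via tty_set_ldisc, but if that cannot be guaranteed for every caller the irqsave/irqrestore pair is the safer form. Both function bodies continue outside the hunks.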
diff --git a/queue-5.4/afs-fix-afs_find_server-lookups-for-ipv4-peers.patch b/queue-5.4/afs-fix-afs_find_server-lookups-for-ipv4-peers.patch
new file mode 100644 (file)
index 0000000..5acfb3d
--- /dev/null
@@ -0,0 +1,95 @@
+From f5f3421bca51084c7ae0ab0cba9761caa3769712 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2019 15:04:43 +0000
+Subject: afs: Fix afs_find_server lookups for ipv4 peers
+
+From: Marc Dionne <marc.dionne@auristor.com>
+
+[ Upstream commit 9bd0160d12370a076e44f8d1320cde9c83f2c647 ]
+
+afs_find_server tries to find a server that has an address that
+matches the transport address of an rxrpc peer.  The code assumes
+that the transport address is always ipv6, with ipv4 represented
+as ipv4 mapped addresses, but that's not the case.  If the transport
+family is AF_INET, srx->transport.sin6.sin6_addr.s6_addr32[] will
+be beyond the actual ipv4 address and will always be 0, and all
+ipv4 addresses will be seen as matching.
+
+As a result, the first ipv4 address seen on any server will be
+considered a match, and the server returned may be the wrong one.
+
+One of the consequences is that callbacks received over ipv4 will
+only be correctly applied for the server that happens to have the
+first ipv4 address on the fs_addresses4 list.  Callbacks over ipv4
+from all other servers are dropped, causing the client to serve stale
+data.
+
+This is fixed by looking at the transport family, and comparing ipv4
+addresses based on a sockaddr_in structure rather than a sockaddr_in6.
+
+Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation")
+Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/server.c | 21 ++++++++-------------
+ 1 file changed, 8 insertions(+), 13 deletions(-)
+
+diff --git a/fs/afs/server.c b/fs/afs/server.c
+index 64d440aaabc0..ca8115ba1724 100644
+--- a/fs/afs/server.c
++++ b/fs/afs/server.c
+@@ -32,18 +32,11 @@ static void afs_dec_servers_outstanding(struct afs_net *net)
+ struct afs_server *afs_find_server(struct afs_net *net,
+                                  const struct sockaddr_rxrpc *srx)
+ {
+-      const struct sockaddr_in6 *a = &srx->transport.sin6, *b;
+       const struct afs_addr_list *alist;
+       struct afs_server *server = NULL;
+       unsigned int i;
+-      bool ipv6 = true;
+       int seq = 0, diff;
+-      if (srx->transport.sin6.sin6_addr.s6_addr32[0] == 0 ||
+-          srx->transport.sin6.sin6_addr.s6_addr32[1] == 0 ||
+-          srx->transport.sin6.sin6_addr.s6_addr32[2] == htonl(0xffff))
+-              ipv6 = false;
+-
+       rcu_read_lock();
+       do {
+@@ -52,7 +45,8 @@ struct afs_server *afs_find_server(struct afs_net *net,
+               server = NULL;
+               read_seqbegin_or_lock(&net->fs_addr_lock, &seq);
+-              if (ipv6) {
++              if (srx->transport.family == AF_INET6) {
++                      const struct sockaddr_in6 *a = &srx->transport.sin6, *b;
+                       hlist_for_each_entry_rcu(server, &net->fs_addresses6, addr6_link) {
+                               alist = rcu_dereference(server->addresses);
+                               for (i = alist->nr_ipv4; i < alist->nr_addrs; i++) {
+@@ -68,15 +62,16 @@ struct afs_server *afs_find_server(struct afs_net *net,
+                               }
+                       }
+               } else {
++                      const struct sockaddr_in *a = &srx->transport.sin, *b;
+                       hlist_for_each_entry_rcu(server, &net->fs_addresses4, addr4_link) {
+                               alist = rcu_dereference(server->addresses);
+                               for (i = 0; i < alist->nr_ipv4; i++) {
+-                                      b = &alist->addrs[i].transport.sin6;
+-                                      diff = ((u16 __force)a->sin6_port -
+-                                              (u16 __force)b->sin6_port);
++                                      b = &alist->addrs[i].transport.sin;
++                                      diff = ((u16 __force)a->sin_port -
++                                              (u16 __force)b->sin_port);
+                                       if (diff == 0)
+-                                              diff = ((u32 __force)a->sin6_addr.s6_addr32[3] -
+-                                                      (u32 __force)b->sin6_addr.s6_addr32[3]);
++                                              diff = ((u32 __force)a->sin_addr.s_addr -
++                                                      (u32 __force)b->sin_addr.s_addr);
+                                       if (diff == 0)
+                                               goto found;
+                               }
+-- 
+2.20.1
+
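Review bot: The rewritten `else` branch in afs_find_server() treats every transport family other than AF_INET6 as IPv4, so an address of any other family would be read through `srx->transport.sin`, the same kind of misinterpretation this patch removes for the IPv6 case. If rxrpc can only hand over AF_INET or AF_INET6 peers this is harmless, but nothing in the hunk shows that. Making the branch explicit, `} else if (srx->transport.family == AF_INET) {`, would presumably leave `server` NULL for an unexpected family instead of matching on unrelated bytes. The end of the retry loop and the `found:` label are outside the shown hunks.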
diff --git a/queue-5.4/afs-fix-creation-calls-in-the-dynamic-root-to-fail-w.patch b/queue-5.4/afs-fix-creation-calls-in-the-dynamic-root-to-fail-w.patch
new file mode 100644 (file)
index 0000000..4e33752
--- /dev/null
@@ -0,0 +1,41 @@
+From 027f1e83e3e34d4d805d18e6b83904ee2fdd5bfd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2019 08:56:04 +0000
+Subject: afs: Fix creation calls in the dynamic root to fail with EOPNOTSUPP
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 1da4bd9f9d187f53618890d7b66b9628bbec3c70 ]
+
+Fix the lookup method on the dynamic root directory such that creation
+calls, such as mkdir, open(O_CREAT), symlink, etc. fail with EOPNOTSUPP
+rather than failing with some odd error (such as EEXIST).
+
+lookup() itself tries to create automount directories when it is invoked.
+These are cached locally in RAM and not committed to storage.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
+Tested-by: Jonathan Billings <jsbillings@jsbillings.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/dynroot.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c
+index 4150280509ff..7503899c0a1b 100644
+--- a/fs/afs/dynroot.c
++++ b/fs/afs/dynroot.c
+@@ -136,6 +136,9 @@ static struct dentry *afs_dynroot_lookup(struct inode *dir, struct dentry *dentr
+       ASSERTCMP(d_inode(dentry), ==, NULL);
++      if (flags & LOOKUP_CREATE)
++              return ERR_PTR(-EOPNOTSUPP);
++
+       if (dentry->d_name.len >= AFSNAMEMAX) {
+               _leave(" = -ENAMETOOLONG");
+               return ERR_PTR(-ENAMETOOLONG);
+-- 
+2.20.1
+
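Review bot: The new LOOKUP_CREATE early return in afs_dynroot_lookup() exits without the `_leave()` trace that the ENAMETOOLONG return directly below it emits, so this rejection path does not show up in AFS debug tracing. For consistency it could be written with braces as `_leave(" = -EOPNOTSUPP");` followed by `return ERR_PTR(-EOPNOTSUPP);`. A short comment such as `/* entries here are created by lookup itself; explicit creation is not supported */` would also record why the check exists. The function starts and ends outside the hunk.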
diff --git a/queue-5.4/afs-fix-mountpoint-parsing.patch b/queue-5.4/afs-fix-mountpoint-parsing.patch
new file mode 100644 (file)
index 0000000..61d3aa8
--- /dev/null
@@ -0,0 +1,65 @@
+From fdda4bfe34c1d2284972d3c1e6c2a4d3bfb89c4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2019 15:04:45 +0000
+Subject: afs: Fix mountpoint parsing
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 158d58335393af3956a9c06f0816ee75ed1f1447 ]
+
+Each AFS mountpoint has strings that define the target to be mounted.  This
+is required to end in a dot that is supposed to be stripped off.  The
+string can include suffixes of ".readonly" or ".backup" - which are
+supposed to come before the terminal dot.  To add to the confusion, the "fs
+lsmount" afs utility does not show the terminal dot when displaying the
+string.
+
+The kernel mount source string parser, however, assumes that the terminal
+dot marks the suffix and that the suffix is always "" and is thus ignored.
+In most cases, there is no suffix and this is not a problem - but if there
+is a suffix, it is lost and this affects the ability to mount the correct
+volume.
+
+The command line mount command, on the other hand, is expected not to
+include a terminal dot - so the problem doesn't arise there.
+
+Fix this by making sure that the dot exists and then stripping it when
+passing the string to the mount configuration.
+
+Fixes: bec5eb614130 ("AFS: Implement an autocell mount capability [ver #2]")
+Reported-by: Jonathan Billings <jsbillings@jsbillings.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
+Tested-by: Jonathan Billings <jsbillings@jsbillings.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/mntpt.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/afs/mntpt.c b/fs/afs/mntpt.c
+index f532d6d3bd28..79bc5f1338ed 100644
+--- a/fs/afs/mntpt.c
++++ b/fs/afs/mntpt.c
+@@ -126,7 +126,7 @@ static int afs_mntpt_set_params(struct fs_context *fc, struct dentry *mntpt)
+               if (src_as->cell)
+                       ctx->cell = afs_get_cell(src_as->cell);
+-              if (size > PAGE_SIZE - 1)
++              if (size < 2 || size > PAGE_SIZE - 1)
+                       return -EINVAL;
+               page = read_mapping_page(d_inode(mntpt)->i_mapping, 0, NULL);
+@@ -140,7 +140,9 @@ static int afs_mntpt_set_params(struct fs_context *fc, struct dentry *mntpt)
+               }
+               buf = kmap(page);
+-              ret = vfs_parse_fs_string(fc, "source", buf, size);
++              ret = -EINVAL;
++              if (buf[size - 1] == '.')
++                      ret = vfs_parse_fs_string(fc, "source", buf, size - 1);
+               kunmap(page);
+               put_page(page);
+               if (ret < 0)
+-- 
+2.20.1
+
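Review bot: The `size < 2` bound in afs_mntpt_set_params() is undocumented, yet it both enforces the mountpoint format and keeps the later `buf[size - 1]` index in range. Those two lines sit in separate hunks, so a later edit to one can easily miss the other. A comment above the size check would tie them together, for example `/* need at least one character plus the mandatory terminal '.'; also guards buf[size - 1] below */`. A target without the terminal dot now fails with the same bare -EINVAL as the size rejection, so the two cases cannot be told apart from the return value alone. The declaration of `size` and the rest of the function are outside the hunks.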
diff --git a/queue-5.4/afs-fix-selinux-setting-security-label-on-afs.patch b/queue-5.4/afs-fix-selinux-setting-security-label-on-afs.patch
new file mode 100644 (file)
index 0000000..eec11d3
--- /dev/null
@@ -0,0 +1,42 @@
+From e34439c64b0aa19cd3526fda1ba3366299f92d32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2019 15:04:45 +0000
+Subject: afs: Fix SELinux setting security label on /afs
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit bcbccaf2edcf1b76f73f890e968babef446151a4 ]
+
+Make the AFS dynamic root superblock R/W so that SELinux can set the
+security label on it.  Without this, upgrades to, say, the Fedora
+filesystem-afs RPM fail if afs is mounted on it because the SELinux label
+can't be (re-)applied.
+
+It might be better to make it possible to bypass the R/O check for LSM
+label application through setxattr.
+
+Fixes: 4d673da14533 ("afs: Support the AFS dynamic root")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
+cc: selinux@vger.kernel.org
+cc: linux-security-module@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/super.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/afs/super.c b/fs/afs/super.c
+index 488641b1a418..d9a6036b70b9 100644
+--- a/fs/afs/super.c
++++ b/fs/afs/super.c
+@@ -448,7 +448,6 @@ static int afs_fill_super(struct super_block *sb, struct afs_fs_context *ctx)
+       /* allocate the root inode and dentry */
+       if (as->dyn_root) {
+               inode = afs_iget_pseudo_dir(sb, true);
+-              sb->s_flags     |= SB_RDONLY;
+       } else {
+               sprintf(sb->s_id, "%llu", as->volume->vid);
+               afs_activate_volume(as->volume);
+-- 
+2.20.1
+
diff --git a/queue-5.4/alsa-hda-allow-hda-to-be-runtime-suspended-when-dgpu.patch b/queue-5.4/alsa-hda-allow-hda-to-be-runtime-suspended-when-dgpu.patch
new file mode 100644 (file)
index 0000000..3f5b51b
--- /dev/null
@@ -0,0 +1,66 @@
+From f5a58a678524e042bbd48c372a4d0f20e189ff09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Oct 2019 15:38:48 +0800
+Subject: ALSA: hda: Allow HDA to be runtime suspended when dGPU is not bound
+ to a driver
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+[ Upstream commit bacd861452d2be86a4df341b12e32db7dac8021e ]
+
+Nvidia proprietary driver doesn't support runtime power management, so
+when a user only wants to use the integrated GPU, it's a common practice
+to let dGPU not to bind any driver, and let its upstream port to be
+runtime suspended. At the end of runtime suspension the port uses
+platform power management to disable power through _OFF method of power
+resource, which is listed by _PR3.
+
+After commit b516ea586d71 ("PCI: Enable NVIDIA HDA controllers"), when
+the dGPU comes with an HDA function, the HDA won't be suspended if the
+dGPU is unbound, so the power resource can't be turned off by its
+upstream port driver.
+
+Commit 37a3a98ef601 ("ALSA: hda - Enable runtime PM only for
+discrete GPU") only allows HDA to be runtime suspended once GPU is
+bound, to keep APU's HDA working.
+
+However, HDA on dGPU isn't that useful if dGPU is not bound to any
+driver.  So let's relax the runtime suspend requirement for dGPU's HDA
+function, to disable the power source to save lots of power.
+
+BugLink: https://bugs.launchpad.net/bugs/1840835
+Fixes: b516ea586d71 ("PCI: Enable NVIDIA HDA controllers")
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Link: https://lore.kernel.org/r/20191018073848.14590-2-kai.heng.feng@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/hda_intel.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index 86a416cdeb29..4e757aa9d322 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -1280,11 +1280,17 @@ static void init_vga_switcheroo(struct azx *chip)
+ {
+       struct hda_intel *hda = container_of(chip, struct hda_intel, chip);
+       struct pci_dev *p = get_bound_vga(chip->pci);
++      struct pci_dev *parent;
+       if (p) {
+               dev_info(chip->card->dev,
+                        "Handle vga_switcheroo audio client\n");
+               hda->use_vga_switcheroo = 1;
+-              chip->bus.keep_power = 1; /* cleared in either gpu_bound op or codec probe */
++
++              /* cleared in either gpu_bound op or codec probe, or when its
++               * upstream port has _PR3 (i.e. dGPU).
++               */
++              parent = pci_upstream_bridge(p);
++              chip->bus.keep_power = parent ? !pci_pr3_present(parent) : 1;
+               chip->driver_caps |= AZX_DCAPS_PM_RUNTIME;
+               pci_dev_put(p);
+       }
+-- 
+2.20.1
+
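Review bot: `pci_pr3_present()` is called in init_vga_switcheroo() but is not defined in this patch. In this queue it appears to come from pci-add-a-helper-to-check-power-resource-requirement.patch and its pci-fix-missing-inline-for-pci_pr3_present.patch follow-up. The series file is not shown here, so it should be checked that both are ordered ahead of this patch, otherwise the 5.4 build would break at this point. As a smaller style point, `parent` is only used inside `if (p)` and could be declared there as `struct pci_dev *parent = pci_upstream_bridge(p);`. The end of the function is outside the hunk.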
diff --git a/queue-5.4/alsa-hda-downgrade-error-message-for-single-cmd-fall.patch b/queue-5.4/alsa-hda-downgrade-error-message-for-single-cmd-fall.patch
new file mode 100644 (file)
index 0000000..9b0c103
--- /dev/null
@@ -0,0 +1,42 @@
+From 46fcbdec3a81d7e919d1f14369b6b4666a3cf781 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Dec 2019 16:12:24 +0100
+Subject: ALSA: hda - Downgrade error message for single-cmd fallback
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 475feec0c41ad71cb7d02f0310e56256606b57c5 ]
+
+We made the error message for the CORB/RIRB communication clearer by
+upgrading to dev_WARN() so that user can notice better.  But this
+struck us like a boomerang: now it caught syzbot and reported back as
+a fatal issue although it's not really any too serious bug that worth
+for stopping the whole system.
+
+OK, OK, let's be softy, downgrade it to the standard dev_err() again.
+
+Fixes: dd65f7e19c69 ("ALSA: hda - Show the fatal CORB/RIRB error more clearly")
+Reported-by: syzbot+b3028ac3933f5c466389@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20191216151224.30013-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/hda_controller.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/hda_controller.c b/sound/pci/hda/hda_controller.c
+index 6387c7e90918..76b507058cb4 100644
+--- a/sound/pci/hda/hda_controller.c
++++ b/sound/pci/hda/hda_controller.c
+@@ -884,7 +884,7 @@ static int azx_rirb_get_response(struct hdac_bus *bus, unsigned int addr,
+               return -EAGAIN; /* give a chance to retry */
+       }
+-      dev_WARN(chip->card->dev,
++      dev_err(chip->card->dev,
+               "azx_get_response timeout, switching to single_cmd mode: last cmd=0x%08x\n",
+               bus->last_cmd[addr]);
+       chip->single_cmd = 1;
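Review bot: The `dev_err()` call in this hunk carries no comment saying why it must not be a WARN, so a later cleanup that wants the message to be louder could undo the downgrade. A codec response timeout is a device-side condition, and per the commit message syzbot treated the WARN as fatal; on hosts that set `panic_on_warn` it would halt the machine. I would add above the call: `/* dev_err(), not dev_WARN(): a codec timeout must not trip panic_on_warn */`. azx_rirb_get_response() starts and ends outside the hunk.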
+-- 
+2.20.1
+
diff --git a/queue-5.4/alsa-hda-fixup-for-the-bass-speaker-on-lenovo-carbon.patch b/queue-5.4/alsa-hda-fixup-for-the-bass-speaker-on-lenovo-carbon.patch
new file mode 100644 (file)
index 0000000..6fb79b9
--- /dev/null
@@ -0,0 +1,82 @@
+From 76d5b940fc543ee0e49d01a25051855aa818bdde Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Nov 2019 15:40:27 +0100
+Subject: ALSA: hda - fixup for the bass speaker on Lenovo Carbon X1 7th gen
+
+From: Jaroslav Kysela <perex@perex.cz>
+
+[ Upstream commit d2cd795c4ece1a24fda170c35eeb4f17d9826cbb ]
+
+The auto-parser assigns the bass speaker to DAC3 (NID 0x06) which
+is without the volume control. I do not see a reason to use DAC2,
+because the shared output to all speakers produces the sufficient
+and well balanced sound. The stereo support is enough for this
+purpose (laptop).
+
+Signed-off-by: Jaroslav Kysela <perex@perex.cz>
+Link: https://lore.kernel.org/r/20191129144027.14765-1-perex@perex.cz
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index e849cf681e23..62a471b5fc87 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5547,6 +5547,16 @@ static void alc295_fixup_disable_dac3(struct hda_codec *codec,
+       }
+ }
++/* force NID 0x17 (Bass Speaker) to DAC1 to share it with the main speaker */
++static void alc285_fixup_speaker2_to_dac1(struct hda_codec *codec,
++                                        const struct hda_fixup *fix, int action)
++{
++      if (action == HDA_FIXUP_ACT_PRE_PROBE) {
++              hda_nid_t conn[1] = { 0x02 };
++              snd_hda_override_conn_list(codec, 0x17, 1, conn);
++      }
++}
++
+ /* Hook to update amp GPIO4 for automute */
+ static void alc280_hp_gpio4_automute_hook(struct hda_codec *codec,
+                                         struct hda_jack_callback *jack)
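Review bot: In `alc285_fixup_speaker2_to_dac1` the connection list is a writable stack array whose length is repeated as the literal `1` in the call, so the two can drift apart when the list is edited. Declaring it `static const hda_nid_t conn[] = { 0x02 };` and passing `ARRAY_SIZE(conn)` to `snd_hda_override_conn_list()` keeps them tied together and moves the table out of the stack frame. A blank line between the declaration and the call would also match the kernel's usual layout.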
+@@ -5849,6 +5859,7 @@ enum {
+       ALC225_FIXUP_DISABLE_MIC_VREF,
+       ALC225_FIXUP_DELL1_MIC_NO_PRESENCE,
+       ALC295_FIXUP_DISABLE_DAC3,
++      ALC285_FIXUP_SPEAKER2_TO_DAC1,
+       ALC280_FIXUP_HP_HEADSET_MIC,
+       ALC221_FIXUP_HP_FRONT_MIC,
+       ALC292_FIXUP_TPT460,
+@@ -6652,6 +6663,10 @@ static const struct hda_fixup alc269_fixups[] = {
+               .type = HDA_FIXUP_FUNC,
+               .v.func = alc295_fixup_disable_dac3,
+       },
++      [ALC285_FIXUP_SPEAKER2_TO_DAC1] = {
++              .type = HDA_FIXUP_FUNC,
++              .v.func = alc285_fixup_speaker2_to_dac1,
++      },
+       [ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER] = {
+               .type = HDA_FIXUP_PINS,
+               .v.pins = (const struct hda_pintbl[]) {
+@@ -7241,6 +7256,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+       SND_PCI_QUIRK(0x17aa, 0x224c, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
+       SND_PCI_QUIRK(0x17aa, 0x224d, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
+       SND_PCI_QUIRK(0x17aa, 0x225d, "Thinkpad T480", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
++      SND_PCI_QUIRK(0x17aa, 0x2293, "Thinkpad X1 Carbon 7th", ALC285_FIXUP_SPEAKER2_TO_DAC1),
+       SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
+       SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
+       SND_PCI_QUIRK(0x17aa, 0x310c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
+@@ -7425,6 +7441,7 @@ static const struct hda_model_fixup alc269_fixup_models[] = {
+       {.id = ALC255_FIXUP_DELL_SPK_NOISE, .name = "dell-spk-noise"},
+       {.id = ALC225_FIXUP_DELL1_MIC_NO_PRESENCE, .name = "alc225-dell1"},
+       {.id = ALC295_FIXUP_DISABLE_DAC3, .name = "alc295-disable-dac3"},
++      {.id = ALC285_FIXUP_SPEAKER2_TO_DAC1, .name = "alc285-speaker2-to-dac1"},
+       {.id = ALC280_FIXUP_HP_HEADSET_MIC, .name = "alc280-hp-headset"},
+       {.id = ALC221_FIXUP_HP_FRONT_MIC, .name = "alc221-hp-mic"},
+       {.id = ALC298_FIXUP_SPK_VOLUME, .name = "alc298-spk-volume"},
+-- 
+2.20.1
+
diff --git a/queue-5.4/alsa-hda-realtek-add-bass-speaker-and-fixed-dac-for-.patch b/queue-5.4/alsa-hda-realtek-add-bass-speaker-and-fixed-dac-for-.patch
new file mode 100644 (file)
index 0000000..18fb125
--- /dev/null
@@ -0,0 +1,68 @@
+From 6a1114718441eb10dd9c449bb88c3381a76f4d17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Dec 2019 14:12:15 +0800
+Subject: ALSA: hda/realtek - Add Bass Speaker and fixed dac for bass speaker
+
+From: Kailang Yang <kailang@realtek.com>
+
+[ Upstream commit e79c22695abd3b75a6aecf4ea4b9607e8d82c49c ]
+
+Dell has new platform which has dual speaker connecting.
+They want dual speaker which use same dac for output.
+
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/229c7efa2b474a16b7d8a916cd096b68@realtek.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index e1229dbad6b2..dfcd0e611068 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5896,6 +5896,8 @@ enum {
+       ALC294_FIXUP_ASUS_INTSPK_HEADSET_MIC,
+       ALC256_FIXUP_MEDION_HEADSET_NO_PRESENCE,
+       ALC294_FIXUP_ASUS_INTSPK_GPIO,
++      ALC289_FIXUP_DELL_SPK2,
++      ALC289_FIXUP_DUAL_SPK,
+ };
+ static const struct hda_fixup alc269_fixups[] = {
+@@ -6993,6 +6995,21 @@ static const struct hda_fixup alc269_fixups[] = {
+               .chained = true,
+               .chain_id = ALC294_FIXUP_ASUS_INTSPK_HEADSET_MIC
+       },
++      [ALC289_FIXUP_DELL_SPK2] = {
++              .type = HDA_FIXUP_PINS,
++              .v.pins = (const struct hda_pintbl[]) {
++                      { 0x17, 0x90170130 }, /* bass spk */
++                      { }
++              },
++              .chained = true,
++              .chain_id = ALC269_FIXUP_DELL4_MIC_NO_PRESENCE
++      },
++      [ALC289_FIXUP_DUAL_SPK] = {
++              .type = HDA_FIXUP_FUNC,
++              .v.func = alc285_fixup_speaker2_to_dac1,
++              .chained = true,
++              .chain_id = ALC289_FIXUP_DELL_SPK2
++      },
+ };
+ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
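Review bot: `ALC289_FIXUP_DUAL_SPK` points `.v.func` at `alc285_fixup_speaker2_to_dac1`, which this patch does not define; in this queue the function is added by alsa-hda-fixup-for-the-bass-speaker-on-lenovo-carbon.patch. Going by the `index` lines (this patch produces dfcd0e611068, the ASUS UX431FLC patch takes that to e849cf681e23, and the Lenovo patch starts from e849cf681e23), the Lenovo patch applies last. That would leave patch_realtek.c referencing an undeclared function at the two intermediate steps. If that order is real, the Lenovo patch should be moved ahead of this one in the series so that every step builds and bisects cleanly.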
+@@ -7065,6 +7082,8 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+       SND_PCI_QUIRK(0x1028, 0x08ad, "Dell WYSE AIO", ALC225_FIXUP_DELL_WYSE_AIO_MIC_NO_PRESENCE),
+       SND_PCI_QUIRK(0x1028, 0x08ae, "Dell WYSE NB", ALC225_FIXUP_DELL1_MIC_NO_PRESENCE),
+       SND_PCI_QUIRK(0x1028, 0x0935, "Dell", ALC274_FIXUP_DELL_AIO_LINEOUT_VERB),
++      SND_PCI_QUIRK(0x1028, 0x097e, "Dell Precision", ALC289_FIXUP_DUAL_SPK),
++      SND_PCI_QUIRK(0x1028, 0x097d, "Dell Precision", ALC289_FIXUP_DUAL_SPK),
+       SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
+       SND_PCI_QUIRK(0x1028, 0x164b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
+       SND_PCI_QUIRK(0x103c, 0x1586, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC2),
+-- 
+2.20.1
+
diff --git a/queue-5.4/alsa-hda-realtek-enable-the-bass-speaker-of-asus-ux4.patch b/queue-5.4/alsa-hda-realtek-enable-the-bass-speaker-of-asus-ux4.patch
new file mode 100644 (file)
index 0000000..5adb726
--- /dev/null
@@ -0,0 +1,110 @@
+From 6b91eff7123bb5c616205d2a776103ccf2d80ec9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Dec 2019 11:11:18 +0800
+Subject: ALSA: hda/realtek - Enable the bass speaker of ASUS UX431FLC
+
+From: Chris Chiu <chiu@endlessm.com>
+
+[ Upstream commit 48e01504cf5315cbe6de9b7412e792bfcc3dd9e1 ]
+
+ASUS reported that there's an bass speaker in addition to internal
+speaker and it uses DAC 0x02. It was not enabled in the commit
+436e25505f34 ("ALSA: hda/realtek - Enable internal speaker of ASUS
+UX431FLC") which only enables the amplifier and the front speaker.
+This commit enables the bass speaker on top of the aforementioned
+work to improve the acoustic experience.
+
+Fixes: 436e25505f34 ("ALSA: hda/realtek - Enable internal speaker of ASUS UX431FLC")
+Signed-off-by: Chris Chiu <chiu@endlessm.com>
+Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191230031118.95076-1-chiu@endlessm.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 38 +++++++++++++++++------------------
+ 1 file changed, 18 insertions(+), 20 deletions(-)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index dfcd0e611068..e849cf681e23 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5893,11 +5893,12 @@ enum {
+       ALC256_FIXUP_ASUS_HEADSET_MIC,
+       ALC256_FIXUP_ASUS_MIC_NO_PRESENCE,
+       ALC299_FIXUP_PREDATOR_SPK,
+-      ALC294_FIXUP_ASUS_INTSPK_HEADSET_MIC,
+       ALC256_FIXUP_MEDION_HEADSET_NO_PRESENCE,
+-      ALC294_FIXUP_ASUS_INTSPK_GPIO,
+       ALC289_FIXUP_DELL_SPK2,
+       ALC289_FIXUP_DUAL_SPK,
++      ALC294_FIXUP_SPK2_TO_DAC1,
++      ALC294_FIXUP_ASUS_DUAL_SPK,
++
+ };
+ static const struct hda_fixup alc269_fixups[] = {
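Review bot: The new enum entries `ALC294_FIXUP_SPK2_TO_DAC1` and `ALC294_FIXUP_ASUS_DUAL_SPK` are followed by an added empty line directly before the closing `};`, and the hunk at -7010 adds the same stray blank line at the end of `alc269_fixups[]`. Both blank `+` lines should be dropped. They are only noise now, but they invite context conflicts for every later patch that appends to these two lists.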
+@@ -6968,16 +6969,6 @@ static const struct hda_fixup alc269_fixups[] = {
+                       { }
+               }
+       },
+-      [ALC294_FIXUP_ASUS_INTSPK_HEADSET_MIC] = {
+-              .type = HDA_FIXUP_PINS,
+-              .v.pins = (const struct hda_pintbl[]) {
+-                      { 0x14, 0x411111f0 }, /* disable confusing internal speaker */
+-                      { 0x19, 0x04a11150 }, /* use as headset mic, without its own jack detect */
+-                      { }
+-              },
+-              .chained = true,
+-              .chain_id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC
+-      },
+       [ALC256_FIXUP_MEDION_HEADSET_NO_PRESENCE] = {
+               .type = HDA_FIXUP_PINS,
+               .v.pins = (const struct hda_pintbl[]) {
+@@ -6988,13 +6979,6 @@ static const struct hda_fixup alc269_fixups[] = {
+               .chained = true,
+               .chain_id = ALC256_FIXUP_ASUS_HEADSET_MODE
+       },
+-      [ALC294_FIXUP_ASUS_INTSPK_GPIO] = {
+-              .type = HDA_FIXUP_FUNC,
+-              /* The GPIO must be pulled to initialize the AMP */
+-              .v.func = alc_fixup_gpio4,
+-              .chained = true,
+-              .chain_id = ALC294_FIXUP_ASUS_INTSPK_HEADSET_MIC
+-      },
+       [ALC289_FIXUP_DELL_SPK2] = {
+               .type = HDA_FIXUP_PINS,
+               .v.pins = (const struct hda_pintbl[]) {
+@@ -7010,6 +6994,20 @@ static const struct hda_fixup alc269_fixups[] = {
+               .chained = true,
+               .chain_id = ALC289_FIXUP_DELL_SPK2
+       },
++      [ALC294_FIXUP_SPK2_TO_DAC1] = {
++              .type = HDA_FIXUP_FUNC,
++              .v.func = alc285_fixup_speaker2_to_dac1,
++              .chained = true,
++              .chain_id = ALC294_FIXUP_ASUS_HEADSET_MIC
++      },
++      [ALC294_FIXUP_ASUS_DUAL_SPK] = {
++              .type = HDA_FIXUP_FUNC,
++              /* The GPIO must be pulled to initialize the AMP */
++              .v.func = alc_fixup_gpio4,
++              .chained = true,
++              .chain_id = ALC294_FIXUP_SPK2_TO_DAC1
++      },
++
+ };
+ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+@@ -7171,7 +7169,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+       SND_PCI_QUIRK(0x1043, 0x1427, "Asus Zenbook UX31E", ALC269VB_FIXUP_ASUS_ZENBOOK),
+       SND_PCI_QUIRK(0x1043, 0x1517, "Asus Zenbook UX31A", ALC269VB_FIXUP_ASUS_ZENBOOK_UX31A),
+       SND_PCI_QUIRK(0x1043, 0x16e3, "ASUS UX50", ALC269_FIXUP_STEREO_DMIC),
+-      SND_PCI_QUIRK(0x1043, 0x17d1, "ASUS UX431FL", ALC294_FIXUP_ASUS_INTSPK_GPIO),
++      SND_PCI_QUIRK(0x1043, 0x17d1, "ASUS UX431FL", ALC294_FIXUP_ASUS_DUAL_SPK),
+       SND_PCI_QUIRK(0x1043, 0x18b1, "Asus MJ401TA", ALC256_FIXUP_ASUS_HEADSET_MIC),
+       SND_PCI_QUIRK(0x1043, 0x1a13, "Asus G73Jw", ALC269_FIXUP_ASUS_G73JW),
+       SND_PCI_QUIRK(0x1043, 0x1a30, "ASUS X705UD", ALC256_FIXUP_ASUS_MIC),
+-- 
+2.20.1
+
diff --git a/queue-5.4/block-add-bio_truncate-to-fix-guard_bio_eod.patch b/queue-5.4/block-add-bio_truncate-to-fix-guard_bio_eod.patch
new file mode 100644 (file)
index 0000000..547c08d
--- /dev/null
@@ -0,0 +1,152 @@
+From 77f9ee718e4ebb132f391efdd5be26601ea5f8c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Dec 2019 07:05:48 +0800
+Subject: block: add bio_truncate to fix guard_bio_eod
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit 85a8ce62c2eabe28b9d76ca4eecf37922402df93 ]
+
+Some filesystem, such as vfat, may send bio which crosses device boundary,
+and the worse thing is that the IO request starting within device boundaries
+can contain more than one segment past EOD.
+
+Commit dce30ca9e3b6 ("fs: fix guard_bio_eod to check for real EOD errors")
+tries to fix this issue by returning -EIO for this situation. However,
+this way lets fs user code lose chance to handle -EIO, then sync_inodes_sb()
+may hang for ever.
+
+Also the current truncating on last segment is dangerous by updating the
+last bvec, given bvec table becomes not immutable any more, and fs bio
+users may not retrieve the truncated pages via bio_for_each_segment_all() in
+its .end_io callback.
+
+Fixes this issue by supporting multi-segment truncating. And the
+approach is simpler:
+
+- just update bio size since block layer can make correct bvec with
+the updated bio size. Then bvec table becomes really immutable.
+
+- zero all truncated segments for read bio
+
+Cc: Carlos Maiolino <cmaiolino@redhat.com>
+Cc: linux-fsdevel@vger.kernel.org
+Fixed-by: dce30ca9e3b6 ("fs: fix guard_bio_eod to check for real EOD errors")
+Reported-by: syzbot+2b9e54155c8c25d8d165@syzkaller.appspotmail.com
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bio.c         | 39 +++++++++++++++++++++++++++++++++++++++
+ fs/buffer.c         | 25 +------------------------
+ include/linux/bio.h |  1 +
+ 3 files changed, 41 insertions(+), 24 deletions(-)
+
+diff --git a/block/bio.c b/block/bio.c
+index 43df756b68c4..c822ceb7c4de 100644
+--- a/block/bio.c
++++ b/block/bio.c
+@@ -535,6 +535,45 @@ void zero_fill_bio_iter(struct bio *bio, struct bvec_iter start)
+ }
+ EXPORT_SYMBOL(zero_fill_bio_iter);
++void bio_truncate(struct bio *bio, unsigned new_size)
++{
++      struct bio_vec bv;
++      struct bvec_iter iter;
++      unsigned int done = 0;
++      bool truncated = false;
++
++      if (new_size >= bio->bi_iter.bi_size)
++              return;
++
++      if (bio_data_dir(bio) != READ)
++              goto exit;
++
++      bio_for_each_segment(bv, bio, iter) {
++              if (done + bv.bv_len > new_size) {
++                      unsigned offset;
++
++                      if (!truncated)
++                              offset = new_size - done;
++                      else
++                              offset = 0;
++                      zero_user(bv.bv_page, offset, bv.bv_len - offset);
++                      truncated = true;
++              }
++              done += bv.bv_len;
++      }
++
++ exit:
++      /*
++       * Don't touch bvec table here and make it really immutable, since
++       * fs bio user has to retrieve all pages via bio_for_each_segment_all
++       * in its .end_bio() callback.
++       *
++       * It is enough to truncate bio by updating .bi_size since we can make
++       * correct bvec with the updated .bi_size for drivers.
++       */
++      bio->bi_iter.bi_size = new_size;
++}
++
+ /**
+  * bio_put - release a reference to a bio
+  * @bio:   bio to release reference to
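Review bot: The `zero_user()` call in the new `bio_truncate()` passes `offset` as a page offset although it was computed relative to the start of the segment, so `bv.bv_offset` is ignored. For a segment that does not begin at offset 0 of its page, the zeroed range is shifted towards the start of the page: bytes that should be kept are cleared, and the end of the truncated tail keeps whatever the page held before, which a read would then return to the caller. The code this commit removes from `guard_bio_eod()` did add `bv.bv_offset`. The line should read `zero_user(bv.bv_page, bv.bv_offset + offset, bv.bv_len - offset);`.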
+diff --git a/fs/buffer.c b/fs/buffer.c
+index 86a38b979323..7744488f7bde 100644
+--- a/fs/buffer.c
++++ b/fs/buffer.c
+@@ -2994,8 +2994,6 @@ static void end_bio_bh_io_sync(struct bio *bio)
+ void guard_bio_eod(int op, struct bio *bio)
+ {
+       sector_t maxsector;
+-      struct bio_vec *bvec = bio_last_bvec_all(bio);
+-      unsigned truncated_bytes;
+       struct hd_struct *part;
+       rcu_read_lock();
+@@ -3021,28 +3019,7 @@ void guard_bio_eod(int op, struct bio *bio)
+       if (likely((bio->bi_iter.bi_size >> 9) <= maxsector))
+               return;
+-      /* Uhhuh. We've got a bio that straddles the device size! */
+-      truncated_bytes = bio->bi_iter.bi_size - (maxsector << 9);
+-
+-      /*
+-       * The bio contains more than one segment which spans EOD, just return
+-       * and let IO layer turn it into an EIO
+-       */
+-      if (truncated_bytes > bvec->bv_len)
+-              return;
+-
+-      /* Truncate the bio.. */
+-      bio->bi_iter.bi_size -= truncated_bytes;
+-      bvec->bv_len -= truncated_bytes;
+-
+-      /* ..and clear the end of the buffer for reads */
+-      if (op == REQ_OP_READ) {
+-              struct bio_vec bv;
+-
+-              mp_bvec_last_segment(bvec, &bv);
+-              zero_user(bv.bv_page, bv.bv_offset + bv.bv_len,
+-                              truncated_bytes);
+-      }
++      bio_truncate(bio, maxsector << 9);
+ }
+ static int submit_bh_wbc(int op, int op_flags, struct buffer_head *bh,
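Review bot: After this hunk `guard_bio_eod()` no longer reads its `op` argument; whether the truncated tail is zeroed is decided inside `bio_truncate()` from `bio_data_dir(bio)`, that is, from the op already stored in the bio. The callers are outside the hunk, so it cannot be confirmed here that each of them sets the op on the bio before calling. If one does not, the direction test sees the bio's default op instead of the one the caller intends. I would check the call sites and document the requirement at the call: `/* the bio's op must already be set: bio_truncate() tests bio_data_dir(bio), not op */`.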
+diff --git a/include/linux/bio.h b/include/linux/bio.h
+index 3cdb84cdc488..853d92ceee64 100644
+--- a/include/linux/bio.h
++++ b/include/linux/bio.h
+@@ -470,6 +470,7 @@ extern struct bio *bio_copy_user_iov(struct request_queue *,
+                                    gfp_t);
+ extern int bio_uncopy_user(struct bio *);
+ void zero_fill_bio_iter(struct bio *bio, struct bvec_iter iter);
++void bio_truncate(struct bio *bio, unsigned new_size);
+ static inline void zero_fill_bio(struct bio *bio)
+ {
+-- 
+2.20.1
+
diff --git a/queue-5.4/drm-amd-display-change-the-delay-time-before-enablin.patch b/queue-5.4/drm-amd-display-change-the-delay-time-before-enablin.patch
new file mode 100644 (file)
index 0000000..6eea7d5
--- /dev/null
@@ -0,0 +1,52 @@
+From 6e83ba3ad217cf16d6d10315a67915fcbc9751d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Nov 2019 16:30:04 -0500
+Subject: drm/amd/display: Change the delay time before enabling FEC
+
+From: Leo (Hanghong) Ma <hanghong.ma@amd.com>
+
+[ Upstream commit 28fa24ad14e8f7d23c62283eaf9c79b4fd165c16 ]
+
+[why]
+DP spec requires 1000 symbols delay between the end of link training
+and enabling FEC in the stream. Currently we are using 1 miliseconds
+delay which is not accurate.
+
+[how]
+One lane RBR should have the maximum time for transmitting 1000 LL
+codes which is 6.173 us. So using 7 microseconds delay instead of
+1 miliseconds.
+
+Signed-off-by: Leo (Hanghong) Ma <hanghong.ma@amd.com>
+Reviewed-by: Harry Wentland <Harry.Wentland@amd.com>
+Reviewed-by: Nikola Cornij <Nikola.Cornij@amd.com>
+Acked-by: Leo Li <sunpeng.li@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c b/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c
+index 5a583707d198..0ab890c927ec 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c
+@@ -3492,7 +3492,14 @@ void dp_set_fec_enable(struct dc_link *link, bool enable)
+       if (link_enc->funcs->fec_set_enable &&
+                       link->dpcd_caps.fec_cap.bits.FEC_CAPABLE) {
+               if (link->fec_state == dc_link_fec_ready && enable) {
+-                      msleep(1);
++                      /* Accord to DP spec, FEC enable sequence can first
++                       * be transmitted anytime after 1000 LL codes have
++                       * been transmitted on the link after link training
++                       * completion. Using 1 lane RBR should have the maximum
++                       * time for transmitting 1000 LL codes which is 6.173 us.
++                       * So use 7 microseconds delay instead.
++                       */
++                      udelay(7);
+                       link_enc->funcs->fec_set_enable(link_enc, true);
+                       link->fec_state = dc_link_fec_enabled;
+               } else if (link->fec_state == dc_link_fec_enabled && !enable) {
+-- 
+2.20.1
+
diff --git a/queue-5.4/drm-amd-display-fixed-kernel-panic-when-booting-with.patch b/queue-5.4/drm-amd-display-fixed-kernel-panic-when-booting-with.patch
new file mode 100644 (file)
index 0000000..9a40986
--- /dev/null
@@ -0,0 +1,43 @@
+From 011554e3fc35bce137da03d816ec8d443360643e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Nov 2019 17:18:20 -0500
+Subject: drm/amd/display: Fixed kernel panic when booting with DP-to-HDMI
+ dongle
+
+From: David Galiffi <David.Galiffi@amd.com>
+
+[ Upstream commit a51d9f8fe756beac51ce26ef54195da00a260d13 ]
+
+[Why]
+In dc_link_is_dp_sink_present, if dal_ddc_open fails, then
+dal_gpio_destroy_ddc is called, destroying pin_data and pin_clock. They
+are created only on dc_construct, and next aux access will cause a panic.
+
+[How]
+Instead of calling dal_gpio_destroy_ddc, call dal_ddc_close.
+
+Signed-off-by: David Galiffi <David.Galiffi@amd.com>
+Reviewed-by: Tony Cheng <Tony.Cheng@amd.com>
+Acked-by: Leo Li <sunpeng.li@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/core/dc_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link.c b/drivers/gpu/drm/amd/display/dc/core/dc_link.c
+index 067f5579f452..793aa8e8ec9a 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc_link.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link.c
+@@ -373,7 +373,7 @@ bool dc_link_is_dp_sink_present(struct dc_link *link)
+       if (GPIO_RESULT_OK != dal_ddc_open(
+               ddc, GPIO_MODE_INPUT, GPIO_DDC_CONFIG_TYPE_MODE_I2C)) {
+-              dal_gpio_destroy_ddc(&ddc);
++              dal_ddc_close(ddc);
+               return present;
+       }
+-- 
+2.20.1
+
diff --git a/queue-5.4/drm-amd-display-map-dsc-resources-1-to-1-if-numbers-.patch b/queue-5.4/drm-amd-display-map-dsc-resources-1-to-1-if-numbers-.patch
new file mode 100644 (file)
index 0000000..363e58b
--- /dev/null
@@ -0,0 +1,77 @@
+From c0a5f0491459e1f6e383355df62ca06d0183a7e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Nov 2019 13:06:48 -0500
+Subject: drm/amd/display: Map DSC resources 1-to-1 if numbers of OPPs and DSCs
+ are equal
+
+From: Nikola Cornij <nikola.cornij@amd.com>
+
+[ Upstream commit a1fc44b609b4e9c0941f0e4a1fc69d367af5ab69 ]
+
+[why]
+On ASICs where number of DSCs is the same as OPPs there's no need
+for DSC resource management. Mappping 1-to-1 fixes mode-set- or S3-
+-related issues for such platforms.
+
+[how]
+Map DSC resources 1-to-1 to pipes only if number of OPPs is the same
+as number of DSCs. This will still keep other ASICs working.
+A follow-up patch to fix mode-set issues on those ASICs will be
+required if testing shows issues with mode set.
+
+Signed-off-by: Nikola Cornij <nikola.cornij@amd.com>
+Reviewed-by: Dmytro Laktyushkin <Dmytro.Laktyushkin@amd.com>
+Acked-by: Leo Li <sunpeng.li@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/amd/display/dc/dcn20/dcn20_resource.c   | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c
+index 78b2cc2e122f..3b7769a3e67e 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c
+@@ -1419,13 +1419,20 @@ enum dc_status dcn20_build_mapped_resource(const struct dc *dc, struct dc_state
+ static void acquire_dsc(struct resource_context *res_ctx,
+                       const struct resource_pool *pool,
+-                      struct display_stream_compressor **dsc)
++                      struct display_stream_compressor **dsc,
++                      int pipe_idx)
+ {
+       int i;
+       ASSERT(*dsc == NULL);
+       *dsc = NULL;
++      if (pool->res_cap->num_dsc == pool->res_cap->num_opp) {
++              *dsc = pool->dscs[pipe_idx];
++              res_ctx->is_dsc_acquired[pipe_idx] = true;
++              return;
++      }
++
+       /* Find first free DSC */
+       for (i = 0; i < pool->res_cap->num_dsc; i++)
+               if (!res_ctx->is_dsc_acquired[i]) {
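Review bot: The new 1-to-1 branch in `acquire_dsc()` indexes `pool->dscs[pipe_idx]` and `res_ctx->is_dsc_acquired[pipe_idx]` without comparing `pipe_idx` to `num_dsc`, and without checking that the slot is still free. `add_dsc_to_stream_resource()` passes its pipe loop counter, whose bound is outside the hunk, so it is presumably the pipe count and not the DSC count. If a pool ever has `num_dsc == num_opp` but more pipes than DSCs, this reads and writes past both arrays. Guarding the branch with `if (pool->res_cap->num_dsc == pool->res_cap->num_opp && pipe_idx < pool->res_cap->num_dsc)` lets any other index fall through to the existing first-free search. The rest of `acquire_dsc()` lies outside the hunk.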
+@@ -1468,7 +1475,7 @@ static enum dc_status add_dsc_to_stream_resource(struct dc *dc,
+               if (pipe_ctx->stream != dc_stream)
+                       continue;
+-              acquire_dsc(&dc_ctx->res_ctx, pool, &pipe_ctx->stream_res.dsc);
++              acquire_dsc(&dc_ctx->res_ctx, pool, &pipe_ctx->stream_res.dsc, i);
+               /* The number of DSCs can be less than the number of pipes */
+               if (!pipe_ctx->stream_res.dsc) {
+@@ -1669,7 +1676,7 @@ static bool dcn20_split_stream_for_odm(
+       next_odm_pipe->stream_res.opp = pool->opps[next_odm_pipe->pipe_idx];
+ #ifdef CONFIG_DRM_AMD_DC_DSC_SUPPORT
+       if (next_odm_pipe->stream->timing.flags.DSC == 1) {
+-              acquire_dsc(res_ctx, pool, &next_odm_pipe->stream_res.dsc);
++              acquire_dsc(res_ctx, pool, &next_odm_pipe->stream_res.dsc, next_odm_pipe->pipe_idx);
+               ASSERT(next_odm_pipe->stream_res.dsc);
+               if (next_odm_pipe->stream_res.dsc == NULL)
+                       return false;
+-- 
+2.20.1
+
diff --git a/queue-5.4/drm-amd-display-reset-steer-fifo-before-unblanking-t.patch b/queue-5.4/drm-amd-display-reset-steer-fifo-before-unblanking-t.patch
new file mode 100644 (file)
index 0000000..2336868
--- /dev/null
@@ -0,0 +1,61 @@
+From 6f94d734112feb364ec1f47440cb9c509009894c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Nov 2019 18:03:59 -0500
+Subject: drm/amd/display: Reset steer fifo before unblanking the stream
+
+From: Nikola Cornij <nikola.cornij@amd.com>
+
+[ Upstream commit 87de6cb2f28153bc74d0a001ca099c29453e145f ]
+
+[why]
+During mode transition steer fifo could overflow. Quite often it
+recovers by itself, but sometimes it doesn't.
+
+[how]
+Add steer fifo reset before unblanking the stream. Also add a short
+delay when resetting dig resync fifo to make sure register writes
+don't end up back-to-back, in which case the HW might miss the reset
+request.
+
+Signed-off-by: Nikola Cornij <nikola.cornij@amd.com>
+Reviewed-by: Tony Cheng <Tony.Cheng@amd.com>
+Acked-by: Leo Li <sunpeng.li@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../drm/amd/display/dc/dcn20/dcn20_stream_encoder.c  | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_stream_encoder.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_stream_encoder.c
+index 5ab9d6240498..e95025b1d14d 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_stream_encoder.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_stream_encoder.c
+@@ -492,15 +492,23 @@ void enc2_stream_encoder_dp_unblank(
+                               DP_VID_N_MUL, n_multiply);
+       }
+-      /* set DIG_START to 0x1 to reset FIFO */
++      /* make sure stream is disabled before resetting steer fifo */
++      REG_UPDATE(DP_VID_STREAM_CNTL, DP_VID_STREAM_ENABLE, false);
++      REG_WAIT(DP_VID_STREAM_CNTL, DP_VID_STREAM_STATUS, 0, 10, 5000);
++      /* set DIG_START to 0x1 to reset FIFO */
+       REG_UPDATE(DIG_FE_CNTL, DIG_START, 1);
++      udelay(1);
+       /* write 0 to take the FIFO out of reset */
+       REG_UPDATE(DIG_FE_CNTL, DIG_START, 0);
+-      /* switch DP encoder to CRTC data */
++      /* switch DP encoder to CRTC data, but reset it the fifo first. It may happen
++       * that it overflows during mode transition, and sometimes doesn't recover.
++       */
++      REG_UPDATE(DP_STEER_FIFO, DP_STEER_FIFO_RESET, 1);
++      udelay(10);
+       REG_UPDATE(DP_STEER_FIFO, DP_STEER_FIFO_RESET, 0);
+-- 
+2.20.1
+
diff --git a/queue-5.4/drm-amd-display-update-dispclk-and-dppclk-vco-freque.patch b/queue-5.4/drm-amd-display-update-dispclk-and-dppclk-vco-freque.patch
new file mode 100644 (file)
index 0000000..b7679bc
--- /dev/null
@@ -0,0 +1,38 @@
+From fcdd32b1fee3cdbc610da955400cfaeb4c69bcf6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Nov 2019 12:04:25 -0500
+Subject: drm/amd/display: update dispclk and dppclk vco frequency
+
+From: Eric Yang <Eric.Yang2@amd.com>
+
+[ Upstream commit 44ce6c3dc8479bb3ed68df13b502b0901675e7d6 ]
+
+Value obtained from DV is not allowing 8k60 CTA mode with DSC to
+pass, after checking real value being used in hw, find out that
+correct value is 3600, which will allow that mode.
+
+Signed-off-by: Eric Yang <Eric.Yang2@amd.com>
+Reviewed-by: Tony Cheng <Tony.Cheng@amd.com>
+Acked-by: Leo Li <sunpeng.li@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c b/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c
+index de182185fe1f..b0e5e64df212 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c
+@@ -258,7 +258,7 @@ struct _vcs_dpi_soc_bounding_box_st dcn2_1_soc = {
+       .vmm_page_size_bytes = 4096,
+       .dram_clock_change_latency_us = 23.84,
+       .return_bus_width_bytes = 64,
+-      .dispclk_dppclk_vco_speed_mhz = 3550,
++      .dispclk_dppclk_vco_speed_mhz = 3600,
+       .xfc_bus_transport_time_us = 4,
+       .xfc_xbuf_latency_tolerance_us = 4,
+       .use_urgent_burst_bw = 1,
+-- 
+2.20.1
+
diff --git a/queue-5.4/drm-amdgpu-add-cache-flush-workaround-to-gfx8-emit_f.patch b/queue-5.4/drm-amdgpu-add-cache-flush-workaround-to-gfx8-emit_f.patch
new file mode 100644 (file)
index 0000000..37f4651
--- /dev/null
@@ -0,0 +1,71 @@
+From 2645e9176bd2243df4f1768b0c8315b16509f3e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Nov 2019 12:08:58 +0100
+Subject: drm/amdgpu: add cache flush workaround to gfx8 emit_fence
+
+From: Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer@amd.com>
+
+[ Upstream commit bf26da927a1cd57c9deb2db29ae8cf276ba8b17b ]
+
+The same workaround is used for gfx7.
+Both PAL and Mesa use it for gfx8 too, so port this commit to
+gfx_v8_0_ring_emit_fence_gfx.
+
+Signed-off-by: Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c | 22 +++++++++++++++++++---
+ 1 file changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c
+index 87dd55e9d72b..cc88ba76a8d4 100644
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c
+@@ -6184,7 +6184,23 @@ static void gfx_v8_0_ring_emit_fence_gfx(struct amdgpu_ring *ring, u64 addr,
+       bool write64bit = flags & AMDGPU_FENCE_FLAG_64BIT;
+       bool int_sel = flags & AMDGPU_FENCE_FLAG_INT;
+-      /* EVENT_WRITE_EOP - flush caches, send int */
++      /* Workaround for cache flush problems. First send a dummy EOP
++       * event down the pipe with seq one below.
++       */
++      amdgpu_ring_write(ring, PACKET3(PACKET3_EVENT_WRITE_EOP, 4));
++      amdgpu_ring_write(ring, (EOP_TCL1_ACTION_EN |
++                               EOP_TC_ACTION_EN |
++                               EOP_TC_WB_ACTION_EN |
++                               EVENT_TYPE(CACHE_FLUSH_AND_INV_TS_EVENT) |
++                               EVENT_INDEX(5)));
++      amdgpu_ring_write(ring, addr & 0xfffffffc);
++      amdgpu_ring_write(ring, (upper_32_bits(addr) & 0xffff) |
++                              DATA_SEL(1) | INT_SEL(0));
++      amdgpu_ring_write(ring, lower_32_bits(seq - 1));
++      amdgpu_ring_write(ring, upper_32_bits(seq - 1));
++
++      /* Then send the real EOP event down the pipe:
++       * EVENT_WRITE_EOP - flush caches, send int */
+       amdgpu_ring_write(ring, PACKET3(PACKET3_EVENT_WRITE_EOP, 4));
+       amdgpu_ring_write(ring, (EOP_TCL1_ACTION_EN |
+                                EOP_TC_ACTION_EN |
+@@ -6926,7 +6942,7 @@ static const struct amdgpu_ring_funcs gfx_v8_0_ring_funcs_gfx = {
+               5 +  /* COND_EXEC */
+               7 +  /* PIPELINE_SYNC */
+               VI_FLUSH_GPU_TLB_NUM_WREG * 5 + 9 + /* VM_FLUSH */
+-              8 +  /* FENCE for VM_FLUSH */
++              12 +  /* FENCE for VM_FLUSH */
+               20 + /* GDS switch */
+               4 + /* double SWITCH_BUFFER,
+                      the first COND_EXEC jump to the place just
+@@ -6938,7 +6954,7 @@ static const struct amdgpu_ring_funcs gfx_v8_0_ring_funcs_gfx = {
+               31 + /* DE_META */
+               3 + /* CNTX_CTRL */
+               5 + /* HDP_INVL */
+-              8 + 8 + /* FENCE x2 */
++              12 + 12 + /* FENCE x2 */
+               2, /* SWITCH_BUFFER */
+       .emit_ib_size = 4, /* gfx_v8_0_ring_emit_ib_gfx */
+       .emit_ib = gfx_v8_0_ring_emit_ib_gfx,
+-- 
+2.20.1
+
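Review bot: The `12` in the two `emit_frame_size` hunks is a bare number that has to equal what gfx_v8_0_ring_emit_fence_gfx now emits, and nothing in the code ties the two together. The added dummy packet is six amdgpu_ring_write() calls and the real EVENT_WRITE_EOP after it starts with the same header, so 12 looks right. The old budget of 8 left some slack, though, and the new one apparently leaves none (the rest of the function is outside the hunk). I would state the derivation at the number, e.g. `12 +  /* FENCE for VM_FLUSH: dummy + real EVENT_WRITE_EOP, 6 dwords each */`, so a later change to the fence sequence also updates the ring reservation.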
diff --git a/queue-5.4/drm-amdgpu-add-check-before-enabling-disabling-broad.patch b/queue-5.4/drm-amdgpu-add-check-before-enabling-disabling-broad.patch
new file mode 100644 (file)
index 0000000..1b36baa
--- /dev/null
@@ -0,0 +1,74 @@
+From ce4755a7b4069d0b224656b951e16ae62d833067 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2019 15:51:16 +0800
+Subject: drm/amdgpu: add check before enabling/disabling broadcast mode
+
+From: Guchun Chen <guchun.chen@amd.com>
+
+[ Upstream commit 6e807535dae5dbbd53bcc5e81047a20bf5eb08ea ]
+
+When security violation from new vbios happens, data fabric is
+risky to stop working. So prevent the direct access to DF
+mmFabricConfigAccessControl from the new vbios and onwards.
+
+Signed-off-by: Guchun Chen <guchun.chen@amd.com>
+Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/df_v3_6.c | 38 ++++++++++++++++------------
+ 1 file changed, 22 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/df_v3_6.c b/drivers/gpu/drm/amd/amdgpu/df_v3_6.c
+index 5850c8e34caa..97d11d792351 100644
+--- a/drivers/gpu/drm/amd/amdgpu/df_v3_6.c
++++ b/drivers/gpu/drm/amd/amdgpu/df_v3_6.c
+@@ -261,23 +261,29 @@ static void df_v3_6_update_medium_grain_clock_gating(struct amdgpu_device *adev,
+ {
+       u32 tmp;
+-      /* Put DF on broadcast mode */
+-      adev->df_funcs->enable_broadcast_mode(adev, true);
+-
+-      if (enable && (adev->cg_flags & AMD_CG_SUPPORT_DF_MGCG)) {
+-              tmp = RREG32_SOC15(DF, 0, mmDF_PIE_AON0_DfGlobalClkGater);
+-              tmp &= ~DF_PIE_AON0_DfGlobalClkGater__MGCGMode_MASK;
+-              tmp |= DF_V3_6_MGCG_ENABLE_15_CYCLE_DELAY;
+-              WREG32_SOC15(DF, 0, mmDF_PIE_AON0_DfGlobalClkGater, tmp);
+-      } else {
+-              tmp = RREG32_SOC15(DF, 0, mmDF_PIE_AON0_DfGlobalClkGater);
+-              tmp &= ~DF_PIE_AON0_DfGlobalClkGater__MGCGMode_MASK;
+-              tmp |= DF_V3_6_MGCG_DISABLE;
+-              WREG32_SOC15(DF, 0, mmDF_PIE_AON0_DfGlobalClkGater, tmp);
+-      }
++      if (adev->cg_flags & AMD_CG_SUPPORT_DF_MGCG) {
++              /* Put DF on broadcast mode */
++              adev->df_funcs->enable_broadcast_mode(adev, true);
++
++              if (enable) {
++                      tmp = RREG32_SOC15(DF, 0,
++                                      mmDF_PIE_AON0_DfGlobalClkGater);
++                      tmp &= ~DF_PIE_AON0_DfGlobalClkGater__MGCGMode_MASK;
++                      tmp |= DF_V3_6_MGCG_ENABLE_15_CYCLE_DELAY;
++                      WREG32_SOC15(DF, 0,
++                                      mmDF_PIE_AON0_DfGlobalClkGater, tmp);
++              } else {
++                      tmp = RREG32_SOC15(DF, 0,
++                                      mmDF_PIE_AON0_DfGlobalClkGater);
++                      tmp &= ~DF_PIE_AON0_DfGlobalClkGater__MGCGMode_MASK;
++                      tmp |= DF_V3_6_MGCG_DISABLE;
++                      WREG32_SOC15(DF, 0,
++                                      mmDF_PIE_AON0_DfGlobalClkGater, tmp);
++              }
+-      /* Exit broadcast mode */
+-      adev->df_funcs->enable_broadcast_mode(adev, false);
++              /* Exit broadcast mode */
++              adev->df_funcs->enable_broadcast_mode(adev, false);
++      }
+ }
+ static void df_v3_6_get_clockgating_state(struct amdgpu_device *adev,
+-- 
+2.20.1
+
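Review bot: The new `if (adev->cg_flags & AMD_CG_SUPPORT_DF_MGCG)` guard in df_v3_6_update_medium_grain_clock_gating has no comment, and it changes the disable path: with the flag clear the function used to write `DF_V3_6_MGCG_DISABLE` and now touches no register at all. The reason is only in the commit message and belongs next to the check, e.g. `/* Skip DF broadcast-mode access unless MGCG is supported; with newer vbios a direct mmFabricConfigAccessControl access is a security violation */`. As a matter of style, the two branches differ only in the value OR-ed into `tmp`, so a single read/mask/write with `tmp |= enable ? DF_V3_6_MGCG_ENABLE_15_CYCLE_DELAY : DF_V3_6_MGCG_DISABLE;` would avoid the wrapped register accesses.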
diff --git a/queue-5.4/drm-amdgpu-add-header-line-for-power-profile-on-arct.patch b/queue-5.4/drm-amdgpu-add-header-line-for-power-profile-on-arct.patch
new file mode 100644 (file)
index 0000000..373fbda
--- /dev/null
@@ -0,0 +1,43 @@
+From fdf2d58245df964bac125677d8887126cb486e20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2019 22:07:49 -0500
+Subject: drm/amdgpu: add header line for power profile on Arcturus
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+[ Upstream commit 14891c316ca7e15d81dba78f30fb630e3f9ee2c9 ]
+
+So the output is consistent with other asics.
+
+Reviewed-by: Evan Quan <evan.quan@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/powerplay/arcturus_ppt.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/powerplay/arcturus_ppt.c b/drivers/gpu/drm/amd/powerplay/arcturus_ppt.c
+index d493a3f8c07a..b68bf8dcfa78 100644
+--- a/drivers/gpu/drm/amd/powerplay/arcturus_ppt.c
++++ b/drivers/gpu/drm/amd/powerplay/arcturus_ppt.c
+@@ -1388,12 +1388,17 @@ static int arcturus_get_power_profile_mode(struct smu_context *smu,
+                                       "VR",
+                                       "COMPUTE",
+                                       "CUSTOM"};
++      static const char *title[] = {
++                      "PROFILE_INDEX(NAME)"};
+       uint32_t i, size = 0;
+       int16_t workload_type = 0;
+       if (!smu->pm_enabled || !buf)
+               return -EINVAL;
++      size += sprintf(buf + size, "%16s\n",
++                      title[0]);
++
+       for (i = 0; i <= PP_SMC_POWER_PROFILE_CUSTOM; i++) {
+               /*
+                * Conv PP_SMC_POWER_PROFILE* to WORKLOAD_PPLIB_*_BIT
+-- 
+2.20.1
+
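Review bot: The added `size += sprintf(buf + size, "%16s\n", title[0]);` in arcturus_get_power_profile_mode writes into `buf` with no bound, and the loop after it keeps appending at `buf + size`. If `buf` is the PAGE_SIZE sysfs buffer, which the hunk does not show, a bounded form such as `size += scnprintf(buf + size, PAGE_SIZE - size, "%16s\n", title[0]);` keeps the running offset within the buffer. The one-element `title[]` array could also be a plain string, and `%16s` does not pad a 19-character title. The function body starts and ends outside the hunk.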
diff --git a/queue-5.4/drm-limit-to-int_max-in-create_blob-ioctl.patch b/queue-5.4/drm-limit-to-int_max-in-create_blob-ioctl.patch
new file mode 100644 (file)
index 0000000..e5328a8
--- /dev/null
@@ -0,0 +1,44 @@
+From eeadcb8d51ef273f82916a08b6f9487bccb0ba79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2019 16:52:37 -0800
+Subject: drm: limit to INT_MAX in create_blob ioctl
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+[ Upstream commit 5bf8bec3f4ce044a223c40cbce92590d938f0e9c ]
+
+The hardened usercpy code is too paranoid ever since commit 6a30afa8c1fb
+("uaccess: disallow > INT_MAX copy sizes")
+
+Code itself should have been fine as-is.
+
+Link: http://lkml.kernel.org/r/20191106164755.31478-1-daniel.vetter@ffwll.ch
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Reported-by: syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com
+Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes")
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Stephen Rothwell <sfr@canb.auug.org.au>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_property.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c
+index 892ce636ef72..6ee04803c362 100644
+--- a/drivers/gpu/drm/drm_property.c
++++ b/drivers/gpu/drm/drm_property.c
+@@ -561,7 +561,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length,
+       struct drm_property_blob *blob;
+       int ret;
+-      if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob))
++      if (!length || length > INT_MAX - sizeof(struct drm_property_blob))
+               return ERR_PTR(-EINVAL);
+       blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);
+-- 
+2.20.1
+
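Review bot: The new bound `length > INT_MAX - sizeof(struct drm_property_blob)` in drm_property_create_blob has no comment explaining why the limit is INT_MAX, and the commit message itself says the old check was fine. The reason lives only in the changelog (the hardened usercopy code rejects copies larger than INT_MAX), so a later cleanup could easily widen the limit again. A one-line comment above the check would record it, e.g. `/* usercopy rejects sizes above INT_MAX; keep header + payload below that */`. The function continues outside the hunk.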
diff --git a/queue-5.4/drm-mcde-dsi-fix-invalid-pointer-dereference-if-pane.patch b/queue-5.4/drm-mcde-dsi-fix-invalid-pointer-dereference-if-pane.patch
new file mode 100644 (file)
index 0000000..9db35d7
--- /dev/null
@@ -0,0 +1,60 @@
+From b97a2a59f2db1b36b5804a182637a29ed74da180 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Nov 2019 14:02:52 +0100
+Subject: drm/mcde: dsi: Fix invalid pointer dereference if panel cannot be
+ found
+
+From: Stephan Gerhold <stephan@gerhold.net>
+
+[ Upstream commit c131280c03bd1c225c2e64e9ef75873ffca3d96e ]
+
+The "panel" pointer is not reset to NULL if of_drm_find_panel()
+returns an error. Therefore we later assume that a panel was found,
+and try to dereference the error pointer, resulting in:
+
+    mcde-dsi a0351000.dsi: failed to find panel try bridge (4294966779)
+    Unable to handle kernel paging request at virtual address fffffe03
+    PC is at drm_panel_bridge_add.part.0+0x10/0x5c
+    LR is at mcde_dsi_bind+0x120/0x464
+    ...
+
+Reset "panel" to NULL to avoid this problem.
+Also change the format string of the error to %ld to print
+the negative errors correctly. The crash above then becomes:
+
+    mcde-dsi a0351000.dsi: failed to find panel try bridge (-517)
+    mcde-dsi a0351000.dsi: no panel or bridge
+    ...
+
+Fixes: 5fc537bfd000 ("drm/mcde: Add new driver for ST-Ericsson MCDE")
+Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20191118130252.170324-1-stephan@gerhold.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mcde/mcde_dsi.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/mcde/mcde_dsi.c b/drivers/gpu/drm/mcde/mcde_dsi.c
+index f9c9e32b299c..35bb825d1918 100644
+--- a/drivers/gpu/drm/mcde/mcde_dsi.c
++++ b/drivers/gpu/drm/mcde/mcde_dsi.c
+@@ -935,11 +935,13 @@ static int mcde_dsi_bind(struct device *dev, struct device *master,
+       for_each_available_child_of_node(dev->of_node, child) {
+               panel = of_drm_find_panel(child);
+               if (IS_ERR(panel)) {
+-                      dev_err(dev, "failed to find panel try bridge (%lu)\n",
++                      dev_err(dev, "failed to find panel try bridge (%ld)\n",
+                               PTR_ERR(panel));
++                      panel = NULL;
++
+                       bridge = of_drm_find_bridge(child);
+                       if (IS_ERR(bridge)) {
+-                              dev_err(dev, "failed to find bridge (%lu)\n",
++                              dev_err(dev, "failed to find bridge (%ld)\n",
+                                       PTR_ERR(bridge));
+                               return PTR_ERR(bridge);
+                       }
+-- 
+2.20.1
+
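Review bot: The `return PTR_ERR(bridge);` inside the `for_each_available_child_of_node()` loop in mcde_dsi_bind leaves the loop without dropping the reference the iterator holds on `child`. The commit fixes the error-pointer dereference but keeps this early exit as it was. Adding `of_node_put(child);` before the return would release the node. The rest of mcde_dsi_bind is outside the hunk.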
diff --git a/queue-5.4/drm-nouveau-fix-drm-core-using-atomic-code-paths-on-.patch b/queue-5.4/drm-nouveau-fix-drm-core-using-atomic-code-paths-on-.patch
new file mode 100644 (file)
index 0000000..c822eab
--- /dev/null
@@ -0,0 +1,120 @@
+From cf7856331b93eff7c828c3fcda48fa8ede71ac50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Oct 2019 10:52:53 +0200
+Subject: drm/nouveau: Fix drm-core using atomic code-paths on pre-nv50
+ hardware
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 64d17f25dcad518461ccf0c260544e1e379c5b35 ]
+
+We do not support atomic modesetting on pre-nv50 hardware, but until now
+our connector code was setting drm_connector->state on pre-nv50 hardware.
+
+This causes the core to enter atomic modesetting paths in at least:
+
+1. drm_connector_get_encoder(), returning connector->state->best_encoder
+which is always 0, causing us to always report 0 as encoder_id in
+the drmModeConnector struct returned by drmModeGetConnector().
+
+2. drm_encoder_get_crtc(), returning NULL because uses_atomic get set,
+causing us to always report 0 as crtc_id in the drmModeEncoder struct
+returned by drmModeGetEncoder()
+
+Which in turn confuses userspace, at least plymouth thinks that the pipe
+has changed because of this and tries to reconfigure it unnecessarily.
+
+More in general we should not set drm_connector->state in the non-atomic
+code as this violates the drm-core's expectations.
+
+This commit fixes this by using a nouveau_conn_atom struct embedded in the
+nouveau_connector struct for property handling in the non-atomic case.
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1706557
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_connector.c | 28 +++++++++++++++------
+ drivers/gpu/drm/nouveau/nouveau_connector.h |  6 +++++
+ 2 files changed, 27 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c
+index a442a955f98c..eb31c5b6c8e9 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_connector.c
++++ b/drivers/gpu/drm/nouveau/nouveau_connector.c
+@@ -245,14 +245,22 @@ nouveau_conn_atomic_duplicate_state(struct drm_connector *connector)
+ void
+ nouveau_conn_reset(struct drm_connector *connector)
+ {
++      struct nouveau_connector *nv_connector = nouveau_connector(connector);
+       struct nouveau_conn_atom *asyc;
+-      if (WARN_ON(!(asyc = kzalloc(sizeof(*asyc), GFP_KERNEL))))
+-              return;
++      if (drm_drv_uses_atomic_modeset(connector->dev)) {
++              if (WARN_ON(!(asyc = kzalloc(sizeof(*asyc), GFP_KERNEL))))
++                      return;
++
++              if (connector->state)
++                      nouveau_conn_atomic_destroy_state(connector,
++                                                        connector->state);
++
++              __drm_atomic_helper_connector_reset(connector, &asyc->state);
++      } else {
++              asyc = &nv_connector->properties_state;
++      }
+-      if (connector->state)
+-              nouveau_conn_atomic_destroy_state(connector, connector->state);
+-      __drm_atomic_helper_connector_reset(connector, &asyc->state);
+       asyc->dither.mode = DITHERING_MODE_AUTO;
+       asyc->dither.depth = DITHERING_DEPTH_AUTO;
+       asyc->scaler.mode = DRM_MODE_SCALE_NONE;
+@@ -276,8 +284,14 @@ void
+ nouveau_conn_attach_properties(struct drm_connector *connector)
+ {
+       struct drm_device *dev = connector->dev;
+-      struct nouveau_conn_atom *armc = nouveau_conn_atom(connector->state);
+       struct nouveau_display *disp = nouveau_display(dev);
++      struct nouveau_connector *nv_connector = nouveau_connector(connector);
++      struct nouveau_conn_atom *armc;
++
++      if (drm_drv_uses_atomic_modeset(connector->dev))
++              armc = nouveau_conn_atom(connector->state);
++      else
++              armc = &nv_connector->properties_state;
+       /* Init DVI-I specific properties. */
+       if (connector->connector_type == DRM_MODE_CONNECTOR_DVII)
+@@ -749,9 +763,9 @@ static int
+ nouveau_connector_set_property(struct drm_connector *connector,
+                              struct drm_property *property, uint64_t value)
+ {
+-      struct nouveau_conn_atom *asyc = nouveau_conn_atom(connector->state);
+       struct nouveau_connector *nv_connector = nouveau_connector(connector);
+       struct nouveau_encoder *nv_encoder = nv_connector->detected_encoder;
++      struct nouveau_conn_atom *asyc = &nv_connector->properties_state;
+       struct drm_encoder *encoder = to_drm_encoder(nv_encoder);
+       int ret;
+diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.h b/drivers/gpu/drm/nouveau/nouveau_connector.h
+index de9588420884..de84fb4708c7 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_connector.h
++++ b/drivers/gpu/drm/nouveau/nouveau_connector.h
+@@ -118,6 +118,12 @@ struct nouveau_connector {
+ #ifdef CONFIG_DRM_NOUVEAU_BACKLIGHT
+       struct nouveau_backlight *backlight;
+ #endif
++      /*
++       * Our connector property code expects a nouveau_conn_atom struct
++       * even on pre-nv50 where we do not support atomic. This embedded
++       * version gets used in the non atomic modeset case.
++       */
++      struct nouveau_conn_atom properties_state;
+ };
+ static inline struct nouveau_connector *nouveau_connector(
+-- 
+2.20.1
+
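Review bot: nouveau_connector_set_property now takes `&nv_connector->properties_state` unconditionally, while nouveau_conn_reset and nouveau_conn_attach_properties in the same patch choose between `connector->state` and the embedded copy with drm_drv_uses_atomic_modeset(). That is only right if set_property is reached solely on the non-atomic path, which the hunk does not show. A comment such as `/* legacy (non-atomic) path only: properties live in the embedded properties_state */` would record the assumption. The state selection is also written out twice; a small helper returning the `struct nouveau_conn_atom *` for a connector would keep the three users in step. The three functions are only partly visible in their hunks.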
diff --git a/queue-5.4/drm-nouveau-kms-nv50-fix-panel-scaling.patch b/queue-5.4/drm-nouveau-kms-nv50-fix-panel-scaling.patch
new file mode 100644 (file)
index 0000000..6a283d8
--- /dev/null
@@ -0,0 +1,43 @@
+From 60100303df3b576c5bf4933d1b254a8c0b7c41eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2019 12:15:44 +1000
+Subject: drm/nouveau/kms/nv50-: fix panel scaling
+
+From: Ben Skeggs <bskeggs@redhat.com>
+
+[ Upstream commit 3d1890ef8023e61934e070021b06cc9f417260c0 ]
+
+Under certain circumstances, encoder atomic_check() can be entered
+without adjusted_mode having been reset to the same as mode, which
+confuses the scaling logic and can lead to a misprogrammed display.
+
+Fix this by checking against the user-provided mode directly.
+
+Link: https://bugs.freedesktop.org/show_bug.cgi?id=108615
+Link: https://gitlab.freedesktop.org/xorg/driver/xf86-video-nouveau/issues/464
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/dispnv50/disp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/nouveau/dispnv50/disp.c b/drivers/gpu/drm/nouveau/dispnv50/disp.c
+index b5b1a34f896f..d735ea7e2d88 100644
+--- a/drivers/gpu/drm/nouveau/dispnv50/disp.c
++++ b/drivers/gpu/drm/nouveau/dispnv50/disp.c
+@@ -326,9 +326,9 @@ nv50_outp_atomic_check_view(struct drm_encoder *encoder,
+                        * same size as the native one (e.g. different
+                        * refresh rate)
+                        */
+-                      if (adjusted_mode->hdisplay == native_mode->hdisplay &&
+-                          adjusted_mode->vdisplay == native_mode->vdisplay &&
+-                          adjusted_mode->type & DRM_MODE_TYPE_DRIVER)
++                      if (mode->hdisplay == native_mode->hdisplay &&
++                          mode->vdisplay == native_mode->vdisplay &&
++                          mode->type & DRM_MODE_TYPE_DRIVER)
+                               break;
+                       mode = native_mode;
+                       asyc->scaler.full = true;
+-- 
+2.20.1
+
diff --git a/queue-5.4/drm-nouveau-move-the-declaration-of-struct-nouveau_c.patch b/queue-5.4/drm-nouveau-move-the-declaration-of-struct-nouveau_c.patch
new file mode 100644 (file)
index 0000000..c1130bf
--- /dev/null
@@ -0,0 +1,163 @@
+From 84bf4989b2af05e88ebfd0efaddf6506ddfcce57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Oct 2019 10:52:52 +0200
+Subject: drm/nouveau: Move the declaration of struct nouveau_conn_atom up a
+ bit
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 37a68eab4cd92b507c9e8afd760fdc18e4fecac6 ]
+
+Place the declaration of struct nouveau_conn_atom above that of
+struct nouveau_connector. This commit makes no changes to the moved
+block what so ever, it just moves it up a bit.
+
+This is a preparation patch to fix some issues with connector handling
+on pre nv50 displays (which do not use atomic modesetting).
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Lyude Paul <lyude@redhat.com>
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_connector.h | 110 ++++++++++----------
+ 1 file changed, 55 insertions(+), 55 deletions(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.h b/drivers/gpu/drm/nouveau/nouveau_connector.h
+index f43a8d63aef8..de9588420884 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_connector.h
++++ b/drivers/gpu/drm/nouveau/nouveau_connector.h
+@@ -29,6 +29,7 @@
+ #include <nvif/notify.h>
++#include <drm/drm_crtc.h>
+ #include <drm/drm_edid.h>
+ #include <drm/drm_encoder.h>
+ #include <drm/drm_dp_helper.h>
+@@ -44,6 +45,60 @@ struct dcb_output;
+ struct nouveau_backlight;
+ #endif
++#define nouveau_conn_atom(p)                                                   \
++      container_of((p), struct nouveau_conn_atom, state)
++
++struct nouveau_conn_atom {
++      struct drm_connector_state state;
++
++      struct {
++              /* The enum values specifically defined here match nv50/gf119
++               * hw values, and the code relies on this.
++               */
++              enum {
++                      DITHERING_MODE_OFF = 0x00,
++                      DITHERING_MODE_ON = 0x01,
++                      DITHERING_MODE_DYNAMIC2X2 = 0x10 | DITHERING_MODE_ON,
++                      DITHERING_MODE_STATIC2X2 = 0x18 | DITHERING_MODE_ON,
++                      DITHERING_MODE_TEMPORAL = 0x20 | DITHERING_MODE_ON,
++                      DITHERING_MODE_AUTO
++              } mode;
++              enum {
++                      DITHERING_DEPTH_6BPC = 0x00,
++                      DITHERING_DEPTH_8BPC = 0x02,
++                      DITHERING_DEPTH_AUTO
++              } depth;
++      } dither;
++
++      struct {
++              int mode;       /* DRM_MODE_SCALE_* */
++              struct {
++                      enum {
++                              UNDERSCAN_OFF,
++                              UNDERSCAN_ON,
++                              UNDERSCAN_AUTO,
++                      } mode;
++                      u32 hborder;
++                      u32 vborder;
++              } underscan;
++              bool full;
++      } scaler;
++
++      struct {
++              int color_vibrance;
++              int vibrant_hue;
++      } procamp;
++
++      union {
++              struct {
++                      bool dither:1;
++                      bool scaler:1;
++                      bool procamp:1;
++              };
++              u8 mask;
++      } set;
++};
++
+ struct nouveau_connector {
+       struct drm_connector base;
+       enum dcb_connector_type type;
+@@ -121,61 +176,6 @@ extern int nouveau_ignorelid;
+ extern int nouveau_duallink;
+ extern int nouveau_hdmimhz;
+-#include <drm/drm_crtc.h>
+-#define nouveau_conn_atom(p)                                                   \
+-      container_of((p), struct nouveau_conn_atom, state)
+-
+-struct nouveau_conn_atom {
+-      struct drm_connector_state state;
+-
+-      struct {
+-              /* The enum values specifically defined here match nv50/gf119
+-               * hw values, and the code relies on this.
+-               */
+-              enum {
+-                      DITHERING_MODE_OFF = 0x00,
+-                      DITHERING_MODE_ON = 0x01,
+-                      DITHERING_MODE_DYNAMIC2X2 = 0x10 | DITHERING_MODE_ON,
+-                      DITHERING_MODE_STATIC2X2 = 0x18 | DITHERING_MODE_ON,
+-                      DITHERING_MODE_TEMPORAL = 0x20 | DITHERING_MODE_ON,
+-                      DITHERING_MODE_AUTO
+-              } mode;
+-              enum {
+-                      DITHERING_DEPTH_6BPC = 0x00,
+-                      DITHERING_DEPTH_8BPC = 0x02,
+-                      DITHERING_DEPTH_AUTO
+-              } depth;
+-      } dither;
+-
+-      struct {
+-              int mode;       /* DRM_MODE_SCALE_* */
+-              struct {
+-                      enum {
+-                              UNDERSCAN_OFF,
+-                              UNDERSCAN_ON,
+-                              UNDERSCAN_AUTO,
+-                      } mode;
+-                      u32 hborder;
+-                      u32 vborder;
+-              } underscan;
+-              bool full;
+-      } scaler;
+-
+-      struct {
+-              int color_vibrance;
+-              int vibrant_hue;
+-      } procamp;
+-
+-      union {
+-              struct {
+-                      bool dither:1;
+-                      bool scaler:1;
+-                      bool procamp:1;
+-              };
+-              u8 mask;
+-      } set;
+-};
+-
+ void nouveau_conn_attach_properties(struct drm_connector *);
+ void nouveau_conn_reset(struct drm_connector *);
+ struct drm_connector_state *
+-- 
+2.20.1
+
diff --git a/queue-5.4/ib-mlx4-follow-mirror-sequence-of-device-add-during-.patch b/queue-5.4/ib-mlx4-follow-mirror-sequence-of-device-add-during-.patch
new file mode 100644 (file)
index 0000000..0ae56c2
--- /dev/null
@@ -0,0 +1,66 @@
+From 9351bf844bf4a5c26b3f27ad2a1d8a163b59284a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Dec 2019 11:12:13 +0200
+Subject: IB/mlx4: Follow mirror sequence of device add during device removal
+
+From: Parav Pandit <parav@mellanox.com>
+
+[ Upstream commit 89f988d93c62384758b19323c886db917a80c371 ]
+
+Current code device add sequence is:
+
+ib_register_device()
+ib_mad_init()
+init_sriov_init()
+register_netdev_notifier()
+
+Therefore, the remove sequence should be,
+
+unregister_netdev_notifier()
+close_sriov()
+mad_cleanup()
+ib_unregister_device()
+
+However it is not above.
+Hence, make do above remove sequence.
+
+Fixes: fa417f7b520ee ("IB/mlx4: Add support for IBoE")
+Signed-off-by: Parav Pandit <parav@mellanox.com>
+Reviewed-by: Maor Gottlieb <maorg@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Link: https://lore.kernel.org/r/20191212091214.315005-3-leon@kernel.org
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx4/main.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx4/main.c b/drivers/infiniband/hw/mlx4/main.c
+index 8d2f1e38b891..907d99822bf0 100644
+--- a/drivers/infiniband/hw/mlx4/main.c
++++ b/drivers/infiniband/hw/mlx4/main.c
+@@ -3008,16 +3008,17 @@ static void mlx4_ib_remove(struct mlx4_dev *dev, void *ibdev_ptr)
+       ibdev->ib_active = false;
+       flush_workqueue(wq);
+-      mlx4_ib_close_sriov(ibdev);
+-      mlx4_ib_mad_cleanup(ibdev);
+-      ib_unregister_device(&ibdev->ib_dev);
+-      mlx4_ib_diag_cleanup(ibdev);
+       if (ibdev->iboe.nb.notifier_call) {
+               if (unregister_netdevice_notifier(&ibdev->iboe.nb))
+                       pr_warn("failure unregistering notifier\n");
+               ibdev->iboe.nb.notifier_call = NULL;
+       }
++      mlx4_ib_close_sriov(ibdev);
++      mlx4_ib_mad_cleanup(ibdev);
++      ib_unregister_device(&ibdev->ib_dev);
++      mlx4_ib_diag_cleanup(ibdev);
++
+       mlx4_qp_release_range(dev, ibdev->steer_qpn_base,
+                             ibdev->steer_qpn_count);
+       kfree(ibdev->ib_uc_qpns_bitmap);
+-- 
+2.20.1
+
diff --git a/queue-5.4/ib-mlx5-fix-steering-rule-of-drop-and-count.patch b/queue-5.4/ib-mlx5-fix-steering-rule-of-drop-and-count.patch
new file mode 100644 (file)
index 0000000..231c7b6
--- /dev/null
@@ -0,0 +1,65 @@
+From 51d569c6ca8b22b64df0d97c873e811d004ee9e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Dec 2019 11:12:14 +0200
+Subject: IB/mlx5: Fix steering rule of drop and count
+
+From: Maor Gottlieb <maorg@mellanox.com>
+
+[ Upstream commit ed9085fed9d95d5921582e3c8474f3736c5d2782 ]
+
+There are two flow rule destinations: QP and packet. While users are
+setting DROP packet rule, the QP should not be set as a destination.
+
+Fixes: 3b3233fbf02e ("IB/mlx5: Add flow counters binding support")
+Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
+Reviewed-by: Raed Salem <raeds@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Link: https://lore.kernel.org/r/20191212091214.315005-4-leon@kernel.org
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/main.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
+index 831539419c30..e1cfbedefcbc 100644
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -3548,10 +3548,6 @@ static struct mlx5_ib_flow_handler *_create_flow_rule(struct mlx5_ib_dev *dev,
+       }
+       INIT_LIST_HEAD(&handler->list);
+-      if (dst) {
+-              memcpy(&dest_arr[0], dst, sizeof(*dst));
+-              dest_num++;
+-      }
+       for (spec_index = 0; spec_index < flow_attr->num_of_specs; spec_index++) {
+               err = parse_flow_attr(dev->mdev, spec,
+@@ -3564,6 +3560,11 @@ static struct mlx5_ib_flow_handler *_create_flow_rule(struct mlx5_ib_dev *dev,
+               ib_flow += ((union ib_flow_spec *)ib_flow)->size;
+       }
++      if (dst && !(flow_act.action & MLX5_FLOW_CONTEXT_ACTION_DROP)) {
++              memcpy(&dest_arr[0], dst, sizeof(*dst));
++              dest_num++;
++      }
++
+       if (!flow_is_multicast_only(flow_attr))
+               set_underlay_qp(dev, spec, underlay_qpn);
+@@ -3604,10 +3605,8 @@ static struct mlx5_ib_flow_handler *_create_flow_rule(struct mlx5_ib_dev *dev,
+       }
+       if (flow_act.action & MLX5_FLOW_CONTEXT_ACTION_DROP) {
+-              if (!(flow_act.action & MLX5_FLOW_CONTEXT_ACTION_COUNT)) {
++              if (!dest_num)
+                       rule_dst = NULL;
+-                      dest_num = 0;
+-              }
+       } else {
+               if (is_egress)
+                       flow_act.action |= MLX5_FLOW_CONTEXT_ACTION_ALLOW;
+-- 
+2.20.1
+
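Review bot: The relocated `if (dst && !(flow_act.action & MLX5_FLOW_CONTEXT_ACTION_DROP))` block in _create_flow_rule only works because it now sits after the spec loop, which is presumably where `flow_act.action` gets its DROP bit (parse_flow_attr is outside the hunk). Nothing in the code says the placement matters, so a later cleanup could move the block back above the loop and put the QP destination on drop rules again. A comment would pin it, e.g. `/* flow_act.action is final only after the loop above; DROP rules must not get the QP destination */`. The function starts and ends outside the hunks.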
diff --git a/queue-5.4/iio-adc-max9611-fix-too-short-conversion-time-delay.patch b/queue-5.4/iio-adc-max9611-fix-too-short-conversion-time-delay.patch
new file mode 100644 (file)
index 0000000..56d1810
--- /dev/null
@@ -0,0 +1,93 @@
+From a917781c642d12c4c88bb8b15908dfdfca3ba6fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Dec 2019 09:55:46 +0100
+Subject: iio: adc: max9611: Fix too short conversion time delay
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 9fd229c478fbf77c41c8528aa757ef14210365f6 ]
+
+As of commit b9ddd5091160793e ("iio: adc: max9611: Fix temperature
+reading in probe"), max9611 initialization sometimes fails on the
+Salvator-X(S) development board with:
+
+    max9611 4-007f: Invalid value received from ADC 0x8000: aborting
+    max9611: probe of 4-007f failed with error -5
+
+The max9611 driver tests communications with the chip by reading the die
+temperature during the probe function, which returns an invalid value.
+
+According to the datasheet, the typical ADC conversion time is 2 ms, but
+no minimum or maximum values are provided.  Maxim Technical Support
+confirmed this was tested with temperature Ta=25 degreeC, and promised
+to inform me if a maximum/minimum value is available (they didn't get
+back to me, so I assume it is not).
+
+However, the driver assumes a 1 ms conversion time.  Usually the
+usleep_range() call returns after more than 1.8 ms, hence it succeeds.
+When it returns earlier, the data register may be read too early, and
+the previous measurement value will be returned.  After boot, this is
+the temperature POR (power-on reset) value, causing the failure above.
+
+Fix this by increasing the delay from 1000-2000 Âµs to 3000-3300 Âµs.
+
+Note that this issue has always been present, but it was exposed by the
+aformentioned commit.
+
+Fixes: 69780a3bbc0b1e7e ("iio: adc: Add Maxim max9611 ADC driver")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Jacopo Mondi <jacopo+renesas@jmondi.org>
+Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/max9611.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/iio/adc/max9611.c b/drivers/iio/adc/max9611.c
+index da073d72f649..e480529b3f04 100644
+--- a/drivers/iio/adc/max9611.c
++++ b/drivers/iio/adc/max9611.c
+@@ -89,6 +89,12 @@
+ #define MAX9611_TEMP_SCALE_NUM                1000000
+ #define MAX9611_TEMP_SCALE_DIV                2083
++/*
++ * Conversion time is 2 ms (typically) at Ta=25 degreeC
++ * No maximum value is known, so play it safe.
++ */
++#define MAX9611_CONV_TIME_US_RANGE    3000, 3300
++
+ struct max9611_dev {
+       struct device *dev;
+       struct i2c_client *i2c_client;
+@@ -236,11 +242,9 @@ static int max9611_read_single(struct max9611_dev *max9611,
+               return ret;
+       }
+-      /*
+-       * need a delay here to make register configuration
+-       * stabilize. 1 msec at least, from empirical testing.
+-       */
+-      usleep_range(1000, 2000);
++      /* need a delay here to make register configuration stabilize. */
++
++      usleep_range(MAX9611_CONV_TIME_US_RANGE);
+       ret = i2c_smbus_read_word_swapped(max9611->i2c_client, reg_addr);
+       if (ret < 0) {
+@@ -507,7 +511,7 @@ static int max9611_init(struct max9611_dev *max9611)
+                       MAX9611_REG_CTRL2, 0);
+               return ret;
+       }
+-      usleep_range(1000, 2000);
++      usleep_range(MAX9611_CONV_TIME_US_RANGE);
+       return 0;
+ }
+-- 
+2.20.1
+
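Review bot: `MAX9611_CONV_TIME_US_RANGE` expands to two comma-separated arguments, so both `usleep_range(MAX9611_CONV_TIME_US_RANGE)` call sites (in max9611_read_single() and max9611_init()) hide that the function takes a minimum and a maximum. Two named constants read more safely, e.g. `#define MAX9611_CONV_TIME_US_MIN 3000` and `#define MAX9611_CONV_TIME_US_MAX 3300`, used as `usleep_range(MAX9611_CONV_TIME_US_MIN, MAX9611_CONV_TIME_US_MAX);`. The retained comment in max9611_read_single() still says the delay lets register configuration stabilize, while the commit message attributes it to ADC conversion time; `/* wait for the ADC conversion to finish before reading the data register */` would match. Both function bodies extend outside the hunks shown.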
diff --git a/queue-5.4/iio-st_accel-fix-unused-variable-warning.patch b/queue-5.4/iio-st_accel-fix-unused-variable-warning.patch
new file mode 100644 (file)
index 0000000..4c2a58d
--- /dev/null
@@ -0,0 +1,61 @@
+From 432ef297b2112e54d9689535355d287d2a3390af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Nov 2019 11:21:15 +0800
+Subject: iio: st_accel: Fix unused variable warning
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 0163c1c521ff8b09cd8ca395003cc00178161d77 ]
+
+drivers/iio/accel/st_accel_core.c:1005:44: warning:
+ mount_matrix_ext_info defined but not used [-Wunused-const-variable=]
+
+Using stub helper while CONFIG_ACPI is disabled to fix it.
+
+Suggested-by: Ladislav Michl <ladis@linux-mips.org>
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/accel/st_accel_core.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iio/accel/st_accel_core.c b/drivers/iio/accel/st_accel_core.c
+index 2e37f8a6d8cf..be661396095c 100644
+--- a/drivers/iio/accel/st_accel_core.c
++++ b/drivers/iio/accel/st_accel_core.c
+@@ -993,6 +993,7 @@ static const struct iio_trigger_ops st_accel_trigger_ops = {
+ #define ST_ACCEL_TRIGGER_OPS NULL
+ #endif
++#ifdef CONFIG_ACPI
+ static const struct iio_mount_matrix *
+ get_mount_matrix(const struct iio_dev *indio_dev,
+                const struct iio_chan_spec *chan)
+@@ -1013,7 +1014,6 @@ static const struct iio_chan_spec_ext_info mount_matrix_ext_info[] = {
+ static int apply_acpi_orientation(struct iio_dev *indio_dev,
+                                 struct iio_chan_spec *channels)
+ {
+-#ifdef CONFIG_ACPI
+       struct st_sensor_data *adata = iio_priv(indio_dev);
+       struct acpi_buffer buffer = {ACPI_ALLOCATE_BUFFER, NULL};
+       struct acpi_device *adev;
+@@ -1141,10 +1141,14 @@ static int apply_acpi_orientation(struct iio_dev *indio_dev,
+ out:
+       kfree(buffer.pointer);
+       return ret;
++}
+ #else /* !CONFIG_ACPI */
++static int apply_acpi_orientation(struct iio_dev *indio_dev,
++                                struct iio_chan_spec *channels)
++{
+       return 0;
+-#endif
+ }
++#endif
+ /*
+  * st_accel_get_settings() - get sensor settings from device name
+-- 
+2.20.1
+
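Review bot: The `#endif` added after the stub has no trailing comment, although the `#else /* !CONFIG_ACPI */` a few lines above has one and the guarded region now opens at get_mount_matrix(), far from where it closes; `#endif /* CONFIG_ACPI */` would keep the pairing readable. The stub apply_acpi_orientation() returns 0 without touching `channels`, and a one-line comment stating that reporting success here is intended would help readers of the non-ACPI build. The ACPI variant's body lies mostly outside these hunks.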
diff --git a/queue-5.4/inetpeer-fix-data-race-in-inet_putpeer-inet_putpeer.patch b/queue-5.4/inetpeer-fix-data-race-in-inet_putpeer-inet_putpeer.patch
new file mode 100644 (file)
index 0000000..3855cd3
--- /dev/null
@@ -0,0 +1,97 @@
+From 1f07ee43f7bcaadce17dcb240d1f2520bcc00deb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Nov 2019 10:30:42 -0800
+Subject: inetpeer: fix data-race in inet_putpeer / inet_putpeer
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 71685eb4ce80ae9c49eff82ca4dd15acab215de9 ]
+
+We need to explicitely forbid read/store tearing in inet_peer_gc()
+and inet_putpeer().
+
+The following syzbot report reminds us about inet_putpeer()
+running without a lock held.
+
+BUG: KCSAN: data-race in inet_putpeer / inet_putpeer
+
+write to 0xffff888121fb2ed0 of 4 bytes by interrupt on cpu 0:
+ inet_putpeer+0x37/0xa0 net/ipv4/inetpeer.c:240
+ ip4_frag_free+0x3d/0x50 net/ipv4/ip_fragment.c:102
+ inet_frag_destroy_rcu+0x58/0x80 net/ipv4/inet_fragment.c:228
+ __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
+ rcu_do_batch+0x256/0x5b0 kernel/rcu/tree.c:2157
+ rcu_core+0x369/0x4d0 kernel/rcu/tree.c:2377
+ rcu_core_si+0x12/0x20 kernel/rcu/tree.c:2386
+ __do_softirq+0x115/0x33f kernel/softirq.c:292
+ invoke_softirq kernel/softirq.c:373 [inline]
+ irq_exit+0xbb/0xe0 kernel/softirq.c:413
+ exiting_irq arch/x86/include/asm/apic.h:536 [inline]
+ smp_apic_timer_interrupt+0xe6/0x280 arch/x86/kernel/apic/apic.c:1137
+ apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
+ native_safe_halt+0xe/0x10 arch/x86/kernel/paravirt.c:71
+ arch_cpu_idle+0x1f/0x30 arch/x86/kernel/process.c:571
+ default_idle_call+0x1e/0x40 kernel/sched/idle.c:94
+ cpuidle_idle_call kernel/sched/idle.c:154 [inline]
+ do_idle+0x1af/0x280 kernel/sched/idle.c:263
+
+write to 0xffff888121fb2ed0 of 4 bytes by interrupt on cpu 1:
+ inet_putpeer+0x37/0xa0 net/ipv4/inetpeer.c:240
+ ip4_frag_free+0x3d/0x50 net/ipv4/ip_fragment.c:102
+ inet_frag_destroy_rcu+0x58/0x80 net/ipv4/inet_fragment.c:228
+ __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
+ rcu_do_batch+0x256/0x5b0 kernel/rcu/tree.c:2157
+ rcu_core+0x369/0x4d0 kernel/rcu/tree.c:2377
+ rcu_core_si+0x12/0x20 kernel/rcu/tree.c:2386
+ __do_softirq+0x115/0x33f kernel/softirq.c:292
+ run_ksoftirqd+0x46/0x60 kernel/softirq.c:603
+ smpboot_thread_fn+0x37d/0x4a0 kernel/smpboot.c:165
+ kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.4.0-rc3+ #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 4b9d9be839fd ("inetpeer: remove unused list")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/inetpeer.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c
+index be778599bfed..ff327a62c9ce 100644
+--- a/net/ipv4/inetpeer.c
++++ b/net/ipv4/inetpeer.c
+@@ -160,7 +160,12 @@ static void inet_peer_gc(struct inet_peer_base *base,
+                                       base->total / inet_peer_threshold * HZ;
+       for (i = 0; i < gc_cnt; i++) {
+               p = gc_stack[i];
+-              delta = (__u32)jiffies - p->dtime;
++
++              /* The READ_ONCE() pairs with the WRITE_ONCE()
++               * in inet_putpeer()
++               */
++              delta = (__u32)jiffies - READ_ONCE(p->dtime);
++
+               if (delta < ttl || !refcount_dec_if_one(&p->refcnt))
+                       gc_stack[i] = NULL;
+       }
+@@ -237,7 +242,10 @@ EXPORT_SYMBOL_GPL(inet_getpeer);
+ void inet_putpeer(struct inet_peer *p)
+ {
+-      p->dtime = (__u32)jiffies;
++      /* The WRITE_ONCE() pairs with itself (we run lockless)
++       * and the READ_ONCE() in inet_peer_gc()
++       */
++      WRITE_ONCE(p->dtime, (__u32)jiffies);
+       if (refcount_dec_and_test(&p->refcnt))
+               call_rcu(&p->rcu, inetpeer_free_rcu);
+-- 
+2.20.1
+
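Review bot: The new comment in inet_putpeer() says the WRITE_ONCE() pairs with itself but not why a lost update between two lockless writers is acceptable; the annotations stop tearing, they do not order the writers. A sentence such as `/* Concurrent callers may overwrite each other's dtime; any recent jiffies value is good enough for GC ageing. */` would record that assumption, which I infer from how inet_peer_gc() uses the field for `delta`. In inet_peer_gc(), if `delta` is unsigned as the `(__u32)` cast suggests, a dtime stored after `jiffies` was sampled makes the subtraction wrap, so the entry looks expired and only `refcount_dec_if_one()` stands between it and removal; that is worth a word in the comment too. Both function bodies continue outside the hunks.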
diff --git a/queue-5.4/io_uring-io_allocate_scq_urings-should-return-a-sane.patch b/queue-5.4/io_uring-io_allocate_scq_urings-should-return-a-sane.patch
new file mode 100644 (file)
index 0000000..9cdf3c3
--- /dev/null
@@ -0,0 +1,51 @@
+From 3d13ba62594638924f247bf1fa1aa40c82b0fb44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Nov 2019 09:26:29 -0700
+Subject: io_uring: io_allocate_scq_urings() should return a sane state
+
+From: Jens Axboe <axboe@kernel.dk>
+
+[ Upstream commit eb065d301e8c83643367bdb0898becc364046bda ]
+
+We currently rely on the ring destroy on cleaning things up in case of
+failure, but io_allocate_scq_urings() can leave things half initialized
+if only parts of it fails.
+
+Be nice and return with either everything setup in success, or return an
+error with things nicely cleaned up.
+
+Reported-by: syzbot+0d818c0d39399188f393@syzkaller.appspotmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/io_uring.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/fs/io_uring.c b/fs/io_uring.c
+index a340147387ec..74e786578c77 100644
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -3773,12 +3773,18 @@ static int io_allocate_scq_urings(struct io_ring_ctx *ctx,
+       ctx->cq_entries = rings->cq_ring_entries;
+       size = array_size(sizeof(struct io_uring_sqe), p->sq_entries);
+-      if (size == SIZE_MAX)
++      if (size == SIZE_MAX) {
++              io_mem_free(ctx->rings);
++              ctx->rings = NULL;
+               return -EOVERFLOW;
++      }
+       ctx->sq_sqes = io_mem_alloc(size);
+-      if (!ctx->sq_sqes)
++      if (!ctx->sq_sqes) {
++              io_mem_free(ctx->rings);
++              ctx->rings = NULL;
+               return -ENOMEM;
++      }
+       return 0;
+ }
+-- 
+2.20.1
+
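Review bot: The two error branches in io_allocate_scq_urings() now carry identical cleanup (`io_mem_free(ctx->rings); ctx->rings = NULL;`), which is easy to get out of step when another allocation is added; a single exit label keeps the free and the NULL reset in one place. The sketch below assumes a local `int ret`, which the hunk does not show because the function starts above it. Separately, `ctx->cq_entries` (assigned in the context line above) and any field set earlier that points into the rings allocation stay populated after the free, so it is worth confirming that the ring-destroy path keys off `ctx->rings` alone.

```c
	size = array_size(sizeof(struct io_uring_sqe), p->sq_entries);
	if (size == SIZE_MAX) {
		ret = -EOVERFLOW;
		goto err_free_rings;
	}

	ctx->sq_sqes = io_mem_alloc(size);
	if (!ctx->sq_sqes) {
		ret = -ENOMEM;
		goto err_free_rings;
	}
	return 0;

err_free_rings:
	/* leave no freed pointer behind for the ring-destroy path */
	io_mem_free(ctx->rings);
	ctx->rings = NULL;
	return ret;
```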
diff --git a/queue-5.4/md-raid1-check-rdev-before-reference-in-raid1_sync_r.patch b/queue-5.4/md-raid1-check-rdev-before-reference-in-raid1_sync_r.patch
new file mode 100644 (file)
index 0000000..14022ac
--- /dev/null
@@ -0,0 +1,34 @@
+From 9b985a08c93dc91440ad5304e66771d0fcd34500 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2019 10:42:25 +0800
+Subject: md: raid1: check rdev before reference in raid1_sync_request func
+
+From: Zhiqiang Liu <liuzhiqiang26@huawei.com>
+
+[ Upstream commit 028288df635f5a9addd48ac4677b720192747944 ]
+
+In raid1_sync_request func, rdev should be checked before reference.
+
+Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/raid1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
+index bb29aeefcbd0..c7137f50bd1d 100644
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -2781,7 +2781,7 @@ static sector_t raid1_sync_request(struct mddev *mddev, sector_t sector_nr,
+                               write_targets++;
+                       }
+               }
+-              if (bio->bi_end_io) {
++              if (rdev && bio->bi_end_io) {
+                       atomic_inc(&rdev->nr_pending);
+                       bio->bi_iter.bi_sector = sector_nr + rdev->data_offset;
+                       bio_set_dev(bio, rdev->bdev);
+-- 
+2.20.1
+
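Review bot: The added `rdev &&` test in raid1_sync_request() silently skips the bio when `rdev` is NULL, but the hunk does not show whether `bio->bi_end_io` can be set in that case; the logic that assigns it is in the loop above the hunk. If it cannot, the check is purely defensive and a comment such as `/* rdev is NULL only when bi_end_io was left unset above */` would say so. If it can, the bio keeps a completion handler with no device attached, and clearing `bi_end_io` in an else branch would be safer than leaving it. The commit message gives no failing case, so stating which situation applies would help backport reviewers.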
diff --git a/queue-5.4/mm-drop-mmap_sem-before-calling-balance_dirty_pages-.patch b/queue-5.4/mm-drop-mmap_sem-before-calling-balance_dirty_pages-.patch
new file mode 100644 (file)
index 0000000..5d8d468
--- /dev/null
@@ -0,0 +1,216 @@
+From 4c99dcab0fb9bef57dfba73ebf4dfc54941af6f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 Nov 2019 17:50:22 -0800
+Subject: mm: drop mmap_sem before calling balance_dirty_pages() in write fault
+
+From: Johannes Weiner <hannes@cmpxchg.org>
+
+[ Upstream commit 89b15332af7c0312a41e50846819ca6613b58b4c ]
+
+One of our services is observing hanging ps/top/etc under heavy write
+IO, and the task states show this is an mmap_sem priority inversion:
+
+A write fault is holding the mmap_sem in read-mode and waiting for
+(heavily cgroup-limited) IO in balance_dirty_pages():
+
+    balance_dirty_pages+0x724/0x905
+    balance_dirty_pages_ratelimited+0x254/0x390
+    fault_dirty_shared_page.isra.96+0x4a/0x90
+    do_wp_page+0x33e/0x400
+    __handle_mm_fault+0x6f0/0xfa0
+    handle_mm_fault+0xe4/0x200
+    __do_page_fault+0x22b/0x4a0
+    page_fault+0x45/0x50
+
+Somebody tries to change the address space, contending for the mmap_sem in
+write-mode:
+
+    call_rwsem_down_write_failed_killable+0x13/0x20
+    do_mprotect_pkey+0xa8/0x330
+    SyS_mprotect+0xf/0x20
+    do_syscall_64+0x5b/0x100
+    entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+The waiting writer locks out all subsequent readers to avoid lock
+starvation, and several threads can be seen hanging like this:
+
+    call_rwsem_down_read_failed+0x14/0x30
+    proc_pid_cmdline_read+0xa0/0x480
+    __vfs_read+0x23/0x140
+    vfs_read+0x87/0x130
+    SyS_read+0x42/0x90
+    do_syscall_64+0x5b/0x100
+    entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+To fix this, do what we do for cache read faults already: drop the
+mmap_sem before calling into anything IO bound, in this case the
+balance_dirty_pages() function, and return VM_FAULT_RETRY.
+
+Link: http://lkml.kernel.org/r/20190924194238.GA29030@cmpxchg.org
+Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
+Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Josef Bacik <josef@toxicpanda.com>
+Cc: Hillf Danton <hdanton@sina.com>
+Cc: Hugh Dickins <hughd@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/filemap.c  | 21 ---------------------
+ mm/internal.h | 21 +++++++++++++++++++++
+ mm/memory.c   | 38 +++++++++++++++++++++++++++-----------
+ 3 files changed, 48 insertions(+), 32 deletions(-)
+
+diff --git a/mm/filemap.c b/mm/filemap.c
+index 85b7d087eb45..1f5731768222 100644
+--- a/mm/filemap.c
++++ b/mm/filemap.c
+@@ -2329,27 +2329,6 @@ EXPORT_SYMBOL(generic_file_read_iter);
+ #ifdef CONFIG_MMU
+ #define MMAP_LOTSAMISS  (100)
+-static struct file *maybe_unlock_mmap_for_io(struct vm_fault *vmf,
+-                                           struct file *fpin)
+-{
+-      int flags = vmf->flags;
+-
+-      if (fpin)
+-              return fpin;
+-
+-      /*
+-       * FAULT_FLAG_RETRY_NOWAIT means we don't want to wait on page locks or
+-       * anything, so we only pin the file and drop the mmap_sem if only
+-       * FAULT_FLAG_ALLOW_RETRY is set.
+-       */
+-      if ((flags & (FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_RETRY_NOWAIT)) ==
+-          FAULT_FLAG_ALLOW_RETRY) {
+-              fpin = get_file(vmf->vma->vm_file);
+-              up_read(&vmf->vma->vm_mm->mmap_sem);
+-      }
+-      return fpin;
+-}
+-
+ /*
+  * lock_page_maybe_drop_mmap - lock the page, possibly dropping the mmap_sem
+  * @vmf - the vm_fault for this fault.
+diff --git a/mm/internal.h b/mm/internal.h
+index 0d5f720c75ab..7dd7fbb577a9 100644
+--- a/mm/internal.h
++++ b/mm/internal.h
+@@ -362,6 +362,27 @@ vma_address(struct page *page, struct vm_area_struct *vma)
+       return max(start, vma->vm_start);
+ }
++static inline struct file *maybe_unlock_mmap_for_io(struct vm_fault *vmf,
++                                                  struct file *fpin)
++{
++      int flags = vmf->flags;
++
++      if (fpin)
++              return fpin;
++
++      /*
++       * FAULT_FLAG_RETRY_NOWAIT means we don't want to wait on page locks or
++       * anything, so we only pin the file and drop the mmap_sem if only
++       * FAULT_FLAG_ALLOW_RETRY is set.
++       */
++      if ((flags & (FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_RETRY_NOWAIT)) ==
++          FAULT_FLAG_ALLOW_RETRY) {
++              fpin = get_file(vmf->vma->vm_file);
++              up_read(&vmf->vma->vm_mm->mmap_sem);
++      }
++      return fpin;
++}
++
+ #else /* !CONFIG_MMU */
+ static inline void clear_page_mlock(struct page *page) { }
+ static inline void mlock_vma_page(struct page *page) { }
+diff --git a/mm/memory.c b/mm/memory.c
+index b1ca51a079f2..cb7c940cf800 100644
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -2227,10 +2227,11 @@ static vm_fault_t do_page_mkwrite(struct vm_fault *vmf)
+  *
+  * The function expects the page to be locked and unlocks it.
+  */
+-static void fault_dirty_shared_page(struct vm_area_struct *vma,
+-                                  struct page *page)
++static vm_fault_t fault_dirty_shared_page(struct vm_fault *vmf)
+ {
++      struct vm_area_struct *vma = vmf->vma;
+       struct address_space *mapping;
++      struct page *page = vmf->page;
+       bool dirtied;
+       bool page_mkwrite = vma->vm_ops && vma->vm_ops->page_mkwrite;
+@@ -2245,16 +2246,30 @@ static void fault_dirty_shared_page(struct vm_area_struct *vma,
+       mapping = page_rmapping(page);
+       unlock_page(page);
++      if (!page_mkwrite)
++              file_update_time(vma->vm_file);
++
++      /*
++       * Throttle page dirtying rate down to writeback speed.
++       *
++       * mapping may be NULL here because some device drivers do not
++       * set page.mapping but still dirty their pages
++       *
++       * Drop the mmap_sem before waiting on IO, if we can. The file
++       * is pinning the mapping, as per above.
++       */
+       if ((dirtied || page_mkwrite) && mapping) {
+-              /*
+-               * Some device drivers do not set page.mapping
+-               * but still dirty their pages
+-               */
++              struct file *fpin;
++
++              fpin = maybe_unlock_mmap_for_io(vmf, NULL);
+               balance_dirty_pages_ratelimited(mapping);
++              if (fpin) {
++                      fput(fpin);
++                      return VM_FAULT_RETRY;
++              }
+       }
+-      if (!page_mkwrite)
+-              file_update_time(vma->vm_file);
++      return 0;
+ }
+ /*
+@@ -2497,6 +2512,7 @@ static vm_fault_t wp_page_shared(struct vm_fault *vmf)
+       __releases(vmf->ptl)
+ {
+       struct vm_area_struct *vma = vmf->vma;
++      vm_fault_t ret = VM_FAULT_WRITE;
+       get_page(vmf->page);
+@@ -2520,10 +2536,10 @@ static vm_fault_t wp_page_shared(struct vm_fault *vmf)
+               wp_page_reuse(vmf);
+               lock_page(vmf->page);
+       }
+-      fault_dirty_shared_page(vma, vmf->page);
++      ret |= fault_dirty_shared_page(vmf);
+       put_page(vmf->page);
+-      return VM_FAULT_WRITE;
++      return ret;
+ }
+ /*
+@@ -3567,7 +3583,7 @@ static vm_fault_t do_shared_fault(struct vm_fault *vmf)
+               return ret;
+       }
+-      fault_dirty_shared_page(vma, vmf->page);
++      ret |= fault_dirty_shared_page(vmf);
+       return ret;
+ }
+-- 
+2.20.1
+
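Review bot: The header comment above fault_dirty_shared_page() in mm/memory.c still only says the function expects the page locked and unlocks it; it does not mention the new `vm_fault_t` return or that mmap_sem may already have been released when `VM_FAULT_RETRY` comes back. Both callers in this patch, wp_page_shared() and do_shared_fault(), only OR the result into `ret`, but a later caller that touches `vma` after the call would be using it without the lock. I would extend the comment with `Returns VM_FAULT_RETRY if mmap_sem was dropped to throttle on writeback; the caller must not access the vma after that.` Likewise maybe_unlock_mmap_for_io(), now shared through mm/internal.h, has no comment saying that a non-NULL return is a file reference the caller must `fput()`.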
diff --git a/queue-5.4/net-add-a-read_once-in-skb_peek_tail.patch b/queue-5.4/net-add-a-read_once-in-skb_peek_tail.patch
new file mode 100644 (file)
index 0000000..ccecad1
--- /dev/null
@@ -0,0 +1,94 @@
+From 1c5962db0d352d89fe81b97e97f78ef1a49a95eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Nov 2019 18:49:43 -0800
+Subject: net: add a READ_ONCE() in skb_peek_tail()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit f8cc62ca3e660ae3fdaee533b1d554297cd2ae82 ]
+
+skb_peek_tail() can be used without protection of a lock,
+as spotted by KCSAN [1]
+
+In order to avoid load-stearing, add a READ_ONCE()
+
+Note that the corresponding WRITE_ONCE() are already there.
+
+[1]
+BUG: KCSAN: data-race in sk_wait_data / skb_queue_tail
+
+read to 0xffff8880b36a4118 of 8 bytes by task 20426 on cpu 1:
+ skb_peek_tail include/linux/skbuff.h:1784 [inline]
+ sk_wait_data+0x15b/0x250 net/core/sock.c:2477
+ kcm_wait_data+0x112/0x1f0 net/kcm/kcmsock.c:1103
+ kcm_recvmsg+0xac/0x320 net/kcm/kcmsock.c:1130
+ sock_recvmsg_nosec net/socket.c:871 [inline]
+ sock_recvmsg net/socket.c:889 [inline]
+ sock_recvmsg+0x92/0xb0 net/socket.c:885
+ ___sys_recvmsg+0x1a0/0x3e0 net/socket.c:2480
+ do_recvmmsg+0x19a/0x5c0 net/socket.c:2601
+ __sys_recvmmsg+0x1ef/0x200 net/socket.c:2680
+ __do_sys_recvmmsg net/socket.c:2703 [inline]
+ __se_sys_recvmmsg net/socket.c:2696 [inline]
+ __x64_sys_recvmmsg+0x89/0xb0 net/socket.c:2696
+ do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+write to 0xffff8880b36a4118 of 8 bytes by task 451 on cpu 0:
+ __skb_insert include/linux/skbuff.h:1852 [inline]
+ __skb_queue_before include/linux/skbuff.h:1958 [inline]
+ __skb_queue_tail include/linux/skbuff.h:1991 [inline]
+ skb_queue_tail+0x7e/0xc0 net/core/skbuff.c:3145
+ kcm_queue_rcv_skb+0x202/0x310 net/kcm/kcmsock.c:206
+ kcm_rcv_strparser+0x74/0x4b0 net/kcm/kcmsock.c:370
+ __strp_recv+0x348/0xf50 net/strparser/strparser.c:309
+ strp_recv+0x84/0xa0 net/strparser/strparser.c:343
+ tcp_read_sock+0x174/0x5c0 net/ipv4/tcp.c:1639
+ strp_read_sock+0xd4/0x140 net/strparser/strparser.c:366
+ do_strp_work net/strparser/strparser.c:414 [inline]
+ strp_work+0x9a/0xe0 net/strparser/strparser.c:423
+ process_one_work+0x3d4/0x890 kernel/workqueue.c:2269
+ worker_thread+0xa0/0x800 kernel/workqueue.c:2415
+ kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 451 Comm: kworker/u4:3 Not tainted 5.4.0-rc3+ #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: kstrp strp_work
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/skbuff.h | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
+index 1ba6e2cc2725..6ae88b0c1c31 100644
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -1795,7 +1795,7 @@ static inline struct sk_buff *skb_peek_next(struct sk_buff *skb,
+  */
+ static inline struct sk_buff *skb_peek_tail(const struct sk_buff_head *list_)
+ {
+-      struct sk_buff *skb = list_->prev;
++      struct sk_buff *skb = READ_ONCE(list_->prev);
+       if (skb == (struct sk_buff *)list_)
+               skb = NULL;
+@@ -1861,7 +1861,9 @@ static inline void __skb_insert(struct sk_buff *newsk,
+                               struct sk_buff *prev, struct sk_buff *next,
+                               struct sk_buff_head *list)
+ {
+-      /* see skb_queue_empty_lockless() for the opposite READ_ONCE() */
++      /* See skb_queue_empty_lockless() and skb_peek_tail()
++       * for the opposite READ_ONCE()
++       */
+       WRITE_ONCE(newsk->next, next);
+       WRITE_ONCE(newsk->prev, prev);
+       WRITE_ONCE(next->prev, newsk);
+-- 
+2.20.1
+
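Review bot: READ_ONCE() in skb_peek_tail() makes the load of `list_->prev` untorn, but the returned skb is still unprotected when the caller holds no lock, and nothing in the hunk tells callers that. The kerneldoc for the function ends just above the hunk; I would add a sentence there such as `Without the queue lock the result may only be compared against another pointer, not dereferenced.` The KCSAN trace in the commit message names sk_wait_data() as the lockless caller, which is presumably a comparison-only use, but the hunk does not show it.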
diff --git a/queue-5.4/net-icmp-fix-data-race-in-cmp_global_allow.patch b/queue-5.4/net-icmp-fix-data-race-in-cmp_global_allow.patch
new file mode 100644 (file)
index 0000000..d693ba2
--- /dev/null
@@ -0,0 +1,120 @@
+From 15f9df4df4c421d435834131ea300a82bc5212b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Nov 2019 10:34:47 -0800
+Subject: net: icmp: fix data-race in cmp_global_allow()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit bbab7ef235031f6733b5429ae7877bfa22339712 ]
+
+This code reads two global variables without protection
+of a lock. We need READ_ONCE()/WRITE_ONCE() pairs to
+avoid load/store-tearing and better document the intent.
+
+KCSAN reported :
+BUG: KCSAN: data-race in icmp_global_allow / icmp_global_allow
+
+read to 0xffffffff861a8014 of 4 bytes by task 11201 on cpu 0:
+ icmp_global_allow+0x36/0x1b0 net/ipv4/icmp.c:254
+ icmpv6_global_allow net/ipv6/icmp.c:184 [inline]
+ icmpv6_global_allow net/ipv6/icmp.c:179 [inline]
+ icmp6_send+0x493/0x1140 net/ipv6/icmp.c:514
+ icmpv6_send+0x71/0xb0 net/ipv6/ip6_icmp.c:43
+ ip6_link_failure+0x43/0x180 net/ipv6/route.c:2640
+ dst_link_failure include/net/dst.h:419 [inline]
+ vti_xmit net/ipv4/ip_vti.c:243 [inline]
+ vti_tunnel_xmit+0x27f/0xa50 net/ipv4/ip_vti.c:279
+ __netdev_start_xmit include/linux/netdevice.h:4420 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4434 [inline]
+ xmit_one net/core/dev.c:3280 [inline]
+ dev_hard_start_xmit+0xef/0x430 net/core/dev.c:3296
+ __dev_queue_xmit+0x14c9/0x1b60 net/core/dev.c:3873
+ dev_queue_xmit+0x21/0x30 net/core/dev.c:3906
+ neigh_direct_output+0x1f/0x30 net/core/neighbour.c:1530
+ neigh_output include/net/neighbour.h:511 [inline]
+ ip6_finish_output2+0x7a6/0xec0 net/ipv6/ip6_output.c:116
+ __ip6_finish_output net/ipv6/ip6_output.c:142 [inline]
+ __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127
+ ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152
+ NF_HOOK_COND include/linux/netfilter.h:294 [inline]
+ ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175
+ dst_output include/net/dst.h:436 [inline]
+ ip6_local_out+0x74/0x90 net/ipv6/output_core.c:179
+
+write to 0xffffffff861a8014 of 4 bytes by task 11183 on cpu 1:
+ icmp_global_allow+0x174/0x1b0 net/ipv4/icmp.c:272
+ icmpv6_global_allow net/ipv6/icmp.c:184 [inline]
+ icmpv6_global_allow net/ipv6/icmp.c:179 [inline]
+ icmp6_send+0x493/0x1140 net/ipv6/icmp.c:514
+ icmpv6_send+0x71/0xb0 net/ipv6/ip6_icmp.c:43
+ ip6_link_failure+0x43/0x180 net/ipv6/route.c:2640
+ dst_link_failure include/net/dst.h:419 [inline]
+ vti_xmit net/ipv4/ip_vti.c:243 [inline]
+ vti_tunnel_xmit+0x27f/0xa50 net/ipv4/ip_vti.c:279
+ __netdev_start_xmit include/linux/netdevice.h:4420 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4434 [inline]
+ xmit_one net/core/dev.c:3280 [inline]
+ dev_hard_start_xmit+0xef/0x430 net/core/dev.c:3296
+ __dev_queue_xmit+0x14c9/0x1b60 net/core/dev.c:3873
+ dev_queue_xmit+0x21/0x30 net/core/dev.c:3906
+ neigh_direct_output+0x1f/0x30 net/core/neighbour.c:1530
+ neigh_output include/net/neighbour.h:511 [inline]
+ ip6_finish_output2+0x7a6/0xec0 net/ipv6/ip6_output.c:116
+ __ip6_finish_output net/ipv6/ip6_output.c:142 [inline]
+ __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127
+ ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152
+ NF_HOOK_COND include/linux/netfilter.h:294 [inline]
+ ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 11183 Comm: syz-executor.2 Not tainted 5.4.0-rc3+ #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 4cdf507d5452 ("icmp: add a global rate limitation")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/icmp.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+index 4298aae74e0e..ac95ba78b903 100644
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -249,10 +249,11 @@ bool icmp_global_allow(void)
+       bool rc = false;
+       /* Check if token bucket is empty and cannot be refilled
+-       * without taking the spinlock.
++       * without taking the spinlock. The READ_ONCE() are paired
++       * with the following WRITE_ONCE() in this same function.
+        */
+-      if (!icmp_global.credit) {
+-              delta = min_t(u32, now - icmp_global.stamp, HZ);
++      if (!READ_ONCE(icmp_global.credit)) {
++              delta = min_t(u32, now - READ_ONCE(icmp_global.stamp), HZ);
+               if (delta < HZ / 50)
+                       return false;
+       }
+@@ -262,14 +263,14 @@ bool icmp_global_allow(void)
+       if (delta >= HZ / 50) {
+               incr = sysctl_icmp_msgs_per_sec * delta / HZ ;
+               if (incr)
+-                      icmp_global.stamp = now;
++                      WRITE_ONCE(icmp_global.stamp, now);
+       }
+       credit = min_t(u32, icmp_global.credit + incr, sysctl_icmp_msgs_burst);
+       if (credit) {
+               credit--;
+               rc = true;
+       }
+-      icmp_global.credit = credit;
++      WRITE_ONCE(icmp_global.credit, credit);
+       spin_unlock(&icmp_global.lock);
+       return rc;
+ }
+-- 
+2.20.1
+
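Review bot: `sysctl_icmp_msgs_per_sec` and `sysctl_icmp_msgs_burst` are still read with plain loads in icmp_global_allow() (in `incr = sysctl_icmp_msgs_per_sec * delta / HZ` and in the `min_t()` that computes `credit`), and the hunks give no sign that sysctl writers take `icmp_global.lock`. If they do not, these are the same kind of lockless access the commit annotates; `incr = READ_ONCE(sysctl_icmp_msgs_per_sec) * delta / HZ;` and `min_t(u32, icmp_global.credit + incr, READ_ONCE(sysctl_icmp_msgs_burst))` would cover them. The function starts above the first hunk.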
diff --git a/queue-5.4/net-make-socket-read-write_iter-honor-iocb_nowait.patch b/queue-5.4/net-make-socket-read-write_iter-honor-iocb_nowait.patch
new file mode 100644 (file)
index 0000000..bbe7b8b
--- /dev/null
@@ -0,0 +1,47 @@
+From 19320c0773dbd8aef83d32a40d02a2a2b92859fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2019 20:58:56 -0700
+Subject: net: make socket read/write_iter() honor IOCB_NOWAIT
+
+From: Jens Axboe <axboe@kernel.dk>
+
+[ Upstream commit ebfcd8955c0b52eb793bcbc9e71140e3d0cdb228 ]
+
+The socket read/write helpers only look at the file O_NONBLOCK. not
+the iocb IOCB_NOWAIT flag. This breaks users like preadv2/pwritev2
+and io_uring that rely on not having the file itself marked nonblocking,
+but rather the iocb itself.
+
+Cc: netdev@vger.kernel.org
+Acked-by: David Miller <davem@davemloft.net>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/socket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/socket.c b/net/socket.c
+index d7a106028f0e..ca8de9e1582d 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -955,7 +955,7 @@ static ssize_t sock_read_iter(struct kiocb *iocb, struct iov_iter *to)
+                            .msg_iocb = iocb};
+       ssize_t res;
+-      if (file->f_flags & O_NONBLOCK)
++      if (file->f_flags & O_NONBLOCK || (iocb->ki_flags & IOCB_NOWAIT))
+               msg.msg_flags = MSG_DONTWAIT;
+       if (iocb->ki_pos != 0)
+@@ -980,7 +980,7 @@ static ssize_t sock_write_iter(struct kiocb *iocb, struct iov_iter *from)
+       if (iocb->ki_pos != 0)
+               return -ESPIPE;
+-      if (file->f_flags & O_NONBLOCK)
++      if (file->f_flags & O_NONBLOCK || (iocb->ki_flags & IOCB_NOWAIT))
+               msg.msg_flags = MSG_DONTWAIT;
+       if (sock->type == SOCK_SEQPACKET)
+-- 
+2.20.1
+
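Review bot: The new condition in sock_read_iter() and sock_write_iter() parenthesizes only its second half, `file->f_flags & O_NONBLOCK || (iocb->ki_flags & IOCB_NOWAIT)`; it evaluates as intended because `&` binds tighter than `||`, but the asymmetry invites a misread. `if ((file->f_flags & O_NONBLOCK) || (iocb->ki_flags & IOCB_NOWAIT))` is clearer in both places. Both function bodies extend outside the hunks.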
diff --git a/queue-5.4/net-smc-add-fallback-check-to-connect.patch b/queue-5.4/net-smc-add-fallback-check-to-connect.patch
new file mode 100644 (file)
index 0000000..fe59b57
--- /dev/null
@@ -0,0 +1,99 @@
+From f1b1b7b8dfcadb131fd0205339a035923001ffea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Dec 2019 22:35:58 +0100
+Subject: net/smc: add fallback check to connect()
+
+From: Ursula Braun <ubraun@linux.ibm.com>
+
+[ Upstream commit 86434744fedf0cfe07a9eee3f4632c0e25c1d136 ]
+
+FASTOPEN setsockopt() or sendmsg() may switch the SMC socket to fallback
+mode. Once fallback mode is active, the native TCP socket functions are
+called. Nevertheless there is a small race window, when FASTOPEN
+setsockopt/sendmsg runs in parallel to a connect(), and switch the
+socket into fallback mode before connect() takes the sock lock.
+Make sure the SMC-specific connect setup is omitted in this case.
+
+This way a syzbot-reported refcount problem is fixed, triggered by
+different threads running non-blocking connect() and FASTOPEN_KEY
+setsockopt.
+
+Reported-by: syzbot+96d3f9ff6a86d37e44c8@syzkaller.appspotmail.com
+Fixes: 6d6dd528d5af ("net/smc: fix refcount non-blocking connect() -part 2")
+Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
+Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index 737b49909a7a..6a6d3b2aa5a9 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -854,6 +854,8 @@ static int smc_connect(struct socket *sock, struct sockaddr *addr,
+               goto out;
+       sock_hold(&smc->sk); /* sock put in passive closing */
++      if (smc->use_fallback)
++              goto out;
+       if (flags & O_NONBLOCK) {
+               if (schedule_work(&smc->connect_work))
+                       smc->connect_nonblock = 1;
+@@ -1716,8 +1718,6 @@ static int smc_setsockopt(struct socket *sock, int level, int optname,
+               sk->sk_err = smc->clcsock->sk->sk_err;
+               sk->sk_error_report(sk);
+       }
+-      if (rc)
+-              return rc;
+       if (optlen < sizeof(int))
+               return -EINVAL;
+@@ -1725,6 +1725,8 @@ static int smc_setsockopt(struct socket *sock, int level, int optname,
+               return -EFAULT;
+       lock_sock(sk);
++      if (rc || smc->use_fallback)
++              goto out;
+       switch (optname) {
+       case TCP_ULP:
+       case TCP_FASTOPEN:
+@@ -1736,15 +1738,14 @@ static int smc_setsockopt(struct socket *sock, int level, int optname,
+                       smc_switch_to_fallback(smc);
+                       smc->fallback_rsn = SMC_CLC_DECL_OPTUNSUPP;
+               } else {
+-                      if (!smc->use_fallback)
+-                              rc = -EINVAL;
++                      rc = -EINVAL;
+               }
+               break;
+       case TCP_NODELAY:
+               if (sk->sk_state != SMC_INIT &&
+                   sk->sk_state != SMC_LISTEN &&
+                   sk->sk_state != SMC_CLOSED) {
+-                      if (val && !smc->use_fallback)
++                      if (val)
+                               mod_delayed_work(system_wq, &smc->conn.tx_work,
+                                                0);
+               }
+@@ -1753,7 +1754,7 @@ static int smc_setsockopt(struct socket *sock, int level, int optname,
+               if (sk->sk_state != SMC_INIT &&
+                   sk->sk_state != SMC_LISTEN &&
+                   sk->sk_state != SMC_CLOSED) {
+-                      if (!val && !smc->use_fallback)
++                      if (!val)
+                               mod_delayed_work(system_wq, &smc->conn.tx_work,
+                                                0);
+               }
+@@ -1764,6 +1765,7 @@ static int smc_setsockopt(struct socket *sock, int level, int optname,
+       default:
+               break;
+       }
++out:
+       release_sock(sk);
+       return rc;
+-- 
+2.20.1
+
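Review bot: In smc_connect() the added `if (smc->use_fallback) goto out;` sits after `sock_hold(&smc->sk)`, so a socket that lost the race to fallback leaves with the extra reference already taken. The comment on the hold says the matching put happens in passive closing; whether a fallback socket ever reaches that path is not visible in this hunk, and if it does not, the reference is leaked. Testing `use_fallback` before the hold would avoid the question. Separately, in smc_setsockopt() moving the `rc` test below the `optlen` check and the -EFAULT return means a non-zero `rc` from the earlier call can now be reported as -EINVAL or -EFAULT instead. Both functions start and end outside the hunks.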
diff --git a/queue-5.4/netfilter-bridge-make-sure-to-pull-arp-header-in-br_.patch b/queue-5.4/netfilter-bridge-make-sure-to-pull-arp-header-in-br_.patch
new file mode 100644 (file)
index 0000000..f497406
--- /dev/null
@@ -0,0 +1,115 @@
+From 86285eb4d1b0620873b82ad4ecdaf5a7d4188d05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Dec 2019 14:43:39 -0800
+Subject: netfilter: bridge: make sure to pull arp header in
+ br_nf_forward_arp()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 5604285839aaedfb23ebe297799c6e558939334d ]
+
+syzbot is kind enough to remind us we need to call skb_may_pull()
+
+BUG: KMSAN: uninit-value in br_nf_forward_arp+0xe61/0x1230 net/bridge/br_netfilter_hooks.c:665
+CPU: 1 PID: 11631 Comm: syz-executor.1 Not tainted 5.4.0-rc8-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x220 lib/dump_stack.c:118
+ kmsan_report+0x128/0x220 mm/kmsan/kmsan_report.c:108
+ __msan_warning+0x64/0xc0 mm/kmsan/kmsan_instr.c:245
+ br_nf_forward_arp+0xe61/0x1230 net/bridge/br_netfilter_hooks.c:665
+ nf_hook_entry_hookfn include/linux/netfilter.h:135 [inline]
+ nf_hook_slow+0x18b/0x3f0 net/netfilter/core.c:512
+ nf_hook include/linux/netfilter.h:260 [inline]
+ NF_HOOK include/linux/netfilter.h:303 [inline]
+ __br_forward+0x78f/0xe30 net/bridge/br_forward.c:109
+ br_flood+0xef0/0xfe0 net/bridge/br_forward.c:234
+ br_handle_frame_finish+0x1a77/0x1c20 net/bridge/br_input.c:162
+ nf_hook_bridge_pre net/bridge/br_input.c:245 [inline]
+ br_handle_frame+0xfb6/0x1eb0 net/bridge/br_input.c:348
+ __netif_receive_skb_core+0x20b9/0x51a0 net/core/dev.c:4830
+ __netif_receive_skb_one_core net/core/dev.c:4927 [inline]
+ __netif_receive_skb net/core/dev.c:5043 [inline]
+ process_backlog+0x610/0x13c0 net/core/dev.c:5874
+ napi_poll net/core/dev.c:6311 [inline]
+ net_rx_action+0x7a6/0x1aa0 net/core/dev.c:6379
+ __do_softirq+0x4a1/0x83a kernel/softirq.c:293
+ do_softirq_own_stack+0x49/0x80 arch/x86/entry/entry_64.S:1091
+ </IRQ>
+ do_softirq kernel/softirq.c:338 [inline]
+ __local_bh_enable_ip+0x184/0x1d0 kernel/softirq.c:190
+ local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
+ rcu_read_unlock_bh include/linux/rcupdate.h:688 [inline]
+ __dev_queue_xmit+0x38e8/0x4200 net/core/dev.c:3819
+ dev_queue_xmit+0x4b/0x60 net/core/dev.c:3825
+ packet_snd net/packet/af_packet.c:2959 [inline]
+ packet_sendmsg+0x8234/0x9100 net/packet/af_packet.c:2984
+ sock_sendmsg_nosec net/socket.c:637 [inline]
+ sock_sendmsg net/socket.c:657 [inline]
+ __sys_sendto+0xc44/0xc70 net/socket.c:1952
+ __do_sys_sendto net/socket.c:1964 [inline]
+ __se_sys_sendto+0x107/0x130 net/socket.c:1960
+ __x64_sys_sendto+0x6e/0x90 net/socket.c:1960
+ do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x45a679
+Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f0a3c9e5c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 000000000045a679
+RDX: 000000000000000e RSI: 0000000020000200 RDI: 0000000000000003
+RBP: 000000000075bf20 R08: 00000000200000c0 R09: 0000000000000014
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0a3c9e66d4
+R13: 00000000004c8ec1 R14: 00000000004dfe28 R15: 00000000ffffffff
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:149 [inline]
+ kmsan_internal_poison_shadow+0x5c/0x110 mm/kmsan/kmsan.c:132
+ kmsan_slab_alloc+0x97/0x100 mm/kmsan/kmsan_hooks.c:86
+ slab_alloc_node mm/slub.c:2773 [inline]
+ __kmalloc_node_track_caller+0xe27/0x11a0 mm/slub.c:4381
+ __kmalloc_reserve net/core/skbuff.c:141 [inline]
+ __alloc_skb+0x306/0xa10 net/core/skbuff.c:209
+ alloc_skb include/linux/skbuff.h:1049 [inline]
+ alloc_skb_with_frags+0x18c/0xa80 net/core/skbuff.c:5662
+ sock_alloc_send_pskb+0xafd/0x10a0 net/core/sock.c:2244
+ packet_alloc_skb net/packet/af_packet.c:2807 [inline]
+ packet_snd net/packet/af_packet.c:2902 [inline]
+ packet_sendmsg+0x63a6/0x9100 net/packet/af_packet.c:2984
+ sock_sendmsg_nosec net/socket.c:637 [inline]
+ sock_sendmsg net/socket.c:657 [inline]
+ __sys_sendto+0xc44/0xc70 net/socket.c:1952
+ __do_sys_sendto net/socket.c:1964 [inline]
+ __se_sys_sendto+0x107/0x130 net/socket.c:1960
+ __x64_sys_sendto+0x6e/0x90 net/socket.c:1960
+ do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: c4e70a87d975 ("netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_netfilter_hooks.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
+index af7800103e51..59980ecfc962 100644
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@ -662,6 +662,9 @@ static unsigned int br_nf_forward_arp(void *priv,
+               nf_bridge_pull_encap_header(skb);
+       }
++      if (unlikely(!pskb_may_pull(skb, sizeof(struct arphdr))))
++              return NF_DROP;
++
+       if (arp_hdr(skb)->ar_pln != 4) {
+               if (is_vlan_arp(skb, state->net))
+                       nf_bridge_push_encap_header(skb);
+-- 
+2.20.1
+
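Review bot: The added `pskb_may_pull(skb, sizeof(struct arphdr))` in br_nf_forward_arp() guarantees only the fixed ARP header, which covers the `ar_pln` read that follows but not the hardware and protocol addresses behind it. The rest of the function is outside the hunk; if anything below reads those address fields directly, the length should be `arp_hdr_len(skb->dev)` instead. A short comment above the check, e.g. `/* ar_pln is read below: the fixed ARP header must be in the linear area */`, would record why a frame sent through a packet socket can be too short at this point.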
diff --git a/queue-5.4/netfilter-ebtables-compat-reject-all-padding-in-matc.patch b/queue-5.4/netfilter-ebtables-compat-reject-all-padding-in-matc.patch
new file mode 100644 (file)
index 0000000..366bbc3
--- /dev/null
@@ -0,0 +1,142 @@
+From 3670e8a23ad4883e633af4c7e7c25347d99eadee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Dec 2019 03:49:25 +0100
+Subject: netfilter: ebtables: compat: reject all padding in matches/watchers
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit e608f631f0ba5f1fc5ee2e260a3a35d13107cbfe ]
+
+syzbot reported following splat:
+
+BUG: KASAN: vmalloc-out-of-bounds in size_entry_mwt net/bridge/netfilter/ebtables.c:2063 [inline]
+BUG: KASAN: vmalloc-out-of-bounds in compat_copy_entries+0x128b/0x1380 net/bridge/netfilter/ebtables.c:2155
+Read of size 4 at addr ffffc900004461f4 by task syz-executor267/7937
+
+CPU: 1 PID: 7937 Comm: syz-executor267 Not tainted 5.5.0-rc1-syzkaller #0
+ size_entry_mwt net/bridge/netfilter/ebtables.c:2063 [inline]
+ compat_copy_entries+0x128b/0x1380 net/bridge/netfilter/ebtables.c:2155
+ compat_do_replace+0x344/0x720 net/bridge/netfilter/ebtables.c:2249
+ compat_do_ebt_set_ctl+0x22f/0x27e net/bridge/netfilter/ebtables.c:2333
+ [..]
+
+Because padding isn't considered during computation of ->buf_user_offset,
+"total" is decremented by fewer bytes than it should.
+
+Therefore, the first part of
+
+if (*total < sizeof(*entry) || entry->next_offset < sizeof(*entry))
+
+will pass, -- it should not have.  This causes oob access:
+entry->next_offset is past the vmalloced size.
+
+Reject padding and check that computed user offset (sum of ebt_entry
+structure plus all individual matches/watchers/targets) is same
+value that userspace gave us as the offset of the next entry.
+
+Reported-by: syzbot+f68108fed972453a0ad4@syzkaller.appspotmail.com
+Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/netfilter/ebtables.c | 33 ++++++++++++++++-----------------
+ 1 file changed, 16 insertions(+), 17 deletions(-)
+
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index 4096d8a74a2b..e1256e03a9a8 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1867,7 +1867,7 @@ static int ebt_buf_count(struct ebt_entries_buf_state *state, unsigned int sz)
+ }
+ static int ebt_buf_add(struct ebt_entries_buf_state *state,
+-                     void *data, unsigned int sz)
++                     const void *data, unsigned int sz)
+ {
+       if (state->buf_kern_start == NULL)
+               goto count_only;
+@@ -1901,7 +1901,7 @@ enum compat_mwt {
+       EBT_COMPAT_TARGET,
+ };
+-static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
++static int compat_mtw_from_user(const struct compat_ebt_entry_mwt *mwt,
+                               enum compat_mwt compat_mwt,
+                               struct ebt_entries_buf_state *state,
+                               const unsigned char *base)
+@@ -1979,22 +1979,23 @@ static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
+ /* return size of all matches, watchers or target, including necessary
+  * alignment and padding.
+  */
+-static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
++static int ebt_size_mwt(const struct compat_ebt_entry_mwt *match32,
+                       unsigned int size_left, enum compat_mwt type,
+                       struct ebt_entries_buf_state *state, const void *base)
+ {
++      const char *buf = (const char *)match32;
+       int growth = 0;
+-      char *buf;
+       if (size_left == 0)
+               return 0;
+-      buf = (char *) match32;
+-
+-      while (size_left >= sizeof(*match32)) {
++      do {
+               struct ebt_entry_match *match_kern;
+               int ret;
++              if (size_left < sizeof(*match32))
++                      return -EINVAL;
++
+               match_kern = (struct ebt_entry_match *) state->buf_kern_start;
+               if (match_kern) {
+                       char *tmp;
+@@ -2031,22 +2032,18 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
+               if (match_kern)
+                       match_kern->match_size = ret;
+-              /* rule should have no remaining data after target */
+-              if (type == EBT_COMPAT_TARGET && size_left)
+-                      return -EINVAL;
+-
+               match32 = (struct compat_ebt_entry_mwt *) buf;
+-      }
++      } while (size_left);
+       return growth;
+ }
+ /* called for all ebt_entry structures. */
+-static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
++static int size_entry_mwt(const struct ebt_entry *entry, const unsigned char *base,
+                         unsigned int *total,
+                         struct ebt_entries_buf_state *state)
+ {
+-      unsigned int i, j, startoff, new_offset = 0;
++      unsigned int i, j, startoff, next_expected_off, new_offset = 0;
+       /* stores match/watchers/targets & offset of next struct ebt_entry: */
+       unsigned int offsets[4];
+       unsigned int *offsets_update = NULL;
+@@ -2132,11 +2129,13 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
+                       return ret;
+       }
+-      startoff = state->buf_user_offset - startoff;
++      next_expected_off = state->buf_user_offset - startoff;
++      if (next_expected_off != entry->next_offset)
++              return -EINVAL;
+-      if (WARN_ON(*total < startoff))
++      if (*total < entry->next_offset)
+               return -EINVAL;
+-      *total -= startoff;
++      *total -= entry->next_offset;
+       return 0;
+ }
+-- 
+2.20.1
+
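Review bot: The equality test `next_expected_off != entry->next_offset` in size_entry_mwt() is now the check that keeps the userspace-supplied offset from running past the vmalloc'ed copy, yet it carries no comment. Something like `/* user next_offset must equal the size we computed; padding is rejected */` above it would keep a later cleanup from relaxing it back to a range test. In ebt_size_mwt(), `buf` became `const char *` but the context line `match32 = (struct compat_ebt_entry_mwt *) buf;` still casts the qualifier away; `(const struct compat_ebt_entry_mwt *) buf` matches the new parameter type. The bodies of both functions are only partly shown in these hunks.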
diff --git a/queue-5.4/netfilter-nft_tproxy-fix-port-selector-on-big-endian.patch b/queue-5.4/netfilter-nft_tproxy-fix-port-selector-on-big-endian.patch
new file mode 100644 (file)
index 0000000..6c8cfdf
--- /dev/null
@@ -0,0 +1,51 @@
+From 16b14ed4cecd27699ad7cab6ea353608bf8e5fe9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2019 00:59:29 +0100
+Subject: netfilter: nft_tproxy: Fix port selector on Big Endian
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit 8cb4ec44de42b99b92399b4d1daf3dc430ed0186 ]
+
+On Big Endian architectures, u16 port value was extracted from the wrong
+parts of u32 sreg_port, just like commit 10596608c4d62 ("netfilter:
+nf_tables: fix mismatch in big-endian system") describes.
+
+Fixes: 4ed8eb6570a49 ("netfilter: nf_tables: Add native tproxy support")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Acked-by: Florian Westphal <fw@strlen.de>
+Acked-by: MĂ¡tĂ© Eckl <ecklm94@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_tproxy.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nft_tproxy.c b/net/netfilter/nft_tproxy.c
+index f92a82c73880..95980154ef02 100644
+--- a/net/netfilter/nft_tproxy.c
++++ b/net/netfilter/nft_tproxy.c
+@@ -50,7 +50,7 @@ static void nft_tproxy_eval_v4(const struct nft_expr *expr,
+       taddr = nf_tproxy_laddr4(skb, taddr, iph->daddr);
+       if (priv->sreg_port)
+-              tport = regs->data[priv->sreg_port];
++              tport = nft_reg_load16(&regs->data[priv->sreg_port]);
+       if (!tport)
+               tport = hp->dest;
+@@ -117,7 +117,7 @@ static void nft_tproxy_eval_v6(const struct nft_expr *expr,
+       taddr = *nf_tproxy_laddr6(skb, &taddr, &iph->daddr);
+       if (priv->sreg_port)
+-              tport = regs->data[priv->sreg_port];
++              tport = nft_reg_load16(&regs->data[priv->sreg_port]);
+       if (!tport)
+               tport = hp->dest;
+-- 
+2.20.1
+
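Review bot: `nft_reg_load16()` returns a host-typed u16, while `tport` is assigned `hp->dest` two lines later, which suggests it holds a network-order port. The declaration of `tport` is outside both hunks; if it is `__be16`, sparse will flag the new assignment in nft_tproxy_eval_v4() and nft_tproxy_eval_v6(). An annotation such as `tport = (__force __be16)nft_reg_load16(&regs->data[priv->sreg_port]);` would state the intent. A one-line comment that the port is a 16-bit value stored at the start of the 32-bit register would also explain why a plain `regs->data[]` read is wrong on big-endian.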
diff --git a/queue-5.4/nvme-fc-fix-double-free-scenarios-on-hw-queues.patch b/queue-5.4/nvme-fc-fix-double-free-scenarios-on-hw-queues.patch
new file mode 100644 (file)
index 0000000..2ef3559
--- /dev/null
@@ -0,0 +1,80 @@
+From 7a7b13b86fea8ee24d2c1b4c2d1e5ae7a3a037ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Nov 2019 09:59:37 -0800
+Subject: nvme-fc: fix double-free scenarios on hw queues
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit c869e494ef8b5846d9ba91f1e922c23cd444f0c1 ]
+
+If an error occurs on one of the ios used for creating an
+association, the creating routine has error paths that are
+invoked by the command failure and the error paths will free
+up the controller resources created to that point.
+
+But... the io was ultimately determined by an asynchronous
+completion routine that detected the error and which
+unconditionally invokes the error_recovery path which calls
+delete_association. Delete association deletes all outstanding
+io then tears down the controller resources. So the
+create_association thread can be running in parallel with
+the error_recovery thread. What was seen was the LLDD received
+a call to delete a queue, causing the LLDD to do a free of a
+resource, then the transport called the delete queue again
+causing the driver to repeat the free call. The second free
+routine corrupted the allocator. The transport shouldn't be
+making the duplicate call, and the delete queue is just one
+of the resources being freed.
+
+To fix, it is realized that the create_association path is
+completely serialized with one command at a time. So the
+failed io completion will always be seen by the create_association
+path and as of the failure, there are no ios to terminate and there
+is no reason to be manipulating queue freeze states, etc.
+The serialized condition stays true until the controller is
+transitioned to the LIVE state. Thus the fix is to change the
+error recovery path to check the controller state and only
+invoke the teardown path if not already in the CONNECTING state.
+
+Reviewed-by: Himanshu Madhani <hmadhani@marvell.com>
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/fc.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c
+index 3f102d9f39b8..59474bd0c728 100644
+--- a/drivers/nvme/host/fc.c
++++ b/drivers/nvme/host/fc.c
+@@ -2910,10 +2910,22 @@ nvme_fc_reconnect_or_delete(struct nvme_fc_ctrl *ctrl, int status)
+ static void
+ __nvme_fc_terminate_io(struct nvme_fc_ctrl *ctrl)
+ {
+-      nvme_stop_keep_alive(&ctrl->ctrl);
++      /*
++       * if state is connecting - the error occurred as part of a
++       * reconnect attempt. The create_association error paths will
++       * clean up any outstanding io.
++       *
++       * if it's a different state - ensure all pending io is
++       * terminated. Given this can delay while waiting for the
++       * aborted io to return, we recheck adapter state below
++       * before changing state.
++       */
++      if (ctrl->ctrl.state != NVME_CTRL_CONNECTING) {
++              nvme_stop_keep_alive(&ctrl->ctrl);
+-      /* will block will waiting for io to terminate */
+-      nvme_fc_delete_association(ctrl);
++              /* will block will waiting for io to terminate */
++              nvme_fc_delete_association(ctrl);
++      }
+       if (ctrl->ctrl.state != NVME_CTRL_CONNECTING &&
+           !nvme_change_ctrl_state(&ctrl->ctrl, NVME_CTRL_CONNECTING))
+-- 
+2.20.1
+
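Review bot: `ctrl->ctrl.state` is read twice in __nvme_fc_terminate_io() with no lock or READ_ONCE() visible, once to decide on the teardown and again before nvme_change_ctrl_state(). If the state can move to NVME_CTRL_CONNECTING between the first test and nvme_fc_delete_association(), the teardown would still overlap the create_association error path, which is the double free the commit describes. Whatever serialises that transition is outside the hunk and should be named in the new comment. Since the line is re-indented anyway, the comment typo can be fixed too: `/* will block while waiting for io to terminate */`.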
diff --git a/queue-5.4/nvme-pci-fix-read-queue-count.patch b/queue-5.4/nvme-pci-fix-read-queue-count.patch
new file mode 100644 (file)
index 0000000..03e93df
--- /dev/null
@@ -0,0 +1,49 @@
+From e49eb792d36f55c7def0b2106c527eba884eea6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2019 08:11:17 +0900
+Subject: nvme/pci: Fix read queue count
+
+From: Keith Busch <kbusch@kernel.org>
+
+[ Upstream commit 7e4c6b9a5d22485acf009b3c3510a370f096dd54 ]
+
+If nvme.write_queues equals the number of CPUs, the driver had decreased
+the number of interrupts available such that there could only be one read
+queue even if the controller could support more. Remove the interrupt
+count reduction in this case. The driver wouldn't request more IRQs than
+it wants queues anyway.
+
+Reviewed-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 29d7427c2b19..14d513087a14 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -2060,7 +2060,6 @@ static int nvme_setup_irqs(struct nvme_dev *dev, unsigned int nr_io_queues)
+               .priv           = dev,
+       };
+       unsigned int irq_queues, this_p_queues;
+-      unsigned int nr_cpus = num_possible_cpus();
+       /*
+        * Poll queues don't need interrupts, but we need at least one IO
+@@ -2071,10 +2070,7 @@ static int nvme_setup_irqs(struct nvme_dev *dev, unsigned int nr_io_queues)
+               this_p_queues = nr_io_queues - 1;
+               irq_queues = 1;
+       } else {
+-              if (nr_cpus < nr_io_queues - this_p_queues)
+-                      irq_queues = nr_cpus + 1;
+-              else
+-                      irq_queues = nr_io_queues - this_p_queues + 1;
++              irq_queues = nr_io_queues - this_p_queues + 1;
+       }
+       dev->io_queues[HCTX_TYPE_POLL] = this_p_queues;
+-- 
+2.20.1
+
diff --git a/queue-5.4/nvme-pci-fix-write-and-poll-queue-types.patch b/queue-5.4/nvme-pci-fix-write-and-poll-queue-types.patch
new file mode 100644 (file)
index 0000000..4593e45
--- /dev/null
@@ -0,0 +1,46 @@
+From ac8b9feefbf1b7465f501d9a0438c75f2de45440 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Dec 2019 01:51:54 +0900
+Subject: nvme/pci: Fix write and poll queue types
+
+From: Keith Busch <kbusch@kernel.org>
+
+[ Upstream commit 3f68baf706ec68c4120867c25bc439c845fe3e17 ]
+
+The number of poll or write queues should never be negative. Use unsigned
+types so that it's not possible to break have the driver not allocate
+any queues.
+
+Reviewed-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 869f462e6b6e..29d7427c2b19 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -68,14 +68,14 @@ static int io_queue_depth = 1024;
+ module_param_cb(io_queue_depth, &io_queue_depth_ops, &io_queue_depth, 0644);
+ MODULE_PARM_DESC(io_queue_depth, "set io queue depth, should >= 2");
+-static int write_queues;
+-module_param(write_queues, int, 0644);
++static unsigned int write_queues;
++module_param(write_queues, uint, 0644);
+ MODULE_PARM_DESC(write_queues,
+       "Number of queues to use for writes. If not set, reads and writes "
+       "will share a queue set.");
+-static int poll_queues;
+-module_param(poll_queues, int, 0644);
++static unsigned int poll_queues;
++module_param(poll_queues, uint, 0644);
+ MODULE_PARM_DESC(poll_queues, "Number of queues to use for polled IO.");
+ struct nvme_dev;
+-- 
+2.20.1
+
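Review bot: `write_queues` and `poll_queues` remain plain `module_param(..., uint, 0644)`, so any value up to UINT_MAX can be set at load time or written later through sysfs, whereas `io_queue_depth` just above goes through `module_param_cb()` with its own ops. Switching to unsigned removes negative values but adds no upper bound; where the counts are consumed is outside the hunk, so the effect of a very large value cannot be judged from here. A setter in the style of `io_queue_depth_ops` that caps the value, for example at the number of possible CPUs, would make the accepted range explicit.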
diff --git a/queue-5.4/nvme_fc-add-module-to-ops-template-to-allow-module-r.patch b/queue-5.4/nvme_fc-add-module-to-ops-template-to-allow-module-r.patch
new file mode 100644 (file)
index 0000000..2324a6d
--- /dev/null
@@ -0,0 +1,154 @@
+From edc0610322567eb8bcf625a8685aa5c584511638 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2019 15:15:26 -0800
+Subject: nvme_fc: add module to ops template to allow module references
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit 863fbae929c7a5b64e96b8a3ffb34a29eefb9f8f ]
+
+In nvme-fc: it's possible to have connected active controllers
+and as no references are taken on the LLDD, the LLDD can be
+unloaded.  The controller would enter a reconnect state and as
+long as the LLDD resumed within the reconnect timeout, the
+controller would resume.  But if a namespace on the controller
+is the root device, allowing the driver to unload can be problematic.
+To reload the driver, it may require new io to the boot device,
+and as it's no longer connected we get into a catch-22 that
+eventually fails, and the system locks up.
+
+Fix this issue by taking a module reference for every connected
+controller (which is what the core layer did to the transport
+module). Reference is cleared when the controller is removed.
+
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/fc.c          | 14 ++++++++++++--
+ drivers/nvme/target/fcloop.c    |  1 +
+ drivers/scsi/lpfc/lpfc_nvme.c   |  2 ++
+ drivers/scsi/qla2xxx/qla_nvme.c |  1 +
+ include/linux/nvme-fc-driver.h  |  4 ++++
+ 5 files changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c
+index 265f89e11d8b..3f102d9f39b8 100644
+--- a/drivers/nvme/host/fc.c
++++ b/drivers/nvme/host/fc.c
+@@ -342,7 +342,8 @@ nvme_fc_register_localport(struct nvme_fc_port_info *pinfo,
+           !template->ls_req || !template->fcp_io ||
+           !template->ls_abort || !template->fcp_abort ||
+           !template->max_hw_queues || !template->max_sgl_segments ||
+-          !template->max_dif_sgl_segments || !template->dma_boundary) {
++          !template->max_dif_sgl_segments || !template->dma_boundary ||
++          !template->module) {
+               ret = -EINVAL;
+               goto out_reghost_failed;
+       }
+@@ -2015,6 +2016,7 @@ nvme_fc_ctrl_free(struct kref *ref)
+ {
+       struct nvme_fc_ctrl *ctrl =
+               container_of(ref, struct nvme_fc_ctrl, ref);
++      struct nvme_fc_lport *lport = ctrl->lport;
+       unsigned long flags;
+       if (ctrl->ctrl.tagset) {
+@@ -2041,6 +2043,7 @@ nvme_fc_ctrl_free(struct kref *ref)
+       if (ctrl->ctrl.opts)
+               nvmf_free_options(ctrl->ctrl.opts);
+       kfree(ctrl);
++      module_put(lport->ops->module);
+ }
+ static void
+@@ -3056,10 +3059,15 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts,
+               goto out_fail;
+       }
++      if (!try_module_get(lport->ops->module)) {
++              ret = -EUNATCH;
++              goto out_free_ctrl;
++      }
++
+       idx = ida_simple_get(&nvme_fc_ctrl_cnt, 0, 0, GFP_KERNEL);
+       if (idx < 0) {
+               ret = -ENOSPC;
+-              goto out_free_ctrl;
++              goto out_mod_put;
+       }
+       ctrl->ctrl.opts = opts;
+@@ -3212,6 +3220,8 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts,
+ out_free_ida:
+       put_device(ctrl->dev);
+       ida_simple_remove(&nvme_fc_ctrl_cnt, ctrl->cnum);
++out_mod_put:
++      module_put(lport->ops->module);
+ out_free_ctrl:
+       kfree(ctrl);
+ out_fail:
+diff --git a/drivers/nvme/target/fcloop.c b/drivers/nvme/target/fcloop.c
+index b50b53db3746..1c50af6219f3 100644
+--- a/drivers/nvme/target/fcloop.c
++++ b/drivers/nvme/target/fcloop.c
+@@ -850,6 +850,7 @@ fcloop_targetport_delete(struct nvmet_fc_target_port *targetport)
+ #define FCLOOP_DMABOUND_4G            0xFFFFFFFF
+ static struct nvme_fc_port_template fctemplate = {
++      .module                 = THIS_MODULE,
+       .localport_delete       = fcloop_localport_delete,
+       .remoteport_delete      = fcloop_remoteport_delete,
+       .create_queue           = fcloop_create_queue,
+diff --git a/drivers/scsi/lpfc/lpfc_nvme.c b/drivers/scsi/lpfc/lpfc_nvme.c
+index a227e36cbdc2..8e0f03ef346b 100644
+--- a/drivers/scsi/lpfc/lpfc_nvme.c
++++ b/drivers/scsi/lpfc/lpfc_nvme.c
+@@ -1976,6 +1976,8 @@ lpfc_nvme_fcp_abort(struct nvme_fc_local_port *pnvme_lport,
+ /* Declare and initialization an instance of the FC NVME template. */
+ static struct nvme_fc_port_template lpfc_nvme_template = {
++      .module = THIS_MODULE,
++
+       /* initiator-based functions */
+       .localport_delete  = lpfc_nvme_localport_delete,
+       .remoteport_delete = lpfc_nvme_remoteport_delete,
+diff --git a/drivers/scsi/qla2xxx/qla_nvme.c b/drivers/scsi/qla2xxx/qla_nvme.c
+index 941aa53363f5..bfcd02fdf2b8 100644
+--- a/drivers/scsi/qla2xxx/qla_nvme.c
++++ b/drivers/scsi/qla2xxx/qla_nvme.c
+@@ -610,6 +610,7 @@ static void qla_nvme_remoteport_delete(struct nvme_fc_remote_port *rport)
+ }
+ static struct nvme_fc_port_template qla_nvme_fc_transport = {
++      .module = THIS_MODULE,
+       .localport_delete = qla_nvme_localport_delete,
+       .remoteport_delete = qla_nvme_remoteport_delete,
+       .create_queue   = qla_nvme_alloc_queue,
+diff --git a/include/linux/nvme-fc-driver.h b/include/linux/nvme-fc-driver.h
+index 10f81629b9ce..6d0d70f3219c 100644
+--- a/include/linux/nvme-fc-driver.h
++++ b/include/linux/nvme-fc-driver.h
+@@ -270,6 +270,8 @@ struct nvme_fc_remote_port {
+  *
+  * Host/Initiator Transport Entrypoints/Parameters:
+  *
++ * @module:  The LLDD module using the interface
++ *
+  * @localport_delete:  The LLDD initiates deletion of a localport via
+  *       nvme_fc_deregister_localport(). However, the teardown is
+  *       asynchronous. This routine is called upon the completion of the
+@@ -383,6 +385,8 @@ struct nvme_fc_remote_port {
+  *       Value is Mandatory. Allowed to be zero.
+  */
+ struct nvme_fc_port_template {
++      struct module   *module;
++
+       /* initiator-based functions */
+       void    (*localport_delete)(struct nvme_fc_local_port *);
+       void    (*remoteport_delete)(struct nvme_fc_remote_port *);
+-- 
+2.20.1
+
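Review bot: In nvme_fc_ctrl_free() the final `module_put(lport->ops->module)` reads through `lport` after the rest of the controller teardown and `kfree(ctrl)`. The lines between the two hunks of that function are not shown; if they drop the controller's reference on the port, `lport` may already be freed at that point. Caching the pointer on entry avoids depending on that: `struct module *owner = ctrl->lport->ops->module;` at the top and `module_put(owner);` at the end. The `@module` kernel-doc line could also say that a reference is held for every connected controller, so the LLDD cannot be unloaded until those controllers are removed.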
diff --git a/queue-5.4/pci-add-a-helper-to-check-power-resource-requirement.patch b/queue-5.4/pci-add-a-helper-to-check-power-resource-requirement.patch
new file mode 100644 (file)
index 0000000..b7caf26
--- /dev/null
@@ -0,0 +1,72 @@
+From e6563a36a9ed46a5c9d9ecd7d26beaf65ddcdda6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Oct 2019 15:38:47 +0800
+Subject: PCI: Add a helper to check Power Resource Requirements _PR3 existence
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+[ Upstream commit 52525b7a3cf82adec5c6cf0ecbd23ff228badc94 ]
+
+A driver may want to know the existence of _PR3, to choose different
+runtime suspend behavior. A user will be add in next patch.
+
+This is mostly the same as nouveau_pr3_present().
+
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Acked-by: Bjorn Helgaas <bhelgaas@google.com>
+Link: https://lore.kernel.org/r/20191018073848.14590-1-kai.heng.feng@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci.c   | 18 ++++++++++++++++++
+ include/linux/pci.h |  2 ++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index a97e2571a527..fcfaadc774ee 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -5854,6 +5854,24 @@ int pci_set_vga_state(struct pci_dev *dev, bool decode,
+       return 0;
+ }
++#ifdef CONFIG_ACPI
++bool pci_pr3_present(struct pci_dev *pdev)
++{
++      struct acpi_device *adev;
++
++      if (acpi_disabled)
++              return false;
++
++      adev = ACPI_COMPANION(&pdev->dev);
++      if (!adev)
++              return false;
++
++      return adev->power.flags.power_resources &&
++              acpi_has_method(adev->handle, "_PR3");
++}
++EXPORT_SYMBOL_GPL(pci_pr3_present);
++#endif
++
+ /**
+  * pci_add_dma_alias - Add a DMA devfn alias for a device
+  * @dev: the PCI device for which alias is added
+diff --git a/include/linux/pci.h b/include/linux/pci.h
+index f9088c89a534..1d15c5d49cdd 100644
+--- a/include/linux/pci.h
++++ b/include/linux/pci.h
+@@ -2310,9 +2310,11 @@ struct irq_domain *pci_host_bridge_acpi_msi_domain(struct pci_bus *bus);
+ void
+ pci_msi_register_fwnode_provider(struct fwnode_handle *(*fn)(struct device *));
++bool pci_pr3_present(struct pci_dev *pdev);
+ #else
+ static inline struct irq_domain *
+ pci_host_bridge_acpi_msi_domain(struct pci_bus *bus) { return NULL; }
++static bool pci_pr3_present(struct pci_dev *pdev) { return false; }
+ #endif
+ #ifdef CONFIG_EEH
+-- 
+2.20.1
+
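Review bot: `pci_pr3_present()` is exported with `EXPORT_SYMBOL_GPL` in the drivers/pci/pci.c hunk but has no kernel-doc, while `pci_add_dma_alias()` directly below it does. A short kernel-doc block would state what the visible body establishes: it returns false when ACPI is disabled or the device has no ACPI companion, and otherwise true only if the companion has power resources and a `_PR3` method. In the include/linux/pci.h hunk the `#else` stub is `static` without `inline`; the next patch in this queue corrects that, so the two should be kept together when backporting.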
diff --git a/queue-5.4/pci-fix-missing-inline-for-pci_pr3_present.patch b/queue-5.4/pci-fix-missing-inline-for-pci_pr3_present.patch
new file mode 100644 (file)
index 0000000..b54df22
--- /dev/null
@@ -0,0 +1,37 @@
+From 3bb9b8ba98d2eb0da0cd2323db178711246577f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Oct 2019 16:25:20 +0200
+Subject: PCI: Fix missing inline for pci_pr3_present()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 46b4bff6572b0552b1ee062043621e4b252638d8 ]
+
+The inline prefix was missing in the dummy function pci_pr3_present()
+definition.  Fix it.
+
+Reported-by: kbuild test robot <lkp@intel.com>
+Fixes: 52525b7a3cf8 ("PCI: Add a helper to check Power Resource Requirements _PR3 existence")
+Link: https://lore.kernel.org/r/201910212111.qHm6OcWx%lkp@intel.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/pci.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/pci.h b/include/linux/pci.h
+index 1d15c5d49cdd..be529d311122 100644
+--- a/include/linux/pci.h
++++ b/include/linux/pci.h
+@@ -2314,7 +2314,7 @@ bool pci_pr3_present(struct pci_dev *pdev);
+ #else
+ static inline struct irq_domain *
+ pci_host_bridge_acpi_msi_domain(struct pci_bus *bus) { return NULL; }
+-static bool pci_pr3_present(struct pci_dev *pdev) { return false; }
++static inline bool pci_pr3_present(struct pci_dev *pdev) { return false; }
+ #endif
+ #ifdef CONFIG_EEH
+-- 
+2.20.1
+
diff --git a/queue-5.4/pm-devfreq-don-t-fail-devfreq_dev_release-if-not-in-.patch b/queue-5.4/pm-devfreq-don-t-fail-devfreq_dev_release-if-not-in-.patch
new file mode 100644 (file)
index 0000000..4d65391
--- /dev/null
@@ -0,0 +1,55 @@
+From bafed4f6f7f05aa33c604088e867d5ee2808bb2a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2019 01:21:31 +0200
+Subject: PM / devfreq: Don't fail devfreq_dev_release if not in list
+
+From: Leonard Crestez <leonard.crestez@nxp.com>
+
+[ Upstream commit 42a6b25e67df6ee6675e8d1eaf18065bd73328ba ]
+
+Right now devfreq_dev_release will print a warning and abort the rest of
+the cleanup if the devfreq instance is not part of the global
+devfreq_list. But this is a valid scenario, for example it can happen if
+the governor can't be found or on any other init error that happens
+after device_register.
+
+Initialize devfreq->node to an empty list head in devfreq_add_device so
+that list_del becomes a safe noop inside devfreq_dev_release and we can
+continue the rest of the cleanup.
+
+Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
+Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
+Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/devfreq/devfreq.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
+index e185c8846916..ffd2d6b44dfb 100644
+--- a/drivers/devfreq/devfreq.c
++++ b/drivers/devfreq/devfreq.c
+@@ -588,11 +588,6 @@ static void devfreq_dev_release(struct device *dev)
+       struct devfreq *devfreq = to_devfreq(dev);
+       mutex_lock(&devfreq_list_lock);
+-      if (IS_ERR(find_device_devfreq(devfreq->dev.parent))) {
+-              mutex_unlock(&devfreq_list_lock);
+-              dev_warn(&devfreq->dev, "releasing devfreq which doesn't exist\n");
+-              return;
+-      }
+       list_del(&devfreq->node);
+       mutex_unlock(&devfreq_list_lock);
+@@ -647,6 +642,7 @@ struct devfreq *devfreq_add_device(struct device *dev,
+       devfreq->dev.parent = dev;
+       devfreq->dev.class = devfreq_class;
+       devfreq->dev.release = devfreq_dev_release;
++      INIT_LIST_HEAD(&devfreq->node);
+       devfreq->profile = profile;
+       strncpy(devfreq->governor_name, governor_name, DEVFREQ_NAME_LEN);
+       devfreq->previous_freq = profile->initial_freq;
+-- 
+2.20.1
+
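Review bot: The `INIT_LIST_HEAD(&devfreq->node);` added in devfreq_add_device() has no comment, yet the now-unconditional `list_del(&devfreq->node)` in devfreq_dev_release() is only safe because of it. A one-line comment at the initialisation would keep the two from drifting apart, e.g. `/* lets devfreq_dev_release() call list_del() even if we never reached devfreq_list */`. Both functions start and end outside their hunks, so the point where the node is added to the list is not visible here.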
diff --git a/queue-5.4/pm-devfreq-fix-devfreq_notifier_call-returning-errno.patch b/queue-5.4/pm-devfreq-fix-devfreq_notifier_call-returning-errno.patch
new file mode 100644 (file)
index 0000000..177e8c3
--- /dev/null
@@ -0,0 +1,73 @@
+From 6a893a68216f3e05a434cdd18cef95a60f9db70d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Oct 2019 23:34:18 +0200
+Subject: PM / devfreq: Fix devfreq_notifier_call returning errno
+
+From: Leonard Crestez <leonard.crestez@nxp.com>
+
+[ Upstream commit e876e710ede23f670494331e062d643928e4142a ]
+
+Notifier callbacks shouldn't return negative errno but one of the
+NOTIFY_OK/DONE/BAD values.
+
+The OPP core will ignore return values from notifiers but returning a
+value that matches NOTIFY_STOP_MASK will stop the notification chain.
+
+Fix by always returning NOTIFY_OK.
+
+Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
+Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
+Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/devfreq/devfreq.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
+index 3a1484e7a3ae..e5c2afdc7b7f 100644
+--- a/drivers/devfreq/devfreq.c
++++ b/drivers/devfreq/devfreq.c
+@@ -551,26 +551,28 @@ static int devfreq_notifier_call(struct notifier_block *nb, unsigned long type,
+                                void *devp)
+ {
+       struct devfreq *devfreq = container_of(nb, struct devfreq, nb);
+-      int ret;
++      int err = -EINVAL;
+       mutex_lock(&devfreq->lock);
+       devfreq->scaling_min_freq = find_available_min_freq(devfreq);
+-      if (!devfreq->scaling_min_freq) {
+-              mutex_unlock(&devfreq->lock);
+-              return -EINVAL;
+-      }
++      if (!devfreq->scaling_min_freq)
++              goto out;
+       devfreq->scaling_max_freq = find_available_max_freq(devfreq);
+-      if (!devfreq->scaling_max_freq) {
+-              mutex_unlock(&devfreq->lock);
+-              return -EINVAL;
+-      }
++      if (!devfreq->scaling_max_freq)
++              goto out;
++
++      err = update_devfreq(devfreq);
+-      ret = update_devfreq(devfreq);
++out:
+       mutex_unlock(&devfreq->lock);
++      if (err)
++              dev_err(devfreq->dev.parent,
++                      "failed to update frequency from OPP notifier (%d)\n",
++                      err);
+-      return ret;
++      return NOTIFY_OK;
+ }
+ /**
+-- 
+2.20.1
+
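Review bot: The single `dev_err()` after the `out:` label prints "failed to update frequency from OPP notifier" for all three failure paths. That includes the two where no minimum or maximum frequency was found, `update_devfreq()` was never called, and `err` still holds its initial `-EINVAL`. Setting a distinct code or message at each `goto out` would let the log line say which step failed. A comment above `return NOTIFY_OK;` would also help, e.g. `/* never return an errno here: a value matching NOTIFY_STOP_MASK stops the chain */`.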
diff --git a/queue-5.4/pm-devfreq-set-scaling_max_freq-to-max-on-opp-notifi.patch b/queue-5.4/pm-devfreq-set-scaling_max_freq-to-max-on-opp-notifi.patch
new file mode 100644 (file)
index 0000000..a690207
--- /dev/null
@@ -0,0 +1,44 @@
+From 12138e840a64b50d4e8f341112abaea61a56632f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Oct 2019 23:34:19 +0200
+Subject: PM / devfreq: Set scaling_max_freq to max on OPP notifier error
+
+From: Leonard Crestez <leonard.crestez@nxp.com>
+
+[ Upstream commit e7cc792d00049c874010b398a27c3cc7bc8fef34 ]
+
+The devfreq_notifier_call functions will update scaling_min_freq and
+scaling_max_freq when the OPP table is updated.
+
+If fetching the maximum frequency fails then scaling_max_freq remains
+set to zero which is confusing. Set to ULONG_MAX instead so we don't
+need special handling for this case in other places.
+
+Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
+Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
+Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/devfreq/devfreq.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
+index e5c2afdc7b7f..e185c8846916 100644
+--- a/drivers/devfreq/devfreq.c
++++ b/drivers/devfreq/devfreq.c
+@@ -560,8 +560,10 @@ static int devfreq_notifier_call(struct notifier_block *nb, unsigned long type,
+               goto out;
+       devfreq->scaling_max_freq = find_available_max_freq(devfreq);
+-      if (!devfreq->scaling_max_freq)
++      if (!devfreq->scaling_max_freq) {
++              devfreq->scaling_max_freq = ULONG_MAX;
+               goto out;
++      }
+       err = update_devfreq(devfreq);
+-- 
+2.20.1
+
diff --git a/queue-5.4/pm-hibernate-memory_bm_find_bit-tighten-node-optimis.patch b/queue-5.4/pm-hibernate-memory_bm_find_bit-tighten-node-optimis.patch
new file mode 100644 (file)
index 0000000..bbc9ef6
--- /dev/null
@@ -0,0 +1,58 @@
+From f42c1ac0c164168a2606e986aa94e52a18bc0184 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Sep 2019 15:39:12 +0100
+Subject: PM / hibernate: memory_bm_find_bit(): Tighten node optimisation
+
+From: Andy Whitcroft <apw@canonical.com>
+
+[ Upstream commit da6043fe85eb5ec621e34a92540735dcebbea134 ]
+
+When looking for a bit by number we make use of the cached result from the
+preceding lookup to speed up operation.  Firstly we check if the requested
+pfn is within the cached zone and if not lookup the new zone.  We then
+check if the offset for that pfn falls within the existing cached node.
+This happens regardless of whether the node is within the zone we are
+now scanning.  With certain memory layouts it is possible for this to
+false trigger creating a temporary alias for the pfn to a different bit.
+This leads the hibernation code to free memory which it was never allocated
+with the expected fallout.
+
+Ensure the zone we are scanning matches the cached zone before considering
+the cached node.
+
+Deep thanks go to Andrea for many, many, many hours of hacking and testing
+that went into cornering this bug.
+
+Reported-by: Andrea Righi <andrea.righi@canonical.com>
+Tested-by: Andrea Righi <andrea.righi@canonical.com>
+Signed-off-by: Andy Whitcroft <apw@canonical.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/power/snapshot.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c
+index 83105874f255..26b9168321e7 100644
+--- a/kernel/power/snapshot.c
++++ b/kernel/power/snapshot.c
+@@ -734,8 +734,15 @@ static int memory_bm_find_bit(struct memory_bitmap *bm, unsigned long pfn,
+        * We have found the zone. Now walk the radix tree to find the leaf node
+        * for our PFN.
+        */
++
++      /*
++       * If the zone we wish to scan is the the current zone and the
++       * pfn falls into the current node then we do not need to walk
++       * the tree.
++       */
+       node = bm->cur.node;
+-      if (((pfn - zone->start_pfn) & ~BM_BLOCK_MASK) == bm->cur.node_pfn)
++      if (zone == bm->cur.zone &&
++          ((pfn - zone->start_pfn) & ~BM_BLOCK_MASK) == bm->cur.node_pfn)
+               goto node_found;
+       node      = zone->rtree;
+-- 
+2.20.1
+
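Review bot: The new comment in memory_bm_find_bit() reads "is the the current zone" (doubled word), and it follows the existing comment that still says to walk the radix tree, so the two contradict each other when read in order. I would fold them into one comment that says why the zone test is needed, e.g. `/* node_pfn is relative to its zone: reuse the cached node only if the cached zone matches */`. The check depends on `bm->cur.zone` being updated whenever a different zone is selected; that code lies outside the hunk and should be confirmed.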
diff --git a/queue-5.4/powerpc-fix-__clear_user-with-kuap-enabled.patch b/queue-5.4/powerpc-fix-__clear_user-with-kuap-enabled.patch
new file mode 100644 (file)
index 0000000..ffbbc34
--- /dev/null
@@ -0,0 +1,118 @@
+From 9188ebae190032d40dd1cda201417c60204e0089 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2019 00:22:21 +1100
+Subject: powerpc: Fix __clear_user() with KUAP enabled
+
+From: Andrew Donnellan <ajd@linux.ibm.com>
+
+[ Upstream commit 61e3acd8c693a14fc69b824cb5b08d02cb90a6e7 ]
+
+The KUAP implementation adds calls in clear_user() to enable and
+disable access to userspace memory. However, it doesn't add these to
+__clear_user(), which is used in the ptrace regset code.
+
+As there's only one direct user of __clear_user() (the regset code),
+and the time taken to set the AMR for KUAP purposes is going to
+dominate the cost of a quick access_ok(), there's not much point
+having a separate path.
+
+Rename __clear_user() to __arch_clear_user(), and make __clear_user()
+just call clear_user().
+
+Reported-by: syzbot+f25ecf4b2982d8c7a640@syzkaller-ppc64.appspotmail.com
+Reported-by: Daniel Axtens <dja@axtens.net>
+Suggested-by: Michael Ellerman <mpe@ellerman.id.au>
+Fixes: de78a9c42a79 ("powerpc: Add a framework for Kernel Userspace Access Protection")
+Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
+[mpe: Use __arch_clear_user() for the asm version like arm64 & nds32]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20191209132221.15328-1-ajd@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/uaccess.h | 9 +++++++--
+ arch/powerpc/lib/string_32.S       | 4 ++--
+ arch/powerpc/lib/string_64.S       | 6 +++---
+ 3 files changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
+index 15002b51ff18..c92fe7fe9692 100644
+--- a/arch/powerpc/include/asm/uaccess.h
++++ b/arch/powerpc/include/asm/uaccess.h
+@@ -401,7 +401,7 @@ copy_to_user_mcsafe(void __user *to, const void *from, unsigned long n)
+       return n;
+ }
+-extern unsigned long __clear_user(void __user *addr, unsigned long size);
++unsigned long __arch_clear_user(void __user *addr, unsigned long size);
+ static inline unsigned long clear_user(void __user *addr, unsigned long size)
+ {
+@@ -409,12 +409,17 @@ static inline unsigned long clear_user(void __user *addr, unsigned long size)
+       might_fault();
+       if (likely(access_ok(addr, size))) {
+               allow_write_to_user(addr, size);
+-              ret = __clear_user(addr, size);
++              ret = __arch_clear_user(addr, size);
+               prevent_write_to_user(addr, size);
+       }
+       return ret;
+ }
++static inline unsigned long __clear_user(void __user *addr, unsigned long size)
++{
++      return clear_user(addr, size);
++}
++
+ extern long strncpy_from_user(char *dst, const char __user *src, long count);
+ extern __must_check long strnlen_user(const char __user *str, long n);
+diff --git a/arch/powerpc/lib/string_32.S b/arch/powerpc/lib/string_32.S
+index f69a6aab7bfb..1ddb26394e8a 100644
+--- a/arch/powerpc/lib/string_32.S
++++ b/arch/powerpc/lib/string_32.S
+@@ -17,7 +17,7 @@ CACHELINE_BYTES = L1_CACHE_BYTES
+ LG_CACHELINE_BYTES = L1_CACHE_SHIFT
+ CACHELINE_MASK = (L1_CACHE_BYTES-1)
+-_GLOBAL(__clear_user)
++_GLOBAL(__arch_clear_user)
+ /*
+  * Use dcbz on the complete cache lines in the destination
+  * to set them to zero.  This requires that the destination
+@@ -87,4 +87,4 @@ _GLOBAL(__clear_user)
+       EX_TABLE(8b, 91b)
+       EX_TABLE(9b, 91b)
+-EXPORT_SYMBOL(__clear_user)
++EXPORT_SYMBOL(__arch_clear_user)
+diff --git a/arch/powerpc/lib/string_64.S b/arch/powerpc/lib/string_64.S
+index 507b18b1660e..169872bc0892 100644
+--- a/arch/powerpc/lib/string_64.S
++++ b/arch/powerpc/lib/string_64.S
+@@ -17,7 +17,7 @@ PPC64_CACHES:
+       .section        ".text"
+ /**
+- * __clear_user: - Zero a block of memory in user space, with less checking.
++ * __arch_clear_user: - Zero a block of memory in user space, with less checking.
+  * @to:   Destination address, in user space.
+  * @n:    Number of bytes to zero.
+  *
+@@ -58,7 +58,7 @@ err3;        stb     r0,0(r3)
+       mr      r3,r4
+       blr
+-_GLOBAL_TOC(__clear_user)
++_GLOBAL_TOC(__arch_clear_user)
+       cmpdi   r4,32
+       neg     r6,r3
+       li      r0,0
+@@ -181,4 +181,4 @@ err1;      dcbz    0,r3
+       cmpdi   r4,32
+       blt     .Lshort_clear
+       b       .Lmedium_clear
+-EXPORT_SYMBOL(__clear_user)
++EXPORT_SYMBOL(__arch_clear_user)
+-- 
+2.20.1
+
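Review bot: `__arch_clear_user()` stays declared in arch/powerpc/include/asm/uaccess.h and exported from both string_32.S and string_64.S, with no comment at the declaration. Nothing there says that it performs neither `access_ok()` nor the `allow_write_to_user()`/`prevent_write_to_user()` bracketing that `clear_user()` adds around it. A comment on the prototype would steer new callers to the wrapper, e.g. `/* raw asm routine: no access_ok(), no KUAP open/close; use clear_user() */`. The renamed kernel-doc in string_64.S still only says "with less checking" and could be extended the same way.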
diff --git a/queue-5.4/raid5-need-to-set-stripe_handle-for-batch-head.patch b/queue-5.4/raid5-need-to-set-stripe_handle-for-batch-head.patch
new file mode 100644 (file)
index 0000000..c9e9801
--- /dev/null
@@ -0,0 +1,45 @@
+From ac0b13cff6a8d95ea6528d05400e59288cc0c613 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Nov 2019 17:57:50 +0100
+Subject: raid5: need to set STRIPE_HANDLE for batch head
+
+From: Guoqing Jiang <guoqing.jiang@cloud.ionos.com>
+
+[ Upstream commit a7ede3d16808b8f3915c8572d783530a82b2f027 ]
+
+With commit 6ce220dd2f8ea71d6afc29b9a7524c12e39f374a ("raid5: don't set
+STRIPE_HANDLE to stripe which is in batch list"), we don't want to set
+STRIPE_HANDLE flag for sh which is already in batch list.
+
+However, the stripe which is the head of batch list should set this flag,
+otherwise panic could happen inside init_stripe at BUG_ON(sh->batch_head),
+it is reproducible with raid5 on top of nvdimm devices per Xiao oberserved.
+
+Thanks for Xiao's effort to verify the change.
+
+Fixes: 6ce220dd2f8ea ("raid5: don't set STRIPE_HANDLE to stripe which is in batch list")
+Reported-by: Xiao Ni <xni@redhat.com>
+Tested-by: Xiao Ni <xni@redhat.com>
+Signed-off-by: Guoqing Jiang <guoqing.jiang@cloud.ionos.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/raid5.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
+index 12a8ce83786e..36cd7c2fbf40 100644
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -5726,7 +5726,7 @@ static bool raid5_make_request(struct mddev *mddev, struct bio * bi)
+                               do_flush = false;
+                       }
+-                      if (!sh->batch_head)
++                      if (!sh->batch_head || sh == sh->batch_head)
+                               set_bit(STRIPE_HANDLE, &sh->state);
+                       clear_bit(STRIPE_DELAYED, &sh->state);
+                       if ((!sh->batch_head || sh == sh->batch_head) &&
+-- 
+2.20.1
+
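Review bot: The test `!sh->batch_head || sh == sh->batch_head` now appears twice within three lines of raid5_make_request(), once guarding `set_bit(STRIPE_HANDLE, &sh->state)` and once in the following `if`, with nothing explaining what it selects. A comment on the first use would make the intent explicit, e.g. `/* stripes outside a batch, and the batch head itself, must be handled */`. The enclosing loop starts and ends outside the hunk, so whether the two tests can safely be merged into one is not visible here.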
diff --git a/queue-5.4/rdma-cma-add-missed-unregister_pernet_subsys-in-init.patch b/queue-5.4/rdma-cma-add-missed-unregister_pernet_subsys-in-init.patch
new file mode 100644 (file)
index 0000000..14821e3
--- /dev/null
@@ -0,0 +1,38 @@
+From f7c1f5fa311b1d0938a6689b86c3bae27433f8ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2019 09:24:26 +0800
+Subject: RDMA/cma: add missed unregister_pernet_subsys in init failure
+
+From: Chuhong Yuan <hslester96@gmail.com>
+
+[ Upstream commit 44a7b6759000ac51b92715579a7bba9e3f9245c2 ]
+
+The driver forgets to call unregister_pernet_subsys() in the error path
+of cma_init().
+Add the missed call to fix it.
+
+Fixes: 4be74b42a6d0 ("IB/cma: Separate port allocation to network namespaces")
+Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
+Reviewed-by: Parav Pandit <parav@mellanox.com>
+Link: https://lore.kernel.org/r/20191206012426.12744-1-hslester96@gmail.com
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/cma.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
+index d78f67623f24..50052e9a1731 100644
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -4736,6 +4736,7 @@ static int __init cma_init(void)
+ err:
+       unregister_netdevice_notifier(&cma_nb);
+       ib_sa_unregister_client(&sa_client);
++      unregister_pernet_subsys(&cma_pernet_operations);
+ err_wq:
+       destroy_workqueue(cma_wq);
+       return ret;
+-- 
+2.20.1
+
diff --git a/queue-5.4/rdma-counter-prevent-auto-binding-a-qp-which-are-not.patch b/queue-5.4/rdma-counter-prevent-auto-binding-a-qp-which-are-not.patch
new file mode 100644 (file)
index 0000000..051dbf9
--- /dev/null
@@ -0,0 +1,80 @@
+From 5f7e6edbb5cb2d851976aa77fde7fcaefdb3a238 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Dec 2019 11:12:12 +0200
+Subject: RDMA/counter: Prevent auto-binding a QP which are not tracked with
+ res
+
+From: Mark Zhang <markz@mellanox.com>
+
+[ Upstream commit 33df2f1929df4a1cb13303e344fbf8a75f0dc41f ]
+
+Some QPs (e.g. XRC QP) are not tracked in kernel, in this case they have
+an invalid res and should not be bound to any dynamically-allocated
+counter in auto mode.
+
+This fixes below call trace:
+BUG: kernel NULL pointer dereference, address: 0000000000000390
+PGD 80000001a7233067 P4D 80000001a7233067 PUD 1a7215067 PMD 0
+Oops: 0000 [#1] SMP PTI
+CPU: 2 PID: 24822 Comm: ibv_xsrq_pingpo Not tainted 5.4.0-rc5+ #21
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-2.fc27 04/01/2014
+RIP: 0010:rdma_counter_bind_qp_auto+0x142/0x270 [ib_core]
+Code: e1 48 85 c0 48 89 c2 0f 84 bc 00 00 00 49 8b 06 48 39 42 48 75 d6 40 3a aa 90 00 00 00 75 cd 49 8b 86 00 01 00 00 48 8b 4a 28 <8b> 80 90 03 00 00 39 81 90 03 00 00 75 b4 85 c0 74 b0 48 8b 04 24
+RSP: 0018:ffffc900003f39c0 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
+RDX: ffff88820020ec00 RSI: 0000000000000004 RDI: ffffffffffffffc0
+RBP: 0000000000000001 R08: ffff888224149ff0 R09: ffffc900003f3968
+R10: ffffffffffffffff R11: ffff8882249c5848 R12: ffffffffffffffff
+R13: ffff88821d5aca50 R14: ffff8881f7690800 R15: ffff8881ff890000
+FS:  00007fe53a3e1740(0000) GS:ffff888237b00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000390 CR3: 00000001a7292006 CR4: 00000000003606a0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ _ib_modify_qp+0x3a4/0x3f0 [ib_core]
+ ? lookup_get_idr_uobject.part.8+0x23/0x40 [ib_uverbs]
+ modify_qp+0x322/0x3e0 [ib_uverbs]
+ ib_uverbs_modify_qp+0x43/0x70 [ib_uverbs]
+ ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0xb1/0xf0 [ib_uverbs]
+ ib_uverbs_run_method+0x6be/0x760 [ib_uverbs]
+ ? uverbs_disassociate_api+0xd0/0xd0 [ib_uverbs]
+ ib_uverbs_cmd_verbs+0x18d/0x3a0 [ib_uverbs]
+ ? get_acl+0x1a/0x120
+ ? __alloc_pages_nodemask+0x15d/0x2c0
+ ib_uverbs_ioctl+0xa7/0x110 [ib_uverbs]
+ do_vfs_ioctl+0xa5/0x610
+ ksys_ioctl+0x60/0x90
+ __x64_sys_ioctl+0x16/0x20
+ do_syscall_64+0x48/0x110
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 99fa331dc862 ("RDMA/counter: Add "auto" configuration mode support")
+Signed-off-by: Mark Zhang <markz@mellanox.com>
+Reviewed-by: Maor Gottlieb <maorg@mellanox.com>
+Reviewed-by: Ido Kalir <idok@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Link: https://lore.kernel.org/r/20191212091214.315005-2-leon@kernel.org
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/counters.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/infiniband/core/counters.c b/drivers/infiniband/core/counters.c
+index 680ad27f497d..023478107f0e 100644
+--- a/drivers/infiniband/core/counters.c
++++ b/drivers/infiniband/core/counters.c
+@@ -282,6 +282,9 @@ int rdma_counter_bind_qp_auto(struct ib_qp *qp, u8 port)
+       struct rdma_counter *counter;
+       int ret;
++      if (!qp->res.valid)
++              return 0;
++
+       if (!rdma_is_port_valid(dev, port))
+               return -EINVAL;
+-- 
+2.20.1
+
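Review bot: The new `if (!qp->res.valid) return 0;` in rdma_counter_bind_qp_auto() has no comment, and it sits before `rdma_is_port_valid()`, so for an untracked QP an invalid `port` now returns success instead of `-EINVAL`. If that ordering is intended, a comment would record it, e.g. `/* QPs not tracked in the kernel (such as XRC) have no valid res: skip auto-binding */`; otherwise move the guard below the port check. The function continues outside the hunk. Other counter entry points that read `qp->res` are not visible here and may deserve the same guard, since the quoted trace is reached from the uverbs ioctl path.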
diff --git a/queue-5.4/revert-iwlwifi-assign-directly-to-iwl_trans-cfg-in-q.patch b/queue-5.4/revert-iwlwifi-assign-directly-to-iwl_trans-cfg-in-q.patch
new file mode 100644 (file)
index 0000000..06dc1ca
--- /dev/null
@@ -0,0 +1,65 @@
+From 4ba8d5242d6ac29bc096b5448833e52718aed7e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Dec 2019 17:09:20 -0500
+Subject: Revert "iwlwifi: assign directly to iwl_trans->cfg in QuZ detection"
+
+From: Anders Kaseorg <andersk@mit.edu>
+
+[ Upstream commit db5cce1afc8d2475d2c1c37c2a8267dd0e151526 ]
+
+This reverts commit 968dcfb4905245dc64d65312c0d17692fa087b99.
+
+Both that commit and commit 809805a820c6445f7a701ded24fdc6bbc841d1e4
+attempted to fix the same bug (dead assignments to the local variable
+cfg), but they did so in incompatible ways. When they were both merged,
+independently of each other, the combination actually caused the bug to
+reappear, leading to a firmware crash on boot for some cards.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=205719
+
+Signed-off-by: Anders Kaseorg <andersk@mit.edu>
+Acked-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 24 +++++++++----------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+index 040cec17d3ad..b0b7eca1754e 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+@@ -1111,18 +1111,18 @@ static int iwl_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+       /* same thing for QuZ... */
+       if (iwl_trans->hw_rev == CSR_HW_REV_TYPE_QUZ) {
+-              if (iwl_trans->cfg == &iwl_ax101_cfg_qu_hr)
+-                      iwl_trans->cfg = &iwl_ax101_cfg_quz_hr;
+-              else if (iwl_trans->cfg == &iwl_ax201_cfg_qu_hr)
+-                      iwl_trans->cfg = &iwl_ax201_cfg_quz_hr;
+-              else if (iwl_trans->cfg == &iwl9461_2ac_cfg_qu_b0_jf_b0)
+-                      iwl_trans->cfg = &iwl9461_2ac_cfg_quz_a0_jf_b0_soc;
+-              else if (iwl_trans->cfg == &iwl9462_2ac_cfg_qu_b0_jf_b0)
+-                      iwl_trans->cfg = &iwl9462_2ac_cfg_quz_a0_jf_b0_soc;
+-              else if (iwl_trans->cfg == &iwl9560_2ac_cfg_qu_b0_jf_b0)
+-                      iwl_trans->cfg = &iwl9560_2ac_cfg_quz_a0_jf_b0_soc;
+-              else if (iwl_trans->cfg == &iwl9560_2ac_160_cfg_qu_b0_jf_b0)
+-                      iwl_trans->cfg = &iwl9560_2ac_160_cfg_quz_a0_jf_b0_soc;
++              if (cfg == &iwl_ax101_cfg_qu_hr)
++                      cfg = &iwl_ax101_cfg_quz_hr;
++              else if (cfg == &iwl_ax201_cfg_qu_hr)
++                      cfg = &iwl_ax201_cfg_quz_hr;
++              else if (cfg == &iwl9461_2ac_cfg_qu_b0_jf_b0)
++                      cfg = &iwl9461_2ac_cfg_quz_a0_jf_b0_soc;
++              else if (cfg == &iwl9462_2ac_cfg_qu_b0_jf_b0)
++                      cfg = &iwl9462_2ac_cfg_quz_a0_jf_b0_soc;
++              else if (cfg == &iwl9560_2ac_cfg_qu_b0_jf_b0)
++                      cfg = &iwl9560_2ac_cfg_quz_a0_jf_b0_soc;
++              else if (cfg == &iwl9560_2ac_160_cfg_qu_b0_jf_b0)
++                      cfg = &iwl9560_2ac_160_cfg_quz_a0_jf_b0_soc;
+       }
+ #endif
+-- 
+2.20.1
+
diff --git a/queue-5.4/rxe-correctly-calculate-icrc-for-unaligned-payloads.patch b/queue-5.4/rxe-correctly-calculate-icrc-for-unaligned-payloads.patch
new file mode 100644 (file)
index 0000000..58d0d63
--- /dev/null
@@ -0,0 +1,83 @@
+From ecd7705049d0faec686bd67f808efa97abffa8cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Dec 2019 20:03:20 -0600
+Subject: rxe: correctly calculate iCRC for unaligned payloads
+
+From: Steve Wise <larrystevenwise@gmail.com>
+
+[ Upstream commit 2030abddec6884aaf5892f5724c48fc340e6826f ]
+
+If RoCE PDUs being sent or received contain pad bytes, then the iCRC
+is miscalculated, resulting in PDUs being emitted by RXE with an incorrect
+iCRC, as well as ingress PDUs being dropped due to erroneously detecting
+a bad iCRC in the PDU.  The fix is to include the pad bytes, if any,
+in iCRC computations.
+
+Note: This bug has caused broken on-the-wire compatibility with actual
+hardware RoCE devices since the soft-RoCE driver was first put into the
+mainstream kernel.  Fixing it will create an incompatibility with the
+original soft-RoCE devices, but is necessary to be compatible with real
+hardware devices.
+
+Fixes: 8700e3e7c485 ("Soft RoCE driver")
+Signed-off-by: Steve Wise <larrystevenwise@gmail.com>
+Link: https://lore.kernel.org/r/20191203020319.15036-2-larrystevenwise@gmail.com
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rxe/rxe_recv.c | 2 +-
+ drivers/infiniband/sw/rxe/rxe_req.c  | 6 ++++++
+ drivers/infiniband/sw/rxe/rxe_resp.c | 7 +++++++
+ 3 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_recv.c b/drivers/infiniband/sw/rxe/rxe_recv.c
+index f9a492ed900b..831ad578a7b2 100644
+--- a/drivers/infiniband/sw/rxe/rxe_recv.c
++++ b/drivers/infiniband/sw/rxe/rxe_recv.c
+@@ -389,7 +389,7 @@ void rxe_rcv(struct sk_buff *skb)
+       calc_icrc = rxe_icrc_hdr(pkt, skb);
+       calc_icrc = rxe_crc32(rxe, calc_icrc, (u8 *)payload_addr(pkt),
+-                            payload_size(pkt));
++                            payload_size(pkt) + bth_pad(pkt));
+       calc_icrc = (__force u32)cpu_to_be32(~calc_icrc);
+       if (unlikely(calc_icrc != pack_icrc)) {
+               if (skb->protocol == htons(ETH_P_IPV6))
+diff --git a/drivers/infiniband/sw/rxe/rxe_req.c b/drivers/infiniband/sw/rxe/rxe_req.c
+index c5d9b558fa90..e5031172c019 100644
+--- a/drivers/infiniband/sw/rxe/rxe_req.c
++++ b/drivers/infiniband/sw/rxe/rxe_req.c
+@@ -500,6 +500,12 @@ static int fill_packet(struct rxe_qp *qp, struct rxe_send_wqe *wqe,
+                       if (err)
+                               return err;
+               }
++              if (bth_pad(pkt)) {
++                      u8 *pad = payload_addr(pkt) + paylen;
++
++                      memset(pad, 0, bth_pad(pkt));
++                      crc = rxe_crc32(rxe, crc, pad, bth_pad(pkt));
++              }
+       }
+       p = payload_addr(pkt) + paylen + bth_pad(pkt);
+diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c
+index 1cbfbd98eb22..c4a8195bf670 100644
+--- a/drivers/infiniband/sw/rxe/rxe_resp.c
++++ b/drivers/infiniband/sw/rxe/rxe_resp.c
+@@ -732,6 +732,13 @@ static enum resp_states read_reply(struct rxe_qp *qp,
+       if (err)
+               pr_err("Failed copying memory\n");
++      if (bth_pad(&ack_pkt)) {
++              struct rxe_dev *rxe = to_rdev(qp->ibqp.device);
++              u8 *pad = payload_addr(&ack_pkt) + payload;
++
++              memset(pad, 0, bth_pad(&ack_pkt));
++              icrc = rxe_crc32(rxe, icrc, pad, bth_pad(&ack_pkt));
++      }
+       p = payload_addr(&ack_pkt) + payload + bth_pad(&ack_pkt);
+       *p = ~icrc;
+-- 
+2.20.1
+
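Review bot: In the rxe_recv.c hunk the CRC length becomes `payload_size(pkt) + bth_pad(pkt)`, with the pad count taken from the header of the received packet, and nothing in the hunk shows that this sum has been checked against the packet length. rxe_rcv() starts outside the hunk, so the earlier header checks may already cover it. If they do, a comment naming that check next to the `rxe_crc32()` call is enough; if not, a length guard before the CRC is needed. Separately, the zero-and-checksum pad block is written twice, in fill_packet() and read_reply(), with `bth_pad()` evaluated three times in each; a small shared helper would keep the two send paths identical.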
diff --git a/queue-5.4/s390-cpum_sf-adjust-sampling-interval-to-avoid-hitti.patch b/queue-5.4/s390-cpum_sf-adjust-sampling-interval-to-avoid-hitti.patch
new file mode 100644 (file)
index 0000000..c9106a9
--- /dev/null
@@ -0,0 +1,75 @@
+From 6b19c4e259e8995d85ba2bcf8e422e2468863992 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Nov 2019 10:26:41 +0100
+Subject: s390/cpum_sf: Adjust sampling interval to avoid hitting sample limits
+
+From: Thomas Richter <tmricht@linux.ibm.com>
+
+[ Upstream commit 39d4a501a9ef55c57b51e3ef07fc2aeed7f30b3b ]
+
+Function perf_event_ever_overflow() and perf_event_account_interrupt()
+are called every time samples are processed by the interrupt handler.
+However function perf_event_account_interrupt() has checks to avoid being
+flooded with interrupts (more then 1000 samples are received per
+task_tick).  Samples are then dropped and a PERF_RECORD_THROTTLED is
+added to the perf data. The perf subsystem limit calculation is:
+
+    maximum sample frequency := 100000 --> 1 samples per 10 us
+    task_tick = 10ms = 10000us --> 1000 samples per task_tick
+
+The work flow is
+
+measurement_alert() uses SDBT head and each SBDT points to 511
+ SDB pages, each with 126 sample entries. After processing 8 SBDs
+ and for each valid sample calling:
+
+     perf_event_overflow()
+       perf_event_account_interrupts()
+
+there is a considerable amount of samples being dropped, especially when
+the sample frequency is very high and near the 100000 limit.
+
+To avoid the high amount of samples being dropped near the end of a
+task_tick time frame, increment the sampling interval in case of
+dropped events. The CPU Measurement sampling facility on the s390
+supports only intervals, specifiing how many CPU cycles have to be
+executed before a sample is generated. Increase the interval when the
+samples being generated hit the task_tick limit.
+
+Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/perf_cpum_sf.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c
+index 3d8b12a9a6ff..8c384e6ea36a 100644
+--- a/arch/s390/kernel/perf_cpum_sf.c
++++ b/arch/s390/kernel/perf_cpum_sf.c
+@@ -1312,6 +1312,22 @@ static void hw_perf_event_update(struct perf_event *event, int flush_all)
+       if (sampl_overflow)
+               OVERFLOW_REG(hwc) = DIV_ROUND_UP(OVERFLOW_REG(hwc) +
+                                                sampl_overflow, 1 + num_sdb);
++
++      /* Perf_event_overflow() and perf_event_account_interrupt() limit
++       * the interrupt rate to an upper limit. Roughly 1000 samples per
++       * task tick.
++       * Hitting this limit results in a large number
++       * of throttled REF_REPORT_THROTTLE entries and the samples
++       * are dropped.
++       * Slightly increase the interval to avoid hitting this limit.
++       */
++      if (event_overflow) {
++              SAMPL_RATE(hwc) += DIV_ROUND_UP(SAMPL_RATE(hwc), 10);
++              debug_sprintf_event(sfdbg, 1, "%s: rate adjustment %ld\n",
++                                  __func__,
++                                  DIV_ROUND_UP(SAMPL_RATE(hwc), 10));
++      }
++
+       if (sampl_overflow || event_overflow)
+               debug_sprintf_event(sfdbg, 4, "hw_perf_event_update: "
+                                   "overflow stats: sample=%llu event=%llu\n",
+-- 
+2.20.1
+
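Review bot: In the added `if (event_overflow)` block of hw_perf_event_update(), the debug line recomputes `DIV_ROUND_UP(SAMPL_RATE(hwc), 10)` after `SAMPL_RATE(hwc)` has already been increased, so the logged "rate adjustment" is derived from the new rate and can differ from the amount that was added. Computing the step once into a local of the same type (`delta = DIV_ROUND_UP(SAMPL_RATE(hwc), 10); SAMPL_RATE(hwc) += delta;`) and passing `delta` to debug_sprintf_event() keeps the trace accurate. The comment names `REF_REPORT_THROTTLE` while the commit message calls the record PERF_RECORD_THROTTLED, so one of the two is presumably a typo. No upper bound on the interval is visible here, so it is worth confirming that repeated overflows cannot grow SAMPL_RATE past what the sampling facility accepts. The function body starts and ends outside the hunk.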
diff --git a/queue-5.4/s390-cpum_sf-avoid-sbd-overflow-condition-in-irq-han.patch b/queue-5.4/s390-cpum_sf-avoid-sbd-overflow-condition-in-irq-han.patch
new file mode 100644 (file)
index 0000000..77008c5
--- /dev/null
@@ -0,0 +1,77 @@
+From 40558ca2308d63d3bb3a0c495ad4b89fd7dcf363 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Nov 2019 15:24:25 +0100
+Subject: s390/cpum_sf: Avoid SBD overflow condition in irq handler
+
+From: Thomas Richter <tmricht@linux.ibm.com>
+
+[ Upstream commit 0539ad0b22877225095d8adef0c376f52cc23834 ]
+
+The s390 CPU Measurement sampling facility has an overflow condition
+which fires when all entries in a SBD are used.
+The measurement alert interrupt is triggered and reads out all samples
+in this SDB. It then tests the successor SDB, if this SBD is not full,
+the interrupt handler does not read any samples at all from this SDB
+The design waits for the hardware to fill this SBD and then trigger
+another meassurement alert interrupt.
+
+This scheme works nicely until
+an perf_event_overflow() function call discards the sample due to
+a too high sampling rate.
+The interrupt handler has logic to read out a partially filled SDB
+when the perf event overflow condition in linux common code is met.
+This causes the CPUM sampling measurement hardware and the PMU
+device driver to operate on the same SBD's trailer entry.
+This should not happen.
+
+This can be seen here using this trace:
+   cpumsf_pmu_add: tear:0xb5286000
+   hw_perf_event_update: sdbt 0xb5286000 full 1 over 0 flush_all:0
+   hw_perf_event_update: sdbt 0xb5286008 full 0 over 0 flush_all:0
+        above shows 1. interrupt
+   hw_perf_event_update: sdbt 0xb5286008 full 1 over 0 flush_all:0
+   hw_perf_event_update: sdbt 0xb5286008 full 0 over 0 flush_all:0
+        above shows 2. interrupt
+       ... this goes on fine until...
+   hw_perf_event_update: sdbt 0xb5286068 full 1 over 0 flush_all:0
+   perf_push_sample1: overflow
+      one or more samples read from the IRQ handler are rejected by
+      perf_event_overflow() and the IRQ handler advances to the next SDB
+      and modifies the trailer entry of a partially filled SDB.
+   hw_perf_event_update: sdbt 0xb5286070 full 0 over 0 flush_all:1
+      timestamp: 14:32:52.519953
+
+Next time the IRQ handler is called for this SDB the trailer entry shows
+an overflow count of 19 missed entries.
+   hw_perf_event_update: sdbt 0xb5286070 full 1 over 19 flush_all:1
+      timestamp: 14:32:52.970058
+
+Remove access to a follow on SDB when event overflow happened.
+
+Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/perf_cpum_sf.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c
+index 8c384e6ea36a..8ad406f7264a 100644
+--- a/arch/s390/kernel/perf_cpum_sf.c
++++ b/arch/s390/kernel/perf_cpum_sf.c
+@@ -1300,12 +1300,6 @@ static void hw_perf_event_update(struct perf_event *event, int flush_all)
+                */
+               if (flush_all && done)
+                       break;
+-
+-              /* If an event overflow happened, discard samples by
+-               * processing any remaining sample-data-blocks.
+-               */
+-              if (event_overflow)
+-                      flush_all = 1;
+       }
+       /* Account sample overflows in the event hardware structure */
+-- 
+2.20.1
+
diff --git a/queue-5.4/scsi-iscsi-avoid-potential-deadlock-in-iscsi_if_rx-f.patch b/queue-5.4/scsi-iscsi-avoid-potential-deadlock-in-iscsi_if_rx-f.patch
new file mode 100644 (file)
index 0000000..fb8ff19
--- /dev/null
@@ -0,0 +1,113 @@
+From b30b2ebef8971598796b2c3a7e7ee456b50a440b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Nov 2019 13:26:17 +0000
+Subject: scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func
+
+From: Bo Wu <wubo40@huawei.com>
+
+[ Upstream commit bba340c79bfe3644829db5c852fdfa9e33837d6d ]
+
+In iscsi_if_rx func, after receiving one request through
+iscsi_if_recv_msg func, iscsi_if_send_reply will be called to try to
+reply to the request in a do-while loop.  If the iscsi_if_send_reply
+function keeps returning -EAGAIN, a deadlock will occur.
+
+For example, a client only send msg without calling recvmsg func, then
+it will result in the watchdog soft lockup.  The details are given as
+follows:
+
+       sock_fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ISCSI);
+       retval = bind(sock_fd, (struct sock addr*) & src_addr, sizeof(src_addr);
+       while (1) {
+               state_msg = sendmsg(sock_fd, &msg, 0);
+               //Note: recvmsg(sock_fd, &msg, 0) is not processed here.
+       }
+       close(sock_fd);
+
+watchdog: BUG: soft lockup - CPU#7 stuck for 22s! [netlink_test:253305] Sample time: 4000897528 ns(HZ: 250) Sample stat:
+curr: user: 675503481560, nice: 321724050, sys: 448689506750, idle: 4654054240530, iowait: 40885550700, irq: 14161174020, softirq: 8104324140, st: 0
+deta: user: 0, nice: 0, sys: 3998210100, idle: 0, iowait: 0, irq: 1547170, softirq: 242870, st: 0 Sample softirq:
+         TIMER:        992
+         SCHED:          8
+Sample irqstat:
+         irq    2: delta       1003, curr:    3103802, arch_timer
+CPU: 7 PID: 253305 Comm: netlink_test Kdump: loaded Tainted: G           OE
+Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
+pstate: 40400005 (nZcv daif +PAN -UAO)
+pc : __alloc_skb+0x104/0x1b0
+lr : __alloc_skb+0x9c/0x1b0
+sp : ffff000033603a30
+x29: ffff000033603a30 x28: 00000000000002dd
+x27: ffff800b34ced810 x26: ffff800ba7569f00
+x25: 00000000ffffffff x24: 0000000000000000
+x23: ffff800f7c43f600 x22: 0000000000480020
+x21: ffff0000091d9000 x20: ffff800b34eff200
+x19: ffff800ba7569f00 x18: 0000000000000000
+x17: 0000000000000000 x16: 0000000000000000
+x15: 0000000000000000 x14: 0001000101000100
+x13: 0000000101010000 x12: 0101000001010100
+x11: 0001010101010001 x10: 00000000000002dd
+x9 : ffff000033603d58 x8 : ffff800b34eff400
+x7 : ffff800ba7569200 x6 : ffff800b34eff400
+x5 : 0000000000000000 x4 : 00000000ffffffff
+x3 : 0000000000000000 x2 : 0000000000000001
+x1 : ffff800b34eff2c0 x0 : 0000000000000300 Call trace:
+__alloc_skb+0x104/0x1b0
+iscsi_if_rx+0x144/0x12bc [scsi_transport_iscsi]
+netlink_unicast+0x1e0/0x258
+netlink_sendmsg+0x310/0x378
+sock_sendmsg+0x4c/0x70
+sock_write_iter+0x90/0xf0
+__vfs_write+0x11c/0x190
+vfs_write+0xac/0x1c0
+ksys_write+0x6c/0xd8
+__arm64_sys_write+0x24/0x30
+el0_svc_common+0x78/0x130
+el0_svc_handler+0x38/0x78
+el0_svc+0x8/0xc
+
+Link: https://lore.kernel.org/r/EDBAAA0BBBA2AC4E9C8B6B81DEEE1D6915E3D4D2@dggeml505-mbx.china.huawei.com
+Signed-off-by: Bo Wu <wubo40@huawei.com>
+Reviewed-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
+Reviewed-by: Lee Duncan <lduncan@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_transport_iscsi.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
+index 417b868d8735..ed8d9709b9b9 100644
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -24,6 +24,8 @@
+ #define ISCSI_TRANSPORT_VERSION "2.0-870"
++#define ISCSI_SEND_MAX_ALLOWED  10
++
+ #define CREATE_TRACE_POINTS
+ #include <trace/events/iscsi.h>
+@@ -3682,6 +3684,7 @@ iscsi_if_rx(struct sk_buff *skb)
+               struct nlmsghdr *nlh;
+               struct iscsi_uevent *ev;
+               uint32_t group;
++              int retries = ISCSI_SEND_MAX_ALLOWED;
+               nlh = nlmsg_hdr(skb);
+               if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
+@@ -3712,6 +3715,10 @@ iscsi_if_rx(struct sk_buff *skb)
+                               break;
+                       err = iscsi_if_send_reply(portid, nlh->nlmsg_type,
+                                                 ev, sizeof(*ev));
++                      if (err == -EAGAIN && --retries < 0) {
++                              printk(KERN_WARNING "Send reply failed, error %d\n", err);
++                              break;
++                      }
+               } while (err < 0 && err != -ECONNREFUSED && err != -ESRCH);
+               skb_pull(skb, rlen);
+       }
+-- 
+2.20.1
+
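Review bot: The warning added in the retry-exhausted branch of iscsi_if_rx() is an unthrottled `printk`, and the sender described in the commit message (sendmsg in a loop, never recvmsg) can presumably reach that branch repeatedly, so the fix may trade the soft lockup for a stream of kernel log lines. A rate-limited form such as `pr_warn_ratelimited("Send reply failed, error %d\n", err);` keeps the diagnostic without letting one client fill the log. The ISCSI_SEND_MAX_ALLOWED retries also run back to back with no pause visible in the hunk, so a short comment on why ten immediate retries is the right bound would help the next reader. iscsi_if_rx() continues outside the hunk.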
diff --git a/queue-5.4/scsi-iscsi-qla4xxx-fix-double-free-in-probe.patch b/queue-5.4/scsi-iscsi-qla4xxx-fix-double-free-in-probe.patch
new file mode 100644 (file)
index 0000000..019818b
--- /dev/null
@@ -0,0 +1,40 @@
+From dd8ad473ac8df32a879cb64cd71d3ad730d8c8cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2019 12:45:09 +0300
+Subject: scsi: iscsi: qla4xxx: fix double free in probe
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit fee92f25777789d73e1936b91472e9c4644457c8 ]
+
+On this error path we call qla4xxx_mem_free() and then the caller also
+calls qla4xxx_free_adapter() which calls qla4xxx_mem_free().  It leads to a
+couple double frees:
+
+drivers/scsi/qla4xxx/ql4_os.c:8856 qla4xxx_probe_adapter() warn: 'ha->chap_dma_pool' double freed
+drivers/scsi/qla4xxx/ql4_os.c:8856 qla4xxx_probe_adapter() warn: 'ha->fw_ddb_dma_pool' double freed
+
+Fixes: afaf5a2d341d ("[SCSI] Initial Commit of qla4xxx")
+Link: https://lore.kernel.org/r/20191203094421.hw7ex7qr3j2rbsmx@kili.mountain
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla4xxx/ql4_os.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
+index 8c674eca09f1..2323432a0edb 100644
+--- a/drivers/scsi/qla4xxx/ql4_os.c
++++ b/drivers/scsi/qla4xxx/ql4_os.c
+@@ -4275,7 +4275,6 @@ static int qla4xxx_mem_alloc(struct scsi_qla_host *ha)
+       return QLA_SUCCESS;
+ mem_alloc_error_exit:
+-      qla4xxx_mem_free(ha);
+       return QLA_ERROR;
+ }
+-- 
+2.20.1
+
diff --git a/queue-5.4/scsi-libsas-stop-discovering-if-oob-mode-is-disconne.patch b/queue-5.4/scsi-libsas-stop-discovering-if-oob-mode-is-disconne.patch
new file mode 100644 (file)
index 0000000..825b4d5
--- /dev/null
@@ -0,0 +1,147 @@
+From d326387cddbbeb72db6a0ac5db5a505b69be1d89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2019 09:11:18 +0800
+Subject: scsi: libsas: stop discovering if oob mode is disconnected
+
+From: Jason Yan <yanaijie@huawei.com>
+
+[ Upstream commit f70267f379b5e5e11bdc5d72a56bf17e5feed01f ]
+
+The discovering of sas port is driven by workqueue in libsas. When libsas
+is processing port events or phy events in workqueue, new events may rise
+up and change the state of some structures such as asd_sas_phy.  This may
+cause some problems such as follows:
+
+==>thread 1                       ==>thread 2
+
+                                  ==>phy up
+                                  ==>phy_up_v3_hw()
+                                    ==>oob_mode = SATA_OOB_MODE;
+                                  ==>phy down quickly
+                                  ==>hisi_sas_phy_down()
+                                    ==>sas_ha->notify_phy_event()
+                                    ==>sas_phy_disconnected()
+                                      ==>oob_mode = OOB_NOT_CONNECTED
+==>workqueue wakeup
+==>sas_form_port()
+  ==>sas_discover_domain()
+    ==>sas_get_port_device()
+      ==>oob_mode is OOB_NOT_CONNECTED and device
+         is wrongly taken as expander
+
+This at last lead to the panic when libsas trying to issue a command to
+discover the device.
+
+[183047.614035] Unable to handle kernel NULL pointer dereference at
+virtual address 0000000000000058
+[183047.622896] Mem abort info:
+[183047.625762]   ESR = 0x96000004
+[183047.628893]   Exception class = DABT (current EL), IL = 32 bits
+[183047.634888]   SET = 0, FnV = 0
+[183047.638015]   EA = 0, S1PTW = 0
+[183047.641232] Data abort info:
+[183047.644189]   ISV = 0, ISS = 0x00000004
+[183047.648100]   CM = 0, WnR = 0
+[183047.651145] user pgtable: 4k pages, 48-bit VAs, pgdp =
+00000000b7df67be
+[183047.657834] [0000000000000058] pgd=0000000000000000
+[183047.662789] Internal error: Oops: 96000004 [#1] SMP
+[183047.667740] Process kworker/u16:2 (pid: 31291, stack limit =
+0x00000000417c4974)
+[183047.675208] CPU: 0 PID: 3291 Comm: kworker/u16:2 Tainted: G
+W  OE 4.19.36-vhulk1907.1.0.h410.eulerosv2r8.aarch64 #1
+[183047.687015] Hardware name: N/A N/A/Kunpeng Desktop Board D920S10,
+BIOS 0.15 10/22/2019
+[183047.695007] Workqueue: 0000:74:02.0_disco_q sas_discover_domain
+[183047.700999] pstate: 20c00009 (nzCv daif +PAN +UAO)
+[183047.705864] pc : prep_ata_v3_hw+0xf8/0x230 [hisi_sas_v3_hw]
+[183047.711510] lr : prep_ata_v3_hw+0xb0/0x230 [hisi_sas_v3_hw]
+[183047.717153] sp : ffff00000f28ba60
+[183047.720541] x29: ffff00000f28ba60 x28: ffff8026852d7228
+[183047.725925] x27: ffff8027dba3e0a8 x26: ffff8027c05fc200
+[183047.731310] x25: 0000000000000000 x24: ffff8026bafa8dc0
+[183047.736695] x23: ffff8027c05fc218 x22: ffff8026852d7228
+[183047.742079] x21: ffff80007c2f2940 x20: ffff8027c05fc200
+[183047.747464] x19: 0000000000f80800 x18: 0000000000000010
+[183047.752848] x17: 0000000000000000 x16: 0000000000000000
+[183047.758232] x15: ffff000089a5a4ff x14: 0000000000000005
+[183047.763617] x13: ffff000009a5a50e x12: ffff8026bafa1e20
+[183047.769001] x11: ffff0000087453b8 x10: ffff00000f28b870
+[183047.774385] x9 : 0000000000000000 x8 : ffff80007e58f9b0
+[183047.779770] x7 : 0000000000000000 x6 : 000000000000003f
+[183047.785154] x5 : 0000000000000040 x4 : ffffffffffffffe0
+[183047.790538] x3 : 00000000000000f8 x2 : 0000000002000007
+[183047.795922] x1 : 0000000000000008 x0 : 0000000000000000
+[183047.801307] Call trace:
+[183047.803827]  prep_ata_v3_hw+0xf8/0x230 [hisi_sas_v3_hw]
+[183047.809127]  hisi_sas_task_prep+0x750/0x888 [hisi_sas_main]
+[183047.814773]  hisi_sas_task_exec.isra.7+0x88/0x1f0 [hisi_sas_main]
+[183047.820939]  hisi_sas_queue_command+0x28/0x38 [hisi_sas_main]
+[183047.826757]  smp_execute_task_sg+0xec/0x218
+[183047.831013]  smp_execute_task+0x74/0xa0
+[183047.834921]  sas_discover_expander.part.7+0x9c/0x5f8
+[183047.839959]  sas_discover_root_expander+0x90/0x160
+[183047.844822]  sas_discover_domain+0x1b8/0x1e8
+[183047.849164]  process_one_work+0x1b4/0x3f8
+[183047.853246]  worker_thread+0x54/0x470
+[183047.856981]  kthread+0x134/0x138
+[183047.860283]  ret_from_fork+0x10/0x18
+[183047.863931] Code: f9407a80 528000e2 39409281 72a04002 (b9405800)
+[183047.870097] kernel fault(0x1) notification starting on CPU 0
+[183047.875828] kernel fault(0x1) notification finished on CPU 0
+[183047.881559] Modules linked in: unibsp(OE) hns3(OE) hclge(OE)
+hnae3(OE) mem_drv(OE) hisi_sas_v3_hw(OE) hisi_sas_main(OE)
+[183047.892418] ---[ end trace 4cc26083fc11b783  ]---
+[183047.897107] Kernel panic - not syncing: Fatal exception
+[183047.902403] kernel fault(0x5) notification starting on CPU 0
+[183047.908134] kernel fault(0x5) notification finished on CPU 0
+[183047.913865] SMP: stopping secondary CPUs
+[183047.917861] Kernel Offset: disabled
+[183047.921422] CPU features: 0x2,a2a00a38
+[183047.925243] Memory Limit: none
+[183047.928372] kernel reboot(0x2) notification starting on CPU 0
+[183047.934190] kernel reboot(0x2) notification finished on CPU 0
+[183047.940008] ---[ end Kernel panic - not syncing: Fatal exception
+]---
+
+Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
+Link: https://lore.kernel.org/r/20191206011118.46909-1-yanaijie@huawei.com
+Reported-by: Gao Chuan <gaochuan4@huawei.com>
+Reviewed-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Jason Yan <yanaijie@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/libsas/sas_discover.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/libsas/sas_discover.c b/drivers/scsi/libsas/sas_discover.c
+index f47b4b281b14..d7302c2052f9 100644
+--- a/drivers/scsi/libsas/sas_discover.c
++++ b/drivers/scsi/libsas/sas_discover.c
+@@ -81,12 +81,21 @@ static int sas_get_port_device(struct asd_sas_port *port)
+               else
+                       dev->dev_type = SAS_SATA_DEV;
+               dev->tproto = SAS_PROTOCOL_SATA;
+-      } else {
++      } else if (port->oob_mode == SAS_OOB_MODE) {
+               struct sas_identify_frame *id =
+                       (struct sas_identify_frame *) dev->frame_rcvd;
+               dev->dev_type = id->dev_type;
+               dev->iproto = id->initiator_bits;
+               dev->tproto = id->target_bits;
++      } else {
++              /* If the oob mode is OOB_NOT_CONNECTED, the port is
++               * disconnected due to race with PHY down. We cannot
++               * continue to discover this port
++               */
++              sas_put_device(dev);
++              pr_warn("Port %016llx is disconnected when discovering\n",
++                      SAS_ADDR(port->attached_sas_addr));
++              return -ENODEV;
+       }
+       sas_init_dev(dev);
+-- 
+2.20.1
+
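Review bot: The new final `else` in sas_get_port_device() is described in its comment and log message as the OOB_NOT_CONNECTED case, but the code never tests for that value; it catches everything the two preceding branches rejected, and the first branch's condition is outside the hunk. If any other combination can land here, the "is disconnected when discovering" warning would mislead whoever reads the log. Either state in the comment that this branch covers every mode that is neither SATA nor SAS, or document that OOB_NOT_CONNECTED is the only value left at this point. `port->oob_mode` is read here with no locking visible in the hunk, so a one-line comment on why a point-in-time read is enough against the PHY-down race from the commit message would also be useful.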
diff --git a/queue-5.4/scsi-lpfc-fix-memory-leak-on-lpfc_bsg_write_ebuf_set.patch b/queue-5.4/scsi-lpfc-fix-memory-leak-on-lpfc_bsg_write_ebuf_set.patch
new file mode 100644 (file)
index 0000000..2598484
--- /dev/null
@@ -0,0 +1,68 @@
+From 633706a509d6b4104f32d13d7e04daa00d7dc269 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Dec 2019 03:22:46 +0000
+Subject: scsi: lpfc: Fix memory leak on lpfc_bsg_write_ebuf_set func
+
+From: Bo Wu <wubo40@huawei.com>
+
+[ Upstream commit 9a1b0b9a6dab452fb0e39fe96880c4faf3878369 ]
+
+When phba->mbox_ext_buf_ctx.seqNum != phba->mbox_ext_buf_ctx.numBuf,
+dd_data should be freed before return SLI_CONFIG_HANDLED.
+
+When lpfc_sli_issue_mbox func return fails, pmboxq should be also freed in
+job_error tag.
+
+Link: https://lore.kernel.org/r/EDBAAA0BBBA2AC4E9C8B6B81DEEE1D6915E7A966@DGGEML525-MBS.china.huawei.com
+Signed-off-by: Bo Wu <wubo40@huawei.com>
+Reviewed-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
+Reviewed-by: James Smart <james.smart@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_bsg.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_bsg.c b/drivers/scsi/lpfc/lpfc_bsg.c
+index 39a736b887b1..6c2b03415a2c 100644
+--- a/drivers/scsi/lpfc/lpfc_bsg.c
++++ b/drivers/scsi/lpfc/lpfc_bsg.c
+@@ -4489,12 +4489,6 @@ lpfc_bsg_write_ebuf_set(struct lpfc_hba *phba, struct bsg_job *job,
+       phba->mbox_ext_buf_ctx.seqNum++;
+       nemb_tp = phba->mbox_ext_buf_ctx.nembType;
+-      dd_data = kmalloc(sizeof(struct bsg_job_data), GFP_KERNEL);
+-      if (!dd_data) {
+-              rc = -ENOMEM;
+-              goto job_error;
+-      }
+-
+       pbuf = (uint8_t *)dmabuf->virt;
+       size = job->request_payload.payload_len;
+       sg_copy_to_buffer(job->request_payload.sg_list,
+@@ -4531,6 +4525,13 @@ lpfc_bsg_write_ebuf_set(struct lpfc_hba *phba, struct bsg_job *job,
+                               "2968 SLI_CONFIG ext-buffer wr all %d "
+                               "ebuffers received\n",
+                               phba->mbox_ext_buf_ctx.numBuf);
++
++              dd_data = kmalloc(sizeof(struct bsg_job_data), GFP_KERNEL);
++              if (!dd_data) {
++                      rc = -ENOMEM;
++                      goto job_error;
++              }
++
+               /* mailbox command structure for base driver */
+               pmboxq = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL);
+               if (!pmboxq) {
+@@ -4579,6 +4580,8 @@ lpfc_bsg_write_ebuf_set(struct lpfc_hba *phba, struct bsg_job *job,
+       return SLI_CONFIG_HANDLED;
+ job_error:
++      if (pmboxq)
++              mempool_free(pmboxq, phba->mbox_mem_pool);
+       lpfc_bsg_dma_page_free(phba, dmabuf);
+       kfree(dd_data);
+-- 
+2.20.1
+
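Review bot: The relocated `kmalloc` failure path in lpfc_bsg_write_ebuf_set() jumps to `job_error` before `pmboxq` is assigned, so the new `if (pmboxq)` test there reads a pointer that is only meaningful if it was initialised to NULL at its declaration. The same holds for `kfree(dd_data)` on any `goto job_error` taken before the moved allocation. Both declarations are outside the hunk, so this should be confirmed. A short comment at the label, for example `/* pmboxq and dd_data are NULL unless allocated above */`, would make that dependency explicit.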
diff --git a/queue-5.4/scsi-qla2xxx-configure-local-loop-for-n2n-target.patch b/queue-5.4/scsi-qla2xxx-configure-local-loop-for-n2n-target.patch
new file mode 100644 (file)
index 0000000..e42cfc8
--- /dev/null
@@ -0,0 +1,57 @@
+From 69059f09913b171e0aeb97be467cc8baccdd3990 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Nov 2019 19:56:58 +0300
+Subject: scsi: qla2xxx: Configure local loop for N2N target
+
+From: Roman Bolshakov <r.bolshakov@yadro.com>
+
+[ Upstream commit fd1de5830a5abaf444cc4312871e02c41e24fdc1 ]
+
+qla2x00_configure_local_loop initializes PLOGI payload for PLOGI ELS using
+Get Parameters mailbox command.
+
+In the case when the driver is running in target mode, the topology is N2N
+and the target port has higher WWPN, LOCAL_LOOP_UPDATE bit is cleared too
+early and PLOGI payload is not initialized by the Get Parameters
+command. That causes a failure of ELS IOCB carrying the PLOGI with 0x15 aka
+Data Underrun error.
+
+LOCAL_LOOP_UPDATE has to be set to initialize PLOGI payload.
+
+Fixes: 48acad099074 ("scsi: qla2xxx: Fix N2N link re-connect")
+Link: https://lore.kernel.org/r/20191125165702.1013-10-r.bolshakov@yadro.com
+Acked-by: Quinn Tran <qutran@marvell.com>
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Tested-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_init.c | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
+index 5d31e3d52b6b..4e424f1ce5de 100644
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -4927,14 +4927,8 @@ qla2x00_configure_loop(scsi_qla_host_t *vha)
+               set_bit(RSCN_UPDATE, &flags);
+               clear_bit(LOCAL_LOOP_UPDATE, &flags);
+-      } else if (ha->current_topology == ISP_CFG_N) {
+-              clear_bit(RSCN_UPDATE, &flags);
+-              if (qla_tgt_mode_enabled(vha)) {
+-                      /* allow the other side to start the login */
+-                      clear_bit(LOCAL_LOOP_UPDATE, &flags);
+-                      set_bit(RELOGIN_NEEDED, &vha->dpc_flags);
+-              }
+-      } else if (ha->current_topology == ISP_CFG_NL) {
++      } else if (ha->current_topology == ISP_CFG_NL ||
++                 ha->current_topology == ISP_CFG_N) {
+               clear_bit(RSCN_UPDATE, &flags);
+               set_bit(LOCAL_LOOP_UPDATE, &flags);
+       } else if (!vha->flags.online ||
+-- 
+2.20.1
+
diff --git a/queue-5.4/scsi-qla2xxx-don-t-call-qlt_async_event-twice.patch b/queue-5.4/scsi-qla2xxx-don-t-call-qlt_async_event-twice.patch
new file mode 100644 (file)
index 0000000..529e6c5
--- /dev/null
@@ -0,0 +1,51 @@
+From 0ba459bba31c871950b40f852b103916f7fd2f9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Nov 2019 19:56:56 +0300
+Subject: scsi: qla2xxx: Don't call qlt_async_event twice
+
+From: Roman Bolshakov <r.bolshakov@yadro.com>
+
+[ Upstream commit 2c2f4bed9b6299e6430a65a29b5d27b8763fdf25 ]
+
+MBA_PORT_UPDATE generates duplicate log lines in target mode because
+qlt_async_event is called twice. Drop the calls within the case as the
+function will be called right after the switch statement.
+
+Cc: Quinn Tran <qutran@marvell.com>
+Link: https://lore.kernel.org/r/20191125165702.1013-8-r.bolshakov@yadro.com
+Acked-by: Himanshu Madhani <hmadhani@marvel.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Tested-by: Hannes Reinecke <hare@suse.de>
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_isr.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
+index 9204e8467a4e..b3766b1879e3 100644
+--- a/drivers/scsi/qla2xxx/qla_isr.c
++++ b/drivers/scsi/qla2xxx/qla_isr.c
+@@ -1061,8 +1061,6 @@ qla2x00_async_event(scsi_qla_host_t *vha, struct rsp_que *rsp, uint16_t *mb)
+                       ql_dbg(ql_dbg_async, vha, 0x5011,
+                           "Asynchronous PORT UPDATE ignored %04x/%04x/%04x.\n",
+                           mb[1], mb[2], mb[3]);
+-
+-                      qlt_async_event(mb[0], vha, mb);
+                       break;
+               }
+@@ -1079,8 +1077,6 @@ qla2x00_async_event(scsi_qla_host_t *vha, struct rsp_que *rsp, uint16_t *mb)
+               set_bit(LOOP_RESYNC_NEEDED, &vha->dpc_flags);
+               set_bit(LOCAL_LOOP_UPDATE, &vha->dpc_flags);
+               set_bit(VP_CONFIG_OK, &vha->vp_flags);
+-
+-              qlt_async_event(mb[0], vha, mb);
+               break;
+       case MBA_RSCN_UPDATE:           /* State Change Registration */
+-- 
+2.20.1
+
diff --git a/queue-5.4/scsi-qla2xxx-don-t-defer-relogin-unconditonally.patch b/queue-5.4/scsi-qla2xxx-don-t-defer-relogin-unconditonally.patch
new file mode 100644 (file)
index 0000000..4fced41
--- /dev/null
@@ -0,0 +1,44 @@
+From cb6654fa4596514d61d6350c5c32b12a445eabf4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Nov 2019 19:57:00 +0300
+Subject: scsi: qla2xxx: Don't defer relogin unconditonally
+
+From: Roman Bolshakov <r.bolshakov@yadro.com>
+
+[ Upstream commit dabc5ec915f3a2c657ecfb529cd3d4ec303a4412 ]
+
+qla2x00_configure_local_loop sets RELOGIN_NEEDED bit and calls
+qla24xx_fcport_handle_login to perform the login. This bit triggers a wake
+up of DPC later after a successful login.
+
+The deferred call is not needed if login succeeds, and it's set in
+qla24xx_fcport_handle_login in case of errors, hence it should be safe to
+drop.
+
+Link: https://lore.kernel.org/r/20191125165702.1013-12-r.bolshakov@yadro.com
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Acked-by: Quinn Tran <qutran@marvell.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Tested-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_init.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
+index 4e424f1ce5de..80f276d67c14 100644
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -5045,7 +5045,6 @@ qla2x00_configure_local_loop(scsi_qla_host_t *vha)
+                               memcpy(&ha->plogi_els_payld.data,
+                                   (void *)ha->init_cb,
+                                   sizeof(ha->plogi_els_payld.data));
+-                              set_bit(RELOGIN_NEEDED, &vha->dpc_flags);
+                       } else {
+                               ql_dbg(ql_dbg_init, vha, 0x00d1,
+                                   "PLOGI ELS param read fail.\n");
+-- 
+2.20.1
+
diff --git a/queue-5.4/scsi-qla2xxx-drop-superfluous-init_work-of-del_work.patch b/queue-5.4/scsi-qla2xxx-drop-superfluous-init_work-of-del_work.patch
new file mode 100644 (file)
index 0000000..30faf0d
--- /dev/null
@@ -0,0 +1,42 @@
+From a0299ae0c93c338202d3a38064955fa840a6975f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Nov 2019 19:56:53 +0300
+Subject: scsi: qla2xxx: Drop superfluous INIT_WORK of del_work
+
+From: Roman Bolshakov <r.bolshakov@yadro.com>
+
+[ Upstream commit 600954e6f2df695434887dfc6a99a098859990cf ]
+
+del_work is already initialized inside qla2x00_alloc_fcport, there's no
+need to overwrite it. Indeed, it might prevent complete traversal of
+workqueue list.
+
+Fixes: a01c77d2cbc45 ("scsi: qla2xxx: Move session delete to driver work queue")
+Cc: Quinn Tran <qutran@marvell.com>
+Link: https://lore.kernel.org/r/20191125165702.1013-5-r.bolshakov@yadro.com
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Tested-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_target.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c
+index 950764ed4ab2..18522ac79d9e 100644
+--- a/drivers/scsi/qla2xxx/qla_target.c
++++ b/drivers/scsi/qla2xxx/qla_target.c
+@@ -1265,7 +1265,6 @@ void qlt_schedule_sess_for_deletion(struct fc_port *sess)
+           "Scheduling sess %p for deletion %8phC\n",
+           sess, sess->port_name);
+-      INIT_WORK(&sess->del_work, qla24xx_delete_sess_fn);
+       WARN_ON(!queue_work(sess->vha->hw->wq, &sess->del_work));
+ }
+-- 
+2.20.1
+
diff --git a/queue-5.4/scsi-qla2xxx-fix-plogi-payload-and-els-iocb-dump-len.patch b/queue-5.4/scsi-qla2xxx-fix-plogi-payload-and-els-iocb-dump-len.patch
new file mode 100644 (file)
index 0000000..ab500e2
--- /dev/null
@@ -0,0 +1,52 @@
+From cc3997700b63bb866dd5cf708443f46244f302eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Nov 2019 19:56:57 +0300
+Subject: scsi: qla2xxx: Fix PLOGI payload and ELS IOCB dump length
+
+From: Roman Bolshakov <r.bolshakov@yadro.com>
+
+[ Upstream commit 0334cdea1fba36fad8bdf9516f267ce01de625f7 ]
+
+The size of the buffer is hardcoded as 0x70 or 112 bytes, while the size of
+ELS IOCB is 0x40 and the size of PLOGI payload returned by Get Parameters
+command is 0x74.
+
+Cc: Quinn Tran <qutran@marvell.com>
+Link: https://lore.kernel.org/r/20191125165702.1013-9-r.bolshakov@yadro.com
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Tested-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_iocb.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_iocb.c b/drivers/scsi/qla2xxx/qla_iocb.c
+index 44dc97cebb06..bdf1994251b9 100644
+--- a/drivers/scsi/qla2xxx/qla_iocb.c
++++ b/drivers/scsi/qla2xxx/qla_iocb.c
+@@ -2684,7 +2684,8 @@ qla24xx_els_logo_iocb(srb_t *sp, struct els_entry_24xx *els_iocb)
+               ql_dbg(ql_dbg_io + ql_dbg_buffer, vha, 0x3073,
+                   "PLOGI ELS IOCB:\n");
+               ql_dump_buffer(ql_log_info, vha, 0x0109,
+-                  (uint8_t *)els_iocb, 0x70);
++                  (uint8_t *)els_iocb,
++                  sizeof(*els_iocb));
+       } else {
+               els_iocb->control_flags = 1 << 13;
+               els_iocb->tx_byte_count =
+@@ -2850,7 +2851,8 @@ qla24xx_els_dcmd2_iocb(scsi_qla_host_t *vha, int els_opcode,
+       ql_dbg(ql_dbg_disc + ql_dbg_buffer, vha, 0x3073, "PLOGI buffer:\n");
+       ql_dump_buffer(ql_dbg_disc + ql_dbg_buffer, vha, 0x0109,
+-          (uint8_t *)elsio->u.els_plogi.els_plogi_pyld, 0x70);
++          (uint8_t *)elsio->u.els_plogi.els_plogi_pyld,
++          sizeof(*elsio->u.els_plogi.els_plogi_pyld));
+       rval = qla2x00_start_sp(sp);
+       if (rval != QLA_SUCCESS) {
+-- 
+2.20.1
+
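Review bot: Both replacement lengths in qla_iocb.c use `sizeof(*ptr)`, which is correct only while `els_iocb` and `els_plogi_pyld` each point at exactly one structure of the dumped type, and nothing at the two `ql_dump_buffer()` calls records that. Per the commit message the old literal 0x70 was larger than the 0x40-byte ELS IOCB, so the first call read past the object into the log. A comment such as `/* length must match the object dumped; a literal over-read the IOCB here before */` above that call would discourage reintroducing a constant. The declaration of `els_plogi_pyld` and the size of the buffer behind it are outside the hunk, so confirm the buffer is at least `sizeof(*elsio->u.els_plogi.els_plogi_pyld)` bytes. Both functions continue outside the hunk.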
diff --git a/queue-5.4/scsi-qla2xxx-ignore-port-update-after-n2n-plogi.patch b/queue-5.4/scsi-qla2xxx-ignore-port-update-after-n2n-plogi.patch
new file mode 100644 (file)
index 0000000..9a99b61
--- /dev/null
@@ -0,0 +1,59 @@
+From 951be690ed97503e584a8d8b50a25a9f406fd581 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Nov 2019 19:57:01 +0300
+Subject: scsi: qla2xxx: Ignore PORT UPDATE after N2N PLOGI
+
+From: Roman Bolshakov <r.bolshakov@yadro.com>
+
+[ Upstream commit af22f0c7b052c5c203207f1e5ebd6aa65f87c538 ]
+
+PORT UPDATE asynchronous event is generated on the host that issues PLOGI
+ELS (in the case of higher WWPN). In that case, the event shouldn't be
+handled as it sets unwanted DPC flags (i.e. LOOP_RESYNC_NEEDED) that
+trigger link flap.
+
+Ignore the event if the host has higher WWPN, but handle otherwise.
+
+Cc: Quinn Tran <qutran@marvell.com>
+Link: https://lore.kernel.org/r/20191125165702.1013-13-r.bolshakov@yadro.com
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Tested-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_mbx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c
+index 4d90cf101f5f..eac76e934cbe 100644
+--- a/drivers/scsi/qla2xxx/qla_mbx.c
++++ b/drivers/scsi/qla2xxx/qla_mbx.c
+@@ -3920,6 +3920,7 @@ qla24xx_report_id_acquisition(scsi_qla_host_t *vha,
+                                       vha->d_id.b24 = 0;
+                                       vha->d_id.b.al_pa = 1;
+                                       ha->flags.n2n_bigger = 1;
++                                      ha->flags.n2n_ae = 0;
+                                       id.b.al_pa = 2;
+                                       ql_dbg(ql_dbg_async, vha, 0x5075,
+@@ -3930,6 +3931,7 @@ qla24xx_report_id_acquisition(scsi_qla_host_t *vha,
+                                           "Format 1: Remote login - Waiting for WWPN %8phC.\n",
+                                           rptid_entry->u.f1.port_name);
+                                       ha->flags.n2n_bigger = 0;
++                                      ha->flags.n2n_ae = 1;
+                               }
+                               qla24xx_post_newsess_work(vha, &id,
+                                   rptid_entry->u.f1.port_name,
+@@ -3941,7 +3943,6 @@ qla24xx_report_id_acquisition(scsi_qla_host_t *vha,
+                       /* if our portname is higher then initiate N2N login */
+                       set_bit(N2N_LOGIN_NEEDED, &vha->dpc_flags);
+-                      ha->flags.n2n_ae = 1;
+                       return;
+                       break;
+               case TOPO_FL:
+-- 
+2.20.1
+
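Review bot: After this change `ha->flags.n2n_ae` is always written as the inverse of `ha->flags.n2n_bigger` in qla24xx_report_id_acquisition(), yet neither assignment says what the flag gates. Going by the commit message, the intent is that the side with the higher WWPN ignores the PORT UPDATE event its own PLOGI generates. A comment such as `/* we issue the PLOGI: ignore the PORT UPDATE it generates */` next to `ha->flags.n2n_ae = 0;` would record that, with the converse next to `ha->flags.n2n_ae = 1;`. The code that reads `n2n_ae` is outside the hunk, so confirm it treats 0 as "ignore". The function starts and ends outside the hunk.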
diff --git a/queue-5.4/scsi-qla2xxx-send-notify-ack-after-n2n-plogi.patch b/queue-5.4/scsi-qla2xxx-send-notify-ack-after-n2n-plogi.patch
new file mode 100644 (file)
index 0000000..577d701
--- /dev/null
@@ -0,0 +1,46 @@
+From 32df77c20e5476f54eb2d699df3e4ca75e6fd697 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Nov 2019 19:56:59 +0300
+Subject: scsi: qla2xxx: Send Notify ACK after N2N PLOGI
+
+From: Roman Bolshakov <r.bolshakov@yadro.com>
+
+[ Upstream commit 5e6b01d84b9d20bcd77fc7c4733a2a4149bf220a ]
+
+qlt_handle_login schedules session for deletion even if a login is in
+progress. That causes login bouncing, i.e. a few logins are made before it
+settles down.
+
+Complete the first login by sending Notify Acknowledge IOCB via
+qlt_plogi_ack_unref if the session is pending login completion.
+
+Fixes: 9cd883f07a54 ("scsi: qla2xxx: Fix session cleanup for N2N")
+Cc: Krishna Kant <krishna.kant@purestorage.com>
+Cc: Alexei Potashnik <alexei@purestorage.com>
+Link: https://lore.kernel.org/r/20191125165702.1013-11-r.bolshakov@yadro.com
+Acked-by: Quinn Tran <qutran@marvell.com>
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Tested-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_target.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c
+index 18522ac79d9e..74a378a91b71 100644
+--- a/drivers/scsi/qla2xxx/qla_target.c
++++ b/drivers/scsi/qla2xxx/qla_target.c
+@@ -4803,6 +4803,7 @@ static int qlt_handle_login(struct scsi_qla_host *vha,
+       switch (sess->disc_state) {
+       case DSC_DELETED:
++      case DSC_LOGIN_PEND:
+               qlt_plogi_ack_unref(vha, pla);
+               break;
+-- 
+2.20.1
+
diff --git a/queue-5.4/scsi-qla2xxx-use-explicit-logo-in-target-mode.patch b/queue-5.4/scsi-qla2xxx-use-explicit-logo-in-target-mode.patch
new file mode 100644 (file)
index 0000000..83a238c
--- /dev/null
@@ -0,0 +1,99 @@
+From 40836029a18f8220825b4f6a97ce547b884b43ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Nov 2019 19:56:51 +0300
+Subject: scsi: qla2xxx: Use explicit LOGO in target mode
+
+From: Quinn Tran <qutran@marvell.com>
+
+[ Upstream commit 86196a8fa8a84af1395a28ea0548f2ce6ae9bc22 ]
+
+Target makes implicit LOGO on session teardown. LOGO ELS is not send on the
+wire and initiator is not aware that target no longer wants talking to
+it. Initiator keeps sending I/O requests, target responds with BA_RJT, they
+time out and then initiator sends ABORT TASK (ABTS-LS).
+
+Current behaviour incurs unneeded I/O timeout and can be fixed for some
+initiators by making explicit LOGO on session deletion.
+
+Link: https://lore.kernel.org/r/20191125165702.1013-3-r.bolshakov@yadro.com
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Tested-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_def.h     |  1 +
+ drivers/scsi/qla2xxx/qla_iocb.c    | 16 ++++++++++++----
+ drivers/scsi/qla2xxx/qla_target.c  |  1 +
+ drivers/scsi/qla2xxx/tcm_qla2xxx.c |  1 +
+ 4 files changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h
+index d5386edddaf6..1eb3fe281cc3 100644
+--- a/drivers/scsi/qla2xxx/qla_def.h
++++ b/drivers/scsi/qla2xxx/qla_def.h
+@@ -2401,6 +2401,7 @@ typedef struct fc_port {
+       unsigned int id_changed:1;
+       unsigned int scan_needed:1;
+       unsigned int n2n_flag:1;
++      unsigned int explicit_logout:1;
+       struct completion nvme_del_done;
+       uint32_t nvme_prli_service_param;
+diff --git a/drivers/scsi/qla2xxx/qla_iocb.c b/drivers/scsi/qla2xxx/qla_iocb.c
+index 518eb954cf42..44dc97cebb06 100644
+--- a/drivers/scsi/qla2xxx/qla_iocb.c
++++ b/drivers/scsi/qla2xxx/qla_iocb.c
+@@ -2405,11 +2405,19 @@ qla2x00_login_iocb(srb_t *sp, struct mbx_entry *mbx)
+ static void
+ qla24xx_logout_iocb(srb_t *sp, struct logio_entry_24xx *logio)
+ {
++      u16 control_flags = LCF_COMMAND_LOGO;
+       logio->entry_type = LOGINOUT_PORT_IOCB_TYPE;
+-      logio->control_flags =
+-          cpu_to_le16(LCF_COMMAND_LOGO|LCF_IMPL_LOGO);
+-      if (!sp->fcport->keep_nport_handle)
+-              logio->control_flags |= cpu_to_le16(LCF_FREE_NPORT);
++
++      if (sp->fcport->explicit_logout) {
++              control_flags |= LCF_EXPL_LOGO|LCF_FREE_NPORT;
++      } else {
++              control_flags |= LCF_IMPL_LOGO;
++
++              if (!sp->fcport->keep_nport_handle)
++                      control_flags |= LCF_FREE_NPORT;
++      }
++
++      logio->control_flags = cpu_to_le16(control_flags);
+       logio->nport_handle = cpu_to_le16(sp->fcport->loop_id);
+       logio->port_id[0] = sp->fcport->d_id.b.al_pa;
+       logio->port_id[1] = sp->fcport->d_id.b.area;
+diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c
+index a9bd0f513316..950764ed4ab2 100644
+--- a/drivers/scsi/qla2xxx/qla_target.c
++++ b/drivers/scsi/qla2xxx/qla_target.c
+@@ -1104,6 +1104,7 @@ void qlt_free_session_done(struct work_struct *work)
+               }
+       }
++      sess->explicit_logout = 0;
+       spin_unlock_irqrestore(&ha->tgt.sess_lock, flags);
+       sess->free_pending = 0;
+diff --git a/drivers/scsi/qla2xxx/tcm_qla2xxx.c b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
+index bab2073c1f72..abe7f79bb789 100644
+--- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c
++++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
+@@ -350,6 +350,7 @@ static void tcm_qla2xxx_close_session(struct se_session *se_sess)
+       target_sess_cmd_list_set_waiting(se_sess);
+       spin_unlock_irqrestore(&vha->hw->tgt.sess_lock, flags);
++      sess->explicit_logout = 1;
+       tcm_qla2xxx_put_sess(sess);
+ }
+-- 
+2.20.1
+
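Review bot: In tcm_qla2xxx_close_session() the new `sess->explicit_logout = 1;` is stored after `spin_unlock_irqrestore(&vha->hw->tgt.sess_lock, flags);`, whereas the matching clear in qlt_free_session_done() is placed before the unlock. `explicit_logout` is a one-bit field declared beside `id_changed`, `scan_needed` and `n2n_flag` in struct fc_port, so an unlocked store is a read-modify-write of the shared word and could lose a concurrent update to a neighbouring flag. Unless those fields are serialised some other way (not visible in these hunks), move the assignment one line up so that it sits before `spin_unlock_irqrestore(&vha->hw->tgt.sess_lock, flags);`. Separately, the explicit branch in qla24xx_logout_iocb() sets `LCF_FREE_NPORT` without consulting `keep_nport_handle`; if that is intended, a short comment there would say so.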
diff --git a/queue-5.4/sctp-fix-err-handling-of-stream-initialization.patch b/queue-5.4/sctp-fix-err-handling-of-stream-initialization.patch
new file mode 100644 (file)
index 0000000..261f3a6
--- /dev/null
@@ -0,0 +1,110 @@
+From 97d940e880223f65b405b8cd37a8d3ea6b75b7a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Dec 2019 15:03:44 -0300
+Subject: sctp: fix err handling of stream initialization
+
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+
+[ Upstream commit 61d5d4062876e21331c3d0ba4b02dbd50c06a658 ]
+
+The fix on 951c6db954a1 fixed the issued reported there but introduced
+another. When the allocation fails within sctp_stream_init() it is
+okay/necessary to free the genradix. But it is also called when adding
+new streams, from sctp_send_add_streams() and
+sctp_process_strreset_addstrm_in() and in those situations it cannot
+just free the genradix because by then it is a fully operational
+association.
+
+The fix here then is to only free the genradix in sctp_stream_init()
+and on those other call sites  move on with what it already had and let
+the subsequent error handling to handle it.
+
+Tested with the reproducers from this report and the previous one,
+with lksctp-tools and sctp-tests.
+
+Reported-by: syzbot+9a1bc632e78a1a98488b@syzkaller.appspotmail.com
+Fixes: 951c6db954a1 ("sctp: fix memleak on err handling of stream initialization")
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/stream.c | 30 +++++++++++++++---------------
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/net/sctp/stream.c b/net/sctp/stream.c
+index 6a30392068a0..c1a100d2fed3 100644
+--- a/net/sctp/stream.c
++++ b/net/sctp/stream.c
+@@ -84,10 +84,8 @@ static int sctp_stream_alloc_out(struct sctp_stream *stream, __u16 outcnt,
+               return 0;
+       ret = genradix_prealloc(&stream->out, outcnt, gfp);
+-      if (ret) {
+-              genradix_free(&stream->out);
++      if (ret)
+               return ret;
+-      }
+       stream->outcnt = outcnt;
+       return 0;
+@@ -102,10 +100,8 @@ static int sctp_stream_alloc_in(struct sctp_stream *stream, __u16 incnt,
+               return 0;
+       ret = genradix_prealloc(&stream->in, incnt, gfp);
+-      if (ret) {
+-              genradix_free(&stream->in);
++      if (ret)
+               return ret;
+-      }
+       stream->incnt = incnt;
+       return 0;
+@@ -123,7 +119,7 @@ int sctp_stream_init(struct sctp_stream *stream, __u16 outcnt, __u16 incnt,
+        * a new one with new outcnt to save memory if needed.
+        */
+       if (outcnt == stream->outcnt)
+-              goto in;
++              goto handle_in;
+       /* Filter out chunks queued on streams that won't exist anymore */
+       sched->unsched_all(stream);
+@@ -132,24 +128,28 @@ int sctp_stream_init(struct sctp_stream *stream, __u16 outcnt, __u16 incnt,
+       ret = sctp_stream_alloc_out(stream, outcnt, gfp);
+       if (ret)
+-              goto out;
++              goto out_err;
+       for (i = 0; i < stream->outcnt; i++)
+               SCTP_SO(stream, i)->state = SCTP_STREAM_OPEN;
+-in:
++handle_in:
+       sctp_stream_interleave_init(stream);
+       if (!incnt)
+               goto out;
+       ret = sctp_stream_alloc_in(stream, incnt, gfp);
+-      if (ret) {
+-              sched->free(stream);
+-              genradix_free(&stream->out);
+-              stream->outcnt = 0;
+-              goto out;
+-      }
++      if (ret)
++              goto in_err;
++
++      goto out;
++in_err:
++      sched->free(stream);
++      genradix_free(&stream->in);
++out_err:
++      genradix_free(&stream->out);
++      stream->outcnt = 0;
+ out:
+       return ret;
+ }
+-- 
+2.20.1
+
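Review bot: The new `in_err:` path in sctp_stream_init() frees `stream->in` and then falls through to `out_err:`, which zeroes `stream->outcnt`, but `stream->incnt` is left as it was. If the function can be entered with a non-zero `incnt` from an earlier initialisation (the callers are outside the hunk), the count would outlive the freed genradix and later indexing by `incnt` would touch freed storage. Adding `stream->incnt = 0;` after `genradix_free(&stream->in);` makes the two error paths symmetric. The `out_err:` path also frees `stream->out` without calling `sched->free(stream)`, unlike `in_err:`; a one-line comment on why scheduler state needs no cleanup there would help. The function body starts outside the hunk.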
diff --git a/queue-5.4/series b/queue-5.4/series
new file mode 100644 (file)
index 0000000..75612f6
--- /dev/null
@@ -0,0 +1,79 @@
+revert-iwlwifi-assign-directly-to-iwl_trans-cfg-in-q.patch
+drm-mcde-dsi-fix-invalid-pointer-dereference-if-pane.patch
+nvme_fc-add-module-to-ops-template-to-allow-module-r.patch
+nvme-fc-fix-double-free-scenarios-on-hw-queues.patch
+drm-amdgpu-add-check-before-enabling-disabling-broad.patch
+drm-amdgpu-add-header-line-for-power-profile-on-arct.patch
+drm-amdgpu-add-cache-flush-workaround-to-gfx8-emit_f.patch
+drm-amd-display-map-dsc-resources-1-to-1-if-numbers-.patch
+drm-amd-display-fixed-kernel-panic-when-booting-with.patch
+drm-amd-display-change-the-delay-time-before-enablin.patch
+drm-amd-display-reset-steer-fifo-before-unblanking-t.patch
+drm-amd-display-update-dispclk-and-dppclk-vco-freque.patch
+nvme-pci-fix-write-and-poll-queue-types.patch
+nvme-pci-fix-read-queue-count.patch
+iio-st_accel-fix-unused-variable-warning.patch
+iio-adc-max9611-fix-too-short-conversion-time-delay.patch
+pm-devfreq-fix-devfreq_notifier_call-returning-errno.patch
+pm-devfreq-set-scaling_max_freq-to-max-on-opp-notifi.patch
+pm-devfreq-don-t-fail-devfreq_dev_release-if-not-in-.patch
+afs-fix-afs_find_server-lookups-for-ipv4-peers.patch
+afs-fix-selinux-setting-security-label-on-afs.patch
+rdma-cma-add-missed-unregister_pernet_subsys-in-init.patch
+rxe-correctly-calculate-icrc-for-unaligned-payloads.patch
+scsi-lpfc-fix-memory-leak-on-lpfc_bsg_write_ebuf_set.patch
+scsi-qla2xxx-use-explicit-logo-in-target-mode.patch
+scsi-qla2xxx-drop-superfluous-init_work-of-del_work.patch
+scsi-qla2xxx-don-t-call-qlt_async_event-twice.patch
+scsi-qla2xxx-fix-plogi-payload-and-els-iocb-dump-len.patch
+scsi-qla2xxx-configure-local-loop-for-n2n-target.patch
+scsi-qla2xxx-send-notify-ack-after-n2n-plogi.patch
+scsi-qla2xxx-don-t-defer-relogin-unconditonally.patch
+scsi-qla2xxx-ignore-port-update-after-n2n-plogi.patch
+scsi-iscsi-qla4xxx-fix-double-free-in-probe.patch
+scsi-libsas-stop-discovering-if-oob-mode-is-disconne.patch
+scsi-iscsi-avoid-potential-deadlock-in-iscsi_if_rx-f.patch
+staging-wlan-ng-add-crc32-dependency-in-kconfig.patch
+drm-nouveau-move-the-declaration-of-struct-nouveau_c.patch
+drm-nouveau-fix-drm-core-using-atomic-code-paths-on-.patch
+drm-nouveau-kms-nv50-fix-panel-scaling.patch
+usb-gadget-fix-wrong-endpoint-desc.patch
+net-make-socket-read-write_iter-honor-iocb_nowait.patch
+afs-fix-mountpoint-parsing.patch
+afs-fix-creation-calls-in-the-dynamic-root-to-fail-w.patch
+raid5-need-to-set-stripe_handle-for-batch-head.patch
+md-raid1-check-rdev-before-reference-in-raid1_sync_r.patch
+s390-cpum_sf-adjust-sampling-interval-to-avoid-hitti.patch
+s390-cpum_sf-avoid-sbd-overflow-condition-in-irq-han.patch
+rdma-counter-prevent-auto-binding-a-qp-which-are-not.patch
+ib-mlx4-follow-mirror-sequence-of-device-add-during-.patch
+ib-mlx5-fix-steering-rule-of-drop-and-count.patch
+xen-blkback-prevent-premature-module-unload.patch
+xen-balloon-fix-ballooned-page-accounting-without-ho.patch
+pm-hibernate-memory_bm_find_bit-tighten-node-optimis.patch
+alsa-hda-realtek-add-bass-speaker-and-fixed-dac-for-.patch
+alsa-hda-realtek-enable-the-bass-speaker-of-asus-ux4.patch
+pci-add-a-helper-to-check-power-resource-requirement.patch
+alsa-hda-allow-hda-to-be-runtime-suspended-when-dgpu.patch
+pci-fix-missing-inline-for-pci_pr3_present.patch
+alsa-hda-fixup-for-the-bass-speaker-on-lenovo-carbon.patch
+tcp-fix-data-race-in-tcp_recvmsg.patch
+inetpeer-fix-data-race-in-inet_putpeer-inet_putpeer.patch
+net-add-a-read_once-in-skb_peek_tail.patch
+net-icmp-fix-data-race-in-cmp_global_allow.patch
+io_uring-io_allocate_scq_urings-should-return-a-sane.patch
+shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dro.patch
+xfs-fix-mount-failure-crash-on-invalid-iclog-memory-.patch
+taskstats-fix-data-race.patch
+drm-limit-to-int_max-in-create_blob-ioctl.patch
+netfilter-bridge-make-sure-to-pull-arp-header-in-br_.patch
+tomoyo-don-t-use-nifty-names-on-sockets.patch
+6pack-mkiss-fix-possible-deadlock.patch
+net-smc-add-fallback-check-to-connect.patch
+powerpc-fix-__clear_user-with-kuap-enabled.patch
+alsa-hda-downgrade-error-message-for-single-cmd-fall.patch
+netfilter-ebtables-compat-reject-all-padding-in-matc.patch
+sctp-fix-err-handling-of-stream-initialization.patch
+netfilter-nft_tproxy-fix-port-selector-on-big-endian.patch
+block-add-bio_truncate-to-fix-guard_bio_eod.patch
+mm-drop-mmap_sem-before-calling-balance_dirty_pages-.patch
diff --git a/queue-5.4/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dro.patch b/queue-5.4/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dro.patch
new file mode 100644 (file)
index 0000000..f9ec0bd
--- /dev/null
@@ -0,0 +1,92 @@
+From 7088284e1e36561511ab7d5807bfdbfcf989048d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 Nov 2019 17:50:26 -0800
+Subject: shmem: pin the file in shmem_fault() if mmap_sem is dropped
+
+From: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+
+[ Upstream commit 8897c1b1a1795cab23d5ac13e4e23bf0b5f4e0c6 ]
+
+syzbot found the following crash:
+
+  BUG: KASAN: use-after-free in perf_trace_lock_acquire+0x401/0x530 include/trace/events/lock.h:13
+  Read of size 8 at addr ffff8880a5cf2c50 by task syz-executor.0/26173
+
+  CPU: 0 PID: 26173 Comm: syz-executor.0 Not tainted 5.3.0-rc6 #146
+  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+  Call Trace:
+     perf_trace_lock_acquire+0x401/0x530 include/trace/events/lock.h:13
+     trace_lock_acquire include/trace/events/lock.h:13 [inline]
+     lock_acquire+0x2de/0x410 kernel/locking/lockdep.c:4411
+     __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
+     _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151
+     spin_lock include/linux/spinlock.h:338 [inline]
+     shmem_fault+0x5ec/0x7b0 mm/shmem.c:2034
+     __do_fault+0x111/0x540 mm/memory.c:3083
+     do_shared_fault mm/memory.c:3535 [inline]
+     do_fault mm/memory.c:3613 [inline]
+     handle_pte_fault mm/memory.c:3840 [inline]
+     __handle_mm_fault+0x2adf/0x3f20 mm/memory.c:3964
+     handle_mm_fault+0x1b5/0x6b0 mm/memory.c:4001
+     do_user_addr_fault arch/x86/mm/fault.c:1441 [inline]
+     __do_page_fault+0x536/0xdd0 arch/x86/mm/fault.c:1506
+     do_page_fault+0x38/0x590 arch/x86/mm/fault.c:1530
+     page_fault+0x39/0x40 arch/x86/entry/entry_64.S:1202
+
+It happens if the VMA got unmapped under us while we dropped mmap_sem
+and inode got freed.
+
+Pinning the file if we drop mmap_sem fixes the issue.
+
+Link: http://lkml.kernel.org/r/20190927083908.rhifa4mmaxefc24r@box
+Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Reported-by: syzbot+03ee87124ee05af991bd@syzkaller.appspotmail.com
+Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: Hillf Danton <hdanton@sina.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/shmem.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/mm/shmem.c b/mm/shmem.c
+index 7a22e3e03d11..6074714fdbd4 100644
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -2022,16 +2022,14 @@ static vm_fault_t shmem_fault(struct vm_fault *vmf)
+                   shmem_falloc->waitq &&
+                   vmf->pgoff >= shmem_falloc->start &&
+                   vmf->pgoff < shmem_falloc->next) {
++                      struct file *fpin;
+                       wait_queue_head_t *shmem_falloc_waitq;
+                       DEFINE_WAIT_FUNC(shmem_fault_wait, synchronous_wake_function);
+                       ret = VM_FAULT_NOPAGE;
+-                      if ((vmf->flags & FAULT_FLAG_ALLOW_RETRY) &&
+-                         !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) {
+-                              /* It's polite to up mmap_sem if we can */
+-                              up_read(&vma->vm_mm->mmap_sem);
++                      fpin = maybe_unlock_mmap_for_io(vmf, NULL);
++                      if (fpin)
+                               ret = VM_FAULT_RETRY;
+-                      }
+                       shmem_falloc_waitq = shmem_falloc->waitq;
+                       prepare_to_wait(shmem_falloc_waitq, &shmem_fault_wait,
+@@ -2049,6 +2047,9 @@ static vm_fault_t shmem_fault(struct vm_fault *vmf)
+                       spin_lock(&inode->i_lock);
+                       finish_wait(shmem_falloc_waitq, &shmem_fault_wait);
+                       spin_unlock(&inode->i_lock);
++
++                      if (fpin)
++                              fput(fpin);
+                       return ret;
+               }
+               spin_unlock(&inode->i_lock);
+-- 
+2.20.1
+
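Review bot: The removed comment explained why mmap_sem was dropped, but the replacement `fpin = maybe_unlock_mmap_for_io(vmf, NULL);` carries no note on what `fpin` protects, although the pin is the entire fix. The commit message gives the reason: the VMA can be unmapped and the inode freed while the fault sleeps without mmap_sem, and `spin_lock(&inode->i_lock)` after the wait then touches freed memory. I would add `/* pin the file: the VMA may go away once mmap_sem is dropped, and inode->i_lock is taken again after the wait */` above the call, and `/* drop the pin only after the last use of inode */` above `if (fpin)` before `fput(fpin);`. The helper's definition is outside the hunk, so the comment should be checked against it. shmem_fault() starts and ends outside the hunk.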
diff --git a/queue-5.4/staging-wlan-ng-add-crc32-dependency-in-kconfig.patch b/queue-5.4/staging-wlan-ng-add-crc32-dependency-in-kconfig.patch
new file mode 100644 (file)
index 0000000..b0bb0d5
--- /dev/null
@@ -0,0 +1,37 @@
+From 666d4ac220958ed5b927ef5b2d7215f07b6932b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Nov 2019 12:24:57 +0100
+Subject: staging/wlan-ng: add CRC32 dependency in Kconfig
+
+From: Kay Friedrich <kay.friedrich@fau.de>
+
+[ Upstream commit 2740bd3351cd5a4351f458aabaa1c9b77de3867b ]
+
+wlan-ng uses the function crc32_le,
+but CRC32 wasn't a dependency of wlan-ng
+
+Co-developed-by: Michael Kupfer <michael.kupfer@fau.de>
+Signed-off-by: Michael Kupfer <michael.kupfer@fau.de>
+Signed-off-by: Kay Friedrich <kay.friedrich@fau.de>
+Link: https://lore.kernel.org/r/20191127112457.2301-1-kay.friedrich@fau.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/wlan-ng/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/staging/wlan-ng/Kconfig b/drivers/staging/wlan-ng/Kconfig
+index ac136663fa8e..082c16a31616 100644
+--- a/drivers/staging/wlan-ng/Kconfig
++++ b/drivers/staging/wlan-ng/Kconfig
+@@ -4,6 +4,7 @@ config PRISM2_USB
+       depends on WLAN && USB && CFG80211
+       select WIRELESS_EXT
+       select WEXT_PRIV
++      select CRC32
+       help
+         This is the wlan-ng prism 2.5/3 USB driver for a wide range of
+         old USB wireless devices.
+-- 
+2.20.1
+
diff --git a/queue-5.4/taskstats-fix-data-race.patch b/queue-5.4/taskstats-fix-data-race.patch
new file mode 100644 (file)
index 0000000..4147758
--- /dev/null
@@ -0,0 +1,105 @@
+From 746d34d701547cef99f01b060e1782f8a67e07f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2019 13:48:09 +0200
+Subject: taskstats: fix data-race
+
+From: Christian Brauner <christian.brauner@ubuntu.com>
+
+[ Upstream commit 0b8d616fb5a8ffa307b1d3af37f55c15dae14f28 ]
+
+When assiging and testing taskstats in taskstats_exit() there's a race
+when setting up and reading sig->stats when a thread-group with more
+than one thread exits:
+
+write to 0xffff8881157bbe10 of 8 bytes by task 7951 on cpu 0:
+ taskstats_tgid_alloc kernel/taskstats.c:567 [inline]
+ taskstats_exit+0x6b7/0x717 kernel/taskstats.c:596
+ do_exit+0x2c2/0x18e0 kernel/exit.c:864
+ do_group_exit+0xb4/0x1c0 kernel/exit.c:983
+ get_signal+0x2a2/0x1320 kernel/signal.c:2734
+ do_signal+0x3b/0xc00 arch/x86/kernel/signal.c:815
+ exit_to_usermode_loop+0x250/0x2c0 arch/x86/entry/common.c:159
+ prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
+ syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
+ do_syscall_64+0x2d7/0x2f0 arch/x86/entry/common.c:299
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+read to 0xffff8881157bbe10 of 8 bytes by task 7949 on cpu 1:
+ taskstats_tgid_alloc kernel/taskstats.c:559 [inline]
+ taskstats_exit+0xb2/0x717 kernel/taskstats.c:596
+ do_exit+0x2c2/0x18e0 kernel/exit.c:864
+ do_group_exit+0xb4/0x1c0 kernel/exit.c:983
+ __do_sys_exit_group kernel/exit.c:994 [inline]
+ __se_sys_exit_group kernel/exit.c:992 [inline]
+ __x64_sys_exit_group+0x2e/0x30 kernel/exit.c:992
+ do_syscall_64+0xcf/0x2f0 arch/x86/entry/common.c:296
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fix this by using smp_load_acquire() and smp_store_release().
+
+Reported-by: syzbot+c5d03165a1bd1dead0c1@syzkaller.appspotmail.com
+Fixes: 34ec12349c8a ("taskstats: cleanup ->signal->stats allocation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+Acked-by: Marco Elver <elver@google.com>
+Reviewed-by: Will Deacon <will@kernel.org>
+Reviewed-by: Andrea Parri <parri.andrea@gmail.com>
+Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
+Link: https://lore.kernel.org/r/20191009114809.8643-1-christian.brauner@ubuntu.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/taskstats.c | 30 +++++++++++++++++++-----------
+ 1 file changed, 19 insertions(+), 11 deletions(-)
+
+diff --git a/kernel/taskstats.c b/kernel/taskstats.c
+index 13a0f2e6ebc2..e2ac0e37c4ae 100644
+--- a/kernel/taskstats.c
++++ b/kernel/taskstats.c
+@@ -554,25 +554,33 @@ static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info)
+ static struct taskstats *taskstats_tgid_alloc(struct task_struct *tsk)
+ {
+       struct signal_struct *sig = tsk->signal;
+-      struct taskstats *stats;
++      struct taskstats *stats_new, *stats;
+-      if (sig->stats || thread_group_empty(tsk))
+-              goto ret;
++      /* Pairs with smp_store_release() below. */
++      stats = smp_load_acquire(&sig->stats);
++      if (stats || thread_group_empty(tsk))
++              return stats;
+       /* No problem if kmem_cache_zalloc() fails */
+-      stats = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL);
++      stats_new = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL);
+       spin_lock_irq(&tsk->sighand->siglock);
+-      if (!sig->stats) {
+-              sig->stats = stats;
+-              stats = NULL;
++      stats = sig->stats;
++      if (!stats) {
++              /*
++               * Pairs with smp_store_release() above and order the
++               * kmem_cache_zalloc().
++               */
++              smp_store_release(&sig->stats, stats_new);
++              stats = stats_new;
++              stats_new = NULL;
+       }
+       spin_unlock_irq(&tsk->sighand->siglock);
+-      if (stats)
+-              kmem_cache_free(taskstats_cache, stats);
+-ret:
+-      return sig->stats;
++      if (stats_new)
++              kmem_cache_free(taskstats_cache, stats_new);
++
++      return stats;
+ }
+ /* Send pid data out on exit */
+-- 
+2.20.1
+
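Review bot: The block comment added inside the siglock section of taskstats_tgid_alloc() says "Pairs with smp_store_release() above", but the barrier above is the `smp_load_acquire(&sig->stats)` at the top of the function and the store-release is the statement the comment sits on. As written, the two comments both name the store and neither names the load, which misstates the pairing that the fix depends on. I would change the first comment line to `* Pairs with smp_load_acquire() above and orders the` and leave the rest unchanged. The plain `stats = sig->stats;` read under the lock could also get a short `/* stable under siglock */` remark, since it is the one access to the field that uses neither primitive.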
diff --git a/queue-5.4/tcp-fix-data-race-in-tcp_recvmsg.patch b/queue-5.4/tcp-fix-data-race-in-tcp_recvmsg.patch
new file mode 100644 (file)
index 0000000..ad6b7ca
--- /dev/null
@@ -0,0 +1,125 @@
+From c193c7923faeb60c10fa35404ff8d3501d128c33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Nov 2019 12:59:33 -0800
+Subject: tcp: fix data-race in tcp_recvmsg()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit a5a7daa52edb5197a3b696afee13ef174dc2e993 ]
+
+Reading tp->recvmsg_inq after socket lock is released
+raises a KCSAN warning [1]
+
+Replace has_tss & has_cmsg by cmsg_flags and make
+sure to not read tp->recvmsg_inq a second time.
+
+[1]
+BUG: KCSAN: data-race in tcp_chrono_stop / tcp_recvmsg
+
+write to 0xffff888126adef24 of 2 bytes by interrupt on cpu 0:
+ tcp_chrono_set net/ipv4/tcp_output.c:2309 [inline]
+ tcp_chrono_stop+0x14c/0x280 net/ipv4/tcp_output.c:2338
+ tcp_clean_rtx_queue net/ipv4/tcp_input.c:3165 [inline]
+ tcp_ack+0x274f/0x3170 net/ipv4/tcp_input.c:3688
+ tcp_rcv_established+0x37e/0xf50 net/ipv4/tcp_input.c:5696
+ tcp_v4_do_rcv+0x381/0x4e0 net/ipv4/tcp_ipv4.c:1561
+ tcp_v4_rcv+0x19dc/0x1bb0 net/ipv4/tcp_ipv4.c:1942
+ ip_protocol_deliver_rcu+0x4d/0x420 net/ipv4/ip_input.c:204
+ ip_local_deliver_finish+0x110/0x140 net/ipv4/ip_input.c:231
+ NF_HOOK include/linux/netfilter.h:305 [inline]
+ NF_HOOK include/linux/netfilter.h:299 [inline]
+ ip_local_deliver+0x133/0x210 net/ipv4/ip_input.c:252
+ dst_input include/net/dst.h:442 [inline]
+ ip_rcv_finish+0x121/0x160 net/ipv4/ip_input.c:413
+ NF_HOOK include/linux/netfilter.h:305 [inline]
+ NF_HOOK include/linux/netfilter.h:299 [inline]
+ ip_rcv+0x18f/0x1a0 net/ipv4/ip_input.c:523
+ __netif_receive_skb_one_core+0xa7/0xe0 net/core/dev.c:5010
+ __netif_receive_skb+0x37/0xf0 net/core/dev.c:5124
+ netif_receive_skb_internal+0x59/0x190 net/core/dev.c:5214
+ napi_skb_finish net/core/dev.c:5677 [inline]
+ napi_gro_receive+0x28f/0x330 net/core/dev.c:5710
+
+read to 0xffff888126adef25 of 1 bytes by task 7275 on cpu 1:
+ tcp_recvmsg+0x77b/0x1a30 net/ipv4/tcp.c:2187
+ inet_recvmsg+0xbb/0x250 net/ipv4/af_inet.c:838
+ sock_recvmsg_nosec net/socket.c:871 [inline]
+ sock_recvmsg net/socket.c:889 [inline]
+ sock_recvmsg+0x92/0xb0 net/socket.c:885
+ sock_read_iter+0x15f/0x1e0 net/socket.c:967
+ call_read_iter include/linux/fs.h:1889 [inline]
+ new_sync_read+0x389/0x4f0 fs/read_write.c:414
+ __vfs_read+0xb1/0xc0 fs/read_write.c:427
+ vfs_read fs/read_write.c:461 [inline]
+ vfs_read+0x143/0x2c0 fs/read_write.c:446
+ ksys_read+0xd5/0x1b0 fs/read_write.c:587
+ __do_sys_read fs/read_write.c:597 [inline]
+ __se_sys_read fs/read_write.c:595 [inline]
+ __x64_sys_read+0x4c/0x60 fs/read_write.c:595
+ do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 7275 Comm: sshd Not tainted 5.4.0-rc3+ #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: b75eba76d3d7 ("tcp: send in-queue bytes in cmsg upon read")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index d8876f0e9672..e537a4b6531b 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -1958,8 +1958,7 @@ int tcp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int nonblock,
+       struct sk_buff *skb, *last;
+       u32 urg_hole = 0;
+       struct scm_timestamping_internal tss;
+-      bool has_tss = false;
+-      bool has_cmsg;
++      int cmsg_flags;
+       if (unlikely(flags & MSG_ERRQUEUE))
+               return inet_recv_error(sk, msg, len, addr_len);
+@@ -1974,7 +1973,7 @@ int tcp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int nonblock,
+       if (sk->sk_state == TCP_LISTEN)
+               goto out;
+-      has_cmsg = tp->recvmsg_inq;
++      cmsg_flags = tp->recvmsg_inq ? 1 : 0;
+       timeo = sock_rcvtimeo(sk, nonblock);
+       /* Urgent data needs to be handled specially. */
+@@ -2157,8 +2156,7 @@ int tcp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int nonblock,
+               if (TCP_SKB_CB(skb)->has_rxtstamp) {
+                       tcp_update_recv_tstamps(skb, &tss);
+-                      has_tss = true;
+-                      has_cmsg = true;
++                      cmsg_flags |= 2;
+               }
+               if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN)
+                       goto found_fin_ok;
+@@ -2183,10 +2181,10 @@ int tcp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int nonblock,
+       release_sock(sk);
+-      if (has_cmsg) {
+-              if (has_tss)
++      if (cmsg_flags) {
++              if (cmsg_flags & 2)
+                       tcp_recv_timestamp(msg, sk, &tss);
+-              if (tp->recvmsg_inq) {
++              if (cmsg_flags & 1) {
+                       inq = tcp_inq_hint(sk);
+                       put_cmsg(msg, SOL_TCP, TCP_CM_INQ, sizeof(inq), &inq);
+               }
+-- 
+2.20.1
+
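Review bot: The bare literals in `cmsg_flags = tp->recvmsg_inq ? 1 : 0;`, `cmsg_flags |= 2;` and the two tests after `release_sock(sk)` carry the whole meaning of this fix, and would be easier to audit as named bits. Something like `enum { TCP_CMSG_INQ = 1, TCP_CMSG_TS = 2 };` with `if (cmsg_flags & TCP_CMSG_INQ)` at the test makes it clear that the post-unlock branch uses a value sampled earlier, not a fresh read of `tp->recvmsg_inq`. A short comment at the assignment, `/* sampled once; do not re-read tp->recvmsg_inq after release_sock() */`, would help keep the KCSAN-reported race from being reintroduced. The acquisition of the socket lock is not visible in these hunks, and tcp_recvmsg() starts and ends outside them.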
diff --git a/queue-5.4/tomoyo-don-t-use-nifty-names-on-sockets.patch b/queue-5.4/tomoyo-don-t-use-nifty-names-on-sockets.patch
new file mode 100644 (file)
index 0000000..80ac95d
--- /dev/null
@@ -0,0 +1,84 @@
+From 3754e5dc4a4dfc567d1ec6199ce978ec2e3646c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Nov 2019 10:46:51 +0900
+Subject: tomoyo: Don't use nifty names on sockets.
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit 6f7c41374b62fd80bbd8aae3536c43688c54d95e ]
+
+syzbot is reporting that use of SOCKET_I()->sk from open() can result in
+use after free problem [1], for socket's inode is still reachable via
+/proc/pid/fd/n despite destruction of SOCKET_I()->sk already completed.
+
+At first I thought that this race condition applies to only open/getattr
+permission checks. But James Morris has pointed out that there are more
+permission checks where this race condition applies to. Thus, get rid of
+tomoyo_get_socket_name() instead of conditionally bypassing permission
+checks on sockets. As a side effect of this patch,
+"socket:[family=\$:type=\$:protocol=\$]" in the policy files has to be
+rewritten to "socket:[\$]".
+
+[1] https://syzkaller.appspot.com/bug?id=73d590010454403d55164cca23bd0565b1eb3b74
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: syzbot <syzbot+0341f6a4d729d4e0acf1@syzkaller.appspotmail.com>
+Reported-by: James Morris <jmorris@namei.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/tomoyo/realpath.c | 32 +-------------------------------
+ 1 file changed, 1 insertion(+), 31 deletions(-)
+
+diff --git a/security/tomoyo/realpath.c b/security/tomoyo/realpath.c
+index e7832448d721..bf38fc1b59b2 100644
+--- a/security/tomoyo/realpath.c
++++ b/security/tomoyo/realpath.c
+@@ -217,31 +217,6 @@ static char *tomoyo_get_local_path(struct dentry *dentry, char * const buffer,
+       return ERR_PTR(-ENOMEM);
+ }
+-/**
+- * tomoyo_get_socket_name - Get the name of a socket.
+- *
+- * @path:   Pointer to "struct path".
+- * @buffer: Pointer to buffer to return value in.
+- * @buflen: Sizeof @buffer.
+- *
+- * Returns the buffer.
+- */
+-static char *tomoyo_get_socket_name(const struct path *path, char * const buffer,
+-                                  const int buflen)
+-{
+-      struct inode *inode = d_backing_inode(path->dentry);
+-      struct socket *sock = inode ? SOCKET_I(inode) : NULL;
+-      struct sock *sk = sock ? sock->sk : NULL;
+-
+-      if (sk) {
+-              snprintf(buffer, buflen, "socket:[family=%u:type=%u:protocol=%u]",
+-                       sk->sk_family, sk->sk_type, sk->sk_protocol);
+-      } else {
+-              snprintf(buffer, buflen, "socket:[unknown]");
+-      }
+-      return buffer;
+-}
+-
+ /**
+  * tomoyo_realpath_from_path - Returns realpath(3) of the given pathname but ignores chroot'ed root.
+  *
+@@ -279,12 +254,7 @@ char *tomoyo_realpath_from_path(const struct path *path)
+                       break;
+               /* To make sure that pos is '\0' terminated. */
+               buf[buf_len - 1] = '\0';
+-              /* Get better name for socket. */
+-              if (sb->s_magic == SOCKFS_MAGIC) {
+-                      pos = tomoyo_get_socket_name(path, buf, buf_len - 1);
+-                      goto encode;
+-              }
+-              /* For "pipe:[\$]". */
++              /* For "pipe:[\$]" and "socket:[\$]". */
+               if (dentry->d_op && dentry->d_op->d_dname) {
+                       pos = dentry->d_op->d_dname(dentry, buf, buf_len - 1);
+                       goto encode;
+-- 
+2.20.1
+
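Review bot: The replacement comment `/* For "pipe:[\$]" and "socket:[\$]". */` in tomoyo_realpath_from_path() says which names come from `d_dname`, but not why sockets lost their richer name. The reason is a lifetime one (per the commit message, `SOCKET_I()->sk` can already be destroyed while the inode is still reachable via /proc/pid/fd/n), so it is worth recording at the call site to stop the helper from being re-added later. I would write `/* For "pipe:[\$]" and "socket:[\$]"; SOCKET_I(inode)->sk is deliberately not read here, it may already be freed. */`. The policy-syntax change from `socket:[family=\$:type=\$:protocol=\$]` to `socket:[\$]` is stated only in the commit message, so existing rules in the old form would presumably stop matching without any diagnostic. tomoyo_realpath_from_path() begins and ends outside the hunk.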
diff --git a/queue-5.4/usb-gadget-fix-wrong-endpoint-desc.patch b/queue-5.4/usb-gadget-fix-wrong-endpoint-desc.patch
new file mode 100644 (file)
index 0000000..ba15aff
--- /dev/null
@@ -0,0 +1,61 @@
+From cf921d6da18a37a7cb82e65ee436eb242037f0a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2019 23:34:56 -0800
+Subject: usb: gadget: fix wrong endpoint desc
+
+From: EJ Hsu <ejh@nvidia.com>
+
+[ Upstream commit e5b5da96da50ef30abb39cb9f694e99366404d24 ]
+
+Gadget driver should always use config_ep_by_speed() to initialize
+usb_ep struct according to usb device's operating speed. Otherwise,
+usb_ep struct may be wrong if usb devcie's operating speed is changed.
+
+The key point in this patch is that we want to make sure the desc pointer
+in usb_ep struct will be set to NULL when gadget is disconnected.
+This will force it to call config_ep_by_speed() to correctly initialize
+usb_ep struct based on the new operating speed when gadget is
+re-connected later.
+
+Reviewed-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: EJ Hsu <ejh@nvidia.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_ecm.c   | 6 +++++-
+ drivers/usb/gadget/function/f_rndis.c | 1 +
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/function/f_ecm.c b/drivers/usb/gadget/function/f_ecm.c
+index 6ce044008cf6..460d5d7c984f 100644
+--- a/drivers/usb/gadget/function/f_ecm.c
++++ b/drivers/usb/gadget/function/f_ecm.c
+@@ -621,8 +621,12 @@ static void ecm_disable(struct usb_function *f)
+       DBG(cdev, "ecm deactivated\n");
+-      if (ecm->port.in_ep->enabled)
++      if (ecm->port.in_ep->enabled) {
+               gether_disconnect(&ecm->port);
++      } else {
++              ecm->port.in_ep->desc = NULL;
++              ecm->port.out_ep->desc = NULL;
++      }
+       usb_ep_disable(ecm->notify);
+       ecm->notify->desc = NULL;
+diff --git a/drivers/usb/gadget/function/f_rndis.c b/drivers/usb/gadget/function/f_rndis.c
+index d48df36622b7..0d8e4a364ca6 100644
+--- a/drivers/usb/gadget/function/f_rndis.c
++++ b/drivers/usb/gadget/function/f_rndis.c
+@@ -618,6 +618,7 @@ static void rndis_disable(struct usb_function *f)
+       gether_disconnect(&rndis->port);
+       usb_ep_disable(rndis->notify);
++      rndis->notify->desc = NULL;
+ }
+ /*-------------------------------------------------------------------------*/
+-- 
+2.20.1
+
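Review bot: The new `else` branch in ecm_disable() clears `ecm->port.in_ep->desc` and `ecm->port.out_ep->desc` with no comment, so the code itself does not say why a descriptor is reset on endpoints that were never enabled. The reason is in the commit message only; I would add `/* data endpoints not enabled: clear desc so the next activation re-runs config_ep_by_speed() for the current speed */` above the two assignments. The branch also keys on `in_ep->enabled` alone while resetting both endpoints; that looks intentional if the two are always enabled together, but the hunk does not show it. The f_rndis.c hunk adds `rndis->notify->desc = NULL;` for the same reason and could carry the same one-line comment. Both functions start outside their hunks.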
diff --git a/queue-5.4/xen-balloon-fix-ballooned-page-accounting-without-ho.patch b/queue-5.4/xen-balloon-fix-ballooned-page-accounting-without-ho.patch
new file mode 100644 (file)
index 0000000..8e91ed0
--- /dev/null
@@ -0,0 +1,43 @@
+From ddf5815b0a1464fbd0e15e889e101c2a646732e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Dec 2019 15:17:50 +0100
+Subject: xen/balloon: fix ballooned page accounting without hotplug enabled
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit c673ec61ade89bf2f417960f986bc25671762efb ]
+
+When CONFIG_XEN_BALLOON_MEMORY_HOTPLUG is not defined
+reserve_additional_memory() will set balloon_stats.target_pages to a
+wrong value in case there are still some ballooned pages allocated via
+alloc_xenballooned_pages().
+
+This will result in balloon_process() no longer be triggered when
+ballooned pages are freed in batches.
+
+Reported-by: Nicholas Tsirakis <niko.tsirakis@gmail.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/balloon.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
+index 5bae515c8e25..bed90d612e48 100644
+--- a/drivers/xen/balloon.c
++++ b/drivers/xen/balloon.c
+@@ -395,7 +395,8 @@ static struct notifier_block xen_memory_nb = {
+ #else
+ static enum bp_state reserve_additional_memory(void)
+ {
+-      balloon_stats.target_pages = balloon_stats.current_pages;
++      balloon_stats.target_pages = balloon_stats.current_pages +
++                                   balloon_stats.target_unpopulated;
+       return BP_ECANCELED;
+ }
+ #endif /* CONFIG_XEN_BALLOON_MEMORY_HOTPLUG */
+-- 
+2.20.1
+
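Review bot: The sum `balloon_stats.current_pages + balloon_stats.target_unpopulated` in the non-hotplug reserve_additional_memory() is unexplained in the code, and without context the second term looks arbitrary. A one-line comment above the assignment would do, for example `/* pages handed out via alloc_xenballooned_pages() still count toward the target */`, which is what the commit message gives as the reason. Whether `balloon_stats` is read here under a lock cannot be told from the hunk.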
diff --git a/queue-5.4/xen-blkback-prevent-premature-module-unload.patch b/queue-5.4/xen-blkback-prevent-premature-module-unload.patch
new file mode 100644 (file)
index 0000000..bb6a9de
--- /dev/null
@@ -0,0 +1,59 @@
+From 480f9ffd7841dbde86237d087a89fdba634e21ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2019 14:53:05 +0000
+Subject: xen-blkback: prevent premature module unload
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paul Durrant <pdurrant@amazon.com>
+
+[ Upstream commit fa2ac657f9783f0891b2935490afe9a7fd29d3fa ]
+
+Objects allocated by xen_blkif_alloc come from the 'blkif_cache' kmem
+cache. This cache is destoyed when xen-blkif is unloaded so it is
+necessary to wait for the deferred free routine used for such objects to
+complete. This necessity was missed in commit 14855954f636 "xen-blkback:
+allow module to be cleanly unloaded". This patch fixes the problem by
+taking/releasing extra module references in xen_blkif_alloc/free()
+respectively.
+
+Signed-off-by: Paul Durrant <pdurrant@amazon.com>
+Reviewed-by: Roger Pau MonnĂ© <roger.pau@citrix.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/xen-blkback/xenbus.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/block/xen-blkback/xenbus.c b/drivers/block/xen-blkback/xenbus.c
+index b90dbcd99c03..c4cd68116e7f 100644
+--- a/drivers/block/xen-blkback/xenbus.c
++++ b/drivers/block/xen-blkback/xenbus.c
+@@ -171,6 +171,15 @@ static struct xen_blkif *xen_blkif_alloc(domid_t domid)
+       blkif->domid = domid;
+       atomic_set(&blkif->refcnt, 1);
+       init_completion(&blkif->drain_complete);
++
++      /*
++       * Because freeing back to the cache may be deferred, it is not
++       * safe to unload the module (and hence destroy the cache) until
++       * this has completed. To prevent premature unloading, take an
++       * extra module reference here and release only when the object
++       * has been freed back to the cache.
++       */
++      __module_get(THIS_MODULE);
+       INIT_WORK(&blkif->free_work, xen_blkif_deferred_free);
+       return blkif;
+@@ -320,6 +329,7 @@ static void xen_blkif_free(struct xen_blkif *blkif)
+       /* Make sure everything is drained before shutting down */
+       kmem_cache_free(xen_blkif_cachep, blkif);
++      module_put(THIS_MODULE);
+ }
+ int __init xen_blkif_interface_init(void)
+-- 
+2.20.1
+
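Review bot: The `module_put(THIS_MODULE);` added at the end of xen_blkif_free() runs from module code, so once it drops the last reference the module may become unloadable while this function is still returning. Per the `INIT_WORK(&blkif->free_work, xen_blkif_deferred_free)` line in the other hunk, the free is deferred work; if that work item is what ends up calling xen_blkif_free(), the same window applies to its return path. That is safe only if the module exit path waits for outstanding `free_work` items before the text goes away, and nothing in this hunk shows such a wait. I would at least mark the constraint at the call, `/* must be the last statement: the module may be unloaded once this reference is dropped */`, and confirm the exit path flushes pending deferred frees. xen_blkif_free() starts outside the hunk.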
diff --git a/queue-5.4/xfs-fix-mount-failure-crash-on-invalid-iclog-memory-.patch b/queue-5.4/xfs-fix-mount-failure-crash-on-invalid-iclog-memory-.patch
new file mode 100644 (file)
index 0000000..7050a1d
--- /dev/null
@@ -0,0 +1,47 @@
+From 0f1b1b4d60400feda3564064aa7b02c54be7254b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2019 07:53:15 -0800
+Subject: xfs: fix mount failure crash on invalid iclog memory access
+
+From: Brian Foster <bfoster@redhat.com>
+
+[ Upstream commit 798a9cada4694ca8d970259f216cec47e675bfd5 ]
+
+syzbot (via KASAN) reports a use-after-free in the error path of
+xlog_alloc_log(). Specifically, the iclog freeing loop doesn't
+handle the case of a fully initialized ->l_iclog linked list.
+Instead, it assumes that the list is partially constructed and NULL
+terminated.
+
+This bug manifested because there was no possible error scenario
+after iclog list setup when the original code was added.  Subsequent
+code and associated error conditions were added some time later,
+while the original error handling code was never updated. Fix up the
+error loop to terminate either on a NULL iclog or reaching the end
+of the list.
+
+Reported-by: syzbot+c732f8644185de340492@syzkaller.appspotmail.com
+Signed-off-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/xfs_log.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/xfs/xfs_log.c b/fs/xfs/xfs_log.c
+index 641d07f30a27..7b0d9ad8cb1a 100644
+--- a/fs/xfs/xfs_log.c
++++ b/fs/xfs/xfs_log.c
+@@ -1495,6 +1495,8 @@ xlog_alloc_log(
+               prev_iclog = iclog->ic_next;
+               kmem_free(iclog->ic_data);
+               kmem_free(iclog);
++              if (prev_iclog == log->l_iclog)
++                      break;
+       }
+ out_free_log:
+       kmem_free(log);
+-- 
+2.20.1
+
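Review bot: The added `if (prev_iclog == log->l_iclog) break;` in the xlog_alloc_log() error path has no comment, and the loop now has two exit conditions whose purposes are easy to confuse. I would add `/* ring fully built: stop once ic_next wraps to the head, which was freed on the first pass */` above the test, since `log->l_iclog` still holds the address of an iclog that has already been passed to `kmem_free()`. The comparison only uses that pointer's value and `log` itself is freed later at `out_free_log`, so the check looks sound; the comment matters because a later edit that dereferences `log->l_iclog` here would bring back the use-after-free that KASAN reported. The loop header is outside the hunk, so the NULL-terminated case is inferred from the commit message.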