--- /dev/null
+From ac4e424732c2aa97b441f67169bf63540f1a70f3 Mon Sep 17 00:00:00 2001
+From: Marc Dionne <marc.dionne@auristor.com>
+Date: Tue, 30 Jul 2019 14:38:51 +0100
+Subject: afs: Fix loop index mixup in afs_deliver_vl_get_entry_by_name_u()
+
+[ Upstream commit 4a46fdba449a5cd890271df5a9e23927d519ed00 ]
+
+afs_deliver_vl_get_entry_by_name_u() scans through the vl entry
+received from the volume location server and builds a return list
+containing the sites that are currently valid. When assigning
+values for the return list, the index into the vl entry (i) is used
+rather than the one for the new list (entry->nr_server). If all
+sites are usable, this works out fine as the indices will match.
+If some sites are not valid, for example if AFS_VLSF_DONTUSE is
+set, fs_mask and the uuid will be set for the wrong return site.
+
+Fix this by using entry->nr_server as the index into the arrays
+being filled in rather than i.
+
+This can lead to EDESTADDRREQ errors if none of the returned sites
+have a valid fs_mask.
+
+Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation")
+Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/vlclient.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/fs/afs/vlclient.c b/fs/afs/vlclient.c
+index d7e0fd3c00df9..cfb0ac4bd039e 100644
+--- a/fs/afs/vlclient.c
++++ b/fs/afs/vlclient.c
+@@ -56,23 +56,24 @@ static int afs_deliver_vl_get_entry_by_name_u(struct afs_call *call)
+ struct afs_uuid__xdr *xdr;
+ struct afs_uuid *uuid;
+ int j;
++ int n = entry->nr_servers;
+
+ tmp = ntohl(uvldb->serverFlags[i]);
+ if (tmp & AFS_VLSF_DONTUSE ||
+ (new_only && !(tmp & AFS_VLSF_NEWREPSITE)))
+ continue;
+ if (tmp & AFS_VLSF_RWVOL) {
+- entry->fs_mask[i] |= AFS_VOL_VTM_RW;
++ entry->fs_mask[n] |= AFS_VOL_VTM_RW;
+ if (vlflags & AFS_VLF_BACKEXISTS)
+- entry->fs_mask[i] |= AFS_VOL_VTM_BAK;
++ entry->fs_mask[n] |= AFS_VOL_VTM_BAK;
+ }
+ if (tmp & AFS_VLSF_ROVOL)
+- entry->fs_mask[i] |= AFS_VOL_VTM_RO;
+- if (!entry->fs_mask[i])
++ entry->fs_mask[n] |= AFS_VOL_VTM_RO;
++ if (!entry->fs_mask[n])
+ continue;
+
+ xdr = &uvldb->serverNumber[i];
+- uuid = (struct afs_uuid *)&entry->fs_server[i];
++ uuid = (struct afs_uuid *)&entry->fs_server[n];
+ uuid->time_low = xdr->time_low;
+ uuid->time_mid = htons(ntohl(xdr->time_mid));
+ uuid->time_hi_and_version = htons(ntohl(xdr->time_hi_and_version));
+--
+2.20.1
+
--- /dev/null
+From 2634c19f3141657470347f6858cdbf93ffbff6cf Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 30 Jul 2019 14:38:52 +0100
+Subject: afs: Fix missing dentry data version updating
+
+[ Upstream commit 9dd0b82ef530cdfe805c9f7079c99e104be59a14 ]
+
+In the in-kernel afs filesystem, the d_fsdata dentry field is used to hold
+the data version of the parent directory when it was created or when
+d_revalidate() last caused it to be updated. This is compared to the
+->invalid_before field in the directory inode, rather than the actual data
+version number, thereby allowing changes due to local edits to be ignored.
+Only if the server data version gets bumped unexpectedly (eg. by a
+competing client), do we need to revalidate stuff.
+
+However, the d_fsdata field should also be updated if an rpc op is
+performed that modifies that particular dentry. Such ops return the
+revised data version of the directory(ies) involved, so we should use that.
+
+This is particularly problematic for rename, since a dentry from one
+directory may be moved directly into another directory (ie. mv a/x b/x).
+It would then be sporting the wrong data version - and if this is in the
+future, for the destination directory, revalidations would be missed,
+leading to foreign renames and hard-link deletion being missed.
+
+Fix this by the following means:
+
+ (1) Return the data version number from operations that read the directory
+ contents - if they issue the read. This starts in afs_dir_iterate()
+ and is used, ignored or passed back by its callers.
+
+ (2) In afs_lookup*(), set the dentry version to the version returned by
+ (1) before d_splice_alias() is called and the dentry published.
+
+ (3) In afs_d_revalidate(), set the dentry version to that returned from
+ (1) if an rpc call was issued. This means that if a parallel
+ procedure, such as mkdir(), modifies the directory, we won't
+ accidentally use the data version from that.
+
+ (4) In afs_{mkdir,create,link,symlink}(), set the new dentry's version to
+ the directory data version before d_instantiate() is called.
+
+ (5) In afs_{rmdir,unlink}, update the target dentry's version to the
+ directory data version as soon as we've updated the directory inode.
+
+ (6) In afs_rename(), we need to unhash the old dentry before we start so
+ that we don't get afs_d_revalidate() reverting the version change in
+ cross-directory renames.
+
+ We then need to set both the old and the new dentry versions the data
+ version of the new directory before we call d_move() as d_move() will
+ rehash them.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/dir.c | 84 +++++++++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 70 insertions(+), 14 deletions(-)
+
+diff --git a/fs/afs/dir.c b/fs/afs/dir.c
+index b87b41721eaa8..9620f19308f58 100644
+--- a/fs/afs/dir.c
++++ b/fs/afs/dir.c
+@@ -441,7 +441,7 @@ static int afs_dir_iterate_block(struct afs_vnode *dvnode,
+ * iterate through the data blob that lists the contents of an AFS directory
+ */
+ static int afs_dir_iterate(struct inode *dir, struct dir_context *ctx,
+- struct key *key)
++ struct key *key, afs_dataversion_t *_dir_version)
+ {
+ struct afs_vnode *dvnode = AFS_FS_I(dir);
+ struct afs_xdr_dir_page *dbuf;
+@@ -461,6 +461,7 @@ static int afs_dir_iterate(struct inode *dir, struct dir_context *ctx,
+ req = afs_read_dir(dvnode, key);
+ if (IS_ERR(req))
+ return PTR_ERR(req);
++ *_dir_version = req->data_version;
+
+ /* round the file position up to the next entry boundary */
+ ctx->pos += sizeof(union afs_xdr_dirent) - 1;
+@@ -515,7 +516,10 @@ out:
+ */
+ static int afs_readdir(struct file *file, struct dir_context *ctx)
+ {
+- return afs_dir_iterate(file_inode(file), ctx, afs_file_key(file));
++ afs_dataversion_t dir_version;
++
++ return afs_dir_iterate(file_inode(file), ctx, afs_file_key(file),
++ &dir_version);
+ }
+
+ /*
+@@ -556,7 +560,8 @@ static int afs_lookup_one_filldir(struct dir_context *ctx, const char *name,
+ * - just returns the FID the dentry name maps to if found
+ */
+ static int afs_do_lookup_one(struct inode *dir, struct dentry *dentry,
+- struct afs_fid *fid, struct key *key)
++ struct afs_fid *fid, struct key *key,
++ afs_dataversion_t *_dir_version)
+ {
+ struct afs_super_info *as = dir->i_sb->s_fs_info;
+ struct afs_lookup_one_cookie cookie = {
+@@ -569,7 +574,7 @@ static int afs_do_lookup_one(struct inode *dir, struct dentry *dentry,
+ _enter("{%lu},%p{%pd},", dir->i_ino, dentry, dentry);
+
+ /* search the directory */
+- ret = afs_dir_iterate(dir, &cookie.ctx, key);
++ ret = afs_dir_iterate(dir, &cookie.ctx, key, _dir_version);
+ if (ret < 0) {
+ _leave(" = %d [iter]", ret);
+ return ret;
+@@ -643,6 +648,7 @@ static struct inode *afs_do_lookup(struct inode *dir, struct dentry *dentry,
+ struct afs_server *server;
+ struct afs_vnode *dvnode = AFS_FS_I(dir), *vnode;
+ struct inode *inode = NULL, *ti;
++ afs_dataversion_t data_version = READ_ONCE(dvnode->status.data_version);
+ int ret, i;
+
+ _enter("{%lu},%p{%pd},", dir->i_ino, dentry, dentry);
+@@ -670,12 +676,14 @@ static struct inode *afs_do_lookup(struct inode *dir, struct dentry *dentry,
+ cookie->fids[i].vid = as->volume->vid;
+
+ /* search the directory */
+- ret = afs_dir_iterate(dir, &cookie->ctx, key);
++ ret = afs_dir_iterate(dir, &cookie->ctx, key, &data_version);
+ if (ret < 0) {
+ inode = ERR_PTR(ret);
+ goto out;
+ }
+
++ dentry->d_fsdata = (void *)(unsigned long)data_version;
++
+ inode = ERR_PTR(-ENOENT);
+ if (!cookie->found)
+ goto out;
+@@ -969,7 +977,8 @@ static int afs_d_revalidate(struct dentry *dentry, unsigned int flags)
+ struct dentry *parent;
+ struct inode *inode;
+ struct key *key;
+- long dir_version, de_version;
++ afs_dataversion_t dir_version;
++ long de_version;
+ int ret;
+
+ if (flags & LOOKUP_RCU)
+@@ -1015,20 +1024,20 @@ static int afs_d_revalidate(struct dentry *dentry, unsigned int flags)
+ * on a 32-bit system, we only have 32 bits in the dentry to store the
+ * version.
+ */
+- dir_version = (long)dir->status.data_version;
++ dir_version = dir->status.data_version;
+ de_version = (long)dentry->d_fsdata;
+- if (de_version == dir_version)
++ if (de_version == (long)dir_version)
+ goto out_valid_noupdate;
+
+- dir_version = (long)dir->invalid_before;
+- if (de_version - dir_version >= 0)
++ dir_version = dir->invalid_before;
++ if (de_version - (long)dir_version >= 0)
+ goto out_valid;
+
+ _debug("dir modified");
+ afs_stat_v(dir, n_reval);
+
+ /* search the directory for this vnode */
+- ret = afs_do_lookup_one(&dir->vfs_inode, dentry, &fid, key);
++ ret = afs_do_lookup_one(&dir->vfs_inode, dentry, &fid, key, &dir_version);
+ switch (ret) {
+ case 0:
+ /* the filename maps to something */
+@@ -1081,7 +1090,7 @@ static int afs_d_revalidate(struct dentry *dentry, unsigned int flags)
+ }
+
+ out_valid:
+- dentry->d_fsdata = (void *)dir_version;
++ dentry->d_fsdata = (void *)(unsigned long)dir_version;
+ out_valid_noupdate:
+ dput(parent);
+ key_put(key);
+@@ -1187,6 +1196,20 @@ static void afs_prep_for_new_inode(struct afs_fs_cursor *fc,
+ iget_data->cb_s_break = fc->cbi->server->cb_s_break;
+ }
+
++/*
++ * Note that a dentry got changed. We need to set d_fsdata to the data version
++ * number derived from the result of the operation. It doesn't matter if
++ * d_fsdata goes backwards as we'll just revalidate.
++ */
++static void afs_update_dentry_version(struct afs_fs_cursor *fc,
++ struct dentry *dentry,
++ struct afs_status_cb *scb)
++{
++ if (fc->ac.error == 0)
++ dentry->d_fsdata =
++ (void *)(unsigned long)scb->status.data_version;
++}
++
+ /*
+ * create a directory on an AFS filesystem
+ */
+@@ -1229,6 +1252,7 @@ static int afs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)
+ afs_check_for_remote_deletion(&fc, dvnode);
+ afs_vnode_commit_status(&fc, dvnode, fc.cb_break,
+ &data_version, &scb[0]);
++ afs_update_dentry_version(&fc, dentry, &scb[0]);
+ afs_vnode_new_inode(&fc, dentry, &iget_data, &scb[1]);
+ ret = afs_end_vnode_operation(&fc);
+ if (ret < 0)
+@@ -1321,6 +1345,7 @@ static int afs_rmdir(struct inode *dir, struct dentry *dentry)
+
+ afs_vnode_commit_status(&fc, dvnode, fc.cb_break,
+ &data_version, scb);
++ afs_update_dentry_version(&fc, dentry, scb);
+ ret = afs_end_vnode_operation(&fc);
+ if (ret == 0) {
+ afs_dir_remove_subdir(dentry);
+@@ -1462,6 +1487,7 @@ static int afs_unlink(struct inode *dir, struct dentry *dentry)
+ &data_version, &scb[0]);
+ afs_vnode_commit_status(&fc, vnode, fc.cb_break_2,
+ &data_version_2, &scb[1]);
++ afs_update_dentry_version(&fc, dentry, &scb[0]);
+ ret = afs_end_vnode_operation(&fc);
+ if (ret == 0 && !(scb[1].have_status || scb[1].have_error))
+ ret = afs_dir_remove_link(dvnode, dentry, key);
+@@ -1530,6 +1556,7 @@ static int afs_create(struct inode *dir, struct dentry *dentry, umode_t mode,
+ afs_check_for_remote_deletion(&fc, dvnode);
+ afs_vnode_commit_status(&fc, dvnode, fc.cb_break,
+ &data_version, &scb[0]);
++ afs_update_dentry_version(&fc, dentry, &scb[0]);
+ afs_vnode_new_inode(&fc, dentry, &iget_data, &scb[1]);
+ ret = afs_end_vnode_operation(&fc);
+ if (ret < 0)
+@@ -1611,6 +1638,7 @@ static int afs_link(struct dentry *from, struct inode *dir,
+ afs_vnode_commit_status(&fc, vnode, fc.cb_break_2,
+ NULL, &scb[1]);
+ ihold(&vnode->vfs_inode);
++ afs_update_dentry_version(&fc, dentry, &scb[0]);
+ d_instantiate(dentry, &vnode->vfs_inode);
+
+ mutex_unlock(&vnode->io_lock);
+@@ -1690,6 +1718,7 @@ static int afs_symlink(struct inode *dir, struct dentry *dentry,
+ afs_check_for_remote_deletion(&fc, dvnode);
+ afs_vnode_commit_status(&fc, dvnode, fc.cb_break,
+ &data_version, &scb[0]);
++ afs_update_dentry_version(&fc, dentry, &scb[0]);
+ afs_vnode_new_inode(&fc, dentry, &iget_data, &scb[1]);
+ ret = afs_end_vnode_operation(&fc);
+ if (ret < 0)
+@@ -1795,6 +1824,17 @@ static int afs_rename(struct inode *old_dir, struct dentry *old_dentry,
+ }
+ }
+
++ /* This bit is potentially nasty as there's a potential race with
++ * afs_d_revalidate{,_rcu}(). We have to change d_fsdata on the dentry
++ * to reflect it's new parent's new data_version after the op, but
++ * d_revalidate may see old_dentry between the op having taken place
++ * and the version being updated.
++ *
++ * So drop the old_dentry for now to make other threads go through
++ * lookup instead - which we hold a lock against.
++ */
++ d_drop(old_dentry);
++
+ ret = -ERESTARTSYS;
+ if (afs_begin_vnode_operation(&fc, orig_dvnode, key, true)) {
+ afs_dataversion_t orig_data_version;
+@@ -1806,7 +1846,7 @@ static int afs_rename(struct inode *old_dir, struct dentry *old_dentry,
+ if (orig_dvnode != new_dvnode) {
+ if (mutex_lock_interruptible_nested(&new_dvnode->io_lock, 1) < 0) {
+ afs_end_vnode_operation(&fc);
+- goto error_rehash;
++ goto error_rehash_old;
+ }
+ new_data_version = new_dvnode->status.data_version + 1;
+ } else {
+@@ -1831,7 +1871,7 @@ static int afs_rename(struct inode *old_dir, struct dentry *old_dentry,
+ }
+ ret = afs_end_vnode_operation(&fc);
+ if (ret < 0)
+- goto error_rehash;
++ goto error_rehash_old;
+ }
+
+ if (ret == 0) {
+@@ -1857,10 +1897,26 @@ static int afs_rename(struct inode *old_dir, struct dentry *old_dentry,
+ drop_nlink(new_inode);
+ spin_unlock(&new_inode->i_lock);
+ }
++
++ /* Now we can update d_fsdata on the dentries to reflect their
++ * new parent's data_version.
++ *
++ * Note that if we ever implement RENAME_EXCHANGE, we'll have
++ * to update both dentries with opposing dir versions.
++ */
++ if (new_dvnode != orig_dvnode) {
++ afs_update_dentry_version(&fc, old_dentry, &scb[1]);
++ afs_update_dentry_version(&fc, new_dentry, &scb[1]);
++ } else {
++ afs_update_dentry_version(&fc, old_dentry, &scb[0]);
++ afs_update_dentry_version(&fc, new_dentry, &scb[0]);
++ }
+ d_move(old_dentry, new_dentry);
+ goto error_tmp;
+ }
+
++error_rehash_old:
++ d_rehash(new_dentry);
+ error_rehash:
+ if (rehash)
+ d_rehash(rehash);
+--
+2.20.1
+
--- /dev/null
+From a23f1a676169b400c826b56450f0e03582badf9c Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 30 Jul 2019 14:38:51 +0100
+Subject: afs: Fix off-by-one in afs_rename() expected data version calculation
+
+[ Upstream commit 37c0bbb3326674940e657118306ac52364314523 ]
+
+When afs_rename() calculates the expected data version of the target
+directory in a cross-directory rename, it doesn't increment it as it
+should, so it always thinks that the target inode is unexpectedly modified
+on the server.
+
+Fixes: a58823ac4589 ("afs: Fix application of status and callback to be under same lock")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/afs/dir.c b/fs/afs/dir.c
+index da9563d62b327..9750ac70f8ffb 100644
+--- a/fs/afs/dir.c
++++ b/fs/afs/dir.c
+@@ -1807,7 +1807,7 @@ static int afs_rename(struct inode *old_dir, struct dentry *old_dentry,
+ afs_end_vnode_operation(&fc);
+ goto error_rehash;
+ }
+- new_data_version = new_dvnode->status.data_version;
++ new_data_version = new_dvnode->status.data_version + 1;
+ } else {
+ new_data_version = orig_data_version;
+ new_scb = &scb[0];
+--
+2.20.1
+
--- /dev/null
+From 709382a072aab8aefe511606606ab9aeb580354b Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 30 Jul 2019 14:38:51 +0100
+Subject: afs: Fix the CB.ProbeUuid service handler to reply correctly
+
+[ Upstream commit 2067b2b3f4846402a040286135f98f46f8919939 ]
+
+Fix the service handler function for the CB.ProbeUuid RPC call so that it
+replies in the correct manner - that is an empty reply for success and an
+abort of 1 for failure.
+
+Putting 0 or 1 in an integer in the body of the reply should result in the
+fileserver throwing an RX_PROTOCOL_ERROR abort and discarding its record of
+the client; older servers, however, don't necessarily check that all the
+data got consumed, and so might incorrectly think that they got a positive
+response and associate the client with the wrong host record.
+
+If the client is incorrectly associated, this will result in callbacks
+intended for a different client being delivered to this one and then, when
+the other client connects and responds positively, all of the callback
+promises meant for the client that issued the improper response will be
+lost and it won't receive any further change notifications.
+
+Fixes: 9396d496d745 ("afs: support the CB.ProbeUuid RPC op")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/cmservice.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/fs/afs/cmservice.c b/fs/afs/cmservice.c
+index 3451be03667f0..00033a481ba05 100644
+--- a/fs/afs/cmservice.c
++++ b/fs/afs/cmservice.c
+@@ -502,18 +502,14 @@ static void SRXAFSCB_ProbeUuid(struct work_struct *work)
+ struct afs_call *call = container_of(work, struct afs_call, work);
+ struct afs_uuid *r = call->request;
+
+- struct {
+- __be32 match;
+- } reply;
+-
+ _enter("");
+
+ if (memcmp(r, &call->net->uuid, sizeof(call->net->uuid)) == 0)
+- reply.match = htonl(0);
++ afs_send_empty_reply(call);
+ else
+- reply.match = htonl(1);
++ rxrpc_kernel_abort_call(call->net->socket, call->rxcall,
++ 1, 1, "K-1");
+
+- afs_send_simple_reply(call, &reply, sizeof(reply));
+ afs_put_call(call);
+ _leave("");
+ }
+--
+2.20.1
+
--- /dev/null
+From d1638ee8791d004f41e336977c9a8661a5ad3da3 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 30 Jul 2019 14:38:51 +0100
+Subject: afs: Only update d_fsdata if different in afs_d_revalidate()
+
+[ Upstream commit 5dc84855b0fc7e1db182b55c5564fd539d6eff92 ]
+
+In the in-kernel afs filesystem, d_fsdata is set with the data version of
+the parent directory. afs_d_revalidate() will update this to the current
+directory version, but it shouldn't do this if it the value it read from
+d_fsdata is the same as no lock is held and cmpxchg() is not used.
+
+Fix the code to only change the value if it is different from the current
+directory version.
+
+Fixes: 260a980317da ("[AFS]: Add "directory write" support.")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/dir.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/afs/dir.c b/fs/afs/dir.c
+index 9750ac70f8ffb..b87b41721eaa8 100644
+--- a/fs/afs/dir.c
++++ b/fs/afs/dir.c
+@@ -1018,7 +1018,7 @@ static int afs_d_revalidate(struct dentry *dentry, unsigned int flags)
+ dir_version = (long)dir->status.data_version;
+ de_version = (long)dentry->d_fsdata;
+ if (de_version == dir_version)
+- goto out_valid;
++ goto out_valid_noupdate;
+
+ dir_version = (long)dir->invalid_before;
+ if (de_version - dir_version >= 0)
+@@ -1082,6 +1082,7 @@ static int afs_d_revalidate(struct dentry *dentry, unsigned int flags)
+
+ out_valid:
+ dentry->d_fsdata = (void *)dir_version;
++out_valid_noupdate:
+ dput(parent);
+ key_put(key);
+ _leave(" = 1 [valid]");
+--
+2.20.1
+
--- /dev/null
+From b19f546cd1320bbc124a5cc037dde0d16bb8a3a3 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Mon, 12 Aug 2019 16:02:25 +0100
+Subject: arm64: cpufeature: Don't treat granule sizes as strict
+
+[ Upstream commit 5717fe5ab38f9ccb32718bcb03bea68409c9cce4 ]
+
+If a CPU doesn't support the page size for which the kernel is
+configured, then we will complain and refuse to bring it online. For
+secondary CPUs (and the boot CPU on a system booting with EFI), we will
+also print an error identifying the mismatch.
+
+Consequently, the only time that the cpufeature code can detect a
+granule size mismatch is for a granule other than the one that is
+currently being used. Although we would rather such systems didn't
+exist, we've unfortunately lost that battle and Kevin reports that
+on his amlogic S922X (odroid-n2 board) we end up warning and taining
+with defconfig because 16k pages are not supported by all of the CPUs.
+
+In such a situation, we don't actually care about the feature mismatch,
+particularly now that KVM only exposes the sanitised view of the CPU
+registers (commit 93390c0a1b20 - "arm64: KVM: Hide unsupported AArch64
+CPU features from guests"). Treat the granule fields as non-strict and
+let Kevin run without a tainted kernel.
+
+Cc: Marc Zyngier <maz@kernel.org>
+Reported-by: Kevin Hilman <khilman@baylibre.com>
+Tested-by: Kevin Hilman <khilman@baylibre.com>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Acked-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+[catalin.marinas@arm.com: changelog updated with KVM sanitised regs commit]
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/cpufeature.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
+index ae63eedea1c12..68faf535f40a3 100644
+--- a/arch/arm64/kernel/cpufeature.c
++++ b/arch/arm64/kernel/cpufeature.c
+@@ -184,9 +184,17 @@ static const struct arm64_ftr_bits ftr_id_aa64zfr0[] = {
+ };
+
+ static const struct arm64_ftr_bits ftr_id_aa64mmfr0[] = {
+- S_ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64MMFR0_TGRAN4_SHIFT, 4, ID_AA64MMFR0_TGRAN4_NI),
+- S_ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64MMFR0_TGRAN64_SHIFT, 4, ID_AA64MMFR0_TGRAN64_NI),
+- ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64MMFR0_TGRAN16_SHIFT, 4, ID_AA64MMFR0_TGRAN16_NI),
++ /*
++ * We already refuse to boot CPUs that don't support our configured
++ * page size, so we can only detect mismatches for a page size other
++ * than the one we're currently using. Unfortunately, SoCs like this
++ * exist in the wild so, even though we don't like it, we'll have to go
++ * along with it and treat them as non-strict.
++ */
++ S_ARM64_FTR_BITS(FTR_HIDDEN, FTR_NONSTRICT, FTR_LOWER_SAFE, ID_AA64MMFR0_TGRAN4_SHIFT, 4, ID_AA64MMFR0_TGRAN4_NI),
++ S_ARM64_FTR_BITS(FTR_HIDDEN, FTR_NONSTRICT, FTR_LOWER_SAFE, ID_AA64MMFR0_TGRAN64_SHIFT, 4, ID_AA64MMFR0_TGRAN64_NI),
++ ARM64_FTR_BITS(FTR_HIDDEN, FTR_NONSTRICT, FTR_LOWER_SAFE, ID_AA64MMFR0_TGRAN16_SHIFT, 4, ID_AA64MMFR0_TGRAN16_NI),
++
+ ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64MMFR0_BIGENDEL0_SHIFT, 4, 0),
+ /* Linux shouldn't care about secure memory */
+ ARM64_FTR_BITS(FTR_HIDDEN, FTR_NONSTRICT, FTR_LOWER_SAFE, ID_AA64MMFR0_SNSMEM_SHIFT, 4, 0),
+--
+2.20.1
+
--- /dev/null
+From 83ef8e36870de5f4a983392315a4c6f851cc9542 Mon Sep 17 00:00:00 2001
+From: zhengbin <zhengbin13@huawei.com>
+Date: Mon, 8 Jul 2019 20:42:18 +0800
+Subject: auxdisplay: panel: need to delete scan_timer when misc_register fails
+ in panel_attach
+
+[ Upstream commit b33d567560c1aadf3033290d74d4fd67af47aa61 ]
+
+In panel_attach, if misc_register fails, we need to delete scan_timer,
+which was setup in keypad_init->init_scan_timer.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: zhengbin <zhengbin13@huawei.com>
+Signed-off-by: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/auxdisplay/panel.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/auxdisplay/panel.c b/drivers/auxdisplay/panel.c
+index e06de63497cf8..e6bd727da503a 100644
+--- a/drivers/auxdisplay/panel.c
++++ b/drivers/auxdisplay/panel.c
+@@ -1617,6 +1617,8 @@ static void panel_attach(struct parport *port)
+ return;
+
+ err_lcd_unreg:
++ if (scan_timer.function)
++ del_timer_sync(&scan_timer);
+ if (lcd.enabled)
+ charlcd_unregister(lcd.charlcd);
+ err_unreg_device:
+--
+2.20.1
+
--- /dev/null
+From 5a0acb5097a8c72bf26c533bbc7058a2523962cc Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Tue, 28 May 2019 16:21:54 +0800
+Subject: btrfs: trim: Check the range passed into to prevent overflow
+
+[ Upstream commit 07301df7d2fc220d3de5f7ad804dcb941400cb00 ]
+
+Normally the range->len is set to default value (U64_MAX), but when it's
+not default value, we should check if the range overflows.
+
+And if it overflows, return -EINVAL before doing anything.
+
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/extent-tree.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
+index 5faf057f6f37f..b8f4720879021 100644
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -11226,6 +11226,7 @@ int btrfs_trim_fs(struct btrfs_fs_info *fs_info, struct fstrim_range *range)
+ struct btrfs_device *device;
+ struct list_head *devices;
+ u64 group_trimmed;
++ u64 range_end = U64_MAX;
+ u64 start;
+ u64 end;
+ u64 trimmed = 0;
+@@ -11235,16 +11236,23 @@ int btrfs_trim_fs(struct btrfs_fs_info *fs_info, struct fstrim_range *range)
+ int dev_ret = 0;
+ int ret = 0;
+
++ /*
++ * Check range overflow if range->len is set.
++ * The default range->len is U64_MAX.
++ */
++ if (range->len != U64_MAX &&
++ check_add_overflow(range->start, range->len, &range_end))
++ return -EINVAL;
++
+ cache = btrfs_lookup_first_block_group(fs_info, range->start);
+ for (; cache; cache = next_block_group(cache)) {
+- if (cache->key.objectid >= (range->start + range->len)) {
++ if (cache->key.objectid >= range_end) {
+ btrfs_put_block_group(cache);
+ break;
+ }
+
+ start = max(range->start, cache->key.objectid);
+- end = min(range->start + range->len,
+- cache->key.objectid + cache->key.offset);
++ end = min(range_end, cache->key.objectid + cache->key.offset);
+
+ if (end - start >= range->minlen) {
+ if (!block_group_cache_done(cache)) {
+--
+2.20.1
+
--- /dev/null
+From c40dcc2229debb94f1348f8ae261f98c9994af96 Mon Sep 17 00:00:00 2001
+From: Lucas Stach <l.stach@pengutronix.de>
+Date: Mon, 5 Aug 2019 17:51:53 +0200
+Subject: dma-direct: don't truncate dma_required_mask to bus addressing
+ capabilities
+
+[ Upstream commit d8ad55538abe443919e20e0bb996561bca9cad84 ]
+
+The dma required_mask needs to reflect the actual addressing capabilities
+needed to handle the whole system RAM. When truncated down to the bus
+addressing capabilities dma_addressing_limited() will incorrectly signal
+no limitations for devices which are restricted by the bus_dma_mask.
+
+Fixes: b4ebe6063204 (dma-direct: implement complete bus_dma_mask handling)
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Tested-by: Atish Patra <atish.patra@wdc.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/dma/direct.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/kernel/dma/direct.c b/kernel/dma/direct.c
+index 2c2772e9702ab..9912be7a970de 100644
+--- a/kernel/dma/direct.c
++++ b/kernel/dma/direct.c
+@@ -55,9 +55,6 @@ u64 dma_direct_get_required_mask(struct device *dev)
+ {
+ u64 max_dma = phys_to_dma_direct(dev, (max_pfn - 1) << PAGE_SHIFT);
+
+- if (dev->bus_dma_mask && dev->bus_dma_mask < max_dma)
+- max_dma = dev->bus_dma_mask;
+-
+ return (1ULL << (fls64(max_dma) - 1)) * 2 - 1;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 8ffbf568daeecddba333a814e6f2879e749b1736 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 12 Jul 2019 11:13:30 +0200
+Subject: dmaengine: ste_dma40: fix unneeded variable warning
+
+[ Upstream commit 5d6fb560729a5d5554e23db8d00eb57cd0021083 ]
+
+clang-9 points out that there are two variables that depending on the
+configuration may only be used in an ARRAY_SIZE() expression but not
+referenced:
+
+drivers/dma/ste_dma40.c:145:12: error: variable 'd40_backup_regs' is not needed and will not be emitted [-Werror,-Wunneeded-internal-declaration]
+static u32 d40_backup_regs[] = {
+ ^
+drivers/dma/ste_dma40.c:214:12: error: variable 'd40_backup_regs_chan' is not needed and will not be emitted [-Werror,-Wunneeded-internal-declaration]
+static u32 d40_backup_regs_chan[] = {
+
+Mark these __maybe_unused to shut up the warning.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/20190712091357.744515-1-arnd@arndb.de
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/ste_dma40.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/ste_dma40.c b/drivers/dma/ste_dma40.c
+index 89d710899010d..de8bfd9a76e9e 100644
+--- a/drivers/dma/ste_dma40.c
++++ b/drivers/dma/ste_dma40.c
+@@ -142,7 +142,7 @@ enum d40_events {
+ * when the DMA hw is powered off.
+ * TODO: Add save/restore of D40_DREG_GCC on dma40 v3 or later, if that works.
+ */
+-static u32 d40_backup_regs[] = {
++static __maybe_unused u32 d40_backup_regs[] = {
+ D40_DREG_LCPA,
+ D40_DREG_LCLA,
+ D40_DREG_PRMSE,
+@@ -211,7 +211,7 @@ static u32 d40_backup_regs_v4b[] = {
+
+ #define BACKUP_REGS_SZ_V4B ARRAY_SIZE(d40_backup_regs_v4b)
+
+-static u32 d40_backup_regs_chan[] = {
++static __maybe_unused u32 d40_backup_regs_chan[] = {
+ D40_CHAN_REG_SSCFG,
+ D40_CHAN_REG_SSELT,
+ D40_CHAN_REG_SSPTR,
+--
+2.20.1
+
--- /dev/null
+From d7024cfc18bd15978b8f7529d735061f9b1d7464 Mon Sep 17 00:00:00 2001
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+Date: Mon, 29 Jul 2019 10:08:49 +0800
+Subject: dmaengine: stm32-mdma: Fix a possible null-pointer dereference in
+ stm32_mdma_irq_handler()
+
+[ Upstream commit 39c71a5b8212f4b502d9a630c6706ac723abd422 ]
+
+In stm32_mdma_irq_handler(), chan is checked on line 1368.
+When chan is NULL, it is still used on line 1369:
+ dev_err(chan2dev(chan), "MDMA channel not initialized\n");
+
+Thus, a possible null-pointer dereference may occur.
+
+To fix this bug, "dev_dbg(mdma2dev(dmadev), ...)" is used instead.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Fixes: a4ffb13c8946 ("dmaengine: Add STM32 MDMA driver")
+Link: https://lore.kernel.org/r/20190729020849.17971-1-baijiaju1990@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/stm32-mdma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/dma/stm32-mdma.c b/drivers/dma/stm32-mdma.c
+index d6e919d3936a2..1311de74bfdde 100644
+--- a/drivers/dma/stm32-mdma.c
++++ b/drivers/dma/stm32-mdma.c
+@@ -1366,7 +1366,7 @@ static irqreturn_t stm32_mdma_irq_handler(int irq, void *devid)
+
+ chan = &dmadev->chan[id];
+ if (!chan) {
+- dev_err(chan2dev(chan), "MDMA channel not initialized\n");
++ dev_dbg(mdma2dev(dmadev), "MDMA channel not initialized\n");
+ goto exit;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 760685c852e1f729d3c74f7eb255b8f0b8c8c9c2 Mon Sep 17 00:00:00 2001
+From: "Y.C. Chen" <yc_chen@aspeedtech.com>
+Date: Wed, 11 Apr 2018 09:27:39 +0800
+Subject: drm/ast: Fixed reboot test may cause system hanged
+
+[ Upstream commit 05b439711f6ff8700e8660f97a1179650778b9cb ]
+
+There is another thread still access standard VGA I/O while loading drm driver.
+Disable standard VGA I/O decode to avoid this issue.
+
+Signed-off-by: Y.C. Chen <yc_chen@aspeedtech.com>
+Reviewed-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/1523410059-18415-1-git-send-email-yc_chen@aspeedtech.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/ast/ast_main.c | 5 ++++-
+ drivers/gpu/drm/ast/ast_mode.c | 2 +-
+ drivers/gpu/drm/ast/ast_post.c | 2 +-
+ 3 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/ast/ast_main.c b/drivers/gpu/drm/ast/ast_main.c
+index 2854399856ba0..4aebe21e6ad9f 100644
+--- a/drivers/gpu/drm/ast/ast_main.c
++++ b/drivers/gpu/drm/ast/ast_main.c
+@@ -131,8 +131,8 @@ static int ast_detect_chip(struct drm_device *dev, bool *need_post)
+
+
+ /* Enable extended register access */
+- ast_enable_mmio(dev);
+ ast_open_key(ast);
++ ast_enable_mmio(dev);
+
+ /* Find out whether P2A works or whether to use device-tree */
+ ast_detect_config_mode(dev, &scu_rev);
+@@ -576,6 +576,9 @@ void ast_driver_unload(struct drm_device *dev)
+ {
+ struct ast_private *ast = dev->dev_private;
+
++ /* enable standard VGA decode */
++ ast_set_index_reg(ast, AST_IO_CRTC_PORT, 0xa1, 0x04);
++
+ ast_release_firmware(dev);
+ kfree(ast->dp501_fw_addr);
+ ast_mode_fini(dev);
+diff --git a/drivers/gpu/drm/ast/ast_mode.c b/drivers/gpu/drm/ast/ast_mode.c
+index 97fed0627d1c8..74da15a3341a8 100644
+--- a/drivers/gpu/drm/ast/ast_mode.c
++++ b/drivers/gpu/drm/ast/ast_mode.c
+@@ -601,7 +601,7 @@ static int ast_crtc_mode_set(struct drm_crtc *crtc,
+ return -EINVAL;
+ ast_open_key(ast);
+
+- ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xa1, 0xff, 0x04);
++ ast_set_index_reg(ast, AST_IO_CRTC_PORT, 0xa1, 0x06);
+
+ ast_set_std_reg(crtc, adjusted_mode, &vbios_mode);
+ ast_set_crtc_reg(crtc, adjusted_mode, &vbios_mode);
+diff --git a/drivers/gpu/drm/ast/ast_post.c b/drivers/gpu/drm/ast/ast_post.c
+index f7d421359d564..c1d1ac51d1c20 100644
+--- a/drivers/gpu/drm/ast/ast_post.c
++++ b/drivers/gpu/drm/ast/ast_post.c
+@@ -46,7 +46,7 @@ void ast_enable_mmio(struct drm_device *dev)
+ {
+ struct ast_private *ast = dev->dev_private;
+
+- ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xa1, 0xff, 0x04);
++ ast_set_index_reg(ast, AST_IO_CRTC_PORT, 0xa1, 0x06);
+ }
+
+
+--
+2.20.1
+
--- /dev/null
+From 967745eb5a0df59d16f9360730f4c17f0c01dd47 Mon Sep 17 00:00:00 2001
+From: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Date: Mon, 10 Jun 2019 16:57:38 +0300
+Subject: drm/bridge: tfp410: fix memleak in get_modes()
+
+[ Upstream commit c08f99c39083ab55a9c93b3e93cef48711294dad ]
+
+We don't free the edid blob allocated by the call to drm_get_edid(),
+causing a memleak. Fix this by calling kfree(edid) at the end of the
+get_modes().
+
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190610135739.6077-1-tomi.valkeinen@ti.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/ti-tfp410.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/bridge/ti-tfp410.c b/drivers/gpu/drm/bridge/ti-tfp410.c
+index 3a8af9978ebdf..791f164bdadc8 100644
+--- a/drivers/gpu/drm/bridge/ti-tfp410.c
++++ b/drivers/gpu/drm/bridge/ti-tfp410.c
+@@ -66,7 +66,12 @@ static int tfp410_get_modes(struct drm_connector *connector)
+
+ drm_connector_update_edid_property(connector, edid);
+
+- return drm_add_edid_modes(connector, edid);
++ ret = drm_add_edid_modes(connector, edid);
++
++ kfree(edid);
++
++ return ret;
++
+ fallback:
+ /* No EDID, fallback on the XGA standard modes */
+ ret = drm_add_modes_noedid(connector, 1920, 1200);
+--
+2.20.1
+
--- /dev/null
+From a0e2c392b6bea1846c2a267a4f9b927b2e6bd423 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com>
+Date: Fri, 9 Aug 2019 17:27:21 +0200
+Subject: drm/scheduler: use job count instead of peek
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit e1b4ce25dbc93ab0cb8ed0f236a3b9ff7b03802c ]
+
+The spsc_queue_peek function is accessing queue->head which belongs to
+the consumer thread and shouldn't be accessed by the producer
+
+This is fixing a rare race condition when destroying entities.
+
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Acked-by: Andrey Grodzovsky <andrey.grodzovsky@amd.com>
+Reviewed-by: Monk.liu@amd.com
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/scheduler/sched_entity.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/scheduler/sched_entity.c b/drivers/gpu/drm/scheduler/sched_entity.c
+index 35ddbec1375ae..671c90f34ede6 100644
+--- a/drivers/gpu/drm/scheduler/sched_entity.c
++++ b/drivers/gpu/drm/scheduler/sched_entity.c
+@@ -95,7 +95,7 @@ static bool drm_sched_entity_is_idle(struct drm_sched_entity *entity)
+ rmb(); /* for list_empty to work without lock */
+
+ if (list_empty(&entity->list) ||
+- spsc_queue_peek(&entity->job_queue) == NULL)
++ spsc_queue_count(&entity->job_queue) == 0)
+ return true;
+
+ return false;
+@@ -281,7 +281,7 @@ void drm_sched_entity_fini(struct drm_sched_entity *entity)
+ /* Consumption of existing IBs wasn't completed. Forcefully
+ * remove them here.
+ */
+- if (spsc_queue_peek(&entity->job_queue)) {
++ if (spsc_queue_count(&entity->job_queue)) {
+ if (sched) {
+ /* Park the kernel for a moment to make sure it isn't processing
+ * our enity.
+--
+2.20.1
+
--- /dev/null
+From 79a60dcc4d94cb645bec9ff38875b33ad38d0571 Mon Sep 17 00:00:00 2001
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+Date: Tue, 30 Jul 2019 14:38:51 +0100
+Subject: fs: afs: Fix a possible null-pointer dereference in afs_put_read()
+
+[ Upstream commit a6eed4ab5dd4bfb696c1a3f49742b8d1846a66a0 ]
+
+In afs_read_dir(), there is an if statement on line 255 to check whether
+req->pages is NULL:
+ if (!req->pages)
+ goto error;
+
+If req->pages is NULL, afs_put_read() on line 337 is executed.
+In afs_put_read(), req->pages[i] is used on line 195.
+Thus, a possible null-pointer dereference may occur in this case.
+
+To fix this possible bug, an if statement is added in afs_put_read() to
+check req->pages.
+
+This bug is found by a static analysis tool STCheck written by us.
+
+Fixes: f3ddee8dc4e2 ("afs: Fix directory handling")
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/file.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/fs/afs/file.c b/fs/afs/file.c
+index 8fd7d3b9a1b1f..87beabc7114ee 100644
+--- a/fs/afs/file.c
++++ b/fs/afs/file.c
+@@ -191,11 +191,13 @@ void afs_put_read(struct afs_read *req)
+ int i;
+
+ if (refcount_dec_and_test(&req->usage)) {
+- for (i = 0; i < req->nr_pages; i++)
+- if (req->pages[i])
+- put_page(req->pages[i]);
+- if (req->pages != req->array)
+- kfree(req->pages);
++ if (req->pages) {
++ for (i = 0; i < req->nr_pages; i++)
++ if (req->pages[i])
++ put_page(req->pages[i]);
++ if (req->pages != req->array)
++ kfree(req->pages);
++ }
+ kfree(req);
+ }
+ }
+--
+2.20.1
+
--- /dev/null
+From db8d8d1f134db6d721f8fa7e5b7841cdeb328d04 Mon Sep 17 00:00:00 2001
+From: Ben Segal <bpsegal20@gmail.com>
+Date: Thu, 1 Aug 2019 23:22:20 +0000
+Subject: habanalabs: fix completion queue handling when host is BE
+
+[ Upstream commit 4e87334a0ef43663019dbaf3638ad10fd8c3320c ]
+
+This patch fix the CQ irq handler to work in hosts with BE architecture.
+It adds the correct endian-swapping macros around the relevant memory
+accesses.
+
+Signed-off-by: Ben Segal <bpsegal20@gmail.com>
+Reviewed-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/habanalabs/irq.c | 27 +++++++++++++--------------
+ 1 file changed, 13 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/misc/habanalabs/irq.c b/drivers/misc/habanalabs/irq.c
+index ea9f72ff456cf..199791b57caf2 100644
+--- a/drivers/misc/habanalabs/irq.c
++++ b/drivers/misc/habanalabs/irq.c
+@@ -80,8 +80,7 @@ irqreturn_t hl_irq_handler_cq(int irq, void *arg)
+ struct hl_cs_job *job;
+ bool shadow_index_valid;
+ u16 shadow_index;
+- u32 *cq_entry;
+- u32 *cq_base;
++ struct hl_cq_entry *cq_entry, *cq_base;
+
+ if (hdev->disabled) {
+ dev_dbg(hdev->dev,
+@@ -90,29 +89,29 @@ irqreturn_t hl_irq_handler_cq(int irq, void *arg)
+ return IRQ_HANDLED;
+ }
+
+- cq_base = (u32 *) (uintptr_t) cq->kernel_address;
++ cq_base = (struct hl_cq_entry *) (uintptr_t) cq->kernel_address;
+
+ while (1) {
+- bool entry_ready = ((cq_base[cq->ci] & CQ_ENTRY_READY_MASK)
++ bool entry_ready = ((le32_to_cpu(cq_base[cq->ci].data) &
++ CQ_ENTRY_READY_MASK)
+ >> CQ_ENTRY_READY_SHIFT);
+
+ if (!entry_ready)
+ break;
+
+- cq_entry = (u32 *) &cq_base[cq->ci];
++ cq_entry = (struct hl_cq_entry *) &cq_base[cq->ci];
+
+- /*
+- * Make sure we read CQ entry contents after we've
++ /* Make sure we read CQ entry contents after we've
+ * checked the ownership bit.
+ */
+ dma_rmb();
+
+- shadow_index_valid =
+- ((*cq_entry & CQ_ENTRY_SHADOW_INDEX_VALID_MASK)
++ shadow_index_valid = ((le32_to_cpu(cq_entry->data) &
++ CQ_ENTRY_SHADOW_INDEX_VALID_MASK)
+ >> CQ_ENTRY_SHADOW_INDEX_VALID_SHIFT);
+
+- shadow_index = (u16)
+- ((*cq_entry & CQ_ENTRY_SHADOW_INDEX_MASK)
++ shadow_index = (u16) ((le32_to_cpu(cq_entry->data) &
++ CQ_ENTRY_SHADOW_INDEX_MASK)
+ >> CQ_ENTRY_SHADOW_INDEX_SHIFT);
+
+ queue = &hdev->kernel_queues[cq->hw_queue_id];
+@@ -122,8 +121,7 @@ irqreturn_t hl_irq_handler_cq(int irq, void *arg)
+ queue_work(hdev->cq_wq, &job->finish_work);
+ }
+
+- /*
+- * Update ci of the context's queue. There is no
++ /* Update ci of the context's queue. There is no
+ * need to protect it with spinlock because this update is
+ * done only inside IRQ and there is a different IRQ per
+ * queue
+@@ -131,7 +129,8 @@ irqreturn_t hl_irq_handler_cq(int irq, void *arg)
+ queue->ci = hl_queue_inc_ptr(queue->ci);
+
+ /* Clear CQ entry ready bit */
+- cq_base[cq->ci] &= ~CQ_ENTRY_READY_MASK;
++ cq_entry->data = cpu_to_le32(le32_to_cpu(cq_entry->data) &
++ ~CQ_ENTRY_READY_MASK);
+
+ cq->ci = hl_cq_inc_ptr(cq->ci);
+
+--
+2.20.1
+
--- /dev/null
+From 561236a585cafbb2346b8b94764c3a57c6ecb043 Mon Sep 17 00:00:00 2001
+From: Ben Segal <bpsegal20@gmail.com>
+Date: Wed, 7 Aug 2019 13:54:54 +0000
+Subject: habanalabs: fix device IRQ unmasking for BE host
+
+[ Upstream commit b421d83a3947369fd5718824aecfaebe1efbf7ed ]
+
+When unmasking IRQs inside the ASIC, the driver passes an array of all the
+IRQ to unmask. The ASIC's CPU is working in LE so when running in a BE
+host, the driver needs to do the proper endianness swapping when preparing
+this array.
+
+In addition, this patch also fixes the endianness of a couple of kernel log
+debug messages that print values of packets
+
+Signed-off-by: Ben Segal <bpsegal20@gmail.com>
+Reviewed-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/habanalabs/goya/goya.c | 33 +++++++++++++++++++++--------
+ 1 file changed, 24 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/misc/habanalabs/goya/goya.c b/drivers/misc/habanalabs/goya/goya.c
+index 9216cc3599178..ac6b252a1ddcb 100644
+--- a/drivers/misc/habanalabs/goya/goya.c
++++ b/drivers/misc/habanalabs/goya/goya.c
+@@ -3311,9 +3311,11 @@ static int goya_validate_dma_pkt_no_mmu(struct hl_device *hdev,
+ int rc;
+
+ dev_dbg(hdev->dev, "DMA packet details:\n");
+- dev_dbg(hdev->dev, "source == 0x%llx\n", user_dma_pkt->src_addr);
+- dev_dbg(hdev->dev, "destination == 0x%llx\n", user_dma_pkt->dst_addr);
+- dev_dbg(hdev->dev, "size == %u\n", user_dma_pkt->tsize);
++ dev_dbg(hdev->dev, "source == 0x%llx\n",
++ le64_to_cpu(user_dma_pkt->src_addr));
++ dev_dbg(hdev->dev, "destination == 0x%llx\n",
++ le64_to_cpu(user_dma_pkt->dst_addr));
++ dev_dbg(hdev->dev, "size == %u\n", le32_to_cpu(user_dma_pkt->tsize));
+
+ ctl = le32_to_cpu(user_dma_pkt->ctl);
+ user_dir = (ctl & GOYA_PKT_LIN_DMA_CTL_DMA_DIR_MASK) >>
+@@ -3342,9 +3344,11 @@ static int goya_validate_dma_pkt_mmu(struct hl_device *hdev,
+ struct packet_lin_dma *user_dma_pkt)
+ {
+ dev_dbg(hdev->dev, "DMA packet details:\n");
+- dev_dbg(hdev->dev, "source == 0x%llx\n", user_dma_pkt->src_addr);
+- dev_dbg(hdev->dev, "destination == 0x%llx\n", user_dma_pkt->dst_addr);
+- dev_dbg(hdev->dev, "size == %u\n", user_dma_pkt->tsize);
++ dev_dbg(hdev->dev, "source == 0x%llx\n",
++ le64_to_cpu(user_dma_pkt->src_addr));
++ dev_dbg(hdev->dev, "destination == 0x%llx\n",
++ le64_to_cpu(user_dma_pkt->dst_addr));
++ dev_dbg(hdev->dev, "size == %u\n", le32_to_cpu(user_dma_pkt->tsize));
+
+ /*
+ * WA for HW-23.
+@@ -3384,7 +3388,8 @@ static int goya_validate_wreg32(struct hl_device *hdev,
+
+ dev_dbg(hdev->dev, "WREG32 packet details:\n");
+ dev_dbg(hdev->dev, "reg_offset == 0x%x\n", reg_offset);
+- dev_dbg(hdev->dev, "value == 0x%x\n", wreg_pkt->value);
++ dev_dbg(hdev->dev, "value == 0x%x\n",
++ le32_to_cpu(wreg_pkt->value));
+
+ if (reg_offset != (mmDMA_CH_0_WR_COMP_ADDR_LO & 0x1FFF)) {
+ dev_err(hdev->dev, "WREG32 packet with illegal address 0x%x\n",
+@@ -4252,6 +4257,8 @@ static int goya_unmask_irq_arr(struct hl_device *hdev, u32 *irq_arr,
+ size_t total_pkt_size;
+ long result;
+ int rc;
++ int irq_num_entries, irq_arr_index;
++ __le32 *goya_irq_arr;
+
+ total_pkt_size = sizeof(struct armcp_unmask_irq_arr_packet) +
+ irq_arr_size;
+@@ -4269,8 +4276,16 @@ static int goya_unmask_irq_arr(struct hl_device *hdev, u32 *irq_arr,
+ if (!pkt)
+ return -ENOMEM;
+
+- pkt->length = cpu_to_le32(irq_arr_size / sizeof(irq_arr[0]));
+- memcpy(&pkt->irqs, irq_arr, irq_arr_size);
++ irq_num_entries = irq_arr_size / sizeof(irq_arr[0]);
++ pkt->length = cpu_to_le32(irq_num_entries);
++
++ /* We must perform any necessary endianness conversation on the irq
++ * array being passed to the goya hardware
++ */
++ for (irq_arr_index = 0, goya_irq_arr = (__le32 *) &pkt->irqs;
++ irq_arr_index < irq_num_entries ; irq_arr_index++)
++ goya_irq_arr[irq_arr_index] =
++ cpu_to_le32(irq_arr[irq_arr_index]);
+
+ pkt->armcp_pkt.ctl = cpu_to_le32(ARMCP_PACKET_UNMASK_RAZWI_IRQ_ARRAY <<
+ ARMCP_PKT_CTL_OPCODE_SHIFT);
+--
+2.20.1
+
--- /dev/null
+From 07f81e664b3629f81ef22d0493a0cf2bb8c41ced Mon Sep 17 00:00:00 2001
+From: Tomer Tayar <ttayar@habana.ai>
+Date: Sun, 4 Aug 2019 07:03:41 +0000
+Subject: habanalabs: fix DRAM usage accounting on context tear down
+
+[ Upstream commit c8113756ba27298d6e95403c087dc5881b419a99 ]
+
+The patch fix the DRAM usage accounting by adding a missing update of
+the DRAM memory consumption, when a context is being torn down without an
+organized release of the allocated memory.
+
+Signed-off-by: Tomer Tayar <ttayar@habana.ai>
+Reviewed-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/habanalabs/memory.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/misc/habanalabs/memory.c b/drivers/misc/habanalabs/memory.c
+index 693877e37fd87..924a438ba9736 100644
+--- a/drivers/misc/habanalabs/memory.c
++++ b/drivers/misc/habanalabs/memory.c
+@@ -1629,6 +1629,8 @@ void hl_vm_ctx_fini(struct hl_ctx *ctx)
+ dev_dbg(hdev->dev,
+ "page list 0x%p of asid %d is still alive\n",
+ phys_pg_list, ctx->asid);
++ atomic64_sub(phys_pg_list->total_size,
++ &hdev->dram_used_mem);
+ free_phys_pg_pack(hdev, phys_pg_list);
+ idr_remove(&vm->phys_pg_pack_handles, i);
+ }
+--
+2.20.1
+
--- /dev/null
+From d1c78176f130bd079233a217dce88d201ee258d2 Mon Sep 17 00:00:00 2001
+From: Oded Gabbay <oded.gabbay@gmail.com>
+Date: Thu, 8 Aug 2019 15:45:58 +0300
+Subject: habanalabs: fix endianness handling for internal QMAN submission
+
+[ Upstream commit b9040c99414ba5b85090595a61abc686a5dbb388 ]
+
+The PQs of internal H/W queues (QMANs) can be located in different memory
+areas for different ASICs. Therefore, when writing PQEs, we need to use
+the correct function according to the location of the PQ. e.g. if the PQ
+is located in the device's memory (SRAM or DRAM), we need to use
+memcpy_toio() so it would work in architectures that have separate
+address ranges for IO memory.
+
+This patch makes the code that writes the PQE to be ASIC-specific so we
+can handle this properly per ASIC.
+
+Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
+Tested-by: Ben Segal <bpsegal20@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/habanalabs/goya/goya.c | 7 ++++---
+ drivers/misc/habanalabs/goya/goyaP.h | 2 +-
+ drivers/misc/habanalabs/habanalabs.h | 9 +++++++--
+ drivers/misc/habanalabs/hw_queue.c | 14 +++++---------
+ 4 files changed, 17 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/misc/habanalabs/goya/goya.c b/drivers/misc/habanalabs/goya/goya.c
+index 0644fd7742057..9216cc3599178 100644
+--- a/drivers/misc/habanalabs/goya/goya.c
++++ b/drivers/misc/habanalabs/goya/goya.c
+@@ -2716,9 +2716,10 @@ void goya_ring_doorbell(struct hl_device *hdev, u32 hw_queue_id, u32 pi)
+ GOYA_ASYNC_EVENT_ID_PI_UPDATE);
+ }
+
+-void goya_flush_pq_write(struct hl_device *hdev, u64 *pq, u64 exp_val)
++void goya_pqe_write(struct hl_device *hdev, __le64 *pqe, struct hl_bd *bd)
+ {
+- /* Not needed in Goya */
++ /* The QMANs are on the SRAM so need to copy to IO space */
++ memcpy_toio((void __iomem *) pqe, bd, sizeof(struct hl_bd));
+ }
+
+ static void *goya_dma_alloc_coherent(struct hl_device *hdev, size_t size,
+@@ -4784,7 +4785,7 @@ static const struct hl_asic_funcs goya_funcs = {
+ .resume = goya_resume,
+ .cb_mmap = goya_cb_mmap,
+ .ring_doorbell = goya_ring_doorbell,
+- .flush_pq_write = goya_flush_pq_write,
++ .pqe_write = goya_pqe_write,
+ .asic_dma_alloc_coherent = goya_dma_alloc_coherent,
+ .asic_dma_free_coherent = goya_dma_free_coherent,
+ .get_int_queue_base = goya_get_int_queue_base,
+diff --git a/drivers/misc/habanalabs/goya/goyaP.h b/drivers/misc/habanalabs/goya/goyaP.h
+index c83cab0d641e2..e2040fd331ca1 100644
+--- a/drivers/misc/habanalabs/goya/goyaP.h
++++ b/drivers/misc/habanalabs/goya/goyaP.h
+@@ -170,7 +170,7 @@ int goya_late_init(struct hl_device *hdev);
+ void goya_late_fini(struct hl_device *hdev);
+
+ void goya_ring_doorbell(struct hl_device *hdev, u32 hw_queue_id, u32 pi);
+-void goya_flush_pq_write(struct hl_device *hdev, u64 *pq, u64 exp_val);
++void goya_pqe_write(struct hl_device *hdev, __le64 *pqe, struct hl_bd *bd);
+ void goya_update_eq_ci(struct hl_device *hdev, u32 val);
+ void goya_restore_phase_topology(struct hl_device *hdev);
+ int goya_context_switch(struct hl_device *hdev, u32 asid);
+diff --git a/drivers/misc/habanalabs/habanalabs.h b/drivers/misc/habanalabs/habanalabs.h
+index adef7d9d7488a..d56ab65d5b2a4 100644
+--- a/drivers/misc/habanalabs/habanalabs.h
++++ b/drivers/misc/habanalabs/habanalabs.h
+@@ -449,7 +449,11 @@ enum hl_pll_frequency {
+ * @resume: handles IP specific H/W or SW changes for resume.
+ * @cb_mmap: maps a CB.
+ * @ring_doorbell: increment PI on a given QMAN.
+- * @flush_pq_write: flush PQ entry write if necessary, WARN if flushing failed.
++ * @pqe_write: Write the PQ entry to the PQ. This is ASIC-specific
++ * function because the PQs are located in different memory areas
++ * per ASIC (SRAM, DRAM, Host memory) and therefore, the method of
++ * writing the PQE must match the destination memory area
++ * properties.
+ * @asic_dma_alloc_coherent: Allocate coherent DMA memory by calling
+ * dma_alloc_coherent(). This is ASIC function because
+ * its implementation is not trivial when the driver
+@@ -518,7 +522,8 @@ struct hl_asic_funcs {
+ int (*cb_mmap)(struct hl_device *hdev, struct vm_area_struct *vma,
+ u64 kaddress, phys_addr_t paddress, u32 size);
+ void (*ring_doorbell)(struct hl_device *hdev, u32 hw_queue_id, u32 pi);
+- void (*flush_pq_write)(struct hl_device *hdev, u64 *pq, u64 exp_val);
++ void (*pqe_write)(struct hl_device *hdev, __le64 *pqe,
++ struct hl_bd *bd);
+ void* (*asic_dma_alloc_coherent)(struct hl_device *hdev, size_t size,
+ dma_addr_t *dma_handle, gfp_t flag);
+ void (*asic_dma_free_coherent)(struct hl_device *hdev, size_t size,
+diff --git a/drivers/misc/habanalabs/hw_queue.c b/drivers/misc/habanalabs/hw_queue.c
+index 2894d89759334..bb76794747279 100644
+--- a/drivers/misc/habanalabs/hw_queue.c
++++ b/drivers/misc/habanalabs/hw_queue.c
+@@ -290,23 +290,19 @@ static void int_hw_queue_schedule_job(struct hl_cs_job *job)
+ struct hl_device *hdev = job->cs->ctx->hdev;
+ struct hl_hw_queue *q = &hdev->kernel_queues[job->hw_queue_id];
+ struct hl_bd bd;
+- u64 *pi, *pbd = (u64 *) &bd;
++ __le64 *pi;
+
+ bd.ctl = 0;
+- bd.len = __cpu_to_le32(job->job_cb_size);
+- bd.ptr = __cpu_to_le64((u64) (uintptr_t) job->user_cb);
++ bd.len = cpu_to_le32(job->job_cb_size);
++ bd.ptr = cpu_to_le64((u64) (uintptr_t) job->user_cb);
+
+- pi = (u64 *) (uintptr_t) (q->kernel_address +
++ pi = (__le64 *) (uintptr_t) (q->kernel_address +
+ ((q->pi & (q->int_queue_len - 1)) * sizeof(bd)));
+
+- pi[0] = pbd[0];
+- pi[1] = pbd[1];
+-
+ q->pi++;
+ q->pi &= ((q->int_queue_len << 1) - 1);
+
+- /* Flush PQ entry write. Relevant only for specific ASICs */
+- hdev->asic_funcs->flush_pq_write(hdev, pi, pbd[0]);
++ hdev->asic_funcs->pqe_write(hdev, pi, &bd);
+
+ hdev->asic_funcs->ring_doorbell(hdev, q->hw_queue_id, q->pi);
+ }
+--
+2.20.1
+
--- /dev/null
+From 2d16394741442fc3250cd63c6ceed547230dcfbd Mon Sep 17 00:00:00 2001
+From: Ben Segal <bpsegal20@gmail.com>
+Date: Thu, 1 Aug 2019 23:20:32 +0000
+Subject: habanalabs: fix endianness handling for packets from user
+
+[ Upstream commit 213ad5ad016a0da975b35f54e8cd236c3b04724b ]
+
+Packets that arrive from the user and need to be parsed by the driver are
+assumed to be in LE format.
+
+This patch fix all the places where the code handles these packets and use
+the correct endianness macros to handle them, as the driver handles the
+packets in CPU format (LE or BE depending on the arch).
+
+Signed-off-by: Ben Segal <bpsegal20@gmail.com>
+Reviewed-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/habanalabs/goya/goya.c | 32 +++++++++++--------
+ .../habanalabs/include/goya/goya_packets.h | 13 ++++++++
+ 2 files changed, 32 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/misc/habanalabs/goya/goya.c b/drivers/misc/habanalabs/goya/goya.c
+index 02d116b01a1a2..0644fd7742057 100644
+--- a/drivers/misc/habanalabs/goya/goya.c
++++ b/drivers/misc/habanalabs/goya/goya.c
+@@ -3425,12 +3425,13 @@ static int goya_validate_cb(struct hl_device *hdev,
+ while (cb_parsed_length < parser->user_cb_size) {
+ enum packet_id pkt_id;
+ u16 pkt_size;
+- void *user_pkt;
++ struct goya_packet *user_pkt;
+
+- user_pkt = (void *) (uintptr_t)
++ user_pkt = (struct goya_packet *) (uintptr_t)
+ (parser->user_cb->kernel_address + cb_parsed_length);
+
+- pkt_id = (enum packet_id) (((*(u64 *) user_pkt) &
++ pkt_id = (enum packet_id) (
++ (le64_to_cpu(user_pkt->header) &
+ PACKET_HEADER_PACKET_ID_MASK) >>
+ PACKET_HEADER_PACKET_ID_SHIFT);
+
+@@ -3450,7 +3451,8 @@ static int goya_validate_cb(struct hl_device *hdev,
+ * need to validate here as well because patch_cb() is
+ * not called in MMU path while this function is called
+ */
+- rc = goya_validate_wreg32(hdev, parser, user_pkt);
++ rc = goya_validate_wreg32(hdev,
++ parser, (struct packet_wreg32 *) user_pkt);
+ break;
+
+ case PACKET_WREG_BULK:
+@@ -3478,10 +3480,10 @@ static int goya_validate_cb(struct hl_device *hdev,
+ case PACKET_LIN_DMA:
+ if (is_mmu)
+ rc = goya_validate_dma_pkt_mmu(hdev, parser,
+- user_pkt);
++ (struct packet_lin_dma *) user_pkt);
+ else
+ rc = goya_validate_dma_pkt_no_mmu(hdev, parser,
+- user_pkt);
++ (struct packet_lin_dma *) user_pkt);
+ break;
+
+ case PACKET_MSG_LONG:
+@@ -3654,15 +3656,16 @@ static int goya_patch_cb(struct hl_device *hdev,
+ enum packet_id pkt_id;
+ u16 pkt_size;
+ u32 new_pkt_size = 0;
+- void *user_pkt, *kernel_pkt;
++ struct goya_packet *user_pkt, *kernel_pkt;
+
+- user_pkt = (void *) (uintptr_t)
++ user_pkt = (struct goya_packet *) (uintptr_t)
+ (parser->user_cb->kernel_address + cb_parsed_length);
+- kernel_pkt = (void *) (uintptr_t)
++ kernel_pkt = (struct goya_packet *) (uintptr_t)
+ (parser->patched_cb->kernel_address +
+ cb_patched_cur_length);
+
+- pkt_id = (enum packet_id) (((*(u64 *) user_pkt) &
++ pkt_id = (enum packet_id) (
++ (le64_to_cpu(user_pkt->header) &
+ PACKET_HEADER_PACKET_ID_MASK) >>
+ PACKET_HEADER_PACKET_ID_SHIFT);
+
+@@ -3677,15 +3680,18 @@ static int goya_patch_cb(struct hl_device *hdev,
+
+ switch (pkt_id) {
+ case PACKET_LIN_DMA:
+- rc = goya_patch_dma_packet(hdev, parser, user_pkt,
+- kernel_pkt, &new_pkt_size);
++ rc = goya_patch_dma_packet(hdev, parser,
++ (struct packet_lin_dma *) user_pkt,
++ (struct packet_lin_dma *) kernel_pkt,
++ &new_pkt_size);
+ cb_patched_cur_length += new_pkt_size;
+ break;
+
+ case PACKET_WREG_32:
+ memcpy(kernel_pkt, user_pkt, pkt_size);
+ cb_patched_cur_length += pkt_size;
+- rc = goya_validate_wreg32(hdev, parser, kernel_pkt);
++ rc = goya_validate_wreg32(hdev, parser,
++ (struct packet_wreg32 *) kernel_pkt);
+ break;
+
+ case PACKET_WREG_BULK:
+diff --git a/drivers/misc/habanalabs/include/goya/goya_packets.h b/drivers/misc/habanalabs/include/goya/goya_packets.h
+index a14407b975e4e..ef54bad205099 100644
+--- a/drivers/misc/habanalabs/include/goya/goya_packets.h
++++ b/drivers/misc/habanalabs/include/goya/goya_packets.h
+@@ -52,6 +52,19 @@ enum goya_dma_direction {
+ #define GOYA_PKT_CTL_MB_SHIFT 31
+ #define GOYA_PKT_CTL_MB_MASK 0x80000000
+
++/* All packets have, at least, an 8-byte header, which contains
++ * the packet type. The kernel driver uses the packet header for packet
++ * validation and to perform any necessary required preparation before
++ * sending them off to the hardware.
++ */
++struct goya_packet {
++ __le64 header;
++ /* The rest of the packet data follows. Use the corresponding
++ * packet_XXX struct to deference the data, based on packet type
++ */
++ u8 contents[0];
++};
++
+ struct packet_nop {
+ __le32 reserved;
+ __le32 ctl;
+--
+2.20.1
+
--- /dev/null
+From 395819d93fa31137f8eb511a4c0ccce9356fd8f4 Mon Sep 17 00:00:00 2001
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Date: Thu, 8 Aug 2019 21:54:17 +0200
+Subject: i2c: emev2: avoid race when unregistering slave client
+
+[ Upstream commit d7437fc0d8291181debe032671a289b6bd93f46f ]
+
+After we disabled interrupts, there might still be an active one
+running. Sync before clearing the pointer to the slave device.
+
+Fixes: c31d0a00021d ("i2c: emev2: add slave support")
+Reported-by: Krzysztof Adamski <krzysztof.adamski@nokia.com>
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Krzysztof Adamski <krzysztof.adamski@nokia.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-emev2.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-emev2.c b/drivers/i2c/busses/i2c-emev2.c
+index 35b302d983e0d..959d4912ec0d5 100644
+--- a/drivers/i2c/busses/i2c-emev2.c
++++ b/drivers/i2c/busses/i2c-emev2.c
+@@ -69,6 +69,7 @@ struct em_i2c_device {
+ struct completion msg_done;
+ struct clk *sclk;
+ struct i2c_client *slave;
++ int irq;
+ };
+
+ static inline void em_clear_set_bit(struct em_i2c_device *priv, u8 clear, u8 set, u8 reg)
+@@ -339,6 +340,12 @@ static int em_i2c_unreg_slave(struct i2c_client *slave)
+
+ writeb(0, priv->base + I2C_OFS_SVA0);
+
++ /*
++ * Wait for interrupt to finish. New slave irqs cannot happen because we
++ * cleared the slave address and, thus, only extension codes will be
++ * detected which do not use the slave ptr.
++ */
++ synchronize_irq(priv->irq);
+ priv->slave = NULL;
+
+ return 0;
+@@ -355,7 +362,7 @@ static int em_i2c_probe(struct platform_device *pdev)
+ {
+ struct em_i2c_device *priv;
+ struct resource *r;
+- int irq, ret;
++ int ret;
+
+ priv = devm_kzalloc(&pdev->dev, sizeof(*priv), GFP_KERNEL);
+ if (!priv)
+@@ -390,8 +397,8 @@ static int em_i2c_probe(struct platform_device *pdev)
+
+ em_i2c_reset(&priv->adap);
+
+- irq = platform_get_irq(pdev, 0);
+- ret = devm_request_irq(&pdev->dev, irq, em_i2c_irq_handler, 0,
++ priv->irq = platform_get_irq(pdev, 0);
++ ret = devm_request_irq(&pdev->dev, priv->irq, em_i2c_irq_handler, 0,
+ "em_i2c", priv);
+ if (ret)
+ goto err_clk;
+@@ -401,7 +408,8 @@ static int em_i2c_probe(struct platform_device *pdev)
+ if (ret)
+ goto err_clk;
+
+- dev_info(&pdev->dev, "Added i2c controller %d, irq %d\n", priv->adap.nr, irq);
++ dev_info(&pdev->dev, "Added i2c controller %d, irq %d\n", priv->adap.nr,
++ priv->irq);
+
+ return 0;
+
+--
+2.20.1
+
--- /dev/null
+From a477c280a5629f0e37a4427d5ff0a4a99ead2d61 Mon Sep 17 00:00:00 2001
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Date: Thu, 8 Aug 2019 21:39:10 +0200
+Subject: i2c: rcar: avoid race when unregistering slave client
+
+[ Upstream commit 7b814d852af6944657c2961039f404c4490771c0 ]
+
+After we disabled interrupts, there might still be an active one
+running. Sync before clearing the pointer to the slave device.
+
+Fixes: de20d1857dd6 ("i2c: rcar: add slave support")
+Reported-by: Krzysztof Adamski <krzysztof.adamski@nokia.com>
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Krzysztof Adamski <krzysztof.adamski@nokia.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-rcar.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-rcar.c b/drivers/i2c/busses/i2c-rcar.c
+index d39a4606f72d3..531c01100b560 100644
+--- a/drivers/i2c/busses/i2c-rcar.c
++++ b/drivers/i2c/busses/i2c-rcar.c
+@@ -139,6 +139,7 @@ struct rcar_i2c_priv {
+ enum dma_data_direction dma_direction;
+
+ struct reset_control *rstc;
++ int irq;
+ };
+
+ #define rcar_i2c_priv_to_dev(p) ((p)->adap.dev.parent)
+@@ -861,9 +862,11 @@ static int rcar_unreg_slave(struct i2c_client *slave)
+
+ WARN_ON(!priv->slave);
+
++ /* disable irqs and ensure none is running before clearing ptr */
+ rcar_i2c_write(priv, ICSIER, 0);
+ rcar_i2c_write(priv, ICSCR, 0);
+
++ synchronize_irq(priv->irq);
+ priv->slave = NULL;
+
+ pm_runtime_put(rcar_i2c_priv_to_dev(priv));
+@@ -918,7 +921,7 @@ static int rcar_i2c_probe(struct platform_device *pdev)
+ struct i2c_adapter *adap;
+ struct device *dev = &pdev->dev;
+ struct i2c_timings i2c_t;
+- int irq, ret;
++ int ret;
+
+ /* Otherwise logic will break because some bytes must always use PIO */
+ BUILD_BUG_ON_MSG(RCAR_MIN_DMA_LEN < 3, "Invalid min DMA length");
+@@ -984,10 +987,10 @@ static int rcar_i2c_probe(struct platform_device *pdev)
+ pm_runtime_put(dev);
+
+
+- irq = platform_get_irq(pdev, 0);
+- ret = devm_request_irq(dev, irq, rcar_i2c_irq, 0, dev_name(dev), priv);
++ priv->irq = platform_get_irq(pdev, 0);
++ ret = devm_request_irq(dev, priv->irq, rcar_i2c_irq, 0, dev_name(dev), priv);
+ if (ret < 0) {
+- dev_err(dev, "cannot get irq %d\n", irq);
++ dev_err(dev, "cannot get irq %d\n", priv->irq);
+ goto out_pm_disable;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 1daabdc0f33cd8e294ffcf5ef95e08b07cb3a099 Mon Sep 17 00:00:00 2001
+From: Yishai Hadas <yishaih@mellanox.com>
+Date: Mon, 5 Aug 2019 11:30:10 +0300
+Subject: IB/mlx5: Fix implicit MR release flow
+
+[ Upstream commit f591822c3cf314442819486f45ff7dc1f690e0c0 ]
+
+Once implicit MR is being called to be released by
+ib_umem_notifier_release() its leaves were marked as "dying".
+
+However, when dereg_mr()->mlx5_ib_free_implicit_mr()->mr_leaf_free() is
+called, it skips running the mr_leaf_free_action (i.e. umem_odp->work)
+when those leaves were marked as "dying".
+
+As such ib_umem_release() for the leaves won't be called and their MRs
+will be leaked as well.
+
+When an application exits/killed without calling dereg_mr we might hit the
+above flow.
+
+This fatal scenario is reported by WARN_ON() upon
+mlx5_ib_dealloc_ucontext() as ibcontext->per_mm_list is not empty, the
+call trace can be seen below.
+
+Originally the "dying" mark as part of ib_umem_notifier_release() was
+introduced to prevent pagefault_mr() from returning a success response
+once this happened. However, we already have today the completion
+mechanism so no need for that in those flows any more. Even in case a
+success response will be returned the firmware will not find the pages and
+an error will be returned in the following call as a released mm will
+cause ib_umem_odp_map_dma_pages() to permanently fail mmget_not_zero().
+
+Fix the above issue by dropping the "dying" from the above flows. The
+other flows that are using "dying" are still needed it for their
+synchronization purposes.
+
+ WARNING: CPU: 1 PID: 7218 at
+ drivers/infiniband/hw/mlx5/main.c:2004
+ mlx5_ib_dealloc_ucontext+0x84/0x90 [mlx5_ib]
+ CPU: 1 PID: 7218 Comm: ibv_rc_pingpong Tainted: G E
+ 5.2.0-rc6+ #13
+ Call Trace:
+ uverbs_destroy_ufile_hw+0xb5/0x120 [ib_uverbs]
+ ib_uverbs_close+0x1f/0x80 [ib_uverbs]
+ __fput+0xbe/0x250
+ task_work_run+0x88/0xa0
+ do_exit+0x2cb/0xc30
+ ? __fput+0x14b/0x250
+ do_group_exit+0x39/0xb0
+ get_signal+0x191/0x920
+ ? _raw_spin_unlock_bh+0xa/0x20
+ ? inet_csk_accept+0x229/0x2f0
+ do_signal+0x36/0x5e0
+ ? put_unused_fd+0x5b/0x70
+ ? __sys_accept4+0x1a6/0x1e0
+ ? inet_hash+0x35/0x40
+ ? release_sock+0x43/0x90
+ ? _raw_spin_unlock_bh+0xa/0x20
+ ? inet_listen+0x9f/0x120
+ exit_to_usermode_loop+0x5c/0xc6
+ do_syscall_64+0x182/0x1b0
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 81713d3788d2 ("IB/mlx5: Add implicit MR support")
+Link: https://lore.kernel.org/r/20190805083010.21777-1-leon@kernel.org
+Signed-off-by: Yishai Hadas <yishaih@mellanox.com>
+Reviewed-by: Artemy Kovalyov <artemyko@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/umem_odp.c | 4 ----
+ drivers/infiniband/hw/mlx5/odp.c | 24 +++++++++---------------
+ 2 files changed, 9 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/infiniband/core/umem_odp.c b/drivers/infiniband/core/umem_odp.c
+index e4b13a32692a9..5e5f7dd82c50d 100644
+--- a/drivers/infiniband/core/umem_odp.c
++++ b/drivers/infiniband/core/umem_odp.c
+@@ -114,10 +114,6 @@ static int ib_umem_notifier_release_trampoline(struct ib_umem_odp *umem_odp,
+ * prevent any further fault handling on this MR.
+ */
+ ib_umem_notifier_start_account(umem_odp);
+- umem_odp->dying = 1;
+- /* Make sure that the fact the umem is dying is out before we release
+- * all pending page faults. */
+- smp_wmb();
+ complete_all(&umem_odp->notifier_completion);
+ umem->context->invalidate_range(umem_odp, ib_umem_start(umem),
+ ib_umem_end(umem));
+diff --git a/drivers/infiniband/hw/mlx5/odp.c b/drivers/infiniband/hw/mlx5/odp.c
+index f6e5351ba4d50..fda3dfd6f87b6 100644
+--- a/drivers/infiniband/hw/mlx5/odp.c
++++ b/drivers/infiniband/hw/mlx5/odp.c
+@@ -581,7 +581,6 @@ static int pagefault_mr(struct mlx5_ib_dev *dev, struct mlx5_ib_mr *mr,
+ u32 flags)
+ {
+ int npages = 0, current_seq, page_shift, ret, np;
+- bool implicit = false;
+ struct ib_umem_odp *odp_mr = to_ib_umem_odp(mr->umem);
+ bool downgrade = flags & MLX5_PF_FLAGS_DOWNGRADE;
+ bool prefetch = flags & MLX5_PF_FLAGS_PREFETCH;
+@@ -596,7 +595,6 @@ static int pagefault_mr(struct mlx5_ib_dev *dev, struct mlx5_ib_mr *mr,
+ if (IS_ERR(odp))
+ return PTR_ERR(odp);
+ mr = odp->private;
+- implicit = true;
+ } else {
+ odp = odp_mr;
+ }
+@@ -684,19 +682,15 @@ next_mr:
+
+ out:
+ if (ret == -EAGAIN) {
+- if (implicit || !odp->dying) {
+- unsigned long timeout =
+- msecs_to_jiffies(MMU_NOTIFIER_TIMEOUT);
+-
+- if (!wait_for_completion_timeout(
+- &odp->notifier_completion,
+- timeout)) {
+- mlx5_ib_warn(dev, "timeout waiting for mmu notifier. seq %d against %d. notifiers_count=%d\n",
+- current_seq, odp->notifiers_seq, odp->notifiers_count);
+- }
+- } else {
+- /* The MR is being killed, kill the QP as well. */
+- ret = -EFAULT;
++ unsigned long timeout = msecs_to_jiffies(MMU_NOTIFIER_TIMEOUT);
++
++ if (!wait_for_completion_timeout(&odp->notifier_completion,
++ timeout)) {
++ mlx5_ib_warn(
++ dev,
++ "timeout waiting for mmu notifier. seq %d against %d. notifiers_count=%d\n",
++ current_seq, odp->notifiers_seq,
++ odp->notifiers_count);
+ }
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 783b756d8b4b74e0c231b2ca3c2a0569bdc9a3a7 Mon Sep 17 00:00:00 2001
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Mon, 29 Jul 2019 17:46:00 +0100
+Subject: iommu/dma: Handle SG length overflow better
+
+[ Upstream commit ab2cbeb0ed301a9f0460078e91b09f39958212ef ]
+
+Since scatterlist dimensions are all unsigned ints, in the relatively
+rare cases where a device's max_segment_size is set to UINT_MAX, then
+the "cur_len + s_length <= max_len" check in __finalise_sg() will always
+return true. As a result, the corner case of such a device mapping an
+excessively large scatterlist which is mergeable to or beyond a total
+length of 4GB can lead to overflow and a bogus truncated dma_length in
+the resulting segment.
+
+As we already assume that any single segment must be no longer than
+max_len to begin with, this can easily be addressed by reshuffling the
+comparison.
+
+Fixes: 809eac54cdd6 ("iommu/dma: Implement scatterlist segment merging")
+Reported-by: Nicolin Chen <nicoleotsuka@gmail.com>
+Tested-by: Nicolin Chen <nicoleotsuka@gmail.com>
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/dma-iommu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c
+index 379318266468c..8c02d2283d647 100644
+--- a/drivers/iommu/dma-iommu.c
++++ b/drivers/iommu/dma-iommu.c
+@@ -710,7 +710,7 @@ static int __finalise_sg(struct device *dev, struct scatterlist *sg, int nents,
+ * - and wouldn't make the resulting output segment too long
+ */
+ if (cur_len && !s_iova_off && (dma_addr & seg_mask) &&
+- (cur_len + s_length <= max_len)) {
++ (max_len - cur_len >= s_length)) {
+ /* ...then concatenate it with the previous one */
+ cur_len += s_length;
+ } else {
+--
+2.20.1
+
--- /dev/null
+From dea939de3f5fb867092c28f581fa82d7a361f5c4 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Mon, 26 Aug 2019 10:31:14 -0400
+Subject: lcoking/rwsem: Add missing ACQUIRE to read_slowpath sleep loop
+
+[ Upstream commit 99143f82a255e7f054bead8443462fae76dd829e ]
+
+While reviewing another read_slowpath patch, both Will and I noticed
+another missing ACQUIRE, namely:
+
+ X = 0;
+
+ CPU0 CPU1
+
+ rwsem_down_read()
+ for (;;) {
+ set_current_state(TASK_UNINTERRUPTIBLE);
+
+ X = 1;
+ rwsem_up_write();
+ rwsem_mark_wake()
+ atomic_long_add(adjustment, &sem->count);
+ smp_store_release(&waiter->task, NULL);
+
+ if (!waiter.task)
+ break;
+
+ ...
+ }
+
+ r = X;
+
+Allows 'r == 0'.
+
+Reported-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reported-by: Will Deacon <will@kernel.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Will Deacon <will@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Acked-by: Jan Stancek <jstancek@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/locking/rwsem-xadd.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/locking/rwsem-xadd.c b/kernel/locking/rwsem-xadd.c
+index 397dedc58432d..385ebcfc31a6d 100644
+--- a/kernel/locking/rwsem-xadd.c
++++ b/kernel/locking/rwsem-xadd.c
+@@ -485,8 +485,10 @@ __rwsem_down_read_failed_common(struct rw_semaphore *sem, int state)
+ /* wait to be given the lock */
+ while (true) {
+ set_current_state(state);
+- if (!waiter.task)
++ if (!smp_load_acquire(&waiter.task)) {
++ /* Orders against rwsem_mark_wake()'s smp_store_release() */
+ break;
++ }
+ if (signal_pending_state(state, current)) {
+ raw_spin_lock_irq(&sem->wait_lock);
+ if (waiter.task)
+--
+2.20.1
+
--- /dev/null
+From 7821081f49e389a4076f193231fd6521e0abcd9e Mon Sep 17 00:00:00 2001
+From: Jan Stancek <jstancek@redhat.com>
+Date: Mon, 26 Aug 2019 10:31:13 -0400
+Subject: locking/rwsem: Add missing ACQUIRE to read_slowpath exit when queue
+ is empty
+
+[ Upstream commit e1b98fa316648420d0434d9ff5b92ad6609ba6c3 ]
+
+LTP mtest06 has been observed to occasionally hit "still mapped when
+deleted" and following BUG_ON on arm64.
+
+The extra mapcount originated from pagefault handler, which handled
+pagefault for vma that has already been detached. vma is detached
+under mmap_sem write lock by detach_vmas_to_be_unmapped(), which
+also invalidates vmacache.
+
+When the pagefault handler (under mmap_sem read lock) calls
+find_vma(), vmacache_valid() wrongly reports vmacache as valid.
+
+After rwsem down_read() returns via 'queue empty' path (as of v5.2),
+it does so without an ACQUIRE on sem->count:
+
+ down_read()
+ __down_read()
+ rwsem_down_read_failed()
+ __rwsem_down_read_failed_common()
+ raw_spin_lock_irq(&sem->wait_lock);
+ if (list_empty(&sem->wait_list)) {
+ if (atomic_long_read(&sem->count) >= 0) {
+ raw_spin_unlock_irq(&sem->wait_lock);
+ return sem;
+
+The problem can be reproduced by running LTP mtest06 in a loop and
+building the kernel (-j $NCPUS) in parallel. It does reproduces since
+v4.20 on arm64 HPE Apollo 70 (224 CPUs, 256GB RAM, 2 nodes). It
+triggers reliably in about an hour.
+
+The patched kernel ran fine for 10+ hours.
+
+Signed-off-by: Jan Stancek <jstancek@redhat.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Will Deacon <will@kernel.org>
+Acked-by: Waiman Long <longman@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: dbueso@suse.de
+Fixes: 4b486b535c33 ("locking/rwsem: Exit read lock slowpath if queue empty & no writer")
+Link: https://lkml.kernel.org/r/50b8914e20d1d62bb2dee42d342836c2c16ebee7.1563438048.git.jstancek@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Acked-by: Jan Stancek <jstancek@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/locking/rwsem-xadd.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/locking/rwsem-xadd.c b/kernel/locking/rwsem-xadd.c
+index 0b1f779572402..397dedc58432d 100644
+--- a/kernel/locking/rwsem-xadd.c
++++ b/kernel/locking/rwsem-xadd.c
+@@ -454,6 +454,8 @@ __rwsem_down_read_failed_common(struct rw_semaphore *sem, int state)
+ * been set in the count.
+ */
+ if (atomic_long_read(&sem->count) >= 0) {
++ /* Provide lock ACQUIRE */
++ smp_acquire__after_ctrl_dep();
+ raw_spin_unlock_irq(&sem->wait_lock);
+ rwsem_set_reader_owned(sem);
+ lockevent_inc(rwsem_rlock_fast);
+--
+2.20.1
+
--- /dev/null
+From fb0492fa524586a99ae5204ac6e93704750ea779 Mon Sep 17 00:00:00 2001
+From: Logan Gunthorpe <logang@deltatee.com>
+Date: Wed, 31 Jul 2019 17:35:34 -0600
+Subject: nvme-core: Fix extra device_put() call on error path
+
+[ Upstream commit 8c36e66fb407ce076535a7db98ab9f6d720b866a ]
+
+In the error path for nvme_init_subsystem(), nvme_put_subsystem()
+will call device_put(), but it will get called again after the
+mutex_unlock().
+
+The device_put() only needs to be called if device_add() fails.
+
+This bug caused a KASAN use-after-free error when adding and
+removing subsytems in a loop:
+
+ BUG: KASAN: use-after-free in device_del+0x8d9/0x9a0
+ Read of size 8 at addr ffff8883cdaf7120 by task multipathd/329
+
+ CPU: 0 PID: 329 Comm: multipathd Not tainted 5.2.0-rc6-vmlocalyes-00019-g70a2b39005fd-dirty #314
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
+ Call Trace:
+ dump_stack+0x7b/0xb5
+ print_address_description+0x6f/0x280
+ ? device_del+0x8d9/0x9a0
+ __kasan_report+0x148/0x199
+ ? device_del+0x8d9/0x9a0
+ ? class_release+0x100/0x130
+ ? device_del+0x8d9/0x9a0
+ kasan_report+0x12/0x20
+ __asan_report_load8_noabort+0x14/0x20
+ device_del+0x8d9/0x9a0
+ ? device_platform_notify+0x70/0x70
+ nvme_destroy_subsystem+0xf9/0x150
+ nvme_free_ctrl+0x280/0x3a0
+ device_release+0x72/0x1d0
+ kobject_put+0x144/0x410
+ put_device+0x13/0x20
+ nvme_free_ns+0xc4/0x100
+ nvme_release+0xb3/0xe0
+ __blkdev_put+0x549/0x6e0
+ ? kasan_check_write+0x14/0x20
+ ? bd_set_size+0xb0/0xb0
+ ? kasan_check_write+0x14/0x20
+ ? mutex_lock+0x8f/0xe0
+ ? __mutex_lock_slowpath+0x20/0x20
+ ? locks_remove_file+0x239/0x370
+ blkdev_put+0x72/0x2c0
+ blkdev_close+0x8d/0xd0
+ __fput+0x256/0x770
+ ? _raw_read_lock_irq+0x40/0x40
+ ____fput+0xe/0x10
+ task_work_run+0x10c/0x180
+ ? filp_close+0xf7/0x140
+ exit_to_usermode_loop+0x151/0x170
+ do_syscall_64+0x240/0x2e0
+ ? prepare_exit_to_usermode+0xd5/0x190
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ RIP: 0033:0x7f5a79af05d7
+ Code: 00 00 0f 05 48 3d 00 f0 ff ff 77 3f c3 66 0f 1f 44 00 00 53 89 fb 48 83 ec 10 e8 c4 fb ff ff 89 df 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2b 89 d7 89 44 24 0c e8 06 fc ff ff 8b 44 24
+ RSP: 002b:00007f5a7799c810 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
+ RAX: 0000000000000000 RBX: 0000000000000008 RCX: 00007f5a79af05d7
+ RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000008
+ RBP: 00007f5a58000f98 R08: 0000000000000002 R09: 00007f5a7935ee80
+ R10: 0000000000000000 R11: 0000000000000293 R12: 000055e432447240
+ R13: 0000000000000000 R14: 0000000000000001 R15: 000055e4324a9cf0
+
+ Allocated by task 1236:
+ save_stack+0x21/0x80
+ __kasan_kmalloc.constprop.6+0xab/0xe0
+ kasan_kmalloc+0x9/0x10
+ kmem_cache_alloc_trace+0x102/0x210
+ nvme_init_identify+0x13c3/0x3820
+ nvme_loop_configure_admin_queue+0x4fa/0x5e0
+ nvme_loop_create_ctrl+0x469/0xf40
+ nvmf_dev_write+0x19a3/0x21ab
+ __vfs_write+0x66/0x120
+ vfs_write+0x154/0x490
+ ksys_write+0x104/0x240
+ __x64_sys_write+0x73/0xb0
+ do_syscall_64+0xa5/0x2e0
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+ Freed by task 329:
+ save_stack+0x21/0x80
+ __kasan_slab_free+0x129/0x190
+ kasan_slab_free+0xe/0x10
+ kfree+0xa7/0x200
+ nvme_release_subsystem+0x49/0x60
+ device_release+0x72/0x1d0
+ kobject_put+0x144/0x410
+ put_device+0x13/0x20
+ klist_class_dev_put+0x31/0x40
+ klist_put+0x8f/0xf0
+ klist_del+0xe/0x10
+ device_del+0x3a7/0x9a0
+ nvme_destroy_subsystem+0xf9/0x150
+ nvme_free_ctrl+0x280/0x3a0
+ device_release+0x72/0x1d0
+ kobject_put+0x144/0x410
+ put_device+0x13/0x20
+ nvme_free_ns+0xc4/0x100
+ nvme_release+0xb3/0xe0
+ __blkdev_put+0x549/0x6e0
+ blkdev_put+0x72/0x2c0
+ blkdev_close+0x8d/0xd0
+ __fput+0x256/0x770
+ ____fput+0xe/0x10
+ task_work_run+0x10c/0x180
+ exit_to_usermode_loop+0x151/0x170
+ do_syscall_64+0x240/0x2e0
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 32fd90c40768 ("nvme: change locking for the per-subsystem controller list")
+Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by : Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index ab1a2b1ec3637..dfbd5872f4422 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -2440,6 +2440,7 @@ static int nvme_init_subsystem(struct nvme_ctrl *ctrl, struct nvme_id_ctrl *id)
+ if (ret) {
+ dev_err(ctrl->device,
+ "failed to register subsystem device.\n");
++ put_device(&subsys->dev);
+ goto out_unlock;
+ }
+ ida_init(&subsys->ns_ida);
+@@ -2462,7 +2463,6 @@ out_put_subsystem:
+ nvme_put_subsystem(subsys);
+ out_unlock:
+ mutex_unlock(&nvme_subsystems_lock);
+- put_device(&subsys->dev);
+ return ret;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From d23522a34d117b5b9732dd4e81bbb89da8834224 Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Wed, 31 Jul 2019 11:00:26 -0700
+Subject: nvme: fix a possible deadlock when passthru commands sent to a
+ multipath device
+
+[ Upstream commit b9156daeb1601d69007b7e50efcf89d69d72ec1d ]
+
+When the user issues a command with side effects, we will end up freezing
+the namespace request queue when updating disk info (and the same for
+the corresponding mpath disk node).
+
+However, we are not freezing the mpath node request queue,
+which means that mpath I/O can still come in and block on blk_queue_enter
+(called from nvme_ns_head_make_request -> direct_make_request).
+
+This is a deadlock, because blk_queue_enter will block until the inner
+namespace request queue is unfroze, but that process is blocked because
+the namespace revalidation is trying to update the mpath disk info
+and freeze its request queue (which will never complete because
+of the I/O that is blocked on blk_queue_enter).
+
+Fix this by freezing all the subsystem nsheads request queues before
+executing the passthru command. Given that these commands are infrequent
+we should not worry about this temporary I/O freeze to keep things sane.
+
+Here is the matching hang traces:
+--
+[ 374.465002] INFO: task systemd-udevd:17994 blocked for more than 122 seconds.
+[ 374.472975] Not tainted 5.2.0-rc3-mpdebug+ #42
+[ 374.478522] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+[ 374.487274] systemd-udevd D 0 17994 1 0x00000000
+[ 374.493407] Call Trace:
+[ 374.496145] __schedule+0x2ef/0x620
+[ 374.500047] schedule+0x38/0xa0
+[ 374.503569] blk_queue_enter+0x139/0x220
+[ 374.507959] ? remove_wait_queue+0x60/0x60
+[ 374.512540] direct_make_request+0x60/0x130
+[ 374.517219] nvme_ns_head_make_request+0x11d/0x420 [nvme_core]
+[ 374.523740] ? generic_make_request_checks+0x307/0x6f0
+[ 374.529484] generic_make_request+0x10d/0x2e0
+[ 374.534356] submit_bio+0x75/0x140
+[ 374.538163] ? guard_bio_eod+0x32/0xe0
+[ 374.542361] submit_bh_wbc+0x171/0x1b0
+[ 374.546553] block_read_full_page+0x1ed/0x330
+[ 374.551426] ? check_disk_change+0x70/0x70
+[ 374.556008] ? scan_shadow_nodes+0x30/0x30
+[ 374.560588] blkdev_readpage+0x18/0x20
+[ 374.564783] do_read_cache_page+0x301/0x860
+[ 374.569463] ? blkdev_writepages+0x10/0x10
+[ 374.574037] ? prep_new_page+0x88/0x130
+[ 374.578329] ? get_page_from_freelist+0xa2f/0x1280
+[ 374.583688] ? __alloc_pages_nodemask+0x179/0x320
+[ 374.588947] read_cache_page+0x12/0x20
+[ 374.593142] read_dev_sector+0x2d/0xd0
+[ 374.597337] read_lba+0x104/0x1f0
+[ 374.601046] find_valid_gpt+0xfa/0x720
+[ 374.605243] ? string_nocheck+0x58/0x70
+[ 374.609534] ? find_valid_gpt+0x720/0x720
+[ 374.614016] efi_partition+0x89/0x430
+[ 374.618113] ? string+0x48/0x60
+[ 374.621632] ? snprintf+0x49/0x70
+[ 374.625339] ? find_valid_gpt+0x720/0x720
+[ 374.629828] check_partition+0x116/0x210
+[ 374.634214] rescan_partitions+0xb6/0x360
+[ 374.638699] __blkdev_reread_part+0x64/0x70
+[ 374.643377] blkdev_reread_part+0x23/0x40
+[ 374.647860] blkdev_ioctl+0x48c/0x990
+[ 374.651956] block_ioctl+0x41/0x50
+[ 374.655766] do_vfs_ioctl+0xa7/0x600
+[ 374.659766] ? locks_lock_inode_wait+0xb1/0x150
+[ 374.664832] ksys_ioctl+0x67/0x90
+[ 374.668539] __x64_sys_ioctl+0x1a/0x20
+[ 374.672732] do_syscall_64+0x5a/0x1c0
+[ 374.676828] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+[ 374.738474] INFO: task nvmeadm:49141 blocked for more than 123 seconds.
+[ 374.745871] Not tainted 5.2.0-rc3-mpdebug+ #42
+[ 374.751419] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+[ 374.760170] nvmeadm D 0 49141 36333 0x00004080
+[ 374.766301] Call Trace:
+[ 374.769038] __schedule+0x2ef/0x620
+[ 374.772939] schedule+0x38/0xa0
+[ 374.776452] blk_mq_freeze_queue_wait+0x59/0x100
+[ 374.781614] ? remove_wait_queue+0x60/0x60
+[ 374.786192] blk_mq_freeze_queue+0x1a/0x20
+[ 374.790773] nvme_update_disk_info.isra.57+0x5f/0x350 [nvme_core]
+[ 374.797582] ? nvme_identify_ns.isra.50+0x71/0xc0 [nvme_core]
+[ 374.804006] __nvme_revalidate_disk+0xe5/0x110 [nvme_core]
+[ 374.810139] nvme_revalidate_disk+0xa6/0x120 [nvme_core]
+[ 374.816078] ? nvme_submit_user_cmd+0x11e/0x320 [nvme_core]
+[ 374.822299] nvme_user_cmd+0x264/0x370 [nvme_core]
+[ 374.827661] nvme_dev_ioctl+0x112/0x1d0 [nvme_core]
+[ 374.833114] do_vfs_ioctl+0xa7/0x600
+[ 374.837117] ? __audit_syscall_entry+0xdd/0x130
+[ 374.842184] ksys_ioctl+0x67/0x90
+[ 374.845891] __x64_sys_ioctl+0x1a/0x20
+[ 374.850082] do_syscall_64+0x5a/0x1c0
+[ 374.854178] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+--
+
+Reported-by: James Puthukattukaran <james.puthukattukaran@oracle.com>
+Tested-by: James Puthukattukaran <james.puthukattukaran@oracle.com>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 5 +++++
+ drivers/nvme/host/multipath.c | 30 ++++++++++++++++++++++++++++++
+ drivers/nvme/host/nvme.h | 12 ++++++++++++
+ 3 files changed, 47 insertions(+)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index dfbd5872f4422..05301b94e2fa0 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -1268,6 +1268,9 @@ static u32 nvme_passthru_start(struct nvme_ctrl *ctrl, struct nvme_ns *ns,
+ */
+ if (effects & (NVME_CMD_EFFECTS_LBCC | NVME_CMD_EFFECTS_CSE_MASK)) {
+ mutex_lock(&ctrl->scan_lock);
++ mutex_lock(&ctrl->subsys->lock);
++ nvme_mpath_start_freeze(ctrl->subsys);
++ nvme_mpath_wait_freeze(ctrl->subsys);
+ nvme_start_freeze(ctrl);
+ nvme_wait_freeze(ctrl);
+ }
+@@ -1298,6 +1301,8 @@ static void nvme_passthru_end(struct nvme_ctrl *ctrl, u32 effects)
+ nvme_update_formats(ctrl);
+ if (effects & (NVME_CMD_EFFECTS_LBCC | NVME_CMD_EFFECTS_CSE_MASK)) {
+ nvme_unfreeze(ctrl);
++ nvme_mpath_unfreeze(ctrl->subsys);
++ mutex_unlock(&ctrl->subsys->lock);
+ mutex_unlock(&ctrl->scan_lock);
+ }
+ if (effects & NVME_CMD_EFFECTS_CCC)
+diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c
+index e942b3e840687..dafb9e4aa1237 100644
+--- a/drivers/nvme/host/multipath.c
++++ b/drivers/nvme/host/multipath.c
+@@ -12,6 +12,36 @@ module_param(multipath, bool, 0444);
+ MODULE_PARM_DESC(multipath,
+ "turn on native support for multiple controllers per subsystem");
+
++void nvme_mpath_unfreeze(struct nvme_subsystem *subsys)
++{
++ struct nvme_ns_head *h;
++
++ lockdep_assert_held(&subsys->lock);
++ list_for_each_entry(h, &subsys->nsheads, entry)
++ if (h->disk)
++ blk_mq_unfreeze_queue(h->disk->queue);
++}
++
++void nvme_mpath_wait_freeze(struct nvme_subsystem *subsys)
++{
++ struct nvme_ns_head *h;
++
++ lockdep_assert_held(&subsys->lock);
++ list_for_each_entry(h, &subsys->nsheads, entry)
++ if (h->disk)
++ blk_mq_freeze_queue_wait(h->disk->queue);
++}
++
++void nvme_mpath_start_freeze(struct nvme_subsystem *subsys)
++{
++ struct nvme_ns_head *h;
++
++ lockdep_assert_held(&subsys->lock);
++ list_for_each_entry(h, &subsys->nsheads, entry)
++ if (h->disk)
++ blk_freeze_queue_start(h->disk->queue);
++}
++
+ /*
+ * If multipathing is enabled we need to always use the subsystem instance
+ * number for numbering our devices to avoid conflicts between subsystems that
+diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h
+index 7391cd0a7739e..b8b45822f7be0 100644
+--- a/drivers/nvme/host/nvme.h
++++ b/drivers/nvme/host/nvme.h
+@@ -477,6 +477,9 @@ static inline bool nvme_ctrl_use_ana(struct nvme_ctrl *ctrl)
+ return ctrl->ana_log_buf != NULL;
+ }
+
++void nvme_mpath_unfreeze(struct nvme_subsystem *subsys);
++void nvme_mpath_wait_freeze(struct nvme_subsystem *subsys);
++void nvme_mpath_start_freeze(struct nvme_subsystem *subsys);
+ void nvme_set_disk_name(char *disk_name, struct nvme_ns *ns,
+ struct nvme_ctrl *ctrl, int *flags);
+ void nvme_failover_req(struct request *req);
+@@ -555,6 +558,15 @@ static inline void nvme_mpath_uninit(struct nvme_ctrl *ctrl)
+ static inline void nvme_mpath_stop(struct nvme_ctrl *ctrl)
+ {
+ }
++static inline void nvme_mpath_unfreeze(struct nvme_subsystem *subsys)
++{
++}
++static inline void nvme_mpath_wait_freeze(struct nvme_subsystem *subsys)
++{
++}
++static inline void nvme_mpath_start_freeze(struct nvme_subsystem *subsys)
++{
++}
+ #endif /* CONFIG_NVME_MULTIPATH */
+
+ #ifdef CONFIG_NVM
+--
+2.20.1
+
--- /dev/null
+From 04987d1f22a86717b4bd72b16a72c4e0029e95b5 Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Thu, 25 Jul 2019 11:56:57 -0700
+Subject: nvme: fix controller removal race with scan work
+
+[ Upstream commit 0157ec8dad3c8fc9bc9790f76e0831ffdaf2e7f0 ]
+
+With multipath enabled, nvme_scan_work() can read from the device
+(through nvme_mpath_add_disk()) and hang [1]. However, with fabrics,
+once ctrl->state is set to NVME_CTRL_DELETING, the reads will hang
+(see nvmf_check_ready()) and the mpath stack device make_request
+will block if head->list is not empty. However, when the head->list
+consistst of only DELETING/DEAD controllers, we should actually not
+block, but rather fail immediately.
+
+In addition, before we go ahead and remove the namespaces, make sure
+to clear the current path and kick the requeue list so that the
+request will fast fail upon requeuing.
+
+[1]:
+--
+ INFO: task kworker/u4:3:166 blocked for more than 120 seconds.
+ Not tainted 5.2.0-rc6-vmlocalyes-00005-g808c8c2dc0cf #316
+ "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+ kworker/u4:3 D 0 166 2 0x80004000
+ Workqueue: nvme-wq nvme_scan_work
+ Call Trace:
+ __schedule+0x851/0x1400
+ schedule+0x99/0x210
+ io_schedule+0x21/0x70
+ do_read_cache_page+0xa57/0x1330
+ read_cache_page+0x4a/0x70
+ read_dev_sector+0xbf/0x380
+ amiga_partition+0xc4/0x1230
+ check_partition+0x30f/0x630
+ rescan_partitions+0x19a/0x980
+ __blkdev_get+0x85a/0x12f0
+ blkdev_get+0x2a5/0x790
+ __device_add_disk+0xe25/0x1250
+ device_add_disk+0x13/0x20
+ nvme_mpath_set_live+0x172/0x2b0
+ nvme_update_ns_ana_state+0x130/0x180
+ nvme_set_ns_ana_state+0x9a/0xb0
+ nvme_parse_ana_log+0x1c3/0x4a0
+ nvme_mpath_add_disk+0x157/0x290
+ nvme_validate_ns+0x1017/0x1bd0
+ nvme_scan_work+0x44d/0x6a0
+ process_one_work+0x7d7/0x1240
+ worker_thread+0x8e/0xff0
+ kthread+0x2c3/0x3b0
+ ret_from_fork+0x35/0x40
+
+ INFO: task kworker/u4:1:1034 blocked for more than 120 seconds.
+ Not tainted 5.2.0-rc6-vmlocalyes-00005-g808c8c2dc0cf #316
+ "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+ kworker/u4:1 D 0 1034 2 0x80004000
+ Workqueue: nvme-delete-wq nvme_delete_ctrl_work
+ Call Trace:
+ __schedule+0x851/0x1400
+ schedule+0x99/0x210
+ schedule_timeout+0x390/0x830
+ wait_for_completion+0x1a7/0x310
+ __flush_work+0x241/0x5d0
+ flush_work+0x10/0x20
+ nvme_remove_namespaces+0x85/0x3d0
+ nvme_do_delete_ctrl+0xb4/0x1e0
+ nvme_delete_ctrl_work+0x15/0x20
+ process_one_work+0x7d7/0x1240
+ worker_thread+0x8e/0xff0
+ kthread+0x2c3/0x3b0
+ ret_from_fork+0x35/0x40
+--
+
+Reported-by: Logan Gunthorpe <logang@deltatee.com>
+Tested-by: Logan Gunthorpe <logang@deltatee.com>
+Reviewed-by: Logan Gunthorpe <logang@deltatee.com>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 7 ++++++
+ drivers/nvme/host/multipath.c | 46 ++++++++++++++++++++++++++++++-----
+ drivers/nvme/host/nvme.h | 9 +++++--
+ 3 files changed, 54 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 05301b94e2fa0..601509b3251ae 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -3529,6 +3529,13 @@ void nvme_remove_namespaces(struct nvme_ctrl *ctrl)
+ struct nvme_ns *ns, *next;
+ LIST_HEAD(ns_list);
+
++ /*
++ * make sure to requeue I/O to all namespaces as these
++ * might result from the scan itself and must complete
++ * for the scan_work to make progress
++ */
++ nvme_mpath_clear_ctrl_paths(ctrl);
++
+ /* prevent racing with ns scanning */
+ flush_work(&ctrl->scan_work);
+
+diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c
+index dafb9e4aa1237..747c0d4f9ff5b 100644
+--- a/drivers/nvme/host/multipath.c
++++ b/drivers/nvme/host/multipath.c
+@@ -134,18 +134,34 @@ static const char *nvme_ana_state_names[] = {
+ [NVME_ANA_CHANGE] = "change",
+ };
+
+-void nvme_mpath_clear_current_path(struct nvme_ns *ns)
++bool nvme_mpath_clear_current_path(struct nvme_ns *ns)
+ {
+ struct nvme_ns_head *head = ns->head;
++ bool changed = false;
+ int node;
+
+ if (!head)
+- return;
++ goto out;
+
+ for_each_node(node) {
+- if (ns == rcu_access_pointer(head->current_path[node]))
++ if (ns == rcu_access_pointer(head->current_path[node])) {
+ rcu_assign_pointer(head->current_path[node], NULL);
++ changed = true;
++ }
+ }
++out:
++ return changed;
++}
++
++void nvme_mpath_clear_ctrl_paths(struct nvme_ctrl *ctrl)
++{
++ struct nvme_ns *ns;
++
++ mutex_lock(&ctrl->scan_lock);
++ list_for_each_entry(ns, &ctrl->namespaces, list)
++ if (nvme_mpath_clear_current_path(ns))
++ kblockd_schedule_work(&ns->head->requeue_work);
++ mutex_unlock(&ctrl->scan_lock);
+ }
+
+ static struct nvme_ns *__nvme_find_path(struct nvme_ns_head *head, int node)
+@@ -248,6 +264,24 @@ inline struct nvme_ns *nvme_find_path(struct nvme_ns_head *head)
+ return ns;
+ }
+
++static bool nvme_available_path(struct nvme_ns_head *head)
++{
++ struct nvme_ns *ns;
++
++ list_for_each_entry_rcu(ns, &head->list, siblings) {
++ switch (ns->ctrl->state) {
++ case NVME_CTRL_LIVE:
++ case NVME_CTRL_RESETTING:
++ case NVME_CTRL_CONNECTING:
++ /* fallthru */
++ return true;
++ default:
++ break;
++ }
++ }
++ return false;
++}
++
+ static blk_qc_t nvme_ns_head_make_request(struct request_queue *q,
+ struct bio *bio)
+ {
+@@ -274,14 +308,14 @@ static blk_qc_t nvme_ns_head_make_request(struct request_queue *q,
+ disk_devt(ns->head->disk),
+ bio->bi_iter.bi_sector);
+ ret = direct_make_request(bio);
+- } else if (!list_empty_careful(&head->list)) {
+- dev_warn_ratelimited(dev, "no path available - requeuing I/O\n");
++ } else if (nvme_available_path(head)) {
++ dev_warn_ratelimited(dev, "no usable path - requeuing I/O\n");
+
+ spin_lock_irq(&head->requeue_lock);
+ bio_list_add(&head->requeue_list, bio);
+ spin_unlock_irq(&head->requeue_lock);
+ } else {
+- dev_warn_ratelimited(dev, "no path - failing I/O\n");
++ dev_warn_ratelimited(dev, "no available path - failing I/O\n");
+
+ bio->bi_status = BLK_STS_IOERR;
+ bio_endio(bio);
+diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h
+index b8b45822f7be0..81215ca32671a 100644
+--- a/drivers/nvme/host/nvme.h
++++ b/drivers/nvme/host/nvme.h
+@@ -490,7 +490,8 @@ void nvme_mpath_remove_disk(struct nvme_ns_head *head);
+ int nvme_mpath_init(struct nvme_ctrl *ctrl, struct nvme_id_ctrl *id);
+ void nvme_mpath_uninit(struct nvme_ctrl *ctrl);
+ void nvme_mpath_stop(struct nvme_ctrl *ctrl);
+-void nvme_mpath_clear_current_path(struct nvme_ns *ns);
++bool nvme_mpath_clear_current_path(struct nvme_ns *ns);
++void nvme_mpath_clear_ctrl_paths(struct nvme_ctrl *ctrl);
+ struct nvme_ns *nvme_find_path(struct nvme_ns_head *head);
+
+ static inline void nvme_mpath_check_last_path(struct nvme_ns *ns)
+@@ -538,7 +539,11 @@ static inline void nvme_mpath_add_disk(struct nvme_ns *ns,
+ static inline void nvme_mpath_remove_disk(struct nvme_ns_head *head)
+ {
+ }
+-static inline void nvme_mpath_clear_current_path(struct nvme_ns *ns)
++static inline bool nvme_mpath_clear_current_path(struct nvme_ns *ns)
++{
++ return false;
++}
++static inline void nvme_mpath_clear_ctrl_paths(struct nvme_ctrl *ctrl)
+ {
+ }
+ static inline void nvme_mpath_check_last_path(struct nvme_ns *ns)
+--
+2.20.1
+
--- /dev/null
+From b113b3d25810b79ec9a380e4b4e7b1f26761c0b8 Mon Sep 17 00:00:00 2001
+From: Anthony Iliopoulos <ailiopoulos@suse.com>
+Date: Mon, 29 Jul 2019 14:40:40 +0200
+Subject: nvme-multipath: revalidate nvme_ns_head gendisk in nvme_validate_ns
+
+[ Upstream commit fab7772bfbcfe8fb8e3e352a6a8fcaf044cded17 ]
+
+When CONFIG_NVME_MULTIPATH is set, only the hidden gendisk associated
+with the per-controller ns is run through revalidate_disk when a
+rescan is triggered, while the visible blockdev never gets its size
+(bdev->bd_inode->i_size) updated to reflect any capacity changes that
+may have occurred.
+
+This prevents online resizing of nvme block devices and in extension of
+any filesystems atop that will are unable to expand while mounted, as
+userspace relies on the blockdev size for obtaining the disk capacity
+(via BLKGETSIZE/64 ioctls).
+
+Fix this by explicitly revalidating the actual namespace gendisk in
+addition to the per-controller gendisk, when multipath is enabled.
+
+Signed-off-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 5deb4deb38209..ab1a2b1ec3637 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -1668,6 +1668,7 @@ static void __nvme_revalidate_disk(struct gendisk *disk, struct nvme_id_ns *id)
+ if (ns->head->disk) {
+ nvme_update_disk_info(ns->head->disk, ns, id);
+ blk_queue_stack_limits(ns->head->disk->queue, ns->queue);
++ revalidate_disk(ns->head->disk);
+ }
+ #endif
+ }
+--
+2.20.1
+
--- /dev/null
+From f28f059b2a4b7e70d4a8871c120d70a4d43663fa Mon Sep 17 00:00:00 2001
+From: Keith Busch <kbusch@kernel.org>
+Date: Mon, 29 Jul 2019 16:34:52 -0600
+Subject: nvme-pci: Fix async probe remove race
+
+[ Upstream commit bd46a90634302bfe791e93ad5496f98f165f7ae0 ]
+
+Ensure the controller is not in the NEW state when nvme_probe() exits.
+This will always allow a subsequent nvme_remove() to set the state to
+DELETING, fixing a potential race between the initial asynchronous probe
+and device removal.
+
+Reported-by: Li Zhong <lizhongfs@gmail.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index f9959eaaa185e..09ffd21d18096 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -2712,7 +2712,7 @@ static void nvme_async_probe(void *data, async_cookie_t cookie)
+ {
+ struct nvme_dev *dev = data;
+
+- nvme_reset_ctrl_sync(&dev->ctrl);
++ flush_work(&dev->ctrl.reset_work);
+ flush_work(&dev->ctrl.scan_work);
+ nvme_put_ctrl(&dev->ctrl);
+ }
+@@ -2778,6 +2778,7 @@ static int nvme_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+
+ dev_info(dev->ctrl.device, "pci function %s\n", dev_name(&pdev->dev));
+
++ nvme_reset_ctrl(&dev->ctrl);
+ nvme_get_ctrl(&dev->ctrl);
+ async_schedule(nvme_async_probe, dev);
+
+--
+2.20.1
+
--- /dev/null
+From d297bea0cb9157d8ad1ecd849f31a29cdb35a3b6 Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Fri, 26 Jul 2019 10:29:49 -0700
+Subject: nvme-rdma: fix possible use-after-free in connect error flow
+
+[ Upstream commit d94211b8bad3787e0655a67284105f57db728cb1 ]
+
+When start_queue fails, we need to make sure to drain the
+queue cq before freeing the rdma resources because we might
+still race with the completion path. Have start_queue() error
+path safely stop the queue.
+
+--
+[30371.808111] nvme nvme1: Failed reconnect attempt 11
+[30371.808113] nvme nvme1: Reconnecting in 10 seconds...
+[...]
+[30382.069315] nvme nvme1: creating 4 I/O queues.
+[30382.257058] nvme nvme1: Connect Invalid SQE Parameter, qid 4
+[30382.257061] nvme nvme1: failed to connect queue: 4 ret=386
+[30382.305001] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
+[30382.305022] IP: qedr_poll_cq+0x8a3/0x1170 [qedr]
+[30382.305028] PGD 0 P4D 0
+[30382.305037] Oops: 0000 [#1] SMP PTI
+[...]
+[30382.305153] Call Trace:
+[30382.305166] ? __switch_to_asm+0x34/0x70
+[30382.305187] __ib_process_cq+0x56/0xd0 [ib_core]
+[30382.305201] ib_poll_handler+0x26/0x70 [ib_core]
+[30382.305213] irq_poll_softirq+0x88/0x110
+[30382.305223] ? sort_range+0x20/0x20
+[30382.305232] __do_softirq+0xde/0x2c6
+[30382.305241] ? sort_range+0x20/0x20
+[30382.305249] run_ksoftirqd+0x1c/0x60
+[30382.305258] smpboot_thread_fn+0xef/0x160
+[30382.305265] kthread+0x113/0x130
+[30382.305273] ? kthread_create_worker_on_cpu+0x50/0x50
+[30382.305281] ret_from_fork+0x35/0x40
+--
+
+Reported-by: Nicolas Morey-Chaisemartin <NMoreyChaisemartin@suse.com>
+Reviewed-by: Max Gurtovoy <maxg@mellanox.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/rdma.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c
+index 97f668a39ae1c..7b074323bcdf2 100644
+--- a/drivers/nvme/host/rdma.c
++++ b/drivers/nvme/host/rdma.c
+@@ -562,13 +562,17 @@ out_destroy_cm_id:
+ return ret;
+ }
+
++static void __nvme_rdma_stop_queue(struct nvme_rdma_queue *queue)
++{
++ rdma_disconnect(queue->cm_id);
++ ib_drain_qp(queue->qp);
++}
++
+ static void nvme_rdma_stop_queue(struct nvme_rdma_queue *queue)
+ {
+ if (!test_and_clear_bit(NVME_RDMA_Q_LIVE, &queue->flags))
+ return;
+-
+- rdma_disconnect(queue->cm_id);
+- ib_drain_qp(queue->qp);
++ __nvme_rdma_stop_queue(queue);
+ }
+
+ static void nvme_rdma_free_queue(struct nvme_rdma_queue *queue)
+@@ -607,11 +611,13 @@ static int nvme_rdma_start_queue(struct nvme_rdma_ctrl *ctrl, int idx)
+ else
+ ret = nvmf_connect_admin_queue(&ctrl->ctrl);
+
+- if (!ret)
++ if (!ret) {
+ set_bit(NVME_RDMA_Q_LIVE, &queue->flags);
+- else
++ } else {
++ __nvme_rdma_stop_queue(queue);
+ dev_info(ctrl->ctrl.device,
+ "failed to connect queue: %d ret=%d\n", idx, ret);
++ }
+ return ret;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 05903dd4c96d0eb06ea7a6ce6e3f246e3fa87d3d Mon Sep 17 00:00:00 2001
+From: Logan Gunthorpe <logang@deltatee.com>
+Date: Wed, 31 Jul 2019 17:35:33 -0600
+Subject: nvmet-file: fix nvmet_file_flush() always returning an error
+
+[ Upstream commit cfc1a1af56200362d1508b82b9a3cc3acb2eae0c ]
+
+Presently, nvmet_file_flush() always returns a call to
+errno_to_nvme_status() but that helper doesn't take into account the
+case when errno=0. So nvmet_file_flush() always returns an error code.
+
+All other callers of errno_to_nvme_status() check for success before
+calling it.
+
+To fix this, ensure errno_to_nvme_status() returns success if the
+errno is zero. This should prevent future mistakes like this from
+happening.
+
+Fixes: c6aa3542e010 ("nvmet: add error log support for file backend")
+Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
+index e4db9a4411681..396cbc7ea3532 100644
+--- a/drivers/nvme/target/core.c
++++ b/drivers/nvme/target/core.c
+@@ -43,6 +43,9 @@ inline u16 errno_to_nvme_status(struct nvmet_req *req, int errno)
+ u16 status;
+
+ switch (errno) {
++ case 0:
++ status = NVME_SC_SUCCESS;
++ break;
+ case -ENOSPC:
+ req->error_loc = offsetof(struct nvme_rw_command, length);
+ status = NVME_SC_CAP_EXCEEDED | NVME_SC_DNR;
+--
+2.20.1
+
--- /dev/null
+From cccaea7f9069c7f847210c74686db5b9b36c3d2c Mon Sep 17 00:00:00 2001
+From: Logan Gunthorpe <logang@deltatee.com>
+Date: Wed, 31 Jul 2019 17:35:31 -0600
+Subject: nvmet: Fix use-after-free bug when a port is removed
+
+[ Upstream commit 3aed86731ee2b23e4dc4d2c6d943d33992cd551b ]
+
+When a port is removed through configfs, any connected controllers
+are still active and can still send commands. This causes a
+use-after-free bug which is detected by KASAN for any admin command
+that dereferences req->port (like in nvmet_execute_identify_ctrl).
+
+To fix this, disconnect all active controllers when a subsystem is
+removed from a port. This ensures there are no active controllers
+when the port is eventually removed.
+
+Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Max Gurtovoy <maxg@mellanox.com>
+Reviewed-by : Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/configfs.c | 1 +
+ drivers/nvme/target/core.c | 12 ++++++++++++
+ drivers/nvme/target/nvmet.h | 3 +++
+ 3 files changed, 16 insertions(+)
+
+diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c
+index 08dd5af357f7c..3854363118ccf 100644
+--- a/drivers/nvme/target/configfs.c
++++ b/drivers/nvme/target/configfs.c
+@@ -673,6 +673,7 @@ static void nvmet_port_subsys_drop_link(struct config_item *parent,
+
+ found:
+ list_del(&p->entry);
++ nvmet_port_del_ctrls(port, subsys);
+ nvmet_port_disc_changed(port, subsys);
+
+ if (list_empty(&port->subsystems))
+diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
+index 7734a6acff851..e4db9a4411681 100644
+--- a/drivers/nvme/target/core.c
++++ b/drivers/nvme/target/core.c
+@@ -277,6 +277,18 @@ void nvmet_unregister_transport(const struct nvmet_fabrics_ops *ops)
+ }
+ EXPORT_SYMBOL_GPL(nvmet_unregister_transport);
+
++void nvmet_port_del_ctrls(struct nvmet_port *port, struct nvmet_subsys *subsys)
++{
++ struct nvmet_ctrl *ctrl;
++
++ mutex_lock(&subsys->lock);
++ list_for_each_entry(ctrl, &subsys->ctrls, subsys_entry) {
++ if (ctrl->port == port)
++ ctrl->ops->delete_ctrl(ctrl);
++ }
++ mutex_unlock(&subsys->lock);
++}
++
+ int nvmet_enable_port(struct nvmet_port *port)
+ {
+ const struct nvmet_fabrics_ops *ops;
+diff --git a/drivers/nvme/target/nvmet.h b/drivers/nvme/target/nvmet.h
+index c25d88fc9dec8..b6b0d483e0c50 100644
+--- a/drivers/nvme/target/nvmet.h
++++ b/drivers/nvme/target/nvmet.h
+@@ -415,6 +415,9 @@ void nvmet_port_send_ana_event(struct nvmet_port *port);
+ int nvmet_register_transport(const struct nvmet_fabrics_ops *ops);
+ void nvmet_unregister_transport(const struct nvmet_fabrics_ops *ops);
+
++void nvmet_port_del_ctrls(struct nvmet_port *port,
++ struct nvmet_subsys *subsys);
++
+ int nvmet_enable_port(struct nvmet_port *port);
+ void nvmet_disable_port(struct nvmet_port *port);
+
+--
+2.20.1
+
--- /dev/null
+From 1be9ecc8fdb7431e29e46195040329553699c20a Mon Sep 17 00:00:00 2001
+From: Logan Gunthorpe <logang@deltatee.com>
+Date: Wed, 31 Jul 2019 17:35:32 -0600
+Subject: nvmet-loop: Flush nvme_delete_wq when removing the port
+
+[ Upstream commit 86b9a63e595ff03f9d0a7b92b6acc231fecefc29 ]
+
+After calling nvme_loop_delete_ctrl(), the controllers will not
+yet be deleted because nvme_delete_ctrl() only schedules work
+to do the delete.
+
+This means a race can occur if a port is removed but there
+are still active controllers trying to access that memory.
+
+To fix this, flush the nvme_delete_wq before returning from
+nvme_loop_remove_port() so that any controllers that might
+be in the process of being deleted won't access a freed port.
+
+Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Max Gurtovoy <maxg@mellanox.com>
+Reviewed-by : Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/loop.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/nvme/target/loop.c b/drivers/nvme/target/loop.c
+index 9e211ad6bdd3d..da9cd07461fbb 100644
+--- a/drivers/nvme/target/loop.c
++++ b/drivers/nvme/target/loop.c
+@@ -654,6 +654,14 @@ static void nvme_loop_remove_port(struct nvmet_port *port)
+ mutex_lock(&nvme_loop_ports_mutex);
+ list_del_init(&port->entry);
+ mutex_unlock(&nvme_loop_ports_mutex);
++
++ /*
++ * Ensure any ctrls that are in the process of being
++ * deleted are in fact deleted before we return
++ * and free the port. This is to prevent active
++ * ctrls from using a port after it's freed.
++ */
++ flush_workqueue(nvme_delete_wq);
+ }
+
+ static const struct nvmet_fabrics_ops nvme_loop_ops = {
+--
+2.20.1
+
--- /dev/null
+From 6b4407195774cc3638f143ef16a33f59c6bdb136 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil@xs4all.nl>
+Date: Fri, 9 Aug 2019 10:32:40 +0200
+Subject: omap-dma/omap_vout_vrfb: fix off-by-one fi value
+
+[ Upstream commit d555c34338cae844b207564c482e5a3fb089d25e ]
+
+The OMAP 4 TRM specifies that when using double-index addressing
+the address increases by the ES plus the EI value minus 1 within
+a frame. When a full frame is transferred, the address increases
+by the ES plus the frame index (FI) value minus 1.
+
+The omap-dma code didn't account for the 'minus 1' in the FI register.
+To get correct addressing, add 1 to the src_icg value.
+
+This was found when testing a hacked version of the media m2m-deinterlace.c
+driver on a Pandaboard.
+
+The only other source that uses this feature is omap_vout_vrfb.c,
+and that adds a + 1 when setting the dst_icg. This is a workaround
+for the broken omap-dma.c behavior. So remove the workaround at the
+same time that we fix omap-dma.c.
+
+I tested the omap_vout driver with a Beagle XM board to check that
+the '+ 1' in omap_vout_vrfb.c was indeed a workaround for the omap-dma
+bug.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Acked-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Acked-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Link: https://lore.kernel.org/r/952e7f51-f208-9333-6f58-b7ed20d2ea0b@xs4all.nl
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/ti/omap-dma.c | 4 ++--
+ drivers/media/platform/omap/omap_vout_vrfb.c | 3 +--
+ 2 files changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/dma/ti/omap-dma.c b/drivers/dma/ti/omap-dma.c
+index ba2489d4ea246..ba27802efcd0a 100644
+--- a/drivers/dma/ti/omap-dma.c
++++ b/drivers/dma/ti/omap-dma.c
+@@ -1234,7 +1234,7 @@ static struct dma_async_tx_descriptor *omap_dma_prep_dma_interleaved(
+ if (src_icg) {
+ d->ccr |= CCR_SRC_AMODE_DBLIDX;
+ d->ei = 1;
+- d->fi = src_icg;
++ d->fi = src_icg + 1;
+ } else if (xt->src_inc) {
+ d->ccr |= CCR_SRC_AMODE_POSTINC;
+ d->fi = 0;
+@@ -1249,7 +1249,7 @@ static struct dma_async_tx_descriptor *omap_dma_prep_dma_interleaved(
+ if (dst_icg) {
+ d->ccr |= CCR_DST_AMODE_DBLIDX;
+ sg->ei = 1;
+- sg->fi = dst_icg;
++ sg->fi = dst_icg + 1;
+ } else if (xt->dst_inc) {
+ d->ccr |= CCR_DST_AMODE_POSTINC;
+ sg->fi = 0;
+diff --git a/drivers/media/platform/omap/omap_vout_vrfb.c b/drivers/media/platform/omap/omap_vout_vrfb.c
+index 29e3f5da59c1f..11ec048929e80 100644
+--- a/drivers/media/platform/omap/omap_vout_vrfb.c
++++ b/drivers/media/platform/omap/omap_vout_vrfb.c
+@@ -253,8 +253,7 @@ int omap_vout_prepare_vrfb(struct omap_vout_device *vout,
+ */
+
+ pixsize = vout->bpp * vout->vrfb_bpp;
+- dst_icg = ((MAX_PIXELS_PER_LINE * pixsize) -
+- (vout->pix.width * vout->bpp)) + 1;
++ dst_icg = MAX_PIXELS_PER_LINE * pixsize - vout->pix.width * vout->bpp;
+
+ xt->src_start = vout->buf_phy_addr[vb->i];
+ xt->dst_start = vout->vrfb_context[vb->i].paddr[0];
+--
+2.20.1
+
--- /dev/null
+From 83be67ff23d2c8c144f36f375ec5efb098eaaeec Mon Sep 17 00:00:00 2001
+From: Paul Walmsley <paul.walmsley@sifive.com>
+Date: Wed, 7 Aug 2019 19:07:34 -0700
+Subject: riscv: fix flush_tlb_range() end address for flush_tlb_page()
+
+[ Upstream commit eb93685847a9055283d05951c1b205e737f38533 ]
+
+The RISC-V kernel implementation of flush_tlb_page() when CONFIG_SMP
+is set is wrong. It passes zero to flush_tlb_range() as the final
+address to flush, but it should be at least 'addr'.
+
+Some other Linux architecture ports use the beginning address to
+flush, plus PAGE_SIZE, as the final address to flush. This might
+flush slightly more than what's needed, but it seems unlikely that
+being more clever would improve anything. So let's just take that
+implementation for now.
+
+While here, convert the macro into a static inline function, primarily
+to avoid unintentional multiple evaluations of 'addr'.
+
+This second version of the patch fixes a coding style issue found by
+Christoph Hellwig <hch@lst.de>.
+
+Reported-by: Andreas Schwab <schwab@suse.de>
+Signed-off-by: Paul Walmsley <paul.walmsley@sifive.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/include/asm/tlbflush.h | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/arch/riscv/include/asm/tlbflush.h b/arch/riscv/include/asm/tlbflush.h
+index 687dd19735a7e..4d9bbe8438bf6 100644
+--- a/arch/riscv/include/asm/tlbflush.h
++++ b/arch/riscv/include/asm/tlbflush.h
+@@ -53,10 +53,17 @@ static inline void remote_sfence_vma(struct cpumask *cmask, unsigned long start,
+ }
+
+ #define flush_tlb_all() sbi_remote_sfence_vma(NULL, 0, -1)
+-#define flush_tlb_page(vma, addr) flush_tlb_range(vma, addr, 0)
++
+ #define flush_tlb_range(vma, start, end) \
+ remote_sfence_vma(mm_cpumask((vma)->vm_mm), start, (end) - (start))
+-#define flush_tlb_mm(mm) \
++
++static inline void flush_tlb_page(struct vm_area_struct *vma,
++ unsigned long addr)
++{
++ flush_tlb_range(vma, addr, addr + PAGE_SIZE);
++}
++
++#define flush_tlb_mm(mm) \
+ remote_sfence_vma(mm_cpumask(mm), 0, -1)
+
+ #endif /* CONFIG_SMP */
+--
+2.20.1
+
--- /dev/null
+From d66018ceed12604e94d52a9d1d86446bb900fec2 Mon Sep 17 00:00:00 2001
+From: Anders Roxell <anders.roxell@linaro.org>
+Date: Tue, 20 Aug 2019 15:41:21 +0200
+Subject: selftests/bpf: install files test_xdp_vlan.sh
+
+[ Upstream commit 3035bb72ee47d494c041465b4add9c6407c832ed ]
+
+When ./test_xdp_vlan_mode_generic.sh runs it complains that it can't
+find file test_xdp_vlan.sh.
+
+ # selftests: bpf: test_xdp_vlan_mode_generic.sh
+ # ./test_xdp_vlan_mode_generic.sh: line 9: ./test_xdp_vlan.sh: No such
+ file or directory
+
+Rework so that test_xdp_vlan.sh gets installed, added to the variable
+TEST_PROGS_EXTENDED.
+
+Fixes: d35661fcf95d ("selftests/bpf: add wrapper scripts for test_xdp_vlan.sh")
+Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
+Acked-by: Jesper Dangaard Brouer <jbrouer@redhat.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/Makefile | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
+index b9e88ccc289ba..adced69d026e5 100644
+--- a/tools/testing/selftests/bpf/Makefile
++++ b/tools/testing/selftests/bpf/Makefile
+@@ -61,7 +61,8 @@ TEST_PROGS := test_kmod.sh \
+ TEST_PROGS_EXTENDED := with_addr.sh \
+ with_tunnels.sh \
+ tcp_client.py \
+- tcp_server.py
++ tcp_server.py \
++ test_xdp_vlan.sh
+
+ # Compile but not part of 'make run_tests'
+ TEST_GEN_PROGS_EXTENDED = test_libbpf_open test_sock_addr test_skb_cgroup_id_user \
+--
+2.20.1
+
--- /dev/null
+dmaengine-ste_dma40-fix-unneeded-variable-warning.patch
+nvme-multipath-revalidate-nvme_ns_head-gendisk-in-nv.patch
+afs-fix-the-cb.probeuuid-service-handler-to-reply-co.patch
+afs-fix-loop-index-mixup-in-afs_deliver_vl_get_entry.patch
+fs-afs-fix-a-possible-null-pointer-dereference-in-af.patch
+afs-fix-off-by-one-in-afs_rename-expected-data-versi.patch
+afs-only-update-d_fsdata-if-different-in-afs_d_reval.patch
+afs-fix-missing-dentry-data-version-updating.patch
+nvmet-fix-use-after-free-bug-when-a-port-is-removed.patch
+nvmet-loop-flush-nvme_delete_wq-when-removing-the-po.patch
+nvmet-file-fix-nvmet_file_flush-always-returning-an-.patch
+nvme-core-fix-extra-device_put-call-on-error-path.patch
+nvme-fix-a-possible-deadlock-when-passthru-commands-.patch
+nvme-rdma-fix-possible-use-after-free-in-connect-err.patch
+nvme-fix-controller-removal-race-with-scan-work.patch
+nvme-pci-fix-async-probe-remove-race.patch
+soundwire-cadence_master-fix-register-definition-for.patch
+soundwire-cadence_master-fix-definitions-for-intstat.patch
+auxdisplay-panel-need-to-delete-scan_timer-when-misc.patch
+btrfs-trim-check-the-range-passed-into-to-prevent-ov.patch
+ib-mlx5-fix-implicit-mr-release-flow.patch
+dmaengine-stm32-mdma-fix-a-possible-null-pointer-der.patch
+omap-dma-omap_vout_vrfb-fix-off-by-one-fi-value.patch
+iommu-dma-handle-sg-length-overflow-better.patch
+dma-direct-don-t-truncate-dma_required_mask-to-bus-a.patch
+usb-gadget-composite-clear-suspended-on-reset-discon.patch
+usb-gadget-mass_storage-fix-races-between-fsg_disabl.patch
+habanalabs-fix-dram-usage-accounting-on-context-tear.patch
+habanalabs-fix-endianness-handling-for-packets-from-.patch
+habanalabs-fix-completion-queue-handling-when-host-i.patch
+habanalabs-fix-endianness-handling-for-internal-qman.patch
+habanalabs-fix-device-irq-unmasking-for-be-host.patch
+xen-blkback-fix-memory-leaks.patch
+arm64-cpufeature-don-t-treat-granule-sizes-as-strict.patch
+riscv-fix-flush_tlb_range-end-address-for-flush_tlb_.patch
+i2c-rcar-avoid-race-when-unregistering-slave-client.patch
+i2c-emev2-avoid-race-when-unregistering-slave-client.patch
+drm-scheduler-use-job-count-instead-of-peek.patch
+drm-ast-fixed-reboot-test-may-cause-system-hanged.patch
+usb-host-fotg2-restart-hcd-after-port-reset.patch
+tools-hv-fixed-python-pep8-flake8-warnings-for-lsvmb.patch
+tools-hv-fix-kvp-and-vss-daemons-exit-code.patch
+locking-rwsem-add-missing-acquire-to-read_slowpath-e.patch
+lcoking-rwsem-add-missing-acquire-to-read_slowpath-s.patch
+watchdog-bcm2835_wdt-fix-module-autoload.patch
+selftests-bpf-install-files-test_xdp_vlan.sh.patch
+drm-bridge-tfp410-fix-memleak-in-get_modes.patch
--- /dev/null
+From 08f4f5558009a3e0eea3a687a014f1f1a38ebc17 Mon Sep 17 00:00:00 2001
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Date: Thu, 25 Jul 2019 18:40:06 -0500
+Subject: soundwire: cadence_master: fix definitions for INTSTAT0/1
+
+[ Upstream commit 664b16589f882202b8fa8149d0074f3159bade76 ]
+
+Two off-by-one errors: INTSTAT0 missed BIT(31) and INTSTAT1 is only
+defined on first 16 bits.
+
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20190725234032.21152-15-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soundwire/cadence_master.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/soundwire/cadence_master.c b/drivers/soundwire/cadence_master.c
+index 18afb2e21dc9a..57ed2e2024bf4 100644
+--- a/drivers/soundwire/cadence_master.c
++++ b/drivers/soundwire/cadence_master.c
+@@ -95,8 +95,8 @@
+ #define CDNS_MCP_SLAVE_INTMASK0 0x5C
+ #define CDNS_MCP_SLAVE_INTMASK1 0x60
+
+-#define CDNS_MCP_SLAVE_INTMASK0_MASK GENMASK(30, 0)
+-#define CDNS_MCP_SLAVE_INTMASK1_MASK GENMASK(16, 0)
++#define CDNS_MCP_SLAVE_INTMASK0_MASK GENMASK(31, 0)
++#define CDNS_MCP_SLAVE_INTMASK1_MASK GENMASK(15, 0)
+
+ #define CDNS_MCP_PORT_INTSTAT 0x64
+ #define CDNS_MCP_PDI_STAT 0x6C
+--
+2.20.1
+
--- /dev/null
+From b7b1442e51d2f8ddc6ac884d746ab3cec35716a8 Mon Sep 17 00:00:00 2001
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Date: Thu, 25 Jul 2019 18:40:05 -0500
+Subject: soundwire: cadence_master: fix register definition for SLAVE_STATE
+
+[ Upstream commit b07dd9b400981f487940a4d84292d3a0e7cd9362 ]
+
+wrong prefix and wrong macro.
+
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20190725234032.21152-14-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soundwire/cadence_master.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/soundwire/cadence_master.c b/drivers/soundwire/cadence_master.c
+index 682789bb8ab30..18afb2e21dc9a 100644
+--- a/drivers/soundwire/cadence_master.c
++++ b/drivers/soundwire/cadence_master.c
+@@ -80,8 +80,8 @@
+
+ #define CDNS_MCP_INTSET 0x4C
+
+-#define CDNS_SDW_SLAVE_STAT 0x50
+-#define CDNS_MCP_SLAVE_STAT_MASK BIT(1, 0)
++#define CDNS_MCP_SLAVE_STAT 0x50
++#define CDNS_MCP_SLAVE_STAT_MASK GENMASK(1, 0)
+
+ #define CDNS_MCP_SLAVE_INTSTAT0 0x54
+ #define CDNS_MCP_SLAVE_INTSTAT1 0x58
+--
+2.20.1
+
--- /dev/null
+From 8fecd9182a59893e2e8e167ba09580b7c87b4b89 Mon Sep 17 00:00:00 2001
+From: Adrian Vladu <avladu@cloudbasesolutions.com>
+Date: Mon, 6 May 2019 16:50:58 +0000
+Subject: tools: hv: fix KVP and VSS daemons exit code
+
+[ Upstream commit b0995156071b0ff29a5902964a9dc8cfad6f81c0 ]
+
+HyperV KVP and VSS daemons should exit with 0 when the '--help'
+or '-h' flags are used.
+
+Signed-off-by: Adrian Vladu <avladu@cloudbasesolutions.com>
+
+Cc: "K. Y. Srinivasan" <kys@microsoft.com>
+Cc: Haiyang Zhang <haiyangz@microsoft.com>
+Cc: Stephen Hemminger <sthemmin@microsoft.com>
+Cc: Sasha Levin <sashal@kernel.org>
+Cc: Alessandro Pilotti <apilotti@cloudbasesolutions.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/hv/hv_kvp_daemon.c | 2 ++
+ tools/hv/hv_vss_daemon.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/tools/hv/hv_kvp_daemon.c b/tools/hv/hv_kvp_daemon.c
+index d7e06fe0270ee..0ce50c319cfd6 100644
+--- a/tools/hv/hv_kvp_daemon.c
++++ b/tools/hv/hv_kvp_daemon.c
+@@ -1386,6 +1386,8 @@ int main(int argc, char *argv[])
+ daemonize = 0;
+ break;
+ case 'h':
++ print_usage(argv);
++ exit(0);
+ default:
+ print_usage(argv);
+ exit(EXIT_FAILURE);
+diff --git a/tools/hv/hv_vss_daemon.c b/tools/hv/hv_vss_daemon.c
+index efe1e34dd91b4..8f813f5233d48 100644
+--- a/tools/hv/hv_vss_daemon.c
++++ b/tools/hv/hv_vss_daemon.c
+@@ -218,6 +218,8 @@ int main(int argc, char *argv[])
+ daemonize = 0;
+ break;
+ case 'h':
++ print_usage(argv);
++ exit(0);
+ default:
+ print_usage(argv);
+ exit(EXIT_FAILURE);
+--
+2.20.1
+
--- /dev/null
+From 1f097c6cdb4db5c7a33202b69f04dba884589a45 Mon Sep 17 00:00:00 2001
+From: Adrian Vladu <avladu@cloudbasesolutions.com>
+Date: Mon, 6 May 2019 17:27:37 +0000
+Subject: tools: hv: fixed Python pep8/flake8 warnings for lsvmbus
+
+[ Upstream commit 5912e791f3018de0a007c8cfa9cb38c97d3e5f5c ]
+
+Fixed pep8/flake8 python style code for lsvmbus tool.
+
+The TAB indentation was on purpose ignored (pep8 rule W191) to make
+sure the code is complying with the Linux code guideline.
+The following command doe not show any warnings now:
+pep8 --ignore=W191 lsvmbus
+flake8 --ignore=W191 lsvmbus
+
+Signed-off-by: Adrian Vladu <avladu@cloudbasesolutions.com>
+
+Cc: "K. Y. Srinivasan" <kys@microsoft.com>
+Cc: Haiyang Zhang <haiyangz@microsoft.com>
+Cc: Stephen Hemminger <sthemmin@microsoft.com>
+Cc: Sasha Levin <sashal@kernel.org>
+Cc: Dexuan Cui <decui@microsoft.com>
+Cc: Alessandro Pilotti <apilotti@cloudbasesolutions.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/hv/lsvmbus | 75 +++++++++++++++++++++++++++---------------------
+ 1 file changed, 42 insertions(+), 33 deletions(-)
+
+diff --git a/tools/hv/lsvmbus b/tools/hv/lsvmbus
+index 55e7374bade0d..099f2c44dbed2 100644
+--- a/tools/hv/lsvmbus
++++ b/tools/hv/lsvmbus
+@@ -4,10 +4,10 @@
+ import os
+ from optparse import OptionParser
+
++help_msg = "print verbose messages. Try -vv, -vvv for more verbose messages"
+ parser = OptionParser()
+-parser.add_option("-v", "--verbose", dest="verbose",
+- help="print verbose messages. Try -vv, -vvv for \
+- more verbose messages", action="count")
++parser.add_option(
++ "-v", "--verbose", dest="verbose", help=help_msg, action="count")
+
+ (options, args) = parser.parse_args()
+
+@@ -21,27 +21,28 @@ if not os.path.isdir(vmbus_sys_path):
+ exit(-1)
+
+ vmbus_dev_dict = {
+- '{0e0b6031-5213-4934-818b-38d90ced39db}' : '[Operating system shutdown]',
+- '{9527e630-d0ae-497b-adce-e80ab0175caf}' : '[Time Synchronization]',
+- '{57164f39-9115-4e78-ab55-382f3bd5422d}' : '[Heartbeat]',
+- '{a9a0f4e7-5a45-4d96-b827-8a841e8c03e6}' : '[Data Exchange]',
+- '{35fa2e29-ea23-4236-96ae-3a6ebacba440}' : '[Backup (volume checkpoint)]',
+- '{34d14be3-dee4-41c8-9ae7-6b174977c192}' : '[Guest services]',
+- '{525074dc-8985-46e2-8057-a307dc18a502}' : '[Dynamic Memory]',
+- '{cfa8b69e-5b4a-4cc0-b98b-8ba1a1f3f95a}' : 'Synthetic mouse',
+- '{f912ad6d-2b17-48ea-bd65-f927a61c7684}' : 'Synthetic keyboard',
+- '{da0a7802-e377-4aac-8e77-0558eb1073f8}' : 'Synthetic framebuffer adapter',
+- '{f8615163-df3e-46c5-913f-f2d2f965ed0e}' : 'Synthetic network adapter',
+- '{32412632-86cb-44a2-9b5c-50d1417354f5}' : 'Synthetic IDE Controller',
+- '{ba6163d9-04a1-4d29-b605-72e2ffb1dc7f}' : 'Synthetic SCSI Controller',
+- '{2f9bcc4a-0069-4af3-b76b-6fd0be528cda}' : 'Synthetic fiber channel adapter',
+- '{8c2eaf3d-32a7-4b09-ab99-bd1f1c86b501}' : 'Synthetic RDMA adapter',
+- '{44c4f61d-4444-4400-9d52-802e27ede19f}' : 'PCI Express pass-through',
+- '{276aacf4-ac15-426c-98dd-7521ad3f01fe}' : '[Reserved system device]',
+- '{f8e65716-3cb3-4a06-9a60-1889c5cccab5}' : '[Reserved system device]',
+- '{3375baf4-9e15-4b30-b765-67acb10d607b}' : '[Reserved system device]',
++ '{0e0b6031-5213-4934-818b-38d90ced39db}': '[Operating system shutdown]',
++ '{9527e630-d0ae-497b-adce-e80ab0175caf}': '[Time Synchronization]',
++ '{57164f39-9115-4e78-ab55-382f3bd5422d}': '[Heartbeat]',
++ '{a9a0f4e7-5a45-4d96-b827-8a841e8c03e6}': '[Data Exchange]',
++ '{35fa2e29-ea23-4236-96ae-3a6ebacba440}': '[Backup (volume checkpoint)]',
++ '{34d14be3-dee4-41c8-9ae7-6b174977c192}': '[Guest services]',
++ '{525074dc-8985-46e2-8057-a307dc18a502}': '[Dynamic Memory]',
++ '{cfa8b69e-5b4a-4cc0-b98b-8ba1a1f3f95a}': 'Synthetic mouse',
++ '{f912ad6d-2b17-48ea-bd65-f927a61c7684}': 'Synthetic keyboard',
++ '{da0a7802-e377-4aac-8e77-0558eb1073f8}': 'Synthetic framebuffer adapter',
++ '{f8615163-df3e-46c5-913f-f2d2f965ed0e}': 'Synthetic network adapter',
++ '{32412632-86cb-44a2-9b5c-50d1417354f5}': 'Synthetic IDE Controller',
++ '{ba6163d9-04a1-4d29-b605-72e2ffb1dc7f}': 'Synthetic SCSI Controller',
++ '{2f9bcc4a-0069-4af3-b76b-6fd0be528cda}': 'Synthetic fiber channel adapter',
++ '{8c2eaf3d-32a7-4b09-ab99-bd1f1c86b501}': 'Synthetic RDMA adapter',
++ '{44c4f61d-4444-4400-9d52-802e27ede19f}': 'PCI Express pass-through',
++ '{276aacf4-ac15-426c-98dd-7521ad3f01fe}': '[Reserved system device]',
++ '{f8e65716-3cb3-4a06-9a60-1889c5cccab5}': '[Reserved system device]',
++ '{3375baf4-9e15-4b30-b765-67acb10d607b}': '[Reserved system device]',
+ }
+
++
+ def get_vmbus_dev_attr(dev_name, attr):
+ try:
+ f = open('%s/%s/%s' % (vmbus_sys_path, dev_name, attr), 'r')
+@@ -52,6 +53,7 @@ def get_vmbus_dev_attr(dev_name, attr):
+
+ return lines
+
++
+ class VMBus_Dev:
+ pass
+
+@@ -66,12 +68,13 @@ for f in os.listdir(vmbus_sys_path):
+
+ chn_vp_mapping = get_vmbus_dev_attr(f, 'channel_vp_mapping')
+ chn_vp_mapping = [c.strip() for c in chn_vp_mapping]
+- chn_vp_mapping = sorted(chn_vp_mapping,
+- key = lambda c : int(c.split(':')[0]))
++ chn_vp_mapping = sorted(
++ chn_vp_mapping, key=lambda c: int(c.split(':')[0]))
+
+- chn_vp_mapping = ['\tRel_ID=%s, target_cpu=%s' %
+- (c.split(':')[0], c.split(':')[1])
+- for c in chn_vp_mapping]
++ chn_vp_mapping = [
++ '\tRel_ID=%s, target_cpu=%s' %
++ (c.split(':')[0], c.split(':')[1]) for c in chn_vp_mapping
++ ]
+ d = VMBus_Dev()
+ d.sysfs_path = '%s/%s' % (vmbus_sys_path, f)
+ d.vmbus_id = vmbus_id
+@@ -85,7 +88,7 @@ for f in os.listdir(vmbus_sys_path):
+ vmbus_dev_list.append(d)
+
+
+-vmbus_dev_list = sorted(vmbus_dev_list, key = lambda d : int(d.vmbus_id))
++vmbus_dev_list = sorted(vmbus_dev_list, key=lambda d: int(d.vmbus_id))
+
+ format0 = '%2s: %s'
+ format1 = '%2s: Class_ID = %s - %s\n%s'
+@@ -95,9 +98,15 @@ for d in vmbus_dev_list:
+ if verbose == 0:
+ print(('VMBUS ID ' + format0) % (d.vmbus_id, d.dev_desc))
+ elif verbose == 1:
+- print (('VMBUS ID ' + format1) % \
+- (d.vmbus_id, d.class_id, d.dev_desc, d.chn_vp_mapping))
++ print(
++ ('VMBUS ID ' + format1) %
++ (d.vmbus_id, d.class_id, d.dev_desc, d.chn_vp_mapping)
++ )
+ else:
+- print (('VMBUS ID ' + format2) % \
+- (d.vmbus_id, d.class_id, d.dev_desc, \
+- d.device_id, d.sysfs_path, d.chn_vp_mapping))
++ print(
++ ('VMBUS ID ' + format2) %
++ (
++ d.vmbus_id, d.class_id, d.dev_desc,
++ d.device_id, d.sysfs_path, d.chn_vp_mapping
++ )
++ )
+--
+2.20.1
+
--- /dev/null
+From 68b86a91c579aa691031bdf2914f7e5cdc5d2fba Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Date: Fri, 26 Jul 2019 14:59:03 +1000
+Subject: usb: gadget: composite: Clear "suspended" on reset/disconnect
+
+[ Upstream commit 602fda17c7356bb7ae98467d93549057481d11dd ]
+
+In some cases, one can get out of suspend with a reset or
+a disconnect followed by a reconnect. Previously we would
+leave a stale suspended flag set.
+
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/composite.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
+index b8a15840b4ffd..dfcabadeed01b 100644
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -1976,6 +1976,7 @@ void composite_disconnect(struct usb_gadget *gadget)
+ * disconnect callbacks?
+ */
+ spin_lock_irqsave(&cdev->lock, flags);
++ cdev->suspended = 0;
+ if (cdev->config)
+ reset_config(cdev);
+ if (cdev->driver->disconnect)
+--
+2.20.1
+
--- /dev/null
+From 66df13b1beb68ea1ac09684c3c011ab8c15b6dd1 Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Date: Fri, 26 Jul 2019 14:59:04 +1000
+Subject: usb: gadget: mass_storage: Fix races between fsg_disable and
+ fsg_set_alt
+
+[ Upstream commit 4a56a478a525d6427be90753451c40e1327caa1a ]
+
+If fsg_disable() and fsg_set_alt() are called too closely to each
+other (for example due to a quick reset/reconnect), what can happen
+is that fsg_set_alt sets common->new_fsg from an interrupt while
+handle_exception is trying to process the config change caused by
+fsg_disable():
+
+ fsg_disable()
+ ...
+ handle_exception()
+ sets state back to FSG_STATE_NORMAL
+ hasn't yet called do_set_interface()
+ or is inside it.
+
+ ---> interrupt
+ fsg_set_alt
+ sets common->new_fsg
+ queues a new FSG_STATE_CONFIG_CHANGE
+ <---
+
+Now, the first handle_exception can "see" the updated
+new_fsg, treats it as if it was a fsg_set_alt() response,
+call usb_composite_setup_continue() etc...
+
+But then, the thread sees the second FSG_STATE_CONFIG_CHANGE,
+and goes back down the same path, wipes and reattaches a now
+active fsg, and .. calls usb_composite_setup_continue() which
+at this point is wrong.
+
+Not only we get a backtrace, but I suspect the second set_interface
+wrecks some state causing the host to get upset in my case.
+
+This fixes it by replacing "new_fsg" by a "state argument" (same
+principle) which is set in the same lock section as the state
+update, and retrieved similarly.
+
+That way, there is never any discrepancy between the dequeued
+state and the observed value of it. We keep the ability to have
+the latest reconfig operation take precedence, but we guarantee
+that once "dequeued" the argument (new_fsg) will not be clobbered
+by any new event.
+
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_mass_storage.c | 28 +++++++++++++-------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/f_mass_storage.c b/drivers/usb/gadget/function/f_mass_storage.c
+index 043f97ad8f226..f2bc8d0370676 100644
+--- a/drivers/usb/gadget/function/f_mass_storage.c
++++ b/drivers/usb/gadget/function/f_mass_storage.c
+@@ -261,7 +261,7 @@ struct fsg_common;
+ struct fsg_common {
+ struct usb_gadget *gadget;
+ struct usb_composite_dev *cdev;
+- struct fsg_dev *fsg, *new_fsg;
++ struct fsg_dev *fsg;
+ wait_queue_head_t io_wait;
+ wait_queue_head_t fsg_wait;
+
+@@ -290,6 +290,7 @@ struct fsg_common {
+ unsigned int bulk_out_maxpacket;
+ enum fsg_state state; /* For exception handling */
+ unsigned int exception_req_tag;
++ void *exception_arg;
+
+ enum data_direction data_dir;
+ u32 data_size;
+@@ -391,7 +392,8 @@ static int fsg_set_halt(struct fsg_dev *fsg, struct usb_ep *ep)
+
+ /* These routines may be called in process context or in_irq */
+
+-static void raise_exception(struct fsg_common *common, enum fsg_state new_state)
++static void __raise_exception(struct fsg_common *common, enum fsg_state new_state,
++ void *arg)
+ {
+ unsigned long flags;
+
+@@ -404,6 +406,7 @@ static void raise_exception(struct fsg_common *common, enum fsg_state new_state)
+ if (common->state <= new_state) {
+ common->exception_req_tag = common->ep0_req_tag;
+ common->state = new_state;
++ common->exception_arg = arg;
+ if (common->thread_task)
+ send_sig_info(SIGUSR1, SEND_SIG_PRIV,
+ common->thread_task);
+@@ -411,6 +414,10 @@ static void raise_exception(struct fsg_common *common, enum fsg_state new_state)
+ spin_unlock_irqrestore(&common->lock, flags);
+ }
+
++static void raise_exception(struct fsg_common *common, enum fsg_state new_state)
++{
++ __raise_exception(common, new_state, NULL);
++}
+
+ /*-------------------------------------------------------------------------*/
+
+@@ -2285,16 +2292,16 @@ reset:
+ static int fsg_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
+ {
+ struct fsg_dev *fsg = fsg_from_func(f);
+- fsg->common->new_fsg = fsg;
+- raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
++
++ __raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE, fsg);
+ return USB_GADGET_DELAYED_STATUS;
+ }
+
+ static void fsg_disable(struct usb_function *f)
+ {
+ struct fsg_dev *fsg = fsg_from_func(f);
+- fsg->common->new_fsg = NULL;
+- raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
++
++ __raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE, NULL);
+ }
+
+
+@@ -2307,6 +2314,7 @@ static void handle_exception(struct fsg_common *common)
+ enum fsg_state old_state;
+ struct fsg_lun *curlun;
+ unsigned int exception_req_tag;
++ struct fsg_dev *new_fsg;
+
+ /*
+ * Clear the existing signals. Anything but SIGUSR1 is converted
+@@ -2360,6 +2368,7 @@ static void handle_exception(struct fsg_common *common)
+ common->next_buffhd_to_fill = &common->buffhds[0];
+ common->next_buffhd_to_drain = &common->buffhds[0];
+ exception_req_tag = common->exception_req_tag;
++ new_fsg = common->exception_arg;
+ old_state = common->state;
+ common->state = FSG_STATE_NORMAL;
+
+@@ -2413,8 +2422,8 @@ static void handle_exception(struct fsg_common *common)
+ break;
+
+ case FSG_STATE_CONFIG_CHANGE:
+- do_set_interface(common, common->new_fsg);
+- if (common->new_fsg)
++ do_set_interface(common, new_fsg);
++ if (new_fsg)
+ usb_composite_setup_continue(common->cdev);
+ break;
+
+@@ -2989,8 +2998,7 @@ static void fsg_unbind(struct usb_configuration *c, struct usb_function *f)
+
+ DBG(fsg, "unbind\n");
+ if (fsg->common->fsg == fsg) {
+- fsg->common->new_fsg = NULL;
+- raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
++ __raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE, NULL);
+ /* FIXME: make interruptible or killable somehow? */
+ wait_event(common->fsg_wait, common->fsg != fsg);
+ }
+--
+2.20.1
+
--- /dev/null
+From 5711fa3fd105dfa9f1b053ddb44e6d7fab313310 Mon Sep 17 00:00:00 2001
+From: Hans Ulli Kroll <ulli.kroll@googlemail.com>
+Date: Sat, 10 Aug 2019 17:04:58 +0200
+Subject: usb: host: fotg2: restart hcd after port reset
+
+[ Upstream commit 777758888ffe59ef754cc39ab2f275dc277732f4 ]
+
+On the Gemini SoC the FOTG2 stalls after port reset
+so restart the HCD after each port reset.
+
+Signed-off-by: Hans Ulli Kroll <ulli.kroll@googlemail.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/20190810150458.817-1-linus.walleij@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/fotg210-hcd.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/usb/host/fotg210-hcd.c b/drivers/usb/host/fotg210-hcd.c
+index 0da68df259c86..7bf621d40c5ae 100644
+--- a/drivers/usb/host/fotg210-hcd.c
++++ b/drivers/usb/host/fotg210-hcd.c
+@@ -1628,6 +1628,10 @@ static int fotg210_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue,
+ /* see what we found out */
+ temp = check_reset_complete(fotg210, wIndex, status_reg,
+ fotg210_readl(fotg210, status_reg));
++
++ /* restart schedule */
++ fotg210->command |= CMD_RUN;
++ fotg210_writel(fotg210, fotg210->command, &fotg210->regs->command);
+ }
+
+ if (!(temp & (PORT_RESUME|PORT_RESET))) {
+--
+2.20.1
+
--- /dev/null
+From c2d539c0c461c2a5537c9a24edba346b754492ea Mon Sep 17 00:00:00 2001
+From: Stefan Wahren <wahrenst@gmx.net>
+Date: Wed, 15 May 2019 19:14:18 +0200
+Subject: watchdog: bcm2835_wdt: Fix module autoload
+
+[ Upstream commit 215e06f0d18d5d653d6ea269e4dfc684854d48bf ]
+
+The commit 5e6acc3e678e ("bcm2835-pm: Move bcm2835-watchdog's DT probe
+to an MFD.") broke module autoloading on Raspberry Pi. So add a
+module alias this fix this.
+
+Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/bcm2835_wdt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/watchdog/bcm2835_wdt.c b/drivers/watchdog/bcm2835_wdt.c
+index 560c1c54c1779..f4937a91e5160 100644
+--- a/drivers/watchdog/bcm2835_wdt.c
++++ b/drivers/watchdog/bcm2835_wdt.c
+@@ -240,6 +240,7 @@ module_param(nowayout, bool, 0);
+ MODULE_PARM_DESC(nowayout, "Watchdog cannot be stopped once started (default="
+ __MODULE_STRING(WATCHDOG_NOWAYOUT) ")");
+
++MODULE_ALIAS("platform:bcm2835-wdt");
+ MODULE_AUTHOR("Lubomir Rintel <lkundrak@v3.sk>");
+ MODULE_DESCRIPTION("Driver for Broadcom BCM2835 watchdog timer");
+ MODULE_LICENSE("GPL");
+--
+2.20.1
+
--- /dev/null
+From e9812cd26c1320693e70844ad22cd5a5375111b5 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wenwen@cs.uga.edu>
+Date: Sun, 11 Aug 2019 12:23:22 -0500
+Subject: xen/blkback: fix memory leaks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit ae78ca3cf3d9e9f914bfcd0bc5c389ff18b9c2e0 ]
+
+In read_per_ring_refs(), after 'req' and related memory regions are
+allocated, xen_blkif_map() is invoked to map the shared frame, irq, and
+etc. However, if this mapping process fails, no cleanup is performed,
+leading to memory leaks. To fix this issue, invoke the cleanup before
+returning the error.
+
+Acked-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/xen-blkback/xenbus.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/block/xen-blkback/xenbus.c b/drivers/block/xen-blkback/xenbus.c
+index 3ac6a5d180717..b90dbcd99c03e 100644
+--- a/drivers/block/xen-blkback/xenbus.c
++++ b/drivers/block/xen-blkback/xenbus.c
+@@ -965,6 +965,7 @@ static int read_per_ring_refs(struct xen_blkif_ring *ring, const char *dir)
+ }
+ }
+
++ err = -ENOMEM;
+ for (i = 0; i < nr_grefs * XEN_BLKIF_REQS_PER_PAGE; i++) {
+ req = kzalloc(sizeof(*req), GFP_KERNEL);
+ if (!req)
+@@ -987,7 +988,7 @@ static int read_per_ring_refs(struct xen_blkif_ring *ring, const char *dir)
+ err = xen_blkif_map(ring, ring_ref, nr_grefs, evtchn);
+ if (err) {
+ xenbus_dev_fatal(dev, err, "mapping ring-ref port %u", evtchn);
+- return err;
++ goto fail;
+ }
+
+ return 0;
+@@ -1007,8 +1008,7 @@ fail:
+ }
+ kfree(req);
+ }
+- return -ENOMEM;
+-
++ return err;
+ }
+
+ static int connect_ring(struct backend_info *be)
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
