--- /dev/null
+From c1d3ad84eae35414b6b334790048406bd6301b12 Mon Sep 17 00:00:00 2001
+From: Denis Kenzior <denkenz@gmail.com>
+Date: Wed, 28 Aug 2019 16:11:10 -0500
+Subject: cfg80211: Purge frame registrations on iftype change
+
+From: Denis Kenzior <denkenz@gmail.com>
+
+commit c1d3ad84eae35414b6b334790048406bd6301b12 upstream.
+
+Currently frame registrations are not purged, even when changing the
+interface type. This can lead to potentially weird situations where
+frames possibly not allowed on a given interface type remain registered
+due to the type switching happening after registration.
+
+The kernel currently relies on userspace apps to actually purge the
+registrations themselves, this is not something that the kernel should
+rely on.
+
+Add a call to cfg80211_mlme_purge_registrations() to forcefully remove
+any registrations left over prior to switching the iftype.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Denis Kenzior <denkenz@gmail.com>
+Link: https://lore.kernel.org/r/20190828211110.15005-1-denkenz@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/util.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -930,6 +930,7 @@ int cfg80211_change_iface(struct cfg8021
+ }
+
+ cfg80211_process_rdev_events(rdev);
++ cfg80211_mlme_purge_registrations(dev->ieee80211_ptr);
+ }
+
+ err = rdev_change_virtual_intf(rdev, dev, ntype, params);
--- /dev/null
+From 63d37fb4ce5ae7bf1e58f906d1bf25f036fe79b2 Mon Sep 17 00:00:00 2001
+From: Murphy Zhou <jencce.kernel@gmail.com>
+Date: Sat, 21 Sep 2019 19:26:00 +0800
+Subject: CIFS: fix max ea value size
+
+From: Murphy Zhou <jencce.kernel@gmail.com>
+
+commit 63d37fb4ce5ae7bf1e58f906d1bf25f036fe79b2 upstream.
+
+It should not be larger then the slab max buf size. If user
+specifies a larger size, it passes this check and goes
+straightly to SMB2_set_info_init performing an insecure memcpy.
+
+Signed-off-by: Murphy Zhou <jencce.kernel@gmail.com>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/xattr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/xattr.c
++++ b/fs/cifs/xattr.c
+@@ -31,7 +31,7 @@
+ #include "cifs_fs_sb.h"
+ #include "cifs_unicode.h"
+
+-#define MAX_EA_VALUE_SIZE 65535
++#define MAX_EA_VALUE_SIZE CIFSMaxBufSize
+ #define CIFS_XATTR_CIFS_ACL "system.cifs_acl"
+ #define CIFS_XATTR_ATTRIB "cifs.dosattrib" /* full name: user.cifs.dosattrib */
+ #define CIFS_XATTR_CREATETIME "cifs.creationtime" /* user.cifs.creationtime */
--- /dev/null
+From a016e2794fc3a245a91946038dd8f34d65e53cc3 Mon Sep 17 00:00:00 2001
+From: Pavel Shilovsky <pshilov@microsoft.com>
+Date: Thu, 26 Sep 2019 12:31:20 -0700
+Subject: CIFS: Fix oplock handling for SMB 2.1+ protocols
+
+From: Pavel Shilovsky <pshilov@microsoft.com>
+
+commit a016e2794fc3a245a91946038dd8f34d65e53cc3 upstream.
+
+There may be situations when a server negotiates SMB 2.1
+protocol version or higher but responds to a CREATE request
+with an oplock rather than a lease.
+
+Currently the client doesn't handle such a case correctly:
+when another CREATE comes in the server sends an oplock
+break to the initial CREATE and the client doesn't send
+an ack back due to a wrong caching level being set (READ
+instead of RWH). Missing an oplock break ack makes the
+server wait until the break times out which dramatically
+increases the latency of the second CREATE.
+
+Fix this by properly detecting oplocks when using SMB 2.1
+protocol version and higher.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2ops.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -2398,6 +2398,11 @@ smb21_set_oplock_level(struct cifsInodeI
+ if (oplock == SMB2_OPLOCK_LEVEL_NOCHANGE)
+ return;
+
++ /* Check if the server granted an oplock rather than a lease */
++ if (oplock & SMB2_OPLOCK_LEVEL_EXCLUSIVE)
++ return smb2_set_oplock_level(cinode, oplock, epoch,
++ purge_cache);
++
+ if (oplock & SMB2_LEASE_READ_CACHING_HE) {
+ new_oplock |= CIFS_CACHE_READ_FLG;
+ strcat(message, "R");
--- /dev/null
+From 8619e5bdeee8b2c685d686281f2d2a6017c4bc15 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Mon, 26 Aug 2019 22:13:25 +0900
+Subject: /dev/mem: Bail out upon SIGKILL.
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit 8619e5bdeee8b2c685d686281f2d2a6017c4bc15 upstream.
+
+syzbot found that a thread can stall for minutes inside read_mem() or
+write_mem() after that thread was killed by SIGKILL [1]. Reading from
+iomem areas of /dev/mem can be slow, depending on the hardware.
+While reading 2GB at one read() is legal, delaying termination of killed
+thread for minutes is bad. Thus, allow reading/writing /dev/mem and
+/dev/kmem to be preemptible and killable.
+
+ [ 1335.912419][T20577] read_mem: sz=4096 count=2134565632
+ [ 1335.943194][T20577] read_mem: sz=4096 count=2134561536
+ [ 1335.978280][T20577] read_mem: sz=4096 count=2134557440
+ [ 1336.011147][T20577] read_mem: sz=4096 count=2134553344
+ [ 1336.041897][T20577] read_mem: sz=4096 count=2134549248
+
+Theoretically, reading/writing /dev/mem and /dev/kmem can become
+"interruptible". But this patch chose "killable". Future patch will make
+them "interruptible" so that we can revert to "killable" if some program
+regressed.
+
+[1] https://syzkaller.appspot.com/bug?id=a0e3436829698d5824231251fad9d8e998f94f5e
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Cc: stable <stable@vger.kernel.org>
+Reported-by: syzbot <syzbot+8ab2d0f39fb79fe6ca40@syzkaller.appspotmail.com>
+Link: https://lore.kernel.org/r/1566825205-10703-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/mem.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/drivers/char/mem.c
++++ b/drivers/char/mem.c
+@@ -97,6 +97,13 @@ void __weak unxlate_dev_mem_ptr(phys_add
+ }
+ #endif
+
++static inline bool should_stop_iteration(void)
++{
++ if (need_resched())
++ cond_resched();
++ return fatal_signal_pending(current);
++}
++
+ /*
+ * This funcion reads the *physical* memory. The f_pos points directly to the
+ * memory location.
+@@ -175,6 +182,8 @@ static ssize_t read_mem(struct file *fil
+ p += sz;
+ count -= sz;
+ read += sz;
++ if (should_stop_iteration())
++ break;
+ }
+ kfree(bounce);
+
+@@ -251,6 +260,8 @@ static ssize_t write_mem(struct file *fi
+ p += sz;
+ count -= sz;
+ written += sz;
++ if (should_stop_iteration())
++ break;
+ }
+
+ *ppos += written;
+@@ -468,6 +479,10 @@ static ssize_t read_kmem(struct file *fi
+ read += sz;
+ low_count -= sz;
+ count -= sz;
++ if (should_stop_iteration()) {
++ count = 0;
++ break;
++ }
+ }
+ }
+
+@@ -492,6 +507,8 @@ static ssize_t read_kmem(struct file *fi
+ buf += sz;
+ read += sz;
+ p += sz;
++ if (should_stop_iteration())
++ break;
+ }
+ free_page((unsigned long)kbuf);
+ }
+@@ -544,6 +561,8 @@ static ssize_t do_write_kmem(unsigned lo
+ p += sz;
+ count -= sz;
+ written += sz;
++ if (should_stop_iteration())
++ break;
+ }
+
+ *ppos += written;
+@@ -595,6 +614,8 @@ static ssize_t write_kmem(struct file *f
+ buf += sz;
+ virtr += sz;
+ p += sz;
++ if (should_stop_iteration())
++ break;
+ }
+ free_page((unsigned long)kbuf);
+ }
--- /dev/null
+From c1e8220bd316d8ae8e524df39534b8a412a45d5e Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Fri, 23 Aug 2019 22:38:00 -0400
+Subject: ext4: fix punch hole for inline_data file systems
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit c1e8220bd316d8ae8e524df39534b8a412a45d5e upstream.
+
+If a program attempts to punch a hole on an inline data file, we need
+to convert it to a normal file first.
+
+This was detected using ext4/032 using the adv configuration. Simple
+reproducer:
+
+mke2fs -Fq -t ext4 -O inline_data /dev/vdc
+mount /vdc
+echo "" > /vdc/testfile
+xfs_io -c 'truncate 33554432' /vdc/testfile
+xfs_io -c 'fpunch 0 1048576' /vdc/testfile
+umount /vdc
+e2fsck -fy /dev/vdc
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inode.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -4265,6 +4265,15 @@ int ext4_punch_hole(struct inode *inode,
+
+ trace_ext4_punch_hole(inode, offset, length, 0);
+
++ ext4_clear_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA);
++ if (ext4_has_inline_data(inode)) {
++ down_write(&EXT4_I(inode)->i_mmap_sem);
++ ret = ext4_convert_inline_data(inode);
++ up_write(&EXT4_I(inode)->i_mmap_sem);
++ if (ret)
++ return ret;
++ }
++
+ /*
+ * Write out all dirty pages to avoid race conditions
+ * Then release them.
--- /dev/null
+From e3d550c2c4f2f3dba469bc3c4b83d9332b4e99e1 Mon Sep 17 00:00:00 2001
+From: Rakesh Pandit <rakesh@tuxera.com>
+Date: Thu, 22 Aug 2019 22:53:46 -0400
+Subject: ext4: fix warning inside ext4_convert_unwritten_extents_endio
+
+From: Rakesh Pandit <rakesh@tuxera.com>
+
+commit e3d550c2c4f2f3dba469bc3c4b83d9332b4e99e1 upstream.
+
+Really enable warning when CONFIG_EXT4_DEBUG is set and fix missing
+first argument. This was introduced in commit ff95ec22cd7f ("ext4:
+add warning to ext4_convert_unwritten_extents_endio") and splitting
+extents inside endio would trigger it.
+
+Fixes: ff95ec22cd7f ("ext4: add warning to ext4_convert_unwritten_extents_endio")
+Signed-off-by: Rakesh Pandit <rakesh@tuxera.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/extents.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -3748,8 +3748,8 @@ static int ext4_convert_unwritten_extent
+ * illegal.
+ */
+ if (ee_block != map->m_lblk || ee_len > map->m_len) {
+-#ifdef EXT4_DEBUG
+- ext4_warning("Inode (%ld) finished: extent logical block %llu,"
++#ifdef CONFIG_EXT4_DEBUG
++ ext4_warning(inode->i_sb, "Inode (%ld) finished: extent logical block %llu,"
+ " len %u; IO logical block %llu, len %u",
+ inode->i_ino, (unsigned long long)ee_block, ee_len,
+ (unsigned long long)map->m_lblk, map->m_len);
--- /dev/null
+From 78887832e76541f77169a24ac238fccb51059b63 Mon Sep 17 00:00:00 2001
+From: Laurent Vivier <lvivier@redhat.com>
+Date: Tue, 17 Sep 2019 11:54:50 +0200
+Subject: hwrng: core - don't wait on add_early_randomness()
+
+From: Laurent Vivier <lvivier@redhat.com>
+
+commit 78887832e76541f77169a24ac238fccb51059b63 upstream.
+
+add_early_randomness() is called by hwrng_register() when the
+hardware is added. If this hardware and its module are present
+at boot, and if there is no data available the boot hangs until
+data are available and can't be interrupted.
+
+For instance, in the case of virtio-rng, in some cases the host can be
+not able to provide enough entropy for all the guests.
+
+We can have two easy ways to reproduce the problem but they rely on
+misconfiguration of the hypervisor or the egd daemon:
+
+- if virtio-rng device is configured to connect to the egd daemon of the
+host but when the virtio-rng driver asks for data the daemon is not
+connected,
+
+- if virtio-rng device is configured to connect to the egd daemon of the
+host but the egd daemon doesn't provide data.
+
+The guest kernel will hang at boot until the virtio-rng driver provides
+enough data.
+
+To avoid that, call rng_get_data() in non-blocking mode (wait=0)
+from add_early_randomness().
+
+Signed-off-by: Laurent Vivier <lvivier@redhat.com>
+Fixes: d9e797261933 ("hwrng: add randomness to system from rng...")
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/hw_random/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/hw_random/core.c
++++ b/drivers/char/hw_random/core.c
+@@ -67,7 +67,7 @@ static void add_early_randomness(struct
+ size_t size = min_t(size_t, 16, rng_buffer_size());
+
+ mutex_lock(&reading_mutex);
+- bytes_read = rng_get_data(rng, rng_buffer, size, 1);
++ bytes_read = rng_get_data(rng, rng_buffer, size, 0);
+ mutex_unlock(&reading_mutex);
+ if (bytes_read > 0)
+ add_device_randomness(rng_buffer, bytes_read);
--- /dev/null
+From a71e2ac1f32097fbb2beab098687a7a95c84543e Mon Sep 17 00:00:00 2001
+From: Chris Brandt <chris.brandt@renesas.com>
+Date: Thu, 26 Sep 2019 07:19:09 -0500
+Subject: i2c: riic: Clear NACK in tend isr
+
+From: Chris Brandt <chris.brandt@renesas.com>
+
+commit a71e2ac1f32097fbb2beab098687a7a95c84543e upstream.
+
+The NACKF flag should be cleared in INTRIICNAKI interrupt processing as
+description in HW manual.
+
+This issue shows up quickly when PREEMPT_RT is applied and a device is
+probed that is not plugged in (like a touchscreen controller). The result
+is endless interrupts that halt system boot.
+
+Fixes: 310c18a41450 ("i2c: riic: add driver")
+Cc: stable@vger.kernel.org
+Reported-by: Chien Nguyen <chien.nguyen.eb@rvc.renesas.com>
+Signed-off-by: Chris Brandt <chris.brandt@renesas.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-riic.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/i2c/busses/i2c-riic.c
++++ b/drivers/i2c/busses/i2c-riic.c
+@@ -203,6 +203,7 @@ static irqreturn_t riic_tend_isr(int irq
+ if (readb(riic->base + RIIC_ICSR2) & ICSR2_NACKF) {
+ /* We got a NACKIE */
+ readb(riic->base + RIIC_ICDRR); /* dummy read */
++ riic_clear_set_bit(riic, ICSR2_NACKF, 0, RIIC_ICSR2);
+ riic->err = -ENXIO;
+ } else if (riic->bytes_left) {
+ return IRQ_NONE;
--- /dev/null
+From 9d4b45d6af442237560d0bb5502a012baa5234b7 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.com>
+Date: Tue, 20 Aug 2019 10:21:09 +1000
+Subject: md: don't report active array_state until after revalidate_disk() completes.
+
+From: NeilBrown <neilb@suse.com>
+
+commit 9d4b45d6af442237560d0bb5502a012baa5234b7 upstream.
+
+Until revalidate_disk() has completed, the size of a new md array will
+appear to be zero.
+So we shouldn't report, through array_state, that the array is active
+until that time.
+udev rules check array_state to see if the array is ready. As soon as
+it appear to be zero, fsck can be run. If it find the size to be
+zero, it will fail.
+
+So add a new flag to provide an interlock between do_md_run() and
+array_state_show(). This flag is set while do_md_run() is active and
+it prevents array_state_show() from reporting that the array is
+active.
+
+Before do_md_run() is called, ->pers will be NULL so array is
+definitely not active.
+After do_md_run() is called, revalidate_disk() will have run and the
+array will be completely ready.
+
+We also move various sysfs_notify*() calls out of md_run() into
+do_md_run() after MD_NOT_READY is cleared. This ensure the
+information is ready before the notification is sent.
+
+Prior to v4.12, array_state_show() was called with the
+mddev->reconfig_mutex held, which provided exclusion with do_md_run().
+
+Note that MD_NOT_READY cleared twice. This is deliberate to cover
+both success and error paths with minimal noise.
+
+Fixes: b7b17c9b67e5 ("md: remove mddev_lock() from md_attr_show()")
+Cc: stable@vger.kernel.org (v4.12++)
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/md.c | 11 +++++++----
+ drivers/md/md.h | 3 +++
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -4123,7 +4123,7 @@ array_state_show(struct mddev *mddev, ch
+ {
+ enum array_state st = inactive;
+
+- if (mddev->pers)
++ if (mddev->pers && !test_bit(MD_NOT_READY, &mddev->flags))
+ switch(mddev->ro) {
+ case 1:
+ st = readonly;
+@@ -5678,9 +5678,6 @@ int md_run(struct mddev *mddev)
+ md_update_sb(mddev, 0);
+
+ md_new_event(mddev);
+- sysfs_notify_dirent_safe(mddev->sysfs_state);
+- sysfs_notify_dirent_safe(mddev->sysfs_action);
+- sysfs_notify(&mddev->kobj, NULL, "degraded");
+ return 0;
+
+ abort:
+@@ -5694,6 +5691,7 @@ static int do_md_run(struct mddev *mddev
+ {
+ int err;
+
++ set_bit(MD_NOT_READY, &mddev->flags);
+ err = md_run(mddev);
+ if (err)
+ goto out;
+@@ -5714,9 +5712,14 @@ static int do_md_run(struct mddev *mddev
+
+ set_capacity(mddev->gendisk, mddev->array_sectors);
+ revalidate_disk(mddev->gendisk);
++ clear_bit(MD_NOT_READY, &mddev->flags);
+ mddev->changed = 1;
+ kobject_uevent(&disk_to_dev(mddev->gendisk)->kobj, KOBJ_CHANGE);
++ sysfs_notify_dirent_safe(mddev->sysfs_state);
++ sysfs_notify_dirent_safe(mddev->sysfs_action);
++ sysfs_notify(&mddev->kobj, NULL, "degraded");
+ out:
++ clear_bit(MD_NOT_READY, &mddev->flags);
+ return err;
+ }
+
+--- a/drivers/md/md.h
++++ b/drivers/md/md.h
+@@ -243,6 +243,9 @@ enum mddev_flags {
+ MD_UPDATING_SB, /* md_check_recovery is updating the metadata
+ * without explicitly holding reconfig_mutex.
+ */
++ MD_NOT_READY, /* do_md_run() is active, so 'array_state'
++ * must not report that array is ready yet
++ */
+ };
+
+ enum mddev_sb_flags {
--- /dev/null
+From 480523feae581ab714ba6610388a3b4619a2f695 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.com>
+Date: Tue, 20 Aug 2019 10:21:09 +1000
+Subject: md: only call set_in_sync() when it is expected to succeed.
+
+From: NeilBrown <neilb@suse.com>
+
+commit 480523feae581ab714ba6610388a3b4619a2f695 upstream.
+
+Since commit 4ad23a976413 ("MD: use per-cpu counter for
+writes_pending"), set_in_sync() is substantially more expensive: it
+can wait for a full RCU grace period which can be 10s of milliseconds.
+
+So we should only call it when the cost is justified.
+
+md_check_recovery() currently calls set_in_sync() every time it finds
+anything to do (on non-external active arrays). For an array
+performing resync or recovery, this will be quite often.
+Each call will introduce a delay to the md thread, which can noticeable
+affect IO submission latency.
+
+In md_check_recovery() we only need to call set_in_sync() if
+'safemode' was non-zero at entry, meaning that there has been not
+recent IO. So we save this "safemode was nonzero" state, and only
+call set_in_sync() if it was non-zero.
+
+This measurably reduces mean and maximum IO submission latency during
+resync/recovery.
+
+Reported-and-tested-by: Jack Wang <jinpu.wang@cloud.ionos.com>
+Fixes: 4ad23a976413 ("MD: use per-cpu counter for writes_pending")
+Cc: stable@vger.kernel.org (v4.12+)
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/md.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -8807,6 +8807,7 @@ void md_check_recovery(struct mddev *mdd
+
+ if (mddev_trylock(mddev)) {
+ int spares = 0;
++ bool try_set_sync = mddev->safemode != 0;
+
+ if (!mddev->external && mddev->safemode == 1)
+ mddev->safemode = 0;
+@@ -8852,7 +8853,7 @@ void md_check_recovery(struct mddev *mdd
+ }
+ }
+
+- if (!mddev->external && !mddev->in_sync) {
++ if (try_set_sync && !mddev->external && !mddev->in_sync) {
+ spin_lock(&mddev->lock);
+ set_in_sync(mddev);
+ spin_unlock(&mddev->lock);
--- /dev/null
+From 143f6e733b73051cd22dcb80951c6c929da413ce Mon Sep 17 00:00:00 2001
+From: Xiao Ni <xni@redhat.com>
+Date: Mon, 8 Jul 2019 10:14:32 +0800
+Subject: md/raid6: Set R5_ReadError when there is read failure on parity disk
+
+From: Xiao Ni <xni@redhat.com>
+
+commit 143f6e733b73051cd22dcb80951c6c929da413ce upstream.
+
+7471fb77ce4d ("md/raid6: Fix anomily when recovering a single device in
+RAID6.") avoids rereading P when it can be computed from other members.
+However, this misses the chance to re-write the right data to P. This
+patch sets R5_ReadError if the re-read fails.
+
+Also, when re-read is skipped, we also missed the chance to reset
+rdev->read_errors to 0. It can fail the disk when there are many read
+errors on P member disk (other disks don't have read error)
+
+V2: upper layer read request don't read parity/Q data. So there is no
+need to consider such situation.
+
+This is Reported-by: kbuild test robot <lkp@intel.com>
+
+Fixes: 7471fb77ce4d ("md/raid6: Fix anomily when recovering a single device in RAID6.")
+Cc: <stable@vger.kernel.org> #4.4+
+Signed-off-by: Xiao Ni <xni@redhat.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/raid5.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -2573,7 +2573,9 @@ static void raid5_end_read_request(struc
+ && !test_bit(R5_ReadNoMerge, &sh->dev[i].flags))
+ retry = 1;
+ if (retry)
+- if (test_bit(R5_ReadNoMerge, &sh->dev[i].flags)) {
++ if (sh->qd_idx >= 0 && sh->pd_idx == i)
++ set_bit(R5_ReadError, &sh->dev[i].flags);
++ else if (test_bit(R5_ReadNoMerge, &sh->dev[i].flags)) {
+ set_bit(R5_ReadError, &sh->dev[i].flags);
+ clear_bit(R5_ReadNoMerge, &sh->dev[i].flags);
+ } else
--- /dev/null
+From 6565c182094f69e4ffdece337d395eb7ec760efc Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Wed, 11 Sep 2019 17:36:50 +0800
+Subject: quota: fix wrong condition in is_quota_modification()
+
+From: Chao Yu <yuchao0@huawei.com>
+
+commit 6565c182094f69e4ffdece337d395eb7ec760efc upstream.
+
+Quoted from
+commit 3da40c7b0898 ("ext4: only call ext4_truncate when size <= isize")
+
+" At LSF we decided that if we truncate up from isize we shouldn't trim
+ fallocated blocks that were fallocated with KEEP_SIZE and are past the
+ new i_size. This patch fixes ext4 to do this. "
+
+And generic/092 of fstest have covered this case for long time, however
+is_quota_modification() didn't adjust based on that rule, so that in
+below condition, we will lose to quota block change:
+- fallocate blocks beyond EOF
+- remount
+- truncate(file_path, file_size)
+
+Fix it.
+
+Link: https://lore.kernel.org/r/20190911093650.35329-1-yuchao0@huawei.com
+Fixes: 3da40c7b0898 ("ext4: only call ext4_truncate when size <= isize")
+CC: stable@vger.kernel.org
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/quotaops.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/quotaops.h
++++ b/include/linux/quotaops.h
+@@ -22,7 +22,7 @@ static inline struct quota_info *sb_dqop
+ /* i_mutex must being held */
+ static inline bool is_quota_modification(struct inode *inode, struct iattr *ia)
+ {
+- return (ia->ia_valid & ATTR_SIZE && ia->ia_size != inode->i_size) ||
++ return (ia->ia_valid & ATTR_SIZE) ||
+ (ia->ia_valid & ATTR_UID && !uid_eq(ia->ia_uid, inode->i_uid)) ||
+ (ia->ia_valid & ATTR_GID && !gid_eq(ia->ia_gid, inode->i_gid));
+ }
btrfs-qgroup-fix-the-wrong-target-io_tree-when-freeing-reserved-data-space.patch
btrfs-qgroup-fix-reserved-data-space-leak-if-we-have-multiple-reserve-calls.patch
btrfs-fix-race-setting-up-and-completing-qgroup-rescan-workers.patch
+md-raid6-set-r5_readerror-when-there-is-read-failure-on-parity-disk.patch
+md-don-t-report-active-array_state-until-after-revalidate_disk-completes.patch
+md-only-call-set_in_sync-when-it-is-expected-to-succeed.patch
+cfg80211-purge-frame-registrations-on-iftype-change.patch
+dev-mem-bail-out-upon-sigkill.patch
+ext4-fix-warning-inside-ext4_convert_unwritten_extents_endio.patch
+ext4-fix-punch-hole-for-inline_data-file-systems.patch
+quota-fix-wrong-condition-in-is_quota_modification.patch
+hwrng-core-don-t-wait-on-add_early_randomness.patch
+i2c-riic-clear-nack-in-tend-isr.patch
+cifs-fix-max-ea-value-size.patch
+cifs-fix-oplock-handling-for-smb-2.1-protocols.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
