--- /dev/null
+From b7f839d292948142eaab77cedd031aad0bfec872 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Tue, 2 Jun 2020 17:22:48 -0400
+Subject: drm/amdgpu/display: use blanked rather than plane state for sync groups
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit b7f839d292948142eaab77cedd031aad0bfec872 upstream.
+
+We may end up with no planes set yet, depending on the ordering, but we
+should have the proper blanking state which is either handled by either
+DPG or TG depending on the hardware generation. Check both to determine
+the proper blanked state.
+
+Bug: https://gitlab.freedesktop.org/drm/amd/issues/781
+Fixes: 5fc0cbfad45648 ("drm/amd/display: determine if a pipe is synced by plane state")
+Cc: nicholas.kazlauskas@amd.com
+Reviewed-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/display/dc/core/dc.c | 24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/core/dc.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c
+@@ -1011,9 +1011,17 @@ static void program_timing_sync(
+ }
+ }
+
+- /* set first pipe with plane as master */
++ /* set first unblanked pipe as master */
+ for (j = 0; j < group_size; j++) {
+- if (pipe_set[j]->plane_state) {
++ bool is_blanked;
++
++ if (pipe_set[j]->stream_res.opp->funcs->dpg_is_blanked)
++ is_blanked =
++ pipe_set[j]->stream_res.opp->funcs->dpg_is_blanked(pipe_set[j]->stream_res.opp);
++ else
++ is_blanked =
++ pipe_set[j]->stream_res.tg->funcs->is_blanked(pipe_set[j]->stream_res.tg);
++ if (!is_blanked) {
+ if (j == 0)
+ break;
+
+@@ -1034,9 +1042,17 @@ static void program_timing_sync(
+ status->timing_sync_info.master = false;
+
+ }
+- /* remove any other pipes with plane as they have already been synced */
++ /* remove any other unblanked pipes as they have already been synced */
+ for (j = j + 1; j < group_size; j++) {
+- if (pipe_set[j]->plane_state) {
++ bool is_blanked;
++
++ if (pipe_set[j]->stream_res.opp->funcs->dpg_is_blanked)
++ is_blanked =
++ pipe_set[j]->stream_res.opp->funcs->dpg_is_blanked(pipe_set[j]->stream_res.opp);
++ else
++ is_blanked =
++ pipe_set[j]->stream_res.tg->funcs->is_blanked(pipe_set[j]->stream_res.tg);
++ if (!is_blanked) {
+ group_size--;
+ pipe_set[j] = pipe_set[group_size];
+ j--;
--- /dev/null
+From 790243d3bf78f9830a3b2ffbca1ed0f528295d48 Mon Sep 17 00:00:00 2001
+From: Sandeep Raghuraman <sandy.8925@gmail.com>
+Date: Thu, 11 Jun 2020 01:36:26 +0530
+Subject: drm/amdgpu: Replace invalid device ID with a valid device ID
+
+From: Sandeep Raghuraman <sandy.8925@gmail.com>
+
+commit 790243d3bf78f9830a3b2ffbca1ed0f528295d48 upstream.
+
+Initializes Powertune data for a specific Hawaii card by fixing what
+looks like a typo in the code. The device ID 66B1 is not a supported
+device ID for this driver, and is not mentioned elsewhere. 67B1 is a
+valid device ID, and is a Hawaii Pro GPU.
+
+I have tested on my R9 390 which has device ID 67B1, and it works
+fine without problems.
+
+Signed-off-by: Sandeep Raghuraman <sandy.8925@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/powerplay/smumgr/ci_smumgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/powerplay/smumgr/ci_smumgr.c
++++ b/drivers/gpu/drm/amd/powerplay/smumgr/ci_smumgr.c
+@@ -239,7 +239,7 @@ static void ci_initialize_power_tune_def
+
+ switch (dev_id) {
+ case 0x67BA:
+- case 0x66B1:
++ case 0x67B1:
+ smu_data->power_tune_defaults = &defaults_hawaii_pro;
+ break;
+ case 0x67B8:
--- /dev/null
+From d6ddbd5c97d1b9156646ac5c42b8851edd664ee2 Mon Sep 17 00:00:00 2001
+From: Thomas Zimmermann <tzimmermann@suse.de>
+Date: Thu, 7 May 2020 11:06:40 +0200
+Subject: drm/ast: Don't check new mode if CRTC is being disabled
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+commit d6ddbd5c97d1b9156646ac5c42b8851edd664ee2 upstream.
+
+Suspending failed because there's no mode if the CRTC is being
+disabled. Early-out in this case. This fixes runtime PM for ast.
+
+v3:
+ * fixed commit message
+v2:
+ * added Tested-by/Reported-by tags
+ * added Fixes tags and CC (Sam)
+ * improved comment
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Reported-by: Cary Garrett <cogarre@gmail.com>
+Tested-by: Cary Garrett <cogarre@gmail.com>
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Fixes: b48e1b6ffd28 ("drm/ast: Add CRTC helpers for atomic modesetting")
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: Gerd Hoffmann <kraxel@redhat.com>
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Sam Ravnborg <sam@ravnborg.org>
+Cc: <stable@vger.kernel.org> # v5.6+
+Link: https://patchwork.freedesktop.org/patch/msgid/20200507090640.21561-1-tzimmermann@suse.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/ast/ast_mode.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/ast/ast_mode.c
++++ b/drivers/gpu/drm/ast/ast_mode.c
+@@ -802,6 +802,9 @@ static int ast_crtc_helper_atomic_check(
+ return -EINVAL;
+ }
+
++ if (!state->enable)
++ return 0; /* no mode checks if CRTC is being disabled */
++
+ ast_state = to_ast_crtc_state(state);
+
+ format = ast_state->format;
--- /dev/null
+From a5cb5fa6c3a5c2cf492db667b8670ee7b044b79f Mon Sep 17 00:00:00 2001
+From: Lyude Paul <lyude@redhat.com>
+Date: Fri, 3 Apr 2020 14:08:32 -0400
+Subject: drm/dp_mst: Reformat drm_dp_check_act_status() a bit
+
+From: Lyude Paul <lyude@redhat.com>
+
+commit a5cb5fa6c3a5c2cf492db667b8670ee7b044b79f upstream.
+
+Just add a bit more line wrapping, get rid of some extraneous
+whitespace, remove an unneeded goto label, and move around some variable
+declarations. No functional changes here.
+
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+[this isn't a fix, but it's needed for the fix that comes after this]
+Fixes: ad7f8a1f9ced ("drm/helper: add Displayport multi-stream helper (v0.6)")
+Cc: Sean Paul <sean@poorly.run>
+Cc: <stable@vger.kernel.org> # v3.17+
+Reviewed-by: Sean Paul <sean@poorly.run>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200406221253.1307209-3-lyude@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_dp_mst_topology.c | 22 ++++++++++------------
+ 1 file changed, 10 insertions(+), 12 deletions(-)
+
+--- a/drivers/gpu/drm/drm_dp_mst_topology.c
++++ b/drivers/gpu/drm/drm_dp_mst_topology.c
+@@ -4457,33 +4457,31 @@ fail:
+ */
+ int drm_dp_check_act_status(struct drm_dp_mst_topology_mgr *mgr)
+ {
++ int count = 0, ret;
+ u8 status;
+- int ret;
+- int count = 0;
+
+ do {
+- ret = drm_dp_dpcd_readb(mgr->aux, DP_PAYLOAD_TABLE_UPDATE_STATUS, &status);
+-
++ ret = drm_dp_dpcd_readb(mgr->aux,
++ DP_PAYLOAD_TABLE_UPDATE_STATUS,
++ &status);
+ if (ret < 0) {
+- DRM_DEBUG_KMS("failed to read payload table status %d\n", ret);
+- goto fail;
++ DRM_DEBUG_KMS("failed to read payload table status %d\n",
++ ret);
++ return ret;
+ }
+
+ if (status & DP_PAYLOAD_ACT_HANDLED)
+ break;
+ count++;
+ udelay(100);
+-
+ } while (count < 30);
+
+ if (!(status & DP_PAYLOAD_ACT_HANDLED)) {
+- DRM_DEBUG_KMS("failed to get ACT bit %d after %d retries\n", status, count);
+- ret = -EINVAL;
+- goto fail;
++ DRM_DEBUG_KMS("failed to get ACT bit %d after %d retries\n",
++ status, count);
++ return -EINVAL;
+ }
+ return 0;
+-fail:
+- return ret;
+ }
+ EXPORT_SYMBOL(drm_dp_check_act_status);
+
--- /dev/null
+From 61a41097e4bd4bf5d4abf3b3b58d5bf0856ce144 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 16 Apr 2020 09:54:28 +0200
+Subject: drm/nouveau/kms: Fix regression by audio component transition
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 61a41097e4bd4bf5d4abf3b3b58d5bf0856ce144 upstream.
+
+Since the commit 742db30c4ee6 ("drm/nouveau: Add HD-audio component
+notifier support"), the nouveau driver notifies and pokes the HD-audio
+HPD and ELD via audio component, but this seems broken. The culprit
+is the naive assumption that crtc->index corresponds to the HDA pin.
+Actually this rather corresponds to the MST dev_id (alias "pipe" in
+the audio component framework) while the actual port number is given
+from the output ior id number.
+
+This patch corrects the assignment of port and dev_id arguments in the
+audio component ops to recover from the HDMI/DP audio regression.
+
+Fixes: 742db30c4ee6 ("drm/nouveau: Add HD-audio component notifier support")
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=207223
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/nouveau/dispnv50/disp.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/nouveau/dispnv50/disp.c
++++ b/drivers/gpu/drm/nouveau/dispnv50/disp.c
+@@ -482,15 +482,16 @@ nv50_dac_create(struct drm_connector *co
+ * audio component binding for ELD notification
+ */
+ static void
+-nv50_audio_component_eld_notify(struct drm_audio_component *acomp, int port)
++nv50_audio_component_eld_notify(struct drm_audio_component *acomp, int port,
++ int dev_id)
+ {
+ if (acomp && acomp->audio_ops && acomp->audio_ops->pin_eld_notify)
+ acomp->audio_ops->pin_eld_notify(acomp->audio_ops->audio_ptr,
+- port, -1);
++ port, dev_id);
+ }
+
+ static int
+-nv50_audio_component_get_eld(struct device *kdev, int port, int pipe,
++nv50_audio_component_get_eld(struct device *kdev, int port, int dev_id,
+ bool *enabled, unsigned char *buf, int max_bytes)
+ {
+ struct drm_device *drm_dev = dev_get_drvdata(kdev);
+@@ -506,7 +507,8 @@ nv50_audio_component_get_eld(struct devi
+ nv_encoder = nouveau_encoder(encoder);
+ nv_connector = nouveau_encoder_connector_get(nv_encoder);
+ nv_crtc = nouveau_crtc(encoder->crtc);
+- if (!nv_connector || !nv_crtc || nv_crtc->index != port)
++ if (!nv_connector || !nv_crtc || nv_encoder->or != port ||
++ nv_crtc->index != dev_id)
+ continue;
+ *enabled = drm_detect_monitor_audio(nv_connector->edid);
+ if (*enabled) {
+@@ -600,7 +602,8 @@ nv50_audio_disable(struct drm_encoder *e
+
+ nvif_mthd(&disp->disp->object, 0, &args, sizeof(args));
+
+- nv50_audio_component_eld_notify(drm->audio.component, nv_crtc->index);
++ nv50_audio_component_eld_notify(drm->audio.component, nv_encoder->or,
++ nv_crtc->index);
+ }
+
+ static void
+@@ -634,7 +637,8 @@ nv50_audio_enable(struct drm_encoder *en
+ nvif_mthd(&disp->disp->object, 0, &args,
+ sizeof(args.base) + drm_eld_size(args.data));
+
+- nv50_audio_component_eld_notify(drm->audio.component, nv_crtc->index);
++ nv50_audio_component_eld_notify(drm->audio.component, nv_encoder->or,
++ nv_crtc->index);
+ }
+
+ /******************************************************************************
--- /dev/null
+From 80e5f89da3ab949fbbf1cae01dfaea29f5483a75 Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Tue, 31 Mar 2020 14:18:08 +0800
+Subject: drm/qxl: Use correct notify port address when creating cursor ring
+
+From: Huacai Chen <chenhc@lemote.com>
+
+commit 80e5f89da3ab949fbbf1cae01dfaea29f5483a75 upstream.
+
+The command ring and cursor ring use different notify port addresses
+definition: QXL_IO_NOTIFY_CMD and QXL_IO_NOTIFY_CURSOR. However, in
+qxl_device_init() we use QXL_IO_NOTIFY_CMD to create both command ring
+and cursor ring. This doesn't cause any problems now, because QEMU's
+behaviors on QXL_IO_NOTIFY_CMD and QXL_IO_NOTIFY_CURSOR are the same.
+However, QEMU's behavior may be change in future, so let's fix it.
+
+P.S.: In the X.org QXL driver, the notify port address of cursor ring
+ is correct.
+
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Cc: <stable@vger.kernel.org>
+Link: http://patchwork.freedesktop.org/patch/msgid/1585635488-17507-1-git-send-email-chenhc@lemote.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/qxl/qxl_kms.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/qxl/qxl_kms.c
++++ b/drivers/gpu/drm/qxl/qxl_kms.c
+@@ -218,7 +218,7 @@ int qxl_device_init(struct qxl_device *q
+ &(qdev->ram_header->cursor_ring_hdr),
+ sizeof(struct qxl_command),
+ QXL_CURSOR_RING_SIZE,
+- qdev->io_base + QXL_IO_NOTIFY_CMD,
++ qdev->io_base + QXL_IO_NOTIFY_CURSOR,
+ false,
+ &qdev->cursor_event);
+
--- /dev/null
+From foo@baz Mon 22 Jun 2020 08:18:17 PM CEST
+From: Jens Axboe <axboe@kernel.dk>
+Date: Tue, 16 Jun 2020 18:42:49 -0600
+Subject: io_uring: acquire 'mm' for task_work for SQPOLL
+
+From: Jens Axboe <axboe@kernel.dk>
+
+[ Upstream commit 9d8426a09195e2dcf2aa249de2aaadd792d491c7 ]
+
+If we're unlucky with timing, we could be running task_work after
+having dropped the memory context in the sq thread. Since dropping
+the context requires a runnable task state, we cannot reliably drop
+it as part of our check-for-work loop in io_sq_thread(). Instead,
+abstract out the mm acquire for the sq thread into a helper, and call
+it from the async task work handler.
+
+Cc: stable@vger.kernel.org # v5.7
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/io_uring.c | 44 +++++++++++++++++++++++++++++---------------
+ 1 file changed, 29 insertions(+), 15 deletions(-)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -4302,6 +4302,28 @@ static void io_async_queue_proc(struct f
+ __io_queue_proc(&pt->req->apoll->poll, pt, head);
+ }
+
++static void io_sq_thread_drop_mm(struct io_ring_ctx *ctx)
++{
++ struct mm_struct *mm = current->mm;
++
++ if (mm) {
++ unuse_mm(mm);
++ mmput(mm);
++ }
++}
++
++static int io_sq_thread_acquire_mm(struct io_ring_ctx *ctx,
++ struct io_kiocb *req)
++{
++ if (io_op_defs[req->opcode].needs_mm && !current->mm) {
++ if (unlikely(!mmget_not_zero(ctx->sqo_mm)))
++ return -EFAULT;
++ use_mm(ctx->sqo_mm);
++ }
++
++ return 0;
++}
++
+ static void io_async_task_func(struct callback_head *cb)
+ {
+ struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
+@@ -4333,12 +4355,17 @@ static void io_async_task_func(struct ca
+ if (canceled) {
+ kfree(apoll);
+ io_cqring_ev_posted(ctx);
++end_req:
+ req_set_fail_links(req);
+ io_double_put_req(req);
+ return;
+ }
+
+ __set_current_state(TASK_RUNNING);
++ if (io_sq_thread_acquire_mm(ctx, req)) {
++ io_cqring_add_event(req, -EFAULT);
++ goto end_req;
++ }
+ mutex_lock(&ctx->uring_lock);
+ __io_queue_sqe(req, NULL);
+ mutex_unlock(&ctx->uring_lock);
+@@ -5897,11 +5924,8 @@ static int io_init_req(struct io_ring_ct
+ if (unlikely(req->opcode >= IORING_OP_LAST))
+ return -EINVAL;
+
+- if (io_op_defs[req->opcode].needs_mm && !current->mm) {
+- if (unlikely(!mmget_not_zero(ctx->sqo_mm)))
+- return -EFAULT;
+- use_mm(ctx->sqo_mm);
+- }
++ if (unlikely(io_sq_thread_acquire_mm(ctx, req)))
++ return -EFAULT;
+
+ sqe_flags = READ_ONCE(sqe->flags);
+ /* enforce forwards compatibility on users */
+@@ -6011,16 +6035,6 @@ fail_req:
+ return submitted;
+ }
+
+-static inline void io_sq_thread_drop_mm(struct io_ring_ctx *ctx)
+-{
+- struct mm_struct *mm = current->mm;
+-
+- if (mm) {
+- unuse_mm(mm);
+- mmput(mm);
+- }
+-}
+-
+ static int io_sq_thread(void *data)
+ {
+ struct io_ring_ctx *ctx = data;
--- /dev/null
+From foo@baz Mon 22 Jun 2020 08:18:17 PM CEST
+From: Xiaoguang Wang <xiaoguang.wang@linux.alibaba.com>
+Date: Tue, 16 Jun 2020 02:06:38 +0800
+Subject: io_uring: add memory barrier to synchronize io_kiocb's result and iopoll_completed
+
+From: Xiaoguang Wang <xiaoguang.wang@linux.alibaba.com>
+
+[ Upstream commit bbde017a32b32d2fa8d5fddca25fade20132abf8 ]
+
+In io_complete_rw_iopoll(), stores to io_kiocb's result and iopoll
+completed are two independent store operations, to ensure that once
+iopoll_completed is ture and then req->result must been perceived by
+the cpu executing io_do_iopoll(), proper memory barrier should be used.
+
+And in io_do_iopoll(), we check whether req->result is EAGAIN, if it is,
+we'll need to issue this io request using io-wq again. In order to just
+issue a single smp_rmb() on the completion side, move the re-submit work
+to io_iopoll_complete().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Xiaoguang Wang <xiaoguang.wang@linux.alibaba.com>
+[axboe: don't set ->iopoll_completed for -EAGAIN retry]
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/io_uring.c | 53 +++++++++++++++++++++++++++++------------------------
+ 1 file changed, 29 insertions(+), 24 deletions(-)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -1690,6 +1690,18 @@ static int io_put_kbuf(struct io_kiocb *
+ return cflags;
+ }
+
++static void io_iopoll_queue(struct list_head *again)
++{
++ struct io_kiocb *req;
++
++ do {
++ req = list_first_entry(again, struct io_kiocb, list);
++ list_del(&req->list);
++ refcount_inc(&req->refs);
++ io_queue_async_work(req);
++ } while (!list_empty(again));
++}
++
+ /*
+ * Find and free completed poll iocbs
+ */
+@@ -1698,12 +1710,21 @@ static void io_iopoll_complete(struct io
+ {
+ struct req_batch rb;
+ struct io_kiocb *req;
++ LIST_HEAD(again);
++
++ /* order with ->result store in io_complete_rw_iopoll() */
++ smp_rmb();
+
+ rb.to_free = rb.need_iter = 0;
+ while (!list_empty(done)) {
+ int cflags = 0;
+
+ req = list_first_entry(done, struct io_kiocb, list);
++ if (READ_ONCE(req->result) == -EAGAIN) {
++ req->iopoll_completed = 0;
++ list_move_tail(&req->list, &again);
++ continue;
++ }
+ list_del(&req->list);
+
+ if (req->flags & REQ_F_BUFFER_SELECTED)
+@@ -1721,18 +1742,9 @@ static void io_iopoll_complete(struct io
+ if (ctx->flags & IORING_SETUP_SQPOLL)
+ io_cqring_ev_posted(ctx);
+ io_free_req_many(ctx, &rb);
+-}
+
+-static void io_iopoll_queue(struct list_head *again)
+-{
+- struct io_kiocb *req;
+-
+- do {
+- req = list_first_entry(again, struct io_kiocb, list);
+- list_del(&req->list);
+- refcount_inc(&req->refs);
+- io_queue_async_work(req);
+- } while (!list_empty(again));
++ if (!list_empty(&again))
++ io_iopoll_queue(&again);
+ }
+
+ static int io_do_iopoll(struct io_ring_ctx *ctx, unsigned int *nr_events,
+@@ -1740,7 +1752,6 @@ static int io_do_iopoll(struct io_ring_c
+ {
+ struct io_kiocb *req, *tmp;
+ LIST_HEAD(done);
+- LIST_HEAD(again);
+ bool spin;
+ int ret;
+
+@@ -1766,13 +1777,6 @@ static int io_do_iopoll(struct io_ring_c
+ if (!list_empty(&done))
+ break;
+
+- if (req->result == -EAGAIN) {
+- list_move_tail(&req->list, &again);
+- continue;
+- }
+- if (!list_empty(&again))
+- break;
+-
+ ret = kiocb->ki_filp->f_op->iopoll(kiocb, spin);
+ if (ret < 0)
+ break;
+@@ -1785,9 +1789,6 @@ static int io_do_iopoll(struct io_ring_c
+ if (!list_empty(&done))
+ io_iopoll_complete(ctx, nr_events, &done);
+
+- if (!list_empty(&again))
+- io_iopoll_queue(&again);
+-
+ return ret;
+ }
+
+@@ -1938,9 +1939,13 @@ static void io_complete_rw_iopoll(struct
+
+ if (res != -EAGAIN && res != req->result)
+ req_set_fail_links(req);
+- req->result = res;
+- if (res != -EAGAIN)
++
++ WRITE_ONCE(req->result, res);
++ /* order with io_poll_complete() checking ->result */
++ if (res != -EAGAIN) {
++ smp_wmb();
+ WRITE_ONCE(req->iopoll_completed, 1);
++ }
+ }
+
+ /*
-From 2d7d67920e5c8e0854df23ca77da2dd5880ce5dd Mon Sep 17 00:00:00 2001
+From foo@baz Mon 22 Jun 2020 08:18:17 PM CEST
From: Xiaoguang Wang <xiaoguang.wang@linux.alibaba.com>
Date: Tue, 16 Jun 2020 02:06:37 +0800
Subject: io_uring: don't fail links for EAGAIN error in IOPOLL mode
From: Xiaoguang Wang <xiaoguang.wang@linux.alibaba.com>
-commit 2d7d67920e5c8e0854df23ca77da2dd5880ce5dd upstream.
+[ Upstream commit 2d7d67920e5c8e0854df23ca77da2dd5880ce5dd ]
In IOPOLL mode, for EAGAIN error, we'll try to submit io request
again using io-wq, so don't fail rest of links if this io request
Signed-off-by: Xiaoguang Wang <xiaoguang.wang@linux.alibaba.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
---
fs/io_uring.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
-@@ -1937,7 +1937,7 @@ static void io_complete_rw_iopoll(struct
+@@ -1936,7 +1936,7 @@ static void io_complete_rw_iopoll(struct
if (kiocb->ki_flags & IOCB_WRITE)
kiocb_end_write(req);
--- /dev/null
+From foo@baz Mon 22 Jun 2020 08:18:17 PM CEST
+From: Xiaoguang Wang <xiaoguang.wang@linux.alibaba.com>
+Date: Thu, 11 Jun 2020 23:39:36 +0800
+Subject: io_uring: fix io_kiocb.flags modification race in IOPOLL mode
+
+From: Xiaoguang Wang <xiaoguang.wang@linux.alibaba.com>
+
+[ Upstream commit 65a6543da386838f935d2f03f452c5c0acff2a68 ]
+
+While testing io_uring in arm, we found sometimes io_sq_thread() keeps
+polling io requests even though there are not inflight io requests in
+block layer. After some investigations, found a possible race about
+io_kiocb.flags, see below race codes:
+ 1) in the end of io_write() or io_read()
+ req->flags &= ~REQ_F_NEED_CLEANUP;
+ kfree(iovec);
+ return ret;
+
+ 2) in io_complete_rw_iopoll()
+ if (res != -EAGAIN)
+ req->flags |= REQ_F_IOPOLL_COMPLETED;
+
+In IOPOLL mode, io requests still maybe completed by interrupt, then
+above codes are not safe, concurrent modifications to req->flags, which
+is not protected by lock or is not atomic modifications. I also had
+disassemble io_complete_rw_iopoll() in arm:
+ req->flags |= REQ_F_IOPOLL_COMPLETED;
+ 0xffff000008387b18 <+76>: ldr w0, [x19,#104]
+ 0xffff000008387b1c <+80>: orr w0, w0, #0x1000
+ 0xffff000008387b20 <+84>: str w0, [x19,#104]
+
+Seems that the "req->flags |= REQ_F_IOPOLL_COMPLETED;" is load and
+modification, two instructions, which obviously is not atomic.
+
+To fix this issue, add a new iopoll_completed in io_kiocb to indicate
+whether io request is completed.
+
+Signed-off-by: Xiaoguang Wang <xiaoguang.wang@linux.alibaba.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/io_uring.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -513,7 +513,6 @@ enum {
+ REQ_F_INFLIGHT_BIT,
+ REQ_F_CUR_POS_BIT,
+ REQ_F_NOWAIT_BIT,
+- REQ_F_IOPOLL_COMPLETED_BIT,
+ REQ_F_LINK_TIMEOUT_BIT,
+ REQ_F_TIMEOUT_BIT,
+ REQ_F_ISREG_BIT,
+@@ -556,8 +555,6 @@ enum {
+ REQ_F_CUR_POS = BIT(REQ_F_CUR_POS_BIT),
+ /* must not punt to workers */
+ REQ_F_NOWAIT = BIT(REQ_F_NOWAIT_BIT),
+- /* polled IO has completed */
+- REQ_F_IOPOLL_COMPLETED = BIT(REQ_F_IOPOLL_COMPLETED_BIT),
+ /* has linked timeout */
+ REQ_F_LINK_TIMEOUT = BIT(REQ_F_LINK_TIMEOUT_BIT),
+ /* timeout request */
+@@ -618,6 +615,8 @@ struct io_kiocb {
+ int cflags;
+ bool needs_fixed_file;
+ u8 opcode;
++ /* polled IO has completed */
++ u8 iopoll_completed;
+
+ u16 buf_index;
+
+@@ -1760,7 +1759,7 @@ static int io_do_iopoll(struct io_ring_c
+ * If we find a request that requires polling, break out
+ * and complete those lists first, if we have entries there.
+ */
+- if (req->flags & REQ_F_IOPOLL_COMPLETED) {
++ if (READ_ONCE(req->iopoll_completed)) {
+ list_move_tail(&req->list, &done);
+ continue;
+ }
+@@ -1941,7 +1940,7 @@ static void io_complete_rw_iopoll(struct
+ req_set_fail_links(req);
+ req->result = res;
+ if (res != -EAGAIN)
+- req->flags |= REQ_F_IOPOLL_COMPLETED;
++ WRITE_ONCE(req->iopoll_completed, 1);
+ }
+
+ /*
+@@ -1974,7 +1973,7 @@ static void io_iopoll_req_issued(struct
+ * For fast devices, IO may have already completed. If it has, add
+ * it to the front so we find it first.
+ */
+- if (req->flags & REQ_F_IOPOLL_COMPLETED)
++ if (READ_ONCE(req->iopoll_completed))
+ list_add(&req->list, &ctx->poll_list);
+ else
+ list_add_tail(&req->list, &ctx->poll_list);
+@@ -2098,6 +2097,7 @@ static int io_prep_rw(struct io_kiocb *r
+ kiocb->ki_flags |= IOCB_HIPRI;
+ kiocb->ki_complete = io_complete_rw_iopoll;
+ req->result = 0;
++ req->iopoll_completed = 0;
+ } else {
+ if (kiocb->ki_flags & IOCB_HIPRI)
+ return -EINVAL;
-From 6f2cc1664db20676069cff27a461ccc97dbfd114 Mon Sep 17 00:00:00 2001
+From foo@baz Mon 22 Jun 2020 08:18:17 PM CEST
From: Xiaoguang Wang <xiaoguang.wang@linux.alibaba.com>
Date: Thu, 18 Jun 2020 15:01:56 +0800
Subject: io_uring: fix possible race condition against REQ_F_NEED_CLEANUP
From: Xiaoguang Wang <xiaoguang.wang@linux.alibaba.com>
-commit 6f2cc1664db20676069cff27a461ccc97dbfd114 upstream.
+[ Upstream commit 6f2cc1664db20676069cff27a461ccc97dbfd114 ]
In io_read() or io_write(), when io request is submitted successfully,
it'll go through the below sequence:
Signed-off-by: Xiaoguang Wang <xiaoguang.wang@linux.alibaba.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
---
fs/io_uring.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
-@@ -2609,8 +2609,8 @@ copy_iov:
+@@ -2614,8 +2614,8 @@ copy_iov:
}
}
out_free:
return ret;
}
-@@ -2732,8 +2732,8 @@ copy_iov:
+@@ -2737,8 +2737,8 @@ copy_iov:
}
}
out_free:
--- /dev/null
+From foo@baz Mon 22 Jun 2020 08:18:17 PM CEST
+From: Jens Axboe <axboe@kernel.dk>
+Date: Wed, 17 Jun 2020 15:00:04 -0600
+Subject: io_uring: reap poll completions while waiting for refs to drop on exit
+
+From: Jens Axboe <axboe@kernel.dk>
+
+[ Upstream commit 56952e91acc93ed624fe9da840900defb75f1323 ]
+
+If we're doing polled IO and end up having requests being submitted
+async, then completions can come in while we're waiting for refs to
+drop. We need to reap these manually, as nobody else will be looking
+for them.
+
+Break the wait into 1/20th of a second time waits, and check for done
+poll completions if we time out. Otherwise we can have done poll
+completions sitting in ctx->poll_list, which needs us to reap them but
+we're just waiting for them.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/io_uring.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -7404,7 +7404,17 @@ static void io_ring_exit_work(struct wor
+ if (ctx->rings)
+ io_cqring_overflow_flush(ctx, true);
+
+- wait_for_completion(&ctx->completions[0]);
++ /*
++ * If we're doing polled IO and end up having requests being
++ * submitted async (out-of-line), then completions can come in while
++ * we're waiting for refs to drop. We need to reap these manually,
++ * as nobody else will be looking for them.
++ */
++ while (!wait_for_completion_timeout(&ctx->completions[0], HZ/20)) {
++ io_iopoll_reap_events(ctx);
++ if (ctx->rings)
++ io_cqring_overflow_flush(ctx, true);
++ }
+ io_ring_ctx_free(ctx);
+ }
+
--- /dev/null
+From aa449a7965a6172a89d48844c313708962216f1f Mon Sep 17 00:00:00 2001
+From: Tom Rix <trix@redhat.com>
+Date: Mon, 15 Jun 2020 13:45:48 -0700
+Subject: selinux: fix a double free in cond_read_node()/cond_read_list()
+
+From: Tom Rix <trix@redhat.com>
+
+commit aa449a7965a6172a89d48844c313708962216f1f upstream.
+
+Clang static analysis reports this double free error
+
+security/selinux/ss/conditional.c:139:2: warning: Attempt to free released memory [unix.Malloc]
+ kfree(node->expr.nodes);
+ ^~~~~~~~~~~~~~~~~~~~~~~
+
+When cond_read_node fails, it calls cond_node_destroy which frees the
+node but does not poison the entry in the node list. So when it
+returns to its caller cond_read_list, cond_read_list deletes the
+partial list. The latest entry in the list will be deleted twice.
+
+So instead of freeing the node in cond_read_node, let list freeing in
+code_read_list handle the freeing the problem node along with all of the
+earlier nodes.
+
+Because cond_read_node no longer does any error handling, the goto's
+the error case are redundant. Instead just return the error code.
+
+Cc: stable@vger.kernel.org
+Fixes: 60abd3181db2 ("selinux: convert cond_list to array")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
+[PM: subject line tweaks]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/selinux/ss/conditional.c | 18 +++++-------------
+ 1 file changed, 5 insertions(+), 13 deletions(-)
+
+--- a/security/selinux/ss/conditional.c
++++ b/security/selinux/ss/conditional.c
+@@ -392,27 +392,19 @@ static int cond_read_node(struct policyd
+
+ rc = next_entry(buf, fp, sizeof(u32) * 2);
+ if (rc)
+- goto err;
++ return rc;
+
+ expr->expr_type = le32_to_cpu(buf[0]);
+ expr->bool = le32_to_cpu(buf[1]);
+
+- if (!expr_node_isvalid(p, expr)) {
+- rc = -EINVAL;
+- goto err;
+- }
++ if (!expr_node_isvalid(p, expr))
++ return -EINVAL;
+ }
+
+ rc = cond_read_av_list(p, fp, &node->true_list, NULL);
+ if (rc)
+- goto err;
+- rc = cond_read_av_list(p, fp, &node->false_list, &node->true_list);
+- if (rc)
+- goto err;
+- return 0;
+-err:
+- cond_node_destroy(node);
+- return rc;
++ return rc;
++ return cond_read_av_list(p, fp, &node->false_list, &node->true_list);
+ }
+
+ int cond_read_list(struct policydb *p, void *fp)
--- /dev/null
+From 65de50969a77509452ae590e9449b70a22b923bb Mon Sep 17 00:00:00 2001
+From: Tom Rix <trix@redhat.com>
+Date: Wed, 10 Jun 2020 14:57:13 -0700
+Subject: selinux: fix double free
+
+From: Tom Rix <trix@redhat.com>
+
+commit 65de50969a77509452ae590e9449b70a22b923bb upstream.
+
+Clang's static analysis tool reports these double free memory errors.
+
+security/selinux/ss/services.c:2987:4: warning: Attempt to free released memory [unix.Malloc]
+ kfree(bnames[i]);
+ ^~~~~~~~~~~~~~~~
+security/selinux/ss/services.c:2990:2: warning: Attempt to free released memory [unix.Malloc]
+ kfree(bvalues);
+ ^~~~~~~~~~~~~~
+
+So improve the security_get_bools error handling by freeing these variables
+and setting their return pointers to NULL and the return len to 0
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Tom Rix <trix@redhat.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/selinux/ss/services.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/security/selinux/ss/services.c
++++ b/security/selinux/ss/services.c
+@@ -2923,8 +2923,12 @@ err:
+ if (*names) {
+ for (i = 0; i < *len; i++)
+ kfree((*names)[i]);
++ kfree(*names);
+ }
+ kfree(*values);
++ *len = 0;
++ *names = NULL;
++ *values = NULL;
+ goto out;
+ }
+
--- /dev/null
+From 8231b0b9c322c894594fb42eb0eb9f93544a6acc Mon Sep 17 00:00:00 2001
+From: Tom Rix <trix@redhat.com>
+Date: Wed, 17 Jun 2020 05:40:28 -0700
+Subject: selinux: fix undefined return of cond_evaluate_expr
+
+From: Tom Rix <trix@redhat.com>
+
+commit 8231b0b9c322c894594fb42eb0eb9f93544a6acc upstream.
+
+clang static analysis reports an undefined return
+
+security/selinux/ss/conditional.c:79:2: warning: Undefined or garbage value returned to caller [core.uninitialized.UndefReturn]
+ return s[0];
+ ^~~~~~~~~~~
+
+static int cond_evaluate_expr( ...
+{
+ u32 i;
+ int s[COND_EXPR_MAXDEPTH];
+
+ for (i = 0; i < expr->len; i++)
+ ...
+
+ return s[0];
+
+When expr->len is 0, the loop which sets s[0] never runs.
+
+So return -1 if the loop never runs.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Tom Rix <trix@redhat.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/selinux/ss/conditional.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/security/selinux/ss/conditional.c
++++ b/security/selinux/ss/conditional.c
+@@ -27,6 +27,9 @@ static int cond_evaluate_expr(struct pol
+ int s[COND_EXPR_MAXDEPTH];
+ int sp = -1;
+
++ if (expr->len == 0)
++ return -1;
++
+ for (i = 0; i < expr->len; i++) {
+ struct cond_expr_node *node = &expr->nodes[i];
+
libata-use-per-port-sync-for-detach.patch
drm-encoder_slave-fix-refcouting-error-for-modules.patch
pinctrl-qcom-ipq6018-add-missing-pins-in-qpic-pin-gr.patch
-io_uring-don-t-fail-links-for-eagain-error-in-iopoll-mode.patch
-io_uring-fix-possible-race-condition-against-req_f_need_cleanup.patch
ext4-fix-partial-cluster-initialization-when-splitting-extent.patch
ext4-avoid-utf8_strncasecmp-with-unstable-name.patch
ext4-jbd2-ensure-panic-by-fix-a-race-between-jbd2-abort-and-ext4-error-handlers.patch
arm64-dts-realtek-rtd129x-use-reserved-memory-for-rpc-regions.patch
arm64-dts-realtek-rtd129x-carve-out-boot-rom-from-memory.patch
sh-convert-iounmap-macros-to-inline-functions.patch
+drm-nouveau-kms-fix-regression-by-audio-component-transition.patch
+drm-dp_mst-reformat-drm_dp_check_act_status-a-bit.patch
+drm-qxl-use-correct-notify-port-address-when-creating-cursor-ring.patch
+drm-amdgpu-display-use-blanked-rather-than-plane-state-for-sync-groups.patch
+drm-amdgpu-replace-invalid-device-id-with-a-valid-device-id.patch
+selinux-fix-double-free.patch
+selinux-fix-a-double-free-in-cond_read_node-cond_read_list.patch
+selinux-fix-undefined-return-of-cond_evaluate_expr.patch
+drm-ast-don-t-check-new-mode-if-crtc-is-being-disabled.patch
+io_uring-fix-io_kiocb.flags-modification-race-in-iopoll-mode.patch
+io_uring-don-t-fail-links-for-eagain-error-in-iopoll-mode.patch
+io_uring-add-memory-barrier-to-synchronize-io_kiocb-s-result-and-iopoll_completed.patch
+io_uring-acquire-mm-for-task_work-for-sqpoll.patch
+io_uring-reap-poll-completions-while-waiting-for-refs-to-drop-on-exit.patch
+io_uring-fix-possible-race-condition-against-req_f_need_cleanup.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
