fixes for 4.19

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-4.19/bcache-remove-redundant-list_head-journal-from-run_c.patch b/queue-4.19/bcache-remove-redundant-list_head-journal-from-run_c.patch
new file mode 100644 (file)
index 0000000..5da3d02
--- /dev/null
+++ b/queue-4.19/bcache-remove-redundant-list_head-journal-from-run_c.patch
@@ -0,0 +1,41 @@
+From 840d1b50d9b7a348cbdd442df98ecdc14e7cffd8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Apr 2019 22:02:25 +0800
+Subject: bcache: remove redundant LIST_HEAD(journal) from run_cache_set()
+
+From: Coly Li <colyli@suse.de>
+
+[ Upstream commit cdca22bcbc64fc83dadb8d927df400a8d86ddabb ]
+
+Commit 95f18c9d1310 ("bcache: avoid potential memleak of list of
+journal_replay(s) in the CACHE_SYNC branch of run_cache_set") forgets
+to remove the original define of LIST_HEAD(journal), which makes
+the change no take effect. This patch removes redundant variable
+LIST_HEAD(journal) from run_cache_set(), to make Shenghui's fix
+working.
+
+Fixes: 95f18c9d1310 ("bcache: avoid potential memleak of list of journal_replay(s) in the CACHE_SYNC branch of run_cache_set")
+Reported-by: Juha Aatrokoski <juha.aatrokoski@aalto.fi>
+Cc: Shenghui Wang <shhuiw@foxmail.com>
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/super.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
+index e6c7a84bb1dfd..2321643974dab 100644
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1768,7 +1768,6 @@ static int run_cache_set(struct cache_set *c)
+       set_gc_sectors(c);
+ 
+       if (CACHE_SYNC(&c->sb)) {
+-              LIST_HEAD(journal);
+               struct bkey *k;
+               struct jset *j;
+ 
+-- 
+2.20.1
+

diff --git a/queue-4.19/blk-mq-change-gfp-flags-to-gfp_noio-in-blk_mq_reallo.patch b/queue-4.19/blk-mq-change-gfp-flags-to-gfp_noio-in-blk_mq_reallo.patch
new file mode 100644 (file)
index 0000000..6ec657d
--- /dev/null
+++ b/queue-4.19/blk-mq-change-gfp-flags-to-gfp_noio-in-blk_mq_reallo.patch
@@ -0,0 +1,129 @@
+From 64c1cd03a68d6b087958cab4c3aa574f282de011 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Oct 2018 18:07:26 +0800
+Subject: blk-mq: change gfp flags to GFP_NOIO in blk_mq_realloc_hw_ctxs
+
+From: Jianchao Wang <jianchao.w.wang@oracle.com>
+
+[ Upstream commit 5b202853ffbc54b29f23c4b1b5f3948efab489a2 ]
+
+blk_mq_realloc_hw_ctxs could be invoked during update hw queues.
+At the momemt, IO is blocked. Change the gfp flags from GFP_KERNEL
+to GFP_NOIO to avoid forever hang during memory allocation in
+blk_mq_realloc_hw_ctxs.
+
+Signed-off-by: Jianchao Wang <jianchao.w.wang@oracle.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-core.c  |  2 +-
+ block/blk-flush.c |  6 +++---
+ block/blk-mq.c    | 17 ++++++++++-------
+ block/blk.h       |  2 +-
+ 4 files changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/block/blk-core.c b/block/blk-core.c
+index af635f878f966..074ae9376189b 100644
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -1165,7 +1165,7 @@ int blk_init_allocated_queue(struct request_queue *q)
+ {
+       WARN_ON_ONCE(q->mq_ops);
+ 
+-      q->fq = blk_alloc_flush_queue(q, NUMA_NO_NODE, q->cmd_size);
++      q->fq = blk_alloc_flush_queue(q, NUMA_NO_NODE, q->cmd_size, GFP_KERNEL);
+       if (!q->fq)
+               return -ENOMEM;
+ 
+diff --git a/block/blk-flush.c b/block/blk-flush.c
+index 76487948a27fa..87fc49daa2b49 100644
+--- a/block/blk-flush.c
++++ b/block/blk-flush.c
+@@ -566,12 +566,12 @@ int blkdev_issue_flush(struct block_device *bdev, gfp_t gfp_mask,
+ EXPORT_SYMBOL(blkdev_issue_flush);
+ 
+ struct blk_flush_queue *blk_alloc_flush_queue(struct request_queue *q,
+-              int node, int cmd_size)
++              int node, int cmd_size, gfp_t flags)
+ {
+       struct blk_flush_queue *fq;
+       int rq_sz = sizeof(struct request);
+ 
+-      fq = kzalloc_node(sizeof(*fq), GFP_KERNEL, node);
++      fq = kzalloc_node(sizeof(*fq), flags, node);
+       if (!fq)
+               goto fail;
+ 
+@@ -579,7 +579,7 @@ struct blk_flush_queue *blk_alloc_flush_queue(struct request_queue *q,
+               spin_lock_init(&fq->mq_flush_lock);
+ 
+       rq_sz = round_up(rq_sz + cmd_size, cache_line_size());
+-      fq->flush_rq = kzalloc_node(rq_sz, GFP_KERNEL, node);
++      fq->flush_rq = kzalloc_node(rq_sz, flags, node);
+       if (!fq->flush_rq)
+               goto fail_rq;
+ 
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index 455fda99255a4..9dfafee65bce2 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -2198,12 +2198,12 @@ static int blk_mq_init_hctx(struct request_queue *q,
+        * runtime
+        */
+       hctx->ctxs = kmalloc_array_node(nr_cpu_ids, sizeof(void *),
+-                                      GFP_KERNEL, node);
++                      GFP_NOIO | __GFP_NOWARN | __GFP_NORETRY, node);
+       if (!hctx->ctxs)
+               goto unregister_cpu_notifier;
+ 
+-      if (sbitmap_init_node(&hctx->ctx_map, nr_cpu_ids, ilog2(8), GFP_KERNEL,
+-                            node))
++      if (sbitmap_init_node(&hctx->ctx_map, nr_cpu_ids, ilog2(8),
++                              GFP_NOIO | __GFP_NOWARN | __GFP_NORETRY, node))
+               goto free_ctxs;
+ 
+       hctx->nr_ctx = 0;
+@@ -2216,7 +2216,8 @@ static int blk_mq_init_hctx(struct request_queue *q,
+           set->ops->init_hctx(hctx, set->driver_data, hctx_idx))
+               goto free_bitmap;
+ 
+-      hctx->fq = blk_alloc_flush_queue(q, hctx->numa_node, set->cmd_size);
++      hctx->fq = blk_alloc_flush_queue(q, hctx->numa_node, set->cmd_size,
++                      GFP_NOIO | __GFP_NOWARN | __GFP_NORETRY);
+       if (!hctx->fq)
+               goto exit_hctx;
+ 
+@@ -2530,12 +2531,14 @@ static void blk_mq_realloc_hw_ctxs(struct blk_mq_tag_set *set,
+ 
+               node = blk_mq_hw_queue_to_node(q->mq_map, i);
+               hctxs[i] = kzalloc_node(blk_mq_hw_ctx_size(set),
+-                                      GFP_KERNEL, node);
++                              GFP_NOIO | __GFP_NOWARN | __GFP_NORETRY,
++                              node);
+               if (!hctxs[i])
+                       break;
+ 
+-              if (!zalloc_cpumask_var_node(&hctxs[i]->cpumask, GFP_KERNEL,
+-                                              node)) {
++              if (!zalloc_cpumask_var_node(&hctxs[i]->cpumask,
++                                      GFP_NOIO | __GFP_NOWARN | __GFP_NORETRY,
++                                      node)) {
+                       kfree(hctxs[i]);
+                       hctxs[i] = NULL;
+                       break;
+diff --git a/block/blk.h b/block/blk.h
+index 977d4b5d968d5..11e4ca2f2cd46 100644
+--- a/block/blk.h
++++ b/block/blk.h
+@@ -124,7 +124,7 @@ static inline void __blk_get_queue(struct request_queue *q)
+ }
+ 
+ struct blk_flush_queue *blk_alloc_flush_queue(struct request_queue *q,
+-              int node, int cmd_size);
++              int node, int cmd_size, gfp_t flags);
+ void blk_free_flush_queue(struct blk_flush_queue *q);
+ 
+ int blk_init_rl(struct request_list *rl, struct request_queue *q,
+-- 
+2.20.1
+

diff --git a/queue-4.19/blk-mq-move-cancel-of-requeue_work-to-the-front-of-b.patch b/queue-4.19/blk-mq-move-cancel-of-requeue_work-to-the-front-of-b.patch
new file mode 100644 (file)
index 0000000..30f52c9
--- /dev/null
+++ b/queue-4.19/blk-mq-move-cancel-of-requeue_work-to-the-front-of-b.patch
@@ -0,0 +1,61 @@
+From 3f09a62efe0082d4a51a6f9f6d014feff83ebf40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Aug 2019 20:36:55 +0800
+Subject: blk-mq: move cancel of requeue_work to the front of blk_exit_queue
+
+From: zhengbin <zhengbin13@huawei.com>
+
+[ Upstream commit e26cc08265dda37d2acc8394604f220ef412299d ]
+
+blk_exit_queue will free elevator_data, while blk_mq_requeue_work
+will access it. Move cancel of requeue_work to the front of
+blk_exit_queue to avoid use-after-free.
+
+blk_exit_queue                blk_mq_requeue_work
+  __elevator_exit               blk_mq_run_hw_queues
+    blk_mq_exit_sched             blk_mq_run_hw_queue
+      dd_exit_queue                 blk_mq_hctx_has_pending
+        kfree(elevator_data)          blk_mq_sched_has_work
+                                        dd_has_work
+
+Fixes: fbc2a15e3433 ("blk-mq: move cancel of requeue_work into blk_mq_release")
+Cc: stable@vger.kernel.org
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: zhengbin <zhengbin13@huawei.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-mq.c    | 2 --
+ block/blk-sysfs.c | 3 +++
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index 9dfafee65bce2..7ea85ec52026e 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -2461,8 +2461,6 @@ void blk_mq_release(struct request_queue *q)
+       struct blk_mq_hw_ctx *hctx;
+       unsigned int i;
+ 
+-      cancel_delayed_work_sync(&q->requeue_work);
+-
+       /* hctx kobj stays in hctx */
+       queue_for_each_hw_ctx(q, hctx, i) {
+               if (!hctx)
+diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c
+index 3772671cf2bc5..bab47a17b96f4 100644
+--- a/block/blk-sysfs.c
++++ b/block/blk-sysfs.c
+@@ -836,6 +836,9 @@ static void __blk_release_queue(struct work_struct *work)
+ 
+       blk_free_queue_stats(q->stats);
+ 
++      if (q->mq_ops)
++              cancel_delayed_work_sync(&q->requeue_work);
++
+       blk_exit_rl(q, &q->root_rl);
+ 
+       if (q->queue_tags)
+-- 
+2.20.1
+

diff --git a/queue-4.19/bpf-libbpf-retry-loading-program-on-eagain.patch b/queue-4.19/bpf-libbpf-retry-loading-program-on-eagain.patch
new file mode 100644 (file)
index 0000000..5d0a8cf
--- /dev/null
+++ b/queue-4.19/bpf-libbpf-retry-loading-program-on-eagain.patch
@@ -0,0 +1,73 @@
+From 07c9af98a421f9662a0bebd735cd9e3fdc6e00a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jan 2019 13:58:00 +0000
+Subject: bpf: libbpf: retry loading program on EAGAIN
+
+From: Lorenz Bauer <lmb@cloudflare.com>
+
+[ Upstream commit 86edaed379632e216a97e6bcef9f498b64522d50 ]
+
+Commit c3494801cd17 ("bpf: check pending signals while
+verifying programs") makes it possible for the BPF_PROG_LOAD
+to fail with EAGAIN. Retry unconditionally in this case.
+
+Fixes: c3494801cd17 ("bpf: check pending signals while verifying programs")
+Signed-off-by: Lorenz Bauer <lmb@cloudflare.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/bpf.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/tools/lib/bpf/bpf.c b/tools/lib/bpf/bpf.c
+index dd0b68d1f4be0..482025b728399 100644
+--- a/tools/lib/bpf/bpf.c
++++ b/tools/lib/bpf/bpf.c
+@@ -75,6 +75,17 @@ static inline int sys_bpf(enum bpf_cmd cmd, union bpf_attr *attr,
+       return syscall(__NR_bpf, cmd, attr, size);
+ }
+ 
++static inline int sys_bpf_prog_load(union bpf_attr *attr, unsigned int size)
++{
++      int fd;
++
++      do {
++              fd = sys_bpf(BPF_PROG_LOAD, attr, size);
++      } while (fd < 0 && errno == EAGAIN);
++
++      return fd;
++}
++
+ int bpf_create_map_xattr(const struct bpf_create_map_attr *create_attr)
+ {
+       __u32 name_len = create_attr->name ? strlen(create_attr->name) : 0;
+@@ -218,7 +229,7 @@ int bpf_load_program_xattr(const struct bpf_load_program_attr *load_attr,
+       memcpy(attr.prog_name, load_attr->name,
+              min(name_len, BPF_OBJ_NAME_LEN - 1));
+ 
+-      fd = sys_bpf(BPF_PROG_LOAD, &attr, sizeof(attr));
++      fd = sys_bpf_prog_load(&attr, sizeof(attr));
+       if (fd >= 0 || !log_buf || !log_buf_sz)
+               return fd;
+ 
+@@ -227,7 +238,7 @@ int bpf_load_program_xattr(const struct bpf_load_program_attr *load_attr,
+       attr.log_size = log_buf_sz;
+       attr.log_level = 1;
+       log_buf[0] = 0;
+-      return sys_bpf(BPF_PROG_LOAD, &attr, sizeof(attr));
++      return sys_bpf_prog_load(&attr, sizeof(attr));
+ }
+ 
+ int bpf_load_program(enum bpf_prog_type type, const struct bpf_insn *insns,
+@@ -268,7 +279,7 @@ int bpf_verify_program(enum bpf_prog_type type, const struct bpf_insn *insns,
+       attr.kern_version = kern_version;
+       attr.prog_flags = strict_alignment ? BPF_F_STRICT_ALIGNMENT : 0;
+ 
+-      return sys_bpf(BPF_PROG_LOAD, &attr, sizeof(attr));
++      return sys_bpf_prog_load(&attr, sizeof(attr));
+ }
+ 
+ int bpf_map_update_elem(int fd, const void *key, const void *value,
+-- 
+2.20.1
+

diff --git a/queue-4.19/dm-zoned-fix-invalid-memory-access.patch b/queue-4.19/dm-zoned-fix-invalid-memory-access.patch
new file mode 100644 (file)
index 0000000..99965f8
--- /dev/null
+++ b/queue-4.19/dm-zoned-fix-invalid-memory-access.patch
@@ -0,0 +1,59 @@
+From 855a8b238d9681e7bcb291b4d25f557cfc922583 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2019 02:41:17 -0400
+Subject: dm zoned: fix invalid memory access
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+[ Upstream commit 0c8e9c2d668278652af028c3cc068c65f66342f4 ]
+
+Commit 75d66ffb48efb30f2dd42f041ba8b39c5b2bd115 ("dm zoned: properly
+handle backing device failure") triggers a coverity warning:
+
+*** CID 1452808:  Memory - illegal accesses  (USE_AFTER_FREE)
+/drivers/md/dm-zoned-target.c: 137 in dmz_submit_bio()
+131             clone->bi_private = bioctx;
+132
+133             bio_advance(bio, clone->bi_iter.bi_size);
+134
+135             refcount_inc(&bioctx->ref);
+136             generic_make_request(clone);
+>>>     CID 1452808:  Memory - illegal accesses  (USE_AFTER_FREE)
+>>>     Dereferencing freed pointer "clone".
+137             if (clone->bi_status == BLK_STS_IOERR)
+138                     return -EIO;
+139
+140             if (bio_op(bio) == REQ_OP_WRITE && dmz_is_seq(zone))
+141                     zone->wp_block += nr_blocks;
+142
+
+The "clone" bio may be processed and freed before the check
+"clone->bi_status == BLK_STS_IOERR" - so this check can access invalid
+memory.
+
+Fixes: 75d66ffb48efb3 ("dm zoned: properly handle backing device failure")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Reviewed-by: Damien Le Moal <damien.lemoal@wdc.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-zoned-target.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/md/dm-zoned-target.c b/drivers/md/dm-zoned-target.c
+index 1030c42add05f..3dd668f694051 100644
+--- a/drivers/md/dm-zoned-target.c
++++ b/drivers/md/dm-zoned-target.c
+@@ -133,8 +133,6 @@ static int dmz_submit_bio(struct dmz_target *dmz, struct dm_zone *zone,
+ 
+       atomic_inc(&bioctx->ref);
+       generic_make_request(clone);
+-      if (clone->bi_status == BLK_STS_IOERR)
+-              return -EIO;
+ 
+       if (bio_op(bio) == REQ_OP_WRITE && dmz_is_seq(zone))
+               zone->wp_block += nr_blocks;
+-- 
+2.20.1
+

diff --git a/queue-4.19/f2fs-check-all-the-data-segments-against-all-node-on.patch b/queue-4.19/f2fs-check-all-the-data-segments-against-all-node-on.patch
new file mode 100644 (file)
index 0000000..ab1b638
--- /dev/null
+++ b/queue-4.19/f2fs-check-all-the-data-segments-against-all-node-on.patch
@@ -0,0 +1,44 @@
+From eab35dccc9573cb1ebe159a314665523bacbebc0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Aug 2019 15:40:45 -0700
+Subject: f2fs: check all the data segments against all node ones
+
+From: Surbhi Palande <f2fsnewbie@gmail.com>
+
+[ Upstream commit 1166c1f2f69117ad254189ca781287afa6e550b6 ]
+
+As a part of the sanity checking while mounting, distinct segment number
+assignment to data and node segments is verified. Fixing a small bug in
+this verification between node and data segments. We need to check all
+the data segments with all the node segments.
+
+Fixes: 042be0f849e5f ("f2fs: fix to do sanity check with current segment number")
+Signed-off-by: Surbhi Palande <csurbhi@gmail.com>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/super.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
+index 1871031e2d5eb..e9ab4b39d4eef 100644
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -2413,11 +2413,11 @@ int f2fs_sanity_check_ckpt(struct f2fs_sb_info *sbi)
+               }
+       }
+       for (i = 0; i < NR_CURSEG_NODE_TYPE; i++) {
+-              for (j = i; j < NR_CURSEG_DATA_TYPE; j++) {
++              for (j = 0; j < NR_CURSEG_DATA_TYPE; j++) {
+                       if (le32_to_cpu(ckpt->cur_node_segno[i]) ==
+                               le32_to_cpu(ckpt->cur_data_segno[j])) {
+                               f2fs_msg(sbi->sb, KERN_ERR,
+-                                      "Data segment (%u) and Data segment (%u)"
++                                      "Node segment (%u) and Data segment (%u)"
+                                       " has the same segno: %u", i, j,
+                                       le32_to_cpu(ckpt->cur_node_segno[i]));
+                               return 1;
+-- 
+2.20.1
+

diff --git a/queue-4.19/initramfs-don-t-free-a-non-existent-initrd.patch b/queue-4.19/initramfs-don-t-free-a-non-existent-initrd.patch
new file mode 100644 (file)
index 0000000..3239b2f
--- /dev/null
+++ b/queue-4.19/initramfs-don-t-free-a-non-existent-initrd.patch
@@ -0,0 +1,50 @@
+From f8c745e6efd35677a3e43605f251922c9e7b92f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 May 2019 14:31:47 -0700
+Subject: initramfs: don't free a non-existent initrd
+
+From: Steven Price <steven.price@arm.com>
+
+[ Upstream commit 5d59aa8f9ce972b472201aed86e904bb75879ff0 ]
+
+Since commit 54c7a8916a88 ("initramfs: free initrd memory if opening
+/initrd.image fails"), the kernel has unconditionally attempted to free
+the initrd even if it doesn't exist.
+
+In the non-existent case this causes a boot-time splat if
+CONFIG_DEBUG_VIRTUAL is enabled due to a call to virt_to_phys() with a
+NULL address.
+
+Instead we should check that the initrd actually exists and only attempt
+to free it if it does.
+
+Link: http://lkml.kernel.org/r/20190516143125.48948-1-steven.price@arm.com
+Fixes: 54c7a8916a88 ("initramfs: free initrd memory if opening /initrd.image fails")
+Signed-off-by: Steven Price <steven.price@arm.com>
+Reported-by: Mark Rutland <mark.rutland@arm.com>
+Tested-by: Mark Rutland <mark.rutland@arm.com>
+Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ init/initramfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/init/initramfs.c b/init/initramfs.c
+index cd5fb00fcb549..dab8d63459f63 100644
+--- a/init/initramfs.c
++++ b/init/initramfs.c
+@@ -524,7 +524,7 @@ static void __init free_initrd(void)
+       unsigned long crashk_start = (unsigned long)__va(crashk_res.start);
+       unsigned long crashk_end   = (unsigned long)__va(crashk_res.end);
+ #endif
+-      if (do_retain_initrd)
++      if (do_retain_initrd || !initrd_start)
+               goto skip;
+ 
+ #ifdef CONFIG_KEXEC_CORE
+-- 
+2.20.1
+

diff --git a/queue-4.19/irqchip-gic-v3-its-fix-lpi-release-for-multi-msi-dev.patch b/queue-4.19/irqchip-gic-v3-its-fix-lpi-release-for-multi-msi-dev.patch
new file mode 100644 (file)
index 0000000..4aba75e
--- /dev/null
+++ b/queue-4.19/irqchip-gic-v3-its-fix-lpi-release-for-multi-msi-dev.patch
@@ -0,0 +1,54 @@
+From 80b9166a154fa8dd452be1e61f91ca68a67d87cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Sep 2019 14:56:47 +0100
+Subject: irqchip/gic-v3-its: Fix LPI release for Multi-MSI devices
+
+From: Marc Zyngier <maz@kernel.org>
+
+[ Upstream commit c9c96e30ecaa0aafa225aa1a5392cb7db17c7a82 ]
+
+When allocating a range of LPIs for a Multi-MSI capable device,
+this allocation extended to the closest power of 2.
+
+But on the release path, the interrupts are released one by
+one. This results in not releasing the "extra" range, leaking
+the its_device. Trying to reprobe the device will then fail.
+
+Fix it by releasing the LPIs the same way we allocate them.
+
+Fixes: 8208d1708b88 ("irqchip/gic-v3-its: Align PCI Multi-MSI allocation on their size")
+Reported-by: Jiaxing Luo <luojiaxing@huawei.com>
+Tested-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/f5e948aa-e32f-3f74-ae30-31fee06c2a74@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-gic-v3-its.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
+index 9ba73e11757d9..e7549a2b1482b 100644
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -2514,14 +2514,13 @@ static void its_irq_domain_free(struct irq_domain *domain, unsigned int virq,
+       struct its_node *its = its_dev->its;
+       int i;
+ 
++      bitmap_release_region(its_dev->event_map.lpi_map,
++                            its_get_event_id(irq_domain_get_irq_data(domain, virq)),
++                            get_count_order(nr_irqs));
++
+       for (i = 0; i < nr_irqs; i++) {
+               struct irq_data *data = irq_domain_get_irq_data(domain,
+                                                               virq + i);
+-              u32 event = its_get_event_id(data);
+-
+-              /* Mark interrupt index as unused */
+-              clear_bit(event, its_dev->event_map.lpi_map);
+-
+               /* Nuke the entry in the domain */
+               irq_domain_reset_irq_data(data);
+       }
+-- 
+2.20.1
+

diff --git a/queue-4.19/net-ibmvnic-fix-missing-in-__ibmvnic_reset.patch b/queue-4.19/net-ibmvnic-fix-missing-in-__ibmvnic_reset.patch
new file mode 100644 (file)
index 0000000..e661fe4
--- /dev/null
+++ b/queue-4.19/net-ibmvnic-fix-missing-in-__ibmvnic_reset.patch
@@ -0,0 +1,38 @@
+From 6f53e8e276f742b472bca78d01f319232ca6db2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2019 22:44:51 +0200
+Subject: net/ibmvnic: Fix missing { in __ibmvnic_reset
+
+From: Michal Suchanek <msuchanek@suse.de>
+
+[ Upstream commit c8dc55956b09b53ccffceb6e3146981210e27821 ]
+
+Commit 1c2977c09499 ("net/ibmvnic: free reset work of removed device from queue")
+adds a } without corresponding { causing build break.
+
+Fixes: 1c2977c09499 ("net/ibmvnic: free reset work of removed device from queue")
+Signed-off-by: Michal Suchanek <msuchanek@suse.de>
+Reviewed-by: Tyrel Datwyler <tyreld@linux.ibm.com>
+Reviewed-by: Juliet Kim <julietk@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
+index f232943c818bf..aa067a7a72d40 100644
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -1999,7 +1999,7 @@ static void __ibmvnic_reset(struct work_struct *work)
+       rwi = get_next_rwi(adapter);
+       while (rwi) {
+               if (adapter->state == VNIC_REMOVING ||
+-                  adapter->state == VNIC_REMOVED)
++                  adapter->state == VNIC_REMOVED) {
+                       kfree(rwi);
+                       rc = EBUSY;
+                       break;
+-- 
+2.20.1
+

diff --git a/queue-4.19/pci-hv-avoid-use-of-hv_pci_dev-pci_slot-after-freein.patch b/queue-4.19/pci-hv-avoid-use-of-hv_pci_dev-pci_slot-after-freein.patch
new file mode 100644 (file)
index 0000000..49c63f3
--- /dev/null
+++ b/queue-4.19/pci-hv-avoid-use-of-hv_pci_dev-pci_slot-after-freein.patch
@@ -0,0 +1,38 @@
+From d1c23ac53097885f9a083a0c8f3eac19f75d2ab0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Aug 2019 22:50:20 +0000
+Subject: PCI: hv: Avoid use of hv_pci_dev->pci_slot after freeing it
+
+From: Dexuan Cui <decui@microsoft.com>
+
+[ Upstream commit 533ca1feed98b0bf024779a14760694c7cb4d431 ]
+
+The slot must be removed before the pci_dev is removed, otherwise a panic
+can happen due to use-after-free.
+
+Fixes: 15becc2b56c6 ("PCI: hv: Add hv_pci_remove_slots() when we unload the driver")
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pci-hyperv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c
+index 5dadc964ad3b4..5c28498466415 100644
+--- a/drivers/pci/controller/pci-hyperv.c
++++ b/drivers/pci/controller/pci-hyperv.c
+@@ -2706,8 +2706,8 @@ static int hv_pci_remove(struct hv_device *hdev)
+               /* Remove the bus from PCI's point of view. */
+               pci_lock_rescan_remove();
+               pci_stop_root_bus(hbus->pci_bus);
+-              pci_remove_root_bus(hbus->pci_bus);
+               hv_pci_remove_slots(hbus);
++              pci_remove_root_bus(hbus->pci_bus);
+               pci_unlock_rescan_remove();
+               hbus->state = hv_pcibus_removed;
+       }
+-- 
+2.20.1
+

diff --git a/queue-4.19/revert-drm-amd-powerplay-enable-disable-nbpstate-on-.patch b/queue-4.19/revert-drm-amd-powerplay-enable-disable-nbpstate-on-.patch
new file mode 100644 (file)
index 0000000..d9b5da8
--- /dev/null
+++ b/queue-4.19/revert-drm-amd-powerplay-enable-disable-nbpstate-on-.patch
@@ -0,0 +1,56 @@
+From db39c2b20a28cc5d7c0eb5c03e7bd448386a4382 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Nov 2018 06:50:28 +0000
+Subject: Revert "drm/amd/powerplay: Enable/Disable NBPSTATE on On/OFF of UVD"
+
+From: Shirish S <shirish.s@amd.com>
+
+[ Upstream commit 00fedbe629bfc0a51c07b6e665265ce31d8b6f3c ]
+
+This reverts commit dbd8299c32f6f413f6cfe322fe0308f3cfc577e8.
+
+Reason for revert:
+This patch sends  msg PPSMC_MSG_DisableLowMemoryPstate(0x002e)
+in wrong of sequence to SMU which is before PPSMC_MSG_UVDPowerON (0x0008).
+This leads to SMU failing to service the request as it is
+dependent on UVD to be powered ON, since it accesses UVD
+registers.
+
+This msg should ideally be sent only when the UVD is about to decode
+a 4k video.
+
+Signed-off-by: Shirish S <shirish.s@amd.com>
+Signed-off-by: suresh guttula <suresh.guttula@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/powerplay/hwmgr/smu8_hwmgr.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/powerplay/hwmgr/smu8_hwmgr.c b/drivers/gpu/drm/amd/powerplay/hwmgr/smu8_hwmgr.c
+index c9a15baf2c10f..0adfc5392cd37 100644
+--- a/drivers/gpu/drm/amd/powerplay/hwmgr/smu8_hwmgr.c
++++ b/drivers/gpu/drm/amd/powerplay/hwmgr/smu8_hwmgr.c
+@@ -1222,17 +1222,14 @@ static int smu8_dpm_force_dpm_level(struct pp_hwmgr *hwmgr,
+ 
+ static int smu8_dpm_powerdown_uvd(struct pp_hwmgr *hwmgr)
+ {
+-      if (PP_CAP(PHM_PlatformCaps_UVDPowerGating)) {
+-              smu8_nbdpm_pstate_enable_disable(hwmgr, true, true);
++      if (PP_CAP(PHM_PlatformCaps_UVDPowerGating))
+               return smum_send_msg_to_smc(hwmgr, PPSMC_MSG_UVDPowerOFF);
+-      }
+       return 0;
+ }
+ 
+ static int smu8_dpm_powerup_uvd(struct pp_hwmgr *hwmgr)
+ {
+       if (PP_CAP(PHM_PlatformCaps_UVDPowerGating)) {
+-              smu8_nbdpm_pstate_enable_disable(hwmgr, false, true);
+               return smum_send_msg_to_smc_with_parameter(
+                       hwmgr,
+                       PPSMC_MSG_UVDPowerON,
+-- 
+2.20.1
+

diff --git a/queue-4.19/revert-f2fs-avoid-out-of-range-memory-access.patch b/queue-4.19/revert-f2fs-avoid-out-of-range-memory-access.patch
new file mode 100644 (file)
index 0000000..ebd915a
--- /dev/null
+++ b/queue-4.19/revert-f2fs-avoid-out-of-range-memory-access.patch
@@ -0,0 +1,61 @@
+From 3386db42d138ce954d427d337c58483e3a8f385c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Aug 2019 18:15:48 +0800
+Subject: Revert "f2fs: avoid out-of-range memory access"
+
+From: Chao Yu <yuchao0@huawei.com>
+
+[ Upstream commit a37d0862d17411edb67677a580a6f505ec2225f6 ]
+
+As Pavel Machek reported:
+
+"We normally use -EUCLEAN to signal filesystem corruption. Plus, it is
+good idea to report it to the syslog and mark filesystem as "needing
+fsck" if filesystem can do that."
+
+Still we need improve the original patch with:
+- use unlikely keyword
+- add message print
+- return EUCLEAN
+
+However, after rethink this patch, I don't think we should add such
+condition check here as below reasons:
+- We have already checked the field in f2fs_sanity_check_ckpt(),
+- If there is fs corrupt or security vulnerability, there is nothing
+to guarantee the field is integrated after the check, unless we do
+the check before each of its use, however no filesystem does that.
+- We only have similar check for bitmap, which was added due to there
+is bitmap corruption happened on f2fs' runtime in product.
+- There are so many key fields in SB/CP/NAT did have such check
+after f2fs_sanity_check_{sb,cp,..}.
+
+So I propose to revert this unneeded check.
+
+This reverts commit 56f3ce675103e3fb9e631cfb4131fc768bc23e9a.
+
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/segment.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
+index 92f72bb5aff43..8fc3edb6760c2 100644
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -3261,11 +3261,6 @@ static int read_compacted_summaries(struct f2fs_sb_info *sbi)
+               seg_i = CURSEG_I(sbi, i);
+               segno = le32_to_cpu(ckpt->cur_data_segno[i]);
+               blk_off = le16_to_cpu(ckpt->cur_data_blkoff[i]);
+-              if (blk_off > ENTRIES_IN_SUM) {
+-                      f2fs_bug_on(sbi, 1);
+-                      f2fs_put_page(page, 1);
+-                      return -EFAULT;
+-              }
+               seg_i->next_segno = segno;
+               reset_curseg(sbi, i, 0);
+               seg_i->alloc_type = ckpt->alloc_type[i];
+-- 
+2.20.1
+

diff --git a/queue-4.19/scsi-qla2xxx-remove-all-rports-if-fabric-scan-retry-.patch b/queue-4.19/scsi-qla2xxx-remove-all-rports-if-fabric-scan-retry-.patch
new file mode 100644 (file)
index 0000000..f4bd9e8
--- /dev/null
+++ b/queue-4.19/scsi-qla2xxx-remove-all-rports-if-fabric-scan-retry-.patch
@@ -0,0 +1,212 @@
+From f2677c2390d82a1aca124130328c715e5d2c60bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 Aug 2018 11:24:35 -0700
+Subject: scsi: qla2xxx: Remove all rports if fabric scan retry fails
+
+From: Quinn Tran <quinn.tran@cavium.com>
+
+[ Upstream commit 9ba1cb25c151de306d64647e545d34af64f30c19 ]
+
+When all fabric scan retries fail, remove all RPorts, DMA resources for the
+command. Otherwise we have stale Rports.
+
+Signed-off-by: Quinn Tran <quinn.tran@cavium.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_gs.c | 128 +++++++++++++++++-----------------
+ 1 file changed, 64 insertions(+), 64 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_gs.c b/drivers/scsi/qla2xxx/qla_gs.c
+index 98d936f18b65e..34ff4bbc8de10 100644
+--- a/drivers/scsi/qla2xxx/qla_gs.c
++++ b/drivers/scsi/qla2xxx/qla_gs.c
+@@ -4045,6 +4045,41 @@ void qla24xx_async_gnnft_done(scsi_qla_host_t *vha, srb_t *sp)
+       }
+ }
+ 
++static int qla2x00_post_gnnft_gpnft_done_work(struct scsi_qla_host *vha,
++    srb_t *sp, int cmd)
++{
++      struct qla_work_evt *e;
++
++      if (cmd != QLA_EVT_GPNFT_DONE && cmd != QLA_EVT_GNNFT_DONE)
++              return QLA_PARAMETER_ERROR;
++
++      e = qla2x00_alloc_work(vha, cmd);
++      if (!e)
++              return QLA_FUNCTION_FAILED;
++
++      e->u.iosb.sp = sp;
++
++      return qla2x00_post_work(vha, e);
++}
++
++static int qla2x00_post_nvme_gpnft_done_work(struct scsi_qla_host *vha,
++    srb_t *sp, int cmd)
++{
++      struct qla_work_evt *e;
++
++      if (cmd != QLA_EVT_GPNFT)
++              return QLA_PARAMETER_ERROR;
++
++      e = qla2x00_alloc_work(vha, cmd);
++      if (!e)
++              return QLA_FUNCTION_FAILED;
++
++      e->u.gpnft.fc4_type = FC4_TYPE_NVME;
++      e->u.gpnft.sp = sp;
++
++      return qla2x00_post_work(vha, e);
++}
++
+ static void qla2x00_find_free_fcp_nvme_slot(struct scsi_qla_host *vha,
+       struct srb *sp)
+ {
+@@ -4145,22 +4180,36 @@ static void qla2x00_async_gpnft_gnnft_sp_done(void *s, int res)
+ {
+       struct srb *sp = s;
+       struct scsi_qla_host *vha = sp->vha;
+-      struct qla_work_evt *e;
+       struct ct_sns_req *ct_req =
+               (struct ct_sns_req *)sp->u.iocb_cmd.u.ctarg.req;
+       u16 cmd = be16_to_cpu(ct_req->command);
+       u8 fc4_type = sp->gen2;
+       unsigned long flags;
++      int rc;
+ 
+       /* gen2 field is holding the fc4type */
+       ql_dbg(ql_dbg_disc, vha, 0xffff,
+           "Async done-%s res %x FC4Type %x\n",
+           sp->name, res, sp->gen2);
+ 
++      sp->rc = res;
+       if (res) {
+               unsigned long flags;
++              const char *name = sp->name;
++
++              /*
++               * We are in an Interrupt context, queue up this
++               * sp for GNNFT_DONE work. This will allow all
++               * the resource to get freed up.
++               */
++              rc = qla2x00_post_gnnft_gpnft_done_work(vha, sp,
++                  QLA_EVT_GNNFT_DONE);
++              if (rc) {
++                      /* Cleanup here to prevent memory leak */
++                      qla24xx_sp_unmap(vha, sp);
++                      sp->free(sp);
++              }
+ 
+-              sp->free(sp);
+               spin_lock_irqsave(&vha->work_lock, flags);
+               vha->scan.scan_flags &= ~SF_SCANNING;
+               vha->scan.scan_retry++;
+@@ -4171,9 +4220,9 @@ static void qla2x00_async_gpnft_gnnft_sp_done(void *s, int res)
+                       set_bit(LOOP_RESYNC_NEEDED, &vha->dpc_flags);
+                       qla2xxx_wake_dpc(vha);
+               } else {
+-                      ql_dbg(ql_dbg_disc, sp->vha, 0xffff,
+-                          "Async done-%s rescan failed on all retries\n",
+-                          sp->name);
++                      ql_dbg(ql_dbg_disc, vha, 0xffff,
++                          "Async done-%s rescan failed on all retries.\n",
++                          name);
+               }
+               return;
+       }
+@@ -4188,80 +4237,31 @@ static void qla2x00_async_gpnft_gnnft_sp_done(void *s, int res)
+               vha->scan.scan_flags &= ~SF_SCANNING;
+               spin_unlock_irqrestore(&vha->work_lock, flags);
+ 
+-              e = qla2x00_alloc_work(vha, QLA_EVT_GPNFT);
+-              if (!e) {
+-                      /*
+-                       * please ignore kernel warning. Otherwise,
+-                       * we have mem leak.
+-                       */
+-                      if (sp->u.iocb_cmd.u.ctarg.req) {
+-                              dma_free_coherent(&vha->hw->pdev->dev,
+-                                  sp->u.iocb_cmd.u.ctarg.req_allocated_size,
+-                                  sp->u.iocb_cmd.u.ctarg.req,
+-                                  sp->u.iocb_cmd.u.ctarg.req_dma);
+-                              sp->u.iocb_cmd.u.ctarg.req = NULL;
+-                      }
+-                      if (sp->u.iocb_cmd.u.ctarg.rsp) {
+-                              dma_free_coherent(&vha->hw->pdev->dev,
+-                                  sp->u.iocb_cmd.u.ctarg.rsp_allocated_size,
+-                                  sp->u.iocb_cmd.u.ctarg.rsp,
+-                                  sp->u.iocb_cmd.u.ctarg.rsp_dma);
+-                              sp->u.iocb_cmd.u.ctarg.rsp = NULL;
+-                      }
+-
+-                      ql_dbg(ql_dbg_disc, vha, 0xffff,
+-                          "Async done-%s unable to alloc work element\n",
+-                          sp->name);
+-                      sp->free(sp);
++              sp->rc = res;
++              rc = qla2x00_post_nvme_gpnft_done_work(vha, sp, QLA_EVT_GPNFT);
++              if (!rc) {
++                      qla24xx_sp_unmap(vha, sp);
+                       set_bit(LOCAL_LOOP_UPDATE, &vha->dpc_flags);
+                       set_bit(LOOP_RESYNC_NEEDED, &vha->dpc_flags);
+                       return;
+               }
+-              e->u.gpnft.fc4_type = FC4_TYPE_NVME;
+-              sp->rc = res;
+-              e->u.gpnft.sp = sp;
+-
+-              qla2x00_post_work(vha, e);
+-              return;
+       }
+ 
+       if (cmd == GPN_FT_CMD) {
+               del_timer(&sp->u.iocb_cmd.timer);
+-              e = qla2x00_alloc_work(vha, QLA_EVT_GPNFT_DONE);
++              rc = qla2x00_post_gnnft_gpnft_done_work(vha, sp,
++                  QLA_EVT_GPNFT_DONE);
+       } else {
+-              e = qla2x00_alloc_work(vha, QLA_EVT_GNNFT_DONE);
++              rc = qla2x00_post_gnnft_gpnft_done_work(vha, sp,
++                  QLA_EVT_GNNFT_DONE);
+       }
+ 
+-      if (!e) {
+-              /* please ignore kernel warning. Otherwise, we have mem leak. */
+-              if (sp->u.iocb_cmd.u.ctarg.req) {
+-                      dma_free_coherent(&vha->hw->pdev->dev,
+-                          sp->u.iocb_cmd.u.ctarg.req_allocated_size,
+-                          sp->u.iocb_cmd.u.ctarg.req,
+-                          sp->u.iocb_cmd.u.ctarg.req_dma);
+-                      sp->u.iocb_cmd.u.ctarg.req = NULL;
+-              }
+-              if (sp->u.iocb_cmd.u.ctarg.rsp) {
+-                      dma_free_coherent(&vha->hw->pdev->dev,
+-                          sp->u.iocb_cmd.u.ctarg.rsp_allocated_size,
+-                          sp->u.iocb_cmd.u.ctarg.rsp,
+-                          sp->u.iocb_cmd.u.ctarg.rsp_dma);
+-                      sp->u.iocb_cmd.u.ctarg.rsp = NULL;
+-              }
+-
+-              ql_dbg(ql_dbg_disc, vha, 0xffff,
+-                  "Async done-%s unable to alloc work element\n",
+-                  sp->name);
+-              sp->free(sp);
++      if (rc) {
++              qla24xx_sp_unmap(vha, sp);
+               set_bit(LOCAL_LOOP_UPDATE, &vha->dpc_flags);
+               set_bit(LOOP_RESYNC_NEEDED, &vha->dpc_flags);
+               return;
+       }
+-
+-      sp->rc = res;
+-      e->u.iosb.sp = sp;
+-
+-      qla2x00_post_work(vha, e);
+ }
+ 
+ /*
+-- 
+2.20.1
+

diff --git a/queue-4.19/scsi-qla2xxx-return-switch-command-on-a-timeout.patch b/queue-4.19/scsi-qla2xxx-return-switch-command-on-a-timeout.patch
new file mode 100644 (file)
index 0000000..9525c40
--- /dev/null
+++ b/queue-4.19/scsi-qla2xxx-return-switch-command-on-a-timeout.patch
@@ -0,0 +1,68 @@
+From a1823cc022bf7ae9dc01083c0036909ae870b51e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Sep 2018 11:02:38 -0700
+Subject: scsi: qla2xxx: Return switch command on a timeout
+
+From: Himanshu Madhani <himanshu.madhani@cavium.com>
+
+[ Upstream commit ef801f07e7b3cc1786d8ab1b4fdf069cc2a136d2 ]
+
+This patch fixes commit bcc71cc3cde1 ("scsi: qla2xxx: Fix for double
+free of SRB structure") which placed code in wrong routines.
+
+Also updated the use of WARN_ON() to WARN_ON_ONCE() to prevent
+flooding log messages.
+
+Fixes: bcc71cc3cde1 ("scsi: qla2xxx: Fix for double free of SRB structure")
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_init.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
+index 39a8f4a671aaa..7c1f36b69bdc3 100644
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -54,7 +54,7 @@ qla2x00_sp_timeout(struct timer_list *t)
+       unsigned long flags;
+       struct qla_hw_data *ha = sp->vha->hw;
+ 
+-      WARN_ON(irqs_disabled());
++      WARN_ON_ONCE(irqs_disabled());
+       spin_lock_irqsave(&ha->hardware_lock, flags);
+       req = sp->qpair->req;
+       req->outstanding_cmds[sp->handle] = NULL;
+@@ -796,6 +796,9 @@ qla24xx_async_gnl_sp_done(void *s, int res)
+           sp->name, res, sp->u.iocb_cmd.u.mbx.in_mb[1],
+           sp->u.iocb_cmd.u.mbx.in_mb[2]);
+ 
++      if (res == QLA_FUNCTION_TIMEOUT)
++              return;
++
+       memset(&ea, 0, sizeof(ea));
+       ea.sp = sp;
+       ea.rc = res;
+@@ -979,17 +982,13 @@ void qla24xx_async_gpdb_sp_done(void *s, int res)
+           "Async done-%s res %x, WWPN %8phC mb[1]=%x mb[2]=%x \n",
+           sp->name, res, fcport->port_name, mb[1], mb[2]);
+ 
+-      fcport->flags &= ~(FCF_ASYNC_SENT | FCF_ASYNC_ACTIVE);
+-
+-      if (res == QLA_FUNCTION_TIMEOUT)
+-              return;
+-
+       if (res == QLA_FUNCTION_TIMEOUT) {
+               dma_pool_free(sp->vha->hw->s_dma_pool, sp->u.iocb_cmd.u.mbx.in,
+                       sp->u.iocb_cmd.u.mbx.in_dma);
+               return;
+       }
+ 
++      fcport->flags &= ~(FCF_ASYNC_SENT | FCF_ASYNC_ACTIVE);
+       memset(&ea, 0, sizeof(ea));
+       ea.event = FCME_GPDB_DONE;
+       ea.fcport = fcport;
+-- 
+2.20.1
+

diff --git a/queue-4.19/scsi-qla2xxx-turn-off-iocb-timeout-timer-on-iocb-com.patch b/queue-4.19/scsi-qla2xxx-turn-off-iocb-timeout-timer-on-iocb-com.patch
new file mode 100644 (file)
index 0000000..adbb841
--- /dev/null
+++ b/queue-4.19/scsi-qla2xxx-turn-off-iocb-timeout-timer-on-iocb-com.patch
@@ -0,0 +1,51 @@
+From 8cbb32f0b60670958b1728263a685834983e6bda Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 Aug 2018 11:24:33 -0700
+Subject: scsi: qla2xxx: Turn off IOCB timeout timer on IOCB completion
+
+From: Quinn Tran <quinn.tran@cavium.com>
+
+[ Upstream commit e112761a4f1dcbe9fb9f43f46de7be69d6963b0d ]
+
+Turn off IOCB timeout timer on IOCB completion instead of turning it off in a
+deferred task.  This prevent false alarm if the deferred task is stalled out.
+
+Signed-off-by: Quinn Tran <quinn.tran@cavium.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_gs.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_gs.c b/drivers/scsi/qla2xxx/qla_gs.c
+index fc08e46a93ca9..98d936f18b65e 100644
+--- a/drivers/scsi/qla2xxx/qla_gs.c
++++ b/drivers/scsi/qla2xxx/qla_gs.c
+@@ -4225,10 +4225,13 @@ static void qla2x00_async_gpnft_gnnft_sp_done(void *s, int res)
+               return;
+       }
+ 
+-      if (cmd == GPN_FT_CMD)
++      if (cmd == GPN_FT_CMD) {
++              del_timer(&sp->u.iocb_cmd.timer);
+               e = qla2x00_alloc_work(vha, QLA_EVT_GPNFT_DONE);
+-      else
++      } else {
+               e = qla2x00_alloc_work(vha, QLA_EVT_GNNFT_DONE);
++      }
++
+       if (!e) {
+               /* please ignore kernel warning. Otherwise, we have mem leak. */
+               if (sp->u.iocb_cmd.u.ctarg.req) {
+@@ -4357,7 +4360,6 @@ void qla24xx_async_gpnft_done(scsi_qla_host_t *vha, srb_t *sp)
+ {
+       ql_dbg(ql_dbg_disc, vha, 0xffff,
+           "%s enter\n", __func__);
+-      del_timer(&sp->u.iocb_cmd.timer);
+       qla24xx_async_gnnft(vha, sp, sp->gen2);
+ }
+ 
+-- 
+2.20.1
+

diff --git a/queue-4.19/series b/queue-4.19/series
index 428c031d332d93f592644bc08ae9f8df2e78ed32..1a513d9c449922abc11b8e3498d40cef0de4939c 100644 (file)
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -35,3 +35,18 @@ pinctrl-sprd-use-define-directive-for-sprd_pinconf_p.patch
 power-supply-sysfs-ratelimit-property-read-error-mes.patch
 locking-lockdep-add-debug_locks-check-in-__lock_down.patch
 locking-lockdep-add-debug_locks-check-in-__lock_down.patch-13969
+scsi-qla2xxx-turn-off-iocb-timeout-timer-on-iocb-com.patch
+scsi-qla2xxx-remove-all-rports-if-fabric-scan-retry-.patch
+scsi-qla2xxx-return-switch-command-on-a-timeout.patch
+revert-drm-amd-powerplay-enable-disable-nbpstate-on-.patch
+bpf-libbpf-retry-loading-program-on-eagain.patch
+irqchip-gic-v3-its-fix-lpi-release-for-multi-msi-dev.patch
+f2fs-check-all-the-data-segments-against-all-node-on.patch
+pci-hv-avoid-use-of-hv_pci_dev-pci_slot-after-freein.patch
+bcache-remove-redundant-list_head-journal-from-run_c.patch
+initramfs-don-t-free-a-non-existent-initrd.patch
+blk-mq-change-gfp-flags-to-gfp_noio-in-blk_mq_reallo.patch
+blk-mq-move-cancel-of-requeue_work-to-the-front-of-b.patch
+revert-f2fs-avoid-out-of-range-memory-access.patch
+dm-zoned-fix-invalid-memory-access.patch
+net-ibmvnic-fix-missing-in-__ibmvnic_reset.patch