--- /dev/null
+From 5a68a5f030e285e954e6896fc0a72ac24941cfd7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Sep 2019 12:44:17 +0800
+Subject: arm64: armv8_deprecated: Checking return value for memory allocation
+
+From: Yunfeng Ye <yeyunfeng@huawei.com>
+
+[ Upstream commit 3e7c93bd04edfb0cae7dad1215544c9350254b8f ]
+
+There are no return value checking when using kzalloc() and kcalloc() for
+memory allocation. so add it.
+
+Signed-off-by: Yunfeng Ye <yeyunfeng@huawei.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/armv8_deprecated.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/arm64/kernel/armv8_deprecated.c b/arch/arm64/kernel/armv8_deprecated.c
+index 2ec09debc2bb1..ca158be21f833 100644
+--- a/arch/arm64/kernel/armv8_deprecated.c
++++ b/arch/arm64/kernel/armv8_deprecated.c
+@@ -174,6 +174,9 @@ static void __init register_insn_emulation(struct insn_emulation_ops *ops)
+ struct insn_emulation *insn;
+
+ insn = kzalloc(sizeof(*insn), GFP_KERNEL);
++ if (!insn)
++ return;
++
+ insn->ops = ops;
+ insn->min = INSN_UNDEF;
+
+@@ -233,6 +236,8 @@ static void __init register_insn_emulation_sysctl(void)
+
+ insns_sysctl = kcalloc(nr_insn_emulated + 1, sizeof(*sysctl),
+ GFP_KERNEL);
++ if (!insns_sysctl)
++ return;
+
+ raw_spin_lock_irqsave(&insn_emulation_lock, flags);
+ list_for_each_entry(insn, &insn_emulation, node) {
+--
+2.20.1
+
--- /dev/null
+From ee66c2f1dce5796914d03764f2b61d63ffe3c586 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Oct 2019 12:12:08 +0100
+Subject: arm64: cpufeature: Effectively expose FRINT capability to userspace
+
+From: Julien Grall <julien.grall@arm.com>
+
+[ Upstream commit 7230f7e99fecc684180322b056fad3853d1029d3 ]
+
+The HWCAP framework will detect a new capability based on the sanitized
+version of the ID registers.
+
+Sanitization is based on a whitelist, so any field not described will end
+up to be zeroed.
+
+At the moment, ID_AA64ISAR1_EL1.FRINTTS is not described in
+ftr_id_aa64isar1. This means the field will be zeroed and therefore the
+userspace will not be able to see the HWCAP even if the hardware
+supports the feature.
+
+This can be fixed by describing the field in ftr_id_aa64isar1.
+
+Fixes: ca9503fc9e98 ("arm64: Expose FRINT capabilities to userspace")
+Signed-off-by: Julien Grall <julien.grall@arm.com>
+Cc: mark.brown@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/cpufeature.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
+index 9323bcc40a58a..cabebf1a79768 100644
+--- a/arch/arm64/kernel/cpufeature.c
++++ b/arch/arm64/kernel/cpufeature.c
+@@ -136,6 +136,7 @@ static const struct arm64_ftr_bits ftr_id_aa64isar0[] = {
+
+ static const struct arm64_ftr_bits ftr_id_aa64isar1[] = {
+ ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ISAR1_SB_SHIFT, 4, 0),
++ ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ISAR1_FRINTTS_SHIFT, 4, 0),
+ ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_PTR_AUTH),
+ FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ISAR1_GPI_SHIFT, 4, 0),
+ ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_PTR_AUTH),
+--
+2.20.1
+
--- /dev/null
+From 2b418f3c3228828812fbf4096fd3bb294c88ab56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Oct 2019 14:08:13 +0100
+Subject: arm64: Default to building compat vDSO with clang when
+ CONFIG_CC_IS_CLANG
+
+From: Will Deacon <will@kernel.org>
+
+[ Upstream commit 24ee01a927bfe56c66429ec4b1df6955a814adc8 ]
+
+Rather than force the use of GCC for the compat cross-compiler, instead
+extract the target from CROSS_COMPILE_COMPAT and pass it to clang if the
+main compiler is clang.
+
+Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/Makefile | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
+index 9743b50bdee7d..5858d6e449268 100644
+--- a/arch/arm64/Makefile
++++ b/arch/arm64/Makefile
+@@ -47,7 +47,11 @@ $(warning Detected assembler with broken .inst; disassembly will be unreliable)
+ endif
+ endif
+
++ifeq ($(CONFIG_CC_IS_CLANG), y)
++COMPATCC ?= $(CC) --target=$(notdir $(CROSS_COMPILE_COMPAT:%-=%))
++else
+ COMPATCC ?= $(CROSS_COMPILE_COMPAT)gcc
++endif
+ export COMPATCC
+
+ ifeq ($(CONFIG_GENERIC_COMPAT_VDSO), y)
+--
+2.20.1
+
--- /dev/null
+From c43eb2c6e5699fc3ec60f6390be797754c87f8d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Oct 2019 18:01:27 +0100
+Subject: arm64: Fix incorrect irqflag restore for priority masking for compat
+
+From: James Morse <james.morse@arm.com>
+
+[ Upstream commit f46f27a576cc3b1e3d45ea50bc06287aa46b04b2 ]
+
+Commit bd82d4bd2188 ("arm64: Fix incorrect irqflag restore for priority
+masking") added a macro to the entry.S call paths that leave the
+PSTATE.I bit set. This tells the pPNMI masking logic that interrupts
+are masked by the CPU, not by the PMR. This value is read back by
+local_daif_save().
+
+Commit bd82d4bd2188 added this call to el0_svc, as el0_svc_handler
+is called with interrupts masked. el0_svc_compat was missed, but should
+be covered in the same way as both of these paths end up in
+el0_svc_common(), which expects to unmask interrupts.
+
+Fixes: bd82d4bd2188 ("arm64: Fix incorrect irqflag restore for priority masking")
+Signed-off-by: James Morse <james.morse@arm.com>
+Cc: Julien Thierry <julien.thierry.kdev@gmail.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/entry.S | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
+index 109894bd31948..239f6841a7412 100644
+--- a/arch/arm64/kernel/entry.S
++++ b/arch/arm64/kernel/entry.S
+@@ -775,6 +775,7 @@ el0_sync_compat:
+ b.ge el0_dbg
+ b el0_inv
+ el0_svc_compat:
++ gic_prio_kentry_setup tmp=x1
+ mov x0, sp
+ bl el0_svc_compat_handler
+ b ret_to_user
+--
+2.20.1
+
--- /dev/null
+From 1137a62cd86a5bb0bc16d17578addc92b60ca6bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Oct 2019 10:49:35 +0100
+Subject: arm64: ftrace: Ensure synchronisation in PLT setup for Neoverse-N1
+ #1542419
+
+From: James Morse <james.morse@arm.com>
+
+[ Upstream commit dd8a1f13488438c6c220b7cafa500baaf21a6e53 ]
+
+CPUs affected by Neoverse-N1 #1542419 may execute a stale instruction if
+it was recently modified. The affected sequence requires freshly written
+instructions to be executable before a branch to them is updated.
+
+There are very few places in the kernel that modify executable text,
+all but one come with sufficient synchronisation:
+ * The module loader's flush_module_icache() calls flush_icache_range(),
+ which does a kick_all_cpus_sync()
+ * bpf_int_jit_compile() calls flush_icache_range().
+ * Kprobes calls aarch64_insn_patch_text(), which does its work in
+ stop_machine().
+ * static keys and ftrace both patch between nops and branches to
+ existing kernel code (not generated code).
+
+The affected sequence is the interaction between ftrace and modules.
+The module PLT is cleaned using __flush_icache_range() as the trampoline
+shouldn't be executable until we update the branch to it.
+
+Drop the double-underscore so that this path runs kick_all_cpus_sync()
+too.
+
+Signed-off-by: James Morse <james.morse@arm.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/ftrace.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/kernel/ftrace.c b/arch/arm64/kernel/ftrace.c
+index 1717732579742..06e56b4703153 100644
+--- a/arch/arm64/kernel/ftrace.c
++++ b/arch/arm64/kernel/ftrace.c
+@@ -121,10 +121,16 @@ int ftrace_make_call(struct dyn_ftrace *rec, unsigned long addr)
+
+ /*
+ * Ensure updated trampoline is visible to instruction
+- * fetch before we patch in the branch.
++ * fetch before we patch in the branch. Although the
++ * architecture doesn't require an IPI in this case,
++ * Neoverse-N1 erratum #1542419 does require one
++ * if the TLB maintenance in module_enable_ro() is
++ * skipped due to rodata_enabled. It doesn't seem worth
++ * it to make it conditional given that this is
++ * certainly not a fast-path.
+ */
+- __flush_icache_range((unsigned long)&dst[0],
+- (unsigned long)&dst[1]);
++ flush_icache_range((unsigned long)&dst[0],
++ (unsigned long)&dst[1]);
+ }
+ addr = (unsigned long)dst;
+ #else /* CONFIG_ARM64_MODULE_PLTS */
+--
+2.20.1
+
--- /dev/null
+From e4fc12c4e5d5e763c4a93a285dc926d1944f1562 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Oct 2019 18:48:34 +0100
+Subject: arm64: vdso32: Detect binutils support for dmb ishld
+
+From: Vincenzo Frascino <vincenzo.frascino@arm.com>
+
+[ Upstream commit 0df2c90eba60791148cee1823c0bf5fc66e3465c ]
+
+Older versions of binutils (prior to 2.24) do not support the "ISHLD"
+option for memory barrier instructions, which leads to a build failure
+when assembling the vdso32 library.
+
+Add a compilation time mechanism that detects if binutils supports those
+instructions and configure the kernel accordingly.
+
+Cc: Will Deacon <will@kernel.org>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Reported-by: Will Deacon <will@kernel.org>
+Signed-off-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Tested-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/vdso/compat_barrier.h | 2 +-
+ arch/arm64/kernel/vdso32/Makefile | 9 +++++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/include/asm/vdso/compat_barrier.h b/arch/arm64/include/asm/vdso/compat_barrier.h
+index fb60a88b5ed41..3fd8fd6d8fc25 100644
+--- a/arch/arm64/include/asm/vdso/compat_barrier.h
++++ b/arch/arm64/include/asm/vdso/compat_barrier.h
+@@ -20,7 +20,7 @@
+
+ #define dmb(option) __asm__ __volatile__ ("dmb " #option : : : "memory")
+
+-#if __LINUX_ARM_ARCH__ >= 8
++#if __LINUX_ARM_ARCH__ >= 8 && defined(CONFIG_AS_DMB_ISHLD)
+ #define aarch32_smp_mb() dmb(ish)
+ #define aarch32_smp_rmb() dmb(ishld)
+ #define aarch32_smp_wmb() dmb(ishst)
+diff --git a/arch/arm64/kernel/vdso32/Makefile b/arch/arm64/kernel/vdso32/Makefile
+index 19e0d3115ffe0..77aa613403747 100644
+--- a/arch/arm64/kernel/vdso32/Makefile
++++ b/arch/arm64/kernel/vdso32/Makefile
+@@ -15,6 +15,8 @@ cc32-disable-warning = $(call try-run,\
+ $(COMPATCC) -W$(strip $(1)) -c -x c /dev/null -o "$$TMP",-Wno-$(strip $(1)))
+ cc32-ldoption = $(call try-run,\
+ $(COMPATCC) $(1) -nostdlib -x c /dev/null -o "$$TMP",$(1),$(2))
++cc32-as-instr = $(call try-run,\
++ printf "%b\n" "$(1)" | $(COMPATCC) $(VDSO_AFLAGS) -c -x assembler -o "$$TMP" -,$(2),$(3))
+
+ # We cannot use the global flags to compile the vDSO files, the main reason
+ # being that the 32-bit compiler may be older than the main (64-bit) compiler
+@@ -53,6 +55,7 @@ endif
+ VDSO_CAFLAGS += -fPIC -fno-builtin -fno-stack-protector
+ VDSO_CAFLAGS += -DDISABLE_BRANCH_PROFILING
+
++
+ # Try to compile for ARMv8. If the compiler is too old and doesn't support it,
+ # fall back to v7. There is no easy way to check for what architecture the code
+ # is being compiled, so define a macro specifying that (see arch/arm/Makefile).
+@@ -89,6 +92,12 @@ VDSO_CFLAGS += -Wno-int-to-pointer-cast
+ VDSO_AFLAGS := $(VDSO_CAFLAGS)
+ VDSO_AFLAGS += -D__ASSEMBLY__
+
++# Check for binutils support for dmb ishld
++dmbinstr := $(call cc32-as-instr,dmb ishld,-DCONFIG_AS_DMB_ISHLD=1)
++
++VDSO_CFLAGS += $(dmbinstr)
++VDSO_AFLAGS += $(dmbinstr)
++
+ VDSO_LDFLAGS := $(VDSO_CPPFLAGS)
+ # From arm vDSO Makefile
+ VDSO_LDFLAGS += -Wl,-Bsymbolic -Wl,--no-undefined -Wl,-soname=linux-vdso.so.1
+--
+2.20.1
+
--- /dev/null
+From d22a08926e65d8d4878cc2cefda12621440aa6a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Oct 2019 15:44:45 +0100
+Subject: arm64: vdso32: Don't use KBUILD_CPPFLAGS unconditionally
+
+From: Will Deacon <will@kernel.org>
+
+[ Upstream commit c71e88c437962c1ec43d4d23a0ebf4c9cf9bee0d ]
+
+KBUILD_CPPFLAGS is defined differently depending on whether the main
+compiler is clang or not. This means that it is not possible to build
+the compat vDSO with GCC if the rest of the kernel is built with clang.
+
+Define VDSO_CPPFLAGS directly to break this dependency and allow a clang
+kernel to build a compat vDSO with GCC:
+
+ $ make ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- \
+ CROSS_COMPILE_COMPAT=arm-linux-gnueabihf- CC=clang \
+ COMPATCC=arm-linux-gnueabihf-gcc
+
+Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/vdso32/Makefile | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm64/kernel/vdso32/Makefile b/arch/arm64/kernel/vdso32/Makefile
+index 77aa613403747..aa171b043287b 100644
+--- a/arch/arm64/kernel/vdso32/Makefile
++++ b/arch/arm64/kernel/vdso32/Makefile
+@@ -25,11 +25,9 @@ cc32-as-instr = $(call try-run,\
+ # arm64 one.
+ # As a result we set our own flags here.
+
+-# From top-level Makefile
+-# NOSTDINC_FLAGS
+-VDSO_CPPFLAGS := -nostdinc -isystem $(shell $(COMPATCC) -print-file-name=include)
++# KBUILD_CPPFLAGS and NOSTDINC_FLAGS from top-level Makefile
++VDSO_CPPFLAGS := -D__KERNEL__ -nostdinc -isystem $(shell $(COMPATCC) -print-file-name=include)
+ VDSO_CPPFLAGS += $(LINUXINCLUDE)
+-VDSO_CPPFLAGS += $(KBUILD_CPPFLAGS)
+
+ # Common C and assembly flags
+ # From top-level Makefile
+--
+2.20.1
+
--- /dev/null
+From c3a5502bee58f4af5dd690f7925c83cfe0f08690 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Oct 2019 18:48:33 +0100
+Subject: arm64: vdso32: Fix broken compat vDSO build warnings
+
+From: Vincenzo Frascino <vincenzo.frascino@arm.com>
+
+[ Upstream commit e0de01aafc3dd7b73308106b056ead2d48391905 ]
+
+The .config file and the generated include/config/auto.conf can
+end up out of sync after a set of commands since
+CONFIG_CROSS_COMPILE_COMPAT_VDSO is not updated correctly.
+
+The sequence can be reproduced as follows:
+
+$ make ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- defconfig
+[...]
+$ make ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- menuconfig
+[set CONFIG_CROSS_COMPILE_COMPAT_VDSO="arm-linux-gnueabihf-"]
+$ make ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu-
+
+Which results in:
+
+arch/arm64/Makefile:62: CROSS_COMPILE_COMPAT not defined or empty,
+the compat vDSO will not be built
+
+even though the compat vDSO has been built:
+
+$ file arch/arm64/kernel/vdso32/vdso.so
+arch/arm64/kernel/vdso32/vdso.so: ELF 32-bit LSB pie executable, ARM,
+EABI5 version 1 (SYSV), dynamically linked,
+BuildID[sha1]=c67f6c786f2d2d6f86c71f708595594aa25247f6, stripped
+
+A similar case that involves changing the configuration parameter
+multiple times can be reconducted to the same family of problems.
+
+Remove the use of CONFIG_CROSS_COMPILE_COMPAT_VDSO altogether and
+instead rely on the cross-compiler prefix coming from the environment
+via CROSS_COMPILE_COMPAT, much like we do for the rest of the kernel.
+
+Cc: Will Deacon <will@kernel.org>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Reported-by: Will Deacon <will@kernel.org>
+Signed-off-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/Kconfig | 2 +-
+ arch/arm64/Makefile | 18 +++++-------------
+ arch/arm64/kernel/vdso32/Makefile | 2 --
+ 3 files changed, 6 insertions(+), 16 deletions(-)
+
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index e8cf562838716..f63b824cdc2d3 100644
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -111,7 +111,7 @@ config ARM64
+ select GENERIC_STRNLEN_USER
+ select GENERIC_TIME_VSYSCALL
+ select GENERIC_GETTIMEOFDAY
+- select GENERIC_COMPAT_VDSO if (!CPU_BIG_ENDIAN && COMPAT)
++ select GENERIC_COMPAT_VDSO if (!CPU_BIG_ENDIAN && COMPAT && "$(CROSS_COMPILE_COMPAT)" != "")
+ select HANDLE_DOMAIN_IRQ
+ select HARDIRQS_SW_RESEND
+ select HAVE_PCI
+diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
+index 61de992bbea3f..9743b50bdee7d 100644
+--- a/arch/arm64/Makefile
++++ b/arch/arm64/Makefile
+@@ -47,20 +47,12 @@ $(warning Detected assembler with broken .inst; disassembly will be unreliable)
+ endif
+ endif
+
++COMPATCC ?= $(CROSS_COMPILE_COMPAT)gcc
++export COMPATCC
++
+ ifeq ($(CONFIG_GENERIC_COMPAT_VDSO), y)
+- CROSS_COMPILE_COMPAT ?= $(CONFIG_CROSS_COMPILE_COMPAT_VDSO:"%"=%)
+-
+- ifeq ($(CONFIG_CC_IS_CLANG), y)
+- $(warning CROSS_COMPILE_COMPAT is clang, the compat vDSO will not be built)
+- else ifeq ($(strip $(CROSS_COMPILE_COMPAT)),)
+- $(warning CROSS_COMPILE_COMPAT not defined or empty, the compat vDSO will not be built)
+- else ifeq ($(shell which $(CROSS_COMPILE_COMPAT)gcc 2> /dev/null),)
+- $(error $(CROSS_COMPILE_COMPAT)gcc not found, check CROSS_COMPILE_COMPAT)
+- else
+- export CROSS_COMPILE_COMPAT
+- export CONFIG_COMPAT_VDSO := y
+- compat_vdso := -DCONFIG_COMPAT_VDSO=1
+- endif
++ export CONFIG_COMPAT_VDSO := y
++ compat_vdso := -DCONFIG_COMPAT_VDSO=1
+ endif
+
+ KBUILD_CFLAGS += -mgeneral-regs-only $(lseinstr) $(brokengasinst) $(compat_vdso)
+diff --git a/arch/arm64/kernel/vdso32/Makefile b/arch/arm64/kernel/vdso32/Makefile
+index 1fba0776ed40e..19e0d3115ffe0 100644
+--- a/arch/arm64/kernel/vdso32/Makefile
++++ b/arch/arm64/kernel/vdso32/Makefile
+@@ -8,8 +8,6 @@
+ ARCH_REL_TYPE_ABS := R_ARM_JUMP_SLOT|R_ARM_GLOB_DAT|R_ARM_ABS32
+ include $(srctree)/lib/vdso/Makefile
+
+-COMPATCC := $(CROSS_COMPILE_COMPAT)gcc
+-
+ # Same as cc-*option, but using COMPATCC instead of CC
+ cc32-option = $(call try-run,\
+ $(COMPATCC) $(1) -c -x c /dev/null -o "$$TMP",$(1),$(2))
+--
+2.20.1
+
--- /dev/null
+From a33d565ab5782dfe1ba4fc984c06a2032f766f86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jul 2019 16:24:19 +0100
+Subject: Btrfs: fix inode cache block reserve leak on failure to allocate data
+ space
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 29d47d00e0ae61668ee0c5d90bef2893c8abbafa ]
+
+If we failed to allocate the data extent(s) for the inode space cache, we
+were bailing out without releasing the previously reserved metadata. This
+was triggering the following warnings when unmounting a filesystem:
+
+ $ cat -n fs/btrfs/inode.c
+ (...)
+ 9268 void btrfs_destroy_inode(struct inode *inode)
+ 9269 {
+ (...)
+ 9276 WARN_ON(BTRFS_I(inode)->block_rsv.reserved);
+ 9277 WARN_ON(BTRFS_I(inode)->block_rsv.size);
+ (...)
+ 9281 WARN_ON(BTRFS_I(inode)->csum_bytes);
+ 9282 WARN_ON(BTRFS_I(inode)->defrag_bytes);
+ (...)
+
+Several fstests test cases triggered this often, such as generic/083,
+generic/102, generic/172, generic/269 and generic/300 at least, producing
+stack traces like the following in dmesg/syslog:
+
+ [82039.079546] WARNING: CPU: 2 PID: 13167 at fs/btrfs/inode.c:9276 btrfs_destroy_inode+0x203/0x270 [btrfs]
+ (...)
+ [82039.081543] CPU: 2 PID: 13167 Comm: umount Tainted: G W 5.2.0-rc4-btrfs-next-50 #1
+ [82039.081912] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.2-0-gf9626ccb91-prebuilt.qemu-project.org 04/01/2014
+ [82039.082673] RIP: 0010:btrfs_destroy_inode+0x203/0x270 [btrfs]
+ (...)
+ [82039.083913] RSP: 0018:ffffac0b426a7d30 EFLAGS: 00010206
+ [82039.084320] RAX: ffff8ddf77691158 RBX: ffff8dde29b34660 RCX: 0000000000000002
+ [82039.084736] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8dde29b34660
+ [82039.085156] RBP: ffff8ddf5fbec000 R08: 0000000000000000 R09: 0000000000000000
+ [82039.085578] R10: ffffac0b426a7c90 R11: ffffffffb9aad768 R12: ffffac0b426a7db0
+ [82039.086000] R13: ffff8ddf5fbec0a0 R14: dead000000000100 R15: 0000000000000000
+ [82039.086416] FS: 00007f8db96d12c0(0000) GS:ffff8de036b00000(0000) knlGS:0000000000000000
+ [82039.086837] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [82039.087253] CR2: 0000000001416108 CR3: 00000002315cc001 CR4: 00000000003606e0
+ [82039.087672] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ [82039.088089] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ [82039.088504] Call Trace:
+ [82039.088918] destroy_inode+0x3b/0x70
+ [82039.089340] btrfs_free_fs_root+0x16/0xa0 [btrfs]
+ [82039.089768] btrfs_free_fs_roots+0xd8/0x160 [btrfs]
+ [82039.090183] ? wait_for_completion+0x65/0x1a0
+ [82039.090607] close_ctree+0x172/0x370 [btrfs]
+ [82039.091021] generic_shutdown_super+0x6c/0x110
+ [82039.091427] kill_anon_super+0xe/0x30
+ [82039.091832] btrfs_kill_super+0x12/0xa0 [btrfs]
+ [82039.092233] deactivate_locked_super+0x3a/0x70
+ [82039.092636] cleanup_mnt+0x3b/0x80
+ [82039.093039] task_work_run+0x93/0xc0
+ [82039.093457] exit_to_usermode_loop+0xfa/0x100
+ [82039.093856] do_syscall_64+0x162/0x1d0
+ [82039.094244] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ [82039.094634] RIP: 0033:0x7f8db8fbab37
+ (...)
+ [82039.095876] RSP: 002b:00007ffdce35b468 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
+ [82039.096290] RAX: 0000000000000000 RBX: 0000560d20b00060 RCX: 00007f8db8fbab37
+ [82039.096700] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000560d20b00240
+ [82039.097110] RBP: 0000560d20b00240 R08: 0000560d20b00270 R09: 0000000000000015
+ [82039.097522] R10: 00000000000006b4 R11: 0000000000000246 R12: 00007f8db94bce64
+ [82039.097937] R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffdce35b6f0
+ [82039.098350] irq event stamp: 0
+ [82039.098750] hardirqs last enabled at (0): [<0000000000000000>] 0x0
+ [82039.099150] hardirqs last disabled at (0): [<ffffffffb7884ff2>] copy_process.part.33+0x7f2/0x1f00
+ [82039.099545] softirqs last enabled at (0): [<ffffffffb7884ff2>] copy_process.part.33+0x7f2/0x1f00
+ [82039.099925] softirqs last disabled at (0): [<0000000000000000>] 0x0
+ [82039.100292] ---[ end trace f2521afa616ddccc ]---
+ [82039.100707] WARNING: CPU: 2 PID: 13167 at fs/btrfs/inode.c:9277 btrfs_destroy_inode+0x1ac/0x270 [btrfs]
+ (...)
+ [82039.103050] CPU: 2 PID: 13167 Comm: umount Tainted: G W 5.2.0-rc4-btrfs-next-50 #1
+ [82039.103428] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.2-0-gf9626ccb91-prebuilt.qemu-project.org 04/01/2014
+ [82039.104203] RIP: 0010:btrfs_destroy_inode+0x1ac/0x270 [btrfs]
+ (...)
+ [82039.105461] RSP: 0018:ffffac0b426a7d30 EFLAGS: 00010206
+ [82039.105866] RAX: ffff8ddf77691158 RBX: ffff8dde29b34660 RCX: 0000000000000002
+ [82039.106270] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8dde29b34660
+ [82039.106673] RBP: ffff8ddf5fbec000 R08: 0000000000000000 R09: 0000000000000000
+ [82039.107078] R10: ffffac0b426a7c90 R11: ffffffffb9aad768 R12: ffffac0b426a7db0
+ [82039.107487] R13: ffff8ddf5fbec0a0 R14: dead000000000100 R15: 0000000000000000
+ [82039.107894] FS: 00007f8db96d12c0(0000) GS:ffff8de036b00000(0000) knlGS:0000000000000000
+ [82039.108309] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [82039.108723] CR2: 0000000001416108 CR3: 00000002315cc001 CR4: 00000000003606e0
+ [82039.109146] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ [82039.109567] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ [82039.109989] Call Trace:
+ [82039.110405] destroy_inode+0x3b/0x70
+ [82039.110830] btrfs_free_fs_root+0x16/0xa0 [btrfs]
+ [82039.111257] btrfs_free_fs_roots+0xd8/0x160 [btrfs]
+ [82039.111675] ? wait_for_completion+0x65/0x1a0
+ [82039.112101] close_ctree+0x172/0x370 [btrfs]
+ [82039.112519] generic_shutdown_super+0x6c/0x110
+ [82039.112988] kill_anon_super+0xe/0x30
+ [82039.113439] btrfs_kill_super+0x12/0xa0 [btrfs]
+ [82039.113861] deactivate_locked_super+0x3a/0x70
+ [82039.114278] cleanup_mnt+0x3b/0x80
+ [82039.114685] task_work_run+0x93/0xc0
+ [82039.115083] exit_to_usermode_loop+0xfa/0x100
+ [82039.115476] do_syscall_64+0x162/0x1d0
+ [82039.115863] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ [82039.116254] RIP: 0033:0x7f8db8fbab37
+ (...)
+ [82039.117463] RSP: 002b:00007ffdce35b468 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
+ [82039.117882] RAX: 0000000000000000 RBX: 0000560d20b00060 RCX: 00007f8db8fbab37
+ [82039.118330] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000560d20b00240
+ [82039.118743] RBP: 0000560d20b00240 R08: 0000560d20b00270 R09: 0000000000000015
+ [82039.119159] R10: 00000000000006b4 R11: 0000000000000246 R12: 00007f8db94bce64
+ [82039.119574] R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffdce35b6f0
+ [82039.119987] irq event stamp: 0
+ [82039.120387] hardirqs last enabled at (0): [<0000000000000000>] 0x0
+ [82039.120787] hardirqs last disabled at (0): [<ffffffffb7884ff2>] copy_process.part.33+0x7f2/0x1f00
+ [82039.121182] softirqs last enabled at (0): [<ffffffffb7884ff2>] copy_process.part.33+0x7f2/0x1f00
+ [82039.121563] softirqs last disabled at (0): [<0000000000000000>] 0x0
+ [82039.121933] ---[ end trace f2521afa616ddccd ]---
+ [82039.122353] WARNING: CPU: 2 PID: 13167 at fs/btrfs/inode.c:9278 btrfs_destroy_inode+0x1bc/0x270 [btrfs]
+ (...)
+ [82039.124606] CPU: 2 PID: 13167 Comm: umount Tainted: G W 5.2.0-rc4-btrfs-next-50 #1
+ [82039.125008] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.2-0-gf9626ccb91-prebuilt.qemu-project.org 04/01/2014
+ [82039.125801] RIP: 0010:btrfs_destroy_inode+0x1bc/0x270 [btrfs]
+ (...)
+ [82039.126998] RSP: 0018:ffffac0b426a7d30 EFLAGS: 00010202
+ [82039.127399] RAX: ffff8ddf77691158 RBX: ffff8dde29b34660 RCX: 0000000000000002
+ [82039.127803] RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff8dde29b34660
+ [82039.128206] RBP: ffff8ddf5fbec000 R08: 0000000000000000 R09: 0000000000000000
+ [82039.128611] R10: ffffac0b426a7c90 R11: ffffffffb9aad768 R12: ffffac0b426a7db0
+ [82039.129020] R13: ffff8ddf5fbec0a0 R14: dead000000000100 R15: 0000000000000000
+ [82039.129428] FS: 00007f8db96d12c0(0000) GS:ffff8de036b00000(0000) knlGS:0000000000000000
+ [82039.129846] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [82039.130261] CR2: 0000000001416108 CR3: 00000002315cc001 CR4: 00000000003606e0
+ [82039.130684] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ [82039.131142] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ [82039.131561] Call Trace:
+ [82039.131990] destroy_inode+0x3b/0x70
+ [82039.132417] btrfs_free_fs_root+0x16/0xa0 [btrfs]
+ [82039.132844] btrfs_free_fs_roots+0xd8/0x160 [btrfs]
+ [82039.133262] ? wait_for_completion+0x65/0x1a0
+ [82039.133688] close_ctree+0x172/0x370 [btrfs]
+ [82039.134157] generic_shutdown_super+0x6c/0x110
+ [82039.134575] kill_anon_super+0xe/0x30
+ [82039.134997] btrfs_kill_super+0x12/0xa0 [btrfs]
+ [82039.135415] deactivate_locked_super+0x3a/0x70
+ [82039.135832] cleanup_mnt+0x3b/0x80
+ [82039.136239] task_work_run+0x93/0xc0
+ [82039.136637] exit_to_usermode_loop+0xfa/0x100
+ [82039.137029] do_syscall_64+0x162/0x1d0
+ [82039.137418] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ [82039.137812] RIP: 0033:0x7f8db8fbab37
+ (...)
+ [82039.139059] RSP: 002b:00007ffdce35b468 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
+ [82039.139475] RAX: 0000000000000000 RBX: 0000560d20b00060 RCX: 00007f8db8fbab37
+ [82039.139890] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000560d20b00240
+ [82039.140302] RBP: 0000560d20b00240 R08: 0000560d20b00270 R09: 0000000000000015
+ [82039.140719] R10: 00000000000006b4 R11: 0000000000000246 R12: 00007f8db94bce64
+ [82039.141138] R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffdce35b6f0
+ [82039.141597] irq event stamp: 0
+ [82039.142043] hardirqs last enabled at (0): [<0000000000000000>] 0x0
+ [82039.142443] hardirqs last disabled at (0): [<ffffffffb7884ff2>] copy_process.part.33+0x7f2/0x1f00
+ [82039.142839] softirqs last enabled at (0): [<ffffffffb7884ff2>] copy_process.part.33+0x7f2/0x1f00
+ [82039.143220] softirqs last disabled at (0): [<0000000000000000>] 0x0
+ [82039.143588] ---[ end trace f2521afa616ddcce ]---
+ [82039.167472] WARNING: CPU: 3 PID: 13167 at fs/btrfs/extent-tree.c:10120 btrfs_free_block_groups+0x30d/0x460 [btrfs]
+ (...)
+ [82039.173800] CPU: 3 PID: 13167 Comm: umount Tainted: G W 5.2.0-rc4-btrfs-next-50 #1
+ [82039.174847] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.2-0-gf9626ccb91-prebuilt.qemu-project.org 04/01/2014
+ [82039.177031] RIP: 0010:btrfs_free_block_groups+0x30d/0x460 [btrfs]
+ (...)
+ [82039.180397] RSP: 0018:ffffac0b426a7dd8 EFLAGS: 00010206
+ [82039.181574] RAX: ffff8de010a1db40 RBX: ffff8de010a1db40 RCX: 0000000000170014
+ [82039.182711] RDX: ffff8ddff4380040 RSI: ffff8de010a1da58 RDI: 0000000000000246
+ [82039.183817] RBP: ffff8ddf5fbec000 R08: 0000000000000000 R09: 0000000000000000
+ [82039.184925] R10: ffff8de036404380 R11: ffffffffb8a5ea00 R12: ffff8de010a1b2b8
+ [82039.186090] R13: ffff8de010a1b2b8 R14: 0000000000000000 R15: dead000000000100
+ [82039.187208] FS: 00007f8db96d12c0(0000) GS:ffff8de036b80000(0000) knlGS:0000000000000000
+ [82039.188345] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [82039.189481] CR2: 00007fb044005170 CR3: 00000002315cc006 CR4: 00000000003606e0
+ [82039.190674] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ [82039.191829] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ [82039.192978] Call Trace:
+ [82039.194160] close_ctree+0x19a/0x370 [btrfs]
+ [82039.195315] generic_shutdown_super+0x6c/0x110
+ [82039.196486] kill_anon_super+0xe/0x30
+ [82039.197645] btrfs_kill_super+0x12/0xa0 [btrfs]
+ [82039.198696] deactivate_locked_super+0x3a/0x70
+ [82039.199619] cleanup_mnt+0x3b/0x80
+ [82039.200559] task_work_run+0x93/0xc0
+ [82039.201505] exit_to_usermode_loop+0xfa/0x100
+ [82039.202436] do_syscall_64+0x162/0x1d0
+ [82039.203339] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ [82039.204091] RIP: 0033:0x7f8db8fbab37
+ (...)
+ [82039.206360] RSP: 002b:00007ffdce35b468 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
+ [82039.207132] RAX: 0000000000000000 RBX: 0000560d20b00060 RCX: 00007f8db8fbab37
+ [82039.207906] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000560d20b00240
+ [82039.208621] RBP: 0000560d20b00240 R08: 0000560d20b00270 R09: 0000000000000015
+ [82039.209285] R10: 00000000000006b4 R11: 0000000000000246 R12: 00007f8db94bce64
+ [82039.209984] R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffdce35b6f0
+ [82039.210642] irq event stamp: 0
+ [82039.211306] hardirqs last enabled at (0): [<0000000000000000>] 0x0
+ [82039.211971] hardirqs last disabled at (0): [<ffffffffb7884ff2>] copy_process.part.33+0x7f2/0x1f00
+ [82039.212643] softirqs last enabled at (0): [<ffffffffb7884ff2>] copy_process.part.33+0x7f2/0x1f00
+ [82039.213304] softirqs last disabled at (0): [<0000000000000000>] 0x0
+ [82039.213875] ---[ end trace f2521afa616ddccf ]---
+
+Fix this by releasing the reserved metadata on failure to allocate data
+extent(s) for the inode cache.
+
+Fixes: 69fe2d75dd91d0 ("btrfs: make the delalloc block rsv per inode")
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/inode-map.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/btrfs/inode-map.c b/fs/btrfs/inode-map.c
+index 2e8bb402050b9..10a73c97f8966 100644
+--- a/fs/btrfs/inode-map.c
++++ b/fs/btrfs/inode-map.c
+@@ -485,6 +485,7 @@ again:
+ prealloc, prealloc, &alloc_hint);
+ if (ret) {
+ btrfs_delalloc_release_extents(BTRFS_I(inode), prealloc, true);
++ btrfs_delalloc_release_metadata(BTRFS_I(inode), prealloc, true);
+ goto out_put;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 97383fcd65a00254e6e9f467ac9ac0e0ae66beda Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2019 14:34:51 +0800
+Subject: btrfs: qgroup: Always free PREALLOC META reserve in
+ btrfs_delalloc_release_extents()
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 8702ba9396bf7bbae2ab93c94acd4bd37cfa4f09 ]
+
+[Background]
+Btrfs qgroup uses two types of reserved space for METADATA space,
+PERTRANS and PREALLOC.
+
+PERTRANS is metadata space reserved for each transaction started by
+btrfs_start_transaction().
+While PREALLOC is for delalloc, where we reserve space before joining a
+transaction, and finally it will be converted to PERTRANS after the
+writeback is done.
+
+[Inconsistency]
+However there is inconsistency in how we handle PREALLOC metadata space.
+
+The most obvious one is:
+In btrfs_buffered_write():
+ btrfs_delalloc_release_extents(BTRFS_I(inode), reserve_bytes, true);
+
+We always free qgroup PREALLOC meta space.
+
+While in btrfs_truncate_block():
+ btrfs_delalloc_release_extents(BTRFS_I(inode), blocksize, (ret != 0));
+
+We only free qgroup PREALLOC meta space when something went wrong.
+
+[The Correct Behavior]
+The correct behavior should be the one in btrfs_buffered_write(), we
+should always free PREALLOC metadata space.
+
+The reason is, the btrfs_delalloc_* mechanism works by:
+- Reserve metadata first, even it's not necessary
+ In btrfs_delalloc_reserve_metadata()
+
+- Free the unused metadata space
+ Normally in:
+ btrfs_delalloc_release_extents()
+ |- btrfs_inode_rsv_release()
+ Here we do calculation on whether we should release or not.
+
+E.g. for 64K buffered write, the metadata rsv works like:
+
+/* The first page */
+reserve_meta: num_bytes=calc_inode_reservations()
+free_meta: num_bytes=0
+total: num_bytes=calc_inode_reservations()
+/* The first page caused one outstanding extent, thus needs metadata
+ rsv */
+
+/* The 2nd page */
+reserve_meta: num_bytes=calc_inode_reservations()
+free_meta: num_bytes=calc_inode_reservations()
+total: not changed
+/* The 2nd page doesn't cause new outstanding extent, needs no new meta
+ rsv, so we free what we have reserved */
+
+/* The 3rd~16th pages */
+reserve_meta: num_bytes=calc_inode_reservations()
+free_meta: num_bytes=calc_inode_reservations()
+total: not changed (still space for one outstanding extent)
+
+This means, if btrfs_delalloc_release_extents() determines to free some
+space, then those space should be freed NOW.
+So for qgroup, we should call btrfs_qgroup_free_meta_prealloc() other
+than btrfs_qgroup_convert_reserved_meta().
+
+The good news is:
+- The callers are not that hot
+ The hottest caller is in btrfs_buffered_write(), which is already
+ fixed by commit 336a8bb8e36a ("btrfs: Fix wrong
+ btrfs_delalloc_release_extents parameter"). Thus it's not that
+ easy to cause false EDQUOT.
+
+- The trans commit in advance for qgroup would hide the bug
+ Since commit f5fef4593653 ("btrfs: qgroup: Make qgroup async transaction
+ commit more aggressive"), when btrfs qgroup metadata free space is slow,
+ it will try to commit transaction and free the wrongly converted
+ PERTRANS space, so it's not that easy to hit such bug.
+
+[FIX]
+So to fix the problem, remove the @qgroup_free parameter for
+btrfs_delalloc_release_extents(), and always pass true to
+btrfs_inode_rsv_release().
+
+Reported-by: Filipe Manana <fdmanana@suse.com>
+Fixes: 43b18595d660 ("btrfs: qgroup: Use separate meta reservation type for delalloc")
+CC: stable@vger.kernel.org # 4.19+
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ctree.h | 3 +--
+ fs/btrfs/delalloc-space.c | 6 ++----
+ fs/btrfs/file.c | 7 +++----
+ fs/btrfs/inode-map.c | 4 ++--
+ fs/btrfs/inode.c | 12 ++++++------
+ fs/btrfs/ioctl.c | 6 ++----
+ fs/btrfs/relocation.c | 9 ++++-----
+ 7 files changed, 20 insertions(+), 27 deletions(-)
+
+diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
+index e7a1ec075c652..180749080fd85 100644
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -2758,8 +2758,7 @@ int btrfs_subvolume_reserve_metadata(struct btrfs_root *root,
+ int nitems, bool use_global_rsv);
+ void btrfs_subvolume_release_metadata(struct btrfs_fs_info *fs_info,
+ struct btrfs_block_rsv *rsv);
+-void btrfs_delalloc_release_extents(struct btrfs_inode *inode, u64 num_bytes,
+- bool qgroup_free);
++void btrfs_delalloc_release_extents(struct btrfs_inode *inode, u64 num_bytes);
+
+ int btrfs_delalloc_reserve_metadata(struct btrfs_inode *inode, u64 num_bytes);
+ int btrfs_inc_block_group_ro(struct btrfs_block_group_cache *cache);
+diff --git a/fs/btrfs/delalloc-space.c b/fs/btrfs/delalloc-space.c
+index 934521fe7e71d..8d2bb28ff5e0e 100644
+--- a/fs/btrfs/delalloc-space.c
++++ b/fs/btrfs/delalloc-space.c
+@@ -407,7 +407,6 @@ void btrfs_delalloc_release_metadata(struct btrfs_inode *inode, u64 num_bytes,
+ * btrfs_delalloc_release_extents - release our outstanding_extents
+ * @inode: the inode to balance the reservation for.
+ * @num_bytes: the number of bytes we originally reserved with
+- * @qgroup_free: do we need to free qgroup meta reservation or convert them.
+ *
+ * When we reserve space we increase outstanding_extents for the extents we may
+ * add. Once we've set the range as delalloc or created our ordered extents we
+@@ -415,8 +414,7 @@ void btrfs_delalloc_release_metadata(struct btrfs_inode *inode, u64 num_bytes,
+ * temporarily tracked outstanding_extents. This _must_ be used in conjunction
+ * with btrfs_delalloc_reserve_metadata.
+ */
+-void btrfs_delalloc_release_extents(struct btrfs_inode *inode, u64 num_bytes,
+- bool qgroup_free)
++void btrfs_delalloc_release_extents(struct btrfs_inode *inode, u64 num_bytes)
+ {
+ struct btrfs_fs_info *fs_info = inode->root->fs_info;
+ unsigned num_extents;
+@@ -430,7 +428,7 @@ void btrfs_delalloc_release_extents(struct btrfs_inode *inode, u64 num_bytes,
+ if (btrfs_is_testing(fs_info))
+ return;
+
+- btrfs_inode_rsv_release(inode, qgroup_free);
++ btrfs_inode_rsv_release(inode, true);
+ }
+
+ /**
+diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c
+index d68add0bf3462..a8a2adaf222f4 100644
+--- a/fs/btrfs/file.c
++++ b/fs/btrfs/file.c
+@@ -1692,7 +1692,7 @@ again:
+ force_page_uptodate);
+ if (ret) {
+ btrfs_delalloc_release_extents(BTRFS_I(inode),
+- reserve_bytes, true);
++ reserve_bytes);
+ break;
+ }
+
+@@ -1704,7 +1704,7 @@ again:
+ if (extents_locked == -EAGAIN)
+ goto again;
+ btrfs_delalloc_release_extents(BTRFS_I(inode),
+- reserve_bytes, true);
++ reserve_bytes);
+ ret = extents_locked;
+ break;
+ }
+@@ -1772,8 +1772,7 @@ again:
+ else
+ free_extent_state(cached_state);
+
+- btrfs_delalloc_release_extents(BTRFS_I(inode), reserve_bytes,
+- true);
++ btrfs_delalloc_release_extents(BTRFS_I(inode), reserve_bytes);
+ if (ret) {
+ btrfs_drop_pages(pages, num_pages);
+ break;
+diff --git a/fs/btrfs/inode-map.c b/fs/btrfs/inode-map.c
+index 10a73c97f8966..e2f49615c4297 100644
+--- a/fs/btrfs/inode-map.c
++++ b/fs/btrfs/inode-map.c
+@@ -484,13 +484,13 @@ again:
+ ret = btrfs_prealloc_file_range_trans(inode, trans, 0, 0, prealloc,
+ prealloc, prealloc, &alloc_hint);
+ if (ret) {
+- btrfs_delalloc_release_extents(BTRFS_I(inode), prealloc, true);
++ btrfs_delalloc_release_extents(BTRFS_I(inode), prealloc);
+ btrfs_delalloc_release_metadata(BTRFS_I(inode), prealloc, true);
+ goto out_put;
+ }
+
+ ret = btrfs_write_out_ino_cache(root, trans, path, inode);
+- btrfs_delalloc_release_extents(BTRFS_I(inode), prealloc, false);
++ btrfs_delalloc_release_extents(BTRFS_I(inode), prealloc);
+ out_put:
+ iput(inode);
+ out_release:
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index b3453adb214da..1b85278471f62 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -2167,7 +2167,7 @@ again:
+
+ ClearPageChecked(page);
+ set_page_dirty(page);
+- btrfs_delalloc_release_extents(BTRFS_I(inode), PAGE_SIZE, false);
++ btrfs_delalloc_release_extents(BTRFS_I(inode), PAGE_SIZE);
+ out:
+ unlock_extent_cached(&BTRFS_I(inode)->io_tree, page_start, page_end,
+ &cached_state);
+@@ -4912,7 +4912,7 @@ again:
+ if (!page) {
+ btrfs_delalloc_release_space(inode, data_reserved,
+ block_start, blocksize, true);
+- btrfs_delalloc_release_extents(BTRFS_I(inode), blocksize, true);
++ btrfs_delalloc_release_extents(BTRFS_I(inode), blocksize);
+ ret = -ENOMEM;
+ goto out;
+ }
+@@ -4980,7 +4980,7 @@ out_unlock:
+ if (ret)
+ btrfs_delalloc_release_space(inode, data_reserved, block_start,
+ blocksize, true);
+- btrfs_delalloc_release_extents(BTRFS_I(inode), blocksize, (ret != 0));
++ btrfs_delalloc_release_extents(BTRFS_I(inode), blocksize);
+ unlock_page(page);
+ put_page(page);
+ out:
+@@ -8685,7 +8685,7 @@ static ssize_t btrfs_direct_IO(struct kiocb *iocb, struct iov_iter *iter)
+ } else if (ret >= 0 && (size_t)ret < count)
+ btrfs_delalloc_release_space(inode, data_reserved,
+ offset, count - (size_t)ret, true);
+- btrfs_delalloc_release_extents(BTRFS_I(inode), count, false);
++ btrfs_delalloc_release_extents(BTRFS_I(inode), count);
+ }
+ out:
+ if (wakeup)
+@@ -9038,7 +9038,7 @@ again:
+ unlock_extent_cached(io_tree, page_start, page_end, &cached_state);
+
+ if (!ret2) {
+- btrfs_delalloc_release_extents(BTRFS_I(inode), PAGE_SIZE, true);
++ btrfs_delalloc_release_extents(BTRFS_I(inode), PAGE_SIZE);
+ sb_end_pagefault(inode->i_sb);
+ extent_changeset_free(data_reserved);
+ return VM_FAULT_LOCKED;
+@@ -9047,7 +9047,7 @@ again:
+ out_unlock:
+ unlock_page(page);
+ out:
+- btrfs_delalloc_release_extents(BTRFS_I(inode), PAGE_SIZE, (ret != 0));
++ btrfs_delalloc_release_extents(BTRFS_I(inode), PAGE_SIZE);
+ btrfs_delalloc_release_space(inode, data_reserved, page_start,
+ reserved_space, (ret != 0));
+ out_noreserve:
+diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
+index 818f7ec8bb0ee..8dad66df74ed7 100644
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -1360,8 +1360,7 @@ again:
+ unlock_page(pages[i]);
+ put_page(pages[i]);
+ }
+- btrfs_delalloc_release_extents(BTRFS_I(inode), page_cnt << PAGE_SHIFT,
+- false);
++ btrfs_delalloc_release_extents(BTRFS_I(inode), page_cnt << PAGE_SHIFT);
+ extent_changeset_free(data_reserved);
+ return i_done;
+ out:
+@@ -1372,8 +1371,7 @@ out:
+ btrfs_delalloc_release_space(inode, data_reserved,
+ start_index << PAGE_SHIFT,
+ page_cnt << PAGE_SHIFT, true);
+- btrfs_delalloc_release_extents(BTRFS_I(inode), page_cnt << PAGE_SHIFT,
+- true);
++ btrfs_delalloc_release_extents(BTRFS_I(inode), page_cnt << PAGE_SHIFT);
+ extent_changeset_free(data_reserved);
+ return ret;
+
+diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
+index 074947bebd165..572314aebdf11 100644
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -3277,7 +3277,7 @@ static int relocate_file_extent_cluster(struct inode *inode,
+ btrfs_delalloc_release_metadata(BTRFS_I(inode),
+ PAGE_SIZE, true);
+ btrfs_delalloc_release_extents(BTRFS_I(inode),
+- PAGE_SIZE, true);
++ PAGE_SIZE);
+ ret = -ENOMEM;
+ goto out;
+ }
+@@ -3298,7 +3298,7 @@ static int relocate_file_extent_cluster(struct inode *inode,
+ btrfs_delalloc_release_metadata(BTRFS_I(inode),
+ PAGE_SIZE, true);
+ btrfs_delalloc_release_extents(BTRFS_I(inode),
+- PAGE_SIZE, true);
++ PAGE_SIZE);
+ ret = -EIO;
+ goto out;
+ }
+@@ -3327,7 +3327,7 @@ static int relocate_file_extent_cluster(struct inode *inode,
+ btrfs_delalloc_release_metadata(BTRFS_I(inode),
+ PAGE_SIZE, true);
+ btrfs_delalloc_release_extents(BTRFS_I(inode),
+- PAGE_SIZE, true);
++ PAGE_SIZE);
+
+ clear_extent_bits(&BTRFS_I(inode)->io_tree,
+ page_start, page_end,
+@@ -3343,8 +3343,7 @@ static int relocate_file_extent_cluster(struct inode *inode,
+ put_page(page);
+
+ index++;
+- btrfs_delalloc_release_extents(BTRFS_I(inode), PAGE_SIZE,
+- false);
++ btrfs_delalloc_release_extents(BTRFS_I(inode), PAGE_SIZE);
+ balance_dirty_pages_ratelimited(inode->i_mapping);
+ btrfs_throttle(fs_info);
+ }
+--
+2.20.1
+
--- /dev/null
+From 7525c1e17f3beec8a324e2de3608b8609fc14d46 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2019 12:30:19 +0900
+Subject: btrfs: silence maybe-uninitialized warning in clone_range
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Austin Kim <austindh.kim@gmail.com>
+
+[ Upstream commit 431d39887d6273d6d84edf3c2eab09f4200e788a ]
+
+GCC throws warning message as below:
+
+‘clone_src_i_size’ may be used uninitialized in this function
+[-Wmaybe-uninitialized]
+ #define IS_ALIGNED(x, a) (((x) & ((typeof(x))(a) - 1)) == 0)
+ ^
+fs/btrfs/send.c:5088:6: note: ‘clone_src_i_size’ was declared here
+ u64 clone_src_i_size;
+ ^
+The clone_src_i_size is only used as call-by-reference
+in a call to get_inode_info().
+
+Silence the warning by initializing clone_src_i_size to 0.
+
+Note that the warning is a false positive and reported by older versions
+of GCC (eg. 7.x) but not eg 9.x. As there have been numerous people, the
+patch is applied. Setting clone_src_i_size to 0 does not otherwise make
+sense and would not do any action in case the code changes in the future.
+
+Signed-off-by: Austin Kim <austindh.kim@gmail.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+[ add note ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/send.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
+index c3c0c064c25da..91c702b4cae9d 100644
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -5070,7 +5070,7 @@ static int clone_range(struct send_ctx *sctx,
+ struct btrfs_path *path;
+ struct btrfs_key key;
+ int ret;
+- u64 clone_src_i_size;
++ u64 clone_src_i_size = 0;
+
+ /*
+ * Prevent cloning from a zero offset with a length matching the sector
+--
+2.20.1
+
--- /dev/null
+From c92060628669f9fe2a77e32eab40a308414eacfb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Oct 2019 06:14:17 -0400
+Subject: dm snapshot: introduce account_start_copy() and account_end_copy()
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+[ Upstream commit a2f83e8b0c82c9500421a26c49eb198b25fcdea3 ]
+
+This simple refactoring moves code for modifying the semaphore cow_count
+into separate functions to prepare for changes that will extend these
+methods to provide for a more sophisticated mechanism for COW
+throttling.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Reviewed-by: Nikos Tsironis <ntsironis@arrikto.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-snap.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/md/dm-snap.c b/drivers/md/dm-snap.c
+index f150f5c5492b9..da3bd1794ee05 100644
+--- a/drivers/md/dm-snap.c
++++ b/drivers/md/dm-snap.c
+@@ -1512,6 +1512,16 @@ static void snapshot_dtr(struct dm_target *ti)
+ kfree(s);
+ }
+
++static void account_start_copy(struct dm_snapshot *s)
++{
++ down(&s->cow_count);
++}
++
++static void account_end_copy(struct dm_snapshot *s)
++{
++ up(&s->cow_count);
++}
++
+ /*
+ * Flush a list of buffers.
+ */
+@@ -1732,7 +1742,7 @@ static void copy_callback(int read_err, unsigned long write_err, void *context)
+ rb_link_node(&pe->out_of_order_node, parent, p);
+ rb_insert_color(&pe->out_of_order_node, &s->out_of_order_tree);
+ }
+- up(&s->cow_count);
++ account_end_copy(s);
+ }
+
+ /*
+@@ -1756,7 +1766,7 @@ static void start_copy(struct dm_snap_pending_exception *pe)
+ dest.count = src.count;
+
+ /* Hand over to kcopyd */
+- down(&s->cow_count);
++ account_start_copy(s);
+ dm_kcopyd_copy(s->kcopyd_client, &src, 1, &dest, 0, copy_callback, pe);
+ }
+
+@@ -1776,7 +1786,7 @@ static void start_full_bio(struct dm_snap_pending_exception *pe,
+ pe->full_bio = bio;
+ pe->full_bio_end_io = bio->bi_end_io;
+
+- down(&s->cow_count);
++ account_start_copy(s);
+ callback_data = dm_kcopyd_prepare_callback(s->kcopyd_client,
+ copy_callback, pe);
+
+@@ -1866,7 +1876,7 @@ static void zero_callback(int read_err, unsigned long write_err, void *context)
+ struct bio *bio = context;
+ struct dm_snapshot *s = bio->bi_private;
+
+- up(&s->cow_count);
++ account_end_copy(s);
+ bio->bi_status = write_err ? BLK_STS_IOERR : 0;
+ bio_endio(bio);
+ }
+@@ -1880,7 +1890,7 @@ static void zero_exception(struct dm_snapshot *s, struct dm_exception *e,
+ dest.sector = bio->bi_iter.bi_sector;
+ dest.count = s->store->chunk_size;
+
+- down(&s->cow_count);
++ account_start_copy(s);
+ WARN_ON_ONCE(bio->bi_private);
+ bio->bi_private = s;
+ dm_kcopyd_zero(s->kcopyd_client, 1, &dest, 0, zero_callback, bio);
+--
+2.20.1
+
--- /dev/null
+From e89ce656306dba9fab02d8452fbf95dd78b5be09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Oct 2019 06:15:53 -0400
+Subject: dm snapshot: rework COW throttling to fix deadlock
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+[ Upstream commit b21555786f18cd77f2311ad89074533109ae3ffa ]
+
+Commit 721b1d98fb517a ("dm snapshot: Fix excessive memory usage and
+workqueue stalls") introduced a semaphore to limit the maximum number of
+in-flight kcopyd (COW) jobs.
+
+The implementation of this throttling mechanism is prone to a deadlock:
+
+1. One or more threads write to the origin device causing COW, which is
+ performed by kcopyd.
+
+2. At some point some of these threads might reach the s->cow_count
+ semaphore limit and block in down(&s->cow_count), holding a read lock
+ on _origins_lock.
+
+3. Someone tries to acquire a write lock on _origins_lock, e.g.,
+ snapshot_ctr(), which blocks because the threads at step (2) already
+ hold a read lock on it.
+
+4. A COW operation completes and kcopyd runs dm-snapshot's completion
+ callback, which ends up calling pending_complete().
+ pending_complete() tries to resubmit any deferred origin bios. This
+ requires acquiring a read lock on _origins_lock, which blocks.
+
+ This happens because the read-write semaphore implementation gives
+ priority to writers, meaning that as soon as a writer tries to enter
+ the critical section, no readers will be allowed in, until all
+ writers have completed their work.
+
+ So, pending_complete() waits for the writer at step (3) to acquire
+ and release the lock. This writer waits for the readers at step (2)
+ to release the read lock and those readers wait for
+ pending_complete() (the kcopyd thread) to signal the s->cow_count
+ semaphore: DEADLOCK.
+
+The above was thoroughly analyzed and documented by Nikos Tsironis as
+part of his initial proposal for fixing this deadlock, see:
+https://www.redhat.com/archives/dm-devel/2019-October/msg00001.html
+
+Fix this deadlock by reworking COW throttling so that it waits without
+holding any locks. Add a variable 'in_progress' that counts how many
+kcopyd jobs are running. A function wait_for_in_progress() will sleep if
+'in_progress' is over the limit. It drops _origins_lock in order to
+avoid the deadlock.
+
+Reported-by: Guruswamy Basavaiah <guru2018@gmail.com>
+Reported-by: Nikos Tsironis <ntsironis@arrikto.com>
+Reviewed-by: Nikos Tsironis <ntsironis@arrikto.com>
+Tested-by: Nikos Tsironis <ntsironis@arrikto.com>
+Fixes: 721b1d98fb51 ("dm snapshot: Fix excessive memory usage and workqueue stalls")
+Cc: stable@vger.kernel.org # v5.0+
+Depends-on: 4a3f111a73a8c ("dm snapshot: introduce account_start_copy() and account_end_copy()")
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-snap.c | 78 ++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 64 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/md/dm-snap.c b/drivers/md/dm-snap.c
+index da3bd1794ee05..4fb1a40e68a08 100644
+--- a/drivers/md/dm-snap.c
++++ b/drivers/md/dm-snap.c
+@@ -18,7 +18,6 @@
+ #include <linux/vmalloc.h>
+ #include <linux/log2.h>
+ #include <linux/dm-kcopyd.h>
+-#include <linux/semaphore.h>
+
+ #include "dm.h"
+
+@@ -107,8 +106,8 @@ struct dm_snapshot {
+ /* The on disk metadata handler */
+ struct dm_exception_store *store;
+
+- /* Maximum number of in-flight COW jobs. */
+- struct semaphore cow_count;
++ unsigned in_progress;
++ struct wait_queue_head in_progress_wait;
+
+ struct dm_kcopyd_client *kcopyd_client;
+
+@@ -162,8 +161,8 @@ struct dm_snapshot {
+ */
+ #define DEFAULT_COW_THRESHOLD 2048
+
+-static int cow_threshold = DEFAULT_COW_THRESHOLD;
+-module_param_named(snapshot_cow_threshold, cow_threshold, int, 0644);
++static unsigned cow_threshold = DEFAULT_COW_THRESHOLD;
++module_param_named(snapshot_cow_threshold, cow_threshold, uint, 0644);
+ MODULE_PARM_DESC(snapshot_cow_threshold, "Maximum number of chunks being copied on write");
+
+ DECLARE_DM_KCOPYD_THROTTLE_WITH_MODULE_PARM(snapshot_copy_throttle,
+@@ -1327,7 +1326,7 @@ static int snapshot_ctr(struct dm_target *ti, unsigned int argc, char **argv)
+ goto bad_hash_tables;
+ }
+
+- sema_init(&s->cow_count, (cow_threshold > 0) ? cow_threshold : INT_MAX);
++ init_waitqueue_head(&s->in_progress_wait);
+
+ s->kcopyd_client = dm_kcopyd_client_create(&dm_kcopyd_throttle);
+ if (IS_ERR(s->kcopyd_client)) {
+@@ -1509,17 +1508,54 @@ static void snapshot_dtr(struct dm_target *ti)
+
+ dm_put_device(ti, s->origin);
+
++ WARN_ON(s->in_progress);
++
+ kfree(s);
+ }
+
+ static void account_start_copy(struct dm_snapshot *s)
+ {
+- down(&s->cow_count);
++ spin_lock(&s->in_progress_wait.lock);
++ s->in_progress++;
++ spin_unlock(&s->in_progress_wait.lock);
+ }
+
+ static void account_end_copy(struct dm_snapshot *s)
+ {
+- up(&s->cow_count);
++ spin_lock(&s->in_progress_wait.lock);
++ BUG_ON(!s->in_progress);
++ s->in_progress--;
++ if (likely(s->in_progress <= cow_threshold) &&
++ unlikely(waitqueue_active(&s->in_progress_wait)))
++ wake_up_locked(&s->in_progress_wait);
++ spin_unlock(&s->in_progress_wait.lock);
++}
++
++static bool wait_for_in_progress(struct dm_snapshot *s, bool unlock_origins)
++{
++ if (unlikely(s->in_progress > cow_threshold)) {
++ spin_lock(&s->in_progress_wait.lock);
++ if (likely(s->in_progress > cow_threshold)) {
++ /*
++ * NOTE: this throttle doesn't account for whether
++ * the caller is servicing an IO that will trigger a COW
++ * so excess throttling may result for chunks not required
++ * to be COW'd. But if cow_threshold was reached, extra
++ * throttling is unlikely to negatively impact performance.
++ */
++ DECLARE_WAITQUEUE(wait, current);
++ __add_wait_queue(&s->in_progress_wait, &wait);
++ __set_current_state(TASK_UNINTERRUPTIBLE);
++ spin_unlock(&s->in_progress_wait.lock);
++ if (unlock_origins)
++ up_read(&_origins_lock);
++ io_schedule();
++ remove_wait_queue(&s->in_progress_wait, &wait);
++ return false;
++ }
++ spin_unlock(&s->in_progress_wait.lock);
++ }
++ return true;
+ }
+
+ /*
+@@ -1537,7 +1573,7 @@ static void flush_bios(struct bio *bio)
+ }
+ }
+
+-static int do_origin(struct dm_dev *origin, struct bio *bio);
++static int do_origin(struct dm_dev *origin, struct bio *bio, bool limit);
+
+ /*
+ * Flush a list of buffers.
+@@ -1550,7 +1586,7 @@ static void retry_origin_bios(struct dm_snapshot *s, struct bio *bio)
+ while (bio) {
+ n = bio->bi_next;
+ bio->bi_next = NULL;
+- r = do_origin(s->origin, bio);
++ r = do_origin(s->origin, bio, false);
+ if (r == DM_MAPIO_REMAPPED)
+ generic_make_request(bio);
+ bio = n;
+@@ -1926,6 +1962,11 @@ static int snapshot_map(struct dm_target *ti, struct bio *bio)
+ if (!s->valid)
+ return DM_MAPIO_KILL;
+
++ if (bio_data_dir(bio) == WRITE) {
++ while (unlikely(!wait_for_in_progress(s, false)))
++ ; /* wait_for_in_progress() has slept */
++ }
++
+ down_read(&s->lock);
+ dm_exception_table_lock(&lock);
+
+@@ -2122,7 +2163,7 @@ redirect_to_origin:
+
+ if (bio_data_dir(bio) == WRITE) {
+ up_write(&s->lock);
+- return do_origin(s->origin, bio);
++ return do_origin(s->origin, bio, false);
+ }
+
+ out_unlock:
+@@ -2497,15 +2538,24 @@ next_snapshot:
+ /*
+ * Called on a write from the origin driver.
+ */
+-static int do_origin(struct dm_dev *origin, struct bio *bio)
++static int do_origin(struct dm_dev *origin, struct bio *bio, bool limit)
+ {
+ struct origin *o;
+ int r = DM_MAPIO_REMAPPED;
+
++again:
+ down_read(&_origins_lock);
+ o = __lookup_origin(origin->bdev);
+- if (o)
++ if (o) {
++ if (limit) {
++ struct dm_snapshot *s;
++ list_for_each_entry(s, &o->snapshots, list)
++ if (unlikely(!wait_for_in_progress(s, true)))
++ goto again;
++ }
++
+ r = __origin_write(&o->snapshots, bio->bi_iter.bi_sector, bio);
++ }
+ up_read(&_origins_lock);
+
+ return r;
+@@ -2618,7 +2668,7 @@ static int origin_map(struct dm_target *ti, struct bio *bio)
+ dm_accept_partial_bio(bio, available_sectors);
+
+ /* Only tell snapshots if this is a write */
+- return do_origin(o->dev, bio);
++ return do_origin(o->dev, bio, true);
+ }
+
+ /*
+--
+2.20.1
+
--- /dev/null
+From ba30f27176440b5010d47ccde1ef507a51a83fff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Oct 2019 11:53:37 +0200
+Subject: drm/amdgpu: fix memory leak
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nirmoy Das <nirmoy.das@amd.com>
+
+[ Upstream commit 083164dbdb17c5ea4ad92c1782b59c9d75567790 ]
+
+cleanup error handling code and make sure temporary info array
+with the handles are freed by amdgpu_bo_list_put() on
+idr_replace()'s failure.
+
+Signed-off-by: Nirmoy Das <nirmoy.das@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
+index 7bcf86c619995..61e38e43ad1d5 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
+@@ -270,7 +270,7 @@ int amdgpu_bo_list_ioctl(struct drm_device *dev, void *data,
+
+ r = amdgpu_bo_create_list_entry_array(&args->in, &info);
+ if (r)
+- goto error_free;
++ return r;
+
+ switch (args->in.operation) {
+ case AMDGPU_BO_LIST_OP_CREATE:
+@@ -283,8 +283,7 @@ int amdgpu_bo_list_ioctl(struct drm_device *dev, void *data,
+ r = idr_alloc(&fpriv->bo_list_handles, list, 1, 0, GFP_KERNEL);
+ mutex_unlock(&fpriv->bo_list_lock);
+ if (r < 0) {
+- amdgpu_bo_list_put(list);
+- return r;
++ goto error_put_list;
+ }
+
+ handle = r;
+@@ -306,9 +305,8 @@ int amdgpu_bo_list_ioctl(struct drm_device *dev, void *data,
+ mutex_unlock(&fpriv->bo_list_lock);
+
+ if (IS_ERR(old)) {
+- amdgpu_bo_list_put(list);
+ r = PTR_ERR(old);
+- goto error_free;
++ goto error_put_list;
+ }
+
+ amdgpu_bo_list_put(old);
+@@ -325,8 +323,10 @@ int amdgpu_bo_list_ioctl(struct drm_device *dev, void *data,
+
+ return 0;
+
++error_put_list:
++ amdgpu_bo_list_put(list);
++
+ error_free:
+- if (info)
+- kvfree(info);
++ kvfree(info);
+ return r;
+ }
+--
+2.20.1
+
--- /dev/null
+From 4b50d02df8140693871466c88304cb47e5cb265d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Oct 2019 18:58:58 +0200
+Subject: efi/cper: Fix endianness of PCIe class code
+
+From: Lukas Wunner <lukas@wunner.de>
+
+[ Upstream commit 6fb9367a15d1a126d222d738b2702c7958594a5f ]
+
+The CPER parser assumes that the class code is big endian, but at least
+on this edk2-derived Intel Purley platform it's little endian:
+
+ efi: EFI v2.50 by EDK II BIOS ID:PLYDCRB1.86B.0119.R05.1701181843
+ DMI: Intel Corporation PURLEY/PURLEY, BIOS PLYDCRB1.86B.0119.R05.1701181843 01/18/2017
+
+ {1}[Hardware Error]: device_id: 0000:5d:00.0
+ {1}[Hardware Error]: slot: 0
+ {1}[Hardware Error]: secondary_bus: 0x5e
+ {1}[Hardware Error]: vendor_id: 0x8086, device_id: 0x2030
+ {1}[Hardware Error]: class_code: 000406
+ ^^^^^^ (should be 060400)
+
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Ben Dooks <ben.dooks@codethink.co.uk>
+Cc: Dave Young <dyoung@redhat.com>
+Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Cc: Jerry Snitselaar <jsnitsel@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Lyude Paul <lyude@redhat.com>
+Cc: Matthew Garrett <mjg59@google.com>
+Cc: Octavian Purdila <octavian.purdila@intel.com>
+Cc: Peter Jones <pjones@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Scott Talbert <swt@techie.net>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Cc: linux-integrity@vger.kernel.org
+Link: https://lkml.kernel.org/r/20191002165904.8819-2-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/cper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c
+index addf0749dd8b6..b1af0de2e1008 100644
+--- a/drivers/firmware/efi/cper.c
++++ b/drivers/firmware/efi/cper.c
+@@ -381,7 +381,7 @@ static void cper_print_pcie(const char *pfx, const struct cper_sec_pcie *pcie,
+ printk("%s""vendor_id: 0x%04x, device_id: 0x%04x\n", pfx,
+ pcie->device_id.vendor_id, pcie->device_id.device_id);
+ p = pcie->device_id.class_code;
+- printk("%s""class_code: %02x%02x%02x\n", pfx, p[0], p[1], p[2]);
++ printk("%s""class_code: %02x%02x%02x\n", pfx, p[2], p[1], p[0]);
+ }
+ if (pcie->validation_bits & CPER_PCIE_VALID_SERIAL_NUMBER)
+ printk("%s""serial number: 0x%04x, 0x%04x\n", pfx,
+--
+2.20.1
+
--- /dev/null
+From 163456fc9ef0470ee7c441236f2118bce788a1c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Oct 2019 18:59:04 +0200
+Subject: efi/x86: Do not clean dummy variable in kexec path
+
+From: Dave Young <dyoung@redhat.com>
+
+[ Upstream commit 2ecb7402cfc7f22764e7bbc80790e66eadb20560 ]
+
+kexec reboot fails randomly in UEFI based KVM guest. The firmware
+just resets while calling efi_delete_dummy_variable(); Unfortunately
+I don't know how to debug the firmware, it is also possible a potential
+problem on real hardware as well although nobody reproduced it.
+
+The intention of the efi_delete_dummy_variable is to trigger garbage collection
+when entering virtual mode. But SetVirtualAddressMap can only run once
+for each physical reboot, thus kexec_enter_virtual_mode() is not necessarily
+a good place to clean a dummy object.
+
+Drop the efi_delete_dummy_variable so that kexec reboot can work.
+
+Signed-off-by: Dave Young <dyoung@redhat.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Acked-by: Matthew Garrett <mjg59@google.com>
+Cc: Ben Dooks <ben.dooks@codethink.co.uk>
+Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Cc: Jerry Snitselaar <jsnitsel@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Lukas Wunner <lukas@wunner.de>
+Cc: Lyude Paul <lyude@redhat.com>
+Cc: Octavian Purdila <octavian.purdila@intel.com>
+Cc: Peter Jones <pjones@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Scott Talbert <swt@techie.net>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Cc: linux-integrity@vger.kernel.org
+Link: https://lkml.kernel.org/r/20191002165904.8819-8-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/platform/efi/efi.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
+index a7189a3b4d70f..3304f61538a26 100644
+--- a/arch/x86/platform/efi/efi.c
++++ b/arch/x86/platform/efi/efi.c
+@@ -894,9 +894,6 @@ static void __init kexec_enter_virtual_mode(void)
+
+ if (efi_enabled(EFI_OLD_MEMMAP) && (__supported_pte_mask & _PAGE_NX))
+ runtime_code_page_mkexec();
+-
+- /* clean DUMMY object */
+- efi_delete_dummy_variable();
+ #endif
+ }
+
+--
+2.20.1
+
--- /dev/null
+From f56bf5ffe3b7301dc696fe802ee67c35eb64e2af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2019 16:34:13 +0900
+Subject: fs: cifs: mute -Wunused-const-variable message
+
+From: Austin Kim <austindh.kim@gmail.com>
+
+[ Upstream commit dd19c106a36690b47bb1acc68372f2b472b495b8 ]
+
+After 'Initial git repository build' commit,
+'mapping_table_ERRHRD' variable has not been used.
+
+So 'mapping_table_ERRHRD' const variable could be removed
+to mute below warning message:
+
+ fs/cifs/netmisc.c:120:40: warning: unused variable 'mapping_table_ERRHRD' [-Wunused-const-variable]
+ static const struct smb_to_posix_error mapping_table_ERRHRD[] = {
+ ^
+Signed-off-by: Austin Kim <austindh.kim@gmail.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/netmisc.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/fs/cifs/netmisc.c b/fs/cifs/netmisc.c
+index ed92958e842d3..657f409d4de06 100644
+--- a/fs/cifs/netmisc.c
++++ b/fs/cifs/netmisc.c
+@@ -117,10 +117,6 @@ static const struct smb_to_posix_error mapping_table_ERRSRV[] = {
+ {0, 0}
+ };
+
+-static const struct smb_to_posix_error mapping_table_ERRHRD[] = {
+- {0, 0}
+-};
+-
+ /*
+ * Convert a string containing text IPv4 or IPv6 address to binary form.
+ *
+--
+2.20.1
+
--- /dev/null
+From 28ed5bacd805458cd2315df327009c051f027250 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Oct 2019 17:57:54 -0700
+Subject: fs: ocfs2: fix a possible null-pointer dereference in
+ ocfs2_write_end_nolock()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit 583fee3e12df0e6f1f66f063b989d8e7fed0e65a ]
+
+In ocfs2_write_end_nolock(), there are an if statement on lines 1976,
+2047 and 2058, to check whether handle is NULL:
+
+ if (handle)
+
+When handle is NULL, it is used on line 2045:
+
+ ocfs2_update_inode_fsync_trans(handle, inode, 1);
+ oi->i_sync_tid = handle->h_transaction->t_tid;
+
+Thus, a possible null-pointer dereference may occur.
+
+To fix this bug, handle is checked before calling
+ocfs2_update_inode_fsync_trans().
+
+This bug is found by a static analysis tool STCheck written by us.
+
+Link: http://lkml.kernel.org/r/20190726033705.32307-1-baijiaju1990@gmail.com
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/aops.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ocfs2/aops.c b/fs/ocfs2/aops.c
+index 3e0a93e799ea1..9b827143a3504 100644
+--- a/fs/ocfs2/aops.c
++++ b/fs/ocfs2/aops.c
+@@ -2042,7 +2042,8 @@ out_write_size:
+ inode->i_mtime = inode->i_ctime = current_time(inode);
+ di->i_mtime = di->i_ctime = cpu_to_le64(inode->i_mtime.tv_sec);
+ di->i_mtime_nsec = di->i_ctime_nsec = cpu_to_le32(inode->i_mtime.tv_nsec);
+- ocfs2_update_inode_fsync_trans(handle, inode, 1);
++ if (handle)
++ ocfs2_update_inode_fsync_trans(handle, inode, 1);
+ }
+ if (handle)
+ ocfs2_journal_dirty(handle, wc->w_di_bh);
+--
+2.20.1
+
--- /dev/null
+From be436659a4196bac557079a5cd241763ce933b41 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Oct 2019 17:57:57 -0700
+Subject: fs: ocfs2: fix a possible null-pointer dereference in
+ ocfs2_info_scan_inode_alloc()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit 2abb7d3b12d007c30193f48bebed781009bebdd2 ]
+
+In ocfs2_info_scan_inode_alloc(), there is an if statement on line 283
+to check whether inode_alloc is NULL:
+
+ if (inode_alloc)
+
+When inode_alloc is NULL, it is used on line 287:
+
+ ocfs2_inode_lock(inode_alloc, &bh, 0);
+ ocfs2_inode_lock_full_nested(inode, ...)
+ struct ocfs2_super *osb = OCFS2_SB(inode->i_sb);
+
+Thus, a possible null-pointer dereference may occur.
+
+To fix this bug, inode_alloc is checked on line 286.
+
+This bug is found by a static analysis tool STCheck written by us.
+
+Link: http://lkml.kernel.org/r/20190726033717.32359-1-baijiaju1990@gmail.com
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ocfs2/ioctl.c b/fs/ocfs2/ioctl.c
+index d6f7b299eb236..efeea208fdebd 100644
+--- a/fs/ocfs2/ioctl.c
++++ b/fs/ocfs2/ioctl.c
+@@ -283,7 +283,7 @@ static int ocfs2_info_scan_inode_alloc(struct ocfs2_super *osb,
+ if (inode_alloc)
+ inode_lock(inode_alloc);
+
+- if (o2info_coherent(&fi->ifi_req)) {
++ if (inode_alloc && o2info_coherent(&fi->ifi_req)) {
+ status = ocfs2_inode_lock(inode_alloc, &bh, 0);
+ if (status < 0) {
+ mlog_errno(status);
+--
+2.20.1
+
--- /dev/null
+From 84e51ae620f429d7705e9268313ef697260e98fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Oct 2019 17:57:50 -0700
+Subject: fs: ocfs2: fix possible null-pointer dereferences in
+ ocfs2_xa_prepare_entry()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit 56e94ea132bb5c2c1d0b60a6aeb34dcb7d71a53d ]
+
+In ocfs2_xa_prepare_entry(), there is an if statement on line 2136 to
+check whether loc->xl_entry is NULL:
+
+ if (loc->xl_entry)
+
+When loc->xl_entry is NULL, it is used on line 2158:
+
+ ocfs2_xa_add_entry(loc, name_hash);
+ loc->xl_entry->xe_name_hash = cpu_to_le32(name_hash);
+ loc->xl_entry->xe_name_offset = cpu_to_le16(loc->xl_size);
+
+and line 2164:
+
+ ocfs2_xa_add_namevalue(loc, xi);
+ loc->xl_entry->xe_value_size = cpu_to_le64(xi->xi_value_len);
+ loc->xl_entry->xe_name_len = xi->xi_name_len;
+
+Thus, possible null-pointer dereferences may occur.
+
+To fix these bugs, if loc-xl_entry is NULL, ocfs2_xa_prepare_entry()
+abnormally returns with -EINVAL.
+
+These bugs are found by a static analysis tool STCheck written by us.
+
+[akpm@linux-foundation.org: remove now-unused ocfs2_xa_add_entry()]
+Link: http://lkml.kernel.org/r/20190726101447.9153-1-baijiaju1990@gmail.com
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: Stephen Rothwell <sfr@canb.auug.org.au>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/xattr.c | 56 ++++++++++++++++++++----------------------------
+ 1 file changed, 23 insertions(+), 33 deletions(-)
+
+diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c
+index 90c830e3758e2..d8507972ee135 100644
+--- a/fs/ocfs2/xattr.c
++++ b/fs/ocfs2/xattr.c
+@@ -1490,18 +1490,6 @@ static int ocfs2_xa_check_space(struct ocfs2_xa_loc *loc,
+ return loc->xl_ops->xlo_check_space(loc, xi);
+ }
+
+-static void ocfs2_xa_add_entry(struct ocfs2_xa_loc *loc, u32 name_hash)
+-{
+- loc->xl_ops->xlo_add_entry(loc, name_hash);
+- loc->xl_entry->xe_name_hash = cpu_to_le32(name_hash);
+- /*
+- * We can't leave the new entry's xe_name_offset at zero or
+- * add_namevalue() will go nuts. We set it to the size of our
+- * storage so that it can never be less than any other entry.
+- */
+- loc->xl_entry->xe_name_offset = cpu_to_le16(loc->xl_size);
+-}
+-
+ static void ocfs2_xa_add_namevalue(struct ocfs2_xa_loc *loc,
+ struct ocfs2_xattr_info *xi)
+ {
+@@ -2133,29 +2121,31 @@ static int ocfs2_xa_prepare_entry(struct ocfs2_xa_loc *loc,
+ if (rc)
+ goto out;
+
+- if (loc->xl_entry) {
+- if (ocfs2_xa_can_reuse_entry(loc, xi)) {
+- orig_value_size = loc->xl_entry->xe_value_size;
+- rc = ocfs2_xa_reuse_entry(loc, xi, ctxt);
+- if (rc)
+- goto out;
+- goto alloc_value;
+- }
++ if (!loc->xl_entry) {
++ rc = -EINVAL;
++ goto out;
++ }
+
+- if (!ocfs2_xattr_is_local(loc->xl_entry)) {
+- orig_clusters = ocfs2_xa_value_clusters(loc);
+- rc = ocfs2_xa_value_truncate(loc, 0, ctxt);
+- if (rc) {
+- mlog_errno(rc);
+- ocfs2_xa_cleanup_value_truncate(loc,
+- "overwriting",
+- orig_clusters);
+- goto out;
+- }
++ if (ocfs2_xa_can_reuse_entry(loc, xi)) {
++ orig_value_size = loc->xl_entry->xe_value_size;
++ rc = ocfs2_xa_reuse_entry(loc, xi, ctxt);
++ if (rc)
++ goto out;
++ goto alloc_value;
++ }
++
++ if (!ocfs2_xattr_is_local(loc->xl_entry)) {
++ orig_clusters = ocfs2_xa_value_clusters(loc);
++ rc = ocfs2_xa_value_truncate(loc, 0, ctxt);
++ if (rc) {
++ mlog_errno(rc);
++ ocfs2_xa_cleanup_value_truncate(loc,
++ "overwriting",
++ orig_clusters);
++ goto out;
+ }
+- ocfs2_xa_wipe_namevalue(loc);
+- } else
+- ocfs2_xa_add_entry(loc, name_hash);
++ }
++ ocfs2_xa_wipe_namevalue(loc);
+
+ /*
+ * If we get here, we have a blank entry. Fill it. We grow our
+--
+2.20.1
+
--- /dev/null
+From 2b388607b5254e3ea2f94489c11ec93b3256a872 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Oct 2019 14:28:23 +0200
+Subject: gpio: max77620: Use correct unit for debounce times
+
+From: Thierry Reding <treding@nvidia.com>
+
+[ Upstream commit fffa6af94894126994a7600c6f6f09b892e89fa9 ]
+
+The gpiod_set_debounce() function takes the debounce time in
+microseconds. Adjust the switch/case values in the MAX77620 GPIO to use
+the correct unit.
+
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Link: https://lore.kernel.org/r/20191002122825.3948322-1-thierry.reding@gmail.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-max77620.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpio/gpio-max77620.c b/drivers/gpio/gpio-max77620.c
+index b7d89e30131e2..06e8caaafa811 100644
+--- a/drivers/gpio/gpio-max77620.c
++++ b/drivers/gpio/gpio-max77620.c
+@@ -192,13 +192,13 @@ static int max77620_gpio_set_debounce(struct max77620_gpio *mgpio,
+ case 0:
+ val = MAX77620_CNFG_GPIO_DBNC_None;
+ break;
+- case 1 ... 8:
++ case 1000 ... 8000:
+ val = MAX77620_CNFG_GPIO_DBNC_8ms;
+ break;
+- case 9 ... 16:
++ case 9000 ... 16000:
+ val = MAX77620_CNFG_GPIO_DBNC_16ms;
+ break;
+- case 17 ... 32:
++ case 17000 ... 32000:
+ val = MAX77620_CNFG_GPIO_DBNC_32ms;
+ break;
+ default:
+--
+2.20.1
+
--- /dev/null
+From 775a63b666a7c82704fde781929a2fb3575b86e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2019 02:56:34 +0000
+Subject: HID: hyperv: Use in-place iterator API in the channel callback
+
+From: Dexuan Cui <decui@microsoft.com>
+
+[ Upstream commit 6a297c90efa68b2864483193b8bfb0d19478600c ]
+
+Simplify the ring buffer handling with the in-place API.
+
+Also avoid the dynamic allocation and the memory leak in the channel
+callback function.
+
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Acked-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-hyperv.c | 56 +++++++---------------------------------
+ 1 file changed, 10 insertions(+), 46 deletions(-)
+
+diff --git a/drivers/hid/hid-hyperv.c b/drivers/hid/hid-hyperv.c
+index 7795831d37c21..f363163200759 100644
+--- a/drivers/hid/hid-hyperv.c
++++ b/drivers/hid/hid-hyperv.c
+@@ -314,60 +314,24 @@ static void mousevsc_on_receive(struct hv_device *device,
+
+ static void mousevsc_on_channel_callback(void *context)
+ {
+- const int packet_size = 0x100;
+- int ret;
+ struct hv_device *device = context;
+- u32 bytes_recvd;
+- u64 req_id;
+ struct vmpacket_descriptor *desc;
+- unsigned char *buffer;
+- int bufferlen = packet_size;
+-
+- buffer = kmalloc(bufferlen, GFP_ATOMIC);
+- if (!buffer)
+- return;
+-
+- do {
+- ret = vmbus_recvpacket_raw(device->channel, buffer,
+- bufferlen, &bytes_recvd, &req_id);
+-
+- switch (ret) {
+- case 0:
+- if (bytes_recvd <= 0) {
+- kfree(buffer);
+- return;
+- }
+- desc = (struct vmpacket_descriptor *)buffer;
+-
+- switch (desc->type) {
+- case VM_PKT_COMP:
+- break;
+-
+- case VM_PKT_DATA_INBAND:
+- mousevsc_on_receive(device, desc);
+- break;
+-
+- default:
+- pr_err("unhandled packet type %d, tid %llx len %d\n",
+- desc->type, req_id, bytes_recvd);
+- break;
+- }
+
++ foreach_vmbus_pkt(desc, device->channel) {
++ switch (desc->type) {
++ case VM_PKT_COMP:
+ break;
+
+- case -ENOBUFS:
+- kfree(buffer);
+- /* Handle large packet */
+- bufferlen = bytes_recvd;
+- buffer = kmalloc(bytes_recvd, GFP_ATOMIC);
+-
+- if (!buffer)
+- return;
++ case VM_PKT_DATA_INBAND:
++ mousevsc_on_receive(device, desc);
++ break;
+
++ default:
++ pr_err("Unhandled packet type %d, tid %llx len %d\n",
++ desc->type, desc->trans_id, desc->len8 * 8);
+ break;
+ }
+- } while (1);
+-
++ }
+ }
+
+ static int mousevsc_connect_to_vsp(struct hv_device *device)
+--
+2.20.1
+
--- /dev/null
+From 615f90e75f961343ea9170b5135c49efe389beee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Sep 2019 12:54:10 +0200
+Subject: iio: adc: meson_saradc: Fix memory allocation order
+
+From: Remi Pommarel <repk@triplefau.lt>
+
+[ Upstream commit de10ac47597e7a3596b27631d0d5ce5f48d2c099 ]
+
+meson_saradc's irq handler uses priv->regmap so make sure that it is
+allocated before the irq get enabled.
+
+This also fixes crash when CONFIG_DEBUG_SHIRQ is enabled, as device
+managed resources are freed in the inverted order they had been
+allocated, priv->regmap was freed before the spurious fake irq that
+CONFIG_DEBUG_SHIRQ adds called the handler.
+
+Fixes: 3af109131b7eb8 ("iio: adc: meson-saradc: switch from polling to interrupt mode")
+Reported-by: Elie Roudninski <xademax@gmail.com>
+Signed-off-by: Remi Pommarel <repk@triplefau.lt>
+Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Tested-by: Elie ROUDNINSKI <xademax@gmail.com>
+Reviewed-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/meson_saradc.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/iio/adc/meson_saradc.c b/drivers/iio/adc/meson_saradc.c
+index 7b28d045d2719..7b27306330a35 100644
+--- a/drivers/iio/adc/meson_saradc.c
++++ b/drivers/iio/adc/meson_saradc.c
+@@ -1219,6 +1219,11 @@ static int meson_sar_adc_probe(struct platform_device *pdev)
+ if (IS_ERR(base))
+ return PTR_ERR(base);
+
++ priv->regmap = devm_regmap_init_mmio(&pdev->dev, base,
++ priv->param->regmap_config);
++ if (IS_ERR(priv->regmap))
++ return PTR_ERR(priv->regmap);
++
+ irq = irq_of_parse_and_map(pdev->dev.of_node, 0);
+ if (!irq)
+ return -EINVAL;
+@@ -1228,11 +1233,6 @@ static int meson_sar_adc_probe(struct platform_device *pdev)
+ if (ret)
+ return ret;
+
+- priv->regmap = devm_regmap_init_mmio(&pdev->dev, base,
+- priv->param->regmap_config);
+- if (IS_ERR(priv->regmap))
+- return PTR_ERR(priv->regmap);
+-
+ priv->clkin = devm_clk_get(&pdev->dev, "clkin");
+ if (IS_ERR(priv->clkin)) {
+ dev_err(&pdev->dev, "failed to get clkin\n");
+--
+2.20.1
+
--- /dev/null
+From bd6147afbc7644d3a192d6c988c5e1f5603fe966 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2019 07:29:41 +0200
+Subject: iio: fix center temperature of bmc150-accel-core
+
+From: Pascal Bouwmann <bouwmann@tau-tec.de>
+
+[ Upstream commit 6c59a962e081df6d8fe43325bbfabec57e0d4751 ]
+
+The center temperature of the supported devices stored in the constant
+BMC150_ACCEL_TEMP_CENTER_VAL is not 24 degrees but 23 degrees.
+
+It seems that some datasheets were inconsistent on this value leading
+to the error. For most usecases will only make minor difference so
+not queued for stable.
+
+Signed-off-by: Pascal Bouwmann <bouwmann@tau-tec.de>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/accel/bmc150-accel-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iio/accel/bmc150-accel-core.c b/drivers/iio/accel/bmc150-accel-core.c
+index cf6c0e3a83d38..121b4e89f038c 100644
+--- a/drivers/iio/accel/bmc150-accel-core.c
++++ b/drivers/iio/accel/bmc150-accel-core.c
+@@ -117,7 +117,7 @@
+ #define BMC150_ACCEL_SLEEP_1_SEC 0x0F
+
+ #define BMC150_ACCEL_REG_TEMP 0x08
+-#define BMC150_ACCEL_TEMP_CENTER_VAL 24
++#define BMC150_ACCEL_TEMP_CENTER_VAL 23
+
+ #define BMC150_ACCEL_AXIS_TO_REG(axis) (BMC150_ACCEL_REG_XOUT_L + (axis * 2))
+ #define BMC150_AUTO_SUSPEND_DELAY_MS 2000
+--
+2.20.1
+
--- /dev/null
+From ae520d7305b8430db0f8606613a4febcc308d1d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Sep 2019 10:56:35 -0500
+Subject: iio: imu: adis16400: fix memory leak
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit 9c0530e898f384c5d279bfcebd8bb17af1105873 ]
+
+In adis_update_scan_mode_burst, if adis->buffer allocation fails release
+the adis->xfer.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Reviewed-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/imu/adis_buffer.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iio/imu/adis_buffer.c b/drivers/iio/imu/adis_buffer.c
+index f446ff4978091..4998a89d083d5 100644
+--- a/drivers/iio/imu/adis_buffer.c
++++ b/drivers/iio/imu/adis_buffer.c
+@@ -35,8 +35,11 @@ static int adis_update_scan_mode_burst(struct iio_dev *indio_dev,
+ return -ENOMEM;
+
+ adis->buffer = kzalloc(burst_length + sizeof(u16), GFP_KERNEL);
+- if (!adis->buffer)
++ if (!adis->buffer) {
++ kfree(adis->xfer);
++ adis->xfer = NULL;
+ return -ENOMEM;
++ }
+
+ tx = adis->buffer + burst_length;
+ tx[0] = ADIS_READ_REG(adis->burst->reg_cmd);
+--
+2.20.1
+
--- /dev/null
+From 29b912645d78aa1e79d8ceb6f74ed256ccb8c1be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Sep 2019 10:50:02 -0500
+Subject: iio: imu: adis16400: release allocated memory on failure
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit ab612b1daf415b62c58e130cb3d0f30b255a14d0 ]
+
+In adis_update_scan_mode, if allocation for adis->buffer fails,
+previously allocated adis->xfer needs to be released.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Reviewed-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/imu/adis_buffer.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iio/imu/adis_buffer.c b/drivers/iio/imu/adis_buffer.c
+index 9ac8356d9a954..f446ff4978091 100644
+--- a/drivers/iio/imu/adis_buffer.c
++++ b/drivers/iio/imu/adis_buffer.c
+@@ -78,8 +78,11 @@ int adis_update_scan_mode(struct iio_dev *indio_dev,
+ return -ENOMEM;
+
+ adis->buffer = kcalloc(indio_dev->scan_bytes, 2, GFP_KERNEL);
+- if (!adis->buffer)
++ if (!adis->buffer) {
++ kfree(adis->xfer);
++ adis->xfer = NULL;
+ return -ENOMEM;
++ }
+
+ rx = adis->buffer;
+ tx = rx + scan_count;
+--
+2.20.1
+
--- /dev/null
+From 0ef787e88c3754246fa46048876b7d6d91566407 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Sep 2019 00:01:29 +0200
+Subject: iio: imu: st_lsm6dsx: fix waitime for st_lsm6dsx i2c controller
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit fdb828e2c71a09bb9e865f41b015597c5f671705 ]
+
+i2c controller available in st_lsm6dsx series performs i2c slave
+configuration using accel clock as trigger.
+st_lsm6dsx_shub_wait_complete routine is used to wait the controller has
+carried out the requested configuration. However if the accel sensor is not
+enabled we should not use its configured odr to estimate a proper timeout
+
+Fixes: c91c1c844ebd ("iio: imu: st_lsm6dsx: add i2c embedded controller support")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_shub.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_shub.c b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_shub.c
+index 66fbcd94642d4..4c754a02717b3 100644
+--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_shub.c
++++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_shub.c
+@@ -92,9 +92,11 @@ static const struct st_lsm6dsx_ext_dev_settings st_lsm6dsx_ext_dev_table[] = {
+ static void st_lsm6dsx_shub_wait_complete(struct st_lsm6dsx_hw *hw)
+ {
+ struct st_lsm6dsx_sensor *sensor;
++ u16 odr;
+
+ sensor = iio_priv(hw->iio_devs[ST_LSM6DSX_ID_ACC]);
+- msleep((2000U / sensor->odr) + 1);
++ odr = (hw->enable_mask & BIT(ST_LSM6DSX_ID_ACC)) ? sensor->odr : 13;
++ msleep((2000U / odr) + 1);
+ }
+
+ /**
+--
+2.20.1
+
--- /dev/null
+From fd19d7d2bbf33d26d139b6dc4a6c495c44fc7a36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Oct 2019 09:20:46 -0600
+Subject: io_uring: fix up O_NONBLOCK handling for sockets
+
+From: Jens Axboe <axboe@kernel.dk>
+
+[ Upstream commit 491381ce07ca57f68c49c79a8a43da5b60749e32 ]
+
+We've got two issues with the non-regular file handling for non-blocking
+IO:
+
+1) We don't want to re-do a short read in full for a non-regular file,
+ as we can't just read the data again.
+2) For non-regular files that don't support non-blocking IO attempts,
+ we need to punt to async context even if the file is opened as
+ non-blocking. Otherwise the caller always gets -EAGAIN.
+
+Add two new request flags to handle these cases. One is just a cache
+of the inode S_ISREG() status, the other tells io_uring that we always
+need to punt this request to async context, even if REQ_F_NOWAIT is set.
+
+Cc: stable@vger.kernel.org
+Reported-by: Hrvoje Zeba <zeba.hrvoje@gmail.com>
+Tested-by: Hrvoje Zeba <zeba.hrvoje@gmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/io_uring.c | 57 +++++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 39 insertions(+), 18 deletions(-)
+
+diff --git a/fs/io_uring.c b/fs/io_uring.c
+index ed223c33dd898..59925b6583ba0 100644
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -338,6 +338,8 @@ struct io_kiocb {
+ #define REQ_F_LINK 64 /* linked sqes */
+ #define REQ_F_LINK_DONE 128 /* linked sqes done */
+ #define REQ_F_FAIL_LINK 256 /* fail rest of links */
++#define REQ_F_ISREG 2048 /* regular file */
++#define REQ_F_MUST_PUNT 4096 /* must be punted even for NONBLOCK */
+ u64 user_data;
+ u32 result;
+ u32 sequence;
+@@ -885,26 +887,26 @@ static int io_iopoll_check(struct io_ring_ctx *ctx, unsigned *nr_events,
+ return ret;
+ }
+
+-static void kiocb_end_write(struct kiocb *kiocb)
++static void kiocb_end_write(struct io_kiocb *req)
+ {
+- if (kiocb->ki_flags & IOCB_WRITE) {
+- struct inode *inode = file_inode(kiocb->ki_filp);
++ /*
++ * Tell lockdep we inherited freeze protection from submission
++ * thread.
++ */
++ if (req->flags & REQ_F_ISREG) {
++ struct inode *inode = file_inode(req->file);
+
+- /*
+- * Tell lockdep we inherited freeze protection from submission
+- * thread.
+- */
+- if (S_ISREG(inode->i_mode))
+- __sb_writers_acquired(inode->i_sb, SB_FREEZE_WRITE);
+- file_end_write(kiocb->ki_filp);
++ __sb_writers_acquired(inode->i_sb, SB_FREEZE_WRITE);
+ }
++ file_end_write(req->file);
+ }
+
+ static void io_complete_rw(struct kiocb *kiocb, long res, long res2)
+ {
+ struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw);
+
+- kiocb_end_write(kiocb);
++ if (kiocb->ki_flags & IOCB_WRITE)
++ kiocb_end_write(req);
+
+ if ((req->flags & REQ_F_LINK) && res != req->result)
+ req->flags |= REQ_F_FAIL_LINK;
+@@ -916,7 +918,8 @@ static void io_complete_rw_iopoll(struct kiocb *kiocb, long res, long res2)
+ {
+ struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw);
+
+- kiocb_end_write(kiocb);
++ if (kiocb->ki_flags & IOCB_WRITE)
++ kiocb_end_write(req);
+
+ if ((req->flags & REQ_F_LINK) && res != req->result)
+ req->flags |= REQ_F_FAIL_LINK;
+@@ -1030,8 +1033,17 @@ static int io_prep_rw(struct io_kiocb *req, const struct sqe_submit *s,
+ if (!req->file)
+ return -EBADF;
+
+- if (force_nonblock && !io_file_supports_async(req->file))
+- force_nonblock = false;
++ if (S_ISREG(file_inode(req->file)->i_mode))
++ req->flags |= REQ_F_ISREG;
++
++ /*
++ * If the file doesn't support async, mark it as REQ_F_MUST_PUNT so
++ * we know to async punt it even if it was opened O_NONBLOCK
++ */
++ if (force_nonblock && !io_file_supports_async(req->file)) {
++ req->flags |= REQ_F_MUST_PUNT;
++ return -EAGAIN;
++ }
+
+ kiocb->ki_pos = READ_ONCE(sqe->off);
+ kiocb->ki_flags = iocb_flags(kiocb->ki_filp);
+@@ -1052,7 +1064,8 @@ static int io_prep_rw(struct io_kiocb *req, const struct sqe_submit *s,
+ return ret;
+
+ /* don't allow async punt if RWF_NOWAIT was requested */
+- if (kiocb->ki_flags & IOCB_NOWAIT)
++ if ((kiocb->ki_flags & IOCB_NOWAIT) ||
++ (req->file->f_flags & O_NONBLOCK))
+ req->flags |= REQ_F_NOWAIT;
+
+ if (force_nonblock)
+@@ -1286,7 +1299,9 @@ static int io_read(struct io_kiocb *req, const struct sqe_submit *s,
+ * need async punt anyway, so it's more efficient to do it
+ * here.
+ */
+- if (force_nonblock && ret2 > 0 && ret2 < read_size)
++ if (force_nonblock && !(req->flags & REQ_F_NOWAIT) &&
++ (req->flags & REQ_F_ISREG) &&
++ ret2 > 0 && ret2 < read_size)
+ ret2 = -EAGAIN;
+ /* Catch -EAGAIN return for forced non-blocking submission */
+ if (!force_nonblock || ret2 != -EAGAIN) {
+@@ -1353,7 +1368,7 @@ static int io_write(struct io_kiocb *req, const struct sqe_submit *s,
+ * released so that it doesn't complain about the held lock when
+ * we return to userspace.
+ */
+- if (S_ISREG(file_inode(file)->i_mode)) {
++ if (req->flags & REQ_F_ISREG) {
+ __sb_start_write(file_inode(file)->i_sb,
+ SB_FREEZE_WRITE, true);
+ __sb_writers_release(file_inode(file)->i_sb,
+@@ -2096,7 +2111,13 @@ static int io_queue_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req,
+ }
+
+ ret = __io_submit_sqe(ctx, req, s, true);
+- if (ret == -EAGAIN && !(req->flags & REQ_F_NOWAIT)) {
++
++ /*
++ * We async punt it if the file wasn't marked NOWAIT, or if the file
++ * doesn't support non-blocking read/write attempts
++ */
++ if (ret == -EAGAIN && (!(req->flags & REQ_F_NOWAIT) ||
++ (req->flags & REQ_F_MUST_PUNT))) {
+ struct io_uring_sqe *sqe_copy;
+
+ sqe_copy = kmalloc(sizeof(*sqe_copy), GFP_KERNEL);
+--
+2.20.1
+
--- /dev/null
+From c934c25c63be67fee7b66b89a48e680d2ef5ad9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Sep 2019 18:52:19 +0100
+Subject: kselftest: exclude failed TARGETS from runlist
+
+From: Cristian Marussi <cristian.marussi@arm.com>
+
+[ Upstream commit 131b30c94fbc0adb15f911609884dd39dada8f00 ]
+
+A TARGET which failed to be built/installed should not be included in the
+runlist generated inside the run_kselftest.sh script.
+
+Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/Makefile | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile
+index 25b43a8c2b159..1779923d7a7b8 100644
+--- a/tools/testing/selftests/Makefile
++++ b/tools/testing/selftests/Makefile
+@@ -198,8 +198,12 @@ ifdef INSTALL_PATH
+ echo " cat /dev/null > \$$logfile" >> $(ALL_SCRIPT)
+ echo "fi" >> $(ALL_SCRIPT)
+
++ @# While building run_kselftest.sh skip also non-existent TARGET dirs:
++ @# they could be the result of a build failure and should NOT be
++ @# included in the generated runlist.
+ for TARGET in $(TARGETS); do \
+ BUILD_TARGET=$$BUILD/$$TARGET; \
++ [ ! -d $$INSTALL_PATH/$$TARGET ] && echo "Skipping non-existent dir: $$TARGET" && continue; \
+ echo "[ -w /dev/kmsg ] && echo \"kselftest: Running tests in $$TARGET\" >> /dev/kmsg" >> $(ALL_SCRIPT); \
+ echo "cd $$TARGET" >> $(ALL_SCRIPT); \
+ echo -n "run_many" >> $(ALL_SCRIPT); \
+--
+2.20.1
+
--- /dev/null
+From 6e4bf6f6a2591aea20ec30865533cc18c13f9004 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Sep 2019 12:59:23 -0700
+Subject: libsubcmd: Make _FORTIFY_SOURCE defines dependent on the feature
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit 4b0b2b096da9d296e0e5668cdfba8613bd6f5bc8 ]
+
+Unconditionally defining _FORTIFY_SOURCE can break tools that don't work
+with it, such as memory sanitizers:
+
+ https://github.com/google/sanitizers/wiki/AddressSanitizer#faq
+
+Fixes: 4b6ab94eabe4 ("perf subcmd: Create subcmd library")
+Signed-off-by: Ian Rogers <irogers@google.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Link: http://lore.kernel.org/lkml/20190925195924.152834-1-irogers@google.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/subcmd/Makefile | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/tools/lib/subcmd/Makefile b/tools/lib/subcmd/Makefile
+index ed61fb3a46c08..5b2cd5e58df09 100644
+--- a/tools/lib/subcmd/Makefile
++++ b/tools/lib/subcmd/Makefile
+@@ -20,7 +20,13 @@ MAKEFLAGS += --no-print-directory
+ LIBFILE = $(OUTPUT)libsubcmd.a
+
+ CFLAGS := $(EXTRA_WARNINGS) $(EXTRA_CFLAGS)
+-CFLAGS += -ggdb3 -Wall -Wextra -std=gnu99 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fPIC
++CFLAGS += -ggdb3 -Wall -Wextra -std=gnu99 -fPIC
++
++ifeq ($(DEBUG),0)
++ ifeq ($(feature-fortify-source), 1)
++ CFLAGS += -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2
++ endif
++endif
+
+ ifeq ($(CC_NO_CLANG), 0)
+ CFLAGS += -O3
+--
+2.20.1
+
--- /dev/null
+From 451bc01da4bbe7258aa4377a4479953bc465d061 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2019 17:10:56 +0200
+Subject: MIPS: fw: sni: Fix out of bounds init of o32 stack
+
+From: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+
+[ Upstream commit efcb529694c3b707dc0471b312944337ba16e4dd ]
+
+Use ARRAY_SIZE to caluculate the top of the o32 stack.
+
+Signed-off-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: linux-mips@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/fw/sni/sniprom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/mips/fw/sni/sniprom.c b/arch/mips/fw/sni/sniprom.c
+index 8772617b64cef..80112f2298b68 100644
+--- a/arch/mips/fw/sni/sniprom.c
++++ b/arch/mips/fw/sni/sniprom.c
+@@ -43,7 +43,7 @@
+
+ /* O32 stack has to be 8-byte aligned. */
+ static u64 o32_stk[4096];
+-#define O32_STK &o32_stk[sizeof(o32_stk)]
++#define O32_STK (&o32_stk[ARRAY_SIZE(o32_stk)])
+
+ #define __PROM_O32(fun, arg) fun arg __asm__(#fun); \
+ __asm__(#fun " = call_o32")
+--
+2.20.1
+
--- /dev/null
+From 54a2b67fd80d9a5fe1b976efad4f513b495b58e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Oct 2019 15:12:32 +0200
+Subject: MIPS: include: Mark __cmpxchg as __always_inline
+
+From: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+
+[ Upstream commit 88356d09904bc606182c625575237269aeece22e ]
+
+Commit ac7c3e4ff401 ("compiler: enable CONFIG_OPTIMIZE_INLINING
+forcibly") allows compiler to uninline functions marked as 'inline'.
+In cace of cmpxchg this would cause to reference function
+__cmpxchg_called_with_bad_pointer, which is a error case
+for catching bugs and will not happen for correct code, if
+__cmpxchg is inlined.
+
+Signed-off-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+[paul.burton@mips.com: s/__cmpxchd/__cmpxchg in subject]
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: linux-mips@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/cmpxchg.h | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch/mips/include/asm/cmpxchg.h b/arch/mips/include/asm/cmpxchg.h
+index c8a47d18f6288..319522fa3a45e 100644
+--- a/arch/mips/include/asm/cmpxchg.h
++++ b/arch/mips/include/asm/cmpxchg.h
+@@ -153,8 +153,9 @@ static inline unsigned long __xchg(volatile void *ptr, unsigned long x,
+ extern unsigned long __cmpxchg_small(volatile void *ptr, unsigned long old,
+ unsigned long new, unsigned int size);
+
+-static inline unsigned long __cmpxchg(volatile void *ptr, unsigned long old,
+- unsigned long new, unsigned int size)
++static __always_inline
++unsigned long __cmpxchg(volatile void *ptr, unsigned long old,
++ unsigned long new, unsigned int size)
+ {
+ switch (size) {
+ case 1:
+--
+2.20.1
+
--- /dev/null
+From 3d9d512843e328fe15df9892520d6138ce7faf7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2019 12:06:00 +0200
+Subject: MIPS: include: Mark __xchg as __always_inline
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+
+[ Upstream commit 46f1619500d022501a4f0389f9f4c349ab46bb86 ]
+
+Commit ac7c3e4ff401 ("compiler: enable CONFIG_OPTIMIZE_INLINING
+forcibly") allows compiler to uninline functions marked as 'inline'.
+In cace of __xchg this would cause to reference function
+__xchg_called_with_bad_pointer, which is an error case
+for catching bugs and will not happen for correct code, if
+__xchg is inlined.
+
+Signed-off-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: linux-mips@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/cmpxchg.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/mips/include/asm/cmpxchg.h b/arch/mips/include/asm/cmpxchg.h
+index 319522fa3a45e..2b61052e10c94 100644
+--- a/arch/mips/include/asm/cmpxchg.h
++++ b/arch/mips/include/asm/cmpxchg.h
+@@ -77,8 +77,8 @@ extern unsigned long __xchg_called_with_bad_pointer(void)
+ extern unsigned long __xchg_small(volatile void *ptr, unsigned long val,
+ unsigned int size);
+
+-static inline unsigned long __xchg(volatile void *ptr, unsigned long x,
+- int size)
++static __always_inline
++unsigned long __xchg(volatile void *ptr, unsigned long x, int size)
+ {
+ switch (size) {
+ case 1:
+--
+2.20.1
+
--- /dev/null
+From 7affa871abb1d689155211a0d2d133abe1901cc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Sep 2019 10:27:41 -0500
+Subject: misc: fastrpc: prevent memory leak in fastrpc_dma_buf_attach
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit fc739a058d99c9297ef6bfd923b809d85855b9a9 ]
+
+In fastrpc_dma_buf_attach if dma_get_sgtable fails the allocated memory
+for a should be released.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Link: https://lore.kernel.org/r/20190925152742.16258-1-navid.emamdoost@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/fastrpc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
+index 98603e235cf04..a76b6c6fd660f 100644
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -499,6 +499,7 @@ static int fastrpc_dma_buf_attach(struct dma_buf *dmabuf,
+ FASTRPC_PHYS(buffer->phys), buffer->size);
+ if (ret < 0) {
+ dev_err(buffer->dev, "failed to get scatterlist from DMA API\n");
++ kfree(a);
+ return -EINVAL;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 1454bad6d1de1cd413ead7d5905651b6501d74b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Sep 2019 11:44:27 +0530
+Subject: nbd: fix possible sysfs duplicate warning
+
+From: Xiubo Li <xiubli@redhat.com>
+
+[ Upstream commit 862488105b84ca744b3d8ff131e0fcfe10644be1 ]
+
+1. nbd_put takes the mutex and drops nbd->ref to 0. It then does
+idr_remove and drops the mutex.
+
+2. nbd_genl_connect takes the mutex. idr_find/idr_for_each fails
+to find an existing device, so it does nbd_dev_add.
+
+3. just before the nbd_put could call nbd_dev_remove or not finished
+totally, but if nbd_dev_add try to add_disk, we can hit:
+
+debugfs: Directory 'nbd1' with parent 'block' already present!
+
+This patch will make sure all the disk add/remove stuff are done
+by holding the nbd_index_mutex lock.
+
+Reported-by: Mike Christie <mchristi@redhat.com>
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Xiubo Li <xiubli@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/nbd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index 0b727f7432f9e..bd164192045b0 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -230,8 +230,8 @@ static void nbd_put(struct nbd_device *nbd)
+ if (refcount_dec_and_mutex_lock(&nbd->refs,
+ &nbd_index_mutex)) {
+ idr_remove(&nbd_index_idr, nbd->index);
+- mutex_unlock(&nbd_index_mutex);
+ nbd_dev_remove(nbd);
++ mutex_unlock(&nbd_index_mutex);
+ }
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 9eb694da444b641468d53ec26e693588c7df5cd3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Sep 2019 14:29:38 +0800
+Subject: nfs: Fix nfsi->nrequests count error on nfs_inode_remove_request
+
+From: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
+
+[ Upstream commit 33ea5aaa87cdae0f9af4d6b7ee4f650a1a36fd1d ]
+
+When xfstests testing, there are some WARNING as below:
+
+WARNING: CPU: 0 PID: 6235 at fs/nfs/inode.c:122 nfs_clear_inode+0x9c/0xd8
+Modules linked in:
+CPU: 0 PID: 6235 Comm: umount.nfs
+Hardware name: linux,dummy-virt (DT)
+pstate: 60000005 (nZCv daif -PAN -UAO)
+pc : nfs_clear_inode+0x9c/0xd8
+lr : nfs_evict_inode+0x60/0x78
+sp : fffffc000f68fc00
+x29: fffffc000f68fc00 x28: fffffe00c53155c0
+x27: fffffe00c5315000 x26: fffffc0009a63748
+x25: fffffc000f68fd18 x24: fffffc000bfaaf40
+x23: fffffc000936d3c0 x22: fffffe00c4ff5e20
+x21: fffffc000bfaaf40 x20: fffffe00c4ff5d10
+x19: fffffc000c056000 x18: 000000000000003c
+x17: 0000000000000000 x16: 0000000000000000
+x15: 0000000000000040 x14: 0000000000000228
+x13: fffffc000c3a2000 x12: 0000000000000045
+x11: 0000000000000000 x10: 0000000000000000
+x9 : 0000000000000000 x8 : 0000000000000000
+x7 : 0000000000000000 x6 : fffffc00084b027c
+x5 : fffffc0009a64000 x4 : fffffe00c0e77400
+x3 : fffffc000c0563a8 x2 : fffffffffffffffb
+x1 : 000000000000764e x0 : 0000000000000001
+Call trace:
+ nfs_clear_inode+0x9c/0xd8
+ nfs_evict_inode+0x60/0x78
+ evict+0x108/0x380
+ dispose_list+0x70/0xa0
+ evict_inodes+0x194/0x210
+ generic_shutdown_super+0xb0/0x220
+ nfs_kill_super+0x40/0x88
+ deactivate_locked_super+0xb4/0x120
+ deactivate_super+0x144/0x160
+ cleanup_mnt+0x98/0x148
+ __cleanup_mnt+0x38/0x50
+ task_work_run+0x114/0x160
+ do_notify_resume+0x2f8/0x308
+ work_pending+0x8/0x14
+
+The nrequest should be increased/decreased only if PG_INODE_REF flag
+was setted.
+
+But in the nfs_inode_remove_request function, it maybe decrease when
+no PG_INODE_REF flag, this maybe lead nrequests count error.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/write.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/nfs/write.c b/fs/nfs/write.c
+index 85ca49549b39b..52cab65f91cf0 100644
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -786,7 +786,6 @@ static void nfs_inode_remove_request(struct nfs_page *req)
+ struct nfs_inode *nfsi = NFS_I(inode);
+ struct nfs_page *head;
+
+- atomic_long_dec(&nfsi->nrequests);
+ if (nfs_page_group_sync_on_bit(req, PG_REMOVE)) {
+ head = req->wb_head;
+
+@@ -799,8 +798,10 @@ static void nfs_inode_remove_request(struct nfs_page *req)
+ spin_unlock(&mapping->private_lock);
+ }
+
+- if (test_and_clear_bit(PG_INODE_REF, &req->wb_flags))
++ if (test_and_clear_bit(PG_INODE_REF, &req->wb_flags)) {
+ nfs_release_request(req);
++ atomic_long_dec(&nfsi->nrequests);
++ }
+ }
+
+ static void
+--
+2.20.1
+
--- /dev/null
+From 339ee08d905911a5d699236baffa73c2b2b37816 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Oct 2019 09:58:54 -0400
+Subject: NFSv4: Fix leak of clp->cl_acceptor string
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit 1047ec868332034d1fbcb2fae19fe6d4cb869ff2 ]
+
+Our client can issue multiple SETCLIENTID operations to the same
+server in some circumstances. Ensure that calls to
+nfs4_proc_setclientid() after the first one do not overwrite the
+previously allocated cl_acceptor string.
+
+unreferenced object 0xffff888461031800 (size 32):
+ comm "mount.nfs", pid 2227, jiffies 4294822467 (age 1407.749s)
+ hex dump (first 32 bytes):
+ 6e 66 73 40 6b 6c 69 6d 74 2e 69 62 2e 31 30 31 nfs@klimt.ib.101
+ 35 67 72 61 6e 67 65 72 2e 6e 65 74 00 00 00 00 5granger.net....
+ backtrace:
+ [<00000000ab820188>] __kmalloc+0x128/0x176
+ [<00000000eeaf4ec8>] gss_stringify_acceptor+0xbd/0x1a7 [auth_rpcgss]
+ [<00000000e85e3382>] nfs4_proc_setclientid+0x34e/0x46c [nfsv4]
+ [<000000003d9cf1fa>] nfs40_discover_server_trunking+0x7a/0xed [nfsv4]
+ [<00000000b81c3787>] nfs4_discover_server_trunking+0x81/0x244 [nfsv4]
+ [<000000000801b55f>] nfs4_init_client+0x1b0/0x238 [nfsv4]
+ [<00000000977daf7f>] nfs4_set_client+0xfe/0x14d [nfsv4]
+ [<0000000053a68a2a>] nfs4_create_server+0x107/0x1db [nfsv4]
+ [<0000000088262019>] nfs4_remote_mount+0x2c/0x59 [nfsv4]
+ [<00000000e84a2fd0>] legacy_get_tree+0x2d/0x4c
+ [<00000000797e947c>] vfs_get_tree+0x20/0xc7
+ [<00000000ecabaaa8>] fc_mount+0xe/0x36
+ [<00000000f15fafc2>] vfs_kern_mount+0x74/0x8d
+ [<00000000a3ff4e26>] nfs_do_root_mount+0x8a/0xa3 [nfsv4]
+ [<00000000d1c2b337>] nfs4_try_mount+0x58/0xad [nfsv4]
+ [<000000004c9bddee>] nfs_fs_mount+0x820/0x869 [nfs]
+
+Fixes: f11b2a1cfbf5 ("nfs4: copy acceptor name from context ... ")
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4proc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 1406858bae6c9..e1e7d2724b971 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -6058,6 +6058,7 @@ int nfs4_proc_setclientid(struct nfs_client *clp, u32 program,
+ }
+ status = task->tk_status;
+ if (setclientid.sc_cred) {
++ kfree(clp->cl_acceptor);
+ clp->cl_acceptor = rpcauth_stringify_acceptor(setclientid.sc_cred);
+ put_rpccred(setclientid.sc_cred);
+ }
+--
+2.20.1
+
--- /dev/null
+From a3fd6d5f1c888366e5e9d7d7177ae0e9ee616640 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Oct 2019 17:57:47 -0700
+Subject: ocfs2: clear zero in unaligned direct IO
+
+From: Jia Guo <guojia12@huawei.com>
+
+[ Upstream commit 7a243c82ea527cd1da47381ad9cd646844f3b693 ]
+
+Unused portion of a part-written fs-block-sized block is not set to zero
+in unaligned append direct write.This can lead to serious data
+inconsistencies.
+
+Ocfs2 manage disk with cluster size(for example, 1M), part-written in
+one cluster will change the cluster state from UN-WRITTEN to WRITTEN,
+VFS(function dio_zero_block) doesn't do the cleaning because bh's state
+is not set to NEW in function ocfs2_dio_wr_get_block when we write a
+WRITTEN cluster. For example, the cluster size is 1M, file size is 8k
+and we direct write from 14k to 15k, then 12k~14k and 15k~16k will
+contain dirty data.
+
+We have to deal with two cases:
+ 1.The starting position of direct write is outside the file.
+ 2.The starting position of direct write is located in the file.
+
+We need set bh's state to NEW in the first case. In the second case, we
+need mapped twice because bh's state of area out file should be set to
+NEW while area in file not.
+
+[akpm@linux-foundation.org: coding style fixes]
+Link: http://lkml.kernel.org/r/5292e287-8f1a-fd4a-1a14-661e555e0bed@huawei.com
+Signed-off-by: Jia Guo <guojia12@huawei.com>
+Reviewed-by: Yiwen Jiang <jiangyiwen@huawei.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Joseph Qi <joseph.qi@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/aops.c | 22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ocfs2/aops.c b/fs/ocfs2/aops.c
+index a4c905d6b5755..3e0a93e799ea1 100644
+--- a/fs/ocfs2/aops.c
++++ b/fs/ocfs2/aops.c
+@@ -2139,13 +2139,30 @@ static int ocfs2_dio_wr_get_block(struct inode *inode, sector_t iblock,
+ struct ocfs2_dio_write_ctxt *dwc = NULL;
+ struct buffer_head *di_bh = NULL;
+ u64 p_blkno;
+- loff_t pos = iblock << inode->i_sb->s_blocksize_bits;
++ unsigned int i_blkbits = inode->i_sb->s_blocksize_bits;
++ loff_t pos = iblock << i_blkbits;
++ sector_t endblk = (i_size_read(inode) - 1) >> i_blkbits;
+ unsigned len, total_len = bh_result->b_size;
+ int ret = 0, first_get_block = 0;
+
+ len = osb->s_clustersize - (pos & (osb->s_clustersize - 1));
+ len = min(total_len, len);
+
++ /*
++ * bh_result->b_size is count in get_more_blocks according to write
++ * "pos" and "end", we need map twice to return different buffer state:
++ * 1. area in file size, not set NEW;
++ * 2. area out file size, set NEW.
++ *
++ * iblock endblk
++ * |--------|---------|---------|---------
++ * |<-------area in file------->|
++ */
++
++ if ((iblock <= endblk) &&
++ ((iblock + ((len - 1) >> i_blkbits)) > endblk))
++ len = (endblk - iblock + 1) << i_blkbits;
++
+ mlog(0, "get block of %lu at %llu:%u req %u\n",
+ inode->i_ino, pos, len, total_len);
+
+@@ -2229,6 +2246,9 @@ static int ocfs2_dio_wr_get_block(struct inode *inode, sector_t iblock,
+ if (desc->c_needs_zero)
+ set_buffer_new(bh_result);
+
++ if (iblock > endblk)
++ set_buffer_new(bh_result);
++
+ /* May sleep in end_io. It should not happen in a irq context. So defer
+ * it to dio work queue. */
+ set_buffer_defer_completion(bh_result);
+--
+2.20.1
+
--- /dev/null
+From bf8bc3333712fa00cb2eaef32d332912b51fc39f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2019 16:04:21 -0300
+Subject: perf annotate: Don't return -1 for error when doing BPF disassembly
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit 11aad897f6d1a28eae3b7e5b293647c522d65819 ]
+
+Return errno when open_memstream() fails and add two new speciall error
+codes for when an invalid, non BPF file or one without BTF is passed to
+symbol__disassemble_bpf(), so that its callers can rely on
+symbol__strerror_disassemble() to convert that to a human readable error
+message that can help figure out what is wrong, with hints even.
+
+Cc: Russell King - ARM Linux admin <linux@armlinux.org.uk>
+Cc: Song Liu <songliubraving@fb.com>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>,
+Cc: Will Deacon <will@kernel.org>
+Link: https://lkml.kernel.org/n/tip-usevw9r2gcipfcrbpaueurw0@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/annotate.c | 19 +++++++++++++++----
+ tools/perf/util/annotate.h | 2 ++
+ 2 files changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c
+index ab7851ec0ce53..fb8756026a805 100644
+--- a/tools/perf/util/annotate.c
++++ b/tools/perf/util/annotate.c
+@@ -1631,6 +1631,13 @@ int symbol__strerror_disassemble(struct symbol *sym __maybe_unused, struct map *
+ case SYMBOL_ANNOTATE_ERRNO__ARCH_INIT_CPUID_PARSING:
+ scnprintf(buf, buflen, "Problems while parsing the CPUID in the arch specific initialization.");
+ break;
++ case SYMBOL_ANNOTATE_ERRNO__BPF_INVALID_FILE:
++ scnprintf(buf, buflen, "Invalid BPF file: %s.", dso->long_name);
++ break;
++ case SYMBOL_ANNOTATE_ERRNO__BPF_MISSING_BTF:
++ scnprintf(buf, buflen, "The %s BPF file has no BTF section, compile with -g or use pahole -J.",
++ dso->long_name);
++ break;
+ default:
+ scnprintf(buf, buflen, "Internal error: Invalid %d error code\n", errnum);
+ break;
+@@ -1713,13 +1720,13 @@ static int symbol__disassemble_bpf(struct symbol *sym,
+ char tpath[PATH_MAX];
+ size_t buf_size;
+ int nr_skip = 0;
+- int ret = -1;
+ char *buf;
+ bfd *bfdf;
++ int ret;
+ FILE *s;
+
+ if (dso->binary_type != DSO_BINARY_TYPE__BPF_PROG_INFO)
+- return -1;
++ return SYMBOL_ANNOTATE_ERRNO__BPF_INVALID_FILE;
+
+ pr_debug("%s: handling sym %s addr %" PRIx64 " len %" PRIx64 "\n", __func__,
+ sym->name, sym->start, sym->end - sym->start);
+@@ -1732,8 +1739,10 @@ static int symbol__disassemble_bpf(struct symbol *sym,
+ assert(bfd_check_format(bfdf, bfd_object));
+
+ s = open_memstream(&buf, &buf_size);
+- if (!s)
++ if (!s) {
++ ret = errno;
+ goto out;
++ }
+ init_disassemble_info(&info, s,
+ (fprintf_ftype) fprintf);
+
+@@ -1742,8 +1751,10 @@ static int symbol__disassemble_bpf(struct symbol *sym,
+
+ info_node = perf_env__find_bpf_prog_info(dso->bpf_prog.env,
+ dso->bpf_prog.id);
+- if (!info_node)
++ if (!info_node) {
++ return SYMBOL_ANNOTATE_ERRNO__BPF_MISSING_BTF;
+ goto out;
++ }
+ info_linear = info_node->info_linear;
+ sub_id = dso->bpf_prog.sub_id;
+
+diff --git a/tools/perf/util/annotate.h b/tools/perf/util/annotate.h
+index a1191995fe77e..2004e2cf0211b 100644
+--- a/tools/perf/util/annotate.h
++++ b/tools/perf/util/annotate.h
+@@ -372,6 +372,8 @@ enum symbol_disassemble_errno {
+ SYMBOL_ANNOTATE_ERRNO__NO_LIBOPCODES_FOR_BPF,
+ SYMBOL_ANNOTATE_ERRNO__ARCH_INIT_CPUID_PARSING,
+ SYMBOL_ANNOTATE_ERRNO__ARCH_INIT_REGEXP,
++ SYMBOL_ANNOTATE_ERRNO__BPF_INVALID_FILE,
++ SYMBOL_ANNOTATE_ERRNO__BPF_MISSING_BTF,
+
+ __SYMBOL_ANNOTATE_ERRNO__END,
+ };
+--
+2.20.1
+
--- /dev/null
+From 897f8f8a8e9ae5c582098e3f14198c38d8b77529 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2019 15:48:12 -0300
+Subject: perf annotate: Fix arch specific ->init() failure errors
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit 42d7a9107d83223a5fcecc6732d626a6c074cbc2 ]
+
+They are called from symbol__annotate() and to propagate errors that can
+help understand the problem make them return what
+symbol__strerror_disassemble() known, i.e. errno codes and other
+annotation specific errors in a special, out of errnos, range.
+
+Reported-by: Russell King - ARM Linux admin <linux@armlinux.org.uk>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>,
+Cc: Will Deacon <will@kernel.org>
+Link: https://lkml.kernel.org/n/tip-pqx7srcv7tixgid251aeboj6@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/arch/arm/annotate/instructions.c | 4 ++--
+ tools/perf/arch/arm64/annotate/instructions.c | 4 ++--
+ tools/perf/arch/s390/annotate/instructions.c | 6 ++++--
+ tools/perf/arch/x86/annotate/instructions.c | 6 ++++--
+ tools/perf/util/annotate.c | 6 ++++++
+ tools/perf/util/annotate.h | 2 ++
+ 6 files changed, 20 insertions(+), 8 deletions(-)
+
+diff --git a/tools/perf/arch/arm/annotate/instructions.c b/tools/perf/arch/arm/annotate/instructions.c
+index c7d1a69b894fe..19ac54758c713 100644
+--- a/tools/perf/arch/arm/annotate/instructions.c
++++ b/tools/perf/arch/arm/annotate/instructions.c
+@@ -36,7 +36,7 @@ static int arm__annotate_init(struct arch *arch, char *cpuid __maybe_unused)
+
+ arm = zalloc(sizeof(*arm));
+ if (!arm)
+- return -1;
++ return ENOMEM;
+
+ #define ARM_CONDS "(cc|cs|eq|ge|gt|hi|le|ls|lt|mi|ne|pl|vc|vs)"
+ err = regcomp(&arm->call_insn, "^blx?" ARM_CONDS "?$", REG_EXTENDED);
+@@ -58,5 +58,5 @@ out_free_call:
+ regfree(&arm->call_insn);
+ out_free_arm:
+ free(arm);
+- return -1;
++ return SYMBOL_ANNOTATE_ERRNO__ARCH_INIT_REGEXP;
+ }
+diff --git a/tools/perf/arch/arm64/annotate/instructions.c b/tools/perf/arch/arm64/annotate/instructions.c
+index 8f70a1b282dfb..223e2f161f414 100644
+--- a/tools/perf/arch/arm64/annotate/instructions.c
++++ b/tools/perf/arch/arm64/annotate/instructions.c
+@@ -94,7 +94,7 @@ static int arm64__annotate_init(struct arch *arch, char *cpuid __maybe_unused)
+
+ arm = zalloc(sizeof(*arm));
+ if (!arm)
+- return -1;
++ return ENOMEM;
+
+ /* bl, blr */
+ err = regcomp(&arm->call_insn, "^blr?$", REG_EXTENDED);
+@@ -117,5 +117,5 @@ out_free_call:
+ regfree(&arm->call_insn);
+ out_free_arm:
+ free(arm);
+- return -1;
++ return SYMBOL_ANNOTATE_ERRNO__ARCH_INIT_REGEXP;
+ }
+diff --git a/tools/perf/arch/s390/annotate/instructions.c b/tools/perf/arch/s390/annotate/instructions.c
+index 89bb8f2c54cee..a50e70baf9183 100644
+--- a/tools/perf/arch/s390/annotate/instructions.c
++++ b/tools/perf/arch/s390/annotate/instructions.c
+@@ -164,8 +164,10 @@ static int s390__annotate_init(struct arch *arch, char *cpuid __maybe_unused)
+ if (!arch->initialized) {
+ arch->initialized = true;
+ arch->associate_instruction_ops = s390__associate_ins_ops;
+- if (cpuid)
+- err = s390__cpuid_parse(arch, cpuid);
++ if (cpuid) {
++ if (s390__cpuid_parse(arch, cpuid))
++ err = SYMBOL_ANNOTATE_ERRNO__ARCH_INIT_CPUID_PARSING;
++ }
+ }
+
+ return err;
+diff --git a/tools/perf/arch/x86/annotate/instructions.c b/tools/perf/arch/x86/annotate/instructions.c
+index 44f5aba78210e..7eb5621c021d8 100644
+--- a/tools/perf/arch/x86/annotate/instructions.c
++++ b/tools/perf/arch/x86/annotate/instructions.c
+@@ -196,8 +196,10 @@ static int x86__annotate_init(struct arch *arch, char *cpuid)
+ if (arch->initialized)
+ return 0;
+
+- if (cpuid)
+- err = x86__cpuid_parse(arch, cpuid);
++ if (cpuid) {
++ if (x86__cpuid_parse(arch, cpuid))
++ err = SYMBOL_ANNOTATE_ERRNO__ARCH_INIT_CPUID_PARSING;
++ }
+
+ arch->initialized = true;
+ return err;
+diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c
+index ca8b517e38fa8..b475449f955ef 100644
+--- a/tools/perf/util/annotate.c
++++ b/tools/perf/util/annotate.c
+@@ -1625,6 +1625,12 @@ int symbol__strerror_disassemble(struct symbol *sym __maybe_unused, struct map *
+ case SYMBOL_ANNOTATE_ERRNO__NO_LIBOPCODES_FOR_BPF:
+ scnprintf(buf, buflen, "Please link with binutils's libopcode to enable BPF annotation");
+ break;
++ case SYMBOL_ANNOTATE_ERRNO__ARCH_INIT_REGEXP:
++ scnprintf(buf, buflen, "Problems with arch specific instruction name regular expressions.");
++ break;
++ case SYMBOL_ANNOTATE_ERRNO__ARCH_INIT_CPUID_PARSING:
++ scnprintf(buf, buflen, "Problems while parsing the CPUID in the arch specific initialization.");
++ break;
+ default:
+ scnprintf(buf, buflen, "Internal error: Invalid %d error code\n", errnum);
+ break;
+diff --git a/tools/perf/util/annotate.h b/tools/perf/util/annotate.h
+index 5bc0cf655d377..a1191995fe77e 100644
+--- a/tools/perf/util/annotate.h
++++ b/tools/perf/util/annotate.h
+@@ -370,6 +370,8 @@ enum symbol_disassemble_errno {
+
+ SYMBOL_ANNOTATE_ERRNO__NO_VMLINUX = __SYMBOL_ANNOTATE_ERRNO__START,
+ SYMBOL_ANNOTATE_ERRNO__NO_LIBOPCODES_FOR_BPF,
++ SYMBOL_ANNOTATE_ERRNO__ARCH_INIT_CPUID_PARSING,
++ SYMBOL_ANNOTATE_ERRNO__ARCH_INIT_REGEXP,
+
+ __SYMBOL_ANNOTATE_ERRNO__END,
+ };
+--
+2.20.1
+
--- /dev/null
+From 97fc5807493644628248df90fdb8444595f25c08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2019 15:11:47 -0300
+Subject: perf annotate: Fix the signedness of failure returns
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit 28f4417c3333940b242af03d90214f713bbef232 ]
+
+Callers of symbol__annotate() expect a errno value or some other
+extended error value range in symbol__strerror_disassemble() to
+convert to a proper error string, fix it when propagating a failure to
+find the arch specific annotation routines via arch__find(arch_name).
+
+Reported-by: Russell King - ARM Linux admin <linux@armlinux.org.uk>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>,
+Cc: Will Deacon <will@kernel.org>
+Link: https://lkml.kernel.org/n/tip-o0k6dw7cas0vvmjjvgsyvu1i@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/annotate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c
+index 6d9642c082e52..2dac51e9e4180 100644
+--- a/tools/perf/util/annotate.c
++++ b/tools/perf/util/annotate.c
+@@ -2069,7 +2069,7 @@ int symbol__annotate(struct symbol *sym, struct map *map,
+
+ args.arch = arch = arch__find(arch_name);
+ if (arch == NULL)
+- return -ENOTSUP;
++ return ENOTSUP;
+
+ if (parch)
+ *parch = arch;
+--
+2.20.1
+
--- /dev/null
+From 94c8b2e4a2745080b2777089b6647e037f031560 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2019 15:06:01 -0300
+Subject: perf annotate: Propagate perf_env__arch() error
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit a66fa0619a0ae3585ef09e9c33ecfb5c7c6cb72b ]
+
+The callers of symbol__annotate2() use symbol__strerror_disassemble() to
+convert its failure returns into a human readable string, so
+propagate error values from functions it calls, starting with
+perf_env__arch() that when fails the right thing to do is to look at
+'errno' to see why its possible call to uname() failed.
+
+Reported-by: Russell King - ARM Linux admin <linux@armlinux.org.uk>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>,
+Cc: Will Deacon <will@kernel.org>
+Link: https://lkml.kernel.org/n/tip-it5d83kyusfhb1q1b0l4pxzs@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/annotate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c
+index 163536720149b..6d9642c082e52 100644
+--- a/tools/perf/util/annotate.c
++++ b/tools/perf/util/annotate.c
+@@ -2065,7 +2065,7 @@ int symbol__annotate(struct symbol *sym, struct map *map,
+ int err;
+
+ if (!arch_name)
+- return -1;
++ return errno;
+
+ args.arch = arch = arch__find(arch_name);
+ if (arch == NULL)
+--
+2.20.1
+
--- /dev/null
+From 9ff169becc951f630791b07cfaf2f45750e432eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2019 15:44:13 -0300
+Subject: perf annotate: Propagate the symbol__annotate() error return
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit 211f493b611eef012841f795166c38ec7528738d ]
+
+We were just returning -1 in symbol__annotate() when symbol__annotate()
+failed, propagate its error as it is used later to pass to
+symbol__strerror_disassemble() to present a error message to the user,
+that in some cases were getting:
+
+ "Invalid -1 error code"
+
+Fix it to propagate the error.
+
+Reported-by: Russell King - ARM Linux admin <linux@armlinux.org.uk>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>,
+Cc: Will Deacon <will@kernel.org>
+Link: https://lkml.kernel.org/n/tip-0tj89rs9g7nbcyd5skadlvuu@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/annotate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c
+index 2dac51e9e4180..ca8b517e38fa8 100644
+--- a/tools/perf/util/annotate.c
++++ b/tools/perf/util/annotate.c
+@@ -2991,7 +2991,7 @@ int symbol__annotate2(struct symbol *sym, struct map *map, struct perf_evsel *ev
+
+ out_free_offsets:
+ zfree(¬es->offsets);
+- return -1;
++ return err;
+ }
+
+ #define ANNOTATION__CFG(n) \
+--
+2.20.1
+
--- /dev/null
+From a39d0a6a75bf37300361da6d3f26467172f09e0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2019 15:53:33 -0300
+Subject: perf annotate: Return appropriate error code for allocation failures
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit 16ed3c1e91159e28b02f11f71ff4ce4cbc6f99e4 ]
+
+We should return errno or the annotation extra range understood by
+symbol__strerror_disassemble() instead of -1, fix it, returning ENOMEM
+instead.
+
+Reported-by: Russell King - ARM Linux admin <linux@armlinux.org.uk>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>,
+Cc: Will Deacon <will@kernel.org>
+Link: https://lkml.kernel.org/n/tip-8of1cmj3rz0mppfcshc9bbqq@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/annotate.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c
+index b475449f955ef..ab7851ec0ce53 100644
+--- a/tools/perf/util/annotate.c
++++ b/tools/perf/util/annotate.c
+@@ -1662,7 +1662,7 @@ static int dso__disassemble_filename(struct dso *dso, char *filename, size_t fil
+
+ build_id_path = strdup(filename);
+ if (!build_id_path)
+- return -1;
++ return ENOMEM;
+
+ /*
+ * old style build-id cache has name of XX/XXXXXXX.. while
+@@ -2971,7 +2971,7 @@ int symbol__annotate2(struct symbol *sym, struct map *map, struct perf_evsel *ev
+
+ notes->offsets = zalloc(size * sizeof(struct annotation_line *));
+ if (notes->offsets == NULL)
+- return -1;
++ return ENOMEM;
+
+ if (perf_evsel__is_group_event(evsel))
+ nr_pcnt = evsel->nr_members;
+--
+2.20.1
+
--- /dev/null
+From 61177b9e5b1e6a12b2b2b9391198d265d1b4f6c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2019 09:59:49 -0700
+Subject: perf/core: Fix corner case in perf_rotate_context()
+
+From: Song Liu <songliubraving@fb.com>
+
+[ Upstream commit 7fa343b7fdc4f351de4e3f28d5c285937dd1f42f ]
+
+In perf_rotate_context(), when the first cpu flexible event fail to
+schedule, cpu_rotate is 1, while cpu_event is NULL. Since cpu_event is
+NULL, perf_rotate_context will _NOT_ call cpu_ctx_sched_out(), thus
+cpuctx->ctx.is_active will have EVENT_FLEXIBLE set. Then, the next
+perf_event_sched_in() will skip all cpu flexible events because of the
+EVENT_FLEXIBLE bit.
+
+In the next call of perf_rotate_context(), cpu_rotate stays 1, and
+cpu_event stays NULL, so this process repeats. The end result is, flexible
+events on this cpu will not be scheduled (until another event being added
+to the cpuctx).
+
+Here is an easy repro of this issue. On Intel CPUs, where ref-cycles
+could only use one counter, run one pinned event for ref-cycles, one
+flexible event for ref-cycles, and one flexible event for cycles. The
+flexible ref-cycles is never scheduled, which is expected. However,
+because of this issue, the cycles event is never scheduled either.
+
+ $ perf stat -e ref-cycles:D,ref-cycles,cycles -C 5 -I 1000
+
+ time counts unit events
+ 1.000152973 15,412,480 ref-cycles:D
+ 1.000152973 <not counted> ref-cycles (0.00%)
+ 1.000152973 <not counted> cycles (0.00%)
+ 2.000486957 18,263,120 ref-cycles:D
+ 2.000486957 <not counted> ref-cycles (0.00%)
+ 2.000486957 <not counted> cycles (0.00%)
+
+To fix this, when the flexible_active list is empty, try rotate the
+first event in the flexible_groups. Also, rename ctx_first_active() to
+ctx_event_to_rotate(), which is more accurate.
+
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: <kernel-team@fb.com>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Sasha Levin <sashal@kernel.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 8d5bce0c37fa ("perf/core: Optimize perf_rotate_context() event scheduling")
+Link: https://lkml.kernel.org/r/20191008165949.920548-1-songliubraving@fb.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index c0a6a50e01af6..2ff44d7308dd7 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -3694,11 +3694,23 @@ static void rotate_ctx(struct perf_event_context *ctx, struct perf_event *event)
+ perf_event_groups_insert(&ctx->flexible_groups, event);
+ }
+
++/* pick an event from the flexible_groups to rotate */
+ static inline struct perf_event *
+-ctx_first_active(struct perf_event_context *ctx)
++ctx_event_to_rotate(struct perf_event_context *ctx)
+ {
+- return list_first_entry_or_null(&ctx->flexible_active,
+- struct perf_event, active_list);
++ struct perf_event *event;
++
++ /* pick the first active flexible event */
++ event = list_first_entry_or_null(&ctx->flexible_active,
++ struct perf_event, active_list);
++
++ /* if no active flexible event, pick the first event */
++ if (!event) {
++ event = rb_entry_safe(rb_first(&ctx->flexible_groups.tree),
++ typeof(*event), group_node);
++ }
++
++ return event;
+ }
+
+ static bool perf_rotate_context(struct perf_cpu_context *cpuctx)
+@@ -3723,9 +3735,9 @@ static bool perf_rotate_context(struct perf_cpu_context *cpuctx)
+ perf_pmu_disable(cpuctx->ctx.pmu);
+
+ if (task_rotate)
+- task_event = ctx_first_active(task_ctx);
++ task_event = ctx_event_to_rotate(task_ctx);
+ if (cpu_rotate)
+- cpu_event = ctx_first_active(&cpuctx->ctx);
++ cpu_event = ctx_event_to_rotate(&cpuctx->ctx);
+
+ /*
+ * As per the order given at ctx_resched() first 'pop' task flexible
+--
+2.20.1
+
--- /dev/null
+From 0e41331ae2eae507ae70a0d94257b6064a270dbe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Sep 2019 14:46:18 -0700
+Subject: perf/core: Rework memory accounting in perf_mmap()
+
+From: Song Liu <songliubraving@fb.com>
+
+[ Upstream commit d44248a41337731a111374822d7d4451b64e73e4 ]
+
+perf_mmap() always increases user->locked_vm. As a result, "extra" could
+grow bigger than "user_extra", which doesn't make sense. Here is an
+example case:
+
+(Note: Assume "user_lock_limit" is very small.)
+
+ | # of perf_mmap calls |vma->vm_mm->pinned_vm|user->locked_vm|
+ | 0 | 0 | 0 |
+ | 1 | user_extra | user_extra |
+ | 2 | 3 * user_extra | 2 * user_extra|
+ | 3 | 6 * user_extra | 3 * user_extra|
+ | 4 | 10 * user_extra | 4 * user_extra|
+
+Fix this by maintaining proper user_extra and extra.
+
+Reviewed-By: Hechao Li <hechaol@fb.com>
+Reported-by: Hechao Li <hechaol@fb.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: <kernel-team@fb.com>
+Cc: Jie Meng <jmeng@fb.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/20190904214618.3795672-1-songliubraving@fb.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index a2a50b668ef32..c0a6a50e01af6 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -5585,7 +5585,8 @@ again:
+ * undo the VM accounting.
+ */
+
+- atomic_long_sub((size >> PAGE_SHIFT) + 1, &mmap_user->locked_vm);
++ atomic_long_sub((size >> PAGE_SHIFT) + 1 - mmap_locked,
++ &mmap_user->locked_vm);
+ atomic64_sub(mmap_locked, &vma->vm_mm->pinned_vm);
+ free_uid(mmap_user);
+
+@@ -5729,8 +5730,20 @@ accounting:
+
+ user_locked = atomic_long_read(&user->locked_vm) + user_extra;
+
+- if (user_locked > user_lock_limit)
++ if (user_locked <= user_lock_limit) {
++ /* charge all to locked_vm */
++ } else if (atomic_long_read(&user->locked_vm) >= user_lock_limit) {
++ /* charge all to pinned_vm */
++ extra = user_extra;
++ user_extra = 0;
++ } else {
++ /*
++ * charge locked_vm until it hits user_lock_limit;
++ * charge the rest from pinned_vm
++ */
+ extra = user_locked - user_lock_limit;
++ user_extra -= extra;
++ }
+
+ lock_limit = rlimit(RLIMIT_MEMLOCK);
+ lock_limit >>= PAGE_SHIFT;
+--
+2.20.1
+
--- /dev/null
+From bb57e302ab52847af2d53a9ba15cbe39153ffc65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Sep 2019 16:35:45 -0700
+Subject: perf jevents: Fix period for Intel fixed counters
+
+From: Andi Kleen <ak@linux.intel.com>
+
+[ Upstream commit 6bdfd9f118bd59cf0f85d3bf4b72b586adea17c1 ]
+
+The Intel fixed counters use a special table to override the JSON
+information.
+
+During this override the period information from the JSON file got
+dropped, which results in inst_retired.any and similar running with
+frequency mode instead of a period.
+
+Just specify the expected period in the table.
+
+Signed-off-by: Andi Kleen <ak@linux.intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Link: http://lore.kernel.org/lkml/20190927233546.11533-2-andi@firstfloor.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/pmu-events/jevents.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/tools/perf/pmu-events/jevents.c b/tools/perf/pmu-events/jevents.c
+index d413761621b09..fa85e33762f72 100644
+--- a/tools/perf/pmu-events/jevents.c
++++ b/tools/perf/pmu-events/jevents.c
+@@ -449,12 +449,12 @@ static struct fixed {
+ const char *name;
+ const char *event;
+ } fixed[] = {
+- { "inst_retired.any", "event=0xc0" },
+- { "inst_retired.any_p", "event=0xc0" },
+- { "cpu_clk_unhalted.ref", "event=0x0,umask=0x03" },
+- { "cpu_clk_unhalted.thread", "event=0x3c" },
+- { "cpu_clk_unhalted.core", "event=0x3c" },
+- { "cpu_clk_unhalted.thread_any", "event=0x3c,any=1" },
++ { "inst_retired.any", "event=0xc0,period=2000003" },
++ { "inst_retired.any_p", "event=0xc0,period=2000003" },
++ { "cpu_clk_unhalted.ref", "event=0x0,umask=0x03,period=2000003" },
++ { "cpu_clk_unhalted.thread", "event=0x3c,period=2000003" },
++ { "cpu_clk_unhalted.core", "event=0x3c,period=2000003" },
++ { "cpu_clk_unhalted.thread_any", "event=0x3c,any=1,period=2000003" },
+ { NULL, NULL},
+ };
+
+--
+2.20.1
+
--- /dev/null
+From 595c12f3a2498dce58294d8684a99de5fac3aaf8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Sep 2019 01:39:00 +0000
+Subject: perf map: Fix overlapped map handling
+
+From: Steve MacLean <Steve.MacLean@microsoft.com>
+
+[ Upstream commit ee212d6ea20887c0ef352be8563ca13dbf965906 ]
+
+Whenever an mmap/mmap2 event occurs, the map tree must be updated to add a new
+entry. If a new map overlaps a previous map, the overlapped section of the
+previous map is effectively unmapped, but the non-overlapping sections are
+still valid.
+
+maps__fixup_overlappings() is responsible for creating any new map entries from
+the previously overlapped map. It optionally creates a before and an after map.
+
+When creating the after map the existing code failed to adjust the map.pgoff.
+This meant the new after map would incorrectly calculate the file offset
+for the ip. This results in incorrect symbol name resolution for any ip in the
+after region.
+
+Make maps__fixup_overlappings() correctly populate map.pgoff.
+
+Add an assert that new mapping matches old mapping at the beginning of
+the after map.
+
+Committer-testing:
+
+Validated correct parsing of libcoreclr.so symbols from .NET Core 3.0 preview9
+(which didn't strip symbols).
+
+Preparation:
+
+ ~/dotnet3.0-preview9/dotnet new webapi -o perfSymbol
+ cd perfSymbol
+ ~/dotnet3.0-preview9/dotnet publish
+ perf record ~/dotnet3.0-preview9/dotnet \
+ bin/Debug/netcoreapp3.0/publish/perfSymbol.dll
+ ^C
+
+Before:
+
+ perf script --show-mmap-events 2>&1 | grep -e MMAP -e unknown |\
+ grep libcoreclr.so | head -n 4
+ dotnet 1907 373352.698780: PERF_RECORD_MMAP2 1907/1907: \
+ [0x7fe615726000(0x768000) @ 0 08:02 5510620 765057155]: \
+ r-xp .../3.0.0-preview9-19423-09/libcoreclr.so
+ dotnet 1907 373352.701091: PERF_RECORD_MMAP2 1907/1907: \
+ [0x7fe615974000(0x1000) @ 0x24e000 08:02 5510620 765057155]: \
+ rwxp .../3.0.0-preview9-19423-09/libcoreclr.so
+ dotnet 1907 373352.701241: PERF_RECORD_MMAP2 1907/1907: \
+ [0x7fe615c42000(0x1000) @ 0x51c000 08:02 5510620 765057155]: \
+ rwxp .../3.0.0-preview9-19423-09/libcoreclr.so
+ dotnet 1907 373352.705249: 250000 cpu-clock: \
+ 7fe6159a1f99 [unknown] \
+ (.../3.0.0-preview9-19423-09/libcoreclr.so)
+
+After:
+
+ perf script --show-mmap-events 2>&1 | grep -e MMAP -e unknown |\
+ grep libcoreclr.so | head -n 4
+ dotnet 1907 373352.698780: PERF_RECORD_MMAP2 1907/1907: \
+ [0x7fe615726000(0x768000) @ 0 08:02 5510620 765057155]: \
+ r-xp .../3.0.0-preview9-19423-09/libcoreclr.so
+ dotnet 1907 373352.701091: PERF_RECORD_MMAP2 1907/1907: \
+ [0x7fe615974000(0x1000) @ 0x24e000 08:02 5510620 765057155]: \
+ rwxp .../3.0.0-preview9-19423-09/libcoreclr.so
+ dotnet 1907 373352.701241: PERF_RECORD_MMAP2 1907/1907: \
+ [0x7fe615c42000(0x1000) @ 0x51c000 08:02 5510620 765057155]: \
+ rwxp .../3.0.0-preview9-19423-09/libcoreclr.so
+
+All the [unknown] symbols were resolved.
+
+Signed-off-by: Steve MacLean <Steve.MacLean@Microsoft.com>
+Tested-by: Brian Robbins <brianrob@microsoft.com>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Eric Saint-Etienne <eric.saint.etienne@oracle.com>
+Cc: John Keeping <john@metanate.com>
+Cc: John Salem <josalem@microsoft.com>
+Cc: Leo Yan <leo.yan@linaro.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Song Liu <songliubraving@fb.com>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Tom McDonald <thomas.mcdonald@microsoft.com>
+Link: http://lore.kernel.org/lkml/BN8PR21MB136270949F22A6A02335C238F7800@BN8PR21MB1362.namprd21.prod.outlook.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/map.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tools/perf/util/map.c b/tools/perf/util/map.c
+index 7666206d06fa7..f18113581cf03 100644
+--- a/tools/perf/util/map.c
++++ b/tools/perf/util/map.c
+@@ -1,5 +1,6 @@
+ // SPDX-License-Identifier: GPL-2.0
+ #include "symbol.h"
++#include <assert.h>
+ #include <errno.h>
+ #include <inttypes.h>
+ #include <limits.h>
+@@ -847,6 +848,8 @@ static int maps__fixup_overlappings(struct maps *maps, struct map *map, FILE *fp
+ }
+
+ after->start = map->end;
++ after->pgoff += map->end - pos->start;
++ assert(pos->map_ip(pos, map->end) == after->map_ip(after, map->end));
+ __map_groups__insert(pos->groups, after);
+ if (verbose >= 2 && !use_browser)
+ map__fprintf(after, fp);
+--
+2.20.1
+
--- /dev/null
+From 7384b1c231fceb32515c29c1d0d0ce58d748d950 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Sep 2019 16:35:44 -0700
+Subject: perf script brstackinsn: Fix recovery from LBR/binary mismatch
+
+From: Andi Kleen <ak@linux.intel.com>
+
+[ Upstream commit e98df280bc2a499fd41d7f9e2d6733884de69902 ]
+
+When the LBR data and the instructions in a binary do not match the loop
+printing instructions could get confused and print a long stream of
+bogus <bad> instructions.
+
+The problem was that if the instruction decoder cannot decode an
+instruction it ilen wasn't initialized, so the loop going through the
+basic block would continue with the previous value.
+
+Harden the code to avoid such problems:
+
+- Make sure ilen is always freshly initialized and is 0 for bad
+ instructions.
+
+- Do not overrun the code buffer while printing instructions
+
+- Print a warning message if the final jump is not on an instruction
+ boundary.
+
+Signed-off-by: Andi Kleen <ak@linux.intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Link: http://lore.kernel.org/lkml/20190927233546.11533-1-andi@firstfloor.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-script.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/builtin-script.c b/tools/perf/builtin-script.c
+index 0140ddb8dd0bd..c14a1cdad80c0 100644
+--- a/tools/perf/builtin-script.c
++++ b/tools/perf/builtin-script.c
+@@ -1054,7 +1054,7 @@ static int perf_sample__fprintf_brstackinsn(struct perf_sample *sample,
+ continue;
+
+ insn = 0;
+- for (off = 0;; off += ilen) {
++ for (off = 0; off < (unsigned)len; off += ilen) {
+ uint64_t ip = start + off;
+
+ printed += ip__fprintf_sym(ip, thread, x.cpumode, x.cpu, &lastsym, attr, fp);
+@@ -1065,6 +1065,7 @@ static int perf_sample__fprintf_brstackinsn(struct perf_sample *sample,
+ printed += print_srccode(thread, x.cpumode, ip);
+ break;
+ } else {
++ ilen = 0;
+ printed += fprintf(fp, "\t%016" PRIx64 "\t%s\n", ip,
+ dump_insn(&x, ip, buffer + off, len - off, &ilen));
+ if (ilen == 0)
+@@ -1074,6 +1075,8 @@ static int perf_sample__fprintf_brstackinsn(struct perf_sample *sample,
+ insn++;
+ }
+ }
++ if (off != (unsigned)len)
++ printed += fprintf(fp, "\tmismatch of LBR data and executable\n");
+ }
+
+ /*
+@@ -1114,6 +1117,7 @@ static int perf_sample__fprintf_brstackinsn(struct perf_sample *sample,
+ goto out;
+ }
+ for (off = 0; off <= end - start; off += ilen) {
++ ilen = 0;
+ printed += fprintf(fp, "\t%016" PRIx64 "\t%s\n", start + off,
+ dump_insn(&x, start + off, buffer + off, len - off, &ilen));
+ if (ilen == 0)
+--
+2.20.1
+
--- /dev/null
+From c6ea6bedb12edf7726036646e324a94e4577e1b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Sep 2019 12:59:24 -0700
+Subject: perf tests: Avoid raising SEGV using an obvious NULL dereference
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit e3e2cf3d5b1fe800b032e14c0fdcd9a6fb20cf3b ]
+
+An optimized build such as:
+
+ make -C tools/perf CLANG=1 CC=clang EXTRA_CFLAGS="-O3
+
+will turn the dereference operation into a ud2 instruction, raising a
+SIGILL rather than a SIGSEGV. Use raise(..) for correctness and clarity.
+
+Similar issues were addressed in Numfor Mbiziwo-Tiapo's patch:
+
+ https://lkml.org/lkml/2019/7/8/1234
+
+Committer testing:
+
+Before:
+
+ [root@quaco ~]# perf test hooks
+ 55: perf hooks : Ok
+ [root@quaco ~]# perf test -v hooks
+ 55: perf hooks :
+ --- start ---
+ test child forked, pid 17092
+ SIGSEGV is observed as expected, try to recover.
+ Fatal error (SEGFAULT) in perf hook 'test'
+ test child finished with 0
+ ---- end ----
+ perf hooks: Ok
+ [root@quaco ~]#
+
+After:
+
+ [root@quaco ~]# perf test hooks
+ 55: perf hooks : Ok
+ [root@quaco ~]# perf test -v hooks
+ 55: perf hooks :
+ --- start ---
+ test child forked, pid 17909
+ SIGSEGV is observed as expected, try to recover.
+ Fatal error (SEGFAULT) in perf hook 'test'
+ test child finished with 0
+ ---- end ----
+ perf hooks: Ok
+ [root@quaco ~]#
+
+Fixes: a074865e60ed ("perf tools: Introduce perf hooks")
+Signed-off-by: Ian Rogers <irogers@google.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Wang Nan <wangnan0@huawei.com>
+Link: http://lore.kernel.org/lkml/20190925195924.152834-2-irogers@google.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/perf-hooks.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/tools/perf/tests/perf-hooks.c b/tools/perf/tests/perf-hooks.c
+index a693bcf017ea2..44c16fd11bf6e 100644
+--- a/tools/perf/tests/perf-hooks.c
++++ b/tools/perf/tests/perf-hooks.c
+@@ -20,12 +20,11 @@ static void sigsegv_handler(int sig __maybe_unused)
+ static void the_hook(void *_hook_flags)
+ {
+ int *hook_flags = _hook_flags;
+- int *p = NULL;
+
+ *hook_flags = 1234;
+
+ /* Generate a segfault, test perf_hooks__recover */
+- *p = 0;
++ raise(SIGSEGV);
+ }
+
+ int test__perf_hooks(struct test *test __maybe_unused, int subtest __maybe_unused)
+--
+2.20.1
+
--- /dev/null
+From e651912d805350520335975dd58cfa817f09340b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2019 10:55:34 -0300
+Subject: perf tools: Propagate get_cpuid() error
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit f67001a4a08eb124197ed4376941e1da9cf94b42 ]
+
+For consistency, propagate the exact cause for get_cpuid() to have
+failed.
+
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: https://lkml.kernel.org/n/tip-9ig269f7ktnhh99g4l15vpu2@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/arch/powerpc/util/header.c | 3 ++-
+ tools/perf/arch/s390/util/header.c | 9 +++++----
+ tools/perf/arch/x86/util/header.c | 3 ++-
+ tools/perf/builtin-kvm.c | 7 ++++---
+ 4 files changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/tools/perf/arch/powerpc/util/header.c b/tools/perf/arch/powerpc/util/header.c
+index 0b242664f5ea7..e46be9ef5a688 100644
+--- a/tools/perf/arch/powerpc/util/header.c
++++ b/tools/perf/arch/powerpc/util/header.c
+@@ -1,5 +1,6 @@
+ // SPDX-License-Identifier: GPL-2.0
+ #include <sys/types.h>
++#include <errno.h>
+ #include <unistd.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+@@ -31,7 +32,7 @@ get_cpuid(char *buffer, size_t sz)
+ buffer[nb-1] = '\0';
+ return 0;
+ }
+- return -1;
++ return ENOBUFS;
+ }
+
+ char *
+diff --git a/tools/perf/arch/s390/util/header.c b/tools/perf/arch/s390/util/header.c
+index 8b0b018d896ab..7933f6871c818 100644
+--- a/tools/perf/arch/s390/util/header.c
++++ b/tools/perf/arch/s390/util/header.c
+@@ -8,6 +8,7 @@
+ */
+
+ #include <sys/types.h>
++#include <errno.h>
+ #include <unistd.h>
+ #include <stdio.h>
+ #include <string.h>
+@@ -54,7 +55,7 @@ int get_cpuid(char *buffer, size_t sz)
+
+ sysinfo = fopen(SYSINFO, "r");
+ if (sysinfo == NULL)
+- return -1;
++ return errno;
+
+ while ((read = getline(&line, &line_sz, sysinfo)) != -1) {
+ if (!strncmp(line, SYSINFO_MANU, strlen(SYSINFO_MANU))) {
+@@ -89,7 +90,7 @@ int get_cpuid(char *buffer, size_t sz)
+
+ /* Missing manufacturer, type or model information should not happen */
+ if (!manufacturer[0] || !type[0] || !model[0])
+- return -1;
++ return EINVAL;
+
+ /*
+ * Scan /proc/service_levels and return the CPU-MF counter facility
+@@ -133,14 +134,14 @@ skip_sysinfo:
+ else
+ nbytes = snprintf(buffer, sz, "%s,%s,%s", manufacturer, type,
+ model);
+- return (nbytes >= sz) ? -1 : 0;
++ return (nbytes >= sz) ? ENOBUFS : 0;
+ }
+
+ char *get_cpuid_str(struct perf_pmu *pmu __maybe_unused)
+ {
+ char *buf = malloc(128);
+
+- if (buf && get_cpuid(buf, 128) < 0)
++ if (buf && get_cpuid(buf, 128))
+ zfree(&buf);
+ return buf;
+ }
+diff --git a/tools/perf/arch/x86/util/header.c b/tools/perf/arch/x86/util/header.c
+index af9a9f2600be4..a089af60906a0 100644
+--- a/tools/perf/arch/x86/util/header.c
++++ b/tools/perf/arch/x86/util/header.c
+@@ -1,5 +1,6 @@
+ // SPDX-License-Identifier: GPL-2.0
+ #include <sys/types.h>
++#include <errno.h>
+ #include <unistd.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+@@ -57,7 +58,7 @@ __get_cpuid(char *buffer, size_t sz, const char *fmt)
+ buffer[nb-1] = '\0';
+ return 0;
+ }
+- return -1;
++ return ENOBUFS;
+ }
+
+ int
+diff --git a/tools/perf/builtin-kvm.c b/tools/perf/builtin-kvm.c
+index b33c834891208..44ff3ea1da23f 100644
+--- a/tools/perf/builtin-kvm.c
++++ b/tools/perf/builtin-kvm.c
+@@ -699,14 +699,15 @@ static int process_sample_event(struct perf_tool *tool,
+
+ static int cpu_isa_config(struct perf_kvm_stat *kvm)
+ {
+- char buf[64], *cpuid;
++ char buf[128], *cpuid;
+ int err;
+
+ if (kvm->live) {
+ err = get_cpuid(buf, sizeof(buf));
+ if (err != 0) {
+- pr_err("Failed to look up CPU type\n");
+- return err;
++ pr_err("Failed to look up CPU type: %s\n",
++ str_error_r(err, buf, sizeof(buf)));
++ return -err;
+ }
+ cpuid = buf;
+ } else
+--
+2.20.1
+
--- /dev/null
+From d9ef1197a5ab7d021999407475a5ac254e17ada7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Aug 2019 18:57:41 +0000
+Subject: perf/x86/amd: Change/fix NMI latency mitigation to use a timestamp
+
+From: Tom Lendacky <thomas.lendacky@amd.com>
+
+[ Upstream commit df4d29732fdad43a51284f826bec3e6ded177540 ]
+
+It turns out that the NMI latency workaround from commit:
+
+ 6d3edaae16c6 ("x86/perf/amd: Resolve NMI latency issues for active PMCs")
+
+ends up being too conservative and results in the perf NMI handler claiming
+NMIs too easily on AMD hardware when the NMI watchdog is active.
+
+This has an impact, for example, on the hpwdt (HPE watchdog timer) module.
+This module can produce an NMI that is used to reset the system. It
+registers an NMI handler for the NMI_UNKNOWN type and relies on the fact
+that nothing has claimed an NMI so that its handler will be invoked when
+the watchdog device produces an NMI. After the referenced commit, the
+hpwdt module is unable to process its generated NMI if the NMI watchdog is
+active, because the current NMI latency mitigation results in the NMI
+being claimed by the perf NMI handler.
+
+Update the AMD perf NMI latency mitigation workaround to, instead, use a
+window of time. Whenever a PMC is handled in the perf NMI handler, set a
+timestamp which will act as a perf NMI window. Any NMIs arriving within
+that window will be claimed by perf. Anything outside that window will
+not be claimed by perf. The value for the NMI window is set to 100 msecs.
+This is a conservative value that easily covers any NMI latency in the
+hardware. While this still results in a window in which the hpwdt module
+will not receive its NMI, the window is now much, much smaller.
+
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Jerry Hoemann <jerry.hoemann@hpe.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 6d3edaae16c6 ("x86/perf/amd: Resolve NMI latency issues for active PMCs")
+Link: https://lkml.kernel.org/r/Message-ID:
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/amd/core.c | 30 +++++++++++++++++-------------
+ 1 file changed, 17 insertions(+), 13 deletions(-)
+
+diff --git a/arch/x86/events/amd/core.c b/arch/x86/events/amd/core.c
+index e7d35f60d53fc..64c3e70b0556b 100644
+--- a/arch/x86/events/amd/core.c
++++ b/arch/x86/events/amd/core.c
+@@ -5,12 +5,14 @@
+ #include <linux/init.h>
+ #include <linux/slab.h>
+ #include <linux/delay.h>
++#include <linux/jiffies.h>
+ #include <asm/apicdef.h>
+ #include <asm/nmi.h>
+
+ #include "../perf_event.h"
+
+-static DEFINE_PER_CPU(unsigned int, perf_nmi_counter);
++static DEFINE_PER_CPU(unsigned long, perf_nmi_tstamp);
++static unsigned long perf_nmi_window;
+
+ static __initconst const u64 amd_hw_cache_event_ids
+ [PERF_COUNT_HW_CACHE_MAX]
+@@ -641,11 +643,12 @@ static void amd_pmu_disable_event(struct perf_event *event)
+ * handler when multiple PMCs are active or PMC overflow while handling some
+ * other source of an NMI.
+ *
+- * Attempt to mitigate this by using the number of active PMCs to determine
+- * whether to return NMI_HANDLED if the perf NMI handler did not handle/reset
+- * any PMCs. The per-CPU perf_nmi_counter variable is set to a minimum of the
+- * number of active PMCs or 2. The value of 2 is used in case an NMI does not
+- * arrive at the LAPIC in time to be collapsed into an already pending NMI.
++ * Attempt to mitigate this by creating an NMI window in which un-handled NMIs
++ * received during this window will be claimed. This prevents extending the
++ * window past when it is possible that latent NMIs should be received. The
++ * per-CPU perf_nmi_tstamp will be set to the window end time whenever perf has
++ * handled a counter. When an un-handled NMI is received, it will be claimed
++ * only if arriving within that window.
+ */
+ static int amd_pmu_handle_irq(struct pt_regs *regs)
+ {
+@@ -663,21 +666,19 @@ static int amd_pmu_handle_irq(struct pt_regs *regs)
+ handled = x86_pmu_handle_irq(regs);
+
+ /*
+- * If a counter was handled, record the number of possible remaining
+- * NMIs that can occur.
++ * If a counter was handled, record a timestamp such that un-handled
++ * NMIs will be claimed if arriving within that window.
+ */
+ if (handled) {
+- this_cpu_write(perf_nmi_counter,
+- min_t(unsigned int, 2, active));
++ this_cpu_write(perf_nmi_tstamp,
++ jiffies + perf_nmi_window);
+
+ return handled;
+ }
+
+- if (!this_cpu_read(perf_nmi_counter))
++ if (time_after(jiffies, this_cpu_read(perf_nmi_tstamp)))
+ return NMI_DONE;
+
+- this_cpu_dec(perf_nmi_counter);
+-
+ return NMI_HANDLED;
+ }
+
+@@ -909,6 +910,9 @@ static int __init amd_core_pmu_init(void)
+ if (!boot_cpu_has(X86_FEATURE_PERFCTR_CORE))
+ return 0;
+
++ /* Avoid calulating the value each time in the NMI handler */
++ perf_nmi_window = msecs_to_jiffies(100);
++
+ switch (boot_cpu_data.x86) {
+ case 0x15:
+ pr_cont("Fam15h ");
+--
+2.20.1
+
--- /dev/null
+From bcebd2c90524f778c5d7e5f11350de849343a585 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Sep 2019 10:11:51 +0300
+Subject: RDMA/cm: Fix memory leak in cm_add/remove_one
+
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+
+[ Upstream commit 94635c36f3854934a46d9e812e028d4721bbb0e6 ]
+
+In the process of moving the debug counters sysfs entries, the commit
+mentioned below eliminated the cm_infiniband sysfs directory.
+
+This sysfs directory was tied to the cm_port object allocated in procedure
+cm_add_one().
+
+Before the commit below, this cm_port object was freed via a call to
+kobject_put(port->kobj) in procedure cm_remove_port_fs().
+
+Since port no longer uses its kobj, kobject_put(port->kobj) was eliminated.
+This, however, meant that kfree was never called for the cm_port buffers.
+
+Fix this by adding explicit kfree(port) calls to functions cm_add_one()
+and cm_remove_one().
+
+Note: the kfree call in the first chunk below (in the cm_add_one error
+flow) fixes an old, undetected memory leak.
+
+Fixes: c87e65cfb97c ("RDMA/cm: Move debug counters to be under relevant IB device")
+Link: https://lore.kernel.org/r/20190916071154.20383-2-leon@kernel.org
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/cm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c
+index da10e6ccb43cd..5920c0085d35b 100644
+--- a/drivers/infiniband/core/cm.c
++++ b/drivers/infiniband/core/cm.c
+@@ -4399,6 +4399,7 @@ error2:
+ error1:
+ port_modify.set_port_cap_mask = 0;
+ port_modify.clr_port_cap_mask = IB_PORT_CM_SUP;
++ kfree(port);
+ while (--i) {
+ if (!rdma_cap_ib_cm(ib_device, i))
+ continue;
+@@ -4407,6 +4408,7 @@ error1:
+ ib_modify_port(ib_device, port->port_num, 0, &port_modify);
+ ib_unregister_mad_agent(port->mad_agent);
+ cm_remove_port_fs(port);
++ kfree(port);
+ }
+ free:
+ kfree(cm_dev);
+@@ -4460,6 +4462,7 @@ static void cm_remove_one(struct ib_device *ib_device, void *client_data)
+ spin_unlock_irq(&cm.state_lock);
+ ib_unregister_mad_agent(cur_mad_agent);
+ cm_remove_port_fs(port);
++ kfree(port);
+ }
+
+ kfree(cm_dev);
+--
+2.20.1
+
--- /dev/null
+From 19e3008160b5291d383d655b3cf8e7058976aeb2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Aug 2019 11:10:44 +0200
+Subject: RDMA/core: Fix an error handling path in 'res_get_common_doit()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit ab59ca3eb4e7059727df85eee68bda169d26c8f8 ]
+
+According to surrounding error paths, it is likely that 'goto err_get;' is
+expected here. Otherwise, a call to 'rdma_restrack_put(res);' would be
+missing.
+
+Fixes: c5dfe0ea6ffa ("RDMA/nldev: Add resource tracker doit callback")
+Link: https://lore.kernel.org/r/20190818091044.8845-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/nldev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/nldev.c b/drivers/infiniband/core/nldev.c
+index 020c269765584..91e2cc9ddb9f8 100644
+--- a/drivers/infiniband/core/nldev.c
++++ b/drivers/infiniband/core/nldev.c
+@@ -1230,7 +1230,7 @@ static int res_get_common_doit(struct sk_buff *skb, struct nlmsghdr *nlh,
+ msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+ if (!msg) {
+ ret = -ENOMEM;
+- goto err;
++ goto err_get;
+ }
+
+ nlh = nlmsg_put(msg, NETLINK_CB(skb).portid, nlh->nlmsg_seq,
+--
+2.20.1
+
--- /dev/null
+From ea82fe391df105d569e46ffa4532c951f8e0c18f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Sep 2019 09:45:42 -0500
+Subject: RDMA/hfi1: Prevent memory leak in sdma_init
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit 34b3be18a04ecdc610aae4c48e5d1b799d8689f6 ]
+
+In sdma_init if rhashtable_init fails the allocated memory for
+tmp_sdma_rht should be released.
+
+Fixes: 5a52a7acf7e2 ("IB/hfi1: NULL pointer dereference when freeing rhashtable")
+Link: https://lore.kernel.org/r/20190925144543.10141-1-navid.emamdoost@gmail.com
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Acked-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/sdma.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/sdma.c b/drivers/infiniband/hw/hfi1/sdma.c
+index 2395fd4233a7e..2ed7bfd5feea6 100644
+--- a/drivers/infiniband/hw/hfi1/sdma.c
++++ b/drivers/infiniband/hw/hfi1/sdma.c
+@@ -1526,8 +1526,11 @@ int sdma_init(struct hfi1_devdata *dd, u8 port)
+ }
+
+ ret = rhashtable_init(tmp_sdma_rht, &sdma_rht_params);
+- if (ret < 0)
++ if (ret < 0) {
++ kfree(tmp_sdma_rht);
+ goto bail;
++ }
++
+ dd->sdma_rht = tmp_sdma_rht;
+
+ dd_dev_info(dd, "SDMA num_sdma: %u\n", dd->num_sdma);
+--
+2.20.1
+
--- /dev/null
+From 485370a39a8a3d8ea3a8a315896a7d3df336e2ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2019 13:11:19 +0530
+Subject: RDMA/iw_cxgb4: fix SRQ access from dump_qp()
+
+From: Potnuri Bharat Teja <bharat@chelsio.com>
+
+[ Upstream commit 91724c1e5afe45b64970036170659726e7dc5cff ]
+
+dump_qp() is wrongly trying to dump SRQ structures as QP when SRQ is used
+by the application. This patch matches the QPID before dumping them. Also
+removes unwanted SRQ id addition to QP id xarray.
+
+Fixes: 2f43129127e6 ("cxgb4: Convert qpidr to XArray")
+Link: https://lore.kernel.org/r/20190930074119.20046-1-bharat@chelsio.com
+Signed-off-by: Rahul Kundu <rahul.kundu@chelsio.com>
+Signed-off-by: Potnuri Bharat Teja <bharat@chelsio.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/cxgb4/device.c | 7 +++++--
+ drivers/infiniband/hw/cxgb4/qp.c | 10 +---------
+ 2 files changed, 6 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/infiniband/hw/cxgb4/device.c b/drivers/infiniband/hw/cxgb4/device.c
+index a8b9548bd1a26..599340c1f0b82 100644
+--- a/drivers/infiniband/hw/cxgb4/device.c
++++ b/drivers/infiniband/hw/cxgb4/device.c
+@@ -242,10 +242,13 @@ static void set_ep_sin6_addrs(struct c4iw_ep *ep,
+ }
+ }
+
+-static int dump_qp(struct c4iw_qp *qp, struct c4iw_debugfs_data *qpd)
++static int dump_qp(unsigned long id, struct c4iw_qp *qp,
++ struct c4iw_debugfs_data *qpd)
+ {
+ int space;
+ int cc;
++ if (id != qp->wq.sq.qid)
++ return 0;
+
+ space = qpd->bufsize - qpd->pos - 1;
+ if (space == 0)
+@@ -350,7 +353,7 @@ static int qp_open(struct inode *inode, struct file *file)
+
+ xa_lock_irq(&qpd->devp->qps);
+ xa_for_each(&qpd->devp->qps, index, qp)
+- dump_qp(qp, qpd);
++ dump_qp(index, qp, qpd);
+ xa_unlock_irq(&qpd->devp->qps);
+
+ qpd->buf[qpd->pos++] = 0;
+diff --git a/drivers/infiniband/hw/cxgb4/qp.c b/drivers/infiniband/hw/cxgb4/qp.c
+index eb9368be28c1d..bbcac539777a2 100644
+--- a/drivers/infiniband/hw/cxgb4/qp.c
++++ b/drivers/infiniband/hw/cxgb4/qp.c
+@@ -2737,15 +2737,11 @@ int c4iw_create_srq(struct ib_srq *ib_srq, struct ib_srq_init_attr *attrs,
+ if (CHELSIO_CHIP_VERSION(rhp->rdev.lldi.adapter_type) > CHELSIO_T6)
+ srq->flags = T4_SRQ_LIMIT_SUPPORT;
+
+- ret = xa_insert_irq(&rhp->qps, srq->wq.qid, srq, GFP_KERNEL);
+- if (ret)
+- goto err_free_queue;
+-
+ if (udata) {
+ srq_key_mm = kmalloc(sizeof(*srq_key_mm), GFP_KERNEL);
+ if (!srq_key_mm) {
+ ret = -ENOMEM;
+- goto err_remove_handle;
++ goto err_free_queue;
+ }
+ srq_db_key_mm = kmalloc(sizeof(*srq_db_key_mm), GFP_KERNEL);
+ if (!srq_db_key_mm) {
+@@ -2789,8 +2785,6 @@ err_free_srq_db_key_mm:
+ kfree(srq_db_key_mm);
+ err_free_srq_key_mm:
+ kfree(srq_key_mm);
+-err_remove_handle:
+- xa_erase_irq(&rhp->qps, srq->wq.qid);
+ err_free_queue:
+ free_srq_queue(srq, ucontext ? &ucontext->uctx : &rhp->rdev.uctx,
+ srq->wr_waitp);
+@@ -2813,8 +2807,6 @@ void c4iw_destroy_srq(struct ib_srq *ibsrq, struct ib_udata *udata)
+ rhp = srq->rhp;
+
+ pr_debug("%s id %d\n", __func__, srq->wq.qid);
+-
+- xa_erase_irq(&rhp->qps, srq->wq.qid);
+ ucontext = rdma_udata_to_drv_context(udata, struct c4iw_ucontext,
+ ibucontext);
+ free_srq_queue(srq, ucontext ? &ucontext->uctx : &rhp->rdev.uctx,
+--
+2.20.1
+
--- /dev/null
+From 3c13c0bbe438f1a7a124798c9b14627a942f5378 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2019 16:16:54 -0700
+Subject: RDMA/iwcm: Fix a lock inversion issue
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit b66f31efbdad95ec274345721d99d1d835e6de01 ]
+
+This patch fixes the lock inversion complaint:
+
+============================================
+WARNING: possible recursive locking detected
+5.3.0-rc7-dbg+ #1 Not tainted
+--------------------------------------------
+kworker/u16:6/171 is trying to acquire lock:
+00000000035c6e6c (&id_priv->handler_mutex){+.+.}, at: rdma_destroy_id+0x78/0x4a0 [rdma_cm]
+
+but task is already holding lock:
+00000000bc7c307d (&id_priv->handler_mutex){+.+.}, at: iw_conn_req_handler+0x151/0x680 [rdma_cm]
+
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(&id_priv->handler_mutex);
+ lock(&id_priv->handler_mutex);
+
+ *** DEADLOCK ***
+
+ May be due to missing lock nesting notation
+
+3 locks held by kworker/u16:6/171:
+ #0: 00000000e2eaa773 ((wq_completion)iw_cm_wq){+.+.}, at: process_one_work+0x472/0xac0
+ #1: 000000001efd357b ((work_completion)(&work->work)#3){+.+.}, at: process_one_work+0x476/0xac0
+ #2: 00000000bc7c307d (&id_priv->handler_mutex){+.+.}, at: iw_conn_req_handler+0x151/0x680 [rdma_cm]
+
+stack backtrace:
+CPU: 3 PID: 171 Comm: kworker/u16:6 Not tainted 5.3.0-rc7-dbg+ #1
+Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+Workqueue: iw_cm_wq cm_work_handler [iw_cm]
+Call Trace:
+ dump_stack+0x8a/0xd6
+ __lock_acquire.cold+0xe1/0x24d
+ lock_acquire+0x106/0x240
+ __mutex_lock+0x12e/0xcb0
+ mutex_lock_nested+0x1f/0x30
+ rdma_destroy_id+0x78/0x4a0 [rdma_cm]
+ iw_conn_req_handler+0x5c9/0x680 [rdma_cm]
+ cm_work_handler+0xe62/0x1100 [iw_cm]
+ process_one_work+0x56d/0xac0
+ worker_thread+0x7a/0x5d0
+ kthread+0x1bc/0x210
+ ret_from_fork+0x24/0x30
+
+This is not a bug as there are actually two lock classes here.
+
+Link: https://lore.kernel.org/r/20190930231707.48259-3-bvanassche@acm.org
+Fixes: de910bd92137 ("RDMA/cma: Simplify locking needed for serialization of callbacks")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/cma.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
+index a68d0ccf67a43..2e48b59926c19 100644
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -2396,9 +2396,10 @@ static int iw_conn_req_handler(struct iw_cm_id *cm_id,
+ conn_id->cm_id.iw = NULL;
+ cma_exch(conn_id, RDMA_CM_DESTROYING);
+ mutex_unlock(&conn_id->handler_mutex);
++ mutex_unlock(&listen_id->handler_mutex);
+ cma_deref_id(conn_id);
+ rdma_destroy_id(&conn_id->id);
+- goto out;
++ return ret;
+ }
+
+ mutex_unlock(&conn_id->handler_mutex);
+--
+2.20.1
+
--- /dev/null
+From 77caeb94a2b162f7f814fccb191887c87ca405c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2019 12:38:21 -0300
+Subject: RDMA/mlx5: Add missing synchronize_srcu() for MW cases
+
+From: Jason Gunthorpe <jgg@mellanox.com>
+
+[ Upstream commit 0417791536ae1e28d7f0418f1d20048ec4d3c6cf ]
+
+While MR uses live as the SRCU 'update', the MW case uses the xarray
+directly, xa_erase() causes the MW to become inaccessible to the pagefault
+thread.
+
+Thus whenever a MW is removed from the xarray we must synchronize_srcu()
+before freeing it.
+
+This must be done before freeing the mkey as re-use of the mkey while the
+pagefault thread is using the stale mkey is undesirable.
+
+Add the missing synchronizes to MW and DEVX indirect mkey and delete the
+bogus protection against double destroy in mlx5_core_destroy_mkey()
+
+Fixes: 534fd7aac56a ("IB/mlx5: Manage indirection mkey upon DEVX flow for ODP")
+Fixes: 6aec21f6a832 ("IB/mlx5: Page faults handling infrastructure")
+Link: https://lore.kernel.org/r/20191001153821.23621-7-jgg@ziepe.ca
+Reviewed-by: Artemy Kovalyov <artemyko@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/devx.c | 58 ++++++--------------
+ drivers/infiniband/hw/mlx5/mlx5_ib.h | 1 -
+ drivers/infiniband/hw/mlx5/mr.c | 21 +++++--
+ drivers/net/ethernet/mellanox/mlx5/core/mr.c | 8 +--
+ 4 files changed, 33 insertions(+), 55 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/devx.c b/drivers/infiniband/hw/mlx5/devx.c
+index af5bbb35c0589..ef7ba0133d28a 100644
+--- a/drivers/infiniband/hw/mlx5/devx.c
++++ b/drivers/infiniband/hw/mlx5/devx.c
+@@ -1275,29 +1275,6 @@ static int devx_handle_mkey_create(struct mlx5_ib_dev *dev,
+ return 0;
+ }
+
+-static void devx_free_indirect_mkey(struct rcu_head *rcu)
+-{
+- kfree(container_of(rcu, struct devx_obj, devx_mr.rcu));
+-}
+-
+-/* This function to delete from the radix tree needs to be called before
+- * destroying the underlying mkey. Otherwise a race might occur in case that
+- * other thread will get the same mkey before this one will be deleted,
+- * in that case it will fail via inserting to the tree its own data.
+- *
+- * Note:
+- * An error in the destroy is not expected unless there is some other indirect
+- * mkey which points to this one. In a kernel cleanup flow it will be just
+- * destroyed in the iterative destruction call. In a user flow, in case
+- * the application didn't close in the expected order it's its own problem,
+- * the mkey won't be part of the tree, in both cases the kernel is safe.
+- */
+-static void devx_cleanup_mkey(struct devx_obj *obj)
+-{
+- xa_erase(&obj->ib_dev->mdev->priv.mkey_table,
+- mlx5_base_mkey(obj->devx_mr.mmkey.key));
+-}
+-
+ static void devx_cleanup_subscription(struct mlx5_ib_dev *dev,
+ struct devx_event_subscription *sub)
+ {
+@@ -1339,8 +1316,16 @@ static int devx_obj_cleanup(struct ib_uobject *uobject,
+ int ret;
+
+ dev = mlx5_udata_to_mdev(&attrs->driver_udata);
+- if (obj->flags & DEVX_OBJ_FLAGS_INDIRECT_MKEY)
+- devx_cleanup_mkey(obj);
++ if (obj->flags & DEVX_OBJ_FLAGS_INDIRECT_MKEY) {
++ /*
++ * The pagefault_single_data_segment() does commands against
++ * the mmkey, we must wait for that to stop before freeing the
++ * mkey, as another allocation could get the same mkey #.
++ */
++ xa_erase(&obj->ib_dev->mdev->priv.mkey_table,
++ mlx5_base_mkey(obj->devx_mr.mmkey.key));
++ synchronize_srcu(&dev->mr_srcu);
++ }
+
+ if (obj->flags & DEVX_OBJ_FLAGS_DCT)
+ ret = mlx5_core_destroy_dct(obj->ib_dev->mdev, &obj->core_dct);
+@@ -1359,12 +1344,6 @@ static int devx_obj_cleanup(struct ib_uobject *uobject,
+ devx_cleanup_subscription(dev, sub_entry);
+ mutex_unlock(&devx_event_table->event_xa_lock);
+
+- if (obj->flags & DEVX_OBJ_FLAGS_INDIRECT_MKEY) {
+- call_srcu(&dev->mr_srcu, &obj->devx_mr.rcu,
+- devx_free_indirect_mkey);
+- return ret;
+- }
+-
+ kfree(obj);
+ return ret;
+ }
+@@ -1468,26 +1447,21 @@ static int UVERBS_HANDLER(MLX5_IB_METHOD_DEVX_OBJ_CREATE)(
+ &obj_id);
+ WARN_ON(obj->dinlen > MLX5_MAX_DESTROY_INBOX_SIZE_DW * sizeof(u32));
+
+- if (obj->flags & DEVX_OBJ_FLAGS_INDIRECT_MKEY) {
+- err = devx_handle_mkey_indirect(obj, dev, cmd_in, cmd_out);
+- if (err)
+- goto obj_destroy;
+- }
+-
+ err = uverbs_copy_to(attrs, MLX5_IB_ATTR_DEVX_OBJ_CREATE_CMD_OUT, cmd_out, cmd_out_len);
+ if (err)
+- goto err_copy;
++ goto obj_destroy;
+
+ if (opcode == MLX5_CMD_OP_CREATE_GENERAL_OBJECT)
+ obj_type = MLX5_GET(general_obj_in_cmd_hdr, cmd_in, obj_type);
+-
+ obj->obj_id = get_enc_obj_id(opcode | obj_type << 16, obj_id);
+
++ if (obj->flags & DEVX_OBJ_FLAGS_INDIRECT_MKEY) {
++ err = devx_handle_mkey_indirect(obj, dev, cmd_in, cmd_out);
++ if (err)
++ goto obj_destroy;
++ }
+ return 0;
+
+-err_copy:
+- if (obj->flags & DEVX_OBJ_FLAGS_INDIRECT_MKEY)
+- devx_cleanup_mkey(obj);
+ obj_destroy:
+ if (obj->flags & DEVX_OBJ_FLAGS_DCT)
+ mlx5_core_destroy_dct(obj->ib_dev->mdev, &obj->core_dct);
+diff --git a/drivers/infiniband/hw/mlx5/mlx5_ib.h b/drivers/infiniband/hw/mlx5/mlx5_ib.h
+index 9ae587b74b121..43c7353b98123 100644
+--- a/drivers/infiniband/hw/mlx5/mlx5_ib.h
++++ b/drivers/infiniband/hw/mlx5/mlx5_ib.h
+@@ -638,7 +638,6 @@ struct mlx5_ib_mw {
+ struct mlx5_ib_devx_mr {
+ struct mlx5_core_mkey mmkey;
+ int ndescs;
+- struct rcu_head rcu;
+ };
+
+ struct mlx5_ib_umr_context {
+diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c
+index 96c8a6835592d..c15d05f61cc7b 100644
+--- a/drivers/infiniband/hw/mlx5/mr.c
++++ b/drivers/infiniband/hw/mlx5/mr.c
+@@ -1970,14 +1970,25 @@ free:
+
+ int mlx5_ib_dealloc_mw(struct ib_mw *mw)
+ {
++ struct mlx5_ib_dev *dev = to_mdev(mw->device);
+ struct mlx5_ib_mw *mmw = to_mmw(mw);
+ int err;
+
+- err = mlx5_core_destroy_mkey((to_mdev(mw->device))->mdev,
+- &mmw->mmkey);
+- if (!err)
+- kfree(mmw);
+- return err;
++ if (IS_ENABLED(CONFIG_INFINIBAND_ON_DEMAND_PAGING)) {
++ xa_erase(&dev->mdev->priv.mkey_table,
++ mlx5_base_mkey(mmw->mmkey.key));
++ /*
++ * pagefault_single_data_segment() may be accessing mmw under
++ * SRCU if the user bound an ODP MR to this MW.
++ */
++ synchronize_srcu(&dev->mr_srcu);
++ }
++
++ err = mlx5_core_destroy_mkey(dev->mdev, &mmw->mmkey);
++ if (err)
++ return err;
++ kfree(mmw);
++ return 0;
+ }
+
+ int mlx5_ib_check_mr_status(struct ib_mr *ibmr, u32 check_mask,
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/mr.c b/drivers/net/ethernet/mellanox/mlx5/core/mr.c
+index 9231b39d18b21..c501bf2a02521 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/mr.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/mr.c
+@@ -112,17 +112,11 @@ int mlx5_core_destroy_mkey(struct mlx5_core_dev *dev,
+ u32 out[MLX5_ST_SZ_DW(destroy_mkey_out)] = {0};
+ u32 in[MLX5_ST_SZ_DW(destroy_mkey_in)] = {0};
+ struct xarray *mkeys = &dev->priv.mkey_table;
+- struct mlx5_core_mkey *deleted_mkey;
+ unsigned long flags;
+
+ xa_lock_irqsave(mkeys, flags);
+- deleted_mkey = __xa_erase(mkeys, mlx5_base_mkey(mkey->key));
++ __xa_erase(mkeys, mlx5_base_mkey(mkey->key));
+ xa_unlock_irqrestore(mkeys, flags);
+- if (!deleted_mkey) {
+- mlx5_core_dbg(dev, "failed xarray delete of mkey 0x%x\n",
+- mlx5_base_mkey(mkey->key));
+- return -ENOENT;
+- }
+
+ MLX5_SET(destroy_mkey_in, in, opcode, MLX5_CMD_OP_DESTROY_MKEY);
+ MLX5_SET(destroy_mkey_in, in, mkey_index, mlx5_mkey_to_idx(mkey->key));
+--
+2.20.1
+
--- /dev/null
+From 9fcc15bb17eb3749c37a78a46451c42e31e458ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2019 12:38:16 -0300
+Subject: RDMA/mlx5: Do not allow rereg of a ODP MR
+
+From: Jason Gunthorpe <jgg@mellanox.com>
+
+[ Upstream commit 880505cfef1d086d18b59d2920eb2160429ffa1f ]
+
+This code is completely broken, the umem of a ODP MR simply cannot be
+discarded without a lot more locking, nor can an ODP mkey be blithely
+destroyed via destroy_mkey().
+
+Fixes: 6aec21f6a832 ("IB/mlx5: Page faults handling infrastructure")
+Link: https://lore.kernel.org/r/20191001153821.23621-2-jgg@ziepe.ca
+Reviewed-by: Artemy Kovalyov <artemyko@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/mr.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c
+index 3401f5f6792e6..c4ba8838d2c46 100644
+--- a/drivers/infiniband/hw/mlx5/mr.c
++++ b/drivers/infiniband/hw/mlx5/mr.c
+@@ -1423,6 +1423,9 @@ int mlx5_ib_rereg_user_mr(struct ib_mr *ib_mr, int flags, u64 start,
+ if (!mr->umem)
+ return -EINVAL;
+
++ if (is_odp_mr(mr))
++ return -EOPNOTSUPP;
++
+ if (flags & IB_MR_REREG_TRANS) {
+ addr = virt_addr;
+ len = length;
+@@ -1468,8 +1471,6 @@ int mlx5_ib_rereg_user_mr(struct ib_mr *ib_mr, int flags, u64 start,
+ }
+
+ mr->allocated_from_cache = 0;
+- if (IS_ENABLED(CONFIG_INFINIBAND_ON_DEMAND_PAGING))
+- mr->live = 1;
+ } else {
+ /*
+ * Send a UMR WQE
+@@ -1498,7 +1499,6 @@ int mlx5_ib_rereg_user_mr(struct ib_mr *ib_mr, int flags, u64 start,
+
+ set_mr_fields(dev, mr, npages, len, access_flags);
+
+- update_odp_mr(mr);
+ return 0;
+
+ err:
+--
+2.20.1
+
--- /dev/null
+From 7a4669e6de59a30b34cb6db73f9a48f34780a880 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2019 12:38:19 -0300
+Subject: RDMA/mlx5: Order num_pending_prefetch properly with synchronize_srcu
+
+From: Jason Gunthorpe <jgg@mellanox.com>
+
+[ Upstream commit aa116b810ac9077a263ed8679fb4d595f180e0eb ]
+
+During destroy setting live = 0 and then synchronize_srcu() prevents
+num_pending_prefetch from incrementing, and also, ensures that all work
+holding that count is queued on the WQ. Testing before causes races of the
+form:
+
+ CPU0 CPU1
+ dereg_mr()
+ mlx5_ib_advise_mr_prefetch()
+ srcu_read_lock()
+ num_pending_prefetch_inc()
+ if (!live)
+ live = 0
+ atomic_read() == 0
+ // skip flush_workqueue()
+ atomic_inc()
+ queue_work();
+ srcu_read_unlock()
+ WARN_ON(atomic_read()) // Fails
+
+Swap the order so that the synchronize_srcu() prevents this.
+
+Fixes: a6bc3875f176 ("IB/mlx5: Protect against prefetch of invalid MR")
+Link: https://lore.kernel.org/r/20191001153821.23621-5-jgg@ziepe.ca
+Reviewed-by: Artemy Kovalyov <artemyko@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/mr.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c
+index c4ba8838d2c46..96c8a6835592d 100644
+--- a/drivers/infiniband/hw/mlx5/mr.c
++++ b/drivers/infiniband/hw/mlx5/mr.c
+@@ -1591,13 +1591,14 @@ static void dereg_mr(struct mlx5_ib_dev *dev, struct mlx5_ib_mr *mr)
+ */
+ mr->live = 0;
+
++ /* Wait for all running page-fault handlers to finish. */
++ synchronize_srcu(&dev->mr_srcu);
++
+ /* dequeue pending prefetch requests for the mr */
+ if (atomic_read(&mr->num_pending_prefetch))
+ flush_workqueue(system_unbound_wq);
+ WARN_ON(atomic_read(&mr->num_pending_prefetch));
+
+- /* Wait for all running page-fault handlers to finish. */
+- synchronize_srcu(&dev->mr_srcu);
+ /* Destroy all page mappings */
+ if (umem_odp->page_list)
+ mlx5_ib_invalidate_range(umem_odp,
+--
+2.20.1
+
--- /dev/null
+From 653c1ba04ee00aaf6e6026ba6c841c312f1ad858 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Oct 2019 14:56:27 +0300
+Subject: RDMA/nldev: Reshuffle the code to avoid need to rebind QP in error
+ path
+
+From: Leon Romanovsky <leonro@mellanox.com>
+
+[ Upstream commit 594e6c5d41ed2471ab0b90f3f0b66cdf618b7ac9 ]
+
+Properly unwind QP counter rebinding in case of failure.
+
+Trying to rebind the counter after unbiding it is not going to work
+reliably, move the unbind to the end so it doesn't have to be unwound.
+
+Fixes: b389327df905 ("RDMA/nldev: Allow counter manual mode configration through RDMA netlink")
+Link: https://lore.kernel.org/r/20191002115627.16740-1-leon@kernel.org
+Reviewed-by: Mark Zhang <markz@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/nldev.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/infiniband/core/nldev.c b/drivers/infiniband/core/nldev.c
+index 91e2cc9ddb9f8..f42e856f30729 100644
+--- a/drivers/infiniband/core/nldev.c
++++ b/drivers/infiniband/core/nldev.c
+@@ -1787,10 +1787,6 @@ static int nldev_stat_del_doit(struct sk_buff *skb, struct nlmsghdr *nlh,
+
+ cntn = nla_get_u32(tb[RDMA_NLDEV_ATTR_STAT_COUNTER_ID]);
+ qpn = nla_get_u32(tb[RDMA_NLDEV_ATTR_RES_LQPN]);
+- ret = rdma_counter_unbind_qpn(device, port, qpn, cntn);
+- if (ret)
+- goto err_unbind;
+-
+ if (fill_nldev_handle(msg, device) ||
+ nla_put_u32(msg, RDMA_NLDEV_ATTR_PORT_INDEX, port) ||
+ nla_put_u32(msg, RDMA_NLDEV_ATTR_STAT_COUNTER_ID, cntn) ||
+@@ -1799,13 +1795,15 @@ static int nldev_stat_del_doit(struct sk_buff *skb, struct nlmsghdr *nlh,
+ goto err_fill;
+ }
+
++ ret = rdma_counter_unbind_qpn(device, port, qpn, cntn);
++ if (ret)
++ goto err_fill;
++
+ nlmsg_end(msg, nlh);
+ ib_device_put(device);
+ return rdma_nl_unicast(msg, NETLINK_CB(skb).portid);
+
+ err_fill:
+- rdma_counter_bind_qpn(device, port, qpn, cntn);
+-err_unbind:
+ nlmsg_free(msg);
+ err:
+ ib_device_put(device);
+--
+2.20.1
+
--- /dev/null
+From 8b2f4a748eb0d2651e94e5ebcd8deb80305d48c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Sep 2019 15:41:12 +0530
+Subject: RDMA/siw: Fix serialization issue in write_space()
+
+From: Krishnamraju Eraparaju <krishna2@chelsio.com>
+
+[ Upstream commit df791c54d627bae53c9be3be40a69594c55de487 ]
+
+In siw_qp_llp_write_space(), 'sock' members should be accessed with
+sk_callback_lock held, otherwise, it could race with
+siw_sk_restore_upcalls(). And this could cause "NULL deref" panic. Below
+panic is due to the NULL cep returned from sk_to_cep(sk):
+
+ Call Trace:
+ <IRQ> siw_qp_llp_write_space+0x11/0x40 [siw]
+ tcp_check_space+0x4c/0xf0
+ tcp_rcv_established+0x52b/0x630
+ tcp_v4_do_rcv+0xf4/0x1e0
+ tcp_v4_rcv+0x9b8/0xab0
+ ip_protocol_deliver_rcu+0x2c/0x1c0
+ ip_local_deliver_finish+0x44/0x50
+ ip_local_deliver+0x6b/0xf0
+ ? ip_protocol_deliver_rcu+0x1c0/0x1c0
+ ip_rcv+0x52/0xd0
+ ? ip_rcv_finish_core.isra.14+0x390/0x390
+ __netif_receive_skb_one_core+0x83/0xa0
+ netif_receive_skb_internal+0x73/0xb0
+ napi_gro_frags+0x1ff/0x2b0
+ t4_ethrx_handler+0x4a7/0x740 [cxgb4]
+ process_responses+0x2c9/0x590 [cxgb4]
+ ? t4_sge_intr_msix+0x1d/0x30 [cxgb4]
+ ? handle_irq_event_percpu+0x51/0x70
+ ? handle_irq_event+0x41/0x60
+ ? handle_edge_irq+0x97/0x1a0
+ napi_rx_handler+0x14/0xe0 [cxgb4]
+ net_rx_action+0x2af/0x410
+ __do_softirq+0xda/0x2a8
+ do_softirq_own_stack+0x2a/0x40
+ </IRQ>
+ do_softirq+0x50/0x60
+ __local_bh_enable_ip+0x50/0x60
+ ip_finish_output2+0x18f/0x520
+ ip_output+0x6e/0xf0
+ ? __ip_finish_output+0x1f0/0x1f0
+ __ip_queue_xmit+0x14f/0x3d0
+ ? __slab_alloc+0x4b/0x58
+ __tcp_transmit_skb+0x57d/0xa60
+ tcp_write_xmit+0x23b/0xfd0
+ __tcp_push_pending_frames+0x2e/0xf0
+ tcp_sendmsg_locked+0x939/0xd50
+ tcp_sendmsg+0x27/0x40
+ sock_sendmsg+0x57/0x80
+ siw_tx_hdt+0x894/0xb20 [siw]
+ ? find_busiest_group+0x3e/0x5b0
+ ? common_interrupt+0xa/0xf
+ ? common_interrupt+0xa/0xf
+ ? common_interrupt+0xa/0xf
+ siw_qp_sq_process+0xf1/0xe60 [siw]
+ ? __wake_up_common_lock+0x87/0xc0
+ siw_sq_resume+0x33/0xe0 [siw]
+ siw_run_sq+0xac/0x190 [siw]
+ ? remove_wait_queue+0x60/0x60
+ kthread+0xf8/0x130
+ ? siw_sq_resume+0xe0/0xe0 [siw]
+ ? kthread_bind+0x10/0x10
+ ret_from_fork+0x35/0x40
+
+Fixes: f29dd55b0236 ("rdma/siw: queue pair methods")
+Link: https://lore.kernel.org/r/20190923101112.32685-1-krishna2@chelsio.com
+Signed-off-by: Krishnamraju Eraparaju <krishna2@chelsio.com>
+Reviewed-by: Bernard Metzler <bmt@zurich.ibm.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/siw/siw_qp.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/infiniband/sw/siw/siw_qp.c b/drivers/infiniband/sw/siw/siw_qp.c
+index 430314c8abd94..52d402f39df93 100644
+--- a/drivers/infiniband/sw/siw/siw_qp.c
++++ b/drivers/infiniband/sw/siw/siw_qp.c
+@@ -182,12 +182,19 @@ void siw_qp_llp_close(struct siw_qp *qp)
+ */
+ void siw_qp_llp_write_space(struct sock *sk)
+ {
+- struct siw_cep *cep = sk_to_cep(sk);
++ struct siw_cep *cep;
+
+- cep->sk_write_space(sk);
++ read_lock(&sk->sk_callback_lock);
++
++ cep = sk_to_cep(sk);
++ if (cep) {
++ cep->sk_write_space(sk);
+
+- if (!test_bit(SOCK_NOSPACE, &sk->sk_socket->flags))
+- (void)siw_sq_start(cep->qp);
++ if (!test_bit(SOCK_NOSPACE, &sk->sk_socket->flags))
++ (void)siw_sq_start(cep->qp);
++ }
++
++ read_unlock(&sk->sk_callback_lock);
+ }
+
+ static int siw_qp_readq_init(struct siw_qp *qp, int irq_size, int orq_size)
+--
+2.20.1
+
--- /dev/null
+From 8e6eb29bfc27b43f3ba4d09e4b4cc6fecf33ad2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Sep 2019 08:45:14 +0800
+Subject: riscv: avoid kernel hangs when trapped in BUG()
+
+From: Vincent Chen <vincent.chen@sifive.com>
+
+[ Upstream commit 8b04825ed205da38754f86f4c07ea8600d8c2a65 ]
+
+When the CONFIG_GENERIC_BUG is disabled by disabling CONFIG_BUG, if a
+kernel thread is trapped by BUG(), the whole system will be in the
+loop that infinitely handles the ebreak exception instead of entering the
+die function. To fix this problem, the do_trap_break() will always call
+the die() to deal with the break exception as the type of break is
+BUG_TRAP_TYPE_BUG.
+
+Signed-off-by: Vincent Chen <vincent.chen@sifive.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Paul Walmsley <paul.walmsley@sifive.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kernel/traps.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c
+index 424eb72d56b10..055a937aca70a 100644
+--- a/arch/riscv/kernel/traps.c
++++ b/arch/riscv/kernel/traps.c
+@@ -124,23 +124,23 @@ static inline unsigned long get_break_insn_length(unsigned long pc)
+
+ asmlinkage void do_trap_break(struct pt_regs *regs)
+ {
+-#ifdef CONFIG_GENERIC_BUG
+ if (!user_mode(regs)) {
+ enum bug_trap_type type;
+
+ type = report_bug(regs->sepc, regs);
+ switch (type) {
++#ifdef CONFIG_GENERIC_BUG
+ case BUG_TRAP_TYPE_NONE:
+ break;
+ case BUG_TRAP_TYPE_WARN:
+ regs->sepc += get_break_insn_length(regs->sepc);
+ break;
+ case BUG_TRAP_TYPE_BUG:
++#endif /* CONFIG_GENERIC_BUG */
++ default:
+ die(regs, "Kernel BUG");
+ }
+ }
+-#endif /* CONFIG_GENERIC_BUG */
+-
+ force_sig_fault(SIGTRAP, TRAP_BRKPT, (void __user *)(regs->sepc));
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 2632145a6c67fb5660d14892919785118dc6cc4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Sep 2019 08:45:15 +0800
+Subject: riscv: avoid sending a SIGTRAP to a user thread trapped in WARN()
+
+From: Vincent Chen <vincent.chen@sifive.com>
+
+[ Upstream commit e0c0fc18f10d5080cddde0e81505fd3e952c20c4 ]
+
+On RISC-V, when the kernel runs code on behalf of a user thread, and the
+kernel executes a WARN() or WARN_ON(), the user thread will be sent
+a bogus SIGTRAP. Fix the RISC-V kernel code to not send a SIGTRAP when
+a WARN()/WARN_ON() is executed.
+
+Signed-off-by: Vincent Chen <vincent.chen@sifive.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+[paul.walmsley@sifive.com: fixed subject]
+Signed-off-by: Paul Walmsley <paul.walmsley@sifive.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kernel/traps.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c
+index 055a937aca70a..82f42a55451eb 100644
+--- a/arch/riscv/kernel/traps.c
++++ b/arch/riscv/kernel/traps.c
+@@ -134,7 +134,7 @@ asmlinkage void do_trap_break(struct pt_regs *regs)
+ break;
+ case BUG_TRAP_TYPE_WARN:
+ regs->sepc += get_break_insn_length(regs->sepc);
+- break;
++ return;
+ case BUG_TRAP_TYPE_BUG:
+ #endif /* CONFIG_GENERIC_BUG */
+ default:
+--
+2.20.1
+
--- /dev/null
+From 5870580f8ee2841a56124f1d180cc3f031549fe4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Sep 2019 08:45:16 +0800
+Subject: riscv: Correct the handling of unexpected ebreak in do_trap_break()
+
+From: Vincent Chen <vincent.chen@sifive.com>
+
+[ Upstream commit 8bb0daef64e5a92db63ad1d3bbf9e280a7b3612a ]
+
+For the kernel space, all ebreak instructions are determined at compile
+time because the kernel space debugging module is currently unsupported.
+Hence, it should be treated as a bug if an ebreak instruction which does
+not belong to BUG_TRAP_TYPE_WARN or BUG_TRAP_TYPE_BUG is executed in
+kernel space. For the userspace, debugging module or user problem may
+intentionally insert an ebreak instruction to trigger a SIGTRAP signal.
+To approach the above two situations, the do_trap_break() will direct
+the BUG_TRAP_TYPE_NONE ebreak exception issued in kernel space to die()
+and will send a SIGTRAP to the trapped process only when the ebreak is
+in userspace.
+
+Signed-off-by: Vincent Chen <vincent.chen@sifive.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+[paul.walmsley@sifive.com: fixed checkpatch issue]
+Signed-off-by: Paul Walmsley <paul.walmsley@sifive.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kernel/traps.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c
+index 82f42a55451eb..93742df9067fb 100644
+--- a/arch/riscv/kernel/traps.c
++++ b/arch/riscv/kernel/traps.c
+@@ -130,8 +130,6 @@ asmlinkage void do_trap_break(struct pt_regs *regs)
+ type = report_bug(regs->sepc, regs);
+ switch (type) {
+ #ifdef CONFIG_GENERIC_BUG
+- case BUG_TRAP_TYPE_NONE:
+- break;
+ case BUG_TRAP_TYPE_WARN:
+ regs->sepc += get_break_insn_length(regs->sepc);
+ return;
+@@ -140,8 +138,10 @@ asmlinkage void do_trap_break(struct pt_regs *regs)
+ default:
+ die(regs, "Kernel BUG");
+ }
++ } else {
++ force_sig_fault(SIGTRAP, TRAP_BRKPT,
++ (void __user *)(regs->sepc));
+ }
+- force_sig_fault(SIGTRAP, TRAP_BRKPT, (void __user *)(regs->sepc));
+ }
+
+ #ifdef CONFIG_GENERIC_BUG
+--
+2.20.1
+
--- /dev/null
+From 33ef2c5563ded3af7b262267f3c4d3bc26c27abd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2019 17:38:02 +0200
+Subject: s390/cio: fix virtio-ccw DMA without PV
+
+From: Halil Pasic <pasic@linux.ibm.com>
+
+[ Upstream commit 05668e1d74b84c53fbe0f28565e4c9502a6b8a67 ]
+
+Commit 37db8985b211 ("s390/cio: add basic protected virtualization
+support") breaks virtio-ccw devices with VIRTIO_F_IOMMU_PLATFORM for non
+Protected Virtualization (PV) guests. The problem is that the dma_mask
+of the ccw device, which is used by virtio core, gets changed from 64 to
+31 bit, because some of the DMA allocations do require 31 bit
+addressable memory. For PV the only drawback is that some of the virtio
+structures must end up in ZONE_DMA because we have the bounce the
+buffers mapped via DMA API anyway.
+
+But for non PV guests we have a problem: because of the 31 bit mask
+guests bigger than 2G are likely to try bouncing buffers. The swiotlb
+however is only initialized for PV guests, because we don't want to
+bounce anything for non PV guests. The first such map kills the guest.
+
+Since the DMA API won't allow us to specify for each allocation whether
+we need memory from ZONE_DMA (31 bit addressable) or any DMA capable
+memory will do, let us use coherent_dma_mask (which is used for
+allocations) to force allocating form ZONE_DMA while changing dma_mask
+to DMA_BIT_MASK(64) so that at least the streaming API will regard
+the whole memory DMA capable.
+
+Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
+Reported-by: Marc Hartmayer <mhartmay@linux.ibm.com>
+Suggested-by: Robin Murphy <robin.murphy@arm.com>
+Fixes: 37db8985b211 ("s390/cio: add basic protected virtualization support")
+Link: https://lore.kernel.org/lkml/20190930153803.7958-1-pasic@linux.ibm.com
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/cio/cio.h | 1 +
+ drivers/s390/cio/css.c | 7 ++++++-
+ drivers/s390/cio/device.c | 2 +-
+ 3 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/s390/cio/cio.h b/drivers/s390/cio/cio.h
+index ba7d2480613b9..dcdaba689b20c 100644
+--- a/drivers/s390/cio/cio.h
++++ b/drivers/s390/cio/cio.h
+@@ -113,6 +113,7 @@ struct subchannel {
+ enum sch_todo todo;
+ struct work_struct todo_work;
+ struct schib_config config;
++ u64 dma_mask;
+ char *driver_override; /* Driver name to force a match */
+ } __attribute__ ((aligned(8)));
+
+diff --git a/drivers/s390/cio/css.c b/drivers/s390/cio/css.c
+index 1fbfb0a93f5f1..831850435c23b 100644
+--- a/drivers/s390/cio/css.c
++++ b/drivers/s390/cio/css.c
+@@ -232,7 +232,12 @@ struct subchannel *css_alloc_subchannel(struct subchannel_id schid,
+ * belong to a subchannel need to fit 31 bit width (e.g. ccw).
+ */
+ sch->dev.coherent_dma_mask = DMA_BIT_MASK(31);
+- sch->dev.dma_mask = &sch->dev.coherent_dma_mask;
++ /*
++ * But we don't have such restrictions imposed on the stuff that
++ * is handled by the streaming API.
++ */
++ sch->dma_mask = DMA_BIT_MASK(64);
++ sch->dev.dma_mask = &sch->dma_mask;
+ return sch;
+
+ err:
+diff --git a/drivers/s390/cio/device.c b/drivers/s390/cio/device.c
+index c421899be20f2..027ef1dde5a7a 100644
+--- a/drivers/s390/cio/device.c
++++ b/drivers/s390/cio/device.c
+@@ -710,7 +710,7 @@ static struct ccw_device * io_subchannel_allocate_dev(struct subchannel *sch)
+ if (!cdev->private)
+ goto err_priv;
+ cdev->dev.coherent_dma_mask = sch->dev.coherent_dma_mask;
+- cdev->dev.dma_mask = &cdev->dev.coherent_dma_mask;
++ cdev->dev.dma_mask = sch->dev.dma_mask;
+ dma_pool = cio_gp_dma_create(&cdev->dev, 1);
+ if (!dma_pool)
+ goto err_dma_pool;
+--
+2.20.1
+
--- /dev/null
+From af6111e7add5679f0ad5927d0d51d9d0a3ea0abe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2019 17:02:32 +0200
+Subject: s390/uaccess: avoid (false positive) compiler warnings
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+
+[ Upstream commit 062795fcdcb2d22822fb42644b1d76a8ad8439b3 ]
+
+Depending on inlining decisions by the compiler, __get/put_user_fn
+might become out of line. Then the compiler is no longer able to tell
+that size can only be 1,2,4 or 8 due to the check in __get/put_user
+resulting in false positives like
+
+./arch/s390/include/asm/uaccess.h: In function ‘__put_user_fn’:
+./arch/s390/include/asm/uaccess.h:113:9: warning: ‘rc’ may be used uninitialized in this function [-Wmaybe-uninitialized]
+ 113 | return rc;
+ | ^~
+./arch/s390/include/asm/uaccess.h: In function ‘__get_user_fn’:
+./arch/s390/include/asm/uaccess.h:143:9: warning: ‘rc’ may be used uninitialized in this function [-Wmaybe-uninitialized]
+ 143 | return rc;
+ | ^~
+
+These functions are supposed to be always inlined. Mark it as such.
+
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/include/asm/uaccess.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/s390/include/asm/uaccess.h b/arch/s390/include/asm/uaccess.h
+index bd2fd9a7821da..a470f1fa9f2af 100644
+--- a/arch/s390/include/asm/uaccess.h
++++ b/arch/s390/include/asm/uaccess.h
+@@ -83,7 +83,7 @@ raw_copy_to_user(void __user *to, const void *from, unsigned long n);
+ __rc; \
+ })
+
+-static inline int __put_user_fn(void *x, void __user *ptr, unsigned long size)
++static __always_inline int __put_user_fn(void *x, void __user *ptr, unsigned long size)
+ {
+ unsigned long spec = 0x010000UL;
+ int rc;
+@@ -113,7 +113,7 @@ static inline int __put_user_fn(void *x, void __user *ptr, unsigned long size)
+ return rc;
+ }
+
+-static inline int __get_user_fn(void *x, const void __user *ptr, unsigned long size)
++static __always_inline int __get_user_fn(void *x, const void __user *ptr, unsigned long size)
+ {
+ unsigned long spec = 0x01UL;
+ int rc;
+--
+2.20.1
+
--- /dev/null
+From f29ed0830a0c361e2a3b6c6b03335507f880e7aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Oct 2019 17:12:43 -0700
+Subject: sched/fair: Scale bandwidth quota and period without losing
+ quota/period ratio precision
+
+From: Xuewei Zhang <xueweiz@google.com>
+
+[ Upstream commit 4929a4e6faa0f13289a67cae98139e727f0d4a97 ]
+
+The quota/period ratio is used to ensure a child task group won't get
+more bandwidth than the parent task group, and is calculated as:
+
+ normalized_cfs_quota() = [(quota_us << 20) / period_us]
+
+If the quota/period ratio was changed during this scaling due to
+precision loss, it will cause inconsistency between parent and child
+task groups.
+
+See below example:
+
+A userspace container manager (kubelet) does three operations:
+
+ 1) Create a parent cgroup, set quota to 1,000us and period to 10,000us.
+ 2) Create a few children cgroups.
+ 3) Set quota to 1,000us and period to 10,000us on a child cgroup.
+
+These operations are expected to succeed. However, if the scaling of
+147/128 happens before step 3, quota and period of the parent cgroup
+will be changed:
+
+ new_quota: 1148437ns, 1148us
+ new_period: 11484375ns, 11484us
+
+And when step 3 comes in, the ratio of the child cgroup will be
+104857, which will be larger than the parent cgroup ratio (104821),
+and will fail.
+
+Scaling them by a factor of 2 will fix the problem.
+
+Tested-by: Phil Auld <pauld@redhat.com>
+Signed-off-by: Xuewei Zhang <xueweiz@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Phil Auld <pauld@redhat.com>
+Cc: Anton Blanchard <anton@ozlabs.org>
+Cc: Ben Segall <bsegall@google.com>
+Cc: Dietmar Eggemann <dietmar.eggemann@arm.com>
+Cc: Juri Lelli <juri.lelli@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mel Gorman <mgorman@suse.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vincent Guittot <vincent.guittot@linaro.org>
+Fixes: 2e8e19226398 ("sched/fair: Limit sched_cfs_period_timer() loop to avoid hard lockup")
+Link: https://lkml.kernel.org/r/20191004001243.140897-1-xueweiz@google.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/fair.c | 36 ++++++++++++++++++++++--------------
+ 1 file changed, 22 insertions(+), 14 deletions(-)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index 86cfc5d5129ce..16b5d29bd7300 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -4995,20 +4995,28 @@ static enum hrtimer_restart sched_cfs_period_timer(struct hrtimer *timer)
+ if (++count > 3) {
+ u64 new, old = ktime_to_ns(cfs_b->period);
+
+- new = (old * 147) / 128; /* ~115% */
+- new = min(new, max_cfs_quota_period);
+-
+- cfs_b->period = ns_to_ktime(new);
+-
+- /* since max is 1s, this is limited to 1e9^2, which fits in u64 */
+- cfs_b->quota *= new;
+- cfs_b->quota = div64_u64(cfs_b->quota, old);
+-
+- pr_warn_ratelimited(
+- "cfs_period_timer[cpu%d]: period too short, scaling up (new cfs_period_us %lld, cfs_quota_us = %lld)\n",
+- smp_processor_id(),
+- div_u64(new, NSEC_PER_USEC),
+- div_u64(cfs_b->quota, NSEC_PER_USEC));
++ /*
++ * Grow period by a factor of 2 to avoid losing precision.
++ * Precision loss in the quota/period ratio can cause __cfs_schedulable
++ * to fail.
++ */
++ new = old * 2;
++ if (new < max_cfs_quota_period) {
++ cfs_b->period = ns_to_ktime(new);
++ cfs_b->quota *= 2;
++
++ pr_warn_ratelimited(
++ "cfs_period_timer[cpu%d]: period too short, scaling up (new cfs_period_us = %lld, cfs_quota_us = %lld)\n",
++ smp_processor_id(),
++ div_u64(new, NSEC_PER_USEC),
++ div_u64(cfs_b->quota, NSEC_PER_USEC));
++ } else {
++ pr_warn_ratelimited(
++ "cfs_period_timer[cpu%d]: period too short, but cannot scale up without losing precision (cfs_period_us = %lld, cfs_quota_us = %lld)\n",
++ smp_processor_id(),
++ div_u64(old, NSEC_PER_USEC),
++ div_u64(cfs_b->quota, NSEC_PER_USEC));
++ }
+
+ /* reset count so we don't come right back in here */
+ count = 0;
+--
+2.20.1
+
--- /dev/null
+From 864384e58e0f0d227c8a759b12884d62d465ae03 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Sep 2019 23:42:42 +0200
+Subject: sched/vtime: Fix guest/system mis-accounting on task switch
+
+From: Frederic Weisbecker <frederic@kernel.org>
+
+[ Upstream commit 68e7a4d66b0ce04bf18ff2ffded5596ab3618585 ]
+
+vtime_account_system() assumes that the target task to account cputime
+to is always the current task. This is most often true indeed except on
+task switch where we call:
+
+ vtime_common_task_switch(prev)
+ vtime_account_system(prev)
+
+Here prev is the scheduling-out task where we account the cputime to. It
+doesn't match current that is already the scheduling-in task at this
+stage of the context switch.
+
+So we end up checking the wrong task flags to determine if we are
+accounting guest or system time to the previous task.
+
+As a result the wrong task is used to check if the target is running in
+guest mode. We may then spuriously account or leak either system or
+guest time on task switch.
+
+Fix this assumption and also turn vtime_guest_enter/exit() to use the
+task passed in parameter as well to avoid future similar issues.
+
+Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Rik van Riel <riel@redhat.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Wanpeng Li <wanpengli@tencent.com>
+Fixes: 2a42eb9594a1 ("sched/cputime: Accumulate vtime on top of nsec clocksource")
+Link: https://lkml.kernel.org/r/20190925214242.21873-1-frederic@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/cputime.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/sched/cputime.c b/kernel/sched/cputime.c
+index 2305ce89a26cf..46ed4e1383e21 100644
+--- a/kernel/sched/cputime.c
++++ b/kernel/sched/cputime.c
+@@ -740,7 +740,7 @@ void vtime_account_system(struct task_struct *tsk)
+
+ write_seqcount_begin(&vtime->seqcount);
+ /* We might have scheduled out from guest path */
+- if (current->flags & PF_VCPU)
++ if (tsk->flags & PF_VCPU)
+ vtime_account_guest(tsk, vtime);
+ else
+ __vtime_account_system(tsk, vtime);
+@@ -783,7 +783,7 @@ void vtime_guest_enter(struct task_struct *tsk)
+ */
+ write_seqcount_begin(&vtime->seqcount);
+ __vtime_account_system(tsk, vtime);
+- current->flags |= PF_VCPU;
++ tsk->flags |= PF_VCPU;
+ write_seqcount_end(&vtime->seqcount);
+ }
+ EXPORT_SYMBOL_GPL(vtime_guest_enter);
+@@ -794,7 +794,7 @@ void vtime_guest_exit(struct task_struct *tsk)
+
+ write_seqcount_begin(&vtime->seqcount);
+ vtime_account_guest(tsk, vtime);
+- current->flags &= ~PF_VCPU;
++ tsk->flags &= ~PF_VCPU;
+ write_seqcount_end(&vtime->seqcount);
+ }
+ EXPORT_SYMBOL_GPL(vtime_guest_exit);
+--
+2.20.1
+
--- /dev/null
+From ee123f476c05b30fb73d192c0e7546efd803727a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Sep 2019 11:06:44 -0700
+Subject: selftests/kselftest/runner.sh: Add 45 second timeout per test
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 852c8cbf34d3b3130a05c38064dd98614f97d3a8 ]
+
+Commit a745f7af3cbd ("selftests/harness: Add 30 second timeout per
+test") solves the problem of kselftest_harness.h-using binary tests
+possibly hanging forever. However, scripts and other binaries can still
+hang forever. This adds a global timeout to each test script run.
+
+To make this configurable (e.g. as needed in the "rtc" test case),
+include a new per-test-directory "settings" file (similar to "config")
+that can contain kselftest-specific settings. The first recognized field
+is "timeout".
+
+Additionally, this splits the reporting for timeouts into a specific
+"TIMEOUT" not-ok (and adds exit code reporting in the remaining case).
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/kselftest/runner.sh | 36 +++++++++++++++++++--
+ tools/testing/selftests/rtc/settings | 1 +
+ 2 files changed, 34 insertions(+), 3 deletions(-)
+ create mode 100644 tools/testing/selftests/rtc/settings
+
+diff --git a/tools/testing/selftests/kselftest/runner.sh b/tools/testing/selftests/kselftest/runner.sh
+index 00c9020bdda8b..84de7bc74f2cf 100644
+--- a/tools/testing/selftests/kselftest/runner.sh
++++ b/tools/testing/selftests/kselftest/runner.sh
+@@ -3,9 +3,14 @@
+ #
+ # Runs a set of tests in a given subdirectory.
+ export skip_rc=4
++export timeout_rc=124
+ export logfile=/dev/stdout
+ export per_test_logging=
+
++# Defaults for "settings" file fields:
++# "timeout" how many seconds to let each test run before failing.
++export kselftest_default_timeout=45
++
+ # There isn't a shell-agnostic way to find the path of a sourced file,
+ # so we must rely on BASE_DIR being set to find other tools.
+ if [ -z "$BASE_DIR" ]; then
+@@ -24,6 +29,16 @@ tap_prefix()
+ fi
+ }
+
++tap_timeout()
++{
++ # Make sure tests will time out if utility is available.
++ if [ -x /usr/bin/timeout ] ; then
++ /usr/bin/timeout "$kselftest_timeout" "$1"
++ else
++ "$1"
++ fi
++}
++
+ run_one()
+ {
+ DIR="$1"
+@@ -32,6 +47,18 @@ run_one()
+
+ BASENAME_TEST=$(basename $TEST)
+
++ # Reset any "settings"-file variables.
++ export kselftest_timeout="$kselftest_default_timeout"
++ # Load per-test-directory kselftest "settings" file.
++ settings="$BASE_DIR/$DIR/settings"
++ if [ -r "$settings" ] ; then
++ while read line ; do
++ field=$(echo "$line" | cut -d= -f1)
++ value=$(echo "$line" | cut -d= -f2-)
++ eval "kselftest_$field"="$value"
++ done < "$settings"
++ fi
++
+ TEST_HDR_MSG="selftests: $DIR: $BASENAME_TEST"
+ echo "# $TEST_HDR_MSG"
+ if [ ! -x "$TEST" ]; then
+@@ -44,14 +71,17 @@ run_one()
+ echo "not ok $test_num $TEST_HDR_MSG"
+ else
+ cd `dirname $TEST` > /dev/null
+- (((((./$BASENAME_TEST 2>&1; echo $? >&3) |
++ ((((( tap_timeout ./$BASENAME_TEST 2>&1; echo $? >&3) |
+ tap_prefix >&4) 3>&1) |
+ (read xs; exit $xs)) 4>>"$logfile" &&
+ echo "ok $test_num $TEST_HDR_MSG") ||
+- (if [ $? -eq $skip_rc ]; then \
++ (rc=$?; \
++ if [ $rc -eq $skip_rc ]; then \
+ echo "not ok $test_num $TEST_HDR_MSG # SKIP"
++ elif [ $rc -eq $timeout_rc ]; then \
++ echo "not ok $test_num $TEST_HDR_MSG # TIMEOUT"
+ else
+- echo "not ok $test_num $TEST_HDR_MSG"
++ echo "not ok $test_num $TEST_HDR_MSG # exit=$rc"
+ fi)
+ cd - >/dev/null
+ fi
+diff --git a/tools/testing/selftests/rtc/settings b/tools/testing/selftests/rtc/settings
+new file mode 100644
+index 0000000000000..ba4d85f74cd6b
+--- /dev/null
++++ b/tools/testing/selftests/rtc/settings
+@@ -0,0 +1 @@
++timeout=90
+--
+2.20.1
+
--- /dev/null
+From 59e17421efeb4696418a05a58433d0c855c979bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Oct 2019 11:33:12 -0500
+Subject: serial: 8250_omap: Fix gpio check for auto RTS/CTS
+
+From: Adam Ford <aford173@gmail.com>
+
+[ Upstream commit fc64f7abbef2dae7ee4c94702fb3cf9a2be5431a ]
+
+There are two checks to see if the manual gpio is configured, but
+these the check is seeing if the structure is NULL instead it
+should check to see if there are CTS and/or RTS pins defined.
+
+This patch uses checks for those individual pins instead of
+checking for the structure itself to restore auto RTS/CTS.
+
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Reviewed-by: Yegor Yefremov <yegorslists@googlemail.com>
+Link: https://lore.kernel.org/r/20191006163314.23191-2-aford173@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_omap.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c
+index 3ef65cbd2478a..e4b08077f8757 100644
+--- a/drivers/tty/serial/8250/8250_omap.c
++++ b/drivers/tty/serial/8250/8250_omap.c
+@@ -141,7 +141,7 @@ static void omap8250_set_mctrl(struct uart_port *port, unsigned int mctrl)
+
+ serial8250_do_set_mctrl(port, mctrl);
+
+- if (!up->gpios) {
++ if (!mctrl_gpio_to_gpiod(up->gpios, UART_GPIO_RTS)) {
+ /*
+ * Turn off autoRTS if RTS is lowered and restore autoRTS
+ * setting if RTS is raised
+@@ -456,7 +456,8 @@ static void omap_8250_set_termios(struct uart_port *port,
+ up->port.status &= ~(UPSTAT_AUTOCTS | UPSTAT_AUTORTS | UPSTAT_AUTOXOFF);
+
+ if (termios->c_cflag & CRTSCTS && up->port.flags & UPF_HARD_FLOW &&
+- !up->gpios) {
++ !mctrl_gpio_to_gpiod(up->gpios, UART_GPIO_RTS) &&
++ !mctrl_gpio_to_gpiod(up->gpios, UART_GPIO_CTS)) {
+ /* Enable AUTOCTS (autoRTS is enabled when RTS is raised) */
+ up->port.status |= UPSTAT_AUTOCTS | UPSTAT_AUTORTS;
+ priv->efr |= UART_EFR_CTS;
+--
+2.20.1
+
--- /dev/null
+From d69f2298df140af3b65979d5455ea869e0e1db9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Oct 2019 11:33:11 -0500
+Subject: serial: mctrl_gpio: Check for NULL pointer
+
+From: Adam Ford <aford173@gmail.com>
+
+[ Upstream commit 37e3ab00e4734acc15d96b2926aab55c894f4d9c ]
+
+When using mctrl_gpio_to_gpiod, it dereferences gpios into a single
+requested GPIO. This dereferencing can break if gpios is NULL,
+so this patch adds a NULL check before dereferencing it. If
+gpios is NULL, this function will also return NULL.
+
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Reviewed-by: Yegor Yefremov <yegorslists@googlemail.com>
+Link: https://lore.kernel.org/r/20191006163314.23191-1-aford173@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/serial_mctrl_gpio.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/tty/serial/serial_mctrl_gpio.c b/drivers/tty/serial/serial_mctrl_gpio.c
+index 2b400189be911..54c43e02e3755 100644
+--- a/drivers/tty/serial/serial_mctrl_gpio.c
++++ b/drivers/tty/serial/serial_mctrl_gpio.c
+@@ -61,6 +61,9 @@ EXPORT_SYMBOL_GPL(mctrl_gpio_set);
+ struct gpio_desc *mctrl_gpio_to_gpiod(struct mctrl_gpios *gpios,
+ enum mctrl_gpio_idx gidx)
+ {
++ if (gpios == NULL)
++ return NULL;
++
+ return gpios->gpio[gidx];
+ }
+ EXPORT_SYMBOL_GPL(mctrl_gpio_to_gpiod);
+--
+2.20.1
+
--- /dev/null
+From 8b69e0be66c462ed6b963f853142d01678290b42 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Sep 2019 07:59:23 +0200
+Subject: serial/sifive: select SERIAL_EARLYCON
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 7e2a165de5a52003d10a611ee3884cdb5c44e8cd ]
+
+The sifive serial driver implements earlycon support, but unless
+another driver is built in that supports earlycon support it won't
+be usable. Explicitly select SERIAL_EARLYCON instead.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Paul Walmsley <paul.walmsley@sifive.com>
+Link: https://lore.kernel.org/r/20190910055923.28384-1-hch@lst.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/tty/serial/Kconfig b/drivers/tty/serial/Kconfig
+index 3083dbae35f7e..3b436ccd29dad 100644
+--- a/drivers/tty/serial/Kconfig
++++ b/drivers/tty/serial/Kconfig
+@@ -1075,6 +1075,7 @@ config SERIAL_SIFIVE_CONSOLE
+ bool "Console on SiFive UART"
+ depends on SERIAL_SIFIVE=y
+ select SERIAL_CORE_CONSOLE
++ select SERIAL_EARLYCON
+ help
+ Select this option if you would like to use a SiFive UART as the
+ system console.
+--
+2.20.1
+
--- /dev/null
+io_uring-fix-up-o_nonblock-handling-for-sockets.patch
+dm-snapshot-introduce-account_start_copy-and-account.patch
+dm-snapshot-rework-cow-throttling-to-fix-deadlock.patch
+btrfs-fix-inode-cache-block-reserve-leak-on-failure-.patch
+btrfs-qgroup-always-free-prealloc-meta-reserve-in-bt.patch
+iio-adc-meson_saradc-fix-memory-allocation-order.patch
+iio-fix-center-temperature-of-bmc150-accel-core.patch
+libsubcmd-make-_fortify_source-defines-dependent-on-.patch
+perf-tests-avoid-raising-segv-using-an-obvious-null-.patch
+perf-map-fix-overlapped-map-handling.patch
+perf-script-brstackinsn-fix-recovery-from-lbr-binary.patch
+perf-jevents-fix-period-for-intel-fixed-counters.patch
+perf-tools-propagate-get_cpuid-error.patch
+perf-annotate-propagate-perf_env__arch-error.patch
+perf-annotate-fix-the-signedness-of-failure-returns.patch
+perf-annotate-propagate-the-symbol__annotate-error-r.patch
+perf-annotate-fix-arch-specific-init-failure-errors.patch
+perf-annotate-return-appropriate-error-code-for-allo.patch
+perf-annotate-don-t-return-1-for-error-when-doing-bp.patch
+staging-rtl8188eu-fix-null-dereference-when-kzalloc-.patch
+rdma-siw-fix-serialization-issue-in-write_space.patch
+rdma-hfi1-prevent-memory-leak-in-sdma_init.patch
+rdma-iw_cxgb4-fix-srq-access-from-dump_qp.patch
+rdma-iwcm-fix-a-lock-inversion-issue.patch
+hid-hyperv-use-in-place-iterator-api-in-the-channel-.patch
+kselftest-exclude-failed-targets-from-runlist.patch
+selftests-kselftest-runner.sh-add-45-second-timeout-.patch
+nfs-fix-nfsi-nrequests-count-error-on-nfs_inode_remo.patch
+arm64-cpufeature-effectively-expose-frint-capability.patch
+arm64-fix-incorrect-irqflag-restore-for-priority-mas.patch
+arm64-ftrace-ensure-synchronisation-in-plt-setup-for.patch
+tty-serial-owl-fix-the-link-time-qualifier-of-owl_ua.patch
+tty-serial-rda-fix-the-link-time-qualifier-of-rda_ua.patch
+serial-sifive-select-serial_earlycon.patch
+tty-n_hdlc-fix-build-on-sparc.patch
+misc-fastrpc-prevent-memory-leak-in-fastrpc_dma_buf_.patch
+rdma-core-fix-an-error-handling-path-in-res_get_comm.patch
+rdma-cm-fix-memory-leak-in-cm_add-remove_one.patch
+rdma-nldev-reshuffle-the-code-to-avoid-need-to-rebin.patch
+rdma-mlx5-do-not-allow-rereg-of-a-odp-mr.patch
+rdma-mlx5-order-num_pending_prefetch-properly-with-s.patch
+rdma-mlx5-add-missing-synchronize_srcu-for-mw-cases.patch
+gpio-max77620-use-correct-unit-for-debounce-times.patch
+fs-cifs-mute-wunused-const-variable-message.patch
+arm64-vdso32-fix-broken-compat-vdso-build-warnings.patch
+arm64-vdso32-detect-binutils-support-for-dmb-ishld.patch
+serial-mctrl_gpio-check-for-null-pointer.patch
+serial-8250_omap-fix-gpio-check-for-auto-rts-cts.patch
+arm64-default-to-building-compat-vdso-with-clang-whe.patch
+arm64-vdso32-don-t-use-kbuild_cppflags-unconditional.patch
+efi-cper-fix-endianness-of-pcie-class-code.patch
+efi-x86-do-not-clean-dummy-variable-in-kexec-path.patch
+mips-include-mark-__cmpxchg-as-__always_inline.patch
+riscv-avoid-kernel-hangs-when-trapped-in-bug.patch
+riscv-avoid-sending-a-sigtrap-to-a-user-thread-trapp.patch
+riscv-correct-the-handling-of-unexpected-ebreak-in-d.patch
+x86-xen-return-from-panic-notifier.patch
+ocfs2-clear-zero-in-unaligned-direct-io.patch
+fs-ocfs2-fix-possible-null-pointer-dereferences-in-o.patch
+fs-ocfs2-fix-a-possible-null-pointer-dereference-in-.patch
+fs-ocfs2-fix-a-possible-null-pointer-dereference-in-.patch-19879
+btrfs-silence-maybe-uninitialized-warning-in-clone_r.patch
+arm64-armv8_deprecated-checking-return-value-for-mem.patch
+x86-cpu-add-comet-lake-to-the-intel-cpu-models-heade.patch
+sched-fair-scale-bandwidth-quota-and-period-without-.patch
+sched-vtime-fix-guest-system-mis-accounting-on-task-.patch
+perf-core-rework-memory-accounting-in-perf_mmap.patch
+perf-core-fix-corner-case-in-perf_rotate_context.patch
+perf-x86-amd-change-fix-nmi-latency-mitigation-to-us.patch
+drm-amdgpu-fix-memory-leak.patch
+iio-imu-adis16400-release-allocated-memory-on-failur.patch
+iio-imu-adis16400-fix-memory-leak.patch
+iio-imu-st_lsm6dsx-fix-waitime-for-st_lsm6dsx-i2c-co.patch
+mips-include-mark-__xchg-as-__always_inline.patch
+mips-fw-sni-fix-out-of-bounds-init-of-o32-stack.patch
+s390-cio-fix-virtio-ccw-dma-without-pv.patch
+virt-vbox-fix-memory-leak-in-hgcm_call_preprocess_li.patch
+nbd-fix-possible-sysfs-duplicate-warning.patch
+nfsv4-fix-leak-of-clp-cl_acceptor-string.patch
+sunrpc-fix-race-to-sk_err-after-xs_error_report.patch
+s390-uaccess-avoid-false-positive-compiler-warnings.patch
+tracing-initialize-iter-seq-after-zeroing-in-tracing.patch
--- /dev/null
+From f6765b6ef73ec23f2d6f282e9af5f9ad2f787ba5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Sep 2019 14:44:15 -0700
+Subject: staging: rtl8188eu: fix null dereference when kzalloc fails
+
+From: Connor Kuehl <connor.kuehl@canonical.com>
+
+[ Upstream commit 955c1532a34305f2f780b47f0c40cc7c65500810 ]
+
+If kzalloc() returns NULL, the error path doesn't stop the flow of
+control from entering rtw_hal_read_chip_version() which dereferences the
+null pointer. Fix this by adding a 'goto' to the error path to more
+gracefully handle the issue and avoid proceeding with initialization
+steps that we're no longer prepared to handle.
+
+Also update the debug message to be more consistent with the other debug
+messages in this function.
+
+Addresses-Coverity: ("Dereference after null check")
+
+Signed-off-by: Connor Kuehl <connor.kuehl@canonical.com>
+Link: https://lore.kernel.org/r/20190927214415.899-1-connor.kuehl@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/rtl8188eu/os_dep/usb_intf.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/staging/rtl8188eu/os_dep/usb_intf.c b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
+index 664d93a7f90df..4fac9dca798e8 100644
+--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c
++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
+@@ -348,8 +348,10 @@ static struct adapter *rtw_usb_if1_init(struct dvobj_priv *dvobj,
+ }
+
+ padapter->HalData = kzalloc(sizeof(struct hal_data_8188e), GFP_KERNEL);
+- if (!padapter->HalData)
+- DBG_88E("cant not alloc memory for HAL DATA\n");
++ if (!padapter->HalData) {
++ DBG_88E("Failed to allocate memory for HAL data\n");
++ goto free_adapter;
++ }
+
+ /* step read_chip_version */
+ rtw_hal_read_chip_version(padapter);
+--
+2.20.1
+
--- /dev/null
+From e18b22ef311b4d9a59f7657fddb4cfd527ca32e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Oct 2019 10:40:55 -0400
+Subject: SUNRPC: fix race to sk_err after xs_error_report
+
+From: Benjamin Coddington <bcodding@redhat.com>
+
+[ Upstream commit af84537dbd1b39505d1f3d8023029b4a59666513 ]
+
+Since commit 4f8943f80883 ("SUNRPC: Replace direct task wakeups from
+softirq context") there has been a race to the value of the sk_err if both
+XPRT_SOCK_WAKE_ERROR and XPRT_SOCK_WAKE_DISCONNECT are set. In that case,
+we may end up losing the sk_err value that existed when xs_error_report was
+called.
+
+Fix this by reverting to the previous behavior: instead of using SO_ERROR
+to retrieve the value at a later time (which might also return sk_err_soft),
+copy the sk_err value onto struct sock_xprt, and use that value to wake
+pending tasks.
+
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Fixes: 4f8943f80883 ("SUNRPC: Replace direct task wakeups from softirq context")
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/sunrpc/xprtsock.h | 1 +
+ net/sunrpc/xprtsock.c | 17 ++++++++---------
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/include/linux/sunrpc/xprtsock.h b/include/linux/sunrpc/xprtsock.h
+index 7638dbe7bc500..a940de03808dd 100644
+--- a/include/linux/sunrpc/xprtsock.h
++++ b/include/linux/sunrpc/xprtsock.h
+@@ -61,6 +61,7 @@ struct sock_xprt {
+ struct mutex recv_mutex;
+ struct sockaddr_storage srcaddr;
+ unsigned short srcport;
++ int xprt_err;
+
+ /*
+ * UDP socket buffer size parameters
+diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
+index e2176c167a579..4e0b5bed6c737 100644
+--- a/net/sunrpc/xprtsock.c
++++ b/net/sunrpc/xprtsock.c
+@@ -1243,19 +1243,21 @@ static void xs_error_report(struct sock *sk)
+ {
+ struct sock_xprt *transport;
+ struct rpc_xprt *xprt;
+- int err;
+
+ read_lock_bh(&sk->sk_callback_lock);
+ if (!(xprt = xprt_from_sock(sk)))
+ goto out;
+
+ transport = container_of(xprt, struct sock_xprt, xprt);
+- err = -sk->sk_err;
+- if (err == 0)
++ transport->xprt_err = -sk->sk_err;
++ if (transport->xprt_err == 0)
+ goto out;
+ dprintk("RPC: xs_error_report client %p, error=%d...\n",
+- xprt, -err);
+- trace_rpc_socket_error(xprt, sk->sk_socket, err);
++ xprt, -transport->xprt_err);
++ trace_rpc_socket_error(xprt, sk->sk_socket, transport->xprt_err);
++
++ /* barrier ensures xprt_err is set before XPRT_SOCK_WAKE_ERROR */
++ smp_mb__before_atomic();
+ xs_run_error_worker(transport, XPRT_SOCK_WAKE_ERROR);
+ out:
+ read_unlock_bh(&sk->sk_callback_lock);
+@@ -2470,7 +2472,6 @@ static void xs_wake_write(struct sock_xprt *transport)
+ static void xs_wake_error(struct sock_xprt *transport)
+ {
+ int sockerr;
+- int sockerr_len = sizeof(sockerr);
+
+ if (!test_bit(XPRT_SOCK_WAKE_ERROR, &transport->sock_state))
+ return;
+@@ -2479,9 +2480,7 @@ static void xs_wake_error(struct sock_xprt *transport)
+ goto out;
+ if (!test_and_clear_bit(XPRT_SOCK_WAKE_ERROR, &transport->sock_state))
+ goto out;
+- if (kernel_getsockopt(transport->sock, SOL_SOCKET, SO_ERROR,
+- (char *)&sockerr, &sockerr_len) != 0)
+- goto out;
++ sockerr = xchg(&transport->xprt_err, 0);
+ if (sockerr < 0)
+ xprt_wake_pending_tasks(&transport->xprt, sockerr);
+ out:
+--
+2.20.1
+
--- /dev/null
+From edca011f79376d7a705c8acc214cf492612202ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Oct 2019 16:21:34 +0200
+Subject: tracing: Initialize iter->seq after zeroing in tracing_read_pipe()
+
+From: Petr Mladek <pmladek@suse.com>
+
+[ Upstream commit d303de1fcf344ff7c15ed64c3f48a991c9958775 ]
+
+A customer reported the following softlockup:
+
+[899688.160002] NMI watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [test.sh:16464]
+[899688.160002] CPU: 0 PID: 16464 Comm: test.sh Not tainted 4.12.14-6.23-azure #1 SLE12-SP4
+[899688.160002] RIP: 0010:up_write+0x1a/0x30
+[899688.160002] Kernel panic - not syncing: softlockup: hung tasks
+[899688.160002] RIP: 0010:up_write+0x1a/0x30
+[899688.160002] RSP: 0018:ffffa86784d4fde8 EFLAGS: 00000257 ORIG_RAX: ffffffffffffff12
+[899688.160002] RAX: ffffffff970fea00 RBX: 0000000000000001 RCX: 0000000000000000
+[899688.160002] RDX: ffffffff00000001 RSI: 0000000000000080 RDI: ffffffff970fea00
+[899688.160002] RBP: ffffffffffffffff R08: ffffffffffffffff R09: 0000000000000000
+[899688.160002] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8b59014720d8
+[899688.160002] R13: ffff8b59014720c0 R14: ffff8b5901471090 R15: ffff8b5901470000
+[899688.160002] tracing_read_pipe+0x336/0x3c0
+[899688.160002] __vfs_read+0x26/0x140
+[899688.160002] vfs_read+0x87/0x130
+[899688.160002] SyS_read+0x42/0x90
+[899688.160002] do_syscall_64+0x74/0x160
+
+It caught the process in the middle of trace_access_unlock(). There is
+no loop. So, it must be looping in the caller tracing_read_pipe()
+via the "waitagain" label.
+
+Crashdump analyze uncovered that iter->seq was completely zeroed
+at this point, including iter->seq.seq.size. It means that
+print_trace_line() was never able to print anything and
+there was no forward progress.
+
+The culprit seems to be in the code:
+
+ /* reset all but tr, trace, and overruns */
+ memset(&iter->seq, 0,
+ sizeof(struct trace_iterator) -
+ offsetof(struct trace_iterator, seq));
+
+It was added by the commit 53d0aa773053ab182877 ("ftrace:
+add logic to record overruns"). It was v2.6.27-rc1.
+It was the time when iter->seq looked like:
+
+ struct trace_seq {
+ unsigned char buffer[PAGE_SIZE];
+ unsigned int len;
+ };
+
+There was no "size" variable and zeroing was perfectly fine.
+
+The solution is to reinitialize the structure after or without
+zeroing.
+
+Link: http://lkml.kernel.org/r/20191011142134.11997-1-pmladek@suse.com
+
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
+index 04458ed44a557..a5e27f1c35a1f 100644
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -6012,6 +6012,7 @@ waitagain:
+ sizeof(struct trace_iterator) -
+ offsetof(struct trace_iterator, seq));
+ cpumask_clear(iter->started);
++ trace_seq_init(&iter->seq);
+ iter->pos = -1;
+
+ trace_event_read_lock();
+--
+2.20.1
+
--- /dev/null
+From 9c9012e3b3bba6310a4218f0033855a29d73a6d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2019 19:15:12 -0700
+Subject: tty: n_hdlc: fix build on SPARC
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 47a7e5e97d4edd7b14974d34f0e5a5560fad2915 ]
+
+Fix tty driver build on SPARC by not using __exitdata.
+It appears that SPARC does not support section .exit.data.
+
+Fixes these build errors:
+
+`.exit.data' referenced in section `.exit.text' of drivers/tty/n_hdlc.o: defined in discarded section `.exit.data' of drivers/tty/n_hdlc.o
+`.exit.data' referenced in section `.exit.text' of drivers/tty/n_hdlc.o: defined in discarded section `.exit.data' of drivers/tty/n_hdlc.o
+`.exit.data' referenced in section `.exit.text' of drivers/tty/n_hdlc.o: defined in discarded section `.exit.data' of drivers/tty/n_hdlc.o
+`.exit.data' referenced in section `.exit.text' of drivers/tty/n_hdlc.o: defined in discarded section `.exit.data' of drivers/tty/n_hdlc.o
+
+Reported-by: kbuild test robot <lkp@intel.com>
+Fixes: 063246641d4a ("format-security: move static strings to const")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Link: https://lore.kernel.org/r/675e7bd9-955b-3ff3-1101-a973b58b5b75@infradead.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/n_hdlc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
+index e55c79eb64309..98361acd3053f 100644
+--- a/drivers/tty/n_hdlc.c
++++ b/drivers/tty/n_hdlc.c
+@@ -968,6 +968,11 @@ static int __init n_hdlc_init(void)
+
+ } /* end of init_module() */
+
++#ifdef CONFIG_SPARC
++#undef __exitdata
++#define __exitdata
++#endif
++
+ static const char hdlc_unregister_ok[] __exitdata =
+ KERN_INFO "N_HDLC: line discipline unregistered\n";
+ static const char hdlc_unregister_fail[] __exitdata =
+--
+2.20.1
+
--- /dev/null
+From 8968da08c2f268e4c383008a394d1971f9944495 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Sep 2019 06:11:29 +0200
+Subject: tty: serial: owl: Fix the link time qualifier of 'owl_uart_exit()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 6264dab6efd6069f0387efb078a9960b5642377b ]
+
+'exit' functions should be marked as __exit, not __init.
+
+Fixes: fc60a8b675bd ("tty: serial: owl: Implement console driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/20190910041129.6978-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/owl-uart.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/owl-uart.c b/drivers/tty/serial/owl-uart.c
+index 29a6dc6a8d23c..73fcc6bdb0312 100644
+--- a/drivers/tty/serial/owl-uart.c
++++ b/drivers/tty/serial/owl-uart.c
+@@ -742,7 +742,7 @@ static int __init owl_uart_init(void)
+ return ret;
+ }
+
+-static void __init owl_uart_exit(void)
++static void __exit owl_uart_exit(void)
+ {
+ platform_driver_unregister(&owl_uart_platform_driver);
+ uart_unregister_driver(&owl_uart_driver);
+--
+2.20.1
+
--- /dev/null
+From ee25ae3c07e2c6f9a6775b43493a22cd63f6c26a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Sep 2019 06:17:02 +0200
+Subject: tty: serial: rda: Fix the link time qualifier of 'rda_uart_exit()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 5080d127127ac5b610b57900774d9559ae55e817 ]
+
+'exit' functions should be marked as __exit, not __init.
+
+Fixes: c10b13325ced ("tty: serial: Add RDA8810PL UART driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/20190910041702.7357-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/rda-uart.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/rda-uart.c b/drivers/tty/serial/rda-uart.c
+index 284623eefaeba..ba5e488a03742 100644
+--- a/drivers/tty/serial/rda-uart.c
++++ b/drivers/tty/serial/rda-uart.c
+@@ -817,7 +817,7 @@ static int __init rda_uart_init(void)
+ return ret;
+ }
+
+-static void __init rda_uart_exit(void)
++static void __exit rda_uart_exit(void)
+ {
+ platform_driver_unregister(&rda_uart_platform_driver);
+ uart_unregister_driver(&rda_uart_driver);
+--
+2.20.1
+
--- /dev/null
+From fc23ccbaeeedd4d769fb632256e42b90ab2da7ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2019 15:42:22 -0500
+Subject: virt: vbox: fix memory leak in hgcm_call_preprocess_linaddr
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit e0b0cb9388642c104838fac100a4af32745621e2 ]
+
+In hgcm_call_preprocess_linaddr memory is allocated for bounce_buf but
+is not released if copy_form_user fails. In order to prevent memory leak
+in case of failure, the assignment to bounce_buf_ret is moved before the
+error check. This way the allocated bounce_buf will be released by the
+caller.
+
+Fixes: 579db9d45cb4 ("virt: Add vboxguest VMMDEV communication code")
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20190930204223.3660-1-navid.emamdoost@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/virt/vboxguest/vboxguest_utils.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/virt/vboxguest/vboxguest_utils.c b/drivers/virt/vboxguest/vboxguest_utils.c
+index 75fd140b02ff8..43c391626a000 100644
+--- a/drivers/virt/vboxguest/vboxguest_utils.c
++++ b/drivers/virt/vboxguest/vboxguest_utils.c
+@@ -220,6 +220,8 @@ static int hgcm_call_preprocess_linaddr(
+ if (!bounce_buf)
+ return -ENOMEM;
+
++ *bounce_buf_ret = bounce_buf;
++
+ if (copy_in) {
+ ret = copy_from_user(bounce_buf, (void __user *)buf, len);
+ if (ret)
+@@ -228,7 +230,6 @@ static int hgcm_call_preprocess_linaddr(
+ memset(bounce_buf, 0, len);
+ }
+
+- *bounce_buf_ret = bounce_buf;
+ hgcm_call_add_pagelist_size(bounce_buf, len, extra);
+ return 0;
+ }
+--
+2.20.1
+
--- /dev/null
+From 5b86882ad42b30ea703a1d70028629e24109fe4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2019 08:50:02 -0700
+Subject: x86/cpu: Add Comet Lake to the Intel CPU models header
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+[ Upstream commit 8d7c6ac3b2371eb1cbc9925a88f4d10efff374de ]
+
+Comet Lake is the new 10th Gen Intel processor. Add two new CPU model
+numbers to the Intel family list.
+
+The CPU model numbers are not published in the SDM yet but they come
+from an authoritative internal source.
+
+ [ bp: Touch up commit message. ]
+
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Tony Luck <tony.luck@intel.com>
+Cc: ak@linux.intel.com
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: x86-ml <x86@kernel.org>
+Link: https://lkml.kernel.org/r/1570549810-25049-2-git-send-email-kan.liang@linux.intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/intel-family.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/x86/include/asm/intel-family.h b/arch/x86/include/asm/intel-family.h
+index 9ae1c0f05fd2d..3525014c71da9 100644
+--- a/arch/x86/include/asm/intel-family.h
++++ b/arch/x86/include/asm/intel-family.h
+@@ -76,6 +76,9 @@
+ #define INTEL_FAM6_TIGERLAKE_L 0x8C
+ #define INTEL_FAM6_TIGERLAKE 0x8D
+
++#define INTEL_FAM6_COMETLAKE 0xA5
++#define INTEL_FAM6_COMETLAKE_L 0xA6
++
+ /* "Small Core" Processors (Atom) */
+
+ #define INTEL_FAM6_ATOM_BONNELL 0x1C /* Diamondville, Pineview */
+--
+2.20.1
+
--- /dev/null
+From f70ddde505e5ee6996c628f3bebc343d5e353c97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2019 16:44:41 -0400
+Subject: x86/xen: Return from panic notifier
+
+From: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+
+[ Upstream commit c6875f3aacf2a5a913205accddabf0bfb75cac76 ]
+
+Currently execution of panic() continues until Xen's panic notifier
+(xen_panic_event()) is called at which point we make a hypercall that
+never returns.
+
+This means that any notifier that is supposed to be called later as
+well as significant part of panic() code (such as pstore writes from
+kmsg_dump()) is never executed.
+
+There is no reason for xen_panic_event() to be this last point in
+execution since panic()'s emergency_restart() will call into
+xen_emergency_restart() from where we can perform our hypercall.
+
+Nevertheless, we will provide xen_legacy_crash boot option that will
+preserve original behavior during crash. This option could be used,
+for example, if running kernel dumper (which happens after panic
+notifiers) is undesirable.
+
+Reported-by: James Dingwall <james@dingwall.me.uk>
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../admin-guide/kernel-parameters.txt | 4 +++
+ arch/x86/xen/enlighten.c | 28 +++++++++++++++++--
+ 2 files changed, 29 insertions(+), 3 deletions(-)
+
+diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
+index 4c1971960afa3..5ea005c9e2d60 100644
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -5267,6 +5267,10 @@
+ the unplug protocol
+ never -- do not unplug even if version check succeeds
+
++ xen_legacy_crash [X86,XEN]
++ Crash from Xen panic notifier, without executing late
++ panic() code such as dumping handler.
++
+ xen_nopvspin [X86,XEN]
+ Disables the ticketlock slowpath using Xen PV
+ optimizations.
+diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
+index 750f46ad018a0..205b1176084f5 100644
+--- a/arch/x86/xen/enlighten.c
++++ b/arch/x86/xen/enlighten.c
+@@ -269,19 +269,41 @@ void xen_reboot(int reason)
+ BUG();
+ }
+
++static int reboot_reason = SHUTDOWN_reboot;
++static bool xen_legacy_crash;
+ void xen_emergency_restart(void)
+ {
+- xen_reboot(SHUTDOWN_reboot);
++ xen_reboot(reboot_reason);
+ }
+
+ static int
+ xen_panic_event(struct notifier_block *this, unsigned long event, void *ptr)
+ {
+- if (!kexec_crash_loaded())
+- xen_reboot(SHUTDOWN_crash);
++ if (!kexec_crash_loaded()) {
++ if (xen_legacy_crash)
++ xen_reboot(SHUTDOWN_crash);
++
++ reboot_reason = SHUTDOWN_crash;
++
++ /*
++ * If panic_timeout==0 then we are supposed to wait forever.
++ * However, to preserve original dom0 behavior we have to drop
++ * into hypervisor. (domU behavior is controlled by its
++ * config file)
++ */
++ if (panic_timeout == 0)
++ panic_timeout = -1;
++ }
+ return NOTIFY_DONE;
+ }
+
++static int __init parse_xen_legacy_crash(char *arg)
++{
++ xen_legacy_crash = true;
++ return 0;
++}
++early_param("xen_legacy_crash", parse_xen_legacy_crash);
++
+ static struct notifier_block xen_panic_block = {
+ .notifier_call = xen_panic_event,
+ .priority = INT_MIN
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
