--- /dev/null
+From d0f6ba2ef2c1c95069509e71402e7d6d43452512 Mon Sep 17 00:00:00 2001
+From: Vincent Duvert <vincent.ldev@duvert.net>
+Date: Sun, 2 Aug 2020 07:06:51 +0200
+Subject: appletalk: Fix atalk_proc_init() return path
+
+From: Vincent Duvert <vincent.ldev@duvert.net>
+
+commit d0f6ba2ef2c1c95069509e71402e7d6d43452512 upstream.
+
+Add a missing return statement to atalk_proc_init so it doesn't return
+-ENOMEM when successful. This allows the appletalk module to load
+properly.
+
+Fixes: e2bcd8b0ce6e ("appletalk: use remove_proc_subtree to simplify procfs code")
+Link: https://www.downtowndougbrown.com/2020/08/hacking-up-a-fix-for-the-broken-appletalk-kernel-module-in-linux-5-1-and-newer/
+Reported-by: Christopher KOBAYASHI <chris@disavowed.jp>
+Reported-by: Doug Brown <doug@downtowndougbrown.com>
+Signed-off-by: Vincent Duvert <vincent.ldev@duvert.net>
+[lukas: add missing tags]
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: stable@vger.kernel.org # v5.1+
+Cc: Yue Haibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/appletalk/atalk_proc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/appletalk/atalk_proc.c
++++ b/net/appletalk/atalk_proc.c
+@@ -231,6 +231,8 @@ int __init atalk_proc_init(void)
+
+ return 0;
+
++ return 0;
++
+ out:
+ remove_proc_subtree("atalk", init_net.proc_net);
+ return -ENOMEM;
--- /dev/null
+From 5fe48867856367142d91a82f2cbf7a57a24cbb70 Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Sat, 25 Jul 2020 20:00:16 +0800
+Subject: bcache: allocate meta data pages as compound pages
+
+From: Coly Li <colyli@suse.de>
+
+commit 5fe48867856367142d91a82f2cbf7a57a24cbb70 upstream.
+
+There are some meta data of bcache are allocated by multiple pages,
+and they are used as bio bv_page for I/Os to the cache device. for
+example cache_set->uuids, cache->disk_buckets, journal_write->data,
+bset_tree->data.
+
+For such meta data memory, all the allocated pages should be treated
+as a single memory block. Then the memory management and underlying I/O
+code can treat them more clearly.
+
+This patch adds __GFP_COMP flag to all the location allocating >0 order
+pages for the above mentioned meta data. Then their pages are treated
+as compound pages now.
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/bset.c | 2 +-
+ drivers/md/bcache/btree.c | 2 +-
+ drivers/md/bcache/journal.c | 4 ++--
+ drivers/md/bcache/super.c | 2 +-
+ 4 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/md/bcache/bset.c
++++ b/drivers/md/bcache/bset.c
+@@ -322,7 +322,7 @@ int bch_btree_keys_alloc(struct btree_ke
+
+ b->page_order = page_order;
+
+- t->data = (void *) __get_free_pages(gfp, b->page_order);
++ t->data = (void *) __get_free_pages(__GFP_COMP|gfp, b->page_order);
+ if (!t->data)
+ goto err;
+
+--- a/drivers/md/bcache/btree.c
++++ b/drivers/md/bcache/btree.c
+@@ -785,7 +785,7 @@ int bch_btree_cache_alloc(struct cache_s
+ mutex_init(&c->verify_lock);
+
+ c->verify_ondisk = (void *)
+- __get_free_pages(GFP_KERNEL, ilog2(bucket_pages(c)));
++ __get_free_pages(GFP_KERNEL|__GFP_COMP, ilog2(bucket_pages(c)));
+
+ c->verify_data = mca_bucket_alloc(c, &ZERO_KEY, GFP_KERNEL);
+
+--- a/drivers/md/bcache/journal.c
++++ b/drivers/md/bcache/journal.c
+@@ -999,8 +999,8 @@ int bch_journal_alloc(struct cache_set *
+ j->w[1].c = c;
+
+ if (!(init_fifo(&j->pin, JOURNAL_PIN, GFP_KERNEL)) ||
+- !(j->w[0].data = (void *) __get_free_pages(GFP_KERNEL, JSET_BITS)) ||
+- !(j->w[1].data = (void *) __get_free_pages(GFP_KERNEL, JSET_BITS)))
++ !(j->w[0].data = (void *) __get_free_pages(GFP_KERNEL|__GFP_COMP, JSET_BITS)) ||
++ !(j->w[1].data = (void *) __get_free_pages(GFP_KERNEL|__GFP_COMP, JSET_BITS)))
+ return -ENOMEM;
+
+ return 0;
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1775,7 +1775,7 @@ void bch_cache_set_unregister(struct cac
+ }
+
+ #define alloc_bucket_pages(gfp, c) \
+- ((void *) __get_free_pages(__GFP_ZERO|gfp, ilog2(bucket_pages(c))))
++ ((void *) __get_free_pages(__GFP_ZERO|__GFP_COMP|gfp, ilog2(bucket_pages(c))))
+
+ struct cache_set *bch_cache_set_alloc(struct cache_sb *sb)
+ {
--- /dev/null
+From 7a1481267999c02abf4a624515c1b5c7c1fccbd6 Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Sat, 25 Jul 2020 20:00:22 +0800
+Subject: bcache: fix overflow in offset_to_stripe()
+
+From: Coly Li <colyli@suse.de>
+
+commit 7a1481267999c02abf4a624515c1b5c7c1fccbd6 upstream.
+
+offset_to_stripe() returns the stripe number (in type unsigned int) from
+an offset (in type uint64_t) by the following calculation,
+ do_div(offset, d->stripe_size);
+For large capacity backing device (e.g. 18TB) with small stripe size
+(e.g. 4KB), the result is 4831838208 and exceeds UINT_MAX. The actual
+returned value which caller receives is 536870912, due to the overflow.
+
+Indeed in bcache_device_init(), bcache_device->nr_stripes is limited in
+range [1, INT_MAX]. Therefore all valid stripe numbers in bcache are
+in range [0, bcache_dev->nr_stripes - 1].
+
+This patch adds a upper limition check in offset_to_stripe(): the max
+valid stripe number should be less than bcache_device->nr_stripes. If
+the calculated stripe number from do_div() is equal to or larger than
+bcache_device->nr_stripe, -EINVAL will be returned. (Normally nr_stripes
+is less than INT_MAX, exceeding upper limitation doesn't mean overflow,
+therefore -EOVERFLOW is not used as error code.)
+
+This patch also changes nr_stripes' type of struct bcache_device from
+'unsigned int' to 'int', and return value type of offset_to_stripe()
+from 'unsigned int' to 'int', to match their exact data ranges.
+
+All locations where bcache_device->nr_stripes and offset_to_stripe() are
+referenced also get updated for the above type change.
+
+Reported-and-tested-by: Ken Raeburn <raeburn@redhat.com>
+Signed-off-by: Coly Li <colyli@suse.de>
+Cc: stable@vger.kernel.org
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=1783075
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/bcache.h | 2 +-
+ drivers/md/bcache/writeback.c | 14 +++++++++-----
+ drivers/md/bcache/writeback.h | 19 +++++++++++++++++--
+ 3 files changed, 27 insertions(+), 8 deletions(-)
+
+--- a/drivers/md/bcache/bcache.h
++++ b/drivers/md/bcache/bcache.h
+@@ -264,7 +264,7 @@ struct bcache_device {
+ #define BCACHE_DEV_UNLINK_DONE 2
+ #define BCACHE_DEV_WB_RUNNING 3
+ #define BCACHE_DEV_RATE_DW_RUNNING 4
+- unsigned int nr_stripes;
++ int nr_stripes;
+ unsigned int stripe_size;
+ atomic_t *stripe_sectors_dirty;
+ unsigned long *full_dirty_stripes;
+--- a/drivers/md/bcache/writeback.c
++++ b/drivers/md/bcache/writeback.c
+@@ -523,15 +523,19 @@ void bcache_dev_sectors_dirty_add(struct
+ uint64_t offset, int nr_sectors)
+ {
+ struct bcache_device *d = c->devices[inode];
+- unsigned int stripe_offset, stripe, sectors_dirty;
++ unsigned int stripe_offset, sectors_dirty;
++ int stripe;
+
+ if (!d)
+ return;
+
++ stripe = offset_to_stripe(d, offset);
++ if (stripe < 0)
++ return;
++
+ if (UUID_FLASH_ONLY(&c->uuids[inode]))
+ atomic_long_add(nr_sectors, &c->flash_dev_dirty_sectors);
+
+- stripe = offset_to_stripe(d, offset);
+ stripe_offset = offset & (d->stripe_size - 1);
+
+ while (nr_sectors) {
+@@ -571,12 +575,12 @@ static bool dirty_pred(struct keybuf *bu
+ static void refill_full_stripes(struct cached_dev *dc)
+ {
+ struct keybuf *buf = &dc->writeback_keys;
+- unsigned int start_stripe, stripe, next_stripe;
++ unsigned int start_stripe, next_stripe;
++ int stripe;
+ bool wrapped = false;
+
+ stripe = offset_to_stripe(&dc->disk, KEY_OFFSET(&buf->last_scanned));
+-
+- if (stripe >= dc->disk.nr_stripes)
++ if (stripe < 0)
+ stripe = 0;
+
+ start_stripe = stripe;
+--- a/drivers/md/bcache/writeback.h
++++ b/drivers/md/bcache/writeback.h
+@@ -52,10 +52,22 @@ static inline uint64_t bcache_dev_sector
+ return ret;
+ }
+
+-static inline unsigned int offset_to_stripe(struct bcache_device *d,
++static inline int offset_to_stripe(struct bcache_device *d,
+ uint64_t offset)
+ {
+ do_div(offset, d->stripe_size);
++
++ /* d->nr_stripes is in range [1, INT_MAX] */
++ if (unlikely(offset >= d->nr_stripes)) {
++ pr_err("Invalid stripe %llu (>= nr_stripes %d).\n",
++ offset, d->nr_stripes);
++ return -EINVAL;
++ }
++
++ /*
++ * Here offset is definitly smaller than INT_MAX,
++ * return it as int will never overflow.
++ */
+ return offset;
+ }
+
+@@ -63,7 +75,10 @@ static inline bool bcache_dev_stripe_dir
+ uint64_t offset,
+ unsigned int nr_sectors)
+ {
+- unsigned int stripe = offset_to_stripe(&dc->disk, offset);
++ int stripe = offset_to_stripe(&dc->disk, offset);
++
++ if (stripe < 0)
++ return false;
+
+ while (1) {
+ if (atomic_read(dc->disk.stripe_sectors_dirty + stripe))
--- /dev/null
+From 02e37571f9e79022498fd0525c073b07e9d9ac69 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@kernel.org>
+Date: Tue, 4 Aug 2020 12:31:56 -0400
+Subject: ceph: handle zero-length feature mask in session messages
+
+From: Jeff Layton <jlayton@kernel.org>
+
+commit 02e37571f9e79022498fd0525c073b07e9d9ac69 upstream.
+
+Most session messages contain a feature mask, but the MDS will
+routinely send a REJECT message with one that is zero-length.
+
+Commit 0fa8263367db ("ceph: fix endianness bug when handling MDS
+session feature bits") fixed the decoding of the feature mask,
+but failed to account for the MDS sending a zero-length feature
+mask. This causes REJECT message decoding to fail.
+
+Skip trying to decode a feature mask if the word count is zero.
+
+Cc: stable@vger.kernel.org
+URL: https://tracker.ceph.com/issues/46823
+Fixes: 0fa8263367db ("ceph: fix endianness bug when handling MDS session feature bits")
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Tested-by: Patrick Donnelly <pdonnell@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ceph/mds_client.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/ceph/mds_client.c
++++ b/fs/ceph/mds_client.c
+@@ -3270,8 +3270,10 @@ static void handle_session(struct ceph_m
+ goto bad;
+ /* version >= 3, feature bits */
+ ceph_decode_32_safe(&p, end, len, bad);
+- ceph_decode_64_safe(&p, end, features, bad);
+- p += len - sizeof(features);
++ if (len) {
++ ceph_decode_64_safe(&p, end, features, bad);
++ p += len - sizeof(features);
++ }
+ }
+
+ mutex_lock(&mdsc->mutex);
--- /dev/null
+From b748fc7a8763a5b3f8149f12c45711cd73ef8176 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@kernel.org>
+Date: Tue, 28 Jul 2020 10:34:20 -0400
+Subject: ceph: set sec_context xattr on symlink creation
+
+From: Jeff Layton <jlayton@kernel.org>
+
+commit b748fc7a8763a5b3f8149f12c45711cd73ef8176 upstream.
+
+Symlink inodes should have the security context set in their xattrs on
+creation. We already set the context on creation, but we don't attach
+the pagelist. The effect is that symlink inodes don't get an SELinux
+context set on them at creation, so they end up unlabeled instead of
+inheriting the proper context. Make it do so.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ceph/dir.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/ceph/dir.c
++++ b/fs/ceph/dir.c
+@@ -924,6 +924,10 @@ static int ceph_symlink(struct inode *di
+ req->r_num_caps = 2;
+ req->r_dentry_drop = CEPH_CAP_FILE_SHARED | CEPH_CAP_AUTH_EXCL;
+ req->r_dentry_unless = CEPH_CAP_FILE_EXCL;
++ if (as_ctx.pagelist) {
++ req->r_pagelist = as_ctx.pagelist;
++ as_ctx.pagelist = NULL;
++ }
+ err = ceph_mdsc_do_request(mdsc, dir, req);
+ if (!err && !req->r_reply_info.head->is_dentry)
+ err = ceph_handle_notrace_create(dir, dentry);
--- /dev/null
+From 3a5139f1c5bb76d69756fb8f13fffa173e261153 Mon Sep 17 00:00:00 2001
+From: Mike Kravetz <mike.kravetz@oracle.com>
+Date: Tue, 11 Aug 2020 18:32:03 -0700
+Subject: cma: don't quit at first error when activating reserved areas
+
+From: Mike Kravetz <mike.kravetz@oracle.com>
+
+commit 3a5139f1c5bb76d69756fb8f13fffa173e261153 upstream.
+
+The routine cma_init_reserved_areas is designed to activate all
+reserved cma areas. It quits when it first encounters an error.
+This can leave some areas in a state where they are reserved but
+not activated. There is no feedback to code which performed the
+reservation. Attempting to allocate memory from areas in such a
+state will result in a BUG.
+
+Modify cma_init_reserved_areas to always attempt to activate all
+areas. The called routine, cma_activate_area is responsible for
+leaving the area in a valid state. No one is making active use
+of returned error codes, so change the routine to void.
+
+How to reproduce: This example uses kernelcore, hugetlb and cma
+as an easy way to reproduce. However, this is a more general cma
+issue.
+
+Two node x86 VM 16GB total, 8GB per node
+Kernel command line parameters, kernelcore=4G hugetlb_cma=8G
+Related boot time messages,
+ hugetlb_cma: reserve 8192 MiB, up to 4096 MiB per node
+ cma: Reserved 4096 MiB at 0x0000000100000000
+ hugetlb_cma: reserved 4096 MiB on node 0
+ cma: Reserved 4096 MiB at 0x0000000300000000
+ hugetlb_cma: reserved 4096 MiB on node 1
+ cma: CMA area hugetlb could not be activated
+
+ # echo 8 > /sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] SMP PTI
+ ...
+ Call Trace:
+ bitmap_find_next_zero_area_off+0x51/0x90
+ cma_alloc+0x1a5/0x310
+ alloc_fresh_huge_page+0x78/0x1a0
+ alloc_pool_huge_page+0x6f/0xf0
+ set_max_huge_pages+0x10c/0x250
+ nr_hugepages_store_common+0x92/0x120
+ ? __kmalloc+0x171/0x270
+ kernfs_fop_write+0xc1/0x1a0
+ vfs_write+0xc7/0x1f0
+ ksys_write+0x5f/0xe0
+ do_syscall_64+0x4d/0x90
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: c64be2bb1c6e ("drivers: add Contiguous Memory Allocator")
+Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Roman Gushchin <guro@fb.com>
+Acked-by: Barry Song <song.bao.hua@hisilicon.com>
+Cc: Marek Szyprowski <m.szyprowski@samsung.com>
+Cc: Michal Nazarewicz <mina86@mina86.com>
+Cc: Kyungmin Park <kyungmin.park@samsung.com>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: <stable@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20200730163123.6451-1-mike.kravetz@oracle.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/cma.c | 23 +++++++++--------------
+ 1 file changed, 9 insertions(+), 14 deletions(-)
+
+--- a/mm/cma.c
++++ b/mm/cma.c
+@@ -93,17 +93,15 @@ static void cma_clear_bitmap(struct cma
+ mutex_unlock(&cma->lock);
+ }
+
+-static int __init cma_activate_area(struct cma *cma)
++static void __init cma_activate_area(struct cma *cma)
+ {
+ unsigned long base_pfn = cma->base_pfn, pfn = base_pfn;
+ unsigned i = cma->count >> pageblock_order;
+ struct zone *zone;
+
+ cma->bitmap = bitmap_zalloc(cma_bitmap_maxno(cma), GFP_KERNEL);
+- if (!cma->bitmap) {
+- cma->count = 0;
+- return -ENOMEM;
+- }
++ if (!cma->bitmap)
++ goto out_error;
+
+ WARN_ON_ONCE(!pfn_valid(pfn));
+ zone = page_zone(pfn_to_page(pfn));
+@@ -133,25 +131,22 @@ static int __init cma_activate_area(stru
+ spin_lock_init(&cma->mem_head_lock);
+ #endif
+
+- return 0;
++ return;
+
+ not_in_zone:
+- pr_err("CMA area %s could not be activated\n", cma->name);
+ bitmap_free(cma->bitmap);
++out_error:
+ cma->count = 0;
+- return -EINVAL;
++ pr_err("CMA area %s could not be activated\n", cma->name);
++ return;
+ }
+
+ static int __init cma_init_reserved_areas(void)
+ {
+ int i;
+
+- for (i = 0; i < cma_area_count; i++) {
+- int ret = cma_activate_area(&cma_areas[i]);
+-
+- if (ret)
+- return ret;
+- }
++ for (i = 0; i < cma_area_count; i++)
++ cma_activate_area(&cma_areas[i]);
+
+ return 0;
+ }
--- /dev/null
+From 654888327e9f655a9d55ad477a9583e90e8c9b5c Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Wed, 8 Jul 2020 15:27:01 +0200
+Subject: driver core: Avoid binding drivers to dead devices
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 654888327e9f655a9d55ad477a9583e90e8c9b5c upstream.
+
+Commit 3451a495ef24 ("driver core: Establish order of operations for
+device_add and device_del via bitflag") sought to prevent asynchronous
+driver binding to a device which is being removed. It added a
+per-device "dead" flag which is checked in the following code paths:
+
+* asynchronous binding in __driver_attach_async_helper()
+* synchronous binding in device_driver_attach()
+* asynchronous binding in __device_attach_async_helper()
+
+It did *not* check the flag upon:
+
+* synchronous binding in __device_attach()
+
+However __device_attach() may also be called asynchronously from:
+
+deferred_probe_work_func()
+ bus_probe_device()
+ device_initial_probe()
+ __device_attach()
+
+So if the commit's intention was to check the "dead" flag in all
+asynchronous code paths, then a check is also necessary in
+__device_attach(). Add the missing check.
+
+Fixes: 3451a495ef24 ("driver core: Establish order of operations for device_add and device_del via bitflag")
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: stable@vger.kernel.org # v5.1+
+Cc: Alexander Duyck <alexander.h.duyck@linux.intel.com>
+Link: https://lore.kernel.org/r/de88a23a6fe0ef70f7cfd13c8aea9ab51b4edab6.1594214103.git.lukas@wunner.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/dd.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/base/dd.c
++++ b/drivers/base/dd.c
+@@ -846,7 +846,9 @@ static int __device_attach(struct device
+ int ret = 0;
+
+ device_lock(dev);
+- if (dev->driver) {
++ if (dev->p->dead) {
++ goto out_unlock;
++ } else if (dev->driver) {
+ if (device_is_bound(dev)) {
+ ret = 1;
+ goto out_unlock;
--- /dev/null
+From bc2fbaa4d3808aef82dd1064a8e61c16549fe956 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Mon, 20 Apr 2020 16:02:21 -0400
+Subject: ext2: fix missing percpu_counter_inc
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit bc2fbaa4d3808aef82dd1064a8e61c16549fe956 upstream.
+
+sbi->s_freeinodes_counter is only decreased by the ext2 code, it is never
+increased. This patch fixes it.
+
+Note that sbi->s_freeinodes_counter is only used in the algorithm that
+tries to find the group for new allocations, so this bug is not easily
+visible (the only visibility is that the group finding algorithm selects
+inoptinal result).
+
+Link: https://lore.kernel.org/r/alpine.LRH.2.02.2004201538300.19436@file01.intranet.prod.int.rdu2.redhat.com
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext2/ialloc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/ext2/ialloc.c
++++ b/fs/ext2/ialloc.c
+@@ -80,6 +80,7 @@ static void ext2_release_inode(struct su
+ if (dir)
+ le16_add_cpu(&desc->bg_used_dirs_count, -1);
+ spin_unlock(sb_bgl_lock(EXT2_SB(sb), group));
++ percpu_counter_inc(&EXT2_SB(sb)->s_freeinodes_counter);
+ if (dir)
+ percpu_counter_dec(&EXT2_SB(sb)->s_dirs_counter);
+ mark_buffer_dirty(bh);
+@@ -528,7 +529,7 @@ got:
+ goto fail;
+ }
+
+- percpu_counter_add(&sbi->s_freeinodes_counter, -1);
++ percpu_counter_dec(&sbi->s_freeinodes_counter);
+ if (S_ISDIR(mode))
+ percpu_counter_inc(&sbi->s_dirs_counter);
+
--- /dev/null
+From 8a224ffb3f52b0027f6b7279854c71a31c48fc97 Mon Sep 17 00:00:00 2001
+From: Chengming Zhou <zhouchengming@bytedance.com>
+Date: Wed, 29 Jul 2020 02:05:53 +0800
+Subject: ftrace: Setup correct FTRACE_FL_REGS flags for module
+
+From: Chengming Zhou <zhouchengming@bytedance.com>
+
+commit 8a224ffb3f52b0027f6b7279854c71a31c48fc97 upstream.
+
+When module loaded and enabled, we will use __ftrace_replace_code
+for module if any ftrace_ops referenced it found. But we will get
+wrong ftrace_addr for module rec in ftrace_get_addr_new, because
+rec->flags has not been setup correctly. It can cause the callback
+function of a ftrace_ops has FTRACE_OPS_FL_SAVE_REGS to be called
+with pt_regs set to NULL.
+So setup correct FTRACE_FL_REGS flags for rec when we call
+referenced_filters to find ftrace_ops references it.
+
+Link: https://lkml.kernel.org/r/20200728180554.65203-1-zhouchengming@bytedance.com
+
+Cc: stable@vger.kernel.org
+Fixes: 8c4f3c3fa9681 ("ftrace: Check module functions being traced on reload")
+Signed-off-by: Chengming Zhou <zhouchengming@bytedance.com>
+Signed-off-by: Muchun Song <songmuchun@bytedance.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ftrace.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -6198,8 +6198,11 @@ static int referenced_filters(struct dyn
+ int cnt = 0;
+
+ for (ops = ftrace_ops_list; ops != &ftrace_list_end; ops = ops->next) {
+- if (ops_references_rec(ops, rec))
+- cnt++;
++ if (ops_references_rec(ops, rec)) {
++ cnt++;
++ if (ops->flags & FTRACE_OPS_FL_SAVE_REGS)
++ rec->flags |= FTRACE_FL_REGS;
++ }
+ }
+
+ return cnt;
+@@ -6378,8 +6381,8 @@ void ftrace_module_enable(struct module
+ if (ftrace_start_up)
+ cnt += referenced_filters(rec);
+
+- /* This clears FTRACE_FL_DISABLED */
+- rec->flags = cnt;
++ rec->flags &= ~FTRACE_FL_DISABLED;
++ rec->flags += cnt;
+
+ if (ftrace_start_up && cnt) {
+ int failed = __ftrace_replace_code(rec, 1);
--- /dev/null
+From 34ae204f18519f0920bd50a644abd6fefc8dbfcf Mon Sep 17 00:00:00 2001
+From: Mike Kravetz <mike.kravetz@oracle.com>
+Date: Tue, 11 Aug 2020 18:31:38 -0700
+Subject: hugetlbfs: remove call to huge_pte_alloc without i_mmap_rwsem
+
+From: Mike Kravetz <mike.kravetz@oracle.com>
+
+commit 34ae204f18519f0920bd50a644abd6fefc8dbfcf upstream.
+
+Commit c0d0381ade79 ("hugetlbfs: use i_mmap_rwsem for more pmd sharing
+synchronization") requires callers of huge_pte_alloc to hold i_mmap_rwsem
+in at least read mode. This is because the explicit locking in
+huge_pmd_share (called by huge_pte_alloc) was removed. When restructuring
+the code, the call to huge_pte_alloc in the else block at the beginning of
+hugetlb_fault was missed.
+
+Unfortunately, that else clause is exercised when there is no page table
+entry. This will likely lead to a call to huge_pmd_share. If
+huge_pmd_share thinks pmd sharing is possible, it will traverse the
+mapping tree (i_mmap) without holding i_mmap_rwsem. If someone else is
+modifying the tree, bad things such as addressing exceptions or worse
+could happen.
+
+Simply remove the else clause. It should have been removed previously.
+The code following the else will call huge_pte_alloc with the appropriate
+locking.
+
+To prevent this type of issue in the future, add routines to assert that
+i_mmap_rwsem is held, and call these routines in huge pmd sharing
+routines.
+
+Fixes: c0d0381ade79 ("hugetlbfs: use i_mmap_rwsem for more pmd sharing synchronization")
+Suggested-by: Matthew Wilcox <willy@infradead.org>
+Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: "Kirill A.Shutemov" <kirill.shutemov@linux.intel.com>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Prakash Sangappa <prakash.sangappa@oracle.com>
+Cc: <stable@vger.kernel.org>
+Link: http://lkml.kernel.org/r/e670f327-5cf9-1959-96e4-6dc7cc30d3d5@oracle.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/fs.h | 10 ++++++++++
+ include/linux/hugetlb.h | 8 +++++---
+ mm/hugetlb.c | 15 +++++++--------
+ mm/rmap.c | 2 +-
+ 4 files changed, 23 insertions(+), 12 deletions(-)
+
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -546,6 +546,16 @@ static inline void i_mmap_unlock_read(st
+ up_read(&mapping->i_mmap_rwsem);
+ }
+
++static inline void i_mmap_assert_locked(struct address_space *mapping)
++{
++ lockdep_assert_held(&mapping->i_mmap_rwsem);
++}
++
++static inline void i_mmap_assert_write_locked(struct address_space *mapping)
++{
++ lockdep_assert_held_write(&mapping->i_mmap_rwsem);
++}
++
+ /*
+ * Might pages of this file be mapped into userspace?
+ */
+--- a/include/linux/hugetlb.h
++++ b/include/linux/hugetlb.h
+@@ -165,7 +165,8 @@ pte_t *huge_pte_alloc(struct mm_struct *
+ unsigned long addr, unsigned long sz);
+ pte_t *huge_pte_offset(struct mm_struct *mm,
+ unsigned long addr, unsigned long sz);
+-int huge_pmd_unshare(struct mm_struct *mm, unsigned long *addr, pte_t *ptep);
++int huge_pmd_unshare(struct mm_struct *mm, struct vm_area_struct *vma,
++ unsigned long *addr, pte_t *ptep);
+ void adjust_range_if_pmd_sharing_possible(struct vm_area_struct *vma,
+ unsigned long *start, unsigned long *end);
+ struct page *follow_huge_addr(struct mm_struct *mm, unsigned long address,
+@@ -204,8 +205,9 @@ static inline struct address_space *huge
+ return NULL;
+ }
+
+-static inline int huge_pmd_unshare(struct mm_struct *mm, unsigned long *addr,
+- pte_t *ptep)
++static inline int huge_pmd_unshare(struct mm_struct *mm,
++ struct vm_area_struct *vma,
++ unsigned long *addr, pte_t *ptep)
+ {
+ return 0;
+ }
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -3840,7 +3840,7 @@ void __unmap_hugepage_range(struct mmu_g
+ continue;
+
+ ptl = huge_pte_lock(h, mm, ptep);
+- if (huge_pmd_unshare(mm, &address, ptep)) {
++ if (huge_pmd_unshare(mm, vma, &address, ptep)) {
+ spin_unlock(ptl);
+ /*
+ * We just unmapped a page of PMDs by clearing a PUD.
+@@ -4427,10 +4427,6 @@ vm_fault_t hugetlb_fault(struct mm_struc
+ } else if (unlikely(is_hugetlb_entry_hwpoisoned(entry)))
+ return VM_FAULT_HWPOISON_LARGE |
+ VM_FAULT_SET_HINDEX(hstate_index(h));
+- } else {
+- ptep = huge_pte_alloc(mm, haddr, huge_page_size(h));
+- if (!ptep)
+- return VM_FAULT_OOM;
+ }
+
+ /*
+@@ -4907,7 +4903,7 @@ unsigned long hugetlb_change_protection(
+ if (!ptep)
+ continue;
+ ptl = huge_pte_lock(h, mm, ptep);
+- if (huge_pmd_unshare(mm, &address, ptep)) {
++ if (huge_pmd_unshare(mm, vma, &address, ptep)) {
+ pages++;
+ spin_unlock(ptl);
+ shared_pmd = true;
+@@ -5288,12 +5284,14 @@ out:
+ * returns: 1 successfully unmapped a shared pte page
+ * 0 the underlying pte page is not shared, or it is the last user
+ */
+-int huge_pmd_unshare(struct mm_struct *mm, unsigned long *addr, pte_t *ptep)
++int huge_pmd_unshare(struct mm_struct *mm, struct vm_area_struct *vma,
++ unsigned long *addr, pte_t *ptep)
+ {
+ pgd_t *pgd = pgd_offset(mm, *addr);
+ p4d_t *p4d = p4d_offset(pgd, *addr);
+ pud_t *pud = pud_offset(p4d, *addr);
+
++ i_mmap_assert_write_locked(vma->vm_file->f_mapping);
+ BUG_ON(page_count(virt_to_page(ptep)) == 0);
+ if (page_count(virt_to_page(ptep)) == 1)
+ return 0;
+@@ -5311,7 +5309,8 @@ pte_t *huge_pmd_share(struct mm_struct *
+ return NULL;
+ }
+
+-int huge_pmd_unshare(struct mm_struct *mm, unsigned long *addr, pte_t *ptep)
++int huge_pmd_unshare(struct mm_struct *mm, struct vm_area_struct *vma,
++ unsigned long *addr, pte_t *ptep)
+ {
+ return 0;
+ }
+--- a/mm/rmap.c
++++ b/mm/rmap.c
+@@ -1458,7 +1458,7 @@ static bool try_to_unmap_one(struct page
+ * do this outside rmap routines.
+ */
+ VM_BUG_ON(!(flags & TTU_RMAP_LOCKED));
+- if (huge_pmd_unshare(mm, &address, pvmw.pte)) {
++ if (huge_pmd_unshare(mm, vma, &address, pvmw.pte)) {
+ /*
+ * huge_pmd_unshare unmapped an entire PMD
+ * page. There is no way of knowing exactly
--- /dev/null
+From 3af9571cd585efafc2facbd8dbd407317ff898cf Mon Sep 17 00:00:00 2001
+From: Zenghui Yu <yuzenghui@huawei.com>
+Date: Mon, 20 Jul 2020 17:23:28 +0800
+Subject: irqchip/gic-v4.1: Ensure accessing the correct RD when writing INVALLR
+
+From: Zenghui Yu <yuzenghui@huawei.com>
+
+commit 3af9571cd585efafc2facbd8dbd407317ff898cf upstream.
+
+The GICv4.1 spec tells us that it's CONSTRAINED UNPREDICTABLE to issue a
+register-based invalidation operation for a vPEID not mapped to that RD,
+or another RD within the same CommonLPIAff group.
+
+To follow this rule, commit f3a059219bc7 ("irqchip/gic-v4.1: Ensure mutual
+exclusion between vPE affinity change and RD access") tried to address the
+race between the RD accesses and the vPE affinity change, but somehow
+forgot to take GICR_INVALLR into account. Let's take the vpe_lock before
+evaluating vpe->col_idx to fix it.
+
+Fixes: f3a059219bc7 ("irqchip/gic-v4.1: Ensure mutual exclusion between vPE affinity change and RD access")
+Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20200720092328.708-1-yuzenghui@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/irqchip/irq-gic-v3-its.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -3974,18 +3974,22 @@ static void its_vpe_4_1_deschedule(struc
+ static void its_vpe_4_1_invall(struct its_vpe *vpe)
+ {
+ void __iomem *rdbase;
++ unsigned long flags;
+ u64 val;
++ int cpu;
+
+ val = GICR_INVALLR_V;
+ val |= FIELD_PREP(GICR_INVALLR_VPEID, vpe->vpe_id);
+
+ /* Target the redistributor this vPE is currently known on */
+- raw_spin_lock(&gic_data_rdist_cpu(vpe->col_idx)->rd_lock);
+- rdbase = per_cpu_ptr(gic_rdists->rdist, vpe->col_idx)->rd_base;
++ cpu = vpe_to_cpuid_lock(vpe, &flags);
++ raw_spin_lock(&gic_data_rdist_cpu(cpu)->rd_lock);
++ rdbase = per_cpu_ptr(gic_rdists->rdist, cpu)->rd_base;
+ gic_write_lpir(val, rdbase + GICR_INVALLR);
+
+ wait_for_syncr(rdbase);
+- raw_spin_unlock(&gic_data_rdist_cpu(vpe->col_idx)->rd_lock);
++ raw_spin_unlock(&gic_data_rdist_cpu(cpu)->rd_lock);
++ vpe_to_cpuid_unlock(vpe, flags);
+ }
+
+ static int its_vpe_4_1_set_vcpu_affinity(struct irq_data *d, void *vcpu_info)
--- /dev/null
+From c9c73a05413ea4a465cae1cb3593b01b190a233f Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Thu, 30 Jul 2020 16:51:28 +0800
+Subject: irqchip/loongson-liointc: Fix misuse of gc->mask_cache
+
+From: Huacai Chen <chenhc@lemote.com>
+
+commit c9c73a05413ea4a465cae1cb3593b01b190a233f upstream.
+
+In gc->mask_cache bits, 1 means enabled and 0 means disabled, but in the
+loongson-liointc driver mask_cache is misused by reverting its meaning.
+This patch fix the bug and update the comments as well.
+
+Fixes: dbb152267908c4b2c3639492a ("irqchip: Add driver for Loongson I/O Local Interrupt Controller")
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Reviewed-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/1596099090-23516-4-git-send-email-chenhc@lemote.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/irqchip/irq-loongson-liointc.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/irqchip/irq-loongson-liointc.c
++++ b/drivers/irqchip/irq-loongson-liointc.c
+@@ -60,7 +60,7 @@ static void liointc_chained_handle_irq(s
+ if (!pending) {
+ /* Always blame LPC IRQ if we have that bug */
+ if (handler->priv->has_lpc_irq_errata &&
+- (handler->parent_int_map & ~gc->mask_cache &
++ (handler->parent_int_map & gc->mask_cache &
+ BIT(LIOINTC_ERRATA_IRQ)))
+ pending = BIT(LIOINTC_ERRATA_IRQ);
+ else
+@@ -132,11 +132,11 @@ static void liointc_resume(struct irq_ch
+ irq_gc_lock_irqsave(gc, flags);
+ /* Disable all at first */
+ writel(0xffffffff, gc->reg_base + LIOINTC_REG_INTC_DISABLE);
+- /* Revert map cache */
++ /* Restore map cache */
+ for (i = 0; i < LIOINTC_CHIP_IRQ; i++)
+ writeb(priv->map_cache[i], gc->reg_base + i);
+- /* Revert mask cache */
+- writel(~gc->mask_cache, gc->reg_base + LIOINTC_REG_INTC_ENABLE);
++ /* Restore mask cache */
++ writel(gc->mask_cache, gc->reg_base + LIOINTC_REG_INTC_ENABLE);
+ irq_gc_unlock_irqrestore(gc, flags);
+ }
+
+@@ -244,7 +244,7 @@ int __init liointc_of_init(struct device
+ ct->chip.irq_mask_ack = irq_gc_mask_disable_reg;
+ ct->chip.irq_set_type = liointc_set_type;
+
+- gc->mask_cache = 0xffffffff;
++ gc->mask_cache = 0;
+ priv->gc = gc;
+
+ for (i = 0; i < LIOINTC_NUM_PARENT; i++) {
--- /dev/null
+From 723a80dafed5c95889d48baab9aa433a6ffa0b4e Mon Sep 17 00:00:00 2001
+From: Hugh Dickins <hughd@google.com>
+Date: Thu, 6 Aug 2020 23:26:15 -0700
+Subject: khugepaged: collapse_pte_mapped_thp() flush the right range
+
+From: Hugh Dickins <hughd@google.com>
+
+commit 723a80dafed5c95889d48baab9aa433a6ffa0b4e upstream.
+
+pmdp_collapse_flush() should be given the start address at which the huge
+page is mapped, haddr: it was given addr, which at that point has been
+used as a local variable, incremented to the end address of the extent.
+
+Found by source inspection while chasing a hugepage locking bug, which I
+then could not explain by this. At first I thought this was very bad;
+then saw that all of the page translations that were not flushed would
+actually still point to the right pages afterwards, so harmless; then
+realized that I know nothing of how different architectures and models
+cache intermediate paging structures, so maybe it matters after all -
+particularly since the page table concerned is immediately freed.
+
+Much easier to fix than to think about.
+
+Fixes: 27e1f8273113 ("khugepaged: enable collapse pmd for pte-mapped THP")
+Signed-off-by: Hugh Dickins <hughd@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Song Liu <songliubraving@fb.com>
+Cc: <stable@vger.kernel.org> [5.4+]
+Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2008021204390.27773@eggly.anvils
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/khugepaged.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -1403,7 +1403,7 @@ void collapse_pte_mapped_thp(struct mm_s
+
+ /* step 4: collapse pmd */
+ ptl = pmd_lock(vma->vm_mm, pmd);
+- _pmd = pmdp_collapse_flush(vma, addr, pmd);
++ _pmd = pmdp_collapse_flush(vma, haddr, pmd);
+ spin_unlock(ptl);
+ mm_dec_nr_ptes(mm);
+ pte_free(mm, pmd_pgtable(_pmd));
--- /dev/null
+From 119a5fc16105b2b9383a6e2a7800b2ef861b2975 Mon Sep 17 00:00:00 2001
+From: Hugh Dickins <hughd@google.com>
+Date: Thu, 6 Aug 2020 23:26:18 -0700
+Subject: khugepaged: collapse_pte_mapped_thp() protect the pmd lock
+
+From: Hugh Dickins <hughd@google.com>
+
+commit 119a5fc16105b2b9383a6e2a7800b2ef861b2975 upstream.
+
+When retract_page_tables() removes a page table to make way for a huge
+pmd, it holds huge page lock, i_mmap_lock_write, mmap_write_trylock and
+pmd lock; but when collapse_pte_mapped_thp() does the same (to handle the
+case when the original mmap_write_trylock had failed), only
+mmap_write_trylock and pmd lock are held.
+
+That's not enough. One machine has twice crashed under load, with "BUG:
+spinlock bad magic" and GPF on 6b6b6b6b6b6b6b6b. Examining the second
+crash, page_vma_mapped_walk_done()'s spin_unlock of pvmw->ptl (serving
+page_referenced() on a file THP, that had found a page table at *pmd)
+discovers that the page table page and its lock have already been freed by
+the time it comes to unlock.
+
+Follow the example of retract_page_tables(), but we only need one of huge
+page lock or i_mmap_lock_write to secure against this: because it's the
+narrower lock, and because it simplifies collapse_pte_mapped_thp() to know
+the hpage earlier, choose to rely on huge page lock here.
+
+Fixes: 27e1f8273113 ("khugepaged: enable collapse pmd for pte-mapped THP")
+Signed-off-by: Hugh Dickins <hughd@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Song Liu <songliubraving@fb.com>
+Cc: <stable@vger.kernel.org> [5.4+]
+Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2008021213070.27773@eggly.anvils
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/khugepaged.c | 44 +++++++++++++++++++-------------------------
+ 1 file changed, 19 insertions(+), 25 deletions(-)
+
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -1313,7 +1313,7 @@ void collapse_pte_mapped_thp(struct mm_s
+ {
+ unsigned long haddr = addr & HPAGE_PMD_MASK;
+ struct vm_area_struct *vma = find_vma(mm, haddr);
+- struct page *hpage = NULL;
++ struct page *hpage;
+ pte_t *start_pte, *pte;
+ pmd_t *pmd, _pmd;
+ spinlock_t *ptl;
+@@ -1333,9 +1333,17 @@ void collapse_pte_mapped_thp(struct mm_s
+ if (!hugepage_vma_check(vma, vma->vm_flags | VM_HUGEPAGE))
+ return;
+
++ hpage = find_lock_page(vma->vm_file->f_mapping,
++ linear_page_index(vma, haddr));
++ if (!hpage)
++ return;
++
++ if (!PageHead(hpage))
++ goto drop_hpage;
++
+ pmd = mm_find_pmd(mm, haddr);
+ if (!pmd)
+- return;
++ goto drop_hpage;
+
+ start_pte = pte_offset_map_lock(mm, pmd, haddr, &ptl);
+
+@@ -1354,30 +1362,11 @@ void collapse_pte_mapped_thp(struct mm_s
+
+ page = vm_normal_page(vma, addr, *pte);
+
+- if (!page || !PageCompound(page))
+- goto abort;
+-
+- if (!hpage) {
+- hpage = compound_head(page);
+- /*
+- * The mapping of the THP should not change.
+- *
+- * Note that uprobe, debugger, or MAP_PRIVATE may
+- * change the page table, but the new page will
+- * not pass PageCompound() check.
+- */
+- if (WARN_ON(hpage->mapping != vma->vm_file->f_mapping))
+- goto abort;
+- }
+-
+ /*
+- * Confirm the page maps to the correct subpage.
+- *
+- * Note that uprobe, debugger, or MAP_PRIVATE may change
+- * the page table, but the new page will not pass
+- * PageCompound() check.
++ * Note that uprobe, debugger, or MAP_PRIVATE may change the
++ * page table, but the new page will not be a subpage of hpage.
+ */
+- if (WARN_ON(hpage + i != page))
++ if (hpage + i != page)
+ goto abort;
+ count++;
+ }
+@@ -1396,7 +1385,7 @@ void collapse_pte_mapped_thp(struct mm_s
+ pte_unmap_unlock(start_pte, ptl);
+
+ /* step 3: set proper refcount and mm_counters. */
+- if (hpage) {
++ if (count) {
+ page_ref_sub(hpage, count);
+ add_mm_counter(vma->vm_mm, mm_counter_file(hpage), -count);
+ }
+@@ -1407,10 +1396,15 @@ void collapse_pte_mapped_thp(struct mm_s
+ spin_unlock(ptl);
+ mm_dec_nr_ptes(mm);
+ pte_free(mm, pmd_pgtable(_pmd));
++
++drop_hpage:
++ unlock_page(hpage);
++ put_page(hpage);
+ return;
+
+ abort:
+ pte_unmap_unlock(start_pte, ptl);
++ goto drop_hpage;
+ }
+
+ static int khugepaged_collapse_pte_mapped_thps(struct mm_slot *mm_slot)
--- /dev/null
+From 0cb2f1372baa60af8456388a574af6133edd7d80 Mon Sep 17 00:00:00 2001
+From: Muchun Song <songmuchun@bytedance.com>
+Date: Tue, 28 Jul 2020 14:45:36 +0800
+Subject: kprobes: Fix NULL pointer dereference at kprobe_ftrace_handler
+
+From: Muchun Song <songmuchun@bytedance.com>
+
+commit 0cb2f1372baa60af8456388a574af6133edd7d80 upstream.
+
+We found a case of kernel panic on our server. The stack trace is as
+follows(omit some irrelevant information):
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000080
+ RIP: 0010:kprobe_ftrace_handler+0x5e/0xe0
+ RSP: 0018:ffffb512c6550998 EFLAGS: 00010282
+ RAX: 0000000000000000 RBX: ffff8e9d16eea018 RCX: 0000000000000000
+ RDX: ffffffffbe1179c0 RSI: ffffffffc0535564 RDI: ffffffffc0534ec0
+ RBP: ffffffffc0534ec1 R08: ffff8e9d1bbb0f00 R09: 0000000000000004
+ R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+ R13: ffff8e9d1f797060 R14: 000000000000bacc R15: ffff8e9ce13eca00
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000080 CR3: 00000008453d0005 CR4: 00000000003606e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Call Trace:
+ <IRQ>
+ ftrace_ops_assist_func+0x56/0xe0
+ ftrace_call+0x5/0x34
+ tcpa_statistic_send+0x5/0x130 [ttcp_engine]
+
+The tcpa_statistic_send is the function being kprobed. After analysis,
+the root cause is that the fourth parameter regs of kprobe_ftrace_handler
+is NULL. Why regs is NULL? We use the crash tool to analyze the kdump.
+
+ crash> dis tcpa_statistic_send -r
+ <tcpa_statistic_send>: callq 0xffffffffbd8018c0 <ftrace_caller>
+
+The tcpa_statistic_send calls ftrace_caller instead of ftrace_regs_caller.
+So it is reasonable that the fourth parameter regs of kprobe_ftrace_handler
+is NULL. In theory, we should call the ftrace_regs_caller instead of the
+ftrace_caller. After in-depth analysis, we found a reproducible path.
+
+ Writing a simple kernel module which starts a periodic timer. The
+ timer's handler is named 'kprobe_test_timer_handler'. The module
+ name is kprobe_test.ko.
+
+ 1) insmod kprobe_test.ko
+ 2) bpftrace -e 'kretprobe:kprobe_test_timer_handler {}'
+ 3) echo 0 > /proc/sys/kernel/ftrace_enabled
+ 4) rmmod kprobe_test
+ 5) stop step 2) kprobe
+ 6) insmod kprobe_test.ko
+ 7) bpftrace -e 'kretprobe:kprobe_test_timer_handler {}'
+
+We mark the kprobe as GONE but not disarm the kprobe in the step 4).
+The step 5) also do not disarm the kprobe when unregister kprobe. So
+we do not remove the ip from the filter. In this case, when the module
+loads again in the step 6), we will replace the code to ftrace_caller
+via the ftrace_module_enable(). When we register kprobe again, we will
+not replace ftrace_caller to ftrace_regs_caller because the ftrace is
+disabled in the step 3). So the step 7) will trigger kernel panic. Fix
+this problem by disarming the kprobe when the module is going away.
+
+Link: https://lkml.kernel.org/r/20200728064536.24405-1-songmuchun@bytedance.com
+
+Cc: stable@vger.kernel.org
+Fixes: ae6aa16fdc16 ("kprobes: introduce ftrace based optimization")
+Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Muchun Song <songmuchun@bytedance.com>
+Co-developed-by: Chengming Zhou <zhouchengming@bytedance.com>
+Signed-off-by: Chengming Zhou <zhouchengming@bytedance.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/kprobes.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -2104,6 +2104,13 @@ static void kill_kprobe(struct kprobe *p
+ * the original probed function (which will be freed soon) any more.
+ */
+ arch_remove_kprobe(p);
++
++ /*
++ * The module is going away. We should disarm the kprobe which
++ * is using ftrace.
++ */
++ if (kprobe_ftrace(p))
++ disarm_kprobe_ftrace(p);
+ }
+
+ /* Disable one kprobe */
--- /dev/null
+From 5981fe5b0529ba25d95f37d7faa434183ad618c5 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Mon, 3 Aug 2020 11:02:10 +0200
+Subject: mac80211: fix misplaced while instead of if
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 5981fe5b0529ba25d95f37d7faa434183ad618c5 upstream.
+
+This never was intended to be a 'while' loop, it should've
+just been an 'if' instead of 'while'. Fix this.
+
+I noticed this while applying another patch from Ben that
+intended to fix a busy loop at this spot.
+
+Cc: stable@vger.kernel.org
+Fixes: b16798f5b907 ("mac80211: mark station unauthorized before key removal")
+Reported-by: Ben Greear <greearb@candelatech.com>
+Link: https://lore.kernel.org/r/20200803110209.253009ae41ff.I3522aad099392b31d5cf2dcca34cbac7e5832dde@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/sta_info.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -1050,7 +1050,7 @@ static void __sta_info_destroy_part2(str
+ might_sleep();
+ lockdep_assert_held(&local->sta_mtx);
+
+- while (sta->sta_state == IEEE80211_STA_AUTHORIZED) {
++ if (sta->sta_state == IEEE80211_STA_AUTHORIZED) {
+ ret = sta_info_move_state(sta, IEEE80211_STA_ASSOC);
+ WARN_ON_ONCE(ret);
+ }
--- /dev/null
+From a1c6ae3d9f3dd6aa5981a332a6f700cf1c25edef Mon Sep 17 00:00:00 2001
+From: ChangSyun Peng <allenpeng@synology.com>
+Date: Fri, 31 Jul 2020 17:50:17 +0800
+Subject: md/raid5: Fix Force reconstruct-write io stuck in degraded raid5
+
+From: ChangSyun Peng <allenpeng@synology.com>
+
+commit a1c6ae3d9f3dd6aa5981a332a6f700cf1c25edef upstream.
+
+In degraded raid5, we need to read parity to do reconstruct-write when
+data disks fail. However, we can not read parity from
+handle_stripe_dirtying() in force reconstruct-write mode.
+
+Reproducible Steps:
+
+1. Create degraded raid5
+mdadm -C /dev/md2 --assume-clean -l5 -n3 /dev/sda2 /dev/sdb2 missing
+2. Set rmw_level to 0
+echo 0 > /sys/block/md2/md/rmw_level
+3. IO to raid5
+
+Now some io may be stuck in raid5. We can use handle_stripe_fill() to read
+the parity in this situation.
+
+Cc: <stable@vger.kernel.org> # v4.4+
+Reviewed-by: Alex Wu <alexwu@synology.com>
+Reviewed-by: BingJing Chang <bingjingc@synology.com>
+Reviewed-by: Danny Shih <dannyshih@synology.com>
+Signed-off-by: ChangSyun Peng <allenpeng@synology.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/raid5.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -3604,6 +3604,7 @@ static int need_this_block(struct stripe
+ * is missing/faulty, then we need to read everything we can.
+ */
+ if (sh->raid_conf->level != 6 &&
++ sh->raid_conf->rmw_level != PARITY_DISABLE_RMW &&
+ sh->sector < sh->raid_conf->mddev->recovery_cp)
+ /* reconstruct-write isn't being forced */
+ return 0;
+@@ -4839,7 +4840,7 @@ static void handle_stripe(struct stripe_
+ * or to load a block that is being partially written.
+ */
+ if (s.to_read || s.non_overwrite
+- || (conf->level == 6 && s.to_write && s.failed)
++ || (s.to_write && s.failed)
+ || (s.syncing && (s.uptodate + s.compute < disks))
+ || s.replacing
+ || s.expanding)
--- /dev/null
+From 9cce844abf07b683cff5f0273977d5f8d0af94c7 Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Thu, 16 Jul 2020 18:40:23 +0800
+Subject: MIPS: CPU#0 is not hotpluggable
+
+From: Huacai Chen <chenhc@lemote.com>
+
+commit 9cce844abf07b683cff5f0273977d5f8d0af94c7 upstream.
+
+Now CPU#0 is not hotpluggable on MIPS, so prevent to create /sys/devices
+/system/cpu/cpu0/online which confuses some user-space tools.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/topology.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kernel/topology.c
++++ b/arch/mips/kernel/topology.c
+@@ -20,7 +20,7 @@ static int __init topology_init(void)
+ for_each_present_cpu(i) {
+ struct cpu *c = &per_cpu(cpu_devices, i);
+
+- c->hotpluggable = 1;
++ c->hotpluggable = !!i;
+ ret = register_cpu(c, i);
+ if (ret)
+ printk(KERN_WARNING "topology_init: register_cpu %d "
--- /dev/null
+From 0889a67a9e7a56ba39af223d536630b20b877fda Mon Sep 17 00:00:00 2001
+From: Paul Cercueil <paul@crapouillou.net>
+Date: Mon, 27 Jul 2020 20:11:28 +0200
+Subject: MIPS: qi_lb60: Fix routing to audio amplifier
+
+From: Paul Cercueil <paul@crapouillou.net>
+
+commit 0889a67a9e7a56ba39af223d536630b20b877fda upstream.
+
+The ROUT (right channel output of audio codec) was connected to INL
+(left channel of audio amplifier) instead of INR (right channel of audio
+amplifier).
+
+Fixes: 8ddebad15e9b ("MIPS: qi_lb60: Migrate to devicetree")
+Cc: stable@vger.kernel.org # v5.3
+Signed-off-by: Paul Cercueil <paul@crapouillou.net>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/boot/dts/ingenic/qi_lb60.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/boot/dts/ingenic/qi_lb60.dts
++++ b/arch/mips/boot/dts/ingenic/qi_lb60.dts
+@@ -69,7 +69,7 @@
+ "Speaker", "OUTL",
+ "Speaker", "OUTR",
+ "INL", "LOUT",
+- "INL", "ROUT";
++ "INR", "ROUT";
+
+ simple-audio-card,aux-devs = <&>;
+
--- /dev/null
+From 6c86a3029ce3b44597526909f2e39a77a497f640 Mon Sep 17 00:00:00 2001
+From: Mike Rapoport <rppt@kernel.org>
+Date: Wed, 5 Aug 2020 15:51:41 +0300
+Subject: MIPS: SGI-IP27: always enable NUMA in Kconfig
+
+From: Mike Rapoport <rppt@linux.ibm.com>
+
+commit 6c86a3029ce3b44597526909f2e39a77a497f640 upstream.
+
+When a configuration has NUMA disabled and SGI_IP27 enabled, the build
+fails:
+
+ CC kernel/bounds.s
+ CC arch/mips/kernel/asm-offsets.s
+In file included from arch/mips/include/asm/topology.h:11,
+ from include/linux/topology.h:36,
+ from include/linux/gfp.h:9,
+ from include/linux/slab.h:15,
+ from include/linux/crypto.h:19,
+ from include/crypto/hash.h:11,
+ from include/linux/uio.h:10,
+ from include/linux/socket.h:8,
+ from include/linux/compat.h:15,
+ from arch/mips/kernel/asm-offsets.c:12:
+include/linux/topology.h: In function 'numa_node_id':
+arch/mips/include/asm/mach-ip27/topology.h:16:27: error: implicit declaration of function 'cputonasid'; did you mean 'cpu_vpe_id'? [-Werror=implicit-function-declaration]
+ #define cpu_to_node(cpu) (cputonasid(cpu))
+ ^~~~~~~~~~
+include/linux/topology.h:119:9: note: in expansion of macro 'cpu_to_node'
+ return cpu_to_node(raw_smp_processor_id());
+ ^~~~~~~~~~~
+include/linux/topology.h: In function 'cpu_cpu_mask':
+arch/mips/include/asm/mach-ip27/topology.h:19:7: error: implicit declaration of function 'hub_data' [-Werror=implicit-function-declaration]
+ &hub_data(node)->h_cpus)
+ ^~~~~~~~
+include/linux/topology.h:210:9: note: in expansion of macro 'cpumask_of_node'
+ return cpumask_of_node(cpu_to_node(cpu));
+ ^~~~~~~~~~~~~~~
+arch/mips/include/asm/mach-ip27/topology.h:19:21: error: invalid type argument of '->' (have 'int')
+ &hub_data(node)->h_cpus)
+ ^~
+include/linux/topology.h:210:9: note: in expansion of macro 'cpumask_of_node'
+ return cpumask_of_node(cpu_to_node(cpu));
+ ^~~~~~~~~~~~~~~
+
+Before switch from discontigmem to sparsemem, there always was
+CONFIG_NEED_MULTIPLE_NODES=y because it was selected by DISCONTIGMEM.
+Without DISCONTIGMEM it is possible to have SPARSEMEM without NUMA for
+SGI_IP27 and as many things there rely on custom node definition, the
+build breaks.
+
+As Thomas noted "... there are right now too many places in IP27 code,
+which assumes NUMA enabled", the simplest solution would be to always
+enable NUMA for SGI-IP27 builds.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Fixes: 397dc00e249e ("mips: sgi-ip27: switch from DISCONTIGMEM to SPARSEMEM")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Rapoport <rppt@linux.ibm.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/mips/Kconfig
++++ b/arch/mips/Kconfig
+@@ -722,6 +722,7 @@ config SGI_IP27
+ select SYS_SUPPORTS_NUMA
+ select SYS_SUPPORTS_SMP
+ select MIPS_L1_CACHE_SHIFT_7
++ select NUMA
+ help
+ This are the SGI Origin 200, Origin 2000 and Onyx 2 Graphics
+ workstations. To compile a Linux kernel that runs on these, say Y
--- /dev/null
+From 75802ca66354a39ab8e35822747cd08b3384a99a Mon Sep 17 00:00:00 2001
+From: Peter Xu <peterx@redhat.com>
+Date: Thu, 6 Aug 2020 23:26:11 -0700
+Subject: mm/hugetlb: fix calculation of adjust_range_if_pmd_sharing_possible
+
+From: Peter Xu <peterx@redhat.com>
+
+commit 75802ca66354a39ab8e35822747cd08b3384a99a upstream.
+
+This is found by code observation only.
+
+Firstly, the worst case scenario should assume the whole range was covered
+by pmd sharing. The old algorithm might not work as expected for ranges
+like (1g-2m, 1g+2m), where the adjusted range should be (0, 1g+2m) but the
+expected range should be (0, 2g).
+
+Since at it, remove the loop since it should not be required. With that,
+the new code should be faster too when the invalidating range is huge.
+
+Mike said:
+
+: With range (1g-2m, 1g+2m) within a vma (0, 2g) the existing code will only
+: adjust to (0, 1g+2m) which is incorrect.
+:
+: We should cc stable. The original reason for adjusting the range was to
+: prevent data corruption (getting wrong page). Since the range is not
+: always adjusted correctly, the potential for corruption still exists.
+:
+: However, I am fairly confident that adjust_range_if_pmd_sharing_possible
+: is only gong to be called in two cases:
+:
+: 1) for a single page
+: 2) for range == entire vma
+:
+: In those cases, the current code should produce the correct results.
+:
+: To be safe, let's just cc stable.
+
+Fixes: 017b1660df89 ("mm: migration: fix migration of huge PMD shared pages")
+Signed-off-by: Peter Xu <peterx@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: <stable@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20200730201636.74778-1-peterx@redhat.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/hugetlb.c | 24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -5201,25 +5201,21 @@ static bool vma_shareable(struct vm_area
+ void adjust_range_if_pmd_sharing_possible(struct vm_area_struct *vma,
+ unsigned long *start, unsigned long *end)
+ {
+- unsigned long check_addr;
++ unsigned long a_start, a_end;
+
+ if (!(vma->vm_flags & VM_MAYSHARE))
+ return;
+
+- for (check_addr = *start; check_addr < *end; check_addr += PUD_SIZE) {
+- unsigned long a_start = check_addr & PUD_MASK;
+- unsigned long a_end = a_start + PUD_SIZE;
++ /* Extend the range to be PUD aligned for a worst case scenario */
++ a_start = ALIGN_DOWN(*start, PUD_SIZE);
++ a_end = ALIGN(*end, PUD_SIZE);
+
+- /*
+- * If sharing is possible, adjust start/end if necessary.
+- */
+- if (range_in_vma(vma, a_start, a_end)) {
+- if (a_start < *start)
+- *start = a_start;
+- if (a_end > *end)
+- *end = a_end;
+- }
+- }
++ /*
++ * Intersect the range with the vma range, since pmd sharing won't be
++ * across vma after all
++ */
++ *start = max(vma->vm_start, a_start);
++ *end = min(vma->vm_end, a_end);
+ }
+
+ /*
--- /dev/null
+From b4223a510e2ab1bf0f971d50af7c1431014b25ad Mon Sep 17 00:00:00 2001
+From: Jia He <justin.he@arm.com>
+Date: Tue, 11 Aug 2020 18:32:20 -0700
+Subject: mm/memory_hotplug: fix unpaired mem_hotplug_begin/done
+
+From: Jia He <justin.he@arm.com>
+
+commit b4223a510e2ab1bf0f971d50af7c1431014b25ad upstream.
+
+When check_memblock_offlined_cb() returns failed rc(e.g. the memblock is
+online at that time), mem_hotplug_begin/done is unpaired in such case.
+
+Therefore a warning:
+ Call Trace:
+ percpu_up_write+0x33/0x40
+ try_remove_memory+0x66/0x120
+ ? _cond_resched+0x19/0x30
+ remove_memory+0x2b/0x40
+ dev_dax_kmem_remove+0x36/0x72 [kmem]
+ device_release_driver_internal+0xf0/0x1c0
+ device_release_driver+0x12/0x20
+ bus_remove_device+0xe1/0x150
+ device_del+0x17b/0x3e0
+ unregister_dev_dax+0x29/0x60
+ devm_action_release+0x15/0x20
+ release_nodes+0x19a/0x1e0
+ devres_release_all+0x3f/0x50
+ device_release_driver_internal+0x100/0x1c0
+ driver_detach+0x4c/0x8f
+ bus_remove_driver+0x5c/0xd0
+ driver_unregister+0x31/0x50
+ dax_pmem_exit+0x10/0xfe0 [dax_pmem]
+
+Fixes: f1037ec0cc8a ("mm/memory_hotplug: fix remove_memory() lockdep splat")
+Signed-off-by: Jia He <justin.he@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Acked-by: Dan Williams <dan.j.williams@intel.com>
+Cc: <stable@vger.kernel.org> [5.6+]
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Baoquan He <bhe@redhat.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Chuhong Yuan <hslester96@gmail.com>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Dave Jiang <dave.jiang@intel.com>
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jonathan Cameron <Jonathan.Cameron@Huawei.com>
+Cc: Kaly Xin <Kaly.Xin@arm.com>
+Cc: Logan Gunthorpe <logang@deltatee.com>
+Cc: Masahiro Yamada <masahiroy@kernel.org>
+Cc: Mike Rapoport <rppt@linux.ibm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Rich Felker <dalias@libc.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: Vishal Verma <vishal.l.verma@intel.com>
+Cc: Will Deacon <will@kernel.org>
+Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
+Link: http://lkml.kernel.org/r/20200710031619.18762-3-justin.he@arm.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/memory_hotplug.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/mm/memory_hotplug.c
++++ b/mm/memory_hotplug.c
+@@ -1745,7 +1745,7 @@ static int __ref try_remove_memory(int n
+ */
+ rc = walk_memory_blocks(start, size, NULL, check_memblock_offlined_cb);
+ if (rc)
+- goto done;
++ return rc;
+
+ /* remove memmap entry */
+ firmware_map_remove(start, start + size, "System RAM");
+@@ -1765,9 +1765,8 @@ static int __ref try_remove_memory(int n
+
+ try_offline_node(nid);
+
+-done:
+ mem_hotplug_done();
+- return rc;
++ return 0;
+ }
+
+ /**
--- /dev/null
+From a6f23d14ec7d7d02220ad8bb2774be3322b9aeec Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20Koutn=C3=BD?= <mkoutny@suse.com>
+Date: Thu, 6 Aug 2020 23:22:18 -0700
+Subject: mm/page_counter.c: fix protection usage propagation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michal Koutný <mkoutny@suse.com>
+
+commit a6f23d14ec7d7d02220ad8bb2774be3322b9aeec upstream.
+
+When workload runs in cgroups that aren't directly below root cgroup and
+their parent specifies reclaim protection, it may end up ineffective.
+
+The reason is that propagate_protected_usage() is not called in all
+hierarchy up. All the protected usage is incorrectly accumulated in the
+workload's parent. This means that siblings_low_usage is overestimated
+and effective protection underestimated. Even though it is transitional
+phenomenon (uncharge path does correct propagation and fixes the wrong
+children_low_usage), it can undermine the intended protection
+unexpectedly.
+
+We have noticed this problem while seeing a swap out in a descendant of a
+protected memcg (intermediate node) while the parent was conveniently
+under its protection limit and the memory pressure was external to that
+hierarchy. Michal has pinpointed this down to the wrong
+siblings_low_usage which led to the unwanted reclaim.
+
+The fix is simply updating children_low_usage in respective ancestors also
+in the charging path.
+
+Fixes: 230671533d64 ("mm: memory.low hierarchical behavior")
+Signed-off-by: Michal Koutný <mkoutny@suse.com>
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Acked-by: Roman Gushchin <guro@fb.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: <stable@vger.kernel.org> [4.18+]
+Link: http://lkml.kernel.org/r/20200803153231.15477-1-mhocko@kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/page_counter.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/mm/page_counter.c
++++ b/mm/page_counter.c
+@@ -72,7 +72,7 @@ void page_counter_charge(struct page_cou
+ long new;
+
+ new = atomic_long_add_return(nr_pages, &c->usage);
+- propagate_protected_usage(counter, new);
++ propagate_protected_usage(c, new);
+ /*
+ * This is indeed racy, but we can live with some
+ * inaccuracy in the watermark.
+@@ -116,7 +116,7 @@ bool page_counter_try_charge(struct page
+ new = atomic_long_add_return(nr_pages, &c->usage);
+ if (new > c->max) {
+ atomic_long_sub(nr_pages, &c->usage);
+- propagate_protected_usage(counter, new);
++ propagate_protected_usage(c, new);
+ /*
+ * This is racy, but we can live with some
+ * inaccuracy in the failcnt.
+@@ -125,7 +125,7 @@ bool page_counter_try_charge(struct page
+ *fail = c;
+ goto failed;
+ }
+- propagate_protected_usage(counter, new);
++ propagate_protected_usage(c, new);
+ /*
+ * Just like with failcnt, we can live with some
+ * inaccuracy in the watermark.
--- /dev/null
+From 4a93025cbe4a0b19d1a25a2d763a3d2018bad0d9 Mon Sep 17 00:00:00 2001
+From: David Hildenbrand <david@redhat.com>
+Date: Thu, 6 Aug 2020 23:17:13 -0700
+Subject: mm/shuffle: don't move pages between zones and don't read garbage memmaps
+
+From: David Hildenbrand <david@redhat.com>
+
+commit 4a93025cbe4a0b19d1a25a2d763a3d2018bad0d9 upstream.
+
+Especially with memory hotplug, we can have offline sections (with a
+garbage memmap) and overlapping zones. We have to make sure to only touch
+initialized memmaps (online sections managed by the buddy) and that the
+zone matches, to not move pages between zones.
+
+To test if this can actually happen, I added a simple
+
+ BUG_ON(page_zone(page_i) != page_zone(page_j));
+
+right before the swap. When hotplugging a 256M DIMM to a 4G x86-64 VM and
+onlining the first memory block "online_movable" and the second memory
+block "online_kernel", it will trigger the BUG, as both zones (NORMAL and
+MOVABLE) overlap.
+
+This might result in all kinds of weird situations (e.g., double
+allocations, list corruptions, unmovable allocations ending up in the
+movable zone).
+
+Fixes: e900a918b098 ("mm: shuffle initial free memory to improve memory-side-cache utilization")
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Wei Yang <richard.weiyang@linux.alibaba.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Acked-by: Dan Williams <dan.j.williams@intel.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Huang Ying <ying.huang@intel.com>
+Cc: Wei Yang <richard.weiyang@gmail.com>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: <stable@vger.kernel.org> [5.2+]
+Link: http://lkml.kernel.org/r/20200624094741.9918-2-david@redhat.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/shuffle.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/mm/shuffle.c
++++ b/mm/shuffle.c
+@@ -58,25 +58,25 @@ module_param_call(shuffle, shuffle_store
+ * For two pages to be swapped in the shuffle, they must be free (on a
+ * 'free_area' lru), have the same order, and have the same migratetype.
+ */
+-static struct page * __meminit shuffle_valid_page(unsigned long pfn, int order)
++static struct page * __meminit shuffle_valid_page(struct zone *zone,
++ unsigned long pfn, int order)
+ {
+- struct page *page;
++ struct page *page = pfn_to_online_page(pfn);
+
+ /*
+ * Given we're dealing with randomly selected pfns in a zone we
+ * need to ask questions like...
+ */
+
+- /* ...is the pfn even in the memmap? */
+- if (!pfn_valid_within(pfn))
++ /* ... is the page managed by the buddy? */
++ if (!page)
+ return NULL;
+
+- /* ...is the pfn in a present section or a hole? */
+- if (!pfn_in_present_section(pfn))
++ /* ... is the page assigned to the same zone? */
++ if (page_zone(page) != zone)
+ return NULL;
+
+ /* ...is the page free and currently on a free_area list? */
+- page = pfn_to_page(pfn);
+ if (!PageBuddy(page))
+ return NULL;
+
+@@ -123,7 +123,7 @@ void __meminit __shuffle_zone(struct zon
+ * page_j randomly selected in the span @zone_start_pfn to
+ * @spanned_pages.
+ */
+- page_i = shuffle_valid_page(i, order);
++ page_i = shuffle_valid_page(z, i, order);
+ if (!page_i)
+ continue;
+
+@@ -137,7 +137,7 @@ void __meminit __shuffle_zone(struct zon
+ j = z->zone_start_pfn +
+ ALIGN_DOWN(get_random_long() % z->spanned_pages,
+ order_pages);
+- page_j = shuffle_valid_page(j, order);
++ page_j = shuffle_valid_page(z, j, order);
+ if (page_j && page_j != page_i)
+ break;
+ }
--- /dev/null
+From d9539752d23283db4692384a634034f451261e29 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Tue, 9 Jun 2020 16:11:29 -0700
+Subject: net/compat: Add missing sock updates for SCM_RIGHTS
+
+From: Kees Cook <keescook@chromium.org>
+
+commit d9539752d23283db4692384a634034f451261e29 upstream.
+
+Add missed sock updates to compat path via a new helper, which will be
+used more in coming patches. (The net/core/scm.c code is left as-is here
+to assist with -stable backports for the compat path.)
+
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Sargun Dhillon <sargun@sargun.me>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: stable@vger.kernel.org
+Fixes: 48a87cc26c13 ("net: netprio: fd passed in SCM_RIGHTS datagram not set correctly")
+Fixes: d84295067fc7 ("net: net_cls: fd passed in SCM_RIGHTS datagram not set correctly")
+Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/sock.h | 4 ++++
+ net/compat.c | 1 +
+ net/core/sock.c | 21 +++++++++++++++++++++
+ 3 files changed, 26 insertions(+)
+
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -890,6 +890,8 @@ static inline int sk_memalloc_socks(void
+ {
+ return static_branch_unlikely(&memalloc_socks_key);
+ }
++
++void __receive_sock(struct file *file);
+ #else
+
+ static inline int sk_memalloc_socks(void)
+@@ -897,6 +899,8 @@ static inline int sk_memalloc_socks(void
+ return 0;
+ }
+
++static inline void __receive_sock(struct file *file)
++{ }
+ #endif
+
+ static inline gfp_t sk_gfp_mask(const struct sock *sk, gfp_t gfp_mask)
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -307,6 +307,7 @@ void scm_detach_fds_compat(struct msghdr
+ break;
+ }
+ /* Bump the usage count and install the file. */
++ __receive_sock(fp[i]);
+ fd_install(new_fd, get_file(fp[i]));
+ }
+
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -2753,6 +2753,27 @@ int sock_no_mmap(struct file *file, stru
+ }
+ EXPORT_SYMBOL(sock_no_mmap);
+
++/*
++ * When a file is received (via SCM_RIGHTS, etc), we must bump the
++ * various sock-based usage counts.
++ */
++void __receive_sock(struct file *file)
++{
++ struct socket *sock;
++ int error;
++
++ /*
++ * The resulting value of "error" is ignored here since we only
++ * need to take action when the file is a socket and testing
++ * "sock" for NULL is sufficient.
++ */
++ sock = sock_from_file(file, &error);
++ if (sock) {
++ sock_update_netprioidx(&sock->sk->sk_cgrp_data);
++ sock_update_classid(&sock->sk->sk_cgrp_data);
++ }
++}
++
+ ssize_t sock_no_sendpage(struct socket *sock, struct page *page, int offset, size_t size, int flags)
+ {
+ ssize_t res;
--- /dev/null
+From df43dd526e6609769ae513a81443c7aa727c8ca3 Mon Sep 17 00:00:00 2001
+From: Jonathan McDowell <noodles@earth.li>
+Date: Wed, 12 Aug 2020 20:37:23 +0100
+Subject: net: ethernet: stmmac: Disable hardware multicast filter
+
+From: Jonathan McDowell <noodles@earth.li>
+
+commit df43dd526e6609769ae513a81443c7aa727c8ca3 upstream.
+
+The IPQ806x does not appear to have a functional multicast ethernet
+address filter. This was observed as a failure to correctly receive IPv6
+packets on a LAN to the all stations address. Checking the vendor driver
+shows that it does not attempt to enable the multicast filter and
+instead falls back to receiving all multicast packets, internally
+setting ALLMULTI.
+
+Use the new fallback support in the dwmac1000 driver to correctly
+achieve the same with the mainline IPQ806x driver. Confirmed to fix IPv6
+functionality on an RB3011 router.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonathan McDowell <noodles@earth.li>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c
+@@ -351,6 +351,7 @@ static int ipq806x_gmac_probe(struct pla
+ plat_dat->has_gmac = true;
+ plat_dat->bsp_priv = gmac;
+ plat_dat->fix_mac_speed = ipq806x_gmac_fix_mac_speed;
++ plat_dat->multicast_filter_bins = 0;
+
+ err = stmmac_dvr_probe(&pdev->dev, plat_dat, &stmmac_res);
+ if (err)
--- /dev/null
+From 592d751c1e174df5ff219946908b005eb48934b3 Mon Sep 17 00:00:00 2001
+From: Jonathan McDowell <noodles@earth.li>
+Date: Wed, 12 Aug 2020 20:37:01 +0100
+Subject: net: stmmac: dwmac1000: provide multicast filter fallback
+
+From: Jonathan McDowell <noodles@earth.li>
+
+commit 592d751c1e174df5ff219946908b005eb48934b3 upstream.
+
+If we don't have a hardware multicast filter available then instead of
+silently failing to listen for the requested ethernet broadcast
+addresses fall back to receiving all multicast packets, in a similar
+fashion to other drivers with no multicast filter.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonathan McDowell <noodles@earth.li>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
+@@ -164,6 +164,9 @@ static void dwmac1000_set_filter(struct
+ value = GMAC_FRAME_FILTER_PR | GMAC_FRAME_FILTER_PCF;
+ } else if (dev->flags & IFF_ALLMULTI) {
+ value = GMAC_FRAME_FILTER_PM; /* pass all multi */
++ } else if (!netdev_mc_empty(dev) && (mcbitslog2 == 0)) {
++ /* Fall back to all multicast if we've no filter */
++ value = GMAC_FRAME_FILTER_PM;
+ } else if (!netdev_mc_empty(dev)) {
+ struct netdev_hw_addr *ha;
+
--- /dev/null
+From 38d51b2dd171ad973afc1f5faab825ed05a2d5e9 Mon Sep 17 00:00:00 2001
+From: Junxiao Bi <junxiao.bi@oracle.com>
+Date: Thu, 6 Aug 2020 23:18:02 -0700
+Subject: ocfs2: change slot number type s16 to u16
+
+From: Junxiao Bi <junxiao.bi@oracle.com>
+
+commit 38d51b2dd171ad973afc1f5faab825ed05a2d5e9 upstream.
+
+Dan Carpenter reported the following static checker warning.
+
+ fs/ocfs2/super.c:1269 ocfs2_parse_options() warn: '(-1)' 65535 can't fit into 32767 'mopt->slot'
+ fs/ocfs2/suballoc.c:859 ocfs2_init_inode_steal_slot() warn: '(-1)' 65535 can't fit into 32767 'osb->s_inode_steal_slot'
+ fs/ocfs2/suballoc.c:867 ocfs2_init_meta_steal_slot() warn: '(-1)' 65535 can't fit into 32767 'osb->s_meta_steal_slot'
+
+That's because OCFS2_INVALID_SLOT is (u16)-1. Slot number in ocfs2 can be
+never negative, so change s16 to u16.
+
+Fixes: 9277f8334ffc ("ocfs2: fix value of OCFS2_INVALID_SLOT")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Reviewed-by: Gang He <ghe@suse.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20200627001259.19757-1-junxiao.bi@oracle.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ocfs2/ocfs2.h | 4 ++--
+ fs/ocfs2/suballoc.c | 4 ++--
+ fs/ocfs2/super.c | 4 ++--
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/fs/ocfs2/ocfs2.h
++++ b/fs/ocfs2/ocfs2.h
+@@ -326,8 +326,8 @@ struct ocfs2_super
+ spinlock_t osb_lock;
+ u32 s_next_generation;
+ unsigned long osb_flags;
+- s16 s_inode_steal_slot;
+- s16 s_meta_steal_slot;
++ u16 s_inode_steal_slot;
++ u16 s_meta_steal_slot;
+ atomic_t s_num_inodes_stolen;
+ atomic_t s_num_meta_stolen;
+
+--- a/fs/ocfs2/suballoc.c
++++ b/fs/ocfs2/suballoc.c
+@@ -879,9 +879,9 @@ static void __ocfs2_set_steal_slot(struc
+ {
+ spin_lock(&osb->osb_lock);
+ if (type == INODE_ALLOC_SYSTEM_INODE)
+- osb->s_inode_steal_slot = slot;
++ osb->s_inode_steal_slot = (u16)slot;
+ else if (type == EXTENT_ALLOC_SYSTEM_INODE)
+- osb->s_meta_steal_slot = slot;
++ osb->s_meta_steal_slot = (u16)slot;
+ spin_unlock(&osb->osb_lock);
+ }
+
+--- a/fs/ocfs2/super.c
++++ b/fs/ocfs2/super.c
+@@ -78,7 +78,7 @@ struct mount_options
+ unsigned long commit_interval;
+ unsigned long mount_opt;
+ unsigned int atime_quantum;
+- signed short slot;
++ unsigned short slot;
+ int localalloc_opt;
+ unsigned int resv_level;
+ int dir_resv_level;
+@@ -1334,7 +1334,7 @@ static int ocfs2_parse_options(struct su
+ goto bail;
+ }
+ if (option)
+- mopt->slot = (s16)option;
++ mopt->slot = (u16)option;
+ break;
+ case Opt_commit:
+ if (match_int(&args[0], &option)) {
--- /dev/null
+From 4969f8a073977123504609d7310b42a588297aa4 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Tue, 9 Jun 2020 16:21:38 -0700
+Subject: pidfd: Add missing sock updates for pidfd_getfd()
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 4969f8a073977123504609d7310b42a588297aa4 upstream.
+
+The sock counting (sock_update_netprioidx() and sock_update_classid())
+was missing from pidfd's implementation of received fd installation. Add
+a call to the new __receive_sock() helper.
+
+Cc: Christian Brauner <christian.brauner@ubuntu.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Sargun Dhillon <sargun@sargun.me>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: netdev@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Cc: stable@vger.kernel.org
+Fixes: 8649c322f75c ("pid: Implement pidfd_getfd syscall")
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/pid.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/kernel/pid.c
++++ b/kernel/pid.c
+@@ -42,6 +42,7 @@
+ #include <linux/sched/signal.h>
+ #include <linux/sched/task.h>
+ #include <linux/idr.h>
++#include <net/sock.h>
+
+ struct pid init_struct_pid = {
+ .count = REFCOUNT_INIT(1),
+@@ -624,10 +625,12 @@ static int pidfd_getfd(struct pid *pid,
+ }
+
+ ret = get_unused_fd_flags(O_CLOEXEC);
+- if (ret < 0)
++ if (ret < 0) {
+ fput(file);
+- else
++ } else {
++ __receive_sock(file);
+ fd_install(ret, file);
++ }
+
+ return ret;
+ }
--- /dev/null
+From 89c140bbaeee7a55ed0360a88f294ead2b95201b Mon Sep 17 00:00:00 2001
+From: Anton Blanchard <anton@ozlabs.org>
+Date: Wed, 15 Jul 2020 10:08:20 +1000
+Subject: pseries: Fix 64 bit logical memory block panic
+
+From: Anton Blanchard <anton@ozlabs.org>
+
+commit 89c140bbaeee7a55ed0360a88f294ead2b95201b upstream.
+
+Booting with a 4GB LMB size causes us to panic:
+
+ qemu-system-ppc64: OS terminated: OS panic:
+ Memory block size not suitable: 0x0
+
+Fix pseries_memory_block_size() to handle 64 bit LMBs.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Anton Blanchard <anton@ozlabs.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200715000820.1255764-1-anton@ozlabs.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/pseries/hotplug-memory.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/pseries/hotplug-memory.c
++++ b/arch/powerpc/platforms/pseries/hotplug-memory.c
+@@ -27,7 +27,7 @@ static bool rtas_hp_event;
+ unsigned long pseries_memory_block_size(void)
+ {
+ struct device_node *np;
+- unsigned int memblock_size = MIN_MEMORY_BLOCK_SIZE;
++ u64 memblock_size = MIN_MEMORY_BLOCK_SIZE;
+ struct resource r;
+
+ np = of_find_node_by_path("/ibm,dynamic-reconfiguration-memory");
--- /dev/null
+From e4d05028a07f505a08802a6d1b11674c149df2b3 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Fri, 10 Jul 2020 10:29:41 -0700
+Subject: selftests/seccomp: Set NNP for TSYNC ESRCH flag test
+
+From: Kees Cook <keescook@chromium.org>
+
+commit e4d05028a07f505a08802a6d1b11674c149df2b3 upstream.
+
+The TSYNC ESRCH flag test will fail for regular users because NNP was
+not set yet. Add NNP setting.
+
+Fixes: 51891498f2da ("seccomp: allow TSYNC and USER_NOTIF together")
+Cc: stable@vger.kernel.org
+Reviewed-by: Tycho Andersen <tycho@tycho.ws>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/testing/selftests/seccomp/seccomp_bpf.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
++++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
+@@ -3257,6 +3257,11 @@ TEST(user_notification_with_tsync)
+ int ret;
+ unsigned int flags;
+
++ ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
++ ASSERT_EQ(0, ret) {
++ TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
++ }
++
+ /* these were exclusive */
+ flags = SECCOMP_FILTER_FLAG_NEW_LISTENER |
+ SECCOMP_FILTER_FLAG_TSYNC;
pinctrl-ingenic-properly-detect-gpio-direction-when-configured-for-irq.patch
media-venus-fix-multiple-encoder-crash.patch
media-vsp1-dl-fix-null-pointer-dereference-on-unbind.patch
+net-ethernet-stmmac-disable-hardware-multicast-filter.patch
+net-stmmac-dwmac1000-provide-multicast-filter-fallback.patch
+irqchip-loongson-liointc-fix-misuse-of-gc-mask_cache.patch
+irqchip-gic-v4.1-ensure-accessing-the-correct-rd-when-writing-invallr.patch
+pidfd-add-missing-sock-updates-for-pidfd_getfd.patch
+net-compat-add-missing-sock-updates-for-scm_rights.patch
+selftests-seccomp-set-nnp-for-tsync-esrch-flag-test.patch
+md-raid5-fix-force-reconstruct-write-io-stuck-in-degraded-raid5.patch
+bcache-allocate-meta-data-pages-as-compound-pages.patch
+bcache-fix-overflow-in-offset_to_stripe.patch
+mac80211-fix-misplaced-while-instead-of-if.patch
+appletalk-fix-atalk_proc_init-return-path.patch
+driver-core-avoid-binding-drivers-to-dead-devices.patch
+mips-cpu-0-is-not-hotpluggable.patch
+mips-qi_lb60-fix-routing-to-audio-amplifier.patch
+mips-sgi-ip27-always-enable-numa-in-kconfig.patch
+ext2-fix-missing-percpu_counter_inc.patch
+khugepaged-collapse_pte_mapped_thp-flush-the-right-range.patch
+mm-hugetlb-fix-calculation-of-adjust_range_if_pmd_sharing_possible.patch
+khugepaged-collapse_pte_mapped_thp-protect-the-pmd-lock.patch
+hugetlbfs-remove-call-to-huge_pte_alloc-without-i_mmap_rwsem.patch
+mm-shuffle-don-t-move-pages-between-zones-and-don-t-read-garbage-memmaps.patch
+ocfs2-change-slot-number-type-s16-to-u16.patch
+mm-page_counter.c-fix-protection-usage-propagation.patch
+cma-don-t-quit-at-first-error-when-activating-reserved-areas.patch
+mm-memory_hotplug-fix-unpaired-mem_hotplug_begin-done.patch
+ftrace-setup-correct-ftrace_fl_regs-flags-for-module.patch
+kprobes-fix-null-pointer-dereference-at-kprobe_ftrace_handler.patch
+tracing-hwlat-honor-the-tracing_cpumask.patch
+tracing-use-trace_sched_process_free-instead-of-exit-for-pid-tracing.patch
+watchdog-f71808e_wdt-indicate-wdiof_cardreset-support-in-watchdog_info.options.patch
+watchdog-f71808e_wdt-remove-use-of-wrong-watchdog_info-option.patch
+watchdog-f71808e_wdt-clear-watchdog-timeout-occurred-flag.patch
+ceph-set-sec_context-xattr-on-symlink-creation.patch
+ceph-handle-zero-length-feature-mask-in-session-messages.patch
+pseries-fix-64-bit-logical-memory-block-panic.patch
--- /dev/null
+From 96b4833b6827a62c295b149213c68b559514c929 Mon Sep 17 00:00:00 2001
+From: Kevin Hao <haokexin@gmail.com>
+Date: Thu, 30 Jul 2020 16:23:18 +0800
+Subject: tracing/hwlat: Honor the tracing_cpumask
+
+From: Kevin Hao <haokexin@gmail.com>
+
+commit 96b4833b6827a62c295b149213c68b559514c929 upstream.
+
+In calculation of the cpu mask for the hwlat kernel thread, the wrong
+cpu mask is used instead of the tracing_cpumask, this causes the
+tracing/tracing_cpumask useless for hwlat tracer. Fixes it.
+
+Link: https://lkml.kernel.org/r/20200730082318.42584-2-haokexin@gmail.com
+
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: stable@vger.kernel.org
+Fixes: 0330f7aa8ee6 ("tracing: Have hwlat trace migrate across tracing_cpumask CPUs")
+Signed-off-by: Kevin Hao <haokexin@gmail.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_hwlat.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/trace_hwlat.c
++++ b/kernel/trace/trace_hwlat.c
+@@ -283,6 +283,7 @@ static bool disable_migrate;
+ static void move_to_next_cpu(void)
+ {
+ struct cpumask *current_mask = &save_cpumask;
++ struct trace_array *tr = hwlat_trace;
+ int next_cpu;
+
+ if (disable_migrate)
+@@ -296,7 +297,7 @@ static void move_to_next_cpu(void)
+ goto disable;
+
+ get_online_cpus();
+- cpumask_and(current_mask, cpu_online_mask, tracing_buffer_mask);
++ cpumask_and(current_mask, cpu_online_mask, tr->tracing_cpumask);
+ next_cpu = cpumask_next(smp_processor_id(), current_mask);
+ put_online_cpus();
+
+@@ -373,7 +374,7 @@ static int start_kthread(struct trace_ar
+ /* Just pick the first CPU on first iteration */
+ current_mask = &save_cpumask;
+ get_online_cpus();
+- cpumask_and(current_mask, cpu_online_mask, tracing_buffer_mask);
++ cpumask_and(current_mask, cpu_online_mask, tr->tracing_cpumask);
+ put_online_cpus();
+ next_cpu = cpumask_first(current_mask);
+
--- /dev/null
+From afcab636657421f7ebfa0783a91f90256bba0091 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Tue, 4 Aug 2020 20:00:02 -0400
+Subject: tracing: Use trace_sched_process_free() instead of exit() for pid tracing
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit afcab636657421f7ebfa0783a91f90256bba0091 upstream.
+
+On exit, if a process is preempted after the trace_sched_process_exit()
+tracepoint but before the process is done exiting, then when it gets
+scheduled in, the function tracers will not filter it properly against the
+function tracing pid filters.
+
+That is because the function tracing pid filters hooks to the
+sched_process_exit() tracepoint to remove the exiting task's pid from the
+filter list. Because the filtering happens at the sched_switch tracepoint,
+when the exiting task schedules back in to finish up the exit, it will no
+longer be in the function pid filtering tables.
+
+This was noticeable in the notrace self tests on a preemptable kernel, as
+the tests would fail as it exits and preempted after being taken off the
+notrace filter table and on scheduling back in it would not be in the
+notrace list, and then the ending of the exit function would trace. The test
+detected this and would fail.
+
+Cc: stable@vger.kernel.org
+Cc: Namhyung Kim <namhyung@kernel.org>
+Fixes: 1e10486ffee0a ("ftrace: Add 'function-fork' trace option")
+Fixes: c37775d57830a ("tracing: Add infrastructure to allow set_event_pid to follow children"
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ftrace.c | 4 ++--
+ kernel/trace/trace_events.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -6980,12 +6980,12 @@ void ftrace_pid_follow_fork(struct trace
+ if (enable) {
+ register_trace_sched_process_fork(ftrace_pid_follow_sched_process_fork,
+ tr);
+- register_trace_sched_process_exit(ftrace_pid_follow_sched_process_exit,
++ register_trace_sched_process_free(ftrace_pid_follow_sched_process_exit,
+ tr);
+ } else {
+ unregister_trace_sched_process_fork(ftrace_pid_follow_sched_process_fork,
+ tr);
+- unregister_trace_sched_process_exit(ftrace_pid_follow_sched_process_exit,
++ unregister_trace_sched_process_free(ftrace_pid_follow_sched_process_exit,
+ tr);
+ }
+ }
+--- a/kernel/trace/trace_events.c
++++ b/kernel/trace/trace_events.c
+@@ -538,12 +538,12 @@ void trace_event_follow_fork(struct trac
+ if (enable) {
+ register_trace_prio_sched_process_fork(event_filter_pid_sched_process_fork,
+ tr, INT_MIN);
+- register_trace_prio_sched_process_exit(event_filter_pid_sched_process_exit,
++ register_trace_prio_sched_process_free(event_filter_pid_sched_process_exit,
+ tr, INT_MAX);
+ } else {
+ unregister_trace_sched_process_fork(event_filter_pid_sched_process_fork,
+ tr);
+- unregister_trace_sched_process_exit(event_filter_pid_sched_process_exit,
++ unregister_trace_sched_process_free(event_filter_pid_sched_process_exit,
+ tr);
+ }
+ }
--- /dev/null
+From 4f39d575844148fbf3081571a1f3b4ae04150958 Mon Sep 17 00:00:00 2001
+From: Ahmad Fatoum <a.fatoum@pengutronix.de>
+Date: Thu, 11 Jun 2020 21:17:45 +0200
+Subject: watchdog: f71808e_wdt: clear watchdog timeout occurred flag
+
+From: Ahmad Fatoum <a.fatoum@pengutronix.de>
+
+commit 4f39d575844148fbf3081571a1f3b4ae04150958 upstream.
+
+The flag indicating a watchdog timeout having occurred normally persists
+till Power-On Reset of the Fintek Super I/O chip. The user can clear it
+by writing a `1' to the bit.
+
+The driver doesn't offer a restart method, so regular system reboot
+might not reset the Super I/O and if the watchdog isn't enabled, we
+won't touch the register containing the bit on the next boot.
+In this case all subsequent regular reboots will be wrongly flagged
+by the driver as being caused by the watchdog.
+
+Fix this by having the flag cleared after read. This is also done by
+other drivers like those for the i6300esb and mpc8xxx_wdt.
+
+Fixes: b97cb21a4634 ("watchdog: f71808e_wdt: Fix WDTMOUT_STS register read")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20200611191750.28096-5-a.fatoum@pengutronix.de
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/watchdog/f71808e_wdt.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/watchdog/f71808e_wdt.c
++++ b/drivers/watchdog/f71808e_wdt.c
+@@ -706,6 +706,13 @@ static int __init watchdog_init(int sioa
+ wdt_conf = superio_inb(sioaddr, F71808FG_REG_WDT_CONF);
+ watchdog.caused_reboot = wdt_conf & BIT(F71808FG_FLAG_WDTMOUT_STS);
+
++ /*
++ * We don't want WDTMOUT_STS to stick around till regular reboot.
++ * Write 1 to the bit to clear it to zero.
++ */
++ superio_outb(sioaddr, F71808FG_REG_WDT_CONF,
++ wdt_conf | BIT(F71808FG_FLAG_WDTMOUT_STS));
++
+ superio_exit(sioaddr);
+
+ err = watchdog_set_timeout(timeout);
--- /dev/null
+From e871e93fb08a619dfc015974a05768ed6880fd82 Mon Sep 17 00:00:00 2001
+From: Ahmad Fatoum <a.fatoum@pengutronix.de>
+Date: Thu, 11 Jun 2020 21:17:43 +0200
+Subject: watchdog: f71808e_wdt: indicate WDIOF_CARDRESET support in watchdog_info.options
+
+From: Ahmad Fatoum <a.fatoum@pengutronix.de>
+
+commit e871e93fb08a619dfc015974a05768ed6880fd82 upstream.
+
+The driver supports populating bootstatus with WDIOF_CARDRESET, but so
+far userspace couldn't portably determine whether absence of this flag
+meant no watchdog reset or no driver support. Or-in the bit to fix this.
+
+Fixes: b97cb21a4634 ("watchdog: f71808e_wdt: Fix WDTMOUT_STS register read")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20200611191750.28096-3-a.fatoum@pengutronix.de
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/watchdog/f71808e_wdt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/watchdog/f71808e_wdt.c
++++ b/drivers/watchdog/f71808e_wdt.c
+@@ -692,7 +692,8 @@ static int __init watchdog_init(int sioa
+ watchdog.sioaddr = sioaddr;
+ watchdog.ident.options = WDIOC_SETTIMEOUT
+ | WDIOF_MAGICCLOSE
+- | WDIOF_KEEPALIVEPING;
++ | WDIOF_KEEPALIVEPING
++ | WDIOF_CARDRESET;
+
+ snprintf(watchdog.ident.identity,
+ sizeof(watchdog.ident.identity), "%s watchdog",
--- /dev/null
+From 802141462d844f2e6a4d63a12260d79b7afc4c34 Mon Sep 17 00:00:00 2001
+From: Ahmad Fatoum <a.fatoum@pengutronix.de>
+Date: Thu, 11 Jun 2020 21:17:44 +0200
+Subject: watchdog: f71808e_wdt: remove use of wrong watchdog_info option
+
+From: Ahmad Fatoum <a.fatoum@pengutronix.de>
+
+commit 802141462d844f2e6a4d63a12260d79b7afc4c34 upstream.
+
+The flags that should be or-ed into the watchdog_info.options by drivers
+all start with WDIOF_, e.g. WDIOF_SETTIMEOUT, which indicates that the
+driver's watchdog_ops has a usable set_timeout.
+
+WDIOC_SETTIMEOUT was used instead, which expands to 0xc0045706, which
+equals:
+
+ WDIOF_FANFAULT | WDIOF_EXTERN1 | WDIOF_PRETIMEOUT | WDIOF_ALARMONLY |
+ WDIOF_MAGICCLOSE | 0xc0045000
+
+These were so far indicated to userspace on WDIOC_GETSUPPORT.
+As the driver has not yet been migrated to the new watchdog kernel API,
+the constant can just be dropped without substitute.
+
+Fixes: 96cb4eb019ce ("watchdog: f71808e_wdt: new watchdog driver for Fintek F71808E and F71882FG")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20200611191750.28096-4-a.fatoum@pengutronix.de
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/watchdog/f71808e_wdt.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/watchdog/f71808e_wdt.c
++++ b/drivers/watchdog/f71808e_wdt.c
+@@ -690,8 +690,7 @@ static int __init watchdog_init(int sioa
+ * into the module have been registered yet.
+ */
+ watchdog.sioaddr = sioaddr;
+- watchdog.ident.options = WDIOC_SETTIMEOUT
+- | WDIOF_MAGICCLOSE
++ watchdog.ident.options = WDIOF_MAGICCLOSE
+ | WDIOF_KEEPALIVEPING
+ | WDIOF_CARDRESET;
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
