--- /dev/null
+From ae8413191ca1369cd498e21c13cd195b5d430a00 Mon Sep 17 00:00:00 2001
+From: Qian Cai <cai@lca.pw>
+Date: Tue, 30 Jul 2019 17:23:48 -0400
+Subject: arm64/efi: fix variable 'si' set but not used
+
+[ Upstream commit f1d4836201543e88ebe70237e67938168d5fab19 ]
+
+GCC throws out this warning on arm64.
+
+drivers/firmware/efi/libstub/arm-stub.c: In function 'efi_entry':
+drivers/firmware/efi/libstub/arm-stub.c:132:22: warning: variable 'si'
+set but not used [-Wunused-but-set-variable]
+
+Fix it by making free_screen_info() a static inline function.
+
+Acked-by: Will Deacon <will@kernel.org>
+Signed-off-by: Qian Cai <cai@lca.pw>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/efi.h | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/include/asm/efi.h b/arch/arm64/include/asm/efi.h
+index 7ed320895d1f4..f52a2968a3b69 100644
+--- a/arch/arm64/include/asm/efi.h
++++ b/arch/arm64/include/asm/efi.h
+@@ -94,7 +94,11 @@ static inline unsigned long efi_get_max_initrd_addr(unsigned long dram_base,
+ ((protocol##_t *)instance)->f(instance, ##__VA_ARGS__)
+
+ #define alloc_screen_info(x...) &screen_info
+-#define free_screen_info(x...)
++
++static inline void free_screen_info(efi_system_table_t *sys_table_arg,
++ struct screen_info *si)
++{
++}
+
+ /* redeclare as 'hidden' so the compiler will generate relative references */
+ extern struct screen_info screen_info __attribute__((__visibility__("hidden")));
+--
+2.20.1
+
--- /dev/null
+From 334ae484440ad89104eb7b202529d04f30c23a20 Mon Sep 17 00:00:00 2001
+From: Qian Cai <cai@lca.pw>
+Date: Wed, 31 Jul 2019 16:05:45 -0400
+Subject: arm64/mm: fix variable 'pud' set but not used
+
+[ Upstream commit 7d4e2dcf311d3b98421d1f119efe5964cafa32fc ]
+
+GCC throws a warning,
+
+arch/arm64/mm/mmu.c: In function 'pud_free_pmd_page':
+arch/arm64/mm/mmu.c:1033:8: warning: variable 'pud' set but not used
+[-Wunused-but-set-variable]
+ pud_t pud;
+ ^~~
+
+because pud_table() is a macro and compiled away. Fix it by making it a
+static inline function and for pud_sect() as well.
+
+Signed-off-by: Qian Cai <cai@lca.pw>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/pgtable.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h
+index ea423db393644..2214a403f39b9 100644
+--- a/arch/arm64/include/asm/pgtable.h
++++ b/arch/arm64/include/asm/pgtable.h
+@@ -419,8 +419,8 @@ extern pgprot_t phys_mem_access_prot(struct file *file, unsigned long pfn,
+ PMD_TYPE_SECT)
+
+ #if defined(CONFIG_ARM64_64K_PAGES) || CONFIG_PGTABLE_LEVELS < 3
+-#define pud_sect(pud) (0)
+-#define pud_table(pud) (1)
++static inline bool pud_sect(pud_t pud) { return false; }
++static inline bool pud_table(pud_t pud) { return true; }
+ #else
+ #define pud_sect(pud) ((pud_val(pud) & PUD_TYPE_MASK) == \
+ PUD_TYPE_SECT)
+--
+2.20.1
+
--- /dev/null
+From bc60eda03f3ee8730ed82bc3ff108a455a9e79cd Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Thu, 25 Jul 2019 17:16:05 +0900
+Subject: arm64: unwind: Prohibit probing on return_address()
+
+[ Upstream commit ee07b93e7721ccd5d5b9fa6f0c10cb3fe2f1f4f9 ]
+
+Prohibit probing on return_address() and subroutines which
+is called from return_address(), since the it is invoked from
+trace_hardirqs_off() which is also kprobe blacklisted.
+
+Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/return_address.c | 3 +++
+ arch/arm64/kernel/stacktrace.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/arch/arm64/kernel/return_address.c b/arch/arm64/kernel/return_address.c
+index 933adbc0f654d..0311fe52c8ffb 100644
+--- a/arch/arm64/kernel/return_address.c
++++ b/arch/arm64/kernel/return_address.c
+@@ -11,6 +11,7 @@
+
+ #include <linux/export.h>
+ #include <linux/ftrace.h>
++#include <linux/kprobes.h>
+
+ #include <asm/stack_pointer.h>
+ #include <asm/stacktrace.h>
+@@ -32,6 +33,7 @@ static int save_return_addr(struct stackframe *frame, void *d)
+ return 0;
+ }
+ }
++NOKPROBE_SYMBOL(save_return_addr);
+
+ void *return_address(unsigned int level)
+ {
+@@ -55,3 +57,4 @@ void *return_address(unsigned int level)
+ return NULL;
+ }
+ EXPORT_SYMBOL_GPL(return_address);
++NOKPROBE_SYMBOL(return_address);
+diff --git a/arch/arm64/kernel/stacktrace.c b/arch/arm64/kernel/stacktrace.c
+index 4989f7ea1e599..bb482ec044b61 100644
+--- a/arch/arm64/kernel/stacktrace.c
++++ b/arch/arm64/kernel/stacktrace.c
+@@ -18,6 +18,7 @@
+ #include <linux/kernel.h>
+ #include <linux/export.h>
+ #include <linux/ftrace.h>
++#include <linux/kprobes.h>
+ #include <linux/sched.h>
+ #include <linux/sched/debug.h>
+ #include <linux/sched/task_stack.h>
+@@ -85,6 +86,7 @@ int notrace unwind_frame(struct task_struct *tsk, struct stackframe *frame)
+
+ return 0;
+ }
++NOKPROBE_SYMBOL(unwind_frame);
+
+ void notrace walk_stackframe(struct task_struct *tsk, struct stackframe *frame,
+ int (*fn)(struct stackframe *, void *), void *data)
+@@ -99,6 +101,7 @@ void notrace walk_stackframe(struct task_struct *tsk, struct stackframe *frame,
+ break;
+ }
+ }
++NOKPROBE_SYMBOL(walk_stackframe);
+
+ #ifdef CONFIG_STACKTRACE
+ struct stack_trace_data {
+--
+2.20.1
+
--- /dev/null
+From 853af149a5ca4fdbcdb87c367620f0d11e2f7d9b Mon Sep 17 00:00:00 2001
+From: Qian Cai <cai@lca.pw>
+Date: Fri, 2 Aug 2019 21:49:19 -0700
+Subject: asm-generic: fix -Wtype-limits compiler warnings
+
+[ Upstream commit cbedfe11347fe418621bd188d58a206beb676218 ]
+
+Commit d66acc39c7ce ("bitops: Optimise get_order()") introduced a
+compilation warning because "rx_frag_size" is an "ushort" while
+PAGE_SHIFT here is 16.
+
+The commit changed the get_order() to be a multi-line macro where
+compilers insist to check all statements in the macro even when
+__builtin_constant_p(rx_frag_size) will return false as "rx_frag_size"
+is a module parameter.
+
+In file included from ./arch/powerpc/include/asm/page_64.h:107,
+ from ./arch/powerpc/include/asm/page.h:242,
+ from ./arch/powerpc/include/asm/mmu.h:132,
+ from ./arch/powerpc/include/asm/lppaca.h:47,
+ from ./arch/powerpc/include/asm/paca.h:17,
+ from ./arch/powerpc/include/asm/current.h:13,
+ from ./include/linux/thread_info.h:21,
+ from ./arch/powerpc/include/asm/processor.h:39,
+ from ./include/linux/prefetch.h:15,
+ from drivers/net/ethernet/emulex/benet/be_main.c:14:
+drivers/net/ethernet/emulex/benet/be_main.c: In function 'be_rx_cqs_create':
+./include/asm-generic/getorder.h:54:9: warning: comparison is always
+true due to limited range of data type [-Wtype-limits]
+ (((n) < (1UL << PAGE_SHIFT)) ? 0 : \
+ ^
+drivers/net/ethernet/emulex/benet/be_main.c:3138:33: note: in expansion
+of macro 'get_order'
+ adapter->big_page_size = (1 << get_order(rx_frag_size)) * PAGE_SIZE;
+ ^~~~~~~~~
+
+Fix it by moving all of this multi-line macro into a proper function,
+and killing __get_order() off.
+
+[akpm@linux-foundation.org: remove __get_order() altogether]
+[cai@lca.pw: v2]
+ Link: http://lkml.kernel.org/r/1564000166-31428-1-git-send-email-cai@lca.pw
+Link: http://lkml.kernel.org/r/1563914986-26502-1-git-send-email-cai@lca.pw
+Fixes: d66acc39c7ce ("bitops: Optimise get_order()")
+Signed-off-by: Qian Cai <cai@lca.pw>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: David Howells <dhowells@redhat.com>
+Cc: Jakub Jelinek <jakub@redhat.com>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: Bill Wendling <morbo@google.com>
+Cc: James Y Knight <jyknight@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/asm-generic/getorder.h | 50 ++++++++++++++--------------------
+ 1 file changed, 20 insertions(+), 30 deletions(-)
+
+diff --git a/include/asm-generic/getorder.h b/include/asm-generic/getorder.h
+index c64bea7a52beb..e9f20b813a699 100644
+--- a/include/asm-generic/getorder.h
++++ b/include/asm-generic/getorder.h
+@@ -7,24 +7,6 @@
+ #include <linux/compiler.h>
+ #include <linux/log2.h>
+
+-/*
+- * Runtime evaluation of get_order()
+- */
+-static inline __attribute_const__
+-int __get_order(unsigned long size)
+-{
+- int order;
+-
+- size--;
+- size >>= PAGE_SHIFT;
+-#if BITS_PER_LONG == 32
+- order = fls(size);
+-#else
+- order = fls64(size);
+-#endif
+- return order;
+-}
+-
+ /**
+ * get_order - Determine the allocation order of a memory size
+ * @size: The size for which to get the order
+@@ -43,19 +25,27 @@ int __get_order(unsigned long size)
+ * to hold an object of the specified size.
+ *
+ * The result is undefined if the size is 0.
+- *
+- * This function may be used to initialise variables with compile time
+- * evaluations of constants.
+ */
+-#define get_order(n) \
+-( \
+- __builtin_constant_p(n) ? ( \
+- ((n) == 0UL) ? BITS_PER_LONG - PAGE_SHIFT : \
+- (((n) < (1UL << PAGE_SHIFT)) ? 0 : \
+- ilog2((n) - 1) - PAGE_SHIFT + 1) \
+- ) : \
+- __get_order(n) \
+-)
++static inline __attribute_const__ int get_order(unsigned long size)
++{
++ if (__builtin_constant_p(size)) {
++ if (!size)
++ return BITS_PER_LONG - PAGE_SHIFT;
++
++ if (size < (1UL << PAGE_SHIFT))
++ return 0;
++
++ return ilog2((size) - 1) - PAGE_SHIFT + 1;
++ }
++
++ size--;
++ size >>= PAGE_SHIFT;
++#if BITS_PER_LONG == 32
++ return fls(size);
++#else
++ return fls64(size);
++#endif
++}
+
+ #endif /* __ASSEMBLY__ */
+
+--
+2.20.1
+
--- /dev/null
+From 97d941028e0fb6bd23f1a15963f216ee6922dae1 Mon Sep 17 00:00:00 2001
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+Date: Wed, 31 Jul 2019 14:26:51 +0200
+Subject: ata: libahci: do not complain in case of deferred probe
+
+[ Upstream commit 090bb803708198e5ab6b0046398c7ed9f4d12d6b ]
+
+Retrieving PHYs can defer the probe, do not spawn an error when
+-EPROBE_DEFER is returned, it is normal behavior.
+
+Fixes: b1a9edbda040 ("ata: libahci: allow to use multiple PHYs")
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libahci_platform.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/ata/libahci_platform.c b/drivers/ata/libahci_platform.c
+index c92c10d553746..5bece9752ed68 100644
+--- a/drivers/ata/libahci_platform.c
++++ b/drivers/ata/libahci_platform.c
+@@ -313,6 +313,9 @@ static int ahci_platform_get_phy(struct ahci_host_priv *hpriv, u32 port,
+ hpriv->phys[port] = NULL;
+ rc = 0;
+ break;
++ case -EPROBE_DEFER:
++ /* Do not complain yet */
++ break;
+
+ default:
+ dev_err(dev,
+--
+2.20.1
+
--- /dev/null
+From 21edac1ffc5ec52dc7f670166024681772003a98 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Mon, 29 Jul 2019 09:37:10 +0100
+Subject: Btrfs: fix deadlock between fiemap and transaction commits
+
+[ Upstream commit a6d155d2e363f26290ffd50591169cb96c2a609e ]
+
+The fiemap handler locks a file range that can have unflushed delalloc,
+and after locking the range, it tries to attach to a running transaction.
+If the running transaction started its commit, that is, it is in state
+TRANS_STATE_COMMIT_START, and either the filesystem was mounted with the
+flushoncommit option or the transaction is creating a snapshot for the
+subvolume that contains the file that fiemap is operating on, we end up
+deadlocking. This happens because fiemap is blocked on the transaction,
+waiting for it to complete, and the transaction is waiting for the flushed
+dealloc to complete, which requires locking the file range that the fiemap
+task already locked. The following stack traces serve as an example of
+when this deadlock happens:
+
+ (...)
+ [404571.515510] Workqueue: btrfs-endio-write btrfs_endio_write_helper [btrfs]
+ [404571.515956] Call Trace:
+ [404571.516360] ? __schedule+0x3ae/0x7b0
+ [404571.516730] schedule+0x3a/0xb0
+ [404571.517104] lock_extent_bits+0x1ec/0x2a0 [btrfs]
+ [404571.517465] ? remove_wait_queue+0x60/0x60
+ [404571.517832] btrfs_finish_ordered_io+0x292/0x800 [btrfs]
+ [404571.518202] normal_work_helper+0xea/0x530 [btrfs]
+ [404571.518566] process_one_work+0x21e/0x5c0
+ [404571.518990] worker_thread+0x4f/0x3b0
+ [404571.519413] ? process_one_work+0x5c0/0x5c0
+ [404571.519829] kthread+0x103/0x140
+ [404571.520191] ? kthread_create_worker_on_cpu+0x70/0x70
+ [404571.520565] ret_from_fork+0x3a/0x50
+ [404571.520915] kworker/u8:6 D 0 31651 2 0x80004000
+ [404571.521290] Workqueue: btrfs-flush_delalloc btrfs_flush_delalloc_helper [btrfs]
+ (...)
+ [404571.537000] fsstress D 0 13117 13115 0x00004000
+ [404571.537263] Call Trace:
+ [404571.537524] ? __schedule+0x3ae/0x7b0
+ [404571.537788] schedule+0x3a/0xb0
+ [404571.538066] wait_current_trans+0xc8/0x100 [btrfs]
+ [404571.538349] ? remove_wait_queue+0x60/0x60
+ [404571.538680] start_transaction+0x33c/0x500 [btrfs]
+ [404571.539076] btrfs_check_shared+0xa3/0x1f0 [btrfs]
+ [404571.539513] ? extent_fiemap+0x2ce/0x650 [btrfs]
+ [404571.539866] extent_fiemap+0x2ce/0x650 [btrfs]
+ [404571.540170] do_vfs_ioctl+0x526/0x6f0
+ [404571.540436] ksys_ioctl+0x70/0x80
+ [404571.540734] __x64_sys_ioctl+0x16/0x20
+ [404571.540997] do_syscall_64+0x60/0x1d0
+ [404571.541279] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ (...)
+ [404571.543729] btrfs D 0 14210 14208 0x00004000
+ [404571.544023] Call Trace:
+ [404571.544275] ? __schedule+0x3ae/0x7b0
+ [404571.544526] ? wait_for_completion+0x112/0x1a0
+ [404571.544795] schedule+0x3a/0xb0
+ [404571.545064] schedule_timeout+0x1ff/0x390
+ [404571.545351] ? lock_acquire+0xa6/0x190
+ [404571.545638] ? wait_for_completion+0x49/0x1a0
+ [404571.545890] ? wait_for_completion+0x112/0x1a0
+ [404571.546228] wait_for_completion+0x131/0x1a0
+ [404571.546503] ? wake_up_q+0x70/0x70
+ [404571.546775] btrfs_wait_ordered_extents+0x27c/0x400 [btrfs]
+ [404571.547159] btrfs_commit_transaction+0x3b0/0xae0 [btrfs]
+ [404571.547449] ? btrfs_mksubvol+0x4a4/0x640 [btrfs]
+ [404571.547703] ? remove_wait_queue+0x60/0x60
+ [404571.547969] btrfs_mksubvol+0x605/0x640 [btrfs]
+ [404571.548226] ? __sb_start_write+0xd4/0x1c0
+ [404571.548512] ? mnt_want_write_file+0x24/0x50
+ [404571.548789] btrfs_ioctl_snap_create_transid+0x169/0x1a0 [btrfs]
+ [404571.549048] btrfs_ioctl_snap_create_v2+0x11d/0x170 [btrfs]
+ [404571.549307] btrfs_ioctl+0x133f/0x3150 [btrfs]
+ [404571.549549] ? mem_cgroup_charge_statistics+0x4c/0xd0
+ [404571.549792] ? mem_cgroup_commit_charge+0x84/0x4b0
+ [404571.550064] ? __handle_mm_fault+0xe3e/0x11f0
+ [404571.550306] ? do_raw_spin_unlock+0x49/0xc0
+ [404571.550608] ? _raw_spin_unlock+0x24/0x30
+ [404571.550976] ? __handle_mm_fault+0xedf/0x11f0
+ [404571.551319] ? do_vfs_ioctl+0xa2/0x6f0
+ [404571.551659] ? btrfs_ioctl_get_supported_features+0x30/0x30 [btrfs]
+ [404571.552087] do_vfs_ioctl+0xa2/0x6f0
+ [404571.552355] ksys_ioctl+0x70/0x80
+ [404571.552621] __x64_sys_ioctl+0x16/0x20
+ [404571.552864] do_syscall_64+0x60/0x1d0
+ [404571.553104] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ (...)
+
+If we were joining the transaction instead of attaching to it, we would
+not risk a deadlock because a join only blocks if the transaction is in a
+state greater then or equals to TRANS_STATE_COMMIT_DOING, and the delalloc
+flush performed by a transaction is done before it reaches that state,
+when it is in the state TRANS_STATE_COMMIT_START. However a transaction
+join is intended for use cases where we do modify the filesystem, and
+fiemap only needs to peek at delayed references from the current
+transaction in order to determine if extents are shared, and, besides
+that, when there is no current transaction or when it blocks to wait for
+a current committing transaction to complete, it creates a new transaction
+without reserving any space. Such unnecessary transactions, besides doing
+unnecessary IO, can cause transaction aborts (-ENOSPC) and unnecessary
+rotation of the precious backup roots.
+
+So fix this by adding a new transaction join variant, named join_nostart,
+which behaves like the regular join, but it does not create a transaction
+when none currently exists or after waiting for a committing transaction
+to complete.
+
+Fixes: 03628cdbc64db6 ("Btrfs: do not start a transaction during fiemap")
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/backref.c | 2 +-
+ fs/btrfs/transaction.c | 22 ++++++++++++++++++----
+ fs/btrfs/transaction.h | 3 +++
+ 3 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c
+index ac6c383d63140..19855659f6503 100644
+--- a/fs/btrfs/backref.c
++++ b/fs/btrfs/backref.c
+@@ -1485,7 +1485,7 @@ int btrfs_check_shared(struct btrfs_root *root, u64 inum, u64 bytenr)
+ goto out;
+ }
+
+- trans = btrfs_attach_transaction(root);
++ trans = btrfs_join_transaction_nostart(root);
+ if (IS_ERR(trans)) {
+ if (PTR_ERR(trans) != -ENOENT && PTR_ERR(trans) != -EROFS) {
+ ret = PTR_ERR(trans);
+diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c
+index f1ca53a3ff0bf..26317bca56499 100644
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -28,15 +28,18 @@ static const unsigned int btrfs_blocked_trans_types[TRANS_STATE_MAX] = {
+ [TRANS_STATE_COMMIT_START] = (__TRANS_START | __TRANS_ATTACH),
+ [TRANS_STATE_COMMIT_DOING] = (__TRANS_START |
+ __TRANS_ATTACH |
+- __TRANS_JOIN),
++ __TRANS_JOIN |
++ __TRANS_JOIN_NOSTART),
+ [TRANS_STATE_UNBLOCKED] = (__TRANS_START |
+ __TRANS_ATTACH |
+ __TRANS_JOIN |
+- __TRANS_JOIN_NOLOCK),
++ __TRANS_JOIN_NOLOCK |
++ __TRANS_JOIN_NOSTART),
+ [TRANS_STATE_COMPLETED] = (__TRANS_START |
+ __TRANS_ATTACH |
+ __TRANS_JOIN |
+- __TRANS_JOIN_NOLOCK),
++ __TRANS_JOIN_NOLOCK |
++ __TRANS_JOIN_NOSTART),
+ };
+
+ void btrfs_put_transaction(struct btrfs_transaction *transaction)
+@@ -531,7 +534,8 @@ again:
+ ret = join_transaction(fs_info, type);
+ if (ret == -EBUSY) {
+ wait_current_trans(fs_info);
+- if (unlikely(type == TRANS_ATTACH))
++ if (unlikely(type == TRANS_ATTACH ||
++ type == TRANS_JOIN_NOSTART))
+ ret = -ENOENT;
+ }
+ } while (ret == -EBUSY);
+@@ -647,6 +651,16 @@ struct btrfs_trans_handle *btrfs_join_transaction_nolock(struct btrfs_root *root
+ BTRFS_RESERVE_NO_FLUSH, true);
+ }
+
++/*
++ * Similar to regular join but it never starts a transaction when none is
++ * running or after waiting for the current one to finish.
++ */
++struct btrfs_trans_handle *btrfs_join_transaction_nostart(struct btrfs_root *root)
++{
++ return start_transaction(root, 0, TRANS_JOIN_NOSTART,
++ BTRFS_RESERVE_NO_FLUSH, true);
++}
++
+ /*
+ * btrfs_attach_transaction() - catch the running transaction
+ *
+diff --git a/fs/btrfs/transaction.h b/fs/btrfs/transaction.h
+index 4cbb1b55387dc..c1d34cc704722 100644
+--- a/fs/btrfs/transaction.h
++++ b/fs/btrfs/transaction.h
+@@ -97,11 +97,13 @@ struct btrfs_transaction {
+ #define __TRANS_JOIN (1U << 11)
+ #define __TRANS_JOIN_NOLOCK (1U << 12)
+ #define __TRANS_DUMMY (1U << 13)
++#define __TRANS_JOIN_NOSTART (1U << 14)
+
+ #define TRANS_START (__TRANS_START | __TRANS_FREEZABLE)
+ #define TRANS_ATTACH (__TRANS_ATTACH)
+ #define TRANS_JOIN (__TRANS_JOIN | __TRANS_FREEZABLE)
+ #define TRANS_JOIN_NOLOCK (__TRANS_JOIN_NOLOCK)
++#define TRANS_JOIN_NOSTART (__TRANS_JOIN_NOSTART)
+
+ #define TRANS_EXTWRITERS (__TRANS_START | __TRANS_ATTACH)
+
+@@ -187,6 +189,7 @@ struct btrfs_trans_handle *btrfs_start_transaction_fallback_global_rsv(
+ int min_factor);
+ struct btrfs_trans_handle *btrfs_join_transaction(struct btrfs_root *root);
+ struct btrfs_trans_handle *btrfs_join_transaction_nolock(struct btrfs_root *root);
++struct btrfs_trans_handle *btrfs_join_transaction_nostart(struct btrfs_root *root);
+ struct btrfs_trans_handle *btrfs_attach_transaction(struct btrfs_root *root);
+ struct btrfs_trans_handle *btrfs_attach_transaction_barrier(
+ struct btrfs_root *root);
+--
+2.20.1
+
--- /dev/null
+From 4f0ca8d939d3c8de2adef2b81ef8a021d8cffd8d Mon Sep 17 00:00:00 2001
+From: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
+Date: Tue, 25 Jun 2019 12:10:02 +0300
+Subject: clk: at91: generated: Truncate divisor to GENERATED_MAX_DIV + 1
+
+[ Upstream commit 1573eebeaa8055777eb753f9b4d1cbe653380c38 ]
+
+In clk_generated_determine_rate(), if the divisor is greater than
+GENERATED_MAX_DIV + 1, then the wrong best_rate will be returned.
+If clk_generated_set_rate() will be called later with this wrong
+rate, it will return -EINVAL, so the generated clock won't change
+its value. Do no let the divisor be greater than GENERATED_MAX_DIV + 1.
+
+Fixes: 8c7aa6328947 ("clk: at91: clk-generated: remove useless divisor loop")
+Signed-off-by: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
+Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/at91/clk-generated.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/clk/at91/clk-generated.c b/drivers/clk/at91/clk-generated.c
+index 33481368740e7..113152425a95d 100644
+--- a/drivers/clk/at91/clk-generated.c
++++ b/drivers/clk/at91/clk-generated.c
+@@ -153,6 +153,8 @@ static int clk_generated_determine_rate(struct clk_hw *hw,
+ continue;
+
+ div = DIV_ROUND_CLOSEST(parent_rate, req->rate);
++ if (div > GENERATED_MAX_DIV + 1)
++ div = GENERATED_MAX_DIV + 1;
+
+ clk_generated_best_diff(req, parent, parent_rate, div,
+ &best_diff, &best_rate);
+--
+2.20.1
+
--- /dev/null
+From be4472c63d676c1c6c2edc713b56da4992d49d97 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Thu, 11 Jul 2019 15:03:59 +0200
+Subject: clk: renesas: cpg-mssr: Fix reset control race condition
+
+[ Upstream commit e1f1ae8002e4b06addc52443fcd975bbf554ae92 ]
+
+The module reset code in the Renesas CPG/MSSR driver uses
+read-modify-write (RMW) operations to write to a Software Reset Register
+(SRCRn), and simple writes to write to a Software Reset Clearing
+Register (SRSTCLRn), as was mandated by the R-Car Gen2 and Gen3 Hardware
+User's Manuals.
+
+However, this may cause a race condition when two devices are reset in
+parallel: if the reset for device A completes in the middle of the RMW
+operation for device B, device A may be reset again, causing subtle
+failures (e.g. i2c timeouts):
+
+ thread A thread B
+ -------- --------
+
+ val = SRCRn
+ val |= bit A
+ SRCRn = val
+
+ delay
+
+ val = SRCRn (bit A is set)
+
+ SRSTCLRn = bit A
+ (bit A in SRCRn is cleared)
+
+ val |= bit B
+ SRCRn = val (bit A and B are set)
+
+This can be reproduced on e.g. Salvator-XS using:
+
+ $ while true; do i2cdump -f -y 4 0x6A b > /dev/null; done &
+ $ while true; do i2cdump -f -y 2 0x10 b > /dev/null; done &
+
+ i2c-rcar e6510000.i2c: error -110 : 40000002
+ i2c-rcar e66d8000.i2c: error -110 : 40000002
+
+According to the R-Car Gen3 Hardware Manual Errata for Rev.
+0.80 of Feb 28, 2018, reflected in Rev. 1.00 of the R-Car Gen3 Hardware
+User's Manual, writes to SRCRn do not require read-modify-write cycles.
+
+Note that the R-Car Gen2 Hardware User's Manual has not been updated
+yet, and still says a read-modify-write sequence is required. According
+to the hardware team, the reset hardware block is the same on both R-Car
+Gen2 and Gen3, though.
+
+Hence fix the issue by replacing the read-modify-write operations on
+SRCRn by simple writes.
+
+Reported-by: Yao Lihua <Lihua.Yao@desay-svautomotive.com>
+Fixes: 6197aa65c4905532 ("clk: renesas: cpg-mssr: Add support for reset control")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Tested-by: Linh Phung <linh.phung.jy@renesas.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/renesas/renesas-cpg-mssr.c | 16 ++--------------
+ 1 file changed, 2 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/clk/renesas/renesas-cpg-mssr.c b/drivers/clk/renesas/renesas-cpg-mssr.c
+index f4b013e9352d9..24485bee9b49e 100644
+--- a/drivers/clk/renesas/renesas-cpg-mssr.c
++++ b/drivers/clk/renesas/renesas-cpg-mssr.c
+@@ -535,17 +535,11 @@ static int cpg_mssr_reset(struct reset_controller_dev *rcdev,
+ unsigned int reg = id / 32;
+ unsigned int bit = id % 32;
+ u32 bitmask = BIT(bit);
+- unsigned long flags;
+- u32 value;
+
+ dev_dbg(priv->dev, "reset %u%02u\n", reg, bit);
+
+ /* Reset module */
+- spin_lock_irqsave(&priv->rmw_lock, flags);
+- value = readl(priv->base + SRCR(reg));
+- value |= bitmask;
+- writel(value, priv->base + SRCR(reg));
+- spin_unlock_irqrestore(&priv->rmw_lock, flags);
++ writel(bitmask, priv->base + SRCR(reg));
+
+ /* Wait for at least one cycle of the RCLK clock (@ ca. 32 kHz) */
+ udelay(35);
+@@ -562,16 +556,10 @@ static int cpg_mssr_assert(struct reset_controller_dev *rcdev, unsigned long id)
+ unsigned int reg = id / 32;
+ unsigned int bit = id % 32;
+ u32 bitmask = BIT(bit);
+- unsigned long flags;
+- u32 value;
+
+ dev_dbg(priv->dev, "assert %u%02u\n", reg, bit);
+
+- spin_lock_irqsave(&priv->rmw_lock, flags);
+- value = readl(priv->base + SRCR(reg));
+- value |= bitmask;
+- writel(value, priv->base + SRCR(reg));
+- spin_unlock_irqrestore(&priv->rmw_lock, flags);
++ writel(bitmask, priv->base + SRCR(reg));
+ return 0;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From fa8b8eb152d60086901164a386a98b584d923f0b Mon Sep 17 00:00:00 2001
+From: Chunyan Zhang <chunyan.zhang@unisoc.com>
+Date: Thu, 18 Jul 2019 13:36:16 +0800
+Subject: clk: sprd: Select REGMAP_MMIO to avoid compile errors
+
+[ Upstream commit c9a67cbb5189e966c70451562b2ca4c3876ab546 ]
+
+Make REGMAP_MMIO selected to avoid undefined reference to regmap symbols.
+
+Fixes: d41f59fd92f2 ("clk: sprd: Add common infrastructure")
+Signed-off-by: Chunyan Zhang <chunyan.zhang@unisoc.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/sprd/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/sprd/Kconfig b/drivers/clk/sprd/Kconfig
+index 87892471eb96c..bad8099832d48 100644
+--- a/drivers/clk/sprd/Kconfig
++++ b/drivers/clk/sprd/Kconfig
+@@ -2,6 +2,7 @@ config SPRD_COMMON_CLK
+ tristate "Clock support for Spreadtrum SoCs"
+ depends on ARCH_SPRD || COMPILE_TEST
+ default ARCH_SPRD
++ select REGMAP_MMIO
+
+ if SPRD_COMMON_CLK
+
+--
+2.20.1
+
--- /dev/null
+From dc1f574fd1cfa146336edd1989099e0f224a8df9 Mon Sep 17 00:00:00 2001
+From: Wang Xiayang <xywang.sjtu@sjtu.edu.cn>
+Date: Sat, 27 Jul 2019 17:30:30 +0800
+Subject: drm/amdgpu: fix a potential information leaking bug
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 929e571c04c285861e0bb049a396a2bdaea63282 ]
+
+Coccinelle reports a path that the array "data" is never initialized.
+The path skips the checks in the conditional branches when either
+of callback functions, read_wave_vgprs and read_wave_sgprs, is not
+registered. Later, the uninitialized "data" array is read
+in the while-loop below and passed to put_user().
+
+Fix the path by allocating the array with kcalloc().
+
+The patch is simplier than adding a fall-back branch that explicitly
+calls memset(data, 0, ...). Also it does not need the multiplication
+1024*sizeof(*data) as the size parameter for memset() though there is
+no risk of integer overflow.
+
+Signed-off-by: Wang Xiayang <xywang.sjtu@sjtu.edu.cn>
+Reviewed-by: Chunming Zhou <david1.zhou@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
+index f5fb93795a69a..65cecfdd9b454 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
+@@ -707,7 +707,7 @@ static ssize_t amdgpu_debugfs_gpr_read(struct file *f, char __user *buf,
+ thread = (*pos & GENMASK_ULL(59, 52)) >> 52;
+ bank = (*pos & GENMASK_ULL(61, 60)) >> 60;
+
+- data = kmalloc_array(1024, sizeof(*data), GFP_KERNEL);
++ data = kcalloc(1024, sizeof(*data), GFP_KERNEL);
+ if (!data)
+ return -ENOMEM;
+
+--
+2.20.1
+
--- /dev/null
+From bcafd68523ba9503f07c09e0dddc0ee243787ddd Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Mon, 29 Jul 2019 15:12:16 +0800
+Subject: drm/bridge: lvds-encoder: Fix build error while
+ CONFIG_DRM_KMS_HELPER=m
+
+[ Upstream commit f4cc743a98136df3c3763050a0e8223b52d9a960 ]
+
+If DRM_LVDS_ENCODER=y but CONFIG_DRM_KMS_HELPER=m,
+build fails:
+
+drivers/gpu/drm/bridge/lvds-encoder.o: In function `lvds_encoder_probe':
+lvds-encoder.c:(.text+0x155): undefined reference to `devm_drm_panel_bridge_add'
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: dbb58bfd9ae6 ("drm/bridge: Fix lvds-encoder since the panel_bridge rework.")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Reviewed-by: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190729071216.27488-1-yuehaibing@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/bridge/Kconfig b/drivers/gpu/drm/bridge/Kconfig
+index bf6cad6c9178b..7a3e5a8f6439b 100644
+--- a/drivers/gpu/drm/bridge/Kconfig
++++ b/drivers/gpu/drm/bridge/Kconfig
+@@ -46,6 +46,7 @@ config DRM_DUMB_VGA_DAC
+ config DRM_LVDS_ENCODER
+ tristate "Transparent parallel to LVDS encoder support"
+ depends on OF
++ select DRM_KMS_HELPER
+ select DRM_PANEL_BRIDGE
+ help
+ Support for transparent parallel to LVDS encoders that don't require
+--
+2.20.1
+
--- /dev/null
+From e341ac1fdcfaa90cca7c0498aaf43b7ee854b7f7 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Mon, 22 Jul 2019 23:25:35 +0100
+Subject: drm/exynos: fix missing decrement of retry counter
+
+[ Upstream commit 1bbbab097a05276e312dd2462791d32b21ceb1ee ]
+
+Currently the retry counter is not being decremented, leading to a
+potential infinite spin if the scalar_reads don't change state.
+
+Addresses-Coverity: ("Infinite loop")
+Fixes: 280e54c9f614 ("drm/exynos: scaler: Reset hardware before starting the operation")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/exynos/exynos_drm_scaler.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/exynos/exynos_drm_scaler.c b/drivers/gpu/drm/exynos/exynos_drm_scaler.c
+index 0ddb6eec7b113..df228436a03d9 100644
+--- a/drivers/gpu/drm/exynos/exynos_drm_scaler.c
++++ b/drivers/gpu/drm/exynos/exynos_drm_scaler.c
+@@ -108,12 +108,12 @@ static inline int scaler_reset(struct scaler_context *scaler)
+ scaler_write(SCALER_CFG_SOFT_RESET, SCALER_CFG);
+ do {
+ cpu_relax();
+- } while (retry > 1 &&
++ } while (--retry > 1 &&
+ scaler_read(SCALER_CFG) & SCALER_CFG_SOFT_RESET);
+ do {
+ cpu_relax();
+ scaler_write(1, SCALER_INT_EN);
+- } while (retry > 0 && scaler_read(SCALER_INT_EN) != 1);
++ } while (--retry > 0 && scaler_read(SCALER_INT_EN) != 1);
+
+ return retry ? 0 : -EIO;
+ }
+--
+2.20.1
+
--- /dev/null
+From 9cda6791568e042c84e867e8d10bc8df116cb184 Mon Sep 17 00:00:00 2001
+From: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
+Date: Wed, 26 Jun 2019 11:00:15 -0700
+Subject: drm: msm: Fix add_gpu_components
+
+[ Upstream commit 9ca7ad6c7706edeae331c1632d0c63897418ebad ]
+
+add_gpu_components() adds found GPU nodes from the DT to the match list,
+regardless of the status of the nodes. This is a problem, because if the
+nodes are disabled, they should not be on the match list because they will
+not be matched. This prevents display from initing if a GPU node is
+defined, but it's status is disabled.
+
+Fix this by checking the node's status before adding it to the match list.
+
+Fixes: dc3ea265b856 (drm/msm: Drop the gpu binding)
+Reviewed-by: Rob Clark <robdclark@gmail.com>
+Signed-off-by: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190626180015.45242-1-jeffrey.l.hugo@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_drv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c
+index ed9a3a1e50efb..dbfd2c006f740 100644
+--- a/drivers/gpu/drm/msm/msm_drv.c
++++ b/drivers/gpu/drm/msm/msm_drv.c
+@@ -1284,7 +1284,8 @@ static int add_gpu_components(struct device *dev,
+ if (!np)
+ return 0;
+
+- drm_of_component_match_add(dev, matchptr, compare_of, np);
++ if (of_device_is_available(np))
++ drm_of_component_match_add(dev, matchptr, compare_of, np);
+
+ of_node_put(np);
+
+--
+2.20.1
+
--- /dev/null
+From 06935f1b34141c8581abc5751744e43133fe5d57 Mon Sep 17 00:00:00 2001
+From: Christian Brauner <christian@brauner.io>
+Date: Mon, 29 Jul 2019 17:48:24 +0200
+Subject: exit: make setting exit_state consistent
+
+[ Upstream commit 30b692d3b390c6fe78a5064be0c4bbd44a41be59 ]
+
+Since commit b191d6491be6 ("pidfd: fix a poll race when setting exit_state")
+we unconditionally set exit_state to EXIT_ZOMBIE before calling into
+do_notify_parent(). This was done to eliminate a race when querying
+exit_state in do_notify_pidfd().
+Back then we decided to do the absolute minimal thing to fix this and
+not touch the rest of the exit_notify() function where exit_state is
+set.
+Since this fix has not caused any issues change the setting of
+exit_state to EXIT_DEAD in the autoreap case to account for the fact hat
+exit_state is set to EXIT_ZOMBIE unconditionally. This fix was planned
+but also explicitly requested in [1] and makes the whole code more
+consistent.
+
+/* References */
+[1]: https://lore.kernel.org/lkml/CAHk-=wigcxGFR2szue4wavJtH5cYTTeNES=toUBVGsmX0rzX+g@mail.gmail.com
+
+Signed-off-by: Christian Brauner <christian@brauner.io>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/exit.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/exit.c b/kernel/exit.c
+index e10de9836dd77..1c1633cc197e6 100644
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -732,9 +732,10 @@ static void exit_notify(struct task_struct *tsk, int group_dead)
+ autoreap = true;
+ }
+
+- tsk->exit_state = autoreap ? EXIT_DEAD : EXIT_ZOMBIE;
+- if (tsk->exit_state == EXIT_DEAD)
++ if (autoreap) {
++ tsk->exit_state = EXIT_DEAD;
+ list_add(&tsk->ptrace_entry, &dead);
++ }
+
+ /* mt-exec, de_thread() is waiting for group leader */
+ if (unlikely(tsk->signal->notify_count < 0))
+--
+2.20.1
+
--- /dev/null
+From 93d36161124f08bc359fa761d90ed3028954db78 Mon Sep 17 00:00:00 2001
+From: "Luck, Tony" <tony.luck@intel.com>
+Date: Tue, 30 Jul 2019 21:39:57 -0700
+Subject: IB/core: Add mitigation for Spectre V1
+
+[ Upstream commit 61f259821dd3306e49b7d42a3f90fb5a4ff3351b ]
+
+Some processors may mispredict an array bounds check and
+speculatively access memory that they should not. With
+a user supplied array index we like to play things safe
+by masking the value with the array size before it is
+used as an index.
+
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Link: https://lore.kernel.org/r/20190731043957.GA1600@agluck-desk2.amr.corp.intel.com
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/user_mad.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c
+index c34a6852d691f..a18f3f8ad77fe 100644
+--- a/drivers/infiniband/core/user_mad.c
++++ b/drivers/infiniband/core/user_mad.c
+@@ -49,6 +49,7 @@
+ #include <linux/sched.h>
+ #include <linux/semaphore.h>
+ #include <linux/slab.h>
++#include <linux/nospec.h>
+
+ #include <linux/uaccess.h>
+
+@@ -868,11 +869,14 @@ static int ib_umad_unreg_agent(struct ib_umad_file *file, u32 __user *arg)
+
+ if (get_user(id, arg))
+ return -EFAULT;
++ if (id >= IB_UMAD_MAX_AGENTS)
++ return -EINVAL;
+
+ mutex_lock(&file->port->file_mutex);
+ mutex_lock(&file->mutex);
+
+- if (id >= IB_UMAD_MAX_AGENTS || !__get_agent(file, id)) {
++ id = array_index_nospec(id, IB_UMAD_MAX_AGENTS);
++ if (!__get_agent(file, id)) {
+ ret = -EINVAL;
+ goto out;
+ }
+--
+2.20.1
+
--- /dev/null
+From a2a22cbe81ade2b7f5417df2d1b6ef0446ab895f Mon Sep 17 00:00:00 2001
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Date: Thu, 1 Aug 2019 15:14:49 +0300
+Subject: IB/mad: Fix use-after-free in ib mad completion handling
+
+[ Upstream commit 770b7d96cfff6a8bf6c9f261ba6f135dc9edf484 ]
+
+We encountered a use-after-free bug when unloading the driver:
+
+[ 3562.116059] BUG: KASAN: use-after-free in ib_mad_post_receive_mads+0xddc/0xed0 [ib_core]
+[ 3562.117233] Read of size 4 at addr ffff8882ca5aa868 by task kworker/u13:2/23862
+[ 3562.118385]
+[ 3562.119519] CPU: 2 PID: 23862 Comm: kworker/u13:2 Tainted: G OE 5.1.0-for-upstream-dbg-2019-05-19_16-44-30-13 #1
+[ 3562.121806] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu2 04/01/2014
+[ 3562.123075] Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core]
+[ 3562.124383] Call Trace:
+[ 3562.125640] dump_stack+0x9a/0xeb
+[ 3562.126911] print_address_description+0xe3/0x2e0
+[ 3562.128223] ? ib_mad_post_receive_mads+0xddc/0xed0 [ib_core]
+[ 3562.129545] __kasan_report+0x15c/0x1df
+[ 3562.130866] ? ib_mad_post_receive_mads+0xddc/0xed0 [ib_core]
+[ 3562.132174] kasan_report+0xe/0x20
+[ 3562.133514] ib_mad_post_receive_mads+0xddc/0xed0 [ib_core]
+[ 3562.134835] ? find_mad_agent+0xa00/0xa00 [ib_core]
+[ 3562.136158] ? qlist_free_all+0x51/0xb0
+[ 3562.137498] ? mlx4_ib_sqp_comp_worker+0x1970/0x1970 [mlx4_ib]
+[ 3562.138833] ? quarantine_reduce+0x1fa/0x270
+[ 3562.140171] ? kasan_unpoison_shadow+0x30/0x40
+[ 3562.141522] ib_mad_recv_done+0xdf6/0x3000 [ib_core]
+[ 3562.142880] ? _raw_spin_unlock_irqrestore+0x46/0x70
+[ 3562.144277] ? ib_mad_send_done+0x1810/0x1810 [ib_core]
+[ 3562.145649] ? mlx4_ib_destroy_cq+0x2a0/0x2a0 [mlx4_ib]
+[ 3562.147008] ? _raw_spin_unlock_irqrestore+0x46/0x70
+[ 3562.148380] ? debug_object_deactivate+0x2b9/0x4a0
+[ 3562.149814] __ib_process_cq+0xe2/0x1d0 [ib_core]
+[ 3562.151195] ib_cq_poll_work+0x45/0xf0 [ib_core]
+[ 3562.152577] process_one_work+0x90c/0x1860
+[ 3562.153959] ? pwq_dec_nr_in_flight+0x320/0x320
+[ 3562.155320] worker_thread+0x87/0xbb0
+[ 3562.156687] ? __kthread_parkme+0xb6/0x180
+[ 3562.158058] ? process_one_work+0x1860/0x1860
+[ 3562.159429] kthread+0x320/0x3e0
+[ 3562.161391] ? kthread_park+0x120/0x120
+[ 3562.162744] ret_from_fork+0x24/0x30
+...
+[ 3562.187615] Freed by task 31682:
+[ 3562.188602] save_stack+0x19/0x80
+[ 3562.189586] __kasan_slab_free+0x11d/0x160
+[ 3562.190571] kfree+0xf5/0x2f0
+[ 3562.191552] ib_mad_port_close+0x200/0x380 [ib_core]
+[ 3562.192538] ib_mad_remove_device+0xf0/0x230 [ib_core]
+[ 3562.193538] remove_client_context+0xa6/0xe0 [ib_core]
+[ 3562.194514] disable_device+0x14e/0x260 [ib_core]
+[ 3562.195488] __ib_unregister_device+0x79/0x150 [ib_core]
+[ 3562.196462] ib_unregister_device+0x21/0x30 [ib_core]
+[ 3562.197439] mlx4_ib_remove+0x162/0x690 [mlx4_ib]
+[ 3562.198408] mlx4_remove_device+0x204/0x2c0 [mlx4_core]
+[ 3562.199381] mlx4_unregister_interface+0x49/0x1d0 [mlx4_core]
+[ 3562.200356] mlx4_ib_cleanup+0xc/0x1d [mlx4_ib]
+[ 3562.201329] __x64_sys_delete_module+0x2d2/0x400
+[ 3562.202288] do_syscall_64+0x95/0x470
+[ 3562.203277] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The problem was that the MAD PD was deallocated before the MAD CQ.
+There was completion work pending for the CQ when the PD got deallocated.
+When the mad completion handling reached procedure
+ib_mad_post_receive_mads(), we got a use-after-free bug in the following
+line of code in that procedure:
+ sg_list.lkey = qp_info->port_priv->pd->local_dma_lkey;
+(the pd pointer in the above line is no longer valid, because the
+pd has been deallocated).
+
+We fix this by allocating the PD before the CQ in procedure
+ib_mad_port_open(), and deallocating the PD after freeing the CQ
+in procedure ib_mad_port_close().
+
+Since the CQ completion work queue is flushed during ib_free_cq(),
+no completions will be pending for that CQ when the PD is later
+deallocated.
+
+Note that freeing the CQ before deallocating the PD is the practice
+in the ULPs.
+
+Fixes: 4be90bc60df4 ("IB/mad: Remove ib_get_dma_mr calls")
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Link: https://lore.kernel.org/r/20190801121449.24973-1-leon@kernel.org
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/mad.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c
+index ef459f2f2eeb8..7586c1dd73f19 100644
+--- a/drivers/infiniband/core/mad.c
++++ b/drivers/infiniband/core/mad.c
+@@ -3182,18 +3182,18 @@ static int ib_mad_port_open(struct ib_device *device,
+ if (has_smi)
+ cq_size *= 2;
+
++ port_priv->pd = ib_alloc_pd(device, 0);
++ if (IS_ERR(port_priv->pd)) {
++ dev_err(&device->dev, "Couldn't create ib_mad PD\n");
++ ret = PTR_ERR(port_priv->pd);
++ goto error3;
++ }
++
+ port_priv->cq = ib_alloc_cq(port_priv->device, port_priv, cq_size, 0,
+ IB_POLL_WORKQUEUE);
+ if (IS_ERR(port_priv->cq)) {
+ dev_err(&device->dev, "Couldn't create ib_mad CQ\n");
+ ret = PTR_ERR(port_priv->cq);
+- goto error3;
+- }
+-
+- port_priv->pd = ib_alloc_pd(device, 0);
+- if (IS_ERR(port_priv->pd)) {
+- dev_err(&device->dev, "Couldn't create ib_mad PD\n");
+- ret = PTR_ERR(port_priv->pd);
+ goto error4;
+ }
+
+@@ -3236,11 +3236,11 @@ error8:
+ error7:
+ destroy_mad_qp(&port_priv->qp_info[0]);
+ error6:
+- ib_dealloc_pd(port_priv->pd);
+-error4:
+ ib_free_cq(port_priv->cq);
+ cleanup_recv_queue(&port_priv->qp_info[1]);
+ cleanup_recv_queue(&port_priv->qp_info[0]);
++error4:
++ ib_dealloc_pd(port_priv->pd);
+ error3:
+ kfree(port_priv);
+
+@@ -3270,8 +3270,8 @@ static int ib_mad_port_close(struct ib_device *device, int port_num)
+ destroy_workqueue(port_priv->wq);
+ destroy_mad_qp(&port_priv->qp_info[1]);
+ destroy_mad_qp(&port_priv->qp_info[0]);
+- ib_dealloc_pd(port_priv->pd);
+ ib_free_cq(port_priv->cq);
++ ib_dealloc_pd(port_priv->pd);
+ cleanup_recv_queue(&port_priv->qp_info[1]);
+ cleanup_recv_queue(&port_priv->qp_info[0]);
+ /* XXX: Handle deallocation of MAD registration tables */
+--
+2.20.1
+
--- /dev/null
+From 17ca65d269f9ae7aedc3726dc424e36b788fd850 Mon Sep 17 00:00:00 2001
+From: Guy Levi <guyle@mellanox.com>
+Date: Wed, 31 Jul 2019 11:19:29 +0300
+Subject: IB/mlx5: Fix MR registration flow to use UMR properly
+
+[ Upstream commit e5366d309a772fef264ec85e858f9ea46f939848 ]
+
+Driver shouldn't allow to use UMR to register a MR when
+umr_modify_atomic_disabled is set. Otherwise it will always end up with a
+failure in the post send flow which sets the UMR WQE to modify atomic access
+right.
+
+Fixes: c8d75a980fab ("IB/mlx5: Respect new UMR capabilities")
+Signed-off-by: Guy Levi <guyle@mellanox.com>
+Reviewed-by: Moni Shoua <monis@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Link: https://lore.kernel.org/r/20190731081929.32559-1-leon@kernel.org
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/mr.c | 27 +++++++++------------------
+ 1 file changed, 9 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c
+index 9bab4fb65c688..bd1fdadf7ba01 100644
+--- a/drivers/infiniband/hw/mlx5/mr.c
++++ b/drivers/infiniband/hw/mlx5/mr.c
+@@ -51,22 +51,12 @@ static void clean_mr(struct mlx5_ib_dev *dev, struct mlx5_ib_mr *mr);
+ static void dereg_mr(struct mlx5_ib_dev *dev, struct mlx5_ib_mr *mr);
+ static int mr_cache_max_order(struct mlx5_ib_dev *dev);
+ static int unreg_umr(struct mlx5_ib_dev *dev, struct mlx5_ib_mr *mr);
+-static bool umr_can_modify_entity_size(struct mlx5_ib_dev *dev)
+-{
+- return !MLX5_CAP_GEN(dev->mdev, umr_modify_entity_size_disabled);
+-}
+
+ static bool umr_can_use_indirect_mkey(struct mlx5_ib_dev *dev)
+ {
+ return !MLX5_CAP_GEN(dev->mdev, umr_indirect_mkey_disabled);
+ }
+
+-static bool use_umr(struct mlx5_ib_dev *dev, int order)
+-{
+- return order <= mr_cache_max_order(dev) &&
+- umr_can_modify_entity_size(dev);
+-}
+-
+ static int destroy_mkey(struct mlx5_ib_dev *dev, struct mlx5_ib_mr *mr)
+ {
+ int err = mlx5_core_destroy_mkey(dev->mdev, &mr->mmkey);
+@@ -1305,7 +1295,7 @@ struct ib_mr *mlx5_ib_reg_user_mr(struct ib_pd *pd, u64 start, u64 length,
+ {
+ struct mlx5_ib_dev *dev = to_mdev(pd->device);
+ struct mlx5_ib_mr *mr = NULL;
+- bool populate_mtts = false;
++ bool use_umr;
+ struct ib_umem *umem;
+ int page_shift;
+ int npages;
+@@ -1338,29 +1328,30 @@ struct ib_mr *mlx5_ib_reg_user_mr(struct ib_pd *pd, u64 start, u64 length,
+ if (err < 0)
+ return ERR_PTR(err);
+
+- if (use_umr(dev, order)) {
++ use_umr = !MLX5_CAP_GEN(dev->mdev, umr_modify_entity_size_disabled) &&
++ (!MLX5_CAP_GEN(dev->mdev, umr_modify_atomic_disabled) ||
++ !MLX5_CAP_GEN(dev->mdev, atomic));
++
++ if (order <= mr_cache_max_order(dev) && use_umr) {
+ mr = alloc_mr_from_cache(pd, umem, virt_addr, length, ncont,
+ page_shift, order, access_flags);
+ if (PTR_ERR(mr) == -EAGAIN) {
+ mlx5_ib_dbg(dev, "cache empty for order %d\n", order);
+ mr = NULL;
+ }
+- populate_mtts = false;
+ } else if (!MLX5_CAP_GEN(dev->mdev, umr_extended_translation_offset)) {
+ if (access_flags & IB_ACCESS_ON_DEMAND) {
+ err = -EINVAL;
+ pr_err("Got MR registration for ODP MR > 512MB, not supported for Connect-IB\n");
+ goto error;
+ }
+- populate_mtts = true;
++ use_umr = false;
+ }
+
+ if (!mr) {
+- if (!umr_can_modify_entity_size(dev))
+- populate_mtts = true;
+ mutex_lock(&dev->slow_path_mutex);
+ mr = reg_create(NULL, pd, virt_addr, length, umem, ncont,
+- page_shift, access_flags, populate_mtts);
++ page_shift, access_flags, !use_umr);
+ mutex_unlock(&dev->slow_path_mutex);
+ }
+
+@@ -1378,7 +1369,7 @@ struct ib_mr *mlx5_ib_reg_user_mr(struct ib_pd *pd, u64 start, u64 length,
+ update_odp_mr(mr);
+ #endif
+
+- if (!populate_mtts) {
++ if (use_umr) {
+ int update_xlt_flags = MLX5_IB_UPD_XLT_ENABLE;
+
+ if (access_flags & IB_ACCESS_ON_DEMAND)
+--
+2.20.1
+
--- /dev/null
+From 407774078446ff6406276d704569a55939f3e0d3 Mon Sep 17 00:00:00 2001
+From: Nianyao Tang <tangnianyao@huawei.com>
+Date: Fri, 26 Jul 2019 17:32:57 +0800
+Subject: irqchip/gic-v3-its: Free unused vpt_page when alloc vpe table fail
+
+[ Upstream commit 34f8eb92ca053cbba2887bb7e4dbf2b2cd6eb733 ]
+
+In its_vpe_init, when its_alloc_vpe_table fails, we should free
+vpt_page allocated just before, instead of vpe->vpt_page.
+Let's fix it.
+
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Jason Cooper <jason@lakedaemon.net>
+Cc: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Nianyao Tang <tangnianyao@huawei.com>
+Signed-off-by: Shaokun Zhang <zhangshaokun@hisilicon.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-gic-v3-its.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
+index ee30e8965d1be..9ba73e11757d9 100644
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -2883,7 +2883,7 @@ static int its_vpe_init(struct its_vpe *vpe)
+
+ if (!its_alloc_vpe_table(vpe_id)) {
+ its_vpe_id_free(vpe_id);
+- its_free_pending_table(vpe->vpt_page);
++ its_free_pending_table(vpt_page);
+ return -ENOMEM;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 2d2e877d3399bf666a78f194d2709095ce3f31cb Mon Sep 17 00:00:00 2001
+From: Lucas Stach <l.stach@pengutronix.de>
+Date: Fri, 12 Jul 2019 15:29:05 +0200
+Subject: irqchip/irq-imx-gpcv2: Forward irq type to parent
+
+[ Upstream commit 9a446ef08f3bfc0c3deb9c6be840af2528ef8cf8 ]
+
+The GPCv2 is a stacked IRQ controller below the ARM GIC. It doesn't
+care about the IRQ type itself, but needs to forward the type to the
+parent IRQ controller, so this one can be configured correctly.
+
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-imx-gpcv2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/irqchip/irq-imx-gpcv2.c b/drivers/irqchip/irq-imx-gpcv2.c
+index 4760307ab43fc..cef8f5e2e8fce 100644
+--- a/drivers/irqchip/irq-imx-gpcv2.c
++++ b/drivers/irqchip/irq-imx-gpcv2.c
+@@ -131,6 +131,7 @@ static struct irq_chip gpcv2_irqchip_data_chip = {
+ .irq_unmask = imx_gpcv2_irq_unmask,
+ .irq_set_wake = imx_gpcv2_irq_set_wake,
+ .irq_retrigger = irq_chip_retrigger_hierarchy,
++ .irq_set_type = irq_chip_set_type_parent,
+ #ifdef CONFIG_SMP
+ .irq_set_affinity = irq_chip_set_affinity_parent,
+ #endif
+--
+2.20.1
+
--- /dev/null
+From 191e93f8ca46672712ca45462d45f5c5566e97e4 Mon Sep 17 00:00:00 2001
+From: Stephen Boyd <swboyd@chromium.org>
+Date: Tue, 30 Jul 2019 09:48:03 -0700
+Subject: kbuild: Check for unknown options with cc-option usage in Kconfig and
+ clang
+
+[ Upstream commit e8de12fb7cde2c85bc31097cd098da79a4818305 ]
+
+If the particular version of clang a user has doesn't enable
+-Werror=unknown-warning-option by default, even though it is the
+default[1], then make sure to pass the option to the Kconfig cc-option
+command so that testing options from Kconfig files works properly.
+Otherwise, depending on the default values setup in the clang toolchain
+we will silently assume options such as -Wmaybe-uninitialized are
+supported by clang, when they really aren't.
+
+A compilation issue only started happening for me once commit
+589834b3a009 ("kbuild: Add -Werror=unknown-warning-option to
+CLANG_FLAGS") was applied on top of commit b303c6df80c9 ("kbuild:
+compute false-positive -Wmaybe-uninitialized cases in Kconfig"). This
+leads kbuild to try and test for the existence of the
+-Wmaybe-uninitialized flag with the cc-option command in
+scripts/Kconfig.include, and it doesn't see an error returned from the
+option test so it sets the config value to Y. Then the Makefile tries to
+pass the unknown option on the command line and
+-Werror=unknown-warning-option catches the invalid option and breaks the
+build. Before commit 589834b3a009 ("kbuild: Add
+-Werror=unknown-warning-option to CLANG_FLAGS") the build works fine,
+but any cc-option test of a warning option in Kconfig files silently
+evaluates to true, even if the warning option flag isn't supported on
+clang.
+
+Note: This doesn't change cc-option usages in Makefiles because those
+use a different rule that includes KBUILD_CFLAGS by default (see the
+__cc-option command in scripts/Kbuild.incluide). The KBUILD_CFLAGS
+variable already has the -Werror=unknown-warning-option flag set. Thanks
+to Doug for pointing out the different rule.
+
+[1] https://clang.llvm.org/docs/DiagnosticsReference.html#wunknown-warning-option
+Cc: Peter Smith <peter.smith@linaro.org>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Stephen Boyd <swboyd@chromium.org>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/Kconfig.include | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/Kconfig.include b/scripts/Kconfig.include
+index dad5583451afb..3b2861f47709b 100644
+--- a/scripts/Kconfig.include
++++ b/scripts/Kconfig.include
+@@ -20,7 +20,7 @@ success = $(if-success,$(1),y,n)
+
+ # $(cc-option,<flag>)
+ # Return y if the compiler supports <flag>, n otherwise
+-cc-option = $(success,$(CC) -Werror $(1) -E -x c /dev/null -o /dev/null)
++cc-option = $(success,$(CC) -Werror $(CLANG_FLAGS) $(1) -E -x c /dev/null -o /dev/null)
+
+ # $(ld-option,<flag>)
+ # Return y if the linker supports <flag>, n otherwise
+--
+2.20.1
+
--- /dev/null
+From 58086ce60298e7a68a641816506370d45b1f56c4 Mon Sep 17 00:00:00 2001
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Wed, 31 Jul 2019 00:59:00 +0900
+Subject: kbuild: modpost: handle KBUILD_EXTRA_SYMBOLS only for external
+ modules
+
+[ Upstream commit cb4819934a7f9b87876f11ed05b8624c0114551b ]
+
+KBUILD_EXTRA_SYMBOLS makes sense only when building external modules.
+Moreover, the modpost sets 'external_module' if the -e option is given.
+
+I replaced $(patsubst %, -e %,...) with simpler $(addprefix -e,...)
+while I was here.
+
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/Makefile.modpost | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/Makefile.modpost b/scripts/Makefile.modpost
+index 7d4af0d0accb3..51884c7b80697 100644
+--- a/scripts/Makefile.modpost
++++ b/scripts/Makefile.modpost
+@@ -75,7 +75,7 @@ modpost = scripts/mod/modpost \
+ $(if $(CONFIG_MODULE_SRCVERSION_ALL),-a,) \
+ $(if $(KBUILD_EXTMOD),-i,-o) $(kernelsymfile) \
+ $(if $(KBUILD_EXTMOD),-I $(modulesymfile)) \
+- $(if $(KBUILD_EXTRA_SYMBOLS), $(patsubst %, -e %,$(KBUILD_EXTRA_SYMBOLS))) \
++ $(if $(KBUILD_EXTMOD),$(addprefix -e ,$(KBUILD_EXTRA_SYMBOLS))) \
+ $(if $(KBUILD_EXTMOD),-o $(modulesymfile)) \
+ $(if $(CONFIG_DEBUG_SECTION_MISMATCH),,-S) \
+ $(if $(CONFIG_SECTION_MISMATCH_WARN_ONLY),,-E) \
+--
+2.20.1
+
--- /dev/null
+From 06fc556522809a3f6a612a41b0079f092fe18ed9 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 29 Jul 2019 14:47:22 -0700
+Subject: libata: zpodd: Fix small read overflow in zpodd_get_mech_type()
+
+[ Upstream commit 71d6c505b4d9e6f76586350450e785e3d452b346 ]
+
+Jeffrin reported a KASAN issue:
+
+ BUG: KASAN: global-out-of-bounds in ata_exec_internal_sg+0x50f/0xc70
+ Read of size 16 at addr ffffffff91f41f80 by task scsi_eh_1/149
+ ...
+ The buggy address belongs to the variable:
+ cdb.48319+0x0/0x40
+
+Much like commit 18c9a99bce2a ("libata: zpodd: small read overflow in
+eject_tray()"), this fixes a cdb[] buffer length, this time in
+zpodd_get_mech_type():
+
+We read from the cdb[] buffer in ata_exec_internal_sg(). It has to be
+ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.
+
+Reported-by: Jeffrin Jose T <jeffrin@rajagiritech.edu.in>
+Fixes: afe759511808c ("libata: identify and init ZPODD devices")
+Link: https://lore.kernel.org/lkml/201907181423.E808958@keescook/
+Tested-by: Jeffrin Jose T <jeffrin@rajagiritech.edu.in>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-zpodd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ata/libata-zpodd.c b/drivers/ata/libata-zpodd.c
+index 173e6f2dd9af0..eefda51f97d35 100644
+--- a/drivers/ata/libata-zpodd.c
++++ b/drivers/ata/libata-zpodd.c
+@@ -56,7 +56,7 @@ static enum odd_mech_type zpodd_get_mech_type(struct ata_device *dev)
+ unsigned int ret;
+ struct rm_feature_desc *desc;
+ struct ata_taskfile tf;
+- static const char cdb[] = { GPCMD_GET_CONFIGURATION,
++ static const char cdb[ATAPI_CDB_LEN] = { GPCMD_GET_CONFIGURATION,
+ 2, /* only 1 feature descriptor requested */
+ 0, 3, /* 3, removable medium feature */
+ 0, 0, 0,/* reserved */
+--
+2.20.1
+
--- /dev/null
+From 876331a01ac1d7d36340344131fe6e0e00db4022 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Fri, 2 Aug 2019 21:48:40 -0700
+Subject: ocfs2: remove set but not used variable 'last_hash'
+
+[ Upstream commit 7bc36e3ce91471b6377c8eadc0a2f220a2280083 ]
+
+Fixes gcc '-Wunused-but-set-variable' warning:
+
+ fs/ocfs2/xattr.c: In function ocfs2_xattr_bucket_find:
+ fs/ocfs2/xattr.c:3828:6: warning: variable last_hash set but not used [-Wunused-but-set-variable]
+
+It's never used and can be removed.
+
+Link: http://lkml.kernel.org/r/20190716132110.34836-1-yuehaibing@huawei.com
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Acked-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/xattr.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c
+index 3a24ce3deb013..c146e12a8601f 100644
+--- a/fs/ocfs2/xattr.c
++++ b/fs/ocfs2/xattr.c
+@@ -3833,7 +3833,6 @@ static int ocfs2_xattr_bucket_find(struct inode *inode,
+ u16 blk_per_bucket = ocfs2_blocks_per_xattr_bucket(inode->i_sb);
+ int low_bucket = 0, bucket, high_bucket;
+ struct ocfs2_xattr_bucket *search;
+- u32 last_hash;
+ u64 blkno, lower_blkno = 0;
+
+ search = ocfs2_xattr_bucket_new(inode);
+@@ -3877,8 +3876,6 @@ static int ocfs2_xattr_bucket_find(struct inode *inode,
+ if (xh->xh_count)
+ xe = &xh->xh_entries[le16_to_cpu(xh->xh_count) - 1];
+
+- last_hash = le32_to_cpu(xe->xe_name_hash);
+-
+ /* record lower_blkno which may be the insert place. */
+ lower_blkno = blkno;
+
+--
+2.20.1
+
--- /dev/null
+From 3b9822a11a9bea1ee5e5f40e0e208d58f57cea76 Mon Sep 17 00:00:00 2001
+From: Vince Weaver <vincent.weaver@maine.edu>
+Date: Tue, 23 Jul 2019 11:06:01 -0400
+Subject: perf header: Fix divide by zero error if f_header.attr_size==0
+
+[ Upstream commit 7622236ceb167aa3857395f9bdaf871442aa467e ]
+
+So I have been having lots of trouble with hand-crafted perf.data files
+causing segfaults and the like, so I have started fuzzing the perf tool.
+
+First issue found:
+
+If f_header.attr_size is 0 in the perf.data file, then perf will crash
+with a divide-by-zero error.
+
+Committer note:
+
+Added a pr_err() to tell the user why the command failed.
+
+Signed-off-by: Vince Weaver <vincent.weaver@maine.edu>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/alpine.DEB.2.21.1907231100440.14532@macbook-air
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/header.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
+index a94bd6850a0b2..4a5e1907a7ab3 100644
+--- a/tools/perf/util/header.c
++++ b/tools/perf/util/header.c
+@@ -3285,6 +3285,13 @@ int perf_session__read_header(struct perf_session *session)
+ data->file.path);
+ }
+
++ if (f_header.attr_size == 0) {
++ pr_err("ERROR: The %s file's attr size field is 0 which is unexpected.\n"
++ "Was the 'perf record' command properly terminated?\n",
++ data->file.path);
++ return -EINVAL;
++ }
++
+ nr_attrs = f_header.attrs.size / f_header.attr_size;
+ lseek(fd, f_header.attrs.offset, SEEK_SET);
+
+--
+2.20.1
+
--- /dev/null
+From e8d0180d5aa66effccb43b02f003c4edaa6d2341 Mon Sep 17 00:00:00 2001
+From: Numfor Mbiziwo-Tiapo <nums@google.com>
+Date: Wed, 24 Jul 2019 16:44:58 -0700
+Subject: perf header: Fix use of unitialized value warning
+
+[ Upstream commit 20f9781f491360e7459c589705a2e4b1f136bee9 ]
+
+When building our local version of perf with MSAN (Memory Sanitizer) and
+running the perf record command, MSAN throws a use of uninitialized
+value warning in "tools/perf/util/util.c:333:6".
+
+This warning stems from the "buf" variable being passed into "write".
+It originated as the variable "ev" with the type union perf_event*
+defined in the "perf_event__synthesize_attr" function in
+"tools/perf/util/header.c".
+
+In the "perf_event__synthesize_attr" function they allocate space with a malloc
+call using ev, then go on to only assign some of the member variables before
+passing "ev" on as a parameter to the "process" function therefore "ev"
+contains uninitialized memory. Changing the malloc call to zalloc to initialize
+all the members of "ev" which gets rid of the warning.
+
+To reproduce this warning, build perf by running:
+make -C tools/perf CLANG=1 CC=clang EXTRA_CFLAGS="-fsanitize=memory\
+ -fsanitize-memory-track-origins"
+
+(Additionally, llvm might have to be installed and clang might have to
+be specified as the compiler - export CC=/usr/bin/clang)
+
+then running:
+tools/perf/perf record -o - ls / | tools/perf/perf --no-pager annotate\
+ -i - --stdio
+
+Please see the cover letter for why false positive warnings may be
+generated.
+
+Signed-off-by: Numfor Mbiziwo-Tiapo <nums@google.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Drayton <mbd@fb.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Song Liu <songliubraving@fb.com>
+Cc: Stephane Eranian <eranian@google.com>
+Link: http://lkml.kernel.org/r/20190724234500.253358-2-nums@google.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/header.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
+index 4a5e1907a7ab3..54c34c107cab5 100644
+--- a/tools/perf/util/header.c
++++ b/tools/perf/util/header.c
+@@ -3372,7 +3372,7 @@ int perf_event__synthesize_attr(struct perf_tool *tool,
+ size += sizeof(struct perf_event_header);
+ size += ids * sizeof(u64);
+
+- ev = malloc(size);
++ ev = zalloc(size);
+
+ if (ev == NULL)
+ return -ENOMEM;
+--
+2.20.1
+
--- /dev/null
+From 1c95a5bdfd068840bbc959c79968fa004fc2edfe Mon Sep 17 00:00:00 2001
+From: Yang Shi <yang.shi@linux.alibaba.com>
+Date: Fri, 2 Aug 2019 21:48:37 -0700
+Subject: Revert "kmemleak: allow to coexist with fault injection"
+
+[ Upstream commit df9576def004d2cd5beedc00cb6e8901427634b9 ]
+
+When running ltp's oom test with kmemleak enabled, the below warning was
+triggerred since kernel detects __GFP_NOFAIL & ~__GFP_DIRECT_RECLAIM is
+passed in:
+
+ WARNING: CPU: 105 PID: 2138 at mm/page_alloc.c:4608 __alloc_pages_nodemask+0x1c31/0x1d50
+ Modules linked in: loop dax_pmem dax_pmem_core ip_tables x_tables xfs virtio_net net_failover virtio_blk failover ata_generic virtio_pci virtio_ring virtio libata
+ CPU: 105 PID: 2138 Comm: oom01 Not tainted 5.2.0-next-20190710+ #7
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014
+ RIP: 0010:__alloc_pages_nodemask+0x1c31/0x1d50
+ ...
+ kmemleak_alloc+0x4e/0xb0
+ kmem_cache_alloc+0x2a7/0x3e0
+ mempool_alloc_slab+0x2d/0x40
+ mempool_alloc+0x118/0x2b0
+ bio_alloc_bioset+0x19d/0x350
+ get_swap_bio+0x80/0x230
+ __swap_writepage+0x5ff/0xb20
+
+The mempool_alloc_slab() clears __GFP_DIRECT_RECLAIM, however kmemleak
+has __GFP_NOFAIL set all the time due to d9570ee3bd1d4f2 ("kmemleak:
+allow to coexist with fault injection"). But, it doesn't make any sense
+to have __GFP_NOFAIL and ~__GFP_DIRECT_RECLAIM specified at the same
+time.
+
+According to the discussion on the mailing list, the commit should be
+reverted for short term solution. Catalin Marinas would follow up with
+a better solution for longer term.
+
+The failure rate of kmemleak metadata allocation may increase in some
+circumstances, but this should be expected side effect.
+
+Link: http://lkml.kernel.org/r/1563299431-111710-1-git-send-email-yang.shi@linux.alibaba.com
+Fixes: d9570ee3bd1d4f2 ("kmemleak: allow to coexist with fault injection")
+Signed-off-by: Yang Shi <yang.shi@linux.alibaba.com>
+Suggested-by: Catalin Marinas <catalin.marinas@arm.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Qian Cai <cai@lca.pw>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/kmemleak.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mm/kmemleak.c b/mm/kmemleak.c
+index 6c94b6865ac22..5eeabece0c178 100644
+--- a/mm/kmemleak.c
++++ b/mm/kmemleak.c
+@@ -126,7 +126,7 @@
+ /* GFP bitmask for kmemleak internal allocations */
+ #define gfp_kmemleak_mask(gfp) (((gfp) & (GFP_KERNEL | GFP_ATOMIC)) | \
+ __GFP_NORETRY | __GFP_NOMEMALLOC | \
+- __GFP_NOWARN | __GFP_NOFAIL)
++ __GFP_NOWARN)
+
+ /* scanning area inside a memory block */
+ struct kmemleak_scan_area {
+--
+2.20.1
+
--- /dev/null
+From e4c2cd80e5dd48e89d65684b2c986b4c36d2b23e Mon Sep 17 00:00:00 2001
+From: Don Brace <don.brace@microsemi.com>
+Date: Wed, 24 Jul 2019 17:08:06 -0500
+Subject: scsi: hpsa: correct scsi command status issue after reset
+
+[ Upstream commit eeebce1862970653cdf5c01e98bc669edd8f529a ]
+
+Reviewed-by: Bader Ali - Saleh <bader.alisaleh@microsemi.com>
+Reviewed-by: Scott Teel <scott.teel@microsemi.com>
+Reviewed-by: Scott Benesh <scott.benesh@microsemi.com>
+Reviewed-by: Kevin Barnett <kevin.barnett@microsemi.com>
+Signed-off-by: Don Brace <don.brace@microsemi.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/hpsa.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index c43eccdea65d2..f570b8c5d857c 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -2320,6 +2320,8 @@ static int handle_ioaccel_mode2_error(struct ctlr_info *h,
+ case IOACCEL2_SERV_RESPONSE_COMPLETE:
+ switch (c2->error_data.status) {
+ case IOACCEL2_STATUS_SR_TASK_COMP_GOOD:
++ if (cmd)
++ cmd->result = 0;
+ break;
+ case IOACCEL2_STATUS_SR_TASK_COMP_CHK_COND:
+ cmd->result |= SAM_STAT_CHECK_CONDITION;
+@@ -2479,8 +2481,10 @@ static void process_ioaccel2_completion(struct ctlr_info *h,
+
+ /* check for good status */
+ if (likely(c2->error_data.serv_response == 0 &&
+- c2->error_data.status == 0))
++ c2->error_data.status == 0)) {
++ cmd->result = 0;
+ return hpsa_cmd_free_and_done(h, c, cmd);
++ }
+
+ /*
+ * Any RAID offload error results in retry which will use
+@@ -5617,6 +5621,12 @@ static int hpsa_scsi_queue_command(struct Scsi_Host *sh, struct scsi_cmnd *cmd)
+ }
+ c = cmd_tagged_alloc(h, cmd);
+
++ /*
++ * This is necessary because the SML doesn't zero out this field during
++ * error recovery.
++ */
++ cmd->result = 0;
++
+ /*
+ * Call alternate submit routine for I/O accelerated commands.
+ * Retries always go down the normal I/O path.
+--
+2.20.1
+
--- /dev/null
+From 4fd10cafd4d0516ba532494b76f23d6e884bc7f3 Mon Sep 17 00:00:00 2001
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+Date: Mon, 29 Jul 2019 16:44:51 +0800
+Subject: scsi: qla2xxx: Fix possible fcport null-pointer dereferences
+
+[ Upstream commit e82f04ec6ba91065fd33a6201ffd7cab840e1475 ]
+
+In qla2x00_alloc_fcport(), fcport is assigned to NULL in the error
+handling code on line 4880:
+ fcport = NULL;
+
+Then fcport is used on lines 4883-4886:
+ INIT_WORK(&fcport->del_work, qla24xx_delete_sess_fn);
+ INIT_WORK(&fcport->reg_work, qla_register_fcport_fn);
+ INIT_LIST_HEAD(&fcport->gnl_entry);
+ INIT_LIST_HEAD(&fcport->list);
+
+Thus, possible null-pointer dereferences may occur.
+
+To fix these bugs, qla2x00_alloc_fcport() directly returns NULL
+in the error handling code.
+
+These bugs are found by a static analysis tool STCheck written by us.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
+index f84f9bf150278..ddce32fe0513a 100644
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -4732,7 +4732,7 @@ qla2x00_alloc_fcport(scsi_qla_host_t *vha, gfp_t flags)
+ ql_log(ql_log_warn, vha, 0xd049,
+ "Failed to allocate ct_sns request.\n");
+ kfree(fcport);
+- fcport = NULL;
++ return NULL;
+ }
+ INIT_WORK(&fcport->del_work, qla24xx_delete_sess_fn);
+ INIT_LIST_HEAD(&fcport->gnl_entry);
+--
+2.20.1
+
input-iforce-add-sanity-checks.patch
net-usb-pegasus-fix-improper-read-if-get_registers-fail.patch
netfilter-ebtables-also-count-base-chain-policies.patch
+clk-at91-generated-truncate-divisor-to-generated_max.patch
+clk-sprd-select-regmap_mmio-to-avoid-compile-errors.patch
+clk-renesas-cpg-mssr-fix-reset-control-race-conditio.patch
+xen-pciback-remove-set-but-not-used-variable-old_sta.patch
+irqchip-gic-v3-its-free-unused-vpt_page-when-alloc-v.patch
+irqchip-irq-imx-gpcv2-forward-irq-type-to-parent.patch
+perf-header-fix-divide-by-zero-error-if-f_header.att.patch
+perf-header-fix-use-of-unitialized-value-warning.patch
+libata-zpodd-fix-small-read-overflow-in-zpodd_get_me.patch
+drm-bridge-lvds-encoder-fix-build-error-while-config.patch
+btrfs-fix-deadlock-between-fiemap-and-transaction-co.patch
+scsi-hpsa-correct-scsi-command-status-issue-after-re.patch
+scsi-qla2xxx-fix-possible-fcport-null-pointer-derefe.patch
+exit-make-setting-exit_state-consistent.patch
+drm-amdgpu-fix-a-potential-information-leaking-bug.patch
+ata-libahci-do-not-complain-in-case-of-deferred-prob.patch
+kbuild-modpost-handle-kbuild_extra_symbols-only-for-.patch
+kbuild-check-for-unknown-options-with-cc-option-usag.patch
+arm64-efi-fix-variable-si-set-but-not-used.patch
+arm64-unwind-prohibit-probing-on-return_address.patch
+arm64-mm-fix-variable-pud-set-but-not-used.patch
+ib-core-add-mitigation-for-spectre-v1.patch
+ib-mlx5-fix-mr-registration-flow-to-use-umr-properly.patch
+ib-mad-fix-use-after-free-in-ib-mad-completion-handl.patch
+drm-msm-fix-add_gpu_components.patch
+drm-exynos-fix-missing-decrement-of-retry-counter.patch
+revert-kmemleak-allow-to-coexist-with-fault-injectio.patch
+ocfs2-remove-set-but-not-used-variable-last_hash.patch
+asm-generic-fix-wtype-limits-compiler-warnings.patch
--- /dev/null
+From 828752ec6b835a0188c57dc6188335447519f67b Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Wed, 24 Jul 2019 22:08:50 +0800
+Subject: xen/pciback: remove set but not used variable 'old_state'
+
+[ Upstream commit 09e088a4903bd0dd911b4f1732b250130cdaffed ]
+
+Fixes gcc '-Wunused-but-set-variable' warning:
+
+drivers/xen/xen-pciback/conf_space_capability.c: In function pm_ctrl_write:
+drivers/xen/xen-pciback/conf_space_capability.c:119:25: warning:
+ variable old_state set but not used [-Wunused-but-set-variable]
+
+It is never used so can be removed.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/xen-pciback/conf_space_capability.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/xen/xen-pciback/conf_space_capability.c b/drivers/xen/xen-pciback/conf_space_capability.c
+index 73427d8e01161..e5694133ebe57 100644
+--- a/drivers/xen/xen-pciback/conf_space_capability.c
++++ b/drivers/xen/xen-pciback/conf_space_capability.c
+@@ -116,13 +116,12 @@ static int pm_ctrl_write(struct pci_dev *dev, int offset, u16 new_value,
+ {
+ int err;
+ u16 old_value;
+- pci_power_t new_state, old_state;
++ pci_power_t new_state;
+
+ err = pci_read_config_word(dev, offset, &old_value);
+ if (err)
+ goto out;
+
+- old_state = (pci_power_t)(old_value & PCI_PM_CTRL_STATE_MASK);
+ new_state = (pci_power_t)(new_value & PCI_PM_CTRL_STATE_MASK);
+
+ new_value &= PM_OK_BITS;
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
