--- /dev/null
+From 1be3c1fae6c1e1f5bb982b255d2034034454527a Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wenwen@cs.uga.edu>
+Date: Thu, 8 Aug 2019 00:50:58 -0500
+Subject: ALSA: firewire: fix a memory leak bug
+
+From: Wenwen Wang <wenwen@cs.uga.edu>
+
+commit 1be3c1fae6c1e1f5bb982b255d2034034454527a upstream.
+
+In iso_packets_buffer_init(), 'b->packets' is allocated through
+kmalloc_array(). Then, the aligned packet size is checked. If it is
+larger than PAGE_SIZE, -EINVAL will be returned to indicate the error.
+However, the allocated 'b->packets' is not deallocated on this path,
+leading to a memory leak.
+
+To fix the above issue, free 'b->packets' before returning the error code.
+
+Fixes: 31ef9134eb52 ("ALSA: add LaCie FireWire Speakers/Griffin FireWave Surround driver")
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Cc: <stable@vger.kernel.org> # v2.6.39+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/packets-buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/firewire/packets-buffer.c
++++ b/sound/firewire/packets-buffer.c
+@@ -37,7 +37,7 @@ int iso_packets_buffer_init(struct iso_p
+ packets_per_page = PAGE_SIZE / packet_size;
+ if (WARN_ON(!packets_per_page)) {
+ err = -EINVAL;
+- goto error;
++ goto err_packets;
+ }
+ pages = DIV_ROUND_UP(count, packets_per_page);
+
--- /dev/null
+From c1c6c877b0c79fd7e05c931435aa42211eaeebaf Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 6 Aug 2019 14:03:56 +0200
+Subject: ALSA: hda - Don't override global PCM hw info flag
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit c1c6c877b0c79fd7e05c931435aa42211eaeebaf upstream.
+
+The commit bfcba288b97f ("ALSA - hda: Add support for link audio time
+reporting") introduced the conditional PCM hw info setup, but it
+overwrites the global azx_pcm_hw object.  This will cause a problem if
+there is any other HD-audio controller, as it'll inherit the same bit
+flag although that controller doesn't support the feature.
+
+Fix the bug by setting the PCM hw info flag locally.
+
+Fixes: bfcba288b97f ("ALSA - hda: Add support for link audio time reporting")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_controller.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/sound/pci/hda/hda_controller.c
++++ b/sound/pci/hda/hda_controller.c
+@@ -598,11 +598,9 @@ static int azx_pcm_open(struct snd_pcm_s
+ }
+ runtime->private_data = azx_dev;
+
+- if (chip->gts_present)
+- azx_pcm_hw.info = azx_pcm_hw.info |
+- SNDRV_PCM_INFO_HAS_LINK_SYNCHRONIZED_ATIME;
+-
+ runtime->hw = azx_pcm_hw;
++ if (chip->gts_present)
++ runtime->hw.info |= SNDRV_PCM_INFO_HAS_LINK_SYNCHRONIZED_ATIME;
+ runtime->hw.channels_min = hinfo->channels_min;
+ runtime->hw.channels_max = hinfo->channels_max;
+ runtime->hw.formats = hinfo->formats;
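Review bot: After this change `runtime->hw = azx_pcm_hw;` only reads the shared template, but nothing in the hunk stops a later edit from writing to the global again and leaking per-controller state across devices. If `azx_pcm_hw` is not already declared `const` (its definition is outside the hunk), declaring it `static const struct snd_pcm_hardware azx_pcm_hw` would turn that mistake into a compile error. azx_pcm_open() starts and ends outside the hunk.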
--- /dev/null
+From c02f77d32d2c45cfb1b2bb99eabd8a78f5ecc7db Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 6 Aug 2019 17:31:48 +0200
+Subject: ALSA: hda - Workaround for crackled sound on AMD controller (1022:1457)
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit c02f77d32d2c45cfb1b2bb99eabd8a78f5ecc7db upstream.
+
+A long-time problem on the recent AMD chip (X370, X470, B450, etc with
+PCI ID 1022:1457) with Realtek codecs is the crackled or distorted
+sound for capture streams, as well as occasional playback hiccups.
+After lengthy debugging sessions, the workarounds we've found are like
+the following:
+
+- Set up the proper driver caps for this controller, similar as the
+ other AMD controller.
+
+- Correct the DMA position reporting with the fixed FIFO size, which
+ is similar like as workaround used for VIA chip set.
+
+- Even after the position correction, PulseAudio still shows
+ mysterious stalls of playback streams when a capture is triggered in
+ timer-scheduled mode. Since we have no clear way to eliminate the
+ stall, pass the BATCH PCM flag for PA to suppress the tsched mode as
+ a temporary workaround.
+
+This patch implements the workarounds.  For the driver caps, it
+defines a new preset, AZX_DCAPS_PRESET_AMD_SB.  It enables the FIFO-
+corrected position reporting (corresponding to the new position_fix=6)
+and enforces the SNDRV_PCM_INFO_BATCH flag.
+
+Note that the current implementation is merely a workaround.
+Hopefully we'll find a better alternative in future, especially about
+removing the BATCH flag hack again.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=195303
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_controller.c | 7 ++++
+ sound/pci/hda/hda_controller.h | 2 -
+ sound/pci/hda/hda_intel.c | 63 ++++++++++++++++++++++++++++++++++++++++-
+ 3 files changed, 70 insertions(+), 2 deletions(-)
+
+--- a/sound/pci/hda/hda_controller.c
++++ b/sound/pci/hda/hda_controller.c
+@@ -613,6 +613,13 @@ static int azx_pcm_open(struct snd_pcm_s
+ 20,
+ 178000000);
+
++ /* by some reason, the playback stream stalls on PulseAudio with
++ * tsched=1 when a capture stream triggers. Until we figure out the
++ * real cause, disable tsched mode by telling the PCM info flag.
++ */
++ if (chip->driver_caps & AZX_DCAPS_AMD_WORKAROUND)
++ runtime->hw.info |= SNDRV_PCM_INFO_BATCH;
++
+ if (chip->align_buffer_size)
+ /* constrain buffer sizes to be multiple of 128
+ bytes. This is more efficient in terms of memory
+--- a/sound/pci/hda/hda_controller.h
++++ b/sound/pci/hda/hda_controller.h
+@@ -31,7 +31,7 @@
+ /* 14 unused */
+ #define AZX_DCAPS_CTX_WORKAROUND (1 << 15) /* X-Fi workaround */
+ #define AZX_DCAPS_POSFIX_LPIB (1 << 16) /* Use LPIB as default */
+-/* 17 unused */
++#define AZX_DCAPS_AMD_WORKAROUND (1 << 17) /* AMD-specific workaround */
+ #define AZX_DCAPS_NO_64BIT (1 << 18) /* No 64bit address */
+ #define AZX_DCAPS_SYNC_WRITE (1 << 19) /* sync each cmd write */
+ #define AZX_DCAPS_OLD_SSYNC (1 << 20) /* Old SSYNC reg for ICH */
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -64,6 +64,7 @@ enum {
+ POS_FIX_VIACOMBO,
+ POS_FIX_COMBO,
+ POS_FIX_SKL,
++ POS_FIX_FIFO,
+ };
+
+ /* Defines for ATI HD Audio support in SB450 south bridge */
+@@ -135,7 +136,7 @@ module_param_array(model, charp, NULL, 0
+ MODULE_PARM_DESC(model, "Use the given board model.");
+ module_param_array(position_fix, int, NULL, 0444);
+ MODULE_PARM_DESC(position_fix, "DMA pointer read method."
+- "(-1 = system default, 0 = auto, 1 = LPIB, 2 = POSBUF, 3 = VIACOMBO, 4 = COMBO, 5 = SKL+).");
++ "(-1 = system default, 0 = auto, 1 = LPIB, 2 = POSBUF, 3 = VIACOMBO, 4 = COMBO, 5 = SKL+, 6 = FIFO).");
+ module_param_array(bdl_pos_adj, int, NULL, 0644);
+ MODULE_PARM_DESC(bdl_pos_adj, "BDL position adjustment offset.");
+ module_param_array(probe_mask, int, NULL, 0444);
+@@ -332,6 +333,11 @@ enum {
+ #define AZX_DCAPS_PRESET_ATI_HDMI_NS \
+ (AZX_DCAPS_PRESET_ATI_HDMI | AZX_DCAPS_SNOOP_OFF)
+
++/* quirks for AMD SB */
++#define AZX_DCAPS_PRESET_AMD_SB \
++ (AZX_DCAPS_NO_TCSEL | AZX_DCAPS_SYNC_WRITE | AZX_DCAPS_AMD_WORKAROUND |\
++ AZX_DCAPS_SNOOP_TYPE(ATI) | AZX_DCAPS_PM_RUNTIME)
++
+ /* quirks for Nvidia */
+ #define AZX_DCAPS_PRESET_NVIDIA \
+ (AZX_DCAPS_NO_MSI | AZX_DCAPS_CORBRP_SELF_CLEAR |\
+@@ -841,6 +847,49 @@ static unsigned int azx_via_get_position
+ return bound_pos + mod_dma_pos;
+ }
+
++#define AMD_FIFO_SIZE 32
++
++/* get the current DMA position with FIFO size correction */
++static unsigned int azx_get_pos_fifo(struct azx *chip, struct azx_dev *azx_dev)
++{
++ struct snd_pcm_substream *substream = azx_dev->core.substream;
++ struct snd_pcm_runtime *runtime = substream->runtime;
++ unsigned int pos, delay;
++
++ pos = snd_hdac_stream_get_pos_lpib(azx_stream(azx_dev));
++ if (!runtime)
++ return pos;
++
++ runtime->delay = AMD_FIFO_SIZE;
++ delay = frames_to_bytes(runtime, AMD_FIFO_SIZE);
++ if (azx_dev->insufficient) {
++ if (pos < delay) {
++ delay = pos;
++ runtime->delay = bytes_to_frames(runtime, pos);
++ } else {
++ azx_dev->insufficient = 0;
++ }
++ }
++
++ /* correct the DMA position for capture stream */
++ if (substream->stream == SNDRV_PCM_STREAM_CAPTURE) {
++ if (pos < delay)
++ pos += azx_dev->core.bufsize;
++ pos -= delay;
++ }
++
++ return pos;
++}
++
++static int azx_get_delay_from_fifo(struct azx *chip, struct azx_dev *azx_dev,
++ unsigned int pos)
++{
++ struct snd_pcm_substream *substream = azx_dev->core.substream;
++
++ /* just read back the calculated value in the above */
++ return substream->runtime->delay;
++}
++
+ static unsigned int azx_skl_get_dpib_pos(struct azx *chip,
+ struct azx_dev *azx_dev)
+ {
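Review bot: `azx_get_pos_fifo()` returns early when `runtime` is NULL, but `azx_get_delay_from_fifo()` reads `substream->runtime->delay` with no such guard, and both dereference `azx_dev->core.substream` unconditionally. Whether either pointer can be NULL when these callbacks run depends on callers outside the hunk; if the check is needed in one function it is needed in the other, e.g. `if (!substream->runtime) return 0;`. Separately, in the capture branch `pos += azx_dev->core.bufsize; pos -= delay;` wraps the unsigned `pos` if the buffer is ever smaller than the FIFO delay in bytes, so a comment stating that `bufsize >= frames_to_bytes(runtime, AMD_FIFO_SIZE)` is assumed would help.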
+@@ -1417,6 +1466,7 @@ static int check_position_fix(struct azx
+ case POS_FIX_VIACOMBO:
+ case POS_FIX_COMBO:
+ case POS_FIX_SKL:
++ case POS_FIX_FIFO:
+ return fix;
+ }
+
+@@ -1433,6 +1483,10 @@ static int check_position_fix(struct azx
+ dev_dbg(chip->card->dev, "Using VIACOMBO position fix\n");
+ return POS_FIX_VIACOMBO;
+ }
++ if (chip->driver_caps & AZX_DCAPS_AMD_WORKAROUND) {
++ dev_dbg(chip->card->dev, "Using FIFO position fix\n");
++ return POS_FIX_FIFO;
++ }
+ if (chip->driver_caps & AZX_DCAPS_POSFIX_LPIB) {
+ dev_dbg(chip->card->dev, "Using LPIB position fix\n");
+ return POS_FIX_LPIB;
+@@ -1453,6 +1507,7 @@ static void assign_position_fix(struct a
+ [POS_FIX_VIACOMBO] = azx_via_get_position,
+ [POS_FIX_COMBO] = azx_get_pos_lpib,
+ [POS_FIX_SKL] = azx_get_pos_skl,
++ [POS_FIX_FIFO] = azx_get_pos_fifo,
+ };
+
+ chip->get_position[0] = chip->get_position[1] = callbacks[fix];
+@@ -1467,6 +1522,9 @@ static void assign_position_fix(struct a
+ azx_get_delay_from_lpib;
+ }
+
++ if (fix == POS_FIX_FIFO)
++ chip->get_delay[0] = chip->get_delay[1] =
++ azx_get_delay_from_fifo;
+ }
+
+ /*
+@@ -2444,6 +2502,9 @@ static const struct pci_device_id azx_id
+ /* AMD Hudson */
+ { PCI_DEVICE(0x1022, 0x780d),
+ .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB },
++ /* AMD, X370 & co */
++ { PCI_DEVICE(0x1022, 0x1457),
++ .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_AMD_SB },
+ /* AMD Stoney */
+ { PCI_DEVICE(0x1022, 0x157a),
+ .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB |
--- /dev/null
+From 3d92aa45fbfd7319e3a19f4ec59fd32b3862b723 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wenwen@cs.uga.edu>
+Date: Wed, 7 Aug 2019 04:08:51 -0500
+Subject: ALSA: hiface: fix multiple memory leak bugs
+
+From: Wenwen Wang <wenwen@cs.uga.edu>
+
+commit 3d92aa45fbfd7319e3a19f4ec59fd32b3862b723 upstream.
+
+In hiface_pcm_init(), 'rt' is firstly allocated through kzalloc(). Later
+on, hiface_pcm_init_urb() is invoked to initialize 'rt->out_urbs[i]'. In
+hiface_pcm_init_urb(), 'rt->out_urbs[i].buffer' is allocated through
+kzalloc(). However, if hiface_pcm_init_urb() fails, both 'rt' and
+'rt->out_urbs[i].buffer' are not deallocated, leading to memory leak bugs.
+Also, 'rt->out_urbs[i].buffer' is not deallocated if snd_pcm_new() fails.
+
+To fix the above issues, free 'rt' and 'rt->out_urbs[i].buffer'.
+
+Fixes: a91c3fb2f842 ("Add M2Tech hiFace USB-SPDIF driver")
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/hiface/pcm.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/sound/usb/hiface/pcm.c
++++ b/sound/usb/hiface/pcm.c
+@@ -600,14 +600,13 @@ int hiface_pcm_init(struct hiface_chip *
+ ret = hiface_pcm_init_urb(&rt->out_urbs[i], chip, OUT_EP,
+ hiface_pcm_out_urb_handler);
+ if (ret < 0)
+- return ret;
++ goto error;
+ }
+
+ ret = snd_pcm_new(chip->card, "USB-SPDIF Audio", 0, 1, 0, &pcm);
+ if (ret < 0) {
+- kfree(rt);
+ dev_err(&chip->dev->dev, "Cannot create pcm instance\n");
+- return ret;
++ goto error;
+ }
+
+ pcm->private_data = rt;
+@@ -620,4 +619,10 @@ int hiface_pcm_init(struct hiface_chip *
+
+ chip->pcm = rt;
+ return 0;
++
++error:
++ for (i = 0; i < PCM_N_URBS; i++)
++ kfree(rt->out_urbs[i].buffer);
++ kfree(rt);
++ return ret;
+ }
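Review bot: The new `error:` path calls kfree() on `rt->out_urbs[i].buffer` for every index, including URBs that hiface_pcm_init_urb() never reached. That is safe only because `rt` is zero-allocated (kzalloc() per the commit description; the allocation is outside the hunk) and kfree(NULL) is a no-op, so I would record the dependency above the loop: `/* rt is zero-allocated, so buffers of URBs not yet initialised are NULL */`. The path also assumes hiface_pcm_init_urb() does not free its own buffer on failure, which is not visible here and is worth confirming to rule out a double free.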
--- /dev/null
+From 30a8beeb3042f49d0537b7050fd21b490166a3d9 Mon Sep 17 00:00:00 2001
+From: Tomas Bortoli <tomasbortoli@gmail.com>
+Date: Wed, 31 Jul 2019 10:54:47 -0400
+Subject: can: peak_usb: pcan_usb_fd: Fix info-leaks to USB devices
+
+From: Tomas Bortoli <tomasbortoli@gmail.com>
+
+commit 30a8beeb3042f49d0537b7050fd21b490166a3d9 upstream.
+
+Uninitialized Kernel memory can leak to USB devices.
+
+Fix by using kzalloc() instead of kmalloc() on the affected buffers.
+
+Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
+Reported-by: syzbot+513e4d0985298538bf9b@syzkaller.appspotmail.com
+Fixes: 0a25e1f4f185 ("can: peak_usb: add support for PEAK new CANFD USB adapters")
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
+@@ -841,7 +841,7 @@ static int pcan_usb_fd_init(struct peak_
+ goto err_out;
+
+ /* allocate command buffer once for all for the interface */
+- pdev->cmd_buffer_addr = kmalloc(PCAN_UFD_CMD_BUFFER_SIZE,
++ pdev->cmd_buffer_addr = kzalloc(PCAN_UFD_CMD_BUFFER_SIZE,
+ GFP_KERNEL);
+ if (!pdev->cmd_buffer_addr)
+ goto err_out_1;
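Review bot: The reason this buffer must be zeroed is not recorded at the call site, so a later cleanup could switch it back to kmalloc() and reopen the disclosure of kernel heap contents to the device. I would add `/* zeroed: unused bytes of the buffer may be sent to the device */` above the allocation. Note also that the existing comment says the buffer is allocated once for the interface, so zeroing covers only its first use; later transfers would carry remnants of earlier commands rather than heap data, which is presumably acceptable but should be a conscious decision. The same comment applies to the `buffer = kzalloc(PCAN_USBPRO_FCT_DRVLD_REQ_LEN, GFP_KERNEL);` change in pcan_usb_pro_drv_loaded(). pcan_usb_fd_init() continues outside the hunk.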
--- /dev/null
+From ead16e53c2f0ed946d82d4037c630e2f60f4ab69 Mon Sep 17 00:00:00 2001
+From: Tomas Bortoli <tomasbortoli@gmail.com>
+Date: Wed, 31 Jul 2019 10:54:47 -0400
+Subject: can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices
+
+From: Tomas Bortoli <tomasbortoli@gmail.com>
+
+commit ead16e53c2f0ed946d82d4037c630e2f60f4ab69 upstream.
+
+Uninitialized Kernel memory can leak to USB devices.
+
+Fix by using kzalloc() instead of kmalloc() on the affected buffers.
+
+Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
+Reported-by: syzbot+d6a5a1a3657b596ef132@syzkaller.appspotmail.com
+Fixes: f14e22435a27 ("net: can: peak_usb: Do not do dma on the stack")
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_pro.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_pro.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_pro.c
+@@ -494,7 +494,7 @@ static int pcan_usb_pro_drv_loaded(struc
+ u8 *buffer;
+ int err;
+
+- buffer = kmalloc(PCAN_USBPRO_FCT_DRVLD_REQ_LEN, GFP_KERNEL);
++ buffer = kzalloc(PCAN_USBPRO_FCT_DRVLD_REQ_LEN, GFP_KERNEL);
+ if (!buffer)
+ return -ENOMEM;
+
--- /dev/null
+From d75996dd022b6d83bd14af59b2775b1aa639e4b9 Mon Sep 17 00:00:00 2001
+From: Vivek Goyal <vgoyal@redhat.com>
+Date: Fri, 2 Aug 2019 15:29:56 -0400
+Subject: dax: dax_layout_busy_page() should not unmap cow pages
+
+From: Vivek Goyal <vgoyal@redhat.com>
+
+commit d75996dd022b6d83bd14af59b2775b1aa639e4b9 upstream.
+
+Vivek:
+
+ "As of now dax_layout_busy_page() calls unmap_mapping_range() with last
+ argument as 1, which says even unmap cow pages. I am wondering who needs
+ to get rid of cow pages as well.
+
+ I noticed one interesting side affect of this. I mount xfs with -o dax and
+ mmaped a file with MAP_PRIVATE and wrote some data to a page which created
+ cow page. Then I called fallocate() on that file to zero a page of file.
+ fallocate() called dax_layout_busy_page() which unmapped cow pages as well
+ and then I tried to read back the data I wrote and what I get is old
+ data from persistent memory. I lost the data I had written. This
+ read basically resulted in new fault and read back the data from
+ persistent memory.
+
+ This sounds wrong. Are there any users which need to unmap cow pages
+ as well? If not, I am proposing changing it to not unmap cow pages.
+
+ I noticed this while writing virtio_fs code where when I tried
+ to reclaim a memory range and that corrupted the executable and I
+ was running from virtio-fs and program got segment violation."
+
+Dan:
+
+ "In fact the unmap_mapping_range() in this path is only to synchronize
+ against get_user_pages_fast() and force it to call back into the
+ filesystem to re-establish the mapping. COW pages should be left
+ untouched by dax_layout_busy_page()."
+
+Cc: <stable@vger.kernel.org>
+Fixes: 5fac7408d828 ("mm, fs, dax: handle layout changes to pinned dax mappings")
+Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
+Link: https://lore.kernel.org/r/20190802192956.GA3032@redhat.com
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/dax.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/dax.c
++++ b/fs/dax.c
+@@ -601,7 +601,7 @@ struct page *dax_layout_busy_page(struct
+ * guaranteed to either see new references or prevent new
+ * references from being established.
+ */
+- unmap_mapping_range(mapping, 0, 0, 1);
++ unmap_mapping_range(mapping, 0, 0, 0);
+
+ xas_lock_irq(&xas);
+ xas_for_each(&xas, entry, ULONG_MAX) {
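Review bot: The bare `0` in `unmap_mapping_range(mapping, 0, 0, 0)` gives no hint that leaving COW pages mapped is deliberate, and the visible part of the comment above the call only talks about references. Since the previous value silently discarded data written to private mappings, I would extend that comment with something like `* Private COW copies are left mapped (even_cows == 0); the unmap only has to force get_user_pages_fast() back into the filesystem.` The comment and the function body start outside the hunk.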
--- /dev/null
+From 73a0ff0b30af79bf0303d557eb82f1d1945bb6ee Mon Sep 17 00:00:00 2001
+From: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>
+Date: Fri, 12 Jul 2019 11:19:38 +0300
+Subject: drm/i915: Fix wrong escape clock divisor init for GLK
+
+From: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>
+
+commit 73a0ff0b30af79bf0303d557eb82f1d1945bb6ee upstream.
+
+According to Bspec, the clock divisor registers in GeminiLake
+should be initialized by shifting 1 (<<) by the amount of the
+corresponding divisor, while i915 has all this time been writing
+that value as is.
+
+Surprisingly that it by accident worked, until we met some issues
+with Microtech Etab.
+
+v2: Added Fixes tag and cc
+v3: Added stable to cc as well.
+
+Signed-off-by: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>
+Reviewed-by: Vandita Kulkarni <vandita.kulkarni@intel.com>
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=108826
+Fixes: bcc657004841 ("drm/i915/glk: Program txesc clock divider for GLK")
+Cc: Deepak M <m.deepak@intel.com>
+Cc: Madhav Chauhan <madhav.chauhan@intel.com>
+Cc: Jani Nikula <jani.nikula@intel.com>
+Cc: Jani Nikula <jani.nikula@linux.intel.com>
+Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Cc: intel-gfx@lists.freedesktop.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190712081938.14185-1-stanislav.lisovskiy@intel.com
+(cherry picked from commit ce52ad5dd52cfaf3398058384e0ff94134bbd89c)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/vlv_dsi_pll.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i915/vlv_dsi_pll.c
++++ b/drivers/gpu/drm/i915/vlv_dsi_pll.c
+@@ -394,8 +394,8 @@ static void glk_dsi_program_esc_clock(st
+ else
+ txesc2_div = 10;
+
+- I915_WRITE(MIPIO_TXESC_CLK_DIV1, txesc1_div & GLK_TX_ESC_CLK_DIV1_MASK);
+- I915_WRITE(MIPIO_TXESC_CLK_DIV2, txesc2_div & GLK_TX_ESC_CLK_DIV2_MASK);
++ I915_WRITE(MIPIO_TXESC_CLK_DIV1, (1 << (txesc1_div - 1)) & GLK_TX_ESC_CLK_DIV1_MASK);
++ I915_WRITE(MIPIO_TXESC_CLK_DIV2, (1 << (txesc2_div - 1)) & GLK_TX_ESC_CLK_DIV2_MASK);
+ }
+
+ /* Program BXT Mipi clocks and dividers */
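Review bot: `1 << (txesc1_div - 1)` and `1 << (txesc2_div - 1)` have a negative shift count, which is undefined behaviour, if either divisor is ever 0. Only `txesc2_div = 10` is visible in this hunk and the divisor computation is above it, so I cannot tell whether 0 is reachable (for example from a zero clock rate). Unless that is provably excluded, guard the writes with something like `if (WARN_ON(!txesc1_div || !txesc2_div)) return;`. A divisor larger than the mask width is also silently turned into 0 by the `&` with the mask, which deserves a comment.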
--- /dev/null
+From a95a4f3f2702b55a89393bf0f1b2b3d79e0f7da2 Mon Sep 17 00:00:00 2001
+From: Iker Perez del Palomar Sustatxa <iker.perez@codethink.co.uk>
+Date: Thu, 1 Aug 2019 08:53:24 +0100
+Subject: hwmon: (lm75) Fixup tmp75b clr_mask
+
+From: Iker Perez del Palomar Sustatxa <iker.perez@codethink.co.uk>
+
+commit a95a4f3f2702b55a89393bf0f1b2b3d79e0f7da2 upstream.
+
+The configuration register of the tmp75b sensor is 16bit long, however
+the first byte is reserved, so there is no need to take care of it.
+
+Because the order of the bytes is little endian and it is only necessary
+to write one byte, the desired bits must be shifted into a 8 bit range.
+
+Fixes: 39abe9d88b30 ("hwmon: (lm75) Add support for TMP75B")
+Cc: stable@vger.kernel.org
+Signed-off-by: Iker Perez del Palomar Sustatxa <iker.perez@codethink.co.uk>
+Link: https://lore.kernel.org/r/20190801075324.4638-1-iker.perez@codethink.co.uk
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwmon/lm75.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwmon/lm75.c
++++ b/drivers/hwmon/lm75.c
+@@ -343,7 +343,7 @@ lm75_probe(struct i2c_client *client, co
+ data->sample_time = MSEC_PER_SEC / 2;
+ break;
+ case tmp75b: /* not one-shot mode, Conversion rate 37Hz */
+- clr_mask |= 1 << 15 | 0x3 << 13;
++ clr_mask |= 1 << 7 | 0x3 << 5;
+ data->resolution = 12;
+ data->sample_time = MSEC_PER_SEC / 37;
+ break;
--- /dev/null
+From 38ada2f406a9b81fb1249c5c9227fa657e7d5671 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Fri, 26 Jul 2019 08:00:49 -0700
+Subject: hwmon: (nct7802) Fix wrong detection of in4 presence
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit 38ada2f406a9b81fb1249c5c9227fa657e7d5671 upstream.
+
+The code to detect if in4 is present is wrong; if in4 is not present,
+the in4_input sysfs attribute is still present.
+
+In detail:
+
+- When RTD3_MD=11 (VSEN3 present), everything is as expected (no bug).
+- If we have RTD3_MD!=11 (no VSEN3), we unexpectedly have a in4_input
+ file under /sys and the "sensors" command displays in4_input.
+ But as expected, we have no in4_min, in4_max, in4_alarm, in4_beep.
+
+Fix is_visible function to detect and report in4_input visibility
+as expected.
+
+Reported-by: Gilles Buloz <Gilles.Buloz@kontron.com>
+Cc: Gilles Buloz <Gilles.Buloz@kontron.com>
+Cc: stable@vger.kernel.org
+Fixes: 3434f37835804 ("hwmon: Driver for Nuvoton NCT7802Y")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwmon/nct7802.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/hwmon/nct7802.c
++++ b/drivers/hwmon/nct7802.c
+@@ -704,7 +704,7 @@ static struct attribute *nct7802_in_attr
+ &sensor_dev_attr_in3_alarm.dev_attr.attr,
+ &sensor_dev_attr_in3_beep.dev_attr.attr,
+
+- &sensor_dev_attr_in4_input.dev_attr.attr, /* 17 */
++ &sensor_dev_attr_in4_input.dev_attr.attr, /* 16 */
+ &sensor_dev_attr_in4_min.dev_attr.attr,
+ &sensor_dev_attr_in4_max.dev_attr.attr,
+ &sensor_dev_attr_in4_alarm.dev_attr.attr,
+@@ -730,9 +730,9 @@ static umode_t nct7802_in_is_visible(str
+
+ if (index >= 6 && index < 11 && (reg & 0x03) != 0x03) /* VSEN1 */
+ return 0;
+- if (index >= 11 && index < 17 && (reg & 0x0c) != 0x0c) /* VSEN2 */
++ if (index >= 11 && index < 16 && (reg & 0x0c) != 0x0c) /* VSEN2 */
+ return 0;
+- if (index >= 17 && (reg & 0x30) != 0x30) /* VSEN3 */
++ if (index >= 16 && (reg & 0x30) != 0x30) /* VSEN3 */
+ return 0;
+
+ return attr->mode;
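Review bot: The visibility checks still depend on hard-coded positions (6, 11, 16) in nct7802_in_attrs[], and the only link between the two is the index comment this patch had to correct. A wrong bound here exposes or hides sysfs attributes without any build-time signal, so I would at least put an index comment on the first entry of every group in the array and a matching note here, e.g. `/* bounds below are indexes into nct7802_in_attrs[]; keep in sync */`. nct7802_in_is_visible() starts outside the hunk.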
--- /dev/null
+From 87e7e25aee6b59fef740856f4e86d4b60496c9e1 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Sun, 21 Jul 2019 14:02:27 +0300
+Subject: iwlwifi: don't unmap as page memory that was mapped as single
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit 87e7e25aee6b59fef740856f4e86d4b60496c9e1 upstream.
+
+In order to remember how to unmap a memory (as single or
+as page), we maintain a bit per Transmit Buffer (TBs) in
+the meta data (structure iwl_cmd_meta).
+We maintain a bitmap: 1 bit per TB.
+If the TB is set, we will free the memory as a page.
+This bitmap was never cleared. Fix this.
+
+Cc: stable@vger.kernel.org
+Fixes: 3cd1980b0cdf ("iwlwifi: pcie: introduce new tfd and tb formats")
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/tx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/tx.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/tx.c
+@@ -435,6 +435,8 @@ static void iwl_pcie_tfd_unmap(struct iw
+ DMA_TO_DEVICE);
+ }
+
++ meta->tbs = 0;
++
+ if (trans->cfg->use_tfh) {
+ struct iwl_tfh_tfd *tfd_fh = (void *)tfd;
+
--- /dev/null
+From 39bd984c203e86f3109b49c2a2e20677c4d3ab65 Mon Sep 17 00:00:00 2001
+From: Luca Coelho <luciano.coelho@intel.com>
+Date: Mon, 24 Jun 2019 22:29:33 +0300
+Subject: iwlwifi: mvm: don't send GEO_TX_POWER_LIMIT on version < 41
+
+From: Luca Coelho <luciano.coelho@intel.com>
+
+commit 39bd984c203e86f3109b49c2a2e20677c4d3ab65 upstream.
+
+Firmware versions before 41 don't support the GEO_TX_POWER_LIMIT
+command, and sending it to the firmware will cause a firmware crash.
+We allow this via debugfs, so we need to return an error value in case
+it's not supported.
+
+This had already been fixed during init, when we send the command if
+the ACPI WGDS table is present. Fix it also for the other,
+userspace-triggered case.
+
+Cc: stable@vger.kernel.org
+Fixes: 7fe90e0e3d60 ("iwlwifi: mvm: refactor geo init")
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 22 +++++++++++++++-------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+@@ -874,6 +874,17 @@ int iwl_mvm_sar_select_profile(struct iw
+ return iwl_mvm_send_cmd_pdu(mvm, REDUCE_TX_POWER_CMD, 0, len, &cmd);
+ }
+
++static bool iwl_mvm_sar_geo_support(struct iwl_mvm *mvm)
++{
++ /*
++ * The GEO_TX_POWER_LIMIT command is not supported on earlier
++ * firmware versions. Unfortunately, we don't have a TLV API
++ * flag to rely on, so rely on the major version which is in
++ * the first byte of ucode_ver.
++ */
++ return IWL_UCODE_SERIAL(mvm->fw->ucode_ver) >= 41;
++}
++
+ int iwl_mvm_get_sar_geo_profile(struct iwl_mvm *mvm)
+ {
+ struct iwl_geo_tx_power_profiles_resp *resp;
+@@ -889,6 +900,9 @@ int iwl_mvm_get_sar_geo_profile(struct i
+ .data = { &geo_cmd },
+ };
+
++ if (!iwl_mvm_sar_geo_support(mvm))
++ return -EOPNOTSUPP;
++
+ ret = iwl_mvm_send_cmd(mvm, &cmd);
+ if (ret) {
+ IWL_ERR(mvm, "Failed to get geographic profile info %d\n", ret);
+@@ -914,13 +928,7 @@ static int iwl_mvm_sar_geo_init(struct i
+ int ret, i, j;
+ u16 cmd_wide_id = WIDE_ID(PHY_OPS_GROUP, GEO_TX_POWER_LIMIT);
+
+- /*
+- * This command is not supported on earlier firmware versions.
+- * Unfortunately, we don't have a TLV API flag to rely on, so
+- * rely on the major version which is in the first byte of
+- * ucode_ver.
+- */
+- if (IWL_UCODE_SERIAL(mvm->fw->ucode_ver) < 41)
++ if (!iwl_mvm_sar_geo_support(mvm))
+ return 0;
+
+ ret = iwl_mvm_sar_get_wgds_table(mvm);
--- /dev/null
+From 71b256f8f7a5c09810d2c3ed6165629c2cc0a652 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Mon, 22 Jul 2019 13:02:25 +0300
+Subject: iwlwifi: mvm: fix a use-after-free bug in iwl_mvm_tx_tso_segment
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit 71b256f8f7a5c09810d2c3ed6165629c2cc0a652 upstream.
+
+Accessing the hdr of an skb that was consumed already isn't
+a good idea.
+First ask if the skb is a QoS packet, then keep that data
+on stack, and then consume the skb.
+This was spotted by KASAN.
+
+Cc: stable@vger.kernel.org
+Fixes: 08f7d8b69aaf ("iwlwifi: mvm: bring back mvm GSO code")
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+@@ -831,6 +831,7 @@ iwl_mvm_tx_tso_segment(struct sk_buff *s
+ unsigned int tcp_payload_len;
+ unsigned int mss = skb_shinfo(skb)->gso_size;
+ bool ipv4 = (skb->protocol == htons(ETH_P_IP));
++ bool qos = ieee80211_is_data_qos(hdr->frame_control);
+ u16 ip_base_id = ipv4 ? ntohs(ip_hdr(skb)->id) : 0;
+
+ skb_shinfo(skb)->gso_size = num_subframes * mss;
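Review bot: Nothing on the new `bool qos = ieee80211_is_data_qos(hdr->frame_control);` line says why the value is cached, and `hdr` stays in scope for the rest of the function, so a later edit can reintroduce the same read after the skb is gone. I would add `/* read now: hdr belongs to skb, which is consumed before the loop below */` above it. It is also worth checking that no other use of `hdr` remains after the point where the skb is consumed; that part of the body is outside both hunks.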
+@@ -864,7 +865,7 @@ iwl_mvm_tx_tso_segment(struct sk_buff *s
+ if (tcp_payload_len > mss) {
+ skb_shinfo(tmp)->gso_size = mss;
+ } else {
+- if (ieee80211_is_data_qos(hdr->frame_control)) {
++ if (qos) {
+ u8 *qc;
+
+ if (ipv4)
--- /dev/null
+From ba3224db78034435e9ff0247277cce7c7bb1756c Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Mon, 22 Jul 2019 12:47:27 +0300
+Subject: iwlwifi: mvm: fix an out-of-bound access
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit ba3224db78034435e9ff0247277cce7c7bb1756c upstream.
+
+The index for the elements of the ACPI object we dereference
+was static. This means that if we called the function twice
+we wouldn't start from 3 again, but rather from the latest
+index we reached in the previous call.
+This was dutifully reported by KASAN.
+
+Fix this.
+
+Cc: stable@vger.kernel.org
+Fixes: 6996490501ed ("iwlwifi: mvm: add support for EWRD (Dynamic SAR) ACPI table")
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+@@ -753,7 +753,7 @@ static int iwl_mvm_sar_get_ewrd_table(st
+
+ for (i = 0; i < n_profiles; i++) {
+ /* the tables start at element 3 */
+- static int pos = 3;
++ int pos = 3;
+
+ /* The EWRD profiles officially go from 2 to 4, but we
+ * save them in sar_profiles[1-3] (because we don't
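Review bot: With `int pos = 3;` declared inside the `for` body, the initialiser runs on every iteration, so each profile is read starting at element 3. The commit description implies `pos` is advanced to the next table as the loop proceeds (that code is below the hunk); if so, every profile after the first now gets a copy of the first table instead of its own, which removes the out-of-bounds read but loads wrong SAR limits. Resetting once per call keeps both properties: move `int pos = 3;` with its comment to just before `for (i = 0; i < n_profiles; i++) {`.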
--- /dev/null
+From f5a47fae6aa3eb06f100e701d2342ee56b857bee Mon Sep 17 00:00:00 2001
+From: Luca Coelho <luciano.coelho@intel.com>
+Date: Fri, 19 Jul 2019 12:21:59 +0300
+Subject: iwlwifi: mvm: fix version check for GEO_TX_POWER_LIMIT support
+
+From: Luca Coelho <luciano.coelho@intel.com>
+
+commit f5a47fae6aa3eb06f100e701d2342ee56b857bee upstream.
+
+We erroneously added a check for FW API version 41 before sending
+GEO_TX_POWER_LIMIT, but this was already implemented in version 38.
+Additionally, it was cherry-picked to older versions, namely 17, 26
+and 29, so check for those as well.
+
+Cc: stable@vger.kernel.org
+Fixes: eca1e56ceedd ("iwlwifi: mvm: don't send GEO_TX_POWER_LIMIT to old firmwares")
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+@@ -880,9 +880,14 @@ static bool iwl_mvm_sar_geo_support(stru
+ * The GEO_TX_POWER_LIMIT command is not supported on earlier
+ * firmware versions. Unfortunately, we don't have a TLV API
+ * flag to rely on, so rely on the major version which is in
+- * the first byte of ucode_ver.
++ * the first byte of ucode_ver. This was implemented
++ * initially on version 38 and then backported to 36, 29 and
++ * 17.
+ */
+- return IWL_UCODE_SERIAL(mvm->fw->ucode_ver) >= 41;
++ return IWL_UCODE_SERIAL(mvm->fw->ucode_ver) >= 38 ||
++ IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 36 ||
++ IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 29 ||
++ IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 17;
+ }
+
+ int iwl_mvm_get_sar_geo_profile(struct iwl_mvm *mvm)
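Review bot: The version list in the new comment and return expression (38 and later, plus 36, 29 and 17) does not match the commit description, which names 17, 26 and 29 as the backport targets. One of the two is wrong and should be confirmed before this goes to stable, since a wrong value either sends GEO_TX_POWER_LIMIT to firmware that does not implement it or withholds it from firmware that does. As a style point, the macro is expanded four times; a local such as `u32 ver = IWL_UCODE_SERIAL(mvm->fw->ucode_ver);` followed by `return ver >= 38 || ver == 36 || ver == 29 || ver == 17;` reads more easily. The start of iwl_mvm_sar_geo_support() is outside the hunk.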
--- /dev/null
+From 5eeaf10eec394b28fad2c58f1f5c3a5da0e87d1c Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <maz@kernel.org>
+Date: Fri, 2 Aug 2019 10:28:32 +0100
+Subject: KVM: arm/arm64: Sync ICH_VMCR_EL2 back when about to block
+
+From: Marc Zyngier <maz@kernel.org>
+
+commit 5eeaf10eec394b28fad2c58f1f5c3a5da0e87d1c upstream.
+
+Since commit commit 328e56647944 ("KVM: arm/arm64: vgic: Defer
+touching GICH_VMCR to vcpu_load/put"), we leave ICH_VMCR_EL2 (or
+its GICv2 equivalent) loaded as long as we can, only syncing it
+back when we're scheduled out.
+
+There is a small snag with that though: kvm_vgic_vcpu_pending_irq(),
+which is indirectly called from kvm_vcpu_check_block(), needs to
+evaluate the guest's view of ICC_PMR_EL1. At the point where we
+call kvm_vcpu_check_block(), the vcpu is still loaded, and whatever
+change was made to PMR is not visible in memory until we do a vcpu_put().
+
+Things go really south if the guest does the following:
+
+ mov x0, #0 // or any small value masking interrupts
+ msr ICC_PMR_EL1, x0
+
+ [vcpu preempted, then rescheduled, VMCR sampled]
+
+ mov x0, #ff // allow all interrupts
+ msr ICC_PMR_EL1, x0
+ wfi // traps to EL2, so samping of VMCR
+
+ [interrupt arrives just after WFI]
+
+Here, the hypervisor's view of PMR is zero, while the guest has enabled
+its interrupts. kvm_vgic_vcpu_pending_irq() will then say that no
+interrupts are pending (despite an interrupt being received) and we'll
+block for no reason. If the guest doesn't have a periodic interrupt
+firing once it has blocked, it will stay there forever.
+
+To avoid this unfortuante situation, let's resync VMCR from
+kvm_arch_vcpu_blocking(), ensuring that a following kvm_vcpu_check_block()
+will observe the latest value of PMR.
+
+This has been found by booting an arm64 Linux guest with the pseudo NMI
+feature, and thus using interrupt priorities to mask interrupts instead
+of the usual PSTATE masking.
+
+Cc: stable@vger.kernel.org # 4.12
+Fixes: 328e56647944 ("KVM: arm/arm64: vgic: Defer touching GICH_VMCR to vcpu_load/put")
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/kvm/arm_vgic.h | 1 +
+ virt/kvm/arm/arm.c | 11 +++++++++++
+ virt/kvm/arm/vgic/vgic-v2.c | 9 ++++++++-
+ virt/kvm/arm/vgic/vgic-v3.c | 7 ++++++-
+ virt/kvm/arm/vgic/vgic.c | 11 +++++++++++
+ virt/kvm/arm/vgic/vgic.h | 2 ++
+ 6 files changed, 39 insertions(+), 2 deletions(-)
+
+--- a/include/kvm/arm_vgic.h
++++ b/include/kvm/arm_vgic.h
+@@ -350,6 +350,7 @@ int kvm_vgic_vcpu_pending_irq(struct kvm
+
+ void kvm_vgic_load(struct kvm_vcpu *vcpu);
+ void kvm_vgic_put(struct kvm_vcpu *vcpu);
++void kvm_vgic_vmcr_sync(struct kvm_vcpu *vcpu);
+
+ #define irqchip_in_kernel(k) (!!((k)->arch.vgic.in_kernel))
+ #define vgic_initialized(k) ((k)->arch.vgic.initialized)
+--- a/virt/kvm/arm/arm.c
++++ b/virt/kvm/arm/arm.c
+@@ -323,6 +323,17 @@ int kvm_cpu_has_pending_timer(struct kvm
+
+ void kvm_arch_vcpu_blocking(struct kvm_vcpu *vcpu)
+ {
++ /*
++ * If we're about to block (most likely because we've just hit a
++ * WFI), we need to sync back the state of the GIC CPU interface
++ * so that we have the lastest PMR and group enables. This ensures
++ * that kvm_arch_vcpu_runnable has up-to-date data to decide
++ * whether we have pending interrupts.
++ */
++ preempt_disable();
++ kvm_vgic_vmcr_sync(vcpu);
++ preempt_enable();
++
+ kvm_vgic_v4_enable_doorbell(vcpu);
+ }
+
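Review bot: The new comment in kvm_arch_vcpu_blocking() explains why VMCR is synced but not why the call is wrapped in `preempt_disable()`/`preempt_enable()`. A line such as `/* Preemption is off so the register is read while this vcpu's GIC state is still loaded on the current CPU. */` would help, assuming that is the reason. The comment also names kvm_arch_vcpu_runnable as the consumer while the description names kvm_vcpu_check_block() and kvm_vgic_vcpu_pending_irq(), and "lastest" should read "latest". kvm_vgic_vmcr_sync() in vgic.c and the vgic_v2_vmcr_sync()/vgic_v3_vmcr_sync() helpers are added with no comment on their precondition, which from this call site looks like "vcpu loaded, preemption disabled".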
+--- a/virt/kvm/arm/vgic/vgic-v2.c
++++ b/virt/kvm/arm/vgic/vgic-v2.c
+@@ -484,10 +484,17 @@ void vgic_v2_load(struct kvm_vcpu *vcpu)
+ kvm_vgic_global_state.vctrl_base + GICH_APR);
+ }
+
+-void vgic_v2_put(struct kvm_vcpu *vcpu)
++void vgic_v2_vmcr_sync(struct kvm_vcpu *vcpu)
+ {
+ struct vgic_v2_cpu_if *cpu_if = &vcpu->arch.vgic_cpu.vgic_v2;
+
+ cpu_if->vgic_vmcr = readl_relaxed(kvm_vgic_global_state.vctrl_base + GICH_VMCR);
++}
++
++void vgic_v2_put(struct kvm_vcpu *vcpu)
++{
++ struct vgic_v2_cpu_if *cpu_if = &vcpu->arch.vgic_cpu.vgic_v2;
++
++ vgic_v2_vmcr_sync(vcpu);
+ cpu_if->vgic_apr = readl_relaxed(kvm_vgic_global_state.vctrl_base + GICH_APR);
+ }
+--- a/virt/kvm/arm/vgic/vgic-v3.c
++++ b/virt/kvm/arm/vgic/vgic-v3.c
+@@ -662,12 +662,17 @@ void vgic_v3_load(struct kvm_vcpu *vcpu)
+ __vgic_v3_activate_traps(vcpu);
+ }
+
+-void vgic_v3_put(struct kvm_vcpu *vcpu)
++void vgic_v3_vmcr_sync(struct kvm_vcpu *vcpu)
+ {
+ struct vgic_v3_cpu_if *cpu_if = &vcpu->arch.vgic_cpu.vgic_v3;
+
+ if (likely(cpu_if->vgic_sre))
+ cpu_if->vgic_vmcr = kvm_call_hyp_ret(__vgic_v3_read_vmcr);
++}
++
++void vgic_v3_put(struct kvm_vcpu *vcpu)
++{
++ vgic_v3_vmcr_sync(vcpu);
+
+ kvm_call_hyp(__vgic_v3_save_aprs, vcpu);
+
+--- a/virt/kvm/arm/vgic/vgic.c
++++ b/virt/kvm/arm/vgic/vgic.c
+@@ -919,6 +919,17 @@ void kvm_vgic_put(struct kvm_vcpu *vcpu)
+ vgic_v3_put(vcpu);
+ }
+
++void kvm_vgic_vmcr_sync(struct kvm_vcpu *vcpu)
++{
++ if (unlikely(!irqchip_in_kernel(vcpu->kvm)))
++ return;
++
++ if (kvm_vgic_global_state.type == VGIC_V2)
++ vgic_v2_vmcr_sync(vcpu);
++ else
++ vgic_v3_vmcr_sync(vcpu);
++}
++
+ int kvm_vgic_vcpu_pending_irq(struct kvm_vcpu *vcpu)
+ {
+ struct vgic_cpu *vgic_cpu = &vcpu->arch.vgic_cpu;
+--- a/virt/kvm/arm/vgic/vgic.h
++++ b/virt/kvm/arm/vgic/vgic.h
+@@ -193,6 +193,7 @@ int vgic_register_dist_iodev(struct kvm
+ void vgic_v2_init_lrs(void);
+ void vgic_v2_load(struct kvm_vcpu *vcpu);
+ void vgic_v2_put(struct kvm_vcpu *vcpu);
++void vgic_v2_vmcr_sync(struct kvm_vcpu *vcpu);
+
+ void vgic_v2_save_state(struct kvm_vcpu *vcpu);
+ void vgic_v2_restore_state(struct kvm_vcpu *vcpu);
+@@ -223,6 +224,7 @@ bool vgic_v3_check_base(struct kvm *kvm)
+
+ void vgic_v3_load(struct kvm_vcpu *vcpu);
+ void vgic_v3_put(struct kvm_vcpu *vcpu);
++void vgic_v3_vmcr_sync(struct kvm_vcpu *vcpu);
+
+ bool vgic_has_its(struct kvm *kvm);
+ int kvm_vgic_register_its_device(void);
--- /dev/null
+From 17e433b54393a6269acbcb792da97791fe1592d8 Mon Sep 17 00:00:00 2001
+From: Wanpeng Li <wanpengli@tencent.com>
+Date: Mon, 5 Aug 2019 10:03:19 +0800
+Subject: KVM: Fix leak vCPU's VMCS value into other pCPU
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wanpeng Li <wanpengli@tencent.com>
+
+commit 17e433b54393a6269acbcb792da97791fe1592d8 upstream.
+
+After commit d73eb57b80b (KVM: Boost vCPUs that are delivering interrupts), a
+five years old bug is exposed. Running ebizzy benchmark in three 80 vCPUs VMs
+on one 80 pCPUs Skylake server, a lot of rcu_sched stall warning splatting
+in the VMs after stress testing:
+
+ INFO: rcu_sched detected stalls on CPUs/tasks: { 4 41 57 62 77} (detected by 15, t=60004 jiffies, g=899, c=898, q=15073)
+ Call Trace:
+ flush_tlb_mm_range+0x68/0x140
+ tlb_flush_mmu.part.75+0x37/0xe0
+ tlb_finish_mmu+0x55/0x60
+ zap_page_range+0x142/0x190
+ SyS_madvise+0x3cd/0x9c0
+ system_call_fastpath+0x1c/0x21
+
+swait_active() stays true until finish_swait() is called in
+kvm_vcpu_block(), so voluntarily preempted vCPUs are taken into account
+by the kvm_vcpu_on_spin() loop. This greatly increases the probability
+that the condition kvm_arch_vcpu_runnable(vcpu) is checked and can be
+true. When APICv is enabled, the yield-candidate vCPU's VMCS RVI field
+then leaks (by vmx_sync_pir_to_irr()) into the spinning-on-a-taken-lock
+vCPU's current VMCS.
+
+This patch fixes it by checking conservatively a subset of events.
+
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Christian Borntraeger <borntraeger@de.ibm.com>
+Cc: Marc Zyngier <Marc.Zyngier@arm.com>
+Cc: stable@vger.kernel.org
+Fixes: 98f4a1467 (KVM: add kvm_arch_vcpu_runnable() test to kvm_vcpu_on_spin() loop)
+Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kvm/powerpc.c | 5 +++++
+ arch/x86/include/asm/kvm_host.h | 1 +
+ arch/x86/kvm/svm.c | 6 ++++++
+ arch/x86/kvm/vmx/vmx.c | 6 ++++++
+ arch/x86/kvm/x86.c | 16 ++++++++++++++++
+ include/linux/kvm_host.h | 1 +
+ virt/kvm/kvm_main.c | 25 ++++++++++++++++++++++++-
+ 7 files changed, 59 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kvm/powerpc.c
++++ b/arch/powerpc/kvm/powerpc.c
+@@ -50,6 +50,11 @@ int kvm_arch_vcpu_runnable(struct kvm_vc
+ return !!(v->arch.pending_exceptions) || kvm_request_pending(v);
+ }
+
++bool kvm_arch_dy_runnable(struct kvm_vcpu *vcpu)
++{
++ return kvm_arch_vcpu_runnable(vcpu);
++}
++
+ bool kvm_arch_vcpu_in_kernel(struct kvm_vcpu *vcpu)
+ {
+ return false;
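Review bot: The powerpc kvm_arch_dy_runnable() added here duplicates the `__weak` default that the same commit adds in virt/kvm/kvm_main.c; both return `kvm_arch_vcpu_runnable(vcpu)`. Unless the powerpc build needs a strong symbol for a reason not visible in this hunk, the override can be dropped, leaving one place to change if the default is later tightened. If it is kept, a comment such as `/* kvm_arch_vcpu_runnable() only reads pending_exceptions and the request bits, so it is safe without vcpu_load */` would record why the full check is acceptable on this architecture.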
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -1169,6 +1169,7 @@ struct kvm_x86_ops {
+ int (*update_pi_irte)(struct kvm *kvm, unsigned int host_irq,
+ uint32_t guest_irq, bool set);
+ void (*apicv_post_state_restore)(struct kvm_vcpu *vcpu);
++ bool (*dy_apicv_has_pending_interrupt)(struct kvm_vcpu *vcpu);
+
+ int (*set_hv_timer)(struct kvm_vcpu *vcpu, u64 guest_deadline_tsc,
+ bool *expired);
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -5167,6 +5167,11 @@ static void svm_deliver_avic_intr(struct
+ kvm_vcpu_wake_up(vcpu);
+ }
+
++static bool svm_dy_apicv_has_pending_interrupt(struct kvm_vcpu *vcpu)
++{
++ return false;
++}
++
+ static void svm_ir_list_del(struct vcpu_svm *svm, struct amd_iommu_pi_data *pi)
+ {
+ unsigned long flags;
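Review bot: svm_dy_apicv_has_pending_interrupt() returns `false` unconditionally and carries no comment, so on SVM the APICv branch of kvm_arch_dy_runnable() in x86.c can never report a pending interrupt for a yield candidate. If that is intentional, say so at the stub, for example `/* pending AVIC interrupts are not checked from outside vcpu_load; report none */`, with the wording confirmed by someone who knows AVIC. The vmx counterpart, `return pi_test_on(vcpu_to_pi_desc(vcpu));`, would likewise benefit from one line stating that it only tests the posted-interrupt descriptor.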
+@@ -7264,6 +7269,7 @@ static struct kvm_x86_ops svm_x86_ops __
+
+ .pmu_ops = &amd_pmu_ops,
+ .deliver_posted_interrupt = svm_deliver_avic_intr,
++ .dy_apicv_has_pending_interrupt = svm_dy_apicv_has_pending_interrupt,
+ .update_pi_irte = svm_update_pi_irte,
+ .setup_mce = svm_setup_mce,
+
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -6096,6 +6096,11 @@ static int vmx_sync_pir_to_irr(struct kv
+ return max_irr;
+ }
+
++static bool vmx_dy_apicv_has_pending_interrupt(struct kvm_vcpu *vcpu)
++{
++ return pi_test_on(vcpu_to_pi_desc(vcpu));
++}
++
+ static void vmx_load_eoi_exitmap(struct kvm_vcpu *vcpu, u64 *eoi_exit_bitmap)
+ {
+ if (!kvm_vcpu_apicv_active(vcpu))
+@@ -7662,6 +7667,7 @@ static struct kvm_x86_ops vmx_x86_ops __
+ .guest_apic_has_interrupt = vmx_guest_apic_has_interrupt,
+ .sync_pir_to_irr = vmx_sync_pir_to_irr,
+ .deliver_posted_interrupt = vmx_deliver_posted_interrupt,
++ .dy_apicv_has_pending_interrupt = vmx_dy_apicv_has_pending_interrupt,
+
+ .set_tss_addr = vmx_set_tss_addr,
+ .set_identity_map_addr = vmx_set_identity_map_addr,
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -9641,6 +9641,22 @@ int kvm_arch_vcpu_runnable(struct kvm_vc
+ return kvm_vcpu_running(vcpu) || kvm_vcpu_has_events(vcpu);
+ }
+
++bool kvm_arch_dy_runnable(struct kvm_vcpu *vcpu)
++{
++ if (READ_ONCE(vcpu->arch.pv.pv_unhalted))
++ return true;
++
++ if (kvm_test_request(KVM_REQ_NMI, vcpu) ||
++ kvm_test_request(KVM_REQ_SMI, vcpu) ||
++ kvm_test_request(KVM_REQ_EVENT, vcpu))
++ return true;
++
++ if (vcpu->arch.apicv_active && kvm_x86_ops->dy_apicv_has_pending_interrupt(vcpu))
++ return true;
++
++ return false;
++}
++
+ bool kvm_arch_vcpu_in_kernel(struct kvm_vcpu *vcpu)
+ {
+ return vcpu->arch.preempted_in_kernel;
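Review bot: kvm_arch_dy_runnable() has no comment explaining why it tests only `pv_unhalted`, the NMI/SMI/EVENT requests and the posted-interrupt hook instead of calling kvm_arch_vcpu_runnable(). The reason is only in the commit description: it runs for a vCPU that is not loaded, so it must not reach code that touches the current VMCS. A short block comment above the function stating that constraint would keep a later change from adding a check that needs the vcpu loaded. The call through `kvm_x86_ops->dy_apicv_has_pending_interrupt` is unconditional, which holds as long as every kvm_x86_ops provider sets the hook; this commit sets it for vmx and svm.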
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -871,6 +871,7 @@ void kvm_arch_check_processor_compat(voi
+ int kvm_arch_vcpu_runnable(struct kvm_vcpu *vcpu);
+ bool kvm_arch_vcpu_in_kernel(struct kvm_vcpu *vcpu);
+ int kvm_arch_vcpu_should_kick(struct kvm_vcpu *vcpu);
++bool kvm_arch_dy_runnable(struct kvm_vcpu *vcpu);
+
+ #ifndef __KVM_HAVE_ARCH_VM_ALLOC
+ /*
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -2475,6 +2475,29 @@ static bool kvm_vcpu_eligible_for_direct
+ #endif
+ }
+
++/*
++ * Unlike kvm_arch_vcpu_runnable, this function is called outside
++ * a vcpu_load/vcpu_put pair. However, for most architectures
++ * kvm_arch_vcpu_runnable does not require vcpu_load.
++ */
++bool __weak kvm_arch_dy_runnable(struct kvm_vcpu *vcpu)
++{
++ return kvm_arch_vcpu_runnable(vcpu);
++}
++
++static bool vcpu_dy_runnable(struct kvm_vcpu *vcpu)
++{
++ if (kvm_arch_dy_runnable(vcpu))
++ return true;
++
++#ifdef CONFIG_KVM_ASYNC_PF
++ if (!list_empty_careful(&vcpu->async_pf.done))
++ return true;
++#endif
++
++ return false;
++}
++
+ void kvm_vcpu_on_spin(struct kvm_vcpu *me, bool yield_to_kernel_mode)
+ {
+ struct kvm *kvm = me->kvm;
+@@ -2504,7 +2527,7 @@ void kvm_vcpu_on_spin(struct kvm_vcpu *m
+ continue;
+ if (vcpu == me)
+ continue;
+- if (swait_active(&vcpu->wq) && !kvm_arch_vcpu_runnable(vcpu))
++ if (swait_active(&vcpu->wq) && !vcpu_dy_runnable(vcpu))
+ continue;
+ if (yield_to_kernel_mode && !kvm_arch_vcpu_in_kernel(vcpu))
+ continue;
--- /dev/null
+From 05aaa5c97dce4c10a9e7eae2f1569a684e0c5ced Mon Sep 17 00:00:00 2001
+From: Brian Norris <briannorris@chromium.org>
+Date: Fri, 26 Jul 2019 15:47:58 -0700
+Subject: mac80211: don't WARN on short WMM parameters from AP
+
+From: Brian Norris <briannorris@chromium.org>
+
+commit 05aaa5c97dce4c10a9e7eae2f1569a684e0c5ced upstream.
+
+In a very similar spirit to commit c470bdc1aaf3 ("mac80211: don't WARN
+on bad WMM parameters from buggy APs"), an AP may not transmit a
+fully-formed WMM IE. For example, it may miss or repeat an Access
+Category. The above loop won't catch that and will instead leave one of
+the four ACs zeroed out. This triggers the following warning in
+drv_conf_tx()
+
+ wlan0: invalid CW_min/CW_max: 0/0
+
+and it may leave one of the hardware queues unconfigured. If we detect
+such a case, let's just print a warning and fall back to the defaults.
+
+Tested with a hacked version of hostapd, intentionally corrupting the
+IEs in hostapd_eid_wmm().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Link: https://lore.kernel.org/r/20190726224758.210953-1-briannorris@chromium.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/mlme.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -2041,6 +2041,16 @@ ieee80211_sta_wmm_params(struct ieee8021
+ ieee80211_regulatory_limit_wmm_params(sdata, ¶ms[ac], ac);
+ }
+
++ /* WMM specification requires all 4 ACIs. */
++ for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
++ if (params[ac].cw_min == 0) {
++ sdata_info(sdata,
++ "AP has invalid WMM params (missing AC %d), using defaults\n",
++ ac);
++ return false;
++ }
++ }
++
+ for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
+ mlme_dbg(sdata,
+ "WMM AC=%d acm=%d aifs=%d cWmin=%d cWmax=%d txop=%d uapsd=%d, downgraded=%d\n",
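Review bot: The new loop treats `params[ac].cw_min == 0` as the marker for an access category the AP never supplied. That only works if `params` is zeroed before the parse loop and no accepted entry can carry a cw_min of 0; both are outside this hunk and should be confirmed. A comment making the sentinel explicit would help, e.g. `/* cw_min is still 0 for any AC the loop above did not fill in */`. The log text says "missing AC", but the description notes that a repeated category produces the same state, and `ac` is the local index rather than the ACI taken from the element, so the message may point the reader at the wrong thing. ieee80211_sta_wmm_params() starts and ends outside the hunk.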
--- /dev/null
+From df612421fe2566654047769c6852ffae1a31df16 Mon Sep 17 00:00:00 2001
+From: Brian Norris <briannorris@chromium.org>
+Date: Wed, 24 Jul 2019 12:46:34 -0700
+Subject: mwifiex: fix 802.11n/WPA detection
+
+From: Brian Norris <briannorris@chromium.org>
+
+commit df612421fe2566654047769c6852ffae1a31df16 upstream.
+
+Commit 63d7ef36103d ("mwifiex: Don't abort on small, spec-compliant
+vendor IEs") adjusted the ieee_types_vendor_header struct, which
+inadvertently messed up the offsets used in
+mwifiex_is_wpa_oui_present(). Add that offset back in, mirroring
+mwifiex_is_rsn_oui_present().
+
+As it stands, commit 63d7ef36103d breaks compatibility with WPA (not
+WPA2) 802.11n networks, since we hit the "info: Disable 11n if AES is
+not supported by AP" case in mwifiex_is_network_compatible().
+
+Fixes: 63d7ef36103d ("mwifiex: Don't abort on small, spec-compliant vendor IEs")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/marvell/mwifiex/main.h | 1 +
+ drivers/net/wireless/marvell/mwifiex/scan.c | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/marvell/mwifiex/main.h
++++ b/drivers/net/wireless/marvell/mwifiex/main.h
+@@ -124,6 +124,7 @@ enum {
+
+ #define MWIFIEX_MAX_TOTAL_SCAN_TIME (MWIFIEX_TIMER_10S - MWIFIEX_TIMER_1S)
+
++#define WPA_GTK_OUI_OFFSET 2
+ #define RSN_GTK_OUI_OFFSET 2
+
+ #define MWIFIEX_OUI_NOT_PRESENT 0
+--- a/drivers/net/wireless/marvell/mwifiex/scan.c
++++ b/drivers/net/wireless/marvell/mwifiex/scan.c
+@@ -181,7 +181,8 @@ mwifiex_is_wpa_oui_present(struct mwifie
+ u8 ret = MWIFIEX_OUI_NOT_PRESENT;
+
+ if (has_vendor_hdr(bss_desc->bcn_wpa_ie, WLAN_EID_VENDOR_SPECIFIC)) {
+- iebody = (struct ie_body *) bss_desc->bcn_wpa_ie->data;
++ iebody = (struct ie_body *)((u8 *)bss_desc->bcn_wpa_ie->data +
++ WPA_GTK_OUI_OFFSET);
+ oui = &mwifiex_wpa_oui[cipher][0];
+ ret = mwifiex_search_oui_in_ie(iebody, oui);
+ if (ret)
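Review bot: The new pointer skips WPA_GTK_OUI_OFFSET bytes into `bcn_wpa_ie->data`, which originates from a received beacon, and nothing in this hunk shows that the element is long enough for the offset plus a `struct ie_body`. Whether has_vendor_hdr() or mwifiex_search_oui_in_ie() bounds the access cannot be seen from here; please confirm, and if neither does, compare the element length with the offset before forming the pointer. WPA_GTK_OUI_OFFSET in main.h is also added without a comment saying which two bytes it skips. mwifiex_is_wpa_oui_present() continues outside the hunk.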
--- /dev/null
+From e3c8dc761ead061da2220ee8f8132f729ac3ddfe Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Mon, 29 Jul 2019 18:25:00 +0100
+Subject: NFSv4: Check the return value of update_open_stateid()
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit e3c8dc761ead061da2220ee8f8132f729ac3ddfe upstream.
+
+Ensure that we always check the return value of update_open_stateid()
+so that we can retry if the update of local state failed. This fixes
+infinite looping on state recovery.
+
+Fixes: e23008ec81ef3 ("NFSv4 reduce attribute requests for open reclaim")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Cc: stable@vger.kernel.org # v3.7+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4proc.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -1878,8 +1878,9 @@ _nfs4_opendata_reclaim_to_nfs4_state(str
+ if (data->o_res.delegation_type != 0)
+ nfs4_opendata_check_deleg(data, state);
+ update:
+- update_open_stateid(state, &data->o_res.stateid, NULL,
+- data->o_arg.fmode);
++ if (!update_open_stateid(state, &data->o_res.stateid,
++ NULL, data->o_arg.fmode))
++ return ERR_PTR(-EAGAIN);
+ refcount_inc(&state->count);
+
+ return state;
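Review bot: The two call sites handle a failed update_open_stateid() differently and neither says why. Here in _nfs4_opendata_reclaim_to_nfs4_state() the code returns `ERR_PTR(-EAGAIN)` directly, while the second hunk in _nfs4_opendata_to_nfs4_state() calls nfs4_put_open_state() first and falls through to `out:`. From the visible lines the difference is that the reclaim path has not yet taken its reference (`refcount_inc(&state->count)` follows the check), so a comment such as `/* no reference taken yet, nothing to drop */` above the early return would save the next reader from re-deriving it. Both functions start outside their hunks, so any cleanup owed for work done before the `update:` label should be verified.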
+@@ -1944,8 +1945,11 @@ _nfs4_opendata_to_nfs4_state(struct nfs4
+
+ if (data->o_res.delegation_type != 0)
+ nfs4_opendata_check_deleg(data, state);
+- update_open_stateid(state, &data->o_res.stateid, NULL,
+- data->o_arg.fmode);
++ if (!update_open_stateid(state, &data->o_res.stateid,
++ NULL, data->o_arg.fmode)) {
++ nfs4_put_open_state(state);
++ state = ERR_PTR(-EAGAIN);
++ }
+ out:
+ nfs_release_seqid(data->o_arg.seqid);
+ return state;
--- /dev/null
+From 09a54f0ebfe263bc27c90bbd80187b9a93283887 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Sat, 3 Aug 2019 10:28:18 -0400
+Subject: NFSv4: Fix an Oops in nfs4_do_setattr
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 09a54f0ebfe263bc27c90bbd80187b9a93283887 upstream.
+
+If the user specifies an open mode of 3, then we don't have a NFSv4 state
+attached to the context, and so we Oops when we try to dereference it.
+
+Reported-by: Olga Kornievskaia <aglo@umich.edu>
+Fixes: 29b59f9416937 ("NFSv4: change nfs4_do_setattr to take...")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Cc: stable@vger.kernel.org # v4.10: 991eedb1371dc: NFSv4: Only pass the...
+Cc: stable@vger.kernel.org # v4.10+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4proc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -3175,7 +3175,7 @@ static int _nfs4_do_setattr(struct inode
+
+ if (nfs4_copy_delegation_stateid(inode, FMODE_WRITE, &arg->stateid, &delegation_cred)) {
+ /* Use that stateid */
+- } else if (ctx != NULL) {
++ } else if (ctx != NULL && ctx->state) {
+ struct nfs_lock_context *l_ctx;
+ if (!nfs4_valid_open_stateid(ctx->state))
+ return -EBADF;
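Review bot: The added `ctx->state` test has no comment, and the reason the pointer can be NULL is only in the commit description. Suggest `/* an open with mode 3 has no NFSv4 state attached to ctx */` above the `else if`, and writing the test as `ctx != NULL && ctx->state != NULL` to match the explicit comparison beside it. When the test fails, control now reaches the remaining branch of the chain, which is outside this hunk; confirm that the stateid chosen there is appropriate for a context without state.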
--- /dev/null
+From 5eb8d18ca0e001c6055da2b7f30d8f6dca23a44f Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Fri, 19 Jul 2019 14:08:37 -0400
+Subject: NFSv4: Fix delegation state recovery
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 5eb8d18ca0e001c6055da2b7f30d8f6dca23a44f upstream.
+
+Once we clear the NFS_DELEGATED_STATE flag, we're telling
+nfs_delegation_claim_opens() that we're done recovering all open state
+for that stateid, so we really need to ensure that we test for all
+open modes that are currently cached and recover them before exiting
+nfs4_open_delegation_recall().
+
+Fixes: 24311f884189d ("NFSv4: Recovery of recalled read delegations...")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Cc: stable@vger.kernel.org # v4.3+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/delegation.c | 2 +-
+ fs/nfs/delegation.h | 2 +-
+ fs/nfs/nfs4proc.c | 25 ++++++++++++-------------
+ 3 files changed, 14 insertions(+), 15 deletions(-)
+
+--- a/fs/nfs/delegation.c
++++ b/fs/nfs/delegation.c
+@@ -153,7 +153,7 @@ again:
+ /* Block nfs4_proc_unlck */
+ mutex_lock(&sp->so_delegreturn_mutex);
+ seq = raw_seqcount_begin(&sp->so_reclaim_seqcount);
+- err = nfs4_open_delegation_recall(ctx, state, stateid, type);
++ err = nfs4_open_delegation_recall(ctx, state, stateid);
+ if (!err)
+ err = nfs_delegation_claim_locks(state, stateid);
+ if (!err && read_seqcount_retry(&sp->so_reclaim_seqcount, seq))
+--- a/fs/nfs/delegation.h
++++ b/fs/nfs/delegation.h
+@@ -63,7 +63,7 @@ void nfs_reap_expired_delegations(struct
+
+ /* NFSv4 delegation-related procedures */
+ int nfs4_proc_delegreturn(struct inode *inode, const struct cred *cred, const nfs4_stateid *stateid, int issync);
+-int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid, fmode_t type);
++int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid);
+ int nfs4_lock_delegation_recall(struct file_lock *fl, struct nfs4_state *state, const nfs4_stateid *stateid);
+ bool nfs4_copy_delegation_stateid(struct inode *inode, fmode_t flags, nfs4_stateid *dst, const struct cred **cred);
+ bool nfs4_refresh_delegation_stateid(nfs4_stateid *dst, struct inode *inode);
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -2148,12 +2148,10 @@ static int nfs4_handle_delegation_recall
+ case -NFS4ERR_BAD_HIGH_SLOT:
+ case -NFS4ERR_CONN_NOT_BOUND_TO_SESSION:
+ case -NFS4ERR_DEADSESSION:
+- set_bit(NFS_DELEGATED_STATE, &state->flags);
+ nfs4_schedule_session_recovery(server->nfs_client->cl_session, err);
+ return -EAGAIN;
+ case -NFS4ERR_STALE_CLIENTID:
+ case -NFS4ERR_STALE_STATEID:
+- set_bit(NFS_DELEGATED_STATE, &state->flags);
+ /* Don't recall a delegation if it was lost */
+ nfs4_schedule_lease_recovery(server->nfs_client);
+ return -EAGAIN;
+@@ -2174,7 +2172,6 @@ static int nfs4_handle_delegation_recall
+ return -EAGAIN;
+ case -NFS4ERR_DELAY:
+ case -NFS4ERR_GRACE:
+- set_bit(NFS_DELEGATED_STATE, &state->flags);
+ ssleep(1);
+ return -EAGAIN;
+ case -ENOMEM:
+@@ -2190,8 +2187,7 @@ static int nfs4_handle_delegation_recall
+ }
+
+ int nfs4_open_delegation_recall(struct nfs_open_context *ctx,
+- struct nfs4_state *state, const nfs4_stateid *stateid,
+- fmode_t type)
++ struct nfs4_state *state, const nfs4_stateid *stateid)
+ {
+ struct nfs_server *server = NFS_SERVER(state->inode);
+ struct nfs4_opendata *opendata;
+@@ -2202,20 +2198,23 @@ int nfs4_open_delegation_recall(struct n
+ if (IS_ERR(opendata))
+ return PTR_ERR(opendata);
+ nfs4_stateid_copy(&opendata->o_arg.u.delegation, stateid);
+- nfs_state_clear_delegation(state);
+- switch (type & (FMODE_READ|FMODE_WRITE)) {
+- case FMODE_READ|FMODE_WRITE:
+- case FMODE_WRITE:
++ if (!test_bit(NFS_O_RDWR_STATE, &state->flags)) {
+ err = nfs4_open_recover_helper(opendata, FMODE_READ|FMODE_WRITE);
+ if (err)
+- break;
++ goto out;
++ }
++ if (!test_bit(NFS_O_WRONLY_STATE, &state->flags)) {
+ err = nfs4_open_recover_helper(opendata, FMODE_WRITE);
+ if (err)
+- break;
+- /* Fall through */
+- case FMODE_READ:
++ goto out;
++ }
++ if (!test_bit(NFS_O_RDONLY_STATE, &state->flags)) {
+ err = nfs4_open_recover_helper(opendata, FMODE_READ);
++ if (err)
++ goto out;
+ }
++ nfs_state_clear_delegation(state);
++out:
+ nfs4_opendata_put(opendata);
+ return nfs4_handle_delegation_recall_error(server, state, stateid, NULL, err);
+ }
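Review bot: The three `if (!test_bit(NFS_O_*_STATE, &state->flags))` blocks read backwards without explanation, since recovery is attempted for a mode when its flag is clear. A comment before the first block would help, along the lines of `/* a clear NFS_O_*_STATE bit means opens for that mode are held only under the delegation */`, if that is the intended meaning. It is also worth noting at `out:` that nfs_state_clear_delegation() is deliberately skipped on error. That skip appears to be what replaces the `set_bit(NFS_DELEGATED_STATE, &state->flags)` calls removed from nfs4_handle_delegation_recall_error() in the earlier hunks.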
hid-sony-fix-race-condition-between-rumble-and-device-remove.patch
alsa-usb-audio-fix-a-memory-leak-bug.patch
kvm-nsvm-properly-map-nested-vmcb.patch
+can-peak_usb-pcan_usb_pro-fix-info-leaks-to-usb-devices.patch
+can-peak_usb-pcan_usb_fd-fix-info-leaks-to-usb-devices.patch
+hwmon-nct7802-fix-wrong-detection-of-in4-presence.patch
+hwmon-lm75-fixup-tmp75b-clr_mask.patch
+drm-i915-fix-wrong-escape-clock-divisor-init-for-glk.patch
+alsa-firewire-fix-a-memory-leak-bug.patch
+alsa-hiface-fix-multiple-memory-leak-bugs.patch
+alsa-hda-don-t-override-global-pcm-hw-info-flag.patch
+alsa-hda-workaround-for-crackled-sound-on-amd-controller-1022-1457.patch
+mac80211-don-t-warn-on-short-wmm-parameters-from-ap.patch
+dax-dax_layout_busy_page-should-not-unmap-cow-pages.patch
+smb3-fix-deadlock-in-validate-negotiate-hits-reconnect.patch
+smb3-send-cap_dfs-capability-during-session-setup.patch
+nfsv4-fix-delegation-state-recovery.patch
+nfsv4-check-the-return-value-of-update_open_stateid.patch
+nfsv4-fix-an-oops-in-nfs4_do_setattr.patch
+kvm-fix-leak-vcpu-s-vmcs-value-into-other-pcpu.patch
+kvm-arm-arm64-sync-ich_vmcr_el2-back-when-about-to-block.patch
+mwifiex-fix-802.11n-wpa-detection.patch
+iwlwifi-don-t-unmap-as-page-memory-that-was-mapped-as-single.patch
+iwlwifi-mvm-fix-an-out-of-bound-access.patch
+iwlwifi-mvm-fix-a-use-after-free-bug-in-iwl_mvm_tx_tso_segment.patch
+iwlwifi-mvm-don-t-send-geo_tx_power_limit-on-version-41.patch
+iwlwifi-mvm-fix-version-check-for-geo_tx_power_limit-support.patch
--- /dev/null
+From e99c63e4d86d3a94818693147b469fa70de6f945 Mon Sep 17 00:00:00 2001
+From: Pavel Shilovsky <pshilov@microsoft.com>
+Date: Mon, 22 Jul 2019 11:34:59 -0700
+Subject: SMB3: Fix deadlock in validate negotiate hits reconnect
+
+From: Pavel Shilovsky <pshilov@microsoft.com>
+
+commit e99c63e4d86d3a94818693147b469fa70de6f945 upstream.
+
+Currently we skip SMB2_TREE_CONNECT command when checking during
+reconnect because Tree Connect happens when establishing
+an SMB session. For SMB 3.0 protocol version the code also calls
+validate negotiate which results in SMB2_IOCTL command being sent
+over the wire. This may deadlock on trying to acquire a mutex when
+checking for reconnect. Fix this by skipping SMB2_IOCTL command
+when doing the reconnect check.
+
+Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -252,7 +252,7 @@ smb2_reconnect(__le16 smb2_command, stru
+ if (tcon == NULL)
+ return 0;
+
+- if (smb2_command == SMB2_TREE_CONNECT)
++ if (smb2_command == SMB2_TREE_CONNECT || smb2_command == SMB2_IOCTL)
+ return 0;
+
+ if (tcon->tidStatus == CifsExiting) {
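Review bot: The added `smb2_command == SMB2_IOCTL` test exempts every ioctl from the reconnect check, while the description concerns one caller, the validate-negotiate request issued while the session is being set up. Other ioctls sent on a connection that needs reconnecting would now return 0 here as well. If that is not intended, the exemption should be narrowed to the validate-negotiate path, or a comment should state why all ioctls may pass through. At minimum add `/* validate negotiate is an ioctl sent during tree connect and must not re-enter reconnect */` above the test. smb2_reconnect() continues outside the hunk.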
--- /dev/null
+From 8d33096a460d5b9bd13300f01615df5bb454db10 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Thu, 25 Jul 2019 18:13:10 -0500
+Subject: smb3: send CAP_DFS capability during session setup
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 8d33096a460d5b9bd13300f01615df5bb454db10 upstream.
+
+We had a report of a server which did not do a DFS referral
+because the session setup Capabilities field was set to 0
+(unlike negotiate protocol where we set CAP_DFS). Better to
+send it session setup in the capabilities as well (this also
+more closely matches Windows client behavior).
+
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -1173,7 +1173,12 @@ SMB2_sess_alloc_buffer(struct SMB2_sess_
+ else
+ req->SecurityMode = 0;
+
++#ifdef CONFIG_CIFS_DFS_UPCALL
++ req->Capabilities = cpu_to_le32(SMB2_GLOBAL_CAP_DFS);
++#else
+ req->Capabilities = 0;
++#endif /* DFS_UPCALL */
++
+ req->Channel = 0; /* MBZ */
+
+ sess_data->iov[0].iov_base = (char *)req;
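Review bot: The closing `#endif /* DFS_UPCALL */` does not name the symbol tested by the `#ifdef`; `#endif /* CONFIG_CIFS_DFS_UPCALL */` would match it and be easier to grep for. A comment on the new assignment, such as `/* some servers only do DFS referrals when session setup also advertises CAP_DFS */`, would record the reason given in the description next to the code. SMB2_sess_alloc_buffer() starts and ends outside the hunk.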