--- /dev/null
+From 35f760b44b1b9cb16a306bdcc7220fbbf78c4789 Mon Sep 17 00:00:00 2001
+From: Denis Efremov <efremov@linux.com>
+Date: Mon, 22 Jun 2020 23:31:22 +0300
+Subject: drm/radeon: fix fb_div check in ni_init_smc_spll_table()
+
+From: Denis Efremov <efremov@linux.com>
+
+commit 35f760b44b1b9cb16a306bdcc7220fbbf78c4789 upstream.
+
+clk_s is checked twice in a row in ni_init_smc_spll_table().
+fb_div should be checked instead.
+
+Fixes: 69e0b57a91ad ("drm/radeon/kms: add dpm support for cayman (v5)")
+Cc: stable@vger.kernel.org
+Signed-off-by: Denis Efremov <efremov@linux.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/ni_dpm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/radeon/ni_dpm.c
++++ b/drivers/gpu/drm/radeon/ni_dpm.c
+@@ -2128,7 +2128,7 @@ static int ni_init_smc_spll_table(struct
+ if (clk_s & ~(SMC_NISLANDS_SPLL_DIV_TABLE_CLKS_MASK >> SMC_NISLANDS_SPLL_DIV_TABLE_CLKS_SHIFT))
+ ret = -EINVAL;
+
+- if (clk_s & ~(SMC_NISLANDS_SPLL_DIV_TABLE_CLKS_MASK >> SMC_NISLANDS_SPLL_DIV_TABLE_CLKS_SHIFT))
++ if (fb_div & ~(SMC_NISLANDS_SPLL_DIV_TABLE_FBDIV_MASK >> SMC_NISLANDS_SPLL_DIV_TABLE_FBDIV_SHIFT))
+ ret = -EINVAL;
+
+ if (clk_v & ~(SMC_NISLANDS_SPLL_DIV_TABLE_CLKV_MASK >> SMC_NISLANDS_SPLL_DIV_TABLE_CLKV_SHIFT))
--- /dev/null
+From d03727b248d0dae6199569a8d7b629a681154633 Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia <olga.kornievskaia@gmail.com>
+Date: Wed, 24 Jun 2020 13:54:08 -0400
+Subject: NFSv4 fix CLOSE not waiting for direct IO compeletion
+
+From: Olga Kornievskaia <olga.kornievskaia@gmail.com>
+
+commit d03727b248d0dae6199569a8d7b629a681154633 upstream.
+
+Figuring out the root case for the REMOVE/CLOSE race and
+suggesting the solution was done by Neil Brown.
+
+Currently what happens is that direct IO calls hold a reference
+on the open context which is decremented as an asynchronous task
+in the nfs_direct_complete(). Before reference is decremented,
+control is returned to the application which is free to close the
+file. When close is being processed, it decrements its reference
+on the open_context but since directIO still holds one, it doesn't
+sent a close on the wire. It returns control to the application
+which is free to do other operations. For instance, it can delete a
+file. Direct IO is finally releasing its reference and triggering
+an asynchronous close. Which races with the REMOVE. On the server,
+REMOVE can be processed before the CLOSE, failing the REMOVE with
+EACCES as the file is still opened.
+
+Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
+Suggested-by: Neil Brown <neilb@suse.com>
+CC: stable@vger.kernel.org
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/direct.c | 13 +++++++++----
+ fs/nfs/file.c | 1 +
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/fs/nfs/direct.c
++++ b/fs/nfs/direct.c
+@@ -385,8 +385,6 @@ static void nfs_direct_complete(struct n
+ if (write)
+ nfs_zap_mapping(inode, inode->i_mapping);
+
+- inode_dio_end(inode);
+-
+ if (dreq->iocb) {
+ long res = (long) dreq->error;
+ if (!res)
+@@ -396,7 +394,10 @@ static void nfs_direct_complete(struct n
+
+ complete_all(&dreq->completion);
+
++ igrab(inode);
+ nfs_direct_req_release(dreq);
++ inode_dio_end(inode);
++ iput(inode);
+ }
+
+ static void nfs_direct_readpage_release(struct nfs_page *req)
+@@ -537,8 +538,10 @@ static ssize_t nfs_direct_read_schedule_
+ * generic layer handle the completion.
+ */
+ if (requested_bytes == 0) {
+- inode_dio_end(inode);
++ igrab(inode);
+ nfs_direct_req_release(dreq);
++ inode_dio_end(inode);
++ iput(inode);
+ return result < 0 ? result : -EIO;
+ }
+
+@@ -939,8 +942,10 @@ static ssize_t nfs_direct_write_schedule
+ * generic layer handle the completion.
+ */
+ if (requested_bytes == 0) {
+- inode_dio_end(inode);
++ igrab(inode);
+ nfs_direct_req_release(dreq);
++ inode_dio_end(inode);
++ iput(inode);
+ return result < 0 ? result : -EIO;
+ }
+
+--- a/fs/nfs/file.c
++++ b/fs/nfs/file.c
+@@ -82,6 +82,7 @@ nfs_file_release(struct inode *inode, st
+ dprintk("NFS: release(%pD2)\n", filp);
+
+ nfs_inc_stats(inode, NFSIOS_VFSRELEASE);
++ inode_dio_wait(inode);
+ nfs_file_clear_open_context(filp);
+ return 0;
+ }
--- /dev/null
+From 8b04013737341442ed914b336cde866b902664ae Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Mon, 22 Jun 2020 15:04:15 -0400
+Subject: pNFS/flexfiles: Fix list corruption if the mirror count changes
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 8b04013737341442ed914b336cde866b902664ae upstream.
+
+If the mirror count changes in the new layout we pick up inside
+ff_layout_pg_init_write(), then we can end up adding the
+request to the wrong mirror and corrupting the mirror->pg_list.
+
+Fixes: d600ad1f2bdb ("NFS41: pop some layoutget errors to application")
+Cc: stable@vger.kernel.org
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/flexfilelayout/flexfilelayout.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/fs/nfs/flexfilelayout/flexfilelayout.c
++++ b/fs/nfs/flexfilelayout/flexfilelayout.c
+@@ -855,9 +855,8 @@ ff_layout_pg_init_write(struct nfs_pagei
+ goto out_mds;
+
+ /* Use a direct mapping of ds_idx to pgio mirror_idx */
+- if (WARN_ON_ONCE(pgio->pg_mirror_count !=
+- FF_LAYOUT_MIRROR_COUNT(pgio->pg_lseg)))
+- goto out_mds;
++ if (pgio->pg_mirror_count != FF_LAYOUT_MIRROR_COUNT(pgio->pg_lseg))
++ goto out_eagain;
+
+ for (i = 0; i < pgio->pg_mirror_count; i++) {
+ ds = nfs4_ff_layout_prepare_ds(pgio->pg_lseg, i, true);
+@@ -869,11 +868,15 @@ ff_layout_pg_init_write(struct nfs_pagei
+ }
+
+ return;
+-
++out_eagain:
++ pnfs_generic_pg_cleanup(pgio);
++ pgio->pg_error = -EAGAIN;
++ return;
+ out_mds:
+ pnfs_put_lseg(pgio->pg_lseg);
+ pgio->pg_lseg = NULL;
+ nfs_pageio_reset_write_mds(pgio);
++ pgio->pg_error = -EAGAIN;
+ }
+
+ static unsigned int
ocfs2-fix-value-of-ocfs2_invalid_slot.patch
ocfs2-fix-panic-on-nfs-server-over-ocfs2.patch
arm64-perf-report-the-pc-value-in-regs_abi_32-mode.patch
+tracing-fix-event-trigger-to-accept-redundant-spaces.patch
+drm-radeon-fix-fb_div-check-in-ni_init_smc_spll_table.patch
+sunrpc-fixed-rollback-in-rpc_gssd_dummy_populate.patch
+sunrpc-properly-set-the-subbuf-parameter-of-xdr_buf_subsegment.patch
+pnfs-flexfiles-fix-list-corruption-if-the-mirror-count-changes.patch
+nfsv4-fix-close-not-waiting-for-direct-io-compeletion.patch
--- /dev/null
+From b7ade38165ca0001c5a3bd5314a314abbbfbb1b7 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Mon, 1 Jun 2020 11:54:57 +0300
+Subject: sunrpc: fixed rollback in rpc_gssd_dummy_populate()
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit b7ade38165ca0001c5a3bd5314a314abbbfbb1b7 upstream.
+
+__rpc_depopulate(gssd_dentry) was lost on error path
+
+cc: stable@vger.kernel.org
+Fixes: commit 4b9a445e3eeb ("sunrpc: create a new dummy pipe for gssd to hold open")
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/rpc_pipe.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sunrpc/rpc_pipe.c
++++ b/net/sunrpc/rpc_pipe.c
+@@ -1347,6 +1347,7 @@ rpc_gssd_dummy_populate(struct dentry *r
+ q.len = strlen(gssd_dummy_clnt_dir[0].name);
+ clnt_dentry = d_hash_and_lookup(gssd_dentry, &q);
+ if (!clnt_dentry) {
++ __rpc_depopulate(gssd_dentry, gssd_dummy_clnt_dir, 0, 1);
+ pipe_dentry = ERR_PTR(-ENOENT);
+ goto out;
+ }
--- /dev/null
+From 89a3c9f5b9f0bcaa9aea3e8b2a616fcaea9aad78 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Thu, 25 Jun 2020 11:32:34 -0400
+Subject: SUNRPC: Properly set the @subbuf parameter of xdr_buf_subsegment()
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit 89a3c9f5b9f0bcaa9aea3e8b2a616fcaea9aad78 upstream.
+
+@subbuf is an output parameter of xdr_buf_subsegment(). A survey of
+call sites shows that @subbuf is always uninitialized before
+xdr_buf_segment() is invoked by callers.
+
+There are some execution paths through xdr_buf_subsegment() that do
+not set all of the fields in @subbuf, leaving some pointer fields
+containing garbage addresses. Subsequent processing of that buffer
+then results in a page fault.
+
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/xdr.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/sunrpc/xdr.c
++++ b/net/sunrpc/xdr.c
+@@ -1031,6 +1031,7 @@ xdr_buf_subsegment(struct xdr_buf *buf,
+ base = 0;
+ } else {
+ base -= buf->head[0].iov_len;
++ subbuf->head[0].iov_base = buf->head[0].iov_base;
+ subbuf->head[0].iov_len = 0;
+ }
+
+@@ -1043,6 +1044,8 @@ xdr_buf_subsegment(struct xdr_buf *buf,
+ base = 0;
+ } else {
+ base -= buf->page_len;
++ subbuf->pages = buf->pages;
++ subbuf->page_base = 0;
+ subbuf->page_len = 0;
+ }
+
+@@ -1054,6 +1057,7 @@ xdr_buf_subsegment(struct xdr_buf *buf,
+ base = 0;
+ } else {
+ base -= buf->tail[0].iov_len;
++ subbuf->tail[0].iov_base = buf->tail[0].iov_base;
+ subbuf->tail[0].iov_len = 0;
+ }
+
--- /dev/null
+From 6784beada631800f2c5afd567e5628c843362cee Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Sat, 20 Jun 2020 12:46:03 +0900
+Subject: tracing: Fix event trigger to accept redundant spaces
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+commit 6784beada631800f2c5afd567e5628c843362cee upstream.
+
+Fix the event trigger to accept redundant spaces in
+the trigger input.
+
+For example, these return -EINVAL
+
+echo " traceon" > events/ftrace/print/trigger
+echo "traceon if common_pid == 0" > events/ftrace/print/trigger
+echo "disable_event:kmem:kmalloc " > events/ftrace/print/trigger
+
+But these are hard to find what is wrong.
+
+To fix this issue, use skip_spaces() to remove spaces
+in front of actual tokens, and set NULL if there is no
+token.
+
+Link: http://lkml.kernel.org/r/159262476352.185015.5261566783045364186.stgit@devnote2
+
+Cc: Tom Zanussi <zanussi@kernel.org>
+Cc: stable@vger.kernel.org
+Fixes: 85f2b08268c0 ("tracing: Add basic event trigger framework")
+Reviewed-by: Tom Zanussi <zanussi@kernel.org>
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_events_trigger.c | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/trace_events_trigger.c
++++ b/kernel/trace/trace_events_trigger.c
+@@ -204,11 +204,17 @@ static int event_trigger_regex_open(stru
+
+ static int trigger_process_regex(struct trace_event_file *file, char *buff)
+ {
+- char *command, *next = buff;
++ char *command, *next;
+ struct event_command *p;
+ int ret = -EINVAL;
+
++ next = buff = skip_spaces(buff);
+ command = strsep(&next, ": \t");
++ if (next) {
++ next = skip_spaces(next);
++ if (!*next)
++ next = NULL;
++ }
+ command = (command[0] != '!') ? command : command + 1;
+
+ mutex_lock(&trigger_cmd_mutex);
+@@ -615,8 +621,14 @@ event_trigger_callback(struct event_comm
+ int ret;
+
+ /* separate the trigger from the filter (t:n [if filter]) */
+- if (param && isdigit(param[0]))
++ if (param && isdigit(param[0])) {
+ trigger = strsep(¶m, " \t");
++ if (param) {
++ param = skip_spaces(param);
++ if (!*param)
++ param = NULL;
++ }
++ }
+
+ trigger_ops = cmd_ops->get_trigger_ops(cmd, trigger);
+
+@@ -1185,6 +1197,11 @@ event_enable_trigger_func(struct event_c
+ trigger = strsep(¶m, " \t");
+ if (!trigger)
+ return -EINVAL;
++ if (param) {
++ param = skip_spaces(param);
++ if (!*param)
++ param = NULL;
++ }
+
+ system = strsep(&trigger, ":");
+ if (!trigger)
projects / thirdparty / kernel / stable-queue.git / commitdiff
