--- /dev/null
+From d239380196c4e27a26fa4bea73d2bf994c14ec2d Mon Sep 17 00:00:00 2001
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Date: Thu, 19 Dec 2019 13:15:38 +0000
+Subject: ath10k: pci: Only dump ATH10K_MEM_REGION_TYPE_IOREG when safe
+
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+
+commit d239380196c4e27a26fa4bea73d2bf994c14ec2d upstream.
+
+ath10k_pci_dump_memory_reg() will try to access memory of type
+ATH10K_MEM_REGION_TYPE_IOREG however, if a hardware restart is in progress
+this can crash a system.
+
+Individual ioread32() time has been observed to jump from 15-20 ticks to >
+80k ticks followed by a secure-watchdog bite and a system reset.
+
+Work around this corner case by only issuing the read transaction when the
+driver state is ATH10K_STATE_ON.
+
+Tested-on: QCA9988 PCI 10.4-3.9.0.2-00044
+
+Fixes: 219cc084c6706 ("ath10k: add memory dump support QCA9984")
+Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath10k/pci.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath10k/pci.c
++++ b/drivers/net/wireless/ath/ath10k/pci.c
+@@ -1604,11 +1604,22 @@ static int ath10k_pci_dump_memory_reg(st
+ {
+ struct ath10k_pci *ar_pci = ath10k_pci_priv(ar);
+ u32 i;
++ int ret;
++
++ mutex_lock(&ar->conf_mutex);
++ if (ar->state != ATH10K_STATE_ON) {
++ ath10k_warn(ar, "Skipping pci_dump_memory_reg invalid state\n");
++ ret = -EIO;
++ goto done;
++ }
+
+ for (i = 0; i < region->len; i += 4)
+ *(u32 *)(buf + i) = ioread32(ar_pci->mem + region->start + i);
+
+- return region->len;
++ ret = region->len;
++done:
++ mutex_unlock(&ar->conf_mutex);
++ return ret;
+ }
+
+ /* if an error happened returns < 0, otherwise the length */
+@@ -1704,7 +1715,11 @@ static void ath10k_pci_dump_memory(struc
+ count = ath10k_pci_dump_memory_sram(ar, current_region, buf);
+ break;
+ case ATH10K_MEM_REGION_TYPE_IOREG:
+- count = ath10k_pci_dump_memory_reg(ar, current_region, buf);
++ ret = ath10k_pci_dump_memory_reg(ar, current_region, buf);
++ if (ret < 0)
++ break;
++
++ count = ret;
+ break;
+ default:
+ ret = ath10k_pci_dump_memory_generic(ar, current_region, buf);
--- /dev/null
+From ea660ad7c1c476fd6e5e3b17780d47159db71dea Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?H=C3=A5kon=20Bugge?= <haakon.bugge@oracle.com>
+Date: Thu, 23 Jan 2020 16:55:21 +0100
+Subject: IB/mlx4: Fix leak in id_map_find_del
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Håkon Bugge <haakon.bugge@oracle.com>
+
+commit ea660ad7c1c476fd6e5e3b17780d47159db71dea upstream.
+
+Using CX-3 virtual functions, either from a bare-metal machine or
+pass-through from a VM, MAD packets are proxied through the PF driver.
+
+Since the VF drivers have separate name spaces for MAD Transaction Ids
+(TIDs), the PF driver has to re-map the TIDs and keep the book keeping in
+a cache.
+
+Following the RDMA Connection Manager (CM) protocol, it is clear when an
+entry has to evicted from the cache. When a DREP is sent from
+mlx4_ib_multiplex_cm_handler(), id_map_find_del() is called. Similar when
+a REJ is received by the mlx4_ib_demux_cm_handler(), id_map_find_del() is
+called.
+
+This function wipes out the TID in use from the IDR or XArray and removes
+the id_map_entry from the table.
+
+In short, it does everything except the topping of the cake, which is to
+remove the entry from the list and free it. In other words, for the REJ
+case enumerated above, one id_map_entry will be leaked.
+
+For the other case above, a DREQ has been received first. The reception of
+the DREQ will trigger queuing of a delayed work to delete the
+id_map_entry, for the case where the VM doesn't send back a DREP.
+
+In the normal case, the VM _will_ send back a DREP, and id_map_find_del()
+will be called.
+
+But this scenario introduces a secondary leak. First, when the DREQ is
+received, a delayed work is queued. The VM will then return a DREP, which
+will call id_map_find_del(). As stated above, this will free the TID used
+from the XArray or IDR. Now, there is window where that particular TID can
+be re-allocated, lets say by an outgoing REQ. This TID will later be wiped
+out by the delayed work, when the function id_map_ent_timeout() is
+called. But the id_map_entry allocated by the outgoing REQ will not be
+de-allocated, and we have a leak.
+
+Both leaks are fixed by removing the id_map_find_del() function and only
+using schedule_delayed(). Of course, a check in schedule_delayed() to see
+if the work already has been queued, has been added.
+
+Another benefit of always using the delayed version for deleting entries,
+is that we do get a TimeWait effect; a TID no longer in use, will occupy
+the XArray or IDR for CM_CLEANUP_CACHE_TIMEOUT time, without any ability
+of being re-used for that time period.
+
+Fixes: 3cf69cc8dbeb ("IB/mlx4: Add CM paravirtualization")
+Link: https://lore.kernel.org/r/20200123155521.1212288-1-haakon.bugge@oracle.com
+Signed-off-by: Håkon Bugge <haakon.bugge@oracle.com>
+Signed-off-by: Manjunath Patil <manjunath.b.patil@oracle.com>
+Reviewed-by: Rama Nichanamatlu <rama.nichanamatlu@oracle.com>
+Reviewed-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx4/cm.c | 29 +++--------------------------
+ 1 file changed, 3 insertions(+), 26 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx4/cm.c
++++ b/drivers/infiniband/hw/mlx4/cm.c
+@@ -186,23 +186,6 @@ out:
+ kfree(ent);
+ }
+
+-static void id_map_find_del(struct ib_device *ibdev, int pv_cm_id)
+-{
+- struct mlx4_ib_sriov *sriov = &to_mdev(ibdev)->sriov;
+- struct rb_root *sl_id_map = &sriov->sl_id_map;
+- struct id_map_entry *ent, *found_ent;
+-
+- spin_lock(&sriov->id_map_lock);
+- ent = xa_erase(&sriov->pv_id_table, pv_cm_id);
+- if (!ent)
+- goto out;
+- found_ent = id_map_find_by_sl_id(ibdev, ent->slave_id, ent->sl_cm_id);
+- if (found_ent && found_ent == ent)
+- rb_erase(&found_ent->node, sl_id_map);
+-out:
+- spin_unlock(&sriov->id_map_lock);
+-}
+-
+ static void sl_id_map_add(struct ib_device *ibdev, struct id_map_entry *new)
+ {
+ struct rb_root *sl_id_map = &to_mdev(ibdev)->sriov.sl_id_map;
+@@ -294,7 +277,7 @@ static void schedule_delayed(struct ib_d
+ spin_lock(&sriov->id_map_lock);
+ spin_lock_irqsave(&sriov->going_down_lock, flags);
+ /*make sure that there is no schedule inside the scheduled work.*/
+- if (!sriov->is_going_down) {
++ if (!sriov->is_going_down && !id->scheduled_delete) {
+ id->scheduled_delete = 1;
+ schedule_delayed_work(&id->timeout, CM_CLEANUP_CACHE_TIMEOUT);
+ }
+@@ -341,9 +324,6 @@ cont:
+
+ if (mad->mad_hdr.attr_id == CM_DREQ_ATTR_ID)
+ schedule_delayed(ibdev, id);
+- else if (mad->mad_hdr.attr_id == CM_DREP_ATTR_ID)
+- id_map_find_del(ibdev, pv_cm_id);
+-
+ return 0;
+ }
+
+@@ -382,12 +362,9 @@ int mlx4_ib_demux_cm_handler(struct ib_d
+ *slave = id->slave_id;
+ set_remote_comm_id(mad, id->sl_cm_id);
+
+- if (mad->mad_hdr.attr_id == CM_DREQ_ATTR_ID)
++ if (mad->mad_hdr.attr_id == CM_DREQ_ATTR_ID ||
++ mad->mad_hdr.attr_id == CM_REJ_ATTR_ID)
+ schedule_delayed(ibdev, id);
+- else if (mad->mad_hdr.attr_id == CM_REJ_ATTR_ID ||
+- mad->mad_hdr.attr_id == CM_DREP_ATTR_ID) {
+- id_map_find_del(ibdev, (int) pv_cm_id);
+- }
+
+ return 0;
+ }
--- /dev/null
+From eaad647e5cc27f7b46a27f3b85b14c4c8a64bffa Mon Sep 17 00:00:00 2001
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Date: Wed, 15 Jan 2020 10:50:50 +0200
+Subject: IB/mlx4: Fix memory leak in add_gid error flow
+
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+
+commit eaad647e5cc27f7b46a27f3b85b14c4c8a64bffa upstream.
+
+In procedure mlx4_ib_add_gid(), if the driver is unable to update the FW
+gid table, there is a memory leak in the driver's copy of the gid table:
+the gid entry's context buffer is not freed.
+
+If such an error occurs, free the entry's context buffer, and mark the
+entry as available (by setting its context pointer to NULL).
+
+Fixes: e26be1bfef81 ("IB/mlx4: Implement ib_device callbacks")
+Link: https://lore.kernel.org/r/20200115085050.73746-1-leon@kernel.org
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Reviewed-by: Parav Pandit <parav@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx4/main.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx4/main.c
++++ b/drivers/infiniband/hw/mlx4/main.c
+@@ -246,6 +246,13 @@ static int mlx4_ib_update_gids(struct gi
+ return mlx4_ib_update_gids_v1(gids, ibdev, port_num);
+ }
+
++static void free_gid_entry(struct gid_entry *entry)
++{
++ memset(&entry->gid, 0, sizeof(entry->gid));
++ kfree(entry->ctx);
++ entry->ctx = NULL;
++}
++
+ static int mlx4_ib_add_gid(const struct ib_gid_attr *attr, void **context)
+ {
+ struct mlx4_ib_dev *ibdev = to_mdev(attr->device);
+@@ -306,6 +313,8 @@ static int mlx4_ib_add_gid(const struct
+ GFP_ATOMIC);
+ if (!gids) {
+ ret = -ENOMEM;
++ *context = NULL;
++ free_gid_entry(&port_gid_table->gids[free]);
+ } else {
+ for (i = 0; i < MLX4_MAX_PORT_GIDS; i++) {
+ memcpy(&gids[i].gid, &port_gid_table->gids[i].gid, sizeof(union ib_gid));
+@@ -317,6 +326,12 @@ static int mlx4_ib_add_gid(const struct
+
+ if (!ret && hw_update) {
+ ret = mlx4_ib_update_gids(gids, ibdev, attr->port_num);
++ if (ret) {
++ spin_lock_bh(&iboe->lock);
++ *context = NULL;
++ free_gid_entry(&port_gid_table->gids[free]);
++ spin_unlock_bh(&iboe->lock);
++ }
+ kfree(gids);
+ }
+
+@@ -346,10 +361,7 @@ static int mlx4_ib_del_gid(const struct
+ if (!ctx->refcount) {
+ unsigned int real_index = ctx->real_index;
+
+- memset(&port_gid_table->gids[real_index].gid, 0,
+- sizeof(port_gid_table->gids[real_index].gid));
+- kfree(port_gid_table->gids[real_index].ctx);
+- port_gid_table->gids[real_index].ctx = NULL;
++ free_gid_entry(&port_gid_table->gids[real_index]);
+ hw_update = 1;
+ }
+ }
--- /dev/null
+From 0fbb37dd82998b5c83355997b3bdba2806968ac7 Mon Sep 17 00:00:00 2001
+From: Sergey Gorenko <sergeygo@mellanox.com>
+Date: Wed, 15 Jan 2020 13:30:55 +0000
+Subject: IB/srp: Never use immediate data if it is disabled by a user
+
+From: Sergey Gorenko <sergeygo@mellanox.com>
+
+commit 0fbb37dd82998b5c83355997b3bdba2806968ac7 upstream.
+
+Some SRP targets that do not support specification SRP-2, put the garbage
+to the reserved bits of the SRP login response. The problem was not
+detected for a long time because the SRP initiator ignored those bits. But
+now one of them is used as SRP_LOGIN_RSP_IMMED_SUPP. And it causes a
+critical error on the target when the initiator sends immediate data.
+
+The ib_srp module has a use_imm_date parameter to enable or disable
+immediate data manually. But it does not help in the above case, because
+use_imm_date is ignored at handling the SRP login response. The problem is
+definitely caused by a bug on the target side, but the initiator's
+behavior also does not look correct. The initiator should not use
+immediate data if use_imm_date is disabled by a user.
+
+This commit adds an additional checking of use_imm_date at the handling of
+SRP login response to avoid unexpected use of immediate data.
+
+Fixes: 882981f4a411 ("RDMA/srp: Add support for immediate data")
+Link: https://lore.kernel.org/r/20200115133055.30232-1-sergeygo@mellanox.com
+Signed-off-by: Sergey Gorenko <sergeygo@mellanox.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/srp/ib_srp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/ulp/srp/ib_srp.c
++++ b/drivers/infiniband/ulp/srp/ib_srp.c
+@@ -2536,7 +2536,8 @@ static void srp_cm_rep_handler(struct ib
+ if (lrsp->opcode == SRP_LOGIN_RSP) {
+ ch->max_ti_iu_len = be32_to_cpu(lrsp->max_ti_iu_len);
+ ch->req_lim = be32_to_cpu(lrsp->req_lim_delta);
+- ch->use_imm_data = lrsp->rsp_flags & SRP_LOGIN_RSP_IMMED_SUPP;
++ ch->use_imm_data = srp_use_imm_data &&
++ (lrsp->rsp_flags & SRP_LOGIN_RSP_IMMED_SUPP);
+ ch->max_it_iu_len = srp_max_it_iu_len(target->cmd_sg_cnt,
+ ch->use_imm_data);
+ WARN_ON_ONCE(ch->max_it_iu_len >
--- /dev/null
+From cc4255eff523f25187bb95561642941de0e57497 Mon Sep 17 00:00:00 2001
+From: Avraham Stern <avraham.stern@intel.com>
+Date: Fri, 31 Jan 2020 15:45:27 +0200
+Subject: iwlwifi: mvm: avoid use after free for pmsr request
+
+From: Avraham Stern <avraham.stern@intel.com>
+
+commit cc4255eff523f25187bb95561642941de0e57497 upstream.
+
+When a FTM request is aborted, the driver sends the abort command to
+the fw and waits for a response. When the response arrives, the driver
+calls cfg80211_pmsr_complete() for that request.
+However, cfg80211 frees the requested data immediately after sending
+the abort command, so this may lead to use after free.
+
+Fix it by clearing the request data in the driver when the abort
+command arrives and ignoring the fw notification that will come
+afterwards.
+
+Signed-off-by: Avraham Stern <avraham.stern@intel.com>
+Fixes: fc36ffda3267 ("iwlwifi: mvm: support FTM initiator")
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c
+@@ -8,6 +8,7 @@
+ * Copyright(c) 2015 - 2017 Intel Deutschland GmbH
+ * Copyright (C) 2018 Intel Corporation
+ * Copyright (C) 2019 Intel Corporation
++ * Copyright (C) 2020 Intel Corporation
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+@@ -30,6 +31,7 @@
+ * Copyright(c) 2015 - 2017 Intel Deutschland GmbH
+ * Copyright (C) 2018 Intel Corporation
+ * Copyright (C) 2019 Intel Corporation
++ * Copyright (C) 2020 Intel Corporation
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+@@ -389,6 +391,8 @@ void iwl_mvm_ftm_abort(struct iwl_mvm *m
+ if (req != mvm->ftm_initiator.req)
+ return;
+
++ iwl_mvm_ftm_reset(mvm);
++
+ if (iwl_mvm_send_cmd_pdu(mvm, iwl_cmd_id(TOF_RANGE_ABORT_CMD,
+ LOCATION_GROUP, 0),
+ 0, sizeof(cmd), &cmd))
+@@ -502,7 +506,6 @@ void iwl_mvm_ftm_range_resp(struct iwl_m
+ lockdep_assert_held(&mvm->mutex);
+
+ if (!mvm->ftm_initiator.req) {
+- IWL_ERR(mvm, "Got FTM response but have no request?\n");
+ return;
+ }
+
--- /dev/null
+From 118b6292195cfb86a9f43cb65610fc6d980c65f4 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trondmy@gmail.com>
+Date: Mon, 6 Jan 2020 15:25:06 -0500
+Subject: NFS: Fix fix of show_nfs_errors
+
+From: Trond Myklebust <trondmy@gmail.com>
+
+commit 118b6292195cfb86a9f43cb65610fc6d980c65f4 upstream.
+
+Casting a negative value to an unsigned long is not the same as
+converting it to its absolute value.
+
+Fixes: 96650e2effa2 ("NFS: Fix show_nfs_errors macros again")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4trace.h | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+--- a/fs/nfs/nfs4trace.h
++++ b/fs/nfs/nfs4trace.h
+@@ -352,7 +352,7 @@ DECLARE_EVENT_CLASS(nfs4_clientid_event,
+ ),
+
+ TP_fast_assign(
+- __entry->error = error;
++ __entry->error = error < 0 ? -error : 0;
+ __assign_str(dstaddr, clp->cl_hostname);
+ ),
+
+@@ -432,7 +432,8 @@ TRACE_EVENT(nfs4_sequence_done,
+ __entry->target_highest_slotid =
+ res->sr_target_highest_slotid;
+ __entry->status_flags = res->sr_status_flags;
+- __entry->error = res->sr_status;
++ __entry->error = res->sr_status < 0 ?
++ -res->sr_status : 0;
+ ),
+ TP_printk(
+ "error=%ld (%s) session=0x%08x slot_nr=%u seq_nr=%u "
+@@ -566,7 +567,7 @@ TRACE_EVENT(nfs4_xdr_status,
+ TP_PROTO(
+ const struct xdr_stream *xdr,
+ u32 op,
+- int error
++ u32 error
+ ),
+
+ TP_ARGS(xdr, op, error),
+@@ -756,7 +757,7 @@ TRACE_EVENT(nfs4_close,
+ __entry->fileid = NFS_FILEID(inode);
+ __entry->fhandle = nfs_fhandle_hash(NFS_FH(inode));
+ __entry->fmode = (__force unsigned int)state->state;
+- __entry->error = error;
++ __entry->error = error < 0 ? -error : 0;
+ __entry->stateid_seq =
+ be32_to_cpu(args->stateid.seqid);
+ __entry->stateid_hash =
+@@ -821,7 +822,7 @@ DECLARE_EVENT_CLASS(nfs4_lock_event,
+ TP_fast_assign(
+ const struct inode *inode = state->inode;
+
+- __entry->error = error;
++ __entry->error = error < 0 ? -error : 0;
+ __entry->cmd = cmd;
+ __entry->type = request->fl_type;
+ __entry->start = request->fl_start;
+@@ -893,7 +894,7 @@ TRACE_EVENT(nfs4_set_lock,
+ TP_fast_assign(
+ const struct inode *inode = state->inode;
+
+- __entry->error = error;
++ __entry->error = error < 0 ? -error : 0;
+ __entry->cmd = cmd;
+ __entry->type = request->fl_type;
+ __entry->start = request->fl_start;
+@@ -989,7 +990,7 @@ TRACE_EVENT(nfs4_delegreturn_exit,
+ TP_fast_assign(
+ __entry->dev = res->server->s_dev;
+ __entry->fhandle = nfs_fhandle_hash(args->fhandle);
+- __entry->error = error;
++ __entry->error = error < 0 ? -error : 0;
+ __entry->stateid_seq =
+ be32_to_cpu(args->stateid->seqid);
+ __entry->stateid_hash =
+@@ -1029,7 +1030,7 @@ DECLARE_EVENT_CLASS(nfs4_test_stateid_ev
+ TP_fast_assign(
+ const struct inode *inode = state->inode;
+
+- __entry->error = error;
++ __entry->error = error < 0 ? -error : 0;
+ __entry->dev = inode->i_sb->s_dev;
+ __entry->fileid = NFS_FILEID(inode);
+ __entry->fhandle = nfs_fhandle_hash(NFS_FH(inode));
+@@ -1131,7 +1132,7 @@ TRACE_EVENT(nfs4_lookupp,
+ TP_fast_assign(
+ __entry->dev = inode->i_sb->s_dev;
+ __entry->ino = NFS_FILEID(inode);
+- __entry->error = error;
++ __entry->error = error < 0 ? -error : 0;
+ ),
+
+ TP_printk(
+@@ -1167,7 +1168,7 @@ TRACE_EVENT(nfs4_rename,
+ __entry->dev = olddir->i_sb->s_dev;
+ __entry->olddir = NFS_FILEID(olddir);
+ __entry->newdir = NFS_FILEID(newdir);
+- __entry->error = error;
++ __entry->error = error < 0 ? -error : 0;
+ __assign_str(oldname, oldname->name);
+ __assign_str(newname, newname->name);
+ ),
+@@ -1258,7 +1259,7 @@ DECLARE_EVENT_CLASS(nfs4_inode_stateid_e
+ __entry->dev = inode->i_sb->s_dev;
+ __entry->fileid = NFS_FILEID(inode);
+ __entry->fhandle = nfs_fhandle_hash(NFS_FH(inode));
+- __entry->error = error;
++ __entry->error = error < 0 ? -error : 0;
+ __entry->stateid_seq =
+ be32_to_cpu(stateid->seqid);
+ __entry->stateid_hash =
+@@ -1314,7 +1315,7 @@ DECLARE_EVENT_CLASS(nfs4_getattr_event,
+ __entry->valid = fattr->valid;
+ __entry->fhandle = nfs_fhandle_hash(fhandle);
+ __entry->fileid = (fattr->valid & NFS_ATTR_FATTR_FILEID) ? fattr->fileid : 0;
+- __entry->error = error;
++ __entry->error = error < 0 ? -error : 0;
+ ),
+
+ TP_printk(
+@@ -1361,7 +1362,7 @@ DECLARE_EVENT_CLASS(nfs4_inode_callback_
+ ),
+
+ TP_fast_assign(
+- __entry->error = error;
++ __entry->error = error < 0 ? -error : 0;
+ __entry->fhandle = nfs_fhandle_hash(fhandle);
+ if (!IS_ERR_OR_NULL(inode)) {
+ __entry->fileid = NFS_FILEID(inode);
+@@ -1418,7 +1419,7 @@ DECLARE_EVENT_CLASS(nfs4_inode_stateid_c
+ ),
+
+ TP_fast_assign(
+- __entry->error = error;
++ __entry->error = error < 0 ? -error : 0;
+ __entry->fhandle = nfs_fhandle_hash(fhandle);
+ if (!IS_ERR_OR_NULL(inode)) {
+ __entry->fileid = NFS_FILEID(inode);
+@@ -1721,7 +1722,7 @@ TRACE_EVENT(nfs4_layoutget,
+ __entry->iomode = args->iomode;
+ __entry->offset = args->offset;
+ __entry->count = args->length;
+- __entry->error = error;
++ __entry->error = error < 0 ? -error : 0;
+ __entry->stateid_seq =
+ be32_to_cpu(state->stateid.seqid);
+ __entry->stateid_hash =
--- /dev/null
+From 474c4f306eefbb21b67ebd1de802d005c7d7ecdc Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Mon, 30 Dec 2019 16:32:38 +0100
+Subject: nfs: NFS_SWAP should depend on SWAP
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit 474c4f306eefbb21b67ebd1de802d005c7d7ecdc upstream.
+
+If CONFIG_SWAP=n, it does not make much sense to offer the user the
+option to enable support for swapping over NFS, as that will still fail
+at run time:
+
+ # swapon /swap
+ swapon: /swap: swapon failed: Function not implemented
+
+Fix this by adding a dependency on CONFIG_SWAP.
+
+Fixes: a564b8f0398636ba ("nfs: enable swap on NFS")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/Kconfig
++++ b/fs/nfs/Kconfig
+@@ -90,7 +90,7 @@ config NFS_V4
+ config NFS_SWAP
+ bool "Provide swap over NFS support"
+ default n
+- depends on NFS_FS
++ depends on NFS_FS && SWAP
+ select SUNRPC_SWAP
+ help
+ This option enables swapon to work on files located on NFS mounts.
--- /dev/null
+From 221203ce6406273cf00e5c6397257d986c003ee6 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trondmy@gmail.com>
+Date: Mon, 6 Jan 2020 15:25:04 -0500
+Subject: NFS/pnfs: Fix pnfs_generic_prepare_to_resend_writes()
+
+From: Trond Myklebust <trondmy@gmail.com>
+
+commit 221203ce6406273cf00e5c6397257d986c003ee6 upstream.
+
+Instead of making assumptions about the commit verifier contents, change
+the commit code to ensure we always check that the verifier was set
+by the XDR code.
+
+Fixes: f54bcf2ecee9 ("pnfs: Prepare for flexfiles by pulling out common code")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/direct.c | 4 ++--
+ fs/nfs/nfs3xdr.c | 5 ++++-
+ fs/nfs/nfs4xdr.c | 5 ++++-
+ fs/nfs/pnfs_nfs.c | 7 +++----
+ fs/nfs/write.c | 4 +++-
+ 5 files changed, 16 insertions(+), 9 deletions(-)
+
+--- a/fs/nfs/direct.c
++++ b/fs/nfs/direct.c
+@@ -245,10 +245,10 @@ static int nfs_direct_cmp_commit_data_ve
+ data->ds_commit_index);
+
+ /* verifier not set so always fail */
+- if (verfp->committed < 0)
++ if (verfp->committed < 0 || data->res.verf->committed <= NFS_UNSTABLE)
+ return 1;
+
+- return nfs_direct_cmp_verf(verfp, &data->verf);
++ return nfs_direct_cmp_verf(verfp, data->res.verf);
+ }
+
+ /**
+--- a/fs/nfs/nfs3xdr.c
++++ b/fs/nfs/nfs3xdr.c
+@@ -2338,6 +2338,7 @@ static int nfs3_xdr_dec_commit3res(struc
+ void *data)
+ {
+ struct nfs_commitres *result = data;
++ struct nfs_writeverf *verf = result->verf;
+ enum nfs_stat status;
+ int error;
+
+@@ -2350,7 +2351,9 @@ static int nfs3_xdr_dec_commit3res(struc
+ result->op_status = status;
+ if (status != NFS3_OK)
+ goto out_status;
+- error = decode_writeverf3(xdr, &result->verf->verifier);
++ error = decode_writeverf3(xdr, &verf->verifier);
++ if (!error)
++ verf->committed = NFS_FILE_SYNC;
+ out:
+ return error;
+ out_status:
+--- a/fs/nfs/nfs4xdr.c
++++ b/fs/nfs/nfs4xdr.c
+@@ -4316,11 +4316,14 @@ static int decode_write_verifier(struct
+
+ static int decode_commit(struct xdr_stream *xdr, struct nfs_commitres *res)
+ {
++ struct nfs_writeverf *verf = res->verf;
+ int status;
+
+ status = decode_op_hdr(xdr, OP_COMMIT);
+ if (!status)
+- status = decode_write_verifier(xdr, &res->verf->verifier);
++ status = decode_write_verifier(xdr, &verf->verifier);
++ if (!status)
++ verf->committed = NFS_FILE_SYNC;
+ return status;
+ }
+
+--- a/fs/nfs/pnfs_nfs.c
++++ b/fs/nfs/pnfs_nfs.c
+@@ -31,12 +31,11 @@ EXPORT_SYMBOL_GPL(pnfs_generic_rw_releas
+ /* Fake up some data that will cause nfs_commit_release to retry the writes. */
+ void pnfs_generic_prepare_to_resend_writes(struct nfs_commit_data *data)
+ {
+- struct nfs_page *first = nfs_list_entry(data->pages.next);
++ struct nfs_writeverf *verf = data->res.verf;
+
+ data->task.tk_status = 0;
+- memcpy(&data->verf.verifier, &first->wb_verf,
+- sizeof(data->verf.verifier));
+- data->verf.verifier.data[0]++; /* ensure verifier mismatch */
++ memset(&verf->verifier, 0, sizeof(verf->verifier));
++ verf->committed = NFS_UNSTABLE;
+ }
+ EXPORT_SYMBOL_GPL(pnfs_generic_prepare_to_resend_writes);
+
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -1837,6 +1837,7 @@ static void nfs_commit_done(struct rpc_t
+
+ static void nfs_commit_release_pages(struct nfs_commit_data *data)
+ {
++ const struct nfs_writeverf *verf = data->res.verf;
+ struct nfs_page *req;
+ int status = data->task.tk_status;
+ struct nfs_commit_info cinfo;
+@@ -1864,7 +1865,8 @@ static void nfs_commit_release_pages(str
+
+ /* Okay, COMMIT succeeded, apparently. Check the verifier
+ * returned by the server against all stored verfs. */
+- if (!nfs_write_verifier_cmp(&req->wb_verf, &data->verf.verifier)) {
++ if (verf->committed > NFS_UNSTABLE &&
++ !nfs_write_verifier_cmp(&req->wb_verf, &verf->verifier)) {
+ /* We have a match */
+ if (req->wb_page)
+ nfs_inode_remove_request(req);
--- /dev/null
+From 0df68ced55443243951d02cc497be31fadf28173 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trondmy@gmail.com>
+Date: Mon, 6 Jan 2020 15:25:00 -0500
+Subject: NFS: Revalidate the file size on a fatal write error
+
+From: Trond Myklebust <trondmy@gmail.com>
+
+commit 0df68ced55443243951d02cc497be31fadf28173 upstream.
+
+If we suffer a fatal error upon writing a file, which causes us to
+need to revalidate the entire mapping, then we should also revalidate
+the file size.
+
+Fixes: d2ceb7e57086 ("NFS: Don't use page_file_mapping after removing the page")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/write.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -243,7 +243,15 @@ out:
+ /* A writeback failed: mark the page as bad, and invalidate the page cache */
+ static void nfs_set_pageerror(struct address_space *mapping)
+ {
++ struct inode *inode = mapping->host;
++
+ nfs_zap_mapping(mapping->host, mapping);
++ /* Force file size revalidation */
++ spin_lock(&inode->i_lock);
++ NFS_I(inode)->cache_validity |= NFS_INO_REVAL_FORCED |
++ NFS_INO_REVAL_PAGECACHE |
++ NFS_INO_INVALID_SIZE;
++ spin_unlock(&inode->i_lock);
+ }
+
+ static void nfs_mapping_set_error(struct page *page, int error)
--- /dev/null
+From 2e577f0faca4640348c398cb85d60a1eedac4b1e Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia <olga.kornievskaia@gmail.com>
+Date: Wed, 4 Dec 2019 15:13:54 -0500
+Subject: NFSD fixing possible null pointer derefering in copy offload
+
+From: Olga Kornievskaia <olga.kornievskaia@gmail.com>
+
+commit 2e577f0faca4640348c398cb85d60a1eedac4b1e upstream.
+
+Static checker revealed possible error path leading to possible
+NULL pointer dereferencing.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Fixes: e0639dc5805a: ("NFSD introduce async copy feature")
+Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4proc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1223,7 +1223,8 @@ static void cleanup_async_copy(struct nf
+ {
+ nfs4_free_cp_state(copy);
+ nfsd_file_put(copy->nf_dst);
+- nfsd_file_put(copy->nf_src);
++ if (copy->cp_intra)
++ nfsd_file_put(copy->nf_src);
+ spin_lock(©->cp_clp->async_lock);
+ list_del(©->copies);
+ spin_unlock(©->cp_clp->async_lock);
--- /dev/null
+From 387122478775be5d9816c34aa29de53d0b926835 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trondmy@gmail.com>
+Date: Sun, 26 Jan 2020 17:31:13 -0500
+Subject: NFSv4: pnfs_roc() must use cred_fscmp() to compare creds
+
+From: Trond Myklebust <trondmy@gmail.com>
+
+commit 387122478775be5d9816c34aa29de53d0b926835 upstream.
+
+When comparing two 'struct cred' for equality w.r.t. behaviour under
+filesystem access, we need to use cred_fscmp().
+
+Fixes: a52458b48af1 ("NFS/NFSD/SUNRPC: replace generic creds with 'struct cred'.")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/pnfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -1425,7 +1425,7 @@ retry:
+ /* lo ref dropped in pnfs_roc_release() */
+ layoutreturn = pnfs_prepare_layoutreturn(lo, &stateid, &iomode);
+ /* If the creds don't match, we can't compound the layoutreturn */
+- if (!layoutreturn || cred != lo->plh_lc_cred)
++ if (!layoutreturn || cred_fscmp(cred, lo->plh_lc_cred) != 0)
+ goto out_noroc;
+
+ roc = layoutreturn;
--- /dev/null
+From 924491f2e476f7234d722b24171a4daff61bbe13 Mon Sep 17 00:00:00 2001
+From: Robert Milkowski <rmilkowski@gmail.com>
+Date: Tue, 28 Jan 2020 08:37:47 +0000
+Subject: NFSv4: try lease recovery on NFS4ERR_EXPIRED
+
+From: Robert Milkowski <rmilkowski@gmail.com>
+
+commit 924491f2e476f7234d722b24171a4daff61bbe13 upstream.
+
+Currently, if an nfs server returns NFS4ERR_EXPIRED to open(),
+we return EIO to applications without even trying to recover.
+
+Fixes: 272289a3df72 ("NFSv4: nfs4_do_handle_exception() handle revoke/expiry of a single stateid")
+Signed-off-by: Robert Milkowski <rmilkowski@gmail.com>
+Reviewed-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4proc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -3187,6 +3187,11 @@ static struct nfs4_state *nfs4_do_open(s
+ exception.retry = 1;
+ continue;
+ }
++ if (status == -NFS4ERR_EXPIRED) {
++ nfs4_schedule_lease_recovery(server->nfs_client);
++ exception.retry = 1;
++ continue;
++ }
+ if (status == -EAGAIN) {
+ /* We must have found a delegation */
+ exception.retry = 1;
--- /dev/null
+From 7dc2993a9e51dd2eee955944efec65bef90265b7 Mon Sep 17 00:00:00 2001
+From: Robert Milkowski <rmilkowski@gmail.com>
+Date: Thu, 30 Jan 2020 09:43:25 +0000
+Subject: NFSv4.0: nfs4_do_fsinfo() should not do implicit lease renewals
+
+From: Robert Milkowski <rmilkowski@gmail.com>
+
+commit 7dc2993a9e51dd2eee955944efec65bef90265b7 upstream.
+
+Currently, each time nfs4_do_fsinfo() is called it will do an implicit
+NFS4 lease renewal, which is not compliant with the NFS4 specification.
+This can result in a lease being expired by an NFS server.
+
+Commit 83ca7f5ab31f ("NFS: Avoid PUTROOTFH when managing leases")
+introduced implicit client lease renewal in nfs4_do_fsinfo(),
+which can result in the NFSv4.0 lease to expire on a server side,
+and servers returning NFS4ERR_EXPIRED or NFS4ERR_STALE_CLIENTID.
+
+This can easily be reproduced by frequently unmounting a sub-mount,
+then stat'ing it to get it mounted again, which will delay or even
+completely prevent client from sending RENEW operations if no other
+NFS operations are issued. Eventually nfs server will expire client's
+lease and return an error on file access or next RENEW.
+
+This can also happen when a sub-mount is automatically unmounted
+due to inactivity (after nfs_mountpoint_expiry_timeout), then it is
+mounted again via stat(). This can result in a short window during
+which client's lease will expire on a server but not on a client.
+This specific case was observed on production systems.
+
+This patch removes the implicit lease renewal from nfs4_do_fsinfo().
+
+Fixes: 83ca7f5ab31f ("NFS: Avoid PUTROOTFH when managing leases")
+Signed-off-by: Robert Milkowski <rmilkowski@gmail.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4_fs.h | 4 +---
+ fs/nfs/nfs4proc.c | 12 ++++++++----
+ fs/nfs/nfs4renewd.c | 5 +----
+ fs/nfs/nfs4state.c | 4 +---
+ 4 files changed, 11 insertions(+), 14 deletions(-)
+
+--- a/fs/nfs/nfs4_fs.h
++++ b/fs/nfs/nfs4_fs.h
+@@ -439,9 +439,7 @@ extern void nfs4_schedule_state_renewal(
+ extern void nfs4_renewd_prepare_shutdown(struct nfs_server *);
+ extern void nfs4_kill_renewd(struct nfs_client *);
+ extern void nfs4_renew_state(struct work_struct *);
+-extern void nfs4_set_lease_period(struct nfs_client *clp,
+- unsigned long lease,
+- unsigned long lastrenewed);
++extern void nfs4_set_lease_period(struct nfs_client *clp, unsigned long lease);
+
+
+ /* nfs4state.c */
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -5024,16 +5024,13 @@ static int nfs4_do_fsinfo(struct nfs_ser
+ struct nfs4_exception exception = {
+ .interruptible = true,
+ };
+- unsigned long now = jiffies;
+ int err;
+
+ do {
+ err = _nfs4_do_fsinfo(server, fhandle, fsinfo);
+ trace_nfs4_fsinfo(server, fhandle, fsinfo->fattr, err);
+ if (err == 0) {
+- nfs4_set_lease_period(server->nfs_client,
+- fsinfo->lease_time * HZ,
+- now);
++ nfs4_set_lease_period(server->nfs_client, fsinfo->lease_time * HZ);
+ break;
+ }
+ err = nfs4_handle_exception(server, err, &exception);
+@@ -6089,6 +6086,7 @@ int nfs4_proc_setclientid(struct nfs_cli
+ .callback_data = &setclientid,
+ .flags = RPC_TASK_TIMEOUT | RPC_TASK_NO_ROUND_ROBIN,
+ };
++ unsigned long now = jiffies;
+ int status;
+
+ /* nfs_client_id4 */
+@@ -6121,6 +6119,9 @@ int nfs4_proc_setclientid(struct nfs_cli
+ clp->cl_acceptor = rpcauth_stringify_acceptor(setclientid.sc_cred);
+ put_rpccred(setclientid.sc_cred);
+ }
++
++ if (status == 0)
++ do_renew_lease(clp, now);
+ out:
+ trace_nfs4_setclientid(clp, status);
+ dprintk("NFS reply setclientid: %d\n", status);
+@@ -8204,6 +8205,7 @@ static int _nfs4_proc_exchange_id(struct
+ struct rpc_task *task;
+ struct nfs41_exchange_id_args *argp;
+ struct nfs41_exchange_id_res *resp;
++ unsigned long now = jiffies;
+ int status;
+
+ task = nfs4_run_exchange_id(clp, cred, sp4_how, NULL);
+@@ -8224,6 +8226,8 @@ static int _nfs4_proc_exchange_id(struct
+ if (status != 0)
+ goto out;
+
++ do_renew_lease(clp, now);
++
+ clp->cl_clientid = resp->clientid;
+ clp->cl_exchange_flags = resp->flags;
+ clp->cl_seqid = resp->seqid;
+--- a/fs/nfs/nfs4renewd.c
++++ b/fs/nfs/nfs4renewd.c
+@@ -138,15 +138,12 @@ nfs4_kill_renewd(struct nfs_client *clp)
+ *
+ * @clp: pointer to nfs_client
+ * @lease: new value for lease period
+- * @lastrenewed: time at which lease was last renewed
+ */
+ void nfs4_set_lease_period(struct nfs_client *clp,
+- unsigned long lease,
+- unsigned long lastrenewed)
++ unsigned long lease)
+ {
+ spin_lock(&clp->cl_lock);
+ clp->cl_lease_time = lease;
+- clp->cl_last_renewal = lastrenewed;
+ spin_unlock(&clp->cl_lock);
+
+ /* Cap maximum reconnect timeout at 1/2 lease period */
+--- a/fs/nfs/nfs4state.c
++++ b/fs/nfs/nfs4state.c
+@@ -91,17 +91,15 @@ static int nfs4_setup_state_renewal(stru
+ {
+ int status;
+ struct nfs_fsinfo fsinfo;
+- unsigned long now;
+
+ if (!test_bit(NFS_CS_CHECK_LEASE_TIME, &clp->cl_res_state)) {
+ nfs4_schedule_state_renewal(clp);
+ return 0;
+ }
+
+- now = jiffies;
+ status = nfs4_proc_get_lease_time(clp, &fsinfo);
+ if (status == 0) {
+- nfs4_set_lease_period(clp, fsinfo.lease_time * HZ, now);
++ nfs4_set_lease_period(clp, fsinfo.lease_time * HZ);
+ nfs4_schedule_state_renewal(clp);
+ }
+
--- /dev/null
+From d95f20c4f07020ebc605f3b46af4b6db9eb5fc99 Mon Sep 17 00:00:00 2001
+From: Dongdong Liu <liudongdong3@huawei.com>
+Date: Thu, 23 Jan 2020 16:26:31 +0800
+Subject: PCI/AER: Initialize aer_fifo
+
+From: Dongdong Liu <liudongdong3@huawei.com>
+
+commit d95f20c4f07020ebc605f3b46af4b6db9eb5fc99 upstream.
+
+Previously we did not call INIT_KFIFO() for aer_fifo. This leads to
+kfifo_put() sometimes returning 0 (queue full) when in fact it is not.
+
+It is easy to reproduce the problem by using aer-inject:
+
+ $ aer-inject -s :82:00.0 multiple-corr-nonfatal
+
+The content of the multiple-corr-nonfatal file is as below:
+
+ AER
+ COR RCVR
+ HL 0 1 2 3
+ AER
+ UNCOR POISON_TLP
+ HL 4 5 6 7
+
+Fixes: 27c1ce8bbed7 ("PCI/AER: Use kfifo for tracking events instead of reimplementing it")
+Link: https://lore.kernel.org/r/1579767991-103898-1-git-send-email-liudongdong3@huawei.com
+Signed-off-by: Dongdong Liu <liudongdong3@huawei.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/pcie/aer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/pci/pcie/aer.c
++++ b/drivers/pci/pcie/aer.c
+@@ -1387,6 +1387,7 @@ static int aer_probe(struct pcie_device
+ return -ENOMEM;
+
+ rpc->rpd = port;
++ INIT_KFIFO(rpc->aer_fifo);
+ set_service_data(dev, rpc);
+
+ status = devm_request_threaded_irq(device, dev->irq, aer_irq, aer_isr,
--- /dev/null
+From 9db8dc6d0785225c42a37be7b44d1b07b31b8957 Mon Sep 17 00:00:00 2001
+From: Logan Gunthorpe <logang@deltatee.com>
+Date: Wed, 8 Jan 2020 14:32:08 -0700
+Subject: PCI: Don't disable bridge BARs when assigning bus resources
+
+From: Logan Gunthorpe <logang@deltatee.com>
+
+commit 9db8dc6d0785225c42a37be7b44d1b07b31b8957 upstream.
+
+Some PCI bridges implement BARs in addition to bridge windows. For
+example, here's a PLX switch:
+
+ 04:00.0 PCI bridge: PLX Technology, Inc. PEX 8724 24-Lane, 6-Port PCI
+ Express Gen 3 (8 GT/s) Switch, 19 x 19mm FCBGA (rev ca)
+ (prog-if 00 [Normal decode])
+ Flags: bus master, fast devsel, latency 0, IRQ 30, NUMA node 0
+ Memory at 90a00000 (32-bit, non-prefetchable) [size=256K]
+ Bus: primary=04, secondary=05, subordinate=0a, sec-latency=0
+ I/O behind bridge: 00002000-00003fff
+ Memory behind bridge: 90000000-909fffff
+ Prefetchable memory behind bridge: 0000380000800000-0000380000bfffff
+
+Previously, when the kernel assigned resource addresses (with the
+pci=realloc command line parameter, for example) it could clear the struct
+resource corresponding to the BAR. When this happened, lspci would report
+this BAR as "ignored":
+
+ Region 0: Memory at <ignored> (32-bit, non-prefetchable) [size=256K]
+
+This is because the kernel reports a zero start address and zero flags
+in the corresponding sysfs resource file and in /proc/bus/pci/devices.
+Investigation with 'lspci -x', however, shows the BIOS-assigned address
+will still be programmed in the device's BAR registers.
+
+It's clearly a bug that the kernel lost track of the BAR value, but in most
+cases, this still won't result in a visible issue because nothing uses the
+memory, so nothing is affected. However, when an IOMMU is in use, it will
+not reserve this space in the IOVA because the kernel no longer thinks the
+range is valid. (See dmar_init_reserved_ranges() for the Intel
+implementation of this.)
+
+Without the proper reserved range, a DMA mapping may allocate an IOVA that
+matches a bridge BAR, which results in DMA accesses going to the BAR
+instead of the intended RAM.
+
+The problem was in pci_assign_unassigned_root_bus_resources(). When any
+resource from a bridge device fails to get assigned, the code set the
+resource's flags to zero. This makes sense for bridge windows, as they
+will be re-enabled later, but for regular BARs, it makes the kernel
+permanently lose track of the fact that they decode address space.
+
+Change pci_assign_unassigned_root_bus_resources() and
+pci_assign_unassigned_bridge_resources() so they only clear "res->flags"
+for bridge *windows*, not bridge BARs.
+
+Fixes: da7822e5ad71 ("PCI: update bridge resources to get more big ranges when allocating space (again)")
+Link: https://lore.kernel.org/r/20200108213208.4612-1-logang@deltatee.com
+[bhelgaas: commit log, check for pci_is_bridge()]
+Reported-by: Kit Chow <kchow@gigaio.com>
+Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/setup-bus.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+--- a/drivers/pci/setup-bus.c
++++ b/drivers/pci/setup-bus.c
+@@ -1785,12 +1785,18 @@ again:
+ /* Restore size and flags */
+ list_for_each_entry(fail_res, &fail_head, list) {
+ struct resource *res = fail_res->res;
++ int idx;
+
+ res->start = fail_res->start;
+ res->end = fail_res->end;
+ res->flags = fail_res->flags;
+- if (fail_res->dev->subordinate)
+- res->flags = 0;
++
++ if (pci_is_bridge(fail_res->dev)) {
++ idx = res - &fail_res->dev->resource[0];
++ if (idx >= PCI_BRIDGE_RESOURCES &&
++ idx <= PCI_BRIDGE_RESOURCE_END)
++ res->flags = 0;
++ }
+ }
+ free_list(&fail_head);
+
+@@ -2037,12 +2043,18 @@ again:
+ /* Restore size and flags */
+ list_for_each_entry(fail_res, &fail_head, list) {
+ struct resource *res = fail_res->res;
++ int idx;
+
+ res->start = fail_res->start;
+ res->end = fail_res->end;
+ res->flags = fail_res->flags;
+- if (fail_res->dev->subordinate)
+- res->flags = 0;
++
++ if (pci_is_bridge(fail_res->dev)) {
++ idx = res - &fail_res->dev->resource[0];
++ if (idx >= PCI_BRIDGE_RESOURCES &&
++ idx <= PCI_BRIDGE_RESOURCE_END)
++ res->flags = 0;
++ }
+ }
+ free_list(&fail_head);
+
--- /dev/null
+From 8c386cc817878588195dde38e919aa6ba9409d58 Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Mon, 25 Nov 2019 13:52:52 -0600
+Subject: PCI/IOV: Fix memory leak in pci_iov_add_virtfn()
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+commit 8c386cc817878588195dde38e919aa6ba9409d58 upstream.
+
+In the implementation of pci_iov_add_virtfn() the allocated virtfn is
+leaked if pci_setup_device() fails. The error handling is not calling
+pci_stop_and_remove_bus_device(). Change the goto label to failed2.
+
+Fixes: 156c55325d30 ("PCI: Check for pci_setup_device() failure in pci_iov_add_virtfn()")
+Link: https://lore.kernel.org/r/20191125195255.23740-1-navid.emamdoost@gmail.com
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/iov.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/pci/iov.c
++++ b/drivers/pci/iov.c
+@@ -187,10 +187,10 @@ int pci_iov_add_virtfn(struct pci_dev *d
+ sprintf(buf, "virtfn%u", id);
+ rc = sysfs_create_link(&dev->dev.kobj, &virtfn->dev.kobj, buf);
+ if (rc)
+- goto failed2;
++ goto failed1;
+ rc = sysfs_create_link(&virtfn->dev.kobj, &dev->dev.kobj, "physfn");
+ if (rc)
+- goto failed3;
++ goto failed2;
+
+ kobject_uevent(&virtfn->dev.kobj, KOBJ_CHANGE);
+
+@@ -198,11 +198,10 @@ int pci_iov_add_virtfn(struct pci_dev *d
+
+ return 0;
+
+-failed3:
+- sysfs_remove_link(&dev->dev.kobj, buf);
+ failed2:
+- pci_stop_and_remove_bus_device(virtfn);
++ sysfs_remove_link(&dev->dev.kobj, buf);
+ failed1:
++ pci_stop_and_remove_bus_device(virtfn);
+ pci_dev_put(dev);
+ failed0:
+ virtfn_remove_bus(dev->bus, bus);
--- /dev/null
+From 9375646b4cf03aee81bc6c305aa18cc80b682796 Mon Sep 17 00:00:00 2001
+From: Logan Gunthorpe <logang@deltatee.com>
+Date: Mon, 6 Jan 2020 12:03:27 -0700
+Subject: PCI/switchtec: Fix vep_vector_number ioread width
+
+From: Logan Gunthorpe <logang@deltatee.com>
+
+commit 9375646b4cf03aee81bc6c305aa18cc80b682796 upstream.
+
+vep_vector_number is actually a 16 bit register which should be read with
+ioread16() instead of ioread32().
+
+Fixes: 080b47def5e5 ("MicroSemi Switchtec management interface driver")
+Link: https://lore.kernel.org/r/20200106190337.2428-3-logang@deltatee.com
+Reported-by: Doug Meyer <dmeyer@gigaio.com>
+Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/switch/switchtec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/switch/switchtec.c
++++ b/drivers/pci/switch/switchtec.c
+@@ -1276,7 +1276,7 @@ static int switchtec_init_isr(struct swi
+ if (nvecs < 0)
+ return nvecs;
+
+- event_irq = ioread32(&stdev->mmio_part_cfg->vep_vector_number);
++ event_irq = ioread16(&stdev->mmio_part_cfg->vep_vector_number);
+ if (event_irq < 0 || event_irq >= nvecs)
+ return -EFAULT;
+
--- /dev/null
+From aa82130a22f77c1aa5794703730304d035a0c1f4 Mon Sep 17 00:00:00 2001
+From: Wesley Sheng <wesley.sheng@microchip.com>
+Date: Mon, 6 Jan 2020 12:03:26 -0700
+Subject: PCI/switchtec: Use dma_set_mask_and_coherent()
+
+From: Wesley Sheng <wesley.sheng@microchip.com>
+
+commit aa82130a22f77c1aa5794703730304d035a0c1f4 upstream.
+
+Use dma_set_mask_and_coherent() instead of dma_set_coherent_mask() as the
+Switchtec hardware fully supports 64bit addressing and we should set both
+the streaming and coherent masks the same.
+
+[logang@deltatee.com: reworked commit message]
+Fixes: aff614c6339c ("switchtec: Set DMA coherent mask")
+Link: https://lore.kernel.org/r/20200106190337.2428-2-logang@deltatee.com
+Signed-off-by: Wesley Sheng <wesley.sheng@microchip.com>
+Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/switch/switchtec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/switch/switchtec.c
++++ b/drivers/pci/switch/switchtec.c
+@@ -1349,7 +1349,7 @@ static int switchtec_init_pci(struct swi
+ if (rc)
+ return rc;
+
+- rc = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(64));
++ rc = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(64));
+ if (rc)
+ return rc;
+
--- /dev/null
+From 21a92676e1fe292acb077b13106b08c22ed36b14 Mon Sep 17 00:00:00 2001
+From: Marcel Ziswiler <marcel@ziswiler.com>
+Date: Tue, 7 Jan 2020 09:14:02 +0100
+Subject: PCI: tegra: Fix afi_pex2_ctrl reg offset for Tegra30
+
+From: Marcel Ziswiler <marcel@ziswiler.com>
+
+commit 21a92676e1fe292acb077b13106b08c22ed36b14 upstream.
+
+Fix AFI_PEX2_CTRL reg offset for Tegra30 by moving it from the Tegra20
+SoC struct where it erroneously got added. This fixes the AFI_PEX2_CTRL
+reg offset being uninitialised subsequently failing to bring up the
+third PCIe port.
+
+Fixes: adb2653b3d2e ("PCI: tegra: Add AFI_PEX2_CTRL reg offset as part of SoC struct")
+Signed-off-by: Marcel Ziswiler <marcel@ziswiler.com>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Reviewed-by: Andrew Murray <andrew.murray@arm.com>
+Acked-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/controller/pci-tegra.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/controller/pci-tegra.c
++++ b/drivers/pci/controller/pci-tegra.c
+@@ -2499,7 +2499,6 @@ static const struct tegra_pcie_soc tegra
+ .num_ports = 2,
+ .ports = tegra20_pcie_ports,
+ .msi_base_shift = 0,
+- .afi_pex2_ctrl = 0x128,
+ .pads_pll_ctl = PADS_PLL_CTL_TEGRA20,
+ .tx_ref_sel = PADS_PLL_CTL_TXCLKREF_DIV10,
+ .pads_refclk_cfg0 = 0xfa5cfa5c,
+@@ -2528,6 +2527,7 @@ static const struct tegra_pcie_soc tegra
+ .num_ports = 3,
+ .ports = tegra30_pcie_ports,
+ .msi_base_shift = 8,
++ .afi_pex2_ctrl = 0x128,
+ .pads_pll_ctl = PADS_PLL_CTL_TEGRA30,
+ .tx_ref_sel = PADS_PLL_CTL_TXCLKREF_BUF_EN,
+ .pads_refclk_cfg0 = 0xfa5cfa5c,
--- /dev/null
+From b4fb4cc5ba83b20dae13cef116c33648e81d2f44 Mon Sep 17 00:00:00 2001
+From: Parav Pandit <parav@mellanox.com>
+Date: Sun, 26 Jan 2020 16:26:46 +0200
+Subject: RDMA/cma: Fix unbalanced cm_id reference count during address resolve
+
+From: Parav Pandit <parav@mellanox.com>
+
+commit b4fb4cc5ba83b20dae13cef116c33648e81d2f44 upstream.
+
+Below commit missed the AF_IB and loopback code flow in
+rdma_resolve_addr(). This leads to an unbalanced cm_id refcount in
+cma_work_handler() which puts the refcount which was not incremented prior
+to queuing the work.
+
+A call trace is observed with such code flow:
+
+ BUG: unable to handle kernel NULL pointer dereference at (null)
+ [<ffffffff96b67e16>] __mutex_lock_slowpath+0x166/0x1d0
+ [<ffffffff96b6715f>] mutex_lock+0x1f/0x2f
+ [<ffffffffc0beabb5>] cma_work_handler+0x25/0xa0
+ [<ffffffff964b9ebf>] process_one_work+0x17f/0x440
+ [<ffffffff964baf56>] worker_thread+0x126/0x3c0
+
+Hence, hold the cm_id reference when scheduling the resolve work item.
+
+Fixes: 722c7b2bfead ("RDMA/{cma, core}: Avoid callback on rdma_addr_cancel()")
+Link: https://lore.kernel.org/r/20200126142652.104803-2-leon@kernel.org
+Signed-off-by: Parav Pandit <parav@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/cma.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -3091,6 +3091,7 @@ static int cma_resolve_loopback(struct r
+ rdma_addr_get_sgid(&id_priv->id.route.addr.dev_addr, &gid);
+ rdma_addr_set_dgid(&id_priv->id.route.addr.dev_addr, &gid);
+
++ atomic_inc(&id_priv->refcount);
+ cma_init_resolve_addr_work(work, id_priv);
+ queue_work(cma_wq, &work->work);
+ return 0;
+@@ -3117,6 +3118,7 @@ static int cma_resolve_ib_addr(struct rd
+ rdma_addr_set_dgid(&id_priv->id.route.addr.dev_addr, (union ib_gid *)
+ &(((struct sockaddr_ib *) &id_priv->id.route.addr.dst_addr)->sib_addr));
+
++ atomic_inc(&id_priv->refcount);
+ cma_init_resolve_addr_work(work, id_priv);
+ queue_work(cma_wq, &work->work);
+ return 0;
--- /dev/null
+From 14e23bd6d22123f6f3b2747701fa6cd4c6d05873 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgg@ziepe.ca>
+Date: Wed, 8 Jan 2020 19:22:03 +0200
+Subject: RDMA/core: Fix locking in ib_uverbs_event_read
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jason Gunthorpe <jgg@mellanox.com>
+
+commit 14e23bd6d22123f6f3b2747701fa6cd4c6d05873 upstream.
+
+This should not be using ib_dev to test for disassociation, during
+disassociation is_closed is set under lock and the waitq is triggered.
+
+Instead check is_closed and be sure to re-obtain the lock to test the
+value after the wait_event returns.
+
+Fixes: 036b10635739 ("IB/uverbs: Enable device removal when there are active user space applications")
+Link: https://lore.kernel.org/r/1578504126-9400-12-git-send-email-yishaih@mellanox.com
+Signed-off-by: Yishai Hadas <yishaih@mellanox.com>
+Reviewed-by: Håkon Bugge <haakon.bugge@oracle.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/uverbs_main.c | 32 ++++++++++++++------------------
+ 1 file changed, 14 insertions(+), 18 deletions(-)
+
+--- a/drivers/infiniband/core/uverbs_main.c
++++ b/drivers/infiniband/core/uverbs_main.c
+@@ -220,7 +220,6 @@ void ib_uverbs_release_file(struct kref
+ }
+
+ static ssize_t ib_uverbs_event_read(struct ib_uverbs_event_queue *ev_queue,
+- struct ib_uverbs_file *uverbs_file,
+ struct file *filp, char __user *buf,
+ size_t count, loff_t *pos,
+ size_t eventsz)
+@@ -238,19 +237,16 @@ static ssize_t ib_uverbs_event_read(stru
+
+ if (wait_event_interruptible(ev_queue->poll_wait,
+ (!list_empty(&ev_queue->event_list) ||
+- /* The barriers built into wait_event_interruptible()
+- * and wake_up() guarentee this will see the null set
+- * without using RCU
+- */
+- !uverbs_file->device->ib_dev)))
++ ev_queue->is_closed)))
+ return -ERESTARTSYS;
+
++ spin_lock_irq(&ev_queue->lock);
++
+ /* If device was disassociated and no event exists set an error */
+- if (list_empty(&ev_queue->event_list) &&
+- !uverbs_file->device->ib_dev)
++ if (list_empty(&ev_queue->event_list) && ev_queue->is_closed) {
++ spin_unlock_irq(&ev_queue->lock);
+ return -EIO;
+-
+- spin_lock_irq(&ev_queue->lock);
++ }
+ }
+
+ event = list_entry(ev_queue->event_list.next, struct ib_uverbs_event, list);
+@@ -285,8 +281,7 @@ static ssize_t ib_uverbs_async_event_rea
+ {
+ struct ib_uverbs_async_event_file *file = filp->private_data;
+
+- return ib_uverbs_event_read(&file->ev_queue, file->uverbs_file, filp,
+- buf, count, pos,
++ return ib_uverbs_event_read(&file->ev_queue, filp, buf, count, pos,
+ sizeof(struct ib_uverbs_async_event_desc));
+ }
+
+@@ -296,9 +291,8 @@ static ssize_t ib_uverbs_comp_event_read
+ struct ib_uverbs_completion_event_file *comp_ev_file =
+ filp->private_data;
+
+- return ib_uverbs_event_read(&comp_ev_file->ev_queue,
+- comp_ev_file->uobj.ufile, filp,
+- buf, count, pos,
++ return ib_uverbs_event_read(&comp_ev_file->ev_queue, filp, buf, count,
++ pos,
+ sizeof(struct ib_uverbs_comp_event_desc));
+ }
+
+@@ -321,7 +315,9 @@ static __poll_t ib_uverbs_event_poll(str
+ static __poll_t ib_uverbs_async_event_poll(struct file *filp,
+ struct poll_table_struct *wait)
+ {
+- return ib_uverbs_event_poll(filp->private_data, filp, wait);
++ struct ib_uverbs_async_event_file *file = filp->private_data;
++
++ return ib_uverbs_event_poll(&file->ev_queue, filp, wait);
+ }
+
+ static __poll_t ib_uverbs_comp_event_poll(struct file *filp,
+@@ -335,9 +331,9 @@ static __poll_t ib_uverbs_comp_event_pol
+
+ static int ib_uverbs_async_event_fasync(int fd, struct file *filp, int on)
+ {
+- struct ib_uverbs_event_queue *ev_queue = filp->private_data;
++ struct ib_uverbs_async_event_file *file = filp->private_data;
+
+- return fasync_helper(fd, filp, on, &ev_queue->async_queue);
++ return fasync_helper(fd, filp, on, &file->ev_queue.async_queue);
+ }
+
+ static int ib_uverbs_comp_event_fasync(int fd, struct file *filp, int on)
--- /dev/null
+From 04db1580b5e48a79e24aa51ecae0cd4b2296ec23 Mon Sep 17 00:00:00 2001
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Date: Mon, 30 Dec 2019 10:24:28 +0800
+Subject: RDMA/i40iw: fix a potential NULL pointer dereference
+
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+
+commit 04db1580b5e48a79e24aa51ecae0cd4b2296ec23 upstream.
+
+A NULL pointer can be returned by in_dev_get(). Thus add a corresponding
+check so that a NULL pointer dereference will be avoided at this place.
+
+Fixes: 8e06af711bf2 ("i40iw: add main, hdr, status")
+Link: https://lore.kernel.org/r/1577672668-46499-1-git-send-email-xiyuyang19@fudan.edu.cn
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
+Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/i40iw/i40iw_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/infiniband/hw/i40iw/i40iw_main.c
++++ b/drivers/infiniband/hw/i40iw/i40iw_main.c
+@@ -1225,6 +1225,8 @@ static void i40iw_add_ipv4_addr(struct i
+ const struct in_ifaddr *ifa;
+
+ idev = in_dev_get(dev);
++ if (!idev)
++ continue;
+ in_dev_for_each_ifa_rtnl(ifa, idev) {
+ i40iw_debug(&iwdev->sc_dev, I40IW_DEBUG_CM,
+ "IP=%pI4, vlan_id=%d, MAC=%pM\n", &ifa->ifa_address,
--- /dev/null
+From a242c36951ecd24bc16086940dbe6b522205c461 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?H=C3=A5kon=20Bugge?= <haakon.bugge@oracle.com>
+Date: Mon, 16 Dec 2019 13:04:36 +0100
+Subject: RDMA/netlink: Do not always generate an ACK for some netlink operations
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Håkon Bugge <haakon.bugge@oracle.com>
+
+commit a242c36951ecd24bc16086940dbe6b522205c461 upstream.
+
+In rdma_nl_rcv_skb(), the local variable err is assigned the return value
+of the supplied callback function, which could be one of
+ib_nl_handle_resolve_resp(), ib_nl_handle_set_timeout(), or
+ib_nl_handle_ip_res_resp(). These three functions all return skb->len on
+success.
+
+rdma_nl_rcv_skb() is merely a copy of netlink_rcv_skb(). The callback
+functions used by the latter have the convention: "Returns 0 on success or
+a negative error code".
+
+In particular, the statement (equal for both functions):
+
+ if (nlh->nlmsg_flags & NLM_F_ACK || err)
+
+implies that rdma_nl_rcv_skb() always will ack a message, independent of
+the NLM_F_ACK being set in nlmsg_flags or not.
+
+The fix could be to change the above statement, but it is better to keep
+the two *_rcv_skb() functions equal in this respect and instead change the
+three callback functions in the rdma subsystem to the correct convention.
+
+Fixes: 2ca546b92a02 ("IB/sa: Route SA pathrecord query through netlink")
+Fixes: ae43f8286730 ("IB/core: Add IP to GID netlink offload")
+Link: https://lore.kernel.org/r/20191216120436.3204814-1-haakon.bugge@oracle.com
+Suggested-by: Mark Haywood <mark.haywood@oracle.com>
+Signed-off-by: Håkon Bugge <haakon.bugge@oracle.com>
+Tested-by: Mark Haywood <mark.haywood@oracle.com>
+Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
+Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/addr.c | 2 +-
+ drivers/infiniband/core/sa_query.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/core/addr.c
++++ b/drivers/infiniband/core/addr.c
+@@ -139,7 +139,7 @@ int ib_nl_handle_ip_res_resp(struct sk_b
+ if (ib_nl_is_good_ip_resp(nlh))
+ ib_nl_process_good_ip_rsep(nlh);
+
+- return skb->len;
++ return 0;
+ }
+
+ static int ib_nl_ip_send_msg(struct rdma_dev_addr *dev_addr,
+--- a/drivers/infiniband/core/sa_query.c
++++ b/drivers/infiniband/core/sa_query.c
+@@ -1068,7 +1068,7 @@ int ib_nl_handle_set_timeout(struct sk_b
+ }
+
+ settimeout_out:
+- return skb->len;
++ return 0;
+ }
+
+ static inline int ib_nl_is_good_resolve_resp(const struct nlmsghdr *nlh)
+@@ -1139,7 +1139,7 @@ int ib_nl_handle_resolve_resp(struct sk_
+ }
+
+ resp_out:
+- return skb->len;
++ return 0;
+ }
+
+ static void free_sm_ah(struct kref *kref)
--- /dev/null
+From 36798d5ae1af62e830c5e045b2e41ce038690c61 Mon Sep 17 00:00:00 2001
+From: Artemy Kovalyov <artemyko@mellanox.com>
+Date: Tue, 28 Jan 2020 15:56:12 +0200
+Subject: RDMA/umem: Fix ib_umem_find_best_pgsz()
+
+From: Artemy Kovalyov <artemyko@mellanox.com>
+
+commit 36798d5ae1af62e830c5e045b2e41ce038690c61 upstream.
+
+Except for the last entry, the ending iova alignment sets the maximum
+possible page size as the low bits of the iova must be zero when starting
+the next chunk.
+
+Fixes: 4a35339958f1 ("RDMA/umem: Add API to find best driver supported page size in an MR")
+Link: https://lore.kernel.org/r/20200128135612.174820-1-leon@kernel.org
+Signed-off-by: Artemy Kovalyov <artemyko@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Tested-by: Gal Pressman <galpress@amazon.com>
+Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/umem.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/core/umem.c
++++ b/drivers/infiniband/core/umem.c
+@@ -166,10 +166,13 @@ unsigned long ib_umem_find_best_pgsz(str
+ * for any address.
+ */
+ mask |= (sg_dma_address(sg) + pgoff) ^ va;
+- if (i && i != (umem->nmap - 1))
+- /* restrict by length as well for interior SGEs */
+- mask |= sg_dma_len(sg);
+ va += sg_dma_len(sg) - pgoff;
++ /* Except for the last entry, the ending iova alignment sets
++ * the maximum possible page size as the low bits of the iova
++ * must be zero when starting the next chunk.
++ */
++ if (i != (umem->nmap - 1))
++ mask |= va;
+ pgoff = 0;
+ }
+ best_pg_bit = rdma_find_pg_bit(mask, pgsz_bitmap);
--- /dev/null
+From ca95c1411198c2d87217c19d44571052cdc94725 Mon Sep 17 00:00:00 2001
+From: Michael Guralnik <michaelgur@mellanox.com>
+Date: Wed, 8 Jan 2020 20:05:35 +0200
+Subject: RDMA/uverbs: Verify MR access flags
+
+From: Michael Guralnik <michaelgur@mellanox.com>
+
+commit ca95c1411198c2d87217c19d44571052cdc94725 upstream.
+
+Verify that MR access flags that are passed from user are all supported
+ones, otherwise an error is returned.
+
+Fixes: 4fca03778351 ("IB/uverbs: Move ib_access_flags and ib_read_counters_flags to uapi")
+Link: https://lore.kernel.org/r/1578506740-22188-6-git-send-email-yishaih@mellanox.com
+Signed-off-by: Michael Guralnik <michaelgur@mellanox.com>
+Signed-off-by: Yishai Hadas <yishaih@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/rdma/ib_verbs.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/include/rdma/ib_verbs.h
++++ b/include/rdma/ib_verbs.h
+@@ -4252,6 +4252,9 @@ static inline int ib_check_mr_access(int
+ !(flags & IB_ACCESS_LOCAL_WRITE))
+ return -EINVAL;
+
++ if (flags & ~IB_ACCESS_SUPPORTED)
++ return -EINVAL;
++
+ return 0;
+ }
+
--- /dev/null
+From b9fc5320212efdfb4e08b825aaa007815fd11d16 Mon Sep 17 00:00:00 2001
+From: Bean Huo <beanhuo@micron.com>
+Date: Mon, 20 Jan 2020 14:08:13 +0100
+Subject: scsi: ufs: Fix ufshcd_probe_hba() reture value in case ufshcd_scsi_add_wlus() fails
+
+From: Bean Huo <beanhuo@micron.com>
+
+commit b9fc5320212efdfb4e08b825aaa007815fd11d16 upstream.
+
+A non-zero error value likely being returned by ufshcd_scsi_add_wlus() in
+case of failure of adding the WLs, but ufshcd_probe_hba() doesn't use this
+value, and doesn't report this failure to upper caller. This patch is to
+fix this issue.
+
+Fixes: 2a8fa600445c ("ufs: manually add well known logical units")
+Link: https://lore.kernel.org/r/20200120130820.1737-2-huobean@gmail.com
+Reviewed-by: Asutosh Das <asutoshd@codeaurora.org>
+Reviewed-by: Alim Akhtar <alim.akhtar@samsung.com>
+Reviewed-by: Stanley Chu <stanley.chu@mediatek.com>
+Signed-off-by: Bean Huo <beanhuo@micron.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/ufs/ufshcd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -6953,7 +6953,8 @@ static int ufshcd_probe_hba(struct ufs_h
+ ufshcd_init_icc_levels(hba);
+
+ /* Add required well known logical units to scsi mid layer */
+- if (ufshcd_scsi_add_wlus(hba))
++ ret = ufshcd_scsi_add_wlus(hba);
++ if (ret)
+ goto out;
+
+ /* Initialize devfreq after UFS device is detected */
asoc-pcm-update-fe-be-trigger-order-based-on-the-com.patch
hv_sock-remove-the-accept-port-restriction.patch
+ib-mlx4-fix-memory-leak-in-add_gid-error-flow.patch
+ib-srp-never-use-immediate-data-if-it-is-disabled-by-a-user.patch
+ib-mlx4-fix-leak-in-id_map_find_del.patch
+rdma-netlink-do-not-always-generate-an-ack-for-some-netlink-operations.patch
+rdma-i40iw-fix-a-potential-null-pointer-dereference.patch
+rdma-core-fix-locking-in-ib_uverbs_event_read.patch
+rdma-uverbs-verify-mr-access-flags.patch
+rdma-cma-fix-unbalanced-cm_id-reference-count-during-address-resolve.patch
+rdma-umem-fix-ib_umem_find_best_pgsz.patch
+scsi-ufs-fix-ufshcd_probe_hba-reture-value-in-case-ufshcd_scsi_add_wlus-fails.patch
+pci-iov-fix-memory-leak-in-pci_iov_add_virtfn.patch
+ath10k-pci-only-dump-ath10k_mem_region_type_ioreg-when-safe.patch
+pci-switchtec-use-dma_set_mask_and_coherent.patch
+pci-switchtec-fix-vep_vector_number-ioread-width.patch
+pci-tegra-fix-afi_pex2_ctrl-reg-offset-for-tegra30.patch
+pci-don-t-disable-bridge-bars-when-assigning-bus-resources.patch
+pci-aer-initialize-aer_fifo.patch
+iwlwifi-mvm-avoid-use-after-free-for-pmsr-request.patch
+nfsd-fixing-possible-null-pointer-derefering-in-copy-offload.patch
+nfs-nfs_swap-should-depend-on-swap.patch
+nfs-revalidate-the-file-size-on-a-fatal-write-error.patch
+nfs-pnfs-fix-pnfs_generic_prepare_to_resend_writes.patch
+nfs-fix-fix-of-show_nfs_errors.patch
+nfsv4-pnfs_roc-must-use-cred_fscmp-to-compare-creds.patch
+nfsv4-try-lease-recovery-on-nfs4err_expired.patch
+nfsv4.0-nfs4_do_fsinfo-should-not-do-implicit-lease-renewals.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
