--- /dev/null
+From f5f7ab168b9a60e12a4b8f2bb6fcc91321dc23c1 Mon Sep 17 00:00:00 2001
+From: "Matthew Wilcox (Oracle)" <willy@infradead.org>
+Date: Sun, 4 Oct 2020 19:04:22 +0100
+Subject: 9P: Cast to loff_t before multiplying
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+commit f5f7ab168b9a60e12a4b8f2bb6fcc91321dc23c1 upstream.
+
+On 32-bit systems, this multiplication will overflow for files larger
+than 4GB.
+
+Link: http://lkml.kernel.org/r/20201004180428.14494-2-willy@infradead.org
+Cc: stable@vger.kernel.org
+Fixes: fb89b45cdfdc ("9P: introduction of a new cache=mmap model.")
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/9p/vfs_file.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/9p/vfs_file.c
++++ b/fs/9p/vfs_file.c
+@@ -624,9 +624,9 @@ static void v9fs_mmap_vm_close(struct vm
+ struct writeback_control wbc = {
+ .nr_to_write = LONG_MAX,
+ .sync_mode = WB_SYNC_ALL,
+- .range_start = vma->vm_pgoff * PAGE_SIZE,
++ .range_start = (loff_t)vma->vm_pgoff * PAGE_SIZE,
+ /* absolute end, byte at end included */
+- .range_end = vma->vm_pgoff * PAGE_SIZE +
++ .range_end = (loff_t)vma->vm_pgoff * PAGE_SIZE +
+ (vma->vm_end - vma->vm_start - 1),
+ };
+
--- /dev/null
+From c403c3a2fbe24d4ed33e10cabad048583ebd4edf Mon Sep 17 00:00:00 2001
+From: "Matthew Wilcox (Oracle)" <willy@infradead.org>
+Date: Sun, 4 Oct 2020 19:04:24 +0100
+Subject: ceph: promote to unsigned long long before shifting
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+commit c403c3a2fbe24d4ed33e10cabad048583ebd4edf upstream.
+
+On 32-bit systems, this shift will overflow for files larger than 4GB.
+
+Cc: stable@vger.kernel.org
+Fixes: 61f68816211e ("ceph: check caps in filemap_fault and page_mkwrite")
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ceph/addr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ceph/addr.c
++++ b/fs/ceph/addr.c
+@@ -1443,7 +1443,7 @@ static int ceph_filemap_fault(struct vm_
+ struct ceph_inode_info *ci = ceph_inode(inode);
+ struct ceph_file_info *fi = vma->vm_file->private_data;
+ struct page *pinned_page = NULL;
+- loff_t off = vmf->pgoff << PAGE_SHIFT;
++ loff_t off = (loff_t)vmf->pgoff << PAGE_SHIFT;
+ int want, got, ret;
+ sigset_t oldset;
+
--- /dev/null
+From c4aa8dff6091cc9536aeb255e544b0b4ba29faf4 Mon Sep 17 00:00:00 2001
+From: Madhav Chauhan <madhav.chauhan@amd.com>
+Date: Fri, 16 Oct 2020 18:03:07 +0530
+Subject: drm/amdgpu: don't map BO in reserved region
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Madhav Chauhan <madhav.chauhan@amd.com>
+
+commit c4aa8dff6091cc9536aeb255e544b0b4ba29faf4 upstream.
+
+2MB area is reserved at top inside VM.
+
+Suggested-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Madhav Chauhan <madhav.chauhan@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
+@@ -551,6 +551,7 @@ int amdgpu_gem_va_ioctl(struct drm_devic
+ struct ww_acquire_ctx ticket;
+ struct list_head list;
+ uint64_t va_flags;
++ uint64_t vm_size;
+ int r = 0;
+
+ if (args->va_address < AMDGPU_VA_RESERVED_SIZE) {
+@@ -561,6 +562,15 @@ int amdgpu_gem_va_ioctl(struct drm_devic
+ return -EINVAL;
+ }
+
++ vm_size = adev->vm_manager.max_pfn * AMDGPU_GPU_PAGE_SIZE;
++ vm_size -= AMDGPU_VA_RESERVED_SIZE;
++ if (args->va_address + args->map_size > vm_size) {
++ dev_dbg(&dev->pdev->dev,
++ "va_address 0x%llx is in top reserved area 0x%llx\n",
++ args->va_address + args->map_size, vm_size);
++ return -EINVAL;
++ }
++
+ if ((args->flags & ~valid_flags) && (args->flags & ~prt_flags)) {
+ dev_err(&dev->pdev->dev, "invalid flags combination 0x%08X\n",
+ args->flags);
--- /dev/null
+From fea456d82c19d201c21313864105876deabe148b Mon Sep 17 00:00:00 2001
+From: Dave Airlie <airlied@redhat.com>
+Date: Tue, 20 Oct 2020 08:22:53 +1000
+Subject: drm/ttm: fix eviction valuable range check.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dave Airlie <airlied@redhat.com>
+
+commit fea456d82c19d201c21313864105876deabe148b upstream.
+
+This was adding size to start, but pfn and start are in pages,
+so it should be using num_pages.
+
+Not sure this fixes anything in the real world, just noticed it
+during refactoring.
+
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Cc: stable@vger.kernel.org
+Link: https://patchwork.freedesktop.org/patch/msgid/20201019222257.1684769-2-airlied@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/ttm/ttm_bo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/ttm/ttm_bo.c
++++ b/drivers/gpu/drm/ttm/ttm_bo.c
+@@ -721,7 +721,7 @@ bool ttm_bo_eviction_valuable(struct ttm
+ /* Don't evict this BO if it's outside of the
+ * requested placement range
+ */
+- if (place->fpfn >= (bo->mem.start + bo->mem.size) ||
++ if (place->fpfn >= (bo->mem.start + bo->mem.num_pages) ||
+ (place->lpfn && place->lpfn <= bo->mem.start))
+ return false;
+
--- /dev/null
+From c9e87161cc621cbdcfc472fa0b2d81c63780c8f5 Mon Sep 17 00:00:00 2001
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Date: Sat, 29 Aug 2020 10:54:02 +0800
+Subject: ext4: fix error handling code in add_new_gdb
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+commit c9e87161cc621cbdcfc472fa0b2d81c63780c8f5 upstream.
+
+When ext4_journal_get_write_access() fails, we should
+terminate the execution flow and release n_group_desc,
+iloc.bh, dind and gdb_bh.
+
+Cc: stable@kernel.org
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Link: https://lore.kernel.org/r/20200829025403.3139-1-dinghao.liu@zju.edu.cn
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/resize.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -837,8 +837,10 @@ static int add_new_gdb(handle_t *handle,
+
+ BUFFER_TRACE(dind, "get_write_access");
+ err = ext4_journal_get_write_access(handle, dind);
+- if (unlikely(err))
++ if (unlikely(err)) {
+ ext4_std_error(sb, err);
++ goto errout;
++ }
+
+ /* ext4_reserve_inode_write() gets a reference on the iloc */
+ err = ext4_reserve_inode_write(handle, inode, &iloc);
--- /dev/null
+From 1322181170bb01bce3c228b82ae3d5c6b793164f Mon Sep 17 00:00:00 2001
+From: Luo Meng <luomeng12@huawei.com>
+Date: Tue, 20 Oct 2020 09:36:31 +0800
+Subject: ext4: fix invalid inode checksum
+
+From: Luo Meng <luomeng12@huawei.com>
+
+commit 1322181170bb01bce3c228b82ae3d5c6b793164f upstream.
+
+During the stability test, there are some errors:
+ ext4_lookup:1590: inode #6967: comm fsstress: iget: checksum invalid.
+
+If the inode->i_iblocks too big and doesn't set huge file flag, checksum
+will not be recalculated when update the inode information to it's buffer.
+If other inode marks the buffer dirty, then the inconsistent inode will
+be flushed to disk.
+
+Fix this problem by checking i_blocks in advance.
+
+Cc: stable@kernel.org
+Signed-off-by: Luo Meng <luomeng12@huawei.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Link: https://lore.kernel.org/r/20201020013631.3796673-1-luomeng12@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inode.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -5135,6 +5135,12 @@ static int ext4_do_update_inode(handle_t
+ if (ext4_test_inode_state(inode, EXT4_STATE_NEW))
+ memset(raw_inode, 0, EXT4_SB(inode->i_sb)->s_inode_size);
+
++ err = ext4_inode_blocks_set(handle, raw_inode, ei);
++ if (err) {
++ spin_unlock(&ei->i_raw_lock);
++ goto out_brelse;
++ }
++
+ raw_inode->i_mode = cpu_to_le16(inode->i_mode);
+ i_uid = i_uid_read(inode);
+ i_gid = i_gid_read(inode);
+@@ -5168,11 +5174,6 @@ static int ext4_do_update_inode(handle_t
+ EXT4_INODE_SET_XTIME(i_atime, inode, raw_inode);
+ EXT4_EINODE_SET_XTIME(i_crtime, ei, raw_inode);
+
+- err = ext4_inode_blocks_set(handle, raw_inode, ei);
+- if (err) {
+- spin_unlock(&ei->i_raw_lock);
+- goto out_brelse;
+- }
+ raw_inode->i_dtime = cpu_to_le32(ei->i_dtime);
+ raw_inode->i_flags = cpu_to_le32(ei->i_flags & 0xFFFFFFFF);
+ if (likely(!test_opt2(inode->i_sb, HURD_COMPAT)))
--- /dev/null
+From cb8d53d2c97369029cc638c9274ac7be0a316c75 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Tue, 22 Sep 2020 09:24:56 -0700
+Subject: ext4: fix leaking sysfs kobject after failed mount
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit cb8d53d2c97369029cc638c9274ac7be0a316c75 upstream.
+
+ext4_unregister_sysfs() only deletes the kobject. The reference to it
+needs to be put separately, like ext4_put_super() does.
+
+This addresses the syzbot report
+"memory leak in kobject_set_name_vargs (3)"
+(https://syzkaller.appspot.com/bug?extid=9f864abad79fae7c17e1).
+
+Reported-by: syzbot+9f864abad79fae7c17e1@syzkaller.appspotmail.com
+Fixes: 72ba74508b28 ("ext4: release sysfs kobject when failing to enable quotas on mount")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Link: https://lore.kernel.org/r/20200922162456.93657-1-ebiggers@kernel.org
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/super.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -4505,6 +4505,7 @@ cantfind_ext4:
+
+ failed_mount8:
+ ext4_unregister_sysfs(sb);
++ kobject_put(&sbi->s_kobj);
+ failed_mount7:
+ ext4_unregister_li_request(sb);
+ failed_mount6:
--- /dev/null
+From acaa532687cdc3a03757defafece9c27aa667546 Mon Sep 17 00:00:00 2001
+From: Constantine Sapuntzakis <costa@purestorage.com>
+Date: Mon, 14 Sep 2020 10:10:14 -0600
+Subject: ext4: fix superblock checksum calculation race
+
+From: Constantine Sapuntzakis <costa@purestorage.com>
+
+commit acaa532687cdc3a03757defafece9c27aa667546 upstream.
+
+The race condition could cause the persisted superblock checksum
+to not match the contents of the superblock, causing the
+superblock to be considered corrupt.
+
+An example of the race follows. A first thread is interrupted in the
+middle of a checksum calculation. Then, another thread changes the
+superblock, calculates a new checksum, and sets it. Then, the first
+thread resumes and sets the checksum based on the older superblock.
+
+To fix, serialize the superblock checksum calculation using the buffer
+header lock. While a spinlock is sufficient, the buffer header is
+already there and there is precedent for locking it (e.g. in
+ext4_commit_super).
+
+Tested the patch by booting up a kernel with the patch, creating
+a filesystem and some files (including some orphans), and then
+unmounting and remounting the file system.
+
+Cc: stable@kernel.org
+Signed-off-by: Constantine Sapuntzakis <costa@purestorage.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Suggested-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20200914161014.22275-1-costa@purestorage.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/super.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -200,7 +200,18 @@ void ext4_superblock_csum_set(struct sup
+ if (!ext4_has_metadata_csum(sb))
+ return;
+
++ /*
++ * Locking the superblock prevents the scenario
++ * where:
++ * 1) a first thread pauses during checksum calculation.
++ * 2) a second thread updates the superblock, recalculates
++ * the checksum, and updates s_checksum
++ * 3) the first thread resumes and finishes its checksum calculation
++ * and updates s_checksum with a potentially stale or torn value.
++ */
++ lock_buffer(EXT4_SB(sb)->s_sbh);
+ es->s_checksum = ext4_superblock_csum(sb, es);
++ unlock_buffer(EXT4_SB(sb)->s_sbh);
+ }
+
+ void *ext4_kvmalloc(size_t size, gfp_t flags)
--- /dev/null
+From 7404840d87557c4092bf0272bce5e0354c774bf9 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Sat, 17 Oct 2020 16:13:37 -0700
+Subject: ia64: fix build error with !COREDUMP
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+commit 7404840d87557c4092bf0272bce5e0354c774bf9 upstream.
+
+Fix linkage error when CONFIG_BINFMT_ELF is selected but CONFIG_COREDUMP
+is not:
+
+ ia64-linux-ld: arch/ia64/kernel/elfcore.o: in function `elf_core_write_extra_phdrs':
+ elfcore.c:(.text+0x172): undefined reference to `dump_emit'
+ ia64-linux-ld: arch/ia64/kernel/elfcore.o: in function `elf_core_write_extra_data':
+ elfcore.c:(.text+0x2b2): undefined reference to `dump_emit'
+
+Fixes: 1fcccbac89f5 ("elf coredump: replace ELF_CORE_EXTRA_* macros by functions")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lkml.kernel.org/r/20200819064146.12529-1-krzk@kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/ia64/kernel/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/ia64/kernel/Makefile
++++ b/arch/ia64/kernel/Makefile
+@@ -43,7 +43,7 @@ endif
+ obj-$(CONFIG_INTEL_IOMMU) += pci-dma.o
+ obj-$(CONFIG_SWIOTLB) += pci-swiotlb.o
+
+-obj-$(CONFIG_BINFMT_ELF) += elfcore.o
++obj-$(CONFIG_ELF_CORE) += elfcore.o
+
+ # fp_emulate() expects f2-f5,f16-f31 to contain the user-level state.
+ CFLAGS_traps.o += -mfixed-range=f2-f5,f16-f31
--- /dev/null
+From 28e1581c3b4ea5f98530064a103c6217bedeea73 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Wed, 7 Oct 2020 20:06:48 +0200
+Subject: libceph: clear con->out_msg on Policy::stateful_server faults
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit 28e1581c3b4ea5f98530064a103c6217bedeea73 upstream.
+
+con->out_msg must be cleared on Policy::stateful_server
+(!CEPH_MSG_CONNECT_LOSSY) faults. Not doing so botches the
+reconnection attempt, because after writing the banner the
+messenger moves on to writing the data section of that message
+(either from where it got interrupted by the connection reset or
+from the beginning) instead of writing struct ceph_msg_connect.
+This results in a bizarre error message because the server
+sends CEPH_MSGR_TAG_BADPROTOVER but we think we wrote struct
+ceph_msg_connect:
+
+ libceph: mds0 (1)172.21.15.45:6828 socket error on write
+ ceph: mds0 reconnect start
+ libceph: mds0 (1)172.21.15.45:6829 socket closed (con state OPEN)
+ libceph: mds0 (1)172.21.15.45:6829 protocol version mismatch, my 32 != server's 32
+ libceph: mds0 (1)172.21.15.45:6829 protocol version mismatch
+
+AFAICT this bug goes back to the dawn of the kernel client.
+The reason it survived for so long is that only MDS sessions
+are stateful and only two MDS messages have a data section:
+CEPH_MSG_CLIENT_RECONNECT (always, but reconnecting is rare)
+and CEPH_MSG_CLIENT_REQUEST (only when xattrs are involved).
+The connection has to get reset precisely when such message
+is being sent -- in this case it was the former.
+
+Cc: stable@vger.kernel.org
+Link: https://tracker.ceph.com/issues/47723
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ceph/messenger.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/ceph/messenger.c
++++ b/net/ceph/messenger.c
+@@ -3007,6 +3007,11 @@ static void con_fault(struct ceph_connec
+ ceph_msg_put(con->in_msg);
+ con->in_msg = NULL;
+ }
++ if (con->out_msg) {
++ BUG_ON(con->out_msg->con != con);
++ ceph_msg_put(con->out_msg);
++ con->out_msg = NULL;
++ }
+
+ /* Requeue anything that hasn't been acked */
+ list_splice_init(&con->out_sent, &con->out_queue);
--- /dev/null
+From 6fcd5ddc3b1467b3586972ef785d0d926ae4cdf4 Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@kernel.org>
+Date: Mon, 28 Sep 2020 22:11:35 +0200
+Subject: perf python scripting: Fix printable strings in python3 scripts
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+commit 6fcd5ddc3b1467b3586972ef785d0d926ae4cdf4 upstream.
+
+Hagen reported broken strings in python3 tracepoint scripts:
+
+ make PYTHON=python3
+ perf record -e sched:sched_switch -a -- sleep 5
+ perf script --gen-script py
+ perf script -s ./perf-script.py
+
+ [..]
+ sched__sched_switch 7 563231.759525792 0 swapper prev_comm=bytearray(b'swapper/7\x00\x00\x00\x00\x00\x00\x00'), prev_pid=0, prev_prio=120, prev_state=, next_comm=bytearray(b'mutex-thread-co\x00'),
+
+The problem is in the is_printable_array function that does not take the
+zero byte into account and claim such string as not printable, so the
+code will create byte array instead of string.
+
+Committer testing:
+
+After this fix:
+
+sched__sched_switch 3 484522.497072626 1158680 kworker/3:0-eve prev_comm=kworker/3:0, prev_pid=1158680, prev_prio=120, prev_state=I, next_comm=swapper/3, next_pid=0, next_prio=120
+Sample: {addr=0, cpu=3, datasrc=84410401, datasrc_decode=N/A|SNP N/A|TLB N/A|LCK N/A, ip=18446744071841817196, period=1, phys_addr=0, pid=1158680, tid=1158680, time=484522497072626, transaction=0, values=[(0, 0)], weight=0}
+
+sched__sched_switch 4 484522.497085610 1225814 perf prev_comm=perf, prev_pid=1225814, prev_prio=120, prev_state=, next_comm=migration/4, next_pid=30, next_prio=0
+Sample: {addr=0, cpu=4, datasrc=84410401, datasrc_decode=N/A|SNP N/A|TLB N/A|LCK N/A, ip=18446744071841817196, period=1, phys_addr=0, pid=1225814, tid=1225814, time=484522497085610, transaction=0, values=[(0, 0)], weight=0}
+
+Fixes: 249de6e07458 ("perf script python: Fix string vs byte array resolving")
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Tested-by: Hagen Paul Pfeifer <hagen@jauu.net>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Michael Petlan <mpetlan@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Link: http://lore.kernel.org/lkml/20200928201135.3633850-1-jolsa@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/util/print_binary.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/util/print_binary.c
++++ b/tools/perf/util/print_binary.c
+@@ -48,7 +48,7 @@ int is_printable_array(char *p, unsigned
+
+ len--;
+
+- for (i = 0; i < len; i++) {
++ for (i = 0; i < len && p[i]; i++) {
+ if (!isprint(p[i]) && !isspace(p[i]))
+ return 0;
+ }
--- /dev/null
+From 0a1754b2a97efa644aa6e84d1db5b17c42251483 Mon Sep 17 00:00:00 2001
+From: Qiujun Huang <hqjagain@gmail.com>
+Date: Mon, 19 Oct 2020 22:22:42 +0800
+Subject: ring-buffer: Return 0 on success from ring_buffer_resize()
+
+From: Qiujun Huang <hqjagain@gmail.com>
+
+commit 0a1754b2a97efa644aa6e84d1db5b17c42251483 upstream.
+
+We don't need to check the new buffer size, and the return value
+had confused resize_buffer_duplicate_size().
+...
+ ret = ring_buffer_resize(trace_buf->buffer,
+ per_cpu_ptr(size_buf->data,cpu_id)->entries, cpu_id);
+ if (ret == 0)
+ per_cpu_ptr(trace_buf->data, cpu_id)->entries =
+ per_cpu_ptr(size_buf->data, cpu_id)->entries;
+...
+
+Link: https://lkml.kernel.org/r/20201019142242.11560-1-hqjagain@gmail.com
+
+Cc: stable@vger.kernel.org
+Fixes: d60da506cbeb3 ("tracing: Add a resize function to make one buffer equivalent to another buffer")
+Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ring_buffer.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -1625,18 +1625,18 @@ int ring_buffer_resize(struct ring_buffe
+ {
+ struct ring_buffer_per_cpu *cpu_buffer;
+ unsigned long nr_pages;
+- int cpu, err = 0;
++ int cpu, err;
+
+ /*
+ * Always succeed at resizing a non-existent buffer:
+ */
+ if (!buffer)
+- return size;
++ return 0;
+
+ /* Make sure the requested buffer exists */
+ if (cpu_id != RING_BUFFER_ALL_CPUS &&
+ !cpumask_test_cpu(cpu_id, buffer->cpumask))
+- return size;
++ return 0;
+
+ nr_pages = DIV_ROUND_UP(size, BUF_PAGE_SIZE);
+
+@@ -1776,7 +1776,7 @@ int ring_buffer_resize(struct ring_buffe
+ }
+
+ mutex_unlock(&buffer->mutex);
+- return size;
++ return 0;
+
+ out_err:
+ for_each_buffer_cpu(buffer, cpu) {
nfsv4.2-support-exchgid4_flag_supp_fence_ops-4.2-exchange_id-flag.patch
nfsd-add-missing-nfsv2-.pc_func-methods.patch
ubifs-dent-fix-some-potential-memory-leaks-while-iterating-entries.patch
+perf-python-scripting-fix-printable-strings-in-python3-scripts.patch
+ubi-check-kthread_should_stop-after-the-setting-of-task-state.patch
+ia64-fix-build-error-with-coredump.patch
+drm-amdgpu-don-t-map-bo-in-reserved-region.patch
+ceph-promote-to-unsigned-long-long-before-shifting.patch
+libceph-clear-con-out_msg-on-policy-stateful_server-faults.patch
+9p-cast-to-loff_t-before-multiplying.patch
+ring-buffer-return-0-on-success-from-ring_buffer_resize.patch
+vringh-fix-__vringh_iov-when-riov-and-wiov-are-different.patch
+ext4-fix-leaking-sysfs-kobject-after-failed-mount.patch
+ext4-fix-error-handling-code-in-add_new_gdb.patch
+ext4-fix-invalid-inode-checksum.patch
+ext4-fix-superblock-checksum-calculation-race.patch
+drm-ttm-fix-eviction-valuable-range-check.patch
--- /dev/null
+From d005f8c6588efcfbe88099b6edafc6f58c84a9c1 Mon Sep 17 00:00:00 2001
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+Date: Mon, 1 Jun 2020 17:12:31 +0800
+Subject: ubi: check kthread_should_stop() after the setting of task state
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+commit d005f8c6588efcfbe88099b6edafc6f58c84a9c1 upstream.
+
+A detach hung is possible when a race occurs between the detach process
+and the ubi background thread. The following sequences outline the race:
+
+ ubi thread: if (list_empty(&ubi->works)...
+
+ ubi detach: set_bit(KTHREAD_SHOULD_STOP, &kthread->flags)
+ => by kthread_stop()
+ wake_up_process()
+ => ubi thread is still running, so 0 is returned
+
+ ubi thread: set_current_state(TASK_INTERRUPTIBLE)
+ schedule()
+ => ubi thread will never be scheduled again
+
+ ubi detach: wait_for_completion()
+ => hung task!
+
+To fix that, we need to check kthread_should_stop() after we set the
+task state, so the ubi thread will either see the stop bit and exit or
+the task state is reset to runnable such that it isn't scheduled out
+indefinitely.
+
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Cc: <stable@vger.kernel.org>
+Fixes: 801c135ce73d5df1ca ("UBI: Unsorted Block Images")
+Reported-by: syzbot+853639d0cb16c31c7a14@syzkaller.appspotmail.com
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/ubi/wl.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/mtd/ubi/wl.c
++++ b/drivers/mtd/ubi/wl.c
+@@ -1478,6 +1478,19 @@ int ubi_thread(void *u)
+ !ubi->thread_enabled || ubi_dbg_is_bgt_disabled(ubi)) {
+ set_current_state(TASK_INTERRUPTIBLE);
+ spin_unlock(&ubi->wl_lock);
++
++ /*
++ * Check kthread_should_stop() after we set the task
++ * state to guarantee that we either see the stop bit
++ * and exit or the task state is reset to runnable such
++ * that it's not scheduled out indefinitely and detects
++ * the stop bit at kthread_should_stop().
++ */
++ if (kthread_should_stop()) {
++ set_current_state(TASK_RUNNING);
++ break;
++ }
++
+ schedule();
+ continue;
+ }
--- /dev/null
+From 5745bcfbbf89b158416075374254d3c013488f21 Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Thu, 8 Oct 2020 22:42:56 +0200
+Subject: vringh: fix __vringh_iov() when riov and wiov are different
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+commit 5745bcfbbf89b158416075374254d3c013488f21 upstream.
+
+If riov and wiov are both defined and they point to different
+objects, only riov is initialized. If the wiov is not initialized
+by the caller, the function fails returning -EINVAL and printing
+"Readable desc 0x... after writable" error message.
+
+This issue happens when descriptors have both readable and writable
+buffers (eg. virtio-blk devices has virtio_blk_outhdr in the readable
+buffer and status as last byte of writable buffer) and we call
+__vringh_iov() to get both type of buffers in two different iovecs.
+
+Let's replace the 'else if' clause with 'if' to initialize both
+riov and wiov if they are not NULL.
+
+As checkpatch pointed out, we also avoid crashing the kernel
+when riov and wiov are both NULL, replacing BUG() with WARN_ON()
+and returning -EINVAL.
+
+Fixes: f87d0fbb5798 ("vringh: host-side implementation of virtio rings.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://lore.kernel.org/r/20201008204256.162292-1-sgarzare@redhat.com
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/vhost/vringh.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/vhost/vringh.c
++++ b/drivers/vhost/vringh.c
+@@ -273,13 +273,14 @@ __vringh_iov(struct vringh *vrh, u16 i,
+ desc_max = vrh->vring.num;
+ up_next = -1;
+
++ /* You must want something! */
++ if (WARN_ON(!riov && !wiov))
++ return -EINVAL;
++
+ if (riov)
+ riov->i = riov->used = 0;
+- else if (wiov)
++ if (wiov)
+ wiov->i = wiov->used = 0;
+- else
+- /* You must want something! */
+- BUG();
+
+ for (;;) {
+ void *addr;
projects / thirdparty / kernel / stable-queue.git / commitdiff
