From 9f58c71b372fe7ca2b76a4e6ae869e168d51e893 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 15 Sep 2020 09:57:23 +0200
Subject: [PATCH] 5.4-stable patches

added patches:
	drm-i915-gvt-do-not-check-len-max_len-for-lri.patch
	drm-msm-disable-preemption-on-all-5xx-targets.patch
	drm-msm-split-the-a5xx-preemption-record.patch
	drm-tve200-stabilize-enable-disable.patch
	mmc-sdhci-of-esdhc-don-t-walk-device-tree-on-every-interrupt.patch
	mmc-sdio-use-mmc_pre_req-mmc_post_req.patch
	rbd-require-global-cap_sys_admin-for-mapping-and-unmapping.patch
---
 ...gvt-do-not-check-len-max_len-for-lri.patch |  43 +++++++
 ...isable-preemption-on-all-5xx-targets.patch |  33 ++++++
 ...msm-split-the-a5xx-preemption-record.patch |  93 +++++++++++++++
 .../drm-tve200-stabilize-enable-disable.patch |  90 +++++++++++++++
 ...-walk-device-tree-on-every-interrupt.patch |  61 ++++++++++
 ...mc-sdio-use-mmc_pre_req-mmc_post_req.patch | 107 ++++++++++++++++++
 ..._sys_admin-for-mapping-and-unmapping.patch |  79 +++++++++++++
 queue-5.4/series                              |   7 ++
 8 files changed, 513 insertions(+)
 create mode 100644 queue-5.4/drm-i915-gvt-do-not-check-len-max_len-for-lri.patch
 create mode 100644 queue-5.4/drm-msm-disable-preemption-on-all-5xx-targets.patch
 create mode 100644 queue-5.4/drm-msm-split-the-a5xx-preemption-record.patch
 create mode 100644 queue-5.4/drm-tve200-stabilize-enable-disable.patch
 create mode 100644 queue-5.4/mmc-sdhci-of-esdhc-don-t-walk-device-tree-on-every-interrupt.patch
 create mode 100644 queue-5.4/mmc-sdio-use-mmc_pre_req-mmc_post_req.patch
 create mode 100644 queue-5.4/rbd-require-global-cap_sys_admin-for-mapping-and-unmapping.patch

diff --git a/queue-5.4/drm-i915-gvt-do-not-check-len-max_len-for-lri.patch b/queue-5.4/drm-i915-gvt-do-not-check-len-max_len-for-lri.patch
new file mode 100644
index 00000000000..e1449927cef
--- /dev/null
+++ b/queue-5.4/drm-i915-gvt-do-not-check-len-max_len-for-lri.patch
@@ -0,0 +1,43 @@
+From dbafc67307ec06036b25b223a251af03fe07969a Mon Sep 17 00:00:00 2001
+From: Yan Zhao <yan.y.zhao@intel.com>
+Date: Wed, 18 Mar 2020 13:48:26 +0800
+Subject: drm/i915/gvt: do not check len & max_len for lri
+
+From: Yan Zhao <yan.y.zhao@intel.com>
+
+commit dbafc67307ec06036b25b223a251af03fe07969a upstream.
+
+lri ususally of variable len and far exceeding 127 dwords.
+
+Fixes: 00a33be40634 ("drm/i915/gvt: Add valid length check for MI variable commands")
+Signed-off-by: Yan Zhao <yan.y.zhao@intel.com>
+Acked-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20200304095121.21609-1-yan.y.zhao@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/gvt/cmd_parser.c |   12 ------------
+ 1 file changed, 12 deletions(-)
+
+--- a/drivers/gpu/drm/i915/gvt/cmd_parser.c
++++ b/drivers/gpu/drm/i915/gvt/cmd_parser.c
+@@ -963,18 +963,6 @@ static int cmd_handler_lri(struct parser
+ 	int i, ret = 0;
+ 	int cmd_len = cmd_length(s);
+ 	struct intel_gvt *gvt = s->vgpu->gvt;
+-	u32 valid_len = CMD_LEN(1);
+-
+-	/*
+-	 * Official intel docs are somewhat sloppy , check the definition of
+-	 * MI_LOAD_REGISTER_IMM.
+-	 */
+-	#define MAX_VALID_LEN 127
+-	if ((cmd_len < valid_len) || (cmd_len > MAX_VALID_LEN)) {
+-		gvt_err("len is not valid:  len=%u  valid_len=%u\n",
+-			cmd_len, valid_len);
+-		return -EFAULT;
+-	}
+ 
+ 	for (i = 1; i < cmd_len; i += 2) {
+ 		if (IS_BROADWELL(gvt->dev_priv) && s->ring_id != RCS0) {
diff --git a/queue-5.4/drm-msm-disable-preemption-on-all-5xx-targets.patch b/queue-5.4/drm-msm-disable-preemption-on-all-5xx-targets.patch
new file mode 100644
index 00000000000..b3a9dbbae47
--- /dev/null
+++ b/queue-5.4/drm-msm-disable-preemption-on-all-5xx-targets.patch
@@ -0,0 +1,33 @@
+From 7b3f3948c8b7053d771acc9f79810cc410f5e2e0 Mon Sep 17 00:00:00 2001
+From: Jordan Crouse <jcrouse@codeaurora.org>
+Date: Thu, 3 Sep 2020 20:03:12 -0600
+Subject: drm/msm: Disable preemption on all 5xx targets
+
+From: Jordan Crouse <jcrouse@codeaurora.org>
+
+commit 7b3f3948c8b7053d771acc9f79810cc410f5e2e0 upstream.
+
+Temporarily disable preemption on a5xx targets pending some improvements
+to protect the RPTR shadow from being corrupted.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/msm/adreno/a5xx_gpu.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c
++++ b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c
+@@ -1451,7 +1451,8 @@ struct msm_gpu *a5xx_gpu_init(struct drm
+ 
+ 	check_speed_bin(&pdev->dev);
+ 
+-	ret = adreno_gpu_init(dev, pdev, adreno_gpu, &funcs, 4);
++	/* Restricting nr_rings to 1 to temporarily disable preemption */
++	ret = adreno_gpu_init(dev, pdev, adreno_gpu, &funcs, 1);
+ 	if (ret) {
+ 		a5xx_destroy(&(a5xx_gpu->base.base));
+ 		return ERR_PTR(ret);
diff --git a/queue-5.4/drm-msm-split-the-a5xx-preemption-record.patch b/queue-5.4/drm-msm-split-the-a5xx-preemption-record.patch
new file mode 100644
index 00000000000..1ff794c7885
--- /dev/null
+++ b/queue-5.4/drm-msm-split-the-a5xx-preemption-record.patch
@@ -0,0 +1,93 @@
+From 34221545d2069dc947131f42392fd4cebabe1b39 Mon Sep 17 00:00:00 2001
+From: Jordan Crouse <jcrouse@codeaurora.org>
+Date: Thu, 3 Sep 2020 20:03:10 -0600
+Subject: drm/msm: Split the a5xx preemption record
+
+From: Jordan Crouse <jcrouse@codeaurora.org>
+
+commit 34221545d2069dc947131f42392fd4cebabe1b39 upstream.
+
+The main a5xx preemption record can be marked as privileged to
+protect it from user access but the counters storage needs to be
+remain unprivileged. Split the buffers and mark the critical memory
+as privileged.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/msm/adreno/a5xx_gpu.h     |    1 +
+ drivers/gpu/drm/msm/adreno/a5xx_preempt.c |   25 ++++++++++++++++++++-----
+ 2 files changed, 21 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/msm/adreno/a5xx_gpu.h
++++ b/drivers/gpu/drm/msm/adreno/a5xx_gpu.h
+@@ -31,6 +31,7 @@ struct a5xx_gpu {
+ 	struct msm_ringbuffer *next_ring;
+ 
+ 	struct drm_gem_object *preempt_bo[MSM_GPU_MAX_RINGS];
++	struct drm_gem_object *preempt_counters_bo[MSM_GPU_MAX_RINGS];
+ 	struct a5xx_preempt_record *preempt[MSM_GPU_MAX_RINGS];
+ 	uint64_t preempt_iova[MSM_GPU_MAX_RINGS];
+ 
+--- a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
++++ b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
+@@ -226,19 +226,31 @@ static int preempt_init_ring(struct a5xx
+ 	struct adreno_gpu *adreno_gpu = &a5xx_gpu->base;
+ 	struct msm_gpu *gpu = &adreno_gpu->base;
+ 	struct a5xx_preempt_record *ptr;
+-	struct drm_gem_object *bo = NULL;
+-	u64 iova = 0;
++	void *counters;
++	struct drm_gem_object *bo = NULL, *counters_bo = NULL;
++	u64 iova = 0, counters_iova = 0;
+ 
+ 	ptr = msm_gem_kernel_new(gpu->dev,
+ 		A5XX_PREEMPT_RECORD_SIZE + A5XX_PREEMPT_COUNTER_SIZE,
+-		MSM_BO_UNCACHED, gpu->aspace, &bo, &iova);
++		MSM_BO_UNCACHED | MSM_BO_MAP_PRIV, gpu->aspace, &bo, &iova);
+ 
+ 	if (IS_ERR(ptr))
+ 		return PTR_ERR(ptr);
+ 
++	/* The buffer to store counters needs to be unprivileged */
++	counters = msm_gem_kernel_new(gpu->dev,
++		A5XX_PREEMPT_COUNTER_SIZE,
++		MSM_BO_UNCACHED, gpu->aspace, &counters_bo, &counters_iova);
++	if (IS_ERR(counters)) {
++		msm_gem_kernel_put(bo, gpu->aspace, true);
++		return PTR_ERR(counters);
++	}
++
+ 	msm_gem_object_set_name(bo, "preempt");
++	msm_gem_object_set_name(counters_bo, "preempt_counters");
+ 
+ 	a5xx_gpu->preempt_bo[ring->id] = bo;
++	a5xx_gpu->preempt_counters_bo[ring->id] = counters_bo;
+ 	a5xx_gpu->preempt_iova[ring->id] = iova;
+ 	a5xx_gpu->preempt[ring->id] = ptr;
+ 
+@@ -249,7 +261,7 @@ static int preempt_init_ring(struct a5xx
+ 	ptr->data = 0;
+ 	ptr->cntl = MSM_GPU_RB_CNTL_DEFAULT;
+ 	ptr->rptr_addr = rbmemptr(ring, rptr);
+-	ptr->counter = iova + A5XX_PREEMPT_RECORD_SIZE;
++	ptr->counter = counters_iova;
+ 
+ 	return 0;
+ }
+@@ -260,8 +272,11 @@ void a5xx_preempt_fini(struct msm_gpu *g
+ 	struct a5xx_gpu *a5xx_gpu = to_a5xx_gpu(adreno_gpu);
+ 	int i;
+ 
+-	for (i = 0; i < gpu->nr_rings; i++)
++	for (i = 0; i < gpu->nr_rings; i++) {
+ 		msm_gem_kernel_put(a5xx_gpu->preempt_bo[i], gpu->aspace, true);
++		msm_gem_kernel_put(a5xx_gpu->preempt_counters_bo[i],
++			gpu->aspace, true);
++	}
+ }
+ 
+ void a5xx_preempt_init(struct msm_gpu *gpu)
diff --git a/queue-5.4/drm-tve200-stabilize-enable-disable.patch b/queue-5.4/drm-tve200-stabilize-enable-disable.patch
new file mode 100644
index 00000000000..4f08e05d197
--- /dev/null
+++ b/queue-5.4/drm-tve200-stabilize-enable-disable.patch
@@ -0,0 +1,90 @@
+From f71800228dc74711c3df43854ce7089562a3bc2d Mon Sep 17 00:00:00 2001
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Thu, 20 Aug 2020 22:31:44 +0200
+Subject: drm/tve200: Stabilize enable/disable
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+commit f71800228dc74711c3df43854ce7089562a3bc2d upstream.
+
+The TVE200 will occasionally print a bunch of lost interrupts
+and similar dmesg messages, sometimes during boot and sometimes
+after disabling and coming back to enablement. This is probably
+because the hardware is left in an unknown state by the boot
+loader that displays a logo.
+
+This can be fixed by bringing the controller into a known state
+by resetting the controller while enabling it. We retry reset 5
+times like the vendor driver does. We also put the controller
+into reset before de-clocking it and clear all interrupts before
+enabling the vblank IRQ.
+
+This makes the video enable/disable/enable cycle rock solid
+on the D-Link DIR-685. Tested extensively.
+
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: stable@vger.kernel.org
+Link: https://patchwork.freedesktop.org/patch/msgid/20200820203144.271081-1-linus.walleij@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/tve200/tve200_display.c |   22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/tve200/tve200_display.c
++++ b/drivers/gpu/drm/tve200/tve200_display.c
+@@ -14,6 +14,7 @@
+ #include <linux/version.h>
+ #include <linux/dma-buf.h>
+ #include <linux/of_graph.h>
++#include <linux/delay.h>
+ 
+ #include <drm/drm_fb_cma_helper.h>
+ #include <drm/drm_fourcc.h>
+@@ -130,9 +131,25 @@ static void tve200_display_enable(struct
+ 	struct drm_connector *connector = priv->connector;
+ 	u32 format = fb->format->format;
+ 	u32 ctrl1 = 0;
++	int retries;
+ 
+ 	clk_prepare_enable(priv->clk);
+ 
++	/* Reset the TVE200 and wait for it to come back online */
++	writel(TVE200_CTRL_4_RESET, priv->regs + TVE200_CTRL_4);
++	for (retries = 0; retries < 5; retries++) {
++		usleep_range(30000, 50000);
++		if (readl(priv->regs + TVE200_CTRL_4) & TVE200_CTRL_4_RESET)
++			continue;
++		else
++			break;
++	}
++	if (retries == 5 &&
++	    readl(priv->regs + TVE200_CTRL_4) & TVE200_CTRL_4_RESET) {
++		dev_err(drm->dev, "can't get hardware out of reset\n");
++		return;
++	}
++
+ 	/* Function 1 */
+ 	ctrl1 |= TVE200_CTRL_CSMODE;
+ 	/* Interlace mode for CCIR656: parameterize? */
+@@ -230,8 +247,9 @@ static void tve200_display_disable(struc
+ 
+ 	drm_crtc_vblank_off(crtc);
+ 
+-	/* Disable and Power Down */
++	/* Disable put into reset and Power Down */
+ 	writel(0, priv->regs + TVE200_CTRL);
++	writel(TVE200_CTRL_4_RESET, priv->regs + TVE200_CTRL_4);
+ 
+ 	clk_disable_unprepare(priv->clk);
+ }
+@@ -279,6 +297,8 @@ static int tve200_display_enable_vblank(
+ 	struct drm_device *drm = crtc->dev;
+ 	struct tve200_drm_dev_private *priv = drm->dev_private;
+ 
++	/* Clear any IRQs and enable */
++	writel(0xFF, priv->regs + TVE200_INT_CLR);
+ 	writel(TVE200_INT_V_STATUS, priv->regs + TVE200_INT_EN);
+ 	return 0;
+ }
diff --git a/queue-5.4/mmc-sdhci-of-esdhc-don-t-walk-device-tree-on-every-interrupt.patch b/queue-5.4/mmc-sdhci-of-esdhc-don-t-walk-device-tree-on-every-interrupt.patch
new file mode 100644
index 00000000000..715fc9a7e2d
--- /dev/null
+++ b/queue-5.4/mmc-sdhci-of-esdhc-don-t-walk-device-tree-on-every-interrupt.patch
@@ -0,0 +1,61 @@
+From 060522d89705f9d961ef1762dc1468645dd21fbd Mon Sep 17 00:00:00 2001
+From: Chris Packham <chris.packham@alliedtelesis.co.nz>
+Date: Thu, 3 Sep 2020 13:20:29 +1200
+Subject: mmc: sdhci-of-esdhc: Don't walk device-tree on every interrupt
+
+From: Chris Packham <chris.packham@alliedtelesis.co.nz>
+
+commit 060522d89705f9d961ef1762dc1468645dd21fbd upstream.
+
+Commit b214fe592ab7 ("mmc: sdhci-of-esdhc: add erratum eSDHC7 support")
+added code to check for a specific compatible string in the device-tree
+on every esdhc interrupat. Instead of doing this record the quirk in
+struct sdhci_esdhc and lookup the struct in esdhc_irq.
+
+Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
+Link: https://lore.kernel.org/r/20200903012029.25673-1-chris.packham@alliedtelesis.co.nz
+Fixes: b214fe592ab7 ("mmc: sdhci-of-esdhc: add erratum eSDHC7 support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci-of-esdhc.c |   10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/mmc/host/sdhci-of-esdhc.c
++++ b/drivers/mmc/host/sdhci-of-esdhc.c
+@@ -81,6 +81,7 @@ struct sdhci_esdhc {
+ 	bool quirk_tuning_erratum_type2;
+ 	bool quirk_ignore_data_inhibit;
+ 	bool quirk_delay_before_data_reset;
++	bool quirk_trans_complete_erratum;
+ 	bool in_sw_tuning;
+ 	unsigned int peripheral_clock;
+ 	const struct esdhc_clk_fixup *clk_fixup;
+@@ -1082,10 +1083,11 @@ static void esdhc_set_uhs_signaling(stru
+ 
+ static u32 esdhc_irq(struct sdhci_host *host, u32 intmask)
+ {
++	struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
++	struct sdhci_esdhc *esdhc = sdhci_pltfm_priv(pltfm_host);
+ 	u32 command;
+ 
+-	if (of_find_compatible_node(NULL, NULL,
+-				"fsl,p2020-esdhc")) {
++	if (esdhc->quirk_trans_complete_erratum) {
+ 		command = SDHCI_GET_CMD(sdhci_readw(host,
+ 					SDHCI_COMMAND));
+ 		if (command == MMC_WRITE_MULTIPLE_BLOCK &&
+@@ -1239,8 +1241,10 @@ static void esdhc_init(struct platform_d
+ 		esdhc->clk_fixup = match->data;
+ 	np = pdev->dev.of_node;
+ 
+-	if (of_device_is_compatible(np, "fsl,p2020-esdhc"))
++	if (of_device_is_compatible(np, "fsl,p2020-esdhc")) {
+ 		esdhc->quirk_delay_before_data_reset = true;
++		esdhc->quirk_trans_complete_erratum = true;
++	}
+ 
+ 	clk = of_clk_get(np, 0);
+ 	if (!IS_ERR(clk)) {
diff --git a/queue-5.4/mmc-sdio-use-mmc_pre_req-mmc_post_req.patch b/queue-5.4/mmc-sdio-use-mmc_pre_req-mmc_post_req.patch
new file mode 100644
index 00000000000..93cdefa5d62
--- /dev/null
+++ b/queue-5.4/mmc-sdio-use-mmc_pre_req-mmc_post_req.patch
@@ -0,0 +1,107 @@
+From f0c393e2104e48c8a881719a8bd37996f71b0aee Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Thu, 3 Sep 2020 11:20:07 +0300
+Subject: mmc: sdio: Use mmc_pre_req() / mmc_post_req()
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit f0c393e2104e48c8a881719a8bd37996f71b0aee upstream.
+
+SDHCI changed from using a tasklet to finish requests, to using an IRQ
+thread i.e. commit c07a48c2651965 ("mmc: sdhci: Remove finish_tasklet").
+Because this increased the latency to complete requests, a preparatory
+change was made to complete the request from the IRQ handler if
+possible i.e. commit 19d2f695f4e827 ("mmc: sdhci: Call mmc_request_done()
+from IRQ handler if possible").  That alleviated the situation for MMC
+block devices because the MMC block driver makes use of mmc_pre_req()
+and mmc_post_req() so that successful requests are completed in the IRQ
+handler and any DMA unmapping is handled separately in mmc_post_req().
+However SDIO was still affected, and an example has been reported with
+up to 20% degradation in performance.
+
+Looking at SDIO I/O helper functions, sdio_io_rw_ext_helper() appeared
+to be a possible candidate for making use of asynchronous requests
+within its I/O loops, but analysis revealed that these loops almost
+never iterate more than once, so the complexity of the change would not
+be warrented.
+
+Instead, mmc_pre_req() and mmc_post_req() are added before and after I/O
+submission (mmc_wait_for_req) in mmc_io_rw_extended().  This still has
+the potential benefit of reducing the duration of interrupt handlers, as
+well as addressing the latency issue for SDHCI.  It also seems a more
+reasonable solution than forcing drivers to do everything in the IRQ
+handler.
+
+Reported-by: Dmitry Osipenko <digetx@gmail.com>
+Fixes: c07a48c2651965 ("mmc: sdhci: Remove finish_tasklet")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Tested-by: Dmitry Osipenko <digetx@gmail.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20200903082007.18715-1-adrian.hunter@intel.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/core/sdio_ops.c |   39 ++++++++++++++++++++++-----------------
+ 1 file changed, 22 insertions(+), 17 deletions(-)
+
+--- a/drivers/mmc/core/sdio_ops.c
++++ b/drivers/mmc/core/sdio_ops.c
+@@ -121,6 +121,7 @@ int mmc_io_rw_extended(struct mmc_card *
+ 	struct sg_table sgtable;
+ 	unsigned int nents, left_size, i;
+ 	unsigned int seg_size = card->host->max_seg_size;
++	int err;
+ 
+ 	WARN_ON(blksz == 0);
+ 
+@@ -170,28 +171,32 @@ int mmc_io_rw_extended(struct mmc_card *
+ 
+ 	mmc_set_data_timeout(&data, card);
+ 
+-	mmc_wait_for_req(card->host, &mrq);
++	mmc_pre_req(card->host, &mrq);
+ 
+-	if (nents > 1)
+-		sg_free_table(&sgtable);
++	mmc_wait_for_req(card->host, &mrq);
+ 
+ 	if (cmd.error)
+-		return cmd.error;
+-	if (data.error)
+-		return data.error;
+-
+-	if (mmc_host_is_spi(card->host)) {
++		err = cmd.error;
++	else if (data.error)
++		err = data.error;
++	else if (mmc_host_is_spi(card->host))
+ 		/* host driver already reported errors */
+-	} else {
+-		if (cmd.resp[0] & R5_ERROR)
+-			return -EIO;
+-		if (cmd.resp[0] & R5_FUNCTION_NUMBER)
+-			return -EINVAL;
+-		if (cmd.resp[0] & R5_OUT_OF_RANGE)
+-			return -ERANGE;
+-	}
++		err = 0;
++	else if (cmd.resp[0] & R5_ERROR)
++		err = -EIO;
++	else if (cmd.resp[0] & R5_FUNCTION_NUMBER)
++		err = -EINVAL;
++	else if (cmd.resp[0] & R5_OUT_OF_RANGE)
++		err = -ERANGE;
++	else
++		err = 0;
++
++	mmc_post_req(card->host, &mrq, err);
++
++	if (nents > 1)
++		sg_free_table(&sgtable);
+ 
+-	return 0;
++	return err;
+ }
+ 
+ int sdio_reset(struct mmc_host *host)
diff --git a/queue-5.4/rbd-require-global-cap_sys_admin-for-mapping-and-unmapping.patch b/queue-5.4/rbd-require-global-cap_sys_admin-for-mapping-and-unmapping.patch
new file mode 100644
index 00000000000..24d35ec7e3c
--- /dev/null
+++ b/queue-5.4/rbd-require-global-cap_sys_admin-for-mapping-and-unmapping.patch
@@ -0,0 +1,79 @@
+From f44d04e696feaf13d192d942c4f14ad2e117065a Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Thu, 3 Sep 2020 13:24:11 +0200
+Subject: rbd: require global CAP_SYS_ADMIN for mapping and unmapping
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit f44d04e696feaf13d192d942c4f14ad2e117065a upstream.
+
+It turns out that currently we rely only on sysfs attribute
+permissions:
+
+  $ ll /sys/bus/rbd/{add*,remove*}
+  --w------- 1 root root 4096 Sep  3 20:37 /sys/bus/rbd/add
+  --w------- 1 root root 4096 Sep  3 20:37 /sys/bus/rbd/add_single_major
+  --w------- 1 root root 4096 Sep  3 20:37 /sys/bus/rbd/remove
+  --w------- 1 root root 4096 Sep  3 20:38 /sys/bus/rbd/remove_single_major
+
+This means that images can be mapped and unmapped (i.e. block devices
+can be created and deleted) by a UID 0 process even after it drops all
+privileges or by any process with CAP_DAC_OVERRIDE in its user namespace
+as long as UID 0 is mapped into that user namespace.
+
+Be consistent with other virtual block devices (loop, nbd, dm, md, etc)
+and require CAP_SYS_ADMIN in the initial user namespace for mapping and
+unmapping, and also for dumping the configuration string and refreshing
+the image header.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/rbd.c |   12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/block/rbd.c
++++ b/drivers/block/rbd.c
+@@ -5280,6 +5280,9 @@ static ssize_t rbd_config_info_show(stru
+ {
+ 	struct rbd_device *rbd_dev = dev_to_rbd_dev(dev);
+ 
++	if (!capable(CAP_SYS_ADMIN))
++		return -EPERM;
++
+ 	return sprintf(buf, "%s\n", rbd_dev->config_info);
+ }
+ 
+@@ -5391,6 +5394,9 @@ static ssize_t rbd_image_refresh(struct
+ 	struct rbd_device *rbd_dev = dev_to_rbd_dev(dev);
+ 	int ret;
+ 
++	if (!capable(CAP_SYS_ADMIN))
++		return -EPERM;
++
+ 	ret = rbd_dev_refresh(rbd_dev);
+ 	if (ret)
+ 		return ret;
+@@ -7059,6 +7065,9 @@ static ssize_t do_rbd_add(struct bus_typ
+ 	struct rbd_client *rbdc;
+ 	int rc;
+ 
++	if (!capable(CAP_SYS_ADMIN))
++		return -EPERM;
++
+ 	if (!try_module_get(THIS_MODULE))
+ 		return -ENODEV;
+ 
+@@ -7208,6 +7217,9 @@ static ssize_t do_rbd_remove(struct bus_
+ 	bool force = false;
+ 	int ret;
+ 
++	if (!capable(CAP_SYS_ADMIN))
++		return -EPERM;
++
+ 	dev_id = -1;
+ 	opt_buf[0] = '\0';
+ 	sscanf(buf, "%d %5s", &dev_id, opt_buf);
diff --git a/queue-5.4/series b/queue-5.4/series
index a9e42a3f623..601d065e126 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -100,3 +100,10 @@ regulator-plug-of_node-leak-in-regulator_register-s-error-path.patch
 regulator-core-fix-slab-out-of-bounds-in-regulator_unlock_recursive.patch
 scsi-target-iscsi-fix-data-digest-calculation.patch
 scsi-target-iscsi-fix-hang-in-iscsit_access_np-when-getting-tpg-np_login_sem.patch
+drm-i915-gvt-do-not-check-len-max_len-for-lri.patch
+drm-tve200-stabilize-enable-disable.patch
+drm-msm-split-the-a5xx-preemption-record.patch
+drm-msm-disable-preemption-on-all-5xx-targets.patch
+mmc-sdio-use-mmc_pre_req-mmc_post_req.patch
+mmc-sdhci-of-esdhc-don-t-walk-device-tree-on-every-interrupt.patch
+rbd-require-global-cap_sys_admin-for-mapping-and-unmapping.patch
-- 
2.47.3