--- /dev/null
+From e9abc611a941d4051cde1d94b2ab7473fdb50102 Mon Sep 17 00:00:00 2001
+From: Jonas Karlman <jonas@kwiboo.se>
+Date: Wed, 20 Feb 2019 22:40:06 +0000
+Subject: drm/rockchip: vop: reset scale mode when win is disabled
+
+From: Jonas Karlman <jonas@kwiboo.se>
+
+commit e9abc611a941d4051cde1d94b2ab7473fdb50102 upstream.
+
+NV12 framebuffers produced by the VPU shows distorted on RK3288
+after win has been disabled when scaling is active.
+
+This issue can be reproduced using a 1080p modeset by:
+- Scale a 1280x720 NV12 framebuffer to 1920x1080 on win0
+- Disable win0
+- Display a 1920x1080 NV12 framebuffer without scaling on win0
+- Output will now show the framebuffer distorted
+
+And by:
+- Scale a 1280x720 NV12 framebuffer to 1920x1080
+- Change to a 720p modeset (win gets disabled and scaling reset to none)
+- Output will now show the framebuffer distorted
+
+Fix this by setting scale mode to none when win is disabled.
+
+Fixes: 4c156c21c794 ("drm/rockchip: vop: support plane scale")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/AM3PR03MB0966DE3E19BACE07328CD637AC7D0@AM3PR03MB0966.eurprd03.prod.outlook.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
+@@ -511,6 +511,18 @@ static void vop_core_clks_disable(struct
+ clk_disable(vop->hclk);
+ }
+
++static void vop_win_disable(struct vop *vop, const struct vop_win_data *win)
++{
++ if (win->phy->scl && win->phy->scl->ext) {
++ VOP_SCL_SET_EXT(vop, win, yrgb_hor_scl_mode, SCALE_NONE);
++ VOP_SCL_SET_EXT(vop, win, yrgb_ver_scl_mode, SCALE_NONE);
++ VOP_SCL_SET_EXT(vop, win, cbcr_hor_scl_mode, SCALE_NONE);
++ VOP_SCL_SET_EXT(vop, win, cbcr_ver_scl_mode, SCALE_NONE);
++ }
++
++ VOP_WIN_SET(vop, win, enable, 0);
++}
++
+ static int vop_enable(struct drm_crtc *crtc)
+ {
+ struct vop *vop = to_vop(crtc);
+@@ -556,7 +568,7 @@ static int vop_enable(struct drm_crtc *c
+ struct vop_win *vop_win = &vop->win[i];
+ const struct vop_win_data *win = vop_win->data;
+
+- VOP_WIN_SET(vop, win, enable, 0);
++ vop_win_disable(vop, win);
+ }
+ spin_unlock(&vop->reg_lock);
+
+@@ -700,7 +712,7 @@ static void vop_plane_atomic_disable(str
+
+ spin_lock(&vop->reg_lock);
+
+- VOP_WIN_SET(vop, win, enable, 0);
++ vop_win_disable(vop, win);
+
+ spin_unlock(&vop->reg_lock);
+ }
+@@ -1476,7 +1488,7 @@ static int vop_initial(struct vop *vop)
+ int channel = i * 2 + 1;
+
+ VOP_WIN_SET(vop, win, channel, (channel + 1) << 4 | channel);
+- VOP_WIN_SET(vop, win, enable, 0);
++ vop_win_disable(vop, win);
+ VOP_WIN_SET(vop, win, gate, 1);
+ }
+
--- /dev/null
+From 73601ea5b7b18eb234219ae2adf77530f389da79 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Thu, 28 Mar 2019 20:43:30 -0700
+Subject: fs/open.c: allow opening only regular files during execve()
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit 73601ea5b7b18eb234219ae2adf77530f389da79 upstream.
+
+syzbot is hitting lockdep warning [1] due to trying to open a fifo
+during an execve() operation. But we don't need to open non regular
+files during an execve() operation, for all files which we will need are
+the executable file itself and the interpreter programs like /bin/sh and
+ld-linux.so.2 .
+
+Since the manpage for execve(2) says that execve() returns EACCES when
+the file or a script interpreter is not a regular file, and the manpage
+for uselib(2) says that uselib() can return EACCES, and we use
+FMODE_EXEC when opening for execve()/uselib(), we can bail out if a non
+regular file is requested with FMODE_EXEC set.
+
+Since this deadlock followed by khungtaskd warnings is trivially
+reproducible by a local unprivileged user, and syzbot's frequent crash
+due to this deadlock defers finding other bugs, let's workaround this
+deadlock until we get a chance to find a better solution.
+
+[1] https://syzkaller.appspot.com/bug?id=b5095bfec44ec84213bac54742a82483aad578ce
+
+Link: http://lkml.kernel.org/r/1552044017-7890-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp
+Reported-by: syzbot <syzbot+e93a80c1bb7c5c56e522461c149f8bf55eab1b2b@syzkaller.appspotmail.com>
+Fixes: 8924feff66f35fe2 ("splice: lift pipe_lock out of splice_to_pipe()")
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Acked-by: Kees Cook <keescook@chromium.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Eric Biggers <ebiggers3@gmail.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: <stable@vger.kernel.org> [4.9+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/open.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/open.c
++++ b/fs/open.c
+@@ -733,6 +733,12 @@ static int do_dentry_open(struct file *f
+ return 0;
+ }
+
++ /* Any file opened for execve()/uselib() has to be a regular file. */
++ if (unlikely(f->f_flags & FMODE_EXEC && !S_ISREG(inode->i_mode))) {
++ error = -EACCES;
++ goto cleanup_file;
++ }
++
+ if (f->f_mode & FMODE_WRITE && !special_file(inode->i_mode)) {
+ error = get_write_access(inode);
+ if (unlikely(error))
--- /dev/null
+From 0a352554da69b02f75ca3389c885c741f1f63235 Mon Sep 17 00:00:00 2001
+From: Nicolas Boichat <drinkcat@chromium.org>
+Date: Thu, 28 Mar 2019 20:43:46 -0700
+Subject: iommu/io-pgtable-arm-v7s: request DMA32 memory, and improve debugging
+
+From: Nicolas Boichat <drinkcat@chromium.org>
+
+commit 0a352554da69b02f75ca3389c885c741f1f63235 upstream.
+
+IOMMUs using ARMv7 short-descriptor format require page tables (level 1
+and 2) to be allocated within the first 4GB of RAM, even on 64-bit
+systems.
+
+For level 1/2 pages, ensure GFP_DMA32 is used if CONFIG_ZONE_DMA32 is
+defined (e.g. on arm64 platforms).
+
+For level 2 pages, allocate a slab cache in SLAB_CACHE_DMA32. Note that
+we do not explicitly pass GFP_DMA[32] to kmem_cache_zalloc, as this is
+not strictly necessary, and would cause a warning in mm/sl*b.c, as we
+did not update GFP_SLAB_BUG_MASK.
+
+Also, print an error when the physical address does not fit in
+32-bit, to make debugging easier in the future.
+
+Link: http://lkml.kernel.org/r/20181210011504.122604-3-drinkcat@chromium.org
+Fixes: ad67f5a6545f ("arm64: replace ZONE_DMA with ZONE_DMA32")
+Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
+Acked-by: Will Deacon <will.deacon@arm.com>
+Cc: Christoph Hellwig <hch@infradead.org>
+Cc: Christoph Lameter <cl@linux.com>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Hsin-Yi Wang <hsinyi@chromium.org>
+Cc: Huaisheng Ye <yehs1@lenovo.com>
+Cc: Joerg Roedel <joro@8bytes.org>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Matthias Brugger <matthias.bgg@gmail.com>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
+Cc: Pekka Enberg <penberg@kernel.org>
+Cc: Robin Murphy <robin.murphy@arm.com>
+Cc: Sasha Levin <Alexander.Levin@microsoft.com>
+Cc: Tomasz Figa <tfiga@google.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Yingjoe Chen <yingjoe.chen@mediatek.com>
+Cc: Yong Wu <yong.wu@mediatek.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/io-pgtable-arm-v7s.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/drivers/iommu/io-pgtable-arm-v7s.c
++++ b/drivers/iommu/io-pgtable-arm-v7s.c
+@@ -161,6 +161,14 @@
+
+ #define ARM_V7S_TCR_PD1 BIT(5)
+
++#ifdef CONFIG_ZONE_DMA32
++#define ARM_V7S_TABLE_GFP_DMA GFP_DMA32
++#define ARM_V7S_TABLE_SLAB_FLAGS SLAB_CACHE_DMA32
++#else
++#define ARM_V7S_TABLE_GFP_DMA GFP_DMA
++#define ARM_V7S_TABLE_SLAB_FLAGS SLAB_CACHE_DMA
++#endif
++
+ typedef u32 arm_v7s_iopte;
+
+ static bool selftest_running;
+@@ -198,13 +206,16 @@ static void *__arm_v7s_alloc_table(int l
+ void *table = NULL;
+
+ if (lvl == 1)
+- table = (void *)__get_dma_pages(__GFP_ZERO, get_order(size));
++ table = (void *)__get_free_pages(
++ __GFP_ZERO | ARM_V7S_TABLE_GFP_DMA, get_order(size));
+ else if (lvl == 2)
+- table = kmem_cache_zalloc(data->l2_tables, gfp | GFP_DMA);
++ table = kmem_cache_zalloc(data->l2_tables, gfp);
+ phys = virt_to_phys(table);
+- if (phys != (arm_v7s_iopte)phys)
++ if (phys != (arm_v7s_iopte)phys) {
+ /* Doesn't fit in PTE */
++ dev_err(dev, "Page table does not fit in PTE: %pa", &phys);
+ goto out_free;
++ }
+ if (table && !(cfg->quirks & IO_PGTABLE_QUIRK_NO_DMA)) {
+ dma = dma_map_single(dev, table, size, DMA_TO_DEVICE);
+ if (dma_mapping_error(dev, dma))
+@@ -733,7 +744,7 @@ static struct io_pgtable *arm_v7s_alloc_
+ data->l2_tables = kmem_cache_create("io-pgtable_armv7s_l2",
+ ARM_V7S_TABLE_SIZE(2),
+ ARM_V7S_TABLE_SIZE(2),
+- SLAB_CACHE_DMA, NULL);
++ ARM_V7S_TABLE_SLAB_FLAGS, NULL);
+ if (!data->l2_tables)
+ goto out_free_data;
+
--- /dev/null
+From 54a7151b1496cddbb7a83546b7998103e98edc88 Mon Sep 17 00:00:00 2001
+From: Fredrik Noring <noring@nocrew.org>
+Date: Wed, 27 Mar 2019 19:12:50 +0100
+Subject: kbuild: modversions: Fix relative CRC byte order interpretation
+
+From: Fredrik Noring <noring@nocrew.org>
+
+commit 54a7151b1496cddbb7a83546b7998103e98edc88 upstream.
+
+Fix commit 56067812d5b0 ("kbuild: modversions: add infrastructure for
+emitting relative CRCs") where CRCs are interpreted in host byte order
+rather than proper kernel byte order. The bug is conditional on
+CONFIG_MODULE_REL_CRCS.
+
+For example, when loading a BE module into a BE kernel compiled with a LE
+system, the error "disagrees about version of symbol module_layout" is
+produced. A message such as "Found checksum D7FA6856 vs module 5668FAD7"
+will be given with debug enabled, which indicates an obvious endian
+problem within __kcrctab within the kernel image.
+
+The general solution is to use the macro TO_NATIVE, as is done in
+similar cases throughout modpost.c. With this correction it has been
+verified that a BE kernel compiled with a LE system accepts BE modules.
+
+This change has also been verified with a LE kernel compiled with a LE
+system, in which case TO_NATIVE returns its value unmodified since the
+byte orders match. This is by far the common case.
+
+Fixes: 56067812d5b0 ("kbuild: modversions: add infrastructure for emitting relative CRCs")
+Signed-off-by: Fredrik Noring <noring@nocrew.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ scripts/mod/modpost.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -640,7 +640,7 @@ static void handle_modversions(struct mo
+ info->sechdrs[sym->st_shndx].sh_offset -
+ (info->hdr->e_type != ET_REL ?
+ info->sechdrs[sym->st_shndx].sh_addr : 0);
+- crc = *crcp;
++ crc = TO_NATIVE(*crcp);
+ }
+ sym_update_crc(symname + strlen("__crc_"), mod, crc,
+ export);
--- /dev/null
+From e6a9467ea14bae8691b0f72c500510c42ea8edb8 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Thu, 28 Mar 2019 20:43:38 -0700
+Subject: ocfs2: fix inode bh swapping mixup in ocfs2_reflink_inodes_lock
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+commit e6a9467ea14bae8691b0f72c500510c42ea8edb8 upstream.
+
+ocfs2_reflink_inodes_lock() can swap the inode1/inode2 variables so that
+we always grab cluster locks in order of increasing inode number.
+
+Unfortunately, we forget to swap the inode record buffer head pointers
+when we've done this, which leads to incorrect bookkeepping when we're
+trying to make the two inodes have the same refcount tree.
+
+This has the effect of causing filesystem shutdowns if you're trying to
+reflink data from inode 100 into inode 97, where inode 100 already has a
+refcount tree attached and inode 97 doesn't. The reflink code decides
+to copy the refcount tree pointer from 100 to 97, but uses inode 97's
+inode record to open the tree root (which it doesn't have) and blows up.
+This issue causes filesystem shutdowns and metadata corruption!
+
+Link: http://lkml.kernel.org/r/20190312214910.GK20533@magnolia
+Fixes: 29ac8e856cb369 ("ocfs2: implement the VFS clone_range, copy_range, and dedupe_range features")
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Joseph Qi <jiangqi903@gmail.com>
+Cc: Mark Fasheh <mfasheh@versity.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Joseph Qi <joseph.qi@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ocfs2/refcounttree.c | 42 ++++++++++++++++++++++++------------------
+ 1 file changed, 24 insertions(+), 18 deletions(-)
+
+--- a/fs/ocfs2/refcounttree.c
++++ b/fs/ocfs2/refcounttree.c
+@@ -4719,22 +4719,23 @@ out:
+
+ /* Lock an inode and grab a bh pointing to the inode. */
+ int ocfs2_reflink_inodes_lock(struct inode *s_inode,
+- struct buffer_head **bh1,
++ struct buffer_head **bh_s,
+ struct inode *t_inode,
+- struct buffer_head **bh2)
++ struct buffer_head **bh_t)
+ {
+- struct inode *inode1;
+- struct inode *inode2;
++ struct inode *inode1 = s_inode;
++ struct inode *inode2 = t_inode;
+ struct ocfs2_inode_info *oi1;
+ struct ocfs2_inode_info *oi2;
++ struct buffer_head *bh1 = NULL;
++ struct buffer_head *bh2 = NULL;
+ bool same_inode = (s_inode == t_inode);
++ bool need_swap = (inode1->i_ino > inode2->i_ino);
+ int status;
+
+ /* First grab the VFS and rw locks. */
+ lock_two_nondirectories(s_inode, t_inode);
+- inode1 = s_inode;
+- inode2 = t_inode;
+- if (inode1->i_ino > inode2->i_ino)
++ if (need_swap)
+ swap(inode1, inode2);
+
+ status = ocfs2_rw_lock(inode1, 1);
+@@ -4757,17 +4758,13 @@ int ocfs2_reflink_inodes_lock(struct ino
+ trace_ocfs2_double_lock((unsigned long long)oi1->ip_blkno,
+ (unsigned long long)oi2->ip_blkno);
+
+- if (*bh1)
+- *bh1 = NULL;
+- if (*bh2)
+- *bh2 = NULL;
+-
+ /* We always want to lock the one with the lower lockid first. */
+ if (oi1->ip_blkno > oi2->ip_blkno)
+ mlog_errno(-ENOLCK);
+
+ /* lock id1 */
+- status = ocfs2_inode_lock_nested(inode1, bh1, 1, OI_LS_REFLINK_TARGET);
++ status = ocfs2_inode_lock_nested(inode1, &bh1, 1,
++ OI_LS_REFLINK_TARGET);
+ if (status < 0) {
+ if (status != -ENOENT)
+ mlog_errno(status);
+@@ -4776,15 +4773,25 @@ int ocfs2_reflink_inodes_lock(struct ino
+
+ /* lock id2 */
+ if (!same_inode) {
+- status = ocfs2_inode_lock_nested(inode2, bh2, 1,
++ status = ocfs2_inode_lock_nested(inode2, &bh2, 1,
+ OI_LS_REFLINK_TARGET);
+ if (status < 0) {
+ if (status != -ENOENT)
+ mlog_errno(status);
+ goto out_cl1;
+ }
+- } else
+- *bh2 = *bh1;
++ } else {
++ bh2 = bh1;
++ }
++
++ /*
++ * If we swapped inode order above, we have to swap the buffer heads
++ * before passing them back to the caller.
++ */
++ if (need_swap)
++ swap(bh1, bh2);
++ *bh_s = bh1;
++ *bh_t = bh2;
+
+ trace_ocfs2_double_lock_end(
+ (unsigned long long)oi1->ip_blkno,
+@@ -4794,8 +4801,7 @@ int ocfs2_reflink_inodes_lock(struct ino
+
+ out_cl1:
+ ocfs2_inode_unlock(inode1, 1);
+- brelse(*bh1);
+- *bh1 = NULL;
++ brelse(bh1);
+ out_rw2:
+ ocfs2_rw_unlock(inode2, 1);
+ out_i2:
--- /dev/null
+From c14a57264399efd39514a2329c591a4b954246d8 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Mon, 25 Mar 2019 10:01:46 -0700
+Subject: scsi: sd: Fix a race between closing an sd device and sd I/O
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit c14a57264399efd39514a2329c591a4b954246d8 upstream.
+
+The scsi_end_request() function calls scsi_cmd_to_driver() indirectly and
+hence needs the disk->private_data pointer. Avoid that that pointer is
+cleared before all affected I/O requests have finished. This patch avoids
+that the following crash occurs:
+
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
+Call trace:
+ scsi_mq_uninit_cmd+0x1c/0x30
+ scsi_end_request+0x7c/0x1b8
+ scsi_io_completion+0x464/0x668
+ scsi_finish_command+0xbc/0x160
+ scsi_eh_flush_done_q+0x10c/0x170
+ sas_scsi_recover_host+0x84c/0xa98 [libsas]
+ scsi_error_handler+0x140/0x5b0
+ kthread+0x100/0x12c
+ ret_from_fork+0x10/0x18
+
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Ming Lei <ming.lei@redhat.com>
+Cc: Hannes Reinecke <hare@suse.com>
+Cc: Johannes Thumshirn <jthumshirn@suse.de>
+Cc: Jason Yan <yanaijie@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Reported-by: Jason Yan <yanaijie@huawei.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sd.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -1398,11 +1398,6 @@ static void sd_release(struct gendisk *d
+ scsi_set_medium_removal(sdev, SCSI_REMOVAL_ALLOW);
+ }
+
+- /*
+- * XXX and what if there are packets in flight and this close()
+- * XXX is followed by a "rmmod sd_mod"?
+- */
+-
+ scsi_disk_put(sdkp);
+ }
+
+@@ -3488,9 +3483,21 @@ static void scsi_disk_release(struct dev
+ {
+ struct scsi_disk *sdkp = to_scsi_disk(dev);
+ struct gendisk *disk = sdkp->disk;
+-
++ struct request_queue *q = disk->queue;
++
+ ida_free(&sd_index_ida, sdkp->index);
+
++ /*
++ * Wait until all requests that are in progress have completed.
++ * This is necessary to avoid that e.g. scsi_end_request() crashes
++ * due to clearing the disk->private_data pointer. Wait from inside
++ * scsi_disk_release() instead of from sd_release() to avoid that
++ * freezing and unfreezing the request queue affects user space I/O
++ * in case multiple processes open a /dev/sd... node concurrently.
++ */
++ blk_mq_freeze_queue(q);
++ blk_mq_unfreeze_queue(q);
++
+ disk->private_data = NULL;
+ put_disk(disk);
+ put_device(&sdkp->device->sdev_gendev);
--- /dev/null
+From 1d5de5bd311be7cd54f02f7cd164f0349a75c876 Mon Sep 17 00:00:00 2001
+From: "Martin K. Petersen" <martin.petersen@oracle.com>
+Date: Wed, 27 Mar 2019 12:11:52 -0400
+Subject: scsi: sd: Quiesce warning if device does not report optimal I/O size
+
+From: Martin K. Petersen <martin.petersen@oracle.com>
+
+commit 1d5de5bd311be7cd54f02f7cd164f0349a75c876 upstream.
+
+Commit a83da8a4509d ("scsi: sd: Optimal I/O size should be a multiple
+of physical block size") split one conditional into several separate
+statements in an effort to provide more accurate warning messages when
+a device reports a nonsensical value. However, this reorganization
+accidentally dropped the precondition of the reported value being
+larger than zero. This lead to a warning getting emitted on devices
+that do not report an optimal I/O size at all.
+
+Remain silent if a device does not report an optimal I/O size.
+
+Fixes: a83da8a4509d ("scsi: sd: Optimal I/O size should be a multiple of physical block size")
+Cc: Randy Dunlap <rdunlap@infradead.org>
+Cc: <stable@vger.kernel.org>
+Reported-by: Hussam Al-Tayeb <ht990332@gmx.com>
+Tested-by: Hussam Al-Tayeb <ht990332@gmx.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -3054,6 +3054,9 @@ static bool sd_validate_opt_xfer_size(st
+ unsigned int opt_xfer_bytes =
+ logical_to_bytes(sdp, sdkp->opt_xfer_blocks);
+
++ if (sdkp->opt_xfer_blocks == 0)
++ return false;
++
+ if (sdkp->opt_xfer_blocks > dev_max) {
+ sd_first_printk(KERN_WARNING, sdkp,
+ "Optimal transfer size %u logical blocks " \
--- /dev/null
+From fe67888fc007a76b81e37da23ce5bd8fb95890b0 Mon Sep 17 00:00:00 2001
+From: Steffen Maier <maier@linux.ibm.com>
+Date: Tue, 26 Mar 2019 14:36:58 +0100
+Subject: scsi: zfcp: fix rport unblock if deleted SCSI devices on Scsi_Host
+
+From: Steffen Maier <maier@linux.ibm.com>
+
+commit fe67888fc007a76b81e37da23ce5bd8fb95890b0 upstream.
+
+An already deleted SCSI device can exist on the Scsi_Host and remain there
+because something still holds a reference. A new SCSI device with the same
+H:C:T:L and FCP device, target port WWPN, and FCP LUN can be created. When
+we try to unblock an rport, we still find the deleted SCSI device and
+return early because the zfcp_scsi_dev of that SCSI device is not
+ZFCP_STATUS_COMMON_UNBLOCKED. Hence we miss to unblock the rport, even if
+the new proper SCSI device would be in good state.
+
+Therefore, skip deleted SCSI devices when iterating the sdevs of the shost.
+[cf. __scsi_device_lookup{_by_target}() or scsi_device_get()]
+
+The following abbreviated trace sequence can indicate such problem:
+
+Area : REC
+Tag : ersfs_3
+LUN : 0x4045400300000000
+WWPN : 0x50050763031bd327
+LUN status : 0x40000000 not ZFCP_STATUS_COMMON_UNBLOCKED
+Ready count : n not incremented yet
+Running count : 0x00000000
+ERP want : 0x01
+ERP need : 0xc1 ZFCP_ERP_ACTION_NONE
+
+Area : REC
+Tag : ersfs_3
+LUN : 0x4045400300000000
+WWPN : 0x50050763031bd327
+LUN status : 0x41000000
+Ready count : n+1
+Running count : 0x00000000
+ERP want : 0x01
+ERP need : 0x01
+
+...
+
+Area : REC
+Level : 4 only with increased trace level
+Tag : ertru_l
+LUN : 0x4045400300000000
+WWPN : 0x50050763031bd327
+LUN status : 0x40000000
+Request ID : 0x0000000000000000
+ERP status : 0x01800000
+ERP step : 0x1000
+ERP action : 0x01
+ERP count : 0x00
+
+NOT followed by a trace record with tag "scpaddy"
+for WWPN 0x50050763031bd327.
+
+Signed-off-by: Steffen Maier <maier@linux.ibm.com>
+Fixes: 6f2ce1c6af37 ("scsi: zfcp: fix rport unblock race with LUN recovery")
+Cc: <stable@vger.kernel.org> #2.6.32+
+Reviewed-by: Jens Remus <jremus@linux.ibm.com>
+Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/scsi/zfcp_erp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/s390/scsi/zfcp_erp.c
++++ b/drivers/s390/scsi/zfcp_erp.c
+@@ -1341,6 +1341,9 @@ static void zfcp_erp_try_rport_unblock(s
+ struct zfcp_scsi_dev *zsdev = sdev_to_zfcp(sdev);
+ int lun_status;
+
++ if (sdev->sdev_state == SDEV_DEL ||
++ sdev->sdev_state == SDEV_CANCEL)
++ continue;
+ if (zsdev->port != port)
+ continue;
+ /* LUN under port of interest */
--- /dev/null
+From 242ec1455151267fe35a0834aa9038e4c4670884 Mon Sep 17 00:00:00 2001
+From: Steffen Maier <maier@linux.ibm.com>
+Date: Tue, 26 Mar 2019 14:36:59 +0100
+Subject: scsi: zfcp: fix scsi_eh host reset with port_forced ERP for non-NPIV FCP devices
+
+From: Steffen Maier <maier@linux.ibm.com>
+
+commit 242ec1455151267fe35a0834aa9038e4c4670884 upstream.
+
+Suppose more than one non-NPIV FCP device is active on the same channel.
+Send I/O to storage and have some of the pending I/O run into a SCSI
+command timeout, e.g. due to bit errors on the fibre. Now the error
+situation stops. However, we saw FCP requests continue to timeout in the
+channel. The abort will be successful, but the subsequent TUR fails.
+Scsi_eh starts. The LUN reset fails. The target reset fails. The host
+reset only did an FCP device recovery. However, for non-NPIV FCP devices,
+this does not close and reopen ports on the SAN-side if other non-NPIV FCP
+device(s) share the same open ports.
+
+In order to resolve the continuing FCP request timeouts, we need to
+explicitly close and reopen ports on the SAN-side.
+
+This was missing since the beginning of zfcp in v2.6.0 history commit
+ea127f975424 ("[PATCH] s390 (7/7): zfcp host adapter.").
+
+Note: The FSF requests for forced port reopen could run into FSF request
+timeouts due to other reasons. This would trigger an internal FCP device
+recovery. Pending forced port reopen recoveries would get dismissed. So
+some ports might not get fully reopened during this host reset handler.
+However, subsequent I/O would trigger the above described escalation and
+eventually all ports would be forced reopen to resolve any continuing FCP
+request timeouts due to earlier bit errors.
+
+Signed-off-by: Steffen Maier <maier@linux.ibm.com>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: <stable@vger.kernel.org> #3.0+
+Reviewed-by: Jens Remus <jremus@linux.ibm.com>
+Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/scsi/zfcp_erp.c | 14 ++++++++++++++
+ drivers/s390/scsi/zfcp_ext.h | 2 ++
+ drivers/s390/scsi/zfcp_scsi.c | 4 ++++
+ 3 files changed, 20 insertions(+)
+
+--- a/drivers/s390/scsi/zfcp_erp.c
++++ b/drivers/s390/scsi/zfcp_erp.c
+@@ -624,6 +624,20 @@ static void zfcp_erp_strategy_memwait(st
+ add_timer(&erp_action->timer);
+ }
+
++void zfcp_erp_port_forced_reopen_all(struct zfcp_adapter *adapter,
++ int clear, char *dbftag)
++{
++ unsigned long flags;
++ struct zfcp_port *port;
++
++ write_lock_irqsave(&adapter->erp_lock, flags);
++ read_lock(&adapter->port_list_lock);
++ list_for_each_entry(port, &adapter->port_list, list)
++ _zfcp_erp_port_forced_reopen(port, clear, dbftag);
++ read_unlock(&adapter->port_list_lock);
++ write_unlock_irqrestore(&adapter->erp_lock, flags);
++}
++
+ static void _zfcp_erp_port_reopen_all(struct zfcp_adapter *adapter,
+ int clear, char *dbftag)
+ {
+--- a/drivers/s390/scsi/zfcp_ext.h
++++ b/drivers/s390/scsi/zfcp_ext.h
+@@ -70,6 +70,8 @@ extern void zfcp_erp_port_reopen(struct
+ char *dbftag);
+ extern void zfcp_erp_port_shutdown(struct zfcp_port *, int, char *);
+ extern void zfcp_erp_port_forced_reopen(struct zfcp_port *, int, char *);
++extern void zfcp_erp_port_forced_reopen_all(struct zfcp_adapter *adapter,
++ int clear, char *dbftag);
+ extern void zfcp_erp_set_lun_status(struct scsi_device *, u32);
+ extern void zfcp_erp_clear_lun_status(struct scsi_device *, u32);
+ extern void zfcp_erp_lun_reopen(struct scsi_device *, int, char *);
+--- a/drivers/s390/scsi/zfcp_scsi.c
++++ b/drivers/s390/scsi/zfcp_scsi.c
+@@ -368,6 +368,10 @@ static int zfcp_scsi_eh_host_reset_handl
+ struct zfcp_adapter *adapter = zfcp_sdev->port->adapter;
+ int ret = SUCCESS, fc_ret;
+
++ if (!(adapter->connection_features & FSF_FEATURE_NPIV_MODE)) {
++ zfcp_erp_port_forced_reopen_all(adapter, 0, "schrh_p");
++ zfcp_erp_wait(adapter);
++ }
+ zfcp_erp_adapter_reopen(adapter, 0, "schrh_1");
+ zfcp_erp_wait(adapter);
+ fc_ret = fc_block_scsi_eh(scpnt);
alsa-hda-realtek-enable-headset-mic-of-asus-p5440ff-with-alc256.patch
alsa-hda-realtek-enable-headset-mic-of-asus-x430un-and-x512dk-with-alc256.patch
alsa-hda-realtek-fix-speakers-on-acer-predator-helios-500-ryzen-laptops.patch
+kbuild-modversions-fix-relative-crc-byte-order-interpretation.patch
+fs-open.c-allow-opening-only-regular-files-during-execve.patch
+ocfs2-fix-inode-bh-swapping-mixup-in-ocfs2_reflink_inodes_lock.patch
+iommu-io-pgtable-arm-v7s-request-dma32-memory-and-improve-debugging.patch
+scsi-sd-fix-a-race-between-closing-an-sd-device-and-sd-i-o.patch
+scsi-sd-quiesce-warning-if-device-does-not-report-optimal-i-o-size.patch
+scsi-zfcp-fix-rport-unblock-if-deleted-scsi-devices-on-scsi_host.patch
+scsi-zfcp-fix-scsi_eh-host-reset-with-port_forced-erp-for-non-npiv-fcp-devices.patch
+drm-rockchip-vop-reset-scale-mode-when-win-is-disabled.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
