--- /dev/null
+From 91740fc8242b4f260cfa4d4536d8551804777fae Mon Sep 17 00:00:00 2001
+From: Kohji Okuno <okuno.kohji@jp.panasonic.com>
+Date: Tue, 26 Feb 2019 11:34:13 +0900
+Subject: ARM: imx6q: cpuidle: fix bug that CPU might not wake up at expected time
+
+From: Kohji Okuno <okuno.kohji@jp.panasonic.com>
+
+commit 91740fc8242b4f260cfa4d4536d8551804777fae upstream.
+
+In the current cpuidle implementation for i.MX6q, the CPU that sets
+'WAIT_UNCLOCKED' and the CPU that returns to 'WAIT_CLOCKED' are always
+the same. While the CPU that sets 'WAIT_UNCLOCKED' is in IDLE state of
+"WAIT", if the other CPU wakes up and enters IDLE state of "WFI"
+istead of "WAIT", this CPU can not wake up at expired time.
+ Because, in the case of "WFI", the CPU must be waked up by the local
+timer interrupt. But, while 'WAIT_UNCLOCKED' is set, the local timer
+is stopped, when all CPUs execute "wfi" instruction. As a result, the
+local timer interrupt is not fired.
+ In this situation, this CPU will wake up by IRQ different from local
+timer. (e.g. broacast timer)
+
+So, this fix changes CPU to return to 'WAIT_CLOCKED'.
+
+Signed-off-by: Kohji Okuno <okuno.kohji@jp.panasonic.com>
+Fixes: e5f9dec8ff5f ("ARM: imx6q: support WAIT mode using cpuidle")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-imx/cpuidle-imx6q.c | 27 ++++++++++-----------------
+ 1 file changed, 10 insertions(+), 17 deletions(-)
+
+--- a/arch/arm/mach-imx/cpuidle-imx6q.c
++++ b/arch/arm/mach-imx/cpuidle-imx6q.c
+@@ -16,30 +16,23 @@
+ #include "cpuidle.h"
+ #include "hardware.h"
+
+-static atomic_t master = ATOMIC_INIT(0);
+-static DEFINE_SPINLOCK(master_lock);
++static int num_idle_cpus = 0;
++static DEFINE_SPINLOCK(cpuidle_lock);
+
+ static int imx6q_enter_wait(struct cpuidle_device *dev,
+ struct cpuidle_driver *drv, int index)
+ {
+- if (atomic_inc_return(&master) == num_online_cpus()) {
+- /*
+- * With this lock, we prevent other cpu to exit and enter
+- * this function again and become the master.
+- */
+- if (!spin_trylock(&master_lock))
+- goto idle;
++ spin_lock(&cpuidle_lock);
++ if (++num_idle_cpus == num_online_cpus())
+ imx6_set_lpm(WAIT_UNCLOCKED);
+- cpu_do_idle();
+- imx6_set_lpm(WAIT_CLOCKED);
+- spin_unlock(&master_lock);
+- goto done;
+- }
++ spin_unlock(&cpuidle_lock);
+
+-idle:
+ cpu_do_idle();
+-done:
+- atomic_dec(&master);
++
++ spin_lock(&cpuidle_lock);
++ if (num_idle_cpus-- == num_online_cpus())
++ imx6_set_lpm(WAIT_CLOCKED);
++ spin_unlock(&cpuidle_lock);
+
+ return index;
+ }
--- /dev/null
+From 139a56170de67101791d6e6c8e940c6328393fe9 Mon Sep 17 00:00:00 2001
+From: Nikolay Borisov <nborisov@suse.com>
+Date: Mon, 18 Mar 2019 17:45:20 +0200
+Subject: btrfs: Avoid possible qgroup_rsv_size overflow in btrfs_calculate_inode_block_rsv_size
+
+From: Nikolay Borisov <nborisov@suse.com>
+
+commit 139a56170de67101791d6e6c8e940c6328393fe9 upstream.
+
+qgroup_rsv_size is calculated as the product of
+outstanding_extent * fs_info->nodesize. The product is calculated with
+32 bit precision since both variables are defined as u32. Yet
+qgroup_rsv_size expects a 64 bit result.
+
+Avoid possible multiplication overflow by casting outstanding_extent to
+u64. Such overflow would in the worst case (64K nodesize) require more
+than 65536 extents, which is quite large and i'ts not likely that it
+would happen in practice.
+
+Fixes-coverity-id: 1435101
+Fixes: ff6bc37eb7f6 ("btrfs: qgroup: Use independent and accurate per inode qgroup rsv")
+CC: stable@vger.kernel.org # 4.19+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Nikolay Borisov <nborisov@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/extent-tree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -5872,7 +5872,7 @@ static void btrfs_calculate_inode_block_
+ *
+ * This is overestimating in most cases.
+ */
+- qgroup_rsv_size = outstanding_extents * fs_info->nodesize;
++ qgroup_rsv_size = (u64)outstanding_extents * fs_info->nodesize;
+
+ spin_lock(&block_rsv->lock);
+ block_rsv->size = reserve_size;
--- /dev/null
+From 0cc068e6ee59c1fffbfa977d8bf868b7551d80ac Mon Sep 17 00:00:00 2001
+From: David Sterba <dsterba@suse.com>
+Date: Thu, 7 Mar 2019 15:40:50 +0100
+Subject: btrfs: don't report readahead errors and don't update statistics
+
+From: David Sterba <dsterba@suse.com>
+
+commit 0cc068e6ee59c1fffbfa977d8bf868b7551d80ac upstream.
+
+As readahead is an optimization, all errors are usually filtered out,
+but still properly handled when the real read call is done. The commit
+5e9d398240b2 ("btrfs: readpages() should submit IO as read-ahead") added
+REQ_RAHEAD to readpages() because that's only used for readahead
+(despite what one would expect from the callback name).
+
+This causes a flood of messages and inflated read error stats, so skip
+reporting in case it's readahead.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=202403
+Reported-by: LimeTech <tomm@lime-technology.com>
+Fixes: 5e9d398240b2 ("btrfs: readpages() should submit IO as read-ahead")
+CC: stable@vger.kernel.org # 4.19+
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/volumes.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -6051,7 +6051,7 @@ static void btrfs_end_bio(struct bio *bi
+ if (bio_op(bio) == REQ_OP_WRITE)
+ btrfs_dev_stat_inc_and_print(dev,
+ BTRFS_DEV_STAT_WRITE_ERRS);
+- else
++ else if (!(bio->bi_opf & REQ_RAHEAD))
+ btrfs_dev_stat_inc_and_print(dev,
+ BTRFS_DEV_STAT_READ_ERRS);
+ if (bio->bi_opf & REQ_PREFLUSH)
--- /dev/null
+From 0ccc3876e4b2a1559a4dbe3126dda4459d38a83b Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Tue, 19 Mar 2019 17:18:13 +0000
+Subject: Btrfs: fix assertion failure on fsync with NO_HOLES enabled
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 0ccc3876e4b2a1559a4dbe3126dda4459d38a83b upstream.
+
+Back in commit a89ca6f24ffe4 ("Btrfs: fix fsync after truncate when
+no_holes feature is enabled") I added an assertion that is triggered when
+an inline extent is found to assert that the length of the (uncompressed)
+data the extent represents is the same as the i_size of the inode, since
+that is true most of the time I couldn't find or didn't remembered about
+any exception at that time. Later on the assertion was expanded twice to
+deal with a case of a compressed inline extent representing a range that
+matches the sector size followed by an expanding truncate, and another
+case where fallocate can update the i_size of the inode without adding
+or updating existing extents (if the fallocate range falls entirely within
+the first block of the file). These two expansion/fixes of the assertion
+were done by commit 7ed586d0a8241 ("Btrfs: fix assertion on fsync of
+regular file when using no-holes feature") and commit 6399fb5a0b69a
+("Btrfs: fix assertion failure during fsync in no-holes mode").
+These however missed the case where an falloc expands the i_size of an
+inode to exactly the sector size and inline extent exists, for example:
+
+ $ mkfs.btrfs -f -O no-holes /dev/sdc
+ $ mount /dev/sdc /mnt
+
+ $ xfs_io -f -c "pwrite -S 0xab 0 1096" /mnt/foobar
+ wrote 1096/1096 bytes at offset 0
+ 1 KiB, 1 ops; 0.0002 sec (4.448 MiB/sec and 4255.3191 ops/sec)
+
+ $ xfs_io -c "falloc 1096 3000" /mnt/foobar
+ $ xfs_io -c "fsync" /mnt/foobar
+ Segmentation fault
+
+ $ dmesg
+ [701253.602385] assertion failed: len == i_size || (len == fs_info->sectorsize && btrfs_file_extent_compression(leaf, extent) != BTRFS_COMPRESS_NONE) || (len < i_size && i_size < fs_info->sectorsize), file: fs/btrfs/tree-log.c, line: 4727
+ [701253.602962] ------------[ cut here ]------------
+ [701253.603224] kernel BUG at fs/btrfs/ctree.h:3533!
+ [701253.603503] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC PTI
+ [701253.603774] CPU: 2 PID: 7192 Comm: xfs_io Tainted: G W 5.0.0-rc8-btrfs-next-45 #1
+ [701253.604054] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.2-0-gf9626ccb91-prebuilt.qemu-project.org 04/01/2014
+ [701253.604650] RIP: 0010:assfail.constprop.23+0x18/0x1a [btrfs]
+ (...)
+ [701253.605591] RSP: 0018:ffffbb48c186bc48 EFLAGS: 00010286
+ [701253.605914] RAX: 00000000000000de RBX: ffff921d0a7afc08 RCX: 0000000000000000
+ [701253.606244] RDX: 0000000000000000 RSI: ffff921d36b16868 RDI: ffff921d36b16868
+ [701253.606580] RBP: ffffbb48c186bcf0 R08: 0000000000000000 R09: 0000000000000000
+ [701253.606913] R10: 0000000000000003 R11: 0000000000000000 R12: ffff921d05d2de18
+ [701253.607247] R13: ffff921d03b54000 R14: 0000000000000448 R15: ffff921d059ecf80
+ [701253.607769] FS: 00007f14da906700(0000) GS:ffff921d36b00000(0000) knlGS:0000000000000000
+ [701253.608163] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [701253.608516] CR2: 000056087ea9f278 CR3: 00000002268e8001 CR4: 00000000003606e0
+ [701253.608880] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ [701253.609250] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ [701253.609608] Call Trace:
+ [701253.609994] btrfs_log_inode+0xdfb/0xe40 [btrfs]
+ [701253.610383] btrfs_log_inode_parent+0x2be/0xa60 [btrfs]
+ [701253.610770] ? do_raw_spin_unlock+0x49/0xc0
+ [701253.611150] btrfs_log_dentry_safe+0x4a/0x70 [btrfs]
+ [701253.611537] btrfs_sync_file+0x3b2/0x440 [btrfs]
+ [701253.612010] ? do_sysinfo+0xb0/0xf0
+ [701253.612552] do_fsync+0x38/0x60
+ [701253.612988] __x64_sys_fsync+0x10/0x20
+ [701253.613360] do_syscall_64+0x60/0x1b0
+ [701253.613733] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ [701253.614103] RIP: 0033:0x7f14da4e66d0
+ (...)
+ [701253.615250] RSP: 002b:00007fffa670fdb8 EFLAGS: 00000246 ORIG_RAX: 000000000000004a
+ [701253.615647] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f14da4e66d0
+ [701253.616047] RDX: 000056087ea9c260 RSI: 000056087ea9c260 RDI: 0000000000000003
+ [701253.616450] RBP: 0000000000000001 R08: 0000000000000020 R09: 0000000000000010
+ [701253.616854] R10: 000000000000009b R11: 0000000000000246 R12: 000056087ea9c260
+ [701253.617257] R13: 000056087ea9c240 R14: 0000000000000000 R15: 000056087ea9dd10
+ (...)
+ [701253.619941] ---[ end trace e088d74f132b6da5 ]---
+
+Updating the assertion again to allow for this particular case would result
+in a meaningless assertion, plus there is currently no risk of logging
+content that would result in any corruption after a log replay if the size
+of the data encoded in an inline extent is greater than the inode's i_size
+(which is not currently possibe either with or without compression),
+therefore just remove the assertion.
+
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/tree-log.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -4685,15 +4685,8 @@ static int btrfs_log_trailing_hole(struc
+ struct btrfs_file_extent_item);
+
+ if (btrfs_file_extent_type(leaf, extent) ==
+- BTRFS_FILE_EXTENT_INLINE) {
+- len = btrfs_file_extent_ram_bytes(leaf, extent);
+- ASSERT(len == i_size ||
+- (len == fs_info->sectorsize &&
+- btrfs_file_extent_compression(leaf, extent) !=
+- BTRFS_COMPRESS_NONE) ||
+- (len < i_size && i_size < fs_info->sectorsize));
++ BTRFS_FILE_EXTENT_INLINE)
+ return 0;
+- }
+
+ len = btrfs_file_extent_num_bytes(leaf, extent);
+ /* Last extent goes beyond i_size, no need to log a hole. */
--- /dev/null
+From bf504110bc8aa05df48b0e5f0aa84bfb81e0574b Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Mon, 4 Mar 2019 14:06:12 +0000
+Subject: Btrfs: fix incorrect file size after shrinking truncate and fsync
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit bf504110bc8aa05df48b0e5f0aa84bfb81e0574b upstream.
+
+If we do a shrinking truncate against an inode which is already present
+in the respective log tree and then rename it, as part of logging the new
+name we end up logging an inode item that reflects the old size of the
+file (the one which we previously logged) and not the new smaller size.
+The decision to preserve the size previously logged was added by commit
+1a4bcf470c886b ("Btrfs: fix fsync data loss after adding hard link to
+inode") in order to avoid data loss after replaying the log. However that
+decision is only needed for the case the logged inode size is smaller then
+the current size of the inode, as explained in that commit's change log.
+If the current size of the inode is smaller then the previously logged
+size, we know a shrinking truncate happened and therefore need to use
+that smaller size.
+
+Example to trigger the problem:
+
+ $ mkfs.btrfs -f /dev/sdb
+ $ mount /dev/sdb /mnt
+
+ $ xfs_io -f -c "pwrite -S 0xab 0 8000" /mnt/foo
+ $ xfs_io -c "fsync" /mnt/foo
+ $ xfs_io -c "truncate 3000" /mnt/foo
+
+ $ mv /mnt/foo /mnt/bar
+ $ xfs_io -c "fsync" /mnt/bar
+
+ <power failure>
+
+ $ mount /dev/sdb /mnt
+ $ od -t x1 -A d /mnt/bar
+ 0000000 ab ab ab ab ab ab ab ab ab ab ab ab ab ab ab ab
+ *
+ 0008000
+
+Once we rename the file, we log its name (and inode item), and because
+the inode was already logged before in the current transaction, we log it
+with a size of 8000 bytes because that is the size we previously logged
+(with the first fsync). As part of the rename, besides logging the inode,
+we do also sync the log, which is done since commit d4682ba03ef618
+("Btrfs: sync log after logging new name"), so the next fsync against our
+inode is effectively a no-op, since no new changes happened since the
+rename operation. Even if did not sync the log during the rename
+operation, the same problem (fize size of 8000 bytes instead of 3000
+bytes) would be visible after replaying the log if the log ended up
+getting synced to disk through some other means, such as for example by
+fsyncing some other modified file. In the example above the fsync after
+the rename operation is there just because not every filesystem may
+guarantee logging/journalling the inode (and syncing the log/journal)
+during the rename operation, for example it is needed for f2fs, but not
+for ext4 and xfs.
+
+Fix this scenario by, when logging a new name (which is triggered by
+rename and link operations), using the current size of the inode instead
+of the previously logged inode size.
+
+A test case for fstests follows soon.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=202695
+CC: stable@vger.kernel.org # 4.4+
+Reported-by: Seulbae Kim <seulbae@gatech.edu>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/tree-log.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -4504,6 +4504,19 @@ static int logged_inode_size(struct btrf
+ item = btrfs_item_ptr(path->nodes[0], path->slots[0],
+ struct btrfs_inode_item);
+ *size_ret = btrfs_inode_size(path->nodes[0], item);
++ /*
++ * If the in-memory inode's i_size is smaller then the inode
++ * size stored in the btree, return the inode's i_size, so
++ * that we get a correct inode size after replaying the log
++ * when before a power failure we had a shrinking truncate
++ * followed by addition of a new name (rename / new hard link).
++ * Otherwise return the inode size from the btree, to avoid
++ * data loss when replaying a log due to previously doing a
++ * write that expands the inode's size and logging a new name
++ * immediately after.
++ */
++ if (*size_ret > inode->vfs_inode.i_size)
++ *size_ret = inode->vfs_inode.i_size;
+ }
+
+ btrfs_release_path(path);
--- /dev/null
+From 3897b6f0a859288c22fb793fad11ec2327e60fcd Mon Sep 17 00:00:00 2001
+From: Andrea Righi <andrea.righi@canonical.com>
+Date: Thu, 14 Mar 2019 08:56:28 +0100
+Subject: btrfs: raid56: properly unmap parity page in finish_parity_scrub()
+
+From: Andrea Righi <andrea.righi@canonical.com>
+
+commit 3897b6f0a859288c22fb793fad11ec2327e60fcd upstream.
+
+Parity page is incorrectly unmapped in finish_parity_scrub(), triggering
+a reference counter bug on i386, i.e.:
+
+ [ 157.662401] kernel BUG at mm/highmem.c:349!
+ [ 157.666725] invalid opcode: 0000 [#1] SMP PTI
+
+The reason is that kunmap(p_page) was completely left out, so we never
+did an unmap for the p_page and the loop unmapping the rbio page was
+iterating over the wrong number of stripes: unmapping should be done
+with nr_data instead of rbio->real_stripes.
+
+Test case to reproduce the bug:
+
+ - create a raid5 btrfs filesystem:
+ # mkfs.btrfs -m raid5 -d raid5 /dev/sdb /dev/sdc /dev/sdd /dev/sde
+
+ - mount it:
+ # mount /dev/sdb /mnt
+
+ - run btrfs scrub in a loop:
+ # while :; do btrfs scrub start -BR /mnt; done
+
+BugLink: https://bugs.launchpad.net/bugs/1812845
+Fixes: 5a6ac9eacb49 ("Btrfs, raid56: support parity scrub on raid56")
+CC: stable@vger.kernel.org # 4.4+
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/raid56.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/raid56.c
++++ b/fs/btrfs/raid56.c
+@@ -2429,8 +2429,9 @@ static noinline void finish_parity_scrub
+ bitmap_clear(rbio->dbitmap, pagenr, 1);
+ kunmap(p);
+
+- for (stripe = 0; stripe < rbio->real_stripes; stripe++)
++ for (stripe = 0; stripe < nr_data; stripe++)
+ kunmap(page_in_rbio(rbio, stripe, pagenr, 0));
++ kunmap(p_page);
+ }
+
+ __free_page(p_page);
--- /dev/null
+From 2cc8334270e281815c3850c3adea363c51f21e0d Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Wed, 6 Mar 2019 17:13:04 -0500
+Subject: btrfs: remove WARN_ON in log_dir_items
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+commit 2cc8334270e281815c3850c3adea363c51f21e0d upstream.
+
+When Filipe added the recursive directory logging stuff in
+2f2ff0ee5e430 ("Btrfs: fix metadata inconsistencies after directory
+fsync") he specifically didn't take the directory i_mutex for the
+children directories that we need to log because of lockdep. This is
+generally fine, but can lead to this WARN_ON() tripping if we happen to
+run delayed deletion's in between our first search and our second search
+of dir_item/dir_indexes for this directory. We expect this to happen,
+so the WARN_ON() isn't necessary. Drop the WARN_ON() and add a comment
+so we know why this case can happen.
+
+CC: stable@vger.kernel.org # 4.4+
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/tree-log.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -3532,9 +3532,16 @@ static noinline int log_dir_items(struct
+ }
+ btrfs_release_path(path);
+
+- /* find the first key from this transaction again */
++ /*
++ * Find the first key from this transaction again. See the note for
++ * log_new_dir_dentries, if we're logging a directory recursively we
++ * won't be holding its i_mutex, which means we can modify the directory
++ * while we're logging it. If we remove an entry between our first
++ * search and this search we'll not find the key again and can just
++ * bail.
++ */
+ ret = btrfs_search_slot(NULL, root, &min_key, path, 0, 0);
+- if (WARN_ON(ret != 0))
++ if (ret != 0)
+ goto done;
+
+ /*
--- /dev/null
+From 1eec7151ae0e134bd42e3f128066b2ff8da21393 Mon Sep 17 00:00:00 2001
+From: Christian Lamparter <chunkeey@gmail.com>
+Date: Fri, 22 Mar 2019 01:05:02 +0100
+Subject: net: dsa: qca8k: remove leftover phy accessors
+
+From: Christian Lamparter <chunkeey@gmail.com>
+
+commit 1eec7151ae0e134bd42e3f128066b2ff8da21393 upstream.
+
+This belated patch implements Andrew Lunn's request of
+"remove the phy_read() and phy_write() functions."
+<https://lore.kernel.org/patchwork/comment/902734/>
+
+While seemingly harmless, this causes the switch's user
+port PHYs to get registered twice. This is because the
+DSA subsystem will create a slave mdio-bus not knowing
+that the qca8k_phy_(read|write) accessors operate on
+the external mdio-bus. So the same "bus" gets effectively
+duplicated.
+
+Cc: stable@vger.kernel.org
+Fixes: 6b93fb46480a ("net-next: dsa: add new driver for qca8xxx family")
+Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/dsa/qca8k.c | 18 ------------------
+ 1 file changed, 18 deletions(-)
+
+--- a/drivers/net/dsa/qca8k.c
++++ b/drivers/net/dsa/qca8k.c
+@@ -620,22 +620,6 @@ qca8k_adjust_link(struct dsa_switch *ds,
+ qca8k_port_set_status(priv, port, 1);
+ }
+
+-static int
+-qca8k_phy_read(struct dsa_switch *ds, int phy, int regnum)
+-{
+- struct qca8k_priv *priv = (struct qca8k_priv *)ds->priv;
+-
+- return mdiobus_read(priv->bus, phy, regnum);
+-}
+-
+-static int
+-qca8k_phy_write(struct dsa_switch *ds, int phy, int regnum, u16 val)
+-{
+- struct qca8k_priv *priv = (struct qca8k_priv *)ds->priv;
+-
+- return mdiobus_write(priv->bus, phy, regnum, val);
+-}
+-
+ static void
+ qca8k_get_strings(struct dsa_switch *ds, int port, u32 stringset, uint8_t *data)
+ {
+@@ -876,8 +860,6 @@ static const struct dsa_switch_ops qca8k
+ .setup = qca8k_setup,
+ .adjust_link = qca8k_adjust_link,
+ .get_strings = qca8k_get_strings,
+- .phy_read = qca8k_phy_read,
+- .phy_write = qca8k_phy_write,
+ .get_ethtool_stats = qca8k_get_ethtool_stats,
+ .get_sset_count = qca8k_get_sset_count,
+ .get_mac_eee = qca8k_get_mac_eee,
--- /dev/null
+From 4a9be28c45bf02fa0436808bb6c0baeba30e120e Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.com>
+Date: Tue, 19 Mar 2019 11:33:24 +1100
+Subject: NFS: fix mount/umount race in nlmclnt.
+
+From: NeilBrown <neilb@suse.com>
+
+commit 4a9be28c45bf02fa0436808bb6c0baeba30e120e upstream.
+
+If the last NFSv3 unmount from a given host races with a mount from the
+same host, we can destroy an nlm_host that is still in use.
+
+Specifically nlmclnt_lookup_host() can increment h_count on
+an nlm_host that nlmclnt_release_host() has just successfully called
+refcount_dec_and_test() on.
+Once nlmclnt_lookup_host() drops the mutex, nlm_destroy_host_lock()
+will be called to destroy the nlmclnt which is now in use again.
+
+The cause of the problem is that the dec_and_test happens outside the
+locked region. This is easily fixed by using
+refcount_dec_and_mutex_lock().
+
+Fixes: 8ea6ecc8b075 ("lockd: Create client-side nlm_host cache")
+Cc: stable@vger.kernel.org (v2.6.38+)
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/lockd/host.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/lockd/host.c
++++ b/fs/lockd/host.c
+@@ -290,12 +290,11 @@ void nlmclnt_release_host(struct nlm_hos
+
+ WARN_ON_ONCE(host->h_server);
+
+- if (refcount_dec_and_test(&host->h_count)) {
++ if (refcount_dec_and_mutex_lock(&host->h_count, &nlm_host_mutex)) {
+ WARN_ON_ONCE(!list_empty(&host->h_lockowners));
+ WARN_ON_ONCE(!list_empty(&host->h_granted));
+ WARN_ON_ONCE(!list_empty(&host->h_reclaim));
+
+- mutex_lock(&nlm_host_mutex);
+ nlm_destroy_host_locked(host);
+ mutex_unlock(&nlm_host_mutex);
+ }
--- /dev/null
+From 0cb98abb5bd13b9a636bde603d952d722688b428 Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia <kolga@netapp.com>
+Date: Tue, 19 Mar 2019 12:12:13 -0400
+Subject: NFSv4.1 don't free interrupted slot on open
+
+From: Olga Kornievskaia <kolga@netapp.com>
+
+commit 0cb98abb5bd13b9a636bde603d952d722688b428 upstream.
+
+Allow the async rpc task for finish and update the open state if needed,
+then free the slot. Otherwise, the async rpc unable to decode the reply.
+
+Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
+Fixes: ae55e59da0e4 ("pnfs: Don't release the sequence slot...")
+Cc: stable@vger.kernel.org # v4.18+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4proc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -2909,7 +2909,8 @@ static int _nfs4_open_and_get_state(stru
+ }
+
+ out:
+- nfs4_sequence_free_slot(&opendata->o_res.seq_res);
++ if (!opendata->cancelled)
++ nfs4_sequence_free_slot(&opendata->o_res.seq_res);
+ return ret;
+ }
+
--- /dev/null
+From 86be36f6502c52ddb4b85938145324fd07332da1 Mon Sep 17 00:00:00 2001
+From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
+Date: Fri, 15 Mar 2019 20:21:19 +0530
+Subject: powerpc: bpf: Fix generation of load/store DW instructions
+
+From: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+
+commit 86be36f6502c52ddb4b85938145324fd07332da1 upstream.
+
+Yauheni Kaliuta pointed out that PTR_TO_STACK store/load verifier test
+was failing on powerpc64 BE, and rightfully indicated that the PPC_LD()
+macro is not masking away the last two bits of the offset per the ISA,
+resulting in the generation of 'lwa' instruction instead of the intended
+'ld' instruction.
+
+Segher also pointed out that we can't simply mask away the last two bits
+as that will result in loading/storing from/to a memory location that
+was not intended.
+
+This patch addresses this by using ldx/stdx if the offset is not
+word-aligned. We load the offset into a temporary register (TMP_REG_2)
+and use that as the index register in a subsequent ldx/stdx. We fix
+PPC_LD() macro to mask off the last two bits, but enhance PPC_BPF_LL()
+and PPC_BPF_STL() to factor in the offset value and generate the proper
+instruction sequence. We also convert all existing users of PPC_LD() and
+PPC_STD() to use these macros. All existing uses of these macros have
+been audited to ensure that TMP_REG_2 can be clobbered.
+
+Fixes: 156d0e290e96 ("powerpc/ebpf/jit: Implement JIT compiler for extended BPF")
+Cc: stable@vger.kernel.org # v4.9+
+
+Reported-by: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
+Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/ppc-opcode.h | 2 ++
+ arch/powerpc/net/bpf_jit.h | 17 +++++------------
+ arch/powerpc/net/bpf_jit32.h | 4 ++++
+ arch/powerpc/net/bpf_jit64.h | 20 ++++++++++++++++++++
+ arch/powerpc/net/bpf_jit_comp64.c | 12 ++++++------
+ 5 files changed, 37 insertions(+), 18 deletions(-)
+
+--- a/arch/powerpc/include/asm/ppc-opcode.h
++++ b/arch/powerpc/include/asm/ppc-opcode.h
+@@ -300,6 +300,7 @@
+ /* Misc instructions for BPF compiler */
+ #define PPC_INST_LBZ 0x88000000
+ #define PPC_INST_LD 0xe8000000
++#define PPC_INST_LDX 0x7c00002a
+ #define PPC_INST_LHZ 0xa0000000
+ #define PPC_INST_LWZ 0x80000000
+ #define PPC_INST_LHBRX 0x7c00062c
+@@ -307,6 +308,7 @@
+ #define PPC_INST_STB 0x98000000
+ #define PPC_INST_STH 0xb0000000
+ #define PPC_INST_STD 0xf8000000
++#define PPC_INST_STDX 0x7c00012a
+ #define PPC_INST_STDU 0xf8000001
+ #define PPC_INST_STW 0x90000000
+ #define PPC_INST_STWU 0x94000000
+--- a/arch/powerpc/net/bpf_jit.h
++++ b/arch/powerpc/net/bpf_jit.h
+@@ -51,6 +51,8 @@
+ #define PPC_LIS(r, i) PPC_ADDIS(r, 0, i)
+ #define PPC_STD(r, base, i) EMIT(PPC_INST_STD | ___PPC_RS(r) | \
+ ___PPC_RA(base) | ((i) & 0xfffc))
++#define PPC_STDX(r, base, b) EMIT(PPC_INST_STDX | ___PPC_RS(r) | \
++ ___PPC_RA(base) | ___PPC_RB(b))
+ #define PPC_STDU(r, base, i) EMIT(PPC_INST_STDU | ___PPC_RS(r) | \
+ ___PPC_RA(base) | ((i) & 0xfffc))
+ #define PPC_STW(r, base, i) EMIT(PPC_INST_STW | ___PPC_RS(r) | \
+@@ -65,7 +67,9 @@
+ #define PPC_LBZ(r, base, i) EMIT(PPC_INST_LBZ | ___PPC_RT(r) | \
+ ___PPC_RA(base) | IMM_L(i))
+ #define PPC_LD(r, base, i) EMIT(PPC_INST_LD | ___PPC_RT(r) | \
+- ___PPC_RA(base) | IMM_L(i))
++ ___PPC_RA(base) | ((i) & 0xfffc))
++#define PPC_LDX(r, base, b) EMIT(PPC_INST_LDX | ___PPC_RT(r) | \
++ ___PPC_RA(base) | ___PPC_RB(b))
+ #define PPC_LWZ(r, base, i) EMIT(PPC_INST_LWZ | ___PPC_RT(r) | \
+ ___PPC_RA(base) | IMM_L(i))
+ #define PPC_LHZ(r, base, i) EMIT(PPC_INST_LHZ | ___PPC_RT(r) | \
+@@ -85,17 +89,6 @@
+ ___PPC_RA(a) | ___PPC_RB(b))
+ #define PPC_BPF_STDCX(s, a, b) EMIT(PPC_INST_STDCX | ___PPC_RS(s) | \
+ ___PPC_RA(a) | ___PPC_RB(b))
+-
+-#ifdef CONFIG_PPC64
+-#define PPC_BPF_LL(r, base, i) do { PPC_LD(r, base, i); } while(0)
+-#define PPC_BPF_STL(r, base, i) do { PPC_STD(r, base, i); } while(0)
+-#define PPC_BPF_STLU(r, base, i) do { PPC_STDU(r, base, i); } while(0)
+-#else
+-#define PPC_BPF_LL(r, base, i) do { PPC_LWZ(r, base, i); } while(0)
+-#define PPC_BPF_STL(r, base, i) do { PPC_STW(r, base, i); } while(0)
+-#define PPC_BPF_STLU(r, base, i) do { PPC_STWU(r, base, i); } while(0)
+-#endif
+-
+ #define PPC_CMPWI(a, i) EMIT(PPC_INST_CMPWI | ___PPC_RA(a) | IMM_L(i))
+ #define PPC_CMPDI(a, i) EMIT(PPC_INST_CMPDI | ___PPC_RA(a) | IMM_L(i))
+ #define PPC_CMPW(a, b) EMIT(PPC_INST_CMPW | ___PPC_RA(a) | \
+--- a/arch/powerpc/net/bpf_jit32.h
++++ b/arch/powerpc/net/bpf_jit32.h
+@@ -123,6 +123,10 @@ DECLARE_LOAD_FUNC(sk_load_byte_msh);
+ #define PPC_NTOHS_OFFS(r, base, i) PPC_LHZ_OFFS(r, base, i)
+ #endif
+
++#define PPC_BPF_LL(r, base, i) do { PPC_LWZ(r, base, i); } while(0)
++#define PPC_BPF_STL(r, base, i) do { PPC_STW(r, base, i); } while(0)
++#define PPC_BPF_STLU(r, base, i) do { PPC_STWU(r, base, i); } while(0)
++
+ #define SEEN_DATAREF 0x10000 /* might call external helpers */
+ #define SEEN_XREG 0x20000 /* X reg is used */
+ #define SEEN_MEM 0x40000 /* SEEN_MEM+(1<<n) = use mem[n] for temporary
+--- a/arch/powerpc/net/bpf_jit64.h
++++ b/arch/powerpc/net/bpf_jit64.h
+@@ -68,6 +68,26 @@ static const int b2p[] = {
+ /* PPC NVR range -- update this if we ever use NVRs below r27 */
+ #define BPF_PPC_NVR_MIN 27
+
++/*
++ * WARNING: These can use TMP_REG_2 if the offset is not at word boundary,
++ * so ensure that it isn't in use already.
++ */
++#define PPC_BPF_LL(r, base, i) do { \
++ if ((i) % 4) { \
++ PPC_LI(b2p[TMP_REG_2], (i)); \
++ PPC_LDX(r, base, b2p[TMP_REG_2]); \
++ } else \
++ PPC_LD(r, base, i); \
++ } while(0)
++#define PPC_BPF_STL(r, base, i) do { \
++ if ((i) % 4) { \
++ PPC_LI(b2p[TMP_REG_2], (i)); \
++ PPC_STDX(r, base, b2p[TMP_REG_2]); \
++ } else \
++ PPC_STD(r, base, i); \
++ } while(0)
++#define PPC_BPF_STLU(r, base, i) do { PPC_STDU(r, base, i); } while(0)
++
+ #define SEEN_FUNC 0x1000 /* might call external helpers */
+ #define SEEN_STACK 0x2000 /* uses BPF stack */
+ #define SEEN_TAILCALL 0x4000 /* uses tail calls */
+--- a/arch/powerpc/net/bpf_jit_comp64.c
++++ b/arch/powerpc/net/bpf_jit_comp64.c
+@@ -226,7 +226,7 @@ static void bpf_jit_emit_tail_call(u32 *
+ * if (tail_call_cnt > MAX_TAIL_CALL_CNT)
+ * goto out;
+ */
+- PPC_LD(b2p[TMP_REG_1], 1, bpf_jit_stack_tailcallcnt(ctx));
++ PPC_BPF_LL(b2p[TMP_REG_1], 1, bpf_jit_stack_tailcallcnt(ctx));
+ PPC_CMPLWI(b2p[TMP_REG_1], MAX_TAIL_CALL_CNT);
+ PPC_BCC(COND_GT, out);
+
+@@ -239,7 +239,7 @@ static void bpf_jit_emit_tail_call(u32 *
+ /* prog = array->ptrs[index]; */
+ PPC_MULI(b2p[TMP_REG_1], b2p_index, 8);
+ PPC_ADD(b2p[TMP_REG_1], b2p[TMP_REG_1], b2p_bpf_array);
+- PPC_LD(b2p[TMP_REG_1], b2p[TMP_REG_1], offsetof(struct bpf_array, ptrs));
++ PPC_BPF_LL(b2p[TMP_REG_1], b2p[TMP_REG_1], offsetof(struct bpf_array, ptrs));
+
+ /*
+ * if (prog == NULL)
+@@ -249,7 +249,7 @@ static void bpf_jit_emit_tail_call(u32 *
+ PPC_BCC(COND_EQ, out);
+
+ /* goto *(prog->bpf_func + prologue_size); */
+- PPC_LD(b2p[TMP_REG_1], b2p[TMP_REG_1], offsetof(struct bpf_prog, bpf_func));
++ PPC_BPF_LL(b2p[TMP_REG_1], b2p[TMP_REG_1], offsetof(struct bpf_prog, bpf_func));
+ #ifdef PPC64_ELF_ABI_v1
+ /* skip past the function descriptor */
+ PPC_ADDI(b2p[TMP_REG_1], b2p[TMP_REG_1],
+@@ -573,7 +573,7 @@ bpf_alu32_trunc:
+ * the instructions generated will remain the
+ * same across all passes
+ */
+- PPC_STD(dst_reg, 1, bpf_jit_stack_local(ctx));
++ PPC_BPF_STL(dst_reg, 1, bpf_jit_stack_local(ctx));
+ PPC_ADDI(b2p[TMP_REG_1], 1, bpf_jit_stack_local(ctx));
+ PPC_LDBRX(dst_reg, 0, b2p[TMP_REG_1]);
+ break;
+@@ -629,7 +629,7 @@ emit_clear:
+ PPC_LI32(b2p[TMP_REG_1], imm);
+ src_reg = b2p[TMP_REG_1];
+ }
+- PPC_STD(src_reg, dst_reg, off);
++ PPC_BPF_STL(src_reg, dst_reg, off);
+ break;
+
+ /*
+@@ -676,7 +676,7 @@ emit_clear:
+ break;
+ /* dst = *(u64 *)(ul) (src + off) */
+ case BPF_LDX | BPF_MEM | BPF_DW:
+- PPC_LD(dst_reg, src_reg, off);
++ PPC_BPF_LL(dst_reg, src_reg, off);
+ break;
+
+ /*
powerpc-fsl-fixed-warning-orphan-section-__btb_flush_fixup.patch
powerpc-fsl-fix-the-flush-of-branch-predictor.patch
powerpc-security-fix-spectre_v2-reporting.patch
+btrfs-fix-incorrect-file-size-after-shrinking-truncate-and-fsync.patch
+btrfs-remove-warn_on-in-log_dir_items.patch
+btrfs-don-t-report-readahead-errors-and-don-t-update-statistics.patch
+btrfs-raid56-properly-unmap-parity-page-in-finish_parity_scrub.patch
+btrfs-avoid-possible-qgroup_rsv_size-overflow-in-btrfs_calculate_inode_block_rsv_size.patch
+btrfs-fix-assertion-failure-on-fsync-with-no_holes-enabled.patch
+arm-imx6q-cpuidle-fix-bug-that-cpu-might-not-wake-up-at-expected-time.patch
+powerpc-bpf-fix-generation-of-load-store-dw-instructions.patch
+vfio-ccw-only-free-cp-on-final-interrupt.patch
+nfs-fix-mount-umount-race-in-nlmclnt.patch
+nfsv4.1-don-t-free-interrupted-slot-on-open.patch
+net-dsa-qca8k-remove-leftover-phy-accessors.patch
--- /dev/null
+From 50b7f1b7236bab08ebbbecf90521e84b068d7a17 Mon Sep 17 00:00:00 2001
+From: Cornelia Huck <cohuck@redhat.com>
+Date: Mon, 11 Mar 2019 10:59:53 +0100
+Subject: vfio: ccw: only free cp on final interrupt
+
+From: Cornelia Huck <cohuck@redhat.com>
+
+commit 50b7f1b7236bab08ebbbecf90521e84b068d7a17 upstream.
+
+When we get an interrupt for a channel program, it is not
+necessarily the final interrupt; for example, the issuing
+guest may request an intermediate interrupt by specifying
+the program-controlled-interrupt flag on a ccw.
+
+We must not switch the state to idle if the interrupt is not
+yet final; even more importantly, we must not free the translated
+channel program if the interrupt is not yet final, or the host
+can crash during cp rewind.
+
+Fixes: e5f84dbaea59 ("vfio: ccw: return I/O results asynchronously")
+Cc: stable@vger.kernel.org # v4.12+
+Reviewed-by: Eric Farman <farman@linux.ibm.com>
+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/cio/vfio_ccw_drv.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/s390/cio/vfio_ccw_drv.c
++++ b/drivers/s390/cio/vfio_ccw_drv.c
+@@ -72,20 +72,24 @@ static void vfio_ccw_sch_io_todo(struct
+ {
+ struct vfio_ccw_private *private;
+ struct irb *irb;
++ bool is_final;
+
+ private = container_of(work, struct vfio_ccw_private, io_work);
+ irb = &private->irb;
+
++ is_final = !(scsw_actl(&irb->scsw) &
++ (SCSW_ACTL_DEVACT | SCSW_ACTL_SCHACT));
+ if (scsw_is_solicited(&irb->scsw)) {
+ cp_update_scsw(&private->cp, &irb->scsw);
+- cp_free(&private->cp);
++ if (is_final)
++ cp_free(&private->cp);
+ }
+ memcpy(private->io_region->irb_area, irb, sizeof(*irb));
+
+ if (private->io_trigger)
+ eventfd_signal(private->io_trigger, 1);
+
+- if (private->mdev)
++ if (private->mdev && is_final)
+ private->state = VFIO_CCW_STATE_IDLE;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
