--- /dev/null
+From 2f9f4566838c22c6201bade83fb74f8580f1a827 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 9 Apr 2019 18:04:17 +0200
+Subject: ALSA: seq: Fix race of get-subscription call vs port-delete ioctls
+
+[ Upstream commit 2eabc5ec8ab4d4748a82050dfcb994119b983750 ]
+
+The snd_seq_ioctl_get_subscription() retrieves the port subscriber
+information as a pointer, while the object isn't protected, hence it
+may be deleted before the actual reference. This race was spotted by
+syzkaller and may lead to a UAF.
+
+The fix is simply copying the data in the lookup function that
+performs in the rwsem to protect against the deletion.
+
+Reported-by: syzbot+9437020c82413d00222d@syzkaller.appspotmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/seq/seq_clientmgr.c | 10 ++--------
+ sound/core/seq/seq_ports.c | 13 ++++++++-----
+ sound/core/seq/seq_ports.h | 5 +++--
+ 3 files changed, 13 insertions(+), 15 deletions(-)
+
+diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
+index b3280e81bfd1..8599f2937ac1 100644
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -1900,20 +1900,14 @@ static int snd_seq_ioctl_get_subscription(struct snd_seq_client *client,
+ int result;
+ struct snd_seq_client *sender = NULL;
+ struct snd_seq_client_port *sport = NULL;
+- struct snd_seq_subscribers *p;
+
+ result = -EINVAL;
+ if ((sender = snd_seq_client_use_ptr(subs->sender.client)) == NULL)
+ goto __end;
+ if ((sport = snd_seq_port_use_ptr(sender, subs->sender.port)) == NULL)
+ goto __end;
+- p = snd_seq_port_get_subscription(&sport->c_src, &subs->dest);
+- if (p) {
+- result = 0;
+- *subs = p->info;
+- } else
+- result = -ENOENT;
+-
++ result = snd_seq_port_get_subscription(&sport->c_src, &subs->dest,
++ subs);
+ __end:
+ if (sport)
+ snd_seq_port_unlock(sport);
+diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c
+index da31aa8e216e..16289aefb443 100644
+--- a/sound/core/seq/seq_ports.c
++++ b/sound/core/seq/seq_ports.c
+@@ -635,20 +635,23 @@ int snd_seq_port_disconnect(struct snd_seq_client *connector,
+
+
+ /* get matched subscriber */
+-struct snd_seq_subscribers *snd_seq_port_get_subscription(struct snd_seq_port_subs_info *src_grp,
+- struct snd_seq_addr *dest_addr)
++int snd_seq_port_get_subscription(struct snd_seq_port_subs_info *src_grp,
++ struct snd_seq_addr *dest_addr,
++ struct snd_seq_port_subscribe *subs)
+ {
+- struct snd_seq_subscribers *s, *found = NULL;
++ struct snd_seq_subscribers *s;
++ int err = -ENOENT;
+
+ down_read(&src_grp->list_mutex);
+ list_for_each_entry(s, &src_grp->list_head, src_list) {
+ if (addr_match(dest_addr, &s->info.dest)) {
+- found = s;
++ *subs = s->info;
++ err = 0;
+ break;
+ }
+ }
+ up_read(&src_grp->list_mutex);
+- return found;
++ return err;
+ }
+
+ /*
+diff --git a/sound/core/seq/seq_ports.h b/sound/core/seq/seq_ports.h
+index 26bd71f36c41..06003b36652e 100644
+--- a/sound/core/seq/seq_ports.h
++++ b/sound/core/seq/seq_ports.h
+@@ -135,7 +135,8 @@ int snd_seq_port_subscribe(struct snd_seq_client_port *port,
+ struct snd_seq_port_subscribe *info);
+
+ /* get matched subscriber */
+-struct snd_seq_subscribers *snd_seq_port_get_subscription(struct snd_seq_port_subs_info *src_grp,
+- struct snd_seq_addr *dest_addr);
++int snd_seq_port_get_subscription(struct snd_seq_port_subs_info *src_grp,
++ struct snd_seq_addr *dest_addr,
++ struct snd_seq_port_subscribe *subs);
+
+ #endif
+--
+2.20.1
+
--- /dev/null
+From a41a3a0f3a60fd49690d01da4aac8cd824ac2b25 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 9 Apr 2019 17:35:22 +0200
+Subject: ALSA: seq: Protect in-kernel ioctl calls with mutex
+
+[ Upstream commit feb689025fbb6f0aa6297d3ddf97de945ea4ad32 ]
+
+ALSA OSS sequencer calls the ioctl function indirectly via
+snd_seq_kernel_client_ctl(). While we already applied the protection
+against races between the normal ioctls and writes via the client's
+ioctl_mutex, this code path was left untouched. And this seems to be
+the cause of still remaining some rare UAF as spontaneously triggered
+by syzkaller.
+
+For the sake of robustness, wrap the ioctl_mutex also for the call via
+snd_seq_kernel_client_ctl(), too.
+
+Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/seq/seq_clientmgr.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
+index 38e7deab6384..b3280e81bfd1 100644
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -2343,14 +2343,19 @@ int snd_seq_kernel_client_ctl(int clientid, unsigned int cmd, void *arg)
+ {
+ const struct ioctl_handler *handler;
+ struct snd_seq_client *client;
++ int err;
+
+ client = clientptr(clientid);
+ if (client == NULL)
+ return -ENXIO;
+
+ for (handler = ioctl_handlers; handler->cmd > 0; ++handler) {
+- if (handler->cmd == cmd)
+- return handler->func(client, arg);
++ if (handler->cmd == cmd) {
++ mutex_lock(&client->ioctl_mutex);
++ err = handler->func(client, arg);
++ mutex_unlock(&client->ioctl_mutex);
++ return err;
++ }
+ }
+
+ pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n",
+--
+2.20.1
+
--- /dev/null
+From 29f47500aa1e8acc19ad1bba8c409f60ed971019 Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Tue, 14 May 2019 14:30:06 +0530
+Subject: arm64/mm: Inhibit huge-vmap with ptdump
+
+[ Upstream commit 7ba36eccb3f83983a651efd570b4f933ecad1b5c ]
+
+The arm64 ptdump code can race with concurrent modification of the
+kernel page tables. At the time this was added, this was sound as:
+
+* Modifications to leaf entries could result in stale information being
+ logged, but would not result in a functional problem.
+
+* Boot time modifications to non-leaf entries (e.g. freeing of initmem)
+ were performed when the ptdump code cannot be invoked.
+
+* At runtime, modifications to non-leaf entries only occurred in the
+ vmalloc region, and these were strictly additive, as intermediate
+ entries were never freed.
+
+However, since commit:
+
+ commit 324420bf91f6 ("arm64: add support for ioremap() block mappings")
+
+... it has been possible to create huge mappings in the vmalloc area at
+runtime, and as part of this existing intermediate levels of table my be
+removed and freed.
+
+It's possible for the ptdump code to race with this, and continue to
+walk tables which have been freed (and potentially poisoned or
+reallocated). As a result of this, the ptdump code may dereference bogus
+addresses, which could be fatal.
+
+Since huge-vmap is a TLB and memory optimization, we can disable it when
+the runtime ptdump code is in use to avoid this problem.
+
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Fixes: 324420bf91f60582 ("arm64: add support for ioremap() block mappings")
+Acked-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/mm/mmu.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
+index e97f018ff740..ece9490e3018 100644
+--- a/arch/arm64/mm/mmu.c
++++ b/arch/arm64/mm/mmu.c
+@@ -936,13 +936,18 @@ void *__init fixmap_remap_fdt(phys_addr_t dt_phys)
+
+ int __init arch_ioremap_pud_supported(void)
+ {
+- /* only 4k granule supports level 1 block mappings */
+- return IS_ENABLED(CONFIG_ARM64_4K_PAGES);
++ /*
++ * Only 4k granule supports level 1 block mappings.
++ * SW table walks can't handle removal of intermediate entries.
++ */
++ return IS_ENABLED(CONFIG_ARM64_4K_PAGES) &&
++ !IS_ENABLED(CONFIG_ARM64_PTDUMP_DEBUGFS);
+ }
+
+ int __init arch_ioremap_pmd_supported(void)
+ {
+- return 1;
++ /* See arch_ioremap_pud_supported() */
++ return !IS_ENABLED(CONFIG_ARM64_PTDUMP_DEBUGFS);
+ }
+
+ int pud_set_huge(pud_t *pudp, phys_addr_t phys, pgprot_t prot)
+--
+2.20.1
+
--- /dev/null
+From 151b413ebc0531bcfea660157f02043c5e308542 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will.deacon@arm.com>
+Date: Tue, 14 May 2019 12:25:28 +0100
+Subject: arm64: Print physical address of page table base in show_pte()
+
+[ Upstream commit 48caebf7e1313eb9f0a06fe59a07ac05b38a5806 ]
+
+When dumping the page table in response to an unexpected kernel page
+fault, we print the virtual (hashed) address of the page table base, but
+display physical addresses for everything else.
+
+Make the page table dumping code in show_pte() consistent, by printing
+the page table base pointer as a physical address.
+
+Reported-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/mm/fault.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
+index 9a6099a2c633..f637447e96b0 100644
+--- a/arch/arm64/mm/fault.c
++++ b/arch/arm64/mm/fault.c
+@@ -171,9 +171,10 @@ void show_pte(unsigned long addr)
+ return;
+ }
+
+- pr_alert("%s pgtable: %luk pages, %u-bit VAs, pgdp = %p\n",
++ pr_alert("%s pgtable: %luk pages, %u-bit VAs, pgdp=%016lx\n",
+ mm == &init_mm ? "swapper" : "user", PAGE_SIZE / SZ_1K,
+- mm == &init_mm ? VA_BITS : (int) vabits_user, mm->pgd);
++ mm == &init_mm ? VA_BITS : (int)vabits_user,
++ (unsigned long)virt_to_phys(mm->pgd));
+ pgdp = pgd_offset(mm, addr);
+ pgd = READ_ONCE(*pgdp);
+ pr_alert("[%016lx] pgd=%016llx", addr, pgd_val(pgd));
+--
+2.20.1
+
--- /dev/null
+From 662b852b4005ff137912d2d2ac796b19e7315a6a Mon Sep 17 00:00:00 2001
+From: John Fastabend <john.fastabend@gmail.com>
+Date: Mon, 13 May 2019 07:19:55 -0700
+Subject: bpf: sockmap fix msg->sg.size account on ingress skb
+
+[ Upstream commit cabede8b4f2b746232aa25730a0b752de1cb82ca ]
+
+When converting a skb to msg->sg we forget to set the size after the
+latest ktls/tls code conversion. This patch can be reached by doing
+a redir into ingress path from BPF skb sock recv hook. Then trying to
+read the size fails.
+
+Fix this by setting the size.
+
+Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skmsg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index 49d1efa329d7..93bffaad2135 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -411,6 +411,7 @@ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb)
+ sk_mem_charge(sk, skb->len);
+ copied = skb->len;
+ msg->sg.start = 0;
++ msg->sg.size = copied;
+ msg->sg.end = num_sge == MAX_MSG_FRAGS ? 0 : num_sge;
+ msg->skb = skb;
+
+--
+2.20.1
+
--- /dev/null
+From af686f5de9fa74073720af567f3702472e671115 Mon Sep 17 00:00:00 2001
+From: John Fastabend <john.fastabend@gmail.com>
+Date: Mon, 13 May 2019 07:19:19 -0700
+Subject: bpf: sockmap, only stop/flush strp if it was enabled at some point
+
+[ Upstream commit 014894360ec95abe868e94416b3dd6569f6e2c0c ]
+
+If we try to call strp_done on a parser that has never been
+initialized, because the sockmap user is only using TX side for
+example we get the following error.
+
+ [ 883.422081] WARNING: CPU: 1 PID: 208 at kernel/workqueue.c:3030 __flush_work+0x1ca/0x1e0
+ ...
+ [ 883.422095] Workqueue: events sk_psock_destroy_deferred
+ [ 883.422097] RIP: 0010:__flush_work+0x1ca/0x1e0
+
+This had been wrapped in a 'if (psock->parser.enabled)' logic which
+was broken because the strp_done() was never actually being called
+because we do a strp_stop() earlier in the tear down logic will
+set parser.enabled to false. This could result in a use after free
+if work was still in the queue and was resolved by the patch here,
+1d79895aef18f ("sk_msg: Always cancel strp work before freeing the
+psock"). However, calling strp_stop(), done by the patch marked in
+the fixes tag, only is useful if we never initialized a strp parser
+program and never initialized the strp to start with. Because if
+we had initialized a stream parser strp_stop() would have been called
+by sk_psock_drop() earlier in the tear down process. By forcing the
+strp to stop we get past the WARNING in strp_done that checks
+the stopped flag but calling cancel_work_sync on work that has never
+been initialized is also wrong and generates the warning above.
+
+To fix check if the parser program exists. If the program exists
+then the strp work has been initialized and must be sync'd and
+cancelled before free'ing any structures. If no program exists we
+never initialized the stream parser in the first place so skip the
+sync/cancel logic implemented by strp_done.
+
+Finally, remove the strp_done its not needed and in the case where we
+are using the stream parser has already been called.
+
+Fixes: e8e3437762ad9 ("bpf: Stop the psock parser before canceling its work")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skmsg.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index cc94d921476c..49d1efa329d7 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -554,8 +554,10 @@ static void sk_psock_destroy_deferred(struct work_struct *gc)
+ struct sk_psock *psock = container_of(gc, struct sk_psock, gc);
+
+ /* No sk_callback_lock since already detached. */
+- strp_stop(&psock->parser.strp);
+- strp_done(&psock->parser.strp);
++
++ /* Parser has been stopped */
++ if (psock->progs.skb_parser)
++ strp_done(&psock->parser.strp);
+
+ cancel_work_sync(&psock->work);
+
+--
+2.20.1
+
--- /dev/null
+From 4409871ad3026f4ce3f62a8b6f3fbdf33054b68d Mon Sep 17 00:00:00 2001
+From: John Fastabend <john.fastabend@gmail.com>
+Date: Mon, 13 May 2019 07:19:37 -0700
+Subject: bpf: sockmap remove duplicate queue free
+
+[ Upstream commit c42253cc88206fd0e9868c8b2fd7f9e79f9e0e03 ]
+
+In tcp bpf remove we free the cork list and purge the ingress msg
+list. However we do this before the ref count reaches zero so it
+could be possible some other access is in progress. In this case
+(tcp close and/or tcp_unhash) we happen to also hold the sock
+lock so no path exists but lets fix it otherwise it is extremely
+fragile and breaks the reference counting rules. Also we already
+check the cork list and ingress msg queue and free them once the
+ref count reaches zero so its wasteful to check twice.
+
+Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_bpf.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
+index 1bb7321a256d..4a619c85daed 100644
+--- a/net/ipv4/tcp_bpf.c
++++ b/net/ipv4/tcp_bpf.c
+@@ -528,8 +528,6 @@ static void tcp_bpf_remove(struct sock *sk, struct sk_psock *psock)
+ {
+ struct sk_psock_link *link;
+
+- sk_psock_cork_free(psock);
+- __sk_psock_purge_ingress_msg(psock);
+ while ((link = sk_psock_link_pop(psock))) {
+ sk_psock_unlink(sk, link);
+ sk_psock_free_link(link);
+--
+2.20.1
+
--- /dev/null
+From 9bdf427b20037a68242b648ddbc4eb56cc66e405 Mon Sep 17 00:00:00 2001
+From: John Fastabend <john.fastabend@gmail.com>
+Date: Mon, 13 May 2019 21:42:03 -0700
+Subject: bpf, tcp: correctly handle DONT_WAIT flags and timeo == 0
+
+[ Upstream commit 5fa2ca7c4a3fc176f31b495e1a704862d8188b53 ]
+
+The tcp_bpf_wait_data() routine needs to check timeo != 0 before
+calling sk_wait_event() otherwise we may see unexpected stalls
+on receiver.
+
+Arika did all the leg work here I just formatted, posted and ran
+a few tests.
+
+Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface")
+Reported-by: Arika Chen <eaglesora@gmail.com>
+Suggested-by: Arika Chen <eaglesora@gmail.com>
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_bpf.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
+index 4a619c85daed..3d1e15401384 100644
+--- a/net/ipv4/tcp_bpf.c
++++ b/net/ipv4/tcp_bpf.c
+@@ -27,7 +27,10 @@ static int tcp_bpf_wait_data(struct sock *sk, struct sk_psock *psock,
+ int flags, long timeo, int *err)
+ {
+ DEFINE_WAIT_FUNC(wait, woken_wake_function);
+- int ret;
++ int ret = 0;
++
++ if (!timeo)
++ return ret;
+
+ add_wait_queue(sk_sleep(sk), &wait);
+ sk_set_bit(SOCKWQ_ASYNC_WAITDATA, sk);
+--
+2.20.1
+
--- /dev/null
+From bf2a66120205154abca5ec854086948651ffba16 Mon Sep 17 00:00:00 2001
+From: Young Xiao <YangX92@hotmail.com>
+Date: Fri, 12 Apr 2019 15:45:06 +0800
+Subject: Drivers: misc: fix out-of-bounds access in function
+ param_set_kgdbts_var
+
+[ Upstream commit b281218ad4311a0342a40cb02fb17a363df08b48 ]
+
+There is an out-of-bounds access to "config[len - 1]" array when the
+variable "len" is zero.
+
+See commit dada6a43b040 ("kgdboc: fix KASAN global-out-of-bounds bug
+in param_set_kgdboc_var()") for details.
+
+Signed-off-by: Young Xiao <YangX92@hotmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/kgdbts.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/misc/kgdbts.c b/drivers/misc/kgdbts.c
+index de20bdaa148d..8b01257783dd 100644
+--- a/drivers/misc/kgdbts.c
++++ b/drivers/misc/kgdbts.c
+@@ -1135,7 +1135,7 @@ static void kgdbts_put_char(u8 chr)
+ static int param_set_kgdbts_var(const char *kmessage,
+ const struct kernel_param *kp)
+ {
+- int len = strlen(kmessage);
++ size_t len = strlen(kmessage);
+
+ if (len >= MAX_CONFIG_LEN) {
+ printk(KERN_ERR "kgdbts: config string too long\n");
+@@ -1155,7 +1155,7 @@ static int param_set_kgdbts_var(const char *kmessage,
+
+ strcpy(config, kmessage);
+ /* Chop out \n char as a result of echo */
+- if (config[len - 1] == '\n')
++ if (len && config[len - 1] == '\n')
+ config[len - 1] = '\0';
+
+ /* Go and configure with the new params. */
+--
+2.20.1
+
--- /dev/null
+From bcb9a8b14ff683afd38f6efd5a246559165db8d1 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will.deacon@arm.com>
+Date: Mon, 13 May 2019 17:53:03 +0100
+Subject: drivers/perf: arm_spe: Don't error on high-order pages for aux buf
+
+[ Upstream commit 14ae42a6f0b13130a97d94d23481128961de5d38 ]
+
+Since commit 5768402fd9c6 ("perf/ring_buffer: Use high order allocations
+for AUX buffers optimistically"), the perf core tends to back aux buffer
+allocations with high-order pages with the order encoded in the
+PagePrivate data. The Arm SPE driver explicitly rejects such pages,
+causing the perf tool to fail with:
+
+ | failed to mmap with 12 (Cannot allocate memory)
+
+In actual fact, we can simply treat these pages just like any other
+since the perf core takes care to populate the page array appropriately.
+In theory we could try to map with PMDs where possible, but for now,
+let's just get things working again.
+
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Fixes: 5768402fd9c6 ("perf/ring_buffer: Use high order allocations for AUX buffers optimistically")
+Reported-by: Hanjun Guo <guohanjun@huawei.com>
+Tested-by: Hanjun Guo <guohanjun@huawei.com>
+Tested-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/arm_spe_pmu.c | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/drivers/perf/arm_spe_pmu.c b/drivers/perf/arm_spe_pmu.c
+index 7cb766dafe85..e120f933412a 100644
+--- a/drivers/perf/arm_spe_pmu.c
++++ b/drivers/perf/arm_spe_pmu.c
+@@ -855,16 +855,8 @@ static void *arm_spe_pmu_setup_aux(struct perf_event *event, void **pages,
+ if (!pglist)
+ goto out_free_buf;
+
+- for (i = 0; i < nr_pages; ++i) {
+- struct page *page = virt_to_page(pages[i]);
+-
+- if (PagePrivate(page)) {
+- pr_warn("unexpected high-order page for auxbuf!");
+- goto out_free_pglist;
+- }
+-
++ for (i = 0; i < nr_pages; ++i)
+ pglist[i] = virt_to_page(pages[i]);
+- }
+
+ buf->base = vmap(pglist, nr_pages, VM_MAP, PAGE_KERNEL);
+ if (!buf->base)
+--
+2.20.1
+
--- /dev/null
+From 3a5aa17c1b74d208dc911d224278abe72b6f0c83 Mon Sep 17 00:00:00 2001
+From: Flora Cui <flora.cui@amd.com>
+Date: Fri, 17 May 2019 11:33:56 +0800
+Subject: drm/amdgpu: keep stolen memory on picasso
+
+[ Upstream commit 379109351f4f6f2405cf54e7a296055f589c3ad1 ]
+
+otherwise screen corrupts during modprobe.
+
+Signed-off-by: Flora Cui <flora.cui@amd.com>
+Reviewed-by: Feifei Xu <Feifei.Xu@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c
+index 2fe8397241ea..1611bef19a2c 100644
+--- a/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c
+@@ -715,6 +715,7 @@ static bool gmc_v9_0_keep_stolen_memory(struct amdgpu_device *adev)
+ case CHIP_VEGA10:
+ return true;
+ case CHIP_RAVEN:
++ return (adev->pdev->device == 0x15d8);
+ case CHIP_VEGA12:
+ case CHIP_VEGA20:
+ default:
+--
+2.20.1
+
--- /dev/null
+From 2d0d70b4430c8475a4dd13564dcd480ac7a35a7e Mon Sep 17 00:00:00 2001
+From: Claudiu Manoil <claudiu.manoil@nxp.com>
+Date: Wed, 15 May 2019 19:08:56 +0300
+Subject: enetc: Fix NULL dma address unmap for Tx BD extensions
+
+[ Upstream commit f4a0be84d73ec648628bf8094600ceb73cb6073f ]
+
+For the unlikely case of TxBD extensions (i.e. ptp)
+the driver tries to unmap the tx_swbd corresponding
+to the extension, which is bogus as it has no buffer
+attached.
+
+Signed-off-by: Claudiu Manoil <claudiu.manoil@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/enetc/enetc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/freescale/enetc/enetc.c b/drivers/net/ethernet/freescale/enetc/enetc.c
+index 5bb9eb35d76d..491475d87736 100644
+--- a/drivers/net/ethernet/freescale/enetc/enetc.c
++++ b/drivers/net/ethernet/freescale/enetc/enetc.c
+@@ -313,7 +313,9 @@ static bool enetc_clean_tx_ring(struct enetc_bdr *tx_ring, int napi_budget)
+ while (bds_to_clean && tx_frm_cnt < ENETC_DEFAULT_TX_WORK) {
+ bool is_eof = !!tx_swbd->skb;
+
+- enetc_unmap_tx_buff(tx_ring, tx_swbd);
++ if (likely(tx_swbd->dma))
++ enetc_unmap_tx_buff(tx_ring, tx_swbd);
++
+ if (is_eof) {
+ napi_consume_skb(tx_swbd->skb, napi_budget);
+ tx_swbd->skb = NULL;
+--
+2.20.1
+
--- /dev/null
+From 03cfc9275efe2c2c4c7f73100bcecd891b79c64d Mon Sep 17 00:00:00 2001
+From: Randall Huang <huangrandall@google.com>
+Date: Thu, 11 Apr 2019 16:26:46 +0800
+Subject: f2fs: fix to avoid accessing xattr across the boundary
+
+[ Upstream commit 2777e654371dd4207a3a7f4fb5fa39550053a080 ]
+
+When we traverse xattr entries via __find_xattr(),
+if the raw filesystem content is faked or any hardware failure occurs,
+out-of-bound error can be detected by KASAN.
+Fix the issue by introducing boundary check.
+
+[ 38.402878] c7 1827 BUG: KASAN: slab-out-of-bounds in f2fs_getxattr+0x518/0x68c
+[ 38.402891] c7 1827 Read of size 4 at addr ffffffc0b6fb35dc by task
+[ 38.402935] c7 1827 Call trace:
+[ 38.402952] c7 1827 [<ffffff900809003c>] dump_backtrace+0x0/0x6bc
+[ 38.402966] c7 1827 [<ffffff9008090030>] show_stack+0x20/0x2c
+[ 38.402981] c7 1827 [<ffffff900871ab10>] dump_stack+0xfc/0x140
+[ 38.402995] c7 1827 [<ffffff9008325c40>] print_address_description+0x80/0x2d8
+[ 38.403009] c7 1827 [<ffffff900832629c>] kasan_report_error+0x198/0x1fc
+[ 38.403022] c7 1827 [<ffffff9008326104>] kasan_report_error+0x0/0x1fc
+[ 38.403037] c7 1827 [<ffffff9008325000>] __asan_load4+0x1b0/0x1b8
+[ 38.403051] c7 1827 [<ffffff90085fcc44>] f2fs_getxattr+0x518/0x68c
+[ 38.403066] c7 1827 [<ffffff90085fc508>] f2fs_xattr_generic_get+0xb0/0xd0
+[ 38.403080] c7 1827 [<ffffff9008395708>] __vfs_getxattr+0x1f4/0x1fc
+[ 38.403096] c7 1827 [<ffffff9008621bd0>] inode_doinit_with_dentry+0x360/0x938
+[ 38.403109] c7 1827 [<ffffff900862d6cc>] selinux_d_instantiate+0x2c/0x38
+[ 38.403123] c7 1827 [<ffffff900861b018>] security_d_instantiate+0x68/0x98
+[ 38.403136] c7 1827 [<ffffff9008377db8>] d_splice_alias+0x58/0x348
+[ 38.403149] c7 1827 [<ffffff900858d16c>] f2fs_lookup+0x608/0x774
+[ 38.403163] c7 1827 [<ffffff900835eacc>] lookup_slow+0x1e0/0x2cc
+[ 38.403177] c7 1827 [<ffffff9008367fe0>] walk_component+0x160/0x520
+[ 38.403190] c7 1827 [<ffffff9008369ef4>] path_lookupat+0x110/0x2b4
+[ 38.403203] c7 1827 [<ffffff900835dd38>] filename_lookup+0x1d8/0x3a8
+[ 38.403216] c7 1827 [<ffffff900835eeb0>] user_path_at_empty+0x54/0x68
+[ 38.403229] c7 1827 [<ffffff9008395f44>] SyS_getxattr+0xb4/0x18c
+[ 38.403241] c7 1827 [<ffffff9008084200>] el0_svc_naked+0x34/0x38
+
+Signed-off-by: Randall Huang <huangrandall@google.com>
+[Jaegeuk Kim: Fix wrong ending boundary]
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/xattr.c | 36 +++++++++++++++++++++++++++---------
+ fs/f2fs/xattr.h | 2 ++
+ 2 files changed, 29 insertions(+), 9 deletions(-)
+
+diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c
+index 848a785abe25..e791741d193b 100644
+--- a/fs/f2fs/xattr.c
++++ b/fs/f2fs/xattr.c
+@@ -202,12 +202,17 @@ static inline const struct xattr_handler *f2fs_xattr_handler(int index)
+ return handler;
+ }
+
+-static struct f2fs_xattr_entry *__find_xattr(void *base_addr, int index,
+- size_t len, const char *name)
++static struct f2fs_xattr_entry *__find_xattr(void *base_addr,
++ void *last_base_addr, int index,
++ size_t len, const char *name)
+ {
+ struct f2fs_xattr_entry *entry;
+
+ list_for_each_xattr(entry, base_addr) {
++ if ((void *)(entry) + sizeof(__u32) > last_base_addr ||
++ (void *)XATTR_NEXT_ENTRY(entry) > last_base_addr)
++ return NULL;
++
+ if (entry->e_name_index != index)
+ continue;
+ if (entry->e_name_len != len)
+@@ -297,20 +302,22 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage,
+ const char *name, struct f2fs_xattr_entry **xe,
+ void **base_addr, int *base_size)
+ {
+- void *cur_addr, *txattr_addr, *last_addr = NULL;
++ void *cur_addr, *txattr_addr, *last_txattr_addr;
++ void *last_addr = NULL;
+ nid_t xnid = F2FS_I(inode)->i_xattr_nid;
+- unsigned int size = xnid ? VALID_XATTR_BLOCK_SIZE : 0;
+ unsigned int inline_size = inline_xattr_size(inode);
+ int err = 0;
+
+- if (!size && !inline_size)
++ if (!xnid && !inline_size)
+ return -ENODATA;
+
+- *base_size = inline_size + size + XATTR_PADDING_SIZE;
++ *base_size = XATTR_SIZE(xnid, inode) + XATTR_PADDING_SIZE;
+ txattr_addr = f2fs_kzalloc(F2FS_I_SB(inode), *base_size, GFP_NOFS);
+ if (!txattr_addr)
+ return -ENOMEM;
+
++ last_txattr_addr = (void *)txattr_addr + XATTR_SIZE(xnid, inode);
++
+ /* read from inline xattr */
+ if (inline_size) {
+ err = read_inline_xattr(inode, ipage, txattr_addr);
+@@ -337,7 +344,11 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage,
+ else
+ cur_addr = txattr_addr;
+
+- *xe = __find_xattr(cur_addr, index, len, name);
++ *xe = __find_xattr(cur_addr, last_txattr_addr, index, len, name);
++ if (!*xe) {
++ err = -EFAULT;
++ goto out;
++ }
+ check:
+ if (IS_XATTR_LAST_ENTRY(*xe)) {
+ err = -ENODATA;
+@@ -581,7 +592,8 @@ static int __f2fs_setxattr(struct inode *inode, int index,
+ struct page *ipage, int flags)
+ {
+ struct f2fs_xattr_entry *here, *last;
+- void *base_addr;
++ void *base_addr, *last_base_addr;
++ nid_t xnid = F2FS_I(inode)->i_xattr_nid;
+ int found, newsize;
+ size_t len;
+ __u32 new_hsize;
+@@ -605,8 +617,14 @@ static int __f2fs_setxattr(struct inode *inode, int index,
+ if (error)
+ return error;
+
++ last_base_addr = (void *)base_addr + XATTR_SIZE(xnid, inode);
++
+ /* find entry with wanted name. */
+- here = __find_xattr(base_addr, index, len, name);
++ here = __find_xattr(base_addr, last_base_addr, index, len, name);
++ if (!here) {
++ error = -EFAULT;
++ goto exit;
++ }
+
+ found = IS_XATTR_LAST_ENTRY(here) ? 0 : 1;
+
+diff --git a/fs/f2fs/xattr.h b/fs/f2fs/xattr.h
+index 9172ee082ca8..a90920e2f949 100644
+--- a/fs/f2fs/xattr.h
++++ b/fs/f2fs/xattr.h
+@@ -71,6 +71,8 @@ struct f2fs_xattr_entry {
+ entry = XATTR_NEXT_ENTRY(entry))
+ #define VALID_XATTR_BLOCK_SIZE (PAGE_SIZE - sizeof(struct node_footer))
+ #define XATTR_PADDING_SIZE (sizeof(__u32))
++#define XATTR_SIZE(x,i) (((x) ? VALID_XATTR_BLOCK_SIZE : 0) + \
++ (inline_xattr_size(i)))
+ #define MIN_OFFSET(i) XATTR_ALIGN(inline_xattr_size(i) + \
+ VALID_XATTR_BLOCK_SIZE)
+
+--
+2.20.1
+
--- /dev/null
+From 38ae241a4c470941c75d4cce01b0d01ff329c52e Mon Sep 17 00:00:00 2001
+From: James Morse <james.morse@arm.com>
+Date: Wed, 22 May 2019 18:47:05 +0100
+Subject: KVM: arm/arm64: Move cc/it checks under hyp's Makefile to avoid
+ instrumentation
+
+[ Upstream commit 623e1528d4090bd1abaf93ec46f047dee9a6fb32 ]
+
+KVM has helpers to handle the condition codes of trapped aarch32
+instructions. These are marked __hyp_text and used from HYP, but they
+aren't built by the 'hyp' Makefile, which has all the runes to avoid ASAN
+and KCOV instrumentation.
+
+Move this code to a new hyp/aarch32.c to avoid a hyp-panic when starting
+an aarch32 guest on a host built with the ASAN/KCOV debug options.
+
+Fixes: 021234ef3752f ("KVM: arm64: Make kvm_condition_valid32() accessible from EL2")
+Fixes: 8cebe750c4d9a ("arm64: KVM: Make kvm_skip_instr32 available to HYP")
+Signed-off-by: James Morse <james.morse@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/kvm/hyp/Makefile | 1 +
+ arch/arm64/kvm/hyp/Makefile | 1 +
+ virt/kvm/arm/aarch32.c | 121 --------------------------------
+ virt/kvm/arm/hyp/aarch32.c | 136 ++++++++++++++++++++++++++++++++++++
+ 4 files changed, 138 insertions(+), 121 deletions(-)
+ create mode 100644 virt/kvm/arm/hyp/aarch32.c
+
+diff --git a/arch/arm/kvm/hyp/Makefile b/arch/arm/kvm/hyp/Makefile
+index d2b5ec9c4b92..ba88b1eca93c 100644
+--- a/arch/arm/kvm/hyp/Makefile
++++ b/arch/arm/kvm/hyp/Makefile
+@@ -11,6 +11,7 @@ CFLAGS_ARMV7VE :=$(call cc-option, -march=armv7ve)
+
+ obj-$(CONFIG_KVM_ARM_HOST) += $(KVM)/arm/hyp/vgic-v3-sr.o
+ obj-$(CONFIG_KVM_ARM_HOST) += $(KVM)/arm/hyp/timer-sr.o
++obj-$(CONFIG_KVM_ARM_HOST) += $(KVM)/arm/hyp/aarch32.o
+
+ obj-$(CONFIG_KVM_ARM_HOST) += tlb.o
+ obj-$(CONFIG_KVM_ARM_HOST) += cp15-sr.o
+diff --git a/arch/arm64/kvm/hyp/Makefile b/arch/arm64/kvm/hyp/Makefile
+index 82d1904328ad..ea710f674cb6 100644
+--- a/arch/arm64/kvm/hyp/Makefile
++++ b/arch/arm64/kvm/hyp/Makefile
+@@ -10,6 +10,7 @@ KVM=../../../../virt/kvm
+
+ obj-$(CONFIG_KVM_ARM_HOST) += $(KVM)/arm/hyp/vgic-v3-sr.o
+ obj-$(CONFIG_KVM_ARM_HOST) += $(KVM)/arm/hyp/timer-sr.o
++obj-$(CONFIG_KVM_ARM_HOST) += $(KVM)/arm/hyp/aarch32.o
+
+ obj-$(CONFIG_KVM_ARM_HOST) += vgic-v2-cpuif-proxy.o
+ obj-$(CONFIG_KVM_ARM_HOST) += sysreg-sr.o
+diff --git a/virt/kvm/arm/aarch32.c b/virt/kvm/arm/aarch32.c
+index 5abbe9b3c652..6880236974b8 100644
+--- a/virt/kvm/arm/aarch32.c
++++ b/virt/kvm/arm/aarch32.c
+@@ -25,127 +25,6 @@
+ #include <asm/kvm_emulate.h>
+ #include <asm/kvm_hyp.h>
+
+-/*
+- * stolen from arch/arm/kernel/opcodes.c
+- *
+- * condition code lookup table
+- * index into the table is test code: EQ, NE, ... LT, GT, AL, NV
+- *
+- * bit position in short is condition code: NZCV
+- */
+-static const unsigned short cc_map[16] = {
+- 0xF0F0, /* EQ == Z set */
+- 0x0F0F, /* NE */
+- 0xCCCC, /* CS == C set */
+- 0x3333, /* CC */
+- 0xFF00, /* MI == N set */
+- 0x00FF, /* PL */
+- 0xAAAA, /* VS == V set */
+- 0x5555, /* VC */
+- 0x0C0C, /* HI == C set && Z clear */
+- 0xF3F3, /* LS == C clear || Z set */
+- 0xAA55, /* GE == (N==V) */
+- 0x55AA, /* LT == (N!=V) */
+- 0x0A05, /* GT == (!Z && (N==V)) */
+- 0xF5FA, /* LE == (Z || (N!=V)) */
+- 0xFFFF, /* AL always */
+- 0 /* NV */
+-};
+-
+-/*
+- * Check if a trapped instruction should have been executed or not.
+- */
+-bool __hyp_text kvm_condition_valid32(const struct kvm_vcpu *vcpu)
+-{
+- unsigned long cpsr;
+- u32 cpsr_cond;
+- int cond;
+-
+- /* Top two bits non-zero? Unconditional. */
+- if (kvm_vcpu_get_hsr(vcpu) >> 30)
+- return true;
+-
+- /* Is condition field valid? */
+- cond = kvm_vcpu_get_condition(vcpu);
+- if (cond == 0xE)
+- return true;
+-
+- cpsr = *vcpu_cpsr(vcpu);
+-
+- if (cond < 0) {
+- /* This can happen in Thumb mode: examine IT state. */
+- unsigned long it;
+-
+- it = ((cpsr >> 8) & 0xFC) | ((cpsr >> 25) & 0x3);
+-
+- /* it == 0 => unconditional. */
+- if (it == 0)
+- return true;
+-
+- /* The cond for this insn works out as the top 4 bits. */
+- cond = (it >> 4);
+- }
+-
+- cpsr_cond = cpsr >> 28;
+-
+- if (!((cc_map[cond] >> cpsr_cond) & 1))
+- return false;
+-
+- return true;
+-}
+-
+-/**
+- * adjust_itstate - adjust ITSTATE when emulating instructions in IT-block
+- * @vcpu: The VCPU pointer
+- *
+- * When exceptions occur while instructions are executed in Thumb IF-THEN
+- * blocks, the ITSTATE field of the CPSR is not advanced (updated), so we have
+- * to do this little bit of work manually. The fields map like this:
+- *
+- * IT[7:0] -> CPSR[26:25],CPSR[15:10]
+- */
+-static void __hyp_text kvm_adjust_itstate(struct kvm_vcpu *vcpu)
+-{
+- unsigned long itbits, cond;
+- unsigned long cpsr = *vcpu_cpsr(vcpu);
+- bool is_arm = !(cpsr & PSR_AA32_T_BIT);
+-
+- if (is_arm || !(cpsr & PSR_AA32_IT_MASK))
+- return;
+-
+- cond = (cpsr & 0xe000) >> 13;
+- itbits = (cpsr & 0x1c00) >> (10 - 2);
+- itbits |= (cpsr & (0x3 << 25)) >> 25;
+-
+- /* Perform ITAdvance (see page A2-52 in ARM DDI 0406C) */
+- if ((itbits & 0x7) == 0)
+- itbits = cond = 0;
+- else
+- itbits = (itbits << 1) & 0x1f;
+-
+- cpsr &= ~PSR_AA32_IT_MASK;
+- cpsr |= cond << 13;
+- cpsr |= (itbits & 0x1c) << (10 - 2);
+- cpsr |= (itbits & 0x3) << 25;
+- *vcpu_cpsr(vcpu) = cpsr;
+-}
+-
+-/**
+- * kvm_skip_instr - skip a trapped instruction and proceed to the next
+- * @vcpu: The vcpu pointer
+- */
+-void __hyp_text kvm_skip_instr32(struct kvm_vcpu *vcpu, bool is_wide_instr)
+-{
+- bool is_thumb;
+-
+- is_thumb = !!(*vcpu_cpsr(vcpu) & PSR_AA32_T_BIT);
+- if (is_thumb && !is_wide_instr)
+- *vcpu_pc(vcpu) += 2;
+- else
+- *vcpu_pc(vcpu) += 4;
+- kvm_adjust_itstate(vcpu);
+-}
+-
+ /*
+ * Table taken from ARMv8 ARM DDI0487B-B, table G1-10.
+ */
+diff --git a/virt/kvm/arm/hyp/aarch32.c b/virt/kvm/arm/hyp/aarch32.c
+new file mode 100644
+index 000000000000..d31f267961e7
+--- /dev/null
++++ b/virt/kvm/arm/hyp/aarch32.c
+@@ -0,0 +1,136 @@
++// SPDX-License-Identifier: GPL-2.0
++/*
++ * Hyp portion of the (not much of an) Emulation layer for 32bit guests.
++ *
++ * Copyright (C) 2012,2013 - ARM Ltd
++ * Author: Marc Zyngier <marc.zyngier@arm.com>
++ *
++ * based on arch/arm/kvm/emulate.c
++ * Copyright (C) 2012 - Virtual Open Systems and Columbia University
++ * Author: Christoffer Dall <c.dall@virtualopensystems.com>
++ */
++
++#include <linux/kvm_host.h>
++#include <asm/kvm_emulate.h>
++#include <asm/kvm_hyp.h>
++
++/*
++ * stolen from arch/arm/kernel/opcodes.c
++ *
++ * condition code lookup table
++ * index into the table is test code: EQ, NE, ... LT, GT, AL, NV
++ *
++ * bit position in short is condition code: NZCV
++ */
++static const unsigned short cc_map[16] = {
++ 0xF0F0, /* EQ == Z set */
++ 0x0F0F, /* NE */
++ 0xCCCC, /* CS == C set */
++ 0x3333, /* CC */
++ 0xFF00, /* MI == N set */
++ 0x00FF, /* PL */
++ 0xAAAA, /* VS == V set */
++ 0x5555, /* VC */
++ 0x0C0C, /* HI == C set && Z clear */
++ 0xF3F3, /* LS == C clear || Z set */
++ 0xAA55, /* GE == (N==V) */
++ 0x55AA, /* LT == (N!=V) */
++ 0x0A05, /* GT == (!Z && (N==V)) */
++ 0xF5FA, /* LE == (Z || (N!=V)) */
++ 0xFFFF, /* AL always */
++ 0 /* NV */
++};
++
++/*
++ * Check if a trapped instruction should have been executed or not.
++ */
++bool __hyp_text kvm_condition_valid32(const struct kvm_vcpu *vcpu)
++{
++ unsigned long cpsr;
++ u32 cpsr_cond;
++ int cond;
++
++ /* Top two bits non-zero? Unconditional. */
++ if (kvm_vcpu_get_hsr(vcpu) >> 30)
++ return true;
++
++ /* Is condition field valid? */
++ cond = kvm_vcpu_get_condition(vcpu);
++ if (cond == 0xE)
++ return true;
++
++ cpsr = *vcpu_cpsr(vcpu);
++
++ if (cond < 0) {
++ /* This can happen in Thumb mode: examine IT state. */
++ unsigned long it;
++
++ it = ((cpsr >> 8) & 0xFC) | ((cpsr >> 25) & 0x3);
++
++ /* it == 0 => unconditional. */
++ if (it == 0)
++ return true;
++
++ /* The cond for this insn works out as the top 4 bits. */
++ cond = (it >> 4);
++ }
++
++ cpsr_cond = cpsr >> 28;
++
++ if (!((cc_map[cond] >> cpsr_cond) & 1))
++ return false;
++
++ return true;
++}
++
++/**
++ * adjust_itstate - adjust ITSTATE when emulating instructions in IT-block
++ * @vcpu: The VCPU pointer
++ *
++ * When exceptions occur while instructions are executed in Thumb IF-THEN
++ * blocks, the ITSTATE field of the CPSR is not advanced (updated), so we have
++ * to do this little bit of work manually. The fields map like this:
++ *
++ * IT[7:0] -> CPSR[26:25],CPSR[15:10]
++ */
++static void __hyp_text kvm_adjust_itstate(struct kvm_vcpu *vcpu)
++{
++ unsigned long itbits, cond;
++ unsigned long cpsr = *vcpu_cpsr(vcpu);
++ bool is_arm = !(cpsr & PSR_AA32_T_BIT);
++
++ if (is_arm || !(cpsr & PSR_AA32_IT_MASK))
++ return;
++
++ cond = (cpsr & 0xe000) >> 13;
++ itbits = (cpsr & 0x1c00) >> (10 - 2);
++ itbits |= (cpsr & (0x3 << 25)) >> 25;
++
++ /* Perform ITAdvance (see page A2-52 in ARM DDI 0406C) */
++ if ((itbits & 0x7) == 0)
++ itbits = cond = 0;
++ else
++ itbits = (itbits << 1) & 0x1f;
++
++ cpsr &= ~PSR_AA32_IT_MASK;
++ cpsr |= cond << 13;
++ cpsr |= (itbits & 0x1c) << (10 - 2);
++ cpsr |= (itbits & 0x3) << 25;
++ *vcpu_cpsr(vcpu) = cpsr;
++}
++
++/**
++ * kvm_skip_instr - skip a trapped instruction and proceed to the next
++ * @vcpu: The vcpu pointer
++ */
++void __hyp_text kvm_skip_instr32(struct kvm_vcpu *vcpu, bool is_wide_instr)
++{
++ bool is_thumb;
++
++ is_thumb = !!(*vcpu_cpsr(vcpu) & PSR_AA32_T_BIT);
++ if (is_thumb && !is_wide_instr)
++ *vcpu_pc(vcpu) += 2;
++ else
++ *vcpu_pc(vcpu) += 4;
++ kvm_adjust_itstate(vcpu);
++}
+--
+2.20.1
+
--- /dev/null
+From 506ed6b5845a3959a44ed79033587723a263d177 Mon Sep 17 00:00:00 2001
+From: Wanpeng Li <wanpengli@tencent.com>
+Date: Mon, 20 May 2019 16:18:06 +0800
+Subject: KVM: LAPIC: Fix lapic_timer_advance_ns parameter overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 0e6edceb8f18a4e31526d83e6099fef1f29c3af5 ]
+
+After commit c3941d9e0 (KVM: lapic: Allow user to disable adaptive tuning of
+timer advancement), '-1' enables adaptive tuning starting from default
+advancment of 1000ns. However, we should expose an int instead of an overflow
+uint module parameter.
+
+Before patch:
+
+/sys/module/kvm/parameters/lapic_timer_advance_ns:4294967295
+
+After patch:
+
+/sys/module/kvm/parameters/lapic_timer_advance_ns:-1
+
+Fixes: c3941d9e0 (KVM: lapic: Allow user to disable adaptive tuning of timer advancement)
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Sean Christopherson <sean.j.christopherson@intel.com>
+Cc: Liran Alon <liran.alon@oracle.com>
+Reviewed-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/x86.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index efc8adf7ca0e..b07868eb1656 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -143,7 +143,7 @@ module_param(tsc_tolerance_ppm, uint, S_IRUGO | S_IWUSR);
+ * tuning, i.e. allows priveleged userspace to set an exact advancement time.
+ */
+ static int __read_mostly lapic_timer_advance_ns = -1;
+-module_param(lapic_timer_advance_ns, uint, S_IRUGO | S_IWUSR);
++module_param(lapic_timer_advance_ns, int, S_IRUGO | S_IWUSR);
+
+ static bool __read_mostly vector_hashing = true;
+ module_param(vector_hashing, bool, S_IRUGO);
+--
+2.20.1
+
--- /dev/null
+From 7f4d21ecf7d8552e66f374576e45f5d20c4cde45 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 20 May 2019 11:55:36 +0200
+Subject: KVM: nVMX: really fix the size checks on KVM_SET_NESTED_STATE
+
+[ Upstream commit db80927ea1977a845230a161df643b48fd1e1ea4 ]
+
+The offset for reading the shadow VMCS is sizeof(*kvm_state)+VMCS12_SIZE,
+so the correct size must be that plus sizeof(*vmcs12). This could lead
+to KVM reading garbage data from userspace and not reporting an error,
+but is otherwise not sensitive.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/vmx/nested.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
+index 8f6f69c26c35..5fa0c17d0b41 100644
+--- a/arch/x86/kvm/vmx/nested.c
++++ b/arch/x86/kvm/vmx/nested.c
+@@ -5467,7 +5467,7 @@ static int vmx_set_nested_state(struct kvm_vcpu *vcpu,
+ vmcs12->vmcs_link_pointer != -1ull) {
+ struct vmcs12 *shadow_vmcs12 = get_shadow_vmcs12(vcpu);
+
+- if (kvm_state->size < sizeof(*kvm_state) + 2 * sizeof(*vmcs12))
++ if (kvm_state->size < sizeof(*kvm_state) + VMCS12_SIZE + sizeof(*vmcs12))
+ return -EINVAL;
+
+ if (copy_from_user(shadow_vmcs12,
+--
+2.20.1
+
--- /dev/null
+From 9b42ad76df55bc578ce4845e931d809ad4098b38 Mon Sep 17 00:00:00 2001
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+Date: Fri, 24 May 2019 16:06:23 +0200
+Subject: KVM: s390: fix memory slot handling for KVM_SET_USER_MEMORY_REGION
+
+[ Upstream commit 19ec166c3f39fe1d3789888a74cc95544ac266d4 ]
+
+kselftests exposed a problem in the s390 handling for memory slots.
+Right now we only do proper memory slot handling for creation of new
+memory slots. Neither MOVE, nor DELETION are handled properly. Let us
+implement those.
+
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kvm/kvm-s390.c | 35 +++++++++++++++++++++--------------
+ 1 file changed, 21 insertions(+), 14 deletions(-)
+
+diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
+index c4180ecfbb2a..ee35f1112db9 100644
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -4413,21 +4413,28 @@ void kvm_arch_commit_memory_region(struct kvm *kvm,
+ const struct kvm_memory_slot *new,
+ enum kvm_mr_change change)
+ {
+- int rc;
+-
+- /* If the basics of the memslot do not change, we do not want
+- * to update the gmap. Every update causes several unnecessary
+- * segment translation exceptions. This is usually handled just
+- * fine by the normal fault handler + gmap, but it will also
+- * cause faults on the prefix page of running guest CPUs.
+- */
+- if (old->userspace_addr == mem->userspace_addr &&
+- old->base_gfn * PAGE_SIZE == mem->guest_phys_addr &&
+- old->npages * PAGE_SIZE == mem->memory_size)
+- return;
++ int rc = 0;
+
+- rc = gmap_map_segment(kvm->arch.gmap, mem->userspace_addr,
+- mem->guest_phys_addr, mem->memory_size);
++ switch (change) {
++ case KVM_MR_DELETE:
++ rc = gmap_unmap_segment(kvm->arch.gmap, old->base_gfn * PAGE_SIZE,
++ old->npages * PAGE_SIZE);
++ break;
++ case KVM_MR_MOVE:
++ rc = gmap_unmap_segment(kvm->arch.gmap, old->base_gfn * PAGE_SIZE,
++ old->npages * PAGE_SIZE);
++ if (rc)
++ break;
++ /* FALLTHROUGH */
++ case KVM_MR_CREATE:
++ rc = gmap_map_segment(kvm->arch.gmap, mem->userspace_addr,
++ mem->guest_phys_addr, mem->memory_size);
++ break;
++ case KVM_MR_FLAGS_ONLY:
++ break;
++ default:
++ WARN(1, "Unknown KVM MR CHANGE: %d\n", change);
++ }
+ if (rc)
+ pr_warn("failed to commit memory region\n");
+ return;
+--
+2.20.1
+
--- /dev/null
+From 357d9f15c386a322800efec267109e12b11f20ab Mon Sep 17 00:00:00 2001
+From: Andrew Jones <drjones@redhat.com>
+Date: Thu, 23 May 2019 11:34:05 +0200
+Subject: kvm: selftests: aarch64: dirty_log_test: fix unaligned memslot size
+
+[ Upstream commit bffed38d4fb536c5d5d6c37846a7fb8fde1452fa ]
+
+The memory slot size must be aligned to the host's page size. When
+testing a guest with a 4k page size on a host with a 64k page size,
+then 3 guest pages are not host page size aligned. Since we just need
+a nearly arbitrary number of extra pages to ensure the memslot is not
+aligned to a 64 host-page boundary for this test, then we can use
+16, as that's 64k aligned, but not 64 * 64k aligned.
+
+Fixes: 76d58e0f07ec ("KVM: fix KVM_CLEAR_DIRTY_LOG for memory slots of unaligned size", 2019-04-17)
+Signed-off-by: Andrew Jones <drjones@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/kvm/dirty_log_test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/kvm/dirty_log_test.c b/tools/testing/selftests/kvm/dirty_log_test.c
+index 93f99c6b7d79..a2542ed42819 100644
+--- a/tools/testing/selftests/kvm/dirty_log_test.c
++++ b/tools/testing/selftests/kvm/dirty_log_test.c
+@@ -292,7 +292,7 @@ static void run_test(enum vm_guest_mode mode, unsigned long iterations,
+ * A little more than 1G of guest page sized pages. Cover the
+ * case where the size is not aligned to 64 pages.
+ */
+- guest_num_pages = (1ul << (30 - guest_page_shift)) + 3;
++ guest_num_pages = (1ul << (30 - guest_page_shift)) + 16;
+ host_page_size = getpagesize();
+ host_num_pages = (guest_num_pages * guest_page_size) / host_page_size +
+ !!((guest_num_pages * guest_page_size) % host_page_size);
+--
+2.20.1
+
--- /dev/null
+From e2c681747631ed6a49ba0ca6eb3f07eeb705a0f9 Mon Sep 17 00:00:00 2001
+From: Andrew Jones <drjones@redhat.com>
+Date: Thu, 23 May 2019 13:05:46 +0200
+Subject: kvm: selftests: aarch64: fix default vm mode
+
+[ Upstream commit 55eda003f02f075bab0223a188e548dbf3ac8dfe ]
+
+VM_MODE_P52V48_4K is not a valid mode for AArch64. Replace its
+use in vm_create_default() with a mode that works and represents
+a good AArch64 default. (We didn't ever see a problem with this
+because we don't have any unit tests using vm_create_default(),
+but it's good to get it fixed in advance.)
+
+Reported-by: Thomas Huth <thuth@redhat.com>
+Signed-off-by: Andrew Jones <drjones@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/kvm/lib/aarch64/processor.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/kvm/lib/aarch64/processor.c b/tools/testing/selftests/kvm/lib/aarch64/processor.c
+index e8c42506a09d..fa6cd340137c 100644
+--- a/tools/testing/selftests/kvm/lib/aarch64/processor.c
++++ b/tools/testing/selftests/kvm/lib/aarch64/processor.c
+@@ -226,7 +226,7 @@ struct kvm_vm *vm_create_default(uint32_t vcpuid, uint64_t extra_mem_pages,
+ uint64_t extra_pg_pages = (extra_mem_pages / ptrs_per_4k_pte) * 2;
+ struct kvm_vm *vm;
+
+- vm = vm_create(VM_MODE_P52V48_4K, DEFAULT_GUEST_PHY_PAGES + extra_pg_pages, O_RDWR);
++ vm = vm_create(VM_MODE_P40V48_4K, DEFAULT_GUEST_PHY_PAGES + extra_pg_pages, O_RDWR);
+
+ kvm_vm_elf_load(vm, program_invocation_name, 0, 0);
+ vm_vcpu_add_default(vm, vcpuid, guest_code);
+--
+2.20.1
+
--- /dev/null
+From f814a74c2501910f198d748a47aa3f991541927c Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 14 May 2019 13:34:51 +0300
+Subject: KVM: selftests: Fix a condition in test_hv_cpuid()
+
+[ Upstream commit be7fcf1d1701a5266dd36eab4978476f63d1bd57 ]
+
+The code is trying to check that all the padding is zeroed out and it
+does this:
+
+ entry->padding[0] == entry->padding[1] == entry->padding[2] == 0
+
+Assume everything is zeroed correctly, then the first comparison is
+true, the next comparison is false and false is equal to zero so the
+overall condition is true. This bug doesn't affect run time very
+badly, but the code should instead just check that all three paddings
+are zero individually.
+
+Also the error message was copy and pasted from an earlier error and it
+wasn't correct.
+
+Fixes: 7edcb7343327 ("KVM: selftests: Add hyperv_cpuid test")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/kvm/x86_64/hyperv_cpuid.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/tools/testing/selftests/kvm/x86_64/hyperv_cpuid.c b/tools/testing/selftests/kvm/x86_64/hyperv_cpuid.c
+index 9a21e912097c..63b9fc3fdfbe 100644
+--- a/tools/testing/selftests/kvm/x86_64/hyperv_cpuid.c
++++ b/tools/testing/selftests/kvm/x86_64/hyperv_cpuid.c
+@@ -58,9 +58,8 @@ static void test_hv_cpuid(struct kvm_cpuid2 *hv_cpuid_entries,
+ TEST_ASSERT(entry->flags == 0,
+ ".flags field should be zero");
+
+- TEST_ASSERT(entry->padding[0] == entry->padding[1]
+- == entry->padding[2] == 0,
+- ".index field should be zero");
++ TEST_ASSERT(!entry->padding[0] && !entry->padding[1] &&
++ !entry->padding[2], "padding should be zero");
+
+ /*
+ * If needed for debug:
+--
+2.20.1
+
--- /dev/null
+From 0c21fa9d818d8514669278866fe214a06d7430fc Mon Sep 17 00:00:00 2001
+From: Yi Wang <wang.yi59@zte.com.cn>
+Date: Mon, 20 May 2019 12:27:47 +0800
+Subject: kvm: vmx: Fix -Wmissing-prototypes warnings
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 4d259965655c92053f3255aca14d81aab1e21219 ]
+
+We get a warning when build kernel W=1:
+arch/x86/kvm/vmx/vmx.c:6365:6: warning: no previous prototype for ‘vmx_update_host_rsp’ [-Wmissing-prototypes]
+ void vmx_update_host_rsp(struct vcpu_vmx *vmx, unsigned long host_rsp)
+
+Add the missing declaration to fix this.
+
+Signed-off-by: Yi Wang <wang.yi59@zte.com.cn>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/vmx/vmx.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h
+index f879529906b4..9cd72decdfe4 100644
+--- a/arch/x86/kvm/vmx/vmx.h
++++ b/arch/x86/kvm/vmx/vmx.h
+@@ -314,6 +314,7 @@ void vmx_set_nmi_mask(struct kvm_vcpu *vcpu, bool masked);
+ void vmx_set_virtual_apic_mode(struct kvm_vcpu *vcpu);
+ struct shared_msr_entry *find_msr_entry(struct vcpu_vmx *vmx, u32 msr);
+ void pt_update_intercept_for_msr(struct vcpu_vmx *vmx);
++void vmx_update_host_rsp(struct vcpu_vmx *vmx, unsigned long host_rsp);
+
+ #define POSTED_INTR_ON 0
+ #define POSTED_INTR_SN 1
+--
+2.20.1
+
--- /dev/null
+From c688492f62bfa80ecc3d2b966489ef2188bf166a Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 20 May 2019 15:34:35 +0200
+Subject: KVM: x86: do not spam dmesg with VMCS/VMCB dumps
+
+[ Upstream commit 6f2f84532c153d32a5e53b6083b06a3e24368d30 ]
+
+Userspace can easily set up invalid processor state in such a way that
+dmesg will be filled with VMCS or VMCB dumps. Disable this by default
+using a module parameter.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/svm.c | 9 ++++++++-
+ arch/x86/kvm/vmx/vmx.c | 26 +++++++++++++++++++-------
+ 2 files changed, 27 insertions(+), 8 deletions(-)
+
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
+index ae6e51828a54..aa3b77acfbf9 100644
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -379,6 +379,9 @@ module_param(vgif, int, 0444);
+ static int sev = IS_ENABLED(CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT);
+ module_param(sev, int, 0444);
+
++static bool __read_mostly dump_invalid_vmcb = 0;
++module_param(dump_invalid_vmcb, bool, 0644);
++
+ static u8 rsm_ins_bytes[] = "\x0f\xaa";
+
+ static void svm_set_cr0(struct kvm_vcpu *vcpu, unsigned long cr0);
+@@ -4834,6 +4837,11 @@ static void dump_vmcb(struct kvm_vcpu *vcpu)
+ struct vmcb_control_area *control = &svm->vmcb->control;
+ struct vmcb_save_area *save = &svm->vmcb->save;
+
++ if (!dump_invalid_vmcb) {
++ pr_warn_ratelimited("set kvm_amd.dump_invalid_vmcb=1 to dump internal KVM state.\n");
++ return;
++ }
++
+ pr_err("VMCB Control Area:\n");
+ pr_err("%-20s%04x\n", "cr_read:", control->intercept_cr & 0xffff);
+ pr_err("%-20s%04x\n", "cr_write:", control->intercept_cr >> 16);
+@@ -4992,7 +5000,6 @@ static int handle_exit(struct kvm_vcpu *vcpu)
+ kvm_run->exit_reason = KVM_EXIT_FAIL_ENTRY;
+ kvm_run->fail_entry.hardware_entry_failure_reason
+ = svm->vmcb->control.exit_code;
+- pr_err("KVM: FAILED VMRUN WITH VMCB:\n");
+ dump_vmcb(vcpu);
+ return 0;
+ }
+diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
+index 2b4a3d32c511..cfb8f1ec9a0a 100644
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -114,6 +114,9 @@ static u64 __read_mostly host_xss;
+ bool __read_mostly enable_pml = 1;
+ module_param_named(pml, enable_pml, bool, S_IRUGO);
+
++static bool __read_mostly dump_invalid_vmcs = 0;
++module_param(dump_invalid_vmcs, bool, 0644);
++
+ #define MSR_BITMAP_MODE_X2APIC 1
+ #define MSR_BITMAP_MODE_X2APIC_APICV 2
+
+@@ -5605,15 +5608,24 @@ static void vmx_dump_dtsel(char *name, uint32_t limit)
+
+ void dump_vmcs(void)
+ {
+- u32 vmentry_ctl = vmcs_read32(VM_ENTRY_CONTROLS);
+- u32 vmexit_ctl = vmcs_read32(VM_EXIT_CONTROLS);
+- u32 cpu_based_exec_ctrl = vmcs_read32(CPU_BASED_VM_EXEC_CONTROL);
+- u32 pin_based_exec_ctrl = vmcs_read32(PIN_BASED_VM_EXEC_CONTROL);
+- u32 secondary_exec_control = 0;
+- unsigned long cr4 = vmcs_readl(GUEST_CR4);
+- u64 efer = vmcs_read64(GUEST_IA32_EFER);
++ u32 vmentry_ctl, vmexit_ctl;
++ u32 cpu_based_exec_ctrl, pin_based_exec_ctrl, secondary_exec_control;
++ unsigned long cr4;
++ u64 efer;
+ int i, n;
+
++ if (!dump_invalid_vmcs) {
++ pr_warn_ratelimited("set kvm_intel.dump_invalid_vmcs=1 to dump internal KVM state.\n");
++ return;
++ }
++
++ vmentry_ctl = vmcs_read32(VM_ENTRY_CONTROLS);
++ vmexit_ctl = vmcs_read32(VM_EXIT_CONTROLS);
++ cpu_based_exec_ctrl = vmcs_read32(CPU_BASED_VM_EXEC_CONTROL);
++ pin_based_exec_ctrl = vmcs_read32(PIN_BASED_VM_EXEC_CONTROL);
++ cr4 = vmcs_readl(GUEST_CR4);
++ efer = vmcs_read64(GUEST_IA32_EFER);
++ secondary_exec_control = 0;
+ if (cpu_has_secondary_exec_ctrls())
+ secondary_exec_control = vmcs_read32(SECONDARY_VM_EXEC_CONTROL);
+
+--
+2.20.1
+
--- /dev/null
+From 95b64772e0b1538104a28356293609fb973b81b1 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 20 May 2019 17:34:30 +0200
+Subject: KVM: x86/pmu: do not mask the value that is written to fixed PMUs
+
+[ Upstream commit 2924b52117b2812e9633d5ea337333299166d373 ]
+
+According to the SDM, for MSR_IA32_PERFCTR0/1 "the lower-order 32 bits of
+each MSR may be written with any value, and the high-order 8 bits are
+sign-extended according to the value of bit 31", but the fixed counters
+in real hardware are limited to the width of the fixed counters ("bits
+beyond the width of the fixed-function counter are reserved and must be
+written as zeros"). Fix KVM to do the same.
+
+Reported-by: Nadav Amit <nadav.amit@gmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/vmx/pmu_intel.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx/pmu_intel.c b/arch/x86/kvm/vmx/pmu_intel.c
+index ad7ea81fbfbf..c3f103e2b08e 100644
+--- a/arch/x86/kvm/vmx/pmu_intel.c
++++ b/arch/x86/kvm/vmx/pmu_intel.c
+@@ -240,11 +240,14 @@ static int intel_pmu_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
+ }
+ break;
+ default:
+- if ((pmc = get_gp_pmc(pmu, msr, MSR_IA32_PERFCTR0)) ||
+- (pmc = get_fixed_pmc(pmu, msr))) {
+- if (!msr_info->host_initiated)
+- data = (s64)(s32)data;
+- pmc->counter += data - pmc_read_counter(pmc);
++ if ((pmc = get_gp_pmc(pmu, msr, MSR_IA32_PERFCTR0))) {
++ if (msr_info->host_initiated)
++ pmc->counter = data;
++ else
++ pmc->counter = (s32)data;
++ return 0;
++ } else if ((pmc = get_fixed_pmc(pmu, msr))) {
++ pmc->counter = data;
+ return 0;
+ } else if ((pmc = get_gp_pmc(pmu, msr, MSR_P6_EVNTSEL0))) {
+ if (data == pmc->eventsel)
+--
+2.20.1
+
--- /dev/null
+From fd822f8bf0f622639f35cb923e0bac6e43684c5e Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 20 May 2019 17:20:40 +0200
+Subject: KVM: x86/pmu: mask the result of rdpmc according to the width of the
+ counters
+
+[ Upstream commit 0e6f467ee28ec97f68c7b74e35ec1601bb1368a7 ]
+
+This patch will simplify the changes in the next, by enforcing the
+masking of the counters to RDPMC and RDMSR.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/pmu.c | 10 +++-------
+ arch/x86/kvm/pmu.h | 3 ++-
+ arch/x86/kvm/pmu_amd.c | 2 +-
+ arch/x86/kvm/vmx/pmu_intel.c | 13 +++++++++----
+ 4 files changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/arch/x86/kvm/pmu.c b/arch/x86/kvm/pmu.c
+index e39741997893..dd745b58ffd8 100644
+--- a/arch/x86/kvm/pmu.c
++++ b/arch/x86/kvm/pmu.c
+@@ -283,7 +283,7 @@ int kvm_pmu_rdpmc(struct kvm_vcpu *vcpu, unsigned idx, u64 *data)
+ bool fast_mode = idx & (1u << 31);
+ struct kvm_pmu *pmu = vcpu_to_pmu(vcpu);
+ struct kvm_pmc *pmc;
+- u64 ctr_val;
++ u64 mask = fast_mode ? ~0u : ~0ull;
+
+ if (!pmu->version)
+ return 1;
+@@ -291,15 +291,11 @@ int kvm_pmu_rdpmc(struct kvm_vcpu *vcpu, unsigned idx, u64 *data)
+ if (is_vmware_backdoor_pmc(idx))
+ return kvm_pmu_rdpmc_vmware(vcpu, idx, data);
+
+- pmc = kvm_x86_ops->pmu_ops->msr_idx_to_pmc(vcpu, idx);
++ pmc = kvm_x86_ops->pmu_ops->msr_idx_to_pmc(vcpu, idx, &mask);
+ if (!pmc)
+ return 1;
+
+- ctr_val = pmc_read_counter(pmc);
+- if (fast_mode)
+- ctr_val = (u32)ctr_val;
+-
+- *data = ctr_val;
++ *data = pmc_read_counter(pmc) & mask;
+ return 0;
+ }
+
+diff --git a/arch/x86/kvm/pmu.h b/arch/x86/kvm/pmu.h
+index ba8898e1a854..22dff661145a 100644
+--- a/arch/x86/kvm/pmu.h
++++ b/arch/x86/kvm/pmu.h
+@@ -25,7 +25,8 @@ struct kvm_pmu_ops {
+ unsigned (*find_fixed_event)(int idx);
+ bool (*pmc_is_enabled)(struct kvm_pmc *pmc);
+ struct kvm_pmc *(*pmc_idx_to_pmc)(struct kvm_pmu *pmu, int pmc_idx);
+- struct kvm_pmc *(*msr_idx_to_pmc)(struct kvm_vcpu *vcpu, unsigned idx);
++ struct kvm_pmc *(*msr_idx_to_pmc)(struct kvm_vcpu *vcpu, unsigned idx,
++ u64 *mask);
+ int (*is_valid_msr_idx)(struct kvm_vcpu *vcpu, unsigned idx);
+ bool (*is_valid_msr)(struct kvm_vcpu *vcpu, u32 msr);
+ int (*get_msr)(struct kvm_vcpu *vcpu, u32 msr, u64 *data);
+diff --git a/arch/x86/kvm/pmu_amd.c b/arch/x86/kvm/pmu_amd.c
+index 50fa9450fcf1..d3118088f1cd 100644
+--- a/arch/x86/kvm/pmu_amd.c
++++ b/arch/x86/kvm/pmu_amd.c
+@@ -186,7 +186,7 @@ static int amd_is_valid_msr_idx(struct kvm_vcpu *vcpu, unsigned idx)
+ }
+
+ /* idx is the ECX register of RDPMC instruction */
+-static struct kvm_pmc *amd_msr_idx_to_pmc(struct kvm_vcpu *vcpu, unsigned idx)
++static struct kvm_pmc *amd_msr_idx_to_pmc(struct kvm_vcpu *vcpu, unsigned idx, u64 *mask)
+ {
+ struct kvm_pmu *pmu = vcpu_to_pmu(vcpu);
+ struct kvm_pmc *counters;
+diff --git a/arch/x86/kvm/vmx/pmu_intel.c b/arch/x86/kvm/vmx/pmu_intel.c
+index 5ab4a364348e..ad7ea81fbfbf 100644
+--- a/arch/x86/kvm/vmx/pmu_intel.c
++++ b/arch/x86/kvm/vmx/pmu_intel.c
+@@ -126,7 +126,7 @@ static int intel_is_valid_msr_idx(struct kvm_vcpu *vcpu, unsigned idx)
+ }
+
+ static struct kvm_pmc *intel_msr_idx_to_pmc(struct kvm_vcpu *vcpu,
+- unsigned idx)
++ unsigned idx, u64 *mask)
+ {
+ struct kvm_pmu *pmu = vcpu_to_pmu(vcpu);
+ bool fixed = idx & (1u << 30);
+@@ -138,6 +138,7 @@ static struct kvm_pmc *intel_msr_idx_to_pmc(struct kvm_vcpu *vcpu,
+ if (fixed && idx >= pmu->nr_arch_fixed_counters)
+ return NULL;
+ counters = fixed ? pmu->fixed_counters : pmu->gp_counters;
++ *mask &= pmu->counter_bitmask[fixed ? KVM_PMC_FIXED : KVM_PMC_GP];
+
+ return &counters[idx];
+ }
+@@ -183,9 +184,13 @@ static int intel_pmu_get_msr(struct kvm_vcpu *vcpu, u32 msr, u64 *data)
+ *data = pmu->global_ovf_ctrl;
+ return 0;
+ default:
+- if ((pmc = get_gp_pmc(pmu, msr, MSR_IA32_PERFCTR0)) ||
+- (pmc = get_fixed_pmc(pmu, msr))) {
+- *data = pmc_read_counter(pmc);
++ if ((pmc = get_gp_pmc(pmu, msr, MSR_IA32_PERFCTR0))) {
++ u64 val = pmc_read_counter(pmc);
++ *data = val & pmu->counter_bitmask[KVM_PMC_GP];
++ return 0;
++ } else if ((pmc = get_fixed_pmc(pmu, msr))) {
++ u64 val = pmc_read_counter(pmc);
++ *data = val & pmu->counter_bitmask[KVM_PMC_FIXED];
+ return 0;
+ } else if ((pmc = get_gp_pmc(pmu, msr, MSR_P6_EVNTSEL0))) {
+ *data = pmc->eventsel;
+--
+2.20.1
+
--- /dev/null
+From bbbf480346b86f889617da1160063a74c69afa76 Mon Sep 17 00:00:00 2001
+From: Qian Cai <cai@lca.pw>
+Date: Thu, 16 May 2019 12:04:53 -0400
+Subject: libnvdimm: Fix compilation warnings with W=1
+
+[ Upstream commit c01dafad77fea8d64c4fdca0a6031c980842ad65 ]
+
+Several places (dimm_devs.c, core.c etc) include label.h but only
+label.c uses NSINDEX_SIGNATURE, so move its definition to label.c
+instead.
+
+In file included from drivers/nvdimm/dimm_devs.c:23:
+drivers/nvdimm/label.h:41:19: warning: 'NSINDEX_SIGNATURE' defined but
+not used [-Wunused-const-variable=]
+
+Also, some places abuse "/**" which is only reserved for the kernel-doc.
+
+drivers/nvdimm/bus.c:648: warning: cannot understand function prototype:
+'struct attribute_group nd_device_attribute_group = '
+drivers/nvdimm/bus.c:677: warning: cannot understand function prototype:
+'struct attribute_group nd_numa_attribute_group = '
+
+Those are just some member assignments for the "struct attribute_group"
+instances and it can't be expressed in the kernel-doc.
+
+Reviewed-by: Vishal Verma <vishal.l.verma@intel.com>
+Signed-off-by: Qian Cai <cai@lca.pw>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvdimm/bus.c | 4 ++--
+ drivers/nvdimm/label.c | 2 ++
+ drivers/nvdimm/label.h | 2 --
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/nvdimm/bus.c b/drivers/nvdimm/bus.c
+index 7bbff0af29b2..99d5892ea98a 100644
+--- a/drivers/nvdimm/bus.c
++++ b/drivers/nvdimm/bus.c
+@@ -642,7 +642,7 @@ static struct attribute *nd_device_attributes[] = {
+ NULL,
+ };
+
+-/**
++/*
+ * nd_device_attribute_group - generic attributes for all devices on an nd bus
+ */
+ struct attribute_group nd_device_attribute_group = {
+@@ -671,7 +671,7 @@ static umode_t nd_numa_attr_visible(struct kobject *kobj, struct attribute *a,
+ return a->mode;
+ }
+
+-/**
++/*
+ * nd_numa_attribute_group - NUMA attributes for all devices on an nd bus
+ */
+ struct attribute_group nd_numa_attribute_group = {
+diff --git a/drivers/nvdimm/label.c b/drivers/nvdimm/label.c
+index 2030805aa216..edf278067e72 100644
+--- a/drivers/nvdimm/label.c
++++ b/drivers/nvdimm/label.c
+@@ -25,6 +25,8 @@ static guid_t nvdimm_btt2_guid;
+ static guid_t nvdimm_pfn_guid;
+ static guid_t nvdimm_dax_guid;
+
++static const char NSINDEX_SIGNATURE[] = "NAMESPACE_INDEX\0";
++
+ static u32 best_seq(u32 a, u32 b)
+ {
+ a &= NSINDEX_SEQ_MASK;
+diff --git a/drivers/nvdimm/label.h b/drivers/nvdimm/label.h
+index e9a2ad3c2150..4bb7add39580 100644
+--- a/drivers/nvdimm/label.h
++++ b/drivers/nvdimm/label.h
+@@ -38,8 +38,6 @@ enum {
+ ND_NSINDEX_INIT = 0x1,
+ };
+
+-static const char NSINDEX_SIGNATURE[] = "NAMESPACE_INDEX\0";
+-
+ /**
+ * struct nd_namespace_index - label set superblock
+ * @sig: NAMESPACE_INDEX\0
+--
+2.20.1
+
--- /dev/null
+From 1c8d723db3d30a0a959ea31a1b390d044b49df16 Mon Sep 17 00:00:00 2001
+From: Luca Ceresoli <luca@lucaceresoli.net>
+Date: Tue, 14 May 2019 15:23:07 +0200
+Subject: net: macb: fix error format in dev_err()
+
+[ Upstream commit f413cbb332a0b5251a790f396d0eb4ebcade5dec ]
+
+Errors are negative numbers. Using %u shows them as very large positive
+numbers such as 4294967277 that don't make sense. Use the %d format
+instead, and get a much nicer -19.
+
+Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net>
+Fixes: b48e0bab142f ("net: macb: Migrate to devm clock interface")
+Fixes: 93b31f48b3ba ("net/macb: unify clock management")
+Fixes: 421d9df0628b ("net/macb: merge at91_ether driver into macb driver")
+Fixes: aead88bd0e99 ("net: ethernet: macb: Add support for rx_clk")
+Fixes: f5473d1d44e4 ("net: macb: Support clock management for tsu_clk")
+Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index a6535e226d84..d005ed12b4d1 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -3377,7 +3377,7 @@ static int macb_clk_init(struct platform_device *pdev, struct clk **pclk,
+ if (!err)
+ err = -ENODEV;
+
+- dev_err(&pdev->dev, "failed to get macb_clk (%u)\n", err);
++ dev_err(&pdev->dev, "failed to get macb_clk (%d)\n", err);
+ return err;
+ }
+
+@@ -3386,7 +3386,7 @@ static int macb_clk_init(struct platform_device *pdev, struct clk **pclk,
+ if (!err)
+ err = -ENODEV;
+
+- dev_err(&pdev->dev, "failed to get hclk (%u)\n", err);
++ dev_err(&pdev->dev, "failed to get hclk (%d)\n", err);
+ return err;
+ }
+
+@@ -3404,31 +3404,31 @@ static int macb_clk_init(struct platform_device *pdev, struct clk **pclk,
+
+ err = clk_prepare_enable(*pclk);
+ if (err) {
+- dev_err(&pdev->dev, "failed to enable pclk (%u)\n", err);
++ dev_err(&pdev->dev, "failed to enable pclk (%d)\n", err);
+ return err;
+ }
+
+ err = clk_prepare_enable(*hclk);
+ if (err) {
+- dev_err(&pdev->dev, "failed to enable hclk (%u)\n", err);
++ dev_err(&pdev->dev, "failed to enable hclk (%d)\n", err);
+ goto err_disable_pclk;
+ }
+
+ err = clk_prepare_enable(*tx_clk);
+ if (err) {
+- dev_err(&pdev->dev, "failed to enable tx_clk (%u)\n", err);
++ dev_err(&pdev->dev, "failed to enable tx_clk (%d)\n", err);
+ goto err_disable_hclk;
+ }
+
+ err = clk_prepare_enable(*rx_clk);
+ if (err) {
+- dev_err(&pdev->dev, "failed to enable rx_clk (%u)\n", err);
++ dev_err(&pdev->dev, "failed to enable rx_clk (%d)\n", err);
+ goto err_disable_txclk;
+ }
+
+ err = clk_prepare_enable(*tsu_clk);
+ if (err) {
+- dev_err(&pdev->dev, "failed to enable tsu_clk (%u)\n", err);
++ dev_err(&pdev->dev, "failed to enable tsu_clk (%d)\n", err);
+ goto err_disable_rxclk;
+ }
+
+@@ -3902,7 +3902,7 @@ static int at91ether_clk_init(struct platform_device *pdev, struct clk **pclk,
+
+ err = clk_prepare_enable(*pclk);
+ if (err) {
+- dev_err(&pdev->dev, "failed to enable pclk (%u)\n", err);
++ dev_err(&pdev->dev, "failed to enable pclk (%d)\n", err);
+ return err;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 8da0498a5a8d71bd1167254ec9175effbea92d6d Mon Sep 17 00:00:00 2001
+From: Yufen Yu <yuyufen@huawei.com>
+Date: Thu, 16 May 2019 19:30:07 -0700
+Subject: nvme: fix memory leak for power latency tolerance
+
+[ Upstream commit 510a405d945bc985abc513fafe45890cac34fafa ]
+
+Unconditionally hide device pm latency tolerance when uninitializing
+the controller to ensure all qos resources are released so that we're
+not leaking this memory. This is safe to call if none were allocated in
+the first place, or were previously freed.
+
+Fixes: c5552fde102fc("nvme: Enable autonomous power state transitions")
+Suggested-by: Keith Busch <keith.busch@intel.com>
+Tested-by: David Milburn <dmilburn@redhat.com>
+Signed-off-by: Yufen Yu <yuyufen@huawei.com>
+[changelog]
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 23c90382a515..35d2202ee2fd 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -3699,6 +3699,7 @@ EXPORT_SYMBOL_GPL(nvme_start_ctrl);
+
+ void nvme_uninit_ctrl(struct nvme_ctrl *ctrl)
+ {
++ dev_pm_qos_hide_latency_tolerance(ctrl->device);
+ cdev_device_del(&ctrl->cdev, ctrl->device);
+ }
+ EXPORT_SYMBOL_GPL(nvme_uninit_ctrl);
+--
+2.20.1
+
--- /dev/null
+From 5058ab089148342cfcee79ed39f01707e9747b32 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Fri, 17 May 2019 02:47:33 -0700
+Subject: nvme: fix srcu locking on error return in nvme_get_ns_from_disk
+
+[ Upstream commit 100c815cbd56480b3e31518475b04719c363614a ]
+
+If we can't get a namespace don't leak the SRCU lock. nvme_ioctl was
+working around this, but nvme_pr_command wasn't handling this properly.
+Just do what callers would usually expect.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Keith Busch <keith.busch@intel.com>
+Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 8782d86a8ca3..e29c395f44d2 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -1362,9 +1362,14 @@ static struct nvme_ns *nvme_get_ns_from_disk(struct gendisk *disk,
+ {
+ #ifdef CONFIG_NVME_MULTIPATH
+ if (disk->fops == &nvme_ns_head_ops) {
++ struct nvme_ns *ns;
++
+ *head = disk->private_data;
+ *srcu_idx = srcu_read_lock(&(*head)->srcu);
+- return nvme_find_path(*head);
++ ns = nvme_find_path(*head);
++ if (!ns)
++ srcu_read_unlock(&(*head)->srcu, *srcu_idx);
++ return ns;
+ }
+ #endif
+ *head = NULL;
+@@ -1411,9 +1416,9 @@ static int nvme_ioctl(struct block_device *bdev, fmode_t mode,
+
+ ns = nvme_get_ns_from_disk(bdev->bd_disk, &head, &srcu_idx);
+ if (unlikely(!ns))
+- ret = -EWOULDBLOCK;
+- else
+- ret = nvme_ns_ioctl(ns, cmd, arg);
++ return -EWOULDBLOCK;
++
++ ret = nvme_ns_ioctl(ns, cmd, arg);
+ nvme_put_ns_from_disk(head, srcu_idx);
+ return ret;
+ }
+--
+2.20.1
+
--- /dev/null
+From 3c525a2cb2cd69dda285dd8a7de0bf7a7d9e5038 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Fri, 17 May 2019 02:47:35 -0700
+Subject: nvme: merge nvme_ns_ioctl into nvme_ioctl
+
+[ Upstream commit 90ec611adcf20b96d0c2b7166497d53e4301a57f ]
+
+Merge the two functions to make future changes a little easier.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Keith Busch <keith.busch@intel.com>
+Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 47 ++++++++++++++++++++--------------------
+ 1 file changed, 24 insertions(+), 23 deletions(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index decc0b3a3854..8b77e6a05f4b 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -1383,32 +1383,11 @@ static void nvme_put_ns_from_disk(struct nvme_ns_head *head, int idx)
+ srcu_read_unlock(&head->srcu, idx);
+ }
+
+-static int nvme_ns_ioctl(struct nvme_ns *ns, unsigned cmd, unsigned long arg)
+-{
+- switch (cmd) {
+- case NVME_IOCTL_ID:
+- force_successful_syscall_return();
+- return ns->head->ns_id;
+- case NVME_IOCTL_ADMIN_CMD:
+- return nvme_user_cmd(ns->ctrl, NULL, (void __user *)arg);
+- case NVME_IOCTL_IO_CMD:
+- return nvme_user_cmd(ns->ctrl, ns, (void __user *)arg);
+- case NVME_IOCTL_SUBMIT_IO:
+- return nvme_submit_io(ns, (void __user *)arg);
+- default:
+- if (ns->ndev)
+- return nvme_nvm_ioctl(ns, cmd, arg);
+- if (is_sed_ioctl(cmd))
+- return sed_ioctl(ns->ctrl->opal_dev, cmd,
+- (void __user *) arg);
+- return -ENOTTY;
+- }
+-}
+-
+ static int nvme_ioctl(struct block_device *bdev, fmode_t mode,
+ unsigned int cmd, unsigned long arg)
+ {
+ struct nvme_ns_head *head = NULL;
++ void __user *argp = (void __user *)arg;
+ struct nvme_ns *ns;
+ int srcu_idx, ret;
+
+@@ -1416,7 +1395,29 @@ static int nvme_ioctl(struct block_device *bdev, fmode_t mode,
+ if (unlikely(!ns))
+ return -EWOULDBLOCK;
+
+- ret = nvme_ns_ioctl(ns, cmd, arg);
++ switch (cmd) {
++ case NVME_IOCTL_ID:
++ force_successful_syscall_return();
++ ret = ns->head->ns_id;
++ break;
++ case NVME_IOCTL_ADMIN_CMD:
++ ret = nvme_user_cmd(ns->ctrl, NULL, argp);
++ break;
++ case NVME_IOCTL_IO_CMD:
++ ret = nvme_user_cmd(ns->ctrl, ns, argp);
++ break;
++ case NVME_IOCTL_SUBMIT_IO:
++ ret = nvme_submit_io(ns, argp);
++ break;
++ default:
++ if (ns->ndev)
++ ret = nvme_nvm_ioctl(ns, cmd, arg);
++ else if (is_sed_ioctl(cmd))
++ ret = sed_ioctl(ns->ctrl->opal_dev, cmd, argp);
++ else
++ ret = -ENOTTY;
++ }
++
+ nvme_put_ns_from_disk(head, srcu_idx);
+ return ret;
+ }
+--
+2.20.1
+
--- /dev/null
+From 1884f20ae78c8129d6f332ac7e6b83da60beee1c Mon Sep 17 00:00:00 2001
+From: Keith Busch <keith.busch@intel.com>
+Date: Tue, 14 May 2019 14:07:38 -0600
+Subject: nvme-pci: Fix controller freeze wait disabling
+
+[ Upstream commit e43269e6e5c49d7fec599e6bba71963935b0e4ba ]
+
+If a controller disabling didn't start a freeze, don't wait for the
+operation to complete.
+
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 372d3f4a106a..f20da2e3da2c 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -2400,7 +2400,7 @@ static void nvme_pci_disable(struct nvme_dev *dev)
+
+ static void nvme_dev_disable(struct nvme_dev *dev, bool shutdown)
+ {
+- bool dead = true;
++ bool dead = true, freeze = false;
+ struct pci_dev *pdev = to_pci_dev(dev->dev);
+
+ mutex_lock(&dev->shutdown_lock);
+@@ -2408,8 +2408,10 @@ static void nvme_dev_disable(struct nvme_dev *dev, bool shutdown)
+ u32 csts = readl(dev->bar + NVME_REG_CSTS);
+
+ if (dev->ctrl.state == NVME_CTRL_LIVE ||
+- dev->ctrl.state == NVME_CTRL_RESETTING)
++ dev->ctrl.state == NVME_CTRL_RESETTING) {
++ freeze = true;
+ nvme_start_freeze(&dev->ctrl);
++ }
+ dead = !!((csts & NVME_CSTS_CFS) || !(csts & NVME_CSTS_RDY) ||
+ pdev->error_state != pci_channel_io_normal);
+ }
+@@ -2418,10 +2420,8 @@ static void nvme_dev_disable(struct nvme_dev *dev, bool shutdown)
+ * Give the controller a chance to complete all entered requests if
+ * doing a safe shutdown.
+ */
+- if (!dead) {
+- if (shutdown)
+- nvme_wait_freeze_timeout(&dev->ctrl, NVME_IO_TIMEOUT);
+- }
++ if (!dead && shutdown && freeze)
++ nvme_wait_freeze_timeout(&dev->ctrl, NVME_IO_TIMEOUT);
+
+ nvme_stop_queues(&dev->ctrl);
+
+--
+2.20.1
+
--- /dev/null
+From 252341c53dcf124dec4b843bef71b2476f397f69 Mon Sep 17 00:00:00 2001
+From: Keith Busch <keith.busch@intel.com>
+Date: Tue, 21 May 2019 10:56:43 -0600
+Subject: nvme-pci: use blk-mq mapping for unmanaged irqs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit cb9e0e5006064a807b5d722c7e3c42f307193792 ]
+
+If a device is providing a single IRQ vector, the IO queue will share
+that vector with the admin queue. This is an unmanaged vector, so does
+not have a valid PCI IRQ affinity. Avoid trying to extract a managed
+affinity in this case and let blk-mq set up the cpu:queue mapping instead.
+Otherwise we'd hit the following warning when the device is using MSI:
+
+ WARNING: CPU: 4 PID: 7 at drivers/pci/msi.c:1272 pci_irq_get_affinity+0x66/0x80
+ Modules linked in: nvme nvme_core serio_raw
+ CPU: 4 PID: 7 Comm: kworker/u16:0 Tainted: G W 5.2.0-rc1+ #494
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
+ Workqueue: nvme-reset-wq nvme_reset_work [nvme]
+ RIP: 0010:pci_irq_get_affinity+0x66/0x80
+ Code: 0b 31 c0 c3 83 e2 10 48 c7 c0 b0 83 35 91 74 2a 48 8b 87 d8 03 00 00 48 85 c0 74 0e 48 8b 50 30 48 85 d2 74 05 39 70 14 77 05 <0f> 0b 31 c0 c3 48 63 f6 48 8d 04 76 48 8d 04 c2 f3 c3 48 8b 40 30
+ RSP: 0000:ffffb5abc01d3cc8 EFLAGS: 00010246
+ RAX: ffff9536786a39c0 RBX: 0000000000000000 RCX: 0000000000000080
+ RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9536781ed000
+ RBP: ffff95367346a008 R08: ffff95367d43f080 R09: ffff953678c07800
+ R10: ffff953678164800 R11: 0000000000000000 R12: 0000000000000000
+ R13: ffff9536781ed000 R14: 00000000ffffffff R15: ffff95367346a008
+ FS: 0000000000000000(0000) GS:ffff95367d400000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007fdf814a3ff0 CR3: 000000001a20f000 CR4: 00000000000006e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Call Trace:
+ blk_mq_pci_map_queues+0x37/0xd0
+ nvme_pci_map_queues+0x80/0xb0 [nvme]
+ blk_mq_alloc_tag_set+0x133/0x2f0
+ nvme_reset_work+0x105d/0x1590 [nvme]
+ process_one_work+0x291/0x530
+ worker_thread+0x218/0x3d0
+ ? process_one_work+0x530/0x530
+ kthread+0x111/0x130
+ ? kthread_park+0x90/0x90
+ ret_from_fork+0x1f/0x30
+ ---[ end trace 74587339d93c83c0 ]---
+
+Fixes: 22b5560195bd6 ("nvme-pci: Separate IO and admin queue IRQ vectors")
+Reported-by: Iván Chavero <ichavero@chavero.com.mx>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index f20da2e3da2c..693f2a856200 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -500,7 +500,7 @@ static int nvme_pci_map_queues(struct blk_mq_tag_set *set)
+ * affinity), so use the regular blk-mq cpu mapping
+ */
+ map->queue_offset = qoff;
+- if (i != HCTX_TYPE_POLL)
++ if (i != HCTX_TYPE_POLL && offset)
+ blk_mq_pci_map_queues(map, to_pci_dev(dev->dev), offset);
+ else
+ blk_mq_map_queues(map);
+--
+2.20.1
+
--- /dev/null
+From c1e7f5043239b4a293a630b31a5f45bad1f37a4c Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Fri, 17 May 2019 11:47:36 +0200
+Subject: nvme: release namespace SRCU protection before performing controller
+ ioctls
+
+[ Upstream commit 5fb4aac756acacf260b9ebd88747251effa3a2f2 ]
+
+Holding the SRCU critical section protecting the namespace list can
+cause deadlocks when using the per-namespace admin passthrough ioctl to
+delete as namespace. Release it earlier when performing per-controller
+ioctls to avoid that.
+
+Reported-by: Kenneth Heitke <kenneth.heitke@intel.com>
+Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Reviewed-by: Keith Busch <keith.busch@intel.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 25 ++++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 8b77e6a05f4b..23c90382a515 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -1395,14 +1395,31 @@ static int nvme_ioctl(struct block_device *bdev, fmode_t mode,
+ if (unlikely(!ns))
+ return -EWOULDBLOCK;
+
++ /*
++ * Handle ioctls that apply to the controller instead of the namespace
++ * seperately and drop the ns SRCU reference early. This avoids a
++ * deadlock when deleting namespaces using the passthrough interface.
++ */
++ if (cmd == NVME_IOCTL_ADMIN_CMD || is_sed_ioctl(cmd)) {
++ struct nvme_ctrl *ctrl = ns->ctrl;
++
++ nvme_get_ctrl(ns->ctrl);
++ nvme_put_ns_from_disk(head, srcu_idx);
++
++ if (cmd == NVME_IOCTL_ADMIN_CMD)
++ ret = nvme_user_cmd(ctrl, NULL, argp);
++ else
++ ret = sed_ioctl(ctrl->opal_dev, cmd, argp);
++
++ nvme_put_ctrl(ctrl);
++ return ret;
++ }
++
+ switch (cmd) {
+ case NVME_IOCTL_ID:
+ force_successful_syscall_return();
+ ret = ns->head->ns_id;
+ break;
+- case NVME_IOCTL_ADMIN_CMD:
+- ret = nvme_user_cmd(ns->ctrl, NULL, argp);
+- break;
+ case NVME_IOCTL_IO_CMD:
+ ret = nvme_user_cmd(ns->ctrl, ns, argp);
+ break;
+@@ -1412,8 +1429,6 @@ static int nvme_ioctl(struct block_device *bdev, fmode_t mode,
+ default:
+ if (ns->ndev)
+ ret = nvme_nvm_ioctl(ns, cmd, arg);
+- else if (is_sed_ioctl(cmd))
+- ret = sed_ioctl(ns->ctrl->opal_dev, cmd, argp);
+ else
+ ret = -ENOTTY;
+ }
+--
+2.20.1
+
--- /dev/null
+From fad0c55be6b10fbe6b8ad9de9dd4062e8d6be137 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Fri, 17 May 2019 02:47:34 -0700
+Subject: nvme: remove the ifdef around nvme_nvm_ioctl
+
+[ Upstream commit 3f98bcc58cd5f1e4668db289dcab771874cc0920 ]
+
+We already have a proper stub if lightnvm is not enabled, so don't bother
+with the ifdef.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Keith Busch <keith.busch@intel.com>
+Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index e29c395f44d2..decc0b3a3854 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -1396,10 +1396,8 @@ static int nvme_ns_ioctl(struct nvme_ns *ns, unsigned cmd, unsigned long arg)
+ case NVME_IOCTL_SUBMIT_IO:
+ return nvme_submit_io(ns, (void __user *)arg);
+ default:
+-#ifdef CONFIG_NVM
+ if (ns->ndev)
+ return nvme_nvm_ioctl(ns, cmd, arg);
+-#endif
+ if (is_sed_ioctl(cmd))
+ return sed_ioctl(ns->ctrl->opal_dev, cmd,
+ (void __user *) arg);
+--
+2.20.1
+
--- /dev/null
+From 49e0607b7dd298fdb27cd5ad8e7f8dd81c5a5c08 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Mon, 29 Apr 2019 17:01:35 +0200
+Subject: platform/x86: pmc_atom: Add Lex 3I380D industrial PC to
+ critclk_systems DMI table
+
+[ Upstream commit 3d0818f5eba80fbe4c0addbfe6ddb2d19dc82cd4 ]
+
+The Lex 3I380D industrial PC has 4 ethernet controllers on board
+which need pmc_plt_clk0 - 3 to function, add it to the critclk_systems
+DMI table, so that drivers/clk/x86/clk-pmc-atom.c will mark the clocks
+as CLK_CRITICAL and they will not get turned off.
+
+Fixes: 648e921888ad ("clk: x86: Stop marking clocks as CLK_IS_CRITICAL")
+Reported-and-tested-by: Semyon Verchenko <semverchenko@factor-ts.ru>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/pmc_atom.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/platform/x86/pmc_atom.c b/drivers/platform/x86/pmc_atom.c
+index c7039f52ad51..a311f48ce7c9 100644
+--- a/drivers/platform/x86/pmc_atom.c
++++ b/drivers/platform/x86/pmc_atom.c
+@@ -398,12 +398,21 @@ static int pmc_dbgfs_register(struct pmc_dev *pmc)
+ */
+ static const struct dmi_system_id critclk_systems[] = {
+ {
++ /* pmc_plt_clk0 is used for an external HSIC USB HUB */
+ .ident = "MPL CEC1x",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "MPL AG"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "CEC10 Family"),
+ },
+ },
++ {
++ /* pmc_plt_clk0 - 3 are used for the 4 ethernet controllers */
++ .ident = "Lex 3I380D",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Lex BayTrail"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "3I380D"),
++ },
++ },
+ { /*sentinel*/ }
+ };
+
+--
+2.20.1
+
--- /dev/null
+From 3360ff253cbbb086387fd0288421a13144481d3e Mon Sep 17 00:00:00 2001
+From: Steffen Dirkwinkel <s.dirkwinkel@beckhoff.com>
+Date: Thu, 2 May 2019 15:03:51 +0200
+Subject: platform/x86: pmc_atom: Add several Beckhoff Automation boards to
+ critclk_systems DMI table
+
+[ Upstream commit d6423bd03031c020121da26c41a26bd5cc6d0da3 ]
+
+There are several Beckhoff Automation industrial PC boards which use
+pmc_plt_clk* clocks for ethernet controllers. This adds affected boards
+to critclk_systems DMI table so the clocks are marked as CLK_CRITICAL and
+not turned off.
+
+Fixes: 648e921888ad ("clk: x86: Stop marking clocks as CLK_IS_CRITICAL")
+Signed-off-by: Steffen Dirkwinkel <s.dirkwinkel@beckhoff.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/pmc_atom.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/drivers/platform/x86/pmc_atom.c b/drivers/platform/x86/pmc_atom.c
+index a311f48ce7c9..b1d804376237 100644
+--- a/drivers/platform/x86/pmc_atom.c
++++ b/drivers/platform/x86/pmc_atom.c
+@@ -413,6 +413,30 @@ static const struct dmi_system_id critclk_systems[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "3I380D"),
+ },
+ },
++ {
++ /* pmc_plt_clk* - are used for ethernet controllers */
++ .ident = "Beckhoff CB3163",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Beckhoff Automation"),
++ DMI_MATCH(DMI_BOARD_NAME, "CB3163"),
++ },
++ },
++ {
++ /* pmc_plt_clk* - are used for ethernet controllers */
++ .ident = "Beckhoff CB6263",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Beckhoff Automation"),
++ DMI_MATCH(DMI_BOARD_NAME, "CB6263"),
++ },
++ },
++ {
++ /* pmc_plt_clk* - are used for ethernet controllers */
++ .ident = "Beckhoff CB6363",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Beckhoff Automation"),
++ DMI_MATCH(DMI_BOARD_NAME, "CB6363"),
++ },
++ },
+ { /*sentinel*/ }
+ };
+
+--
+2.20.1
+
--- /dev/null
+From a40a52b3eae3d5b2cfcb6a3c1b48cde900928886 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 11 Apr 2019 19:58:32 +0200
+Subject: Revert "ALSA: seq: Protect in-kernel ioctl calls with mutex"
+
+[ Upstream commit f0654ba94e33699b295ce4f3dc73094db6209035 ]
+
+This reverts commit feb689025fbb6f0aa6297d3ddf97de945ea4ad32.
+
+The fix attempt was incorrect, leading to the mutex deadlock through
+the close of OSS sequencer client. The proper fix needs more
+consideration, so let's revert it now.
+
+Fixes: feb689025fbb ("ALSA: seq: Protect in-kernel ioctl calls with mutex")
+Reported-by: syzbot+47ded6c0f23016cde310@syzkaller.appspotmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/seq/seq_clientmgr.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
+index 8599f2937ac1..c99e1b77a45b 100644
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -2337,19 +2337,14 @@ int snd_seq_kernel_client_ctl(int clientid, unsigned int cmd, void *arg)
+ {
+ const struct ioctl_handler *handler;
+ struct snd_seq_client *client;
+- int err;
+
+ client = clientptr(clientid);
+ if (client == NULL)
+ return -ENXIO;
+
+ for (handler = ioctl_handlers; handler->cmd > 0; ++handler) {
+- if (handler->cmd == cmd) {
+- mutex_lock(&client->ioctl_mutex);
+- err = handler->func(client, arg);
+- mutex_unlock(&client->ioctl_mutex);
+- return err;
+- }
++ if (handler->cmd == cmd)
++ return handler->func(client, arg);
+ }
+
+ pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n",
+--
+2.20.1
+
--- /dev/null
+From 5aeafe74b65c7f410609364d3bc7053764db1485 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Sat, 4 May 2019 17:48:29 +0100
+Subject: scsi: bnx2fc: fix incorrect cast to u64 on shift operation
+
+[ Upstream commit d0c0d902339249c75da85fd9257a86cbb98dfaa5 ]
+
+Currently an int is being shifted and the result is being cast to a u64
+which leads to undefined behaviour if the shift is more than 31 bits. Fix
+this by casting the integer value 1 to u64 before the shift operation.
+
+Addresses-Coverity: ("Bad shift operation")
+Fixes: 7b594769120b ("[SCSI] bnx2fc: Handle REC_TOV error code from firmware")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Acked-by: Saurav Kashyap <skashyap@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/bnx2fc/bnx2fc_hwi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/bnx2fc/bnx2fc_hwi.c b/drivers/scsi/bnx2fc/bnx2fc_hwi.c
+index 039328d9ef13..30e6d78e82f0 100644
+--- a/drivers/scsi/bnx2fc/bnx2fc_hwi.c
++++ b/drivers/scsi/bnx2fc/bnx2fc_hwi.c
+@@ -830,7 +830,7 @@ ret_err_rqe:
+ ((u64)err_entry->data.err_warn_bitmap_hi << 32) |
+ (u64)err_entry->data.err_warn_bitmap_lo;
+ for (i = 0; i < BNX2FC_NUM_ERR_BITS; i++) {
+- if (err_warn_bit_map & (u64) (1 << i)) {
++ if (err_warn_bit_map & ((u64)1 << i)) {
+ err_warn = i;
+ break;
+ }
+--
+2.20.1
+
--- /dev/null
+From 6374cd0a53bb683cd84cbb822195a4ac585b979e Mon Sep 17 00:00:00 2001
+From: James Smart <jsmart2021@gmail.com>
+Date: Mon, 6 May 2019 17:26:49 -0700
+Subject: scsi: lpfc: add check for loss of ndlp when sending RRQ
+
+[ Upstream commit c8cb261a072c88ca1aff0e804a30db4c7606521b ]
+
+There was a missing qualification of a valid ndlp structure when calling to
+send an RRQ for an abort. Add the check.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Tested-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_els.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
+index fc077cb87900..965f8a1a8f67 100644
+--- a/drivers/scsi/lpfc/lpfc_els.c
++++ b/drivers/scsi/lpfc/lpfc_els.c
+@@ -7338,7 +7338,10 @@ int
+ lpfc_send_rrq(struct lpfc_hba *phba, struct lpfc_node_rrq *rrq)
+ {
+ struct lpfc_nodelist *ndlp = lpfc_findnode_did(rrq->vport,
+- rrq->nlp_DID);
++ rrq->nlp_DID);
++ if (!ndlp)
++ return 1;
++
+ if (lpfc_test_rrq_active(phba, ndlp, rrq->xritag))
+ return lpfc_issue_els_rrq(rrq->vport, ndlp,
+ rrq->nlp_DID, rrq);
+--
+2.20.1
+
--- /dev/null
+From 9450c00c32b3d1caf45e04ee6be409093cc1db06 Mon Sep 17 00:00:00 2001
+From: James Smart <jsmart2021@gmail.com>
+Date: Mon, 6 May 2019 17:26:48 -0700
+Subject: scsi: lpfc: correct rcu unlock issue in lpfc_nvme_info_show
+
+[ Upstream commit 79080d349f7f58a2e86c56043a3d04184d5f294a ]
+
+Many of the exit cases were not releasing the rcu read lock. Corrected the
+exit paths.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Tested-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_attr.c | 32 +++++++++++++++++++-------------
+ 1 file changed, 19 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_attr.c b/drivers/scsi/lpfc/lpfc_attr.c
+index f30cb0fb9a82..26a22e41204e 100644
+--- a/drivers/scsi/lpfc/lpfc_attr.c
++++ b/drivers/scsi/lpfc/lpfc_attr.c
+@@ -338,7 +338,7 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr,
+ phba->sli4_hba.io_xri_max,
+ lpfc_sli4_get_els_iocb_cnt(phba));
+ if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+
+ /* Port state is only one of two values for now. */
+ if (localport->port_id)
+@@ -354,7 +354,7 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr,
+ wwn_to_u64(vport->fc_nodename.u.wwn),
+ localport->port_id, statep);
+ if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+
+ list_for_each_entry(ndlp, &vport->fc_nodes, nlp_listp) {
+ nrport = NULL;
+@@ -381,39 +381,39 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr,
+
+ /* Tab in to show lport ownership. */
+ if (strlcat(buf, "NVME RPORT ", PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+ if (phba->brd_no >= 10) {
+ if (strlcat(buf, " ", PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+ }
+
+ scnprintf(tmp, sizeof(tmp), "WWPN x%llx ",
+ nrport->port_name);
+ if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+
+ scnprintf(tmp, sizeof(tmp), "WWNN x%llx ",
+ nrport->node_name);
+ if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+
+ scnprintf(tmp, sizeof(tmp), "DID x%06x ",
+ nrport->port_id);
+ if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+
+ /* An NVME rport can have multiple roles. */
+ if (nrport->port_role & FC_PORT_ROLE_NVME_INITIATOR) {
+ if (strlcat(buf, "INITIATOR ", PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+ }
+ if (nrport->port_role & FC_PORT_ROLE_NVME_TARGET) {
+ if (strlcat(buf, "TARGET ", PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+ }
+ if (nrport->port_role & FC_PORT_ROLE_NVME_DISCOVERY) {
+ if (strlcat(buf, "DISCSRVC ", PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+ }
+ if (nrport->port_role & ~(FC_PORT_ROLE_NVME_INITIATOR |
+ FC_PORT_ROLE_NVME_TARGET |
+@@ -421,12 +421,12 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr,
+ scnprintf(tmp, sizeof(tmp), "UNKNOWN ROLE x%x",
+ nrport->port_role);
+ if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+ }
+
+ scnprintf(tmp, sizeof(tmp), "%s\n", statep);
+ if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE)
+- goto buffer_done;
++ goto rcu_unlock_buf_done;
+ }
+ rcu_read_unlock();
+
+@@ -488,7 +488,13 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr,
+ atomic_read(&lport->cmpl_fcp_err));
+ strlcat(buf, tmp, PAGE_SIZE);
+
+-buffer_done:
++ /* RCU is already unlocked. */
++ goto buffer_done;
++
++ rcu_unlock_buf_done:
++ rcu_read_unlock();
++
++ buffer_done:
+ len = strnlen(buf, PAGE_SIZE);
+
+ if (unlikely(len >= (PAGE_SIZE - 1))) {
+--
+2.20.1
+
--- /dev/null
+From fb16da0c0b6d2b6da2bcfe1e6ff14a2c23bb770a Mon Sep 17 00:00:00 2001
+From: James Smart <jsmart2021@gmail.com>
+Date: Mon, 6 May 2019 17:26:47 -0700
+Subject: scsi: lpfc: resolve lockdep warnings
+
+[ Upstream commit e2a8be5696e706a2fce6edd11e5c74ce14cffec0 ]
+
+There were a number of erroneous comments and incorrect older lockdep
+checks that were causing a number of warnings.
+
+Resolve the following:
+
+ - Inconsistent lock state warnings in lpfc_nvme_info_show().
+
+ - Fixed comments and code on sequences where ring lock is now held instead
+ of hbalock.
+
+ - Reworked calling sequences around lpfc_sli_iocbq_lookup(). Rather than
+ locking prior to the routine and have routine guess on what lock, take
+ the lock within the routine. The lockdep check becomes unnecessary.
+
+ - Fixed comments and removed erroneous hbalock checks.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+CC: Bart Van Assche <bvanassche@acm.org>
+Tested-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_attr.c | 5 ++-
+ drivers/scsi/lpfc/lpfc_sli.c | 84 ++++++++++++++++++++++-------------
+ 2 files changed, 56 insertions(+), 33 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_attr.c b/drivers/scsi/lpfc/lpfc_attr.c
+index a09a742d7ec1..f30cb0fb9a82 100644
+--- a/drivers/scsi/lpfc/lpfc_attr.c
++++ b/drivers/scsi/lpfc/lpfc_attr.c
+@@ -159,6 +159,7 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr,
+ int i;
+ int len = 0;
+ char tmp[LPFC_MAX_NVME_INFO_TMP_LEN] = {0};
++ unsigned long iflags = 0;
+
+ if (!(vport->cfg_enable_fc4_type & LPFC_ENABLE_NVME)) {
+ len = scnprintf(buf, PAGE_SIZE, "NVME Disabled\n");
+@@ -357,11 +358,11 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr,
+
+ list_for_each_entry(ndlp, &vport->fc_nodes, nlp_listp) {
+ nrport = NULL;
+- spin_lock(&vport->phba->hbalock);
++ spin_lock_irqsave(&vport->phba->hbalock, iflags);
+ rport = lpfc_ndlp_get_nrport(ndlp);
+ if (rport)
+ nrport = rport->remoteport;
+- spin_unlock(&vport->phba->hbalock);
++ spin_unlock_irqrestore(&vport->phba->hbalock, iflags);
+ if (!nrport)
+ continue;
+
+diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
+index dc933b6d7800..363b21c4255e 100644
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -994,15 +994,14 @@ lpfc_cleanup_vports_rrqs(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp)
+ * @ndlp: Targets nodelist pointer for this exchange.
+ * @xritag the xri in the bitmap to test.
+ *
+- * This function is called with hbalock held. This function
+- * returns 0 = rrq not active for this xri
+- * 1 = rrq is valid for this xri.
++ * This function returns:
++ * 0 = rrq not active for this xri
++ * 1 = rrq is valid for this xri.
+ **/
+ int
+ lpfc_test_rrq_active(struct lpfc_hba *phba, struct lpfc_nodelist *ndlp,
+ uint16_t xritag)
+ {
+- lockdep_assert_held(&phba->hbalock);
+ if (!ndlp)
+ return 0;
+ if (!ndlp->active_rrqs_xri_bitmap)
+@@ -1105,10 +1104,11 @@ out:
+ * @phba: Pointer to HBA context object.
+ * @piocb: Pointer to the iocbq.
+ *
+- * This function is called with the ring lock held. This function
+- * gets a new driver sglq object from the sglq list. If the
+- * list is not empty then it is successful, it returns pointer to the newly
+- * allocated sglq object else it returns NULL.
++ * The driver calls this function with either the nvme ls ring lock
++ * or the fc els ring lock held depending on the iocb usage. This function
++ * gets a new driver sglq object from the sglq list. If the list is not empty
++ * then it is successful, it returns pointer to the newly allocated sglq
++ * object else it returns NULL.
+ **/
+ static struct lpfc_sglq *
+ __lpfc_sli_get_els_sglq(struct lpfc_hba *phba, struct lpfc_iocbq *piocbq)
+@@ -1118,9 +1118,15 @@ __lpfc_sli_get_els_sglq(struct lpfc_hba *phba, struct lpfc_iocbq *piocbq)
+ struct lpfc_sglq *start_sglq = NULL;
+ struct lpfc_io_buf *lpfc_cmd;
+ struct lpfc_nodelist *ndlp;
++ struct lpfc_sli_ring *pring = NULL;
+ int found = 0;
+
+- lockdep_assert_held(&phba->hbalock);
++ if (piocbq->iocb_flag & LPFC_IO_NVME_LS)
++ pring = phba->sli4_hba.nvmels_wq->pring;
++ else
++ pring = lpfc_phba_elsring(phba);
++
++ lockdep_assert_held(&pring->ring_lock);
+
+ if (piocbq->iocb_flag & LPFC_IO_FCP) {
+ lpfc_cmd = (struct lpfc_io_buf *) piocbq->context1;
+@@ -1563,7 +1569,8 @@ lpfc_sli_ring_map(struct lpfc_hba *phba)
+ * @pring: Pointer to driver SLI ring object.
+ * @piocb: Pointer to the driver iocb object.
+ *
+- * This function is called with hbalock held. The function adds the
++ * The driver calls this function with the hbalock held for SLI3 ports or
++ * the ring lock held for SLI4 ports. The function adds the
+ * new iocb to txcmplq of the given ring. This function always returns
+ * 0. If this function is called for ELS ring, this function checks if
+ * there is a vport associated with the ELS command. This function also
+@@ -1573,7 +1580,10 @@ static int
+ lpfc_sli_ringtxcmpl_put(struct lpfc_hba *phba, struct lpfc_sli_ring *pring,
+ struct lpfc_iocbq *piocb)
+ {
+- lockdep_assert_held(&phba->hbalock);
++ if (phba->sli_rev == LPFC_SLI_REV4)
++ lockdep_assert_held(&pring->ring_lock);
++ else
++ lockdep_assert_held(&phba->hbalock);
+
+ BUG_ON(!piocb);
+
+@@ -2970,8 +2980,8 @@ lpfc_sli_process_unsol_iocb(struct lpfc_hba *phba, struct lpfc_sli_ring *pring,
+ *
+ * This function looks up the iocb_lookup table to get the command iocb
+ * corresponding to the given response iocb using the iotag of the
+- * response iocb. This function is called with the hbalock held
+- * for sli3 devices or the ring_lock for sli4 devices.
++ * response iocb. The driver calls this function with the hbalock held
++ * for SLI3 ports or the ring lock held for SLI4 ports.
+ * This function returns the command iocb object if it finds the command
+ * iocb else returns NULL.
+ **/
+@@ -2982,8 +2992,15 @@ lpfc_sli_iocbq_lookup(struct lpfc_hba *phba,
+ {
+ struct lpfc_iocbq *cmd_iocb = NULL;
+ uint16_t iotag;
+- lockdep_assert_held(&phba->hbalock);
++ spinlock_t *temp_lock = NULL;
++ unsigned long iflag = 0;
+
++ if (phba->sli_rev == LPFC_SLI_REV4)
++ temp_lock = &pring->ring_lock;
++ else
++ temp_lock = &phba->hbalock;
++
++ spin_lock_irqsave(temp_lock, iflag);
+ iotag = prspiocb->iocb.ulpIoTag;
+
+ if (iotag != 0 && iotag <= phba->sli.last_iotag) {
+@@ -2993,10 +3010,12 @@ lpfc_sli_iocbq_lookup(struct lpfc_hba *phba,
+ list_del_init(&cmd_iocb->list);
+ cmd_iocb->iocb_flag &= ~LPFC_IO_ON_TXCMPLQ;
+ pring->txcmplq_cnt--;
++ spin_unlock_irqrestore(temp_lock, iflag);
+ return cmd_iocb;
+ }
+ }
+
++ spin_unlock_irqrestore(temp_lock, iflag);
+ lpfc_printf_log(phba, KERN_ERR, LOG_SLI,
+ "0317 iotag x%x is out of "
+ "range: max iotag x%x wd0 x%x\n",
+@@ -3012,8 +3031,8 @@ lpfc_sli_iocbq_lookup(struct lpfc_hba *phba,
+ * @iotag: IOCB tag.
+ *
+ * This function looks up the iocb_lookup table to get the command iocb
+- * corresponding to the given iotag. This function is called with the
+- * hbalock held.
++ * corresponding to the given iotag. The driver calls this function with
++ * the ring lock held because this function is an SLI4 port only helper.
+ * This function returns the command iocb object if it finds the command
+ * iocb else returns NULL.
+ **/
+@@ -3022,8 +3041,15 @@ lpfc_sli_iocbq_lookup_by_tag(struct lpfc_hba *phba,
+ struct lpfc_sli_ring *pring, uint16_t iotag)
+ {
+ struct lpfc_iocbq *cmd_iocb = NULL;
++ spinlock_t *temp_lock = NULL;
++ unsigned long iflag = 0;
+
+- lockdep_assert_held(&phba->hbalock);
++ if (phba->sli_rev == LPFC_SLI_REV4)
++ temp_lock = &pring->ring_lock;
++ else
++ temp_lock = &phba->hbalock;
++
++ spin_lock_irqsave(temp_lock, iflag);
+ if (iotag != 0 && iotag <= phba->sli.last_iotag) {
+ cmd_iocb = phba->sli.iocbq_lookup[iotag];
+ if (cmd_iocb->iocb_flag & LPFC_IO_ON_TXCMPLQ) {
+@@ -3031,10 +3057,12 @@ lpfc_sli_iocbq_lookup_by_tag(struct lpfc_hba *phba,
+ list_del_init(&cmd_iocb->list);
+ cmd_iocb->iocb_flag &= ~LPFC_IO_ON_TXCMPLQ;
+ pring->txcmplq_cnt--;
++ spin_unlock_irqrestore(temp_lock, iflag);
+ return cmd_iocb;
+ }
+ }
+
++ spin_unlock_irqrestore(temp_lock, iflag);
+ lpfc_printf_log(phba, KERN_ERR, LOG_SLI,
+ "0372 iotag x%x lookup error: max iotag (x%x) "
+ "iocb_flag x%x\n",
+@@ -3068,17 +3096,7 @@ lpfc_sli_process_sol_iocb(struct lpfc_hba *phba, struct lpfc_sli_ring *pring,
+ int rc = 1;
+ unsigned long iflag;
+
+- /* Based on the iotag field, get the cmd IOCB from the txcmplq */
+- if (phba->sli_rev == LPFC_SLI_REV4)
+- spin_lock_irqsave(&pring->ring_lock, iflag);
+- else
+- spin_lock_irqsave(&phba->hbalock, iflag);
+ cmdiocbp = lpfc_sli_iocbq_lookup(phba, pring, saveq);
+- if (phba->sli_rev == LPFC_SLI_REV4)
+- spin_unlock_irqrestore(&pring->ring_lock, iflag);
+- else
+- spin_unlock_irqrestore(&phba->hbalock, iflag);
+-
+ if (cmdiocbp) {
+ if (cmdiocbp->iocb_cmpl) {
+ /*
+@@ -3409,8 +3427,10 @@ lpfc_sli_handle_fast_ring_event(struct lpfc_hba *phba,
+ break;
+ }
+
++ spin_unlock_irqrestore(&phba->hbalock, iflag);
+ cmdiocbq = lpfc_sli_iocbq_lookup(phba, pring,
+ &rspiocbq);
++ spin_lock_irqsave(&phba->hbalock, iflag);
+ if (unlikely(!cmdiocbq))
+ break;
+ if (cmdiocbq->iocb_flag & LPFC_DRIVER_ABORTED)
+@@ -3604,9 +3624,12 @@ lpfc_sli_sp_handle_rspiocb(struct lpfc_hba *phba, struct lpfc_sli_ring *pring,
+
+ case LPFC_ABORT_IOCB:
+ cmdiocbp = NULL;
+- if (irsp->ulpCommand != CMD_XRI_ABORTED_CX)
++ if (irsp->ulpCommand != CMD_XRI_ABORTED_CX) {
++ spin_unlock_irqrestore(&phba->hbalock, iflag);
+ cmdiocbp = lpfc_sli_iocbq_lookup(phba, pring,
+ saveq);
++ spin_lock_irqsave(&phba->hbalock, iflag);
++ }
+ if (cmdiocbp) {
+ /* Call the specified completion routine */
+ if (cmdiocbp->iocb_cmpl) {
+@@ -13070,13 +13093,11 @@ lpfc_sli4_els_wcqe_to_rspiocbq(struct lpfc_hba *phba,
+ return NULL;
+
+ wcqe = &irspiocbq->cq_event.cqe.wcqe_cmpl;
+- spin_lock_irqsave(&pring->ring_lock, iflags);
+ pring->stats.iocb_event++;
+ /* Look up the ELS command IOCB and create pseudo response IOCB */
+ cmdiocbq = lpfc_sli_iocbq_lookup_by_tag(phba, pring,
+ bf_get(lpfc_wcqe_c_request_tag, wcqe));
+ if (unlikely(!cmdiocbq)) {
+- spin_unlock_irqrestore(&pring->ring_lock, iflags);
+ lpfc_printf_log(phba, KERN_WARNING, LOG_SLI,
+ "0386 ELS complete with no corresponding "
+ "cmdiocb: 0x%x 0x%x 0x%x 0x%x\n",
+@@ -13086,6 +13107,7 @@ lpfc_sli4_els_wcqe_to_rspiocbq(struct lpfc_hba *phba,
+ return NULL;
+ }
+
++ spin_lock_irqsave(&pring->ring_lock, iflags);
+ /* Put the iocb back on the txcmplq */
+ lpfc_sli_ringtxcmpl_put(phba, pring, cmdiocbq);
+ spin_unlock_irqrestore(&pring->ring_lock, iflags);
+@@ -13856,9 +13878,9 @@ lpfc_sli4_fp_handle_fcp_wcqe(struct lpfc_hba *phba, struct lpfc_queue *cq,
+ /* Look up the FCP command IOCB and create pseudo response IOCB */
+ spin_lock_irqsave(&pring->ring_lock, iflags);
+ pring->stats.iocb_event++;
++ spin_unlock_irqrestore(&pring->ring_lock, iflags);
+ cmdiocbq = lpfc_sli_iocbq_lookup_by_tag(phba, pring,
+ bf_get(lpfc_wcqe_c_request_tag, wcqe));
+- spin_unlock_irqrestore(&pring->ring_lock, iflags);
+ if (unlikely(!cmdiocbq)) {
+ lpfc_printf_log(phba, KERN_WARNING, LOG_SLI,
+ "0374 FCP complete with no corresponding "
+--
+2.20.1
+
--- /dev/null
+From cf93ad1324675537b092a0d006572c1e137c5f38 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Thu, 9 May 2019 23:22:47 +0800
+Subject: scsi: myrs: Fix uninitialized variable
+
+[ Upstream commit 41552199b5518fe26bee0829a28dd1880441b430 ]
+
+drivers/scsi/myrs.c: In function 'myrs_log_event':
+drivers/scsi/myrs.c:821:24: warning: 'sshdr.sense_key' may be used uninitialized in this function [-Wmaybe-uninitialized]
+ struct scsi_sense_hdr sshdr;
+
+If ev->ev_code is not 0x1C, sshdr.sense_key may be used uninitialized. Fix
+this by initializing variable 'sshdr' to 0.
+
+Fixes: 77266186397c ("scsi: myrs: Add Mylex RAID controller (SCSI interface)")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/myrs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/myrs.c b/drivers/scsi/myrs.c
+index b8d54ef8cf6d..eb0dd566330a 100644
+--- a/drivers/scsi/myrs.c
++++ b/drivers/scsi/myrs.c
+@@ -818,7 +818,7 @@ static void myrs_log_event(struct myrs_hba *cs, struct myrs_event *ev)
+ unsigned char ev_type, *ev_msg;
+ struct Scsi_Host *shost = cs->host;
+ struct scsi_device *sdev;
+- struct scsi_sense_hdr sshdr;
++ struct scsi_sense_hdr sshdr = {0};
+ unsigned char sense_info[4];
+ unsigned char cmd_specific[4];
+
+--
+2.20.1
+
--- /dev/null
+From 1c3122db53825b4f335d77d9eefe54ed88bf9007 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Sat, 20 Apr 2019 12:05:54 +0800
+Subject: scsi: qedi: remove memset/memcpy to nfunc and use func instead
+
+[ Upstream commit c09581a52765a85f19fc35340127396d5e3379cc ]
+
+KASAN reports this:
+
+BUG: KASAN: global-out-of-bounds in qedi_dbg_err+0xda/0x330 [qedi]
+Read of size 31 at addr ffffffffc12b0ae0 by task syz-executor.0/2429
+
+CPU: 0 PID: 2429 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xfa/0x1ce lib/dump_stack.c:113
+ print_address_description+0x1c4/0x270 mm/kasan/report.c:187
+ kasan_report+0x149/0x18d mm/kasan/report.c:317
+ memcpy+0x1f/0x50 mm/kasan/common.c:130
+ qedi_dbg_err+0xda/0x330 [qedi]
+ ? 0xffffffffc12d0000
+ qedi_init+0x118/0x1000 [qedi]
+ ? 0xffffffffc12d0000
+ ? 0xffffffffc12d0000
+ ? 0xffffffffc12d0000
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f2d57e55c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+RAX: ffffffffffffffda RBX: 000000000073bfa0 RCX: 0000000000462e99
+RDX: 0000000000000000 RSI: 00000000200003c0 RDI: 0000000000000003
+RBP: 00007f2d57e55c70 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f2d57e566bc
+R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004
+
+The buggy address belongs to the variable:
+ __func__.67584+0x0/0xffffffffffffd520 [qedi]
+
+Memory state around the buggy address:
+ ffffffffc12b0980: fa fa fa fa 00 04 fa fa fa fa fa fa 00 00 05 fa
+ ffffffffc12b0a00: fa fa fa fa 00 00 04 fa fa fa fa fa 00 05 fa fa
+> ffffffffc12b0a80: fa fa fa fa 00 06 fa fa fa fa fa fa 00 02 fa fa
+ ^
+ ffffffffc12b0b00: fa fa fa fa 00 00 04 fa fa fa fa fa 00 00 03 fa
+ ffffffffc12b0b80: fa fa fa fa 00 00 02 fa fa fa fa fa 00 00 04 fa
+
+Currently the qedi_dbg_* family of functions can overrun the end of the
+source string if it is less than the destination buffer length because of
+the use of a fixed sized memcpy. Remove the memset/memcpy calls to nfunc
+and just use func instead as it is always a null terminated string.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: ace7f46ba5fd ("scsi: qedi: Add QLogic FastLinQ offload iSCSI driver framework.")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qedi/qedi_dbg.c | 32 ++++++++------------------------
+ 1 file changed, 8 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/scsi/qedi/qedi_dbg.c b/drivers/scsi/qedi/qedi_dbg.c
+index 8fd28b056f73..3383314a3882 100644
+--- a/drivers/scsi/qedi/qedi_dbg.c
++++ b/drivers/scsi/qedi/qedi_dbg.c
+@@ -16,10 +16,6 @@ qedi_dbg_err(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
+ {
+ va_list va;
+ struct va_format vaf;
+- char nfunc[32];
+-
+- memset(nfunc, 0, sizeof(nfunc));
+- memcpy(nfunc, func, sizeof(nfunc) - 1);
+
+ va_start(va, fmt);
+
+@@ -28,9 +24,9 @@ qedi_dbg_err(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
+
+ if (likely(qedi) && likely(qedi->pdev))
+ pr_err("[%s]:[%s:%d]:%d: %pV", dev_name(&qedi->pdev->dev),
+- nfunc, line, qedi->host_no, &vaf);
++ func, line, qedi->host_no, &vaf);
+ else
+- pr_err("[0000:00:00.0]:[%s:%d]: %pV", nfunc, line, &vaf);
++ pr_err("[0000:00:00.0]:[%s:%d]: %pV", func, line, &vaf);
+
+ va_end(va);
+ }
+@@ -41,10 +37,6 @@ qedi_dbg_warn(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
+ {
+ va_list va;
+ struct va_format vaf;
+- char nfunc[32];
+-
+- memset(nfunc, 0, sizeof(nfunc));
+- memcpy(nfunc, func, sizeof(nfunc) - 1);
+
+ va_start(va, fmt);
+
+@@ -56,9 +48,9 @@ qedi_dbg_warn(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
+
+ if (likely(qedi) && likely(qedi->pdev))
+ pr_warn("[%s]:[%s:%d]:%d: %pV", dev_name(&qedi->pdev->dev),
+- nfunc, line, qedi->host_no, &vaf);
++ func, line, qedi->host_no, &vaf);
+ else
+- pr_warn("[0000:00:00.0]:[%s:%d]: %pV", nfunc, line, &vaf);
++ pr_warn("[0000:00:00.0]:[%s:%d]: %pV", func, line, &vaf);
+
+ ret:
+ va_end(va);
+@@ -70,10 +62,6 @@ qedi_dbg_notice(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
+ {
+ va_list va;
+ struct va_format vaf;
+- char nfunc[32];
+-
+- memset(nfunc, 0, sizeof(nfunc));
+- memcpy(nfunc, func, sizeof(nfunc) - 1);
+
+ va_start(va, fmt);
+
+@@ -85,10 +73,10 @@ qedi_dbg_notice(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
+
+ if (likely(qedi) && likely(qedi->pdev))
+ pr_notice("[%s]:[%s:%d]:%d: %pV",
+- dev_name(&qedi->pdev->dev), nfunc, line,
++ dev_name(&qedi->pdev->dev), func, line,
+ qedi->host_no, &vaf);
+ else
+- pr_notice("[0000:00:00.0]:[%s:%d]: %pV", nfunc, line, &vaf);
++ pr_notice("[0000:00:00.0]:[%s:%d]: %pV", func, line, &vaf);
+
+ ret:
+ va_end(va);
+@@ -100,10 +88,6 @@ qedi_dbg_info(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
+ {
+ va_list va;
+ struct va_format vaf;
+- char nfunc[32];
+-
+- memset(nfunc, 0, sizeof(nfunc));
+- memcpy(nfunc, func, sizeof(nfunc) - 1);
+
+ va_start(va, fmt);
+
+@@ -115,9 +99,9 @@ qedi_dbg_info(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
+
+ if (likely(qedi) && likely(qedi->pdev))
+ pr_info("[%s]:[%s:%d]:%d: %pV", dev_name(&qedi->pdev->dev),
+- nfunc, line, qedi->host_no, &vaf);
++ func, line, qedi->host_no, &vaf);
+ else
+- pr_info("[0000:00:00.0]:[%s:%d]: %pV", nfunc, line, &vaf);
++ pr_info("[0000:00:00.0]:[%s:%d]: %pV", func, line, &vaf);
+
+ ret:
+ va_end(va);
+--
+2.20.1
+
--- /dev/null
+From a4d4c4b3241def444cc45f573d3d912c81053e21 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Wed, 24 Apr 2019 16:02:56 +0800
+Subject: scsi: qedi: remove set but not used variables 'cdev' and 'udev'
+
+[ Upstream commit d0adee5d12752256ff0c87ad7f002f21fe49d618 ]
+
+Fixes gcc '-Wunused-but-set-variable' warning:
+
+drivers/scsi/qedi/qedi_iscsi.c: In function 'qedi_ep_connect':
+drivers/scsi/qedi/qedi_iscsi.c:813:23: warning: variable 'udev' set but not used [-Wunused-but-set-variable]
+drivers/scsi/qedi/qedi_iscsi.c:812:18: warning: variable 'cdev' set but not used [-Wunused-but-set-variable]
+
+These have never been used since introduction.
+
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Acked-by: Manish Rangankar <mrangankar@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qedi/qedi_iscsi.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/scsi/qedi/qedi_iscsi.c b/drivers/scsi/qedi/qedi_iscsi.c
+index bf371e7b957d..c3d0d246df14 100644
+--- a/drivers/scsi/qedi/qedi_iscsi.c
++++ b/drivers/scsi/qedi/qedi_iscsi.c
+@@ -809,8 +809,6 @@ qedi_ep_connect(struct Scsi_Host *shost, struct sockaddr *dst_addr,
+ struct qedi_endpoint *qedi_ep;
+ struct sockaddr_in *addr;
+ struct sockaddr_in6 *addr6;
+- struct qed_dev *cdev = NULL;
+- struct qedi_uio_dev *udev = NULL;
+ struct iscsi_path path_req;
+ u32 msg_type = ISCSI_KEVENT_IF_DOWN;
+ u32 iscsi_cid = QEDI_CID_RESERVED;
+@@ -830,8 +828,6 @@ qedi_ep_connect(struct Scsi_Host *shost, struct sockaddr *dst_addr,
+ }
+
+ qedi = iscsi_host_priv(shost);
+- cdev = qedi->cdev;
+- udev = qedi->udev;
+
+ if (test_bit(QEDI_IN_OFFLINE, &qedi->flags) ||
+ test_bit(QEDI_IN_RECOVERY, &qedi->flags)) {
+--
+2.20.1
+
--- /dev/null
+From 4c6dac87cc65532fcc5d4ada82aaa7bfb3f582fc Mon Sep 17 00:00:00 2001
+From: Quinn Tran <qutran@marvell.com>
+Date: Mon, 6 May 2019 13:52:19 -0700
+Subject: scsi: qla2xxx: Add cleanup for PCI EEH recovery
+
+[ Upstream commit 5386a4e6c7fecd282d265a24d930a74ba3c5917b ]
+
+During EEH error recovery testing it was discovered that driver's reset()
+callback partially frees resources used by driver, leaving some stale
+memory. After reset() is done and when resume() callback in driver uses
+old data which results into error leaving adapter disabled due to PCIe
+error.
+
+This patch does cleanup for EEH recovery code path and prevents adapter
+from getting disabled.
+
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Himanshu Madhani <hmadhani@marvell.com>
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_os.c | 221 +++++++++++++---------------------
+ 1 file changed, 82 insertions(+), 139 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
+index 91f576d743fe..d377e50a6c19 100644
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -6838,6 +6838,78 @@ qla2x00_release_firmware(void)
+ mutex_unlock(&qla_fw_lock);
+ }
+
++static void qla_pci_error_cleanup(scsi_qla_host_t *vha)
++{
++ struct qla_hw_data *ha = vha->hw;
++ scsi_qla_host_t *base_vha = pci_get_drvdata(ha->pdev);
++ struct qla_qpair *qpair = NULL;
++ struct scsi_qla_host *vp;
++ fc_port_t *fcport;
++ int i;
++ unsigned long flags;
++
++ ha->chip_reset++;
++
++ ha->base_qpair->chip_reset = ha->chip_reset;
++ for (i = 0; i < ha->max_qpairs; i++) {
++ if (ha->queue_pair_map[i])
++ ha->queue_pair_map[i]->chip_reset =
++ ha->base_qpair->chip_reset;
++ }
++
++ /* purge MBox commands */
++ if (atomic_read(&ha->num_pend_mbx_stage3)) {
++ clear_bit(MBX_INTR_WAIT, &ha->mbx_cmd_flags);
++ complete(&ha->mbx_intr_comp);
++ }
++
++ i = 0;
++
++ while (atomic_read(&ha->num_pend_mbx_stage3) ||
++ atomic_read(&ha->num_pend_mbx_stage2) ||
++ atomic_read(&ha->num_pend_mbx_stage1)) {
++ msleep(20);
++ i++;
++ if (i > 50)
++ break;
++ }
++
++ ha->flags.purge_mbox = 0;
++
++ mutex_lock(&ha->mq_lock);
++ list_for_each_entry(qpair, &base_vha->qp_list, qp_list_elem)
++ qpair->online = 0;
++ mutex_unlock(&ha->mq_lock);
++
++ qla2x00_mark_all_devices_lost(vha, 0);
++
++ spin_lock_irqsave(&ha->vport_slock, flags);
++ list_for_each_entry(vp, &ha->vp_list, list) {
++ atomic_inc(&vp->vref_count);
++ spin_unlock_irqrestore(&ha->vport_slock, flags);
++ qla2x00_mark_all_devices_lost(vp, 0);
++ spin_lock_irqsave(&ha->vport_slock, flags);
++ atomic_dec(&vp->vref_count);
++ }
++ spin_unlock_irqrestore(&ha->vport_slock, flags);
++
++ /* Clear all async request states across all VPs. */
++ list_for_each_entry(fcport, &vha->vp_fcports, list)
++ fcport->flags &= ~(FCF_LOGIN_NEEDED | FCF_ASYNC_SENT);
++
++ spin_lock_irqsave(&ha->vport_slock, flags);
++ list_for_each_entry(vp, &ha->vp_list, list) {
++ atomic_inc(&vp->vref_count);
++ spin_unlock_irqrestore(&ha->vport_slock, flags);
++ list_for_each_entry(fcport, &vp->vp_fcports, list)
++ fcport->flags &= ~(FCF_LOGIN_NEEDED | FCF_ASYNC_SENT);
++ spin_lock_irqsave(&ha->vport_slock, flags);
++ atomic_dec(&vp->vref_count);
++ }
++ spin_unlock_irqrestore(&ha->vport_slock, flags);
++}
++
++
+ static pci_ers_result_t
+ qla2xxx_pci_error_detected(struct pci_dev *pdev, pci_channel_state_t state)
+ {
+@@ -6863,20 +6935,7 @@ qla2xxx_pci_error_detected(struct pci_dev *pdev, pci_channel_state_t state)
+ return PCI_ERS_RESULT_CAN_RECOVER;
+ case pci_channel_io_frozen:
+ ha->flags.eeh_busy = 1;
+- /* For ISP82XX complete any pending mailbox cmd */
+- if (IS_QLA82XX(ha)) {
+- ha->flags.isp82xx_fw_hung = 1;
+- ql_dbg(ql_dbg_aer, vha, 0x9001, "Pci channel io frozen\n");
+- qla82xx_clear_pending_mbx(vha);
+- }
+- qla2x00_free_irqs(vha);
+- pci_disable_device(pdev);
+- /* Return back all IOs */
+- qla2x00_abort_all_cmds(vha, DID_RESET << 16);
+- if (ql2xmqsupport || ql2xnvmeenable) {
+- set_bit(QPAIR_ONLINE_CHECK_NEEDED, &vha->dpc_flags);
+- qla2xxx_wake_dpc(vha);
+- }
++ qla_pci_error_cleanup(vha);
+ return PCI_ERS_RESULT_NEED_RESET;
+ case pci_channel_io_perm_failure:
+ ha->flags.pci_channel_io_perm_failure = 1;
+@@ -6930,122 +6989,14 @@ qla2xxx_pci_mmio_enabled(struct pci_dev *pdev)
+ return PCI_ERS_RESULT_RECOVERED;
+ }
+
+-static uint32_t
+-qla82xx_error_recovery(scsi_qla_host_t *base_vha)
+-{
+- uint32_t rval = QLA_FUNCTION_FAILED;
+- uint32_t drv_active = 0;
+- struct qla_hw_data *ha = base_vha->hw;
+- int fn;
+- struct pci_dev *other_pdev = NULL;
+-
+- ql_dbg(ql_dbg_aer, base_vha, 0x9006,
+- "Entered %s.\n", __func__);
+-
+- set_bit(ABORT_ISP_ACTIVE, &base_vha->dpc_flags);
+-
+- if (base_vha->flags.online) {
+- /* Abort all outstanding commands,
+- * so as to be requeued later */
+- qla2x00_abort_isp_cleanup(base_vha);
+- }
+-
+-
+- fn = PCI_FUNC(ha->pdev->devfn);
+- while (fn > 0) {
+- fn--;
+- ql_dbg(ql_dbg_aer, base_vha, 0x9007,
+- "Finding pci device at function = 0x%x.\n", fn);
+- other_pdev =
+- pci_get_domain_bus_and_slot(pci_domain_nr(ha->pdev->bus),
+- ha->pdev->bus->number, PCI_DEVFN(PCI_SLOT(ha->pdev->devfn),
+- fn));
+-
+- if (!other_pdev)
+- continue;
+- if (atomic_read(&other_pdev->enable_cnt)) {
+- ql_dbg(ql_dbg_aer, base_vha, 0x9008,
+- "Found PCI func available and enable at 0x%x.\n",
+- fn);
+- pci_dev_put(other_pdev);
+- break;
+- }
+- pci_dev_put(other_pdev);
+- }
+-
+- if (!fn) {
+- /* Reset owner */
+- ql_dbg(ql_dbg_aer, base_vha, 0x9009,
+- "This devfn is reset owner = 0x%x.\n",
+- ha->pdev->devfn);
+- qla82xx_idc_lock(ha);
+-
+- qla82xx_wr_32(ha, QLA82XX_CRB_DEV_STATE,
+- QLA8XXX_DEV_INITIALIZING);
+-
+- qla82xx_wr_32(ha, QLA82XX_CRB_DRV_IDC_VERSION,
+- QLA82XX_IDC_VERSION);
+-
+- drv_active = qla82xx_rd_32(ha, QLA82XX_CRB_DRV_ACTIVE);
+- ql_dbg(ql_dbg_aer, base_vha, 0x900a,
+- "drv_active = 0x%x.\n", drv_active);
+-
+- qla82xx_idc_unlock(ha);
+- /* Reset if device is not already reset
+- * drv_active would be 0 if a reset has already been done
+- */
+- if (drv_active)
+- rval = qla82xx_start_firmware(base_vha);
+- else
+- rval = QLA_SUCCESS;
+- qla82xx_idc_lock(ha);
+-
+- if (rval != QLA_SUCCESS) {
+- ql_log(ql_log_info, base_vha, 0x900b,
+- "HW State: FAILED.\n");
+- qla82xx_clear_drv_active(ha);
+- qla82xx_wr_32(ha, QLA82XX_CRB_DEV_STATE,
+- QLA8XXX_DEV_FAILED);
+- } else {
+- ql_log(ql_log_info, base_vha, 0x900c,
+- "HW State: READY.\n");
+- qla82xx_wr_32(ha, QLA82XX_CRB_DEV_STATE,
+- QLA8XXX_DEV_READY);
+- qla82xx_idc_unlock(ha);
+- ha->flags.isp82xx_fw_hung = 0;
+- rval = qla82xx_restart_isp(base_vha);
+- qla82xx_idc_lock(ha);
+- /* Clear driver state register */
+- qla82xx_wr_32(ha, QLA82XX_CRB_DRV_STATE, 0);
+- qla82xx_set_drv_active(base_vha);
+- }
+- qla82xx_idc_unlock(ha);
+- } else {
+- ql_dbg(ql_dbg_aer, base_vha, 0x900d,
+- "This devfn is not reset owner = 0x%x.\n",
+- ha->pdev->devfn);
+- if ((qla82xx_rd_32(ha, QLA82XX_CRB_DEV_STATE) ==
+- QLA8XXX_DEV_READY)) {
+- ha->flags.isp82xx_fw_hung = 0;
+- rval = qla82xx_restart_isp(base_vha);
+- qla82xx_idc_lock(ha);
+- qla82xx_set_drv_active(base_vha);
+- qla82xx_idc_unlock(ha);
+- }
+- }
+- clear_bit(ABORT_ISP_ACTIVE, &base_vha->dpc_flags);
+-
+- return rval;
+-}
+-
+ static pci_ers_result_t
+ qla2xxx_pci_slot_reset(struct pci_dev *pdev)
+ {
+ pci_ers_result_t ret = PCI_ERS_RESULT_DISCONNECT;
+ scsi_qla_host_t *base_vha = pci_get_drvdata(pdev);
+ struct qla_hw_data *ha = base_vha->hw;
+- struct rsp_que *rsp;
+- int rc, retries = 10;
++ int rc;
++ struct qla_qpair *qpair = NULL;
+
+ ql_dbg(ql_dbg_aer, base_vha, 0x9004,
+ "Slot Reset.\n");
+@@ -7074,24 +7025,16 @@ qla2xxx_pci_slot_reset(struct pci_dev *pdev)
+ goto exit_slot_reset;
+ }
+
+- rsp = ha->rsp_q_map[0];
+- if (qla2x00_request_irqs(ha, rsp))
+- goto exit_slot_reset;
+
+ if (ha->isp_ops->pci_config(base_vha))
+ goto exit_slot_reset;
+
+- if (IS_QLA82XX(ha)) {
+- if (qla82xx_error_recovery(base_vha) == QLA_SUCCESS) {
+- ret = PCI_ERS_RESULT_RECOVERED;
+- goto exit_slot_reset;
+- } else
+- goto exit_slot_reset;
+- }
+-
+- while (ha->flags.mbox_busy && retries--)
+- msleep(1000);
++ mutex_lock(&ha->mq_lock);
++ list_for_each_entry(qpair, &base_vha->qp_list, qp_list_elem)
++ qpair->online = 1;
++ mutex_unlock(&ha->mq_lock);
+
++ base_vha->flags.online = 1;
+ set_bit(ABORT_ISP_ACTIVE, &base_vha->dpc_flags);
+ if (ha->isp_ops->abort_isp(base_vha) == QLA_SUCCESS)
+ ret = PCI_ERS_RESULT_RECOVERED;
+@@ -7115,13 +7058,13 @@ qla2xxx_pci_resume(struct pci_dev *pdev)
+ ql_dbg(ql_dbg_aer, base_vha, 0x900f,
+ "pci_resume.\n");
+
++ ha->flags.eeh_busy = 0;
++
+ ret = qla2x00_wait_for_hba_online(base_vha);
+ if (ret != QLA_SUCCESS) {
+ ql_log(ql_log_fatal, base_vha, 0x9002,
+ "The device failed to resume I/O from slot/link_reset.\n");
+ }
+-
+- ha->flags.eeh_busy = 0;
+ }
+
+ static void
+--
+2.20.1
+
--- /dev/null
+From 4c96d4b936cfe8f5d89f883794c8fc204b4fce45 Mon Sep 17 00:00:00 2001
+From: Alexei Starovoitov <ast@kernel.org>
+Date: Thu, 16 May 2019 21:34:11 -0700
+Subject: selftests/bpf: fix bpf_get_current_task
+
+[ Upstream commit 7ed4b4e60bb1dd3df7a45dfbde3a96efce9df7eb ]
+
+Fix bpf_get_current_task() declaration.
+
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/bpf_helpers.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/bpf_helpers.h b/tools/testing/selftests/bpf/bpf_helpers.h
+index c81fc350f7ad..a43a52cdd3f0 100644
+--- a/tools/testing/selftests/bpf/bpf_helpers.h
++++ b/tools/testing/selftests/bpf/bpf_helpers.h
+@@ -246,7 +246,7 @@ static int (*bpf_skb_change_type)(void *ctx, __u32 type) =
+ (void *) BPF_FUNC_skb_change_type;
+ static unsigned int (*bpf_get_hash_recalc)(void *ctx) =
+ (void *) BPF_FUNC_get_hash_recalc;
+-static unsigned long long (*bpf_get_current_task)(void *ctx) =
++static unsigned long long (*bpf_get_current_task)(void) =
+ (void *) BPF_FUNC_get_current_task;
+ static int (*bpf_skb_change_tail)(void *ctx, __u32 len, __u64 flags) =
+ (void *) BPF_FUNC_skb_change_tail;
+--
+2.20.1
+
--- /dev/null
+From 952a7736b64286c32588b0285e38f328ca39dac8 Mon Sep 17 00:00:00 2001
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Mon, 20 May 2019 12:36:54 +0800
+Subject: selftests: fib_rule_tests: fix local IPv4 address typo
+
+[ Upstream commit fc82d93e57e3d41f79eff19031588b262fc3d0b6 ]
+
+The IPv4 testing address are all in 192.51.100.0 subnet. It doesn't make
+sense to set a 198.51.100.1 local address. Should be a typo.
+
+Fixes: 65b2b4939a64 ("selftests: net: initial fib rule tests")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/fib_rule_tests.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/fib_rule_tests.sh b/tools/testing/selftests/net/fib_rule_tests.sh
+index 4b7e107865bf..1ba069967fa2 100755
+--- a/tools/testing/selftests/net/fib_rule_tests.sh
++++ b/tools/testing/selftests/net/fib_rule_tests.sh
+@@ -55,7 +55,7 @@ setup()
+
+ $IP link add dummy0 type dummy
+ $IP link set dev dummy0 up
+- $IP address add 198.51.100.1/24 dev dummy0
++ $IP address add 192.51.100.1/24 dev dummy0
+ $IP -6 address add 2001:db8:1::1/64 dev dummy0
+
+ set +e
+--
+2.20.1
+
--- /dev/null
+From 439e124aa2e7b24c23590e600373379e525ff81c Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 20 May 2019 15:37:49 -0700
+Subject: selftests/timers: Add missing fflush(stdout) calls
+
+[ Upstream commit fe48319243a626c860fd666ca032daacc2ba84a5 ]
+
+When running under a pipe, some timer tests would not report output in
+real-time because stdout flushes were missing after printf()s that lacked
+a newline. This adds them to restore real-time status output that humans
+can enjoy.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/timers/adjtick.c | 1 +
+ tools/testing/selftests/timers/leapcrash.c | 1 +
+ tools/testing/selftests/timers/mqueue-lat.c | 1 +
+ tools/testing/selftests/timers/nanosleep.c | 1 +
+ tools/testing/selftests/timers/nsleep-lat.c | 1 +
+ tools/testing/selftests/timers/raw_skew.c | 1 +
+ tools/testing/selftests/timers/set-tai.c | 1 +
+ tools/testing/selftests/timers/set-tz.c | 2 ++
+ tools/testing/selftests/timers/threadtest.c | 1 +
+ tools/testing/selftests/timers/valid-adjtimex.c | 2 ++
+ 10 files changed, 12 insertions(+)
+
+diff --git a/tools/testing/selftests/timers/adjtick.c b/tools/testing/selftests/timers/adjtick.c
+index 0caca3a06bd2..54d8d87f36b3 100644
+--- a/tools/testing/selftests/timers/adjtick.c
++++ b/tools/testing/selftests/timers/adjtick.c
+@@ -136,6 +136,7 @@ int check_tick_adj(long tickval)
+
+ eppm = get_ppm_drift();
+ printf("%lld usec, %lld ppm", systick + (systick * eppm / MILLION), eppm);
++ fflush(stdout);
+
+ tx1.modes = 0;
+ adjtimex(&tx1);
+diff --git a/tools/testing/selftests/timers/leapcrash.c b/tools/testing/selftests/timers/leapcrash.c
+index 830c462f605d..dc80728ed191 100644
+--- a/tools/testing/selftests/timers/leapcrash.c
++++ b/tools/testing/selftests/timers/leapcrash.c
+@@ -101,6 +101,7 @@ int main(void)
+ }
+ clear_time_state();
+ printf(".");
++ fflush(stdout);
+ }
+ printf("[OK]\n");
+ return ksft_exit_pass();
+diff --git a/tools/testing/selftests/timers/mqueue-lat.c b/tools/testing/selftests/timers/mqueue-lat.c
+index 1867db5d6f5e..7916cf5cc6ff 100644
+--- a/tools/testing/selftests/timers/mqueue-lat.c
++++ b/tools/testing/selftests/timers/mqueue-lat.c
+@@ -102,6 +102,7 @@ int main(int argc, char **argv)
+ int ret;
+
+ printf("Mqueue latency : ");
++ fflush(stdout);
+
+ ret = mqueue_lat_test();
+ if (ret < 0) {
+diff --git a/tools/testing/selftests/timers/nanosleep.c b/tools/testing/selftests/timers/nanosleep.c
+index 8adb0bb51d4d..71b5441c2fd9 100644
+--- a/tools/testing/selftests/timers/nanosleep.c
++++ b/tools/testing/selftests/timers/nanosleep.c
+@@ -142,6 +142,7 @@ int main(int argc, char **argv)
+ continue;
+
+ printf("Nanosleep %-31s ", clockstring(clockid));
++ fflush(stdout);
+
+ length = 10;
+ while (length <= (NSEC_PER_SEC * 10)) {
+diff --git a/tools/testing/selftests/timers/nsleep-lat.c b/tools/testing/selftests/timers/nsleep-lat.c
+index c3c3dc10db17..eb3e79ed7b4a 100644
+--- a/tools/testing/selftests/timers/nsleep-lat.c
++++ b/tools/testing/selftests/timers/nsleep-lat.c
+@@ -155,6 +155,7 @@ int main(int argc, char **argv)
+ continue;
+
+ printf("nsleep latency %-26s ", clockstring(clockid));
++ fflush(stdout);
+
+ length = 10;
+ while (length <= (NSEC_PER_SEC * 10)) {
+diff --git a/tools/testing/selftests/timers/raw_skew.c b/tools/testing/selftests/timers/raw_skew.c
+index dcf73c5dab6e..b41d8dd0c40c 100644
+--- a/tools/testing/selftests/timers/raw_skew.c
++++ b/tools/testing/selftests/timers/raw_skew.c
+@@ -112,6 +112,7 @@ int main(int argv, char **argc)
+ printf("WARNING: ADJ_OFFSET in progress, this will cause inaccurate results\n");
+
+ printf("Estimating clock drift: ");
++ fflush(stdout);
+ sleep(120);
+
+ get_monotonic_and_raw(&mon, &raw);
+diff --git a/tools/testing/selftests/timers/set-tai.c b/tools/testing/selftests/timers/set-tai.c
+index 70fed27d8fd3..8c4179ee2ca2 100644
+--- a/tools/testing/selftests/timers/set-tai.c
++++ b/tools/testing/selftests/timers/set-tai.c
+@@ -55,6 +55,7 @@ int main(int argc, char **argv)
+ printf("tai offset started at %i\n", ret);
+
+ printf("Checking tai offsets can be properly set: ");
++ fflush(stdout);
+ for (i = 1; i <= 60; i++) {
+ ret = set_tai(i);
+ ret = get_tai();
+diff --git a/tools/testing/selftests/timers/set-tz.c b/tools/testing/selftests/timers/set-tz.c
+index 877fd5532fee..62bd33eb16f0 100644
+--- a/tools/testing/selftests/timers/set-tz.c
++++ b/tools/testing/selftests/timers/set-tz.c
+@@ -65,6 +65,7 @@ int main(int argc, char **argv)
+ printf("tz_minuteswest started at %i, dst at %i\n", min, dst);
+
+ printf("Checking tz_minuteswest can be properly set: ");
++ fflush(stdout);
+ for (i = -15*60; i < 15*60; i += 30) {
+ ret = set_tz(i, dst);
+ ret = get_tz_min();
+@@ -76,6 +77,7 @@ int main(int argc, char **argv)
+ printf("[OK]\n");
+
+ printf("Checking invalid tz_minuteswest values are caught: ");
++ fflush(stdout);
+
+ if (!set_tz(-15*60-1, dst)) {
+ printf("[FAILED] %i didn't return failure!\n", -15*60-1);
+diff --git a/tools/testing/selftests/timers/threadtest.c b/tools/testing/selftests/timers/threadtest.c
+index 759c9c06f1a0..cf3e48919874 100644
+--- a/tools/testing/selftests/timers/threadtest.c
++++ b/tools/testing/selftests/timers/threadtest.c
+@@ -163,6 +163,7 @@ int main(int argc, char **argv)
+ strftime(buf, 255, "%a, %d %b %Y %T %z", localtime(&start));
+ printf("%s\n", buf);
+ printf("Testing consistency with %i threads for %ld seconds: ", thread_count, runtime);
++ fflush(stdout);
+
+ /* spawn */
+ for (i = 0; i < thread_count; i++)
+diff --git a/tools/testing/selftests/timers/valid-adjtimex.c b/tools/testing/selftests/timers/valid-adjtimex.c
+index d9d3ab93b31a..5397de708d3c 100644
+--- a/tools/testing/selftests/timers/valid-adjtimex.c
++++ b/tools/testing/selftests/timers/valid-adjtimex.c
+@@ -123,6 +123,7 @@ int validate_freq(void)
+ /* Set the leap second insert flag */
+
+ printf("Testing ADJ_FREQ... ");
++ fflush(stdout);
+ for (i = 0; i < NUM_FREQ_VALID; i++) {
+ tx.modes = ADJ_FREQUENCY;
+ tx.freq = valid_freq[i];
+@@ -250,6 +251,7 @@ int set_bad_offset(long sec, long usec, int use_nano)
+ int validate_set_offset(void)
+ {
+ printf("Testing ADJ_SETOFFSET... ");
++ fflush(stdout);
+
+ /* Test valid values */
+ if (set_offset(NSEC_PER_SEC - 1, 1))
+--
+2.20.1
+
drm-i915-dsi-use-a-fuzzy-check-for-burst-mode-clock-check.patch
drm-i915-fix-per-pixel-alpha-with-ccs.patch
drm-i915-dmc-protect-against-reading-random-memory.patch
+x86-uaccess-kcov-disable-stack-protector.patch
+alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch
+alsa-seq-fix-race-of-get-subscription-call-vs-port-d.patch
+revert-alsa-seq-protect-in-kernel-ioctl-calls-with-m.patch
+drivers-misc-fix-out-of-bounds-access-in-function-pa.patch
+f2fs-fix-to-avoid-accessing-xattr-across-the-boundar.patch
+drivers-perf-arm_spe-don-t-error-on-high-order-pages.patch
+bpf-sockmap-only-stop-flush-strp-if-it-was-enabled-a.patch
+bpf-sockmap-remove-duplicate-queue-free.patch
+bpf-sockmap-fix-msg-sg.size-account-on-ingress-skb.patch
+scsi-qla2xxx-add-cleanup-for-pci-eeh-recovery.patch
+scsi-qedi-remove-memset-memcpy-to-nfunc-and-use-func.patch
+scsi-qedi-remove-set-but-not-used-variables-cdev-and.patch
+scsi-lpfc-resolve-lockdep-warnings.patch
+scsi-lpfc-correct-rcu-unlock-issue-in-lpfc_nvme_info.patch
+scsi-lpfc-add-check-for-loss-of-ndlp-when-sending-rr.patch
+arm64-print-physical-address-of-page-table-base-in-s.patch
+net-macb-fix-error-format-in-dev_err.patch
+enetc-fix-null-dma-address-unmap-for-tx-bd-extension.patch
+bpf-tcp-correctly-handle-dont_wait-flags-and-timeo-0.patch
+arm64-mm-inhibit-huge-vmap-with-ptdump.patch
+tools-bpftool-move-set_max_rlimit-before-__bpf_objec.patch
+selftests-bpf-fix-bpf_get_current_task.patch
+nvme-pci-fix-controller-freeze-wait-disabling.patch
+nvme-fix-srcu-locking-on-error-return-in-nvme_get_ns.patch
+nvme-remove-the-ifdef-around-nvme_nvm_ioctl.patch
+nvme-merge-nvme_ns_ioctl-into-nvme_ioctl.patch
+nvme-release-namespace-srcu-protection-before-perfor.patch
+nvme-fix-memory-leak-for-power-latency-tolerance.patch
+platform-x86-pmc_atom-add-lex-3i380d-industrial-pc-t.patch
+platform-x86-pmc_atom-add-several-beckhoff-automatio.patch
+scsi-myrs-fix-uninitialized-variable.patch
+scsi-bnx2fc-fix-incorrect-cast-to-u64-on-shift-opera.patch
+drm-amdgpu-keep-stolen-memory-on-picasso.patch
+libnvdimm-fix-compilation-warnings-with-w-1.patch
+selftests-fib_rule_tests-fix-local-ipv4-address-typo.patch
+selftests-timers-add-missing-fflush-stdout-calls.patch
+tracing-prevent-hist_field_var_ref-from-accessing-nu.patch
+usbnet-ipheth-fix-racing-condition.patch
+nvme-pci-use-blk-mq-mapping-for-unmanaged-irqs.patch
+tools-io_uring-fix-makefile-for-pthread-library-link.patch
+kvm-arm-arm64-move-cc-it-checks-under-hyp-s-makefile.patch
+kvm-nvmx-really-fix-the-size-checks-on-kvm_set_neste.patch
+kvm-selftests-fix-a-condition-in-test_hv_cpuid.patch
+kvm-vmx-fix-wmissing-prototypes-warnings.patch
+kvm-lapic-fix-lapic_timer_advance_ns-parameter-overf.patch
+kvm-x86-do-not-spam-dmesg-with-vmcs-vmcb-dumps.patch
+kvm-x86-pmu-mask-the-result-of-rdpmc-according-to-th.patch
+kvm-x86-pmu-do-not-mask-the-value-that-is-written-to.patch
+kvm-s390-fix-memory-slot-handling-for-kvm_set_user_m.patch
+kvm-selftests-aarch64-dirty_log_test-fix-unaligned-m.patch
+kvm-selftests-aarch64-fix-default-vm-mode.patch
+tools-kvm_stat-fix-fields-filter-for-child-events.patch
--- /dev/null
+From b9f2becf900b7cf3e9e361263701af44c87ccd50 Mon Sep 17 00:00:00 2001
+From: Yonghong Song <yhs@fb.com>
+Date: Thu, 16 May 2019 10:17:31 -0700
+Subject: tools/bpftool: move set_max_rlimit() before
+ __bpf_object__open_xattr()
+
+[ Upstream commit ac4e0e055fee5751c78bba1fc9ce508a6874d916 ]
+
+For a host which has a lower rlimit for max locked memory (e.g., 64KB),
+the following error occurs in one of our production systems:
+ # /usr/sbin/bpftool prog load /paragon/pods/52877437/home/mark.o \
+ /sys/fs/bpf/paragon_mark_21 type cgroup/skb \
+ map idx 0 pinned /sys/fs/bpf/paragon_map_21
+ libbpf: Error in bpf_object__probe_name():Operation not permitted(1).
+ Couldn't load basic 'r0 = 0' BPF program.
+ Error: failed to open object file
+
+The reason is due to low locked memory during bpf_object__probe_name()
+which probes whether program name is supported in kernel or not
+during __bpf_object__open_xattr().
+
+bpftool program load already tries to relax mlock rlimit before
+bpf_object__load(). Let us move set_max_rlimit() before
+__bpf_object__open_xattr(), which fixed the issue here.
+
+Fixes: 47eff61777c7 ("bpf, libbpf: introduce bpf_object__probe_caps to test BPF capabilities")
+Signed-off-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/bpftool/prog.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/bpf/bpftool/prog.c b/tools/bpf/bpftool/prog.c
+index d2be5a06c339..ed8ef5c82256 100644
+--- a/tools/bpf/bpftool/prog.c
++++ b/tools/bpf/bpftool/prog.c
+@@ -873,6 +873,8 @@ static int load_with_options(int argc, char **argv, bool first_prog_only)
+ }
+ }
+
++ set_max_rlimit();
++
+ obj = __bpf_object__open_xattr(&attr, bpf_flags);
+ if (IS_ERR_OR_NULL(obj)) {
+ p_err("failed to open object file");
+@@ -952,8 +954,6 @@ static int load_with_options(int argc, char **argv, bool first_prog_only)
+ goto err_close_obj;
+ }
+
+- set_max_rlimit();
+-
+ err = bpf_object__load(obj);
+ if (err) {
+ p_err("failed to load object file");
+--
+2.20.1
+
--- /dev/null
+From d53db702cd7a685e0b224bd54e0a43ff6e200739 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Wed, 22 May 2019 08:47:54 -0600
+Subject: tools/io_uring: fix Makefile for pthread library link
+
+[ Upstream commit 486f069253c3c738dec62daeb16f7232b2cca065 ]
+
+Currently fails with:
+
+io_uring-bench.o: In function `main':
+/home/axboe/git/linux-block/tools/io_uring/io_uring-bench.c:560: undefined reference to `pthread_create'
+/home/axboe/git/linux-block/tools/io_uring/io_uring-bench.c:588: undefined reference to `pthread_join'
+collect2: error: ld returned 1 exit status
+Makefile:11: recipe for target 'io_uring-bench' failed
+make: *** [io_uring-bench] Error 1
+
+Move -lpthread to the end.
+
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/io_uring/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/io_uring/Makefile b/tools/io_uring/Makefile
+index f79522fc37b5..00f146c54c53 100644
+--- a/tools/io_uring/Makefile
++++ b/tools/io_uring/Makefile
+@@ -8,7 +8,7 @@ all: io_uring-cp io_uring-bench
+ $(CC) $(CFLAGS) -o $@ $^
+
+ io_uring-bench: syscall.o io_uring-bench.o
+- $(CC) $(CFLAGS) $(LDLIBS) -o $@ $^
++ $(CC) $(CFLAGS) -o $@ $^ $(LDLIBS)
+
+ io_uring-cp: setup.o syscall.o queue.o
+
+--
+2.20.1
+
--- /dev/null
+From fb979946f7556bc5f8ddec9cdb94e8269c6a1895 Mon Sep 17 00:00:00 2001
+From: Stefan Raspl <stefan.raspl@de.ibm.com>
+Date: Sun, 21 Apr 2019 15:26:24 +0200
+Subject: tools/kvm_stat: fix fields filter for child events
+
+[ Upstream commit 883d25e70b2f699fed9017e509d1ef8e36229b89 ]
+
+The fields filter would not work with child fields, as the respective
+parents would not be included. No parents displayed == no childs displayed.
+To reproduce, run on s390 (would work on other platforms, too, but would
+require a different filter name):
+- Run 'kvm_stat -d'
+- Press 'f'
+- Enter 'instruct'
+Notice that events like instruction_diag_44 or instruction_diag_500 are not
+displayed - the output remains empty.
+With this patch, we will filter by matching events and their parents.
+However, consider the following example where we filter by
+instruction_diag_44:
+
+ kvm statistics - summary
+ regex filter: instruction_diag_44
+ Event Total %Total CurAvg/s
+ exit_instruction 276 100.0 12
+ instruction_diag_44 256 92.8 11
+ Total 276 12
+
+Note that the parent ('exit_instruction') displays the total events, but
+the childs listed do not match its total (256 instead of 276). This is
+intended (since we're filtering all but one child), but might be confusing
+on first sight.
+
+Signed-off-by: Stefan Raspl <raspl@linux.ibm.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/kvm/kvm_stat/kvm_stat | 16 ++++++++++++----
+ tools/kvm/kvm_stat/kvm_stat.txt | 2 ++
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/tools/kvm/kvm_stat/kvm_stat b/tools/kvm/kvm_stat/kvm_stat
+index 2ed395b817cb..bc508dae286c 100755
+--- a/tools/kvm/kvm_stat/kvm_stat
++++ b/tools/kvm/kvm_stat/kvm_stat
+@@ -575,8 +575,12 @@ class TracepointProvider(Provider):
+ def update_fields(self, fields_filter):
+ """Refresh fields, applying fields_filter"""
+ self.fields = [field for field in self._get_available_fields()
+- if self.is_field_wanted(fields_filter, field) or
+- ARCH.tracepoint_is_child(field)]
++ if self.is_field_wanted(fields_filter, field)]
++ # add parents for child fields - otherwise we won't see any output!
++ for field in self._fields:
++ parent = ARCH.tracepoint_is_child(field)
++ if (parent and parent not in self._fields):
++ self.fields.append(parent)
+
+ @staticmethod
+ def _get_online_cpus():
+@@ -735,8 +739,12 @@ class DebugfsProvider(Provider):
+ def update_fields(self, fields_filter):
+ """Refresh fields, applying fields_filter"""
+ self._fields = [field for field in self._get_available_fields()
+- if self.is_field_wanted(fields_filter, field) or
+- ARCH.debugfs_is_child(field)]
++ if self.is_field_wanted(fields_filter, field)]
++ # add parents for child fields - otherwise we won't see any output!
++ for field in self._fields:
++ parent = ARCH.debugfs_is_child(field)
++ if (parent and parent not in self._fields):
++ self.fields.append(parent)
+
+ @property
+ def fields(self):
+diff --git a/tools/kvm/kvm_stat/kvm_stat.txt b/tools/kvm/kvm_stat/kvm_stat.txt
+index 0811d860fe75..c057ba52364e 100644
+--- a/tools/kvm/kvm_stat/kvm_stat.txt
++++ b/tools/kvm/kvm_stat/kvm_stat.txt
+@@ -34,6 +34,8 @@ INTERACTIVE COMMANDS
+ *c*:: clear filter
+
+ *f*:: filter by regular expression
++ :: *Note*: Child events pull in their parents, and parents' stats summarize
++ all child events, not just the filtered ones
+
+ *g*:: filter by guest name/PID
+
+--
+2.20.1
+
--- /dev/null
+From 2c12c95ac8d163b2f5d8e74a65a7b29f3ed81bd5 Mon Sep 17 00:00:00 2001
+From: Tom Zanussi <tom.zanussi@linux.intel.com>
+Date: Thu, 18 Apr 2019 10:18:50 -0500
+Subject: tracing: Prevent hist_field_var_ref() from accessing NULL
+ tracing_map_elts
+
+[ Upstream commit 55267c88c003a3648567beae7c90512d3e2ab15e ]
+
+hist_field_var_ref() is an implementation of hist_field_fn_t(), which
+can be called with a null tracing_map_elt elt param when assembling a
+key in event_hist_trigger().
+
+In the case of hist_field_var_ref() this doesn't make sense, because a
+variable can only be resolved by looking it up using an already
+assembled key i.e. a variable can't be used to assemble a key since
+the key is required in order to access the variable.
+
+Upper layers should prevent the user from constructing a key using a
+variable in the first place, but in case one slips through, it
+shouldn't cause a NULL pointer dereference. Also if one does slip
+through, we want to know about it, so emit a one-time warning in that
+case.
+
+Link: http://lkml.kernel.org/r/64ec8dc15c14d305295b64cdfcc6b2b9dd14753f.1555597045.git.tom.zanussi@linux.intel.com
+
+Reported-by: Vincent Bernat <vincent@bernat.ch>
+Signed-off-by: Tom Zanussi <tom.zanussi@linux.intel.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_events_hist.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
+index 0a200d42fa96..f50d57eac875 100644
+--- a/kernel/trace/trace_events_hist.c
++++ b/kernel/trace/trace_events_hist.c
+@@ -1815,6 +1815,9 @@ static u64 hist_field_var_ref(struct hist_field *hist_field,
+ struct hist_elt_data *elt_data;
+ u64 var_val = 0;
+
++ if (WARN_ON_ONCE(!elt))
++ return var_val;
++
+ elt_data = elt->private_data;
+ var_val = elt_data->var_ref_vals[hist_field->var_ref_idx];
+
+--
+2.20.1
+
--- /dev/null
+From 4dc3c793a124d09ee873b0b8ecea61f101effe99 Mon Sep 17 00:00:00 2001
+From: Bernd Eckstein <3erndeckstein@gmail.com>
+Date: Mon, 20 May 2019 17:31:09 +0200
+Subject: usbnet: ipheth: fix racing condition
+
+[ Upstream commit 94d250fae48e6f873d8362308f5c4d02cd1b1fd2 ]
+
+Fix a racing condition in ipheth.c that can lead to slow performance.
+
+Bug: In ipheth_tx(), netif_wake_queue() may be called on the callback
+ipheth_sndbulk_callback(), _before_ netif_stop_queue() is called.
+When this happens, the queue is stopped longer than it needs to be,
+thus reducing network performance.
+
+Fix: Move netif_stop_queue() in front of usb_submit_urb(). Now the order
+is always correct. In case, usb_submit_urb() fails, the queue is woken up
+again as callback will not fire.
+
+Testing: This racing condition is usually not noticeable, as it has to
+occur very frequently to slowdown the network. The callback from the USB
+is usually triggered slow enough, so the situation does not appear.
+However, on a Ubuntu Linux on VMWare Workstation, running on Windows 10,
+the we loose the race quite often and the following speedup can be noticed:
+
+Without this patch: Download: 4.10 Mbit/s, Upload: 4.01 Mbit/s
+With this patch: Download: 36.23 Mbit/s, Upload: 17.61 Mbit/s
+
+Signed-off-by: Oliver Zweigle <Oliver.Zweigle@faro.com>
+Signed-off-by: Bernd Eckstein <3ernd.Eckstein@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/ipheth.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c
+index 3d8a70d3ea9b..3d71f1716390 100644
+--- a/drivers/net/usb/ipheth.c
++++ b/drivers/net/usb/ipheth.c
+@@ -437,17 +437,18 @@ static int ipheth_tx(struct sk_buff *skb, struct net_device *net)
+ dev);
+ dev->tx_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
+
++ netif_stop_queue(net);
+ retval = usb_submit_urb(dev->tx_urb, GFP_ATOMIC);
+ if (retval) {
+ dev_err(&dev->intf->dev, "%s: usb_submit_urb: %d\n",
+ __func__, retval);
+ dev->net->stats.tx_errors++;
+ dev_kfree_skb_any(skb);
++ netif_wake_queue(net);
+ } else {
+ dev->net->stats.tx_packets++;
+ dev->net->stats.tx_bytes += skb->len;
+ dev_consume_skb_any(skb);
+- netif_stop_queue(net);
+ }
+
+ return NETDEV_TX_OK;
+--
+2.20.1
+
--- /dev/null
+From f7f0840a06b69a15ee0848f80062cffd9b00567b Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Thu, 7 Mar 2019 19:54:25 +0100
+Subject: x86/uaccess, kcov: Disable stack protector
+
+[ Upstream commit 40ea97290b08be2e038b31cbb33097d1145e8169 ]
+
+New tooling noticed this mishap:
+
+ kernel/kcov.o: warning: objtool: write_comp_data()+0x138: call to __stack_chk_fail() with UACCESS enabled
+ kernel/kcov.o: warning: objtool: __sanitizer_cov_trace_pc()+0xd9: call to __stack_chk_fail() with UACCESS enabled
+
+All the other instrumentation (KASAN,UBSAN) also have stack protector
+disabled.
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/Makefile b/kernel/Makefile
+index 6c57e78817da..62471e75a2b0 100644
+--- a/kernel/Makefile
++++ b/kernel/Makefile
+@@ -30,6 +30,7 @@ KCOV_INSTRUMENT_extable.o := n
+ # Don't self-instrument.
+ KCOV_INSTRUMENT_kcov.o := n
+ KASAN_SANITIZE_kcov.o := n
++CFLAGS_kcov.o := $(call cc-option, -fno-conserve-stack -fno-stack-protector)
+
+ # cond_syscall is currently not LTO compatible
+ CFLAGS_sys_ni.o = $(DISABLE_LTO)
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
