--- /dev/null
+From 64fcbb6158ecc684d84c64424830a9c37c77c5b9 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 2 Mar 2021 10:26:45 +0000
+Subject: afs: Fix accessing YFS xattrs on a non-YFS server
+
+From: David Howells <dhowells@redhat.com>
+
+commit 64fcbb6158ecc684d84c64424830a9c37c77c5b9 upstream.
+
+If someone attempts to access YFS-related xattrs (e.g. afs.yfs.acl) on a
+file on a non-YFS AFS server (such as OpenAFS), then the kernel will jump
+to a NULL function pointer because the afs_fetch_acl_operation descriptor
+doesn't point to a function for issuing an operation on a non-YFS
+server[1].
+
+Fix this by making afs_wait_for_operation() check that the issue_afs_rpc
+method is set before jumping to it and setting -ENOTSUPP if not. This fix
+also covers other potential operations that also only exist on YFS servers.
+
+afs_xattr_get/set_yfs() then need to translate -ENOTSUPP to -ENODATA as the
+former error is internal to the kernel.
+
+The bug shows up as an oops like the following:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ [...]
+ Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
+ [...]
+ Call Trace:
+ afs_wait_for_operation+0x83/0x1b0 [kafs]
+ afs_xattr_get_yfs+0xe6/0x270 [kafs]
+ __vfs_getxattr+0x59/0x80
+ vfs_getxattr+0x11c/0x140
+ getxattr+0x181/0x250
+ ? __check_object_size+0x13f/0x150
+ ? __fput+0x16d/0x250
+ __x64_sys_fgetxattr+0x64/0xb0
+ do_syscall_64+0x49/0xc0
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ RIP: 0033:0x7fb120a9defe
+
+This was triggered with "cp -a" which attempts to copy xattrs, including
+afs ones, but is easier to reproduce with getfattr, e.g.:
+
+ getfattr -d -m ".*" /afs/openafs.org/
+
+Fixes: e49c7b2f6de7 ("afs: Build an abstraction around an "operation" concept")
+Reported-by: Gaja Sophie Peters <gaja.peters@math.uni-hamburg.de>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Tested-by: Gaja Sophie Peters <gaja.peters@math.uni-hamburg.de>
+Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
+Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
+cc: linux-afs@lists.infradead.org
+Link: http://lists.infradead.org/pipermail/linux-afs/2021-March/003498.html [1]
+Link: http://lists.infradead.org/pipermail/linux-afs/2021-March/003566.html # v1
+Link: http://lists.infradead.org/pipermail/linux-afs/2021-March/003572.html # v2
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/fs_operation.c | 7 +++++--
+ fs/afs/xattr.c | 8 +++++++-
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+
+--- a/fs/afs/fs_operation.c
++++ b/fs/afs/fs_operation.c
+@@ -181,10 +181,13 @@ void afs_wait_for_operation(struct afs_o
+ if (test_bit(AFS_SERVER_FL_IS_YFS, &op->server->flags) &&
+ op->ops->issue_yfs_rpc)
+ op->ops->issue_yfs_rpc(op);
+- else
++ else if (op->ops->issue_afs_rpc)
+ op->ops->issue_afs_rpc(op);
++ else
++ op->ac.error = -ENOTSUPP;
+
+- op->error = afs_wait_for_call_to_complete(op->call, &op->ac);
++ if (op->call)
++ op->error = afs_wait_for_call_to_complete(op->call, &op->ac);
+ }
+
+ switch (op->error) {
+--- a/fs/afs/xattr.c
++++ b/fs/afs/xattr.c
+@@ -230,6 +230,8 @@ static int afs_xattr_get_yfs(const struc
+ else
+ ret = -ERANGE;
+ }
++ } else if (ret == -ENOTSUPP) {
++ ret = -ENODATA;
+ }
+
+ error_yacl:
+@@ -254,6 +256,7 @@ static int afs_xattr_set_yfs(const struc
+ {
+ struct afs_operation *op;
+ struct afs_vnode *vnode = AFS_FS_I(inode);
++ int ret;
+
+ if (flags == XATTR_CREATE ||
+ strcmp(name, "acl") != 0)
+@@ -268,7 +271,10 @@ static int afs_xattr_set_yfs(const struc
+ return afs_put_operation(op);
+
+ op->ops = &yfs_store_opaque_acl2_operation;
+- return afs_do_sync_operation(op);
++ ret = afs_do_sync_operation(op);
++ if (ret == -ENOTSUPP)
++ ret = -ENODATA;
++ return ret;
+ }
+
+ static const struct xattr_handler afs_xattr_yfs_handler = {
--- /dev/null
+From a7889c6320b9200e3fe415238f546db677310fa9 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 9 Mar 2021 08:27:39 +0000
+Subject: afs: Stop listxattr() from listing "afs.*" attributes
+
+From: David Howells <dhowells@redhat.com>
+
+commit a7889c6320b9200e3fe415238f546db677310fa9 upstream.
+
+afs_listxattr() lists all the available special afs xattrs (i.e. those in
+the "afs.*" space), no matter what type of server we're dealing with. But
+OpenAFS servers, for example, cannot deal with some of the extra-capable
+attributes that AuriStor (YFS) servers provide. Unfortunately, the
+presence of the afs.yfs.* attributes causes errors[1] for anything that
+tries to read them if the server is of the wrong type.
+
+Fix the problem by removing afs_listxattr() so that none of the special
+xattrs are listed (AFS doesn't support xattrs). It does mean, however,
+that getfattr won't list them, though they can still be accessed with
+getxattr() and setxattr().
+
+This can be tested with something like:
+
+ getfattr -d -m ".*" /afs/example.com/path/to/file
+
+With this change, none of the afs.* attributes should be visible.
+
+Changes:
+ver #2:
+ - Hide all of the afs.* xattrs, not just the ACL ones.
+
+Fixes: ae46578b963f ("afs: Get YFS ACLs and information through xattrs")
+Reported-by: Gaja Sophie Peters <gaja.peters@math.uni-hamburg.de>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Tested-by: Gaja Sophie Peters <gaja.peters@math.uni-hamburg.de>
+Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
+Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Link: http://lists.infradead.org/pipermail/linux-afs/2021-March/003502.html [1]
+Link: http://lists.infradead.org/pipermail/linux-afs/2021-March/003567.html # v1
+Link: http://lists.infradead.org/pipermail/linux-afs/2021-March/003573.html # v2
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/dir.c | 1 -
+ fs/afs/file.c | 1 -
+ fs/afs/inode.c | 1 -
+ fs/afs/internal.h | 1 -
+ fs/afs/mntpt.c | 1 -
+ fs/afs/xattr.c | 23 -----------------------
+ 6 files changed, 28 deletions(-)
+
+--- a/fs/afs/dir.c
++++ b/fs/afs/dir.c
+@@ -69,7 +69,6 @@ const struct inode_operations afs_dir_in
+ .permission = afs_permission,
+ .getattr = afs_getattr,
+ .setattr = afs_setattr,
+- .listxattr = afs_listxattr,
+ };
+
+ const struct address_space_operations afs_dir_aops = {
+--- a/fs/afs/file.c
++++ b/fs/afs/file.c
+@@ -43,7 +43,6 @@ const struct inode_operations afs_file_i
+ .getattr = afs_getattr,
+ .setattr = afs_setattr,
+ .permission = afs_permission,
+- .listxattr = afs_listxattr,
+ };
+
+ const struct address_space_operations afs_fs_aops = {
+--- a/fs/afs/inode.c
++++ b/fs/afs/inode.c
+@@ -27,7 +27,6 @@
+
+ static const struct inode_operations afs_symlink_inode_operations = {
+ .get_link = page_get_link,
+- .listxattr = afs_listxattr,
+ };
+
+ static noinline void dump_vnode(struct afs_vnode *vnode, struct afs_vnode *parent_vnode)
+--- a/fs/afs/internal.h
++++ b/fs/afs/internal.h
+@@ -1508,7 +1508,6 @@ extern int afs_launder_page(struct page
+ * xattr.c
+ */
+ extern const struct xattr_handler *afs_xattr_handlers[];
+-extern ssize_t afs_listxattr(struct dentry *, char *, size_t);
+
+ /*
+ * yfsclient.c
+--- a/fs/afs/mntpt.c
++++ b/fs/afs/mntpt.c
+@@ -32,7 +32,6 @@ const struct inode_operations afs_mntpt_
+ .lookup = afs_mntpt_lookup,
+ .readlink = page_readlink,
+ .getattr = afs_getattr,
+- .listxattr = afs_listxattr,
+ };
+
+ const struct inode_operations afs_autocell_inode_operations = {
+--- a/fs/afs/xattr.c
++++ b/fs/afs/xattr.c
+@@ -11,29 +11,6 @@
+ #include <linux/xattr.h>
+ #include "internal.h"
+
+-static const char afs_xattr_list[] =
+- "afs.acl\0"
+- "afs.cell\0"
+- "afs.fid\0"
+- "afs.volume\0"
+- "afs.yfs.acl\0"
+- "afs.yfs.acl_inherited\0"
+- "afs.yfs.acl_num_cleaned\0"
+- "afs.yfs.vol_acl";
+-
+-/*
+- * Retrieve a list of the supported xattrs.
+- */
+-ssize_t afs_listxattr(struct dentry *dentry, char *buffer, size_t size)
+-{
+- if (size == 0)
+- return sizeof(afs_xattr_list);
+- if (size < sizeof(afs_xattr_list))
+- return -ERANGE;
+- memcpy(buffer, afs_xattr_list, sizeof(afs_xattr_list));
+- return sizeof(afs_xattr_list);
+-}
+-
+ /*
+ * Deal with the result of a successful fetch ACL operation.
+ */
--- /dev/null
+From 50b1affc891cbc103a2334ce909a026e25f4c84d Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Thu, 18 Mar 2021 13:20:08 +0000
+Subject: ALSA: usb-audio: Fix unintentional sign extension issue
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit 50b1affc891cbc103a2334ce909a026e25f4c84d upstream.
+
+The shifting of the u8 integer device by 24 bits to the left will
+be promoted to a 32 bit signed int and then sign-extended to a
+64 bit unsigned long. In the event that the top bit of device is
+set then all then all the upper 32 bits of the unsigned long will
+end up as also being set because of the sign-extension. Fix this
+by casting device to an unsigned long before the shift.
+
+Addresses-Coverity: ("Unintended sign extension")
+Fixes: a07df82c7990 ("ALSA: usb-audio: Add DJM750 to Pioneer mixer quirk")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Link: https://lore.kernel.org/r/20210318132008.15266-1-colin.king@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/mixer_quirks.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/usb/mixer_quirks.c
++++ b/sound/usb/mixer_quirks.c
+@@ -2883,7 +2883,7 @@ static int snd_djm_controls_put(struct s
+ u8 group = (private_value & SND_DJM_GROUP_MASK) >> SND_DJM_GROUP_SHIFT;
+ u16 value = elem->value.enumerated.item[0];
+
+- kctl->private_value = ((device << SND_DJM_DEVICE_SHIFT) |
++ kctl->private_value = (((unsigned long)device << SND_DJM_DEVICE_SHIFT) |
+ (group << SND_DJM_GROUP_SHIFT) |
+ value);
+
+@@ -2921,7 +2921,7 @@ static int snd_djm_controls_create(struc
+ value = device->controls[i].default_value;
+ knew.name = device->controls[i].name;
+ knew.private_value = (
+- (device_idx << SND_DJM_DEVICE_SHIFT) |
++ ((unsigned long)device_idx << SND_DJM_DEVICE_SHIFT) |
+ (i << SND_DJM_GROUP_SHIFT) |
+ value);
+ err = snd_djm_controls_update(mixer, device_idx, i, value);
--- /dev/null
+From 3bb4852d598f0275ed5996a059df55be7318ac2f Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Tue, 9 Mar 2021 14:21:29 +0000
+Subject: ASoC: codecs: wcd934x: add a sanity check in set channel map
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+commit 3bb4852d598f0275ed5996a059df55be7318ac2f upstream.
+
+set channel map can be passed with a channel maps, however if
+the number of channels that are passed are more than the actual
+supported channels then we would be accessing array out of bounds.
+
+So add a sanity check to validate these numbers!
+
+Fixes: a61f3b4f476e ("ASoC: wcd934x: add support to wcd9340/wcd9341 codec")
+Reported-by: John Stultz <john.stultz@linaro.org>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20210309142129.14182-4-srinivas.kandagatla@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/codecs/wcd934x.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/sound/soc/codecs/wcd934x.c
++++ b/sound/soc/codecs/wcd934x.c
+@@ -1873,6 +1873,12 @@ static int wcd934x_set_channel_map(struc
+
+ wcd = snd_soc_component_get_drvdata(dai->component);
+
++ if (tx_num > WCD934X_TX_MAX || rx_num > WCD934X_RX_MAX) {
++ dev_err(wcd->dev, "Invalid tx %d or rx %d channel count\n",
++ tx_num, rx_num);
++ return -EINVAL;
++ }
++
+ if (!tx_slot || !rx_slot) {
+ dev_err(wcd->dev, "Invalid tx_slot=%p, rx_slot=%p\n",
+ tx_slot, rx_slot);
--- /dev/null
+From 87263968516fb9507d6215d53f44052627fae8d8 Mon Sep 17 00:00:00 2001
+From: Alexander Shiyan <shc_work@mail.ru>
+Date: Tue, 16 Feb 2021 14:42:21 +0300
+Subject: ASoC: fsl_ssi: Fix TDM slot setup for I2S mode
+
+From: Alexander Shiyan <shc_work@mail.ru>
+
+commit 87263968516fb9507d6215d53f44052627fae8d8 upstream.
+
+When using the driver in I2S TDM mode, the _fsl_ssi_set_dai_fmt()
+function rewrites the number of slots previously set by the
+fsl_ssi_set_dai_tdm_slot() function to 2 by default.
+To fix this, let's use the saved slot count value or, if TDM
+is not used and the slot count is not set, proceed as before.
+
+Fixes: 4f14f5c11db1 ("ASoC: fsl_ssi: Fix number of words per frame for I2S-slave mode")
+Signed-off-by: Alexander Shiyan <shc_work@mail.ru>
+Acked-by: Nicolin Chen <nicoleotsuka@gmail.com>
+Link: https://lore.kernel.org/r/20210216114221.26635-1-shc_work@mail.ru
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/fsl/fsl_ssi.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/fsl/fsl_ssi.c
++++ b/sound/soc/fsl/fsl_ssi.c
+@@ -878,6 +878,7 @@ static int fsl_ssi_hw_free(struct snd_pc
+ static int _fsl_ssi_set_dai_fmt(struct fsl_ssi *ssi, unsigned int fmt)
+ {
+ u32 strcr = 0, scr = 0, stcr, srcr, mask;
++ unsigned int slots;
+
+ ssi->dai_fmt = fmt;
+
+@@ -909,10 +910,11 @@ static int _fsl_ssi_set_dai_fmt(struct f
+ return -EINVAL;
+ }
+
++ slots = ssi->slots ? : 2;
+ regmap_update_bits(ssi->regs, REG_SSI_STCCR,
+- SSI_SxCCR_DC_MASK, SSI_SxCCR_DC(2));
++ SSI_SxCCR_DC_MASK, SSI_SxCCR_DC(slots));
+ regmap_update_bits(ssi->regs, REG_SSI_SRCCR,
+- SSI_SxCCR_DC_MASK, SSI_SxCCR_DC(2));
++ SSI_SxCCR_DC_MASK, SSI_SxCCR_DC(slots));
+
+ /* Data on rising edge of bclk, frame low, 1clk before data */
+ strcr |= SSI_STCR_TFSI | SSI_STCR_TSCKP | SSI_STCR_TEFS;
--- /dev/null
+From ca08ddfd961d2a17208d9182e0ee5791b39bd8bf Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 24 Feb 2021 11:50:52 +0100
+Subject: ASoC: Intel: bytcr_rt5640: Fix HP Pavilion x2 10-p0XX OVCD current threshold
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit ca08ddfd961d2a17208d9182e0ee5791b39bd8bf upstream.
+
+When I added the quirk for the "HP Pavilion x2 10-p0XX" I copied the
+byt_rt5640_quirk_table[] entry for the HP Pavilion x2 10-k0XX / 10-n0XX
+models since these use almost the same settings.
+
+While doing this I accidentally also copied and kept the non-standard
+OVCD_TH_1500UA setting used on those models. This too low threshold is
+causing headsets to often be seen as headphones (without a headset-mic)
+and when correctly identified it is causing ghost play/pause
+button-presses to get detected.
+
+Correct the HP Pavilion x2 10-p0XX quirk to use the default OVCD_TH_2000UA
+setting, fixing these problems.
+
+Fixes: fbdae7d6d04d ("ASoC: Intel: bytcr_rt5640: Fix HP Pavilion x2 Detachable quirks")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20210224105052.42116-1-hdegoede@redhat.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/intel/boards/bytcr_rt5640.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/intel/boards/bytcr_rt5640.c
++++ b/sound/soc/intel/boards/bytcr_rt5640.c
+@@ -577,7 +577,7 @@ static const struct dmi_system_id byt_rt
+ },
+ .driver_data = (void *)(BYT_RT5640_DMIC1_MAP |
+ BYT_RT5640_JD_SRC_JD1_IN4P |
+- BYT_RT5640_OVCD_TH_1500UA |
++ BYT_RT5640_OVCD_TH_2000UA |
+ BYT_RT5640_OVCD_SF_0P75 |
+ BYT_RT5640_MCLK_EN),
+ },
--- /dev/null
+From 9922f50f7178496e709d3d064920b5031f0d9061 Mon Sep 17 00:00:00 2001
+From: Srinivasa Rao Mandadapu <srivasam@codeaurora.org>
+Date: Thu, 11 Mar 2021 21:15:57 +0530
+Subject: ASoC: qcom: lpass-cpu: Fix lpass dai ids parse
+
+From: Srinivasa Rao Mandadapu <srivasam@codeaurora.org>
+
+commit 9922f50f7178496e709d3d064920b5031f0d9061 upstream.
+
+The max boundary check while parsing dai ids makes
+sound card registration fail after common up dai ids.
+
+Fixes: cd3484f7f138 ("ASoC: qcom: Fix broken support to MI2S TERTIARY and QUATERNARY")
+
+Signed-off-by: Srinivasa Rao Mandadapu <srivasam@codeaurora.org>
+Link: https://lore.kernel.org/r/20210311154557.24978-1-srivasam@codeaurora.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/qcom/lpass-cpu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/qcom/lpass-cpu.c
++++ b/sound/soc/qcom/lpass-cpu.c
+@@ -737,7 +737,7 @@ static void of_lpass_cpu_parse_dai_data(
+
+ for_each_child_of_node(dev->of_node, node) {
+ ret = of_property_read_u32(node, "reg", &id);
+- if (ret || id < 0 || id >= data->variant->num_dai) {
++ if (ret || id < 0) {
+ dev_err(dev, "valid dai id not found: %d\n", ret);
+ continue;
+ }
--- /dev/null
+From 1c668e1c0a0f74472469cd514f40c9012b324c31 Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Tue, 9 Mar 2021 14:21:27 +0000
+Subject: ASoC: qcom: sdm845: Fix array out of bounds access
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+commit 1c668e1c0a0f74472469cd514f40c9012b324c31 upstream.
+
+Static analysis Coverity had detected a potential array out-of-bounds
+write issue due to the fact that MAX AFE port Id was set to 16 instead
+of using AFE_PORT_MAX macro.
+
+Fix this by properly using AFE_PORT_MAX macro.
+
+Fixes: 1b93a8843147 ("ASoC: qcom: sdm845: handle soundwire stream")
+Reported-by: John Stultz <john.stultz@linaro.org>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20210309142129.14182-2-srinivas.kandagatla@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/qcom/sdm845.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/qcom/sdm845.c
++++ b/sound/soc/qcom/sdm845.c
+@@ -33,12 +33,12 @@
+ struct sdm845_snd_data {
+ struct snd_soc_jack jack;
+ bool jack_setup;
+- bool stream_prepared[SLIM_MAX_RX_PORTS];
++ bool stream_prepared[AFE_PORT_MAX];
+ struct snd_soc_card *card;
+ uint32_t pri_mi2s_clk_count;
+ uint32_t sec_mi2s_clk_count;
+ uint32_t quat_tdm_clk_count;
+- struct sdw_stream_runtime *sruntime[SLIM_MAX_RX_PORTS];
++ struct sdw_stream_runtime *sruntime[AFE_PORT_MAX];
+ };
+
+ static unsigned int tdm_slot_offset[8] = {0, 4, 8, 12, 16, 20, 24, 28};
--- /dev/null
+From 4800fe6ea1022eb240215b1743d2541adad8efc7 Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Tue, 9 Mar 2021 14:21:28 +0000
+Subject: ASoC: qcom: sdm845: Fix array out of range on rx slim channels
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+commit 4800fe6ea1022eb240215b1743d2541adad8efc7 upstream.
+
+WCD934x has only 13 RX SLIM ports however we are setting it as 16
+in set_channel_map, this will lead to array out of bounds error!
+
+Orignally caught by enabling USBAN array out of bounds check:
+
+Fixes: 5caf64c633a3 ("ASoC: qcom: sdm845: add support to DB845c and Lenovo Yoga")
+Reported-by: John Stultz <john.stultz@linaro.org>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20210309142129.14182-3-srinivas.kandagatla@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/qcom/sdm845.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/qcom/sdm845.c
++++ b/sound/soc/qcom/sdm845.c
+@@ -27,7 +27,7 @@
+ #define SPK_TDM_RX_MASK 0x03
+ #define NUM_TDM_SLOTS 8
+ #define SLIM_MAX_TX_PORTS 16
+-#define SLIM_MAX_RX_PORTS 16
++#define SLIM_MAX_RX_PORTS 13
+ #define WCD934X_DEFAULT_MCLK_RATE 9600000
+
+ struct sdm845_snd_data {
--- /dev/null
+From 8ca88d53351cc58d535b2bfc7386835378fb0db2 Mon Sep 17 00:00:00 2001
+From: Sameer Pujar <spujar@nvidia.com>
+Date: Mon, 15 Mar 2021 23:01:31 +0530
+Subject: ASoC: simple-card-utils: Do not handle device clock
+
+From: Sameer Pujar <spujar@nvidia.com>
+
+commit 8ca88d53351cc58d535b2bfc7386835378fb0db2 upstream.
+
+This reverts commit 1e30f642cf29 ("ASoC: simple-card-utils: Fix device
+module clock"). The original patch ended up breaking following platform,
+which depends on set_sysclk() to configure internal PLL on wm8904 codec
+and expects simple-card-utils to not update the MCLK rate.
+ - "arch/arm64/boot/dts/freescale/fsl-ls1028a-kontron-sl28-var3-ads2.dts"
+
+It would be best if codec takes care of setting MCLK clock via DAI
+set_sysclk() callback.
+
+Reported-by: Michael Walle <michael@walle.cc>
+Suggested-by: Mark Brown <broonie@kernel.org>
+Suggested-by: Michael Walle <michael@walle.cc>
+Fixes: 1e30f642cf29 ("ASoC: simple-card-utils: Fix device module clock")
+Signed-off-by: Sameer Pujar <spujar@nvidia.com>
+Tested-by: Michael Walle <michael@walle.cc>
+Link: https://lore.kernel.org/r/1615829492-8972-2-git-send-email-spujar@nvidia.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/generic/simple-card-utils.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/sound/soc/generic/simple-card-utils.c
++++ b/sound/soc/generic/simple-card-utils.c
+@@ -172,15 +172,16 @@ int asoc_simple_parse_clk(struct device
+ * or device's module clock.
+ */
+ clk = devm_get_clk_from_child(dev, node, NULL);
+- if (IS_ERR(clk))
+- clk = devm_get_clk_from_child(dev, dlc->of_node, NULL);
+-
+ if (!IS_ERR(clk)) {
+- simple_dai->clk = clk;
+ simple_dai->sysclk = clk_get_rate(clk);
+- } else if (!of_property_read_u32(node, "system-clock-frequency",
+- &val)) {
++
++ simple_dai->clk = clk;
++ } else if (!of_property_read_u32(node, "system-clock-frequency", &val)) {
+ simple_dai->sysclk = val;
++ } else {
++ clk = devm_get_clk_from_child(dev, dlc->of_node, NULL);
++ if (!IS_ERR(clk))
++ simple_dai->sysclk = clk_get_rate(clk);
+ }
+
+ if (of_property_read_bool(node, "system-clock-direction-out"))
--- /dev/null
+From fd8299181995093948ec6ca75432e797b4a39143 Mon Sep 17 00:00:00 2001
+From: Pan Xiuli <xiuli.pan@linux.intel.com>
+Date: Mon, 8 Mar 2021 18:41:27 -0600
+Subject: ASoC: SOF: intel: fix wrong poll bits in dsp power down
+
+From: Pan Xiuli <xiuli.pan@linux.intel.com>
+
+commit fd8299181995093948ec6ca75432e797b4a39143 upstream.
+
+The ADSPCS_SPA is Set Power Active bit. To check if DSP is powered
+down, we need to check ADSPCS_CPA, the Current Power Active bit.
+
+Fixes: 747503b1813a3 ("ASoC: SOF: Intel: Add Intel specific HDA DSP HW operations")
+Reviewed-by: Rander Wang <rander.wang@intel.com>
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Signed-off-by: Pan Xiuli <xiuli.pan@linux.intel.com>
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20210309004127.4940-1-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/sof/intel/hda-dsp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/sof/intel/hda-dsp.c
++++ b/sound/soc/sof/intel/hda-dsp.c
+@@ -207,7 +207,7 @@ int hda_dsp_core_power_down(struct snd_s
+
+ ret = snd_sof_dsp_read_poll_timeout(sdev, HDA_DSP_BAR,
+ HDA_DSP_REG_ADSPCS, adspcs,
+- !(adspcs & HDA_DSP_ADSPCS_SPA_MASK(core_mask)),
++ !(adspcs & HDA_DSP_ADSPCS_CPA_MASK(core_mask)),
+ HDA_DSP_REG_POLL_INTERVAL_US,
+ HDA_DSP_PD_TIMEOUT * USEC_PER_MSEC);
+ if (ret < 0)
--- /dev/null
+From 5bb0ecddb2a7f638d65e457f3da9fa334c967b14 Mon Sep 17 00:00:00 2001
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Date: Mon, 1 Mar 2021 18:34:10 -0600
+Subject: ASoC: SOF: Intel: unregister DMIC device on probe error
+
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+
+commit 5bb0ecddb2a7f638d65e457f3da9fa334c967b14 upstream.
+
+We only unregister the platform device during the .remove operation,
+but if the probe fails we will never reach this sequence.
+
+Suggested-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Fixes: dd96daca6c83e ("ASoC: SOF: Intel: Add APL/CNL HW DSP support")
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Reviewed-by: Guennadi Liakhovetski <guennadi.liakhovetski@linux.intel.com>
+Link: https://lore.kernel.org/r/20210302003410.1178535-1-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/sof/intel/hda.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/soc/sof/intel/hda.c
++++ b/sound/soc/sof/intel/hda.c
+@@ -898,6 +898,7 @@ free_streams:
+ /* dsp_unmap: not currently used */
+ iounmap(sdev->bar[HDA_DSP_BAR]);
+ hdac_bus_unmap:
++ platform_device_unregister(hdev->dmic_dev);
+ iounmap(bus->remap_addr);
+ hda_codec_i915_exit(sdev);
+ err:
--- /dev/null
+From 6a77c6bb7260bd5000f95df454d9f8cdb1af7132 Mon Sep 17 00:00:00 2001
+From: Umesh Nerlige Ramappa <umesh.nerlige.ramappa@intel.com>
+Date: Fri, 5 Mar 2021 13:09:47 -0800
+Subject: i915/perf: Start hrtimer only if sampling the OA buffer
+
+From: Umesh Nerlige Ramappa <umesh.nerlige.ramappa@intel.com>
+
+commit 6a77c6bb7260bd5000f95df454d9f8cdb1af7132 upstream.
+
+SAMPLE_OA parameter enables sampling of OA buffer and results in a call
+to init the OA buffer which initializes the OA unit head/tail pointers.
+The OA_EXPONENT parameter controls the periodicity of the OA reports in
+the OA buffer and results in starting a hrtimer.
+
+Before gen12, all use cases required the use of the OA buffer and i915
+enforced this setting when vetting out the parameters passed. In these
+platforms the hrtimer was enabled if OA_EXPONENT was passed. This worked
+fine since it was implied that SAMPLE_OA is always passed.
+
+With gen12, this changed. Users can use perf without enabling the OA
+buffer as in OAR use cases. While an OAR use case should ideally not
+start the hrtimer, we see that passing an OA_EXPONENT parameter will
+start the hrtimer even though SAMPLE_OA is not specified. This results
+in an uninitialized OA buffer, so the head/tail pointers used to track
+the buffer are zero.
+
+This itself does not fail, but if we ran a use-case that SAMPLED the OA
+buffer previously, then the OA_TAIL register is still pointing to an old
+value. When the timer callback runs, it ends up calculating a
+wrong/large number of available reports. Since we do a spinlock_irq_save
+and start processing a large number of reports, NMI watchdog fires and
+causes a crash.
+
+Start the timer only if SAMPLE_OA is specified.
+
+v2:
+- Drop SAMPLE OA check when appending samples (Ashutosh)
+- Prevent read if OA buffer is not being sampled
+
+Fixes: 00a7f0d7155c ("drm/i915/tgl: Add perf support on TGL")
+Signed-off-by: Umesh Nerlige Ramappa <umesh.nerlige.ramappa@intel.com>
+Reviewed-by: Ashutosh Dixit <ashutosh.dixit@intel.com>
+Signed-off-by: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210305210947.58751-1-umesh.nerlige.ramappa@intel.com
+(cherry picked from commit be0bdd67fda9468156c733976688f6487d0c42f7)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/i915_perf.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_perf.c
++++ b/drivers/gpu/drm/i915/i915_perf.c
+@@ -600,7 +600,6 @@ static int append_oa_sample(struct i915_
+ {
+ int report_size = stream->oa_buffer.format_size;
+ struct drm_i915_perf_record_header header;
+- u32 sample_flags = stream->sample_flags;
+
+ header.type = DRM_I915_PERF_RECORD_SAMPLE;
+ header.pad = 0;
+@@ -614,10 +613,8 @@ static int append_oa_sample(struct i915_
+ return -EFAULT;
+ buf += sizeof(header);
+
+- if (sample_flags & SAMPLE_OA_REPORT) {
+- if (copy_to_user(buf, report, report_size))
+- return -EFAULT;
+- }
++ if (copy_to_user(buf, report, report_size))
++ return -EFAULT;
+
+ (*offset) += header.size;
+
+@@ -2676,7 +2673,7 @@ static void i915_oa_stream_enable(struct
+
+ stream->perf->ops.oa_enable(stream);
+
+- if (stream->periodic)
++ if (stream->sample_flags & SAMPLE_OA_REPORT)
+ hrtimer_start(&stream->poll_check_timer,
+ ns_to_ktime(stream->poll_oa_period),
+ HRTIMER_MODE_REL_PINNED);
+@@ -2739,7 +2736,7 @@ static void i915_oa_stream_disable(struc
+ {
+ stream->perf->ops.oa_disable(stream);
+
+- if (stream->periodic)
++ if (stream->sample_flags & SAMPLE_OA_REPORT)
+ hrtimer_cancel(&stream->poll_check_timer);
+ }
+
+@@ -3022,7 +3019,7 @@ static ssize_t i915_perf_read(struct fil
+ * disabled stream as an error. In particular it might otherwise lead
+ * to a deadlock for blocking file descriptors...
+ */
+- if (!stream->enabled)
++ if (!stream->enabled || !(stream->sample_flags & SAMPLE_OA_REPORT))
+ return -EIO;
+
+ if (!(file->f_flags & O_NONBLOCK)) {
--- /dev/null
+From bfdd89f232aa2de5a4b3fc985cba894148b830a8 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Wed, 24 Feb 2021 13:39:50 -0500
+Subject: nfsd: don't abort copies early
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+commit bfdd89f232aa2de5a4b3fc985cba894148b830a8 upstream.
+
+The typical result of the backwards comparison here is that the source
+server in a server-to-server copy will return BAD_STATEID within a few
+seconds of the copy starting, instead of giving the copy a full lease
+period, so the copy_file_range() call will end up unnecessarily
+returning a short read.
+
+Fixes: 624322f1adc5 "NFSD add COPY_NOTIFY operation"
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4state.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -5372,7 +5372,7 @@ nfs4_laundromat(struct nfsd_net *nn)
+ idr_for_each_entry(&nn->s2s_cp_stateids, cps_t, i) {
+ cps = container_of(cps_t, struct nfs4_cpntf_state, cp_stateid);
+ if (cps->cp_stateid.sc_type == NFS4_COPYNOTIFY_STID &&
+- cps->cpntf_time > cutoff)
++ cps->cpntf_time < cutoff)
+ _free_cpntf_state_locked(nn, cps);
+ }
+ spin_unlock(&nn->s2s_cp_lock);
--- /dev/null
+From d30881f573e565ebb5dbb50b31ed6106b5c81328 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Thu, 18 Feb 2021 21:02:07 -0500
+Subject: nfsd: Don't keep looking up unhashed files in the nfsd file cache
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit d30881f573e565ebb5dbb50b31ed6106b5c81328 upstream.
+
+If a file is unhashed, then we're going to reject it anyway and retry,
+so make sure we skip it when we're doing the RCU lockless lookup.
+This avoids a number of unnecessary nfserr_jukebox returns from
+nfsd_file_acquire()
+
+Fixes: 65294c1f2c5e ("nfsd: add a new struct file caching facility to nfsd")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/filecache.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/nfsd/filecache.c
++++ b/fs/nfsd/filecache.c
+@@ -897,6 +897,8 @@ nfsd_file_find_locked(struct inode *inod
+ continue;
+ if (!nfsd_match_cred(nf->nf_cred, current_cred()))
+ continue;
++ if (!test_bit(NFSD_FILE_HASHED, &nf->nf_flags))
++ continue;
+ if (nfsd_file_get(nf) != NULL)
+ return nf;
+ }
--- /dev/null
+From 614c9750173e412663728215152cc6d12bcb3425 Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia <kolga@netapp.com>
+Date: Tue, 9 Mar 2021 09:41:14 -0500
+Subject: NFSD: fix dest to src mount in inter-server COPY
+
+From: Olga Kornievskaia <kolga@netapp.com>
+
+commit 614c9750173e412663728215152cc6d12bcb3425 upstream.
+
+A cleanup of the inter SSC copy needs to call fput() of the source
+file handle to make sure that file structure is freed as well as
+drop the reference on the superblock to unmount the source server.
+
+Fixes: 36e1e5ba90fb ("NFSD: Fix use-after-free warning when doing inter-server copy")
+Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Tested-by: Dai Ngo <dai.ngo@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4proc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1299,7 +1299,7 @@ nfsd4_cleanup_inter_ssc(struct vfsmount
+ struct nfsd_file *dst)
+ {
+ nfs42_ssc_close(src->nf_file);
+- /* 'src' is freed by nfsd4_do_async_copy */
++ fput(src->nf_file);
+ nfsd_file_put(dst);
+ mntput(ss_mnt);
+ }
--- /dev/null
+From c7de87ff9dac5f396f62d584f3908f80ddc0e07b Mon Sep 17 00:00:00 2001
+From: Joe Korty <joe.korty@concurrent-rt.com>
+Date: Fri, 26 Feb 2021 09:38:20 -0500
+Subject: NFSD: Repair misuse of sv_lock in 5.10.16-rt30.
+
+From: Joe Korty <joe.korty@concurrent-rt.com>
+
+commit c7de87ff9dac5f396f62d584f3908f80ddc0e07b upstream.
+
+[ This problem is in mainline, but only rt has the chops to be
+able to detect it. ]
+
+Lockdep reports a circular lock dependency between serv->sv_lock and
+softirq_ctl.lock on system shutdown, when using a kernel built with
+CONFIG_PREEMPT_RT=y, and a nfs mount exists.
+
+This is due to the definition of spin_lock_bh on rt:
+
+ local_bh_disable();
+ rt_spin_lock(lock);
+
+which forces a softirq_ctl.lock -> serv->sv_lock dependency. This is
+not a problem as long as _every_ lock of serv->sv_lock is a:
+
+ spin_lock_bh(&serv->sv_lock);
+
+but there is one of the form:
+
+ spin_lock(&serv->sv_lock);
+
+This is what is causing the circular dependency splat. The spin_lock()
+grabs the lock without first grabbing softirq_ctl.lock via local_bh_disable.
+If later on in the critical region, someone does a local_bh_disable, we
+get a serv->sv_lock -> softirq_ctrl.lock dependency established. Deadlock.
+
+Fix is to make serv->sv_lock be locked with spin_lock_bh everywhere, no
+exceptions.
+
+[ OK ] Stopped target NFS client services.
+ Stopping Logout off all iSCSI sessions on shutdown...
+ Stopping NFS server and services...
+[ 109.442380]
+[ 109.442385] ======================================================
+[ 109.442386] WARNING: possible circular locking dependency detected
+[ 109.442387] 5.10.16-rt30 #1 Not tainted
+[ 109.442389] ------------------------------------------------------
+[ 109.442390] nfsd/1032 is trying to acquire lock:
+[ 109.442392] ffff994237617f60 ((softirq_ctrl.lock).lock){+.+.}-{2:2}, at: __local_bh_disable_ip+0xd9/0x270
+[ 109.442405]
+[ 109.442405] but task is already holding lock:
+[ 109.442406] ffff994245cb00b0 (&serv->sv_lock){+.+.}-{0:0}, at: svc_close_list+0x1f/0x90
+[ 109.442415]
+[ 109.442415] which lock already depends on the new lock.
+[ 109.442415]
+[ 109.442416]
+[ 109.442416] the existing dependency chain (in reverse order) is:
+[ 109.442417]
+[ 109.442417] -> #1 (&serv->sv_lock){+.+.}-{0:0}:
+[ 109.442421] rt_spin_lock+0x2b/0xc0
+[ 109.442428] svc_add_new_perm_xprt+0x42/0xa0
+[ 109.442430] svc_addsock+0x135/0x220
+[ 109.442434] write_ports+0x4b3/0x620
+[ 109.442438] nfsctl_transaction_write+0x45/0x80
+[ 109.442440] vfs_write+0xff/0x420
+[ 109.442444] ksys_write+0x4f/0xc0
+[ 109.442446] do_syscall_64+0x33/0x40
+[ 109.442450] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 109.442454]
+[ 109.442454] -> #0 ((softirq_ctrl.lock).lock){+.+.}-{2:2}:
+[ 109.442457] __lock_acquire+0x1264/0x20b0
+[ 109.442463] lock_acquire+0xc2/0x400
+[ 109.442466] rt_spin_lock+0x2b/0xc0
+[ 109.442469] __local_bh_disable_ip+0xd9/0x270
+[ 109.442471] svc_xprt_do_enqueue+0xc0/0x4d0
+[ 109.442474] svc_close_list+0x60/0x90
+[ 109.442476] svc_close_net+0x49/0x1a0
+[ 109.442478] svc_shutdown_net+0x12/0x40
+[ 109.442480] nfsd_destroy+0xc5/0x180
+[ 109.442482] nfsd+0x1bc/0x270
+[ 109.442483] kthread+0x194/0x1b0
+[ 109.442487] ret_from_fork+0x22/0x30
+[ 109.442492]
+[ 109.442492] other info that might help us debug this:
+[ 109.442492]
+[ 109.442493] Possible unsafe locking scenario:
+[ 109.442493]
+[ 109.442493] CPU0 CPU1
+[ 109.442494] ---- ----
+[ 109.442495] lock(&serv->sv_lock);
+[ 109.442496] lock((softirq_ctrl.lock).lock);
+[ 109.442498] lock(&serv->sv_lock);
+[ 109.442499] lock((softirq_ctrl.lock).lock);
+[ 109.442501]
+[ 109.442501] *** DEADLOCK ***
+[ 109.442501]
+[ 109.442501] 3 locks held by nfsd/1032:
+[ 109.442503] #0: ffffffff93b49258 (nfsd_mutex){+.+.}-{3:3}, at: nfsd+0x19a/0x270
+[ 109.442508] #1: ffff994245cb00b0 (&serv->sv_lock){+.+.}-{0:0}, at: svc_close_list+0x1f/0x90
+[ 109.442512] #2: ffffffff93a81b20 (rcu_read_lock){....}-{1:2}, at: rt_spin_lock+0x5/0xc0
+[ 109.442518]
+[ 109.442518] stack backtrace:
+[ 109.442519] CPU: 0 PID: 1032 Comm: nfsd Not tainted 5.10.16-rt30 #1
+[ 109.442522] Hardware name: Supermicro X9DRL-3F/iF/X9DRL-3F/iF, BIOS 3.2 09/22/2015
+[ 109.442524] Call Trace:
+[ 109.442527] dump_stack+0x77/0x97
+[ 109.442533] check_noncircular+0xdc/0xf0
+[ 109.442546] __lock_acquire+0x1264/0x20b0
+[ 109.442553] lock_acquire+0xc2/0x400
+[ 109.442564] rt_spin_lock+0x2b/0xc0
+[ 109.442570] __local_bh_disable_ip+0xd9/0x270
+[ 109.442573] svc_xprt_do_enqueue+0xc0/0x4d0
+[ 109.442577] svc_close_list+0x60/0x90
+[ 109.442581] svc_close_net+0x49/0x1a0
+[ 109.442585] svc_shutdown_net+0x12/0x40
+[ 109.442588] nfsd_destroy+0xc5/0x180
+[ 109.442590] nfsd+0x1bc/0x270
+[ 109.442595] kthread+0x194/0x1b0
+[ 109.442600] ret_from_fork+0x22/0x30
+[ 109.518225] nfsd: last server has exited, flushing export cache
+[ OK ] Stopped NFSv4 ID-name mapping service.
+[ OK ] Stopped GSSAPI Proxy Daemon.
+[ OK ] Stopped NFS Mount Daemon.
+[ OK ] Stopped NFS status monitor for NFSv2/3 locking..
+
+Fixes: 719f8bcc883e ("svcrpc: fix xpt_list traversal locking on shutdown")
+Signed-off-by: Joe Korty <joe.korty@concurrent-rt.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sunrpc/svc_xprt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/sunrpc/svc_xprt.c
++++ b/net/sunrpc/svc_xprt.c
+@@ -1062,7 +1062,7 @@ static int svc_close_list(struct svc_ser
+ struct svc_xprt *xprt;
+ int ret = 0;
+
+- spin_lock(&serv->sv_lock);
++ spin_lock_bh(&serv->sv_lock);
+ list_for_each_entry(xprt, xprt_list, xpt_list) {
+ if (xprt->xpt_net != net)
+ continue;
+@@ -1070,7 +1070,7 @@ static int svc_close_list(struct svc_ser
+ set_bit(XPT_CLOSE, &xprt->xpt_flags);
+ svc_xprt_enqueue(xprt);
+ }
+- spin_unlock(&serv->sv_lock);
++ spin_unlock_bh(&serv->sv_lock);
+ return ret;
+ }
+
--- /dev/null
+From b94e8cd2e6a94fc7563529ddc82726a7e77e04de Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Mon, 15 Mar 2021 10:32:07 +0100
+Subject: nvme: fix Write Zeroes limitations
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit b94e8cd2e6a94fc7563529ddc82726a7e77e04de upstream.
+
+We voluntarily limit the Write Zeroes sizes to the MDTS value provided by
+the hardware, but currently get the units wrong, so fix that.
+
+Fixes: 6e02318eaea5 ("nvme: add support for the Write Zeroes command")
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Tested-by: Klaus Jensen <k.jensen@samsung.com>
+Reviewed-by: Klaus Jensen <k.jensen@samsung.com>
+Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/core.c | 38 +++++++++++++-------------------------
+ 1 file changed, 13 insertions(+), 25 deletions(-)
+
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -1894,30 +1894,18 @@ static void nvme_config_discard(struct g
+ blk_queue_max_write_zeroes_sectors(queue, UINT_MAX);
+ }
+
+-static void nvme_config_write_zeroes(struct gendisk *disk, struct nvme_ns *ns)
+-{
+- u64 max_blocks;
+-
+- if (!(ns->ctrl->oncs & NVME_CTRL_ONCS_WRITE_ZEROES) ||
+- (ns->ctrl->quirks & NVME_QUIRK_DISABLE_WRITE_ZEROES))
+- return;
+- /*
+- * Even though NVMe spec explicitly states that MDTS is not
+- * applicable to the write-zeroes:- "The restriction does not apply to
+- * commands that do not transfer data between the host and the
+- * controller (e.g., Write Uncorrectable ro Write Zeroes command).".
+- * In order to be more cautious use controller's max_hw_sectors value
+- * to configure the maximum sectors for the write-zeroes which is
+- * configured based on the controller's MDTS field in the
+- * nvme_init_identify() if available.
+- */
+- if (ns->ctrl->max_hw_sectors == UINT_MAX)
+- max_blocks = (u64)USHRT_MAX + 1;
+- else
+- max_blocks = ns->ctrl->max_hw_sectors + 1;
+-
+- blk_queue_max_write_zeroes_sectors(disk->queue,
+- nvme_lba_to_sect(ns, max_blocks));
++/*
++ * Even though NVMe spec explicitly states that MDTS is not applicable to the
++ * write-zeroes, we are cautious and limit the size to the controllers
++ * max_hw_sectors value, which is based on the MDTS field and possibly other
++ * limiting factors.
++ */
++static void nvme_config_write_zeroes(struct request_queue *q,
++ struct nvme_ctrl *ctrl)
++{
++ if ((ctrl->oncs & NVME_CTRL_ONCS_WRITE_ZEROES) &&
++ !(ctrl->quirks & NVME_QUIRK_DISABLE_WRITE_ZEROES))
++ blk_queue_max_write_zeroes_sectors(q, ctrl->max_hw_sectors);
+ }
+
+ static bool nvme_ns_ids_valid(struct nvme_ns_ids *ids)
+@@ -2089,7 +2077,7 @@ static void nvme_update_disk_info(struct
+ set_capacity_revalidate_and_notify(disk, capacity, false);
+
+ nvme_config_discard(disk, ns);
+- nvme_config_write_zeroes(disk, ns);
++ nvme_config_write_zeroes(disk->queue, ns->ctrl);
+
+ if (id->nsattr & NVME_NS_ATTR_RO)
+ set_disk_ro(disk, true);
--- /dev/null
+From fd0823f405090f9f410fc3e3ff7efb52e7b486fa Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Mon, 15 Mar 2021 14:08:11 -0700
+Subject: nvme-tcp: fix a NULL deref when receiving a 0-length r2t PDU
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+commit fd0823f405090f9f410fc3e3ff7efb52e7b486fa upstream.
+
+When the controller sends us a 0-length r2t PDU we should not attempt to
+try to set up a h2cdata PDU but rather conclude that this is a buggy
+controller (forward progress is not possible) and simply fail it
+immediately.
+
+Fixes: 3f2304f8c6d6 ("nvme-tcp: add NVMe over TCP host driver")
+Reported-by: Belanger, Martin <Martin.Belanger@dell.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/tcp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/nvme/host/tcp.c
++++ b/drivers/nvme/host/tcp.c
+@@ -568,6 +568,13 @@ static int nvme_tcp_setup_h2c_data_pdu(s
+ req->pdu_len = le32_to_cpu(pdu->r2t_length);
+ req->pdu_sent = 0;
+
++ if (unlikely(!req->pdu_len)) {
++ dev_err(queue->ctrl->ctrl.device,
++ "req %d r2t len is %u, probably a bug...\n",
++ rq->tag, req->pdu_len);
++ return -EPROTO;
++ }
++
+ if (unlikely(req->data_sent + req->pdu_len > req->data_len)) {
+ dev_err(queue->ctrl->ctrl.device,
+ "req %d r2t len %u exceeded data len %u (%zu sent)\n",
--- /dev/null
+From bb83337058a7000644cdeffc67361d2473534756 Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Mon, 15 Mar 2021 13:53:47 -0700
+Subject: nvme-tcp: fix misuse of __smp_processor_id with preemption enabled
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+commit bb83337058a7000644cdeffc67361d2473534756 upstream.
+
+For our pure advisory use-case, we only rely on this call as a hint, so
+fix the warning complaints of using the smp_processor_id variants with
+preemption enabled.
+
+Fixes: db5ad6b7f8cd ("nvme-tcp: try to send request in queue_rq context")
+Fixes: ada831772188 ("nvme-tcp: Fix warning with CONFIG_DEBUG_PREEMPT")
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Tested-by: Yi Zhang <yi.zhang@redhat.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/tcp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/tcp.c
++++ b/drivers/nvme/host/tcp.c
+@@ -287,7 +287,7 @@ static inline void nvme_tcp_queue_reques
+ * directly, otherwise queue io_work. Also, only do that if we
+ * are on the same cpu, so we don't introduce contention.
+ */
+- if (queue->io_cpu == __smp_processor_id() &&
++ if (queue->io_cpu == raw_smp_processor_id() &&
+ sync && empty && mutex_trylock(&queue->send_mutex)) {
+ queue->more_requests = !last;
+ nvme_tcp_send_all(queue);
--- /dev/null
+From 72f572428b83d0bc7028e7c4326d1a5f45205e44 Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Mon, 15 Mar 2021 14:04:26 -0700
+Subject: nvme-tcp: fix possible hang when failing to set io queues
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+commit 72f572428b83d0bc7028e7c4326d1a5f45205e44 upstream.
+
+We only setup io queues for nvme controllers, and it makes absolutely no
+sense to allow a controller (re)connect without any I/O queues. If we
+happen to fail setting the queue count for any reason, we should not
+allow this to be a successful reconnect as I/O has no chance in going
+through. Instead just fail and schedule another reconnect.
+
+Fixes: 3f2304f8c6d6 ("nvme-tcp: add NVMe over TCP host driver")
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/tcp.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/nvme/host/tcp.c
++++ b/drivers/nvme/host/tcp.c
+@@ -1748,8 +1748,11 @@ static int nvme_tcp_alloc_io_queues(stru
+ return ret;
+
+ ctrl->queue_count = nr_io_queues + 1;
+- if (ctrl->queue_count < 2)
+- return 0;
++ if (ctrl->queue_count < 2) {
++ dev_err(ctrl->device,
++ "unable to set any I/O queues\n");
++ return -ENOMEM;
++ }
+
+ dev_info(ctrl->device,
+ "creating %d I/O queues.\n", nr_io_queues);
--- /dev/null
+From d218a8a3003e84ab136e69a4e30dd4ec7dab2d22 Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Mon, 15 Mar 2021 15:34:51 -0700
+Subject: nvmet: don't check iosqes,iocqes for discovery controllers
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+commit d218a8a3003e84ab136e69a4e30dd4ec7dab2d22 upstream.
+
+From the base spec, Figure 78:
+
+ "Controller Configuration, these fields are defined as parameters to
+ configure an "I/O Controller (IOC)" and not to configure a "Discovery
+ Controller (DC).
+
+ ...
+ If the controller does not support I/O queues, then this field shall
+ be read-only with a value of 0h
+
+Just perform this check for I/O controllers.
+
+Fixes: a07b4970f464 ("nvmet: add a generic NVMe target")
+Reported-by: Belanger, Martin <Martin.Belanger@dell.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/target/core.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+--- a/drivers/nvme/target/core.c
++++ b/drivers/nvme/target/core.c
+@@ -1109,9 +1109,20 @@ static void nvmet_start_ctrl(struct nvme
+ {
+ lockdep_assert_held(&ctrl->lock);
+
+- if (nvmet_cc_iosqes(ctrl->cc) != NVME_NVM_IOSQES ||
+- nvmet_cc_iocqes(ctrl->cc) != NVME_NVM_IOCQES ||
+- nvmet_cc_mps(ctrl->cc) != 0 ||
++ /*
++ * Only I/O controllers should verify iosqes,iocqes.
++ * Strictly speaking, the spec says a discovery controller
++ * should verify iosqes,iocqes are zeroed, however that
++ * would break backwards compatibility, so don't enforce it.
++ */
++ if (ctrl->subsys->type != NVME_NQN_DISC &&
++ (nvmet_cc_iosqes(ctrl->cc) != NVME_NVM_IOSQES ||
++ nvmet_cc_iocqes(ctrl->cc) != NVME_NVM_IOCQES)) {
++ ctrl->csts = NVME_CSTS_CFS;
++ return;
++ }
++
++ if (nvmet_cc_mps(ctrl->cc) != 0 ||
+ nvmet_cc_ams(ctrl->cc) != 0 ||
+ nvmet_cc_css(ctrl->cc) != 0) {
+ ctrl->csts = NVME_CSTS_CFS;
vhost-vdpa-fix-use-after-free-of-v-config_ctx.patch
vhost-vdpa-set-v-config_ctx-to-null-if-eventfd_ctx_fdget-fails.patch
drm-amd-display-correct-algorithm-for-reversed-gamma.patch
+asoc-fsl_ssi-fix-tdm-slot-setup-for-i2s-mode.patch
+asoc-intel-bytcr_rt5640-fix-hp-pavilion-x2-10-p0xx-ovcd-current-threshold.patch
+asoc-sof-intel-unregister-dmic-device-on-probe-error.patch
+asoc-sof-intel-fix-wrong-poll-bits-in-dsp-power-down.patch
+asoc-qcom-sdm845-fix-array-out-of-bounds-access.patch
+asoc-qcom-sdm845-fix-array-out-of-range-on-rx-slim-channels.patch
+asoc-codecs-wcd934x-add-a-sanity-check-in-set-channel-map.patch
+asoc-qcom-lpass-cpu-fix-lpass-dai-ids-parse.patch
+asoc-simple-card-utils-do-not-handle-device-clock.patch
+afs-fix-accessing-yfs-xattrs-on-a-non-yfs-server.patch
+afs-stop-listxattr-from-listing-afs.-attributes.patch
+alsa-usb-audio-fix-unintentional-sign-extension-issue.patch
+nvme-fix-write-zeroes-limitations.patch
+nvme-tcp-fix-misuse-of-__smp_processor_id-with-preemption-enabled.patch
+nvme-tcp-fix-possible-hang-when-failing-to-set-io-queues.patch
+nvme-tcp-fix-a-null-deref-when-receiving-a-0-length-r2t-pdu.patch
+nvmet-don-t-check-iosqes-iocqes-for-discovery-controllers.patch
+nfsd-don-t-keep-looking-up-unhashed-files-in-the-nfsd-file-cache.patch
+nfsd-don-t-abort-copies-early.patch
+nfsd-repair-misuse-of-sv_lock-in-5.10.16-rt30.patch
+nfsd-fix-dest-to-src-mount-in-inter-server-copy.patch
+svcrdma-disable-timeouts-on-rdma-backchannel.patch
+vfio-iommu_api-should-be-selected.patch
+vhost_vdpa-fix-the-missing-irq_bypass_unregister_producer-invocation.patch
+sunrpc-fix-refcount-leak-for-rpc-auth-modules.patch
+i915-perf-start-hrtimer-only-if-sampling-the-oa-buffer.patch
--- /dev/null
+From f1442d6349a2e7bb7a6134791bdc26cb776c79af Mon Sep 17 00:00:00 2001
+From: Daniel Kobras <kobras@puzzle-itc.de>
+Date: Sat, 27 Feb 2021 00:04:37 +0100
+Subject: sunrpc: fix refcount leak for rpc auth modules
+
+From: Daniel Kobras <kobras@puzzle-itc.de>
+
+commit f1442d6349a2e7bb7a6134791bdc26cb776c79af upstream.
+
+If an auth module's accept op returns SVC_CLOSE, svc_process_common()
+enters a call path that does not call svc_authorise() before leaving the
+function, and thus leaks a reference on the auth module's refcount. Hence,
+make sure calls to svc_authenticate() and svc_authorise() are paired for
+all call paths, to make sure rpc auth modules can be unloaded.
+
+Signed-off-by: Daniel Kobras <kobras@puzzle-itc.de>
+Fixes: 4d712ef1db05 ("svcauth_gss: Close connection when dropping an incoming message")
+Link: https://lore.kernel.org/linux-nfs/3F1B347F-B809-478F-A1E9-0BE98E22B0F0@oracle.com/T/#t
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sunrpc/svc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/sunrpc/svc.c
++++ b/net/sunrpc/svc.c
+@@ -1408,7 +1408,7 @@ svc_process_common(struct svc_rqst *rqst
+
+ sendit:
+ if (svc_authorise(rqstp))
+- goto close;
++ goto close_xprt;
+ return 1; /* Caller can now send it */
+
+ release_dropit:
+@@ -1420,6 +1420,8 @@ release_dropit:
+ return 0;
+
+ close:
++ svc_authorise(rqstp);
++close_xprt:
+ if (rqstp->rq_xprt && test_bit(XPT_TEMP, &rqstp->rq_xprt->xpt_flags))
+ svc_close_xprt(rqstp->rq_xprt);
+ dprintk("svc: svc_process close\n");
+@@ -1428,7 +1430,7 @@ release_dropit:
+ err_short_len:
+ svc_printk(rqstp, "short len %zd, dropping request\n",
+ argv->iov_len);
+- goto close;
++ goto close_xprt;
+
+ err_bad_rpc:
+ serv->sv_stats->rpcbadfmt++;
--- /dev/null
+From 6820bf77864d5894ff67b5c00d7dba8f92011e3d Mon Sep 17 00:00:00 2001
+From: Timo Rothenpieler <timo@rothenpieler.org>
+Date: Tue, 23 Feb 2021 00:36:19 +0100
+Subject: svcrdma: disable timeouts on rdma backchannel
+
+From: Timo Rothenpieler <timo@rothenpieler.org>
+
+commit 6820bf77864d5894ff67b5c00d7dba8f92011e3d upstream.
+
+This brings it in line with the regular tcp backchannel, which also has
+all those timeouts disabled.
+
+Prevents the backchannel from timing out, getting some async operations
+like server side copying getting stuck indefinitely on the client side.
+
+Signed-off-by: Timo Rothenpieler <timo@rothenpieler.org>
+Fixes: 5d252f90a800 ("svcrdma: Add class for RDMA backwards direction transport")
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sunrpc/xprtrdma/svc_rdma_backchannel.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/sunrpc/xprtrdma/svc_rdma_backchannel.c
++++ b/net/sunrpc/xprtrdma/svc_rdma_backchannel.c
+@@ -246,9 +246,9 @@ xprt_setup_rdma_bc(struct xprt_create *a
+ xprt->timeout = &xprt_rdma_bc_timeout;
+ xprt_set_bound(xprt);
+ xprt_set_connected(xprt);
+- xprt->bind_timeout = RPCRDMA_BIND_TO;
+- xprt->reestablish_timeout = RPCRDMA_INIT_REEST_TO;
+- xprt->idle_timeout = RPCRDMA_IDLE_DISC_TO;
++ xprt->bind_timeout = 0;
++ xprt->reestablish_timeout = 0;
++ xprt->idle_timeout = 0;
+
+ xprt->prot = XPRT_TRANSPORT_BC_RDMA;
+ xprt->ops = &xprt_rdma_bc_procs;
--- /dev/null
+From 179209fa12709a3df8888c323b37315da2683c24 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgg@nvidia.com>
+Date: Tue, 23 Feb 2021 15:17:46 -0400
+Subject: vfio: IOMMU_API should be selected
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+commit 179209fa12709a3df8888c323b37315da2683c24 upstream.
+
+As IOMMU_API is a kconfig without a description (eg does not show in the
+menu) the correct operator is select not 'depends on'. Using 'depends on'
+for this kind of symbol means VFIO is not selectable unless some other
+random kconfig has already enabled IOMMU_API for it.
+
+Fixes: cba3345cc494 ("vfio: VFIO core")
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Message-Id: <1-v1-df057e0f92c3+91-vfio_arm_compile_test_jgg@nvidia.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vfio/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/vfio/Kconfig
++++ b/drivers/vfio/Kconfig
+@@ -21,7 +21,7 @@ config VFIO_VIRQFD
+
+ menuconfig VFIO
+ tristate "VFIO Non-Privileged userspace driver framework"
+- depends on IOMMU_API
++ select IOMMU_API
+ select VFIO_IOMMU_TYPE1 if (X86 || S390 || ARM || ARM64)
+ help
+ VFIO provides a framework for secure userspace device drivers.
--- /dev/null
+From 4c050286bb202cffd5467c1cba982dff391d62e1 Mon Sep 17 00:00:00 2001
+From: Gautam Dawar <gdawar.xilinx@gmail.com>
+Date: Wed, 24 Feb 2021 17:18:45 +0530
+Subject: vhost_vdpa: fix the missing irq_bypass_unregister_producer() invocation
+
+From: Gautam Dawar <gdawar.xilinx@gmail.com>
+
+commit 4c050286bb202cffd5467c1cba982dff391d62e1 upstream.
+
+When qemu with vhost-vdpa netdevice is run for the first time,
+it works well. But after the VM is powered off, the next qemu run
+causes kernel panic due to a NULL pointer dereference in
+irq_bypass_register_producer().
+
+When the VM is powered off, vhost_vdpa_clean_irq() misses on calling
+irq_bypass_unregister_producer() for irq 0 because of the existing check.
+
+This leaves stale producer nodes, which are reset in
+vhost_vring_call_reset() when vhost_dev_init() is invoked during the
+second qemu run.
+
+As the node member of struct irq_bypass_producer is also initialized
+to zero, traversal on the producers list causes crash due to NULL
+pointer dereference.
+
+Fixes: 2cf1ba9a4d15c ("vhost_vdpa: implement IRQ offloading in vhost_vdpa")
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=211711
+Signed-off-by: Gautam Dawar <gdawar.xilinx@gmail.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Link: https://lore.kernel.org/r/20210224114845.104173-1-gdawar.xilinx@gmail.com
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/vdpa.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/drivers/vhost/vdpa.c
++++ b/drivers/vhost/vdpa.c
+@@ -910,14 +910,10 @@ err:
+
+ static void vhost_vdpa_clean_irq(struct vhost_vdpa *v)
+ {
+- struct vhost_virtqueue *vq;
+ int i;
+
+- for (i = 0; i < v->nvqs; i++) {
+- vq = &v->vqs[i];
+- if (vq->call_ctx.producer.irq)
+- irq_bypass_unregister_producer(&vq->call_ctx.producer);
+- }
++ for (i = 0; i < v->nvqs; i++)
++ vhost_vdpa_unsetup_vq_irq(v, i);
+ }
+
+ static int vhost_vdpa_release(struct inode *inode, struct file *filep)
projects / thirdparty / kernel / stable-queue.git / commitdiff
