--- /dev/null
+From 5ce00760a84848d008554c693ceb6286f4d9c509 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 29 Apr 2020 21:02:03 +0200
+Subject: ALSA: opti9xx: shut up gcc-10 range warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 5ce00760a84848d008554c693ceb6286f4d9c509 upstream.
+
+gcc-10 points out a few instances of suspicious integer arithmetic
+leading to value truncation:
+
+sound/isa/opti9xx/opti92x-ad1848.c: In function 'snd_opti9xx_configure':
+sound/isa/opti9xx/opti92x-ad1848.c:322:43: error: overflow in conversion from 'int' to 'unsigned char' changes value from '(int)snd_opti9xx_read(chip, 3) & -256 | 240' to '240' [-Werror=overflow]
+ 322 | (snd_opti9xx_read(chip, reg) & ~(mask)) | ((value) & (mask)))
+ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~
+sound/isa/opti9xx/opti92x-ad1848.c:351:3: note: in expansion of macro 'snd_opti9xx_write_mask'
+ 351 | snd_opti9xx_write_mask(chip, OPTi9XX_MC_REG(3), 0xf0, 0xff);
+ | ^~~~~~~~~~~~~~~~~~~~~~
+sound/isa/opti9xx/miro.c: In function 'snd_miro_configure':
+sound/isa/opti9xx/miro.c:873:40: error: overflow in conversion from 'int' to 'unsigned char' changes value from '(int)snd_miro_read(chip, 3) & -256 | 240' to '240' [-Werror=overflow]
+ 873 | (snd_miro_read(chip, reg) & ~(mask)) | ((value) & (mask)))
+ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~
+sound/isa/opti9xx/miro.c:1010:3: note: in expansion of macro 'snd_miro_write_mask'
+ 1010 | snd_miro_write_mask(chip, OPTi9XX_MC_REG(3), 0xf0, 0xff);
+ | ^~~~~~~~~~~~~~~~~~~
+
+These are all harmless here as only the low 8 bit are passed down
+anyway. Change the macros to inline functions to make the code
+more readable and also avoid the warning.
+
+Strictly speaking those functions also need locking to make the
+read/write pair atomic, but it seems unlikely that anyone would
+still run into that issue.
+
+Fixes: 1841f613fd2e ("[ALSA] Add snd-miro driver")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20200429190216.85919-1-arnd@arndb.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/isa/opti9xx/miro.c | 9 ++++++---
+ sound/isa/opti9xx/opti92x-ad1848.c | 9 ++++++---
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+
+--- a/sound/isa/opti9xx/miro.c
++++ b/sound/isa/opti9xx/miro.c
+@@ -867,10 +867,13 @@ static void snd_miro_write(struct snd_mi
+ spin_unlock_irqrestore(&chip->lock, flags);
+ }
+
++static inline void snd_miro_write_mask(struct snd_miro *chip,
++ unsigned char reg, unsigned char value, unsigned char mask)
++{
++ unsigned char oldval = snd_miro_read(chip, reg);
+
+-#define snd_miro_write_mask(chip, reg, value, mask) \
+- snd_miro_write(chip, reg, \
+- (snd_miro_read(chip, reg) & ~(mask)) | ((value) & (mask)))
++ snd_miro_write(chip, reg, (oldval & ~mask) | (value & mask));
++}
+
+ /*
+ * Proc Interface
+--- a/sound/isa/opti9xx/opti92x-ad1848.c
++++ b/sound/isa/opti9xx/opti92x-ad1848.c
+@@ -317,10 +317,13 @@ static void snd_opti9xx_write(struct snd
+ }
+
+
+-#define snd_opti9xx_write_mask(chip, reg, value, mask) \
+- snd_opti9xx_write(chip, reg, \
+- (snd_opti9xx_read(chip, reg) & ~(mask)) | ((value) & (mask)))
++static inline void snd_opti9xx_write_mask(struct snd_opti9xx *chip,
++ unsigned char reg, unsigned char value, unsigned char mask)
++{
++ unsigned char oldval = snd_opti9xx_read(chip, reg);
+
++ snd_opti9xx_write(chip, reg, (oldval & ~mask) | (value & mask));
++}
+
+ static int snd_opti9xx_configure(struct snd_opti9xx *chip,
+ long port,
--- /dev/null
+From 1578e5d03112e3e9d37e1c4d95b6dfb734c73955 Mon Sep 17 00:00:00 2001
+From: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Date: Wed, 29 Apr 2020 16:10:50 +0100
+Subject: arm64: vdso: Add -fasynchronous-unwind-tables to cflags
+
+From: Vincenzo Frascino <vincenzo.frascino@arm.com>
+
+commit 1578e5d03112e3e9d37e1c4d95b6dfb734c73955 upstream.
+
+On arm64 linux gcc uses -fasynchronous-unwind-tables -funwind-tables
+by default since gcc-8, so now the de facto platform ABI is to allow
+unwinding from async signal handlers.
+
+However on bare metal targets (aarch64-none-elf), and on old gcc,
+async and sync unwind tables are not enabled by default to avoid
+runtime memory costs.
+
+This means if linux is built with a baremetal toolchain the vdso.so
+may not have unwind tables which breaks the gcc platform ABI guarantee
+in userspace.
+
+Add -fasynchronous-unwind-tables explicitly to the vgettimeofday.o
+cflags to address the ABI change.
+
+Fixes: 28b1a824a4f4 ("arm64: vdso: Substitute gettimeofday() with C implementation")
+Cc: Will Deacon <will@kernel.org>
+Reported-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
+Signed-off-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/vdso/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/vdso/Makefile
++++ b/arch/arm64/kernel/vdso/Makefile
+@@ -32,7 +32,7 @@ UBSAN_SANITIZE := n
+ OBJECT_FILES_NON_STANDARD := y
+ KCOV_INSTRUMENT := n
+
+-CFLAGS_vgettimeofday.o = -O2 -mcmodel=tiny
++CFLAGS_vgettimeofday.o = -O2 -mcmodel=tiny -fasynchronous-unwind-tables
+
+ ifneq ($(c-gettimeofday-y),)
+ CFLAGS_vgettimeofday.o += -include $(c-gettimeofday-y)
--- /dev/null
+From b9f960201249f20deea586b4ec814669b4c6b1c0 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Fri, 24 Apr 2020 19:11:42 +0300
+Subject: dmaengine: dmatest: Fix iteration non-stop logic
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit b9f960201249f20deea586b4ec814669b4c6b1c0 upstream.
+
+Under some circumstances, i.e. when test is still running and about to
+time out and user runs, for example,
+
+ grep -H . /sys/module/dmatest/parameters/*
+
+the iterations parameter is not respected and test is going on and on until
+user gives
+
+ echo 0 > /sys/module/dmatest/parameters/run
+
+This is not what expected.
+
+The history of this bug is interesting. I though that the commit
+ 2d88ce76eb98 ("dmatest: add a 'wait' parameter")
+is a culprit, but looking closer to the code I think it simple revealed the
+broken logic from the day one, i.e. in the commit
+ 0a2ff57d6fba ("dmaengine: dmatest: add a maximum number of test iterations")
+which adds iterations parameter.
+
+So, to the point, the conditional of checking the thread to be stopped being
+first part of conjunction logic prevents to check iterations. Thus, we have to
+always check both conditions to be able to stop after given iterations.
+
+Since it wasn't visible before second commit appeared, I add a respective
+Fixes tag.
+
+Fixes: 2d88ce76eb98 ("dmatest: add a 'wait' parameter")
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Nicolas Ferre <nicolas.ferre@microchip.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Link: https://lore.kernel.org/r/20200424161147.16895-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/dmatest.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/dma/dmatest.c
++++ b/drivers/dma/dmatest.c
+@@ -662,8 +662,8 @@ static int dmatest_func(void *data)
+ flags = DMA_CTRL_ACK | DMA_PREP_INTERRUPT;
+
+ ktime = ktime_get();
+- while (!kthread_should_stop()
+- && !(params->iterations && total_tests >= params->iterations)) {
++ while (!(kthread_should_stop() ||
++ (params->iterations && total_tests >= params->iterations))) {
+ struct dma_async_tx_descriptor *tx = NULL;
+ struct dmaengine_unmap_data *um;
+ dma_addr_t *dsts;
--- /dev/null
+From aa72f1d20ee973d68f26d46fce5e1cf6f9b7e1ca Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Tue, 28 Apr 2020 14:35:18 +0300
+Subject: dmaengine: dmatest: Fix process hang when reading 'wait' parameter
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit aa72f1d20ee973d68f26d46fce5e1cf6f9b7e1ca upstream.
+
+If we do
+
+ % echo 1 > /sys/module/dmatest/parameters/run
+ [ 115.851124] dmatest: Could not start test, no channels configured
+
+ % echo dma8chan7 > /sys/module/dmatest/parameters/channel
+ [ 127.563872] dmatest: Added 1 threads using dma8chan7
+
+ % cat /sys/module/dmatest/parameters/wait
+ ... !!! HANG !!! ...
+
+The culprit is the commit 6138f967bccc
+
+ ("dmaengine: dmatest: Use fixed point div to calculate iops")
+
+which makes threads not to run, but pending and being kicked off by writing
+to the 'run' node. However, it forgot to consider 'wait' routine to avoid
+above mentioned case.
+
+In order to fix this, check for really running threads, i.e. with pending
+and done flags unset.
+
+It's pity the culprit commit hadn't updated documentation and tested all
+possible scenarios.
+
+Fixes: 6138f967bccc ("dmaengine: dmatest: Use fixed point div to calculate iops")
+Cc: Seraj Alijan <seraj.alijan@sondrel.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20200428113518.70620-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/dmatest.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma/dmatest.c
++++ b/drivers/dma/dmatest.c
+@@ -240,7 +240,7 @@ static bool is_threaded_test_run(struct
+ struct dmatest_thread *thread;
+
+ list_for_each_entry(thread, &dtc->threads, node) {
+- if (!thread->done)
++ if (!thread->done && !thread->pending)
+ return true;
+ }
+ }
--- /dev/null
+From dd7bc8158b413e0b580c491e8bd18cb91057c7c2 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 28 Apr 2020 21:27:48 +0100
+Subject: Fix use after free in get_tree_bdev()
+
+From: David Howells <dhowells@redhat.com>
+
+commit dd7bc8158b413e0b580c491e8bd18cb91057c7c2 upstream.
+
+Commit 6fcf0c72e4b9, a fix to get_tree_bdev() put a missing blkdev_put() in
+the wrong place, before a warnf() that displays the bdev under
+consideration rather after it.
+
+This results in a silent lockup in printk("%pg") called via warnf() from
+get_tree_bdev() under some circumstances when there's a race with the
+blockdev being frozen. This can be caused by xfstests/tests/generic/085 in
+combination with Lukas Czerner's ext4 mount API conversion patchset. It
+looks like it ought to occur with other users of get_tree_bdev() such as
+XFS, but apparently doesn't.
+
+Fix this by switching the order of the lines.
+
+Fixes: 6fcf0c72e4b9 ("vfs: add missing blkdev_put() in get_tree_bdev()")
+Reported-by: Lukas Czerner <lczerner@redhat.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Ian Kent <raven@themaw.net>
+cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/super.c
++++ b/fs/super.c
+@@ -1302,8 +1302,8 @@ int get_tree_bdev(struct fs_context *fc,
+ mutex_lock(&bdev->bd_fsfreeze_mutex);
+ if (bdev->bd_fsfreeze_count > 0) {
+ mutex_unlock(&bdev->bd_fsfreeze_mutex);
+- blkdev_put(bdev, mode);
+ warnf(fc, "%pg: Can't mount, blockdev is frozen", bdev);
++ blkdev_put(bdev, mode);
+ return -EBUSY;
+ }
+
--- /dev/null
+From c926c87b8e36dcc0ea5c2a0a0227ed4f32d0516a Mon Sep 17 00:00:00 2001
+From: ryan_chen <ryan_chen@aspeedtech.com>
+Date: Wed, 29 Apr 2020 11:37:37 +0800
+Subject: i2c: aspeed: Avoid i2c interrupt status clear race condition.
+
+From: ryan_chen <ryan_chen@aspeedtech.com>
+
+commit c926c87b8e36dcc0ea5c2a0a0227ed4f32d0516a upstream.
+
+In AST2600 there have a slow peripheral bus between CPU and i2c
+controller. Therefore GIC i2c interrupt status clear have delay timing,
+when CPU issue write clear i2c controller interrupt status. To avoid
+this issue, the driver need have read after write clear at i2c ISR.
+
+Fixes: f327c686d3ba ("i2c: aspeed: added driver for Aspeed I2C")
+Signed-off-by: ryan_chen <ryan_chen@aspeedtech.com>
+Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+[wsa: added Fixes tag]
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-aspeed.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-aspeed.c
++++ b/drivers/i2c/busses/i2c-aspeed.c
+@@ -603,6 +603,7 @@ static irqreturn_t aspeed_i2c_bus_irq(in
+ /* Ack all interrupts except for Rx done */
+ writel(irq_received & ~ASPEED_I2CD_INTR_RX_DONE,
+ bus->base + ASPEED_I2C_INTR_STS_REG);
++ readl(bus->base + ASPEED_I2C_INTR_STS_REG);
+ irq_remaining = irq_received;
+
+ #if IS_ENABLED(CONFIG_I2C_SLAVE)
+@@ -645,9 +646,11 @@ static irqreturn_t aspeed_i2c_bus_irq(in
+ irq_received, irq_handled);
+
+ /* Ack Rx done */
+- if (irq_received & ASPEED_I2CD_INTR_RX_DONE)
++ if (irq_received & ASPEED_I2CD_INTR_RX_DONE) {
+ writel(ASPEED_I2CD_INTR_RX_DONE,
+ bus->base + ASPEED_I2C_INTR_STS_REG);
++ readl(bus->base + ASPEED_I2C_INTR_STS_REG);
++ }
+ spin_unlock(&bus->lock);
+ return irq_remaining ? IRQ_NONE : IRQ_HANDLED;
+ }
--- /dev/null
+From 068143a8195fb0fdeea1f3ca430b3db0f6d04a53 Mon Sep 17 00:00:00 2001
+From: Rayagonda Kokatanur <rayagonda.kokatanur@broadcom.com>
+Date: Sun, 22 Mar 2020 23:50:19 +0530
+Subject: i2c: iproc: generate stop event for slave writes
+
+From: Rayagonda Kokatanur <rayagonda.kokatanur@broadcom.com>
+
+commit 068143a8195fb0fdeea1f3ca430b3db0f6d04a53 upstream.
+
+When slave status is I2C_SLAVE_RX_END, generate I2C_SLAVE_STOP
+event to i2c_client.
+
+Fixes: c245d94ed106 ("i2c: iproc: Add multi byte read-write support for slave mode")
+Signed-off-by: Rayagonda Kokatanur <rayagonda.kokatanur@broadcom.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-bcm-iproc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/i2c/busses/i2c-bcm-iproc.c
++++ b/drivers/i2c/busses/i2c-bcm-iproc.c
+@@ -359,6 +359,9 @@ static bool bcm_iproc_i2c_slave_isr(stru
+ value = (u8)((val >> S_RX_DATA_SHIFT) & S_RX_DATA_MASK);
+ i2c_slave_event(iproc_i2c->slave,
+ I2C_SLAVE_WRITE_RECEIVED, &value);
++ if (rx_status == I2C_SLAVE_RX_END)
++ i2c_slave_event(iproc_i2c->slave,
++ I2C_SLAVE_STOP, &value);
+ }
+ } else if (status & BIT(IS_S_TX_UNDERRUN_SHIFT)) {
+ /* Master read other than start */
--- /dev/null
+From b74aa02d7a30ee5e262072a7d6e8deff10b37924 Mon Sep 17 00:00:00 2001
+From: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Date: Wed, 22 Apr 2020 08:30:02 -0500
+Subject: iommu/amd: Fix legacy interrupt remapping for x2APIC-enabled system
+
+From: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+
+commit b74aa02d7a30ee5e262072a7d6e8deff10b37924 upstream.
+
+Currently, system fails to boot because the legacy interrupt remapping
+mode does not enable 128-bit IRTE (GA), which is required for x2APIC
+support.
+
+Fix by using AMD_IOMMU_GUEST_IR_LEGACY_GA mode when booting with
+kernel option amd_iommu_intr=legacy instead. The initialization
+logic will check GASup and automatically fallback to using
+AMD_IOMMU_GUEST_IR_LEGACY if GA mode is not supported.
+
+Fixes: 3928aa3f5775 ("iommu/amd: Detect and enable guest vAPIC support")
+Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Link: https://lore.kernel.org/r/1587562202-14183-1-git-send-email-suravee.suthikulpanit@amd.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/amd_iommu_init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iommu/amd_iommu_init.c
++++ b/drivers/iommu/amd_iommu_init.c
+@@ -2946,7 +2946,7 @@ static int __init parse_amd_iommu_intr(c
+ {
+ for (; *str; ++str) {
+ if (strncmp(str, "legacy", 6) == 0) {
+- amd_iommu_guest_ir = AMD_IOMMU_GUEST_IR_LEGACY;
++ amd_iommu_guest_ir = AMD_IOMMU_GUEST_IR_LEGACY_GA;
+ break;
+ }
+ if (strncmp(str, "vapic", 5) == 0) {
--- /dev/null
+From b52649aee6243ea661905bdc5fbe28cc5f6dec76 Mon Sep 17 00:00:00 2001
+From: Tang Bin <tangbin@cmss.chinamobile.com>
+Date: Sat, 18 Apr 2020 21:47:03 +0800
+Subject: iommu/qcom: Fix local_base status check
+
+From: Tang Bin <tangbin@cmss.chinamobile.com>
+
+commit b52649aee6243ea661905bdc5fbe28cc5f6dec76 upstream.
+
+The function qcom_iommu_device_probe() does not perform sufficient
+error checking after executing devm_ioremap_resource(), which can
+result in crashes if a critical error path is encountered.
+
+Fixes: 0ae349a0f33f ("iommu/qcom: Add qcom_iommu")
+Signed-off-by: Tang Bin <tangbin@cmss.chinamobile.com>
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Link: https://lore.kernel.org/r/20200418134703.1760-1-tangbin@cmss.chinamobile.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/qcom_iommu.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/iommu/qcom_iommu.c
++++ b/drivers/iommu/qcom_iommu.c
+@@ -814,8 +814,11 @@ static int qcom_iommu_device_probe(struc
+ qcom_iommu->dev = dev;
+
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+- if (res)
++ if (res) {
+ qcom_iommu->local_base = devm_ioremap_resource(dev, res);
++ if (IS_ERR(qcom_iommu->local_base))
++ return PTR_ERR(qcom_iommu->local_base);
++ }
+
+ qcom_iommu->iface_clk = devm_clk_get(dev, "iface");
+ if (IS_ERR(qcom_iommu->iface_clk)) {
--- /dev/null
+From 7648f939cb919b9d15c21fff8cd9eba908d595dc Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Mon, 20 Apr 2020 15:51:47 +0200
+Subject: nfs: Fix potential posix_acl refcnt leak in nfs3_set_acl
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+commit 7648f939cb919b9d15c21fff8cd9eba908d595dc upstream.
+
+nfs3_set_acl keeps track of the acl it allocated locally to determine if an acl
+needs to be released at the end. This results in a memory leak when the
+function allocates an acl as well as a default acl. Fix by releasing acls
+that differ from the acl originally passed into nfs3_set_acl.
+
+Fixes: b7fa0554cf1b ("[PATCH] NFS: Add support for NFSv3 ACLs")
+Reported-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs3acl.c | 22 +++++++++++++++-------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+--- a/fs/nfs/nfs3acl.c
++++ b/fs/nfs/nfs3acl.c
+@@ -253,37 +253,45 @@ int nfs3_proc_setacls(struct inode *inod
+
+ int nfs3_set_acl(struct inode *inode, struct posix_acl *acl, int type)
+ {
+- struct posix_acl *alloc = NULL, *dfacl = NULL;
++ struct posix_acl *orig = acl, *dfacl = NULL, *alloc;
+ int status;
+
+ if (S_ISDIR(inode->i_mode)) {
+ switch(type) {
+ case ACL_TYPE_ACCESS:
+- alloc = dfacl = get_acl(inode, ACL_TYPE_DEFAULT);
++ alloc = get_acl(inode, ACL_TYPE_DEFAULT);
+ if (IS_ERR(alloc))
+ goto fail;
++ dfacl = alloc;
+ break;
+
+ case ACL_TYPE_DEFAULT:
+- dfacl = acl;
+- alloc = acl = get_acl(inode, ACL_TYPE_ACCESS);
++ alloc = get_acl(inode, ACL_TYPE_ACCESS);
+ if (IS_ERR(alloc))
+ goto fail;
++ dfacl = acl;
++ acl = alloc;
+ break;
+ }
+ }
+
+ if (acl == NULL) {
+- alloc = acl = posix_acl_from_mode(inode->i_mode, GFP_KERNEL);
++ alloc = posix_acl_from_mode(inode->i_mode, GFP_KERNEL);
+ if (IS_ERR(alloc))
+ goto fail;
++ acl = alloc;
+ }
+ status = __nfs3_proc_setacls(inode, acl, dfacl);
+- posix_acl_release(alloc);
++out:
++ if (acl != orig)
++ posix_acl_release(acl);
++ if (dfacl != orig)
++ posix_acl_release(dfacl);
+ return status;
+
+ fail:
+- return PTR_ERR(alloc);
++ status = PTR_ERR(alloc);
++ goto out;
+ }
+
+ const struct xattr_handler *nfs3_xattr_handlers[] = {
--- /dev/null
+From 132be62387c7a72a38872676c18b0dfae264adb8 Mon Sep 17 00:00:00 2001
+From: Niklas Cassel <niklas.cassel@wdc.com>
+Date: Mon, 27 Apr 2020 14:34:41 +0200
+Subject: nvme: prevent double free in nvme_alloc_ns() error handling
+
+From: Niklas Cassel <niklas.cassel@wdc.com>
+
+commit 132be62387c7a72a38872676c18b0dfae264adb8 upstream.
+
+When jumping to the out_put_disk label, we will call put_disk(), which will
+trigger a call to disk_release(), which calls blk_put_queue().
+
+Later in the cleanup code, we do blk_cleanup_queue(), which will also call
+blk_put_queue().
+
+Putting the queue twice is incorrect, and will generate a KASAN splat.
+
+Set the disk->queue pointer to NULL, before calling put_disk(), so that the
+first call to blk_put_queue() will not free the queue.
+
+The second call to blk_put_queue() uses another pointer to the same queue,
+so this call will still free the queue.
+
+Fixes: 85136c010285 ("lightnvm: simplify geometry enumeration")
+Signed-off-by: Niklas Cassel <niklas.cassel@wdc.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvme/host/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -3566,6 +3566,8 @@ static int nvme_alloc_ns(struct nvme_ctr
+
+ return 0;
+ out_put_disk:
++ /* prevent double queue cleanup */
++ ns->disk->queue = NULL;
+ put_disk(ns->disk);
+ out_unlink_ns:
+ mutex_lock(&ctrl->subsys->lock);
--- /dev/null
+From 983653515849fb56b78ce55d349bb384d43030f6 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 7 Apr 2020 12:37:14 +0300
+Subject: RDMA/cm: Fix an error check in cm_alloc_id_priv()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 983653515849fb56b78ce55d349bb384d43030f6 upstream.
+
+The xa_alloc_cyclic_irq() function returns either 0 or 1 on success and
+negatives on error. This code treats 1 as an error and returns ERR_PTR(1)
+which will cause an Oops in the caller.
+
+Fixes: ae78ff3a0f0c ("RDMA/cm: Convert local_id_table to XArray")
+Link: https://lore.kernel.org/r/20200407093714.GA80285@mwanda
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/cm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/cm.c
++++ b/drivers/infiniband/core/cm.c
+@@ -873,7 +873,7 @@ struct ib_cm_id *ib_create_cm_id(struct
+
+ ret = xa_alloc_cyclic_irq(&cm.local_id_table, &id, NULL, xa_limit_32b,
+ &cm.local_id_next, GFP_KERNEL);
+- if (ret)
++ if (ret < 0)
+ goto error;
+ cm_id_priv->id.local_id = (__force __be32)id ^ cm.random_id_operand;
+ xa_store_irq(&cm.local_id_table, cm_local_id(cm_id_priv->id.local_id),
--- /dev/null
+From e8dc4e885c459343970b25acd9320fe9ee5492e7 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgg@ziepe.ca>
+Date: Tue, 10 Mar 2020 11:25:31 +0200
+Subject: RDMA/cm: Fix ordering of xa_alloc_cyclic() in ib_create_cm_id()
+
+From: Jason Gunthorpe <jgg@mellanox.com>
+
+commit e8dc4e885c459343970b25acd9320fe9ee5492e7 upstream.
+
+xa_alloc_cyclic() is a SMP release to be paired with some later acquire
+during xa_load() as part of cm_acquire_id().
+
+As such, xa_alloc_cyclic() must be done after the cm_id is fully
+initialized, in particular, it absolutely must be after the
+refcount_set(), otherwise the refcount_inc() in cm_acquire_id() may not
+see the set.
+
+As there are several cases where a reader will be able to use the
+id.local_id after cm_acquire_id in the IB_CM_IDLE state there needs to be
+an unfortunate split into a NULL allocate and a finalizing xa_store.
+
+Fixes: a977049dacde ("[PATCH] IB: Add the kernel CM implementation")
+Link: https://lore.kernel.org/r/20200310092545.251365-2-leon@kernel.org
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/cm.c | 27 +++++++++++----------------
+ 1 file changed, 11 insertions(+), 16 deletions(-)
+
+--- a/drivers/infiniband/core/cm.c
++++ b/drivers/infiniband/core/cm.c
+@@ -597,18 +597,6 @@ static int cm_init_av_by_path(struct sa_
+ return 0;
+ }
+
+-static int cm_alloc_id(struct cm_id_private *cm_id_priv)
+-{
+- int err;
+- u32 id;
+-
+- err = xa_alloc_cyclic_irq(&cm.local_id_table, &id, cm_id_priv,
+- xa_limit_32b, &cm.local_id_next, GFP_KERNEL);
+-
+- cm_id_priv->id.local_id = (__force __be32)id ^ cm.random_id_operand;
+- return err;
+-}
+-
+ static u32 cm_local_id(__be32 local_id)
+ {
+ return (__force u32) (local_id ^ cm.random_id_operand);
+@@ -862,6 +850,7 @@ struct ib_cm_id *ib_create_cm_id(struct
+ void *context)
+ {
+ struct cm_id_private *cm_id_priv;
++ u32 id;
+ int ret;
+
+ cm_id_priv = kzalloc(sizeof *cm_id_priv, GFP_KERNEL);
+@@ -873,9 +862,6 @@ struct ib_cm_id *ib_create_cm_id(struct
+ cm_id_priv->id.cm_handler = cm_handler;
+ cm_id_priv->id.context = context;
+ cm_id_priv->id.remote_cm_qpn = 1;
+- ret = cm_alloc_id(cm_id_priv);
+- if (ret)
+- goto error;
+
+ spin_lock_init(&cm_id_priv->lock);
+ init_completion(&cm_id_priv->comp);
+@@ -884,11 +870,20 @@ struct ib_cm_id *ib_create_cm_id(struct
+ INIT_LIST_HEAD(&cm_id_priv->altr_list);
+ atomic_set(&cm_id_priv->work_count, -1);
+ atomic_set(&cm_id_priv->refcount, 1);
++
++ ret = xa_alloc_cyclic_irq(&cm.local_id_table, &id, NULL, xa_limit_32b,
++ &cm.local_id_next, GFP_KERNEL);
++ if (ret)
++ goto error;
++ cm_id_priv->id.local_id = (__force __be32)id ^ cm.random_id_operand;
++ xa_store_irq(&cm.local_id_table, cm_local_id(cm_id_priv->id.local_id),
++ cm_id_priv, GFP_KERNEL);
++
+ return &cm_id_priv->id;
+
+ error:
+ kfree(cm_id_priv);
+- return ERR_PTR(-ENOMEM);
++ return ERR_PTR(ret);
+ }
+ EXPORT_SYMBOL(ib_create_cm_id);
+
--- /dev/null
+From f0abc761bbb9418876cc4d1ebc473e4ea6352e42 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky <leon@kernel.org>
+Date: Thu, 23 Apr 2020 09:01:22 +0300
+Subject: RDMA/core: Fix race between destroy and release FD object
+
+From: Leon Romanovsky <leonro@mellanox.com>
+
+commit f0abc761bbb9418876cc4d1ebc473e4ea6352e42 upstream.
+
+The call to ->lookup_put() was too early and it caused an unlock of the
+read/write protection of the uobject after the FD was put. This allows a
+race:
+
+ CPU1 CPU2
+ rdma_lookup_put_uobject()
+ lookup_put_fd_uobject()
+ fput()
+ fput()
+ uverbs_uobject_fd_release()
+ WARN_ON(uverbs_try_lock_object(uobj,
+ UVERBS_LOOKUP_WRITE));
+ atomic_dec(usecnt)
+
+Fix the code by changing the order, first unlock and call to
+->lookup_put() after that.
+
+Fixes: 3832125624b7 ("IB/core: Add support for idr types")
+Link: https://lore.kernel.org/r/20200423060122.6182-1-leon@kernel.org
+Suggested-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/rdma_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/rdma_core.c
++++ b/drivers/infiniband/core/rdma_core.c
+@@ -689,7 +689,6 @@ void rdma_lookup_put_uobject(struct ib_u
+ enum rdma_lookup_mode mode)
+ {
+ assert_uverbs_usecnt(uobj, mode);
+- uobj->uapi_object->type_class->lookup_put(uobj, mode);
+ /*
+ * In order to unlock an object, either decrease its usecnt for
+ * read access or zero it in case of exclusive access. See
+@@ -706,6 +705,7 @@ void rdma_lookup_put_uobject(struct ib_u
+ break;
+ }
+
++ uobj->uapi_object->type_class->lookup_put(uobj, mode);
+ /* Pairs with the kref obtained by type->lookup_get */
+ uverbs_uobject_put(uobj);
+ }
--- /dev/null
+From 0fb00941dc63990a10951146df216fc7b0e20bc2 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky <leon@kernel.org>
+Date: Tue, 21 Apr 2020 11:29:28 +0300
+Subject: RDMA/core: Prevent mixed use of FDs between shared ufiles
+
+From: Leon Romanovsky <leonro@mellanox.com>
+
+commit 0fb00941dc63990a10951146df216fc7b0e20bc2 upstream.
+
+FDs can only be used on the ufile that created them, they cannot be mixed
+to other ufiles. We are lacking a check to prevent it.
+
+ BUG: KASAN: null-ptr-deref in atomic64_sub_and_test include/asm-generic/atomic-instrumented.h:1547 [inline]
+ BUG: KASAN: null-ptr-deref in atomic_long_sub_and_test include/asm-generic/atomic-long.h:460 [inline]
+ BUG: KASAN: null-ptr-deref in fput_many+0x1a/0x140 fs/file_table.c:336
+ Write of size 8 at addr 0000000000000038 by task syz-executor179/284
+
+ CPU: 0 PID: 284 Comm: syz-executor179 Not tainted 5.5.0-rc5+ #1
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
+ Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x94/0xce lib/dump_stack.c:118
+ __kasan_report+0x18f/0x1b7 mm/kasan/report.c:510
+ kasan_report+0xe/0x20 mm/kasan/common.c:639
+ check_memory_region_inline mm/kasan/generic.c:185 [inline]
+ check_memory_region+0x15d/0x1b0 mm/kasan/generic.c:192
+ atomic64_sub_and_test include/asm-generic/atomic-instrumented.h:1547 [inline]
+ atomic_long_sub_and_test include/asm-generic/atomic-long.h:460 [inline]
+ fput_many+0x1a/0x140 fs/file_table.c:336
+ rdma_lookup_put_uobject+0x85/0x130 drivers/infiniband/core/rdma_core.c:692
+ uobj_put_read include/rdma/uverbs_std_types.h:96 [inline]
+ _ib_uverbs_lookup_comp_file drivers/infiniband/core/uverbs_cmd.c:198 [inline]
+ create_cq+0x375/0xba0 drivers/infiniband/core/uverbs_cmd.c:1006
+ ib_uverbs_create_cq+0x114/0x140 drivers/infiniband/core/uverbs_cmd.c:1089
+ ib_uverbs_write+0xaa5/0xdf0 drivers/infiniband/core/uverbs_main.c:769
+ __vfs_write+0x7c/0x100 fs/read_write.c:494
+ vfs_write+0x168/0x4a0 fs/read_write.c:558
+ ksys_write+0xc8/0x200 fs/read_write.c:611
+ do_syscall_64+0x9c/0x390 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ RIP: 0033:0x44ef99
+ Code: 00 b8 00 01 00 00 eb e1 e8 74 1c 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c4 ff ff ff f7 d8 64 89 01 48
+ RSP: 002b:00007ffc0b74c028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+ RAX: ffffffffffffffda RBX: 00007ffc0b74c030 RCX: 000000000044ef99
+ RDX: 0000000000000040 RSI: 0000000020000040 RDI: 0000000000000005
+ RBP: 00007ffc0b74c038 R08: 0000000000401830 R09: 0000000000401830
+ R10: 00007ffc0b74c038 R11: 0000000000000246 R12: 0000000000000000
+ R13: 0000000000000000 R14: 00000000006be018 R15: 0000000000000000
+
+Fixes: cf8966b3477d ("IB/core: Add support for fd objects")
+Link: https://lore.kernel.org/r/20200421082929.311931-2-leon@kernel.org
+Suggested-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/rdma_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/rdma_core.c
++++ b/drivers/infiniband/core/rdma_core.c
+@@ -362,7 +362,7 @@ lookup_get_fd_uobject(const struct uverb
+ * and the caller is expected to ensure that uverbs_close_fd is never
+ * done while a call top lookup is possible.
+ */
+- if (f->f_op != fd_type->fops) {
++ if (f->f_op != fd_type->fops || uobject->ufile != ufile) {
+ fput(f);
+ return ERR_PTR(-EBADF);
+ }
--- /dev/null
+From c08cfb2d8d78bfe81b37cc6ba84f0875bddd0d5c Mon Sep 17 00:00:00 2001
+From: Alaa Hleihel <alaa@mellanox.com>
+Date: Mon, 13 Apr 2020 16:22:35 +0300
+Subject: RDMA/mlx4: Initialize ib_spec on the stack
+
+From: Alaa Hleihel <alaa@mellanox.com>
+
+commit c08cfb2d8d78bfe81b37cc6ba84f0875bddd0d5c upstream.
+
+Initialize ib_spec on the stack before using it, otherwise we will have
+garbage values that will break creating default rules with invalid parsing
+error.
+
+Fixes: a37a1a428431 ("IB/mlx4: Add mechanism to support flow steering over IB links")
+Link: https://lore.kernel.org/r/20200413132235.930642-1-leon@kernel.org
+Signed-off-by: Alaa Hleihel <alaa@mellanox.com>
+Reviewed-by: Maor Gottlieb <maorg@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx4/main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx4/main.c
++++ b/drivers/infiniband/hw/mlx4/main.c
+@@ -1492,8 +1492,9 @@ static int __mlx4_ib_create_default_rule
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(pdefault_rules->rules_create_list); i++) {
++ union ib_flow_spec ib_spec = {};
+ int ret;
+- union ib_flow_spec ib_spec;
++
+ switch (pdefault_rules->rules_create_list[i]) {
+ case 0:
+ /* no rule */
--- /dev/null
+From 2d7e3ff7b6f2c614eb21d0dc348957a47eaffb57 Mon Sep 17 00:00:00 2001
+From: Aharon Landau <aharonl@mellanox.com>
+Date: Mon, 13 Apr 2020 16:20:28 +0300
+Subject: RDMA/mlx5: Set GRH fields in query QP on RoCE
+
+From: Aharon Landau <aharonl@mellanox.com>
+
+commit 2d7e3ff7b6f2c614eb21d0dc348957a47eaffb57 upstream.
+
+GRH fields such as sgid_index, hop limit, et. are set in the QP context
+when QP is created/modified.
+
+Currently, when query QP is performed, we fill the GRH fields only if the
+GRH bit is set in the QP context, but this bit is not set for RoCE. Adjust
+the check so we will set all relevant data for the RoCE too.
+
+Since this data is returned to userspace, the below is an ABI regression.
+
+Fixes: d8966fcd4c25 ("IB/core: Use rdma_ah_attr accessor functions")
+Link: https://lore.kernel.org/r/20200413132028.930109-1-leon@kernel.org
+Signed-off-by: Aharon Landau <aharonl@mellanox.com>
+Reviewed-by: Maor Gottlieb <maorg@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx5/qp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -5496,7 +5496,9 @@ static void to_rdma_ah_attr(struct mlx5_
+ rdma_ah_set_path_bits(ah_attr, path->grh_mlid & 0x7f);
+ rdma_ah_set_static_rate(ah_attr,
+ path->static_rate ? path->static_rate - 5 : 0);
+- if (path->grh_mlid & (1 << 7)) {
++
++ if (path->grh_mlid & (1 << 7) ||
++ ah_attr->type == RDMA_AH_ATTR_TYPE_ROCE) {
+ u32 tc_fl = be32_to_cpu(path->tclass_flowlabel);
+
+ rdma_ah_set_grh(ah_attr, NULL,
--- /dev/null
+From 6e051971b0e2eeb0ce7ec65d3cc8180450512d36 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgg@ziepe.ca>
+Date: Wed, 15 Apr 2020 11:09:22 -0300
+Subject: RDMA/siw: Fix potential siw_mem refcnt leak in siw_fastreg_mr()
+
+From: Jason Gunthorpe <jgg@mellanox.com>
+
+commit 6e051971b0e2eeb0ce7ec65d3cc8180450512d36 upstream.
+
+siw_fastreg_mr() invokes siw_mem_id2obj(), which returns a local reference
+of the siw_mem object to "mem" with increased refcnt. When
+siw_fastreg_mr() returns, "mem" becomes invalid, so the refcount should be
+decreased to keep refcount balanced.
+
+The issue happens in one error path of siw_fastreg_mr(). When "base_mr"
+equals to NULL but "mem" is not NULL, the function forgets to decrease the
+refcnt increased by siw_mem_id2obj() and causes a refcnt leak.
+
+Reorganize the flow so that the goto unwind can be used as expected.
+
+Fixes: b9be6f18cf9e ("rdma/siw: transmit path")
+Link: https://lore.kernel.org/r/1586939949-69856-1-git-send-email-xiyuyang19@fudan.edu.cn
+Reported-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/sw/siw/siw_qp_tx.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/drivers/infiniband/sw/siw/siw_qp_tx.c
++++ b/drivers/infiniband/sw/siw/siw_qp_tx.c
+@@ -920,20 +920,27 @@ static int siw_fastreg_mr(struct ib_pd *
+ {
+ struct ib_mr *base_mr = (struct ib_mr *)(uintptr_t)sqe->base_mr;
+ struct siw_device *sdev = to_siw_dev(pd->device);
+- struct siw_mem *mem = siw_mem_id2obj(sdev, sqe->rkey >> 8);
++ struct siw_mem *mem;
+ int rv = 0;
+
+ siw_dbg_pd(pd, "STag 0x%08x\n", sqe->rkey);
+
+- if (unlikely(!mem || !base_mr)) {
++ if (unlikely(!base_mr)) {
+ pr_warn("siw: fastreg: STag 0x%08x unknown\n", sqe->rkey);
+ return -EINVAL;
+ }
++
+ if (unlikely(base_mr->rkey >> 8 != sqe->rkey >> 8)) {
+ pr_warn("siw: fastreg: STag 0x%08x: bad MR\n", sqe->rkey);
+- rv = -EINVAL;
+- goto out;
++ return -EINVAL;
++ }
++
++ mem = siw_mem_id2obj(sdev, sqe->rkey >> 8);
++ if (unlikely(!mem)) {
++ pr_warn("siw: fastreg: STag 0x%08x unknown\n", sqe->rkey);
++ return -EINVAL;
+ }
++
+ if (unlikely(mem->pd != pd)) {
+ pr_warn("siw: fastreg: PD mismatch\n");
+ rv = -EINVAL;
--- /dev/null
+From 5a263892d7d0b4fe351363f8d1a14c6a75955475 Mon Sep 17 00:00:00 2001
+From: Martin Wilck <mwilck@suse.com>
+Date: Tue, 21 Apr 2020 22:46:21 +0200
+Subject: scsi: qla2xxx: check UNLOADING before posting async work
+
+From: Martin Wilck <mwilck@suse.com>
+
+commit 5a263892d7d0b4fe351363f8d1a14c6a75955475 upstream.
+
+qlt_free_session_done() tries to post async PRLO / LOGO, and waits for the
+completion of these async commands. If UNLOADING is set, this is doomed to
+timeout, because the async logout command will never complete.
+
+The only way to avoid waiting pointlessly is to fail posting these commands
+in the first place if the driver is in UNLOADING state. In general,
+posting any command should be avoided when the driver is UNLOADING.
+
+With this patch, "rmmod qla2xxx" completes without noticeable delay.
+
+Link: https://lore.kernel.org/r/20200421204621.19228-3-mwilck@suse.com
+Fixes: 45235022da99 ("scsi: qla2xxx: Fix driver unload by shutting down chip")
+Acked-by: Arun Easi <aeasi@marvell.com>
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin Wilck <mwilck@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_os.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -4857,6 +4857,9 @@ qla2x00_alloc_work(struct scsi_qla_host
+ struct qla_work_evt *e;
+ uint8_t bail;
+
++ if (test_bit(UNLOADING, &vha->dpc_flags))
++ return NULL;
++
+ QLA_VHA_MARK_BUSY(vha, bail);
+ if (bail)
+ return NULL;
--- /dev/null
+From 856e152a3c08bf7987cbd41900741d83d9cddc8e Mon Sep 17 00:00:00 2001
+From: Martin Wilck <mwilck@suse.com>
+Date: Tue, 21 Apr 2020 22:46:20 +0200
+Subject: scsi: qla2xxx: set UNLOADING before waiting for session deletion
+
+From: Martin Wilck <mwilck@suse.com>
+
+commit 856e152a3c08bf7987cbd41900741d83d9cddc8e upstream.
+
+The purpose of the UNLOADING flag is to avoid port login procedures to
+continue when a controller is in the process of shutting down. It makes
+sense to set this flag before starting session teardown.
+
+Furthermore, use atomic test_and_set_bit() to avoid the shutdown being run
+multiple times in parallel. In qla2x00_disable_board_on_pci_error(), the
+test for UNLOADING is postponed until after the check for an already
+disabled PCI board.
+
+Link: https://lore.kernel.org/r/20200421204621.19228-2-mwilck@suse.com
+Fixes: 45235022da99 ("scsi: qla2xxx: Fix driver unload by shutting down chip")
+Reviewed-by: Arun Easi <aeasi@marvell.com>
+Reviewed-by: Daniel Wagner <dwagner@suse.de>
+Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com>
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin Wilck <mwilck@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_os.c | 32 ++++++++++++++------------------
+ 1 file changed, 14 insertions(+), 18 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -3700,6 +3700,13 @@ qla2x00_remove_one(struct pci_dev *pdev)
+ }
+ qla2x00_wait_for_hba_ready(base_vha);
+
++ /*
++ * if UNLOADING flag is already set, then continue unload,
++ * where it was set first.
++ */
++ if (test_and_set_bit(UNLOADING, &base_vha->dpc_flags))
++ return;
++
+ if (IS_QLA25XX(ha) || IS_QLA2031(ha) || IS_QLA27XX(ha) ||
+ IS_QLA28XX(ha)) {
+ if (ha->flags.fw_started)
+@@ -3718,15 +3725,6 @@ qla2x00_remove_one(struct pci_dev *pdev)
+
+ qla2x00_wait_for_sess_deletion(base_vha);
+
+- /*
+- * if UNLOAD flag is already set, then continue unload,
+- * where it was set first.
+- */
+- if (test_bit(UNLOADING, &base_vha->dpc_flags))
+- return;
+-
+- set_bit(UNLOADING, &base_vha->dpc_flags);
+-
+ qla_nvme_delete(base_vha);
+
+ dma_free_coherent(&ha->pdev->dev,
+@@ -6053,13 +6051,6 @@ qla2x00_disable_board_on_pci_error(struc
+ struct pci_dev *pdev = ha->pdev;
+ scsi_qla_host_t *base_vha = pci_get_drvdata(ha->pdev);
+
+- /*
+- * if UNLOAD flag is already set, then continue unload,
+- * where it was set first.
+- */
+- if (test_bit(UNLOADING, &base_vha->dpc_flags))
+- return;
+-
+ ql_log(ql_log_warn, base_vha, 0x015b,
+ "Disabling adapter.\n");
+
+@@ -6070,9 +6061,14 @@ qla2x00_disable_board_on_pci_error(struc
+ return;
+ }
+
+- qla2x00_wait_for_sess_deletion(base_vha);
++ /*
++ * if UNLOADING flag is already set, then continue unload,
++ * where it was set first.
++ */
++ if (test_and_set_bit(UNLOADING, &base_vha->dpc_flags))
++ return;
+
+- set_bit(UNLOADING, &base_vha->dpc_flags);
++ qla2x00_wait_for_sess_deletion(base_vha);
+
+ qla2x00_delete_all_vps(ha, base_vha);
+
--- /dev/null
+From 1d2ff149b263c9325875726a7804a0c75ef7112e Mon Sep 17 00:00:00 2001
+From: David Disseldorp <ddiss@suse.de>
+Date: Sun, 19 Apr 2020 18:31:09 +0200
+Subject: scsi: target/iblock: fix WRITE SAME zeroing
+
+From: David Disseldorp <ddiss@suse.de>
+
+commit 1d2ff149b263c9325875726a7804a0c75ef7112e upstream.
+
+SBC4 specifies that WRITE SAME requests with the UNMAP bit set to zero
+"shall perform the specified write operation to each LBA specified by the
+command". Commit 2237498f0b5c ("target/iblock: Convert WRITE_SAME to
+blkdev_issue_zeroout") modified the iblock backend to call
+blkdev_issue_zeroout() when handling WRITE SAME requests with UNMAP=0 and a
+zero data segment.
+
+The iblock blkdev_issue_zeroout() call incorrectly provides a flags
+parameter of 0 (bool false), instead of BLKDEV_ZERO_NOUNMAP. The bool
+false parameter reflects the blkdev_issue_zeroout() API prior to commit
+ee472d835c26 ("block: add a flags argument to (__)blkdev_issue_zeroout")
+which was merged shortly before 2237498f0b5c.
+
+Link: https://lore.kernel.org/r/20200419163109.11689-1-ddiss@suse.de
+Fixes: 2237498f0b5c ("target/iblock: Convert WRITE_SAME to blkdev_issue_zeroout")
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: David Disseldorp <ddiss@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_iblock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/target/target_core_iblock.c
++++ b/drivers/target/target_core_iblock.c
+@@ -432,7 +432,7 @@ iblock_execute_zero_out(struct block_dev
+ target_to_linux_sector(dev, cmd->t_task_lba),
+ target_to_linux_sector(dev,
+ sbc_get_write_same_sectors(cmd)),
+- GFP_KERNEL, false);
++ GFP_KERNEL, BLKDEV_ZERO_NOUNMAP);
+ if (ret)
+ return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
+
dm-writecache-fix-data-corruption-when-reloading-the-target.patch
dm-multipath-use-updated-mpathf_queue_io-on-mapping-for-bio-based-mpath.patch
arm-dts-imx6qdl-sr-som-ti-indicate-powering-off-wifi-is-safe.patch
+scsi-qla2xxx-set-unloading-before-waiting-for-session-deletion.patch
+scsi-qla2xxx-check-unloading-before-posting-async-work.patch
+rdma-mlx5-set-grh-fields-in-query-qp-on-roce.patch
+rdma-mlx4-initialize-ib_spec-on-the-stack.patch
+rdma-siw-fix-potential-siw_mem-refcnt-leak-in-siw_fastreg_mr.patch
+rdma-core-prevent-mixed-use-of-fds-between-shared-ufiles.patch
+rdma-core-fix-race-between-destroy-and-release-fd-object.patch
+rdma-cm-fix-ordering-of-xa_alloc_cyclic-in-ib_create_cm_id.patch
+rdma-cm-fix-an-error-check-in-cm_alloc_id_priv.patch
+i2c-iproc-generate-stop-event-for-slave-writes.patch
+vfio-avoid-possible-overflow-in-vfio_iommu_type1_pin_pages.patch
+vfio-type1-fix-va-pa-translation-for-pfnmap-vmas-in-vaddr_get_pfn.patch
+iommu-qcom-fix-local_base-status-check.patch
+scsi-target-iblock-fix-write-same-zeroing.patch
+iommu-amd-fix-legacy-interrupt-remapping-for-x2apic-enabled-system.patch
+i2c-aspeed-avoid-i2c-interrupt-status-clear-race-condition.patch
+alsa-opti9xx-shut-up-gcc-10-range-warning.patch
+fix-use-after-free-in-get_tree_bdev.patch
+nvme-prevent-double-free-in-nvme_alloc_ns-error-handling.patch
+nfs-fix-potential-posix_acl-refcnt-leak-in-nfs3_set_acl.patch
+dmaengine-dmatest-fix-iteration-non-stop-logic.patch
+dmaengine-dmatest-fix-process-hang-when-reading-wait-parameter.patch
+arm64-vdso-add-fasynchronous-unwind-tables-to-cflags.patch
--- /dev/null
+From 0ea971f8dcd6dee78a9a30ea70227cf305f11ff7 Mon Sep 17 00:00:00 2001
+From: Yan Zhao <yan.y.zhao@intel.com>
+Date: Wed, 8 Apr 2020 03:12:34 -0400
+Subject: vfio: avoid possible overflow in vfio_iommu_type1_pin_pages
+
+From: Yan Zhao <yan.y.zhao@intel.com>
+
+commit 0ea971f8dcd6dee78a9a30ea70227cf305f11ff7 upstream.
+
+add parentheses to avoid possible vaddr overflow.
+
+Fixes: a54eb55045ae ("vfio iommu type1: Add support for mediated devices")
+Signed-off-by: Yan Zhao <yan.y.zhao@intel.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/vfio/vfio_iommu_type1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/vfio/vfio_iommu_type1.c
++++ b/drivers/vfio/vfio_iommu_type1.c
+@@ -593,7 +593,7 @@ static int vfio_iommu_type1_pin_pages(vo
+ continue;
+ }
+
+- remote_vaddr = dma->vaddr + iova - dma->iova;
++ remote_vaddr = dma->vaddr + (iova - dma->iova);
+ ret = vfio_pin_page_external(dma, remote_vaddr, &phys_pfn[i],
+ do_accounting);
+ if (ret)
--- /dev/null
+From 5cbf3264bc715e9eb384e2b68601f8c02bb9a61d Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Thu, 16 Apr 2020 15:50:57 -0700
+Subject: vfio/type1: Fix VA->PA translation for PFNMAP VMAs in vaddr_get_pfn()
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit 5cbf3264bc715e9eb384e2b68601f8c02bb9a61d upstream.
+
+Use follow_pfn() to get the PFN of a PFNMAP VMA instead of assuming that
+vma->vm_pgoff holds the base PFN of the VMA. This fixes a bug where
+attempting to do VFIO_IOMMU_MAP_DMA on an arbitrary PFNMAP'd region of
+memory calculates garbage for the PFN.
+
+Hilariously, this only got detected because the first "PFN" calculated
+by vaddr_get_pfn() is PFN 0 (vma->vm_pgoff==0), and iommu_iova_to_phys()
+uses PA==0 as an error, which triggers a WARN in vfio_unmap_unpin()
+because the translation "failed". PFN 0 is now unconditionally reserved
+on x86 in order to mitigate L1TF, which causes is_invalid_reserved_pfn()
+to return true and in turns results in vaddr_get_pfn() returning success
+for PFN 0. Eventually the bogus calculation runs into PFNs that aren't
+reserved and leads to failure in vfio_pin_map_dma(). The subsequent
+call to vfio_remove_dma() attempts to unmap PFN 0 and WARNs.
+
+ WARNING: CPU: 8 PID: 5130 at drivers/vfio/vfio_iommu_type1.c:750 vfio_unmap_unpin+0x2e1/0x310 [vfio_iommu_type1]
+ Modules linked in: vfio_pci vfio_virqfd vfio_iommu_type1 vfio ...
+ CPU: 8 PID: 5130 Comm: sgx Tainted: G W 5.6.0-rc5-705d787c7fee-vfio+ #3
+ Hardware name: Intel Corporation Mehlow UP Server Platform/Moss Beach Server, BIOS CNLSE2R1.D00.X119.B49.1803010910 03/01/2018
+ RIP: 0010:vfio_unmap_unpin+0x2e1/0x310 [vfio_iommu_type1]
+ Code: <0f> 0b 49 81 c5 00 10 00 00 e9 c5 fe ff ff bb 00 10 00 00 e9 3d fe
+ RSP: 0018:ffffbeb5039ebda8 EFLAGS: 00010246
+ RAX: 0000000000000000 RBX: ffff9a55cbf8d480 RCX: 0000000000000000
+ RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff9a52b771c200
+ RBP: 0000000000000000 R08: 0000000000000040 R09: 00000000fffffff2
+ R10: 0000000000000001 R11: ffff9a51fa896000 R12: 0000000184010000
+ R13: 0000000184000000 R14: 0000000000010000 R15: ffff9a55cb66ea08
+ FS: 00007f15d3830b40(0000) GS:ffff9a55d5600000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000561cf39429e0 CR3: 000000084f75f005 CR4: 00000000003626e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Call Trace:
+ vfio_remove_dma+0x17/0x70 [vfio_iommu_type1]
+ vfio_iommu_type1_ioctl+0x9e3/0xa7b [vfio_iommu_type1]
+ ksys_ioctl+0x92/0xb0
+ __x64_sys_ioctl+0x16/0x20
+ do_syscall_64+0x4c/0x180
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ RIP: 0033:0x7f15d04c75d7
+ Code: <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 f7 d8 64 89 01 48
+
+Fixes: 73fa0d10d077 ("vfio: Type1 IOMMU implementation")
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/vfio/vfio_iommu_type1.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/vfio/vfio_iommu_type1.c
++++ b/drivers/vfio/vfio_iommu_type1.c
+@@ -380,8 +380,8 @@ static int vaddr_get_pfn(struct mm_struc
+ vma = find_vma_intersection(mm, vaddr, vaddr + 1);
+
+ if (vma && vma->vm_flags & VM_PFNMAP) {
+- *pfn = ((vaddr - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff;
+- if (is_invalid_reserved_pfn(*pfn))
++ if (!follow_pfn(vma, vaddr, pfn) &&
++ is_invalid_reserved_pfn(*pfn))
+ ret = 0;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
