--- /dev/null
+From 6988a619f5b79e4efadea6e19dcfe75fbcd350b5 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <pc@cjr.nz>
+Date: Sat, 28 Nov 2020 15:57:06 -0300
+Subject: cifs: allow syscalls to be restarted in __smb_send_rqst()
+
+From: Paulo Alcantara <pc@cjr.nz>
+
+commit 6988a619f5b79e4efadea6e19dcfe75fbcd350b5 upstream.
+
+A customer has reported that several files in their multi-threaded app
+were left with size of 0 because most of the read(2) calls returned
+-EINTR and they assumed no bytes were read. Obviously, they could
+have fixed it by simply retrying on -EINTR.
+
+We noticed that most of the -EINTR on read(2) were due to real-time
+signals sent by glibc to process wide credential changes (SIGRT_1),
+and its signal handler had been established with SA_RESTART, in which
+case those calls could have been automatically restarted by the
+kernel.
+
+Let the kernel decide to whether or not restart the syscalls when
+there is a signal pending in __smb_send_rqst() by returning
+-ERESTARTSYS. If it can't, it will return -EINTR anyway.
+
+Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+CC: Stable <stable@vger.kernel.org>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/transport.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/transport.c
++++ b/fs/cifs/transport.c
+@@ -340,8 +340,8 @@ __smb_send_rqst(struct TCP_Server_Info *
+ return -EAGAIN;
+
+ if (signal_pending(current)) {
+- cifs_dbg(FYI, "signal is pending before sending any data\n");
+- return -EINTR;
++ cifs_dbg(FYI, "signal pending before send request\n");
++ return -ERESTARTSYS;
+ }
+
+ /* cork the socket */
--- /dev/null
+From 212253367dc7b49ed3fc194ce71b0992eacaecf2 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <pc@cjr.nz>
+Date: Sat, 28 Nov 2020 16:54:02 -0300
+Subject: cifs: fix potential use-after-free in cifs_echo_request()
+
+From: Paulo Alcantara <pc@cjr.nz>
+
+commit 212253367dc7b49ed3fc194ce71b0992eacaecf2 upstream.
+
+This patch fixes a potential use-after-free bug in
+cifs_echo_request().
+
+For instance,
+
+ thread 1
+ --------
+ cifs_demultiplex_thread()
+ clean_demultiplex_info()
+ kfree(server)
+
+ thread 2 (workqueue)
+ --------
+ apic_timer_interrupt()
+ smp_apic_timer_interrupt()
+ irq_exit()
+ __do_softirq()
+ run_timer_softirq()
+ call_timer_fn()
+ cifs_echo_request() <- use-after-free in server ptr
+
+Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+CC: Stable <stable@vger.kernel.org>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/connect.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -975,6 +975,8 @@ static void clean_demultiplex_info(struc
+ list_del_init(&server->tcp_ses_list);
+ spin_unlock(&cifs_tcp_ses_lock);
+
++ cancel_delayed_work_sync(&server->echo);
++
+ spin_lock(&GlobalMid_Lock);
+ server->tcpStatus = CifsExiting;
+ spin_unlock(&GlobalMid_Lock);
--- /dev/null
+From 2bf509d96d84c3336d08375e8af34d1b85ee71c8 Mon Sep 17 00:00:00 2001
+From: Menglong Dong <dong.menglong@zte.com.cn>
+Date: Sat, 5 Dec 2020 22:14:42 -0800
+Subject: coredump: fix core_pattern parse error
+
+From: Menglong Dong <dong.menglong@zte.com.cn>
+
+commit 2bf509d96d84c3336d08375e8af34d1b85ee71c8 upstream.
+
+'format_corename()' will splite 'core_pattern' on spaces when it is in
+pipe mode, and take helper_argv[0] as the path to usermode executable.
+It works fine in most cases.
+
+However, if there is a space between '|' and '/file/path', such as
+'| /usr/lib/systemd/systemd-coredump %P %u %g', then helper_argv[0] will
+be parsed as '', and users will get a 'Core dump to | disabled'.
+
+It is not friendly to users, as the pattern above was valid previously.
+Fix this by ignoring the spaces between '|' and '/file/path'.
+
+Fixes: 315c69261dd3 ("coredump: split pipe command whitespace before expanding template")
+Signed-off-by: Menglong Dong <dong.menglong@zte.com.cn>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Paul Wise <pabs3@bonedaddy.net>
+Cc: Jakub Wilk <jwilk@jwilk.net> [https://bugs.debian.org/924398]
+Cc: Neil Horman <nhorman@tuxdriver.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lkml.kernel.org/r/5fb62870.1c69fb81.8ef5d.af76@mx.google.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/coredump.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/coredump.c
++++ b/fs/coredump.c
+@@ -224,7 +224,8 @@ static int format_corename(struct core_n
+ */
+ if (ispipe) {
+ if (isspace(*pat_ptr)) {
+- was_space = true;
++ if (cn->used != 0)
++ was_space = true;
+ pat_ptr++;
+ continue;
+ } else if (was_space) {
--- /dev/null
+From 89478335718c98557f10470a9bc5c555b9261c4e Mon Sep 17 00:00:00 2001
+From: Sergei Shtepa <sergei.shtepa@veeam.com>
+Date: Wed, 11 Nov 2020 15:55:46 +0300
+Subject: dm: fix bug with RCU locking in dm_blk_report_zones
+
+From: Sergei Shtepa <sergei.shtepa@veeam.com>
+
+commit 89478335718c98557f10470a9bc5c555b9261c4e upstream.
+
+The dm_get_live_table() function makes RCU read lock so
+dm_put_live_table() must be called even if dm_table map is not found.
+
+Fixes: e76239a3748c9 ("block: add a report_zones method")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sergei Shtepa <sergei.shtepa@veeam.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -455,8 +455,10 @@ static int dm_blk_report_zones(struct ge
+ return -EAGAIN;
+
+ map = dm_get_live_table(md, &srcu_idx);
+- if (!map)
+- return -EIO;
++ if (!map) {
++ ret = -EIO;
++ goto out;
++ }
+
+ tgt = dm_table_find_target(map, sector);
+ if (!tgt) {
--- /dev/null
+From bde3808bc8c2741ad3d804f84720409aee0c2972 Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@redhat.com>
+Date: Fri, 4 Dec 2020 15:25:18 -0500
+Subject: dm: remove invalid sparse __acquires and __releases annotations
+
+From: Mike Snitzer <snitzer@redhat.com>
+
+commit bde3808bc8c2741ad3d804f84720409aee0c2972 upstream.
+
+Fixes sparse warnings:
+drivers/md/dm.c:508:12: warning: context imbalance in 'dm_prepare_ioctl' - wrong count at exit
+drivers/md/dm.c:543:13: warning: context imbalance in 'dm_unprepare_ioctl' - wrong count at exit
+
+Fixes: 971888c46993f ("dm: hold DM table for duration of ioctl rather than use blkdev_get")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -495,7 +495,6 @@ out:
+
+ static int dm_prepare_ioctl(struct mapped_device *md, int *srcu_idx,
+ struct block_device **bdev)
+- __acquires(md->io_barrier)
+ {
+ struct dm_target *tgt;
+ struct dm_table *map;
+@@ -529,7 +528,6 @@ retry:
+ }
+
+ static void dm_unprepare_ioctl(struct mapped_device *md, int srcu_idx)
+- __releases(md->io_barrier)
+ {
+ dm_put_live_table(md, srcu_idx);
+ }
--- /dev/null
+From 67aa3ec3dbc43d6e34401d9b2a40040ff7bb57af Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Tue, 10 Nov 2020 07:45:13 -0500
+Subject: dm writecache: fix the maximum number of arguments
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 67aa3ec3dbc43d6e34401d9b2a40040ff7bb57af upstream.
+
+Advance the maximum number of arguments to 16.
+This fixes issue where certain operations, combined with table
+configured args, exceed 10 arguments.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Fixes: 48debafe4f2f ("dm: add writecache target")
+Cc: stable@vger.kernel.org # v4.18+
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-writecache.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-writecache.c
++++ b/drivers/md/dm-writecache.c
+@@ -1889,7 +1889,7 @@ static int writecache_ctr(struct dm_targ
+ struct wc_memory_superblock s;
+
+ static struct dm_arg _args[] = {
+- {0, 10, "Invalid number of feature args"},
++ {0, 16, "Invalid number of feature args"},
+ };
+
+ as.argc = argc;
--- /dev/null
+From 777a7717d60ccdc9b84f35074f848d3f746fc3bf Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Thu, 26 Nov 2020 14:08:41 +0000
+Subject: drm/i915/gt: Program mocs:63 for cache eviction on gen9
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+commit 777a7717d60ccdc9b84f35074f848d3f746fc3bf upstream.
+
+Ville noticed that the last mocs entry is used unconditionally by the HW
+when it performs cache evictions, and noted that while the value is not
+meant to be writable by the driver, we should program it to a reasonable
+value nevertheless.
+
+As it turns out, we can change the value of mocs:63 and the value we
+were programming into it would cause hard hangs in conjunction with
+atomic operations.
+
+v2: Add details from bspec about how it is used by HW
+
+Suggested-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/2707
+Fixes: 3bbaba0ceaa2 ("drm/i915: Added Programming of the MOCS")
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Cc: Jason Ekstrand <jason@jlekstrand.net>
+Cc: <stable@vger.kernel.org> # v4.3+
+Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20201126140841.1982-1-chris@chris-wilson.co.uk
+(cherry picked from commit 977933b5da7c16f39295c4c1d4259a58ece65dbe)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/gt/intel_mocs.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/gt/intel_mocs.c
++++ b/drivers/gpu/drm/i915/gt/intel_mocs.c
+@@ -130,7 +130,19 @@ static const struct drm_i915_mocs_entry
+ GEN9_MOCS_ENTRIES,
+ MOCS_ENTRY(I915_MOCS_CACHED,
+ LE_3_WB | LE_TC_2_LLC_ELLC | LE_LRUM(3),
+- L3_3_WB)
++ L3_3_WB),
++
++ /*
++ * mocs:63
++ * - used by the L3 for all of its evictions.
++ * Thus it is expected to allow LLC cacheability to enable coherent
++ * flows to be maintained.
++ * - used to force L3 uncachable cycles.
++ * Thus it is expected to make the surface L3 uncacheable.
++ */
++ MOCS_ENTRY(63,
++ LE_3_WB | LE_TC_1_LLC | LE_LRUM(3),
++ L3_1_UC)
+ };
+
+ /* NOTE: the LE_TGT_CACHE is not used on Broxton */
--- /dev/null
+From 4c75b0ff4e4bf7a45b5aef9639799719c28d0073 Mon Sep 17 00:00:00 2001
+From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
+Date: Thu, 26 Nov 2020 23:38:38 +0530
+Subject: ftrace: Fix updating FTRACE_FL_TRAMP
+
+From: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+
+commit 4c75b0ff4e4bf7a45b5aef9639799719c28d0073 upstream.
+
+On powerpc, kprobe-direct.tc triggered FTRACE_WARN_ON() in
+ftrace_get_addr_new() followed by the below message:
+ Bad trampoline accounting at: 000000004222522f (wake_up_process+0xc/0x20) (f0000001)
+
+The set of steps leading to this involved:
+- modprobe ftrace-direct-too
+- enable_probe
+- modprobe ftrace-direct
+- rmmod ftrace-direct <-- trigger
+
+The problem turned out to be that we were not updating flags in the
+ftrace record properly. From the above message about the trampoline
+accounting being bad, it can be seen that the ftrace record still has
+FTRACE_FL_TRAMP set though ftrace-direct module is going away. This
+happens because we are checking if any ftrace_ops has the
+FTRACE_FL_TRAMP flag set _before_ updating the filter hash.
+
+The fix for this is to look for any _other_ ftrace_ops that also needs
+FTRACE_FL_TRAMP.
+
+Link: https://lkml.kernel.org/r/56c113aa9c3e10c19144a36d9684c7882bf09af5.1606412433.git.naveen.n.rao@linux.vnet.ibm.com
+
+Cc: stable@vger.kernel.org
+Fixes: a124692b698b0 ("ftrace: Enable trampoline when rec count returns back to one")
+Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ftrace.c | 22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -1626,6 +1626,8 @@ static bool test_rec_ops_needs_regs(stru
+ static struct ftrace_ops *
+ ftrace_find_tramp_ops_any(struct dyn_ftrace *rec);
+ static struct ftrace_ops *
++ftrace_find_tramp_ops_any_other(struct dyn_ftrace *rec, struct ftrace_ops *op_exclude);
++static struct ftrace_ops *
+ ftrace_find_tramp_ops_next(struct dyn_ftrace *rec, struct ftrace_ops *ops);
+
+ static bool __ftrace_hash_rec_update(struct ftrace_ops *ops,
+@@ -1763,7 +1765,7 @@ static bool __ftrace_hash_rec_update(str
+ * to it.
+ */
+ if (ftrace_rec_count(rec) == 1 &&
+- ftrace_find_tramp_ops_any(rec))
++ ftrace_find_tramp_ops_any_other(rec, ops))
+ rec->flags |= FTRACE_FL_TRAMP;
+ else
+ rec->flags &= ~FTRACE_FL_TRAMP;
+@@ -2185,6 +2187,24 @@ ftrace_find_tramp_ops_any(struct dyn_ftr
+ continue;
+
+ if (hash_contains_ip(ip, op->func_hash))
++ return op;
++ } while_for_each_ftrace_op(op);
++
++ return NULL;
++}
++
++static struct ftrace_ops *
++ftrace_find_tramp_ops_any_other(struct dyn_ftrace *rec, struct ftrace_ops *op_exclude)
++{
++ struct ftrace_ops *op;
++ unsigned long ip = rec->ip;
++
++ do_for_each_ftrace_op(op, ftrace_ops_list) {
++
++ if (op == op_exclude || !op->trampoline)
++ continue;
++
++ if (hash_contains_ip(ip, op->func_hash))
+ return op;
+ } while_for_each_ftrace_op(op);
+
--- /dev/null
+From 61e6fe59ede155881a622f5901551b1cc8748f6a Mon Sep 17 00:00:00 2001
+From: Christian Eggers <ceggers@arri.de>
+Date: Fri, 9 Oct 2020 13:03:20 +0200
+Subject: i2c: imx: Don't generate STOP condition if arbitration has been lost
+
+From: Christian Eggers <ceggers@arri.de>
+
+commit 61e6fe59ede155881a622f5901551b1cc8748f6a upstream.
+
+If arbitration is lost, the master automatically changes to slave mode.
+I2SR_IBB may or may not be reset by hardware. Raising a STOP condition
+by resetting I2CR_MSTA has no effect and will not clear I2SR_IBB.
+
+So calling i2c_imx_bus_busy() is not required and would busy-wait until
+timeout.
+
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Tested (not extensively) on Vybrid VF500 (Toradex VF50):
+Tested-by: Krzysztof Kozlowski <krzk@kernel.org>
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Cc: stable@vger.kernel.org # Requires trivial backporting, simple remove
+ # the 3rd argument from the calls to
+ # i2c_imx_bus_busy().
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-imx.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-imx.c
++++ b/drivers/i2c/busses/i2c-imx.c
+@@ -567,6 +567,8 @@ static void i2c_imx_stop(struct imx_i2c_
+ /* Stop I2C transaction */
+ dev_dbg(&i2c_imx->adapter.dev, "<%s>\n", __func__);
+ temp = imx_i2c_read_reg(i2c_imx, IMX_I2C_I2CR);
++ if (!(temp & I2CR_MSTA))
++ i2c_imx->stopped = 1;
+ temp &= ~(I2CR_MSTA | I2CR_MTX);
+ if (i2c_imx->dma)
+ temp &= ~I2CR_DMAEN;
+@@ -732,9 +734,12 @@ static int i2c_imx_dma_read(struct imx_i
+ */
+ dev_dbg(dev, "<%s> clear MSTA\n", __func__);
+ temp = imx_i2c_read_reg(i2c_imx, IMX_I2C_I2CR);
++ if (!(temp & I2CR_MSTA))
++ i2c_imx->stopped = 1;
+ temp &= ~(I2CR_MSTA | I2CR_MTX);
+ imx_i2c_write_reg(temp, i2c_imx, IMX_I2C_I2CR);
+- i2c_imx_bus_busy(i2c_imx, 0);
++ if (!i2c_imx->stopped)
++ i2c_imx_bus_busy(i2c_imx, 0);
+ } else {
+ /*
+ * For i2c master receiver repeat restart operation like:
+@@ -857,9 +862,12 @@ static int i2c_imx_read(struct imx_i2c_s
+ dev_dbg(&i2c_imx->adapter.dev,
+ "<%s> clear MSTA\n", __func__);
+ temp = imx_i2c_read_reg(i2c_imx, IMX_I2C_I2CR);
++ if (!(temp & I2CR_MSTA))
++ i2c_imx->stopped = 1;
+ temp &= ~(I2CR_MSTA | I2CR_MTX);
+ imx_i2c_write_reg(temp, i2c_imx, IMX_I2C_I2CR);
+- i2c_imx_bus_busy(i2c_imx, 0);
++ if (!i2c_imx->stopped)
++ i2c_imx_bus_busy(i2c_imx, 0);
+ } else {
+ /*
+ * For i2c master receiver repeat restart operation like:
--- /dev/null
+From a1ee28117077c3bf24e5ab6324c835eaab629c45 Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Sat, 28 Nov 2020 17:07:21 +1000
+Subject: powerpc/64s/powernv: Fix memory corruption when saving SLB entries on MCE
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+commit a1ee28117077c3bf24e5ab6324c835eaab629c45 upstream.
+
+This can be hit by an HPT guest running on an HPT host and bring down
+the host, so it's quite important to fix.
+
+Fixes: 7290f3b3d3e6 ("powerpc/64s/powernv: machine check dump SLB contents")
+Cc: stable@vger.kernel.org # v5.4+
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Acked-by: Mahesh Salgaonkar <mahesh@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20201128070728.825934-2-npiggin@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/powernv/setup.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/platforms/powernv/setup.c
++++ b/arch/powerpc/platforms/powernv/setup.c
+@@ -186,11 +186,16 @@ static void __init pnv_init(void)
+ add_preferred_console("hvc", 0, NULL);
+
+ if (!radix_enabled()) {
++ size_t size = sizeof(struct slb_entry) * mmu_slb_size;
+ int i;
+
+ /* Allocate per cpu area to save old slb contents during MCE */
+- for_each_possible_cpu(i)
+- paca_ptrs[i]->mce_faulty_slbs = memblock_alloc_node(mmu_slb_size, __alignof__(*paca_ptrs[i]->mce_faulty_slbs), cpu_to_node(i));
++ for_each_possible_cpu(i) {
++ paca_ptrs[i]->mce_faulty_slbs =
++ memblock_alloc_node(size,
++ __alignof__(struct slb_entry),
++ cpu_to_node(i));
++ }
+ }
+ }
+
--- /dev/null
+From 9ea69a55b3b9a71cded9726af591949c1138f235 Mon Sep 17 00:00:00 2001
+From: Laurent Vivier <lvivier@redhat.com>
+Date: Thu, 26 Nov 2020 09:28:52 +0100
+Subject: powerpc/pseries: Pass MSI affinity to irq_create_mapping()
+
+From: Laurent Vivier <lvivier@redhat.com>
+
+commit 9ea69a55b3b9a71cded9726af591949c1138f235 upstream.
+
+With virtio multiqueue, normally each queue IRQ is mapped to a CPU.
+
+Commit 0d9f0a52c8b9f ("virtio_scsi: use virtio IRQ affinity") exposed
+an existing shortcoming of the arch code by moving virtio_scsi to
+the automatic IRQ affinity assignment.
+
+The affinity is correctly computed in msi_desc but this is not applied
+to the system IRQs.
+
+It appears the affinity is correctly passed to rtas_setup_msi_irqs() but
+lost at this point and never passed to irq_domain_alloc_descs()
+(see commit 06ee6d571f0e ("genirq: Add affinity hint to irq allocation"))
+because irq_create_mapping() doesn't take an affinity parameter.
+
+Use the new irq_create_mapping_affinity() function, which allows to forward
+the affinity setting from rtas_setup_msi_irqs() to irq_domain_alloc_descs().
+
+With this change, the virtqueues are correctly dispatched between the CPUs
+on pseries.
+
+Fixes: e75eafb9b039 ("genirq/msi: Switch to new irq spreading infrastructure")
+Signed-off-by: Laurent Vivier <lvivier@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Acked-by: Michael Ellerman <mpe@ellerman.id.au>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20201126082852.1178497-3-lvivier@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/pseries/msi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/pseries/msi.c
++++ b/arch/powerpc/platforms/pseries/msi.c
+@@ -458,7 +458,8 @@ again:
+ return hwirq;
+ }
+
+- virq = irq_create_mapping(NULL, hwirq);
++ virq = irq_create_mapping_affinity(NULL, hwirq,
++ entry->affinity);
+
+ if (!virq) {
+ pr_debug("rtas_msi: Failed mapping hwirq %d\n", hwirq);
--- /dev/null
+From a2bd4097b3ec242f4de4924db463a9c94530e03a Mon Sep 17 00:00:00 2001
+From: Alexander Gordeev <agordeev@linux.ibm.com>
+Date: Thu, 26 Nov 2020 18:00:37 +0100
+Subject: s390/pci: fix CPU address in MSI for directed IRQ
+
+From: Alexander Gordeev <agordeev@linux.ibm.com>
+
+commit a2bd4097b3ec242f4de4924db463a9c94530e03a upstream.
+
+The directed MSIs are delivered to CPUs whose address is
+written to the MSI message address. The current code assumes
+that a CPU logical number (as it is seen by the kernel)
+is also the CPU address.
+
+The above assumption is not correct, as the CPU address
+is rather the value returned by STAP instruction. That
+value does not necessarily match the kernel logical CPU
+number.
+
+Fixes: e979ce7bced2 ("s390/pci: provide support for CPU directed interrupts")
+Cc: <stable@vger.kernel.org> # v5.2+
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Reviewed-by: Halil Pasic <pasic@linux.ibm.com>
+Reviewed-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/pci/pci_irq.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/arch/s390/pci/pci_irq.c
++++ b/arch/s390/pci/pci_irq.c
+@@ -103,9 +103,10 @@ static int zpci_set_irq_affinity(struct
+ {
+ struct msi_desc *entry = irq_get_msi_desc(data->irq);
+ struct msi_msg msg = entry->msg;
++ int cpu_addr = smp_cpu_get_cpu_address(cpumask_first(dest));
+
+ msg.address_lo &= 0xff0000ff;
+- msg.address_lo |= (cpumask_first(dest) << 8);
++ msg.address_lo |= (cpu_addr << 8);
+ pci_write_msi_msg(data->irq, &msg);
+
+ return IRQ_SET_MASK_OK;
+@@ -238,6 +239,7 @@ int arch_setup_msi_irqs(struct pci_dev *
+ unsigned long bit;
+ struct msi_desc *msi;
+ struct msi_msg msg;
++ int cpu_addr;
+ int rc, irq;
+
+ zdev->aisb = -1UL;
+@@ -287,9 +289,15 @@ int arch_setup_msi_irqs(struct pci_dev *
+ handle_percpu_irq);
+ msg.data = hwirq - bit;
+ if (irq_delivery == DIRECTED) {
++ if (msi->affinity)
++ cpu = cpumask_first(&msi->affinity->mask);
++ else
++ cpu = 0;
++ cpu_addr = smp_cpu_get_cpu_address(cpu);
++
+ msg.address_lo = zdev->msi_addr & 0xff0000ff;
+- msg.address_lo |= msi->affinity ?
+- (cpumask_first(&msi->affinity->mask) << 8) : 0;
++ msg.address_lo |= (cpu_addr << 8);
++
+ for_each_possible_cpu(cpu) {
+ airq_iv_set_data(zpci_ibv[cpu], hwirq, irq);
+ }
--- /dev/null
+From 42f687038bcc34aa919e0e4c29b04e4cda3f6a79 Mon Sep 17 00:00:00 2001
+From: Suganath Prabu S <suganath-prabu.subramani@broadcom.com>
+Date: Wed, 25 Nov 2020 15:18:38 +0530
+Subject: scsi: mpt3sas: Fix ioctl timeout
+
+From: Suganath Prabu S <suganath-prabu.subramani@broadcom.com>
+
+commit 42f687038bcc34aa919e0e4c29b04e4cda3f6a79 upstream.
+
+Commit c1a6c5ac4278 ("scsi: mpt3sas: For NVME device, issue a protocol
+level reset") modified the ioctl path 'timeout' variable type to u8 from
+unsigned long, limiting the maximum timeout value that the driver can
+support to 255 seconds.
+
+If the management application is requesting a higher value the resulting
+timeout will be zero. The operation times out immediately and the ioctl
+request fails.
+
+Change datatype back to unsigned long.
+
+Link: https://lore.kernel.org/r/20201125094838.4340-1-suganath-prabu.subramani@broadcom.com
+Fixes: c1a6c5ac4278 ("scsi: mpt3sas: For NVME device, issue a protocol level reset")
+Cc: <stable@vger.kernel.org> #v4.18+
+Signed-off-by: Suganath Prabu S <suganath-prabu.subramani@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/mpt3sas/mpt3sas_ctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
+@@ -650,7 +650,7 @@ _ctl_do_mpt_command(struct MPT3SAS_ADAPT
+ Mpi26NVMeEncapsulatedRequest_t *nvme_encap_request = NULL;
+ struct _pcie_device *pcie_device = NULL;
+ u16 smid;
+- u8 timeout;
++ unsigned long timeout;
+ u8 issue_reset;
+ u32 sz, sz_arg;
+ void *psge;
alsa-hda-realtek-enable-headset-of-asus-ux482eg-b9400cea-with-alc294.patch
alsa-hda-realtek-add-new-codec-supported-for-alc897.patch
alsa-hda-generic-add-option-to-enforce-preferred_dacs-pairs.patch
+ftrace-fix-updating-ftrace_fl_tramp.patch
+cifs-allow-syscalls-to-be-restarted-in-__smb_send_rqst.patch
+cifs-fix-potential-use-after-free-in-cifs_echo_request.patch
+s390-pci-fix-cpu-address-in-msi-for-directed-irq.patch
+i2c-imx-don-t-generate-stop-condition-if-arbitration-has-been-lost.patch
+thunderbolt-fix-use-after-free-in-remove_unplugged_switch.patch
+drm-i915-gt-program-mocs-63-for-cache-eviction-on-gen9.patch
+scsi-mpt3sas-fix-ioctl-timeout.patch
+dm-writecache-fix-the-maximum-number-of-arguments.patch
+powerpc-64s-powernv-fix-memory-corruption-when-saving-slb-entries-on-mce.patch
+powerpc-pseries-pass-msi-affinity-to-irq_create_mapping.patch
+dm-fix-bug-with-rcu-locking-in-dm_blk_report_zones.patch
+dm-remove-invalid-sparse-__acquires-and-__releases-annotations.patch
+x86-uprobes-do-not-use-prefixes.nbytes-when-looping-over-prefixes.bytes.patch
+coredump-fix-core_pattern-parse-error.patch
--- /dev/null
+From 600c0849cf86b75d86352f59745226273290986a Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Wed, 18 Nov 2020 13:08:21 +0200
+Subject: thunderbolt: Fix use-after-free in remove_unplugged_switch()
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+commit 600c0849cf86b75d86352f59745226273290986a upstream.
+
+Paulian reported a crash that happens when a dock is unplugged during
+hibernation:
+
+[78436.228217] thunderbolt 0-1: device disconnected
+[78436.228365] BUG: kernel NULL pointer dereference, address: 00000000000001e0
+...
+[78436.228397] RIP: 0010:icm_free_unplugged_children+0x109/0x1a0
+...
+[78436.228432] Call Trace:
+[78436.228439] icm_rescan_work+0x24/0x30
+[78436.228444] process_one_work+0x1a3/0x3a0
+[78436.228449] worker_thread+0x30/0x370
+[78436.228454] ? process_one_work+0x3a0/0x3a0
+[78436.228457] kthread+0x13d/0x160
+[78436.228461] ? kthread_park+0x90/0x90
+[78436.228465] ret_from_fork+0x1f/0x30
+
+This happens because remove_unplugged_switch() calls tb_switch_remove()
+that releases the memory pointed by sw so the following lines reference
+to a memory that might be released already.
+
+Fix this by saving pointer to the parent device before calling
+tb_switch_remove().
+
+Reported-by: Paulian Bogdan Marinca <paulian@marinca.net>
+Fixes: 4f7c2e0d8765 ("thunderbolt: Make sure device runtime resume completes before taking domain lock")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/thunderbolt/icm.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/thunderbolt/icm.c
++++ b/drivers/thunderbolt/icm.c
+@@ -1919,7 +1919,9 @@ static int complete_rpm(struct device *d
+
+ static void remove_unplugged_switch(struct tb_switch *sw)
+ {
+- pm_runtime_get_sync(sw->dev.parent);
++ struct device *parent = get_device(sw->dev.parent);
++
++ pm_runtime_get_sync(parent);
+
+ /*
+ * Signal this and switches below for rpm_complete because
+@@ -1930,8 +1932,10 @@ static void remove_unplugged_switch(stru
+ bus_for_each_dev(&tb_bus_type, &sw->dev, NULL, complete_rpm);
+ tb_switch_remove(sw);
+
+- pm_runtime_mark_last_busy(sw->dev.parent);
+- pm_runtime_put_autosuspend(sw->dev.parent);
++ pm_runtime_mark_last_busy(parent);
++ pm_runtime_put_autosuspend(parent);
++
++ put_device(parent);
+ }
+
+ static void icm_free_unplugged_children(struct tb_switch *sw)
--- /dev/null
+From 4e9a5ae8df5b3365183150f6df49e49dece80d8c Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Thu, 3 Dec 2020 13:50:37 +0900
+Subject: x86/uprobes: Do not use prefixes.nbytes when looping over prefixes.bytes
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+commit 4e9a5ae8df5b3365183150f6df49e49dece80d8c upstream.
+
+Since insn.prefixes.nbytes can be bigger than the size of
+insn.prefixes.bytes[] when a prefix is repeated, the proper check must
+be
+
+ insn.prefixes.bytes[i] != 0 and i < 4
+
+instead of using insn.prefixes.nbytes.
+
+Introduce a for_each_insn_prefix() macro for this purpose. Debugged by
+Kees Cook <keescook@chromium.org>.
+
+ [ bp: Massage commit message, sync with the respective header in tools/
+ and drop "we". ]
+
+Fixes: 2b1444983508 ("uprobes, mm, x86: Add the ability to install and remove uprobes breakpoints")
+Reported-by: syzbot+9b64b619f10f19d19a7c@syzkaller.appspotmail.com
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/160697103739.3146288.7437620795200799020.stgit@devnote2
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/insn.h | 15 +++++++++++++++
+ arch/x86/kernel/uprobes.c | 10 ++++++----
+ tools/arch/x86/include/asm/insn.h | 15 +++++++++++++++
+ 3 files changed, 36 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/include/asm/insn.h
++++ b/arch/x86/include/asm/insn.h
+@@ -195,6 +195,21 @@ static inline int insn_offset_immediate(
+ return insn_offset_displacement(insn) + insn->displacement.nbytes;
+ }
+
++/**
++ * for_each_insn_prefix() -- Iterate prefixes in the instruction
++ * @insn: Pointer to struct insn.
++ * @idx: Index storage.
++ * @prefix: Prefix byte.
++ *
++ * Iterate prefix bytes of given @insn. Each prefix byte is stored in @prefix
++ * and the index is stored in @idx (note that this @idx is just for a cursor,
++ * do not change it.)
++ * Since prefixes.nbytes can be bigger than 4 if some prefixes
++ * are repeated, it cannot be used for looping over the prefixes.
++ */
++#define for_each_insn_prefix(insn, idx, prefix) \
++ for (idx = 0; idx < ARRAY_SIZE(insn->prefixes.bytes) && (prefix = insn->prefixes.bytes[idx]) != 0; idx++)
++
+ #define POP_SS_OPCODE 0x1f
+ #define MOV_SREG_OPCODE 0x8e
+
+--- a/arch/x86/kernel/uprobes.c
++++ b/arch/x86/kernel/uprobes.c
+@@ -255,12 +255,13 @@ static volatile u32 good_2byte_insns[256
+
+ static bool is_prefix_bad(struct insn *insn)
+ {
++ insn_byte_t p;
+ int i;
+
+- for (i = 0; i < insn->prefixes.nbytes; i++) {
++ for_each_insn_prefix(insn, i, p) {
+ insn_attr_t attr;
+
+- attr = inat_get_opcode_attribute(insn->prefixes.bytes[i]);
++ attr = inat_get_opcode_attribute(p);
+ switch (attr) {
+ case INAT_MAKE_PREFIX(INAT_PFX_ES):
+ case INAT_MAKE_PREFIX(INAT_PFX_CS):
+@@ -715,6 +716,7 @@ static const struct uprobe_xol_ops push_
+ static int branch_setup_xol_ops(struct arch_uprobe *auprobe, struct insn *insn)
+ {
+ u8 opc1 = OPCODE1(insn);
++ insn_byte_t p;
+ int i;
+
+ switch (opc1) {
+@@ -746,8 +748,8 @@ static int branch_setup_xol_ops(struct a
+ * Intel and AMD behavior differ in 64-bit mode: Intel ignores 66 prefix.
+ * No one uses these insns, reject any branch insns with such prefix.
+ */
+- for (i = 0; i < insn->prefixes.nbytes; i++) {
+- if (insn->prefixes.bytes[i] == 0x66)
++ for_each_insn_prefix(insn, i, p) {
++ if (p == 0x66)
+ return -ENOTSUPP;
+ }
+
+--- a/tools/arch/x86/include/asm/insn.h
++++ b/tools/arch/x86/include/asm/insn.h
+@@ -195,6 +195,21 @@ static inline int insn_offset_immediate(
+ return insn_offset_displacement(insn) + insn->displacement.nbytes;
+ }
+
++/**
++ * for_each_insn_prefix() -- Iterate prefixes in the instruction
++ * @insn: Pointer to struct insn.
++ * @idx: Index storage.
++ * @prefix: Prefix byte.
++ *
++ * Iterate prefix bytes of given @insn. Each prefix byte is stored in @prefix
++ * and the index is stored in @idx (note that this @idx is just for a cursor,
++ * do not change it.)
++ * Since prefixes.nbytes can be bigger than 4 if some prefixes
++ * are repeated, it cannot be used for looping over the prefixes.
++ */
++#define for_each_insn_prefix(insn, idx, prefix) \
++ for (idx = 0; idx < ARRAY_SIZE(insn->prefixes.bytes) && (prefix = insn->prefixes.bytes[idx]) != 0; idx++)
++
+ #define POP_SS_OPCODE 0x1f
+ #define MOV_SREG_OPCODE 0x8e
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
