5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 30 Mar 2020 12:23:10 +0000 (14:23 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 30 Mar 2020 12:23:10 +0000 (14:23 +0200)
added patches:
arm-dts-dra7-add-bus_dma_limit-for-l3-bus.patch
arm-dts-omap5-add-bus_dma_limit-for-l3-bus.patch
ceph-check-pool_flag_full-nearfull-in-addition-to-osdmap_full-nearfull.patch
ceph-fix-memory-leak-in-ceph_cleanup_snapid_map.patch
drivers-base-memory.c-indicate-all-memory-blocks-as-removable.patch
gpiolib-fix-irq_disable-semantics.patch
mac80211-check-port-authorization-in-the-ieee80211_tx_dequeue-case.patch
mac80211-drop-data-frames-without-key-on-encrypted-links.patch
mac80211-mark-station-unauthorized-before-key-removal.patch
mm-sparse-fix-kernel-crash-with-pfn_section_valid-check.patch
mm-swapfile.c-move-inode_lock-out-of-claim_swapfile.patch
nl80211-fix-nl80211_attr_channel_width-attribute-type.patch
perf-probe-do-not-depend-on-dwfl_module_addrsym.patch
perf-probe-fix-to-delete-multiple-probe-event.patch
rdma-mad-do-not-crash-if-the-rdma-device-does-not-have-a-umad-interface.patch
rdma-nl-do-not-permit-empty-devices-names-during-rdma_nldev_cmd_newlink-set.patch
rtlwifi-rtl8188ee-fix-regression-due-to-commit-d1d1a96bdb44.patch
scripts-dtc-remove-redundant-yyloc-global-declaration.patch
scsi-sd-fix-optimal-i-o-size-for-devices-that-change-reported-values.patch
tools-let-o-makes-handle-a-relative-path-with-c-option.patch
x86-ioremap-fix-config_efi-n-build.patch

22 files changed:
queue-5.4/arm-dts-dra7-add-bus_dma_limit-for-l3-bus.patch [new file with mode: 0644]
queue-5.4/arm-dts-omap5-add-bus_dma_limit-for-l3-bus.patch [new file with mode: 0644]
queue-5.4/ceph-check-pool_flag_full-nearfull-in-addition-to-osdmap_full-nearfull.patch [new file with mode: 0644]
queue-5.4/ceph-fix-memory-leak-in-ceph_cleanup_snapid_map.patch [new file with mode: 0644]
queue-5.4/drivers-base-memory.c-indicate-all-memory-blocks-as-removable.patch [new file with mode: 0644]
queue-5.4/gpiolib-fix-irq_disable-semantics.patch [new file with mode: 0644]
queue-5.4/mac80211-check-port-authorization-in-the-ieee80211_tx_dequeue-case.patch [new file with mode: 0644]
queue-5.4/mac80211-drop-data-frames-without-key-on-encrypted-links.patch [new file with mode: 0644]
queue-5.4/mac80211-mark-station-unauthorized-before-key-removal.patch [new file with mode: 0644]
queue-5.4/mm-sparse-fix-kernel-crash-with-pfn_section_valid-check.patch [new file with mode: 0644]
queue-5.4/mm-swapfile.c-move-inode_lock-out-of-claim_swapfile.patch [new file with mode: 0644]
queue-5.4/nl80211-fix-nl80211_attr_channel_width-attribute-type.patch [new file with mode: 0644]
queue-5.4/perf-probe-do-not-depend-on-dwfl_module_addrsym.patch [new file with mode: 0644]
queue-5.4/perf-probe-fix-to-delete-multiple-probe-event.patch [new file with mode: 0644]
queue-5.4/rdma-mad-do-not-crash-if-the-rdma-device-does-not-have-a-umad-interface.patch [new file with mode: 0644]
queue-5.4/rdma-nl-do-not-permit-empty-devices-names-during-rdma_nldev_cmd_newlink-set.patch [new file with mode: 0644]
queue-5.4/rtlwifi-rtl8188ee-fix-regression-due-to-commit-d1d1a96bdb44.patch [new file with mode: 0644]
queue-5.4/scripts-dtc-remove-redundant-yyloc-global-declaration.patch [new file with mode: 0644]
queue-5.4/scsi-sd-fix-optimal-i-o-size-for-devices-that-change-reported-values.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/tools-let-o-makes-handle-a-relative-path-with-c-option.patch [new file with mode: 0644]
queue-5.4/x86-ioremap-fix-config_efi-n-build.patch [new file with mode: 0644]

diff --git a/queue-5.4/arm-dts-dra7-add-bus_dma_limit-for-l3-bus.patch b/queue-5.4/arm-dts-dra7-add-bus_dma_limit-for-l3-bus.patch
new file mode 100644 (file)
index 0000000..c1484e3
--- /dev/null
@@ -0,0 +1,45 @@
+From cfb5d65f25959f724081bae8445a0241db606af6 Mon Sep 17 00:00:00 2001
+From: Roger Quadros <rogerq@ti.com>
+Date: Fri, 13 Mar 2020 11:47:17 +0200
+Subject: ARM: dts: dra7: Add bus_dma_limit for L3 bus
+
+From: Roger Quadros <rogerq@ti.com>
+
+commit cfb5d65f25959f724081bae8445a0241db606af6 upstream.
+
+The L3 interconnect's memory map is from 0x0 to
+0xffffffff. Out of this, System memory (SDRAM) can be
+accessed from 0x80000000 to 0xffffffff (2GB)
+
+DRA7 does support 4GB of SDRAM but upper 2GB can only be
+accessed by the MPU subsystem.
+
+Add the dma-ranges property to reflect the physical address limit
+of the L3 bus.
+
+Issues ere observed only with SATA on DRA7-EVM with 4GB RAM
+and CONFIG_ARM_LPAE enabled. This is because the controller
+supports 64-bit DMA and its driver sets the dma_mask to 64-bit
+thus resulting in DMA accesses beyond L3 limit of 2G.
+
+Setting the correct bus_dma_limit fixes the issue.
+
+Signed-off-by: Roger Quadros <rogerq@ti.com>
+Cc: stable@kernel.org
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/dra7.dtsi |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/boot/dts/dra7.dtsi
++++ b/arch/arm/boot/dts/dra7.dtsi
+@@ -148,6 +148,7 @@
+               #address-cells = <1>;
+               #size-cells = <1>;
+               ranges = <0x0 0x0 0x0 0xc0000000>;
++              dma-ranges = <0x80000000 0x0 0x80000000 0x80000000>;
+               ti,hwmods = "l3_main_1", "l3_main_2";
+               reg = <0x0 0x44000000 0x0 0x1000000>,
+                     <0x0 0x45000000 0x0 0x1000>;
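Review bot: The added `dma-ranges` line in the L3 node has no comment, and its cell layout is easy to misread next to `ranges`. With `#address-cells = <1>` and `#size-cells = <1>` visible in the context, the entry appears to be one child-address cell, two parent-address cells and one size cell, which presumes the parent node uses two address cells; that parent is outside the hunk. I would add `/* DMA through L3 reaches SDRAM only at 0x80000000-0xffffffff (2GB) */` above the property so the limit is not widened by mistake later. The same applies to the identical line added to omap5.dtsi in the next patch.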
diff --git a/queue-5.4/arm-dts-omap5-add-bus_dma_limit-for-l3-bus.patch b/queue-5.4/arm-dts-omap5-add-bus_dma_limit-for-l3-bus.patch
new file mode 100644 (file)
index 0000000..6583a8a
--- /dev/null
@@ -0,0 +1,38 @@
+From dfa7ea303f56a3a8b1ed3b91ef35af2da67ca4ee Mon Sep 17 00:00:00 2001
+From: Roger Quadros <rogerq@ti.com>
+Date: Mon, 16 Mar 2020 12:27:31 +0200
+Subject: ARM: dts: omap5: Add bus_dma_limit for L3 bus
+
+From: Roger Quadros <rogerq@ti.com>
+
+commit dfa7ea303f56a3a8b1ed3b91ef35af2da67ca4ee upstream.
+
+The L3 interconnect's memory map is from 0x0 to
+0xffffffff. Out of this, System memory (SDRAM) can be
+accessed from 0x80000000 to 0xffffffff (2GB)
+
+OMAP5 does support 4GB of SDRAM but upper 2GB can only be
+accessed by the MPU subsystem.
+
+Add the dma-ranges property to reflect the physical address limit
+of the L3 bus.
+
+Cc: stable@kernel.org
+Signed-off-by: Roger Quadros <rogerq@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/omap5.dtsi |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/boot/dts/omap5.dtsi
++++ b/arch/arm/boot/dts/omap5.dtsi
+@@ -143,6 +143,7 @@
+               #address-cells = <1>;
+               #size-cells = <1>;
+               ranges = <0 0 0 0xc0000000>;
++              dma-ranges = <0x80000000 0x0 0x80000000 0x80000000>;
+               ti,hwmods = "l3_main_1", "l3_main_2", "l3_main_3";
+               reg = <0 0x44000000 0 0x2000>,
+                     <0 0x44800000 0 0x3000>,
diff --git a/queue-5.4/ceph-check-pool_flag_full-nearfull-in-addition-to-osdmap_full-nearfull.patch b/queue-5.4/ceph-check-pool_flag_full-nearfull-in-addition-to-osdmap_full-nearfull.patch
new file mode 100644 (file)
index 0000000..62535c7
--- /dev/null
@@ -0,0 +1,134 @@
+From 7614209736fbc4927584d4387faade4f31444fce Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Mon, 9 Mar 2020 12:03:14 +0100
+Subject: ceph: check POOL_FLAG_FULL/NEARFULL in addition to OSDMAP_FULL/NEARFULL
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit 7614209736fbc4927584d4387faade4f31444fce upstream.
+
+CEPH_OSDMAP_FULL/NEARFULL aren't set since mimic, so we need to consult
+per-pool flags as well.  Unfortunately the backwards compatibility here
+is lacking:
+
+- the change that deprecated OSDMAP_FULL/NEARFULL went into mimic, but
+  was guarded by require_osd_release >= RELEASE_LUMINOUS
+- it was subsequently backported to luminous in v12.2.2, but that makes
+  no difference to clients that only check OSDMAP_FULL/NEARFULL because
+  require_osd_release is not client-facing -- it is for OSDs
+
+Since all kernels are affected, the best we can do here is just start
+checking both map flags and pool flags and send that to stable.
+
+These checks are best effort, so take osdc->lock and look up pool flags
+just once.  Remove the FIXME, since filesystem quotas are checked above
+and RADOS quotas are reflected in POOL_FLAG_FULL: when the pool reaches
+its quota, both POOL_FLAG_FULL and POOL_FLAG_FULL_QUOTA are set.
+
+Cc: stable@vger.kernel.org
+Reported-by: Yanhu Cao <gmayyyha@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Acked-by: Sage Weil <sage@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ceph/file.c              |   14 +++++++++++---
+ include/linux/ceph/osdmap.h |    4 ++++
+ include/linux/ceph/rados.h  |    6 ++++--
+ net/ceph/osdmap.c           |    9 +++++++++
+ 4 files changed, 28 insertions(+), 5 deletions(-)
+
+--- a/fs/ceph/file.c
++++ b/fs/ceph/file.c
+@@ -1415,10 +1415,13 @@ static ssize_t ceph_write_iter(struct ki
+       struct inode *inode = file_inode(file);
+       struct ceph_inode_info *ci = ceph_inode(inode);
+       struct ceph_fs_client *fsc = ceph_inode_to_client(inode);
++      struct ceph_osd_client *osdc = &fsc->client->osdc;
+       struct ceph_cap_flush *prealloc_cf;
+       ssize_t count, written = 0;
+       int err, want, got;
+       bool direct_lock = false;
++      u32 map_flags;
++      u64 pool_flags;
+       loff_t pos;
+       loff_t limit = max(i_size_read(inode), fsc->max_file_size);
+@@ -1481,8 +1484,12 @@ retry_snap:
+                       goto out;
+       }
+-      /* FIXME: not complete since it doesn't account for being at quota */
+-      if (ceph_osdmap_flag(&fsc->client->osdc, CEPH_OSDMAP_FULL)) {
++      down_read(&osdc->lock);
++      map_flags = osdc->osdmap->flags;
++      pool_flags = ceph_pg_pool_flags(osdc->osdmap, ci->i_layout.pool_id);
++      up_read(&osdc->lock);
++      if ((map_flags & CEPH_OSDMAP_FULL) ||
++          (pool_flags & CEPH_POOL_FLAG_FULL)) {
+               err = -ENOSPC;
+               goto out;
+       }
+@@ -1575,7 +1582,8 @@ retry_snap:
+       }
+       if (written >= 0) {
+-              if (ceph_osdmap_flag(&fsc->client->osdc, CEPH_OSDMAP_NEARFULL))
++              if ((map_flags & CEPH_OSDMAP_NEARFULL) ||
++                  (pool_flags & CEPH_POOL_FLAG_NEARFULL))
+                       iocb->ki_flags |= IOCB_DSYNC;
+               written = generic_write_sync(iocb, written);
+       }
+--- a/include/linux/ceph/osdmap.h
++++ b/include/linux/ceph/osdmap.h
+@@ -37,6 +37,9 @@ int ceph_spg_compare(const struct ceph_s
+ #define CEPH_POOL_FLAG_HASHPSPOOL     (1ULL << 0) /* hash pg seed and pool id
+                                                      together */
+ #define CEPH_POOL_FLAG_FULL           (1ULL << 1) /* pool is full */
++#define CEPH_POOL_FLAG_FULL_QUOTA     (1ULL << 10) /* pool ran out of quota,
++                                                      will set FULL too */
++#define CEPH_POOL_FLAG_NEARFULL               (1ULL << 11) /* pool is nearfull */
+ struct ceph_pg_pool_info {
+       struct rb_node node;
+@@ -304,5 +307,6 @@ extern struct ceph_pg_pool_info *ceph_pg
+ extern const char *ceph_pg_pool_name_by_id(struct ceph_osdmap *map, u64 id);
+ extern int ceph_pg_poolid_by_name(struct ceph_osdmap *map, const char *name);
++u64 ceph_pg_pool_flags(struct ceph_osdmap *map, u64 id);
+ #endif
+--- a/include/linux/ceph/rados.h
++++ b/include/linux/ceph/rados.h
+@@ -143,8 +143,10 @@ extern const char *ceph_osd_state_name(i
+ /*
+  * osd map flag bits
+  */
+-#define CEPH_OSDMAP_NEARFULL (1<<0)  /* sync writes (near ENOSPC) */
+-#define CEPH_OSDMAP_FULL     (1<<1)  /* no data writes (ENOSPC) */
++#define CEPH_OSDMAP_NEARFULL (1<<0)  /* sync writes (near ENOSPC),
++                                      not set since ~luminous */
++#define CEPH_OSDMAP_FULL     (1<<1)  /* no data writes (ENOSPC),
++                                      not set since ~luminous */
+ #define CEPH_OSDMAP_PAUSERD  (1<<2)  /* pause all reads */
+ #define CEPH_OSDMAP_PAUSEWR  (1<<3)  /* pause all writes */
+ #define CEPH_OSDMAP_PAUSEREC (1<<4)  /* pause recovery */
+--- a/net/ceph/osdmap.c
++++ b/net/ceph/osdmap.c
+@@ -710,6 +710,15 @@ int ceph_pg_poolid_by_name(struct ceph_o
+ }
+ EXPORT_SYMBOL(ceph_pg_poolid_by_name);
++u64 ceph_pg_pool_flags(struct ceph_osdmap *map, u64 id)
++{
++      struct ceph_pg_pool_info *pi;
++
++      pi = __lookup_pg_pool(&map->pg_pools, id);
++      return pi ? pi->flags : 0;
++}
++EXPORT_SYMBOL(ceph_pg_pool_flags);
++
+ static void __remove_pg_pool(struct rb_root *root, struct ceph_pg_pool_info *pi)
+ {
+       rb_erase(&pi->node, root);
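Review bot: `ceph_pg_pool_flags()` is exported without a comment stating its locking requirement or what it returns when the pool is not found. It walks `map->pg_pools` through `__lookup_pg_pool()`, and the only caller shown, in ceph_write_iter(), holds `osdc->lock` for read around the call, so the requirement looks real but is only implied. It also returns 0 when the pool id is absent, which the write path then treats as neither full nor nearfull. I would add `/* Caller must hold osdc->lock. Returns 0 (no flags) if the pool is not in the map. */` above the definition in net/ceph/osdmap.c.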
diff --git a/queue-5.4/ceph-fix-memory-leak-in-ceph_cleanup_snapid_map.patch b/queue-5.4/ceph-fix-memory-leak-in-ceph_cleanup_snapid_map.patch
new file mode 100644 (file)
index 0000000..87ec64f
--- /dev/null
@@ -0,0 +1,50 @@
+From c8d6ee01449cd0d2f30410681cccb616a88f50b1 Mon Sep 17 00:00:00 2001
+From: Luis Henriques <lhenriques@suse.com>
+Date: Thu, 19 Mar 2020 11:43:48 +0000
+Subject: ceph: fix memory leak in ceph_cleanup_snapid_map()
+
+From: Luis Henriques <lhenriques@suse.com>
+
+commit c8d6ee01449cd0d2f30410681cccb616a88f50b1 upstream.
+
+kmemleak reports the following memory leak:
+
+unreferenced object 0xffff88821feac8a0 (size 96):
+  comm "kworker/1:0", pid 17, jiffies 4294896362 (age 20.512s)
+  hex dump (first 32 bytes):
+    a0 c8 ea 1f 82 88 ff ff 00 c9 ea 1f 82 88 ff ff  ................
+    00 00 00 00 00 00 00 00 00 01 00 00 00 00 ad de  ................
+  backtrace:
+    [<00000000b3ea77fb>] ceph_get_snapid_map+0x75/0x2a0
+    [<00000000d4060942>] fill_inode+0xb26/0x1010
+    [<0000000049da6206>] ceph_readdir_prepopulate+0x389/0xc40
+    [<00000000e2fe2549>] dispatch+0x11ab/0x1521
+    [<000000007700b894>] ceph_con_workfn+0xf3d/0x3240
+    [<0000000039138a41>] process_one_work+0x24d/0x590
+    [<00000000eb751f34>] worker_thread+0x4a/0x3d0
+    [<000000007e8f0d42>] kthread+0xfb/0x130
+    [<00000000d49bd1fa>] ret_from_fork+0x3a/0x50
+
+A kfree is missing while looping the 'to_free' list of ceph_snapid_map
+objects.
+
+Cc: stable@vger.kernel.org
+Fixes: 75c9627efb72 ("ceph: map snapid to anonymous bdev ID")
+Signed-off-by: Luis Henriques <lhenriques@suse.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ceph/snap.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ceph/snap.c
++++ b/fs/ceph/snap.c
+@@ -1155,5 +1155,6 @@ void ceph_cleanup_snapid_map(struct ceph
+                       pr_err("snapid map %llx -> %x still in use\n",
+                              sm->snap, sm->dev);
+               }
++              kfree(sm);
+       }
+ }
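Review bot: The new `kfree(sm);` sits after the closing brace of the branch that prints "snapid map ... still in use", so the entry is freed on that branch as well. The condition guarding that message is outside the hunk; if it means a reference is still outstanding, whoever holds it is left with a dangling pointer. If freeing is safe here because nothing can reach the map once cleanup runs, a one-line comment above the `kfree()` should say so. Otherwise the free should be skipped on that branch.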
diff --git a/queue-5.4/drivers-base-memory.c-indicate-all-memory-blocks-as-removable.patch b/queue-5.4/drivers-base-memory.c-indicate-all-memory-blocks-as-removable.patch
new file mode 100644 (file)
index 0000000..e074598
--- /dev/null
@@ -0,0 +1,141 @@
+From 53cdc1cb29e87ce5a61de5bb393eb08925d14ede Mon Sep 17 00:00:00 2001
+From: David Hildenbrand <david@redhat.com>
+Date: Sat, 28 Mar 2020 19:17:19 -0700
+Subject: drivers/base/memory.c: indicate all memory blocks as removable
+
+From: David Hildenbrand <david@redhat.com>
+
+commit 53cdc1cb29e87ce5a61de5bb393eb08925d14ede upstream.
+
+We see multiple issues with the implementation/interface to compute
+whether a memory block can be offlined (exposed via
+/sys/devices/system/memory/memoryX/removable) and would like to simplify
+it (remove the implementation).
+
+1. It runs basically lockless. While this might be good for performance,
+   we see possible races with memory offlining that will require at
+   least some sort of locking to fix.
+
+2. Nowadays, more false positives are possible. No arch-specific checks
+   are performed that validate if memory offlining will not be denied
+   right away (and such check will require locking). For example, arm64
+   won't allow to offline any memory block that was added during boot -
+   which will imply a very high error rate. Other archs have other
+   constraints.
+
+3. The interface is inherently racy. E.g., if a memory block is detected
+   to be removable (and was not a false positive at that time), there is
+   still no guarantee that offlining will actually succeed. So any
+   caller already has to deal with false positives.
+
+4. It is unclear which performance benefit this interface actually
+   provides. The introducing commit 5c755e9fd813 ("memory-hotplug: add
+   sysfs removable attribute for hotplug memory remove") mentioned
+
+       "A user-level agent must be able to identify which sections
+        of memory are likely to be removable before attempting the
+        potentially expensive operation."
+
+   However, no actual performance comparison was included.
+
+Known users:
+
+ - lsmem: Will group memory blocks based on the "removable" property. [1]
+
+ - chmem: Indirect user. It has a RANGE mode where one can specify
+          removable ranges identified via lsmem to be offlined. However,
+          it also has a "SIZE" mode, which allows a sysadmin to skip the
+          manual "identify removable blocks" step. [2]
+
+ - powerpc-utils: Uses the "removable" attribute to skip some memory
+          blocks right away when trying to find some to offline+remove.
+          However, with ballooning enabled, it already skips this
+          information completely (because it once resulted in many false
+          negatives). Therefore, the implementation can deal with false
+          positives properly already. [3]
+
+According to Nathan Fontenot, DLPAR on powerpc is nowadays no longer
+driven from userspace via the drmgr command (powerpc-utils).  Nowadays
+it's managed in the kernel - including onlining/offlining of memory
+blocks - triggered by drmgr writing to /sys/kernel/dlpar.  So the
+affected legacy userspace handling is only active on old kernels.  Only
+very old versions of drmgr on a new kernel (unlikely) might execute
+slower - totally acceptable.
+
+With CONFIG_MEMORY_HOTREMOVE, always indicating "removable" should not
+break any user space tool.  We implement a very bad heuristic now.
+Without CONFIG_MEMORY_HOTREMOVE we cannot offline anything, so report
+"not removable" as before.
+
+Original discussion can be found in [4] ("[PATCH RFC v1] mm:
+is_mem_section_removable() overhaul").
+
+Other users of is_mem_section_removable() will be removed next, so that
+we can remove is_mem_section_removable() completely.
+
+[1] http://man7.org/linux/man-pages/man1/lsmem.1.html
+[2] http://man7.org/linux/man-pages/man8/chmem.8.html
+[3] https://github.com/ibm-power-utilities/powerpc-utils
+[4] https://lkml.kernel.org/r/20200117105759.27905-1-david@redhat.com
+
+Also, this patch probably fixes a crash reported by Steve.
+http://lkml.kernel.org/r/CAPcyv4jpdaNvJ67SkjyUJLBnBnXXQv686BiVW042g03FUmWLXw@mail.gmail.com
+
+Reported-by: "Scargall, Steve" <steve.scargall@intel.com>
+Suggested-by: Michal Hocko <mhocko@kernel.org>
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Nathan Fontenot <ndfont@gmail.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: "Rafael J. Wysocki" <rafael@kernel.org>
+Cc: Badari Pulavarty <pbadari@us.ibm.com>
+Cc: Robert Jennings <rcj@linux.vnet.ibm.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Karel Zak <kzak@redhat.com>
+Cc: <stable@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20200128093542.6908-1-david@redhat.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/memory.c |   23 +++--------------------
+ 1 file changed, 3 insertions(+), 20 deletions(-)
+
+--- a/drivers/base/memory.c
++++ b/drivers/base/memory.c
+@@ -114,30 +114,13 @@ static ssize_t phys_index_show(struct de
+ }
+ /*
+- * Show whether the memory block is likely to be offlineable (or is already
+- * offline). Once offline, the memory block could be removed. The return
+- * value does, however, not indicate that there is a way to remove the
+- * memory block.
++ * Legacy interface that we cannot remove. Always indicate "removable"
++ * with CONFIG_MEMORY_HOTREMOVE - bad heuristic.
+  */
+ static ssize_t removable_show(struct device *dev, struct device_attribute *attr,
+                             char *buf)
+ {
+-      struct memory_block *mem = to_memory_block(dev);
+-      unsigned long pfn;
+-      int ret = 1, i;
+-
+-      if (mem->state != MEM_ONLINE)
+-              goto out;
+-
+-      for (i = 0; i < sections_per_block; i++) {
+-              if (!present_section_nr(mem->start_section_nr + i))
+-                      continue;
+-              pfn = section_nr_to_pfn(mem->start_section_nr + i);
+-              ret &= is_mem_section_removable(pfn, PAGES_PER_SECTION);
+-      }
+-
+-out:
+-      return sprintf(buf, "%d\n", ret);
++      return sprintf(buf, "%d\n", (int)IS_ENABLED(CONFIG_MEMORY_HOTREMOVE));
+ }
+ /*
diff --git a/queue-5.4/gpiolib-fix-irq_disable-semantics.patch b/queue-5.4/gpiolib-fix-irq_disable-semantics.patch
new file mode 100644 (file)
index 0000000..113f5a2
--- /dev/null
@@ -0,0 +1,61 @@
+From 8959b304c7062889b1276092cc8590dc1ba98f65 Mon Sep 17 00:00:00 2001
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Fri, 6 Mar 2020 14:23:26 +0100
+Subject: gpiolib: Fix irq_disable() semantics
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+commit 8959b304c7062889b1276092cc8590dc1ba98f65 upstream.
+
+The implementation if .irq_disable() which kicks in between
+the gpiolib and the driver is not properly mimicking the
+expected semantics of the irqchip core: the irqchip will
+call .irq_disable() if that exists, else it will call
+mask_irq() which first checks if .irq_mask() is defined
+before calling it.
+
+Since we are calling it unconditionally, we get this bug
+from drivers/pinctrl/qcom/pinctrl-ssbi-gpio.c, as it only
+defines .irq_mask_ack and not .irq_mask:
+
+  Unable to handle kernel NULL pointer dereference at virtual address 00000000
+  pgd = (ptrval)
+  (...)
+  PC is at 0x0
+  LR is at gpiochip_irq_disable+0x20/0x30
+
+Fix this by only calling .irq_mask() if it exists.
+
+Cc: Brian Masney <masneyb@onstation.org>
+Cc: Hans Verkuil <hans.verkuil@cisco.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Fixes: 461c1a7d4733 ("gpiolib: override irq_enable/disable")
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/20200306132326.1329640-1-linus.walleij@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpiolib.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -2194,9 +2194,16 @@ static void gpiochip_irq_disable(struct
+ {
+       struct gpio_chip *chip = irq_data_get_irq_chip_data(d);
++      /*
++       * Since we override .irq_disable() we need to mimic the
++       * behaviour of __irq_disable() in irq/chip.c.
++       * First call .irq_disable() if it exists, else mimic the
++       * behaviour of mask_irq() which calls .irq_mask() if
++       * it exists.
++       */
+       if (chip->irq.irq_disable)
+               chip->irq.irq_disable(d);
+-      else
++      else if (chip->irq.chip->irq_mask)
+               chip->irq.chip->irq_mask(d);
+       gpiochip_disable_irq(chip, d->hwirq);
+ }
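Review bot: The guard added to the `else` branch of gpiochip_irq_disable() covers only the disable side. The Fixes tag names a commit that overrides both irq_enable and irq_disable, and the enable counterpart is not in this hunk. If it falls back to `chip->irq.chip->irq_unmask(d)` unconditionally, an irqchip without `.irq_unmask` would hit the same NULL call. Worth confirming and, if so, mirroring the check there as `else if (chip->irq.chip->irq_unmask)`.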
diff --git a/queue-5.4/mac80211-check-port-authorization-in-the-ieee80211_tx_dequeue-case.patch b/queue-5.4/mac80211-check-port-authorization-in-the-ieee80211_tx_dequeue-case.patch
new file mode 100644 (file)
index 0000000..2285bdf
--- /dev/null
@@ -0,0 +1,56 @@
+From ce2e1ca703071723ca2dd94d492a5ab6d15050da Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Thu, 26 Mar 2020 15:51:34 +0100
+Subject: mac80211: Check port authorization in the ieee80211_tx_dequeue() case
+
+From: Jouni Malinen <jouni@codeaurora.org>
+
+commit ce2e1ca703071723ca2dd94d492a5ab6d15050da upstream.
+
+mac80211 used to check port authorization in the Data frame enqueue case
+when going through start_xmit(). However, that authorization status may
+change while the frame is waiting in a queue. Add a similar check in the
+dequeue case to avoid sending previously accepted frames after
+authorization change. This provides additional protection against
+potential leaking of frames after a station has been disconnected and
+the keys for it are being removed.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Link: https://lore.kernel.org/r/20200326155133.ced84317ea29.I34d4c47cd8cc8a4042b38a76f16a601fbcbfd9b3@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/tx.c |   19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3596,8 +3596,25 @@ begin:
+       tx.skb = skb;
+       tx.sdata = vif_to_sdata(info->control.vif);
+-      if (txq->sta)
++      if (txq->sta) {
+               tx.sta = container_of(txq->sta, struct sta_info, sta);
++              /*
++               * Drop unicast frames to unauthorised stations unless they are
++               * EAPOL frames from the local station.
++               */
++              if (unlikely(!ieee80211_vif_is_mesh(&tx.sdata->vif) &&
++                           tx.sdata->vif.type != NL80211_IFTYPE_OCB &&
++                           !is_multicast_ether_addr(hdr->addr1) &&
++                           !test_sta_flag(tx.sta, WLAN_STA_AUTHORIZED) &&
++                           (!(info->control.flags &
++                              IEEE80211_TX_CTRL_PORT_CTRL_PROTO) ||
++                            !ether_addr_equal(tx.sdata->vif.addr,
++                                              hdr->addr2)))) {
++                      I802_DEBUG_INC(local->tx_handlers_drop_unauth_port);
++                      ieee80211_free_txskb(&local->hw, skb);
++                      goto begin;
++              }
++      }
+       /*
+        * The key can be removed while the packet was queued, so need to call
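Review bot: The new drop condition under `if (txq->sta)` does not test the frame type, although the commit text describes it as the counterpart of the Data frame check on enqueue. Any unicast frame to a station without WLAN_STA_AUTHORIZED is freed unless it carries IEEE80211_TX_CTRL_PORT_CTRL_PROTO and the local source address. On drivers that also pass management frames through this dequeue path, authentication and association frames would presumably be dropped before the station can become authorized. I would add `ieee80211_is_data(hdr->frame_control) &&` as the first term inside `unlikely(...)`. The assignment of `hdr` and the rest of the function are outside the hunk.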
diff --git a/queue-5.4/mac80211-drop-data-frames-without-key-on-encrypted-links.patch b/queue-5.4/mac80211-drop-data-frames-without-key-on-encrypted-links.patch
new file mode 100644 (file)
index 0000000..2d51b52
--- /dev/null
@@ -0,0 +1,156 @@
+From a0761a301746ec2d92d7fcb82af69c0a6a4339aa Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Thu, 26 Mar 2020 15:09:42 +0200
+Subject: mac80211: drop data frames without key on encrypted links
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit a0761a301746ec2d92d7fcb82af69c0a6a4339aa upstream.
+
+If we know that we have an encrypted link (based on having had
+a key configured for TX in the past) then drop all data frames
+in the key selection handler if there's no key anymore.
+
+This fixes an issue with mac80211 internal TXQs - there we can
+buffer frames for an encrypted link, but then if the key is no
+longer there when they're dequeued, the frames are sent without
+encryption. This happens if a station is disconnected while the
+frames are still on the TXQ.
+
+Detecting that a link should be encrypted based on a first key
+having been configured for TX is fine as there are no use cases
+for a connection going from with encryption to no encryption.
+With extended key IDs, however, there is a case of having a key
+configured for only decryption, so we can't just trigger this
+behaviour on a key being configured.
+
+Cc: stable@vger.kernel.org
+Reported-by: Jouni Malinen <j@w1.fi>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20200326150855.6865c7f28a14.I9fb1d911b064262d33e33dfba730cdeef83926ca@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/debugfs_sta.c |    3 ++-
+ net/mac80211/key.c         |   20 ++++++++++++--------
+ net/mac80211/sta_info.h    |    1 +
+ net/mac80211/tx.c          |   12 +++++++++---
+ 4 files changed, 24 insertions(+), 12 deletions(-)
+
+--- a/net/mac80211/debugfs_sta.c
++++ b/net/mac80211/debugfs_sta.c
+@@ -5,7 +5,7 @@
+  * Copyright 2007     Johannes Berg <johannes@sipsolutions.net>
+  * Copyright 2013-2014  Intel Mobile Communications GmbH
+  * Copyright(c) 2016 Intel Deutschland GmbH
+- * Copyright (C) 2018 - 2019 Intel Corporation
++ * Copyright (C) 2018 - 2020 Intel Corporation
+  */
+ #include <linux/debugfs.h>
+@@ -78,6 +78,7 @@ static const char * const sta_flag_names
+       FLAG(MPSP_OWNER),
+       FLAG(MPSP_RECIPIENT),
+       FLAG(PS_DELIVER),
++      FLAG(USES_ENCRYPTION),
+ #undef FLAG
+ };
+--- a/net/mac80211/key.c
++++ b/net/mac80211/key.c
+@@ -6,7 +6,7 @@
+  * Copyright 2007-2008        Johannes Berg <johannes@sipsolutions.net>
+  * Copyright 2013-2014  Intel Mobile Communications GmbH
+  * Copyright 2015-2017        Intel Deutschland GmbH
+- * Copyright 2018-2019  Intel Corporation
++ * Copyright 2018-2020  Intel Corporation
+  */
+ #include <linux/if_ether.h>
+@@ -262,22 +262,29 @@ static void ieee80211_key_disable_hw_acc
+                         sta ? sta->sta.addr : bcast_addr, ret);
+ }
+-int ieee80211_set_tx_key(struct ieee80211_key *key)
++static int _ieee80211_set_tx_key(struct ieee80211_key *key, bool force)
+ {
+       struct sta_info *sta = key->sta;
+       struct ieee80211_local *local = key->local;
+       assert_key_lock(local);
++      set_sta_flag(sta, WLAN_STA_USES_ENCRYPTION);
++
+       sta->ptk_idx = key->conf.keyidx;
+-      if (!ieee80211_hw_check(&local->hw, AMPDU_KEYBORDER_SUPPORT))
++      if (force || !ieee80211_hw_check(&local->hw, AMPDU_KEYBORDER_SUPPORT))
+               clear_sta_flag(sta, WLAN_STA_BLOCK_BA);
+       ieee80211_check_fast_xmit(sta);
+       return 0;
+ }
++int ieee80211_set_tx_key(struct ieee80211_key *key)
++{
++      return _ieee80211_set_tx_key(key, false);
++}
++
+ static void ieee80211_pairwise_rekey(struct ieee80211_key *old,
+                                    struct ieee80211_key *new)
+ {
+@@ -441,11 +448,8 @@ static int ieee80211_key_replace(struct
+               if (pairwise) {
+                       rcu_assign_pointer(sta->ptk[idx], new);
+                       if (new &&
+-                          !(new->conf.flags & IEEE80211_KEY_FLAG_NO_AUTO_TX)) {
+-                              sta->ptk_idx = idx;
+-                              clear_sta_flag(sta, WLAN_STA_BLOCK_BA);
+-                              ieee80211_check_fast_xmit(sta);
+-                      }
++                          !(new->conf.flags & IEEE80211_KEY_FLAG_NO_AUTO_TX))
++                              _ieee80211_set_tx_key(new, true);
+               } else {
+                       rcu_assign_pointer(sta->gtk[idx], new);
+               }
+--- a/net/mac80211/sta_info.h
++++ b/net/mac80211/sta_info.h
+@@ -98,6 +98,7 @@ enum ieee80211_sta_info_flags {
+       WLAN_STA_MPSP_OWNER,
+       WLAN_STA_MPSP_RECIPIENT,
+       WLAN_STA_PS_DELIVER,
++      WLAN_STA_USES_ENCRYPTION,
+       NUM_WLAN_STA_FLAGS,
+ };
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -590,10 +590,13 @@ ieee80211_tx_h_select_key(struct ieee802
+       struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx->skb);
+       struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)tx->skb->data;
+-      if (unlikely(info->flags & IEEE80211_TX_INTFL_DONT_ENCRYPT))
++      if (unlikely(info->flags & IEEE80211_TX_INTFL_DONT_ENCRYPT)) {
+               tx->key = NULL;
+-      else if (tx->sta &&
+-               (key = rcu_dereference(tx->sta->ptk[tx->sta->ptk_idx])))
++              return TX_CONTINUE;
++      }
++
++      if (tx->sta &&
++          (key = rcu_dereference(tx->sta->ptk[tx->sta->ptk_idx])))
+               tx->key = key;
+       else if (ieee80211_is_group_privacy_action(tx->skb) &&
+               (key = rcu_dereference(tx->sdata->default_multicast_key)))
+@@ -654,6 +657,9 @@ ieee80211_tx_h_select_key(struct ieee802
+               if (!skip_hw && tx->key &&
+                   tx->key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE)
+                       info->control.hw_key = &tx->key->conf;
++      } else if (!ieee80211_is_mgmt(hdr->frame_control) && tx->sta &&
++                 test_sta_flag(tx->sta, WLAN_STA_USES_ENCRYPTION)) {
++              return TX_DROP;
+       }
+       return TX_CONTINUE;
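Review bot: `_ieee80211_set_tx_key()` gains a `force` parameter with no comment, and the call from ieee80211_key_replace() is not a pure refactor of the lines it replaces. The removed lines used the local `sta` and `idx`; the helper takes `key->sta` and `key->conf.keyidx`, asserts the key lock, and now also sets WLAN_STA_USES_ENCRYPTION. It therefore relies on `new->sta` being assigned before the replace path runs, which the hunk does not show. Because that flag later decides whether keyless data frames are dropped in ieee80211_tx_h_select_key(), I would document the contract above the helper: `/* force: clear WLAN_STA_BLOCK_BA regardless of AMPDU_KEYBORDER_SUPPORT; key->sta must be set */`.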
diff --git a/queue-5.4/mac80211-mark-station-unauthorized-before-key-removal.patch b/queue-5.4/mac80211-mark-station-unauthorized-before-key-removal.patch
new file mode 100644 (file)
index 0000000..6cef71d
--- /dev/null
@@ -0,0 +1,46 @@
+From b16798f5b907733966fd1a558fca823b3c67e4a1 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Thu, 26 Mar 2020 15:51:35 +0100
+Subject: mac80211: mark station unauthorized before key removal
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit b16798f5b907733966fd1a558fca823b3c67e4a1 upstream.
+
+If a station is still marked as authorized, mark it as no longer
+so before removing its keys. This allows frames transmitted to it
+to be rejected, providing additional protection against leaking
+plain text data during the disconnection flow.
+
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20200326155133.ccb4fb0bb356.If48f0f0504efdcf16b8921f48c6d3bb2cb763c99@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/sta_info.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -4,7 +4,7 @@
+  * Copyright 2006-2007        Jiri Benc <jbenc@suse.cz>
+  * Copyright 2013-2014  Intel Mobile Communications GmbH
+  * Copyright (C) 2015 - 2017 Intel Deutschland GmbH
+- * Copyright (C) 2018-2019 Intel Corporation
++ * Copyright (C) 2018-2020 Intel Corporation
+  */
+ #include <linux/module.h>
+@@ -1032,6 +1032,11 @@ static void __sta_info_destroy_part2(str
+       might_sleep();
+       lockdep_assert_held(&local->sta_mtx);
++      while (sta->sta_state == IEEE80211_STA_AUTHORIZED) {
++              ret = sta_info_move_state(sta, IEEE80211_STA_ASSOC);
++              WARN_ON_ONCE(ret);
++      }
++
+       /* now keys can no longer be reached */
+       ieee80211_free_sta_keys(local, sta);
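Review bot: The new `while` loop in `__sta_info_destroy_part2()` has no exit on failure: if `sta_info_move_state()` returns an error and leaves `sta_state` at `IEEE80211_STA_AUTHORIZED` (its body is not visible here), the loop spins with `sta_mtx` held. Breaking out on error keeps the warning and bounds the loop: `if (WARN_ON_ONCE(ret)) break;`. A short comment such as `/* deauthorize first so frames sent during teardown are rejected rather than transmitted without a key */` would record why this must come before `ieee80211_free_sta_keys()`. The function starts and ends outside the hunk, so the declaration of `ret` is not visible.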
diff --git a/queue-5.4/mm-sparse-fix-kernel-crash-with-pfn_section_valid-check.patch b/queue-5.4/mm-sparse-fix-kernel-crash-with-pfn_section_valid-check.patch
new file mode 100644 (file)
index 0000000..1ede33a
--- /dev/null
@@ -0,0 +1,126 @@
+From b943f045a9af9fd02f923e43fe8d7517e9961701 Mon Sep 17 00:00:00 2001
+From: "Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com>
+Date: Sat, 28 Mar 2020 19:17:29 -0700
+Subject: mm/sparse: fix kernel crash with pfn_section_valid check
+
+From: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+
+commit b943f045a9af9fd02f923e43fe8d7517e9961701 upstream.
+
+Fix the crash like this:
+
+    BUG: Kernel NULL pointer dereference on read at 0x00000000
+    Faulting instruction address: 0xc000000000c3447c
+    Oops: Kernel access of bad area, sig: 11 [#1]
+    LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
+    CPU: 11 PID: 7519 Comm: lt-ndctl Not tainted 5.6.0-rc7-autotest #1
+    ...
+    NIP [c000000000c3447c] vmemmap_populated+0x98/0xc0
+    LR [c000000000088354] vmemmap_free+0x144/0x320
+    Call Trace:
+       section_deactivate+0x220/0x240
+       __remove_pages+0x118/0x170
+       arch_remove_memory+0x3c/0x150
+       memunmap_pages+0x1cc/0x2f0
+       devm_action_release+0x30/0x50
+       release_nodes+0x2f8/0x3e0
+       device_release_driver_internal+0x168/0x270
+       unbind_store+0x130/0x170
+       drv_attr_store+0x44/0x60
+       sysfs_kf_write+0x68/0x80
+       kernfs_fop_write+0x100/0x290
+       __vfs_write+0x3c/0x70
+       vfs_write+0xcc/0x240
+       ksys_write+0x7c/0x140
+       system_call+0x5c/0x68
+
+The crash is due to NULL dereference at
+
+       test_bit(idx, ms->usage->subsection_map);
+
+due to ms->usage = NULL in pfn_section_valid()
+
+With commit d41e2f3bd546 ("mm/hotplug: fix hot remove failure in
+SPARSEMEM|!VMEMMAP case") section_mem_map is set to NULL after
+depopulate_section_mem().  This was done so that pfn_page() can work
+correctly with kernel config that disables SPARSEMEM_VMEMMAP.  With that
+config pfn_to_page does
+
+       __section_mem_map_addr(__sec) + __pfn;
+
+where
+
+  static inline struct page *__section_mem_map_addr(struct mem_section *section)
+  {
+       unsigned long map = section->section_mem_map;
+       map &= SECTION_MAP_MASK;
+       return (struct page *)map;
+  }
+
+Now with SPASEMEM_VMEMAP enabled, mem_section->usage->subsection_map is
+used to check the pfn validity (pfn_valid()).  Since section_deactivate
+release mem_section->usage if a section is fully deactivated,
+pfn_valid() check after a subsection_deactivate cause a kernel crash.
+
+  static inline int pfn_valid(unsigned long pfn)
+  {
+  ...
+       return early_section(ms) || pfn_section_valid(ms, pfn);
+  }
+
+where
+
+  static inline int pfn_section_valid(struct mem_section *ms, unsigned long pfn)
+  {
+       int idx = subsection_map_index(pfn);
+
+       return test_bit(idx, ms->usage->subsection_map);
+  }
+
+Avoid this by clearing SECTION_HAS_MEM_MAP when mem_section->usage is
+freed.  For architectures like ppc64 where large pages are used for
+vmmemap mapping (16MB), a specific vmemmap mapping can cover multiple
+sections.  Hence before a vmemmap mapping page can be freed, the kernel
+needs to make sure there are no valid sections within that mapping.
+Clearing the section valid bit before depopulate_section_memap enables
+this.
+
+[aneesh.kumar@linux.ibm.com: add comment]
+  Link: http://lkml.kernel.org/r/20200326133235.343616-1-aneesh.kumar@linux.ibm.comLink: http://lkml.kernel.org/r/20200325031914.107660-1-aneesh.kumar@linux.ibm.com
+Fixes: d41e2f3bd546 ("mm/hotplug: fix hot remove failure in SPARSEMEM|!VMEMMAP case")
+Reported-by: Sachin Sant <sachinp@linux.vnet.ibm.com>
+Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Tested-by: Sachin Sant <sachinp@linux.vnet.ibm.com>
+Reviewed-by: Baoquan He <bhe@redhat.com>
+Reviewed-by: Wei Yang <richard.weiyang@gmail.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Acked-by: Pankaj Gupta <pankaj.gupta.linux@gmail.com>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: David Hildenbrand <david@redhat.com>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: Mike Rapoport <rppt@linux.ibm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/sparse.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/mm/sparse.c
++++ b/mm/sparse.c
+@@ -789,6 +789,12 @@ static void section_deactivate(unsigned
+                       ms->usage = NULL;
+               }
+               memmap = sparse_decode_mem_map(ms->section_mem_map, section_nr);
++              /*
++               * Mark the section invalid so that valid_section()
++               * return false. This prevents code from dereferencing
++               * ms->usage array.
++               */
++              ms->section_mem_map &= ~SECTION_HAS_MEM_MAP;
+       }
+       if (section_is_early && memmap)
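Review bot: `SECTION_HAS_MEM_MAP` is cleared only after `ms->usage = NULL` a few lines above, so between those two stores a lockless `pfn_valid()` caller would still pass the section-valid test and reach `ms->usage->subsection_map`, the dereference this patch is meant to prevent. Whether such readers are excluded while `section_deactivate()` runs is not visible in the hunk. If they are not, clear the flag first by moving `ms->section_mem_map &= ~SECTION_HAS_MEM_MAP;` ahead of the code that releases and NULLs `ms->usage`. The enclosing `if` block and the function both start outside the hunk.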
diff --git a/queue-5.4/mm-swapfile.c-move-inode_lock-out-of-claim_swapfile.patch b/queue-5.4/mm-swapfile.c-move-inode_lock-out-of-claim_swapfile.patch
new file mode 100644 (file)
index 0000000..075c4dc
--- /dev/null
@@ -0,0 +1,202 @@
+From d795a90e2ba024dbf2f22107ae89c210b98b08b8 Mon Sep 17 00:00:00 2001
+From: Naohiro Aota <naohiro.aota@wdc.com>
+Date: Sat, 28 Mar 2020 19:17:15 -0700
+Subject: mm/swapfile.c: move inode_lock out of claim_swapfile
+
+From: Naohiro Aota <naohiro.aota@wdc.com>
+
+commit d795a90e2ba024dbf2f22107ae89c210b98b08b8 upstream.
+
+claim_swapfile() currently keeps the inode locked when it is successful,
+or the file is already swapfile (with -EBUSY).  And, on the other error
+cases, it does not lock the inode.
+
+This inconsistency of the lock state and return value is quite confusing
+and actually causing a bad unlock balance as below in the "bad_swap"
+section of __do_sys_swapon().
+
+This commit fixes this issue by moving the inode_lock() and IS_SWAPFILE
+check out of claim_swapfile().  The inode is unlocked in
+"bad_swap_unlock_inode" section, so that the inode is ensured to be
+unlocked at "bad_swap".  Thus, error handling codes after the locking now
+jumps to "bad_swap_unlock_inode" instead of "bad_swap".
+
+    =====================================
+    WARNING: bad unlock balance detected!
+    5.5.0-rc7+ #176 Not tainted
+    -------------------------------------
+    swapon/4294 is trying to release lock (&sb->s_type->i_mutex_key) at: __do_sys_swapon+0x94b/0x3550
+    but there are no more locks to release!
+
+    other info that might help us debug this:
+    no locks held by swapon/4294.
+
+    stack backtrace:
+    CPU: 5 PID: 4294 Comm: swapon Not tainted 5.5.0-rc7-BTRFS-ZNS+ #176
+    Hardware name: ASUS All Series/H87-PRO, BIOS 2102 07/29/2014
+    Call Trace:
+     dump_stack+0xa1/0xea
+     print_unlock_imbalance_bug.cold+0x114/0x123
+     lock_release+0x562/0xed0
+     up_write+0x2d/0x490
+     __do_sys_swapon+0x94b/0x3550
+     __x64_sys_swapon+0x54/0x80
+     do_syscall_64+0xa4/0x4b0
+     entry_SYSCALL_64_after_hwframe+0x49/0xbe
+    RIP: 0033:0x7f15da0a0dc7
+
+Fixes: 1638045c3677 ("mm: set S_SWAPFILE on blockdev swap devices")
+Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Tested-by: Qais Youef <qais.yousef@arm.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Cc: Christoph Hellwig <hch@infradead.org>
+Cc: <stable@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20200206090132.154869-1-naohiro.aota@wdc.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/swapfile.c |   39 +++++++++++++++++++--------------------
+ 1 file changed, 19 insertions(+), 20 deletions(-)
+
+--- a/mm/swapfile.c
++++ b/mm/swapfile.c
+@@ -2892,10 +2892,6 @@ static int claim_swapfile(struct swap_in
+               p->bdev = inode->i_sb->s_bdev;
+       }
+-      inode_lock(inode);
+-      if (IS_SWAPFILE(inode))
+-              return -EBUSY;
+-
+       return 0;
+ }
+@@ -3150,17 +3146,22 @@ SYSCALL_DEFINE2(swapon, const char __use
+       mapping = swap_file->f_mapping;
+       inode = mapping->host;
+-      /* If S_ISREG(inode->i_mode) will do inode_lock(inode); */
+       error = claim_swapfile(p, inode);
+       if (unlikely(error))
+               goto bad_swap;
++      inode_lock(inode);
++      if (IS_SWAPFILE(inode)) {
++              error = -EBUSY;
++              goto bad_swap_unlock_inode;
++      }
++
+       /*
+        * Read the swap header.
+        */
+       if (!mapping->a_ops->readpage) {
+               error = -EINVAL;
+-              goto bad_swap;
++              goto bad_swap_unlock_inode;
+       }
+       page = read_mapping_page(mapping, 0, swap_file);
+       if (IS_ERR(page)) {
+@@ -3172,14 +3173,14 @@ SYSCALL_DEFINE2(swapon, const char __use
+       maxpages = read_swap_header(p, swap_header, inode);
+       if (unlikely(!maxpages)) {
+               error = -EINVAL;
+-              goto bad_swap;
++              goto bad_swap_unlock_inode;
+       }
+       /* OK, set up the swap map and apply the bad block list */
+       swap_map = vzalloc(maxpages);
+       if (!swap_map) {
+               error = -ENOMEM;
+-              goto bad_swap;
++              goto bad_swap_unlock_inode;
+       }
+       if (bdi_cap_stable_pages_required(inode_to_bdi(inode)))
+@@ -3204,7 +3205,7 @@ SYSCALL_DEFINE2(swapon, const char __use
+                                       GFP_KERNEL);
+               if (!cluster_info) {
+                       error = -ENOMEM;
+-                      goto bad_swap;
++                      goto bad_swap_unlock_inode;
+               }
+               for (ci = 0; ci < nr_cluster; ci++)
+@@ -3213,7 +3214,7 @@ SYSCALL_DEFINE2(swapon, const char __use
+               p->percpu_cluster = alloc_percpu(struct percpu_cluster);
+               if (!p->percpu_cluster) {
+                       error = -ENOMEM;
+-                      goto bad_swap;
++                      goto bad_swap_unlock_inode;
+               }
+               for_each_possible_cpu(cpu) {
+                       struct percpu_cluster *cluster;
+@@ -3227,13 +3228,13 @@ SYSCALL_DEFINE2(swapon, const char __use
+       error = swap_cgroup_swapon(p->type, maxpages);
+       if (error)
+-              goto bad_swap;
++              goto bad_swap_unlock_inode;
+       nr_extents = setup_swap_map_and_extents(p, swap_header, swap_map,
+               cluster_info, maxpages, &span);
+       if (unlikely(nr_extents < 0)) {
+               error = nr_extents;
+-              goto bad_swap;
++              goto bad_swap_unlock_inode;
+       }
+       /* frontswap enabled? set up bit-per-page map for frontswap */
+       if (IS_ENABLED(CONFIG_FRONTSWAP))
+@@ -3273,7 +3274,7 @@ SYSCALL_DEFINE2(swapon, const char __use
+       error = init_swap_address_space(p->type, maxpages);
+       if (error)
+-              goto bad_swap;
++              goto bad_swap_unlock_inode;
+       /*
+        * Flush any pending IO and dirty mappings before we start using this
+@@ -3283,7 +3284,7 @@ SYSCALL_DEFINE2(swapon, const char __use
+       error = inode_drain_writes(inode);
+       if (error) {
+               inode->i_flags &= ~S_SWAPFILE;
+-              goto bad_swap;
++              goto bad_swap_unlock_inode;
+       }
+       mutex_lock(&swapon_mutex);
+@@ -3308,6 +3309,8 @@ SYSCALL_DEFINE2(swapon, const char __use
+       error = 0;
+       goto out;
++bad_swap_unlock_inode:
++      inode_unlock(inode);
+ bad_swap:
+       free_percpu(p->percpu_cluster);
+       p->percpu_cluster = NULL;
+@@ -3315,6 +3318,7 @@ bad_swap:
+               set_blocksize(p->bdev, p->old_block_size);
+               blkdev_put(p->bdev, FMODE_READ | FMODE_WRITE | FMODE_EXCL);
+       }
++      inode = NULL;
+       destroy_swap_extents(p);
+       swap_cgroup_swapoff(p->type);
+       spin_lock(&swap_lock);
+@@ -3326,13 +3330,8 @@ bad_swap:
+       kvfree(frontswap_map);
+       if (inced_nr_rotate_swap)
+               atomic_dec(&nr_rotate_swap);
+-      if (swap_file) {
+-              if (inode) {
+-                      inode_unlock(inode);
+-                      inode = NULL;
+-              }
++      if (swap_file)
+               filp_close(swap_file, NULL);
+-      }
+ out:
+       if (page && !IS_ERR(page)) {
+               kunmap(page);
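Review bot: The `IS_ERR(page)` branch after `read_mapping_page()` now runs with the inode locked, but it is not among the changed lines. Its body falls between two hunks and is not visible; if it still ends in `goto bad_swap;`, that path sets `inode = NULL` and leaves swapon with the inode lock held. Every other failure after `inode_lock(inode)` was switched, so this one should read `goto bad_swap_unlock_inode;` as well. A comment at the new label, `/* every failure after inode_lock() must come here; bad_swap is only for failures before the lock is taken */`, would make the rule explicit for later changes.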
diff --git a/queue-5.4/nl80211-fix-nl80211_attr_channel_width-attribute-type.patch b/queue-5.4/nl80211-fix-nl80211_attr_channel_width-attribute-type.patch
new file mode 100644 (file)
index 0000000..4813908
--- /dev/null
@@ -0,0 +1,37 @@
+From 0016d3201753b59f3ae84b868fe66c86ad256f19 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 25 Mar 2020 09:05:32 +0100
+Subject: nl80211: fix NL80211_ATTR_CHANNEL_WIDTH attribute type
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 0016d3201753b59f3ae84b868fe66c86ad256f19 upstream.
+
+The new opmode notification used this attribute with a u8, when
+it's documented as a u32 and indeed used in userspace as such,
+it just happens to work on little-endian systems since userspace
+isn't doing any strict size validation, and the u8 goes into the
+lower byte. Fix this.
+
+Cc: stable@vger.kernel.org
+Fixes: 466b9936bf93 ("cfg80211: Add support to notify station's opmode change to userspace")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Link: https://lore.kernel.org/r/20200325090531.be124f0a11c7.Iedbf4e197a85471ebd729b186d5365c0343bf7a8@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/nl80211.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -16407,7 +16407,7 @@ void cfg80211_sta_opmode_change_notify(s
+               goto nla_put_failure;
+       if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
+-          nla_put_u8(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
++          nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
+               goto nla_put_failure;
+       if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
diff --git a/queue-5.4/perf-probe-do-not-depend-on-dwfl_module_addrsym.patch b/queue-5.4/perf-probe-do-not-depend-on-dwfl_module_addrsym.patch
new file mode 100644 (file)
index 0000000..4f6d9c4
--- /dev/null
@@ -0,0 +1,63 @@
+From 1efde2754275dbd9d11c6e0132a4f09facf297ab Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Fri, 28 Feb 2020 00:42:01 +0900
+Subject: perf probe: Do not depend on dwfl_module_addrsym()
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+commit 1efde2754275dbd9d11c6e0132a4f09facf297ab upstream.
+
+Do not depend on dwfl_module_addrsym() because it can fail on user-space
+shared libraries.
+
+Actually, same bug was fixed by commit 664fee3dc379 ("perf probe: Do not
+use dwfl_module_addrsym if dwarf_diename finds symbol name"), but commit
+07d369857808 ("perf probe: Fix wrong address verification) reverted to
+get actual symbol address from symtab.
+
+This fixes it again by getting symbol address from DIE, and only if the
+DIE has only address range, it uses dwfl_module_addrsym().
+
+Fixes: 07d369857808 ("perf probe: Fix wrong address verification)
+Reported-by: Alexandre Ghiti <alex@ghiti.fr>
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Tested-by: Alexandre Ghiti <alex@ghiti.fr>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Sasha Levin <sashal@kernel.org>
+Link: http://lore.kernel.org/lkml/158281812176.476.14164573830975116234.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/util/probe-finder.c |   11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/tools/perf/util/probe-finder.c
++++ b/tools/perf/util/probe-finder.c
+@@ -615,14 +615,19 @@ static int convert_to_trace_point(Dwarf_
+               return -EINVAL;
+       }
+-      /* Try to get actual symbol name from symtab */
+-      symbol = dwfl_module_addrsym(mod, paddr, &sym, NULL);
++      if (dwarf_entrypc(sp_die, &eaddr) == 0) {
++              /* If the DIE has entrypc, use it. */
++              symbol = dwarf_diename(sp_die);
++      } else {
++              /* Try to get actual symbol name and address from symtab */
++              symbol = dwfl_module_addrsym(mod, paddr, &sym, NULL);
++              eaddr = sym.st_value;
++      }
+       if (!symbol) {
+               pr_warning("Failed to find symbol at 0x%lx\n",
+                          (unsigned long)paddr);
+               return -ENOENT;
+       }
+-      eaddr = sym.st_value;
+       tp->offset = (unsigned long)(paddr - eaddr);
+       tp->address = (unsigned long)paddr;
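Review bot: In the `else` branch, `eaddr = sym.st_value;` now runs before the `!symbol` check, so when `dwfl_module_addrsym()` returns NULL it reads a `sym` that the call may not have filled in (its initialisation is outside the hunk). The value is discarded by the `-ENOENT` return, but the read is still reported by sanitizers and is easy to avoid with `eaddr = symbol ? sym.st_value : 0;`. `convert_to_trace_point()` starts and ends outside the hunk.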
diff --git a/queue-5.4/perf-probe-fix-to-delete-multiple-probe-event.patch b/queue-5.4/perf-probe-fix-to-delete-multiple-probe-event.patch
new file mode 100644 (file)
index 0000000..21ecb8b
--- /dev/null
@@ -0,0 +1,61 @@
+From 6b8d68f1ce9266b05a55e93c62923ff51daae4c1 Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Fri, 28 Feb 2020 16:57:42 +0900
+Subject: perf probe: Fix to delete multiple probe event
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+commit 6b8d68f1ce9266b05a55e93c62923ff51daae4c1 upstream.
+
+When we put an event with multiple probes, perf-probe fails to delete
+with filters. This comes from a failure to list up the event name
+because of overwrapping its name.
+
+To fix this issue, skip to list up the event which has same name.
+
+Without this patch:
+
+  # perf probe -l \*
+    probe_perf:map__map_ip (on perf_sample__fprintf_brstackoff:21@
+    probe_perf:map__map_ip (on perf_sample__fprintf_brstackoff:25@
+    probe_perf:map__map_ip (on append_inlines:12@util/machine.c in
+    probe_perf:map__map_ip (on unwind_entry:19@util/machine.c in /
+    probe_perf:map__map_ip (on map__map_ip@util/map.h in /home/mhi
+    probe_perf:map__map_ip (on map__map_ip@util/map.h in /home/mhi
+  # perf probe -d \*
+  "*" does not hit any event.
+    Error: Failed to delete events. Reason: No such file or directory (Code: -2)
+
+With it:
+
+  # perf probe -d \*
+  Removed event: probe_perf:map__map_ip
+  #
+
+Fixes: 72363540c009 ("perf probe: Support multiprobe event")
+Reported-by: Arnaldo Carvalho de Melo <acme@kernel.org>
+Reported-by: He Zhe <zhe.he@windriver.com>
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: stable@vger.kernel.org
+Link: http://lore.kernel.org/lkml/158287666197.16697.7514373548551863562.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+diff --git a/tools/perf/util/probe-file.c b/tools/perf/util/probe-file.c
+index 0f5fda11675f..8c852948513e 100644
+--- a/tools/perf/util/probe-file.c
++++ b/tools/perf/util/probe-file.c
+@@ -206,6 +206,9 @@ static struct strlist *__probe_file__get_namelist(int fd, bool include_group)
+               } else
+                       ret = strlist__add(sl, tev.event);
+               clear_probe_trace_event(&tev);
++              /* Skip if there is same name multi-probe event in the list */
++              if (ret == -EEXIST)
++                      ret = 0;
+               if (ret < 0)
+                       break;
+       }
diff --git a/queue-5.4/rdma-mad-do-not-crash-if-the-rdma-device-does-not-have-a-umad-interface.patch b/queue-5.4/rdma-mad-do-not-crash-if-the-rdma-device-does-not-have-a-umad-interface.patch
new file mode 100644 (file)
index 0000000..388c1ed
--- /dev/null
@@ -0,0 +1,123 @@
+From 5bdfa854013ce4193de0d097931fd841382c76a7 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgg@ziepe.ca>
+Date: Tue, 10 Mar 2020 09:53:39 +0200
+Subject: RDMA/mad: Do not crash if the rdma device does not have a umad interface
+
+From: Jason Gunthorpe <jgg@mellanox.com>
+
+commit 5bdfa854013ce4193de0d097931fd841382c76a7 upstream.
+
+Non-IB devices do not have a umad interface and the client_data will be
+left set to NULL. In this case calling get_nl_info() will try to kref a
+NULL cdev causing a crash:
+
+  general protection fault, probably for non-canonical address 0xdffffc00000000ba: 0000 [#1] PREEMPT SMP KASAN
+  KASAN: null-ptr-deref in range [0x00000000000005d0-0x00000000000005d7]
+  CPU: 0 PID: 20851 Comm: syz-executor.0 Not tainted 5.6.0-rc2-syzkaller #0
+  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+  RIP: 0010:kobject_get+0x35/0x150 lib/kobject.c:640
+  Code: 53 e8 3f b0 8b f9 4d 85 e4 0f 84 a2 00 00 00 e8 31 b0 8b f9 49 8d 7c 24 3c 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f  b6 04 02 48 89 fa
++83 e2 07 38 d0 7f 08 84 c0 0f 85 eb 00 00 00
+  RSP: 0018:ffffc9000946f1a0 EFLAGS: 00010203
+  RAX: dffffc0000000000 RBX: ffffffff85bdbbb0 RCX: ffffc9000bf22000
+  RDX: 00000000000000ba RSI: ffffffff87e9d78f RDI: 00000000000005d4
+  RBP: ffffc9000946f1b8 R08: ffff8880581a6440 R09: ffff8880581a6cd0
+  R10: fffffbfff154b838 R11: ffffffff8aa5c1c7 R12: 0000000000000598
+  R13: 0000000000000000 R14: ffffc9000946f278 R15: ffff88805cb0c4d0
+  FS:  00007faa9e8af700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
+  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+  CR2: 0000001b30121000 CR3: 000000004515d000 CR4: 00000000001406f0
+  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+  Call Trace:
+   get_device+0x25/0x40 drivers/base/core.c:2574
+   __ib_get_client_nl_info+0x205/0x2e0 drivers/infiniband/core/device.c:1861
+   ib_get_client_nl_info+0x35/0x180 drivers/infiniband/core/device.c:1881
+   nldev_get_chardev+0x575/0xac0 drivers/infiniband/core/nldev.c:1621
+   rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:195 [inline]
+   rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
+   rdma_nl_rcv+0x5d9/0x980 drivers/infiniband/core/netlink.c:259
+   netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
+   netlink_unicast+0x59e/0x7e0 net/netlink/af_netlink.c:1329
+   netlink_sendmsg+0x91c/0xea0 net/netlink/af_netlink.c:1918
+   sock_sendmsg_nosec net/socket.c:652 [inline]
+   sock_sendmsg+0xd7/0x130 net/socket.c:672
+   ____sys_sendmsg+0x753/0x880 net/socket.c:2343
+   ___sys_sendmsg+0x100/0x170 net/socket.c:2397
+   __sys_sendmsg+0x105/0x1d0 net/socket.c:2430
+   __do_sys_sendmsg net/socket.c:2439 [inline]
+   __se_sys_sendmsg net/socket.c:2437 [inline]
+   __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2437
+   do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
+   entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Cc: stable@kernel.org
+Fixes: 8f71bb0030b8 ("RDMA: Report available cdevs through RDMA_NLDEV_CMD_GET_CHARDEV")
+Link: https://lore.kernel.org/r/20200310075339.238090-1-leon@kernel.org
+Reported-by: syzbot+46fe08363dbba223dec5@syzkaller.appspotmail.com
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/user_mad.c |   33 ++++++++++++++++++++++-----------
+ 1 file changed, 22 insertions(+), 11 deletions(-)
+
+--- a/drivers/infiniband/core/user_mad.c
++++ b/drivers/infiniband/core/user_mad.c
+@@ -1129,17 +1129,30 @@ static const struct file_operations umad
+       .llseek  = no_llseek,
+ };
++static struct ib_umad_port *get_port(struct ib_device *ibdev,
++                                   struct ib_umad_device *umad_dev,
++                                   unsigned int port)
++{
++      if (!umad_dev)
++              return ERR_PTR(-EOPNOTSUPP);
++      if (!rdma_is_port_valid(ibdev, port))
++              return ERR_PTR(-EINVAL);
++      if (!rdma_cap_ib_mad(ibdev, port))
++              return ERR_PTR(-EOPNOTSUPP);
++
++      return &umad_dev->ports[port - rdma_start_port(ibdev)];
++}
++
+ static int ib_umad_get_nl_info(struct ib_device *ibdev, void *client_data,
+                              struct ib_client_nl_info *res)
+ {
+-      struct ib_umad_device *umad_dev = client_data;
++      struct ib_umad_port *port = get_port(ibdev, client_data, res->port);
+-      if (!rdma_is_port_valid(ibdev, res->port))
+-              return -EINVAL;
++      if (IS_ERR(port))
++              return PTR_ERR(port);
+       res->abi = IB_USER_MAD_ABI_VERSION;
+-      res->cdev = &umad_dev->ports[res->port - rdma_start_port(ibdev)].dev;
+-
++      res->cdev = &port->dev;
+       return 0;
+ }
+@@ -1154,15 +1167,13 @@ MODULE_ALIAS_RDMA_CLIENT("umad");
+ static int ib_issm_get_nl_info(struct ib_device *ibdev, void *client_data,
+                              struct ib_client_nl_info *res)
+ {
+-      struct ib_umad_device *umad_dev =
+-              ib_get_client_data(ibdev, &umad_client);
++      struct ib_umad_port *port = get_port(ibdev, client_data, res->port);
+-      if (!rdma_is_port_valid(ibdev, res->port))
+-              return -EINVAL;
++      if (IS_ERR(port))
++              return PTR_ERR(port);
+       res->abi = IB_USER_MAD_ABI_VERSION;
+-      res->cdev = &umad_dev->ports[res->port - rdma_start_port(ibdev)].sm_dev;
+-
++      res->cdev = &port->sm_dev;
+       return 0;
+ }
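Review bot: `ib_issm_get_nl_info()` used to look the device up with `ib_get_client_data(ibdev, &umad_client)` and now passes its own `client_data` argument to `get_port()`, a change the description does not mention. If the issm client has no client data of its own (its registration is not visible here), `get_port()` sees NULL and the handler returns `-EOPNOTSUPP` for every device. Keeping the lookup avoids that: `struct ib_umad_device *umad_dev = ib_get_client_data(ibdev, &umad_client);` followed by `get_port(ibdev, umad_dev, res->port)`. `get_port()` would also benefit from a one-line comment saying that a NULL `umad_dev` means the device has no umad interface.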
diff --git a/queue-5.4/rdma-nl-do-not-permit-empty-devices-names-during-rdma_nldev_cmd_newlink-set.patch b/queue-5.4/rdma-nl-do-not-permit-empty-devices-names-during-rdma_nldev_cmd_newlink-set.patch
new file mode 100644 (file)
index 0000000..c246ec3
--- /dev/null
@@ -0,0 +1,99 @@
+From 7aefa6237cfe4a6fcf06a8656eee988b36f8fefc Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgg@ziepe.ca>
+Date: Mon, 9 Mar 2020 16:05:15 -0300
+Subject: RDMA/nl: Do not permit empty devices names during RDMA_NLDEV_CMD_NEWLINK/SET
+
+From: Jason Gunthorpe <jgg@mellanox.com>
+
+commit 7aefa6237cfe4a6fcf06a8656eee988b36f8fefc upstream.
+
+Empty device names cannot be added to sysfs and crash with:
+
+  kobject: (00000000f9de3792): attempted to be registered with empty name!
+  WARNING: CPU: 1 PID: 10856 at lib/kobject.c:234 kobject_add_internal+0x7ac/0x9a0 lib/kobject.c:234
+  Kernel panic - not syncing: panic_on_warn set ...
+  CPU: 1 PID: 10856 Comm: syz-executor459 Not tainted 5.6.0-rc3-syzkaller #0
+  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+  Call Trace:
+   __dump_stack lib/dump_stack.c:77 [inline]
+   dump_stack+0x197/0x210 lib/dump_stack.c:118
+   panic+0x2e3/0x75c kernel/panic.c:221
+   __warn.cold+0x2f/0x3e kernel/panic.c:582
+   report_bug+0x289/0x300 lib/bug.c:195
+   fixup_bug arch/x86/kernel/traps.c:174 [inline]
+   fixup_bug arch/x86/kernel/traps.c:169 [inline]
+   do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:267
+   do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:286
+   invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
+  RIP: 0010:kobject_add_internal+0x7ac/0x9a0 lib/kobject.c:234
+  Code: 7a ca ca f9 e9 f0 f8 ff ff 4c 89 f7 e8 cd ca ca f9 e9 95 f9 ff ff e8 13 25 8c f9 4c 89 e6 48 c7 c7 a0 08 1a 89 e8 a3 76 5c f9 <0f> 0b 41 bd ea ff ff ff e9 52 ff ff ff e8 f2 24 8c f9 0f 0b e8 eb
+  RSP: 0018:ffffc90002006eb0 EFLAGS: 00010286
+  RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
+  RDX: 0000000000000000 RSI: ffffffff815eae46 RDI: fffff52000400dc8
+  RBP: ffffc90002006f08 R08: ffff8880972ac500 R09: ffffed1015d26659
+  R10: ffffed1015d26658 R11: ffff8880ae9332c7 R12: ffff888093034668
+  R13: 0000000000000000 R14: ffff8880a69d7600 R15: 0000000000000001
+   kobject_add_varg lib/kobject.c:390 [inline]
+   kobject_add+0x150/0x1c0 lib/kobject.c:442
+   device_add+0x3be/0x1d00 drivers/base/core.c:2412
+   ib_register_device drivers/infiniband/core/device.c:1371 [inline]
+   ib_register_device+0x93e/0xe40 drivers/infiniband/core/device.c:1343
+   rxe_register_device+0x52e/0x655 drivers/infiniband/sw/rxe/rxe_verbs.c:1231
+   rxe_add+0x122b/0x1661 drivers/infiniband/sw/rxe/rxe.c:302
+   rxe_net_add+0x91/0xf0 drivers/infiniband/sw/rxe/rxe_net.c:539
+   rxe_newlink+0x39/0x90 drivers/infiniband/sw/rxe/rxe.c:318
+   nldev_newlink+0x28a/0x430 drivers/infiniband/core/nldev.c:1538
+   rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:195 [inline]
+   rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
+   rdma_nl_rcv+0x5d9/0x980 drivers/infiniband/core/netlink.c:259
+   netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
+   netlink_unicast+0x59e/0x7e0 net/netlink/af_netlink.c:1329
+   netlink_sendmsg+0x91c/0xea0 net/netlink/af_netlink.c:1918
+   sock_sendmsg_nosec net/socket.c:652 [inline]
+   sock_sendmsg+0xd7/0x130 net/socket.c:672
+   ____sys_sendmsg+0x753/0x880 net/socket.c:2343
+   ___sys_sendmsg+0x100/0x170 net/socket.c:2397
+   __sys_sendmsg+0x105/0x1d0 net/socket.c:2430
+   __do_sys_sendmsg net/socket.c:2439 [inline]
+   __se_sys_sendmsg net/socket.c:2437 [inline]
+   __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2437
+   do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
+   entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Prevent empty names when checking the name provided from userspace during
+newlink and rename.
+
+Fixes: 3856ec4b93c9 ("RDMA/core: Add RDMA_NLDEV_CMD_NEWLINK/DELLINK support")
+Fixes: 05d940d3a3ec ("RDMA/nldev: Allow IB device rename through RDMA netlink")
+Cc: stable@kernel.org
+Link: https://lore.kernel.org/r/20200309191648.GA30852@ziepe.ca
+Reported-and-tested-by: syzbot+da615ac67d4dbea32cbc@syzkaller.appspotmail.com
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/nldev.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/nldev.c
++++ b/drivers/infiniband/core/nldev.c
+@@ -863,6 +863,10 @@ static int nldev_set_doit(struct sk_buff
+               nla_strlcpy(name, tb[RDMA_NLDEV_ATTR_DEV_NAME],
+                           IB_DEVICE_NAME_MAX);
++              if (strlen(name) == 0) {
++                      err = -EINVAL;
++                      goto done;
++              }
+               err = ib_device_rename(device, name);
+               goto done;
+       }
+@@ -1468,7 +1472,7 @@ static int nldev_newlink(struct sk_buff
+       nla_strlcpy(ibdev_name, tb[RDMA_NLDEV_ATTR_DEV_NAME],
+                   sizeof(ibdev_name));
+-      if (strchr(ibdev_name, '%'))
++      if (strchr(ibdev_name, '%') || strlen(ibdev_name) == 0)
+               return -EINVAL;
+       nla_strlcpy(type, tb[RDMA_NLDEV_ATTR_LINK_TYPE], sizeof(type));
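Review bot: The two checks on the user-supplied device name now differ: `nldev_newlink()` rejects both `%` and an empty name, while the rename path in `nldev_set_doit()` rejects only the empty name. Whether `ib_device_rename()` applies its own checks is not visible here. If the `%` restriction is meant to hold for renames too, a shared helper such as `static bool nldev_name_ok(const char *name) { return name[0] != '\0' && !strchr(name, '%'); }` would keep both handlers validating names the same way. Both functions start and end outside the hunks shown.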
diff --git a/queue-5.4/rtlwifi-rtl8188ee-fix-regression-due-to-commit-d1d1a96bdb44.patch b/queue-5.4/rtlwifi-rtl8188ee-fix-regression-due-to-commit-d1d1a96bdb44.patch
new file mode 100644 (file)
index 0000000..24e074e
--- /dev/null
@@ -0,0 +1,37 @@
+From c80b18cbb04b7b101af9bd14550f13d9866c646a Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Wed, 19 Feb 2020 14:00:41 -0600
+Subject: rtlwifi: rtl8188ee: Fix regression due to commit d1d1a96bdb44
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit c80b18cbb04b7b101af9bd14550f13d9866c646a upstream.
+
+For some unexplained reason, commit d1d1a96bdb44 ("rtlwifi: rtl8188ee:
+Remove local configuration variable") broke at least one system. As
+the only net effect of the change was to remove 2 bytes from the start
+of struct phy_status_rpt, this patch adds 2 bytes of padding at the
+beginning of the struct.
+
+Fixes: d1d1a96bdb44 ("rtlwifi: rtl8188ee: Remove local configuration variable")
+Cc: Stable <stable@vger.kernel.org>  # V5.4+
+Reported-by: Ashish <ashishkumar.yadav@students.iiserpune.ac.in>
+Tested-by: Ashish <ashishkumar.yadav@students.iiserpune.ac.in>
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8188ee/trx.h |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/trx.h
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/trx.h
+@@ -561,6 +561,7 @@ static inline void clear_pci_tx_desc_con
+        rxmcs == DESC92C_RATE11M)
+ struct phy_status_rpt {
++      u8      padding[2];
+       u8      ch_corr[2];
+       u8      cck_sig_qual_ofdm_pwdb_all;
+       u8      cck_agc_rpt_ofdm_cfosho_a;
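Review bot: The new `u8 padding[2];` member at the top of `struct phy_status_rpt` in trx.h has no comment, and the commit message itself calls the reason it is needed unexplained. Without a note in the header, a later cleanup can drop the two bytes again and shift every following field, which is the regression this patch repairs. I would annotate the member, for example `u8 padding[2]; /* restores the field offsets in use before d1d1a96bdb44; do not remove */`. The struct definition continues past the end of the hunk, so the remaining fields are not visible here.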
diff --git a/queue-5.4/scripts-dtc-remove-redundant-yyloc-global-declaration.patch b/queue-5.4/scripts-dtc-remove-redundant-yyloc-global-declaration.patch
new file mode 100644 (file)
index 0000000..068ab2d
--- /dev/null
@@ -0,0 +1,52 @@
+From e33a814e772cdc36436c8c188d8c42d019fda639 Mon Sep 17 00:00:00 2001
+From: Dirk Mueller <dmueller@suse.com>
+Date: Tue, 14 Jan 2020 18:53:41 +0100
+Subject: scripts/dtc: Remove redundant YYLOC global declaration
+
+From: Dirk Mueller <dmueller@suse.com>
+
+commit e33a814e772cdc36436c8c188d8c42d019fda639 upstream.
+
+gcc 10 will default to -fno-common, which causes this error at link
+time:
+
+  (.text+0x0): multiple definition of `yylloc'; dtc-lexer.lex.o (symbol from plugin):(.text+0x0): first defined here
+
+This is because both dtc-lexer as well as dtc-parser define the same
+global symbol yyloc. Before with -fcommon those were merged into one
+defintion. The proper solution would be to to mark this as "extern",
+however that leads to:
+
+  dtc-lexer.l:26:16: error: redundant redeclaration of 'yylloc' [-Werror=redundant-decls]
+   26 | extern YYLTYPE yylloc;
+      |                ^~~~~~
+In file included from dtc-lexer.l:24:
+dtc-parser.tab.h:127:16: note: previous declaration of 'yylloc' was here
+  127 | extern YYLTYPE yylloc;
+      |                ^~~~~~
+cc1: all warnings being treated as errors
+
+which means the declaration is completely redundant and can just be
+dropped.
+
+Signed-off-by: Dirk Mueller <dmueller@suse.com>
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+[robh: cherry-pick from upstream]
+Cc: stable@vger.kernel.org
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ scripts/dtc/dtc-lexer.l |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/scripts/dtc/dtc-lexer.l
++++ b/scripts/dtc/dtc-lexer.l
+@@ -23,7 +23,6 @@ LINECOMMENT  "//".*\n
+ #include "srcpos.h"
+ #include "dtc-parser.tab.h"
+-YYLTYPE yylloc;
+ extern bool treesource_error;
+ /* CAUTION: this will stop working if we ever use yyless() or yyunput() */
diff --git a/queue-5.4/scsi-sd-fix-optimal-i-o-size-for-devices-that-change-reported-values.patch b/queue-5.4/scsi-sd-fix-optimal-i-o-size-for-devices-that-change-reported-values.patch
new file mode 100644 (file)
index 0000000..ba16ac0
--- /dev/null
@@ -0,0 +1,54 @@
+From ea697a8bf5a4161e59806fab14f6e4a46dc7dcb0 Mon Sep 17 00:00:00 2001
+From: "Martin K. Petersen" <martin.petersen@oracle.com>
+Date: Tue, 24 Mar 2020 11:16:15 -0400
+Subject: scsi: sd: Fix optimal I/O size for devices that change reported values
+
+From: Martin K. Petersen <martin.petersen@oracle.com>
+
+commit ea697a8bf5a4161e59806fab14f6e4a46dc7dcb0 upstream.
+
+Some USB bridge devices will return a default set of characteristics during
+initialization. And then, once an attached drive has spun up, substitute
+the actual parameters reported by the drive. According to the SCSI spec,
+the device should return a UNIT ATTENTION in case any reported parameters
+change. But in this case the change is made silently after a small window
+where default values are reported.
+
+Commit a83da8a4509d ("scsi: sd: Optimal I/O size should be a multiple of
+physical block size") validated the reported optimal I/O size against the
+physical block size to overcome problems with devices reporting nonsensical
+transfer sizes. However, this validation did not account for the fact that
+aforementioned devices will return default values during a brief window
+during spin-up. The subsequent change in reported characteristics would
+invalidate the checking that had previously been performed.
+
+Unset a previously configured optimal I/O size should the sanity checking
+fail on subsequent revalidate attempts.
+
+Link: https://lore.kernel.org/r/33fb522e-4f61-1b76-914f-c9e6a3553c9b@gmail.com
+Cc: Bryan Gurney <bgurney@redhat.com>
+Cc: <stable@vger.kernel.org>
+Reported-by: Bernhard Sulzer <micraft.b@gmail.com>
+Tested-by: Bernhard Sulzer <micraft.b@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sd.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -3171,9 +3171,11 @@ static int sd_revalidate_disk(struct gen
+       if (sd_validate_opt_xfer_size(sdkp, dev_max)) {
+               q->limits.io_opt = logical_to_bytes(sdp, sdkp->opt_xfer_blocks);
+               rw_max = logical_to_sectors(sdp, sdkp->opt_xfer_blocks);
+-      } else
++      } else {
++              q->limits.io_opt = 0;
+               rw_max = min_not_zero(logical_to_sectors(sdp, dev_max),
+                                     (sector_t)BLK_DEF_MAX_SECTORS);
++      }
+       /* Do not exceed controller limit */
+       rw_max = min(rw_max, queue_max_hw_sectors(q));
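Review bot: The added `q->limits.io_opt = 0;` in the else branch of sd_revalidate_disk() has no comment, so the reason a failed validation must clear the limit is recorded only in the commit message. Per that message, a device can pass sd_validate_opt_xfer_size() on one revalidate and fail it on a later one, after silently changing what it reports, so the earlier value would otherwise stay in the queue limits. I would put `/* an earlier revalidate may have accepted a value the device no longer reports; drop the stale io_opt */` above the assignment. The function starts and ends outside the hunk.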
index 84d9f8197d8fd5117258f2fc428e1572a55c1915..c47c9abe6dede6e4b700af2b52077d3e267d8b29 100644 (file)
@@ -80,3 +80,24 @@ input-synaptics-enable-rmi-on-hp-envy-13-ad105ng.patch
 input-avoid-bit-macro-usage-in-the-serio.h-uapi-header.patch
 ib-rdmavt-free-kernel-completion-queue-when-done.patch
 rdma-core-fix-missing-error-check-on-dev_set_name.patch
+gpiolib-fix-irq_disable-semantics.patch
+rdma-nl-do-not-permit-empty-devices-names-during-rdma_nldev_cmd_newlink-set.patch
+rdma-mad-do-not-crash-if-the-rdma-device-does-not-have-a-umad-interface.patch
+ceph-check-pool_flag_full-nearfull-in-addition-to-osdmap_full-nearfull.patch
+ceph-fix-memory-leak-in-ceph_cleanup_snapid_map.patch
+arm-dts-dra7-add-bus_dma_limit-for-l3-bus.patch
+arm-dts-omap5-add-bus_dma_limit-for-l3-bus.patch
+x86-ioremap-fix-config_efi-n-build.patch
+perf-probe-fix-to-delete-multiple-probe-event.patch
+perf-probe-do-not-depend-on-dwfl_module_addrsym.patch
+rtlwifi-rtl8188ee-fix-regression-due-to-commit-d1d1a96bdb44.patch
+tools-let-o-makes-handle-a-relative-path-with-c-option.patch
+scripts-dtc-remove-redundant-yyloc-global-declaration.patch
+scsi-sd-fix-optimal-i-o-size-for-devices-that-change-reported-values.patch
+nl80211-fix-nl80211_attr_channel_width-attribute-type.patch
+mac80211-drop-data-frames-without-key-on-encrypted-links.patch
+mac80211-check-port-authorization-in-the-ieee80211_tx_dequeue-case.patch
+mac80211-mark-station-unauthorized-before-key-removal.patch
+mm-swapfile.c-move-inode_lock-out-of-claim_swapfile.patch
+drivers-base-memory.c-indicate-all-memory-blocks-as-removable.patch
+mm-sparse-fix-kernel-crash-with-pfn_section_valid-check.patch
diff --git a/queue-5.4/tools-let-o-makes-handle-a-relative-path-with-c-option.patch b/queue-5.4/tools-let-o-makes-handle-a-relative-path-with-c-option.patch
new file mode 100644 (file)
index 0000000..d8f0983
--- /dev/null
@@ -0,0 +1,72 @@
+From be40920fbf1003c38ccdc02b571e01a75d890c82 Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Sat, 7 Mar 2020 03:32:58 +0900
+Subject: tools: Let O= makes handle a relative path with -C option
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+commit be40920fbf1003c38ccdc02b571e01a75d890c82 upstream.
+
+When I tried to compile tools/perf from the top directory with the -C
+option, the O= option didn't work correctly if I passed a relative path:
+
+  $ make O=BUILD -C tools/perf/
+  make: Entering directory '/home/mhiramat/ksrc/linux/tools/perf'
+    BUILD:   Doing 'make -j8' parallel build
+  ../scripts/Makefile.include:4: *** O=/home/mhiramat/ksrc/linux/tools/perf/BUILD does not exist.  Stop.
+  make: *** [Makefile:70: all] Error 2
+  make: Leaving directory '/home/mhiramat/ksrc/linux/tools/perf'
+
+The O= directory existence check failed because the check script ran in
+the build target directory instead of the directory where I ran the make
+command.
+
+To fix that, once change directory to $(PWD) and check O= directory,
+since the PWD is set to where the make command runs.
+
+Fixes: c883122acc0d ("perf tools: Let O= makes handle relative paths")
+Reported-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Masahiro Yamada <masahiroy@kernel.org>
+Cc: Michal Marek <michal.lkml@markovi.net>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Sasha Levin <sashal@kernel.org>
+Cc: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Cc: stable@vger.kernel.org
+Link: http://lore.kernel.org/lkml/158351957799.3363.15269768530697526765.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/Makefile            |    2 +-
+ tools/scripts/Makefile.include |    4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/tools/perf/Makefile
++++ b/tools/perf/Makefile
+@@ -35,7 +35,7 @@ endif
+ # Only pass canonical directory names as the output directory:
+ #
+ ifneq ($(O),)
+-  FULL_O := $(shell readlink -f $(O) || echo $(O))
++  FULL_O := $(shell cd $(PWD); readlink -f $(O) || echo $(O))
+ endif
+ #
+--- a/tools/scripts/Makefile.include
++++ b/tools/scripts/Makefile.include
+@@ -1,8 +1,8 @@
+ # SPDX-License-Identifier: GPL-2.0
+ ifneq ($(O),)
+ ifeq ($(origin O), command line)
+-      dummy := $(if $(shell test -d $(O) || echo $(O)),$(error O=$(O) does not exist),)
+-      ABSOLUTE_O := $(shell cd $(O) ; pwd)
++      dummy := $(if $(shell cd $(PWD); test -d $(O) || echo $(O)),$(error O=$(O) does not exist),)
++      ABSOLUTE_O := $(shell cd $(PWD); cd $(O) ; pwd)
+       OUTPUT := $(ABSOLUTE_O)/$(if $(subdir),$(subdir)/)
+       COMMAND_O := O=$(ABSOLUTE_O)
+ ifeq ($(objtree),)
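Review bot: Both Makefile hunks join the new `cd $(PWD)` to the following command with `;` and leave `$(PWD)` unquoted. When that cd fails, or the path contains whitespace, `test -d`, `readlink -f` and `pwd` still run in whichever directory the shell is in. `$(PWD)` appears to come from the caller's environment rather than from make itself, so it can be stale or missing when make is started by another tool. In tools/scripts/Makefile.include I would write `ABSOLUTE_O := $(shell cd "$(PWD)" && cd $(O) && pwd)`. The same `cd "$(PWD)" &&` form fits the `dummy :=` line, where a failed cd then falls through to the existing `echo $(O)` and reports the error, and `FULL_O` in tools/perf/Makefile.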
diff --git a/queue-5.4/x86-ioremap-fix-config_efi-n-build.patch b/queue-5.4/x86-ioremap-fix-config_efi-n-build.patch
new file mode 100644 (file)
index 0000000..1cedd40
--- /dev/null
@@ -0,0 +1,39 @@
+From 870b4333a62e45b0b2000d14b301b7b8b8cad9da Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Wed, 18 Mar 2020 19:27:48 +0100
+Subject: x86/ioremap: Fix CONFIG_EFI=n build
+
+From: Borislav Petkov <bp@suse.de>
+
+commit 870b4333a62e45b0b2000d14b301b7b8b8cad9da upstream.
+
+In order to use efi_mem_type(), one needs CONFIG_EFI enabled. Otherwise
+that function is undefined. Use IS_ENABLED() to check and avoid the
+ifdeffery as the compiler optimizes away the following unreachable code
+then.
+
+Fixes: 985e537a4082 ("x86/ioremap: Map EFI runtime services data as encrypted for SEV")
+Reported-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Tested-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Tom Lendacky <thomas.lendacky@amd.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lkml.kernel.org/r/7561e981-0d9b-d62c-0ef2-ce6007aff1ab@infradead.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/mm/ioremap.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/mm/ioremap.c
++++ b/arch/x86/mm/ioremap.c
+@@ -115,6 +115,9 @@ static void __ioremap_check_other(resour
+       if (!sev_active())
+               return;
++      if (!IS_ENABLED(CONFIG_EFI))
++              return;
++
+       if (efi_mem_type(addr) == EFI_RUNTIME_SERVICES_DATA)
+               desc->flags |= IORES_MAP_ENCRYPTED;
+ }