--- /dev/null
+From e7c22eeaff8565d9a8374f320238c251ca31480b Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Mon, 11 Jan 2021 14:02:50 +0100
+Subject: ALSA: fireface: Fix integer overflow in transmit_midi_msg()
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit e7c22eeaff8565d9a8374f320238c251ca31480b upstream.
+
+As snd_ff.rx_bytes[] is unsigned int, and NSEC_PER_SEC is 1000000000L,
+the second multiplication in
+
+ ff->rx_bytes[port] * 8 * NSEC_PER_SEC / 31250
+
+always overflows on 32-bit platforms, truncating the result. Fix this
+by precalculating "NSEC_PER_SEC / 31250", which is an integer constant.
+
+Note that this assumes ff->rx_bytes[port] <= 16777.
+
+Fixes: 19174295788de77d ("ALSA: fireface: add transaction support")
+Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20210111130251.361335-2-geert+renesas@glider.be
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/fireface/ff-transaction.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/firewire/fireface/ff-transaction.c
++++ b/sound/firewire/fireface/ff-transaction.c
+@@ -88,7 +88,7 @@ static void transmit_midi_msg(struct snd
+
+ /* Set interval to next transaction. */
+ ff->next_ktime[port] = ktime_add_ns(ktime_get(),
+- ff->rx_bytes[port] * 8 * NSEC_PER_SEC / 31250);
++ ff->rx_bytes[port] * 8 * (NSEC_PER_SEC / 31250));
+
+ if (quad_count == 1)
+ tcode = TCODE_WRITE_QUADLET_REQUEST;
--- /dev/null
+From 9f65df9c589f249435255da37a5dd11f1bc86f4d Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Mon, 11 Jan 2021 14:02:51 +0100
+Subject: ALSA: firewire-tascam: Fix integer overflow in midi_port_work()
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit 9f65df9c589f249435255da37a5dd11f1bc86f4d upstream.
+
+As snd_fw_async_midi_port.consume_bytes is unsigned int, and
+NSEC_PER_SEC is 1000000000L, the second multiplication in
+
+ port->consume_bytes * 8 * NSEC_PER_SEC / 31250
+
+always overflows on 32-bit platforms, truncating the result. Fix this
+by precalculating "NSEC_PER_SEC / 31250", which is an integer constant.
+
+Note that this assumes port->consume_bytes <= 16777.
+
+Fixes: 531f471834227d03 ("ALSA: firewire-lib/firewire-tascam: localize async midi port")
+Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20210111130251.361335-3-geert+renesas@glider.be
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/tascam/tascam-transaction.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/firewire/tascam/tascam-transaction.c
++++ b/sound/firewire/tascam/tascam-transaction.c
+@@ -209,7 +209,7 @@ static void midi_port_work(struct work_s
+
+ /* Set interval to next transaction. */
+ port->next_ktime = ktime_add_ns(ktime_get(),
+- port->consume_bytes * 8 * NSEC_PER_SEC / 31250);
++ port->consume_bytes * 8 * (NSEC_PER_SEC / 31250));
+
+ /* Start this transaction. */
+ port->idling = false;
--- /dev/null
+From f373a811fd9a69fc8bafb9bcb41d2cfa36c62665 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 11 Dec 2020 13:06:52 +0300
+Subject: ASoC: Intel: fix error code cnl_set_dsp_D0()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit f373a811fd9a69fc8bafb9bcb41d2cfa36c62665 upstream.
+
+Return -ETIMEDOUT if the dsp boot times out instead of returning
+success.
+
+Fixes: cb6a55284629 ("ASoC: Intel: cnl: Add sst library functions for cnl platform")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Link: https://lore.kernel.org/r/X9NEvCzuN+IObnTN@mwanda
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/intel/skylake/cnl-sst.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/soc/intel/skylake/cnl-sst.c
++++ b/sound/soc/intel/skylake/cnl-sst.c
+@@ -224,6 +224,7 @@ static int cnl_set_dsp_D0(struct sst_dsp
+ "dsp boot timeout, status=%#x error=%#x\n",
+ sst_dsp_shim_read(ctx, CNL_ADSP_FW_STATUS),
+ sst_dsp_shim_read(ctx, CNL_ADSP_ERROR_CODE));
++ ret = -ETIMEDOUT;
+ goto err;
+ }
+ } else {
--- /dev/null
+From 671ee4db952449acde126965bf76817a3159040d Mon Sep 17 00:00:00 2001
+From: Jerome Brunet <jbrunet@baylibre.com>
+Date: Thu, 17 Dec 2020 16:08:12 +0100
+Subject: ASoC: meson: axg-tdm-interface: fix loopback
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+commit 671ee4db952449acde126965bf76817a3159040d upstream.
+
+When the axg-tdm-interface was introduced, the backend DAI was marked as an
+endpoint when DPCM was walking the DAPM graph to find a its BE.
+
+It is no longer the case since this
+commit 8dd26dff00c0 ("ASoC: dapm: Fix handling of custom_stop_condition on DAPM graph walks")
+Because of this, when DPCM finds a BE it does everything it needs on the
+DAIs but it won't power up the widgets between the FE and the BE if there
+is no actual endpoint after the BE.
+
+On meson-axg HWs, the loopback is a special DAI of the tdm-interface BE.
+It is only linked to the dummy codec since there no actual HW after it.
+>From the DAPM perspective, the DAI has no endpoint. Because of this, the TDM
+decoder, which is a widget between the FE and BE is not powered up.
+
+>From the user perspective, everything seems fine but no data is produced.
+
+Connecting the Loopback DAI to a dummy DAPM endpoint solves the problem.
+
+Fixes: 8dd26dff00c0 ("ASoC: dapm: Fix handling of custom_stop_condition on DAPM graph walks")
+Cc: Charles Keepax <ckeepax@opensource.cirrus.com>
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Link: https://lore.kernel.org/r/20201217150812.3247405-1-jbrunet@baylibre.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/meson/axg-tdm-interface.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/sound/soc/meson/axg-tdm-interface.c
++++ b/sound/soc/meson/axg-tdm-interface.c
+@@ -467,8 +467,20 @@ static int axg_tdm_iface_set_bias_level(
+ return ret;
+ }
+
++static const struct snd_soc_dapm_widget axg_tdm_iface_dapm_widgets[] = {
++ SND_SOC_DAPM_SIGGEN("Playback Signal"),
++};
++
++static const struct snd_soc_dapm_route axg_tdm_iface_dapm_routes[] = {
++ { "Loopback", NULL, "Playback Signal" },
++};
++
+ static const struct snd_soc_component_driver axg_tdm_iface_component_drv = {
+- .set_bias_level = axg_tdm_iface_set_bias_level,
++ .dapm_widgets = axg_tdm_iface_dapm_widgets,
++ .num_dapm_widgets = ARRAY_SIZE(axg_tdm_iface_dapm_widgets),
++ .dapm_routes = axg_tdm_iface_dapm_routes,
++ .num_dapm_routes = ARRAY_SIZE(axg_tdm_iface_dapm_routes),
++ .set_bias_level = axg_tdm_iface_set_bias_level,
+ };
+
+ static const struct of_device_id axg_tdm_iface_of_match[] = {
--- /dev/null
+From a84dfb3d55934253de6aed38ad75990278a2d21e Mon Sep 17 00:00:00 2001
+From: Jerome Brunet <jbrunet@baylibre.com>
+Date: Thu, 17 Dec 2020 16:08:34 +0100
+Subject: ASoC: meson: axg-tdmin: fix axg skew offset
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+commit a84dfb3d55934253de6aed38ad75990278a2d21e upstream.
+
+The signal captured on from tdm decoder of the AXG SoC is incorrect. It
+appears amplified. The skew offset of the decoder is wrong.
+
+Setting the skew offset to 3, like the g12 and sm1 SoCs, solves and gives
+correct data.
+
+Fixes: 13a22e6a98f8 ("ASoC: meson: add tdm input driver")
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Link: https://lore.kernel.org/r/20201217150834.3247526-1-jbrunet@baylibre.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/meson/axg-tdmin.c | 13 ++-----------
+ 1 file changed, 2 insertions(+), 11 deletions(-)
+
+--- a/sound/soc/meson/axg-tdmin.c
++++ b/sound/soc/meson/axg-tdmin.c
+@@ -228,15 +228,6 @@ static const struct axg_tdm_formatter_dr
+ .regmap_cfg = &axg_tdmin_regmap_cfg,
+ .ops = &axg_tdmin_ops,
+ .quirks = &(const struct axg_tdm_formatter_hw) {
+- .skew_offset = 2,
+- },
+-};
+-
+-static const struct axg_tdm_formatter_driver g12a_tdmin_drv = {
+- .component_drv = &axg_tdmin_component_drv,
+- .regmap_cfg = &axg_tdmin_regmap_cfg,
+- .ops = &axg_tdmin_ops,
+- .quirks = &(const struct axg_tdm_formatter_hw) {
+ .skew_offset = 3,
+ },
+ };
+@@ -247,10 +238,10 @@ static const struct of_device_id axg_tdm
+ .data = &axg_tdmin_drv,
+ }, {
+ .compatible = "amlogic,g12a-tdmin",
+- .data = &g12a_tdmin_drv,
++ .data = &axg_tdmin_drv,
+ }, {
+ .compatible = "amlogic,sm1-tdmin",
+- .data = &g12a_tdmin_drv,
++ .data = &axg_tdmin_drv,
+ }, {}
+ };
+ MODULE_DEVICE_TABLE(of, axg_tdmin_of_match);
--- /dev/null
+From 869c4d5eb1e6fbda66aa790c48bdb946d71494a0 Mon Sep 17 00:00:00 2001
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Mon, 11 Jan 2021 04:26:39 -0500
+Subject: bnxt_en: Improve stats context resource accounting with RDMA driver loaded.
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+commit 869c4d5eb1e6fbda66aa790c48bdb946d71494a0 upstream.
+
+The function bnxt_get_ulp_stat_ctxs() does not count the stats contexts
+used by the RDMA driver correctly when the RDMA driver is freeing the
+MSIX vectors. It assumes that if the RDMA driver is registered, the
+additional stats contexts will be needed. This is not true when the
+RDMA driver is about to unregister and frees the MSIX vectors.
+
+This slight error leads to over accouting of the stats contexts needed
+after the RDMA driver has unloaded. This will cause some firmware
+warning and error messages in dmesg during subsequent config. changes
+or ifdown/ifup.
+
+Fix it by properly accouting for extra stats contexts only if the
+RDMA driver is registered and MSIX vectors have been successfully
+requested.
+
+Fixes: c027c6b4e91f ("bnxt_en: get rid of num_stat_ctxs variable")
+Reviewed-by: Yongping Zhang <yongping.zhang@broadcom.com>
+Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c
+@@ -216,8 +216,12 @@ int bnxt_get_ulp_msix_base(struct bnxt *
+
+ int bnxt_get_ulp_stat_ctxs(struct bnxt *bp)
+ {
+- if (bnxt_ulp_registered(bp->edev, BNXT_ROCE_ULP))
+- return BNXT_MIN_ROCE_STAT_CTXS;
++ if (bnxt_ulp_registered(bp->edev, BNXT_ROCE_ULP)) {
++ struct bnxt_en_dev *edev = bp->edev;
++
++ if (edev->ulp_tbl[BNXT_ROCE_ULP].msix_requested)
++ return BNXT_MIN_ROCE_STAT_CTXS;
++ }
+
+ return 0;
+ }
--- /dev/null
+From 0378c625afe80eb3f212adae42cc33c9f6f31abf Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@redhat.com>
+Date: Wed, 6 Jan 2021 18:19:05 -0500
+Subject: dm: eliminate potential source of excessive kernel log noise
+
+From: Mike Snitzer <snitzer@redhat.com>
+
+commit 0378c625afe80eb3f212adae42cc33c9f6f31abf upstream.
+
+There wasn't ever a real need to log an error in the kernel log for
+ioctls issued with insufficient permissions. Simply return an error
+and if an admin/user is sufficiently motivated they can enable DM's
+dynamic debugging to see an explanation for why the ioctls were
+disallowed.
+
+Reported-by: Nir Soffer <nsoffer@redhat.com>
+Fixes: e980f62353c6 ("dm: don't allow ioctls to targets that don't map to whole devices")
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -548,7 +548,7 @@ static int dm_blk_ioctl(struct block_dev
+ * subset of the parent bdev; require extra privileges.
+ */
+ if (!capable(CAP_SYS_RAWIO)) {
+- DMWARN_LIMIT(
++ DMDEBUG_LIMIT(
+ "%s: sending ioctl %x to DM device without required privilege.",
+ current->comm, cmd);
+ r = -ENOIOCTLCMD;
--- /dev/null
+From 00cb645fd7e29bdd20967cd20fa8f77bcdf422f9 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 18 Nov 2020 13:40:58 +0100
+Subject: drm/i915/dsi: Use unconditional msleep for the panel_on_delay when there is no reset-deassert MIPI-sequence
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 00cb645fd7e29bdd20967cd20fa8f77bcdf422f9 upstream.
+
+Commit 25b4620ee822 ("drm/i915/dsi: Skip delays for v3 VBTs in vid-mode")
+added an intel_dsi_msleep() helper which skips sleeping if the
+MIPI-sequences have a version of 3 or newer and the panel is in vid-mode;
+and it moved a bunch of msleep-s over to this new helper.
+
+This was based on my reading of the big comment around line 730 which
+starts with "Panel enable/disable sequences from the VBT spec.",
+where the "v3 video mode seq" column does not have any wait t# entries.
+
+Given that this code has been used on a lot of different devices without
+issues until now, it seems that my interpretation of the spec here is
+mostly correct.
+
+But now I have encountered one device, an Acer Aspire Switch 10 E
+SW3-016, where the panel will not light up unless we do actually honor the
+panel_on_delay after exexuting the MIPI_SEQ_PANEL_ON sequence.
+
+What seems to set this model apart is that it is lacking a
+MIPI_SEQ_DEASSERT_RESET sequence, which is where the power-on
+delay usually happens.
+
+Fix the panel not lighting up on this model by using an unconditional
+msleep(panel_on_delay) instead of intel_dsi_msleep() when there is
+no MIPI_SEQ_DEASSERT_RESET sequence.
+
+Fixes: 25b4620ee822 ("drm/i915/dsi: Skip delays for v3 VBTs in vid-mode")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20201118124058.26021-1-hdegoede@redhat.com
+(cherry picked from commit 6fdb335f1c9c0845b50625de1624d8445c4c4a07)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/display/vlv_dsi.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/i915/display/vlv_dsi.c
++++ b/drivers/gpu/drm/i915/display/vlv_dsi.c
+@@ -797,10 +797,20 @@ static void intel_dsi_pre_enable(struct
+ if (intel_dsi->gpio_panel)
+ gpiod_set_value_cansleep(intel_dsi->gpio_panel, 1);
+ intel_dsi_vbt_exec_sequence(intel_dsi, MIPI_SEQ_POWER_ON);
+- intel_dsi_msleep(intel_dsi, intel_dsi->panel_on_delay);
+
+- /* Deassert reset */
+- intel_dsi_vbt_exec_sequence(intel_dsi, MIPI_SEQ_DEASSERT_RESET);
++ /*
++ * Give the panel time to power-on and then deassert its reset.
++ * Depending on the VBT MIPI sequences version the deassert-seq
++ * may contain the necessary delay, intel_dsi_msleep() will skip
++ * the delay in that case. If there is no deassert-seq, then an
++ * unconditional msleep is used to give the panel time to power-on.
++ */
++ if (dev_priv->vbt.dsi.sequence[MIPI_SEQ_DEASSERT_RESET]) {
++ intel_dsi_msleep(intel_dsi, intel_dsi->panel_on_delay);
++ intel_dsi_vbt_exec_sequence(intel_dsi, MIPI_SEQ_DEASSERT_RESET);
++ } else {
++ msleep(intel_dsi->panel_on_delay);
++ }
+
+ if (IS_GEMINILAKE(dev_priv)) {
+ glk_cold_boot = glk_dsi_enable_io(encoder);
--- /dev/null
+From d36a1dd9f77ae1e72da48f4123ed35627848507d Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Tue, 5 Jan 2021 14:43:46 -0500
+Subject: dump_common_audit_data(): fix racy accesses to ->d_name
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit d36a1dd9f77ae1e72da48f4123ed35627848507d upstream.
+
+We are not guaranteed the locking environment that would prevent
+dentry getting renamed right under us. And it's possible for
+old long name to be freed after rename, leading to UAF here.
+
+Cc: stable@kernel.org # v2.6.2+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/lsm_audit.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/security/lsm_audit.c
++++ b/security/lsm_audit.c
+@@ -274,7 +274,9 @@ static void dump_common_audit_data(struc
+ struct inode *inode;
+
+ audit_log_format(ab, " name=");
++ spin_lock(&a->u.dentry->d_lock);
+ audit_log_untrustedstring(ab, a->u.dentry->d_name.name);
++ spin_unlock(&a->u.dentry->d_lock);
+
+ inode = d_backing_inode(a->u.dentry);
+ if (inode) {
+@@ -292,8 +294,9 @@ static void dump_common_audit_data(struc
+ dentry = d_find_alias(inode);
+ if (dentry) {
+ audit_log_format(ab, " name=");
+- audit_log_untrustedstring(ab,
+- dentry->d_name.name);
++ spin_lock(&dentry->d_lock);
++ audit_log_untrustedstring(ab, dentry->d_name.name);
++ spin_unlock(&dentry->d_lock);
+ dput(dentry);
+ }
+ audit_log_format(ab, " dev=");
--- /dev/null
+From dfd56c2c0c0dbb11be939b804ddc8d5395ab3432 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 16 Dec 2020 11:18:43 +0100
+Subject: ext4: fix superblock checksum failure when setting password salt
+
+From: Jan Kara <jack@suse.cz>
+
+commit dfd56c2c0c0dbb11be939b804ddc8d5395ab3432 upstream.
+
+When setting password salt in the superblock, we forget to recompute the
+superblock checksum so it will not match until the next superblock
+modification which recomputes the checksum. Fix it.
+
+CC: Michael Halcrow <mhalcrow@google.com>
+Reported-by: Andreas Dilger <adilger@dilger.ca>
+Fixes: 9bd8212f981e ("ext4 crypto: add encryption policy and password salt support")
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20201216101844.22917-8-jack@suse.cz
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/ioctl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/ext4/ioctl.c
++++ b/fs/ext4/ioctl.c
+@@ -1160,7 +1160,10 @@ resizefs_out:
+ err = ext4_journal_get_write_access(handle, sbi->s_sbh);
+ if (err)
+ goto pwsalt_err_journal;
++ lock_buffer(sbi->s_sbh);
+ generate_random_uuid(sbi->s_es->s_encrypt_pw_salt);
++ ext4_superblock_csum_set(sb);
++ unlock_buffer(sbi->s_sbh);
+ err = ext4_handle_dirty_metadata(handle, NULL,
+ sbi->s_sbh);
+ pwsalt_err_journal:
--- /dev/null
+From 2cb091f6293df898b47f4e0f2e54324e2bbaf816 Mon Sep 17 00:00:00 2001
+From: Parav Pandit <parav@nvidia.com>
+Date: Wed, 13 Jan 2021 14:17:00 +0200
+Subject: IB/mlx5: Fix error unwinding when set_has_smi_cap fails
+
+From: Parav Pandit <parav@nvidia.com>
+
+commit 2cb091f6293df898b47f4e0f2e54324e2bbaf816 upstream.
+
+When set_has_smi_cap() fails, multiport master cleanup is missed. Fix it
+by doing the correct error unwinding goto.
+
+Fixes: a989ea01cb10 ("RDMA/mlx5: Move SMI caps logic")
+Link: https://lore.kernel.org/r/20210113121703.559778-3-leon@kernel.org
+Signed-off-by: Parav Pandit <parav@nvidia.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx5/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -6173,7 +6173,7 @@ static int mlx5_ib_stage_init_init(struc
+
+ err = set_has_smi_cap(dev);
+ if (err)
+- return err;
++ goto err_mp;
+
+ if (!mlx5_core_mp_enabled(mdev)) {
+ for (i = 1; i <= dev->num_ports; i++) {
--- /dev/null
+From 2d6ffc63f12417b979955a5b22ad9a76d2af5de9 Mon Sep 17 00:00:00 2001
+From: Lu Baolu <baolu.lu@linux.intel.com>
+Date: Thu, 31 Dec 2020 08:53:20 +0800
+Subject: iommu/vt-d: Fix unaligned addresses for intel_flush_svm_range_dev()
+
+From: Lu Baolu <baolu.lu@linux.intel.com>
+
+commit 2d6ffc63f12417b979955a5b22ad9a76d2af5de9 upstream.
+
+The VT-d hardware will ignore those Addr bits which have been masked by
+the AM field in the PASID-based-IOTLB invalidation descriptor. As the
+result, if the starting address in the descriptor is not aligned with
+the address mask, some IOTLB caches might not invalidate. Hence people
+will see below errors.
+
+[ 1093.704661] dmar_fault: 29 callbacks suppressed
+[ 1093.704664] DMAR: DRHD: handling fault status reg 3
+[ 1093.712738] DMAR: [DMA Read] Request device [7a:02.0] PASID 2
+ fault addr 7f81c968d000 [fault reason 113]
+ SM: Present bit in first-level paging entry is clear
+
+Fix this by using aligned address for PASID-based-IOTLB invalidation.
+
+Fixes: 1c4f88b7f1f9 ("iommu/vt-d: Shared virtual address in scalable mode")
+Reported-and-tested-by: Guo Kaijie <Kaijie.Guo@intel.com>
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Link: https://lore.kernel.org/r/20201231005323.2178523-2-baolu.lu@linux.intel.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/intel-svm.c | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+--- a/drivers/iommu/intel-svm.c
++++ b/drivers/iommu/intel-svm.c
+@@ -99,8 +99,10 @@ int intel_svm_finish_prq(struct intel_io
+ return 0;
+ }
+
+-static void intel_flush_svm_range_dev (struct intel_svm *svm, struct intel_svm_dev *sdev,
+- unsigned long address, unsigned long pages, int ih)
++static void __flush_svm_range_dev(struct intel_svm *svm,
++ struct intel_svm_dev *sdev,
++ unsigned long address,
++ unsigned long pages, int ih)
+ {
+ struct qi_desc desc;
+
+@@ -151,6 +153,22 @@ static void intel_flush_svm_range_dev (s
+ }
+ }
+
++static void intel_flush_svm_range_dev(struct intel_svm *svm,
++ struct intel_svm_dev *sdev,
++ unsigned long address,
++ unsigned long pages, int ih)
++{
++ unsigned long shift = ilog2(__roundup_pow_of_two(pages));
++ unsigned long align = (1ULL << (VTD_PAGE_SHIFT + shift));
++ unsigned long start = ALIGN_DOWN(address, align);
++ unsigned long end = ALIGN(address + (pages << VTD_PAGE_SHIFT), align);
++
++ while (start < end) {
++ __flush_svm_range_dev(svm, sdev, start, align >> VTD_PAGE_SHIFT, ih);
++ start += align;
++ }
++}
++
+ static void intel_flush_svm_range(struct intel_svm *svm, unsigned long address,
+ unsigned long pages, int ih)
+ {
--- /dev/null
+From 8ff60eb052eeba95cfb3efe16b08c9199f8121cf Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Tue, 12 Jan 2021 15:49:04 -0800
+Subject: mm, slub: consider rest of partial list if acquire_slab() fails
+
+From: Jann Horn <jannh@google.com>
+
+commit 8ff60eb052eeba95cfb3efe16b08c9199f8121cf upstream.
+
+acquire_slab() fails if there is contention on the freelist of the page
+(probably because some other CPU is concurrently freeing an object from
+the page). In that case, it might make sense to look for a different page
+(since there might be more remote frees to the page from other CPUs, and
+we don't want contention on struct page).
+
+However, the current code accidentally stops looking at the partial list
+completely in that case. Especially on kernels without CONFIG_NUMA set,
+this means that get_partial() fails and new_slab_objects() falls back to
+new_slab(), allocating new pages. This could lead to an unnecessary
+increase in memory fragmentation.
+
+Link: https://lkml.kernel.org/r/20201228130853.1871516-1-jannh@google.com
+Fixes: 7ced37197196 ("slub: Acquire_slab() avoid loop")
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: David Rientjes <rientjes@google.com>
+Acked-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: Christoph Lameter <cl@linux.com>
+Cc: Pekka Enberg <penberg@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/slub.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -1887,7 +1887,7 @@ static void *get_partial_node(struct kme
+
+ t = acquire_slab(s, n, page, object == NULL, &objects);
+ if (!t)
+- break;
++ continue; /* cmpxchg raced */
+
+ available += objects;
+ if (!object) {
--- /dev/null
+From 86b53fbf08f48d353a86a06aef537e78e82ba721 Mon Sep 17 00:00:00 2001
+From: "j.nixdorf@avm.de" <j.nixdorf@avm.de>
+Date: Tue, 5 Jan 2021 15:17:01 +0100
+Subject: net: sunrpc: interpret the return value of kstrtou32 correctly
+
+From: j.nixdorf@avm.de <j.nixdorf@avm.de>
+
+commit 86b53fbf08f48d353a86a06aef537e78e82ba721 upstream.
+
+A return value of 0 means success. This is documented in lib/kstrtox.c.
+
+This was found by trying to mount an NFS share from a link-local IPv6
+address with the interface specified by its index:
+
+ mount("[fe80::1%1]:/srv/nfs", "/mnt", "nfs", 0, "nolock,addr=fe80::1%1")
+
+Before this commit this failed with EINVAL and also caused the following
+message in dmesg:
+
+ [...] NFS: bad IP address specified: addr=fe80::1%1
+
+The syscall using the same address based on the interface name instead
+of its index succeeds.
+
+Credits for this patch go to my colleague Christian Speich, who traced
+the origin of this bug to this line of code.
+
+Signed-off-by: Johannes Nixdorf <j.nixdorf@avm.de>
+Fixes: 00cfaa943ec3 ("replace strict_strto calls")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/addr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sunrpc/addr.c
++++ b/net/sunrpc/addr.c
+@@ -185,7 +185,7 @@ static int rpc_parse_scope_id(struct net
+ scope_id = dev->ifindex;
+ dev_put(dev);
+ } else {
+- if (kstrtou32(p, 10, &scope_id) == 0) {
++ if (kstrtou32(p, 10, &scope_id) != 0) {
+ kfree(p);
+ return 0;
+ }
--- /dev/null
+From f6351c3f1c27c80535d76cac2299aec44c36291e Mon Sep 17 00:00:00 2001
+From: Jesper Dangaard Brouer <brouer@redhat.com>
+Date: Fri, 8 Jan 2021 12:44:33 +0100
+Subject: netfilter: conntrack: fix reading nf_conntrack_buckets
+
+From: Jesper Dangaard Brouer <brouer@redhat.com>
+
+commit f6351c3f1c27c80535d76cac2299aec44c36291e upstream.
+
+The old way of changing the conntrack hashsize runtime was through changing
+the module param via file /sys/module/nf_conntrack/parameters/hashsize. This
+was extended to sysctl change in commit 3183ab8997a4 ("netfilter: conntrack:
+allow increasing bucket size via sysctl too").
+
+The commit introduced second "user" variable nf_conntrack_htable_size_user
+which shadow actual variable nf_conntrack_htable_size. When hashsize is
+changed via module param this "user" variable isn't updated. This results in
+sysctl net/netfilter/nf_conntrack_buckets shows the wrong value when users
+update via the old way.
+
+This patch fix the issue by always updating "user" variable when reading the
+proc file. This will take care of changes to the actual variable without
+sysctl need to be aware.
+
+Fixes: 3183ab8997a4 ("netfilter: conntrack: allow increasing bucket size via sysctl too")
+Reported-by: Yoel Caspersen <yoel@kviknet.dk>
+Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_conntrack_standalone.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netfilter/nf_conntrack_standalone.c
++++ b/net/netfilter/nf_conntrack_standalone.c
+@@ -521,6 +521,9 @@ nf_conntrack_hash_sysctl(struct ctl_tabl
+ {
+ int ret;
+
++ /* module_param hashsize could have changed value */
++ nf_conntrack_htable_size_user = nf_conntrack_htable_size;
++
+ ret = proc_dointvec(table, write, buffer, lenp, ppos);
+ if (ret < 0 || !write)
+ return ret;
--- /dev/null
+From 869f4fdaf4ca7bb6e0d05caf6fa1108dddc346a7 Mon Sep 17 00:00:00 2001
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Date: Sat, 9 Jan 2021 20:01:21 +0800
+Subject: netfilter: nf_nat: Fix memleak in nf_nat_init
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+commit 869f4fdaf4ca7bb6e0d05caf6fa1108dddc346a7 upstream.
+
+When register_pernet_subsys() fails, nf_nat_bysource
+should be freed just like when nf_ct_extend_register()
+fails.
+
+Fixes: 1cd472bf036ca ("netfilter: nf_nat: add nat hook register functions to nf_nat")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_nat_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/netfilter/nf_nat_core.c
++++ b/net/netfilter/nf_nat_core.c
+@@ -1174,6 +1174,7 @@ static int __init nf_nat_init(void)
+ ret = register_pernet_subsys(&nat_net_ops);
+ if (ret < 0) {
+ nf_ct_extend_unregister(&nat_extend);
++ kvfree(nf_nat_bysource);
+ return ret;
+ }
+
--- /dev/null
+From 896567ee7f17a8a736cda8a28cc987228410a2ac Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Sun, 10 Jan 2021 15:58:08 -0500
+Subject: NFS: nfs_igrab_and_active must first reference the superblock
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 896567ee7f17a8a736cda8a28cc987228410a2ac upstream.
+
+Before referencing the inode, we must ensure that the superblock can be
+referenced. Otherwise, we can end up with iput() calling superblock
+operations that are no longer valid or accessible.
+
+Fixes: ea7c38fef0b7 ("NFSv4: Ensure we reference the inode for return-on-close in delegreturn")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/internal.h | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/fs/nfs/internal.h
++++ b/fs/nfs/internal.h
+@@ -569,12 +569,14 @@ extern void nfs4_test_session_trunk(stru
+
+ static inline struct inode *nfs_igrab_and_active(struct inode *inode)
+ {
+- inode = igrab(inode);
+- if (inode != NULL && !nfs_sb_active(inode->i_sb)) {
+- iput(inode);
+- inode = NULL;
++ struct super_block *sb = inode->i_sb;
++
++ if (sb && nfs_sb_active(sb)) {
++ if (igrab(inode))
++ return inode;
++ nfs_sb_deactive(sb);
+ }
+- return inode;
++ return NULL;
+ }
+
+ static inline void nfs_iput_and_deactive(struct inode *inode)
--- /dev/null
+From cb2856c5971723910a86b7d1d0cf623d6919cbc4 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Wed, 6 Jan 2021 14:13:22 -0500
+Subject: NFS/pNFS: Fix a leak of the layout 'plh_outstanding' counter
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit cb2856c5971723910a86b7d1d0cf623d6919cbc4 upstream.
+
+If we exit _lgopen_prepare_attached() without setting a layout, we will
+currently leak the plh_outstanding counter.
+
+Fixes: 411ae722d10a ("pNFS: Wait for stale layoutget calls to complete in pnfs_update_layout()")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/pnfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -2215,6 +2215,7 @@ static void _lgopen_prepare_attached(str
+ &rng, GFP_KERNEL);
+ if (!lgp) {
+ pnfs_clear_first_layoutget(lo);
++ nfs_layoutget_end(lo);
+ pnfs_put_layout_hdr(lo);
+ return;
+ }
--- /dev/null
+From 3d1a90ab0ed93362ec8ac85cf291243c87260c21 Mon Sep 17 00:00:00 2001
+From: Dave Wysochanski <dwysocha@redhat.com>
+Date: Fri, 11 Dec 2020 05:12:51 -0500
+Subject: NFS4: Fix use-after-free in trace_event_raw_event_nfs4_set_lock
+
+From: Dave Wysochanski <dwysocha@redhat.com>
+
+commit 3d1a90ab0ed93362ec8ac85cf291243c87260c21 upstream.
+
+It is only safe to call the tracepoint before rpc_put_task() because
+'data' is freed inside nfs4_lock_release (rpc_release).
+
+Fixes: 48c9579a1afe ("Adding stateid information to tracepoints")
+Signed-off-by: Dave Wysochanski <dwysocha@redhat.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4proc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -6959,9 +6959,9 @@ static int _nfs4_do_setlk(struct nfs4_st
+ data->arg.new_lock_owner, ret);
+ } else
+ data->cancelled = true;
++ trace_nfs4_set_lock(fl, state, &data->res.stateid, cmd, ret);
+ rpc_put_task(task);
+ dprintk("%s: done, ret = %d!\n", __func__, ret);
+- trace_nfs4_set_lock(fl, state, &data->res.stateid, cmd, ret);
+ return ret;
+ }
+
--- /dev/null
+From ca1ff67d0fb14f39cf0cc5102b1fbcc3b14f6fb9 Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Wed, 13 Jan 2021 13:56:57 -0800
+Subject: nvme-tcp: fix possible data corruption with bio merges
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+commit ca1ff67d0fb14f39cf0cc5102b1fbcc3b14f6fb9 upstream.
+
+When a bio merges, we can get a request that spans multiple
+bios, and the overall request payload size is the sum of
+all bios. When we calculate how much we need to send
+from the existing bio (and bvec), we did not take into
+account the iov_iter byte count cap.
+
+Since multipage bvecs support, bvecs can split in the middle
+which means that when we account for the last bvec send we
+should also take the iov_iter byte count cap as it might be
+lower than the last bvec size.
+
+Reported-by: Hao Wang <pkuwangh@gmail.com>
+Fixes: 3f2304f8c6d6 ("nvme-tcp: add NVMe over TCP host driver")
+Tested-by: Hao Wang <pkuwangh@gmail.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvme/host/tcp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/tcp.c
++++ b/drivers/nvme/host/tcp.c
+@@ -186,7 +186,7 @@ static inline size_t nvme_tcp_req_cur_of
+
+ static inline size_t nvme_tcp_req_cur_length(struct nvme_tcp_request *req)
+ {
+- return min_t(size_t, req->iter.bvec->bv_len - req->iter.iov_offset,
++ return min_t(size_t, iov_iter_single_seg_count(&req->iter),
+ req->pdu_len - req->pdu_sent);
+ }
+
--- /dev/null
+From 5501e9229a80d95a1ea68609f44c447a75d23ed5 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Thu, 7 Jan 2021 19:41:59 +0200
+Subject: perf intel-pt: Fix 'CPU too large' error
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit 5501e9229a80d95a1ea68609f44c447a75d23ed5 upstream.
+
+In some cases, the number of cpus (nr_cpus_online) is confused with the
+maximum cpu number (nr_cpus_avail), which results in the error in the
+example below:
+
+Example on system with 8 cpus:
+
+ Before:
+ # echo 0 > /sys/devices/system/cpu/cpu2/online
+ # ./perf record --kcore -e intel_pt// taskset --cpu-list 7 uname
+ Linux
+ [ perf record: Woken up 1 times to write data ]
+ [ perf record: Captured and wrote 0.147 MB perf.data ]
+ # ./perf script --itrace=e
+ Requested CPU 7 too large. Consider raising MAX_NR_CPUS
+ 0x25908 [0x8]: failed to process type: 68 [Invalid argument]
+
+ After:
+ # ./perf script --itrace=e
+ #
+
+Fixes: 8c7274691f0d ("perf machine: Replace MAX_NR_CPUS with perf_env::nr_cpus_online")
+Fixes: 7df4e36a4785 ("perf session: Replace MAX_NR_CPUS with perf_env::nr_cpus_online")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Tested-by: Kan Liang <kan.liang@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org
+Link: http://lore.kernel.org/lkml/20210107174159.24897-1-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/util/machine.c | 4 ++--
+ tools/perf/util/session.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/tools/perf/util/machine.c
++++ b/tools/perf/util/machine.c
+@@ -2587,7 +2587,7 @@ int machines__for_each_thread(struct mac
+
+ pid_t machine__get_current_tid(struct machine *machine, int cpu)
+ {
+- int nr_cpus = min(machine->env->nr_cpus_online, MAX_NR_CPUS);
++ int nr_cpus = min(machine->env->nr_cpus_avail, MAX_NR_CPUS);
+
+ if (cpu < 0 || cpu >= nr_cpus || !machine->current_tid)
+ return -1;
+@@ -2599,7 +2599,7 @@ int machine__set_current_tid(struct mach
+ pid_t tid)
+ {
+ struct thread *thread;
+- int nr_cpus = min(machine->env->nr_cpus_online, MAX_NR_CPUS);
++ int nr_cpus = min(machine->env->nr_cpus_avail, MAX_NR_CPUS);
+
+ if (cpu < 0)
+ return -EINVAL;
+--- a/tools/perf/util/session.c
++++ b/tools/perf/util/session.c
+@@ -2314,7 +2314,7 @@ int perf_session__cpu_bitmap(struct perf
+ {
+ int i, err = -1;
+ struct perf_cpu_map *map;
+- int nr_cpus = min(session->header.env.nr_cpus_online, MAX_NR_CPUS);
++ int nr_cpus = min(session->header.env.nr_cpus_avail, MAX_NR_CPUS);
+
+ for (i = 0; i < PERF_TYPE_MAX; ++i) {
+ struct evsel *evsel;
--- /dev/null
+From 67bbceedc9bb8ad48993a8bd6486054756d711f4 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Mon, 4 Jan 2021 13:35:46 -0500
+Subject: pNFS: Mark layout for return if return-on-close was not sent
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 67bbceedc9bb8ad48993a8bd6486054756d711f4 upstream.
+
+If the layout return-on-close failed because the layoutreturn was never
+sent, then we should mark the layout for return again.
+
+Fixes: 9c47b18cf722 ("pNFS: Ensure we do clear the return-on-close layout stateid on fatal errors")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/pnfs.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -1524,12 +1524,18 @@ void pnfs_roc_release(struct nfs4_layout
+ int ret)
+ {
+ struct pnfs_layout_hdr *lo = args->layout;
++ struct inode *inode = args->inode;
+ const nfs4_stateid *arg_stateid = NULL;
+ const nfs4_stateid *res_stateid = NULL;
+ struct nfs4_xdr_opaque_data *ld_private = args->ld_private;
+
+ switch (ret) {
+ case -NFS4ERR_NOMATCHING_LAYOUT:
++ spin_lock(&inode->i_lock);
++ if (pnfs_layout_is_valid(lo) &&
++ nfs4_stateid_match_other(&args->stateid, &lo->plh_stateid))
++ pnfs_set_plh_return_info(lo, args->range.iomode, 0);
++ spin_unlock(&inode->i_lock);
+ break;
+ case 0:
+ if (res->lrs_present)
--- /dev/null
+From 2c8d5fc37fe2384a9bdb6965443ab9224d46f704 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Tue, 5 Jan 2021 06:43:45 -0500
+Subject: pNFS: Stricter ordering of layoutget and layoutreturn
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 2c8d5fc37fe2384a9bdb6965443ab9224d46f704 upstream.
+
+If a layout return is in progress, we should wait for it to complete,
+in case the layout segment we are picking up gets returned too.
+
+Fixes: 30cb3ee299cb ("pNFS: Handle NFS4ERR_OLD_STATEID on layoutreturn by bumping the state seqid")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/pnfs.c | 43 +++++++++++++++++++++----------------------
+ 1 file changed, 21 insertions(+), 22 deletions(-)
+
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -1986,6 +1986,27 @@ lookup_again:
+ goto lookup_again;
+ }
+
++ /*
++ * Because we free lsegs when sending LAYOUTRETURN, we need to wait
++ * for LAYOUTRETURN.
++ */
++ if (test_bit(NFS_LAYOUT_RETURN, &lo->plh_flags)) {
++ spin_unlock(&ino->i_lock);
++ dprintk("%s wait for layoutreturn\n", __func__);
++ lseg = ERR_PTR(pnfs_prepare_to_retry_layoutget(lo));
++ if (!IS_ERR(lseg)) {
++ pnfs_put_layout_hdr(lo);
++ dprintk("%s retrying\n", __func__);
++ trace_pnfs_update_layout(ino, pos, count, iomode, lo,
++ lseg,
++ PNFS_UPDATE_LAYOUT_RETRY);
++ goto lookup_again;
++ }
++ trace_pnfs_update_layout(ino, pos, count, iomode, lo, lseg,
++ PNFS_UPDATE_LAYOUT_RETURN);
++ goto out_put_layout_hdr;
++ }
++
+ lseg = pnfs_find_lseg(lo, &arg, strict_iomode);
+ if (lseg) {
+ trace_pnfs_update_layout(ino, pos, count, iomode, lo, lseg,
+@@ -2039,28 +2060,6 @@ lookup_again:
+ nfs4_stateid_copy(&stateid, &lo->plh_stateid);
+ }
+
+- /*
+- * Because we free lsegs before sending LAYOUTRETURN, we need to wait
+- * for LAYOUTRETURN even if first is true.
+- */
+- if (test_bit(NFS_LAYOUT_RETURN, &lo->plh_flags)) {
+- spin_unlock(&ino->i_lock);
+- dprintk("%s wait for layoutreturn\n", __func__);
+- lseg = ERR_PTR(pnfs_prepare_to_retry_layoutget(lo));
+- if (!IS_ERR(lseg)) {
+- if (first)
+- pnfs_clear_first_layoutget(lo);
+- pnfs_put_layout_hdr(lo);
+- dprintk("%s retrying\n", __func__);
+- trace_pnfs_update_layout(ino, pos, count, iomode, lo,
+- lseg, PNFS_UPDATE_LAYOUT_RETRY);
+- goto lookup_again;
+- }
+- trace_pnfs_update_layout(ino, pos, count, iomode, lo, lseg,
+- PNFS_UPDATE_LAYOUT_RETURN);
+- goto out_put_layout_hdr;
+- }
+-
+ if (pnfs_layoutgets_blocked(lo)) {
+ trace_pnfs_update_layout(ino, pos, count, iomode, lo, lseg,
+ PNFS_UPDATE_LAYOUT_BLOCKED);
--- /dev/null
+From 078000d02d57f02dde61de4901f289672e98c8bc Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Mon, 4 Jan 2021 13:18:03 -0500
+Subject: pNFS: We want return-on-close to complete when evicting the inode
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 078000d02d57f02dde61de4901f289672e98c8bc upstream.
+
+If the inode is being evicted, it should be safe to run return-on-close,
+so we should do it to ensure we don't inadvertently leak layout segments.
+
+Fixes: 1c5bd76d17cc ("pNFS: Enable layoutreturn operation for return-on-close")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4proc.c | 26 ++++++++++----------------
+ fs/nfs/pnfs.c | 8 +++-----
+ fs/nfs/pnfs.h | 8 +++-----
+ 3 files changed, 16 insertions(+), 26 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -3488,10 +3488,8 @@ static void nfs4_close_done(struct rpc_t
+ trace_nfs4_close(state, &calldata->arg, &calldata->res, task->tk_status);
+
+ /* Handle Layoutreturn errors */
+- if (pnfs_roc_done(task, calldata->inode,
+- &calldata->arg.lr_args,
+- &calldata->res.lr_res,
+- &calldata->res.lr_ret) == -EAGAIN)
++ if (pnfs_roc_done(task, &calldata->arg.lr_args, &calldata->res.lr_res,
++ &calldata->res.lr_ret) == -EAGAIN)
+ goto out_restart;
+
+ /* hmm. we are done with the inode, and in the process of freeing
+@@ -6238,10 +6236,8 @@ static void nfs4_delegreturn_done(struct
+ trace_nfs4_delegreturn_exit(&data->args, &data->res, task->tk_status);
+
+ /* Handle Layoutreturn errors */
+- if (pnfs_roc_done(task, data->inode,
+- &data->args.lr_args,
+- &data->res.lr_res,
+- &data->res.lr_ret) == -EAGAIN)
++ if (pnfs_roc_done(task, &data->args.lr_args, &data->res.lr_res,
++ &data->res.lr_ret) == -EAGAIN)
+ goto out_restart;
+
+ switch (task->tk_status) {
+@@ -6290,10 +6286,10 @@ static void nfs4_delegreturn_release(voi
+ struct nfs4_delegreturndata *data = calldata;
+ struct inode *inode = data->inode;
+
++ if (data->lr.roc)
++ pnfs_roc_release(&data->lr.arg, &data->lr.res,
++ data->res.lr_ret);
+ if (inode) {
+- if (data->lr.roc)
+- pnfs_roc_release(&data->lr.arg, &data->lr.res,
+- data->res.lr_ret);
+ nfs_post_op_update_inode_force_wcc(inode, &data->fattr);
+ nfs_iput_and_deactive(inode);
+ }
+@@ -6368,16 +6364,14 @@ static int _nfs4_proc_delegreturn(struct
+ nfs_fattr_init(data->res.fattr);
+ data->timestamp = jiffies;
+ data->rpc_status = 0;
+- data->lr.roc = pnfs_roc(inode, &data->lr.arg, &data->lr.res, cred);
+ data->inode = nfs_igrab_and_active(inode);
+- if (data->inode) {
++ if (data->inode || issync) {
++ data->lr.roc = pnfs_roc(inode, &data->lr.arg, &data->lr.res,
++ cred);
+ if (data->lr.roc) {
+ data->args.lr_args = &data->lr.arg;
+ data->res.lr_res = &data->lr.res;
+ }
+- } else if (data->lr.roc) {
+- pnfs_roc_release(&data->lr.arg, &data->lr.res, 0);
+- data->lr.roc = false;
+ }
+
+ task_setup_data.callback_data = data;
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -1475,10 +1475,8 @@ out_noroc:
+ return false;
+ }
+
+-int pnfs_roc_done(struct rpc_task *task, struct inode *inode,
+- struct nfs4_layoutreturn_args **argpp,
+- struct nfs4_layoutreturn_res **respp,
+- int *ret)
++int pnfs_roc_done(struct rpc_task *task, struct nfs4_layoutreturn_args **argpp,
++ struct nfs4_layoutreturn_res **respp, int *ret)
+ {
+ struct nfs4_layoutreturn_args *arg = *argpp;
+ int retval = -EAGAIN;
+@@ -1511,7 +1509,7 @@ int pnfs_roc_done(struct rpc_task *task,
+ return 0;
+ case -NFS4ERR_OLD_STATEID:
+ if (!nfs4_layout_refresh_old_stateid(&arg->stateid,
+- &arg->range, inode))
++ &arg->range, arg->inode))
+ break;
+ *ret = -NFS4ERR_NOMATCHING_LAYOUT;
+ return -EAGAIN;
+--- a/fs/nfs/pnfs.h
++++ b/fs/nfs/pnfs.h
+@@ -283,10 +283,8 @@ bool pnfs_roc(struct inode *ino,
+ struct nfs4_layoutreturn_args *args,
+ struct nfs4_layoutreturn_res *res,
+ const struct cred *cred);
+-int pnfs_roc_done(struct rpc_task *task, struct inode *inode,
+- struct nfs4_layoutreturn_args **argpp,
+- struct nfs4_layoutreturn_res **respp,
+- int *ret);
++int pnfs_roc_done(struct rpc_task *task, struct nfs4_layoutreturn_args **argpp,
++ struct nfs4_layoutreturn_res **respp, int *ret);
+ void pnfs_roc_release(struct nfs4_layoutreturn_args *args,
+ struct nfs4_layoutreturn_res *res,
+ int ret);
+@@ -711,7 +709,7 @@ pnfs_roc(struct inode *ino,
+ }
+
+ static inline int
+-pnfs_roc_done(struct rpc_task *task, struct inode *inode,
++pnfs_roc_done(struct rpc_task *task,
+ struct nfs4_layoutreturn_args **argpp,
+ struct nfs4_layoutreturn_res **respp,
+ int *ret)
--- /dev/null
+From 1c3aa6bd0b823105c2030af85d92d158e815d669 Mon Sep 17 00:00:00 2001
+From: Mark Bloch <mbloch@nvidia.com>
+Date: Wed, 13 Jan 2021 14:17:03 +0200
+Subject: RDMA/mlx5: Fix wrong free of blue flame register on error
+
+From: Mark Bloch <mbloch@nvidia.com>
+
+commit 1c3aa6bd0b823105c2030af85d92d158e815d669 upstream.
+
+If the allocation of the fast path blue flame register fails, the driver
+should free the regular blue flame register allocated a statement above,
+not the one that it just failed to allocate.
+
+Fixes: 16c1975f1032 ("IB/mlx5: Create profile infrastructure to add and remove stages")
+Link: https://lore.kernel.org/r/20210113121703.559778-6-leon@kernel.org
+Reported-by: Hans Petter Selasky <hanss@nvidia.com>
+Signed-off-by: Mark Bloch <mbloch@nvidia.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx5/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -6626,7 +6626,7 @@ static int mlx5_ib_stage_bfrag_init(stru
+
+ err = mlx5_alloc_bfreg(dev->mdev, &dev->fp_bfreg, false, true);
+ if (err)
+- mlx5_free_bfreg(dev->mdev, &dev->fp_bfreg);
++ mlx5_free_bfreg(dev->mdev, &dev->bfreg);
+
+ return err;
+ }
--- /dev/null
+From 3c638cdb8ecc0442552156e0fed8708dd2c7f35b Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky <leon@kernel.org>
+Date: Wed, 16 Dec 2020 12:07:53 +0200
+Subject: RDMA/restrack: Don't treat as an error allocation ID wrapping
+
+From: Leon Romanovsky <leonro@nvidia.com>
+
+commit 3c638cdb8ecc0442552156e0fed8708dd2c7f35b upstream.
+
+xa_alloc_cyclic() call returns positive number if ID allocation
+succeeded but wrapped. It is not an error, so normalize the "ret"
+variable to zero as marker of not-an-error.
+
+ drivers/infiniband/core/restrack.c:261 rdma_restrack_add()
+ warn: 'ret' can be either negative or positive
+
+Fixes: fd47c2f99f04 ("RDMA/restrack: Convert internal DB from hash to XArray")
+Link: https://lore.kernel.org/r/20201216100753.1127638-1-leon@kernel.org
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/restrack.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/infiniband/core/restrack.c
++++ b/drivers/infiniband/core/restrack.c
+@@ -234,6 +234,7 @@ static void rdma_restrack_add(struct rdm
+ } else {
+ ret = xa_alloc_cyclic(&rt->xa, &res->id, res, xa_limit_32b,
+ &rt->next_id, GFP_KERNEL);
++ ret = (ret < 0) ? ret : 0;
+ }
+
+ if (!ret)
--- /dev/null
+From a306aba9c8d869b1fdfc8ad9237f1ed718ea55e6 Mon Sep 17 00:00:00 2001
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Date: Sat, 26 Dec 2020 15:42:48 +0800
+Subject: RDMA/usnic: Fix memleak in find_free_vf_and_create_qp_grp
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+commit a306aba9c8d869b1fdfc8ad9237f1ed718ea55e6 upstream.
+
+If usnic_ib_qp_grp_create() fails at the first call, dev_list
+will not be freed on error, which leads to memleak.
+
+Fixes: e3cf00d0a87f ("IB/usnic: Add Cisco VIC low-level hardware driver")
+Link: https://lore.kernel.org/r/20201226074248.2893-1-dinghao.liu@zju.edu.cn
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/usnic/usnic_ib_verbs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/infiniband/hw/usnic/usnic_ib_verbs.c
++++ b/drivers/infiniband/hw/usnic/usnic_ib_verbs.c
+@@ -214,6 +214,7 @@ find_free_vf_and_create_qp_grp(struct us
+
+ }
+ usnic_uiom_free_dev_list(dev_list);
++ dev_list = NULL;
+ }
+
+ /* Try to find resources on an unused vf */
+@@ -239,6 +240,8 @@ find_free_vf_and_create_qp_grp(struct us
+ qp_grp_check:
+ if (IS_ERR_OR_NULL(qp_grp)) {
+ usnic_err("Failed to allocate qp_grp\n");
++ if (usnic_ib_share_vf)
++ usnic_uiom_free_dev_list(dev_list);
+ return ERR_PTR(qp_grp ? PTR_ERR(qp_grp) : -ENOMEM);
+ }
+ return qp_grp;
acpi-scan-add-stub-acpi_create_platform_device-for-c.patch
drm-msm-call-msm_init_vram-before-binding-the-gpu.patch
arm-picoxcell-fix-missing-interrupt-parent-propertie.patch
+perf-intel-pt-fix-cpu-too-large-error.patch
+dump_common_audit_data-fix-racy-accesses-to-d_name.patch
+asoc-meson-axg-tdm-interface-fix-loopback.patch
+asoc-meson-axg-tdmin-fix-axg-skew-offset.patch
+asoc-intel-fix-error-code-cnl_set_dsp_d0.patch
+nvme-tcp-fix-possible-data-corruption-with-bio-merges.patch
+nfs4-fix-use-after-free-in-trace_event_raw_event_nfs4_set_lock.patch
+pnfs-we-want-return-on-close-to-complete-when-evicting-the-inode.patch
+pnfs-mark-layout-for-return-if-return-on-close-was-not-sent.patch
+pnfs-stricter-ordering-of-layoutget-and-layoutreturn.patch
+nfs-pnfs-fix-a-leak-of-the-layout-plh_outstanding-counter.patch
+nfs-nfs_igrab_and_active-must-first-reference-the-superblock.patch
+ext4-fix-superblock-checksum-failure-when-setting-password-salt.patch
+rdma-restrack-don-t-treat-as-an-error-allocation-id-wrapping.patch
+rdma-usnic-fix-memleak-in-find_free_vf_and_create_qp_grp.patch
+bnxt_en-improve-stats-context-resource-accounting-with-rdma-driver-loaded.patch
+rdma-mlx5-fix-wrong-free-of-blue-flame-register-on-error.patch
+ib-mlx5-fix-error-unwinding-when-set_has_smi_cap-fails.patch
+drm-i915-dsi-use-unconditional-msleep-for-the-panel_on_delay-when-there-is-no-reset-deassert-mipi-sequence.patch
+mm-slub-consider-rest-of-partial-list-if-acquire_slab-fails.patch
+iommu-vt-d-fix-unaligned-addresses-for-intel_flush_svm_range_dev.patch
+net-sunrpc-interpret-the-return-value-of-kstrtou32-correctly.patch
+dm-eliminate-potential-source-of-excessive-kernel-log-noise.patch
+alsa-fireface-fix-integer-overflow-in-transmit_midi_msg.patch
+alsa-firewire-tascam-fix-integer-overflow-in-midi_port_work.patch
+netfilter-conntrack-fix-reading-nf_conntrack_buckets.patch
+netfilter-nf_nat-fix-memleak-in-nf_nat_init.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
