--- /dev/null
+From cf2b012c90e74e85d8aea7d67e48868069cfee0c Mon Sep 17 00:00:00 2001
+From: Mike Jones <michael-a1.jones@analog.com>
+Date: Tue, 28 Jan 2020 10:59:59 -0700
+Subject: hwmon: (pmbus/ltc2978) Fix PMBus polling of MFR_COMMON definitions.
+
+From: Mike Jones <michael-a1.jones@analog.com>
+
+commit cf2b012c90e74e85d8aea7d67e48868069cfee0c upstream.
+
+Change 21537dc driver PMBus polling of MFR_COMMON from bits 5/4 to
+bits 6/5. This fixs a LTC297X family bug where polling always returns
+not busy even when the part is busy. This fixes a LTC388X and
+LTM467X bug where polling used PEND and NOT_IN_TRANS, and BUSY was
+not polled, which can lead to NACKing of commands. LTC388X and
+LTM467X modules now poll BUSY and PEND, increasing reliability by
+eliminating NACKing of commands.
+
+Signed-off-by: Mike Jones <michael-a1.jones@analog.com>
+Link: https://lore.kernel.org/r/1580234400-2829-2-git-send-email-michael-a1.jones@analog.com
+Fixes: e04d1ce9bbb49 ("hwmon: (ltc2978) Add polling for chips requiring it")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwmon/pmbus/ltc2978.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/hwmon/pmbus/ltc2978.c
++++ b/drivers/hwmon/pmbus/ltc2978.c
+@@ -89,8 +89,8 @@ enum chips { ltc2974, ltc2975, ltc2977,
+
+ #define LTC_POLL_TIMEOUT 100 /* in milli-seconds */
+
+-#define LTC_NOT_BUSY BIT(5)
+-#define LTC_NOT_PENDING BIT(4)
++#define LTC_NOT_BUSY BIT(6)
++#define LTC_NOT_PENDING BIT(5)
+
+ /*
+ * LTC2978 clears peak data whenever the CLEAR_FAULTS command is executed, which
--- /dev/null
+From be8638344c70bf492963ace206a9896606b6922d Mon Sep 17 00:00:00 2001
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Mon, 10 Feb 2020 08:10:33 -0500
+Subject: IB/hfi1: Close window for pq and request coliding
+
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+
+commit be8638344c70bf492963ace206a9896606b6922d upstream.
+
+Cleaning up a pq can result in the following warning and panic:
+
+ WARNING: CPU: 52 PID: 77418 at lib/list_debug.c:53 __list_del_entry+0x63/0xd0
+ list_del corruption, ffff88cb2c6ac068->next is LIST_POISON1 (dead000000000100)
+ Modules linked in: mmfs26(OE) mmfslinux(OE) tracedev(OE) 8021q garp mrp ib_isert iscsi_target_mod target_core_mod crc_t10dif crct10dif_generic opa_vnic rpcrdma ib_iser libiscsi scsi_transport_iscsi ib_ipoib(OE) bridge stp llc iTCO_wdt iTCO_vendor_support intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm irqbypass crct10dif_pclmul crct10dif_common crc32_pclmul ghash_clmulni_intel ast aesni_intel ttm lrw gf128mul glue_helper ablk_helper drm_kms_helper cryptd syscopyarea sysfillrect sysimgblt fb_sys_fops drm pcspkr joydev lpc_ich mei_me drm_panel_orientation_quirks i2c_i801 mei wmi ipmi_si ipmi_devintf ipmi_msghandler nfit libnvdimm acpi_power_meter acpi_pad hfi1(OE) rdmavt(OE) rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm ib_core binfmt_misc numatools(OE) xpmem(OE) ip_tables
+ nfsv3 nfs_acl nfs lockd grace sunrpc fscache igb ahci i2c_algo_bit libahci dca ptp libata pps_core crc32c_intel [last unloaded: i2c_algo_bit]
+ CPU: 52 PID: 77418 Comm: pvbatch Kdump: loaded Tainted: G OE ------------ 3.10.0-957.38.3.el7.x86_64 #1
+ Hardware name: HPE.COM HPE SGI 8600-XA730i Gen10/X11DPT-SB-SG007, BIOS SBED1229 01/22/2019
+ Call Trace:
+ [<ffffffff90365ac0>] dump_stack+0x19/0x1b
+ [<ffffffff8fc98b78>] __warn+0xd8/0x100
+ [<ffffffff8fc98bff>] warn_slowpath_fmt+0x5f/0x80
+ [<ffffffff8ff970c3>] __list_del_entry+0x63/0xd0
+ [<ffffffff8ff9713d>] list_del+0xd/0x30
+ [<ffffffff8fddda70>] kmem_cache_destroy+0x50/0x110
+ [<ffffffffc0328130>] hfi1_user_sdma_free_queues+0xf0/0x200 [hfi1]
+ [<ffffffffc02e2350>] hfi1_file_close+0x70/0x1e0 [hfi1]
+ [<ffffffff8fe4519c>] __fput+0xec/0x260
+ [<ffffffff8fe453fe>] ____fput+0xe/0x10
+ [<ffffffff8fcbfd1b>] task_work_run+0xbb/0xe0
+ [<ffffffff8fc2bc65>] do_notify_resume+0xa5/0xc0
+ [<ffffffff90379134>] int_signal+0x12/0x17
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
+ IP: [<ffffffff8fe1f93e>] kmem_cache_close+0x7e/0x300
+ PGD 2cdab19067 PUD 2f7bfdb067 PMD 0
+ Oops: 0000 [#1] SMP
+ Modules linked in: mmfs26(OE) mmfslinux(OE) tracedev(OE) 8021q garp mrp ib_isert iscsi_target_mod target_core_mod crc_t10dif crct10dif_generic opa_vnic rpcrdma ib_iser libiscsi scsi_transport_iscsi ib_ipoib(OE) bridge stp llc iTCO_wdt iTCO_vendor_support intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm irqbypass crct10dif_pclmul crct10dif_common crc32_pclmul ghash_clmulni_intel ast aesni_intel ttm lrw gf128mul glue_helper ablk_helper drm_kms_helper cryptd syscopyarea sysfillrect sysimgblt fb_sys_fops drm pcspkr joydev lpc_ich mei_me drm_panel_orientation_quirks i2c_i801 mei wmi ipmi_si ipmi_devintf ipmi_msghandler nfit libnvdimm acpi_power_meter acpi_pad hfi1(OE) rdmavt(OE) rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm ib_core binfmt_misc numatools(OE) xpmem(OE) ip_tables
+ nfsv3 nfs_acl nfs lockd grace sunrpc fscache igb ahci i2c_algo_bit libahci dca ptp libata pps_core crc32c_intel [last unloaded: i2c_algo_bit]
+ CPU: 52 PID: 77418 Comm: pvbatch Kdump: loaded Tainted: G W OE ------------ 3.10.0-957.38.3.el7.x86_64 #1
+ Hardware name: HPE.COM HPE SGI 8600-XA730i Gen10/X11DPT-SB-SG007, BIOS SBED1229 01/22/2019
+ task: ffff88cc26db9040 ti: ffff88b5393a8000 task.ti: ffff88b5393a8000
+ RIP: 0010:[<ffffffff8fe1f93e>] [<ffffffff8fe1f93e>] kmem_cache_close+0x7e/0x300
+ RSP: 0018:ffff88b5393abd60 EFLAGS: 00010287
+ RAX: 0000000000000000 RBX: ffff88cb2c6ac000 RCX: 0000000000000003
+ RDX: 0000000000000400 RSI: 0000000000000400 RDI: ffffffff9095b800
+ RBP: ffff88b5393abdb0 R08: ffffffff9095b808 R09: ffffffff8ff77c19
+ R10: ffff88b73ce1f160 R11: ffffddecddde9800 R12: ffff88cb2c6ac000
+ R13: 000000000000000c R14: ffff88cf3fdca780 R15: 0000000000000000
+ FS: 00002aaaaab52500(0000) GS:ffff88b73ce00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000010 CR3: 0000002d27664000 CR4: 00000000007607e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ PKRU: 55555554
+ Call Trace:
+ [<ffffffff8fe20d44>] __kmem_cache_shutdown+0x14/0x80
+ [<ffffffff8fddda78>] kmem_cache_destroy+0x58/0x110
+ [<ffffffffc0328130>] hfi1_user_sdma_free_queues+0xf0/0x200 [hfi1]
+ [<ffffffffc02e2350>] hfi1_file_close+0x70/0x1e0 [hfi1]
+ [<ffffffff8fe4519c>] __fput+0xec/0x260
+ [<ffffffff8fe453fe>] ____fput+0xe/0x10
+ [<ffffffff8fcbfd1b>] task_work_run+0xbb/0xe0
+ [<ffffffff8fc2bc65>] do_notify_resume+0xa5/0xc0
+ [<ffffffff90379134>] int_signal+0x12/0x17
+ Code: 00 00 ba 00 04 00 00 0f 4f c2 3d 00 04 00 00 89 45 bc 0f 84 e7 01 00 00 48 63 45 bc 49 8d 04 c4 48 89 45 b0 48 8b 80 c8 00 00 00 <48> 8b 78 10 48 89 45 c0 48 83 c0 10 48 89 45 d0 48 8b 17 48 39
+ RIP [<ffffffff8fe1f93e>] kmem_cache_close+0x7e/0x300
+ RSP <ffff88b5393abd60>
+ CR2: 0000000000000010
+
+The panic is the result of slab entries being freed during the destruction
+of the pq slab.
+
+The code attempts to quiesce the pq, but looking for n_req == 0 doesn't
+account for new requests.
+
+Fix the issue by using SRCU to get a pq pointer and adjust the pq free
+logic to NULL the fd pq pointer prior to the quiesce.
+
+Fixes: e87473bc1b6c ("IB/hfi1: Only set fd pointer when base context is completely initialized")
+Link: https://lore.kernel.org/r/20200210131033.87408.81174.stgit@awfm-01.aw.intel.com
+Reviewed-by: Kaike Wan <kaike.wan@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/hfi1/file_ops.c | 52 ++++++++++++++++++------------
+ drivers/infiniband/hw/hfi1/hfi.h | 5 ++
+ drivers/infiniband/hw/hfi1/user_exp_rcv.c | 3 -
+ drivers/infiniband/hw/hfi1/user_sdma.c | 17 ++++++---
+ 4 files changed, 48 insertions(+), 29 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/file_ops.c
++++ b/drivers/infiniband/hw/hfi1/file_ops.c
+@@ -195,23 +195,24 @@ static int hfi1_file_open(struct inode *
+
+ fd = kzalloc(sizeof(*fd), GFP_KERNEL);
+
+- if (fd) {
+- fd->rec_cpu_num = -1; /* no cpu affinity by default */
+- fd->mm = current->mm;
+- mmgrab(fd->mm);
+- fd->dd = dd;
+- kobject_get(&fd->dd->kobj);
+- fp->private_data = fd;
+- } else {
+- fp->private_data = NULL;
+-
+- if (atomic_dec_and_test(&dd->user_refcount))
+- complete(&dd->user_comp);
+-
+- return -ENOMEM;
+- }
+-
++ if (!fd || init_srcu_struct(&fd->pq_srcu))
++ goto nomem;
++ spin_lock_init(&fd->pq_rcu_lock);
++ spin_lock_init(&fd->tid_lock);
++ spin_lock_init(&fd->invalid_lock);
++ fd->rec_cpu_num = -1; /* no cpu affinity by default */
++ fd->mm = current->mm;
++ mmgrab(fd->mm);
++ fd->dd = dd;
++ kobject_get(&fd->dd->kobj);
++ fp->private_data = fd;
+ return 0;
++nomem:
++ kfree(fd);
++ fp->private_data = NULL;
++ if (atomic_dec_and_test(&dd->user_refcount))
++ complete(&dd->user_comp);
++ return -ENOMEM;
+ }
+
+ static long hfi1_file_ioctl(struct file *fp, unsigned int cmd,
+@@ -417,21 +418,30 @@ static long hfi1_file_ioctl(struct file
+ static ssize_t hfi1_write_iter(struct kiocb *kiocb, struct iov_iter *from)
+ {
+ struct hfi1_filedata *fd = kiocb->ki_filp->private_data;
+- struct hfi1_user_sdma_pkt_q *pq = fd->pq;
++ struct hfi1_user_sdma_pkt_q *pq;
+ struct hfi1_user_sdma_comp_q *cq = fd->cq;
+ int done = 0, reqs = 0;
+ unsigned long dim = from->nr_segs;
++ int idx;
+
+- if (!cq || !pq)
++ idx = srcu_read_lock(&fd->pq_srcu);
++ pq = srcu_dereference(fd->pq, &fd->pq_srcu);
++ if (!cq || !pq) {
++ srcu_read_unlock(&fd->pq_srcu, idx);
+ return -EIO;
++ }
+
+- if (!iter_is_iovec(from) || !dim)
++ if (!iter_is_iovec(from) || !dim) {
++ srcu_read_unlock(&fd->pq_srcu, idx);
+ return -EINVAL;
++ }
+
+ trace_hfi1_sdma_request(fd->dd, fd->uctxt->ctxt, fd->subctxt, dim);
+
+- if (atomic_read(&pq->n_reqs) == pq->n_max_reqs)
++ if (atomic_read(&pq->n_reqs) == pq->n_max_reqs) {
++ srcu_read_unlock(&fd->pq_srcu, idx);
+ return -ENOSPC;
++ }
+
+ while (dim) {
+ int ret;
+@@ -449,6 +459,7 @@ static ssize_t hfi1_write_iter(struct ki
+ reqs++;
+ }
+
++ srcu_read_unlock(&fd->pq_srcu, idx);
+ return reqs;
+ }
+
+@@ -824,6 +835,7 @@ done:
+ if (atomic_dec_and_test(&dd->user_refcount))
+ complete(&dd->user_comp);
+
++ cleanup_srcu_struct(&fdata->pq_srcu);
+ kfree(fdata);
+ return 0;
+ }
+--- a/drivers/infiniband/hw/hfi1/hfi.h
++++ b/drivers/infiniband/hw/hfi1/hfi.h
+@@ -1353,10 +1353,13 @@ struct mmu_rb_handler;
+
+ /* Private data for file operations */
+ struct hfi1_filedata {
++ struct srcu_struct pq_srcu;
+ struct hfi1_devdata *dd;
+ struct hfi1_ctxtdata *uctxt;
+ struct hfi1_user_sdma_comp_q *cq;
+- struct hfi1_user_sdma_pkt_q *pq;
++ /* update side lock for SRCU */
++ spinlock_t pq_rcu_lock;
++ struct hfi1_user_sdma_pkt_q __rcu *pq;
+ u16 subctxt;
+ /* for cpu affinity; -1 if none */
+ int rec_cpu_num;
+--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c
++++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+@@ -90,9 +90,6 @@ int hfi1_user_exp_rcv_init(struct hfi1_f
+ struct hfi1_devdata *dd = uctxt->dd;
+ int ret = 0;
+
+- spin_lock_init(&fd->tid_lock);
+- spin_lock_init(&fd->invalid_lock);
+-
+ fd->entry_to_rb = kcalloc(uctxt->expected_count,
+ sizeof(struct rb_node *),
+ GFP_KERNEL);
+--- a/drivers/infiniband/hw/hfi1/user_sdma.c
++++ b/drivers/infiniband/hw/hfi1/user_sdma.c
+@@ -179,7 +179,6 @@ int hfi1_user_sdma_alloc_queues(struct h
+ pq = kzalloc(sizeof(*pq), GFP_KERNEL);
+ if (!pq)
+ return -ENOMEM;
+-
+ pq->dd = dd;
+ pq->ctxt = uctxt->ctxt;
+ pq->subctxt = fd->subctxt;
+@@ -236,7 +235,7 @@ int hfi1_user_sdma_alloc_queues(struct h
+ goto pq_mmu_fail;
+ }
+
+- fd->pq = pq;
++ rcu_assign_pointer(fd->pq, pq);
+ fd->cq = cq;
+
+ return 0;
+@@ -264,8 +263,14 @@ int hfi1_user_sdma_free_queues(struct hf
+
+ trace_hfi1_sdma_user_free_queues(uctxt->dd, uctxt->ctxt, fd->subctxt);
+
+- pq = fd->pq;
++ spin_lock(&fd->pq_rcu_lock);
++ pq = srcu_dereference_check(fd->pq, &fd->pq_srcu,
++ lockdep_is_held(&fd->pq_rcu_lock));
+ if (pq) {
++ rcu_assign_pointer(fd->pq, NULL);
++ spin_unlock(&fd->pq_rcu_lock);
++ synchronize_srcu(&fd->pq_srcu);
++ /* at this point there can be no more new requests */
+ if (pq->handler)
+ hfi1_mmu_rb_unregister(pq->handler);
+ iowait_sdma_drain(&pq->busy);
+@@ -277,7 +282,8 @@ int hfi1_user_sdma_free_queues(struct hf
+ kfree(pq->req_in_use);
+ kmem_cache_destroy(pq->txreq_cache);
+ kfree(pq);
+- fd->pq = NULL;
++ } else {
++ spin_unlock(&fd->pq_rcu_lock);
+ }
+ if (fd->cq) {
+ vfree(fd->cq->comps);
+@@ -321,7 +327,8 @@ int hfi1_user_sdma_process_request(struc
+ {
+ int ret = 0, i;
+ struct hfi1_ctxtdata *uctxt = fd->uctxt;
+- struct hfi1_user_sdma_pkt_q *pq = fd->pq;
++ struct hfi1_user_sdma_pkt_q *pq =
++ srcu_dereference(fd->pq, &fd->pq_srcu);
+ struct hfi1_user_sdma_comp_q *cq = fd->cq;
+ struct hfi1_devdata *dd = pq->dd;
+ unsigned long idx = 0;
--- /dev/null
+From f861854e1b435b27197417f6f90d87188003cb24 Mon Sep 17 00:00:00 2001
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Tue, 21 Jan 2020 11:01:25 -0800
+Subject: perf/x86/intel: Fix inaccurate period in context switch for auto-reload
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+commit f861854e1b435b27197417f6f90d87188003cb24 upstream.
+
+Perf doesn't take the left period into account when auto-reload is
+enabled with fixed period sampling mode in context switch.
+
+Here is the MSR trace of the perf command as below.
+(The MSR trace is simplified from a ftrace log.)
+
+ #perf record -e cycles:p -c 2000000 -- ./triad_loop
+
+ //The MSR trace of task schedule out
+ //perf disable all counters, disable PEBS, disable GP counter 0,
+ //read GP counter 0, and re-enable all counters.
+ //The counter 0 stops at 0xfffffff82840
+ write_msr: MSR_CORE_PERF_GLOBAL_CTRL(38f), value 0
+ write_msr: MSR_IA32_PEBS_ENABLE(3f1), value 0
+ write_msr: MSR_P6_EVNTSEL0(186), value 40003003c
+ rdpmc: 0, value fffffff82840
+ write_msr: MSR_CORE_PERF_GLOBAL_CTRL(38f), value f000000ff
+
+ //The MSR trace of the same task schedule in again
+ //perf disable all counters, enable and set GP counter 0,
+ //enable PEBS, and re-enable all counters.
+ //0xffffffe17b80 (-2000000) is written to GP counter 0.
+ write_msr: MSR_CORE_PERF_GLOBAL_CTRL(38f), value 0
+ write_msr: MSR_IA32_PMC0(4c1), value ffffffe17b80
+ write_msr: MSR_P6_EVNTSEL0(186), value 40043003c
+ write_msr: MSR_IA32_PEBS_ENABLE(3f1), value 1
+ write_msr: MSR_CORE_PERF_GLOBAL_CTRL(38f), value f000000ff
+
+When the same task schedule in again, the counter should starts from
+previous left. However, it starts from the fixed period -2000000 again.
+
+A special variant of intel_pmu_save_and_restart() is used for
+auto-reload, which doesn't update the hwc->period_left.
+When the monitored task schedules in again, perf doesn't know the left
+period. The fixed period is used, which is inaccurate.
+
+With auto-reload, the counter always has a negative counter value. So
+the left period is -value. Update the period_left in
+intel_pmu_save_and_restart_reload().
+
+With the patch:
+
+ //The MSR trace of task schedule out
+ write_msr: MSR_CORE_PERF_GLOBAL_CTRL(38f), value 0
+ write_msr: MSR_IA32_PEBS_ENABLE(3f1), value 0
+ write_msr: MSR_P6_EVNTSEL0(186), value 40003003c
+ rdpmc: 0, value ffffffe25cbc
+ write_msr: MSR_CORE_PERF_GLOBAL_CTRL(38f), value f000000ff
+
+ //The MSR trace of the same task schedule in again
+ write_msr: MSR_CORE_PERF_GLOBAL_CTRL(38f), value 0
+ write_msr: MSR_IA32_PMC0(4c1), value ffffffe25cbc
+ write_msr: MSR_P6_EVNTSEL0(186), value 40043003c
+ write_msr: MSR_IA32_PEBS_ENABLE(3f1), value 1
+ write_msr: MSR_CORE_PERF_GLOBAL_CTRL(38f), value f000000ff
+
+Fixes: d31fc13fdcb2 ("perf/x86/intel: Fix event update for auto-reload")
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://lkml.kernel.org/r/20200121190125.3389-1-kan.liang@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/events/intel/ds.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/events/intel/ds.c
++++ b/arch/x86/events/intel/ds.c
+@@ -1368,6 +1368,8 @@ intel_pmu_save_and_restart_reload(struct
+ old = ((s64)(prev_raw_count << shift) >> shift);
+ local64_add(new - old + count * period, &event->count);
+
++ local64_set(&hwc->period_left, -new);
++
+ perf_event_update_userpage(event);
+
+ return 0;
--- /dev/null
+From 1dd017882e01d2fcd9c5dbbf1eb376211111c393 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky <leon@kernel.org>
+Date: Wed, 12 Feb 2020 10:06:51 +0200
+Subject: RDMA/core: Fix protection fault in get_pkey_idx_qp_list
+
+From: Leon Romanovsky <leonro@mellanox.com>
+
+commit 1dd017882e01d2fcd9c5dbbf1eb376211111c393 upstream.
+
+We don't need to set pkey as valid in case that user set only one of pkey
+index or port number, otherwise it will be resulted in NULL pointer
+dereference while accessing to uninitialized pkey list. The following
+crash from Syzkaller revealed it.
+
+ kasan: CONFIG_KASAN_INLINE enabled
+ kasan: GPF could be caused by NULL-ptr deref or user memory access
+ general protection fault: 0000 [#1] SMP KASAN PTI
+ CPU: 1 PID: 14753 Comm: syz-executor.2 Not tainted 5.5.0-rc5 #2
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+ rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
+ RIP: 0010:get_pkey_idx_qp_list+0x161/0x2d0
+ Code: 01 00 00 49 8b 5e 20 4c 39 e3 0f 84 b9 00 00 00 e8 e4 42 6e fe 48
+ 8d 7b 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04
+ 02 84 c0 74 08 3c 01 0f 8e d0 00 00 00 48 8d 7d 04 48 b8
+ RSP: 0018:ffffc9000bc6f950 EFLAGS: 00010202
+ RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff82c8bdec
+ RDX: 0000000000000002 RSI: ffffc900030a8000 RDI: 0000000000000010
+ RBP: ffff888112c8ce80 R08: 0000000000000004 R09: fffff5200178df1f
+ R10: 0000000000000001 R11: fffff5200178df1f R12: ffff888115dc4430
+ R13: ffff888115da8498 R14: ffff888115dc4410 R15: ffff888115da8000
+ FS: 00007f20777de700(0000) GS:ffff88811b100000(0000)
+ knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000001b2f721000 CR3: 00000001173ca002 CR4: 0000000000360ee0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Call Trace:
+ port_pkey_list_insert+0xd7/0x7c0
+ ib_security_modify_qp+0x6fa/0xfc0
+ _ib_modify_qp+0x8c4/0xbf0
+ modify_qp+0x10da/0x16d0
+ ib_uverbs_modify_qp+0x9a/0x100
+ ib_uverbs_write+0xaa5/0xdf0
+ __vfs_write+0x7c/0x100
+ vfs_write+0x168/0x4a0
+ ksys_write+0xc8/0x200
+ do_syscall_64+0x9c/0x390
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: d291f1a65232 ("IB/core: Enforce PKey security on QPs")
+Link: https://lore.kernel.org/r/20200212080651.GB679970@unreal
+Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Message-Id: <20200212080651.GB679970@unreal>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/security.c | 24 +++++++++---------------
+ 1 file changed, 9 insertions(+), 15 deletions(-)
+
+--- a/drivers/infiniband/core/security.c
++++ b/drivers/infiniband/core/security.c
+@@ -338,22 +338,16 @@ static struct ib_ports_pkeys *get_new_pp
+ if (!new_pps)
+ return NULL;
+
+- if (qp_attr_mask & (IB_QP_PKEY_INDEX | IB_QP_PORT)) {
+- if (!qp_pps) {
+- new_pps->main.port_num = qp_attr->port_num;
+- new_pps->main.pkey_index = qp_attr->pkey_index;
+- } else {
+- new_pps->main.port_num = (qp_attr_mask & IB_QP_PORT) ?
+- qp_attr->port_num :
+- qp_pps->main.port_num;
+-
+- new_pps->main.pkey_index =
+- (qp_attr_mask & IB_QP_PKEY_INDEX) ?
+- qp_attr->pkey_index :
+- qp_pps->main.pkey_index;
+- }
++ if (qp_attr_mask & IB_QP_PORT)
++ new_pps->main.port_num =
++ (qp_pps) ? qp_pps->main.port_num : qp_attr->port_num;
++ if (qp_attr_mask & IB_QP_PKEY_INDEX)
++ new_pps->main.pkey_index = (qp_pps) ? qp_pps->main.pkey_index :
++ qp_attr->pkey_index;
++ if ((qp_attr_mask & IB_QP_PKEY_INDEX) && (qp_attr_mask & IB_QP_PORT))
+ new_pps->main.state = IB_PORT_PKEY_VALID;
+- } else if (qp_pps) {
++
++ if (!(qp_attr_mask & (IB_QP_PKEY_INDEX || IB_QP_PORT)) && qp_pps) {
+ new_pps->main.port_num = qp_pps->main.port_num;
+ new_pps->main.pkey_index = qp_pps->main.pkey_index;
+ if (qp_pps->main.state != IB_PORT_PKEY_NOT_VALID)
--- /dev/null
+From 0f8a206df7c920150d2aa45574fba0ab7ff6be4f Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Sat, 8 Feb 2020 07:08:59 -0700
+Subject: s390/time: Fix clk type in get_tod_clock
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+commit 0f8a206df7c920150d2aa45574fba0ab7ff6be4f upstream.
+
+Clang warns:
+
+In file included from ../arch/s390/boot/startup.c:3:
+In file included from ../include/linux/elf.h:5:
+In file included from ../arch/s390/include/asm/elf.h:132:
+In file included from ../include/linux/compat.h:10:
+In file included from ../include/linux/time.h:74:
+In file included from ../include/linux/time32.h:13:
+In file included from ../include/linux/timex.h:65:
+../arch/s390/include/asm/timex.h:160:20: warning: passing 'unsigned char
+[16]' to parameter of type 'char *' converts between pointers to integer
+types with different sign [-Wpointer-sign]
+ get_tod_clock_ext(clk);
+ ^~~
+../arch/s390/include/asm/timex.h:149:44: note: passing argument to
+parameter 'clk' here
+static inline void get_tod_clock_ext(char *clk)
+ ^
+
+Change clk's type to just be char so that it matches what happens in
+get_tod_clock_ext.
+
+Fixes: 57b28f66316d ("[S390] s390_hypfs: Add new attributes")
+Link: https://github.com/ClangBuiltLinux/linux/issues/861
+Link: http://lkml.kernel.org/r/20200208140858.47970-1-natechancellor@gmail.com
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/include/asm/timex.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/include/asm/timex.h
++++ b/arch/s390/include/asm/timex.h
+@@ -155,7 +155,7 @@ static inline void get_tod_clock_ext(cha
+
+ static inline unsigned long long get_tod_clock(void)
+ {
+- unsigned char clk[STORE_CLOCK_EXT_SIZE];
++ char clk[STORE_CLOCK_EXT_SIZE];
+
+ get_tod_clock_ext(clk);
+ return *((unsigned long long *)&clk[1]);
padata-remove-broken-queue-flushing.patch
serial-imx-ensure-that-rx-irqs-are-off-if-rx-is-off.patch
serial-imx-only-handle-irqs-that-are-actually-enabled.patch
+ib-hfi1-close-window-for-pq-and-request-coliding.patch
+rdma-core-fix-protection-fault-in-get_pkey_idx_qp_list.patch
+s390-time-fix-clk-type-in-get_tod_clock.patch
+perf-x86-intel-fix-inaccurate-period-in-context-switch-for-auto-reload.patch
+hwmon-pmbus-ltc2978-fix-pmbus-polling-of-mfr_common-definitions.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
