commit 98db2bf27b9ed2d5ed0b6c9c8a4bfcb127a19796
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Fri Feb 14 16:32:24 2020 -0500

    Linux 4.14.171

commit a5efc7dd242eb1086de3b02077e29657e4577e76
Author: Nicolai Stange <nstange@suse.de>
Date:   Tue Jan 14 11:39:03 2020 +0100

    libertas: make lbs_ibss_join_existing() return error code on rates overflow
    
    [ Upstream commit 1754c4f60aaf1e17d886afefee97e94d7f27b4cb ]
    
    Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
    descriptor") introduced a bounds check on the number of supplied rates to
    lbs_ibss_join_existing() and made it to return on overflow.
    
    However, the aforementioned commit doesn't set the return value accordingly
    and thus, lbs_ibss_join_existing() would return with zero even though it
    failed.
    
    Make lbs_ibss_join_existing return -EINVAL in case the bounds check on the
    number of supplied rates fails.
    
    Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor")
    Signed-off-by: Nicolai Stange <nstange@suse.de>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 783c96281bce4b38bb51e8c24b27b5dc4fdb3a51
Author: Nicolai Stange <nstange@suse.de>
Date:   Tue Jan 14 11:39:02 2020 +0100

    libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held
    
    [ Upstream commit c7bf1fb7ddca331780b9a733ae308737b39f1ad4 ]
    
    Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
    descriptor") introduced a bounds check on the number of supplied rates to
    lbs_ibss_join_existing().
    
    Unfortunately, it introduced a return path from within a RCU read side
    critical section without a corresponding rcu_read_unlock(). Fix this.
    
    Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor")
    Signed-off-by: Nicolai Stange <nstange@suse.de>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 43e189049f32740c0d015f43a407658ac53d1743
Author: Qing Xu <m1s5p6688@gmail.com>
Date:   Thu Jan 2 10:39:27 2020 +0800

    mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv()
    
    [ Upstream commit b70261a288ea4d2f4ac7cd04be08a9f0f2de4f4d ]
    
    mwifiex_cmd_append_vsie_tlv() calls memcpy() without checking
    the destination size may trigger a buffer overflower,
    which a local user could use to cause denial of service
    or the execution of arbitrary code.
    Fix it by putting the length check before calling memcpy().
    
    Signed-off-by: Qing Xu <m1s5p6688@gmail.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 49e9f1057ef968af57a62860697898cb35246936
Author: Qing Xu <m1s5p6688@gmail.com>
Date:   Thu Jan 2 10:39:26 2020 +0800

    mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status()
    
    [ Upstream commit 3a9b153c5591548612c3955c9600a98150c81875 ]
    
    mwifiex_ret_wmm_get_status() calls memcpy() without checking the
    destination size.Since the source is given from remote AP which
    contains illegal wmm elements , this may trigger a heap buffer
    overflow.
    Fix it by putting the length check before calling memcpy().
    
    Signed-off-by: Qing Xu <m1s5p6688@gmail.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9b95c9d93dace8566865758e3c64d21a84a9d06c
Author: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
Date:   Fri May 24 14:41:28 2019 +0530

    serial: uartps: Move the spinlock after the read of the tx empty
    
    commit 107475685abfdee504bb0ef4824f15797f6d2d4d upstream.
    
    Currently we are doing a read of the status register.
    Move the spinlock after that as the reads need not be spinlock
    protected. This patch prevents relaxing the cpu with spinlock held.
    
    Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
    Cc: Pavel Machek <pavel@denx.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ad6026d244ef0a1fa4823efed0abcfad11a06849
Author: Mike Snitzer <snitzer@redhat.com>
Date:   Mon Jan 27 14:07:23 2020 -0500

    dm: fix potential for q->make_request_fn NULL pointer
    
    commit 47ace7e012b9f7ad71d43ac9063d335ea3d6820b upstream.
    
    Move blk_queue_make_request() to dm.c:alloc_dev() so that
    q->make_request_fn is never NULL during the lifetime of a DM device
    (even one that is created without a DM table).
    
    Otherwise generic_make_request() will crash simply by doing:
      dmsetup create -n test
      mount /dev/dm-N /mnt
    
    While at it, move ->congested_data initialization out of
    dm.c:alloc_dev() and into the bio-based specific init method.
    
    Reported-by: Stefan Bader <stefan.bader@canonical.com>
    BugLink: https://bugs.launchpad.net/bugs/1860231
    Fixes: ff36ab34583a ("dm: remove request-based logic from make_request_fn wrapper")
    Depends-on: c12c9a3c3860c ("dm: various cleanups to md->queue initialization code")
    Cc: stable@vger.kernel.org
    Signed-off-by: Mike Snitzer <snitzer@redhat.com>
    [smb: adjusted for context and dm_init_md_queue() exitsting in older
          kernels]
    Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f2cfc606d03c00558393d8688b64b33bcb1de710
Author: Anand Lodnoor <anand.lodnoor@broadcom.com>
Date:   Tue Jan 14 16:51:19 2020 +0530

    scsi: megaraid_sas: Do not initiate OCR if controller is not in ready state
    
    commit 6d7537270e3283b92f9b327da9d58a4de40fe8d0 upstream.
    
    Driver initiates OCR if a DCMD command times out. But there is a deadlock
    if the driver attempts to invoke another OCR before the mutex lock
    (reset_mutex) is released from the previous session of OCR.
    
    This patch takes care of the above scenario using new flag
    MEGASAS_FUSION_OCR_NOT_POSSIBLE to indicate if OCR is possible.
    
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/1579000882-20246-9-git-send-email-anand.lodnoor@broadcom.com
    Signed-off-by: Shivasharan S <shivasharan.srikanteshwara@broadcom.com>
    Signed-off-by: Anand Lodnoor <anand.lodnoor@broadcom.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8b360321449e805bb8f9833b7e249c8cefacfb29
Author: Geert Uytterhoeven <geert+renesas@glider.be>
Date:   Wed Dec 18 20:48:07 2019 +0100

    pinctrl: sh-pfc: r8a7778: Fix duplicate SDSELF_B and SD1_CLK_B
    
    commit 805f635703b2562b5ddd822c62fc9124087e5dd5 upstream.
    
    The FN_SDSELF_B and FN_SD1_CLK_B enum IDs are used twice, which means
    one set of users must be wrong.  Replace them by the correct enum IDs.
    
    Fixes: 87f8c988636db0d4 ("sh-pfc: Add r8a7778 pinmux support")
    Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Link: https://lore.kernel.org/r/20191218194812.12741-2-geert+renesas@glider.be
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 079c03b754b9264192b82ff6f88a49991eb50581
Author: Gustavo A. R. Silva <gustavo@embeddedor.com>
Date:   Tue Oct 22 15:25:22 2019 +0200

    media: i2c: adv748x: Fix unsafe macros
    
    commit 0d962e061abcf1b9105f88fb850158b5887fbca3 upstream.
    
    Enclose multiple macro parameters in parentheses in order to
    make such macros safer and fix the Clang warning below:
    
    drivers/media/i2c/adv748x/adv748x-afe.c:452:12: warning: operator '?:'
    has lower precedence than '|'; '|' will be evaluated first
    [-Wbitwise-conditional-parentheses]
    
    ret = sdp_clrset(state, ADV748X_SDP_FRP, ADV748X_SDP_FRP_MASK, enable
    ? ctrl->val - 1 : 0);
    
    Fixes: 3e89586a64df ("media: i2c: adv748x: add adv748x driver")
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
    Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0b751f35f93eed9515f27053268c28782a671059
Author: Eric Biggers <ebiggers@google.com>
Date:   Mon Dec 30 21:19:33 2019 -0600

    crypto: atmel-sha - fix error handling when setting hmac key
    
    commit b529f1983b2dcc46354f311feda92e07b6e9e2da upstream.
    
    HMAC keys can be of any length, and atmel_sha_hmac_key_set() can only
    fail due to -ENOMEM.  But atmel_sha_hmac_setkey() incorrectly treated
    any error as a "bad key length" error.  Fix it to correctly propagate
    the -ENOMEM error code and not set any tfm result flags.
    
    Fixes: 81d8750b2b59 ("crypto: atmel-sha - add support to hmac(shaX)")
    Cc: Nicolas Ferre <nicolas.ferre@microchip.com>
    Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
    Cc: Ludovic Desroches <ludovic.desroches@microchip.com>
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Reviewed-by: Tudor Ambarus <tudor.ambarus@microchip.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bcf27e218594685647c5c46a11d5f2b80fdfded1
Author: Eric Biggers <ebiggers@google.com>
Date:   Mon Dec 30 21:19:32 2019 -0600

    crypto: artpec6 - return correct error code for failed setkey()
    
    commit b828f905904cd76424230c69741a4cabb0174168 upstream.
    
    ->setkey() is supposed to retun -EINVAL for invalid key lengths, not -1.
    
    Fixes: a21eb94fc4d3 ("crypto: axis - add ARTPEC-6/7 crypto accelerator driver")
    Cc: Jesper Nilsson <jesper.nilsson@axis.com>
    Cc: Lars Persson <lars.persson@axis.com>
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Acked-by: Lars Persson <lars.persson@axis.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4b99ae6d648416af377f5ac389619f12e555b362
Author: Gavin Shan <gshan@redhat.com>
Date:   Tue Jan 21 16:56:59 2020 +1100

    KVM: arm/arm64: Fix young bit from mmu notifier
    
    commit cf2d23e0bac9f6b5cd1cba8898f5f05ead40e530 upstream.
    
    kvm_test_age_hva() is called upon mmu_notifier_test_young(), but wrong
    address range has been passed to handle_hva_to_gpa(). With the wrong
    address range, no young bits will be checked in handle_hva_to_gpa().
    It means zero is always returned from mmu_notifier_test_young().
    
    This fixes the issue by passing correct address range to the underly
    function handle_hva_to_gpa(), so that the hardware young (access) bit
    will be visited.
    
    Fixes: 35307b9a5f7e ("arm/arm64: KVM: Implement Stage-2 page aging")
    Signed-off-by: Gavin Shan <gshan@redhat.com>
    Signed-off-by: Marc Zyngier <maz@kernel.org>
    Link: https://lore.kernel.org/r/20200121055659.19560-1-gshan@redhat.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1e26078c29edb7bdf7d75ddc52d34912b805791e
Author: Suzuki K Poulose <suzuki.poulose@arm.com>
Date:   Mon Jan 13 23:30:19 2020 +0000

    arm64: cpufeature: Fix the type of no FP/SIMD capability
    
    commit 449443c03d8cfdacf7313e17779a2594ebf87e6d upstream.
    
    The NO_FPSIMD capability is defined with scope SYSTEM, which implies
    that the "absence" of FP/SIMD on at least one CPU is detected only
    after all the SMP CPUs are brought up. However, we use the status
    of this capability for every context switch. So, let us change
    the scope to LOCAL_CPU to allow the detection of this capability
    as and when the first CPU without FP is brought up.
    
    Also, the current type allows hotplugged CPU to be brought up without
    FP/SIMD when all the current CPUs have FP/SIMD and we have the userspace
    up. Fix both of these issues by changing the capability to
    BOOT_RESTRICTED_LOCAL_CPU_FEATURE.
    
    Fixes: 82e0191a1aa11abf ("arm64: Support systems without FP/ASIMD")
    Cc: Will Deacon <will@kernel.org>
    Cc: Mark Rutland <mark.rutland@arm.com>
    Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
    Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
    Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
    Signed-off-by: Will Deacon <will@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c3f4c5ecf759b55bbabc17a2ff784fcf06ebfb23
Author: Olof Johansson <olof@lixom.net>
Date:   Wed Dec 18 01:18:49 2019 +0100

    ARM: 8949/1: mm: mark free_memmap as __init
    
    commit 31f3010e60522ede237fb145a63b4af5a41718c2 upstream.
    
    As of commit ac7c3e4ff401 ("compiler: enable CONFIG_OPTIMIZE_INLINING
    forcibly"), free_memmap() might not always be inlined, and thus is
    triggering a section warning:
    
    WARNING: vmlinux.o(.text.unlikely+0x904): Section mismatch in reference from the function free_memmap() to the function .meminit.text:memblock_free()
    
    Mark it as __init, since the faller (free_unused_memmap) already is.
    
    Fixes: ac7c3e4ff401 ("compiler: enable CONFIG_OPTIMIZE_INLINING forcibly")
    Signed-off-by: Olof Johansson <olof@lixom.net>
    Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d73066c047a0cf2e4286023320512d059ac2b405
Author: Eric Auger <eric.auger@redhat.com>
Date:   Fri Dec 13 10:42:37 2019 +0100

    KVM: arm/arm64: vgic-its: Fix restoration of unmapped collections
    
    commit 8c58be34494b7f1b2adb446e2d8beeb90e5de65b upstream.
    
    Saving/restoring an unmapped collection is a valid scenario. For
    example this happens if a MAPTI command was sent, featuring an
    unmapped collection. At the moment the CTE fails to be restored.
    Only compare against the number of online vcpus if the rdist
    base is set.
    
    Fixes: ea1ad53e1e31a ("KVM: arm64: vgic-its: Collection table save/restore")
    Signed-off-by: Eric Auger <eric.auger@redhat.com>
    Signed-off-by: Marc Zyngier <maz@kernel.org>
    Reviewed-by: Zenghui Yu <yuzenghui@huawei.com>
    Link: https://lore.kernel.org/r/20191213094237.19627-1-eric.auger@redhat.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cef509c55685401ab07f08276df15d287f280815
Author: Alexey Kardashevskiy <aik@ozlabs.ru>
Date:   Mon Dec 16 15:19:22 2019 +1100

    powerpc/pseries: Allow not having ibm, hypertas-functions::hcall-multi-tce for DDW
    
    commit 7559d3d295f3365ea7ac0c0274c05e633fe4f594 upstream.
    
    By default a pseries guest supports a H_PUT_TCE hypercall which maps
    a single IOMMU page in a DMA window. Additionally the hypervisor may
    support H_PUT_TCE_INDIRECT/H_STUFF_TCE which update multiple TCEs at once;
    this is advertised via the device tree /rtas/ibm,hypertas-functions
    property which Linux converts to FW_FEATURE_MULTITCE.
    
    FW_FEATURE_MULTITCE is checked when dma_iommu_ops is used; however
    the code managing the huge DMA window (DDW) ignores it and calls
    H_PUT_TCE_INDIRECT even if it is explicitly disabled via
    the "multitce=off" kernel command line parameter.
    
    This adds FW_FEATURE_MULTITCE checking to the DDW code path.
    
    This changes tce_build_pSeriesLP to take liobn and page size as
    the huge window does not have iommu_table descriptor which usually
    the place to store these numbers.
    
    Fixes: 4e8b0cf46b25 ("powerpc/pseries: Add support for dynamic dma windows")
    Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
    Reviewed-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
    Tested-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/20191216041924.42318-3-aik@ozlabs.ru
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 197cd72ec3aa5afcf1ab1da61135d7ee2bfb4b49
Author: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
Date:   Mon Jan 20 14:10:02 2020 -0800

    powerpc/pseries/vio: Fix iommu_table use-after-free refcount warning
    
    commit aff8c8242bc638ba57247ae1ec5f272ac3ed3b92 upstream.
    
    Commit e5afdf9dd515 ("powerpc/vfio_spapr_tce: Add reference counting to
    iommu_table") missed an iommu_table allocation in the pseries vio code.
    The iommu_table is allocated with kzalloc and as a result the associated
    kref gets a value of zero. This has the side effect that during a DLPAR
    remove of the associated virtual IOA the iommu_tce_table_put() triggers
    a use-after-free underflow warning.
    
    Call Trace:
    [c0000002879e39f0] [c00000000071ecb4] refcount_warn_saturate+0x184/0x190
    (unreliable)
    [c0000002879e3a50] [c0000000000500ac] iommu_tce_table_put+0x9c/0xb0
    [c0000002879e3a70] [c0000000000f54e4] vio_dev_release+0x34/0x70
    [c0000002879e3aa0] [c00000000087cfa4] device_release+0x54/0xf0
    [c0000002879e3b10] [c000000000d64c84] kobject_cleanup+0xa4/0x240
    [c0000002879e3b90] [c00000000087d358] put_device+0x28/0x40
    [c0000002879e3bb0] [c0000000007a328c] dlpar_remove_slot+0x15c/0x250
    [c0000002879e3c50] [c0000000007a348c] remove_slot_store+0xac/0xf0
    [c0000002879e3cd0] [c000000000d64220] kobj_attr_store+0x30/0x60
    [c0000002879e3cf0] [c0000000004ff13c] sysfs_kf_write+0x6c/0xa0
    [c0000002879e3d10] [c0000000004fde4c] kernfs_fop_write+0x18c/0x260
    [c0000002879e3d60] [c000000000410f3c] __vfs_write+0x3c/0x70
    [c0000002879e3d80] [c000000000415408] vfs_write+0xc8/0x250
    [c0000002879e3dd0] [c0000000004157dc] ksys_write+0x7c/0x120
    [c0000002879e3e20] [c00000000000b278] system_call+0x5c/0x68
    
    Further, since the refcount was always zero the iommu_tce_table_put()
    fails to call the iommu_table release function resulting in a leak.
    
    Fix this issue be initilizing the iommu_table kref immediately after
    allocation.
    
    Fixes: e5afdf9dd515 ("powerpc/vfio_spapr_tce: Add reference counting to iommu_table")
    Signed-off-by: Tyrel Datwyler <tyreld@linux.ibm.com>
    Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/1579558202-26052-1-git-send-email-tyreld@linux.ibm.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4a7a57c810a891ac924462de512f5e9cc81f6aee
Author: Zhengyuan Liu <liuzhengyuan@kylinos.cn>
Date:   Sat Dec 14 00:27:12 2019 +0800

    tools/power/acpi: fix compilation error
    
    commit 1985f8c7f9a42a651a9750d6fcadc74336d182df upstream.
    
    If we compile tools/acpi target in the top source directory, we'd get a
    compilation error showing as bellow:
    
            # make tools/acpi
              DESCEND  power/acpi
              DESCEND  tools/acpidbg
              CC       tools/acpidbg/acpidbg.o
            Assembler messages:
            Fatal error: can't create /home/lzy/kernel-upstream/power/acpi/\
                            tools/acpidbg/acpidbg.o: No such file or directory
            ../../Makefile.rules:26: recipe for target '/home/lzy/kernel-upstream/\
                            power/acpi/tools/acpidbg/acpidbg.o' failed
            make[3]: *** [/home/lzy/kernel-upstream//power/acpi/tools/acpidbg/\
                            acpidbg.o] Error 1
            Makefile:19: recipe for target 'acpidbg' failed
            make[2]: *** [acpidbg] Error 2
            Makefile:54: recipe for target 'acpi' failed
            make[1]: *** [acpi] Error 2
            Makefile:1607: recipe for target 'tools/acpi' failed
            make: *** [tools/acpi] Error 2
    
    Fixes: d5a4b1a540b8 ("tools/power/acpi: Remove direct kernel source include reference")
    Signed-off-by: Zhengyuan Liu <liuzhengyuan@kylinos.cn>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 59d6a094087e3bd135cb92da76c345be2f5def1b
Author: Alexandre Belloni <alexandre.belloni@bootlin.com>
Date:   Fri Jan 10 18:20:07 2020 +0100

    ARM: dts: at91: sama5d3: define clock rate range for tcb1
    
    commit a7e0f3fc01df4b1b7077df777c37feae8c9e8b6d upstream.
    
    The clock rate range for the TCB1 clock is missing. define it in the device
    tree.
    
    Reported-by: Karl Rudbæk Olsen <karl@micro-technic.com>
    Fixes: d2e8190b7916 ("ARM: at91/dt: define sama5d3 clocks")
    Link: https://lore.kernel.org/r/20200110172007.1253659-2-alexandre.belloni@bootlin.com
    Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bc2807c061a6b73baec206cb716b1c6461a288df
Author: Alexandre Belloni <alexandre.belloni@bootlin.com>
Date:   Fri Jan 10 18:20:06 2020 +0100

    ARM: dts: at91: sama5d3: fix maximum peripheral clock rates
    
    commit ee0aa926ddb0bd8ba59e33e3803b3b5804e3f5da upstream.
    
    Currently the maximum rate for peripheral clock is calculated based on a
    typical 133MHz MCK. The maximum frequency is defined in the datasheet as a
    ratio to MCK. Some sama5d3 platforms are using a 166MHz MCK. Update the
    device trees to match the maximum rate based on 166MHz.
    
    Reported-by: Karl Rudbæk Olsen <karl@micro-technic.com>
    Fixes: d2e8190b7916 ("ARM: at91/dt: define sama5d3 clocks")
    Link: https://lore.kernel.org/r/20200110172007.1253659-1-alexandre.belloni@bootlin.com
    Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cf2647f146c41995f03b9b1e3800157aee2cf87d
Author: Mika Westerberg <mika.westerberg@linux.intel.com>
Date:   Wed Jan 22 19:05:20 2020 +0300

    platform/x86: intel_mid_powerbtn: Take a copy of ddata
    
    commit 5e0c94d3aeeecc68c573033f08d9678fecf253bd upstream.
    
    The driver gets driver_data from memory that is marked as const (which
    is probably put to read-only memory) and it then modifies it. This
    likely causes some sort of fault to happen.
    
    Fix this by taking a copy of the structure.
    
    Fixes: c94a8ff14de3 ("platform/x86: intel_mid_powerbtn: make mid_pb_ddata const")
    Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
    Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 18a698a8659dd115c15db8c0ede9319d528ad815
Author: Jose Abreu <Jose.Abreu@synopsys.com>
Date:   Tue Jan 14 17:09:24 2020 +0100

    ARC: [plat-axs10x]: Add missing multicast filter number to GMAC node
    
    commit 7980dff398f86a618f502378fa27cf7e77449afa upstream.
    
    Add a missing property to GMAC node so that multicast filtering works
    correctly.
    
    Fixes: 556cc1c5f528 ("ARC: [axs101] Add support for AXS101 SDP (software development platform)")
    Acked-by: Alexey Brodkin <abrodkin@synopsys.com>
    Signed-off-by: Jose Abreu <Jose.Abreu@synopsys.com>
    Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1eaca30af8afce3aa6664a5e0a84012f22c471e8
Author: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Date:   Thu Jan 23 15:14:35 2020 +0200

    rtc: cmos: Stop using shared IRQ
    
    commit b6da197a2e9670df6f07e6698629e9ce95ab614e upstream.
    
    As reported by Guilherme G. Piccoli:
    
    ---8<---8<---8<---
    
    The rtc-cmos interrupt setting was changed in the commit 079062b28fb4
    ("rtc: cmos: prevent kernel warning on IRQ flags mismatch") in order
    to allow shared interrupts; according to that commit's description,
    some machine got kernel warnings due to the interrupt line being shared
    between rtc-cmos and other hardware, and rtc-cmos didn't allow IRQ sharing
    that time.
    
    After the aforementioned commit though it was observed a huge increase
    in lost HPET interrupts in some systems, observed through the following
    kernel message:
    
    [...] hpet1: lost 35 rtc interrupts
    
    After investigation, it was narrowed down to the shared interrupts
    usage when having the kernel option "irqpoll" enabled. In this case,
    all IRQ handlers are called for non-timer interrupts, if such handlers
    are setup in shared IRQ lines. The rtc-cmos IRQ handler could be set to
    hpet_rtc_interrupt(), which will produce the kernel "lost interrupts"
    message after doing work - lots of readl/writel to HPET registers, which
    are known to be slow.
    
    Although "irqpoll" is not a default kernel option, it's used in some contexts,
    one being the kdump kernel (which is an already "impaired" kernel usually
    running with 1 CPU available), so the performance burden could be considerable.
    Also, the same issue would happen (in a shorter extent though) when using
    "irqfixup" kernel option.
    
    In a quick experiment, a virtual machine with uptime of 2 minutes produced
    >300 calls to hpet_rtc_interrupt() when "irqpoll" was set, whereas without
    sharing interrupts this number reduced to 1 interrupt. Machines with more
    hardware than a VM should generate even more unnecessary HPET interrupts
    in this scenario.
    
    ---8<---8<---8<---
    
    After looking into the rtc-cmos driver history and DSDT table from
    the Microsoft Surface 3, we may notice that Hans de Goede submitted
    a correct fix (see dependency below). Thus, we simply revert
    the culprit commit.
    
    Fixes: 079062b28fb4 ("rtc: cmos: prevent kernel warning on IRQ flags mismatch")
    Depends-on: a1e23a42f1bd ("rtc: cmos: Do not assume irq 8 for rtc when there are no legacy irqs")
    Reported-by: Guilherme G. Piccoli <gpiccoli@canonical.com>
    Cc: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Tested-by: Guilherme G. Piccoli <gpiccoli@canonical.com>
    Reviewed-by: Hans de Goede <hdegoede@redhat.com>
    Link: https://lore.kernel.org/r/20200123131437.28157-1-andriy.shevchenko@linux.intel.com
    Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 64ab2bb7f98e2fda9d59efe40b592285981d85d9
Author: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
Date:   Thu Dec 12 16:31:10 2019 +0100

    rtc: hym8563: Return -EINVAL if the time is known to be invalid
    
    commit f236a2a2ebabad0848ad0995af7ad1dc7029e895 upstream.
    
    The current code returns -EPERM when the voltage loss bit is set.
    Since the bit indicates that the time value is not valid, return
    -EINVAL instead, which is the appropriate error code for this
    situation.
    
    Fixes: dcaf03849352 ("rtc: add hym8563 rtc-driver")
    Signed-off-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
    Link: https://lore.kernel.org/r/20191212153111.966923-1-paul.kocialkowski@bootlin.com
    Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 69332673468b8f488dfc073684d09d7b916e1e52
Author: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
Date:   Mon Feb 10 10:18:25 2020 -0700

    serial: uartps: Add a timeout to the tx empty wait
    
    [ Upstream commit 277375b864e8147975b064b513f491e2a910e66a ]
    
    In case the cable is not connected then the target gets into
    an infinite wait for tx empty.
    Add a timeout to the tx empty wait.
    
    Reported-by: Jean-Francois Dagenais <jeff.dagenais@gmail.com>
    Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0cffbe2a1bb5a1e63b67bebf38eb653aabfd6f43
Author: Robert Milkowski <rmilkowski@gmail.com>
Date:   Tue Jan 28 08:37:47 2020 +0000

    NFSv4: try lease recovery on NFS4ERR_EXPIRED
    
    commit 924491f2e476f7234d722b24171a4daff61bbe13 upstream.
    
    Currently, if an nfs server returns NFS4ERR_EXPIRED to open(),
    we return EIO to applications without even trying to recover.
    
    Fixes: 272289a3df72 ("NFSv4: nfs4_do_handle_exception() handle revoke/expiry of a single stateid")
    Signed-off-by: Robert Milkowski <rmilkowski@gmail.com>
    Reviewed-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e69fb85b026bd7e71d7ac5c51dfa8cd82a1107b9
Author: Trond Myklebust <trondmy@gmail.com>
Date:   Mon Jan 6 15:25:04 2020 -0500

    NFS/pnfs: Fix pnfs_generic_prepare_to_resend_writes()
    
    commit 221203ce6406273cf00e5c6397257d986c003ee6 upstream.
    
    Instead of making assumptions about the commit verifier contents, change
    the commit code to ensure we always check that the verifier was set
    by the XDR code.
    
    Fixes: f54bcf2ecee9 ("pnfs: Prepare for flexfiles by pulling out common code")
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 15466c4d2910c8e385d74cf0fb37b747750124bb
Author: Geert Uytterhoeven <geert+renesas@glider.be>
Date:   Mon Dec 30 16:32:38 2019 +0100

    nfs: NFS_SWAP should depend on SWAP
    
    commit 474c4f306eefbb21b67ebd1de802d005c7d7ecdc upstream.
    
    If CONFIG_SWAP=n, it does not make much sense to offer the user the
    option to enable support for swapping over NFS, as that will still fail
    at run time:
    
        # swapon /swap
        swapon: /swap: swapon failed: Function not implemented
    
    Fix this by adding a dependency on CONFIG_SWAP.
    
    Fixes: a564b8f0398636ba ("nfs: enable swap on NFS")
    Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2edc1dc9008b02fc43f22698c88c390c493e9399
Author: Logan Gunthorpe <logang@deltatee.com>
Date:   Wed Jan 8 14:32:08 2020 -0700

    PCI: Don't disable bridge BARs when assigning bus resources
    
    commit 9db8dc6d0785225c42a37be7b44d1b07b31b8957 upstream.
    
    Some PCI bridges implement BARs in addition to bridge windows.  For
    example, here's a PLX switch:
    
      04:00.0 PCI bridge: PLX Technology, Inc. PEX 8724 24-Lane, 6-Port PCI
                Express Gen 3 (8 GT/s) Switch, 19 x 19mm FCBGA (rev ca)
                (prog-if 00 [Normal decode])
          Flags: bus master, fast devsel, latency 0, IRQ 30, NUMA node 0
          Memory at 90a00000 (32-bit, non-prefetchable) [size=256K]
          Bus: primary=04, secondary=05, subordinate=0a, sec-latency=0
          I/O behind bridge: 00002000-00003fff
          Memory behind bridge: 90000000-909fffff
          Prefetchable memory behind bridge: 0000380000800000-0000380000bfffff
    
    Previously, when the kernel assigned resource addresses (with the
    pci=realloc command line parameter, for example) it could clear the struct
    resource corresponding to the BAR.  When this happened, lspci would report
    this BAR as "ignored":
    
       Region 0: Memory at <ignored> (32-bit, non-prefetchable) [size=256K]
    
    This is because the kernel reports a zero start address and zero flags
    in the corresponding sysfs resource file and in /proc/bus/pci/devices.
    Investigation with 'lspci -x', however, shows the BIOS-assigned address
    will still be programmed in the device's BAR registers.
    
    It's clearly a bug that the kernel lost track of the BAR value, but in most
    cases, this still won't result in a visible issue because nothing uses the
    memory, so nothing is affected.  However, when an IOMMU is in use, it will
    not reserve this space in the IOVA because the kernel no longer thinks the
    range is valid.  (See dmar_init_reserved_ranges() for the Intel
    implementation of this.)
    
    Without the proper reserved range, a DMA mapping may allocate an IOVA that
    matches a bridge BAR, which results in DMA accesses going to the BAR
    instead of the intended RAM.
    
    The problem was in pci_assign_unassigned_root_bus_resources().  When any
    resource from a bridge device fails to get assigned, the code set the
    resource's flags to zero.  This makes sense for bridge windows, as they
    will be re-enabled later, but for regular BARs, it makes the kernel
    permanently lose track of the fact that they decode address space.
    
    Change pci_assign_unassigned_root_bus_resources() and
    pci_assign_unassigned_bridge_resources() so they only clear "res->flags"
    for bridge *windows*, not bridge BARs.
    
    Fixes: da7822e5ad71 ("PCI: update bridge resources to get more big ranges when allocating space (again)")
    Link: https://lore.kernel.org/r/20200108213208.4612-1-logang@deltatee.com
    [bhelgaas: commit log, check for pci_is_bridge()]
    Reported-by: Kit Chow <kchow@gigaio.com>
    Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b642fb092de14eb6ed760f5fb7ceb160ec6bee98
Author: Logan Gunthorpe <logang@deltatee.com>
Date:   Mon Jan 6 12:03:27 2020 -0700

    PCI/switchtec: Fix vep_vector_number ioread width
    
    commit 9375646b4cf03aee81bc6c305aa18cc80b682796 upstream.
    
    vep_vector_number is actually a 16 bit register which should be read with
    ioread16() instead of ioread32().
    
    Fixes: 080b47def5e5 ("MicroSemi Switchtec management interface driver")
    Link: https://lore.kernel.org/r/20200106190337.2428-3-logang@deltatee.com
    Reported-by: Doug Meyer <dmeyer@gigaio.com>
    Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 251601c93fd4615168607d2be37b7dfa7c9cfab4
Author: Bean Huo <beanhuo@micron.com>
Date:   Mon Jan 20 14:08:13 2020 +0100

    scsi: ufs: Fix ufshcd_probe_hba() reture value in case ufshcd_scsi_add_wlus() fails
    
    commit b9fc5320212efdfb4e08b825aaa007815fd11d16 upstream.
    
    A non-zero error value likely being returned by ufshcd_scsi_add_wlus() in
    case of failure of adding the WLs, but ufshcd_probe_hba() doesn't use this
    value, and doesn't report this failure to upper caller.  This patch is to
    fix this issue.
    
    Fixes: 2a8fa600445c ("ufs: manually add well known logical units")
    Link: https://lore.kernel.org/r/20200120130820.1737-2-huobean@gmail.com
    Reviewed-by: Asutosh Das <asutoshd@codeaurora.org>
    Reviewed-by: Alim Akhtar <alim.akhtar@samsung.com>
    Reviewed-by: Stanley Chu <stanley.chu@mediatek.com>
    Signed-off-by: Bean Huo <beanhuo@micron.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 38df0eb4a4092a7e8c3ed6945c432fdb5e74ba30
Author: HÃ¥kon Bugge <haakon.bugge@oracle.com>
Date:   Mon Dec 16 13:04:36 2019 +0100

    RDMA/netlink: Do not always generate an ACK for some netlink operations
    
    commit a242c36951ecd24bc16086940dbe6b522205c461 upstream.
    
    In rdma_nl_rcv_skb(), the local variable err is assigned the return value
    of the supplied callback function, which could be one of
    ib_nl_handle_resolve_resp(), ib_nl_handle_set_timeout(), or
    ib_nl_handle_ip_res_resp(). These three functions all return skb->len on
    success.
    
    rdma_nl_rcv_skb() is merely a copy of netlink_rcv_skb(). The callback
    functions used by the latter have the convention: "Returns 0 on success or
    a negative error code".
    
    In particular, the statement (equal for both functions):
    
       if (nlh->nlmsg_flags & NLM_F_ACK || err)
    
    implies that rdma_nl_rcv_skb() always will ack a message, independent of
    the NLM_F_ACK being set in nlmsg_flags or not.
    
    The fix could be to change the above statement, but it is better to keep
    the two *_rcv_skb() functions equal in this respect and instead change the
    three callback functions in the rdma subsystem to the correct convention.
    
    Fixes: 2ca546b92a02 ("IB/sa: Route SA pathrecord query through netlink")
    Fixes: ae43f8286730 ("IB/core: Add IP to GID netlink offload")
    Link: https://lore.kernel.org/r/20191216120436.3204814-1-haakon.bugge@oracle.com
    Suggested-by: Mark Haywood <mark.haywood@oracle.com>
    Signed-off-by: HÃ¥kon Bugge <haakon.bugge@oracle.com>
    Tested-by: Mark Haywood <mark.haywood@oracle.com>
    Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
    Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
    Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9b164187829c7db401ca2da9e19f2c30a026b3e5
Author: Sunil Muthuswamy <sunilmut@microsoft.com>
Date:   Fri Jan 24 03:08:18 2020 +0000

    hv_sock: Remove the accept port restriction
    
    [ Upstream commit c742c59e1fbd022b64d91aa9a0092b3a699d653c ]
    
    Currently, hv_sock restricts the port the guest socket can accept
    connections on. hv_sock divides the socket port namespace into two parts
    for server side (listening socket), 0-0x7FFFFFFF & 0x80000000-0xFFFFFFFF
    (there are no restrictions on client port namespace). The first part
    (0-0x7FFFFFFF) is reserved for sockets where connections can be accepted.
    The second part (0x80000000-0xFFFFFFFF) is reserved for allocating ports
    for the peer (host) socket, once a connection is accepted.
    This reservation of the port namespace is specific to hv_sock and not
    known by the generic vsock library (ex: af_vsock). This is problematic
    because auto-binds/ephemeral ports are handled by the generic vsock
    library and it has no knowledge of this port reservation and could
    allocate a port that is not compatible with hv_sock (and legitimately so).
    The issue hasn't surfaced so far because the auto-bind code of vsock
    (__vsock_bind_stream) prior to the change 'VSOCK: bind to random port for
    VMADDR_PORT_ANY' would start walking up from LAST_RESERVED_PORT (1023) and
    start assigning ports. That will take a large number of iterations to hit
    0x7FFFFFFF. But, after the above change to randomize port selection, the
    issue has started coming up more frequently.
    There has really been no good reason to have this port reservation logic
    in hv_sock from the get go. Reserving a local port for peer ports is not
    how things are handled generally. Peer ports should reflect the peer port.
    This fixes the issue by lifting the port reservation, and also returns the
    right peer port. Since the code converts the GUID to the peer port (by
    using the first 4 bytes), there is a possibility of conflicts, but that
    seems like a reasonable risk to take, given this is limited to vsock and
    that only applies to all local sockets.
    
    Signed-off-by: Sunil Muthuswamy <sunilmut@microsoft.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c7d57b1fd0f77ccd0def6893c02f3babe96e37ef
Author: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Date:   Mon Nov 4 14:48:11 2019 -0800

    ASoC: pcm: update FE/BE trigger order based on the command
    
    [ Upstream commit acbf27746ecfa96b290b54cc7f05273482ea128a ]
    
    Currently, the trigger orders SND_SOC_DPCM_TRIGGER_PRE/POST
    determine the order in which FE DAI and BE DAI are triggered.
    In the case of SND_SOC_DPCM_TRIGGER_PRE, the FE DAI is
    triggered before the BE DAI and in the case of
    SND_SOC_DPCM_TRIGGER_POST, the BE DAI is triggered before
    the FE DAI. And this order remains the same irrespective of the
    trigger command.
    
    In the case of the SOF driver, during playback, the FW
    expects the BE DAI to be triggered before the FE DAI during
    the START trigger. The BE DAI trigger handles the starting of
    Link DMA and so it must be started before the FE DAI is started
    to prevent xruns during pause/release. This can be addressed
    by setting the trigger order for the FE dai link to
    SND_SOC_DPCM_TRIGGER_POST. But during the STOP trigger,
    the FW expects the FE DAI to be triggered before the BE DAI.
    Retaining the same order during the START and STOP commands,
    results in FW error as the DAI component in the FW is still
    active.
    
    The issue can be fixed by mirroring the trigger order of
    FE and BE DAI's during the START and STOP trigger. So, with the
    trigger order set to SND_SOC_DPCM_TRIGGER_PRE, the FE DAI will be
    trigger first during SNDRV_PCM_TRIGGER_START/STOP/RESUME
    and the BE DAI will be triggered first during the
    STOP/SUSPEND/PAUSE commands. Conversely, with the trigger order
    set to SND_SOC_DPCM_TRIGGER_POST, the BE DAI will be triggered
    first during the SNDRV_PCM_TRIGGER_START/STOP/RESUME commands
    and the FE DAI will be triggered first during the
    SNDRV_PCM_TRIGGER_STOP/SUSPEND/PAUSE commands.
    
    Signed-off-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
    Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    Link: https://lore.kernel.org/r/20191104224812.3393-2-ranjani.sridharan@linux.intel.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c12b8cb9f1546df81368d076f7ec3e13222d1b6c
Author: David Howells <dhowells@redhat.com>
Date:   Thu Feb 6 13:55:01 2020 +0000

    rxrpc: Fix service call disconnection
    
    [ Upstream commit b39a934ec72fa2b5a74123891f25273a38378b90 ]
    
    The recent patch that substituted a flag on an rxrpc_call for the
    connection pointer being NULL as an indication that a call was disconnected
    puts the set_bit in the wrong place for service calls.  This is only a
    problem if a call is implicitly terminated by a new call coming in on the
    same connection channel instead of a terminating ACK packet.
    
    In such a case, rxrpc_input_implicit_end_call() calls
    __rxrpc_disconnect_call(), which is now (incorrectly) setting the
    disconnection bit, meaning that when rxrpc_release_call() is later called,
    it doesn't call rxrpc_disconnect_call() and so the call isn't removed from
    the peer's error distribution list and the list gets corrupted.
    
    KASAN finds the issue as an access after release on a call, but the
    position at which it occurs is confusing as it appears to be related to a
    different call (the call site is where the latter call is being removed
    from the error distribution list and either the next or pprev pointer
    points to a previously released call).
    
    Fix this by moving the setting of the flag from __rxrpc_disconnect_call()
    to rxrpc_disconnect_call() in the same place that the connection pointer
    was being cleared.
    
    Fixes: 5273a191dca6 ("rxrpc: Fix NULL pointer deref due to call->conn being cleared on disconnect")
    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f993a79d85fe81379ac4b2f9b4660823f8574a6d
Author: Song Liu <songliubraving@fb.com>
Date:   Thu Jan 23 10:11:46 2020 -0800

    perf/core: Fix mlock accounting in perf_mmap()
    
    commit 003461559ef7a9bd0239bae35a22ad8924d6e9ad upstream.
    
    Decreasing sysctl_perf_event_mlock between two consecutive perf_mmap()s of
    a perf ring buffer may lead to an integer underflow in locked memory
    accounting. This may lead to the undesired behaviors, such as failures in
    BPF map creation.
    
    Address this by adjusting the accounting logic to take into account the
    possibility that the amount of already locked memory may exceed the
    current limit.
    
    Fixes: c4b75479741c ("perf/core: Make the mlock accounting simple again")
    Suggested-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Signed-off-by: Song Liu <songliubraving@fb.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Cc: <stable@vger.kernel.org>
    Acked-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Link: https://lkml.kernel.org/r/20200123181146.2238074-1-songliubraving@fb.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2106d26897f9341ddb7ad74bfc5867808cec927a
Author: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Date:   Fri Jan 31 19:08:59 2020 +0300

    clocksource: Prevent double add_timer_on() for watchdog_timer
    
    commit febac332a819f0e764aa4da62757ba21d18c182b upstream.
    
    Kernel crashes inside QEMU/KVM are observed:
    
      kernel BUG at kernel/time/timer.c:1154!
      BUG_ON(timer_pending(timer) || !timer->function) in add_timer_on().
    
    At the same time another cpu got:
    
      general protection fault: 0000 [#1] SMP PTI of poinson pointer 0xdead000000000200 in:
    
      __hlist_del at include/linux/list.h:681
      (inlined by) detach_timer at kernel/time/timer.c:818
      (inlined by) expire_timers at kernel/time/timer.c:1355
      (inlined by) __run_timers at kernel/time/timer.c:1686
      (inlined by) run_timer_softirq at kernel/time/timer.c:1699
    
    Unfortunately kernel logs are badly scrambled, stacktraces are lost.
    
    Printing the timer->function before the BUG_ON() pointed to
    clocksource_watchdog().
    
    The execution of clocksource_watchdog() can race with a sequence of
    clocksource_stop_watchdog() .. clocksource_start_watchdog():
    
    expire_timers()
     detach_timer(timer, true);
      timer->entry.pprev = NULL;
     raw_spin_unlock_irq(&base->lock);
     call_timer_fn
      clocksource_watchdog()
    
                                            clocksource_watchdog_kthread() or
                                            clocksource_unbind()
    
                                            spin_lock_irqsave(&watchdog_lock, flags);
                                            clocksource_stop_watchdog();
                                             del_timer(&watchdog_timer);
                                             watchdog_running = 0;
                                            spin_unlock_irqrestore(&watchdog_lock, flags);
    
                                            spin_lock_irqsave(&watchdog_lock, flags);
                                            clocksource_start_watchdog();
                                             add_timer_on(&watchdog_timer, ...);
                                             watchdog_running = 1;
                                            spin_unlock_irqrestore(&watchdog_lock, flags);
    
      spin_lock(&watchdog_lock);
      add_timer_on(&watchdog_timer, ...);
       BUG_ON(timer_pending(timer) || !timer->function);
        timer_pending() -> true
        BUG()
    
    I.e. inside clocksource_watchdog() watchdog_timer could be already armed.
    
    Check timer_pending() before calling add_timer_on(). This is sufficient as
    all operations are synchronized by watchdog_lock.
    
    Fixes: 75c5158f70c0 ("timekeeping: Update clocksource with stop_machine")
    Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/158048693917.4378.13823603769948933793.stgit@buzz
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 640d7fb2d29c08aa8c0569853d1df4cfdd3eb333
Author: Ronnie Sahlberg <lsahlber@redhat.com>
Date:   Wed Feb 5 11:08:01 2020 +1000

    cifs: fail i/o on soft mounts if sessionsetup errors out
    
    commit b0dd940e582b6a60296b9847a54012a4b080dc72 upstream.
    
    RHBZ: 1579050
    
    If we have a soft mount we should fail commands for session-setup
    failures (such as the password having changed/ account being deleted/ ...)
    and return an error back to the application.
    
    Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
    Signed-off-by: Steve French <stfrench@microsoft.com>
    CC: Stable <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9a473fc4c82c35d2c54095c09dde1dd7e1dc298f
Author: Christian Borntraeger <borntraeger@de.ibm.com>
Date:   Fri Jan 31 05:02:00 2020 -0500

    KVM: s390: do not clobber registers during guest reset/store status
    
    [ Upstream commit 55680890ea78be0df5e1384989f1be835043c084 ]
    
    The initial CPU reset clobbers the userspace fpc and the store status
    ioctl clobbers the guest acrs + fpr.  As these calls are only done via
    ioctl (and not via vcpu_run), no CPU context is loaded, so we can (and
    must) act directly on the sync regs, not on the thread context.
    
    Cc: stable@kernel.org
    Fixes: e1788bb995be ("KVM: s390: handle floating point registers in the run ioctl not in vcpu_put/load")
    Fixes: 31d8b8d41a7e ("KVM: s390: handle access registers in the run ioctl not in vcpu_put/load")
    Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
    Reviewed-by: David Hildenbrand <david@redhat.com>
    Reviewed-by: Cornelia Huck <cohuck@redhat.com>
    Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
    Link: https://lore.kernel.org/r/20200131100205.74720-2-frankja@linux.ibm.com
    Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0941ce401d489cb4d53b852fbff7cfce3982beb0
Author: Sean Christopherson <sean.j.christopherson@intel.com>
Date:   Wed Jan 8 12:24:38 2020 -0800

    KVM: Play nice with read-only memslots when querying host page size
    
    [ Upstream commit 42cde48b2d39772dba47e680781a32a6c4b7dc33 ]
    
    Avoid the "writable" check in __gfn_to_hva_many(), which will always fail
    on read-only memslots due to gfn_to_hva() assuming writes.  Functionally,
    this allows x86 to create large mappings for read-only memslots that
    are backed by HugeTLB mappings.
    
    Note, the changelog for commit 05da45583de9 ("KVM: MMU: large page
    support") states "If the largepage contains write-protected pages, a
    large pte is not used.", but "write-protected" refers to pages that are
    temporarily read-only, e.g. read-only memslots didn't even exist at the
    time.
    
    Fixes: 4d8b81abc47b ("KVM: introduce readonly memslot")
    Cc: stable@vger.kernel.org
    Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
    [Redone using kvm_vcpu_gfn_to_memslot_prot. - Paolo]
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f8d4d63d8c806bab7d6cb4254f462aa10e5f78ed
Author: Sean Christopherson <sean.j.christopherson@intel.com>
Date:   Wed Jan 8 12:24:37 2020 -0800

    KVM: Use vcpu-specific gva->hva translation when querying host page size
    
    [ Upstream commit f9b84e19221efc5f493156ee0329df3142085f28 ]
    
    Use kvm_vcpu_gfn_to_hva() when retrieving the host page size so that the
    correct set of memslots is used when handling x86 page faults in SMM.
    
    Fixes: 54bf36aac520 ("KVM: x86: use vcpu-specific functions to read/write/translate GFNs")
    Cc: stable@vger.kernel.org
    Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a4870bd1ee22d2a5c8cf720e5f3045999de3bdb0
Author: Miaohe Lin <linmiaohe@huawei.com>
Date:   Sat Dec 28 14:25:24 2019 +0800

    KVM: nVMX: vmread should not set rflags to specify success in case of #PF
    
    [ Upstream commit a4d956b9390418623ae5d07933e2679c68b6f83c ]
    
    In case writing to vmread destination operand result in a #PF, vmread
    should not call nested_vmx_succeed() to set rflags to specify success.
    Similar to as done in VMPTRST (See handle_vmptrst()).
    
    Reviewed-by: Liran Alon <liran.alon@oracle.com>
    Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
    Cc: stable@vger.kernel.org
    Reviewed-by: Sean Christopherson <sean.j.christopherson@intel.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 07157433a3fe520110090d58715591c412e2dbab
Author: Sean Christopherson <sean.j.christopherson@intel.com>
Date:   Tue Dec 10 15:24:32 2019 -0800

    KVM: VMX: Add non-canonical check on writes to RTIT address MSRs
    
    [ Upstream commit fe6ed369fca98e99df55c932b85782a5687526b5 ]
    
    Reject writes to RTIT address MSRs if the data being written is a
    non-canonical address as the MSRs are subject to canonical checks, e.g.
    KVM will trigger an unchecked #GP when loading the values to hardware
    during pt_guest_enter().
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6b26d90d125a1bceee429cb2b839bae8ac8b8b38
Author: Sean Christopherson <sean.j.christopherson@intel.com>
Date:   Tue Jan 7 16:12:10 2020 -0800

    KVM: x86/mmu: Apply max PA check for MMIO sptes to 32-bit KVM
    
    [ Upstream commit e30a7d623dccdb3f880fbcad980b0cb589a1da45 ]
    
    Remove the bogus 64-bit only condition from the check that disables MMIO
    spte optimization when the system supports the max PA, i.e. doesn't have
    any reserved PA bits.  32-bit KVM always uses PAE paging for the shadow
    MMU, and per Intel's SDM:
    
      PAE paging translates 32-bit linear addresses to 52-bit physical
      addresses.
    
    The kernel's restrictions on max physical addresses are limits on how
    much memory the kernel can reasonably use, not what physical addresses
    are supported by hardware.
    
    Fixes: ce88decffd17 ("KVM: MMU: mmio page fault support")
    Cc: stable@vger.kernel.org
    Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0eed3d7100e69e9f05c37ab13f37f42181e35d4d
Author: Sean Christopherson <sean.j.christopherson@intel.com>
Date:   Mon Dec 9 12:19:31 2019 -0800

    KVM: x86: Fix potential put_fpu() w/o load_fpu() on MPX platform
    
    [ Upstream commit f958bd2314d117f8c29f4821401bc1925bc2e5ef ]
    
    Unlike most state managed by XSAVE, MPX is initialized to zero on INIT.
    Because INITs are usually recognized in the context of a VCPU_RUN call,
    kvm_vcpu_reset() puts the guest's FPU so that the FPU state is resident
    in memory, zeros the MPX state, and reloads FPU state to hardware.  But,
    in the unlikely event that an INIT is recognized during
    kvm_arch_vcpu_ioctl_get_mpstate() via kvm_apic_accept_events(),
    kvm_vcpu_reset() will call kvm_put_guest_fpu() without a preceding
    kvm_load_guest_fpu() and corrupt the guest's FPU state (and possibly
    userspace's FPU state as well).
    
    Given that MPX is being removed from the kernel[*], fix the bug with the
    simple-but-ugly approach of loading the guest's FPU during
    KVM_GET_MP_STATE.
    
    [*] See commit f240652b6032b ("x86/mpx: Remove MPX APIs").
    
    Fixes: f775b13eedee2 ("x86,kvm: move qemu/guest FPU switching out to vcpu_run")
    Cc: stable@vger.kernel.org
    Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8d3a5b81348e79168d1fb1a53824d5236b4aaa5f
Author: Josef Bacik <josef@toxicpanda.com>
Date:   Thu Jan 23 15:33:02 2020 -0500

    btrfs: flush write bio if we loop in extent_write_cache_pages
    
    [ Upstream commit 42ffb0bf584ae5b6b38f72259af1e0ee417ac77f ]
    
    There exists a deadlock with range_cyclic that has existed forever.  If
    we loop around with a bio already built we could deadlock with a writer
    who has the page locked that we're attempting to write but is waiting on
    a page in our bio to be written out.  The task traces are as follows
    
      PID: 1329874  TASK: ffff889ebcdf3800  CPU: 33  COMMAND: "kworker/u113:5"
       #0 [ffffc900297bb658] __schedule at ffffffff81a4c33f
       #1 [ffffc900297bb6e0] schedule at ffffffff81a4c6e3
       #2 [ffffc900297bb6f8] io_schedule at ffffffff81a4ca42
       #3 [ffffc900297bb708] __lock_page at ffffffff811f145b
       #4 [ffffc900297bb798] __process_pages_contig at ffffffff814bc502
       #5 [ffffc900297bb8c8] lock_delalloc_pages at ffffffff814bc684
       #6 [ffffc900297bb900] find_lock_delalloc_range at ffffffff814be9ff
       #7 [ffffc900297bb9a0] writepage_delalloc at ffffffff814bebd0
       #8 [ffffc900297bba18] __extent_writepage at ffffffff814bfbf2
       #9 [ffffc900297bba98] extent_write_cache_pages at ffffffff814bffbd
    
      PID: 2167901  TASK: ffff889dc6a59c00  CPU: 14  COMMAND:
      "aio-dio-invalid"
       #0 [ffffc9003b50bb18] __schedule at ffffffff81a4c33f
       #1 [ffffc9003b50bba0] schedule at ffffffff81a4c6e3
       #2 [ffffc9003b50bbb8] io_schedule at ffffffff81a4ca42
       #3 [ffffc9003b50bbc8] wait_on_page_bit at ffffffff811f24d6
       #4 [ffffc9003b50bc60] prepare_pages at ffffffff814b05a7
       #5 [ffffc9003b50bcd8] btrfs_buffered_write at ffffffff814b1359
       #6 [ffffc9003b50bdb0] btrfs_file_write_iter at ffffffff814b5933
       #7 [ffffc9003b50be38] new_sync_write at ffffffff8128f6a8
       #8 [ffffc9003b50bec8] vfs_write at ffffffff81292b9d
       #9 [ffffc9003b50bf00] ksys_pwrite64 at ffffffff81293032
    
    I used drgn to find the respective pages we were stuck on
    
    page_entry.page 0xffffea00fbfc7500 index 8148 bit 15 pid 2167901
    page_entry.page 0xffffea00f9bb7400 index 7680 bit 0 pid 1329874
    
    As you can see the kworker is waiting for bit 0 (PG_locked) on index
    7680, and aio-dio-invalid is waiting for bit 15 (PG_writeback) on index
    8148.  aio-dio-invalid has 7680, and the kworker epd looks like the
    following
    
      crash> struct extent_page_data ffffc900297bbbb0
      struct extent_page_data {
        bio = 0xffff889f747ed830,
        tree = 0xffff889eed6ba448,
        extent_locked = 0,
        sync_io = 0
      }
    
    Probably worth mentioning as well that it waits for writeback of the
    page to complete while holding a lock on it (at prepare_pages()).
    
    Using drgn I walked the bio pages looking for page
    0xffffea00fbfc7500 which is the one we're waiting for writeback on
    
      bio = Object(prog, 'struct bio', address=0xffff889f747ed830)
      for i in range(0, bio.bi_vcnt.value_()):
          bv = bio.bi_io_vec[i]
          if bv.bv_page.value_() == 0xffffea00fbfc7500:
              print("FOUND IT")
    
    which validated what I suspected.
    
    The fix for this is simple, flush the epd before we loop back around to
    the beginning of the file during writeout.
    
    Fixes: b293f02e1423 ("Btrfs: Add writepages support")
    CC: stable@vger.kernel.org # 4.4+
    Reviewed-by: Filipe Manana <fdmanana@suse.com>
    Signed-off-by: Josef Bacik <josef@toxicpanda.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ce02876c29909a62d580035e6dab401e54277bb3
Author: Marios Pomonis <pomonis@google.com>
Date:   Wed Dec 11 12:47:53 2019 -0800

    KVM: x86: Protect pmu_intel.c from Spectre-v1/L1TF attacks
    
    [ Upstream commit 66061740f1a487f4ed54fde75e724709f805da53 ]
    
    This fixes Spectre-v1/L1TF vulnerabilities in intel_find_fixed_event()
    and intel_rdpmc_ecx_to_pmc().
    kvm_rdpmc() (ancestor of intel_find_fixed_event()) and
    reprogram_fixed_counter() (ancestor of intel_rdpmc_ecx_to_pmc()) are
    exported symbols so KVM should treat them conservatively from a security
    perspective.
    
    Fixes: 25462f7f5295 ("KVM: x86/vPMU: Define kvm_pmu_ops to support vPMU function dispatch")
    
    Signed-off-by: Nick Finco <nifi@google.com>
    Signed-off-by: Marios Pomonis <pomonis@google.com>
    Reviewed-by: Andrew Honig <ahonig@google.com>
    Cc: stable@vger.kernel.org
    Reviewed-by: Jim Mattson <jmattson@google.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a31a66fe1c7d27064ecea28f2710979c1e2e66c2
Author: Claudiu Beznea <claudiu.beznea@microchip.com>
Date:   Wed Dec 18 14:28:25 2019 +0200

    drm: atmel-hlcdc: enable clock before configuring timing engine
    
    [ Upstream commit 2c1fb9d86f6820abbfaa38a6836157c76ccb4e7b ]
    
    Changing pixel clock source without having this clock source enabled
    will block the timing engine and the next operations after (in this case
    setting ATMEL_HLCDC_CFG(5) settings in atmel_hlcdc_crtc_mode_set_nofb()
    will fail). It is recomended (although in datasheet this is not present)
    to actually enabled pixel clock source before doing any changes on timing
    enginge (only SAM9X60 datasheet specifies that the peripheral clock and
    pixel clock must be enabled before using LCD controller).
    
    Fixes: 1a396789f65a ("drm: add Atmel HLCDC Display Controller support")
    Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
    Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
    Cc: Boris Brezillon <boris.brezillon@free-electrons.com>
    Cc: <stable@vger.kernel.org> # v4.0+
    Link: https://patchwork.freedesktop.org/patch/msgid/1576672109-22707-3-git-send-email-claudiu.beznea@microchip.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f6eb1d580e7d11db285e781c4ddeec012d72bc1a
Author: Filipe Manana <fdmanana@suse.com>
Date:   Wed Jan 22 12:23:20 2020 +0000

    Btrfs: fix race between adding and putting tree mod seq elements and nodes
    
    [ Upstream commit 7227ff4de55d931bbdc156c8ef0ce4f100c78a5b ]
    
    There is a race between adding and removing elements to the tree mod log
    list and rbtree that can lead to use-after-free problems.
    
    Consider the following example that explains how/why the problems happens:
    
    1) Task A has mod log element with sequence number 200. It currently is
       the only element in the mod log list;
    
    2) Task A calls btrfs_put_tree_mod_seq() because it no longer needs to
       access the tree mod log. When it enters the function, it initializes
       'min_seq' to (u64)-1. Then it acquires the lock 'tree_mod_seq_lock'
       before checking if there are other elements in the mod seq list.
       Since the list it empty, 'min_seq' remains set to (u64)-1. Then it
       unlocks the lock 'tree_mod_seq_lock';
    
    3) Before task A acquires the lock 'tree_mod_log_lock', task B adds
       itself to the mod seq list through btrfs_get_tree_mod_seq() and gets a
       sequence number of 201;
    
    4) Some other task, name it task C, modifies a btree and because there
       elements in the mod seq list, it adds a tree mod elem to the tree
       mod log rbtree. That node added to the mod log rbtree is assigned
       a sequence number of 202;
    
    5) Task B, which is doing fiemap and resolving indirect back references,
       calls btrfs get_old_root(), with 'time_seq' == 201, which in turn
       calls tree_mod_log_search() - the search returns the mod log node
       from the rbtree with sequence number 202, created by task C;
    
    6) Task A now acquires the lock 'tree_mod_log_lock', starts iterating
       the mod log rbtree and finds the node with sequence number 202. Since
       202 is less than the previously computed 'min_seq', (u64)-1, it
       removes the node and frees it;
    
    7) Task B still has a pointer to the node with sequence number 202, and
       it dereferences the pointer itself and through the call to
       __tree_mod_log_rewind(), resulting in a use-after-free problem.
    
    This issue can be triggered sporadically with the test case generic/561
    from fstests, and it happens more frequently with a higher number of
    duperemove processes. When it happens to me, it either freezes the VM or
    it produces a trace like the following before crashing:
    
      [ 1245.321140] general protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI
      [ 1245.321200] CPU: 1 PID: 26997 Comm: pool Not tainted 5.5.0-rc6-btrfs-next-52 #1
      [ 1245.321235] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014
      [ 1245.321287] RIP: 0010:rb_next+0x16/0x50
      [ 1245.321307] Code: ....
      [ 1245.321372] RSP: 0018:ffffa151c4d039b0 EFLAGS: 00010202
      [ 1245.321388] RAX: 6b6b6b6b6b6b6b6b RBX: ffff8ae221363c80 RCX: 6b6b6b6b6b6b6b6b
      [ 1245.321409] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff8ae221363c80
      [ 1245.321439] RBP: ffff8ae20fcc4688 R08: 0000000000000002 R09: 0000000000000000
      [ 1245.321475] R10: ffff8ae20b120910 R11: 00000000243f8bb1 R12: 0000000000000038
      [ 1245.321506] R13: ffff8ae221363c80 R14: 000000000000075f R15: ffff8ae223f762b8
      [ 1245.321539] FS:  00007fdee1ec7700(0000) GS:ffff8ae236c80000(0000) knlGS:0000000000000000
      [ 1245.321591] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 1245.321614] CR2: 00007fded4030c48 CR3: 000000021da16003 CR4: 00000000003606e0
      [ 1245.321642] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [ 1245.321668] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [ 1245.321706] Call Trace:
      [ 1245.321798]  __tree_mod_log_rewind+0xbf/0x280 [btrfs]
      [ 1245.321841]  btrfs_search_old_slot+0x105/0xd00 [btrfs]
      [ 1245.321877]  resolve_indirect_refs+0x1eb/0xc60 [btrfs]
      [ 1245.321912]  find_parent_nodes+0x3dc/0x11b0 [btrfs]
      [ 1245.321947]  btrfs_check_shared+0x115/0x1c0 [btrfs]
      [ 1245.321980]  ? extent_fiemap+0x59d/0x6d0 [btrfs]
      [ 1245.322029]  extent_fiemap+0x59d/0x6d0 [btrfs]
      [ 1245.322066]  do_vfs_ioctl+0x45a/0x750
      [ 1245.322081]  ksys_ioctl+0x70/0x80
      [ 1245.322092]  ? trace_hardirqs_off_thunk+0x1a/0x1c
      [ 1245.322113]  __x64_sys_ioctl+0x16/0x20
      [ 1245.322126]  do_syscall_64+0x5c/0x280
      [ 1245.322139]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [ 1245.322155] RIP: 0033:0x7fdee3942dd7
      [ 1245.322177] Code: ....
      [ 1245.322258] RSP: 002b:00007fdee1ec6c88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
      [ 1245.322294] RAX: ffffffffffffffda RBX: 00007fded40210d8 RCX: 00007fdee3942dd7
      [ 1245.322314] RDX: 00007fded40210d8 RSI: 00000000c020660b RDI: 0000000000000004
      [ 1245.322337] RBP: 0000562aa89e7510 R08: 0000000000000000 R09: 00007fdee1ec6d44
      [ 1245.322369] R10: 0000000000000073 R11: 0000000000000246 R12: 00007fdee1ec6d48
      [ 1245.322390] R13: 00007fdee1ec6d40 R14: 00007fded40210d0 R15: 00007fdee1ec6d50
      [ 1245.322423] Modules linked in: ....
      [ 1245.323443] ---[ end trace 01de1e9ec5dff3cd ]---
    
    Fix this by ensuring that btrfs_put_tree_mod_seq() computes the minimum
    sequence number and iterates the rbtree while holding the lock
    'tree_mod_log_lock' in write mode. Also get rid of the 'tree_mod_seq_lock'
    lock, since it is now redundant.
    
    Fixes: bd989ba359f2ac ("Btrfs: add tree modification log functions")
    Fixes: 097b8a7c9e48e2 ("Btrfs: join tree mod log code with the code holding back delayed refs")
    CC: stable@vger.kernel.org # 4.4+
    Reviewed-by: Josef Bacik <josef@toxicpanda.com>
    Reviewed-by: Nikolay Borisov <nborisov@suse.com>
    Signed-off-by: Filipe Manana <fdmanana@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1066f7e4bcb93336df322ece6c1e468dd103c810
Author: David Sterba <dsterba@suse.com>
Date:   Mon Mar 5 15:43:41 2018 +0100

    btrfs: remove trivial locking wrappers of tree mod log
    
    [ Upstream commit b1a09f1ec540408abf3a50d15dff5d9506932693 ]
    
    The wrappers are trivial and do not bring any extra value on top of the
    plain locking primitives.
    
    Reviewed-by: Nikolay Borisov <nborisov@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8d9ec3725592cb97012d3a2a4eedbd880538d7b2
Author: Josef Bacik <josef@toxicpanda.com>
Date:   Tue Jan 21 09:17:06 2020 -0500

    btrfs: free block groups after free'ing fs trees
    
    [ Upstream commit 4e19443da1941050b346f8fc4c368aa68413bc88 ]
    
    Sometimes when running generic/475 we would trip the
    WARN_ON(cache->reserved) check when free'ing the block groups on umount.
    This is because sometimes we don't commit the transaction because of IO
    errors and thus do not cleanup the tree logs until at umount time.
    
    These blocks are still reserved until they are cleaned up, but they
    aren't cleaned up until _after_ we do the free block groups work.  Fix
    this by moving the free after free'ing the fs roots, that way all of the
    tree logs are cleaned up and we have a properly cleaned fs.  A bunch of
    loops of generic/475 confirmed this fixes the problem.
    
    CC: stable@vger.kernel.org # 4.9+
    Signed-off-by: Josef Bacik <josef@toxicpanda.com>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 71f54d0173e947c09b5dfaf155bf3756afca5326
Author: Anand Jain <anand.jain@oracle.com>
Date:   Thu Oct 10 10:39:25 2019 +0800

    btrfs: use bool argument in free_root_pointers()
    
    [ Upstream commit 4273eaff9b8d5e141113a5bdf9628c02acf3afe5 ]
    
    We don't need int argument bool shall do in free_root_pointers().  And
    rename the argument as it confused two people.
    
    Reviewed-by: Qu Wenruo <wqu@suse.com>
    Signed-off-by: Anand Jain <anand.jain@oracle.com>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1d5a59051c77b9ab36c1d03b709588f541a1e1ed
Author: Filipe Manana <fdmanana@suse.com>
Date:   Tue Nov 19 12:07:33 2019 +0000

    Btrfs: fix missing hole after hole punching and fsync when using NO_HOLES
    
    [ Upstream commit 0e56315ca147b3e60c7bf240233a301d3c7fb508 ]
    
    When using the NO_HOLES feature, if we punch a hole into a file and then
    fsync it, there are cases where a subsequent fsync will miss the fact that
    a hole was punched, resulting in the holes not existing after replaying
    the log tree.
    
    Essentially these cases all imply that, tree-log.c:copy_items(), is not
    invoked for the leafs that delimit holes, because nothing changed those
    leafs in the current transaction. And it's precisely copy_items() where
    we currenly detect and log holes, which works as long as the holes are
    between file extent items in the input leaf or between the beginning of
    input leaf and the previous leaf or between the last item in the leaf
    and the next leaf.
    
    First example where we miss a hole:
    
      *) The extent items of the inode span multiple leafs;
    
      *) The punched hole covers a range that affects only the extent items of
         the first leaf;
    
      *) The fsync operation is done in full mode (BTRFS_INODE_NEEDS_FULL_SYNC
         is set in the inode's runtime flags).
    
      That results in the hole not existing after replaying the log tree.
    
      For example, if the fs/subvolume tree has the following layout for a
      particular inode:
    
          Leaf N, generation 10:
    
          [ ... INODE_ITEM INODE_REF EXTENT_ITEM (0 64K) EXTENT_ITEM (64K 128K) ]
    
          Leaf N + 1, generation 10:
    
          [ EXTENT_ITEM (128K 64K) ... ]
    
      If at transaction 11 we punch a hole coverting the range [0, 128K[, we end
      up dropping the two extent items from leaf N, but we don't touch the other
      leaf, so we end up in the following state:
    
          Leaf N, generation 11:
    
          [ ... INODE_ITEM INODE_REF ]
    
          Leaf N + 1, generation 10:
    
          [ EXTENT_ITEM (128K 64K) ... ]
    
      A full fsync after punching the hole will only process leaf N because it
      was modified in the current transaction, but not leaf N + 1, since it
      was not modified in the current transaction (generation 10 and not 11).
      As a result the fsync will not log any holes, because it didn't process
      any leaf with extent items.
    
    Second example where we will miss a hole:
    
      *) An inode as its items spanning 5 (or more) leafs;
    
      *) A hole is punched and it covers only the extents items of the 3rd
         leaf. This resulsts in deleting the entire leaf and not touching any
         of the other leafs.
    
      So the only leaf that is modified in the current transaction, when
      punching the hole, is the first leaf, which contains the inode item.
      During the full fsync, the only leaf that is passed to copy_items()
      is that first leaf, and that's not enough for the hole detection
      code in copy_items() to determine there's a hole between the last
      file extent item in the 2nd leaf and the first file extent item in
      the 3rd leaf (which was the 4th leaf before punching the hole).
    
    Fix this by scanning all leafs and punch holes as necessary when doing a
    full fsync (less common than a non-full fsync) when the NO_HOLES feature
    is enabled. The lack of explicit file extent items to mark holes makes it
    necessary to scan existing extents to determine if holes exist.
    
    A test case for fstests follows soon.
    
    Fixes: 16e7549f045d33 ("Btrfs: incompatible format change to remove hole extents")
    CC: stable@vger.kernel.org # 4.4+
    Reviewed-by: Josef Bacik <josef@toxicpanda.com>
    Signed-off-by: Filipe Manana <fdmanana@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8a024c09cb4364fd2c7d676c1df26a975875b480
Author: Filipe Manana <fdmanana@suse.com>
Date:   Tue Mar 19 17:18:13 2019 +0000

    Btrfs: fix assertion failure on fsync with NO_HOLES enabled
    
    [ Upstream commit 0ccc3876e4b2a1559a4dbe3126dda4459d38a83b ]
    
    Back in commit a89ca6f24ffe4 ("Btrfs: fix fsync after truncate when
    no_holes feature is enabled") I added an assertion that is triggered when
    an inline extent is found to assert that the length of the (uncompressed)
    data the extent represents is the same as the i_size of the inode, since
    that is true most of the time I couldn't find or didn't remembered about
    any exception at that time. Later on the assertion was expanded twice to
    deal with a case of a compressed inline extent representing a range that
    matches the sector size followed by an expanding truncate, and another
    case where fallocate can update the i_size of the inode without adding
    or updating existing extents (if the fallocate range falls entirely within
    the first block of the file). These two expansion/fixes of the assertion
    were done by commit 7ed586d0a8241 ("Btrfs: fix assertion on fsync of
    regular file when using no-holes feature") and commit 6399fb5a0b69a
    ("Btrfs: fix assertion failure during fsync in no-holes mode").
    These however missed the case where an falloc expands the i_size of an
    inode to exactly the sector size and inline extent exists, for example:
    
     $ mkfs.btrfs -f -O no-holes /dev/sdc
     $ mount /dev/sdc /mnt
    
     $ xfs_io -f -c "pwrite -S 0xab 0 1096" /mnt/foobar
     wrote 1096/1096 bytes at offset 0
     1 KiB, 1 ops; 0.0002 sec (4.448 MiB/sec and 4255.3191 ops/sec)
    
     $ xfs_io -c "falloc 1096 3000" /mnt/foobar
     $ xfs_io -c "fsync" /mnt/foobar
     Segmentation fault
    
     $ dmesg
     [701253.602385] assertion failed: len == i_size || (len == fs_info->sectorsize && btrfs_file_extent_compression(leaf, extent) != BTRFS_COMPRESS_NONE) || (len < i_size && i_size < fs_info->sectorsize), file: fs/btrfs/tree-log.c, line: 4727
     [701253.602962] ------------[ cut here ]------------
     [701253.603224] kernel BUG at fs/btrfs/ctree.h:3533!
     [701253.603503] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC PTI
     [701253.603774] CPU: 2 PID: 7192 Comm: xfs_io Tainted: G        W         5.0.0-rc8-btrfs-next-45 #1
     [701253.604054] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.2-0-gf9626ccb91-prebuilt.qemu-project.org 04/01/2014
     [701253.604650] RIP: 0010:assfail.constprop.23+0x18/0x1a [btrfs]
     (...)
     [701253.605591] RSP: 0018:ffffbb48c186bc48 EFLAGS: 00010286
     [701253.605914] RAX: 00000000000000de RBX: ffff921d0a7afc08 RCX: 0000000000000000
     [701253.606244] RDX: 0000000000000000 RSI: ffff921d36b16868 RDI: ffff921d36b16868
     [701253.606580] RBP: ffffbb48c186bcf0 R08: 0000000000000000 R09: 0000000000000000
     [701253.606913] R10: 0000000000000003 R11: 0000000000000000 R12: ffff921d05d2de18
     [701253.607247] R13: ffff921d03b54000 R14: 0000000000000448 R15: ffff921d059ecf80
     [701253.607769] FS:  00007f14da906700(0000) GS:ffff921d36b00000(0000) knlGS:0000000000000000
     [701253.608163] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
     [701253.608516] CR2: 000056087ea9f278 CR3: 00000002268e8001 CR4: 00000000003606e0
     [701253.608880] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
     [701253.609250] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
     [701253.609608] Call Trace:
     [701253.609994]  btrfs_log_inode+0xdfb/0xe40 [btrfs]
     [701253.610383]  btrfs_log_inode_parent+0x2be/0xa60 [btrfs]
     [701253.610770]  ? do_raw_spin_unlock+0x49/0xc0
     [701253.611150]  btrfs_log_dentry_safe+0x4a/0x70 [btrfs]
     [701253.611537]  btrfs_sync_file+0x3b2/0x440 [btrfs]
     [701253.612010]  ? do_sysinfo+0xb0/0xf0
     [701253.612552]  do_fsync+0x38/0x60
     [701253.612988]  __x64_sys_fsync+0x10/0x20
     [701253.613360]  do_syscall_64+0x60/0x1b0
     [701253.613733]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
     [701253.614103] RIP: 0033:0x7f14da4e66d0
     (...)
     [701253.615250] RSP: 002b:00007fffa670fdb8 EFLAGS: 00000246 ORIG_RAX: 000000000000004a
     [701253.615647] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f14da4e66d0
     [701253.616047] RDX: 000056087ea9c260 RSI: 000056087ea9c260 RDI: 0000000000000003
     [701253.616450] RBP: 0000000000000001 R08: 0000000000000020 R09: 0000000000000010
     [701253.616854] R10: 000000000000009b R11: 0000000000000246 R12: 000056087ea9c260
     [701253.617257] R13: 000056087ea9c240 R14: 0000000000000000 R15: 000056087ea9dd10
     (...)
     [701253.619941] ---[ end trace e088d74f132b6da5 ]---
    
    Updating the assertion again to allow for this particular case would result
    in a meaningless assertion, plus there is currently no risk of logging
    content that would result in any corruption after a log replay if the size
    of the data encoded in an inline extent is greater than the inode's i_size
    (which is not currently possibe either with or without compression),
    therefore just remove the assertion.
    
    CC: stable@vger.kernel.org # 4.4+
    Signed-off-by: Filipe Manana <fdmanana@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit cf1569db065f8c9cb9f0c73ff8951f4071b29976
Author: Qu Wenruo <wqu@suse.com>
Date:   Wed Jun 6 15:41:49 2018 +0800

    btrfs: Get rid of the confusing btrfs_file_extent_inline_len
    
    [ Upstream commit e41ca5897489b1c18af75ff0cc8f5c80260b3281 ]
    
    We used to call btrfs_file_extent_inline_len() to get the uncompressed
    data size of an inlined extent.
    
    However this function is hiding evil, for compressed extent, it has no
    choice but to directly read out ram_bytes from btrfs_file_extent_item.
    While for uncompressed extent, it uses item size to calculate the real
    data size, and ignoring ram_bytes completely.
    
    In fact, for corrupted ram_bytes, due to above behavior kernel
    btrfs_print_leaf() can't even print correct ram_bytes to expose the bug.
    
    Since we have the tree-checker to verify all EXTENT_DATA, such mismatch
    can be detected pretty easily, thus we can trust ram_bytes without the
    evil btrfs_file_extent_inline_len().
    
    Signed-off-by: Qu Wenruo <wqu@suse.com>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 7be41b349ca90dcbdea4bb33e212f977c76b4040
Author: Eric Biggers <ebiggers@google.com>
Date:   Tue Dec 31 12:11:49 2019 -0600

    ext4: fix deadlock allocating crypto bounce page from mempool
    
    [ Upstream commit 547c556f4db7c09447ecf5f833ab6aaae0c5ab58 ]
    
    ext4_writepages() on an encrypted file has to encrypt the data, but it
    can't modify the pagecache pages in-place, so it encrypts the data into
    bounce pages and writes those instead.  All bounce pages are allocated
    from a mempool using GFP_NOFS.
    
    This is not correct use of a mempool, and it can deadlock.  This is
    because GFP_NOFS includes __GFP_DIRECT_RECLAIM, which enables the "never
    fail" mode for mempool_alloc() where a failed allocation will fall back
    to waiting for one of the preallocated elements in the pool.
    
    But since this mode is used for all a bio's pages and not just the
    first, it can deadlock waiting for pages already in the bio to be freed.
    
    This deadlock can be reproduced by patching mempool_alloc() to pretend
    that pool->alloc() always fails (so that it always falls back to the
    preallocations), and then creating an encrypted file of size > 128 KiB.
    
    Fix it by only using GFP_NOFS for the first page in the bio.  For
    subsequent pages just use GFP_NOWAIT, and if any of those fail, just
    submit the bio and start a new one.
    
    This will need to be fixed in f2fs too, but that's less straightforward.
    
    Fixes: c9af28fdd449 ("ext4 crypto: don't let data integrity writebacks fail with ENOMEM")
    Cc: stable@vger.kernel.org
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Link: https://lore.kernel.org/r/20191231181149.47619-1-ebiggers@kernel.org
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3576bb20416f9f34a75b492c6c969e8446aad24e
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Feb 4 19:26:05 2020 -0800

    bonding/alb: properly access headers in bond_alb_xmit()
    
    [ Upstream commit 38f88c45404293bbc027b956def6c10cbd45c616 ]
    
    syzbot managed to send an IPX packet through bond_alb_xmit()
    and af_packet and triggered a use-after-free.
    
    First, bond_alb_xmit() was using ipx_hdr() helper to reach
    the IPX header, but ipx_hdr() was using the transport offset
    instead of the network offset. In the particular syzbot
    report transport offset was 0xFFFF
    
    This patch removes ipx_hdr() since it was only (mis)used from bonding.
    
    Then we need to make sure IPv4/IPv6/IPX headers are pulled
    in skb->head before dereferencing anything.
    
    BUG: KASAN: use-after-free in bond_alb_xmit+0x153a/0x1590 drivers/net/bonding/bond_alb.c:1452
    Read of size 2 at addr ffff8801ce56dfff by task syz-executor.2/18108
     (if (ipx_hdr(skb)->ipx_checksum != IPX_NO_CHECKSUM) ...)
    
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     [<ffffffff8441fc42>] __dump_stack lib/dump_stack.c:17 [inline]
     [<ffffffff8441fc42>] dump_stack+0x14d/0x20b lib/dump_stack.c:53
     [<ffffffff81a7dec4>] print_address_description+0x6f/0x20b mm/kasan/report.c:282
     [<ffffffff81a7e0ec>] kasan_report_error mm/kasan/report.c:380 [inline]
     [<ffffffff81a7e0ec>] kasan_report mm/kasan/report.c:438 [inline]
     [<ffffffff81a7e0ec>] kasan_report.cold+0x8c/0x2a0 mm/kasan/report.c:422
     [<ffffffff81a7dc4f>] __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:469
     [<ffffffff82c8c00a>] bond_alb_xmit+0x153a/0x1590 drivers/net/bonding/bond_alb.c:1452
     [<ffffffff82c60c74>] __bond_start_xmit drivers/net/bonding/bond_main.c:4199 [inline]
     [<ffffffff82c60c74>] bond_start_xmit+0x4f4/0x1570 drivers/net/bonding/bond_main.c:4224
     [<ffffffff83baa558>] __netdev_start_xmit include/linux/netdevice.h:4525 [inline]
     [<ffffffff83baa558>] netdev_start_xmit include/linux/netdevice.h:4539 [inline]
     [<ffffffff83baa558>] xmit_one net/core/dev.c:3611 [inline]
     [<ffffffff83baa558>] dev_hard_start_xmit+0x168/0x910 net/core/dev.c:3627
     [<ffffffff83bacf35>] __dev_queue_xmit+0x1f55/0x33b0 net/core/dev.c:4238
     [<ffffffff83bae3a8>] dev_queue_xmit+0x18/0x20 net/core/dev.c:4278
     [<ffffffff84339189>] packet_snd net/packet/af_packet.c:3226 [inline]
     [<ffffffff84339189>] packet_sendmsg+0x4919/0x70b0 net/packet/af_packet.c:3252
     [<ffffffff83b1ac0c>] sock_sendmsg_nosec net/socket.c:673 [inline]
     [<ffffffff83b1ac0c>] sock_sendmsg+0x12c/0x160 net/socket.c:684
     [<ffffffff83b1f5a2>] __sys_sendto+0x262/0x380 net/socket.c:1996
     [<ffffffff83b1f700>] SYSC_sendto net/socket.c:2008 [inline]
     [<ffffffff83b1f700>] SyS_sendto+0x40/0x60 net/socket.c:2004
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Cc: Jay Vosburgh <j.vosburgh@gmail.com>
    Cc: Veaceslav Falico <vfalico@gmail.com>
    Cc: Andy Gospodarek <andy@greyhouse.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 196491f360855e6042dc372bb303b69794fefb99
Author: Harini Katakam <harini.katakam@xilinx.com>
Date:   Wed Feb 5 18:08:12 2020 +0530

    net: macb: Limit maximum GEM TX length in TSO
    
    [ Upstream commit f822e9c4ffa511a5c681cf866287d9383a3b6f1b ]
    
    GEM_MAX_TX_LEN currently resolves to 0x3FF8 for any IP version supporting
    TSO with full 14bits of length field in payload descriptor. But an IP
    errata causes false amba_error (bit 6 of ISR) when length in payload
    descriptors is specified above 16387. The error occurs because the DMA
    falsely concludes that there is not enough space in SRAM for incoming
    payload. These errors were observed continuously under stress of large
    packets using iperf on a version where SRAM was 16K for each queue. This
    errata will be documented shortly and affects all versions since TSO
    functionality was added. Hence limit the max length to 0x3FC0 (rounded).
    
    Signed-off-by: Harini Katakam <harini.katakam@xilinx.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 03d7740a4c3925f05de82f61b3fe50359280e146
Author: Harini Katakam <harini.katakam@xilinx.com>
Date:   Wed Feb 5 18:08:11 2020 +0530

    net: macb: Remove unnecessary alignment check for TSO
    
    [ Upstream commit 41c1ef978c8d0259c6636e6d2d854777e92650eb ]
    
    The IP TSO implementation does NOT require the length to be a
    multiple of 8. That is only a requirement for UFO as per IP
    documentation. Hence, exit macb_features_check function in the
    beginning if the protocol is not UDP. Only when it is UDP,
    proceed further to the alignment checks. Update comments to
    reflect the same. Also remove dead code checking for protocol
    TCP when calculating header length.
    
    Fixes: 1629dd4f763c ("cadence: Add LSO support.")
    Signed-off-by: Harini Katakam <harini.katakam@xilinx.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1d4754d49fb86f8521c9b3c99242daae80e3776d
Author: Florian Fainelli <f.fainelli@gmail.com>
Date:   Wed Feb 5 12:32:04 2020 -0800

    net: systemport: Avoid RBUF stuck in Wake-on-LAN mode
    
    [ Upstream commit 263a425a482fc495d6d3f9a29b9103a664c38b69 ]
    
    After a number of suspend and resume cycles, it is possible for the RBUF
    to be stuck in Wake-on-LAN mode, despite the MPD enable bit being
    cleared which instructed the RBUF to exit that mode.
    
    Avoid creating that problematic condition by clearing the RX_EN and
    TX_EN bits in the UniMAC prior to disable the Magic Packet Detector
    logic which is guaranteed to make the RBUF exit Wake-on-LAN mode.
    
    Fixes: 83e82f4c706b ("net: systemport: add Wake-on-LAN support")
    Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e79fbd72dca656e3c8f89bb4ebbcc369f5e40774
Author: Cong Wang <xiyou.wangcong@gmail.com>
Date:   Tue Feb 4 11:10:12 2020 -0800

    net_sched: fix a resource leak in tcindex_set_parms()
    
    [ Upstream commit 52b5ae501c045010aeeb1d5ac0373ff161a88291 ]
    
    Jakub noticed there is a potential resource leak in
    tcindex_set_parms(): when tcindex_filter_result_init() fails
    and it jumps to 'errout1' which doesn't release the memory
    and resources allocated by tcindex_alloc_perfect_hash().
    
    We should just jump to 'errout_alloc' which calls
    tcindex_free_perfect_hash().
    
    Fixes: b9a24bb76bf6 ("net_sched: properly handle failure case of tcf_exts_init()")
    Reported-by: Jakub Kicinski <kuba@kernel.org>
    Cc: Jamal Hadi Salim <jhs@mojatatu.com>
    Cc: Jiri Pirko <jiri@resnulli.us>
    Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ad998ed96e150faed0d0f148d12d66dd6ce20e9f
Author: Florian Fainelli <f.fainelli@gmail.com>
Date:   Thu Feb 6 11:23:52 2020 -0800

    net: dsa: bcm_sf2: Only 7278 supports 2Gb/sec IMP port
    
    [ Upstream commit de34d7084edd069dac5aa010cfe32bd8c4619fa6 ]
    
    The 7445 switch clocking profiles do not allow us to run the IMP port at
    2Gb/sec in a way that it is reliable and consistent. Make sure that the
    setting is only applied to the 7278 family.
    
    Fixes: 8f1880cbe8d0 ("net: dsa: bcm_sf2: Configure IMP port for 2Gb/sec")
    Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c338e06f4ae39cb2cc1f14de6068b643a24049ea
Author: Andreas Kemnade <andreas@kemnade.info>
Date:   Fri Jan 17 22:59:22 2020 +0100

    mfd: rn5t618: Mark ADC control register volatile
    
    commit 2f3dc25c0118de03a00ddc88b61f7216854f534d upstream.
    
    There is a bit which gets cleared after conversion.
    
    Fixes: 9bb9e29c78f8 ("mfd: Add Ricoh RN5T618 PMIC core driver")
    Signed-off-by: Andreas Kemnade <andreas@kemnade.info>
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 31aa47d4e26083842729dd480593a743e94c315a
Author: Marco Felsch <m.felsch@pengutronix.de>
Date:   Wed Jan 8 10:57:02 2020 +0100

    mfd: da9062: Fix watchdog compatible string
    
    commit 1112ba02ff1190ca9c15a912f9269e54b46d2d82 upstream.
    
    The watchdog driver compatible is "dlg,da9062-watchdog" and not
    "dlg,da9062-wdt". Therefore the mfd-core can't populate the of_node and
    fwnode. As result the watchdog driver can't parse the devicetree.
    
    Fixes: 9b40b030c4ad ("mfd: da9062: Supply core driver")
    Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
    Acked-by: Guenter Roeck <linux@roeck-us.net>
    Reviewed-by: Adam Thomson <Adam.Thomson.Opensource@diasemi.com>
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c91730d38fd7f8151eb6f9d4a4f39d06170d3d40
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon Jan 13 16:23:46 2020 +0300

    ubi: Fix an error pointer dereference in error handling code
    
    commit 5d3805af279c93ef49a64701f35254676d709622 upstream.
    
    If "seen_pebs = init_seen(ubi);" fails then "seen_pebs" is an error pointer
    and we try to kfree() it which results in an Oops.
    
    This patch re-arranges the error handling so now it only frees things
    which have been allocated successfully.
    
    Fixes: daef3dd1f0ae ("UBI: Fastmap: Add self check to detect absent PEBs")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Richard Weinberger <richard@nod.at>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9ab31c4b1d7be0acea4fc14f7687e5d90d1321de
Author: Sascha Hauer <s.hauer@pengutronix.de>
Date:   Wed Oct 23 11:58:12 2019 +0200

    ubi: fastmap: Fix inverted logic in seen selfcheck
    
    commit ef5aafb6e4e9942a28cd300bdcda21ce6cbaf045 upstream.
    
    set_seen() sets the bit corresponding to the PEB number in the bitmap,
    so when self_check_seen() wants to find PEBs that haven't been seen we
    have to print the PEBs that have their bit cleared, not the ones which
    have it set.
    
    Fixes: 5d71afb00840 ("ubi: Use bitmaps in Fastmap self-check code")
    Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
    Signed-off-by: Richard Weinberger <richard@nod.at>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a0f808e5594127631d07e4059e59450afe99ea8b
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Mon Nov 4 14:43:17 2019 +0100

    nfsd: fix jiffies/time_t mixup in LRU list
    
    commit 9594497f2c78993cb66b696122f7c65528ace985 upstream.
    
    The nfsd4_blocked_lock->nbl_time timestamp is recorded in jiffies,
    but then compared to a CLOCK_REALTIME timestamp later on, which makes
    no sense.
    
    For consistency with the other timestamps, change this to use a time_t.
    
    This is a change in behavior, which may cause regressions, but the
    current code is not sensible. On a system with CONFIG_HZ=1000,
    the 'time_after((unsigned long)nbl->nbl_time, (unsigned long)cutoff))'
    check is false for roughly the first 18 days of uptime and then true
    for the next 49 days.
    
    Fixes: 7919d0a27f1e ("nfsd: add a LRU list for blocked locks")
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7558ea7f5ef69b48474ce3a1b468dde3e0bc7e5b
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Sun Nov 3 22:32:20 2019 +0100

    nfsd: fix delay timer on 32-bit architectures
    
    commit 2561c92b12f4f4e386d453556685f75775c0938b upstream.
    
    The nfsd4_cb_layout_done() function takes a 'time_t' value,
    multiplied by NSEC_PER_SEC*2 to get a nanosecond value.
    
    This works fine on 64-bit architectures, but on 32-bit, any
    value over 1 second results in a signed integer overflow
    with unexpected results.
    
    Cast one input to a 64-bit type in order to produce the
    same result that we have on 64-bit architectures, regarless
    of the type of nfsd4_lease.
    
    Fixes: 6b9b21073d3b ("nfsd: give up on CB_LAYOUTRECALLs after two lease periods")
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fc18aad70b27ccd194aae04aa91a7c2eecbe0835
Author: Yishai Hadas <yishaih@mellanox.com>
Date:   Sun Dec 22 14:46:48 2019 +0200

    IB/core: Fix ODP get user pages flow
    
    commit d07de8bd1709a80a282963ad7b2535148678a9e4 upstream.
    
    The nr_pages argument of get_user_pages_remote() should always be in terms
    of the system page size, not the MR page size. Use PAGE_SIZE instead of
    umem_odp->page_shift.
    
    Fixes: 403cd12e2cf7 ("IB/umem: Add contiguous ODP support")
    Link: https://lore.kernel.org/r/20191222124649.52300-3-leon@kernel.org
    Signed-off-by: Yishai Hadas <yishaih@mellanox.com>
    Reviewed-by: Artemy Kovalyov <artemyko@mellanox.com>
    Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
    Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
    Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 47e1f185a32a1fc79344ab3532f8c97bc3e2a420
Author: Prabhath Sajeepa <psajeepa@purestorage.com>
Date:   Thu Dec 12 17:11:29 2019 -0700

    IB/mlx5: Fix outstanding_pi index for GSI qps
    
    commit b5671afe5e39ed71e94eae788bacdcceec69db09 upstream.
    
    Commit b0ffeb537f3a ("IB/mlx5: Fix iteration overrun in GSI qps") changed
    the way outstanding WRs are tracked for the GSI QP. But the fix did not
    cover the case when a call to ib_post_send() fails and updates index to
    track outstanding.
    
    Since the prior commmit outstanding_pi should not be bounded otherwise the
    loop generate_completions() will fail.
    
    Fixes: b0ffeb537f3a ("IB/mlx5: Fix iteration overrun in GSI qps")
    Link: https://lore.kernel.org/r/1576195889-23527-1-git-send-email-psajeepa@purestorage.com
    Signed-off-by: Prabhath Sajeepa <psajeepa@purestorage.com>
    Acked-by: Leon Romanovsky <leonro@mellanox.com>
    Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0b8e15f035ecc7dfc27e3cefc9c2833c166634ab
Author: Nathan Chancellor <natechancellor@gmail.com>
Date:   Mon Dec 9 14:16:23 2019 -0700

    net: tulip: Adjust indentation in {dmfe, uli526x}_init_module
    
    commit fe06bf3d83ef0d92f35a24e03297172e92ce9ce3 upstream.
    
    Clang warns:
    
    ../drivers/net/ethernet/dec/tulip/uli526x.c:1812:3: warning: misleading
    indentation; statement is not part of the previous 'if'
    [-Wmisleading-indentation]
            switch (mode) {
            ^
    ../drivers/net/ethernet/dec/tulip/uli526x.c:1809:2: note: previous
    statement is here
            if (cr6set)
            ^
    1 warning generated.
    
    ../drivers/net/ethernet/dec/tulip/dmfe.c:2217:3: warning: misleading
    indentation; statement is not part of the previous 'if'
    [-Wmisleading-indentation]
            switch(mode) {
            ^
    ../drivers/net/ethernet/dec/tulip/dmfe.c:2214:2: note: previous
    statement is here
            if (cr6set)
            ^
    1 warning generated.
    
    This warning occurs because there is a space before the tab on these
    lines. Remove them so that the indentation is consistent with the Linux
    kernel coding style and clang no longer warns.
    
    While we are here, adjust the default block in dmfe_init_module to have
    a proper break between the label and assignment and add a space between
    the switch and opening parentheses to avoid a checkpatch warning.
    
    Fixes: e1c3e5014040 ("[PATCH] initialisation cleanup for ULI526x-net-driver")
    Link: https://github.com/ClangBuiltLinux/linux/issues/795
    Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 94268998e37bc216e122217716e0c6bd64b0f567
Author: Nathan Chancellor <natechancellor@gmail.com>
Date:   Mon Dec 9 14:50:27 2019 -0700

    net: smc911x: Adjust indentation in smc911x_phy_configure
    
    commit 5c61e223004b3b5c3f1dd25718e979bc17a3b12d upstream.
    
    Clang warns:
    
    ../drivers/net/ethernet/smsc/smc911x.c:939:3: warning: misleading
    indentation; statement is not part of the previous 'if'
    [-Wmisleading-indentation]
             if (!lp->ctl_rfduplx)
             ^
    ../drivers/net/ethernet/smsc/smc911x.c:936:2: note: previous statement
    is here
            if (lp->ctl_rspeed != 100)
            ^
    1 warning generated.
    
    This warning occurs because there is a space after the tab on this line.
    Remove it so that the indentation is consistent with the Linux kernel
    coding style and clang no longer warns.
    
    Fixes: 0a0c72c9118c ("[PATCH] RE: [PATCH 1/1] net driver: Add support for SMSC LAN911x line of ethernet chips")
    Link: https://github.com/ClangBuiltLinux/linux/issues/796
    Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e94b702430344fb4e0bf2dedcad1f2f17cfbfa39
Author: Nathan Chancellor <natechancellor@gmail.com>
Date:   Mon Dec 9 15:38:59 2019 -0700

    ppp: Adjust indentation into ppp_async_input
    
    commit 08cbc75f96029d3092664213a844a5e25523aa35 upstream.
    
    Clang warns:
    
    ../drivers/net/ppp/ppp_async.c:877:6: warning: misleading indentation;
    statement is not part of the previous 'if' [-Wmisleading-indentation]
                                    ap->rpkt = skb;
                                    ^
    ../drivers/net/ppp/ppp_async.c:875:5: note: previous statement is here
                                    if (!skb)
                                    ^
    1 warning generated.
    
    This warning occurs because there is a space before the tab on this
    line. Clean up this entire block's indentation so that it is consistent
    with the Linux kernel coding style and clang no longer warns.
    
    Fixes: 6722e78c9005 ("[PPP]: handle misaligned accesses")
    Link: https://github.com/ClangBuiltLinux/linux/issues/800
    Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c4ceea2c97fc0517571e563d8fedd80231b3895e
Author: Nathan Chancellor <natechancellor@gmail.com>
Date:   Tue Dec 17 18:21:52 2019 -0700

    NFC: pn544: Adjust indentation in pn544_hci_check_presence
    
    commit 5080832627b65e3772a35d1dced68c64e2b24442 upstream.
    
    Clang warns
    
    ../drivers/nfc/pn544/pn544.c:696:4: warning: misleading indentation;
    statement is not part of the previous 'if' [-Wmisleading-indentation]
                     return nfc_hci_send_cmd(hdev, NFC_HCI_RF_READER_A_GATE,
                     ^
    ../drivers/nfc/pn544/pn544.c:692:3: note: previous statement is here
                    if (target->nfcid1_len != 4 && target->nfcid1_len != 7 &&
                    ^
    1 warning generated.
    
    This warning occurs because there is a space after the tab on this line.
    Remove it so that the indentation is consistent with the Linux kernel
    coding style and clang no longer warns.
    
    Fixes: da052850b911 ("NFC: Add pn544 presence check for different targets")
    Link: https://github.com/ClangBuiltLinux/linux/issues/814
    Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4f91c79cd4fe68908e6844560bee3b581aea6c41
Author: Nathan Chancellor <natechancellor@gmail.com>
Date:   Mon Dec 9 13:03:38 2019 -0700

    powerpc/44x: Adjust indentation in ibm4xx_denali_fixup_memsize
    
    commit c3aae14e5d468d18dbb5d7c0c8c7e2968cc14aad upstream.
    
    Clang warns:
    
    ../arch/powerpc/boot/4xx.c:231:3: warning: misleading indentation;
    statement is not part of the previous 'else' [-Wmisleading-indentation]
            val = SDRAM0_READ(DDR0_42);
            ^
    ../arch/powerpc/boot/4xx.c:227:2: note: previous statement is here
            else
            ^
    
    This is because there is a space at the beginning of this line; remove
    it so that the indentation is consistent according to the Linux kernel
    coding style and clang no longer warns.
    
    Fixes: d23f5099297c ("[POWERPC] 4xx: Adds decoding of 440SPE memory size to boot wrapper library")
    Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
    Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://github.com/ClangBuiltLinux/linux/issues/780
    Link: https://lore.kernel.org/r/20191209200338.12546-1-natechancellor@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 00ab265a94df37909bfbadf494a01a969d329f94
Author: Nathan Chancellor <natechancellor@gmail.com>
Date:   Tue Dec 17 20:19:31 2019 -0700

    ext2: Adjust indentation in ext2_fill_super
    
    commit d9e9866803f7b6c3fdd35d345e97fb0b2908bbbc upstream.
    
    Clang warns:
    
    ../fs/ext2/super.c:1076:3: warning: misleading indentation; statement is
    not part of the previous 'if' [-Wmisleading-indentation]
            sbi->s_groups_count = ((le32_to_cpu(es->s_blocks_count) -
            ^
    ../fs/ext2/super.c:1074:2: note: previous statement is here
            if (EXT2_BLOCKS_PER_GROUP(sb) == 0)
            ^
    1 warning generated.
    
    This warning occurs because there is a space before the tab on this
    line. Remove it so that the indentation is consistent with the Linux
    kernel coding style and clang no longer warns.
    
    Fixes: 41f04d852e35 ("[PATCH] ext2: fix mounts at 16T")
    Link: https://github.com/ClangBuiltLinux/linux/issues/827
    Link: https://lore.kernel.org/r/20191218031930.31393-1-natechancellor@gmail.com
    Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0225f69280146a9e75736145c46cb2c31d8f890f
Author: Nathan Chancellor <natechancellor@gmail.com>
Date:   Tue Dec 17 18:36:37 2019 -0700

    phy: qualcomm: Adjust indentation in read_poll_timeout
    
    commit a89806c998ee123bb9c0f18526e55afd12c0c0ab upstream.
    
    Clang warns:
    
    ../drivers/phy/qualcomm/phy-qcom-apq8064-sata.c:83:4: warning:
    misleading indentation; statement is not part of the previous 'if'
    [-Wmisleading-indentation]
                     usleep_range(DELAY_INTERVAL_US, DELAY_INTERVAL_US + 50);
                     ^
    ../drivers/phy/qualcomm/phy-qcom-apq8064-sata.c:80:3: note: previous
    statement is here
                    if (readl_relaxed(addr) & mask)
                    ^
    1 warning generated.
    
    This warning occurs because there is a space after the tab on this line.
    Remove it so that the indentation is consistent with the Linux kernel
    coding style and clang no longer warns.
    
    Fixes: 1de990d8a169 ("phy: qcom: Add driver for QCOM APQ8064 SATA PHY")
    Link: https://github.com/ClangBuiltLinux/linux/issues/816
    Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
    Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c909605d73ab4a26ef98c9fb8c291ff2f4c5f9b4
Author: Asutosh Das <asutoshd@codeaurora.org>
Date:   Mon Nov 25 22:53:30 2019 -0800

    scsi: ufs: Recheck bkops level if bkops is disabled
    
    commit 24366c2afbb0539fb14eff330d4e3a5db5c0a3ef upstream.
    
    bkops level should be rechecked upon receiving an exception.  Currently the
    level is being cached and never updated.
    
    Update bkops each time the level is checked.  Also do not use the cached
    bkops level value if it is disabled and then enabled.
    
    Fixes: afdfff59a0e0 (scsi: ufs: handle non spec compliant bkops behaviour by device)
    Link: https://lore.kernel.org/r/1574751214-8321-2-git-send-email-cang@qti.qualcomm.com
    Reviewed-by: Bean Huo <beanhuo@micron.com>
    Reviewed-by: Alim Akhtar <alim.akhtar@samsung.com>
    Tested-by: Alim Akhtar <alim.akhtar@samsung.com>
    Signed-off-by: Asutosh Das <asutoshd@codeaurora.org>
    Signed-off-by: Can Guo <cang@codeaurora.org>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f9082f8193cd1cb96b61cbe31588a683cdf69264
Author: Nathan Chancellor <natechancellor@gmail.com>
Date:   Tue Dec 17 18:52:52 2019 -0700

    scsi: qla4xxx: Adjust indentation in qla4xxx_mem_free
    
    commit aa8679736a82386551eb9f3ea0e6ebe2c0e99104 upstream.
    
    Clang warns:
    
    ../drivers/scsi/qla4xxx/ql4_os.c:4148:3: warning: misleading
    indentation; statement is not part of the previous 'if'
    [-Wmisleading-indentation]
             if (ha->fw_dump)
             ^
    ../drivers/scsi/qla4xxx/ql4_os.c:4144:2: note: previous statement is
    here
            if (ha->queues)
            ^
    1 warning generated.
    
    This warning occurs because there is a space after the tab on this
    line.  Remove it so that the indentation is consistent with the Linux
    kernel coding style and clang no longer warns.
    
    Fixes: 068237c87c64 ("[SCSI] qla4xxx: Capture minidump for ISP82XX on firmware failure")
    Link: https://github.com/ClangBuiltLinux/linux/issues/819
    Link: https://lore.kernel.org/r/20191218015252.20890-1-natechancellor@gmail.com
    Acked-by: Manish Rangankar <mrangankar@marvell.com>
    Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
    Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0ee281862e5a0ffd8384472775fb0a68359170f8
Author: Nathan Chancellor <natechancellor@gmail.com>
Date:   Tue Dec 17 18:47:26 2019 -0700

    scsi: csiostor: Adjust indentation in csio_device_reset
    
    commit a808a04c861782e31fc30e342a619c144aaee14a upstream.
    
    Clang warns:
    
    ../drivers/scsi/csiostor/csio_scsi.c:1386:3: warning: misleading
    indentation; statement is not part of the previous 'if'
    [-Wmisleading-indentation]
             csio_lnodes_exit(hw, 1);
             ^
    ../drivers/scsi/csiostor/csio_scsi.c:1382:2: note: previous statement is
    here
            if (*buf != '1')
            ^
    1 warning generated.
    
    This warning occurs because there is a space after the tab on this
    line.  Remove it so that the indentation is consistent with the Linux
    kernel coding style and clang no longer warns.
    
    Fixes: a3667aaed569 ("[SCSI] csiostor: Chelsio FCoE offload driver")
    Link: https://github.com/ClangBuiltLinux/linux/issues/818
    Link: https://lore.kernel.org/r/20191218014726.8455-1-natechancellor@gmail.com
    Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2585e20dfb6ae57b6aec2fc5cf85f43d5fbe96a8
Author: Bart Van Assche <bvanassche@acm.org>
Date:   Wed Dec 18 16:49:05 2019 -0800

    scsi: qla2xxx: Fix the endianness of the qla82xx_get_fw_size() return type
    
    commit 3f5f7335e5e234e340b48ecb24c2aba98a61f934 upstream.
    
    Since qla82xx_get_fw_size() returns a number in CPU-endian format, change
    its return type from __le32 into u32. This patch does not change any
    functionality.
    
    Fixes: 9c2b297572bf ("[SCSI] qla2xxx: Support for loading Unified ROM Image (URI) format firmware file.")
    Cc: Himanshu Madhani <hmadhani@marvell.com>
    Cc: Quinn Tran <qutran@marvell.com>
    Cc: Martin Wilck <mwilck@suse.com>
    Cc: Daniel Wagner <dwagner@suse.de>
    Cc: Roman Bolshakov <r.bolshakov@yadro.com>
    Link: https://lore.kernel.org/r/20191219004905.39586-1-bvanassche@acm.org
    Reviewed-by: Daniel Wagner <dwagner@suse.de>
    Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com>
    Signed-off-by: Bart Van Assche <bvanassche@acm.org>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a6f16a683832cba400f4eab38df4cd92a937e2da
Author: Stephen Warren <swarren@nvidia.com>
Date:   Thu Oct 3 14:50:30 2019 -0600

    clk: tegra: Mark fuse clock as critical
    
    commit bf83b96f87ae2abb1e535306ea53608e8de5dfbb upstream.
    
    For a little over a year, U-Boot on Tegra124 has configured the flow
    controller to perform automatic RAM re-repair on off->on power
    transitions of the CPU rail[1]. This is mandatory for correct operation
    of Tegra124. However, RAM re-repair relies on certain clocks, which the
    kernel must enable and leave running. The fuse clock is one of those
    clocks. Mark this clock as critical so that LP1 power mode (system
    suspend) operates correctly.
    
    [1] 3cc7942a4ae5 ARM: tegra: implement RAM repair
    
    Reported-by: Jonathan Hunter <jonathanh@nvidia.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Stephen Warren <swarren@nvidia.com>
    Signed-off-by: Thierry Reding <treding@nvidia.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 724fbee218b56daeee17d20cf4c7de785eef6c67
Author: Sean Christopherson <sean.j.christopherson@intel.com>
Date:   Wed Dec 18 13:54:48 2019 -0800

    KVM: x86: Free wbinvd_dirty_mask if vCPU creation fails
    
    commit 16be9ddea268ad841457a59109963fff8c9de38d upstream.
    
    Free the vCPU's wbinvd_dirty_mask if vCPU creation fails after
    kvm_arch_vcpu_init(), e.g. when installing the vCPU's file descriptor.
    Do the freeing by calling kvm_arch_vcpu_free() instead of open coding
    the freeing.  This adds a likely superfluous, but ultimately harmless,
    call to kvmclock_reset(), which only clears vcpu->arch.pv_time_enabled.
    Using kvm_arch_vcpu_free() allows for additional cleanup in the future.
    
    Fixes: f5f48ee15c2ee ("KVM: VMX: Execute WBINVD to keep data consistency with assigned devices")
    Cc: stable@vger.kernel.org
    Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f572810877041346667414c2b9cf0e368d575f71
Author: Sean Christopherson <sean.j.christopherson@intel.com>
Date:   Wed Dec 18 13:54:47 2019 -0800

    KVM: PPC: Book3S PR: Free shared page if mmu initialization fails
    
    commit cb10bf9194f4d2c5d830eddca861f7ca0fecdbb4 upstream.
    
    Explicitly free the shared page if kvmppc_mmu_init() fails during
    kvmppc_core_vcpu_create(), as the page is freed only in
    kvmppc_core_vcpu_free(), which is not reached via kvm_vcpu_uninit().
    
    Fixes: 96bc451a15329 ("KVM: PPC: Introduce shared page")
    Cc: stable@vger.kernel.org
    Reviewed-by: Greg Kurz <groug@kaod.org>
    Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
    Acked-by: Paul Mackerras <paulus@ozlabs.org>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7fe5a37ddec06e9e6544283bd175084b4a827a0f
Author: Sean Christopherson <sean.j.christopherson@intel.com>
Date:   Wed Dec 18 13:54:46 2019 -0800

    KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails
    
    commit 1a978d9d3e72ddfa40ac60d26301b154247ee0bc upstream.
    
    Call kvm_vcpu_uninit() if vcore creation fails to avoid leaking any
    resources allocated by kvm_vcpu_init(), i.e. the vcpu->run page.
    
    Fixes: 371fefd6f2dc4 ("KVM: PPC: Allow book3s_hv guests to use SMT processor modes")
    Cc: stable@vger.kernel.org
    Reviewed-by: Greg Kurz <groug@kaod.org>
    Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
    Acked-by: Paul Mackerras <paulus@ozlabs.org>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4609a0bfd5065688d16920a0c401589818ed3e06
Author: Marios Pomonis <pomonis@google.com>
Date:   Wed Dec 11 12:47:47 2019 -0800

    KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks
    
    commit 25a5edea71b7c154b6a0b8cec14c711cafa31d26 upstream.
    
    This fixes a Spectre-v1/L1TF vulnerability in fixed_msr_to_seg_unit().
    This function contains index computations based on the
    (attacker-controlled) MSR number.
    
    Fixes: de9aef5e1ad6 ("KVM: MTRR: introduce fixed_mtrr_segment table")
    
    Signed-off-by: Nick Finco <nifi@google.com>
    Signed-off-by: Marios Pomonis <pomonis@google.com>
    Reviewed-by: Andrew Honig <ahonig@google.com>
    Cc: stable@vger.kernel.org
    Reviewed-by: Jim Mattson <jmattson@google.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 703ae42319295fb9089f2ddb61fb135e0f0e8d20
Author: Marios Pomonis <pomonis@google.com>
Date:   Wed Dec 11 12:47:41 2019 -0800

    KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks
    
    commit 3c9053a2cae7ba2ba73766a34cea41baa70f57f7 upstream.
    
    This fixes a Spectre-v1/L1TF vulnerability in x86_decode_insn().
    kvm_emulate_instruction() (an ancestor of x86_decode_insn()) is an exported
    symbol, so KVM should treat it conservatively from a security perspective.
    
    Fixes: 045a282ca415 ("KVM: emulator: implement fninit, fnstsw, fnstcw")
    
    Signed-off-by: Nick Finco <nifi@google.com>
    Signed-off-by: Marios Pomonis <pomonis@google.com>
    Reviewed-by: Andrew Honig <ahonig@google.com>
    Cc: stable@vger.kernel.org
    Reviewed-by: Jim Mattson <jmattson@google.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 86f71e86d42e70a1e21116f28e778eac495843c0
Author: Marios Pomonis <pomonis@google.com>
Date:   Wed Dec 11 12:47:49 2019 -0800

    KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c
    
    commit 6ec4c5eee1750d5d17951c4e1960d953376a0dda upstream.
    
    This fixes a Spectre-v1/L1TF vulnerability in set_msr_mce() and
    get_msr_mce().
    Both functions contain index computations based on the
    (attacker-controlled) MSR number.
    
    Fixes: 890ca9aefa78 ("KVM: Add MCE support")
    
    Signed-off-by: Nick Finco <nifi@google.com>
    Signed-off-by: Marios Pomonis <pomonis@google.com>
    Reviewed-by: Andrew Honig <ahonig@google.com>
    Cc: stable@vger.kernel.org
    Reviewed-by: Jim Mattson <jmattson@google.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ec01d89eeae22f709d95ecddbbae251bea9d2468
Author: Marios Pomonis <pomonis@google.com>
Date:   Wed Dec 11 12:47:44 2019 -0800

    KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks
    
    commit 8c86405f606ca8508b8d9280680166ca26723695 upstream.
    
    This fixes a Spectre-v1/L1TF vulnerability in ioapic_read_indirect().
    This function contains index computations based on the
    (attacker-controlled) IOREGSEL register.
    
    Fixes: a2c118bfab8b ("KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)")
    
    Signed-off-by: Nick Finco <nifi@google.com>
    Signed-off-by: Marios Pomonis <pomonis@google.com>
    Reviewed-by: Andrew Honig <ahonig@google.com>
    Cc: stable@vger.kernel.org
    Reviewed-by: Jim Mattson <jmattson@google.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6b58586c367a8722f45e63411e5de943ddd0c13b
Author: Marios Pomonis <pomonis@google.com>
Date:   Wed Dec 11 12:47:48 2019 -0800

    KVM: x86: Protect MSR-based index computations in pmu.h from Spectre-v1/L1TF attacks
    
    commit 13c5183a4e643cc2b03a22d0e582c8e17bb7457d upstream.
    
    This fixes a Spectre-v1/L1TF vulnerability in the get_gp_pmc() and
    get_fixed_pmc() functions.
    They both contain index computations based on the (attacker-controlled)
    MSR number.
    
    Fixes: 25462f7f5295 ("KVM: x86/vPMU: Define kvm_pmu_ops to support vPMU function dispatch")
    
    Signed-off-by: Nick Finco <nifi@google.com>
    Signed-off-by: Marios Pomonis <pomonis@google.com>
    Reviewed-by: Andrew Honig <ahonig@google.com>
    Cc: stable@vger.kernel.org
    Reviewed-by: Jim Mattson <jmattson@google.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit aa209fe55a32a5f91a087af5ed71d870971461cf
Author: Marios Pomonis <pomonis@google.com>
Date:   Wed Dec 11 12:47:45 2019 -0800

    KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks
    
    commit 670564559ca35b439c8d8861fc399451ddf95137 upstream.
    
    This fixes a Spectre-v1/L1TF vulnerability in ioapic_write_indirect().
    This function contains index computations based on the
    (attacker-controlled) IOREGSEL register.
    
    This patch depends on patch
    "KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks".
    
    Fixes: 70f93dae32ac ("KVM: Use temporary variable to shorten lines.")
    
    Signed-off-by: Nick Finco <nifi@google.com>
    Signed-off-by: Marios Pomonis <pomonis@google.com>
    Reviewed-by: Andrew Honig <ahonig@google.com>
    Cc: stable@vger.kernel.org
    Reviewed-by: Jim Mattson <jmattson@google.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3645b2277bcddc2ecbb329343ffa7a929c7211e5
Author: Marios Pomonis <pomonis@google.com>
Date:   Wed Dec 11 12:47:42 2019 -0800

    KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from Spectre-v1/L1TF attacks
    
    commit 8618793750071d66028584a83ed0b4fa7eb4f607 upstream.
    
    This fixes Spectre-v1/L1TF vulnerabilities in kvm_hv_msr_get_crash_data()
    and kvm_hv_msr_set_crash_data().
    These functions contain index computations that use the
    (attacker-controlled) MSR number.
    
    Fixes: e7d9513b60e8 ("kvm/x86: added hyper-v crash msrs into kvm hyperv context")
    
    Signed-off-by: Nick Finco <nifi@google.com>
    Signed-off-by: Marios Pomonis <pomonis@google.com>
    Reviewed-by: Andrew Honig <ahonig@google.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 112a14ba32837b062ac47957679adb875b9adc1e
Author: Marios Pomonis <pomonis@google.com>
Date:   Wed Dec 11 12:47:46 2019 -0800

    KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks
    
    commit 4bf79cb089f6b1c6c632492c0271054ce52ad766 upstream.
    
    This fixes a Spectre-v1/L1TF vulnerability in kvm_lapic_reg_write().
    This function contains index computations based on the
    (attacker-controlled) MSR number.
    
    Fixes: 0105d1a52640 ("KVM: x2apic interface to lapic")
    
    Signed-off-by: Nick Finco <nifi@google.com>
    Signed-off-by: Marios Pomonis <pomonis@google.com>
    Reviewed-by: Andrew Honig <ahonig@google.com>
    Cc: stable@vger.kernel.org
    Reviewed-by: Jim Mattson <jmattson@google.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8fd994e37dd3e833ad74fb9a63de6b8fbc1c8ef4
Author: Marios Pomonis <pomonis@google.com>
Date:   Wed Dec 11 12:47:52 2019 -0800

    KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks
    
    commit ea740059ecb37807ba47b84b33d1447435a8d868 upstream.
    
    This fixes a Spectre-v1/L1TF vulnerability in __kvm_set_dr() and
    kvm_get_dr().
    Both kvm_get_dr() and kvm_set_dr() (a wrapper of __kvm_set_dr()) are
    exported symbols so KVM should tream them conservatively from a security
    perspective.
    
    Fixes: 020df0794f57 ("KVM: move DR register access handling into generic code")
    
    Signed-off-by: Nick Finco <nifi@google.com>
    Signed-off-by: Marios Pomonis <pomonis@google.com>
    Reviewed-by: Andrew Honig <ahonig@google.com>
    Cc: stable@vger.kernel.org
    Reviewed-by: Jim Mattson <jmattson@google.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7341bf4c2aead34731d1a6f3c98fcb69d5bc21c7
Author: Marios Pomonis <pomonis@google.com>
Date:   Wed Dec 11 12:47:50 2019 -0800

    KVM: x86: Refactor prefix decoding to prevent Spectre-v1/L1TF attacks
    
    commit 125ffc5e0a56a3eded608dc51e09d5ebf72cf652 upstream.
    
    This fixes Spectre-v1/L1TF vulnerabilities in
    vmx_read_guest_seg_selector(), vmx_read_guest_seg_base(),
    vmx_read_guest_seg_limit() and vmx_read_guest_seg_ar().  When
    invoked from emulation, these functions contain index computations
    based on the (attacker-influenced) segment value.  Using constants
    prevents the attack.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0be275c65416047541a03c6716f13a337a5ff269
Author: Marios Pomonis <pomonis@google.com>
Date:   Wed Dec 11 12:47:43 2019 -0800

    KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks
    
    commit 14e32321f3606e4b0970200b6e5e47ee6f1e6410 upstream.
    
    This fixes a Spectre-v1/L1TF vulnerability in picdev_write().
    It replaces index computations based on the (attacked-controlled) port
    number with constants through a minor refactoring.
    
    Fixes: 85f455f7ddbe ("KVM: Add support for in-kernel PIC emulation")
    
    Signed-off-by: Nick Finco <nifi@google.com>
    Signed-off-by: Marios Pomonis <pomonis@google.com>
    Reviewed-by: Andrew Honig <ahonig@google.com>
    Cc: stable@vger.kernel.org
    Reviewed-by: Jim Mattson <jmattson@google.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 80b93ccca152af665e5c83246dfeedad9b446a02
Author: Juergen Gross <jgross@suse.com>
Date:   Fri Jan 17 14:49:31 2020 +0100

    xen/balloon: Support xend-based toolstack take two
    
    commit eda4eabf86fd6806eaabc23fb90dd056fdac037b upstream.
    
    Commit 3aa6c19d2f38be ("xen/balloon: Support xend-based toolstack")
    tried to fix a regression with running on rather ancient Xen versions.
    Unfortunately the fix was based on the assumption that xend would
    just use another Xenstore node, but in reality only some downstream
    versions of xend are doing that. The upstream xend does not write
    that Xenstore node at all, so the problem must be fixed in another
    way.
    
    The easiest way to achieve that is to fall back to the behavior
    before commit 96edd61dcf4436 ("xen/balloon: don't online new memory
    initially") in case the static memory maximum can't be read.
    
    This is achieved by setting static_max to the current number of
    memory pages known by the system resulting in target_diff becoming
    zero.
    
    Fixes: 3aa6c19d2f38be ("xen/balloon: Support xend-based toolstack")
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
    Cc: <stable@vger.kernel.org> # 4.13
    Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9c1484c4362dd0dc3b4c5cb654d5ec301f37e4aa
Author: Gavin Shan <gshan@redhat.com>
Date:   Tue Dec 10 15:48:29 2019 +1100

    tools/kvm_stat: Fix kvm_exit filter name
    
    commit 5fcf3a55a62afb0760ccb6f391d62f20bce4a42f upstream.
    
    The filter name is fixed to "exit_reason" for some kvm_exit events, no
    matter what architect we have. Actually, the filter name ("exit_reason")
    is only applicable to x86, meaning it's broken on other architects
    including aarch64.
    
    This fixes the issue by providing various kvm_exit filter names, depending
    on architect we're on. Afterwards, the variable filter name is picked and
    applied through ioctl(fd, SET_FILTER).
    
    Reported-by: Andrew Jones <drjones@redhat.com>
    Signed-off-by: Gavin Shan <gshan@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4274984b78716c7cd8686c5d9ae0e9c319760ff8
Author: Roberto Bergantinos Corpas <rbergant@redhat.com>
Date:   Tue Feb 4 11:32:56 2020 +0100

    sunrpc: expiry_time should be seconds not timeval
    
    commit 3d96208c30f84d6edf9ab4fac813306ac0d20c10 upstream.
    
    When upcalling gssproxy, cache_head.expiry_time is set as a
    timeval, not seconds since boot. As such, RPC cache expiry
    logic will not clean expired objects created under
    auth.rpcsec.context cache.
    
    This has proven to cause kernel memory leaks on field. Using
    64 bit variants of getboottime/timespec
    
    Expiration times have worked this way since 2010's c5b29f885afe "sunrpc:
    use seconds since boot in expiry cache".  The gssproxy code introduced
    in 2012 added gss_proxy_save_rsc and introduced the bug.  That's a while
    for this to lurk, but it required a bit of an extreme case to make it
    obvious.
    
    Signed-off-by: Roberto Bergantinos Corpas <rbergant@redhat.com>
    Cc: stable@vger.kernel.org
    Fixes: 030d794bf498 "SUNRPC: Use gssproxy upcall for server..."
    Tested-By: Frank Sorenson <sorenson@redhat.com>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6a7ad15be999f8f7c78b081c2fc77f3ec1269e6e
Author: Brian Norris <briannorris@chromium.org>
Date:   Mon Jan 6 14:42:12 2020 -0800

    mwifiex: fix unbalanced locking in mwifiex_process_country_ie()
    
    commit 65b1aae0d9d5962faccc06bdb8e91a2a0b09451c upstream.
    
    We called rcu_read_lock(), so we need to call rcu_read_unlock() before
    we return.
    
    Fixes: 3d94a4a8373b ("mwifiex: fix possible heap overflow in mwifiex_process_country_ie()")
    Cc: stable@vger.kernel.org
    Cc: huangwen <huangwenabc@gmail.com>
    Cc: Ganapathi Bhat <ganapathi.bhat@nxp.com>
    Signed-off-by: Brian Norris <briannorris@chromium.org>
    Acked-by: Ganapathi Bhat <ganapathi.bhat@nxp.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d2cf2297979f0f4f2a4cc7e540cf0b944e9936c3
Author: Luca Coelho <luciano.coelho@intel.com>
Date:   Fri Jan 31 15:45:25 2020 +0200

    iwlwifi: don't throw error when trying to remove IGTK
    
    commit 197288d5ba8a5289f22d3aeb4fca3824bfd9b4af upstream.
    
    The IGTK keys are only removed by mac80211 after it has already
    removed the AP station.  This causes the driver to throw an error
    because mac80211 is trying to remove the IGTK when the station doesn't
    exist anymore.
    
    The firmware is aware that the station has been removed and can deal
    with it the next time we try to add an IGTK for a station, so we
    shouldn't try to remove the key if the station ID is
    IWL_MVM_INVALID_STA.  Do this by removing the check for mvm_sta before
    calling iwl_mvm_send_sta_igtk() and check return from that function
    gracefully if the station ID is invalid.
    
    Cc: stable@vger.kernel.org # 4.12+
    Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 06bd486ee98b91d58c2f9cbadff4ae35b4cd4dfb
Author: Stephen Warren <swarren@nvidia.com>
Date:   Thu Oct 3 14:50:31 2019 -0600

    ARM: tegra: Enable PLLP bypass during Tegra124 LP1
    
    commit 1a3388d506bf5b45bb283e6a4c4706cfb4897333 upstream.
    
    For a little over a year, U-Boot has configured the flow controller to
    perform automatic RAM re-repair on off->on power transitions of the CPU
    rail[1]. This is mandatory for correct operation of Tegra124. However,
    RAM re-repair relies on certain clocks, which the kernel must enable and
    leave running. PLLP is one of those clocks. This clock is shut down
    during LP1 in order to save power. Enable bypass (which I believe routes
    osc_div_clk, essentially the crystal clock, to the PLL output) so that
    this clock signal toggles even though the PLL is not active. This is
    required so that LP1 power mode (system suspend) operates correctly.
    
    The bypass configuration must then be undone when resuming from LP1, so
    that all peripheral clocks run at the expected rate. Without this, many
    peripherals won't work correctly; for example, the UART baud rate would
    be incorrect.
    
    NVIDIA's downstream kernel code only does this if not compiled for
    Tegra30, so the added code is made conditional upon the chip ID.
    NVIDIA's downstream code makes this change conditional upon the active
    CPU cluster. The upstream kernel currently doesn't support cluster
    switching, so this patch doesn't test the active CPU cluster ID.
    
    [1] 3cc7942a4ae5 ARM: tegra: implement RAM repair
    
    Reported-by: Jonathan Hunter <jonathanh@nvidia.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Stephen Warren <swarren@nvidia.com>
    Signed-off-by: Thierry Reding <treding@nvidia.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f7a7788766849cfbde527c1fc3765e9033c03dad
Author: Josef Bacik <josef@toxicpanda.com>
Date:   Fri Jan 17 08:57:51 2020 -0500

    btrfs: set trans->drity in btrfs_commit_transaction
    
    commit d62b23c94952e78211a383b7d90ef0afbd9a3717 upstream.
    
    If we abort a transaction we have the following sequence
    
    if (!trans->dirty && list_empty(&trans->new_bgs))
            return;
    WRITE_ONCE(trans->transaction->aborted, err);
    
    The idea being if we didn't modify anything with our trans handle then
    we don't really need to abort the whole transaction, maybe the other
    trans handles are fine and we can carry on.
    
    However in the case of create_snapshot we add a pending_snapshot object
    to our transaction and then commit the transaction.  We don't actually
    modify anything.  sync() behaves the same way, attach to an existing
    transaction and commit it.  This means that if we have an IO error in
    the right places we could abort the committing transaction with our
    trans->dirty being not set and thus not set transaction->aborted.
    
    This is a problem because in the create_snapshot() case we depend on
    pending->error being set to something, or btrfs_commit_transaction
    returning an error.
    
    If we are not the trans handle that gets to commit the transaction, and
    we're waiting on the commit to happen we get our return value from
    cur_trans->aborted.  If this was not set to anything because sync() hit
    an error in the transaction commit before it could modify anything then
    cur_trans->aborted would be 0.  Thus we'd return 0 from
    btrfs_commit_transaction() in create_snapshot.
    
    This is a problem because we then try to do things with
    pending_snapshot->snap, which will be NULL because we didn't create the
    snapshot, and then we'll get a NULL pointer dereference like the
    following
    
    "BUG: kernel NULL pointer dereference, address: 00000000000001f0"
    RIP: 0010:btrfs_orphan_cleanup+0x2d/0x330
    Call Trace:
     ? btrfs_mksubvol.isra.31+0x3f2/0x510
     btrfs_mksubvol.isra.31+0x4bc/0x510
     ? __sb_start_write+0xfa/0x200
     ? mnt_want_write_file+0x24/0x50
     btrfs_ioctl_snap_create_transid+0x16c/0x1a0
     btrfs_ioctl_snap_create_v2+0x11e/0x1a0
     btrfs_ioctl+0x1534/0x2c10
     ? free_debug_processing+0x262/0x2a3
     do_vfs_ioctl+0xa6/0x6b0
     ? do_sys_open+0x188/0x220
     ? syscall_trace_enter+0x1f8/0x330
     ksys_ioctl+0x60/0x90
     __x64_sys_ioctl+0x16/0x20
     do_syscall_64+0x4a/0x1b0
    
    In order to fix this we need to make sure anybody who calls
    commit_transaction has trans->dirty set so that they properly set the
    trans->transaction->aborted value properly so any waiters know bad
    things happened.
    
    This was found while I was running generic/475 with my modified
    fsstress, it reproduced within a few runs.  I ran with this patch all
    night and didn't see the problem again.
    
    CC: stable@vger.kernel.org # 4.4+
    Signed-off-by: Josef Bacik <josef@toxicpanda.com>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d046cfa737337c19fa77dc7487453477c99a8334
Author: Trond Myklebust <trondmy@gmail.com>
Date:   Sun Feb 2 17:53:54 2020 -0500

    NFS: Directory page cache pages need to be locked when read
    
    commit 114de38225d9b300f027e2aec9afbb6e0def154b upstream.
    
    When a NFS directory page cache page is removed from the page cache,
    its contents are freed through a call to nfs_readdir_clear_array().
    To prevent the removal of the page cache entry until after we've
    finished reading it, we must take the page lock.
    
    Fixes: 11de3b11e08c ("NFS: Fix a memory leak in nfs_readdir")
    Cc: stable@vger.kernel.org # v2.6.37+
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 120112701bc3c0acb8d0bafdbbdf91af76e1eb3f
Author: Trond Myklebust <trondmy@gmail.com>
Date:   Sun Feb 2 17:53:53 2020 -0500

    NFS: Fix memory leaks and corruption in readdir
    
    commit 4b310319c6a8ce708f1033d57145e2aa027a883c upstream.
    
    nfs_readdir_xdr_to_array() must not exit without having initialised
    the array, so that the page cache deletion routines can safely
    call nfs_readdir_clear_array().
    Furthermore, we should ensure that if we exit nfs_readdir_filler()
    with an error, we free up any page contents to prevent a leak
    if we try to fill the page again.
    
    Fixes: 11de3b11e08c ("NFS: Fix a memory leak in nfs_readdir")
    Cc: stable@vger.kernel.org # v2.6.37+
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 56846c93728bd7f843127380594602ff5db5a30d
Author: Arun Easi <aeasi@marvell.com>
Date:   Thu Jan 23 20:50:14 2020 -0800

    scsi: qla2xxx: Fix unbound NVME response length
    
    commit 00fe717ee1ea3c2979db4f94b1533c57aed8dea9 upstream.
    
    On certain cases when response length is less than 32, NVME response data
    is supplied inline in IOCB. This is indicated by some combination of state
    flags. There was an instance when a high, and incorrect, response length
    was indicated causing driver to overrun buffers. Fix this by checking and
    limiting the response payload length.
    
    Fixes: 7401bc18d1ee3 ("scsi: qla2xxx: Add FC-NVMe command handling")
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20200124045014.23554-1-hmadhani@marvell.com
    Signed-off-by: Arun Easi <aeasi@marvell.com>
    Signed-off-by: Himanshu Madhani <hmadhani@marvell.com>
    Reviewed-by: Ewan D. Milne <emilne@redhat.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a793a2640be68660ae99e68da0e276239615cb99
Author: Chuhong Yuan <hslester96@gmail.com>
Date:   Tue Dec 10 00:21:44 2019 +0800

    crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill
    
    commit 7f8c36fe9be46862c4f3c5302f769378028a34fa upstream.
    
    Since tasklet is needed to be initialized before registering IRQ
    handler, adjust the position of tasklet_init to fix the wrong order.
    
    Besides, to fix the missed tasklet_kill, this patch adds a helper
    function and uses devm_add_action to kill the tasklet automatically.
    
    Fixes: ce92136843cb ("crypto: picoxcell - add support for the picoxcell crypto engines")
    Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 90060df5c2d61e8db99baa72f853e7db136f67f2
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date:   Sat Dec 7 22:15:15 2019 +0800

    crypto: api - Fix race condition in crypto_spawn_alg
    
    commit 73669cc556462f4e50376538d77ee312142e8a8a upstream.
    
    The function crypto_spawn_alg is racy because it drops the lock
    before shooting the dying algorithm.  The algorithm could disappear
    altogether before we shoot it.
    
    This patch fixes it by moving the shooting into the locked section.
    
    Fixes: 6bfd48096ff8 ("[CRYPTO] api: Added spawns")
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6042a22f705a68970a22b37257caaf2089885c7e
Author: Tudor Ambarus <tudor.ambarus@microchip.com>
Date:   Thu Dec 5 09:54:01 2019 +0000

    crypto: atmel-aes - Fix counter overflow in CTR mode
    
    commit 781a08d9740afa73357f1a60d45d7c93d7cca2dd upstream.
    
    32 bit counter is not supported by neither of our AES IPs, all implement
    a 16 bit block counter. Drop the 32 bit block counter logic.
    
    Fixes: fcac83656a3e ("crypto: atmel-aes - fix the counter overflow in CTR mode")
    Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3b7b3a5797f161bba8c811812f894c5eb4662e4d
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date:   Fri Nov 29 16:40:24 2019 +0800

    crypto: pcrypt - Do not clear MAY_SLEEP flag in original request
    
    commit e8d998264bffade3cfe0536559f712ab9058d654 upstream.
    
    We should not be modifying the original request's MAY_SLEEP flag
    upon completion.  It makes no sense to do so anyway.
    
    Reported-by: Eric Biggers <ebiggers@kernel.org>
    Fixes: 5068c7a883d1 ("crypto: pcrypt - Add pcrypt crypto...")
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Tested-by: Eric Biggers <ebiggers@kernel.org>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6590628bd5cd71f870785db0f7c9df6cb31a6f3a
Author: Ard Biesheuvel <ardb@kernel.org>
Date:   Wed Nov 27 13:01:36 2019 +0100

    crypto: ccp - set max RSA modulus size for v3 platform devices as well
    
    commit 11548f5a5747813ff84bed6f2ea01100053b0d8d upstream.
    
    AMD Seattle incorporates a non-PCI version of the v3 CCP crypto
    accelerator, and this version was left behind when the maximum
    RSA modulus size was parameterized in order to support v5 hardware
    which supports larger moduli than v3 hardware does. Due to this
    oversight, RSA acceleration no longer works at all on these systems.
    
    Fix this by setting the .rsamax property to the appropriate value
    for v3 platform hardware.
    
    Fixes: e28c190db66830c0 ("csrypto: ccp - Expand RSA support for a v5 ccp")
    Cc: Gary R Hook <gary.hook@amd.com>
    Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
    Acked-by: Gary R Hook <gary.hook@amd.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f536b55474f1396151faf086e250cdcdb2dd5752
Author: Toke Høiland-Jørgensen <toke@redhat.com>
Date:   Mon Jan 20 14:06:41 2020 +0100

    samples/bpf: Don't try to remove user's homedir on clean
    
    commit b2e5e93ae8af6a34bca536cdc4b453ab1e707b8b upstream.
    
    The 'clean' rule in the samples/bpf Makefile tries to remove backup
    files (ending in ~). However, if no such files exist, it will instead try
    to remove the user's home directory. While the attempt is mostly harmless,
    it does lead to a somewhat scary warning like this:
    
    rm: cannot remove '~': Is a directory
    
    Fix this by using find instead of shell expansion to locate any actual
    backup files that need to be removed.
    
    Fixes: b62a796c109c ("samples/bpf: allow make to be run from samples/bpf/ directory")
    Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
    Link: https://lore.kernel.org/bpf/157952560126.1683545.7273054725976032511.stgit@toke.dk
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e78ca4d34768bc7c18cfce47c84b6a46bc40b855
Author: Steven Rostedt (VMware) <rostedt@goodmis.org>
Date:   Wed Feb 5 09:20:32 2020 -0500

    ftrace: Protect ftrace_graph_hash with ftrace_sync
    
    [ Upstream commit 54a16ff6f2e50775145b210bcd94d62c3c2af117 ]
    
    As function_graph tracer can run when RCU is not "watching", it can not be
    protected by synchronize_rcu() it requires running a task on each CPU before
    it can be freed. Calling schedule_on_each_cpu(ftrace_sync) needs to be used.
    
    Link: https://lore.kernel.org/r/20200205131110.GT2935@paulmck-ThinkPad-P72
    
    Cc: stable@vger.kernel.org
    Fixes: b9b0c831bed26 ("ftrace: Convert graph filter to use hash tables")
    Reported-by: "Paul E. McKenney" <paulmck@kernel.org>
    Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
    Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5aa98ea3dc2b34d1d8d9fc8a0dc38c6da225dfa6
Author: Steven Rostedt (VMware) <rostedt@goodmis.org>
Date:   Wed Feb 5 02:17:57 2020 -0500

    ftrace: Add comment to why rcu_dereference_sched() is open coded
    
    [ Upstream commit 16052dd5bdfa16dbe18d8c1d4cde2ddab9d23177 ]
    
    Because the function graph tracer can execute in sections where RCU is not
    "watching", the rcu_dereference_sched() for the has needs to be open coded.
    This is fine because the RCU "flavor" of the ftrace hash is protected by
    its own RCU handling (it does its own little synchronization on every CPU
    and does not rely on RCU sched).
    
    Acked-by: Joel Fernandes (Google) <joel@joelfernandes.org>
    Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit bdfe89cbbcdb643cd5ac68a2c35d5a5ff54e9a52
Author: Amol Grover <frextrite@gmail.com>
Date:   Wed Feb 5 11:27:02 2020 +0530

    tracing: Annotate ftrace_graph_notrace_hash pointer with __rcu
    
    [ Upstream commit fd0e6852c407dd9aefc594f54ddcc21d84803d3b ]
    
    Fix following instances of sparse error
    kernel/trace/ftrace.c:5667:29: error: incompatible types in comparison
    kernel/trace/ftrace.c:5813:21: error: incompatible types in comparison
    kernel/trace/ftrace.c:5868:36: error: incompatible types in comparison
    kernel/trace/ftrace.c:5870:25: error: incompatible types in comparison
    
    Use rcu_dereference_protected to dereference the newly annotated pointer.
    
    Link: http://lkml.kernel.org/r/20200205055701.30195-1-frextrite@gmail.com
    
    Signed-off-by: Amol Grover <frextrite@gmail.com>
    Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d10713270dd35966929ffc939ef4017df122c99c
Author: Amol Grover <frextrite@gmail.com>
Date:   Sat Feb 1 12:57:04 2020 +0530

    tracing: Annotate ftrace_graph_hash pointer with __rcu
    
    [ Upstream commit 24a9729f831462b1d9d61dc85ecc91c59037243f ]
    
    Fix following instances of sparse error
    kernel/trace/ftrace.c:5664:29: error: incompatible types in comparison
    kernel/trace/ftrace.c:5785:21: error: incompatible types in comparison
    kernel/trace/ftrace.c:5864:36: error: incompatible types in comparison
    kernel/trace/ftrace.c:5866:25: error: incompatible types in comparison
    
    Use rcu_dereference_protected to access the __rcu annotated pointer.
    
    Link: http://lkml.kernel.org/r/20200201072703.17330-1-frextrite@gmail.com
    
    Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
    Signed-off-by: Amol Grover <frextrite@gmail.com>
    Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 41724dfbf8ab1a8a830a5d8fbbc89180f7ac6108
Author: Milan Broz <gmazyland@gmail.com>
Date:   Mon Jan 6 10:11:47 2020 +0100

    dm crypt: fix benbi IV constructor crash if used in authenticated mode
    
    commit 4ea9471fbd1addb25a4d269991dc724e200ca5b5 upstream.
    
    If benbi IV is used in AEAD construction, for example:
      cryptsetup luksFormat <device> --cipher twofish-xts-benbi --key-size 512 --integrity=hmac-sha256
    the constructor uses wrong skcipher function and crashes:
    
     BUG: kernel NULL pointer dereference, address: 00000014
     ...
     EIP: crypt_iv_benbi_ctr+0x15/0x70 [dm_crypt]
     Call Trace:
      ? crypt_subkey_size+0x20/0x20 [dm_crypt]
      crypt_ctr+0x567/0xfc0 [dm_crypt]
      dm_table_add_target+0x15f/0x340 [dm_mod]
    
    Fix this by properly using crypt_aead_blocksize() in this case.
    
    Fixes: ef43aa38063a6 ("dm crypt: add cryptographic data integrity protection (authenticated encryption)")
    Cc: stable@vger.kernel.org # v4.12+
    Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941051
    Reported-by: Jerad Simpson <jbsimpson@gmail.com>
    Signed-off-by: Milan Broz <gmazyland@gmail.com>
    Signed-off-by: Mike Snitzer <snitzer@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 28ae7054c731af053c3915500f2f257fd40ff9b2
Author: Joe Thornber <ejt@redhat.com>
Date:   Tue Jan 7 11:58:42 2020 +0000

    dm space map common: fix to ensure new block isn't already in use
    
    commit 4feaef830de7ffdd8352e1fe14ad3bf13c9688f8 upstream.
    
    The space-maps track the reference counts for disk blocks allocated by
    both the thin-provisioning and cache targets.  There are variants for
    tracking metadata blocks and data blocks.
    
    Transactionality is implemented by never touching blocks from the
    previous transaction, so we can rollback in the event of a crash.
    
    When allocating a new block we need to ensure the block is free (has
    reference count of 0) in both the current and previous transaction.
    Prior to this fix we were doing this by searching for a free block in
    the previous transaction, and relying on a 'begin' counter to track
    where the last allocation in the current transaction was.  This
    'begin' field was not being updated in all code paths (eg, increment
    of a data block reference count due to breaking sharing of a neighbour
    block in the same btree leaf).
    
    This fix keeps the 'begin' field, but now it's just a hint to speed up
    the search.  Instead the current transaction is searched for a free
    block, and then the old transaction is double checked to ensure it's
    free.  Much simpler.
    
    This fixes reports of sm_disk_new_block()'s BUG_ON() triggering when
    DM thin-provisioning's snapshots are heavily used.
    
    Reported-by: Eric Wheeler <dm-devel@lists.ewheeler.net>
    Cc: stable@vger.kernel.org
    Signed-off-by: Joe Thornber <ejt@redhat.com>
    Signed-off-by: Mike Snitzer <snitzer@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9b52f0b54d2647b44fed825aeeea5767cc65c417
Author: Dmitry Fomichev <dmitry.fomichev@wdc.com>
Date:   Mon Dec 23 17:05:46 2019 -0800

    dm zoned: support zone sizes smaller than 128MiB
    
    commit b39962950339912978484cdac50069258545d753 upstream.
    
    dm-zoned is observed to log failed kernel assertions and not work
    correctly when operating against a device with a zone size smaller
    than 128MiB (e.g. 32768 bits per 4K block). The reason is that the
    bitmap size per zone is calculated as zero with such a small zone
    size. Fix this problem and also make the code related to zone bitmap
    management be able to handle per zone bitmaps smaller than a single
    block.
    
    A dm-zoned-tools patch is required to properly format dm-zoned devices
    with zone sizes smaller than 128MiB.
    
    Fixes: 3b1a94c88b79 ("dm zoned: drive-managed zoned block device target")
    Cc: stable@vger.kernel.org
    Signed-off-by: Dmitry Fomichev <dmitry.fomichev@wdc.com>
    Reviewed-by: Damien Le Moal <damien.lemoal@wdc.com>
    Signed-off-by: Mike Snitzer <snitzer@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a687c3bfdc5e24d75048b95ae15a88c86852affb
Author: Michael Ellerman <mpe@ellerman.id.au>
Date:   Sun Jan 26 22:52:47 2020 +1100

    of: Add OF_DMA_DEFAULT_COHERENT & select it on powerpc
    
    commit dabf6b36b83a18d57e3d4b9d50544ed040d86255 upstream.
    
    There's an OF helper called of_dma_is_coherent(), which checks if a
    device has a "dma-coherent" property to see if the device is coherent
    for DMA.
    
    But on some platforms devices are coherent by default, and on some
    platforms it's not possible to update existing device trees to add the
    "dma-coherent" property.
    
    So add a Kconfig symbol to allow arch code to tell
    of_dma_is_coherent() that devices are coherent by default, regardless
    of the presence of the property.
    
    Select that symbol on powerpc when NOT_COHERENT_CACHE is not set, ie.
    when the system has a coherent cache.
    
    Fixes: 92ea637edea3 ("of: introduce of_dma_is_coherent() helper")
    Cc: stable@vger.kernel.org # v3.16+
    Reported-by: Christian Zigotzky <chzigotzky@xenosoft.de>
    Tested-by: Christian Zigotzky <chzigotzky@xenosoft.de>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Rob Herring <robh@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5d56260c5e9fdbbba59655f63622f6159bf0e595
Author: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Date:   Thu Jan 23 00:11:24 2020 +0100

    PM: core: Fix handling of devices deleted during system-wide resume
    
    commit 0552e05fdfea191a2cf3a0abd33574b5ef9ca818 upstream.
    
    If a device is deleted by one of its system-wide resume callbacks
    (for example, because it does not appear to be present or accessible
    any more) along with its children, the resume of the children may
    continue leading to use-after-free errors and other issues
    (potentially).
    
    Namely, if the device's children are resumed asynchronously, their
    resume may have been scheduled already before the device's callback
    runs and so the device may be deleted while dpm_wait_for_superior()
    is being executed for them.  The memory taken up by the parent device
    object may be freed then while dpm_wait() is waiting for the parent's
    resume callback to complete, which leads to a use-after-free.
    Moreover, the resume of the children is really not expected to
    continue after they have been unregistered, so it must be terminated
    right away in that case.
    
    To address this problem, modify dpm_wait_for_superior() to check
    if the target device is still there in the system-wide PM list of
    devices and if so, to increment its parent's reference counter, both
    under dpm_list_mtx which prevents device_del() running for the child
    from dropping the parent's reference counter prematurely.
    
    If the device is not present in the system-wide PM list of devices
    any more, the resume of it cannot continue, so check that again after
    dpm_wait() returns, which means that the parent's callback has been
    completed, and pass the result of that check to the caller of
    dpm_wait_for_superior() to allow it to abort the device's resume
    if it is not there any more.
    
    Link: https://lore.kernel.org/linux-pm/1579568452-27253-1-git-send-email-chanho.min@lge.com
    Reported-by: Chanho Min <chanho.min@lge.com>
    Cc: All applicable <stable@vger.kernel.org>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 084f3fc1fb2b4d09be04310ddbb5a428b0a90397
Author: Chengguang Xu <cgxu519@mykernel.net>
Date:   Sat Jan 4 22:20:04 2020 +0800

    f2fs: code cleanup for f2fs_statfs_project()
    
    commit bf2cbd3c57159c2b639ee8797b52ab5af180bf83 upstream.
    
    Calling min_not_zero() to simplify complicated prjquota
    limit comparison in f2fs_statfs_project().
    
    Signed-off-by: Chengguang Xu <cgxu519@mykernel.net>
    Reviewed-by: Chao Yu <yuchao0@huawei.com>
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 646b25533fed46c0e9cc3fec4cb3c77302d74825
Author: Chengguang Xu <cgxu519@mykernel.net>
Date:   Sat Jan 4 22:20:03 2020 +0800

    f2fs: fix miscounted block limit in f2fs_statfs_project()
    
    commit acdf2172172a511f97fa21ed0ee7609a6d3b3a07 upstream.
    
    statfs calculates Total/Used/Avail disk space in block unit,
    so we should translate soft/hard prjquota limit to block unit
    as well.
    
    Below testing result shows the block/inode numbers of
    Total/Used/Avail from df command are all correct afer
    applying this patch.
    
    [root@localhost quota-tools]\# ./repquota -P /dev/sdb1

commit 182f211e1160ab75ee889a19e72b3acb8a58ab81
Author: Chengguang Xu <cgxu519@mykernel.net>
Date:   Mon Nov 25 11:20:36 2019 +0800

    f2fs: choose hardlimit when softlimit is larger than hardlimit in f2fs_statfs_project()
    
    commit 909110c060f22e65756659ec6fa957ae75777e00 upstream.
    
    Setting softlimit larger than hardlimit seems meaningless
    for disk quota but currently it is allowed. In this case,
    there may be a bit of comfusion for users when they run
    df comamnd to directory which has project quota.
    
    For example, we set 20M softlimit and 10M hardlimit of
    block usage limit for project quota of test_dir(project id 123).
    
    [root@hades f2fs]# repquota -P -a

commit 3bb37758725b2206a19ea7a28ceea908ba1513e8
Author: Sven Van Asbroeck <thesven73@gmail.com>
Date:   Thu Sep 19 11:11:37 2019 -0400

    power: supply: ltc2941-battery-gauge: fix use-after-free
    
    commit a60ec78d306c6548d4adbc7918b587a723c555cc upstream.
    
    This driver's remove path calls cancel_delayed_work().
    However, that function does not wait until the work function
    finishes. This could mean that the work function is still
    running after the driver's remove function has finished,
    which would result in a use-after-free.
    
    Fix by calling cancel_delayed_work_sync(), which ensures that
    that the work is properly cancelled, no longer running, and
    unable to re-schedule itself.
    
    This issue was detected with the help of Coccinelle.
    
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com>
    Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 724106f30c039f124c6de5ac9d28ddd305c25b11
Author: Quinn Tran <qutran@marvell.com>
Date:   Tue Dec 17 14:06:16 2019 -0800

    scsi: qla2xxx: Fix mtcp dump collection failure
    
    commit 641e0efddcbde52461e017136acd3ce7f2ef0c14 upstream.
    
    MTCP dump failed due to MB Reg 10 was picking garbage data from stack
    memory.
    
    Fixes: 81178772b636a ("[SCSI] qla2xxx: Implemetation of mctp.")
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20191217220617.28084-14-hmadhani@marvell.com
    Signed-off-by: Quinn Tran <qutran@marvell.com>
    Signed-off-by: Himanshu Madhani <hmadhani@marvell.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4fa9dd9ce20ffd2f327cddcacd19c3e44603df54
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date:   Fri Dec 6 13:55:17 2019 +0800

    crypto: api - Check spawn->alg under lock in crypto_drop_spawn
    
    commit 7db3b61b6bba4310f454588c2ca6faf2958ad79f upstream.
    
    We need to check whether spawn->alg is NULL under lock as otherwise
    the algorithm could be removed from under us after we have checked
    it and found it to be non-NULL.  This could cause us to remove the
    spawn from a non-existent list.
    
    Fixes: 7ede5a5ba55a ("crypto: api - Fix crypto_drop_spawn crash...")
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0fb0ea3cb8cc45298ed0be3f3732b7ea6143aecc
Author: Tianyu Lan <Tianyu.Lan@microsoft.com>
Date:   Sat Jan 25 16:50:47 2020 -0500

    hv_balloon: Balloon up according to request page number
    
    commit d33c240d47dab4fd15123d9e73fc8810cbc6ed6a upstream.
    
    Current code has assumption that balloon request memory size aligns
    with 2MB. But actually Hyper-V doesn't guarantee such alignment. When
    balloon driver receives non-aligned balloon request, it produces warning
    and balloon up more memory than requested in order to keep 2MB alignment.
    Remove the warning and balloon up memory according to actual requested
    memory size.
    
    Fixes: f6712238471a ("hv: hv_balloon: avoid memory leak on alloc_error of 2MB memory block")
    Cc: stable@vger.kernel.org
    Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
    Signed-off-by: Tianyu Lan <Tianyu.Lan@microsoft.com>
    Reviewed-by: Michael Kelley <mikelley@microsoft.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7c5cf5c43fdb32354b6653dddd9f88a0393d81ab
Author: Eric Biggers <ebiggers@google.com>
Date:   Mon Jan 20 14:31:59 2020 -0800

    ubifs: don't trigger assertion on invalid no-key filename
    
    [ Upstream commit f0d07a98a070bb5e443df19c3aa55693cbca9341 ]
    
    If userspace provides an invalid fscrypt no-key filename which encodes a
    hash value with any of the UBIFS node type bits set (i.e. the high 3
    bits), gracefully report ENOENT rather than triggering ubifs_assert().
    
    Test case with kvm-xfstests shell:
    
        . fs/ubifs/config
        . ~/xfstests/common/encrypt
        dev=$(__blkdev_to_ubi_volume /dev/vdc)
        ubiupdatevol $dev -t
        mount $dev /mnt -t ubifs
        mkdir /mnt/edir
        xfs_io -c set_encpolicy /mnt/edir
        rm /mnt/edir/_,,,,,DAAAAAAAAAAAAAAAAAAAAAAAAAA
    
    With the bug, the following assertion fails on the 'rm' command:
    
        [   19.066048] UBIFS error (ubi0:0 pid 379): ubifs_assert_failed: UBIFS assert failed: !(hash & ~UBIFS_S_KEY_HASH_MASK), in fs/ubifs/key.h:170
    
    Fixes: f4f61d2cc6d8 ("ubifs: Implement encrypted filenames")
    Cc: <stable@vger.kernel.org> # v4.10+
    Link: https://lore.kernel.org/r/20200120223201.241390-5-ebiggers@kernel.org
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 87c639a95a97355d933f56c7f4d37965e220ff54
Author: Michał Mirosław <mirq-linux@rere.qmqm.pl>
Date:   Thu Jan 2 11:42:16 2020 +0100

    mmc: sdhci-of-at91: fix memleak on clk_get failure
    
    [ Upstream commit a04184ce777b46e92c2b3c93c6dcb2754cb005e1 ]
    
    sdhci_alloc_host() does its work not using managed infrastructure, so
    needs explicit free on error path. Add it where needed.
    
    Cc: <stable@vger.kernel.org>
    Fixes: bb5f8ea4d514 ("mmc: sdhci-of-at91: introduce driver for the Atmel SDMMC")
    Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
    Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com>
    Acked-by: Adrian Hunter <adrian.hunter@intel.com>
    Link: https://lore.kernel.org/r/b2a44d5be2e06ff075f32477e466598bb0f07b36.1577961679.git.mirq-linux@rere.qmqm.pl
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 969917d2e893cb954ec10524da0fa37bd9df624b
Author: Yurii Monakov <monakov.y@gmail.com>
Date:   Tue Dec 17 14:38:36 2019 +0300

    PCI: keystone: Fix link training retries initiation
    
    [ Upstream commit 6df19872d881641e6394f93ef2938cffcbdae5bb ]
    
    ks_pcie_stop_link() function does not clear LTSSM_EN_VAL bit so
    link training was not triggered more than once after startup.
    In configurations where link can be unstable during early boot,
    for example, under low temperature, it will never be established.
    
    Fixes: 0c4ffcfe1fbc ("PCI: keystone: Add TI Keystone PCIe driver")
    Signed-off-by: Yurii Monakov <monakov.y@gmail.com>
    Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
    Acked-by: Andrew Murray <andrew.murray@arm.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3de94c38e987354f52b95c2be940f8685c00f807
Author: Zhihao Cheng <chengzhihao1@huawei.com>
Date:   Sat Jan 11 17:50:36 2020 +0800

    ubifs: Fix deadlock in concurrent bulk-read and writepage
    
    commit f5de5b83303e61b1f3fb09bd77ce3ac2d7a475f2 upstream.
    
    In ubifs, concurrent execution of writepage and bulk read on the same file
    may cause ABBA deadlock, for example (Reproduce method see Link):
    
    Process A(Bulk-read starts from page4)         Process B(write page4 back)
      vfs_read                                       wb_workfn or fsync
      ...                                            ...
      generic_file_buffered_read                     write_cache_pages
        ubifs_readpage                                 LOCK(page4)
    
          ubifs_bulk_read                              ubifs_writepage
            LOCK(ui->ui_mutex)                           ubifs_write_inode
    
              ubifs_do_bulk_read                           LOCK(ui->ui_mutex)
                find_or_create_page(alloc page4)                  ↑
                  LOCK(page4)                   <--     ABBA deadlock occurs!
    
    In order to ensure the serialization execution of bulk read, we can't
    remove the big lock 'ui->ui_mutex' in ubifs_bulk_read(). Instead, we
    allow ubifs_do_bulk_read() to lock page failed by replacing
    find_or_create_page(FGP_LOCK) with
    pagecache_get_page(FGP_LOCK | FGP_NOWAIT).
    
    Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
    Suggested-by: zhangyi (F) <yi.zhang@huawei.com>
    Cc: <Stable@vger.kernel.org>
    Fixes: 4793e7c5e1c ("UBIFS: add bulk-read facility")
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=206153
    Signed-off-by: Richard Weinberger <richard@nod.at>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d95ec03f72325b9830b2a204a93d4233df265139
Author: Eric Biggers <ebiggers@google.com>
Date:   Mon Dec 9 14:23:24 2019 -0800

    ubifs: Fix FS_IOC_SETFLAGS unexpectedly clearing encrypt flag
    
    commit 2b57067a7778484c10892fa191997bfda29fea13 upstream.
    
    UBIFS's implementation of FS_IOC_SETFLAGS fails to preserve existing
    inode flags that aren't settable by FS_IOC_SETFLAGS, namely the encrypt
    flag.  This causes the encrypt flag to be unexpectedly cleared.
    
    Fix it by preserving existing unsettable flags, like ext4 and f2fs do.
    
    Test case with kvm-xfstests shell:
    
        FSTYP=ubifs KEYCTL_PROG=keyctl
        . fs/ubifs/config
        . ~/xfstests/common/encrypt
        dev=$(__blkdev_to_ubi_volume /dev/vdc)
        ubiupdatevol -t $dev
        mount $dev /mnt -t ubifs
        k=$(_generate_session_encryption_key)
        mkdir /mnt/edir
        xfs_io -c "set_encpolicy $k" /mnt/edir
        echo contents > /mnt/edir/file
        chattr +i /mnt/edir/file
        chattr -i /mnt/edir/file
    
    With the bug, the following errors occur on the last command:
    
        [   18.081559] fscrypt (ubifs, inode 67): Inconsistent encryption context (parent directory: 65)
        chattr: Operation not permitted while reading flags on /mnt/edir/file
    
    Fixes: d475a507457b ("ubifs: Add skeleton for fscrypto")
    Cc: <stable@vger.kernel.org> # v4.10+
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Signed-off-by: Richard Weinberger <richard@nod.at>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c68fb6c809824d4f9b25357b1969d4631c5a8e01
Author: Hou Tao <houtao1@huawei.com>
Date:   Sat Feb 9 16:54:20 2019 +0800

    ubifs: Reject unsupported ioctl flags explicitly
    
    commit 2fe8b2d5578d7d142982e3bf62e4c0caf8b8fe02 upstream.
    
    Reject unsupported ioctl flags explicitly, so the following command
    on a regular ubifs file will fail:
            chattr +d ubifs_file
    
    And xfstests generic/424 will pass.
    
    Signed-off-by: Hou Tao <houtao1@huawei.com>
    Signed-off-by: Richard Weinberger <richard@nod.at>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7e372f648d9efd8002e70845eedd752e2197c6c5
Author: Stephen Boyd <swboyd@chromium.org>
Date:   Thu Jan 9 07:59:07 2020 -0800

    alarmtimer: Unregister wakeup source when module get fails
    
    commit 6b6d188aae79a630957aefd88ff5c42af6553ee3 upstream.
    
    The alarmtimer_rtc_add_device() function creates a wakeup source and then
    tries to grab a module reference. If that fails the function returns early
    with an error code, but fails to remove the wakeup source.
    
    Cleanup this exit path so there is no dangling wakeup source, which is
    named 'alarmtime' left allocated which will conflict with another RTC
    device that may be registered later.
    
    Fixes: 51218298a25e ("alarmtimer: Ensure RTC module is not unloaded")
    Signed-off-by: Stephen Boyd <swboyd@chromium.org>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Douglas Anderson <dianders@chromium.org>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20200109155910.907-2-swboyd@chromium.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bfd90b0b3732843cbd9fc92f58cbe61333754da6
Author: Hans de Goede <hdegoede@redhat.com>
Date:   Tue Dec 17 20:08:11 2019 +0100

    ACPI: video: Do not export a non working backlight interface on MSI MS-7721 boards
    
    commit d21a91629f4b8e794fc4c0e0c17c85cedf1d806c upstream.
    
    Despite our heuristics to not wrongly export a non working ACPI backlight
    interface on desktop machines, we still end up exporting one on desktops
    using a motherboard from the MSI MS-7721 series.
    
    I've looked at improving the heuristics, but in this case a quirk seems
    to be the only way to solve this.
    
    While at it also add a comment to separate the video_detect_force_none
    entries in the video_detect_dmi_table from other type of entries, as we
    already do for the other entry types.
    
    Cc: All applicable <stable@vger.kernel.org>
    BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1783786
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3760557c3a9bc43bbd782052c81d6aebe5d7317f
Author: Linus Walleij <linus.walleij@linaro.org>
Date:   Wed Dec 4 16:27:49 2019 +0100

    mmc: spi: Toggle SPI polarity, do not hardcode it
    
    commit af3ed119329cf9690598c5a562d95dfd128e91d6 upstream.
    
    The code in mmc_spi_initsequence() tries to send a burst with
    high chipselect and for this reason hardcodes the device into
    SPI_CS_HIGH.
    
    This is not good because the SPI_CS_HIGH flag indicates
    logical "asserted" CS not always the physical level. In
    some cases the signal is inverted in the GPIO library and
    in that case SPI_CS_HIGH is already set, and enforcing
    SPI_CS_HIGH again will actually drive it low.
    
    Instead of hard-coding this, toggle the polarity so if the
    default is LOW it goes high to assert chipselect but if it
    is already high then toggle it low instead.
    
    Cc: Phil Elwell <phil@raspberrypi.org>
    Reported-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Reviewed-by: Mark Brown <broonie@kernel.org>
    Link: https://lore.kernel.org/r/20191204152749.12652-1-linus.walleij@linaro.org
    Cc: stable@vger.kernel.org
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 11f54321c287f761fcf7c7e184d2569b4ca07b94
Author: Pingfan Liu <kernelfans@gmail.com>
Date:   Fri Jan 10 12:54:02 2020 +0800

    powerpc/pseries: Advance pfn if section is not present in lmb_is_removable()
    
    commit fbee6ba2dca30d302efe6bddb3a886f5e964a257 upstream.
    
    In lmb_is_removable(), if a section is not present, it should continue
    to test the rest of the sections in the block. But the current code
    fails to do so.
    
    Fixes: 51925fb3c5c9 ("powerpc/pseries: Implement memory hotplug remove in the kernel")
    Cc: stable@vger.kernel.org # v4.1+
    Signed-off-by: Pingfan Liu <kernelfans@gmail.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/1578632042-12415-1-git-send-email-kernelfans@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5823cb6e4cb50e332e0947291ab79ea1b869ed69
Author: Sukadev Bhattiprolu <sukadev@linux.ibm.com>
Date:   Mon Jan 6 13:50:02 2020 -0600

    powerpc/xmon: don't access ASDR in VMs
    
    commit c2a20711fc181e7f22ee5c16c28cb9578af84729 upstream.
    
    ASDR is HV-privileged and must only be accessed in HV-mode.
    Fixes a Program Check (0x700) when xmon in a VM dumps SPRs.
    
    Fixes: d1e1b351f50f ("powerpc/xmon: Add ISA v3.0 SPRs to SPR dump")
    Cc: stable@vger.kernel.org # v4.14+
    Signed-off-by: Sukadev Bhattiprolu <sukadev@linux.ibm.com>
    Reviewed-by: Andrew Donnellan <ajd@linux.ibm.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/20200107021633.GB29843@us.ibm.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6d4f4594e80f8f768d1448fd55f4ccbbb87e806a
Author: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Date:   Thu Jan 16 19:59:04 2020 +0100

    s390/mm: fix dynamic pagetable upgrade for hugetlbfs
    
    commit 5f490a520bcb393389a4d44bec90afcb332eb112 upstream.
    
    Commit ee71d16d22bb ("s390/mm: make TASK_SIZE independent from the number
    of page table levels") changed the logic of TASK_SIZE and also removed the
    arch_mmap_check() implementation for s390. This combination has a subtle
    effect on how get_unmapped_area() for hugetlbfs pages works. It is now
    possible that a user process establishes a hugetlbfs mapping at an address
    above 4 TB, without triggering a dynamic pagetable upgrade from 3 to 4
    levels.
    
    This is because hugetlbfs mappings will not use mm->get_unmapped_area, but
    rather file->f_op->get_unmapped_area, which currently is the generic
    implementation of hugetlb_get_unmapped_area() that does not know about s390
    dynamic pagetable upgrades, but with the new definition of TASK_SIZE, it
    will now allow mappings above 4 TB.
    
    Subsequent access to such a mapped address above 4 TB will result in a page
    fault loop, because the CPU cannot translate such a large address with 3
    pagetable levels. The fault handler will try to map in a hugepage at the
    address, but due to the folded pagetable logic it will end up with creating
    entries in the 3 level pagetable, possibly overwriting existing mappings,
    and then it all repeats when the access is retried.
    
    Apart from the page fault loop, this can have various nasty effects, e.g.
    kernel panic from one of the BUG_ON() checks in memory management code,
    or even data loss if an existing mapping gets overwritten.
    
    Fix this by implementing HAVE_ARCH_HUGETLB_UNMAPPED_AREA support for s390,
    providing an s390 version for hugetlb_get_unmapped_area() with pagetable
    upgrade support similar to arch_get_unmapped_area(), which will then be
    used instead of the generic version.
    
    Fixes: ee71d16d22bb ("s390/mm: make TASK_SIZE independent from the number of page table levels")
    Cc: <stable@vger.kernel.org> # 4.12+
    Signed-off-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
    Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit dd2624ae656864cb10673de3cd9f85d964965ec3
Author: Alexander Lobakin <alobakin@dlink.ru>
Date:   Fri Jan 17 17:02:07 2020 +0300

    MIPS: fix indentation of the 'RELOCS' message
    
    commit a53998802e178451701d59d38e36f551422977ba upstream.
    
    quiet_cmd_relocs lacks a whitespace which results in:
    
      LD      vmlinux
      SORTEX  vmlinux
      SYSMAP  System.map
      RELOCS vmlinux
      Building modules, stage 2.
      MODPOST 64 modules
    
    After this patch:
    
      LD      vmlinux
      SORTEX  vmlinux
      SYSMAP  System.map
      RELOCS  vmlinux
      Building modules, stage 2.
      MODPOST 64 modules
    
    Typo is present in kernel tree since the introduction of relocatable
    kernel support in commit e818fac595ab ("MIPS: Generate relocation table
    when CONFIG_RELOCATABLE"), but the relocation scripts were moved to
    Makefile.postlink later with commit 44079d3509ae ("MIPS: Use
    Makefile.postlink to insert relocations into vmlinux").
    
    Fixes: 44079d3509ae ("MIPS: Use Makefile.postlink to insert relocations into vmlinux")
    Cc: <stable@vger.kernel.org> # v4.11+
    Signed-off-by: Alexander Lobakin <alobakin@dlink.ru>
    [paulburton@kernel.org: Fixup commit references in commit message.]
    Signed-off-by: Paul Burton <paulburton@kernel.org>
    Cc: Ralf Baechle <ralf@linux-mips.org>
    Cc: James Hogan <jhogan@kernel.org>
    Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
    Cc: Rob Herring <robh@kernel.org>
    Cc: linux-mips@vger.kernel.org
    Cc: linux-kernel@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4ab16247f636fd37ed2b7a64eb7572d793f8bb02
Author: Christoffer Dall <christoffer.dall@arm.com>
Date:   Thu Dec 12 20:50:55 2019 +0100

    KVM: arm64: Only sign-extend MMIO up to register width
    
    commit b6ae256afd32f96bec0117175b329d0dd617655e upstream.
    
    On AArch64 you can do a sign-extended load to either a 32-bit or 64-bit
    register, and we should only sign extend the register up to the width of
    the register as specified in the operation (by using the 32-bit Wn or
    64-bit Xn register specifier).
    
    As it turns out, the architecture provides this decoding information in
    the SF ("Sixty-Four" -- how cute...) bit.
    
    Let's take advantage of this with the usual 32-bit/64-bit header file
    dance and do the right thing on AArch64 hosts.
    
    Signed-off-by: Christoffer Dall <christoffer.dall@arm.com>
    Signed-off-by: Marc Zyngier <maz@kernel.org>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20191212195055.5541-1-christoffer.dall@arm.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c314b8240df488cfad979ddc86394d1fcb3ba64c
Author: Mika Westerberg <mika.westerberg@linux.intel.com>
Date:   Wed Jan 22 19:28:04 2020 +0300

    platform/x86: intel_scu_ipc: Fix interrupt support
    
    commit e48b72a568bbd641c91dad354138d3c17d03ee6f upstream.
    
    Currently the driver has disabled interrupt support for Tangier but
    actually interrupt works just fine if the command is not written twice
    in a row. Also we need to ack the interrupt in the handler.
    
    Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
    Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 89f75bff6862cbf627b2b2dfc01da1a70df8ca9d
Author: Kevin Hao <haokexin@gmail.com>
Date:   Mon Jan 20 12:35:47 2020 +0800

    irqdomain: Fix a memory leak in irq_domain_push_irq()
    
    commit 0f394daef89b38d58c91118a2b08b8a1b316703b upstream.
    
    Fix a memory leak reported by kmemleak:
    unreferenced object 0xffff000bc6f50e80 (size 128):
      comm "kworker/23:2", pid 201, jiffies 4294894947 (age 942.132s)
      hex dump (first 32 bytes):
        00 00 00 00 41 00 00 00 86 c0 03 00 00 00 00 00  ....A...........
        00 a0 b2 c6 0b 00 ff ff 40 51 fd 10 00 80 ff ff  ........@Q......
      backtrace:
        [<00000000e62d2240>] kmem_cache_alloc_trace+0x1a4/0x320
        [<00000000279143c9>] irq_domain_push_irq+0x7c/0x188
        [<00000000d9f4c154>] thunderx_gpio_probe+0x3ac/0x438
        [<00000000fd09ec22>] pci_device_probe+0xe4/0x198
        [<00000000d43eca75>] really_probe+0xdc/0x320
        [<00000000d3ebab09>] driver_probe_device+0x5c/0xf0
        [<000000005b3ecaa0>] __device_attach_driver+0x88/0xc0
        [<000000004e5915f5>] bus_for_each_drv+0x7c/0xc8
        [<0000000079d4db41>] __device_attach+0xe4/0x140
        [<00000000883bbda9>] device_initial_probe+0x18/0x20
        [<000000003be59ef6>] bus_probe_device+0x98/0xa0
        [<0000000039b03d3f>] deferred_probe_work_func+0x74/0xa8
        [<00000000870934ce>] process_one_work+0x1c8/0x470
        [<00000000e3cce570>] worker_thread+0x1f8/0x428
        [<000000005d64975e>] kthread+0xfc/0x128
        [<00000000f0eaa764>] ret_from_fork+0x10/0x18
    
    Fixes: 495c38d3001f ("irqdomain: Add irq_domain_{push,pop}_irq() functions")
    Signed-off-by: Kevin Hao <haokexin@gmail.com>
    Signed-off-by: Marc Zyngier <maz@kernel.org>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20200120043547.22271-1-haokexin@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 06495469423cd58f1801c80aeb30a17dcfb16e67
Author: Gustavo A. R. Silva <gustavo@embeddedor.com>
Date:   Thu Jan 30 22:13:51 2020 -0800

    lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more()
    
    commit 3e21d9a501bf99aee2e5835d7f34d8c823f115b5 upstream.
    
    In case memory resources for _ptr2_ were allocated, release them before
    return.
    
    Notice that in case _ptr1_ happens to be NULL, krealloc() behaves
    exactly like kmalloc().
    
    Addresses-Coverity-ID: 1490594 ("Resource leak")
    Link: http://lkml.kernel.org/r/20200123160115.GA4202@embeddedor
    Fixes: 3f15801cdc23 ("lib: add kasan test module")
    Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
    Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 48d8bba5e94d87304391438f548cedf30aefa609
Author: Helen Koike <helen.koike@collabora.com>
Date:   Tue Dec 17 21:00:22 2019 +0100

    media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments
    
    commit f51e50db4c20d46930b33be3f208851265694f3e upstream.
    
    boundary->width and boundary->height are sizes relative to
    boundary->left and boundary->top coordinates, but they were not being
    taken into consideration to adjust r->left and r->top, leading to the
    following error:
    
    Consider the follow as initial values for boundary and r:
    
    struct v4l2_rect boundary = {
            .left = 100,
            .top = 100,
            .width = 800,
            .height = 600,
    }
    
    struct v4l2_rect r = {
            .left = 0,
            .top = 0,
            .width = 1920,
            .height = 960,
    }
    
    calling v4l2_rect_map_inside(&r, &boundary) was modifying r to:
    
    r = {
            .left = 0,
            .top = 0,
            .width = 800,
            .height = 600,
    }
    
    Which is wrongly outside the boundary rectangle, because:
    
            v4l2_rect_set_max_size(r, boundary); // r->width = 800, r->height = 600
            ...
            if (r->left + r->width > boundary->width) // true
                    r->left = boundary->width - r->width; // r->left = 800 - 800
            if (r->top + r->height > boundary->height) // true
                    r->top = boundary->height - r->height; // r->height = 600 - 600
    
    Fix this by considering top/left coordinates from boundary.
    
    Fixes: ac49de8c49d7 ("[media] v4l2-rect.h: new header with struct v4l2_rect helper functions")
    Signed-off-by: Helen Koike <helen.koike@collabora.com>
    Cc: <stable@vger.kernel.org>      # for v4.7 and up
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bfc1bb3b70ddac8319b44a9fa69bd9656a6a2eeb
Author: John Hubbard <jhubbard@nvidia.com>
Date:   Thu Jan 30 22:12:50 2020 -0800

    media/v4l2-core: set pages dirty upon releasing DMA buffers
    
    commit 3c7470b6f68434acae459482ab920d1e3fabd1c7 upstream.
    
    After DMA is complete, and the device and CPU caches are synchronized,
    it's still required to mark the CPU pages as dirty, if the data was
    coming from the device.  However, this driver was just issuing a bare
    put_page() call, without any set_page_dirty*() call.
    
    Fix the problem, by calling set_page_dirty_lock() if the CPU pages were
    potentially receiving data from the device.
    
    Link: http://lkml.kernel.org/r/20200107224558.2362728-11-jhubbard@nvidia.com
    Signed-off-by: John Hubbard <jhubbard@nvidia.com>
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Acked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
    Cc: <stable@vger.kernel.org>
    Cc: Alex Williamson <alex.williamson@redhat.com>
    Cc: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
    Cc: Björn Töpel <bjorn.topel@intel.com>
    Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
    Cc: Dan Williams <dan.j.williams@intel.com>
    Cc: Ira Weiny <ira.weiny@intel.com>
    Cc: Jan Kara <jack@suse.cz>
    Cc: Jason Gunthorpe <jgg@mellanox.com>
    Cc: Jason Gunthorpe <jgg@ziepe.ca>
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: Jerome Glisse <jglisse@redhat.com>
    Cc: Jonathan Corbet <corbet@lwn.net>
    Cc: Kirill A. Shutemov <kirill@shutemov.name>
    Cc: Leon Romanovsky <leonro@mellanox.com>
    Cc: Mike Rapoport <rppt@linux.ibm.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d219e276b2bc7c5517bcd822e9c6ccb3cfbfa0c3
Author: Takashi Iwai <tiwai@suse.de>
Date:   Sat Feb 1 09:05:30 2020 +0100

    ALSA: dummy: Fix PCM format loop in proc output
    
    commit 2acf25f13ebe8beb40e97a1bbe76f36277c64f1e upstream.
    
    The loop termination for iterating over all formats should contain
    SNDRV_PCM_FORMAT_LAST, not less than it.
    
    Fixes: 9b151fec139d ("ALSA: dummy - Add debug proc file")
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20200201080530.22390-3-tiwai@suse.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7d0c0dfe866736e221ce1773a6b45b06af945e9b
Author: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Date:   Thu Jan 9 13:17:22 2020 +0000

    usb: gadget: f_ecm: Use atomic_t to track in-flight request
    
    commit d710562e01c48d59be3f60d58b7a85958b39aeda upstream.
    
    Currently ecm->notify_req is used to flag when a request is in-flight.
    ecm->notify_req is set to NULL and when a request completes it is
    subsequently reset.
    
    This is fundamentally buggy in that the unbind logic of the ECM driver will
    unconditionally free ecm->notify_req leading to a NULL pointer dereference.
    
    Fixes: da741b8c56d6 ("usb ethernet gadget: split CDC Ethernet function")
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
    Signed-off-by: Felipe Balbi <balbi@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 51f94eb089ee1aed6a846925265bc645dc30a99f
Author: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Date:   Thu Jan 9 13:17:21 2020 +0000

    usb: gadget: f_ncm: Use atomic_t to track in-flight request
    
    commit 5b24c28cfe136597dc3913e1c00b119307a20c7e upstream.
    
    Currently ncm->notify_req is used to flag when a request is in-flight.
    ncm->notify_req is set to NULL and when a request completes it is
    subsequently reset.
    
    This is fundamentally buggy in that the unbind logic of the NCM driver will
    unconditionally free ncm->notify_req leading to a NULL pointer dereference.
    
    Fixes: 40d133d7f542 ("usb: gadget: f_ncm: convert to new function interface with backward compatibility")
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
    Signed-off-by: Felipe Balbi <balbi@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6d906054db5a0db80d1801f68b21dc165cc52bbe
Author: Roger Quadros <rogerq@ti.com>
Date:   Mon Dec 23 08:47:35 2019 +0200

    usb: gadget: legacy: set max_speed to super-speed
    
    commit 463f67aec2837f981b0a0ce8617721ff59685c00 upstream.
    
    These interfaces do support super-speed so let's not
    limit maximum speed to high-speed.
    
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Roger Quadros <rogerq@ti.com>
    Signed-off-by: Felipe Balbi <balbi@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 67cd8ccd494c155f1d0cbb992fe569832fe46d48
Author: Navid Emamdoost <navid.emamdoost@gmail.com>
Date:   Sat Dec 14 19:51:14 2019 -0600

    brcmfmac: Fix memory leak in brcmf_usbdev_qinit
    
    commit 4282dc057d750c6a7dd92953564b15c26b54c22c upstream.
    
    In the implementation of brcmf_usbdev_qinit() the allocated memory for
    reqs is leaking if usb_alloc_urb() fails. Release reqs in the error
    handling path.
    
    Fixes: 71bb244ba2fd ("brcm80211: fmac: add USB support for bcm43235/6/8 chipsets")
    Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 93b8f119275ef52b718dd34f1fff269e46e534f1
Author: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Date:   Sat Aug 17 10:12:08 2019 -0400

    tracing: Fix sched switch start/stop refcount racy updates
    
    commit 64ae572bc7d0060429e40e1c8d803ce5eb31a0d6 upstream.
    
    Reading the sched_cmdline_ref and sched_tgid_ref initial state within
    tracing_start_sched_switch without holding the sched_register_mutex is
    racy against concurrent updates, which can lead to tracepoint probes
    being registered more than once (and thus trigger warnings within
    tracepoint.c).
    
    [ May be the fix for this bug ]
    Link: https://lore.kernel.org/r/000000000000ab6f84056c786b93@google.com
    
    Link: http://lkml.kernel.org/r/20190817141208.15226-1-mathieu.desnoyers@efficios.com
    
    Cc: stable@vger.kernel.org
    CC: Steven Rostedt (VMware) <rostedt@goodmis.org>
    CC: Joel Fernandes (Google) <joel@joelfernandes.org>
    CC: Peter Zijlstra <peterz@infradead.org>
    CC: Thomas Gleixner <tglx@linutronix.de>
    CC: Paul E. McKenney <paulmck@linux.ibm.com>
    Reported-by: syzbot+774fddf07b7ab29a1e55@syzkaller.appspotmail.com
    Fixes: d914ba37d7145 ("tracing: Add support for recording tgid of tasks")
    Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
    Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bc407553b31f77fc505facfa75965513293e95c7
Author: Oliver Neukum <oneukum@suse.com>
Date:   Thu Nov 21 11:28:10 2019 +0100

    mfd: dln2: More sanity checking for endpoints
    
    commit 2b8bd606b1e60ca28c765f69c1eedd7d2a2e9dca upstream.
    
    It is not enough to check for the number of endpoints.
    The types must also be correct.
    
    Reported-and-tested-by: syzbot+48a2851be24583b864dc@syzkaller.appspotmail.com
    Signed-off-by: Oliver Neukum <oneukum@suse.com>
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 52f001bf9ba6d5fc628852dd6102a98f573e0b3b
Author: Will Deacon <will@kernel.org>
Date:   Fri Nov 8 16:48:38 2019 +0100

    media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors
    
    commit 68035c80e129c4cfec659aac4180354530b26527 upstream.
    
    Way back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked
    up the following WARNING from the UVC chain scanning code:
    
      | list_add double add: new=ffff880069084010, prev=ffff880069084010,
      | next=ffff880067d22298.
      | ------------[ cut here ]------------
      | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0
      | Modules linked in:
      | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted
      | 4.14.0-rc2-42613-g1488251d1a98 #238
      | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
      | Workqueue: usb_hub_wq hub_event
      | task: ffff88006b01ca40 task.stack: ffff880064358000
      | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29
      | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286
      | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000
      | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac
      | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000
      | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010
      | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0
      | FS:  0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000
      | CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0
      | Call Trace:
      |  __list_add ./include/linux/list.h:59
      |  list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92
      |  uvc_scan_chain_forward.isra.8+0x373/0x416
      | drivers/media/usb/uvc/uvc_driver.c:1471
      |  uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585
      |  uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769
      |  uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104
    
    Looking into the output from usbmon, the interesting part is the
    following data packet:
    
      ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080
      00090403 00000e01 00000924 03000103 7c003328 010204db
    
    If we drop the lead configuration and interface descriptors, we're left
    with an output terminal descriptor describing a generic display:
    
      /* Output terminal descriptor */
      buf[0]        09
      buf[1]        24
      buf[2]        03      /* UVC_VC_OUTPUT_TERMINAL */
      buf[3]        00      /* ID */
      buf[4]        01      /* type == 0x0301 (UVC_OTT_DISPLAY) */
      buf[5]        03
      buf[6]        7c
      buf[7]        00      /* source ID refers to self! */
      buf[8]        33
    
    The problem with this descriptor is that it is self-referential: the
    source ID of 0 matches itself! This causes the 'struct uvc_entity'
    representing the display to be added to its chain list twice during
    'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is
    processed directly from the 'dev->entities' list and then again
    immediately afterwards when trying to follow the source ID in
    'uvc_scan_chain_forward()'
    
    Add a check before adding an entity to a chain list to ensure that the
    entity is not already part of a chain.
    
    Link: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/
    
    Cc: <stable@vger.kernel.org>
    Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver")
    Reported-by: Andrey Konovalov <andreyknvl@google.com>
    Signed-off-by: Will Deacon <will@kernel.org>
    Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3740a6078d9daefc8ce90f8e50a3cc2115908ba8
Author: David Howells <dhowells@redhat.com>
Date:   Thu Jan 30 21:50:36 2020 +0000

    rxrpc: Fix NULL pointer deref due to call->conn being cleared on disconnect
    
    [ Upstream commit 5273a191dca65a675dc0bcf3909e59c6933e2831 ]
    
    When a call is disconnected, the connection pointer from the call is
    cleared to make sure it isn't used again and to prevent further attempted
    transmission for the call.  Unfortunately, there might be a daemon trying
    to use it at the same time to transmit a packet.
    
    Fix this by keeping call->conn set, but setting a flag on the call to
    indicate disconnection instead.
    
    Remove also the bits in the transmission functions where the conn pointer is
    checked and a ref taken under spinlock as this is now redundant.
    
    Fixes: 8d94aa381dab ("rxrpc: Calls shouldn't hold socket refs")
    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 532e2558e5747fc7f868023fa19e327cbc4608f0
Author: David Howells <dhowells@redhat.com>
Date:   Thu Jan 30 21:50:36 2020 +0000

    rxrpc: Fix insufficient receive notification generation
    
    [ Upstream commit f71dbf2fb28489a79bde0dca1c8adfb9cdb20a6b ]
    
    In rxrpc_input_data(), rxrpc_notify_socket() is called if the base sequence
    number of the packet is immediately following the hard-ack point at the end
    of the function.  However, this isn't sufficient, since the recvmsg side
    may have been advancing the window and then overrun the position in which
    we're adding - at which point rx_hard_ack >= seq0 and no notification is
    generated.
    
    Fix this by always generating a notification at the end of the input
    function.
    
    Without this, a long call may stall, possibly indefinitely.
    
    Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code")
    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e1b992f58e39cd6f2712608480fdb96ff23e40ad
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Jan 31 10:44:50 2020 -0800

    tcp: clear tp->segs_{in|out} in tcp_disconnect()
    
    [ Upstream commit 784f8344de750a41344f4bbbebb8507a730fc99c ]
    
    tp->segs_in and tp->segs_out need to be cleared in tcp_disconnect().
    
    tcp_disconnect() is rarely used, but it is worth fixing it.
    
    Fixes: 2efd055c53c0 ("tcp: add tcpi_segs_in and tcpi_segs_out to tcp_info")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Marcelo Ricardo Leitner <mleitner@redhat.com>
    Cc: Yuchung Cheng <ycheng@google.com>
    Cc: Neal Cardwell <ncardwell@google.com>
    Acked-by: Neal Cardwell <ncardwell@google.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit deae87cf1936573cc1eaaee531b9e446ab0bf7ee
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Jan 31 10:32:41 2020 -0800

    tcp: clear tp->data_segs{in|out} in tcp_disconnect()
    
    [ Upstream commit db7ffee6f3eb3683cdcaeddecc0a630a14546fe3 ]
    
    tp->data_segs_in and tp->data_segs_out need to be cleared
    in tcp_disconnect().
    
    tcp_disconnect() is rarely used, but it is worth fixing it.
    
    Fixes: a44d6eacdaf5 ("tcp: Add RFC4898 tcpEStatsPerfDataSegsOut/In")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Martin KaFai Lau <kafai@fb.com>
    Cc: Yuchung Cheng <ycheng@google.com>
    Cc: Neal Cardwell <ncardwell@google.com>
    Acked-by: Neal Cardwell <ncardwell@google.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4d469d93a89ee0d9a77b5880b353f4c9dd6ef5e2
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Jan 31 10:22:47 2020 -0800

    tcp: clear tp->delivered in tcp_disconnect()
    
    [ Upstream commit 2fbdd56251b5c62f96589f39eded277260de7267 ]
    
    tp->delivered needs to be cleared in tcp_disconnect().
    
    tcp_disconnect() is rarely used, but it is worth fixing it.
    
    Fixes: ddf1af6fa00e ("tcp: new delivery accounting")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Yuchung Cheng <ycheng@google.com>
    Cc: Neal Cardwell <ncardwell@google.com>
    Acked-by: Yuchung Cheng <ycheng@google.com>
    Acked-by: Neal Cardwell <ncardwell@google.com>
    Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 24070b40926b42c35ca0649f44711cad5da0cf96
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Jan 31 09:14:47 2020 -0800

    tcp: clear tp->total_retrans in tcp_disconnect()
    
    [ Upstream commit c13c48c00a6bc1febc73902505bdec0967bd7095 ]
    
    total_retrans needs to be cleared in tcp_disconnect().
    
    tcp_disconnect() is rarely used, but it is worth fixing it.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: SeongJae Park <sjpark@amazon.de>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fa32d7ce0cf8c04cefa72c87a95f222164be0131
Author: Michael Chan <michael.chan@broadcom.com>
Date:   Sun Feb 2 02:41:38 2020 -0500

    bnxt_en: Fix TC queue mapping.
    
    [ Upstream commit 18e4960c18f484ac288f41b43d0e6c4c88e6ea78 ]
    
    The driver currently only calls netdev_set_tc_queue when the number of
    TCs is greater than 1.  Instead, the comparison should be greater than
    or equal to 1.  Even with 1 TC, we need to set the queue mapping.
    
    This bug can cause warnings when the number of TCs is changed back to 1.
    
    Fixes: 7809592d3e2e ("bnxt_en: Enable MSIX early in bnxt_init_one().")
    Signed-off-by: Michael Chan <michael.chan@broadcom.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6cb448ee493c8a514c9afa0c346f3f5b3227de85
Author: Cong Wang <xiyou.wangcong@gmail.com>
Date:   Sun Feb 2 21:14:35 2020 -0800

    net_sched: fix an OOB access in cls_tcindex
    
    [ Upstream commit 599be01ee567b61f4471ee8078870847d0a11e8e ]
    
    As Eric noticed, tcindex_alloc_perfect_hash() uses cp->hash
    to compute the size of memory allocation, but cp->hash is
    set again after the allocation, this caused an out-of-bound
    access.
    
    So we have to move all cp->hash initialization and computation
    before the memory allocation. Move cp->mask and cp->shift together
    as cp->hash may need them for computation too.
    
    Reported-and-tested-by: syzbot+35d4dea36c387813ed31@syzkaller.appspotmail.com
    Fixes: 331b72922c5f ("net: sched: RCU cls_tcindex")
    Cc: Eric Dumazet <eric.dumazet@gmail.com>
    Cc: John Fastabend <john.fastabend@gmail.com>
    Cc: Jamal Hadi Salim <jhs@mojatatu.com>
    Cc: Jiri Pirko <jiri@resnulli.us>
    Cc: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7950ef09699d175bfec32d318d547c845462cc2f
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Feb 3 10:15:07 2020 -0800

    net: hsr: fix possible NULL deref in hsr_handle_frame()
    
    [ Upstream commit 2b5b8251bc9fe2f9118411f037862ee17cf81e97 ]
    
    hsr_port_get_rcu() can return NULL, so we need to be careful.
    
    general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN
    KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
    CPU: 1 PID: 10249 Comm: syz-executor.5 Not tainted 5.5.0-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    RIP: 0010:__read_once_size include/linux/compiler.h:199 [inline]
    RIP: 0010:hsr_addr_is_self+0x86/0x330 net/hsr/hsr_framereg.c:44
    Code: 04 00 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 6b ff 94 f9 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 75 02 00 00 48 8b 43 30 49 39 c6 49 89 47 c0 0f
    RSP: 0018:ffffc90000da8a90 EFLAGS: 00010206
    RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87e0cc33
    RDX: 0000000000000006 RSI: ffffffff87e035d5 RDI: 0000000000000000
    RBP: ffffc90000da8b20 R08: ffff88808e7de040 R09: ffffed1015d2707c
    R10: ffffed1015d2707b R11: ffff8880ae9383db R12: ffff8880a689bc5e
    R13: 1ffff920001b5153 R14: 0000000000000030 R15: ffffc90000da8af8
    FS:  00007fd7a42be700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000001b32338000 CR3: 00000000a928c000 CR4: 00000000001406e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     <IRQ>
     hsr_handle_frame+0x1c5/0x630 net/hsr/hsr_slave.c:31
     __netif_receive_skb_core+0xfbc/0x30b0 net/core/dev.c:5099
     __netif_receive_skb_one_core+0xa8/0x1a0 net/core/dev.c:5196
     __netif_receive_skb+0x2c/0x1d0 net/core/dev.c:5312
     process_backlog+0x206/0x750 net/core/dev.c:6144
     napi_poll net/core/dev.c:6582 [inline]
     net_rx_action+0x508/0x1120 net/core/dev.c:6650
     __do_softirq+0x262/0x98c kernel/softirq.c:292
     do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1082
     </IRQ>
    
    Fixes: c5a759117210 ("net/hsr: Use list_head (and rcu) instead of array for slave devices.")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ff8e755ddfd46899a07649749a515a083fc333e3
Author: Ridge Kennedy <ridge.kennedy@alliedtelesis.co.nz>
Date:   Tue Feb 4 12:24:00 2020 +1300

    l2tp: Allow duplicate session creation with UDP
    
    [ Upstream commit 0d0d9a388a858e271bb70e71e99e7fe2a6fd6f64 ]
    
    In the past it was possible to create multiple L2TPv3 sessions with the
    same session id as long as the sessions belonged to different tunnels.
    The resulting sessions had issues when used with IP encapsulated tunnels,
    but worked fine with UDP encapsulated ones. Some applications began to
    rely on this behaviour to avoid having to negotiate unique session ids.
    
    Some time ago a change was made to require session ids to be unique across
    all tunnels, breaking the applications making use of this "feature".
    
    This change relaxes the duplicate session id check to allow duplicates
    if both of the colliding sessions belong to UDP encapsulated tunnels.
    
    Fixes: dbdbc73b4478 ("l2tp: fix duplicate session creation")
    Signed-off-by: Ridge Kennedy <ridge.kennedy@alliedtelesis.co.nz>
    Acked-by: James Chapman <jchapman@katalix.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 52083ed47287d3c508cda33186c898d8a90eba6b
Author: Taehee Yoo <ap420073@gmail.com>
Date:   Tue Feb 4 03:24:59 2020 +0000

    gtp: use __GFP_NOWARN to avoid memalloc warning
    
    [ Upstream commit bd5cd35b782abf5437fbd01dfaee12437d20e832 ]
    
    gtp hashtable size is received by user-space.
    So, this hashtable size could be too large. If so, kmalloc will internally
    print a warning message.
    This warning message is actually not necessary for the gtp module.
    So, this patch adds __GFP_NOWARN to avoid this message.
    
    Splat looks like:
    [ 2171.200049][ T1860] WARNING: CPU: 1 PID: 1860 at mm/page_alloc.c:4713 __alloc_pages_nodemask+0x2f3/0x740
    [ 2171.238885][ T1860] Modules linked in: gtp veth openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv]
    [ 2171.262680][ T1860] CPU: 1 PID: 1860 Comm: gtp-link Not tainted 5.5.0+ #321
    [ 2171.263567][ T1860] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
    [ 2171.264681][ T1860] RIP: 0010:__alloc_pages_nodemask+0x2f3/0x740
    [ 2171.265332][ T1860] Code: 64 fe ff ff 65 48 8b 04 25 c0 0f 02 00 48 05 f0 12 00 00 41 be 01 00 00 00 49 89 47 0
    [ 2171.267301][ T1860] RSP: 0018:ffff8880b51af1f0 EFLAGS: 00010246
    [ 2171.268320][ T1860] RAX: ffffed1016a35e43 RBX: 0000000000000000 RCX: 0000000000000000
    [ 2171.269517][ T1860] RDX: 0000000000000000 RSI: 000000000000000b RDI: 0000000000000000
    [ 2171.270305][ T1860] RBP: 0000000000040cc0 R08: ffffed1018893109 R09: dffffc0000000000
    [ 2171.275973][ T1860] R10: 0000000000000001 R11: ffffed1018893108 R12: 1ffff11016a35e43
    [ 2171.291039][ T1860] R13: 000000000000000b R14: 000000000000000b R15: 00000000000f4240
    [ 2171.292328][ T1860] FS:  00007f53cbc83740(0000) GS:ffff8880da000000(0000) knlGS:0000000000000000
    [ 2171.293409][ T1860] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 2171.294586][ T1860] CR2: 000055f540014508 CR3: 00000000b49f2004 CR4: 00000000000606e0
    [ 2171.295424][ T1860] Call Trace:
    [ 2171.295756][ T1860]  ? mark_held_locks+0xa5/0xe0
    [ 2171.296659][ T1860]  ? __alloc_pages_slowpath+0x21b0/0x21b0
    [ 2171.298283][ T1860]  ? gtp_encap_enable_socket+0x13e/0x400 [gtp]
    [ 2171.298962][ T1860]  ? alloc_pages_current+0xc1/0x1a0
    [ 2171.299475][ T1860]  kmalloc_order+0x22/0x80
    [ 2171.299936][ T1860]  kmalloc_order_trace+0x1d/0x140
    [ 2171.300437][ T1860]  __kmalloc+0x302/0x3a0
    [ 2171.300896][ T1860]  gtp_newlink+0x293/0xba0 [gtp]
    [ ... ]
    
    Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
    Signed-off-by: Taehee Yoo <ap420073@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 44220931fc222da3f15efe15495c9f022ace499c
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Jan 31 15:27:04 2020 -0800

    cls_rsvp: fix rsvp_policy
    
    [ Upstream commit cb3c0e6bdf64d0d124e94ce43cbe4ccbb9b37f51 ]
    
    NLA_BINARY can be confusing, since .len value represents
    the max size of the blob.
    
    cls_rsvp really wants user space to provide long enough data
    for TCA_RSVP_DST and TCA_RSVP_SRC attributes.
    
    BUG: KMSAN: uninit-value in rsvp_get net/sched/cls_rsvp.h:258 [inline]
    BUG: KMSAN: uninit-value in gen_handle net/sched/cls_rsvp.h:402 [inline]
    BUG: KMSAN: uninit-value in rsvp_change+0x1ae9/0x4220 net/sched/cls_rsvp.h:572
    CPU: 1 PID: 13228 Comm: syz-executor.1 Not tainted 5.5.0-rc5-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x1c9/0x220 lib/dump_stack.c:118
     kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
     __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
     rsvp_get net/sched/cls_rsvp.h:258 [inline]
     gen_handle net/sched/cls_rsvp.h:402 [inline]
     rsvp_change+0x1ae9/0x4220 net/sched/cls_rsvp.h:572
     tc_new_tfilter+0x31fe/0x5010 net/sched/cls_api.c:2104
     rtnetlink_rcv_msg+0xcb7/0x1570 net/core/rtnetlink.c:5415
     netlink_rcv_skb+0x451/0x650 net/netlink/af_netlink.c:2477
     rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5442
     netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
     netlink_unicast+0xf9e/0x1100 net/netlink/af_netlink.c:1328
     netlink_sendmsg+0x1248/0x14d0 net/netlink/af_netlink.c:1917
     sock_sendmsg_nosec net/socket.c:639 [inline]
     sock_sendmsg net/socket.c:659 [inline]
     ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
     ___sys_sendmsg net/socket.c:2384 [inline]
     __sys_sendmsg+0x451/0x5f0 net/socket.c:2417
     __do_sys_sendmsg net/socket.c:2426 [inline]
     __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
     __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
     do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    RIP: 0033:0x45b349
    Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
    RSP: 002b:00007f269d43dc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
    RAX: ffffffffffffffda RBX: 00007f269d43e6d4 RCX: 000000000045b349
    RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
    RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
    R13: 00000000000009c2 R14: 00000000004cb338 R15: 000000000075bfd4
    
    Uninit was created at:
     kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
     kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
     kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
     slab_alloc_node mm/slub.c:2774 [inline]
     __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4382
     __kmalloc_reserve net/core/skbuff.c:141 [inline]
     __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:209
     alloc_skb include/linux/skbuff.h:1049 [inline]
     netlink_alloc_large_skb net/netlink/af_netlink.c:1174 [inline]
     netlink_sendmsg+0x7d3/0x14d0 net/netlink/af_netlink.c:1892
     sock_sendmsg_nosec net/socket.c:639 [inline]
     sock_sendmsg net/socket.c:659 [inline]
     ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
     ___sys_sendmsg net/socket.c:2384 [inline]
     __sys_sendmsg+0x451/0x5f0 net/socket.c:2417
     __do_sys_sendmsg net/socket.c:2426 [inline]
     __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
     __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
     do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    Fixes: 6fa8c0144b77 ("[NET_SCHED]: Use nla_policy for attribute validation in classifiers")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fc91784c307f9b4bf0bea3a36b5f6e484a2c30fc
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Tue Jan 14 14:26:14 2020 +0100

    sparc32: fix struct ipc64_perm type definition
    
    [ Upstream commit 34ca70ef7d3a9fa7e89151597db5e37ae1d429b4 ]
    
    As discussed in the strace issue tracker, it appears that the sparc32
    sysvipc support has been broken for the past 11 years. It was however
    working in compat mode, which is how it must have escaped most of the
    regular testing.
    
    The problem is that a cleanup patch inadvertently changed the uid/gid
    fields in struct ipc64_perm from 32-bit types to 16-bit types in uapi
    headers.
    
    Both glibc and uclibc-ng still use the original types, so they should
    work fine with compat mode, but not natively.  Change the definitions
    to use __kernel_uid32_t and __kernel_gid32_t again.
    
    Fixes: 83c86984bff2 ("sparc: unify ipcbuf.h")
    Link: https://github.com/strace/strace/issues/116
    Cc: <stable@vger.kernel.org> # v2.6.29
    Cc: Sam Ravnborg <sam@ravnborg.org>
    Cc: "Dmitry V . Levin" <ldv@altlinux.org>
    Cc: Rich Felker <dalias@libc.org>
    Cc: libc-alpha@sourceware.org
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 7a63a59b6644f8b04d05e81096ddf90297c847a8
Author: Luca Coelho <luciano.coelho@intel.com>
Date:   Mon Nov 25 13:21:58 2019 +0200

    iwlwifi: mvm: fix NVM check for 3168 devices
    
    [ Upstream commit b3f20e098293892388d6a0491d6bbb2efb46fbff ]
    
    We had a check on !NVM_EXT and then a check for NVM_SDP in the else
    block of this if.  The else block, obviously, could only be reached if
    using NVM_EXT, so it would never be NVM_SDP.
    
    Fix that by checking whether the nvm_type is IWL_NVM instead of
    checking for !IWL_NVM_EXT to solve this issue.
    
    Reported-by: Stefan Sperling <stsp@stsp.name>
    Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 57da5bc425bd787c2806cdf84f3921527a5c57ad
Author: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Date:   Fri Jan 10 14:50:54 2020 -0800

    x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR
    
    [ Upstream commit 5efc6fa9044c3356d6046c6e1da6d02572dbed6b ]
    
    /proc/cpuinfo currently reports Hardware Lock Elision (HLE) feature to
    be present on boot cpu even if it was disabled during the bootup. This
    is because cpuinfo_x86->x86_capability HLE bit is not updated after TSX
    state is changed via the new MSR IA32_TSX_CTRL.
    
    Update the cached HLE bit also since it is expected to change after an
    update to CPUID_CLEAR bit in MSR IA32_TSX_CTRL.
    
    Fixes: 95c5824f75f3 ("x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default")
    Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Tested-by: Neelima Krishnan <neelima.krishnan@intel.com>
    Reviewed-by: Dave Hansen <dave.hansen@linux.intel.com>
    Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/2529b99546294c893dfa1c89e2b3e46da3369a59.1578685425.git.pawan.kumar.gupta@linux.intel.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9a4da2a7546525a8a7d869447c9ea9ca874112a5
Author: Johan Hovold <johan@kernel.org>
Date:   Fri Jan 3 17:35:13 2020 +0100

    media: iguanair: fix endpoint sanity check
    
    [ Upstream commit 1b257870a78b0a9ce98fdfb052c58542022ffb5b ]
    
    Make sure to use the current alternate setting, which need not be the
    first one by index, when verifying the endpoint descriptors and
    initialising the URBs.
    
    Failing to do so could cause the driver to misbehave or trigger a WARN()
    in usb_submit_urb() that kernels with panic_on_warn set would choke on.
    
    Fixes: 26ff63137c45 ("[media] Add support for the IguanaWorks USB IR Transceiver")
    Fixes: ab1cbdf159be ("media: iguanair: add sanity checks")
    Cc: stable <stable@vger.kernel.org>     # 3.6
    Cc: Oliver Neukum <oneukum@suse.com>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Sean Young <sean@mess.org>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 7645d80ca740aeda9c6a80e1491976bd2c2ff331
Author: YueHaibing <yuehaibing@huawei.com>
Date:   Sat Dec 28 19:54:55 2019 +0800

    kernel/module: Fix memleak in module_add_modinfo_attrs()
    
    [ Upstream commit f6d061d617124abbd55396a3bc37b9bf7d33233c ]
    
    In module_add_modinfo_attrs() if sysfs_create_file() fails
    on the first iteration of the loop (so i = 0), we forget to
    free the modinfo_attrs.
    
    Fixes: bc6f2a757d52 ("kernel/module: Fix mem leak in module_add_modinfo_attrs")
    Reviewed-by: Miroslav Benes <mbenes@suse.cz>
    Signed-off-by: YueHaibing <yuehaibing@huawei.com>
    Signed-off-by: Jessica Yu <jeyu@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>