Linux/linux 3614692drivers/hv channel.c hyperv_vmbus.h, drivers/input/serio hyperv-keyboard.c

Merge tag 'hyperv-fixes-signed' of 
git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux

Pull Hyper-V fixes from Sasha Levin:

 - Fix for panics and network failures on PAE guests by Dexuan Cui.

 - Fix of a memory leak (and related cleanups) in the hyper-v keyboard
   driver by Dexuan Cui.

 - Code cleanups for hyper-v clocksource driver during the merge window
   by Dexuan Cui.

 - Fix for a false positive warning in the userspace hyper-v KVP store
   by Vitaly Kuznetsov.

* tag 'hyperv-fixes-signed' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux:
  Drivers: hv: vmbus: Fix virt_to_hvpfn() for X86_PAE
  Tools: hv: kvp: eliminate 'may be used uninitialized' warning
  Input: hyperv-keyboard: Use in-place iterator API in the channel callback
  Drivers: hv: vmbus: Remove the unused "tsc_page" from struct hv_context

Linux/linux 0a022ecvirt/kvm/arm mmio.c, virt/kvm/arm/vgic vgic-init.c

Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux

Pull arm64 fixes from Will Deacon:
 "Two KVM/arm fixes for MMIO emulation and UBSAN.

  Unusually, we're routing them via the arm64 tree as per Paolo's
  request on the list:

    https://lore.kernel.org/kvm/21ae69a2-2546-29d0-bff6-2ea825e3d968 at redhat.com/

  We don't actually have any other arm64 fixes pending at the moment
  (touch wood), so I've pulled from Marc, written a merge commit, tagged
  the result and run it through my build/boot/bisect scripts"

* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
  KVM: arm/arm64: VGIC: Properly initialise private IRQ affinity
  KVM: arm/arm64: Only skip MMIO insn once

Linux/linux 17d0fbfdrivers/scsi/lpfc lpfc_attr.c lpfc_init.c, drivers/scsi/qla2xxx qla_os.c

Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI fixes from James Bottomley:
 "Four fixes, three for edge conditions which don't occur very often.
  The lpfc fix mitigates memory exhaustion for some high CPU systems"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
  scsi: lpfc: Mitigate high memory pre-allocation by SCSI-MQ
  scsi: ufs: Fix NULL pointer dereference in ufshcd_config_vreg_hpm()
  scsi: target: tcmu: avoid use-after-free after command timeout
  scsi: qla2xxx: Fix gnl.l memory leak on adapter init failure

Linux/linux 8942230fs/xfs xfs_iops.c

Merge tag 'xfs-5.3-fixes-6' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux

Pull xfs fix from Darrick Wong:
 "A single patch that fixes a xfs lockup problem when a chown/chgrp
  operation fails due to running out of quota. It has survived the usual
  xfstests runs and merges cleanly with this morning's master:

   - Fix a forgotten inode unlock when chown/chgrp fail due to quota"

* tag 'xfs-5.3-fixes-6' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
  xfs: fix missing ILOCK unlock when xfs_setattr_nonsize fails due to EDQUOT
DeltaFile
+1-0fs/xfs/xfs_iops.c
+1-01 files

Linux/linux bc67b17drivers/gpu/drm/mediatek mtk_drm_drv.c, drivers/gpu/drm/nouveau/nvkm/subdev/i2c aux.c

Merge tag 'drm-fixes-2019-08-24' of git://anongit.freedesktop.org/drm/drm

Pull more drm fixes from Dave Airlie:
 "Although the tree built for me fine on arm here, it appears either
  header cleanups in next or some kconfig combo it breaks, so this
  contains a fix to mediatek to include dma-mapping.h explicitly.

  There was also one nouveau fix that came in late that I was going to
  leave until next week, but since I was sending this I thought it may
  as well be in here:

  mediatek:
   - fix build in some cases

  nouveau:
   - fix hang with i2c and mst docks"

* tag 'drm-fixes-2019-08-24' of git://anongit.freedesktop.org/drm/drm:
  drm/mediatek: include dma-mapping header
  drm/nouveau: Don't retry infinitely when receiving no data on i2c over AUX

Linux/linux 087eeeavirt/kvm/arm mmio.c, virt/kvm/arm/vgic vgic-init.c

Merge tag 'kvmarm-fixes-for-5.3-3' of 
git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into kvm/fixes

Pull KVM/arm fixes from Marc Zyngier as per Paulo's request at:

  https://lkml.kernel.org/r/21ae69a2-2546-29d0-bff6-2ea825e3d968 at redhat.com

  "One (hopefully last) set of fixes for KVM/arm for 5.3: an embarassing
   MMIO emulation regression, and a UBSAN splat. Oh well...

   - Don't overskip instructions on MMIO emulation

   - Fix UBSAN splat when initializing PPI priorities"

* tag 'kvmarm-fixes-for-5.3-3' of 
git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm:
  KVM: arm/arm64: VGIC: Properly initialise private IRQ affinity
  KVM: arm/arm64: Only skip MMIO insn once

Linux/linux 7837951drivers/gpu/drm/mediatek mtk_drm_drv.c

drm/mediatek: include dma-mapping header

Although it builds fine here in my arm cross compile, it seems
either via some other patches in -next or some Kconfig combination,
this fails to build for everyone.

Include linux/dma-mapping.h should fix it.

Signed-off-by: Dave Airlie <airlied at redhat.com>

Linux/linux 9140d8bdrivers/infiniband/hw/hfi1 tid_rdma.c, drivers/infiniband/hw/mlx5 qp.c

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma

Pull rdma fixes from Doug Ledford:
 "No beating around the bush: this is a monster pull request for an -rc5
  kernel. Intel hit me with a series of fixes for TID processing.
  Mellanox hit me with a series for their UMR memory support.

  And we had one fix for siw that fixes the 32bit build warnings and
  because of the number of casts that had to be changed to properly
  silence the warnings, that one patch alone is a full 40% of the LOC of
  this entire pull request. Given that this is the initial release
  kernel for siw, I'm trying to fix anything in it that we can, so that
  adds to the impetus to take fixes for it like this one.

  I had to do a rebase early in the week. Jason had thought he put a
  patch on the rc queue that he needed to be there so he could base some
  work off of it, and it had actually not been placed there. So he asked
  me (on Tuesday) to fix that up before pushing my wip branch to the
  official rc branch. I did, and that's why the early patches look like
  they were all committed at the same time on Tuesday. That bunch had
  been in my queue prior.

  The various patches all pass my test for being legitimate fixes and
  not attempts to slide new features or development into a late rc.
  Well, they were all fixes with the exception of a couple clean up

    [54 lines not shown]

Linux/linux b9bd680. MAINTAINERS, drivers/nvme/host core.c nvme.h

Merge tag 'for-linus-20190823' of git://git.kernel.dk/linux-block

Pull block fixes from Jens Axboe:
 "Here's a set of fixes that should go into this release. This contains:

   - Three minor fixes for NVMe.

   - Three minor tweaks for the io_uring polling logic.

   - Officially mark Song as the MD maintainer, after he's been filling
     that role sucessfully for the last 6 months or so"

* tag 'for-linus-20190823' of git://git.kernel.dk/linux-block:
  io_uring: add need_resched() check in inner poll loop
  md: update MAINTAINERS info
  io_uring: don't enter poll loop if we have CQEs pending
  nvme: Add quirk for LiteON CL1 devices running FW 22301111
  nvme: Fix cntlid validation when not using NVMEoF
  nvme-multipath: fix possible I/O hang when paths are updated
  io_uring: fix potential hang with polled IO

Linux/linux dd469a4drivers/md dm-zoned-metadata.c dm-zoned-target.c, drivers/md/persistent-data dm-btree.c

Merge tag 'for-5.3/dm-fixes-2' of 
git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm

Pull device mapper fixes from Mike Snitzer:

 - Revert a DM bufio change from during the 5.3 merge window now that a
   proper fix has been made to the block loopback driver.

 - Fix DM kcopyd to wakeup so failed subjobs get completed.

 - Various fixes to DM zoned target to address error handling, and other
   small tweaks (SPDX license identifiers and fix typos).

 - Fix DM integrity range locking race by tracking whether journal has
   changed.

 - Fix DM dust target to detect reads of badblocks beyond the first 512b
   sector (applicable if blocksize is larger than 512b).

 - Fix DM persistent-data issue in both the DM btree and DM
   space-map-metadata interfaces.

 - Fix out of bounds memory access with certain DM table configurations.

* tag 'for-5.3/dm-fixes-2' of 

    [15 lines not shown]

Linux/linux f576518fs read_write.c, fs/xfs xfs_reflink.c xfs_ioctl32.c

Merge tag 'xfs-5.3-fixes-4' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux

Pull xfs fixes from Darrick Wong:
 "Here are a few more bug fixes that trickled in since the last pull.
  They've survived the usual xfstests runs and merge cleanly with this
  morning's master.

  I expect there to be one more pull request tomorrow for the fix to
  that quota related inode unlock bug that we were reviewing last night,
  but it will continue to soak in the testing machine for several more
  hours.

   - Fix missing compat ioctl handling for get/setlabel

   - Fix missing ioctl pointer sanitization on s390

   - Fix a page locking deadlock in the dedupe comparison code

   - Fix inadequate locking in reflink code w.r.t. concurrent directio

   - Fix broken error detection when breaking layouts"

* tag 'xfs-5.3-fixes-4' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
  fs/xfs: Fix return code of xfs_break_leased_layouts()
  xfs: fix reflink source file racing with directio writes

    [3 lines not shown]

Linux/linux 2e16f3evirt/kvm/arm/vgic vgic-init.c

KVM: arm/arm64: VGIC: Properly initialise private IRQ affinity

At the moment we initialise the target *mask* of a virtual IRQ to the
VCPU it belongs to, even though this mask is only defined for GICv2 and
quickly runs out of bits for many GICv3 guests.
This behaviour triggers an UBSAN complaint for more than 32 VCPUs:
------
[ 5659.462377] UBSAN: Undefined behaviour in virt/kvm/arm/vgic/vgic-init.c:223:21
[ 5659.471689] shift exponent 32 is too large for 32-bit type 'unsigned int'
------
Also for GICv3 guests the reporting of TARGET in the "vgic-state" debugfs
dump is wrong, due to this very same problem.

Because there is no requirement to create the VGIC device before the
VCPUs (and QEMU actually does it the other way round), we can't safely
initialise mpidr or targets in kvm_vgic_vcpu_init(). But since we touch
every private IRQ for each VCPU anyway later (in vgic_init()), we can
just move the initialisation of those fields into there, where we
definitely know the VGIC type.

On the way make sure we really have either a VGICv2 or a VGICv3 device,
since the existing code is just checking for "VGICv3 or not", silently
ignoring the uninitialised case.

Signed-off-by: Andre Przywara <andre.przywara at arm.com>

    [3 lines not shown]

Linux/linux e3fb13bkernel module.c

Merge tag 'modules-for-v5.3-rc6' of 
git://git.kernel.org/pub/scm/linux/kernel/git/jeyu/linux

Pull modules fixes from Jessica Yu:
 "Fix BUG_ON() being triggered in frob_text() due to non-page-aligned
  module sections"

* tag 'modules-for-v5.3-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/jeyu/linux:
  modules: page-align module section allocations only for arches supporting strict module 
rwx
  modules: always page-align module section allocations
DeltaFile
+2-2kernel/module.c
+2-21 files

Linux/linux 4e56394fs/ceph xattr.c inode.c, net/ceph osd_client.c

Merge tag 'ceph-for-5.3-rc6' of git://github.com/ceph/ceph-client

Pull ceph fixes from Ilya Dryomov:
 "Three important fixes tagged for stable (an indefinite hang, a crash
  on an assert and a NULL pointer dereference) plus a small series from
  Luis fixing instances of vfree() under spinlock"

* tag 'ceph-for-5.3-rc6' of git://github.com/ceph/ceph-client:
  libceph: fix PG split vs OSD (re)connect race
  ceph: don't try fill file_lock on unsuccessful GETFILELOCK reply
  ceph: clear page dirty before invalidate page
  ceph: fix buffer free while holding i_ceph_lock in fill_inode()
  ceph: fix buffer free while holding i_ceph_lock in __ceph_build_xattrs_blob()
  ceph: fix buffer free while holding i_ceph_lock in __ceph_setxattr()
  libceph: allow ceph_buffer_put() to receive a NULL ceph_buffer

Linux/linux c536277drivers/infiniband/sw/siw siw_cm.c siw_qp_tx.c

RDMA/siw: Fix 64/32bit pointer inconsistency

Fixes improper casting between addresses and unsigned types.
Changes siw_pbl_get_buffer() function to return appropriate
dma_addr_t, and not u64.

Also fixes debug prints. Now any potentially kernel private
pointers are printed formatted as '%pK', to allow keeping that
information secret.

Fixes: d941bfe500be ("RDMA/siw: Change CQ flags from 64->32 bits")
Fixes: b0fff7317bb4 ("rdma/siw: completion queue methods")
Fixes: 8b6a361b8c48 ("rdma/siw: receive path")
Fixes: b9be6f18cf9e ("rdma/siw: transmit path")
Fixes: f29dd55b0236 ("rdma/siw: queue pair methods")
Fixes: 2251334dcac9 ("rdma/siw: application buffer management")
Fixes: 303ae1cdfdf7 ("rdma/siw: application interface")
Fixes: 6c52fdc244b5 ("rdma/siw: connection management")
Fixes: a531975279f3 ("rdma/siw: main include file")

Reported-by: Geert Uytterhoeven <geert at linux-m68k.org>
Reported-by: Jason Gunthorpe <jgg at ziepe.ca>
Reported-by: Leon Romanovsky <leon at kernel.org>
Signed-off-by: Bernard Metzler <bmt at zurich.ibm.com>
Link: https://lore.kernel.org/r/20190822173738.26817-1-bmt at zurich.ibm.com
Signed-off-by: Doug Ledford <dledford at redhat.com>

Linux/linux 1374a22drivers/gpu/drm/amd/amdgpu amdgpu_cs.c, drivers/gpu/drm/amd/display/amdgpu_dm amdgpu_dm.c

Merge tag 'drm-fixes-2019-08-23' of git://anongit.freedesktop.org/drm/drm

Pull drm fixes from Dave Airlie:
 "Live from the laundromat after my washing machine broke down, we have
  the 5.3-rc6 fixes. Changelog is in the tag below, but nothing too
  noteworthy in here:

  rcar-du:
   - LVDS dual-link mode fix

  mediatek:
   - of node refcount fix
   - prime buffer import fix
   - dma max seg fix

  komeda:
   - output polling fix
   - abfc format fix
   - memory-region DT fix

  amdgpu:
   - bpc display fix
   - ioctl memory leak fix
   - gfxoff fix
   - smu warnings fix

    [21 lines not shown]

Linux/linux 1cfd5d3drivers/md dm-table.c

dm table: fix invalid memory accesses with too high sector number

If the sector number is too high, dm_table_find_target() should return a
pointer to a zeroed dm_target structure (the caller should test it with
dm_target_is_valid).

However, for some table sizes, the code in dm_table_find_target() that
performs btree lookup will access out of bound memory structures.

Fix this bug by testing the sector number at the beginning of
dm_table_find_target(). Also, add an "inline" keyword to the function
dm_table_get_size() because this is a hot path.

Fixes: 512875bd9661 ("dm: table detect io beyond device")
Cc: stable at vger.kernel.org
Reported-by: Zhang Tao <kontais at zoho.com>
Signed-off-by: Mikulas Patocka <mpatocka at redhat.com>
Signed-off-by: Mike Snitzer <snitzer at redhat.com>

Linux/linux 1fb254afs/xfs xfs_iops.c

xfs: fix missing ILOCK unlock when xfs_setattr_nonsize fails due to EDQUOT

Benjamin Moody reported to Debian that XFS partially wedges when a chgrp
fails on account of being out of disk quota.  I ran his reproducer
script:

# adduser dummy
# adduser dummy plugdev

# dd if=/dev/zero bs=1M count=100 of=test.img
# mkfs.xfs test.img
# mount -t xfs -o gquota test.img /mnt
# mkdir -p /mnt/dummy
# chown -c dummy /mnt/dummy
# xfs_quota -xc 'limit -g bsoft=100k bhard=100k plugdev' /mnt

(and then as user dummy)

$ dd if=/dev/urandom bs=1M count=50 of=/mnt/dummy/foo
$ chgrp plugdev /mnt/dummy/foo

and saw:

================================================
WARNING: lock held when returning to user space!

    [15 lines not shown]
DeltaFile
+1-0fs/xfs/xfs_iops.c
+1-01 files

Linux/linux a4a759bdrivers/gpu/drm/nouveau/nvkm/subdev/i2c aux.c

Merge branch 'linux-5.3' of git://github.com/skeggsb/linux into drm-fixes

Fixes i2c on DP with some docks.

Signed-off-by: Dave Airlie <airlied at redhat.com>
From: Ben Skeggs <skeggsb at gmail.com>
Link: 
https://patchwork.freedesktop.org/patch/msgid/CACAvsv713t2_BQ44gVV7Lqic6Vwmhq0r4FB5v-t0kD1jzFrbmQ at mail.gmail.com

Linux/linux c358ebfdrivers/gpu/drm/nouveau/nvkm/subdev/i2c aux.c

drm/nouveau: Don't retry infinitely when receiving no data on i2c over AUX

While I had thought I had fixed this issue in:

commit 342406e4fbba ("drm/nouveau/i2c: Disable i2c bus access after
->fini()")

It turns out that while I did fix the error messages I was seeing on my
P50 when trying to access i2c busses with the GPU in runtime suspend, I
accidentally had missed one important detail that was mentioned on the
bug report this commit was supposed to fix: that the CPU would only lock
up when trying to access i2c busses _on connected devices_ _while the
GPU is not in runtime suspend_. Whoops. That definitely explains why I
was not able to get my machine to hang with i2c bus interactions until
now, as plugging my P50 into it's dock with an HDMI monitor connected
allowed me to finally reproduce this locally.

Now that I have managed to reproduce this issue properly, it looks like
the problem is much simpler then it looks. It turns out that some
connected devices, such as MST laptop docks, will actually ACK i2c reads
even if no data was actually read:

[  275.063043] nouveau 0000:01:00.0: i2c: aux 000a: 1: 0000004c 1
[  275.063447] nouveau 0000:01:00.0: i2c: aux 000a: 00 01101000 10040000
[  275.063759] nouveau 0000:01:00.0: i2c: aux 000a: rd 00000001

    [17 lines not shown]

Linux/linux 75710f0drivers/gpu/drm/amd/powerplay smu_v11_0.c

drm/amdgpu/powerplay: silence a warning in smu_v11_0_setup_pptable

I think gcc is confused as I don't see how size could be used
unitialized, but go ahead and silence the warning.

Signed-off-by: Alex Deucher <alexander.deucher at amd.com>
Reviewed-by: Evan Quan <evan.quan at amd.com>
Signed-off-by: Dave Airlie <airlied at redhat.com>
Link: 
https://patchwork.freedesktop.org/patch/msgid/20190822032527.1376-1-alexander.deucher at amd.com

Linux/linux cf3627fdrivers/gpu/drm/arm/display/komeda komeda_format_caps.c komeda_dev.c, drivers/gpu/drm/omapdrm omap_drv.c

Merge tag 'drm-misc-fixes-2019-08-22' of git://anongit.freedesktop.org/drm/drm-misc into 
drm-fixes

Fixes for v5.3-rc6:
- dma fix for omap.
- Make output polling work on komeda.
- Fix bpp computing for AFBC formats in komeda.
- Support the memory-region property in komeda.

Signed-off-by: Dave Airlie <airlied at redhat.com>

From: Maarten Lankhorst <maarten.lankhorst at linux.intel.com>
Link: 
https://patchwork.freedesktop.org/patch/msgid/5f1fdfe3-814e-fad1-663c-7279217fc085 at linux.intel.com

Linux/linux dd89c11drivers/gpu/drm/i915 intel_drv.h, drivers/gpu/drm/i915/display intel_ddi.c

Merge tag 'drm-intel-fixes-2019-08-22' of git://anongit.freedesktop.org/drm/drm-intel into 
drm-fixes

drm/i915 fixes for v5.3-rc6:
- fix hardware state readout for 10 bpc HDMI

Signed-off-by: Dave Airlie <airlied at redhat.com>
From: Jani Nikula <jani.nikula at intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/87sgptd114.fsf at intel.com

Linux/linux 08f5439fs io_uring.c

io_uring: add need_resched() check in inner poll loop

The outer poll loop checks for whether we need to reschedule, and
returns to userspace if we do. However, it's possible to get stuck
in the inner loop as well, if the CPU we are running on needs to
reschedule to finish the IO work.

Add the need_resched() check in the inner loop as well. This fixes
a potential hang if the kernel is configured with
CONFIG_PREEMPT_VOLUNTARY=y.

Reported-by: Sagi Grimberg <sagi at grimberg.me>
Reviewed-by: Sagi Grimberg <sagi at grimberg.me>
Tested-by: Sagi Grimberg <sagi at grimberg.me>
Signed-off-by: Jens Axboe <axboe at kernel.dk>
DeltaFile
+7-1fs/io_uring.c
+7-11 files

Linux/linux 59c36bcDocumentation/PCI pciebus-howto.rst picebus-howto.rst, drivers/pci quirks.c

Merge tag 'pci-v5.3-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci

Pull PCI fixes from Bjorn Helgaas:

 - Reset both NVIDIA GPU and HDA in ThinkPad P50 quirk, which was broken
   by another quirk that enabled the HDA device (Lyude Paul)

 - Fix pciebus-howto.rst documentation filename typo (Bjorn Helgaas)

* tag 'pci-v5.3-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
  Documentation PCI: Fix pciebus-howto.rst filename typo
  PCI: Reset both NVIDIA GPU and HDA in ThinkPad P50 workaround

Linux/linux ae14824drivers/md/persistent-data dm-space-map-metadata.c

dm space map metadata: fix missing store of apply_bops() return value

In commit 6096d91af0b6 ("dm space map metadata: fix occasional leak
of a metadata block on resize"), we refactor the commit logic to a new
function 'apply_bops'.  But when that logic was replaced in out() the
return value was not stored.  This may lead out() returning a wrong
value to the caller.

Fixes: 6096d91af0b6 ("dm space map metadata: fix occasional leak of a metadata block on 
resize")
Cc: stable at vger.kernel.org
Signed-off-by: ZhangXiaoxu <zhangxiaoxu5 at huawei.com>
Signed-off-by: Mike Snitzer <snitzer at redhat.com>

Linux/linux e4f9d60drivers/md/persistent-data dm-btree.c

dm btree: fix order of block initialization in btree_split_beneath

When btree_split_beneath() splits a node to two new children, it will
allocate two blocks: left and right.  If right block's allocation
failed, the left block will be unlocked and marked dirty.  If this
happened, the left block'ss content is zero, because it wasn't
initialized with the btree struct before the attempot to allocate the
right block.  Upon return, when flushing the left block to disk, the
validator will fail when check this block.  Then a BUG_ON is raised.

Fix this by completely initializing the left block before allocating and
initializing the right block.

Fixes: 4dcb8b57df359 ("dm btree: fix leak of bufio-backed block in btree_split_beneath 
error path")
Cc: stable at vger.kernel.org
Signed-off-by: ZhangXiaoxu <zhangxiaoxu5 at huawei.com>
Signed-off-by: Mike Snitzer <snitzer at redhat.com>

Linux/linux 20eabc8arch/mips/include/asm/octeon cvmx-sli-defs.h, drivers/dma fsldma.c

Merge tag 'Wimplicit-fallthrough-5.3-rc6' of 
git://git.kernel.org/pub/scm/linux/kernel/git/gustavoars/linux

Pull more fallthrough fixes from Gustavo A. R. Silva:
 "Fix fall-through warnings on arm and mips for multiple configurations"

* tag 'Wimplicit-fallthrough-5.3-rc6' of 
git://git.kernel.org/pub/scm/linux/kernel/git/gustavoars/linux:
  video: fbdev: acornfb: Mark expected switch fall-through
  scsi: libsas: sas_discover: Mark expected switch fall-through
  MIPS: Octeon: Mark expected switch fall-through
  power: supply: ab8500_charger: Mark expected switch fall-through
  watchdog: wdt285: Mark expected switch fall-through
  mtd: sa1100: Mark expected switch fall-through
  drm/sun4i: tcon: Mark expected switch fall-through
  drm/sun4i: sun6i_mipi_dsi: Mark expected switch fall-through
  ARM: riscpc: Mark expected switch fall-through
  dmaengine: fsldma: Mark expected switch fall-through

Linux/linux e5b7c16drivers/platform/chrome cros_ec_ishtp.c

Merge tag 'tag-chrome-platform-fixes-for-v5.3-rc6' of 
git://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux

Pull chrome platform fix from Benson Leung:
 "Fix a kernel crash during suspend/resume of cros_ec_ishtp"

* tag 'tag-chrome-platform-fixes-for-v5.3-rc6' of 
git://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux:
  platform/chrome: cros_ec_ishtp: fix crash during suspend

Linux/linux e8c3fa9fs/afs cell.c dir.c

Merge tag 'afs-fixes-20190822' of 
git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs

Pull AFS fixes from David Howells:

 - Fix a cell record leak due to the default error not being cleared.

 - Fix an oops in tracepoint due to a pointer that may contain an error.

 - Fix the ACL storage op for YFS where the wrong op definition is being
   used. By luck, this only actually affects the information appearing
   in traces.

* tag 'afs-fixes-20190822' of 
git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
  afs: use correct afs_call_type in yfs_fs_store_opaque_acl2
  afs: Fix possible oops in afs_lookup trace event
  afs: Fix leak in afs_lookup_cell_rcu()

Linux/linux fab4f97drivers/infiniband/sw/siw siw_qp_tx.c

RDMA/siw: Fix SGL mapping issues

All user level and most in-kernel applications submit WQEs
where the SG list entries are all of a single type.
iSER in particular, however, will send us WQEs with mixed SG
types: sge[0] = kernel buffer, sge[1] = PBL region.
Check and set is_kva on each SG entry individually instead of
assuming the first SGE type carries through to the last.
This fixes iSER over siw.

Fixes: b9be6f18cf9e ("rdma/siw: transmit path")
Reported-by: Krishnamraju Eraparaju <krishna2 at chelsio.com>
Tested-by: Krishnamraju Eraparaju <krishna2 at chelsio.com>
Signed-off-by: Bernard Metzler <bmt at zurich.ibm.com>
Link: https://lore.kernel.org/r/20190822150741.21871-1-bmt at zurich.ibm.com
Signed-off-by: Doug Ledford <dledford at redhat.com>

Linux/linux d37b1e5drivers/infiniband/hw/bnxt_re qplib_rcfw.h qplib_rcfw.c

RDMA/bnxt_re: Fix stack-out-of-bounds in bnxt_qplib_rcfw_send_message

Driver copies FW commands to the HW queue as  units of 16 bytes. Some
of the command structures are not exact multiple of 16. So while copying
the data from those structures, the stack out of bounds messages are
reported by KASAN. The following error is reported.

[ 1337.530155] ==================================================================
[ 1337.530277] BUG: KASAN: stack-out-of-bounds in bnxt_qplib_rcfw_send_message+0x40a/0x850 
[bnxt_re]
[ 1337.530413] Read of size 16 at addr ffff888725477a48 by task rmmod/2785

[ 1337.530540] CPU: 5 PID: 2785 Comm: rmmod Tainted: G           OE     5.2.0-rc6+ #75
[ 1337.530541] Hardware name: Dell Inc. PowerEdge R730/0599V5, BIOS 1.0.4 08/28/2014
[ 1337.530542] Call Trace:
[ 1337.530548]  dump_stack+0x5b/0x90
[ 1337.530556]  ? bnxt_qplib_rcfw_send_message+0x40a/0x850 [bnxt_re]
[ 1337.530560]  print_address_description+0x65/0x22e
[ 1337.530568]  ? bnxt_qplib_rcfw_send_message+0x40a/0x850 [bnxt_re]
[ 1337.530575]  ? bnxt_qplib_rcfw_send_message+0x40a/0x850 [bnxt_re]
[ 1337.530577]  __kasan_report.cold.3+0x37/0x77
[ 1337.530581]  ? _raw_write_trylock+0x10/0xe0
[ 1337.530588]  ? bnxt_qplib_rcfw_send_message+0x40a/0x850 [bnxt_re]
[ 1337.530590]  kasan_report+0xe/0x20
[ 1337.530592]  memcpy+0x1f/0x50

    [54 lines not shown]

Linux/linux 7533be8fs/afs yfsclient.c

afs: use correct afs_call_type in yfs_fs_store_opaque_acl2

It seems that 'yfs_RXYFSStoreOpaqueACL2' should be use in
yfs_fs_store_opaque_acl2().

Fixes: f5e4546347bc ("afs: Implement YFS ACL setting")
Signed-off-by: YueHaibing <yuehaibing at huawei.com>
Signed-off-by: David Howells <dhowells at redhat.com>
DeltaFile
+1-1fs/afs/yfsclient.c
+1-11 files

Linux/linux a5fb8e6fs/afs cell.c

afs: Fix leak in afs_lookup_cell_rcu()

Fix a leak on the cell refcount in afs_lookup_cell_rcu() due to
non-clearance of the default error in the case a NULL cell name is passed
and the workstation default cell is used.

Also put a bit at the end to make sure we don't leak a cell ref if we're
going to be returning an error.

This leak results in an assertion like the following when the kafs module is
unloaded:

        AFS: Assertion failed
        2 == 1 is false
        0x2 == 0x1 is false
        ------------[ cut here ]------------
        kernel BUG at fs/afs/cell.c:770!
        ...
        RIP: 0010:afs_manage_cells+0x220/0x42f [kafs]
        ...
         process_one_work+0x4c2/0x82c
         ? pool_mayday_timeout+0x1e1/0x1e1
         ? do_raw_spin_lock+0x134/0x175
         worker_thread+0x336/0x4a6
         ? rescuer_thread+0x4af/0x4af

    [6 lines not shown]
DeltaFile
+4-0fs/afs/cell.c
+4-01 files

Linux/linux c4c613ffs/afs dir.c

afs: Fix possible oops in afs_lookup trace event

The afs_lookup trace event can cause the following:

[  216.576777] BUG: kernel NULL pointer dereference, address: 000000000000023b
[  216.576803] #PF: supervisor read access in kernel mode
[  216.576813] #PF: error_code(0x0000) - not-present page
...
[  216.576913] RIP: 0010:trace_event_raw_event_afs_lookup+0x9e/0x1c0 [kafs]

If the inode from afs_do_lookup() is an error other than ENOENT, or if it
is ENOENT and afs_try_auto_mntpt() returns an error, the trace event will
try to dereference the error pointer as a valid pointer.

Use IS_ERR_OR_NULL to only pass a valid pointer for the trace, or NULL.

Ideally the trace would include the error value, but for now just avoid
the oops.

Fixes: 80548b03991f ("afs: Add more tracepoints")
Signed-off-by: Marc Dionne <marc.dionne at auristor.com>
Signed-off-by: David Howells <dhowells at redhat.com>
DeltaFile
+2-1fs/afs/dir.c
+2-11 files

Linux/linux 2113c5fvirt/kvm/arm mmio.c

KVM: arm/arm64: Only skip MMIO insn once

If after an MMIO exit to userspace a VCPU is immediately run with an
immediate_exit request, such as when a signal is delivered or an MMIO
emulation completion is needed, then the VCPU completes the MMIO
emulation and immediately returns to userspace. As the exit_reason
does not get changed from KVM_EXIT_MMIO in these cases we have to
be careful not to complete the MMIO emulation again, when the VCPU is
eventually run again, because the emulation does an instruction skip
(and doing too many skips would be a waste of guest code :-) We need
to use additional VCPU state to track if the emulation is complete.
As luck would have it, we already have 'mmio_needed', which even
appears to be used in this way by other architectures already.

Fixes: 0d640732dbeb ("arm64: KVM: Skip MMIO insn after emulation")
Acked-by: Mark Rutland <mark.rutland at arm.com>
Signed-off-by: Andrew Jones <drjones at redhat.com>
Signed-off-by: Marc Zyngier <maz at kernel.org>

Linux/linux 86968effs/ceph xattr.c

ceph: fix buffer free while holding i_ceph_lock in __ceph_setxattr()

Calling ceph_buffer_put() in __ceph_setxattr() may end up freeing the
i_xattrs.prealloc_blob buffer while holding the i_ceph_lock.  This can be
fixed by postponing the call until later, when the lock is released.

The following backtrace was triggered by fstests generic/117.

  BUG: sleeping function called from invalid context at mm/vmalloc.c:2283
  in_atomic(): 1, irqs_disabled(): 0, pid: 650, name: fsstress
  3 locks held by fsstress/650:
   #0: 00000000870a0fe8 (sb_writers#8){.+.+}, at: mnt_want_write+0x20/0x50
   #1: 00000000ba0c4c74 (&type->i_mutex_dir_key#6){++++}, at: vfs_setxattr+0x55/0xa0
   #2: 000000008dfbb3f2 (&(&ci->i_ceph_lock)->rlock){+.+.}, at: 
__ceph_setxattr+0x297/0x810
  CPU: 1 PID: 650 Comm: fsstress Not tainted 5.2.0+ #437
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.12.1-0-ga5cab58-prebuilt.qemu.org 04/01/2014
  Call Trace:
   dump_stack+0x67/0x90
   ___might_sleep.cold+0x9f/0xb1
   vfree+0x4b/0x60
   ceph_buffer_release+0x1b/0x60
   __ceph_setxattr+0x2b4/0x810
   __vfs_setxattr+0x66/0x80

    [17 lines not shown]
DeltaFile
+6-2fs/ceph/xattr.c
+6-21 files

Linux/linux 5c49895include/linux/ceph buffer.h

libceph: allow ceph_buffer_put() to receive a NULL ceph_buffer

Signed-off-by: Luis Henriques <lhenriques at suse.com>
Reviewed-by: Jeff Layton <jlayton at kernel.org>
Signed-off-by: Ilya Dryomov <idryomov at gmail.com>

Linux/linux c95f1c5fs/ceph addr.c

ceph: clear page dirty before invalidate page

clear_page_dirty_for_io(page) before mapping->a_ops->invalidatepage().
invalidatepage() clears page's private flag, if dirty flag is not
cleared, the page may cause BUG_ON failure in ceph_set_page_dirty().

Cc: stable at vger.kernel.org
Link: https://tracker.ceph.com/issues/40862
Signed-off-by: Erqi Chen <chenerqi at gmail.com>
Reviewed-by: Jeff Layton <jlayton at kernel.org>
Signed-off-by: Ilya Dryomov <idryomov at gmail.com>
DeltaFile
+3-2fs/ceph/addr.c
+3-21 files

Linux/linux 28a2826fs/ceph locks.c

ceph: don't try fill file_lock on unsuccessful GETFILELOCK reply

When ceph_mdsc_do_request returns an error, we can't assume that the
filelock_reply pointer will be set. Only try to fetch fields out of
the r_reply_info when it returns success.

Cc: stable at vger.kernel.org
Reported-by: Hector Martin <hector at marcansoft.com>
Signed-off-by: Jeff Layton <jlayton at kernel.org>
Reviewed-by: "Yan, Zheng" <zyan at redhat.com>
Signed-off-by: Ilya Dryomov <idryomov at gmail.com>
DeltaFile
+1-2fs/ceph/locks.c
+1-21 files

Linux/linux a561372net/ceph osd_client.c

libceph: fix PG split vs OSD (re)connect race

We can't rely on ->peer_features in calc_target() because it may be
called both when the OSD session is established and open and when it's
not.  ->peer_features is not valid unless the OSD session is open.  If
this happens on a PG split (pg_num increase), that could mean we don't
resend a request that should have been resent, hanging the client
indefinitely.

In userspace this was fixed by looking at require_osd_release and
get_xinfo[osd].features fields of the osdmap.  However these fields
belong to the OSD section of the osdmap, which the kernel doesn't
decode (only the client section is decoded).

Instead, let's drop this feature check.  It effectively checks for
luminous, so only pre-luminous OSDs would be affected in that on a PG
split the kernel might resend a request that should not have been
resent.  Duplicates can occur in other scenarios, so both sides should
already be prepared for them: see dup/replay logic on the OSD side and
retry_attempt check on the client side.

Cc: stable at vger.kernel.org
Fixes: 7de030d6b10a ("libceph: resend on PG splits if OSD has RESEND_ON_SPLIT")
Link: https://tracker.ceph.com/issues/41162
Reported-by: Jerry Lee <leisurelysw24 at gmail.com>

    [3 lines not shown]

Linux/linux 12fe3ddfs/ceph xattr.c caps.c

ceph: fix buffer free while holding i_ceph_lock in __ceph_build_xattrs_blob()

Calling ceph_buffer_put() in __ceph_build_xattrs_blob() may result in
freeing the i_xattrs.blob buffer while holding the i_ceph_lock.  This can
be fixed by having this function returning the old blob buffer and have
the callers of this function freeing it when the lock is released.

The following backtrace was triggered by fstests generic/117.

  BUG: sleeping function called from invalid context at mm/vmalloc.c:2283
  in_atomic(): 1, irqs_disabled(): 0, pid: 649, name: fsstress
  4 locks held by fsstress/649:
   #0: 00000000a7478e7e (&type->s_umount_key#19){++++}, at: iterate_supers+0x77/0xf0
   #1: 00000000f8de1423 (&(&ci->i_ceph_lock)->rlock){+.+.}, at: ceph_check_caps+0x7b/0xc60
   #2: 00000000562f2b27 (&s->s_mutex){+.+.}, at: ceph_check_caps+0x3bd/0xc60
   #3: 00000000f83ce16a (&mdsc->snap_rwsem){++++}, at: ceph_check_caps+0x3ed/0xc60
  CPU: 1 PID: 649 Comm: fsstress Not tainted 5.2.0+ #439
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.12.1-0-ga5cab58-prebuilt.qemu.org 04/01/2014
  Call Trace:
   dump_stack+0x67/0x90
   ___might_sleep.cold+0x9f/0xb1
   vfree+0x4b/0x60
   ceph_buffer_release+0x1b/0x60
   __ceph_build_xattrs_blob+0x12b/0x170

    [18 lines not shown]

Linux/linux af8a85afs/ceph inode.c

ceph: fix buffer free while holding i_ceph_lock in fill_inode()

Calling ceph_buffer_put() in fill_inode() may result in freeing the
i_xattrs.blob buffer while holding the i_ceph_lock.  This can be fixed by
postponing the call until later, when the lock is released.

The following backtrace was triggered by fstests generic/070.

  BUG: sleeping function called from invalid context at mm/vmalloc.c:2283
  in_atomic(): 1, irqs_disabled(): 0, pid: 3852, name: kworker/0:4
  6 locks held by kworker/0:4/3852:
   #0: 000000004270f6bb ((wq_completion)ceph-msgr){+.+.}, at: process_one_work+0x1b8/0x5f0
   #1: 00000000eb420803 ((work_completion)(&(&con->work)->work)){+.+.}, at: 
process_one_work+0x1b8/0x5f0
   #2: 00000000be1c53a4 (&s->s_mutex){+.+.}, at: dispatch+0x288/0x1476
   #3: 00000000559cb958 (&mdsc->snap_rwsem){++++}, at: dispatch+0x2eb/0x1476
   #4: 000000000d5ebbae (&req->r_fill_mutex){+.+.}, at: dispatch+0x2fc/0x1476
   #5: 00000000a83d0514 (&(&ci->i_ceph_lock)->rlock){+.+.}, at: 
fill_inode.isra.0+0xf8/0xf70
  CPU: 0 PID: 3852 Comm: kworker/0:4 Not tainted 5.2.0+ #441
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.12.1-0-ga5cab58-prebuilt.qemu.org 04/01/2014
  Workqueue: ceph-msgr ceph_con_workfn
  Call Trace:
   dump_stack+0x67/0x90

    [20 lines not shown]
DeltaFile
+4-3fs/ceph/inode.c
+4-31 files

Linux/linux 7035eef. MAINTAINERS

md: update MAINTAINERS info

I have been reviewing patches for md in the past few months. Mark me
as the MD maintainer, as I have effectively been filling that role.

Cc: NeilBrown <neilb at suse.com>
Signed-off-by: Song Liu <songliubraving at fb.com>
Signed-off-by: Jens Axboe <axboe at kernel.dk>
DeltaFile
+2-2MAINTAINERS
+2-21 files

Linux/linux 1e85e6cdrivers/gpu/drm/amd/amdgpu amdgpu_cs.c soc15.c, drivers/gpu/drm/amd/display/amdgpu_dm amdgpu_dm.c

Merge tag 'drm-fixes-5.3-2019-08-21' of git://people.freedesktop.org/~agd5f/linux into 
drm-fixes

drm-fixes-5.3-2019-08-21:

amdgpu:
- Fix gfxoff logic on RV
- Powerplay fixes
- Fix a possible memory leak in CS ioctl
- bpc fix for display

Signed-off-by: Dave Airlie <airlied at redhat.com>
From: Alex Deucher <alexdeucher at gmail.com>
Link: 
https://patchwork.freedesktop.org/patch/msgid/20190822021022.3356-1-alexander.deucher at amd.com

Linux/linux 2ba552bdrivers/gpu/drm/mediatek mtk_drm_drv.c mtk_drm_drv.h

Merge tag 'mediatek-drm-fixes-5.3' of https://github.com/ckhu-mediatek/linux.git-tags into 
drm-fixes

Mediatek memory leak drm fix for Linux 5.3

Signed-off-by: Dave Airlie <airlied at redhat.com>

From: CK Hu <ck.hu at mediatek.com>
Link: https://patchwork.freedesktop.org/patch/msgid/1566264270.30493.4.camel at mtksdaap41

Linux/linux 14673e1drivers/gpu/drm/rcar-du rcar_lvds.c

Merge tag 'du-fixes-20190816' of git://linuxtv.org/pinchartl/media into drm-fixes

R-Car LVDS encoder fix

Signed-off-by: Dave Airlie <airlied at redhat.com>

From: Laurent Pinchart <laurent.pinchart at ideasonboard.com>
Link: 
https://patchwork.freedesktop.org/patch/msgid/20190816130115.GH5020 at pendragon.ideasonboard.com

Linux/linux ec6e491drivers/gpu/drm/amd/display/amdgpu_dm amdgpu_dm.c

drm/amd/display: Calculate bpc based on max_requested_bpc

[Why]
The only place where state->max_bpc is updated on the connector is
at the start of atomic check during drm_atomic_connector_check. It
isn't updated when adding the connectors to the atomic state after
the fact. It also doesn't necessarily reflect the right value when
called in amdgpu during mode validation outside of atomic check.

This can cause the wrong bpc to be used even if the max_requested_bpc
is the correct value.

[How]
Don't rely on state->max_bpc reflecting the real bpc value and just
do the min(...) based on display info bpc and max_requested_bpc.

Fixes: 01933ba42d3d ("drm/amd/display: Use current connector state if NULL when checking 
bpc")
Signed-off-by: Nicholas Kazlauskas <nicholas.kazlauskas at amd.com>
Reviewed-by: Leo Li <sunpeng.li at amd.com>
Signed-off-by: Alex Deucher <alexander.deucher at amd.com>

Linux/linux 1a701eadrivers/gpu/drm/amd/amdgpu amdgpu_cs.c

drm/amdgpu: prevent memory leaks in AMDGPU_CS ioctl

Error out if the AMDGPU_CS ioctl is called with multiple SYNCOBJ_OUT and/or
TIMELINE_SIGNAL chunks, since otherwise the last chunk wins while the
allocated array as well as the reference counts of sync objects are leaked.

Signed-off-by: Nicolai Hähnle <nicolai.haehnle at amd.com>
Reviewed-by: Christian König <christian.koenig at amd.com>
Signed-off-by: Alex Deucher <alexander.deucher at amd.com>

Linux/linux 221a2bddrivers/gpu/drm/amd/amdgpu nv.c

drm/amd/amdgpu: disable MMHUB PG for navi10

Disable MMHUB PG for navi10 according to the production requirement.

Signed-off-by: Kenneth Feng <kenneth.feng at amd.com>
Reviewed-by: Hawking Zhang <Hawking.Zhang at amd.com>
Reviewed-by: Kevin Wang <kevin1.wang at amd.com>
Signed-off-by: Alex Deucher <alexander.deucher at amd.com>