--- /dev/null
+From 2d156b78ce8febf15cd58a025d7d9d7b7577126a Mon Sep 17 00:00:00 2001
+From: Chen-Yu Tsai <wens@csie.org>
+Date: Fri, 3 May 2019 11:15:09 +0800
+Subject: clk: Fix debugfs clk_possible_parents for clks without parent string names
+
+From: Chen-Yu Tsai <wens@csie.org>
+
+commit 2d156b78ce8febf15cd58a025d7d9d7b7577126a upstream.
+
+Following the commit fc0c209c147f ("clk: Allow parents to be specified
+without string names"), the parent name string is not always populated.
+
+Instead, fetch the parents clk_core struct using the appropriate helper,
+and read its name directly. If that fails, go through the possible
+sources of parent names. The order in which they are used is different
+from how parents are looked up, with the global name having precedence
+over local fw_name and indices. This makes more sense as a) the
+parent_maps structure does not differentiate between legacy global names
+and fallback global names, and b) global names likely provide more
+information than local fw_names.
+
+Fixes: fc0c209c147f ("clk: Allow parents to be specified without string names")
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/clk.c | 44 +++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 41 insertions(+), 3 deletions(-)
+
+--- a/drivers/clk/clk.c
++++ b/drivers/clk/clk.c
+@@ -3023,12 +3023,50 @@ DEFINE_SHOW_ATTRIBUTE(clk_flags);
+ static int possible_parents_show(struct seq_file *s, void *data)
+ {
+ struct clk_core *core = s->private;
++ struct clk_core *parent;
+ int i;
+
+- for (i = 0; i < core->num_parents - 1; i++)
+- seq_printf(s, "%s ", core->parents[i].name);
++ /*
++ * Go through the following options to fetch a parent's name.
++ *
++ * 1. Fetch the registered parent clock and use its name
++ * 2. Use the global (fallback) name if specified
++ * 3. Use the local fw_name if provided
++ * 4. Fetch parent clock's clock-output-name if DT index was set
++ *
++ * This may still fail in some cases, such as when the parent is
++ * specified directly via a struct clk_hw pointer, but it isn't
++ * registered (yet).
++ */
++ for (i = 0; i < core->num_parents - 1; i++) {
++ parent = clk_core_get_parent_by_index(core, i);
++ if (parent)
++ seq_printf(s, "%s ", parent->name);
++ else if (core->parents[i].name)
++ seq_printf(s, "%s ", core->parents[i].name);
++ else if (core->parents[i].fw_name)
++ seq_printf(s, "<%s>(fw) ", core->parents[i].fw_name);
++ else if (core->parents[i].index >= 0)
++ seq_printf(s, "%s ",
++ of_clk_get_parent_name(core->of_node,
++ core->parents[i].index));
++ else
++ seq_puts(s, "(missing) ");
++ }
+
+- seq_printf(s, "%s\n", core->parents[i].name);
++ parent = clk_core_get_parent_by_index(core, i);
++ if (parent)
++ seq_printf(s, "%s", parent->name);
++ else if (core->parents[i].name)
++ seq_printf(s, "%s", core->parents[i].name);
++ else if (core->parents[i].fw_name)
++ seq_printf(s, "<%s>(fw)", core->parents[i].fw_name);
++ else if (core->parents[i].index >= 0)
++ seq_printf(s, "%s",
++ of_clk_get_parent_name(core->of_node,
++ core->parents[i].index));
++ else
++ seq_puts(s, "(missing)");
+
+ return 0;
+ }
--- /dev/null
+From 6943b839721ad4a31ad2bacf6e71b21f2dfe3134 Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Fri, 3 May 2019 14:22:08 -0700
+Subject: clk: rockchip: Don't yell about bad mmc phases when getting
+
+From: Douglas Anderson <dianders@chromium.org>
+
+commit 6943b839721ad4a31ad2bacf6e71b21f2dfe3134 upstream.
+
+At boot time, my rk3288-veyron devices yell with 8 lines that look
+like this:
+ [ 0.000000] rockchip_mmc_get_phase: invalid clk rate
+
+This is because the clock framework at clk_register() time tries to
+get the phase but we don't have a parent yet.
+
+While the errors appear to be harmless they are still ugly and, in
+general, we don't want yells like this in the log unless they are
+important.
+
+There's no real reason to be yelling here. We can still return
+-EINVAL to indicate that the phase makes no sense without a parent.
+If someone really tries to do tuning and the clock is reported as 0
+then we'll see the yells in rockchip_mmc_set_phase().
+
+Fixes: 4bf59902b500 ("clk: rockchip: Prevent calculating mmc phase if clock rate is zero")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/rockchip/clk-mmc-phase.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/clk/rockchip/clk-mmc-phase.c
++++ b/drivers/clk/rockchip/clk-mmc-phase.c
+@@ -52,10 +52,8 @@ static int rockchip_mmc_get_phase(struct
+ u32 delay_num = 0;
+
+ /* See the comment for rockchip_mmc_set_phase below */
+- if (!rate) {
+- pr_err("%s: invalid clk rate\n", __func__);
++ if (!rate)
+ return -EINVAL;
+- }
+
+ raw_value = readl(mmc_clock->reg) >> (mmc_clock->shift);
+
--- /dev/null
+From 11f6c2307caee89370d7752eb6f404f1ed73faaf Mon Sep 17 00:00:00 2001
+From: Stephen Boyd <sboyd@kernel.org>
+Date: Mon, 24 Jun 2019 20:01:55 -0700
+Subject: clk: Simplify debugfs printing and add a newline
+
+From: Stephen Boyd <sboyd@kernel.org>
+
+commit 11f6c2307caee89370d7752eb6f404f1ed73faaf upstream.
+
+The possible parent printing function duplicates a bunch of if
+conditions. Pull that into another function so we can print an extra
+character at the end, either a space or a newline. This way we can add
+the required newline that got lost here and also shorten the code.
+
+Fixes: 2d156b78ce8f ("clk: Fix debugfs clk_possible_parents for clks without parent string names")
+Cc: Chen-Yu Tsai <wens@csie.org>
+Tested-by: Chen-Yu Tsai <wens@csie.org>
+Reviewed-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/clk.c | 34 +++++++++++++++-------------------
+ 1 file changed, 15 insertions(+), 19 deletions(-)
+
+--- a/drivers/clk/clk.c
++++ b/drivers/clk/clk.c
+@@ -3020,11 +3020,10 @@ static int clk_flags_show(struct seq_fil
+ }
+ DEFINE_SHOW_ATTRIBUTE(clk_flags);
+
+-static int possible_parents_show(struct seq_file *s, void *data)
++static void possible_parent_show(struct seq_file *s, struct clk_core *core,
++ unsigned int i, char terminator)
+ {
+- struct clk_core *core = s->private;
+ struct clk_core *parent;
+- int i;
+
+ /*
+ * Go through the following options to fetch a parent's name.
+@@ -3038,22 +3037,6 @@ static int possible_parents_show(struct
+ * specified directly via a struct clk_hw pointer, but it isn't
+ * registered (yet).
+ */
+- for (i = 0; i < core->num_parents - 1; i++) {
+- parent = clk_core_get_parent_by_index(core, i);
+- if (parent)
+- seq_printf(s, "%s ", parent->name);
+- else if (core->parents[i].name)
+- seq_printf(s, "%s ", core->parents[i].name);
+- else if (core->parents[i].fw_name)
+- seq_printf(s, "<%s>(fw) ", core->parents[i].fw_name);
+- else if (core->parents[i].index >= 0)
+- seq_printf(s, "%s ",
+- of_clk_get_parent_name(core->of_node,
+- core->parents[i].index));
+- else
+- seq_puts(s, "(missing) ");
+- }
+-
+ parent = clk_core_get_parent_by_index(core, i);
+ if (parent)
+ seq_printf(s, "%s", parent->name);
+@@ -3068,6 +3051,19 @@ static int possible_parents_show(struct
+ else
+ seq_puts(s, "(missing)");
+
++ seq_putc(s, terminator);
++}
++
++static int possible_parents_show(struct seq_file *s, void *data)
++{
++ struct clk_core *core = s->private;
++ int i;
++
++ for (i = 0; i < core->num_parents - 1; i++)
++ possible_parent_show(s, core, i, ' ');
++
++ possible_parent_show(s, core, i, '\n');
++
+ return 0;
+ }
+ DEFINE_SHOW_ATTRIBUTE(possible_parents);
--- /dev/null
+From ac43432cb1f5c2950408534987e57c2071e24d8f Mon Sep 17 00:00:00 2001
+From: Muchun Song <smuchun@gmail.com>
+Date: Sat, 27 Jul 2019 11:21:22 +0800
+Subject: driver core: Fix use-after-free and double free on glue directory
+
+From: Muchun Song <smuchun@gmail.com>
+
+commit ac43432cb1f5c2950408534987e57c2071e24d8f upstream.
+
+There is a race condition between removing glue directory and adding a new
+device under the glue dir. It can be reproduced in following test:
+
+CPU1: CPU2:
+
+device_add()
+ get_device_parent()
+ class_dir_create_and_add()
+ kobject_add_internal()
+ create_dir() // create glue_dir
+
+ device_add()
+ get_device_parent()
+ kobject_get() // get glue_dir
+
+device_del()
+ cleanup_glue_dir()
+ kobject_del(glue_dir)
+
+ kobject_add()
+ kobject_add_internal()
+ create_dir() // in glue_dir
+ sysfs_create_dir_ns()
+ kernfs_create_dir_ns(sd)
+
+ sysfs_remove_dir() // glue_dir->sd=NULL
+ sysfs_put() // free glue_dir->sd
+
+ // sd is freed
+ kernfs_new_node(sd)
+ kernfs_get(glue_dir)
+ kernfs_add_one()
+ kernfs_put()
+
+Before CPU1 remove last child device under glue dir, if CPU2 add a new
+device under glue dir, the glue_dir kobject reference count will be
+increase to 2 via kobject_get() in get_device_parent(). And CPU2 has
+been called kernfs_create_dir_ns(), but not call kernfs_new_node().
+Meanwhile, CPU1 call sysfs_remove_dir() and sysfs_put(). This result in
+glue_dir->sd is freed and it's reference count will be 0. Then CPU2 call
+kernfs_get(glue_dir) will trigger a warning in kernfs_get() and increase
+it's reference count to 1. Because glue_dir->sd is freed by CPU1, the next
+call kernfs_add_one() by CPU2 will fail(This is also use-after-free)
+and call kernfs_put() to decrease reference count. Because the reference
+count is decremented to 0, it will also call kmem_cache_free() to free
+the glue_dir->sd again. This will result in double free.
+
+In order to avoid this happening, we also should make sure that kernfs_node
+for glue_dir is released in CPU1 only when refcount for glue_dir kobj is
+1 to fix this race.
+
+The following calltrace is captured in kernel 4.14 with the following patch
+applied:
+
+commit 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")
+
+--------------------------------------------------------------------------
+[ 3.633703] WARNING: CPU: 4 PID: 513 at .../fs/kernfs/dir.c:494
+ Here is WARN_ON(!atomic_read(&kn->count) in kernfs_get().
+....
+[ 3.633986] Call trace:
+[ 3.633991] kernfs_create_dir_ns+0xa8/0xb0
+[ 3.633994] sysfs_create_dir_ns+0x54/0xe8
+[ 3.634001] kobject_add_internal+0x22c/0x3f0
+[ 3.634005] kobject_add+0xe4/0x118
+[ 3.634011] device_add+0x200/0x870
+[ 3.634017] _request_firmware+0x958/0xc38
+[ 3.634020] request_firmware_into_buf+0x4c/0x70
+....
+[ 3.634064] kernel BUG at .../mm/slub.c:294!
+ Here is BUG_ON(object == fp) in set_freepointer().
+....
+[ 3.634346] Call trace:
+[ 3.634351] kmem_cache_free+0x504/0x6b8
+[ 3.634355] kernfs_put+0x14c/0x1d8
+[ 3.634359] kernfs_create_dir_ns+0x88/0xb0
+[ 3.634362] sysfs_create_dir_ns+0x54/0xe8
+[ 3.634366] kobject_add_internal+0x22c/0x3f0
+[ 3.634370] kobject_add+0xe4/0x118
+[ 3.634374] device_add+0x200/0x870
+[ 3.634378] _request_firmware+0x958/0xc38
+[ 3.634381] request_firmware_into_buf+0x4c/0x70
+--------------------------------------------------------------------------
+
+Fixes: 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")
+Signed-off-by: Muchun Song <smuchun@gmail.com>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Prateek Sood <prsood@codeaurora.org>
+Link: https://lore.kernel.org/r/20190727032122.24639-1-smuchun@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/core.c | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 52 insertions(+), 1 deletion(-)
+
+--- a/drivers/base/core.c
++++ b/drivers/base/core.c
+@@ -1820,12 +1820,63 @@ static inline struct kobject *get_glue_d
+ */
+ static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir)
+ {
++ unsigned int ref;
++
+ /* see if we live in a "glue" directory */
+ if (!live_in_glue_dir(glue_dir, dev))
+ return;
+
+ mutex_lock(&gdp_mutex);
+- if (!kobject_has_children(glue_dir))
++ /**
++ * There is a race condition between removing glue directory
++ * and adding a new device under the glue directory.
++ *
++ * CPU1: CPU2:
++ *
++ * device_add()
++ * get_device_parent()
++ * class_dir_create_and_add()
++ * kobject_add_internal()
++ * create_dir() // create glue_dir
++ *
++ * device_add()
++ * get_device_parent()
++ * kobject_get() // get glue_dir
++ *
++ * device_del()
++ * cleanup_glue_dir()
++ * kobject_del(glue_dir)
++ *
++ * kobject_add()
++ * kobject_add_internal()
++ * create_dir() // in glue_dir
++ * sysfs_create_dir_ns()
++ * kernfs_create_dir_ns(sd)
++ *
++ * sysfs_remove_dir() // glue_dir->sd=NULL
++ * sysfs_put() // free glue_dir->sd
++ *
++ * // sd is freed
++ * kernfs_new_node(sd)
++ * kernfs_get(glue_dir)
++ * kernfs_add_one()
++ * kernfs_put()
++ *
++ * Before CPU1 remove last child device under glue dir, if CPU2 add
++ * a new device under glue dir, the glue_dir kobject reference count
++ * will be increase to 2 in kobject_get(k). And CPU2 has been called
++ * kernfs_create_dir_ns(). Meanwhile, CPU1 call sysfs_remove_dir()
++ * and sysfs_put(). This result in glue_dir->sd is freed.
++ *
++ * Then the CPU2 will see a stale "empty" but still potentially used
++ * glue dir around in kernfs_new_node().
++ *
++ * In order to avoid this happening, we also should make sure that
++ * kernfs_node for glue_dir is released in CPU1 only when refcount
++ * for glue_dir kobj is 1.
++ */
++ ref = kref_read(&glue_dir->kref);
++ if (!kobject_has_children(glue_dir) && !--ref)
+ kobject_del(glue_dir);
+ kobject_put(glue_dir);
+ mutex_unlock(&gdp_mutex);
--- /dev/null
+From 5ffff4415f9eeae834960226770963e2947e17eb Mon Sep 17 00:00:00 2001
+From: Neil Armstrong <narmstrong@baylibre.com>
+Date: Mon, 29 Apr 2019 09:52:38 +0200
+Subject: drm/meson: Add support for XBGR8888 & ABGR8888 formats
+
+From: Neil Armstrong <narmstrong@baylibre.com>
+
+commit 5ffff4415f9eeae834960226770963e2947e17eb upstream.
+
+Add missing XBGR8888 & ABGR8888 formats variants from the primary plane.
+
+Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller")
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Reviewed-by: Kevin Hilman <khilman@baylibre.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190429075238.7884-1-narmstrong@baylibre.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/meson/meson_plane.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/gpu/drm/meson/meson_plane.c
++++ b/drivers/gpu/drm/meson/meson_plane.c
+@@ -153,6 +153,13 @@ static void meson_plane_atomic_update(st
+ priv->viu.osd1_blk0_cfg[0] |= OSD_BLK_MODE_32 |
+ OSD_COLOR_MATRIX_32_ARGB;
+ break;
++ case DRM_FORMAT_XBGR8888:
++ /* For XRGB, replace the pixel's alpha by 0xFF */
++ writel_bits_relaxed(OSD_REPLACE_EN, OSD_REPLACE_EN,
++ priv->io_base + _REG(VIU_OSD1_CTRL_STAT2));
++ priv->viu.osd1_blk0_cfg[0] |= OSD_BLK_MODE_32 |
++ OSD_COLOR_MATRIX_32_ABGR;
++ break;
+ case DRM_FORMAT_ARGB8888:
+ /* For ARGB, use the pixel's alpha */
+ writel_bits_relaxed(OSD_REPLACE_EN, 0,
+@@ -160,6 +167,13 @@ static void meson_plane_atomic_update(st
+ priv->viu.osd1_blk0_cfg[0] |= OSD_BLK_MODE_32 |
+ OSD_COLOR_MATRIX_32_ARGB;
+ break;
++ case DRM_FORMAT_ABGR8888:
++ /* For ARGB, use the pixel's alpha */
++ writel_bits_relaxed(OSD_REPLACE_EN, 0,
++ priv->io_base + _REG(VIU_OSD1_CTRL_STAT2));
++ priv->viu.osd1_blk0_cfg[0] |= OSD_BLK_MODE_32 |
++ OSD_COLOR_MATRIX_32_ABGR;
++ break;
+ case DRM_FORMAT_RGB888:
+ priv->viu.osd1_blk0_cfg[0] |= OSD_BLK_MODE_24 |
+ OSD_COLOR_MATRIX_24_RGB;
+@@ -346,7 +360,9 @@ static const struct drm_plane_funcs meso
+
+ static const uint32_t supported_drm_formats[] = {
+ DRM_FORMAT_ARGB8888,
++ DRM_FORMAT_ABGR8888,
+ DRM_FORMAT_XRGB8888,
++ DRM_FORMAT_XBGR8888,
+ DRM_FORMAT_RGB888,
+ DRM_FORMAT_RGB565,
+ };
--- /dev/null
+From bc6f2a757d525e001268c3658bd88822e768f8db Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Tue, 11 Jun 2019 23:00:07 +0800
+Subject: kernel/module: Fix mem leak in module_add_modinfo_attrs
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+commit bc6f2a757d525e001268c3658bd88822e768f8db upstream.
+
+In module_add_modinfo_attrs if sysfs_create_file
+fails, we forget to free allocated modinfo_attrs
+and roll back the sysfs files.
+
+Fixes: 03e88ae1b13d ("[PATCH] fix module sysfs files reference counting")
+Reviewed-by: Miroslav Benes <mbenes@suse.cz>
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Jessica Yu <jeyu@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/module.c | 22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -1697,6 +1697,8 @@ static int add_usage_links(struct module
+ return ret;
+ }
+
++static void module_remove_modinfo_attrs(struct module *mod, int end);
++
+ static int module_add_modinfo_attrs(struct module *mod)
+ {
+ struct module_attribute *attr;
+@@ -1711,24 +1713,34 @@ static int module_add_modinfo_attrs(stru
+ return -ENOMEM;
+
+ temp_attr = mod->modinfo_attrs;
+- for (i = 0; (attr = modinfo_attrs[i]) && !error; i++) {
++ for (i = 0; (attr = modinfo_attrs[i]); i++) {
+ if (!attr->test || attr->test(mod)) {
+ memcpy(temp_attr, attr, sizeof(*temp_attr));
+ sysfs_attr_init(&temp_attr->attr);
+ error = sysfs_create_file(&mod->mkobj.kobj,
+ &temp_attr->attr);
++ if (error)
++ goto error_out;
+ ++temp_attr;
+ }
+ }
++
++ return 0;
++
++error_out:
++ if (i > 0)
++ module_remove_modinfo_attrs(mod, --i);
+ return error;
+ }
+
+-static void module_remove_modinfo_attrs(struct module *mod)
++static void module_remove_modinfo_attrs(struct module *mod, int end)
+ {
+ struct module_attribute *attr;
+ int i;
+
+ for (i = 0; (attr = &mod->modinfo_attrs[i]); i++) {
++ if (end >= 0 && i > end)
++ break;
+ /* pick a field to test for end of list */
+ if (!attr->attr.name)
+ break;
+@@ -1816,7 +1828,7 @@ static int mod_sysfs_setup(struct module
+ return 0;
+
+ out_unreg_modinfo_attrs:
+- module_remove_modinfo_attrs(mod);
++ module_remove_modinfo_attrs(mod, -1);
+ out_unreg_param:
+ module_param_sysfs_remove(mod);
+ out_unreg_holders:
+@@ -1852,7 +1864,7 @@ static void mod_sysfs_fini(struct module
+ {
+ }
+
+-static void module_remove_modinfo_attrs(struct module *mod)
++static void module_remove_modinfo_attrs(struct module *mod, int end)
+ {
+ }
+
+@@ -1868,7 +1880,7 @@ static void init_param_lock(struct modul
+ static void mod_sysfs_teardown(struct module *mod)
+ {
+ del_usage_links(mod);
+- module_remove_modinfo_attrs(mod);
++ module_remove_modinfo_attrs(mod, -1);
+ module_param_sysfs_remove(mod);
+ kobject_put(mod->mkobj.drivers_dir);
+ kobject_put(mod->holders_dir);
--- /dev/null
+From b1571a0e77d8cef14227af293c6dda1464a57270 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 3 May 2019 15:54:36 +0300
+Subject: mt76: Fix a signedness bug in mt7615_add_interface()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit b1571a0e77d8cef14227af293c6dda1464a57270 upstream.
+
+The problem is that "mvif->omac_idx" is a u8 so it can't be negative
+and the error handling won't work. The get_omac_idx() function returns
+-1 on error.
+
+Fixes: 04b8e65922f6 ("mt76: add mac80211 driver for MT7615 PCIe-based chipsets")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mediatek/mt76/mt7615/main.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7615/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7615/main.c
+@@ -77,11 +77,12 @@ static int mt7615_add_interface(struct i
+ goto out;
+ }
+
+- mvif->omac_idx = get_omac_idx(vif->type, dev->omac_mask);
+- if (mvif->omac_idx < 0) {
++ idx = get_omac_idx(vif->type, dev->omac_mask);
++ if (idx < 0) {
+ ret = -ENOSPC;
+ goto out;
+ }
++ mvif->omac_idx = idx;
+
+ /* TODO: DBDC support. Use band 0 and wmm 0 for now */
+ mvif->band_idx = 0;
--- /dev/null
+From 9db1aec0c2d72a3b7b115ba56e8dbb5b46855333 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 3 May 2019 16:09:13 +0300
+Subject: mt76: mt7615: Use after free in mt7615_mcu_set_bcn()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 9db1aec0c2d72a3b7b115ba56e8dbb5b46855333 upstream.
+
+We dereference "skb" when we assign:
+
+ req.pkt_len = cpu_to_le16(MT_TXD_SIZE + skb->len);
+ ^^^^^^^^
+So this patch just moves the dev_kfree_skb() down a bit to avoid the
+use after free.
+
+Fixes: 04b8e65922f6 ("mt76: add mac80211 driver for MT7615 PCIe-based chipsets")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mediatek/mt76/mt7615/mcu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
+@@ -1270,7 +1270,6 @@ int mt7615_mcu_set_bcn(struct mt7615_dev
+ mt7615_mac_write_txwi(dev, (__le32 *)(req.pkt), skb, wcid, NULL,
+ 0, NULL);
+ memcpy(req.pkt + MT_TXD_SIZE, skb->data, skb->len);
+- dev_kfree_skb(skb);
+
+ req.omac_idx = mvif->omac_idx;
+ req.enable = en;
+@@ -1281,6 +1280,7 @@ int mt7615_mcu_set_bcn(struct mt7615_dev
+ req.pkt_len = cpu_to_le16(MT_TXD_SIZE + skb->len);
+ req.tim_ie_pos = cpu_to_le16(MT_TXD_SIZE + tim_off);
+
++ dev_kfree_skb(skb);
+ skb = mt7615_mcu_msg_alloc(&req, sizeof(req));
+
+ return mt7615_mcu_msg_send(dev, skb, MCU_EXT_CMD_BCN_OFFLOAD,
--- /dev/null
+From 336d4b138be2dad372b67a2388e42805c48aaa38 Mon Sep 17 00:00:00 2001
+From: Xiaolei Li <xiaolei.li@mediatek.com>
+Date: Tue, 7 May 2019 18:25:41 +0800
+Subject: mtd: rawnand: mtk: Fix wrongly assigned OOB buffer pointer issue
+
+From: Xiaolei Li <xiaolei.li@mediatek.com>
+
+commit 336d4b138be2dad372b67a2388e42805c48aaa38 upstream.
+
+One main goal of the function mtk_nfc_update_ecc_stats is to check
+whether sectors are all empty. If they are empty, set these sectors's
+data buffer and OOB buffer as 0xff.
+
+But now, the sector OOB buffer pointer is wrongly assigned. We always
+do memset from sector 0.
+
+To fix this issue, pass start sector number to make OOB buffer pointer
+be properly assigned.
+
+Fixes: 1d6b1e464950 ("mtd: mediatek: driver for MTK Smart Device")
+Signed-off-by: Xiaolei Li <xiaolei.li@mediatek.com>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/raw/mtk_nand.c | 21 ++++++++++-----------
+ 1 file changed, 10 insertions(+), 11 deletions(-)
+
+--- a/drivers/mtd/nand/raw/mtk_nand.c
++++ b/drivers/mtd/nand/raw/mtk_nand.c
+@@ -853,19 +853,21 @@ static int mtk_nfc_write_oob_std(struct
+ return mtk_nfc_write_page_raw(chip, NULL, 1, page);
+ }
+
+-static int mtk_nfc_update_ecc_stats(struct mtd_info *mtd, u8 *buf, u32 sectors)
++static int mtk_nfc_update_ecc_stats(struct mtd_info *mtd, u8 *buf, u32 start,
++ u32 sectors)
+ {
+ struct nand_chip *chip = mtd_to_nand(mtd);
+ struct mtk_nfc *nfc = nand_get_controller_data(chip);
+ struct mtk_nfc_nand_chip *mtk_nand = to_mtk_nand(chip);
+ struct mtk_ecc_stats stats;
++ u32 reg_size = mtk_nand->fdm.reg_size;
+ int rc, i;
+
+ rc = nfi_readl(nfc, NFI_STA) & STA_EMP_PAGE;
+ if (rc) {
+ memset(buf, 0xff, sectors * chip->ecc.size);
+ for (i = 0; i < sectors; i++)
+- memset(oob_ptr(chip, i), 0xff, mtk_nand->fdm.reg_size);
++ memset(oob_ptr(chip, start + i), 0xff, reg_size);
+ return 0;
+ }
+
+@@ -885,7 +887,7 @@ static int mtk_nfc_read_subpage(struct m
+ u32 spare = mtk_nand->spare_per_sector;
+ u32 column, sectors, start, end, reg;
+ dma_addr_t addr;
+- int bitflips;
++ int bitflips = 0;
+ size_t len;
+ u8 *buf;
+ int rc;
+@@ -952,14 +954,11 @@ static int mtk_nfc_read_subpage(struct m
+ if (rc < 0) {
+ dev_err(nfc->dev, "subpage done timeout\n");
+ bitflips = -EIO;
+- } else {
+- bitflips = 0;
+- if (!raw) {
+- rc = mtk_ecc_wait_done(nfc->ecc, ECC_DECODE);
+- bitflips = rc < 0 ? -ETIMEDOUT :
+- mtk_nfc_update_ecc_stats(mtd, buf, sectors);
+- mtk_nfc_read_fdm(chip, start, sectors);
+- }
++ } else if (!raw) {
++ rc = mtk_ecc_wait_done(nfc->ecc, ECC_DECODE);
++ bitflips = rc < 0 ? -ETIMEDOUT :
++ mtk_nfc_update_ecc_stats(mtd, buf, start, sectors);
++ mtk_nfc_read_fdm(chip, start, sectors);
+ }
+
+ dma_unmap_single(nfc->dev, addr, len, DMA_FROM_DEVICE);
--- /dev/null
+From 2d2f4273cbe9058d1f5a518e5e880d27d7b3b30f Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Thu, 9 May 2019 13:27:22 -0600
+Subject: PCI: Always allow probing with driver_override
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+commit 2d2f4273cbe9058d1f5a518e5e880d27d7b3b30f upstream.
+
+Commit 0e7df22401a3 ("PCI: Add sysfs sriov_drivers_autoprobe to control
+VF driver binding") introduced the sriov_drivers_autoprobe attribute
+which allows users to prevent the kernel from automatically probing a
+driver for new VFs as they are created. This allows VFs to be spawned
+without automatically binding the new device to a host driver, such as
+in cases where the user intends to use the device only with a meta
+driver like vfio-pci. However, the current implementation prevents any
+use of drivers_probe with the VF while sriov_drivers_autoprobe=0. This
+blocks the now current general practice of setting driver_override
+followed by using drivers_probe to bind a device to a specified driver.
+
+The kernel never automatically sets a driver_override therefore it seems
+we can assume a driver_override reflects the intent of the user. Also,
+probing a device using a driver_override match seems outside the scope
+of the 'auto' part of sriov_drivers_autoprobe. Therefore, let's allow
+driver_override matches regardless of sriov_drivers_autoprobe, which we
+can do by simply testing if a driver_override is set for a device as a
+'can probe' condition.
+
+Fixes: 0e7df22401a3 ("PCI: Add sysfs sriov_drivers_autoprobe to control VF driver binding")
+Link: https://lore.kernel.org/lkml/155742996741.21878.569845487290798703.stgit@gimli.home
+Link: https://lore.kernel.org/linux-pci/155672991496.20698.4279330795743262888.stgit@gimli.home/T/#u
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/pci-driver.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/pci/pci-driver.c
++++ b/drivers/pci/pci-driver.c
+@@ -399,7 +399,8 @@ void __weak pcibios_free_irq(struct pci_
+ #ifdef CONFIG_PCI_IOV
+ static inline bool pci_device_can_probe(struct pci_dev *pdev)
+ {
+- return (!pdev->is_virtfn || pdev->physfn->sriov->drivers_autoprobe);
++ return (!pdev->is_virtfn || pdev->physfn->sriov->drivers_autoprobe ||
++ pdev->driver_override);
+ }
+ #else
+ static inline bool pci_device_can_probe(struct pci_dev *pdev)
--- /dev/null
+From 6fbcdd59094ade30db63f32316e9502425d7b256 Mon Sep 17 00:00:00 2001
+From: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
+Date: Wed, 6 Mar 2019 12:10:38 +1100
+Subject: powerpc: Add barrier_nospec to raw_copy_in_user()
+
+From: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
+
+commit 6fbcdd59094ade30db63f32316e9502425d7b256 upstream.
+
+Commit ddf35cf3764b ("powerpc: Use barrier_nospec in copy_from_user()")
+Added barrier_nospec before loading from user-controlled pointers. The
+intention was to order the load from the potentially user-controlled
+pointer vs a previous branch based on an access_ok() check or similar.
+
+In order to achieve the same result, add a barrier_nospec to the
+raw_copy_in_user() function before loading from such a user-controlled
+pointer.
+
+Fixes: ddf35cf3764b ("powerpc: Use barrier_nospec in copy_from_user()")
+Signed-off-by: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/uaccess.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/powerpc/include/asm/uaccess.h
++++ b/arch/powerpc/include/asm/uaccess.h
+@@ -312,6 +312,7 @@ raw_copy_in_user(void __user *to, const
+ {
+ unsigned long ret;
+
++ barrier_nospec();
+ allow_user_access(to, from, n);
+ ret = __copy_tofrom_user(to, from, n);
+ prevent_user_access(to, from, n);
kvm-x86-mmu-reintroduce-fast-invalidate-zap-for-flushing-memslot.patch
kvm-nvmx-handle-page-fault-in-vmread.patch
x86-purgatory-change-compiler-flags-from-mcmodel-kernel-to-mcmodel-large-to-fix-kexec-relocation-errors.patch
+powerpc-add-barrier_nospec-to-raw_copy_in_user.patch
+kernel-module-fix-mem-leak-in-module_add_modinfo_attrs.patch
+x86-boot-use-efi_setup_data-for-searching-rsdp-on-kexec-ed-kernels.patch
+x86-ima-check-efi-setupmode-too.patch
+drm-meson-add-support-for-xbgr8888-abgr8888-formats.patch
+clk-fix-debugfs-clk_possible_parents-for-clks-without-parent-string-names.patch
+clk-simplify-debugfs-printing-and-add-a-newline.patch
+mt76-fix-a-signedness-bug-in-mt7615_add_interface.patch
+mt76-mt7615-use-after-free-in-mt7615_mcu_set_bcn.patch
+clk-rockchip-don-t-yell-about-bad-mmc-phases-when-getting.patch
+mtd-rawnand-mtk-fix-wrongly-assigned-oob-buffer-pointer-issue.patch
+pci-always-allow-probing-with-driver_override.patch
+ubifs-correctly-use-tnc_next-in-search_dh_cookie.patch
+driver-core-fix-use-after-free-and-double-free-on-glue-directory.patch
--- /dev/null
+From bacfa94b08027b9f66ede7044972e3b066766b3e Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Tue, 14 May 2019 22:31:08 +0200
+Subject: ubifs: Correctly use tnc_next() in search_dh_cookie()
+
+From: Richard Weinberger <richard@nod.at>
+
+commit bacfa94b08027b9f66ede7044972e3b066766b3e upstream.
+
+Commit c877154d307f fixed an uninitialized variable and optimized
+the function to not call tnc_next() in the first iteration of the
+loop. While this seemed perfectly legit and wise, it turned out to
+be illegal.
+If the lookup function does not find an exact match it will rewind
+the cursor by 1.
+The rewinded cursor will not match the name hash we are looking for
+and this results in a spurious -ENOENT.
+So we need to move to the next entry in case of an non-exact match,
+but not if the match was exact.
+
+While we are here, update the documentation to avoid further confusion.
+
+Cc: Hyunchul Lee <hyc.lee@gmail.com>
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Fixes: c877154d307f ("ubifs: Fix uninitialized variable in search_dh_cookie()")
+Fixes: 781f675e2d7e ("ubifs: Fix unlink code wrt. double hash lookups")
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/tnc.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/fs/ubifs/tnc.c
++++ b/fs/ubifs/tnc.c
+@@ -1158,8 +1158,8 @@ static struct ubifs_znode *dirty_cow_bot
+ * o exact match, i.e. the found zero-level znode contains key @key, then %1
+ * is returned and slot number of the matched branch is stored in @n;
+ * o not exact match, which means that zero-level znode does not contain
+- * @key, then %0 is returned and slot number of the closest branch is stored
+- * in @n;
++ * @key, then %0 is returned and slot number of the closest branch or %-1
++ * is stored in @n; In this case calling tnc_next() is mandatory.
+ * o @key is so small that it is even less than the lowest key of the
+ * leftmost zero-level node, then %0 is returned and %0 is stored in @n.
+ *
+@@ -1882,13 +1882,19 @@ int ubifs_tnc_lookup_nm(struct ubifs_inf
+
+ static int search_dh_cookie(struct ubifs_info *c, const union ubifs_key *key,
+ struct ubifs_dent_node *dent, uint32_t cookie,
+- struct ubifs_znode **zn, int *n)
++ struct ubifs_znode **zn, int *n, int exact)
+ {
+ int err;
+ struct ubifs_znode *znode = *zn;
+ struct ubifs_zbranch *zbr;
+ union ubifs_key *dkey;
+
++ if (!exact) {
++ err = tnc_next(c, &znode, n);
++ if (err)
++ return err;
++ }
++
+ for (;;) {
+ zbr = &znode->zbranch[*n];
+ dkey = &zbr->key;
+@@ -1930,7 +1936,7 @@ static int do_lookup_dh(struct ubifs_inf
+ if (unlikely(err < 0))
+ goto out_unlock;
+
+- err = search_dh_cookie(c, key, dent, cookie, &znode, &n);
++ err = search_dh_cookie(c, key, dent, cookie, &znode, &n, err);
+
+ out_unlock:
+ mutex_unlock(&c->tnc_mutex);
+@@ -2723,7 +2729,7 @@ int ubifs_tnc_remove_dh(struct ubifs_inf
+ if (unlikely(err < 0))
+ goto out_free;
+
+- err = search_dh_cookie(c, key, dent, cookie, &znode, &n);
++ err = search_dh_cookie(c, key, dent, cookie, &znode, &n, err);
+ if (err)
+ goto out_free;
+ }
--- /dev/null
+From 0a23ebc66a46786769dd68bfdaa3102345819b9c Mon Sep 17 00:00:00 2001
+From: Junichi Nomura <j-nomura@ce.jp.nec.com>
+Date: Thu, 11 Apr 2019 15:49:32 +0200
+Subject: x86/boot: Use efi_setup_data for searching RSDP on kexec-ed kernels
+
+From: Junichi Nomura <j-nomura@ce.jp.nec.com>
+
+commit 0a23ebc66a46786769dd68bfdaa3102345819b9c upstream.
+
+Commit
+
+ 3a63f70bf4c3a ("x86/boot: Early parse RSDP and save it in boot_params")
+
+broke kexec boot on EFI systems. efi_get_rsdp_addr() in the early
+parsing code tries to search RSDP from the EFI tables but that will
+crash because the table address is virtual when the kernel was booted by
+kexec (set_virtual_address_map() has run in the first kernel and cannot
+be run again in the second kernel).
+
+In the case of kexec, the physical address of EFI tables is provided via
+efi_setup_data in boot_params, which is set up by kexec(1).
+
+Factor out the table parsing code and use different pointers depending
+on whether the kernel is booted by kexec or not.
+
+ [ bp: Massage. ]
+
+Fixes: 3a63f70bf4c3a ("x86/boot: Early parse RSDP and save it in boot_params")
+Signed-off-by: Jun'ichi Nomura <j-nomura@ce.jp.nec.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Tested-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
+Cc: Chao Fan <fanc.fnst@cn.fujitsu.com>
+Cc: Dave Young <dyoung@redhat.com>
+Link: https://lkml.kernel.org/r/20190408231011.GA5402@jeru.linux.bs1.fc.nec.co.jp
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/boot/compressed/acpi.c | 143 +++++++++++++++++++++++++++++-----------
+ 1 file changed, 107 insertions(+), 36 deletions(-)
+
+--- a/arch/x86/boot/compressed/acpi.c
++++ b/arch/x86/boot/compressed/acpi.c
+@@ -44,17 +44,109 @@ static acpi_physical_address get_acpi_rs
+ return addr;
+ }
+
+-/* Search EFI system tables for RSDP. */
+-static acpi_physical_address efi_get_rsdp_addr(void)
++/*
++ * Search EFI system tables for RSDP. If both ACPI_20_TABLE_GUID and
++ * ACPI_TABLE_GUID are found, take the former, which has more features.
++ */
++static acpi_physical_address
++__efi_get_rsdp_addr(unsigned long config_tables, unsigned int nr_tables,
++ bool efi_64)
+ {
+ acpi_physical_address rsdp_addr = 0;
+
+ #ifdef CONFIG_EFI
+- unsigned long systab, systab_tables, config_tables;
++ int i;
++
++ /* Get EFI tables from systab. */
++ for (i = 0; i < nr_tables; i++) {
++ acpi_physical_address table;
++ efi_guid_t guid;
++
++ if (efi_64) {
++ efi_config_table_64_t *tbl = (efi_config_table_64_t *)config_tables + i;
++
++ guid = tbl->guid;
++ table = tbl->table;
++
++ if (!IS_ENABLED(CONFIG_X86_64) && table >> 32) {
++ debug_putstr("Error getting RSDP address: EFI config table located above 4GB.\n");
++ return 0;
++ }
++ } else {
++ efi_config_table_32_t *tbl = (efi_config_table_32_t *)config_tables + i;
++
++ guid = tbl->guid;
++ table = tbl->table;
++ }
++
++ if (!(efi_guidcmp(guid, ACPI_TABLE_GUID)))
++ rsdp_addr = table;
++ else if (!(efi_guidcmp(guid, ACPI_20_TABLE_GUID)))
++ return table;
++ }
++#endif
++ return rsdp_addr;
++}
++
++/* EFI/kexec support is 64-bit only. */
++#ifdef CONFIG_X86_64
++static struct efi_setup_data *get_kexec_setup_data_addr(void)
++{
++ struct setup_data *data;
++ u64 pa_data;
++
++ pa_data = boot_params->hdr.setup_data;
++ while (pa_data) {
++ data = (struct setup_data *)pa_data;
++ if (data->type == SETUP_EFI)
++ return (struct efi_setup_data *)(pa_data + sizeof(struct setup_data));
++
++ pa_data = data->next;
++ }
++ return NULL;
++}
++
++static acpi_physical_address kexec_get_rsdp_addr(void)
++{
++ efi_system_table_64_t *systab;
++ struct efi_setup_data *esd;
++ struct efi_info *ei;
++ char *sig;
++
++ esd = (struct efi_setup_data *)get_kexec_setup_data_addr();
++ if (!esd)
++ return 0;
++
++ if (!esd->tables) {
++ debug_putstr("Wrong kexec SETUP_EFI data.\n");
++ return 0;
++ }
++
++ ei = &boot_params->efi_info;
++ sig = (char *)&ei->efi_loader_signature;
++ if (strncmp(sig, EFI64_LOADER_SIGNATURE, 4)) {
++ debug_putstr("Wrong kexec EFI loader signature.\n");
++ return 0;
++ }
++
++ /* Get systab from boot params. */
++ systab = (efi_system_table_64_t *) (ei->efi_systab | ((__u64)ei->efi_systab_hi << 32));
++ if (!systab)
++ error("EFI system table not found in kexec boot_params.");
++
++ return __efi_get_rsdp_addr((unsigned long)esd->tables, systab->nr_tables, true);
++}
++#else
++static acpi_physical_address kexec_get_rsdp_addr(void) { return 0; }
++#endif /* CONFIG_X86_64 */
++
++static acpi_physical_address efi_get_rsdp_addr(void)
++{
++#ifdef CONFIG_EFI
++ unsigned long systab, config_tables;
+ unsigned int nr_tables;
+ struct efi_info *ei;
+ bool efi_64;
+- int size, i;
+ char *sig;
+
+ ei = &boot_params->efi_info;
+@@ -88,49 +180,20 @@ static acpi_physical_address efi_get_rsd
+
+ config_tables = stbl->tables;
+ nr_tables = stbl->nr_tables;
+- size = sizeof(efi_config_table_64_t);
+ } else {
+ efi_system_table_32_t *stbl = (efi_system_table_32_t *)systab;
+
+ config_tables = stbl->tables;
+ nr_tables = stbl->nr_tables;
+- size = sizeof(efi_config_table_32_t);
+ }
+
+ if (!config_tables)
+ error("EFI config tables not found.");
+
+- /* Get EFI tables from systab. */
+- for (i = 0; i < nr_tables; i++) {
+- acpi_physical_address table;
+- efi_guid_t guid;
+-
+- config_tables += size;
+-
+- if (efi_64) {
+- efi_config_table_64_t *tbl = (efi_config_table_64_t *)config_tables;
+-
+- guid = tbl->guid;
+- table = tbl->table;
+-
+- if (!IS_ENABLED(CONFIG_X86_64) && table >> 32) {
+- debug_putstr("Error getting RSDP address: EFI config table located above 4GB.\n");
+- return 0;
+- }
+- } else {
+- efi_config_table_32_t *tbl = (efi_config_table_32_t *)config_tables;
+-
+- guid = tbl->guid;
+- table = tbl->table;
+- }
+-
+- if (!(efi_guidcmp(guid, ACPI_TABLE_GUID)))
+- rsdp_addr = table;
+- else if (!(efi_guidcmp(guid, ACPI_20_TABLE_GUID)))
+- return table;
+- }
++ return __efi_get_rsdp_addr(config_tables, nr_tables, efi_64);
++#else
++ return 0;
+ #endif
+- return rsdp_addr;
+ }
+
+ static u8 compute_checksum(u8 *buffer, u32 length)
+@@ -220,6 +283,14 @@ acpi_physical_address get_rsdp_addr(void
+ if (!pa)
+ pa = boot_params->acpi_rsdp_addr;
+
++ /*
++ * Try to get EFI data from setup_data. This can happen when we're a
++ * kexec'ed kernel and kexec(1) has passed all the required EFI info to
++ * us.
++ */
++ if (!pa)
++ pa = kexec_get_rsdp_addr();
++
+ if (!pa)
+ pa = efi_get_rsdp_addr();
+
--- /dev/null
+From 980ef4d22a95a3cd84a9b8ffaa7b81b391d173c6 Mon Sep 17 00:00:00 2001
+From: Mimi Zohar <zohar@linux.ibm.com>
+Date: Wed, 24 Apr 2019 13:05:46 -0400
+Subject: x86/ima: check EFI SetupMode too
+
+From: Mimi Zohar <zohar@linux.ibm.com>
+
+commit 980ef4d22a95a3cd84a9b8ffaa7b81b391d173c6 upstream.
+
+Checking "SecureBoot" mode is not sufficient, also check "SetupMode".
+
+Fixes: 399574c64eaf ("x86/ima: retry detecting secure boot mode")
+Reported-by: Matthew Garrett <mjg59@google.com>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/ima_arch.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/ima_arch.c
++++ b/arch/x86/kernel/ima_arch.c
+@@ -11,10 +11,11 @@ extern struct boot_params boot_params;
+ static enum efi_secureboot_mode get_sb_mode(void)
+ {
+ efi_char16_t efi_SecureBoot_name[] = L"SecureBoot";
++ efi_char16_t efi_SetupMode_name[] = L"SecureBoot";
+ efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
+ efi_status_t status;
+ unsigned long size;
+- u8 secboot;
++ u8 secboot, setupmode;
+
+ size = sizeof(secboot);
+
+@@ -36,7 +37,14 @@ static enum efi_secureboot_mode get_sb_m
+ return efi_secureboot_mode_unknown;
+ }
+
+- if (secboot == 0) {
++ size = sizeof(setupmode);
++ status = efi.get_variable(efi_SetupMode_name, &efi_variable_guid,
++ NULL, &size, &setupmode);
++
++ if (status != EFI_SUCCESS) /* ignore unknown SetupMode */
++ setupmode = 0;
++
++ if (secboot == 0 || setupmode == 1) {
+ pr_info("ima: secureboot mode disabled\n");
+ return efi_secureboot_mode_disabled;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
