--- /dev/null
+From 8ad6687af834b1455fddd66d0225b6d074e3dad5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Aug 2020 18:33:54 -0700
+Subject: alpha: fix annotation of io{read,write}{16,32}be()
+
+From: Luc Van Oostenryck <luc.vanoostenryck@gmail.com>
+
+[ Upstream commit bd72866b8da499e60633ff28f8a4f6e09ca78efe ]
+
+These accessors must be used to read/write a big-endian bus. The value
+returned or written is native-endian.
+
+However, these accessors are defined using be{16,32}_to_cpu() or
+cpu_to_be{16,32}() to make the endian conversion but these expect a
+__be{16,32} when none is present. Keeping them would need a force cast
+that would solve nothing at all.
+
+So, do the conversion using swab{16,32}, like done in asm-generic for
+similar situations.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Luc Van Oostenryck <luc.vanoostenryck@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Richard Henderson <rth@twiddle.net>
+Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
+Cc: Matt Turner <mattst88@gmail.com>
+Cc: Stephen Boyd <sboyd@kernel.org>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Link: http://lkml.kernel.org/r/20200622114232.80039-1-luc.vanoostenryck@gmail.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/alpha/include/asm/io.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/alpha/include/asm/io.h b/arch/alpha/include/asm/io.h
+index ff4049155c840..355aec0867f4d 100644
+--- a/arch/alpha/include/asm/io.h
++++ b/arch/alpha/include/asm/io.h
+@@ -491,10 +491,10 @@ extern inline void writeq(u64 b, volatile void __iomem *addr)
+ }
+ #endif
+
+-#define ioread16be(p) be16_to_cpu(ioread16(p))
+-#define ioread32be(p) be32_to_cpu(ioread32(p))
+-#define iowrite16be(v,p) iowrite16(cpu_to_be16(v), (p))
+-#define iowrite32be(v,p) iowrite32(cpu_to_be32(v), (p))
++#define ioread16be(p) swab16(ioread16(p))
++#define ioread32be(p) swab32(ioread32(p))
++#define iowrite16be(v,p) iowrite16(swab16(v), (p))
++#define iowrite32be(v,p) iowrite32(swab32(v), (p))
+
+ #define inb_p inb
+ #define inw_p inw
+--
+2.25.1
+
--- /dev/null
+From 12e9a53afa9956f12d257de1a5fce9ad95f3ee2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Apr 2017 10:00:13 -0700
+Subject: ext4: clean up ext4_match() and callers
+
+From: Eric Biggers <ebiggers@google.com>
+
+[ Upstream commit d9b9f8d5a88cb7881d9f1c2b7e9de9a3fe1dc9e2 ]
+
+When ext4 encryption was originally merged, we were encrypting the
+user-specified filename in ext4_match(), introducing a lot of additional
+complexity into ext4_match() and its callers. This has since been
+changed to encrypt the filename earlier, so we can remove the gunk
+that's no longer needed. This more or less reverts ext4_search_dir()
+and ext4_find_dest_de() to the way they were in the v4.0 kernel.
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/namei.c | 81 +++++++++++++++----------------------------------
+ 1 file changed, 25 insertions(+), 56 deletions(-)
+
+diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
+index 566a8b08ccdd6..eb41fb189d4b3 100644
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -1226,19 +1226,18 @@ static void dx_insert_block(struct dx_frame *frame, u32 hash, ext4_lblk_t block)
+ }
+
+ /*
+- * NOTE! unlike strncmp, ext4_match returns 1 for success, 0 for failure.
++ * Test whether a directory entry matches the filename being searched for.
+ *
+- * `len <= EXT4_NAME_LEN' is guaranteed by caller.
+- * `de != NULL' is guaranteed by caller.
++ * Return: %true if the directory entry matches, otherwise %false.
+ */
+-static inline int ext4_match(struct ext4_filename *fname,
+- struct ext4_dir_entry_2 *de)
++static inline bool ext4_match(const struct ext4_filename *fname,
++ const struct ext4_dir_entry_2 *de)
+ {
+ const void *name = fname_name(fname);
+ u32 len = fname_len(fname);
+
+ if (!de->inode)
+- return 0;
++ return false;
+
+ #ifdef CONFIG_EXT4_FS_ENCRYPTION
+ if (unlikely(!name)) {
+@@ -1270,48 +1269,31 @@ int ext4_search_dir(struct buffer_head *bh, char *search_buf, int buf_size,
+ struct ext4_dir_entry_2 * de;
+ char * dlimit;
+ int de_len;
+- int res;
+
+ de = (struct ext4_dir_entry_2 *)search_buf;
+ dlimit = search_buf + buf_size;
+ while ((char *) de < dlimit) {
+ /* this code is executed quadratically often */
+ /* do minimal checking `by hand' */
+- if ((char *) de + de->name_len <= dlimit) {
+- res = ext4_match(fname, de);
+- if (res < 0) {
+- res = -1;
+- goto return_result;
+- }
+- if (res > 0) {
+- /* found a match - just to be sure, do
+- * a full check */
+- if (ext4_check_dir_entry(dir, NULL, de, bh,
+- bh->b_data,
+- bh->b_size, offset)) {
+- res = -1;
+- goto return_result;
+- }
+- *res_dir = de;
+- res = 1;
+- goto return_result;
+- }
+-
++ if ((char *) de + de->name_len <= dlimit &&
++ ext4_match(fname, de)) {
++ /* found a match - just to be sure, do
++ * a full check */
++ if (ext4_check_dir_entry(dir, NULL, de, bh, bh->b_data,
++ bh->b_size, offset))
++ return -1;
++ *res_dir = de;
++ return 1;
+ }
+ /* prevent looping on a bad block */
+ de_len = ext4_rec_len_from_disk(de->rec_len,
+ dir->i_sb->s_blocksize);
+- if (de_len <= 0) {
+- res = -1;
+- goto return_result;
+- }
++ if (de_len <= 0)
++ return -1;
+ offset += de_len;
+ de = (struct ext4_dir_entry_2 *) ((char *) de + de_len);
+ }
+-
+- res = 0;
+-return_result:
+- return res;
++ return 0;
+ }
+
+ static int is_dx_internal_node(struct inode *dir, ext4_lblk_t block,
+@@ -1824,24 +1806,15 @@ int ext4_find_dest_de(struct inode *dir, struct inode *inode,
+ int nlen, rlen;
+ unsigned int offset = 0;
+ char *top;
+- int res;
+
+ de = (struct ext4_dir_entry_2 *)buf;
+ top = buf + buf_size - reclen;
+ while ((char *) de <= top) {
+ if (ext4_check_dir_entry(dir, NULL, de, bh,
+- buf, buf_size, offset)) {
+- res = -EFSCORRUPTED;
+- goto return_result;
+- }
+- /* Provide crypto context and crypto buffer to ext4 match */
+- res = ext4_match(fname, de);
+- if (res < 0)
+- goto return_result;
+- if (res > 0) {
+- res = -EEXIST;
+- goto return_result;
+- }
++ buf, buf_size, offset))
++ return -EFSCORRUPTED;
++ if (ext4_match(fname, de))
++ return -EEXIST;
+ nlen = EXT4_DIR_REC_LEN(de->name_len);
+ rlen = ext4_rec_len_from_disk(de->rec_len, buf_size);
+ if ((de->inode ? rlen - nlen : rlen) >= reclen)
+@@ -1849,15 +1822,11 @@ int ext4_find_dest_de(struct inode *dir, struct inode *inode,
+ de = (struct ext4_dir_entry_2 *)((char *)de + rlen);
+ offset += rlen;
+ }
+-
+ if ((char *) de > top)
+- res = -ENOSPC;
+- else {
+- *dest_de = de;
+- res = 0;
+- }
+-return_result:
+- return res;
++ return -ENOSPC;
++
++ *dest_de = de;
++ return 0;
+ }
+
+ int ext4_insert_dentry(struct inode *dir,
+--
+2.25.1
+
--- /dev/null
+From 2b3c025f77db462036740efd42a8603faeb83090 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 Jul 2020 18:21:35 +0200
+Subject: ext4: fix checking of directory entry validity for inline directories
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 7303cb5bfe845f7d43cd9b2dbd37dbb266efda9b ]
+
+ext4_search_dir() and ext4_generic_delete_entry() can be called both for
+standard director blocks and for inline directories stored inside inode
+or inline xattr space. For the second case we didn't call
+ext4_check_dir_entry() with proper constraints that could result in
+accepting corrupted directory entry as well as false positive filesystem
+errors like:
+
+EXT4-fs error (device dm-0): ext4_search_dir:1395: inode #28320400:
+block 113246792: comm dockerd: bad entry in directory: directory entry too
+close to block end - offset=0, inode=28320403, rec_len=32, name_len=8,
+size=4096
+
+Fix the arguments passed to ext4_check_dir_entry().
+
+Fixes: 109ba779d6cc ("ext4: check for directory entries too close to block end")
+CC: stable@vger.kernel.org
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20200731162135.8080-1-jack@suse.cz
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/namei.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
+index eb41fb189d4b3..faf142a6fa8bb 100644
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -1279,8 +1279,8 @@ int ext4_search_dir(struct buffer_head *bh, char *search_buf, int buf_size,
+ ext4_match(fname, de)) {
+ /* found a match - just to be sure, do
+ * a full check */
+- if (ext4_check_dir_entry(dir, NULL, de, bh, bh->b_data,
+- bh->b_size, offset))
++ if (ext4_check_dir_entry(dir, NULL, de, bh, search_buf,
++ buf_size, offset))
+ return -1;
+ *res_dir = de;
+ return 1;
+@@ -2312,7 +2312,7 @@ int ext4_generic_delete_entry(handle_t *handle,
+ de = (struct ext4_dir_entry_2 *)entry_buf;
+ while (i < buf_size - csum_size) {
+ if (ext4_check_dir_entry(dir, NULL, de, bh,
+- bh->b_data, bh->b_size, i))
++ entry_buf, buf_size, i))
+ return -EFSCORRUPTED;
+ if (de == de_del) {
+ if (pde)
+--
+2.25.1
+
--- /dev/null
+From d85a50349cc4c035ecb93430a41e0c6bc5559e5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Jul 2020 22:24:07 -0700
+Subject: Input: psmouse - add a newline when printing 'proto' by sysfs
+
+From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+
+[ Upstream commit 4aec14de3a15cf9789a0e19c847f164776f49473 ]
+
+When I cat parameter 'proto' by sysfs, it displays as follows. It's
+better to add a newline for easy reading.
+
+root@syzkaller:~# cat /sys/module/psmouse/parameters/proto
+autoroot@syzkaller:~#
+
+Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+Link: https://lore.kernel.org/r/20200720073846.120724-1-wangxiongfeng2@huawei.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/mouse/psmouse-base.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/input/mouse/psmouse-base.c b/drivers/input/mouse/psmouse-base.c
+index ad18dab0ac476..5bd9633541b07 100644
+--- a/drivers/input/mouse/psmouse-base.c
++++ b/drivers/input/mouse/psmouse-base.c
+@@ -1911,7 +1911,7 @@ static int psmouse_get_maxproto(char *buffer, const struct kernel_param *kp)
+ {
+ int type = *((unsigned int *)kp->arg);
+
+- return sprintf(buffer, "%s", psmouse_protocol_by_type(type)->name);
++ return sprintf(buffer, "%s\n", psmouse_protocol_by_type(type)->name);
+ }
+
+ static int __init psmouse_init(void)
+--
+2.25.1
+
--- /dev/null
+From 1e722b06a3a63754ca5beee772001d29fd6b257a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Jun 2020 17:06:35 +0800
+Subject: jffs2: fix UAF problem
+
+From: Zhe Li <lizhe67@huawei.com>
+
+[ Upstream commit 798b7347e4f29553db4b996393caf12f5b233daf ]
+
+The log of UAF problem is listed below.
+BUG: KASAN: use-after-free in jffs2_rmdir+0xa4/0x1cc [jffs2] at addr c1f165fc
+Read of size 4 by task rm/8283
+=============================================================================
+BUG kmalloc-32 (Tainted: P B O ): kasan: bad access detected
+-----------------------------------------------------------------------------
+
+INFO: Allocated in 0xbbbbbbbb age=3054364 cpu=0 pid=0
+ 0xb0bba6ef
+ jffs2_write_dirent+0x11c/0x9c8 [jffs2]
+ __slab_alloc.isra.21.constprop.25+0x2c/0x44
+ __kmalloc+0x1dc/0x370
+ jffs2_write_dirent+0x11c/0x9c8 [jffs2]
+ jffs2_do_unlink+0x328/0x5fc [jffs2]
+ jffs2_rmdir+0x110/0x1cc [jffs2]
+ vfs_rmdir+0x180/0x268
+ do_rmdir+0x2cc/0x300
+ ret_from_syscall+0x0/0x3c
+INFO: Freed in 0x205b age=3054364 cpu=0 pid=0
+ 0x2e9173
+ jffs2_add_fd_to_list+0x138/0x1dc [jffs2]
+ jffs2_add_fd_to_list+0x138/0x1dc [jffs2]
+ jffs2_garbage_collect_dirent.isra.3+0x21c/0x288 [jffs2]
+ jffs2_garbage_collect_live+0x16bc/0x1800 [jffs2]
+ jffs2_garbage_collect_pass+0x678/0x11d4 [jffs2]
+ jffs2_garbage_collect_thread+0x1e8/0x3b0 [jffs2]
+ kthread+0x1a8/0x1b0
+ ret_from_kernel_thread+0x5c/0x64
+Call Trace:
+[c17ddd20] [c02452d4] kasan_report.part.0+0x298/0x72c (unreliable)
+[c17ddda0] [d2509680] jffs2_rmdir+0xa4/0x1cc [jffs2]
+[c17dddd0] [c026da04] vfs_rmdir+0x180/0x268
+[c17dde00] [c026f4e4] do_rmdir+0x2cc/0x300
+[c17ddf40] [c001a658] ret_from_syscall+0x0/0x3c
+
+The root cause is that we don't get "jffs2_inode_info.sem" before
+we scan list "jffs2_inode_info.dents" in function jffs2_rmdir.
+This patch add codes to get "jffs2_inode_info.sem" before we scan
+"jffs2_inode_info.dents" to slove the UAF problem.
+
+Signed-off-by: Zhe Li <lizhe67@huawei.com>
+Reviewed-by: Hou Tao <houtao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jffs2/dir.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/fs/jffs2/dir.c b/fs/jffs2/dir.c
+index e273171696972..7a3368929245d 100644
+--- a/fs/jffs2/dir.c
++++ b/fs/jffs2/dir.c
+@@ -588,10 +588,14 @@ static int jffs2_rmdir (struct inode *dir_i, struct dentry *dentry)
+ int ret;
+ uint32_t now = get_seconds();
+
++ mutex_lock(&f->sem);
+ for (fd = f->dents ; fd; fd = fd->next) {
+- if (fd->ino)
++ if (fd->ino) {
++ mutex_unlock(&f->sem);
+ return -ENOTEMPTY;
++ }
+ }
++ mutex_unlock(&f->sem);
+
+ ret = jffs2_do_unlink(c, dir_f, dentry->d_name.name,
+ dentry->d_name.len, f, now);
+--
+2.25.1
+
--- /dev/null
+From ffe439be9f78e17e16d6d415aeca02137f8d497b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Jun 2020 17:17:52 +1000
+Subject: m68knommu: fix overwriting of bits in ColdFire V3 cache control
+
+From: Greg Ungerer <gerg@linux-m68k.org>
+
+[ Upstream commit bdee0e793cea10c516ff48bf3ebb4ef1820a116b ]
+
+The Cache Control Register (CACR) of the ColdFire V3 has bits that
+control high level caching functions, and also enable/disable the use
+of the alternate stack pointer register (the EUSP bit) to provide
+separate supervisor and user stack pointer registers. The code as
+it is today will blindly clear the EUSP bit on cache actions like
+invalidation. So it is broken for this case - and that will result
+in failed booting (interrupt entry and exit processing will be
+completely hosed).
+
+This only affects ColdFire V3 parts that support the alternate stack
+register (like the 5329 for example) - generally speaking new parts do,
+older parts don't. It has no impact on ColdFire V3 parts with the single
+stack pointer, like the 5307 for example.
+
+Fix the cache bit defines used, so they maintain the EUSP bit when
+carrying out cache actions through the CACR register.
+
+Signed-off-by: Greg Ungerer <gerg@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/include/asm/m53xxacr.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/m68k/include/asm/m53xxacr.h b/arch/m68k/include/asm/m53xxacr.h
+index 3177ce8331d69..baee0c77b9818 100644
+--- a/arch/m68k/include/asm/m53xxacr.h
++++ b/arch/m68k/include/asm/m53xxacr.h
+@@ -88,9 +88,9 @@
+ * coherency though in all cases. And for copyback caches we will need
+ * to push cached data as well.
+ */
+-#define CACHE_INIT CACR_CINVA
+-#define CACHE_INVALIDATE CACR_CINVA
+-#define CACHE_INVALIDATED CACR_CINVA
++#define CACHE_INIT (CACHE_MODE + CACR_CINVA - CACR_EC)
++#define CACHE_INVALIDATE (CACHE_MODE + CACR_CINVA)
++#define CACHE_INVALIDATED (CACHE_MODE + CACR_CINVA)
+
+ #define ACR0_MODE ((CONFIG_RAMBASE & 0xff000000) + \
+ (0x000f0000) + \
+--
+2.25.1
+
--- /dev/null
+From 350abde29518782ee05bfbfaf45c7f022abfa186 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Jun 2020 18:17:28 +0200
+Subject: media: budget-core: Improve exception handling in budget_register()
+
+From: Chuhong Yuan <hslester96@gmail.com>
+
+[ Upstream commit fc0456458df8b3421dba2a5508cd817fbc20ea71 ]
+
+budget_register() has no error handling after its failure.
+Add the missed undo functions for error handling to fix it.
+
+Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/ttpci/budget-core.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/pci/ttpci/budget-core.c b/drivers/media/pci/ttpci/budget-core.c
+index e9674b40007c1..6107c469efa07 100644
+--- a/drivers/media/pci/ttpci/budget-core.c
++++ b/drivers/media/pci/ttpci/budget-core.c
+@@ -386,20 +386,25 @@ static int budget_register(struct budget *budget)
+ ret = dvbdemux->dmx.add_frontend(&dvbdemux->dmx, &budget->hw_frontend);
+
+ if (ret < 0)
+- return ret;
++ goto err_release_dmx;
+
+ budget->mem_frontend.source = DMX_MEMORY_FE;
+ ret = dvbdemux->dmx.add_frontend(&dvbdemux->dmx, &budget->mem_frontend);
+ if (ret < 0)
+- return ret;
++ goto err_release_dmx;
+
+ ret = dvbdemux->dmx.connect_frontend(&dvbdemux->dmx, &budget->hw_frontend);
+ if (ret < 0)
+- return ret;
++ goto err_release_dmx;
+
+ dvb_net_init(&budget->dvb_adapter, &budget->dvb_net, &dvbdemux->dmx);
+
+ return 0;
++
++err_release_dmx:
++ dvb_dmxdev_release(&budget->dmxdev);
++ dvb_dmx_release(&budget->demux);
++ return ret;
+ }
+
+ static void budget_unregister(struct budget *budget)
+--
+2.25.1
+
--- /dev/null
+From ce138a3a18cba332da1e5cc9c41fbf0cc40d3e33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jul 2020 11:02:23 +0200
+Subject: media: vpss: clean up resources in init
+
+From: Evgeny Novikov <novikov@ispras.ru>
+
+[ Upstream commit 9c487b0b0ea7ff22127fe99a7f67657d8730ff94 ]
+
+If platform_driver_register() fails within vpss_init() resources are not
+cleaned up. The patch fixes this issue by introducing the corresponding
+error handling.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/davinci/vpss.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/platform/davinci/vpss.c b/drivers/media/platform/davinci/vpss.c
+index c2c68988e38ac..9884b34d6f406 100644
+--- a/drivers/media/platform/davinci/vpss.c
++++ b/drivers/media/platform/davinci/vpss.c
+@@ -519,19 +519,31 @@ static void vpss_exit(void)
+
+ static int __init vpss_init(void)
+ {
++ int ret;
++
+ if (!request_mem_region(VPSS_CLK_CTRL, 4, "vpss_clock_control"))
+ return -EBUSY;
+
+ oper_cfg.vpss_regs_base2 = ioremap(VPSS_CLK_CTRL, 4);
+ if (unlikely(!oper_cfg.vpss_regs_base2)) {
+- release_mem_region(VPSS_CLK_CTRL, 4);
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto err_ioremap;
+ }
+
+ writel(VPSS_CLK_CTRL_VENCCLKEN |
+- VPSS_CLK_CTRL_DACCLKEN, oper_cfg.vpss_regs_base2);
++ VPSS_CLK_CTRL_DACCLKEN, oper_cfg.vpss_regs_base2);
++
++ ret = platform_driver_register(&vpss_driver);
++ if (ret)
++ goto err_pd_register;
++
++ return 0;
+
+- return platform_driver_register(&vpss_driver);
++err_pd_register:
++ iounmap(oper_cfg.vpss_regs_base2);
++err_ioremap:
++ release_mem_region(VPSS_CLK_CTRL, 4);
++ return ret;
+ }
+ subsys_initcall(vpss_init);
+ module_exit(vpss_exit);
+--
+2.25.1
+
--- /dev/null
+From 56fe3c45faceed070d9a871043e7be9b3c6d7b4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Jul 2020 01:18:23 -0700
+Subject: scsi: libfc: Free skb in fc_disc_gpn_id_resp() for valid cases
+
+From: Javed Hasan <jhasan@marvell.com>
+
+[ Upstream commit ec007ef40abb6a164d148b0dc19789a7a2de2cc8 ]
+
+In fc_disc_gpn_id_resp(), skb is supposed to get freed in all cases except
+for PTR_ERR. However, in some cases it didn't.
+
+This fix is to call fc_frame_free(fp) before function returns.
+
+Link: https://lore.kernel.org/r/20200729081824.30996-2-jhasan@marvell.com
+Reviewed-by: Girish Basrur <gbasrur@marvell.com>
+Reviewed-by: Santosh Vernekar <svernekar@marvell.com>
+Reviewed-by: Saurav Kashyap <skashyap@marvell.com>
+Reviewed-by: Shyam Sundar <ssundar@marvell.com>
+Signed-off-by: Javed Hasan <jhasan@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/libfc/fc_disc.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/libfc/fc_disc.c b/drivers/scsi/libfc/fc_disc.c
+index 880a9068ca126..ef06af4e3611d 100644
+--- a/drivers/scsi/libfc/fc_disc.c
++++ b/drivers/scsi/libfc/fc_disc.c
+@@ -595,8 +595,12 @@ static void fc_disc_gpn_id_resp(struct fc_seq *sp, struct fc_frame *fp,
+ mutex_lock(&disc->disc_mutex);
+ if (PTR_ERR(fp) == -FC_EX_CLOSED)
+ goto out;
+- if (IS_ERR(fp))
+- goto redisc;
++ if (IS_ERR(fp)) {
++ mutex_lock(&disc->disc_mutex);
++ fc_disc_restart(disc);
++ mutex_unlock(&disc->disc_mutex);
++ goto out;
++ }
+
+ cp = fc_frame_payload_get(fp, sizeof(*cp));
+ if (!cp)
+@@ -621,7 +625,7 @@ static void fc_disc_gpn_id_resp(struct fc_seq *sp, struct fc_frame *fp,
+ new_rdata->disc_id = disc->disc_id;
+ lport->tt.rport_login(new_rdata);
+ }
+- goto out;
++ goto free_fp;
+ }
+ rdata->disc_id = disc->disc_id;
+ lport->tt.rport_login(rdata);
+@@ -635,6 +639,8 @@ static void fc_disc_gpn_id_resp(struct fc_seq *sp, struct fc_frame *fp,
+ redisc:
+ fc_disc_restart(disc);
+ }
++free_fp:
++ fc_frame_free(fp);
+ out:
+ mutex_unlock(&disc->disc_mutex);
+ kref_put(&rdata->kref, lport->tt.rport_destroy);
+--
+2.25.1
+
romfs-fix-uninitialized-memory-leak-in-romfs_dev_read.patch
mm-include-cma-pages-in-lowmem_reserve-at-boot.patch
mm-page_alloc-fix-core-hung-in-free_pcppages_bulk.patch
+ext4-clean-up-ext4_match-and-callers.patch
+ext4-fix-checking-of-directory-entry-validity-for-in.patch
+media-budget-core-improve-exception-handling-in-budg.patch
+media-vpss-clean-up-resources-in-init.patch
+input-psmouse-add-a-newline-when-printing-proto-by-s.patch
+m68knommu-fix-overwriting-of-bits-in-coldfire-v3-cac.patch
+xfs-fix-inode-quota-reservation-checks.patch
+jffs2-fix-uaf-problem.patch
+scsi-libfc-free-skb-in-fc_disc_gpn_id_resp-for-valid.patch
+virtio_ring-avoid-loop-when-vq-is-broken-in-virtqueu.patch
+xfs-fix-ubsan-null-ptr-deref-in-xfs_sysfs_init.patch
+alpha-fix-annotation-of-io-read-write-16-32-be.patch
--- /dev/null
+From 92003491b269581e9c7faedb00217eb0f531eabb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Aug 2020 15:44:09 +0800
+Subject: virtio_ring: Avoid loop when vq is broken in virtqueue_poll
+
+From: Mao Wenan <wenan.mao@linux.alibaba.com>
+
+[ Upstream commit 481a0d7422db26fb63e2d64f0652667a5c6d0f3e ]
+
+The loop may exist if vq->broken is true,
+virtqueue_get_buf_ctx_packed or virtqueue_get_buf_ctx_split
+will return NULL, so virtnet_poll will reschedule napi to
+receive packet, it will lead cpu usage(si) to 100%.
+
+call trace as below:
+virtnet_poll
+ virtnet_receive
+ virtqueue_get_buf_ctx
+ virtqueue_get_buf_ctx_packed
+ virtqueue_get_buf_ctx_split
+ virtqueue_napi_complete
+ virtqueue_poll //return true
+ virtqueue_napi_schedule //it will reschedule napi
+
+to fix this, return false if vq is broken in virtqueue_poll.
+
+Signed-off-by: Mao Wenan <wenan.mao@linux.alibaba.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Link: https://lore.kernel.org/r/1596354249-96204-1-git-send-email-wenan.mao@linux.alibaba.com
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/virtio/virtio_ring.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c
+index a01a41a412693..6b3565feddb21 100644
+--- a/drivers/virtio/virtio_ring.c
++++ b/drivers/virtio/virtio_ring.c
+@@ -603,6 +603,9 @@ bool virtqueue_poll(struct virtqueue *_vq, unsigned last_used_idx)
+ {
+ struct vring_virtqueue *vq = to_vvq(_vq);
+
++ if (unlikely(vq->broken))
++ return false;
++
+ virtio_mb(vq->weak_barriers);
+ return (u16)last_used_idx != virtio16_to_cpu(_vq->vdev, vq->vring.used->idx);
+ }
+--
+2.25.1
+
--- /dev/null
+From 254f1bbda7c8e38d190a7cd1ef67bb2f0f03adb0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Jul 2020 10:36:09 -0700
+Subject: xfs: fix inode quota reservation checks
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+[ Upstream commit f959b5d037e71a4d69b5bf71faffa065d9269b4a ]
+
+xfs_trans_dqresv is the function that we use to make reservations
+against resource quotas. Each resource contains two counters: the
+q_core counter, which tracks resources allocated on disk; and the dquot
+reservation counter, which tracks how much of that resource has either
+been allocated or reserved by threads that are working on metadata
+updates.
+
+For disk blocks, we compare the proposed reservation counter against the
+hard and soft limits to decide if we're going to fail the operation.
+However, for inodes we inexplicably compare against the q_core counter,
+not the incore reservation count.
+
+Since the q_core counter is always lower than the reservation count and
+we unlock the dquot between reservation and transaction commit, this
+means that multiple threads can reserve the last inode count before we
+hit the hard limit, and when they commit, we'll be well over the hard
+limit.
+
+Fix this by checking against the incore inode reservation counter, since
+we would appear to maintain that correctly (and that's what we report in
+GETQUOTA).
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Allison Collins <allison.henderson@oracle.com>
+Reviewed-by: Chandan Babu R <chandanrlinux@gmail.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/xfs_trans_dquot.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/xfs/xfs_trans_dquot.c b/fs/xfs/xfs_trans_dquot.c
+index ce78534a047ee..bb8de2dddabe2 100644
+--- a/fs/xfs/xfs_trans_dquot.c
++++ b/fs/xfs/xfs_trans_dquot.c
+@@ -662,7 +662,7 @@ xfs_trans_dqresv(
+ }
+ }
+ if (ninos > 0) {
+- total_count = be64_to_cpu(dqp->q_core.d_icount) + ninos;
++ total_count = dqp->q_res_icount + ninos;
+ timer = be32_to_cpu(dqp->q_core.d_itimer);
+ warns = be16_to_cpu(dqp->q_core.d_iwarns);
+ warnlimit = dqp->q_mount->m_quotainfo->qi_iwarnlimit;
+--
+2.25.1
+
--- /dev/null
+From d501d9cc701860dd4d89eb5e797e3681e2ff88d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Aug 2020 15:18:48 -0700
+Subject: xfs: Fix UBSAN null-ptr-deref in xfs_sysfs_init
+
+From: Eiichi Tsukata <devel@etsukata.com>
+
+[ Upstream commit 96cf2a2c75567ff56195fe3126d497a2e7e4379f ]
+
+If xfs_sysfs_init is called with parent_kobj == NULL, UBSAN
+shows the following warning:
+
+ UBSAN: null-ptr-deref in ./fs/xfs/xfs_sysfs.h:37:23
+ member access within null pointer of type 'struct xfs_kobj'
+ Call Trace:
+ dump_stack+0x10e/0x195
+ ubsan_type_mismatch_common+0x241/0x280
+ __ubsan_handle_type_mismatch_v1+0x32/0x40
+ init_xfs_fs+0x12b/0x28f
+ do_one_initcall+0xdd/0x1d0
+ do_initcall_level+0x151/0x1b6
+ do_initcalls+0x50/0x8f
+ do_basic_setup+0x29/0x2b
+ kernel_init_freeable+0x19f/0x20b
+ kernel_init+0x11/0x1e0
+ ret_from_fork+0x22/0x30
+
+Fix it by checking parent_kobj before the code accesses its member.
+
+Signed-off-by: Eiichi Tsukata <devel@etsukata.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+[darrick: minor whitespace edits]
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/xfs_sysfs.h | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/xfs/xfs_sysfs.h b/fs/xfs/xfs_sysfs.h
+index be692e59938db..c457b010c623d 100644
+--- a/fs/xfs/xfs_sysfs.h
++++ b/fs/xfs/xfs_sysfs.h
+@@ -44,9 +44,11 @@ xfs_sysfs_init(
+ struct xfs_kobj *parent_kobj,
+ const char *name)
+ {
++ struct kobject *parent;
++
++ parent = parent_kobj ? &parent_kobj->kobject : NULL;
+ init_completion(&kobj->complete);
+- return kobject_init_and_add(&kobj->kobject, ktype,
+- &parent_kobj->kobject, "%s", name);
++ return kobject_init_and_add(&kobj->kobject, ktype, parent, "%s", name);
+ }
+
+ static inline void
+--
+2.25.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
