5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 27 Mar 2021 14:27:27 +0000 (15:27 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 27 Mar 2021 14:27:27 +0000 (15:27 +0100)
added patches:
acpi-video-add-missing-callback-back-for-sony-vpceh3u1e.patch
arm-dts-at91-sama5d27_som1-fix-phy-address-to-7.patch
arm64-dts-ls1012a-mark-crypto-engine-dma-coherent.patch
arm64-dts-ls1043a-mark-crypto-engine-dma-coherent.patch
arm64-dts-ls1046a-mark-crypto-engine-dma-coherent.patch
dm-ioctl-fix-out-of-bounds-array-access-when-no-devices.patch
dm-verity-fix-dm_verity_opts_max-value.patch
gcov-fix-clang-11-support.patch
integrity-double-check-iint_cache-was-initialized.patch
kasan-fix-per-page-tags-for-non-page_alloc-pages.patch
netsec-restore-phy-power-state-after-controller-reset.patch
platform-x86-intel-vbtn-stop-reporting-sw_dock-events.patch
squashfs-fix-inode-lookup-sanity-checks.patch
squashfs-fix-xattr-id-and-id-lookup-sanity-checks.patch

15 files changed:
queue-5.4/acpi-video-add-missing-callback-back-for-sony-vpceh3u1e.patch [new file with mode: 0644]
queue-5.4/arm-dts-at91-sama5d27_som1-fix-phy-address-to-7.patch [new file with mode: 0644]
queue-5.4/arm64-dts-ls1012a-mark-crypto-engine-dma-coherent.patch [new file with mode: 0644]
queue-5.4/arm64-dts-ls1043a-mark-crypto-engine-dma-coherent.patch [new file with mode: 0644]
queue-5.4/arm64-dts-ls1046a-mark-crypto-engine-dma-coherent.patch [new file with mode: 0644]
queue-5.4/dm-ioctl-fix-out-of-bounds-array-access-when-no-devices.patch [new file with mode: 0644]
queue-5.4/dm-verity-fix-dm_verity_opts_max-value.patch [new file with mode: 0644]
queue-5.4/gcov-fix-clang-11-support.patch [new file with mode: 0644]
queue-5.4/integrity-double-check-iint_cache-was-initialized.patch [new file with mode: 0644]
queue-5.4/kasan-fix-per-page-tags-for-non-page_alloc-pages.patch [new file with mode: 0644]
queue-5.4/netsec-restore-phy-power-state-after-controller-reset.patch [new file with mode: 0644]
queue-5.4/platform-x86-intel-vbtn-stop-reporting-sw_dock-events.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/squashfs-fix-inode-lookup-sanity-checks.patch [new file with mode: 0644]
queue-5.4/squashfs-fix-xattr-id-and-id-lookup-sanity-checks.patch [new file with mode: 0644]

diff --git a/queue-5.4/acpi-video-add-missing-callback-back-for-sony-vpceh3u1e.patch b/queue-5.4/acpi-video-add-missing-callback-back-for-sony-vpceh3u1e.patch
new file mode 100644 (file)
index 0000000..46382ad
--- /dev/null
@@ -0,0 +1,35 @@
+From c1d1e25a8c542816ae8dee41b81a18d30c7519a0 Mon Sep 17 00:00:00 2001
+From: Chris Chiu <chris.chiu@canonical.com>
+Date: Fri, 12 Mar 2021 11:24:30 +0800
+Subject: ACPI: video: Add missing callback back for Sony VPCEH3U1E
+
+From: Chris Chiu <chris.chiu@canonical.com>
+
+commit c1d1e25a8c542816ae8dee41b81a18d30c7519a0 upstream.
+
+The .callback of the quirk for Sony VPCEH3U1E was unintetionally
+removed by the commit 25417185e9b5 ("ACPI: video: Add DMI quirk
+for GIGABYTE GB-BXBT-2807"). Add it back to make sure the quirk
+for Sony VPCEH3U1E works as expected.
+
+Fixes: 25417185e9b5 ("ACPI: video: Add DMI quirk for GIGABYTE GB-BXBT-2807")
+Signed-off-by: Chris Chiu <chris.chiu@canonical.com>
+Reported-by: Pavel Machek <pavel@ucw.cz>
+Reviewed-by: Pavel Machek (CIP) <pavel@denx.de>
+Cc: 5.11+ <stable@vger.kernel.org> # 5.11+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/video_detect.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/acpi/video_detect.c
++++ b/drivers/acpi/video_detect.c
+@@ -150,6 +150,7 @@ static const struct dmi_system_id video_
+               },
+       },
+       {
++      .callback = video_detect_force_vendor,
+       .ident = "Sony VPCEH3U1E",
+       .matches = {
+               DMI_MATCH(DMI_SYS_VENDOR, "Sony Corporation"),
diff --git a/queue-5.4/arm-dts-at91-sama5d27_som1-fix-phy-address-to-7.patch b/queue-5.4/arm-dts-at91-sama5d27_som1-fix-phy-address-to-7.patch
new file mode 100644 (file)
index 0000000..1b9a46a
--- /dev/null
@@ -0,0 +1,40 @@
+From 221c3a09ddf70a0a51715e6c2878d8305e95c558 Mon Sep 17 00:00:00 2001
+From: Claudiu Beznea <claudiu.beznea@microchip.com>
+Date: Wed, 11 Apr 2018 19:05:03 +0300
+Subject: ARM: dts: at91-sama5d27_som1: fix phy address to 7
+
+From: Claudiu Beznea <claudiu.beznea@microchip.com>
+
+commit 221c3a09ddf70a0a51715e6c2878d8305e95c558 upstream.
+
+Fix the phy address to 7 for Ethernet PHY on SAMA5D27 SOM1. No
+connection established if phy address 0 is used.
+
+The board uses the 24 pins version of the KSZ8081RNA part, KSZ8081RNA
+pin 16 REFCLK as PHYAD bit [2] has weak internal pull-down.  But at
+reset, connected to PD09 of the MPU it's connected with an internal
+pull-up forming PHYAD[2:0] = 7.
+
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Fixes: 2f61929eb10a ("ARM: dts: at91: at91-sama5d27_som1: fix PHY ID")
+Cc: Ludovic Desroches <ludovic.desroches@microchip.com>
+Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Cc: <stable@vger.kernel.org> # 4.14+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/at91-sama5d27_som1.dtsi |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/boot/dts/at91-sama5d27_som1.dtsi
++++ b/arch/arm/boot/dts/at91-sama5d27_som1.dtsi
+@@ -44,8 +44,8 @@
+                               pinctrl-0 = <&pinctrl_macb0_default>;
+                               phy-mode = "rmii";
+-                              ethernet-phy@0 {
+-                                      reg = <0x0>;
++                              ethernet-phy@7 {
++                                      reg = <0x7>;
+                                       interrupt-parent = <&pioA>;
+                                       interrupts = <PIN_PD31 IRQ_TYPE_LEVEL_LOW>;
+                                       pinctrl-names = "default";
diff --git a/queue-5.4/arm64-dts-ls1012a-mark-crypto-engine-dma-coherent.patch b/queue-5.4/arm64-dts-ls1012a-mark-crypto-engine-dma-coherent.patch
new file mode 100644 (file)
index 0000000..e0b178e
--- /dev/null
@@ -0,0 +1,38 @@
+From ba8da03fa7dff59d9400250aebd38f94cde3cb0f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Horia=20Geant=C4=83?= <horia.geanta@nxp.com>
+Date: Sun, 7 Mar 2021 22:47:37 +0200
+Subject: arm64: dts: ls1012a: mark crypto engine dma coherent
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Horia Geantă <horia.geanta@nxp.com>
+
+commit ba8da03fa7dff59d9400250aebd38f94cde3cb0f upstream.
+
+Crypto engine (CAAM) on LS1012A platform is configured HW-coherent,
+mark accordingly the DT node.
+
+Lack of "dma-coherent" property for an IP that is configured HW-coherent
+can lead to problems, similar to what has been reported for LS1046A.
+
+Cc: <stable@vger.kernel.org> # v4.12+
+Fixes: 85b85c569507 ("arm64: dts: ls1012a: add crypto node")
+Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
+Acked-by: Li Yang <leoyang.li@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/freescale/fsl-ls1012a.dtsi |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm64/boot/dts/freescale/fsl-ls1012a.dtsi
++++ b/arch/arm64/boot/dts/freescale/fsl-ls1012a.dtsi
+@@ -177,6 +177,7 @@
+                       ranges = <0x0 0x00 0x1700000 0x100000>;
+                       reg = <0x00 0x1700000 0x0 0x100000>;
+                       interrupts = <GIC_SPI 75 IRQ_TYPE_LEVEL_HIGH>;
++                      dma-coherent;
+                       sec_jr0: jr@10000 {
+                               compatible = "fsl,sec-v5.4-job-ring",
diff --git a/queue-5.4/arm64-dts-ls1043a-mark-crypto-engine-dma-coherent.patch b/queue-5.4/arm64-dts-ls1043a-mark-crypto-engine-dma-coherent.patch
new file mode 100644 (file)
index 0000000..9eae635
--- /dev/null
@@ -0,0 +1,39 @@
+From 4fb3a074755b7737c4081cffe0ccfa08c2f2d29d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Horia=20Geant=C4=83?= <horia.geanta@nxp.com>
+Date: Sun, 7 Mar 2021 22:47:36 +0200
+Subject: arm64: dts: ls1043a: mark crypto engine dma coherent
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Horia Geantă <horia.geanta@nxp.com>
+
+commit 4fb3a074755b7737c4081cffe0ccfa08c2f2d29d upstream.
+
+Crypto engine (CAAM) on LS1043A platform is configured HW-coherent,
+mark accordingly the DT node.
+
+Lack of "dma-coherent" property for an IP that is configured HW-coherent
+can lead to problems, similar to what has been reported for LS1046A.
+
+Cc: <stable@vger.kernel.org> # v4.8+
+Fixes: 63dac35b58f4 ("arm64: dts: ls1043a: add crypto node")
+Link: https://lore.kernel.org/linux-crypto/fe6faa24-d8f7-d18f-adfa-44fa0caa1598@arm.com
+Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
+Acked-by: Li Yang <leoyang.li@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/freescale/fsl-ls1043a.dtsi |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm64/boot/dts/freescale/fsl-ls1043a.dtsi
++++ b/arch/arm64/boot/dts/freescale/fsl-ls1043a.dtsi
+@@ -241,6 +241,7 @@
+                       ranges = <0x0 0x00 0x1700000 0x100000>;
+                       reg = <0x00 0x1700000 0x0 0x100000>;
+                       interrupts = <0 75 0x4>;
++                      dma-coherent;
+                       sec_jr0: jr@10000 {
+                               compatible = "fsl,sec-v5.4-job-ring",
diff --git a/queue-5.4/arm64-dts-ls1046a-mark-crypto-engine-dma-coherent.patch b/queue-5.4/arm64-dts-ls1046a-mark-crypto-engine-dma-coherent.patch
new file mode 100644 (file)
index 0000000..211ae4b
--- /dev/null
@@ -0,0 +1,87 @@
+From 9c3a16f88385e671b63a0de7b82b85e604a80f42 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Horia=20Geant=C4=83?= <horia.geanta@nxp.com>
+Date: Sun, 7 Mar 2021 22:47:35 +0200
+Subject: arm64: dts: ls1046a: mark crypto engine dma coherent
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Horia Geantă <horia.geanta@nxp.com>
+
+commit 9c3a16f88385e671b63a0de7b82b85e604a80f42 upstream.
+
+Crypto engine (CAAM) on LS1046A platform is configured HW-coherent,
+mark accordingly the DT node.
+
+As reported by Greg and Sascha, and explained by Robin, lack of
+"dma-coherent" property for an IP that is configured HW-coherent
+can lead to problems, e.g. on v5.11:
+
+> kernel BUG at drivers/crypto/caam/jr.c:247!
+> Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
+> Modules linked in:
+> CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.11.0-20210225-3-00039-g434215968816-dirty #12
+> Hardware name: TQ TQMLS1046A SoM on Arkona AT1130 (C300) board (DT)
+> pstate: 60000005 (nZCv daif -PAN -UAO -TCO BTYPE=--)
+> pc : caam_jr_dequeue+0x98/0x57c
+> lr : caam_jr_dequeue+0x98/0x57c
+> sp : ffff800010003d50
+> x29: ffff800010003d50 x28: ffff8000118d4000
+> x27: ffff8000118d4328 x26: 00000000000001f0
+> x25: ffff0008022be480 x24: ffff0008022c6410
+> x23: 00000000000001f1 x22: ffff8000118d4329
+> x21: 0000000000004d80 x20: 00000000000001f1
+> x19: 0000000000000001 x18: 0000000000000020
+> x17: 0000000000000000 x16: 0000000000000015
+> x15: ffff800011690230 x14: 2e2e2e2e2e2e2e2e
+> x13: 2e2e2e2e2e2e2020 x12: 3030303030303030
+> x11: ffff800011700a38 x10: 00000000fffff000
+> x9 : ffff8000100ada30 x8 : ffff8000116a8a38
+> x7 : 0000000000000001 x6 : 0000000000000000
+> x5 : 0000000000000000 x4 : 0000000000000000
+> x3 : 00000000ffffffff x2 : 0000000000000000
+> x1 : 0000000000000000 x0 : 0000000000001800
+> Call trace:
+>  caam_jr_dequeue+0x98/0x57c
+>  tasklet_action_common.constprop.0+0x164/0x18c
+>  tasklet_action+0x44/0x54
+>  __do_softirq+0x160/0x454
+>  __irq_exit_rcu+0x164/0x16c
+>  irq_exit+0x1c/0x30
+>  __handle_domain_irq+0xc0/0x13c
+>  gic_handle_irq+0x5c/0xf0
+>  el1_irq+0xb4/0x180
+>  arch_cpu_idle+0x18/0x30
+>  default_idle_call+0x3c/0x1c0
+>  do_idle+0x23c/0x274
+>  cpu_startup_entry+0x34/0x70
+>  rest_init+0xdc/0xec
+>  arch_call_rest_init+0x1c/0x28
+>  start_kernel+0x4ac/0x4e4
+> Code: 91392021 912c2000 d377d8c6 97f24d96 (d4210000)
+
+Cc: <stable@vger.kernel.org> # v4.10+
+Fixes: 8126d88162a5 ("arm64: dts: add QorIQ LS1046A SoC support")
+Link: https://lore.kernel.org/linux-crypto/fe6faa24-d8f7-d18f-adfa-44fa0caa1598@arm.com
+Reported-by: Greg Ungerer <gerg@kernel.org>
+Reported-by: Sascha Hauer <s.hauer@pengutronix.de>
+Tested-by: Sascha Hauer <s.hauer@pengutronix.de>
+Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
+Acked-by: Greg Ungerer <gerg@kernel.org>
+Acked-by: Li Yang <leoyang.li@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/freescale/fsl-ls1046a.dtsi |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm64/boot/dts/freescale/fsl-ls1046a.dtsi
++++ b/arch/arm64/boot/dts/freescale/fsl-ls1046a.dtsi
+@@ -244,6 +244,7 @@
+                       ranges = <0x0 0x00 0x1700000 0x100000>;
+                       reg = <0x00 0x1700000 0x0 0x100000>;
+                       interrupts = <GIC_SPI 75 IRQ_TYPE_LEVEL_HIGH>;
++                      dma-coherent;
+                       sec_jr0: jr@10000 {
+                               compatible = "fsl,sec-v5.4-job-ring",
diff --git a/queue-5.4/dm-ioctl-fix-out-of-bounds-array-access-when-no-devices.patch b/queue-5.4/dm-ioctl-fix-out-of-bounds-array-access-when-no-devices.patch
new file mode 100644 (file)
index 0000000..87941f5
--- /dev/null
@@ -0,0 +1,37 @@
+From 4edbe1d7bcffcd6269f3b5eb63f710393ff2ec7a Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Fri, 26 Mar 2021 14:32:32 -0400
+Subject: dm ioctl: fix out of bounds array access when no devices
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 4edbe1d7bcffcd6269f3b5eb63f710393ff2ec7a upstream.
+
+If there are not any dm devices, we need to zero the "dev" argument in
+the first structure dm_name_list. However, this can cause out of
+bounds write, because the "needed" variable is zero and len may be
+less than eight.
+
+Fix this bug by reporting DM_BUFFER_FULL_FLAG if the result buffer is
+too small to hold the "nl->dev" value.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-ioctl.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-ioctl.c
++++ b/drivers/md/dm-ioctl.c
+@@ -529,7 +529,7 @@ static int list_devices(struct file *fil
+        * Grab our output buffer.
+        */
+       nl = orig_nl = get_result_buffer(param, param_size, &len);
+-      if (len < needed) {
++      if (len < needed || len < sizeof(nl->dev)) {
+               param->flags |= DM_BUFFER_FULL_FLAG;
+               goto out;
+       }
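Review bot: The added `len < sizeof(nl->dev)` test carries no explanation of why it is needed alongside `len < needed`; the reason (per the commit message, `needed` is zero when there are no devices while `nl->dev` is still written) lives only in the commit log, so a later cleanup could fold the two conditions back together. Suggest a comment above the condition: `/* needed is 0 with no devices, but nl->dev is still zeroed below */`. list_devices() starts and ends outside the hunk, so the write to nl->dev that the guard protects is not visible here.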
diff --git a/queue-5.4/dm-verity-fix-dm_verity_opts_max-value.patch b/queue-5.4/dm-verity-fix-dm_verity_opts_max-value.patch
new file mode 100644 (file)
index 0000000..5106026
--- /dev/null
@@ -0,0 +1,33 @@
+From 160f99db943224e55906dd83880da1a704c6e6b9 Mon Sep 17 00:00:00 2001
+From: JeongHyeon Lee <jhs2.lee@samsung.com>
+Date: Thu, 11 Mar 2021 21:10:50 +0900
+Subject: dm verity: fix DM_VERITY_OPTS_MAX value
+
+From: JeongHyeon Lee <jhs2.lee@samsung.com>
+
+commit 160f99db943224e55906dd83880da1a704c6e6b9 upstream.
+
+Three optional parameters must be accepted at once in a DM verity table, e.g.:
+  (verity_error_handling_mode) (ignore_zero_block) (check_at_most_once)
+Fix this to be possible by incrementing DM_VERITY_OPTS_MAX.
+
+Signed-off-by: JeongHyeon Lee <jhs2.lee@samsung.com>
+Fixes: 843f38d382b1 ("dm verity: add 'check_at_most_once' option to only validate hashes once")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-verity-target.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-verity-target.c
++++ b/drivers/md/dm-verity-target.c
+@@ -33,7 +33,7 @@
+ #define DM_VERITY_OPT_IGN_ZEROES      "ignore_zero_blocks"
+ #define DM_VERITY_OPT_AT_MOST_ONCE    "check_at_most_once"
+-#define DM_VERITY_OPTS_MAX            (2 + DM_VERITY_OPTS_FEC + \
++#define DM_VERITY_OPTS_MAX            (3 + DM_VERITY_OPTS_FEC + \
+                                        DM_VERITY_ROOT_HASH_VERIFICATION_OPTS)
+ static unsigned dm_verity_prefetch_cluster = DM_VERITY_DEFAULT_PREFETCH_SIZE;
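Review bot: `DM_VERITY_OPTS_MAX` is a hand-counted literal (now `3 +`) with nothing beside it saying which options the 3 stands for, which is exactly how the under-count the commit fixes crept in. Suggest a comment on the line naming them, e.g. `/* error-handling mode, ignore_zero_blocks, check_at_most_once */`, so that adding the next optional parameter visibly requires bumping the count. The nearby `DM_VERITY_OPT_IGN_ZEROES` and `DM_VERITY_OPT_AT_MOST_ONCE` defines make two of the three obvious; the error-handling mode is only implied.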
diff --git a/queue-5.4/gcov-fix-clang-11-support.patch b/queue-5.4/gcov-fix-clang-11-support.patch
new file mode 100644 (file)
index 0000000..9d61ea7
--- /dev/null
@@ -0,0 +1,163 @@
+From 60bcf728ee7c60ac2a1f9a0eaceb3a7b3954cd2b Mon Sep 17 00:00:00 2001
+From: Nick Desaulniers <ndesaulniers@google.com>
+Date: Wed, 24 Mar 2021 21:37:44 -0700
+Subject: gcov: fix clang-11+ support
+
+From: Nick Desaulniers <ndesaulniers@google.com>
+
+commit 60bcf728ee7c60ac2a1f9a0eaceb3a7b3954cd2b upstream.
+
+LLVM changed the expected function signatures for llvm_gcda_start_file()
+and llvm_gcda_emit_function() in the clang-11 release.  Users of
+clang-11 or newer may have noticed their kernels failing to boot due to
+a panic when enabling CONFIG_GCOV_KERNEL=y +CONFIG_GCOV_PROFILE_ALL=y.
+Fix up the function signatures so calling these functions doesn't panic
+the kernel.
+
+Link: https://reviews.llvm.org/rGcdd683b516d147925212724b09ec6fb792a40041
+Link: https://reviews.llvm.org/rG13a633b438b6500ecad9e4f936ebadf3411d0f44
+Link: https://lkml.kernel.org/r/20210312224132.3413602-2-ndesaulniers@google.com
+Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
+Reported-by: Prasad Sodagudi <psodagud@quicinc.com>
+Suggested-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Fangrui Song <maskray@google.com>
+Tested-by: Nathan Chancellor <nathan@kernel.org>
+Acked-by: Peter Oberparleiter <oberpar@linux.ibm.com>
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Cc: <stable@vger.kernel.org>   [5.4+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/gcov/clang.c |   69 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 69 insertions(+)
+
+--- a/kernel/gcov/clang.c
++++ b/kernel/gcov/clang.c
+@@ -75,7 +75,9 @@ struct gcov_fn_info {
+       u32 num_counters;
+       u64 *counters;
++#if CONFIG_CLANG_VERSION < 110000
+       const char *function_name;
++#endif
+ };
+ static struct gcov_info *current_info;
+@@ -105,6 +107,7 @@ void llvm_gcov_init(llvm_gcov_callback w
+ }
+ EXPORT_SYMBOL(llvm_gcov_init);
++#if CONFIG_CLANG_VERSION < 110000
+ void llvm_gcda_start_file(const char *orig_filename, const char version[4],
+               u32 checksum)
+ {
+@@ -113,7 +116,17 @@ void llvm_gcda_start_file(const char *or
+       current_info->checksum = checksum;
+ }
+ EXPORT_SYMBOL(llvm_gcda_start_file);
++#else
++void llvm_gcda_start_file(const char *orig_filename, u32 version, u32 checksum)
++{
++      current_info->filename = orig_filename;
++      current_info->version = version;
++      current_info->checksum = checksum;
++}
++EXPORT_SYMBOL(llvm_gcda_start_file);
++#endif
++#if CONFIG_CLANG_VERSION < 110000
+ void llvm_gcda_emit_function(u32 ident, const char *function_name,
+               u32 func_checksum, u8 use_extra_checksum, u32 cfg_checksum)
+ {
+@@ -133,6 +146,24 @@ void llvm_gcda_emit_function(u32 ident,
+       list_add_tail(&info->head, &current_info->functions);
+ }
+ EXPORT_SYMBOL(llvm_gcda_emit_function);
++#else
++void llvm_gcda_emit_function(u32 ident, u32 func_checksum,
++              u8 use_extra_checksum, u32 cfg_checksum)
++{
++      struct gcov_fn_info *info = kzalloc(sizeof(*info), GFP_KERNEL);
++
++      if (!info)
++              return;
++
++      INIT_LIST_HEAD(&info->head);
++      info->ident = ident;
++      info->checksum = func_checksum;
++      info->use_extra_checksum = use_extra_checksum;
++      info->cfg_checksum = cfg_checksum;
++      list_add_tail(&info->head, &current_info->functions);
++}
++EXPORT_SYMBOL(llvm_gcda_emit_function);
++#endif
+ void llvm_gcda_emit_arcs(u32 num_counters, u64 *counters)
+ {
+@@ -295,6 +326,7 @@ void gcov_info_add(struct gcov_info *dst
+       }
+ }
++#if CONFIG_CLANG_VERSION < 110000
+ static struct gcov_fn_info *gcov_fn_info_dup(struct gcov_fn_info *fn)
+ {
+       size_t cv_size; /* counter values size */
+@@ -322,6 +354,28 @@ err_name:
+       kfree(fn_dup);
+       return NULL;
+ }
++#else
++static struct gcov_fn_info *gcov_fn_info_dup(struct gcov_fn_info *fn)
++{
++      size_t cv_size; /* counter values size */
++      struct gcov_fn_info *fn_dup = kmemdup(fn, sizeof(*fn),
++                      GFP_KERNEL);
++      if (!fn_dup)
++              return NULL;
++      INIT_LIST_HEAD(&fn_dup->head);
++
++      cv_size = fn->num_counters * sizeof(fn->counters[0]);
++      fn_dup->counters = vmalloc(cv_size);
++      if (!fn_dup->counters) {
++              kfree(fn_dup);
++              return NULL;
++      }
++
++      memcpy(fn_dup->counters, fn->counters, cv_size);
++
++      return fn_dup;
++}
++#endif
+ /**
+  * gcov_info_dup - duplicate profiling data set
+@@ -362,6 +416,7 @@ err:
+  * gcov_info_free - release memory for profiling data set duplicate
+  * @info: profiling data set duplicate to free
+  */
++#if CONFIG_CLANG_VERSION < 110000
+ void gcov_info_free(struct gcov_info *info)
+ {
+       struct gcov_fn_info *fn, *tmp;
+@@ -375,6 +430,20 @@ void gcov_info_free(struct gcov_info *in
+       kfree(info->filename);
+       kfree(info);
+ }
++#else
++void gcov_info_free(struct gcov_info *info)
++{
++      struct gcov_fn_info *fn, *tmp;
++
++      list_for_each_entry_safe(fn, tmp, &info->functions, head) {
++              vfree(fn->counters);
++              list_del(&fn->head);
++              kfree(fn);
++      }
++      kfree(info->filename);
++      kfree(info);
++}
++#endif
+ #define ITER_STRIDE   PAGE_SIZE
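Review bot: Each `#else` branch restates an entire function body even though only the `function_name` handling differs — `llvm_gcda_emit_function` (L455-L472), `gcov_fn_info_dup` (L486-L507) and `gcov_info_free` (L522-L535) — so every future fix to allocation or list handling has to be applied twice, and the `CONFIG_CLANG_VERSION < 110000` test is repeated at five sites. Guarding only the differing lines inside a single definition keeps one body per function; the pre-clang-11 bodies are outside the hunk, so I am assuming they differ from the new ones only by the function_name lines. For gcov_info_free the merged form would look like the excerpt below, with the same treatment applying to the other two.
```c
void gcov_info_free(struct gcov_info *info)
{
	struct gcov_fn_info *fn, *tmp;

	list_for_each_entry_safe(fn, tmp, &info->functions, head) {
#if CONFIG_CLANG_VERSION < 110000
		/* … unchanged: pre-clang-11 function_name release (old body outside hunk) … */
#endif
		vfree(fn->counters);
		list_del(&fn->head);
		kfree(fn);
	}
	kfree(info->filename);
	kfree(info);
}
```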
diff --git a/queue-5.4/integrity-double-check-iint_cache-was-initialized.patch b/queue-5.4/integrity-double-check-iint_cache-was-initialized.patch
new file mode 100644 (file)
index 0000000..339912f
--- /dev/null
@@ -0,0 +1,98 @@
+From 92063f3ca73aab794bd5408d3361fd5b5ea33079 Mon Sep 17 00:00:00 2001
+From: Mimi Zohar <zohar@linux.ibm.com>
+Date: Fri, 19 Mar 2021 11:17:23 -0400
+Subject: integrity: double check iint_cache was initialized
+
+From: Mimi Zohar <zohar@linux.ibm.com>
+
+commit 92063f3ca73aab794bd5408d3361fd5b5ea33079 upstream.
+
+The kernel may be built with multiple LSMs, but only a subset may be
+enabled on the boot command line by specifying "lsm=".  Not including
+"integrity" on the ordered LSM list may result in a NULL deref.
+
+As reported by Dmitry Vyukov:
+in qemu:
+qemu-system-x86_64       -enable-kvm     -machine q35,nvdimm -cpu
+max,migratable=off -smp 4       -m 4G,slots=4,maxmem=16G        -hda
+wheezy.img      -kernel arch/x86/boot/bzImage   -nographic -vga std
+ -soundhw all     -usb -usbdevice tablet  -bt hci -bt device:keyboard
+   -net user,host=10.0.2.10,hostfwd=tcp::10022-:22 -net
+nic,model=virtio-net-pci   -object
+memory-backend-file,id=pmem1,share=off,mem-path=/dev/zero,size=64M
+  -device nvdimm,id=nvdimm1,memdev=pmem1  -append "console=ttyS0
+root=/dev/sda earlyprintk=serial rodata=n oops=panic panic_on_warn=1
+panic=86400 lsm=smack numa=fake=2 nopcid dummy_hcd.num=8"   -pidfile
+vm_pid -m 2G -cpu host
+
+But it crashes on NULL deref in integrity_inode_get during boot:
+
+Run /sbin/init as init process
+BUG: kernel NULL pointer dereference, address: 000000000000001c
+PGD 0 P4D 0
+Oops: 0000 [#1] PREEMPT SMP KASAN
+CPU: 3 PID: 1 Comm: swapper/0 Not tainted 5.12.0-rc2+ #97
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
+rel-1.13.0-44-g88ab0c15525c-prebuilt.qemu.org 04/01/2014
+RIP: 0010:kmem_cache_alloc+0x2b/0x370 mm/slub.c:2920
+Code: 57 41 56 41 55 41 54 41 89 f4 55 48 89 fd 53 48 83 ec 10 44 8b
+3d d9 1f 90 0b 65 48 8b 04 25 28 00 00 00 48 89 44 24 08 31 c0 <8b> 5f
+1c 4cf
+RSP: 0000:ffffc9000032f9d8 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: ffff888017fc4f00 RCX: 0000000000000000
+RDX: ffff888040220000 RSI: 0000000000000c40 RDI: 0000000000000000
+RBP: 0000000000000000 R08: 0000000000000000 R09: ffff888019263627
+R10: ffffffff83937cd1 R11: 0000000000000000 R12: 0000000000000c40
+R13: ffff888019263538 R14: 0000000000000000 R15: 0000000000ffffff
+FS:  0000000000000000(0000) GS:ffff88802d180000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000000000000001c CR3: 000000000b48e000 CR4: 0000000000750ee0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+PKRU: 55555554
+Call Trace:
+ integrity_inode_get+0x47/0x260 security/integrity/iint.c:105
+ process_measurement+0x33d/0x17e0 security/integrity/ima/ima_main.c:237
+ ima_bprm_check+0xde/0x210 security/integrity/ima/ima_main.c:474
+ security_bprm_check+0x7d/0xa0 security/security.c:845
+ search_binary_handler fs/exec.c:1708 [inline]
+ exec_binprm fs/exec.c:1761 [inline]
+ bprm_execve fs/exec.c:1830 [inline]
+ bprm_execve+0x764/0x19a0 fs/exec.c:1792
+ kernel_execve+0x370/0x460 fs/exec.c:1973
+ try_to_run_init_process+0x14/0x4e init/main.c:1366
+ kernel_init+0x11d/0x1b8 init/main.c:1477
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
+Modules linked in:
+CR2: 000000000000001c
+---[ end trace 22d601a500de7d79 ]---
+
+Since LSMs and IMA may be configured at build time, but not enabled at
+run time, panic the system if "integrity" was not initialized before use.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Fixes: 79f7865d844c ("LSM: Introduce "lsm=" for boottime LSM selection")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/integrity/iint.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/security/integrity/iint.c
++++ b/security/integrity/iint.c
+@@ -98,6 +98,14 @@ struct integrity_iint_cache *integrity_i
+       struct rb_node *node, *parent = NULL;
+       struct integrity_iint_cache *iint, *test_iint;
++      /*
++       * The integrity's "iint_cache" is initialized at security_init(),
++       * unless it is not included in the ordered list of LSMs enabled
++       * on the boot command line.
++       */
++      if (!iint_cache)
++              panic("%s: lsm=integrity required.\n", __func__);
++
+       iint = integrity_iint_find(inode);
+       if (iint)
+               return iint;
diff --git a/queue-5.4/kasan-fix-per-page-tags-for-non-page_alloc-pages.patch b/queue-5.4/kasan-fix-per-page-tags-for-non-page_alloc-pages.patch
new file mode 100644 (file)
index 0000000..81e808a
--- /dev/null
@@ -0,0 +1,87 @@
+From cf10bd4c4aff8dd64d1aa7f2a529d0c672bc16af Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov <andreyknvl@google.com>
+Date: Wed, 24 Mar 2021 21:37:20 -0700
+Subject: kasan: fix per-page tags for non-page_alloc pages
+
+From: Andrey Konovalov <andreyknvl@google.com>
+
+commit cf10bd4c4aff8dd64d1aa7f2a529d0c672bc16af upstream.
+
+To allow performing tag checks on page_alloc addresses obtained via
+page_address(), tag-based KASAN modes store tags for page_alloc
+allocations in page->flags.
+
+Currently, the default tag value stored in page->flags is 0x00.
+Therefore, page_address() returns a 0x00ffff...  address for pages that
+were not allocated via page_alloc.
+
+This might cause problems.  A particular case we encountered is a
+conflict with KFENCE.  If a KFENCE-allocated slab object is being freed
+via kfree(page_address(page) + offset), the address passed to kfree()
+will get tagged with 0x00 (as slab pages keep the default per-page
+tags).  This leads to is_kfence_address() check failing, and a KFENCE
+object ending up in normal slab freelist, which causes memory
+corruptions.
+
+This patch changes the way KASAN stores tag in page-flags: they are now
+stored xor'ed with 0xff.  This way, KASAN doesn't need to initialize
+per-page flags for every created page, which might be slow.
+
+With this change, page_address() returns natively-tagged (with 0xff)
+pointers for pages that didn't have tags set explicitly.
+
+This patch fixes the encountered conflict with KFENCE and prevents more
+similar issues that can occur in the future.
+
+Link: https://lkml.kernel.org/r/1a41abb11c51b264511d9e71c303bb16d5cb367b.1615475452.git.andreyknvl@google.com
+Fixes: 2813b9c02962 ("kasan, mm, arm64: tag non slab memory allocated via pagealloc")
+Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
+Reviewed-by: Marco Elver <elver@google.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Peter Collingbourne <pcc@google.com>
+Cc: Evgenii Stepanov <eugenis@google.com>
+Cc: Branislav Rankov <Branislav.Rankov@arm.com>
+Cc: Kevin Brodsky <kevin.brodsky@arm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/mm.h |   15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -1226,13 +1226,26 @@ static inline bool cpupid_match_pid(stru
+ #endif /* CONFIG_NUMA_BALANCING */
+ #ifdef CONFIG_KASAN_SW_TAGS
++
++/*
++ * KASAN per-page tags are stored xor'ed with 0xff. This allows to avoid
++ * setting tags for all pages to native kernel tag value 0xff, as the default
++ * value 0x00 maps to 0xff.
++ */
++
+ static inline u8 page_kasan_tag(const struct page *page)
+ {
+-      return (page->flags >> KASAN_TAG_PGSHIFT) & KASAN_TAG_MASK;
++      u8 tag;
++
++      tag = (page->flags >> KASAN_TAG_PGSHIFT) & KASAN_TAG_MASK;
++      tag ^= 0xff;
++
++      return tag;
+ }
+ static inline void page_kasan_tag_set(struct page *page, u8 tag)
+ {
++      tag ^= 0xff;
+       page->flags &= ~(KASAN_TAG_MASK << KASAN_TAG_PGSHIFT);
+       page->flags |= (tag & KASAN_TAG_MASK) << KASAN_TAG_PGSHIFT;
+ }
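Review bot: The xor constant `0xff` is repeated as a bare literal in page_kasan_tag() (L719) and page_kasan_tag_set() (L725), and the only thing tying the two together is the block comment above; if one side is ever changed without the other, every tag read would silently disagree with every tag write. A named constant next to the comment, e.g. `#define PAGE_KASAN_TAG_XOR 0xff` (name constructed here), used in both helpers would make the pairing explicit — the KASAN internals already name this value `KASAN_TAG_KERNEL`, but that definition does not appear to be visible from include/linux/mm.h. The getter could also collapse to a single expression, `return ((page->flags >> KASAN_TAG_PGSHIFT) & KASAN_TAG_MASK) ^ 0xff;`, matching the one-line style of the setter.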
diff --git a/queue-5.4/netsec-restore-phy-power-state-after-controller-reset.patch b/queue-5.4/netsec-restore-phy-power-state-after-controller-reset.patch
new file mode 100644 (file)
index 0000000..b30cf47
--- /dev/null
@@ -0,0 +1,50 @@
+From 804741ac7b9f2fdebe3740cb0579cb8d94d49e60 Mon Sep 17 00:00:00 2001
+From: Mian Yousaf Kaukab <ykaukab@suse.de>
+Date: Thu, 18 Mar 2021 09:50:26 +0100
+Subject: netsec: restore phy power state after controller reset
+
+From: Mian Yousaf Kaukab <ykaukab@suse.de>
+
+commit 804741ac7b9f2fdebe3740cb0579cb8d94d49e60 upstream.
+
+Since commit 8e850f25b581 ("net: socionext: Stop PHY before resetting
+netsec") netsec_netdev_init() power downs phy before resetting the
+controller. However, the state is not restored once the reset is
+complete. As a result it is not possible to bring up network on a
+platform with Broadcom BCM5482 phy.
+
+Fix the issue by restoring phy power state after controller reset is
+complete.
+
+Fixes: 8e850f25b581 ("net: socionext: Stop PHY before resetting netsec")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mian Yousaf Kaukab <ykaukab@suse.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/socionext/netsec.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/socionext/netsec.c
++++ b/drivers/net/ethernet/socionext/netsec.c
+@@ -1693,14 +1693,17 @@ static int netsec_netdev_init(struct net
+               goto err1;
+       /* set phy power down */
+-      data = netsec_phy_read(priv->mii_bus, priv->phy_addr, MII_BMCR) |
+-              BMCR_PDOWN;
+-      netsec_phy_write(priv->mii_bus, priv->phy_addr, MII_BMCR, data);
++      data = netsec_phy_read(priv->mii_bus, priv->phy_addr, MII_BMCR);
++      netsec_phy_write(priv->mii_bus, priv->phy_addr, MII_BMCR,
++                       data | BMCR_PDOWN);
+       ret = netsec_reset_hardware(priv, true);
+       if (ret)
+               goto err2;
++      /* Restore phy power state */
++      netsec_phy_write(priv->mii_bus, priv->phy_addr, MII_BMCR, data);
++
+       spin_lock_init(&priv->desc_ring[NETSEC_RING_TX].lock);
+       spin_lock_init(&priv->desc_ring[NETSEC_RING_RX].lock);
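Review bot: The PHY power state is only restored on the success path: when netsec_reset_hardware() fails at L772-L774 the function jumps to err2 with BMCR_PDOWN still written, so the PHY is left powered down on that error path. If that is not intended, the restore write `netsec_phy_write(priv->mii_bus, priv->phy_addr, MII_BMCR, data);` should also run before `goto err2`, or the err2 label should perform it. The err2 label and the remainder of netsec_netdev_init() are outside the hunk, so it may already be handled there; worth confirming.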
diff --git a/queue-5.4/platform-x86-intel-vbtn-stop-reporting-sw_dock-events.patch b/queue-5.4/platform-x86-intel-vbtn-stop-reporting-sw_dock-events.patch
new file mode 100644 (file)
index 0000000..e1b385e
--- /dev/null
@@ -0,0 +1,61 @@
+From 538d2dd0b9920334e6596977a664e9e7bac73703 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sun, 21 Mar 2021 17:35:13 +0100
+Subject: platform/x86: intel-vbtn: Stop reporting SW_DOCK events
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 538d2dd0b9920334e6596977a664e9e7bac73703 upstream.
+
+Stop reporting SW_DOCK events because this breaks suspend-on-lid-close.
+
+SW_DOCK should only be reported for docking stations, but all the DSDTs in
+my DSDT collection which use the intel-vbtn code, always seem to use this
+for 2-in-1s / convertibles and set SW_DOCK=1 when in laptop-mode (in tandem
+with setting SW_TABLET_MODE=0).
+
+This causes userspace to think the laptop is docked to a port-replicator
+and to disable suspend-on-lid-close, which is undesirable.
+
+Map the dock events to KEY_IGNORE to avoid this broken SW_DOCK reporting.
+
+Note this may theoretically cause us to stop reporting SW_DOCK on some
+device where the 0xCA and 0xCB intel-vbtn events are actually used for
+reporting docking to a classic docking-station / port-replicator but
+I'm not aware of any such devices.
+
+Also the most important thing is that we only report SW_DOCK when it
+reliably reports being docked to a classic docking-station without any
+false positives, which clearly is not the case here. If there is a
+chance of reporting false positives then it is better to not report
+SW_DOCK at all.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20210321163513.72328-1-hdegoede@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/intel-vbtn.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/platform/x86/intel-vbtn.c
++++ b/drivers/platform/x86/intel-vbtn.c
+@@ -46,8 +46,16 @@ static const struct key_entry intel_vbtn
+ };
+ static const struct key_entry intel_vbtn_switchmap[] = {
+-      { KE_SW,     0xCA, { .sw = { SW_DOCK, 1 } } },          /* Docked */
+-      { KE_SW,     0xCB, { .sw = { SW_DOCK, 0 } } },          /* Undocked */
++      /*
++       * SW_DOCK should only be reported for docking stations, but DSDTs using the
++       * intel-vbtn code, always seem to use this for 2-in-1s / convertibles and set
++       * SW_DOCK=1 when in laptop-mode (in tandem with setting SW_TABLET_MODE=0).
++       * This causes userspace to think the laptop is docked to a port-replicator
++       * and to disable suspend-on-lid-close, which is undesirable.
++       * Map the dock events to KEY_IGNORE to avoid this broken SW_DOCK reporting.
++       */
++      { KE_IGNORE, 0xCA, { .sw = { SW_DOCK, 1 } } },          /* Docked */
++      { KE_IGNORE, 0xCB, { .sw = { SW_DOCK, 0 } } },          /* Undocked */
+       { KE_SW,     0xCC, { .sw = { SW_TABLET_MODE, 1 } } },   /* Tablet */
+       { KE_SW,     0xCD, { .sw = { SW_TABLET_MODE, 0 } } },   /* Laptop */
+ };
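Review bot: The two KE_IGNORE entries at the end of the new table still carry `.sw = { SW_DOCK, 1 } }` and `.sw = { SW_DOCK, 0 } }` payloads, which the sparse-keymap handling presumably never reads for an ignored entry, so the payload is now documentation rather than behaviour. The explanatory comment block plus the trailing `/* Docked */` and `/* Undocked */` comments already preserve the original meaning, so the entries could be reduced to `{ KE_IGNORE, 0xCA, },` and `{ KE_IGNORE, 0xCB, },` so that a reader does not assume SW_DOCK is still reported for these codes. If the payloads are kept deliberately to make a later revert a one-word change, a short comment saying so would remove the ambiguity.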
index d09173e4bca367d515231fa68e080865226a485e..e2253e6c3341449d77821e308e8a66cec4b215af 100644 (file)
@@ -36,3 +36,17 @@ nfs-we-don-t-support-removing-system.nfs4_acl.patch
 block-suppress-uevent-for-hidden-device-when-removed.patch
 ia64-fix-ia64_syscall_get_set_arguments-for-break-ba.patch
 ia64-fix-ptrace-ptrace_syscall_info_exit-sign.patch
+netsec-restore-phy-power-state-after-controller-reset.patch
+platform-x86-intel-vbtn-stop-reporting-sw_dock-events.patch
+squashfs-fix-inode-lookup-sanity-checks.patch
+squashfs-fix-xattr-id-and-id-lookup-sanity-checks.patch
+kasan-fix-per-page-tags-for-non-page_alloc-pages.patch
+gcov-fix-clang-11-support.patch
+acpi-video-add-missing-callback-back-for-sony-vpceh3u1e.patch
+arm64-dts-ls1046a-mark-crypto-engine-dma-coherent.patch
+arm64-dts-ls1012a-mark-crypto-engine-dma-coherent.patch
+arm64-dts-ls1043a-mark-crypto-engine-dma-coherent.patch
+arm-dts-at91-sama5d27_som1-fix-phy-address-to-7.patch
+integrity-double-check-iint_cache-was-initialized.patch
+dm-verity-fix-dm_verity_opts_max-value.patch
+dm-ioctl-fix-out-of-bounds-array-access-when-no-devices.patch
diff --git a/queue-5.4/squashfs-fix-inode-lookup-sanity-checks.patch b/queue-5.4/squashfs-fix-inode-lookup-sanity-checks.patch
new file mode 100644 (file)
index 0000000..bcaa150
--- /dev/null
@@ -0,0 +1,61 @@
+From c1b2028315c6b15e8d6725e0d5884b15887d3daa Mon Sep 17 00:00:00 2001
+From: Sean Nyekjaer <sean@geanix.com>
+Date: Wed, 24 Mar 2021 21:37:32 -0700
+Subject: squashfs: fix inode lookup sanity checks
+
+From: Sean Nyekjaer <sean@geanix.com>
+
+commit c1b2028315c6b15e8d6725e0d5884b15887d3daa upstream.
+
+When mouting a squashfs image created without inode compression it fails
+with: "unable to read inode lookup table"
+
+It turns out that the BLOCK_OFFSET is missing when checking the
+SQUASHFS_METADATA_SIZE agaist the actual size.
+
+Link: https://lkml.kernel.org/r/20210226092903.1473545-1-sean@geanix.com
+Fixes: eabac19e40c0 ("squashfs: add more sanity checks in inode lookup")
+Signed-off-by: Sean Nyekjaer <sean@geanix.com>
+Acked-by: Phillip Lougher <phillip@squashfs.org.uk>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/squashfs/export.c      |    8 ++++++--
+ fs/squashfs/squashfs_fs.h |    1 +
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/squashfs/export.c
++++ b/fs/squashfs/export.c
+@@ -152,14 +152,18 @@ __le64 *squashfs_read_inode_lookup_table
+               start = le64_to_cpu(table[n]);
+               end = le64_to_cpu(table[n + 1]);
+-              if (start >= end || (end - start) > SQUASHFS_METADATA_SIZE) {
++              if (start >= end
++                  || (end - start) >
++                  (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) {
+                       kfree(table);
+                       return ERR_PTR(-EINVAL);
+               }
+       }
+       start = le64_to_cpu(table[indexes - 1]);
+-      if (start >= lookup_table_start || (lookup_table_start - start) > SQUASHFS_METADATA_SIZE) {
++      if (start >= lookup_table_start ||
++          (lookup_table_start - start) >
++          (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) {
+               kfree(table);
+               return ERR_PTR(-EINVAL);
+       }
+--- a/fs/squashfs/squashfs_fs.h
++++ b/fs/squashfs/squashfs_fs.h
+@@ -17,6 +17,7 @@
+ /* size of metadata (inode and directory) blocks */
+ #define SQUASHFS_METADATA_SIZE                8192
++#define SQUASHFS_BLOCK_OFFSET         2
+ /* default size of block device I/O */
+ #ifdef CONFIG_SQUASHFS_4K_DEVBLK_SIZE
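Review bot: The new `SQUASHFS_BLOCK_OFFSET` define in squashfs_fs.h is the only constant in the visible hunk without an explanatory comment, while the neighbouring `SQUASHFS_METADATA_SIZE` has one. Since this constant decides how far the export.c sanity checks let a metadata block extend before the table is rejected with -EINVAL, its meaning should be stated at the definition, e.g. `/* size of the length count that precedes each metadata block */` on the line above it, which also matches the wording used in the follow-up id/xattr-id patch. The two widened checks are inside `squashfs_read_inode_lookup_table`, whose body starts and ends outside the hunk.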
diff --git a/queue-5.4/squashfs-fix-xattr-id-and-id-lookup-sanity-checks.patch b/queue-5.4/squashfs-fix-xattr-id-and-id-lookup-sanity-checks.patch
new file mode 100644 (file)
index 0000000..85ce8b9
--- /dev/null
@@ -0,0 +1,67 @@
+From 8b44ca2b634527151af07447a8090a5f3a043321 Mon Sep 17 00:00:00 2001
+From: Phillip Lougher <phillip@squashfs.org.uk>
+Date: Wed, 24 Mar 2021 21:37:35 -0700
+Subject: squashfs: fix xattr id and id lookup sanity checks
+
+From: Phillip Lougher <phillip@squashfs.org.uk>
+
+commit 8b44ca2b634527151af07447a8090a5f3a043321 upstream.
+
+The checks for maximum metadata block size is missing
+SQUASHFS_BLOCK_OFFSET (the two byte length count).
+
+Link: https://lkml.kernel.org/r/2069685113.2081245.1614583677427@webmail.123-reg.co.uk
+Fixes: f37aa4c7366e23f ("squashfs: add more sanity checks in id lookup")
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+Cc: Sean Nyekjaer <sean@geanix.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/squashfs/id.c       |    6 ++++--
+ fs/squashfs/xattr_id.c |    6 ++++--
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+--- a/fs/squashfs/id.c
++++ b/fs/squashfs/id.c
+@@ -97,14 +97,16 @@ __le64 *squashfs_read_id_index_table(str
+               start = le64_to_cpu(table[n]);
+               end = le64_to_cpu(table[n + 1]);
+-              if (start >= end || (end - start) > SQUASHFS_METADATA_SIZE) {
++              if (start >= end || (end - start) >
++                              (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) {
+                       kfree(table);
+                       return ERR_PTR(-EINVAL);
+               }
+       }
+       start = le64_to_cpu(table[indexes - 1]);
+-      if (start >= id_table_start || (id_table_start - start) > SQUASHFS_METADATA_SIZE) {
++      if (start >= id_table_start || (id_table_start - start) >
++                              (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) {
+               kfree(table);
+               return ERR_PTR(-EINVAL);
+       }
+--- a/fs/squashfs/xattr_id.c
++++ b/fs/squashfs/xattr_id.c
+@@ -109,14 +109,16 @@ __le64 *squashfs_read_xattr_id_table(str
+               start = le64_to_cpu(table[n]);
+               end = le64_to_cpu(table[n + 1]);
+-              if (start >= end || (end - start) > SQUASHFS_METADATA_SIZE) {
++              if (start >= end || (end - start) >
++                              (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) {
+                       kfree(table);
+                       return ERR_PTR(-EINVAL);
+               }
+       }
+       start = le64_to_cpu(table[indexes - 1]);
+-      if (start >= table_start || (table_start - start) > SQUASHFS_METADATA_SIZE) {
++      if (start >= table_start || (table_start - start) >
++                              (SQUASHFS_METADATA_SIZE + SQUASHFS_BLOCK_OFFSET)) {
+               kfree(table);
+               return ERR_PTR(-EINVAL);
+       }