--- /dev/null
+From 552abb884e97d26589964e5a8c7e736f852f95f0 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Mon, 18 May 2020 12:49:45 +0200
+Subject: cpufreq: Fix up cpufreq_boost_set_sw()
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit 552abb884e97d26589964e5a8c7e736f852f95f0 upstream.
+
+After commit 18c49926c4bf ("cpufreq: Add QoS requests for userspace
+constraints") the return value of freq_qos_update_request(), that can
+be 1, passed by cpufreq_boost_set_sw() to its caller sometimes
+confuses the latter, which only expects to see 0 or negative error
+codes, so notice that cpufreq_boost_set_sw() can return an error code
+(which should not be -EINVAL for that matter) as soon as the first
+policy without a frequency table is found (because either all policies
+have a frequency table or none of them have it) and rework it to meet
+its caller's expectations.
+
+Fixes: 18c49926c4bf ("cpufreq: Add QoS requests for userspace constraints")
+Reported-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Reported-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Cc: 5.3+ <stable@vger.kernel.org> # 5.3+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cpufreq/cpufreq.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/cpufreq/cpufreq.c
++++ b/drivers/cpufreq/cpufreq.c
+@@ -2515,26 +2515,27 @@ EXPORT_SYMBOL_GPL(cpufreq_update_limits)
+ static int cpufreq_boost_set_sw(int state)
+ {
+ struct cpufreq_policy *policy;
+- int ret = -EINVAL;
+
+ for_each_active_policy(policy) {
++ int ret;
++
+ if (!policy->freq_table)
+- continue;
++ return -ENXIO;
+
+ ret = cpufreq_frequency_table_cpuinfo(policy,
+ policy->freq_table);
+ if (ret) {
+ pr_err("%s: Policy frequency update failed\n",
+ __func__);
+- break;
++ return ret;
+ }
+
+ ret = freq_qos_update_request(policy->max_freq_req, policy->max);
+ if (ret < 0)
+- break;
++ return ret;
+ }
+
+- return ret;
++ return 0;
+ }
+
+ int cpufreq_boost_trigger_state(int state)
--- /dev/null
+From 1032095053b34d474aa20f2625d97dd306e0991b Mon Sep 17 00:00:00 2001
+From: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+Date: Fri, 15 May 2020 20:34:06 +0800
+Subject: EDAC/skx: Use the mcmtr register to retrieve close_pg/bank_xor_enable
+
+From: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+
+commit 1032095053b34d474aa20f2625d97dd306e0991b upstream.
+
+The skx_edac driver wrongly uses the mtr register to retrieve two fields
+close_pg and bank_xor_enable. Fix it by using the correct mcmtr register
+to get the two fields.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+Reported-by: Matthew Riley <mattdr@google.com>
+Acked-by: Aristeu Rozanski <aris@redhat.com>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Link: https://lore.kernel.org/r/20200515210146.1337-1-tony.luck@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/edac/i10nm_base.c | 2 +-
+ drivers/edac/skx_base.c | 20 ++++++++------------
+ drivers/edac/skx_common.c | 6 +++---
+ drivers/edac/skx_common.h | 2 +-
+ 4 files changed, 13 insertions(+), 17 deletions(-)
+
+--- a/drivers/edac/i10nm_base.c
++++ b/drivers/edac/i10nm_base.c
+@@ -161,7 +161,7 @@ static int i10nm_get_dimm_config(struct
+ mtr, mcddrtcfg, imc->mc, i, j);
+
+ if (IS_DIMM_PRESENT(mtr))
+- ndimms += skx_get_dimm_info(mtr, 0, dimm,
++ ndimms += skx_get_dimm_info(mtr, 0, 0, dimm,
+ imc, i, j);
+ else if (IS_NVDIMM_PRESENT(mcddrtcfg, j))
+ ndimms += skx_get_nvdimm_info(dimm, imc, i, j,
+--- a/drivers/edac/skx_base.c
++++ b/drivers/edac/skx_base.c
+@@ -163,27 +163,23 @@ static const struct x86_cpu_id skx_cpuid
+ };
+ MODULE_DEVICE_TABLE(x86cpu, skx_cpuids);
+
+-#define SKX_GET_MTMTR(dev, reg) \
+- pci_read_config_dword((dev), 0x87c, &(reg))
+-
+-static bool skx_check_ecc(struct pci_dev *pdev)
++static bool skx_check_ecc(u32 mcmtr)
+ {
+- u32 mtmtr;
+-
+- SKX_GET_MTMTR(pdev, mtmtr);
+-
+- return !!GET_BITFIELD(mtmtr, 2, 2);
++ return !!GET_BITFIELD(mcmtr, 2, 2);
+ }
+
+ static int skx_get_dimm_config(struct mem_ctl_info *mci)
+ {
+ struct skx_pvt *pvt = mci->pvt_info;
++ u32 mtr, mcmtr, amap, mcddrtcfg;
+ struct skx_imc *imc = pvt->imc;
+- u32 mtr, amap, mcddrtcfg;
+ struct dimm_info *dimm;
+ int i, j;
+ int ndimms;
+
++ /* Only the mcmtr on the first channel is effective */
++ pci_read_config_dword(imc->chan[0].cdev, 0x87c, &mcmtr);
++
+ for (i = 0; i < SKX_NUM_CHANNELS; i++) {
+ ndimms = 0;
+ pci_read_config_dword(imc->chan[i].cdev, 0x8C, &amap);
+@@ -193,14 +189,14 @@ static int skx_get_dimm_config(struct me
+ pci_read_config_dword(imc->chan[i].cdev,
+ 0x80 + 4 * j, &mtr);
+ if (IS_DIMM_PRESENT(mtr)) {
+- ndimms += skx_get_dimm_info(mtr, amap, dimm, imc, i, j);
++ ndimms += skx_get_dimm_info(mtr, mcmtr, amap, dimm, imc, i, j);
+ } else if (IS_NVDIMM_PRESENT(mcddrtcfg, j)) {
+ ndimms += skx_get_nvdimm_info(dimm, imc, i, j,
+ EDAC_MOD_STR);
+ nvdimm_count++;
+ }
+ }
+- if (ndimms && !skx_check_ecc(imc->chan[0].cdev)) {
++ if (ndimms && !skx_check_ecc(mcmtr)) {
+ skx_printk(KERN_ERR, "ECC is disabled on imc %d\n", imc->mc);
+ return -ENODEV;
+ }
+--- a/drivers/edac/skx_common.c
++++ b/drivers/edac/skx_common.c
+@@ -304,7 +304,7 @@ static int skx_get_dimm_attr(u32 reg, in
+ #define numrow(reg) skx_get_dimm_attr(reg, 2, 4, 12, 1, 6, "rows")
+ #define numcol(reg) skx_get_dimm_attr(reg, 0, 1, 10, 0, 2, "cols")
+
+-int skx_get_dimm_info(u32 mtr, u32 amap, struct dimm_info *dimm,
++int skx_get_dimm_info(u32 mtr, u32 mcmtr, u32 amap, struct dimm_info *dimm,
+ struct skx_imc *imc, int chan, int dimmno)
+ {
+ int banks = 16, ranks, rows, cols, npages;
+@@ -324,8 +324,8 @@ int skx_get_dimm_info(u32 mtr, u32 amap,
+ imc->mc, chan, dimmno, size, npages,
+ banks, 1 << ranks, rows, cols);
+
+- imc->chan[chan].dimms[dimmno].close_pg = GET_BITFIELD(mtr, 0, 0);
+- imc->chan[chan].dimms[dimmno].bank_xor_enable = GET_BITFIELD(mtr, 9, 9);
++ imc->chan[chan].dimms[dimmno].close_pg = GET_BITFIELD(mcmtr, 0, 0);
++ imc->chan[chan].dimms[dimmno].bank_xor_enable = GET_BITFIELD(mcmtr, 9, 9);
+ imc->chan[chan].dimms[dimmno].fine_grain_bank = GET_BITFIELD(amap, 0, 0);
+ imc->chan[chan].dimms[dimmno].rowbits = rows;
+ imc->chan[chan].dimms[dimmno].colbits = cols;
+--- a/drivers/edac/skx_common.h
++++ b/drivers/edac/skx_common.h
+@@ -128,7 +128,7 @@ int skx_get_all_bus_mappings(unsigned in
+
+ int skx_get_hi_lo(unsigned int did, int off[], u64 *tolm, u64 *tohm);
+
+-int skx_get_dimm_info(u32 mtr, u32 amap, struct dimm_info *dimm,
++int skx_get_dimm_info(u32 mtr, u32 mcmtr, u32 amap, struct dimm_info *dimm,
+ struct skx_imc *imc, int chan, int dimmno);
+
+ int skx_get_nvdimm_info(struct dimm_info *dimm, struct skx_imc *imc,
--- /dev/null
+From 3204be4109ad681523e3461ce64454c79278450a Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <maz@kernel.org>
+Date: Tue, 9 Jun 2020 08:40:35 +0100
+Subject: KVM: arm64: Make vcpu_cp1x() work on Big Endian hosts
+
+From: Marc Zyngier <maz@kernel.org>
+
+commit 3204be4109ad681523e3461ce64454c79278450a upstream.
+
+AArch32 CP1x registers are overlayed on their AArch64 counterparts
+in the vcpu struct. This leads to an interesting problem as they
+are stored in their CPU-local format, and thus a CP1x register
+doesn't "hit" the lower 32bit portion of the AArch64 register on
+a BE host.
+
+To workaround this unfortunate situation, introduce a bias trick
+in the vcpu_cp1x() accessors which picks the correct half of the
+64bit register.
+
+Cc: stable@vger.kernel.org
+Reported-by: James Morse <james.morse@arm.com>
+Tested-by: James Morse <james.morse@arm.com>
+Acked-by: James Morse <james.morse@arm.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/kvm_host.h | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/include/asm/kvm_host.h
++++ b/arch/arm64/include/asm/kvm_host.h
+@@ -404,8 +404,10 @@ void vcpu_write_sys_reg(struct kvm_vcpu
+ * CP14 and CP15 live in the same array, as they are backed by the
+ * same system registers.
+ */
+-#define vcpu_cp14(v,r) ((v)->arch.ctxt.copro[(r)])
+-#define vcpu_cp15(v,r) ((v)->arch.ctxt.copro[(r)])
++#define CPx_BIAS IS_ENABLED(CONFIG_CPU_BIG_ENDIAN)
++
++#define vcpu_cp14(v,r) ((v)->arch.ctxt.copro[(r) ^ CPx_BIAS])
++#define vcpu_cp15(v,r) ((v)->arch.ctxt.copro[(r) ^ CPx_BIAS])
+
+ struct kvm_vm_stat {
+ ulong remote_tlb_flush;
--- /dev/null
+From 7c582bf4ed84f3eb58bdd1f63024a14c17551e7d Mon Sep 17 00:00:00 2001
+From: James Morse <james.morse@arm.com>
+Date: Fri, 29 May 2020 15:06:54 +0000
+Subject: KVM: arm64: Stop writing aarch32's CSSELR into ACTLR
+
+From: James Morse <james.morse@arm.com>
+
+commit 7c582bf4ed84f3eb58bdd1f63024a14c17551e7d upstream.
+
+aarch32 has pairs of registers to access the high and low parts of 64bit
+registers. KVM has a union of 64bit sys_regs[] and 32bit copro[]. The
+32bit accessors read the high or low part of the 64bit sys_reg[] value
+through the union.
+
+Both sys_reg_descs[] and cp15_regs[] list access_csselr() as the accessor
+for CSSELR{,_EL1}. access_csselr() is only aware of the 64bit sys_regs[],
+and expects r->reg to be 'CSSELR_EL1' in the enum, index 2 of the 64bit
+array.
+
+cp15_regs[] uses the 32bit copro[] alias of sys_regs[]. Here CSSELR is
+c0_CSSELR which is the same location in sys_reg[]. r->reg is 'c0_CSSELR',
+index 4 in the 32bit array.
+
+access_csselr() uses the 32bit r->reg value to access the 64bit array,
+so reads and write the wrong value. sys_regs[4], is ACTLR_EL1, which
+is subsequently save/restored when we enter the guest.
+
+ACTLR_EL1 is supposed to be read-only for the guest. This register
+only affects execution at EL1, and the host's value is restored before
+we return to host EL1.
+
+Convert the 32bit register index back to the 64bit version.
+
+Suggested-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: James Morse <james.morse@arm.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20200529150656.7339-2-james.morse@arm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kvm/sys_regs.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/kvm/sys_regs.c
++++ b/arch/arm64/kvm/sys_regs.c
+@@ -1280,10 +1280,16 @@ static bool access_clidr(struct kvm_vcpu
+ static bool access_csselr(struct kvm_vcpu *vcpu, struct sys_reg_params *p,
+ const struct sys_reg_desc *r)
+ {
++ int reg = r->reg;
++
++ /* See the 32bit mapping in kvm_host.h */
++ if (p->is_aarch32)
++ reg = r->reg / 2;
++
+ if (p->is_write)
+- vcpu_write_sys_reg(vcpu, p->regval, r->reg);
++ vcpu_write_sys_reg(vcpu, p->regval, reg);
+ else
+- p->regval = vcpu_read_sys_reg(vcpu, r->reg);
++ p->regval = vcpu_read_sys_reg(vcpu, reg);
+ return true;
+ }
+
--- /dev/null
+From fe2b73dba47fb6d6922df1ad44e83b1754d5ed4d Mon Sep 17 00:00:00 2001
+From: Xing Li <lixing@loongson.cn>
+Date: Sat, 23 May 2020 15:56:28 +0800
+Subject: KVM: MIPS: Define KVM_ENTRYHI_ASID to cpu_asid_mask(&boot_cpu_data)
+
+From: Xing Li <lixing@loongson.cn>
+
+commit fe2b73dba47fb6d6922df1ad44e83b1754d5ed4d upstream.
+
+The code in decode_config4() of arch/mips/kernel/cpu-probe.c
+
+ asid_mask = MIPS_ENTRYHI_ASID;
+ if (config4 & MIPS_CONF4_AE)
+ asid_mask |= MIPS_ENTRYHI_ASIDX;
+ set_cpu_asid_mask(c, asid_mask);
+
+set asid_mask to cpuinfo->asid_mask.
+
+So in order to support variable ASID_MASK, KVM_ENTRYHI_ASID should also
+be changed to cpu_asid_mask(&boot_cpu_data).
+
+Cc: Stable <stable@vger.kernel.org> #4.9+
+Reviewed-by: Aleksandar Markovic <aleksandar.qemu.devel@gmail.com>
+Signed-off-by: Xing Li <lixing@loongson.cn>
+[Huacai: Change current_cpu_data to boot_cpu_data for optimization]
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Message-Id: <1590220602-3547-2-git-send-email-chenhc@lemote.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/kvm_host.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/include/asm/kvm_host.h
++++ b/arch/mips/include/asm/kvm_host.h
+@@ -275,7 +275,7 @@ enum emulation_result {
+ #define MIPS3_PG_FRAME 0x3fffffc0
+
+ #define VPN2_MASK 0xffffe000
+-#define KVM_ENTRYHI_ASID MIPS_ENTRYHI_ASID
++#define KVM_ENTRYHI_ASID cpu_asid_mask(&boot_cpu_data)
+ #define TLB_IS_GLOBAL(x) ((x).tlb_lo[0] & (x).tlb_lo[1] & ENTRYLO_G)
+ #define TLB_VPN2(x) ((x).tlb_hi & VPN2_MASK)
+ #define TLB_ASID(x) ((x).tlb_hi & KVM_ENTRYHI_ASID)
--- /dev/null
+From 5816c76dea116a458f1932eefe064e35403248eb Mon Sep 17 00:00:00 2001
+From: Xing Li <lixing@loongson.cn>
+Date: Sat, 23 May 2020 15:56:29 +0800
+Subject: KVM: MIPS: Fix VPN2_MASK definition for variable cpu_vmbits
+
+From: Xing Li <lixing@loongson.cn>
+
+commit 5816c76dea116a458f1932eefe064e35403248eb upstream.
+
+If a CPU support more than 32bit vmbits (which is true for 64bit CPUs),
+VPN2_MASK set to fixed 0xffffe000 will lead to a wrong EntryHi in some
+functions such as _kvm_mips_host_tlb_inv().
+
+The cpu_vmbits definition of 32bit CPU in cpu-features.h is 31, so we
+still use the old definition.
+
+Cc: Stable <stable@vger.kernel.org>
+Reviewed-by: Aleksandar Markovic <aleksandar.qemu.devel@gmail.com>
+Signed-off-by: Xing Li <lixing@loongson.cn>
+[Huacai: Improve commit messages]
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Message-Id: <1590220602-3547-3-git-send-email-chenhc@lemote.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/kvm_host.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/mips/include/asm/kvm_host.h
++++ b/arch/mips/include/asm/kvm_host.h
+@@ -274,7 +274,11 @@ enum emulation_result {
+ #define MIPS3_PG_SHIFT 6
+ #define MIPS3_PG_FRAME 0x3fffffc0
+
++#if defined(CONFIG_64BIT)
++#define VPN2_MASK GENMASK(cpu_vmbits - 1, 13)
++#else
+ #define VPN2_MASK 0xffffe000
++#endif
+ #define KVM_ENTRYHI_ASID cpu_asid_mask(&boot_cpu_data)
+ #define TLB_IS_GLOBAL(x) ((x).tlb_lo[0] & (x).tlb_lo[1] & ENTRYLO_G)
+ #define TLB_VPN2(x) ((x).tlb_hi & VPN2_MASK)
--- /dev/null
+From a3535be731c2a343912578465021f50937f7b099 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Sat, 16 May 2020 09:19:06 -0400
+Subject: KVM: nSVM: fix condition for filtering async PF
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit a3535be731c2a343912578465021f50937f7b099 upstream.
+
+Async page faults have to be trapped in the host (L1 in this case),
+since the APF reason was passed from L0 to L1 and stored in the L1 APF
+data page. This was completely reversed: the page faults were passed
+to the guest, a L2 hypervisor.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/svm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -3236,8 +3236,8 @@ static int nested_svm_exit_special(struc
+ return NESTED_EXIT_HOST;
+ break;
+ case SVM_EXIT_EXCP_BASE + PF_VECTOR:
+- /* When we're shadowing, trap PFs, but not async PF */
+- if (!npt_enabled && svm->vcpu.arch.apf.host_apf_reason == 0)
++ /* Trap async PF even if not shadowing */
++ if (!npt_enabled || svm->vcpu.arch.apf.host_apf_reason)
+ return NESTED_EXIT_HOST;
+ break;
+ default:
--- /dev/null
+From 6c0238c4a62b3a0b1201aeb7e33a4636d552a436 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 20 May 2020 08:02:17 -0400
+Subject: KVM: nSVM: leave ASID aside in copy_vmcb_control_area
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 6c0238c4a62b3a0b1201aeb7e33a4636d552a436 upstream.
+
+Restoring the ASID from the hsave area on VMEXIT is wrong, because its
+value depends on the handling of TLB flushes. Just skipping the field in
+copy_vmcb_control_area will do.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/svm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -3326,7 +3326,7 @@ static inline void copy_vmcb_control_are
+ dst->iopm_base_pa = from->iopm_base_pa;
+ dst->msrpm_base_pa = from->msrpm_base_pa;
+ dst->tsc_offset = from->tsc_offset;
+- dst->asid = from->asid;
++ /* asid not copied, it is handled manually for svm->vmcb. */
+ dst->tlb_ctl = from->tlb_ctl;
+ dst->int_ctl = from->int_ctl;
+ dst->int_vector = from->int_vector;
--- /dev/null
+From 2ebac8bb3c2d35f5135466490fc8eeaf3f3e2d37 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Thu, 27 Feb 2020 09:44:30 -0800
+Subject: KVM: nVMX: Consult only the "basic" exit reason when routing nested exit
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit 2ebac8bb3c2d35f5135466490fc8eeaf3f3e2d37 upstream.
+
+Consult only the basic exit reason, i.e. bits 15:0 of vmcs.EXIT_REASON,
+when determining whether a nested VM-Exit should be reflected into L1 or
+handled by KVM in L0.
+
+For better or worse, the switch statement in nested_vmx_exit_reflected()
+currently defaults to "true", i.e. reflects any nested VM-Exit without
+dedicated logic. Because the case statements only contain the basic
+exit reason, any VM-Exit with modifier bits set will be reflected to L1,
+even if KVM intended to handle it in L0.
+
+Practically speaking, this only affects EXIT_REASON_MCE_DURING_VMENTRY,
+i.e. a #MC that occurs on nested VM-Enter would be incorrectly routed to
+L1, as "failed VM-Entry" is the only modifier that KVM can currently
+encounter. The SMM modifiers will never be generated as KVM doesn't
+support/employ a SMI Transfer Monitor. Ditto for "exit from enclave",
+as KVM doesn't yet support virtualizing SGX, i.e. it's impossible to
+enter an enclave in a KVM guest (L1 or L2).
+
+Fixes: 644d711aa0e1 ("KVM: nVMX: Deciding if L0 or L1 should handle an L2 exit")
+Cc: Jim Mattson <jmattson@google.com>
+Cc: Xiaoyao Li <xiaoyao.li@intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Message-Id: <20200227174430.26371-1-sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx/nested.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx/nested.c
++++ b/arch/x86/kvm/vmx/nested.c
+@@ -5562,7 +5562,7 @@ bool nested_vmx_exit_reflected(struct kv
+ vmcs_read32(VM_EXIT_INTR_ERROR_CODE),
+ KVM_ISA_VMX);
+
+- switch (exit_reason) {
++ switch ((u16)exit_reason) {
+ case EXIT_REASON_EXCEPTION_NMI:
+ if (is_nmi(intr_info))
+ return false;
--- /dev/null
+From 5c911beff20aa8639e7a1f28988736c13e03ed54 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Fri, 1 May 2020 09:31:17 -0700
+Subject: KVM: nVMX: Skip IBPB when switching between vmcs01 and vmcs02
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit 5c911beff20aa8639e7a1f28988736c13e03ed54 upstream.
+
+Skip the Indirect Branch Prediction Barrier that is triggered on a VMCS
+switch when running with spectre_v2_user=on/auto if the switch is
+between two VMCSes in the same guest, i.e. between vmcs01 and vmcs02.
+The IBPB is intended to prevent one guest from attacking another, which
+is unnecessary in the nested case as it's the same guest from KVM's
+perspective.
+
+This all but eliminates the overhead observed for nested VMX transitions
+when running with CONFIG_RETPOLINE=y and spectre_v2_user=on/auto, which
+can be significant, e.g. roughly 3x on current systems.
+
+Reported-by: Alexander Graf <graf@amazon.com>
+Cc: KarimAllah Raslan <karahmed@amazon.de>
+Cc: stable@vger.kernel.org
+Fixes: 15d45071523d ("KVM/x86: Add IBPB support")
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Message-Id: <20200501163117.4655-1-sean.j.christopherson@intel.com>
+[Invert direction of bool argument. - Paolo]
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx/nested.c | 2 +-
+ arch/x86/kvm/vmx/vmx.c | 18 ++++++++++++++----
+ arch/x86/kvm/vmx/vmx.h | 3 ++-
+ 3 files changed, 17 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kvm/vmx/nested.c
++++ b/arch/x86/kvm/vmx/nested.c
+@@ -303,7 +303,7 @@ static void vmx_switch_vmcs(struct kvm_v
+ cpu = get_cpu();
+ prev = vmx->loaded_vmcs;
+ vmx->loaded_vmcs = vmcs;
+- vmx_vcpu_load_vmcs(vcpu, cpu);
++ vmx_vcpu_load_vmcs(vcpu, cpu, prev);
+ vmx_sync_vmcs_host_state(vmx, prev);
+ put_cpu();
+
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -1314,10 +1314,12 @@ after_clear_sn:
+ pi_set_on(pi_desc);
+ }
+
+-void vmx_vcpu_load_vmcs(struct kvm_vcpu *vcpu, int cpu)
++void vmx_vcpu_load_vmcs(struct kvm_vcpu *vcpu, int cpu,
++ struct loaded_vmcs *buddy)
+ {
+ struct vcpu_vmx *vmx = to_vmx(vcpu);
+ bool already_loaded = vmx->loaded_vmcs->cpu == cpu;
++ struct vmcs *prev;
+
+ if (!already_loaded) {
+ loaded_vmcs_clear(vmx->loaded_vmcs);
+@@ -1336,10 +1338,18 @@ void vmx_vcpu_load_vmcs(struct kvm_vcpu
+ local_irq_enable();
+ }
+
+- if (per_cpu(current_vmcs, cpu) != vmx->loaded_vmcs->vmcs) {
++ prev = per_cpu(current_vmcs, cpu);
++ if (prev != vmx->loaded_vmcs->vmcs) {
+ per_cpu(current_vmcs, cpu) = vmx->loaded_vmcs->vmcs;
+ vmcs_load(vmx->loaded_vmcs->vmcs);
+- indirect_branch_prediction_barrier();
++
++ /*
++ * No indirect branch prediction barrier needed when switching
++ * the active VMCS within a guest, e.g. on nested VM-Enter.
++ * The L1 VMM can protect itself with retpolines, IBPB or IBRS.
++ */
++ if (!buddy || WARN_ON_ONCE(buddy->vmcs != prev))
++ indirect_branch_prediction_barrier();
+ }
+
+ if (!already_loaded) {
+@@ -1376,7 +1386,7 @@ void vmx_vcpu_load(struct kvm_vcpu *vcpu
+ {
+ struct vcpu_vmx *vmx = to_vmx(vcpu);
+
+- vmx_vcpu_load_vmcs(vcpu, cpu);
++ vmx_vcpu_load_vmcs(vcpu, cpu, NULL);
+
+ vmx_vcpu_pi_load(vcpu, cpu);
+
+--- a/arch/x86/kvm/vmx/vmx.h
++++ b/arch/x86/kvm/vmx/vmx.h
+@@ -320,7 +320,8 @@ struct kvm_vmx {
+ };
+
+ bool nested_vmx_allowed(struct kvm_vcpu *vcpu);
+-void vmx_vcpu_load_vmcs(struct kvm_vcpu *vcpu, int cpu);
++void vmx_vcpu_load_vmcs(struct kvm_vcpu *vcpu, int cpu,
++ struct loaded_vmcs *buddy);
+ void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu);
+ int allocate_vpid(void);
+ void free_vpid(int vpid);
--- /dev/null
+From 0d9668721311607353d4861e6c32afeb272813dc Mon Sep 17 00:00:00 2001
+From: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Date: Wed, 27 May 2020 10:23:34 +0200
+Subject: media: videobuf2-dma-contig: fix bad kfree in vb2_dma_contig_clear_max_seg_size
+
+From: Tomi Valkeinen <tomi.valkeinen@ti.com>
+
+commit 0d9668721311607353d4861e6c32afeb272813dc upstream.
+
+Commit 9495b7e92f716ab2bd6814fab5e97ab4a39adfdd ("driver core: platform:
+Initialize dma_parms for platform devices") in v5.7-rc5 causes
+vb2_dma_contig_clear_max_seg_size() to kfree memory that was not
+allocated by vb2_dma_contig_set_max_seg_size().
+
+The assumption in vb2_dma_contig_set_max_seg_size() seems to be that
+dev->dma_parms is always NULL when the driver is probed, and the case
+where dev->dma_parms has bee initialized by someone else than the driver
+(by calling vb2_dma_contig_set_max_seg_size) will cause a failure.
+
+All the current users of these functions are platform devices, which now
+always have dma_parms set by the driver core. To fix the issue for v5.7,
+make vb2_dma_contig_set_max_seg_size() return an error if dma_parms is
+NULL to be on the safe side, and remove the kfree code from
+vb2_dma_contig_clear_max_seg_size().
+
+For v5.8 we should remove the two functions and move the
+dma_set_max_seg_size() calls into the drivers.
+
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Fixes: 9495b7e92f71 ("driver core: platform: Initialize dma_parms for platform devices")
+Cc: stable@vger.kernel.org
+Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/common/videobuf2/videobuf2-dma-contig.c | 20 +-----------------
+ include/media/videobuf2-dma-contig.h | 2 -
+ 2 files changed, 3 insertions(+), 19 deletions(-)
+
+--- a/drivers/media/common/videobuf2/videobuf2-dma-contig.c
++++ b/drivers/media/common/videobuf2/videobuf2-dma-contig.c
+@@ -726,9 +726,8 @@ EXPORT_SYMBOL_GPL(vb2_dma_contig_memops)
+ int vb2_dma_contig_set_max_seg_size(struct device *dev, unsigned int size)
+ {
+ if (!dev->dma_parms) {
+- dev->dma_parms = kzalloc(sizeof(*dev->dma_parms), GFP_KERNEL);
+- if (!dev->dma_parms)
+- return -ENOMEM;
++ dev_err(dev, "Failed to set max_seg_size: dma_parms is NULL\n");
++ return -ENODEV;
+ }
+ if (dma_get_max_seg_size(dev) < size)
+ return dma_set_max_seg_size(dev, size);
+@@ -737,21 +736,6 @@ int vb2_dma_contig_set_max_seg_size(stru
+ }
+ EXPORT_SYMBOL_GPL(vb2_dma_contig_set_max_seg_size);
+
+-/*
+- * vb2_dma_contig_clear_max_seg_size() - release resources for DMA parameters
+- * @dev: device for configuring DMA parameters
+- *
+- * This function releases resources allocated to configure DMA parameters
+- * (see vb2_dma_contig_set_max_seg_size() function). It should be called from
+- * device drivers on driver remove.
+- */
+-void vb2_dma_contig_clear_max_seg_size(struct device *dev)
+-{
+- kfree(dev->dma_parms);
+- dev->dma_parms = NULL;
+-}
+-EXPORT_SYMBOL_GPL(vb2_dma_contig_clear_max_seg_size);
+-
+ MODULE_DESCRIPTION("DMA-contig memory handling routines for videobuf2");
+ MODULE_AUTHOR("Pawel Osciak <pawel@osciak.com>");
+ MODULE_LICENSE("GPL");
+--- a/include/media/videobuf2-dma-contig.h
++++ b/include/media/videobuf2-dma-contig.h
+@@ -25,7 +25,7 @@ vb2_dma_contig_plane_dma_addr(struct vb2
+ }
+
+ int vb2_dma_contig_set_max_seg_size(struct device *dev, unsigned int size);
+-void vb2_dma_contig_clear_max_seg_size(struct device *dev);
++static inline void vb2_dma_contig_clear_max_seg_size(struct device *dev) { }
+
+ extern const struct vb2_mem_ops vb2_dma_contig_memops;
+
--- /dev/null
+From f809da6db68a8be49e317f0ccfbced1af9258839 Mon Sep 17 00:00:00 2001
+From: Dick Kennedy <dick.kennedy@broadcom.com>
+Date: Fri, 1 May 2020 14:43:05 -0700
+Subject: scsi: lpfc: Fix negation of else clause in lpfc_prep_node_fc4type
+
+From: Dick Kennedy <dick.kennedy@broadcom.com>
+
+commit f809da6db68a8be49e317f0ccfbced1af9258839 upstream.
+
+Implementation of a previous patch added a condition to an if check that
+always end up with the if test being true. Execution of the else clause was
+inadvertently negated. The additional condition check was incorrect and
+unnecessary after the other modifications had been done in that patch.
+
+Remove the check from the if series.
+
+Link: https://lore.kernel.org/r/20200501214310.91713-5-jsmart2021@gmail.com
+Fixes: b95b21193c85 ("scsi: lpfc: Fix loss of remote port after devloss due to lack of RPIs")
+Cc: <stable@vger.kernel.org> # v5.4+
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/lpfc/lpfc_ct.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/scsi/lpfc/lpfc_ct.c
++++ b/drivers/scsi/lpfc/lpfc_ct.c
+@@ -462,7 +462,6 @@ lpfc_prep_node_fc4type(struct lpfc_vport
+ struct lpfc_nodelist *ndlp;
+
+ if ((vport->port_type != LPFC_NPIV_PORT) ||
+- (fc4_type == FC_TYPE_FCP) ||
+ !(vport->ct_flags & FC_CT_RFF_ID) || !vport->cfg_restrict_login) {
+
+ ndlp = lpfc_setup_disc_node(vport, Did);
--- /dev/null
+From b9d5e3e7f370a817c742fb089ac1a86dfe8947dc Mon Sep 17 00:00:00 2001
+From: Shivasharan S <shivasharan.srikanteshwara@broadcom.com>
+Date: Fri, 8 May 2020 14:21:30 +0530
+Subject: scsi: megaraid_sas: Replace undefined MFI_BIG_ENDIAN macro with __BIG_ENDIAN_BITFIELD macro
+
+From: Shivasharan S <shivasharan.srikanteshwara@broadcom.com>
+
+commit b9d5e3e7f370a817c742fb089ac1a86dfe8947dc upstream.
+
+MFI_BIG_ENDIAN macro used in drivers structure bitfield to check the CPU
+big endianness is undefined which would break the code on big endian
+machine. __BIG_ENDIAN_BITFIELD kernel macro should be used in places of
+MFI_BIG_ENDIAN macro.
+
+Link: https://lore.kernel.org/r/20200508085130.23339-1-chandrakanth.patil@broadcom.com
+Fixes: a7faf81d7858 ("scsi: megaraid_sas: Set no_write_same only for Virtual Disk")
+Cc: <stable@vger.kernel.org> # v5.6+
+Signed-off-by: Shivasharan S <shivasharan.srikanteshwara@broadcom.com>
+Signed-off-by: Chandrakanth Patil <chandrakanth.patil@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/megaraid/megaraid_sas.h | 4 ++--
+ drivers/scsi/megaraid/megaraid_sas_fusion.h | 6 +++---
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/scsi/megaraid/megaraid_sas.h
++++ b/drivers/scsi/megaraid/megaraid_sas.h
+@@ -511,7 +511,7 @@ union MR_PROGRESS {
+ */
+ struct MR_PD_PROGRESS {
+ struct {
+-#ifndef MFI_BIG_ENDIAN
++#ifndef __BIG_ENDIAN_BITFIELD
+ u32 rbld:1;
+ u32 patrol:1;
+ u32 clear:1;
+@@ -537,7 +537,7 @@ struct MR_PD_PROGRESS {
+ };
+
+ struct {
+-#ifndef MFI_BIG_ENDIAN
++#ifndef __BIG_ENDIAN_BITFIELD
+ u32 rbld:1;
+ u32 patrol:1;
+ u32 clear:1;
+--- a/drivers/scsi/megaraid/megaraid_sas_fusion.h
++++ b/drivers/scsi/megaraid/megaraid_sas_fusion.h
+@@ -774,7 +774,7 @@ struct MR_SPAN_BLOCK_INFO {
+ struct MR_CPU_AFFINITY_MASK {
+ union {
+ struct {
+-#ifndef MFI_BIG_ENDIAN
++#ifndef __BIG_ENDIAN_BITFIELD
+ u8 hw_path:1;
+ u8 cpu0:1;
+ u8 cpu1:1;
+@@ -866,7 +866,7 @@ struct MR_LD_RAID {
+ __le16 seqNum;
+
+ struct {
+-#ifndef MFI_BIG_ENDIAN
++#ifndef __BIG_ENDIAN_BITFIELD
+ u32 ldSyncRequired:1;
+ u32 regTypeReqOnReadIsValid:1;
+ u32 isEPD:1;
+@@ -889,7 +889,7 @@ struct {
+ /* 0x30 - 0x33, Logical block size for the LD */
+ u32 logical_block_length;
+ struct {
+-#ifndef MFI_BIG_ENDIAN
++#ifndef __BIG_ENDIAN_BITFIELD
+ /* 0x34, P_I_EXPONENT from READ CAPACITY 16 */
+ u32 ld_pi_exp:4;
+ /* 0x34, LOGICAL BLOCKS PER PHYSICAL
--- /dev/null
+From 6fd8525a70221c26823b1c7e912fb21f218fb0c5 Mon Sep 17 00:00:00 2001
+From: Sumit Saxena <sumit.saxena@broadcom.com>
+Date: Fri, 8 May 2020 14:22:42 +0530
+Subject: scsi: megaraid_sas: TM command refire leads to controller firmware crash
+
+From: Sumit Saxena <sumit.saxena@broadcom.com>
+
+commit 6fd8525a70221c26823b1c7e912fb21f218fb0c5 upstream.
+
+When TM command times out, driver invokes the controller reset. Post reset,
+driver re-fires pended TM commands which leads to firmware crash.
+
+Post controller reset, return pended TM commands back to OS.
+
+Link: https://lore.kernel.org/r/20200508085242.23406-1-chandrakanth.patil@broadcom.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Sumit Saxena <sumit.saxena@broadcom.com>
+Signed-off-by: Chandrakanth Patil <chandrakanth.patil@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/megaraid/megaraid_sas_fusion.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
++++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
+@@ -4238,6 +4238,7 @@ void megasas_refire_mgmt_cmd(struct mega
+ struct fusion_context *fusion;
+ struct megasas_cmd *cmd_mfi;
+ union MEGASAS_REQUEST_DESCRIPTOR_UNION *req_desc;
++ struct MPI2_RAID_SCSI_IO_REQUEST *scsi_io_req;
+ u16 smid;
+ bool refire_cmd = 0;
+ u8 result;
+@@ -4305,6 +4306,11 @@ void megasas_refire_mgmt_cmd(struct mega
+ result = COMPLETE_CMD;
+ }
+
++ scsi_io_req = (struct MPI2_RAID_SCSI_IO_REQUEST *)
++ cmd_fusion->io_request;
++ if (scsi_io_req->Function == MPI2_FUNCTION_SCSI_TASK_MGMT)
++ result = RETURN_CMD;
++
+ switch (result) {
+ case REFIRE_CMD:
+ megasas_fire_cmd_fusion(instance, req_desc);
+@@ -4533,7 +4539,6 @@ megasas_issue_tm(struct megasas_instance
+ if (!timeleft) {
+ dev_err(&instance->pdev->dev,
+ "task mgmt type 0x%x timed out\n", type);
+- cmd_mfi->flags |= DRV_DCMD_SKIP_REFIRE;
+ mutex_unlock(&instance->reset_mutex);
+ rc = megasas_reset_fusion(instance->host, MFI_IO_TIMEOUT_OCR);
+ mutex_lock(&instance->reset_mutex);
--- /dev/null
+From 619ee76f5c9f6a1d601d1a056a454d62bf676ae4 Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Mon, 25 May 2020 19:20:57 +0900
+Subject: selftests/ftrace: Return unsupported if no error_log file
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+commit 619ee76f5c9f6a1d601d1a056a454d62bf676ae4 upstream.
+
+Check whether error_log file exists in tracing/error_log testcase
+and return UNSUPPORTED if no error_log file.
+
+This can happen if we run the ftracetest on the older stable
+kernel.
+
+Fixes: 4eab1cc461a6 ("selftests/ftrace: Add tracing/error_log testcase")
+Cc: stable@vger.kernel.org
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/testing/selftests/ftrace/test.d/ftrace/tracing-error-log.tc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/tools/testing/selftests/ftrace/test.d/ftrace/tracing-error-log.tc
++++ b/tools/testing/selftests/ftrace/test.d/ftrace/tracing-error-log.tc
+@@ -14,6 +14,8 @@ if [ ! -f set_event ]; then
+ exit_unsupported
+ fi
+
++[ -f error_log ] || exit_unsupported
++
+ ftrace_errlog_check 'event filter parse error' '((sig >= 10 && sig < 15) || dsig ^== 17) && comm != bash' 'events/signal/signal_generate/filter'
+
+ exit 0
proc-use-new_inode-not-new_inode_pseudo.patch
remoteproc-fall-back-to-using-parent-memory-pool-if-no-dedicated-available.patch
remoteproc-fix-and-restore-the-parenting-hierarchy-for-vdev.patch
+cpufreq-fix-up-cpufreq_boost_set_sw.patch
+edac-skx-use-the-mcmtr-register-to-retrieve-close_pg-bank_xor_enable.patch
+video-vt8500lcdfb-fix-fallthrough-warning.patch
+video-fbdev-w100fb-fix-a-potential-double-free.patch
+media-videobuf2-dma-contig-fix-bad-kfree-in-vb2_dma_contig_clear_max_seg_size.patch
+kvm-nvmx-skip-ibpb-when-switching-between-vmcs01-and-vmcs02.patch
+kvm-nsvm-fix-condition-for-filtering-async-pf.patch
+kvm-nsvm-leave-asid-aside-in-copy_vmcb_control_area.patch
+kvm-nvmx-consult-only-the-basic-exit-reason-when-routing-nested-exit.patch
+kvm-mips-define-kvm_entryhi_asid-to-cpu_asid_mask-boot_cpu_data.patch
+kvm-mips-fix-vpn2_mask-definition-for-variable-cpu_vmbits.patch
+kvm-arm64-stop-writing-aarch32-s-csselr-into-actlr.patch
+kvm-arm64-make-vcpu_cp1x-work-on-big-endian-hosts.patch
+scsi-megaraid_sas-tm-command-refire-leads-to-controller-firmware-crash.patch
+scsi-lpfc-fix-negation-of-else-clause-in-lpfc_prep_node_fc4type.patch
+scsi-megaraid_sas-replace-undefined-mfi_big_endian-macro-with-__big_endian_bitfield-macro.patch
+selftests-ftrace-return-unsupported-if-no-error_log-file.patch
--- /dev/null
+From 18722d48a6bb9c2e8d046214c0a5fd19d0a7c9f6 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Wed, 6 May 2020 20:19:02 +0200
+Subject: video: fbdev: w100fb: Fix a potential double free.
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit 18722d48a6bb9c2e8d046214c0a5fd19d0a7c9f6 upstream.
+
+Some memory is vmalloc'ed in the 'w100fb_save_vidmem' function and freed in
+the 'w100fb_restore_vidmem' function. (these functions are called
+respectively from the 'suspend' and the 'resume' functions)
+
+However, it is also freed in the 'remove' function.
+
+In order to avoid a potential double free, set the corresponding pointer
+to NULL once freed in the 'w100fb_restore_vidmem' function.
+
+Fixes: aac51f09d96a ("[PATCH] w100fb: Rewrite for platform independence")
+Cc: Richard Purdie <rpurdie@rpsys.net>
+Cc: Antonino Daplas <adaplas@pol.net>
+Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Cc: <stable@vger.kernel.org> # v2.6.14+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200506181902.193290-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/fbdev/w100fb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/video/fbdev/w100fb.c
++++ b/drivers/video/fbdev/w100fb.c
+@@ -588,6 +588,7 @@ static void w100fb_restore_vidmem(struct
+ memsize=par->mach->mem->size;
+ memcpy_toio(remapped_fbuf + (W100_FB_BASE-MEM_WINDOW_BASE), par->saved_extmem, memsize);
+ vfree(par->saved_extmem);
++ par->saved_extmem = NULL;
+ }
+ if (par->saved_intmem) {
+ memsize=MEM_INT_SIZE;
+@@ -596,6 +597,7 @@ static void w100fb_restore_vidmem(struct
+ else
+ memcpy_toio(remapped_fbuf + (W100_FB_BASE-MEM_WINDOW_BASE), par->saved_intmem, memsize);
+ vfree(par->saved_intmem);
++ par->saved_intmem = NULL;
+ }
+ }
+
--- /dev/null
+From 1c49f35e9e9156273124a0cfd38b57f7a7d4828f Mon Sep 17 00:00:00 2001
+From: Sam Ravnborg <sam@ravnborg.org>
+Date: Sun, 12 Apr 2020 22:21:43 +0200
+Subject: video: vt8500lcdfb: fix fallthrough warning
+
+From: Sam Ravnborg <sam@ravnborg.org>
+
+commit 1c49f35e9e9156273124a0cfd38b57f7a7d4828f upstream.
+
+Fix following warning:
+vt8500lcdfb.c: In function 'vt8500lcd_blank':
+vt8500lcdfb.c:229:6: warning: this statement may fall through [-Wimplicit-fallthrough=]
+ if (info->fix.visual == FB_VISUAL_PSEUDOCOLOR ||
+ ^
+vt8500lcdfb.c:233:2: note: here
+ case FB_BLANK_UNBLANK:
+ ^~~~
+
+Adding a simple "fallthrough;" fixed the warning.
+The fix was build tested.
+
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Reported-by: kbuild test robot <lkp@intel.com>
+Fixes: e41f1a989408 ("fbdev: Implement simple blanking in pseudocolor modes for vt8500lcdfb")
+Cc: Alexey Charkov <alchark@gmail.com>
+Cc: Paul Mundt <lethal@linux-sh.org>
+Cc: <stable@vger.kernel.org> # v2.6.38+
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200412202143.GA26948@ravnborg.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/fbdev/vt8500lcdfb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/video/fbdev/vt8500lcdfb.c
++++ b/drivers/video/fbdev/vt8500lcdfb.c
+@@ -230,6 +230,7 @@ static int vt8500lcd_blank(int blank, st
+ info->fix.visual == FB_VISUAL_STATIC_PSEUDOCOLOR)
+ for (i = 0; i < 256; i++)
+ vt8500lcd_setcolreg(i, 0, 0, 0, 0, info);
++ fallthrough;
+ case FB_BLANK_UNBLANK:
+ if (info->fix.visual == FB_VISUAL_PSEUDOCOLOR ||
+ info->fix.visual == FB_VISUAL_STATIC_PSEUDOCOLOR)
projects / thirdparty / kernel / stable-queue.git / commitdiff
