--- /dev/null
+From 6f37689cf6b38fff96de52e7f0d3e78f22803ba0 Mon Sep 17 00:00:00 2001
+From: Terry Zhou <bjzhou@marvell.com>
+Date: Fri, 6 Nov 2020 11:00:39 +0100
+Subject: clk: mvebu: a3700: fix the XTAL MODE pin to MPP1_9
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Terry Zhou <bjzhou@marvell.com>
+
+commit 6f37689cf6b38fff96de52e7f0d3e78f22803ba0 upstream.
+
+There is an error in the current code that the XTAL MODE
+pin was set to NB MPP1_31 which should be NB MPP1_9.
+The latch register of NB MPP1_9 has different offset of 0x8.
+
+Signed-off-by: Terry Zhou <bjzhou@marvell.com>
+[pali: Fix pin name in commit message]
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Fixes: 7ea8250406a6 ("clk: mvebu: Add the xtal clock for Armada 3700 SoC")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20201106100039.11385-1-pali@kernel.org
+Reviewed-by: Marek Behún <kabel@kernel.org>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/mvebu/armada-37xx-xtal.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/clk/mvebu/armada-37xx-xtal.c
++++ b/drivers/clk/mvebu/armada-37xx-xtal.c
+@@ -15,8 +15,8 @@
+ #include <linux/platform_device.h>
+ #include <linux/regmap.h>
+
+-#define NB_GPIO1_LATCH 0xC
+-#define XTAL_MODE BIT(31)
++#define NB_GPIO1_LATCH 0x8
++#define XTAL_MODE BIT(9)
+
+ static int armada_3700_xtal_clock_probe(struct platform_device *pdev)
+ {
--- /dev/null
+From 73b62cdb93b68d7e2c1d373c6a411bc00c53e702 Mon Sep 17 00:00:00 2001
+From: Zwane Mwaikambo <zwane@yosper.io>
+Date: Mon, 12 Oct 2020 22:59:14 -0700
+Subject: drm/dp_aux_dev: check aux_dev before use in drm_dp_aux_dev_get_by_minor()
+
+From: Zwane Mwaikambo <zwane@yosper.io>
+
+commit 73b62cdb93b68d7e2c1d373c6a411bc00c53e702 upstream.
+
+I observed this when unplugging a DP monitor whilst a computer is asleep
+and then waking it up. This left DP chardev nodes still being present on
+the filesystem and accessing these device nodes caused an oops because
+drm_dp_aux_dev_get_by_minor() assumes a device exists if it is opened.
+This can also be reproduced by creating a device node with mknod(1) and
+issuing an open(2)
+
+[166164.933198] BUG: kernel NULL pointer dereference, address: 0000000000000018
+[166164.933202] #PF: supervisor read access in kernel mode
+[166164.933204] #PF: error_code(0x0000) - not-present page
+[166164.933205] PGD 0 P4D 0
+[166164.933208] Oops: 0000 [#1] PREEMPT SMP NOPTI
+[166164.933211] CPU: 4 PID: 99071 Comm: fwupd Tainted: G W
+5.8.0-rc6+ #1
+[166164.933213] Hardware name: LENOVO 20RD002VUS/20RD002VUS, BIOS R16ET25W
+(1.11 ) 04/21/2020
+[166164.933232] RIP: 0010:drm_dp_aux_dev_get_by_minor+0x29/0x70
+[drm_kms_helper]
+[166164.933234] Code: 00 0f 1f 44 00 00 55 48 89 e5 41 54 41 89 fc 48 c7
+c7 60 01 a4 c0 e8 26 ab 30 d7 44 89 e6 48 c7 c7 80 01 a4 c0 e8 47 94 d6 d6
+<8b> 50 18 49 89 c4 48 8d 78 18 85 d2 74 33 8d 4a 01 89 d0 f0 0f b1
+[166164.933236] RSP: 0018:ffffb7d7c41cbbf0 EFLAGS: 00010246
+[166164.933237] RAX: 0000000000000000 RBX: ffff8a90001fe900 RCX: 0000000000000000
+[166164.933238] RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffffffffc0a40180
+[166164.933239] RBP: ffffb7d7c41cbbf8 R08: 0000000000000000 R09: ffff8a93e157d6d0
+[166164.933240] R10: 0000000000000000 R11: ffffffffc0a40188 R12: 0000000000000003
+[166164.933241] R13: ffff8a9402200e80 R14: ffff8a90001fe900 R15: 0000000000000000
+[166164.933244] FS: 00007f7fb041eb00(0000) GS:ffff8a9411500000(0000)
+knlGS:0000000000000000
+[166164.933245] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[166164.933246] CR2: 0000000000000018 CR3: 00000000352c2003 CR4: 00000000003606e0
+[166164.933247] Call Trace:
+[166164.933264] auxdev_open+0x1b/0x40 [drm_kms_helper]
+[166164.933278] chrdev_open+0xa7/0x1c0
+[166164.933282] ? cdev_put.part.0+0x20/0x20
+[166164.933287] do_dentry_open+0x161/0x3c0
+[166164.933291] vfs_open+0x2d/0x30
+[166164.933297] path_openat+0xb27/0x10e0
+[166164.933306] ? atime_needs_update+0x73/0xd0
+[166164.933309] do_filp_open+0x91/0x100
+[166164.933313] ? __alloc_fd+0xb2/0x150
+[166164.933316] do_sys_openat2+0x210/0x2d0
+[166164.933318] do_sys_open+0x46/0x80
+[166164.933320] __x64_sys_openat+0x20/0x30
+[166164.933328] do_syscall_64+0x52/0xc0
+[166164.933336] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+(gdb) disassemble drm_dp_aux_dev_get_by_minor+0x29
+Dump of assembler code for function drm_dp_aux_dev_get_by_minor:
+ 0x0000000000017b10 <+0>: callq 0x17b15 <drm_dp_aux_dev_get_by_minor+5>
+ 0x0000000000017b15 <+5>: push %rbp
+ 0x0000000000017b16 <+6>: mov %rsp,%rbp
+ 0x0000000000017b19 <+9>: push %r12
+ 0x0000000000017b1b <+11>: mov %edi,%r12d
+ 0x0000000000017b1e <+14>: mov $0x0,%rdi
+ 0x0000000000017b25 <+21>: callq 0x17b2a <drm_dp_aux_dev_get_by_minor+26>
+ 0x0000000000017b2a <+26>: mov %r12d,%esi
+ 0x0000000000017b2d <+29>: mov $0x0,%rdi
+ 0x0000000000017b34 <+36>: callq 0x17b39 <drm_dp_aux_dev_get_by_minor+41>
+ 0x0000000000017b39 <+41>: mov 0x18(%rax),%edx <=========
+ 0x0000000000017b3c <+44>: mov %rax,%r12
+ 0x0000000000017b3f <+47>: lea 0x18(%rax),%rdi
+ 0x0000000000017b43 <+51>: test %edx,%edx
+ 0x0000000000017b45 <+53>: je 0x17b7a <drm_dp_aux_dev_get_by_minor+106>
+ 0x0000000000017b47 <+55>: lea 0x1(%rdx),%ecx
+ 0x0000000000017b4a <+58>: mov %edx,%eax
+ 0x0000000000017b4c <+60>: lock cmpxchg %ecx,(%rdi)
+ 0x0000000000017b50 <+64>: jne 0x17b76 <drm_dp_aux_dev_get_by_minor+102>
+ 0x0000000000017b52 <+66>: test %edx,%edx
+ 0x0000000000017b54 <+68>: js 0x17b6d <drm_dp_aux_dev_get_by_minor+93>
+ 0x0000000000017b56 <+70>: test %ecx,%ecx
+ 0x0000000000017b58 <+72>: js 0x17b6d <drm_dp_aux_dev_get_by_minor+93>
+ 0x0000000000017b5a <+74>: mov $0x0,%rdi
+ 0x0000000000017b61 <+81>: callq 0x17b66 <drm_dp_aux_dev_get_by_minor+86>
+ 0x0000000000017b66 <+86>: mov %r12,%rax
+ 0x0000000000017b69 <+89>: pop %r12
+ 0x0000000000017b6b <+91>: pop %rbp
+ 0x0000000000017b6c <+92>: retq
+ 0x0000000000017b6d <+93>: xor %esi,%esi
+ 0x0000000000017b6f <+95>: callq 0x17b74 <drm_dp_aux_dev_get_by_minor+100>
+ 0x0000000000017b74 <+100>: jmp 0x17b5a <drm_dp_aux_dev_get_by_minor+74>
+ 0x0000000000017b76 <+102>: mov %eax,%edx
+ 0x0000000000017b78 <+104>: jmp 0x17b43 <drm_dp_aux_dev_get_by_minor+51>
+ 0x0000000000017b7a <+106>: xor %r12d,%r12d
+ 0x0000000000017b7d <+109>: jmp 0x17b5a <drm_dp_aux_dev_get_by_minor+74>
+End of assembler dump.
+
+(gdb) list *drm_dp_aux_dev_get_by_minor+0x29
+0x17b39 is in drm_dp_aux_dev_get_by_minor (drivers/gpu/drm/drm_dp_aux_dev.c:65).
+60 static struct drm_dp_aux_dev *drm_dp_aux_dev_get_by_minor(unsigned index)
+61 {
+62 struct drm_dp_aux_dev *aux_dev = NULL;
+63
+64 mutex_lock(&aux_idr_mutex);
+65 aux_dev = idr_find(&aux_idr, index);
+66 if (!kref_get_unless_zero(&aux_dev->refcount))
+67 aux_dev = NULL;
+68 mutex_unlock(&aux_idr_mutex);
+69
+(gdb) p/x &((struct drm_dp_aux_dev *)(0x0))->refcount
+$8 = 0x18
+
+Looking at the caller, checks on the minor are pushed down to
+drm_dp_aux_dev_get_by_minor()
+
+static int auxdev_open(struct inode *inode, struct file *file)
+{
+ unsigned int minor = iminor(inode);
+ struct drm_dp_aux_dev *aux_dev;
+
+ aux_dev = drm_dp_aux_dev_get_by_minor(minor); <====
+ if (!aux_dev)
+ return -ENODEV;
+
+ file->private_data = aux_dev;
+ return 0;
+}
+
+Fixes: e94cb37b34eb ("drm/dp: Add a drm_aux-dev module for reading/writing dpcd registers.")
+Cc: <stable@vger.kernel.org> # v4.6+
+Signed-off-by: Zwane Mwaikambo <zwane@yosper.io>
+Reviewed-by: Lyude Paul <lyude@redhat.com>
+[added Cc to stable]
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/alpine.DEB.2.21.2010122231070.38717@montezuma.home
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_dp_aux_dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_dp_aux_dev.c
++++ b/drivers/gpu/drm/drm_dp_aux_dev.c
+@@ -60,7 +60,7 @@ static struct drm_dp_aux_dev *drm_dp_aux
+
+ mutex_lock(&aux_idr_mutex);
+ aux_dev = idr_find(&aux_idr, index);
+- if (!kref_get_unless_zero(&aux_dev->refcount))
++ if (aux_dev && !kref_get_unless_zero(&aux_dev->refcount))
+ aux_dev = NULL;
+ mutex_unlock(&aux_idr_mutex);
+
--- /dev/null
+From 560c6b914c6ec7d9d9a69fddbb5bf3bf71433e8b Mon Sep 17 00:00:00 2001
+From: Qinglang Miao <miaoqinglang@huawei.com>
+Date: Tue, 3 Nov 2020 20:07:43 +0800
+Subject: iio: adc: rockchip_saradc: fix missing clk_disable_unprepare() on error in rockchip_saradc_resume
+
+From: Qinglang Miao <miaoqinglang@huawei.com>
+
+commit 560c6b914c6ec7d9d9a69fddbb5bf3bf71433e8b upstream.
+
+Fix the missing clk_disable_unprepare() of info->pclk
+before return from rockchip_saradc_resume in the error
+handling case when fails to prepare and enable info->clk.
+
+Suggested-by: Robin Murphy <robin.murphy@arm.com>
+Fixes: 44d6f2ef94f9 ("iio: adc: add driver for Rockchip saradc")
+Signed-off-by: Qinglang Miao <miaoqinglang@huawei.com>
+Cc: <Stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20201103120743.110662-1-miaoqinglang@huawei.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/rockchip_saradc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/rockchip_saradc.c
++++ b/drivers/iio/adc/rockchip_saradc.c
+@@ -383,7 +383,7 @@ static int rockchip_saradc_resume(struct
+
+ ret = clk_prepare_enable(info->clk);
+ if (ret)
+- return ret;
++ clk_disable_unprepare(info->pclk);
+
+ return ret;
+ }
--- /dev/null
+From 19ef7b70ca9487773c29b449adf0c70f540a0aab Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nuno=20S=C3=A1?= <nuno.sa@analog.com>
+Date: Thu, 12 Nov 2020 15:43:22 +0100
+Subject: iio: buffer: Fix demux update
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nuno Sá <nuno.sa@analog.com>
+
+commit 19ef7b70ca9487773c29b449adf0c70f540a0aab upstream.
+
+When updating the buffer demux, we will skip a scan element from the
+device in the case `in_ind != out_ind` and we enter the while loop.
+in_ind should only be refreshed with `find_next_bit()` in the end of the
+loop.
+
+Note, to cause problems we need a situation where we are skippig over
+an element (channel not enabled) that happens to not have the same size
+as the next element. Whilst this is a possible situation we haven't
+actually identified any cases in mainline where it happens as most drivers
+have consistent channel storage sizes with the exception of the timestamp
+which is the last element and hence never skipped over.
+
+Fixes: 5ada4ea9be16 ("staging:iio: add demux optionally to path from device to buffer")
+Signed-off-by: Nuno Sá <nuno.sa@analog.com>
+Link: https://lore.kernel.org/r/20201112144323.28887-1-nuno.sa@analog.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/industrialio-buffer.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/iio/industrialio-buffer.c
++++ b/drivers/iio/industrialio-buffer.c
+@@ -850,12 +850,12 @@ static int iio_buffer_update_demux(struc
+ indio_dev->masklength,
+ in_ind + 1);
+ while (in_ind != out_ind) {
+- in_ind = find_next_bit(indio_dev->active_scan_mask,
+- indio_dev->masklength,
+- in_ind + 1);
+ length = iio_storage_bytes_for_si(indio_dev, in_ind);
+ /* Make sure we are aligned */
+ in_loc = roundup(in_loc, length) + length;
++ in_ind = find_next_bit(indio_dev->active_scan_mask,
++ indio_dev->masklength,
++ in_ind + 1);
+ }
+ length = iio_storage_bytes_for_si(indio_dev, in_ind);
+ out_loc = roundup(out_loc, length);
--- /dev/null
+From dc7de42d6b50a07b37feeba4c6b5136290fcee81 Mon Sep 17 00:00:00 2001
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Date: Sun, 20 Sep 2020 12:27:38 +0100
+Subject: iio:imu:bmi160: Fix too large a buffer.
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+commit dc7de42d6b50a07b37feeba4c6b5136290fcee81 upstream.
+
+The comment implies this device has 3 sensor types, but it only
+has an accelerometer and a gyroscope (both 3D). As such the
+buffer does not need to be as long as stated.
+
+Note I've separated this from the following patch which fixes
+the alignment for passing to iio_push_to_buffers_with_timestamp()
+as they are different issues even if they affect the same line
+of code.
+
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Cc: Daniel Baluta <daniel.baluta@oss.nxp.com>
+Cc: <Stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200920112742.170751-5-jic23@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/imu/bmi160/bmi160_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/imu/bmi160/bmi160_core.c
++++ b/drivers/iio/imu/bmi160/bmi160_core.c
+@@ -385,8 +385,8 @@ static irqreturn_t bmi160_trigger_handle
+ struct iio_poll_func *pf = p;
+ struct iio_dev *indio_dev = pf->indio_dev;
+ struct bmi160_data *data = iio_priv(indio_dev);
+- __le16 buf[16];
+- /* 3 sens x 3 axis x __le16 + 3 x __le16 pad + 4 x __le16 tstamp */
++ __le16 buf[12];
++ /* 2 sens x 3 axis x __le16 + 2 x __le16 pad + 4 x __le16 tstamp */
+ int i, ret, j = 0, base = BMI160_REG_DATA_MAGN_XOUT_L;
+ __le16 sample;
+
--- /dev/null
+From a61817216bcc755eabbcb1cf281d84ccad267ed1 Mon Sep 17 00:00:00 2001
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Date: Sun, 20 Sep 2020 12:27:35 +0100
+Subject: iio:light:rpr0521: Fix timestamp alignment and prevent data leak.
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+commit a61817216bcc755eabbcb1cf281d84ccad267ed1 upstream.
+
+One of a class of bugs pointed out by Lars in a recent review.
+iio_push_to_buffers_with_timestamp() assumes the buffer used is aligned
+to the size of the timestamp (8 bytes). This is not guaranteed in
+this driver which uses an array of smaller elements on the stack.
+As Lars also noted this anti pattern can involve a leak of data to
+userspace and that indeed can happen here. We close both issues by
+moving to a suitable structure in the iio_priv().
+This data is allocated with kzalloc() so no data can leak apart
+from previous readings and in this case the status byte from the device.
+
+The forced alignment of ts is not necessary in this case but it
+potentially makes the code less fragile.
+
+>From personal communications with Mikko:
+
+We could probably split the reading of the int register, but it
+would mean a significant performance cost of 20 i2c clock cycles.
+
+Fixes: e12ffd241c00 ("iio: light: rpr0521 triggered buffer")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Cc: Mikko Koivunen <mikko.koivunen@fi.rohmeurope.com>
+Cc: <Stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200920112742.170751-2-jic23@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/light/rpr0521.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+--- a/drivers/iio/light/rpr0521.c
++++ b/drivers/iio/light/rpr0521.c
+@@ -197,6 +197,17 @@ struct rpr0521_data {
+ bool pxs_need_dis;
+
+ struct regmap *regmap;
++
++ /*
++ * Ensure correct naturally aligned timestamp.
++ * Note that the read will put garbage data into
++ * the padding but this should not be a problem
++ */
++ struct {
++ __le16 channels[3];
++ u8 garbage;
++ s64 ts __aligned(8);
++ } scan;
+ };
+
+ static IIO_CONST_ATTR(in_intensity_scale_available, RPR0521_ALS_SCALE_AVAIL);
+@@ -452,8 +463,6 @@ static irqreturn_t rpr0521_trigger_consu
+ struct rpr0521_data *data = iio_priv(indio_dev);
+ int err;
+
+- u8 buffer[16]; /* 3 16-bit channels + padding + ts */
+-
+ /* Use irq timestamp when reasonable. */
+ if (iio_trigger_using_own(indio_dev) && data->irq_timestamp) {
+ pf->timestamp = data->irq_timestamp;
+@@ -464,11 +473,11 @@ static irqreturn_t rpr0521_trigger_consu
+ pf->timestamp = iio_get_time_ns(indio_dev);
+
+ err = regmap_bulk_read(data->regmap, RPR0521_REG_PXS_DATA,
+- &buffer,
++ data->scan.channels,
+ (3 * 2) + 1); /* 3 * 16-bit + (discarded) int clear reg. */
+ if (!err)
+ iio_push_to_buffers_with_timestamp(indio_dev,
+- buffer, pf->timestamp);
++ &data->scan, pf->timestamp);
+ else
+ dev_err(&data->client->dev,
+ "Trigger consumer can't read from sensor.\n");
--- /dev/null
+From d837a996f57c29a985177bc03b0e599082047f27 Mon Sep 17 00:00:00 2001
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Date: Sun, 20 Sep 2020 12:27:36 +0100
+Subject: iio:light:st_uvis25: Fix timestamp alignment and prevent data leak.
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+commit d837a996f57c29a985177bc03b0e599082047f27 upstream.
+
+One of a class of bugs pointed out by Lars in a recent review.
+iio_push_to_buffers_with_timestamp() assumes the buffer used is aligned
+to the size of the timestamp (8 bytes). This is not guaranteed in
+this driver which uses an array of smaller elements on the stack.
+As Lars also noted this anti pattern can involve a leak of data to
+userspace and that indeed can happen here. We close both issues by
+moving to a suitable structure in the iio_priv()
+
+This data is allocated with kzalloc() so no data can leak apart
+from previous readings.
+
+A local unsigned int variable is used for the regmap call so it
+is clear there is no potential issue with writing into the padding
+of the structure.
+
+Fixes: 3025c8688c1e ("iio: light: add support for UVIS25 sensor")
+Reported-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Cc: <Stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200920112742.170751-3-jic23@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/light/st_uvis25.h | 5 +++++
+ drivers/iio/light/st_uvis25_core.c | 8 +++++---
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/iio/light/st_uvis25.h
++++ b/drivers/iio/light/st_uvis25.h
+@@ -28,6 +28,11 @@ struct st_uvis25_hw {
+ struct iio_trigger *trig;
+ bool enabled;
+ int irq;
++ /* Ensure timestamp is naturally aligned */
++ struct {
++ u8 chan;
++ s64 ts __aligned(8);
++ } scan;
+ };
+
+ extern const struct dev_pm_ops st_uvis25_pm_ops;
+--- a/drivers/iio/light/st_uvis25_core.c
++++ b/drivers/iio/light/st_uvis25_core.c
+@@ -235,17 +235,19 @@ static const struct iio_buffer_setup_ops
+
+ static irqreturn_t st_uvis25_buffer_handler_thread(int irq, void *p)
+ {
+- u8 buffer[ALIGN(sizeof(u8), sizeof(s64)) + sizeof(s64)];
+ struct iio_poll_func *pf = p;
+ struct iio_dev *iio_dev = pf->indio_dev;
+ struct st_uvis25_hw *hw = iio_priv(iio_dev);
++ unsigned int val;
+ int err;
+
+- err = regmap_read(hw->regmap, ST_UVIS25_REG_OUT_ADDR, (int *)buffer);
++ err = regmap_read(hw->regmap, ST_UVIS25_REG_OUT_ADDR, &val);
+ if (err < 0)
+ goto out;
+
+- iio_push_to_buffers_with_timestamp(iio_dev, buffer,
++ hw->scan.chan = val;
++
++ iio_push_to_buffers_with_timestamp(iio_dev, &hw->scan,
+ iio_get_time_ns(iio_dev));
+
+ out:
--- /dev/null
+From 198cf32f0503d2ad60d320b95ef6fb8243db857f Mon Sep 17 00:00:00 2001
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Date: Sun, 20 Sep 2020 12:27:40 +0100
+Subject: iio:pressure:mpl3115: Force alignment of buffer
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+commit 198cf32f0503d2ad60d320b95ef6fb8243db857f upstream.
+
+Whilst this is another case of the issue Lars reported with
+an array of elements of smaller than 8 bytes being passed
+to iio_push_to_buffers_with_timestamp(), the solution here is
+a bit different from the other cases and relies on __aligned
+working on the stack (true since 4.6?)
+
+This one is unusual. We have to do an explicit memset() each time
+as we are reading 3 bytes into a potential 4 byte channel which
+may sometimes be a 2 byte channel depending on what is enabled.
+As such, moving the buffer to the heap in the iio_priv structure
+doesn't save us much. We can't use a nice explicit structure
+on the stack either as the data channels have different storage
+sizes and are all separately controlled.
+
+Fixes: cc26ad455f57 ("iio: Add Freescale MPL3115A2 pressure / temperature sensor driver")
+Reported-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Reviewed-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Cc: Peter Meerwald <pmeerw@pmeerw.net>
+Cc: <Stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200920112742.170751-7-jic23@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/pressure/mpl3115.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/pressure/mpl3115.c
++++ b/drivers/iio/pressure/mpl3115.c
+@@ -147,7 +147,14 @@ static irqreturn_t mpl3115_trigger_handl
+ struct iio_poll_func *pf = p;
+ struct iio_dev *indio_dev = pf->indio_dev;
+ struct mpl3115_data *data = iio_priv(indio_dev);
+- u8 buffer[16]; /* 32-bit channel + 16-bit channel + padding + ts */
++ /*
++ * 32-bit channel + 16-bit channel + padding + ts
++ * Note that it is possible for only one of the first 2
++ * channels to be enabled. If that happens, the first element
++ * of the buffer may be either 16 or 32-bits. As such we cannot
++ * use a simple structure definition to express this data layout.
++ */
++ u8 buffer[16] __aligned(8);
+ int ret, pos = 0;
+
+ mutex_lock(&data->lock);
--- /dev/null
+From c61b3e4839007668360ed8b87d7da96d2e59fc6c Mon Sep 17 00:00:00 2001
+From: Dave Kleikamp <dave.kleikamp@oracle.com>
+Date: Fri, 13 Nov 2020 14:58:46 -0600
+Subject: jfs: Fix array index bounds check in dbAdjTree
+
+From: Dave Kleikamp <dave.kleikamp@oracle.com>
+
+commit c61b3e4839007668360ed8b87d7da96d2e59fc6c upstream.
+
+Bounds checking tools can flag a bug in dbAdjTree() for an array index
+out of bounds in dmt_stree. Since dmt_stree can refer to the stree in
+both structures dmaptree and dmapctl, use the larger array to eliminate
+the false positive.
+
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jfs/jfs_dmap.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/jfs/jfs_dmap.h
++++ b/fs/jfs/jfs_dmap.h
+@@ -196,7 +196,7 @@ typedef union dmtree {
+ #define dmt_leafidx t1.leafidx
+ #define dmt_height t1.height
+ #define dmt_budmin t1.budmin
+-#define dmt_stree t1.stree
++#define dmt_stree t2.stree
+
+ /*
+ * on-disk aggregate disk allocation map descriptor.
--- /dev/null
+From 2dd2a1740ee19cd2636d247276cf27bfa434b0e2 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Fri, 20 Nov 2020 08:50:07 -0800
+Subject: libnvdimm/namespace: Fix reaping of invalidated block-window-namespace labels
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit 2dd2a1740ee19cd2636d247276cf27bfa434b0e2 upstream.
+
+A recent change to ndctl to attempt to reconfigure namespaces in place
+uncovered a label accounting problem in block-window-type namespaces.
+The ndctl "create.sh" test is able to trigger this signature:
+
+ WARNING: CPU: 34 PID: 9167 at drivers/nvdimm/label.c:1100 __blk_label_update+0x9a3/0xbc0 [libnvdimm]
+ [..]
+ RIP: 0010:__blk_label_update+0x9a3/0xbc0 [libnvdimm]
+ [..]
+ Call Trace:
+ uuid_store+0x21b/0x2f0 [libnvdimm]
+ kernfs_fop_write+0xcf/0x1c0
+ vfs_write+0xcc/0x380
+ ksys_write+0x68/0xe0
+
+When allocated capacity for a namespace is renamed (new UUID) the labels
+with the old UUID need to be deleted. The ndctl behavior to always
+destroy namespaces on reconfiguration hid this problem.
+
+The immediate impact of this bug is limited since block-window-type
+namespaces only seem to exist in the specification and not in any
+shipping products. However, the label handling code is being reused for
+other technologies like CXL region labels, so there is a benefit to
+making sure both vertical labels sets (block-window) and horizontal
+label sets (pmem) have a functional reference implementation in
+libnvdimm.
+
+Fixes: c4703ce11c23 ("libnvdimm/namespace: Fix label tracking error")
+Cc: <stable@vger.kernel.org>
+Cc: Vishal Verma <vishal.l.verma@intel.com>
+Cc: Dave Jiang <dave.jiang@intel.com>
+Cc: Ira Weiny <ira.weiny@intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/label.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/nvdimm/label.c
++++ b/drivers/nvdimm/label.c
+@@ -861,6 +861,15 @@ static int __blk_label_update(struct nd_
+ }
+ }
+
++ /* release slots associated with any invalidated UUIDs */
++ mutex_lock(&nd_mapping->lock);
++ list_for_each_entry_safe(label_ent, e, &nd_mapping->labels, list)
++ if (test_and_clear_bit(ND_LABEL_REAP, &label_ent->flags)) {
++ reap_victim(nd_mapping, label_ent);
++ list_move(&label_ent->list, &list);
++ }
++ mutex_unlock(&nd_mapping->lock);
++
+ /*
+ * Find the resource associated with the first label in the set
+ * per the v1.2 namespace specification.
--- /dev/null
+From a8da01f79c89755fad55ed0ea96e8d2103242a72 Mon Sep 17 00:00:00 2001
+From: Zhao Heming <heming.zhao@suse.com>
+Date: Thu, 19 Nov 2020 19:41:33 +0800
+Subject: md/cluster: block reshape with remote resync job
+
+From: Zhao Heming <heming.zhao@suse.com>
+
+commit a8da01f79c89755fad55ed0ea96e8d2103242a72 upstream.
+
+Reshape request should be blocked with ongoing resync job. In cluster
+env, a node can start resync job even if the resync cmd isn't executed
+on it, e.g., user executes "mdadm --grow" on node A, sometimes node B
+will start resync job. However, current update_raid_disks() only check
+local recovery status, which is incomplete. As a result, we see user will
+execute "mdadm --grow" successfully on local, while the remote node deny
+to do reshape job when it doing resync job. The inconsistent handling
+cause array enter unexpected status. If user doesn't observe this issue
+and continue executing mdadm cmd, the array doesn't work at last.
+
+Fix this issue by blocking reshape request. When node executes "--grow"
+and detects ongoing resync, it should stop and report error to user.
+
+The following script reproduces the issue with ~100% probability.
+(two nodes share 3 iSCSI luns: sdg/sdh/sdi. Each lun size is 1GB)
+```
+ # on node1, node2 is the remote node.
+ssh root@node2 "mdadm -S --scan"
+mdadm -S --scan
+for i in {g,h,i};do dd if=/dev/zero of=/dev/sd$i oflag=direct bs=1M \
+count=20; done
+
+mdadm -C /dev/md0 -b clustered -e 1.2 -n 2 -l mirror /dev/sdg /dev/sdh
+ssh root@node2 "mdadm -A /dev/md0 /dev/sdg /dev/sdh"
+
+sleep 5
+
+mdadm --manage --add /dev/md0 /dev/sdi
+mdadm --wait /dev/md0
+mdadm --grow --raid-devices=3 /dev/md0
+
+mdadm /dev/md0 --fail /dev/sdg
+mdadm /dev/md0 --remove /dev/sdg
+mdadm --grow --raid-devices=2 /dev/md0
+```
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Zhao Heming <heming.zhao@suse.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/md.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -6895,6 +6895,7 @@ static int update_raid_disks(struct mdde
+ return -EINVAL;
+ if (mddev->sync_thread ||
+ test_bit(MD_RECOVERY_RUNNING, &mddev->recovery) ||
++ test_bit(MD_RESYNCING_REMOTE, &mddev->recovery) ||
+ mddev->reshape_position != MaxSector)
+ return -EBUSY;
+
+@@ -9241,8 +9242,11 @@ static void check_sb_changes(struct mdde
+ }
+ }
+
+- if (mddev->raid_disks != le32_to_cpu(sb->raid_disks))
+- update_raid_disks(mddev, le32_to_cpu(sb->raid_disks));
++ if (mddev->raid_disks != le32_to_cpu(sb->raid_disks)) {
++ ret = update_raid_disks(mddev, le32_to_cpu(sb->raid_disks));
++ if (ret)
++ pr_warn("md: updating array disks failed. %d\n", ret);
++ }
+
+ /* Finally set the event to be up to date */
+ mddev->events = le64_to_cpu(sb->events);
--- /dev/null
+From bca5b0658020be90b6b504ca514fd80110204f71 Mon Sep 17 00:00:00 2001
+From: Zhao Heming <heming.zhao@suse.com>
+Date: Thu, 19 Nov 2020 19:41:34 +0800
+Subject: md/cluster: fix deadlock when node is doing resync job
+
+From: Zhao Heming <heming.zhao@suse.com>
+
+commit bca5b0658020be90b6b504ca514fd80110204f71 upstream.
+
+md-cluster uses MD_CLUSTER_SEND_LOCK to make node can exclusively send msg.
+During sending msg, node can concurrently receive msg from another node.
+When node does resync job, grab token_lockres:EX may trigger a deadlock:
+```
+nodeA nodeB
+-------------------- --------------------
+a.
+send METADATA_UPDATED
+held token_lockres:EX
+ b.
+ md_do_sync
+ resync_info_update
+ send RESYNCING
+ + set MD_CLUSTER_SEND_LOCK
+ + wait for holding token_lockres:EX
+
+ c.
+ mdadm /dev/md0 --remove /dev/sdg
+ + held reconfig_mutex
+ + send REMOVE
+ + wait_event(MD_CLUSTER_SEND_LOCK)
+
+ d.
+ recv_daemon //METADATA_UPDATED from A
+ process_metadata_update
+ + (mddev_trylock(mddev) ||
+ MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD)
+ //this time, both return false forever
+```
+Explaination:
+a. A send METADATA_UPDATED
+ This will block another node to send msg
+
+b. B does sync jobs, which will send RESYNCING at intervals.
+ This will be block for holding token_lockres:EX lock.
+
+c. B do "mdadm --remove", which will send REMOVE.
+ This will be blocked by step <b>: MD_CLUSTER_SEND_LOCK is 1.
+
+d. B recv METADATA_UPDATED msg, which send from A in step <a>.
+ This will be blocked by step <c>: holding mddev lock, it makes
+ wait_event can't hold mddev lock. (btw,
+ MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD keep ZERO in this scenario.)
+
+There is a similar deadlock in commit 0ba959774e93
+("md-cluster: use sync way to handle METADATA_UPDATED msg")
+In that commit, step c is "update sb". This patch step c is
+"mdadm --remove".
+
+For fixing this issue, we can refer the solution of function:
+metadata_update_start. Which does the same grab lock_token action.
+lock_comm can use the same steps to avoid deadlock. By moving
+MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD from lock_token to lock_comm.
+It enlarge a little bit window of MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD,
+but it is safe & can break deadlock.
+
+Repro steps (I only triggered 3 times with hundreds tests):
+
+two nodes share 3 iSCSI luns: sdg/sdh/sdi. Each lun size is 1GB.
+```
+ssh root@node2 "mdadm -S --scan"
+mdadm -S --scan
+for i in {g,h,i};do dd if=/dev/zero of=/dev/sd$i oflag=direct bs=1M \
+count=20; done
+
+mdadm -C /dev/md0 -b clustered -e 1.2 -n 2 -l mirror /dev/sdg /dev/sdh \
+ --bitmap-chunk=1M
+ssh root@node2 "mdadm -A /dev/md0 /dev/sdg /dev/sdh"
+
+sleep 5
+
+mkfs.xfs /dev/md0
+mdadm --manage --add /dev/md0 /dev/sdi
+mdadm --wait /dev/md0
+mdadm --grow --raid-devices=3 /dev/md0
+
+mdadm /dev/md0 --fail /dev/sdg
+mdadm /dev/md0 --remove /dev/sdg
+mdadm --grow --raid-devices=2 /dev/md0
+```
+
+test script will hung when executing "mdadm --remove".
+
+```
+ # dump stacks by "echo t > /proc/sysrq-trigger"
+md0_cluster_rec D 0 5329 2 0x80004000
+Call Trace:
+ __schedule+0x1f6/0x560
+ ? _cond_resched+0x2d/0x40
+ ? schedule+0x4a/0xb0
+ ? process_metadata_update.isra.0+0xdb/0x140 [md_cluster]
+ ? wait_woken+0x80/0x80
+ ? process_recvd_msg+0x113/0x1d0 [md_cluster]
+ ? recv_daemon+0x9e/0x120 [md_cluster]
+ ? md_thread+0x94/0x160 [md_mod]
+ ? wait_woken+0x80/0x80
+ ? md_congested+0x30/0x30 [md_mod]
+ ? kthread+0x115/0x140
+ ? __kthread_bind_mask+0x60/0x60
+ ? ret_from_fork+0x1f/0x40
+
+mdadm D 0 5423 1 0x00004004
+Call Trace:
+ __schedule+0x1f6/0x560
+ ? __schedule+0x1fe/0x560
+ ? schedule+0x4a/0xb0
+ ? lock_comm.isra.0+0x7b/0xb0 [md_cluster]
+ ? wait_woken+0x80/0x80
+ ? remove_disk+0x4f/0x90 [md_cluster]
+ ? hot_remove_disk+0xb1/0x1b0 [md_mod]
+ ? md_ioctl+0x50c/0xba0 [md_mod]
+ ? wait_woken+0x80/0x80
+ ? blkdev_ioctl+0xa2/0x2a0
+ ? block_ioctl+0x39/0x40
+ ? ksys_ioctl+0x82/0xc0
+ ? __x64_sys_ioctl+0x16/0x20
+ ? do_syscall_64+0x5f/0x150
+ ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+md0_resync D 0 5425 2 0x80004000
+Call Trace:
+ __schedule+0x1f6/0x560
+ ? schedule+0x4a/0xb0
+ ? dlm_lock_sync+0xa1/0xd0 [md_cluster]
+ ? wait_woken+0x80/0x80
+ ? lock_token+0x2d/0x90 [md_cluster]
+ ? resync_info_update+0x95/0x100 [md_cluster]
+ ? raid1_sync_request+0x7d3/0xa40 [raid1]
+ ? md_do_sync.cold+0x737/0xc8f [md_mod]
+ ? md_thread+0x94/0x160 [md_mod]
+ ? md_congested+0x30/0x30 [md_mod]
+ ? kthread+0x115/0x140
+ ? __kthread_bind_mask+0x60/0x60
+ ? ret_from_fork+0x1f/0x40
+```
+
+At last, thanks for Xiao's solution.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Zhao Heming <heming.zhao@suse.com>
+Suggested-by: Xiao Ni <xni@redhat.com>
+Reviewed-by: Xiao Ni <xni@redhat.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/md-cluster.c | 67 +++++++++++++++++++++++++++---------------------
+ drivers/md/md.c | 6 ++--
+ 2 files changed, 42 insertions(+), 31 deletions(-)
+
+--- a/drivers/md/md-cluster.c
++++ b/drivers/md/md-cluster.c
+@@ -669,9 +669,27 @@ out:
+ * Takes the lock on the TOKEN lock resource so no other
+ * node can communicate while the operation is underway.
+ */
+-static int lock_token(struct md_cluster_info *cinfo, bool mddev_locked)
++static int lock_token(struct md_cluster_info *cinfo)
+ {
+- int error, set_bit = 0;
++ int error;
++
++ error = dlm_lock_sync(cinfo->token_lockres, DLM_LOCK_EX);
++ if (error) {
++ pr_err("md-cluster(%s:%d): failed to get EX on TOKEN (%d)\n",
++ __func__, __LINE__, error);
++ } else {
++ /* Lock the receive sequence */
++ mutex_lock(&cinfo->recv_mutex);
++ }
++ return error;
++}
++
++/* lock_comm()
++ * Sets the MD_CLUSTER_SEND_LOCK bit to lock the send channel.
++ */
++static int lock_comm(struct md_cluster_info *cinfo, bool mddev_locked)
++{
++ int rv, set_bit = 0;
+ struct mddev *mddev = cinfo->mddev;
+
+ /*
+@@ -682,34 +700,19 @@ static int lock_token(struct md_cluster_
+ */
+ if (mddev_locked && !test_bit(MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD,
+ &cinfo->state)) {
+- error = test_and_set_bit_lock(MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD,
++ rv = test_and_set_bit_lock(MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD,
+ &cinfo->state);
+- WARN_ON_ONCE(error);
++ WARN_ON_ONCE(rv);
+ md_wakeup_thread(mddev->thread);
+ set_bit = 1;
+ }
+- error = dlm_lock_sync(cinfo->token_lockres, DLM_LOCK_EX);
+- if (set_bit)
+- clear_bit_unlock(MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD, &cinfo->state);
+
+- if (error)
+- pr_err("md-cluster(%s:%d): failed to get EX on TOKEN (%d)\n",
+- __func__, __LINE__, error);
+-
+- /* Lock the receive sequence */
+- mutex_lock(&cinfo->recv_mutex);
+- return error;
+-}
+-
+-/* lock_comm()
+- * Sets the MD_CLUSTER_SEND_LOCK bit to lock the send channel.
+- */
+-static int lock_comm(struct md_cluster_info *cinfo, bool mddev_locked)
+-{
+ wait_event(cinfo->wait,
+ !test_and_set_bit(MD_CLUSTER_SEND_LOCK, &cinfo->state));
+-
+- return lock_token(cinfo, mddev_locked);
++ rv = lock_token(cinfo);
++ if (set_bit)
++ clear_bit_unlock(MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD, &cinfo->state);
++ return rv;
+ }
+
+ static void unlock_comm(struct md_cluster_info *cinfo)
+@@ -789,9 +792,11 @@ static int sendmsg(struct md_cluster_inf
+ {
+ int ret;
+
+- lock_comm(cinfo, mddev_locked);
+- ret = __sendmsg(cinfo, cmsg);
+- unlock_comm(cinfo);
++ ret = lock_comm(cinfo, mddev_locked);
++ if (!ret) {
++ ret = __sendmsg(cinfo, cmsg);
++ unlock_comm(cinfo);
++ }
+ return ret;
+ }
+
+@@ -1063,7 +1068,7 @@ static int metadata_update_start(struct
+ return 0;
+ }
+
+- ret = lock_token(cinfo, 1);
++ ret = lock_token(cinfo);
+ clear_bit_unlock(MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD, &cinfo->state);
+ return ret;
+ }
+@@ -1181,7 +1186,10 @@ static void update_size(struct mddev *md
+ int raid_slot = -1;
+
+ md_update_sb(mddev, 1);
+- lock_comm(cinfo, 1);
++ if (lock_comm(cinfo, 1)) {
++ pr_err("%s: lock_comm failed\n", __func__);
++ return;
++ }
+
+ memset(&cmsg, 0, sizeof(cmsg));
+ cmsg.type = cpu_to_le32(METADATA_UPDATED);
+@@ -1330,7 +1338,8 @@ static int add_new_disk(struct mddev *md
+ cmsg.type = cpu_to_le32(NEWDISK);
+ memcpy(cmsg.uuid, uuid, 16);
+ cmsg.raid_slot = cpu_to_le32(rdev->desc_nr);
+- lock_comm(cinfo, 1);
++ if (lock_comm(cinfo, 1))
++ return -EAGAIN;
+ ret = __sendmsg(cinfo, &cmsg);
+ if (ret) {
+ unlock_comm(cinfo);
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -6564,8 +6564,10 @@ static int hot_remove_disk(struct mddev
+ goto busy;
+
+ kick_rdev:
+- if (mddev_is_clustered(mddev))
+- md_cluster_ops->remove_disk(mddev, rdev);
++ if (mddev_is_clustered(mddev)) {
++ if (md_cluster_ops->remove_disk(mddev, rdev))
++ goto busy;
++ }
+
+ md_kick_rdev_from_array(rdev);
+ set_bit(MD_SB_CHANGE_DEVS, &mddev->sb_flags);
--- /dev/null
+From 639a82434f16a6df0ce0e7c8595976f1293940fd Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Tue, 24 Nov 2020 07:25:06 +0100
+Subject: mtd: parser: cmdline: Fix parsing of part-names with colons
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit 639a82434f16a6df0ce0e7c8595976f1293940fd upstream.
+
+Some devices (especially QCA ones) are already using hardcoded partition
+names with colons in it. The OpenMesh A62 for example provides following
+mtd relevant information via cmdline:
+
+ root=31:11 mtdparts=spi0.0:256k(0:SBL1),128k(0:MIBIB),384k(0:QSEE),64k(0:CDT),64k(0:DDRPARAMS),64k(0:APPSBLENV),512k(0:APPSBL),64k(0:ART),64k(custom),64k(0:KEYS),0x002b0000(kernel),0x00c80000(rootfs),15552k(inactive) rootfsname=rootfs rootwait
+
+The change to split only on the last colon between mtd-id and partitions
+will cause newpart to see following string for the first partition:
+
+ KEYS),0x002b0000(kernel),0x00c80000(rootfs),15552k(inactive)
+
+Such a partition list cannot be parsed and thus the device fails to boot.
+
+Avoid this behavior by making sure that the start of the first part-name
+("(") will also be the last byte the mtd-id split algorithm is using for
+its colon search.
+
+Fixes: eb13fa022741 ("mtd: parser: cmdline: Support MTD names containing one or more colons")
+Cc: stable@vger.kernel.org
+Cc: Ron Minnich <rminnich@google.com>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20201124062506.185392-1-sven@narfation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/cmdlinepart.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/mtd/cmdlinepart.c
++++ b/drivers/mtd/cmdlinepart.c
+@@ -231,7 +231,7 @@ static int mtdpart_setup_real(char *s)
+ struct cmdline_mtd_partition *this_mtd;
+ struct mtd_partition *parts;
+ int mtd_id_len, num_parts;
+- char *p, *mtd_id, *semicol;
++ char *p, *mtd_id, *semicol, *open_parenth;
+
+ /*
+ * Replace the first ';' by a NULL char so strrchr can work
+@@ -241,6 +241,14 @@ static int mtdpart_setup_real(char *s)
+ if (semicol)
+ *semicol = '\0';
+
++ /*
++ * make sure that part-names with ":" will not be handled as
++ * part of the mtd-id with an ":"
++ */
++ open_parenth = strchr(s, '(');
++ if (open_parenth)
++ *open_parenth = '\0';
++
+ mtd_id = s;
+
+ /*
+@@ -250,6 +258,10 @@ static int mtdpart_setup_real(char *s)
+ */
+ p = strrchr(s, ':');
+
++ /* Restore the '(' now. */
++ if (open_parenth)
++ *open_parenth = '(';
++
+ /* Restore the ';' now. */
+ if (semicol)
+ *semicol = ';';
--- /dev/null
+From bc3686021122de953858a5be4cbf6e3f1d821e79 Mon Sep 17 00:00:00 2001
+From: Praveenkumar I <ipkumar@codeaurora.org>
+Date: Fri, 9 Oct 2020 13:37:52 +0530
+Subject: mtd: rawnand: qcom: Fix DMA sync on FLASH_STATUS register read
+
+From: Praveenkumar I <ipkumar@codeaurora.org>
+
+commit bc3686021122de953858a5be4cbf6e3f1d821e79 upstream.
+
+After each codeword NAND_FLASH_STATUS is read for possible operational
+failures. But there is no DMA sync for CPU operation before reading it
+and this leads to incorrect or older copy of DMA buffer in reg_read_buf.
+
+This patch adds the DMA sync on reg_read_buf for CPU before reading it.
+
+Fixes: 5bc36b2bf6e2 ("mtd: rawnand: qcom: check for operation errors in case of raw read")
+Cc: stable@vger.kernel.org
+Signed-off-by: Praveenkumar I <ipkumar@codeaurora.org>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/1602230872-25616-1-git-send-email-ipkumar@codeaurora.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/raw/qcom_nandc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mtd/nand/raw/qcom_nandc.c
++++ b/drivers/mtd/nand/raw/qcom_nandc.c
+@@ -1578,6 +1578,8 @@ static int check_flash_errors(struct qco
+ struct qcom_nand_controller *nandc = get_qcom_nand_controller(chip);
+ int i;
+
++ nandc_read_buffer_sync(nandc, true);
++
+ for (i = 0; i < cw_cnt; i++) {
+ u32 flash = le32_to_cpu(nandc->reg_read_buf[i]);
+
--- /dev/null
+From 868cbe2a6dcee451bd8f87cbbb2a73cf463b57e5 Mon Sep 17 00:00:00 2001
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+Date: Thu, 1 Oct 2020 12:20:13 +0200
+Subject: mtd: spinand: Fix OOB read
+
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+
+commit 868cbe2a6dcee451bd8f87cbbb2a73cf463b57e5 upstream.
+
+So far OOB have never been used in SPI-NAND, add the missing memcpy to
+make it work properly.
+
+Fixes: 7529df465248 ("mtd: nand: Add core infrastructure to support SPI NANDs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20201001102014.20100-6-miquel.raynal@bootlin.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/spi/core.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/mtd/nand/spi/core.c
++++ b/drivers/mtd/nand/spi/core.c
+@@ -378,6 +378,10 @@ static int spinand_write_to_cache_op(str
+ }
+ }
+
++ if (req->ooblen)
++ memcpy(req->oobbuf.in, spinand->oobbuf + req->ooboffs,
++ req->ooblen);
++
+ return 0;
+ }
+
--- /dev/null
+From 4684709bf81a2d98152ed6b610e3d5c403f9bced Mon Sep 17 00:00:00 2001
+From: Jubin Zhong <zhongjubin@huawei.com>
+Date: Wed, 2 Dec 2020 10:33:42 +0800
+Subject: PCI: Fix pci_slot_release() NULL pointer dereference
+
+From: Jubin Zhong <zhongjubin@huawei.com>
+
+commit 4684709bf81a2d98152ed6b610e3d5c403f9bced upstream.
+
+If kobject_init_and_add() fails, pci_slot_release() is called to delete
+slot->list from parent->slots. But slot->list hasn't been initialized
+yet, so we dereference a NULL pointer:
+
+ Unable to handle kernel NULL pointer dereference at virtual address
+00000000
+ ...
+ CPU: 10 PID: 1 Comm: swapper/0 Not tainted 4.4.240 #197
+ task: ffffeb398a45ef10 task.stack: ffffeb398a470000
+ PC is at __list_del_entry_valid+0x5c/0xb0
+ LR is at pci_slot_release+0x84/0xe4
+ ...
+ __list_del_entry_valid+0x5c/0xb0
+ pci_slot_release+0x84/0xe4
+ kobject_put+0x184/0x1c4
+ pci_create_slot+0x17c/0x1b4
+ __pci_hp_initialize+0x68/0xa4
+ pciehp_probe+0x1a4/0x2fc
+ pcie_port_probe_service+0x58/0x84
+ driver_probe_device+0x320/0x470
+
+Initialize slot->list before calling kobject_init_and_add() to avoid this.
+
+Fixes: 8a94644b440e ("PCI: Fix pci_create_slot() reference count leak")
+Link: https://lore.kernel.org/r/1606876422-117457-1-git-send-email-zhongjubin@huawei.com
+Signed-off-by: Jubin Zhong <zhongjubin@huawei.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org # v5.9+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/slot.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/pci/slot.c
++++ b/drivers/pci/slot.c
+@@ -307,6 +307,9 @@ placeholder:
+ goto err;
+ }
+
++ INIT_LIST_HEAD(&slot->list);
++ list_add(&slot->list, &parent->slots);
++
+ err = kobject_init_and_add(&slot->kobj, &pci_slot_ktype, NULL,
+ "%s", slot_name);
+ if (err) {
+@@ -314,9 +317,6 @@ placeholder:
+ goto err;
+ }
+
+- INIT_LIST_HEAD(&slot->list);
+- list_add(&slot->list, &parent->slots);
+-
+ down_read(&pci_bus_sem);
+ list_for_each_entry(dev, &parent->devices, bus_list)
+ if (PCI_SLOT(dev->devfn) == slot_nr)
--- /dev/null
+From a1158e36f876f6269978a4176e3a1d48d27fe7a1 Mon Sep 17 00:00:00 2001
+From: Yangtao Li <frank@allwinnertech.com>
+Date: Tue, 10 Nov 2020 14:24:40 +0800
+Subject: pinctrl: sunxi: Always call chained_irq_{enter, exit} in sunxi_pinctrl_irq_handler
+
+From: Yangtao Li <frank@allwinnertech.com>
+
+commit a1158e36f876f6269978a4176e3a1d48d27fe7a1 upstream.
+
+It is found on many allwinner soc that there is a low probability that
+the interrupt status cannot be read in sunxi_pinctrl_irq_handler. This
+will cause the interrupt status of a gpio bank to always be active on
+gic, preventing gic from responding to other spi interrupts correctly.
+
+So we should call the chained_irq_* each time enter sunxi_pinctrl_irq_handler().
+
+Signed-off-by: Yangtao Li <frank@allwinnertech.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/85263ce8b058e80cea25c6ad6383eb256ce96cc8.1604988979.git.frank@allwinnertech.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/sunxi/pinctrl-sunxi.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/pinctrl/sunxi/pinctrl-sunxi.c
++++ b/drivers/pinctrl/sunxi/pinctrl-sunxi.c
+@@ -1001,20 +1001,22 @@ static void sunxi_pinctrl_irq_handler(st
+ if (bank == pctl->desc->irq_banks)
+ return;
+
++ chained_irq_enter(chip, desc);
++
+ reg = sunxi_irq_status_reg_from_bank(pctl->desc, bank);
+ val = readl(pctl->membase + reg);
+
+ if (val) {
+ int irqoffset;
+
+- chained_irq_enter(chip, desc);
+ for_each_set_bit(irqoffset, &val, IRQ_PER_BANK) {
+ int pin_irq = irq_find_mapping(pctl->domain,
+ bank * IRQ_PER_BANK + irqoffset);
+ generic_handle_irq(pin_irq);
+ }
+- chained_irq_exit(chip, desc);
+ }
++
++ chained_irq_exit(chip, desc);
+ }
+
+ static int sunxi_pinctrl_add_function(struct sunxi_pinctrl *pctl,
--- /dev/null
+From fe6000990394639ed374cb76c313be3640714f47 Mon Sep 17 00:00:00 2001
+From: Carlos Garnacho <carlosg@gnome.org>
+Date: Tue, 1 Dec 2020 14:57:27 +0100
+Subject: platform/x86: intel-vbtn: Allow switch events on Acer Switch Alpha 12
+
+From: Carlos Garnacho <carlosg@gnome.org>
+
+commit fe6000990394639ed374cb76c313be3640714f47 upstream.
+
+This 2-in-1 model (Product name: Switch SA5-271) features a SW_TABLET_MODE
+that works as it would be expected, both when detaching the keyboard and
+when folding it behind the tablet body.
+
+It used to work until the introduction of the allow list at
+commit 8169bd3e6e193 ("platform/x86: intel-vbtn: Switch to an allow-list
+for SW_TABLET_MODE reporting"). Add this model to it, so that the Virtual
+Buttons device announces the EV_SW features again.
+
+Fixes: 8169bd3e6e193 ("platform/x86: intel-vbtn: Switch to an allow-list for SW_TABLET_MODE reporting")
+Cc: stable@vger.kernel.org
+Signed-off-by: Carlos Garnacho <carlosg@gnome.org>
+Link: https://lore.kernel.org/r/20201201135727.212917-1-carlosg@gnome.org
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/platform/x86/intel-vbtn.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/platform/x86/intel-vbtn.c
++++ b/drivers/platform/x86/intel-vbtn.c
+@@ -203,6 +203,12 @@ static const struct dmi_system_id dmi_sw
+ DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion 13 x360 PC"),
+ },
+ },
++ {
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Switch SA5-271"),
++ },
++ },
+ {} /* Array terminator */
+ };
+
--- /dev/null
+From 62e3a931db60daf94fdb3159d685a5bc6ad4d0cf Mon Sep 17 00:00:00 2001
+From: James Smart <james.smart@broadcom.com>
+Date: Tue, 20 Oct 2020 13:27:11 -0700
+Subject: scsi: lpfc: Fix invalid sleeping context in lpfc_sli4_nvmet_alloc()
+
+From: James Smart <james.smart@broadcom.com>
+
+commit 62e3a931db60daf94fdb3159d685a5bc6ad4d0cf upstream.
+
+The following calltrace was seen:
+
+BUG: sleeping function called from invalid context at mm/slab.h:494
+...
+Call Trace:
+ dump_stack+0x9a/0xf0
+ ___might_sleep.cold.63+0x13d/0x178
+ slab_pre_alloc_hook+0x6a/0x90
+ kmem_cache_alloc_trace+0x3a/0x2d0
+ lpfc_sli4_nvmet_alloc+0x4c/0x280 [lpfc]
+ lpfc_post_rq_buffer+0x2e7/0xa60 [lpfc]
+ lpfc_sli4_hba_setup+0x6b4c/0xa4b0 [lpfc]
+ lpfc_pci_probe_one_s4.isra.15+0x14f8/0x2280 [lpfc]
+ lpfc_pci_probe_one+0x260/0x2880 [lpfc]
+ local_pci_probe+0xd4/0x180
+ work_for_cpu_fn+0x51/0xa0
+ process_one_work+0x8f0/0x17b0
+ worker_thread+0x536/0xb50
+ kthread+0x30c/0x3d0
+ ret_from_fork+0x3a/0x50
+
+A prior patch introduced a spin_lock_irqsave(hbalock) in the
+lpfc_post_rq_buffer() routine. Call trace is seen as the hbalock is held
+with interrupts disabled during a GFP_KERNEL allocation in
+lpfc_sli4_nvmet_alloc().
+
+Fix by reordering locking so that hbalock not held when calling
+sli4_nvmet_alloc() (aka rqb_buf_list()).
+
+Link: https://lore.kernel.org/r/20201020202719.54726-2-james.smart@broadcom.com
+Fixes: 411de511c694 ("scsi: lpfc: Fix RQ empty firmware trap")
+Cc: <stable@vger.kernel.org> # v4.17+
+Co-developed-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/lpfc/lpfc_mem.c | 4 +---
+ drivers/scsi/lpfc/lpfc_sli.c | 10 ++++++++--
+ 2 files changed, 9 insertions(+), 5 deletions(-)
+
+--- a/drivers/scsi/lpfc/lpfc_mem.c
++++ b/drivers/scsi/lpfc/lpfc_mem.c
+@@ -560,8 +560,6 @@ lpfc_els_hbq_free(struct lpfc_hba *phba,
+ * Description: Allocates a DMA-mapped receive buffer from the lpfc_hrb_pool PCI
+ * pool along a non-DMA-mapped container for it.
+ *
+- * Notes: Not interrupt-safe. Must be called with no locks held.
+- *
+ * Returns:
+ * pointer to HBQ on success
+ * NULL on failure
+@@ -631,7 +629,7 @@ lpfc_sli4_nvmet_alloc(struct lpfc_hba *p
+ {
+ struct rqb_dmabuf *dma_buf;
+
+- dma_buf = kzalloc(sizeof(struct rqb_dmabuf), GFP_KERNEL);
++ dma_buf = kzalloc(sizeof(*dma_buf), GFP_KERNEL);
+ if (!dma_buf)
+ return NULL;
+
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -6755,12 +6755,16 @@ lpfc_post_rq_buffer(struct lpfc_hba *phb
+ struct rqb_dmabuf *rqb_buffer;
+ LIST_HEAD(rqb_buf_list);
+
+- spin_lock_irqsave(&phba->hbalock, flags);
+ rqbp = hrq->rqbp;
+ for (i = 0; i < count; i++) {
++ spin_lock_irqsave(&phba->hbalock, flags);
+ /* IF RQ is already full, don't bother */
+- if (rqbp->buffer_count + i >= rqbp->entry_count - 1)
++ if (rqbp->buffer_count + i >= rqbp->entry_count - 1) {
++ spin_unlock_irqrestore(&phba->hbalock, flags);
+ break;
++ }
++ spin_unlock_irqrestore(&phba->hbalock, flags);
++
+ rqb_buffer = rqbp->rqb_alloc_buffer(phba);
+ if (!rqb_buffer)
+ break;
+@@ -6769,6 +6773,8 @@ lpfc_post_rq_buffer(struct lpfc_hba *phb
+ rqb_buffer->idx = idx;
+ list_add_tail(&rqb_buffer->hbuf.list, &rqb_buf_list);
+ }
++
++ spin_lock_irqsave(&phba->hbalock, flags);
+ while (!list_empty(&rqb_buf_list)) {
+ list_remove_head(&rqb_buf_list, rqb_buffer, struct rqb_dmabuf,
+ hbuf.list);
--- /dev/null
+From e5785d3ec32f5f44dd88cd7b398e496742630469 Mon Sep 17 00:00:00 2001
+From: James Smart <james.smart@broadcom.com>
+Date: Tue, 20 Oct 2020 13:27:13 -0700
+Subject: scsi: lpfc: Re-fix use after free in lpfc_rq_buf_free()
+
+From: James Smart <james.smart@broadcom.com>
+
+commit e5785d3ec32f5f44dd88cd7b398e496742630469 upstream.
+
+Commit 9816ef6ecbc1 ("scsi: lpfc: Use after free in lpfc_rq_buf_free()")
+was made to correct a use after free condition in lpfc_rq_buf_free().
+Unfortunately, a subsequent patch cut on a tree without the fix
+inadvertently reverted the fix.
+
+Put the fix back: Move the freeing of the rqb_entry to after the print
+function that references it.
+
+Link: https://lore.kernel.org/r/20201020202719.54726-4-james.smart@broadcom.com
+Fixes: 411de511c694 ("scsi: lpfc: Fix RQ empty firmware trap")
+Cc: <stable@vger.kernel.org> # v4.17+
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/lpfc/lpfc_mem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/lpfc/lpfc_mem.c
++++ b/drivers/scsi/lpfc/lpfc_mem.c
+@@ -752,7 +752,6 @@ lpfc_rq_buf_free(struct lpfc_hba *phba,
+ drqe.address_hi = putPaddrHigh(rqb_entry->dbuf.phys);
+ rc = lpfc_sli4_rq_put(rqb_entry->hrq, rqb_entry->drq, &hrqe, &drqe);
+ if (rc < 0) {
+- (rqbp->rqb_free_buffer)(phba, rqb_entry);
+ lpfc_printf_log(phba, KERN_ERR, LOG_INIT,
+ "6409 Cannot post to HRQ %d: %x %x %x "
+ "DRQ %x %x\n",
+@@ -762,6 +761,7 @@ lpfc_rq_buf_free(struct lpfc_hba *phba,
+ rqb_entry->hrq->entry_count,
+ rqb_entry->drq->host_index,
+ rqb_entry->drq->hba_index);
++ (rqbp->rqb_free_buffer)(phba, rqb_entry);
+ } else {
+ list_add_tail(&rqb_entry->hbuf.list, &rqbp->rqb_buffer_list);
+ rqbp->buffer_count++;
smb3.1.1-do-not-log-warning-message-if-server-doesn-t-populate-salt.patch
ubifs-wbuf-don-t-leak-kernel-memory-to-flash.patch
jffs2-fix-gc-exit-abnormally.patch
+jfs-fix-array-index-bounds-check-in-dbadjtree.patch
+drm-dp_aux_dev-check-aux_dev-before-use-in-drm_dp_aux_dev_get_by_minor.patch
+spi-spi-sh-fix-use-after-free-on-unbind.patch
+spi-davinci-fix-use-after-free-on-unbind.patch
+spi-pic32-don-t-leak-dma-channels-in-probe-error-path.patch
+spi-rb4xx-don-t-leak-spi-master-in-probe-error-path.patch
+spi-sc18is602-don-t-leak-spi-master-in-probe-error-path.patch
+spi-st-ssc4-fix-unbalanced-pm_runtime_disable-in-probe-error-path.patch
+spi-mt7621-fix-missing-clk_disable_unprepare-on-error-in-mt7621_spi_probe.patch
+soc-qcom-smp2p-safely-acquire-spinlock-without-irqs.patch
+mtd-spinand-fix-oob-read.patch
+mtd-parser-cmdline-fix-parsing-of-part-names-with-colons.patch
+mtd-rawnand-qcom-fix-dma-sync-on-flash_status-register-read.patch
+scsi-lpfc-fix-invalid-sleeping-context-in-lpfc_sli4_nvmet_alloc.patch
+scsi-lpfc-re-fix-use-after-free-in-lpfc_rq_buf_free.patch
+iio-buffer-fix-demux-update.patch
+iio-adc-rockchip_saradc-fix-missing-clk_disable_unprepare-on-error-in-rockchip_saradc_resume.patch
+iio-light-rpr0521-fix-timestamp-alignment-and-prevent-data-leak.patch
+iio-light-st_uvis25-fix-timestamp-alignment-and-prevent-data-leak.patch
+iio-pressure-mpl3115-force-alignment-of-buffer.patch
+iio-imu-bmi160-fix-too-large-a-buffer.patch
+md-cluster-block-reshape-with-remote-resync-job.patch
+md-cluster-fix-deadlock-when-node-is-doing-resync-job.patch
+pinctrl-sunxi-always-call-chained_irq_-enter-exit-in-sunxi_pinctrl_irq_handler.patch
+clk-mvebu-a3700-fix-the-xtal-mode-pin-to-mpp1_9.patch
+xen-blkback-set-ring-xenblkd-to-null-after-kthread_stop.patch
+xen-xenbus-allow-watches-discard-events-before-queueing.patch
+xen-xenbus-add-will_handle-callback-support-in-xenbus_watch_path.patch
+xen-xenbus-xen_bus_type-support-will_handle-watch-callback.patch
+xen-xenbus-count-pending-messages-for-each-watch.patch
+xenbus-xenbus_backend-disallow-pending-watch-messages.patch
+libnvdimm-namespace-fix-reaping-of-invalidated-block-window-namespace-labels.patch
+platform-x86-intel-vbtn-allow-switch-events-on-acer-switch-alpha-12.patch
+pci-fix-pci_slot_release-null-pointer-dereference.patch
--- /dev/null
+From fc3e62e25c3896855b7c3d72df19ca6be3459c9f Mon Sep 17 00:00:00 2001
+From: Evan Green <evgreen@chromium.org>
+Date: Tue, 29 Sep 2020 13:30:57 -0700
+Subject: soc: qcom: smp2p: Safely acquire spinlock without IRQs
+
+From: Evan Green <evgreen@chromium.org>
+
+commit fc3e62e25c3896855b7c3d72df19ca6be3459c9f upstream.
+
+smp2p_update_bits() should disable interrupts when it acquires its
+spinlock. This is important because without the _irqsave, a priority
+inversion can occur.
+
+This function is called both with interrupts enabled in
+qcom_q6v5_request_stop(), and with interrupts disabled in
+ipa_smp2p_panic_notifier(). IRQ handling of spinlocks should be
+consistent to avoid the panic notifier deadlocking because it's
+sitting on the thread that's already got the lock via _request_stop().
+
+Found via lockdep.
+
+Cc: stable@vger.kernel.org
+Fixes: 50e99641413e7 ("soc: qcom: smp2p: Qualcomm Shared Memory Point to Point")
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Signed-off-by: Evan Green <evgreen@chromium.org>
+Link: https://lore.kernel.org/r/20200929133040.RESEND.1.Ideabf6dcdfc577cf39ce3d95b0e4aa1ac8b38f0c@changeid
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/soc/qcom/smp2p.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/soc/qcom/smp2p.c
++++ b/drivers/soc/qcom/smp2p.c
+@@ -326,15 +326,16 @@ static int qcom_smp2p_inbound_entry(stru
+ static int smp2p_update_bits(void *data, u32 mask, u32 value)
+ {
+ struct smp2p_entry *entry = data;
++ unsigned long flags;
+ u32 orig;
+ u32 val;
+
+- spin_lock(&entry->lock);
++ spin_lock_irqsave(&entry->lock, flags);
+ val = orig = readl(entry->value);
+ val &= ~mask;
+ val |= value;
+ writel(val, entry->value);
+- spin_unlock(&entry->lock);
++ spin_unlock_irqrestore(&entry->lock, flags);
+
+ if (val != orig)
+ qcom_smp2p_kick(entry->smp2p);
--- /dev/null
+From 373afef350a93519b4b8d636b0895da8650b714b Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Mon, 7 Dec 2020 09:17:01 +0100
+Subject: spi: davinci: Fix use-after-free on unbind
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 373afef350a93519b4b8d636b0895da8650b714b upstream.
+
+davinci_spi_remove() accesses the driver's private data after it's been
+freed with spi_master_put().
+
+Fix by moving the spi_master_put() to the end of the function.
+
+Fixes: fe5fd2540947 ("spi: davinci: Use dma_request_chan() for requesting DMA channel")
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Acked-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Cc: <stable@vger.kernel.org> # v4.7+
+Link: https://lore.kernel.org/r/412f7eb1cf8990e0a3a2153f4c577298deab623e.1607286887.git.lukas@wunner.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-davinci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-davinci.c
++++ b/drivers/spi/spi-davinci.c
+@@ -1086,13 +1086,13 @@ static int davinci_spi_remove(struct pla
+ spi_bitbang_stop(&dspi->bitbang);
+
+ clk_disable_unprepare(dspi->clk);
+- spi_master_put(master);
+
+ if (dspi->dma_rx) {
+ dma_release_channel(dspi->dma_rx);
+ dma_release_channel(dspi->dma_tx);
+ }
+
++ spi_master_put(master);
+ return 0;
+ }
+
--- /dev/null
+From 702b15cb97123cedcec56a39d9a21c5288eb9ae1 Mon Sep 17 00:00:00 2001
+From: Qinglang Miao <miaoqinglang@huawei.com>
+Date: Tue, 3 Nov 2020 15:49:12 +0800
+Subject: spi: mt7621: fix missing clk_disable_unprepare() on error in mt7621_spi_probe
+
+From: Qinglang Miao <miaoqinglang@huawei.com>
+
+commit 702b15cb97123cedcec56a39d9a21c5288eb9ae1 upstream.
+
+Fix the missing clk_disable_unprepare() before return
+from mt7621_spi_probe in the error handling case.
+
+Fixes: cbd66c626e16 ("spi: mt7621: Move SPI driver out of staging")
+Signed-off-by: Qinglang Miao <miaoqinglang@huawei.com>
+Link: https://lore.kernel.org/r/20201103074912.195576-1-miaoqinglang@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/mt7621-spi/spi-mt7621.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/staging/mt7621-spi/spi-mt7621.c
++++ b/drivers/staging/mt7621-spi/spi-mt7621.c
+@@ -455,6 +455,7 @@ static int mt7621_spi_probe(struct platf
+ master = spi_alloc_master(&pdev->dev, sizeof(*rs));
+ if (master == NULL) {
+ dev_info(&pdev->dev, "master allocation failed\n");
++ clk_disable_unprepare(clk);
+ return -ENOMEM;
+ }
+
+@@ -480,6 +481,7 @@ static int mt7621_spi_probe(struct platf
+ ret = device_reset(&pdev->dev);
+ if (ret) {
+ dev_err(&pdev->dev, "SPI reset failed!\n");
++ clk_disable_unprepare(clk);
+ return ret;
+ }
+
--- /dev/null
+From c575e9113bff5e024d75481613faed5ef9d465b2 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Sun, 8 Nov 2020 23:41:00 +0100
+Subject: spi: pic32: Don't leak DMA channels in probe error path
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit c575e9113bff5e024d75481613faed5ef9d465b2 upstream.
+
+If the calls to devm_request_irq() or devm_spi_register_master() fail
+on probe of the PIC32 SPI driver, the DMA channels requested by
+pic32_spi_dma_prep() are erroneously not released. Plug the leak.
+
+Fixes: 1bcb9f8ceb67 ("spi: spi-pic32: Add PIC32 SPI master driver")
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: <stable@vger.kernel.org> # v4.7+
+Cc: Purna Chandra Mandal <purna.mandal@microchip.com>
+Link: https://lore.kernel.org/r/9624250e3a7aa61274b38219a62375bac1def637.1604874488.git.lukas@wunner.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-pic32.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/spi/spi-pic32.c
++++ b/drivers/spi/spi-pic32.c
+@@ -839,6 +839,7 @@ static int pic32_spi_probe(struct platfo
+ return 0;
+
+ err_bailout:
++ pic32_spi_dma_unprep(pic32s);
+ clk_disable_unprepare(pic32s->clk);
+ err_master:
+ spi_master_put(master);
--- /dev/null
+From a4729c3506c3eb1a6ca5c0289f4e7cafa4115065 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Mon, 7 Dec 2020 09:17:10 +0100
+Subject: spi: rb4xx: Don't leak SPI master in probe error path
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit a4729c3506c3eb1a6ca5c0289f4e7cafa4115065 upstream.
+
+If the calls to devm_clk_get(), devm_spi_register_master() or
+clk_prepare_enable() fail on probe of the Mikrotik RB4xx SPI driver,
+the spi_master struct is erroneously not freed.
+
+Fix by switching over to the new devm_spi_alloc_master() helper.
+
+Fixes: 05aec357871f ("spi: Add SPI driver for Mikrotik RB4xx series boards")
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: <stable@vger.kernel.org> # v4.2+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation
+Cc: <stable@vger.kernel.org> # v4.2+
+Cc: Bert Vermeulen <bert@biot.com>
+Link: https://lore.kernel.org/r/369bf26d71927f60943b1d9d8f51810f00b0237d.1607286887.git.lukas@wunner.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-rb4xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-rb4xx.c
++++ b/drivers/spi/spi-rb4xx.c
+@@ -148,7 +148,7 @@ static int rb4xx_spi_probe(struct platfo
+ if (IS_ERR(spi_base))
+ return PTR_ERR(spi_base);
+
+- master = spi_alloc_master(&pdev->dev, sizeof(*rbspi));
++ master = devm_spi_alloc_master(&pdev->dev, sizeof(*rbspi));
+ if (!master)
+ return -ENOMEM;
+
--- /dev/null
+From 5b8c88462d83331dacb48aeaec8388117fef82e0 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Mon, 7 Dec 2020 09:17:11 +0100
+Subject: spi: sc18is602: Don't leak SPI master in probe error path
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 5b8c88462d83331dacb48aeaec8388117fef82e0 upstream.
+
+If the call to devm_gpiod_get_optional() fails on probe of the NXP
+SC18IS602/603 SPI driver, the spi_master struct is erroneously not freed.
+
+Fix by switching over to the new devm_spi_alloc_master() helper.
+
+Fixes: f99008013e19 ("spi: sc18is602: Add reset control via gpio pin.")
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: <stable@vger.kernel.org> # v4.9+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation
+Cc: <stable@vger.kernel.org> # v4.9+
+Cc: Phil Reid <preid@electromag.com.au>
+Link: https://lore.kernel.org/r/d5f715527b894b91d530fe11a86f51b3184a4e1a.1607286887.git.lukas@wunner.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-sc18is602.c | 13 ++-----------
+ 1 file changed, 2 insertions(+), 11 deletions(-)
+
+--- a/drivers/spi/spi-sc18is602.c
++++ b/drivers/spi/spi-sc18is602.c
+@@ -248,13 +248,12 @@ static int sc18is602_probe(struct i2c_cl
+ struct sc18is602_platform_data *pdata = dev_get_platdata(dev);
+ struct sc18is602 *hw;
+ struct spi_master *master;
+- int error;
+
+ if (!i2c_check_functionality(client->adapter, I2C_FUNC_I2C |
+ I2C_FUNC_SMBUS_WRITE_BYTE_DATA))
+ return -EINVAL;
+
+- master = spi_alloc_master(dev, sizeof(struct sc18is602));
++ master = devm_spi_alloc_master(dev, sizeof(struct sc18is602));
+ if (!master)
+ return -ENOMEM;
+
+@@ -308,15 +307,7 @@ static int sc18is602_probe(struct i2c_cl
+ master->min_speed_hz = hw->freq / 128;
+ master->max_speed_hz = hw->freq / 4;
+
+- error = devm_spi_register_master(dev, master);
+- if (error)
+- goto error_reg;
+-
+- return 0;
+-
+-error_reg:
+- spi_master_put(master);
+- return error;
++ return devm_spi_register_master(dev, master);
+ }
+
+ static const struct i2c_device_id sc18is602_id[] = {
--- /dev/null
+From e77df3eca12be4b17f13cf9f215cff248c57d98f Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Mon, 7 Dec 2020 09:17:04 +0100
+Subject: spi: spi-sh: Fix use-after-free on unbind
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit e77df3eca12be4b17f13cf9f215cff248c57d98f upstream.
+
+spi_sh_remove() accesses the driver's private data after calling
+spi_unregister_master() even though that function releases the last
+reference on the spi_master and thereby frees the private data.
+
+Fix by switching over to the new devm_spi_alloc_master() helper which
+keeps the private data accessible until the driver has unbound.
+
+Fixes: 680c1305e259 ("spi/spi_sh: use spi_unregister_master instead of spi_master_put in remove path")
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: <stable@vger.kernel.org> # v3.0+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation
+Cc: <stable@vger.kernel.org> # v3.0+
+Cc: Axel Lin <axel.lin@ingics.com>
+Link: https://lore.kernel.org/r/6d97628b536baf01d5e3e39db61108f84d44c8b2.1607286887.git.lukas@wunner.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-sh.c | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+--- a/drivers/spi/spi-sh.c
++++ b/drivers/spi/spi-sh.c
+@@ -450,7 +450,7 @@ static int spi_sh_probe(struct platform_
+ return irq;
+ }
+
+- master = spi_alloc_master(&pdev->dev, sizeof(struct spi_sh_data));
++ master = devm_spi_alloc_master(&pdev->dev, sizeof(struct spi_sh_data));
+ if (master == NULL) {
+ dev_err(&pdev->dev, "spi_alloc_master error.\n");
+ return -ENOMEM;
+@@ -468,16 +468,14 @@ static int spi_sh_probe(struct platform_
+ break;
+ default:
+ dev_err(&pdev->dev, "No support width\n");
+- ret = -ENODEV;
+- goto error1;
++ return -ENODEV;
+ }
+ ss->irq = irq;
+ ss->master = master;
+ ss->addr = devm_ioremap(&pdev->dev, res->start, resource_size(res));
+ if (ss->addr == NULL) {
+ dev_err(&pdev->dev, "ioremap error.\n");
+- ret = -ENOMEM;
+- goto error1;
++ return -ENOMEM;
+ }
+ INIT_LIST_HEAD(&ss->queue);
+ spin_lock_init(&ss->lock);
+@@ -487,7 +485,7 @@ static int spi_sh_probe(struct platform_
+ ret = request_irq(irq, spi_sh_irq, 0, "spi_sh", ss);
+ if (ret < 0) {
+ dev_err(&pdev->dev, "request_irq error\n");
+- goto error1;
++ return ret;
+ }
+
+ master->num_chipselect = 2;
+@@ -506,9 +504,6 @@ static int spi_sh_probe(struct platform_
+
+ error3:
+ free_irq(irq, ss);
+- error1:
+- spi_master_put(master);
+-
+ return ret;
+ }
+
--- /dev/null
+From 5ef76dac0f2c26aeae4ee79eb830280f16d5aceb Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Sun, 8 Nov 2020 23:41:00 +0100
+Subject: spi: st-ssc4: Fix unbalanced pm_runtime_disable() in probe error path
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 5ef76dac0f2c26aeae4ee79eb830280f16d5aceb upstream.
+
+If the calls to devm_platform_ioremap_resource(), irq_of_parse_and_map()
+or devm_request_irq() fail on probe of the ST SSC4 SPI driver, the
+runtime PM disable depth is incremented even though it was not
+decremented before. Fix it.
+
+Fixes: cd050abeba2a ("spi: st-ssc4: add missed pm_runtime_disable")
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: <stable@vger.kernel.org> # v5.5+
+Cc: Chuhong Yuan <hslester96@gmail.com>
+Link: https://lore.kernel.org/r/fbe8768c30dc829e2d77eabe7be062ca22f84024.1604874488.git.lukas@wunner.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-st-ssc4.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/spi/spi-st-ssc4.c
++++ b/drivers/spi/spi-st-ssc4.c
+@@ -379,13 +379,14 @@ static int spi_st_probe(struct platform_
+ ret = devm_spi_register_master(&pdev->dev, master);
+ if (ret) {
+ dev_err(&pdev->dev, "Failed to register master\n");
+- goto clk_disable;
++ goto rpm_disable;
+ }
+
+ return 0;
+
+-clk_disable:
++rpm_disable:
+ pm_runtime_disable(&pdev->dev);
++clk_disable:
+ clk_disable_unprepare(spi_st->clk);
+ put_master:
+ spi_master_put(master);
--- /dev/null
+From 1c728719a4da6e654afb9cc047164755072ed7c9 Mon Sep 17 00:00:00 2001
+From: Pawel Wieczorkiewicz <wipawel@amazon.de>
+Date: Mon, 14 Dec 2020 10:25:57 +0100
+Subject: xen-blkback: set ring->xenblkd to NULL after kthread_stop()
+
+From: Pawel Wieczorkiewicz <wipawel@amazon.de>
+
+commit 1c728719a4da6e654afb9cc047164755072ed7c9 upstream.
+
+When xen_blkif_disconnect() is called, the kernel thread behind the
+block interface is stopped by calling kthread_stop(ring->xenblkd).
+The ring->xenblkd thread pointer being non-NULL determines if the
+thread has been already stopped.
+Normally, the thread's function xen_blkif_schedule() sets the
+ring->xenblkd to NULL, when the thread's main loop ends.
+
+However, when the thread has not been started yet (i.e.
+wake_up_process() has not been called on it), the xen_blkif_schedule()
+function would not be called yet.
+
+In such case the kthread_stop() call returns -EINTR and the
+ring->xenblkd remains dangling.
+When this happens, any consecutive call to xen_blkif_disconnect (for
+example in frontend_changed() callback) leads to a kernel crash in
+kthread_stop() (e.g. NULL pointer dereference in exit_creds()).
+
+This is XSA-350.
+
+Cc: <stable@vger.kernel.org> # 4.12
+Fixes: a24fa22ce22a ("xen/blkback: don't use xen_blkif_get() in xen-blkback kthread")
+Reported-by: Olivier Benjamin <oliben@amazon.com>
+Reported-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
+Signed-off-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
+Reviewed-by: Julien Grall <jgrall@amazon.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/xen-blkback/xenbus.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/block/xen-blkback/xenbus.c
++++ b/drivers/block/xen-blkback/xenbus.c
+@@ -264,6 +264,7 @@ static int xen_blkif_disconnect(struct x
+
+ if (ring->xenblkd) {
+ kthread_stop(ring->xenblkd);
++ ring->xenblkd = NULL;
+ wake_up(&ring->shutdown_wq);
+ }
+
--- /dev/null
+From 2e85d32b1c865bec703ce0c962221a5e955c52c2 Mon Sep 17 00:00:00 2001
+From: SeongJae Park <sjpark@amazon.de>
+Date: Mon, 14 Dec 2020 10:04:18 +0100
+Subject: xen/xenbus: Add 'will_handle' callback support in xenbus_watch_path()
+
+From: SeongJae Park <sjpark@amazon.de>
+
+commit 2e85d32b1c865bec703ce0c962221a5e955c52c2 upstream.
+
+Some code does not directly make 'xenbus_watch' object and call
+'register_xenbus_watch()' but use 'xenbus_watch_path()' instead. This
+commit adds support of 'will_handle' callback in the
+'xenbus_watch_path()' and it's wrapper, 'xenbus_watch_pathfmt()'.
+
+This is part of XSA-349
+
+Cc: stable@vger.kernel.org
+Signed-off-by: SeongJae Park <sjpark@amazon.de>
+Reported-by: Michael Kurth <mku@amazon.de>
+Reported-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/xen-blkback/xenbus.c | 3 ++-
+ drivers/net/xen-netback/xenbus.c | 2 +-
+ drivers/xen/xen-pciback/xenbus.c | 2 +-
+ drivers/xen/xenbus/xenbus_client.c | 9 +++++++--
+ drivers/xen/xenbus/xenbus_probe.c | 2 +-
+ include/xen/xenbus.h | 6 +++++-
+ 6 files changed, 17 insertions(+), 7 deletions(-)
+
+--- a/drivers/block/xen-blkback/xenbus.c
++++ b/drivers/block/xen-blkback/xenbus.c
+@@ -652,7 +652,8 @@ static int xen_blkbk_probe(struct xenbus
+ /* setup back pointer */
+ be->blkif->be = be;
+
+- err = xenbus_watch_pathfmt(dev, &be->backend_watch, backend_changed,
++ err = xenbus_watch_pathfmt(dev, &be->backend_watch, NULL,
++ backend_changed,
+ "%s/%s", dev->nodename, "physical-device");
+ if (err)
+ goto fail;
+--- a/drivers/net/xen-netback/xenbus.c
++++ b/drivers/net/xen-netback/xenbus.c
+@@ -1043,7 +1043,7 @@ static void connect(struct backend_info
+ xenvif_carrier_on(be->vif);
+
+ unregister_hotplug_status_watch(be);
+- err = xenbus_watch_pathfmt(dev, &be->hotplug_status_watch,
++ err = xenbus_watch_pathfmt(dev, &be->hotplug_status_watch, NULL,
+ hotplug_status_changed,
+ "%s/%s", dev->nodename, "hotplug-status");
+ if (!err)
+--- a/drivers/xen/xen-pciback/xenbus.c
++++ b/drivers/xen/xen-pciback/xenbus.c
+@@ -688,7 +688,7 @@ static int xen_pcibk_xenbus_probe(struct
+
+ /* watch the backend node for backend configuration information */
+ err = xenbus_watch_path(dev, dev->nodename, &pdev->be_watch,
+- xen_pcibk_be_watch);
++ NULL, xen_pcibk_be_watch);
+ if (err)
+ goto out;
+
+--- a/drivers/xen/xenbus/xenbus_client.c
++++ b/drivers/xen/xenbus/xenbus_client.c
+@@ -114,19 +114,22 @@ EXPORT_SYMBOL_GPL(xenbus_strstate);
+ */
+ int xenbus_watch_path(struct xenbus_device *dev, const char *path,
+ struct xenbus_watch *watch,
++ bool (*will_handle)(struct xenbus_watch *,
++ const char *, const char *),
+ void (*callback)(struct xenbus_watch *,
+ const char *, const char *))
+ {
+ int err;
+
+ watch->node = path;
+- watch->will_handle = NULL;
++ watch->will_handle = will_handle;
+ watch->callback = callback;
+
+ err = register_xenbus_watch(watch);
+
+ if (err) {
+ watch->node = NULL;
++ watch->will_handle = NULL;
+ watch->callback = NULL;
+ xenbus_dev_fatal(dev, err, "adding watch on %s", path);
+ }
+@@ -153,6 +156,8 @@ EXPORT_SYMBOL_GPL(xenbus_watch_path);
+ */
+ int xenbus_watch_pathfmt(struct xenbus_device *dev,
+ struct xenbus_watch *watch,
++ bool (*will_handle)(struct xenbus_watch *,
++ const char *, const char *),
+ void (*callback)(struct xenbus_watch *,
+ const char *, const char *),
+ const char *pathfmt, ...)
+@@ -169,7 +174,7 @@ int xenbus_watch_pathfmt(struct xenbus_d
+ xenbus_dev_fatal(dev, -ENOMEM, "allocating path for watch");
+ return -ENOMEM;
+ }
+- err = xenbus_watch_path(dev, path, watch, callback);
++ err = xenbus_watch_path(dev, path, watch, will_handle, callback);
+
+ if (err)
+ kfree(path);
+--- a/drivers/xen/xenbus/xenbus_probe.c
++++ b/drivers/xen/xenbus/xenbus_probe.c
+@@ -136,7 +136,7 @@ static int watch_otherend(struct xenbus_
+ container_of(dev->dev.bus, struct xen_bus_type, bus);
+
+ return xenbus_watch_pathfmt(dev, &dev->otherend_watch,
+- bus->otherend_changed,
++ NULL, bus->otherend_changed,
+ "%s/%s", dev->otherend, "state");
+ }
+
+--- a/include/xen/xenbus.h
++++ b/include/xen/xenbus.h
+@@ -199,10 +199,14 @@ void xenbus_probe(struct work_struct *);
+
+ int xenbus_watch_path(struct xenbus_device *dev, const char *path,
+ struct xenbus_watch *watch,
++ bool (*will_handle)(struct xenbus_watch *,
++ const char *, const char *),
+ void (*callback)(struct xenbus_watch *,
+ const char *, const char *));
+-__printf(4, 5)
++__printf(5, 6)
+ int xenbus_watch_pathfmt(struct xenbus_device *dev, struct xenbus_watch *watch,
++ bool (*will_handle)(struct xenbus_watch *,
++ const char *, const char *),
+ void (*callback)(struct xenbus_watch *,
+ const char *, const char *),
+ const char *pathfmt, ...);
--- /dev/null
+From fed1755b118147721f2c87b37b9d66e62c39b668 Mon Sep 17 00:00:00 2001
+From: SeongJae Park <sjpark@amazon.de>
+Date: Mon, 14 Dec 2020 10:02:45 +0100
+Subject: xen/xenbus: Allow watches discard events before queueing
+
+From: SeongJae Park <sjpark@amazon.de>
+
+commit fed1755b118147721f2c87b37b9d66e62c39b668 upstream.
+
+If handling logics of watch events are slower than the events enqueue
+logic and the events can be created from the guests, the guests could
+trigger memory pressure by intensively inducing the events, because it
+will create a huge number of pending events that exhausting the memory.
+
+Fortunately, some watch events could be ignored, depending on its
+handler callback. For example, if the callback has interest in only one
+single path, the watch wouldn't want multiple pending events. Or, some
+watches could ignore events to same path.
+
+To let such watches to volutarily help avoiding the memory pressure
+situation, this commit introduces new watch callback, 'will_handle'. If
+it is not NULL, it will be called for each new event just before
+enqueuing it. Then, if the callback returns false, the event will be
+discarded. No watch is using the callback for now, though.
+
+This is part of XSA-349
+
+Cc: stable@vger.kernel.org
+Signed-off-by: SeongJae Park <sjpark@amazon.de>
+Reported-by: Michael Kurth <mku@amazon.de>
+Reported-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/xen-netback/xenbus.c | 4 ++++
+ drivers/xen/xenbus/xenbus_client.c | 1 +
+ drivers/xen/xenbus/xenbus_xs.c | 5 ++++-
+ include/xen/xenbus.h | 7 +++++++
+ 4 files changed, 16 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/xen-netback/xenbus.c
++++ b/drivers/net/xen-netback/xenbus.c
+@@ -777,12 +777,14 @@ static int xen_register_credit_watch(str
+ return -ENOMEM;
+ snprintf(node, maxlen, "%s/rate", dev->nodename);
+ vif->credit_watch.node = node;
++ vif->credit_watch.will_handle = NULL;
+ vif->credit_watch.callback = xen_net_rate_changed;
+ err = register_xenbus_watch(&vif->credit_watch);
+ if (err) {
+ pr_err("Failed to set watcher %s\n", vif->credit_watch.node);
+ kfree(node);
+ vif->credit_watch.node = NULL;
++ vif->credit_watch.will_handle = NULL;
+ vif->credit_watch.callback = NULL;
+ }
+ return err;
+@@ -829,6 +831,7 @@ static int xen_register_mcast_ctrl_watch
+ snprintf(node, maxlen, "%s/request-multicast-control",
+ dev->otherend);
+ vif->mcast_ctrl_watch.node = node;
++ vif->mcast_ctrl_watch.will_handle = NULL;
+ vif->mcast_ctrl_watch.callback = xen_mcast_ctrl_changed;
+ err = register_xenbus_watch(&vif->mcast_ctrl_watch);
+ if (err) {
+@@ -836,6 +839,7 @@ static int xen_register_mcast_ctrl_watch
+ vif->mcast_ctrl_watch.node);
+ kfree(node);
+ vif->mcast_ctrl_watch.node = NULL;
++ vif->mcast_ctrl_watch.will_handle = NULL;
+ vif->mcast_ctrl_watch.callback = NULL;
+ }
+ return err;
+--- a/drivers/xen/xenbus/xenbus_client.c
++++ b/drivers/xen/xenbus/xenbus_client.c
+@@ -120,6 +120,7 @@ int xenbus_watch_path(struct xenbus_devi
+ int err;
+
+ watch->node = path;
++ watch->will_handle = NULL;
+ watch->callback = callback;
+
+ err = register_xenbus_watch(watch);
+--- a/drivers/xen/xenbus/xenbus_xs.c
++++ b/drivers/xen/xenbus/xenbus_xs.c
+@@ -705,7 +705,10 @@ int xs_watch_msg(struct xs_watch_event *
+
+ spin_lock(&watches_lock);
+ event->handle = find_watch(event->token);
+- if (event->handle != NULL) {
++ if (event->handle != NULL &&
++ (!event->handle->will_handle ||
++ event->handle->will_handle(event->handle,
++ event->path, event->token))) {
+ spin_lock(&watch_events_lock);
+ list_add_tail(&event->list, &watch_events);
+ wake_up(&watch_events_waitq);
+--- a/include/xen/xenbus.h
++++ b/include/xen/xenbus.h
+@@ -59,6 +59,13 @@ struct xenbus_watch
+ /* Path being watched. */
+ const char *node;
+
++ /*
++ * Called just before enqueing new event while a spinlock is held.
++ * The event will be discarded if this callback returns false.
++ */
++ bool (*will_handle)(struct xenbus_watch *,
++ const char *path, const char *token);
++
+ /* Callback (executed in a process context with no locks held). */
+ void (*callback)(struct xenbus_watch *,
+ const char *path, const char *token);
--- /dev/null
+From 3dc86ca6b4c8cfcba9da7996189d1b5a358a94fc Mon Sep 17 00:00:00 2001
+From: SeongJae Park <sjpark@amazon.de>
+Date: Mon, 14 Dec 2020 10:07:13 +0100
+Subject: xen/xenbus: Count pending messages for each watch
+
+From: SeongJae Park <sjpark@amazon.de>
+
+commit 3dc86ca6b4c8cfcba9da7996189d1b5a358a94fc upstream.
+
+This commit adds a counter of pending messages for each watch in the
+struct. It is used to skip unnecessary pending messages lookup in
+'unregister_xenbus_watch()'. It could also be used in 'will_handle'
+callback.
+
+This is part of XSA-349
+
+Cc: stable@vger.kernel.org
+Signed-off-by: SeongJae Park <sjpark@amazon.de>
+Reported-by: Michael Kurth <mku@amazon.de>
+Reported-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/xenbus/xenbus_xs.c | 29 ++++++++++++++++++-----------
+ include/xen/xenbus.h | 2 ++
+ 2 files changed, 20 insertions(+), 11 deletions(-)
+
+--- a/drivers/xen/xenbus/xenbus_xs.c
++++ b/drivers/xen/xenbus/xenbus_xs.c
+@@ -711,6 +711,7 @@ int xs_watch_msg(struct xs_watch_event *
+ event->path, event->token))) {
+ spin_lock(&watch_events_lock);
+ list_add_tail(&event->list, &watch_events);
++ event->handle->nr_pending++;
+ wake_up(&watch_events_waitq);
+ spin_unlock(&watch_events_lock);
+ } else
+@@ -768,6 +769,8 @@ int register_xenbus_watch(struct xenbus_
+
+ sprintf(token, "%lX", (long)watch);
+
++ watch->nr_pending = 0;
++
+ down_read(&xs_watch_rwsem);
+
+ spin_lock(&watches_lock);
+@@ -817,11 +820,14 @@ void unregister_xenbus_watch(struct xenb
+
+ /* Cancel pending watch events. */
+ spin_lock(&watch_events_lock);
+- list_for_each_entry_safe(event, tmp, &watch_events, list) {
+- if (event->handle != watch)
+- continue;
+- list_del(&event->list);
+- kfree(event);
++ if (watch->nr_pending) {
++ list_for_each_entry_safe(event, tmp, &watch_events, list) {
++ if (event->handle != watch)
++ continue;
++ list_del(&event->list);
++ kfree(event);
++ }
++ watch->nr_pending = 0;
+ }
+ spin_unlock(&watch_events_lock);
+
+@@ -868,7 +874,6 @@ void xs_suspend_cancel(void)
+
+ static int xenwatch_thread(void *unused)
+ {
+- struct list_head *ent;
+ struct xs_watch_event *event;
+
+ xenwatch_pid = current->pid;
+@@ -883,13 +888,15 @@ static int xenwatch_thread(void *unused)
+ mutex_lock(&xenwatch_mutex);
+
+ spin_lock(&watch_events_lock);
+- ent = watch_events.next;
+- if (ent != &watch_events)
+- list_del(ent);
++ event = list_first_entry_or_null(&watch_events,
++ struct xs_watch_event, list);
++ if (event) {
++ list_del(&event->list);
++ event->handle->nr_pending--;
++ }
+ spin_unlock(&watch_events_lock);
+
+- if (ent != &watch_events) {
+- event = list_entry(ent, struct xs_watch_event, list);
++ if (event) {
+ event->handle->callback(event->handle, event->path,
+ event->token);
+ kfree(event);
+--- a/include/xen/xenbus.h
++++ b/include/xen/xenbus.h
+@@ -59,6 +59,8 @@ struct xenbus_watch
+ /* Path being watched. */
+ const char *node;
+
++ unsigned int nr_pending;
++
+ /*
+ * Called just before enqueing new event while a spinlock is held.
+ * The event will be discarded if this callback returns false.
--- /dev/null
+From be987200fbaceaef340872841d4f7af2c5ee8dc3 Mon Sep 17 00:00:00 2001
+From: SeongJae Park <sjpark@amazon.de>
+Date: Mon, 14 Dec 2020 10:05:47 +0100
+Subject: xen/xenbus/xen_bus_type: Support will_handle watch callback
+
+From: SeongJae Park <sjpark@amazon.de>
+
+commit be987200fbaceaef340872841d4f7af2c5ee8dc3 upstream.
+
+This commit adds support of the 'will_handle' watch callback for
+'xen_bus_type' users.
+
+This is part of XSA-349
+
+Cc: stable@vger.kernel.org
+Signed-off-by: SeongJae Park <sjpark@amazon.de>
+Reported-by: Michael Kurth <mku@amazon.de>
+Reported-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/xenbus/xenbus.h | 2 ++
+ drivers/xen/xenbus/xenbus_probe.c | 3 ++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/xen/xenbus/xenbus.h
++++ b/drivers/xen/xenbus/xenbus.h
+@@ -44,6 +44,8 @@ struct xen_bus_type {
+ int (*get_bus_id)(char bus_id[XEN_BUS_ID_SIZE], const char *nodename);
+ int (*probe)(struct xen_bus_type *bus, const char *type,
+ const char *dir);
++ bool (*otherend_will_handle)(struct xenbus_watch *watch,
++ const char *path, const char *token);
+ void (*otherend_changed)(struct xenbus_watch *watch, const char *path,
+ const char *token);
+ struct bus_type bus;
+--- a/drivers/xen/xenbus/xenbus_probe.c
++++ b/drivers/xen/xenbus/xenbus_probe.c
+@@ -136,7 +136,8 @@ static int watch_otherend(struct xenbus_
+ container_of(dev->dev.bus, struct xen_bus_type, bus);
+
+ return xenbus_watch_pathfmt(dev, &dev->otherend_watch,
+- NULL, bus->otherend_changed,
++ bus->otherend_will_handle,
++ bus->otherend_changed,
+ "%s/%s", dev->otherend, "state");
+ }
+
--- /dev/null
+From 9996bd494794a2fe393e97e7a982388c6249aa76 Mon Sep 17 00:00:00 2001
+From: SeongJae Park <sjpark@amazon.de>
+Date: Mon, 14 Dec 2020 10:08:40 +0100
+Subject: xenbus/xenbus_backend: Disallow pending watch messages
+
+From: SeongJae Park <sjpark@amazon.de>
+
+commit 9996bd494794a2fe393e97e7a982388c6249aa76 upstream.
+
+'xenbus_backend' watches 'state' of devices, which is writable by
+guests. Hence, if guests intensively updates it, dom0 will have lots of
+pending events that exhausting memory of dom0. In other words, guests
+can trigger dom0 memory pressure. This is known as XSA-349. However,
+the watch callback of it, 'frontend_changed()', reads only 'state', so
+doesn't need to have the pending events.
+
+To avoid the problem, this commit disallows pending watch messages for
+'xenbus_backend' using the 'will_handle()' watch callback.
+
+This is part of XSA-349
+
+Cc: stable@vger.kernel.org
+Signed-off-by: SeongJae Park <sjpark@amazon.de>
+Reported-by: Michael Kurth <mku@amazon.de>
+Reported-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/xenbus/xenbus_probe_backend.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/xen/xenbus/xenbus_probe_backend.c
++++ b/drivers/xen/xenbus/xenbus_probe_backend.c
+@@ -180,6 +180,12 @@ static int xenbus_probe_backend(struct x
+ return err;
+ }
+
++static bool frontend_will_handle(struct xenbus_watch *watch,
++ const char *path, const char *token)
++{
++ return watch->nr_pending == 0;
++}
++
+ static void frontend_changed(struct xenbus_watch *watch,
+ const char *path, const char *token)
+ {
+@@ -191,6 +197,7 @@ static struct xen_bus_type xenbus_backen
+ .levels = 3, /* backend/type/<frontend>/<id> */
+ .get_bus_id = backend_bus_id,
+ .probe = xenbus_probe_backend,
++ .otherend_will_handle = frontend_will_handle,
+ .otherend_changed = frontend_changed,
+ .bus = {
+ .name = "xen-backend",
projects / thirdparty / kernel / stable-queue.git / commitdiff
