--- /dev/null
+From cfc8f568aada98f9608a0a62511ca18d647613e2 Mon Sep 17 00:00:00 2001
+From: Oleksandr Suvorov <oleksandr.suvorov@toradex.com>
+Date: Fri, 19 Jul 2019 10:05:30 +0000
+Subject: ASoC: Define a set of DAPM pre/post-up events
+
+From: Oleksandr Suvorov <oleksandr.suvorov@toradex.com>
+
+commit cfc8f568aada98f9608a0a62511ca18d647613e2 upstream.
+
+Prepare to use SND_SOC_DAPM_PRE_POST_PMU definition to
+reduce coming code size and make it more readable.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@toradex.com>
+Reviewed-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
+Reviewed-by: Igor Opaniuk <igor.opaniuk@toradex.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Link: https://lore.kernel.org/r/20190719100524.23300-2-oleksandr.suvorov@toradex.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/sound/soc-dapm.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/include/sound/soc-dapm.h
++++ b/include/sound/soc-dapm.h
+@@ -339,6 +339,8 @@ struct device;
+ #define SND_SOC_DAPM_WILL_PMD 0x80 /* called at start of sequence */
+ #define SND_SOC_DAPM_PRE_POST_PMD \
+ (SND_SOC_DAPM_PRE_PMD | SND_SOC_DAPM_POST_PMD)
++#define SND_SOC_DAPM_PRE_POST_PMU \
++ (SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_POST_PMU)
+
+ /* convenience event type detection */
+ #define SND_SOC_DAPM_EVENT_ON(e) \
--- /dev/null
+From d84ea2123f8d27144e3f4d58cd88c9c6ddc799de Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Tue, 13 Aug 2019 16:01:02 +0200
+Subject: can: mcp251x: mcp251x_hw_reset(): allow more time after a reset
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit d84ea2123f8d27144e3f4d58cd88c9c6ddc799de upstream.
+
+Some boards take longer than 5ms to power up after a reset, so allow
+some retries attempts before giving up.
+
+Fixes: ff06d611a31c ("can: mcp251x: Improve mcp251x_hw_reset()")
+Cc: linux-stable <stable@vger.kernel.org>
+Tested-by: Sean Nyekjaer <sean@geanix.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/spi/mcp251x.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/can/spi/mcp251x.c
++++ b/drivers/net/can/spi/mcp251x.c
+@@ -627,7 +627,7 @@ static int mcp251x_setup(struct net_devi
+ static int mcp251x_hw_reset(struct spi_device *spi)
+ {
+ struct mcp251x_priv *priv = spi_get_drvdata(spi);
+- u8 reg;
++ unsigned long timeout;
+ int ret;
+
+ /* Wait for oscillator startup timer after power up */
+@@ -641,10 +641,19 @@ static int mcp251x_hw_reset(struct spi_d
+ /* Wait for oscillator startup timer after reset */
+ mdelay(MCP251X_OST_DELAY_MS);
+
+- reg = mcp251x_read_reg(spi, CANSTAT);
+- if ((reg & CANCTRL_REQOP_MASK) != CANCTRL_REQOP_CONF)
+- return -ENODEV;
+-
++ /* Wait for reset to finish */
++ timeout = jiffies + HZ;
++ while ((mcp251x_read_reg(spi, CANSTAT) & CANCTRL_REQOP_MASK) !=
++ CANCTRL_REQOP_CONF) {
++ usleep_range(MCP251X_OST_DELAY_MS * 1000,
++ MCP251X_OST_DELAY_MS * 1000 * 2);
++
++ if (time_after(jiffies, timeout)) {
++ dev_err(&spi->dev,
++ "MCP251x didn't enter in conf mode after reset\n");
++ return -EBUSY;
++ }
++ }
+ return 0;
+ }
+
--- /dev/null
+From 1b82feb6c5e1996513d0fb0bbb475417088b4954 Mon Sep 17 00:00:00 2001
+From: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+Date: Tue, 23 Jul 2019 07:24:01 +0000
+Subject: crypto: qat - Silence smp_processor_id() warning
+
+From: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+
+commit 1b82feb6c5e1996513d0fb0bbb475417088b4954 upstream.
+
+It seems that smp_processor_id() is only used for a best-effort
+load-balancing, refer to qat_crypto_get_instance_node(). It's not feasible
+to disable preemption for the duration of the crypto requests. Therefore,
+just silence the warning. This commit is similar to e7a9b05ca4
+("crypto: cavium - Fix smp_processor_id() warnings").
+
+Silences the following splat:
+BUG: using smp_processor_id() in preemptible [00000000] code: cryptomgr_test/2904
+caller is qat_alg_ablkcipher_setkey+0x300/0x4a0 [intel_qat]
+CPU: 1 PID: 2904 Comm: cryptomgr_test Tainted: P O 4.14.69 #1
+...
+Call Trace:
+ dump_stack+0x5f/0x86
+ check_preemption_disabled+0xd3/0xe0
+ qat_alg_ablkcipher_setkey+0x300/0x4a0 [intel_qat]
+ skcipher_setkey_ablkcipher+0x2b/0x40
+ __test_skcipher+0x1f3/0xb20
+ ? cpumask_next_and+0x26/0x40
+ ? find_busiest_group+0x10e/0x9d0
+ ? preempt_count_add+0x49/0xa0
+ ? try_module_get+0x61/0xf0
+ ? crypto_mod_get+0x15/0x30
+ ? __kmalloc+0x1df/0x1f0
+ ? __crypto_alloc_tfm+0x116/0x180
+ ? crypto_skcipher_init_tfm+0xa6/0x180
+ ? crypto_create_tfm+0x4b/0xf0
+ test_skcipher+0x21/0xa0
+ alg_test_skcipher+0x3f/0xa0
+ alg_test.part.6+0x126/0x2a0
+ ? finish_task_switch+0x21b/0x260
+ ? __schedule+0x1e9/0x800
+ ? __wake_up_common+0x8d/0x140
+ cryptomgr_test+0x40/0x50
+ kthread+0xff/0x130
+ ? cryptomgr_notify+0x540/0x540
+ ? kthread_create_on_node+0x70/0x70
+ ret_from_fork+0x24/0x50
+
+Fixes: ed8ccaef52 ("crypto: qat - Add support for SRIOV")
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/qat/qat_common/adf_common_drv.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/qat/qat_common/adf_common_drv.h
++++ b/drivers/crypto/qat/qat_common/adf_common_drv.h
+@@ -95,7 +95,7 @@ struct service_hndl {
+
+ static inline int get_current_node(void)
+ {
+- return topology_physical_package_id(smp_processor_id());
++ return topology_physical_package_id(raw_smp_processor_id());
+ }
+
+ int adf_service_register(struct service_hndl *service);
--- /dev/null
+From jinpuwang@gmail.com Tue Oct 8 09:22:17 2019
+From: Jack Wang <jinpuwang@gmail.com>
+Date: Mon, 7 Oct 2019 14:36:53 +0200
+Subject: KVM: nVMX: handle page fault in vmread fix
+To: gregkh@linuxfoundation.org, sashal@kernel.org, stable@vger.kernel.org, pbonzini@redhat.com
+Cc: Jack Wang <jinpu.wang@cloud.ionos.com>
+Message-ID: <20191007123653.17961-1-jinpuwang@gmail.com>
+
+From: Jack Wang <jinpu.wang@cloud.ionos.com>
+
+During backport f7eea636c3d5 ("KVM: nVMX: handle page fault in vmread"),
+there was a mistake the exception reference should be passed to function
+kvm_write_guest_virt_system, instead of NULL, other wise, we will get
+NULL pointer deref, eg
+
+kvm-unit-test triggered a NULL pointer deref below:
+[ 948.518437] kvm [24114]: vcpu0, guest rIP: 0x407ef9 kvm_set_msr_common: MSR_IA32_DEBUGCTLMSR 0x3, nop
+[ 949.106464] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
+[ 949.106707] PGD 0 P4D 0
+[ 949.106872] Oops: 0002 [#1] SMP
+[ 949.107038] CPU: 2 PID: 24126 Comm: qemu-2.7 Not tainted 4.19.77-pserver #4.19.77-1+feature+daily+update+20191005.1625+a4168bb~deb9
+[ 949.107283] Hardware name: Dell Inc. Precision Tower 3620/09WH54, BIOS 2.7.3 01/31/2018
+[ 949.107549] RIP: 0010:kvm_write_guest_virt_system+0x12/0x40 [kvm]
+[ 949.107719] Code: c0 5d 41 5c 41 5d 41 5e 83 f8 03 41 0f 94 c0 41 c1 e0 02 e9 b0 ed ff ff 0f 1f 44 00 00 48 89 f0 c6 87 59 56 00 00 01 48 89 d6 <49> c7 00 00 00 00 00 89 ca 49 c7 40 08 00 00 00 00 49 c7 40 10 00
+[ 949.108044] RSP: 0018:ffffb31b0a953cb0 EFLAGS: 00010202
+[ 949.108216] RAX: 000000000046b4d8 RBX: ffff9e9f415b0000 RCX: 0000000000000008
+[ 949.108389] RDX: ffffb31b0a953cc0 RSI: ffffb31b0a953cc0 RDI: ffff9e9f415b0000
+[ 949.108562] RBP: 00000000d2e14928 R08: 0000000000000000 R09: 0000000000000000
+[ 949.108733] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffffffffc8
+[ 949.108907] R13: 0000000000000002 R14: ffff9e9f4f26f2e8 R15: 0000000000000000
+[ 949.109079] FS: 00007eff8694c700(0000) GS:ffff9e9f51a80000(0000) knlGS:0000000031415928
+[ 949.109318] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 949.109495] CR2: 0000000000000000 CR3: 00000003be53b002 CR4: 00000000003626e0
+[ 949.109671] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 949.109845] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 949.110017] Call Trace:
+[ 949.110186] handle_vmread+0x22b/0x2f0 [kvm_intel]
+[ 949.110356] ? vmexit_fill_RSB+0xc/0x30 [kvm_intel]
+[ 949.110549] kvm_arch_vcpu_ioctl_run+0xa98/0x1b30 [kvm]
+[ 949.110725] ? kvm_vcpu_ioctl+0x388/0x5d0 [kvm]
+[ 949.110901] kvm_vcpu_ioctl+0x388/0x5d0 [kvm]
+[ 949.111072] do_vfs_ioctl+0xa2/0x620
+
+Signed-off-by: Jack Wang <jinpu.wang@cloud.ionos.com>
+Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ arch/x86/kvm/vmx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -7668,7 +7668,7 @@ static int handle_vmread(struct kvm_vcpu
+ /* _system ok, as nested_vmx_check_permission verified cpl=0 */
+ if (kvm_write_guest_virt_system(vcpu, gva, &field_value,
+ (is_long_mode(vcpu) ? 8 : 4),
+- NULL))
++ &e))
+ kvm_inject_page_fault(vcpu, &e);
+ }
+
--- /dev/null
+From a13b03bbb4575b350b46090af4dfd30e735aaed1 Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Thu, 29 Aug 2019 14:25:17 +0200
+Subject: KVM: s390: Test for bad access register and size at the start of S390_MEM_OP
+
+From: Thomas Huth <thuth@redhat.com>
+
+commit a13b03bbb4575b350b46090af4dfd30e735aaed1 upstream.
+
+If the KVM_S390_MEM_OP ioctl is called with an access register >= 16,
+then there is certainly a bug in the calling userspace application.
+We check for wrong access registers, but only if the vCPU was already
+in the access register mode before (i.e. the SIE block has recorded
+it). The check is also buried somewhere deep in the calling chain (in
+the function ar_translation()), so this is somewhat hard to find.
+
+It's better to always report an error to the userspace in case this
+field is set wrong, and it's safer in the KVM code if we block wrong
+values here early instead of relying on a check somewhere deep down
+the calling chain, so let's add another check to kvm_s390_guest_mem_op()
+directly.
+
+We also should check that the "size" is non-zero here (thanks to Janosch
+Frank for the hint!). If we do not check the size, we could call vmalloc()
+with this 0 value, and this will cause a kernel warning.
+
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Link: https://lkml.kernel.org/r/20190829122517.31042-1-thuth@redhat.com
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kvm/kvm-s390.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -3033,7 +3033,7 @@ static long kvm_s390_guest_mem_op(struct
+ const u64 supported_flags = KVM_S390_MEMOP_F_INJECT_EXCEPTION
+ | KVM_S390_MEMOP_F_CHECK_ONLY;
+
+- if (mop->flags & ~supported_flags)
++ if (mop->flags & ~supported_flags || mop->ar >= NUM_ACRS || !mop->size)
+ return -EINVAL;
+
+ if (mop->size > MEM_OP_MAX_SIZE)
--- /dev/null
+From e7de4f7b64c23e503a8c42af98d56f2a7462bd6d Mon Sep 17 00:00:00 2001
+From: Andrew Donnellan <ajd@linux.ibm.com>
+Date: Fri, 3 May 2019 17:52:53 +1000
+Subject: powerpc/powernv: Restrict OPAL symbol map to only be readable by root
+
+From: Andrew Donnellan <ajd@linux.ibm.com>
+
+commit e7de4f7b64c23e503a8c42af98d56f2a7462bd6d upstream.
+
+Currently the OPAL symbol map is globally readable, which seems bad as
+it contains physical addresses.
+
+Restrict it to root.
+
+Fixes: c8742f85125d ("powerpc/powernv: Expose OPAL firmware symbol map")
+Cc: stable@vger.kernel.org # v3.19+
+Suggested-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20190503075253.22798-1-ajd@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/powernv/opal.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/arch/powerpc/platforms/powernv/opal.c
++++ b/arch/powerpc/platforms/powernv/opal.c
+@@ -579,7 +579,10 @@ static ssize_t symbol_map_read(struct fi
+ bin_attr->size);
+ }
+
+-static BIN_ATTR_RO(symbol_map, 0);
++static struct bin_attribute symbol_map_attr = {
++ .attr = {.name = "symbol_map", .mode = 0400},
++ .read = symbol_map_read
++};
+
+ static void opal_export_symmap(void)
+ {
+@@ -596,10 +599,10 @@ static void opal_export_symmap(void)
+ return;
+
+ /* Setup attributes */
+- bin_attr_symbol_map.private = __va(be64_to_cpu(syms[0]));
+- bin_attr_symbol_map.size = be64_to_cpu(syms[1]);
++ symbol_map_attr.private = __va(be64_to_cpu(syms[0]));
++ symbol_map_attr.size = be64_to_cpu(syms[1]);
+
+- rc = sysfs_create_bin_file(opal_kobj, &bin_attr_symbol_map);
++ rc = sysfs_create_bin_file(opal_kobj, &symbol_map_attr);
+ if (rc)
+ pr_warn("Error %d creating OPAL symbols file\n", rc);
+ }
--- /dev/null
+From ea298e6ee8b34b3ed4366be7eb799d0650ebe555 Mon Sep 17 00:00:00 2001
+From: Vasily Gorbik <gor@linux.ibm.com>
+Date: Tue, 17 Sep 2019 20:04:04 +0200
+Subject: s390/cio: avoid calling strlen on null pointer
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+commit ea298e6ee8b34b3ed4366be7eb799d0650ebe555 upstream.
+
+Fix the following kasan finding:
+BUG: KASAN: global-out-of-bounds in ccwgroup_create_dev+0x850/0x1140
+Read of size 1 at addr 0000000000000000 by task systemd-udevd.r/561
+
+CPU: 30 PID: 561 Comm: systemd-udevd.r Tainted: G B
+Hardware name: IBM 3906 M04 704 (LPAR)
+Call Trace:
+([<0000000231b3db7e>] show_stack+0x14e/0x1a8)
+ [<0000000233826410>] dump_stack+0x1d0/0x218
+ [<000000023216fac4>] print_address_description+0x64/0x380
+ [<000000023216f5a8>] __kasan_report+0x138/0x168
+ [<00000002331b8378>] ccwgroup_create_dev+0x850/0x1140
+ [<00000002332b618a>] group_store+0x3a/0x50
+ [<00000002323ac706>] kernfs_fop_write+0x246/0x3b8
+ [<00000002321d409a>] vfs_write+0x132/0x450
+ [<00000002321d47da>] ksys_write+0x122/0x208
+ [<0000000233877102>] system_call+0x2a6/0x2c8
+
+Triggered by:
+openat(AT_FDCWD, "/sys/bus/ccwgroup/drivers/qeth/group",
+ O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0666) = 16
+write(16, "0.0.bd00,0.0.bd01,0.0.bd02", 26) = 26
+
+The problem is that __get_next_id in ccwgroup_create_dev might set "buf"
+buffer pointer to NULL and explicit check for that is required.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Sebastian Ott <sebott@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/cio/ccwgroup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/s390/cio/ccwgroup.c
++++ b/drivers/s390/cio/ccwgroup.c
+@@ -369,7 +369,7 @@ int ccwgroup_create_dev(struct device *p
+ goto error;
+ }
+ /* Check for trailing stuff. */
+- if (i == num_devices && strlen(buf) > 0) {
++ if (i == num_devices && buf && strlen(buf) > 0) {
+ rc = -EINVAL;
+ goto error;
+ }
--- /dev/null
+From ab5758848039de9a4b249d46e4ab591197eebaf2 Mon Sep 17 00:00:00 2001
+From: Vasily Gorbik <gor@linux.ibm.com>
+Date: Thu, 19 Sep 2019 15:55:17 +0200
+Subject: s390/cio: exclude subchannels with no parent from pseudo check
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+commit ab5758848039de9a4b249d46e4ab591197eebaf2 upstream.
+
+ccw console is created early in start_kernel and used before css is
+initialized or ccw console subchannel is registered. Until then console
+subchannel does not have a parent. For that reason assume subchannels
+with no parent are not pseudo subchannels. This fixes the following
+kasan finding:
+
+BUG: KASAN: global-out-of-bounds in sch_is_pseudo_sch+0x8e/0x98
+Read of size 8 at addr 00000000000005e8 by task swapper/0/0
+
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.3.0-rc8-07370-g6ac43dd12538 #2
+Hardware name: IBM 2964 NC9 702 (z/VM 6.4.0)
+Call Trace:
+([<000000000012cd76>] show_stack+0x14e/0x1e0)
+ [<0000000001f7fb44>] dump_stack+0x1a4/0x1f8
+ [<00000000007d7afc>] print_address_description+0x64/0x3c8
+ [<00000000007d75f6>] __kasan_report+0x14e/0x180
+ [<00000000018a2986>] sch_is_pseudo_sch+0x8e/0x98
+ [<000000000189b950>] cio_enable_subchannel+0x1d0/0x510
+ [<00000000018cac7c>] ccw_device_recognition+0x12c/0x188
+ [<0000000002ceb1a8>] ccw_device_enable_console+0x138/0x340
+ [<0000000002cf1cbe>] con3215_init+0x25e/0x300
+ [<0000000002c8770a>] console_init+0x68a/0x9b8
+ [<0000000002c6a3d6>] start_kernel+0x4fe/0x728
+ [<0000000000100070>] startup_continue+0x70/0xd0
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Sebastian Ott <sebott@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/cio/css.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/s390/cio/css.c
++++ b/drivers/s390/cio/css.c
+@@ -1120,6 +1120,8 @@ device_initcall(cio_settle_init);
+
+ int sch_is_pseudo_sch(struct subchannel *sch)
+ {
++ if (!sch->dev.parent)
++ return 0;
+ return sch == to_css(sch->dev.parent)->pseudo_subchannel;
+ }
+
--- /dev/null
+From f3122a79a1b0a113d3aea748e0ec26f2cb2889de Mon Sep 17 00:00:00 2001
+From: Vasily Gorbik <gor@linux.ibm.com>
+Date: Tue, 17 Sep 2019 22:59:03 +0200
+Subject: s390/topology: avoid firing events before kobjs are created
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+commit f3122a79a1b0a113d3aea748e0ec26f2cb2889de upstream.
+
+arch_update_cpu_topology is first called from:
+kernel_init_freeable->sched_init_smp->sched_init_domains
+
+even before cpus has been registered in:
+kernel_init_freeable->do_one_initcall->s390_smp_init
+
+Do not trigger kobject_uevent change events until cpu devices are
+actually created. Fixes the following kasan findings:
+
+BUG: KASAN: global-out-of-bounds in kobject_uevent_env+0xb40/0xee0
+Read of size 8 at addr 0000000000000020 by task swapper/0/1
+
+BUG: KASAN: global-out-of-bounds in kobject_uevent_env+0xb36/0xee0
+Read of size 8 at addr 0000000000000018 by task swapper/0/1
+
+CPU: 0 PID: 1 Comm: swapper/0 Tainted: G B
+Hardware name: IBM 3906 M04 704 (LPAR)
+Call Trace:
+([<0000000143c6db7e>] show_stack+0x14e/0x1a8)
+ [<0000000145956498>] dump_stack+0x1d0/0x218
+ [<000000014429fb4c>] print_address_description+0x64/0x380
+ [<000000014429f630>] __kasan_report+0x138/0x168
+ [<0000000145960b96>] kobject_uevent_env+0xb36/0xee0
+ [<0000000143c7c47c>] arch_update_cpu_topology+0x104/0x108
+ [<0000000143df9e22>] sched_init_domains+0x62/0xe8
+ [<000000014644c94a>] sched_init_smp+0x3a/0xc0
+ [<0000000146433a20>] kernel_init_freeable+0x558/0x958
+ [<000000014599002a>] kernel_init+0x22/0x160
+ [<00000001459a71d4>] ret_from_fork+0x28/0x30
+ [<00000001459a71dc>] kernel_thread_starter+0x0/0x10
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kernel/topology.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/kernel/topology.c
++++ b/arch/s390/kernel/topology.c
+@@ -256,7 +256,8 @@ int arch_update_cpu_topology(void)
+ topology_update_polarization_simple();
+ for_each_online_cpu(cpu) {
+ dev = get_cpu_device(cpu);
+- kobject_uevent(&dev->kobj, KOBJ_CHANGE);
++ if (dev)
++ kobject_uevent(&dev->kobj, KOBJ_CHANGE);
+ }
+ return rc;
+ }
--- /dev/null
+kvm-s390-test-for-bad-access-register-and-size-at-the-start-of-s390_mem_op.patch
+s390-topology-avoid-firing-events-before-kobjs-are-created.patch
+s390-cio-avoid-calling-strlen-on-null-pointer.patch
+s390-cio-exclude-subchannels-with-no-parent-from-pseudo-check.patch
+kvm-nvmx-handle-page-fault-in-vmread-fix.patch
+asoc-define-a-set-of-dapm-pre-post-up-events.patch
+powerpc-powernv-restrict-opal-symbol-map-to-only-be-readable-by-root.patch
+can-mcp251x-mcp251x_hw_reset-allow-more-time-after-a-reset.patch
+crypto-qat-silence-smp_processor_id-warning.patch
+usercopy-avoid-highmem-pfn-warning.patch
+timer-read-jiffies-once-when-forwarding-base-clk.patch
--- /dev/null
+From e430d802d6a3aaf61bd3ed03d9404888a29b9bf9 Mon Sep 17 00:00:00 2001
+From: Li RongQing <lirongqing@baidu.com>
+Date: Thu, 19 Sep 2019 20:04:47 +0800
+Subject: timer: Read jiffies once when forwarding base clk
+
+From: Li RongQing <lirongqing@baidu.com>
+
+commit e430d802d6a3aaf61bd3ed03d9404888a29b9bf9 upstream.
+
+The timer delayed for more than 3 seconds warning was triggered during
+testing.
+
+ Workqueue: events_unbound sched_tick_remote
+ RIP: 0010:sched_tick_remote+0xee/0x100
+ ...
+ Call Trace:
+ process_one_work+0x18c/0x3a0
+ worker_thread+0x30/0x380
+ kthread+0x113/0x130
+ ret_from_fork+0x22/0x40
+
+The reason is that the code in collect_expired_timers() uses jiffies
+unprotected:
+
+ if (next_event > jiffies)
+ base->clk = jiffies;
+
+As the compiler is allowed to reload the value base->clk can advance
+between the check and the store and in the worst case advance farther than
+next event. That causes the timer expiry to be delayed until the wheel
+pointer wraps around.
+
+Convert the code to use READ_ONCE()
+
+Fixes: 236968383cf5 ("timers: Optimize collect_expired_timers() for NOHZ")
+Signed-off-by: Li RongQing <lirongqing@baidu.com>
+Signed-off-by: Liang ZhiCheng <liangzhicheng@baidu.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/1568894687-14499-1-git-send-email-lirongqing@baidu.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/time/timer.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/kernel/time/timer.c
++++ b/kernel/time/timer.c
+@@ -1586,21 +1586,23 @@ void timer_clear_idle(void)
+ static int collect_expired_timers(struct timer_base *base,
+ struct hlist_head *heads)
+ {
++ unsigned long now = READ_ONCE(jiffies);
++
+ /*
+ * NOHZ optimization. After a long idle sleep we need to forward the
+ * base to current jiffies. Avoid a loop by searching the bitfield for
+ * the next expiring timer.
+ */
+- if ((long)(jiffies - base->clk) > 2) {
++ if ((long)(now - base->clk) > 2) {
+ unsigned long next = __next_timer_interrupt(base);
+
+ /*
+ * If the next timer is ahead of time forward to current
+ * jiffies, otherwise forward to the next expiry time:
+ */
+- if (time_after(next, jiffies)) {
++ if (time_after(next, now)) {
+ /* The call site will increment clock! */
+- base->clk = jiffies - 1;
++ base->clk = now - 1;
+ return 0;
+ }
+ base->clk = next;
--- /dev/null
+From 314eed30ede02fa925990f535652254b5bad6b65 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Tue, 17 Sep 2019 11:00:25 -0700
+Subject: usercopy: Avoid HIGHMEM pfn warning
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 314eed30ede02fa925990f535652254b5bad6b65 upstream.
+
+When running on a system with >512MB RAM with a 32-bit kernel built with:
+
+ CONFIG_DEBUG_VIRTUAL=y
+ CONFIG_HIGHMEM=y
+ CONFIG_HARDENED_USERCOPY=y
+
+all execve()s will fail due to argv copying into kmap()ed pages, and on
+usercopy checking the calls ultimately of virt_to_page() will be looking
+for "bad" kmap (highmem) pointers due to CONFIG_DEBUG_VIRTUAL=y:
+
+ ------------[ cut here ]------------
+ kernel BUG at ../arch/x86/mm/physaddr.c:83!
+ invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
+ CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.3.0-rc8 #6
+ Hardware name: Dell Inc. Inspiron 1318/0C236D, BIOS A04 01/15/2009
+ EIP: __phys_addr+0xaf/0x100
+ ...
+ Call Trace:
+ __check_object_size+0xaf/0x3c0
+ ? __might_sleep+0x80/0xa0
+ copy_strings+0x1c2/0x370
+ copy_strings_kernel+0x2b/0x40
+ __do_execve_file+0x4ca/0x810
+ ? kmem_cache_alloc+0x1c7/0x370
+ do_execve+0x1b/0x20
+ ...
+
+The check is from arch/x86/mm/physaddr.c:
+
+ VIRTUAL_BUG_ON((phys_addr >> PAGE_SHIFT) > max_low_pfn);
+
+Due to the kmap() in fs/exec.c:
+
+ kaddr = kmap(kmapped_page);
+ ...
+ if (copy_from_user(kaddr+offset, str, bytes_to_copy)) ...
+
+Now we can fetch the correct page to avoid the pfn check. In both cases,
+hardened usercopy will need to walk the page-span checker (if enabled)
+to do sanity checking.
+
+Reported-by: Randy Dunlap <rdunlap@infradead.org>
+Tested-by: Randy Dunlap <rdunlap@infradead.org>
+Fixes: f5509cc18daa ("mm: Hardened usercopy")
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Link: https://lore.kernel.org/r/201909171056.7F2FFD17@keescook
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/usercopy.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/mm/usercopy.c
++++ b/mm/usercopy.c
+@@ -15,6 +15,7 @@
+ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+ #include <linux/mm.h>
++#include <linux/highmem.h>
+ #include <linux/slab.h>
+ #include <asm/sections.h>
+
+@@ -217,7 +218,12 @@ static inline const char *check_heap_obj
+ if (!virt_addr_valid(ptr))
+ return NULL;
+
+- page = virt_to_head_page(ptr);
++ /*
++ * When CONFIG_HIGHMEM=y, kmap_to_page() will give either the
++ * highmem page or fallback to virt_to_page(). The following
++ * is effectively a highmem-aware virt_to_head_page().
++ */
++ page = compound_head(kmap_to_page((void *)ptr));
+
+ /* Check slab allocator for flags and size. */
+ if (PageSlab(page))
projects / thirdparty / kernel / stable-queue.git / commitdiff
