--- /dev/null
+From a58015d638cd4e4555297b04bec9b49028369075 Mon Sep 17 00:00:00 2001
+From: Dexuan Cui <decui@microsoft.com>
+Date: Thu, 7 Jan 2021 23:23:48 -0800
+Subject: ACPI: scan: Harden acpi_device_add() against device ID overflows
+
+From: Dexuan Cui <decui@microsoft.com>
+
+commit a58015d638cd4e4555297b04bec9b49028369075 upstream.
+
+Linux VM on Hyper-V crashes with the latest mainline:
+
+[ 4.069624] detected buffer overflow in strcpy
+[ 4.077733] kernel BUG at lib/string.c:1149!
+..
+[ 4.085819] RIP: 0010:fortify_panic+0xf/0x11
+...
+[ 4.085819] Call Trace:
+[ 4.085819] acpi_device_add.cold.15+0xf2/0xfb
+[ 4.085819] acpi_add_single_object+0x2a6/0x690
+[ 4.085819] acpi_bus_check_add+0xc6/0x280
+[ 4.085819] acpi_ns_walk_namespace+0xda/0x1aa
+[ 4.085819] acpi_walk_namespace+0x9a/0xc2
+[ 4.085819] acpi_bus_scan+0x78/0x90
+[ 4.085819] acpi_scan_init+0xfa/0x248
+[ 4.085819] acpi_init+0x2c1/0x321
+[ 4.085819] do_one_initcall+0x44/0x1d0
+[ 4.085819] kernel_init_freeable+0x1ab/0x1f4
+
+This is because of the recent buffer overflow detection in the
+commit 6a39e62abbaf ("lib: string.h: detect intra-object overflow in
+fortified string functions")
+
+Here acpi_device_bus_id->bus_id can only hold 14 characters, while the
+the acpi_device_hid(device) returns a 22-char string
+"HYPER_V_GEN_COUNTER_V1".
+
+Per ACPI Spec v6.2, Section 6.1.5 _HID (Hardware ID), if the ID is a
+string, it must be of the form AAA#### or NNNN####, i.e. 7 chars or 8
+chars.
+
+The field bus_id in struct acpi_device_bus_id was originally defined as
+char bus_id[9], and later was enlarged to char bus_id[15] in 2007 in the
+commit bb0958544f3c ("ACPI: use more understandable bus_id for ACPI
+devices")
+
+Fix the issue by changing the field bus_id to const char *, and use
+kstrdup_const() to initialize it.
+
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Tested-By: Jethro Beekman <jethro@fortanix.com>
+[ rjw: Subject change, whitespace adjustment ]
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/internal.h | 2 +-
+ drivers/acpi/scan.c | 15 ++++++++++++++-
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+--- a/drivers/acpi/internal.h
++++ b/drivers/acpi/internal.h
+@@ -97,7 +97,7 @@ void acpi_scan_table_handler(u32 event,
+ extern struct list_head acpi_bus_id_list;
+
+ struct acpi_device_bus_id {
+- char bus_id[15];
++ const char *bus_id;
+ unsigned int instance_no;
+ struct list_head node;
+ };
+--- a/drivers/acpi/scan.c
++++ b/drivers/acpi/scan.c
+@@ -487,6 +487,7 @@ static void acpi_device_del(struct acpi_
+ acpi_device_bus_id->instance_no--;
+ else {
+ list_del(&acpi_device_bus_id->node);
++ kfree_const(acpi_device_bus_id->bus_id);
+ kfree(acpi_device_bus_id);
+ }
+ break;
+@@ -675,7 +676,14 @@ int acpi_device_add(struct acpi_device *
+ }
+ if (!found) {
+ acpi_device_bus_id = new_bus_id;
+- strcpy(acpi_device_bus_id->bus_id, acpi_device_hid(device));
++ acpi_device_bus_id->bus_id =
++ kstrdup_const(acpi_device_hid(device), GFP_KERNEL);
++ if (!acpi_device_bus_id->bus_id) {
++ pr_err(PREFIX "Memory allocation error for bus id\n");
++ result = -ENOMEM;
++ goto err_free_new_bus_id;
++ }
++
+ acpi_device_bus_id->instance_no = 0;
+ list_add_tail(&acpi_device_bus_id->node, &acpi_bus_id_list);
+ }
+@@ -710,6 +718,11 @@ int acpi_device_add(struct acpi_device *
+ if (device->parent)
+ list_del(&device->node);
+ list_del(&device->wakeup_list);
++
++ err_free_new_bus_id:
++ if (!found)
++ kfree(new_bus_id);
++
+ mutex_unlock(&acpi_device_lock);
+
+ err_detach:
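Review bot: The new `err_free_new_bus_id` label sits directly below the existing `list_del()` cleanup, so that older error path now falls through into `if (!found) kfree(new_bus_id);`. By then the previous hunk has already run `list_add_tail(&acpi_device_bus_id->node, &acpi_bus_id_list)` and set `bus_id` with `kstrdup_const()`, so the fall-through would free a node still linked on `acpi_bus_id_list` and leak the duplicated string. If that path is reachable after the list insertion (the label above these lines is outside the hunk), it needs `list_del(&new_bus_id->node); kfree_const(new_bus_id->bus_id);` before the `kfree()`. Only the direct `goto err_free_new_bus_id` case, taken before the insertion, is safe as written.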
--- /dev/null
+From 5c6679b5cb120f07652418524ab186ac47680b49 Mon Sep 17 00:00:00 2001
+From: Thomas Hebb <tommyhebb@gmail.com>
+Date: Sat, 12 Dec 2020 17:20:12 -0800
+Subject: ASoC: dapm: remove widget from dirty list on free
+
+From: Thomas Hebb <tommyhebb@gmail.com>
+
+commit 5c6679b5cb120f07652418524ab186ac47680b49 upstream.
+
+A widget's "dirty" list_head, much like its "list" list_head, eventually
+chains back to a list_head on the snd_soc_card itself. This means that
+the list can stick around even after the widget (or all widgets) have
+been freed. Currently, however, widgets that are in the dirty list when
+freed remain there, corrupting the entire list and leading to memory
+errors and undefined behavior when the list is next accessed or
+modified.
+
+I encountered this issue when a component failed to probe relatively
+late in snd_soc_bind_card(), causing it to bail out and call
+soc_cleanup_card_resources(), which eventually called
+snd_soc_dapm_free() with widgets that were still dirty from when they'd
+been added.
+
+Fixes: db432b414e20 ("ASoC: Do DAPM power checks only for widgets changed since last run")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Hebb <tommyhebb@gmail.com>
+Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://lore.kernel.org/r/f8b5f031d50122bf1a9bfc9cae046badf4a7a31a.1607822410.git.tommyhebb@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/soc-dapm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/soc/soc-dapm.c
++++ b/sound/soc/soc-dapm.c
+@@ -2484,6 +2484,7 @@ void snd_soc_dapm_free_widget(struct snd
+ enum snd_soc_dapm_direction dir;
+
+ list_del(&w->list);
++ list_del(&w->dirty);
+ /*
+ * remove source and sink paths associated to this widget.
+ * While removing the path, remove reference to it from both
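Review bot: `list_del(&w->dirty)` is correct only if `w->dirty` is always a valid list node at this point, either linked on the card's dirty list or an initialized empty head, because `list_del()` on an uninitialized `list_head` corrupts memory. The initialization is not visible in this hunk, so a one-line comment would record the assumption: `/* w->dirty is initialized at widget creation, so unlinking is safe even if the widget is not dirty */` (to be confirmed against the creation path). `snd_soc_dapm_free_widget()` continues outside the hunk.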
--- /dev/null
+From 17ffc193cdc6dc7a613d00d8ad47fc1f801b9bf0 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Tue, 12 Jan 2021 14:54:47 -0500
+Subject: dm integrity: fix the maximum number of arguments
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 17ffc193cdc6dc7a613d00d8ad47fc1f801b9bf0 upstream.
+
+Advance the maximum number of arguments from 9 to 15 to account for
+all potential feature flags that may be supplied.
+
+Linux 4.19 added "meta_device"
+(356d9d52e1221ba0c9f10b8b38652f78a5298329) and "recalculate"
+(a3fcf7253139609bf9ff901fbf955fba047e75dd) flags.
+
+Commit 468dfca38b1a6fbdccd195d875599cb7c8875cd9 added
+"sectors_per_bit" and "bitmap_flush_interval".
+
+Commit 84597a44a9d86ac949900441cea7da0af0f2f473 added
+"allow_discards".
+
+And the commit d537858ac8aaf4311b51240893add2fc62003b97 added
+"fix_padding".
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org # v4.19+
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-integrity.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-integrity.c
++++ b/drivers/md/dm-integrity.c
+@@ -3585,7 +3585,7 @@ static int dm_integrity_ctr(struct dm_ta
+ unsigned extra_args;
+ struct dm_arg_set as;
+ static const struct dm_arg _args[] = {
+- {0, 9, "Invalid number of feature args"},
++ {0, 15, "Invalid number of feature args"},
+ };
+ unsigned journal_sectors, interleave_sectors, buffer_sectors, journal_watermark, sync_msec;
+ bool should_write_sb;
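Review bot: The upper bound `15` in `_args[]` is a bare literal that must be raised by hand whenever a feature flag is added, and the commit message lists several flags that were added without it being raised. A comment next to it saying what it counts, such as `/* max feature args: keep in sync with the optional-argument parser below */`, would make the next omission easier to spot. The parser is outside this hunk, so whether 15 is exact cannot be checked from here.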
--- /dev/null
+From cc07d72bf350b77faeffee1c37bc52197171473f Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@redhat.com>
+Date: Thu, 24 Sep 2020 13:14:52 -0400
+Subject: dm raid: fix discard limits for raid1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mike Snitzer <snitzer@redhat.com>
+
+commit cc07d72bf350b77faeffee1c37bc52197171473f upstream.
+
+Block core warned that discard_granularity was 0 for dm-raid with
+personality of raid1. Reason is that raid_io_hints() was incorrectly
+special-casing raid1 rather than raid0.
+
+Fix raid_io_hints() by removing discard limits settings for
+raid1. Check for raid0 instead.
+
+Fixes: 61697a6abd24a ("dm: eliminate 'split_discard_bios' flag from DM target interface")
+Cc: stable@vger.kernel.org
+Reported-by: Zdenek Kabelac <zkabelac@redhat.com>
+Reported-by: Mikulas Patocka <mpatocka@redhat.com>
+Reported-by: Stephan Bärwolf <stephan@matrixstorm.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-raid.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/dm-raid.c
++++ b/drivers/md/dm-raid.c
+@@ -3744,10 +3744,10 @@ static void raid_io_hints(struct dm_targ
+ blk_limits_io_opt(limits, chunk_size_bytes * mddev_data_stripes(rs));
+
+ /*
+- * RAID1 and RAID10 personalities require bio splitting,
+- * RAID0/4/5/6 don't and process large discard bios properly.
++ * RAID0 and RAID10 personalities require bio splitting,
++ * RAID1/4/5/6 don't and process large discard bios properly.
+ */
+- if (rs_is_raid1(rs) || rs_is_raid10(rs)) {
++ if (rs_is_raid0(rs) || rs_is_raid10(rs)) {
+ limits->discard_granularity = chunk_size_bytes;
+ limits->max_discard_sectors = rs->md.chunk_sectors;
+ }
--- /dev/null
+From fcc42338375a1e67b8568dbb558f8b784d0f3b01 Mon Sep 17 00:00:00 2001
+From: Akilesh Kailash <akailash@google.com>
+Date: Mon, 28 Dec 2020 07:14:07 +0000
+Subject: dm snapshot: flush merged data before committing metadata
+
+From: Akilesh Kailash <akailash@google.com>
+
+commit fcc42338375a1e67b8568dbb558f8b784d0f3b01 upstream.
+
+If the origin device has a volatile write-back cache and the following
+events occur:
+
+1: After finishing merge operation of one set of exceptions,
+ merge_callback() is invoked.
+2: Update the metadata in COW device tracking the merge completion.
+ This update to COW device is flushed cleanly.
+3: System crashes and the origin device's cache where the recent
+ merge was completed has not been flushed.
+
+During the next cycle when we read the metadata from the COW device,
+we will skip reading those metadata whose merge was completed in
+step (1). This will lead to data loss/corruption.
+
+To address this, flush the origin device post merge IO before
+updating the metadata.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Akilesh Kailash <akailash@google.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-snap.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+--- a/drivers/md/dm-snap.c
++++ b/drivers/md/dm-snap.c
+@@ -141,6 +141,11 @@ struct dm_snapshot {
+ * for them to be committed.
+ */
+ struct bio_list bios_queued_during_merge;
++
++ /*
++ * Flush data after merge.
++ */
++ struct bio flush_bio;
+ };
+
+ /*
+@@ -1121,6 +1126,17 @@ shut:
+
+ static void error_bios(struct bio *bio);
+
++static int flush_data(struct dm_snapshot *s)
++{
++ struct bio *flush_bio = &s->flush_bio;
++
++ bio_reset(flush_bio);
++ bio_set_dev(flush_bio, s->origin->bdev);
++ flush_bio->bi_opf = REQ_OP_WRITE | REQ_PREFLUSH;
++
++ return submit_bio_wait(flush_bio);
++}
++
+ static void merge_callback(int read_err, unsigned long write_err, void *context)
+ {
+ struct dm_snapshot *s = context;
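Review bot: `flush_data()` reuses the single `flush_bio` embedded in `struct dm_snapshot` and calls `bio_reset()` on it every time, which is safe only if two merge completions for the same snapshot can never run at once; nothing in this hunk states that. It also blocks in `submit_bio_wait()` from inside `merge_callback()`, so the callback's context must be allowed to sleep. A short comment above the function would record both assumptions, e.g. `/* Synchronously flush the origin device; may sleep, and merges must be serialized because s->flush_bio is reused. */`. `merge_callback()` continues outside the hunk.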
+@@ -1134,6 +1150,11 @@ static void merge_callback(int read_err,
+ goto shut;
+ }
+
++ if (flush_data(s) < 0) {
++ DMERR("Flush after merge failed: shutting down merge");
++ goto shut;
++ }
++
+ if (s->store->type->commit_merge(s->store,
+ s->num_merging_chunks) < 0) {
+ DMERR("Write error in exception store: shutting down merge");
+@@ -1318,6 +1339,7 @@ static int snapshot_ctr(struct dm_target
+ s->first_merging_chunk = 0;
+ s->num_merging_chunks = 0;
+ bio_list_init(&s->bios_queued_during_merge);
++ bio_init(&s->flush_bio, NULL, 0);
+
+ /* Allocate hash table for COW data */
+ if (init_hash_tables(s)) {
+@@ -1504,6 +1526,8 @@ static void snapshot_dtr(struct dm_targe
+
+ dm_exception_store_destroy(s->store);
+
++ bio_uninit(&s->flush_bio);
++
+ dm_put_device(ti, s->cow);
+
+ dm_put_device(ti, s->origin);
--- /dev/null
+From 4d4f9c1a17a3480f8fe523673f7232b254d724b7 Mon Sep 17 00:00:00 2001
+From: Paul Cercueil <paul@crapouillou.net>
+Date: Wed, 16 Dec 2020 23:39:56 +0000
+Subject: MIPS: boot: Fix unaligned access with CONFIG_MIPS_RAW_APPENDED_DTB
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paul Cercueil <paul@crapouillou.net>
+
+commit 4d4f9c1a17a3480f8fe523673f7232b254d724b7 upstream.
+
+The compressed payload is not necesarily 4-byte aligned, at least when
+compiling with Clang. In that case, the 4-byte value appended to the
+compressed payload that corresponds to the uncompressed kernel image
+size must be read using get_unaligned_le32().
+
+This fixes Clang-built kernels not booting on MIPS (tested on a Ingenic
+JZ4770 board).
+
+Fixes: b8f54f2cde78 ("MIPS: ZBOOT: copy appended dtb to the end of the kernel")
+Cc: <stable@vger.kernel.org> # v4.7
+Signed-off-by: Paul Cercueil <paul@crapouillou.net>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/boot/compressed/decompress.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/boot/compressed/decompress.c
++++ b/arch/mips/boot/compressed/decompress.c
+@@ -13,6 +13,7 @@
+ #include <linux/libfdt.h>
+
+ #include <asm/addrspace.h>
++#include <asm/unaligned.h>
+
+ /*
+ * These two variables specify the free mem region
+@@ -113,7 +114,7 @@ void decompress_kernel(unsigned long boo
+ dtb_size = fdt_totalsize((void *)&__appended_dtb);
+
+ /* last four bytes is always image size in little endian */
+- image_size = le32_to_cpup((void *)&__image_end - 4);
++ image_size = get_unaligned_le32((void *)&__image_end - 4);
+
+ /* copy dtb to where the booted kernel will expect it */
+ memcpy((void *)VMLINUX_LOAD_ADDRESS_ULL + image_size,
--- /dev/null
+From 698222457465ce343443be81c5512edda86e5914 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 24 Dec 2020 19:44:38 +0000
+Subject: MIPS: Fix malformed NT_FILE and NT_SIGINFO in 32bit coredumps
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 698222457465ce343443be81c5512edda86e5914 upstream.
+
+Patches that introduced NT_FILE and NT_SIGINFO notes back in 2012
+had taken care of native (fs/binfmt_elf.c) and compat (fs/compat_binfmt_elf.c)
+coredumps; unfortunately, compat on mips (which does not go through the
+usual compat_binfmt_elf.c) had not been noticed.
+
+As the result, both N32 and O32 coredumps on 64bit mips kernels
+have those sections malformed enough to confuse the living hell out of
+all gdb and readelf versions (up to and including the tip of binutils-gdb.git).
+
+Longer term solution is to make both O32 and N32 compat use the
+regular compat_binfmt_elf.c, but that's too much for backports. The minimal
+solution is to do in arch/mips/kernel/binfmt_elf[on]32.c the same thing
+those patches have done in fs/compat_binfmt_elf.c
+
+Cc: stable@kernel.org # v3.7+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/binfmt_elfn32.c | 7 +++++++
+ arch/mips/kernel/binfmt_elfo32.c | 7 +++++++
+ 2 files changed, 14 insertions(+)
+
+--- a/arch/mips/kernel/binfmt_elfn32.c
++++ b/arch/mips/kernel/binfmt_elfn32.c
+@@ -103,4 +103,11 @@ jiffies_to_old_timeval32(unsigned long j
+ #undef ns_to_timeval
+ #define ns_to_timeval ns_to_old_timeval32
+
++/*
++ * Some data types as stored in coredump.
++ */
++#define user_long_t compat_long_t
++#define user_siginfo_t compat_siginfo_t
++#define copy_siginfo_to_external copy_siginfo_to_external32
++
+ #include "../../../fs/binfmt_elf.c"
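Review bot: The comment `Some data types as stored in coredump.` does not cover the third define, which remaps a function (`copy_siginfo_to_external` to `copy_siginfo_to_external32`) rather than a type. It also does not say that these overrides take effect only because they come before the `#include` of `fs/binfmt_elf.c`. Suggested wording: `/* Compat types and siginfo copy helper picked up by the included binfmt_elf.c for coredump notes; must stay above the #include. */`. The same applies to the identical block added to binfmt_elfo32.c.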
+--- a/arch/mips/kernel/binfmt_elfo32.c
++++ b/arch/mips/kernel/binfmt_elfo32.c
+@@ -106,4 +106,11 @@ jiffies_to_old_timeval32(unsigned long j
+ #undef ns_to_timeval
+ #define ns_to_timeval ns_to_old_timeval32
+
++/*
++ * Some data types as stored in coredump.
++ */
++#define user_long_t compat_long_t
++#define user_siginfo_t compat_siginfo_t
++#define copy_siginfo_to_external copy_siginfo_to_external32
++
+ #include "../../../fs/binfmt_elf.c"
--- /dev/null
+From ad4fddef5f2345aa9214e979febe2f47639c10d9 Mon Sep 17 00:00:00 2001
+From: Anders Roxell <anders.roxell@linaro.org>
+Date: Fri, 27 Nov 2020 09:39:43 +0100
+Subject: mips: fix Section mismatch in reference
+
+From: Anders Roxell <anders.roxell@linaro.org>
+
+commit ad4fddef5f2345aa9214e979febe2f47639c10d9 upstream.
+
+When building mips tinyconfig with clang the following error show up:
+
+WARNING: modpost: vmlinux.o(.text+0x1940c): Section mismatch in reference from the function r4k_cache_init() to the function .init.text:loongson3_sc_init()
+The function r4k_cache_init() references
+the function __init loongson3_sc_init().
+This is often because r4k_cache_init lacks a __init
+annotation or the annotation of loongson3_sc_init is wrong.
+
+Remove marked __init from function loongson3_sc_init(),
+mips_sc_probe_cm3(), and mips_sc_probe().
+
+Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/mm/c-r4k.c | 2 +-
+ arch/mips/mm/sc-mips.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/mips/mm/c-r4k.c
++++ b/arch/mips/mm/c-r4k.c
+@@ -1576,7 +1576,7 @@ static void __init loongson2_sc_init(voi
+ c->options |= MIPS_CPU_INCLUSIVE_CACHES;
+ }
+
+-static void __init loongson3_sc_init(void)
++static void loongson3_sc_init(void)
+ {
+ struct cpuinfo_mips *c = ¤t_cpu_data;
+ unsigned int config2, lsize;
+--- a/arch/mips/mm/sc-mips.c
++++ b/arch/mips/mm/sc-mips.c
+@@ -147,7 +147,7 @@ static inline int mips_sc_is_activated(s
+ return 1;
+ }
+
+-static int __init mips_sc_probe_cm3(void)
++static int mips_sc_probe_cm3(void)
+ {
+ struct cpuinfo_mips *c = ¤t_cpu_data;
+ unsigned long cfg = read_gcr_l2_config();
+@@ -181,7 +181,7 @@ static int __init mips_sc_probe_cm3(void
+ return 0;
+ }
+
+-static inline int __init mips_sc_probe(void)
++static inline int mips_sc_probe(void)
+ {
+ struct cpuinfo_mips *c = ¤t_cpu_data;
+ unsigned int config1, config2;
--- /dev/null
+From 5b058973d3205578aa6c9a71392e072a11ca44ef Mon Sep 17 00:00:00 2001
+From: Anders Roxell <anders.roxell@linaro.org>
+Date: Fri, 11 Dec 2020 11:24:37 +0100
+Subject: mips: lib: uncached: fix non-standard usage of variable 'sp'
+
+From: Anders Roxell <anders.roxell@linaro.org>
+
+commit 5b058973d3205578aa6c9a71392e072a11ca44ef upstream.
+
+When building mips tinyconfig with clang the following warning show up:
+
+arch/mips/lib/uncached.c:45:6: warning: variable 'sp' is uninitialized when used here [-Wuninitialized]
+ if (sp >= (long)CKSEG0 && sp < (long)CKSEG2)
+ ^~
+arch/mips/lib/uncached.c:40:18: note: initialize the variable 'sp' to silence this warning
+ register long sp __asm__("$sp");
+ ^
+ = 0
+1 warning generated.
+
+Rework to make an explicit inline move, instead of the non-standard use
+of specifying registers for local variables. This is what's written
+from the gcc-10 manual [1] about specifying registers for local
+variables:
+
+"6.47.5.2 Specifying Registers for Local Variables
+.................................................
+[...]
+
+"The only supported use for this feature is to specify registers for
+input and output operands when calling Extended 'asm' (*note Extended
+Asm::). [...]".
+
+[1] https://docs.w3cub.com/gcc~10/local-register-variables
+Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
+Reported-by: Nathan Chancellor <natechancellor@gmail.com>
+Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/lib/uncached.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/lib/uncached.c
++++ b/arch/mips/lib/uncached.c
+@@ -37,10 +37,12 @@
+ */
+ unsigned long run_uncached(void *func)
+ {
+- register long sp __asm__("$sp");
+ register long ret __asm__("$2");
+ long lfunc = (long)func, ufunc;
+ long usp;
++ long sp;
++
++ __asm__("move %0, $sp" : "=r" (sp));
+
+ if (sp >= (long)CKSEG0 && sp < (long)CKSEG2)
+ usp = CKSEG1ADDR(sp);
--- /dev/null
+From 69e976831cd53f9ba304fd20305b2025ecc78eab Mon Sep 17 00:00:00 2001
+From: Alexander Lobakin <alobakin@pm.me>
+Date: Sun, 10 Jan 2021 14:21:05 +0000
+Subject: MIPS: relocatable: fix possible boot hangup with KASLR enabled
+
+From: Alexander Lobakin <alobakin@pm.me>
+
+commit 69e976831cd53f9ba304fd20305b2025ecc78eab upstream.
+
+LLVM-built Linux triggered a boot hangup with KASLR enabled.
+
+arch/mips/kernel/relocate.c:get_random_boot() uses linux_banner,
+which is a string constant, as a random seed, but accesses it
+as an array of unsigned long (in rotate_xor()).
+When the address of linux_banner is not aligned to sizeof(long),
+such access emits unaligned access exception and hangs the kernel.
+
+Use PTR_ALIGN() to align input address to sizeof(long) and also
+align down the input length to prevent possible access-beyond-end.
+
+Fixes: 405bc8fd12f5 ("MIPS: Kernel: Implement KASLR using CONFIG_RELOCATABLE")
+Cc: stable@vger.kernel.org # 4.7+
+Signed-off-by: Alexander Lobakin <alobakin@pm.me>
+Tested-by: Nathan Chancellor <natechancellor@gmail.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/relocate.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/kernel/relocate.c
++++ b/arch/mips/kernel/relocate.c
+@@ -187,8 +187,14 @@ static int __init relocate_exception_tab
+ static inline __init unsigned long rotate_xor(unsigned long hash,
+ const void *area, size_t size)
+ {
+- size_t i;
+- unsigned long *ptr = (unsigned long *)area;
++ const typeof(hash) *ptr = PTR_ALIGN(area, sizeof(hash));
++ size_t diff, i;
++
++ diff = (void *)ptr - area;
++ if (unlikely(size < diff + sizeof(hash)))
++ return hash;
++
++ size = ALIGN_DOWN(size - diff, sizeof(hash));
+
+ for (i = 0; i < size / sizeof(hash); i++) {
+ /* Rotate by odd number of bits and XOR. */
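Review bot: After this change `rotate_xor()` silently skips the bytes before the first aligned word and any tail shorter than `sizeof(hash)`, and it returns `hash` unchanged when the area holds no full aligned word. The commit message says this function feeds the KASLR seed, so that reduction of mixed-in input deserves a comment, e.g. `/* Unaligned head and tail bytes are skipped; an area with no full aligned word contributes nothing. */`. The loop body continues outside the hunk.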
--- /dev/null
+From 0eb98f1588c2cc7a79816d84ab18a55d254f481c Mon Sep 17 00:00:00 2001
+From: Miaohe Lin <linmiaohe@huawei.com>
+Date: Tue, 12 Jan 2021 15:49:24 -0800
+Subject: mm/hugetlb: fix potential missing huge page size info
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+commit 0eb98f1588c2cc7a79816d84ab18a55d254f481c upstream.
+
+The huge page size is encoded for VM_FAULT_HWPOISON errors only. So if
+we return VM_FAULT_HWPOISON, huge page size would just be ignored.
+
+Link: https://lkml.kernel.org/r/20210107123449.38481-1-linmiaohe@huawei.com
+Fixes: aa50d3a7aa81 ("Encode huge page size for VM_FAULT_HWPOISON errors")
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/hugetlb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -4036,7 +4036,7 @@ retry:
+ * So we need to block hugepage fault by PG_hwpoison bit check.
+ */
+ if (unlikely(PageHWPoison(page))) {
+- ret = VM_FAULT_HWPOISON |
++ ret = VM_FAULT_HWPOISON_LARGE |
+ VM_FAULT_SET_HINDEX(hstate_index(h));
+ goto backout_unlocked;
+ }
--- /dev/null
+From cb82a54904a99df9e8f9e9d282046055dae5a730 Mon Sep 17 00:00:00 2001
+From: Leon Schuermann <leon@is.currently.online>
+Date: Mon, 11 Jan 2021 20:03:13 +0100
+Subject: r8152: Add Lenovo Powered USB-C Travel Hub
+
+From: Leon Schuermann <leon@is.currently.online>
+
+commit cb82a54904a99df9e8f9e9d282046055dae5a730 upstream.
+
+This USB-C Hub (17ef:721e) based on the Realtek RTL8153B chip used to
+use the cdc_ether driver. However, using this driver, with the system
+suspended the device constantly sends pause-frames as soon as the
+receive buffer fills up. This causes issues with other devices, where
+some Ethernet switches stop forwarding packets altogether.
+
+Using the Realtek driver (r8152) fixes this issue. Pause frames are no
+longer sent while the host system is suspended.
+
+Signed-off-by: Leon Schuermann <leon@is.currently.online>
+Tested-by: Leon Schuermann <leon@is.currently.online>
+Link: https://lore.kernel.org/r/20210111190312.12589-2-leon@is.currently.online
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/usb/cdc_ether.c | 7 +++++++
+ drivers/net/usb/r8152.c | 1 +
+ 2 files changed, 8 insertions(+)
+
+--- a/drivers/net/usb/cdc_ether.c
++++ b/drivers/net/usb/cdc_ether.c
+@@ -787,6 +787,13 @@ static const struct usb_device_id produc
+ .driver_info = 0,
+ },
+
++/* Lenovo Powered USB-C Travel Hub (4X90S92381, based on Realtek RTL8153) */
++{
++ USB_DEVICE_AND_INTERFACE_INFO(LENOVO_VENDOR_ID, 0x721e, USB_CLASS_COMM,
++ USB_CDC_SUBCLASS_ETHERNET, USB_CDC_PROTO_NONE),
++ .driver_info = 0,
++},
++
+ /* ThinkPad USB-C Dock Gen 2 (based on Realtek RTL8153) */
+ {
+ USB_DEVICE_AND_INTERFACE_INFO(LENOVO_VENDOR_ID, 0xa387, USB_CLASS_COMM,
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -5845,6 +5845,7 @@ static const struct usb_device_id rtl815
+ {REALTEK_USB_DEVICE(VENDOR_ID_LENOVO, 0x7205)},
+ {REALTEK_USB_DEVICE(VENDOR_ID_LENOVO, 0x720c)},
+ {REALTEK_USB_DEVICE(VENDOR_ID_LENOVO, 0x7214)},
++ {REALTEK_USB_DEVICE(VENDOR_ID_LENOVO, 0x721e)},
+ {REALTEK_USB_DEVICE(VENDOR_ID_LENOVO, 0xa387)},
+ {REALTEK_USB_DEVICE(VENDOR_ID_LINKSYS, 0x0041)},
+ {REALTEK_USB_DEVICE(VENDOR_ID_NVIDIA, 0x09ff)},
--- /dev/null
+From f2bc3af6353cb2a33dfa9d270d999d839eef54cb Mon Sep 17 00:00:00 2001
+From: Tom Rix <trix@redhat.com>
+Date: Tue, 29 Dec 2020 18:46:53 -0800
+Subject: RDMA/ocrdma: Fix use after free in ocrdma_dealloc_ucontext_pd()
+
+From: Tom Rix <trix@redhat.com>
+
+commit f2bc3af6353cb2a33dfa9d270d999d839eef54cb upstream.
+
+In ocrdma_dealloc_ucontext_pd() uctx->cntxt_pd is assigned to the variable
+pd and then after uctx->cntxt_pd is freed, the variable pd is passed to
+function _ocrdma_dealloc_pd() which dereferences pd directly or through
+its call to ocrdma_mbx_dealloc_pd().
+
+Reorder the free using the variable pd.
+
+Cc: stable@vger.kernel.org
+Fixes: 21a428a019c9 ("RDMA: Handle PD allocations by IB/core")
+Link: https://lore.kernel.org/r/20201230024653.1516495-1-trix@redhat.com
+Signed-off-by: Tom Rix <trix@redhat.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/ocrdma/ocrdma_verbs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c
++++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c
+@@ -442,9 +442,9 @@ static void ocrdma_dealloc_ucontext_pd(s
+ pr_err("%s(%d) Freeing in use pdid=0x%x.\n",
+ __func__, dev->id, pd->id);
+ }
+- kfree(uctx->cntxt_pd);
+ uctx->cntxt_pd = NULL;
+ _ocrdma_dealloc_pd(dev, pd);
++ kfree(pd);
+ }
+
+ static struct ocrdma_pd *ocrdma_get_ucontext_pd(struct ocrdma_ucontext *uctx)
kbuild-enforce-werror-return-type.patch
btrfs-prevent-null-pointer-dereference-in-extent_io_tree_panic.patch
+asoc-dapm-remove-widget-from-dirty-list-on-free.patch
+x86-hyperv-check-cpu-mask-after-interrupt-has-been-disabled.patch
+tracing-kprobes-do-the-notrace-functions-check-without-kprobes-on-ftrace.patch
+mips-fix-section-mismatch-in-reference.patch
+mips-lib-uncached-fix-non-standard-usage-of-variable-sp.patch
+mips-boot-fix-unaligned-access-with-config_mips_raw_appended_dtb.patch
+mips-fix-malformed-nt_file-and-nt_siginfo-in-32bit-coredumps.patch
+mips-relocatable-fix-possible-boot-hangup-with-kaslr-enabled.patch
+rdma-ocrdma-fix-use-after-free-in-ocrdma_dealloc_ucontext_pd.patch
+acpi-scan-harden-acpi_device_add-against-device-id-overflows.patch
+mm-hugetlb-fix-potential-missing-huge-page-size-info.patch
+dm-raid-fix-discard-limits-for-raid1.patch
+dm-snapshot-flush-merged-data-before-committing-metadata.patch
+dm-integrity-fix-the-maximum-number-of-arguments.patch
+r8152-add-lenovo-powered-usb-c-travel-hub.patch
--- /dev/null
+From 7bb83f6fc4ee84e95d0ac0d14452c2619fb3fe70 Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Fri, 8 Jan 2021 13:19:38 +0900
+Subject: tracing/kprobes: Do the notrace functions check without kprobes on ftrace
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+commit 7bb83f6fc4ee84e95d0ac0d14452c2619fb3fe70 upstream.
+
+Enable the notrace function check on the architecture which doesn't
+support kprobes on ftrace but support dynamic ftrace. This notrace
+function check is not only for the kprobes on ftrace but also
+sw-breakpoint based kprobes.
+Thus there is no reason to limit this check for the arch which
+supports kprobes on ftrace.
+
+This also changes the dependency of Kconfig. Because kprobe event
+uses the function tracer's address list for identifying notrace
+function, if the CONFIG_DYNAMIC_FTRACE=n, it can not check whether
+the target function is notrace or not.
+
+Link: https://lkml.kernel.org/r/20210105065730.2634785-1-naveen.n.rao@linux.vnet.ibm.com
+Link: https://lkml.kernel.org/r/161007957862.114704.4512260007555399463.stgit@devnote2
+
+Cc: stable@vger.kernel.org
+Fixes: 45408c4f92506 ("tracing: kprobes: Prohibit probing on notrace function")
+Acked-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/Kconfig | 2 +-
+ kernel/trace/trace_kprobe.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/Kconfig
++++ b/kernel/trace/Kconfig
+@@ -478,7 +478,7 @@ config KPROBE_EVENTS
+ config KPROBE_EVENTS_ON_NOTRACE
+ bool "Do NOT protect notrace function from kprobe events"
+ depends on KPROBE_EVENTS
+- depends on KPROBES_ON_FTRACE
++ depends on DYNAMIC_FTRACE
+ default n
+ help
+ This is only for the developers who want to debug ftrace itself
+--- a/kernel/trace/trace_kprobe.c
++++ b/kernel/trace/trace_kprobe.c
+@@ -433,7 +433,7 @@ static int disable_trace_kprobe(struct t
+ return 0;
+ }
+
+-#if defined(CONFIG_KPROBES_ON_FTRACE) && \
++#if defined(CONFIG_DYNAMIC_FTRACE) && \
+ !defined(CONFIG_KPROBE_EVENTS_ON_NOTRACE)
+ static bool __within_notrace_func(unsigned long addr)
+ {
--- /dev/null
+From ad0a6bad44758afa3b440c254a24999a0c7e35d5 Mon Sep 17 00:00:00 2001
+From: Wei Liu <wei.liu@kernel.org>
+Date: Tue, 5 Jan 2021 17:50:43 +0000
+Subject: x86/hyperv: check cpu mask after interrupt has been disabled
+
+From: Wei Liu <wei.liu@kernel.org>
+
+commit ad0a6bad44758afa3b440c254a24999a0c7e35d5 upstream.
+
+We've observed crashes due to an empty cpu mask in
+hyperv_flush_tlb_others. Obviously the cpu mask in question is changed
+between the cpumask_empty call at the beginning of the function and when
+it is actually used later.
+
+One theory is that an interrupt comes in between and a code path ends up
+changing the mask. Move the check after interrupt has been disabled to
+see if it fixes the issue.
+
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Cc: stable@kernel.org
+Link: https://lore.kernel.org/r/20210105175043.28325-1-wei.liu@kernel.org
+Reviewed-by: Michael Kelley <mikelley@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/hyperv/mmu.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/hyperv/mmu.c
++++ b/arch/x86/hyperv/mmu.c
+@@ -66,11 +66,17 @@ static void hyperv_flush_tlb_others(cons
+ if (!hv_hypercall_pg)
+ goto do_native;
+
+- if (cpumask_empty(cpus))
+- return;
+-
+ local_irq_save(flags);
+
++ /*
++ * Only check the mask _after_ interrupt has been disabled to avoid the
++ * mask changing under our feet.
++ */
++ if (cpumask_empty(cpus)) {
++ local_irq_restore(flags);
++ return;
++ }
++
+ flush_pcpu = (struct hv_tlb_flush **)
+ this_cpu_ptr(hyperv_pcpu_input_arg);
+
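Review bot: The added comment says the check now avoids "the mask changing under our feet", but `local_irq_save()` only stops interrupt handlers on this CPU; if `cpus` can be written from another CPU, it can still become empty between `cpumask_empty()` and its later use. The commit message itself calls the interrupt explanation "one theory", so the comment should be scoped to match, e.g. `/* Check after disabling local interrupts: this rules out a local interrupt handler changing the mask, not remote writers. */`. The code that consumes the mask is outside this hunk, so whether it tolerates an empty mask cannot be confirmed here.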