--- /dev/null
+From 57d92ce20ccb3060a38877b52218712a500dd5ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jun 2020 20:54:49 +0800
+Subject: ARM: imx6: add missing put_device() call in imx6q_suspend_init()
+
+From: yu kuai <yukuai3@huawei.com>
+
+[ Upstream commit 4845446036fc9c13f43b54a65c9b757c14f5141b ]
+
+if of_find_device_by_node() succeed, imx6q_suspend_init() doesn't have a
+corresponding put_device(). Thus add a jump target to fix the exception
+handling for this function implementation.
+
+Signed-off-by: yu kuai <yukuai3@huawei.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-imx/pm-imx6.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm/mach-imx/pm-imx6.c b/arch/arm/mach-imx/pm-imx6.c
+index dd9eb3f14f45c..6da26692f2fde 100644
+--- a/arch/arm/mach-imx/pm-imx6.c
++++ b/arch/arm/mach-imx/pm-imx6.c
+@@ -481,14 +481,14 @@ static int __init imx6q_suspend_init(const struct imx6_pm_socdata *socdata)
+ if (!ocram_pool) {
+ pr_warn("%s: ocram pool unavailable!\n", __func__);
+ ret = -ENODEV;
+- goto put_node;
++ goto put_device;
+ }
+
+ ocram_base = gen_pool_alloc(ocram_pool, MX6Q_SUSPEND_OCRAM_SIZE);
+ if (!ocram_base) {
+ pr_warn("%s: unable to alloc ocram!\n", __func__);
+ ret = -ENOMEM;
+- goto put_node;
++ goto put_device;
+ }
+
+ ocram_pbase = gen_pool_virt_to_phys(ocram_pool, ocram_base);
+@@ -511,7 +511,7 @@ static int __init imx6q_suspend_init(const struct imx6_pm_socdata *socdata)
+ ret = imx6_pm_get_base(&pm_info->mmdc_base, socdata->mmdc_compat);
+ if (ret) {
+ pr_warn("%s: failed to get mmdc base %d!\n", __func__, ret);
+- goto put_node;
++ goto put_device;
+ }
+
+ ret = imx6_pm_get_base(&pm_info->src_base, socdata->src_compat);
+@@ -558,7 +558,7 @@ static int __init imx6q_suspend_init(const struct imx6_pm_socdata *socdata)
+ &imx6_suspend,
+ MX6Q_SUSPEND_OCRAM_SIZE - sizeof(*pm_info));
+
+- goto put_node;
++ goto put_device;
+
+ pl310_cache_map_failed:
+ iounmap(pm_info->gpc_base.vbase);
+@@ -568,6 +568,8 @@ iomuxc_map_failed:
+ iounmap(pm_info->src_base.vbase);
+ src_map_failed:
+ iounmap(pm_info->mmdc_base.vbase);
++put_device:
++ put_device(&pdev->dev);
+ put_node:
+ of_node_put(node);
+
+--
+2.25.1
+
--- /dev/null
+From 96929d575b8921e10268c7f8456188ca6c14b0df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Jul 2020 12:50:23 -0700
+Subject: arm64: entry: Place an SB sequence following an ERET instruction
+
+From: Will Deacon <will.deacon@arm.com>
+
+commit 679db70801da9fda91d26caf13bf5b5ccc74e8e8 upstream
+
+Some CPUs can speculate past an ERET instruction and potentially perform
+speculative accesses to memory before processing the exception return.
+Since the register state is often controlled by a lower privilege level
+at the point of an ERET, this could potentially be used as part of a
+side-channel attack.
+
+This patch emits an SB sequence after each ERET so that speculation is
+held up on exception return.
+
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+[florian: Adjust hyp-entry.S to account for the label
+ added change to hyp/entry.S]
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/entry.S | 2 ++
+ arch/arm64/kvm/hyp/entry.S | 2 ++
+ arch/arm64/kvm/hyp/hyp-entry.S | 4 ++++
+ 3 files changed, 8 insertions(+)
+
+diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
+index ca978d7d98eb4..3408c782702c2 100644
+--- a/arch/arm64/kernel/entry.S
++++ b/arch/arm64/kernel/entry.S
+@@ -255,6 +255,7 @@ alternative_insn eret, nop, ARM64_UNMAP_KERNEL_AT_EL0
+ .else
+ eret
+ .endif
++ sb
+ .endm
+
+ .macro get_thread_info, rd
+@@ -945,6 +946,7 @@ __ni_sys_trace:
+ mrs x30, far_el1
+ .endif
+ eret
++ sb
+ .endm
+
+ .align 11
+diff --git a/arch/arm64/kvm/hyp/entry.S b/arch/arm64/kvm/hyp/entry.S
+index a360ac6e89e9d..93704e6894d2e 100644
+--- a/arch/arm64/kvm/hyp/entry.S
++++ b/arch/arm64/kvm/hyp/entry.S
+@@ -83,6 +83,7 @@ ENTRY(__guest_enter)
+
+ // Do not touch any register after this!
+ eret
++ sb
+ ENDPROC(__guest_enter)
+
+ ENTRY(__guest_exit)
+@@ -195,4 +196,5 @@ alternative_endif
+ ldp x0, x1, [sp], #16
+
+ eret
++ sb
+ ENDPROC(__fpsimd_guest_restore)
+diff --git a/arch/arm64/kvm/hyp/hyp-entry.S b/arch/arm64/kvm/hyp/hyp-entry.S
+index bf4988f9dae8f..3675e7f0ab726 100644
+--- a/arch/arm64/kvm/hyp/hyp-entry.S
++++ b/arch/arm64/kvm/hyp/hyp-entry.S
+@@ -97,6 +97,7 @@ el1_sync: // Guest trapped into EL2
+ do_el2_call
+
+ 2: eret
++ sb
+
+ el1_hvc_guest:
+ /*
+@@ -147,6 +148,7 @@ wa_epilogue:
+ mov x0, xzr
+ add sp, sp, #16
+ eret
++ sb
+
+ el1_trap:
+ get_vcpu_ptr x1, x0
+@@ -198,6 +200,7 @@ el2_error:
+ b.ne __hyp_panic
+ mov x0, #(1 << ARM_EXIT_WITH_SERROR_BIT)
+ eret
++ sb
+
+ ENTRY(__hyp_do_panic)
+ mov lr, #(PSR_F_BIT | PSR_I_BIT | PSR_A_BIT | PSR_D_BIT |\
+@@ -206,6 +209,7 @@ ENTRY(__hyp_do_panic)
+ ldr lr, =panic
+ msr elr_el2, lr
+ eret
++ sb
+ ENDPROC(__hyp_do_panic)
+
+ ENTRY(__hyp_panic)
+--
+2.25.1
+
--- /dev/null
+From b8d41ab8b1a2823293543a075345460b38aca61d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Jun 2020 22:51:29 -0400
+Subject: cifs: update ctime and mtime during truncate
+
+From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+
+[ Upstream commit 5618303d8516f8ac5ecfe53ee8e8bc9a40eaf066 ]
+
+As the man description of the truncate, if the size changed,
+then the st_ctime and st_mtime fields should be updated. But
+in cifs, we doesn't do it.
+
+It lead the xfstests generic/313 failed.
+
+So, add the ATTR_MTIME|ATTR_CTIME flags on attrs when change
+the file size
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/inode.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
+index 3dad943da956f..acd8e0dccab4c 100644
+--- a/fs/cifs/inode.c
++++ b/fs/cifs/inode.c
+@@ -2194,6 +2194,15 @@ set_size_out:
+ if (rc == 0) {
+ cifsInode->server_eof = attrs->ia_size;
+ cifs_setsize(inode, attrs->ia_size);
++
++ /*
++ * The man page of truncate says if the size changed,
++ * then the st_ctime and st_mtime fields for the file
++ * are updated.
++ */
++ attrs->ia_ctime = attrs->ia_mtime = current_time(inode);
++ attrs->ia_valid |= ATTR_CTIME | ATTR_MTIME;
++
+ cifs_truncate_page(inode->i_mapping, inode->i_size);
+ }
+
+--
+2.25.1
+
--- /dev/null
+From d71bf4bf34ec8339d83fe1c1fad7a40ea0aaa2b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Apr 2020 19:38:02 +0200
+Subject: gpu: host1x: Detach driver on unregister
+
+From: Thierry Reding <treding@nvidia.com>
+
+[ Upstream commit d9a0a05bf8c76e6dc79230669a8b5d685b168c30 ]
+
+Currently when a host1x device driver is unregistered, it is not
+detached from the host1x controller, which means that the device
+will stay around and when the driver is registered again, it may
+bind to the old, stale device rather than the new one that was
+created from scratch upon driver registration. This in turn can
+cause various weird crashes within the driver core because it is
+confronted with a device that was already deleted.
+
+Fix this by detaching the driver from the host1x controller when
+it is unregistered. This ensures that the deleted device also is
+no longer present in the device list that drivers will bind to.
+
+Reported-by: Sowjanya Komatineni <skomatineni@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Tested-by: Sowjanya Komatineni <skomatineni@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/host1x/bus.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/gpu/host1x/bus.c b/drivers/gpu/host1x/bus.c
+index c27858ae05529..6ef89e8a515a9 100644
+--- a/drivers/gpu/host1x/bus.c
++++ b/drivers/gpu/host1x/bus.c
+@@ -542,8 +542,17 @@ EXPORT_SYMBOL(host1x_driver_register_full);
+
+ void host1x_driver_unregister(struct host1x_driver *driver)
+ {
++ struct host1x *host1x;
++
+ driver_unregister(&driver->driver);
+
++ mutex_lock(&devices_lock);
++
++ list_for_each_entry(host1x, &devices, list)
++ host1x_detach_driver(host1x, driver);
++
++ mutex_unlock(&devices_lock);
++
+ mutex_lock(&drivers_lock);
+ list_del_init(&driver->list);
+ mutex_unlock(&drivers_lock);
+--
+2.25.1
+
--- /dev/null
+From faf0f85f8d2a23571fd5a99ca98a3d6567c8f164 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jun 2020 15:05:49 +0200
+Subject: s390/kasan: fix early pgm check handler execution
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+[ Upstream commit 998f5bbe3dbdab81c1cfb1aef7c3892f5d24f6c7 ]
+
+Currently if early_pgm_check_handler is called it ends up in pgm check
+loop. The problem is that early_pgm_check_handler is instrumented by
+KASAN but executed without DAT flag enabled which leads to addressing
+exception when KASAN checks try to access shadow memory.
+
+Fix that by executing early handlers with DAT flag on under KASAN as
+expected.
+
+Reported-and-tested-by: Alexander Egorenkov <egorenar@linux.ibm.com>
+Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/early.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/s390/kernel/early.c b/arch/s390/kernel/early.c
+index a651c2bc94ef8..f862cc27fe98f 100644
+--- a/arch/s390/kernel/early.c
++++ b/arch/s390/kernel/early.c
+@@ -288,6 +288,8 @@ static noinline __init void setup_lowcore_early(void)
+ psw_t psw;
+
+ psw.mask = PSW_MASK_BASE | PSW_DEFAULT_KEY | PSW_MASK_EA | PSW_MASK_BA;
++ if (IS_ENABLED(CONFIG_KASAN))
++ psw.mask |= PSW_MASK_DAT;
+ psw.addr = (unsigned long) s390_base_ext_handler;
+ S390_lowcore.external_new_psw = psw;
+ psw.addr = (unsigned long) s390_base_pgm_handler;
+--
+2.25.1
+
--- /dev/null
+From 20fa7a0913fbffce4581a7d22ee85d58e6b35339 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Jun 2020 17:04:46 +0200
+Subject: scsi: mptscsih: Fix read sense data size
+
+From: Tomas Henzl <thenzl@redhat.com>
+
+[ Upstream commit afe89f115e84edbc76d316759e206580a06c6973 ]
+
+The sense data buffer in sense_buf_pool is allocated with size of
+MPT_SENSE_BUFFER_ALLOC(64) (multiplied by req_depth) while SNS_LEN(sc)(96)
+is used when reading the data. That may lead to a read from unallocated
+area, sometimes from another (unallocated) page. To fix this, limit the
+read size to MPT_SENSE_BUFFER_ALLOC.
+
+Link: https://lore.kernel.org/r/20200616150446.4840-1-thenzl@redhat.com
+Co-developed-by: Stanislav Saner <ssaner@redhat.com>
+Signed-off-by: Stanislav Saner <ssaner@redhat.com>
+Signed-off-by: Tomas Henzl <thenzl@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/message/fusion/mptscsih.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/message/fusion/mptscsih.c b/drivers/message/fusion/mptscsih.c
+index 6c9fc11efb872..e77185e143ab7 100644
+--- a/drivers/message/fusion/mptscsih.c
++++ b/drivers/message/fusion/mptscsih.c
+@@ -118,8 +118,6 @@ int mptscsih_suspend(struct pci_dev *pdev, pm_message_t state);
+ int mptscsih_resume(struct pci_dev *pdev);
+ #endif
+
+-#define SNS_LEN(scp) SCSI_SENSE_BUFFERSIZE
+-
+
+ /*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*/
+ /*
+@@ -2427,7 +2425,7 @@ mptscsih_copy_sense_data(struct scsi_cmnd *sc, MPT_SCSI_HOST *hd, MPT_FRAME_HDR
+ /* Copy the sense received into the scsi command block. */
+ req_index = le16_to_cpu(mf->u.frame.hwhdr.msgctxu.fld.req_idx);
+ sense_data = ((u8 *)ioc->sense_buf_pool + (req_index * MPT_SENSE_BUFFER_ALLOC));
+- memcpy(sc->sense_buffer, sense_data, SNS_LEN(sc));
++ memcpy(sc->sense_buffer, sense_data, MPT_SENSE_BUFFER_ALLOC);
+
+ /* Log SMART data (asc = 0x5D, non-IM case only) if required.
+ */
+--
+2.25.1
+
kvm-s390-reduce-number-of-io-pins-to-1.patch
+arm64-entry-place-an-sb-sequence-following-an-eret-i.patch
+gpu-host1x-detach-driver-on-unregister.patch
+spi-spidev-fix-a-race-between-spidev_release-and-spi.patch
+spi-spidev-fix-a-potential-use-after-free-in-spidev_.patch
+s390-kasan-fix-early-pgm-check-handler-execution.patch
+cifs-update-ctime-and-mtime-during-truncate.patch
+arm-imx6-add-missing-put_device-call-in-imx6q_suspen.patch
+scsi-mptscsih-fix-read-sense-data-size.patch
--- /dev/null
+From 628e71ff9fd87e83f7aea133c79d22d64ebe3f19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Jun 2020 11:21:25 +0800
+Subject: spi: spidev: fix a potential use-after-free in spidev_release()
+
+From: Zhenzhong Duan <zhenzhong.duan@gmail.com>
+
+[ Upstream commit 06096cc6c5a84ced929634b0d79376b94c65a4bd ]
+
+If an spi device is unbounded from the driver before the release
+process, there will be an NULL pointer reference when it's
+referenced in spi_slave_abort().
+
+Fix it by checking it's already freed before reference.
+
+Signed-off-by: Zhenzhong Duan <zhenzhong.duan@gmail.com>
+Link: https://lore.kernel.org/r/20200618032125.4650-2-zhenzhong.duan@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spidev.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c
+index 67ad7e46da42d..c364d9ce6d4b5 100644
+--- a/drivers/spi/spidev.c
++++ b/drivers/spi/spidev.c
+@@ -636,15 +636,20 @@ err_find_dev:
+ static int spidev_release(struct inode *inode, struct file *filp)
+ {
+ struct spidev_data *spidev;
++ int dofree;
+
+ mutex_lock(&device_list_lock);
+ spidev = filp->private_data;
+ filp->private_data = NULL;
+
++ spin_lock_irq(&spidev->spi_lock);
++ /* ... after we unbound from the underlying device? */
++ dofree = (spidev->spi == NULL);
++ spin_unlock_irq(&spidev->spi_lock);
++
+ /* last close? */
+ spidev->users--;
+ if (!spidev->users) {
+- int dofree;
+
+ kfree(spidev->tx_buffer);
+ spidev->tx_buffer = NULL;
+@@ -652,19 +657,14 @@ static int spidev_release(struct inode *inode, struct file *filp)
+ kfree(spidev->rx_buffer);
+ spidev->rx_buffer = NULL;
+
+- spin_lock_irq(&spidev->spi_lock);
+- if (spidev->spi)
+- spidev->speed_hz = spidev->spi->max_speed_hz;
+-
+- /* ... after we unbound from the underlying device? */
+- dofree = (spidev->spi == NULL);
+- spin_unlock_irq(&spidev->spi_lock);
+-
+ if (dofree)
+ kfree(spidev);
++ else
++ spidev->speed_hz = spidev->spi->max_speed_hz;
+ }
+ #ifdef CONFIG_SPI_SLAVE
+- spi_slave_abort(spidev->spi);
++ if (!dofree)
++ spi_slave_abort(spidev->spi);
+ #endif
+ mutex_unlock(&device_list_lock);
+
+--
+2.25.1
+
--- /dev/null
+From 16b8e159c4fed32fad73c2c23e4022cecc9d33e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Jun 2020 11:21:24 +0800
+Subject: spi: spidev: fix a race between spidev_release and spidev_remove
+
+From: Zhenzhong Duan <zhenzhong.duan@gmail.com>
+
+[ Upstream commit abd42781c3d2155868821f1b947ae45bbc33330d ]
+
+Imagine below scene, spidev is referenced after it's freed.
+
+spidev_release() spidev_remove()
+...
+ spin_lock_irq(&spidev->spi_lock);
+ spidev->spi = NULL;
+ spin_unlock_irq(&spidev->spi_lock);
+mutex_lock(&device_list_lock);
+dofree = (spidev->spi == NULL);
+if (dofree)
+ kfree(spidev);
+mutex_unlock(&device_list_lock);
+ mutex_lock(&device_list_lock);
+ list_del(&spidev->device_entry);
+ device_destroy(spidev_class, spidev->devt);
+ clear_bit(MINOR(spidev->devt), minors);
+ if (spidev->users == 0)
+ kfree(spidev);
+ mutex_unlock(&device_list_lock);
+
+Fix it by resetting spidev->spi in device_list_lock's protection.
+
+Signed-off-by: Zhenzhong Duan <zhenzhong.duan@gmail.com>
+Link: https://lore.kernel.org/r/20200618032125.4650-1-zhenzhong.duan@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spidev.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c
+index a685c6114a8d5..67ad7e46da42d 100644
+--- a/drivers/spi/spidev.c
++++ b/drivers/spi/spidev.c
+@@ -809,13 +809,13 @@ static int spidev_remove(struct spi_device *spi)
+ {
+ struct spidev_data *spidev = spi_get_drvdata(spi);
+
++ /* prevent new opens */
++ mutex_lock(&device_list_lock);
+ /* make sure ops on existing fds can abort cleanly */
+ spin_lock_irq(&spidev->spi_lock);
+ spidev->spi = NULL;
+ spin_unlock_irq(&spidev->spi_lock);
+
+- /* prevent new opens */
+- mutex_lock(&device_list_lock);
+ list_del(&spidev->device_entry);
+ device_destroy(spidev_class, spidev->devt);
+ clear_bit(MINOR(spidev->devt), minors);
+--
+2.25.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
