Fixes for 4.14
authorSasha Levin <sashal@kernel.org>
Fri, 10 Jul 2020 00:37:25 +0000 (20:37 -0400)
committerSasha Levin <sashal@kernel.org>
Fri, 10 Jul 2020 00:37:25 +0000 (20:37 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
13 files changed:
queue-4.14/arm-dts-omap4-droid4-fix-spi-configuration-and-incre.patch [new file with mode: 0644]
queue-4.14/arm-imx6-add-missing-put_device-call-in-imx6q_suspen.patch [new file with mode: 0644]
queue-4.14/arm64-entry-place-an-sb-sequence-following-an-eret-i.patch [new file with mode: 0644]
queue-4.14/cifs-update-ctime-and-mtime-during-truncate.patch [new file with mode: 0644]
queue-4.14/gpu-host1x-detach-driver-on-unregister.patch [new file with mode: 0644]
queue-4.14/ixgbe-protect-ring-accesses-with-read-and-write_once.patch [new file with mode: 0644]
queue-4.14/nvme-rdma-assign-completion-vector-correctly.patch [new file with mode: 0644]
queue-4.14/s390-kasan-fix-early-pgm-check-handler-execution.patch [new file with mode: 0644]
queue-4.14/scsi-mptscsih-fix-read-sense-data-size.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/spi-spidev-fix-a-potential-use-after-free-in-spidev_.patch [new file with mode: 0644]
queue-4.14/spi-spidev-fix-a-race-between-spidev_release-and-spi.patch [new file with mode: 0644]
queue-4.14/x86-entry-increase-entry_stack-size-to-a-full-page.patch [new file with mode: 0644]

diff --git a/queue-4.14/arm-dts-omap4-droid4-fix-spi-configuration-and-incre.patch b/queue-4.14/arm-dts-omap4-droid4-fix-spi-configuration-and-incre.patch
new file mode 100644 (file)
index 0000000..b026903
--- /dev/null
@@ -0,0 +1,52 @@
+From e2d3e697492d9fc9df26a2db71f31591e2447768 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jun 2020 17:18:56 -0700
+Subject: ARM: dts: omap4-droid4: Fix spi configuration and increase rate
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit 0df12a01f4857495816b05f048c4c31439446e35 ]
+
+We can currently sometimes get "RXS timed out" errors and "EOT timed out"
+errors with spi transfers.
+
+These errors can be made easy to reproduce by reading the cpcap iio
+values in a loop while keeping the CPUs busy by also reading /dev/urandom.
+
+The "RXS timed out" errors we can fix by adding spi-cpol and spi-cpha
+in addition to the spi-cs-high property we already have.
+
+The "EOT timed out" errors we can fix by increasing the spi clock rate
+to 9.6 MHz. Looks similar MC13783 PMIC says it works at spi clock rates
+up to 20 MHz, so let's assume we can pick any rate up to 20 MHz also
+for cpcap.
+
+Cc: maemo-leste@lists.dyne.org
+Cc: Merlijn Wajer <merlijn@wizzup.org>
+Cc: Pavel Machek <pavel@ucw.cz>
+Cc: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/motorola-cpcap-mapphone.dtsi | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/motorola-cpcap-mapphone.dtsi b/arch/arm/boot/dts/motorola-cpcap-mapphone.dtsi
+index bcced922b2807..b4779b0ece96d 100644
+--- a/arch/arm/boot/dts/motorola-cpcap-mapphone.dtsi
++++ b/arch/arm/boot/dts/motorola-cpcap-mapphone.dtsi
+@@ -16,8 +16,10 @@
+               #interrupt-cells = <2>;
+               #address-cells = <1>;
+               #size-cells = <0>;
+-              spi-max-frequency = <3000000>;
++              spi-max-frequency = <9600000>;
+               spi-cs-high;
++              spi-cpol;
++              spi-cpha;
+               cpcap_adc: adc {
+                       compatible = "motorola,mapphone-cpcap-adc";
+-- 
+2.25.1
+
diff --git a/queue-4.14/arm-imx6-add-missing-put_device-call-in-imx6q_suspen.patch b/queue-4.14/arm-imx6-add-missing-put_device-call-in-imx6q_suspen.patch
new file mode 100644 (file)
index 0000000..9b0724d
--- /dev/null
@@ -0,0 +1,71 @@
+From 71a5c39727e1a4b8e0f8ce8d6f7cddb9d1529e05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jun 2020 20:54:49 +0800
+Subject: ARM: imx6: add missing put_device() call in imx6q_suspend_init()
+
+From: yu kuai <yukuai3@huawei.com>
+
+[ Upstream commit 4845446036fc9c13f43b54a65c9b757c14f5141b ]
+
+if of_find_device_by_node() succeed, imx6q_suspend_init() doesn't have a
+corresponding put_device(). Thus add a jump target to fix the exception
+handling for this function implementation.
+
+Signed-off-by: yu kuai <yukuai3@huawei.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-imx/pm-imx6.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm/mach-imx/pm-imx6.c b/arch/arm/mach-imx/pm-imx6.c
+index 6078bcc9f594a..c7dcb0b207301 100644
+--- a/arch/arm/mach-imx/pm-imx6.c
++++ b/arch/arm/mach-imx/pm-imx6.c
+@@ -483,14 +483,14 @@ static int __init imx6q_suspend_init(const struct imx6_pm_socdata *socdata)
+       if (!ocram_pool) {
+               pr_warn("%s: ocram pool unavailable!\n", __func__);
+               ret = -ENODEV;
+-              goto put_node;
++              goto put_device;
+       }
+       ocram_base = gen_pool_alloc(ocram_pool, MX6Q_SUSPEND_OCRAM_SIZE);
+       if (!ocram_base) {
+               pr_warn("%s: unable to alloc ocram!\n", __func__);
+               ret = -ENOMEM;
+-              goto put_node;
++              goto put_device;
+       }
+       ocram_pbase = gen_pool_virt_to_phys(ocram_pool, ocram_base);
+@@ -513,7 +513,7 @@ static int __init imx6q_suspend_init(const struct imx6_pm_socdata *socdata)
+       ret = imx6_pm_get_base(&pm_info->mmdc_base, socdata->mmdc_compat);
+       if (ret) {
+               pr_warn("%s: failed to get mmdc base %d!\n", __func__, ret);
+-              goto put_node;
++              goto put_device;
+       }
+       ret = imx6_pm_get_base(&pm_info->src_base, socdata->src_compat);
+@@ -560,7 +560,7 @@ static int __init imx6q_suspend_init(const struct imx6_pm_socdata *socdata)
+               &imx6_suspend,
+               MX6Q_SUSPEND_OCRAM_SIZE - sizeof(*pm_info));
+-      goto put_node;
++      goto put_device;
+ pl310_cache_map_failed:
+       iounmap(pm_info->gpc_base.vbase);
+@@ -570,6 +570,8 @@ iomuxc_map_failed:
+       iounmap(pm_info->src_base.vbase);
+ src_map_failed:
+       iounmap(pm_info->mmdc_base.vbase);
++put_device:
++      put_device(&pdev->dev);
+ put_node:
+       of_node_put(node);
+-- 
+2.25.1
+
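Review bot: The error paths reached after `gen_pool_alloc()` has succeeded (the `imx6_pm_get_base()` failure that now jumps to `put_device`, and the `*_map_failed` labels that fall through to it) drop the device and node references, but nothing in the visible lines returns `ocram_base` to the pool. If no `gen_pool_free()` exists in the parts of `imx6q_suspend_init()` outside these hunks, the unwind needs one ahead of `put_device:`, for example `gen_pool_free(ocram_pool, ocram_base, MX6Q_SUSPEND_OCRAM_SIZE);` under its own label. The success path also ends in `goto put_device;` while the OCRAM allocation stays in use, so a one-line comment there saying the reference is dropped deliberately would help. The function begins and ends outside the hunks.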
diff --git a/queue-4.14/arm64-entry-place-an-sb-sequence-following-an-eret-i.patch b/queue-4.14/arm64-entry-place-an-sb-sequence-following-an-eret-i.patch
new file mode 100644 (file)
index 0000000..f53d503
--- /dev/null
@@ -0,0 +1,97 @@
+From e65825fd4c33fba63f4b221058b060b697afbf9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Jun 2018 11:23:38 +0100
+Subject: arm64: entry: Place an SB sequence following an ERET instruction
+
+From: Will Deacon <will.deacon@arm.com>
+
+[ Upstream commit 679db70801da9fda91d26caf13bf5b5ccc74e8e8 ]
+
+Some CPUs can speculate past an ERET instruction and potentially perform
+speculative accesses to memory before processing the exception return.
+Since the register state is often controlled by a lower privilege level
+at the point of an ERET, this could potentially be used as part of a
+side-channel attack.
+
+This patch emits an SB sequence after each ERET so that speculation is
+held up on exception return.
+
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/entry.S      | 2 ++
+ arch/arm64/kvm/hyp/entry.S     | 1 +
+ arch/arm64/kvm/hyp/hyp-entry.S | 4 ++++
+ 3 files changed, 7 insertions(+)
+
+diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
+index c1ffa95c0ad24..f70e0893ba518 100644
+--- a/arch/arm64/kernel/entry.S
++++ b/arch/arm64/kernel/entry.S
+@@ -367,6 +367,7 @@ alternative_insn eret, nop, ARM64_UNMAP_KERNEL_AT_EL0
+       .else
+       eret
+       .endif
++      sb
+       .endm
+       .macro  irq_stack_entry
+@@ -1046,6 +1047,7 @@ alternative_insn isb, nop, ARM64_WORKAROUND_QCOM_FALKOR_E1003
+       mrs     x30, far_el1
+       .endif
+       eret
++      sb
+       .endm
+       .align  11
+diff --git a/arch/arm64/kvm/hyp/entry.S b/arch/arm64/kvm/hyp/entry.S
+index a360ac6e89e9d..bc5c6cdb8538d 100644
+--- a/arch/arm64/kvm/hyp/entry.S
++++ b/arch/arm64/kvm/hyp/entry.S
+@@ -83,6 +83,7 @@ ENTRY(__guest_enter)
+       // Do not touch any register after this!
+       eret
++      sb
+ ENDPROC(__guest_enter)
+ ENTRY(__guest_exit)
+diff --git a/arch/arm64/kvm/hyp/hyp-entry.S b/arch/arm64/kvm/hyp/hyp-entry.S
+index 3c283fd8c8f5a..b4d6a6c6c6ce5 100644
+--- a/arch/arm64/kvm/hyp/hyp-entry.S
++++ b/arch/arm64/kvm/hyp/hyp-entry.S
+@@ -96,6 +96,7 @@ el1_sync:                            // Guest trapped into EL2
+       do_el2_call
+       eret
++      sb
+ el1_hvc_guest:
+       /*
+@@ -146,6 +147,7 @@ wa_epilogue:
+       mov     x0, xzr
+       add     sp, sp, #16
+       eret
++      sb
+ el1_trap:
+       get_vcpu_ptr    x1, x0
+@@ -204,6 +206,7 @@ el2_error:
+       b.ne    __hyp_panic
+       mov     x0, #(1 << ARM_EXIT_WITH_SERROR_BIT)
+       eret
++      sb
+ ENTRY(__hyp_do_panic)
+       mov     lr, #(PSR_F_BIT | PSR_I_BIT | PSR_A_BIT | PSR_D_BIT |\
+@@ -212,6 +215,7 @@ ENTRY(__hyp_do_panic)
+       ldr     lr, =panic
+       msr     elr_el2, lr
+       eret
++      sb
+ ENDPROC(__hyp_do_panic)
+ ENTRY(__hyp_panic)
+-- 
+2.25.1
+
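Review bot: Every added `sb` relies on an assembler macro that none of these hunks define, so the backport only assembles if the 4.14 tree already provides it. The `series` additions in this commit do not list a patch that would introduce it, so confirm the prerequisite is present before this one is applied. In `arch/arm64/kernel/entry.S` the first `sb` is placed after `.endif`, so it follows whichever arm of the conditional was emitted, which looks intended. Because an instruction directly after `eret` reads as unreachable, a short comment at one site such as `// speculation barrier: nothing may be speculatively executed past the ERET` would document why it is there.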
diff --git a/queue-4.14/cifs-update-ctime-and-mtime-during-truncate.patch b/queue-4.14/cifs-update-ctime-and-mtime-during-truncate.patch
new file mode 100644 (file)
index 0000000..a2a0874
--- /dev/null
@@ -0,0 +1,49 @@
+From 50e28a9d6799bd2e46ed3caa58c26aa3fbff00ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Jun 2020 22:51:29 -0400
+Subject: cifs: update ctime and mtime during truncate
+
+From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+
+[ Upstream commit 5618303d8516f8ac5ecfe53ee8e8bc9a40eaf066 ]
+
+As the man description of the truncate, if the size changed,
+then the st_ctime and st_mtime fields should be updated. But
+in cifs, we doesn't do it.
+
+It lead the xfstests generic/313 failed.
+
+So, add the ATTR_MTIME|ATTR_CTIME flags on attrs when change
+the file size
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/inode.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
+index 528fe225b65a9..d0d295a28b6e4 100644
+--- a/fs/cifs/inode.c
++++ b/fs/cifs/inode.c
+@@ -2216,6 +2216,15 @@ set_size_out:
+       if (rc == 0) {
+               cifsInode->server_eof = attrs->ia_size;
+               cifs_setsize(inode, attrs->ia_size);
++
++              /*
++               * The man page of truncate says if the size changed,
++               * then the st_ctime and st_mtime fields for the file
++               * are updated.
++               */
++              attrs->ia_ctime = attrs->ia_mtime = current_time(inode);
++              attrs->ia_valid |= ATTR_CTIME | ATTR_MTIME;
++
+               cifs_truncate_page(inode->i_mapping, inode->i_size);
+       }
+-- 
+2.25.1
+
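Review bot: The added `attrs->ia_ctime = attrs->ia_mtime = current_time(inode);` runs on every successful size change, so it would overwrite an `ia_mtime` that the caller supplied with `ATTR_MTIME` already set in `ia_valid`, assuming a caller can combine an explicit timestamp with a size change. Guarding the mtime store, e.g. `if (!(attrs->ia_valid & ATTR_MTIME)) attrs->ia_mtime = current_time(inode);`, before OR-ing in the flags would preserve a caller-provided value. The new comment could also say that the stamp is taken from the client's clock rather than from the server. The enclosing function starts and ends outside the hunk.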
diff --git a/queue-4.14/gpu-host1x-detach-driver-on-unregister.patch b/queue-4.14/gpu-host1x-detach-driver-on-unregister.patch
new file mode 100644 (file)
index 0000000..403cd2f
--- /dev/null
@@ -0,0 +1,55 @@
+From b5b7c36b6514e63667622938e9371c10f27d7dfa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Apr 2020 19:38:02 +0200
+Subject: gpu: host1x: Detach driver on unregister
+
+From: Thierry Reding <treding@nvidia.com>
+
+[ Upstream commit d9a0a05bf8c76e6dc79230669a8b5d685b168c30 ]
+
+Currently when a host1x device driver is unregistered, it is not
+detached from the host1x controller, which means that the device
+will stay around and when the driver is registered again, it may
+bind to the old, stale device rather than the new one that was
+created from scratch upon driver registration. This in turn can
+cause various weird crashes within the driver core because it is
+confronted with a device that was already deleted.
+
+Fix this by detaching the driver from the host1x controller when
+it is unregistered. This ensures that the deleted device also is
+no longer present in the device list that drivers will bind to.
+
+Reported-by: Sowjanya Komatineni <skomatineni@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Tested-by: Sowjanya Komatineni <skomatineni@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/host1x/bus.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/gpu/host1x/bus.c b/drivers/gpu/host1x/bus.c
+index f9cde03030fd9..c2a9dcf6f4907 100644
+--- a/drivers/gpu/host1x/bus.c
++++ b/drivers/gpu/host1x/bus.c
+@@ -615,8 +615,17 @@ EXPORT_SYMBOL(host1x_driver_register_full);
+  */
+ void host1x_driver_unregister(struct host1x_driver *driver)
+ {
++      struct host1x *host1x;
++
+       driver_unregister(&driver->driver);
++      mutex_lock(&devices_lock);
++
++      list_for_each_entry(host1x, &devices, list)
++              host1x_detach_driver(host1x, driver);
++
++      mutex_unlock(&devices_lock);
++
+       mutex_lock(&drivers_lock);
+       list_del_init(&driver->list);
+       mutex_unlock(&drivers_lock);
+-- 
+2.25.1
+
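Review bot: `host1x_driver_unregister()` now walks `devices` under `devices_lock` and only afterwards takes `drivers_lock`, but neither the added code nor the kernel-doc comment that ends just above the function says why the detach is needed or how the two locks relate. Extend the kernel-doc with a sentence such as `Also detaches the driver from every registered host1x controller so a later registration cannot bind to a stale logical device.` and add a comment before `mutex_lock(&devices_lock);` noting that the locks are taken one after the other, never nested. `host1x_detach_driver()` is not visible here, so whether it tolerates a controller the driver was never attached to should be confirmed.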
diff --git a/queue-4.14/ixgbe-protect-ring-accesses-with-read-and-write_once.patch b/queue-4.14/ixgbe-protect-ring-accesses-with-read-and-write_once.patch
new file mode 100644 (file)
index 0000000..030f9ff
--- /dev/null
@@ -0,0 +1,112 @@
+From 54eed098499e3d2df8c846d22ec5ef067689e173 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Jun 2020 13:19:43 +0000
+Subject: ixgbe: protect ring accesses with READ- and WRITE_ONCE
+
+From: Ciara Loftus <ciara.loftus@intel.com>
+
+[ Upstream commit f140ad9fe2ae16f385f8fe4dc9cf67bb4c51d794 ]
+
+READ_ONCE should be used when reading rings prior to accessing the
+statistics pointer. Introduce this as well as the corresponding WRITE_ONCE
+usage when allocating and freeing the rings, to ensure protected access.
+
+Signed-off-by: Ciara Loftus <ciara.loftus@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_lib.c  | 12 ++++++------
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 14 +++++++++++---
+ 2 files changed, 17 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_lib.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_lib.c
+index f1bfae0c41d0c..3cf8b3ea43b08 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_lib.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_lib.c
+@@ -917,7 +917,7 @@ static int ixgbe_alloc_q_vector(struct ixgbe_adapter *adapter,
+                       ring->queue_index = txr_idx;
+               /* assign ring to adapter */
+-              adapter->tx_ring[txr_idx] = ring;
++              WRITE_ONCE(adapter->tx_ring[txr_idx], ring);
+               /* update count and index */
+               txr_count--;
+@@ -944,7 +944,7 @@ static int ixgbe_alloc_q_vector(struct ixgbe_adapter *adapter,
+               set_ring_xdp(ring);
+               /* assign ring to adapter */
+-              adapter->xdp_ring[xdp_idx] = ring;
++              WRITE_ONCE(adapter->xdp_ring[xdp_idx], ring);
+               /* update count and index */
+               xdp_count--;
+@@ -991,7 +991,7 @@ static int ixgbe_alloc_q_vector(struct ixgbe_adapter *adapter,
+                       ring->queue_index = rxr_idx;
+               /* assign ring to adapter */
+-              adapter->rx_ring[rxr_idx] = ring;
++              WRITE_ONCE(adapter->rx_ring[rxr_idx], ring);
+               /* update count and index */
+               rxr_count--;
+@@ -1020,13 +1020,13 @@ static void ixgbe_free_q_vector(struct ixgbe_adapter *adapter, int v_idx)
+       ixgbe_for_each_ring(ring, q_vector->tx) {
+               if (ring_is_xdp(ring))
+-                      adapter->xdp_ring[ring->queue_index] = NULL;
++                      WRITE_ONCE(adapter->xdp_ring[ring->queue_index], NULL);
+               else
+-                      adapter->tx_ring[ring->queue_index] = NULL;
++                      WRITE_ONCE(adapter->tx_ring[ring->queue_index], NULL);
+       }
+       ixgbe_for_each_ring(ring, q_vector->rx)
+-              adapter->rx_ring[ring->queue_index] = NULL;
++              WRITE_ONCE(adapter->rx_ring[ring->queue_index], NULL);
+       adapter->q_vector[v_idx] = NULL;
+       napi_hash_del(&q_vector->napi);
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+index 64ee45b6680a0..9c3fa0b555519 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -6842,7 +6842,10 @@ void ixgbe_update_stats(struct ixgbe_adapter *adapter)
+       }
+       for (i = 0; i < adapter->num_rx_queues; i++) {
+-              struct ixgbe_ring *rx_ring = adapter->rx_ring[i];
++              struct ixgbe_ring *rx_ring = READ_ONCE(adapter->rx_ring[i]);
++
++              if (!rx_ring)
++                      continue;
+               non_eop_descs += rx_ring->rx_stats.non_eop_descs;
+               alloc_rx_page_failed += rx_ring->rx_stats.alloc_rx_page_failed;
+               alloc_rx_buff_failed += rx_ring->rx_stats.alloc_rx_buff_failed;
+@@ -6861,15 +6864,20 @@ void ixgbe_update_stats(struct ixgbe_adapter *adapter)
+       packets = 0;
+       /* gather some stats to the adapter struct that are per queue */
+       for (i = 0; i < adapter->num_tx_queues; i++) {
+-              struct ixgbe_ring *tx_ring = adapter->tx_ring[i];
++              struct ixgbe_ring *tx_ring = READ_ONCE(adapter->tx_ring[i]);
++
++              if (!tx_ring)
++                      continue;
+               restart_queue += tx_ring->tx_stats.restart_queue;
+               tx_busy += tx_ring->tx_stats.tx_busy;
+               bytes += tx_ring->stats.bytes;
+               packets += tx_ring->stats.packets;
+       }
+       for (i = 0; i < adapter->num_xdp_queues; i++) {
+-              struct ixgbe_ring *xdp_ring = adapter->xdp_ring[i];
++              struct ixgbe_ring *xdp_ring = READ_ONCE(adapter->xdp_ring[i]);
++              if (!xdp_ring)
++                      continue;
+               restart_queue += xdp_ring->tx_stats.restart_queue;
+               tx_busy += xdp_ring->tx_stats.tx_busy;
+               bytes += xdp_ring->stats.bytes;
+-- 
+2.25.1
+
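Review bot: The `READ_ONCE()` plus `if (!rx_ring) continue;` pattern in `ixgbe_update_stats()` removes the NULL dereference, but a reader that loaded a non-NULL pointer just before `ixgbe_free_q_vector()` stores NULL will still dereference the ring afterwards, so memory safety depends on the ring outliving that reader. Nothing in these hunks shows how the q_vector and its rings are freed or whether the stats path runs inside a read-side critical section, so confirm the free is deferred until such readers are done. If it is, a comment at the `WRITE_ONCE(..., NULL)` stores, e.g. `/* readers may still hold the old pointer; the ring is freed only after a grace period */`, would record the contract. Minor style point: the xdp loop omits the blank line after the declaration that the rx and tx loops add. Both functions continue outside the hunks.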
diff --git a/queue-4.14/nvme-rdma-assign-completion-vector-correctly.patch b/queue-4.14/nvme-rdma-assign-completion-vector-correctly.patch
new file mode 100644 (file)
index 0000000..c64bd0a
--- /dev/null
@@ -0,0 +1,40 @@
+From 1e651df0804a21ff25cbd15ad58cc2d9e10b8753 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jun 2020 17:55:25 +0300
+Subject: nvme-rdma: assign completion vector correctly
+
+From: Max Gurtovoy <maxg@mellanox.com>
+
+[ Upstream commit 032a9966a22a3596addf81dacf0c1736dfedc32a ]
+
+The completion vector index that is given during CQ creation can't
+exceed the number of support vectors by the underlying RDMA device. This
+violation currently can accure, for example, in case one will try to
+connect with N regular read/write queues and M poll queues and the sum
+of N + M > num_supported_vectors. This will lead to failure in establish
+a connection to remote target. Instead, in that case, share a completion
+vector between queues.
+
+Signed-off-by: Max Gurtovoy <maxg@mellanox.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/rdma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c
+index 9fffe41ead500..c91bfd839cabe 100644
+--- a/drivers/nvme/host/rdma.c
++++ b/drivers/nvme/host/rdma.c
+@@ -470,7 +470,7 @@ static int nvme_rdma_create_queue_ib(struct nvme_rdma_queue *queue)
+        * Spread I/O queues completion vectors according their queue index.
+        * Admin queues can always go on completion vector 0.
+        */
+-      comp_vector = idx == 0 ? idx : idx - 1;
++      comp_vector = (idx == 0 ? idx : idx - 1) % ibdev->num_comp_vectors;
+       /* +1 for ib_stop_cq */
+       queue->ib_cq = ib_alloc_cq(ibdev, queue,
+-- 
+2.25.1
+
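Review bot: The comment above the changed line still says completion vectors are spread by queue index, but with `% ibdev->num_comp_vectors` the assignment now wraps and queues share a vector once there are more queues than vectors. Update it to something like `Spread I/O queues completion vectors according their queue index, wrapping around when the device has fewer vectors than queues.` The modulo also assumes `num_comp_vectors` is never zero; that is presumably guaranteed by the RDMA core but is not visible in this hunk. `nvme_rdma_create_queue_ib()` starts and ends outside the hunk.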
diff --git a/queue-4.14/s390-kasan-fix-early-pgm-check-handler-execution.patch b/queue-4.14/s390-kasan-fix-early-pgm-check-handler-execution.patch
new file mode 100644 (file)
index 0000000..a5cfe94
--- /dev/null
@@ -0,0 +1,42 @@
+From db206edbbcbe8b661a7070cad3aa090624583551 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jun 2020 15:05:49 +0200
+Subject: s390/kasan: fix early pgm check handler execution
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+[ Upstream commit 998f5bbe3dbdab81c1cfb1aef7c3892f5d24f6c7 ]
+
+Currently if early_pgm_check_handler is called it ends up in pgm check
+loop. The problem is that early_pgm_check_handler is instrumented by
+KASAN but executed without DAT flag enabled which leads to addressing
+exception when KASAN checks try to access shadow memory.
+
+Fix that by executing early handlers with DAT flag on under KASAN as
+expected.
+
+Reported-and-tested-by: Alexander Egorenkov <egorenar@linux.ibm.com>
+Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/early.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/s390/kernel/early.c b/arch/s390/kernel/early.c
+index 4ba5ad44a21a2..73045142febf0 100644
+--- a/arch/s390/kernel/early.c
++++ b/arch/s390/kernel/early.c
+@@ -317,6 +317,8 @@ static noinline __init void setup_lowcore_early(void)
+       psw_t psw;
+       psw.mask = PSW_MASK_BASE | PSW_DEFAULT_KEY | PSW_MASK_EA | PSW_MASK_BA;
++      if (IS_ENABLED(CONFIG_KASAN))
++              psw.mask |= PSW_MASK_DAT;
+       psw.addr = (unsigned long) s390_base_ext_handler;
+       S390_lowcore.external_new_psw = psw;
+       psw.addr = (unsigned long) s390_base_pgm_handler;
+-- 
+2.25.1
+
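Review bot: The added `if (IS_ENABLED(CONFIG_KASAN)) psw.mask |= PSW_MASK_DAT;` has no comment, and the reason is not deducible from the code alone. Suggest `/* KASAN-instrumented early handlers access shadow memory, which requires DAT to be on */` above it. The same `psw` is then reused for both the external and the program-check new PSW, so the flag applies to both handlers, which matches the commit message's wording. `setup_lowcore_early()` continues outside the hunk.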
diff --git a/queue-4.14/scsi-mptscsih-fix-read-sense-data-size.patch b/queue-4.14/scsi-mptscsih-fix-read-sense-data-size.patch
new file mode 100644 (file)
index 0000000..acceb91
--- /dev/null
@@ -0,0 +1,50 @@
+From 680bc5fff53bc3b52d9368719bd7e176eb954e18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Jun 2020 17:04:46 +0200
+Subject: scsi: mptscsih: Fix read sense data size
+
+From: Tomas Henzl <thenzl@redhat.com>
+
+[ Upstream commit afe89f115e84edbc76d316759e206580a06c6973 ]
+
+The sense data buffer in sense_buf_pool is allocated with size of
+MPT_SENSE_BUFFER_ALLOC(64) (multiplied by req_depth) while SNS_LEN(sc)(96)
+is used when reading the data.  That may lead to a read from unallocated
+area, sometimes from another (unallocated) page.  To fix this, limit the
+read size to MPT_SENSE_BUFFER_ALLOC.
+
+Link: https://lore.kernel.org/r/20200616150446.4840-1-thenzl@redhat.com
+Co-developed-by: Stanislav Saner <ssaner@redhat.com>
+Signed-off-by: Stanislav Saner <ssaner@redhat.com>
+Signed-off-by: Tomas Henzl <thenzl@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/message/fusion/mptscsih.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/message/fusion/mptscsih.c b/drivers/message/fusion/mptscsih.c
+index 6ba07c7feb92b..2af7ae13449d3 100644
+--- a/drivers/message/fusion/mptscsih.c
++++ b/drivers/message/fusion/mptscsih.c
+@@ -118,8 +118,6 @@ int                mptscsih_suspend(struct pci_dev *pdev, pm_message_t state);
+ int           mptscsih_resume(struct pci_dev *pdev);
+ #endif
+-#define SNS_LEN(scp)  SCSI_SENSE_BUFFERSIZE
+-
+ /*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*/
+ /*
+@@ -2420,7 +2418,7 @@ mptscsih_copy_sense_data(struct scsi_cmnd *sc, MPT_SCSI_HOST *hd, MPT_FRAME_HDR
+               /* Copy the sense received into the scsi command block. */
+               req_index = le16_to_cpu(mf->u.frame.hwhdr.msgctxu.fld.req_idx);
+               sense_data = ((u8 *)ioc->sense_buf_pool + (req_index * MPT_SENSE_BUFFER_ALLOC));
+-              memcpy(sc->sense_buffer, sense_data, SNS_LEN(sc));
++              memcpy(sc->sense_buffer, sense_data, MPT_SENSE_BUFFER_ALLOC);
+               /* Log SMART data (asc = 0x5D, non-IM case only) if required.
+                */
+-- 
+2.25.1
+
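Review bot: The new `memcpy(sc->sense_buffer, sense_data, MPT_SENSE_BUFFER_ALLOC);` stops the over-read of the pool, but the bound on the destination is now only implicit: the copy is safe while `MPT_SENSE_BUFFER_ALLOC` (64 per the commit message) stays no larger than `SCSI_SENSE_BUFFERSIZE` (96). Making that explicit next to the copy with `BUILD_BUG_ON(MPT_SENSE_BUFFER_ALLOC > SCSI_SENSE_BUFFERSIZE);`, or copying `min_t(size_t, MPT_SENSE_BUFFER_ALLOC, SCSI_SENSE_BUFFERSIZE)` bytes, keeps both sides bounded if either constant changes. The tail of `sc->sense_buffer` beyond the copied bytes is left untouched; whether it is zeroed before the command is issued is not visible here and should be confirmed so that stale bytes are not reported as sense data. `mptscsih_copy_sense_data()` starts and ends outside the hunk.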
index 253dba996b643a75c084e5146c2c0f43e86f8aa7..5bfa9665431ceb9969f0226ab3002c68d1f84afb 100644 (file)
@@ -3,3 +3,15 @@ spi-spi-fsl-dspi-adding-shutdown-hook.patch
 spi-spi-fsl-dspi-fix-lockup-if-device-is-removed-dur.patch
 spi-spi-fsl-dspi-use-irqf_shared-mode-to-request-irq.patch
 spi-spi-fsl-dspi-fix-external-abort-on-interrupt-in-.patch
+arm64-entry-place-an-sb-sequence-following-an-eret-i.patch
+arm-dts-omap4-droid4-fix-spi-configuration-and-incre.patch
+gpu-host1x-detach-driver-on-unregister.patch
+spi-spidev-fix-a-race-between-spidev_release-and-spi.patch
+spi-spidev-fix-a-potential-use-after-free-in-spidev_.patch
+ixgbe-protect-ring-accesses-with-read-and-write_once.patch
+s390-kasan-fix-early-pgm-check-handler-execution.patch
+cifs-update-ctime-and-mtime-during-truncate.patch
+arm-imx6-add-missing-put_device-call-in-imx6q_suspen.patch
+scsi-mptscsih-fix-read-sense-data-size.patch
+nvme-rdma-assign-completion-vector-correctly.patch
+x86-entry-increase-entry_stack-size-to-a-full-page.patch
diff --git a/queue-4.14/spi-spidev-fix-a-potential-use-after-free-in-spidev_.patch b/queue-4.14/spi-spidev-fix-a-potential-use-after-free-in-spidev_.patch
new file mode 100644 (file)
index 0000000..7789313
--- /dev/null
@@ -0,0 +1,76 @@
+From 02b87e77f1f6de41df2e7f76ef329c25e665850f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Jun 2020 11:21:25 +0800
+Subject: spi: spidev: fix a potential use-after-free in spidev_release()
+
+From: Zhenzhong Duan <zhenzhong.duan@gmail.com>
+
+[ Upstream commit 06096cc6c5a84ced929634b0d79376b94c65a4bd ]
+
+If an spi device is unbounded from the driver before the release
+process, there will be an NULL pointer reference when it's
+referenced in spi_slave_abort().
+
+Fix it by checking it's already freed before reference.
+
+Signed-off-by: Zhenzhong Duan <zhenzhong.duan@gmail.com>
+Link: https://lore.kernel.org/r/20200618032125.4650-2-zhenzhong.duan@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spidev.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c
+index 5edf4029a3486..167047760d79a 100644
+--- a/drivers/spi/spidev.c
++++ b/drivers/spi/spidev.c
+@@ -607,15 +607,20 @@ err_find_dev:
+ static int spidev_release(struct inode *inode, struct file *filp)
+ {
+       struct spidev_data      *spidev;
++      int                     dofree;
+       mutex_lock(&device_list_lock);
+       spidev = filp->private_data;
+       filp->private_data = NULL;
++      spin_lock_irq(&spidev->spi_lock);
++      /* ... after we unbound from the underlying device? */
++      dofree = (spidev->spi == NULL);
++      spin_unlock_irq(&spidev->spi_lock);
++
+       /* last close? */
+       spidev->users--;
+       if (!spidev->users) {
+-              int             dofree;
+               kfree(spidev->tx_buffer);
+               spidev->tx_buffer = NULL;
+@@ -623,19 +628,14 @@ static int spidev_release(struct inode *inode, struct file *filp)
+               kfree(spidev->rx_buffer);
+               spidev->rx_buffer = NULL;
+-              spin_lock_irq(&spidev->spi_lock);
+-              if (spidev->spi)
+-                      spidev->speed_hz = spidev->spi->max_speed_hz;
+-
+-              /* ... after we unbound from the underlying device? */
+-              dofree = (spidev->spi == NULL);
+-              spin_unlock_irq(&spidev->spi_lock);
+-
+               if (dofree)
+                       kfree(spidev);
++              else
++                      spidev->speed_hz = spidev->spi->max_speed_hz;
+       }
+ #ifdef CONFIG_SPI_SLAVE
+-      spi_slave_abort(spidev->spi);
++      if (!dofree)
++              spi_slave_abort(spidev->spi);
+ #endif
+       mutex_unlock(&device_list_lock);
+-- 
+2.25.1
+
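Review bot: After `spin_unlock_irq(&spidev->spi_lock)` the new code dereferences `spidev->spi` twice without the spinlock, in `spidev->speed_hz = spidev->spi->max_speed_hz;` and in `spi_slave_abort(spidev->spi);`, trusting that the `dofree` snapshot is still accurate. That holds only if `spidev_remove()` clears `spidev->spi` while holding `device_list_lock`, which is what the companion patch in this commit (spi-spidev-fix-a-race-between-spidev_release-and-spi.patch, listed before this one in `series`) arranges. The two therefore have to be applied together and in that order. A comment at the snapshot such as `/* stays valid until device_list_lock is dropped: spidev_remove() clears ->spi under it */` would record the dependency. `spidev_release()` ends outside the hunks.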
diff --git a/queue-4.14/spi-spidev-fix-a-race-between-spidev_release-and-spi.patch b/queue-4.14/spi-spidev-fix-a-race-between-spidev_release-and-spi.patch
new file mode 100644 (file)
index 0000000..73324a9
--- /dev/null
@@ -0,0 +1,62 @@
+From 0a5fa72d56f04520648977cf603a8731607a1f89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Jun 2020 11:21:24 +0800
+Subject: spi: spidev: fix a race between spidev_release and spidev_remove
+
+From: Zhenzhong Duan <zhenzhong.duan@gmail.com>
+
+[ Upstream commit abd42781c3d2155868821f1b947ae45bbc33330d ]
+
+Imagine below scene, spidev is referenced after it's freed.
+
+spidev_release()                spidev_remove()
+...
+                                spin_lock_irq(&spidev->spi_lock);
+                                    spidev->spi = NULL;
+                                spin_unlock_irq(&spidev->spi_lock);
+mutex_lock(&device_list_lock);
+dofree = (spidev->spi == NULL);
+if (dofree)
+    kfree(spidev);
+mutex_unlock(&device_list_lock);
+                                mutex_lock(&device_list_lock);
+                                list_del(&spidev->device_entry);
+                                device_destroy(spidev_class, spidev->devt);
+                                clear_bit(MINOR(spidev->devt), minors);
+                                if (spidev->users == 0)
+                                    kfree(spidev);
+                                mutex_unlock(&device_list_lock);
+
+Fix it by resetting spidev->spi in device_list_lock's protection.
+
+Signed-off-by: Zhenzhong Duan <zhenzhong.duan@gmail.com>
+Link: https://lore.kernel.org/r/20200618032125.4650-1-zhenzhong.duan@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spidev.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c
+index 028725573e632..5edf4029a3486 100644
+--- a/drivers/spi/spidev.c
++++ b/drivers/spi/spidev.c
+@@ -782,13 +782,13 @@ static int spidev_remove(struct spi_device *spi)
+ {
+       struct spidev_data      *spidev = spi_get_drvdata(spi);
++      /* prevent new opens */
++      mutex_lock(&device_list_lock);
+       /* make sure ops on existing fds can abort cleanly */
+       spin_lock_irq(&spidev->spi_lock);
+       spidev->spi = NULL;
+       spin_unlock_irq(&spidev->spi_lock);
+-      /* prevent new opens */
+-      mutex_lock(&device_list_lock);
+       list_del(&spidev->device_entry);
+       device_destroy(spidev_class, spidev->devt);
+       clear_bit(MINOR(spidev->devt), minors);
+-- 
+2.25.1
+
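Review bot: The moved `/* prevent new opens */` comment no longer covers the full reason `spidev_remove()` takes `device_list_lock` first. Per the commit message, the lock now also keeps `spidev_release()` from observing `spidev->spi == NULL` and freeing `spidev` while the remove path still uses it. Suggest `/* prevent new opens, and serialize with spidev_release() checking ->spi */`. The nesting introduced here is `device_list_lock` then `spi_lock`, the same order the companion `spidev_release()` patch in this commit uses. The function continues outside the hunk.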
diff --git a/queue-4.14/x86-entry-increase-entry_stack-size-to-a-full-page.patch b/queue-4.14/x86-entry-increase-entry_stack-size-to-a-full-page.patch
new file mode 100644 (file)
index 0000000..38885e6
--- /dev/null
@@ -0,0 +1,40 @@
+From 545c79297eb22d9bb9522c1de423695d56868ba4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jun 2020 18:25:57 +0200
+Subject: x86/entry: Increase entry_stack size to a full page
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit c7aadc09321d8f9a1d3bd1e6d8a47222ecddf6c5 ]
+
+Marco crashed in bad_iret with a Clang11/KCSAN build due to
+overflowing the stack. Now that we run C code on it, expand it to a
+full page.
+
+Suggested-by: Andy Lutomirski <luto@amacapital.net>
+Reported-by: Marco Elver <elver@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Lai Jiangshan <jiangshanlai@gmail.com>
+Tested-by: Marco Elver <elver@google.com>
+Link: https://lkml.kernel.org/r/20200618144801.819246178@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/processor.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
+index 6a87eda9691e4..56a89519dc144 100644
+--- a/arch/x86/include/asm/processor.h
++++ b/arch/x86/include/asm/processor.h
+@@ -344,7 +344,7 @@ struct x86_hw_tss {
+ #define INVALID_IO_BITMAP_OFFSET      0x8000
+ struct entry_stack {
+-      unsigned long           words[64];
++      char    stack[PAGE_SIZE];
+ };
+ struct entry_stack_page {
+-- 
+2.25.1
+
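Review bot: Replacing `unsigned long words[64];` with `char stack[PAGE_SIZE];` renames the only member of `struct entry_stack`, so any code in the 4.14 tree that still refers to `.words` would stop building. No such user is visible in this hunk, but the target tree is worth checking since the change was written against a much newer kernel. The struct also has no comment saying why it is a full page; something like `/* full page: C code such as the bad_iret fixup runs on this stack */` would carry over the commit message's reasoning. `struct entry_stack_page` begins on the last context line and continues outside the hunk.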