Fixes for 5.11
authorSasha Levin <sashal@kernel.org>
Mon, 5 Apr 2021 02:09:51 +0000 (22:09 -0400)
committerSasha Levin <sashal@kernel.org>
Mon, 5 Apr 2021 02:09:51 +0000 (22:09 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-5.11/extcon-add-stubs-for-extcon_register_notifier_all-fu.patch [new file with mode: 0644]
queue-5.11/extcon-fix-error-handling-in-extcon_dev_register.patch [new file with mode: 0644]
queue-5.11/firewire-nosy-fix-a-use-after-free-bug-in-nosy_ioctl.patch [new file with mode: 0644]
queue-5.11/firmware-stratix10-svc-reset-command_reconfig_flag_p.patch [new file with mode: 0644]
queue-5.11/powerpc-mm-book3s64-use-the-correct-storage-key-valu.patch [new file with mode: 0644]
queue-5.11/powerpc-pseries-mobility-handle-premature-return-fro.patch [new file with mode: 0644]
queue-5.11/powerpc-pseries-mobility-use-struct-for-shared-state.patch [new file with mode: 0644]
queue-5.11/series
queue-5.11/usb-dwc3-pci-enable-dis_ux_susphy_quirk-for-intel-me.patch [new file with mode: 0644]
queue-5.11/video-hyperv_fb-fix-a-double-free-in-hvfb_probe.patch [new file with mode: 0644]

diff --git a/queue-5.11/extcon-add-stubs-for-extcon_register_notifier_all-fu.patch b/queue-5.11/extcon-add-stubs-for-extcon_register_notifier_all-fu.patch
new file mode 100644 (file)
index 0000000..da53f40
--- /dev/null
@@ -0,0 +1,59 @@
+From 7951869927dc372d5555d31cdf383d44307db760 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Dec 2020 09:52:52 +0100
+Subject: extcon: Add stubs for extcon_register_notifier_all() functions
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit c9570d4a5efd04479b3cd09c39b571eb031d94f4 ]
+
+Add stubs for extcon_register_notifier_all() function for !CONFIG_EXTCON
+case.  This is useful for compile testing and for drivers which use
+EXTCON but do not require it (therefore do not depend on CONFIG_EXTCON).
+
+Fixes: 815429b39d94 ("extcon: Add new extcon_register_notifier_all() to monitor all external connectors")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/extcon.h | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/include/linux/extcon.h b/include/linux/extcon.h
+index fd183fb9c20f..0c19010da77f 100644
+--- a/include/linux/extcon.h
++++ b/include/linux/extcon.h
+@@ -271,6 +271,29 @@ static inline  void devm_extcon_unregister_notifier(struct device *dev,
+                               struct extcon_dev *edev, unsigned int id,
+                               struct notifier_block *nb) { }
++static inline int extcon_register_notifier_all(struct extcon_dev *edev,
++                                             struct notifier_block *nb)
++{
++      return 0;
++}
++
++static inline int extcon_unregister_notifier_all(struct extcon_dev *edev,
++                                               struct notifier_block *nb)
++{
++      return 0;
++}
++
++static inline int devm_extcon_register_notifier_all(struct device *dev,
++                                                  struct extcon_dev *edev,
++                                                  struct notifier_block *nb)
++{
++      return 0;
++}
++
++static inline void devm_extcon_unregister_notifier_all(struct device *dev,
++                                                     struct extcon_dev *edev,
++                                                     struct notifier_block *nb) { }
++
+ static inline struct extcon_dev *extcon_get_extcon_dev(const char *extcon_name)
+ {
+       return ERR_PTR(-ENODEV);
+-- 
+2.30.2
+
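Review bot: The three int-returning stubs added to include/linux/extcon.h (`extcon_register_notifier_all()`, `extcon_unregister_notifier_all()`, `devm_extcon_register_notifier_all()`) report success although no notifier is ever registered, while the `extcon_get_extcon_dev()` stub just below them returns `ERR_PTR(-ENODEV)`. A driver built without CONFIG_EXTCON therefore cannot tell from the return value that it will never receive a connector event. If returning 0 is deliberate, as it appears to be for optional users, I would say so above the block: `/* !CONFIG_EXTCON: registration is a no-op that reports success; no events are delivered. */`. How the other notifier stubs in this header behave is not visible in the hunk.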
diff --git a/queue-5.11/extcon-fix-error-handling-in-extcon_dev_register.patch b/queue-5.11/extcon-fix-error-handling-in-extcon_dev_register.patch
new file mode 100644 (file)
index 0000000..1f6d71a
--- /dev/null
@@ -0,0 +1,35 @@
+From 41cf224b7f9b147a85643f91abd804707ef4b218 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Jan 2021 16:10:55 +0800
+Subject: extcon: Fix error handling in extcon_dev_register
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit d3bdd1c3140724967ca4136755538fa7c05c2b4e ]
+
+When devm_kcalloc() fails, we should execute device_unregister()
+to unregister edev->dev from system.
+
+Fixes: 046050f6e623e ("extcon: Update the prototype of extcon_register_notifier() with enum extcon")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/extcon/extcon.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/extcon/extcon.c b/drivers/extcon/extcon.c
+index 0a6438cbb3f3..e7a9561a826d 100644
+--- a/drivers/extcon/extcon.c
++++ b/drivers/extcon/extcon.c
+@@ -1241,6 +1241,7 @@ int extcon_dev_register(struct extcon_dev *edev)
+                               sizeof(*edev->nh), GFP_KERNEL);
+       if (!edev->nh) {
+               ret = -ENOMEM;
++              device_unregister(&edev->dev);
+               goto err_dev;
+       }
+-- 
+2.30.2
+
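Review bot: After the added `device_unregister(&edev->dev);` the failure branch still jumps to `err_dev`, whose cleanup lies outside the hunk, so it is not visible whether that path touches anything the unregister has already released. device_unregister() drops the reference taken at registration and may run the device's release callback; any later `kfree()` or `put_device()` on the same objects under `err_dev` would then be a double free or use-after-free. Please check the label's cleanup against the release callback, and consider a dedicated label so the unregister sits with the other unwinding steps instead of inline in the branch. `extcon_dev_register()` begins and ends outside the hunk.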
diff --git a/queue-5.11/firewire-nosy-fix-a-use-after-free-bug-in-nosy_ioctl.patch b/queue-5.11/firewire-nosy-fix-a-use-after-free-bug-in-nosy_ioctl.patch
new file mode 100644 (file)
index 0000000..44c359d
--- /dev/null
@@ -0,0 +1,119 @@
+From 1c639aacf695f0413e3943adae5b295db7b177bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Apr 2021 06:58:36 +0000
+Subject: firewire: nosy: Fix a use-after-free bug in nosy_ioctl()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit 829933ef05a951c8ff140e814656d73e74915faf ]
+
+For each device, the nosy driver allocates a pcilynx structure.
+A use-after-free might happen in the following scenario:
+
+ 1. Open nosy device for the first time and call ioctl with command
+    NOSY_IOC_START, then a new client A will be malloced and added to
+    doubly linked list.
+ 2. Open nosy device for the second time and call ioctl with command
+    NOSY_IOC_START, then a new client B will be malloced and added to
+    doubly linked list.
+ 3. Call ioctl with command NOSY_IOC_START for client A, then client A
+    will be readded to the doubly linked list. Now the doubly linked
+    list is messed up.
+ 4. Close the first nosy device and nosy_release will be called. In
+    nosy_release, client A will be unlinked and freed.
+ 5. Close the second nosy device, and client A will be referenced,
+    resulting in UAF.
+
+The root cause of this bug is that the element in the doubly linked list
+is reentered into the list.
+
+Fix this bug by adding a check before inserting a client.  If a client
+is already in the linked list, don't insert it.
+
+The following KASAN report reveals it:
+
+   BUG: KASAN: use-after-free in nosy_release+0x1ea/0x210
+   Write of size 8 at addr ffff888102ad7360 by task poc
+   CPU: 3 PID: 337 Comm: poc Not tainted 5.12.0-rc5+ #6
+   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
+   Call Trace:
+     nosy_release+0x1ea/0x210
+     __fput+0x1e2/0x840
+     task_work_run+0xe8/0x180
+     exit_to_user_mode_prepare+0x114/0x120
+     syscall_exit_to_user_mode+0x1d/0x40
+     entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+   Allocated by task 337:
+     nosy_open+0x154/0x4d0
+     misc_open+0x2ec/0x410
+     chrdev_open+0x20d/0x5a0
+     do_dentry_open+0x40f/0xe80
+     path_openat+0x1cf9/0x37b0
+     do_filp_open+0x16d/0x390
+     do_sys_openat2+0x11d/0x360
+     __x64_sys_open+0xfd/0x1a0
+     do_syscall_64+0x33/0x40
+     entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+   Freed by task 337:
+     kfree+0x8f/0x210
+     nosy_release+0x158/0x210
+     __fput+0x1e2/0x840
+     task_work_run+0xe8/0x180
+     exit_to_user_mode_prepare+0x114/0x120
+     syscall_exit_to_user_mode+0x1d/0x40
+     entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+   The buggy address belongs to the object at ffff888102ad7300 which belongs to the cache kmalloc-128 of size 128
+   The buggy address is located 96 bytes inside of 128-byte region [ffff888102ad7300, ffff888102ad7380)
+
+[ Modified to use 'list_empty()' inside proper lock  - Linus ]
+
+Link: https://lore.kernel.org/lkml/1617433116-5930-1-git-send-email-zheyuma97@gmail.com/
+Reported-and-tested-by: 马哲宇 (Zheyu Ma) <zheyuma97@gmail.com>
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Cc: Greg Kroah-Hartman <greg@kroah.com>
+Cc: Stefan Richter <stefanr@s5r6.in-berlin.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firewire/nosy.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/firewire/nosy.c b/drivers/firewire/nosy.c
+index 5fd6a60b6741..88ed971e32c0 100644
+--- a/drivers/firewire/nosy.c
++++ b/drivers/firewire/nosy.c
+@@ -346,6 +346,7 @@ nosy_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+       struct client *client = file->private_data;
+       spinlock_t *client_list_lock = &client->lynx->client_list_lock;
+       struct nosy_stats stats;
++      int ret;
+       switch (cmd) {
+       case NOSY_IOC_GET_STATS:
+@@ -360,11 +361,15 @@ nosy_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+                       return 0;
+       case NOSY_IOC_START:
++              ret = -EBUSY;
+               spin_lock_irq(client_list_lock);
+-              list_add_tail(&client->link, &client->lynx->client_list);
++              if (list_empty(&client->link)) {
++                      list_add_tail(&client->link, &client->lynx->client_list);
++                      ret = 0;
++              }
+               spin_unlock_irq(client_list_lock);
+-              return 0;
++              return ret;
+       case NOSY_IOC_STOP:
+               spin_lock_irq(client_list_lock);
+-- 
+2.30.2
+
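Review bot: The new `list_empty(&client->link)` test in the NOSY_IOC_START case is a reliable "not on the list" check only if `client->link` is initialised with `INIT_LIST_HEAD()` when the client is created and every removal uses `list_del_init()`; neither is visible here, since the NOSY_IOC_STOP body and nosy_release() lie outside the hunk. With a plain `list_del()` the link would not be self-pointing after a stop, and a later START would return -EBUSY although the client is no longer queued. I would record the dependency next to the check: `/* client->link is self-linked unless queued; relies on INIT_LIST_HEAD() at open and list_del_init() on removal */`. The -EBUSY result for a repeated START is a user-visible change to the ioctl and should be mentioned wherever the ioctl is documented.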
diff --git a/queue-5.11/firmware-stratix10-svc-reset-command_reconfig_flag_p.patch b/queue-5.11/firmware-stratix10-svc-reset-command_reconfig_flag_p.patch
new file mode 100644 (file)
index 0000000..fdd1710
--- /dev/null
@@ -0,0 +1,37 @@
+From 4ba1733ce80e0be6876df47cd2ff74e46cd6a76c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Feb 2021 16:20:27 -0600
+Subject: firmware: stratix10-svc: reset COMMAND_RECONFIG_FLAG_PARTIAL to 0
+
+From: Richard Gong <richard.gong@intel.com>
+
+[ Upstream commit 2e8496f31d0be8f43849b2980b069f3a9805d047 ]
+
+Clean up COMMAND_RECONFIG_FLAG_PARTIAL flag by resetting it to 0, which
+aligns with the firmware settings.
+
+Fixes: 36847f9e3e56 ("firmware: stratix10-svc: correct reconfig flag and timeout values")
+Signed-off-by: Richard Gong <richard.gong@intel.com>
+Reviewed-by: Tom Rix <trix@redhat.com>
+Signed-off-by: Moritz Fischer <mdf@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/firmware/intel/stratix10-svc-client.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/firmware/intel/stratix10-svc-client.h b/include/linux/firmware/intel/stratix10-svc-client.h
+index a93d85932eb9..f843c6a10cf3 100644
+--- a/include/linux/firmware/intel/stratix10-svc-client.h
++++ b/include/linux/firmware/intel/stratix10-svc-client.h
+@@ -56,7 +56,7 @@
+  * COMMAND_RECONFIG_FLAG_PARTIAL:
+  * Set to FPGA configuration type (full or partial).
+  */
+-#define COMMAND_RECONFIG_FLAG_PARTIAL 1
++#define COMMAND_RECONFIG_FLAG_PARTIAL 0
+ /**
+  * Timeout settings for service clients:
+-- 
+2.30.2
+
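Review bot: The comment above `COMMAND_RECONFIG_FLAG_PARTIAL` still says only "Set to FPGA configuration type (full or partial)", which does not tell a reader whether the new value 0 is a bit number or a mask. If any user tests it as a mask (`flags & COMMAND_RECONFIG_FLAG_PARTIAL`), that test is now always false and partial reconfiguration can no longer be selected; the users are not part of this hunk, so this needs checking against them. I would extend the comment, for example `* Bit position of the partial-reconfiguration flag in the flags word (0 matches the firmware).`, adjusted to what the users actually do.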
diff --git a/queue-5.11/powerpc-mm-book3s64-use-the-correct-storage-key-valu.patch b/queue-5.11/powerpc-mm-book3s64-use-the-correct-storage-key-valu.patch
new file mode 100644 (file)
index 0000000..c4ff13c
--- /dev/null
@@ -0,0 +1,103 @@
+From b6c449c3350fd85cafcc2140a59018a19096d7cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Mar 2021 12:37:55 +0530
+Subject: powerpc/mm/book3s64: Use the correct storage key value when calling
+ H_PROTECT
+
+From: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+
+[ Upstream commit 53f1d31708f6240e4615b0927df31f182e389e2f ]
+
+H_PROTECT expects the flag value to include flags:
+  AVPN, pp0, pp1, pp2, key0-key4, Noexec, CMO Option flags
+
+This patch updates hpte_updatepp() to fetch the storage key value from
+the linux page table and use the same in H_PROTECT hcall.
+
+native_hpte_updatepp() is not updated because the kernel doesn't clear
+the existing storage key value there. The kernel also doesn't use
+hpte_updatepp() callback for updating storage keys.
+
+This fixes the below kernel crash observed with KUAP enabled.
+
+  BUG: Unable to handle kernel data access on write at 0xc009fffffc440000
+  Faulting instruction address: 0xc0000000000b7030
+  Key fault AMR: 0xfcffffffffffffff IAMR: 0xc0000077bc498100
+  Found HPTE: v = 0x40070adbb6fffc05 r = 0x1ffffffffff1194
+  Oops: Kernel access of bad area, sig: 11 [#1]
+  LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
+  ...
+  CFAR: c000000000010100 DAR: c009fffffc440000 DSISR: 02200000 IRQMASK: 0
+  ...
+  NIP memset+0x68/0x104
+  LR  pcpu_alloc+0x54c/0xb50
+  Call Trace:
+    pcpu_alloc+0x55c/0xb50 (unreliable)
+    blk_stat_alloc_callback+0x94/0x150
+    blk_mq_init_allocated_queue+0x64/0x560
+    blk_mq_init_queue+0x54/0xb0
+    scsi_mq_alloc_queue+0x30/0xa0
+    scsi_alloc_sdev+0x1cc/0x300
+    scsi_probe_and_add_lun+0xb50/0x1020
+    __scsi_scan_target+0x17c/0x790
+    scsi_scan_channel+0x90/0xe0
+    scsi_scan_host_selected+0x148/0x1f0
+    do_scan_async+0x2c/0x2a0
+    async_run_entry_fn+0x78/0x220
+    process_one_work+0x264/0x540
+    worker_thread+0xa8/0x600
+    kthread+0x190/0x1a0
+    ret_from_kernel_thread+0x5c/0x6c
+
+With KUAP enabled the kernel uses storage key 3 for all its
+translations. But as shown by the debug print, in this specific case we
+have the hash page table entry created with key value 0.
+
+  Found HPTE: v = 0x40070adbb6fffc05 r = 0x1ffffffffff1194
+
+and DSISR indicates a key fault.
+
+This can happen due to parallel fault on the same EA by different CPUs:
+
+  CPU 0                                        CPU 1
+  fault on X
+
+  H_PAGE_BUSY set
+                                       fault on X
+
+  finish fault handling and
+  clear H_PAGE_BUSY
+                                       check for H_PAGE_BUSY
+                                       continue with fault handling.
+
+This implies CPU1 will end up calling hpte_updatepp for address X and
+the kernel updated the hash pte entry with key 0
+
+Fixes: d94b827e89dc ("powerpc/book3s64/kuap: Use Key 3 for kernel mapping with hash translation")
+Reported-by: Murilo Opsfelder Araujo <muriloo@linux.ibm.com>
+Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+Debugged-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210326070755.304625-1-aneesh.kumar@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/pseries/lpar.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/platforms/pseries/lpar.c b/arch/powerpc/platforms/pseries/lpar.c
+index 764170fdb0f7..3805519a6469 100644
+--- a/arch/powerpc/platforms/pseries/lpar.c
++++ b/arch/powerpc/platforms/pseries/lpar.c
+@@ -887,7 +887,8 @@ static long pSeries_lpar_hpte_updatepp(unsigned long slot,
+       want_v = hpte_encode_avpn(vpn, psize, ssize);
+-      flags = (newpp & 7) | H_AVPN;
++      flags = (newpp & (HPTE_R_PP | HPTE_R_N | HPTE_R_KEY_LO)) | H_AVPN;
++      flags |= (newpp & HPTE_R_KEY_HI) >> 48;
+       if (mmu_has_feature(MMU_FTR_KERNEL_RO))
+               /* Move pp0 into bit 8 (IBM 55) */
+               flags |= (newpp & HPTE_R_PP0) >> 55;
+-- 
+2.30.2
+
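Review bot: The second added line, `flags |= (newpp & HPTE_R_KEY_HI) >> 48;`, uses a bare shift count with no explanation, while the pp0 shift directly below it carries the comment "Move pp0 into bit 8 (IBM 55)". These bits select the storage key that KUAP relies on, so a wrong shift would silently give the hash PTE a different key, and the intent should be checkable at a glance. I would add a comment in the same style, e.g. `/* Move the high storage-key bits into their H_PROTECT flag positions */`, and ideally give the shift count a named constant. `pSeries_lpar_hpte_updatepp()` starts and ends outside the hunk.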
diff --git a/queue-5.11/powerpc-pseries-mobility-handle-premature-return-fro.patch b/queue-5.11/powerpc-pseries-mobility-handle-premature-return-fro.patch
new file mode 100644 (file)
index 0000000..1cb440c
--- /dev/null
@@ -0,0 +1,103 @@
+From 38e5a8a88e001162663409153e6b0d5024cdd2d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Mar 2021 03:00:45 -0500
+Subject: powerpc/pseries/mobility: handle premature return from H_JOIN
+
+From: Nathan Lynch <nathanl@linux.ibm.com>
+
+[ Upstream commit 274cb1ca2e7ce02cab56f5f4c61a74aeb566f931 ]
+
+The pseries join/suspend sequence in its current form was written with
+the assumption that it was the only user of H_PROD and that it needn't
+handle spurious successful returns from H_JOIN. That's wrong;
+powerpc's paravirt spinlock code uses H_PROD, and CPUs entering
+do_join() can be woken prematurely from H_JOIN with a status of
+H_SUCCESS as a result. This causes all CPUs to exit the sequence
+early, preventing suspend from occurring at all.
+
+Add a 'done' boolean flag to the pseries_suspend_info struct, and have
+the waking thread set it before waking the other threads. Threads
+which receive H_SUCCESS from H_JOIN retry if the 'done' flag is still
+unset.
+
+Fixes: 9327dc0aeef3 ("powerpc/pseries/mobility: use stop_machine for join/suspend")
+Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210315080045.460331-3-nathanl@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/pseries/mobility.c | 26 ++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/platforms/pseries/mobility.c b/arch/powerpc/platforms/pseries/mobility.c
+index a6739ce9feac..e83e0891272d 100644
+--- a/arch/powerpc/platforms/pseries/mobility.c
++++ b/arch/powerpc/platforms/pseries/mobility.c
+@@ -458,9 +458,12 @@ static int do_suspend(void)
+  *           or if an error is received from H_JOIN. The thread which performs
+  *           the first increment (i.e. sets it to 1) is responsible for
+  *           waking the other threads.
++ * @done: False if join/suspend is in progress. True if the operation is
++ *        complete (successful or not).
+  */
+ struct pseries_suspend_info {
+       atomic_t counter;
++      bool done;
+ };
+ static int do_join(void *arg)
+@@ -470,6 +473,7 @@ static int do_join(void *arg)
+       long hvrc;
+       int ret;
++retry:
+       /* Must ensure MSR.EE off for H_JOIN. */
+       hard_irq_disable();
+       hvrc = plpar_hcall_norets(H_JOIN);
+@@ -485,8 +489,20 @@ static int do_join(void *arg)
+       case H_SUCCESS:
+               /*
+                * The suspend is complete and this cpu has received a
+-               * prod.
++               * prod, or we've received a stray prod from unrelated
++               * code (e.g. paravirt spinlocks) and we need to join
++               * again.
++               *
++               * This barrier orders the return from H_JOIN above vs
++               * the load of info->done. It pairs with the barrier
++               * in the wakeup/prod path below.
+                */
++              smp_mb();
++              if (READ_ONCE(info->done) == false) {
++                      pr_info_ratelimited("premature return from H_JOIN on CPU %i, retrying",
++                                          smp_processor_id());
++                      goto retry;
++              }
+               ret = 0;
+               break;
+       case H_BAD_MODE:
+@@ -500,6 +516,13 @@ static int do_join(void *arg)
+       if (atomic_inc_return(counter) == 1) {
+               pr_info("CPU %u waking all threads\n", smp_processor_id());
++              WRITE_ONCE(info->done, true);
++              /*
++               * This barrier orders the store to info->done vs subsequent
++               * H_PRODs to wake the other CPUs. It pairs with the barrier
++               * in the H_SUCCESS case above.
++               */
++              smp_mb();
+               prod_others();
+       }
+       /*
+@@ -553,6 +576,7 @@ static int pseries_suspend(u64 handle)
+               info = (struct pseries_suspend_info) {
+                       .counter = ATOMIC_INIT(0),
++                      .done = false,
+               };
+               ret = stop_machine(do_join, &info, cpu_online_mask);
+-- 
+2.30.2
+
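Review bot: The format string of the added `pr_info_ratelimited("premature return from H_JOIN on CPU %i, retrying", ...)` call in the H_SUCCESS case has no trailing newline, unlike the `pr_info("CPU %u waking all threads\n", ...)` a few lines further down, and it prints `smp_processor_id()` with `%i` where that call uses `%u`. I would write `pr_info_ratelimited("premature return from H_JOIN on CPU %u, retrying\n", smp_processor_id());`. The test `READ_ONCE(info->done) == false` also reads more naturally as `!READ_ONCE(info->done)`. do_join() extends beyond the hunks shown.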
diff --git a/queue-5.11/powerpc-pseries-mobility-use-struct-for-shared-state.patch b/queue-5.11/powerpc-pseries-mobility-use-struct-for-shared-state.patch
new file mode 100644 (file)
index 0000000..5ab835b
--- /dev/null
@@ -0,0 +1,70 @@
+From a33b58f9a1a3b25fd0e036664ddcb411b59d7c90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Mar 2021 03:00:44 -0500
+Subject: powerpc/pseries/mobility: use struct for shared state
+
+From: Nathan Lynch <nathanl@linux.ibm.com>
+
+[ Upstream commit e834df6cfc71d8e5ce2c27a0184145ea125c3f0f ]
+
+The atomic_t counter is the only shared state for the join/suspend
+sequence so far, but that will change. Contain it in a
+struct (pseries_suspend_info), and document its intended use. No
+functional change.
+
+Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210315080045.460331-2-nathanl@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/pseries/mobility.c | 22 +++++++++++++++++++---
+ 1 file changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/platforms/pseries/mobility.c b/arch/powerpc/platforms/pseries/mobility.c
+index ea4d6a660e0d..a6739ce9feac 100644
+--- a/arch/powerpc/platforms/pseries/mobility.c
++++ b/arch/powerpc/platforms/pseries/mobility.c
+@@ -452,9 +452,21 @@ static int do_suspend(void)
+       return ret;
+ }
++/**
++ * struct pseries_suspend_info - State shared between CPUs for join/suspend.
++ * @counter: Threads are to increment this upon resuming from suspend
++ *           or if an error is received from H_JOIN. The thread which performs
++ *           the first increment (i.e. sets it to 1) is responsible for
++ *           waking the other threads.
++ */
++struct pseries_suspend_info {
++      atomic_t counter;
++};
++
+ static int do_join(void *arg)
+ {
+-      atomic_t *counter = arg;
++      struct pseries_suspend_info *info = arg;
++      atomic_t *counter = &info->counter;
+       long hvrc;
+       int ret;
+@@ -535,11 +547,15 @@ static int pseries_suspend(u64 handle)
+       int ret;
+       while (true) {
+-              atomic_t counter = ATOMIC_INIT(0);
++              struct pseries_suspend_info info;
+               unsigned long vasi_state;
+               int vasi_err;
+-              ret = stop_machine(do_join, &counter, cpu_online_mask);
++              info = (struct pseries_suspend_info) {
++                      .counter = ATOMIC_INIT(0),
++              };
++
++              ret = stop_machine(do_join, &info, cpu_online_mask);
+               if (ret == 0)
+                       break;
+               /*
+-- 
+2.30.2
+
index 048681a41dc5e8d2cf70638325cfd90f55d857eb..651354b316975fb56d8a7f0d7590acd78732ab0a 100644 (file)
@@ -119,3 +119,12 @@ kvm-x86-mmu-use-atomic-ops-to-set-sptes-in-tdp-mmu-m.patch
 kvm-x86-compile-out-tdp-mmu-on-32-bit-systems.patch
 kvm-x86-mmu-ensure-tlbs-are-flushed-for-tdp-mmu-duri.patch
 kbuild-add-resolve_btfids-clean-to-root-clean-target.patch
+extcon-add-stubs-for-extcon_register_notifier_all-fu.patch
+extcon-fix-error-handling-in-extcon_dev_register.patch
+firmware-stratix10-svc-reset-command_reconfig_flag_p.patch
+powerpc-pseries-mobility-use-struct-for-shared-state.patch
+powerpc-pseries-mobility-handle-premature-return-fro.patch
+usb-dwc3-pci-enable-dis_ux_susphy_quirk-for-intel-me.patch
+video-hyperv_fb-fix-a-double-free-in-hvfb_probe.patch
+powerpc-mm-book3s64-use-the-correct-storage-key-valu.patch
+firewire-nosy-fix-a-use-after-free-bug-in-nosy_ioctl.patch
diff --git a/queue-5.11/usb-dwc3-pci-enable-dis_ux_susphy_quirk-for-intel-me.patch b/queue-5.11/usb-dwc3-pci-enable-dis_ux_susphy_quirk-for-intel-me.patch
new file mode 100644 (file)
index 0000000..cbab04f
--- /dev/null
@@ -0,0 +1,40 @@
+From 4979ad4f9cbd1e6f8cab0f3defb494124665c9fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Mar 2021 14:52:44 +0200
+Subject: usb: dwc3: pci: Enable dis_uX_susphy_quirk for Intel Merrifield
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit b522f830d35189e0283fa4d5b4b3ef8d7a78cfcb ]
+
+It seems that on Intel Merrifield platform the USB PHY shouldn't be suspended.
+Otherwise it can't be enabled by simply change the cable in the connector.
+
+Enable corresponding quirk for the platform in question.
+
+Fixes: e5f4ca3fce90 ("usb: dwc3: ulpi: Fix USB2.0 HS/FS/LS PHY suspend regression")
+Suggested-by: Serge Semin <fancer.lancer@gmail.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20210322125244.79407-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/dwc3-pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c
+index bae6a70664c8..598daed8086f 100644
+--- a/drivers/usb/dwc3/dwc3-pci.c
++++ b/drivers/usb/dwc3/dwc3-pci.c
+@@ -118,6 +118,8 @@ static const struct property_entry dwc3_pci_intel_properties[] = {
+ static const struct property_entry dwc3_pci_mrfld_properties[] = {
+       PROPERTY_ENTRY_STRING("dr_mode", "otg"),
+       PROPERTY_ENTRY_STRING("linux,extcon-name", "mrfld_bcove_pwrsrc"),
++      PROPERTY_ENTRY_BOOL("snps,dis_u3_susphy_quirk"),
++      PROPERTY_ENTRY_BOOL("snps,dis_u2_susphy_quirk"),
+       PROPERTY_ENTRY_BOOL("linux,sysdev_is_parent"),
+       {}
+ };
+-- 
+2.30.2
+
diff --git a/queue-5.11/video-hyperv_fb-fix-a-double-free-in-hvfb_probe.patch b/queue-5.11/video-hyperv_fb-fix-a-double-free-in-hvfb_probe.patch
new file mode 100644 (file)
index 0000000..186d83d
--- /dev/null
@@ -0,0 +1,60 @@
+From 5be5befb43d9d73072053f94e309ef69bf2c7361 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Mar 2021 03:37:24 -0700
+Subject: video: hyperv_fb: Fix a double free in hvfb_probe
+
+From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+
+[ Upstream commit 37df9f3fedb6aeaff5564145e8162aab912c9284 ]
+
+Function hvfb_probe() calls hvfb_getmem(), expecting upon return that
+info->apertures is either NULL or points to memory that should be freed
+by framebuffer_release().  But hvfb_getmem() is freeing the memory and
+leaving the pointer non-NULL, resulting in a double free if an error
+occurs or later if hvfb_remove() is called.
+
+Fix this by removing all kfree(info->apertures) calls in hvfb_getmem().
+This will allow framebuffer_release() to free the memory, which follows
+the pattern of other fbdev drivers.
+
+Fixes: 3a6fb6c4255c ("video: hyperv: hyperv_fb: Use physical memory for fb on HyperV Gen 1 VMs.")
+Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+Reviewed-by: Michael Kelley <mikelley@microsoft.com>
+Link: https://lore.kernel.org/r/20210324103724.4189-1-lyl2019@mail.ustc.edu.cn
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/hyperv_fb.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/video/fbdev/hyperv_fb.c b/drivers/video/fbdev/hyperv_fb.c
+index c8b0ae676809..4dc9077dd2ac 100644
+--- a/drivers/video/fbdev/hyperv_fb.c
++++ b/drivers/video/fbdev/hyperv_fb.c
+@@ -1031,7 +1031,6 @@ static int hvfb_getmem(struct hv_device *hdev, struct fb_info *info)
+                       PCI_DEVICE_ID_HYPERV_VIDEO, NULL);
+               if (!pdev) {
+                       pr_err("Unable to find PCI Hyper-V video\n");
+-                      kfree(info->apertures);
+                       return -ENODEV;
+               }
+@@ -1129,7 +1128,6 @@ getmem_done:
+       } else {
+               pci_dev_put(pdev);
+       }
+-      kfree(info->apertures);
+       return 0;
+@@ -1141,7 +1139,6 @@ err2:
+ err1:
+       if (!gen2vm)
+               pci_dev_put(pdev);
+-      kfree(info->apertures);
+       return -ENOMEM;
+ }
+-- 
+2.30.2
+