4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 7 Feb 2020 09:45:14 +0000 (10:45 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 7 Feb 2020 09:45:14 +0000 (10:45 +0100)
added patches:
crypto-api-check-spawn-alg-under-lock-in-crypto_drop_spawn.patch
hv_balloon-balloon-up-according-to-request-page-number.patch
power-supply-ltc2941-battery-gauge-fix-use-after-free.patch
scsi-qla2xxx-fix-mtcp-dump-collection-failure.patch

queue-4.14/crypto-api-check-spawn-alg-under-lock-in-crypto_drop_spawn.patch [new file with mode: 0644]
queue-4.14/hv_balloon-balloon-up-according-to-request-page-number.patch [new file with mode: 0644]
queue-4.14/power-supply-ltc2941-battery-gauge-fix-use-after-free.patch [new file with mode: 0644]
queue-4.14/scsi-qla2xxx-fix-mtcp-dump-collection-failure.patch [new file with mode: 0644]
queue-4.14/series

diff --git a/queue-4.14/crypto-api-check-spawn-alg-under-lock-in-crypto_drop_spawn.patch b/queue-4.14/crypto-api-check-spawn-alg-under-lock-in-crypto_drop_spawn.patch
new file mode 100644 (file)
index 0000000..b2b2895
--- /dev/null
@@ -0,0 +1,39 @@
+From 7db3b61b6bba4310f454588c2ca6faf2958ad79f Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Fri, 6 Dec 2019 13:55:17 +0800
+Subject: crypto: api - Check spawn->alg under lock in crypto_drop_spawn
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit 7db3b61b6bba4310f454588c2ca6faf2958ad79f upstream.
+
+We need to check whether spawn->alg is NULL under lock as otherwise
+the algorithm could be removed from under us after we have checked
+it and found it to be non-NULL.  This could cause us to remove the
+spawn from a non-existent list.
+
+Fixes: 7ede5a5ba55a ("crypto: api - Fix crypto_drop_spawn crash...")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/algapi.c |    6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/crypto/algapi.c
++++ b/crypto/algapi.c
+@@ -652,11 +652,9 @@ EXPORT_SYMBOL_GPL(crypto_grab_spawn);
+ void crypto_drop_spawn(struct crypto_spawn *spawn)
+ {
+-      if (!spawn->alg)
+-              return;
+-
+       down_write(&crypto_alg_sem);
+-      list_del(&spawn->list);
++      if (spawn->alg)
++              list_del(&spawn->list);
+       up_write(&crypto_alg_sem);
+ }
+ EXPORT_SYMBOL_GPL(crypto_drop_spawn);
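Review bot: Nothing in crypto_drop_spawn records why the `spawn->alg` test has to sit inside the `crypto_alg_sem` write section, so the unlocked early return removed here could come back later as a lock-avoiding shortcut. I would add a comment above the `if`, for example `/* spawn->alg may be cleared when the algorithm is removed; only test it under crypto_alg_sem */`. The commit message implies the side that clears `spawn->alg` holds the same semaphore. That code is not in this hunk, so it should be confirmed before the comment states it as fact.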
diff --git a/queue-4.14/hv_balloon-balloon-up-according-to-request-page-number.patch b/queue-4.14/hv_balloon-balloon-up-according-to-request-page-number.patch
new file mode 100644 (file)
index 0000000..afc171f
--- /dev/null
@@ -0,0 +1,77 @@
+From d33c240d47dab4fd15123d9e73fc8810cbc6ed6a Mon Sep 17 00:00:00 2001
+From: Tianyu Lan <Tianyu.Lan@microsoft.com>
+Date: Sat, 25 Jan 2020 16:50:47 -0500
+Subject: hv_balloon: Balloon up according to request page number
+
+From: Tianyu Lan <Tianyu.Lan@microsoft.com>
+
+commit d33c240d47dab4fd15123d9e73fc8810cbc6ed6a upstream.
+
+Current code has assumption that balloon request memory size aligns
+with 2MB. But actually Hyper-V doesn't guarantee such alignment. When
+balloon driver receives non-aligned balloon request, it produces warning
+and balloon up more memory than requested in order to keep 2MB alignment.
+Remove the warning and balloon up memory according to actual requested
+memory size.
+
+Fixes: f6712238471a ("hv: hv_balloon: avoid memory leak on alloc_error of 2MB memory block")
+Cc: stable@vger.kernel.org
+Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Signed-off-by: Tianyu Lan <Tianyu.Lan@microsoft.com>
+Reviewed-by: Michael Kelley <mikelley@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/hv_balloon.c |   13 +++----------
+ 1 file changed, 3 insertions(+), 10 deletions(-)
+
+--- a/drivers/hv/hv_balloon.c
++++ b/drivers/hv/hv_balloon.c
+@@ -1170,10 +1170,7 @@ static unsigned int alloc_balloon_pages(
+       unsigned int i = 0;
+       struct page *pg;
+-      if (num_pages < alloc_unit)
+-              return 0;
+-
+-      for (i = 0; (i * alloc_unit) < num_pages; i++) {
++      for (i = 0; i < num_pages / alloc_unit; i++) {
+               if (bl_resp->hdr.size + sizeof(union dm_mem_page_range) >
+                       PAGE_SIZE)
+                       return i * alloc_unit;
+@@ -1207,7 +1204,7 @@ static unsigned int alloc_balloon_pages(
+       }
+-      return num_pages;
++      return i * alloc_unit;
+ }
+ static void balloon_up(struct work_struct *dummy)
+@@ -1222,9 +1219,6 @@ static void balloon_up(struct work_struc
+       long avail_pages;
+       unsigned long floor;
+-      /* The host balloons pages in 2M granularity. */
+-      WARN_ON_ONCE(num_pages % PAGES_IN_2M != 0);
+-
+       /*
+        * We will attempt 2M allocations. However, if we fail to
+        * allocate 2M chunks, we will go back to 4k allocations.
+@@ -1234,14 +1228,13 @@ static void balloon_up(struct work_struc
+       avail_pages = si_mem_available();
+       floor = compute_balloon_floor();
+-      /* Refuse to balloon below the floor, keep the 2M granularity. */
++      /* Refuse to balloon below the floor. */
+       if (avail_pages < num_pages || avail_pages - num_pages < floor) {
+               pr_warn("Balloon request will be partially fulfilled. %s\n",
+                       avail_pages < num_pages ? "Not enough memory." :
+                       "Balloon floor reached.");
+               num_pages = avail_pages > floor ? (avail_pages - floor) : 0;
+-              num_pages -= num_pages % PAGES_IN_2M;
+       }
+       while (!done) {
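Review bot: In alloc_balloon_pages the new bound `i < num_pages / alloc_unit` silently drops any remainder smaller than `alloc_unit`, and both exits now return `i * alloc_unit`, so the function can return 0 or less than `num_pages` even though no allocation failed. That looks intended given the balloon_up comment about going back to 4k allocations, but the retry loop lies outside the hunk. It is worth confirming that a short return with 2M units is retried with the smaller unit rather than treated as the end of the request. A comment on the loop such as `/* whole alloc_unit chunks only; the caller retries any remainder with a smaller unit */` would document that contract.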
diff --git a/queue-4.14/power-supply-ltc2941-battery-gauge-fix-use-after-free.patch b/queue-4.14/power-supply-ltc2941-battery-gauge-fix-use-after-free.patch
new file mode 100644 (file)
index 0000000..f086ef7
--- /dev/null
@@ -0,0 +1,41 @@
+From a60ec78d306c6548d4adbc7918b587a723c555cc Mon Sep 17 00:00:00 2001
+From: Sven Van Asbroeck <thesven73@gmail.com>
+Date: Thu, 19 Sep 2019 11:11:37 -0400
+Subject: power: supply: ltc2941-battery-gauge: fix use-after-free
+
+From: Sven Van Asbroeck <thesven73@gmail.com>
+
+commit a60ec78d306c6548d4adbc7918b587a723c555cc upstream.
+
+This driver's remove path calls cancel_delayed_work().
+However, that function does not wait until the work function
+finishes. This could mean that the work function is still
+running after the driver's remove function has finished,
+which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+that the work is properly cancelled, no longer running, and
+unable to re-schedule itself.
+
+This issue was detected with the help of Coccinelle.
+
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/power/supply/ltc2941-battery-gauge.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/power/supply/ltc2941-battery-gauge.c
++++ b/drivers/power/supply/ltc2941-battery-gauge.c
+@@ -406,7 +406,7 @@ static int ltc294x_i2c_remove(struct i2c
+ {
+       struct ltc294x_info *info = i2c_get_clientdata(client);
+-      cancel_delayed_work(&info->work);
++      cancel_delayed_work_sync(&info->work);
+       power_supply_unregister(info->supply);
+       return 0;
+ }
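Review bot: The fix in ltc294x_i2c_remove depends on the order of its two calls, and nothing in the code says so. If the work function touches `info->supply` (its body is not visible in this hunk), the sync cancel has to stay ahead of `power_supply_unregister()`. A comment such as `/* stop the poller first: it must not run once the supply is unregistered */` would keep a later reorder from reopening the use-after-free. It is also worth confirming that no other path can queue `info->work` again after the sync cancel returns.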
diff --git a/queue-4.14/scsi-qla2xxx-fix-mtcp-dump-collection-failure.patch b/queue-4.14/scsi-qla2xxx-fix-mtcp-dump-collection-failure.patch
new file mode 100644 (file)
index 0000000..cd22f51
--- /dev/null
@@ -0,0 +1,37 @@
+From 641e0efddcbde52461e017136acd3ce7f2ef0c14 Mon Sep 17 00:00:00 2001
+From: Quinn Tran <qutran@marvell.com>
+Date: Tue, 17 Dec 2019 14:06:16 -0800
+Subject: scsi: qla2xxx: Fix mtcp dump collection failure
+
+From: Quinn Tran <qutran@marvell.com>
+
+commit 641e0efddcbde52461e017136acd3ce7f2ef0c14 upstream.
+
+MTCP dump failed due to MB Reg 10 was picking garbage data from stack
+memory.
+
+Fixes: 81178772b636a ("[SCSI] qla2xxx: Implemetation of mctp.")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20191217220617.28084-14-hmadhani@marvell.com
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_mbx.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_mbx.c
++++ b/drivers/scsi/qla2xxx/qla_mbx.c
+@@ -5853,9 +5853,8 @@ qla2x00_dump_mctp_data(scsi_qla_host_t *
+       mcp->mb[7] = LSW(MSD(req_dma));
+       mcp->mb[8] = MSW(addr);
+       /* Setting RAM ID to valid */
+-      mcp->mb[10] |= BIT_7;
+       /* For MCTP RAM ID is 0x40 */
+-      mcp->mb[10] |= 0x40;
++      mcp->mb[10] = BIT_7 | 0x40;
+       mcp->out_mb |= MBX_10|MBX_8|MBX_7|MBX_6|MBX_5|MBX_4|MBX_3|MBX_2|MBX_1|
+           MBX_0;
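Review bot: Assigning `mcp->mb[10]` outright fixes this one register, but the commit message says the garbage came from stack memory, which suggests the mailbox command structure is declared without an initialiser outside this hunk. Zero-initialising it at its declaration would cover every `mb[]` slot that is later added to `out_mb`, not just slot 10, and would keep stale kernel stack contents from being written to the adapter. Separately, the two comments now sit above a single statement; merging them into one and replacing the bare `0x40` with a named constant would make the line easier to audit.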
index da58823a6d03d0ade5bd83d4cb0ea900aae57880..1417c3ebd33c396752d0fa803c2884d2fb8a4f4f 100644 (file)
@@ -42,3 +42,7 @@ ubifs-fix-deadlock-in-concurrent-bulk-read-and-writepage.patch
 pci-keystone-fix-link-training-retries-initiation.patch
 mmc-sdhci-of-at91-fix-memleak-on-clk_get-failure.patch
 ubifs-don-t-trigger-assertion-on-invalid-no-key-file.patch
+hv_balloon-balloon-up-according-to-request-page-number.patch
+crypto-api-check-spawn-alg-under-lock-in-crypto_drop_spawn.patch
+scsi-qla2xxx-fix-mtcp-dump-collection-failure.patch
+power-supply-ltc2941-battery-gauge-fix-use-after-free.patch