--- /dev/null
+From da180322582bd9db07f29e6d4a2d170afde0703f Mon Sep 17 00:00:00 2001
+From: Jernej Skrabec <jernej.skrabec@siol.net>
+Date: Sat, 25 Jan 2020 00:20:09 +0100
+Subject: ARM: dts: sunxi: Fix DE2 clocks register range
+
+From: Jernej Skrabec <jernej.skrabec@siol.net>
+
+commit da180322582bd9db07f29e6d4a2d170afde0703f upstream.
+
+As it can be seen from DE2 manual, clock range is 0x10000.
+
+Fix it.
+
+Signed-off-by: Jernej Skrabec <jernej.skrabec@siol.net>
+Fixes: 73f122c82775 ("ARM: dts: sun8i: a83t: Add display pipeline")
+Fixes: 05a43a262d03 ("ARM: dts: sun8i: r40: Add HDMI pipeline")
+Fixes: 21b299209330 ("ARM: sun8i: v3s: add device nodes for DE2 display pipeline")
+Fixes: d8c6f1f0295c ("ARM: sun8i: h3/h5: add DE2 CCU device node for H3")
+[wens@csie.org: added fixes tags]
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/sun8i-a83t.dtsi | 2 +-
+ arch/arm/boot/dts/sun8i-r40.dtsi | 2 +-
+ arch/arm/boot/dts/sun8i-v3s.dtsi | 2 +-
+ arch/arm/boot/dts/sunxi-h3-h5.dtsi | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/arm/boot/dts/sun8i-a83t.dtsi
++++ b/arch/arm/boot/dts/sun8i-a83t.dtsi
+@@ -313,7 +313,7 @@
+
+ display_clocks: clock@1000000 {
+ compatible = "allwinner,sun8i-a83t-de2-clk";
+- reg = <0x01000000 0x100000>;
++ reg = <0x01000000 0x10000>;
+ clocks = <&ccu CLK_BUS_DE>,
+ <&ccu CLK_PLL_DE>;
+ clock-names = "bus",
+--- a/arch/arm/boot/dts/sun8i-r40.dtsi
++++ b/arch/arm/boot/dts/sun8i-r40.dtsi
+@@ -118,7 +118,7 @@
+ display_clocks: clock@1000000 {
+ compatible = "allwinner,sun8i-r40-de2-clk",
+ "allwinner,sun8i-h3-de2-clk";
+- reg = <0x01000000 0x100000>;
++ reg = <0x01000000 0x10000>;
+ clocks = <&ccu CLK_BUS_DE>,
+ <&ccu CLK_DE>;
+ clock-names = "bus",
+--- a/arch/arm/boot/dts/sun8i-v3s.dtsi
++++ b/arch/arm/boot/dts/sun8i-v3s.dtsi
+@@ -105,7 +105,7 @@
+
+ display_clocks: clock@1000000 {
+ compatible = "allwinner,sun8i-v3s-de2-clk";
+- reg = <0x01000000 0x100000>;
++ reg = <0x01000000 0x10000>;
+ clocks = <&ccu CLK_BUS_DE>,
+ <&ccu CLK_DE>;
+ clock-names = "bus",
+--- a/arch/arm/boot/dts/sunxi-h3-h5.dtsi
++++ b/arch/arm/boot/dts/sunxi-h3-h5.dtsi
+@@ -113,7 +113,7 @@
+
+ display_clocks: clock@1000000 {
+ /* compatible is in per SoC .dtsi file */
+- reg = <0x01000000 0x100000>;
++ reg = <0x01000000 0x10000>;
+ clocks = <&ccu CLK_BUS_DE>,
+ <&ccu CLK_DE>;
+ clock-names = "bus",
--- /dev/null
+From daniel@iogearbox.net Wed Apr 22 10:22:28 2020
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Tue, 21 Apr 2020 15:01:49 +0200
+Subject: bpf: fix buggy r0 retval refinement for tracing helpers
+To: gregkh@linuxfoundation.org
+Cc: alexei.starovoitov@gmail.com, john.fastabend@gmail.com, kpsingh@chromium.org, jannh@google.com, fontanalorenz@gmail.com, leodidonato@gmail.com, yhs@fb.com, bpf@vger.kernel.org, Daniel Borkmann <daniel@iogearbox.net>, Alexei Starovoitov <ast@kernel.org>
+Message-ID: <20200421130152.14348-1-daniel@iogearbox.net>
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Tue, 21 Apr 2020 15:01:49 +0200
+
+[ no upstream commit ]
+
+See the glory details in 100605035e15 ("bpf: Verifier, do_refine_retval_range
+may clamp umin to 0 incorrectly") for why 849fa50662fb ("bpf/verifier: refine
+retval R0 state for bpf_get_stack helper") is buggy. The whole series however
+is not suitable for stable since it adds significant amount [0] of verifier
+complexity in order to add 32bit subreg tracking. Something simpler is needed.
+
+Unfortunately, reverting 849fa50662fb ("bpf/verifier: refine retval R0 state
+for bpf_get_stack helper") or just cherry-picking 100605035e15 ("bpf: Verifier,
+do_refine_retval_range may clamp umin to 0 incorrectly") is not an option since
+it will break existing tracing programs badly (at least those that are using
+bpf_get_stack() and bpf_probe_read_str() helpers). Not fixing it in stable is
+also not an option since on 4.19 kernels an error will cause a soft-lockup due
+to hitting dead-code sanitized branch since we don't hard-wire such branches
+in old kernels yet. But even then for 5.x 849fa50662fb ("bpf/verifier: refine
+retval R0 state for bpf_get_stack helper") would cause wrong bounds on the
+verifier simluation when an error is hit.
+
+In one of the earlier iterations of mentioned patch series for upstream there
+was the concern that just using smax_value in do_refine_retval_range() would
+nuke bounds by subsequent <<32 >>32 shifts before the comparison against 0 [1]
+which eventually led to the 32bit subreg tracking in the first place. While I
+initially went for implementing the idea [1] to pattern match the two shift
+operations, it turned out to be more complex than actually needed, meaning, we
+could simply treat do_refine_retval_range() similarly to how we branch off
+verification for conditionals or under speculation, that is, pushing a new
+reg state to the stack for later verification. This means, instead of verifying
+the current path with the ret_reg in [S32MIN, msize_max_value] interval where
+later bounds would get nuked, we split this into two: i) for the success case
+where ret_reg can be in [0, msize_max_value], and ii) for the error case with
+ret_reg known to be in interval [S32MIN, -1]. Latter will preserve the bounds
+during these shift patterns and can match reg < 0 test. test_progs also succeed
+with this approach.
+
+ [0] https://lore.kernel.org/bpf/158507130343.15666.8018068546764556975.stgit@john-Precision-5820-Tower/
+ [1] https://lore.kernel.org/bpf/158015334199.28573.4940395881683556537.stgit@john-XPS-13-9370/T/#m2e0ad1d5949131014748b6daa48a3495e7f0456d
+
+Fixes: 849fa50662fb ("bpf/verifier: refine retval R0 state for bpf_get_stack helper")
+Reported-by: Lorenzo Fontana <fontanalorenz@gmail.com>
+Reported-by: Leonardo Di Donato <leodidonato@gmail.com>
+Reported-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Tested-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/verifier.c | 45 ++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 34 insertions(+), 11 deletions(-)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -201,8 +201,7 @@ struct bpf_call_arg_meta {
+ bool pkt_access;
+ int regno;
+ int access_size;
+- s64 msize_smax_value;
+- u64 msize_umax_value;
++ u64 msize_max_value;
+ int ref_obj_id;
+ int func_id;
+ };
+@@ -3377,8 +3376,7 @@ static int check_func_arg(struct bpf_ver
+ /* remember the mem_size which may be used later
+ * to refine return values.
+ */
+- meta->msize_smax_value = reg->smax_value;
+- meta->msize_umax_value = reg->umax_value;
++ meta->msize_max_value = reg->umax_value;
+
+ /* The register is SCALAR_VALUE; the access check
+ * happens using its boundaries.
+@@ -3866,21 +3864,44 @@ static int prepare_func_exit(struct bpf_
+ return 0;
+ }
+
+-static void do_refine_retval_range(struct bpf_reg_state *regs, int ret_type,
+- int func_id,
+- struct bpf_call_arg_meta *meta)
++static int do_refine_retval_range(struct bpf_verifier_env *env,
++ struct bpf_reg_state *regs, int ret_type,
++ int func_id, struct bpf_call_arg_meta *meta)
+ {
+ struct bpf_reg_state *ret_reg = ®s[BPF_REG_0];
++ struct bpf_reg_state tmp_reg = *ret_reg;
++ bool ret;
+
+ if (ret_type != RET_INTEGER ||
+ (func_id != BPF_FUNC_get_stack &&
+ func_id != BPF_FUNC_probe_read_str))
+- return;
++ return 0;
++
++ /* Error case where ret is in interval [S32MIN, -1]. */
++ ret_reg->smin_value = S32_MIN;
++ ret_reg->smax_value = -1;
+
+- ret_reg->smax_value = meta->msize_smax_value;
+- ret_reg->umax_value = meta->msize_umax_value;
+ __reg_deduce_bounds(ret_reg);
+ __reg_bound_offset(ret_reg);
++ __update_reg_bounds(ret_reg);
++
++ ret = push_stack(env, env->insn_idx + 1, env->insn_idx, false);
++ if (!ret)
++ return -EFAULT;
++
++ *ret_reg = tmp_reg;
++
++ /* Success case where ret is in range [0, msize_max_value]. */
++ ret_reg->smin_value = 0;
++ ret_reg->smax_value = meta->msize_max_value;
++ ret_reg->umin_value = ret_reg->smin_value;
++ ret_reg->umax_value = ret_reg->smax_value;
++
++ __reg_deduce_bounds(ret_reg);
++ __reg_bound_offset(ret_reg);
++ __update_reg_bounds(ret_reg);
++
++ return 0;
+ }
+
+ static int
+@@ -4112,7 +4133,9 @@ static int check_helper_call(struct bpf_
+ regs[BPF_REG_0].ref_obj_id = id;
+ }
+
+- do_refine_retval_range(regs, fn->ret_type, func_id, &meta);
++ err = do_refine_retval_range(env, regs, fn->ret_type, func_id, &meta);
++ if (err)
++ return err;
+
+ err = check_map_func_compatibility(env, meta.map_ptr, func_id);
+ if (err)
--- /dev/null
+From d2db08c7a14e0b5eed6132baf258b80622e041a9 Mon Sep 17 00:00:00 2001
+From: John Fastabend <john.fastabend@gmail.com>
+Date: Mon, 30 Mar 2020 14:37:19 -0700
+Subject: bpf: Test_progs, add test to catch retval refine error handling
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+commit d2db08c7a14e0b5eed6132baf258b80622e041a9 upstream.
+
+Before this series the verifier would clamp return bounds of
+bpf_get_stack() to [0, X] and this led the verifier to believe
+that a JMP_JSLT 0 would be false and so would prune that path.
+
+The result is anything hidden behind that JSLT would be unverified.
+Add a test to catch this case by hiding an goto pc-1 behind the
+check which will cause an infinite loop if not rejected.
+
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/158560423908.10843.11783152347709008373.stgit@john-Precision-5820-Tower
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/testing/selftests/bpf/prog_tests/get_stack_raw_tp.c | 5 ++
+ tools/testing/selftests/bpf/progs/test_get_stack_rawtp_err.c | 26 +++++++++++
+ 2 files changed, 31 insertions(+)
+
+--- a/tools/testing/selftests/bpf/prog_tests/get_stack_raw_tp.c
++++ b/tools/testing/selftests/bpf/prog_tests/get_stack_raw_tp.c
+@@ -82,6 +82,7 @@ static void get_stack_print_output(void
+ void test_get_stack_raw_tp(void)
+ {
+ const char *file = "./test_get_stack_rawtp.o";
++ const char *file_err = "./test_get_stack_rawtp_err.o";
+ const char *prog_name = "raw_tracepoint/sys_enter";
+ int i, err, prog_fd, exp_cnt = MAX_CNT_RAWTP;
+ struct perf_buffer_opts pb_opts = {};
+@@ -93,6 +94,10 @@ void test_get_stack_raw_tp(void)
+ struct bpf_map *map;
+ cpu_set_t cpu_set;
+
++ err = bpf_prog_load(file_err, BPF_PROG_TYPE_RAW_TRACEPOINT, &obj, &prog_fd);
++ if (CHECK(err >= 0, "prog_load raw tp", "err %d errno %d\n", err, errno))
++ return;
++
+ err = bpf_prog_load(file, BPF_PROG_TYPE_RAW_TRACEPOINT, &obj, &prog_fd);
+ if (CHECK(err, "prog_load raw tp", "err %d errno %d\n", err, errno))
+ return;
+--- /dev/null
++++ b/tools/testing/selftests/bpf/progs/test_get_stack_rawtp_err.c
+@@ -0,0 +1,26 @@
++// SPDX-License-Identifier: GPL-2.0
++
++#include <linux/bpf.h>
++#include <bpf/bpf_helpers.h>
++
++#define MAX_STACK_RAWTP 10
++
++SEC("raw_tracepoint/sys_enter")
++int bpf_prog2(void *ctx)
++{
++ __u64 stack[MAX_STACK_RAWTP];
++ int error;
++
++ /* set all the flags which should return -EINVAL */
++ error = bpf_get_stack(ctx, stack, 0, -1);
++ if (error < 0)
++ goto loop;
++
++ return error;
++loop:
++ while (1) {
++ error++;
++ }
++}
++
++char _license[] SEC("license") = "GPL";
--- /dev/null
+From 9ac26e9973bac5716a2a542e32f380c84db2b88c Mon Sep 17 00:00:00 2001
+From: John Fastabend <john.fastabend@gmail.com>
+Date: Mon, 30 Mar 2020 14:37:40 -0700
+Subject: bpf: Test_verifier, bpf_get_stack return value add <0
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+commit 9ac26e9973bac5716a2a542e32f380c84db2b88c upstream.
+
+With current ALU32 subreg handling and retval refine fix from last
+patches we see an expected failure in test_verifier. With verbose
+verifier state being printed at each step for clarity we have the
+following relavent lines [I omit register states that are not
+necessarily useful to see failure cause],
+
+#101/p bpf_get_stack return R0 within range FAIL
+Failed to load prog 'Success'!
+[..]
+14: (85) call bpf_get_stack#67
+ R0_w=map_value(id=0,off=0,ks=8,vs=48,imm=0)
+ R3_w=inv48
+15:
+ R0=inv(id=0,smax_value=48,var32_off=(0x0; 0xffffffff))
+15: (b7) r1 = 0
+16:
+ R0=inv(id=0,smax_value=48,var32_off=(0x0; 0xffffffff))
+ R1_w=inv0
+16: (bf) r8 = r0
+17:
+ R0=inv(id=0,smax_value=48,var32_off=(0x0; 0xffffffff))
+ R1_w=inv0
+ R8_w=inv(id=0,smax_value=48,var32_off=(0x0; 0xffffffff))
+17: (67) r8 <<= 32
+18:
+ R0=inv(id=0,smax_value=48,var32_off=(0x0; 0xffffffff))
+ R1_w=inv0
+ R8_w=inv(id=0,smax_value=9223372032559808512,
+ umax_value=18446744069414584320,
+ var_off=(0x0; 0xffffffff00000000),
+ s32_min_value=0,
+ s32_max_value=0,
+ u32_max_value=0,
+ var32_off=(0x0; 0x0))
+18: (c7) r8 s>>= 32
+19
+ R0=inv(id=0,smax_value=48,var32_off=(0x0; 0xffffffff))
+ R1_w=inv0
+ R8_w=inv(id=0,smin_value=-2147483648,
+ smax_value=2147483647,
+ var32_off=(0x0; 0xffffffff))
+19: (cd) if r1 s< r8 goto pc+16
+ R0=inv(id=0,smax_value=48,var32_off=(0x0; 0xffffffff))
+ R1_w=inv0
+ R8_w=inv(id=0,smin_value=-2147483648,
+ smax_value=0,
+ var32_off=(0x0; 0xffffffff))
+20:
+ R0=inv(id=0,smax_value=48,var32_off=(0x0; 0xffffffff))
+ R1_w=inv0
+ R8_w=inv(id=0,smin_value=-2147483648,
+ smax_value=0,
+ R9=inv48
+20: (1f) r9 -= r8
+21: (bf) r2 = r7
+22:
+ R2_w=map_value(id=0,off=0,ks=8,vs=48,imm=0)
+22: (0f) r2 += r8
+value -2147483648 makes map_value pointer be out of bounds
+
+After call bpf_get_stack() on line 14 and some moves we have at line 16
+an r8 bound with max_value 48 but an unknown min value. This is to be
+expected bpf_get_stack call can only return a max of the input size but
+is free to return any negative error in the 32-bit register space. The
+C helper is returning an int so will use lower 32-bits.
+
+Lines 17 and 18 clear the top 32 bits with a left/right shift but use
+ARSH so we still have worst case min bound before line 19 of -2147483648.
+At this point the signed check 'r1 s< r8' meant to protect the addition
+on line 22 where dst reg is a map_value pointer may very well return
+true with a large negative number. Then the final line 22 will detect
+this as an invalid operation and fail the program. What we want to do
+is proceed only if r8 is positive non-error. So change 'r1 s< r8' to
+'r1 s> r8' so that we jump if r8 is negative.
+
+Next we will throw an error because we access past the end of the map
+value. The map value size is 48 and sizeof(struct test_val) is 48 so
+we walk off the end of the map value on the second call to
+get bpf_get_stack(). Fix this by changing sizeof(struct test_val) to
+24 by using 'sizeof(struct test_val) / 2'. After this everything passes
+as expected.
+
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/158560426019.10843.3285429543232025187.stgit@john-Precision-5820-Tower
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/testing/selftests/bpf/verifier/bpf_get_stack.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/tools/testing/selftests/bpf/verifier/bpf_get_stack.c
++++ b/tools/testing/selftests/bpf/verifier/bpf_get_stack.c
+@@ -9,17 +9,17 @@
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 28),
+ BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
+- BPF_MOV64_IMM(BPF_REG_9, sizeof(struct test_val)),
++ BPF_MOV64_IMM(BPF_REG_9, sizeof(struct test_val)/2),
+ BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
+- BPF_MOV64_IMM(BPF_REG_3, sizeof(struct test_val)),
++ BPF_MOV64_IMM(BPF_REG_3, sizeof(struct test_val)/2),
+ BPF_MOV64_IMM(BPF_REG_4, 256),
+ BPF_EMIT_CALL(BPF_FUNC_get_stack),
+ BPF_MOV64_IMM(BPF_REG_1, 0),
+ BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
+ BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32),
+ BPF_ALU64_IMM(BPF_ARSH, BPF_REG_8, 32),
+- BPF_JMP_REG(BPF_JSLT, BPF_REG_1, BPF_REG_8, 16),
++ BPF_JMP_REG(BPF_JSGT, BPF_REG_1, BPF_REG_8, 16),
+ BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8),
+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
+ BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_8),
+@@ -29,7 +29,7 @@
+ BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
+ BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_1),
+ BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
+- BPF_MOV64_IMM(BPF_REG_5, sizeof(struct test_val)),
++ BPF_MOV64_IMM(BPF_REG_5, sizeof(struct test_val)/2),
+ BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_5),
+ BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 4),
+ BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
--- /dev/null
+From daniel@iogearbox.net Wed Apr 22 10:24:25 2020
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Tue, 21 Apr 2020 15:01:52 +0200
+Subject: bpf, test_verifier: switch bpf_get_stack's 0 s> r8 test
+To: gregkh@linuxfoundation.org
+Cc: alexei.starovoitov@gmail.com, john.fastabend@gmail.com, kpsingh@chromium.org, jannh@google.com, fontanalorenz@gmail.com, leodidonato@gmail.com, yhs@fb.com, bpf@vger.kernel.org, Daniel Borkmann <daniel@iogearbox.net>, Alexei Starovoitov <ast@kernel.org>
+Message-ID: <20200421130152.14348-4-daniel@iogearbox.net>
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ no upstream commit ]
+
+Switch the comparison, so that is_branch_taken() will recognize that below
+branch is never taken:
+
+ [...]
+ 17: [...] R1_w=inv0 [...] R8_w=inv(id=0,smin_value=-2147483648,smax_value=-1,umin_value=18446744071562067968,var_off=(0xffffffff80000000; 0x7fffffff)) [...]
+ 17: (67) r8 <<= 32
+ 18: [...] R8_w=inv(id=0,smax_value=-4294967296,umin_value=9223372036854775808,umax_value=18446744069414584320,var_off=(0x8000000000000000; 0x7fffffff00000000)) [...]
+ 18: (c7) r8 s>>= 32
+ 19: [...] R8_w=inv(id=0,smin_value=-2147483648,smax_value=-1,umin_value=18446744071562067968,var_off=(0xffffffff80000000; 0x7fffffff)) [...]
+ 19: (6d) if r1 s> r8 goto pc+16
+ [...] R1_w=inv0 [...] R8_w=inv(id=0,smin_value=-2147483648,smax_value=-1,umin_value=18446744071562067968,var_off=(0xffffffff80000000; 0x7fffffff)) [...]
+ [...]
+
+Currently we check for is_branch_taken() only if either K is source, or source
+is a scalar value that is const. For upstream it would be good to extend this
+properly to check whether dst is const and src not.
+
+For the sake of the test_verifier, it is probably not needed here:
+
+ # ./test_verifier 101
+ #101/p bpf_get_stack return R0 within range OK
+ Summary: 1 PASSED, 0 SKIPPED, 0 FAILED
+
+I haven't seen this issue in test_progs* though, they are passing fine:
+
+ # ./test_progs-no_alu32 -t get_stack
+ Switching to flavor 'no_alu32' subdirectory...
+ #20 get_stack_raw_tp:OK
+ Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED
+
+ # ./test_progs -t get_stack
+ #20 get_stack_raw_tp:OK
+ Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED
+
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/bpf/verifier/bpf_get_stack.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/bpf/verifier/bpf_get_stack.c
++++ b/tools/testing/selftests/bpf/verifier/bpf_get_stack.c
+@@ -19,7 +19,7 @@
+ BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
+ BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32),
+ BPF_ALU64_IMM(BPF_ARSH, BPF_REG_8, 32),
+- BPF_JMP_REG(BPF_JSGT, BPF_REG_1, BPF_REG_8, 16),
++ BPF_JMP_REG(BPF_JSLT, BPF_REG_8, BPF_REG_1, 16),
+ BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8),
+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
+ BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_8),
--- /dev/null
+From 9bb50ed7470944238ec8e30a94ef096caf9056ee Mon Sep 17 00:00:00 2001
+From: Grygorii Strashko <grygorii.strashko@ti.com>
+Date: Wed, 8 Apr 2020 22:43:00 +0300
+Subject: dma-debug: fix displaying of dma allocation type
+
+From: Grygorii Strashko <grygorii.strashko@ti.com>
+
+commit 9bb50ed7470944238ec8e30a94ef096caf9056ee upstream.
+
+The commit 2e05ea5cdc1a ("dma-mapping: implement dma_map_single_attrs using
+dma_map_page_attrs") removed "dma_debug_page" enum, but missed to update
+type2name string table. This causes incorrect displaying of dma allocation
+type.
+Fix it by removing "page" string from type2name string table and switch to
+use named initializers.
+
+Before (dma_alloc_coherent()):
+k3-ringacc 4b800000.ringacc: scather-gather idx 2208 P=d1140000 N=d114 D=d1140000 L=40 DMA_BIDIRECTIONAL dma map error check not applicable
+k3-ringacc 4b800000.ringacc: scather-gather idx 2216 P=d1150000 N=d115 D=d1150000 L=40 DMA_BIDIRECTIONAL dma map error check not applicable
+
+After:
+k3-ringacc 4b800000.ringacc: coherent idx 2208 P=d1140000 N=d114 D=d1140000 L=40 DMA_BIDIRECTIONAL dma map error check not applicable
+k3-ringacc 4b800000.ringacc: coherent idx 2216 P=d1150000 N=d115 D=d1150000 L=40 DMA_BIDIRECTIONAL dma map error check not applicable
+
+Fixes: 2e05ea5cdc1a ("dma-mapping: implement dma_map_single_attrs using dma_map_page_attrs")
+Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/dma/debug.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/kernel/dma/debug.c
++++ b/kernel/dma/debug.c
+@@ -137,9 +137,12 @@ static const char *const maperr2str[] =
+ [MAP_ERR_CHECKED] = "dma map error checked",
+ };
+
+-static const char *type2name[5] = { "single", "page",
+- "scather-gather", "coherent",
+- "resource" };
++static const char *type2name[] = {
++ [dma_debug_single] = "single",
++ [dma_debug_sg] = "scather-gather",
++ [dma_debug_coherent] = "coherent",
++ [dma_debug_resource] = "resource",
++};
+
+ static const char *dir2name[4] = { "DMA_BIDIRECTIONAL", "DMA_TO_DEVICE",
+ "DMA_FROM_DEVICE", "DMA_NONE" };
--- /dev/null
+From fb2511247dc4061fd122d0195838278a4a0b7b59 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jonathan=20Neusch=C3=A4fer?= <j.neuschaefer@gmx.net>
+Date: Tue, 18 Feb 2020 16:02:19 +0100
+Subject: docs: Fix path to MTD command line partition parser
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
+
+commit fb2511247dc4061fd122d0195838278a4a0b7b59 upstream.
+
+cmdlinepart.c has been moved to drivers/mtd/parsers/.
+
+Fixes: a3f12a35c91d ("mtd: parsers: Move CMDLINE parser")
+Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
+Signed-off-by: Jonathan Corbet <corbet@lwn.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/admin-guide/kernel-parameters.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -2741,7 +2741,7 @@
+ <name>,<region-number>[,<base>,<size>,<buswidth>,<altbuswidth>]
+
+ mtdparts= [MTD]
+- See drivers/mtd/cmdlinepart.c.
++ See drivers/mtd/parsers/cmdlinepart.c
+
+ multitce=off [PPC] This parameter disables the use of the pSeries
+ firmware feature for updating multiple TCE entries
--- /dev/null
+From d3d19d6fc5736a798b118971935ce274f7deaa82 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 13 Jan 2020 14:08:14 +0300
+Subject: fbdev: potential information leak in do_fb_ioctl()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit d3d19d6fc5736a798b118971935ce274f7deaa82 upstream.
+
+The "fix" struct has a 2 byte hole after ->ywrapstep and the
+"fix = info->fix;" assignment doesn't necessarily clear it. It depends
+on the compiler. The solution is just to replace the assignment with an
+memcpy().
+
+Fixes: 1f5e31d7e55a ("fbmem: don't call copy_from/to_user() with mutex held")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+Cc: Andrea Righi <righi.andrea@gmail.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Sam Ravnborg <sam@ravnborg.org>
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Cc: Daniel Thompson <daniel.thompson@linaro.org>
+Cc: Peter Rosin <peda@axentia.se>
+Cc: Jani Nikula <jani.nikula@intel.com>
+Cc: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200113100132.ixpaymordi24n3av@kili.mountain
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/fbdev/core/fbmem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/core/fbmem.c
++++ b/drivers/video/fbdev/core/fbmem.c
+@@ -1110,7 +1110,7 @@ static long do_fb_ioctl(struct fb_info *
+ break;
+ case FBIOGET_FSCREENINFO:
+ lock_fb_info(info);
+- fix = info->fix;
++ memcpy(&fix, &info->fix, sizeof(fix));
+ if (info->flags & FBINFO_HIDE_SMEM_START)
+ fix.smem_start = 0;
+ unlock_fb_info(info);
--- /dev/null
+From 93166f5f2e4dc593cff8ca77ef828ac6f148b0f3 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Tue, 17 Dec 2019 20:00:25 -0700
+Subject: fbmem: Adjust indentation in fb_prepare_logo and fb_blank
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+commit 93166f5f2e4dc593cff8ca77ef828ac6f148b0f3 upstream.
+
+Clang warns:
+
+../drivers/video/fbdev/core/fbmem.c:665:3: warning: misleading
+indentation; statement is not part of the previous 'else'
+[-Wmisleading-indentation]
+ if (fb_logo.depth > 4 && depth > 4) {
+ ^
+../drivers/video/fbdev/core/fbmem.c:661:2: note: previous statement is
+here
+ else
+ ^
+../drivers/video/fbdev/core/fbmem.c:1075:3: warning: misleading
+indentation; statement is not part of the previous 'if'
+[-Wmisleading-indentation]
+ return ret;
+ ^
+../drivers/video/fbdev/core/fbmem.c:1072:2: note: previous statement is
+here
+ if (!ret)
+ ^
+2 warnings generated.
+
+This warning occurs because there are spaces before the tabs on these
+lines. Normalize the indentation in these functions so that it is
+consistent with the Linux kernel coding style and clang no longer warns.
+
+Fixes: 1692b37c99d5 ("fbdev: Fix logo if logo depth is less than framebuffer depth")
+Link: https://github.com/ClangBuiltLinux/linux/issues/825
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20191218030025.10064-1-natechancellor@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/fbdev/core/fbmem.c | 36 ++++++++++++++++++------------------
+ 1 file changed, 18 insertions(+), 18 deletions(-)
+
+--- a/drivers/video/fbdev/core/fbmem.c
++++ b/drivers/video/fbdev/core/fbmem.c
+@@ -662,20 +662,20 @@ int fb_prepare_logo(struct fb_info *info
+ fb_logo.depth = 1;
+
+
+- if (fb_logo.depth > 4 && depth > 4) {
+- switch (info->fix.visual) {
+- case FB_VISUAL_TRUECOLOR:
+- fb_logo.needs_truepalette = 1;
+- break;
+- case FB_VISUAL_DIRECTCOLOR:
+- fb_logo.needs_directpalette = 1;
+- fb_logo.needs_cmapreset = 1;
+- break;
+- case FB_VISUAL_PSEUDOCOLOR:
+- fb_logo.needs_cmapreset = 1;
+- break;
+- }
+- }
++ if (fb_logo.depth > 4 && depth > 4) {
++ switch (info->fix.visual) {
++ case FB_VISUAL_TRUECOLOR:
++ fb_logo.needs_truepalette = 1;
++ break;
++ case FB_VISUAL_DIRECTCOLOR:
++ fb_logo.needs_directpalette = 1;
++ fb_logo.needs_cmapreset = 1;
++ break;
++ case FB_VISUAL_PSEUDOCOLOR:
++ fb_logo.needs_cmapreset = 1;
++ break;
++ }
++ }
+
+ height = fb_logo.logo->height;
+ if (fb_center_logo)
+@@ -1060,19 +1060,19 @@ fb_blank(struct fb_info *info, int blank
+ struct fb_event event;
+ int ret = -EINVAL;
+
+- if (blank > FB_BLANK_POWERDOWN)
+- blank = FB_BLANK_POWERDOWN;
++ if (blank > FB_BLANK_POWERDOWN)
++ blank = FB_BLANK_POWERDOWN;
+
+ event.info = info;
+ event.data = ␣
+
+ if (info->fbops->fb_blank)
+- ret = info->fbops->fb_blank(blank, info);
++ ret = info->fbops->fb_blank(blank, info);
+
+ if (!ret)
+ fb_notifier_call_chain(FB_EVENT_BLANK, &event);
+
+- return ret;
++ return ret;
+ }
+ EXPORT_SYMBOL(fb_blank);
+
--- /dev/null
+From 328b50e9a0ad1fe8accdf8c19923deebab5e0c01 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Maxime=20Roussin-B=C3=A9langer?=
+ <maxime.roussinbelanger@gmail.com>
+Date: Wed, 19 Feb 2020 12:40:08 -0500
+Subject: iio: si1133: read 24-bit signed integer for measurement
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maxime Roussin-Bélanger <maxime.roussinbelanger@gmail.com>
+
+commit 328b50e9a0ad1fe8accdf8c19923deebab5e0c01 upstream.
+
+The chip is configured in 24 bit mode. The values read from
+it must always be treated as is. This fixes the issue by
+replacing the previous 16 bits value by a 24 bits buffer.
+
+This changes affects the value output by previous version of
+the driver, since the least significant byte was missing.
+The upper half of 16 bit values previously output are now
+the upper half of a 24 bit value.
+
+Fixes: e01e7eaf37d8 ("iio: light: introduce si1133")
+
+Reported-by: Simon Goyette <simon.goyette@gmail.com>
+Co-authored-by: Guillaume Champagne <champagne.guillaume.c@gmail.com>
+Signed-off-by: Maxime Roussin-Bélanger <maxime.roussinbelanger@gmail.com>
+Signed-off-by: Guillaume Champagne <champagne.guillaume.c@gmail.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/light/si1133.c | 37 ++++++++++++++++++++++++-------------
+ 1 file changed, 24 insertions(+), 13 deletions(-)
+
+--- a/drivers/iio/light/si1133.c
++++ b/drivers/iio/light/si1133.c
+@@ -102,6 +102,9 @@
+ #define SI1133_INPUT_FRACTION_LOW 15
+ #define SI1133_LUX_OUTPUT_FRACTION 12
+ #define SI1133_LUX_BUFFER_SIZE 9
++#define SI1133_MEASURE_BUFFER_SIZE 3
++
++#define SI1133_SIGN_BIT_INDEX 23
+
+ static const int si1133_scale_available[] = {
+ 1, 2, 4, 8, 16, 32, 64, 128};
+@@ -234,13 +237,13 @@ static const struct si1133_lux_coeff lux
+ }
+ };
+
+-static int si1133_calculate_polynomial_inner(u32 input, u8 fraction, u16 mag,
++static int si1133_calculate_polynomial_inner(s32 input, u8 fraction, u16 mag,
+ s8 shift)
+ {
+ return ((input << fraction) / mag) << shift;
+ }
+
+-static int si1133_calculate_output(u32 x, u32 y, u8 x_order, u8 y_order,
++static int si1133_calculate_output(s32 x, s32 y, u8 x_order, u8 y_order,
+ u8 input_fraction, s8 sign,
+ const struct si1133_coeff *coeffs)
+ {
+@@ -276,7 +279,7 @@ static int si1133_calculate_output(u32 x
+ * The algorithm is from:
+ * https://siliconlabs.github.io/Gecko_SDK_Doc/efm32zg/html/si1133_8c_source.html#l00716
+ */
+-static int si1133_calc_polynomial(u32 x, u32 y, u8 input_fraction, u8 num_coeff,
++static int si1133_calc_polynomial(s32 x, s32 y, u8 input_fraction, u8 num_coeff,
+ const struct si1133_coeff *coeffs)
+ {
+ u8 x_order, y_order;
+@@ -614,7 +617,7 @@ static int si1133_measure(struct si1133_
+ {
+ int err;
+
+- __be16 resp;
++ u8 buffer[SI1133_MEASURE_BUFFER_SIZE];
+
+ err = si1133_set_adcmux(data, 0, chan->channel);
+ if (err)
+@@ -625,12 +628,13 @@ static int si1133_measure(struct si1133_
+ if (err)
+ return err;
+
+- err = si1133_bulk_read(data, SI1133_REG_HOSTOUT(0), sizeof(resp),
+- (u8 *)&resp);
++ err = si1133_bulk_read(data, SI1133_REG_HOSTOUT(0), sizeof(buffer),
++ buffer);
+ if (err)
+ return err;
+
+- *val = be16_to_cpu(resp);
++ *val = sign_extend32((buffer[0] << 16) | (buffer[1] << 8) | buffer[2],
++ SI1133_SIGN_BIT_INDEX);
+
+ return err;
+ }
+@@ -704,9 +708,9 @@ static int si1133_get_lux(struct si1133_
+ {
+ int err;
+ int lux;
+- u32 high_vis;
+- u32 low_vis;
+- u32 ir;
++ s32 high_vis;
++ s32 low_vis;
++ s32 ir;
+ u8 buffer[SI1133_LUX_BUFFER_SIZE];
+
+ /* Activate lux channels */
+@@ -719,9 +723,16 @@ static int si1133_get_lux(struct si1133_
+ if (err)
+ return err;
+
+- high_vis = (buffer[0] << 16) | (buffer[1] << 8) | buffer[2];
+- low_vis = (buffer[3] << 16) | (buffer[4] << 8) | buffer[5];
+- ir = (buffer[6] << 16) | (buffer[7] << 8) | buffer[8];
++ high_vis =
++ sign_extend32((buffer[0] << 16) | (buffer[1] << 8) | buffer[2],
++ SI1133_SIGN_BIT_INDEX);
++
++ low_vis =
++ sign_extend32((buffer[3] << 16) | (buffer[4] << 8) | buffer[5],
++ SI1133_SIGN_BIT_INDEX);
++
++ ir = sign_extend32((buffer[6] << 16) | (buffer[7] << 8) | buffer[8],
++ SI1133_SIGN_BIT_INDEX);
+
+ if (high_vis > SI1133_ADC_THRESHOLD || ir > SI1133_ADC_THRESHOLD)
+ lux = si1133_calc_polynomial(high_vis, ir,
--- /dev/null
+From d3ec10aa95819bff18a0d936b18884c7816d0914 Mon Sep 17 00:00:00 2001
+From: Waiman Long <longman@redhat.com>
+Date: Sat, 21 Mar 2020 21:11:24 -0400
+Subject: KEYS: Don't write out to userspace while holding key semaphore
+
+From: Waiman Long <longman@redhat.com>
+
+commit d3ec10aa95819bff18a0d936b18884c7816d0914 upstream.
+
+A lockdep circular locking dependency report was seen when running a
+keyutils test:
+
+[12537.027242] ======================================================
+[12537.059309] WARNING: possible circular locking dependency detected
+[12537.088148] 4.18.0-147.7.1.el8_1.x86_64+debug #1 Tainted: G OE --------- - -
+[12537.125253] ------------------------------------------------------
+[12537.153189] keyctl/25598 is trying to acquire lock:
+[12537.175087] 000000007c39f96c (&mm->mmap_sem){++++}, at: __might_fault+0xc4/0x1b0
+[12537.208365]
+[12537.208365] but task is already holding lock:
+[12537.234507] 000000003de5b58d (&type->lock_class){++++}, at: keyctl_read_key+0x15a/0x220
+[12537.270476]
+[12537.270476] which lock already depends on the new lock.
+[12537.270476]
+[12537.307209]
+[12537.307209] the existing dependency chain (in reverse order) is:
+[12537.340754]
+[12537.340754] -> #3 (&type->lock_class){++++}:
+[12537.367434] down_write+0x4d/0x110
+[12537.385202] __key_link_begin+0x87/0x280
+[12537.405232] request_key_and_link+0x483/0xf70
+[12537.427221] request_key+0x3c/0x80
+[12537.444839] dns_query+0x1db/0x5a5 [dns_resolver]
+[12537.468445] dns_resolve_server_name_to_ip+0x1e1/0x4d0 [cifs]
+[12537.496731] cifs_reconnect+0xe04/0x2500 [cifs]
+[12537.519418] cifs_readv_from_socket+0x461/0x690 [cifs]
+[12537.546263] cifs_read_from_socket+0xa0/0xe0 [cifs]
+[12537.573551] cifs_demultiplex_thread+0x311/0x2db0 [cifs]
+[12537.601045] kthread+0x30c/0x3d0
+[12537.617906] ret_from_fork+0x3a/0x50
+[12537.636225]
+[12537.636225] -> #2 (root_key_user.cons_lock){+.+.}:
+[12537.664525] __mutex_lock+0x105/0x11f0
+[12537.683734] request_key_and_link+0x35a/0xf70
+[12537.705640] request_key+0x3c/0x80
+[12537.723304] dns_query+0x1db/0x5a5 [dns_resolver]
+[12537.746773] dns_resolve_server_name_to_ip+0x1e1/0x4d0 [cifs]
+[12537.775607] cifs_reconnect+0xe04/0x2500 [cifs]
+[12537.798322] cifs_readv_from_socket+0x461/0x690 [cifs]
+[12537.823369] cifs_read_from_socket+0xa0/0xe0 [cifs]
+[12537.847262] cifs_demultiplex_thread+0x311/0x2db0 [cifs]
+[12537.873477] kthread+0x30c/0x3d0
+[12537.890281] ret_from_fork+0x3a/0x50
+[12537.908649]
+[12537.908649] -> #1 (&tcp_ses->srv_mutex){+.+.}:
+[12537.935225] __mutex_lock+0x105/0x11f0
+[12537.954450] cifs_call_async+0x102/0x7f0 [cifs]
+[12537.977250] smb2_async_readv+0x6c3/0xc90 [cifs]
+[12538.000659] cifs_readpages+0x120a/0x1e50 [cifs]
+[12538.023920] read_pages+0xf5/0x560
+[12538.041583] __do_page_cache_readahead+0x41d/0x4b0
+[12538.067047] ondemand_readahead+0x44c/0xc10
+[12538.092069] filemap_fault+0xec1/0x1830
+[12538.111637] __do_fault+0x82/0x260
+[12538.129216] do_fault+0x419/0xfb0
+[12538.146390] __handle_mm_fault+0x862/0xdf0
+[12538.167408] handle_mm_fault+0x154/0x550
+[12538.187401] __do_page_fault+0x42f/0xa60
+[12538.207395] do_page_fault+0x38/0x5e0
+[12538.225777] page_fault+0x1e/0x30
+[12538.243010]
+[12538.243010] -> #0 (&mm->mmap_sem){++++}:
+[12538.267875] lock_acquire+0x14c/0x420
+[12538.286848] __might_fault+0x119/0x1b0
+[12538.306006] keyring_read_iterator+0x7e/0x170
+[12538.327936] assoc_array_subtree_iterate+0x97/0x280
+[12538.352154] keyring_read+0xe9/0x110
+[12538.370558] keyctl_read_key+0x1b9/0x220
+[12538.391470] do_syscall_64+0xa5/0x4b0
+[12538.410511] entry_SYSCALL_64_after_hwframe+0x6a/0xdf
+[12538.435535]
+[12538.435535] other info that might help us debug this:
+[12538.435535]
+[12538.472829] Chain exists of:
+[12538.472829] &mm->mmap_sem --> root_key_user.cons_lock --> &type->lock_class
+[12538.472829]
+[12538.524820] Possible unsafe locking scenario:
+[12538.524820]
+[12538.551431] CPU0 CPU1
+[12538.572654] ---- ----
+[12538.595865] lock(&type->lock_class);
+[12538.613737] lock(root_key_user.cons_lock);
+[12538.644234] lock(&type->lock_class);
+[12538.672410] lock(&mm->mmap_sem);
+[12538.687758]
+[12538.687758] *** DEADLOCK ***
+[12538.687758]
+[12538.714455] 1 lock held by keyctl/25598:
+[12538.732097] #0: 000000003de5b58d (&type->lock_class){++++}, at: keyctl_read_key+0x15a/0x220
+[12538.770573]
+[12538.770573] stack backtrace:
+[12538.790136] CPU: 2 PID: 25598 Comm: keyctl Kdump: loaded Tainted: G
+[12538.844855] Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9, BIOS P89 12/27/2015
+[12538.881963] Call Trace:
+[12538.892897] dump_stack+0x9a/0xf0
+[12538.907908] print_circular_bug.isra.25.cold.50+0x1bc/0x279
+[12538.932891] ? save_trace+0xd6/0x250
+[12538.948979] check_prev_add.constprop.32+0xc36/0x14f0
+[12538.971643] ? keyring_compare_object+0x104/0x190
+[12538.992738] ? check_usage+0x550/0x550
+[12539.009845] ? sched_clock+0x5/0x10
+[12539.025484] ? sched_clock_cpu+0x18/0x1e0
+[12539.043555] __lock_acquire+0x1f12/0x38d0
+[12539.061551] ? trace_hardirqs_on+0x10/0x10
+[12539.080554] lock_acquire+0x14c/0x420
+[12539.100330] ? __might_fault+0xc4/0x1b0
+[12539.119079] __might_fault+0x119/0x1b0
+[12539.135869] ? __might_fault+0xc4/0x1b0
+[12539.153234] keyring_read_iterator+0x7e/0x170
+[12539.172787] ? keyring_read+0x110/0x110
+[12539.190059] assoc_array_subtree_iterate+0x97/0x280
+[12539.211526] keyring_read+0xe9/0x110
+[12539.227561] ? keyring_gc_check_iterator+0xc0/0xc0
+[12539.249076] keyctl_read_key+0x1b9/0x220
+[12539.266660] do_syscall_64+0xa5/0x4b0
+[12539.283091] entry_SYSCALL_64_after_hwframe+0x6a/0xdf
+
+One way to prevent this deadlock scenario from happening is to not
+allow writing to userspace while holding the key semaphore. Instead,
+an internal buffer is allocated for getting the keys out from the
+read method first before copying them out to userspace without holding
+the lock.
+
+That requires taking out the __user modifier from all the relevant
+read methods as well as additional changes to not use any userspace
+write helpers. That is,
+
+ 1) The put_user() call is replaced by a direct copy.
+ 2) The copy_to_user() call is replaced by memcpy().
+ 3) All the fault handling code is removed.
+
+Compiling on a x86-64 system, the size of the rxrpc_read() function is
+reduced from 3795 bytes to 2384 bytes with this patch.
+
+Fixes: ^1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/keys/big_key-type.h | 2
+ include/keys/user-type.h | 3 -
+ include/linux/key-type.h | 2
+ net/dns_resolver/dns_key.c | 2
+ net/rxrpc/key.c | 27 +++--------
+ security/keys/big_key.c | 11 +---
+ security/keys/encrypted-keys/encrypted.c | 7 +-
+ security/keys/keyctl.c | 73 ++++++++++++++++++++++++-------
+ security/keys/keyring.c | 6 --
+ security/keys/request_key_auth.c | 7 +-
+ security/keys/trusted.c | 14 -----
+ security/keys/user_defined.c | 5 --
+ 12 files changed, 85 insertions(+), 74 deletions(-)
+
+--- a/include/keys/big_key-type.h
++++ b/include/keys/big_key-type.h
+@@ -17,6 +17,6 @@ extern void big_key_free_preparse(struct
+ extern void big_key_revoke(struct key *key);
+ extern void big_key_destroy(struct key *key);
+ extern void big_key_describe(const struct key *big_key, struct seq_file *m);
+-extern long big_key_read(const struct key *key, char __user *buffer, size_t buflen);
++extern long big_key_read(const struct key *key, char *buffer, size_t buflen);
+
+ #endif /* _KEYS_BIG_KEY_TYPE_H */
+--- a/include/keys/user-type.h
++++ b/include/keys/user-type.h
+@@ -41,8 +41,7 @@ extern int user_update(struct key *key,
+ extern void user_revoke(struct key *key);
+ extern void user_destroy(struct key *key);
+ extern void user_describe(const struct key *user, struct seq_file *m);
+-extern long user_read(const struct key *key,
+- char __user *buffer, size_t buflen);
++extern long user_read(const struct key *key, char *buffer, size_t buflen);
+
+ static inline const struct user_key_payload *user_key_payload_rcu(const struct key *key)
+ {
+--- a/include/linux/key-type.h
++++ b/include/linux/key-type.h
+@@ -127,7 +127,7 @@ struct key_type {
+ * much is copied into the buffer
+ * - shouldn't do the copy if the buffer is NULL
+ */
+- long (*read)(const struct key *key, char __user *buffer, size_t buflen);
++ long (*read)(const struct key *key, char *buffer, size_t buflen);
+
+ /* handle request_key() for this type instead of invoking
+ * /sbin/request-key (optional)
+--- a/net/dns_resolver/dns_key.c
++++ b/net/dns_resolver/dns_key.c
+@@ -302,7 +302,7 @@ static void dns_resolver_describe(const
+ * - the key's semaphore is read-locked
+ */
+ static long dns_resolver_read(const struct key *key,
+- char __user *buffer, size_t buflen)
++ char *buffer, size_t buflen)
+ {
+ int err = PTR_ERR(key->payload.data[dns_key_error]);
+
+--- a/net/rxrpc/key.c
++++ b/net/rxrpc/key.c
+@@ -31,7 +31,7 @@ static void rxrpc_free_preparse_s(struct
+ static void rxrpc_destroy(struct key *);
+ static void rxrpc_destroy_s(struct key *);
+ static void rxrpc_describe(const struct key *, struct seq_file *);
+-static long rxrpc_read(const struct key *, char __user *, size_t);
++static long rxrpc_read(const struct key *, char *, size_t);
+
+ /*
+ * rxrpc defined keys take an arbitrary string as the description and an
+@@ -1042,12 +1042,12 @@ EXPORT_SYMBOL(rxrpc_get_null_key);
+ * - this returns the result in XDR form
+ */
+ static long rxrpc_read(const struct key *key,
+- char __user *buffer, size_t buflen)
++ char *buffer, size_t buflen)
+ {
+ const struct rxrpc_key_token *token;
+ const struct krb5_principal *princ;
+ size_t size;
+- __be32 __user *xdr, *oldxdr;
++ __be32 *xdr, *oldxdr;
+ u32 cnlen, toksize, ntoks, tok, zero;
+ u16 toksizes[AFSTOKEN_MAX];
+ int loop;
+@@ -1124,30 +1124,25 @@ static long rxrpc_read(const struct key
+ if (!buffer || buflen < size)
+ return size;
+
+- xdr = (__be32 __user *) buffer;
++ xdr = (__be32 *)buffer;
+ zero = 0;
+ #define ENCODE(x) \
+ do { \
+- __be32 y = htonl(x); \
+- if (put_user(y, xdr++) < 0) \
+- goto fault; \
++ *xdr++ = htonl(x); \
+ } while(0)
+ #define ENCODE_DATA(l, s) \
+ do { \
+ u32 _l = (l); \
+ ENCODE(l); \
+- if (copy_to_user(xdr, (s), _l) != 0) \
+- goto fault; \
+- if (_l & 3 && \
+- copy_to_user((u8 __user *)xdr + _l, &zero, 4 - (_l & 3)) != 0) \
+- goto fault; \
++ memcpy(xdr, (s), _l); \
++ if (_l & 3) \
++ memcpy((u8 *)xdr + _l, &zero, 4 - (_l & 3)); \
+ xdr += (_l + 3) >> 2; \
+ } while(0)
+ #define ENCODE64(x) \
+ do { \
+ __be64 y = cpu_to_be64(x); \
+- if (copy_to_user(xdr, &y, 8) != 0) \
+- goto fault; \
++ memcpy(xdr, &y, 8); \
+ xdr += 8 >> 2; \
+ } while(0)
+ #define ENCODE_STR(s) \
+@@ -1238,8 +1233,4 @@ static long rxrpc_read(const struct key
+ ASSERTCMP((char __user *) xdr - buffer, ==, size);
+ _leave(" = %zu", size);
+ return size;
+-
+-fault:
+- _leave(" = -EFAULT");
+- return -EFAULT;
+ }
+--- a/security/keys/big_key.c
++++ b/security/keys/big_key.c
+@@ -352,7 +352,7 @@ void big_key_describe(const struct key *
+ * read the key data
+ * - the key's semaphore is read-locked
+ */
+-long big_key_read(const struct key *key, char __user *buffer, size_t buflen)
++long big_key_read(const struct key *key, char *buffer, size_t buflen)
+ {
+ size_t datalen = (size_t)key->payload.data[big_key_len];
+ long ret;
+@@ -391,9 +391,8 @@ long big_key_read(const struct key *key,
+
+ ret = datalen;
+
+- /* copy decrypted data to user */
+- if (copy_to_user(buffer, buf->virt, datalen) != 0)
+- ret = -EFAULT;
++ /* copy out decrypted data */
++ memcpy(buffer, buf->virt, datalen);
+
+ err_fput:
+ fput(file);
+@@ -401,9 +400,7 @@ error:
+ big_key_free_buffer(buf);
+ } else {
+ ret = datalen;
+- if (copy_to_user(buffer, key->payload.data[big_key_data],
+- datalen) != 0)
+- ret = -EFAULT;
++ memcpy(buffer, key->payload.data[big_key_data], datalen);
+ }
+
+ return ret;
+--- a/security/keys/encrypted-keys/encrypted.c
++++ b/security/keys/encrypted-keys/encrypted.c
+@@ -902,14 +902,14 @@ out:
+ }
+
+ /*
+- * encrypted_read - format and copy the encrypted data to userspace
++ * encrypted_read - format and copy out the encrypted data
+ *
+ * The resulting datablob format is:
+ * <master-key name> <decrypted data length> <encrypted iv> <encrypted data>
+ *
+ * On success, return to userspace the encrypted key datablob size.
+ */
+-static long encrypted_read(const struct key *key, char __user *buffer,
++static long encrypted_read(const struct key *key, char *buffer,
+ size_t buflen)
+ {
+ struct encrypted_key_payload *epayload;
+@@ -957,8 +957,7 @@ static long encrypted_read(const struct
+ key_put(mkey);
+ memzero_explicit(derived_key, sizeof(derived_key));
+
+- if (copy_to_user(buffer, ascii_buf, asciiblob_len) != 0)
+- ret = -EFAULT;
++ memcpy(buffer, ascii_buf, asciiblob_len);
+ kzfree(ascii_buf);
+
+ return asciiblob_len;
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -798,6 +798,21 @@ error:
+ }
+
+ /*
++ * Call the read method
++ */
++static long __keyctl_read_key(struct key *key, char *buffer, size_t buflen)
++{
++ long ret;
++
++ down_read(&key->sem);
++ ret = key_validate(key);
++ if (ret == 0)
++ ret = key->type->read(key, buffer, buflen);
++ up_read(&key->sem);
++ return ret;
++}
++
++/*
+ * Read a key's payload.
+ *
+ * The key must either grant the caller Read permission, or it must grant the
+@@ -812,26 +827,27 @@ long keyctl_read_key(key_serial_t keyid,
+ struct key *key;
+ key_ref_t key_ref;
+ long ret;
++ char *key_data;
+
+ /* find the key first */
+ key_ref = lookup_user_key(keyid, 0, 0);
+ if (IS_ERR(key_ref)) {
+ ret = -ENOKEY;
+- goto error;
++ goto out;
+ }
+
+ key = key_ref_to_ptr(key_ref);
+
+ ret = key_read_state(key);
+ if (ret < 0)
+- goto error2; /* Negatively instantiated */
++ goto key_put_out; /* Negatively instantiated */
+
+ /* see if we can read it directly */
+ ret = key_permission(key_ref, KEY_NEED_READ);
+ if (ret == 0)
+ goto can_read_key;
+ if (ret != -EACCES)
+- goto error2;
++ goto key_put_out;
+
+ /* we can't; see if it's searchable from this process's keyrings
+ * - we automatically take account of the fact that it may be
+@@ -839,26 +855,51 @@ long keyctl_read_key(key_serial_t keyid,
+ */
+ if (!is_key_possessed(key_ref)) {
+ ret = -EACCES;
+- goto error2;
++ goto key_put_out;
+ }
+
+ /* the key is probably readable - now try to read it */
+ can_read_key:
+- ret = -EOPNOTSUPP;
+- if (key->type->read) {
+- /* Read the data with the semaphore held (since we might sleep)
+- * to protect against the key being updated or revoked.
+- */
+- down_read(&key->sem);
+- ret = key_validate(key);
+- if (ret == 0)
+- ret = key->type->read(key, buffer, buflen);
+- up_read(&key->sem);
++ if (!key->type->read) {
++ ret = -EOPNOTSUPP;
++ goto key_put_out;
++ }
++
++ if (!buffer || !buflen) {
++ /* Get the key length from the read method */
++ ret = __keyctl_read_key(key, NULL, 0);
++ goto key_put_out;
++ }
++
++ /*
++ * Read the data with the semaphore held (since we might sleep)
++ * to protect against the key being updated or revoked.
++ *
++ * Allocating a temporary buffer to hold the keys before
++ * transferring them to user buffer to avoid potential
++ * deadlock involving page fault and mmap_sem.
++ */
++ key_data = kmalloc(buflen, GFP_KERNEL);
++
++ if (!key_data) {
++ ret = -ENOMEM;
++ goto key_put_out;
++ }
++ ret = __keyctl_read_key(key, key_data, buflen);
++
++ /*
++ * Read methods will just return the required length without
++ * any copying if the provided length isn't large enough.
++ */
++ if (ret > 0 && ret <= buflen) {
++ if (copy_to_user(buffer, key_data, ret))
++ ret = -EFAULT;
+ }
++ kzfree(key_data);
+
+-error2:
++key_put_out:
+ key_put(key);
+-error:
++out:
+ return ret;
+ }
+
+--- a/security/keys/keyring.c
++++ b/security/keys/keyring.c
+@@ -459,7 +459,6 @@ static int keyring_read_iterator(const v
+ {
+ struct keyring_read_iterator_context *ctx = data;
+ const struct key *key = keyring_ptr_to_key(object);
+- int ret;
+
+ kenter("{%s,%d},,{%zu/%zu}",
+ key->type->name, key->serial, ctx->count, ctx->buflen);
+@@ -467,10 +466,7 @@ static int keyring_read_iterator(const v
+ if (ctx->count >= ctx->buflen)
+ return 1;
+
+- ret = put_user(key->serial, ctx->buffer);
+- if (ret < 0)
+- return ret;
+- ctx->buffer++;
++ *ctx->buffer++ = key->serial;
+ ctx->count += sizeof(key->serial);
+ return 0;
+ }
+--- a/security/keys/request_key_auth.c
++++ b/security/keys/request_key_auth.c
+@@ -22,7 +22,7 @@ static int request_key_auth_instantiate(
+ static void request_key_auth_describe(const struct key *, struct seq_file *);
+ static void request_key_auth_revoke(struct key *);
+ static void request_key_auth_destroy(struct key *);
+-static long request_key_auth_read(const struct key *, char __user *, size_t);
++static long request_key_auth_read(const struct key *, char *, size_t);
+
+ /*
+ * The request-key authorisation key type definition.
+@@ -80,7 +80,7 @@ static void request_key_auth_describe(co
+ * - the key's semaphore is read-locked
+ */
+ static long request_key_auth_read(const struct key *key,
+- char __user *buffer, size_t buflen)
++ char *buffer, size_t buflen)
+ {
+ struct request_key_auth *rka = dereference_key_locked(key);
+ size_t datalen;
+@@ -97,8 +97,7 @@ static long request_key_auth_read(const
+ if (buflen > datalen)
+ buflen = datalen;
+
+- if (copy_to_user(buffer, rka->callout_info, buflen) != 0)
+- ret = -EFAULT;
++ memcpy(buffer, rka->callout_info, buflen);
+ }
+
+ return ret;
+--- a/security/keys/trusted.c
++++ b/security/keys/trusted.c
+@@ -1144,11 +1144,10 @@ out:
+ * trusted_read - copy the sealed blob data to userspace in hex.
+ * On success, return to userspace the trusted key datablob size.
+ */
+-static long trusted_read(const struct key *key, char __user *buffer,
++static long trusted_read(const struct key *key, char *buffer,
+ size_t buflen)
+ {
+ const struct trusted_key_payload *p;
+- char *ascii_buf;
+ char *bufp;
+ int i;
+
+@@ -1157,18 +1156,9 @@ static long trusted_read(const struct ke
+ return -EINVAL;
+
+ if (buffer && buflen >= 2 * p->blob_len) {
+- ascii_buf = kmalloc_array(2, p->blob_len, GFP_KERNEL);
+- if (!ascii_buf)
+- return -ENOMEM;
+-
+- bufp = ascii_buf;
++ bufp = buffer;
+ for (i = 0; i < p->blob_len; i++)
+ bufp = hex_byte_pack(bufp, p->blob[i]);
+- if (copy_to_user(buffer, ascii_buf, 2 * p->blob_len) != 0) {
+- kzfree(ascii_buf);
+- return -EFAULT;
+- }
+- kzfree(ascii_buf);
+ }
+ return 2 * p->blob_len;
+ }
+--- a/security/keys/user_defined.c
++++ b/security/keys/user_defined.c
+@@ -168,7 +168,7 @@ EXPORT_SYMBOL_GPL(user_describe);
+ * read the key data
+ * - the key's semaphore is read-locked
+ */
+-long user_read(const struct key *key, char __user *buffer, size_t buflen)
++long user_read(const struct key *key, char *buffer, size_t buflen)
+ {
+ const struct user_key_payload *upayload;
+ long ret;
+@@ -181,8 +181,7 @@ long user_read(const struct key *key, ch
+ if (buflen > upayload->datalen)
+ buflen = upayload->datalen;
+
+- if (copy_to_user(buffer, upayload->data, buflen) != 0)
+- ret = -EFAULT;
++ memcpy(buffer, upayload->data, buflen);
+ }
+
+ return ret;
--- /dev/null
+From 80c503e0e68fbe271680ab48f0fe29bc034b01b7 Mon Sep 17 00:00:00 2001
+From: "Paul E. McKenney" <paulmck@kernel.org>
+Date: Thu, 23 Jan 2020 09:19:01 -0800
+Subject: locktorture: Print ratio of acquisitions, not failures
+
+From: Paul E. McKenney <paulmck@kernel.org>
+
+commit 80c503e0e68fbe271680ab48f0fe29bc034b01b7 upstream.
+
+The __torture_print_stats() function in locktorture.c carefully
+initializes local variable "min" to statp[0].n_lock_acquired, but
+then compares it to statp[i].n_lock_fail. Given that the .n_lock_fail
+field should normally be zero, and given the initialization, it seems
+reasonable to display the maximum and minimum number acquisitions
+instead of miscomputing the maximum and minimum number of failures.
+This commit therefore switches from failures to acquisitions.
+
+And this turns out to be not only a day-zero bug, but entirely my
+own fault. I hate it when that happens!
+
+Fixes: 0af3fe1efa53 ("locktorture: Add a lock-torture kernel module")
+Reported-by: Will Deacon <will@kernel.org>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Acked-by: Will Deacon <will@kernel.org>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Josh Triplett <josh@joshtriplett.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/locking/locktorture.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/kernel/locking/locktorture.c
++++ b/kernel/locking/locktorture.c
+@@ -697,10 +697,10 @@ static void __torture_print_stats(char *
+ if (statp[i].n_lock_fail)
+ fail = true;
+ sum += statp[i].n_lock_acquired;
+- if (max < statp[i].n_lock_fail)
+- max = statp[i].n_lock_fail;
+- if (min > statp[i].n_lock_fail)
+- min = statp[i].n_lock_fail;
++ if (max < statp[i].n_lock_acquired)
++ max = statp[i].n_lock_acquired;
++ if (min > statp[i].n_lock_acquired)
++ min = statp[i].n_lock_acquired;
+ }
+ page += sprintf(page,
+ "%s: Total: %lld Max/Min: %ld/%ld %s Fail: %d %s\n",
--- /dev/null
+From 4da0ea71ea934af18db4c63396ba2af1a679ef02 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 28 Feb 2020 12:25:54 +0300
+Subject: mtd: lpddr: Fix a double free in probe()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 4da0ea71ea934af18db4c63396ba2af1a679ef02 upstream.
+
+This function is only called from lpddr_probe(). We free "lpddr" both
+here and in the caller, so it's a double free. The best place to free
+"lpddr" is in lpddr_probe() so let's delete this one.
+
+Fixes: 8dc004395d5e ("[MTD] LPDDR qinfo probing.")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20200228092554.o57igp3nqhyvf66t@kili.mountain
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/lpddr/lpddr_cmds.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/mtd/lpddr/lpddr_cmds.c
++++ b/drivers/mtd/lpddr/lpddr_cmds.c
+@@ -68,7 +68,6 @@ struct mtd_info *lpddr_cmdset(struct map
+ shared = kmalloc_array(lpddr->numchips, sizeof(struct flchip_shared),
+ GFP_KERNEL);
+ if (!shared) {
+- kfree(lpddr);
+ kfree(mtd);
+ return NULL;
+ }
--- /dev/null
+From 49c64df880570034308e4a9a49c4bc95cf8cdb33 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wenyang@linux.alibaba.com>
+Date: Wed, 18 Mar 2020 23:31:56 +0800
+Subject: mtd: phram: fix a double free issue in error path
+
+From: Wen Yang <wenyang@linux.alibaba.com>
+
+commit 49c64df880570034308e4a9a49c4bc95cf8cdb33 upstream.
+
+The variable 'name' is released multiple times in the error path,
+which may cause double free issues.
+This problem is avoided by adding a goto label to release the memory
+uniformly. And this change also makes the code a bit more cleaner.
+
+Fixes: 4f678a58d335 ("mtd: fix memory leaks in phram_setup")
+Signed-off-by: Wen Yang <wenyang@linux.alibaba.com>
+Cc: Joern Engel <joern@lazybastard.org>
+Cc: Miquel Raynal <miquel.raynal@bootlin.com>
+Cc: Richard Weinberger <richard@nod.at>
+Cc: Vignesh Raghavendra <vigneshr@ti.com>
+Cc: linux-mtd@lists.infradead.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20200318153156.25612-1-wenyang@linux.alibaba.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/devices/phram.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/mtd/devices/phram.c
++++ b/drivers/mtd/devices/phram.c
+@@ -243,22 +243,25 @@ static int phram_setup(const char *val)
+
+ ret = parse_num64(&start, token[1]);
+ if (ret) {
+- kfree(name);
+ parse_err("illegal start address\n");
++ goto error;
+ }
+
+ ret = parse_num64(&len, token[2]);
+ if (ret) {
+- kfree(name);
+ parse_err("illegal device length\n");
++ goto error;
+ }
+
+ ret = register_device(name, start, len);
+- if (!ret)
+- pr_info("%s device: %#llx at %#llx\n", name, len, start);
+- else
+- kfree(name);
++ if (ret)
++ goto error;
+
++ pr_info("%s device: %#llx at %#llx\n", name, len, start);
++ return 0;
++
++error:
++ kfree(name);
+ return ret;
+ }
+
--- /dev/null
+From 009264605cdf1b12962c3a46f75818d05452e890 Mon Sep 17 00:00:00 2001
+From: Christophe Kerello <christophe.kerello@st.com>
+Date: Thu, 23 Jan 2020 09:22:48 +0100
+Subject: mtd: rawnand: free the nand_device object
+
+From: Christophe Kerello <christophe.kerello@st.com>
+
+commit 009264605cdf1b12962c3a46f75818d05452e890 upstream.
+
+This patch releases the resources allocated in nanddev_init function.
+
+Fixes: a7ab085d7c16 ("mtd: rawnand: Initialize the nand_device object")
+Signed-off-by: Christophe Kerello <christophe.kerello@st.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/1579767768-32295-1-git-send-email-christophe.kerello@st.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/raw/nand_base.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mtd/nand/raw/nand_base.c
++++ b/drivers/mtd/nand/raw/nand_base.c
+@@ -5907,6 +5907,8 @@ void nand_cleanup(struct nand_chip *chip
+ chip->ecc.algo == NAND_ECC_BCH)
+ nand_bch_free((struct nand_bch_control *)chip->ecc.priv);
+
++ nanddev_cleanup(&chip->base);
++
+ /* Free bad block table memory */
+ kfree(chip->bbt);
+ kfree(chip->data_buf);
--- /dev/null
+From 621a7b780bd8b7054647d53d5071961f2c9e0873 Mon Sep 17 00:00:00 2001
+From: Frieder Schrempf <frieder.schrempf@kontron.de>
+Date: Tue, 18 Feb 2020 10:05:25 +0000
+Subject: mtd: spinand: Explicitly use MTD_OPS_RAW to write the bad block marker to OOB
+
+From: Frieder Schrempf <frieder.schrempf@kontron.de>
+
+commit 621a7b780bd8b7054647d53d5071961f2c9e0873 upstream.
+
+When writing the bad block marker to the OOB area the access mode
+should be set to MTD_OPS_RAW as it is done for reading the marker.
+Currently this only works because req.mode is initialized to
+MTD_OPS_PLACE_OOB (0) and spinand_write_to_cache_op() checks for
+req.mode != MTD_OPS_AUTO_OOB.
+
+Fix this by explicitly setting req.mode to MTD_OPS_RAW.
+
+Fixes: 7529df465248 ("mtd: nand: Add core infrastructure to support SPI NANDs")
+Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de>
+Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20200218100432.32433-3-frieder.schrempf@kontron.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/spi/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mtd/nand/spi/core.c
++++ b/drivers/mtd/nand/spi/core.c
+@@ -609,6 +609,7 @@ static int spinand_markbad(struct nand_d
+ .ooboffs = 0,
+ .ooblen = sizeof(marker),
+ .oobbuf.out = marker,
++ .mode = MTD_OPS_RAW,
+ };
+ int ret;
+
--- /dev/null
+From d0802dc411f469569a537283b6f3833af47aece9 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Mon, 30 Mar 2020 14:38:46 -0700
+Subject: net: dsa: bcm_sf2: Fix overflow checks
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+commit d0802dc411f469569a537283b6f3833af47aece9 upstream.
+
+Commit f949a12fd697 ("net: dsa: bcm_sf2: fix buffer overflow doing
+set_rxnfc") tried to fix the some user controlled buffer overflows in
+bcm_sf2_cfp_rule_set() and bcm_sf2_cfp_rule_del() but the fix was using
+CFP_NUM_RULES, which while it is correct not to overflow the bitmaps, is
+not representative of what the device actually supports. Correct that by
+using bcm_sf2_cfp_rule_size() instead.
+
+The latter subtracts the number of rules by 1, so change the checks from
+greater than or equal to greater than accordingly.
+
+Fixes: f949a12fd697 ("net: dsa: bcm_sf2: fix buffer overflow doing set_rxnfc")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/dsa/bcm_sf2_cfp.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/dsa/bcm_sf2_cfp.c
++++ b/drivers/net/dsa/bcm_sf2_cfp.c
+@@ -882,17 +882,14 @@ static int bcm_sf2_cfp_rule_set(struct d
+ fs->m_ext.data[1]))
+ return -EINVAL;
+
+- if (fs->location != RX_CLS_LOC_ANY && fs->location >= CFP_NUM_RULES)
++ if (fs->location != RX_CLS_LOC_ANY &&
++ fs->location > bcm_sf2_cfp_rule_size(priv))
+ return -EINVAL;
+
+ if (fs->location != RX_CLS_LOC_ANY &&
+ test_bit(fs->location, priv->cfp.used))
+ return -EBUSY;
+
+- if (fs->location != RX_CLS_LOC_ANY &&
+- fs->location > bcm_sf2_cfp_rule_size(priv))
+- return -EINVAL;
+-
+ ret = bcm_sf2_cfp_rule_cmp(priv, port, fs);
+ if (ret == 0)
+ return -EEXIST;
+@@ -973,7 +970,7 @@ static int bcm_sf2_cfp_rule_del(struct b
+ struct cfp_rule *rule;
+ int ret;
+
+- if (loc >= CFP_NUM_RULES)
++ if (loc > bcm_sf2_cfp_rule_size(priv))
+ return -EINVAL;
+
+ /* Refuse deleting unused rules, and those that are not unique since
iommu-amd-fix-the-configuration-of-gcr3-table-root-p.patch
f2fs-fix-to-wait-all-node-page-writeback.patch
drm-nouveau-gr-gp107-gp108-implement-workaround-for-.patch
+net-dsa-bcm_sf2-fix-overflow-checks.patch
+dma-debug-fix-displaying-of-dma-allocation-type.patch
+fbdev-potential-information-leak-in-do_fb_ioctl.patch
+arm-dts-sunxi-fix-de2-clocks-register-range.patch
+iio-si1133-read-24-bit-signed-integer-for-measurement.patch
+fbmem-adjust-indentation-in-fb_prepare_logo-and-fb_blank.patch
+tty-evh_bytechan-fix-out-of-bounds-accesses.patch
+locktorture-print-ratio-of-acquisitions-not-failures.patch
+mtd-rawnand-free-the-nand_device-object.patch
+mtd-spinand-explicitly-use-mtd_ops_raw-to-write-the-bad-block-marker-to-oob.patch
+docs-fix-path-to-mtd-command-line-partition-parser.patch
+mtd-lpddr-fix-a-double-free-in-probe.patch
+mtd-phram-fix-a-double-free-issue-in-error-path.patch
+keys-don-t-write-out-to-userspace-while-holding-key-semaphore.patch
+bpf-fix-buggy-r0-retval-refinement-for-tracing-helpers.patch
+bpf-test_verifier-bpf_get_stack-return-value-add-0.patch
+bpf-test_progs-add-test-to-catch-retval-refine-error-handling.patch
+bpf-test_verifier-switch-bpf_get_stack-s-0-s-r8-test.patch
--- /dev/null
+From 3670664b5da555a2a481449b3baafff113b0ac35 Mon Sep 17 00:00:00 2001
+From: Stephen Rothwell <sfr@canb.auug.org.au>
+Date: Thu, 9 Jan 2020 18:39:12 +1100
+Subject: tty: evh_bytechan: Fix out of bounds accesses
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Stephen Rothwell <sfr@canb.auug.org.au>
+
+commit 3670664b5da555a2a481449b3baafff113b0ac35 upstream.
+
+ev_byte_channel_send() assumes that its third argument is a 16 byte
+array. Some places where it is called it may not be (or we can't
+easily tell if it is). Newer compilers have started producing warnings
+about this, so make sure we actually pass a 16 byte array.
+
+There may be more elegant solutions to this, but the driver is quite
+old and hasn't been updated in many years.
+
+The warnings (from a powerpc allyesconfig build) are:
+
+ In file included from include/linux/byteorder/big_endian.h:5,
+ from arch/powerpc/include/uapi/asm/byteorder.h:14,
+ from include/asm-generic/bitops/le.h:6,
+ from arch/powerpc/include/asm/bitops.h:250,
+ from include/linux/bitops.h:29,
+ from include/linux/kernel.h:12,
+ from include/asm-generic/bug.h:19,
+ from arch/powerpc/include/asm/bug.h:109,
+ from include/linux/bug.h:5,
+ from include/linux/mmdebug.h:5,
+ from include/linux/gfp.h:5,
+ from include/linux/slab.h:15,
+ from drivers/tty/ehv_bytechan.c:24:
+ drivers/tty/ehv_bytechan.c: In function ‘ehv_bc_udbg_putc’:
+ arch/powerpc/include/asm/epapr_hcalls.h:298:20: warning: array subscript 1 is outside array bounds of ‘const char[1]’ [-Warray-bounds]
+ 298 | r6 = be32_to_cpu(p[1]);
+ include/uapi/linux/byteorder/big_endian.h:40:51: note: in definition of macro ‘__be32_to_cpu’
+ 40 | #define __be32_to_cpu(x) ((__force __u32)(__be32)(x))
+ | ^
+ arch/powerpc/include/asm/epapr_hcalls.h:298:7: note: in expansion of macro ‘be32_to_cpu’
+ 298 | r6 = be32_to_cpu(p[1]);
+ | ^~~~~~~~~~~
+ drivers/tty/ehv_bytechan.c:166:13: note: while referencing ‘data’
+ 166 | static void ehv_bc_udbg_putc(char c)
+ | ^~~~~~~~~~~~~~~~
+
+Fixes: dcd83aaff1c8 ("tty/powerpc: introduce the ePAPR embedded hypervisor byte channel driver")
+Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Tested-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
+[mpe: Trim warnings from change log]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200109183912.5fcb52aa@canb.auug.org.au
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/ehv_bytechan.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/ehv_bytechan.c
++++ b/drivers/tty/ehv_bytechan.c
+@@ -136,6 +136,21 @@ static int find_console_handle(void)
+ return 1;
+ }
+
++static unsigned int local_ev_byte_channel_send(unsigned int handle,
++ unsigned int *count,
++ const char *p)
++{
++ char buffer[EV_BYTE_CHANNEL_MAX_BYTES];
++ unsigned int c = *count;
++
++ if (c < sizeof(buffer)) {
++ memcpy(buffer, p, c);
++ memset(&buffer[c], 0, sizeof(buffer) - c);
++ p = buffer;
++ }
++ return ev_byte_channel_send(handle, count, p);
++}
++
+ /*************************** EARLY CONSOLE DRIVER ***************************/
+
+ #ifdef CONFIG_PPC_EARLY_DEBUG_EHV_BC
+@@ -154,7 +169,7 @@ static void byte_channel_spin_send(const
+
+ do {
+ count = 1;
+- ret = ev_byte_channel_send(CONFIG_PPC_EARLY_DEBUG_EHV_BC_HANDLE,
++ ret = local_ev_byte_channel_send(CONFIG_PPC_EARLY_DEBUG_EHV_BC_HANDLE,
+ &count, &data);
+ } while (ret == EV_EAGAIN);
+ }
+@@ -221,7 +236,7 @@ static int ehv_bc_console_byte_channel_s
+ while (count) {
+ len = min_t(unsigned int, count, EV_BYTE_CHANNEL_MAX_BYTES);
+ do {
+- ret = ev_byte_channel_send(handle, &len, s);
++ ret = local_ev_byte_channel_send(handle, &len, s);
+ } while (ret == EV_EAGAIN);
+ count -= len;
+ s += len;
+@@ -401,7 +416,7 @@ static void ehv_bc_tx_dequeue(struct ehv
+ CIRC_CNT_TO_END(bc->head, bc->tail, BUF_SIZE),
+ EV_BYTE_CHANNEL_MAX_BYTES);
+
+- ret = ev_byte_channel_send(bc->handle, &len, bc->buf + bc->tail);
++ ret = local_ev_byte_channel_send(bc->handle, &len, bc->buf + bc->tail);
+
+ /* 'len' is valid only if the return code is 0 or EV_EAGAIN */
+ if (!ret || (ret == EV_EAGAIN))
projects / thirdparty / kernel / stable-queue.git / commitdiff
