From f6eaf6c8e873b1568c13d65490fc046d2e9d5474 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 23 Dec 2020 16:00:52 +0100
Subject: [PATCH] 4.9-stable patches

added patches:
	md-fix-a-warning-caused-by-a-race-between-concurrent-md_ioctl-s.patch
	media-msi2500-assign-spi-bus-number-dynamically.patch
---
 ...a-race-between-concurrent-md_ioctl-s.patch | 75 +++++++++++++++++++
 ...00-assign-spi-bus-number-dynamically.patch | 34 +++++++++
 queue-4.9/series                              |  2 +
 3 files changed, 111 insertions(+)
 create mode 100644 queue-4.9/md-fix-a-warning-caused-by-a-race-between-concurrent-md_ioctl-s.patch
 create mode 100644 queue-4.9/media-msi2500-assign-spi-bus-number-dynamically.patch

diff --git a/queue-4.9/md-fix-a-warning-caused-by-a-race-between-concurrent-md_ioctl-s.patch b/queue-4.9/md-fix-a-warning-caused-by-a-race-between-concurrent-md_ioctl-s.patch
new file mode 100644
index 00000000000..7fce040a35a
--- /dev/null
+++ b/queue-4.9/md-fix-a-warning-caused-by-a-race-between-concurrent-md_ioctl-s.patch
@@ -0,0 +1,75 @@
+From c731b84b51bf7fe83448bea8f56a6d55006b0615 Mon Sep 17 00:00:00 2001
+From: "Dae R. Jeong" <dae.r.jeong@kaist.ac.kr>
+Date: Thu, 22 Oct 2020 10:21:28 +0900
+Subject: md: fix a warning caused by a race between concurrent md_ioctl()s
+
+From: Dae R. Jeong <dae.r.jeong@kaist.ac.kr>
+
+commit c731b84b51bf7fe83448bea8f56a6d55006b0615 upstream.
+
+Syzkaller reports a warning as belows.
+WARNING: CPU: 0 PID: 9647 at drivers/md/md.c:7169
+...
+Call Trace:
+...
+RIP: 0010:md_ioctl+0x4017/0x5980 drivers/md/md.c:7169
+RSP: 0018:ffff888096027950 EFLAGS: 00010293
+RAX: ffff88809322c380 RBX: 0000000000000932 RCX: ffffffff84e266f2
+RDX: 0000000000000000 RSI: ffffffff84e299f7 RDI: 0000000000000007
+RBP: ffff888096027bc0 R08: ffff88809322c380 R09: ffffed101341a482
+R10: ffff888096027940 R11: ffff88809a0d240f R12: 0000000000000932
+R13: ffff8880a2c14100 R14: ffff88809a0d2268 R15: ffff88809a0d2408
+ __blkdev_driver_ioctl block/ioctl.c:304 [inline]
+ blkdev_ioctl+0xece/0x1c10 block/ioctl.c:606
+ block_ioctl+0xee/0x130 fs/block_dev.c:1930
+ vfs_ioctl fs/ioctl.c:46 [inline]
+ file_ioctl fs/ioctl.c:509 [inline]
+ do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:696
+ ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
+ __do_sys_ioctl fs/ioctl.c:720 [inline]
+ __se_sys_ioctl fs/ioctl.c:718 [inline]
+ __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
+ do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+This is caused by a race between two concurrenct md_ioctl()s closing
+the array.
+CPU1 (md_ioctl())                   CPU2 (md_ioctl())
+------                              ------
+set_bit(MD_CLOSING, &mddev->flags);
+did_set_md_closing = true;
+                                    WARN_ON_ONCE(test_bit(MD_CLOSING,
+                                            &mddev->flags));
+if(did_set_md_closing)
+    clear_bit(MD_CLOSING, &mddev->flags);
+
+Fix the warning by returning immediately if the MD_CLOSING bit is set
+in &mddev->flags which indicates that the array is being closed.
+
+Fixes: 065e519e71b2 ("md: MD_CLOSING needs to be cleared after called md_set_readonly or do_md_stop")
+Reported-by: syzbot+1e46a0864c1a6e9bd3d8@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dae R. Jeong <dae.r.jeong@kaist.ac.kr>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/md.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -6857,8 +6857,11 @@ static int md_ioctl(struct block_device
+ 			err = -EBUSY;
+ 			goto out;
+ 		}
+-		WARN_ON_ONCE(test_bit(MD_CLOSING, &mddev->flags));
+-		set_bit(MD_CLOSING, &mddev->flags);
++		if (test_and_set_bit(MD_CLOSING, &mddev->flags)) {
++			mutex_unlock(&mddev->open_mutex);
++			err = -EBUSY;
++			goto out;
++		}
+ 		did_set_md_closing = true;
+ 		mutex_unlock(&mddev->open_mutex);
+ 		sync_blockdev(bdev);
diff --git a/queue-4.9/media-msi2500-assign-spi-bus-number-dynamically.patch b/queue-4.9/media-msi2500-assign-spi-bus-number-dynamically.patch
new file mode 100644
index 00000000000..58b1a216cbb
--- /dev/null
+++ b/queue-4.9/media-msi2500-assign-spi-bus-number-dynamically.patch
@@ -0,0 +1,34 @@
+From 9c60cc797cf72e95bb39f32316e9f0e5f85435f9 Mon Sep 17 00:00:00 2001
+From: Antti Palosaari <crope@iki.fi>
+Date: Sat, 17 Aug 2019 03:12:10 +0200
+Subject: media: msi2500: assign SPI bus number dynamically
+
+From: Antti Palosaari <crope@iki.fi>
+
+commit 9c60cc797cf72e95bb39f32316e9f0e5f85435f9 upstream.
+
+SPI bus number must be assigned dynamically for each device, otherwise it
+will crash when multiple devices are plugged to system.
+
+Reported-and-tested-by: syzbot+c60ddb60b685777d9d59@syzkaller.appspotmail.com
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Antti Palosaari <crope@iki.fi>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/msi2500/msi2500.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/msi2500/msi2500.c
++++ b/drivers/media/usb/msi2500/msi2500.c
+@@ -1250,7 +1250,7 @@ static int msi2500_probe(struct usb_inte
+ 	}
+ 
+ 	dev->master = master;
+-	master->bus_num = 0;
++	master->bus_num = -1;
+ 	master->num_chipselect = 1;
+ 	master->transfer_one_message = msi2500_transfer_one_message;
+ 	spi_master_set_devdata(master, dev);
diff --git a/queue-4.9/series b/queue-4.9/series
index f749d5fb7c8..9ad1c1a4c8c 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -44,3 +44,5 @@ arm-dts-exynos-fix-usb-3.0-vbus-control-and-over-current-pins-on-exynos5410.patc
 arm-dts-exynos-fix-usb-3.0-pins-supply-being-turned-off-on-odroid-xu.patch
 hid-i2c-hid-add-vero-k147-to-descriptor-override.patch
 serial_core-check-for-port-state-when-tty-is-in-error-state.patch
+media-msi2500-assign-spi-bus-number-dynamically.patch
+md-fix-a-warning-caused-by-a-race-between-concurrent-md_ioctl-s.patch
-- 
2.47.3