--- /dev/null
+From 15956689a0e60aa0c795174f3c310b60d8794235 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Fri, 3 Jul 2020 12:08:42 +0100
+Subject: arm64: compat: Ensure upper 32 bits of x0 are zero on syscall return
+
+From: Will Deacon <will@kernel.org>
+
+commit 15956689a0e60aa0c795174f3c310b60d8794235 upstream.
+
+Although we zero the upper bits of x0 on entry to the kernel from an
+AArch32 task, we do not clear them on the exception return path and can
+therefore expose 64-bit sign extended syscall return values to userspace
+via interfaces such as the 'perf_regs' ABI, which deal exclusively with
+64-bit registers.
+
+Explicitly clear the upper 32 bits of x0 on return from a compat system
+call.
+
+Cc: <stable@vger.kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Keno Fischer <keno@juliacomputing.com>
+Cc: Luis Machado <luis.machado@linaro.org>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/syscall.h | 12 +++++++++++-
+ arch/arm64/kernel/syscall.c | 3 +++
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/include/asm/syscall.h
++++ b/arch/arm64/include/asm/syscall.h
+@@ -34,6 +34,10 @@ static inline long syscall_get_error(str
+ struct pt_regs *regs)
+ {
+ unsigned long error = regs->regs[0];
++
++ if (is_compat_thread(task_thread_info(task)))
++ error = sign_extend64(error, 31);
++
+ return IS_ERR_VALUE(error) ? error : 0;
+ }
+
+@@ -47,7 +51,13 @@ static inline void syscall_set_return_va
+ struct pt_regs *regs,
+ int error, long val)
+ {
+- regs->regs[0] = (long) error ? error : val;
++ if (error)
++ val = error;
++
++ if (is_compat_thread(task_thread_info(task)))
++ val = lower_32_bits(val);
++
++ regs->regs[0] = val;
+ }
+
+ #define SYSCALL_MAX_ARGS 6
+--- a/arch/arm64/kernel/syscall.c
++++ b/arch/arm64/kernel/syscall.c
+@@ -50,6 +50,9 @@ static void invoke_syscall(struct pt_reg
+ ret = do_ni_syscall(regs, scno);
+ }
+
++ if (is_compat_task())
++ ret = lower_32_bits(ret);
++
+ regs->regs[0] = ret;
+ }
+
--- /dev/null
+From ac2081cdc4d99c57f219c1a6171526e0fa0a6fff Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Thu, 2 Jul 2020 21:16:20 +0100
+Subject: arm64: ptrace: Consistently use pseudo-singlestep exceptions
+
+From: Will Deacon <will@kernel.org>
+
+commit ac2081cdc4d99c57f219c1a6171526e0fa0a6fff upstream.
+
+Although the arm64 single-step state machine can be fast-forwarded in
+cases where we wish to generate a SIGTRAP without actually executing an
+instruction, this has two major limitations outside of simply skipping
+an instruction due to emulation.
+
+1. Stepping out of a ptrace signal stop into a signal handler where
+ SIGTRAP is blocked. Fast-forwarding the stepping state machine in
+ this case will result in a forced SIGTRAP, with the handler reset to
+ SIG_DFL.
+
+2. The hardware implicitly fast-forwards the state machine when executing
+ an SVC instruction for issuing a system call. This can interact badly
+ with subsequent ptrace stops signalled during the execution of the
+ system call (e.g. SYSCALL_EXIT or seccomp traps), as they may corrupt
+ the stepping state by updating the PSTATE for the tracee.
+
+Resolve both of these issues by injecting a pseudo-singlestep exception
+on entry to a signal handler and also on return to userspace following a
+system call.
+
+Cc: <stable@vger.kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Tested-by: Luis Machado <luis.machado@linaro.org>
+Reported-by: Keno Fischer <keno@juliacomputing.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/thread_info.h | 1 +
+ arch/arm64/kernel/ptrace.c | 27 ++++++++++++++++++++-------
+ arch/arm64/kernel/signal.c | 11 ++---------
+ arch/arm64/kernel/syscall.c | 2 +-
+ 4 files changed, 24 insertions(+), 17 deletions(-)
+
+--- a/arch/arm64/include/asm/thread_info.h
++++ b/arch/arm64/include/asm/thread_info.h
+@@ -91,6 +91,7 @@ void arch_release_task_struct(struct tas
+ #define _TIF_SYSCALL_EMU (1 << TIF_SYSCALL_EMU)
+ #define _TIF_UPROBE (1 << TIF_UPROBE)
+ #define _TIF_FSCHECK (1 << TIF_FSCHECK)
++#define _TIF_SINGLESTEP (1 << TIF_SINGLESTEP)
+ #define _TIF_32BIT (1 << TIF_32BIT)
+ #define _TIF_SVE (1 << TIF_SVE)
+
+--- a/arch/arm64/kernel/ptrace.c
++++ b/arch/arm64/kernel/ptrace.c
+@@ -1819,12 +1819,23 @@ static void tracehook_report_syscall(str
+ saved_reg = regs->regs[regno];
+ regs->regs[regno] = dir;
+
+- if (dir == PTRACE_SYSCALL_EXIT)
++ if (dir == PTRACE_SYSCALL_ENTER) {
++ if (tracehook_report_syscall_entry(regs))
++ forget_syscall(regs);
++ regs->regs[regno] = saved_reg;
++ } else if (!test_thread_flag(TIF_SINGLESTEP)) {
+ tracehook_report_syscall_exit(regs, 0);
+- else if (tracehook_report_syscall_entry(regs))
+- forget_syscall(regs);
+-
+- regs->regs[regno] = saved_reg;
++ regs->regs[regno] = saved_reg;
++ } else {
++ regs->regs[regno] = saved_reg;
++
++ /*
++ * Signal a pseudo-step exception since we are stepping but
++ * tracer modifications to the registers may have rewound the
++ * state machine.
++ */
++ tracehook_report_syscall_exit(regs, 1);
++ }
+ }
+
+ int syscall_trace_enter(struct pt_regs *regs)
+@@ -1852,12 +1863,14 @@ int syscall_trace_enter(struct pt_regs *
+
+ void syscall_trace_exit(struct pt_regs *regs)
+ {
++ unsigned long flags = READ_ONCE(current_thread_info()->flags);
++
+ audit_syscall_exit(regs);
+
+- if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
++ if (flags & _TIF_SYSCALL_TRACEPOINT)
+ trace_sys_exit(regs, regs_return_value(regs));
+
+- if (test_thread_flag(TIF_SYSCALL_TRACE))
++ if (flags & (_TIF_SYSCALL_TRACE | _TIF_SINGLESTEP))
+ tracehook_report_syscall(regs, PTRACE_SYSCALL_EXIT);
+
+ rseq_syscall(regs);
+--- a/arch/arm64/kernel/signal.c
++++ b/arch/arm64/kernel/signal.c
+@@ -782,7 +782,6 @@ static void setup_restart_syscall(struct
+ */
+ static void handle_signal(struct ksignal *ksig, struct pt_regs *regs)
+ {
+- struct task_struct *tsk = current;
+ sigset_t *oldset = sigmask_to_save();
+ int usig = ksig->sig;
+ int ret;
+@@ -806,14 +805,8 @@ static void handle_signal(struct ksignal
+ */
+ ret |= !valid_user_regs(®s->user_regs, current);
+
+- /*
+- * Fast forward the stepping logic so we step into the signal
+- * handler.
+- */
+- if (!ret)
+- user_fastforward_single_step(tsk);
+-
+- signal_setup_done(ret, ksig, 0);
++ /* Step into the signal handler if we are stepping */
++ signal_setup_done(ret, ksig, test_thread_flag(TIF_SINGLESTEP));
+ }
+
+ /*
+--- a/arch/arm64/kernel/syscall.c
++++ b/arch/arm64/kernel/syscall.c
+@@ -121,7 +121,7 @@ static void el0_svc_common(struct pt_reg
+ if (!has_syscall_work(flags) && !IS_ENABLED(CONFIG_DEBUG_RSEQ)) {
+ local_daif_mask();
+ flags = current_thread_info()->flags;
+- if (!has_syscall_work(flags)) {
++ if (!has_syscall_work(flags) && !(flags & _TIF_SINGLESTEP)) {
+ /*
+ * We're off to userspace, where interrupts are
+ * always enabled after we restore the flags from
--- /dev/null
+From 3a5a4366cecc25daa300b9a9174f7fdd352b9068 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Thu, 13 Feb 2020 12:06:26 +0000
+Subject: arm64: ptrace: Override SPSR.SS when single-stepping is enabled
+
+From: Will Deacon <will@kernel.org>
+
+commit 3a5a4366cecc25daa300b9a9174f7fdd352b9068 upstream.
+
+Luis reports that, when reverse debugging with GDB, single-step does not
+function as expected on arm64:
+
+ | I've noticed, under very specific conditions, that a PTRACE_SINGLESTEP
+ | request by GDB won't execute the underlying instruction. As a consequence,
+ | the PC doesn't move, but we return a SIGTRAP just like we would for a
+ | regular successful PTRACE_SINGLESTEP request.
+
+The underlying problem is that when the CPU register state is restored
+as part of a reverse step, the SPSR.SS bit is cleared and so the hardware
+single-step state can transition to the "active-pending" state, causing
+an unexpected step exception to be taken immediately if a step operation
+is attempted.
+
+In hindsight, we probably shouldn't have exposed SPSR.SS in the pstate
+accessible by the GPR regset, but it's a bit late for that now. Instead,
+simply prevent userspace from configuring the bit to a value which is
+inconsistent with the TIF_SINGLESTEP state for the task being traced.
+
+Cc: <stable@vger.kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Keno Fischer <keno@juliacomputing.com>
+Link: https://lore.kernel.org/r/1eed6d69-d53d-9657-1fc9-c089be07f98c@linaro.org
+Reported-by: Luis Machado <luis.machado@linaro.org>
+Tested-by: Luis Machado <luis.machado@linaro.org>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/debug-monitors.h | 2 ++
+ arch/arm64/kernel/debug-monitors.c | 20 ++++++++++++++++----
+ arch/arm64/kernel/ptrace.c | 4 ++--
+ 3 files changed, 20 insertions(+), 6 deletions(-)
+
+--- a/arch/arm64/include/asm/debug-monitors.h
++++ b/arch/arm64/include/asm/debug-monitors.h
+@@ -109,6 +109,8 @@ void disable_debug_monitors(enum dbg_act
+
+ void user_rewind_single_step(struct task_struct *task);
+ void user_fastforward_single_step(struct task_struct *task);
++void user_regs_reset_single_step(struct user_pt_regs *regs,
++ struct task_struct *task);
+
+ void kernel_enable_single_step(struct pt_regs *regs);
+ void kernel_disable_single_step(void);
+--- a/arch/arm64/kernel/debug-monitors.c
++++ b/arch/arm64/kernel/debug-monitors.c
+@@ -141,17 +141,20 @@ postcore_initcall(debug_monitors_init);
+ /*
+ * Single step API and exception handling.
+ */
+-static void set_regs_spsr_ss(struct pt_regs *regs)
++static void set_user_regs_spsr_ss(struct user_pt_regs *regs)
+ {
+ regs->pstate |= DBG_SPSR_SS;
+ }
+-NOKPROBE_SYMBOL(set_regs_spsr_ss);
++NOKPROBE_SYMBOL(set_user_regs_spsr_ss);
+
+-static void clear_regs_spsr_ss(struct pt_regs *regs)
++static void clear_user_regs_spsr_ss(struct user_pt_regs *regs)
+ {
+ regs->pstate &= ~DBG_SPSR_SS;
+ }
+-NOKPROBE_SYMBOL(clear_regs_spsr_ss);
++NOKPROBE_SYMBOL(clear_user_regs_spsr_ss);
++
++#define set_regs_spsr_ss(r) set_user_regs_spsr_ss(&(r)->user_regs)
++#define clear_regs_spsr_ss(r) clear_user_regs_spsr_ss(&(r)->user_regs)
+
+ static DEFINE_SPINLOCK(debug_hook_lock);
+ static LIST_HEAD(user_step_hook);
+@@ -404,6 +407,15 @@ void user_fastforward_single_step(struct
+ clear_regs_spsr_ss(task_pt_regs(task));
+ }
+
++void user_regs_reset_single_step(struct user_pt_regs *regs,
++ struct task_struct *task)
++{
++ if (test_tsk_thread_flag(task, TIF_SINGLESTEP))
++ set_user_regs_spsr_ss(regs);
++ else
++ clear_user_regs_spsr_ss(regs);
++}
++
+ /* Kernel API */
+ void kernel_enable_single_step(struct pt_regs *regs)
+ {
+--- a/arch/arm64/kernel/ptrace.c
++++ b/arch/arm64/kernel/ptrace.c
+@@ -1935,8 +1935,8 @@ static int valid_native_regs(struct user
+ */
+ int valid_user_regs(struct user_pt_regs *regs, struct task_struct *task)
+ {
+- if (!test_tsk_thread_flag(task, TIF_SINGLESTEP))
+- regs->pstate &= ~DBG_SPSR_SS;
++ /* https://lore.kernel.org/lkml/20191118131525.GA4180@willie-the-truck */
++ user_regs_reset_single_step(regs, task);
+
+ if (is_compat_thread(task_thread_info(task)))
+ return valid_compat_regs(regs);
--- /dev/null
+From e142087b15960a4e1e5932942e5abae1f49d2318 Mon Sep 17 00:00:00 2001
+From: Robin Gong <yibin.gong@nxp.com>
+Date: Tue, 30 Jun 2020 00:59:58 +0800
+Subject: dmaengine: fsl-edma-common: correct DSIZE_32BYTE
+
+From: Robin Gong <yibin.gong@nxp.com>
+
+commit e142087b15960a4e1e5932942e5abae1f49d2318 upstream.
+
+Correct EDMA_TCD_ATTR_DSIZE_32BYTE define since it's broken by the below:
+'0x0005 --> BIT(3) | BIT(0))'
+
+Fixes: 4d6d3a90e4ac ("dmaengine: fsl-edma: fix macros")
+Signed-off-by: Robin Gong <yibin.gong@nxp.com>
+Tested-by: Angelo Dureghello <angelo@sysam.it>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/1593449998-32091-1-git-send-email-yibin.gong@nxp.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/fsl-edma-common.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma/fsl-edma-common.h
++++ b/drivers/dma/fsl-edma-common.h
+@@ -33,7 +33,7 @@
+ #define EDMA_TCD_ATTR_DSIZE_16BIT BIT(0)
+ #define EDMA_TCD_ATTR_DSIZE_32BIT BIT(1)
+ #define EDMA_TCD_ATTR_DSIZE_64BIT (BIT(0) | BIT(1))
+-#define EDMA_TCD_ATTR_DSIZE_32BYTE (BIT(3) | BIT(0))
++#define EDMA_TCD_ATTR_DSIZE_32BYTE (BIT(2) | BIT(0))
+ #define EDMA_TCD_ATTR_SSIZE_8BIT 0
+ #define EDMA_TCD_ATTR_SSIZE_16BIT (EDMA_TCD_ATTR_DSIZE_16BIT << 8)
+ #define EDMA_TCD_ATTR_SSIZE_32BIT (EDMA_TCD_ATTR_DSIZE_32BIT << 8)
--- /dev/null
+From f5e5677c420346b4e9788051c2e4d750996c428c Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Thu, 11 Jun 2020 14:17:41 +0200
+Subject: dmaengine: fsl-edma: Fix NULL pointer exception in fsl_edma_tx_handler
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+commit f5e5677c420346b4e9788051c2e4d750996c428c upstream.
+
+NULL pointer exception happens occasionally on serial output initiated
+by login timeout. This was reproduced only if kernel was built with
+significant debugging options and EDMA driver is used with serial
+console.
+
+ col-vf50 login: root
+ Password:
+ Login timed out after 60 seconds.
+ Unable to handle kernel NULL pointer dereference at virtual address 00000044
+ Internal error: Oops: 5 [#1] ARM
+ CPU: 0 PID: 157 Comm: login Not tainted 5.7.0-next-20200610-dirty #4
+ Hardware name: Freescale Vybrid VF5xx/VF6xx (Device Tree)
+ (fsl_edma_tx_handler) from [<8016eb10>] (__handle_irq_event_percpu+0x64/0x304)
+ (__handle_irq_event_percpu) from [<8016eddc>] (handle_irq_event_percpu+0x2c/0x7c)
+ (handle_irq_event_percpu) from [<8016ee64>] (handle_irq_event+0x38/0x5c)
+ (handle_irq_event) from [<801729e4>] (handle_fasteoi_irq+0xa4/0x160)
+ (handle_fasteoi_irq) from [<8016ddcc>] (generic_handle_irq+0x34/0x44)
+ (generic_handle_irq) from [<8016e40c>] (__handle_domain_irq+0x54/0xa8)
+ (__handle_domain_irq) from [<80508bc8>] (gic_handle_irq+0x4c/0x80)
+ (gic_handle_irq) from [<80100af0>] (__irq_svc+0x70/0x98)
+ Exception stack(0x8459fe80 to 0x8459fec8)
+ fe80: 72286b00 e3359f64 00000001 0000412d a0070013 85c98840 85c98840 a0070013
+ fea0: 8054e0d4 00000000 00000002 00000000 00000002 8459fed0 8081fbe8 8081fbec
+ fec0: 60070013 ffffffff
+ (__irq_svc) from [<8081fbec>] (_raw_spin_unlock_irqrestore+0x30/0x58)
+ (_raw_spin_unlock_irqrestore) from [<8056cb48>] (uart_flush_buffer+0x88/0xf8)
+ (uart_flush_buffer) from [<80554e60>] (tty_ldisc_hangup+0x38/0x1ac)
+ (tty_ldisc_hangup) from [<8054c7f4>] (__tty_hangup+0x158/0x2bc)
+ (__tty_hangup) from [<80557b90>] (disassociate_ctty.part.1+0x30/0x23c)
+ (disassociate_ctty.part.1) from [<8011fc18>] (do_exit+0x580/0xba0)
+ (do_exit) from [<801214f8>] (do_group_exit+0x3c/0xb4)
+ (do_group_exit) from [<80121580>] (__wake_up_parent+0x0/0x14)
+
+Issue looks like race condition between interrupt handler fsl_edma_tx_handler()
+(called as result of fsl_edma_xfer_desc()) and terminating the transfer with
+fsl_edma_terminate_all().
+
+The fsl_edma_tx_handler() handles interrupt for a transfer with already freed
+edesc and idle==true.
+
+Fixes: d6be34fbd39b ("dma: Add Freescale eDMA engine driver support")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Reviewed-by: Robin Gong <yibin.gong@nxp.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/1591877861-28156-2-git-send-email-krzk@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/fsl-edma.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/dma/fsl-edma.c
++++ b/drivers/dma/fsl-edma.c
+@@ -45,6 +45,13 @@ static irqreturn_t fsl_edma_tx_handler(i
+ fsl_chan = &fsl_edma->chans[ch];
+
+ spin_lock(&fsl_chan->vchan.lock);
++
++ if (!fsl_chan->edesc) {
++ /* terminate_all called before */
++ spin_unlock(&fsl_chan->vchan.lock);
++ continue;
++ }
++
+ if (!fsl_chan->edesc->iscyclic) {
+ list_del(&fsl_chan->edesc->vdesc.node);
+ vchan_cookie_complete(&fsl_chan->edesc->vdesc);
--- /dev/null
+From 8995aa3d164ddd9200e6abcf25c449cf5298c858 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Thu, 11 Jun 2020 15:21:05 +0200
+Subject: dmaengine: mcf-edma: Fix NULL pointer exception in mcf_edma_tx_handler
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+commit 8995aa3d164ddd9200e6abcf25c449cf5298c858 upstream.
+
+On Toradex Colibri VF50 (Vybrid VF5xx) with fsl-edma driver NULL pointer
+exception happens occasionally on serial output initiated by login
+timeout.
+
+This was reproduced only if kernel was built with significant debugging
+options and EDMA driver is used with serial console.
+
+Issue looks like a race condition between interrupt handler
+fsl_edma_tx_handler() (called as a result of fsl_edma_xfer_desc()) and
+terminating the transfer with fsl_edma_terminate_all().
+
+The fsl_edma_tx_handler() handles interrupt for a transfer with already
+freed edesc and idle==true.
+
+The mcf-edma driver shares design and lot of code with fsl-edma. It
+looks like being affected by same problem. Fix this pattern the same
+way as fix for fsl-edma driver.
+
+Fixes: e7a3ff92eaf1 ("dmaengine: fsl-edma: add ColdFire mcf5441x edma support")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Reviewed-by: Robin Gong <yibin.gong@nxp.com>
+Link: https://lore.kernel.org/r/1591881665-25592-1-git-send-email-krzk@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/mcf-edma.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/dma/mcf-edma.c
++++ b/drivers/dma/mcf-edma.c
+@@ -35,6 +35,13 @@ static irqreturn_t mcf_edma_tx_handler(i
+ mcf_chan = &mcf_edma->chans[ch];
+
+ spin_lock(&mcf_chan->vchan.lock);
++
++ if (!mcf_chan->edesc) {
++ /* terminate_all called before */
++ spin_unlock(&mcf_chan->vchan.lock);
++ continue;
++ }
++
+ if (!mcf_chan->edesc->iscyclic) {
+ list_del(&mcf_chan->edesc->vdesc.node);
+ vchan_cookie_complete(&mcf_chan->edesc->vdesc);
--- /dev/null
+From 05051496b2622e4d12e2036b35165969aa502f89 Mon Sep 17 00:00:00 2001
+From: Xiaojie Yuan <xiaojie.yuan@amd.com>
+Date: Tue, 14 Jul 2020 15:47:31 +0800
+Subject: drm/amdgpu/sdma5: fix wptr overwritten in ->get_wptr()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xiaojie Yuan <xiaojie.yuan@amd.com>
+
+commit 05051496b2622e4d12e2036b35165969aa502f89 upstream.
+
+"u64 *wptr" points to the the wptr value in write back buffer and
+"*wptr = (*wptr) >> 2;" results in the value being overwritten each time
+when ->get_wptr() is called.
+
+umr uses /sys/kernel/debug/dri/0/amdgpu_ring_sdma0 to get rptr/wptr and
+decode ring content and it is affected by this issue.
+
+fix and simplify the logic similar as sdma_v4_0_ring_get_wptr().
+
+v2: fix for sdma5.2 as well
+v3: drop sdma 5.2 changes for 5.8 and stable
+
+Suggested-by: Le Ma <le.ma@amd.com>
+Signed-off-by: Xiaojie Yuan <xiaojie.yuan@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/sdma_v5_0.c | 26 ++++++++------------------
+ 1 file changed, 8 insertions(+), 18 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/sdma_v5_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v5_0.c
+@@ -286,30 +286,20 @@ static uint64_t sdma_v5_0_ring_get_rptr(
+ static uint64_t sdma_v5_0_ring_get_wptr(struct amdgpu_ring *ring)
+ {
+ struct amdgpu_device *adev = ring->adev;
+- u64 *wptr = NULL;
+- uint64_t local_wptr = 0;
++ u64 wptr;
+
+ if (ring->use_doorbell) {
+ /* XXX check if swapping is necessary on BE */
+- wptr = ((u64 *)&adev->wb.wb[ring->wptr_offs]);
+- DRM_DEBUG("wptr/doorbell before shift == 0x%016llx\n", *wptr);
+- *wptr = (*wptr) >> 2;
+- DRM_DEBUG("wptr/doorbell after shift == 0x%016llx\n", *wptr);
++ wptr = READ_ONCE(*((u64 *)&adev->wb.wb[ring->wptr_offs]));
++ DRM_DEBUG("wptr/doorbell before shift == 0x%016llx\n", wptr);
+ } else {
+- u32 lowbit, highbit;
+-
+- wptr = &local_wptr;
+- lowbit = RREG32(sdma_v5_0_get_reg_offset(adev, ring->me, mmSDMA0_GFX_RB_WPTR)) >> 2;
+- highbit = RREG32(sdma_v5_0_get_reg_offset(adev, ring->me, mmSDMA0_GFX_RB_WPTR_HI)) >> 2;
+-
+- DRM_DEBUG("wptr [%i]high== 0x%08x low==0x%08x\n",
+- ring->me, highbit, lowbit);
+- *wptr = highbit;
+- *wptr = (*wptr) << 32;
+- *wptr |= lowbit;
++ wptr = RREG32(sdma_v5_0_get_reg_offset(adev, ring->me, mmSDMA0_GFX_RB_WPTR_HI));
++ wptr = wptr << 32;
++ wptr |= RREG32(sdma_v5_0_get_reg_offset(adev, ring->me, mmSDMA0_GFX_RB_WPTR));
++ DRM_DEBUG("wptr before shift [%i] wptr == 0x%016llx\n", ring->me, wptr);
+ }
+
+- return *wptr;
++ return wptr >> 2;
+ }
+
+ /**
--- /dev/null
+From 858f1299fd6f7518ddef19ddd304c8398ac79fa5 Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Sat, 11 Jul 2020 21:32:36 +0100
+Subject: drm/i915/gt: Ignore irq enabling on the virtual engines
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+commit 858f1299fd6f7518ddef19ddd304c8398ac79fa5 upstream.
+
+We do not use the virtual engines for interrupts (they have physical
+components), but we do use them to decouple the fence signaling during
+submission. Currently, when we submit a completed request, we try to
+enable the interrupt handler for the virtual engine, but we never disarm
+it. A quick fix is then to mark the irq as enabled, and it will then
+remain enabled -- and this prevents us from waking the device and never
+letting it sleep again.
+
+Fixes: f8db4d051b5e ("drm/i915: Initialise breadcrumb lists on the virtual engine")
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Mika Kuoppala <mika.kuoppala@linux.intel.com>
+Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Cc: <stable@vger.kernel.org> # v5.5+
+Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200711203236.12330-1-chris@chris-wilson.co.uk
+(cherry picked from commit 4fe6abb8f51355224808ab02a9febf65d184c40b)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/gt/intel_lrc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/i915/gt/intel_lrc.c
++++ b/drivers/gpu/drm/i915/gt/intel_lrc.c
+@@ -3751,6 +3751,7 @@ intel_execlists_create_virtual(struct i9
+ intel_engine_init_active(&ve->base, ENGINE_VIRTUAL);
+
+ intel_engine_init_execlists(&ve->base);
++ ve->base.breadcrumbs.irq_armed = true; /* fake HW, used for irq_work */
+
+ ve->base.cops = &virtual_context_ops;
+ ve->base.request_alloc = execlists_request_alloc;
--- /dev/null
+From 31070f6ccec09f3bd4f1e28cd1e592fa4f3ba0b6 Mon Sep 17 00:00:00 2001
+From: Chirantan Ekbote <chirantan@chromium.org>
+Date: Tue, 14 Jul 2020 19:26:39 +0900
+Subject: fuse: Fix parameter for FS_IOC_{GET,SET}FLAGS
+
+From: Chirantan Ekbote <chirantan@chromium.org>
+
+commit 31070f6ccec09f3bd4f1e28cd1e592fa4f3ba0b6 upstream.
+
+The ioctl encoding for this parameter is a long but the documentation says
+it should be an int and the kernel drivers expect it to be an int. If the
+fuse driver treats this as a long it might end up scribbling over the stack
+of a userspace process that only allocated enough space for an int.
+
+This was previously discussed in [1] and a patch for fuse was proposed in
+[2]. From what I can tell the patch in [2] was nacked in favor of adding
+new, "fixed" ioctls and using those from userspace. However there is still
+no "fixed" version of these ioctls and the fact is that it's sometimes
+infeasible to change all userspace to use the new one.
+
+Handling the ioctls specially in the fuse driver seems like the most
+pragmatic way for fuse servers to support them without causing crashes in
+userspace applications that call them.
+
+[1]: https://lore.kernel.org/linux-fsdevel/20131126200559.GH20559@hall.aurel32.net/T/
+[2]: https://sourceforge.net/p/fuse/mailman/message/31771759/
+
+Signed-off-by: Chirantan Ekbote <chirantan@chromium.org>
+Fixes: 59efec7b9039 ("fuse: implement ioctl support")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/file.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -18,6 +18,7 @@
+ #include <linux/swap.h>
+ #include <linux/falloc.h>
+ #include <linux/uio.h>
++#include <linux/fs.h>
+
+ static struct page **fuse_pages_alloc(unsigned int npages, gfp_t flags,
+ struct fuse_page_desc **desc)
+@@ -2758,7 +2759,16 @@ long fuse_do_ioctl(struct file *file, un
+ struct iovec *iov = iov_page;
+
+ iov->iov_base = (void __user *)arg;
+- iov->iov_len = _IOC_SIZE(cmd);
++
++ switch (cmd) {
++ case FS_IOC_GETFLAGS:
++ case FS_IOC_SETFLAGS:
++ iov->iov_len = sizeof(int);
++ break;
++ default:
++ iov->iov_len = _IOC_SIZE(cmd);
++ break;
++ }
+
+ if (_IOC_DIR(cmd) & _IOC_WRITE) {
+ in_iov = iov;
--- /dev/null
+From e8b20a474cf2c42698d1942f939ff2128819f151 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Tue, 14 Jul 2020 14:45:41 +0200
+Subject: fuse: ignore 'data' argument of mount(..., MS_REMOUNT)
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit e8b20a474cf2c42698d1942f939ff2128819f151 upstream.
+
+The command
+
+ mount -o remount -o unknownoption /mnt/fuse
+
+succeeds on kernel versions prior to v5.4 and fails on kernel version at or
+after. This is because fuse_parse_param() rejects any unrecognised options
+in case of FS_CONTEXT_FOR_RECONFIGURE, just as for FS_CONTEXT_FOR_MOUNT.
+
+This causes a regression in case the fuse filesystem is in fstab, since
+remount sends all options found there to the kernel; even ones that are
+meant for the initial mount and are consumed by the userspace fuse server.
+
+Fix this by ignoring mount options, just as fuse_remount_fs() did prior to
+the conversion to the new API.
+
+Reported-by: Stefan Priebe <s.priebe@profihost.ag>
+Fixes: c30da2e981a7 ("fuse: convert to use the new mount API")
+Cc: <stable@vger.kernel.org> # v5.4
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/inode.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/fuse/inode.c
++++ b/fs/fuse/inode.c
+@@ -473,6 +473,13 @@ static int fuse_parse_param(struct fs_co
+ struct fuse_fs_context *ctx = fc->fs_private;
+ int opt;
+
++ /*
++ * Ignore options coming from mount(MS_REMOUNT) for backward
++ * compatibility.
++ */
++ if (fc->purpose == FS_CONTEXT_FOR_RECONFIGURE)
++ return 0;
++
+ opt = fs_parse(fc, &fuse_fs_parameters, param, &result);
+ if (opt < 0)
+ return opt;
--- /dev/null
+From 0189a2d367f49729622fdafaef5da73161591859 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Tue, 14 Jul 2020 14:45:41 +0200
+Subject: fuse: use ->reconfigure() instead of ->remount_fs()
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 0189a2d367f49729622fdafaef5da73161591859 upstream.
+
+s_op->remount_fs() is only called from legacy_reconfigure(), which is not
+used after being converted to the new API.
+
+Convert to using ->reconfigure(). This restores the previous behavior of
+syncing the filesystem and rejecting MS_MANDLOCK on remount.
+
+Fixes: c30da2e981a7 ("fuse: convert to use the new mount API")
+Cc: <stable@vger.kernel.org> # v5.4
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/inode.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/fs/fuse/inode.c
++++ b/fs/fuse/inode.c
+@@ -121,10 +121,12 @@ static void fuse_evict_inode(struct inod
+ }
+ }
+
+-static int fuse_remount_fs(struct super_block *sb, int *flags, char *data)
++static int fuse_reconfigure(struct fs_context *fc)
+ {
++ struct super_block *sb = fc->root->d_sb;
++
+ sync_filesystem(sb);
+- if (*flags & SB_MANDLOCK)
++ if (fc->sb_flags & SB_MANDLOCK)
+ return -EINVAL;
+
+ return 0;
+@@ -822,7 +824,6 @@ static const struct super_operations fus
+ .evict_inode = fuse_evict_inode,
+ .write_inode = fuse_write_inode,
+ .drop_inode = generic_delete_inode,
+- .remount_fs = fuse_remount_fs,
+ .put_super = fuse_put_super,
+ .umount_begin = fuse_umount_begin,
+ .statfs = fuse_statfs,
+@@ -1296,6 +1297,7 @@ static int fuse_get_tree(struct fs_conte
+ static const struct fs_context_operations fuse_context_ops = {
+ .free = fuse_free_fc,
+ .parse_param = fuse_parse_param,
++ .reconfigure = fuse_reconfigure,
+ .get_tree = fuse_get_tree,
+ };
+
--- /dev/null
+From baedb87d1b53532f81b4bd0387f83b05d4f7eb9a Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Fri, 17 Jul 2020 18:00:02 +0200
+Subject: genirq/affinity: Handle affinity setting on inactive interrupts correctly
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit baedb87d1b53532f81b4bd0387f83b05d4f7eb9a upstream.
+
+Setting interrupt affinity on inactive interrupts is inconsistent when
+hierarchical irq domains are enabled. The core code should just store the
+affinity and not call into the irq chip driver for inactive interrupts
+because the chip drivers may not be in a state to handle such requests.
+
+X86 has a hacky workaround for that but all other irq chips have not which
+causes problems e.g. on GIC V3 ITS.
+
+Instead of adding more ugly hacks all over the place, solve the problem in
+the core code. If the affinity is set on an inactive interrupt then:
+
+ - Store it in the irq descriptors affinity mask
+ - Update the effective affinity to reflect that so user space has
+ a consistent view
+ - Don't call into the irq chip driver
+
+This is the core equivalent of the X86 workaround and works correctly
+because the affinity setting is established in the irq chip when the
+interrupt is activated later on.
+
+Note, that this is only effective when hierarchical irq domains are enabled
+by the architecture. Doing it unconditionally would break legacy irq chip
+implementations.
+
+For hierarchial irq domains this works correctly as none of the drivers can
+have a dependency on affinity setting in inactive state by design.
+
+Remove the X86 workaround as it is not longer required.
+
+Fixes: 02edee152d6e ("x86/apic/vector: Ignore set_affinity call for inactive interrupts")
+Reported-by: Ali Saidi <alisaidi@amazon.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Ali Saidi <alisaidi@amazon.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20200529015501.15771-1-alisaidi@amazon.com
+Link: https://lkml.kernel.org/r/877dv2rv25.fsf@nanos.tec.linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/apic/vector.c | 22 +++++-----------------
+ kernel/irq/manage.c | 37 +++++++++++++++++++++++++++++++++++--
+ 2 files changed, 40 insertions(+), 19 deletions(-)
+
+--- a/arch/x86/kernel/apic/vector.c
++++ b/arch/x86/kernel/apic/vector.c
+@@ -446,12 +446,10 @@ static int x86_vector_activate(struct ir
+ trace_vector_activate(irqd->irq, apicd->is_managed,
+ apicd->can_reserve, reserve);
+
+- /* Nothing to do for fixed assigned vectors */
+- if (!apicd->can_reserve && !apicd->is_managed)
+- return 0;
+-
+ raw_spin_lock_irqsave(&vector_lock, flags);
+- if (reserve || irqd_is_managed_and_shutdown(irqd))
++ if (!apicd->can_reserve && !apicd->is_managed)
++ assign_irq_vector_any_locked(irqd);
++ else if (reserve || irqd_is_managed_and_shutdown(irqd))
+ vector_assign_managed_shutdown(irqd);
+ else if (apicd->is_managed)
+ ret = activate_managed(irqd);
+@@ -769,20 +767,10 @@ void lapic_offline(void)
+ static int apic_set_affinity(struct irq_data *irqd,
+ const struct cpumask *dest, bool force)
+ {
+- struct apic_chip_data *apicd = apic_chip_data(irqd);
+ int err;
+
+- /*
+- * Core code can call here for inactive interrupts. For inactive
+- * interrupts which use managed or reservation mode there is no
+- * point in going through the vector assignment right now as the
+- * activation will assign a vector which fits the destination
+- * cpumask. Let the core code store the destination mask and be
+- * done with it.
+- */
+- if (!irqd_is_activated(irqd) &&
+- (apicd->is_managed || apicd->can_reserve))
+- return IRQ_SET_MASK_OK;
++ if (WARN_ON_ONCE(!irqd_is_activated(irqd)))
++ return -EIO;
+
+ raw_spin_lock(&vector_lock);
+ cpumask_and(vector_searchmask, dest, cpu_online_mask);
+--- a/kernel/irq/manage.c
++++ b/kernel/irq/manage.c
+@@ -194,9 +194,9 @@ void irq_set_thread_affinity(struct irq_
+ set_bit(IRQTF_AFFINITY, &action->thread_flags);
+ }
+
++#ifdef CONFIG_GENERIC_IRQ_EFFECTIVE_AFF_MASK
+ static void irq_validate_effective_affinity(struct irq_data *data)
+ {
+-#ifdef CONFIG_GENERIC_IRQ_EFFECTIVE_AFF_MASK
+ const struct cpumask *m = irq_data_get_effective_affinity_mask(data);
+ struct irq_chip *chip = irq_data_get_irq_chip(data);
+
+@@ -204,9 +204,19 @@ static void irq_validate_effective_affin
+ return;
+ pr_warn_once("irq_chip %s did not update eff. affinity mask of irq %u\n",
+ chip->name, data->irq);
+-#endif
+ }
+
++static inline void irq_init_effective_affinity(struct irq_data *data,
++ const struct cpumask *mask)
++{
++ cpumask_copy(irq_data_get_effective_affinity_mask(data), mask);
++}
++#else
++static inline void irq_validate_effective_affinity(struct irq_data *data) { }
++static inline void irq_init_effective_affinity(struct irq_data *data,
++ const struct cpumask *mask) { }
++#endif
++
+ int irq_do_set_affinity(struct irq_data *data, const struct cpumask *mask,
+ bool force)
+ {
+@@ -265,6 +275,26 @@ static int irq_try_set_affinity(struct i
+ return ret;
+ }
+
++static bool irq_set_affinity_deactivated(struct irq_data *data,
++ const struct cpumask *mask, bool force)
++{
++ struct irq_desc *desc = irq_data_to_desc(data);
++
++ /*
++ * If the interrupt is not yet activated, just store the affinity
++ * mask and do not call the chip driver at all. On activation the
++ * driver has to make sure anyway that the interrupt is in a
++ * useable state so startup works.
++ */
++ if (!IS_ENABLED(CONFIG_IRQ_DOMAIN_HIERARCHY) || irqd_is_activated(data))
++ return false;
++
++ cpumask_copy(desc->irq_common_data.affinity, mask);
++ irq_init_effective_affinity(data, mask);
++ irqd_set(data, IRQD_AFFINITY_SET);
++ return true;
++}
++
+ int irq_set_affinity_locked(struct irq_data *data, const struct cpumask *mask,
+ bool force)
+ {
+@@ -275,6 +305,9 @@ int irq_set_affinity_locked(struct irq_d
+ if (!chip || !chip->irq_set_affinity)
+ return -EINVAL;
+
++ if (irq_set_affinity_deactivated(data, mask, force))
++ return 0;
++
+ if (irq_can_move_pcntxt(data) && !irqd_is_setaffinity_pending(data)) {
+ ret = irq_try_set_affinity(data, mask, force);
+ } else {
--- /dev/null
+From 14b0e83dc4f1e52b94acaeb85a18fd7fdd46d2dc Mon Sep 17 00:00:00 2001
+From: Vishwas M <vishwas.reddy.vr@gmail.com>
+Date: Tue, 7 Jul 2020 19:57:47 +0530
+Subject: hwmon: (emc2103) fix unable to change fan pwm1_enable attribute
+
+From: Vishwas M <vishwas.reddy.vr@gmail.com>
+
+commit 14b0e83dc4f1e52b94acaeb85a18fd7fdd46d2dc upstream.
+
+This patch fixes a bug which does not let FAN mode to be changed from
+sysfs(pwm1_enable). i.e pwm1_enable can not be set to 3, it will always
+remain at 0.
+
+This is caused because the device driver handles the result of
+"read_u8_from_i2c(client, REG_FAN_CONF1, &conf_reg)" incorrectly. The
+driver thinks an error has occurred if the (result != 0). This has been
+fixed by changing the condition to (result < 0).
+
+Signed-off-by: Vishwas M <vishwas.reddy.vr@gmail.com>
+Link: https://lore.kernel.org/r/20200707142747.118414-1-vishwas.reddy.vr@gmail.com
+Fixes: 9df7305b5a86 ("hwmon: Add driver for SMSC EMC2103 temperature monitor and fan controller")
+Cc: stable@vger.kernel.org
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwmon/emc2103.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwmon/emc2103.c
++++ b/drivers/hwmon/emc2103.c
+@@ -443,7 +443,7 @@ static ssize_t pwm1_enable_store(struct
+ }
+
+ result = read_u8_from_i2c(client, REG_FAN_CONF1, &conf_reg);
+- if (result) {
++ if (result < 0) {
+ count = result;
+ goto err;
+ }
--- /dev/null
+From a50ca29523b18baea548bdf5df9b4b923c2bb4f6 Mon Sep 17 00:00:00 2001
+From: Dave Wang <dave.wang@emc.com.tw>
+Date: Wed, 8 Jul 2020 22:25:03 -0700
+Subject: Input: elan_i2c - add more hardware ID for Lenovo laptops
+
+From: Dave Wang <dave.wang@emc.com.tw>
+
+commit a50ca29523b18baea548bdf5df9b4b923c2bb4f6 upstream.
+
+This adds more hardware IDs for Elan touchpads found in various Lenovo
+laptops.
+
+Signed-off-by: Dave Wang <dave.wang@emc.com.tw>
+Link: https://lore.kernel.org/r/000201d5a8bd$9fead3f0$dfc07bd0$@emc.com.tw
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/input/elan-i2c-ids.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/include/linux/input/elan-i2c-ids.h
++++ b/include/linux/input/elan-i2c-ids.h
+@@ -67,8 +67,15 @@ static const struct acpi_device_id elan_
+ { "ELAN062B", 0 },
+ { "ELAN062C", 0 },
+ { "ELAN062D", 0 },
++ { "ELAN062E", 0 }, /* Lenovo V340 Whiskey Lake U */
++ { "ELAN062F", 0 }, /* Lenovo V340 Comet Lake U */
+ { "ELAN0631", 0 },
+ { "ELAN0632", 0 },
++ { "ELAN0633", 0 }, /* Lenovo S145 */
++ { "ELAN0634", 0 }, /* Lenovo V340 Ice lake */
++ { "ELAN0635", 0 }, /* Lenovo V1415-IIL */
++ { "ELAN0636", 0 }, /* Lenovo V1415-Dali */
++ { "ELAN0637", 0 }, /* Lenovo V1415-IGLR */
+ { "ELAN1000", 0 },
+ { }
+ };
--- /dev/null
+From 17d51429da722cd8fc77a365a112f008abf4f8b3 Mon Sep 17 00:00:00 2001
+From: David Pedersen <limero1337@gmail.com>
+Date: Mon, 6 Jul 2020 18:48:51 -0700
+Subject: Input: i8042 - add Lenovo XiaoXin Air 12 to i8042 nomux list
+
+From: David Pedersen <limero1337@gmail.com>
+
+commit 17d51429da722cd8fc77a365a112f008abf4f8b3 upstream.
+
+This fixes two finger trackpad scroll on the Lenovo XiaoXin Air 12.
+Without nomux, the trackpad behaves as if only one finger is present and
+moves the cursor when trying to scroll.
+
+Signed-off-by: David Pedersen <limero1337@gmail.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20200625133754.291325-1-limero1337@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/serio/i8042-x86ia64io.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/input/serio/i8042-x86ia64io.h
++++ b/drivers/input/serio/i8042-x86ia64io.h
+@@ -426,6 +426,13 @@ static const struct dmi_system_id __init
+ },
+ },
+ {
++ /* Lenovo XiaoXin Air 12 */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "80UN"),
++ },
++ },
++ {
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Acer"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 1360"),
--- /dev/null
+From e78e1fdb282726beaf88aa75943682217e6ded0e Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Mon, 6 Jul 2020 19:13:39 +0300
+Subject: intel_th: Fix a NULL dereference when hub driver is not loaded
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit e78e1fdb282726beaf88aa75943682217e6ded0e upstream.
+
+Connecting master to an output port when GTH driver module is not loaded
+triggers a NULL dereference:
+
+> RIP: 0010:intel_th_set_output+0x35/0x70 [intel_th]
+> Call Trace:
+> ? sth_stm_link+0x12/0x20 [intel_th_sth]
+> stm_source_link_store+0x164/0x270 [stm_core]
+> dev_attr_store+0x17/0x30
+> sysfs_kf_write+0x3e/0x50
+> kernfs_fop_write+0xda/0x1b0
+> __vfs_write+0x1b/0x40
+> vfs_write+0xb9/0x1a0
+> ksys_write+0x67/0xe0
+> __x64_sys_write+0x1a/0x20
+> do_syscall_64+0x57/0x1d0
+> entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Make sure the module in question is loaded and return an error if not.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Fixes: 39f4034693b7c ("intel_th: Add driver infrastructure for Intel(R) Trace Hub devices")
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reported-by: Ammy Yi <ammy.yi@intel.com>
+Tested-by: Ammy Yi <ammy.yi@intel.com>
+Cc: stable@vger.kernel.org # v4.4
+Link: https://lore.kernel.org/r/20200706161339.55468-5-alexander.shishkin@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/intel_th/core.c | 21 ++++++++++++++++++---
+ drivers/hwtracing/intel_th/sth.c | 4 +---
+ 2 files changed, 19 insertions(+), 6 deletions(-)
+
+--- a/drivers/hwtracing/intel_th/core.c
++++ b/drivers/hwtracing/intel_th/core.c
+@@ -1021,15 +1021,30 @@ int intel_th_set_output(struct intel_th_
+ {
+ struct intel_th_device *hub = to_intel_th_hub(thdev);
+ struct intel_th_driver *hubdrv = to_intel_th_driver(hub->dev.driver);
++ int ret;
+
+ /* In host mode, this is up to the external debugger, do nothing. */
+ if (hub->host_mode)
+ return 0;
+
+- if (!hubdrv->set_output)
+- return -ENOTSUPP;
++ /*
++ * hub is instantiated together with the source device that
++ * calls here, so guaranteed to be present.
++ */
++ hubdrv = to_intel_th_driver(hub->dev.driver);
++ if (!hubdrv || !try_module_get(hubdrv->driver.owner))
++ return -EINVAL;
+
+- return hubdrv->set_output(hub, master);
++ if (!hubdrv->set_output) {
++ ret = -ENOTSUPP;
++ goto out;
++ }
++
++ ret = hubdrv->set_output(hub, master);
++
++out:
++ module_put(hubdrv->driver.owner);
++ return ret;
+ }
+ EXPORT_SYMBOL_GPL(intel_th_set_output);
+
+--- a/drivers/hwtracing/intel_th/sth.c
++++ b/drivers/hwtracing/intel_th/sth.c
+@@ -161,9 +161,7 @@ static int sth_stm_link(struct stm_data
+ {
+ struct sth_device *sth = container_of(stm_data, struct sth_device, stm);
+
+- intel_th_set_output(to_intel_th_device(sth->dev), master);
+-
+- return 0;
++ return intel_th_set_output(to_intel_th_device(sth->dev), master);
+ }
+
+ static int intel_th_sw_init(struct sth_device *sth)
--- /dev/null
+From fd73d74a32bfaaf259441322cc5a1c83caaa94f2 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Mon, 6 Jul 2020 19:13:38 +0300
+Subject: intel_th: pci: Add Emmitsburg PCH support
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit fd73d74a32bfaaf259441322cc5a1c83caaa94f2 upstream.
+
+This adds support for the Trace Hub in Emmitsburg PCH.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: stable@vger.kernel.org # v4.14+
+Link: https://lore.kernel.org/r/20200706161339.55468-4-alexander.shishkin@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/intel_th/pci.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/hwtracing/intel_th/pci.c
++++ b/drivers/hwtracing/intel_th/pci.c
+@@ -254,6 +254,11 @@ static const struct pci_device_id intel_
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x4b26),
+ .driver_data = (kernel_ulong_t)&intel_th_2x,
+ },
++ {
++ /* Emmitsburg PCH */
++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x1bcc),
++ .driver_data = (kernel_ulong_t)&intel_th_2x,
++ },
+ { 0 },
+ };
+
--- /dev/null
+From 203c1f615052921901b7a8fbe2005d8ea6add076 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Mon, 6 Jul 2020 19:13:36 +0300
+Subject: intel_th: pci: Add Jasper Lake CPU support
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit 203c1f615052921901b7a8fbe2005d8ea6add076 upstream.
+
+This adds support for the Trace Hub in Jasper Lake CPU.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: stable@vger.kernel.org # v4.14+
+Link: https://lore.kernel.org/r/20200706161339.55468-2-alexander.shishkin@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/intel_th/pci.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/hwtracing/intel_th/pci.c
++++ b/drivers/hwtracing/intel_th/pci.c
+@@ -235,6 +235,11 @@ static const struct pci_device_id intel_
+ .driver_data = (kernel_ulong_t)&intel_th_2x,
+ },
+ {
++ /* Jasper Lake CPU */
++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x4e29),
++ .driver_data = (kernel_ulong_t)&intel_th_2x,
++ },
++ {
+ /* Elkhart Lake CPU */
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x4529),
+ .driver_data = (kernel_ulong_t)&intel_th_2x,
--- /dev/null
+From 6227585dc7b6a5405fc08dc322f98cb95e2f0eb4 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Mon, 6 Jul 2020 19:13:37 +0300
+Subject: intel_th: pci: Add Tiger Lake PCH-H support
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit 6227585dc7b6a5405fc08dc322f98cb95e2f0eb4 upstream.
+
+This adds support for the Trace Hub in Tiger Lake PCH-H.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: stable@vger.kernel.org # v4.14+
+Link: https://lore.kernel.org/r/20200706161339.55468-3-alexander.shishkin@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/intel_th/pci.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/hwtracing/intel_th/pci.c
++++ b/drivers/hwtracing/intel_th/pci.c
+@@ -230,6 +230,11 @@ static const struct pci_device_id intel_
+ .driver_data = (kernel_ulong_t)&intel_th_2x,
+ },
+ {
++ /* Tiger Lake PCH-H */
++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x43a6),
++ .driver_data = (kernel_ulong_t)&intel_th_2x,
++ },
++ {
+ /* Jasper Lake PCH */
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x4da6),
+ .driver_data = (kernel_ulong_t)&intel_th_2x,
--- /dev/null
+From e852c2c251ed9c23ae6e3efebc5ec49adb504207 Mon Sep 17 00:00:00 2001
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+Date: Mon, 29 Jun 2020 01:53:59 +0300
+Subject: mei: bus: don't clean driver pointer
+
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+
+commit e852c2c251ed9c23ae6e3efebc5ec49adb504207 upstream.
+
+It's not needed to set driver to NULL in mei_cl_device_remove()
+which is bus_type remove() handler as this is done anyway
+in __device_release_driver().
+
+Actually this is causing an endless loop in driver_detach()
+on ubuntu patched kernel, while removing (rmmod) the mei_hdcp module.
+The reason list_empty(&drv->p->klist_devices.k_list) is always not-empty.
+as the check is always true in __device_release_driver()
+ if (dev->driver != drv)
+ return;
+
+The non upstream patch is causing this behavior, titled:
+'vfio -- release device lock before userspace requests'
+
+Nevertheless the fix is correct also for the upstream.
+
+Link: https://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20180912085046.3401-2-apw@canonical.com/
+Cc: <stable@vger.kernel.org>
+Cc: Andy Whitcroft <apw@canonical.com>
+Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Link: https://lore.kernel.org/r/20200628225359.2185929-1-tomas.winkler@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/mei/bus.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/misc/mei/bus.c
++++ b/drivers/misc/mei/bus.c
+@@ -745,9 +745,8 @@ static int mei_cl_device_remove(struct d
+
+ mei_cl_bus_module_put(cldev);
+ module_put(THIS_MODULE);
+- dev->driver = NULL;
+- return ret;
+
++ return ret;
+ }
+
+ static ssize_t name_show(struct device *dev, struct device_attribute *a,
--- /dev/null
+From b037d60a3b1d1227609fd858fa34321f41829911 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20Miros=C5=82aw?= <mirq-linux@rere.qmqm.pl>
+Date: Wed, 24 Jun 2020 13:35:41 +0200
+Subject: misc: atmel-ssc: lock with mutex instead of spinlock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+
+commit b037d60a3b1d1227609fd858fa34321f41829911 upstream.
+
+Uninterruptible context is not needed in the driver and causes lockdep
+warning because of mutex taken in of_alias_get_id(). Convert the lock to
+mutex to avoid the issue.
+
+Cc: stable@vger.kernel.org
+Fixes: 099343c64e16 ("ARM: at91: atmel-ssc: add device tree support")
+Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+Link: https://lore.kernel.org/r/50f0d7fa107f318296afb49477c3571e4d6978c5.1592998403.git.mirq-linux@rere.qmqm.pl
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/atmel-ssc.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+--- a/drivers/misc/atmel-ssc.c
++++ b/drivers/misc/atmel-ssc.c
+@@ -10,7 +10,7 @@
+ #include <linux/clk.h>
+ #include <linux/err.h>
+ #include <linux/io.h>
+-#include <linux/spinlock.h>
++#include <linux/mutex.h>
+ #include <linux/atmel-ssc.h>
+ #include <linux/slab.h>
+ #include <linux/module.h>
+@@ -20,7 +20,7 @@
+ #include "../../sound/soc/atmel/atmel_ssc_dai.h"
+
+ /* Serialize access to ssc_list and user count */
+-static DEFINE_SPINLOCK(user_lock);
++static DEFINE_MUTEX(user_lock);
+ static LIST_HEAD(ssc_list);
+
+ struct ssc_device *ssc_request(unsigned int ssc_num)
+@@ -28,7 +28,7 @@ struct ssc_device *ssc_request(unsigned
+ int ssc_valid = 0;
+ struct ssc_device *ssc;
+
+- spin_lock(&user_lock);
++ mutex_lock(&user_lock);
+ list_for_each_entry(ssc, &ssc_list, list) {
+ if (ssc->pdev->dev.of_node) {
+ if (of_alias_get_id(ssc->pdev->dev.of_node, "ssc")
+@@ -44,18 +44,18 @@ struct ssc_device *ssc_request(unsigned
+ }
+
+ if (!ssc_valid) {
+- spin_unlock(&user_lock);
++ mutex_unlock(&user_lock);
+ pr_err("ssc: ssc%d platform device is missing\n", ssc_num);
+ return ERR_PTR(-ENODEV);
+ }
+
+ if (ssc->user) {
+- spin_unlock(&user_lock);
++ mutex_unlock(&user_lock);
+ dev_dbg(&ssc->pdev->dev, "module busy\n");
+ return ERR_PTR(-EBUSY);
+ }
+ ssc->user++;
+- spin_unlock(&user_lock);
++ mutex_unlock(&user_lock);
+
+ clk_prepare(ssc->clk);
+
+@@ -67,14 +67,14 @@ void ssc_free(struct ssc_device *ssc)
+ {
+ bool disable_clk = true;
+
+- spin_lock(&user_lock);
++ mutex_lock(&user_lock);
+ if (ssc->user)
+ ssc->user--;
+ else {
+ disable_clk = false;
+ dev_dbg(&ssc->pdev->dev, "device already free\n");
+ }
+- spin_unlock(&user_lock);
++ mutex_unlock(&user_lock);
+
+ if (disable_clk)
+ clk_unprepare(ssc->clk);
+@@ -237,9 +237,9 @@ static int ssc_probe(struct platform_dev
+ return -ENXIO;
+ }
+
+- spin_lock(&user_lock);
++ mutex_lock(&user_lock);
+ list_add_tail(&ssc->list, &ssc_list);
+- spin_unlock(&user_lock);
++ mutex_unlock(&user_lock);
+
+ platform_set_drvdata(pdev, ssc);
+
+@@ -258,9 +258,9 @@ static int ssc_remove(struct platform_de
+
+ ssc_sound_dai_remove(ssc);
+
+- spin_lock(&user_lock);
++ mutex_lock(&user_lock);
+ list_del(&ssc->list);
+- spin_unlock(&user_lock);
++ mutex_unlock(&user_lock);
+
+ return 0;
+ }
--- /dev/null
+From 81a33c1ee941c3bb9ffc6bac8f676be13351344e Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Thu, 18 Jun 2020 18:43:53 +0300
+Subject: ovl: fix unneeded call to ovl_change_flags()
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit 81a33c1ee941c3bb9ffc6bac8f676be13351344e upstream.
+
+The check if user has changed the overlay file was wrong, causing unneeded
+call to ovl_change_flags() including taking f_lock on every file access.
+
+Fixes: d989903058a8 ("ovl: do not generate duplicate fsnotify events for "fake" path")
+Cc: <stable@vger.kernel.org> # v4.19+
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/file.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/fs/overlayfs/file.c
++++ b/fs/overlayfs/file.c
+@@ -21,13 +21,16 @@ static char ovl_whatisit(struct inode *i
+ return 'm';
+ }
+
++/* No atime modificaton nor notify on underlying */
++#define OVL_OPEN_FLAGS (O_NOATIME | FMODE_NONOTIFY)
++
+ static struct file *ovl_open_realfile(const struct file *file,
+ struct inode *realinode)
+ {
+ struct inode *inode = file_inode(file);
+ struct file *realfile;
+ const struct cred *old_cred;
+- int flags = file->f_flags | O_NOATIME | FMODE_NONOTIFY;
++ int flags = file->f_flags | OVL_OPEN_FLAGS;
+
+ old_cred = ovl_override_creds(inode->i_sb);
+ realfile = open_with_fake_path(&file->f_path, flags, realinode,
+@@ -48,8 +51,7 @@ static int ovl_change_flags(struct file
+ struct inode *inode = file_inode(file);
+ int err;
+
+- /* No atime modificaton on underlying */
+- flags |= O_NOATIME | FMODE_NONOTIFY;
++ flags |= OVL_OPEN_FLAGS;
+
+ /* If some flag changed that cannot be changed then something's amiss */
+ if (WARN_ON((file->f_flags ^ flags) & ~OVL_SETFL_MASK))
+@@ -102,7 +104,7 @@ static int ovl_real_fdget_meta(const str
+ }
+
+ /* Did the flags change since open? */
+- if (unlikely((file->f_flags ^ real->file->f_flags) & ~O_NOATIME))
++ if (unlikely((file->f_flags ^ real->file->f_flags) & ~OVL_OPEN_FLAGS))
+ return ovl_change_flags(real->file, file->f_flags);
+
+ return 0;
--- /dev/null
+From 24f14009b8f1754ec2ae4c168940c01259b0f88a Mon Sep 17 00:00:00 2001
+From: youngjun <her0gyugyu@gmail.com>
+Date: Tue, 16 Jun 2020 17:30:43 +0900
+Subject: ovl: inode reference leak in ovl_is_inuse true case.
+
+From: youngjun <her0gyugyu@gmail.com>
+
+commit 24f14009b8f1754ec2ae4c168940c01259b0f88a upstream.
+
+When "ovl_is_inuse" true case, trap inode reference not put. plus adding
+the comment explaining sequence of ovl_is_inuse after ovl_setup_trap.
+
+Fixes: 0be0bfd2de9d ("ovl: fix regression caused by overlapping layers detection")
+Cc: <stable@vger.kernel.org> # v4.19+
+Reviewed-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: youngjun <her0gyugyu@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/super.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -1356,14 +1356,23 @@ static int ovl_get_lower_layers(struct s
+ if (err < 0)
+ goto out;
+
++ /*
++ * Check if lower root conflicts with this overlay layers before
++ * checking if it is in-use as upperdir/workdir of "another"
++ * mount, because we do not bother to check in ovl_is_inuse() if
++ * the upperdir/workdir is in fact in-use by our
++ * upperdir/workdir.
++ */
+ err = ovl_setup_trap(sb, stack[i].dentry, &trap, "lowerdir");
+ if (err)
+ goto out;
+
+ if (ovl_is_inuse(stack[i].dentry)) {
+ err = ovl_report_in_use(ofs, "lowerdir");
+- if (err)
++ if (err) {
++ iput(trap);
+ goto out;
++ }
+ }
+
+ mnt = clone_private_mount(&stack[i]);
--- /dev/null
+From 124c2de2c0aee96271e4ddab190083d8aa7aa71a Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Wed, 17 Jun 2020 09:57:11 +0300
+Subject: ovl: relax WARN_ON() when decoding lower directory file handle
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit 124c2de2c0aee96271e4ddab190083d8aa7aa71a upstream.
+
+Decoding a lower directory file handle to overlay path with cold
+inode/dentry cache may go as follows:
+
+1. Decode real lower file handle to lower dir path
+2. Check if lower dir is indexed (was copied up)
+3. If indexed, get the upper dir path from index
+4. Lookup upper dir path in overlay
+5. If overlay path found, verify that overlay lower is the lower dir
+ from step 1
+
+On failure to verify step 5 above, user will get an ESTALE error and a
+WARN_ON will be printed.
+
+A mismatch in step 5 could be a result of lower directory that was renamed
+while overlay was offline, after that lower directory has been copied up
+and indexed.
+
+This is a scripted reproducer based on xfstest overlay/052:
+
+ # Create lower subdir
+ create_dirs
+ create_test_files $lower/lowertestdir/subdir
+ mount_dirs
+ # Copy up lower dir and encode lower subdir file handle
+ touch $SCRATCH_MNT/lowertestdir
+ test_file_handles $SCRATCH_MNT/lowertestdir/subdir -p -o $tmp.fhandle
+ # Rename lower dir offline
+ unmount_dirs
+ mv $lower/lowertestdir $lower/lowertestdir.new/
+ mount_dirs
+ # Attempt to decode lower subdir file handle
+ test_file_handles $SCRATCH_MNT -p -i $tmp.fhandle
+
+Since this WARN_ON() can be triggered by user we need to relax it.
+
+Fixes: 4b91c30a5a19 ("ovl: lookup connected ancestor of dir in inode cache")
+Cc: <stable@vger.kernel.org> # v4.16+
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/export.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/overlayfs/export.c
++++ b/fs/overlayfs/export.c
+@@ -482,7 +482,7 @@ static struct dentry *ovl_lookup_real_in
+ if (IS_ERR_OR_NULL(this))
+ return this;
+
+- if (WARN_ON(ovl_dentry_real_at(this, layer->idx) != real)) {
++ if (ovl_dentry_real_at(this, layer->idx) != real) {
+ dput(this);
+ this = ERR_PTR(-EIO);
+ }
--- /dev/null
+From 192b6a780598976feb7321ff007754f8511a4129 Mon Sep 17 00:00:00 2001
+From: "Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com>
+Date: Sun, 12 Jul 2020 18:50:47 +0530
+Subject: powerpc/book3s64/pkeys: Fix pkey_access_permitted() for execute disable pkey
+
+From: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+
+commit 192b6a780598976feb7321ff007754f8511a4129 upstream.
+
+Even if the IAMR value denies execute access, the current code returns
+true from pkey_access_permitted() for an execute permission check, if
+the AMR read pkey bit is cleared.
+
+This results in repeated page fault loop with a test like below:
+
+ #define _GNU_SOURCE
+ #include <errno.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <signal.h>
+ #include <inttypes.h>
+
+ #include <assert.h>
+ #include <malloc.h>
+ #include <unistd.h>
+ #include <pthread.h>
+ #include <sys/mman.h>
+
+ #ifdef SYS_pkey_mprotect
+ #undef SYS_pkey_mprotect
+ #endif
+
+ #ifdef SYS_pkey_alloc
+ #undef SYS_pkey_alloc
+ #endif
+
+ #ifdef SYS_pkey_free
+ #undef SYS_pkey_free
+ #endif
+
+ #undef PKEY_DISABLE_EXECUTE
+ #define PKEY_DISABLE_EXECUTE 0x4
+
+ #define SYS_pkey_mprotect 386
+ #define SYS_pkey_alloc 384
+ #define SYS_pkey_free 385
+
+ #define PPC_INST_NOP 0x60000000
+ #define PPC_INST_BLR 0x4e800020
+ #define PROT_RWX (PROT_READ | PROT_WRITE | PROT_EXEC)
+
+ static int sys_pkey_mprotect(void *addr, size_t len, int prot, int pkey)
+ {
+ return syscall(SYS_pkey_mprotect, addr, len, prot, pkey);
+ }
+
+ static int sys_pkey_alloc(unsigned long flags, unsigned long access_rights)
+ {
+ return syscall(SYS_pkey_alloc, flags, access_rights);
+ }
+
+ static int sys_pkey_free(int pkey)
+ {
+ return syscall(SYS_pkey_free, pkey);
+ }
+
+ static void do_execute(void *region)
+ {
+ /* jump to region */
+ asm volatile(
+ "mtctr %0;"
+ "bctrl"
+ : : "r"(region) : "ctr", "lr");
+ }
+
+ static void do_protect(void *region)
+ {
+ size_t pgsize;
+ int i, pkey;
+
+ pgsize = getpagesize();
+
+ pkey = sys_pkey_alloc(0, PKEY_DISABLE_EXECUTE);
+ assert (pkey > 0);
+
+ /* perform mprotect */
+ assert(!sys_pkey_mprotect(region, pgsize, PROT_RWX, pkey));
+ do_execute(region);
+
+ /* free pkey */
+ assert(!sys_pkey_free(pkey));
+
+ }
+
+ int main(int argc, char **argv)
+ {
+ size_t pgsize, numinsns;
+ unsigned int *region;
+ int i;
+
+ /* allocate memory region to protect */
+ pgsize = getpagesize();
+ region = memalign(pgsize, pgsize);
+ assert(region != NULL);
+ assert(!mprotect(region, pgsize, PROT_RWX));
+
+ /* fill page with NOPs with a BLR at the end */
+ numinsns = pgsize / sizeof(region[0]);
+ for (i = 0; i < numinsns - 1; i++)
+ region[i] = PPC_INST_NOP;
+ region[i] = PPC_INST_BLR;
+
+ do_protect(region);
+
+ return EXIT_SUCCESS;
+ }
+
+The fix is to only check the IAMR for an execute check, the AMR value
+is not relevant.
+
+Fixes: f2407ef3ba22 ("powerpc: helper to validate key-access permissions of a pte")
+Cc: stable@vger.kernel.org # v4.16+
+Reported-by: Sandipan Das <sandipan@linux.ibm.com>
+Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+[mpe: Add detail to change log, tweak wording & formatting]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200712132047.1038594-1-aneesh.kumar@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/book3s64/pkeys.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/arch/powerpc/mm/book3s64/pkeys.c
++++ b/arch/powerpc/mm/book3s64/pkeys.c
+@@ -367,12 +367,14 @@ static bool pkey_access_permitted(int pk
+ return true;
+
+ pkey_shift = pkeyshift(pkey);
+- if (execute && !(read_iamr() & (IAMR_EX_BIT << pkey_shift)))
+- return true;
++ if (execute)
++ return !(read_iamr() & (IAMR_EX_BIT << pkey_shift));
++
++ amr = read_amr();
++ if (write)
++ return !(amr & (AMR_WR_BIT << pkey_shift));
+
+- amr = read_amr(); /* Delay reading amr until absolutely needed */
+- return ((!write && !(amr & (AMR_RD_BIT << pkey_shift))) ||
+- (write && !(amr & (AMR_WR_BIT << pkey_shift))));
++ return !(amr & (AMR_RD_BIT << pkey_shift));
+ }
+
+ bool arch_pte_access_permitted(u64 pte, bool write, bool execute)
--- /dev/null
+From b710d27bf72068b15b2f0305d825988183e2ff28 Mon Sep 17 00:00:00 2001
+From: Satheesh Rajendran <sathnaga@linux.vnet.ibm.com>
+Date: Fri, 19 Jun 2020 12:31:13 +0530
+Subject: powerpc/pseries/svm: Fix incorrect check for shared_lppaca_size
+
+From: Satheesh Rajendran <sathnaga@linux.vnet.ibm.com>
+
+commit b710d27bf72068b15b2f0305d825988183e2ff28 upstream.
+
+Early secure guest boot hits the below crash while booting with
+vcpus numbers aligned with page boundary for PAGE size of 64k
+and LPPACA size of 1k i.e 64, 128 etc.
+
+ Partition configured for 64 cpus.
+ CPU maps initialized for 1 thread per core
+ ------------[ cut here ]------------
+ kernel BUG at arch/powerpc/kernel/paca.c:89!
+ Oops: Exception in kernel mode, sig: 5 [#1]
+ LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
+
+This is due to the BUG_ON() for shared_lppaca_total_size equal to
+shared_lppaca_size. Instead the code should only BUG_ON() if we have
+exceeded the total_size, which indicates we've overflowed the array.
+
+Fixes: bd104e6db6f0 ("powerpc/pseries/svm: Use shared memory for LPPACA structures")
+Cc: stable@vger.kernel.org # v5.4+
+Signed-off-by: Satheesh Rajendran <sathnaga@linux.vnet.ibm.com>
+Reviewed-by: Laurent Dufour <ldufour@linux.ibm.com>
+Reviewed-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
+[mpe: Reword change log to clarify we're fixing not removing the check]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200619070113.16696-1-sathnaga@linux.vnet.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/paca.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/paca.c
++++ b/arch/powerpc/kernel/paca.c
+@@ -86,7 +86,7 @@ static void *__init alloc_shared_lppaca(
+ * This is very early in boot, so no harm done if the kernel crashes at
+ * this point.
+ */
+- BUG_ON(shared_lppaca_size >= shared_lppaca_total_size);
++ BUG_ON(shared_lppaca_size > shared_lppaca_total_size);
+
+ return ptr;
+ }
--- /dev/null
+From 853eab68afc80f59f36bbdeb715e5c88c501e680 Mon Sep 17 00:00:00 2001
+From: Wade Mealing <wmealing@redhat.com>
+Date: Wed, 17 Jun 2020 13:49:47 +0200
+Subject: Revert "zram: convert remaining CLASS_ATTR() to CLASS_ATTR_RO()"
+
+From: Wade Mealing <wmealing@redhat.com>
+
+commit 853eab68afc80f59f36bbdeb715e5c88c501e680 upstream.
+
+Turns out that the permissions for 0400 really are what we want here,
+otherwise any user can read from this file.
+
+[fixed formatting, added changelog, and made attribute static - gregkh]
+
+Reported-by: Wade Mealing <wmealing@redhat.com>
+Cc: stable <stable@vger.kernel.org>
+Fixes: f40609d1591f ("zram: convert remaining CLASS_ATTR() to CLASS_ATTR_RO()")
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=1847832
+Reviewed-by: Steffen Maier <maier@linux.ibm.com>
+Acked-by: Minchan Kim <minchan@kernel.org>
+Link: https://lore.kernel.org/r/20200617114946.GA2131650@kroah.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/zram/zram_drv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/zram/zram_drv.c
++++ b/drivers/block/zram/zram_drv.c
+@@ -2023,7 +2023,8 @@ static ssize_t hot_add_show(struct class
+ return ret;
+ return scnprintf(buf, PAGE_SIZE, "%d\n", ret);
+ }
+-static CLASS_ATTR_RO(hot_add);
++static struct class_attribute class_attr_hot_add =
++ __ATTR(hot_add, 0400, hot_add_show, NULL);
+
+ static ssize_t hot_remove_store(struct class *class,
+ struct class_attribute *attr,
--- /dev/null
+From 0cac21b02ba5f3095fd2dcc77c26a25a0b2432ed Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@suse.de>
+Date: Mon, 6 Jul 2020 14:32:26 +0200
+Subject: riscv: use 16KB kernel stack on 64-bit
+
+From: Andreas Schwab <schwab@suse.de>
+
+commit 0cac21b02ba5f3095fd2dcc77c26a25a0b2432ed upstream.
+
+With the current 8KB stack size there are frequent overflows in a 64-bit
+configuration. We may split IRQ stacks off in the future, but this fixes a
+number of issues right now.
+
+Signed-off-by: Andreas Schwab <schwab@suse.de>
+Reviewed-by: Anup Patel <anup@brainfault.org>
+[Palmer: mention irqstack in the commit text]
+Fixes: 7db91e57a0ac ("RISC-V: Task implementation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/riscv/include/asm/thread_info.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/riscv/include/asm/thread_info.h
++++ b/arch/riscv/include/asm/thread_info.h
+@@ -12,7 +12,11 @@
+ #include <linux/const.h>
+
+ /* thread information allocation */
++#ifdef CONFIG_64BIT
++#define THREAD_SIZE_ORDER (2)
++#else
+ #define THREAD_SIZE_ORDER (1)
++#endif
+ #define THREAD_SIZE (PAGE_SIZE << THREAD_SIZE_ORDER)
+
+ #ifndef __ASSEMBLY__
--- /dev/null
+From 01cfcde9c26d8555f0e6e9aea9d6049f87683998 Mon Sep 17 00:00:00 2001
+From: Vincent Guittot <vincent.guittot@linaro.org>
+Date: Fri, 10 Jul 2020 17:24:26 +0200
+Subject: sched/fair: handle case of task_h_load() returning 0
+
+From: Vincent Guittot <vincent.guittot@linaro.org>
+
+commit 01cfcde9c26d8555f0e6e9aea9d6049f87683998 upstream.
+
+task_h_load() can return 0 in some situations like running stress-ng
+mmapfork, which forks thousands of threads, in a sched group on a 224 cores
+system. The load balance doesn't handle this correctly because
+env->imbalance never decreases and it will stop pulling tasks only after
+reaching loop_max, which can be equal to the number of running tasks of
+the cfs. Make sure that imbalance will be decreased by at least 1.
+
+misfit task is the other feature that doesn't handle correctly such
+situation although it's probably more difficult to face the problem
+because of the smaller number of CPUs and running tasks on heterogenous
+system.
+
+We can't simply ensure that task_h_load() returns at least one because it
+would imply to handle underflow in other places.
+
+Signed-off-by: Vincent Guittot <vincent.guittot@linaro.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Valentin Schneider <valentin.schneider@arm.com>
+Reviewed-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
+Tested-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
+Cc: <stable@vger.kernel.org> # v4.4+
+Link: https://lkml.kernel.org/r/20200710152426.16981-1-vincent.guittot@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sched/fair.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -3824,7 +3824,11 @@ static inline void update_misfit_status(
+ return;
+ }
+
+- rq->misfit_task_load = task_h_load(p);
++ /*
++ * Make sure that misfit_task_load will not be null even if
++ * task_h_load() returns 0.
++ */
++ rq->misfit_task_load = max_t(unsigned long, task_h_load(p), 1);
+ }
+
+ #else /* CONFIG_SMP */
+@@ -7407,7 +7411,15 @@ static int detach_tasks(struct lb_env *e
+ if (!can_migrate_task(p, env))
+ goto next;
+
+- load = task_h_load(p);
++ /*
++ * Depending of the number of CPUs and tasks and the
++ * cgroup hierarchy, task_h_load() can return a null
++ * value. Make sure that env->imbalance decreases
++ * otherwise detach_tasks() will stop only after
++ * detaching up to loop_max tasks.
++ */
++ load = max_t(unsigned long, task_h_load(p), 1);
++
+
+ if (sched_feat(LB_MIN) && load < 16 && !env->sd->nr_balance_failed)
+ goto next;
--- /dev/null
+From ce3614daabea8a2d01c1dd17ae41d1ec5e5ae7db Mon Sep 17 00:00:00 2001
+From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Date: Mon, 6 Jul 2020 16:49:10 -0400
+Subject: sched: Fix unreliable rseq cpu_id for new tasks
+
+From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+
+commit ce3614daabea8a2d01c1dd17ae41d1ec5e5ae7db upstream.
+
+While integrating rseq into glibc and replacing glibc's sched_getcpu
+implementation with rseq, glibc's tests discovered an issue with
+incorrect __rseq_abi.cpu_id field value right after the first time
+a newly created process issues sched_setaffinity.
+
+For the records, it triggers after building glibc and running tests, and
+then issuing:
+
+ for x in {1..2000} ; do posix/tst-affinity-static & done
+
+and shows up as:
+
+error: Unexpected CPU 2, expected 0
+error: Unexpected CPU 2, expected 0
+error: Unexpected CPU 2, expected 0
+error: Unexpected CPU 2, expected 0
+error: Unexpected CPU 138, expected 0
+error: Unexpected CPU 138, expected 0
+error: Unexpected CPU 138, expected 0
+error: Unexpected CPU 138, expected 0
+
+This is caused by the scheduler invoking __set_task_cpu() directly from
+sched_fork() and wake_up_new_task(), thus bypassing rseq_migrate() which
+is done by set_task_cpu().
+
+Add the missing rseq_migrate() to both functions. The only other direct
+use of __set_task_cpu() is done by init_idle(), which does not involve a
+user-space task.
+
+Based on my testing with the glibc test-case, just adding rseq_migrate()
+to wake_up_new_task() is sufficient to fix the observed issue. Also add
+it to sched_fork() to keep things consistent.
+
+The reason why this never triggered so far with the rseq/basic_test
+selftest is unclear.
+
+The current use of sched_getcpu(3) does not typically require it to be
+always accurate. However, use of the __rseq_abi.cpu_id field within rseq
+critical sections requires it to be accurate. If it is not accurate, it
+can cause corruption in the per-cpu data targeted by rseq critical
+sections in user-space.
+
+Reported-By: Florian Weimer <fweimer@redhat.com>
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Tested-By: Florian Weimer <fweimer@redhat.com>
+Cc: stable@vger.kernel.org # v4.18+
+Link: https://lkml.kernel.org/r/20200707201505.2632-1-mathieu.desnoyers@efficios.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sched/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -2889,6 +2889,7 @@ int sched_fork(unsigned long clone_flags
+ * Silence PROVE_RCU.
+ */
+ raw_spin_lock_irqsave(&p->pi_lock, flags);
++ rseq_migrate(p);
+ /*
+ * We're setting the CPU for the first time, we don't migrate,
+ * so use __set_task_cpu().
+@@ -2953,6 +2954,7 @@ void wake_up_new_task(struct task_struct
+ * as we're not fully set-up yet.
+ */
+ p->recent_used_cpu = task_cpu(p);
++ rseq_migrate(p);
+ __set_task_cpu(p, select_task_rq(p, task_cpu(p), SD_BALANCE_FORK, 0));
+ #endif
+ rq = __task_rq_lock(p, &rf);
--- /dev/null
+From 07d3f04550023395bbf34b99ec7e00fc50d9859f Mon Sep 17 00:00:00 2001
+From: Chandrakanth Patil <chandrakanth.patil@broadcom.com>
+Date: Wed, 15 Jul 2020 17:31:53 +0530
+Subject: scsi: megaraid_sas: Remove undefined ENABLE_IRQ_POLL macro
+
+From: Chandrakanth Patil <chandrakanth.patil@broadcom.com>
+
+commit 07d3f04550023395bbf34b99ec7e00fc50d9859f upstream.
+
+As the ENABLE_IRQ_POLL macro is undefined, the check for ENABLE_IRQ_POLL
+macro in ISR will always be false. This leads to irq polling being
+non-functional.
+
+Remove ENABLE_IRQ_POLL check from ISR.
+
+Link: https://lore.kernel.org/r/20200715120153.20512-1-chandrakanth.patil@broadcom.com
+Fixes: a6ffd5bf6819 ("scsi: megaraid_sas: Call disable_irq from process IRQ")
+Cc: <stable@vger.kernel.org> # v5.3+
+Signed-off-by: Chandrakanth Patil <chandrakanth.patil@broadcom.com>
+Signed-off-by: Kashyap Desai <kashyap.desai@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/megaraid/megaraid_sas_fusion.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
++++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
+@@ -3787,10 +3787,8 @@ static irqreturn_t megasas_isr_fusion(in
+ if (instance->mask_interrupts)
+ return IRQ_NONE;
+
+-#if defined(ENABLE_IRQ_POLL)
+ if (irq_context->irq_poll_scheduled)
+ return IRQ_HANDLED;
+-#endif
+
+ if (!instance->msix_vectors) {
+ mfiStatus = instance->instancet->clear_intr(instance);
virtio-virtio_console-add-missing-module_device_table-for-rproc-serial.patch
serial-mxs-auart-add-missed-iounmap-in-probe-failure-and-remove.patch
ovl-fix-regression-with-re-formatted-lower-squashfs.patch
+ovl-inode-reference-leak-in-ovl_is_inuse-true-case.patch
+ovl-relax-warn_on-when-decoding-lower-directory-file-handle.patch
+ovl-fix-unneeded-call-to-ovl_change_flags.patch
+fuse-ignore-data-argument-of-mount-...-ms_remount.patch
+fuse-use-reconfigure-instead-of-remount_fs.patch
+fuse-fix-parameter-for-fs_ioc_-get-set-flags.patch
+revert-zram-convert-remaining-class_attr-to-class_attr_ro.patch
+mei-bus-don-t-clean-driver-pointer.patch
+input-i8042-add-lenovo-xiaoxin-air-12-to-i8042-nomux-list.patch
+input-elan_i2c-add-more-hardware-id-for-lenovo-laptops.patch
+uio_pdrv_genirq-remove-warning-when-irq-is-not-specified.patch
+uio_pdrv_genirq-fix-use-without-device-tree-and-no-interrupt.patch
+scsi-megaraid_sas-remove-undefined-enable_irq_poll-macro.patch
+timer-prevent-base-clk-from-moving-backward.patch
+timer-fix-wheel-index-calculation-on-last-level.patch
+riscv-use-16kb-kernel-stack-on-64-bit.patch
+hwmon-emc2103-fix-unable-to-change-fan-pwm1_enable-attribute.patch
+powerpc-book3s64-pkeys-fix-pkey_access_permitted-for-execute-disable-pkey.patch
+powerpc-pseries-svm-fix-incorrect-check-for-shared_lppaca_size.patch
+intel_th-pci-add-jasper-lake-cpu-support.patch
+intel_th-pci-add-tiger-lake-pch-h-support.patch
+intel_th-pci-add-emmitsburg-pch-support.patch
+intel_th-fix-a-null-dereference-when-hub-driver-is-not-loaded.patch
+dmaengine-fsl-edma-fix-null-pointer-exception-in-fsl_edma_tx_handler.patch
+dmaengine-mcf-edma-fix-null-pointer-exception-in-mcf_edma_tx_handler.patch
+dmaengine-fsl-edma-common-correct-dsize_32byte.patch
+misc-atmel-ssc-lock-with-mutex-instead-of-spinlock.patch
+thermal-int3403_thermal-downgrade-error-message.patch
+thermal-drivers-cpufreq_cooling-fix-wrong-frequency-converted-from-power.patch
+arm64-ptrace-override-spsr.ss-when-single-stepping-is-enabled.patch
+arm64-ptrace-consistently-use-pseudo-singlestep-exceptions.patch
+arm64-compat-ensure-upper-32-bits-of-x0-are-zero-on-syscall-return.patch
+sched-fix-unreliable-rseq-cpu_id-for-new-tasks.patch
+sched-fair-handle-case-of-task_h_load-returning-0.patch
+genirq-affinity-handle-affinity-setting-on-inactive-interrupts-correctly.patch
+drm-amdgpu-sdma5-fix-wptr-overwritten-in-get_wptr.patch
+drm-i915-gt-ignore-irq-enabling-on-the-virtual-engines.patch
--- /dev/null
+From 371a3bc79c11b707d7a1b7a2c938dc3cc042fffb Mon Sep 17 00:00:00 2001
+From: Finley Xiao <finley.xiao@rock-chips.com>
+Date: Fri, 19 Jun 2020 17:08:25 +0800
+Subject: thermal/drivers/cpufreq_cooling: Fix wrong frequency converted from power
+
+From: Finley Xiao <finley.xiao@rock-chips.com>
+
+commit 371a3bc79c11b707d7a1b7a2c938dc3cc042fffb upstream.
+
+The function cpu_power_to_freq is used to find a frequency and set the
+cooling device to consume at most the power to be converted. For example,
+if the power to be converted is 80mW, and the em table is as follow.
+struct em_cap_state table[] = {
+ /* KHz mW */
+ { 1008000, 36, 0 },
+ { 1200000, 49, 0 },
+ { 1296000, 59, 0 },
+ { 1416000, 72, 0 },
+ { 1512000, 86, 0 },
+};
+The target frequency should be 1416000KHz, not 1512000KHz.
+
+Fixes: 349d39dc5739 ("thermal: cpu_cooling: merge frequency and power tables")
+Cc: <stable@vger.kernel.org> # v4.13+
+Signed-off-by: Finley Xiao <finley.xiao@rock-chips.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Reviewed-by: Amit Kucheria <amit.kucheria@linaro.org>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lore.kernel.org/r/20200619090825.32747-1-finley.xiao@rock-chips.com
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/thermal/cpu_cooling.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/thermal/cpu_cooling.c
++++ b/drivers/thermal/cpu_cooling.c
+@@ -210,11 +210,11 @@ static u32 cpu_power_to_freq(struct cpuf
+ int i;
+ struct freq_table *freq_table = cpufreq_cdev->freq_table;
+
+- for (i = 1; i <= cpufreq_cdev->max_level; i++)
+- if (power > freq_table[i].power)
++ for (i = 0; i < cpufreq_cdev->max_level; i++)
++ if (power >= freq_table[i].power)
+ break;
+
+- return freq_table[i - 1].frequency;
++ return freq_table[i].frequency;
+ }
+
+ /**
--- /dev/null
+From f3d7fb38976b1b0a8462ba1c7cbd404ddfaad086 Mon Sep 17 00:00:00 2001
+From: Alex Hung <alex.hung@canonical.com>
+Date: Mon, 15 Jun 2020 16:39:57 -0600
+Subject: thermal: int3403_thermal: Downgrade error message
+
+From: Alex Hung <alex.hung@canonical.com>
+
+commit f3d7fb38976b1b0a8462ba1c7cbd404ddfaad086 upstream.
+
+Downgrade "Unsupported event" message from dev_err to dev_dbg to avoid
+flooding with this message on some platforms.
+
+Cc: stable@vger.kernel.org # v5.4+
+Suggested-by: Zhang Rui <rui.zhang@intel.com>
+Signed-off-by: Alex Hung <alex.hung@canonical.com>
+[ rzhang: fix typo in changelog ]
+Signed-off-by: Zhang Rui <rui.zhang@intel.com>
+Link: https://lore.kernel.org/r/20200615223957.183153-1-alex.hung@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/thermal/intel/int340x_thermal/int3403_thermal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/thermal/intel/int340x_thermal/int3403_thermal.c
++++ b/drivers/thermal/intel/int340x_thermal/int3403_thermal.c
+@@ -74,7 +74,7 @@ static void int3403_notify(acpi_handle h
+ THERMAL_TRIP_CHANGED);
+ break;
+ default:
+- dev_err(&priv->pdev->dev, "Unsupported event [0x%x]\n", event);
++ dev_dbg(&priv->pdev->dev, "Unsupported event [0x%x]\n", event);
+ break;
+ }
+ }
--- /dev/null
+From e2a71bdea81690b6ef11f4368261ec6f5b6891aa Mon Sep 17 00:00:00 2001
+From: Frederic Weisbecker <frederic@kernel.org>
+Date: Fri, 17 Jul 2020 16:05:40 +0200
+Subject: timer: Fix wheel index calculation on last level
+
+From: Frederic Weisbecker <frederic@kernel.org>
+
+commit e2a71bdea81690b6ef11f4368261ec6f5b6891aa upstream.
+
+When an expiration delta falls into the last level of the wheel, that delta
+has be compared against the maximum possible delay and reduced to fit in if
+necessary.
+
+However instead of comparing the delta against the maximum, the code
+compares the actual expiry against the maximum. Then instead of fixing the
+delta to fit in, it sets the maximum delta as the expiry value.
+
+This can result in various undesired outcomes, the worst possible one
+being a timer expiring 15 days ahead to fire immediately.
+
+Fixes: 500462a9de65 ("timers: Switch to a non-cascading wheel")
+Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20200717140551.29076-2-frederic@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/time/timer.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/time/timer.c
++++ b/kernel/time/timer.c
+@@ -522,8 +522,8 @@ static int calc_wheel_index(unsigned lon
+ * Force expire obscene large timeouts to expire at the
+ * capacity limit of the wheel.
+ */
+- if (expires >= WHEEL_TIMEOUT_CUTOFF)
+- expires = WHEEL_TIMEOUT_MAX;
++ if (delta >= WHEEL_TIMEOUT_CUTOFF)
++ expires = clk + WHEEL_TIMEOUT_MAX;
+
+ idx = calc_index(expires, LVL_DEPTH - 1);
+ }
--- /dev/null
+From 30c66fc30ee7a98c4f3adf5fb7e213b61884474f Mon Sep 17 00:00:00 2001
+From: Frederic Weisbecker <frederic@kernel.org>
+Date: Fri, 3 Jul 2020 03:06:57 +0200
+Subject: timer: Prevent base->clk from moving backward
+
+From: Frederic Weisbecker <frederic@kernel.org>
+
+commit 30c66fc30ee7a98c4f3adf5fb7e213b61884474f upstream.
+
+When a timer is enqueued with a negative delta (ie: expiry is below
+base->clk), it gets added to the wheel as expiring now (base->clk).
+
+Yet the value that gets stored in base->next_expiry, while calling
+trigger_dyntick_cpu(), is the initial timer->expires value. The
+resulting state becomes:
+
+ base->next_expiry < base->clk
+
+On the next timer enqueue, forward_timer_base() may accidentally
+rewind base->clk. As a possible outcome, timers may expire way too
+early, the worst case being that the highest wheel levels get spuriously
+processed again.
+
+To prevent from that, make sure that base->next_expiry doesn't get below
+base->clk.
+
+Fixes: a683f390b93f ("timers: Forward the wheel clock whenever possible")
+Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Anna-Maria Behnsen <anna-maria@linutronix.de>
+Tested-by: Juri Lelli <juri.lelli@redhat.com>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20200703010657.2302-1-frederic@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/time/timer.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+--- a/kernel/time/timer.c
++++ b/kernel/time/timer.c
+@@ -585,7 +585,15 @@ trigger_dyntick_cpu(struct timer_base *b
+ * Set the next expiry time and kick the CPU so it can reevaluate the
+ * wheel:
+ */
+- base->next_expiry = timer->expires;
++ if (time_before(timer->expires, base->clk)) {
++ /*
++ * Prevent from forward_timer_base() moving the base->clk
++ * backward
++ */
++ base->next_expiry = base->clk;
++ } else {
++ base->next_expiry = timer->expires;
++ }
+ wake_up_nohz_cpu(base->cpu);
+ }
+
+@@ -897,10 +905,13 @@ static inline void forward_timer_base(st
+ * If the next expiry value is > jiffies, then we fast forward to
+ * jiffies otherwise we forward to the next expiry value.
+ */
+- if (time_after(base->next_expiry, jnow))
++ if (time_after(base->next_expiry, jnow)) {
+ base->clk = jnow;
+- else
++ } else {
++ if (WARN_ON_ONCE(time_before(base->next_expiry, base->clk)))
++ return;
+ base->clk = base->next_expiry;
++ }
+ #endif
+ }
+
--- /dev/null
+From bf12fdf0ab728ca8e5933aac46dd972c0dd0421e Mon Sep 17 00:00:00 2001
+From: Esben Haabendal <esben@geanix.com>
+Date: Wed, 1 Jul 2020 16:56:58 +0200
+Subject: uio_pdrv_genirq: fix use without device tree and no interrupt
+
+From: Esben Haabendal <esben@geanix.com>
+
+commit bf12fdf0ab728ca8e5933aac46dd972c0dd0421e upstream.
+
+While e3a3c3a20555 ("UIO: fix uio_pdrv_genirq with device tree but no
+interrupt") added support for using uio_pdrv_genirq for devices without
+interrupt for device tree platforms, the removal of uio_pdrv in
+26dac3c49d56 ("uio: Remove uio_pdrv and use uio_pdrv_genirq instead")
+broke the support for non device tree platforms.
+
+This change fixes this, so that uio_pdrv_genirq can be used without
+interrupt on all platforms.
+
+This still leaves the support that uio_pdrv had for custom interrupt
+handler lacking, as uio_pdrv_genirq does not handle it (yet).
+
+Fixes: 26dac3c49d56 ("uio: Remove uio_pdrv and use uio_pdrv_genirq instead")
+Signed-off-by: Esben Haabendal <esben@geanix.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20200701145659.3978-3-esben@geanix.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/uio/uio_pdrv_genirq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/uio/uio_pdrv_genirq.c
++++ b/drivers/uio/uio_pdrv_genirq.c
+@@ -154,7 +154,7 @@ static int uio_pdrv_genirq_probe(struct
+ if (!uioinfo->irq) {
+ ret = platform_get_irq_optional(pdev, 0);
+ uioinfo->irq = ret;
+- if (ret == -ENXIO && pdev->dev.of_node)
++ if (ret == -ENXIO)
+ uioinfo->irq = UIO_IRQ_NONE;
+ else if (ret < 0) {
+ dev_err(&pdev->dev, "failed to get IRQ\n");
--- /dev/null
+From 324ac45f25e634eca6346953ae531e8da3e0c73d Mon Sep 17 00:00:00 2001
+From: Esben Haabendal <esben@geanix.com>
+Date: Wed, 1 Jul 2020 16:56:57 +0200
+Subject: uio_pdrv_genirq: Remove warning when irq is not specified
+
+From: Esben Haabendal <esben@geanix.com>
+
+commit 324ac45f25e634eca6346953ae531e8da3e0c73d upstream.
+
+Since e3a3c3a20555 ("UIO: fix uio_pdrv_genirq with device tree but no
+interrupt"), the uio_pdrv_genirq has supported use without interrupt,
+so the change in 7723f4c5ecdb ("driver core: platform: Add an error
+message to") added false warnings for those cases.
+
+Fixes: 7723f4c5ecdb ("driver core: platform: Add an error message to platform_get_irq*()")
+Signed-off-by: Esben Haabendal <esben@geanix.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20200701145659.3978-2-esben@geanix.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/uio/uio_pdrv_genirq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/uio/uio_pdrv_genirq.c
++++ b/drivers/uio/uio_pdrv_genirq.c
+@@ -152,7 +152,7 @@ static int uio_pdrv_genirq_probe(struct
+ priv->pdev = pdev;
+
+ if (!uioinfo->irq) {
+- ret = platform_get_irq(pdev, 0);
++ ret = platform_get_irq_optional(pdev, 0);
+ uioinfo->irq = ret;
+ if (ret == -ENXIO && pdev->dev.of_node)
+ uioinfo->irq = UIO_IRQ_NONE;
projects / thirdparty / kernel / stable-queue.git / commitdiff
