--- /dev/null
+From 477d08478170469d10b533624342d13701e24b34 Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Tue, 4 Aug 2020 11:52:13 +0900
+Subject: bootconfig: Fix to find the initargs correctly
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+commit 477d08478170469d10b533624342d13701e24b34 upstream.
+
+Since the parse_args() stops parsing at '--', bootconfig_params()
+will never get the '--' as param and initargs_found never be true.
+In the result, if we pass some init arguments via the bootconfig,
+those are always appended to the kernel command line with '--'
+even if the kernel command line already has '--'.
+
+To fix this correctly, check the return value of parse_args()
+and set initargs_found true if the return value is not an error
+but a valid address.
+
+Link: https://lkml.kernel.org/r/159650953285.270383.14822353843556363851.stgit@devnote2
+
+Fixes: f61872bb58a1 ("bootconfig: Use parse_args() to find bootconfig and '--'")
+Cc: stable@vger.kernel.org
+Reported-by: Arvind Sankar <nivedita@alum.mit.edu>
+Suggested-by: Arvind Sankar <nivedita@alum.mit.edu>
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ init/main.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/init/main.c
++++ b/init/main.c
+@@ -385,8 +385,6 @@ static int __init bootconfig_params(char
+ {
+ if (strcmp(param, "bootconfig") == 0) {
+ bootconfig_found = true;
+- } else if (strcmp(param, "--") == 0) {
+- initargs_found = true;
+ }
+ return 0;
+ }
+@@ -397,19 +395,23 @@ static void __init setup_boot_config(con
+ const char *msg;
+ int pos;
+ u32 size, csum;
+- char *data, *copy;
++ char *data, *copy, *err;
+ int ret;
+
+ /* Cut out the bootconfig data even if we have no bootconfig option */
+ data = get_boot_config_from_initrd(&size, &csum);
+
+ strlcpy(tmp_cmdline, boot_command_line, COMMAND_LINE_SIZE);
+- parse_args("bootconfig", tmp_cmdline, NULL, 0, 0, 0, NULL,
+- bootconfig_params);
++ err = parse_args("bootconfig", tmp_cmdline, NULL, 0, 0, 0, NULL,
++ bootconfig_params);
+
+- if (!bootconfig_found)
++ if (IS_ERR(err) || !bootconfig_found)
+ return;
+
++ /* parse_args() stops at '--' and returns an address */
++ if (err)
++ initargs_found = true;
++
+ if (!data) {
+ pr_err("'bootconfig' found on command line, but no bootconfig found\n");
+ return;
--- /dev/null
+From a9cb9f4148ef6bb8fabbdaa85c42b2171fbd5a0d Mon Sep 17 00:00:00 2001
+From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Date: Tue, 4 Aug 2020 18:25:01 +0900
+Subject: dm: don't call report zones for more than the user requested
+
+From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+
+commit a9cb9f4148ef6bb8fabbdaa85c42b2171fbd5a0d upstream.
+
+Don't call report zones for more zones than the user actually requested,
+otherwise this can lead to out-of-bounds accesses in the callback
+functions.
+
+Such a situation can happen if the target's ->report_zones() callback
+function returns 0 because we've reached the end of the target and then
+restart the report zones on the second target.
+
+We're again calling into ->report_zones() and ultimately into the user
+supplied callback function but when we're not subtracting the number of
+zones already processed this may lead to out-of-bounds accesses in the
+user callbacks.
+
+Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: Damien Le Moal <damien.lemoal@wdc.com>
+Fixes: d41003513e61 ("block: rework zone reporting")
+Cc: stable@vger.kernel.org # v5.5+
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -503,7 +503,8 @@ static int dm_blk_report_zones(struct ge
+ }
+
+ args.tgt = tgt;
+- ret = tgt->type->report_zones(tgt, &args, nr_zones);
++ ret = tgt->type->report_zones(tgt, &args,
++ nr_zones - args.zone_idx);
+ if (ret < 0)
+ goto out;
+ } while (args.zone_idx < nr_zones &&
--- /dev/null
+From 3b2a999582c467d1883716b37ffcc00178a13713 Mon Sep 17 00:00:00 2001
+From: Liu Ying <victor.liu@nxp.com>
+Date: Thu, 9 Jul 2020 10:28:52 +0800
+Subject: drm/imx: imx-ldb: Disable both channels for split mode in enc->disable()
+
+From: Liu Ying <victor.liu@nxp.com>
+
+commit 3b2a999582c467d1883716b37ffcc00178a13713 upstream.
+
+Both of the two LVDS channels should be disabled for split mode
+in the encoder's ->disable() callback, because they are enabled
+in the encoder's ->enable() callback.
+
+Fixes: 6556f7f82b9c ("drm: imx: Move imx-drm driver out of staging")
+Cc: Philipp Zabel <p.zabel@pengutronix.de>
+Cc: Sascha Hauer <s.hauer@pengutronix.de>
+Cc: Pengutronix Kernel Team <kernel@pengutronix.de>
+Cc: NXP Linux Team <linux-imx@nxp.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Liu Ying <victor.liu@nxp.com>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/imx/imx-ldb.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/imx/imx-ldb.c
++++ b/drivers/gpu/drm/imx/imx-ldb.c
+@@ -303,18 +303,19 @@ static void imx_ldb_encoder_disable(stru
+ {
+ struct imx_ldb_channel *imx_ldb_ch = enc_to_imx_ldb_ch(encoder);
+ struct imx_ldb *ldb = imx_ldb_ch->ldb;
++ int dual = ldb->ldb_ctrl & LDB_SPLIT_MODE_EN;
+ int mux, ret;
+
+ drm_panel_disable(imx_ldb_ch->panel);
+
+- if (imx_ldb_ch == &ldb->channel[0])
++ if (imx_ldb_ch == &ldb->channel[0] || dual)
+ ldb->ldb_ctrl &= ~LDB_CH0_MODE_EN_MASK;
+- else if (imx_ldb_ch == &ldb->channel[1])
++ if (imx_ldb_ch == &ldb->channel[1] || dual)
+ ldb->ldb_ctrl &= ~LDB_CH1_MODE_EN_MASK;
+
+ regmap_write(ldb->regmap, IOMUXC_GPR2, ldb->ldb_ctrl);
+
+- if (ldb->ldb_ctrl & LDB_SPLIT_MODE_EN) {
++ if (dual) {
+ clk_disable_unprepare(ldb->clk[0]);
+ clk_disable_unprepare(ldb->clk[1]);
+ }
--- /dev/null
+From ca43f274e03f91c533643299ae4984965ce03205 Mon Sep 17 00:00:00 2001
+From: Paul Cercueil <paul@crapouillou.net>
+Date: Thu, 16 Jul 2020 18:38:35 +0200
+Subject: drm/ingenic: Fix incorrect assumption about plane->index
+
+From: Paul Cercueil <paul@crapouillou.net>
+
+commit ca43f274e03f91c533643299ae4984965ce03205 upstream.
+
+plane->index is NOT the index of the color plane in a YUV frame.
+Actually, a YUV frame is represented by a single drm_plane, even though
+it contains three Y, U, V planes.
+
+v2-v3: No change
+
+Cc: stable@vger.kernel.org # v5.3
+Fixes: 90b86fcc47b4 ("DRM: Add KMS driver for the Ingenic JZ47xx SoCs")
+Signed-off-by: Paul Cercueil <paul@crapouillou.net>
+Reviewed-by: Sam Ravnborg <sam@ravnborg.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200716163846.174790-1-paul@crapouillou.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/ingenic/ingenic-drm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/ingenic/ingenic-drm.c
++++ b/drivers/gpu/drm/ingenic/ingenic-drm.c
+@@ -384,7 +384,7 @@ static void ingenic_drm_plane_atomic_upd
+ addr = drm_fb_cma_get_gem_addr(state->fb, state, 0);
+ width = state->src_w >> 16;
+ height = state->src_h >> 16;
+- cpp = state->fb->format->cpp[plane->index];
++ cpp = state->fb->format->cpp[0];
+
+ priv->dma_hwdesc->addr = addr;
+ priv->dma_hwdesc->cmd = width * height * cpp / 4;
--- /dev/null
+From 70499cdfeb3625c87eebe4f7a7ea06fa7447e5df Mon Sep 17 00:00:00 2001
+From: Bob Peterson <rpeterso@redhat.com>
+Date: Fri, 24 Jul 2020 12:06:31 -0500
+Subject: gfs2: Never call gfs2_block_zero_range with an open transaction
+
+From: Bob Peterson <rpeterso@redhat.com>
+
+commit 70499cdfeb3625c87eebe4f7a7ea06fa7447e5df upstream.
+
+Before this patch, some functions started transactions then they called
+gfs2_block_zero_range. However, gfs2_block_zero_range, like writes, can
+start transactions, which results in a recursive transaction error.
+For example:
+
+do_shrink
+ trunc_start
+ gfs2_trans_begin <------------------------------------------------
+ gfs2_block_zero_range
+ iomap_zero_range(inode, from, length, NULL, &gfs2_iomap_ops);
+ iomap_apply ... iomap_zero_range_actor
+ iomap_begin
+ gfs2_iomap_begin
+ gfs2_iomap_begin_write
+ actor (iomap_zero_range_actor)
+ iomap_zero
+ iomap_write_begin
+ gfs2_iomap_page_prepare
+ gfs2_trans_begin <------------------------
+
+This patch reorders the callers of gfs2_block_zero_range so that they
+only start their transactions after the call. It also adds a BUG_ON to
+ensure this doesn't happen again.
+
+Fixes: 2257e468a63b ("gfs2: implement gfs2_block_zero_range using iomap_zero_range")
+Cc: stable@vger.kernel.org # v5.5+
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/gfs2/bmap.c | 69 ++++++++++++++++++++++++++++++++-------------------------
+ 1 file changed, 39 insertions(+), 30 deletions(-)
+
+--- a/fs/gfs2/bmap.c
++++ b/fs/gfs2/bmap.c
+@@ -1351,9 +1351,15 @@ int gfs2_extent_map(struct inode *inode,
+ return ret;
+ }
+
++/*
++ * NOTE: Never call gfs2_block_zero_range with an open transaction because it
++ * uses iomap write to perform its actions, which begin their own transactions
++ * (iomap_begin, page_prepare, etc.)
++ */
+ static int gfs2_block_zero_range(struct inode *inode, loff_t from,
+ unsigned int length)
+ {
++ BUG_ON(current->journal_info);
+ return iomap_zero_range(inode, from, length, NULL, &gfs2_iomap_ops);
+ }
+
+@@ -1414,6 +1420,16 @@ static int trunc_start(struct inode *ino
+ u64 oldsize = inode->i_size;
+ int error;
+
++ if (!gfs2_is_stuffed(ip)) {
++ unsigned int blocksize = i_blocksize(inode);
++ unsigned int offs = newsize & (blocksize - 1);
++ if (offs) {
++ error = gfs2_block_zero_range(inode, newsize,
++ blocksize - offs);
++ if (error)
++ return error;
++ }
++ }
+ if (journaled)
+ error = gfs2_trans_begin(sdp, RES_DINODE + RES_JDATA, GFS2_JTRUNC_REVOKES);
+ else
+@@ -1427,19 +1443,10 @@ static int trunc_start(struct inode *ino
+
+ gfs2_trans_add_meta(ip->i_gl, dibh);
+
+- if (gfs2_is_stuffed(ip)) {
++ if (gfs2_is_stuffed(ip))
+ gfs2_buffer_clear_tail(dibh, sizeof(struct gfs2_dinode) + newsize);
+- } else {
+- unsigned int blocksize = i_blocksize(inode);
+- unsigned int offs = newsize & (blocksize - 1);
+- if (offs) {
+- error = gfs2_block_zero_range(inode, newsize,
+- blocksize - offs);
+- if (error)
+- goto out;
+- }
++ else
+ ip->i_diskflags |= GFS2_DIF_TRUNC_IN_PROG;
+- }
+
+ i_size_write(inode, newsize);
+ ip->i_inode.i_mtime = ip->i_inode.i_ctime = current_time(&ip->i_inode);
+@@ -2448,25 +2455,7 @@ int __gfs2_punch_hole(struct file *file,
+ loff_t start, end;
+ int error;
+
+- start = round_down(offset, blocksize);
+- end = round_up(offset + length, blocksize) - 1;
+- error = filemap_write_and_wait_range(inode->i_mapping, start, end);
+- if (error)
+- return error;
+-
+- if (gfs2_is_jdata(ip))
+- error = gfs2_trans_begin(sdp, RES_DINODE + 2 * RES_JDATA,
+- GFS2_JTRUNC_REVOKES);
+- else
+- error = gfs2_trans_begin(sdp, RES_DINODE, 0);
+- if (error)
+- return error;
+-
+- if (gfs2_is_stuffed(ip)) {
+- error = stuffed_zero_range(inode, offset, length);
+- if (error)
+- goto out;
+- } else {
++ if (!gfs2_is_stuffed(ip)) {
+ unsigned int start_off, end_len;
+
+ start_off = offset & (blocksize - 1);
+@@ -2489,6 +2478,26 @@ int __gfs2_punch_hole(struct file *file,
+ }
+ }
+
++ start = round_down(offset, blocksize);
++ end = round_up(offset + length, blocksize) - 1;
++ error = filemap_write_and_wait_range(inode->i_mapping, start, end);
++ if (error)
++ return error;
++
++ if (gfs2_is_jdata(ip))
++ error = gfs2_trans_begin(sdp, RES_DINODE + 2 * RES_JDATA,
++ GFS2_JTRUNC_REVOKES);
++ else
++ error = gfs2_trans_begin(sdp, RES_DINODE, 0);
++ if (error)
++ return error;
++
++ if (gfs2_is_stuffed(ip)) {
++ error = stuffed_zero_range(inode, offset, length);
++ if (error)
++ goto out;
++ }
++
+ if (gfs2_is_jdata(ip)) {
+ BUG_ON(!current->journal_info);
+ gfs2_journaled_truncate_range(inode, offset, length);
--- /dev/null
+From 11990a5bd7e558e9203c1070fc52fb6f0488e75b Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 6 Aug 2020 14:15:23 -0700
+Subject: module: Correctly truncate sysfs sections output
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 11990a5bd7e558e9203c1070fc52fb6f0488e75b upstream.
+
+The only-root-readable /sys/module/$module/sections/$section files
+did not truncate their output to the available buffer size. While most
+paths into the kernfs read handlers end up using PAGE_SIZE buffers,
+it's possible to get there through other paths (e.g. splice, sendfile).
+Actually limit the output to the "count" passed into the read function,
+and report it back correctly. *sigh*
+
+Reported-by: kernel test robot <lkp@intel.com>
+Link: https://lore.kernel.org/lkml/20200805002015.GE23458@shao2-debian
+Fixes: ed66f991bb19 ("module: Refactor section attr into bin attribute")
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Jessica Yu <jeyu@kernel.org>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/module.c | 22 +++++++++++++++++++---
+ 1 file changed, 19 insertions(+), 3 deletions(-)
+
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -1517,18 +1517,34 @@ struct module_sect_attrs {
+ struct module_sect_attr attrs[];
+ };
+
++#define MODULE_SECT_READ_SIZE (3 /* "0x", "\n" */ + (BITS_PER_LONG / 4))
+ static ssize_t module_sect_read(struct file *file, struct kobject *kobj,
+ struct bin_attribute *battr,
+ char *buf, loff_t pos, size_t count)
+ {
+ struct module_sect_attr *sattr =
+ container_of(battr, struct module_sect_attr, battr);
++ char bounce[MODULE_SECT_READ_SIZE + 1];
++ size_t wrote;
+
+ if (pos != 0)
+ return -EINVAL;
+
+- return sprintf(buf, "0x%px\n",
+- kallsyms_show_value(file->f_cred) ? (void *)sattr->address : NULL);
++ /*
++ * Since we're a binary read handler, we must account for the
++ * trailing NUL byte that sprintf will write: if "buf" is
++ * too small to hold the NUL, or the NUL is exactly the last
++ * byte, the read will look like it got truncated by one byte.
++ * Since there is no way to ask sprintf nicely to not write
++ * the NUL, we have to use a bounce buffer.
++ */
++ wrote = scnprintf(bounce, sizeof(bounce), "0x%px\n",
++ kallsyms_show_value(file->f_cred)
++ ? (void *)sattr->address : NULL);
++ count = min(count, wrote);
++ memcpy(buf, bounce, count);
++
++ return count;
+ }
+
+ static void free_sect_attrs(struct module_sect_attrs *sect_attrs)
+@@ -1577,7 +1593,7 @@ static void add_sect_attrs(struct module
+ goto out;
+ sect_attrs->nsections++;
+ sattr->battr.read = module_sect_read;
+- sattr->battr.size = 3 /* "0x", "\n" */ + (BITS_PER_LONG / 4);
++ sattr->battr.size = MODULE_SECT_READ_SIZE;
+ sattr->battr.attr.mode = 0400;
+ *(gattr++) = &(sattr++)->battr;
+ }
--- /dev/null
+From a58a057ce65b52125dd355b7d8b0d540ea267a5f Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Fri, 10 Jul 2020 18:10:54 +0300
+Subject: perf intel-pt: Fix duplicate branch after CBR
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit a58a057ce65b52125dd355b7d8b0d540ea267a5f upstream.
+
+CBR events can result in a duplicate branch event, because the state
+type defaults to a branch. Fix by clearing the state type.
+
+Example: trace 'sleep' and hope for a frequency change
+
+ Before:
+
+ $ perf record -e intel_pt//u sleep 0.1
+ [ perf record: Woken up 1 times to write data ]
+ [ perf record: Captured and wrote 0.034 MB perf.data ]
+ $ perf script --itrace=bpe > before.txt
+
+ After:
+
+ $ perf script --itrace=bpe > after.txt
+ $ diff -u before.txt after.txt
+# --- before.txt 2020-07-07 14:42:18.191508098 +0300
+# +++ after.txt 2020-07-07 14:42:36.587891753 +0300
+ @@ -29673,7 +29673,6 @@
+ sleep 93431 [007] 15411.619905: 1 branches:u: 0 [unknown] ([unknown]) => 7f0818abb2e0 clock_nanosleep@@GLIBC_2.17+0x0 (/usr/lib/x86_64-linux-gnu/libc-2.31.so)
+ sleep 93431 [007] 15411.619905: 1 branches:u: 7f0818abb30c clock_nanosleep@@GLIBC_2.17+0x2c (/usr/lib/x86_64-linux-gnu/libc-2.31.so) => 0 [unknown] ([unknown])
+ sleep 93431 [007] 15411.720069: cbr: cbr: 15 freq: 1507 MHz ( 56%) 7f0818abb30c clock_nanosleep@@GLIBC_2.17+0x2c (/usr/lib/x86_64-linux-gnu/libc-2.31.so)
+ - sleep 93431 [007] 15411.720069: 1 branches:u: 7f0818abb30c clock_nanosleep@@GLIBC_2.17+0x2c (/usr/lib/x86_64-linux-gnu/libc-2.31.so) => 0 [unknown] ([unknown])
+ sleep 93431 [007] 15411.720076: 1 branches:u: 0 [unknown] ([unknown]) => 7f0818abb30e clock_nanosleep@@GLIBC_2.17+0x2e (/usr/lib/x86_64-linux-gnu/libc-2.31.so)
+ sleep 93431 [007] 15411.720077: 1 branches:u: 7f0818abb323 clock_nanosleep@@GLIBC_2.17+0x43 (/usr/lib/x86_64-linux-gnu/libc-2.31.so) => 7f0818ac0eb7 __nanosleep+0x17 (/usr/lib/x86_64-linux-gnu/libc-2.31.so)
+ sleep 93431 [007] 15411.720077: 1 branches:u: 7f0818ac0ebf __nanosleep+0x1f (/usr/lib/x86_64-linux-gnu/libc-2.31.so) => 55cb7e4c2827 rpl_nanosleep+0x97 (/usr/bin/sleep)
+
+Fixes: 91de8684f1cff ("perf intel-pt: Cater for CBR change in PSB+")
+Fixes: abe5a1d3e4bee ("perf intel-pt: Decoder to output CBR changes immediately")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Reviewed-by: Andi Kleen <ak@linux.intel.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org
+Link: http://lore.kernel.org/lkml/20200710151104.15137-3-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/util/intel-pt-decoder/intel-pt-decoder.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+@@ -1977,8 +1977,10 @@ next:
+ * possibility of another CBR change that gets caught up
+ * in the PSB+.
+ */
+- if (decoder->cbr != decoder->cbr_seen)
++ if (decoder->cbr != decoder->cbr_seen) {
++ decoder->state.type = 0;
+ return 0;
++ }
+ break;
+
+ case INTEL_PT_PIP:
+@@ -2019,8 +2021,10 @@ next:
+
+ case INTEL_PT_CBR:
+ intel_pt_calc_cbr(decoder);
+- if (decoder->cbr != decoder->cbr_seen)
++ if (decoder->cbr != decoder->cbr_seen) {
++ decoder->state.type = 0;
+ return 0;
++ }
+ break;
+
+ case INTEL_PT_MODE_EXEC:
--- /dev/null
+From 401136bb084fd021acd9f8c51b52fe0a25e326b2 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Fri, 10 Jul 2020 18:10:53 +0300
+Subject: perf intel-pt: Fix FUP packet state
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit 401136bb084fd021acd9f8c51b52fe0a25e326b2 upstream.
+
+While walking code towards a FUP ip, the packet state is
+INTEL_PT_STATE_FUP or INTEL_PT_STATE_FUP_NO_TIP. That was mishandled
+resulting in the state becoming INTEL_PT_STATE_IN_SYNC prematurely. The
+result was an occasional lost EXSTOP event.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Reviewed-by: Andi Kleen <ak@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org
+Link: http://lore.kernel.org/lkml/20200710151104.15137-2-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/util/intel-pt-decoder/intel-pt-decoder.c | 21 ++++++--------------
+ 1 file changed, 7 insertions(+), 14 deletions(-)
+
+--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+@@ -1164,6 +1164,7 @@ static int intel_pt_walk_fup(struct inte
+ return 0;
+ if (err == -EAGAIN ||
+ intel_pt_fup_with_nlip(decoder, &intel_pt_insn, ip, err)) {
++ decoder->pkt_state = INTEL_PT_STATE_IN_SYNC;
+ if (intel_pt_fup_event(decoder))
+ return 0;
+ return -EAGAIN;
+@@ -1942,17 +1943,13 @@ next:
+ }
+ if (decoder->set_fup_mwait)
+ no_tip = true;
++ if (no_tip)
++ decoder->pkt_state = INTEL_PT_STATE_FUP_NO_TIP;
++ else
++ decoder->pkt_state = INTEL_PT_STATE_FUP;
+ err = intel_pt_walk_fup(decoder);
+- if (err != -EAGAIN) {
+- if (err)
+- return err;
+- if (no_tip)
+- decoder->pkt_state =
+- INTEL_PT_STATE_FUP_NO_TIP;
+- else
+- decoder->pkt_state = INTEL_PT_STATE_FUP;
+- return 0;
+- }
++ if (err != -EAGAIN)
++ return err;
+ if (no_tip) {
+ no_tip = false;
+ break;
+@@ -2599,15 +2596,11 @@ const struct intel_pt_state *intel_pt_de
+ err = intel_pt_walk_tip(decoder);
+ break;
+ case INTEL_PT_STATE_FUP:
+- decoder->pkt_state = INTEL_PT_STATE_IN_SYNC;
+ err = intel_pt_walk_fup(decoder);
+ if (err == -EAGAIN)
+ err = intel_pt_walk_fup_tip(decoder);
+- else if (!err)
+- decoder->pkt_state = INTEL_PT_STATE_FUP;
+ break;
+ case INTEL_PT_STATE_FUP_NO_TIP:
+- decoder->pkt_state = INTEL_PT_STATE_IN_SYNC;
+ err = intel_pt_walk_fup(decoder);
+ if (err == -EAGAIN)
+ err = intel_pt_walk_trace(decoder);
--- /dev/null
+From 12d572e785b15bc764e956caaa8a4c846fd15694 Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Fri, 10 Jul 2020 22:11:23 +0900
+Subject: perf probe: Fix memory leakage when the probe point is not found
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+commit 12d572e785b15bc764e956caaa8a4c846fd15694 upstream.
+
+Fix the memory leakage in debuginfo__find_trace_events() when the probe
+point is not found in the debuginfo. If there is no probe point found in
+the debuginfo, debuginfo__find_probes() will NOT return -ENOENT, but 0.
+
+Thus the caller of debuginfo__find_probes() must check the tf.ntevs and
+release the allocated memory for the array of struct probe_trace_event.
+
+The current code releases the memory only if the debuginfo__find_probes()
+hits an error but not checks tf.ntevs. In the result, the memory allocated
+on *tevs are not released if tf.ntevs == 0.
+
+This fixes the memory leakage by checking tf.ntevs == 0 in addition to
+ret < 0.
+
+Fixes: ff741783506c ("perf probe: Introduce debuginfo to encapsulate dwarf information")
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Reviewed-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: stable@vger.kernel.org
+Link: http://lore.kernel.org/lkml/159438668346.62703.10887420400718492503.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/util/probe-finder.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/util/probe-finder.c
++++ b/tools/perf/util/probe-finder.c
+@@ -1467,7 +1467,7 @@ int debuginfo__find_trace_events(struct
+ if (ret >= 0 && tf.pf.skip_empty_arg)
+ ret = fill_empty_trace_arg(pev, tf.tevs, tf.ntevs);
+
+- if (ret < 0) {
++ if (ret < 0 || tf.ntevs == 0) {
+ for (i = 0; i < tf.ntevs; i++)
+ clear_probe_trace_event(&tf.tevs[i]);
+ zfree(tevs);
--- /dev/null
+From 11fd3eb874e73ee8069bcfd54e3c16fa7ce56fe6 Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Fri, 10 Jul 2020 22:11:13 +0900
+Subject: perf probe: Fix wrong variable warning when the probe point is not found
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+commit 11fd3eb874e73ee8069bcfd54e3c16fa7ce56fe6 upstream.
+
+Fix a wrong "variable not found" warning when the probe point is not
+found in the debuginfo.
+
+Since the debuginfo__find_probes() can return 0 even if it does not find
+given probe point in the debuginfo, fill_empty_trace_arg() can be called
+with tf.ntevs == 0 and it can emit a wrong warning. To fix this, reject
+ntevs == 0 in fill_empty_trace_arg().
+
+E.g. without this patch;
+
+ # perf probe -x /lib64/libc-2.30.so -a "memcpy arg1=%di"
+ Failed to find the location of the '%di' variable at this address.
+ Perhaps it has been optimized out.
+ Use -V with the --range option to show '%di' location range.
+ Added new events:
+ probe_libc:memcpy (on memcpy in /usr/lib64/libc-2.30.so with arg1=%di)
+ probe_libc:memcpy (on memcpy in /usr/lib64/libc-2.30.so with arg1=%di)
+
+ You can now use it in all perf tools, such as:
+
+ perf record -e probe_libc:memcpy -aR sleep 1
+
+With this;
+
+ # perf probe -x /lib64/libc-2.30.so -a "memcpy arg1=%di"
+ Added new events:
+ probe_libc:memcpy (on memcpy in /usr/lib64/libc-2.30.so with arg1=%di)
+ probe_libc:memcpy (on memcpy in /usr/lib64/libc-2.30.so with arg1=%di)
+
+ You can now use it in all perf tools, such as:
+
+ perf record -e probe_libc:memcpy -aR sleep 1
+
+Fixes: cb4027308570 ("perf probe: Trace a magic number if variable is not found")
+Reported-by: Andi Kleen <andi@firstfloor.org>
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Reviewed-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Tested-by: Andi Kleen <ak@linux.intel.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: stable@vger.kernel.org
+Link: http://lore.kernel.org/lkml/159438667364.62703.2200642186798763202.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/util/probe-finder.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/tools/perf/util/probe-finder.c
++++ b/tools/perf/util/probe-finder.c
+@@ -1408,6 +1408,9 @@ static int fill_empty_trace_arg(struct p
+ char *type;
+ int i, j, ret;
+
++ if (!ntevs)
++ return -ENOENT;
++
+ for (i = 0; i < pev->nargs; i++) {
+ type = NULL;
+ for (j = 0; j < ntevs; j++) {
--- /dev/null
+From 5b7be880074c73540948f8fc597e0407b98fabfa Mon Sep 17 00:00:00 2001
+From: Sibi Sankar <sibis@codeaurora.org>
+Date: Tue, 2 Jun 2020 22:02:56 +0530
+Subject: remoteproc: qcom: q6v5: Update running state before requesting stop
+
+From: Sibi Sankar <sibis@codeaurora.org>
+
+commit 5b7be880074c73540948f8fc597e0407b98fabfa upstream.
+
+Sometimes the stop triggers a watchdog rather than a stop-ack. Update
+the running state to false on requesting stop to skip the watchdog
+instead.
+
+Error Logs:
+$ echo stop > /sys/class/remoteproc/remoteproc0/state
+ipa 1e40000.ipa: received modem stopping event
+remoteproc-modem: watchdog received: sys_m_smsm_mpss.c:291:APPS force stop
+qcom-q6v5-mss 4080000.remoteproc-modem: port failed halt
+ipa 1e40000.ipa: received modem offline event
+remoteproc0: stopped remote processor 4080000.remoteproc-modem
+
+Reviewed-by: Evan Green <evgreen@chromium.org>
+Fixes: 3b415c8fb263 ("remoteproc: q6v5: Extract common resource handling")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sibi Sankar <sibis@codeaurora.org>
+Link: https://lore.kernel.org/r/20200602163257.26978-1-sibis@codeaurora.org
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/remoteproc/qcom_q6v5.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/remoteproc/qcom_q6v5.c
++++ b/drivers/remoteproc/qcom_q6v5.c
+@@ -153,6 +153,8 @@ int qcom_q6v5_request_stop(struct qcom_q
+ {
+ int ret;
+
++ q6v5->running = false;
++
+ qcom_smem_state_update_bits(q6v5->state,
+ BIT(q6v5->stop_bit), BIT(q6v5->stop_bit));
+
--- /dev/null
+From e013f455d95add874f310dc47c608e8c70692ae5 Mon Sep 17 00:00:00 2001
+From: Sibi Sankar <sibis@codeaurora.org>
+Date: Thu, 23 Jul 2020 01:40:45 +0530
+Subject: remoteproc: qcom_q6v5_mss: Validate MBA firmware size before load
+
+From: Sibi Sankar <sibis@codeaurora.org>
+
+commit e013f455d95add874f310dc47c608e8c70692ae5 upstream.
+
+The following mem abort is observed when the mba firmware size exceeds
+the allocated mba region. MBA firmware size is restricted to a maximum
+size of 1M and remaining memory region is used by modem debug policy
+firmware when available. Hence verify whether the MBA firmware size lies
+within the allocated memory region and is not greater than 1M before
+loading.
+
+Err Logs:
+Unable to handle kernel paging request at virtual address
+Mem abort info:
+...
+Call trace:
+ __memcpy+0x110/0x180
+ rproc_start+0x40/0x218
+ rproc_boot+0x5b4/0x608
+ state_store+0x54/0xf8
+ dev_attr_store+0x44/0x60
+ sysfs_kf_write+0x58/0x80
+ kernfs_fop_write+0x140/0x230
+ vfs_write+0xc4/0x208
+ ksys_write+0x74/0xf8
+ __arm64_sys_write+0x24/0x30
+...
+
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Fixes: 051fb70fd4ea4 ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sibi Sankar <sibis@codeaurora.org>
+Link: https://lore.kernel.org/r/20200722201047.12975-2-sibis@codeaurora.org
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/remoteproc/qcom_q6v5_mss.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/remoteproc/qcom_q6v5_mss.c
++++ b/drivers/remoteproc/qcom_q6v5_mss.c
+@@ -408,6 +408,12 @@ static int q6v5_load(struct rproc *rproc
+ {
+ struct q6v5 *qproc = rproc->priv;
+
++ /* MBA is restricted to a maximum size of 1M */
++ if (fw->size > qproc->mba_size || fw->size > SZ_1M) {
++ dev_err(qproc->dev, "MBA firmware load failed\n");
++ return -EINVAL;
++ }
++
+ memcpy(qproc->mba_region, fw->data, fw->size);
+
+ return 0;
--- /dev/null
+From 135b9e8d1cd8ba5ac9ad9bcf24b464b7b052e5b8 Mon Sep 17 00:00:00 2001
+From: Sibi Sankar <sibis@codeaurora.org>
+Date: Thu, 23 Jul 2020 01:40:46 +0530
+Subject: remoteproc: qcom_q6v5_mss: Validate modem blob firmware size before load
+
+From: Sibi Sankar <sibis@codeaurora.org>
+
+commit 135b9e8d1cd8ba5ac9ad9bcf24b464b7b052e5b8 upstream.
+
+The following mem abort is observed when one of the modem blob firmware
+size exceeds the allocated mpss region. Fix this by restricting the copy
+size to segment size using request_firmware_into_buf before load.
+
+Err Logs:
+Unable to handle kernel paging request at virtual address
+Mem abort info:
+...
+Call trace:
+ __memcpy+0x110/0x180
+ rproc_start+0xd0/0x190
+ rproc_boot+0x404/0x550
+ state_store+0x54/0xf8
+ dev_attr_store+0x44/0x60
+ sysfs_kf_write+0x58/0x80
+ kernfs_fop_write+0x140/0x230
+ vfs_write+0xc4/0x208
+ ksys_write+0x74/0xf8
+...
+
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Fixes: 051fb70fd4ea4 ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sibi Sankar <sibis@codeaurora.org>
+Link: https://lore.kernel.org/r/20200722201047.12975-3-sibis@codeaurora.org
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/remoteproc/qcom_q6v5_mss.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/remoteproc/qcom_q6v5_mss.c
++++ b/drivers/remoteproc/qcom_q6v5_mss.c
+@@ -1145,15 +1145,14 @@ static int q6v5_mpss_load(struct q6v5 *q
+ } else if (phdr->p_filesz) {
+ /* Replace "xxx.xxx" with "xxx.bxx" */
+ sprintf(fw_name + fw_name_len - 3, "b%02d", i);
+- ret = request_firmware(&seg_fw, fw_name, qproc->dev);
++ ret = request_firmware_into_buf(&seg_fw, fw_name, qproc->dev,
++ ptr, phdr->p_filesz);
+ if (ret) {
+ dev_err(qproc->dev, "failed to load %s\n", fw_name);
+ iounmap(ptr);
+ goto release_firmware;
+ }
+
+- memcpy(ptr, seg_fw->data, seg_fw->size);
+-
+ release_firmware(seg_fw);
+ }
+
ceph-set-sec_context-xattr-on-symlink-creation.patch
ceph-handle-zero-length-feature-mask-in-session-messages.patch
pseries-fix-64-bit-logical-memory-block-panic.patch
+dm-don-t-call-report-zones-for-more-than-the-user-requested.patch
+module-correctly-truncate-sysfs-sections-output.patch
+bootconfig-fix-to-find-the-initargs-correctly.patch
+perf-probe-fix-wrong-variable-warning-when-the-probe-point-is-not-found.patch
+perf-probe-fix-memory-leakage-when-the-probe-point-is-not-found.patch
+perf-intel-pt-fix-fup-packet-state.patch
+perf-intel-pt-fix-duplicate-branch-after-cbr.patch
+gfs2-never-call-gfs2_block_zero_range-with-an-open-transaction.patch
+remoteproc-qcom-q6v5-update-running-state-before-requesting-stop.patch
+remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch
+remoteproc-qcom_q6v5_mss-validate-modem-blob-firmware-size-before-load.patch
+drm-imx-imx-ldb-disable-both-channels-for-split-mode-in-enc-disable.patch
+drm-ingenic-fix-incorrect-assumption-about-plane-index.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
