--- /dev/null
+From 4237c625304b212a3f30adf787901082082511ec Mon Sep 17 00:00:00 2001
+From: Tim Harvey <tharvey@gateworks.com>
+Date: Tue, 23 Jun 2020 12:06:54 -0700
+Subject: ARM: dts: imx6qdl-gw551x: fix audio SSI
+
+From: Tim Harvey <tharvey@gateworks.com>
+
+commit 4237c625304b212a3f30adf787901082082511ec upstream.
+
+The audio codec on the GW551x routes to ssi1. It fixes audio capture on
+the device.
+
+Cc: stable@vger.kernel.org
+Fixes: 3117e851cef1 ("ARM: dts: imx: Add TDA19971 HDMI Receiver to GW551x")
+Signed-off-by: Tim Harvey <tharvey@gateworks.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/imx6qdl-gw551x.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/imx6qdl-gw551x.dtsi
++++ b/arch/arm/boot/dts/imx6qdl-gw551x.dtsi
+@@ -110,7 +110,7 @@
+ simple-audio-card,frame-master = <&sound_codec>;
+
+ sound_cpu: simple-audio-card,cpu {
+- sound-dai = <&ssi2>;
++ sound-dai = <&ssi1>;
+ };
+
+ sound_codec: simple-audio-card,codec {
--- /dev/null
+From 15956689a0e60aa0c795174f3c310b60d8794235 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Fri, 3 Jul 2020 12:08:42 +0100
+Subject: arm64: compat: Ensure upper 32 bits of x0 are zero on syscall return
+
+From: Will Deacon <will@kernel.org>
+
+commit 15956689a0e60aa0c795174f3c310b60d8794235 upstream.
+
+Although we zero the upper bits of x0 on entry to the kernel from an
+AArch32 task, we do not clear them on the exception return path and can
+therefore expose 64-bit sign extended syscall return values to userspace
+via interfaces such as the 'perf_regs' ABI, which deal exclusively with
+64-bit registers.
+
+Explicitly clear the upper 32 bits of x0 on return from a compat system
+call.
+
+Cc: <stable@vger.kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Keno Fischer <keno@juliacomputing.com>
+Cc: Luis Machado <luis.machado@linaro.org>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/syscall.h | 12 +++++++++++-
+ arch/arm64/kernel/syscall.c | 3 +++
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/include/asm/syscall.h
++++ b/arch/arm64/include/asm/syscall.h
+@@ -34,6 +34,10 @@ static inline long syscall_get_error(str
+ struct pt_regs *regs)
+ {
+ unsigned long error = regs->regs[0];
++
++ if (is_compat_thread(task_thread_info(task)))
++ error = sign_extend64(error, 31);
++
+ return IS_ERR_VALUE(error) ? error : 0;
+ }
+
+@@ -47,7 +51,13 @@ static inline void syscall_set_return_va
+ struct pt_regs *regs,
+ int error, long val)
+ {
+- regs->regs[0] = (long) error ? error : val;
++ if (error)
++ val = error;
++
++ if (is_compat_thread(task_thread_info(task)))
++ val = lower_32_bits(val);
++
++ regs->regs[0] = val;
+ }
+
+ #define SYSCALL_MAX_ARGS 6
+--- a/arch/arm64/kernel/syscall.c
++++ b/arch/arm64/kernel/syscall.c
+@@ -50,6 +50,9 @@ static void invoke_syscall(struct pt_reg
+ ret = do_ni_syscall(regs, scno);
+ }
+
++ if (is_compat_task())
++ ret = lower_32_bits(ret);
++
+ regs->regs[0] = ret;
+ }
+
--- /dev/null
+From 60176e6be0bb6f629b15aea7dcab5a95ecb158e9 Mon Sep 17 00:00:00 2001
+From: Dinh Nguyen <dinguyen@kernel.org>
+Date: Mon, 29 Jun 2020 11:19:21 -0500
+Subject: arm64: dts: agilex: add status to qspi dts node
+
+From: Dinh Nguyen <dinguyen@kernel.org>
+
+commit 60176e6be0bb6f629b15aea7dcab5a95ecb158e9 upstream.
+
+Add status = "okay" to QSPI node.
+
+Fixes: c4c8757b2d895 ("arm64: dts: agilex: add QSPI support for Intel Agilex")
+Cc: linux-stable <stable@vger.kernel.org> # >= v5.5
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/boot/dts/intel/socfpga_agilex_socdk.dts | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm64/boot/dts/intel/socfpga_agilex_socdk.dts
++++ b/arch/arm64/boot/dts/intel/socfpga_agilex_socdk.dts
+@@ -98,6 +98,7 @@
+ };
+
+ &qspi {
++ status = "okay";
+ flash@0 {
+ #address-cells = <1>;
+ #size-cells = <1>;
--- /dev/null
+From 263a0269a59c0b4145829462a107fe7f7327105f Mon Sep 17 00:00:00 2001
+From: Dinh Nguyen <dinguyen@kernel.org>
+Date: Mon, 29 Jun 2020 11:25:43 -0500
+Subject: arm64: dts: stratix10: add status to qspi dts node
+
+From: Dinh Nguyen <dinguyen@kernel.org>
+
+commit 263a0269a59c0b4145829462a107fe7f7327105f upstream.
+
+Add status = "okay" to QSPI node.
+
+Fixes: 0cb140d07fc75 ("arm64: dts: stratix10: Add QSPI support for Stratix10")
+Cc: linux-stable <stable@vger.kernel.org> # >= v5.6
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/boot/dts/altera/socfpga_stratix10_socdk.dts | 1 +
+ arch/arm64/boot/dts/altera/socfpga_stratix10_socdk_nand.dts | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/arch/arm64/boot/dts/altera/socfpga_stratix10_socdk.dts
++++ b/arch/arm64/boot/dts/altera/socfpga_stratix10_socdk.dts
+@@ -155,6 +155,7 @@
+ };
+
+ &qspi {
++ status = "okay";
+ flash@0 {
+ #address-cells = <1>;
+ #size-cells = <1>;
+--- a/arch/arm64/boot/dts/altera/socfpga_stratix10_socdk_nand.dts
++++ b/arch/arm64/boot/dts/altera/socfpga_stratix10_socdk_nand.dts
+@@ -188,6 +188,7 @@
+ };
+
+ &qspi {
++ status = "okay";
+ flash@0 {
+ #address-cells = <1>;
+ #size-cells = <1>;
--- /dev/null
+From 3bf9b8ffc8980c1090bdd3a5570cf42420620838 Mon Sep 17 00:00:00 2001
+From: Dinh Nguyen <dinh.nguyen@intel.com>
+Date: Mon, 29 Jun 2020 12:47:35 -0500
+Subject: arm64: dts: stratix10: increase QSPI reg address in nand dts file
+
+From: Dinh Nguyen <dinh.nguyen@intel.com>
+
+commit 3bf9b8ffc8980c1090bdd3a5570cf42420620838 upstream.
+
+Match the QSPI reg address in the socfpga_stratix10_socdk.dts file.
+
+Fixes: 80f132d73709 ("arm64: dts: increase the QSPI reg address for Stratix10 and Agilex")
+Cc: linux-stable <stable@vger.kernel.org> # >= v5.6
+Signed-off-by: Dinh Nguyen <dinh.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/boot/dts/altera/socfpga_stratix10_socdk_nand.dts | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/arm64/boot/dts/altera/socfpga_stratix10_socdk_nand.dts
++++ b/arch/arm64/boot/dts/altera/socfpga_stratix10_socdk_nand.dts
+@@ -212,12 +212,12 @@
+
+ qspi_boot: partition@0 {
+ label = "Boot and fpga data";
+- reg = <0x0 0x034B0000>;
++ reg = <0x0 0x03FE0000>;
+ };
+
+- qspi_rootfs: partition@4000000 {
++ qspi_rootfs: partition@3FE0000 {
+ label = "Root Filesystem - JFFS2";
+- reg = <0x034B0000 0x0EB50000>;
++ reg = <0x03FE0000 0x0C020000>;
+ };
+ };
+ };
--- /dev/null
+From ac2081cdc4d99c57f219c1a6171526e0fa0a6fff Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Thu, 2 Jul 2020 21:16:20 +0100
+Subject: arm64: ptrace: Consistently use pseudo-singlestep exceptions
+
+From: Will Deacon <will@kernel.org>
+
+commit ac2081cdc4d99c57f219c1a6171526e0fa0a6fff upstream.
+
+Although the arm64 single-step state machine can be fast-forwarded in
+cases where we wish to generate a SIGTRAP without actually executing an
+instruction, this has two major limitations outside of simply skipping
+an instruction due to emulation.
+
+1. Stepping out of a ptrace signal stop into a signal handler where
+ SIGTRAP is blocked. Fast-forwarding the stepping state machine in
+ this case will result in a forced SIGTRAP, with the handler reset to
+ SIG_DFL.
+
+2. The hardware implicitly fast-forwards the state machine when executing
+ an SVC instruction for issuing a system call. This can interact badly
+ with subsequent ptrace stops signalled during the execution of the
+ system call (e.g. SYSCALL_EXIT or seccomp traps), as they may corrupt
+ the stepping state by updating the PSTATE for the tracee.
+
+Resolve both of these issues by injecting a pseudo-singlestep exception
+on entry to a signal handler and also on return to userspace following a
+system call.
+
+Cc: <stable@vger.kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Tested-by: Luis Machado <luis.machado@linaro.org>
+Reported-by: Keno Fischer <keno@juliacomputing.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/thread_info.h | 1 +
+ arch/arm64/kernel/ptrace.c | 27 ++++++++++++++++++++-------
+ arch/arm64/kernel/signal.c | 11 ++---------
+ arch/arm64/kernel/syscall.c | 2 +-
+ 4 files changed, 24 insertions(+), 17 deletions(-)
+
+--- a/arch/arm64/include/asm/thread_info.h
++++ b/arch/arm64/include/asm/thread_info.h
+@@ -89,6 +89,7 @@ void arch_release_task_struct(struct tas
+ #define _TIF_SYSCALL_EMU (1 << TIF_SYSCALL_EMU)
+ #define _TIF_UPROBE (1 << TIF_UPROBE)
+ #define _TIF_FSCHECK (1 << TIF_FSCHECK)
++#define _TIF_SINGLESTEP (1 << TIF_SINGLESTEP)
+ #define _TIF_32BIT (1 << TIF_32BIT)
+ #define _TIF_SVE (1 << TIF_SVE)
+
+--- a/arch/arm64/kernel/ptrace.c
++++ b/arch/arm64/kernel/ptrace.c
+@@ -1819,12 +1819,23 @@ static void tracehook_report_syscall(str
+ saved_reg = regs->regs[regno];
+ regs->regs[regno] = dir;
+
+- if (dir == PTRACE_SYSCALL_EXIT)
++ if (dir == PTRACE_SYSCALL_ENTER) {
++ if (tracehook_report_syscall_entry(regs))
++ forget_syscall(regs);
++ regs->regs[regno] = saved_reg;
++ } else if (!test_thread_flag(TIF_SINGLESTEP)) {
+ tracehook_report_syscall_exit(regs, 0);
+- else if (tracehook_report_syscall_entry(regs))
+- forget_syscall(regs);
+-
+- regs->regs[regno] = saved_reg;
++ regs->regs[regno] = saved_reg;
++ } else {
++ regs->regs[regno] = saved_reg;
++
++ /*
++ * Signal a pseudo-step exception since we are stepping but
++ * tracer modifications to the registers may have rewound the
++ * state machine.
++ */
++ tracehook_report_syscall_exit(regs, 1);
++ }
+ }
+
+ int syscall_trace_enter(struct pt_regs *regs)
+@@ -1852,12 +1863,14 @@ int syscall_trace_enter(struct pt_regs *
+
+ void syscall_trace_exit(struct pt_regs *regs)
+ {
++ unsigned long flags = READ_ONCE(current_thread_info()->flags);
++
+ audit_syscall_exit(regs);
+
+- if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
++ if (flags & _TIF_SYSCALL_TRACEPOINT)
+ trace_sys_exit(regs, regs_return_value(regs));
+
+- if (test_thread_flag(TIF_SYSCALL_TRACE))
++ if (flags & (_TIF_SYSCALL_TRACE | _TIF_SINGLESTEP))
+ tracehook_report_syscall(regs, PTRACE_SYSCALL_EXIT);
+
+ rseq_syscall(regs);
+--- a/arch/arm64/kernel/signal.c
++++ b/arch/arm64/kernel/signal.c
+@@ -784,7 +784,6 @@ static void setup_restart_syscall(struct
+ */
+ static void handle_signal(struct ksignal *ksig, struct pt_regs *regs)
+ {
+- struct task_struct *tsk = current;
+ sigset_t *oldset = sigmask_to_save();
+ int usig = ksig->sig;
+ int ret;
+@@ -808,14 +807,8 @@ static void handle_signal(struct ksignal
+ */
+ ret |= !valid_user_regs(®s->user_regs, current);
+
+- /*
+- * Fast forward the stepping logic so we step into the signal
+- * handler.
+- */
+- if (!ret)
+- user_fastforward_single_step(tsk);
+-
+- signal_setup_done(ret, ksig, 0);
++ /* Step into the signal handler if we are stepping */
++ signal_setup_done(ret, ksig, test_thread_flag(TIF_SINGLESTEP));
+ }
+
+ /*
+--- a/arch/arm64/kernel/syscall.c
++++ b/arch/arm64/kernel/syscall.c
+@@ -121,7 +121,7 @@ static void el0_svc_common(struct pt_reg
+ if (!has_syscall_work(flags) && !IS_ENABLED(CONFIG_DEBUG_RSEQ)) {
+ local_daif_mask();
+ flags = current_thread_info()->flags;
+- if (!has_syscall_work(flags)) {
++ if (!has_syscall_work(flags) && !(flags & _TIF_SINGLESTEP)) {
+ /*
+ * We're off to userspace, where interrupts are
+ * always enabled after we restore the flags from
--- /dev/null
+From 3a5a4366cecc25daa300b9a9174f7fdd352b9068 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Thu, 13 Feb 2020 12:06:26 +0000
+Subject: arm64: ptrace: Override SPSR.SS when single-stepping is enabled
+
+From: Will Deacon <will@kernel.org>
+
+commit 3a5a4366cecc25daa300b9a9174f7fdd352b9068 upstream.
+
+Luis reports that, when reverse debugging with GDB, single-step does not
+function as expected on arm64:
+
+ | I've noticed, under very specific conditions, that a PTRACE_SINGLESTEP
+ | request by GDB won't execute the underlying instruction. As a consequence,
+ | the PC doesn't move, but we return a SIGTRAP just like we would for a
+ | regular successful PTRACE_SINGLESTEP request.
+
+The underlying problem is that when the CPU register state is restored
+as part of a reverse step, the SPSR.SS bit is cleared and so the hardware
+single-step state can transition to the "active-pending" state, causing
+an unexpected step exception to be taken immediately if a step operation
+is attempted.
+
+In hindsight, we probably shouldn't have exposed SPSR.SS in the pstate
+accessible by the GPR regset, but it's a bit late for that now. Instead,
+simply prevent userspace from configuring the bit to a value which is
+inconsistent with the TIF_SINGLESTEP state for the task being traced.
+
+Cc: <stable@vger.kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Keno Fischer <keno@juliacomputing.com>
+Link: https://lore.kernel.org/r/1eed6d69-d53d-9657-1fc9-c089be07f98c@linaro.org
+Reported-by: Luis Machado <luis.machado@linaro.org>
+Tested-by: Luis Machado <luis.machado@linaro.org>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/debug-monitors.h | 2 ++
+ arch/arm64/kernel/debug-monitors.c | 20 ++++++++++++++++----
+ arch/arm64/kernel/ptrace.c | 4 ++--
+ 3 files changed, 20 insertions(+), 6 deletions(-)
+
+--- a/arch/arm64/include/asm/debug-monitors.h
++++ b/arch/arm64/include/asm/debug-monitors.h
+@@ -109,6 +109,8 @@ void disable_debug_monitors(enum dbg_act
+
+ void user_rewind_single_step(struct task_struct *task);
+ void user_fastforward_single_step(struct task_struct *task);
++void user_regs_reset_single_step(struct user_pt_regs *regs,
++ struct task_struct *task);
+
+ void kernel_enable_single_step(struct pt_regs *regs);
+ void kernel_disable_single_step(void);
+--- a/arch/arm64/kernel/debug-monitors.c
++++ b/arch/arm64/kernel/debug-monitors.c
+@@ -141,17 +141,20 @@ postcore_initcall(debug_monitors_init);
+ /*
+ * Single step API and exception handling.
+ */
+-static void set_regs_spsr_ss(struct pt_regs *regs)
++static void set_user_regs_spsr_ss(struct user_pt_regs *regs)
+ {
+ regs->pstate |= DBG_SPSR_SS;
+ }
+-NOKPROBE_SYMBOL(set_regs_spsr_ss);
++NOKPROBE_SYMBOL(set_user_regs_spsr_ss);
+
+-static void clear_regs_spsr_ss(struct pt_regs *regs)
++static void clear_user_regs_spsr_ss(struct user_pt_regs *regs)
+ {
+ regs->pstate &= ~DBG_SPSR_SS;
+ }
+-NOKPROBE_SYMBOL(clear_regs_spsr_ss);
++NOKPROBE_SYMBOL(clear_user_regs_spsr_ss);
++
++#define set_regs_spsr_ss(r) set_user_regs_spsr_ss(&(r)->user_regs)
++#define clear_regs_spsr_ss(r) clear_user_regs_spsr_ss(&(r)->user_regs)
+
+ static DEFINE_SPINLOCK(debug_hook_lock);
+ static LIST_HEAD(user_step_hook);
+@@ -404,6 +407,15 @@ void user_fastforward_single_step(struct
+ clear_regs_spsr_ss(task_pt_regs(task));
+ }
+
++void user_regs_reset_single_step(struct user_pt_regs *regs,
++ struct task_struct *task)
++{
++ if (test_tsk_thread_flag(task, TIF_SINGLESTEP))
++ set_user_regs_spsr_ss(regs);
++ else
++ clear_user_regs_spsr_ss(regs);
++}
++
+ /* Kernel API */
+ void kernel_enable_single_step(struct pt_regs *regs)
+ {
+--- a/arch/arm64/kernel/ptrace.c
++++ b/arch/arm64/kernel/ptrace.c
+@@ -1935,8 +1935,8 @@ static int valid_native_regs(struct user
+ */
+ int valid_user_regs(struct user_pt_regs *regs, struct task_struct *task)
+ {
+- if (!test_tsk_thread_flag(task, TIF_SINGLESTEP))
+- regs->pstate &= ~DBG_SPSR_SS;
++ /* https://lore.kernel.org/lkml/20191118131525.GA4180@willie-the-truck */
++ user_regs_reset_single_step(regs, task);
+
+ if (is_compat_thread(task_thread_info(task)))
+ return valid_compat_regs(regs);
--- /dev/null
+From 9b6a3f3633a5cc928b78627764793b60cb62e0f6 Mon Sep 17 00:00:00 2001
+From: Mike Leach <mike.leach@linaro.org>
+Date: Wed, 1 Jul 2020 10:08:52 -0600
+Subject: coresight: etmv4: Fix CPU power management setup in probe() function
+
+From: Mike Leach <mike.leach@linaro.org>
+
+commit 9b6a3f3633a5cc928b78627764793b60cb62e0f6 upstream.
+
+The current probe() function calls a pair of cpuhp_xxx API functions to
+setup CPU hotplug handling. The hotplug lock is held for the duration of
+the two calls and other CPU related code using cpus_read_lock() /
+cpus_read_unlock() calls.
+
+The problem is that on error states, goto: statements bypass the
+cpus_read_unlock() call. This code has increased in complexity as the
+driver has developed.
+
+This patch introduces a pair of helper functions etm4_pm_setup_cpuslocked()
+and etm4_pm_clear() which correct the issues above and group the PM code a
+little better.
+
+The two functions etm4_cpu_pm_register() and etm4_cpu_pm_unregister() are
+dropped as these call cpu_pm_register_notifier() / ..unregister_notifier()
+dependent on CONFIG_CPU_PM - but this define is used to nop these functions
+out in the pm headers - so the wrapper functions are superfluous.
+
+Fixes: f188b5e76aae ("coresight: etm4x: Save/restore state across CPU low power states")
+Fixes: e9f5d63f84fe ("hwtracing/coresight-etm4x: Use cpuhp_setup_state_nocalls_cpuslocked()")
+Fixes: 58eb457be028 ("hwtracing/coresight-etm4x: Convert to hotplug state machine")
+Signed-off-by: Mike Leach <mike.leach@linaro.org>
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Link: https://lore.kernel.org/r/20200701160852.2782823-3-mathieu.poirier@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/coresight/coresight-etm4x.c | 82 ++++++++++++++++----------
+ 1 file changed, 53 insertions(+), 29 deletions(-)
+
+--- a/drivers/hwtracing/coresight/coresight-etm4x.c
++++ b/drivers/hwtracing/coresight/coresight-etm4x.c
+@@ -1399,18 +1399,57 @@ static struct notifier_block etm4_cpu_pm
+ .notifier_call = etm4_cpu_pm_notify,
+ };
+
+-static int etm4_cpu_pm_register(void)
++/* Setup PM. Called with cpus locked. Deals with error conditions and counts */
++static int etm4_pm_setup_cpuslocked(void)
+ {
+- if (IS_ENABLED(CONFIG_CPU_PM))
+- return cpu_pm_register_notifier(&etm4_cpu_pm_nb);
++ int ret;
+
+- return 0;
++ if (etm4_count++)
++ return 0;
++
++ ret = cpu_pm_register_notifier(&etm4_cpu_pm_nb);
++ if (ret)
++ goto reduce_count;
++
++ ret = cpuhp_setup_state_nocalls_cpuslocked(CPUHP_AP_ARM_CORESIGHT_STARTING,
++ "arm/coresight4:starting",
++ etm4_starting_cpu, etm4_dying_cpu);
++
++ if (ret)
++ goto unregister_notifier;
++
++ ret = cpuhp_setup_state_nocalls_cpuslocked(CPUHP_AP_ONLINE_DYN,
++ "arm/coresight4:online",
++ etm4_online_cpu, NULL);
++
++ /* HP dyn state ID returned in ret on success */
++ if (ret > 0) {
++ hp_online = ret;
++ return 0;
++ }
++
++ /* failed dyn state - remove others */
++ cpuhp_remove_state_nocalls_cpuslocked(CPUHP_AP_ARM_CORESIGHT_STARTING);
++
++unregister_notifier:
++ cpu_pm_unregister_notifier(&etm4_cpu_pm_nb);
++
++reduce_count:
++ --etm4_count;
++ return ret;
+ }
+
+-static void etm4_cpu_pm_unregister(void)
++static void etm4_pm_clear(void)
+ {
+- if (IS_ENABLED(CONFIG_CPU_PM))
+- cpu_pm_unregister_notifier(&etm4_cpu_pm_nb);
++ if (--etm4_count != 0)
++ return;
++
++ cpu_pm_unregister_notifier(&etm4_cpu_pm_nb);
++ cpuhp_remove_state_nocalls(CPUHP_AP_ARM_CORESIGHT_STARTING);
++ if (hp_online) {
++ cpuhp_remove_state_nocalls(hp_online);
++ hp_online = 0;
++ }
+ }
+
+ static int etm4_probe(struct amba_device *adev, const struct amba_id *id)
+@@ -1464,24 +1503,15 @@ static int etm4_probe(struct amba_device
+ etm4_init_arch_data, drvdata, 1))
+ dev_err(dev, "ETM arch init failed\n");
+
+- if (!etm4_count++) {
+- cpuhp_setup_state_nocalls_cpuslocked(CPUHP_AP_ARM_CORESIGHT_STARTING,
+- "arm/coresight4:starting",
+- etm4_starting_cpu, etm4_dying_cpu);
+- ret = cpuhp_setup_state_nocalls_cpuslocked(CPUHP_AP_ONLINE_DYN,
+- "arm/coresight4:online",
+- etm4_online_cpu, NULL);
+- if (ret < 0)
+- goto err_arch_supported;
+- hp_online = ret;
++ ret = etm4_pm_setup_cpuslocked();
++ cpus_read_unlock();
+
+- ret = etm4_cpu_pm_register();
+- if (ret)
+- goto err_arch_supported;
++ /* etm4_pm_setup_cpuslocked() does its own cleanup - exit on error */
++ if (ret) {
++ etmdrvdata[drvdata->cpu] = NULL;
++ return ret;
+ }
+
+- cpus_read_unlock();
+-
+ if (etm4_arch_supported(drvdata->arch) == false) {
+ ret = -EINVAL;
+ goto err_arch_supported;
+@@ -1528,13 +1558,7 @@ static int etm4_probe(struct amba_device
+
+ err_arch_supported:
+ etmdrvdata[drvdata->cpu] = NULL;
+- if (--etm4_count == 0) {
+- etm4_cpu_pm_unregister();
+-
+- cpuhp_remove_state_nocalls(CPUHP_AP_ARM_CORESIGHT_STARTING);
+- if (hp_online)
+- cpuhp_remove_state_nocalls(hp_online);
+- }
++ etm4_pm_clear();
+ return ret;
+ }
+
--- /dev/null
+From 6348dd291e3653534a9e28e6917569bc9967b35b Mon Sep 17 00:00:00 2001
+From: Charan Teja Kalla <charante@codeaurora.org>
+Date: Fri, 19 Jun 2020 17:27:19 +0530
+Subject: dmabuf: use spinlock to access dmabuf->name
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Charan Teja Kalla <charante@codeaurora.org>
+
+commit 6348dd291e3653534a9e28e6917569bc9967b35b upstream.
+
+There exists a sleep-while-atomic bug while accessing the dmabuf->name
+under mutex in the dmabuffs_dname(). This is caused from the SELinux
+permissions checks on a process where it tries to validate the inherited
+files from fork() by traversing them through iterate_fd() (which
+traverse files under spin_lock) and call
+match_file(security/selinux/hooks.c) where the permission checks happen.
+This audit information is logged using dump_common_audit_data() where it
+calls d_path() to get the file path name. If the file check happen on
+the dmabuf's fd, then it ends up in ->dmabuffs_dname() and use mutex to
+access dmabuf->name. The flow will be like below:
+flush_unauthorized_files()
+ iterate_fd()
+ spin_lock() --> Start of the atomic section.
+ match_file()
+ file_has_perm()
+ avc_has_perm()
+ avc_audit()
+ slow_avc_audit()
+ common_lsm_audit()
+ dump_common_audit_data()
+ audit_log_d_path()
+ d_path()
+ dmabuffs_dname()
+ mutex_lock()--> Sleep while atomic.
+
+Call trace captured (on 4.19 kernels) is below:
+___might_sleep+0x204/0x208
+__might_sleep+0x50/0x88
+__mutex_lock_common+0x5c/0x1068
+__mutex_lock_common+0x5c/0x1068
+mutex_lock_nested+0x40/0x50
+dmabuffs_dname+0xa0/0x170
+d_path+0x84/0x290
+audit_log_d_path+0x74/0x130
+common_lsm_audit+0x334/0x6e8
+slow_avc_audit+0xb8/0xf8
+avc_has_perm+0x154/0x218
+file_has_perm+0x70/0x180
+match_file+0x60/0x78
+iterate_fd+0x128/0x168
+selinux_bprm_committing_creds+0x178/0x248
+security_bprm_committing_creds+0x30/0x48
+install_exec_creds+0x1c/0x68
+load_elf_binary+0x3a4/0x14e0
+search_binary_handler+0xb0/0x1e0
+
+So, use spinlock to access dmabuf->name to avoid sleep-while-atomic.
+
+Cc: <stable@vger.kernel.org> [5.3+]
+Signed-off-by: Charan Teja Kalla <charante@codeaurora.org>
+Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Acked-by: Christian König <christian.koenig@amd.com>
+ [sumits: added comment to spinlock_t definition to avoid warning]
+Signed-off-by: Sumit Semwal <sumit.semwal@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/a83e7f0d-4e54-9848-4b58-e1acdbe06735@codeaurora.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma-buf/dma-buf.c | 11 +++++++----
+ include/linux/dma-buf.h | 1 +
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/dma-buf/dma-buf.c
++++ b/drivers/dma-buf/dma-buf.c
+@@ -45,10 +45,10 @@ static char *dmabuffs_dname(struct dentr
+ size_t ret = 0;
+
+ dmabuf = dentry->d_fsdata;
+- dma_resv_lock(dmabuf->resv, NULL);
++ spin_lock(&dmabuf->name_lock);
+ if (dmabuf->name)
+ ret = strlcpy(name, dmabuf->name, DMA_BUF_NAME_LEN);
+- dma_resv_unlock(dmabuf->resv);
++ spin_unlock(&dmabuf->name_lock);
+
+ return dynamic_dname(dentry, buffer, buflen, "/%s:%s",
+ dentry->d_name.name, ret > 0 ? name : "");
+@@ -338,8 +338,10 @@ static long dma_buf_set_name(struct dma_
+ kfree(name);
+ goto out_unlock;
+ }
++ spin_lock(&dmabuf->name_lock);
+ kfree(dmabuf->name);
+ dmabuf->name = name;
++ spin_unlock(&dmabuf->name_lock);
+
+ out_unlock:
+ dma_resv_unlock(dmabuf->resv);
+@@ -402,10 +404,10 @@ static void dma_buf_show_fdinfo(struct s
+ /* Don't count the temporary reference taken inside procfs seq_show */
+ seq_printf(m, "count:\t%ld\n", file_count(dmabuf->file) - 1);
+ seq_printf(m, "exp_name:\t%s\n", dmabuf->exp_name);
+- dma_resv_lock(dmabuf->resv, NULL);
++ spin_lock(&dmabuf->name_lock);
+ if (dmabuf->name)
+ seq_printf(m, "name:\t%s\n", dmabuf->name);
+- dma_resv_unlock(dmabuf->resv);
++ spin_unlock(&dmabuf->name_lock);
+ }
+
+ static const struct file_operations dma_buf_fops = {
+@@ -542,6 +544,7 @@ struct dma_buf *dma_buf_export(const str
+ dmabuf->size = exp_info->size;
+ dmabuf->exp_name = exp_info->exp_name;
+ dmabuf->owner = exp_info->owner;
++ spin_lock_init(&dmabuf->name_lock);
+ init_waitqueue_head(&dmabuf->poll);
+ dmabuf->cb_excl.poll = dmabuf->cb_shared.poll = &dmabuf->poll;
+ dmabuf->cb_excl.active = dmabuf->cb_shared.active = 0;
+--- a/include/linux/dma-buf.h
++++ b/include/linux/dma-buf.h
+@@ -311,6 +311,7 @@ struct dma_buf {
+ void *vmap_ptr;
+ const char *exp_name;
+ const char *name;
++ spinlock_t name_lock; /* spinlock to protect name access */
+ struct module *owner;
+ struct list_head list_node;
+ void *priv;
--- /dev/null
+From e142087b15960a4e1e5932942e5abae1f49d2318 Mon Sep 17 00:00:00 2001
+From: Robin Gong <yibin.gong@nxp.com>
+Date: Tue, 30 Jun 2020 00:59:58 +0800
+Subject: dmaengine: fsl-edma-common: correct DSIZE_32BYTE
+
+From: Robin Gong <yibin.gong@nxp.com>
+
+commit e142087b15960a4e1e5932942e5abae1f49d2318 upstream.
+
+Correct EDMA_TCD_ATTR_DSIZE_32BYTE define since it's broken by the below:
+'0x0005 --> BIT(3) | BIT(0))'
+
+Fixes: 4d6d3a90e4ac ("dmaengine: fsl-edma: fix macros")
+Signed-off-by: Robin Gong <yibin.gong@nxp.com>
+Tested-by: Angelo Dureghello <angelo@sysam.it>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/1593449998-32091-1-git-send-email-yibin.gong@nxp.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/fsl-edma-common.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma/fsl-edma-common.h
++++ b/drivers/dma/fsl-edma-common.h
+@@ -33,7 +33,7 @@
+ #define EDMA_TCD_ATTR_DSIZE_16BIT BIT(0)
+ #define EDMA_TCD_ATTR_DSIZE_32BIT BIT(1)
+ #define EDMA_TCD_ATTR_DSIZE_64BIT (BIT(0) | BIT(1))
+-#define EDMA_TCD_ATTR_DSIZE_32BYTE (BIT(3) | BIT(0))
++#define EDMA_TCD_ATTR_DSIZE_32BYTE (BIT(2) | BIT(0))
+ #define EDMA_TCD_ATTR_SSIZE_8BIT 0
+ #define EDMA_TCD_ATTR_SSIZE_16BIT (EDMA_TCD_ATTR_DSIZE_16BIT << 8)
+ #define EDMA_TCD_ATTR_SSIZE_32BIT (EDMA_TCD_ATTR_DSIZE_32BIT << 8)
--- /dev/null
+From f5e5677c420346b4e9788051c2e4d750996c428c Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Thu, 11 Jun 2020 14:17:41 +0200
+Subject: dmaengine: fsl-edma: Fix NULL pointer exception in fsl_edma_tx_handler
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+commit f5e5677c420346b4e9788051c2e4d750996c428c upstream.
+
+NULL pointer exception happens occasionally on serial output initiated
+by login timeout. This was reproduced only if kernel was built with
+significant debugging options and EDMA driver is used with serial
+console.
+
+ col-vf50 login: root
+ Password:
+ Login timed out after 60 seconds.
+ Unable to handle kernel NULL pointer dereference at virtual address 00000044
+ Internal error: Oops: 5 [#1] ARM
+ CPU: 0 PID: 157 Comm: login Not tainted 5.7.0-next-20200610-dirty #4
+ Hardware name: Freescale Vybrid VF5xx/VF6xx (Device Tree)
+ (fsl_edma_tx_handler) from [<8016eb10>] (__handle_irq_event_percpu+0x64/0x304)
+ (__handle_irq_event_percpu) from [<8016eddc>] (handle_irq_event_percpu+0x2c/0x7c)
+ (handle_irq_event_percpu) from [<8016ee64>] (handle_irq_event+0x38/0x5c)
+ (handle_irq_event) from [<801729e4>] (handle_fasteoi_irq+0xa4/0x160)
+ (handle_fasteoi_irq) from [<8016ddcc>] (generic_handle_irq+0x34/0x44)
+ (generic_handle_irq) from [<8016e40c>] (__handle_domain_irq+0x54/0xa8)
+ (__handle_domain_irq) from [<80508bc8>] (gic_handle_irq+0x4c/0x80)
+ (gic_handle_irq) from [<80100af0>] (__irq_svc+0x70/0x98)
+ Exception stack(0x8459fe80 to 0x8459fec8)
+ fe80: 72286b00 e3359f64 00000001 0000412d a0070013 85c98840 85c98840 a0070013
+ fea0: 8054e0d4 00000000 00000002 00000000 00000002 8459fed0 8081fbe8 8081fbec
+ fec0: 60070013 ffffffff
+ (__irq_svc) from [<8081fbec>] (_raw_spin_unlock_irqrestore+0x30/0x58)
+ (_raw_spin_unlock_irqrestore) from [<8056cb48>] (uart_flush_buffer+0x88/0xf8)
+ (uart_flush_buffer) from [<80554e60>] (tty_ldisc_hangup+0x38/0x1ac)
+ (tty_ldisc_hangup) from [<8054c7f4>] (__tty_hangup+0x158/0x2bc)
+ (__tty_hangup) from [<80557b90>] (disassociate_ctty.part.1+0x30/0x23c)
+ (disassociate_ctty.part.1) from [<8011fc18>] (do_exit+0x580/0xba0)
+ (do_exit) from [<801214f8>] (do_group_exit+0x3c/0xb4)
+ (do_group_exit) from [<80121580>] (__wake_up_parent+0x0/0x14)
+
+Issue looks like race condition between interrupt handler fsl_edma_tx_handler()
+(called as result of fsl_edma_xfer_desc()) and terminating the transfer with
+fsl_edma_terminate_all().
+
+The fsl_edma_tx_handler() handles interrupt for a transfer with already freed
+edesc and idle==true.
+
+Fixes: d6be34fbd39b ("dma: Add Freescale eDMA engine driver support")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Reviewed-by: Robin Gong <yibin.gong@nxp.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/1591877861-28156-2-git-send-email-krzk@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/fsl-edma.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/dma/fsl-edma.c
++++ b/drivers/dma/fsl-edma.c
+@@ -45,6 +45,13 @@ static irqreturn_t fsl_edma_tx_handler(i
+ fsl_chan = &fsl_edma->chans[ch];
+
+ spin_lock(&fsl_chan->vchan.lock);
++
++ if (!fsl_chan->edesc) {
++ /* terminate_all called before */
++ spin_unlock(&fsl_chan->vchan.lock);
++ continue;
++ }
++
+ if (!fsl_chan->edesc->iscyclic) {
+ list_del(&fsl_chan->edesc->vdesc.node);
+ vchan_cookie_complete(&fsl_chan->edesc->vdesc);
--- /dev/null
+From 8995aa3d164ddd9200e6abcf25c449cf5298c858 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Thu, 11 Jun 2020 15:21:05 +0200
+Subject: dmaengine: mcf-edma: Fix NULL pointer exception in mcf_edma_tx_handler
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+commit 8995aa3d164ddd9200e6abcf25c449cf5298c858 upstream.
+
+On Toradex Colibri VF50 (Vybrid VF5xx) with fsl-edma driver NULL pointer
+exception happens occasionally on serial output initiated by login
+timeout.
+
+This was reproduced only if kernel was built with significant debugging
+options and EDMA driver is used with serial console.
+
+Issue looks like a race condition between interrupt handler
+fsl_edma_tx_handler() (called as a result of fsl_edma_xfer_desc()) and
+terminating the transfer with fsl_edma_terminate_all().
+
+The fsl_edma_tx_handler() handles interrupt for a transfer with already
+freed edesc and idle==true.
+
+The mcf-edma driver shares design and lot of code with fsl-edma. It
+looks like being affected by same problem. Fix this pattern the same
+way as fix for fsl-edma driver.
+
+Fixes: e7a3ff92eaf1 ("dmaengine: fsl-edma: add ColdFire mcf5441x edma support")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Reviewed-by: Robin Gong <yibin.gong@nxp.com>
+Link: https://lore.kernel.org/r/1591881665-25592-1-git-send-email-krzk@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/mcf-edma.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/dma/mcf-edma.c
++++ b/drivers/dma/mcf-edma.c
+@@ -35,6 +35,13 @@ static irqreturn_t mcf_edma_tx_handler(i
+ mcf_chan = &mcf_edma->chans[ch];
+
+ spin_lock(&mcf_chan->vchan.lock);
++
++ if (!mcf_chan->edesc) {
++ /* terminate_all called before */
++ spin_unlock(&mcf_chan->vchan.lock);
++ continue;
++ }
++
+ if (!mcf_chan->edesc->iscyclic) {
+ list_del(&mcf_chan->edesc->vdesc.node);
+ vchan_cookie_complete(&mcf_chan->edesc->vdesc);
--- /dev/null
+From be73e608ae2711dc8a1ab8b9549d9e348061b2ee Mon Sep 17 00:00:00 2001
+From: Josip Pavic <Josip.Pavic@amd.com>
+Date: Mon, 6 Jul 2020 15:43:39 -0400
+Subject: drm/amd/display: handle failed allocation during stream construction
+
+From: Josip Pavic <Josip.Pavic@amd.com>
+
+commit be73e608ae2711dc8a1ab8b9549d9e348061b2ee upstream.
+
+[Why]
+Failing to allocate a transfer function during stream construction leads
+to a null pointer dereference
+
+[How]
+Handle the failed allocation by failing the stream construction
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Josip Pavic <Josip.Pavic@amd.com>
+Reviewed-by: Aric Cyr <Aric.Cyr@amd.com>
+Acked-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/display/dc/core/dc_stream.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
+@@ -56,7 +56,7 @@ void update_stream_signal(struct dc_stre
+ }
+ }
+
+-static void dc_stream_construct(struct dc_stream_state *stream,
++static bool dc_stream_construct(struct dc_stream_state *stream,
+ struct dc_sink *dc_sink_data)
+ {
+ uint32_t i = 0;
+@@ -118,11 +118,17 @@ static void dc_stream_construct(struct d
+ update_stream_signal(stream, dc_sink_data);
+
+ stream->out_transfer_func = dc_create_transfer_func();
++ if (stream->out_transfer_func == NULL) {
++ dc_sink_release(dc_sink_data);
++ return false;
++ }
+ stream->out_transfer_func->type = TF_TYPE_BYPASS;
+ stream->out_transfer_func->ctx = stream->ctx;
+
+ stream->stream_id = stream->ctx->dc_stream_id_count;
+ stream->ctx->dc_stream_id_count++;
++
++ return true;
+ }
+
+ static void dc_stream_destruct(struct dc_stream_state *stream)
+@@ -164,13 +170,20 @@ struct dc_stream_state *dc_create_stream
+
+ stream = kzalloc(sizeof(struct dc_stream_state), GFP_KERNEL);
+ if (stream == NULL)
+- return NULL;
++ goto alloc_fail;
+
+- dc_stream_construct(stream, sink);
++ if (dc_stream_construct(stream, sink) == false)
++ goto construct_fail;
+
+ kref_init(&stream->refcount);
+
+ return stream;
++
++construct_fail:
++ kfree(stream);
++
++alloc_fail:
++ return NULL;
+ }
+
+ struct dc_stream_state *dc_copy_stream(const struct dc_stream_state *stream)
--- /dev/null
+From b448d30b0c303d5454ea572b772d1ffae96bc6e7 Mon Sep 17 00:00:00 2001
+From: hersen wu <hersenxs.wu@amd.com>
+Date: Mon, 22 Jun 2020 13:29:16 -0400
+Subject: drm/amd/display: OLED panel backlight adjust not work with external display connected
+
+From: hersen wu <hersenxs.wu@amd.com>
+
+commit b448d30b0c303d5454ea572b772d1ffae96bc6e7 upstream.
+
+[Why]
+amdgpu_dm->backlight_caps is for single eDP only. the caps are upddated
+for very connector. Real eDP caps will be overwritten by other external
+display. For OLED panel, caps->aux_support is set to 1 for OLED pnael.
+after external connected, caps+.aux_support is set to 0. This causes
+OLED backlight adjustment not work.
+
+[How]
+within update_conector_ext_caps, backlight caps will be updated only for
+eDP connector.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: hersen wu <hersenxs.wu@amd.com>
+Reviewed-by: Nicholas Kazlauskas <Nicholas.Kazlauskas@amd.com>
+Acked-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -1804,6 +1804,7 @@ static void update_connector_ext_caps(st
+ struct amdgpu_display_manager *dm;
+ struct drm_connector *conn_base;
+ struct amdgpu_device *adev;
++ struct dc_link *link = NULL;
+ static const u8 pre_computed_values[] = {
+ 50, 51, 52, 53, 55, 56, 57, 58, 59, 61, 62, 63, 65, 66, 68, 69,
+ 71, 72, 74, 75, 77, 79, 81, 82, 84, 86, 88, 90, 92, 94, 96, 98};
+@@ -1811,6 +1812,10 @@ static void update_connector_ext_caps(st
+ if (!aconnector || !aconnector->dc_link)
+ return;
+
++ link = aconnector->dc_link;
++ if (link->connector_signal != SIGNAL_TYPE_EDP)
++ return;
++
+ conn_base = &aconnector->base;
+ adev = conn_base->dev->dev_private;
+ dm = &adev->dm;
--- /dev/null
+From 3168470142e0a82b5732c04ed4c031a9322ae170 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Fri, 10 Jul 2020 17:50:00 -0400
+Subject: drm/amdgpu/display: create fake mst encoders ahead of time (v4)
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 3168470142e0a82b5732c04ed4c031a9322ae170 upstream.
+
+Prevents a warning in the MST create connector case.
+
+v2: create global fake encoders rather per connector fake encoders
+to avoid running out of encoder indices.
+
+v3: use the actual number of crtcs on the asic rather than the max
+to conserve encoders.
+
+v4: v3 plus missing hunk I forgot to git add.
+
+Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1108
+Fixes: c6385e503aeaf9 ("drm/amdgpu: drop legacy drm load and unload callbacks")
+Reviewed-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org # 5.7.x
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 9 +
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h | 11 ++
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 57 +++++-------
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.h | 3
+ 4 files changed, 50 insertions(+), 30 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -956,6 +956,9 @@ static int amdgpu_dm_init(struct amdgpu_
+ /* Update the actual used number of crtc */
+ adev->mode_info.num_crtc = adev->dm.display_indexes_num;
+
++ /* create fake encoders for MST */
++ dm_dp_create_fake_mst_encoders(adev);
++
+ /* TODO: Add_display_info? */
+
+ /* TODO use dynamic cursor width */
+@@ -979,6 +982,12 @@ error:
+
+ static void amdgpu_dm_fini(struct amdgpu_device *adev)
+ {
++ int i;
++
++ for (i = 0; i < adev->dm.display_indexes_num; i++) {
++ drm_encoder_cleanup(&adev->dm.mst_encoders[i].base);
++ }
++
+ amdgpu_dm_audio_fini(adev);
+
+ amdgpu_dm_destroy_drm_device(&adev->dm);
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h
+@@ -43,6 +43,9 @@
+ */
+
+ #define AMDGPU_DM_MAX_DISPLAY_INDEX 31
++
++#define AMDGPU_DM_MAX_CRTC 6
++
+ /*
+ #include "include/amdgpu_dal_power_if.h"
+ #include "amdgpu_dm_irq.h"
+@@ -327,6 +330,13 @@ struct amdgpu_display_manager {
+ * available in FW
+ */
+ const struct gpu_info_soc_bounding_box_v1_0 *soc_bounding_box;
++
++ /**
++ * @mst_encoders:
++ *
++ * fake encoders used for DP MST.
++ */
++ struct amdgpu_encoder mst_encoders[AMDGPU_DM_MAX_CRTC];
+ };
+
+ struct amdgpu_dm_connector {
+@@ -355,7 +365,6 @@ struct amdgpu_dm_connector {
+ struct amdgpu_dm_dp_aux dm_dp_aux;
+ struct drm_dp_mst_port *port;
+ struct amdgpu_dm_connector *mst_port;
+- struct amdgpu_encoder *mst_encoder;
+ struct drm_dp_aux *dsc_aux;
+
+ /* TODO see if we can merge with ddc_bus or make a dm_connector */
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
+@@ -137,13 +137,10 @@ static void
+ dm_dp_mst_connector_destroy(struct drm_connector *connector)
+ {
+ struct amdgpu_dm_connector *amdgpu_dm_connector = to_amdgpu_dm_connector(connector);
+- struct amdgpu_encoder *amdgpu_encoder = amdgpu_dm_connector->mst_encoder;
+
+ kfree(amdgpu_dm_connector->edid);
+ amdgpu_dm_connector->edid = NULL;
+
+- drm_encoder_cleanup(&amdgpu_encoder->base);
+- kfree(amdgpu_encoder);
+ drm_connector_cleanup(connector);
+ drm_dp_mst_put_port_malloc(amdgpu_dm_connector->port);
+ kfree(amdgpu_dm_connector);
+@@ -280,7 +277,11 @@ static struct drm_encoder *
+ dm_mst_atomic_best_encoder(struct drm_connector *connector,
+ struct drm_connector_state *connector_state)
+ {
+- return &to_amdgpu_dm_connector(connector)->mst_encoder->base;
++ struct drm_device *dev = connector->dev;
++ struct amdgpu_device *adev = dev->dev_private;
++ struct amdgpu_crtc *acrtc = to_amdgpu_crtc(connector_state->crtc);
++
++ return &adev->dm.mst_encoders[acrtc->crtc_id].base;
+ }
+
+ static int
+@@ -343,31 +344,27 @@ static const struct drm_encoder_funcs am
+ .destroy = amdgpu_dm_encoder_destroy,
+ };
+
+-static struct amdgpu_encoder *
+-dm_dp_create_fake_mst_encoder(struct amdgpu_dm_connector *connector)
++void
++dm_dp_create_fake_mst_encoders(struct amdgpu_device *adev)
+ {
+- struct drm_device *dev = connector->base.dev;
+- struct amdgpu_device *adev = dev->dev_private;
+- struct amdgpu_encoder *amdgpu_encoder;
+- struct drm_encoder *encoder;
+-
+- amdgpu_encoder = kzalloc(sizeof(*amdgpu_encoder), GFP_KERNEL);
+- if (!amdgpu_encoder)
+- return NULL;
++ struct drm_device *dev = adev->ddev;
++ int i;
+
+- encoder = &amdgpu_encoder->base;
+- encoder->possible_crtcs = amdgpu_dm_get_encoder_crtc_mask(adev);
++ for (i = 0; i < adev->dm.display_indexes_num; i++) {
++ struct amdgpu_encoder *amdgpu_encoder = &adev->dm.mst_encoders[i];
++ struct drm_encoder *encoder = &amdgpu_encoder->base;
++
++ encoder->possible_crtcs = amdgpu_dm_get_encoder_crtc_mask(adev);
++
++ drm_encoder_init(
++ dev,
++ &amdgpu_encoder->base,
++ &amdgpu_dm_encoder_funcs,
++ DRM_MODE_ENCODER_DPMST,
++ NULL);
+
+- drm_encoder_init(
+- dev,
+- &amdgpu_encoder->base,
+- &amdgpu_dm_encoder_funcs,
+- DRM_MODE_ENCODER_DPMST,
+- NULL);
+-
+- drm_encoder_helper_add(encoder, &amdgpu_dm_encoder_helper_funcs);
+-
+- return amdgpu_encoder;
++ drm_encoder_helper_add(encoder, &amdgpu_dm_encoder_helper_funcs);
++ }
+ }
+
+ static struct drm_connector *
+@@ -380,6 +377,7 @@ dm_dp_add_mst_connector(struct drm_dp_ms
+ struct amdgpu_device *adev = dev->dev_private;
+ struct amdgpu_dm_connector *aconnector;
+ struct drm_connector *connector;
++ int i;
+
+ aconnector = kzalloc(sizeof(*aconnector), GFP_KERNEL);
+ if (!aconnector)
+@@ -406,9 +404,10 @@ dm_dp_add_mst_connector(struct drm_dp_ms
+ master->dc_link,
+ master->connector_id);
+
+- aconnector->mst_encoder = dm_dp_create_fake_mst_encoder(master);
+- drm_connector_attach_encoder(&aconnector->base,
+- &aconnector->mst_encoder->base);
++ for (i = 0; i < adev->dm.display_indexes_num; i++) {
++ drm_connector_attach_encoder(&aconnector->base,
++ &adev->dm.mst_encoders[i].base);
++ }
+
+ connector->max_bpc_property = master->base.max_bpc_property;
+ if (connector->max_bpc_property)
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.h
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.h
+@@ -35,6 +35,9 @@ void amdgpu_dm_initialize_dp_connector(s
+ struct amdgpu_dm_connector *aconnector,
+ int link_index);
+
++void
++dm_dp_create_fake_mst_encoders(struct amdgpu_device *adev);
++
+ #if defined(CONFIG_DRM_AMD_DC_DCN)
+ bool compute_mst_dsc_configs_for_state(struct drm_atomic_state *state,
+ struct dc_state *dc_state);
--- /dev/null
+From 98a34cf931e848f8489d3fb15a8f5fc03802ad65 Mon Sep 17 00:00:00 2001
+From: chen gong <curry.gong@amd.com>
+Date: Mon, 13 Jul 2020 16:11:24 +0800
+Subject: drm/amdgpu/powerplay: Modify SMC message name for setting power profile mode
+
+From: chen gong <curry.gong@amd.com>
+
+commit 98a34cf931e848f8489d3fb15a8f5fc03802ad65 upstream.
+
+I consulted Cai Land(Chuntian.Cai@amd.com), he told me corresponding smc
+message name to fSMC_MSG_SetWorkloadMask() is
+"PPSMC_MSG_ActiveProcessNotify" in firmware code of Renoir.
+
+Strange though it may seem, but it's a fact.
+
+Signed-off-by: chen gong <curry.gong@amd.com>
+Reviewed-by: Evan Quan <evan.quan@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/powerplay/renoir_ppt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/powerplay/renoir_ppt.c
++++ b/drivers/gpu/drm/amd/powerplay/renoir_ppt.c
+@@ -687,7 +687,7 @@ static int renoir_set_power_profile_mode
+ return -EINVAL;
+ }
+
+- ret = smu_send_smc_msg_with_param(smu, SMU_MSG_SetWorkloadMask,
++ ret = smu_send_smc_msg_with_param(smu, SMU_MSG_ActiveProcessNotify,
+ 1 << workload_type,
+ NULL);
+ if (ret) {
--- /dev/null
+From 05051496b2622e4d12e2036b35165969aa502f89 Mon Sep 17 00:00:00 2001
+From: Xiaojie Yuan <xiaojie.yuan@amd.com>
+Date: Tue, 14 Jul 2020 15:47:31 +0800
+Subject: drm/amdgpu/sdma5: fix wptr overwritten in ->get_wptr()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xiaojie Yuan <xiaojie.yuan@amd.com>
+
+commit 05051496b2622e4d12e2036b35165969aa502f89 upstream.
+
+"u64 *wptr" points to the the wptr value in write back buffer and
+"*wptr = (*wptr) >> 2;" results in the value being overwritten each time
+when ->get_wptr() is called.
+
+umr uses /sys/kernel/debug/dri/0/amdgpu_ring_sdma0 to get rptr/wptr and
+decode ring content and it is affected by this issue.
+
+fix and simplify the logic similar as sdma_v4_0_ring_get_wptr().
+
+v2: fix for sdma5.2 as well
+v3: drop sdma 5.2 changes for 5.8 and stable
+
+Suggested-by: Le Ma <le.ma@amd.com>
+Signed-off-by: Xiaojie Yuan <xiaojie.yuan@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/sdma_v5_0.c | 26 ++++++++------------------
+ 1 file changed, 8 insertions(+), 18 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/sdma_v5_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v5_0.c
+@@ -286,30 +286,20 @@ static uint64_t sdma_v5_0_ring_get_rptr(
+ static uint64_t sdma_v5_0_ring_get_wptr(struct amdgpu_ring *ring)
+ {
+ struct amdgpu_device *adev = ring->adev;
+- u64 *wptr = NULL;
+- uint64_t local_wptr = 0;
++ u64 wptr;
+
+ if (ring->use_doorbell) {
+ /* XXX check if swapping is necessary on BE */
+- wptr = ((u64 *)&adev->wb.wb[ring->wptr_offs]);
+- DRM_DEBUG("wptr/doorbell before shift == 0x%016llx\n", *wptr);
+- *wptr = (*wptr) >> 2;
+- DRM_DEBUG("wptr/doorbell after shift == 0x%016llx\n", *wptr);
++ wptr = READ_ONCE(*((u64 *)&adev->wb.wb[ring->wptr_offs]));
++ DRM_DEBUG("wptr/doorbell before shift == 0x%016llx\n", wptr);
+ } else {
+- u32 lowbit, highbit;
+-
+- wptr = &local_wptr;
+- lowbit = RREG32(sdma_v5_0_get_reg_offset(adev, ring->me, mmSDMA0_GFX_RB_WPTR)) >> 2;
+- highbit = RREG32(sdma_v5_0_get_reg_offset(adev, ring->me, mmSDMA0_GFX_RB_WPTR_HI)) >> 2;
+-
+- DRM_DEBUG("wptr [%i]high== 0x%08x low==0x%08x\n",
+- ring->me, highbit, lowbit);
+- *wptr = highbit;
+- *wptr = (*wptr) << 32;
+- *wptr |= lowbit;
++ wptr = RREG32(sdma_v5_0_get_reg_offset(adev, ring->me, mmSDMA0_GFX_RB_WPTR_HI));
++ wptr = wptr << 32;
++ wptr |= RREG32(sdma_v5_0_get_reg_offset(adev, ring->me, mmSDMA0_GFX_RB_WPTR));
++ DRM_DEBUG("wptr before shift [%i] wptr == 0x%016llx\n", ring->me, wptr);
+ }
+
+- return *wptr;
++ return wptr >> 2;
+ }
+
+ /**
--- /dev/null
+From 858f1299fd6f7518ddef19ddd304c8398ac79fa5 Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Sat, 11 Jul 2020 21:32:36 +0100
+Subject: drm/i915/gt: Ignore irq enabling on the virtual engines
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+commit 858f1299fd6f7518ddef19ddd304c8398ac79fa5 upstream.
+
+We do not use the virtual engines for interrupts (they have physical
+components), but we do use them to decouple the fence signaling during
+submission. Currently, when we submit a completed request, we try to
+enable the interrupt handler for the virtual engine, but we never disarm
+it. A quick fix is then to mark the irq as enabled, and it will then
+remain enabled -- and this prevents us from waking the device and never
+letting it sleep again.
+
+Fixes: f8db4d051b5e ("drm/i915: Initialise breadcrumb lists on the virtual engine")
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Mika Kuoppala <mika.kuoppala@linux.intel.com>
+Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Cc: <stable@vger.kernel.org> # v5.5+
+Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200711203236.12330-1-chris@chris-wilson.co.uk
+(cherry picked from commit 4fe6abb8f51355224808ab02a9febf65d184c40b)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/gt/intel_lrc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/i915/gt/intel_lrc.c
++++ b/drivers/gpu/drm/i915/gt/intel_lrc.c
+@@ -5188,6 +5188,7 @@ intel_execlists_create_virtual(struct in
+ intel_engine_init_active(&ve->base, ENGINE_VIRTUAL);
+ intel_engine_init_breadcrumbs(&ve->base);
+ intel_engine_init_execlists(&ve->base);
++ ve->base.breadcrumbs.irq_armed = true; /* fake HW, used for irq_work */
+
+ ve->base.cops = &virtual_context_ops;
+ ve->base.request_alloc = execlists_request_alloc;
--- /dev/null
+From 110f9efa858f584c6bed177cd48d0c0f526940e1 Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Mon, 13 Jul 2020 17:05:49 +0100
+Subject: drm/i915/gt: Only swap to a random sibling once upon creation
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+commit 110f9efa858f584c6bed177cd48d0c0f526940e1 upstream.
+
+The danger in switching at random upon intel_context_pin is that the
+context may still actually be inflight, as it will not be scheduled out
+until a context switch after it is complete -- that may be a long time
+after we do a final intel_context_unpin.
+
+Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/2118
+Fixes: 6d06779e8672 ("drm/i915: Load balancing across a virtual engine")
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Cc: <stable@vger.kernel.org> # v5.3+
+Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200713160549.17344-1-chris@chris-wilson.co.uk
+(cherry picked from commit 90a987205c6cf74116a102ed446d22d92cdaf915)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/gt/intel_lrc.c | 18 ++++--------------
+ 1 file changed, 4 insertions(+), 14 deletions(-)
+
+--- a/drivers/gpu/drm/i915/gt/intel_lrc.c
++++ b/drivers/gpu/drm/i915/gt/intel_lrc.c
+@@ -4897,13 +4897,8 @@ static void virtual_engine_initial_hint(
+ * typically be the first we inspect for submission.
+ */
+ swp = prandom_u32_max(ve->num_siblings);
+- if (!swp)
+- return;
+-
+- swap(ve->siblings[swp], ve->siblings[0]);
+- if (!intel_engine_has_relative_mmio(ve->siblings[0]))
+- virtual_update_register_offsets(ve->context.lrc_reg_state,
+- ve->siblings[0]);
++ if (swp)
++ swap(ve->siblings[swp], ve->siblings[0]);
+ }
+
+ static int virtual_context_alloc(struct intel_context *ce)
+@@ -4916,15 +4911,9 @@ static int virtual_context_alloc(struct
+ static int virtual_context_pin(struct intel_context *ce)
+ {
+ struct virtual_engine *ve = container_of(ce, typeof(*ve), context);
+- int err;
+
+ /* Note: we must use a real engine class for setting up reg state */
+- err = __execlists_context_pin(ce, ve->siblings[0]);
+- if (err)
+- return err;
+-
+- virtual_engine_initial_hint(ve);
+- return 0;
++ return __execlists_context_pin(ce, ve->siblings[0]);
+ }
+
+ static void virtual_context_enter(struct intel_context *ce)
+@@ -5270,6 +5259,7 @@ intel_execlists_create_virtual(struct in
+
+ ve->base.flags |= I915_ENGINE_IS_VIRTUAL;
+
++ virtual_engine_initial_hint(ve);
+ return &ve->context;
+
+ err_put:
--- /dev/null
+From 6647e6cdba753e71170be7da2acfead7154f56d8 Mon Sep 17 00:00:00 2001
+From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Date: Wed, 12 Feb 2020 14:54:45 +0100
+Subject: drm/i915: Move cec_notifier to intel_hdmi_connector_unregister, v2.
+
+From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+
+commit 6647e6cdba753e71170be7da2acfead7154f56d8 upstream.
+
+This fixes the following KASAN splash on module reload:
+[ 145.136327] ==================================================================
+[ 145.136502] BUG: KASAN: use-after-free in intel_hdmi_destroy+0x74/0x80 [i915]
+[ 145.136514] Read of size 8 at addr ffff888216641830 by task kworker/1:1/134
+
+[ 145.136535] CPU: 1 PID: 134 Comm: kworker/1:1 Tainted: G U T 5.5.0-rc7-valkyria+ #5783
+[ 145.136539] Hardware name: GIGABYTE GB-BKi3A-7100/MFLP3AP-00, BIOS F1 07/27/2016
+[ 145.136546] Workqueue: events drm_connector_free_work_fn
+[ 145.136551] Call Trace:
+[ 145.136560] dump_stack+0xa1/0xe0
+[ 145.136571] print_address_description.constprop.0+0x1e/0x210
+[ 145.136639] ? intel_hdmi_destroy+0x74/0x80 [i915]
+[ 145.136703] ? intel_hdmi_destroy+0x74/0x80 [i915]
+[ 145.136710] __kasan_report.cold+0x1b/0x37
+[ 145.136790] ? intel_hdmi_destroy+0x74/0x80 [i915]
+[ 145.136863] ? intel_hdmi_destroy+0x74/0x80 [i915]
+[ 145.136870] kasan_report+0x27/0x30
+[ 145.136881] __asan_report_load8_noabort+0x1c/0x20
+[ 145.136946] intel_hdmi_destroy+0x74/0x80 [i915]
+[ 145.136954] drm_connector_free_work_fn+0xd1/0x100
+[ 145.136967] process_one_work+0x86e/0x1610
+[ 145.136987] ? pwq_dec_nr_in_flight+0x2f0/0x2f0
+[ 145.137004] ? move_linked_works+0x128/0x2c0
+[ 145.137021] worker_thread+0x63e/0xc90
+[ 145.137048] kthread+0x2f6/0x3f0
+[ 145.137054] ? calculate_sigpending+0x81/0xa0
+[ 145.137059] ? process_one_work+0x1610/0x1610
+[ 145.137064] ? kthread_bind+0x40/0x40
+[ 145.137075] ret_from_fork+0x24/0x30
+
+[ 145.137111] Allocated by task 0:
+[ 145.137119] (stack is not available)
+
+[ 145.137137] Freed by task 5053:
+[ 145.137147] save_stack+0x28/0x90
+[ 145.137152] __kasan_slab_free+0x136/0x180
+[ 145.137157] kasan_slab_free+0x26/0x30
+[ 145.137161] kfree+0xe6/0x350
+[ 145.137242] intel_ddi_encoder_destroy+0x60/0x80 [i915]
+[ 145.137252] drm_mode_config_cleanup+0x11d/0x8f0
+[ 145.137329] intel_modeset_driver_remove+0x1f5/0x350 [i915]
+[ 145.137403] i915_driver_remove+0xc4/0x130 [i915]
+[ 145.137482] i915_pci_remove+0x3e/0x90 [i915]
+[ 145.137489] pci_device_remove+0x108/0x2d0
+[ 145.137494] device_release_driver_internal+0x1e6/0x4a0
+[ 145.137499] driver_detach+0xcb/0x198
+[ 145.137503] bus_remove_driver+0xde/0x204
+[ 145.137508] driver_unregister+0x6d/0xa0
+[ 145.137513] pci_unregister_driver+0x2e/0x230
+[ 145.137576] i915_exit+0x1f/0x26 [i915]
+[ 145.137157] kasan_slab_free+0x26/0x30
+[ 145.137161] kfree+0xe6/0x350
+[ 145.137242] intel_ddi_encoder_destroy+0x60/0x80 [i915]
+[ 145.137252] drm_mode_config_cleanup+0x11d/0x8f0
+[ 145.137329] intel_modeset_driver_remove+0x1f5/0x350 [i915]
+[ 145.137403] i915_driver_remove+0xc4/0x130 [i915]
+[ 145.137482] i915_pci_remove+0x3e/0x90 [i915]
+[ 145.137489] pci_device_remove+0x108/0x2d0
+[ 145.137494] device_release_driver_internal+0x1e6/0x4a0
+[ 145.137499] driver_detach+0xcb/0x198
+[ 145.137503] bus_remove_driver+0xde/0x204
+[ 145.137508] driver_unregister+0x6d/0xa0
+[ 145.137513] pci_unregister_driver+0x2e/0x230
+[ 145.137576] i915_exit+0x1f/0x26 [i915]
+[ 145.137581] __x64_sys_delete_module+0x35b/0x470
+[ 145.137586] do_syscall_64+0x99/0x4e0
+[ 145.137591] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+[ 145.137606] The buggy address belongs to the object at ffff888216640000
+ which belongs to the cache kmalloc-8k of size 8192
+[ 145.137618] The buggy address is located 6192 bytes inside of
+ 8192-byte region [ffff888216640000, ffff888216642000)
+[ 145.137630] The buggy address belongs to the page:
+[ 145.137640] page:ffffea0008599000 refcount:1 mapcount:0 mapping:ffff888107c02a80 index:0xffff888216644000 compound_mapcount: 0
+[ 145.137647] raw: 0200000000010200 0000000000000000 0000000100000001 ffff888107c02a80
+[ 145.137652] raw: ffff888216644000 0000000080020001 00000001ffffffff 0000000000000000
+[ 145.137656] page dumped because: kasan: bad access detected
+
+[ 145.137668] Memory state around the buggy address:
+[ 145.137678] ffff888216641700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 145.137687] ffff888216641780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 145.137697] >ffff888216641800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 145.137706] ^
+[ 145.137715] ffff888216641880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 145.137724] ffff888216641900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 145.137733] ==================================================================
+[ 145.137742] Disabling lock debugging due to kernel taint
+
+Changes since v1:
+- Add fixes tags.
+- Use early unregister.
+
+Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Fixes: 9c229127aee2 ("drm/i915: hdmi: add CEC notifier to intel_hdmi")
+Cc: <stable@vger.kernel.org> # v4.19+
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200212135445.1469133-1-maarten.lankhorst@linux.intel.com
+(cherry picked from commit a581483b1e5466d28fc50ff623fba31cea2cccb6)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/display/intel_hdmi.c | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/i915/display/intel_hdmi.c
++++ b/drivers/gpu/drm/i915/display/intel_hdmi.c
+@@ -2821,19 +2821,13 @@ intel_hdmi_connector_register(struct drm
+ return ret;
+ }
+
+-static void intel_hdmi_destroy(struct drm_connector *connector)
++static void intel_hdmi_connector_unregister(struct drm_connector *connector)
+ {
+ struct cec_notifier *n = intel_attached_hdmi(to_intel_connector(connector))->cec_notifier;
+
+ cec_notifier_conn_unregister(n);
+
+- intel_connector_destroy(connector);
+-}
+-
+-static void intel_hdmi_connector_unregister(struct drm_connector *connector)
+-{
+ intel_hdmi_remove_i2c_symlink(connector);
+-
+ intel_connector_unregister(connector);
+ }
+
+@@ -2845,7 +2839,7 @@ static const struct drm_connector_funcs
+ .atomic_set_property = intel_digital_connector_atomic_set_property,
+ .late_register = intel_hdmi_connector_register,
+ .early_unregister = intel_hdmi_connector_unregister,
+- .destroy = intel_hdmi_destroy,
++ .destroy = intel_connector_destroy,
+ .atomic_destroy_state = drm_atomic_helper_connector_destroy_state,
+ .atomic_duplicate_state = intel_digital_connector_duplicate_state,
+ };
--- /dev/null
+From 1f054fd26e29784d373c3d29c348ee48f1c41fb2 Mon Sep 17 00:00:00 2001
+From: Roland Scheidegger <sroland@vmware.com>
+Date: Thu, 9 Jul 2020 18:54:14 +0200
+Subject: drm/vmwgfx: fix update of display surface when resolution changes
+
+From: Roland Scheidegger <sroland@vmware.com>
+
+commit 1f054fd26e29784d373c3d29c348ee48f1c41fb2 upstream.
+
+The assignment of metadata overwrote the new display resolution values,
+hence we'd miss the size actually changed and wouldn't redefine the
+surface. This would then lead to command buffer error when trying to
+update the screen target (due to the size mismatch), and result in a
+VM with black screen.
+
+Fixes: 504901dbb0b5 ("drm/vmwgfx: Refactor surface_define to use vmw_surface_metadata")
+Reviewed-by: Charmaine Lee <charmainel@vmware.com>
+Signed-off-by: Roland Scheidegger <sroland@vmware.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c
+@@ -1069,10 +1069,6 @@ vmw_stdu_primary_plane_prepare_fb(struct
+ if (new_content_type != SAME_AS_DISPLAY) {
+ struct vmw_surface_metadata metadata = {0};
+
+- metadata.base_size.width = hdisplay;
+- metadata.base_size.height = vdisplay;
+- metadata.base_size.depth = 1;
+-
+ /*
+ * If content buffer is a buffer object, then we have to
+ * construct surface info
+@@ -1104,6 +1100,10 @@ vmw_stdu_primary_plane_prepare_fb(struct
+ metadata = new_vfbs->surface->metadata;
+ }
+
++ metadata.base_size.width = hdisplay;
++ metadata.base_size.height = vdisplay;
++ metadata.base_size.depth = 1;
++
+ if (vps->surf) {
+ struct drm_vmw_size cur_base_size =
+ vps->surf->metadata.base_size;
--- /dev/null
+From 31070f6ccec09f3bd4f1e28cd1e592fa4f3ba0b6 Mon Sep 17 00:00:00 2001
+From: Chirantan Ekbote <chirantan@chromium.org>
+Date: Tue, 14 Jul 2020 19:26:39 +0900
+Subject: fuse: Fix parameter for FS_IOC_{GET,SET}FLAGS
+
+From: Chirantan Ekbote <chirantan@chromium.org>
+
+commit 31070f6ccec09f3bd4f1e28cd1e592fa4f3ba0b6 upstream.
+
+The ioctl encoding for this parameter is a long but the documentation says
+it should be an int and the kernel drivers expect it to be an int. If the
+fuse driver treats this as a long it might end up scribbling over the stack
+of a userspace process that only allocated enough space for an int.
+
+This was previously discussed in [1] and a patch for fuse was proposed in
+[2]. From what I can tell the patch in [2] was nacked in favor of adding
+new, "fixed" ioctls and using those from userspace. However there is still
+no "fixed" version of these ioctls and the fact is that it's sometimes
+infeasible to change all userspace to use the new one.
+
+Handling the ioctls specially in the fuse driver seems like the most
+pragmatic way for fuse servers to support them without causing crashes in
+userspace applications that call them.
+
+[1]: https://lore.kernel.org/linux-fsdevel/20131126200559.GH20559@hall.aurel32.net/T/
+[2]: https://sourceforge.net/p/fuse/mailman/message/31771759/
+
+Signed-off-by: Chirantan Ekbote <chirantan@chromium.org>
+Fixes: 59efec7b9039 ("fuse: implement ioctl support")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/file.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -18,6 +18,7 @@
+ #include <linux/swap.h>
+ #include <linux/falloc.h>
+ #include <linux/uio.h>
++#include <linux/fs.h>
+
+ static struct page **fuse_pages_alloc(unsigned int npages, gfp_t flags,
+ struct fuse_page_desc **desc)
+@@ -2758,7 +2759,16 @@ long fuse_do_ioctl(struct file *file, un
+ struct iovec *iov = iov_page;
+
+ iov->iov_base = (void __user *)arg;
+- iov->iov_len = _IOC_SIZE(cmd);
++
++ switch (cmd) {
++ case FS_IOC_GETFLAGS:
++ case FS_IOC_SETFLAGS:
++ iov->iov_len = sizeof(int);
++ break;
++ default:
++ iov->iov_len = _IOC_SIZE(cmd);
++ break;
++ }
+
+ if (_IOC_DIR(cmd) & _IOC_WRITE) {
+ in_iov = iov;
--- /dev/null
+From e8b20a474cf2c42698d1942f939ff2128819f151 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Tue, 14 Jul 2020 14:45:41 +0200
+Subject: fuse: ignore 'data' argument of mount(..., MS_REMOUNT)
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit e8b20a474cf2c42698d1942f939ff2128819f151 upstream.
+
+The command
+
+ mount -o remount -o unknownoption /mnt/fuse
+
+succeeds on kernel versions prior to v5.4 and fails on kernel version at or
+after. This is because fuse_parse_param() rejects any unrecognised options
+in case of FS_CONTEXT_FOR_RECONFIGURE, just as for FS_CONTEXT_FOR_MOUNT.
+
+This causes a regression in case the fuse filesystem is in fstab, since
+remount sends all options found there to the kernel; even ones that are
+meant for the initial mount and are consumed by the userspace fuse server.
+
+Fix this by ignoring mount options, just as fuse_remount_fs() did prior to
+the conversion to the new API.
+
+Reported-by: Stefan Priebe <s.priebe@profihost.ag>
+Fixes: c30da2e981a7 ("fuse: convert to use the new mount API")
+Cc: <stable@vger.kernel.org> # v5.4
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/inode.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/fuse/inode.c
++++ b/fs/fuse/inode.c
+@@ -468,6 +468,13 @@ static int fuse_parse_param(struct fs_co
+ struct fuse_fs_context *ctx = fc->fs_private;
+ int opt;
+
++ /*
++ * Ignore options coming from mount(MS_REMOUNT) for backward
++ * compatibility.
++ */
++ if (fc->purpose == FS_CONTEXT_FOR_RECONFIGURE)
++ return 0;
++
+ opt = fs_parse(fc, fuse_fs_parameters, param, &result);
+ if (opt < 0)
+ return opt;
--- /dev/null
+From 0189a2d367f49729622fdafaef5da73161591859 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Tue, 14 Jul 2020 14:45:41 +0200
+Subject: fuse: use ->reconfigure() instead of ->remount_fs()
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 0189a2d367f49729622fdafaef5da73161591859 upstream.
+
+s_op->remount_fs() is only called from legacy_reconfigure(), which is not
+used after being converted to the new API.
+
+Convert to using ->reconfigure(). This restores the previous behavior of
+syncing the filesystem and rejecting MS_MANDLOCK on remount.
+
+Fixes: c30da2e981a7 ("fuse: convert to use the new mount API")
+Cc: <stable@vger.kernel.org> # v5.4
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/inode.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/fs/fuse/inode.c
++++ b/fs/fuse/inode.c
+@@ -121,10 +121,12 @@ static void fuse_evict_inode(struct inod
+ }
+ }
+
+-static int fuse_remount_fs(struct super_block *sb, int *flags, char *data)
++static int fuse_reconfigure(struct fs_context *fc)
+ {
++ struct super_block *sb = fc->root->d_sb;
++
+ sync_filesystem(sb);
+- if (*flags & SB_MANDLOCK)
++ if (fc->sb_flags & SB_MANDLOCK)
+ return -EINVAL;
+
+ return 0;
+@@ -817,7 +819,6 @@ static const struct super_operations fus
+ .evict_inode = fuse_evict_inode,
+ .write_inode = fuse_write_inode,
+ .drop_inode = generic_delete_inode,
+- .remount_fs = fuse_remount_fs,
+ .put_super = fuse_put_super,
+ .umount_begin = fuse_umount_begin,
+ .statfs = fuse_statfs,
+@@ -1291,6 +1292,7 @@ static int fuse_get_tree(struct fs_conte
+ static const struct fs_context_operations fuse_context_ops = {
+ .free = fuse_free_fc,
+ .parse_param = fuse_parse_param,
++ .reconfigure = fuse_reconfigure,
+ .get_tree = fuse_get_tree,
+ };
+
--- /dev/null
+From baedb87d1b53532f81b4bd0387f83b05d4f7eb9a Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Fri, 17 Jul 2020 18:00:02 +0200
+Subject: genirq/affinity: Handle affinity setting on inactive interrupts correctly
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit baedb87d1b53532f81b4bd0387f83b05d4f7eb9a upstream.
+
+Setting interrupt affinity on inactive interrupts is inconsistent when
+hierarchical irq domains are enabled. The core code should just store the
+affinity and not call into the irq chip driver for inactive interrupts
+because the chip drivers may not be in a state to handle such requests.
+
+X86 has a hacky workaround for that but all other irq chips have not which
+causes problems e.g. on GIC V3 ITS.
+
+Instead of adding more ugly hacks all over the place, solve the problem in
+the core code. If the affinity is set on an inactive interrupt then:
+
+ - Store it in the irq descriptors affinity mask
+ - Update the effective affinity to reflect that so user space has
+ a consistent view
+ - Don't call into the irq chip driver
+
+This is the core equivalent of the X86 workaround and works correctly
+because the affinity setting is established in the irq chip when the
+interrupt is activated later on.
+
+Note, that this is only effective when hierarchical irq domains are enabled
+by the architecture. Doing it unconditionally would break legacy irq chip
+implementations.
+
+For hierarchial irq domains this works correctly as none of the drivers can
+have a dependency on affinity setting in inactive state by design.
+
+Remove the X86 workaround as it is not longer required.
+
+Fixes: 02edee152d6e ("x86/apic/vector: Ignore set_affinity call for inactive interrupts")
+Reported-by: Ali Saidi <alisaidi@amazon.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Ali Saidi <alisaidi@amazon.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20200529015501.15771-1-alisaidi@amazon.com
+Link: https://lkml.kernel.org/r/877dv2rv25.fsf@nanos.tec.linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/apic/vector.c | 22 +++++-----------------
+ kernel/irq/manage.c | 37 +++++++++++++++++++++++++++++++++++--
+ 2 files changed, 40 insertions(+), 19 deletions(-)
+
+--- a/arch/x86/kernel/apic/vector.c
++++ b/arch/x86/kernel/apic/vector.c
+@@ -446,12 +446,10 @@ static int x86_vector_activate(struct ir
+ trace_vector_activate(irqd->irq, apicd->is_managed,
+ apicd->can_reserve, reserve);
+
+- /* Nothing to do for fixed assigned vectors */
+- if (!apicd->can_reserve && !apicd->is_managed)
+- return 0;
+-
+ raw_spin_lock_irqsave(&vector_lock, flags);
+- if (reserve || irqd_is_managed_and_shutdown(irqd))
++ if (!apicd->can_reserve && !apicd->is_managed)
++ assign_irq_vector_any_locked(irqd);
++ else if (reserve || irqd_is_managed_and_shutdown(irqd))
+ vector_assign_managed_shutdown(irqd);
+ else if (apicd->is_managed)
+ ret = activate_managed(irqd);
+@@ -775,20 +773,10 @@ void lapic_offline(void)
+ static int apic_set_affinity(struct irq_data *irqd,
+ const struct cpumask *dest, bool force)
+ {
+- struct apic_chip_data *apicd = apic_chip_data(irqd);
+ int err;
+
+- /*
+- * Core code can call here for inactive interrupts. For inactive
+- * interrupts which use managed or reservation mode there is no
+- * point in going through the vector assignment right now as the
+- * activation will assign a vector which fits the destination
+- * cpumask. Let the core code store the destination mask and be
+- * done with it.
+- */
+- if (!irqd_is_activated(irqd) &&
+- (apicd->is_managed || apicd->can_reserve))
+- return IRQ_SET_MASK_OK;
++ if (WARN_ON_ONCE(!irqd_is_activated(irqd)))
++ return -EIO;
+
+ raw_spin_lock(&vector_lock);
+ cpumask_and(vector_searchmask, dest, cpu_online_mask);
+--- a/kernel/irq/manage.c
++++ b/kernel/irq/manage.c
+@@ -195,9 +195,9 @@ void irq_set_thread_affinity(struct irq_
+ set_bit(IRQTF_AFFINITY, &action->thread_flags);
+ }
+
++#ifdef CONFIG_GENERIC_IRQ_EFFECTIVE_AFF_MASK
+ static void irq_validate_effective_affinity(struct irq_data *data)
+ {
+-#ifdef CONFIG_GENERIC_IRQ_EFFECTIVE_AFF_MASK
+ const struct cpumask *m = irq_data_get_effective_affinity_mask(data);
+ struct irq_chip *chip = irq_data_get_irq_chip(data);
+
+@@ -205,9 +205,19 @@ static void irq_validate_effective_affin
+ return;
+ pr_warn_once("irq_chip %s did not update eff. affinity mask of irq %u\n",
+ chip->name, data->irq);
+-#endif
+ }
+
++static inline void irq_init_effective_affinity(struct irq_data *data,
++ const struct cpumask *mask)
++{
++ cpumask_copy(irq_data_get_effective_affinity_mask(data), mask);
++}
++#else
++static inline void irq_validate_effective_affinity(struct irq_data *data) { }
++static inline void irq_init_effective_affinity(struct irq_data *data,
++ const struct cpumask *mask) { }
++#endif
++
+ int irq_do_set_affinity(struct irq_data *data, const struct cpumask *mask,
+ bool force)
+ {
+@@ -304,6 +314,26 @@ static int irq_try_set_affinity(struct i
+ return ret;
+ }
+
++static bool irq_set_affinity_deactivated(struct irq_data *data,
++ const struct cpumask *mask, bool force)
++{
++ struct irq_desc *desc = irq_data_to_desc(data);
++
++ /*
++ * If the interrupt is not yet activated, just store the affinity
++ * mask and do not call the chip driver at all. On activation the
++ * driver has to make sure anyway that the interrupt is in a
++ * useable state so startup works.
++ */
++ if (!IS_ENABLED(CONFIG_IRQ_DOMAIN_HIERARCHY) || irqd_is_activated(data))
++ return false;
++
++ cpumask_copy(desc->irq_common_data.affinity, mask);
++ irq_init_effective_affinity(data, mask);
++ irqd_set(data, IRQD_AFFINITY_SET);
++ return true;
++}
++
+ int irq_set_affinity_locked(struct irq_data *data, const struct cpumask *mask,
+ bool force)
+ {
+@@ -314,6 +344,9 @@ int irq_set_affinity_locked(struct irq_d
+ if (!chip || !chip->irq_set_affinity)
+ return -EINVAL;
+
++ if (irq_set_affinity_deactivated(data, mask, force))
++ return 0;
++
+ if (irq_can_move_pcntxt(data) && !irqd_is_setaffinity_pending(data)) {
+ ret = irq_try_set_affinity(data, mask, force);
+ } else {
--- /dev/null
+From c66ef39eb27fe123ee05082b90eb2985c33c7715 Mon Sep 17 00:00:00 2001
+From: "Maciej S. Szmigiero" <mail@maciej.szmigiero.name>
+Date: Sat, 18 Jul 2020 14:32:10 +0200
+Subject: hwmon: (drivetemp) Avoid SCT usage on Toshiba DT01ACA family drives
+
+From: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
+
+commit c66ef39eb27fe123ee05082b90eb2985c33c7715 upstream.
+
+It has been observed that Toshiba DT01ACA family drives have
+WRITE FPDMA QUEUED command timeouts and sometimes just freeze until
+power-cycled under heavy write loads when their temperature is getting
+polled in SCT mode. The SMART mode seems to be fine, though.
+
+Let's make sure we don't use SCT mode for these drives then.
+
+While only the 3 TB model was actually caught exhibiting the problem let's
+play safe here to avoid data corruption and extend the ban to the whole
+family.
+
+Fixes: 5b46903d8bf3 ("hwmon: Driver for disk and solid state drives with temperature sensors")
+Cc: stable@vger.kernel.org
+Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
+Link: https://lore.kernel.org/r/0cb2e7022b66c6d21d3f189a12a97878d0e7511b.1595075458.git.mail@maciej.szmigiero.name
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwmon/drivetemp.c | 43 +++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 43 insertions(+)
+
+--- a/drivers/hwmon/drivetemp.c
++++ b/drivers/hwmon/drivetemp.c
+@@ -285,6 +285,42 @@ static int drivetemp_get_scttemp(struct
+ return err;
+ }
+
++static const char * const sct_avoid_models[] = {
++/*
++ * These drives will have WRITE FPDMA QUEUED command timeouts and sometimes just
++ * freeze until power-cycled under heavy write loads when their temperature is
++ * getting polled in SCT mode. The SMART mode seems to be fine, though.
++ *
++ * While only the 3 TB model (DT01ACA3) was actually caught exhibiting the
++ * problem let's play safe here to avoid data corruption and ban the whole
++ * DT01ACAx family.
++
++ * The models from this array are prefix-matched.
++ */
++ "TOSHIBA DT01ACA",
++};
++
++static bool drivetemp_sct_avoid(struct drivetemp_data *st)
++{
++ struct scsi_device *sdev = st->sdev;
++ unsigned int ctr;
++
++ if (!sdev->model)
++ return false;
++
++ /*
++ * The "model" field contains just the raw SCSI INQUIRY response
++ * "product identification" field, which has a width of 16 bytes.
++ * This field is space-filled, but is NOT NULL-terminated.
++ */
++ for (ctr = 0; ctr < ARRAY_SIZE(sct_avoid_models); ctr++)
++ if (!strncmp(sdev->model, sct_avoid_models[ctr],
++ strlen(sct_avoid_models[ctr])))
++ return true;
++
++ return false;
++}
++
+ static int drivetemp_identify_sata(struct drivetemp_data *st)
+ {
+ struct scsi_device *sdev = st->sdev;
+@@ -326,6 +362,13 @@ static int drivetemp_identify_sata(struc
+ /* bail out if this is not a SATA device */
+ if (!is_ata || !is_sata)
+ return -ENODEV;
++
++ if (have_sct && drivetemp_sct_avoid(st)) {
++ dev_notice(&sdev->sdev_gendev,
++ "will avoid using SCT for temperature monitoring\n");
++ have_sct = false;
++ }
++
+ if (!have_sct)
+ goto skip_sct;
+
--- /dev/null
+From 14b0e83dc4f1e52b94acaeb85a18fd7fdd46d2dc Mon Sep 17 00:00:00 2001
+From: Vishwas M <vishwas.reddy.vr@gmail.com>
+Date: Tue, 7 Jul 2020 19:57:47 +0530
+Subject: hwmon: (emc2103) fix unable to change fan pwm1_enable attribute
+
+From: Vishwas M <vishwas.reddy.vr@gmail.com>
+
+commit 14b0e83dc4f1e52b94acaeb85a18fd7fdd46d2dc upstream.
+
+This patch fixes a bug which does not let FAN mode to be changed from
+sysfs(pwm1_enable). i.e pwm1_enable can not be set to 3, it will always
+remain at 0.
+
+This is caused because the device driver handles the result of
+"read_u8_from_i2c(client, REG_FAN_CONF1, &conf_reg)" incorrectly. The
+driver thinks an error has occurred if the (result != 0). This has been
+fixed by changing the condition to (result < 0).
+
+Signed-off-by: Vishwas M <vishwas.reddy.vr@gmail.com>
+Link: https://lore.kernel.org/r/20200707142747.118414-1-vishwas.reddy.vr@gmail.com
+Fixes: 9df7305b5a86 ("hwmon: Add driver for SMSC EMC2103 temperature monitor and fan controller")
+Cc: stable@vger.kernel.org
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwmon/emc2103.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwmon/emc2103.c
++++ b/drivers/hwmon/emc2103.c
+@@ -443,7 +443,7 @@ static ssize_t pwm1_enable_store(struct
+ }
+
+ result = read_u8_from_i2c(client, REG_FAN_CONF1, &conf_reg);
+- if (result) {
++ if (result < 0) {
+ count = result;
+ goto err;
+ }
--- /dev/null
+From a50ca29523b18baea548bdf5df9b4b923c2bb4f6 Mon Sep 17 00:00:00 2001
+From: Dave Wang <dave.wang@emc.com.tw>
+Date: Wed, 8 Jul 2020 22:25:03 -0700
+Subject: Input: elan_i2c - add more hardware ID for Lenovo laptops
+
+From: Dave Wang <dave.wang@emc.com.tw>
+
+commit a50ca29523b18baea548bdf5df9b4b923c2bb4f6 upstream.
+
+This adds more hardware IDs for Elan touchpads found in various Lenovo
+laptops.
+
+Signed-off-by: Dave Wang <dave.wang@emc.com.tw>
+Link: https://lore.kernel.org/r/000201d5a8bd$9fead3f0$dfc07bd0$@emc.com.tw
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/input/elan-i2c-ids.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/include/linux/input/elan-i2c-ids.h
++++ b/include/linux/input/elan-i2c-ids.h
+@@ -67,8 +67,15 @@ static const struct acpi_device_id elan_
+ { "ELAN062B", 0 },
+ { "ELAN062C", 0 },
+ { "ELAN062D", 0 },
++ { "ELAN062E", 0 }, /* Lenovo V340 Whiskey Lake U */
++ { "ELAN062F", 0 }, /* Lenovo V340 Comet Lake U */
+ { "ELAN0631", 0 },
+ { "ELAN0632", 0 },
++ { "ELAN0633", 0 }, /* Lenovo S145 */
++ { "ELAN0634", 0 }, /* Lenovo V340 Ice lake */
++ { "ELAN0635", 0 }, /* Lenovo V1415-IIL */
++ { "ELAN0636", 0 }, /* Lenovo V1415-Dali */
++ { "ELAN0637", 0 }, /* Lenovo V1415-IGLR */
+ { "ELAN1000", 0 },
+ { }
+ };
--- /dev/null
+From 17d51429da722cd8fc77a365a112f008abf4f8b3 Mon Sep 17 00:00:00 2001
+From: David Pedersen <limero1337@gmail.com>
+Date: Mon, 6 Jul 2020 18:48:51 -0700
+Subject: Input: i8042 - add Lenovo XiaoXin Air 12 to i8042 nomux list
+
+From: David Pedersen <limero1337@gmail.com>
+
+commit 17d51429da722cd8fc77a365a112f008abf4f8b3 upstream.
+
+This fixes two finger trackpad scroll on the Lenovo XiaoXin Air 12.
+Without nomux, the trackpad behaves as if only one finger is present and
+moves the cursor when trying to scroll.
+
+Signed-off-by: David Pedersen <limero1337@gmail.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20200625133754.291325-1-limero1337@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/serio/i8042-x86ia64io.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/input/serio/i8042-x86ia64io.h
++++ b/drivers/input/serio/i8042-x86ia64io.h
+@@ -426,6 +426,13 @@ static const struct dmi_system_id __init
+ },
+ },
+ {
++ /* Lenovo XiaoXin Air 12 */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "80UN"),
++ },
++ },
++ {
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Acer"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 1360"),
--- /dev/null
+From e78e1fdb282726beaf88aa75943682217e6ded0e Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Mon, 6 Jul 2020 19:13:39 +0300
+Subject: intel_th: Fix a NULL dereference when hub driver is not loaded
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit e78e1fdb282726beaf88aa75943682217e6ded0e upstream.
+
+Connecting master to an output port when GTH driver module is not loaded
+triggers a NULL dereference:
+
+> RIP: 0010:intel_th_set_output+0x35/0x70 [intel_th]
+> Call Trace:
+> ? sth_stm_link+0x12/0x20 [intel_th_sth]
+> stm_source_link_store+0x164/0x270 [stm_core]
+> dev_attr_store+0x17/0x30
+> sysfs_kf_write+0x3e/0x50
+> kernfs_fop_write+0xda/0x1b0
+> __vfs_write+0x1b/0x40
+> vfs_write+0xb9/0x1a0
+> ksys_write+0x67/0xe0
+> __x64_sys_write+0x1a/0x20
+> do_syscall_64+0x57/0x1d0
+> entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Make sure the module in question is loaded and return an error if not.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Fixes: 39f4034693b7c ("intel_th: Add driver infrastructure for Intel(R) Trace Hub devices")
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reported-by: Ammy Yi <ammy.yi@intel.com>
+Tested-by: Ammy Yi <ammy.yi@intel.com>
+Cc: stable@vger.kernel.org # v4.4
+Link: https://lore.kernel.org/r/20200706161339.55468-5-alexander.shishkin@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/intel_th/core.c | 21 ++++++++++++++++++---
+ drivers/hwtracing/intel_th/sth.c | 4 +---
+ 2 files changed, 19 insertions(+), 6 deletions(-)
+
+--- a/drivers/hwtracing/intel_th/core.c
++++ b/drivers/hwtracing/intel_th/core.c
+@@ -1021,15 +1021,30 @@ int intel_th_set_output(struct intel_th_
+ {
+ struct intel_th_device *hub = to_intel_th_hub(thdev);
+ struct intel_th_driver *hubdrv = to_intel_th_driver(hub->dev.driver);
++ int ret;
+
+ /* In host mode, this is up to the external debugger, do nothing. */
+ if (hub->host_mode)
+ return 0;
+
+- if (!hubdrv->set_output)
+- return -ENOTSUPP;
++ /*
++ * hub is instantiated together with the source device that
++ * calls here, so guaranteed to be present.
++ */
++ hubdrv = to_intel_th_driver(hub->dev.driver);
++ if (!hubdrv || !try_module_get(hubdrv->driver.owner))
++ return -EINVAL;
+
+- return hubdrv->set_output(hub, master);
++ if (!hubdrv->set_output) {
++ ret = -ENOTSUPP;
++ goto out;
++ }
++
++ ret = hubdrv->set_output(hub, master);
++
++out:
++ module_put(hubdrv->driver.owner);
++ return ret;
+ }
+ EXPORT_SYMBOL_GPL(intel_th_set_output);
+
+--- a/drivers/hwtracing/intel_th/sth.c
++++ b/drivers/hwtracing/intel_th/sth.c
+@@ -161,9 +161,7 @@ static int sth_stm_link(struct stm_data
+ {
+ struct sth_device *sth = container_of(stm_data, struct sth_device, stm);
+
+- intel_th_set_output(to_intel_th_device(sth->dev), master);
+-
+- return 0;
++ return intel_th_set_output(to_intel_th_device(sth->dev), master);
+ }
+
+ static int intel_th_sw_init(struct sth_device *sth)
--- /dev/null
+From fd73d74a32bfaaf259441322cc5a1c83caaa94f2 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Mon, 6 Jul 2020 19:13:38 +0300
+Subject: intel_th: pci: Add Emmitsburg PCH support
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit fd73d74a32bfaaf259441322cc5a1c83caaa94f2 upstream.
+
+This adds support for the Trace Hub in Emmitsburg PCH.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: stable@vger.kernel.org # v4.14+
+Link: https://lore.kernel.org/r/20200706161339.55468-4-alexander.shishkin@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/intel_th/pci.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/hwtracing/intel_th/pci.c
++++ b/drivers/hwtracing/intel_th/pci.c
+@@ -258,6 +258,11 @@ static const struct pci_device_id intel_
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x4b26),
+ .driver_data = (kernel_ulong_t)&intel_th_2x,
+ },
++ {
++ /* Emmitsburg PCH */
++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x1bcc),
++ .driver_data = (kernel_ulong_t)&intel_th_2x,
++ },
+ { 0 },
+ };
+
--- /dev/null
+From 203c1f615052921901b7a8fbe2005d8ea6add076 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Mon, 6 Jul 2020 19:13:36 +0300
+Subject: intel_th: pci: Add Jasper Lake CPU support
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit 203c1f615052921901b7a8fbe2005d8ea6add076 upstream.
+
+This adds support for the Trace Hub in Jasper Lake CPU.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: stable@vger.kernel.org # v4.14+
+Link: https://lore.kernel.org/r/20200706161339.55468-2-alexander.shishkin@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/intel_th/pci.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/hwtracing/intel_th/pci.c
++++ b/drivers/hwtracing/intel_th/pci.c
+@@ -239,6 +239,11 @@ static const struct pci_device_id intel_
+ .driver_data = (kernel_ulong_t)&intel_th_2x,
+ },
+ {
++ /* Jasper Lake CPU */
++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x4e29),
++ .driver_data = (kernel_ulong_t)&intel_th_2x,
++ },
++ {
+ /* Elkhart Lake CPU */
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x4529),
+ .driver_data = (kernel_ulong_t)&intel_th_2x,
--- /dev/null
+From 6227585dc7b6a5405fc08dc322f98cb95e2f0eb4 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Mon, 6 Jul 2020 19:13:37 +0300
+Subject: intel_th: pci: Add Tiger Lake PCH-H support
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit 6227585dc7b6a5405fc08dc322f98cb95e2f0eb4 upstream.
+
+This adds support for the Trace Hub in Tiger Lake PCH-H.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: stable@vger.kernel.org # v4.14+
+Link: https://lore.kernel.org/r/20200706161339.55468-3-alexander.shishkin@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/intel_th/pci.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/hwtracing/intel_th/pci.c
++++ b/drivers/hwtracing/intel_th/pci.c
+@@ -234,6 +234,11 @@ static const struct pci_device_id intel_
+ .driver_data = (kernel_ulong_t)&intel_th_2x,
+ },
+ {
++ /* Tiger Lake PCH-H */
++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x43a6),
++ .driver_data = (kernel_ulong_t)&intel_th_2x,
++ },
++ {
+ /* Jasper Lake PCH */
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x4da6),
+ .driver_data = (kernel_ulong_t)&intel_th_2x,
--- /dev/null
+From e852c2c251ed9c23ae6e3efebc5ec49adb504207 Mon Sep 17 00:00:00 2001
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+Date: Mon, 29 Jun 2020 01:53:59 +0300
+Subject: mei: bus: don't clean driver pointer
+
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+
+commit e852c2c251ed9c23ae6e3efebc5ec49adb504207 upstream.
+
+It's not needed to set driver to NULL in mei_cl_device_remove()
+which is bus_type remove() handler as this is done anyway
+in __device_release_driver().
+
+Actually this is causing an endless loop in driver_detach()
+on ubuntu patched kernel, while removing (rmmod) the mei_hdcp module.
+The reason list_empty(&drv->p->klist_devices.k_list) is always not-empty.
+as the check is always true in __device_release_driver()
+ if (dev->driver != drv)
+ return;
+
+The non upstream patch is causing this behavior, titled:
+'vfio -- release device lock before userspace requests'
+
+Nevertheless the fix is correct also for the upstream.
+
+Link: https://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20180912085046.3401-2-apw@canonical.com/
+Cc: <stable@vger.kernel.org>
+Cc: Andy Whitcroft <apw@canonical.com>
+Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Link: https://lore.kernel.org/r/20200628225359.2185929-1-tomas.winkler@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/mei/bus.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/misc/mei/bus.c
++++ b/drivers/misc/mei/bus.c
+@@ -745,9 +745,8 @@ static int mei_cl_device_remove(struct d
+
+ mei_cl_bus_module_put(cldev);
+ module_put(THIS_MODULE);
+- dev->driver = NULL;
+- return ret;
+
++ return ret;
+ }
+
+ static ssize_t name_show(struct device *dev, struct device_attribute *a,
--- /dev/null
+From b037d60a3b1d1227609fd858fa34321f41829911 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20Miros=C5=82aw?= <mirq-linux@rere.qmqm.pl>
+Date: Wed, 24 Jun 2020 13:35:41 +0200
+Subject: misc: atmel-ssc: lock with mutex instead of spinlock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+
+commit b037d60a3b1d1227609fd858fa34321f41829911 upstream.
+
+Uninterruptible context is not needed in the driver and causes lockdep
+warning because of mutex taken in of_alias_get_id(). Convert the lock to
+mutex to avoid the issue.
+
+Cc: stable@vger.kernel.org
+Fixes: 099343c64e16 ("ARM: at91: atmel-ssc: add device tree support")
+Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+Link: https://lore.kernel.org/r/50f0d7fa107f318296afb49477c3571e4d6978c5.1592998403.git.mirq-linux@rere.qmqm.pl
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/atmel-ssc.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+--- a/drivers/misc/atmel-ssc.c
++++ b/drivers/misc/atmel-ssc.c
+@@ -10,7 +10,7 @@
+ #include <linux/clk.h>
+ #include <linux/err.h>
+ #include <linux/io.h>
+-#include <linux/spinlock.h>
++#include <linux/mutex.h>
+ #include <linux/atmel-ssc.h>
+ #include <linux/slab.h>
+ #include <linux/module.h>
+@@ -20,7 +20,7 @@
+ #include "../../sound/soc/atmel/atmel_ssc_dai.h"
+
+ /* Serialize access to ssc_list and user count */
+-static DEFINE_SPINLOCK(user_lock);
++static DEFINE_MUTEX(user_lock);
+ static LIST_HEAD(ssc_list);
+
+ struct ssc_device *ssc_request(unsigned int ssc_num)
+@@ -28,7 +28,7 @@ struct ssc_device *ssc_request(unsigned
+ int ssc_valid = 0;
+ struct ssc_device *ssc;
+
+- spin_lock(&user_lock);
++ mutex_lock(&user_lock);
+ list_for_each_entry(ssc, &ssc_list, list) {
+ if (ssc->pdev->dev.of_node) {
+ if (of_alias_get_id(ssc->pdev->dev.of_node, "ssc")
+@@ -44,18 +44,18 @@ struct ssc_device *ssc_request(unsigned
+ }
+
+ if (!ssc_valid) {
+- spin_unlock(&user_lock);
++ mutex_unlock(&user_lock);
+ pr_err("ssc: ssc%d platform device is missing\n", ssc_num);
+ return ERR_PTR(-ENODEV);
+ }
+
+ if (ssc->user) {
+- spin_unlock(&user_lock);
++ mutex_unlock(&user_lock);
+ dev_dbg(&ssc->pdev->dev, "module busy\n");
+ return ERR_PTR(-EBUSY);
+ }
+ ssc->user++;
+- spin_unlock(&user_lock);
++ mutex_unlock(&user_lock);
+
+ clk_prepare(ssc->clk);
+
+@@ -67,14 +67,14 @@ void ssc_free(struct ssc_device *ssc)
+ {
+ bool disable_clk = true;
+
+- spin_lock(&user_lock);
++ mutex_lock(&user_lock);
+ if (ssc->user)
+ ssc->user--;
+ else {
+ disable_clk = false;
+ dev_dbg(&ssc->pdev->dev, "device already free\n");
+ }
+- spin_unlock(&user_lock);
++ mutex_unlock(&user_lock);
+
+ if (disable_clk)
+ clk_unprepare(ssc->clk);
+@@ -237,9 +237,9 @@ static int ssc_probe(struct platform_dev
+ return -ENXIO;
+ }
+
+- spin_lock(&user_lock);
++ mutex_lock(&user_lock);
+ list_add_tail(&ssc->list, &ssc_list);
+- spin_unlock(&user_lock);
++ mutex_unlock(&user_lock);
+
+ platform_set_drvdata(pdev, ssc);
+
+@@ -258,9 +258,9 @@ static int ssc_remove(struct platform_de
+
+ ssc_sound_dai_remove(ssc);
+
+- spin_lock(&user_lock);
++ mutex_lock(&user_lock);
+ list_del(&ssc->list);
+- spin_unlock(&user_lock);
++ mutex_unlock(&user_lock);
+
+ return 0;
+ }
--- /dev/null
+From 6544abc520f0fff701e9da382110dc29676c683a Mon Sep 17 00:00:00 2001
+From: Walter Lozano <walter.lozano@collabora.com>
+Date: Wed, 15 Jul 2020 23:54:52 -0300
+Subject: opp: Increase parsed_static_opps in _of_add_opp_table_v1()
+
+From: Walter Lozano <walter.lozano@collabora.com>
+
+commit 6544abc520f0fff701e9da382110dc29676c683a upstream.
+
+Currently, when using _of_add_opp_table_v2 parsed_static_opps is
+increased and this value is used in _opp_remove_all_static() to
+check if there are static opp entries that need to be freed.
+Unfortunately this does not happen when using _of_add_opp_table_v1(),
+which leads to warnings.
+
+This patch increases parsed_static_opps in _of_add_opp_table_v1() in a
+similar way as in _of_add_opp_table_v2().
+
+Fixes: 03758d60265c ("opp: Replace list_kref with a local counter")
+Cc: v5.6+ <stable@vger.kernel.org> # v5.6+
+Signed-off-by: Walter Lozano <walter.lozano@collabora.com>
+[ Viresh: Do the operation with lock held and set the value to 1 instead
+ of incrementing it ]
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/opp/of.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/opp/of.c
++++ b/drivers/opp/of.c
+@@ -733,6 +733,10 @@ static int _of_add_opp_table_v1(struct d
+ return -EINVAL;
+ }
+
++ mutex_lock(&opp_table->lock);
++ opp_table->parsed_static_opps = 1;
++ mutex_unlock(&opp_table->lock);
++
+ val = prop->value;
+ while (nr) {
+ unsigned long freq = be32_to_cpup(val++) * 1000;
--- /dev/null
+From 81a33c1ee941c3bb9ffc6bac8f676be13351344e Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Thu, 18 Jun 2020 18:43:53 +0300
+Subject: ovl: fix unneeded call to ovl_change_flags()
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit 81a33c1ee941c3bb9ffc6bac8f676be13351344e upstream.
+
+The check if user has changed the overlay file was wrong, causing unneeded
+call to ovl_change_flags() including taking f_lock on every file access.
+
+Fixes: d989903058a8 ("ovl: do not generate duplicate fsnotify events for "fake" path")
+Cc: <stable@vger.kernel.org> # v4.19+
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/file.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/fs/overlayfs/file.c
++++ b/fs/overlayfs/file.c
+@@ -32,13 +32,16 @@ static char ovl_whatisit(struct inode *i
+ return 'm';
+ }
+
++/* No atime modificaton nor notify on underlying */
++#define OVL_OPEN_FLAGS (O_NOATIME | FMODE_NONOTIFY)
++
+ static struct file *ovl_open_realfile(const struct file *file,
+ struct inode *realinode)
+ {
+ struct inode *inode = file_inode(file);
+ struct file *realfile;
+ const struct cred *old_cred;
+- int flags = file->f_flags | O_NOATIME | FMODE_NONOTIFY;
++ int flags = file->f_flags | OVL_OPEN_FLAGS;
+
+ old_cred = ovl_override_creds(inode->i_sb);
+ realfile = open_with_fake_path(&file->f_path, flags, realinode,
+@@ -59,8 +62,7 @@ static int ovl_change_flags(struct file
+ struct inode *inode = file_inode(file);
+ int err;
+
+- /* No atime modificaton on underlying */
+- flags |= O_NOATIME | FMODE_NONOTIFY;
++ flags |= OVL_OPEN_FLAGS;
+
+ /* If some flag changed that cannot be changed then something's amiss */
+ if (WARN_ON((file->f_flags ^ flags) & ~OVL_SETFL_MASK))
+@@ -113,7 +115,7 @@ static int ovl_real_fdget_meta(const str
+ }
+
+ /* Did the flags change since open? */
+- if (unlikely((file->f_flags ^ real->file->f_flags) & ~O_NOATIME))
++ if (unlikely((file->f_flags ^ real->file->f_flags) & ~OVL_OPEN_FLAGS))
+ return ovl_change_flags(real->file, file->f_flags);
+
+ return 0;
--- /dev/null
+From 24f14009b8f1754ec2ae4c168940c01259b0f88a Mon Sep 17 00:00:00 2001
+From: youngjun <her0gyugyu@gmail.com>
+Date: Tue, 16 Jun 2020 17:30:43 +0900
+Subject: ovl: inode reference leak in ovl_is_inuse true case.
+
+From: youngjun <her0gyugyu@gmail.com>
+
+commit 24f14009b8f1754ec2ae4c168940c01259b0f88a upstream.
+
+When "ovl_is_inuse" true case, trap inode reference not put. plus adding
+the comment explaining sequence of ovl_is_inuse after ovl_setup_trap.
+
+Fixes: 0be0bfd2de9d ("ovl: fix regression caused by overlapping layers detection")
+Cc: <stable@vger.kernel.org> # v4.19+
+Reviewed-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: youngjun <her0gyugyu@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/super.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -1450,14 +1450,23 @@ static int ovl_get_layers(struct super_b
+ if (err < 0)
+ goto out;
+
++ /*
++ * Check if lower root conflicts with this overlay layers before
++ * checking if it is in-use as upperdir/workdir of "another"
++ * mount, because we do not bother to check in ovl_is_inuse() if
++ * the upperdir/workdir is in fact in-use by our
++ * upperdir/workdir.
++ */
+ err = ovl_setup_trap(sb, stack[i].dentry, &trap, "lowerdir");
+ if (err)
+ goto out;
+
+ if (ovl_is_inuse(stack[i].dentry)) {
+ err = ovl_report_in_use(ofs, "lowerdir");
+- if (err)
++ if (err) {
++ iput(trap);
+ goto out;
++ }
+ }
+
+ mnt = clone_private_mount(&stack[i]);
--- /dev/null
+From 124c2de2c0aee96271e4ddab190083d8aa7aa71a Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Wed, 17 Jun 2020 09:57:11 +0300
+Subject: ovl: relax WARN_ON() when decoding lower directory file handle
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit 124c2de2c0aee96271e4ddab190083d8aa7aa71a upstream.
+
+Decoding a lower directory file handle to overlay path with cold
+inode/dentry cache may go as follows:
+
+1. Decode real lower file handle to lower dir path
+2. Check if lower dir is indexed (was copied up)
+3. If indexed, get the upper dir path from index
+4. Lookup upper dir path in overlay
+5. If overlay path found, verify that overlay lower is the lower dir
+ from step 1
+
+On failure to verify step 5 above, user will get an ESTALE error and a
+WARN_ON will be printed.
+
+A mismatch in step 5 could be a result of lower directory that was renamed
+while overlay was offline, after that lower directory has been copied up
+and indexed.
+
+This is a scripted reproducer based on xfstest overlay/052:
+
+ # Create lower subdir
+ create_dirs
+ create_test_files $lower/lowertestdir/subdir
+ mount_dirs
+ # Copy up lower dir and encode lower subdir file handle
+ touch $SCRATCH_MNT/lowertestdir
+ test_file_handles $SCRATCH_MNT/lowertestdir/subdir -p -o $tmp.fhandle
+ # Rename lower dir offline
+ unmount_dirs
+ mv $lower/lowertestdir $lower/lowertestdir.new/
+ mount_dirs
+ # Attempt to decode lower subdir file handle
+ test_file_handles $SCRATCH_MNT -p -i $tmp.fhandle
+
+Since this WARN_ON() can be triggered by user we need to relax it.
+
+Fixes: 4b91c30a5a19 ("ovl: lookup connected ancestor of dir in inode cache")
+Cc: <stable@vger.kernel.org> # v4.16+
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/export.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/overlayfs/export.c
++++ b/fs/overlayfs/export.c
+@@ -478,7 +478,7 @@ static struct dentry *ovl_lookup_real_in
+ if (IS_ERR_OR_NULL(this))
+ return this;
+
+- if (WARN_ON(ovl_dentry_real_at(this, layer->idx) != real)) {
++ if (ovl_dentry_real_at(this, layer->idx) != real) {
+ dput(this);
+ this = ERR_PTR(-EIO);
+ }
--- /dev/null
+From 192b6a780598976feb7321ff007754f8511a4129 Mon Sep 17 00:00:00 2001
+From: "Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com>
+Date: Sun, 12 Jul 2020 18:50:47 +0530
+Subject: powerpc/book3s64/pkeys: Fix pkey_access_permitted() for execute disable pkey
+
+From: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+
+commit 192b6a780598976feb7321ff007754f8511a4129 upstream.
+
+Even if the IAMR value denies execute access, the current code returns
+true from pkey_access_permitted() for an execute permission check, if
+the AMR read pkey bit is cleared.
+
+This results in repeated page fault loop with a test like below:
+
+ #define _GNU_SOURCE
+ #include <errno.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <signal.h>
+ #include <inttypes.h>
+
+ #include <assert.h>
+ #include <malloc.h>
+ #include <unistd.h>
+ #include <pthread.h>
+ #include <sys/mman.h>
+
+ #ifdef SYS_pkey_mprotect
+ #undef SYS_pkey_mprotect
+ #endif
+
+ #ifdef SYS_pkey_alloc
+ #undef SYS_pkey_alloc
+ #endif
+
+ #ifdef SYS_pkey_free
+ #undef SYS_pkey_free
+ #endif
+
+ #undef PKEY_DISABLE_EXECUTE
+ #define PKEY_DISABLE_EXECUTE 0x4
+
+ #define SYS_pkey_mprotect 386
+ #define SYS_pkey_alloc 384
+ #define SYS_pkey_free 385
+
+ #define PPC_INST_NOP 0x60000000
+ #define PPC_INST_BLR 0x4e800020
+ #define PROT_RWX (PROT_READ | PROT_WRITE | PROT_EXEC)
+
+ static int sys_pkey_mprotect(void *addr, size_t len, int prot, int pkey)
+ {
+ return syscall(SYS_pkey_mprotect, addr, len, prot, pkey);
+ }
+
+ static int sys_pkey_alloc(unsigned long flags, unsigned long access_rights)
+ {
+ return syscall(SYS_pkey_alloc, flags, access_rights);
+ }
+
+ static int sys_pkey_free(int pkey)
+ {
+ return syscall(SYS_pkey_free, pkey);
+ }
+
+ static void do_execute(void *region)
+ {
+ /* jump to region */
+ asm volatile(
+ "mtctr %0;"
+ "bctrl"
+ : : "r"(region) : "ctr", "lr");
+ }
+
+ static void do_protect(void *region)
+ {
+ size_t pgsize;
+ int i, pkey;
+
+ pgsize = getpagesize();
+
+ pkey = sys_pkey_alloc(0, PKEY_DISABLE_EXECUTE);
+ assert (pkey > 0);
+
+ /* perform mprotect */
+ assert(!sys_pkey_mprotect(region, pgsize, PROT_RWX, pkey));
+ do_execute(region);
+
+ /* free pkey */
+ assert(!sys_pkey_free(pkey));
+
+ }
+
+ int main(int argc, char **argv)
+ {
+ size_t pgsize, numinsns;
+ unsigned int *region;
+ int i;
+
+ /* allocate memory region to protect */
+ pgsize = getpagesize();
+ region = memalign(pgsize, pgsize);
+ assert(region != NULL);
+ assert(!mprotect(region, pgsize, PROT_RWX));
+
+ /* fill page with NOPs with a BLR at the end */
+ numinsns = pgsize / sizeof(region[0]);
+ for (i = 0; i < numinsns - 1; i++)
+ region[i] = PPC_INST_NOP;
+ region[i] = PPC_INST_BLR;
+
+ do_protect(region);
+
+ return EXIT_SUCCESS;
+ }
+
+The fix is to only check the IAMR for an execute check, the AMR value
+is not relevant.
+
+Fixes: f2407ef3ba22 ("powerpc: helper to validate key-access permissions of a pte")
+Cc: stable@vger.kernel.org # v4.16+
+Reported-by: Sandipan Das <sandipan@linux.ibm.com>
+Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+[mpe: Add detail to change log, tweak wording & formatting]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200712132047.1038594-1-aneesh.kumar@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/book3s64/pkeys.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/arch/powerpc/mm/book3s64/pkeys.c
++++ b/arch/powerpc/mm/book3s64/pkeys.c
+@@ -357,12 +357,14 @@ static bool pkey_access_permitted(int pk
+ return true;
+
+ pkey_shift = pkeyshift(pkey);
+- if (execute && !(read_iamr() & (IAMR_EX_BIT << pkey_shift)))
+- return true;
++ if (execute)
++ return !(read_iamr() & (IAMR_EX_BIT << pkey_shift));
++
++ amr = read_amr();
++ if (write)
++ return !(amr & (AMR_WR_BIT << pkey_shift));
+
+- amr = read_amr(); /* Delay reading amr until absolutely needed */
+- return ((!write && !(amr & (AMR_RD_BIT << pkey_shift))) ||
+- (write && !(amr & (AMR_WR_BIT << pkey_shift))));
++ return !(amr & (AMR_RD_BIT << pkey_shift));
+ }
+
+ bool arch_pte_access_permitted(u64 pte, bool write, bool execute)
--- /dev/null
+From b710d27bf72068b15b2f0305d825988183e2ff28 Mon Sep 17 00:00:00 2001
+From: Satheesh Rajendran <sathnaga@linux.vnet.ibm.com>
+Date: Fri, 19 Jun 2020 12:31:13 +0530
+Subject: powerpc/pseries/svm: Fix incorrect check for shared_lppaca_size
+
+From: Satheesh Rajendran <sathnaga@linux.vnet.ibm.com>
+
+commit b710d27bf72068b15b2f0305d825988183e2ff28 upstream.
+
+Early secure guest boot hits the below crash while booting with
+vcpus numbers aligned with page boundary for PAGE size of 64k
+and LPPACA size of 1k i.e 64, 128 etc.
+
+ Partition configured for 64 cpus.
+ CPU maps initialized for 1 thread per core
+ ------------[ cut here ]------------
+ kernel BUG at arch/powerpc/kernel/paca.c:89!
+ Oops: Exception in kernel mode, sig: 5 [#1]
+ LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
+
+This is due to the BUG_ON() for shared_lppaca_total_size equal to
+shared_lppaca_size. Instead the code should only BUG_ON() if we have
+exceeded the total_size, which indicates we've overflowed the array.
+
+Fixes: bd104e6db6f0 ("powerpc/pseries/svm: Use shared memory for LPPACA structures")
+Cc: stable@vger.kernel.org # v5.4+
+Signed-off-by: Satheesh Rajendran <sathnaga@linux.vnet.ibm.com>
+Reviewed-by: Laurent Dufour <ldufour@linux.ibm.com>
+Reviewed-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
+[mpe: Reword change log to clarify we're fixing not removing the check]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200619070113.16696-1-sathnaga@linux.vnet.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/paca.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/paca.c
++++ b/arch/powerpc/kernel/paca.c
+@@ -86,7 +86,7 @@ static void *__init alloc_shared_lppaca(
+ * This is very early in boot, so no harm done if the kernel crashes at
+ * this point.
+ */
+- BUG_ON(shared_lppaca_size >= shared_lppaca_total_size);
++ BUG_ON(shared_lppaca_size > shared_lppaca_total_size);
+
+ return ptr;
+ }
--- /dev/null
+From 93b9de223c0135db495c25334e66cb669bef13e2 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 6 Jul 2020 17:47:35 -0700
+Subject: Revert "Input: elants_i2c - report resolution information for touch major"
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 93b9de223c0135db495c25334e66cb669bef13e2 upstream.
+
+This reverts commit 061706716384f1633d3d5090b22a99f33f1fcf2f - it turns
+out that the resolution of 1 unit per mm was not correct for a number of
+touch screens, causing touch sizes to be reported as way too large.
+See https://crbug.com/1085648
+
+Reported-by: Harry Cutts <hcutts@chromium.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/elants_i2c.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/input/touchscreen/elants_i2c.c
++++ b/drivers/input/touchscreen/elants_i2c.c
+@@ -1318,7 +1318,6 @@ static int elants_i2c_probe(struct i2c_c
+ 0, MT_TOOL_PALM, 0, 0);
+ input_abs_set_res(ts->input, ABS_MT_POSITION_X, ts->x_res);
+ input_abs_set_res(ts->input, ABS_MT_POSITION_Y, ts->y_res);
+- input_abs_set_res(ts->input, ABS_MT_TOUCH_MAJOR, 1);
+
+ error = input_register_device(ts->input);
+ if (error) {
--- /dev/null
+From 853eab68afc80f59f36bbdeb715e5c88c501e680 Mon Sep 17 00:00:00 2001
+From: Wade Mealing <wmealing@redhat.com>
+Date: Wed, 17 Jun 2020 13:49:47 +0200
+Subject: Revert "zram: convert remaining CLASS_ATTR() to CLASS_ATTR_RO()"
+
+From: Wade Mealing <wmealing@redhat.com>
+
+commit 853eab68afc80f59f36bbdeb715e5c88c501e680 upstream.
+
+Turns out that the permissions for 0400 really are what we want here,
+otherwise any user can read from this file.
+
+[fixed formatting, added changelog, and made attribute static - gregkh]
+
+Reported-by: Wade Mealing <wmealing@redhat.com>
+Cc: stable <stable@vger.kernel.org>
+Fixes: f40609d1591f ("zram: convert remaining CLASS_ATTR() to CLASS_ATTR_RO()")
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=1847832
+Reviewed-by: Steffen Maier <maier@linux.ibm.com>
+Acked-by: Minchan Kim <minchan@kernel.org>
+Link: https://lore.kernel.org/r/20200617114946.GA2131650@kroah.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/zram/zram_drv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/zram/zram_drv.c
++++ b/drivers/block/zram/zram_drv.c
+@@ -2025,7 +2025,8 @@ static ssize_t hot_add_show(struct class
+ return ret;
+ return scnprintf(buf, PAGE_SIZE, "%d\n", ret);
+ }
+-static CLASS_ATTR_RO(hot_add);
++static struct class_attribute class_attr_hot_add =
++ __ATTR(hot_add, 0400, hot_add_show, NULL);
+
+ static ssize_t hot_remove_store(struct class *class,
+ struct class_attribute *attr,
--- /dev/null
+From 0cac21b02ba5f3095fd2dcc77c26a25a0b2432ed Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@suse.de>
+Date: Mon, 6 Jul 2020 14:32:26 +0200
+Subject: riscv: use 16KB kernel stack on 64-bit
+
+From: Andreas Schwab <schwab@suse.de>
+
+commit 0cac21b02ba5f3095fd2dcc77c26a25a0b2432ed upstream.
+
+With the current 8KB stack size there are frequent overflows in a 64-bit
+configuration. We may split IRQ stacks off in the future, but this fixes a
+number of issues right now.
+
+Signed-off-by: Andreas Schwab <schwab@suse.de>
+Reviewed-by: Anup Patel <anup@brainfault.org>
+[Palmer: mention irqstack in the commit text]
+Fixes: 7db91e57a0ac ("RISC-V: Task implementation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/riscv/include/asm/thread_info.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/riscv/include/asm/thread_info.h
++++ b/arch/riscv/include/asm/thread_info.h
+@@ -12,7 +12,11 @@
+ #include <linux/const.h>
+
+ /* thread information allocation */
++#ifdef CONFIG_64BIT
++#define THREAD_SIZE_ORDER (2)
++#else
+ #define THREAD_SIZE_ORDER (1)
++#endif
+ #define THREAD_SIZE (PAGE_SIZE << THREAD_SIZE_ORDER)
+
+ #ifndef __ASSEMBLY__
--- /dev/null
+From 01cfcde9c26d8555f0e6e9aea9d6049f87683998 Mon Sep 17 00:00:00 2001
+From: Vincent Guittot <vincent.guittot@linaro.org>
+Date: Fri, 10 Jul 2020 17:24:26 +0200
+Subject: sched/fair: handle case of task_h_load() returning 0
+
+From: Vincent Guittot <vincent.guittot@linaro.org>
+
+commit 01cfcde9c26d8555f0e6e9aea9d6049f87683998 upstream.
+
+task_h_load() can return 0 in some situations like running stress-ng
+mmapfork, which forks thousands of threads, in a sched group on a 224 cores
+system. The load balance doesn't handle this correctly because
+env->imbalance never decreases and it will stop pulling tasks only after
+reaching loop_max, which can be equal to the number of running tasks of
+the cfs. Make sure that imbalance will be decreased by at least 1.
+
+misfit task is the other feature that doesn't handle correctly such
+situation although it's probably more difficult to face the problem
+because of the smaller number of CPUs and running tasks on heterogenous
+system.
+
+We can't simply ensure that task_h_load() returns at least one because it
+would imply to handle underflow in other places.
+
+Signed-off-by: Vincent Guittot <vincent.guittot@linaro.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Valentin Schneider <valentin.schneider@arm.com>
+Reviewed-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
+Tested-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
+Cc: <stable@vger.kernel.org> # v4.4+
+Link: https://lkml.kernel.org/r/20200710152426.16981-1-vincent.guittot@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sched/fair.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -4033,7 +4033,11 @@ static inline void update_misfit_status(
+ return;
+ }
+
+- rq->misfit_task_load = task_h_load(p);
++ /*
++ * Make sure that misfit_task_load will not be null even if
++ * task_h_load() returns 0.
++ */
++ rq->misfit_task_load = max_t(unsigned long, task_h_load(p), 1);
+ }
+
+ #else /* CONFIG_SMP */
+@@ -7633,7 +7637,14 @@ static int detach_tasks(struct lb_env *e
+
+ switch (env->migration_type) {
+ case migrate_load:
+- load = task_h_load(p);
++ /*
++ * Depending of the number of CPUs and tasks and the
++ * cgroup hierarchy, task_h_load() can return a null
++ * value. Make sure that env->imbalance decreases
++ * otherwise detach_tasks() will stop only after
++ * detaching up to loop_max tasks.
++ */
++ load = max_t(unsigned long, task_h_load(p), 1);
+
+ if (sched_feat(LB_MIN) &&
+ load < 16 && !env->sd->nr_balance_failed)
--- /dev/null
+From ce3614daabea8a2d01c1dd17ae41d1ec5e5ae7db Mon Sep 17 00:00:00 2001
+From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Date: Mon, 6 Jul 2020 16:49:10 -0400
+Subject: sched: Fix unreliable rseq cpu_id for new tasks
+
+From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+
+commit ce3614daabea8a2d01c1dd17ae41d1ec5e5ae7db upstream.
+
+While integrating rseq into glibc and replacing glibc's sched_getcpu
+implementation with rseq, glibc's tests discovered an issue with
+incorrect __rseq_abi.cpu_id field value right after the first time
+a newly created process issues sched_setaffinity.
+
+For the records, it triggers after building glibc and running tests, and
+then issuing:
+
+ for x in {1..2000} ; do posix/tst-affinity-static & done
+
+and shows up as:
+
+error: Unexpected CPU 2, expected 0
+error: Unexpected CPU 2, expected 0
+error: Unexpected CPU 2, expected 0
+error: Unexpected CPU 2, expected 0
+error: Unexpected CPU 138, expected 0
+error: Unexpected CPU 138, expected 0
+error: Unexpected CPU 138, expected 0
+error: Unexpected CPU 138, expected 0
+
+This is caused by the scheduler invoking __set_task_cpu() directly from
+sched_fork() and wake_up_new_task(), thus bypassing rseq_migrate() which
+is done by set_task_cpu().
+
+Add the missing rseq_migrate() to both functions. The only other direct
+use of __set_task_cpu() is done by init_idle(), which does not involve a
+user-space task.
+
+Based on my testing with the glibc test-case, just adding rseq_migrate()
+to wake_up_new_task() is sufficient to fix the observed issue. Also add
+it to sched_fork() to keep things consistent.
+
+The reason why this never triggered so far with the rseq/basic_test
+selftest is unclear.
+
+The current use of sched_getcpu(3) does not typically require it to be
+always accurate. However, use of the __rseq_abi.cpu_id field within rseq
+critical sections requires it to be accurate. If it is not accurate, it
+can cause corruption in the per-cpu data targeted by rseq critical
+sections in user-space.
+
+Reported-By: Florian Weimer <fweimer@redhat.com>
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Tested-By: Florian Weimer <fweimer@redhat.com>
+Cc: stable@vger.kernel.org # v4.18+
+Link: https://lkml.kernel.org/r/20200707201505.2632-1-mathieu.desnoyers@efficios.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sched/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -2876,6 +2876,7 @@ int sched_fork(unsigned long clone_flags
+ * Silence PROVE_RCU.
+ */
+ raw_spin_lock_irqsave(&p->pi_lock, flags);
++ rseq_migrate(p);
+ /*
+ * We're setting the CPU for the first time, we don't migrate,
+ * so use __set_task_cpu().
+@@ -2940,6 +2941,7 @@ void wake_up_new_task(struct task_struct
+ * as we're not fully set-up yet.
+ */
+ p->recent_used_cpu = task_cpu(p);
++ rseq_migrate(p);
+ __set_task_cpu(p, select_task_rq(p, task_cpu(p), SD_BALANCE_FORK, 0));
+ #endif
+ rq = __task_rq_lock(p, &rf);
--- /dev/null
+From 07d3f04550023395bbf34b99ec7e00fc50d9859f Mon Sep 17 00:00:00 2001
+From: Chandrakanth Patil <chandrakanth.patil@broadcom.com>
+Date: Wed, 15 Jul 2020 17:31:53 +0530
+Subject: scsi: megaraid_sas: Remove undefined ENABLE_IRQ_POLL macro
+
+From: Chandrakanth Patil <chandrakanth.patil@broadcom.com>
+
+commit 07d3f04550023395bbf34b99ec7e00fc50d9859f upstream.
+
+As the ENABLE_IRQ_POLL macro is undefined, the check for ENABLE_IRQ_POLL
+macro in ISR will always be false. This leads to irq polling being
+non-functional.
+
+Remove ENABLE_IRQ_POLL check from ISR.
+
+Link: https://lore.kernel.org/r/20200715120153.20512-1-chandrakanth.patil@broadcom.com
+Fixes: a6ffd5bf6819 ("scsi: megaraid_sas: Call disable_irq from process IRQ")
+Cc: <stable@vger.kernel.org> # v5.3+
+Signed-off-by: Chandrakanth Patil <chandrakanth.patil@broadcom.com>
+Signed-off-by: Kashyap Desai <kashyap.desai@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/megaraid/megaraid_sas_fusion.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
++++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
+@@ -3797,10 +3797,8 @@ static irqreturn_t megasas_isr_fusion(in
+ if (instance->mask_interrupts)
+ return IRQ_NONE;
+
+-#if defined(ENABLE_IRQ_POLL)
+ if (irq_context->irq_poll_scheduled)
+ return IRQ_HANDLED;
+-#endif
+
+ if (!instance->msix_vectors) {
+ mfiStatus = instance->instancet->clear_intr(instance);
revert-serial-core-refactor-uart_unlock_and_check_sysrq.patch
serial-core-fix-sysrq-overhead-regression.patch
ovl-fix-regression-with-re-formatted-lower-squashfs.patch
+ovl-inode-reference-leak-in-ovl_is_inuse-true-case.patch
+ovl-relax-warn_on-when-decoding-lower-directory-file-handle.patch
+ovl-fix-unneeded-call-to-ovl_change_flags.patch
+fuse-ignore-data-argument-of-mount-...-ms_remount.patch
+fuse-use-reconfigure-instead-of-remount_fs.patch
+fuse-fix-parameter-for-fs_ioc_-get-set-flags.patch
+revert-zram-convert-remaining-class_attr-to-class_attr_ro.patch
+mei-bus-don-t-clean-driver-pointer.patch
+revert-input-elants_i2c-report-resolution-information-for-touch-major.patch
+input-i8042-add-lenovo-xiaoxin-air-12-to-i8042-nomux-list.patch
+input-elan_i2c-add-more-hardware-id-for-lenovo-laptops.patch
+coresight-etmv4-fix-cpu-power-management-setup-in-probe-function.patch
+uio_pdrv_genirq-remove-warning-when-irq-is-not-specified.patch
+uio_pdrv_genirq-fix-use-without-device-tree-and-no-interrupt.patch
+scsi-megaraid_sas-remove-undefined-enable_irq_poll-macro.patch
+timer-prevent-base-clk-from-moving-backward.patch
+timer-fix-wheel-index-calculation-on-last-level.patch
+riscv-use-16kb-kernel-stack-on-64-bit.patch
+hwmon-emc2103-fix-unable-to-change-fan-pwm1_enable-attribute.patch
+hwmon-drivetemp-avoid-sct-usage-on-toshiba-dt01aca-family-drives.patch
+powerpc-book3s64-pkeys-fix-pkey_access_permitted-for-execute-disable-pkey.patch
+powerpc-pseries-svm-fix-incorrect-check-for-shared_lppaca_size.patch
+intel_th-pci-add-jasper-lake-cpu-support.patch
+intel_th-pci-add-tiger-lake-pch-h-support.patch
+intel_th-pci-add-emmitsburg-pch-support.patch
+intel_th-fix-a-null-dereference-when-hub-driver-is-not-loaded.patch
+opp-increase-parsed_static_opps-in-_of_add_opp_table_v1.patch
+dmaengine-fsl-edma-fix-null-pointer-exception-in-fsl_edma_tx_handler.patch
+dmaengine-mcf-edma-fix-null-pointer-exception-in-mcf_edma_tx_handler.patch
+dmaengine-fsl-edma-common-correct-dsize_32byte.patch
+misc-atmel-ssc-lock-with-mutex-instead-of-spinlock.patch
+dmabuf-use-spinlock-to-access-dmabuf-name.patch
+thermal-int3403_thermal-downgrade-error-message.patch
+arm-dts-imx6qdl-gw551x-fix-audio-ssi.patch
+arm64-dts-agilex-add-status-to-qspi-dts-node.patch
+arm64-dts-stratix10-add-status-to-qspi-dts-node.patch
+arm64-dts-stratix10-increase-qspi-reg-address-in-nand-dts-file.patch
+arm64-ptrace-override-spsr.ss-when-single-stepping-is-enabled.patch
+arm64-ptrace-consistently-use-pseudo-singlestep-exceptions.patch
+arm64-compat-ensure-upper-32-bits-of-x0-are-zero-on-syscall-return.patch
+sched-fix-unreliable-rseq-cpu_id-for-new-tasks.patch
+sched-fair-handle-case-of-task_h_load-returning-0.patch
+x86-ioperm-fix-io-bitmap-invalidation-on-xen-pv.patch
+genirq-affinity-handle-affinity-setting-on-inactive-interrupts-correctly.patch
+drm-vmwgfx-fix-update-of-display-surface-when-resolution-changes.patch
+drm-amdgpu-powerplay-modify-smc-message-name-for-setting-power-profile-mode.patch
+drm-amdgpu-sdma5-fix-wptr-overwritten-in-get_wptr.patch
+drm-amd-display-handle-failed-allocation-during-stream-construction.patch
+drm-amd-display-oled-panel-backlight-adjust-not-work-with-external-display-connected.patch
+drm-amdgpu-display-create-fake-mst-encoders-ahead-of-time-v4.patch
+drm-i915-move-cec_notifier-to-intel_hdmi_connector_unregister-v2.patch
+drm-i915-gt-ignore-irq-enabling-on-the-virtual-engines.patch
+drm-i915-gt-only-swap-to-a-random-sibling-once-upon-creation.patch
--- /dev/null
+From f3d7fb38976b1b0a8462ba1c7cbd404ddfaad086 Mon Sep 17 00:00:00 2001
+From: Alex Hung <alex.hung@canonical.com>
+Date: Mon, 15 Jun 2020 16:39:57 -0600
+Subject: thermal: int3403_thermal: Downgrade error message
+
+From: Alex Hung <alex.hung@canonical.com>
+
+commit f3d7fb38976b1b0a8462ba1c7cbd404ddfaad086 upstream.
+
+Downgrade "Unsupported event" message from dev_err to dev_dbg to avoid
+flooding with this message on some platforms.
+
+Cc: stable@vger.kernel.org # v5.4+
+Suggested-by: Zhang Rui <rui.zhang@intel.com>
+Signed-off-by: Alex Hung <alex.hung@canonical.com>
+[ rzhang: fix typo in changelog ]
+Signed-off-by: Zhang Rui <rui.zhang@intel.com>
+Link: https://lore.kernel.org/r/20200615223957.183153-1-alex.hung@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/thermal/intel/int340x_thermal/int3403_thermal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/thermal/intel/int340x_thermal/int3403_thermal.c
++++ b/drivers/thermal/intel/int340x_thermal/int3403_thermal.c
+@@ -74,7 +74,7 @@ static void int3403_notify(acpi_handle h
+ THERMAL_TRIP_CHANGED);
+ break;
+ default:
+- dev_err(&priv->pdev->dev, "Unsupported event [0x%x]\n", event);
++ dev_dbg(&priv->pdev->dev, "Unsupported event [0x%x]\n", event);
+ break;
+ }
+ }
--- /dev/null
+From e2a71bdea81690b6ef11f4368261ec6f5b6891aa Mon Sep 17 00:00:00 2001
+From: Frederic Weisbecker <frederic@kernel.org>
+Date: Fri, 17 Jul 2020 16:05:40 +0200
+Subject: timer: Fix wheel index calculation on last level
+
+From: Frederic Weisbecker <frederic@kernel.org>
+
+commit e2a71bdea81690b6ef11f4368261ec6f5b6891aa upstream.
+
+When an expiration delta falls into the last level of the wheel, that delta
+has be compared against the maximum possible delay and reduced to fit in if
+necessary.
+
+However instead of comparing the delta against the maximum, the code
+compares the actual expiry against the maximum. Then instead of fixing the
+delta to fit in, it sets the maximum delta as the expiry value.
+
+This can result in various undesired outcomes, the worst possible one
+being a timer expiring 15 days ahead to fire immediately.
+
+Fixes: 500462a9de65 ("timers: Switch to a non-cascading wheel")
+Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20200717140551.29076-2-frederic@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/time/timer.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/time/timer.c
++++ b/kernel/time/timer.c
+@@ -522,8 +522,8 @@ static int calc_wheel_index(unsigned lon
+ * Force expire obscene large timeouts to expire at the
+ * capacity limit of the wheel.
+ */
+- if (expires >= WHEEL_TIMEOUT_CUTOFF)
+- expires = WHEEL_TIMEOUT_MAX;
++ if (delta >= WHEEL_TIMEOUT_CUTOFF)
++ expires = clk + WHEEL_TIMEOUT_MAX;
+
+ idx = calc_index(expires, LVL_DEPTH - 1);
+ }
--- /dev/null
+From 30c66fc30ee7a98c4f3adf5fb7e213b61884474f Mon Sep 17 00:00:00 2001
+From: Frederic Weisbecker <frederic@kernel.org>
+Date: Fri, 3 Jul 2020 03:06:57 +0200
+Subject: timer: Prevent base->clk from moving backward
+
+From: Frederic Weisbecker <frederic@kernel.org>
+
+commit 30c66fc30ee7a98c4f3adf5fb7e213b61884474f upstream.
+
+When a timer is enqueued with a negative delta (ie: expiry is below
+base->clk), it gets added to the wheel as expiring now (base->clk).
+
+Yet the value that gets stored in base->next_expiry, while calling
+trigger_dyntick_cpu(), is the initial timer->expires value. The
+resulting state becomes:
+
+ base->next_expiry < base->clk
+
+On the next timer enqueue, forward_timer_base() may accidentally
+rewind base->clk. As a possible outcome, timers may expire way too
+early, the worst case being that the highest wheel levels get spuriously
+processed again.
+
+To prevent from that, make sure that base->next_expiry doesn't get below
+base->clk.
+
+Fixes: a683f390b93f ("timers: Forward the wheel clock whenever possible")
+Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Anna-Maria Behnsen <anna-maria@linutronix.de>
+Tested-by: Juri Lelli <juri.lelli@redhat.com>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20200703010657.2302-1-frederic@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/time/timer.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+--- a/kernel/time/timer.c
++++ b/kernel/time/timer.c
+@@ -585,7 +585,15 @@ trigger_dyntick_cpu(struct timer_base *b
+ * Set the next expiry time and kick the CPU so it can reevaluate the
+ * wheel:
+ */
+- base->next_expiry = timer->expires;
++ if (time_before(timer->expires, base->clk)) {
++ /*
++ * Prevent from forward_timer_base() moving the base->clk
++ * backward
++ */
++ base->next_expiry = base->clk;
++ } else {
++ base->next_expiry = timer->expires;
++ }
+ wake_up_nohz_cpu(base->cpu);
+ }
+
+@@ -897,10 +905,13 @@ static inline void forward_timer_base(st
+ * If the next expiry value is > jiffies, then we fast forward to
+ * jiffies otherwise we forward to the next expiry value.
+ */
+- if (time_after(base->next_expiry, jnow))
++ if (time_after(base->next_expiry, jnow)) {
+ base->clk = jnow;
+- else
++ } else {
++ if (WARN_ON_ONCE(time_before(base->next_expiry, base->clk)))
++ return;
+ base->clk = base->next_expiry;
++ }
+ #endif
+ }
+
--- /dev/null
+From bf12fdf0ab728ca8e5933aac46dd972c0dd0421e Mon Sep 17 00:00:00 2001
+From: Esben Haabendal <esben@geanix.com>
+Date: Wed, 1 Jul 2020 16:56:58 +0200
+Subject: uio_pdrv_genirq: fix use without device tree and no interrupt
+
+From: Esben Haabendal <esben@geanix.com>
+
+commit bf12fdf0ab728ca8e5933aac46dd972c0dd0421e upstream.
+
+While e3a3c3a20555 ("UIO: fix uio_pdrv_genirq with device tree but no
+interrupt") added support for using uio_pdrv_genirq for devices without
+interrupt for device tree platforms, the removal of uio_pdrv in
+26dac3c49d56 ("uio: Remove uio_pdrv and use uio_pdrv_genirq instead")
+broke the support for non device tree platforms.
+
+This change fixes this, so that uio_pdrv_genirq can be used without
+interrupt on all platforms.
+
+This still leaves the support that uio_pdrv had for custom interrupt
+handler lacking, as uio_pdrv_genirq does not handle it (yet).
+
+Fixes: 26dac3c49d56 ("uio: Remove uio_pdrv and use uio_pdrv_genirq instead")
+Signed-off-by: Esben Haabendal <esben@geanix.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20200701145659.3978-3-esben@geanix.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/uio/uio_pdrv_genirq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/uio/uio_pdrv_genirq.c
++++ b/drivers/uio/uio_pdrv_genirq.c
+@@ -161,7 +161,7 @@ static int uio_pdrv_genirq_probe(struct
+ if (!uioinfo->irq) {
+ ret = platform_get_irq_optional(pdev, 0);
+ uioinfo->irq = ret;
+- if (ret == -ENXIO && pdev->dev.of_node)
++ if (ret == -ENXIO)
+ uioinfo->irq = UIO_IRQ_NONE;
+ else if (ret == -EPROBE_DEFER)
+ return ret;
--- /dev/null
+From 324ac45f25e634eca6346953ae531e8da3e0c73d Mon Sep 17 00:00:00 2001
+From: Esben Haabendal <esben@geanix.com>
+Date: Wed, 1 Jul 2020 16:56:57 +0200
+Subject: uio_pdrv_genirq: Remove warning when irq is not specified
+
+From: Esben Haabendal <esben@geanix.com>
+
+commit 324ac45f25e634eca6346953ae531e8da3e0c73d upstream.
+
+Since e3a3c3a20555 ("UIO: fix uio_pdrv_genirq with device tree but no
+interrupt"), the uio_pdrv_genirq has supported use without interrupt,
+so the change in 7723f4c5ecdb ("driver core: platform: Add an error
+message to") added false warnings for those cases.
+
+Fixes: 7723f4c5ecdb ("driver core: platform: Add an error message to platform_get_irq*()")
+Signed-off-by: Esben Haabendal <esben@geanix.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20200701145659.3978-2-esben@geanix.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/uio/uio_pdrv_genirq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/uio/uio_pdrv_genirq.c
++++ b/drivers/uio/uio_pdrv_genirq.c
+@@ -159,7 +159,7 @@ static int uio_pdrv_genirq_probe(struct
+ priv->pdev = pdev;
+
+ if (!uioinfo->irq) {
+- ret = platform_get_irq(pdev, 0);
++ ret = platform_get_irq_optional(pdev, 0);
+ uioinfo->irq = ret;
+ if (ret == -ENXIO && pdev->dev.of_node)
+ uioinfo->irq = UIO_IRQ_NONE;
--- /dev/null
+From cadfad870154e14f745ec845708bc17d166065f2 Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Fri, 17 Jul 2020 16:53:55 -0700
+Subject: x86/ioperm: Fix io bitmap invalidation on Xen PV
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit cadfad870154e14f745ec845708bc17d166065f2 upstream.
+
+tss_invalidate_io_bitmap() wasn't wired up properly through the pvop
+machinery, so the TSS and Xen's io bitmap would get out of sync
+whenever disabling a valid io bitmap.
+
+Add a new pvop for tss_invalidate_io_bitmap() to fix it.
+
+This is XSA-329.
+
+Fixes: 22fe5b0439dd ("x86/ioperm: Move TSS bitmap update to exit to user work")
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/d53075590e1f91c19f8af705059d3ff99424c020.1595030016.git.luto@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/io_bitmap.h | 16 ++++++++++++++++
+ arch/x86/include/asm/paravirt.h | 5 +++++
+ arch/x86/include/asm/paravirt_types.h | 1 +
+ arch/x86/kernel/paravirt.c | 3 ++-
+ arch/x86/kernel/process.c | 18 ++----------------
+ arch/x86/xen/enlighten_pv.c | 12 ++++++++++++
+ 6 files changed, 38 insertions(+), 17 deletions(-)
+
+--- a/arch/x86/include/asm/io_bitmap.h
++++ b/arch/x86/include/asm/io_bitmap.h
+@@ -19,12 +19,28 @@ struct task_struct;
+ void io_bitmap_share(struct task_struct *tsk);
+ void io_bitmap_exit(struct task_struct *tsk);
+
++static inline void native_tss_invalidate_io_bitmap(void)
++{
++ /*
++ * Invalidate the I/O bitmap by moving io_bitmap_base outside the
++ * TSS limit so any subsequent I/O access from user space will
++ * trigger a #GP.
++ *
++ * This is correct even when VMEXIT rewrites the TSS limit
++ * to 0x67 as the only requirement is that the base points
++ * outside the limit.
++ */
++ this_cpu_write(cpu_tss_rw.x86_tss.io_bitmap_base,
++ IO_BITMAP_OFFSET_INVALID);
++}
++
+ void native_tss_update_io_bitmap(void);
+
+ #ifdef CONFIG_PARAVIRT_XXL
+ #include <asm/paravirt.h>
+ #else
+ #define tss_update_io_bitmap native_tss_update_io_bitmap
++#define tss_invalidate_io_bitmap native_tss_invalidate_io_bitmap
+ #endif
+
+ #else
+--- a/arch/x86/include/asm/paravirt.h
++++ b/arch/x86/include/asm/paravirt.h
+@@ -296,6 +296,11 @@ static inline void write_idt_entry(gate_
+ }
+
+ #ifdef CONFIG_X86_IOPL_IOPERM
++static inline void tss_invalidate_io_bitmap(void)
++{
++ PVOP_VCALL0(cpu.invalidate_io_bitmap);
++}
++
+ static inline void tss_update_io_bitmap(void)
+ {
+ PVOP_VCALL0(cpu.update_io_bitmap);
+--- a/arch/x86/include/asm/paravirt_types.h
++++ b/arch/x86/include/asm/paravirt_types.h
+@@ -141,6 +141,7 @@ struct pv_cpu_ops {
+ void (*load_sp0)(unsigned long sp0);
+
+ #ifdef CONFIG_X86_IOPL_IOPERM
++ void (*invalidate_io_bitmap)(void);
+ void (*update_io_bitmap)(void);
+ #endif
+
+--- a/arch/x86/kernel/paravirt.c
++++ b/arch/x86/kernel/paravirt.c
+@@ -343,7 +343,8 @@ struct paravirt_patch_template pv_ops =
+ .cpu.swapgs = native_swapgs,
+
+ #ifdef CONFIG_X86_IOPL_IOPERM
+- .cpu.update_io_bitmap = native_tss_update_io_bitmap,
++ .cpu.invalidate_io_bitmap = native_tss_invalidate_io_bitmap,
++ .cpu.update_io_bitmap = native_tss_update_io_bitmap,
+ #endif
+
+ .cpu.start_context_switch = paravirt_nop,
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -322,20 +322,6 @@ void arch_setup_new_exec(void)
+ }
+
+ #ifdef CONFIG_X86_IOPL_IOPERM
+-static inline void tss_invalidate_io_bitmap(struct tss_struct *tss)
+-{
+- /*
+- * Invalidate the I/O bitmap by moving io_bitmap_base outside the
+- * TSS limit so any subsequent I/O access from user space will
+- * trigger a #GP.
+- *
+- * This is correct even when VMEXIT rewrites the TSS limit
+- * to 0x67 as the only requirement is that the base points
+- * outside the limit.
+- */
+- tss->x86_tss.io_bitmap_base = IO_BITMAP_OFFSET_INVALID;
+-}
+-
+ static inline void switch_to_bitmap(unsigned long tifp)
+ {
+ /*
+@@ -346,7 +332,7 @@ static inline void switch_to_bitmap(unsi
+ * user mode.
+ */
+ if (tifp & _TIF_IO_BITMAP)
+- tss_invalidate_io_bitmap(this_cpu_ptr(&cpu_tss_rw));
++ tss_invalidate_io_bitmap();
+ }
+
+ static void tss_copy_io_bitmap(struct tss_struct *tss, struct io_bitmap *iobm)
+@@ -380,7 +366,7 @@ void native_tss_update_io_bitmap(void)
+ u16 *base = &tss->x86_tss.io_bitmap_base;
+
+ if (!test_thread_flag(TIF_IO_BITMAP)) {
+- tss_invalidate_io_bitmap(tss);
++ native_tss_invalidate_io_bitmap();
+ return;
+ }
+
+--- a/arch/x86/xen/enlighten_pv.c
++++ b/arch/x86/xen/enlighten_pv.c
+@@ -841,6 +841,17 @@ static void xen_load_sp0(unsigned long s
+ }
+
+ #ifdef CONFIG_X86_IOPL_IOPERM
++static void xen_invalidate_io_bitmap(void)
++{
++ struct physdev_set_iobitmap iobitmap = {
++ .bitmap = 0,
++ .nr_ports = 0,
++ };
++
++ native_tss_invalidate_io_bitmap();
++ HYPERVISOR_physdev_op(PHYSDEVOP_set_iobitmap, &iobitmap);
++}
++
+ static void xen_update_io_bitmap(void)
+ {
+ struct physdev_set_iobitmap iobitmap;
+@@ -1070,6 +1081,7 @@ static const struct pv_cpu_ops xen_cpu_o
+ .load_sp0 = xen_load_sp0,
+
+ #ifdef CONFIG_X86_IOPL_IOPERM
++ .invalidate_io_bitmap = xen_invalidate_io_bitmap,
+ .update_io_bitmap = xen_update_io_bitmap,
+ #endif
+ .io_delay = xen_io_delay,
projects / thirdparty / kernel / stable-queue.git / commitdiff
