--- /dev/null
+From 08257610302159e08fd4f5d33787807374ea63c7 Mon Sep 17 00:00:00 2001
+From: Sibi Sankar <sibis@codeaurora.org>
+Date: Tue, 30 Jun 2020 13:49:38 +0530
+Subject: arm64: dts: qcom: sc7180: Drop the unused non-MSA SID
+
+From: Sibi Sankar <sibis@codeaurora.org>
+
+commit 08257610302159e08fd4f5d33787807374ea63c7 upstream.
+
+Having a non-MSA (Modem Self-Authentication) SID bypassed breaks modem
+sandboxing, i.e. if a transaction were to originate from it, the hardware
+memory protection units (XPUs) would fail to flag it (any transaction
+originating from the modem is historically termed an MSA transaction).
+Drop the unused non-MSA modem SID on SC7180 SoCs and cheza so that the SMMU
+continues to block such transactions.
+
+Tested-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Fixes: bec71ba243e95 ("arm64: dts: qcom: sc7180: Update Q6V5 MSS node")
+Fixes: 68aee4af5f620 ("arm64: dts: qcom: sdm845-cheza: Add iommus property")
+Cc: stable@vger.kernel.org
+Reported-by: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
+Signed-off-by: Sibi Sankar <sibis@codeaurora.org>
+Link: https://lore.kernel.org/r/20200630081938.8131-1-sibis@codeaurora.org
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/boot/dts/qcom/sc7180-idp.dts | 2 +-
+ arch/arm64/boot/dts/qcom/sdm845-cheza.dtsi | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/boot/dts/qcom/sc7180-idp.dts
++++ b/arch/arm64/boot/dts/qcom/sc7180-idp.dts
+@@ -312,7 +312,7 @@
+ &remoteproc_mpss {
+ status = "okay";
+ compatible = "qcom,sc7180-mss-pil";
+- iommus = <&apps_smmu 0x460 0x1>, <&apps_smmu 0x444 0x3>;
++ iommus = <&apps_smmu 0x461 0x0>, <&apps_smmu 0x444 0x3>;
+ memory-region = <&mba_mem &mpss_mem>;
+ };
+
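Review bot: The rewritten `iommus` line in `&remoteproc_mpss` gives no hint that the neighbouring stream ID is left out on purpose. With the old `0x460 0x1` entry the mask bit made the SMMU match both 0x460 and 0x461, so the new `0x461 0x0` entry is what keeps the non-MSA SID (presumably 0x460) unmapped and therefore blocked. A comment above the property such as `/* MSA SID only: the non-MSA modem SID must stay unmapped so the SMMU faults it */` would stop a later cleanup from folding the pair back into a masked entry. The same comment is worth adding above `iommus` in the `&mss_pil` hunk of sdm845-cheza.dtsi (0x781 in place of `0x780 0x1`).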
+--- a/arch/arm64/boot/dts/qcom/sdm845-cheza.dtsi
++++ b/arch/arm64/boot/dts/qcom/sdm845-cheza.dtsi
+@@ -634,7 +634,7 @@ ap_ts_i2c: &i2c14 {
+ };
+
+ &mss_pil {
+- iommus = <&apps_smmu 0x780 0x1>,
++ iommus = <&apps_smmu 0x781 0x0>,
+ <&apps_smmu 0x724 0x3>;
+ };
+
--- /dev/null
+From 539707caa1a89ee4efc57b4e4231c20c46575ccc Mon Sep 17 00:00:00 2001
+From: Shaokun Zhang <zhangshaokun@hisilicon.com>
+Date: Thu, 18 Jun 2020 21:35:44 +0800
+Subject: arm64: perf: Correct the event index in sysfs
+
+From: Shaokun Zhang <zhangshaokun@hisilicon.com>
+
+commit 539707caa1a89ee4efc57b4e4231c20c46575ccc upstream.
+
+When PMU event ID is equal or greater than 0x4000, it will be reduced
+by 0x4000 and it is not the raw number in the sysfs. Let's correct it
+and obtain the raw event ID.
+
+Before this patch:
+cat /sys/bus/event_source/devices/armv8_pmuv3_0/events/sample_feed
+event=0x001
+After this patch:
+cat /sys/bus/event_source/devices/armv8_pmuv3_0/events/sample_feed
+event=0x4001
+
+Signed-off-by: Shaokun Zhang <zhangshaokun@hisilicon.com>
+Cc: Will Deacon <will@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/1592487344-30555-3-git-send-email-zhangshaokun@hisilicon.com
+[will: fixed formatting of 'if' condition]
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/perf_event.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/arch/arm64/kernel/perf_event.c
++++ b/arch/arm64/kernel/perf_event.c
+@@ -155,7 +155,7 @@ armv8pmu_events_sysfs_show(struct device
+
+ pmu_attr = container_of(attr, struct perf_pmu_events_attr, attr);
+
+- return sprintf(page, "event=0x%03llx\n", pmu_attr->id);
++ return sprintf(page, "event=0x%04llx\n", pmu_attr->id);
+ }
+
+ #define ARMV8_EVENT_ATTR(name, config) \
+@@ -244,10 +244,13 @@ armv8pmu_event_attr_is_visible(struct ko
+ test_bit(pmu_attr->id, cpu_pmu->pmceid_bitmap))
+ return attr->mode;
+
+- pmu_attr->id -= ARMV8_PMUV3_EXT_COMMON_EVENT_BASE;
+- if (pmu_attr->id < ARMV8_PMUV3_MAX_COMMON_EVENTS &&
+- test_bit(pmu_attr->id, cpu_pmu->pmceid_ext_bitmap))
+- return attr->mode;
++ if (pmu_attr->id >= ARMV8_PMUV3_EXT_COMMON_EVENT_BASE) {
++ u64 id = pmu_attr->id - ARMV8_PMUV3_EXT_COMMON_EVENT_BASE;
++
++ if (id < ARMV8_PMUV3_MAX_COMMON_EVENTS &&
++ test_bit(id, cpu_pmu->pmceid_ext_bitmap))
++ return attr->mode;
++ }
+
+ return 0;
+ }
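Review bot: Nothing in the new block in armv8pmu_event_attr_is_visible() records why the subtraction is done on a local `id`, which is the whole point of the fix: `pmu_attr->id` is also what armv8pmu_events_sysfs_show() prints, so it has to keep the raw event number. A short comment before the `if`, for example `/* pmceid_ext_bitmap is indexed from ARMV8_PMUV3_EXT_COMMON_EVENT_BASE; do not modify pmu_attr->id, it is reported via sysfs */`, would keep a later refactor from reintroducing the in-place update. The function starts above this hunk, so the first bitmap test is only partly visible here.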
--- /dev/null
+From baf57b56d3604880ccb3956ec6c62ea894f5de99 Mon Sep 17 00:00:00 2001
+From: Paul Aurich <paul@darkrain42.org>
+Date: Thu, 9 Jul 2020 22:01:16 -0700
+Subject: cifs: Fix leak when handling lease break for cached root fid
+
+From: Paul Aurich <paul@darkrain42.org>
+
+commit baf57b56d3604880ccb3956ec6c62ea894f5de99 upstream.
+
+Handling a lease break for the cached root didn't free the
+smb2_lease_break_work allocation, resulting in a leak:
+
+ unreferenced object 0xffff98383a5af480 (size 128):
+ comm "cifsd", pid 684, jiffies 4294936606 (age 534.868s)
+ hex dump (first 32 bytes):
+ c0 ff ff ff 1f 00 00 00 88 f4 5a 3a 38 98 ff ff ..........Z:8...
+ 88 f4 5a 3a 38 98 ff ff 80 88 d6 8a ff ff ff ff ..Z:8...........
+ backtrace:
+ [<0000000068957336>] smb2_is_valid_oplock_break+0x1fa/0x8c0
+ [<0000000073b70b9e>] cifs_demultiplex_thread+0x73d/0xcc0
+ [<00000000905fa372>] kthread+0x11c/0x150
+ [<0000000079378e4e>] ret_from_fork+0x22/0x30
+
+Avoid this leak by only allocating when necessary.
+
+Fixes: a93864d93977 ("cifs: add lease tracking to the cached root fid")
+Signed-off-by: Paul Aurich <paul@darkrain42.org>
+CC: Stable <stable@vger.kernel.org> # v4.18+
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2misc.c | 73 +++++++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 52 insertions(+), 21 deletions(-)
+
+--- a/fs/cifs/smb2misc.c
++++ b/fs/cifs/smb2misc.c
+@@ -508,15 +508,31 @@ cifs_ses_oplock_break(struct work_struct
+ kfree(lw);
+ }
+
++static void
++smb2_queue_pending_open_break(struct tcon_link *tlink, __u8 *lease_key,
++ __le32 new_lease_state)
++{
++ struct smb2_lease_break_work *lw;
++
++ lw = kmalloc(sizeof(struct smb2_lease_break_work), GFP_KERNEL);
++ if (!lw) {
++ cifs_put_tlink(tlink);
++ return;
++ }
++
++ INIT_WORK(&lw->lease_break, cifs_ses_oplock_break);
++ lw->tlink = tlink;
++ lw->lease_state = new_lease_state;
++ memcpy(lw->lease_key, lease_key, SMB2_LEASE_KEY_SIZE);
++ queue_work(cifsiod_wq, &lw->lease_break);
++}
++
+ static bool
+-smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp,
+- struct smb2_lease_break_work *lw)
++smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp)
+ {
+- bool found;
+ __u8 lease_state;
+ struct list_head *tmp;
+ struct cifsFileInfo *cfile;
+- struct cifs_pending_open *open;
+ struct cifsInodeInfo *cinode;
+ int ack_req = le32_to_cpu(rsp->Flags &
+ SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED);
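Review bot: In smb2_queue_pending_open_break() a failed `kmalloc()` drops the tlink reference and returns without any trace, while the caller in smb2_is_valid_lease_break() (later hunk) returns true regardless, so the lease break is reported as handled but never queued. Before this change an allocation failure made smb2_is_valid_lease_break() return false. At minimum the failure path should log, e.g. `cifs_dbg(VFS, "%s: no memory to queue lease break\n", __func__);` before `cifs_put_tlink(tlink);`, so an unacknowledged break can be tied back to memory pressure. As a style point, `kmalloc(sizeof(*lw), GFP_KERNEL)` is the usual kernel form.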
+@@ -546,22 +562,29 @@ smb2_tcon_has_lease(struct cifs_tcon *tc
+ cfile->oplock_level = lease_state;
+
+ cifs_queue_oplock_break(cfile);
+- kfree(lw);
+ return true;
+ }
+
+- found = false;
++ return false;
++}
++
++static struct cifs_pending_open *
++smb2_tcon_find_pending_open_lease(struct cifs_tcon *tcon,
++ struct smb2_lease_break *rsp)
++{
++ __u8 lease_state = le32_to_cpu(rsp->NewLeaseState);
++ int ack_req = le32_to_cpu(rsp->Flags &
++ SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED);
++ struct cifs_pending_open *open;
++ struct cifs_pending_open *found = NULL;
++
+ list_for_each_entry(open, &tcon->pending_opens, olist) {
+ if (memcmp(open->lease_key, rsp->LeaseKey,
+ SMB2_LEASE_KEY_SIZE))
+ continue;
+
+ if (!found && ack_req) {
+- found = true;
+- memcpy(lw->lease_key, open->lease_key,
+- SMB2_LEASE_KEY_SIZE);
+- lw->tlink = cifs_get_tlink(open->tlink);
+- queue_work(cifsiod_wq, &lw->lease_break);
++ found = open;
+ }
+
+ cifs_dbg(FYI, "found in the pending open list\n");
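Review bot: smb2_tcon_find_pending_open_lease() returns a bare pointer into `tcon->pending_opens` and nothing documents how long it stays valid. The caller in smb2_is_valid_lease_break() copies the lease key and takes the tlink reference while `tcon->open_file_lock` is still held, which suggests the entry may go away once the lock is dropped. A header comment stating that the caller must hold `tcon->open_file_lock` and must not dereference the returned entry after releasing it would make that contract explicit. The function body continues past the end of this hunk.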
+@@ -582,14 +605,7 @@ smb2_is_valid_lease_break(char *buffer)
+ struct TCP_Server_Info *server;
+ struct cifs_ses *ses;
+ struct cifs_tcon *tcon;
+- struct smb2_lease_break_work *lw;
+-
+- lw = kmalloc(sizeof(struct smb2_lease_break_work), GFP_KERNEL);
+- if (!lw)
+- return false;
+-
+- INIT_WORK(&lw->lease_break, cifs_ses_oplock_break);
+- lw->lease_state = rsp->NewLeaseState;
++ struct cifs_pending_open *open;
+
+ cifs_dbg(FYI, "Checking for lease break\n");
+
+@@ -607,11 +623,27 @@ smb2_is_valid_lease_break(char *buffer)
+ spin_lock(&tcon->open_file_lock);
+ cifs_stats_inc(
+ &tcon->stats.cifs_stats.num_oplock_brks);
+- if (smb2_tcon_has_lease(tcon, rsp, lw)) {
++ if (smb2_tcon_has_lease(tcon, rsp)) {
+ spin_unlock(&tcon->open_file_lock);
+ spin_unlock(&cifs_tcp_ses_lock);
+ return true;
+ }
++ open = smb2_tcon_find_pending_open_lease(tcon,
++ rsp);
++ if (open) {
++ __u8 lease_key[SMB2_LEASE_KEY_SIZE];
++ struct tcon_link *tlink;
++
++ tlink = cifs_get_tlink(open->tlink);
++ memcpy(lease_key, open->lease_key,
++ SMB2_LEASE_KEY_SIZE);
++ spin_unlock(&tcon->open_file_lock);
++ spin_unlock(&cifs_tcp_ses_lock);
++ smb2_queue_pending_open_break(tlink,
++ lease_key,
++ rsp->NewLeaseState);
++ return true;
++ }
+ spin_unlock(&tcon->open_file_lock);
+
+ if (tcon->crfid.is_valid &&
+@@ -629,7 +661,6 @@ smb2_is_valid_lease_break(char *buffer)
+ }
+ }
+ spin_unlock(&cifs_tcp_ses_lock);
+- kfree(lw);
+ cifs_dbg(FYI, "Can not process lease break - no lease matched\n");
+ return false;
+ }
--- /dev/null
+From add48ba425192c6e04ce70549129cacd01e2a09e Mon Sep 17 00:00:00 2001
+From: Christian Eggers <ceggers@arri.de>
+Date: Mon, 27 Jul 2020 12:16:05 +0200
+Subject: dt-bindings: iio: io-channel-mux: Fix compatible string in example code
+
+From: Christian Eggers <ceggers@arri.de>
+
+commit add48ba425192c6e04ce70549129cacd01e2a09e upstream.
+
+The correct compatible string is "gpio-mux" (see
+bindings/mux/gpio-mux.txt).
+
+Cc: stable@vger.kernel.org # v4.13+
+Reviewed-by: Peter Rosin <peda@axentia.se>
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Link: https://lore.kernel.org/r/20200727101605.24384-1-ceggers@arri.de
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/devicetree/bindings/iio/multiplexer/io-channel-mux.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/iio/multiplexer/io-channel-mux.txt
++++ b/Documentation/devicetree/bindings/iio/multiplexer/io-channel-mux.txt
+@@ -21,7 +21,7 @@ controller state. The mux controller sta
+
+ Example:
+ mux: mux-controller {
+- compatible = "mux-gpio";
++ compatible = "gpio-mux";
+ #mux-control-cells = <0>;
+
+ mux-gpios = <&pioA 0 GPIO_ACTIVE_HIGH>,
--- /dev/null
+From 65afb0932a81c1de719ceee0db0b276094b10ac8 Mon Sep 17 00:00:00 2001
+From: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Date: Mon, 6 Jul 2020 14:02:57 +0300
+Subject: iio: dac: ad5592r: fix unbalanced mutex unlocks in ad5592r_read_raw()
+
+From: Alexandru Ardelean <alexandru.ardelean@analog.com>
+
+commit 65afb0932a81c1de719ceee0db0b276094b10ac8 upstream.
+
+There are 2 exit paths where the lock isn't held, but try to unlock the
+mutex when exiting. In these places we should just return from the
+function.
+
+A neater approach would be to cleanup the ad5592r_read_raw(), but that
+would make this patch more difficult to backport to stable versions.
+
+Fixes 56ca9db862bf3: ("iio: dac: Add support for the AD5592R/AD5593R ADCs/DACs")
+Reported-by: Charles Stanhope <charles.stanhope@gmail.com>
+Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/dac/ad5592r-base.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/dac/ad5592r-base.c
++++ b/drivers/iio/dac/ad5592r-base.c
+@@ -413,7 +413,7 @@ static int ad5592r_read_raw(struct iio_d
+ s64 tmp = *val * (3767897513LL / 25LL);
+ *val = div_s64_rem(tmp, 1000000000LL, val2);
+
+- ret = IIO_VAL_INT_PLUS_MICRO;
++ return IIO_VAL_INT_PLUS_MICRO;
+ } else {
+ int mult;
+
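Review bot: The two direct `return` statements added to ad5592r_read_raw() sit in a function whose other paths go through the `unlock:` label, and nothing at either site says the mutex is not held there. A one-line comment on each, e.g. `/* mutex not taken on this path, must not reach unlock: */`, would keep someone from normalising them back to `ret = ...` during a cleanup. This applies here at `return IIO_VAL_INT_PLUS_MICRO;` and in the next hunk at `return -EINVAL;` in the `default:` case. The function starts and ends outside both hunks, so which branches take the lock is inferred from the commit description.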
+@@ -444,7 +444,7 @@ static int ad5592r_read_raw(struct iio_d
+ ret = IIO_VAL_INT;
+ break;
+ default:
+- ret = -EINVAL;
++ return -EINVAL;
+ }
+
+ unlock:
--- /dev/null
+From a1bab9396c2d98c601ce81c27567159dfbc10c19 Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+Date: Mon, 13 Jul 2020 13:40:19 +0200
+Subject: iio: imu: st_lsm6dsx: reset hw ts after resume
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+commit a1bab9396c2d98c601ce81c27567159dfbc10c19 upstream.
+
+Reset hw time samples generator after system resume in order to avoid
+disalignment between system and device time reference since FIFO
+batching and time samples generator are disabled during suspend.
+
+Fixes: 213451076bd3 ("iio: imu: st_lsm6dsx: add hw timestamp support")
+Tested-by: Sean Nyekjaer <sean@geanix.com>
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h | 3 +--
+ drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 23 +++++++++++++++--------
+ drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c | 2 +-
+ 3 files changed, 17 insertions(+), 11 deletions(-)
+
+--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h
++++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h
+@@ -436,8 +436,7 @@ int st_lsm6dsx_update_watermark(struct s
+ u16 watermark);
+ int st_lsm6dsx_update_fifo(struct st_lsm6dsx_sensor *sensor, bool enable);
+ int st_lsm6dsx_flush_fifo(struct st_lsm6dsx_hw *hw);
+-int st_lsm6dsx_set_fifo_mode(struct st_lsm6dsx_hw *hw,
+- enum st_lsm6dsx_fifo_mode fifo_mode);
++int st_lsm6dsx_resume_fifo(struct st_lsm6dsx_hw *hw);
+ int st_lsm6dsx_read_fifo(struct st_lsm6dsx_hw *hw);
+ int st_lsm6dsx_read_tagged_fifo(struct st_lsm6dsx_hw *hw);
+ int st_lsm6dsx_check_odr(struct st_lsm6dsx_sensor *sensor, u32 odr, u8 *val);
+--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
++++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
+@@ -184,8 +184,8 @@ static int st_lsm6dsx_update_decimators(
+ return err;
+ }
+
+-int st_lsm6dsx_set_fifo_mode(struct st_lsm6dsx_hw *hw,
+- enum st_lsm6dsx_fifo_mode fifo_mode)
++static int st_lsm6dsx_set_fifo_mode(struct st_lsm6dsx_hw *hw,
++ enum st_lsm6dsx_fifo_mode fifo_mode)
+ {
+ unsigned int data;
+
+@@ -302,6 +302,18 @@ static int st_lsm6dsx_reset_hw_ts(struct
+ return 0;
+ }
+
++int st_lsm6dsx_resume_fifo(struct st_lsm6dsx_hw *hw)
++{
++ int err;
++
++ /* reset hw ts counter */
++ err = st_lsm6dsx_reset_hw_ts(hw);
++ if (err < 0)
++ return err;
++
++ return st_lsm6dsx_set_fifo_mode(hw, ST_LSM6DSX_FIFO_CONT);
++}
++
+ /*
+ * Set max bulk read to ST_LSM6DSX_MAX_WORD_LEN/ST_LSM6DSX_MAX_TAGGED_WORD_LEN
+ * in order to avoid a kmalloc for each bus access
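Review bot: st_lsm6dsx_resume_fifo() becomes a cross-file entry point but has no comment on its calling context. In st_lsm6dsx_update_fifo() the same two steps run inside a section that exits through `goto out`, whereas the resume handler in st_lsm6dsx_core.c calls the helper directly; whether both callers hold the same lock is not visible in these hunks. A kernel-doc comment above the definition stating that it resets the hardware timestamp counter and then sets ST_LSM6DSX_FIFO_CONT, plus the locking the caller is expected to provide, would settle that.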
+@@ -675,12 +687,7 @@ int st_lsm6dsx_update_fifo(struct st_lsm
+ goto out;
+
+ if (fifo_mask) {
+- /* reset hw ts counter */
+- err = st_lsm6dsx_reset_hw_ts(hw);
+- if (err < 0)
+- goto out;
+-
+- err = st_lsm6dsx_set_fifo_mode(hw, ST_LSM6DSX_FIFO_CONT);
++ err = st_lsm6dsx_resume_fifo(hw);
+ if (err < 0)
+ goto out;
+ }
+--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c
++++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c
+@@ -2458,7 +2458,7 @@ static int __maybe_unused st_lsm6dsx_res
+ }
+
+ if (hw->fifo_mask)
+- err = st_lsm6dsx_set_fifo_mode(hw, ST_LSM6DSX_FIFO_CONT);
++ err = st_lsm6dsx_resume_fifo(hw);
+
+ return err;
+ }
--- /dev/null
+From e0eb34810113dbbf1ace57440cf48d514312a373 Mon Sep 17 00:00:00 2001
+From: Mansur Alisha Shaik <mansur@codeaurora.org>
+Date: Fri, 1 May 2020 08:28:00 +0200
+Subject: media: venus: fix multiple encoder crash
+
+From: Mansur Alisha Shaik <mansur@codeaurora.org>
+
+commit e0eb34810113dbbf1ace57440cf48d514312a373 upstream.
+
+Currently we consider all instances in the core->inst list for load
+calculation in the min_loaded_core() function, but this is incorrect
+because by the time we call decide_core() for the second instance, the
+third instance has not yet filled its codec_freq_data pointer.
+
+Solve this by considering the instances whose session has started.
+
+Cc: stable@vger.kernel.org # v5.7+
+Fixes: 4ebf969375bc ("media: venus: introduce core selection")
+Tested-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Mansur Alisha Shaik <mansur@codeaurora.org>
+Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/platform/qcom/venus/pm_helpers.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/media/platform/qcom/venus/pm_helpers.c
++++ b/drivers/media/platform/qcom/venus/pm_helpers.c
+@@ -496,6 +496,10 @@ min_loaded_core(struct venus_inst *inst,
+ list_for_each_entry(inst_pos, &core->instances, list) {
+ if (inst_pos == inst)
+ continue;
++
++ if (inst_pos->state != INST_START)
++ continue;
++
+ vpp_freq = inst_pos->clk_data.codec_freq_data->vpp_freq;
+ coreid = inst_pos->clk_data.core_id;
+
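Review bot: The added `inst_pos->state != INST_START` test in min_loaded_core() protects the `inst_pos->clk_data.codec_freq_data->vpp_freq` dereference two lines below only indirectly, by assuming every started instance has the pointer set. Either say so in a comment, `/* codec_freq_data is only valid once the session has started */`, or make the guard explicit with `if (inst_pos->state != INST_START || !inst_pos->clk_data.codec_freq_data) continue;`. Whether `state` is read under a lock that also covers the list walk cannot be seen from this hunk; the loop body continues past it.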
--- /dev/null
+From c92d30e4b78dc331909f8c6056c2792aa14e2166 Mon Sep 17 00:00:00 2001
+From: Eugeniu Rosca <erosca@de.adit-jv.com>
+Date: Tue, 2 Jun 2020 21:50:16 +0200
+Subject: media: vsp1: dl: Fix NULL pointer dereference on unbind
+
+From: Eugeniu Rosca <erosca@de.adit-jv.com>
+
+commit c92d30e4b78dc331909f8c6056c2792aa14e2166 upstream.
+
+In commit f3b98e3c4d2e16 ("media: vsp1: Provide support for extended
+command pools"), the vsp pointer used for referencing the VSP1 device
+structure from a command pool during vsp1_dl_ext_cmd_pool_destroy() was
+not populated.
+
+Correctly assign the pointer to prevent the following
+null-pointer-dereference when removing the device:
+
+[*] h3ulcb-kf #>
+echo fea28000.vsp > /sys/bus/platform/devices/fea28000.vsp/driver/unbind
+ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000028
+ Mem abort info:
+ ESR = 0x96000006
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ Data abort info:
+ ISV = 0, ISS = 0x00000006
+ CM = 0, WnR = 0
+ user pgtable: 4k pages, 48-bit VAs, pgdp=00000007318be000
+ [0000000000000028] pgd=00000007333a1003, pud=00000007333a6003, pmd=0000000000000000
+ Internal error: Oops: 96000006 [#1] PREEMPT SMP
+ Modules linked in:
+ CPU: 1 PID: 486 Comm: sh Not tainted 5.7.0-rc6-arm64-renesas-00118-ge644645abf47 #185
+ Hardware name: Renesas H3ULCB Kingfisher board based on r8a77951 (DT)
+ pstate: 40000005 (nZcv daif -PAN -UAO)
+ pc : vsp1_dlm_destroy+0xe4/0x11c
+ lr : vsp1_dlm_destroy+0xc8/0x11c
+ sp : ffff800012963b60
+ x29: ffff800012963b60 x28: ffff0006f83fc440
+ x27: 0000000000000000 x26: ffff0006f5e13e80
+ x25: ffff0006f5e13ed0 x24: ffff0006f5e13ed0
+ x23: ffff0006f5e13ed0 x22: dead000000000122
+ x21: ffff0006f5e3a080 x20: ffff0006f5df2938
+ x19: ffff0006f5df2980 x18: 0000000000000003
+ x17: 0000000000000000 x16: 0000000000000016
+ x15: 0000000000000003 x14: 00000000000393c0
+ x13: ffff800011a5ec18 x12: ffff800011d8d000
+ x11: ffff0006f83fcc68 x10: ffff800011a53d70
+ x9 : ffff8000111f3000 x8 : 0000000000000000
+ x7 : 0000000000210d00 x6 : 0000000000000000
+ x5 : ffff800010872e60 x4 : 0000000000000004
+ x3 : 0000000078068000 x2 : ffff800012781000
+ x1 : 0000000000002c00 x0 : 0000000000000000
+ Call trace:
+ vsp1_dlm_destroy+0xe4/0x11c
+ vsp1_wpf_destroy+0x10/0x20
+ vsp1_entity_destroy+0x24/0x4c
+ vsp1_destroy_entities+0x54/0x130
+ vsp1_remove+0x1c/0x40
+ platform_drv_remove+0x28/0x50
+ __device_release_driver+0x178/0x220
+ device_driver_detach+0x44/0xc0
+ unbind_store+0xe0/0x104
+ drv_attr_store+0x20/0x30
+ sysfs_kf_write+0x48/0x70
+ kernfs_fop_write+0x148/0x230
+ __vfs_write+0x18/0x40
+ vfs_write+0xdc/0x1c4
+ ksys_write+0x68/0xf0
+ __arm64_sys_write+0x18/0x20
+ el0_svc_common.constprop.0+0x70/0x170
+ do_el0_svc+0x20/0x80
+ el0_sync_handler+0x134/0x1b0
+ el0_sync+0x140/0x180
+ Code: b40000c2 f9403a60 d2800084 a9400663 (f9401400)
+ ---[ end trace 3875369841fb288a ]---
+
+Fixes: f3b98e3c4d2e16 ("media: vsp1: Provide support for extended command pools")
+Cc: stable@vger.kernel.org # v4.19+
+Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
+Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Tested-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/platform/vsp1/vsp1_dl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/platform/vsp1/vsp1_dl.c
++++ b/drivers/media/platform/vsp1/vsp1_dl.c
+@@ -431,6 +431,8 @@ vsp1_dl_cmd_pool_create(struct vsp1_devi
+ if (!pool)
+ return NULL;
+
++ pool->vsp1 = vsp1;
++
+ spin_lock_init(&pool->lock);
+ INIT_LIST_HEAD(&pool->free);
+
--- /dev/null
+From 1c95348ba327fe8621d3680890c2341523d3524a Mon Sep 17 00:00:00 2001
+From: Paul Cercueil <paul@crapouillou.net>
+Date: Mon, 22 Jun 2020 23:45:47 +0200
+Subject: pinctrl: ingenic: Enhance support for IRQ_TYPE_EDGE_BOTH
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paul Cercueil <paul@crapouillou.net>
+
+commit 1c95348ba327fe8621d3680890c2341523d3524a upstream.
+
+Ingenic SoCs don't natively support registering an interrupt for both
+rising and falling edges. This has to be emulated in software.
+
+Until now, this was emulated by switching back and forth between
+IRQ_TYPE_EDGE_RISING and IRQ_TYPE_EDGE_FALLING according to the level of
+the GPIO. While this worked most of the time, when used with GPIOs that
+need debouncing, some events would be lost. For instance, between the
+time a falling-edge interrupt happens and the interrupt handler
+configures the hardware for rising-edge, the level of the pin may have
+already risen, and the rising-edge event is lost.
+
+To address that issue, instead of switching back and forth between
+IRQ_TYPE_EDGE_RISING and IRQ_TYPE_EDGE_FALLING, we now switch back and
+forth between IRQ_TYPE_LEVEL_LOW and IRQ_TYPE_LEVEL_HIGH. Since we
+always switch in the interrupt handler, they actually permit to detect
+level changes. In the example above, if the pin level rises before
+switching the IRQ type from IRQ_TYPE_LEVEL_LOW to IRQ_TYPE_LEVEL_HIGH,
+a new interrupt will raise as soon as the handler exits, and the
+rising-edge event will be properly detected.
+
+Fixes: e72394e2ea19 ("pinctrl: ingenic: Merge GPIO functionality")
+Reported-by: João Henrique <johnnyonflame@hotmail.com>
+Signed-off-by: Paul Cercueil <paul@crapouillou.net>
+Tested-by: João Henrique <johnnyonflame@hotmail.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20200622214548.265417-1-paul@crapouillou.net
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/pinctrl-ingenic.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/pinctrl/pinctrl-ingenic.c
++++ b/drivers/pinctrl/pinctrl-ingenic.c
+@@ -1810,9 +1810,9 @@ static void ingenic_gpio_irq_ack(struct
+ */
+ high = ingenic_gpio_get_value(jzgc, irq);
+ if (high)
+- irq_set_type(jzgc, irq, IRQ_TYPE_EDGE_FALLING);
++ irq_set_type(jzgc, irq, IRQ_TYPE_LEVEL_LOW);
+ else
+- irq_set_type(jzgc, irq, IRQ_TYPE_EDGE_RISING);
++ irq_set_type(jzgc, irq, IRQ_TYPE_LEVEL_HIGH);
+ }
+
+ if (jzgc->jzpc->info->version >= ID_JZ4760)
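Review bot: The comment block that ends just above `high = ingenic_gpio_get_value(jzgc, irq);` is not part of the change, so if it still describes flipping between rising and falling edge it no longer matches the code. It should say that IRQ_TYPE_EDGE_BOTH is emulated by arming the level opposite to the current pin state, e.g. `/* emulate both edges: trigger on the level the pin is not currently at */`. The same applies to the comment above `type = high ? IRQ_TYPE_LEVEL_LOW : IRQ_TYPE_LEVEL_HIGH;` in the ingenic_gpio_irq_set_type() hunk. Both functions begin outside their hunks, so the existing comment text is not visible here.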
+@@ -1848,7 +1848,7 @@ static int ingenic_gpio_irq_set_type(str
+ */
+ bool high = ingenic_gpio_get_value(jzgc, irqd->hwirq);
+
+- type = high ? IRQ_TYPE_EDGE_FALLING : IRQ_TYPE_EDGE_RISING;
++ type = high ? IRQ_TYPE_LEVEL_LOW : IRQ_TYPE_LEVEL_HIGH;
+ }
+
+ irq_set_type(jzgc, irqd->hwirq, type);
--- /dev/null
+From 84e7a946da71f678affacea301f6d5cb4d9784e8 Mon Sep 17 00:00:00 2001
+From: Paul Cercueil <paul@crapouillou.net>
+Date: Mon, 22 Jun 2020 23:45:48 +0200
+Subject: pinctrl: ingenic: Properly detect GPIO direction when configured for IRQ
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paul Cercueil <paul@crapouillou.net>
+
+commit 84e7a946da71f678affacea301f6d5cb4d9784e8 upstream.
+
+The PAT1 register contains information about the IRQ type (edge/level)
+for input GPIOs with IRQ enabled, and the direction for non-IRQ GPIOs.
+So it makes sense to read it only if the GPIO has no interrupt
+configured, otherwise input GPIOs configured for level IRQs are
+misdetected as output GPIOs.
+
+Fixes: ebd6651418b6 ("pinctrl: ingenic: Implement .get_direction for GPIO chips")
+Reported-by: João Henrique <johnnyonflame@hotmail.com>
+Signed-off-by: Paul Cercueil <paul@crapouillou.net>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20200622214548.265417-2-paul@crapouillou.net
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/pinctrl-ingenic.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/pinctrl-ingenic.c
++++ b/drivers/pinctrl/pinctrl-ingenic.c
+@@ -1955,7 +1955,8 @@ static int ingenic_gpio_get_direction(st
+ unsigned int pin = gc->base + offset;
+
+ if (jzpc->info->version >= ID_JZ4760) {
+- if (ingenic_get_pin_config(jzpc, pin, JZ4760_GPIO_PAT1))
++ if (ingenic_get_pin_config(jzpc, pin, JZ4760_GPIO_INT) ||
++ ingenic_get_pin_config(jzpc, pin, JZ4760_GPIO_PAT1))
+ return GPIO_LINE_DIRECTION_IN;
+ return GPIO_LINE_DIRECTION_OUT;
+ }
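Review bot: The new two-register test in ingenic_gpio_get_direction() reads as an arbitrary OR unless the reader knows the register semantics. A comment before the `if`, such as `/* PAT1 gives the direction only when INT is clear; with INT set the pin is an input and PAT1 selects edge/level */`, would carry the reasoning from the commit description into the source. The branch for SoCs older than ID_JZ4760 lies outside this hunk.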
--- /dev/null
+From 63dee5df43a31f3844efabc58972f0a206ca4534 Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Fri, 24 Jul 2020 19:25:25 +1000
+Subject: powerpc: Allow 4224 bytes of stack expansion for the signal frame
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+commit 63dee5df43a31f3844efabc58972f0a206ca4534 upstream.
+
+We have powerpc specific logic in our page fault handling to decide if
+an access to an unmapped address below the stack pointer should expand
+the stack VMA.
+
+The code was originally added in 2004 "ported from 2.4". The rough
+logic is that the stack is allowed to grow to 1MB with no extra
+checking. Over 1MB the access must be within 2048 bytes of the stack
+pointer, or be from a user instruction that updates the stack pointer.
+
+The 2048 byte allowance below the stack pointer is there to cover the
+288 byte "red zone" as well as the "about 1.5kB" needed by the signal
+delivery code.
+
+Unfortunately since then the signal frame has expanded, and is now
+4224 bytes on 64-bit kernels with transactional memory enabled. This
+means if a process has consumed more than 1MB of stack, and its stack
+pointer lies less than 4224 bytes from the next page boundary, signal
+delivery will fault when trying to expand the stack and the process
+will see a SEGV.
+
+The total size of the signal frame is the size of struct rt_sigframe
+(which includes the red zone) plus __SIGNAL_FRAMESIZE (128 bytes on
+64-bit).
+
+The 2048 byte allowance was correct until 2008 as the signal frame
+was:
+
+struct rt_sigframe {
+ struct ucontext uc; /* 0 1440 */
+ /* --- cacheline 11 boundary (1408 bytes) was 32 bytes ago --- */
+ long unsigned int _unused[2]; /* 1440 16 */
+ unsigned int tramp[6]; /* 1456 24 */
+ struct siginfo * pinfo; /* 1480 8 */
+ void * puc; /* 1488 8 */
+ struct siginfo info; /* 1496 128 */
+ /* --- cacheline 12 boundary (1536 bytes) was 88 bytes ago --- */
+ char abigap[288]; /* 1624 288 */
+
+ /* size: 1920, cachelines: 15, members: 7 */
+ /* padding: 8 */
+};
+
+1920 + 128 = 2048
+
+Then in commit ce48b2100785 ("powerpc: Add VSX context save/restore,
+ptrace and signal support") (Jul 2008) the signal frame expanded to
+2304 bytes:
+
+struct rt_sigframe {
+ struct ucontext uc; /* 0 1696 */ <--
+ /* --- cacheline 13 boundary (1664 bytes) was 32 bytes ago --- */
+ long unsigned int _unused[2]; /* 1696 16 */
+ unsigned int tramp[6]; /* 1712 24 */
+ struct siginfo * pinfo; /* 1736 8 */
+ void * puc; /* 1744 8 */
+ struct siginfo info; /* 1752 128 */
+ /* --- cacheline 14 boundary (1792 bytes) was 88 bytes ago --- */
+ char abigap[288]; /* 1880 288 */
+
+ /* size: 2176, cachelines: 17, members: 7 */
+ /* padding: 8 */
+};
+
+2176 + 128 = 2304
+
+At this point we should have been exposed to the bug, though as far as
+I know it was never reported. I no longer have a system old enough to
+easily test on.
+
+Then in 2010 commit 320b2b8de126 ("mm: keep a guard page below a
+grow-down stack segment") caused our stack expansion code to never
+trigger, as there was always a VMA found for a write up to PAGE_SIZE
+below r1.
+
+That meant the bug was hidden as we continued to expand the signal
+frame in commit 2b0a576d15e0 ("powerpc: Add new transactional memory
+state to the signal context") (Feb 2013):
+
+struct rt_sigframe {
+ struct ucontext uc; /* 0 1696 */
+ /* --- cacheline 13 boundary (1664 bytes) was 32 bytes ago --- */
+ struct ucontext uc_transact; /* 1696 1696 */ <--
+ /* --- cacheline 26 boundary (3328 bytes) was 64 bytes ago --- */
+ long unsigned int _unused[2]; /* 3392 16 */
+ unsigned int tramp[6]; /* 3408 24 */
+ struct siginfo * pinfo; /* 3432 8 */
+ void * puc; /* 3440 8 */
+ struct siginfo info; /* 3448 128 */
+ /* --- cacheline 27 boundary (3456 bytes) was 120 bytes ago --- */
+ char abigap[288]; /* 3576 288 */
+
+ /* size: 3872, cachelines: 31, members: 8 */
+ /* padding: 8 */
+ /* last cacheline: 32 bytes */
+};
+
+3872 + 128 = 4000
+
+And commit 573ebfa6601f ("powerpc: Increase stack redzone for 64-bit
+userspace to 512 bytes") (Feb 2014):
+
+struct rt_sigframe {
+ struct ucontext uc; /* 0 1696 */
+ /* --- cacheline 13 boundary (1664 bytes) was 32 bytes ago --- */
+ struct ucontext uc_transact; /* 1696 1696 */
+ /* --- cacheline 26 boundary (3328 bytes) was 64 bytes ago --- */
+ long unsigned int _unused[2]; /* 3392 16 */
+ unsigned int tramp[6]; /* 3408 24 */
+ struct siginfo * pinfo; /* 3432 8 */
+ void * puc; /* 3440 8 */
+ struct siginfo info; /* 3448 128 */
+ /* --- cacheline 27 boundary (3456 bytes) was 120 bytes ago --- */
+ char abigap[512]; /* 3576 512 */ <--
+
+ /* size: 4096, cachelines: 32, members: 8 */
+ /* padding: 8 */
+};
+
+4096 + 128 = 4224
+
+Then finally in 2017, commit 1be7107fbe18 ("mm: larger stack guard
+gap, between vmas") exposed us to the existing bug, because it changed
+the stack VMA to be the correct/real size, meaning our stack expansion
+code is now triggered.
+
+Fix it by increasing the allowance to 4224 bytes.
+
+Hard-coding 4224 is obviously unsafe against future expansions of the
+signal frame in the same way as the existing code. We can't easily use
+sizeof() because the signal frame structure is not in a header. We
+will either fix that, or rip out all the custom stack expansion
+checking logic entirely.
+
+Fixes: ce48b2100785 ("powerpc: Add VSX context save/restore, ptrace and signal support")
+Cc: stable@vger.kernel.org # v2.6.27+
+Reported-by: Tom Lane <tgl@sss.pgh.pa.us>
+Tested-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200724092528.1578671-2-mpe@ellerman.id.au
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/fault.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/mm/fault.c
++++ b/arch/powerpc/mm/fault.c
+@@ -267,6 +267,9 @@ static bool bad_kernel_fault(struct pt_r
+ return false;
+ }
+
++// This comes from 64-bit struct rt_sigframe + __SIGNAL_FRAMESIZE
++#define SIGFRAME_MAX_SIZE (4096 + 128)
++
+ static bool bad_stack_expansion(struct pt_regs *regs, unsigned long address,
+ struct vm_area_struct *vma, unsigned int flags,
+ bool *must_retry)
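Review bot: The comment on `SIGFRAME_MAX_SIZE` says where 4096 + 128 comes from, but not that nothing keeps it in step with the 64-bit `struct rt_sigframe`. If the frame grows again, the comparison in the third hunk (`address + SIGFRAME_MAX_SIZE >= uregs->gpr[1]`) will again reject legitimate signal-delivery writes. Padding the constant generously instead widens the window of accesses below r1 that are accepted as stack growth. I would spell the invariant out, e.g. `// Must be >= sizeof(64-bit struct rt_sigframe) + __SIGNAL_FRAMESIZE; revisit whenever the signal frame changes`. Once the struct is reachable from a header, as the commit message anticipates, a compile-time size check could back it. `bad_stack_expansion()` starts in this hunk and its body continues outside it.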
+@@ -274,7 +277,7 @@ static bool bad_stack_expansion(struct p
+ /*
+ * N.B. The POWER/Open ABI allows programs to access up to
+ * 288 bytes below the stack pointer.
+- * The kernel signal delivery code writes up to about 1.5kB
++ * The kernel signal delivery code writes a bit over 4KB
+ * below the stack pointer (r1) before decrementing it.
+ * The exec code can write slightly over 640kB to the stack
+ * before setting the user r1. Thus we allow the stack to
+@@ -299,7 +302,7 @@ static bool bad_stack_expansion(struct p
+ * between the last mapped region and the stack will
+ * expand the stack rather than segfaulting.
+ */
+- if (address + 2048 >= uregs->gpr[1])
++ if (address + SIGFRAME_MAX_SIZE >= uregs->gpr[1])
+ return false;
+
+ if ((flags & FAULT_FLAG_WRITE) && (flags & FAULT_FLAG_USER) &&
--- /dev/null
+From 0c83b277ada72b585e6a3e52b067669df15bcedb Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Tue, 4 Aug 2020 22:44:06 +1000
+Subject: powerpc: Fix circular dependency between percpu.h and mmu.h
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+commit 0c83b277ada72b585e6a3e52b067669df15bcedb upstream.
+
+Recently random.h started including percpu.h (see commit
+f227e3ec3b5c ("random32: update the net random state on interrupt and
+activity")), which broke corenet64_smp_defconfig:
+
+ In file included from /linux/arch/powerpc/include/asm/paca.h:18,
+ from /linux/arch/powerpc/include/asm/percpu.h:13,
+ from /linux/include/linux/random.h:14,
+ from /linux/lib/uuid.c:14:
+ /linux/arch/powerpc/include/asm/mmu.h:139:22: error: unknown type name 'next_tlbcam_idx'
+ 139 | DECLARE_PER_CPU(int, next_tlbcam_idx);
+
+This is due to a circular header dependency:
+ asm/mmu.h includes asm/percpu.h, which includes asm/paca.h, which
+ includes asm/mmu.h
+
+Which means DECLARE_PER_CPU() isn't defined when mmu.h needs it.
+
+We can fix it by moving the include of paca.h below the include of
+asm-generic/percpu.h.
+
+This moves the include of paca.h out of the #ifdef __powerpc64__, but
+that is OK because paca.h is almost entirely inside #ifdef
+CONFIG_PPC64 anyway.
+
+It also moves the include of paca.h out of the #ifdef CONFIG_SMP,
+which could possibly break something, but seems to have no ill
+effects.
+
+Fixes: f227e3ec3b5c ("random32: update the net random state on interrupt and activity")
+Cc: stable@vger.kernel.org # v5.8
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200804130558.292328-1-mpe@ellerman.id.au
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/percpu.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/include/asm/percpu.h
++++ b/arch/powerpc/include/asm/percpu.h
+@@ -10,8 +10,6 @@
+
+ #ifdef CONFIG_SMP
+
+-#include <asm/paca.h>
+-
+ #define __my_cpu_offset local_paca->data_offset
+
+ #endif /* CONFIG_SMP */
+@@ -19,4 +17,6 @@
+
+ #include <asm-generic/percpu.h>
+
++#include <asm/paca.h>
++
+ #endif /* _ASM_POWERPC_PERCPU_H_ */
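Review bot: The relocated `#include <asm/paca.h>` in the second percpu.h hunk sits at the bottom of the header with nothing in the file saying the position is deliberate. A later include tidy-up could move it back above `asm-generic/percpu.h` and reintroduce the circular-dependency build failure described in the commit message. I would add a comment directly above it, e.g. `/* Must follow asm-generic/percpu.h: paca.h pulls in mmu.h, which needs DECLARE_PER_CPU() */`. In the first hunk, `__my_cpu_offset` now names `local_paca` before paca.h is included; that works only because the macro is expanded at its point of use, which the same comment could mention.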
--- /dev/null
+From 7c466b0807960edc13e4b855be85ea765df9a6cd Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+Date: Mon, 15 Jun 2020 13:18:39 +0000
+Subject: powerpc/ptdump: Fix build failure in hashpagetable.c
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+commit 7c466b0807960edc13e4b855be85ea765df9a6cd upstream.
+
+H_SUCCESS is only defined when CONFIG_PPC_PSERIES is defined.
+
+!= H_SUCCESS means != 0. Modify the test accordingly.
+
+Fixes: 65e701b2d2a8 ("powerpc/ptdump: drop non vital #ifdefs")
+Cc: stable@vger.kernel.org
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/795158fc1d2b3dff3bf7347881947a887ea9391a.1592227105.git.christophe.leroy@csgroup.eu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/ptdump/hashpagetable.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/mm/ptdump/hashpagetable.c
++++ b/arch/powerpc/mm/ptdump/hashpagetable.c
+@@ -258,7 +258,7 @@ static int pseries_find(unsigned long ea
+ for (i = 0; i < HPTES_PER_GROUP; i += 4, hpte_group += 4) {
+ lpar_rc = plpar_pte_read_4(0, hpte_group, (void *)ptes);
+
+- if (lpar_rc != H_SUCCESS)
++ if (lpar_rc)
+ continue;
+ for (j = 0; j < 4; j++) {
+ if (HPTE_V_COMPARE(ptes[j].v, want_v) &&
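Review bot: The new test `if (lpar_rc)` no longer says what a non-zero value means, so a reader has to find the commit message to learn that it stands for "not H_SUCCESS". A one-line comment above it would keep the intent, e.g. `/* non-zero means the hcall did not return H_SUCCESS (macro only defined with CONFIG_PPC_PSERIES) */`. The enclosing loop in `pseries_find()` starts and ends outside this hunk.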
btrfs-make-sure-sb_i_version-doesn-t-get-unset-by-remount.patch
btrfs-fix-return-value-mixup-in-btrfs_get_extent.patch
btrfs-check-correct-variable-after-allocation-in-btrfs_backref_iter_alloc.patch
+arm64-dts-qcom-sc7180-drop-the-unused-non-msa-sid.patch
+arm64-perf-correct-the-event-index-in-sysfs.patch
+dt-bindings-iio-io-channel-mux-fix-compatible-string-in-example-code.patch
+iio-dac-ad5592r-fix-unbalanced-mutex-unlocks-in-ad5592r_read_raw.patch
+iio-imu-st_lsm6dsx-reset-hw-ts-after-resume.patch
+xtensa-add-missing-exclusive-access-state-management.patch
+xtensa-fix-xtensa_pmu_setup-prototype.patch
+cifs-fix-leak-when-handling-lease-break-for-cached-root-fid.patch
+powerpc-ptdump-fix-build-failure-in-hashpagetable.c.patch
+powerpc-allow-4224-bytes-of-stack-expansion-for-the-signal-frame.patch
+powerpc-fix-circular-dependency-between-percpu.h-and-mmu.h.patch
+pinctrl-ingenic-enhance-support-for-irq_type_edge_both.patch
+pinctrl-ingenic-properly-detect-gpio-direction-when-configured-for-irq.patch
+media-venus-fix-multiple-encoder-crash.patch
+media-vsp1-dl-fix-null-pointer-dereference-on-unbind.patch
--- /dev/null
+From a0fc1436f1f4f84e93144480bf30e0c958d135b6 Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Fri, 31 Jul 2020 12:38:05 -0700
+Subject: xtensa: add missing exclusive access state management
+
+From: Max Filippov <jcmvbkbc@gmail.com>
+
+commit a0fc1436f1f4f84e93144480bf30e0c958d135b6 upstream.
+
+The result of the s32ex opcode is recorded in the ATOMCTL special
+register and must be retrieved with the getex opcode. Context switch
+between s32ex and getex may trash the ATOMCTL register and result in
+duplicate update or missing update of the atomic variable.
+Add atomctl8 field to the struct thread_info and use getex to swap
+ATOMCTL bit 8 as a part of context switch.
+Clear exclusive access monitor on kernel entry.
+
+Cc: stable@vger.kernel.org
+Fixes: f7c34874f04a ("xtensa: add exclusive atomics support")
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/xtensa/include/asm/thread_info.h | 4 ++++
+ arch/xtensa/kernel/asm-offsets.c | 3 +++
+ arch/xtensa/kernel/entry.S | 11 +++++++++++
+ 3 files changed, 18 insertions(+)
+
+--- a/arch/xtensa/include/asm/thread_info.h
++++ b/arch/xtensa/include/asm/thread_info.h
+@@ -55,6 +55,10 @@ struct thread_info {
+ mm_segment_t addr_limit; /* thread address space */
+
+ unsigned long cpenable;
++#if XCHAL_HAVE_EXCLUSIVE
++ /* result of the most recent exclusive store */
++ unsigned long atomctl8;
++#endif
+
+ /* Allocate storage for extra user states and coprocessor states. */
+ #if XTENSA_HAVE_COPROCESSORS
+--- a/arch/xtensa/kernel/asm-offsets.c
++++ b/arch/xtensa/kernel/asm-offsets.c
+@@ -93,6 +93,9 @@ int main(void)
+ DEFINE(THREAD_RA, offsetof (struct task_struct, thread.ra));
+ DEFINE(THREAD_SP, offsetof (struct task_struct, thread.sp));
+ DEFINE(THREAD_CPENABLE, offsetof (struct thread_info, cpenable));
++#if XCHAL_HAVE_EXCLUSIVE
++ DEFINE(THREAD_ATOMCTL8, offsetof (struct thread_info, atomctl8));
++#endif
+ #if XTENSA_HAVE_COPROCESSORS
+ DEFINE(THREAD_XTREGS_CP0, offsetof(struct thread_info, xtregs_cp.cp0));
+ DEFINE(THREAD_XTREGS_CP1, offsetof(struct thread_info, xtregs_cp.cp1));
+--- a/arch/xtensa/kernel/entry.S
++++ b/arch/xtensa/kernel/entry.S
+@@ -374,6 +374,11 @@ common_exception:
+ s32i a2, a1, PT_LCOUNT
+ #endif
+
++#if XCHAL_HAVE_EXCLUSIVE
++ /* Clear exclusive access monitor set by interrupted code */
++ clrex
++#endif
++
+ /* It is now save to restore the EXC_TABLE_FIXUP variable. */
+
+ rsr a2, exccause
+@@ -2020,6 +2025,12 @@ ENTRY(_switch_to)
+ s32i a3, a4, THREAD_CPENABLE
+ #endif
+
++#if XCHAL_HAVE_EXCLUSIVE
++ l32i a3, a5, THREAD_ATOMCTL8
++ getex a3
++ s32i a3, a4, THREAD_ATOMCTL8
++#endif
++
+ /* Flush register file. */
+
+ spill_registers_kernel
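Review bot: The `l32i` / `getex` / `s32i` sequence added to `_switch_to` carries no comment, unlike the `clrex` addition in the previous hunk. Its correctness depends on `getex` exchanging its register operand with ATOMCTL bit 8 rather than only reading it, which the commit message states but the code does not. I would add a line above it such as `/* Swap ATOMCTL[8]: install the value saved in the thread at a5, save the current one to the thread at a4 */`. Judging from the `THREAD_CPENABLE` store just above, a4 is presumably the outgoing thread, but the register setup is outside this hunk and should be confirmed.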
--- /dev/null
+From 6d65d3769d1910379e1cfa61ebf387efc6bfb22c Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Fri, 31 Jul 2020 12:37:32 -0700
+Subject: xtensa: fix xtensa_pmu_setup prototype
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Max Filippov <jcmvbkbc@gmail.com>
+
+commit 6d65d3769d1910379e1cfa61ebf387efc6bfb22c upstream.
+
+Fix the following build error in configurations with
+CONFIG_XTENSA_VARIANT_HAVE_PERF_EVENTS=y:
+
+ arch/xtensa/kernel/perf_event.c:420:29: error: passing argument 3 of
+ ‘cpuhp_setup_state’ from incompatible pointer type
+
+Cc: stable@vger.kernel.org
+Fixes: 25a77b55e74c ("xtensa/perf: Convert the hotplug notifier to state machine callbacks")
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/xtensa/kernel/perf_event.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/xtensa/kernel/perf_event.c
++++ b/arch/xtensa/kernel/perf_event.c
+@@ -399,7 +399,7 @@ static struct pmu xtensa_pmu = {
+ .read = xtensa_pmu_read,
+ };
+
+-static int xtensa_pmu_setup(int cpu)
++static int xtensa_pmu_setup(unsigned int cpu)
+ {
+ unsigned i;
+