4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 19 Aug 2020 11:52:32 +0000 (13:52 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 19 Aug 2020 11:52:32 +0000 (13:52 +0200)
added patches:
cifs-fix-leak-when-handling-lease-break-for-cached-root-fid.patch
dt-bindings-iio-io-channel-mux-fix-compatible-string-in-example-code.patch
iio-dac-ad5592r-fix-unbalanced-mutex-unlocks-in-ad5592r_read_raw.patch
media-vsp1-dl-fix-null-pointer-dereference-on-unbind.patch
powerpc-allow-4224-bytes-of-stack-expansion-for-the-signal-frame.patch
powerpc-fix-circular-dependency-between-percpu.h-and-mmu.h.patch
xtensa-fix-xtensa_pmu_setup-prototype.patch

queue-4.19/cifs-fix-leak-when-handling-lease-break-for-cached-root-fid.patch [new file with mode: 0644]
queue-4.19/dt-bindings-iio-io-channel-mux-fix-compatible-string-in-example-code.patch [new file with mode: 0644]
queue-4.19/iio-dac-ad5592r-fix-unbalanced-mutex-unlocks-in-ad5592r_read_raw.patch [new file with mode: 0644]
queue-4.19/media-vsp1-dl-fix-null-pointer-dereference-on-unbind.patch [new file with mode: 0644]
queue-4.19/powerpc-allow-4224-bytes-of-stack-expansion-for-the-signal-frame.patch [new file with mode: 0644]
queue-4.19/powerpc-fix-circular-dependency-between-percpu.h-and-mmu.h.patch [new file with mode: 0644]
queue-4.19/series
queue-4.19/xtensa-fix-xtensa_pmu_setup-prototype.patch [new file with mode: 0644]

diff --git a/queue-4.19/cifs-fix-leak-when-handling-lease-break-for-cached-root-fid.patch b/queue-4.19/cifs-fix-leak-when-handling-lease-break-for-cached-root-fid.patch
new file mode 100644 (file)
index 0000000..1f7c686
--- /dev/null
@@ -0,0 +1,164 @@
+From baf57b56d3604880ccb3956ec6c62ea894f5de99 Mon Sep 17 00:00:00 2001
+From: Paul Aurich <paul@darkrain42.org>
+Date: Thu, 9 Jul 2020 22:01:16 -0700
+Subject: cifs: Fix leak when handling lease break for cached root fid
+
+From: Paul Aurich <paul@darkrain42.org>
+
+commit baf57b56d3604880ccb3956ec6c62ea894f5de99 upstream.
+
+Handling a lease break for the cached root didn't free the
+smb2_lease_break_work allocation, resulting in a leak:
+
+    unreferenced object 0xffff98383a5af480 (size 128):
+      comm "cifsd", pid 684, jiffies 4294936606 (age 534.868s)
+      hex dump (first 32 bytes):
+        c0 ff ff ff 1f 00 00 00 88 f4 5a 3a 38 98 ff ff  ..........Z:8...
+        88 f4 5a 3a 38 98 ff ff 80 88 d6 8a ff ff ff ff  ..Z:8...........
+      backtrace:
+        [<0000000068957336>] smb2_is_valid_oplock_break+0x1fa/0x8c0
+        [<0000000073b70b9e>] cifs_demultiplex_thread+0x73d/0xcc0
+        [<00000000905fa372>] kthread+0x11c/0x150
+        [<0000000079378e4e>] ret_from_fork+0x22/0x30
+
+Avoid this leak by only allocating when necessary.
+
+Fixes: a93864d93977 ("cifs: add lease tracking to the cached root fid")
+Signed-off-by: Paul Aurich <paul@darkrain42.org>
+CC: Stable <stable@vger.kernel.org> # v4.18+
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2misc.c |   73 +++++++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 52 insertions(+), 21 deletions(-)
+
+--- a/fs/cifs/smb2misc.c
++++ b/fs/cifs/smb2misc.c
+@@ -509,15 +509,31 @@ cifs_ses_oplock_break(struct work_struct
+       kfree(lw);
+ }
++static void
++smb2_queue_pending_open_break(struct tcon_link *tlink, __u8 *lease_key,
++                            __le32 new_lease_state)
++{
++      struct smb2_lease_break_work *lw;
++
++      lw = kmalloc(sizeof(struct smb2_lease_break_work), GFP_KERNEL);
++      if (!lw) {
++              cifs_put_tlink(tlink);
++              return;
++      }
++
++      INIT_WORK(&lw->lease_break, cifs_ses_oplock_break);
++      lw->tlink = tlink;
++      lw->lease_state = new_lease_state;
++      memcpy(lw->lease_key, lease_key, SMB2_LEASE_KEY_SIZE);
++      queue_work(cifsiod_wq, &lw->lease_break);
++}
++
+ static bool
+-smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp,
+-                  struct smb2_lease_break_work *lw)
++smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp)
+ {
+-      bool found;
+       __u8 lease_state;
+       struct list_head *tmp;
+       struct cifsFileInfo *cfile;
+-      struct cifs_pending_open *open;
+       struct cifsInodeInfo *cinode;
+       int ack_req = le32_to_cpu(rsp->Flags &
+                                 SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED);
+@@ -556,22 +572,29 @@ smb2_tcon_has_lease(struct cifs_tcon *tc
+                                 &cinode->flags);
+               cifs_queue_oplock_break(cfile);
+-              kfree(lw);
+               return true;
+       }
+-      found = false;
++      return false;
++}
++
++static struct cifs_pending_open *
++smb2_tcon_find_pending_open_lease(struct cifs_tcon *tcon,
++                                struct smb2_lease_break *rsp)
++{
++      __u8 lease_state = le32_to_cpu(rsp->NewLeaseState);
++      int ack_req = le32_to_cpu(rsp->Flags &
++                                SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED);
++      struct cifs_pending_open *open;
++      struct cifs_pending_open *found = NULL;
++
+       list_for_each_entry(open, &tcon->pending_opens, olist) {
+               if (memcmp(open->lease_key, rsp->LeaseKey,
+                          SMB2_LEASE_KEY_SIZE))
+                       continue;
+               if (!found && ack_req) {
+-                      found = true;
+-                      memcpy(lw->lease_key, open->lease_key,
+-                             SMB2_LEASE_KEY_SIZE);
+-                      lw->tlink = cifs_get_tlink(open->tlink);
+-                      queue_work(cifsiod_wq, &lw->lease_break);
++                      found = open;
+               }
+               cifs_dbg(FYI, "found in the pending open list\n");
+@@ -592,14 +615,7 @@ smb2_is_valid_lease_break(char *buffer)
+       struct TCP_Server_Info *server;
+       struct cifs_ses *ses;
+       struct cifs_tcon *tcon;
+-      struct smb2_lease_break_work *lw;
+-
+-      lw = kmalloc(sizeof(struct smb2_lease_break_work), GFP_KERNEL);
+-      if (!lw)
+-              return false;
+-
+-      INIT_WORK(&lw->lease_break, cifs_ses_oplock_break);
+-      lw->lease_state = rsp->NewLeaseState;
++      struct cifs_pending_open *open;
+       cifs_dbg(FYI, "Checking for lease break\n");
+@@ -617,11 +633,27 @@ smb2_is_valid_lease_break(char *buffer)
+                               spin_lock(&tcon->open_file_lock);
+                               cifs_stats_inc(
+                                   &tcon->stats.cifs_stats.num_oplock_brks);
+-                              if (smb2_tcon_has_lease(tcon, rsp, lw)) {
++                              if (smb2_tcon_has_lease(tcon, rsp)) {
+                                       spin_unlock(&tcon->open_file_lock);
+                                       spin_unlock(&cifs_tcp_ses_lock);
+                                       return true;
+                               }
++                              open = smb2_tcon_find_pending_open_lease(tcon,
++                                                                       rsp);
++                              if (open) {
++                                      __u8 lease_key[SMB2_LEASE_KEY_SIZE];
++                                      struct tcon_link *tlink;
++
++                                      tlink = cifs_get_tlink(open->tlink);
++                                      memcpy(lease_key, open->lease_key,
++                                             SMB2_LEASE_KEY_SIZE);
++                                      spin_unlock(&tcon->open_file_lock);
++                                      spin_unlock(&cifs_tcp_ses_lock);
++                                      smb2_queue_pending_open_break(tlink,
++                                                                    lease_key,
++                                                                    rsp->NewLeaseState);
++                                      return true;
++                              }
+                               spin_unlock(&tcon->open_file_lock);
+                               if (tcon->crfid.is_valid &&
+@@ -639,7 +671,6 @@ smb2_is_valid_lease_break(char *buffer)
+               }
+       }
+       spin_unlock(&cifs_tcp_ses_lock);
+-      kfree(lw);
+       cifs_dbg(FYI, "Can not process lease break - no lease matched\n");
+       return false;
+ }
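Review bot: An allocation failure in smb2_queue_pending_open_break now drops the lease break silently: by the time kmalloc runs, smb2_is_valid_lease_break has already released both locks and returns true regardless, whereas the removed code returned false before touching any tcon when the work item could not be allocated. The failure path should at least leave a trace, e.g. `cifs_dbg(VFS, "failed to allocate lease break work for pending open\n");` before `cifs_put_tlink(tlink);`. The helper also takes ownership of the tlink reference the caller obtained with cifs_get_tlink() without saying so; a comment above it stating that the reference is consumed here on failure, and presumably released by cifs_ses_oplock_break() otherwise (its body is outside the hunk), would make the hand-off explicit. smb2_tcon_find_pending_open_lease's body runs past the end of its hunk, so the returned open is only known to stay valid because the new caller copies lease_key and takes the tlink before dropping tcon->open_file_lock, which it does.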
diff --git a/queue-4.19/dt-bindings-iio-io-channel-mux-fix-compatible-string-in-example-code.patch b/queue-4.19/dt-bindings-iio-io-channel-mux-fix-compatible-string-in-example-code.patch
new file mode 100644 (file)
index 0000000..8d3b53a
--- /dev/null
@@ -0,0 +1,34 @@
+From add48ba425192c6e04ce70549129cacd01e2a09e Mon Sep 17 00:00:00 2001
+From: Christian Eggers <ceggers@arri.de>
+Date: Mon, 27 Jul 2020 12:16:05 +0200
+Subject: dt-bindings: iio: io-channel-mux: Fix compatible string in example code
+
+From: Christian Eggers <ceggers@arri.de>
+
+commit add48ba425192c6e04ce70549129cacd01e2a09e upstream.
+
+The correct compatible string is "gpio-mux" (see
+bindings/mux/gpio-mux.txt).
+
+Cc: stable@vger.kernel.org # v4.13+
+Reviewed-by: Peter Rosin <peda@axentia.se>
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Link: https://lore.kernel.org/r/20200727101605.24384-1-ceggers@arri.de
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/devicetree/bindings/iio/multiplexer/io-channel-mux.txt |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/iio/multiplexer/io-channel-mux.txt
++++ b/Documentation/devicetree/bindings/iio/multiplexer/io-channel-mux.txt
+@@ -21,7 +21,7 @@ controller state. The mux controller sta
+ Example:
+       mux: mux-controller {
+-              compatible = "mux-gpio";
++              compatible = "gpio-mux";
+               #mux-control-cells = <0>;
+               mux-gpios = <&pioA 0 GPIO_ACTIVE_HIGH>,
diff --git a/queue-4.19/iio-dac-ad5592r-fix-unbalanced-mutex-unlocks-in-ad5592r_read_raw.patch b/queue-4.19/iio-dac-ad5592r-fix-unbalanced-mutex-unlocks-in-ad5592r_read_raw.patch
new file mode 100644 (file)
index 0000000..7cacef7
--- /dev/null
@@ -0,0 +1,47 @@
+From 65afb0932a81c1de719ceee0db0b276094b10ac8 Mon Sep 17 00:00:00 2001
+From: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Date: Mon, 6 Jul 2020 14:02:57 +0300
+Subject: iio: dac: ad5592r: fix unbalanced mutex unlocks in ad5592r_read_raw()
+
+From: Alexandru Ardelean <alexandru.ardelean@analog.com>
+
+commit 65afb0932a81c1de719ceee0db0b276094b10ac8 upstream.
+
+There are 2 exit paths where the lock isn't held, but try to unlock the
+mutex when exiting. In these places we should just return from the
+function.
+
+A neater approach would be to cleanup the ad5592r_read_raw(), but that
+would make this patch more difficult to backport to stable versions.
+
+Fixes 56ca9db862bf3: ("iio: dac: Add support for the AD5592R/AD5593R ADCs/DACs")
+Reported-by: Charles Stanhope <charles.stanhope@gmail.com>
+Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/dac/ad5592r-base.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/dac/ad5592r-base.c
++++ b/drivers/iio/dac/ad5592r-base.c
+@@ -417,7 +417,7 @@ static int ad5592r_read_raw(struct iio_d
+                       s64 tmp = *val * (3767897513LL / 25LL);
+                       *val = div_s64_rem(tmp, 1000000000LL, val2);
+-                      ret = IIO_VAL_INT_PLUS_MICRO;
++                      return IIO_VAL_INT_PLUS_MICRO;
+               } else {
+                       int mult;
+@@ -448,7 +448,7 @@ static int ad5592r_read_raw(struct iio_d
+               ret =  IIO_VAL_INT;
+               break;
+       default:
+-              ret = -EINVAL;
++              return -EINVAL;
+       }
+ unlock:
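Review bot: The two new early returns at `return IIO_VAL_INT_PLUS_MICRO;` and `return -EINVAL;` are correct only because the mutex is not held on those paths, but nothing in the code says so, and the function still ends in a shared `unlock:` label, so the next edit can easily reintroduce the unbalanced unlock. A one-line comment at each, e.g. `/* lock not taken on this path, do not goto unlock */`, would pin the invariant the commit message relies on. ad5592r_read_raw starts and ends outside the hunks, so whether any other path reaches `unlock:` without the lock cannot be checked here.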
diff --git a/queue-4.19/media-vsp1-dl-fix-null-pointer-dereference-on-unbind.patch b/queue-4.19/media-vsp1-dl-fix-null-pointer-dereference-on-unbind.patch
new file mode 100644 (file)
index 0000000..540205b
--- /dev/null
@@ -0,0 +1,102 @@
+From c92d30e4b78dc331909f8c6056c2792aa14e2166 Mon Sep 17 00:00:00 2001
+From: Eugeniu Rosca <erosca@de.adit-jv.com>
+Date: Tue, 2 Jun 2020 21:50:16 +0200
+Subject: media: vsp1: dl: Fix NULL pointer dereference on unbind
+
+From: Eugeniu Rosca <erosca@de.adit-jv.com>
+
+commit c92d30e4b78dc331909f8c6056c2792aa14e2166 upstream.
+
+In commit f3b98e3c4d2e16 ("media: vsp1: Provide support for extended
+command pools"), the vsp pointer used for referencing the VSP1 device
+structure from a command pool during vsp1_dl_ext_cmd_pool_destroy() was
+not populated.
+
+Correctly assign the pointer to prevent the following
+null-pointer-dereference when removing the device:
+
+[*] h3ulcb-kf #>
+echo fea28000.vsp > /sys/bus/platform/devices/fea28000.vsp/driver/unbind
+ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000028
+ Mem abort info:
+   ESR = 0x96000006
+   EC = 0x25: DABT (current EL), IL = 32 bits
+   SET = 0, FnV = 0
+   EA = 0, S1PTW = 0
+ Data abort info:
+   ISV = 0, ISS = 0x00000006
+   CM = 0, WnR = 0
+ user pgtable: 4k pages, 48-bit VAs, pgdp=00000007318be000
+ [0000000000000028] pgd=00000007333a1003, pud=00000007333a6003, pmd=0000000000000000
+ Internal error: Oops: 96000006 [#1] PREEMPT SMP
+ Modules linked in:
+ CPU: 1 PID: 486 Comm: sh Not tainted 5.7.0-rc6-arm64-renesas-00118-ge644645abf47 #185
+ Hardware name: Renesas H3ULCB Kingfisher board based on r8a77951 (DT)
+ pstate: 40000005 (nZcv daif -PAN -UAO)
+ pc : vsp1_dlm_destroy+0xe4/0x11c
+ lr : vsp1_dlm_destroy+0xc8/0x11c
+ sp : ffff800012963b60
+ x29: ffff800012963b60 x28: ffff0006f83fc440
+ x27: 0000000000000000 x26: ffff0006f5e13e80
+ x25: ffff0006f5e13ed0 x24: ffff0006f5e13ed0
+ x23: ffff0006f5e13ed0 x22: dead000000000122
+ x21: ffff0006f5e3a080 x20: ffff0006f5df2938
+ x19: ffff0006f5df2980 x18: 0000000000000003
+ x17: 0000000000000000 x16: 0000000000000016
+ x15: 0000000000000003 x14: 00000000000393c0
+ x13: ffff800011a5ec18 x12: ffff800011d8d000
+ x11: ffff0006f83fcc68 x10: ffff800011a53d70
+ x9 : ffff8000111f3000 x8 : 0000000000000000
+ x7 : 0000000000210d00 x6 : 0000000000000000
+ x5 : ffff800010872e60 x4 : 0000000000000004
+ x3 : 0000000078068000 x2 : ffff800012781000
+ x1 : 0000000000002c00 x0 : 0000000000000000
+ Call trace:
+  vsp1_dlm_destroy+0xe4/0x11c
+  vsp1_wpf_destroy+0x10/0x20
+  vsp1_entity_destroy+0x24/0x4c
+  vsp1_destroy_entities+0x54/0x130
+  vsp1_remove+0x1c/0x40
+  platform_drv_remove+0x28/0x50
+  __device_release_driver+0x178/0x220
+  device_driver_detach+0x44/0xc0
+  unbind_store+0xe0/0x104
+  drv_attr_store+0x20/0x30
+  sysfs_kf_write+0x48/0x70
+  kernfs_fop_write+0x148/0x230
+  __vfs_write+0x18/0x40
+  vfs_write+0xdc/0x1c4
+  ksys_write+0x68/0xf0
+  __arm64_sys_write+0x18/0x20
+  el0_svc_common.constprop.0+0x70/0x170
+  do_el0_svc+0x20/0x80
+  el0_sync_handler+0x134/0x1b0
+  el0_sync+0x140/0x180
+ Code: b40000c2 f9403a60 d2800084 a9400663 (f9401400)
+ ---[ end trace 3875369841fb288a ]---
+
+Fixes: f3b98e3c4d2e16 ("media: vsp1: Provide support for extended command pools")
+Cc: stable@vger.kernel.org # v4.19+
+Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
+Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Tested-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/platform/vsp1/vsp1_dl.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/platform/vsp1/vsp1_dl.c
++++ b/drivers/media/platform/vsp1/vsp1_dl.c
+@@ -431,6 +431,8 @@ vsp1_dl_cmd_pool_create(struct vsp1_devi
+       if (!pool)
+               return NULL;
++      pool->vsp1 = vsp1;
++
+       spin_lock_init(&pool->lock);
+       INIT_LIST_HEAD(&pool->free);
diff --git a/queue-4.19/powerpc-allow-4224-bytes-of-stack-expansion-for-the-signal-frame.patch b/queue-4.19/powerpc-allow-4224-bytes-of-stack-expansion-for-the-signal-frame.patch
new file mode 100644 (file)
index 0000000..d212fbd
--- /dev/null
@@ -0,0 +1,184 @@
+From 63dee5df43a31f3844efabc58972f0a206ca4534 Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Fri, 24 Jul 2020 19:25:25 +1000
+Subject: powerpc: Allow 4224 bytes of stack expansion for the signal frame
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+commit 63dee5df43a31f3844efabc58972f0a206ca4534 upstream.
+
+We have powerpc specific logic in our page fault handling to decide if
+an access to an unmapped address below the stack pointer should expand
+the stack VMA.
+
+The code was originally added in 2004 "ported from 2.4". The rough
+logic is that the stack is allowed to grow to 1MB with no extra
+checking. Over 1MB the access must be within 2048 bytes of the stack
+pointer, or be from a user instruction that updates the stack pointer.
+
+The 2048 byte allowance below the stack pointer is there to cover the
+288 byte "red zone" as well as the "about 1.5kB" needed by the signal
+delivery code.
+
+Unfortunately since then the signal frame has expanded, and is now
+4224 bytes on 64-bit kernels with transactional memory enabled. This
+means if a process has consumed more than 1MB of stack, and its stack
+pointer lies less than 4224 bytes from the next page boundary, signal
+delivery will fault when trying to expand the stack and the process
+will see a SEGV.
+
+The total size of the signal frame is the size of struct rt_sigframe
+(which includes the red zone) plus __SIGNAL_FRAMESIZE (128 bytes on
+64-bit).
+
+The 2048 byte allowance was correct until 2008 as the signal frame
+was:
+
+struct rt_sigframe {
+        struct ucontext    uc;                           /*     0  1440 */
+        /* --- cacheline 11 boundary (1408 bytes) was 32 bytes ago --- */
+        long unsigned int          _unused[2];           /*  1440    16 */
+        unsigned int               tramp[6];             /*  1456    24 */
+        struct siginfo *           pinfo;                /*  1480     8 */
+        void *                     puc;                  /*  1488     8 */
+        struct siginfo     info;                         /*  1496   128 */
+        /* --- cacheline 12 boundary (1536 bytes) was 88 bytes ago --- */
+        char                       abigap[288];          /*  1624   288 */
+
+        /* size: 1920, cachelines: 15, members: 7 */
+        /* padding: 8 */
+};
+
+1920 + 128 = 2048
+
+Then in commit ce48b2100785 ("powerpc: Add VSX context save/restore,
+ptrace and signal support") (Jul 2008) the signal frame expanded to
+2304 bytes:
+
+struct rt_sigframe {
+        struct ucontext    uc;                           /*     0  1696 */     <--
+        /* --- cacheline 13 boundary (1664 bytes) was 32 bytes ago --- */
+        long unsigned int          _unused[2];           /*  1696    16 */
+        unsigned int               tramp[6];             /*  1712    24 */
+        struct siginfo *           pinfo;                /*  1736     8 */
+        void *                     puc;                  /*  1744     8 */
+        struct siginfo     info;                         /*  1752   128 */
+        /* --- cacheline 14 boundary (1792 bytes) was 88 bytes ago --- */
+        char                       abigap[288];          /*  1880   288 */
+
+        /* size: 2176, cachelines: 17, members: 7 */
+        /* padding: 8 */
+};
+
+2176 + 128 = 2304
+
+At this point we should have been exposed to the bug, though as far as
+I know it was never reported. I no longer have a system old enough to
+easily test on.
+
+Then in 2010 commit 320b2b8de126 ("mm: keep a guard page below a
+grow-down stack segment") caused our stack expansion code to never
+trigger, as there was always a VMA found for a write up to PAGE_SIZE
+below r1.
+
+That meant the bug was hidden as we continued to expand the signal
+frame in commit 2b0a576d15e0 ("powerpc: Add new transactional memory
+state to the signal context") (Feb 2013):
+
+struct rt_sigframe {
+        struct ucontext    uc;                           /*     0  1696 */
+        /* --- cacheline 13 boundary (1664 bytes) was 32 bytes ago --- */
+        struct ucontext    uc_transact;                  /*  1696  1696 */     <--
+        /* --- cacheline 26 boundary (3328 bytes) was 64 bytes ago --- */
+        long unsigned int          _unused[2];           /*  3392    16 */
+        unsigned int               tramp[6];             /*  3408    24 */
+        struct siginfo *           pinfo;                /*  3432     8 */
+        void *                     puc;                  /*  3440     8 */
+        struct siginfo     info;                         /*  3448   128 */
+        /* --- cacheline 27 boundary (3456 bytes) was 120 bytes ago --- */
+        char                       abigap[288];          /*  3576   288 */
+
+        /* size: 3872, cachelines: 31, members: 8 */
+        /* padding: 8 */
+        /* last cacheline: 32 bytes */
+};
+
+3872 + 128 = 4000
+
+And commit 573ebfa6601f ("powerpc: Increase stack redzone for 64-bit
+userspace to 512 bytes") (Feb 2014):
+
+struct rt_sigframe {
+        struct ucontext    uc;                           /*     0  1696 */
+        /* --- cacheline 13 boundary (1664 bytes) was 32 bytes ago --- */
+        struct ucontext    uc_transact;                  /*  1696  1696 */
+        /* --- cacheline 26 boundary (3328 bytes) was 64 bytes ago --- */
+        long unsigned int          _unused[2];           /*  3392    16 */
+        unsigned int               tramp[6];             /*  3408    24 */
+        struct siginfo *           pinfo;                /*  3432     8 */
+        void *                     puc;                  /*  3440     8 */
+        struct siginfo     info;                         /*  3448   128 */
+        /* --- cacheline 27 boundary (3456 bytes) was 120 bytes ago --- */
+        char                       abigap[512];          /*  3576   512 */     <--
+
+        /* size: 4096, cachelines: 32, members: 8 */
+        /* padding: 8 */
+};
+
+4096 + 128 = 4224
+
+Then finally in 2017, commit 1be7107fbe18 ("mm: larger stack guard
+gap, between vmas") exposed us to the existing bug, because it changed
+the stack VMA to be the correct/real size, meaning our stack expansion
+code is now triggered.
+
+Fix it by increasing the allowance to 4224 bytes.
+
+Hard-coding 4224 is obviously unsafe against future expansions of the
+signal frame in the same way as the existing code. We can't easily use
+sizeof() because the signal frame structure is not in a header. We
+will either fix that, or rip out all the custom stack expansion
+checking logic entirely.
+
+Fixes: ce48b2100785 ("powerpc: Add VSX context save/restore, ptrace and signal support")
+Cc: stable@vger.kernel.org # v2.6.27+
+Reported-by: Tom Lane <tgl@sss.pgh.pa.us>
+Tested-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200724092528.1578671-2-mpe@ellerman.id.au
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/fault.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/mm/fault.c
++++ b/arch/powerpc/mm/fault.c
+@@ -233,6 +233,9 @@ static bool bad_kernel_fault(bool is_exe
+       return is_exec || (address >= TASK_SIZE);
+ }
++// This comes from 64-bit struct rt_sigframe + __SIGNAL_FRAMESIZE
++#define SIGFRAME_MAX_SIZE     (4096 + 128)
++
+ static bool bad_stack_expansion(struct pt_regs *regs, unsigned long address,
+                               struct vm_area_struct *vma, unsigned int flags,
+                               bool *must_retry)
+@@ -240,7 +243,7 @@ static bool bad_stack_expansion(struct p
+       /*
+        * N.B. The POWER/Open ABI allows programs to access up to
+        * 288 bytes below the stack pointer.
+-       * The kernel signal delivery code writes up to about 1.5kB
++       * The kernel signal delivery code writes a bit over 4KB
+        * below the stack pointer (r1) before decrementing it.
+        * The exec code can write slightly over 640kB to the stack
+        * before setting the user r1.  Thus we allow the stack to
+@@ -265,7 +268,7 @@ static bool bad_stack_expansion(struct p
+                * between the last mapped region and the stack will
+                * expand the stack rather than segfaulting.
+                */
+-              if (address + 2048 >= uregs->gpr[1])
++              if (address + SIGFRAME_MAX_SIZE >= uregs->gpr[1])
+                       return false;
+               if ((flags & FAULT_FLAG_WRITE) && (flags & FAULT_FLAG_USER) &&
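Review bot: SIGFRAME_MAX_SIZE hard-codes both halves of the 64-bit frame (4096 + 128) with nothing tying it to the structures it mirrors, and the commit message itself says the value will silently go stale when struct rt_sigframe grows. The 128 is __SIGNAL_FRAMESIZE on 64-bit; if that macro is visible in fault.c (via asm/ptrace.h, not checked here) `#define SIGFRAME_MAX_SIZE (4096 + __SIGNAL_FRAMESIZE)` removes one of the two magic numbers, with the comment stating the value is a 64-bit upper bound since the macro is smaller on 32-bit. Kernel style also prefers `/* ... */` over the `//` comment at the definition, and it would help to spell out there that the constant must stay >= sizeof(struct rt_sigframe) + __SIGNAL_FRAMESIZE on 64-bit kernels with transactional memory. bad_stack_expansion's body runs past the last hunk.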
diff --git a/queue-4.19/powerpc-fix-circular-dependency-between-percpu.h-and-mmu.h.patch b/queue-4.19/powerpc-fix-circular-dependency-between-percpu.h-and-mmu.h.patch
new file mode 100644 (file)
index 0000000..ced8e21
--- /dev/null
@@ -0,0 +1,66 @@
+From 0c83b277ada72b585e6a3e52b067669df15bcedb Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Tue, 4 Aug 2020 22:44:06 +1000
+Subject: powerpc: Fix circular dependency between percpu.h and mmu.h
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+commit 0c83b277ada72b585e6a3e52b067669df15bcedb upstream.
+
+Recently random.h started including percpu.h (see commit
+f227e3ec3b5c ("random32: update the net random state on interrupt and
+activity")), which broke corenet64_smp_defconfig:
+
+  In file included from /linux/arch/powerpc/include/asm/paca.h:18,
+                   from /linux/arch/powerpc/include/asm/percpu.h:13,
+                   from /linux/include/linux/random.h:14,
+                   from /linux/lib/uuid.c:14:
+  /linux/arch/powerpc/include/asm/mmu.h:139:22: error: unknown type name 'next_tlbcam_idx'
+    139 | DECLARE_PER_CPU(int, next_tlbcam_idx);
+
+This is due to a circular header dependency:
+  asm/mmu.h includes asm/percpu.h, which includes asm/paca.h, which
+  includes asm/mmu.h
+
+Which means DECLARE_PER_CPU() isn't defined when mmu.h needs it.
+
+We can fix it by moving the include of paca.h below the include of
+asm-generic/percpu.h.
+
+This moves the include of paca.h out of the #ifdef __powerpc64__, but
+that is OK because paca.h is almost entirely inside #ifdef
+CONFIG_PPC64 anyway.
+
+It also moves the include of paca.h out of the #ifdef CONFIG_SMP,
+which could possibly break something, but seems to have no ill
+effects.
+
+Fixes: f227e3ec3b5c ("random32: update the net random state on interrupt and activity")
+Cc: stable@vger.kernel.org # v5.8
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200804130558.292328-1-mpe@ellerman.id.au
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/percpu.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/include/asm/percpu.h
++++ b/arch/powerpc/include/asm/percpu.h
+@@ -10,8 +10,6 @@
+ #ifdef CONFIG_SMP
+-#include <asm/paca.h>
+-
+ #define __my_cpu_offset local_paca->data_offset
+ #endif /* CONFIG_SMP */
+@@ -19,4 +17,6 @@
+ #include <asm-generic/percpu.h>
++#include <asm/paca.h>
++
+ #endif /* _ASM_POWERPC_PERCPU_H_ */
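Review bot: The ordering the fix depends on is not recorded in the header: `#include <asm/paca.h>` must now follow `#include <asm-generic/percpu.h>` because paca.h pulls in mmu.h, which needs DECLARE_PER_CPU(), and nothing stops a later tidy-up from sorting the includes back into the cycle. A comment above the moved line, e.g. `/* paca.h includes mmu.h, which needs DECLARE_PER_CPU() from asm-generic/percpu.h; keep this include after it. */`, would document that. The include is also no longer under CONFIG_SMP, which the commit message acknowledges; a note to that effect would save the next reader from re-adding the guard.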
index 783cfe96ed0129c28d745f9a5b6e57346e8fd032..63188b5bc9dc57fe7c1d4d195dc290192585d691 100644 (file)
@@ -15,3 +15,10 @@ btrfs-fix-messages-after-changing-compression-level-by-remount.patch
 btrfs-only-search-for-left_info-if-there-is-no-right_info-in-try_merge_free_space.patch
 btrfs-fix-memory-leaks-after-failure-to-lookup-checksums-during-inode-logging.patch
 btrfs-fix-return-value-mixup-in-btrfs_get_extent.patch
+dt-bindings-iio-io-channel-mux-fix-compatible-string-in-example-code.patch
+iio-dac-ad5592r-fix-unbalanced-mutex-unlocks-in-ad5592r_read_raw.patch
+xtensa-fix-xtensa_pmu_setup-prototype.patch
+cifs-fix-leak-when-handling-lease-break-for-cached-root-fid.patch
+powerpc-allow-4224-bytes-of-stack-expansion-for-the-signal-frame.patch
+powerpc-fix-circular-dependency-between-percpu.h-and-mmu.h.patch
+media-vsp1-dl-fix-null-pointer-dereference-on-unbind.patch
diff --git a/queue-4.19/xtensa-fix-xtensa_pmu_setup-prototype.patch b/queue-4.19/xtensa-fix-xtensa_pmu_setup-prototype.patch
new file mode 100644 (file)
index 0000000..d56e9dc
--- /dev/null
@@ -0,0 +1,38 @@
+From 6d65d3769d1910379e1cfa61ebf387efc6bfb22c Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Fri, 31 Jul 2020 12:37:32 -0700
+Subject: xtensa: fix xtensa_pmu_setup prototype
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Max Filippov <jcmvbkbc@gmail.com>
+
+commit 6d65d3769d1910379e1cfa61ebf387efc6bfb22c upstream.
+
+Fix the following build error in configurations with
+CONFIG_XTENSA_VARIANT_HAVE_PERF_EVENTS=y:
+
+  arch/xtensa/kernel/perf_event.c:420:29: error: passing argument 3 of
+  ‘cpuhp_setup_state’ from incompatible pointer type
+
+Cc: stable@vger.kernel.org
+Fixes: 25a77b55e74c ("xtensa/perf: Convert the hotplug notifier to state machine callbacks")
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/xtensa/kernel/perf_event.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/xtensa/kernel/perf_event.c
++++ b/arch/xtensa/kernel/perf_event.c
+@@ -404,7 +404,7 @@ static struct pmu xtensa_pmu = {
+       .read = xtensa_pmu_read,
+ };
+-static int xtensa_pmu_setup(int cpu)
++static int xtensa_pmu_setup(unsigned int cpu)
+ {
+       unsigned i;