--- /dev/null
+From f34ee9cb2c5ac5af426fee6fa4591a34d187e696 Mon Sep 17 00:00:00 2001
+From: "Pratik R. Sampat" <psampat@linux.ibm.com>
+Date: Wed, 28 Jul 2021 17:35:00 +0530
+Subject: cpufreq: powernv: Fix init_chip_info initialization in numa=off
+
+From: Pratik R. Sampat <psampat@linux.ibm.com>
+
+commit f34ee9cb2c5ac5af426fee6fa4591a34d187e696 upstream.
+
+In the numa=off kernel command-line configuration init_chip_info() loops
+around the number of chips and attempts to copy the cpumask of that node
+which is NULL for all iterations after the first chip.
+
+Hence, store the cpu mask for each chip instead of derving cpumask from
+node while populating the "chips" struct array and copy that to the
+chips[i].mask
+
+Fixes: 053819e0bf84 ("cpufreq: powernv: Handle throttling due to Pmax capping at chip level")
+Cc: stable@vger.kernel.org # v4.3+
+Reported-by: Shirisha Ganta <shirisha.ganta1@ibm.com>
+Signed-off-by: Pratik R. Sampat <psampat@linux.ibm.com>
+Reviewed-by: Gautham R. Shenoy <ego@linux.vnet.ibm.com>
+[mpe: Rename goto label to out_free_chip_cpu_mask]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210728120500.87549-2-psampat@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/powernv-cpufreq.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/drivers/cpufreq/powernv-cpufreq.c
++++ b/drivers/cpufreq/powernv-cpufreq.c
+@@ -36,6 +36,7 @@
+ #define MAX_PSTATE_SHIFT 32
+ #define LPSTATE_SHIFT 48
+ #define GPSTATE_SHIFT 56
++#define MAX_NR_CHIPS 32
+
+ #define MAX_RAMP_DOWN_TIME 5120
+ /*
+@@ -1051,12 +1052,20 @@ static int init_chip_info(void)
+ unsigned int *chip;
+ unsigned int cpu, i;
+ unsigned int prev_chip_id = UINT_MAX;
++ cpumask_t *chip_cpu_mask;
+ int ret = 0;
+
+ chip = kcalloc(num_possible_cpus(), sizeof(*chip), GFP_KERNEL);
+ if (!chip)
+ return -ENOMEM;
+
++ /* Allocate a chip cpu mask large enough to fit mask for all chips */
++ chip_cpu_mask = kcalloc(MAX_NR_CHIPS, sizeof(cpumask_t), GFP_KERNEL);
++ if (!chip_cpu_mask) {
++ ret = -ENOMEM;
++ goto free_and_return;
++ }
++
+ for_each_possible_cpu(cpu) {
+ unsigned int id = cpu_to_chip_id(cpu);
+
+@@ -1064,22 +1073,25 @@ static int init_chip_info(void)
+ prev_chip_id = id;
+ chip[nr_chips++] = id;
+ }
++ cpumask_set_cpu(cpu, &chip_cpu_mask[nr_chips-1]);
+ }
+
+ chips = kcalloc(nr_chips, sizeof(struct chip), GFP_KERNEL);
+ if (!chips) {
+ ret = -ENOMEM;
+- goto free_and_return;
++ goto out_free_chip_cpu_mask;
+ }
+
+ for (i = 0; i < nr_chips; i++) {
+ chips[i].id = chip[i];
+- cpumask_copy(&chips[i].mask, cpumask_of_node(chip[i]));
++ cpumask_copy(&chips[i].mask, &chip_cpu_mask[i]);
+ INIT_WORK(&chips[i].throttle, powernv_cpufreq_work_fn);
+ for_each_cpu(cpu, &chips[i].mask)
+ per_cpu(chip_info, cpu) = &chips[i];
+ }
+
++out_free_chip_cpu_mask:
++ kfree(chip_cpu_mask);
+ free_and_return:
+ kfree(chip);
+ return ret;
--- /dev/null
+From a7a9d11e12fcc32160d55e8612e72e5ab51b15dc Mon Sep 17 00:00:00 2001
+From: "Jerry (Fangzhi) Zuo" <Jerry.Zuo@amd.com>
+Date: Wed, 17 Jun 2020 20:34:33 -0400
+Subject: drm/amd/display: Update bounding box states (v2)
+
+From: Jerry (Fangzhi) Zuo <Jerry.Zuo@amd.com>
+
+commit a7a9d11e12fcc32160d55e8612e72e5ab51b15dc upstream.
+
+[Why]
+Drop hardcoded dispclk, dppclk, phyclk
+
+[How]
+Read the corresponding values from clock table entries already populated.
+
+Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1403
+Cc: stable@vger.kernel.org
+Signed-off-by: Jerry (Fangzhi) Zuo <Jerry.Zuo@amd.com>
+Signed-off-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c | 41 +++++++++++++-----
+ 1 file changed, 31 insertions(+), 10 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c
+@@ -2455,16 +2455,37 @@ void dcn30_update_bw_bounding_box(struct
+ dc->dml.soc.dispclk_dppclk_vco_speed_mhz = dc->clk_mgr->dentist_vco_freq_khz / 1000.0;
+
+ if (bw_params->clk_table.entries[0].memclk_mhz) {
++ int max_dcfclk_mhz = 0, max_dispclk_mhz = 0, max_dppclk_mhz = 0, max_phyclk_mhz = 0;
+
+- if (bw_params->clk_table.entries[1].dcfclk_mhz > dcfclk_sta_targets[num_dcfclk_sta_targets-1]) {
++ for (i = 0; i < MAX_NUM_DPM_LVL; i++) {
++ if (bw_params->clk_table.entries[i].dcfclk_mhz > max_dcfclk_mhz)
++ max_dcfclk_mhz = bw_params->clk_table.entries[i].dcfclk_mhz;
++ if (bw_params->clk_table.entries[i].dispclk_mhz > max_dispclk_mhz)
++ max_dispclk_mhz = bw_params->clk_table.entries[i].dispclk_mhz;
++ if (bw_params->clk_table.entries[i].dppclk_mhz > max_dppclk_mhz)
++ max_dppclk_mhz = bw_params->clk_table.entries[i].dppclk_mhz;
++ if (bw_params->clk_table.entries[i].phyclk_mhz > max_phyclk_mhz)
++ max_phyclk_mhz = bw_params->clk_table.entries[i].phyclk_mhz;
++ }
++
++ if (!max_dcfclk_mhz)
++ max_dcfclk_mhz = dcn3_0_soc.clock_limits[0].dcfclk_mhz;
++ if (!max_dispclk_mhz)
++ max_dispclk_mhz = dcn3_0_soc.clock_limits[0].dispclk_mhz;
++ if (!max_dppclk_mhz)
++ max_dppclk_mhz = dcn3_0_soc.clock_limits[0].dppclk_mhz;
++ if (!max_phyclk_mhz)
++ max_phyclk_mhz = dcn3_0_soc.clock_limits[0].phyclk_mhz;
++
++ if (max_dcfclk_mhz > dcfclk_sta_targets[num_dcfclk_sta_targets-1]) {
+ // If max DCFCLK is greater than the max DCFCLK STA target, insert into the DCFCLK STA target array
+- dcfclk_sta_targets[num_dcfclk_sta_targets] = bw_params->clk_table.entries[1].dcfclk_mhz;
++ dcfclk_sta_targets[num_dcfclk_sta_targets] = max_dcfclk_mhz;
+ num_dcfclk_sta_targets++;
+- } else if (bw_params->clk_table.entries[1].dcfclk_mhz < dcfclk_sta_targets[num_dcfclk_sta_targets-1]) {
++ } else if (max_dcfclk_mhz < dcfclk_sta_targets[num_dcfclk_sta_targets-1]) {
+ // If max DCFCLK is less than the max DCFCLK STA target, cap values and remove duplicates
+ for (i = 0; i < num_dcfclk_sta_targets; i++) {
+- if (dcfclk_sta_targets[i] > bw_params->clk_table.entries[1].dcfclk_mhz) {
+- dcfclk_sta_targets[i] = bw_params->clk_table.entries[1].dcfclk_mhz;
++ if (dcfclk_sta_targets[i] > max_dcfclk_mhz) {
++ dcfclk_sta_targets[i] = max_dcfclk_mhz;
+ break;
+ }
+ }
+@@ -2502,7 +2523,7 @@ void dcn30_update_bw_bounding_box(struct
+ dcfclk_mhz[num_states] = dcfclk_sta_targets[i];
+ dram_speed_mts[num_states++] = optimal_uclk_for_dcfclk_sta_targets[i++];
+ } else {
+- if (j < num_uclk_states && optimal_dcfclk_for_uclk[j] <= bw_params->clk_table.entries[1].dcfclk_mhz) {
++ if (j < num_uclk_states && optimal_dcfclk_for_uclk[j] <= max_dcfclk_mhz) {
+ dcfclk_mhz[num_states] = optimal_dcfclk_for_uclk[j];
+ dram_speed_mts[num_states++] = bw_params->clk_table.entries[j++].memclk_mhz * 16;
+ } else {
+@@ -2517,7 +2538,7 @@ void dcn30_update_bw_bounding_box(struct
+ }
+
+ while (j < num_uclk_states && num_states < DC__VOLTAGE_STATES &&
+- optimal_dcfclk_for_uclk[j] <= bw_params->clk_table.entries[1].dcfclk_mhz) {
++ optimal_dcfclk_for_uclk[j] <= max_dcfclk_mhz) {
+ dcfclk_mhz[num_states] = optimal_dcfclk_for_uclk[j];
+ dram_speed_mts[num_states++] = bw_params->clk_table.entries[j++].memclk_mhz * 16;
+ }
+@@ -2530,9 +2551,9 @@ void dcn30_update_bw_bounding_box(struct
+ dcn3_0_soc.clock_limits[i].dram_speed_mts = dram_speed_mts[i];
+
+ /* Fill all states with max values of all other clocks */
+- dcn3_0_soc.clock_limits[i].dispclk_mhz = bw_params->clk_table.entries[1].dispclk_mhz;
+- dcn3_0_soc.clock_limits[i].dppclk_mhz = bw_params->clk_table.entries[1].dppclk_mhz;
+- dcn3_0_soc.clock_limits[i].phyclk_mhz = bw_params->clk_table.entries[1].phyclk_mhz;
++ dcn3_0_soc.clock_limits[i].dispclk_mhz = max_dispclk_mhz;
++ dcn3_0_soc.clock_limits[i].dppclk_mhz = max_dppclk_mhz;
++ dcn3_0_soc.clock_limits[i].phyclk_mhz = max_phyclk_mhz;
+ dcn3_0_soc.clock_limits[i].dtbclk_mhz = dcn3_0_soc.clock_limits[0].dtbclk_mhz;
+ /* These clocks cannot come from bw_params, always fill from dcn3_0_soc[1] */
+ /* FCLK, PHYCLK_D18, SOCCLK, DSCCLK */
--- /dev/null
+From 0bbf06d888734041e813b916d7821acd4f72005a Mon Sep 17 00:00:00 2001
+From: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Date: Tue, 24 Aug 2021 15:10:50 -0400
+Subject: drm/amd/display: Update number of DCN3 clock states
+
+From: Aurabindo Pillai <aurabindo.pillai@amd.com>
+
+commit 0bbf06d888734041e813b916d7821acd4f72005a upstream.
+
+[Why & How]
+The DCN3 SoC parameter num_states was calculated but not saved into the
+object.
+
+Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1403
+Cc: stable@vger.kernel.org
+Signed-off-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c
+@@ -2522,6 +2522,7 @@ void dcn30_update_bw_bounding_box(struct
+ dram_speed_mts[num_states++] = bw_params->clk_table.entries[j++].memclk_mhz * 16;
+ }
+
++ dcn3_0_soc.num_states = num_states;
+ for (i = 0; i < dcn3_0_soc.num_states; i++) {
+ dcn3_0_soc.clock_limits[i].state = i;
+ dcn3_0_soc.clock_limits[i].dcfclk_mhz = dcfclk_mhz[i];
--- /dev/null
+From ea7acd7c5967542353430947f3faf699e70602e5 Mon Sep 17 00:00:00 2001
+From: Andrey Grodzovsky <andrey.grodzovsky@amd.com>
+Date: Tue, 22 Jun 2021 12:23:38 -0400
+Subject: drm/amdgpu: Fix BUG_ON assert
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andrey Grodzovsky <andrey.grodzovsky@amd.com>
+
+commit ea7acd7c5967542353430947f3faf699e70602e5 upstream.
+
+With added CPU domain to placement you can have
+now 3 placemnts at once.
+
+CC: stable@kernel.org
+Signed-off-by: Andrey Grodzovsky <andrey.grodzovsky@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210622162339.761651-5-andrey.grodzovsky@amd.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
+@@ -207,7 +207,7 @@ void amdgpu_bo_placement_from_domain(str
+ c++;
+ }
+
+- BUG_ON(c >= AMDGPU_BO_MAX_PLACEMENTS);
++ BUG_ON(c > AMDGPU_BO_MAX_PLACEMENTS);
+
+ placement->num_placement = c;
+ placement->placement = places;
--- /dev/null
+From 92bd92c44d0d9be5dcbcda315b4be4b909ed9740 Mon Sep 17 00:00:00 2001
+From: Rajkumar Subbiah <rsubbia@codeaurora.org>
+Date: Tue, 6 Jul 2021 08:30:34 -0700
+Subject: drm/dp_mst: Fix return code on sideband message failure
+
+From: Rajkumar Subbiah <rsubbia@codeaurora.org>
+
+commit 92bd92c44d0d9be5dcbcda315b4be4b909ed9740 upstream.
+
+Commit 2f015ec6eab6 ("drm/dp_mst: Add sideband down request tracing +
+selftests") added some debug code for sideband message tracing. But
+it seems to have unintentionally changed the behavior on sideband message
+failure. It catches and returns failure only if DRM_UT_DP is enabled.
+Otherwise it ignores the error code and returns success. So on an MST
+unplug, the caller is unaware that the clear payload message failed and
+ends up waiting for 4 seconds for the response. Fixes the issue by
+returning the proper error code.
+
+Changes in V2:
+-- Revise commit text as review comment
+-- add Fixes text
+
+Changes in V3:
+-- remove "unlikely" optimization
+
+Fixes: 2f015ec6eab6 ("drm/dp_mst: Add sideband down request tracing + selftests")
+Cc: <stable@vger.kernel.org> # v5.5+
+Signed-off-by: Rajkumar Subbiah <rsubbia@codeaurora.org>
+Signed-off-by: Kuogee Hsieh <khsieh@codeaurora.org>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Reviewed-by: Jani Nikula <jani.nikula@intel.com>
+Reviewed-by: Lyude Paul <lyude@redhat.com>
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/1625585434-9562-1-git-send-email-khsieh@codeaurora.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_dp_mst_topology.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/drm_dp_mst_topology.c
++++ b/drivers/gpu/drm/drm_dp_mst_topology.c
+@@ -2869,11 +2869,13 @@ static int process_single_tx_qlock(struc
+ idx += tosend + 1;
+
+ ret = drm_dp_send_sideband_msg(mgr, up, chunk, idx);
+- if (unlikely(ret) && drm_debug_enabled(DRM_UT_DP)) {
+- struct drm_printer p = drm_debug_printer(DBG_PREFIX);
++ if (ret) {
++ if (drm_debug_enabled(DRM_UT_DP)) {
++ struct drm_printer p = drm_debug_printer(DBG_PREFIX);
+
+- drm_printf(&p, "sideband msg failed to send\n");
+- drm_dp_mst_dump_sideband_msg_tx(&p, txmsg);
++ drm_printf(&p, "sideband msg failed to send\n");
++ drm_dp_mst_dump_sideband_msg_tx(&p, txmsg);
++ }
+ return ret;
+ }
+
--- /dev/null
+From 147696720eca12ae48d020726208b9a61cdd80bc Mon Sep 17 00:00:00 2001
+From: Thomas Zimmermann <tzimmermann@suse.de>
+Date: Wed, 14 Jul 2021 16:22:28 +0200
+Subject: drm/mgag200: Select clock in PLL update functions
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+commit 147696720eca12ae48d020726208b9a61cdd80bc upstream.
+
+Put the clock-selection code into each of the PLL-update functions to
+make them select the correct pixel clock. Instead of copying the code,
+introduce a new helper WREG_MISC_MASKED, which does masked writes into
+<MISC>. Use it from each individual PLL update function.
+
+The pixel clock for video output was not actually set before programming
+the clock's values. It worked because the device had the correct clock
+pre-set.
+
+v2:
+ * don't duplicate <MISC> update code (Sam)
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Fixes: db05f8d3dc87 ("drm/mgag200: Split MISC register update into PLL selection, SYNC and I/O")
+Acked-by: Sam Ravnborg <sam@ravnborg.org>
+Cc: Sam Ravnborg <sam@ravnborg.org>
+Cc: Emil Velikov <emil.velikov@collabora.com>
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: dri-devel@lists.freedesktop.org
+Cc: <stable@vger.kernel.org> # v5.9+
+Link: https://patchwork.freedesktop.org/patch/msgid/20210714142240.21979-2-tzimmermann@suse.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/mgag200/mgag200_drv.h | 16 ++++++++++++++++
+ drivers/gpu/drm/mgag200/mgag200_mode.c | 20 +++++++++++++-------
+ drivers/gpu/drm/mgag200/mgag200_reg.h | 9 ++++-----
+ 3 files changed, 33 insertions(+), 12 deletions(-)
+
+--- a/drivers/gpu/drm/mgag200/mgag200_drv.h
++++ b/drivers/gpu/drm/mgag200/mgag200_drv.h
+@@ -43,6 +43,22 @@
+ #define ATTR_INDEX 0x1fc0
+ #define ATTR_DATA 0x1fc1
+
++#define WREG_MISC(v) \
++ WREG8(MGA_MISC_OUT, v)
++
++#define RREG_MISC(v) \
++ ((v) = RREG8(MGA_MISC_IN))
++
++#define WREG_MISC_MASKED(v, mask) \
++ do { \
++ u8 misc_; \
++ u8 mask_ = (mask); \
++ RREG_MISC(misc_); \
++ misc_ &= ~mask_; \
++ misc_ |= ((v) & mask_); \
++ WREG_MISC(misc_); \
++ } while (0)
++
+ #define WREG_ATTR(reg, v) \
+ do { \
+ RREG8(0x1fda); \
+--- a/drivers/gpu/drm/mgag200/mgag200_mode.c
++++ b/drivers/gpu/drm/mgag200/mgag200_mode.c
+@@ -172,6 +172,8 @@ static int mgag200_g200_set_plls(struct
+ drm_dbg_kms(dev, "clock: %ld vco: %ld m: %d n: %d p: %d s: %d\n",
+ clock, f_vco, m, n, p, s);
+
++ WREG_MISC_MASKED(MGAREG_MISC_CLKSEL_MGA, MGAREG_MISC_CLKSEL_MASK);
++
+ WREG_DAC(MGA1064_PIX_PLLC_M, m);
+ WREG_DAC(MGA1064_PIX_PLLC_N, n);
+ WREG_DAC(MGA1064_PIX_PLLC_P, (p | (s << 3)));
+@@ -287,6 +289,8 @@ static int mga_g200se_set_plls(struct mg
+ return 1;
+ }
+
++ WREG_MISC_MASKED(MGAREG_MISC_CLKSEL_MGA, MGAREG_MISC_CLKSEL_MASK);
++
+ WREG_DAC(MGA1064_PIX_PLLC_M, m);
+ WREG_DAC(MGA1064_PIX_PLLC_N, n);
+ WREG_DAC(MGA1064_PIX_PLLC_P, p);
+@@ -383,6 +387,8 @@ static int mga_g200wb_set_plls(struct mg
+ }
+ }
+
++ WREG_MISC_MASKED(MGAREG_MISC_CLKSEL_MGA, MGAREG_MISC_CLKSEL_MASK);
++
+ for (i = 0; i <= 32 && pll_locked == false; i++) {
+ if (i > 0) {
+ WREG8(MGAREG_CRTC_INDEX, 0x1e);
+@@ -520,6 +526,8 @@ static int mga_g200ev_set_plls(struct mg
+ }
+ }
+
++ WREG_MISC_MASKED(MGAREG_MISC_CLKSEL_MGA, MGAREG_MISC_CLKSEL_MASK);
++
+ WREG8(DAC_INDEX, MGA1064_PIX_CLK_CTL);
+ tmp = RREG8(DAC_DATA);
+ tmp |= MGA1064_PIX_CLK_CTL_CLK_DIS;
+@@ -652,6 +660,9 @@ static int mga_g200eh_set_plls(struct mg
+ }
+ }
+ }
++
++ WREG_MISC_MASKED(MGAREG_MISC_CLKSEL_MGA, MGAREG_MISC_CLKSEL_MASK);
++
+ for (i = 0; i <= 32 && pll_locked == false; i++) {
+ WREG8(DAC_INDEX, MGA1064_PIX_CLK_CTL);
+ tmp = RREG8(DAC_DATA);
+@@ -752,6 +763,8 @@ static int mga_g200er_set_plls(struct mg
+ }
+ }
+
++ WREG_MISC_MASKED(MGAREG_MISC_CLKSEL_MGA, MGAREG_MISC_CLKSEL_MASK);
++
+ WREG8(DAC_INDEX, MGA1064_PIX_CLK_CTL);
+ tmp = RREG8(DAC_DATA);
+ tmp |= MGA1064_PIX_CLK_CTL_CLK_DIS;
+@@ -785,8 +798,6 @@ static int mga_g200er_set_plls(struct mg
+
+ static int mgag200_crtc_set_plls(struct mga_device *mdev, long clock)
+ {
+- u8 misc;
+-
+ switch(mdev->type) {
+ case G200_PCI:
+ case G200_AGP:
+@@ -811,11 +822,6 @@ static int mgag200_crtc_set_plls(struct
+ break;
+ }
+
+- misc = RREG8(MGA_MISC_IN);
+- misc &= ~MGAREG_MISC_CLK_SEL_MASK;
+- misc |= MGAREG_MISC_CLK_SEL_MGA_MSK;
+- WREG8(MGA_MISC_OUT, misc);
+-
+ return 0;
+ }
+
+--- a/drivers/gpu/drm/mgag200/mgag200_reg.h
++++ b/drivers/gpu/drm/mgag200/mgag200_reg.h
+@@ -222,11 +222,10 @@
+
+ #define MGAREG_MISC_IOADSEL (0x1 << 0)
+ #define MGAREG_MISC_RAMMAPEN (0x1 << 1)
+-#define MGAREG_MISC_CLK_SEL_MASK GENMASK(3, 2)
+-#define MGAREG_MISC_CLK_SEL_VGA25 (0x0 << 2)
+-#define MGAREG_MISC_CLK_SEL_VGA28 (0x1 << 2)
+-#define MGAREG_MISC_CLK_SEL_MGA_PIX (0x2 << 2)
+-#define MGAREG_MISC_CLK_SEL_MGA_MSK (0x3 << 2)
++#define MGAREG_MISC_CLKSEL_MASK GENMASK(3, 2)
++#define MGAREG_MISC_CLKSEL_VGA25 (0x0 << 2)
++#define MGAREG_MISC_CLKSEL_VGA28 (0x1 << 2)
++#define MGAREG_MISC_CLKSEL_MGA (0x3 << 2)
+ #define MGAREG_MISC_VIDEO_DIS (0x1 << 4)
+ #define MGAREG_MISC_HIGH_PG_SEL (0x1 << 5)
+ #define MGAREG_MISC_HSYNCPOL BIT(6)
--- /dev/null
+From cb0927ab80d224c9074f53d1a55b087d12ec5a85 Mon Sep 17 00:00:00 2001
+From: David Heidelberg <david@ixit.cz>
+Date: Wed, 11 Aug 2021 19:06:31 +0200
+Subject: drm/msi/mdp4: populate priv->kms in mdp4_kms_init
+
+From: David Heidelberg <david@ixit.cz>
+
+commit cb0927ab80d224c9074f53d1a55b087d12ec5a85 upstream.
+
+Without this fix boot throws NULL ptr exception at msm_dsi_manager_setup_encoder
+on devices like Nexus 7 2013 (MDP4 v4.4).
+
+Fixes: 03436e3ec69c ("drm/msm/dsi: Move setup_encoder to modeset_init")
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: David Heidelberg <david@ixit.cz>
+Link: https://lore.kernel.org/r/20210811170631.39296-1-david@ixit.cz
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/disp/mdp4/mdp4_kms.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/msm/disp/mdp4/mdp4_kms.c
++++ b/drivers/gpu/drm/msm/disp/mdp4/mdp4_kms.c
+@@ -397,6 +397,7 @@ struct msm_kms *mdp4_kms_init(struct drm
+ {
+ struct platform_device *pdev = to_platform_device(dev->dev);
+ struct mdp4_platform_config *config = mdp4_get_config(pdev);
++ struct msm_drm_private *priv = dev->dev_private;
+ struct mdp4_kms *mdp4_kms;
+ struct msm_kms *kms = NULL;
+ struct msm_gem_address_space *aspace;
+@@ -412,7 +413,8 @@ struct msm_kms *mdp4_kms_init(struct drm
+
+ mdp_kms_init(&mdp4_kms->base, &kms_funcs);
+
+- kms = &mdp4_kms->base.base;
++ priv->kms = &mdp4_kms->base.base;
++ kms = priv->kms;
+
+ mdp4_kms->dev = dev;
+
--- /dev/null
+From bd7ffbc3ca12629aeb66fb9e28cf42b7f37e3e3b Mon Sep 17 00:00:00 2001
+From: Alyssa Rosenzweig <alyssa.rosenzweig@collabora.com>
+Date: Tue, 24 Aug 2021 13:30:27 -0400
+Subject: drm/panfrost: Clamp lock region to Bifrost minimum
+
+From: Alyssa Rosenzweig <alyssa.rosenzweig@collabora.com>
+
+commit bd7ffbc3ca12629aeb66fb9e28cf42b7f37e3e3b upstream.
+
+When locking a region, we currently clamp to a PAGE_SIZE as the minimum
+lock region. While this is valid for Midgard, it is invalid for Bifrost,
+where the minimum locking size is 8x larger than the 4k page size. Add a
+hardware definition for the minimum lock region size (corresponding to
+KBASE_LOCK_REGION_MIN_SIZE_LOG2 in kbase) and respect it.
+
+Signed-off-by: Alyssa Rosenzweig <alyssa.rosenzweig@collabora.com>
+Tested-by: Chris Morgan <macromorgan@hotmail.com>
+Reviewed-by: Steven Price <steven.price@arm.com>
+Reviewed-by: Rob Herring <robh@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Steven Price <steven.price@arm.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210824173028.7528-4-alyssa.rosenzweig@collabora.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/panfrost/panfrost_mmu.c | 2 +-
+ drivers/gpu/drm/panfrost/panfrost_regs.h | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/panfrost/panfrost_mmu.c
++++ b/drivers/gpu/drm/panfrost/panfrost_mmu.c
+@@ -63,7 +63,7 @@ static void lock_region(struct panfrost_
+ /* The size is encoded as ceil(log2) minus(1), which may be calculated
+ * with fls. The size must be clamped to hardware bounds.
+ */
+- size = max_t(u64, size, PAGE_SIZE);
++ size = max_t(u64, size, AS_LOCK_REGION_MIN_SIZE);
+ region_width = fls64(size - 1) - 1;
+ region |= region_width;
+
+--- a/drivers/gpu/drm/panfrost/panfrost_regs.h
++++ b/drivers/gpu/drm/panfrost/panfrost_regs.h
+@@ -318,6 +318,8 @@
+ #define AS_FAULTSTATUS_ACCESS_TYPE_READ (0x2 << 8)
+ #define AS_FAULTSTATUS_ACCESS_TYPE_WRITE (0x3 << 8)
+
++#define AS_LOCK_REGION_MIN_SIZE (1ULL << 15)
++
+ #define gpu_write(dev, reg, data) writel(data, dev->iomem + reg)
+ #define gpu_read(dev, reg) readl(dev->iomem + reg)
+
--- /dev/null
+From 7fdc48cc63a30fa3480d18bdd8c5fff2b9b15212 Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <boris.brezillon@collabora.com>
+Date: Mon, 21 Jun 2021 15:38:56 +0200
+Subject: drm/panfrost: Make sure MMU context lifetime is not bound to panfrost_priv
+
+From: Boris Brezillon <boris.brezillon@collabora.com>
+
+commit 7fdc48cc63a30fa3480d18bdd8c5fff2b9b15212 upstream.
+
+Jobs can be in-flight when the file descriptor is closed (either because
+the process did not terminate properly, or because it didn't wait for
+all GPU jobs to be finished), and apparently panfrost_job_close() does
+not cancel already running jobs. Let's refcount the MMU context object
+so it's lifetime is no longer bound to the FD lifetime and running jobs
+can finish properly without generating spurious page faults.
+
+Reported-by: Icecream95 <ixn@keemail.me>
+Fixes: 7282f7645d06 ("drm/panfrost: Implement per FD address spaces")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com>
+Reviewed-by: Steven Price <steven.price@arm.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210621133907.1683899-2-boris.brezillon@collabora.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/panfrost/panfrost_device.h | 8 -
+ drivers/gpu/drm/panfrost/panfrost_drv.c | 50 +--------
+ drivers/gpu/drm/panfrost/panfrost_gem.c | 20 +--
+ drivers/gpu/drm/panfrost/panfrost_job.c | 4
+ drivers/gpu/drm/panfrost/panfrost_mmu.c | 160 +++++++++++++++++++----------
+ drivers/gpu/drm/panfrost/panfrost_mmu.h | 5
+ 6 files changed, 136 insertions(+), 111 deletions(-)
+
+--- a/drivers/gpu/drm/panfrost/panfrost_device.h
++++ b/drivers/gpu/drm/panfrost/panfrost_device.h
+@@ -120,8 +120,12 @@ struct panfrost_device {
+ };
+
+ struct panfrost_mmu {
++ struct panfrost_device *pfdev;
++ struct kref refcount;
+ struct io_pgtable_cfg pgtbl_cfg;
+ struct io_pgtable_ops *pgtbl_ops;
++ struct drm_mm mm;
++ spinlock_t mm_lock;
+ int as;
+ atomic_t as_count;
+ struct list_head list;
+@@ -132,9 +136,7 @@ struct panfrost_file_priv {
+
+ struct drm_sched_entity sched_entity[NUM_JOB_SLOTS];
+
+- struct panfrost_mmu mmu;
+- struct drm_mm mm;
+- spinlock_t mm_lock;
++ struct panfrost_mmu *mmu;
+ };
+
+ static inline struct panfrost_device *to_panfrost_device(struct drm_device *ddev)
+--- a/drivers/gpu/drm/panfrost/panfrost_drv.c
++++ b/drivers/gpu/drm/panfrost/panfrost_drv.c
+@@ -417,7 +417,7 @@ static int panfrost_ioctl_madvise(struct
+ * anyway, so let's not bother.
+ */
+ if (!list_is_singular(&bo->mappings.list) ||
+- WARN_ON_ONCE(first->mmu != &priv->mmu)) {
++ WARN_ON_ONCE(first->mmu != priv->mmu)) {
+ ret = -EINVAL;
+ goto out_unlock_mappings;
+ }
+@@ -449,32 +449,6 @@ int panfrost_unstable_ioctl_check(void)
+ return 0;
+ }
+
+-#define PFN_4G (SZ_4G >> PAGE_SHIFT)
+-#define PFN_4G_MASK (PFN_4G - 1)
+-#define PFN_16M (SZ_16M >> PAGE_SHIFT)
+-
+-static void panfrost_drm_mm_color_adjust(const struct drm_mm_node *node,
+- unsigned long color,
+- u64 *start, u64 *end)
+-{
+- /* Executable buffers can't start or end on a 4GB boundary */
+- if (!(color & PANFROST_BO_NOEXEC)) {
+- u64 next_seg;
+-
+- if ((*start & PFN_4G_MASK) == 0)
+- (*start)++;
+-
+- if ((*end & PFN_4G_MASK) == 0)
+- (*end)--;
+-
+- next_seg = ALIGN(*start, PFN_4G);
+- if (next_seg - *start <= PFN_16M)
+- *start = next_seg + 1;
+-
+- *end = min(*end, ALIGN(*start, PFN_4G) - 1);
+- }
+-}
+-
+ static int
+ panfrost_open(struct drm_device *dev, struct drm_file *file)
+ {
+@@ -489,15 +463,11 @@ panfrost_open(struct drm_device *dev, st
+ panfrost_priv->pfdev = pfdev;
+ file->driver_priv = panfrost_priv;
+
+- spin_lock_init(&panfrost_priv->mm_lock);
+-
+- /* 4G enough for now. can be 48-bit */
+- drm_mm_init(&panfrost_priv->mm, SZ_32M >> PAGE_SHIFT, (SZ_4G - SZ_32M) >> PAGE_SHIFT);
+- panfrost_priv->mm.color_adjust = panfrost_drm_mm_color_adjust;
+-
+- ret = panfrost_mmu_pgtable_alloc(panfrost_priv);
+- if (ret)
+- goto err_pgtable;
++ panfrost_priv->mmu = panfrost_mmu_ctx_create(pfdev);
++ if (IS_ERR(panfrost_priv->mmu)) {
++ ret = PTR_ERR(panfrost_priv->mmu);
++ goto err_free;
++ }
+
+ ret = panfrost_job_open(panfrost_priv);
+ if (ret)
+@@ -506,9 +476,8 @@ panfrost_open(struct drm_device *dev, st
+ return 0;
+
+ err_job:
+- panfrost_mmu_pgtable_free(panfrost_priv);
+-err_pgtable:
+- drm_mm_takedown(&panfrost_priv->mm);
++ panfrost_mmu_ctx_put(panfrost_priv->mmu);
++err_free:
+ kfree(panfrost_priv);
+ return ret;
+ }
+@@ -521,8 +490,7 @@ panfrost_postclose(struct drm_device *de
+ panfrost_perfcnt_close(file);
+ panfrost_job_close(panfrost_priv);
+
+- panfrost_mmu_pgtable_free(panfrost_priv);
+- drm_mm_takedown(&panfrost_priv->mm);
++ panfrost_mmu_ctx_put(panfrost_priv->mmu);
+ kfree(panfrost_priv);
+ }
+
+--- a/drivers/gpu/drm/panfrost/panfrost_gem.c
++++ b/drivers/gpu/drm/panfrost/panfrost_gem.c
+@@ -60,7 +60,7 @@ panfrost_gem_mapping_get(struct panfrost
+
+ mutex_lock(&bo->mappings.lock);
+ list_for_each_entry(iter, &bo->mappings.list, node) {
+- if (iter->mmu == &priv->mmu) {
++ if (iter->mmu == priv->mmu) {
+ kref_get(&iter->refcount);
+ mapping = iter;
+ break;
+@@ -74,16 +74,13 @@ panfrost_gem_mapping_get(struct panfrost
+ static void
+ panfrost_gem_teardown_mapping(struct panfrost_gem_mapping *mapping)
+ {
+- struct panfrost_file_priv *priv;
+-
+ if (mapping->active)
+ panfrost_mmu_unmap(mapping);
+
+- priv = container_of(mapping->mmu, struct panfrost_file_priv, mmu);
+- spin_lock(&priv->mm_lock);
++ spin_lock(&mapping->mmu->mm_lock);
+ if (drm_mm_node_allocated(&mapping->mmnode))
+ drm_mm_remove_node(&mapping->mmnode);
+- spin_unlock(&priv->mm_lock);
++ spin_unlock(&mapping->mmu->mm_lock);
+ }
+
+ static void panfrost_gem_mapping_release(struct kref *kref)
+@@ -94,6 +91,7 @@ static void panfrost_gem_mapping_release
+
+ panfrost_gem_teardown_mapping(mapping);
+ drm_gem_object_put(&mapping->obj->base.base);
++ panfrost_mmu_ctx_put(mapping->mmu);
+ kfree(mapping);
+ }
+
+@@ -143,11 +141,11 @@ int panfrost_gem_open(struct drm_gem_obj
+ else
+ align = size >= SZ_2M ? SZ_2M >> PAGE_SHIFT : 0;
+
+- mapping->mmu = &priv->mmu;
+- spin_lock(&priv->mm_lock);
+- ret = drm_mm_insert_node_generic(&priv->mm, &mapping->mmnode,
++ mapping->mmu = panfrost_mmu_ctx_get(priv->mmu);
++ spin_lock(&mapping->mmu->mm_lock);
++ ret = drm_mm_insert_node_generic(&mapping->mmu->mm, &mapping->mmnode,
+ size >> PAGE_SHIFT, align, color, 0);
+- spin_unlock(&priv->mm_lock);
++ spin_unlock(&mapping->mmu->mm_lock);
+ if (ret)
+ goto err;
+
+@@ -176,7 +174,7 @@ void panfrost_gem_close(struct drm_gem_o
+
+ mutex_lock(&bo->mappings.lock);
+ list_for_each_entry(iter, &bo->mappings.list, node) {
+- if (iter->mmu == &priv->mmu) {
++ if (iter->mmu == priv->mmu) {
+ mapping = iter;
+ list_del(&iter->node);
+ break;
+--- a/drivers/gpu/drm/panfrost/panfrost_job.c
++++ b/drivers/gpu/drm/panfrost/panfrost_job.c
+@@ -165,7 +165,7 @@ static void panfrost_job_hw_submit(struc
+ return;
+ }
+
+- cfg = panfrost_mmu_as_get(pfdev, &job->file_priv->mmu);
++ cfg = panfrost_mmu_as_get(pfdev, job->file_priv->mmu);
+
+ job_write(pfdev, JS_HEAD_NEXT_LO(js), jc_head & 0xFFFFFFFF);
+ job_write(pfdev, JS_HEAD_NEXT_HI(js), jc_head >> 32);
+@@ -524,7 +524,7 @@ static irqreturn_t panfrost_job_irq_hand
+ if (job) {
+ pfdev->jobs[j] = NULL;
+
+- panfrost_mmu_as_put(pfdev, &job->file_priv->mmu);
++ panfrost_mmu_as_put(pfdev, job->file_priv->mmu);
+ panfrost_devfreq_record_idle(&pfdev->pfdevfreq);
+
+ dma_fence_signal_locked(job->done_fence);
+--- a/drivers/gpu/drm/panfrost/panfrost_mmu.c
++++ b/drivers/gpu/drm/panfrost/panfrost_mmu.c
+@@ -1,5 +1,8 @@
+ // SPDX-License-Identifier: GPL-2.0
+ /* Copyright 2019 Linaro, Ltd, Rob Herring <robh@kernel.org> */
++
++#include <drm/panfrost_drm.h>
++
+ #include <linux/atomic.h>
+ #include <linux/bitfield.h>
+ #include <linux/delay.h>
+@@ -337,7 +340,7 @@ static void mmu_tlb_inv_context_s1(void
+
+ static void mmu_tlb_sync_context(void *cookie)
+ {
+- //struct panfrost_device *pfdev = cookie;
++ //struct panfrost_mmu *mmu = cookie;
+ // TODO: Wait 1000 GPU cycles for HW_ISSUE_6367/T60X
+ }
+
+@@ -359,57 +362,10 @@ static const struct iommu_flush_ops mmu_
+ .tlb_flush_leaf = mmu_tlb_flush_leaf,
+ };
+
+-int panfrost_mmu_pgtable_alloc(struct panfrost_file_priv *priv)
+-{
+- struct panfrost_mmu *mmu = &priv->mmu;
+- struct panfrost_device *pfdev = priv->pfdev;
+-
+- INIT_LIST_HEAD(&mmu->list);
+- mmu->as = -1;
+-
+- mmu->pgtbl_cfg = (struct io_pgtable_cfg) {
+- .pgsize_bitmap = SZ_4K | SZ_2M,
+- .ias = FIELD_GET(0xff, pfdev->features.mmu_features),
+- .oas = FIELD_GET(0xff00, pfdev->features.mmu_features),
+- .coherent_walk = pfdev->coherent,
+- .tlb = &mmu_tlb_ops,
+- .iommu_dev = pfdev->dev,
+- };
+-
+- mmu->pgtbl_ops = alloc_io_pgtable_ops(ARM_MALI_LPAE, &mmu->pgtbl_cfg,
+- priv);
+- if (!mmu->pgtbl_ops)
+- return -EINVAL;
+-
+- return 0;
+-}
+-
+-void panfrost_mmu_pgtable_free(struct panfrost_file_priv *priv)
+-{
+- struct panfrost_device *pfdev = priv->pfdev;
+- struct panfrost_mmu *mmu = &priv->mmu;
+-
+- spin_lock(&pfdev->as_lock);
+- if (mmu->as >= 0) {
+- pm_runtime_get_noresume(pfdev->dev);
+- if (pm_runtime_active(pfdev->dev))
+- panfrost_mmu_disable(pfdev, mmu->as);
+- pm_runtime_put_autosuspend(pfdev->dev);
+-
+- clear_bit(mmu->as, &pfdev->as_alloc_mask);
+- clear_bit(mmu->as, &pfdev->as_in_use_mask);
+- list_del(&mmu->list);
+- }
+- spin_unlock(&pfdev->as_lock);
+-
+- free_io_pgtable_ops(mmu->pgtbl_ops);
+-}
+-
+ static struct panfrost_gem_mapping *
+ addr_to_mapping(struct panfrost_device *pfdev, int as, u64 addr)
+ {
+ struct panfrost_gem_mapping *mapping = NULL;
+- struct panfrost_file_priv *priv;
+ struct drm_mm_node *node;
+ u64 offset = addr >> PAGE_SHIFT;
+ struct panfrost_mmu *mmu;
+@@ -422,11 +378,10 @@ addr_to_mapping(struct panfrost_device *
+ goto out;
+
+ found_mmu:
+- priv = container_of(mmu, struct panfrost_file_priv, mmu);
+
+- spin_lock(&priv->mm_lock);
++ spin_lock(&mmu->mm_lock);
+
+- drm_mm_for_each_node(node, &priv->mm) {
++ drm_mm_for_each_node(node, &mmu->mm) {
+ if (offset >= node->start &&
+ offset < (node->start + node->size)) {
+ mapping = drm_mm_node_to_panfrost_mapping(node);
+@@ -436,7 +391,7 @@ found_mmu:
+ }
+ }
+
+- spin_unlock(&priv->mm_lock);
++ spin_unlock(&mmu->mm_lock);
+ out:
+ spin_unlock(&pfdev->as_lock);
+ return mapping;
+@@ -549,6 +504,107 @@ err_bo:
+ return ret;
+ }
+
++static void panfrost_mmu_release_ctx(struct kref *kref)
++{
++ struct panfrost_mmu *mmu = container_of(kref, struct panfrost_mmu,
++ refcount);
++ struct panfrost_device *pfdev = mmu->pfdev;
++
++ spin_lock(&pfdev->as_lock);
++ if (mmu->as >= 0) {
++ pm_runtime_get_noresume(pfdev->dev);
++ if (pm_runtime_active(pfdev->dev))
++ panfrost_mmu_disable(pfdev, mmu->as);
++ pm_runtime_put_autosuspend(pfdev->dev);
++
++ clear_bit(mmu->as, &pfdev->as_alloc_mask);
++ clear_bit(mmu->as, &pfdev->as_in_use_mask);
++ list_del(&mmu->list);
++ }
++ spin_unlock(&pfdev->as_lock);
++
++ free_io_pgtable_ops(mmu->pgtbl_ops);
++ drm_mm_takedown(&mmu->mm);
++ kfree(mmu);
++}
++
++void panfrost_mmu_ctx_put(struct panfrost_mmu *mmu)
++{
++ kref_put(&mmu->refcount, panfrost_mmu_release_ctx);
++}
++
++struct panfrost_mmu *panfrost_mmu_ctx_get(struct panfrost_mmu *mmu)
++{
++ kref_get(&mmu->refcount);
++
++ return mmu;
++}
++
++#define PFN_4G (SZ_4G >> PAGE_SHIFT)
++#define PFN_4G_MASK (PFN_4G - 1)
++#define PFN_16M (SZ_16M >> PAGE_SHIFT)
++
++static void panfrost_drm_mm_color_adjust(const struct drm_mm_node *node,
++ unsigned long color,
++ u64 *start, u64 *end)
++{
++ /* Executable buffers can't start or end on a 4GB boundary */
++ if (!(color & PANFROST_BO_NOEXEC)) {
++ u64 next_seg;
++
++ if ((*start & PFN_4G_MASK) == 0)
++ (*start)++;
++
++ if ((*end & PFN_4G_MASK) == 0)
++ (*end)--;
++
++ next_seg = ALIGN(*start, PFN_4G);
++ if (next_seg - *start <= PFN_16M)
++ *start = next_seg + 1;
++
++ *end = min(*end, ALIGN(*start, PFN_4G) - 1);
++ }
++}
++
++struct panfrost_mmu *panfrost_mmu_ctx_create(struct panfrost_device *pfdev)
++{
++ struct panfrost_mmu *mmu;
++
++ mmu = kzalloc(sizeof(*mmu), GFP_KERNEL);
++ if (!mmu)
++ return ERR_PTR(-ENOMEM);
++
++ mmu->pfdev = pfdev;
++ spin_lock_init(&mmu->mm_lock);
++
++ /* 4G enough for now. can be 48-bit */
++ drm_mm_init(&mmu->mm, SZ_32M >> PAGE_SHIFT, (SZ_4G - SZ_32M) >> PAGE_SHIFT);
++ mmu->mm.color_adjust = panfrost_drm_mm_color_adjust;
++
++ INIT_LIST_HEAD(&mmu->list);
++ mmu->as = -1;
++
++ mmu->pgtbl_cfg = (struct io_pgtable_cfg) {
++ .pgsize_bitmap = SZ_4K | SZ_2M,
++ .ias = FIELD_GET(0xff, pfdev->features.mmu_features),
++ .oas = FIELD_GET(0xff00, pfdev->features.mmu_features),
++ .coherent_walk = pfdev->coherent,
++ .tlb = &mmu_tlb_ops,
++ .iommu_dev = pfdev->dev,
++ };
++
++ mmu->pgtbl_ops = alloc_io_pgtable_ops(ARM_MALI_LPAE, &mmu->pgtbl_cfg,
++ mmu);
++ if (!mmu->pgtbl_ops) {
++ kfree(mmu);
++ return ERR_PTR(-EINVAL);
++ }
++
++ kref_init(&mmu->refcount);
++
++ return mmu;
++}
++
+ static const char *access_type_name(struct panfrost_device *pfdev,
+ u32 fault_status)
+ {
+--- a/drivers/gpu/drm/panfrost/panfrost_mmu.h
++++ b/drivers/gpu/drm/panfrost/panfrost_mmu.h
+@@ -18,7 +18,8 @@ void panfrost_mmu_reset(struct panfrost_
+ u32 panfrost_mmu_as_get(struct panfrost_device *pfdev, struct panfrost_mmu *mmu);
+ void panfrost_mmu_as_put(struct panfrost_device *pfdev, struct panfrost_mmu *mmu);
+
+-int panfrost_mmu_pgtable_alloc(struct panfrost_file_priv *priv);
+-void panfrost_mmu_pgtable_free(struct panfrost_file_priv *priv);
++struct panfrost_mmu *panfrost_mmu_ctx_get(struct panfrost_mmu *mmu);
++void panfrost_mmu_ctx_put(struct panfrost_mmu *mmu);
++struct panfrost_mmu *panfrost_mmu_ctx_create(struct panfrost_device *pfdev);
+
+ #endif
--- /dev/null
+From b5fab345654c603c07525100d744498f28786929 Mon Sep 17 00:00:00 2001
+From: Alyssa Rosenzweig <alyssa.rosenzweig@collabora.com>
+Date: Tue, 24 Aug 2021 13:30:25 -0400
+Subject: drm/panfrost: Simplify lock_region calculation
+
+From: Alyssa Rosenzweig <alyssa.rosenzweig@collabora.com>
+
+commit b5fab345654c603c07525100d744498f28786929 upstream.
+
+In lock_region, simplify the calculation of the region_width parameter.
+This field is the size, but encoded as ceil(log2(size)) - 1.
+ceil(log2(size)) may be computed directly as fls(size - 1). However, we
+want to use the 64-bit versions as the amount to lock can exceed
+32-bits.
+
+This avoids undefined (and completely wrong) behaviour when locking all
+memory (size ~0). In this case, the old code would "round up" ~0 to the
+nearest page, overflowing to 0. Since fls(0) == 0, this would calculate
+a region width of 10 + 0 = 10. But then the code would shift by
+(region_width - 11) = -1. As shifting by a negative number is undefined,
+UBSAN flags the bug. Of course, even if it were defined the behaviour is
+wrong, instead of locking all memory almost none would get locked.
+
+The new form of the calculation corrects this special case and avoids
+the undefined behaviour.
+
+Signed-off-by: Alyssa Rosenzweig <alyssa.rosenzweig@collabora.com>
+Reported-and-tested-by: Chris Morgan <macromorgan@hotmail.com>
+Fixes: f3ba91228e8e ("drm/panfrost: Add initial panfrost driver")
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Steven Price <steven.price@arm.com>
+Reviewed-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Steven Price <steven.price@arm.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210824173028.7528-2-alyssa.rosenzweig@collabora.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/panfrost/panfrost_mmu.c | 19 +++++--------------
+ 1 file changed, 5 insertions(+), 14 deletions(-)
+
+--- a/drivers/gpu/drm/panfrost/panfrost_mmu.c
++++ b/drivers/gpu/drm/panfrost/panfrost_mmu.c
+@@ -59,21 +59,12 @@ static void lock_region(struct panfrost_
+ {
+ u8 region_width;
+ u64 region = iova & PAGE_MASK;
+- /*
+- * fls returns:
+- * 1 .. 32
+- *
+- * 10 + fls(num_pages)
+- * results in the range (11 .. 42)
+- */
+-
+- size = round_up(size, PAGE_SIZE);
+
+- region_width = 10 + fls(size >> PAGE_SHIFT);
+- if ((size >> PAGE_SHIFT) != (1ul << (region_width - 11))) {
+- /* not pow2, so must go up to the next pow2 */
+- region_width += 1;
+- }
++ /* The size is encoded as ceil(log2) minus(1), which may be calculated
++ * with fls. The size must be clamped to hardware bounds.
++ */
++ size = max_t(u64, size, PAGE_SIZE);
++ region_width = fls64(size - 1) - 1;
+ region |= region_width;
+
+ /* Lock the region that needs to be updated */
--- /dev/null
+From a77b58825d7221d4a45c47881c35a47ba003aa73 Mon Sep 17 00:00:00 2001
+From: Alyssa Rosenzweig <alyssa.rosenzweig@collabora.com>
+Date: Tue, 24 Aug 2021 13:30:26 -0400
+Subject: drm/panfrost: Use u64 for size in lock_region
+
+From: Alyssa Rosenzweig <alyssa.rosenzweig@collabora.com>
+
+commit a77b58825d7221d4a45c47881c35a47ba003aa73 upstream.
+
+Mali virtual addresses are 48-bit. Use a u64 instead of size_t to ensure
+we can express the "lock everything" condition as ~0ULL without
+overflow. This code was silently broken on any platform where a size_t
+is less than 48-bits; in particular, it was broken on 32-bit armv7
+platforms which remain in use with panfrost. (Mainly RK3288)
+
+Signed-off-by: Alyssa Rosenzweig <alyssa.rosenzweig@collabora.com>
+Suggested-by: Rob Herring <robh@kernel.org>
+Tested-by: Chris Morgan <macromorgan@hotmail.com>
+Reviewed-by: Steven Price <steven.price@arm.com>
+Reviewed-by: Rob Herring <robh@kernel.org>
+Fixes: f3ba91228e8e ("drm/panfrost: Add initial panfrost driver")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Steven Price <steven.price@arm.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210824173028.7528-3-alyssa.rosenzweig@collabora.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/panfrost/panfrost_mmu.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/panfrost/panfrost_mmu.c
++++ b/drivers/gpu/drm/panfrost/panfrost_mmu.c
+@@ -55,7 +55,7 @@ static int write_cmd(struct panfrost_dev
+ }
+
+ static void lock_region(struct panfrost_device *pfdev, u32 as_nr,
+- u64 iova, size_t size)
++ u64 iova, u64 size)
+ {
+ u8 region_width;
+ u64 region = iova & PAGE_MASK;
+@@ -75,7 +75,7 @@ static void lock_region(struct panfrost_
+
+
+ static int mmu_hw_do_operation_locked(struct panfrost_device *pfdev, int as_nr,
+- u64 iova, size_t size, u32 op)
++ u64 iova, u64 size, u32 op)
+ {
+ if (as_nr < 0)
+ return 0;
+@@ -92,7 +92,7 @@ static int mmu_hw_do_operation_locked(st
+
+ static int mmu_hw_do_operation(struct panfrost_device *pfdev,
+ struct panfrost_mmu *mmu,
+- u64 iova, size_t size, u32 op)
++ u64 iova, u64 size, u32 op)
+ {
+ int ret;
+
+@@ -109,7 +109,7 @@ static void panfrost_mmu_enable(struct p
+ u64 transtab = cfg->arm_mali_lpae_cfg.transtab;
+ u64 memattr = cfg->arm_mali_lpae_cfg.memattr;
+
+- mmu_hw_do_operation_locked(pfdev, as_nr, 0, ~0UL, AS_COMMAND_FLUSH_MEM);
++ mmu_hw_do_operation_locked(pfdev, as_nr, 0, ~0ULL, AS_COMMAND_FLUSH_MEM);
+
+ mmu_write(pfdev, AS_TRANSTAB_LO(as_nr), transtab & 0xffffffffUL);
+ mmu_write(pfdev, AS_TRANSTAB_HI(as_nr), transtab >> 32);
+@@ -125,7 +125,7 @@ static void panfrost_mmu_enable(struct p
+
+ static void panfrost_mmu_disable(struct panfrost_device *pfdev, u32 as_nr)
+ {
+- mmu_hw_do_operation_locked(pfdev, as_nr, 0, ~0UL, AS_COMMAND_FLUSH_MEM);
++ mmu_hw_do_operation_locked(pfdev, as_nr, 0, ~0ULL, AS_COMMAND_FLUSH_MEM);
+
+ mmu_write(pfdev, AS_TRANSTAB_LO(as_nr), 0);
+ mmu_write(pfdev, AS_TRANSTAB_HI(as_nr), 0);
+@@ -225,7 +225,7 @@ static size_t get_pgsize(u64 addr, size_
+
+ static void panfrost_mmu_flush_range(struct panfrost_device *pfdev,
+ struct panfrost_mmu *mmu,
+- u64 iova, size_t size)
++ u64 iova, u64 size)
+ {
+ if (mmu->as < 0)
+ return;
--- /dev/null
+From 09a26e832705fdb7a9484495b71a05e0bbc65207 Mon Sep 17 00:00:00 2001
+From: Mike Kravetz <mike.kravetz@oracle.com>
+Date: Thu, 2 Sep 2021 14:58:53 -0700
+Subject: hugetlb: fix hugetlb cgroup refcounting during vma split
+
+From: Mike Kravetz <mike.kravetz@oracle.com>
+
+commit 09a26e832705fdb7a9484495b71a05e0bbc65207 upstream.
+
+Guillaume Morin reported hitting the following WARNING followed by GPF or
+NULL pointer deference either in cgroups_destroy or in the kill_css path.:
+
+ percpu ref (css_release) <= 0 (-1) after switching to atomic
+ WARNING: CPU: 23 PID: 130 at lib/percpu-refcount.c:196 percpu_ref_switch_to_atomic_rcu+0x127/0x130
+ CPU: 23 PID: 130 Comm: ksoftirqd/23 Kdump: loaded Tainted: G O 5.10.60 #1
+ RIP: 0010:percpu_ref_switch_to_atomic_rcu+0x127/0x130
+ Call Trace:
+ rcu_core+0x30f/0x530
+ rcu_core_si+0xe/0x10
+ __do_softirq+0x103/0x2a2
+ run_ksoftirqd+0x2b/0x40
+ smpboot_thread_fn+0x11a/0x170
+ kthread+0x10a/0x140
+ ret_from_fork+0x22/0x30
+
+Upon further examination, it was discovered that the css structure was
+associated with hugetlb reservations.
+
+For private hugetlb mappings the vma points to a reserve map that
+contains a pointer to the css. At mmap time, reservations are set up
+and a reference to the css is taken. This reference is dropped in the
+vma close operation; hugetlb_vm_op_close. However, if a vma is split no
+additional reference to the css is taken yet hugetlb_vm_op_close will be
+called twice for the split vma resulting in an underflow.
+
+Fix by taking another reference in hugetlb_vm_op_open. Note that the
+reference is only taken for the owner of the reserve map. In the more
+common fork case, the pointer to the reserve map is cleared for
+non-owning vmas.
+
+Link: https://lkml.kernel.org/r/20210830215015.155224-1-mike.kravetz@oracle.com
+Fixes: e9fe92ae0cd2 ("hugetlb_cgroup: add reservation accounting for private mappings")
+Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
+Reported-by: Guillaume Morin <guillaume@morinfr.org>
+Suggested-by: Guillaume Morin <guillaume@morinfr.org>
+Tested-by: Guillaume Morin <guillaume@morinfr.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/hugetlb_cgroup.h | 12 ++++++++++++
+ mm/hugetlb.c | 4 +++-
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+--- a/include/linux/hugetlb_cgroup.h
++++ b/include/linux/hugetlb_cgroup.h
+@@ -118,6 +118,13 @@ static inline void hugetlb_cgroup_put_rs
+ css_put(&h_cg->css);
+ }
+
++static inline void resv_map_dup_hugetlb_cgroup_uncharge_info(
++ struct resv_map *resv_map)
++{
++ if (resv_map->css)
++ css_get(resv_map->css);
++}
++
+ extern int hugetlb_cgroup_charge_cgroup(int idx, unsigned long nr_pages,
+ struct hugetlb_cgroup **ptr);
+ extern int hugetlb_cgroup_charge_cgroup_rsvd(int idx, unsigned long nr_pages,
+@@ -196,6 +203,11 @@ static inline void hugetlb_cgroup_put_rs
+ {
+ }
+
++static inline void resv_map_dup_hugetlb_cgroup_uncharge_info(
++ struct resv_map *resv_map)
++{
++}
++
+ static inline int hugetlb_cgroup_charge_cgroup(int idx, unsigned long nr_pages,
+ struct hugetlb_cgroup **ptr)
+ {
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -3659,8 +3659,10 @@ static void hugetlb_vm_op_open(struct vm
+ * after this open call completes. It is therefore safe to take a
+ * new reference here without additional locking.
+ */
+- if (resv && is_vma_resv_set(vma, HPAGE_RESV_OWNER))
++ if (resv && is_vma_resv_set(vma, HPAGE_RESV_OWNER)) {
++ resv_map_dup_hugetlb_cgroup_uncharge_info(resv);
+ kref_get(&resv->refs);
++ }
+ }
+
+ static void hugetlb_vm_op_close(struct vm_area_struct *vma)
--- /dev/null
+From f9398f15605a50110bf570aaa361163a85113dd1 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Fri, 23 Jul 2021 15:19:31 -0700
+Subject: lib/test_stackinit: Fix static initializer test
+
+From: Kees Cook <keescook@chromium.org>
+
+commit f9398f15605a50110bf570aaa361163a85113dd1 upstream.
+
+The static initializer test got accidentally converted to a dynamic
+initializer. Fix this and retain the giant padding hole without using
+an aligned struct member.
+
+Fixes: 50ceaa95ea09 ("lib: Introduce test_stackinit module")
+Cc: Ard Biesheuvel <ardb@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20210723221933.3431999-2-keescook@chromium.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/test_stackinit.c | 20 +++++++-------------
+ 1 file changed, 7 insertions(+), 13 deletions(-)
+
+--- a/lib/test_stackinit.c
++++ b/lib/test_stackinit.c
+@@ -67,10 +67,10 @@ static bool range_contains(char *haystac
+ #define INIT_STRUCT_none /**/
+ #define INIT_STRUCT_zero = { }
+ #define INIT_STRUCT_static_partial = { .two = 0, }
+-#define INIT_STRUCT_static_all = { .one = arg->one, \
+- .two = arg->two, \
+- .three = arg->three, \
+- .four = arg->four, \
++#define INIT_STRUCT_static_all = { .one = 0, \
++ .two = 0, \
++ .three = 0, \
++ .four = 0, \
+ }
+ #define INIT_STRUCT_dynamic_partial = { .two = arg->two, }
+ #define INIT_STRUCT_dynamic_all = { .one = arg->one, \
+@@ -84,8 +84,7 @@ static bool range_contains(char *haystac
+ var.one = 0; \
+ var.two = 0; \
+ var.three = 0; \
+- memset(&var.four, 0, \
+- sizeof(var.four))
++ var.four = 0
+
+ /*
+ * @name: unique string name for the test
+@@ -210,18 +209,13 @@ struct test_small_hole {
+ unsigned long four;
+ };
+
+-/* Try to trigger unhandled padding in a structure. */
+-struct test_aligned {
+- u32 internal1;
+- u64 internal2;
+-} __aligned(64);
+-
++/* Trigger unhandled padding in a structure. */
+ struct test_big_hole {
+ u8 one;
+ u8 two;
+ u8 three;
+ /* 61 byte padding hole here. */
+- struct test_aligned four;
++ u8 four __aligned(64);
+ } __aligned(64);
+
+ struct test_trailing_hole {
--- /dev/null
+From 32b2397c1e56f33b0b1881def965bb89bd12f448 Mon Sep 17 00:00:00 2001
+From: sumiyawang <sumiyawang@tencent.com>
+Date: Sun, 22 Aug 2021 19:49:09 +0800
+Subject: libnvdimm/pmem: Fix crash triggered when I/O in-flight during unbind
+
+From: sumiyawang <sumiyawang@tencent.com>
+
+commit 32b2397c1e56f33b0b1881def965bb89bd12f448 upstream.
+
+There is a use after free crash when the pmem driver tears down its
+mapping while I/O is still inbound.
+
+This is triggered by driver unbind, "ndctl destroy-namespace", while I/O
+is in flight.
+
+Fix the sequence of blk_cleanup_queue() vs memunmap().
+
+The crash signature is of the form:
+
+ BUG: unable to handle page fault for address: ffffc90080200000
+ CPU: 36 PID: 9606 Comm: systemd-udevd
+ Call Trace:
+ ? pmem_do_bvec+0xf9/0x3a0
+ ? xas_alloc+0x55/0xd0
+ pmem_rw_page+0x4b/0x80
+ bdev_read_page+0x86/0xb0
+ do_mpage_readpage+0x5d4/0x7a0
+ ? lru_cache_add+0xe/0x10
+ mpage_readpages+0xf9/0x1c0
+ ? bd_link_disk_holder+0x1a0/0x1a0
+ blkdev_readpages+0x1d/0x20
+ read_pages+0x67/0x1a0
+
+ ndctl Call Trace in vmcore:
+ PID: 23473 TASK: ffff88c4fbbe8000 CPU: 1 COMMAND: "ndctl"
+ __schedule
+ schedule
+ blk_mq_freeze_queue_wait
+ blk_freeze_queue
+ blk_cleanup_queue
+ pmem_release_queue
+ devm_action_release
+ release_nodes
+ devres_release_all
+ device_release_driver_internal
+ device_driver_detach
+ unbind_store
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: sumiyawang <sumiyawang@tencent.com>
+Reviewed-by: yongduan <yongduan@tencent.com>
+Link: https://lore.kernel.org/r/1629632949-14749-1-git-send-email-sumiyawang@tencent.com
+Fixes: 50f44ee7248a ("mm/devm_memremap_pages: fix final page put race")
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvdimm/pmem.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/nvdimm/pmem.c
++++ b/drivers/nvdimm/pmem.c
+@@ -448,11 +448,11 @@ static int pmem_attach_disk(struct devic
+ pmem->pfn_flags |= PFN_MAP;
+ bb_range = pmem->pgmap.range;
+ } else {
++ addr = devm_memremap(dev, pmem->phys_addr,
++ pmem->size, ARCH_MEMREMAP_PMEM);
+ if (devm_add_action_or_reset(dev, pmem_release_queue,
+ &pmem->pgmap))
+ return -ENOMEM;
+- addr = devm_memremap(dev, pmem->phys_addr,
+- pmem->size, ARCH_MEMREMAP_PMEM);
+ bb_range.start = res->start;
+ bb_range.end = res->end;
+ }
--- /dev/null
+From fab827dbee8c2e06ca4ba000fa6c48bcf9054aba Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Thu, 2 Sep 2021 14:54:57 -0700
+Subject: memcg: enable accounting for pids in nested pid namespaces
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit fab827dbee8c2e06ca4ba000fa6c48bcf9054aba upstream.
+
+Commit 5d097056c9a0 ("kmemcg: account certain kmem allocations to memcg")
+enabled memcg accounting for pids allocated from init_pid_ns.pid_cachep,
+but forgot to adjust the setting for nested pid namespaces. As a result,
+pid memory is not accounted exactly where it is really needed, inside
+memcg-limited containers with their own pid namespaces.
+
+Pid was one the first kernel objects enabled for memcg accounting.
+init_pid_ns.pid_cachep marked by SLAB_ACCOUNT and we can expect that any
+new pids in the system are memcg-accounted.
+
+Though recently I've noticed that it is wrong. nested pid namespaces
+creates own slab caches for pid objects, nested pids have increased size
+because contain id both for all parent and for own pid namespaces. The
+problem is that these slab caches are _NOT_ marked by SLAB_ACCOUNT, as a
+result any pids allocated in nested pid namespaces are not
+memcg-accounted.
+
+Pid struct in nested pid namespace consumes up to 500 bytes memory, 100000
+such objects gives us up to ~50Mb unaccounted memory, this allow container
+to exceed assigned memcg limits.
+
+Link: https://lkml.kernel.org/r/8b6de616-fd1a-02c6-cbdb-976ecdcfa604@virtuozzo.com
+Fixes: 5d097056c9a0 ("kmemcg: account certain kmem allocations to memcg")
+Cc: stable@vger.kernel.org
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Reviewed-by: Michal Koutný <mkoutny@suse.com>
+Reviewed-by: Shakeel Butt <shakeelb@google.com>
+Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
+Acked-by: Roman Gushchin <guro@fb.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/pid_namespace.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/pid_namespace.c
++++ b/kernel/pid_namespace.c
+@@ -51,7 +51,8 @@ static struct kmem_cache *create_pid_cac
+ mutex_lock(&pid_caches_mutex);
+ /* Name collision forces to do allocation under mutex. */
+ if (!*pkc)
+- *pkc = kmem_cache_create(name, len, 0, SLAB_HWCACHE_ALIGN, 0);
++ *pkc = kmem_cache_create(name, len, 0,
++ SLAB_HWCACHE_ALIGN | SLAB_ACCOUNT, 0);
+ mutex_unlock(&pid_caches_mutex);
+ /* current can fail, but someone else can succeed. */
+ return READ_ONCE(*pkc);
--- /dev/null
+From 4b42fb213678d2b6a9eeea92a9be200f23e49583 Mon Sep 17 00:00:00 2001
+From: Li Zhijian <lizhijian@cn.fujitsu.com>
+Date: Wed, 8 Sep 2021 18:10:02 -0700
+Subject: mm/hmm: bypass devmap pte when all pfn requested flags are fulfilled
+
+From: Li Zhijian <lizhijian@cn.fujitsu.com>
+
+commit 4b42fb213678d2b6a9eeea92a9be200f23e49583 upstream.
+
+Previously, we noticed the one rpma example was failed[1] since commit
+36f30e486dce ("IB/core: Improve ODP to use hmm_range_fault()"), where it
+will use ODP feature to do RDMA WRITE between fsdax files.
+
+After digging into the code, we found hmm_vma_handle_pte() will still
+return EFAULT even though all the its requesting flags has been
+fulfilled. That's because a DAX page will be marked as (_PAGE_SPECIAL |
+PAGE_DEVMAP) by pte_mkdevmap().
+
+Link: https://github.com/pmem/rpma/issues/1142 [1]
+Link: https://lkml.kernel.org/r/20210830094232.203029-1-lizhijian@cn.fujitsu.com
+Fixes: 405506274922 ("mm/hmm: add missing call to hmm_pte_need_fault in HMM_PFN_SPECIAL handling")
+Signed-off-by: Li Zhijian <lizhijian@cn.fujitsu.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/hmm.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/mm/hmm.c
++++ b/mm/hmm.c
+@@ -291,10 +291,13 @@ static int hmm_vma_handle_pte(struct mm_
+ goto fault;
+
+ /*
++ * Bypass devmap pte such as DAX page when all pfn requested
++ * flags(pfn_req_flags) are fulfilled.
+ * Since each architecture defines a struct page for the zero page, just
+ * fall through and treat it like a normal page.
+ */
+- if (pte_special(pte) && !is_zero_pfn(pte_pfn(pte))) {
++ if (pte_special(pte) && !pte_devmap(pte) &&
++ !is_zero_pfn(pte_pfn(pte))) {
+ if (hmm_pte_need_fault(hmm_vma_walk, pfn_req_flags, 0)) {
+ pte_unmap(ptep);
+ return -EFAULT;
--- /dev/null
+From 13db8c50477d83ad3e3b9b0ae247e5cd833a7ae4 Mon Sep 17 00:00:00 2001
+From: Liu Zixian <liuzixian4@huawei.com>
+Date: Wed, 8 Sep 2021 18:10:05 -0700
+Subject: mm/hugetlb: initialize hugetlb_usage in mm_init
+
+From: Liu Zixian <liuzixian4@huawei.com>
+
+commit 13db8c50477d83ad3e3b9b0ae247e5cd833a7ae4 upstream.
+
+After fork, the child process will get incorrect (2x) hugetlb_usage. If
+a process uses 5 2MB hugetlb pages in an anonymous mapping,
+
+ HugetlbPages: 10240 kB
+
+and then forks, the child will show,
+
+ HugetlbPages: 20480 kB
+
+The reason for double the amount is because hugetlb_usage will be copied
+from the parent and then increased when we copy page tables from parent
+to child. Child will have 2x actual usage.
+
+Fix this by adding hugetlb_count_init in mm_init.
+
+Link: https://lkml.kernel.org/r/20210826071742.877-1-liuzixian4@huawei.com
+Fixes: 5d317b2b6536 ("mm: hugetlb: proc: add HugetlbPages field to /proc/PID/status")
+Signed-off-by: Liu Zixian <liuzixian4@huawei.com>
+Reviewed-by: Naoya Horiguchi <naoya.horiguchi@nec.com>
+Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/hugetlb.h | 9 +++++++++
+ kernel/fork.c | 1 +
+ 2 files changed, 10 insertions(+)
+
+--- a/include/linux/hugetlb.h
++++ b/include/linux/hugetlb.h
+@@ -722,6 +722,11 @@ static inline spinlock_t *huge_pte_lockp
+
+ void hugetlb_report_usage(struct seq_file *m, struct mm_struct *mm);
+
++static inline void hugetlb_count_init(struct mm_struct *mm)
++{
++ atomic_long_set(&mm->hugetlb_usage, 0);
++}
++
+ static inline void hugetlb_count_add(long l, struct mm_struct *mm)
+ {
+ atomic_long_add(l, &mm->hugetlb_usage);
+@@ -897,6 +902,10 @@ static inline spinlock_t *huge_pte_lockp
+ return &mm->page_table_lock;
+ }
+
++static inline void hugetlb_count_init(struct mm_struct *mm)
++{
++}
++
+ static inline void hugetlb_report_usage(struct seq_file *f, struct mm_struct *m)
+ {
+ }
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -1037,6 +1037,7 @@ static struct mm_struct *mm_init(struct
+ mm->pmd_huge_pte = NULL;
+ #endif
+ mm_init_uprobes_state(mm);
++ hugetlb_count_init(mm);
+
+ if (current->mm) {
+ mm->flags = current->mm->flags & MMF_INIT_MASK;
--- /dev/null
+From 32d4f4b782bb8f0ceb78c6b5dc46eb577ae25bf7 Mon Sep 17 00:00:00 2001
+From: Rik van Riel <riel@surriel.com>
+Date: Wed, 8 Sep 2021 18:10:08 -0700
+Subject: mm,vmscan: fix divide by zero in get_scan_count
+
+From: Rik van Riel <riel@surriel.com>
+
+commit 32d4f4b782bb8f0ceb78c6b5dc46eb577ae25bf7 upstream.
+
+Commit f56ce412a59d ("mm: memcontrol: fix occasional OOMs due to
+proportional memory.low reclaim") introduced a divide by zero corner
+case when oomd is being used in combination with cgroup memory.low
+protection.
+
+When oomd decides to kill a cgroup, it will force the cgroup memory to
+be reclaimed after killing the tasks, by writing to the memory.max file
+for that cgroup, forcing the remaining page cache and reclaimable slab
+to be reclaimed down to zero.
+
+Previously, on cgroups with some memory.low protection that would result
+in the memory being reclaimed down to the memory.low limit, or likely
+not at all, having the page cache reclaimed asynchronously later.
+
+With f56ce412a59d the oomd write to memory.max tries to reclaim all the
+way down to zero, which may race with another reclaimer, to the point of
+ending up with the divide by zero below.
+
+This patch implements the obvious fix.
+
+Link: https://lkml.kernel.org/r/20210826220149.058089c6@imladris.surriel.com
+Fixes: f56ce412a59d ("mm: memcontrol: fix occasional OOMs due to proportional memory.low reclaim")
+Signed-off-by: Rik van Riel <riel@surriel.com>
+Acked-by: Roman Gushchin <guro@fb.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+Acked-by: Chris Down <chris@chrisdown.name>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/vmscan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/vmscan.c
++++ b/mm/vmscan.c
+@@ -2378,7 +2378,7 @@ out:
+ cgroup_size = max(cgroup_size, protection);
+
+ scan = lruvec_size - lruvec_size * protection /
+- cgroup_size;
++ (cgroup_size + 1);
+
+ /*
+ * Minimally target SWAP_CLUSTER_MAX pages to keep
--- /dev/null
+From 552799f8b3b0074d2617f53a63a088f9514a66e3 Mon Sep 17 00:00:00 2001
+From: Jan Hoffmann <jan@3e8.eu>
+Date: Wed, 1 Sep 2021 20:49:33 +0200
+Subject: net: dsa: lantiq_gswip: fix maximum frame length
+
+From: Jan Hoffmann <jan@3e8.eu>
+
+commit 552799f8b3b0074d2617f53a63a088f9514a66e3 upstream.
+
+Currently, outgoing packets larger than 1496 bytes are dropped when
+tagged VLAN is used on a switch port.
+
+Add the frame check sequence length to the value of the register
+GSWIP_MAC_FLEN to fix this. This matches the lantiq_ppa vendor driver,
+which uses a value consisting of 1518 bytes for the MAC frame, plus the
+lengths of special tag and VLAN tags.
+
+Fixes: 14fceff4771e ("net: dsa: Add Lantiq / Intel DSA driver for vrx200")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jan Hoffmann <jan@3e8.eu>
+Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/lantiq_gswip.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/dsa/lantiq_gswip.c
++++ b/drivers/net/dsa/lantiq_gswip.c
+@@ -853,7 +853,8 @@ static int gswip_setup(struct dsa_switch
+
+ gswip_switch_mask(priv, 0, GSWIP_MAC_CTRL_2_MLEN,
+ GSWIP_MAC_CTRL_2p(cpu_port));
+- gswip_switch_w(priv, VLAN_ETH_FRAME_LEN + 8, GSWIP_MAC_FLEN);
++ gswip_switch_w(priv, VLAN_ETH_FRAME_LEN + 8 + ETH_FCS_LEN,
++ GSWIP_MAC_FLEN);
+ gswip_switch_mask(priv, 0, GSWIP_BM_QUEUE_GCTRL_GL_MOD,
+ GSWIP_BM_QUEUE_GCTRL);
+
--- /dev/null
+From 52d5a0c6bd8a89f460243ed937856354f8f253a3 Mon Sep 17 00:00:00 2001
+From: chenying <chenying.kernel@bytedance.com>
+Date: Mon, 16 Aug 2021 18:02:56 +0800
+Subject: ovl: fix BUG_ON() in may_delete() when called from ovl_cleanup()
+
+From: chenying <chenying.kernel@bytedance.com>
+
+commit 52d5a0c6bd8a89f460243ed937856354f8f253a3 upstream.
+
+If function ovl_instantiate() returns an error, ovl_cleanup will be called
+and try to remove newdentry from wdir, but the newdentry has been moved to
+udir at this time. This will causes BUG_ON(victim->d_parent->d_inode !=
+dir) in fs/namei.c:may_delete.
+
+Signed-off-by: chenying <chenying.kernel@bytedance.com>
+Fixes: 01b39dcc9568 ("ovl: use inode_insert5() to hash a newly created inode")
+Link: https://lore.kernel.org/linux-unionfs/e6496a94-a161-dc04-c38a-d2544633acb4@bytedance.com/
+Cc: <stable@vger.kernel.org> # v4.18
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/overlayfs/dir.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/overlayfs/dir.c
++++ b/fs/overlayfs/dir.c
+@@ -542,8 +542,10 @@ static int ovl_create_over_whiteout(stru
+ goto out_cleanup;
+ }
+ err = ovl_instantiate(dentry, inode, newdentry, hardlink);
+- if (err)
+- goto out_cleanup;
++ if (err) {
++ ovl_cleanup(udir, newdentry);
++ dput(newdentry);
++ }
+ out_dput:
+ dput(upper);
+ out_unlock:
--- /dev/null
+From 030f653078316a9cc9ca6bd1b0234dcf858be35d Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Mon, 30 Aug 2021 05:42:27 -0400
+Subject: parisc: fix crash with signals and alloca
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 030f653078316a9cc9ca6bd1b0234dcf858be35d upstream.
+
+I was debugging some crashes on parisc and I found out that there is a
+crash possibility if a function using alloca is interrupted by a signal.
+The reason for the crash is that the gcc alloca implementation leaves
+garbage in the upper 32 bits of the sp register. This normally doesn't
+matter (the upper bits are ignored because the PSW W-bit is clear),
+however the signal delivery routine in the kernel uses full 64 bits of sp
+and it fails with -EFAULT if the upper 32 bits are not zero.
+
+I created this program that demonstrates the problem:
+
+#include <stdlib.h>
+#include <unistd.h>
+#include <signal.h>
+#include <alloca.h>
+
+static __attribute__((noinline,noclone)) void aa(int *size)
+{
+ void * volatile p = alloca(-*size);
+ while (1) ;
+}
+
+static void handler(int sig)
+{
+ write(1, "signal delivered\n", 17);
+ _exit(0);
+}
+
+int main(void)
+{
+ int size = -0x100;
+ signal(SIGALRM, handler);
+ alarm(1);
+ aa(&size);
+}
+
+If you compile it with optimizations, it will crash.
+The "aa" function has this disassembly:
+
+000106a0 <aa>:
+ 106a0: 08 03 02 41 copy r3,r1
+ 106a4: 08 1e 02 43 copy sp,r3
+ 106a8: 6f c1 00 80 stw,ma r1,40(sp)
+ 106ac: 37 dc 3f c1 ldo -20(sp),ret0
+ 106b0: 0c 7c 12 90 stw ret0,8(r3)
+ 106b4: 0f 40 10 9c ldw 0(r26),ret0 ; ret0 = 0x00000000FFFFFF00
+ 106b8: 97 9c 00 7e subi 3f,ret0,ret0 ; ret0 = 0xFFFFFFFF0000013F
+ 106bc: d7 80 1c 1a depwi 0,31,6,ret0 ; ret0 = 0xFFFFFFFF00000100
+ 106c0: 0b 9e 0a 1e add,l sp,ret0,sp ; sp = 0xFFFFFFFFxxxxxxxx
+ 106c4: e8 1f 1f f7 b,l,n 106c4 <aa+0x24>,r0
+
+This patch fixes the bug by truncating the "usp" variable to 32 bits.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/kernel/signal.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/parisc/kernel/signal.c
++++ b/arch/parisc/kernel/signal.c
+@@ -237,6 +237,12 @@ setup_rt_frame(struct ksignal *ksig, sig
+ #endif
+
+ usp = (regs->gr[30] & ~(0x01UL));
++#ifdef CONFIG_64BIT
++ if (is_compat_task()) {
++ /* The gcc alloca implementation leaves garbage in the upper 32 bits of sp */
++ usp = (compat_uint_t)usp;
++ }
++#endif
+ /*FIXME: frame_size parameter is unused, remove it. */
+ frame = get_sigframe(&ksig->ka, usp, sizeof(*frame));
+
--- /dev/null
+From 3abc16af57c9939724df92fcbda296b25cc95168 Mon Sep 17 00:00:00 2001
+From: Patryk Duda <pdk@semihalf.com>
+Date: Tue, 18 May 2021 16:07:58 +0200
+Subject: platform/chrome: cros_ec_proto: Send command again when timeout occurs
+
+From: Patryk Duda <pdk@semihalf.com>
+
+commit 3abc16af57c9939724df92fcbda296b25cc95168 upstream.
+
+Sometimes kernel is trying to probe Fingerprint MCU (FPMCU) when it
+hasn't initialized SPI yet. This can happen because FPMCU is restarted
+during system boot and kernel can send message in short window
+eg. between sysjump to RW and SPI initialization.
+
+Cc: <stable@vger.kernel.org> # 4.4+
+Signed-off-by: Patryk Duda <pdk@semihalf.com>
+Link: https://lore.kernel.org/r/20210518140758.29318-1-pdk@semihalf.com
+Signed-off-by: Benson Leung <bleung@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/chrome/cros_ec_proto.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/platform/chrome/cros_ec_proto.c
++++ b/drivers/platform/chrome/cros_ec_proto.c
+@@ -279,6 +279,15 @@ static int cros_ec_host_command_proto_qu
+ msg->insize = sizeof(struct ec_response_get_protocol_info);
+
+ ret = send_command(ec_dev, msg);
++ /*
++ * Send command once again when timeout occurred.
++ * Fingerprint MCU (FPMCU) is restarted during system boot which
++ * introduces small window in which FPMCU won't respond for any
++ * messages sent by kernel. There is no need to wait before next
++ * attempt because we waited at least EC_MSG_DEADLINE_MS.
++ */
++ if (ret == -ETIMEDOUT)
++ ret = send_command(ec_dev, msg);
+
+ if (ret < 0) {
+ dev_dbg(ec_dev->dev,
--- /dev/null
+From 93ebb6828723b8aef114415c4dc3518342f7dcad Mon Sep 17 00:00:00 2001
+From: Halil Pasic <pasic@linux.ibm.com>
+Date: Sat, 24 Jul 2021 01:17:46 +0200
+Subject: s390/pv: fix the forcing of the swiotlb
+
+From: Halil Pasic <pasic@linux.ibm.com>
+
+commit 93ebb6828723b8aef114415c4dc3518342f7dcad upstream.
+
+Since commit 903cd0f315fe ("swiotlb: Use is_swiotlb_force_bounce for
+swiotlb data bouncing") if code sets swiotlb_force it needs to do so
+before the swiotlb is initialised. Otherwise
+io_tlb_default_mem->force_bounce will not get set to true, and devices
+that use (the default) swiotlb will not bounce despite switolb_force
+having the value of SWIOTLB_FORCE.
+
+Let us restore swiotlb functionality for PV by fulfilling this new
+requirement.
+
+This change addresses what turned out to be a fragility in
+commit 64e1f0c531d1 ("s390/mm: force swiotlb for protected
+virtualization"), which ain't exactly broken in its original context,
+but could give us some more headache if people backport the broken
+change and forget this fix.
+
+Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
+Tested-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Fixes: 903cd0f315fe ("swiotlb: Use is_swiotlb_force_bounce for swiotlb data bouncing")
+Fixes: 64e1f0c531d1 ("s390/mm: force swiotlb for protected virtualization")
+Cc: stable@vger.kernel.org #5.3+
+Signed-off-by: Konrad Rzeszutek Wilk <konrad@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/mm/init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/mm/init.c
++++ b/arch/s390/mm/init.c
+@@ -180,9 +180,9 @@ static void pv_init(void)
+ return;
+
+ /* make sure bounce buffers are shared */
++ swiotlb_force = SWIOTLB_FORCE;
+ swiotlb_init(1);
+ swiotlb_update_mem_attributes();
+- swiotlb_force = SWIOTLB_FORCE;
+ }
+
+ void __init mem_init(void)
--- /dev/null
+From 44d01fc86d952f5a8b8b32bdb4841504d5833d95 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@orcam.me.uk>
+Date: Tue, 20 Apr 2021 20:01:47 +0200
+Subject: scsi: BusLogic: Fix missing pr_cont() use
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+commit 44d01fc86d952f5a8b8b32bdb4841504d5833d95 upstream.
+
+Update BusLogic driver's messaging system to use pr_cont() for continuation
+lines, bringing messy output:
+
+pci 0000:00:13.0: PCI->APIC IRQ transform: INT A -> IRQ 17
+scsi: ***** BusLogic SCSI Driver Version 2.1.17 of 12 September 2013 *****
+scsi: Copyright 1995-1998 by Leonard N. Zubkoff <lnz@dandelion.com>
+scsi0: Configuring BusLogic Model BT-958 PCI Wide Ultra SCSI Host Adapter
+scsi0: Firmware Version: 5.07B, I/O Address: 0x7000, IRQ Channel: 17/Level
+scsi0: PCI Bus: 0, Device: 19, Address:
+0xE0012000,
+Host Adapter SCSI ID: 7
+scsi0: Parity Checking: Enabled, Extended Translation: Enabled
+scsi0: Synchronous Negotiation: Ultra, Wide Negotiation: Enabled
+scsi0: Disconnect/Reconnect: Enabled, Tagged Queuing: Enabled
+scsi0: Scatter/Gather Limit: 128 of 8192 segments, Mailboxes: 211
+scsi0: Driver Queue Depth: 211, Host Adapter Queue Depth: 192
+scsi0: Tagged Queue Depth:
+Automatic
+, Untagged Queue Depth: 3
+scsi0: SCSI Bus Termination: Both Enabled
+, SCAM: Disabled
+
+scsi0: *** BusLogic BT-958 Initialized Successfully ***
+scsi host0: BusLogic BT-958
+
+back to order:
+
+pci 0000:00:13.0: PCI->APIC IRQ transform: INT A -> IRQ 17
+scsi: ***** BusLogic SCSI Driver Version 2.1.17 of 12 September 2013 *****
+scsi: Copyright 1995-1998 by Leonard N. Zubkoff <lnz@dandelion.com>
+scsi0: Configuring BusLogic Model BT-958 PCI Wide Ultra SCSI Host Adapter
+scsi0: Firmware Version: 5.07B, I/O Address: 0x7000, IRQ Channel: 17/Level
+scsi0: PCI Bus: 0, Device: 19, Address: 0xE0012000, Host Adapter SCSI ID: 7
+scsi0: Parity Checking: Enabled, Extended Translation: Enabled
+scsi0: Synchronous Negotiation: Ultra, Wide Negotiation: Enabled
+scsi0: Disconnect/Reconnect: Enabled, Tagged Queuing: Enabled
+scsi0: Scatter/Gather Limit: 128 of 8192 segments, Mailboxes: 211
+scsi0: Driver Queue Depth: 211, Host Adapter Queue Depth: 192
+scsi0: Tagged Queue Depth: Automatic, Untagged Queue Depth: 3
+scsi0: SCSI Bus Termination: Both Enabled, SCAM: Disabled
+scsi0: *** BusLogic BT-958 Initialized Successfully ***
+scsi host0: BusLogic BT-958
+
+Also diagnostic output such as with the BusLogic=TraceConfiguration
+parameter is affected and becomes vertical and therefore hard to read.
+This has now been corrected, e.g.:
+
+pci 0000:00:13.0: PCI->APIC IRQ transform: INT A -> IRQ 17
+blogic_cmd(86) Status = 30: 4 ==> 4: FF 05 93 00
+blogic_cmd(95) Status = 28: (Modify I/O Address)
+blogic_cmd(91) Status = 30: 1 ==> 1: 01
+blogic_cmd(04) Status = 30: 4 ==> 4: 41 41 35 30
+blogic_cmd(8D) Status = 30: 14 ==> 14: 45 DC 00 20 00 00 00 00 00 40 30 37 42 1D
+scsi: ***** BusLogic SCSI Driver Version 2.1.17 of 12 September 2013 *****
+scsi: Copyright 1995-1998 by Leonard N. Zubkoff <lnz@dandelion.com>
+blogic_cmd(04) Status = 30: 4 ==> 4: 41 41 35 30
+blogic_cmd(0B) Status = 30: 3 ==> 3: 00 08 07
+blogic_cmd(0D) Status = 30: 34 ==> 34: 03 01 07 04 00 00 00 00 00 00 00 00 00 00 00 00 FF 42 44 46 FF 00 00 00 00 00 00 00 00 00 FF 00 FF 00
+blogic_cmd(8D) Status = 30: 14 ==> 14: 45 DC 00 20 00 00 00 00 00 40 30 37 42 1D
+blogic_cmd(84) Status = 30: 1 ==> 1: 37
+blogic_cmd(8B) Status = 30: 5 ==> 5: 39 35 38 20 20
+blogic_cmd(85) Status = 30: 1 ==> 1: 42
+blogic_cmd(86) Status = 30: 4 ==> 4: FF 05 93 00
+blogic_cmd(91) Status = 30: 64 ==> 64: 41 46 3E 20 39 35 38 20 20 00 C4 00 04 01 07 2F 07 04 35 FF FF FF FF FF FF FF FF FF FF 01 00 FE FF 08 FF FF 00 00 00 00 00 00 00 01 00 01 00 00 FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 FC
+scsi0: Configuring BusLogic Model BT-958 PCI Wide Ultra SCSI Host Adapter
+
+etc.
+
+Link: https://lore.kernel.org/r/alpine.DEB.2.21.2104201940430.44318@angie.orcam.me.uk
+Fixes: 4bcc595ccd80 ("printk: reinstate KERN_CONT for printing continuation lines")
+Cc: stable@vger.kernel.org # v4.9+
+Acked-by: Khalid Aziz <khalid@gonehiking.org>
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/BusLogic.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/BusLogic.c
++++ b/drivers/scsi/BusLogic.c
+@@ -3603,7 +3603,7 @@ static void blogic_msg(enum blogic_msgle
+ if (buf[0] != '\n' || len > 1)
+ printk("%sscsi%d: %s", blogic_msglevelmap[msglevel], adapter->host_no, buf);
+ } else
+- printk("%s", buf);
++ pr_cont("%s", buf);
+ } else {
+ if (begin) {
+ if (adapter != NULL && adapter->adapter_initd)
+@@ -3611,7 +3611,7 @@ static void blogic_msg(enum blogic_msgle
+ else
+ printk("%s%s", blogic_msglevelmap[msglevel], buf);
+ } else
+- printk("%s", buf);
++ pr_cont("%s", buf);
+ }
+ begin = (buf[len - 1] == '\n');
+ }
--- /dev/null
+From 62e0dec59c1e139dab55aff5aa442adc97804271 Mon Sep 17 00:00:00 2001
+From: Saurav Kashyap <skashyap@marvell.com>
+Date: Mon, 9 Aug 2021 21:37:17 -0700
+Subject: scsi: qla2xxx: Changes to support kdump kernel
+
+From: Saurav Kashyap <skashyap@marvell.com>
+
+commit 62e0dec59c1e139dab55aff5aa442adc97804271 upstream.
+
+Avoid allocating firmware dump and only allocate a single queue for a kexec
+kernel.
+
+Link: https://lore.kernel.org/r/20210810043720.1137-12-njavali@marvell.com
+Cc: stable@vger.kernel.org
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Saurav Kashyap <skashyap@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_os.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -14,6 +14,7 @@
+ #include <linux/slab.h>
+ #include <linux/blk-mq-pci.h>
+ #include <linux/refcount.h>
++#include <linux/crash_dump.h>
+
+ #include <scsi/scsi_tcq.h>
+ #include <scsi/scsicam.h>
+@@ -2828,6 +2829,11 @@ qla2x00_probe_one(struct pci_dev *pdev,
+ return ret;
+ }
+
++ if (is_kdump_kernel()) {
++ ql2xmqsupport = 0;
++ ql2xallocfwdump = 0;
++ }
++
+ /* This may fail but that's ok */
+ pci_enable_pcie_error_reporting(pdev);
+
--- /dev/null
+From c8fadf019964d0eb1da410ba8b629494d3339db9 Mon Sep 17 00:00:00 2001
+From: Saurav Kashyap <skashyap@marvell.com>
+Date: Mon, 9 Aug 2021 21:37:19 -0700
+Subject: scsi: qla2xxx: Sync queue idx with queue_pair_map idx
+
+From: Saurav Kashyap <skashyap@marvell.com>
+
+commit c8fadf019964d0eb1da410ba8b629494d3339db9 upstream.
+
+The first invocation of function find_first_zero_bit will return 0 and
+queue_id gets set to 0.
+
+An index of queue_pair_map also gets set to 0.
+
+ qpair_id = find_first_zero_bit(ha->qpair_qid_map, ha->max_qpairs);
+
+ set_bit(qpair_id, ha->qpair_qid_map);
+ ha->queue_pair_map[qpair_id] = qpair;
+
+In the alloc_queue callback driver checks the map, if queue is already
+allocated:
+
+ ha->queue_pair_map[qidx]
+
+This works fine as long as max_qpairs is greater than nvme_max_hw_queues(8)
+since the size of the queue_pair_map is equal to max_qpair. In case nr_cpus
+is less than 8, max_qpairs is less than 8. This creates wrong value
+returned as qpair.
+
+[ 1572.353669] qla2xxx [0000:24:00.3]-2121:6: Returning existing qpair of 4e00000000000000 for idx=2
+[ 1572.354458] general protection fault: 0000 [#1] SMP PTI
+[ 1572.354461] CPU: 1 PID: 44 Comm: kworker/1:1H Kdump: loaded Tainted: G IOE --------- - - 4.18.0-304.el8.x86_64 #1
+[ 1572.354462] Hardware name: HP ProLiant DL380p Gen8, BIOS P70 03/01/2013
+[ 1572.354467] Workqueue: kblockd blk_mq_run_work_fn
+[ 1572.354485] RIP: 0010:qla_nvme_post_cmd+0x92/0x760 [qla2xxx]
+[ 1572.354486] Code: 84 24 5c 01 00 00 00 00 b8 0a 74 1e 66 83 79 48 00 0f 85 a8 03 00 00 48 8b 44 24 08 48 89 ee 4c 89 e7 8b 50 24 e8 5e 8e 00 00 <f0> 41 ff 47 04 0f ae f0 41 f6 47 24 04 74 19 f0 41 ff 4f 04 b8 f0
+[ 1572.354487] RSP: 0018:ffff9c81c645fc90 EFLAGS: 00010246
+[ 1572.354489] RAX: 0000000000000001 RBX: ffff8ea3e5070138 RCX: 0000000000000001
+[ 1572.354490] RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff8ea4c866b800
+[ 1572.354491] RBP: ffff8ea4c866b800 R08: 0000000000005010 R09: ffff8ea4c866b800
+[ 1572.354492] R10: 0000000000000001 R11: 000000069d1ca3ff R12: ffff8ea4bc460000
+[ 1572.354493] R13: ffff8ea3e50702b0 R14: ffff8ea4c4c16a58 R15: 4e00000000000000
+[ 1572.354494] FS: 0000000000000000(0000) GS:ffff8ea4dfd00000(0000) knlGS:0000000000000000
+[ 1572.354495] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1572.354496] CR2: 000055884504fa58 CR3: 00000005a1410001 CR4: 00000000000606e0
+[ 1572.354497] Call Trace:
+[ 1572.354503] ? check_preempt_curr+0x62/0x90
+[ 1572.354506] ? dma_direct_map_sg+0x72/0x1f0
+[ 1572.354509] ? nvme_fc_start_fcp_op.part.32+0x175/0x460 [nvme_fc]
+[ 1572.354511] ? blk_mq_dispatch_rq_list+0x11c/0x730
+[ 1572.354515] ? __switch_to_asm+0x35/0x70
+[ 1572.354516] ? __switch_to_asm+0x41/0x70
+[ 1572.354518] ? __switch_to_asm+0x35/0x70
+[ 1572.354519] ? __switch_to_asm+0x41/0x70
+[ 1572.354521] ? __switch_to_asm+0x35/0x70
+[ 1572.354522] ? __switch_to_asm+0x41/0x70
+[ 1572.354523] ? __switch_to_asm+0x35/0x70
+[ 1572.354525] ? entry_SYSCALL_64_after_hwframe+0xb9/0xca
+[ 1572.354527] ? __switch_to_asm+0x41/0x70
+[ 1572.354529] ? __blk_mq_sched_dispatch_requests+0xc6/0x170
+[ 1572.354531] ? blk_mq_sched_dispatch_requests+0x30/0x60
+[ 1572.354532] ? __blk_mq_run_hw_queue+0x51/0xd0
+[ 1572.354535] ? process_one_work+0x1a7/0x360
+[ 1572.354537] ? create_worker+0x1a0/0x1a0
+[ 1572.354538] ? worker_thread+0x30/0x390
+[ 1572.354540] ? create_worker+0x1a0/0x1a0
+[ 1572.354541] ? kthread+0x116/0x130
+[ 1572.354543] ? kthread_flush_work_fn+0x10/0x10
+[ 1572.354545] ? ret_from_fork+0x35/0x40
+
+Fix is to use index 0 for admin and first IO queue.
+
+Link: https://lore.kernel.org/r/20210810043720.1137-14-njavali@marvell.com
+Fixes: e84067d74301 ("scsi: qla2xxx: Add FC-NVMe F/W initialization and transport registration")
+Cc: stable@vger.kernel.org
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Saurav Kashyap <skashyap@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_nvme.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_nvme.c
++++ b/drivers/scsi/qla2xxx/qla_nvme.c
+@@ -91,8 +91,9 @@ static int qla_nvme_alloc_queue(struct n
+ struct qla_hw_data *ha;
+ struct qla_qpair *qpair;
+
+- if (!qidx)
+- qidx++;
++ /* Map admin queue and 1st IO queue to index 0 */
++ if (qidx)
++ qidx--;
+
+ vha = (struct scsi_qla_host *)lport->private;
+ ha = vha->hw;
net-hns3-clean-up-a-type-mismatch-warning.patch
fs-io_uring-don-t-use-the-return-value-from-import_i.patch
io_uring-remove-duplicated-io_size-from-rw.patch
+parisc-fix-crash-with-signals-and-alloca.patch
+ovl-fix-bug_on-in-may_delete-when-called-from-ovl_cleanup.patch
+scsi-buslogic-fix-missing-pr_cont-use.patch
+scsi-qla2xxx-changes-to-support-kdump-kernel.patch
+scsi-qla2xxx-sync-queue-idx-with-queue_pair_map-idx.patch
+cpufreq-powernv-fix-init_chip_info-initialization-in-numa-off.patch
+s390-pv-fix-the-forcing-of-the-swiotlb.patch
+hugetlb-fix-hugetlb-cgroup-refcounting-during-vma-split.patch
+mm-hmm-bypass-devmap-pte-when-all-pfn-requested-flags-are-fulfilled.patch
+mm-hugetlb-initialize-hugetlb_usage-in-mm_init.patch
+mm-vmscan-fix-divide-by-zero-in-get_scan_count.patch
+memcg-enable-accounting-for-pids-in-nested-pid-namespaces.patch
+libnvdimm-pmem-fix-crash-triggered-when-i-o-in-flight-during-unbind.patch
+platform-chrome-cros_ec_proto-send-command-again-when-timeout-occurs.patch
+lib-test_stackinit-fix-static-initializer-test.patch
+net-dsa-lantiq_gswip-fix-maximum-frame-length.patch
+drm-mgag200-select-clock-in-pll-update-functions.patch
+drm-msi-mdp4-populate-priv-kms-in-mdp4_kms_init.patch
+drm-dp_mst-fix-return-code-on-sideband-message-failure.patch
+drm-panfrost-make-sure-mmu-context-lifetime-is-not-bound-to-panfrost_priv.patch
+drm-amdgpu-fix-bug_on-assert.patch
+drm-amd-display-update-number-of-dcn3-clock-states.patch
+drm-amd-display-update-bounding-box-states-v2.patch
+drm-panfrost-simplify-lock_region-calculation.patch
+drm-panfrost-use-u64-for-size-in-lock_region.patch
+drm-panfrost-clamp-lock-region-to-bifrost-minimum.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
