--- /dev/null
+From ee11b93f95eabdf8198edd4668bf9102e7248270 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Thu, 29 Oct 2020 17:31:45 -0400
+Subject: ftrace: Fix recursion check for NMI test
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit ee11b93f95eabdf8198edd4668bf9102e7248270 upstream.
+
+The code that checks recursion will work to only do the recursion check once
+if there's nested checks. The top one will do the check, the other nested
+checks will see recursion was already checked and return zero for its "bit".
+On the return side, nothing will be done if the "bit" is zero.
+
+The problem is that zero is returned for the "good" bit when in NMI context.
+This will set the bit for NMIs making it look like *all* NMI tracing is
+recursing, and prevent tracing of anything in NMI context!
+
+The simple fix is to return "bit + 1" and subtract that bit on the end to
+get the real bit.
+
+Cc: stable@vger.kernel.org
+Fixes: edc15cafcbfa3 ("tracing: Avoid unnecessary multiple recursion checks")
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace.h
++++ b/kernel/trace/trace.h
+@@ -653,7 +653,7 @@ static __always_inline int trace_test_an
+ current->trace_recursion = val;
+ barrier();
+
+- return bit;
++ return bit + 1;
+ }
+
+ static __always_inline void trace_clear_recursion(int bit)
+@@ -663,6 +663,7 @@ static __always_inline void trace_clear_
+ if (!bit)
+ return;
+
++ bit--;
+ bit = 1 << bit;
+ val &= ~bit;
+
--- /dev/null
+From 726b3d3f141fba6f841d715fc4d8a4a84f02c02a Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Thu, 29 Oct 2020 19:35:08 -0400
+Subject: ftrace: Handle tracing when switching between context
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 726b3d3f141fba6f841d715fc4d8a4a84f02c02a upstream.
+
+When an interrupt or NMI comes in and switches the context, there's a delay
+from when the preempt_count() shows the update. As the preempt_count() is
+used to detect recursion having each context have its own bit get set when
+tracing starts, and if that bit is already set, it is considered a recursion
+and the function exits. But if this happens in that section where context
+has changed but preempt_count() has not been updated, this will be
+incorrectly flagged as a recursion.
+
+To handle this case, create another bit call TRANSITION and test it if the
+current context bit is already set. Flag the call as a recursion if the
+TRANSITION bit is already set, and if not, set it and continue. The
+TRANSITION bit will be cleared normally on the return of the function that
+set it, or if the current context bit is clear, set it and clear the
+TRANSITION bit to allow for another transition between the current context
+and an even higher one.
+
+Cc: stable@vger.kernel.org
+Fixes: edc15cafcbfa3 ("tracing: Avoid unnecessary multiple recursion checks")
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace.h | 23 +++++++++++++++++++++--
+ kernel/trace/trace_selftest.c | 9 +++++++--
+ 2 files changed, 28 insertions(+), 4 deletions(-)
+
+--- a/kernel/trace/trace.h
++++ b/kernel/trace/trace.h
+@@ -592,6 +592,12 @@ enum {
+ * function is called to clear it.
+ */
+ TRACE_GRAPH_NOTRACE_BIT,
++
++ /*
++ * When transitioning between context, the preempt_count() may
++ * not be correct. Allow for a single recursion to cover this case.
++ */
++ TRACE_TRANSITION_BIT,
+ };
+
+ #define trace_recursion_set(bit) do { (current)->trace_recursion |= (1<<(bit)); } while (0)
+@@ -646,8 +652,21 @@ static __always_inline int trace_test_an
+ return 0;
+
+ bit = trace_get_context_bit() + start;
+- if (unlikely(val & (1 << bit)))
+- return -1;
++ if (unlikely(val & (1 << bit))) {
++ /*
++ * It could be that preempt_count has not been updated during
++ * a switch between contexts. Allow for a single recursion.
++ */
++ bit = TRACE_TRANSITION_BIT;
++ if (trace_recursion_test(bit))
++ return -1;
++ trace_recursion_set(bit);
++ barrier();
++ return bit + 1;
++ }
++
++ /* Normal check passed, clear the transition to allow it again */
++ trace_recursion_clear(TRACE_TRANSITION_BIT);
+
+ val |= 1 << bit;
+ current->trace_recursion = val;
+--- a/kernel/trace/trace_selftest.c
++++ b/kernel/trace/trace_selftest.c
+@@ -492,8 +492,13 @@ trace_selftest_function_recursion(void)
+ unregister_ftrace_function(&test_rec_probe);
+
+ ret = -1;
+- if (trace_selftest_recursion_cnt != 1) {
+- pr_cont("*callback not called once (%d)* ",
++ /*
++ * Recursion allows for transitions between context,
++ * and may call the callback twice.
++ */
++ if (trace_selftest_recursion_cnt != 1 &&
++ trace_selftest_recursion_cnt != 2) {
++ pr_cont("*callback not called once (or twice) (%d)* ",
+ trace_selftest_recursion_cnt);
+ goto out;
+ }
--- /dev/null
+From 9f5d1c336a10c0d24e83e40b4c1b9539f7dba627 Mon Sep 17 00:00:00 2001
+From: Mike Galbraith <efault@gmx.de>
+Date: Wed, 4 Nov 2020 16:12:44 +0100
+Subject: futex: Handle transient "ownerless" rtmutex state correctly
+
+From: Mike Galbraith <efault@gmx.de>
+
+commit 9f5d1c336a10c0d24e83e40b4c1b9539f7dba627 upstream.
+
+Gratian managed to trigger the BUG_ON(!newowner) in fixup_pi_state_owner().
+This is one possible chain of events leading to this:
+
+Task Prio Operation
+T1 120 lock(F)
+T2 120 lock(F) -> blocks (top waiter)
+T3 50 (RT) lock(F) -> boosts T1 and blocks (new top waiter)
+XX timeout/ -> wakes T2
+ signal
+T1 50 unlock(F) -> wakes T3 (rtmutex->owner == NULL, waiter bit is set)
+T2 120 cleanup -> try_to_take_mutex() fails because T3 is the top waiter
+ and the lower priority T2 cannot steal the lock.
+ -> fixup_pi_state_owner() sees newowner == NULL -> BUG_ON()
+
+The comment states that this is invalid and rt_mutex_real_owner() must
+return a non NULL owner when the trylock failed, but in case of a queued
+and woken up waiter rt_mutex_real_owner() == NULL is a valid transient
+state. The higher priority waiter has simply not yet managed to take over
+the rtmutex.
+
+The BUG_ON() is therefore wrong and this is just another retry condition in
+fixup_pi_state_owner().
+
+Drop the locks, so that T3 can make progress, and then try the fixup again.
+
+Gratian provided a great analysis, traces and a reproducer. The analysis is
+to the point, but it confused the hell out of that tglx dude who had to
+page in all the futex horrors again. Condensed version is above.
+
+[ tglx: Wrote comment and changelog ]
+
+Fixes: c1e2f0eaf015 ("futex: Avoid violating the 10th rule of futex")
+Reported-by: Gratian Crisan <gratian.crisan@ni.com>
+Signed-off-by: Mike Galbraith <efault@gmx.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/87a6w6x7bb.fsf@ni.com
+Link: https://lore.kernel.org/r/87sg9pkvf7.fsf@nanos.tec.linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/futex.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -2511,10 +2511,22 @@ retry:
+ }
+
+ /*
+- * Since we just failed the trylock; there must be an owner.
++ * The trylock just failed, so either there is an owner or
++ * there is a higher priority waiter than this one.
+ */
+ newowner = rt_mutex_owner(&pi_state->pi_mutex);
+- BUG_ON(!newowner);
++ /*
++ * If the higher priority waiter has not yet taken over the
++ * rtmutex then newowner is NULL. We can't return here with
++ * that state because it's inconsistent vs. the user space
++ * state. So drop the locks and try again. It's a valid
++ * situation and not any different from the other retry
++ * conditions.
++ */
++ if (unlikely(!newowner)) {
++ err = -EAGAIN;
++ goto handle_err;
++ }
+ } else {
+ WARN_ON_ONCE(argowner != current);
+ if (oldowner == current) {
--- /dev/null
+From 69a8eed58cc09aea3b01a64997031dd5d3c02c07 Mon Sep 17 00:00:00 2001
+From: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+Date: Mon, 5 Oct 2020 10:48:03 +0200
+Subject: mtd: spi-nor: Don't copy self-pointing struct around
+
+From: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+
+commit 69a8eed58cc09aea3b01a64997031dd5d3c02c07 upstream.
+
+spi_nor_parse_sfdp() modifies the passed structure so that it points to
+itself (params.erase_map.regions to params.erase_map.uniform_region). This
+makes it impossible to copy the local struct anywhere else.
+
+Therefore only use memcpy() in backup-restore scenario. The bug may show up
+like below:
+
+BUG: unable to handle page fault for address: ffffc90000b377f8
+Oops: 0000 [#1] PREEMPT SMP NOPTI
+CPU: 4 PID: 3500 Comm: flashcp Tainted: G O 5.4.53-... #1
+...
+RIP: 0010:spi_nor_erase+0x8e/0x5c0
+Code: 64 24 18 89 db 4d 8b b5 d0 04 00 00 4c 89 64 24 18 4c 89 64 24 20 eb 12 a8 10 0f 85 59 02 00 00 49 83 c6 10 0f 84 4f 02 00 00 <49> 8b 06 48 89 c2 48 83 e2 c0 48 89 d1 49 03 4e 08 48 39 cb 73 d8
+RSP: 0018:ffffc9000217fc48 EFLAGS: 00010206
+RAX: 0000000000740000 RBX: 0000000000000000 RCX: 0000000000740000
+RDX: ffff8884550c9980 RSI: ffff88844f9c0bc0 RDI: ffff88844ede7bb8
+RBP: 0000000000740000 R08: ffffffff815bfbe0 R09: ffff88844f9c0bc0
+R10: 0000000000000000 R11: 0000000000000000 R12: ffffc9000217fc60
+R13: ffff88844ede7818 R14: ffffc90000b377f8 R15: 0000000000000000
+FS: 00007f4699780500(0000) GS:ffff88846ff00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffc90000b377f8 CR3: 00000004538ee000 CR4: 0000000000340fe0
+Call Trace:
+ part_erase+0x27/0x50
+ mtdchar_ioctl+0x831/0xba0
+ ? filemap_map_pages+0x186/0x3d0
+ ? do_filp_open+0xad/0x110
+ ? _copy_to_user+0x22/0x30
+ ? cp_new_stat+0x150/0x180
+ mtdchar_unlocked_ioctl+0x2a/0x40
+ do_vfs_ioctl+0xa0/0x630
+ ? __do_sys_newfstat+0x3c/0x60
+ ksys_ioctl+0x70/0x80
+ __x64_sys_ioctl+0x16/0x20
+ do_syscall_64+0x6a/0x200
+ ? prepare_exit_to_usermode+0x50/0xd0
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x7f46996b6817
+
+Cc: stable@vger.kernel.org
+Fixes: c46872170a54 ("mtd: spi-nor: Move erase_map to 'struct spi_nor_flash_parameter'")
+Co-developed-by: Matija Glavinic Pecotic <matija.glavinic-pecotic.ext@nokia.com>
+Signed-off-by: Matija Glavinic Pecotic <matija.glavinic-pecotic.ext@nokia.com>
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
+Tested-by: Baurzhan Ismagulov <ibr@radix50.net>
+Reviewed-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Link: https://lore.kernel.org/r/20201005084803.23460-1-alexander.sverdlin@nokia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/spi-nor/spi-nor.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/mtd/spi-nor/spi-nor.c
++++ b/drivers/mtd/spi-nor/spi-nor.c
+@@ -4444,11 +4444,10 @@ static void spi_nor_sfdp_init_params(str
+
+ memcpy(&sfdp_params, &nor->params, sizeof(sfdp_params));
+
+- if (spi_nor_parse_sfdp(nor, &sfdp_params)) {
++ if (spi_nor_parse_sfdp(nor, &nor->params)) {
++ memcpy(&nor->params, &sfdp_params, sizeof(nor->params));
+ nor->addr_width = 0;
+ nor->flags &= ~SNOR_F_4B_OPCODES;
+- } else {
+- memcpy(&nor->params, &sfdp_params, sizeof(nor->params));
+ }
+ }
+
--- /dev/null
+From cf1ad559a20d1930aa7b47a52f54e1f8718de301 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20Miros=C5=82aw?= <mirq-linux@rere.qmqm.pl>
+Date: Mon, 2 Nov 2020 22:27:27 +0100
+Subject: regulator: defer probe when trying to get voltage from unresolved supply
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+
+commit cf1ad559a20d1930aa7b47a52f54e1f8718de301 upstream.
+
+regulator_get_voltage_rdev() is called in regulator probe() when
+applying machine constraints. The "fixed" commit exposed the problem
+that non-bypassed regulators can forward the request to its parent
+(like bypassed ones) supply. Return -EPROBE_DEFER when the supply
+is expected but not resolved yet.
+
+Fixes: aea6cb99703e ("regulator: resolve supply after creating regulator")
+Cc: stable@vger.kernel.org
+Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+Reported-by: Ondřej Jirman <megous@megous.com>
+Reported-by: Corentin Labbe <clabbe.montjoie@gmail.com>
+Tested-by: Ondřej Jirman <megous@megous.com>
+Link: https://lore.kernel.org/r/a9041d68b4d35e4a2dd71629c8a6422662acb5ee.1604351936.git.mirq-linux@rere.qmqm.pl
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/regulator/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -4045,6 +4045,8 @@ int regulator_get_voltage_rdev(struct re
+ ret = rdev->desc->fixed_uV;
+ } else if (rdev->supply) {
+ ret = regulator_get_voltage_rdev(rdev->supply->rdev);
++ } else if (rdev->supply_name) {
++ return -EPROBE_DEFER;
+ } else {
+ return -EINVAL;
+ }
mm-always-have-io_remap_pfn_range-set-pgprot_decrypted.patch
gfs2-wake-up-when-sd_glock_disposal-becomes-zero.patch
ring-buffer-fix-recursion-protection-transitions-between-interrupt-context.patch
+mtd-spi-nor-don-t-copy-self-pointing-struct-around.patch
+ftrace-fix-recursion-check-for-nmi-test.patch
+ftrace-handle-tracing-when-switching-between-context.patch
+regulator-defer-probe-when-trying-to-get-voltage-from-unresolved-supply.patch
+spi-bcm2835-fix-gpio-cs-level-inversion.patch
+tracing-fix-out-of-bounds-write-in-get_trace_buf.patch
+futex-handle-transient-ownerless-rtmutex-state-correctly.patch
--- /dev/null
+From 5e31ba0c0543a04483b53151eb5b7413efece94c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Martin=20Hundeb=C3=B8ll?= <martin@geanix.com>
+Date: Wed, 14 Oct 2020 11:02:30 +0200
+Subject: spi: bcm2835: fix gpio cs level inversion
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Martin Hundebøll <martin@geanix.com>
+
+commit 5e31ba0c0543a04483b53151eb5b7413efece94c upstream.
+
+The work on improving gpio chip-select in spi core, and the following
+fixes, has caused the bcm2835 spi driver to use wrong levels. Fix this
+by simply removing level handling in the bcm2835 driver, and let the
+core do its work.
+
+Fixes: 3e5ec1db8bfe ("spi: Fix SPI_CS_HIGH setting when using native and GPIO CS")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Martin Hundebøll <martin@geanix.com>
+Link: https://lore.kernel.org/r/20201014090230.2706810-1-martin@geanix.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-bcm2835.c | 12 ------------
+ 1 file changed, 12 deletions(-)
+
+--- a/drivers/spi/spi-bcm2835.c
++++ b/drivers/spi/spi-bcm2835.c
+@@ -1245,18 +1245,6 @@ static int bcm2835_spi_setup(struct spi_
+ if (!chip)
+ return 0;
+
+- /*
+- * Retrieve the corresponding GPIO line used for CS.
+- * The inversion semantics will be handled by the GPIO core
+- * code, so we pass GPIOS_OUT_LOW for "unasserted" and
+- * the correct flag for inversion semantics. The SPI_CS_HIGH
+- * on spi->mode cannot be checked for polarity in this case
+- * as the flag use_gpio_descriptors enforces SPI_CS_HIGH.
+- */
+- if (of_property_read_bool(spi->dev.of_node, "spi-cs-high"))
+- lflags = GPIO_ACTIVE_HIGH;
+- else
+- lflags = GPIO_ACTIVE_LOW;
+ spi->cs_gpiod = gpiochip_request_own_desc(chip, 8 - spi->chip_select,
+ DRV_NAME,
+ lflags,
--- /dev/null
+From c1acb4ac1a892cf08d27efcb964ad281728b0545 Mon Sep 17 00:00:00 2001
+From: Qiujun Huang <hqjagain@gmail.com>
+Date: Fri, 30 Oct 2020 00:19:05 +0800
+Subject: tracing: Fix out of bounds write in get_trace_buf
+
+From: Qiujun Huang <hqjagain@gmail.com>
+
+commit c1acb4ac1a892cf08d27efcb964ad281728b0545 upstream.
+
+The nesting count of trace_printk allows for 4 levels of nesting. The
+nesting counter starts at zero and is incremented before being used to
+retrieve the current context's buffer. But the index to the buffer uses the
+nesting counter after it was incremented, and not its original number,
+which in needs to do.
+
+Link: https://lkml.kernel.org/r/20201029161905.4269-1-hqjagain@gmail.com
+
+Cc: stable@vger.kernel.org
+Fixes: 3d9622c12c887 ("tracing: Add barrier to trace_printk() buffer nesting modification")
+Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -3012,7 +3012,7 @@ static char *get_trace_buf(void)
+
+ /* Interrupts must see nesting incremented before we use the buffer */
+ barrier();
+- return &buffer->buffer[buffer->nesting][0];
++ return &buffer->buffer[buffer->nesting - 1][0];
+ }
+
+ static void put_trace_buf(void)
projects / thirdparty / kernel / stable-queue.git / commitdiff
