--- /dev/null
+From ec665b756e6f79c60078b00dbdabea3aa8a4b787 Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Wed, 31 Jul 2019 11:40:18 +0300
+Subject: backlight: gpio-backlight: Correct initial power state handling
+
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+
+commit ec665b756e6f79c60078b00dbdabea3aa8a4b787 upstream.
+
+The default-on property - or the def_value via legacy pdata) should be
+handled as:
+if it is 1, the backlight must be enabled (kept enabled)
+if it is 0, the backlight must be disabled (kept disabled)
+
+This only works for the case when default-on is set. If it is not set then
+the brightness of the backlight is set to 0. Now if the backlight is
+enabled by external driver (graphics) the backlight will stay disabled since
+the brightness is configured as 0. The backlight will not turn on.
+
+In order to minimize screen flickering during device boot:
+
+The initial brightness should be set to 1.
+
+If booted in non DT mode or no phandle link to the backlight node:
+follow the def_value/default-on to select UNBLANK or POWERDOWN
+
+If in DT boot we have phandle link then leave the GPIO in a state which the
+bootloader left it and let the user of the backlight to configure it
+further.
+
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/backlight/gpio_backlight.c | 24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+--- a/drivers/video/backlight/gpio_backlight.c
++++ b/drivers/video/backlight/gpio_backlight.c
+@@ -62,13 +62,11 @@ static int gpio_backlight_probe_dt(struc
+ {
+ struct device *dev = &pdev->dev;
+ struct device_node *np = dev->of_node;
+- enum gpiod_flags flags;
+ int ret;
+
+ gbl->def_value = of_property_read_bool(np, "default-on");
+- flags = gbl->def_value ? GPIOD_OUT_HIGH : GPIOD_OUT_LOW;
+
+- gbl->gpiod = devm_gpiod_get(dev, NULL, flags);
++ gbl->gpiod = devm_gpiod_get(dev, NULL, GPIOD_ASIS);
+ if (IS_ERR(gbl->gpiod)) {
+ ret = PTR_ERR(gbl->gpiod);
+
+@@ -82,6 +80,22 @@ static int gpio_backlight_probe_dt(struc
+ return 0;
+ }
+
++static int gpio_backlight_initial_power_state(struct gpio_backlight *gbl)
++{
++ struct device_node *node = gbl->dev->of_node;
++
++ /* Not booted with device tree or no phandle link to the node */
++ if (!node || !node->phandle)
++ return gbl->def_value ? FB_BLANK_UNBLANK : FB_BLANK_POWERDOWN;
++
++ /* if the enable GPIO is disabled, do not enable the backlight */
++ if (gpiod_get_value_cansleep(gbl->gpiod) == 0)
++ return FB_BLANK_POWERDOWN;
++
++ return FB_BLANK_UNBLANK;
++}
++
++
+ static int gpio_backlight_probe(struct platform_device *pdev)
+ {
+ struct gpio_backlight_platform_data *pdata =
+@@ -142,7 +156,9 @@ static int gpio_backlight_probe(struct p
+ return PTR_ERR(bl);
+ }
+
+- bl->props.brightness = gbl->def_value;
++ bl->props.power = gpio_backlight_initial_power_state(gbl);
++ bl->props.brightness = 1;
++
+ backlight_update_status(bl);
+
+ platform_set_drvdata(pdev, bl);
--- /dev/null
+From 60e2793d440a3ec95abb5d6d4fc034a4b480472d Mon Sep 17 00:00:00 2001
+From: Michal Hocko <mhocko@suse.com>
+Date: Fri, 5 Nov 2021 13:38:06 -0700
+Subject: mm, oom: do not trigger out_of_memory from the #PF
+
+From: Michal Hocko <mhocko@suse.com>
+
+commit 60e2793d440a3ec95abb5d6d4fc034a4b480472d upstream.
+
+Any allocation failure during the #PF path will return with VM_FAULT_OOM
+which in turn results in pagefault_out_of_memory. This can happen for 2
+different reasons. a) Memcg is out of memory and we rely on
+mem_cgroup_oom_synchronize to perform the memcg OOM handling or b)
+normal allocation fails.
+
+The latter is quite problematic because allocation paths already trigger
+out_of_memory and the page allocator tries really hard to not fail
+allocations. Anyway, if the OOM killer has been already invoked there
+is no reason to invoke it again from the #PF path. Especially when the
+OOM condition might be gone by that time and we have no way to find out
+other than allocate.
+
+Moreover if the allocation failed and the OOM killer hasn't been invoked
+then we are unlikely to do the right thing from the #PF context because
+we have already lost the allocation context and restictions and
+therefore might oom kill a task from a different NUMA domain.
+
+This all suggests that there is no legitimate reason to trigger
+out_of_memory from pagefault_out_of_memory so drop it. Just to be sure
+that no #PF path returns with VM_FAULT_OOM without allocation print a
+warning that this is happening before we restart the #PF.
+
+[VvS: #PF allocation can hit into limit of cgroup v1 kmem controller.
+This is a local problem related to memcg, however, it causes unnecessary
+global OOM kills that are repeated over and over again and escalate into a
+real disaster. This has been broken since kmem accounting has been
+introduced for cgroup v1 (3.8). There was no kmem specific reclaim for
+the separate limit so the only way to handle kmem hard limit was to return
+with ENOMEM. In upstream the problem will be fixed by removing the
+outdated kmem limit, however stable and LTS kernels cannot do it and are
+still affected. This patch fixes the problem and should be backported
+into stable/LTS.]
+
+Link: https://lkml.kernel.org/r/f5fd8dd8-0ad4-c524-5f65-920b01972a42@virtuozzo.com
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: Roman Gushchin <guro@fb.com>
+Cc: Shakeel Butt <shakeelb@google.com>
+Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+Cc: Uladzislau Rezki <urezki@gmail.com>
+Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/oom_kill.c | 22 ++++++++--------------
+ 1 file changed, 8 insertions(+), 14 deletions(-)
+
+--- a/mm/oom_kill.c
++++ b/mm/oom_kill.c
+@@ -1135,19 +1135,15 @@ bool out_of_memory(struct oom_control *o
+ }
+
+ /*
+- * The pagefault handler calls here because it is out of memory, so kill a
+- * memory-hogging task. If oom_lock is held by somebody else, a parallel oom
+- * killing is already in progress so do nothing.
++ * The pagefault handler calls here because some allocation has failed. We have
++ * to take care of the memcg OOM here because this is the only safe context without
++ * any locks held but let the oom killer triggered from the allocation context care
++ * about the global OOM.
+ */
+ void pagefault_out_of_memory(void)
+ {
+- struct oom_control oc = {
+- .zonelist = NULL,
+- .nodemask = NULL,
+- .memcg = NULL,
+- .gfp_mask = 0,
+- .order = 0,
+- };
++ static DEFINE_RATELIMIT_STATE(pfoom_rs, DEFAULT_RATELIMIT_INTERVAL,
++ DEFAULT_RATELIMIT_BURST);
+
+ if (mem_cgroup_oom_synchronize(true))
+ return;
+@@ -1155,8 +1151,6 @@ void pagefault_out_of_memory(void)
+ if (fatal_signal_pending(current))
+ return;
+
+- if (!mutex_trylock(&oom_lock))
+- return;
+- out_of_memory(&oc);
+- mutex_unlock(&oom_lock);
++ if (__ratelimit(&pfoom_rs))
++ pr_warn("Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF\n");
+ }
--- /dev/null
+From 0b28179a6138a5edd9d82ad2687c05b3773c387b Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Fri, 5 Nov 2021 13:38:02 -0700
+Subject: mm, oom: pagefault_out_of_memory: don't force global OOM for dying tasks
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit 0b28179a6138a5edd9d82ad2687c05b3773c387b upstream.
+
+Patch series "memcg: prohibit unconditional exceeding the limit of dying tasks", v3.
+
+Memory cgroup charging allows killed or exiting tasks to exceed the hard
+limit. It can be misused and allowed to trigger global OOM from inside
+a memcg-limited container. On the other hand if memcg fails allocation,
+called from inside #PF handler it triggers global OOM from inside
+pagefault_out_of_memory().
+
+To prevent these problems this patchset:
+ (a) removes execution of out_of_memory() from
+ pagefault_out_of_memory(), becasue nobody can explain why it is
+ necessary.
+ (b) allow memcg to fail allocation of dying/killed tasks.
+
+This patch (of 3):
+
+Any allocation failure during the #PF path will return with VM_FAULT_OOM
+which in turn results in pagefault_out_of_memory which in turn executes
+out_out_memory() and can kill a random task.
+
+An allocation might fail when the current task is the oom victim and
+there are no memory reserves left. The OOM killer is already handled at
+the page allocator level for the global OOM and at the charging level
+for the memcg one. Both have much more information about the scope of
+allocation/charge request. This means that either the OOM killer has
+been invoked properly and didn't lead to the allocation success or it
+has been skipped because it couldn't have been invoked. In both cases
+triggering it from here is pointless and even harmful.
+
+It makes much more sense to let the killed task die rather than to wake
+up an eternally hungry oom-killer and send him to choose a fatter victim
+for breakfast.
+
+Link: https://lkml.kernel.org/r/0828a149-786e-7c06-b70a-52d086818ea3@virtuozzo.com
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Suggested-by: Michal Hocko <mhocko@suse.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: Roman Gushchin <guro@fb.com>
+Cc: Shakeel Butt <shakeelb@google.com>
+Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+Cc: Uladzislau Rezki <urezki@gmail.com>
+Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/oom_kill.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/mm/oom_kill.c
++++ b/mm/oom_kill.c
+@@ -1152,6 +1152,9 @@ void pagefault_out_of_memory(void)
+ if (mem_cgroup_oom_synchronize(true))
+ return;
+
++ if (fatal_signal_pending(current))
++ return;
++
+ if (!mutex_trylock(&oom_lock))
+ return;
+ out_of_memory(&oc);
--- /dev/null
+From foo@baz Mon Nov 15 03:31:22 PM CET 2021
+From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
+Date: Mon, 15 Nov 2021 16:35:32 +0530
+Subject: powerpc/bpf: Emit stf barrier instruction sequences for BPF_NOSPEC
+To: <stable@vger.kernel.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>, Daniel Borkmann <daniel@iogearbox.net>
+Message-ID: <0c1116e0f065c749de2f6188c7fdbfb4521743d1.1636968020.git.naveen.n.rao@linux.vnet.ibm.com>
+
+From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
+
+upstream commit b7540d62509453263604a155bf2d5f0ed450cba2
+
+Emit similar instruction sequences to commit a048a07d7f4535
+("powerpc/64s: Add support for a store forwarding barrier at kernel
+entry/exit") when encountering BPF_NOSPEC.
+
+Mitigations are enabled depending on what the firmware advertises. In
+particular, we do not gate these mitigations based on current settings,
+just like in x86. Due to this, we don't need to take any action if
+mitigations are enabled or disabled at runtime.
+
+Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/956570cbc191cd41f8274bed48ee757a86dac62a.1633464148.git.naveen.n.rao@linux.vnet.ibm.com
+[adjust macros to account for commits 0654186510a40e, 3a181237916310 and ef909ba954145e.
+adjust security feature checks to account for commit 84ed26fd00c514]
+Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/net/bpf_jit64.h | 8 ++---
+ arch/powerpc/net/bpf_jit_comp64.c | 56 +++++++++++++++++++++++++++++++++++---
+ 2 files changed, 56 insertions(+), 8 deletions(-)
+
+--- a/arch/powerpc/net/bpf_jit64.h
++++ b/arch/powerpc/net/bpf_jit64.h
+@@ -20,18 +20,18 @@
+ * with our redzone usage.
+ *
+ * [ prev sp ] <-------------
+- * [ nv gpr save area ] 6*8 |
++ * [ nv gpr save area ] 5*8 |
+ * [ tail_call_cnt ] 8 |
+- * [ local_tmp_var ] 8 |
++ * [ local_tmp_var ] 16 |
+ * fp (r31) --> [ ebpf stack space ] upto 512 |
+ * [ frame header ] 32/112 |
+ * sp (r1) ---> [ stack pointer ] --------------
+ */
+
+ /* for gpr non volatile registers BPG_REG_6 to 10 */
+-#define BPF_PPC_STACK_SAVE (6*8)
++#define BPF_PPC_STACK_SAVE (5*8)
+ /* for bpf JIT code internal usage */
+-#define BPF_PPC_STACK_LOCALS 16
++#define BPF_PPC_STACK_LOCALS 24
+ /* stack frame excluding BPF stack, ensure this is quadword aligned */
+ #define BPF_PPC_STACKFRAME (STACK_FRAME_MIN_SIZE + \
+ BPF_PPC_STACK_LOCALS + BPF_PPC_STACK_SAVE)
+--- a/arch/powerpc/net/bpf_jit_comp64.c
++++ b/arch/powerpc/net/bpf_jit_comp64.c
+@@ -19,6 +19,7 @@
+ #include <linux/if_vlan.h>
+ #include <asm/kprobes.h>
+ #include <linux/bpf.h>
++#include <asm/security_features.h>
+
+ #include "bpf_jit64.h"
+
+@@ -60,9 +61,9 @@ static inline bool bpf_has_stack_frame(s
+ * [ prev sp ] <-------------
+ * [ ... ] |
+ * sp (r1) ---> [ stack pointer ] --------------
+- * [ nv gpr save area ] 6*8
++ * [ nv gpr save area ] 5*8
+ * [ tail_call_cnt ] 8
+- * [ local_tmp_var ] 8
++ * [ local_tmp_var ] 16
+ * [ unused red zone ] 208 bytes protected
+ */
+ static int bpf_jit_stack_local(struct codegen_context *ctx)
+@@ -70,12 +71,12 @@ static int bpf_jit_stack_local(struct co
+ if (bpf_has_stack_frame(ctx))
+ return STACK_FRAME_MIN_SIZE + ctx->stack_size;
+ else
+- return -(BPF_PPC_STACK_SAVE + 16);
++ return -(BPF_PPC_STACK_SAVE + 24);
+ }
+
+ static int bpf_jit_stack_tailcallcnt(struct codegen_context *ctx)
+ {
+- return bpf_jit_stack_local(ctx) + 8;
++ return bpf_jit_stack_local(ctx) + 16;
+ }
+
+ static int bpf_jit_stack_offsetof(struct codegen_context *ctx, int reg)
+@@ -268,11 +269,34 @@ static int bpf_jit_emit_tail_call(u32 *i
+ return 0;
+ }
+
++/*
++ * We spill into the redzone always, even if the bpf program has its own stackframe.
++ * Offsets hardcoded based on BPF_PPC_STACK_SAVE -- see bpf_jit_stack_local()
++ */
++void bpf_stf_barrier(void);
++
++asm (
++" .global bpf_stf_barrier ;"
++" bpf_stf_barrier: ;"
++" std 21,-64(1) ;"
++" std 22,-56(1) ;"
++" sync ;"
++" ld 21,-64(1) ;"
++" ld 22,-56(1) ;"
++" ori 31,31,0 ;"
++" .rept 14 ;"
++" b 1f ;"
++" 1: ;"
++" .endr ;"
++" blr ;"
++);
++
+ /* Assemble the body code between the prologue & epilogue */
+ static int bpf_jit_build_body(struct bpf_prog *fp, u32 *image,
+ struct codegen_context *ctx,
+ u32 *addrs, bool extra_pass)
+ {
++ enum stf_barrier_type stf_barrier = stf_barrier_type_get();
+ const struct bpf_insn *insn = fp->insnsi;
+ int flen = fp->len;
+ int i, ret;
+@@ -615,6 +639,30 @@ emit_clear:
+ * BPF_ST NOSPEC (speculation barrier)
+ */
+ case BPF_ST | BPF_NOSPEC:
++ if (!security_ftr_enabled(SEC_FTR_FAVOUR_SECURITY) ||
++ (!security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR) &&
++ (!security_ftr_enabled(SEC_FTR_L1D_FLUSH_HV) || !cpu_has_feature(CPU_FTR_HVMODE))))
++ break;
++
++ switch (stf_barrier) {
++ case STF_BARRIER_EIEIO:
++ EMIT(0x7c0006ac | 0x02000000);
++ break;
++ case STF_BARRIER_SYNC_ORI:
++ EMIT(PPC_INST_SYNC);
++ PPC_LD(b2p[TMP_REG_1], 13, 0);
++ PPC_ORI(31, 31, 0);
++ break;
++ case STF_BARRIER_FALLBACK:
++ EMIT(PPC_INST_MFLR | ___PPC_RT(b2p[TMP_REG_1]));
++ PPC_LI64(12, dereference_kernel_function_descriptor(bpf_stf_barrier));
++ PPC_MTCTR(12);
++ EMIT(PPC_INST_BCTR | 0x1);
++ PPC_MTLR(b2p[TMP_REG_1]);
++ break;
++ case STF_BARRIER_NONE:
++ break;
++ }
+ break;
+
+ /*
--- /dev/null
+From foo@baz Mon Nov 15 03:31:22 PM CET 2021
+From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
+Date: Mon, 15 Nov 2021 16:35:30 +0530
+Subject: powerpc/bpf: Fix BPF_SUB when imm == 0x80000000
+To: <stable@vger.kernel.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>, Daniel Borkmann <daniel@iogearbox.net>
+Message-ID: <5e5c7b933e9da0cb509a1172b7a2c2d17796e952.1636968020.git.naveen.n.rao@linux.vnet.ibm.com>
+
+From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
+
+upstream commit 5855c4c1f415ca3ba1046e77c0b3d3dfc96c9025
+
+We aren't handling subtraction involving an immediate value of
+0x80000000 properly. Fix the same.
+
+Fixes: 156d0e290e969c ("powerpc/ebpf/jit: Implement JIT compiler for extended BPF")
+Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+[mpe: Fold in fix from Naveen to use imm <= 32768]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/fc4b1276eb10761fd7ce0814c8dd089da2815251.1633464148.git.naveen.n.rao@linux.vnet.ibm.com
+[adjust macros to account for commits 0654186510a40e and 3a181237916310]
+Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/net/bpf_jit_comp64.c | 27 +++++++++++++++++----------
+ 1 file changed, 17 insertions(+), 10 deletions(-)
+
+--- a/arch/powerpc/net/bpf_jit_comp64.c
++++ b/arch/powerpc/net/bpf_jit_comp64.c
+@@ -326,18 +326,25 @@ static int bpf_jit_build_body(struct bpf
+ PPC_SUB(dst_reg, dst_reg, src_reg);
+ goto bpf_alu32_trunc;
+ case BPF_ALU | BPF_ADD | BPF_K: /* (u32) dst += (u32) imm */
+- case BPF_ALU | BPF_SUB | BPF_K: /* (u32) dst -= (u32) imm */
+ case BPF_ALU64 | BPF_ADD | BPF_K: /* dst += imm */
++ if (!imm) {
++ goto bpf_alu32_trunc;
++ } else if (imm >= -32768 && imm < 32768) {
++ PPC_ADDI(dst_reg, dst_reg, IMM_L(imm));
++ } else {
++ PPC_LI32(b2p[TMP_REG_1], imm);
++ PPC_ADD(dst_reg, dst_reg, b2p[TMP_REG_1]);
++ }
++ goto bpf_alu32_trunc;
++ case BPF_ALU | BPF_SUB | BPF_K: /* (u32) dst -= (u32) imm */
+ case BPF_ALU64 | BPF_SUB | BPF_K: /* dst -= imm */
+- if (BPF_OP(code) == BPF_SUB)
+- imm = -imm;
+- if (imm) {
+- if (imm >= -32768 && imm < 32768)
+- PPC_ADDI(dst_reg, dst_reg, IMM_L(imm));
+- else {
+- PPC_LI32(b2p[TMP_REG_1], imm);
+- PPC_ADD(dst_reg, dst_reg, b2p[TMP_REG_1]);
+- }
++ if (!imm) {
++ goto bpf_alu32_trunc;
++ } else if (imm > -32768 && imm <= 32768) {
++ PPC_ADDI(dst_reg, dst_reg, IMM_L(-imm));
++ } else {
++ PPC_LI32(b2p[TMP_REG_1], imm);
++ PPC_SUB(dst_reg, dst_reg, b2p[TMP_REG_1]);
+ }
+ goto bpf_alu32_trunc;
+ case BPF_ALU | BPF_MUL | BPF_X: /* (u32) dst *= (u32) src */
--- /dev/null
+From foo@baz Mon Nov 15 03:31:22 PM CET 2021
+From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
+Date: Mon, 15 Nov 2021 16:35:29 +0530
+Subject: powerpc/bpf: Validate branch ranges
+To: <stable@vger.kernel.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>, Daniel Borkmann <daniel@iogearbox.net>
+Message-ID: <cc064b884ea7bb5f2f07147589c8a46addd6ed0d.1636968020.git.naveen.n.rao@linux.vnet.ibm.com>
+
+From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
+
+upstream commit 3832ba4e283d7052b783dab8311df7e3590fed93
+
+Add checks to ensure that we never emit branch instructions with
+truncated branch offsets.
+
+Suggested-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Tested-by: Johan Almbladh <johan.almbladh@anyfinetworks.com>
+Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Acked-by: Song Liu <songliubraving@fb.com>
+Acked-by: Johan Almbladh <johan.almbladh@anyfinetworks.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/71d33a6b7603ec1013c9734dd8bdd4ff5e929142.1633464148.git.naveen.n.rao@linux.vnet.ibm.com
+[include header, drop ppc32 changes]
+Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/net/bpf_jit.h | 26 ++++++++++++++++++++------
+ arch/powerpc/net/bpf_jit_comp64.c | 10 +++++++---
+ 2 files changed, 27 insertions(+), 9 deletions(-)
+
+--- a/arch/powerpc/net/bpf_jit.h
++++ b/arch/powerpc/net/bpf_jit.h
+@@ -15,6 +15,7 @@
+ #ifndef __ASSEMBLY__
+
+ #include <asm/types.h>
++#include <asm/code-patching.h>
+
+ #ifdef PPC64_ELF_ABI_v1
+ #define FUNCTION_DESCR_SIZE 24
+@@ -176,13 +177,26 @@
+ #define PPC_NEG(d, a) EMIT(PPC_INST_NEG | ___PPC_RT(d) | ___PPC_RA(a))
+
+ /* Long jump; (unconditional 'branch') */
+-#define PPC_JMP(dest) EMIT(PPC_INST_BRANCH | \
+- (((dest) - (ctx->idx * 4)) & 0x03fffffc))
++#define PPC_JMP(dest) \
++ do { \
++ long offset = (long)(dest) - (ctx->idx * 4); \
++ if (!is_offset_in_branch_range(offset)) { \
++ pr_err_ratelimited("Branch offset 0x%lx (@%u) out of range\n", offset, ctx->idx); \
++ return -ERANGE; \
++ } \
++ EMIT(PPC_INST_BRANCH | (offset & 0x03fffffc)); \
++ } while (0)
+ /* "cond" here covers BO:BI fields. */
+-#define PPC_BCC_SHORT(cond, dest) EMIT(PPC_INST_BRANCH_COND | \
+- (((cond) & 0x3ff) << 16) | \
+- (((dest) - (ctx->idx * 4)) & \
+- 0xfffc))
++#define PPC_BCC_SHORT(cond, dest) \
++ do { \
++ long offset = (long)(dest) - (ctx->idx * 4); \
++ if (!is_offset_in_cond_branch_range(offset)) { \
++ pr_err_ratelimited("Conditional branch offset 0x%lx (@%u) out of range\n", offset, ctx->idx); \
++ return -ERANGE; \
++ } \
++ EMIT(PPC_INST_BRANCH_COND | (((cond) & 0x3ff) << 16) | (offset & 0xfffc)); \
++ } while (0)
++
+ /* Sign-extended 32-bit immediate load */
+ #define PPC_LI32(d, i) do { \
+ if ((int)(uintptr_t)(i) >= -32768 && \
+--- a/arch/powerpc/net/bpf_jit_comp64.c
++++ b/arch/powerpc/net/bpf_jit_comp64.c
+@@ -202,7 +202,7 @@ static void bpf_jit_emit_func_call(u32 *
+ PPC_BLRL();
+ }
+
+-static void bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32 out)
++static int bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32 out)
+ {
+ /*
+ * By now, the eBPF program has already setup parameters in r3, r4 and r5
+@@ -263,7 +263,9 @@ static void bpf_jit_emit_tail_call(u32 *
+ bpf_jit_emit_common_epilogue(image, ctx);
+
+ PPC_BCTR();
++
+ /* out: */
++ return 0;
+ }
+
+ /* Assemble the body code between the prologue & epilogue */
+@@ -273,7 +275,7 @@ static int bpf_jit_build_body(struct bpf
+ {
+ const struct bpf_insn *insn = fp->insnsi;
+ int flen = fp->len;
+- int i;
++ int i, ret;
+
+ /* Start of epilogue code - will only be valid 2nd pass onwards */
+ u32 exit_addr = addrs[flen];
+@@ -863,7 +865,9 @@ cond_branch:
+ */
+ case BPF_JMP | BPF_TAIL_CALL:
+ ctx->seen |= SEEN_TAILCALL;
+- bpf_jit_emit_tail_call(image, ctx, addrs[i + 1]);
++ ret = bpf_jit_emit_tail_call(image, ctx, addrs[i + 1]);
++ if (ret < 0)
++ return ret;
+ break;
+
+ default:
--- /dev/null
+From foo@baz Mon Nov 15 03:31:22 PM CET 2021
+From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
+Date: Mon, 15 Nov 2021 16:35:28 +0530
+Subject: powerpc/lib: Add helper to check if offset is within conditional branch range
+To: <stable@vger.kernel.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>, Daniel Borkmann <daniel@iogearbox.net>
+Message-ID: <7b757e056b85dc60a0ab84dafb6b648d017a02ea.1636968020.git.naveen.n.rao@linux.vnet.ibm.com>
+
+From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
+
+upstream commit 4549c3ea3160fa8b3f37dfe2f957657bb265eda9
+
+Add a helper to check if a given offset is within the branch range for a
+powerpc conditional branch instruction, and update some sites to use the
+new helper.
+
+Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Acked-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/442b69a34ced32ca346a0d9a855f3f6cfdbbbd41.1633464148.git.naveen.n.rao@linux.vnet.ibm.com
+Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/include/asm/code-patching.h | 1 +
+ arch/powerpc/lib/code-patching.c | 7 ++++++-
+ arch/powerpc/net/bpf_jit.h | 7 +------
+ 3 files changed, 8 insertions(+), 7 deletions(-)
+
+--- a/arch/powerpc/include/asm/code-patching.h
++++ b/arch/powerpc/include/asm/code-patching.h
+@@ -26,6 +26,7 @@
+ #define BRANCH_ABSOLUTE 0x2
+
+ bool is_offset_in_branch_range(long offset);
++bool is_offset_in_cond_branch_range(long offset);
+ unsigned int create_branch(const unsigned int *addr,
+ unsigned long target, int flags);
+ unsigned int create_cond_branch(const unsigned int *addr,
+--- a/arch/powerpc/lib/code-patching.c
++++ b/arch/powerpc/lib/code-patching.c
+@@ -243,6 +243,11 @@ bool is_offset_in_branch_range(long offs
+ return (offset >= -0x2000000 && offset <= 0x1fffffc && !(offset & 0x3));
+ }
+
++bool is_offset_in_cond_branch_range(long offset)
++{
++ return offset >= -0x8000 && offset <= 0x7fff && !(offset & 0x3);
++}
++
+ /*
+ * Helper to check if a given instruction is a conditional branch
+ * Derived from the conditional checks in analyse_instr()
+@@ -296,7 +301,7 @@ unsigned int create_cond_branch(const un
+ offset = offset - (unsigned long)addr;
+
+ /* Check we can represent the target in the instruction format */
+- if (offset < -0x8000 || offset > 0x7FFF || offset & 0x3)
++ if (!is_offset_in_cond_branch_range(offset))
+ return 0;
+
+ /* Mask out the flags and target, so they don't step on each other. */
+--- a/arch/powerpc/net/bpf_jit.h
++++ b/arch/powerpc/net/bpf_jit.h
+@@ -221,11 +221,6 @@
+ #define PPC_FUNC_ADDR(d,i) do { PPC_LI32(d, i); } while(0)
+ #endif
+
+-static inline bool is_nearbranch(int offset)
+-{
+- return (offset < 32768) && (offset >= -32768);
+-}
+-
+ /*
+ * The fly in the ointment of code size changing from pass to pass is
+ * avoided by padding the short branch case with a NOP. If code size differs
+@@ -234,7 +229,7 @@ static inline bool is_nearbranch(int off
+ * state.
+ */
+ #define PPC_BCC(cond, dest) do { \
+- if (is_nearbranch((dest) - (ctx->idx * 4))) { \
++ if (is_offset_in_cond_branch_range((long)(dest) - (ctx->idx * 4))) { \
+ PPC_BCC_SHORT(cond, dest); \
+ PPC_NOP(); \
+ } else { \
--- /dev/null
+From foo@baz Mon Nov 15 03:31:22 PM CET 2021
+From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
+Date: Mon, 15 Nov 2021 16:35:31 +0530
+Subject: powerpc/security: Add a helper to query stf_barrier type
+To: <stable@vger.kernel.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>, Daniel Borkmann <daniel@iogearbox.net>
+Message-ID: <962f76e4e51c5e97c26188195a9e8c2bde8f9ba9.1636968020.git.naveen.n.rao@linux.vnet.ibm.com>
+
+From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
+
+upstream commit 030905920f32e91a52794937f67434ac0b3ea41a
+
+Add a helper to return the stf_barrier type for the current processor.
+
+Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/3bd5d7f96ea1547991ac2ce3137dc2b220bae285.1633464148.git.naveen.n.rao@linux.vnet.ibm.com
+Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/include/asm/security_features.h | 5 +++++
+ arch/powerpc/kernel/security.c | 5 +++++
+ 2 files changed, 10 insertions(+)
+
+--- a/arch/powerpc/include/asm/security_features.h
++++ b/arch/powerpc/include/asm/security_features.h
+@@ -39,6 +39,11 @@ static inline bool security_ftr_enabled(
+ return !!(powerpc_security_features & feature);
+ }
+
++#ifdef CONFIG_PPC_BOOK3S_64
++enum stf_barrier_type stf_barrier_type_get(void);
++#else
++static inline enum stf_barrier_type stf_barrier_type_get(void) { return STF_BARRIER_NONE; }
++#endif
+
+ // Features indicating support for Spectre/Meltdown mitigations
+
+--- a/arch/powerpc/kernel/security.c
++++ b/arch/powerpc/kernel/security.c
+@@ -248,6 +248,11 @@ static int __init handle_no_stf_barrier(
+
+ early_param("no_stf_barrier", handle_no_stf_barrier);
+
++enum stf_barrier_type stf_barrier_type_get(void)
++{
++ return stf_enabled_flush_types;
++}
++
+ /* This is the generic flag used by other architectures */
+ static int __init handle_ssbd(char *p)
+ {
--- /dev/null
+From a4751f157c194431fae9e9c493f456df8272b871 Mon Sep 17 00:00:00 2001
+From: Vineeth Vijayan <vneethv@linux.ibm.com>
+Date: Fri, 5 Nov 2021 16:44:51 +0100
+Subject: s390/cio: check the subchannel validity for dev_busid
+
+From: Vineeth Vijayan <vneethv@linux.ibm.com>
+
+commit a4751f157c194431fae9e9c493f456df8272b871 upstream.
+
+Check the validity of subchanel before reading other fields in
+the schib.
+
+Fixes: d3683c055212 ("s390/cio: add dev_busid sysfs entry for each subchannel")
+CC: <stable@vger.kernel.org>
+Reported-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Vineeth Vijayan <vneethv@linux.ibm.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Link: https://lore.kernel.org/r/20211105154451.847288-1-vneethv@linux.ibm.com
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/cio/css.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/s390/cio/css.c
++++ b/drivers/s390/cio/css.c
+@@ -371,8 +371,8 @@ static ssize_t dev_busid_show(struct dev
+ struct subchannel *sch = to_subchannel(dev);
+ struct pmcw *pmcw = &sch->schib.pmcw;
+
+- if ((pmcw->st == SUBCHANNEL_TYPE_IO ||
+- pmcw->st == SUBCHANNEL_TYPE_MSG) && pmcw->dnv)
++ if ((pmcw->st == SUBCHANNEL_TYPE_IO && pmcw->dnv) ||
++ (pmcw->st == SUBCHANNEL_TYPE_MSG && pmcw->w))
+ return sysfs_emit(buf, "0.%x.%04x\n", sch->schid.ssid,
+ pmcw->dev);
+ else
--- /dev/null
+From 213fca9e23b59581c573d558aa477556f00b8198 Mon Sep 17 00:00:00 2001
+From: Sven Schnelle <svens@linux.ibm.com>
+Date: Tue, 2 Nov 2021 10:55:30 +0100
+Subject: s390/tape: fix timer initialization in tape_std_assign()
+
+From: Sven Schnelle <svens@linux.ibm.com>
+
+commit 213fca9e23b59581c573d558aa477556f00b8198 upstream.
+
+commit 9c6c273aa424 ("timer: Remove init_timer_on_stack() in favor
+of timer_setup_on_stack()") changed the timer setup from
+init_timer_on_stack(() to timer_setup(), but missed to change the
+mod_timer() call. And while at it, use msecs_to_jiffies() instead
+of the open coded timeout calculation.
+
+Cc: stable@vger.kernel.org
+Fixes: 9c6c273aa424 ("timer: Remove init_timer_on_stack() in favor of timer_setup_on_stack()")
+Signed-off-by: Sven Schnelle <svens@linux.ibm.com>
+Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/char/tape_std.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/s390/char/tape_std.c
++++ b/drivers/s390/char/tape_std.c
+@@ -53,7 +53,6 @@ int
+ tape_std_assign(struct tape_device *device)
+ {
+ int rc;
+- struct timer_list timeout;
+ struct tape_request *request;
+
+ request = tape_alloc_request(2, 11);
+@@ -70,7 +69,7 @@ tape_std_assign(struct tape_device *devi
+ * So we set up a timeout for this call.
+ */
+ timer_setup(&request->timer, tape_std_assign_timeout, 0);
+- mod_timer(&timeout, jiffies + 2 * HZ);
++ mod_timer(&request->timer, jiffies + msecs_to_jiffies(2000));
+
+ rc = tape_do_io_interruptible(device, request);
+
arm-9156-1-drop-cc-option-fallbacks-for-architecture-selection.patch
f2fs-should-use-gfp_nofs-for-directory-inodes.patch
9p-net-fix-missing-error-check-in-p9_check_errors.patch
+powerpc-lib-add-helper-to-check-if-offset-is-within-conditional-branch-range.patch
+powerpc-bpf-validate-branch-ranges.patch
+powerpc-bpf-fix-bpf_sub-when-imm-0x80000000.patch
+powerpc-security-add-a-helper-to-query-stf_barrier-type.patch
+powerpc-bpf-emit-stf-barrier-instruction-sequences-for-bpf_nospec.patch
+mm-oom-pagefault_out_of_memory-don-t-force-global-oom-for-dying-tasks.patch
+mm-oom-do-not-trigger-out_of_memory-from-the-pf.patch
+backlight-gpio-backlight-correct-initial-power-state-handling.patch
+video-backlight-drop-maximum-brightness-override-for-brightness-zero.patch
+s390-cio-check-the-subchannel-validity-for-dev_busid.patch
+s390-tape-fix-timer-initialization-in-tape_std_assign.patch
--- /dev/null
+From 33a5471f8da976bf271a1ebbd6b9d163cb0cb6aa Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marex@denx.de>
+Date: Tue, 21 Sep 2021 19:35:06 +0200
+Subject: video: backlight: Drop maximum brightness override for brightness zero
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Vasut <marex@denx.de>
+
+commit 33a5471f8da976bf271a1ebbd6b9d163cb0cb6aa upstream.
+
+The note in c2adda27d202f ("video: backlight: Add of_find_backlight helper
+in backlight.c") says that gpio-backlight uses brightness as power state.
+This has been fixed since in ec665b756e6f7 ("backlight: gpio-backlight:
+Correct initial power state handling") and other backlight drivers do not
+require this workaround. Drop the workaround.
+
+This fixes the case where e.g. pwm-backlight can perfectly well be set to
+brightness 0 on boot in DT, which without this patch leads to the display
+brightness to be max instead of off.
+
+Fixes: c2adda27d202f ("video: backlight: Add of_find_backlight helper in backlight.c")
+Cc: <stable@vger.kernel.org> # 5.4+
+Cc: <stable@vger.kernel.org> # 4.19.x: ec665b756e6f7: backlight: gpio-backlight: Correct initial power state handling
+Signed-off-by: Marek Vasut <marex@denx.de>
+Acked-by: Noralf Trønnes <noralf@tronnes.org>
+Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/backlight/backlight.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/drivers/video/backlight/backlight.c
++++ b/drivers/video/backlight/backlight.c
+@@ -610,12 +610,6 @@ struct backlight_device *of_find_backlig
+ of_node_put(np);
+ if (!bd)
+ return ERR_PTR(-EPROBE_DEFER);
+- /*
+- * Note: gpio_backlight uses brightness as
+- * power state during probe
+- */
+- if (!bd->props.brightness)
+- bd->props.brightness = bd->props.max_brightness;
+ }
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
