--- /dev/null
+From c0b15c25d25171db4b70cc0b7dbc1130ee94017d Mon Sep 17 00:00:00 2001
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Wed, 3 Feb 2021 23:00:57 +0000
+Subject: arm64: Extend workaround for erratum 1024718 to all versions of Cortex-A55
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+commit c0b15c25d25171db4b70cc0b7dbc1130ee94017d upstream.
+
+The erratum 1024718 affects Cortex-A55 r0p0 to r2p0. However
+we apply the work around for r0p0 - r1p0. Unfortunately this
+won't be fixed for the future revisions for the CPU. Thus
+extend the work around for all versions of A55, to cover
+for r2p0 and any future revisions.
+
+Cc: stable@vger.kernel.org
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Cc: James Morse <james.morse@arm.com>
+Cc: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Link: https://lore.kernel.org/r/20210203230057.3961239-1-suzuki.poulose@arm.com
+[will: Update Kconfig help text]
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/Kconfig | 2 +-
+ arch/arm64/kernel/cpufeature.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -520,7 +520,7 @@ config ARM64_ERRATUM_1024718
+ help
+ This option adds a workaround for ARM Cortex-A55 Erratum 1024718.
+
+- Affected Cortex-A55 cores (r0p0, r0p1, r1p0) could cause incorrect
++ Affected Cortex-A55 cores (all revisions) could cause incorrect
+ update of the hardware dirty bit when the DBM/AP bits are updated
+ without a break-before-make. The workaround is to disable the usage
+ of hardware DBM locally on the affected cores. CPUs not affected by
+--- a/arch/arm64/kernel/cpufeature.c
++++ b/arch/arm64/kernel/cpufeature.c
+@@ -1457,7 +1457,7 @@ static bool cpu_has_broken_dbm(void)
+ /* List of CPUs which have broken DBM support. */
+ static const struct midr_range cpus[] = {
+ #ifdef CONFIG_ARM64_ERRATUM_1024718
+- MIDR_RANGE(MIDR_CORTEX_A55, 0, 0, 1, 0), // A55 r0p0 -r1p0
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A55),
+ /* Kryo4xx Silver (rdpe => r1p0) */
+ MIDR_REV(MIDR_QCOM_KRYO_4XX_SILVER, 0xd, 0xe),
+ #endif
--- /dev/null
+From 656d1d58d8e0958d372db86c24f0b2ea36f50888 Mon Sep 17 00:00:00 2001
+From: qiuguorui1 <qiuguorui1@huawei.com>
+Date: Thu, 18 Feb 2021 20:59:00 +0800
+Subject: arm64: kexec_file: fix memory leakage in create_dtb() when fdt_open_into() fails
+
+From: qiuguorui1 <qiuguorui1@huawei.com>
+
+commit 656d1d58d8e0958d372db86c24f0b2ea36f50888 upstream.
+
+in function create_dtb(), if fdt_open_into() fails, we need to vfree
+buf before return.
+
+Fixes: 52b2a8af7436 ("arm64: kexec_file: load initrd and device-tree")
+Cc: stable@vger.kernel.org # v5.0
+Signed-off-by: qiuguorui1 <qiuguorui1@huawei.com>
+Link: https://lore.kernel.org/r/20210218125900.6810-1-qiuguorui1@huawei.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/machine_kexec_file.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/machine_kexec_file.c
++++ b/arch/arm64/kernel/machine_kexec_file.c
+@@ -182,8 +182,10 @@ static int create_dtb(struct kimage *ima
+
+ /* duplicate a device tree blob */
+ ret = fdt_open_into(initial_boot_params, buf, buf_size);
+- if (ret)
++ if (ret) {
++ vfree(buf);
+ return -EINVAL;
++ }
+
+ ret = setup_dtb(image, initrd_load_addr, initrd_len,
+ cmdline, buf);
--- /dev/null
+From f5c6d0fcf90ce07ee0d686d465b19b247ebd5ed7 Mon Sep 17 00:00:00 2001
+From: Shaoying Xu <shaoyi@amazon.com>
+Date: Tue, 16 Feb 2021 18:32:34 +0000
+Subject: arm64 module: set plt* section addresses to 0x0
+
+From: Shaoying Xu <shaoyi@amazon.com>
+
+commit f5c6d0fcf90ce07ee0d686d465b19b247ebd5ed7 upstream.
+
+These plt* and .text.ftrace_trampoline sections specified for arm64 have
+non-zero addressses. Non-zero section addresses in a relocatable ELF would
+confuse GDB when it tries to compute the section offsets and it ends up
+printing wrong symbol addresses. Therefore, set them to zero, which mirrors
+the change in commit 5d8591bc0fba ("module: set ksymtab/kcrctab* section
+addresses to 0x0").
+
+Reported-by: Frank van der Linden <fllinden@amazon.com>
+Signed-off-by: Shaoying Xu <shaoyi@amazon.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210216183234.GA23876@amazon.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/module.lds.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/arm64/include/asm/module.lds.h
++++ b/arch/arm64/include/asm/module.lds.h
+@@ -1,7 +1,7 @@
+ #ifdef CONFIG_ARM64_MODULE_PLTS
+ SECTIONS {
+- .plt (NOLOAD) : { BYTE(0) }
+- .init.plt (NOLOAD) : { BYTE(0) }
+- .text.ftrace_trampoline (NOLOAD) : { BYTE(0) }
++ .plt 0 (NOLOAD) : { BYTE(0) }
++ .init.plt 0 (NOLOAD) : { BYTE(0) }
++ .text.ftrace_trampoline 0 (NOLOAD) : { BYTE(0) }
+ }
+ #endif
--- /dev/null
+From a2c42bbabbe260b7626d8459093631a6e16ee0ee Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Thu, 18 Feb 2021 14:03:46 +0000
+Subject: arm64: spectre: Prevent lockdep splat on v4 mitigation enable path
+
+From: Will Deacon <will@kernel.org>
+
+commit a2c42bbabbe260b7626d8459093631a6e16ee0ee upstream.
+
+The Spectre-v4 workaround is re-configured when resuming from suspend,
+as the firmware may have re-enabled the mitigation despite the user
+previously asking for it to be disabled.
+
+Enabling or disabling the workaround can result in an undefined
+instruction exception on CPUs which implement PSTATE.SSBS but only allow
+it to be configured by adjusting the SPSR on exception return. We handle
+this by installing an 'undef hook' which effectively emulates the access.
+
+Installing this hook requires us to take a couple of spinlocks both to
+avoid corrupting the internal list of hooks but also to ensure that we
+don't run into an unhandled exception. Unfortunately, when resuming from
+suspend, we haven't yet called rcu_idle_exit() and so lockdep gets angry
+about "suspicious RCU usage". In doing so, it tries to print a warning,
+which leads it to get even more suspicious, this time about itself:
+
+ | rcu_scheduler_active = 2, debug_locks = 1
+ | RCU used illegally from extended quiescent state!
+ | 1 lock held by swapper/0:
+ | #0: (logbuf_lock){-.-.}-{2:2}, at: vprintk_emit+0x88/0x198
+ |
+ | Call trace:
+ | dump_backtrace+0x0/0x1d8
+ | show_stack+0x18/0x24
+ | dump_stack+0xe0/0x17c
+ | lockdep_rcu_suspicious+0x11c/0x134
+ | trace_lock_release+0xa0/0x160
+ | lock_release+0x3c/0x290
+ | _raw_spin_unlock+0x44/0x80
+ | vprintk_emit+0xbc/0x198
+ | vprintk_default+0x44/0x6c
+ | vprintk_func+0x1f4/0x1fc
+ | printk+0x54/0x7c
+ | lockdep_rcu_suspicious+0x30/0x134
+ | trace_lock_acquire+0xa0/0x188
+ | lock_acquire+0x50/0x2fc
+ | _raw_spin_lock+0x68/0x80
+ | spectre_v4_enable_mitigation+0xa8/0x30c
+ | __cpu_suspend_exit+0xd4/0x1a8
+ | cpu_suspend+0xa0/0x104
+ | psci_cpu_suspend_enter+0x3c/0x5c
+ | psci_enter_idle_state+0x44/0x74
+ | cpuidle_enter_state+0x148/0x2f8
+ | cpuidle_enter+0x38/0x50
+ | do_idle+0x1f0/0x2b4
+
+Prevent these splats by running __cpu_suspend_exit() with RCU watching.
+
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Boqun Feng <boqun.feng@gmail.com>
+Cc: Marc Zyngier <maz@kernel.org>
+Cc: Saravana Kannan <saravanak@google.com>
+Suggested-by: "Paul E . McKenney" <paulmck@kernel.org>
+Reported-by: Sami Tolvanen <samitolvanen@google.com>
+Fixes: c28762070ca6 ("arm64: Rewrite Spectre-v4 mitigation code")
+Cc: <stable@vger.kernel.org>
+Acked-by: Paul E. McKenney <paulmck@kernel.org>
+Acked-by: Marc Zyngier <maz@kernel.org>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Link: https://lore.kernel.org/r/20210218140346.5224-1-will@kernel.org
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/suspend.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/suspend.c
++++ b/arch/arm64/kernel/suspend.c
+@@ -120,7 +120,7 @@ int cpu_suspend(unsigned long arg, int (
+ if (!ret)
+ ret = -EOPNOTSUPP;
+ } else {
+- __cpu_suspend_exit();
++ RCU_NONIDLE(__cpu_suspend_exit());
+ }
+
+ unpause_graph_tracing();
--- /dev/null
+From d47422d953e258ad587b5edf2274eb95d08bdc7d Mon Sep 17 00:00:00 2001
+From: He Zhe <zhe.he@windriver.com>
+Date: Tue, 23 Feb 2021 16:25:34 +0800
+Subject: arm64: uprobe: Return EOPNOTSUPP for AARCH32 instruction probing
+
+From: He Zhe <zhe.he@windriver.com>
+
+commit d47422d953e258ad587b5edf2274eb95d08bdc7d upstream.
+
+As stated in linux/errno.h, ENOTSUPP should never be seen by user programs.
+When we set up uprobe with 32-bit perf and arm64 kernel, we would see the
+following vague error without useful hint.
+
+The sys_perf_event_open() syscall returned with 524 (INTERNAL ERROR:
+strerror_r(524, [buf], 128)=22)
+
+Use EOPNOTSUPP instead to indicate such cases.
+
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+Link: https://lore.kernel.org/r/20210223082535.48730-1-zhe.he@windriver.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/probes/uprobes.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/probes/uprobes.c
++++ b/arch/arm64/kernel/probes/uprobes.c
+@@ -38,7 +38,7 @@ int arch_uprobe_analyze_insn(struct arch
+
+ /* TODO: Currently we do not support AARCH32 instruction probing */
+ if (mm->context.flags & MMCF_AARCH32)
+- return -ENOTSUPP;
++ return -EOPNOTSUPP;
+ else if (!IS_ALIGNED(addr, AARCH64_INSN_SIZE))
+ return -EINVAL;
+
--- /dev/null
+From f72896063396b0cb205cbf0fd76ec6ab3ca11c8a Mon Sep 17 00:00:00 2001
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Mon, 1 Feb 2021 11:13:51 -0700
+Subject: coresight: etm4x: Handle accesses to TRCSTALLCTLR
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+commit f72896063396b0cb205cbf0fd76ec6ab3ca11c8a upstream.
+
+TRCSTALLCTLR register is only implemented if
+
+ TRCIDR3.STALLCTL == 0b1
+
+Make sure the driver touches the register only it is implemented.
+
+Link: https://lore.kernel.org/r/20210127184617.3684379-1-suzuki.poulose@arm.com
+Cc: stable@vger.kernel.org
+Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
+Cc: Mike Leach <mike.leach@linaro.org>
+Cc: Leo Yan <leo.yan@linaro.org>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Link: https://lore.kernel.org/r/20210201181351.1475223-32-mathieu.poirier@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/coresight/coresight-etm4x-core.c | 9 ++++++---
+ drivers/hwtracing/coresight/coresight-etm4x-sysfs.c | 2 +-
+ 2 files changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/hwtracing/coresight/coresight-etm4x-core.c
++++ b/drivers/hwtracing/coresight/coresight-etm4x-core.c
+@@ -131,7 +131,8 @@ static int etm4_enable_hw(struct etmv4_d
+ writel_relaxed(0x0, drvdata->base + TRCAUXCTLR);
+ writel_relaxed(config->eventctrl0, drvdata->base + TRCEVENTCTL0R);
+ writel_relaxed(config->eventctrl1, drvdata->base + TRCEVENTCTL1R);
+- writel_relaxed(config->stall_ctrl, drvdata->base + TRCSTALLCTLR);
++ if (drvdata->stallctl)
++ writel_relaxed(config->stall_ctrl, drvdata->base + TRCSTALLCTLR);
+ writel_relaxed(config->ts_ctrl, drvdata->base + TRCTSCTLR);
+ writel_relaxed(config->syncfreq, drvdata->base + TRCSYNCPR);
+ writel_relaxed(config->ccctlr, drvdata->base + TRCCCCTLR);
+@@ -1187,7 +1188,8 @@ static int etm4_cpu_save(struct etmv4_dr
+ state->trcauxctlr = readl(drvdata->base + TRCAUXCTLR);
+ state->trceventctl0r = readl(drvdata->base + TRCEVENTCTL0R);
+ state->trceventctl1r = readl(drvdata->base + TRCEVENTCTL1R);
+- state->trcstallctlr = readl(drvdata->base + TRCSTALLCTLR);
++ if (drvdata->stallctl)
++ state->trcstallctlr = readl(drvdata->base + TRCSTALLCTLR);
+ state->trctsctlr = readl(drvdata->base + TRCTSCTLR);
+ state->trcsyncpr = readl(drvdata->base + TRCSYNCPR);
+ state->trcccctlr = readl(drvdata->base + TRCCCCTLR);
+@@ -1297,7 +1299,8 @@ static void etm4_cpu_restore(struct etmv
+ writel_relaxed(state->trcauxctlr, drvdata->base + TRCAUXCTLR);
+ writel_relaxed(state->trceventctl0r, drvdata->base + TRCEVENTCTL0R);
+ writel_relaxed(state->trceventctl1r, drvdata->base + TRCEVENTCTL1R);
+- writel_relaxed(state->trcstallctlr, drvdata->base + TRCSTALLCTLR);
++ if (drvdata->stallctl)
++ writel_relaxed(state->trcstallctlr, drvdata->base + TRCSTALLCTLR);
+ writel_relaxed(state->trctsctlr, drvdata->base + TRCTSCTLR);
+ writel_relaxed(state->trcsyncpr, drvdata->base + TRCSYNCPR);
+ writel_relaxed(state->trcccctlr, drvdata->base + TRCCCCTLR);
+--- a/drivers/hwtracing/coresight/coresight-etm4x-sysfs.c
++++ b/drivers/hwtracing/coresight/coresight-etm4x-sysfs.c
+@@ -389,7 +389,7 @@ static ssize_t mode_store(struct device
+ config->eventctrl1 &= ~BIT(12);
+
+ /* bit[8], Instruction stall bit */
+- if (config->mode & ETM_MODE_ISTALL_EN)
++ if ((config->mode & ETM_MODE_ISTALL_EN) && (drvdata->stallctl == true))
+ config->stall_ctrl |= BIT(8);
+ else
+ config->stall_ctrl &= ~BIT(8);
--- /dev/null
+From 70779b897395b330ba5a47bed84f94178da599f9 Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Wed, 20 Jan 2021 00:51:13 -0800
+Subject: fs/affs: release old buffer head on error path
+
+From: Pan Bian <bianpan2016@163.com>
+
+commit 70779b897395b330ba5a47bed84f94178da599f9 upstream.
+
+The reference count of the old buffer head should be decremented on path
+that fails to get the new buffer head.
+
+Fixes: 6b4657667ba0 ("fs/affs: add rename exchange")
+CC: stable@vger.kernel.org # 4.14+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/affs/namei.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/affs/namei.c
++++ b/fs/affs/namei.c
+@@ -460,8 +460,10 @@ affs_xrename(struct inode *old_dir, stru
+ return -EIO;
+
+ bh_new = affs_bread(sb, d_inode(new_dentry)->i_ino);
+- if (!bh_new)
++ if (!bh_new) {
++ affs_brelse(bh_old);
+ return -EIO;
++ }
+
+ /* Remove old header from its parent directory. */
+ affs_lock_dir(old_dir);
--- /dev/null
+From 3272cfc2525b3a2810a59312d7a1e6f04a0ca3ef Mon Sep 17 00:00:00 2001
+From: Mike Kravetz <mike.kravetz@oracle.com>
+Date: Wed, 24 Feb 2021 12:07:54 -0800
+Subject: hugetlb: fix copy_huge_page_from_user contig page struct assumption
+
+From: Mike Kravetz <mike.kravetz@oracle.com>
+
+commit 3272cfc2525b3a2810a59312d7a1e6f04a0ca3ef upstream.
+
+page structs are not guaranteed to be contiguous for gigantic pages. The
+routine copy_huge_page_from_user can encounter gigantic pages, yet it
+assumes page structs are contiguous when copying pages from user space.
+
+Since page structs for the target gigantic page are not contiguous, the
+data copied from user space could overwrite other pages not associated
+with the gigantic page and cause data corruption.
+
+Non-contiguous page structs are generally not an issue. However, they can
+exist with a specific kernel configuration and hotplug operations. For
+example: Configure the kernel with CONFIG_SPARSEMEM and
+!CONFIG_SPARSEMEM_VMEMMAP. Then, hotplug add memory for the area where
+the gigantic page will be allocated.
+
+Link: https://lkml.kernel.org/r/20210217184926.33567-2-mike.kravetz@oracle.com
+Fixes: 8fb5debc5fcd ("userfaultfd: hugetlbfs: add hugetlb_mcopy_atomic_pte for userfaultfd support")
+Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Zi Yan <ziy@nvidia.com>
+Cc: Davidlohr Bueso <dbueso@suse.de>
+Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: Joao Martins <joao.m.martins@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/memory.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -5203,17 +5203,19 @@ long copy_huge_page_from_user(struct pag
+ void *page_kaddr;
+ unsigned long i, rc = 0;
+ unsigned long ret_val = pages_per_huge_page * PAGE_SIZE;
++ struct page *subpage = dst_page;
+
+- for (i = 0; i < pages_per_huge_page; i++) {
++ for (i = 0; i < pages_per_huge_page;
++ i++, subpage = mem_map_next(subpage, dst_page, i)) {
+ if (allow_pagefault)
+- page_kaddr = kmap(dst_page + i);
++ page_kaddr = kmap(subpage);
+ else
+- page_kaddr = kmap_atomic(dst_page + i);
++ page_kaddr = kmap_atomic(subpage);
+ rc = copy_from_user(page_kaddr,
+ (const void __user *)(src + i * PAGE_SIZE),
+ PAGE_SIZE);
+ if (allow_pagefault)
+- kunmap(dst_page + i);
++ kunmap(subpage);
+ else
+ kunmap_atomic(page_kaddr);
+
--- /dev/null
+From dbfee5aee7e54f83d96ceb8e3e80717fac62ad63 Mon Sep 17 00:00:00 2001
+From: Mike Kravetz <mike.kravetz@oracle.com>
+Date: Wed, 24 Feb 2021 12:07:50 -0800
+Subject: hugetlb: fix update_and_free_page contig page struct assumption
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mike Kravetz <mike.kravetz@oracle.com>
+
+commit dbfee5aee7e54f83d96ceb8e3e80717fac62ad63 upstream.
+
+page structs are not guaranteed to be contiguous for gigantic pages. The
+routine update_and_free_page can encounter a gigantic page, yet it assumes
+page structs are contiguous when setting page flags in subpages.
+
+If update_and_free_page encounters non-contiguous page structs, we can see
+“BUG: Bad page state in process …” errors.
+
+Non-contiguous page structs are generally not an issue. However, they can
+exist with a specific kernel configuration and hotplug operations. For
+example: Configure the kernel with CONFIG_SPARSEMEM and
+!CONFIG_SPARSEMEM_VMEMMAP. Then, hotplug add memory for the area where
+the gigantic page will be allocated. Zi Yan outlined steps to reproduce
+here [1].
+
+[1] https://lore.kernel.org/linux-mm/16F7C58B-4D79-41C5-9B64-A1A1628F4AF2@nvidia.com/
+
+Link: https://lkml.kernel.org/r/20210217184926.33567-1-mike.kravetz@oracle.com
+Fixes: 944d9fec8d7a ("hugetlb: add support for gigantic page allocation at runtime")
+Signed-off-by: Zi Yan <ziy@nvidia.com>
+Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Zi Yan <ziy@nvidia.com>
+Cc: Davidlohr Bueso <dbueso@suse.de>
+Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: Joao Martins <joao.m.martins@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/hugetlb.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -1312,14 +1312,16 @@ static inline void destroy_compound_giga
+ static void update_and_free_page(struct hstate *h, struct page *page)
+ {
+ int i;
++ struct page *subpage = page;
+
+ if (hstate_is_gigantic(h) && !gigantic_page_runtime_supported())
+ return;
+
+ h->nr_huge_pages--;
+ h->nr_huge_pages_node[page_to_nid(page)]--;
+- for (i = 0; i < pages_per_huge_page(h); i++) {
+- page[i].flags &= ~(1 << PG_locked | 1 << PG_error |
++ for (i = 0; i < pages_per_huge_page(h);
++ i++, subpage = mem_map_next(subpage, page, i)) {
++ subpage->flags &= ~(1 << PG_locked | 1 << PG_error |
+ 1 << PG_referenced | 1 << PG_dirty |
+ 1 << PG_active | 1 << PG_private |
+ 1 << PG_writeback);
--- /dev/null
+From dead723e6f049e9fb6b05e5b93456982798ea961 Mon Sep 17 00:00:00 2001
+From: "Isaac J. Manjarres" <isaacm@codeaurora.org>
+Date: Mon, 25 Jan 2021 13:52:25 -0800
+Subject: iommu/arm-smmu-qcom: Fix mask extraction for bootloader programmed SMRs
+
+From: Isaac J. Manjarres <isaacm@codeaurora.org>
+
+commit dead723e6f049e9fb6b05e5b93456982798ea961 upstream.
+
+When extracting the mask for a SMR that was programmed by the
+bootloader, the SMR's valid bit is also extracted and is treated
+as part of the mask, which is not correct. Consider the scenario
+where an SMMU master whose context is determined by a bootloader
+programmed SMR is removed (omitting parts of device/driver core):
+
+->iommu_release_device()
+ -> arm_smmu_release_device()
+ -> arm_smmu_master_free_smes()
+ -> arm_smmu_free_sme() /* Assume that the SME is now free */
+ -> arm_smmu_write_sme()
+ -> arm_smmu_write_smr() /* Construct SMR value using mask and SID */
+
+Since the valid bit was considered as part of the mask, the SMR will
+be programmed as valid.
+
+Fix the SMR mask extraction step for bootloader programmed SMRs
+by masking out the valid bit when we know that we're already
+working with a valid SMR.
+
+Fixes: 07a7f2caaa5a ("iommu/arm-smmu-qcom: Read back stream mappings")
+Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
+Cc: stable@vger.kernel.org
+Reviewed-by: Robin Murphy <robin.murphy@arm.com>
+Link: https://lore.kernel.org/r/1611611545-19055-1-git-send-email-isaacm@codeaurora.org
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
++++ b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
+@@ -65,6 +65,8 @@ static int qcom_smmu_cfg_probe(struct ar
+ smr = arm_smmu_gr0_read(smmu, ARM_SMMU_GR0_SMR(i));
+
+ if (FIELD_GET(ARM_SMMU_SMR_VALID, smr)) {
++ /* Ignore valid bit for SMR mask extraction. */
++ smr &= ~ARM_SMMU_SMR_VALID;
+ smmu->smrs[i].id = FIELD_GET(ARM_SMMU_SMR_ID, smr);
+ smmu->smrs[i].mask = FIELD_GET(ARM_SMMU_SMR_MASK, smr);
+ smmu->smrs[i].valid = true;
--- /dev/null
+From a04aead144fd938c2d9869eb187e5b9ea0009bae Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu, 18 Feb 2021 07:16:59 -0500
+Subject: KVM: nSVM: fix running nested guests when npt=0
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit a04aead144fd938c2d9869eb187e5b9ea0009bae upstream.
+
+In case of npt=0 on host, nSVM needs the same .inject_page_fault tweak
+as VMX has, to make sure that shadow mmu faults are injected as vmexits.
+
+It is not clear why this is needed at all, but for now keep the same
+code as VMX and we'll fix it for both.
+
+Based on a patch by Maxim Levitsky <mlevitsk@redhat.com>.
+
+Fixes: 7c86663b68ba ("KVM: nSVM: inject exceptions via svm_check_nested_events")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/svm/nested.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+--- a/arch/x86/kvm/svm/nested.c
++++ b/arch/x86/kvm/svm/nested.c
+@@ -51,6 +51,23 @@ static void nested_svm_inject_npf_exit(s
+ nested_svm_vmexit(svm);
+ }
+
++static void svm_inject_page_fault_nested(struct kvm_vcpu *vcpu, struct x86_exception *fault)
++{
++ struct vcpu_svm *svm = to_svm(vcpu);
++ WARN_ON(!is_guest_mode(vcpu));
++
++ if (vmcb_is_intercept(&svm->nested.ctl, INTERCEPT_EXCEPTION_OFFSET + PF_VECTOR) &&
++ !svm->nested.nested_run_pending) {
++ svm->vmcb->control.exit_code = SVM_EXIT_EXCP_BASE + PF_VECTOR;
++ svm->vmcb->control.exit_code_hi = 0;
++ svm->vmcb->control.exit_info_1 = fault->error_code;
++ svm->vmcb->control.exit_info_2 = fault->address;
++ nested_svm_vmexit(svm);
++ } else {
++ kvm_inject_page_fault(vcpu, fault);
++ }
++}
++
+ static u64 nested_svm_get_tdp_pdptr(struct kvm_vcpu *vcpu, int index)
+ {
+ struct vcpu_svm *svm = to_svm(vcpu);
+@@ -446,6 +463,9 @@ int enter_svm_guest_mode(struct vcpu_svm
+ if (ret)
+ return ret;
+
++ if (!npt_enabled)
++ svm->vcpu.arch.mmu->inject_page_fault = svm_inject_page_fault_nested;
++
+ svm_set_gif(svm, true);
+
+ return 0;
--- /dev/null
+From 6e2b7044c199229a3d20cefbd3184968238c4184 Mon Sep 17 00:00:00 2001
+From: Vlastimil Babka <vbabka@suse.cz>
+Date: Wed, 24 Feb 2021 12:09:39 -0800
+Subject: mm, compaction: make fast_isolate_freepages() stay within zone
+
+From: Vlastimil Babka <vbabka@suse.cz>
+
+commit 6e2b7044c199229a3d20cefbd3184968238c4184 upstream.
+
+Compaction always operates on pages from a single given zone when
+isolating both pages to migrate and freepages. Pageblock boundaries are
+intersected with zone boundaries to be safe in case zone starts or ends in
+the middle of pageblock. The use of pageblock_pfn_to_page() protects
+against non-contiguous pageblocks.
+
+The functions fast_isolate_freepages() and fast_isolate_around() don't
+currently protect the fast freepage isolation thoroughly enough against
+these corner cases, and can result in freepage isolation operate outside
+of zone boundaries:
+
+ - in fast_isolate_freepages() if we get a pfn from the first pageblock
+ of a zone that starts in the middle of that pageblock, 'highest' can
+ be a pfn outside of the zone.
+
+ If we fail to isolate anything in this function, we may then call
+ fast_isolate_around() on a pfn outside of the zone and there
+ effectively do a set_pageblock_skip(page_to_pfn(highest)) which may
+ currently hit a VM_BUG_ON() in some configurations
+
+ - fast_isolate_around() checks only the zone end boundary and not
+ beginning, nor that the pageblock is contiguous (with
+ pageblock_pfn_to_page()) so it's possible that we end up calling
+ isolate_freepages_block() on a range of pfn's from two different
+ zones and end up e.g. isolating freepages under the wrong zone's
+ lock.
+
+This patch should fix the above issues.
+
+Link: https://lkml.kernel.org/r/20210217173300.6394-1-vbabka@suse.cz
+Fixes: 5a811889de10 ("mm, compaction: use free lists to quickly locate a migration target")
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Acked-by: David Rientjes <rientjes@google.com>
+Acked-by: Mel Gorman <mgorman@techsingularity.net>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: David Hildenbrand <david@redhat.com>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Mike Rapoport <rppt@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/compaction.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/mm/compaction.c
++++ b/mm/compaction.c
+@@ -1248,7 +1248,7 @@ static void
+ fast_isolate_around(struct compact_control *cc, unsigned long pfn, unsigned long nr_isolated)
+ {
+ unsigned long start_pfn, end_pfn;
+- struct page *page = pfn_to_page(pfn);
++ struct page *page;
+
+ /* Do not search around if there are enough pages already */
+ if (cc->nr_freepages >= cc->nr_migratepages)
+@@ -1259,8 +1259,12 @@ fast_isolate_around(struct compact_contr
+ return;
+
+ /* Pageblock boundaries */
+- start_pfn = pageblock_start_pfn(pfn);
+- end_pfn = min(pageblock_end_pfn(pfn), zone_end_pfn(cc->zone)) - 1;
++ start_pfn = max(pageblock_start_pfn(pfn), cc->zone->zone_start_pfn);
++ end_pfn = min(pageblock_end_pfn(pfn), zone_end_pfn(cc->zone));
++
++ page = pageblock_pfn_to_page(start_pfn, end_pfn, cc->zone);
++ if (!page)
++ return;
+
+ /* Scan before */
+ if (start_pfn != pfn) {
+@@ -1362,7 +1366,8 @@ fast_isolate_freepages(struct compact_co
+ pfn = page_to_pfn(freepage);
+
+ if (pfn >= highest)
+- highest = pageblock_start_pfn(pfn);
++ highest = max(pageblock_start_pfn(pfn),
++ cc->zone->zone_start_pfn);
+
+ if (pfn >= low_pfn) {
+ cc->fast_search_fail = 0;
+@@ -1432,7 +1437,8 @@ fast_isolate_freepages(struct compact_co
+ } else {
+ if (cc->direct_compaction && pfn_valid(min_pfn)) {
+ page = pageblock_pfn_to_page(min_pfn,
+- pageblock_end_pfn(min_pfn),
++ min(pageblock_end_pfn(min_pfn),
++ zone_end_pfn(cc->zone)),
+ cc->zone);
+ cc->free_pfn = min_pfn;
+ }
--- /dev/null
+From 1685bde6b9af55923180a76152036c7fb7176db0 Mon Sep 17 00:00:00 2001
+From: Muchun Song <songmuchun@bytedance.com>
+Date: Wed, 24 Feb 2021 12:04:22 -0800
+Subject: mm: memcontrol: fix get_active_memcg return value
+
+From: Muchun Song <songmuchun@bytedance.com>
+
+commit 1685bde6b9af55923180a76152036c7fb7176db0 upstream.
+
+We use a global percpu int_active_memcg variable to store the remote memcg
+when we are in the interrupt context. But get_active_memcg always return
+the current->active_memcg or root_mem_cgroup. The remote memcg (set in
+the interrupt context) is ignored. This is not what we want. So fix it.
+
+Link: https://lkml.kernel.org/r/20210223091101.42150-1-songmuchun@bytedance.com
+Fixes: 37d5985c003d ("mm: kmem: prepare remote memcg charging infra for interrupt contexts")
+Signed-off-by: Muchun Song <songmuchun@bytedance.com>
+Reviewed-by: Shakeel Butt <shakeelb@google.com>
+Reviewed-by: Roman Gushchin <guro@fb.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/memcontrol.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -1083,13 +1083,9 @@ static __always_inline struct mem_cgroup
+
+ rcu_read_lock();
+ memcg = active_memcg();
+- if (memcg) {
+- /* current->active_memcg must hold a ref. */
+- if (WARN_ON_ONCE(!css_tryget(&memcg->css)))
+- memcg = root_mem_cgroup;
+- else
+- memcg = current->active_memcg;
+- }
++ /* remote memcg must hold a ref. */
++ if (memcg && WARN_ON_ONCE(!css_tryget(&memcg->css)))
++ memcg = root_mem_cgroup;
+ rcu_read_unlock();
+
+ return memcg;
--- /dev/null
+From cae3af62b33aa931427a0f211e04347b22180b36 Mon Sep 17 00:00:00 2001
+From: Muchun Song <songmuchun@bytedance.com>
+Date: Wed, 24 Feb 2021 12:04:19 -0800
+Subject: mm: memcontrol: fix swap undercounting in cgroup2
+
+From: Muchun Song <songmuchun@bytedance.com>
+
+commit cae3af62b33aa931427a0f211e04347b22180b36 upstream.
+
+When pages are swapped in, the VM may retain the swap copy to avoid
+repeated writes in the future. It's also retained if shared pages are
+faulted back in some processes, but not in others. During that time we
+have an in-memory copy of the page, as well as an on-swap copy. Cgroup1
+and cgroup2 handle these overlapping lifetimes slightly differently due to
+the nature of how they account memory and swap:
+
+Cgroup1 has a unified memory+swap counter that tracks a data page
+regardless whether it's in-core or swapped out. On swapin, we transfer
+the charge from the swap entry to the newly allocated swapcache page, even
+though the swap entry might stick around for a while. That's why we have
+a mem_cgroup_uncharge_swap() call inside mem_cgroup_charge().
+
+Cgroup2 tracks memory and swap as separate, independent resources and thus
+has split memory and swap counters. On swapin, we charge the newly
+allocated swapcache page as memory, while the swap slot in turn must
+remain charged to the swap counter as long as its allocated too.
+
+The cgroup2 logic was broken by commit 2d1c498072de ("mm: memcontrol: make
+swap tracking an integral part of memory control"), because it
+accidentally removed the do_memsw_account() check in the branch inside
+mem_cgroup_uncharge() that was supposed to tell the difference between the
+charge transfer in cgroup1 and the separate counters in cgroup2.
+
+As a result, cgroup2 currently undercounts retained swap to varying
+degrees: swap slots are cached up to 50% of the configured limit or total
+available swap space; partially faulted back shared pages are only limited
+by physical capacity. This in turn allows cgroups to significantly
+overconsume their alloted swap space.
+
+Add the do_memsw_account() check back to fix this problem.
+
+Link: https://lkml.kernel.org/r/20210217153237.92484-1-songmuchun@bytedance.com
+Fixes: 2d1c498072de ("mm: memcontrol: make swap tracking an integral part of memory control")
+Signed-off-by: Muchun Song <songmuchun@bytedance.com>
+Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+Reviewed-by: Shakeel Butt <shakeelb@google.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
+Cc: <stable@vger.kernel.org> [5.8+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/memcontrol.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -6808,7 +6808,19 @@ int mem_cgroup_charge(struct page *page,
+ memcg_check_events(memcg, page);
+ local_irq_enable();
+
+- if (PageSwapCache(page)) {
++ /*
++ * Cgroup1's unified memory+swap counter has been charged with the
++ * new swapcache page, finish the transfer by uncharging the swap
++ * slot. The swap slot would also get uncharged when it dies, but
++ * it can stick around indefinitely and we'd count the page twice
++ * the entire time.
++ *
++ * Cgroup2 has separate resource counters for memory and swap,
++ * so this is a non-issue here. Memory and swap charge lifetimes
++ * correspond 1:1 to page and swap slot lifetimes: we charge the
++ * page to memory here, and uncharge swap when the slot is freed.
++ */
++ if (do_memsw_account() && PageSwapCache(page)) {
+ swp_entry_t entry = { .val = page_private(page) };
+ /*
+ * The swap entry might not get freed for a long time,
--- /dev/null
+From 519983645a9f2ec339cabfa0c6ef7b09be985dd0 Mon Sep 17 00:00:00 2001
+From: Dave Hansen <dave.hansen@linux.intel.com>
+Date: Wed, 24 Feb 2021 12:09:15 -0800
+Subject: mm/vmscan: restore zone_reclaim_mode ABI
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+commit 519983645a9f2ec339cabfa0c6ef7b09be985dd0 upstream.
+
+I went to go add a new RECLAIM_* mode for the zone_reclaim_mode sysctl.
+Like a good kernel developer, I also went to go update the
+documentation. I noticed that the bits in the documentation didn't
+match the bits in the #defines.
+
+The VM never explicitly checks the RECLAIM_ZONE bit. The bit is,
+however implicitly checked when checking 'node_reclaim_mode==0'. The
+RECLAIM_ZONE #define was removed in a cleanup. That, by itself is fine.
+
+But, when the bit was removed (bit 0) the _other_ bit locations also got
+changed. That's not OK because the bit values are documented to mean
+one specific thing. Users surely do not expect the meaning to change
+from kernel to kernel.
+
+The end result is that if someone had a script that did:
+
+ sysctl vm.zone_reclaim_mode=1
+
+it would have gone from enabling node reclaim for clean unmapped pages
+to writing out pages during node reclaim after the commit in question.
+That's not great.
+
+Put the bits back the way they were and add a comment so something like
+this is a bit harder to do again. Update the documentation to make it
+clear that the first bit is ignored.
+
+Link: https://lkml.kernel.org/r/20210219172555.FF0CDF23@viggo.jf.intel.com
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Fixes: 648b5cf368e0 ("mm/vmscan: remove unused RECLAIM_OFF/RECLAIM_ZONE")
+Reviewed-by: Ben Widawsky <ben.widawsky@intel.com>
+Reviewed-by: Oscar Salvador <osalvador@suse.de>
+Acked-by: David Rientjes <rientjes@google.com>
+Acked-by: Christoph Lameter <cl@linux.com>
+Cc: Alex Shi <alex.shi@linux.alibaba.com>
+Cc: Daniel Wagner <dwagner@suse.de>
+Cc: "Tobin C. Harding" <tobin@kernel.org>
+Cc: Christoph Lameter <cl@linux.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Huang Ying <ying.huang@intel.com>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Qian Cai <cai@lca.pw>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/admin-guide/sysctl/vm.rst | 10 +++++-----
+ mm/vmscan.c | 9 +++++++--
+ 2 files changed, 12 insertions(+), 7 deletions(-)
+
+--- a/Documentation/admin-guide/sysctl/vm.rst
++++ b/Documentation/admin-guide/sysctl/vm.rst
+@@ -978,11 +978,11 @@ that benefit from having their data cach
+ left disabled as the caching effect is likely to be more important than
+ data locality.
+
+-zone_reclaim may be enabled if it's known that the workload is partitioned
+-such that each partition fits within a NUMA node and that accessing remote
+-memory would cause a measurable performance reduction. The page allocator
+-will then reclaim easily reusable pages (those page cache pages that are
+-currently not used) before allocating off node pages.
++Consider enabling one or more zone_reclaim mode bits if it's known that the
++workload is partitioned such that each partition fits within a NUMA node
++and that accessing remote memory would cause a measurable performance
++reduction. The page allocator will take additional actions before
++allocating off node pages.
+
+ Allowing zone reclaim to write out pages stops processes that are
+ writing large amounts of data from dirtying pages on other nodes. Zone
+--- a/mm/vmscan.c
++++ b/mm/vmscan.c
+@@ -4084,8 +4084,13 @@ module_init(kswapd_init)
+ */
+ int node_reclaim_mode __read_mostly;
+
+-#define RECLAIM_WRITE (1<<0) /* Writeout pages during reclaim */
+-#define RECLAIM_UNMAP (1<<1) /* Unmap pages during reclaim */
++/*
++ * These bit locations are exposed in the vm.zone_reclaim_mode sysctl
++ * ABI. New bits are OK, but existing bits can never change.
++ */
++#define RECLAIM_ZONE (1<<0) /* Run shrink_inactive_list on the zone */
++#define RECLAIM_WRITE (1<<1) /* Writeout pages during reclaim */
++#define RECLAIM_UNMAP (1<<2) /* Unmap pages during reclaim */
+
+ /*
+ * Priority for NODE_RECLAIM. This determines the fraction of pages
--- /dev/null
+From 58fa22f68fcaff20ce4d08a6adffa64f65ccd37d Mon Sep 17 00:00:00 2001
+From: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
+Date: Fri, 2 Oct 2020 14:18:02 +0900
+Subject: mtd: spi-nor: core: Add erase size check for erase command initialization
+
+From: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
+
+commit 58fa22f68fcaff20ce4d08a6adffa64f65ccd37d upstream.
+
+Even if erase type is same as previous region, erase size can be different
+if the previous region is overlaid region. Since 'region->size' is assigned
+to 'cmd->size' for overlaid region, comparing 'erase->size' and 'cmd->size'
+can detect previous overlaid region.
+
+Fixes: 5390a8df769e ("mtd: spi-nor: add support to non-uniform SFDP SPI NOR flash memories")
+Cc: stable@vger.kernel.org
+Signed-off-by: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
+[ta: Add Fixes tag and Cc to stable]
+Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Link: https://lore.kernel.org/r/13d47e8d8991b8a7fd8cc7b9e2a5319c56df35cc.1601612872.git.Takahiro.Kuwano@infineon.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/spi-nor/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mtd/spi-nor/core.c
++++ b/drivers/mtd/spi-nor/core.c
+@@ -1364,6 +1364,7 @@ static int spi_nor_init_erase_cmd_list(s
+ goto destroy_erase_cmd_list;
+
+ if (prev_erase != erase ||
++ erase->size != cmd->size ||
+ region->offset & SNOR_OVERLAID_REGION) {
+ cmd = spi_nor_init_erase_cmd(region, erase);
+ if (IS_ERR(cmd)) {
--- /dev/null
+From 969b276718de37dfe66fce3a5633f611e8cd58fd Mon Sep 17 00:00:00 2001
+From: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
+Date: Fri, 2 Oct 2020 14:18:01 +0900
+Subject: mtd: spi-nor: core: Fix erase type discovery for overlaid region
+
+From: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
+
+commit 969b276718de37dfe66fce3a5633f611e8cd58fd upstream.
+
+In case of overlaid regions in which their biggest erase size command
+overpasses in size the region's size, only the non-overlaid portion of
+the sector gets erased. For example, if a Sector Erase command is applied
+to a 256-kB range that is overlaid by 4-kB sectors, the overlaid 4-kB
+sectors are not affected by the erase.
+For overlaid regions, 'region->size' is assigned to 'cmd->size' later in
+spi_nor_init_erase_cmd(), so 'erase->size' can be greater than 'len'.
+
+Fixes: 5390a8df769e ("mtd: spi-nor: add support to non-uniform SFDP SPI NOR flash memories")
+Cc: stable@vger.kernel.org
+Signed-off-by: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
+[ta: Update commit description, add Fixes tag and Cc to stable]
+Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Link: https://lore.kernel.org/r/fa5d8b944a5cca488ac54ba37c95e775ac2deb34.1601612872.git.Takahiro.Kuwano@infineon.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/spi-nor/core.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/mtd/spi-nor/core.c
++++ b/drivers/mtd/spi-nor/core.c
+@@ -1212,14 +1212,15 @@ spi_nor_find_best_erase_type(const struc
+
+ erase = &map->erase_type[i];
+
++ /* Alignment is not mandatory for overlaid regions */
++ if (region->offset & SNOR_OVERLAID_REGION &&
++ region->size <= len)
++ return erase;
++
+ /* Don't erase more than what the user has asked for. */
+ if (erase->size > len)
+ continue;
+
+- /* Alignment is not mandatory for overlaid regions */
+- if (region->offset & SNOR_OVERLAID_REGION)
+- return erase;
+-
+ spi_nor_div_by_erase_size(erase, addr, &rem);
+ if (rem)
+ continue;
--- /dev/null
+From fe6653460ee7a7dbe0cd5fd322992af862ce5ab0 Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Thu, 21 Jan 2021 01:18:47 -0800
+Subject: mtd: spi-nor: hisi-sfc: Put child node np on error path
+
+From: Pan Bian <bianpan2016@163.com>
+
+commit fe6653460ee7a7dbe0cd5fd322992af862ce5ab0 upstream.
+
+Put the child node np when it fails to get or register device.
+
+Fixes: e523f11141bd ("mtd: spi-nor: add hisilicon spi-nor flash controller driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+[ta: Add Fixes tag and Cc stable]
+Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Link: https://lore.kernel.org/r/20210121091847.85362-1-bianpan2016@163.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/spi-nor/controllers/hisi-sfc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/mtd/spi-nor/controllers/hisi-sfc.c
++++ b/drivers/mtd/spi-nor/controllers/hisi-sfc.c
+@@ -399,8 +399,10 @@ static int hisi_spi_nor_register_all(str
+
+ for_each_available_child_of_node(dev->of_node, np) {
+ ret = hisi_spi_nor_register(np, host);
+- if (ret)
++ if (ret) {
++ of_node_put(np);
+ goto fail;
++ }
+
+ if (host->num_chip == HIFMC_MAX_CHIP_NUM) {
+ dev_warn(dev, "Flash device number exceeds the maximum chipselect number\n");
--- /dev/null
+From 9166f4af32db74e1544a2149aef231ff24515ea3 Mon Sep 17 00:00:00 2001
+From: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
+Date: Fri, 2 Oct 2020 14:18:00 +0900
+Subject: mtd: spi-nor: sfdp: Fix last erase region marking
+
+From: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
+
+commit 9166f4af32db74e1544a2149aef231ff24515ea3 upstream.
+
+The place of spi_nor_region_mark_end() must be moved, because 'i' is
+re-used for the index of erase[].
+
+Fixes: b038e8e3be72 ("mtd: spi-nor: parse SFDP Sector Map Parameter Table")
+Cc: stable@vger.kernel.org
+Signed-off-by: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
+[ta: Add Fixes tag and Cc to stable]
+Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Link: https://lore.kernel.org/r/02ce8d84b7989ebee33382f6494df53778dd508e.1601612872.git.Takahiro.Kuwano@infineon.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/spi-nor/sfdp.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/mtd/spi-nor/sfdp.c
++++ b/drivers/mtd/spi-nor/sfdp.c
+@@ -830,6 +830,7 @@ spi_nor_init_non_uniform_erase_map(struc
+ offset = (region[i].offset & ~SNOR_ERASE_FLAGS_MASK) +
+ region[i].size;
+ }
++ spi_nor_region_mark_end(®ion[i - 1]);
+
+ save_uniform_erase_type = map->uniform_erase_type;
+ map->uniform_erase_type = spi_nor_sort_erase_mask(map,
+@@ -853,8 +854,6 @@ spi_nor_init_non_uniform_erase_map(struc
+ if (!(regions_erase_type & BIT(erase[i].idx)))
+ spi_nor_set_erase_type(&erase[i], 0, 0xFF);
+
+- spi_nor_region_mark_end(®ion[i - 1]);
+-
+ return 0;
+ }
+
--- /dev/null
+From abdf5a5ef9652bad4d58058bc22ddf23543ba3e1 Mon Sep 17 00:00:00 2001
+From: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
+Date: Fri, 2 Oct 2020 14:17:59 +0900
+Subject: mtd: spi-nor: sfdp: Fix wrong erase type bitmask for overlaid region
+
+From: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
+
+commit abdf5a5ef9652bad4d58058bc22ddf23543ba3e1 upstream.
+
+At the time spi_nor_region_check_overlay() is called, the erase types are
+sorted in ascending order of erase size. The 'erase_type' should be masked
+with 'BIT(erase[i].idx)' instead of 'BIT(i)'.
+
+Fixes: b038e8e3be72 ("mtd: spi-nor: parse SFDP Sector Map Parameter Table")
+Cc: stable@vger.kernel.org
+Signed-off-by: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
+[ta: Add Fixes tag and Cc to stable]
+Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Link: https://lore.kernel.org/r/fd90c40d5b626a1319a78fc2bcee79a8871d4d57.1601612872.git.Takahiro.Kuwano@infineon.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/spi-nor/sfdp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/spi-nor/sfdp.c
++++ b/drivers/mtd/spi-nor/sfdp.c
+@@ -760,7 +760,7 @@ spi_nor_region_check_overlay(struct spi_
+ int i;
+
+ for (i = 0; i < SNOR_ERASE_TYPE_MAX; i++) {
+- if (!(erase_type & BIT(i)))
++ if (!(erase[i].size && erase_type & BIT(erase[i].idx)))
+ continue;
+ if (region->size & erase[i].size_mask) {
+ spi_nor_region_mark_overlay(region);
--- /dev/null
+From f3d60f2a25e4417e1676161fe42115de3e3f98a2 Mon Sep 17 00:00:00 2001
+From: Tobias Klauser <tklauser@distanz.ch>
+Date: Tue, 16 Feb 2021 18:33:05 +0100
+Subject: riscv: Disable KSAN_SANITIZE for vDSO
+
+From: Tobias Klauser <tklauser@distanz.ch>
+
+commit f3d60f2a25e4417e1676161fe42115de3e3f98a2 upstream.
+
+We use the generic C VDSO implementations of a handful of clock-related
+functions. When kasan is enabled this results in asan stub calls that
+are unlikely to be resolved by userspace, this just disables KASAN
+when building the VDSO.
+
+Verified the fix on a kernel with KASAN enabled using vDSO selftests.
+
+Link: https://lore.kernel.org/lkml/CACT4Y+ZNJBnkKHXUf=tm_yuowvZvHwN=0rmJ=7J+xFd+9r_6pQ@mail.gmail.com/
+Tested-by: Tobias Klauser <tklauser@distanz.ch>
+Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
+Tested-by: Dmitry Vyukov <dvyukov@google.com>
+[Palmer: commit text]
+Fixes: ad5d1122b82f ("riscv: use vDSO common flow to reduce the latency of the time-related functions")
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/kernel/vdso/Makefile | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/riscv/kernel/vdso/Makefile
++++ b/arch/riscv/kernel/vdso/Makefile
+@@ -32,9 +32,10 @@ CPPFLAGS_vdso.lds += -P -C -U$(ARCH)
+ # Disable -pg to prevent insert call site
+ CFLAGS_REMOVE_vgettimeofday.o = $(CC_FLAGS_FTRACE) -Os
+
+-# Disable gcov profiling for VDSO code
++# Disable profiling and instrumentation for VDSO code
+ GCOV_PROFILE := n
+ KCOV_INSTRUMENT := n
++KASAN_SANITIZE := n
+
+ # Force dependency
+ $(obj)/vdso.o: $(obj)/vdso.so
--- /dev/null
+From b3656d8227f4c45812c6b40815d8f4e446ed372a Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.de>
+Date: Thu, 25 Feb 2021 17:22:25 -0800
+Subject: seq_file: document how per-entry resources are managed.
+
+From: NeilBrown <neilb@suse.de>
+
+commit b3656d8227f4c45812c6b40815d8f4e446ed372a upstream.
+
+Patch series "Fix some seq_file users that were recently broken".
+
+A recent change to seq_file broke some users which were using seq_file
+in a non-"standard" way ... though the "standard" isn't documented, so
+they can be excused. The result is a possible leak - of memory in one
+case, of references to a 'transport' in the other.
+
+These three patches:
+ 1/ document and explain the problem
+ 2/ fix the problem user in x86
+ 3/ fix the problem user in net/sctp
+
+This patch (of 3):
+
+Users of seq_file will sometimes find it convenient to take a resource,
+such as a lock or memory allocation, in the ->start or ->next operations.
+These are per-entry resources, distinct from per-session resources which
+are taken in ->start and released in ->stop.
+
+The preferred management of these is release the resource on the
+subsequent call to ->next or ->stop.
+
+However prior to Commit 1f4aace60b0e ("fs/seq_file.c: simplify seq_file
+iteration code and interface") it happened that ->show would always be
+called after ->start or ->next, and a few users chose to release the
+resource in ->show.
+
+This is no longer reliable. Since the mentioned commit, ->next will
+always come after a successful ->show (to ensure m->index is updated
+correctly), so the original ordering cannot be maintained.
+
+This patch updates the documentation to clearly state the required
+behaviour. Other patches will fix the few problematic users.
+
+[akpm@linux-foundation.org: fix typo, per Willy]
+
+Link: https://lkml.kernel.org/r/161248518659.21478.2484341937387294998.stgit@noble1
+Link: https://lkml.kernel.org/r/161248539020.21478.3147971477400875336.stgit@noble1
+Fixes: 1f4aace60b0e ("fs/seq_file.c: simplify seq_file iteration code and interface")
+Signed-off-by: NeilBrown <neilb@suse.de>
+Cc: Xin Long <lucien.xin@gmail.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Vlad Yasevich <vyasevich@gmail.com>
+Cc: Neil Horman <nhorman@tuxdriver.com>
+Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/filesystems/seq_file.rst | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/Documentation/filesystems/seq_file.rst
++++ b/Documentation/filesystems/seq_file.rst
+@@ -217,6 +217,12 @@ between the calls to start() and stop(),
+ is a reasonable thing to do. The seq_file code will also avoid taking any
+ other locks while the iterator is active.
+
++The iterater value returned by start() or next() is guaranteed to be
++passed to a subsequent next() or stop() call. This allows resources
++such as locks that were taken to be reliably released. There is *no*
++guarantee that the iterator will be passed to show(), though in practice
++it often will be.
++
+
+ Formatted output
+ ================
entry-explicitly-flush-pending-rcuog-wakeup-before-last-rescheduling-point.patch
entry-kvm-explicitly-flush-pending-rcuog-wakeup-before-last-rescheduling-point.patch
kprobes-fix-to-delay-the-kprobes-jump-optimization.patch
+arm64-extend-workaround-for-erratum-1024718-to-all-versions-of-cortex-a55.patch
+iommu-arm-smmu-qcom-fix-mask-extraction-for-bootloader-programmed-smrs.patch
+arm64-kexec_file-fix-memory-leakage-in-create_dtb-when-fdt_open_into-fails.patch
+arm64-uprobe-return-eopnotsupp-for-aarch32-instruction-probing.patch
+arm64-module-set-plt-section-addresses-to-0x0.patch
+arm64-spectre-prevent-lockdep-splat-on-v4-mitigation-enable-path.patch
+riscv-disable-ksan_sanitize-for-vdso.patch
+watchdog-qcom-remove-incorrect-usage-of-qcom_wdt_enable_irq.patch
+watchdog-mei_wdt-request-stop-on-unregister.patch
+coresight-etm4x-handle-accesses-to-trcstallctlr.patch
+mtd-spi-nor-sfdp-fix-last-erase-region-marking.patch
+mtd-spi-nor-sfdp-fix-wrong-erase-type-bitmask-for-overlaid-region.patch
+mtd-spi-nor-core-fix-erase-type-discovery-for-overlaid-region.patch
+mtd-spi-nor-core-add-erase-size-check-for-erase-command-initialization.patch
+mtd-spi-nor-hisi-sfc-put-child-node-np-on-error-path.patch
+fs-affs-release-old-buffer-head-on-error-path.patch
+seq_file-document-how-per-entry-resources-are-managed.patch
+x86-fix-seq_file-iteration-for-pat-memtype.c.patch
+mm-memcontrol-fix-swap-undercounting-in-cgroup2.patch
+mm-memcontrol-fix-get_active_memcg-return-value.patch
+hugetlb-fix-update_and_free_page-contig-page-struct-assumption.patch
+hugetlb-fix-copy_huge_page_from_user-contig-page-struct-assumption.patch
+mm-vmscan-restore-zone_reclaim_mode-abi.patch
+mm-compaction-make-fast_isolate_freepages-stay-within-zone.patch
+kvm-nsvm-fix-running-nested-guests-when-npt-0.patch
--- /dev/null
+From 740c0a57b8f1e36301218bf549f3c9cc833a60be Mon Sep 17 00:00:00 2001
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+Date: Sun, 24 Jan 2021 13:49:38 +0200
+Subject: watchdog: mei_wdt: request stop on unregister
+
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+
+commit 740c0a57b8f1e36301218bf549f3c9cc833a60be upstream.
+
+The MEI bus has a special behavior on suspend it destroys
+all the attached devices, this is due to the fact that also
+firmware context is not persistent across power flows.
+
+If watchdog on MEI bus is ticking before suspending the firmware
+times out and reports that the OS is missing watchdog tick.
+Send the stop command to the firmware on watchdog unregistered
+to eliminate the false event on suspend.
+This does not make the things worse from the user-space perspective
+as a user-space should re-open watchdog device after
+suspending before this patch.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20210124114938.373885-1-tomas.winkler@intel.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/watchdog/mei_wdt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/watchdog/mei_wdt.c
++++ b/drivers/watchdog/mei_wdt.c
+@@ -382,6 +382,7 @@ static int mei_wdt_register(struct mei_w
+
+ watchdog_set_drvdata(&wdt->wdd, wdt);
+ watchdog_stop_on_reboot(&wdt->wdd);
++ watchdog_stop_on_unregister(&wdt->wdd);
+
+ ret = watchdog_register_device(&wdt->wdd);
+ if (ret)
--- /dev/null
+From a4f3407c41605d14f09e490045d0609990cd5d94 Mon Sep 17 00:00:00 2001
+From: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
+Date: Tue, 26 Jan 2021 20:32:41 +0530
+Subject: watchdog: qcom: Remove incorrect usage of QCOM_WDT_ENABLE_IRQ
+
+From: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
+
+commit a4f3407c41605d14f09e490045d0609990cd5d94 upstream.
+
+As per register documentation, QCOM_WDT_ENABLE_IRQ which is BIT(1)
+of watchdog control register is wakeup interrupt enable bit and
+not related to bark interrupt at all, BIT(0) is used for that.
+So remove incorrect usage of this bit when supporting bark irq for
+pre-timeout notification. Currently with this bit set and bark
+interrupt specified, pre-timeout notification and/or watchdog
+reset/bite does not occur.
+
+Fixes: 36375491a439 ("watchdog: qcom: support pre-timeout when the bark irq is available")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Link: https://lore.kernel.org/r/20210126150241.10009-1-saiprakash.ranjan@codeaurora.org
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/watchdog/qcom-wdt.c | 13 +------------
+ 1 file changed, 1 insertion(+), 12 deletions(-)
+
+--- a/drivers/watchdog/qcom-wdt.c
++++ b/drivers/watchdog/qcom-wdt.c
+@@ -22,7 +22,6 @@ enum wdt_reg {
+ };
+
+ #define QCOM_WDT_ENABLE BIT(0)
+-#define QCOM_WDT_ENABLE_IRQ BIT(1)
+
+ static const u32 reg_offset_data_apcs_tmr[] = {
+ [WDT_RST] = 0x38,
+@@ -63,16 +62,6 @@ struct qcom_wdt *to_qcom_wdt(struct watc
+ return container_of(wdd, struct qcom_wdt, wdd);
+ }
+
+-static inline int qcom_get_enable(struct watchdog_device *wdd)
+-{
+- int enable = QCOM_WDT_ENABLE;
+-
+- if (wdd->pretimeout)
+- enable |= QCOM_WDT_ENABLE_IRQ;
+-
+- return enable;
+-}
+-
+ static irqreturn_t qcom_wdt_isr(int irq, void *arg)
+ {
+ struct watchdog_device *wdd = arg;
+@@ -91,7 +80,7 @@ static int qcom_wdt_start(struct watchdo
+ writel(1, wdt_addr(wdt, WDT_RST));
+ writel(bark * wdt->rate, wdt_addr(wdt, WDT_BARK_TIME));
+ writel(wdd->timeout * wdt->rate, wdt_addr(wdt, WDT_BITE_TIME));
+- writel(qcom_get_enable(wdd), wdt_addr(wdt, WDT_EN));
++ writel(QCOM_WDT_ENABLE, wdt_addr(wdt, WDT_EN));
+ return 0;
+ }
+
--- /dev/null
+From 3d2fc4c082448e9c05792f9b2a11c1d5db408b85 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.de>
+Date: Thu, 25 Feb 2021 17:22:29 -0800
+Subject: x86: fix seq_file iteration for pat/memtype.c
+
+From: NeilBrown <neilb@suse.de>
+
+commit 3d2fc4c082448e9c05792f9b2a11c1d5db408b85 upstream.
+
+The memtype seq_file iterator allocates a buffer in the ->start and ->next
+functions and frees it in the ->show function. The preferred handling for
+such resources is to free them in the subsequent ->next or ->stop function
+call.
+
+Since Commit 1f4aace60b0e ("fs/seq_file.c: simplify seq_file iteration
+code and interface") there is no guarantee that ->show will be called
+after ->next, so this function can now leak memory.
+
+So move the freeing of the buffer to ->next and ->stop.
+
+Link: https://lkml.kernel.org/r/161248539022.21478.13874455485854739066.stgit@noble1
+Fixes: 1f4aace60b0e ("fs/seq_file.c: simplify seq_file iteration code and interface")
+Signed-off-by: NeilBrown <neilb@suse.de>
+Cc: Xin Long <lucien.xin@gmail.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Cc: Neil Horman <nhorman@tuxdriver.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Vlad Yasevich <vyasevich@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/mm/pat/memtype.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/mm/pat/memtype.c
++++ b/arch/x86/mm/pat/memtype.c
+@@ -1164,12 +1164,14 @@ static void *memtype_seq_start(struct se
+
+ static void *memtype_seq_next(struct seq_file *seq, void *v, loff_t *pos)
+ {
++ kfree(v);
+ ++*pos;
+ return memtype_get_idx(*pos);
+ }
+
+ static void memtype_seq_stop(struct seq_file *seq, void *v)
+ {
++ kfree(v);
+ }
+
+ static int memtype_seq_show(struct seq_file *seq, void *v)
+@@ -1181,8 +1183,6 @@ static int memtype_seq_show(struct seq_f
+ entry_print->end,
+ cattr_name(entry_print->type));
+
+- kfree(entry_print);
+-
+ return 0;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
