From: Greg Kroah-Hartman Date: Wed, 19 Aug 2020 11:53:18 +0000 (+0200) Subject: 5.8-stable patches X-Git-Tag: v4.14.194~35 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3ef7a49e7f26a81054c3f0fab622198c75a6ba43;p=thirdparty%2Fkernel%2Fstable-queue.git 5.8-stable patches added patches: arm64-dts-qcom-sc7180-drop-the-unused-non-msa-sid.patch arm64-perf-correct-the-event-index-in-sysfs.patch cifs-fix-leak-when-handling-lease-break-for-cached-root-fid.patch dt-bindings-iio-io-channel-mux-fix-compatible-string-in-example-code.patch iio-dac-ad5592r-fix-unbalanced-mutex-unlocks-in-ad5592r_read_raw.patch iio-imu-st_lsm6dsx-reset-hw-ts-after-resume.patch media-venus-fix-multiple-encoder-crash.patch media-vsp1-dl-fix-null-pointer-dereference-on-unbind.patch pinctrl-ingenic-enhance-support-for-irq_type_edge_both.patch pinctrl-ingenic-properly-detect-gpio-direction-when-configured-for-irq.patch powerpc-allow-4224-bytes-of-stack-expansion-for-the-signal-frame.patch powerpc-fix-circular-dependency-between-percpu.h-and-mmu.h.patch powerpc-ptdump-fix-build-failure-in-hashpagetable.c.patch xtensa-add-missing-exclusive-access-state-management.patch xtensa-fix-xtensa_pmu_setup-prototype.patch --- diff --git a/queue-5.8/arm64-dts-qcom-sc7180-drop-the-unused-non-msa-sid.patch b/queue-5.8/arm64-dts-qcom-sc7180-drop-the-unused-non-msa-sid.patch new file mode 100644 index 00000000000..e896b5aa465 --- /dev/null +++ b/queue-5.8/arm64-dts-qcom-sc7180-drop-the-unused-non-msa-sid.patch @@ -0,0 +1,55 @@ +From 08257610302159e08fd4f5d33787807374ea63c7 Mon Sep 17 00:00:00 2001 +From: Sibi Sankar +Date: Tue, 30 Jun 2020 13:49:38 +0530 +Subject: arm64: dts: qcom: sc7180: Drop the unused non-MSA SID + +From: Sibi Sankar + +commit 08257610302159e08fd4f5d33787807374ea63c7 upstream. + +Having a non-MSA (Modem Self-Authentication) SID bypassed breaks modem +sandboxing i.e if a transaction were to originate from it, the hardware +memory protections units (XPUs) would fail to flag them (any transaction +originating from modem are historically termed as an MSA transaction). +Drop the unused non-MSA modem SID on SC7180 SoCs and cheza so that SMMU +continues to block them. + +Tested-by: Douglas Anderson +Reviewed-by: Sai Prakash Ranjan +Reviewed-by: Douglas Anderson +Fixes: bec71ba243e95 ("arm64: dts: qcom: sc7180: Update Q6V5 MSS node") +Fixes: 68aee4af5f620 ("arm64: dts: qcom: sdm845-cheza: Add iommus property") +Cc: stable@vger.kernel.org +Reported-by: Sai Prakash Ranjan +Signed-off-by: Sibi Sankar +Link: https://lore.kernel.org/r/20200630081938.8131-1-sibis@codeaurora.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/boot/dts/qcom/sc7180-idp.dts | 2 +- + arch/arm64/boot/dts/qcom/sdm845-cheza.dtsi | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/boot/dts/qcom/sc7180-idp.dts ++++ b/arch/arm64/boot/dts/qcom/sc7180-idp.dts +@@ -312,7 +312,7 @@ + &remoteproc_mpss { + status = "okay"; + compatible = "qcom,sc7180-mss-pil"; +- iommus = <&apps_smmu 0x460 0x1>, <&apps_smmu 0x444 0x3>; ++ iommus = <&apps_smmu 0x461 0x0>, <&apps_smmu 0x444 0x3>; + memory-region = <&mba_mem &mpss_mem>; + }; + +--- a/arch/arm64/boot/dts/qcom/sdm845-cheza.dtsi ++++ b/arch/arm64/boot/dts/qcom/sdm845-cheza.dtsi +@@ -634,7 +634,7 @@ ap_ts_i2c: &i2c14 { + }; + + &mss_pil { +- iommus = <&apps_smmu 0x780 0x1>, ++ iommus = <&apps_smmu 0x781 0x0>, + <&apps_smmu 0x724 0x3>; + }; + diff --git a/queue-5.8/arm64-perf-correct-the-event-index-in-sysfs.patch b/queue-5.8/arm64-perf-correct-the-event-index-in-sysfs.patch new file mode 100644 index 00000000000..9d65d3fba4a --- /dev/null +++ b/queue-5.8/arm64-perf-correct-the-event-index-in-sysfs.patch @@ -0,0 +1,62 @@ +From 539707caa1a89ee4efc57b4e4231c20c46575ccc Mon Sep 17 00:00:00 2001 +From: Shaokun Zhang +Date: Thu, 18 Jun 2020 21:35:44 +0800 +Subject: arm64: perf: Correct the event index in sysfs + +From: Shaokun Zhang + +commit 539707caa1a89ee4efc57b4e4231c20c46575ccc upstream. + +When PMU event ID is equal or greater than 0x4000, it will be reduced +by 0x4000 and it is not the raw number in the sysfs. Let's correct it +and obtain the raw event ID. + +Before this patch: +cat /sys/bus/event_source/devices/armv8_pmuv3_0/events/sample_feed +event=0x001 +After this patch: +cat /sys/bus/event_source/devices/armv8_pmuv3_0/events/sample_feed +event=0x4001 + +Signed-off-by: Shaokun Zhang +Cc: Will Deacon +Cc: Mark Rutland +Cc: +Link: https://lore.kernel.org/r/1592487344-30555-3-git-send-email-zhangshaokun@hisilicon.com +[will: fixed formatting of 'if' condition] +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/perf_event.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/arch/arm64/kernel/perf_event.c ++++ b/arch/arm64/kernel/perf_event.c +@@ -155,7 +155,7 @@ armv8pmu_events_sysfs_show(struct device + + pmu_attr = container_of(attr, struct perf_pmu_events_attr, attr); + +- return sprintf(page, "event=0x%03llx\n", pmu_attr->id); ++ return sprintf(page, "event=0x%04llx\n", pmu_attr->id); + } + + #define ARMV8_EVENT_ATTR(name, config) \ +@@ -244,10 +244,13 @@ armv8pmu_event_attr_is_visible(struct ko + test_bit(pmu_attr->id, cpu_pmu->pmceid_bitmap)) + return attr->mode; + +- pmu_attr->id -= ARMV8_PMUV3_EXT_COMMON_EVENT_BASE; +- if (pmu_attr->id < ARMV8_PMUV3_MAX_COMMON_EVENTS && +- test_bit(pmu_attr->id, cpu_pmu->pmceid_ext_bitmap)) +- return attr->mode; ++ if (pmu_attr->id >= ARMV8_PMUV3_EXT_COMMON_EVENT_BASE) { ++ u64 id = pmu_attr->id - ARMV8_PMUV3_EXT_COMMON_EVENT_BASE; ++ ++ if (id < ARMV8_PMUV3_MAX_COMMON_EVENTS && ++ test_bit(id, cpu_pmu->pmceid_ext_bitmap)) ++ return attr->mode; ++ } + + return 0; + } diff --git a/queue-5.8/cifs-fix-leak-when-handling-lease-break-for-cached-root-fid.patch b/queue-5.8/cifs-fix-leak-when-handling-lease-break-for-cached-root-fid.patch new file mode 100644 index 00000000000..c606a6bb5bc --- /dev/null +++ b/queue-5.8/cifs-fix-leak-when-handling-lease-break-for-cached-root-fid.patch @@ -0,0 +1,164 @@ +From baf57b56d3604880ccb3956ec6c62ea894f5de99 Mon Sep 17 00:00:00 2001 +From: Paul Aurich +Date: Thu, 9 Jul 2020 22:01:16 -0700 +Subject: cifs: Fix leak when handling lease break for cached root fid + +From: Paul Aurich + +commit baf57b56d3604880ccb3956ec6c62ea894f5de99 upstream. + +Handling a lease break for the cached root didn't free the +smb2_lease_break_work allocation, resulting in a leak: + + unreferenced object 0xffff98383a5af480 (size 128): + comm "cifsd", pid 684, jiffies 4294936606 (age 534.868s) + hex dump (first 32 bytes): + c0 ff ff ff 1f 00 00 00 88 f4 5a 3a 38 98 ff ff ..........Z:8... + 88 f4 5a 3a 38 98 ff ff 80 88 d6 8a ff ff ff ff ..Z:8........... + backtrace: + [<0000000068957336>] smb2_is_valid_oplock_break+0x1fa/0x8c0 + [<0000000073b70b9e>] cifs_demultiplex_thread+0x73d/0xcc0 + [<00000000905fa372>] kthread+0x11c/0x150 + [<0000000079378e4e>] ret_from_fork+0x22/0x30 + +Avoid this leak by only allocating when necessary. + +Fixes: a93864d93977 ("cifs: add lease tracking to the cached root fid") +Signed-off-by: Paul Aurich +CC: Stable # v4.18+ +Reviewed-by: Aurelien Aptel +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2misc.c | 73 +++++++++++++++++++++++++++++++++++++---------------- + 1 file changed, 52 insertions(+), 21 deletions(-) + +--- a/fs/cifs/smb2misc.c ++++ b/fs/cifs/smb2misc.c +@@ -508,15 +508,31 @@ cifs_ses_oplock_break(struct work_struct + kfree(lw); + } + ++static void ++smb2_queue_pending_open_break(struct tcon_link *tlink, __u8 *lease_key, ++ __le32 new_lease_state) ++{ ++ struct smb2_lease_break_work *lw; ++ ++ lw = kmalloc(sizeof(struct smb2_lease_break_work), GFP_KERNEL); ++ if (!lw) { ++ cifs_put_tlink(tlink); ++ return; ++ } ++ ++ INIT_WORK(&lw->lease_break, cifs_ses_oplock_break); ++ lw->tlink = tlink; ++ lw->lease_state = new_lease_state; ++ memcpy(lw->lease_key, lease_key, SMB2_LEASE_KEY_SIZE); ++ queue_work(cifsiod_wq, &lw->lease_break); ++} ++ + static bool +-smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp, +- struct smb2_lease_break_work *lw) ++smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp) + { +- bool found; + __u8 lease_state; + struct list_head *tmp; + struct cifsFileInfo *cfile; +- struct cifs_pending_open *open; + struct cifsInodeInfo *cinode; + int ack_req = le32_to_cpu(rsp->Flags & + SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED); +@@ -546,22 +562,29 @@ smb2_tcon_has_lease(struct cifs_tcon *tc + cfile->oplock_level = lease_state; + + cifs_queue_oplock_break(cfile); +- kfree(lw); + return true; + } + +- found = false; ++ return false; ++} ++ ++static struct cifs_pending_open * ++smb2_tcon_find_pending_open_lease(struct cifs_tcon *tcon, ++ struct smb2_lease_break *rsp) ++{ ++ __u8 lease_state = le32_to_cpu(rsp->NewLeaseState); ++ int ack_req = le32_to_cpu(rsp->Flags & ++ SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED); ++ struct cifs_pending_open *open; ++ struct cifs_pending_open *found = NULL; ++ + list_for_each_entry(open, &tcon->pending_opens, olist) { + if (memcmp(open->lease_key, rsp->LeaseKey, + SMB2_LEASE_KEY_SIZE)) + continue; + + if (!found && ack_req) { +- found = true; +- memcpy(lw->lease_key, open->lease_key, +- SMB2_LEASE_KEY_SIZE); +- lw->tlink = cifs_get_tlink(open->tlink); +- queue_work(cifsiod_wq, &lw->lease_break); ++ found = open; + } + + cifs_dbg(FYI, "found in the pending open list\n"); +@@ -582,14 +605,7 @@ smb2_is_valid_lease_break(char *buffer) + struct TCP_Server_Info *server; + struct cifs_ses *ses; + struct cifs_tcon *tcon; +- struct smb2_lease_break_work *lw; +- +- lw = kmalloc(sizeof(struct smb2_lease_break_work), GFP_KERNEL); +- if (!lw) +- return false; +- +- INIT_WORK(&lw->lease_break, cifs_ses_oplock_break); +- lw->lease_state = rsp->NewLeaseState; ++ struct cifs_pending_open *open; + + cifs_dbg(FYI, "Checking for lease break\n"); + +@@ -607,11 +623,27 @@ smb2_is_valid_lease_break(char *buffer) + spin_lock(&tcon->open_file_lock); + cifs_stats_inc( + &tcon->stats.cifs_stats.num_oplock_brks); +- if (smb2_tcon_has_lease(tcon, rsp, lw)) { ++ if (smb2_tcon_has_lease(tcon, rsp)) { + spin_unlock(&tcon->open_file_lock); + spin_unlock(&cifs_tcp_ses_lock); + return true; + } ++ open = smb2_tcon_find_pending_open_lease(tcon, ++ rsp); ++ if (open) { ++ __u8 lease_key[SMB2_LEASE_KEY_SIZE]; ++ struct tcon_link *tlink; ++ ++ tlink = cifs_get_tlink(open->tlink); ++ memcpy(lease_key, open->lease_key, ++ SMB2_LEASE_KEY_SIZE); ++ spin_unlock(&tcon->open_file_lock); ++ spin_unlock(&cifs_tcp_ses_lock); ++ smb2_queue_pending_open_break(tlink, ++ lease_key, ++ rsp->NewLeaseState); ++ return true; ++ } + spin_unlock(&tcon->open_file_lock); + + if (tcon->crfid.is_valid && +@@ -629,7 +661,6 @@ smb2_is_valid_lease_break(char *buffer) + } + } + spin_unlock(&cifs_tcp_ses_lock); +- kfree(lw); + cifs_dbg(FYI, "Can not process lease break - no lease matched\n"); + return false; + } diff --git a/queue-5.8/dt-bindings-iio-io-channel-mux-fix-compatible-string-in-example-code.patch b/queue-5.8/dt-bindings-iio-io-channel-mux-fix-compatible-string-in-example-code.patch new file mode 100644 index 00000000000..8d3b53a31a2 --- /dev/null +++ b/queue-5.8/dt-bindings-iio-io-channel-mux-fix-compatible-string-in-example-code.patch @@ -0,0 +1,34 @@ +From add48ba425192c6e04ce70549129cacd01e2a09e Mon Sep 17 00:00:00 2001 +From: Christian Eggers +Date: Mon, 27 Jul 2020 12:16:05 +0200 +Subject: dt-bindings: iio: io-channel-mux: Fix compatible string in example code + +From: Christian Eggers + +commit add48ba425192c6e04ce70549129cacd01e2a09e upstream. + +The correct compatible string is "gpio-mux" (see +bindings/mux/gpio-mux.txt). + +Cc: stable@vger.kernel.org # v4.13+ +Reviewed-by: Peter Rosin +Signed-off-by: Christian Eggers +Link: https://lore.kernel.org/r/20200727101605.24384-1-ceggers@arri.de +Signed-off-by: Rob Herring +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/devicetree/bindings/iio/multiplexer/io-channel-mux.txt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Documentation/devicetree/bindings/iio/multiplexer/io-channel-mux.txt ++++ b/Documentation/devicetree/bindings/iio/multiplexer/io-channel-mux.txt +@@ -21,7 +21,7 @@ controller state. The mux controller sta + + Example: + mux: mux-controller { +- compatible = "mux-gpio"; ++ compatible = "gpio-mux"; + #mux-control-cells = <0>; + + mux-gpios = <&pioA 0 GPIO_ACTIVE_HIGH>, diff --git a/queue-5.8/iio-dac-ad5592r-fix-unbalanced-mutex-unlocks-in-ad5592r_read_raw.patch b/queue-5.8/iio-dac-ad5592r-fix-unbalanced-mutex-unlocks-in-ad5592r_read_raw.patch new file mode 100644 index 00000000000..4b9af10e052 --- /dev/null +++ b/queue-5.8/iio-dac-ad5592r-fix-unbalanced-mutex-unlocks-in-ad5592r_read_raw.patch @@ -0,0 +1,47 @@ +From 65afb0932a81c1de719ceee0db0b276094b10ac8 Mon Sep 17 00:00:00 2001 +From: Alexandru Ardelean +Date: Mon, 6 Jul 2020 14:02:57 +0300 +Subject: iio: dac: ad5592r: fix unbalanced mutex unlocks in ad5592r_read_raw() + +From: Alexandru Ardelean + +commit 65afb0932a81c1de719ceee0db0b276094b10ac8 upstream. + +There are 2 exit paths where the lock isn't held, but try to unlock the +mutex when exiting. In these places we should just return from the +function. + +A neater approach would be to cleanup the ad5592r_read_raw(), but that +would make this patch more difficult to backport to stable versions. + +Fixes 56ca9db862bf3: ("iio: dac: Add support for the AD5592R/AD5593R ADCs/DACs") +Reported-by: Charles Stanhope +Signed-off-by: Alexandru Ardelean +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/dac/ad5592r-base.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/iio/dac/ad5592r-base.c ++++ b/drivers/iio/dac/ad5592r-base.c +@@ -413,7 +413,7 @@ static int ad5592r_read_raw(struct iio_d + s64 tmp = *val * (3767897513LL / 25LL); + *val = div_s64_rem(tmp, 1000000000LL, val2); + +- ret = IIO_VAL_INT_PLUS_MICRO; ++ return IIO_VAL_INT_PLUS_MICRO; + } else { + int mult; + +@@ -444,7 +444,7 @@ static int ad5592r_read_raw(struct iio_d + ret = IIO_VAL_INT; + break; + default: +- ret = -EINVAL; ++ return -EINVAL; + } + + unlock: diff --git a/queue-5.8/iio-imu-st_lsm6dsx-reset-hw-ts-after-resume.patch b/queue-5.8/iio-imu-st_lsm6dsx-reset-hw-ts-after-resume.patch new file mode 100644 index 00000000000..7e9aefa3995 --- /dev/null +++ b/queue-5.8/iio-imu-st_lsm6dsx-reset-hw-ts-after-resume.patch @@ -0,0 +1,95 @@ +From a1bab9396c2d98c601ce81c27567159dfbc10c19 Mon Sep 17 00:00:00 2001 +From: Lorenzo Bianconi +Date: Mon, 13 Jul 2020 13:40:19 +0200 +Subject: iio: imu: st_lsm6dsx: reset hw ts after resume + +From: Lorenzo Bianconi + +commit a1bab9396c2d98c601ce81c27567159dfbc10c19 upstream. + +Reset hw time samples generator after system resume in order to avoid +disalignment between system and device time reference since FIFO +batching and time samples generator are disabled during suspend. + +Fixes: 213451076bd3 ("iio: imu: st_lsm6dsx: add hw timestamp support") +Tested-by: Sean Nyekjaer +Signed-off-by: Lorenzo Bianconi +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h | 3 +-- + drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 23 +++++++++++++++-------- + drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c | 2 +- + 3 files changed, 17 insertions(+), 11 deletions(-) + +--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h ++++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h +@@ -436,8 +436,7 @@ int st_lsm6dsx_update_watermark(struct s + u16 watermark); + int st_lsm6dsx_update_fifo(struct st_lsm6dsx_sensor *sensor, bool enable); + int st_lsm6dsx_flush_fifo(struct st_lsm6dsx_hw *hw); +-int st_lsm6dsx_set_fifo_mode(struct st_lsm6dsx_hw *hw, +- enum st_lsm6dsx_fifo_mode fifo_mode); ++int st_lsm6dsx_resume_fifo(struct st_lsm6dsx_hw *hw); + int st_lsm6dsx_read_fifo(struct st_lsm6dsx_hw *hw); + int st_lsm6dsx_read_tagged_fifo(struct st_lsm6dsx_hw *hw); + int st_lsm6dsx_check_odr(struct st_lsm6dsx_sensor *sensor, u32 odr, u8 *val); +--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c ++++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c +@@ -184,8 +184,8 @@ static int st_lsm6dsx_update_decimators( + return err; + } + +-int st_lsm6dsx_set_fifo_mode(struct st_lsm6dsx_hw *hw, +- enum st_lsm6dsx_fifo_mode fifo_mode) ++static int st_lsm6dsx_set_fifo_mode(struct st_lsm6dsx_hw *hw, ++ enum st_lsm6dsx_fifo_mode fifo_mode) + { + unsigned int data; + +@@ -302,6 +302,18 @@ static int st_lsm6dsx_reset_hw_ts(struct + return 0; + } + ++int st_lsm6dsx_resume_fifo(struct st_lsm6dsx_hw *hw) ++{ ++ int err; ++ ++ /* reset hw ts counter */ ++ err = st_lsm6dsx_reset_hw_ts(hw); ++ if (err < 0) ++ return err; ++ ++ return st_lsm6dsx_set_fifo_mode(hw, ST_LSM6DSX_FIFO_CONT); ++} ++ + /* + * Set max bulk read to ST_LSM6DSX_MAX_WORD_LEN/ST_LSM6DSX_MAX_TAGGED_WORD_LEN + * in order to avoid a kmalloc for each bus access +@@ -675,12 +687,7 @@ int st_lsm6dsx_update_fifo(struct st_lsm + goto out; + + if (fifo_mask) { +- /* reset hw ts counter */ +- err = st_lsm6dsx_reset_hw_ts(hw); +- if (err < 0) +- goto out; +- +- err = st_lsm6dsx_set_fifo_mode(hw, ST_LSM6DSX_FIFO_CONT); ++ err = st_lsm6dsx_resume_fifo(hw); + if (err < 0) + goto out; + } +--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c ++++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c +@@ -2458,7 +2458,7 @@ static int __maybe_unused st_lsm6dsx_res + } + + if (hw->fifo_mask) +- err = st_lsm6dsx_set_fifo_mode(hw, ST_LSM6DSX_FIFO_CONT); ++ err = st_lsm6dsx_resume_fifo(hw); + + return err; + } diff --git a/queue-5.8/media-venus-fix-multiple-encoder-crash.patch b/queue-5.8/media-venus-fix-multiple-encoder-crash.patch new file mode 100644 index 00000000000..4fd44453492 --- /dev/null +++ b/queue-5.8/media-venus-fix-multiple-encoder-crash.patch @@ -0,0 +1,42 @@ +From e0eb34810113dbbf1ace57440cf48d514312a373 Mon Sep 17 00:00:00 2001 +From: Mansur Alisha Shaik +Date: Fri, 1 May 2020 08:28:00 +0200 +Subject: media: venus: fix multiple encoder crash + +From: Mansur Alisha Shaik + +commit e0eb34810113dbbf1ace57440cf48d514312a373 upstream. + +Currently we are considering the instances which are available +in core->inst list for load calculation in min_loaded_core() +function, but this is incorrect because by the time we call +decide_core() for second instance, the third instance not +filled yet codec_freq_data pointer. + +Solve this by considering the instances whose session has started. + +Cc: stable@vger.kernel.org # v5.7+ +Fixes: 4ebf969375bc ("media: venus: introduce core selection") +Tested-by: Douglas Anderson +Signed-off-by: Mansur Alisha Shaik +Signed-off-by: Stanimir Varbanov +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/platform/qcom/venus/pm_helpers.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/media/platform/qcom/venus/pm_helpers.c ++++ b/drivers/media/platform/qcom/venus/pm_helpers.c +@@ -496,6 +496,10 @@ min_loaded_core(struct venus_inst *inst, + list_for_each_entry(inst_pos, &core->instances, list) { + if (inst_pos == inst) + continue; ++ ++ if (inst_pos->state != INST_START) ++ continue; ++ + vpp_freq = inst_pos->clk_data.codec_freq_data->vpp_freq; + coreid = inst_pos->clk_data.core_id; + diff --git a/queue-5.8/media-vsp1-dl-fix-null-pointer-dereference-on-unbind.patch b/queue-5.8/media-vsp1-dl-fix-null-pointer-dereference-on-unbind.patch new file mode 100644 index 00000000000..540205bf6fe --- /dev/null +++ b/queue-5.8/media-vsp1-dl-fix-null-pointer-dereference-on-unbind.patch @@ -0,0 +1,102 @@ +From c92d30e4b78dc331909f8c6056c2792aa14e2166 Mon Sep 17 00:00:00 2001 +From: Eugeniu Rosca +Date: Tue, 2 Jun 2020 21:50:16 +0200 +Subject: media: vsp1: dl: Fix NULL pointer dereference on unbind + +From: Eugeniu Rosca + +commit c92d30e4b78dc331909f8c6056c2792aa14e2166 upstream. + +In commit f3b98e3c4d2e16 ("media: vsp1: Provide support for extended +command pools"), the vsp pointer used for referencing the VSP1 device +structure from a command pool during vsp1_dl_ext_cmd_pool_destroy() was +not populated. + +Correctly assign the pointer to prevent the following +null-pointer-dereference when removing the device: + +[*] h3ulcb-kf #> +echo fea28000.vsp > /sys/bus/platform/devices/fea28000.vsp/driver/unbind + Unable to handle kernel NULL pointer dereference at virtual address 0000000000000028 + Mem abort info: + ESR = 0x96000006 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + Data abort info: + ISV = 0, ISS = 0x00000006 + CM = 0, WnR = 0 + user pgtable: 4k pages, 48-bit VAs, pgdp=00000007318be000 + [0000000000000028] pgd=00000007333a1003, pud=00000007333a6003, pmd=0000000000000000 + Internal error: Oops: 96000006 [#1] PREEMPT SMP + Modules linked in: + CPU: 1 PID: 486 Comm: sh Not tainted 5.7.0-rc6-arm64-renesas-00118-ge644645abf47 #185 + Hardware name: Renesas H3ULCB Kingfisher board based on r8a77951 (DT) + pstate: 40000005 (nZcv daif -PAN -UAO) + pc : vsp1_dlm_destroy+0xe4/0x11c + lr : vsp1_dlm_destroy+0xc8/0x11c + sp : ffff800012963b60 + x29: ffff800012963b60 x28: ffff0006f83fc440 + x27: 0000000000000000 x26: ffff0006f5e13e80 + x25: ffff0006f5e13ed0 x24: ffff0006f5e13ed0 + x23: ffff0006f5e13ed0 x22: dead000000000122 + x21: ffff0006f5e3a080 x20: ffff0006f5df2938 + x19: ffff0006f5df2980 x18: 0000000000000003 + x17: 0000000000000000 x16: 0000000000000016 + x15: 0000000000000003 x14: 00000000000393c0 + x13: ffff800011a5ec18 x12: ffff800011d8d000 + x11: ffff0006f83fcc68 x10: ffff800011a53d70 + x9 : ffff8000111f3000 x8 : 0000000000000000 + x7 : 0000000000210d00 x6 : 0000000000000000 + x5 : ffff800010872e60 x4 : 0000000000000004 + x3 : 0000000078068000 x2 : ffff800012781000 + x1 : 0000000000002c00 x0 : 0000000000000000 + Call trace: + vsp1_dlm_destroy+0xe4/0x11c + vsp1_wpf_destroy+0x10/0x20 + vsp1_entity_destroy+0x24/0x4c + vsp1_destroy_entities+0x54/0x130 + vsp1_remove+0x1c/0x40 + platform_drv_remove+0x28/0x50 + __device_release_driver+0x178/0x220 + device_driver_detach+0x44/0xc0 + unbind_store+0xe0/0x104 + drv_attr_store+0x20/0x30 + sysfs_kf_write+0x48/0x70 + kernfs_fop_write+0x148/0x230 + __vfs_write+0x18/0x40 + vfs_write+0xdc/0x1c4 + ksys_write+0x68/0xf0 + __arm64_sys_write+0x18/0x20 + el0_svc_common.constprop.0+0x70/0x170 + do_el0_svc+0x20/0x80 + el0_sync_handler+0x134/0x1b0 + el0_sync+0x140/0x180 + Code: b40000c2 f9403a60 d2800084 a9400663 (f9401400) + ---[ end trace 3875369841fb288a ]--- + +Fixes: f3b98e3c4d2e16 ("media: vsp1: Provide support for extended command pools") +Cc: stable@vger.kernel.org # v4.19+ +Signed-off-by: Eugeniu Rosca +Reviewed-by: Kieran Bingham +Tested-by: Kieran Bingham +Reviewed-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/platform/vsp1/vsp1_dl.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/media/platform/vsp1/vsp1_dl.c ++++ b/drivers/media/platform/vsp1/vsp1_dl.c +@@ -431,6 +431,8 @@ vsp1_dl_cmd_pool_create(struct vsp1_devi + if (!pool) + return NULL; + ++ pool->vsp1 = vsp1; ++ + spin_lock_init(&pool->lock); + INIT_LIST_HEAD(&pool->free); + diff --git a/queue-5.8/pinctrl-ingenic-enhance-support-for-irq_type_edge_both.patch b/queue-5.8/pinctrl-ingenic-enhance-support-for-irq_type_edge_both.patch new file mode 100644 index 00000000000..e24a55a9cb5 --- /dev/null +++ b/queue-5.8/pinctrl-ingenic-enhance-support-for-irq_type_edge_both.patch @@ -0,0 +1,68 @@ +From 1c95348ba327fe8621d3680890c2341523d3524a Mon Sep 17 00:00:00 2001 +From: Paul Cercueil +Date: Mon, 22 Jun 2020 23:45:47 +0200 +Subject: pinctrl: ingenic: Enhance support for IRQ_TYPE_EDGE_BOTH +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Paul Cercueil + +commit 1c95348ba327fe8621d3680890c2341523d3524a upstream. + +Ingenic SoCs don't natively support registering an interrupt for both +rising and falling edges. This has to be emulated in software. + +Until now, this was emulated by switching back and forth between +IRQ_TYPE_EDGE_RISING and IRQ_TYPE_EDGE_FALLING according to the level of +the GPIO. While this worked most of the time, when used with GPIOs that +need debouncing, some events would be lost. For instance, between the +time a falling-edge interrupt happens and the interrupt handler +configures the hardware for rising-edge, the level of the pin may have +already risen, and the rising-edge event is lost. + +To address that issue, instead of switching back and forth between +IRQ_TYPE_EDGE_RISING and IRQ_TYPE_EDGE_FALLING, we now switch back and +forth between IRQ_TYPE_LEVEL_LOW and IRQ_TYPE_LEVEL_HIGH. Since we +always switch in the interrupt handler, they actually permit to detect +level changes. In the example above, if the pin level rises before +switching the IRQ type from IRQ_TYPE_LEVEL_LOW to IRQ_TYPE_LEVEL_HIGH, +a new interrupt will raise as soon as the handler exits, and the +rising-edge event will be properly detected. + +Fixes: e72394e2ea19 ("pinctrl: ingenic: Merge GPIO functionality") +Reported-by: João Henrique +Signed-off-by: Paul Cercueil +Tested-by: João Henrique +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200622214548.265417-1-paul@crapouillou.net +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/pinctrl-ingenic.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/pinctrl/pinctrl-ingenic.c ++++ b/drivers/pinctrl/pinctrl-ingenic.c +@@ -1810,9 +1810,9 @@ static void ingenic_gpio_irq_ack(struct + */ + high = ingenic_gpio_get_value(jzgc, irq); + if (high) +- irq_set_type(jzgc, irq, IRQ_TYPE_EDGE_FALLING); ++ irq_set_type(jzgc, irq, IRQ_TYPE_LEVEL_LOW); + else +- irq_set_type(jzgc, irq, IRQ_TYPE_EDGE_RISING); ++ irq_set_type(jzgc, irq, IRQ_TYPE_LEVEL_HIGH); + } + + if (jzgc->jzpc->info->version >= ID_JZ4760) +@@ -1848,7 +1848,7 @@ static int ingenic_gpio_irq_set_type(str + */ + bool high = ingenic_gpio_get_value(jzgc, irqd->hwirq); + +- type = high ? IRQ_TYPE_EDGE_FALLING : IRQ_TYPE_EDGE_RISING; ++ type = high ? IRQ_TYPE_LEVEL_LOW : IRQ_TYPE_LEVEL_HIGH; + } + + irq_set_type(jzgc, irqd->hwirq, type); diff --git a/queue-5.8/pinctrl-ingenic-properly-detect-gpio-direction-when-configured-for-irq.patch b/queue-5.8/pinctrl-ingenic-properly-detect-gpio-direction-when-configured-for-irq.patch new file mode 100644 index 00000000000..98801f6ce05 --- /dev/null +++ b/queue-5.8/pinctrl-ingenic-properly-detect-gpio-direction-when-configured-for-irq.patch @@ -0,0 +1,42 @@ +From 84e7a946da71f678affacea301f6d5cb4d9784e8 Mon Sep 17 00:00:00 2001 +From: Paul Cercueil +Date: Mon, 22 Jun 2020 23:45:48 +0200 +Subject: pinctrl: ingenic: Properly detect GPIO direction when configured for IRQ +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Paul Cercueil + +commit 84e7a946da71f678affacea301f6d5cb4d9784e8 upstream. + +The PAT1 register contains information about the IRQ type (edge/level) +for input GPIOs with IRQ enabled, and the direction for non-IRQ GPIOs. +So it makes sense to read it only if the GPIO has no interrupt +configured, otherwise input GPIOs configured for level IRQs are +misdetected as output GPIOs. + +Fixes: ebd6651418b6 ("pinctrl: ingenic: Implement .get_direction for GPIO chips") +Reported-by: João Henrique +Signed-off-by: Paul Cercueil +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200622214548.265417-2-paul@crapouillou.net +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/pinctrl-ingenic.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/pinctrl/pinctrl-ingenic.c ++++ b/drivers/pinctrl/pinctrl-ingenic.c +@@ -1955,7 +1955,8 @@ static int ingenic_gpio_get_direction(st + unsigned int pin = gc->base + offset; + + if (jzpc->info->version >= ID_JZ4760) { +- if (ingenic_get_pin_config(jzpc, pin, JZ4760_GPIO_PAT1)) ++ if (ingenic_get_pin_config(jzpc, pin, JZ4760_GPIO_INT) || ++ ingenic_get_pin_config(jzpc, pin, JZ4760_GPIO_PAT1)) + return GPIO_LINE_DIRECTION_IN; + return GPIO_LINE_DIRECTION_OUT; + } diff --git a/queue-5.8/powerpc-allow-4224-bytes-of-stack-expansion-for-the-signal-frame.patch b/queue-5.8/powerpc-allow-4224-bytes-of-stack-expansion-for-the-signal-frame.patch new file mode 100644 index 00000000000..ed29c0ef08c --- /dev/null +++ b/queue-5.8/powerpc-allow-4224-bytes-of-stack-expansion-for-the-signal-frame.patch @@ -0,0 +1,184 @@ +From 63dee5df43a31f3844efabc58972f0a206ca4534 Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Fri, 24 Jul 2020 19:25:25 +1000 +Subject: powerpc: Allow 4224 bytes of stack expansion for the signal frame + +From: Michael Ellerman + +commit 63dee5df43a31f3844efabc58972f0a206ca4534 upstream. + +We have powerpc specific logic in our page fault handling to decide if +an access to an unmapped address below the stack pointer should expand +the stack VMA. + +The code was originally added in 2004 "ported from 2.4". The rough +logic is that the stack is allowed to grow to 1MB with no extra +checking. Over 1MB the access must be within 2048 bytes of the stack +pointer, or be from a user instruction that updates the stack pointer. + +The 2048 byte allowance below the stack pointer is there to cover the +288 byte "red zone" as well as the "about 1.5kB" needed by the signal +delivery code. + +Unfortunately since then the signal frame has expanded, and is now +4224 bytes on 64-bit kernels with transactional memory enabled. This +means if a process has consumed more than 1MB of stack, and its stack +pointer lies less than 4224 bytes from the next page boundary, signal +delivery will fault when trying to expand the stack and the process +will see a SEGV. + +The total size of the signal frame is the size of struct rt_sigframe +(which includes the red zone) plus __SIGNAL_FRAMESIZE (128 bytes on +64-bit). + +The 2048 byte allowance was correct until 2008 as the signal frame +was: + +struct rt_sigframe { + struct ucontext uc; /* 0 1440 */ + /* --- cacheline 11 boundary (1408 bytes) was 32 bytes ago --- */ + long unsigned int _unused[2]; /* 1440 16 */ + unsigned int tramp[6]; /* 1456 24 */ + struct siginfo * pinfo; /* 1480 8 */ + void * puc; /* 1488 8 */ + struct siginfo info; /* 1496 128 */ + /* --- cacheline 12 boundary (1536 bytes) was 88 bytes ago --- */ + char abigap[288]; /* 1624 288 */ + + /* size: 1920, cachelines: 15, members: 7 */ + /* padding: 8 */ +}; + +1920 + 128 = 2048 + +Then in commit ce48b2100785 ("powerpc: Add VSX context save/restore, +ptrace and signal support") (Jul 2008) the signal frame expanded to +2304 bytes: + +struct rt_sigframe { + struct ucontext uc; /* 0 1696 */ <-- + /* --- cacheline 13 boundary (1664 bytes) was 32 bytes ago --- */ + long unsigned int _unused[2]; /* 1696 16 */ + unsigned int tramp[6]; /* 1712 24 */ + struct siginfo * pinfo; /* 1736 8 */ + void * puc; /* 1744 8 */ + struct siginfo info; /* 1752 128 */ + /* --- cacheline 14 boundary (1792 bytes) was 88 bytes ago --- */ + char abigap[288]; /* 1880 288 */ + + /* size: 2176, cachelines: 17, members: 7 */ + /* padding: 8 */ +}; + +2176 + 128 = 2304 + +At this point we should have been exposed to the bug, though as far as +I know it was never reported. I no longer have a system old enough to +easily test on. + +Then in 2010 commit 320b2b8de126 ("mm: keep a guard page below a +grow-down stack segment") caused our stack expansion code to never +trigger, as there was always a VMA found for a write up to PAGE_SIZE +below r1. + +That meant the bug was hidden as we continued to expand the signal +frame in commit 2b0a576d15e0 ("powerpc: Add new transactional memory +state to the signal context") (Feb 2013): + +struct rt_sigframe { + struct ucontext uc; /* 0 1696 */ + /* --- cacheline 13 boundary (1664 bytes) was 32 bytes ago --- */ + struct ucontext uc_transact; /* 1696 1696 */ <-- + /* --- cacheline 26 boundary (3328 bytes) was 64 bytes ago --- */ + long unsigned int _unused[2]; /* 3392 16 */ + unsigned int tramp[6]; /* 3408 24 */ + struct siginfo * pinfo; /* 3432 8 */ + void * puc; /* 3440 8 */ + struct siginfo info; /* 3448 128 */ + /* --- cacheline 27 boundary (3456 bytes) was 120 bytes ago --- */ + char abigap[288]; /* 3576 288 */ + + /* size: 3872, cachelines: 31, members: 8 */ + /* padding: 8 */ + /* last cacheline: 32 bytes */ +}; + +3872 + 128 = 4000 + +And commit 573ebfa6601f ("powerpc: Increase stack redzone for 64-bit +userspace to 512 bytes") (Feb 2014): + +struct rt_sigframe { + struct ucontext uc; /* 0 1696 */ + /* --- cacheline 13 boundary (1664 bytes) was 32 bytes ago --- */ + struct ucontext uc_transact; /* 1696 1696 */ + /* --- cacheline 26 boundary (3328 bytes) was 64 bytes ago --- */ + long unsigned int _unused[2]; /* 3392 16 */ + unsigned int tramp[6]; /* 3408 24 */ + struct siginfo * pinfo; /* 3432 8 */ + void * puc; /* 3440 8 */ + struct siginfo info; /* 3448 128 */ + /* --- cacheline 27 boundary (3456 bytes) was 120 bytes ago --- */ + char abigap[512]; /* 3576 512 */ <-- + + /* size: 4096, cachelines: 32, members: 8 */ + /* padding: 8 */ +}; + +4096 + 128 = 4224 + +Then finally in 2017, commit 1be7107fbe18 ("mm: larger stack guard +gap, between vmas") exposed us to the existing bug, because it changed +the stack VMA to be the correct/real size, meaning our stack expansion +code is now triggered. + +Fix it by increasing the allowance to 4224 bytes. + +Hard-coding 4224 is obviously unsafe against future expansions of the +signal frame in the same way as the existing code. We can't easily use +sizeof() because the signal frame structure is not in a header. We +will either fix that, or rip out all the custom stack expansion +checking logic entirely. + +Fixes: ce48b2100785 ("powerpc: Add VSX context save/restore, ptrace and signal support") +Cc: stable@vger.kernel.org # v2.6.27+ +Reported-by: Tom Lane +Tested-by: Daniel Axtens +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200724092528.1578671-2-mpe@ellerman.id.au +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/fault.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/mm/fault.c ++++ b/arch/powerpc/mm/fault.c +@@ -267,6 +267,9 @@ static bool bad_kernel_fault(struct pt_r + return false; + } + ++// This comes from 64-bit struct rt_sigframe + __SIGNAL_FRAMESIZE ++#define SIGFRAME_MAX_SIZE (4096 + 128) ++ + static bool bad_stack_expansion(struct pt_regs *regs, unsigned long address, + struct vm_area_struct *vma, unsigned int flags, + bool *must_retry) +@@ -274,7 +277,7 @@ static bool bad_stack_expansion(struct p + /* + * N.B. The POWER/Open ABI allows programs to access up to + * 288 bytes below the stack pointer. +- * The kernel signal delivery code writes up to about 1.5kB ++ * The kernel signal delivery code writes a bit over 4KB + * below the stack pointer (r1) before decrementing it. + * The exec code can write slightly over 640kB to the stack + * before setting the user r1. Thus we allow the stack to +@@ -299,7 +302,7 @@ static bool bad_stack_expansion(struct p + * between the last mapped region and the stack will + * expand the stack rather than segfaulting. + */ +- if (address + 2048 >= uregs->gpr[1]) ++ if (address + SIGFRAME_MAX_SIZE >= uregs->gpr[1]) + return false; + + if ((flags & FAULT_FLAG_WRITE) && (flags & FAULT_FLAG_USER) && diff --git a/queue-5.8/powerpc-fix-circular-dependency-between-percpu.h-and-mmu.h.patch b/queue-5.8/powerpc-fix-circular-dependency-between-percpu.h-and-mmu.h.patch new file mode 100644 index 00000000000..ced8e21f9f0 --- /dev/null +++ b/queue-5.8/powerpc-fix-circular-dependency-between-percpu.h-and-mmu.h.patch @@ -0,0 +1,66 @@ +From 0c83b277ada72b585e6a3e52b067669df15bcedb Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Tue, 4 Aug 2020 22:44:06 +1000 +Subject: powerpc: Fix circular dependency between percpu.h and mmu.h + +From: Michael Ellerman + +commit 0c83b277ada72b585e6a3e52b067669df15bcedb upstream. + +Recently random.h started including percpu.h (see commit +f227e3ec3b5c ("random32: update the net random state on interrupt and +activity")), which broke corenet64_smp_defconfig: + + In file included from /linux/arch/powerpc/include/asm/paca.h:18, + from /linux/arch/powerpc/include/asm/percpu.h:13, + from /linux/include/linux/random.h:14, + from /linux/lib/uuid.c:14: + /linux/arch/powerpc/include/asm/mmu.h:139:22: error: unknown type name 'next_tlbcam_idx' + 139 | DECLARE_PER_CPU(int, next_tlbcam_idx); + +This is due to a circular header dependency: + asm/mmu.h includes asm/percpu.h, which includes asm/paca.h, which + includes asm/mmu.h + +Which means DECLARE_PER_CPU() isn't defined when mmu.h needs it. + +We can fix it by moving the include of paca.h below the include of +asm-generic/percpu.h. + +This moves the include of paca.h out of the #ifdef __powerpc64__, but +that is OK because paca.h is almost entirely inside #ifdef +CONFIG_PPC64 anyway. + +It also moves the include of paca.h out of the #ifdef CONFIG_SMP, +which could possibly break something, but seems to have no ill +effects. + +Fixes: f227e3ec3b5c ("random32: update the net random state on interrupt and activity") +Cc: stable@vger.kernel.org # v5.8 +Reported-by: Stephen Rothwell +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200804130558.292328-1-mpe@ellerman.id.au +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/percpu.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/include/asm/percpu.h ++++ b/arch/powerpc/include/asm/percpu.h +@@ -10,8 +10,6 @@ + + #ifdef CONFIG_SMP + +-#include +- + #define __my_cpu_offset local_paca->data_offset + + #endif /* CONFIG_SMP */ +@@ -19,4 +17,6 @@ + + #include + ++#include ++ + #endif /* _ASM_POWERPC_PERCPU_H_ */ diff --git a/queue-5.8/powerpc-ptdump-fix-build-failure-in-hashpagetable.c.patch b/queue-5.8/powerpc-ptdump-fix-build-failure-in-hashpagetable.c.patch new file mode 100644 index 00000000000..f01eb473f98 --- /dev/null +++ b/queue-5.8/powerpc-ptdump-fix-build-failure-in-hashpagetable.c.patch @@ -0,0 +1,36 @@ +From 7c466b0807960edc13e4b855be85ea765df9a6cd Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Mon, 15 Jun 2020 13:18:39 +0000 +Subject: powerpc/ptdump: Fix build failure in hashpagetable.c + +From: Christophe Leroy + +commit 7c466b0807960edc13e4b855be85ea765df9a6cd upstream. + +H_SUCCESS is only defined when CONFIG_PPC_PSERIES is defined. + +!= H_SUCCESS means != 0. Modify the test accordingly. + +Fixes: 65e701b2d2a8 ("powerpc/ptdump: drop non vital #ifdefs") +Cc: stable@vger.kernel.org +Reported-by: kernel test robot +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/795158fc1d2b3dff3bf7347881947a887ea9391a.1592227105.git.christophe.leroy@csgroup.eu +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/ptdump/hashpagetable.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/mm/ptdump/hashpagetable.c ++++ b/arch/powerpc/mm/ptdump/hashpagetable.c +@@ -258,7 +258,7 @@ static int pseries_find(unsigned long ea + for (i = 0; i < HPTES_PER_GROUP; i += 4, hpte_group += 4) { + lpar_rc = plpar_pte_read_4(0, hpte_group, (void *)ptes); + +- if (lpar_rc != H_SUCCESS) ++ if (lpar_rc) + continue; + for (j = 0; j < 4; j++) { + if (HPTE_V_COMPARE(ptes[j].v, want_v) && diff --git a/queue-5.8/series b/queue-5.8/series index 6178089ab7c..c917e8ae253 100644 --- a/queue-5.8/series +++ b/queue-5.8/series @@ -39,3 +39,18 @@ btrfs-trim-fix-underflow-in-trim-length-to-prevent-access-beyond-device-boundary btrfs-make-sure-sb_i_version-doesn-t-get-unset-by-remount.patch btrfs-fix-return-value-mixup-in-btrfs_get_extent.patch btrfs-check-correct-variable-after-allocation-in-btrfs_backref_iter_alloc.patch +arm64-dts-qcom-sc7180-drop-the-unused-non-msa-sid.patch +arm64-perf-correct-the-event-index-in-sysfs.patch +dt-bindings-iio-io-channel-mux-fix-compatible-string-in-example-code.patch +iio-dac-ad5592r-fix-unbalanced-mutex-unlocks-in-ad5592r_read_raw.patch +iio-imu-st_lsm6dsx-reset-hw-ts-after-resume.patch +xtensa-add-missing-exclusive-access-state-management.patch +xtensa-fix-xtensa_pmu_setup-prototype.patch +cifs-fix-leak-when-handling-lease-break-for-cached-root-fid.patch +powerpc-ptdump-fix-build-failure-in-hashpagetable.c.patch +powerpc-allow-4224-bytes-of-stack-expansion-for-the-signal-frame.patch +powerpc-fix-circular-dependency-between-percpu.h-and-mmu.h.patch +pinctrl-ingenic-enhance-support-for-irq_type_edge_both.patch +pinctrl-ingenic-properly-detect-gpio-direction-when-configured-for-irq.patch +media-venus-fix-multiple-encoder-crash.patch +media-vsp1-dl-fix-null-pointer-dereference-on-unbind.patch diff --git a/queue-5.8/xtensa-add-missing-exclusive-access-state-management.patch b/queue-5.8/xtensa-add-missing-exclusive-access-state-management.patch new file mode 100644 index 00000000000..00bf6c23505 --- /dev/null +++ b/queue-5.8/xtensa-add-missing-exclusive-access-state-management.patch @@ -0,0 +1,80 @@ +From a0fc1436f1f4f84e93144480bf30e0c958d135b6 Mon Sep 17 00:00:00 2001 +From: Max Filippov +Date: Fri, 31 Jul 2020 12:38:05 -0700 +Subject: xtensa: add missing exclusive access state management + +From: Max Filippov + +commit a0fc1436f1f4f84e93144480bf30e0c958d135b6 upstream. + +The result of the s32ex opcode is recorded in the ATOMCTL special +register and must be retrieved with the getex opcode. Context switch +between s32ex and getex may trash the ATOMCTL register and result in +duplicate update or missing update of the atomic variable. +Add atomctl8 field to the struct thread_info and use getex to swap +ATOMCTL bit 8 as a part of context switch. +Clear exclusive access monitor on kernel entry. + +Cc: stable@vger.kernel.org +Fixes: f7c34874f04a ("xtensa: add exclusive atomics support") +Signed-off-by: Max Filippov +Signed-off-by: Greg Kroah-Hartman + +--- + arch/xtensa/include/asm/thread_info.h | 4 ++++ + arch/xtensa/kernel/asm-offsets.c | 3 +++ + arch/xtensa/kernel/entry.S | 11 +++++++++++ + 3 files changed, 18 insertions(+) + +--- a/arch/xtensa/include/asm/thread_info.h ++++ b/arch/xtensa/include/asm/thread_info.h +@@ -55,6 +55,10 @@ struct thread_info { + mm_segment_t addr_limit; /* thread address space */ + + unsigned long cpenable; ++#if XCHAL_HAVE_EXCLUSIVE ++ /* result of the most recent exclusive store */ ++ unsigned long atomctl8; ++#endif + + /* Allocate storage for extra user states and coprocessor states. */ + #if XTENSA_HAVE_COPROCESSORS +--- a/arch/xtensa/kernel/asm-offsets.c ++++ b/arch/xtensa/kernel/asm-offsets.c +@@ -93,6 +93,9 @@ int main(void) + DEFINE(THREAD_RA, offsetof (struct task_struct, thread.ra)); + DEFINE(THREAD_SP, offsetof (struct task_struct, thread.sp)); + DEFINE(THREAD_CPENABLE, offsetof (struct thread_info, cpenable)); ++#if XCHAL_HAVE_EXCLUSIVE ++ DEFINE(THREAD_ATOMCTL8, offsetof (struct thread_info, atomctl8)); ++#endif + #if XTENSA_HAVE_COPROCESSORS + DEFINE(THREAD_XTREGS_CP0, offsetof(struct thread_info, xtregs_cp.cp0)); + DEFINE(THREAD_XTREGS_CP1, offsetof(struct thread_info, xtregs_cp.cp1)); +--- a/arch/xtensa/kernel/entry.S ++++ b/arch/xtensa/kernel/entry.S +@@ -374,6 +374,11 @@ common_exception: + s32i a2, a1, PT_LCOUNT + #endif + ++#if XCHAL_HAVE_EXCLUSIVE ++ /* Clear exclusive access monitor set by interrupted code */ ++ clrex ++#endif ++ + /* It is now save to restore the EXC_TABLE_FIXUP variable. */ + + rsr a2, exccause +@@ -2020,6 +2025,12 @@ ENTRY(_switch_to) + s32i a3, a4, THREAD_CPENABLE + #endif + ++#if XCHAL_HAVE_EXCLUSIVE ++ l32i a3, a5, THREAD_ATOMCTL8 ++ getex a3 ++ s32i a3, a4, THREAD_ATOMCTL8 ++#endif ++ + /* Flush register file. */ + + spill_registers_kernel diff --git a/queue-5.8/xtensa-fix-xtensa_pmu_setup-prototype.patch b/queue-5.8/xtensa-fix-xtensa_pmu_setup-prototype.patch new file mode 100644 index 00000000000..5e621291883 --- /dev/null +++ b/queue-5.8/xtensa-fix-xtensa_pmu_setup-prototype.patch @@ -0,0 +1,38 @@ +From 6d65d3769d1910379e1cfa61ebf387efc6bfb22c Mon Sep 17 00:00:00 2001 +From: Max Filippov +Date: Fri, 31 Jul 2020 12:37:32 -0700 +Subject: xtensa: fix xtensa_pmu_setup prototype +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Max Filippov + +commit 6d65d3769d1910379e1cfa61ebf387efc6bfb22c upstream. + +Fix the following build error in configurations with +CONFIG_XTENSA_VARIANT_HAVE_PERF_EVENTS=y: + + arch/xtensa/kernel/perf_event.c:420:29: error: passing argument 3 of + ‘cpuhp_setup_state’ from incompatible pointer type + +Cc: stable@vger.kernel.org +Fixes: 25a77b55e74c ("xtensa/perf: Convert the hotplug notifier to state machine callbacks") +Signed-off-by: Max Filippov +Signed-off-by: Greg Kroah-Hartman + +--- + arch/xtensa/kernel/perf_event.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/xtensa/kernel/perf_event.c ++++ b/arch/xtensa/kernel/perf_event.c +@@ -399,7 +399,7 @@ static struct pmu xtensa_pmu = { + .read = xtensa_pmu_read, + }; + +-static int xtensa_pmu_setup(int cpu) ++static int xtensa_pmu_setup(unsigned int cpu) + { + unsigned i; +