From 5d37a31c726851aa973c7f51cb7e038bd50bf36d Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 24 Jul 2019 14:17:57 +0200 Subject: [PATCH] 5.2-stable patches added patches: bluetooth-add-smp-workaround-microsoft-surface-precision-mouse-bug.patch ecryptfs-fix-a-couple-type-promotion-bugs.patch gpu-ipu-v3-ipu-ic-fix-saturation-bit-offset-in-tpmem.patch intel_th-msu-fix-single-mode-with-disabled-iommu.patch intel_th-msu-remove-set-but-not-used-variable-last.patch mmc-sdhci-msm-fix-mutex-while-in-spinlock.patch mtd-rawnand-mtk-correct-low-level-time-calculation-of-r-w-cycle.patch mtd-spinand-read-returns-badly-if-the-last-page-has-bitflips.patch parisc-avoid-kernel-panic-triggered-by-invalid-kprobe.patch parisc-ensure-userspace-privilege-for-ptraced-processes-in-regset-functions.patch parisc-fix-kernel-panic-due-invalid-values-in-iaoq0-or-iaoq1.patch powerpc-32s-fix-suspend-resume-when-ibats-4-7-are-used.patch powerpc-mm-32s-fix-condition-that-is-always-true.patch powerpc-powernv-fix-stale-iommu-table-base-after-vfio.patch powerpc-powernv-idle-fix-restore-of-sprn_ldbar-for-power9-stop-state.patch powerpc-powernv-npu-fix-reference-leak.patch powerpc-pseries-fix-oops-in-hotplug-memory-notifier.patch powerpc-pseries-fix-xive-off-command-line.patch powerpc-watchpoint-restore-nv-gprs-while-returning-from-exception.patch --- ...icrosoft-surface-precision-mouse-bug.patch | 67 +++++ ...tfs-fix-a-couple-type-promotion-bugs.patch | 51 ++++ ...c-fix-saturation-bit-offset-in-tpmem.patch | 36 +++ ...-fix-single-mode-with-disabled-iommu.patch | 40 +++ ...emove-set-but-not-used-variable-last.patch | 44 ++++ ...dhci-msm-fix-mutex-while-in-spinlock.patch | 57 ++++ ...-level-time-calculation-of-r-w-cycle.patch | 81 ++++++ ...-badly-if-the-last-page-has-bitflips.patch | 42 +++ ...el-panic-triggered-by-invalid-kprobe.patch | 63 +++++ ...traced-processes-in-regset-functions.patch | 41 +++ ...due-invalid-values-in-iaoq0-or-iaoq1.patch | 84 ++++++ ...spend-resume-when-ibats-4-7-are-used.patch | 249 ++++++++++++++++++ ...2s-fix-condition-that-is-always-true.patch | 33 +++ ...ix-stale-iommu-table-base-after-vfio.patch | 63 +++++ ...-of-sprn_ldbar-for-power9-stop-state.patch | 45 ++++ ...werpc-powernv-npu-fix-reference-leak.patch | 70 +++++ ...-fix-oops-in-hotplug-memory-notifier.patch | 39 +++ ...pc-pseries-fix-xive-off-command-line.patch | 171 ++++++++++++ ...-gprs-while-returning-from-exception.patch | 116 ++++++++ queue-5.2/series | 19 ++ 20 files changed, 1411 insertions(+) create mode 100644 queue-5.2/bluetooth-add-smp-workaround-microsoft-surface-precision-mouse-bug.patch create mode 100644 queue-5.2/ecryptfs-fix-a-couple-type-promotion-bugs.patch create mode 100644 queue-5.2/gpu-ipu-v3-ipu-ic-fix-saturation-bit-offset-in-tpmem.patch create mode 100644 queue-5.2/intel_th-msu-fix-single-mode-with-disabled-iommu.patch create mode 100644 queue-5.2/intel_th-msu-remove-set-but-not-used-variable-last.patch create mode 100644 queue-5.2/mmc-sdhci-msm-fix-mutex-while-in-spinlock.patch create mode 100644 queue-5.2/mtd-rawnand-mtk-correct-low-level-time-calculation-of-r-w-cycle.patch create mode 100644 queue-5.2/mtd-spinand-read-returns-badly-if-the-last-page-has-bitflips.patch create mode 100644 queue-5.2/parisc-avoid-kernel-panic-triggered-by-invalid-kprobe.patch create mode 100644 queue-5.2/parisc-ensure-userspace-privilege-for-ptraced-processes-in-regset-functions.patch create mode 100644 queue-5.2/parisc-fix-kernel-panic-due-invalid-values-in-iaoq0-or-iaoq1.patch create mode 100644 queue-5.2/powerpc-32s-fix-suspend-resume-when-ibats-4-7-are-used.patch create mode 100644 queue-5.2/powerpc-mm-32s-fix-condition-that-is-always-true.patch create mode 100644 queue-5.2/powerpc-powernv-fix-stale-iommu-table-base-after-vfio.patch create mode 100644 queue-5.2/powerpc-powernv-idle-fix-restore-of-sprn_ldbar-for-power9-stop-state.patch create mode 100644 queue-5.2/powerpc-powernv-npu-fix-reference-leak.patch create mode 100644 queue-5.2/powerpc-pseries-fix-oops-in-hotplug-memory-notifier.patch create mode 100644 queue-5.2/powerpc-pseries-fix-xive-off-command-line.patch create mode 100644 queue-5.2/powerpc-watchpoint-restore-nv-gprs-while-returning-from-exception.patch diff --git a/queue-5.2/bluetooth-add-smp-workaround-microsoft-surface-precision-mouse-bug.patch b/queue-5.2/bluetooth-add-smp-workaround-microsoft-surface-precision-mouse-bug.patch new file mode 100644 index 00000000000..d9bad8eb770 --- /dev/null +++ b/queue-5.2/bluetooth-add-smp-workaround-microsoft-surface-precision-mouse-bug.patch @@ -0,0 +1,67 @@ +From 1d87b88ba26eabd4745e158ecfd87c93a9b51dc2 Mon Sep 17 00:00:00 2001 +From: Szymon Janc +Date: Wed, 19 Jun 2019 00:47:47 +0200 +Subject: Bluetooth: Add SMP workaround Microsoft Surface Precision Mouse bug + +From: Szymon Janc + +commit 1d87b88ba26eabd4745e158ecfd87c93a9b51dc2 upstream. + +Microsoft Surface Precision Mouse provides bogus identity address when +pairing. It connects with Static Random address but provides Public +Address in SMP Identity Address Information PDU. Address has same +value but type is different. Workaround this by dropping IRK if ID +address discrepancy is detected. + +> HCI Event: LE Meta Event (0x3e) plen 19 + LE Connection Complete (0x01) + Status: Success (0x00) + Handle: 75 + Role: Master (0x00) + Peer address type: Random (0x01) + Peer address: E0:52:33:93:3B:21 (Static) + Connection interval: 50.00 msec (0x0028) + Connection latency: 0 (0x0000) + Supervision timeout: 420 msec (0x002a) + Master clock accuracy: 0x00 + +.... + +> ACL Data RX: Handle 75 flags 0x02 dlen 12 + SMP: Identity Address Information (0x09) len 7 + Address type: Public (0x00) + Address: E0:52:33:93:3B:21 + +Signed-off-by: Szymon Janc +Tested-by: Maarten Fonville +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199461 +Cc: stable@vger.kernel.org +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/smp.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/net/bluetooth/smp.c ++++ b/net/bluetooth/smp.c +@@ -2579,6 +2579,19 @@ static int smp_cmd_ident_addr_info(struc + goto distribute; + } + ++ /* Drop IRK if peer is using identity address during pairing but is ++ * providing different address as identity information. ++ * ++ * Microsoft Surface Precision Mouse is known to have this bug. ++ */ ++ if (hci_is_identity_address(&hcon->dst, hcon->dst_type) && ++ (bacmp(&info->bdaddr, &hcon->dst) || ++ info->addr_type != hcon->dst_type)) { ++ bt_dev_err(hcon->hdev, ++ "ignoring IRK with invalid identity address"); ++ goto distribute; ++ } ++ + bacpy(&smp->id_addr, &info->bdaddr); + smp->id_addr_type = info->addr_type; + diff --git a/queue-5.2/ecryptfs-fix-a-couple-type-promotion-bugs.patch b/queue-5.2/ecryptfs-fix-a-couple-type-promotion-bugs.patch new file mode 100644 index 00000000000..1ccc5e37c97 --- /dev/null +++ b/queue-5.2/ecryptfs-fix-a-couple-type-promotion-bugs.patch @@ -0,0 +1,51 @@ +From 0bdf8a8245fdea6f075a5fede833a5fcf1b3466c Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 4 Jul 2018 12:35:56 +0300 +Subject: eCryptfs: fix a couple type promotion bugs + +From: Dan Carpenter + +commit 0bdf8a8245fdea6f075a5fede833a5fcf1b3466c upstream. + +ECRYPTFS_SIZE_AND_MARKER_BYTES is type size_t, so if "rc" is negative +that gets type promoted to a high positive value and treated as success. + +Fixes: 778aeb42a708 ("eCryptfs: Cleanup and optimize ecryptfs_lookup_interpose()") +Signed-off-by: Dan Carpenter +[tyhicks: Use "if/else if" rather than "if/if"] +Cc: stable@vger.kernel.org +Signed-off-by: Tyler Hicks +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ecryptfs/crypto.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/fs/ecryptfs/crypto.c ++++ b/fs/ecryptfs/crypto.c +@@ -1004,8 +1004,10 @@ int ecryptfs_read_and_validate_header_re + + rc = ecryptfs_read_lower(file_size, 0, ECRYPTFS_SIZE_AND_MARKER_BYTES, + inode); +- if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES) +- return rc >= 0 ? -EINVAL : rc; ++ if (rc < 0) ++ return rc; ++ else if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES) ++ return -EINVAL; + rc = ecryptfs_validate_marker(marker); + if (!rc) + ecryptfs_i_size_init(file_size, inode); +@@ -1367,8 +1369,10 @@ int ecryptfs_read_and_validate_xattr_reg + ecryptfs_inode_to_lower(inode), + ECRYPTFS_XATTR_NAME, file_size, + ECRYPTFS_SIZE_AND_MARKER_BYTES); +- if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES) +- return rc >= 0 ? -EINVAL : rc; ++ if (rc < 0) ++ return rc; ++ else if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES) ++ return -EINVAL; + rc = ecryptfs_validate_marker(marker); + if (!rc) + ecryptfs_i_size_init(file_size, inode); diff --git a/queue-5.2/gpu-ipu-v3-ipu-ic-fix-saturation-bit-offset-in-tpmem.patch b/queue-5.2/gpu-ipu-v3-ipu-ic-fix-saturation-bit-offset-in-tpmem.patch new file mode 100644 index 00000000000..c18bcefa1b6 --- /dev/null +++ b/queue-5.2/gpu-ipu-v3-ipu-ic-fix-saturation-bit-offset-in-tpmem.patch @@ -0,0 +1,36 @@ +From 3d1f62c686acdedf5ed9642b763f3808d6a47d1e Mon Sep 17 00:00:00 2001 +From: Steve Longerbeam +Date: Tue, 21 May 2019 18:03:13 -0700 +Subject: gpu: ipu-v3: ipu-ic: Fix saturation bit offset in TPMEM + +From: Steve Longerbeam + +commit 3d1f62c686acdedf5ed9642b763f3808d6a47d1e upstream. + +The saturation bit was being set at bit 9 in the second 32-bit word +of the TPMEM CSC. This isn't correct, the saturation bit is bit 42, +which is bit 10 of the second word. + +Fixes: 1aa8ea0d2bd5d ("gpu: ipu-v3: Add Image Converter unit") + +Signed-off-by: Steve Longerbeam +Reviewed-by: Philipp Zabel +Cc: stable@vger.kernel.org +Signed-off-by: Philipp Zabel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/ipu-v3/ipu-ic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/ipu-v3/ipu-ic.c ++++ b/drivers/gpu/ipu-v3/ipu-ic.c +@@ -251,7 +251,7 @@ static int init_csc(struct ipu_ic *ic, + writel(param, base++); + + param = ((a[0] & 0x1fe0) >> 5) | (params->scale << 8) | +- (params->sat << 9); ++ (params->sat << 10); + writel(param, base++); + + param = ((a[1] & 0x1f) << 27) | ((c[0][1] & 0x1ff) << 18) | diff --git a/queue-5.2/intel_th-msu-fix-single-mode-with-disabled-iommu.patch b/queue-5.2/intel_th-msu-fix-single-mode-with-disabled-iommu.patch new file mode 100644 index 00000000000..b53db0cf014 --- /dev/null +++ b/queue-5.2/intel_th-msu-fix-single-mode-with-disabled-iommu.patch @@ -0,0 +1,40 @@ +From 918b8646497b5dba6ae82d4a7325f01b258972b9 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Fri, 21 Jun 2019 19:19:29 +0300 +Subject: intel_th: msu: Fix single mode with disabled IOMMU + +From: Alexander Shishkin + +commit 918b8646497b5dba6ae82d4a7325f01b258972b9 upstream. + +Commit 4e0eaf239fb3 ("intel_th: msu: Fix single mode with IOMMU") switched +the single mode code to use dma mapping pages obtained from the page +allocator, but with IOMMU disabled, that may lead to using SWIOTLB bounce +buffers and without additional sync'ing, produces empty trace buffers. + +Fix this by using a DMA32 GFP flag to the page allocation in single mode, +as the device supports full 32-bit DMA addressing. + +Signed-off-by: Alexander Shishkin +Fixes: 4e0eaf239fb3 ("intel_th: msu: Fix single mode with IOMMU") +Reviewed-by: Andy Shevchenko +Reported-by: Ammy Yi +Cc: stable +Link: https://lore.kernel.org/r/20190621161930.60785-4-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/msu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwtracing/intel_th/msu.c ++++ b/drivers/hwtracing/intel_th/msu.c +@@ -667,7 +667,7 @@ static int msc_buffer_contig_alloc(struc + goto err_out; + + ret = -ENOMEM; +- page = alloc_pages(GFP_KERNEL | __GFP_ZERO, order); ++ page = alloc_pages(GFP_KERNEL | __GFP_ZERO | GFP_DMA32, order); + if (!page) + goto err_free_sgt; + diff --git a/queue-5.2/intel_th-msu-remove-set-but-not-used-variable-last.patch b/queue-5.2/intel_th-msu-remove-set-but-not-used-variable-last.patch new file mode 100644 index 00000000000..5d7c90b4c8d --- /dev/null +++ b/queue-5.2/intel_th-msu-remove-set-but-not-used-variable-last.patch @@ -0,0 +1,44 @@ +From 9800db282dff675dd700d5985d90b605c34b5ccd Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Fri, 21 Jun 2019 19:19:28 +0300 +Subject: intel_th: msu: Remove set but not used variable 'last' + +From: YueHaibing + +commit 9800db282dff675dd700d5985d90b605c34b5ccd upstream. + +Commit aad14ad3cf3a ("intel_th: msu: Add current window tracking") added +the following gcc warning: + +> drivers/hwtracing/intel_th/msu.c: In function msc_win_switch: +> drivers/hwtracing/intel_th/msu.c:1389:21: warning: variable last set but +> not used [-Wunused-but-set-variable] + +Fix it by removing the variable. + +Signed-off-by: YueHaibing +Fixes: aad14ad3cf3a ("intel_th: msu: Add current window tracking") +Reviewed-by: Andy Shevchenko +Signed-off-by: Alexander Shishkin +Cc: stable +Link: https://lore.kernel.org/r/20190621161930.60785-3-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/msu.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/hwtracing/intel_th/msu.c ++++ b/drivers/hwtracing/intel_th/msu.c +@@ -1400,10 +1400,9 @@ static int intel_th_msc_init(struct msc + + static void msc_win_switch(struct msc *msc) + { +- struct msc_window *last, *first; ++ struct msc_window *first; + + first = list_first_entry(&msc->win_list, struct msc_window, entry); +- last = list_last_entry(&msc->win_list, struct msc_window, entry); + + if (msc_is_last_win(msc->cur_win)) + msc->cur_win = first; diff --git a/queue-5.2/mmc-sdhci-msm-fix-mutex-while-in-spinlock.patch b/queue-5.2/mmc-sdhci-msm-fix-mutex-while-in-spinlock.patch new file mode 100644 index 00000000000..3e19c99744d --- /dev/null +++ b/queue-5.2/mmc-sdhci-msm-fix-mutex-while-in-spinlock.patch @@ -0,0 +1,57 @@ +From 5e6b6651d22de109ebf48ca00d0373bc2c0cc080 Mon Sep 17 00:00:00 2001 +From: Jorge Ramirez-Ortiz +Date: Mon, 1 Jul 2019 17:01:25 +0200 +Subject: mmc: sdhci-msm: fix mutex while in spinlock + +From: Jorge Ramirez-Ortiz + +commit 5e6b6651d22de109ebf48ca00d0373bc2c0cc080 upstream. + +mutexes can sleep and therefore should not be taken while holding a +spinlock. move clk_get_rate (can sleep) outside the spinlock protected +region. + +Fixes: 83736352e0ca ("mmc: sdhci-msm: Update DLL reset sequence") +Cc: stable@vger.kernel.org +Signed-off-by: Jorge Ramirez-Ortiz +Reviewed-by: Bjorn Andersson +Reviewed-by: Vinod Koul +Acked-by: Adrian Hunter +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci-msm.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/mmc/host/sdhci-msm.c ++++ b/drivers/mmc/host/sdhci-msm.c +@@ -575,11 +575,14 @@ static int msm_init_cm_dll(struct sdhci_ + struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); + struct sdhci_msm_host *msm_host = sdhci_pltfm_priv(pltfm_host); + int wait_cnt = 50; +- unsigned long flags; ++ unsigned long flags, xo_clk = 0; + u32 config; + const struct sdhci_msm_offset *msm_offset = + msm_host->offset; + ++ if (msm_host->use_14lpp_dll_reset && !IS_ERR_OR_NULL(msm_host->xo_clk)) ++ xo_clk = clk_get_rate(msm_host->xo_clk); ++ + spin_lock_irqsave(&host->lock, flags); + + /* +@@ -627,10 +630,10 @@ static int msm_init_cm_dll(struct sdhci_ + config &= CORE_FLL_CYCLE_CNT; + if (config) + mclk_freq = DIV_ROUND_CLOSEST_ULL((host->clock * 8), +- clk_get_rate(msm_host->xo_clk)); ++ xo_clk); + else + mclk_freq = DIV_ROUND_CLOSEST_ULL((host->clock * 4), +- clk_get_rate(msm_host->xo_clk)); ++ xo_clk); + + config = readl_relaxed(host->ioaddr + + msm_offset->core_dll_config_2); diff --git a/queue-5.2/mtd-rawnand-mtk-correct-low-level-time-calculation-of-r-w-cycle.patch b/queue-5.2/mtd-rawnand-mtk-correct-low-level-time-calculation-of-r-w-cycle.patch new file mode 100644 index 00000000000..9f688eec23d --- /dev/null +++ b/queue-5.2/mtd-rawnand-mtk-correct-low-level-time-calculation-of-r-w-cycle.patch @@ -0,0 +1,81 @@ +From e1884ffddacc0424d7e785e6f8087bd12f7196db Mon Sep 17 00:00:00 2001 +From: Xiaolei Li +Date: Tue, 7 May 2019 18:25:38 +0800 +Subject: mtd: rawnand: mtk: Correct low level time calculation of r/w cycle + +From: Xiaolei Li + +commit e1884ffddacc0424d7e785e6f8087bd12f7196db upstream. + +At present, the flow of calculating AC timing of read/write cycle in SDR +mode is that: +At first, calculate high hold time which is valid for both read and write +cycle using the max value between tREH_min and tWH_min. +Secondly, calculate WE# pulse width using tWP_min. +Thridly, calculate RE# pulse width using the bigger one between tREA_max +and tRP_min. + +But NAND SPEC shows that Controller should also meet write/read cycle time. +That is write cycle time should be more than tWC_min and read cycle should +be more than tRC_min. Obviously, we do not achieve that now. + +This patch corrects the low level time calculation to meet minimum +read/write cycle time required. After getting the high hold time, WE# low +level time will be promised to meet tWP_min and tWC_min requirement, +and RE# low level time will be promised to meet tREA_max, tRP_min and +tRC_min requirement. + +Fixes: edfee3619c49 ("mtd: nand: mtk: add ->setup_data_interface() hook") +Cc: stable@vger.kernel.org # v4.17+ +Signed-off-by: Xiaolei Li +Reviewed-by: Miquel Raynal +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/raw/mtk_nand.c | 24 +++++++++++++++++++++--- + 1 file changed, 21 insertions(+), 3 deletions(-) + +--- a/drivers/mtd/nand/raw/mtk_nand.c ++++ b/drivers/mtd/nand/raw/mtk_nand.c +@@ -500,7 +500,8 @@ static int mtk_nfc_setup_data_interface( + { + struct mtk_nfc *nfc = nand_get_controller_data(chip); + const struct nand_sdr_timings *timings; +- u32 rate, tpoecs, tprecs, tc2r, tw2r, twh, twst, trlt; ++ u32 rate, tpoecs, tprecs, tc2r, tw2r, twh, twst = 0, trlt = 0; ++ u32 thold; + + timings = nand_get_sdr_timings(conf); + if (IS_ERR(timings)) +@@ -536,11 +537,28 @@ static int mtk_nfc_setup_data_interface( + twh = DIV_ROUND_UP(twh * rate, 1000000) - 1; + twh &= 0xf; + +- twst = timings->tWP_min / 1000; ++ /* Calculate real WE#/RE# hold time in nanosecond */ ++ thold = (twh + 1) * 1000000 / rate; ++ /* nanosecond to picosecond */ ++ thold *= 1000; ++ ++ /* ++ * WE# low level time should be expaned to meet WE# pulse time ++ * and WE# cycle time at the same time. ++ */ ++ if (thold < timings->tWC_min) ++ twst = timings->tWC_min - thold; ++ twst = max(timings->tWP_min, twst) / 1000; + twst = DIV_ROUND_UP(twst * rate, 1000000) - 1; + twst &= 0xf; + +- trlt = max(timings->tREA_max, timings->tRP_min) / 1000; ++ /* ++ * RE# low level time should be expaned to meet RE# pulse time, ++ * RE# access time and RE# cycle time at the same time. ++ */ ++ if (thold < timings->tRC_min) ++ trlt = timings->tRC_min - thold; ++ trlt = max3(trlt, timings->tREA_max, timings->tRP_min) / 1000; + trlt = DIV_ROUND_UP(trlt * rate, 1000000) - 1; + trlt &= 0xf; + diff --git a/queue-5.2/mtd-spinand-read-returns-badly-if-the-last-page-has-bitflips.patch b/queue-5.2/mtd-spinand-read-returns-badly-if-the-last-page-has-bitflips.patch new file mode 100644 index 00000000000..fcf5524637c --- /dev/null +++ b/queue-5.2/mtd-spinand-read-returns-badly-if-the-last-page-has-bitflips.patch @@ -0,0 +1,42 @@ +From b83408b580eccf8d2797cd6cb9ae42c2a28656a7 Mon Sep 17 00:00:00 2001 +From: liaoweixiong +Date: Fri, 28 Jun 2019 12:14:46 +0800 +Subject: mtd: spinand: read returns badly if the last page has bitflips + +From: liaoweixiong + +commit b83408b580eccf8d2797cd6cb9ae42c2a28656a7 upstream. + +In case of the last page containing bitflips (ret > 0), +spinand_mtd_read() will return that number of bitflips for the last +page while it should instead return max_bitflips like it does when the +last page read returns with 0. + +Signed-off-by: Weixiong Liao +Reviewed-by: Boris Brezillon +Reviewed-by: Frieder Schrempf +Cc: stable@vger.kernel.org +Fixes: 7529df465248 ("mtd: nand: Add core infrastructure to support SPI NANDs") +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/spi/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mtd/nand/spi/core.c ++++ b/drivers/mtd/nand/spi/core.c +@@ -511,12 +511,12 @@ static int spinand_mtd_read(struct mtd_i + if (ret == -EBADMSG) { + ecc_failed = true; + mtd->ecc_stats.failed++; +- ret = 0; + } else { + mtd->ecc_stats.corrected += ret; + max_bitflips = max_t(unsigned int, max_bitflips, ret); + } + ++ ret = 0; + ops->retlen += iter.req.datalen; + ops->oobretlen += iter.req.ooblen; + } diff --git a/queue-5.2/parisc-avoid-kernel-panic-triggered-by-invalid-kprobe.patch b/queue-5.2/parisc-avoid-kernel-panic-triggered-by-invalid-kprobe.patch new file mode 100644 index 00000000000..e5ef6d86775 --- /dev/null +++ b/queue-5.2/parisc-avoid-kernel-panic-triggered-by-invalid-kprobe.patch @@ -0,0 +1,63 @@ +From 59a783dbc0d5fd6792aabff933055373b6dcbf2a Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Tue, 16 Jul 2019 21:16:26 +0200 +Subject: parisc: Avoid kernel panic triggered by invalid kprobe + +From: Helge Deller + +commit 59a783dbc0d5fd6792aabff933055373b6dcbf2a upstream. + +When running gdb I was able to trigger this kernel panic: + + Kernel Fault: Code=26 (Data memory access rights trap) at addr 0000000000000060 + CPU: 0 PID: 1401 Comm: gdb-crash Not tainted 5.2.0-rc7-64bit+ #1053 + + YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI + PSW: 00001000000001000000000000001111 Not tainted + r00-03 000000000804000f 0000000040dee1a0 0000000040c78cf0 00000000b8d50160 + r04-07 0000000040d2b1a0 000000004360a098 00000000bbbe87b8 0000000000000003 + r08-11 00000000fac20a70 00000000fac24160 00000000fac1bbe0 0000000000000000 + r12-15 00000000fabfb79a 00000000fac244a4 0000000000010000 0000000000000001 + r16-19 00000000bbbe87b8 00000000f8f02910 0000000000010034 0000000000000000 + r20-23 00000000fac24630 00000000fac24630 000000006474e552 00000000fac1aa52 + r24-27 0000000000000028 00000000bbbe87b8 00000000bbbe87b8 0000000040d2b1a0 + r28-31 0000000000000000 00000000b8d501c0 00000000b8d501f0 0000000003424000 + sr00-03 0000000000423000 0000000000000000 0000000000000000 0000000000423000 + sr04-07 0000000000000000 0000000000000000 0000000000000000 0000000000000000 + + IASQ: 0000000000000000 0000000000000000 IAOQ: 0000000040c78cf0 0000000040c78cf4 + IIR: 539f00c0 ISR: 0000000000000000 IOR: 0000000000000060 + CPU: 0 CR30: 00000000b8d50000 CR31: 00000000d22345e2 + ORIG_R28: 0000000040250798 + IAOQ[0]: parisc_kprobe_ss_handler+0x58/0x170 + IAOQ[1]: parisc_kprobe_ss_handler+0x5c/0x170 + RP(r2): parisc_kprobe_ss_handler+0x58/0x170 + Backtrace: + [<0000000040206ff8>] handle_interruption+0x178/0xbb8 + Kernel panic - not syncing: Kernel Fault + +Avoid this panic by checking the return value of kprobe_running() and +skip kprobe if none is currently active. + +Cc: # v5.2 +Acked-by: Sven Schnelle +Tested-by: Rolf Eike Beer +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/kernel/kprobes.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/parisc/kernel/kprobes.c ++++ b/arch/parisc/kernel/kprobes.c +@@ -133,6 +133,9 @@ int __kprobes parisc_kprobe_ss_handler(s + struct kprobe_ctlblk *kcb = get_kprobe_ctlblk(); + struct kprobe *p = kprobe_running(); + ++ if (!p) ++ return 0; ++ + if (regs->iaoq[0] != (unsigned long)p->ainsn.insn+4) + return 0; + diff --git a/queue-5.2/parisc-ensure-userspace-privilege-for-ptraced-processes-in-regset-functions.patch b/queue-5.2/parisc-ensure-userspace-privilege-for-ptraced-processes-in-regset-functions.patch new file mode 100644 index 00000000000..c91939b1f5e --- /dev/null +++ b/queue-5.2/parisc-ensure-userspace-privilege-for-ptraced-processes-in-regset-functions.patch @@ -0,0 +1,41 @@ +From 34c32fc603311a72cb558e5e337555434f64c27b Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Thu, 4 Jul 2019 03:44:17 +0200 +Subject: parisc: Ensure userspace privilege for ptraced processes in regset functions + +From: Helge Deller + +commit 34c32fc603311a72cb558e5e337555434f64c27b upstream. + +On parisc the privilege level of a process is stored in the lowest two bits of +the instruction pointers (IAOQ0 and IAOQ1). On Linux we use privilege level 0 +for the kernel and privilege level 3 for user-space. So userspace should not be +allowed to modify IAOQ0 or IAOQ1 of a ptraced process to change it's privilege +level to e.g. 0 to try to gain kernel privileges. + +This patch prevents such modifications in the regset support functions by +always setting the two lowest bits to one (which relates to privilege level 3 +for user-space) if IAOQ0 or IAOQ1 are modified via ptrace regset calls. + +Link: https://bugs.gentoo.org/481768 +Cc: # v4.7+ +Tested-by: Rolf Eike Beer +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/kernel/ptrace.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/parisc/kernel/ptrace.c ++++ b/arch/parisc/kernel/ptrace.c +@@ -496,7 +496,8 @@ static void set_reg(struct pt_regs *regs + return; + case RI(iaoq[0]): + case RI(iaoq[1]): +- regs->iaoq[num - RI(iaoq[0])] = val; ++ /* set 2 lowest bits to ensure userspace privilege: */ ++ regs->iaoq[num - RI(iaoq[0])] = val | 3; + return; + case RI(sar): regs->sar = val; + return; diff --git a/queue-5.2/parisc-fix-kernel-panic-due-invalid-values-in-iaoq0-or-iaoq1.patch b/queue-5.2/parisc-fix-kernel-panic-due-invalid-values-in-iaoq0-or-iaoq1.patch new file mode 100644 index 00000000000..145db8444fe --- /dev/null +++ b/queue-5.2/parisc-fix-kernel-panic-due-invalid-values-in-iaoq0-or-iaoq1.patch @@ -0,0 +1,84 @@ +From 10835c854685393a921b68f529bf740fa7c9984d Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Tue, 16 Jul 2019 21:43:11 +0200 +Subject: parisc: Fix kernel panic due invalid values in IAOQ0 or IAOQ1 + +From: Helge Deller + +commit 10835c854685393a921b68f529bf740fa7c9984d upstream. + +On parisc the privilege level of a process is stored in the lowest two bits of +the instruction pointers (IAOQ0 and IAOQ1). On Linux we use privilege level 0 +for the kernel and privilege level 3 for user-space. So userspace should not be +allowed to modify IAOQ0 or IAOQ1 of a ptraced process to change it's privilege +level to e.g. 0 to try to gain kernel privileges. + +This patch prevents such modifications by always setting the two lowest bits to +one (which relates to privilege level 3 for user-space) if IAOQ0 or IAOQ1 are +modified via ptrace calls in the native and compat ptrace paths. + +Link: https://bugs.gentoo.org/481768 +Reported-by: Jeroen Roovers +Cc: +Tested-by: Rolf Eike Beer +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/kernel/ptrace.c | 28 ++++++++++++++++++---------- + 1 file changed, 18 insertions(+), 10 deletions(-) + +--- a/arch/parisc/kernel/ptrace.c ++++ b/arch/parisc/kernel/ptrace.c +@@ -167,6 +167,9 @@ long arch_ptrace(struct task_struct *chi + if ((addr & (sizeof(unsigned long)-1)) || + addr >= sizeof(struct pt_regs)) + break; ++ if (addr == PT_IAOQ0 || addr == PT_IAOQ1) { ++ data |= 3; /* ensure userspace privilege */ ++ } + if ((addr >= PT_GR1 && addr <= PT_GR31) || + addr == PT_IAOQ0 || addr == PT_IAOQ1 || + (addr >= PT_FR0 && addr <= PT_FR31 + 4) || +@@ -228,16 +231,18 @@ long arch_ptrace(struct task_struct *chi + + static compat_ulong_t translate_usr_offset(compat_ulong_t offset) + { +- if (offset < 0) +- return sizeof(struct pt_regs); +- else if (offset <= 32*4) /* gr[0..31] */ +- return offset * 2 + 4; +- else if (offset <= 32*4+32*8) /* gr[0..31] + fr[0..31] */ +- return offset + 32*4; +- else if (offset < sizeof(struct pt_regs)/2 + 32*4) +- return offset * 2 + 4 - 32*8; ++ compat_ulong_t pos; ++ ++ if (offset < 32*4) /* gr[0..31] */ ++ pos = offset * 2 + 4; ++ else if (offset < 32*4+32*8) /* fr[0] ... fr[31] */ ++ pos = (offset - 32*4) + PT_FR0; ++ else if (offset < sizeof(struct pt_regs)/2 + 32*4) /* sr[0] ... ipsw */ ++ pos = (offset - 32*4 - 32*8) * 2 + PT_SR0 + 4; + else +- return sizeof(struct pt_regs); ++ pos = sizeof(struct pt_regs); ++ ++ return pos; + } + + long compat_arch_ptrace(struct task_struct *child, compat_long_t request, +@@ -281,9 +286,12 @@ long compat_arch_ptrace(struct task_stru + addr = translate_usr_offset(addr); + if (addr >= sizeof(struct pt_regs)) + break; ++ if (addr == PT_IAOQ0+4 || addr == PT_IAOQ1+4) { ++ data |= 3; /* ensure userspace privilege */ ++ } + if (addr >= PT_FR0 && addr <= PT_FR31 + 4) { + /* Special case, fp regs are 64 bits anyway */ +- *(__u64 *) ((char *) task_regs(child) + addr) = data; ++ *(__u32 *) ((char *) task_regs(child) + addr) = data; + ret = 0; + } + else if ((addr >= PT_GR1+4 && addr <= PT_GR31+4) || diff --git a/queue-5.2/powerpc-32s-fix-suspend-resume-when-ibats-4-7-are-used.patch b/queue-5.2/powerpc-32s-fix-suspend-resume-when-ibats-4-7-are-used.patch new file mode 100644 index 00000000000..9e222562dea --- /dev/null +++ b/queue-5.2/powerpc-32s-fix-suspend-resume-when-ibats-4-7-are-used.patch @@ -0,0 +1,249 @@ +From 6ecb78ef56e08d2119d337ae23cb951a640dc52d Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Mon, 17 Jun 2019 21:42:14 +0000 +Subject: powerpc/32s: fix suspend/resume when IBATs 4-7 are used + +From: Christophe Leroy + +commit 6ecb78ef56e08d2119d337ae23cb951a640dc52d upstream. + +Previously, only IBAT1 and IBAT2 were used to map kernel linear mem. +Since commit 63b2bc619565 ("powerpc/mm/32s: Use BATs for +STRICT_KERNEL_RWX"), we may have all 8 BATs used for mapping +kernel text. But the suspend/restore functions only save/restore +BATs 0 to 3, and clears BATs 4 to 7. + +Make suspend and restore functions respectively save and reload +the 8 BATs on CPUs having MMU_FTR_USE_HIGH_BATS feature. + +Reported-by: Andreas Schwab +Cc: stable@vger.kernel.org +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/swsusp_32.S | 73 ++++++++++++++++++++++++++++---- + arch/powerpc/platforms/powermac/sleep.S | 68 +++++++++++++++++++++++++++-- + 2 files changed, 128 insertions(+), 13 deletions(-) + +--- a/arch/powerpc/kernel/swsusp_32.S ++++ b/arch/powerpc/kernel/swsusp_32.S +@@ -25,11 +25,19 @@ + #define SL_IBAT2 0x48 + #define SL_DBAT3 0x50 + #define SL_IBAT3 0x58 +-#define SL_TB 0x60 +-#define SL_R2 0x68 +-#define SL_CR 0x6c +-#define SL_LR 0x70 +-#define SL_R12 0x74 /* r12 to r31 */ ++#define SL_DBAT4 0x60 ++#define SL_IBAT4 0x68 ++#define SL_DBAT5 0x70 ++#define SL_IBAT5 0x78 ++#define SL_DBAT6 0x80 ++#define SL_IBAT6 0x88 ++#define SL_DBAT7 0x90 ++#define SL_IBAT7 0x98 ++#define SL_TB 0xa0 ++#define SL_R2 0xa8 ++#define SL_CR 0xac ++#define SL_LR 0xb0 ++#define SL_R12 0xb4 /* r12 to r31 */ + #define SL_SIZE (SL_R12 + 80) + + .section .data +@@ -114,6 +122,41 @@ _GLOBAL(swsusp_arch_suspend) + mfibatl r4,3 + stw r4,SL_IBAT3+4(r11) + ++BEGIN_MMU_FTR_SECTION ++ mfspr r4,SPRN_DBAT4U ++ stw r4,SL_DBAT4(r11) ++ mfspr r4,SPRN_DBAT4L ++ stw r4,SL_DBAT4+4(r11) ++ mfspr r4,SPRN_DBAT5U ++ stw r4,SL_DBAT5(r11) ++ mfspr r4,SPRN_DBAT5L ++ stw r4,SL_DBAT5+4(r11) ++ mfspr r4,SPRN_DBAT6U ++ stw r4,SL_DBAT6(r11) ++ mfspr r4,SPRN_DBAT6L ++ stw r4,SL_DBAT6+4(r11) ++ mfspr r4,SPRN_DBAT7U ++ stw r4,SL_DBAT7(r11) ++ mfspr r4,SPRN_DBAT7L ++ stw r4,SL_DBAT7+4(r11) ++ mfspr r4,SPRN_IBAT4U ++ stw r4,SL_IBAT4(r11) ++ mfspr r4,SPRN_IBAT4L ++ stw r4,SL_IBAT4+4(r11) ++ mfspr r4,SPRN_IBAT5U ++ stw r4,SL_IBAT5(r11) ++ mfspr r4,SPRN_IBAT5L ++ stw r4,SL_IBAT5+4(r11) ++ mfspr r4,SPRN_IBAT6U ++ stw r4,SL_IBAT6(r11) ++ mfspr r4,SPRN_IBAT6L ++ stw r4,SL_IBAT6+4(r11) ++ mfspr r4,SPRN_IBAT7U ++ stw r4,SL_IBAT7(r11) ++ mfspr r4,SPRN_IBAT7L ++ stw r4,SL_IBAT7+4(r11) ++END_MMU_FTR_SECTION_IFSET(MMU_FTR_USE_HIGH_BATS) ++ + #if 0 + /* Backup various CPU config stuffs */ + bl __save_cpu_setup +@@ -279,27 +322,41 @@ END_FTR_SECTION_IFSET(CPU_FTR_ALTIVEC) + mtibatu 3,r4 + lwz r4,SL_IBAT3+4(r11) + mtibatl 3,r4 +-#endif +- + BEGIN_MMU_FTR_SECTION +- li r4,0 ++ lwz r4,SL_DBAT4(r11) + mtspr SPRN_DBAT4U,r4 ++ lwz r4,SL_DBAT4+4(r11) + mtspr SPRN_DBAT4L,r4 ++ lwz r4,SL_DBAT5(r11) + mtspr SPRN_DBAT5U,r4 ++ lwz r4,SL_DBAT5+4(r11) + mtspr SPRN_DBAT5L,r4 ++ lwz r4,SL_DBAT6(r11) + mtspr SPRN_DBAT6U,r4 ++ lwz r4,SL_DBAT6+4(r11) + mtspr SPRN_DBAT6L,r4 ++ lwz r4,SL_DBAT7(r11) + mtspr SPRN_DBAT7U,r4 ++ lwz r4,SL_DBAT7+4(r11) + mtspr SPRN_DBAT7L,r4 ++ lwz r4,SL_IBAT4(r11) + mtspr SPRN_IBAT4U,r4 ++ lwz r4,SL_IBAT4+4(r11) + mtspr SPRN_IBAT4L,r4 ++ lwz r4,SL_IBAT5(r11) + mtspr SPRN_IBAT5U,r4 ++ lwz r4,SL_IBAT5+4(r11) + mtspr SPRN_IBAT5L,r4 ++ lwz r4,SL_IBAT6(r11) + mtspr SPRN_IBAT6U,r4 ++ lwz r4,SL_IBAT6+4(r11) + mtspr SPRN_IBAT6L,r4 ++ lwz r4,SL_IBAT7(r11) + mtspr SPRN_IBAT7U,r4 ++ lwz r4,SL_IBAT7+4(r11) + mtspr SPRN_IBAT7L,r4 + END_MMU_FTR_SECTION_IFSET(MMU_FTR_USE_HIGH_BATS) ++#endif + + /* Flush all TLBs */ + lis r4,0x1000 +--- a/arch/powerpc/platforms/powermac/sleep.S ++++ b/arch/powerpc/platforms/powermac/sleep.S +@@ -33,10 +33,18 @@ + #define SL_IBAT2 0x48 + #define SL_DBAT3 0x50 + #define SL_IBAT3 0x58 +-#define SL_TB 0x60 +-#define SL_R2 0x68 +-#define SL_CR 0x6c +-#define SL_R12 0x70 /* r12 to r31 */ ++#define SL_DBAT4 0x60 ++#define SL_IBAT4 0x68 ++#define SL_DBAT5 0x70 ++#define SL_IBAT5 0x78 ++#define SL_DBAT6 0x80 ++#define SL_IBAT6 0x88 ++#define SL_DBAT7 0x90 ++#define SL_IBAT7 0x98 ++#define SL_TB 0xa0 ++#define SL_R2 0xa8 ++#define SL_CR 0xac ++#define SL_R12 0xb0 /* r12 to r31 */ + #define SL_SIZE (SL_R12 + 80) + + .section .text +@@ -121,6 +129,41 @@ _GLOBAL(low_sleep_handler) + mfibatl r4,3 + stw r4,SL_IBAT3+4(r1) + ++BEGIN_MMU_FTR_SECTION ++ mfspr r4,SPRN_DBAT4U ++ stw r4,SL_DBAT4(r1) ++ mfspr r4,SPRN_DBAT4L ++ stw r4,SL_DBAT4+4(r1) ++ mfspr r4,SPRN_DBAT5U ++ stw r4,SL_DBAT5(r1) ++ mfspr r4,SPRN_DBAT5L ++ stw r4,SL_DBAT5+4(r1) ++ mfspr r4,SPRN_DBAT6U ++ stw r4,SL_DBAT6(r1) ++ mfspr r4,SPRN_DBAT6L ++ stw r4,SL_DBAT6+4(r1) ++ mfspr r4,SPRN_DBAT7U ++ stw r4,SL_DBAT7(r1) ++ mfspr r4,SPRN_DBAT7L ++ stw r4,SL_DBAT7+4(r1) ++ mfspr r4,SPRN_IBAT4U ++ stw r4,SL_IBAT4(r1) ++ mfspr r4,SPRN_IBAT4L ++ stw r4,SL_IBAT4+4(r1) ++ mfspr r4,SPRN_IBAT5U ++ stw r4,SL_IBAT5(r1) ++ mfspr r4,SPRN_IBAT5L ++ stw r4,SL_IBAT5+4(r1) ++ mfspr r4,SPRN_IBAT6U ++ stw r4,SL_IBAT6(r1) ++ mfspr r4,SPRN_IBAT6L ++ stw r4,SL_IBAT6+4(r1) ++ mfspr r4,SPRN_IBAT7U ++ stw r4,SL_IBAT7(r1) ++ mfspr r4,SPRN_IBAT7L ++ stw r4,SL_IBAT7+4(r1) ++END_MMU_FTR_SECTION_IFSET(MMU_FTR_USE_HIGH_BATS) ++ + /* Backup various CPU config stuffs */ + bl __save_cpu_setup + +@@ -321,22 +364,37 @@ grackle_wake_up: + mtibatl 3,r4 + + BEGIN_MMU_FTR_SECTION +- li r4,0 ++ lwz r4,SL_DBAT4(r1) + mtspr SPRN_DBAT4U,r4 ++ lwz r4,SL_DBAT4+4(r1) + mtspr SPRN_DBAT4L,r4 ++ lwz r4,SL_DBAT5(r1) + mtspr SPRN_DBAT5U,r4 ++ lwz r4,SL_DBAT5+4(r1) + mtspr SPRN_DBAT5L,r4 ++ lwz r4,SL_DBAT6(r1) + mtspr SPRN_DBAT6U,r4 ++ lwz r4,SL_DBAT6+4(r1) + mtspr SPRN_DBAT6L,r4 ++ lwz r4,SL_DBAT7(r1) + mtspr SPRN_DBAT7U,r4 ++ lwz r4,SL_DBAT7+4(r1) + mtspr SPRN_DBAT7L,r4 ++ lwz r4,SL_IBAT4(r1) + mtspr SPRN_IBAT4U,r4 ++ lwz r4,SL_IBAT4+4(r1) + mtspr SPRN_IBAT4L,r4 ++ lwz r4,SL_IBAT5(r1) + mtspr SPRN_IBAT5U,r4 ++ lwz r4,SL_IBAT5+4(r1) + mtspr SPRN_IBAT5L,r4 ++ lwz r4,SL_IBAT6(r1) + mtspr SPRN_IBAT6U,r4 ++ lwz r4,SL_IBAT6+4(r1) + mtspr SPRN_IBAT6L,r4 ++ lwz r4,SL_IBAT7(r1) + mtspr SPRN_IBAT7U,r4 ++ lwz r4,SL_IBAT7+4(r1) + mtspr SPRN_IBAT7L,r4 + END_MMU_FTR_SECTION_IFSET(MMU_FTR_USE_HIGH_BATS) + diff --git a/queue-5.2/powerpc-mm-32s-fix-condition-that-is-always-true.patch b/queue-5.2/powerpc-mm-32s-fix-condition-that-is-always-true.patch new file mode 100644 index 00000000000..bda482835c4 --- /dev/null +++ b/queue-5.2/powerpc-mm-32s-fix-condition-that-is-always-true.patch @@ -0,0 +1,33 @@ +From 46c2478af610efb3212b8b08f74389d69899ef70 Mon Sep 17 00:00:00 2001 +From: Andreas Schwab +Date: Mon, 17 Jun 2019 23:22:20 +0200 +Subject: powerpc/mm/32s: fix condition that is always true + +From: Andreas Schwab + +commit 46c2478af610efb3212b8b08f74389d69899ef70 upstream. + +Move a misplaced paren that makes the condition always true. + +Fixes: 63b2bc619565 ("powerpc/mm/32s: Use BATs for STRICT_KERNEL_RWX") +Cc: stable@vger.kernel.org # v5.1+ +Signed-off-by: Andreas Schwab +Reviewed-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/pgtable_32.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/mm/pgtable_32.c ++++ b/arch/powerpc/mm/pgtable_32.c +@@ -360,7 +360,7 @@ void mark_initmem_nx(void) + unsigned long numpages = PFN_UP((unsigned long)_einittext) - + PFN_DOWN((unsigned long)_sinittext); + +- if (v_block_mapped((unsigned long)_stext) + 1) ++ if (v_block_mapped((unsigned long)_stext + 1)) + mmu_mark_initmem_nx(); + else + change_page_attr(page, numpages, PAGE_KERNEL); diff --git a/queue-5.2/powerpc-powernv-fix-stale-iommu-table-base-after-vfio.patch b/queue-5.2/powerpc-powernv-fix-stale-iommu-table-base-after-vfio.patch new file mode 100644 index 00000000000..675ad63b866 --- /dev/null +++ b/queue-5.2/powerpc-powernv-fix-stale-iommu-table-base-after-vfio.patch @@ -0,0 +1,63 @@ +From 5636427d087a55842c1a199dfb839e6545d30e5d Mon Sep 17 00:00:00 2001 +From: Alexey Kardashevskiy +Date: Fri, 28 Jun 2019 16:53:00 +1000 +Subject: powerpc/powernv: Fix stale iommu table base after VFIO + +From: Alexey Kardashevskiy + +commit 5636427d087a55842c1a199dfb839e6545d30e5d upstream. + +The powernv platform uses @dma_iommu_ops for non-bypass DMA. These ops +need an iommu_table pointer which is stored in +dev->archdata.iommu_table_base. It is initialized during +pcibios_setup_device() which handles boot time devices. However when a +device is taken from the system in order to pass it through, the +default IOMMU table is destroyed but the pointer in a device is not +updated; also when a device is returned back to the system, a new +table pointer is not stored in dev->archdata.iommu_table_base either. +So when a just returned device tries using IOMMU, it crashes on +accessing stale iommu_table or its members. + +This calls set_iommu_table_base() when the default window is created. +Note it used to be there before but was wrongly removed (see "fixes"). +It did not appear before as these days most devices simply use bypass. + +This adds set_iommu_table_base(NULL) when a device is taken from the +system to make it clear that IOMMU DMA cannot be used past that point. + +Fixes: c4e9d3c1e65a ("powerpc/powernv/pseries: Rework device adding to IOMMU groups") +Cc: stable@vger.kernel.org # v5.0+ +Signed-off-by: Alexey Kardashevskiy +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/powernv/pci-ioda.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/arch/powerpc/platforms/powernv/pci-ioda.c ++++ b/arch/powerpc/platforms/powernv/pci-ioda.c +@@ -2456,6 +2456,14 @@ static long pnv_pci_ioda2_setup_default_ + if (!pnv_iommu_bypass_disabled) + pnv_pci_ioda2_set_bypass(pe, true); + ++ /* ++ * Set table base for the case of IOMMU DMA use. Usually this is done ++ * from dma_dev_setup() which is not called when a device is returned ++ * from VFIO so do it here. ++ */ ++ if (pe->pdev) ++ set_iommu_table_base(&pe->pdev->dev, tbl); ++ + return 0; + } + +@@ -2543,6 +2551,8 @@ static void pnv_ioda2_take_ownership(str + pnv_pci_ioda2_unset_window(&pe->table_group, 0); + if (pe->pbus) + pnv_ioda_setup_bus_dma(pe, pe->pbus); ++ else if (pe->pdev) ++ set_iommu_table_base(&pe->pdev->dev, NULL); + iommu_tce_table_put(tbl); + } + diff --git a/queue-5.2/powerpc-powernv-idle-fix-restore-of-sprn_ldbar-for-power9-stop-state.patch b/queue-5.2/powerpc-powernv-idle-fix-restore-of-sprn_ldbar-for-power9-stop-state.patch new file mode 100644 index 00000000000..0087be3a473 --- /dev/null +++ b/queue-5.2/powerpc-powernv-idle-fix-restore-of-sprn_ldbar-for-power9-stop-state.patch @@ -0,0 +1,45 @@ +From f5a9e488d62360c91c5770bd55a0b40e419a71ce Mon Sep 17 00:00:00 2001 +From: Athira Rajeev +Date: Tue, 2 Jul 2019 16:28:36 +0530 +Subject: powerpc/powernv/idle: Fix restore of SPRN_LDBAR for POWER9 stop state. + +From: Athira Rajeev + +commit f5a9e488d62360c91c5770bd55a0b40e419a71ce upstream. + +commit 10d91611f426 ("powerpc/64s: Reimplement book3s idle code in C") +reimplemented book3S code to pltform/powernv/idle.c. But when doing so +missed to add the per-thread LDBAR update in the core_woken path of +the power9_idle_stop(). Patch fixes the same. + +Fixes: 10d91611f426 ("powerpc/64s: Reimplement book3s idle code in C") +Cc: stable@vger.kernel.org # v5.2+ +Signed-off-by: Athira Rajeev +Signed-off-by: Madhavan Srinivasan +Reviewed-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20190702105836.26695-1-maddy@linux.vnet.ibm.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/powernv/idle.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/platforms/powernv/idle.c ++++ b/arch/powerpc/platforms/powernv/idle.c +@@ -758,7 +758,6 @@ static unsigned long power9_idle_stop(un + mtspr(SPRN_PTCR, sprs.ptcr); + mtspr(SPRN_RPR, sprs.rpr); + mtspr(SPRN_TSCR, sprs.tscr); +- mtspr(SPRN_LDBAR, sprs.ldbar); + + if (pls >= pnv_first_tb_loss_level) { + /* TB loss */ +@@ -790,6 +789,7 @@ core_woken: + mtspr(SPRN_MMCR0, sprs.mmcr0); + mtspr(SPRN_MMCR1, sprs.mmcr1); + mtspr(SPRN_MMCR2, sprs.mmcr2); ++ mtspr(SPRN_LDBAR, sprs.ldbar); + + mtspr(SPRN_SPRG3, local_paca->sprg_vdso); + diff --git a/queue-5.2/powerpc-powernv-npu-fix-reference-leak.patch b/queue-5.2/powerpc-powernv-npu-fix-reference-leak.patch new file mode 100644 index 00000000000..86035d1ca7f --- /dev/null +++ b/queue-5.2/powerpc-powernv-npu-fix-reference-leak.patch @@ -0,0 +1,70 @@ +From 02c5f5394918b9b47ff4357b1b18335768cd867d Mon Sep 17 00:00:00 2001 +From: Greg Kurz +Date: Fri, 19 Apr 2019 17:34:13 +0200 +Subject: powerpc/powernv/npu: Fix reference leak + +From: Greg Kurz + +commit 02c5f5394918b9b47ff4357b1b18335768cd867d upstream. + +Since 902bdc57451c, get_pci_dev() calls pci_get_domain_bus_and_slot(). This +has the effect of incrementing the reference count of the PCI device, as +explained in drivers/pci/search.c: + + * Given a PCI domain, bus, and slot/function number, the desired PCI + * device is located in the list of PCI devices. If the device is + * found, its reference count is increased and this function returns a + * pointer to its data structure. The caller must decrement the + * reference count by calling pci_dev_put(). If no device is found, + * %NULL is returned. + +Nothing was done to call pci_dev_put() and the reference count of GPU and +NPU PCI devices rockets up. + +A natural way to fix this would be to teach the callers about the change, +so that they call pci_dev_put() when done with the pointer. This turns +out to be quite intrusive, as it affects many paths in npu-dma.c, +pci-ioda.c and vfio_pci_nvlink2.c. Also, the issue appeared in 4.16 and +some affected code got moved around since then: it would be problematic +to backport the fix to stable releases. + +All that code never cared for reference counting anyway. Call pci_dev_put() +from get_pci_dev() to revert to the previous behavior. + +Fixes: 902bdc57451c ("powerpc/powernv/idoa: Remove unnecessary pcidev from pci_dn") +Cc: stable@vger.kernel.org # v4.16 +Signed-off-by: Greg Kurz +Reviewed-by: Alexey Kardashevskiy +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/powernv/npu-dma.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/platforms/powernv/npu-dma.c ++++ b/arch/powerpc/platforms/powernv/npu-dma.c +@@ -28,9 +28,22 @@ static DEFINE_SPINLOCK(npu_context_lock) + static struct pci_dev *get_pci_dev(struct device_node *dn) + { + struct pci_dn *pdn = PCI_DN(dn); ++ struct pci_dev *pdev; + +- return pci_get_domain_bus_and_slot(pci_domain_nr(pdn->phb->bus), ++ pdev = pci_get_domain_bus_and_slot(pci_domain_nr(pdn->phb->bus), + pdn->busno, pdn->devfn); ++ ++ /* ++ * pci_get_domain_bus_and_slot() increased the reference count of ++ * the PCI device, but callers don't need that actually as the PE ++ * already holds a reference to the device. Since callers aren't ++ * aware of the reference count change, call pci_dev_put() now to ++ * avoid leaks. ++ */ ++ if (pdev) ++ pci_dev_put(pdev); ++ ++ return pdev; + } + + /* Given a NPU device get the associated PCI device. */ diff --git a/queue-5.2/powerpc-pseries-fix-oops-in-hotplug-memory-notifier.patch b/queue-5.2/powerpc-pseries-fix-oops-in-hotplug-memory-notifier.patch new file mode 100644 index 00000000000..7bb3ca66c5d --- /dev/null +++ b/queue-5.2/powerpc-pseries-fix-oops-in-hotplug-memory-notifier.patch @@ -0,0 +1,39 @@ +From 0aa82c482ab2ece530a6f44897b63b274bb43c8e Mon Sep 17 00:00:00 2001 +From: Nathan Lynch +Date: Fri, 7 Jun 2019 00:04:07 -0500 +Subject: powerpc/pseries: Fix oops in hotplug memory notifier + +From: Nathan Lynch + +commit 0aa82c482ab2ece530a6f44897b63b274bb43c8e upstream. + +During post-migration device tree updates, we can oops in +pseries_update_drconf_memory() if the source device tree has an +ibm,dynamic-memory-v2 property and the destination has a +ibm,dynamic_memory (v1) property. The notifier processes an "update" +for the ibm,dynamic-memory property but it's really an add in this +scenario. So make sure the old property object is there before +dereferencing it. + +Fixes: 2b31e3aec1db ("powerpc/drmem: Add support for ibm, dynamic-memory-v2 property") +Cc: stable@vger.kernel.org # v4.16+ +Signed-off-by: Nathan Lynch +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/pseries/hotplug-memory.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/powerpc/platforms/pseries/hotplug-memory.c ++++ b/arch/powerpc/platforms/pseries/hotplug-memory.c +@@ -976,6 +976,9 @@ static int pseries_update_drconf_memory( + if (!memblock_size) + return -EINVAL; + ++ if (!pr->old_prop) ++ return 0; ++ + p = (__be32 *) pr->old_prop->value; + if (!p) + return -EINVAL; diff --git a/queue-5.2/powerpc-pseries-fix-xive-off-command-line.patch b/queue-5.2/powerpc-pseries-fix-xive-off-command-line.patch new file mode 100644 index 00000000000..a7e551e5597 --- /dev/null +++ b/queue-5.2/powerpc-pseries-fix-xive-off-command-line.patch @@ -0,0 +1,171 @@ +From a3bf9fbdad600b1e4335dd90979f8d6072e4f602 Mon Sep 17 00:00:00 2001 +From: Greg Kurz +Date: Wed, 15 May 2019 12:05:01 +0200 +Subject: powerpc/pseries: Fix xive=off command line +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Greg Kurz + +commit a3bf9fbdad600b1e4335dd90979f8d6072e4f602 upstream. + +On POWER9, if the hypervisor supports XIVE exploitation mode, the +guest OS will unconditionally requests for the XIVE interrupt mode +even if XIVE was deactivated with the kernel command line xive=off. +Later on, when the spapr XIVE init code handles xive=off, it disables +XIVE and tries to fall back on the legacy mode XICS. + +This discrepency causes a kernel panic because the hypervisor is +configured to provide the XIVE interrupt mode to the guest : + + kernel BUG at arch/powerpc/sysdev/xics/xics-common.c:135! + ... + NIP xics_smp_probe+0x38/0x98 + LR xics_smp_probe+0x2c/0x98 + Call Trace: + xics_smp_probe+0x2c/0x98 (unreliable) + pSeries_smp_probe+0x40/0xa0 + smp_prepare_cpus+0x62c/0x6ec + kernel_init_freeable+0x148/0x448 + kernel_init+0x2c/0x148 + ret_from_kernel_thread+0x5c/0x68 + +Look for xive=off during prom_init and don't ask for XIVE in this +case. One exception though: if the host only supports XIVE, we still +want to boot so we ignore xive=off. + +Similarly, have the spapr XIVE init code to looking at the interrupt +mode negotiated during CAS, and ignore xive=off if the hypervisor only +supports XIVE. + +Fixes: eac1e731b59e ("powerpc/xive: guest exploitation of the XIVE interrupt controller") +Cc: stable@vger.kernel.org # v4.20 +Reported-by: Pavithra R. Prakash +Signed-off-by: Greg Kurz +Reviewed-by: Cédric Le Goater +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/prom_init.c | 16 +++++++++++- + arch/powerpc/sysdev/xive/spapr.c | 52 ++++++++++++++++++++++++++++++++++++++- + 2 files changed, 66 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/kernel/prom_init.c ++++ b/arch/powerpc/kernel/prom_init.c +@@ -168,6 +168,7 @@ static unsigned long __prombss prom_tce_ + + #ifdef CONFIG_PPC_PSERIES + static bool __prombss prom_radix_disable; ++static bool __prombss prom_xive_disable; + #endif + + struct platform_support { +@@ -804,6 +805,12 @@ static void __init early_cmdline_parse(v + } + if (prom_radix_disable) + prom_debug("Radix disabled from cmdline\n"); ++ ++ opt = prom_strstr(prom_cmd_line, "xive=off"); ++ if (opt) { ++ prom_xive_disable = true; ++ prom_debug("XIVE disabled from cmdline\n"); ++ } + #endif /* CONFIG_PPC_PSERIES */ + } + +@@ -1212,10 +1219,17 @@ static void __init prom_parse_xive_model + switch (val) { + case OV5_FEAT(OV5_XIVE_EITHER): /* Either Available */ + prom_debug("XIVE - either mode supported\n"); +- support->xive = true; ++ support->xive = !prom_xive_disable; + break; + case OV5_FEAT(OV5_XIVE_EXPLOIT): /* Only Exploitation mode */ + prom_debug("XIVE - exploitation mode supported\n"); ++ if (prom_xive_disable) { ++ /* ++ * If we __have__ to do XIVE, we're better off ignoring ++ * the command line rather than not booting. ++ */ ++ prom_printf("WARNING: Ignoring cmdline option xive=off\n"); ++ } + support->xive = true; + break; + case OV5_FEAT(OV5_XIVE_LEGACY): /* Only Legacy mode */ +--- a/arch/powerpc/sysdev/xive/spapr.c ++++ b/arch/powerpc/sysdev/xive/spapr.c +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -659,6 +660,55 @@ static bool xive_get_max_prio(u8 *max_pr + return true; + } + ++static const u8 *get_vec5_feature(unsigned int index) ++{ ++ unsigned long root, chosen; ++ int size; ++ const u8 *vec5; ++ ++ root = of_get_flat_dt_root(); ++ chosen = of_get_flat_dt_subnode_by_name(root, "chosen"); ++ if (chosen == -FDT_ERR_NOTFOUND) ++ return NULL; ++ ++ vec5 = of_get_flat_dt_prop(chosen, "ibm,architecture-vec-5", &size); ++ if (!vec5) ++ return NULL; ++ ++ if (size <= index) ++ return NULL; ++ ++ return vec5 + index; ++} ++ ++static bool xive_spapr_disabled(void) ++{ ++ const u8 *vec5_xive; ++ ++ vec5_xive = get_vec5_feature(OV5_INDX(OV5_XIVE_SUPPORT)); ++ if (vec5_xive) { ++ u8 val; ++ ++ val = *vec5_xive & OV5_FEAT(OV5_XIVE_SUPPORT); ++ switch (val) { ++ case OV5_FEAT(OV5_XIVE_EITHER): ++ case OV5_FEAT(OV5_XIVE_LEGACY): ++ break; ++ case OV5_FEAT(OV5_XIVE_EXPLOIT): ++ /* Hypervisor only supports XIVE */ ++ if (xive_cmdline_disabled) ++ pr_warn("WARNING: Ignoring cmdline option xive=off\n"); ++ return false; ++ default: ++ pr_warn("%s: Unknown xive support option: 0x%x\n", ++ __func__, val); ++ break; ++ } ++ } ++ ++ return xive_cmdline_disabled; ++} ++ + bool __init xive_spapr_init(void) + { + struct device_node *np; +@@ -671,7 +721,7 @@ bool __init xive_spapr_init(void) + const __be32 *reg; + int i; + +- if (xive_cmdline_disabled) ++ if (xive_spapr_disabled()) + return false; + + pr_devel("%s()\n", __func__); diff --git a/queue-5.2/powerpc-watchpoint-restore-nv-gprs-while-returning-from-exception.patch b/queue-5.2/powerpc-watchpoint-restore-nv-gprs-while-returning-from-exception.patch new file mode 100644 index 00000000000..5f046eeb203 --- /dev/null +++ b/queue-5.2/powerpc-watchpoint-restore-nv-gprs-while-returning-from-exception.patch @@ -0,0 +1,116 @@ +From f474c28fbcbe42faca4eb415172c07d76adcb819 Mon Sep 17 00:00:00 2001 +From: Ravi Bangoria +Date: Thu, 13 Jun 2019 09:00:14 +0530 +Subject: powerpc/watchpoint: Restore NV GPRs while returning from exception + +From: Ravi Bangoria + +commit f474c28fbcbe42faca4eb415172c07d76adcb819 upstream. + +powerpc hardware triggers watchpoint before executing the instruction. +To make trigger-after-execute behavior, kernel emulates the +instruction. If the instruction is 'load something into non-volatile +register', exception handler should restore emulated register state +while returning back, otherwise there will be register state +corruption. eg, adding a watchpoint on a list can corrput the list: + + # cat /proc/kallsyms | grep kthread_create_list + c00000000121c8b8 d kthread_create_list + +Add watchpoint on kthread_create_list->prev: + + # perf record -e mem:0xc00000000121c8c0 + +Run some workload such that new kthread gets invoked. eg, I just +logged out from console: + + list_add corruption. next->prev should be prev (c000000001214e00), \ + but was c00000000121c8b8. (next=c00000000121c8b8). + WARNING: CPU: 59 PID: 309 at lib/list_debug.c:25 __list_add_valid+0xb4/0xc0 + CPU: 59 PID: 309 Comm: kworker/59:0 Kdump: loaded Not tainted 5.1.0-rc7+ #69 + ... + NIP __list_add_valid+0xb4/0xc0 + LR __list_add_valid+0xb0/0xc0 + Call Trace: + __list_add_valid+0xb0/0xc0 (unreliable) + __kthread_create_on_node+0xe0/0x260 + kthread_create_on_node+0x34/0x50 + create_worker+0xe8/0x260 + worker_thread+0x444/0x560 + kthread+0x160/0x1a0 + ret_from_kernel_thread+0x5c/0x70 + +List corruption happened because it uses 'load into non-volatile +register' instruction: + +Snippet from __kthread_create_on_node: + + c000000000136be8: addis r29,r2,-19 + c000000000136bec: ld r29,31424(r29) + if (!__list_add_valid(new, prev, next)) + c000000000136bf0: mr r3,r30 + c000000000136bf4: mr r5,r28 + c000000000136bf8: mr r4,r29 + c000000000136bfc: bl c00000000059a2f8 <__list_add_valid+0x8> + +Register state from WARN_ON(): + + GPR00: c00000000059a3a0 c000007ff23afb50 c000000001344e00 0000000000000075 + GPR04: 0000000000000000 0000000000000000 0000001852af8bc1 0000000000000000 + GPR08: 0000000000000001 0000000000000007 0000000000000006 00000000000004aa + GPR12: 0000000000000000 c000007ffffeb080 c000000000137038 c000005ff62aaa00 + GPR16: 0000000000000000 0000000000000000 c000007fffbe7600 c000007fffbe7370 + GPR20: c000007fffbe7320 c000007fffbe7300 c000000001373a00 0000000000000000 + GPR24: fffffffffffffef7 c00000000012e320 c000007ff23afcb0 c000000000cb8628 + GPR28: c00000000121c8b8 c000000001214e00 c000007fef5b17e8 c000007fef5b17c0 + +Watchpoint hit at 0xc000000000136bec. + + addis r29,r2,-19 + => r29 = 0xc000000001344e00 + (-19 << 16) + => r29 = 0xc000000001214e00 + + ld r29,31424(r29) + => r29 = *(0xc000000001214e00 + 31424) + => r29 = *(0xc00000000121c8c0) + +0xc00000000121c8c0 is where we placed a watchpoint and thus this +instruction was emulated by emulate_step. But because handle_dabr_fault +did not restore emulated register state, r29 still contains stale +value in above register state. + +Fixes: 5aae8a5370802 ("powerpc, hw_breakpoints: Implement hw_breakpoints for 64-bit server processors") +Signed-off-by: Ravi Bangoria +Cc: stable@vger.kernel.org # 2.6.36+ +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/exceptions-64s.S | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/kernel/exceptions-64s.S ++++ b/arch/powerpc/kernel/exceptions-64s.S +@@ -1746,7 +1746,7 @@ handle_page_fault: + addi r3,r1,STACK_FRAME_OVERHEAD + bl do_page_fault + cmpdi r3,0 +- beq+ 12f ++ beq+ ret_from_except_lite + bl save_nvgprs + mr r5,r3 + addi r3,r1,STACK_FRAME_OVERHEAD +@@ -1761,7 +1761,12 @@ handle_dabr_fault: + ld r5,_DSISR(r1) + addi r3,r1,STACK_FRAME_OVERHEAD + bl do_break +-12: b ret_from_except_lite ++ /* ++ * do_break() may have changed the NV GPRS while handling a breakpoint. ++ * If so, we need to restore them with their updated values. Don't use ++ * ret_from_except_lite here. ++ */ ++ b ret_from_except + + + #ifdef CONFIG_PPC_BOOK3S_64 diff --git a/queue-5.2/series b/queue-5.2/series index b6296bffaa5..ba60f6e0b41 100644 --- a/queue-5.2/series +++ b/queue-5.2/series @@ -380,3 +380,22 @@ mm-z3fold.c-lock-z3fold-page-before-__setpagemovable.patch coda-pass-the-host-file-in-vma-vm_file-on-mmap.patch include-asm-generic-bug.h-fix-cut-here-for-warn_on-for-__warn_taint-architectures.patch resource-fix-locking-in-find_next_iomem_res.patch +gpu-ipu-v3-ipu-ic-fix-saturation-bit-offset-in-tpmem.patch +parisc-ensure-userspace-privilege-for-ptraced-processes-in-regset-functions.patch +parisc-avoid-kernel-panic-triggered-by-invalid-kprobe.patch +parisc-fix-kernel-panic-due-invalid-values-in-iaoq0-or-iaoq1.patch +powerpc-32s-fix-suspend-resume-when-ibats-4-7-are-used.patch +powerpc-mm-32s-fix-condition-that-is-always-true.patch +powerpc-watchpoint-restore-nv-gprs-while-returning-from-exception.patch +powerpc-powernv-npu-fix-reference-leak.patch +powerpc-powernv-idle-fix-restore-of-sprn_ldbar-for-power9-stop-state.patch +powerpc-powernv-fix-stale-iommu-table-base-after-vfio.patch +powerpc-pseries-fix-xive-off-command-line.patch +powerpc-pseries-fix-oops-in-hotplug-memory-notifier.patch +mmc-sdhci-msm-fix-mutex-while-in-spinlock.patch +ecryptfs-fix-a-couple-type-promotion-bugs.patch +mtd-rawnand-mtk-correct-low-level-time-calculation-of-r-w-cycle.patch +mtd-spinand-read-returns-badly-if-the-last-page-has-bitflips.patch +intel_th-msu-remove-set-but-not-used-variable-last.patch +intel_th-msu-fix-single-mode-with-disabled-iommu.patch +bluetooth-add-smp-workaround-microsoft-surface-precision-mouse-bug.patch -- 2.47.3