5.6-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 18 May 2020 13:42:00 +0000 (15:42 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 18 May 2020 13:42:00 +0000 (15:42 +0200)
added patches:
arm-dts-dra7-fix-bus_dma_limit-for-pcie.patch
arm-dts-imx27-phytec-phycard-s-rdk-fix-the-i2c1-pinctrl-entries.patch
arm-dts-imx6dl-yapp4-fix-ursa-board-ethernet-connection.patch
cifs-fix-leaked-reference-on-requeued-write.patch
drm-amd-amdgpu-add-raven1-part-to-the-gfxoff-quirk-list.patch
drm-amd-display-add-basic-atomic-check-for-cursor-plane.patch
drm-i915-tgl-fix-interrupt-handling-for-dp-aux-transactions.patch
kvm-x86-fix-pkru-save-restore-when-guest-cr4.pke-0-move-it-to-x86.c.patch
make-the-reducing-compressed-framebufer-size-message-be-drm_info_once.patch
powerpc-32s-fix-build-failure-with-config_ppc_kuap_debug.patch
powerpc-vdso32-fallback-on-getres-syscall-when-clock-is-unknown.patch
usb-gadget-fix-illegal-array-access-in-binding-with-udc.patch
usb-xhci-fix-null-pointer-dereference-when-enqueuing-trbs-from-urb-sg-list.patch
x86-fix-early-boot-crash-on-gcc-10-third-try.patch

16 files changed:
queue-5.6/arm-dts-dra7-fix-bus_dma_limit-for-pcie.patch [new file with mode: 0644]
queue-5.6/arm-dts-imx27-phytec-phycard-s-rdk-fix-the-i2c1-pinctrl-entries.patch [new file with mode: 0644]
queue-5.6/arm-dts-imx6dl-yapp4-fix-ursa-board-ethernet-connection.patch [new file with mode: 0644]
queue-5.6/cifs-fix-leaked-reference-on-requeued-write.patch [new file with mode: 0644]
queue-5.6/drm-amd-amdgpu-add-raven1-part-to-the-gfxoff-quirk-list.patch [new file with mode: 0644]
queue-5.6/drm-amd-display-add-basic-atomic-check-for-cursor-plane.patch [new file with mode: 0644]
queue-5.6/drm-i915-tgl-fix-interrupt-handling-for-dp-aux-transactions.patch [new file with mode: 0644]
queue-5.6/kvm-x86-fix-pkru-save-restore-when-guest-cr4.pke-0-move-it-to-x86.c.patch [new file with mode: 0644]
queue-5.6/make-the-reducing-compressed-framebufer-size-message-be-drm_info_once.patch [new file with mode: 0644]
queue-5.6/powerpc-32s-fix-build-failure-with-config_ppc_kuap_debug.patch [new file with mode: 0644]
queue-5.6/powerpc-vdso32-fallback-on-getres-syscall-when-clock-is-unknown.patch [new file with mode: 0644]
queue-5.6/series
queue-5.6/usb-gadget-fix-illegal-array-access-in-binding-with-udc.patch [new file with mode: 0644]
queue-5.6/usb-host-xhci-plat-keep-runtime-active-when-removing-host.patch
queue-5.6/usb-xhci-fix-null-pointer-dereference-when-enqueuing-trbs-from-urb-sg-list.patch [new file with mode: 0644]
queue-5.6/x86-fix-early-boot-crash-on-gcc-10-third-try.patch [new file with mode: 0644]

diff --git a/queue-5.6/arm-dts-dra7-fix-bus_dma_limit-for-pcie.patch b/queue-5.6/arm-dts-dra7-fix-bus_dma_limit-for-pcie.patch
new file mode 100644 (file)
index 0000000..e2e2659
--- /dev/null
@@ -0,0 +1,59 @@
+From 90d4d3f4ea45370d482fa609dbae4d2281b4074f Mon Sep 17 00:00:00 2001
+From: Kishon Vijay Abraham I <kishon@ti.com>
+Date: Fri, 17 Apr 2020 12:13:40 +0530
+Subject: ARM: dts: dra7: Fix bus_dma_limit for PCIe
+
+From: Kishon Vijay Abraham I <kishon@ti.com>
+
+commit 90d4d3f4ea45370d482fa609dbae4d2281b4074f upstream.
+
+Even though commit cfb5d65f2595 ("ARM: dts: dra7: Add bus_dma_limit
+for L3 bus") added bus_dma_limit for L3 bus, the PCIe controller
+gets incorrect value of bus_dma_limit.
+
+Fix it by adding empty dma-ranges property to axi@0 and axi@1
+(parent device tree node of PCIe controller).
+
+Cc: stable@kernel.org
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/dra7.dtsi |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/boot/dts/dra7.dtsi
++++ b/arch/arm/boot/dts/dra7.dtsi
+@@ -172,6 +172,7 @@
+                       #address-cells = <1>;
+                       ranges = <0x51000000 0x51000000 0x3000
+                                 0x0        0x20000000 0x10000000>;
++                      dma-ranges;
+                       /**
+                        * To enable PCI endpoint mode, disable the pcie1_rc
+                        * node and enable pcie1_ep mode.
+@@ -185,7 +186,6 @@
+                               device_type = "pci";
+                               ranges = <0x81000000 0 0          0x03000 0 0x00010000
+                                         0x82000000 0 0x20013000 0x13000 0 0xffed000>;
+-                              dma-ranges = <0x02000000 0x0 0x00000000 0x00000000 0x1 0x00000000>;
+                               bus-range = <0x00 0xff>;
+                               #interrupt-cells = <1>;
+                               num-lanes = <1>;
+@@ -230,6 +230,7 @@
+                       #address-cells = <1>;
+                       ranges = <0x51800000 0x51800000 0x3000
+                                 0x0        0x30000000 0x10000000>;
++                      dma-ranges;
+                       status = "disabled";
+                       pcie2_rc: pcie@51800000 {
+                               reg = <0x51800000 0x2000>, <0x51802000 0x14c>, <0x1000 0x2000>;
+@@ -240,7 +241,6 @@
+                               device_type = "pci";
+                               ranges = <0x81000000 0 0          0x03000 0 0x00010000
+                                         0x82000000 0 0x30013000 0x13000 0 0xffed000>;
+-                              dma-ranges = <0x02000000 0x0 0x00000000 0x00000000 0x1 0x00000000>;
+                               bus-range = <0x00 0xff>;
+                               #interrupt-cells = <1>;
+                               num-lanes = <1>;
diff --git a/queue-5.6/arm-dts-imx27-phytec-phycard-s-rdk-fix-the-i2c1-pinctrl-entries.patch b/queue-5.6/arm-dts-imx27-phytec-phycard-s-rdk-fix-the-i2c1-pinctrl-entries.patch
new file mode 100644 (file)
index 0000000..3851bc3
--- /dev/null
@@ -0,0 +1,43 @@
+From 0caf34350a25907515d929a9c77b9b206aac6d1e Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <festevam@gmail.com>
+Date: Fri, 27 Mar 2020 10:36:24 -0300
+Subject: ARM: dts: imx27-phytec-phycard-s-rdk: Fix the I2C1 pinctrl entries
+
+From: Fabio Estevam <festevam@gmail.com>
+
+commit 0caf34350a25907515d929a9c77b9b206aac6d1e upstream.
+
+The I2C2 pins are already used and the following errors are seen:
+
+imx27-pinctrl 10015000.iomuxc: pin MX27_PAD_I2C2_SDA already requested by 10012000.i2c; cannot claim for 1001d000.i2c
+imx27-pinctrl 10015000.iomuxc: pin-69 (1001d000.i2c) status -22
+imx27-pinctrl 10015000.iomuxc: could not request pin 69 (MX27_PAD_I2C2_SDA) from group i2c2grp  on device 10015000.iomuxc
+imx-i2c 1001d000.i2c: Error applying setting, reverse things back
+imx-i2c: probe of 1001d000.i2c failed with error -22
+
+Fix it by adding the correct I2C1 IOMUX entries for the pinctrl_i2c1 group.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 61664d0b432a ("ARM: dts: imx27 phyCARD-S pinctrl")
+Signed-off-by: Fabio Estevam <festevam@gmail.com>
+Reviewed-by: Stefan Riedmueller <s.riedmueller@phytec.de>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts
++++ b/arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts
+@@ -75,8 +75,8 @@
+       imx27-phycard-s-rdk {
+               pinctrl_i2c1: i2c1grp {
+                       fsl,pins = <
+-                              MX27_PAD_I2C2_SDA__I2C2_SDA 0x0
+-                              MX27_PAD_I2C2_SCL__I2C2_SCL 0x0
++                              MX27_PAD_I2C_DATA__I2C_DATA 0x0
++                              MX27_PAD_I2C_CLK__I2C_CLK 0x0
+                       >;
+               };
diff --git a/queue-5.6/arm-dts-imx6dl-yapp4-fix-ursa-board-ethernet-connection.patch b/queue-5.6/arm-dts-imx6dl-yapp4-fix-ursa-board-ethernet-connection.patch
new file mode 100644 (file)
index 0000000..028ae82
--- /dev/null
@@ -0,0 +1,39 @@
+From cbe63a8358310244e6007398bd2c7c70c7fd51cd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20Vok=C3=A1=C4=8D?= <michal.vokac@ysoft.com>
+Date: Tue, 17 Mar 2020 09:46:28 +0100
+Subject: ARM: dts: imx6dl-yapp4: Fix Ursa board Ethernet connection
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michal Vokáč <michal.vokac@ysoft.com>
+
+commit cbe63a8358310244e6007398bd2c7c70c7fd51cd upstream.
+
+The Y Soft yapp4 platform supports up to two Ethernet ports.
+The Ursa board though has only one Ethernet port populated and that is
+the port@2. Since the introduction of this platform into mainline a wrong
+port was deleted and the Ethernet could never work. Fix this by deleting
+the correct port node.
+
+Fixes: 87489ec3a77f ("ARM: dts: imx: Add Y Soft IOTA Draco, Hydra and Ursa boards")
+Cc: stable@vger.kernel.org
+Signed-off-by: Michal Vokáč <michal.vokac@ysoft.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/imx6dl-yapp4-ursa.dts |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/imx6dl-yapp4-ursa.dts
++++ b/arch/arm/boot/dts/imx6dl-yapp4-ursa.dts
+@@ -38,7 +38,7 @@
+ };
+ &switch_ports {
+-      /delete-node/ port@2;
++      /delete-node/ port@3;
+ };
+ &touchscreen {
diff --git a/queue-5.6/cifs-fix-leaked-reference-on-requeued-write.patch b/queue-5.6/cifs-fix-leaked-reference-on-requeued-write.patch
new file mode 100644 (file)
index 0000000..6f0d1ea
--- /dev/null
@@ -0,0 +1,40 @@
+From a48137996063d22ffba77e077425f49873856ca5 Mon Sep 17 00:00:00 2001
+From: Adam McCoy <adam@forsedomani.com>
+Date: Wed, 13 May 2020 11:53:30 +0000
+Subject: cifs: fix leaked reference on requeued write
+
+From: Adam McCoy <adam@forsedomani.com>
+
+commit a48137996063d22ffba77e077425f49873856ca5 upstream.
+
+Failed async writes that are requeued may not clean up a refcount
+on the file, which can result in a leaked open. This scenario arises
+very reliably when using persistent handles and a reconnect occurs
+while writing.
+
+cifs_writev_requeue only releases the reference if the write fails
+(rc != 0). The server->ops->async_writev operation will take its own
+reference, so the initial reference can always be released.
+
+Signed-off-by: Adam McCoy <adam@forsedomani.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/cifssmb.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/cifssmb.c
++++ b/fs/cifs/cifssmb.c
+@@ -2138,8 +2138,8 @@ cifs_writev_requeue(struct cifs_writedat
+                       }
+               }
++              kref_put(&wdata2->refcount, cifs_writedata_release);
+               if (rc) {
+-                      kref_put(&wdata2->refcount, cifs_writedata_release);
+                       if (is_retryable_error(rc))
+                               continue;
+                       i += nr_pages;
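Review bot: The now-unconditional `kref_put(&wdata2->refcount, cifs_writedata_release);` in cifs_writev_requeue has no comment recording why it is safe to drop the reference on the success path as well. The justification exists only in the commit message (server->ops->async_writev takes its own reference), so I would put it at the call site: `/* async_writev holds its own reference; always drop the initial one */`. It is also worth stating there that wdata2 must not be dereferenced after this line, since on a failed submit this is presumably the last reference and the object may already be released. The loop body starts and ends outside the hunk, so whether any later statement still touches wdata2 cannot be confirmed from here.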
diff --git a/queue-5.6/drm-amd-amdgpu-add-raven1-part-to-the-gfxoff-quirk-list.patch b/queue-5.6/drm-amd-amdgpu-add-raven1-part-to-the-gfxoff-quirk-list.patch
new file mode 100644 (file)
index 0000000..ca22c91
--- /dev/null
@@ -0,0 +1,35 @@
+From 975f543e7522e17b8a4bf34d7daeac44819aee5a Mon Sep 17 00:00:00 2001
+From: Tom St Denis <tom.stdenis@amd.com>
+Date: Thu, 7 May 2020 08:35:40 -0400
+Subject: drm/amd/amdgpu: add raven1 part to the gfxoff quirk list
+
+From: Tom St Denis <tom.stdenis@amd.com>
+
+commit 975f543e7522e17b8a4bf34d7daeac44819aee5a upstream.
+
+On my raven1 system (rev c6) with VBIOS 113-RAVEN-114 GFXOFF is
+not stable (resulting in large block tiling noise in some applications).
+
+Disabling GFXOFF via the quirk list fixes the problems for me.
+
+Signed-off-by: Tom St Denis <tom.stdenis@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+@@ -1177,6 +1177,8 @@ static const struct amdgpu_gfxoff_quirk
+       { 0x1002, 0x15dd, 0x1002, 0x15dd, 0xc8 },
+       /* https://bugzilla.kernel.org/show_bug.cgi?id=207171 */
+       { 0x1002, 0x15dd, 0x103c, 0x83e7, 0xd3 },
++      /* GFXOFF is unstable on C6 parts with a VBIOS 113-RAVEN-114 */
++      { 0x1002, 0x15dd, 0x1002, 0x15dd, 0xc6 },
+       { 0, 0, 0, 0, 0 },
+ };
diff --git a/queue-5.6/drm-amd-display-add-basic-atomic-check-for-cursor-plane.patch b/queue-5.6/drm-amd-display-add-basic-atomic-check-for-cursor-plane.patch
new file mode 100644 (file)
index 0000000..ed0fcf9
--- /dev/null
@@ -0,0 +1,72 @@
+From 626bf90fe03fa080d8df06bb0397c95c53ae8e27 Mon Sep 17 00:00:00 2001
+From: Simon Ser <contact@emersion.fr>
+Date: Mon, 30 Mar 2020 09:23:21 +0000
+Subject: drm/amd/display: add basic atomic check for cursor plane
+
+From: Simon Ser <contact@emersion.fr>
+
+commit 626bf90fe03fa080d8df06bb0397c95c53ae8e27 upstream.
+
+This patch adds a basic cursor check when an atomic test-only commit is
+performed. The position and size of the cursor plane is checked.
+
+This should fix user-space relying on atomic checks to assign buffers to
+planes.
+
+Signed-off-by: Simon Ser <contact@emersion.fr>
+Reported-by: Roman Gilg <subdiff@gmail.com>
+References: https://github.com/emersion/libliftoff/issues/46
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Cc: Harry Wentland <hwentlan@amd.com>
+Reviewed-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c |   26 ++++++++++++++++++++--
+ 1 file changed, 24 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -7716,6 +7716,7 @@ static int dm_update_plane_state(struct
+       struct drm_crtc_state *old_crtc_state, *new_crtc_state;
+       struct dm_crtc_state *dm_new_crtc_state, *dm_old_crtc_state;
+       struct dm_plane_state *dm_new_plane_state, *dm_old_plane_state;
++      struct amdgpu_crtc *new_acrtc;
+       bool needs_reset;
+       int ret = 0;
+@@ -7725,9 +7726,30 @@ static int dm_update_plane_state(struct
+       dm_new_plane_state = to_dm_plane_state(new_plane_state);
+       dm_old_plane_state = to_dm_plane_state(old_plane_state);
+-      /*TODO Implement atomic check for cursor plane */
+-      if (plane->type == DRM_PLANE_TYPE_CURSOR)
++      /*TODO Implement better atomic check for cursor plane */
++      if (plane->type == DRM_PLANE_TYPE_CURSOR) {
++              if (!enable || !new_plane_crtc ||
++                      drm_atomic_plane_disabling(plane->state, new_plane_state))
++                      return 0;
++
++              new_acrtc = to_amdgpu_crtc(new_plane_crtc);
++
++              if ((new_plane_state->crtc_w > new_acrtc->max_cursor_width) ||
++                      (new_plane_state->crtc_h > new_acrtc->max_cursor_height)) {
++                      DRM_DEBUG_ATOMIC("Bad cursor size %d x %d\n",
++                                                       new_plane_state->crtc_w, new_plane_state->crtc_h);
++                      return -EINVAL;
++              }
++
++              if (new_plane_state->crtc_x <= -new_acrtc->max_cursor_width ||
++                      new_plane_state->crtc_y <= -new_acrtc->max_cursor_height) {
++                      DRM_DEBUG_ATOMIC("Bad cursor position %d, %d\n",
++                                                       new_plane_state->crtc_x, new_plane_state->crtc_y);
++                      return -EINVAL;
++              }
++
+               return 0;
++      }
+       needs_reset = should_reset_plane(state, plane, old_plane_state,
+                                        new_plane_state);
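Review bot: The two `DRM_DEBUG_ATOMIC` calls in the new cursor branch of dm_update_plane_state print every value with `%d`, but the size fields are, as far as I know, the unsigned crtc_w/crtc_h of struct drm_plane_state (declared outside this hunk), so the size message should read `DRM_DEBUG_ATOMIC("Bad cursor size %u x %u\n", ...)`. The same signedness mix affects the check itself: max_cursor_width is negated in the position test, so it is presumably a signed int, and `new_plane_state->crtc_w > new_acrtc->max_cursor_width` then compares unsigned with signed. That is harmless while the maximum is positive, but an explicit cast or a short comment would make the intent clear. The TODO could also name what is still unchecked (only the negative position bound is tested here) instead of just saying "better".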
diff --git a/queue-5.6/drm-i915-tgl-fix-interrupt-handling-for-dp-aux-transactions.patch b/queue-5.6/drm-i915-tgl-fix-interrupt-handling-for-dp-aux-transactions.patch
new file mode 100644 (file)
index 0000000..3ca5e66
--- /dev/null
@@ -0,0 +1,60 @@
+From 4457a9db2bdec2360ddb15242341696108167886 Mon Sep 17 00:00:00 2001
+From: Imre Deak <imre.deak@intel.com>
+Date: Mon, 4 May 2020 10:58:28 +0300
+Subject: drm/i915/tgl+: Fix interrupt handling for DP AUX transactions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Imre Deak <imre.deak@intel.com>
+
+commit 4457a9db2bdec2360ddb15242341696108167886 upstream.
+
+Unmask/enable AUX interrupts on all ports on TGL+. So far the interrupts
+worked only on port A, which meant each transaction on other ports took
+10ms.
+
+Cc: <stable@vger.kernel.org> # v5.4+
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200504075828.20348-1-imre.deak@intel.com
+(cherry picked from commit 054318c7e35f1d7d06b216143fff5f32405047ee)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/i915_irq.c |   16 +++-------------
+ 1 file changed, 3 insertions(+), 13 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_irq.c
++++ b/drivers/gpu/drm/i915/i915_irq.c
+@@ -3324,7 +3324,7 @@ static void gen8_de_irq_postinstall(stru
+       u32 de_pipe_masked = gen8_de_pipe_fault_mask(dev_priv) |
+               GEN8_PIPE_CDCLK_CRC_DONE;
+       u32 de_pipe_enables;
+-      u32 de_port_masked = GEN8_AUX_CHANNEL_A;
++      u32 de_port_masked = gen8_de_port_aux_mask(dev_priv);
+       u32 de_port_enables;
+       u32 de_misc_masked = GEN8_DE_EDP_PSR;
+       enum pipe pipe;
+@@ -3332,18 +3332,8 @@ static void gen8_de_irq_postinstall(stru
+       if (INTEL_GEN(dev_priv) <= 10)
+               de_misc_masked |= GEN8_DE_MISC_GSE;
+-      if (INTEL_GEN(dev_priv) >= 9) {
+-              de_port_masked |= GEN9_AUX_CHANNEL_B | GEN9_AUX_CHANNEL_C |
+-                                GEN9_AUX_CHANNEL_D;
+-              if (IS_GEN9_LP(dev_priv))
+-                      de_port_masked |= BXT_DE_PORT_GMBUS;
+-      }
+-
+-      if (INTEL_GEN(dev_priv) >= 11)
+-              de_port_masked |= ICL_AUX_CHANNEL_E;
+-
+-      if (IS_CNL_WITH_PORT_F(dev_priv) || INTEL_GEN(dev_priv) >= 11)
+-              de_port_masked |= CNL_AUX_CHANNEL_F;
++      if (IS_GEN9_LP(dev_priv))
++              de_port_masked |= BXT_DE_PORT_GMBUS;
+       de_pipe_enables = de_pipe_masked | GEN8_PIPE_VBLANK |
+                                          GEN8_PIPE_FIFO_UNDERRUN;
diff --git a/queue-5.6/kvm-x86-fix-pkru-save-restore-when-guest-cr4.pke-0-move-it-to-x86.c.patch b/queue-5.6/kvm-x86-fix-pkru-save-restore-when-guest-cr4.pke-0-move-it-to-x86.c.patch
new file mode 100644 (file)
index 0000000..caa9036
--- /dev/null
@@ -0,0 +1,122 @@
+From 37486135d3a7b03acc7755b63627a130437f066a Mon Sep 17 00:00:00 2001
+From: Babu Moger <babu.moger@amd.com>
+Date: Tue, 12 May 2020 18:59:06 -0500
+Subject: KVM: x86: Fix pkru save/restore when guest CR4.PKE=0, move it to x86.c
+
+From: Babu Moger <babu.moger@amd.com>
+
+commit 37486135d3a7b03acc7755b63627a130437f066a upstream.
+
+Though rdpkru and wrpkru are contingent upon CR4.PKE, the PKRU
+resource isn't. It can be read with XSAVE and written with XRSTOR.
+So, if we don't set the guest PKRU value here(kvm_load_guest_xsave_state),
+the guest can read the host value.
+
+In case of kvm_load_host_xsave_state, guest with CR4.PKE clear could
+potentially use XRSTOR to change the host PKRU value.
+
+While at it, move pkru state save/restore to common code and the
+host_pkru field to kvm_vcpu_arch.  This will let SVM support protection keys.
+
+Cc: stable@vger.kernel.org
+Reported-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Babu Moger <babu.moger@amd.com>
+Message-Id: <158932794619.44260.14508381096663848853.stgit@naples-babu.amd.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/kvm_host.h |    1 +
+ arch/x86/kvm/vmx/vmx.c          |   18 ------------------
+ arch/x86/kvm/x86.c              |   17 +++++++++++++++++
+ 3 files changed, 18 insertions(+), 18 deletions(-)
+
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -574,6 +574,7 @@ struct kvm_vcpu_arch {
+       unsigned long cr4;
+       unsigned long cr4_guest_owned_bits;
+       unsigned long cr8;
++      u32 host_pkru;
+       u32 pkru;
+       u32 hflags;
+       u64 efer;
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -1380,7 +1380,6 @@ void vmx_vcpu_load(struct kvm_vcpu *vcpu
+       vmx_vcpu_pi_load(vcpu, cpu);
+-      vmx->host_pkru = read_pkru();
+       vmx->host_debugctlmsr = get_debugctlmsr();
+ }
+@@ -6538,11 +6537,6 @@ static void vmx_vcpu_run(struct kvm_vcpu
+       kvm_load_guest_xsave_state(vcpu);
+-      if (static_cpu_has(X86_FEATURE_PKU) &&
+-          kvm_read_cr4_bits(vcpu, X86_CR4_PKE) &&
+-          vcpu->arch.pkru != vmx->host_pkru)
+-              __write_pkru(vcpu->arch.pkru);
+-
+       pt_guest_enter(vmx);
+       atomic_switch_perf_msrs(vmx);
+@@ -6631,18 +6625,6 @@ static void vmx_vcpu_run(struct kvm_vcpu
+       pt_guest_exit(vmx);
+-      /*
+-       * eager fpu is enabled if PKEY is supported and CR4 is switched
+-       * back on host, so it is safe to read guest PKRU from current
+-       * XSAVE.
+-       */
+-      if (static_cpu_has(X86_FEATURE_PKU) &&
+-          kvm_read_cr4_bits(vcpu, X86_CR4_PKE)) {
+-              vcpu->arch.pkru = rdpkru();
+-              if (vcpu->arch.pkru != vmx->host_pkru)
+-                      __write_pkru(vmx->host_pkru);
+-      }
+-
+       kvm_load_host_xsave_state(vcpu);
+       vmx->nested.nested_run_pending = 0;
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -809,11 +809,25 @@ void kvm_load_guest_xsave_state(struct k
+                   vcpu->arch.ia32_xss != host_xss)
+                       wrmsrl(MSR_IA32_XSS, vcpu->arch.ia32_xss);
+       }
++
++      if (static_cpu_has(X86_FEATURE_PKU) &&
++          (kvm_read_cr4_bits(vcpu, X86_CR4_PKE) ||
++           (vcpu->arch.xcr0 & XFEATURE_MASK_PKRU)) &&
++          vcpu->arch.pkru != vcpu->arch.host_pkru)
++              __write_pkru(vcpu->arch.pkru);
+ }
+ EXPORT_SYMBOL_GPL(kvm_load_guest_xsave_state);
+ void kvm_load_host_xsave_state(struct kvm_vcpu *vcpu)
+ {
++      if (static_cpu_has(X86_FEATURE_PKU) &&
++          (kvm_read_cr4_bits(vcpu, X86_CR4_PKE) ||
++           (vcpu->arch.xcr0 & XFEATURE_MASK_PKRU))) {
++              vcpu->arch.pkru = rdpkru();
++              if (vcpu->arch.pkru != vcpu->arch.host_pkru)
++                      __write_pkru(vcpu->arch.host_pkru);
++      }
++
+       if (kvm_read_cr4_bits(vcpu, X86_CR4_OSXSAVE)) {
+               if (vcpu->arch.xcr0 != host_xcr0)
+@@ -3529,6 +3543,9 @@ void kvm_arch_vcpu_load(struct kvm_vcpu
+       kvm_x86_ops->vcpu_load(vcpu, cpu);
++      /* Save host pkru register if supported */
++      vcpu->arch.host_pkru = read_pkru();
++
+       /* Apply any externally detected TSC adjustments (due to suspend) */
+       if (unlikely(vcpu->arch.tsc_offset_adjustment)) {
+               adjust_tsc_offset_host(vcpu, vcpu->arch.tsc_offset_adjustment);
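Review bot: The new PKRU conditions in kvm_load_guest_xsave_state and kvm_load_host_xsave_state carry no comment explaining why `vcpu->arch.xcr0 & XFEATURE_MASK_PKRU` is tested alongside CR4.PKE, and the comment that sat on the removed VMX code was dropped rather than moved. The reason is security-relevant and lives only in the commit message: PKRU can be read with XSAVE and written with XRSTOR even when CR4.PKE is clear, so skipping the switch lets the guest read the host value or change it. I would add above each condition something like `/* PKRU is reachable via XSAVE/XRSTOR even with CR4.PKE=0; switch it whenever XCR0 enables it */`. The same three-line predicate now appears twice, and a small static helper would keep the guest-entry and guest-exit sides from drifting apart. In kvm_arch_vcpu_load the comment says "if supported" while `read_pkru()` is called unconditionally; presumably the helper handles the unsupported case itself, and the comment should say so.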
diff --git a/queue-5.6/make-the-reducing-compressed-framebufer-size-message-be-drm_info_once.patch b/queue-5.6/make-the-reducing-compressed-framebufer-size-message-be-drm_info_once.patch
new file mode 100644 (file)
index 0000000..84b48b0
--- /dev/null
@@ -0,0 +1,50 @@
+From 82152d424b6cb6fc1ede7d03d69c04e786688740 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 6 Jul 2018 15:04:24 -0400
+Subject: Make the "Reducing compressed framebufer size" message be DRM_INFO_ONCE()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Peter Jones <pjones@redhat.com>
+
+commit 82152d424b6cb6fc1ede7d03d69c04e786688740 upstream.
+
+This was sort of annoying me:
+
+random:~$ dmesg | tail -1
+[523884.039227] [drm] Reducing the compressed framebuffer size. This may lead to less power savings than a non-reduced-size. Try to increase stolen memory size if available in BIOS.
+random:~$ dmesg | grep -c "Reducing the compressed"
+47
+
+This patch makes it DRM_INFO_ONCE() just like the similar message
+farther down in that function is pr_info_once().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Acked-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/1745
+Link: https://patchwork.freedesktop.org/patch/msgid/20180706190424.29194-1-pjones@redhat.com
+[vsyrjala: Rebase due to per-device logging]
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+(cherry picked from commit 6b7fc6a3e6af4ff5773949d0fed70d8e7f68d5ce)
+[Rodrigo: port back to DRM_INFO_ONCE]
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/display/intel_fbc.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i915/display/intel_fbc.c
++++ b/drivers/gpu/drm/i915/display/intel_fbc.c
+@@ -478,8 +478,7 @@ static int intel_fbc_alloc_cfb(struct dr
+       if (!ret)
+               goto err_llb;
+       else if (ret > 1) {
+-              DRM_INFO("Reducing the compressed framebuffer size. This may lead to less power savings than a non-reduced-size. Try to increase stolen memory size if available in BIOS.\n");
+-
++              DRM_INFO_ONCE("Reducing the compressed framebuffer size. This may lead to less power savings than a non-reduced-size. Try to increase stolen memory size if available in BIOS.\n");
+       }
+       fbc->threshold = ret;
diff --git a/queue-5.6/powerpc-32s-fix-build-failure-with-config_ppc_kuap_debug.patch b/queue-5.6/powerpc-32s-fix-build-failure-with-config_ppc_kuap_debug.patch
new file mode 100644 (file)
index 0000000..fe54c98
--- /dev/null
@@ -0,0 +1,35 @@
+From 4833ce06e6855d526234618b746ffb71d6612c9a Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Mon, 20 Apr 2020 07:47:05 +0000
+Subject: powerpc/32s: Fix build failure with CONFIG_PPC_KUAP_DEBUG
+
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+
+commit 4833ce06e6855d526234618b746ffb71d6612c9a upstream.
+
+gpr2 is not a parametre of kuap_check(), it doesn't exist.
+
+Use gpr instead.
+
+Fixes: a68c31fc01ef ("powerpc/32s: Implement Kernel Userspace Access Protection")
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/ea599546f2a7771bde551393889e44e6b2632332.1587368807.git.christophe.leroy@c-s.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/book3s/32/kup.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/include/asm/book3s/32/kup.h
++++ b/arch/powerpc/include/asm/book3s/32/kup.h
+@@ -75,7 +75,7 @@
+ .macro kuap_check     current, gpr
+ #ifdef CONFIG_PPC_KUAP_DEBUG
+-      lwz     \gpr2, KUAP(thread)
++      lwz     \gpr, KUAP(thread)
+ 999:  twnei   \gpr, 0
+       EMIT_BUG_ENTRY 999b, __FILE__, __LINE__, (BUGFLAG_WARNING | BUGFLAG_ONCE)
+ #endif
diff --git a/queue-5.6/powerpc-vdso32-fallback-on-getres-syscall-when-clock-is-unknown.patch b/queue-5.6/powerpc-vdso32-fallback-on-getres-syscall-when-clock-is-unknown.patch
new file mode 100644 (file)
index 0000000..e41385f
--- /dev/null
@@ -0,0 +1,44 @@
+From e963b7a28b2bf2416304e1a15df967fcf662aff5 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+Date: Sat, 9 May 2020 09:42:14 +0000
+Subject: powerpc/vdso32: Fallback on getres syscall when clock is unknown
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+commit e963b7a28b2bf2416304e1a15df967fcf662aff5 upstream.
+
+There are other clocks than the standard ones, for instance
+per process clocks. Therefore, being above the last standard clock
+doesn't mean it is a bad clock. So, fallback to syscall instead
+of returning -EINVAL inconditionaly.
+
+Fixes: e33ffc956b08 ("powerpc/vdso32: implement clock_getres entirely")
+Cc: stable@vger.kernel.org # v5.6+
+Reported-by: Aurelien Jarno <aurelien@aurel32.net>
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Tested-by: Aurelien Jarno <aurelien@aurel32.net>
+Link: https://lore.kernel.org/r/7316a9e2c0c2517923eb4b0411c4a08d15e675a4.1589017281.git.christophe.leroy@csgroup.eu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/vdso32/gettimeofday.S |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/powerpc/kernel/vdso32/gettimeofday.S
++++ b/arch/powerpc/kernel/vdso32/gettimeofday.S
+@@ -218,11 +218,11 @@ V_FUNCTION_BEGIN(__kernel_clock_getres)
+       blr
+       /*
+-       * invalid clock
++       * syscall fallback
+        */
+ 99:
+-      li      r3, EINVAL
+-      crset   so
++      li      r0,__NR_clock_getres
++      sc
+       blr
+   .cfi_endproc
+ V_FUNCTION_END(__kernel_clock_getres)
index df7eced400209edfbd80d7da1b1aee29256ca6d2..e6b4f525b1fa1e16e2f2d8449afa2c98bbcb237c 100644 (file)
@@ -142,3 +142,17 @@ alsa-usb-audio-add-control-message-quirk-delay-for-kingston-hyperx-headset.patch
 usb-core-hub-limit-hub_quirk_disable_autosuspend-to-usb5534b.patch
 usb-host-xhci-plat-keep-runtime-active-when-removing-host.patch
 usb-cdns3-gadget-prev_req-trb-is-null-for-ep0.patch
+usb-gadget-fix-illegal-array-access-in-binding-with-udc.patch
+usb-xhci-fix-null-pointer-dereference-when-enqueuing-trbs-from-urb-sg-list.patch
+make-the-reducing-compressed-framebufer-size-message-be-drm_info_once.patch
+arm-dts-dra7-fix-bus_dma_limit-for-pcie.patch
+arm-dts-imx27-phytec-phycard-s-rdk-fix-the-i2c1-pinctrl-entries.patch
+arm-dts-imx6dl-yapp4-fix-ursa-board-ethernet-connection.patch
+drm-amd-display-add-basic-atomic-check-for-cursor-plane.patch
+drm-amd-amdgpu-add-raven1-part-to-the-gfxoff-quirk-list.patch
+drm-i915-tgl-fix-interrupt-handling-for-dp-aux-transactions.patch
+powerpc-vdso32-fallback-on-getres-syscall-when-clock-is-unknown.patch
+powerpc-32s-fix-build-failure-with-config_ppc_kuap_debug.patch
+cifs-fix-leaked-reference-on-requeued-write.patch
+kvm-x86-fix-pkru-save-restore-when-guest-cr4.pke-0-move-it-to-x86.c.patch
+x86-fix-early-boot-crash-on-gcc-10-third-try.patch
diff --git a/queue-5.6/usb-gadget-fix-illegal-array-access-in-binding-with-udc.patch b/queue-5.6/usb-gadget-fix-illegal-array-access-in-binding-with-udc.patch
new file mode 100644 (file)
index 0000000..1973265
--- /dev/null
@@ -0,0 +1,75 @@
+From 15753588bcd4bbffae1cca33c8ced5722477fe1f Mon Sep 17 00:00:00 2001
+From: Kyungtae Kim <kt0755@gmail.com>
+Date: Sun, 10 May 2020 05:43:34 +0000
+Subject: USB: gadget: fix illegal array access in binding with UDC
+
+From: Kyungtae Kim <kt0755@gmail.com>
+
+commit 15753588bcd4bbffae1cca33c8ced5722477fe1f upstream.
+
+FuzzUSB (a variant of syzkaller) found an illegal array access
+using an incorrect index while binding a gadget with UDC.
+
+Reference: https://www.spinics.net/lists/linux-usb/msg194331.html
+
+This bug occurs when a size variable used for a buffer
+is misused to access its strcpy-ed buffer.
+Given a buffer along with its size variable (taken from user input),
+from which, a new buffer is created using kstrdup().
+Due to the original buffer containing 0 value in the middle,
+the size of the kstrdup-ed buffer becomes smaller than that of the original.
+So accessing the kstrdup-ed buffer with the same size variable
+triggers memory access violation.
+
+The fix makes sure no zero value in the buffer,
+by comparing the strlen() of the orignal buffer with the size variable,
+so that the access to the kstrdup-ed buffer is safe.
+
+BUG: KASAN: slab-out-of-bounds in gadget_dev_desc_UDC_store+0x1ba/0x200
+drivers/usb/gadget/configfs.c:266
+Read of size 1 at addr ffff88806a55dd7e by task syz-executor.0/17208
+
+CPU: 2 PID: 17208 Comm: syz-executor.0 Not tainted 5.6.8 #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xce/0x128 lib/dump_stack.c:118
+ print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374
+ __kasan_report+0x131/0x1b0 mm/kasan/report.c:506
+ kasan_report+0x12/0x20 mm/kasan/common.c:641
+ __asan_report_load1_noabort+0x14/0x20 mm/kasan/generic_report.c:132
+ gadget_dev_desc_UDC_store+0x1ba/0x200 drivers/usb/gadget/configfs.c:266
+ flush_write_buffer fs/configfs/file.c:251 [inline]
+ configfs_write_file+0x2f1/0x4c0 fs/configfs/file.c:283
+ __vfs_write+0x85/0x110 fs/read_write.c:494
+ vfs_write+0x1cd/0x510 fs/read_write.c:558
+ ksys_write+0x18a/0x220 fs/read_write.c:611
+ __do_sys_write fs/read_write.c:623 [inline]
+ __se_sys_write fs/read_write.c:620 [inline]
+ __x64_sys_write+0x73/0xb0 fs/read_write.c:620
+ do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Signed-off-by: Kyungtae Kim <kt0755@gmail.com>
+Reported-and-tested-by: Kyungtae Kim <kt0755@gmail.com>
+Cc: Felipe Balbi <balbi@kernel.org>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200510054326.GA19198@pizza01
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/configfs.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -260,6 +260,9 @@ static ssize_t gadget_dev_desc_UDC_store
+       char *name;
+       int ret;
++      if (strlen(page) < len)
++              return -EOVERFLOW;
++
+       name = kstrdup(page, GFP_KERNEL);
+       if (!name)
+               return -ENOMEM;
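Review bot: The added `strlen(page) < len` check in gadget_dev_desc_UDC_store carries no comment saying why it is there, and the reason is not evident from the three lines alone. Per the commit message, the copy made by kstrdup() stops at the first NUL while later code indexes it with `len`, so a comment such as `/* page may hold an embedded NUL; name is indexed with len below, so require strlen(page) >= len */` would keep the guard from being dropped as redundant. The check also depends on `page` being NUL-terminated by the configfs caller, which this hunk does not show and is worth confirming. The function body continues outside the hunk, so the indexed access itself is not visible here.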
index 2036842014f7a75dd68781535716175c8ce0cd26..224021a64f8c12b46d7858e59bf5f0e3b3a8eb06 100644 (file)
@@ -108,8 +108,6 @@ Signed-off-by: Li Jun <jun.li@nxp.com>
 Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
 Link: https://lore.kernel.org/r/20200514110432.25564-3-mathias.nyman@linux.intel.com
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
 ---
  drivers/usb/host/xhci-plat.c |    4 +++-
  1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/queue-5.6/usb-xhci-fix-null-pointer-dereference-when-enqueuing-trbs-from-urb-sg-list.patch b/queue-5.6/usb-xhci-fix-null-pointer-dereference-when-enqueuing-trbs-from-urb-sg-list.patch
new file mode 100644 (file)
index 0000000..466c1ed
--- /dev/null
@@ -0,0 +1,74 @@
+From 3c6f8cb92c9178fc0c66b580ea3df1fa3ac1155a Mon Sep 17 00:00:00 2001
+From: Sriharsha Allenki <sallenki@codeaurora.org>
+Date: Thu, 14 May 2020 14:04:31 +0300
+Subject: usb: xhci: Fix NULL pointer dereference when enqueuing trbs from urb sg list
+
+From: Sriharsha Allenki <sallenki@codeaurora.org>
+
+commit 3c6f8cb92c9178fc0c66b580ea3df1fa3ac1155a upstream.
+
+On platforms with IOMMU enabled, multiple SGs can be coalesced into one
+by the IOMMU driver. In that case the SG list processing as part of the
+completion of a urb on a bulk endpoint can result into a NULL pointer
+dereference with the below stack dump.
+
+<6> Unable to handle kernel NULL pointer dereference at virtual address 0000000c
+<6> pgd = c0004000
+<6> [0000000c] *pgd=00000000
+<6> Internal error: Oops: 5 [#1] PREEMPT SMP ARM
+<2> PC is at xhci_queue_bulk_tx+0x454/0x80c
+<2> LR is at xhci_queue_bulk_tx+0x44c/0x80c
+<2> pc : [<c08907c4>]    lr : [<c08907bc>]    psr: 000000d3
+<2> sp : ca337c80  ip : 00000000  fp : ffffffff
+<2> r10: 00000000  r9 : 50037000  r8 : 00004000
+<2> r7 : 00000000  r6 : 00004000  r5 : 00000000  r4 : 00000000
+<2> r3 : 00000000  r2 : 00000082  r1 : c2c1a200  r0 : 00000000
+<2> Flags: nzcv  IRQs off  FIQs off  Mode SVC_32  ISA ARM  Segment none
+<2> Control: 10c0383d  Table: b412c06a  DAC: 00000051
+<6> Process usb-storage (pid: 5961, stack limit = 0xca336210)
+<snip>
+<2> [<c08907c4>] (xhci_queue_bulk_tx)
+<2> [<c0881b3c>] (xhci_urb_enqueue)
+<2> [<c0831068>] (usb_hcd_submit_urb)
+<2> [<c08350b4>] (usb_sg_wait)
+<2> [<c089f384>] (usb_stor_bulk_transfer_sglist)
+<2> [<c089f2c0>] (usb_stor_bulk_srb)
+<2> [<c089fe38>] (usb_stor_Bulk_transport)
+<2> [<c089f468>] (usb_stor_invoke_transport)
+<2> [<c08a11b4>] (usb_stor_control_thread)
+<2> [<c014a534>] (kthread)
+
+The above NULL pointer dereference is the result of block_len and the
+sent_len set to zero after the first SG of the list when IOMMU driver
+is enabled. Because of this the loop of processing the SGs has run
+more than num_sgs which resulted in a sg_next on the last SG of the
+list which has SG_END set.
+
+Fix this by check for the sg before any attributes of the sg are
+accessed.
+
+[modified reason for null pointer dereference in commit message subject -Mathias]
+Fixes: f9c589e142d04 ("xhci: TD-fragment, align the unsplittable case with a bounce buffer")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sriharsha Allenki <sallenki@codeaurora.org>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20200514110432.25564-2-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-ring.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -3425,8 +3425,8 @@ int xhci_queue_bulk_tx(struct xhci_hcd *
+                       /* New sg entry */
+                       --num_sgs;
+                       sent_len -= block_len;
+-                      if (num_sgs != 0) {
+-                              sg = sg_next(sg);
++                      sg = sg_next(sg);
++                      if (num_sgs != 0 && sg) {
+                               block_len = sg_dma_len(sg);
+                               addr = (u64) sg_dma_address(sg);
+                               addr += sent_len;
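Review bot: In xhci_queue_bulk_tx the new `if (num_sgs != 0 && sg)` silently skips the update when sg_next() returns NULL while num_sgs is still non-zero, which leaves block_len and addr at their previous values. The commit message explains that this state is reachable when an IOMMU coalesces entries, but the code does not say so. A comment above the test, e.g. `/* sg may be NULL before num_sgs reaches 0 when the IOMMU coalesced entries */`, would document it. Whether the rest of the loop terminates correctly with the stale block_len depends on code outside this hunk (the loop begins and ends beyond it) and should be checked there.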
diff --git a/queue-5.6/x86-fix-early-boot-crash-on-gcc-10-third-try.patch b/queue-5.6/x86-fix-early-boot-crash-on-gcc-10-third-try.patch
new file mode 100644 (file)
index 0000000..ba8f028
--- /dev/null
@@ -0,0 +1,144 @@
+From a9a3ed1eff3601b63aea4fb462d8b3b92c7c1e7e Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Wed, 22 Apr 2020 18:11:30 +0200
+Subject: x86: Fix early boot crash on gcc-10, third try
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Borislav Petkov <bp@suse.de>
+
+commit a9a3ed1eff3601b63aea4fb462d8b3b92c7c1e7e upstream.
+
+... or the odyssey of trying to disable the stack protector for the
+function which generates the stack canary value.
+
+The whole story started with Sergei reporting a boot crash with a kernel
+built with gcc-10:
+
+  Kernel panic — not syncing: stack-protector: Kernel stack is corrupted in: start_secondary
+  CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc5—00235—gfffb08b37df9 #139
+  Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./H77M—D3H, BIOS F12 11/14/2013
+  Call Trace:
+    dump_stack
+    panic
+    ? start_secondary
+    __stack_chk_fail
+    start_secondary
+    secondary_startup_64
+  -—-[ end Kernel panic — not syncing: stack—protector: Kernel stack is corrupted in: start_secondary
+
+This happens because gcc-10 tail-call optimizes the last function call
+in start_secondary() - cpu_startup_entry() - and thus emits a stack
+canary check which fails because the canary value changes after the
+boot_init_stack_canary() call.
+
+To fix that, the initial attempt was to mark the one function which
+generates the stack canary with:
+
+  __attribute__((optimize("-fno-stack-protector"))) ... start_secondary(void *unused)
+
+however, using the optimize attribute doesn't work cumulatively
+as the attribute does not add to but rather replaces previously
+supplied optimization options - roughly all -fxxx options.
+
+The key one among them being -fno-omit-frame-pointer and thus leading to
+not present frame pointer - frame pointer which the kernel needs.
+
+The next attempt to prevent compilers from tail-call optimizing
+the last function call cpu_startup_entry(), shy of carving out
+start_secondary() into a separate compilation unit and building it with
+-fno-stack-protector, was to add an empty asm("").
+
+This current solution was short and sweet, and reportedly, is supported
+by both compilers but we didn't get very far this time: future (LTO?)
+optimization passes could potentially eliminate this, which leads us
+to the third attempt: having an actual memory barrier there which the
+compiler cannot ignore or move around etc.
+
+That should hold for a long time, but hey we said that about the other
+two solutions too so...
+
+Reported-by: Sergei Trofimovich <slyfox@gentoo.org>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Tested-by: Kalle Valo <kvalo@codeaurora.org>
+Cc: <stable@vger.kernel.org>
+Link: https://lkml.kernel.org/r/20200314164451.346497-1-slyfox@gentoo.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/stackprotector.h |    7 ++++++-
+ arch/x86/kernel/smpboot.c             |    8 ++++++++
+ arch/x86/xen/smp_pv.c                 |    1 +
+ include/linux/compiler.h              |    6 ++++++
+ init/main.c                           |    2 ++
+ 5 files changed, 23 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/stackprotector.h
++++ b/arch/x86/include/asm/stackprotector.h
+@@ -55,8 +55,13 @@
+ /*
+  * Initialize the stackprotector canary value.
+  *
+- * NOTE: this must only be called from functions that never return,
++ * NOTE: this must only be called from functions that never return
+  * and it must always be inlined.
++ *
++ * In addition, it should be called from a compilation unit for which
++ * stack protector is disabled. Alternatively, the caller should not end
++ * with a function call which gets tail-call optimized as that would
++ * lead to checking a modified canary value.
+  */
+ static __always_inline void boot_init_stack_canary(void)
+ {
+--- a/arch/x86/kernel/smpboot.c
++++ b/arch/x86/kernel/smpboot.c
+@@ -262,6 +262,14 @@ static void notrace start_secondary(void
+       wmb();
+       cpu_startup_entry(CPUHP_AP_ONLINE_IDLE);
++
++      /*
++       * Prevent tail call to cpu_startup_entry() because the stack protector
++       * guard has been changed a couple of function calls up, in
++       * boot_init_stack_canary() and must not be checked before tail calling
++       * another function.
++       */
++      prevent_tail_call_optimization();
+ }
+ /**
+--- a/arch/x86/xen/smp_pv.c
++++ b/arch/x86/xen/smp_pv.c
+@@ -92,6 +92,7 @@ asmlinkage __visible void cpu_bringup_an
+       cpu_bringup();
+       boot_init_stack_canary();
+       cpu_startup_entry(CPUHP_AP_ONLINE_IDLE);
++      prevent_tail_call_optimization();
+ }
+ void xen_smp_intr_free_pv(unsigned int cpu)
+--- a/include/linux/compiler.h
++++ b/include/linux/compiler.h
+@@ -356,4 +356,10 @@ static inline void *offset_to_ptr(const
+ /* &a[0] degrades to a pointer: a different type from an array */
+ #define __must_be_array(a)    BUILD_BUG_ON_ZERO(__same_type((a), &(a)[0]))
++/*
++ * This is needed in functions which generate the stack canary, see
++ * arch/x86/kernel/smpboot.c::start_secondary() for an example.
++ */
++#define prevent_tail_call_optimization()      mb()
++
+ #endif /* __LINUX_COMPILER_H */
+--- a/init/main.c
++++ b/init/main.c
+@@ -1032,6 +1032,8 @@ asmlinkage __visible void __init start_k
+       /* Do the rest non-__init'ed, we're now alive */
+       arch_call_rest_init();
++
++      prevent_tail_call_optimization();
+ }
+ /* Call all constructor functions linked into the kernel. */
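Review bot: The comment on `prevent_tail_call_optimization()` in include/linux/compiler.h says which functions need it, but not where it must be placed or why it is a full `mb()`. The protection only holds when the macro follows the last call in the function, so I would add a line such as `* Must follow the final call in the function; mb() is used because the compiler cannot elide or move it.` The call sites in arch/x86/xen/smp_pv.c and init/main.c have no comment, unlike smpboot.c, so a reader there depends entirely on the macro's comment. The macro expands to mb() at each use site, and whether every caller has the barrier definition in scope is not visible in these hunks.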