From 30afd1b40e9a67b9a9fdc873142207522de68d62 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 20 Nov 2020 10:19:58 +0100
Subject: [PATCH] 4.9-stable patches

added patches:
	i2c-mux-pca954x-add-missing-pca9546-definition-to-chip_desc.patch
	input-sunkbd-avoid-use-after-free-in-teardown-paths.patch
	powerpc-8xx-always-fault-when-_page_accessed-is-not-set.patch
---
 ...sing-pca9546-definition-to-chip_desc.patch | 43 +++++++++
 ...oid-use-after-free-in-teardown-paths.patch | 94 +++++++++++++++++++
 ...fault-when-_page_accessed-is-not-set.patch | 63 +++++++++++++
 queue-4.9/series                              |  3 +
 4 files changed, 203 insertions(+)
 create mode 100644 queue-4.9/i2c-mux-pca954x-add-missing-pca9546-definition-to-chip_desc.patch
 create mode 100644 queue-4.9/input-sunkbd-avoid-use-after-free-in-teardown-paths.patch
 create mode 100644 queue-4.9/powerpc-8xx-always-fault-when-_page_accessed-is-not-set.patch

diff --git a/queue-4.9/i2c-mux-pca954x-add-missing-pca9546-definition-to-chip_desc.patch b/queue-4.9/i2c-mux-pca954x-add-missing-pca9546-definition-to-chip_desc.patch
new file mode 100644
index 00000000000..f22dbac0f63
--- /dev/null
+++ b/queue-4.9/i2c-mux-pca954x-add-missing-pca9546-definition-to-chip_desc.patch
@@ -0,0 +1,43 @@
+From dbe4d69d252e9e65c6c46826980b77b11a142065 Mon Sep 17 00:00:00 2001
+From: Mike Looijmans <mike.looijmans@topic.nl>
+Date: Thu, 23 Mar 2017 10:00:36 +0100
+Subject: i2c: mux: pca954x: Add missing pca9546 definition to chip_desc
+
+From: Mike Looijmans <mike.looijmans@topic.nl>
+
+commit dbe4d69d252e9e65c6c46826980b77b11a142065 upstream.
+
+The spec for the pca9546 was missing. This chip is the same as the pca9545
+except that it lacks interrupt lines. While the i2c_device_id table mapped
+the pca9546 to the pca9545 definition the compatible table did not.
+
+Signed-off-by: Mike Looijmans <mike.looijmans@topic.nl>
+Signed-off-by: Peter Rosin <peda@axentia.se>
+Cc: Hauke Mehrtens <hauke@hauke-m.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/muxes/i2c-mux-pca954x.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/muxes/i2c-mux-pca954x.c
++++ b/drivers/i2c/muxes/i2c-mux-pca954x.c
+@@ -96,6 +96,10 @@ static const struct chip_desc chips[] =
+ 		.nchans = 4,
+ 		.muxtype = pca954x_isswi,
+ 	},
++	[pca_9546] = {
++		.nchans = 4,
++		.muxtype = pca954x_isswi,
++	},
+ 	[pca_9547] = {
+ 		.nchans = 8,
+ 		.enable = 0x8,
+@@ -113,7 +117,7 @@ static const struct i2c_device_id pca954
+ 	{ "pca9543", pca_9543 },
+ 	{ "pca9544", pca_9544 },
+ 	{ "pca9545", pca_9545 },
+-	{ "pca9546", pca_9545 },
++	{ "pca9546", pca_9546 },
+ 	{ "pca9547", pca_9547 },
+ 	{ "pca9548", pca_9548 },
+ 	{ }
diff --git a/queue-4.9/input-sunkbd-avoid-use-after-free-in-teardown-paths.patch b/queue-4.9/input-sunkbd-avoid-use-after-free-in-teardown-paths.patch
new file mode 100644
index 00000000000..49a10907889
--- /dev/null
+++ b/queue-4.9/input-sunkbd-avoid-use-after-free-in-teardown-paths.patch
@@ -0,0 +1,94 @@
+From 77e70d351db7de07a46ac49b87a6c3c7a60fca7e Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 26 Oct 2020 13:36:17 -0700
+Subject: Input: sunkbd - avoid use-after-free in teardown paths
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 77e70d351db7de07a46ac49b87a6c3c7a60fca7e upstream.
+
+We need to make sure we cancel the reinit work before we tear down the
+driver structures.
+
+Reported-by: Bodong Zhao <nopitydays@gmail.com>
+Tested-by: Bodong Zhao <nopitydays@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/keyboard/sunkbd.c |   41 ++++++++++++++++++++++++++++++++--------
+ 1 file changed, 33 insertions(+), 8 deletions(-)
+
+--- a/drivers/input/keyboard/sunkbd.c
++++ b/drivers/input/keyboard/sunkbd.c
+@@ -115,7 +115,8 @@ static irqreturn_t sunkbd_interrupt(stru
+ 	switch (data) {
+ 
+ 	case SUNKBD_RET_RESET:
+-		schedule_work(&sunkbd->tq);
++		if (sunkbd->enabled)
++			schedule_work(&sunkbd->tq);
+ 		sunkbd->reset = -1;
+ 		break;
+ 
+@@ -216,16 +217,12 @@ static int sunkbd_initialize(struct sunk
+ }
+ 
+ /*
+- * sunkbd_reinit() sets leds and beeps to a state the computer remembers they
+- * were in.
++ * sunkbd_set_leds_beeps() sets leds and beeps to a state the computer remembers
++ * they were in.
+  */
+ 
+-static void sunkbd_reinit(struct work_struct *work)
++static void sunkbd_set_leds_beeps(struct sunkbd *sunkbd)
+ {
+-	struct sunkbd *sunkbd = container_of(work, struct sunkbd, tq);
+-
+-	wait_event_interruptible_timeout(sunkbd->wait, sunkbd->reset >= 0, HZ);
+-
+ 	serio_write(sunkbd->serio, SUNKBD_CMD_SETLED);
+ 	serio_write(sunkbd->serio,
+ 		(!!test_bit(LED_CAPSL,   sunkbd->dev->led) << 3) |
+@@ -238,11 +235,39 @@ static void sunkbd_reinit(struct work_st
+ 		SUNKBD_CMD_BELLOFF - !!test_bit(SND_BELL, sunkbd->dev->snd));
+ }
+ 
++
++/*
++ * sunkbd_reinit() wait for the keyboard reset to complete and restores state
++ * of leds and beeps.
++ */
++
++static void sunkbd_reinit(struct work_struct *work)
++{
++	struct sunkbd *sunkbd = container_of(work, struct sunkbd, tq);
++
++	/*
++	 * It is OK that we check sunkbd->enabled without pausing serio,
++	 * as we only want to catch true->false transition that will
++	 * happen once and we will be woken up for it.
++	 */
++	wait_event_interruptible_timeout(sunkbd->wait,
++					 sunkbd->reset >= 0 || !sunkbd->enabled,
++					 HZ);
++
++	if (sunkbd->reset >= 0 && sunkbd->enabled)
++		sunkbd_set_leds_beeps(sunkbd);
++}
++
+ static void sunkbd_enable(struct sunkbd *sunkbd, bool enable)
+ {
+ 	serio_pause_rx(sunkbd->serio);
+ 	sunkbd->enabled = enable;
+ 	serio_continue_rx(sunkbd->serio);
++
++	if (!enable) {
++		wake_up_interruptible(&sunkbd->wait);
++		cancel_work_sync(&sunkbd->tq);
++	}
+ }
+ 
+ /*
diff --git a/queue-4.9/powerpc-8xx-always-fault-when-_page_accessed-is-not-set.patch b/queue-4.9/powerpc-8xx-always-fault-when-_page_accessed-is-not-set.patch
new file mode 100644
index 00000000000..c6a7f8c6f4a
--- /dev/null
+++ b/queue-4.9/powerpc-8xx-always-fault-when-_page_accessed-is-not-set.patch
@@ -0,0 +1,63 @@
+From 29daf869cbab69088fe1755d9dd224e99ba78b56 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+Date: Mon, 12 Oct 2020 08:54:31 +0000
+Subject: powerpc/8xx: Always fault when _PAGE_ACCESSED is not set
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+commit 29daf869cbab69088fe1755d9dd224e99ba78b56 upstream.
+
+The kernel expects pte_young() to work regardless of CONFIG_SWAP.
+
+Make sure a minor fault is taken to set _PAGE_ACCESSED when it
+is not already set, regardless of the selection of CONFIG_SWAP.
+
+This adds at least 3 instructions to the TLB miss exception
+handlers fast path. Following patch will reduce this overhead.
+
+Also update the rotation instruction to the correct number of bits
+to reflect all changes done to _PAGE_ACCESSED over time.
+
+Fixes: d069cb4373fe ("powerpc/8xx: Don't touch ACCESSED when no SWAP.")
+Fixes: 5f356497c384 ("powerpc/8xx: remove unused _PAGE_WRITETHRU")
+Fixes: e0a8e0d90a9f ("powerpc/8xx: Handle PAGE_USER via APG bits")
+Fixes: 5b2753fc3e8a ("powerpc/8xx: Implementation of PAGE_EXEC")
+Fixes: a891c43b97d3 ("powerpc/8xx: Prepare handlers for _PAGE_HUGE for 512k pages.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/af834e8a0f1fa97bfae65664950f0984a70c4750.1602492856.git.christophe.leroy@csgroup.eu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/head_8xx.S |    8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/arch/powerpc/kernel/head_8xx.S
++++ b/arch/powerpc/kernel/head_8xx.S
+@@ -359,11 +359,9 @@ InstructionTLBMiss:
+ 	/* Load the MI_TWC with the attributes for this "segment." */
+ 	MTSPR_CPU6(SPRN_MI_TWC, r11, r3)	/* Set segment attributes */
+ 
+-#ifdef CONFIG_SWAP
+-	rlwinm	r11, r10, 32-5, _PAGE_PRESENT
++	rlwinm	r11, r10, 32-11, _PAGE_PRESENT
+ 	and	r11, r11, r10
+ 	rlwimi	r10, r11, 0, _PAGE_PRESENT
+-#endif
+ 	li	r11, RPN_PATTERN
+ 	/* The Linux PTE won't go exactly into the MMU TLB.
+ 	 * Software indicator bits 20-23 and 28 must be clear.
+@@ -443,11 +441,9 @@ _ENTRY(DTLBMiss_jmp)
+ 	 * r11 = ((r10 & PRESENT) & ((r10 & ACCESSED) >> 5));
+ 	 * r10 = (r10 & ~PRESENT) | r11;
+ 	 */
+-#ifdef CONFIG_SWAP
+-	rlwinm	r11, r10, 32-5, _PAGE_PRESENT
++	rlwinm	r11, r10, 32-11, _PAGE_PRESENT
+ 	and	r11, r11, r10
+ 	rlwimi	r10, r11, 0, _PAGE_PRESENT
+-#endif
+ 	/* The Linux PTE won't go exactly into the MMU TLB.
+ 	 * Software indicator bits 22 and 28 must be clear.
+ 	 * Software indicator bits 24, 25, 26, and 27 must be
diff --git a/queue-4.9/series b/queue-4.9/series
index 0ccbf9e8916..108a7caf211 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -8,3 +8,6 @@ powerpc-uaccess-evaluate-macro-arguments-once-before-user-access-is-allowed.patc
 powerpc-64s-flush-l1d-after-user-accesses.patch
 i2c-imx-use-clk-notifier-for-rate-changes.patch
 i2c-imx-fix-external-abort-on-interrupt-in-exit-paths.patch
+i2c-mux-pca954x-add-missing-pca9546-definition-to-chip_desc.patch
+powerpc-8xx-always-fault-when-_page_accessed-is-not-set.patch
+input-sunkbd-avoid-use-after-free-in-teardown-paths.patch
-- 
2.47.3