From dd7d4703e9de73153bd239afcf67c77cdb7f7cf8 Mon Sep 17 00:00:00 2001 
From: Christian Lamparter
Date: Fri, 26 Nov 2021 09:35:45 +0100
Subject: [PATCH] mpc85xx: backport "fix oops when CONFIG_FSL_PMC=n"

Martin Kennedy reported:

|Presently, I get this kernel panic on mpc85xx (Aerohive HiveAP 370)
|on OpenWrt 'master' which occurs right as the second processor is
|initialized:
|
|[ 0.478804] rcu: Hierarchical SRCU implementation.
|[ 0.535569] dyndbg: Ignore empty _ddebug table in a CONFIG_DYNAMIC_DEBUG_CORE build
|[ 0.627233] smp: Bringing up secondary CPUs ...
|[ 0.681659] kernel tried to execute user page (0) - exploit attempt? (uid: 0)
|[ 0.766618] BUG: Unable to handle kernel instruction fetch (NULL pointer?)
|[ 0.848899] Faulting instruction address: 0x00000000
|[ 0.908273] Oops: Kernel access of bad area, sig: 11 [#1]
|[ 0.972851] BE PAGE_SIZE=4K SMP NR_CPUS=2 P1020 RDB
|[ 1.031179] Modules linked in:
|[ 1.067640] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.10.80 #0
|[ 1.139507] NIP: 00000000 LR: c0021d2c CTR: 00000000
|[ 1.199921] REGS: c1051cf0 TRAP: 0400 Not tainted (5.10.80)
|[...]
|[ 1.758220] NIP [00000000] 0x0
|[ 1.794688] LR [c0021d2c] smp_85xx_kick_cpu+0xe8/0x568
|[ 1.856126] Call Trace:
|[ 1.885295] [c1051da8] [c0021cb8] smp_85xx_kick_cpu+0x74/0x568 (unreliable)
|[ 1.968633] [c1051de8] [c0011460] __cpu_up+0xc0/0x228
|[ 2.029038] [c1051e18] [c0031bbc] bringup_cpu+0x30/0x224
|[ 2.092572] [c1051e48] [c0031f3c] cpu_up.constprop.0+0x180/0x33c
|[..]
|[ 2.727952] ---[ end trace 9b796a4bafb6bc14 ]---
|[ 3.800879] Kernel panic - not syncing: Fatal exception
|[ 3.862353] Rebooting in 1 seconds..
|[ 5.905097] System Halted, OK to turn off power
|
|I bisected this down to commit 3ae5da5adce9 ("kernel: bump 5.10 to 5.10.80");
|that is, I don't get the panic right before this commit, but I do after.

He reported the issue upstream and Xiaoming Ni from Huawei came up with
the patch (that is on its way to upstream).

While the AP370 is not in OpenWrt, this will likely affect other SMP
P1020 devices OpenWrt ships with: like the AP330, Enterasys WS-AP3710i, etc.

Reported-by: Martin Kennedy
Tested-by: Martin Kennedy
Signed-off-by: Christian Lamparter
---
 ...-85xx-fix-oops-when-CONFIG_FSL_PMC-n.patch | 55 +++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 target/linux/mpc85xx/patches-5.10/002-powerpc-85xx-fix-oops-when-CONFIG_FSL_PMC-n.patch

diff --git a/target/linux/mpc85xx/patches-5.10/002-powerpc-85xx-fix-oops-when-CONFIG_FSL_PMC-n.patch b/target/linux/mpc85xx/patches-5.10/002-powerpc-85xx-fix-oops-when-CONFIG_FSL_PMC-n.patch
new file mode 100644
index 0000000000..e9c2ec7032
--- /dev/null
+++ b/target/linux/mpc85xx/patches-5.10/002-powerpc-85xx-fix-oops-when-CONFIG_FSL_PMC-n.patch
@@ -0,0 +1,55 @@ +From e7757563e621522f5cd862b3aff473aedf8b66c0 Mon Sep 17 00:00:00 2001 +From: Xiaoming Ni +Date: Fri, 26 Nov 2021 12:11:53 +0800 +Subject: [PATCH] powerpc/85xx: fix oops when CONFIG_FSL_PMC=n + +When CONFIG_FSL_PMC is set to n, no value is assigned to cpu_up_prepare + in the mpc85xx_pm_ops structure. As a result, oops is triggered in + smp_85xx_start_cpu(). + + [ 0.627233] smp: Bringing up secondary CPUs ... + [ 0.681659] kernel tried to execute user page (0) - exploit attempt? (uid: 0) + [ 0.766618] BUG: Unable to handle kernel instruction fetch (NULL pointer?) + [ 0.848899] Faulting instruction address: 0x00000000 + [ 0.908273] Oops: Kernel access of bad area, sig: 11 [#1] + ... + [ 1.758220] NIP [00000000] 0x0 + [ 1.794688] LR [c0021d2c] smp_85xx_kick_cpu+0xe8/0x568 + [ 1.856126] Call Trace: + [ 1.885295] [c1051da8] [c0021cb8] smp_85xx_kick_cpu+0x74/0x568 (unreliable) + [ 1.968633] [c1051de8] [c0011460] __cpu_up+0xc0/0x228 + [ 2.029038] [c1051e18] [c0031bbc] bringup_cpu+0x30/0x224 + [ 2.092572] [c1051e48] [c0031f3c] cpu_up.constprop.0+0x180/0x33c + [ 2.164443] [c1051e88] [c00322e8] bringup_nonboot_cpus+0x88/0xc8 + [ 2.236326] [c1051eb8] [c07e67bc] smp_init+0x30/0x78 + [ 2.295698] [c1051ed8] [c07d9e28] kernel_init_freeable+0x118/0x2a8 + [ 2.369641] [c1051f18] [c00032d8] kernel_init+0x14/0x124 + [ 2.433176] [c1051f38] [c0010278] ret_from_kernel_thread+0x14/0x1c + +Fixes: c45361abb9185b ("powerpc/85xx: fix timebase sync issue when + CONFIG_HOTPLUG_CPU=n") +Link: https://lore.kernel.org/lkml/CANA18Uyba4kMJQrbCSZVTFep2Exe5izE45whNJgwwUvNSEcNLg@mail.gmail.com/ +Reported-by: Martin Kennedy +Signed-off-by: Xiaoming Ni +Tested-by: Martin Kennedy +Cc: stable@vger.kernel.org +--- a/arch/powerpc/platforms/85xx/smp.c ++++ b/arch/powerpc/platforms/85xx/smp.c +@@ -220,7 +220,7 @@ static int smp_85xx_start_cpu(int cpu) + local_irq_save(flags); + hard_irq_disable(); + +- if (qoriq_pm_ops) ++ if (qoriq_pm_ops && qoriq_pm_ops->cpu_up_prepare) + 
qoriq_pm_ops->cpu_up_prepare(cpu); + + /* if cpu is not spinning, reset it */ +@@ -292,7 +292,7 @@ static int smp_85xx_kick_cpu(int nr) + booting_thread_hwid = cpu_thread_in_core(nr); + primary = cpu_first_thread_sibling(nr); + +- if (qoriq_pm_ops) ++ if (qoriq_pm_ops && qoriq_pm_ops->cpu_up_prepare) + qoriq_pm_ops->cpu_up_prepare(nr); + + /*
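
Review bot: the new guard in the smp.c hunks at -220 (smp_85xx_start_cpu) and -292 (smp_85xx_kick_cpu) covers only cpu_up_prepare, so any other qoriq_pm_ops member left unassigned with CONFIG_FSL_PMC=n would still be called through a NULL pointer. The embedded commit message says cpu_up_prepare gets no value in mpc85xx_pm_ops in that configuration; please confirm that every other callback reached behind a bare "if (qoriq_pm_ops)" in this file is assigned there, or guard it the same way. The same two-part condition is now repeated at both call sites, so a small static helper in smp.c that performs the check and the call would keep the two paths from drifting apart if upstream accepts that shape.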
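
Review bot: the header of the added 002-powerpc-85xx-fix-oops-when-CONFIG_FSL_PMC-n.patch carries Link: and Cc: stable trailers but nothing that marks the patch as pending upstream, while the backport commit message says it is still on its way there. A short note in the patch header or the commit message stating that it can be dropped once a 5.10.x bump contains the fix would make that cleanup hard to miss. The file is added only under patches-5.10, so it is also worth checking whether any other kernel version carried for mpc85xx has picked up c45361abb9185b (named in the Fixes: tag) through a stable update and needs the same patch.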