--- /dev/null
+From 45da9c1767ac31857df572f0a909fbe88fd5a7e9 Mon Sep 17 00:00:00 2001
+From: Nikolay Borisov <nborisov@suse.com>
+Date: Tue, 2 Nov 2021 14:49:16 +0200
+Subject: btrfs: fix memory ordering between normal and ordered work functions
+
+From: Nikolay Borisov <nborisov@suse.com>
+
+commit 45da9c1767ac31857df572f0a909fbe88fd5a7e9 upstream.
+
+Ordered work functions aren't guaranteed to be handled by the same thread
+which executed the normal work functions. The only way execution between
+normal/ordered functions is synchronized is via the WORK_DONE_BIT,
+unfortunately the used bitops don't guarantee any ordering whatsoever.
+
+This manifested as seemingly inexplicable crashes on ARM64, where
+async_chunk::inode is seen as non-null in async_cow_submit which causes
+submit_compressed_extents to be called and crash occurs because
+async_chunk::inode suddenly became NULL. The call trace was similar to:
+
+ pc : submit_compressed_extents+0x38/0x3d0
+ lr : async_cow_submit+0x50/0xd0
+ sp : ffff800015d4bc20
+
+ <registers omitted for brevity>
+
+ Call trace:
+ submit_compressed_extents+0x38/0x3d0
+ async_cow_submit+0x50/0xd0
+ run_ordered_work+0xc8/0x280
+ btrfs_work_helper+0x98/0x250
+ process_one_work+0x1f0/0x4ac
+ worker_thread+0x188/0x504
+ kthread+0x110/0x114
+ ret_from_fork+0x10/0x18
+
+Fix this by adding respective barrier calls which ensure that all
+accesses preceding setting of WORK_DONE_BIT are strictly ordered before
+setting the flag. At the same time add a read barrier after reading of
+WORK_DONE_BIT in run_ordered_work which ensures all subsequent loads
+would be strictly ordered after reading the bit. This in turn ensures
+are all accesses before WORK_DONE_BIT are going to be strictly ordered
+before any access that can occur in ordered_func.
+
+Reported-by: Chris Murphy <lists@colorremedies.com>
+Fixes: 08a9ff326418 ("btrfs: Added btrfs_workqueue_struct implemented ordered execution based on kernel workqueue")
+CC: stable@vger.kernel.org # 4.4+
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2011928
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Tested-by: Chris Murphy <chris@colorremedies.com>
+Signed-off-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/async-thread.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/fs/btrfs/async-thread.c
++++ b/fs/btrfs/async-thread.c
+@@ -234,6 +234,13 @@ static void run_ordered_work(struct __bt
+ ordered_list);
+ if (!test_bit(WORK_DONE_BIT, &work->flags))
+ break;
++ /*
++ * Orders all subsequent loads after reading WORK_DONE_BIT,
++ * paired with the smp_mb__before_atomic in btrfs_work_helper
++ * this guarantees that the ordered function will see all
++ * updates from ordinary work function.
++ */
++ smp_rmb();
+
+ /*
+ * we are going to call the ordered done function, but
+@@ -317,6 +324,13 @@ static void btrfs_work_helper(struct wor
+ thresh_exec_hook(wq);
+ work->func(work);
+ if (need_order) {
++ /*
++ * Ensures all memory accesses done in the work function are
++ * ordered before setting the WORK_DONE_BIT. Ensuring the thread
++ * which is going to executed the ordered work sees them.
++ * Pairs with the smp_rmb in run_ordered_work.
++ */
++ smp_mb__before_atomic();
+ set_bit(WORK_DONE_BIT, &work->flags);
+ run_ordered_work(wq, work);
+ } else {
--- /dev/null
+From 563fbefed46ae4c1f70cffb8eb54c02df480b2c2 Mon Sep 17 00:00:00 2001
+From: Nguyen Dinh Phi <phind.uet@gmail.com>
+Date: Thu, 28 Oct 2021 01:37:22 +0800
+Subject: cfg80211: call cfg80211_stop_ap when switch from P2P_GO type
+
+From: Nguyen Dinh Phi <phind.uet@gmail.com>
+
+commit 563fbefed46ae4c1f70cffb8eb54c02df480b2c2 upstream.
+
+If the userspace tools switch from NL80211_IFTYPE_P2P_GO to
+NL80211_IFTYPE_ADHOC via send_msg(NL80211_CMD_SET_INTERFACE), it
+does not call the cleanup cfg80211_stop_ap(), this leads to the
+initialization of in-use data. For example, this path re-init the
+sdata->assigned_chanctx_list while it is still an element of
+assigned_vifs list, and makes that linked list corrupt.
+
+Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>
+Reported-by: syzbot+bbf402b783eeb6d908db@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20211027173722.777287-1-phind.uet@gmail.com
+Cc: stable@vger.kernel.org
+Fixes: ac800140c20e ("cfg80211: .stop_ap when interface is going down")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/util.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -1044,6 +1044,7 @@ int cfg80211_change_iface(struct cfg8021
+
+ switch (otype) {
+ case NL80211_IFTYPE_AP:
++ case NL80211_IFTYPE_P2P_GO:
+ cfg80211_stop_ap(rdev, dev, true);
+ break;
+ case NL80211_IFTYPE_ADHOC:
--- /dev/null
+From 8a7eb2d476c6823cd44d8c25a6230a52417d7ef8 Mon Sep 17 00:00:00 2001
+From: Boqun Feng <boqun.feng@gmail.com>
+Date: Mon, 1 Nov 2021 23:00:26 +0800
+Subject: Drivers: hv: balloon: Use VMBUS_RING_SIZE() wrapper for dm_ring_size
+
+From: Boqun Feng <boqun.feng@gmail.com>
+
+commit 8a7eb2d476c6823cd44d8c25a6230a52417d7ef8 upstream.
+
+Baihua reported an error when boot an ARM64 guest with PAGE_SIZE=64k and
+BALLOON is enabled:
+
+ hv_vmbus: registering driver hv_balloon
+ hv_vmbus: probe failed for device 1eccfd72-4b41-45ef-b73a-4a6e44c12924 (-22)
+
+The cause of this is that the ringbuffer size for hv_balloon is not
+adjusted with VMBUS_RING_SIZE(), which makes the size not large enough
+for ringbuffers on guest with PAGE_SIZE=64k. Therefore use
+VMBUS_RING_SIZE() to calculate the ringbuffer size. Note that the old
+size (20 * 1024) counts a 4k header in the total size, while
+VMBUS_RING_SIZE() expects the parameter as the payload size, so use
+16 * 1024.
+
+Cc: <stable@vger.kernel.org> # 5.15.x
+Reported-by: Baihua Lu <baihua.lu@microsoft.com>
+Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
+Tested-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Link: https://lore.kernel.org/r/20211101150026.736124-1-boqun.feng@gmail.com
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hv/hv_balloon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hv/hv_balloon.c
++++ b/drivers/hv/hv_balloon.c
+@@ -480,7 +480,7 @@ module_param(pressure_report_delay, uint
+ MODULE_PARM_DESC(pressure_report_delay, "Delay in secs in reporting pressure");
+ static atomic_t trans_id = ATOMIC_INIT(0);
+
+-static int dm_ring_size = 20 * 1024;
++static int dm_ring_size = VMBUS_RING_SIZE(16 * 1024);
+
+ /*
+ * Driver specific state.
--- /dev/null
+From 55eea8ef98641f6e1e1c202bd3a49a57c1dd4059 Mon Sep 17 00:00:00 2001
+From: Roman Li <Roman.Li@amd.com>
+Date: Fri, 30 Jul 2021 18:30:41 -0400
+Subject: drm/amd/display: Limit max DSC target bpp for specific monitors
+
+From: Roman Li <Roman.Li@amd.com>
+
+commit 55eea8ef98641f6e1e1c202bd3a49a57c1dd4059 upstream.
+
+[Why]
+Some monitors exhibit corruption at 16bpp DSC.
+
+[How]
+- Add helpers for patching edid caps.
+- Use it for limiting DSC target bitrate to 15bpp for known monitors
+
+Reviewed-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+Acked-by: Qingqing Zhuo <qingqing.zhuo@amd.com>
+Signed-off-by: Roman Li <Roman.Li@amd.com>
+Cc: stable@vger.kernel.org
+Tested-by: Daniel Wheeler <Daniel.Wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c | 35 ++++++++++++++
+ 1 file changed, 35 insertions(+)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c
+@@ -40,6 +40,39 @@
+
+ #include "dm_helpers.h"
+
++struct monitor_patch_info {
++ unsigned int manufacturer_id;
++ unsigned int product_id;
++ void (*patch_func)(struct dc_edid_caps *edid_caps, unsigned int param);
++ unsigned int patch_param;
++};
++static void set_max_dsc_bpp_limit(struct dc_edid_caps *edid_caps, unsigned int param);
++
++static const struct monitor_patch_info monitor_patch_table[] = {
++{0x6D1E, 0x5BBF, set_max_dsc_bpp_limit, 15},
++{0x6D1E, 0x5B9A, set_max_dsc_bpp_limit, 15},
++};
++
++static void set_max_dsc_bpp_limit(struct dc_edid_caps *edid_caps, unsigned int param)
++{
++ if (edid_caps)
++ edid_caps->panel_patch.max_dsc_target_bpp_limit = param;
++}
++
++static int amdgpu_dm_patch_edid_caps(struct dc_edid_caps *edid_caps)
++{
++ int i, ret = 0;
++
++ for (i = 0; i < ARRAY_SIZE(monitor_patch_table); i++)
++ if ((edid_caps->manufacturer_id == monitor_patch_table[i].manufacturer_id)
++ && (edid_caps->product_id == monitor_patch_table[i].product_id)) {
++ monitor_patch_table[i].patch_func(edid_caps, monitor_patch_table[i].patch_param);
++ ret++;
++ }
++
++ return ret;
++}
++
+ /* dm_helpers_parse_edid_caps
+ *
+ * Parse edid caps
+@@ -125,6 +158,8 @@ enum dc_edid_status dm_helpers_parse_edi
+ kfree(sads);
+ kfree(sadb);
+
++ amdgpu_dm_patch_edid_caps(edid_caps);
++
+ return result;
+ }
+
--- /dev/null
+From 58065a1e524de30df9a2d8214661d5d7eed0a2d9 Mon Sep 17 00:00:00 2001
+From: Alvin Lee <Alvin.Lee2@amd.com>
+Date: Fri, 30 Jul 2021 16:55:06 -0400
+Subject: drm/amd/display: Update swizzle mode enums
+
+From: Alvin Lee <Alvin.Lee2@amd.com>
+
+commit 58065a1e524de30df9a2d8214661d5d7eed0a2d9 upstream.
+
+[Why]
+Swizzle mode enum for DC_SW_VAR_R_X was existing,
+but not mapped correctly.
+
+[How]
+Update mapping and conversion for DC_SW_VAR_R_X.
+
+Reviewed-by: XiangBing Foo <XiangBing.Foo@amd.com>
+Reviewed-by: Martin Leung <Martin.Leung@amd.com>
+Acked-by: Qingqing Zhuo <qingqing.zhuo@amd.com>
+Signed-off-by: Alvin Lee <Alvin.Lee2@amd.com>
+Cc: stable@vger.kernel.org
+Tested-by: Daniel Wheeler <Daniel.Wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c | 4 +++-
+ drivers/gpu/drm/amd/display/dc/dml/display_mode_enums.h | 4 ++--
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c
+@@ -1854,7 +1854,9 @@ static void swizzle_to_dml_params(
+ case DC_SW_VAR_D_X:
+ *sw_mode = dm_sw_var_d_x;
+ break;
+-
++ case DC_SW_VAR_R_X:
++ *sw_mode = dm_sw_var_r_x;
++ break;
+ default:
+ ASSERT(0); /* Not supported */
+ break;
+--- a/drivers/gpu/drm/amd/display/dc/dml/display_mode_enums.h
++++ b/drivers/gpu/drm/amd/display/dc/dml/display_mode_enums.h
+@@ -80,11 +80,11 @@ enum dm_swizzle_mode {
+ dm_sw_SPARE_13 = 24,
+ dm_sw_64kb_s_x = 25,
+ dm_sw_64kb_d_x = 26,
+- dm_sw_SPARE_14 = 27,
++ dm_sw_64kb_r_x = 27,
+ dm_sw_SPARE_15 = 28,
+ dm_sw_var_s_x = 29,
+ dm_sw_var_d_x = 30,
+- dm_sw_64kb_r_x,
++ dm_sw_var_r_x = 31,
+ dm_sw_gfx7_2d_thin_l_vp,
+ dm_sw_gfx7_2d_thin_gl,
+ };
--- /dev/null
+From 968219708108440b23bc292e0486e3cc1d9a1bed Mon Sep 17 00:00:00 2001
+From: Christian Brauner <christian.brauner@ubuntu.com>
+Date: Tue, 9 Nov 2021 15:57:12 +0100
+Subject: fs: handle circular mappings correctly
+
+From: Christian Brauner <christian.brauner@ubuntu.com>
+
+commit 968219708108440b23bc292e0486e3cc1d9a1bed upstream.
+
+When calling setattr_prepare() to determine the validity of the attributes the
+ia_{g,u}id fields contain the value that will be written to inode->i_{g,u}id.
+When the {g,u}id attribute of the file isn't altered and the caller's fs{g,u}id
+matches the current {g,u}id attribute the attribute change is allowed.
+
+The value in ia_{g,u}id does already account for idmapped mounts and will have
+taken the relevant idmapping into account. So in order to verify that the
+{g,u}id attribute isn't changed we simple need to compare the ia_{g,u}id value
+against the inode's i_{g,u}id value.
+
+This only has any meaning for idmapped mounts as idmapping helpers are
+idempotent without them. And for idmapped mounts this really only has a meaning
+when circular idmappings are used, i.e. mappings where e.g. id 1000 is mapped
+to id 1001 and id 1001 is mapped to id 1000. Such ciruclar mappings can e.g. be
+useful when sharing the same home directory between multiple users at the same
+time.
+
+As an example consider a directory with two files: /source/file1 owned by
+{g,u}id 1000 and /source/file2 owned by {g,u}id 1001. Assume we create an
+idmapped mount at /target with an idmapping that maps files owned by {g,u}id
+1000 to being owned by {g,u}id 1001 and files owned by {g,u}id 1001 to being
+owned by {g,u}id 1000. In effect, the idmapped mount at /target switches the
+ownership of /source/file1 and source/file2, i.e. /target/file1 will be owned
+by {g,u}id 1001 and /target/file2 will be owned by {g,u}id 1000.
+
+This means that a user with fs{g,u}id 1000 must be allowed to setattr
+/target/file2 from {g,u}id 1000 to {g,u}id 1000. Similar, a user with fs{g,u}id
+1001 must be allowed to setattr /target/file1 from {g,u}id 1001 to {g,u}id
+1001. Conversely, a user with fs{g,u}id 1000 must fail to setattr /target/file1
+from {g,u}id 1001 to {g,u}id 1000. And a user with fs{g,u}id 1001 must fail to
+setattr /target/file2 from {g,u}id 1000 to {g,u}id 1000. Both cases must fail
+with EPERM for non-capable callers.
+
+Before this patch we could end up denying legitimate attribute changes and
+allowing invalid attribute changes when circular mappings are used. To even get
+into this situation the caller must've been privileged both to create that
+mapping and to create that idmapped mount.
+
+This hasn't been seen in the wild anywhere but came up when expanding the
+testsuite during work on a series of hardening patches. All idmapped fstests
+pass without any regressions and we add new tests to verify the behavior of
+circular mappings.
+
+Link: https://lore.kernel.org/r/20211109145713.1868404-1-brauner@kernel.org
+Fixes: 2f221d6f7b88 ("attr: handle idmapped mounts")
+Cc: Seth Forshee <seth.forshee@digitalocean.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: stable@vger.kernel.org
+CC: linux-fsdevel@vger.kernel.org
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Acked-by: Seth Forshee <sforshee@digitalocean.com>
+Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/attr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/attr.c
++++ b/fs/attr.c
+@@ -35,7 +35,7 @@ static bool chown_ok(struct user_namespa
+ kuid_t uid)
+ {
+ kuid_t kuid = i_uid_into_mnt(mnt_userns, inode);
+- if (uid_eq(current_fsuid(), kuid) && uid_eq(uid, kuid))
++ if (uid_eq(current_fsuid(), kuid) && uid_eq(uid, inode->i_uid))
+ return true;
+ if (capable_wrt_inode_uidgid(mnt_userns, inode, CAP_CHOWN))
+ return true;
+@@ -62,7 +62,7 @@ static bool chgrp_ok(struct user_namespa
+ {
+ kgid_t kgid = i_gid_into_mnt(mnt_userns, inode);
+ if (uid_eq(current_fsuid(), i_uid_into_mnt(mnt_userns, inode)) &&
+- (in_group_p(gid) || gid_eq(gid, kgid)))
++ (in_group_p(gid) || gid_eq(gid, inode->i_gid)))
+ return true;
+ if (capable_wrt_inode_uidgid(mnt_userns, inode, CAP_CHOWN))
+ return true;
--- /dev/null
+From f6ab25d41b18f3d26883cb9c20875e1a85c4f05b Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Wed, 10 Nov 2021 22:22:01 +0100
+Subject: mac80211: drop check for DONT_REORDER in __ieee80211_select_queue
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit f6ab25d41b18f3d26883cb9c20875e1a85c4f05b upstream.
+
+When __ieee80211_select_queue is called, skb->cb has not been cleared yet,
+which means that info->control.flags can contain garbage.
+In some cases this leads to IEEE80211_TX_CTRL_DONT_REORDER being set, causing
+packets marked for other queues to randomly end up in BE instead.
+
+This flag only needs to be checked in ieee80211_select_queue_80211, since
+the radiotap parser is the only piece of code that sets it
+
+Fixes: 66d06c84730c ("mac80211: adhere to Tx control flag that prevents frame reordering")
+Cc: stable@vger.kernel.org
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://lore.kernel.org/r/20211110212201.35452-1-nbd@nbd.name
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/wme.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/mac80211/wme.c
++++ b/net/mac80211/wme.c
+@@ -143,7 +143,6 @@ u16 ieee80211_select_queue_80211(struct
+ u16 __ieee80211_select_queue(struct ieee80211_sub_if_data *sdata,
+ struct sta_info *sta, struct sk_buff *skb)
+ {
+- struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
+ struct mac80211_qos_map *qos_map;
+ bool qos;
+
+@@ -156,7 +155,7 @@ u16 __ieee80211_select_queue(struct ieee
+ else
+ qos = false;
+
+- if (!qos || (info->control.flags & IEEE80211_TX_CTRL_DONT_REORDER)) {
++ if (!qos) {
+ skb->priority = 0; /* required for correct WPA/11i MIC */
+ return IEEE80211_AC_BE;
+ }
--- /dev/null
+From c033a38a81bc539d6c0db8c5387e0b14d819a0cf Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 9 Nov 2021 10:02:04 +0100
+Subject: mac80211: fix radiotap header generation
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit c033a38a81bc539d6c0db8c5387e0b14d819a0cf upstream.
+
+In commit 8c89f7b3d3f2 ("mac80211: Use flex-array for radiotap header
+bitmap") we accidentally pointed the position to the wrong place, so
+we overwrite a present bitmap, and thus cause all kinds of trouble.
+
+To see the issue, note that the previous code read:
+
+ pos = (void *)(it_present + 1);
+
+The requirement now is that we need to calculate pos via it_optional,
+to not trigger the compiler hardening checks, as:
+
+ pos = (void *)&rthdr->it_optional[...];
+
+Rewriting the original expression, we get (obviously, since that just
+adds "+ x - x" terms):
+
+ pos = (void *)(it_present + 1 + rthdr->it_optional - rthdr->it_optional)
+
+and moving the "+ rthdr->it_optional" outside to be used as an array:
+
+ pos = (void *)&rthdr->it_optional[it_present + 1 - rthdr->it_optional];
+
+The original is off by one, fix it.
+
+Cc: stable@vger.kernel.org
+Fixes: 8c89f7b3d3f2 ("mac80211: Use flex-array for radiotap header bitmap")
+Reported-by: Sid Hayn <sidhayn@gmail.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Tested-by: Sid Hayn <sidhayn@gmail.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20211109100203.c61007433ed6.I1dade57aba7de9c4f48d68249adbae62636fd98c@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/rx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -364,7 +364,7 @@ ieee80211_add_rx_radiotap_header(struct
+ * the compiler to think we have walked past the end of the
+ * struct member.
+ */
+- pos = (void *)&rthdr->it_optional[it_present - rthdr->it_optional];
++ pos = (void *)&rthdr->it_optional[it_present + 1 - rthdr->it_optional];
+
+ /* the order of the following fields is important */
+
--- /dev/null
+From 3751c3d34cd5a750c86d1c8eaf217d8faf7f9325 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Mon, 15 Nov 2021 16:21:23 +0100
+Subject: net: stmmac: Fix signed/unsigned wreckage
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 3751c3d34cd5a750c86d1c8eaf217d8faf7f9325 upstream.
+
+The recent addition of timestamp correction to compensate the CDC error
+introduced a subtle signed/unsigned bug in stmmac_get_tx_hwtstamp() while
+it managed for some obscure reason to avoid that in stmmac_get_rx_hwtstamp().
+
+The issue is:
+
+ s64 adjust = 0;
+ u64 ns;
+
+ adjust += -(2 * (NSEC_PER_SEC / priv->plat->clk_ptp_rate));
+ ns += adjust;
+
+works by chance on 64bit, but falls apart on 32bit because the compiler
+knows that adjust fits into 32bit and then treats the addition as a u64 +
+u32 resulting in an off by ~2 seconds failure.
+
+The RX variant uses an u64 for adjust and does the adjustment via
+
+ ns -= adjust;
+
+because consistency is obviously overrated.
+
+Get rid of the pointless zero initialized adjust variable and do:
+
+ ns -= (2 * NSEC_PER_SEC) / priv->plat->clk_ptp_rate;
+
+which is obviously correct and spares the adjust obfuscation. Aside of that
+it yields a more accurate result because the multiplication takes place
+before the integer divide truncation and not afterwards.
+
+Stick the calculation into an inline so it can't be accidentally
+disimproved. Return an u32 from that inline as the result is guaranteed
+to fit which lets the compiler optimize the substraction.
+
+Cc: stable@vger.kernel.org
+Fixes: 3600be5f58c1 ("net: stmmac: add timestamp correction to rid CDC sync error")
+Reported-by: Benedikt Spranger <b.spranger@linutronix.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Benedikt Spranger <b.spranger@linutronix.de>
+Tested-by: Kurt Kanzenbach <kurt@linutronix.de> # Intel EHL
+Link: https://lore.kernel.org/r/87mtm578cs.ffs@tglx
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 23 +++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -511,6 +511,14 @@ bool stmmac_eee_init(struct stmmac_priv
+ return true;
+ }
+
++static inline u32 stmmac_cdc_adjust(struct stmmac_priv *priv)
++{
++ /* Correct the clk domain crossing(CDC) error */
++ if (priv->plat->has_gmac4 && priv->plat->clk_ptp_rate)
++ return (2 * NSEC_PER_SEC) / priv->plat->clk_ptp_rate;
++ return 0;
++}
++
+ /* stmmac_get_tx_hwtstamp - get HW TX timestamps
+ * @priv: driver private structure
+ * @p : descriptor pointer
+@@ -524,7 +532,6 @@ static void stmmac_get_tx_hwtstamp(struc
+ {
+ struct skb_shared_hwtstamps shhwtstamp;
+ bool found = false;
+- s64 adjust = 0;
+ u64 ns = 0;
+
+ if (!priv->hwts_tx_en)
+@@ -543,12 +550,7 @@ static void stmmac_get_tx_hwtstamp(struc
+ }
+
+ if (found) {
+- /* Correct the clk domain crossing(CDC) error */
+- if (priv->plat->has_gmac4 && priv->plat->clk_ptp_rate) {
+- adjust += -(2 * (NSEC_PER_SEC /
+- priv->plat->clk_ptp_rate));
+- ns += adjust;
+- }
++ ns -= stmmac_cdc_adjust(priv);
+
+ memset(&shhwtstamp, 0, sizeof(struct skb_shared_hwtstamps));
+ shhwtstamp.hwtstamp = ns_to_ktime(ns);
+@@ -573,7 +575,6 @@ static void stmmac_get_rx_hwtstamp(struc
+ {
+ struct skb_shared_hwtstamps *shhwtstamp = NULL;
+ struct dma_desc *desc = p;
+- u64 adjust = 0;
+ u64 ns = 0;
+
+ if (!priv->hwts_rx_en)
+@@ -586,11 +587,7 @@ static void stmmac_get_rx_hwtstamp(struc
+ if (stmmac_get_rx_timestamp_status(priv, p, np, priv->adv_ts)) {
+ stmmac_get_timestamp(priv, desc, priv->adv_ts, &ns);
+
+- /* Correct the clk domain crossing(CDC) error */
+- if (priv->plat->has_gmac4 && priv->plat->clk_ptp_rate) {
+- adjust += 2 * (NSEC_PER_SEC / priv->plat->clk_ptp_rate);
+- ns -= adjust;
+- }
++ ns -= stmmac_cdc_adjust(priv);
+
+ netdev_dbg(priv->dev, "get valid RX hw timestamp %llu\n", ns);
+ shhwtstamp = skb_hwtstamps(skb);
--- /dev/null
+From bec05f33ebc1006899c6d3e59a00c58881fe7626 Mon Sep 17 00:00:00 2001
+From: Sven Schnelle <svens@stackframe.org>
+Date: Sun, 14 Nov 2021 17:08:17 +0100
+Subject: parisc/sticon: fix reverse colors
+
+From: Sven Schnelle <svens@stackframe.org>
+
+commit bec05f33ebc1006899c6d3e59a00c58881fe7626 upstream.
+
+sticon_build_attr() checked the reverse argument and flipped
+background and foreground color, but returned the non-reverse
+value afterwards. Fix this and also add two local variables
+for foreground and background color to make the code easier
+to read.
+
+Signed-off-by: Sven Schnelle <svens@stackframe.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/console/sticon.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/video/console/sticon.c
++++ b/drivers/video/console/sticon.c
+@@ -332,13 +332,13 @@ static u8 sticon_build_attr(struct vc_da
+ bool blink, bool underline, bool reverse,
+ bool italic)
+ {
+- u8 attr = ((color & 0x70) >> 1) | ((color & 7));
++ u8 fg = color & 7;
++ u8 bg = (color & 0x70) >> 4;
+
+- if (reverse) {
+- color = ((color >> 3) & 0x7) | ((color & 0x7) << 3);
+- }
+-
+- return attr;
++ if (reverse)
++ return (fg << 3) | bg;
++ else
++ return (bg << 3) | fg;
+ }
+
+ static void sticon_invert_region(struct vc_data *conp, u16 *p, int count)
udf-fix-crash-after-seekdir.patch
spi-fix-use-after-free-of-the-add_lock-mutex.patch
net-stmmac-socfpga-add-runtime-suspend-resume-callback-for-stratix10-platform.patch
+drivers-hv-balloon-use-vmbus_ring_size-wrapper-for-dm_ring_size.patch
+btrfs-fix-memory-ordering-between-normal-and-ordered-work-functions.patch
+fs-handle-circular-mappings-correctly.patch
+net-stmmac-fix-signed-unsigned-wreckage.patch
+parisc-sticon-fix-reverse-colors.patch
+cfg80211-call-cfg80211_stop_ap-when-switch-from-p2p_go-type.patch
+mac80211-fix-radiotap-header-generation.patch
+mac80211-drop-check-for-dont_reorder-in-__ieee80211_select_queue.patch
+drm-amd-display-update-swizzle-mode-enums.patch
+drm-amd-display-limit-max-dsc-target-bpp-for-specific-monitors.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
