--- /dev/null
+From 8c60aa66a0aff2a638e366dff513e5a80f48edc4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Nov 2021 14:15:38 -0600
+Subject: ata: ahci: Add Green Sardine vendor ID as board_ahci_mobile
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 1527f69204fe35f341cb599f1cb01bd02daf4374 ]
+
+AMD requires that the SATA controller be configured for devsleep in order
+for S0i3 entry to work properly.
+
+commit b1a9585cc396 ("ata: ahci: Enable DEVSLP by default on x86 with
+SLP_S0") sets up a kernel policy to enable devsleep on Intel mobile
+platforms that are using s0ix. Add the PCI ID for the SATA controller in
+Green Sardine platforms to extend this policy by default for AMD based
+systems using s0i3 as well.
+
+Cc: Nehal-bakulchandra Shah <Nehal-bakulchandra.Shah@amd.com>
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=214091
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/ahci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
+index 8df0ec85cc7b9..505920d4530f8 100644
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -436,6 +436,7 @@ static const struct pci_device_id ahci_pci_tbl[] = {
+ /* AMD */
+ { PCI_VDEVICE(AMD, 0x7800), board_ahci }, /* AMD Hudson-2 */
+ { PCI_VDEVICE(AMD, 0x7900), board_ahci }, /* AMD CZ */
++ { PCI_VDEVICE(AMD, 0x7901), board_ahci_mobile }, /* AMD Green Sardine */
+ /* AMD is using RAID class only for ahci controllers */
+ { PCI_VENDOR_ID_AMD, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
+ PCI_CLASS_STORAGE_RAID << 8, 0xffffff, board_ahci },
+--
+2.33.0
+
--- /dev/null
+From cddc17d643d6b3e56ff62ede56eca05a148d95fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Nov 2021 22:24:40 -0500
+Subject: atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait
+
+From: Zekun Shen <bruceshenzk@gmail.com>
+
+[ Upstream commit b922f622592af76b57cbc566eaeccda0b31a3496 ]
+
+This bug report shows up when running our research tools. The
+reports is SOOB read, but it seems SOOB write is also possible
+a few lines below.
+
+In details, fw.len and sw.len are inputs coming from io. A len
+over the size of self->rpc triggers SOOB. The patch fixes the
+bugs by adding sanity checks.
+
+The bugs are triggerable with compromised/malfunctioning devices.
+They are potentially exploitable given they first leak up to
+0xffff bytes and able to overwrite the region later.
+
+The patch is tested with QEMU emulater.
+This is NOT tested with a real device.
+
+Attached is the log we found by fuzzing.
+
+BUG: KASAN: slab-out-of-bounds in
+ hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic]
+Read of size 4 at addr ffff888016260b08 by task modprobe/213
+CPU: 0 PID: 213 Comm: modprobe Not tainted 5.6.0 #1
+Call Trace:
+ dump_stack+0x76/0xa0
+ print_address_description.constprop.0+0x16/0x200
+ ? hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic]
+ ? hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic]
+ __kasan_report.cold+0x37/0x7c
+ ? aq_hw_read_reg_bit+0x60/0x70 [atlantic]
+ ? hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic]
+ kasan_report+0xe/0x20
+ hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic]
+ hw_atl_utils_fw_rpc_call+0x95/0x130 [atlantic]
+ hw_atl_utils_fw_rpc_wait+0x176/0x210 [atlantic]
+ hw_atl_utils_mpi_create+0x229/0x2e0 [atlantic]
+ ? hw_atl_utils_fw_rpc_wait+0x210/0x210 [atlantic]
+ ? hw_atl_utils_initfw+0x9f/0x1c8 [atlantic]
+ hw_atl_utils_initfw+0x12a/0x1c8 [atlantic]
+ aq_nic_ndev_register+0x88/0x650 [atlantic]
+ ? aq_nic_ndev_init+0x235/0x3c0 [atlantic]
+ aq_pci_probe+0x731/0x9b0 [atlantic]
+ ? aq_pci_func_init+0xc0/0xc0 [atlantic]
+ local_pci_probe+0xd3/0x160
+ pci_device_probe+0x23f/0x3e0
+
+Reported-by: Brendan Dolan-Gavitt <brendandg@nyu.edu>
+Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c
+index 096ec18e8f15a..49c80bac9ce28 100644
+--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c
++++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c
+@@ -459,6 +459,11 @@ int hw_atl_utils_fw_rpc_wait(struct aq_hw_s *self,
+ goto err_exit;
+
+ if (fw.len == 0xFFFFU) {
++ if (sw.len > sizeof(self->rpc)) {
++ printk(KERN_INFO "Invalid sw len: %x\n", sw.len);
++ err = -EINVAL;
++ goto err_exit;
++ }
+ err = hw_atl_utils_fw_rpc_call(self, sw.len);
+ if (err < 0)
+ goto err_exit;
+@@ -469,6 +474,11 @@ int hw_atl_utils_fw_rpc_wait(struct aq_hw_s *self,
+
+ if (rpc) {
+ if (fw.len) {
++ if (fw.len > sizeof(self->rpc)) {
++ printk(KERN_INFO "Invalid fw len: %x\n", fw.len);
++ err = -EINVAL;
++ goto err_exit;
++ }
+ err =
+ hw_atl_utils_fw_downld_dwords(self,
+ self->rpc_addr,
+--
+2.33.0
+
--- /dev/null
+From 6686594d00193ce0378cf9139bed9303df2abb81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Oct 2021 06:32:54 +0800
+Subject: btrfs: check-integrity: fix a warning on write caching disabled disk
+
+From: Wang Yugui <wangyugui@e16-tech.com>
+
+[ Upstream commit a91cf0ffbc244792e0b3ecf7d0fddb2f344b461f ]
+
+When a disk has write caching disabled, we skip submission of a bio with
+flush and sync requests before writing the superblock, since it's not
+needed. However when the integrity checker is enabled, this results in
+reports that there are metadata blocks referred by a superblock that
+were not properly flushed. So don't skip the bio submission only when
+the integrity checker is enabled for the sake of simplicity, since this
+is a debug tool and not meant for use in non-debug builds.
+
+fstests/btrfs/220 trigger a check-integrity warning like the following
+when CONFIG_BTRFS_FS_CHECK_INTEGRITY=y and the disk with WCE=0.
+
+ btrfs: attempt to write superblock which references block M @5242880 (sdb2/5242880/0) which is not flushed out of disk's write cache (block flush_gen=1, dev->flush_gen=0)!
+ ------------[ cut here ]------------
+ WARNING: CPU: 28 PID: 843680 at fs/btrfs/check-integrity.c:2196 btrfsic_process_written_superblock+0x22a/0x2a0 [btrfs]
+ CPU: 28 PID: 843680 Comm: umount Not tainted 5.15.0-0.rc5.39.el8.x86_64 #1
+ Hardware name: Dell Inc. Precision T7610/0NK70N, BIOS A18 09/11/2019
+ RIP: 0010:btrfsic_process_written_superblock+0x22a/0x2a0 [btrfs]
+ RSP: 0018:ffffb642afb47940 EFLAGS: 00010246
+ RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
+ RDX: 00000000ffffffff RSI: ffff8b722fc97d00 RDI: ffff8b722fc97d00
+ RBP: ffff8b5601c00000 R08: 0000000000000000 R09: c0000000ffff7fff
+ R10: 0000000000000001 R11: ffffb642afb476f8 R12: ffffffffffffffff
+ R13: ffffb642afb47974 R14: ffff8b5499254c00 R15: 0000000000000003
+ FS: 00007f00a06d4080(0000) GS:ffff8b722fc80000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007fff5cff5ff0 CR3: 00000001c0c2a006 CR4: 00000000001706e0
+ Call Trace:
+ btrfsic_process_written_block+0x2f7/0x850 [btrfs]
+ __btrfsic_submit_bio.part.19+0x310/0x330 [btrfs]
+ ? bio_associate_blkg_from_css+0xa4/0x2c0
+ btrfsic_submit_bio+0x18/0x30 [btrfs]
+ write_dev_supers+0x81/0x2a0 [btrfs]
+ ? find_get_pages_range_tag+0x219/0x280
+ ? pagevec_lookup_range_tag+0x24/0x30
+ ? __filemap_fdatawait_range+0x6d/0xf0
+ ? __raw_callee_save___native_queued_spin_unlock+0x11/0x1e
+ ? find_first_extent_bit+0x9b/0x160 [btrfs]
+ ? __raw_callee_save___native_queued_spin_unlock+0x11/0x1e
+ write_all_supers+0x1b3/0xa70 [btrfs]
+ ? __raw_callee_save___native_queued_spin_unlock+0x11/0x1e
+ btrfs_commit_transaction+0x59d/0xac0 [btrfs]
+ close_ctree+0x11d/0x339 [btrfs]
+ generic_shutdown_super+0x71/0x110
+ kill_anon_super+0x14/0x30
+ btrfs_kill_super+0x12/0x20 [btrfs]
+ deactivate_locked_super+0x31/0x70
+ cleanup_mnt+0xb8/0x140
+ task_work_run+0x6d/0xb0
+ exit_to_user_mode_prepare+0x1f0/0x200
+ syscall_exit_to_user_mode+0x12/0x30
+ do_syscall_64+0x46/0x80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+ RIP: 0033:0x7f009f711dfb
+ RSP: 002b:00007fff5cff7928 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
+ RAX: 0000000000000000 RBX: 000055b68c6c9970 RCX: 00007f009f711dfb
+ RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000055b68c6c9b50
+ RBP: 0000000000000000 R08: 000055b68c6ca900 R09: 00007f009f795580
+ R10: 0000000000000000 R11: 0000000000000246 R12: 000055b68c6c9b50
+ R13: 00007f00a04bf184 R14: 0000000000000000 R15: 00000000ffffffff
+ ---[ end trace 2c4b82abcef9eec4 ]---
+ S-65536(sdb2/65536/1)
+ -->
+ M-1064960(sdb2/1064960/1)
+
+Reviewed-by: Filipe Manana <fdmanana@gmail.com>
+Signed-off-by: Wang Yugui <wangyugui@e16-tech.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/disk-io.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
+index c326535d5a80a..2ac920bdf4df5 100644
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -3579,11 +3579,23 @@ static void btrfs_end_empty_barrier(struct bio *bio)
+ */
+ static void write_dev_flush(struct btrfs_device *device)
+ {
+- struct request_queue *q = bdev_get_queue(device->bdev);
+ struct bio *bio = device->flush_bio;
+
++#ifndef CONFIG_BTRFS_FS_CHECK_INTEGRITY
++ /*
++ * When a disk has write caching disabled, we skip submission of a bio
++ * with flush and sync requests before writing the superblock, since
++ * it's not needed. However when the integrity checker is enabled, this
++ * results in reports that there are metadata blocks referred by a
++ * superblock that were not properly flushed. So don't skip the bio
++ * submission only when the integrity checker is enabled for the sake
++ * of simplicity, since this is a debug tool and not meant for use in
++ * non-debug builds.
++ */
++ struct request_queue *q = bdev_get_queue(device->bdev);
+ if (!test_bit(QUEUE_FLAG_WC, &q->queue_flags))
+ return;
++#endif
+
+ bio_reset(bio);
+ bio->bi_end_io = btrfs_end_empty_barrier;
+--
+2.33.0
+
--- /dev/null
+From c26eb15c39e70473a0cc1b354fb77a08201c27d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Nov 2021 11:44:53 +0800
+Subject: ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array
+ overflow in hns_dsaf_ge_srst_by_port()
+
+From: Teng Qi <starmiku1207184332@gmail.com>
+
+[ Upstream commit a66998e0fbf213d47d02813b9679426129d0d114 ]
+
+The if statement:
+ if (port >= DSAF_GE_NUM)
+ return;
+
+limits the value of port less than DSAF_GE_NUM (i.e., 8).
+However, if the value of port is 6 or 7, an array overflow could occur:
+ port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off;
+
+because the length of dsaf_dev->mac_cb is DSAF_MAX_PORT_NUM (i.e., 6).
+
+To fix this possible array overflow, we first check port and if it is
+greater than or equal to DSAF_MAX_PORT_NUM, the function returns.
+
+Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
+Signed-off-by: Teng Qi <starmiku1207184332@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c
+index 16294cd3c9545..4ceacb1c154dc 100644
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c
+@@ -402,6 +402,10 @@ static void hns_dsaf_ge_srst_by_port(struct dsaf_device *dsaf_dev, u32 port,
+ return;
+
+ if (!HNS_DSAF_IS_DEBUG(dsaf_dev)) {
++ /* DSAF_MAX_PORT_NUM is 6, but DSAF_GE_NUM is 8.
++ We need check to prevent array overflow */
++ if (port >= DSAF_MAX_PORT_NUM)
++ return;
+ reg_val_1 = 0x1 << port;
+ port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off;
+ /* there is difference between V1 and V2 in register.*/
+--
+2.33.0
+
--- /dev/null
+From 6dd0e79fe878238dea1f2c4ead187e80ecbc916c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Nov 2021 00:18:56 +0100
+Subject: gfs2: Fix length of holes reported at end-of-file
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+[ Upstream commit f3506eee81d1f700d9ee2d2f4a88fddb669ec032 ]
+
+Fix the length of holes reported at the end of a file: the length is
+relative to the beginning of the extent, not the seek position which is
+rounded down to the filesystem block size.
+
+This bug went unnoticed for some time, but is now caught by the
+following assertion in iomap_iter_done():
+
+ WARN_ON_ONCE(iter->iomap.offset + iter->iomap.length <= iter->pos)
+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/bmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/gfs2/bmap.c b/fs/gfs2/bmap.c
+index 43f53020553b5..53ba5019ad063 100644
+--- a/fs/gfs2/bmap.c
++++ b/fs/gfs2/bmap.c
+@@ -943,7 +943,7 @@ static int gfs2_iomap_get(struct inode *inode, loff_t pos, loff_t length,
+ else if (height == ip->i_height)
+ ret = gfs2_hole_size(inode, lblock, len, mp, iomap);
+ else
+- iomap->length = size - pos;
++ iomap->length = size - iomap->offset;
+ } else if (flags & IOMAP_WRITE) {
+ u64 alloc_size;
+
+--
+2.33.0
+
--- /dev/null
+From 6276b3a7750b0800a62ea3e0b375a937d16232e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Nov 2021 15:01:18 +0800
+Subject: net: ethernet: dec: tulip: de4x5: fix possible array overflows in
+ type3_infoblock()
+
+From: Teng Qi <starmiku1207184332@gmail.com>
+
+[ Upstream commit 0fa68da72c3be09e06dd833258ee89c33374195f ]
+
+The definition of macro MOTO_SROM_BUG is:
+ #define MOTO_SROM_BUG (lp->active == 8 && (get_unaligned_le32(
+ dev->dev_addr) & 0x00ffffff) == 0x3e0008)
+
+and the if statement
+ if (MOTO_SROM_BUG) lp->active = 0;
+
+using this macro indicates lp->active could be 8. If lp->active is 8 and
+the second comparison of this macro is false. lp->active will remain 8 in:
+ lp->phy[lp->active].gep = (*p ? p : NULL); p += (2 * (*p) + 1);
+ lp->phy[lp->active].rst = (*p ? p : NULL); p += (2 * (*p) + 1);
+ lp->phy[lp->active].mc = get_unaligned_le16(p); p += 2;
+ lp->phy[lp->active].ana = get_unaligned_le16(p); p += 2;
+ lp->phy[lp->active].fdx = get_unaligned_le16(p); p += 2;
+ lp->phy[lp->active].ttm = get_unaligned_le16(p); p += 2;
+ lp->phy[lp->active].mci = *p;
+
+However, the length of array lp->phy is 8, so array overflows can occur.
+To fix these possible array overflows, we first check lp->active and then
+return -EINVAL if it is greater or equal to ARRAY_SIZE(lp->phy) (i.e. 8).
+
+Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
+Signed-off-by: Teng Qi <starmiku1207184332@gmail.com>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/dec/tulip/de4x5.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/dec/tulip/de4x5.c b/drivers/net/ethernet/dec/tulip/de4x5.c
+index a80252973171f..c97fc0e384ca6 100644
+--- a/drivers/net/ethernet/dec/tulip/de4x5.c
++++ b/drivers/net/ethernet/dec/tulip/de4x5.c
+@@ -4708,6 +4708,10 @@ type3_infoblock(struct net_device *dev, u_char count, u_char *p)
+ lp->ibn = 3;
+ lp->active = *p++;
+ if (MOTO_SROM_BUG) lp->active = 0;
++ /* if (MOTO_SROM_BUG) statement indicates lp->active could
++ * be 8 (i.e. the size of array lp->phy) */
++ if (WARN_ON(lp->active >= ARRAY_SIZE(lp->phy)))
++ return -EINVAL;
+ lp->phy[lp->active].gep = (*p ? p : NULL); p += (2 * (*p) + 1);
+ lp->phy[lp->active].rst = (*p ? p : NULL); p += (2 * (*p) + 1);
+ lp->phy[lp->active].mc = get_unaligned_le16(p); p += 2;
+--
+2.33.0
+
--- /dev/null
+From b0b6552fb6d8572f5931d0417b9b2dd5856d733a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Nov 2021 16:14:48 +0800
+Subject: net: return correct error code
+
+From: liuguoqiang <liuguoqiang@uniontech.com>
+
+[ Upstream commit 6def480181f15f6d9ec812bca8cbc62451ba314c ]
+
+When kmemdup called failed and register_net_sysctl return NULL, should
+return ENOMEM instead of ENOBUFS
+
+Signed-off-by: liuguoqiang <liuguoqiang@uniontech.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/devinet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
+index 12a2cea9d606a..e2ab8cdb71347 100644
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -2354,7 +2354,7 @@ static int __devinet_sysctl_register(struct net *net, char *dev_name,
+ free:
+ kfree(t);
+ out:
+- return -ENOBUFS;
++ return -ENOMEM;
+ }
+
+ static void __devinet_sysctl_unregister(struct net *net,
+--
+2.33.0
+
--- /dev/null
+From 7719843a73b87fb9d0ff3998f9b011db5b22f575 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Nov 2021 13:46:32 +0800
+Subject: net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be
+ out of bound
+
+From: zhangyue <zhangyue1@kylinos.cn>
+
+[ Upstream commit 61217be886b5f7402843677e4be7e7e83de9cb41 ]
+
+In line 5001, if all id in the array 'lp->phy[8]' is not 0, when the
+'for' end, the 'k' is 8.
+
+At this time, the array 'lp->phy[8]' may be out of bound.
+
+Signed-off-by: zhangyue <zhangyue1@kylinos.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/dec/tulip/de4x5.c | 30 +++++++++++++++-----------
+ 1 file changed, 17 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/dec/tulip/de4x5.c b/drivers/net/ethernet/dec/tulip/de4x5.c
+index c813e6f2b371e..a80252973171f 100644
+--- a/drivers/net/ethernet/dec/tulip/de4x5.c
++++ b/drivers/net/ethernet/dec/tulip/de4x5.c
+@@ -4999,19 +4999,23 @@ mii_get_phy(struct net_device *dev)
+ }
+ if ((j == limit) && (i < DE4X5_MAX_MII)) {
+ for (k=0; k < DE4X5_MAX_PHY && lp->phy[k].id; k++);
+- lp->phy[k].addr = i;
+- lp->phy[k].id = id;
+- lp->phy[k].spd.reg = GENERIC_REG; /* ANLPA register */
+- lp->phy[k].spd.mask = GENERIC_MASK; /* 100Mb/s technologies */
+- lp->phy[k].spd.value = GENERIC_VALUE; /* TX & T4, H/F Duplex */
+- lp->mii_cnt++;
+- lp->active++;
+- printk("%s: Using generic MII device control. If the board doesn't operate,\nplease mail the following dump to the author:\n", dev->name);
+- j = de4x5_debug;
+- de4x5_debug |= DEBUG_MII;
+- de4x5_dbg_mii(dev, k);
+- de4x5_debug = j;
+- printk("\n");
++ if (k < DE4X5_MAX_PHY) {
++ lp->phy[k].addr = i;
++ lp->phy[k].id = id;
++ lp->phy[k].spd.reg = GENERIC_REG; /* ANLPA register */
++ lp->phy[k].spd.mask = GENERIC_MASK; /* 100Mb/s technologies */
++ lp->phy[k].spd.value = GENERIC_VALUE; /* TX & T4, H/F Duplex */
++ lp->mii_cnt++;
++ lp->active++;
++ printk("%s: Using generic MII device control. If the board doesn't operate,\nplease mail the following dump to the author:\n", dev->name);
++ j = de4x5_debug;
++ de4x5_debug |= DEBUG_MII;
++ de4x5_dbg_mii(dev, k);
++ de4x5_debug = j;
++ printk("\n");
++ } else {
++ goto purgatory;
++ }
+ }
+ }
+ purgatory:
+--
+2.33.0
+
--- /dev/null
+From be5dbcc82829cf568632539a3f27a66d2e29f3f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Nov 2021 23:12:47 -0800
+Subject: perf hist: Fix memory leak of a perf_hpp_fmt
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit 0ca1f534a776cc7d42f2c33da4732b74ec2790cd ]
+
+perf_hpp__column_unregister() removes an entry from a list but doesn't
+free the memory causing a memory leak spotted by leak sanitizer.
+
+Add the free while at the same time reducing the scope of the function
+to static.
+
+Signed-off-by: Ian Rogers <irogers@google.com>
+Reviewed-by: Kajol Jain <kjain@linux.ibm.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Link: http://lore.kernel.org/lkml/20211118071247.2140392-1-irogers@google.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/ui/hist.c | 28 ++++++++++++++--------------
+ tools/perf/util/hist.h | 1 -
+ 2 files changed, 14 insertions(+), 15 deletions(-)
+
+diff --git a/tools/perf/ui/hist.c b/tools/perf/ui/hist.c
+index fe3dfaa64a916..4afb63cea41b9 100644
+--- a/tools/perf/ui/hist.c
++++ b/tools/perf/ui/hist.c
+@@ -468,6 +468,18 @@ struct perf_hpp_list perf_hpp_list = {
+ #undef __HPP_SORT_ACC_FN
+ #undef __HPP_SORT_RAW_FN
+
++static void fmt_free(struct perf_hpp_fmt *fmt)
++{
++ /*
++ * At this point fmt should be completely
++ * unhooked, if not it's a bug.
++ */
++ BUG_ON(!list_empty(&fmt->list));
++ BUG_ON(!list_empty(&fmt->sort_list));
++
++ if (fmt->free)
++ fmt->free(fmt);
++}
+
+ void perf_hpp__init(void)
+ {
+@@ -531,9 +543,10 @@ void perf_hpp_list__prepend_sort_field(struct perf_hpp_list *list,
+ list_add(&format->sort_list, &list->sorts);
+ }
+
+-void perf_hpp__column_unregister(struct perf_hpp_fmt *format)
++static void perf_hpp__column_unregister(struct perf_hpp_fmt *format)
+ {
+ list_del_init(&format->list);
++ fmt_free(format);
+ }
+
+ void perf_hpp__cancel_cumulate(void)
+@@ -605,19 +618,6 @@ void perf_hpp__append_sort_keys(struct perf_hpp_list *list)
+ }
+
+
+-static void fmt_free(struct perf_hpp_fmt *fmt)
+-{
+- /*
+- * At this point fmt should be completely
+- * unhooked, if not it's a bug.
+- */
+- BUG_ON(!list_empty(&fmt->list));
+- BUG_ON(!list_empty(&fmt->sort_list));
+-
+- if (fmt->free)
+- fmt->free(fmt);
+-}
+-
+ void perf_hpp__reset_output_field(struct perf_hpp_list *list)
+ {
+ struct perf_hpp_fmt *fmt, *tmp;
+diff --git a/tools/perf/util/hist.h b/tools/perf/util/hist.h
+index 7173e1f410930..899c1ca5e7dce 100644
+--- a/tools/perf/util/hist.h
++++ b/tools/perf/util/hist.h
+@@ -346,7 +346,6 @@ enum {
+ };
+
+ void perf_hpp__init(void);
+-void perf_hpp__column_unregister(struct perf_hpp_fmt *format);
+ void perf_hpp__cancel_cumulate(void);
+ void perf_hpp__setup_output_field(struct perf_hpp_list *list);
+ void perf_hpp__reset_output_field(struct perf_hpp_list *list);
+--
+2.33.0
+
--- /dev/null
+From 1e69ffdbe6752945243d0318ff8490e31aa17866 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Nov 2021 14:06:48 +0800
+Subject: platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3
+ deep
+
+From: Slark Xiao <slark_xiao@163.com>
+
+[ Upstream commit 39f53292181081d35174a581a98441de5da22bc9 ]
+
+When WWAN device wake from S3 deep, under thinkpad platform,
+WWAN would be disabled. This disable status could be checked
+by command 'nmcli r wwan' or 'rfkill list'.
+
+Issue analysis as below:
+ When host resume from S3 deep, thinkpad_acpi driver would
+call hotkey_resume() function. Finnaly, it will use
+wan_get_status to check the current status of WWAN device.
+During this resume progress, wan_get_status would always
+return off even WWAN boot up completely.
+ In patch V2, Hans said 'sw_state should be unchanged
+after a suspend/resume. It's better to drop the
+tpacpi_rfk_update_swstate call all together from the
+resume path'.
+ And it's confimed by Lenovo that GWAN is no longer
+ available from WHL generation because the design does not
+ match with current pin control.
+
+Signed-off-by: Slark Xiao <slark_xiao@163.com>
+Link: https://lore.kernel.org/r/20211108060648.8212-1-slark_xiao@163.com
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/thinkpad_acpi.c | 12 ------------
+ 1 file changed, 12 deletions(-)
+
+diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c
+index fa8bcbe3d2762..912ce5cb2f084 100644
+--- a/drivers/platform/x86/thinkpad_acpi.c
++++ b/drivers/platform/x86/thinkpad_acpi.c
+@@ -1198,15 +1198,6 @@ static int tpacpi_rfk_update_swstate(const struct tpacpi_rfk *tp_rfk)
+ return status;
+ }
+
+-/* Query FW and update rfkill sw state for all rfkill switches */
+-static void tpacpi_rfk_update_swstate_all(void)
+-{
+- unsigned int i;
+-
+- for (i = 0; i < TPACPI_RFK_SW_MAX; i++)
+- tpacpi_rfk_update_swstate(tpacpi_rfkill_switches[i]);
+-}
+-
+ /*
+ * Sync the HW-blocking state of all rfkill switches,
+ * do notice it causes the rfkill core to schedule uevents
+@@ -3145,9 +3136,6 @@ static void tpacpi_send_radiosw_update(void)
+ if (wlsw == TPACPI_RFK_RADIO_OFF)
+ tpacpi_rfk_update_hwblock_state(true);
+
+- /* Sync sw blocking state */
+- tpacpi_rfk_update_swstate_all();
+-
+ /* Sync hw blocking state last if it is hw-unblocked */
+ if (wlsw == TPACPI_RFK_RADIO_ON)
+ tpacpi_rfk_update_hwblock_state(false);
+--
+2.33.0
+
--- /dev/null
+From a0f6055a15037b0582f71843928ad2a8a8ff0d4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Oct 2021 13:38:17 +0200
+Subject: s390/setup: avoid using memblock_enforce_memory_limit
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+[ Upstream commit 5dbc4cb4667457b0c53bcd7bff11500b3c362975 ]
+
+There is a difference in how architectures treat "mem=" option. For some
+that is an amount of online memory, for s390 and x86 this is the limiting
+max address. Some memblock api like memblock_enforce_memory_limit()
+take limit argument and explicitly treat it as the size of online memory,
+and use __find_max_addr to convert it to an actual max address. Current
+s390 usage:
+
+memblock_enforce_memory_limit(memblock_end_of_DRAM());
+
+yields different results depending on presence of memory holes (offline
+memory blocks in between online memory). If there are no memory holes
+limit == max_addr in memblock_enforce_memory_limit() and it does trim
+online memory and reserved memory regions. With memory holes present it
+actually does nothing.
+
+Since we already use memblock_remove() explicitly to trim online memory
+regions to potential limit (think mem=, kdump, addressing limits, etc.)
+drop the usage of memblock_enforce_memory_limit() altogether. Trimming
+reserved regions should not be required, since we now use
+memblock_set_current_limit() to limit allocations and any explicit memory
+reservations above the limit is an actual problem we should not hide.
+
+Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/setup.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/arch/s390/kernel/setup.c b/arch/s390/kernel/setup.c
+index e8bfd29bb1f9f..098794fc5dc81 100644
+--- a/arch/s390/kernel/setup.c
++++ b/arch/s390/kernel/setup.c
+@@ -703,9 +703,6 @@ static void __init setup_memory(void)
+ storage_key_init_range(reg->base, reg->base + reg->size);
+ }
+ psw_set_key(PAGE_DEFAULT_KEY);
+-
+- /* Only cosmetics */
+- memblock_enforce_memory_limit(memblock_end_of_DRAM());
+ }
+
+ /*
+--
+2.33.0
+
--- /dev/null
+From 8702e10abcf6eb3a612ad5ce34a8f54c2da2124d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Nov 2021 17:10:47 -0500
+Subject: scsi: iscsi: Unblock session then wake up error handler
+
+From: Mike Christie <michael.christie@oracle.com>
+
+[ Upstream commit a0c2f8b6709a9a4af175497ca65f93804f57b248 ]
+
+We can race where iscsi_session_recovery_timedout() has woken up the error
+handler thread and it's now setting the devices to offline, and
+session_recovery_timedout()'s call to scsi_target_unblock() is also trying
+to set the device's state to transport-offline. We can then get a mix of
+states.
+
+For the case where we can't relogin we want the devices to be in
+transport-offline so when we have repaired the connection
+__iscsi_unblock_session() can set the state back to running.
+
+Set the device state then call into libiscsi to wake up the error handler.
+
+Link: https://lore.kernel.org/r/20211105221048.6541-2-michael.christie@oracle.com
+Reviewed-by: Lee Duncan <lduncan@suse.com>
+Signed-off-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_transport_iscsi.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
+index c06e648a415b5..79581771e6f61 100644
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -1892,12 +1892,12 @@ static void session_recovery_timedout(struct work_struct *work)
+ }
+ spin_unlock_irqrestore(&session->lock, flags);
+
+- if (session->transport->session_recovery_timedout)
+- session->transport->session_recovery_timedout(session);
+-
+ ISCSI_DBG_TRANS_SESSION(session, "Unblocking SCSI target\n");
+ scsi_target_unblock(&session->dev, SDEV_TRANSPORT_OFFLINE);
+ ISCSI_DBG_TRANS_SESSION(session, "Completed unblocking SCSI target\n");
++
++ if (session->transport->session_recovery_timedout)
++ session->transport->session_recovery_timedout(session);
+ }
+
+ static void __iscsi_unblock_session(struct work_struct *work)
+--
+2.33.0
+
shm-extend-forced-shm-destroy-to-support-objects-from-several-ipc-nses.patch
nfsv42-fix-pagecache-invalidation-after-copy-clone.patch
of-clk-make-linux-of_clk.h-self-contained.patch
+gfs2-fix-length-of-holes-reported-at-end-of-file.patch
+atlantic-fix-oob-read-and-write-in-hw_atl_utils_fw_r.patch
+net-return-correct-error-code.patch
+platform-x86-thinkpad_acpi-fix-wwan-device-disabled-.patch
+s390-setup-avoid-using-memblock_enforce_memory_limit.patch
+btrfs-check-integrity-fix-a-warning-on-write-caching.patch
+thermal-core-reset-previous-low-and-high-trip-during.patch
+scsi-iscsi-unblock-session-then-wake-up-error-handle.patch
+ata-ahci-add-green-sardine-vendor-id-as-board_ahci_m.patch
+ethernet-hisilicon-hns-hns_dsaf_misc-fix-a-possible-.patch
+net-tulip-de4x5-fix-the-problem-that-the-array-lp-ph.patch
+net-ethernet-dec-tulip-de4x5-fix-possible-array-over.patch
+perf-hist-fix-memory-leak-of-a-perf_hpp_fmt.patch
--- /dev/null
+From f578e1431119137c65b1c5a3bbcd1108a0b796e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Nov 2021 01:30:40 +0530
+Subject: thermal: core: Reset previous low and high trip during thermal zone
+ init
+
+From: Manaf Meethalavalappu Pallikunhi <manafm@codeaurora.org>
+
+[ Upstream commit 99b63316c39988039965693f5f43d8b4ccb1c86c ]
+
+During the suspend is in process, thermal_zone_device_update bails out
+thermal zone re-evaluation for any sensor trip violation without
+setting next valid trip to that sensor. It assumes during resume
+it will re-evaluate same thermal zone and update trip. But when it is
+in suspend temperature goes down and on resume path while updating
+thermal zone if temperature is less than previously violated trip,
+thermal zone set trip function evaluates the same previous high and
+previous low trip as new high and low trip. Since there is no change
+in high/low trip, it bails out from thermal zone set trip API without
+setting any trip. It leads to a case where sensor high trip or low
+trip is disabled forever even though thermal zone has a valid high
+or low trip.
+
+During thermal zone device init, reset thermal zone previous high
+and low trip. It resolves above mentioned scenario.
+
+Signed-off-by: Manaf Meethalavalappu Pallikunhi <manafm@codeaurora.org>
+Reviewed-by: Thara Gopinath <thara.gopinath@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/thermal_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
+index ae60599c462b9..6c7825c581b5f 100644
+--- a/drivers/thermal/thermal_core.c
++++ b/drivers/thermal/thermal_core.c
+@@ -454,6 +454,8 @@ static void thermal_zone_device_init(struct thermal_zone_device *tz)
+ {
+ struct thermal_instance *pos;
+ tz->temperature = THERMAL_TEMP_INVALID;
++ tz->prev_low_trip = -INT_MAX;
++ tz->prev_high_trip = INT_MAX;
+ list_for_each_entry(pos, &tz->thermal_instances, tz_node)
+ pos->initialized = false;
+ }
+--
+2.33.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
