5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 3 Jan 2022 09:52:43 +0000 (10:52 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 3 Jan 2022 09:52:43 +0000 (10:52 +0100)
added patches:
binder-fix-async_free_space-accounting-for-empty-parcels.patch
drm-amdgpu-add-support-for-ip-discovery-gc_info-table-v2.patch
drm-amdgpu-when-the-vcn-1.0-block-is-suspended-powergating-is-explicitly-enabled.patch
input-appletouch-initialize-work-before-device-registration.patch
input-spaceball-fix-parsing-of-movement-data-packets.patch
net-fix-use-after-free-in-tw_timer_handler.patch
nfc-uapi-use-kernel-size_t-to-fix-user-space-builds.patch
perf-script-fix-cpu-filtering-of-a-script-s-switch-events.patch
scsi-vmw_pvscsi-set-residual-data-length-conditionally.patch
uapi-fix-linux-nfc.h-userspace-compilation-errors.patch
usb-gadget-f_fs-clear-ffs_eventfd-in-ffs_data_clear.patch
usb-mtu3-add-memory-barrier-before-set-gpd-s-hwo.patch
usb-mtu3-fix-list_head-check-warning.patch
usb-mtu3-set-interval-of-fs-intr-and-isoc-endpoint.patch
xhci-fresco-fl1100-controller-should-not-have-broken_msi-quirk-set.patch

16 files changed:
queue-5.10/binder-fix-async_free_space-accounting-for-empty-parcels.patch [new file with mode: 0644]
queue-5.10/drm-amdgpu-add-support-for-ip-discovery-gc_info-table-v2.patch [new file with mode: 0644]
queue-5.10/drm-amdgpu-when-the-vcn-1.0-block-is-suspended-powergating-is-explicitly-enabled.patch [new file with mode: 0644]
queue-5.10/input-appletouch-initialize-work-before-device-registration.patch [new file with mode: 0644]
queue-5.10/input-spaceball-fix-parsing-of-movement-data-packets.patch [new file with mode: 0644]
queue-5.10/net-fix-use-after-free-in-tw_timer_handler.patch [new file with mode: 0644]
queue-5.10/nfc-uapi-use-kernel-size_t-to-fix-user-space-builds.patch [new file with mode: 0644]
queue-5.10/perf-script-fix-cpu-filtering-of-a-script-s-switch-events.patch [new file with mode: 0644]
queue-5.10/scsi-vmw_pvscsi-set-residual-data-length-conditionally.patch [new file with mode: 0644]
queue-5.10/series
queue-5.10/uapi-fix-linux-nfc.h-userspace-compilation-errors.patch [new file with mode: 0644]
queue-5.10/usb-gadget-f_fs-clear-ffs_eventfd-in-ffs_data_clear.patch [new file with mode: 0644]
queue-5.10/usb-mtu3-add-memory-barrier-before-set-gpd-s-hwo.patch [new file with mode: 0644]
queue-5.10/usb-mtu3-fix-list_head-check-warning.patch [new file with mode: 0644]
queue-5.10/usb-mtu3-set-interval-of-fs-intr-and-isoc-endpoint.patch [new file with mode: 0644]
queue-5.10/xhci-fresco-fl1100-controller-should-not-have-broken_msi-quirk-set.patch [new file with mode: 0644]

diff --git a/queue-5.10/binder-fix-async_free_space-accounting-for-empty-parcels.patch b/queue-5.10/binder-fix-async_free_space-accounting-for-empty-parcels.patch
new file mode 100644 (file)
index 0000000..df78bf0
--- /dev/null
@@ -0,0 +1,46 @@
+From cfd0d84ba28c18b531648c9d4a35ecca89ad9901 Mon Sep 17 00:00:00 2001
+From: Todd Kjos <tkjos@google.com>
+Date: Mon, 20 Dec 2021 11:01:50 -0800
+Subject: binder: fix async_free_space accounting for empty parcels
+
+From: Todd Kjos <tkjos@google.com>
+
+commit cfd0d84ba28c18b531648c9d4a35ecca89ad9901 upstream.
+
+In 4.13, commit 74310e06be4d ("android: binder: Move buffer out of area shared with user space")
+fixed a kernel structure visibility issue. As part of that patch,
+sizeof(void *) was used as the buffer size for 0-length data payloads so
+the driver could detect abusive clients sending 0-length asynchronous
+transactions to a server by enforcing limits on async_free_size.
+
+Unfortunately, on the "free" side, the accounting of async_free_space
+did not add the sizeof(void *) back. The result was that up to 8-bytes of
+async_free_space were leaked on every async transaction of 8-bytes or
+less.  These small transactions are uncommon, so this accounting issue
+has gone undetected for several years.
+
+The fix is to use "buffer_size" (the allocated buffer size) instead of
+"size" (the logical buffer size) when updating the async_free_space
+during the free operation. These are the same except for this
+corner case of asynchronous transactions with payloads < 8 bytes.
+
+Fixes: 74310e06be4d ("android: binder: Move buffer out of area shared with user space")
+Signed-off-by: Todd Kjos <tkjos@google.com>
+Cc: stable@vger.kernel.org # 4.14+
+Link: https://lore.kernel.org/r/20211220190150.2107077-1-tkjos@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/android/binder_alloc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -662,7 +662,7 @@ static void binder_free_buf_locked(struc
+       BUG_ON(buffer->user_data > alloc->buffer + alloc->buffer_size);
+       if (buffer->async_transaction) {
+-              alloc->free_async_space += size + sizeof(struct binder_buffer);
++              alloc->free_async_space += buffer_size + sizeof(struct binder_buffer);
+               binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC_ASYNC,
+                            "%d: binder_free_buf size %zd async free %zd\n",
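Review bot: The accounting at the changed line now credits `buffer_size`, but the debug message that follows still carries a `size %zd` field whose arguments lie outside the hunk; if it still passes `size`, the log will not show the amount actually returned to free_async_space for the sub-8-byte case this fix targets. Either pass `buffer_size` there as well or note in a comment that the logged value is the logical payload size, so the two are not mistaken for each other when debugging async quota problems. binder_free_buf_locked begins and ends outside the hunk.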
diff --git a/queue-5.10/drm-amdgpu-add-support-for-ip-discovery-gc_info-table-v2.patch b/queue-5.10/drm-amdgpu-add-support-for-ip-discovery-gc_info-table-v2.patch
new file mode 100644 (file)
index 0000000..1d45e0b
--- /dev/null
@@ -0,0 +1,175 @@
+From 5e713c6afa34c0fd6f113bf7bb1c2847172d7b20 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Wed, 15 Dec 2021 22:13:56 -0500
+Subject: drm/amdgpu: add support for IP discovery gc_info table v2
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 5e713c6afa34c0fd6f113bf7bb1c2847172d7b20 upstream.
+
+Used on gfx9 based systems. Fixes incorrect CU counts reported
+in the kernel log.
+
+Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1833
+Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c |   76 ++++++++++++++++++--------
+ drivers/gpu/drm/amd/include/discovery.h       |   49 ++++++++++++++++
+ 2 files changed, 103 insertions(+), 22 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c
+@@ -372,10 +372,15 @@ int amdgpu_discovery_get_ip_version(stru
+       return -EINVAL;
+ }
++union gc_info {
++      struct gc_info_v1_0 v1;
++      struct gc_info_v2_0 v2;
++};
++
+ int amdgpu_discovery_get_gfx_info(struct amdgpu_device *adev)
+ {
+       struct binary_header *bhdr;
+-      struct gc_info_v1_0 *gc_info;
++      union gc_info *gc_info;
+       if (!adev->mman.discovery_bin) {
+               DRM_ERROR("ip discovery uninitialized\n");
+@@ -383,27 +388,54 @@ int amdgpu_discovery_get_gfx_info(struct
+       }
+       bhdr = (struct binary_header *)adev->mman.discovery_bin;
+-      gc_info = (struct gc_info_v1_0 *)(adev->mman.discovery_bin +
++      gc_info = (union gc_info *)(adev->mman.discovery_bin +
+                       le16_to_cpu(bhdr->table_list[GC].offset));
+-
+-      adev->gfx.config.max_shader_engines = le32_to_cpu(gc_info->gc_num_se);
+-      adev->gfx.config.max_cu_per_sh = 2 * (le32_to_cpu(gc_info->gc_num_wgp0_per_sa) +
+-                                            le32_to_cpu(gc_info->gc_num_wgp1_per_sa));
+-      adev->gfx.config.max_sh_per_se = le32_to_cpu(gc_info->gc_num_sa_per_se);
+-      adev->gfx.config.max_backends_per_se = le32_to_cpu(gc_info->gc_num_rb_per_se);
+-      adev->gfx.config.max_texture_channel_caches = le32_to_cpu(gc_info->gc_num_gl2c);
+-      adev->gfx.config.max_gprs = le32_to_cpu(gc_info->gc_num_gprs);
+-      adev->gfx.config.max_gs_threads = le32_to_cpu(gc_info->gc_num_max_gs_thds);
+-      adev->gfx.config.gs_vgt_table_depth = le32_to_cpu(gc_info->gc_gs_table_depth);
+-      adev->gfx.config.gs_prim_buffer_depth = le32_to_cpu(gc_info->gc_gsprim_buff_depth);
+-      adev->gfx.config.double_offchip_lds_buf = le32_to_cpu(gc_info->gc_double_offchip_lds_buffer);
+-      adev->gfx.cu_info.wave_front_size = le32_to_cpu(gc_info->gc_wave_size);
+-      adev->gfx.cu_info.max_waves_per_simd = le32_to_cpu(gc_info->gc_max_waves_per_simd);
+-      adev->gfx.cu_info.max_scratch_slots_per_cu = le32_to_cpu(gc_info->gc_max_scratch_slots_per_cu);
+-      adev->gfx.cu_info.lds_size = le32_to_cpu(gc_info->gc_lds_size);
+-      adev->gfx.config.num_sc_per_sh = le32_to_cpu(gc_info->gc_num_sc_per_se) /
+-                                       le32_to_cpu(gc_info->gc_num_sa_per_se);
+-      adev->gfx.config.num_packer_per_sc = le32_to_cpu(gc_info->gc_num_packer_per_sc);
+-
++      switch (gc_info->v1.header.version_major) {
++      case 1:
++              adev->gfx.config.max_shader_engines = le32_to_cpu(gc_info->v1.gc_num_se);
++              adev->gfx.config.max_cu_per_sh = 2 * (le32_to_cpu(gc_info->v1.gc_num_wgp0_per_sa) +
++                                                    le32_to_cpu(gc_info->v1.gc_num_wgp1_per_sa));
++              adev->gfx.config.max_sh_per_se = le32_to_cpu(gc_info->v1.gc_num_sa_per_se);
++              adev->gfx.config.max_backends_per_se = le32_to_cpu(gc_info->v1.gc_num_rb_per_se);
++              adev->gfx.config.max_texture_channel_caches = le32_to_cpu(gc_info->v1.gc_num_gl2c);
++              adev->gfx.config.max_gprs = le32_to_cpu(gc_info->v1.gc_num_gprs);
++              adev->gfx.config.max_gs_threads = le32_to_cpu(gc_info->v1.gc_num_max_gs_thds);
++              adev->gfx.config.gs_vgt_table_depth = le32_to_cpu(gc_info->v1.gc_gs_table_depth);
++              adev->gfx.config.gs_prim_buffer_depth = le32_to_cpu(gc_info->v1.gc_gsprim_buff_depth);
++              adev->gfx.config.double_offchip_lds_buf = le32_to_cpu(gc_info->v1.gc_double_offchip_lds_buffer);
++              adev->gfx.cu_info.wave_front_size = le32_to_cpu(gc_info->v1.gc_wave_size);
++              adev->gfx.cu_info.max_waves_per_simd = le32_to_cpu(gc_info->v1.gc_max_waves_per_simd);
++              adev->gfx.cu_info.max_scratch_slots_per_cu = le32_to_cpu(gc_info->v1.gc_max_scratch_slots_per_cu);
++              adev->gfx.cu_info.lds_size = le32_to_cpu(gc_info->v1.gc_lds_size);
++              adev->gfx.config.num_sc_per_sh = le32_to_cpu(gc_info->v1.gc_num_sc_per_se) /
++                      le32_to_cpu(gc_info->v1.gc_num_sa_per_se);
++              adev->gfx.config.num_packer_per_sc = le32_to_cpu(gc_info->v1.gc_num_packer_per_sc);
++              break;
++      case 2:
++              adev->gfx.config.max_shader_engines = le32_to_cpu(gc_info->v2.gc_num_se);
++              adev->gfx.config.max_cu_per_sh = le32_to_cpu(gc_info->v2.gc_num_cu_per_sh);
++              adev->gfx.config.max_sh_per_se = le32_to_cpu(gc_info->v2.gc_num_sh_per_se);
++              adev->gfx.config.max_backends_per_se = le32_to_cpu(gc_info->v2.gc_num_rb_per_se);
++              adev->gfx.config.max_texture_channel_caches = le32_to_cpu(gc_info->v2.gc_num_tccs);
++              adev->gfx.config.max_gprs = le32_to_cpu(gc_info->v2.gc_num_gprs);
++              adev->gfx.config.max_gs_threads = le32_to_cpu(gc_info->v2.gc_num_max_gs_thds);
++              adev->gfx.config.gs_vgt_table_depth = le32_to_cpu(gc_info->v2.gc_gs_table_depth);
++              adev->gfx.config.gs_prim_buffer_depth = le32_to_cpu(gc_info->v2.gc_gsprim_buff_depth);
++              adev->gfx.config.double_offchip_lds_buf = le32_to_cpu(gc_info->v2.gc_double_offchip_lds_buffer);
++              adev->gfx.cu_info.wave_front_size = le32_to_cpu(gc_info->v2.gc_wave_size);
++              adev->gfx.cu_info.max_waves_per_simd = le32_to_cpu(gc_info->v2.gc_max_waves_per_simd);
++              adev->gfx.cu_info.max_scratch_slots_per_cu = le32_to_cpu(gc_info->v2.gc_max_scratch_slots_per_cu);
++              adev->gfx.cu_info.lds_size = le32_to_cpu(gc_info->v2.gc_lds_size);
++              adev->gfx.config.num_sc_per_sh = le32_to_cpu(gc_info->v2.gc_num_sc_per_se) /
++                      le32_to_cpu(gc_info->v2.gc_num_sh_per_se);
++              adev->gfx.config.num_packer_per_sc = le32_to_cpu(gc_info->v2.gc_num_packer_per_sc);
++              break;
++      default:
++              dev_err(adev->dev,
++                      "Unhandled GC info table %d.%d\n",
++                      gc_info->v1.header.version_major,
++                      gc_info->v1.header.version_minor);
++              return -EINVAL;
++      }
+       return 0;
+ }
+--- a/drivers/gpu/drm/amd/include/discovery.h
++++ b/drivers/gpu/drm/amd/include/discovery.h
+@@ -143,6 +143,55 @@ struct gc_info_v1_0 {
+       uint32_t gc_num_gl2a;
+ };
++struct gc_info_v1_1 {
++      struct gpu_info_header header;
++
++      uint32_t gc_num_se;
++      uint32_t gc_num_wgp0_per_sa;
++      uint32_t gc_num_wgp1_per_sa;
++      uint32_t gc_num_rb_per_se;
++      uint32_t gc_num_gl2c;
++      uint32_t gc_num_gprs;
++      uint32_t gc_num_max_gs_thds;
++      uint32_t gc_gs_table_depth;
++      uint32_t gc_gsprim_buff_depth;
++      uint32_t gc_parameter_cache_depth;
++      uint32_t gc_double_offchip_lds_buffer;
++      uint32_t gc_wave_size;
++      uint32_t gc_max_waves_per_simd;
++      uint32_t gc_max_scratch_slots_per_cu;
++      uint32_t gc_lds_size;
++      uint32_t gc_num_sc_per_se;
++      uint32_t gc_num_sa_per_se;
++      uint32_t gc_num_packer_per_sc;
++      uint32_t gc_num_gl2a;
++      uint32_t gc_num_tcp_per_sa;
++      uint32_t gc_num_sdp_interface;
++      uint32_t gc_num_tcps;
++};
++
++struct gc_info_v2_0 {
++      struct gpu_info_header header;
++
++      uint32_t gc_num_se;
++      uint32_t gc_num_cu_per_sh;
++      uint32_t gc_num_sh_per_se;
++      uint32_t gc_num_rb_per_se;
++      uint32_t gc_num_tccs;
++      uint32_t gc_num_gprs;
++      uint32_t gc_num_max_gs_thds;
++      uint32_t gc_gs_table_depth;
++      uint32_t gc_gsprim_buff_depth;
++      uint32_t gc_parameter_cache_depth;
++      uint32_t gc_double_offchip_lds_buffer;
++      uint32_t gc_wave_size;
++      uint32_t gc_max_waves_per_simd;
++      uint32_t gc_max_scratch_slots_per_cu;
++      uint32_t gc_lds_size;
++      uint32_t gc_num_sc_per_se;
++      uint32_t gc_num_packer_per_sc;
++};
++
+ typedef struct harvest_info_header {
+       uint32_t signature; /* Table Signature */
+       uint32_t version;   /* Table Version */
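Review bot: The new `case 2` divides by `le32_to_cpu(gc_info->v2.gc_num_sh_per_se)` when computing num_sc_per_sh, and a zero in a malformed or unexpected discovery table would be a kernel divide fault during probe; the v1 branch has the same exposure via gc_num_sa_per_se, which predates this change. A guard such as `if (!le32_to_cpu(gc_info->v2.gc_num_sh_per_se)) return -EINVAL;` ahead of the division (and the matching one in case 1) would let a bad firmware table fail cleanly instead. The table pointer is also formed from `bhdr->table_list[GC].offset` with no check visible here against the discovery binary's size, though such a check may exist outside the hunk. The new `struct gc_info_v1_1` in discovery.h is not referenced by the switch; since it shares the v1_0 prefix that is harmless, but a one-line comment saying so would answer the obvious question.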
diff --git a/queue-5.10/drm-amdgpu-when-the-vcn-1.0-block-is-suspended-powergating-is-explicitly-enabled.patch b/queue-5.10/drm-amdgpu-when-the-vcn-1.0-block-is-suspended-powergating-is-explicitly-enabled.patch
new file mode 100644 (file)
index 0000000..2c6217d
--- /dev/null
@@ -0,0 +1,65 @@
+From b7865173cf6ae59942e2c69326a06e1c1df5ecf6 Mon Sep 17 00:00:00 2001
+From: chen gong <curry.gong@amd.com>
+Date: Thu, 9 Dec 2021 19:47:10 +0800
+Subject: drm/amdgpu: When the VCN(1.0) block is suspended, powergating is explicitly enabled
+
+From: chen gong <curry.gong@amd.com>
+
+commit b7865173cf6ae59942e2c69326a06e1c1df5ecf6 upstream.
+
+Play a video on the raven (or PCO, raven2) platform, and then do the S3
+test. When resume, the following error will be reported:
+
+amdgpu 0000:02:00.0: [drm:amdgpu_ring_test_helper [amdgpu]] *ERROR* ring
+vcn_dec test failed (-110)
+[drm:amdgpu_device_ip_resume_phase2 [amdgpu]] *ERROR* resume of IP block
+<vcn_v1_0> failed -110
+amdgpu 0000:02:00.0: amdgpu: amdgpu_device_ip_resume failed (-110).
+PM: dpm_run_callback(): pci_pm_resume+0x0/0x90 returns -110
+
+[why]
+When playing the video: The power state flag of the vcn block is set to
+POWER_STATE_ON.
+
+When doing suspend: There is no change to the power state flag of the
+vcn block, it is still POWER_STATE_ON.
+
+When doing resume: Need to open the power gate of the vcn block and set
+the power state flag of the VCN block to POWER_STATE_ON.
+But at this time, the power state flag of the vcn block is already
+POWER_STATE_ON. The power status flag check in the "8f2cdef drm/amd/pm:
+avoid duplicate powergate/ungate setting" patch will return the
+amdgpu_dpm_set_powergating_by_smu function directly.
+As a result, the gate of the power was not opened, causing the
+subsequent ring test to fail.
+
+[how]
+In the suspend function of the vcn block, explicitly change the power
+state flag of the vcn block to POWER_STATE_OFF.
+
+BugLink: https://gitlab.freedesktop.org/drm/amd/-/issues/1828
+Signed-off-by: chen gong <curry.gong@amd.com>
+Reviewed-by: Evan Quan <evan.quan@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/vcn_v1_0.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v1_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v1_0.c
+@@ -254,6 +254,13 @@ static int vcn_v1_0_suspend(void *handle
+ {
+       int r;
+       struct amdgpu_device *adev = (struct amdgpu_device *)handle;
++      bool idle_work_unexecuted;
++
++      idle_work_unexecuted = cancel_delayed_work_sync(&adev->vcn.idle_work);
++      if (idle_work_unexecuted) {
++              if (adev->pm.dpm_enabled)
++                      amdgpu_dpm_enable_uvd(adev, false);
++      }
+       r = vcn_v1_0_hw_fini(adev);
+       if (r)
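Review bot: The new block only powers down when `cancel_delayed_work_sync()` reports the idle work was still pending, and nothing at the `if (idle_work_unexecuted)` line explains why the already-executed case needs no action, while the commit message describes the fix as changing the power state flag to POWER_STATE_OFF rather than calling amdgpu_dpm_enable_uvd(). A comment such as `/* pending idle work would have gated VCN power; do it now. If it already ran, power is already gated. */` would record the intent, assuming that is the reasoning. The temporary could also be folded into the condition, `if (cancel_delayed_work_sync(&adev->vcn.idle_work)) { ... }`, which is the more common kernel form. vcn_v1_0_suspend continues past the hunk.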
diff --git a/queue-5.10/input-appletouch-initialize-work-before-device-registration.patch b/queue-5.10/input-appletouch-initialize-work-before-device-registration.patch
new file mode 100644 (file)
index 0000000..2bda623
--- /dev/null
@@ -0,0 +1,50 @@
+From 9f3ccdc3f6ef10084ceb3a47df0961bec6196fd0 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Thu, 30 Dec 2021 20:57:46 -0800
+Subject: Input: appletouch - initialize work before device registration
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 9f3ccdc3f6ef10084ceb3a47df0961bec6196fd0 upstream.
+
+Syzbot has reported warning in __flush_work(). This warning is caused by
+work->func == NULL, which means missing work initialization.
+
+This may happen, since input_dev->close() calls
+cancel_work_sync(&dev->work), but dev->work initalization happens _after_
+input_register_device() call.
+
+So this patch moves dev->work initialization before registering input
+device
+
+Fixes: 5a6eb676d3bc ("Input: appletouch - improve powersaving for Geyser3 devices")
+Reported-and-tested-by: syzbot+b88c5eae27386b252bbd@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Link: https://lore.kernel.org/r/20211230141151.17300-1-paskripkin@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/mouse/appletouch.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/input/mouse/appletouch.c
++++ b/drivers/input/mouse/appletouch.c
+@@ -916,6 +916,8 @@ static int atp_probe(struct usb_interfac
+       set_bit(BTN_TOOL_TRIPLETAP, input_dev->keybit);
+       set_bit(BTN_LEFT, input_dev->keybit);
++      INIT_WORK(&dev->work, atp_reinit);
++
+       error = input_register_device(dev->input);
+       if (error)
+               goto err_free_buffer;
+@@ -923,8 +925,6 @@ static int atp_probe(struct usb_interfac
+       /* save our data pointer in this interface device */
+       usb_set_intfdata(iface, dev);
+-      INIT_WORK(&dev->work, atp_reinit);
+-
+       return 0;
+  err_free_buffer:
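Review bot: Moving `INIT_WORK` ahead of `input_register_device()` is the fix, but the reason is not visible at the new line, so a comment like `/* input_dev->close() may cancel_work_sync(&dev->work) as soon as the device is registered */` would keep it from being moved back during a later cleanup. On the `err_free_buffer` path the work is now initialized but never queued, so no cancel is needed there; a short note there would pre-empt that question too. atp_probe begins and ends outside both hunks.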
diff --git a/queue-5.10/input-spaceball-fix-parsing-of-movement-data-packets.patch b/queue-5.10/input-spaceball-fix-parsing-of-movement-data-packets.patch
new file mode 100644 (file)
index 0000000..140cde9
--- /dev/null
@@ -0,0 +1,57 @@
+From bc7ec91718c49d938849697cfad98fcd9877cc26 Mon Sep 17 00:00:00 2001
+From: "Leo L. Schwab" <ewhac@ewhac.org>
+Date: Thu, 30 Dec 2021 21:05:00 -0800
+Subject: Input: spaceball - fix parsing of movement data packets
+
+From: Leo L. Schwab <ewhac@ewhac.org>
+
+commit bc7ec91718c49d938849697cfad98fcd9877cc26 upstream.
+
+The spaceball.c module was not properly parsing the movement reports
+coming from the device.  The code read axis data as signed 16-bit
+little-endian values starting at offset 2.
+
+In fact, axis data in Spaceball movement reports are signed 16-bit
+big-endian values starting at offset 3.  This was determined first by
+visually inspecting the data packets, and later verified by consulting:
+http://spacemice.org/pdf/SpaceBall_2003-3003_Protocol.pdf
+
+If this ever worked properly, it was in the time before Git...
+
+Signed-off-by: Leo L. Schwab <ewhac@ewhac.org>
+Link: https://lore.kernel.org/r/20211221101630.1146385-1-ewhac@ewhac.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/joystick/spaceball.c |   11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/input/joystick/spaceball.c
++++ b/drivers/input/joystick/spaceball.c
+@@ -19,6 +19,7 @@
+ #include <linux/module.h>
+ #include <linux/input.h>
+ #include <linux/serio.h>
++#include <asm/unaligned.h>
+ #define DRIVER_DESC   "SpaceTec SpaceBall 2003/3003/4000 FLX driver"
+@@ -75,9 +76,15 @@ static void spaceball_process_packet(str
+               case 'D':                                       /* Ball data */
+                       if (spaceball->idx != 15) return;
+-                      for (i = 0; i < 6; i++)
++                      /*
++                       * Skip first three bytes; read six axes worth of data.
++                       * Axis values are signed 16-bit big-endian.
++                       */
++                      data += 3;
++                      for (i = 0; i < ARRAY_SIZE(spaceball_axes); i++) {
+                               input_report_abs(dev, spaceball_axes[i],
+-                                      (__s16)((data[2 * i + 3] << 8) | data[2 * i + 2]));
++                                      (__s16)get_unaligned_be16(&data[i * 2]));
++                      }
+                       break;
+               case 'K':                                       /* Button data */
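Review bot: `data += 3` mutates the function's `data` pointer inside the 'D' case; the case `break`s immediately, but if `data` is referenced after the switch in code outside the hunk, that use now sees a pointer advanced by three bytes. Reading through a separate local, e.g. `axes = data + 3;` with a pointer of the same type, would avoid the side effect. The packet-length check `if (spaceball->idx != 15) return;` and the loop bound `ARRAY_SIZE(spaceball_axes)` now have to agree (3 header bytes plus 2 per axis); a `BUILD_BUG_ON(3 + 2 * ARRAY_SIZE(spaceball_axes) != 15)` or a comment tying the two together would stop a future change to the axis table from reading past the end of the packet. spaceball_process_packet begins and ends outside the hunk.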
diff --git a/queue-5.10/net-fix-use-after-free-in-tw_timer_handler.patch b/queue-5.10/net-fix-use-after-free-in-tw_timer_handler.patch
new file mode 100644 (file)
index 0000000..1d9e879
--- /dev/null
@@ -0,0 +1,85 @@
+From e22e45fc9e41bf9fcc1e92cfb78eb92786728ef0 Mon Sep 17 00:00:00 2001
+From: Muchun Song <songmuchun@bytedance.com>
+Date: Tue, 28 Dec 2021 18:41:45 +0800
+Subject: net: fix use-after-free in tw_timer_handler
+
+From: Muchun Song <songmuchun@bytedance.com>
+
+commit e22e45fc9e41bf9fcc1e92cfb78eb92786728ef0 upstream.
+
+A real world panic issue was found as follow in Linux 5.4.
+
+    BUG: unable to handle page fault for address: ffffde49a863de28
+    PGD 7e6fe62067 P4D 7e6fe62067 PUD 7e6fe63067 PMD f51e064067 PTE 0
+    RIP: 0010:tw_timer_handler+0x20/0x40
+    Call Trace:
+     <IRQ>
+     call_timer_fn+0x2b/0x120
+     run_timer_softirq+0x1ef/0x450
+     __do_softirq+0x10d/0x2b8
+     irq_exit+0xc7/0xd0
+     smp_apic_timer_interrupt+0x68/0x120
+     apic_timer_interrupt+0xf/0x20
+
+This issue was also reported since 2017 in the thread [1],
+unfortunately, the issue was still can be reproduced after fixing
+DCCP.
+
+The ipv4_mib_exit_net is called before tcp_sk_exit_batch when a net
+namespace is destroyed since tcp_sk_ops is registered befrore
+ipv4_mib_ops, which means tcp_sk_ops is in the front of ipv4_mib_ops
+in the list of pernet_list. There will be a use-after-free on
+net->mib.net_statistics in tw_timer_handler after ipv4_mib_exit_net
+if there are some inflight time-wait timers.
+
+This bug is not introduced by commit f2bf415cfed7 ("mib: add net to
+NET_ADD_STATS_BH") since the net_statistics is a global variable
+instead of dynamic allocation and freeing. Actually, commit
+61a7e26028b9 ("mib: put net statistics on struct net") introduces
+the bug since it put net statistics on struct net and free it when
+net namespace is destroyed.
+
+Moving init_ipv4_mibs() to the front of tcp_init() to fix this bug
+and replace pr_crit() with panic() since continuing is meaningless
+when init_ipv4_mibs() fails.
+
+[1] https://groups.google.com/g/syzkaller/c/p1tn-_Kc6l4/m/smuL_FMAAgAJ?pli=1
+
+Fixes: 61a7e26028b9 ("mib: put net statistics on struct net")
+Signed-off-by: Muchun Song <songmuchun@bytedance.com>
+Cc: Cong Wang <cong.wang@bytedance.com>
+Cc: Fam Zheng <fam.zheng@bytedance.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211228104145.9426-1-songmuchun@bytedance.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/af_inet.c |   10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -2003,6 +2003,10 @@ static int __init inet_init(void)
+       ip_init();
++      /* Initialise per-cpu ipv4 mibs */
++      if (init_ipv4_mibs())
++              panic("%s: Cannot init ipv4 mibs\n", __func__);
++
+       /* Setup TCP slab cache for open requests. */
+       tcp_init();
+@@ -2033,12 +2037,6 @@ static int __init inet_init(void)
+       if (init_inet_pernet_ops())
+               pr_crit("%s: Cannot init ipv4 inet pernet ops\n", __func__);
+-      /*
+-       *      Initialise per-cpu ipv4 mibs
+-       */
+-
+-      if (init_ipv4_mibs())
+-              pr_crit("%s: Cannot init ipv4 mibs\n", __func__);
+       ipv4_proc_init();
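Review bot: The new comment `/* Initialise per-cpu ipv4 mibs */` restates what the call does but not why it must now precede `tcp_init()`, and since the ordering is the whole fix it is the part most likely to be undone by a later reshuffle; something like `/* Must run before tcp_init(): pernet exit runs in reverse registration order, and time-wait timers touch net->mib */` would protect it. The remaining `pr_crit` for init_inet_pernet_ops just above the second hunk still lets boot continue after a failure; whether it deserves the same panic treatment is a separate question the commit leaves open. inet_init begins and ends outside the hunks.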
diff --git a/queue-5.10/nfc-uapi-use-kernel-size_t-to-fix-user-space-builds.patch b/queue-5.10/nfc-uapi-use-kernel-size_t-to-fix-user-space-builds.patch
new file mode 100644 (file)
index 0000000..f8d7961
--- /dev/null
@@ -0,0 +1,39 @@
+From 79b69a83705e621b258ac6d8ae6d3bfdb4b930aa Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Date: Sun, 26 Dec 2021 13:03:47 +0100
+Subject: nfc: uapi: use kernel size_t to fix user-space builds
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+
+commit 79b69a83705e621b258ac6d8ae6d3bfdb4b930aa upstream.
+
+Fix user-space builds if it includes /usr/include/linux/nfc.h before
+some of other headers:
+
+  /usr/include/linux/nfc.h:281:9: error: unknown type name â€˜size_t’
+    281 |         size_t service_name_len;
+        |         ^~~~~~
+
+Fixes: d646960f7986 ("NFC: Initial LLCP support")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/uapi/linux/nfc.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/uapi/linux/nfc.h
++++ b/include/uapi/linux/nfc.h
+@@ -278,7 +278,7 @@ struct sockaddr_nfc_llcp {
+       __u8 dsap; /* Destination SAP, if known */
+       __u8 ssap; /* Source SAP to be bound to */
+       char service_name[NFC_LLCP_MAX_SERVICE_NAME]; /* Service name URI */;
+-      size_t service_name_len;
++      __kernel_size_t service_name_len;
+ };
+ /* NFC socket protocols */
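Review bot: The context line `char service_name[NFC_LLCP_MAX_SERVICE_NAME]; /* Service name URI */;` carries a stray second `;`, an empty declaration inside the struct that pedantic compilers warn about in a UAPI header — pre-existing rather than introduced here, but cheap to drop while the file is being touched. The `__kernel_size_t` change itself is the right fix for an exported header, since user space does not necessarily have `size_t` in scope at that point.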
diff --git a/queue-5.10/perf-script-fix-cpu-filtering-of-a-script-s-switch-events.patch b/queue-5.10/perf-script-fix-cpu-filtering-of-a-script-s-switch-events.patch
new file mode 100644 (file)
index 0000000..9a807a1
--- /dev/null
@@ -0,0 +1,35 @@
+From 5e0c325cdb714409a5b242c9e73a1b61157abb36 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Wed, 15 Dec 2021 10:06:35 +0200
+Subject: perf script: Fix CPU filtering of a script's switch events
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit 5e0c325cdb714409a5b242c9e73a1b61157abb36 upstream.
+
+CPU filtering was not being applied to a script's switch events.
+
+Fixes: 5bf83c29a0ad2e78 ("perf script: Add scripting operation process_switch()")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Riccardo Mancini <rickyman7@gmail.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20211215080636.149562-3-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/builtin-script.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/builtin-script.c
++++ b/tools/perf/builtin-script.c
+@@ -2354,7 +2354,7 @@ static int process_switch_event(struct p
+       if (perf_event__process_switch(tool, event, sample, machine) < 0)
+               return -1;
+-      if (scripting_ops && scripting_ops->process_switch)
++      if (scripting_ops && scripting_ops->process_switch && !filter_cpu(sample))
+               scripting_ops->process_switch(event, sample, machine);
+       if (!script->show_switch_events)
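Review bot: `!filter_cpu(sample)` is appended to an already two-term condition, producing a long single-line test; splitting the condition across lines or hoisting the filter result into a local would read better, especially if the `show_switch_events` path below applies the same filter. `perf_event__process_switch()` above still runs unfiltered, presumably so machine and thread state stay consistent regardless of the CPU filter; a short comment saying so would save the next reader the question. process_switch_event continues past the hunk.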
diff --git a/queue-5.10/scsi-vmw_pvscsi-set-residual-data-length-conditionally.patch b/queue-5.10/scsi-vmw_pvscsi-set-residual-data-length-conditionally.patch
new file mode 100644 (file)
index 0000000..05987ea
--- /dev/null
@@ -0,0 +1,69 @@
+From 142c779d05d1fef75134c3cb63f52ccbc96d9e1f Mon Sep 17 00:00:00 2001
+From: Alexey Makhalov <amakhalov@vmware.com>
+Date: Mon, 20 Dec 2021 11:05:14 -0800
+Subject: scsi: vmw_pvscsi: Set residual data length conditionally
+
+From: Alexey Makhalov <amakhalov@vmware.com>
+
+commit 142c779d05d1fef75134c3cb63f52ccbc96d9e1f upstream.
+
+The PVSCSI implementation in the VMware hypervisor under specific
+configuration ("SCSI Bus Sharing" set to "Physical") returns zero dataLen
+in the completion descriptor for READ CAPACITY(16). As a result, the kernel
+can not detect proper disk geometry. This can be recognized by the kernel
+message:
+
+  [ 0.776588] sd 1:0:0:0: [sdb] Sector size 0 reported, assuming 512.
+
+The PVSCSI implementation in QEMU does not set dataLen at all, keeping it
+zeroed. This leads to a boot hang as was reported by Shmulik Ladkani.
+
+It is likely that the controller returns the garbage at the end of the
+buffer. Residual length should be set by the driver in that case. The SCSI
+layer will erase corresponding data. See commit bdb2b8cab439 ("[SCSI] erase
+invalid data returned by device") for details.
+
+Commit e662502b3a78 ("scsi: vmw_pvscsi: Set correct residual data length")
+introduced the issue by setting residual length unconditionally, causing
+the SCSI layer to erase the useful payload beyond dataLen when this value
+is returned as 0.
+
+As a result, considering existing issues in implementations of PVSCSI
+controllers, we do not want to call scsi_set_resid() when dataLen ==
+0. Calling scsi_set_resid() has no effect if dataLen equals buffer length.
+
+Link: https://lore.kernel.org/lkml/20210824120028.30d9c071@blondie/
+Link: https://lore.kernel.org/r/20211220190514.55935-1-amakhalov@vmware.com
+Fixes: e662502b3a78 ("scsi: vmw_pvscsi: Set correct residual data length")
+Cc: Matt Wang <wwentao@vmware.com>
+Cc: Martin K. Petersen <martin.petersen@oracle.com>
+Cc: Vishal Bhakta <vbhakta@vmware.com>
+Cc: VMware PV-Drivers <pv-drivers@vmware.com>
+Cc: James E.J. Bottomley <jejb@linux.ibm.com>
+Cc: linux-scsi@vger.kernel.org
+Cc: stable@vger.kernel.org
+Reported-and-suggested-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
+Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/vmw_pvscsi.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/vmw_pvscsi.c
++++ b/drivers/scsi/vmw_pvscsi.c
+@@ -591,9 +591,12 @@ static void pvscsi_complete_request(stru
+                        * Commands like INQUIRY may transfer less data than
+                        * requested by the initiator via bufflen. Set residual
+                        * count to make upper layer aware of the actual amount
+-                       * of data returned.
++                       * of data returned. There are cases when controller
++                       * returns zero dataLen with non zero data - do not set
++                       * residual count in that case.
+                        */
+-                      scsi_set_resid(cmd, scsi_bufflen(cmd) - e->dataLen);
++                      if (e->dataLen && (e->dataLen < scsi_bufflen(cmd)))
++                              scsi_set_resid(cmd, scsi_bufflen(cmd) - e->dataLen);
+                       cmd->result = (DID_OK << 16);
+                       break;
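Review bot: The new condition also skips `scsi_set_resid()` when `e->dataLen` exceeds `scsi_bufflen(cmd)`, which previously produced an underflowed residual, yet the updated comment only mentions the zero case; adding `and a dataLen larger than the buffer would underflow the residual` would document the `<` half. The commit message acknowledges that a zero dataLen may leave garbage at the end of the buffer that the SCSI layer will no longer erase; that trade-off belongs in the code comment too, since a reader seeing only the code could be tempted to remove the `e->dataLen &&` guard. pvscsi_complete_request begins and ends outside the hunk.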
index 4cc77cc291b27b7322dcc6b363be70e23cebdfb2..f90c23aa7f86b1df9ee332be4e9ee3fe98c27285 100644 (file)
@@ -30,3 +30,18 @@ selftests-net-udpgso_bench_tx-fix-dst-ip-argument.patch
 net-ncsi-check-for-error-return-from-call-to-nla_put.patch
 fsl-fman-fix-missing-put_device-call-in-fman_port_pr.patch
 i2c-validate-user-data-in-compat-ioctl.patch
+nfc-uapi-use-kernel-size_t-to-fix-user-space-builds.patch
+uapi-fix-linux-nfc.h-userspace-compilation-errors.patch
+drm-amdgpu-when-the-vcn-1.0-block-is-suspended-powergating-is-explicitly-enabled.patch
+drm-amdgpu-add-support-for-ip-discovery-gc_info-table-v2.patch
+xhci-fresco-fl1100-controller-should-not-have-broken_msi-quirk-set.patch
+usb-gadget-f_fs-clear-ffs_eventfd-in-ffs_data_clear.patch
+usb-mtu3-add-memory-barrier-before-set-gpd-s-hwo.patch
+usb-mtu3-fix-list_head-check-warning.patch
+usb-mtu3-set-interval-of-fs-intr-and-isoc-endpoint.patch
+binder-fix-async_free_space-accounting-for-empty-parcels.patch
+scsi-vmw_pvscsi-set-residual-data-length-conditionally.patch
+input-appletouch-initialize-work-before-device-registration.patch
+input-spaceball-fix-parsing-of-movement-data-packets.patch
+net-fix-use-after-free-in-tw_timer_handler.patch
+perf-script-fix-cpu-filtering-of-a-script-s-switch-events.patch
diff --git a/queue-5.10/uapi-fix-linux-nfc.h-userspace-compilation-errors.patch b/queue-5.10/uapi-fix-linux-nfc.h-userspace-compilation-errors.patch
new file mode 100644 (file)
index 0000000..65b4488
--- /dev/null
@@ -0,0 +1,48 @@
+From 7175f02c4e5f5a9430113ab9ca0fd0ce98b28a51 Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin" <ldv@altlinux.org>
+Date: Sun, 26 Dec 2021 16:01:27 +0300
+Subject: uapi: fix linux/nfc.h userspace compilation errors
+
+From: Dmitry V. Levin <ldv@altlinux.org>
+
+commit 7175f02c4e5f5a9430113ab9ca0fd0ce98b28a51 upstream.
+
+Replace sa_family_t with __kernel_sa_family_t to fix the following
+linux/nfc.h userspace compilation errors:
+
+/usr/include/linux/nfc.h:266:2: error: unknown type name 'sa_family_t'
+  sa_family_t sa_family;
+/usr/include/linux/nfc.h:274:2: error: unknown type name 'sa_family_t'
+  sa_family_t sa_family;
+
+Fixes: 23b7869c0fd0 ("NFC: add the NFC socket raw protocol")
+Fixes: d646960f7986 ("NFC: Initial LLCP support")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/uapi/linux/nfc.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/uapi/linux/nfc.h
++++ b/include/uapi/linux/nfc.h
+@@ -263,7 +263,7 @@ enum nfc_sdp_attr {
+ #define NFC_SE_ENABLED  0x1
+ struct sockaddr_nfc {
+-      sa_family_t sa_family;
++      __kernel_sa_family_t sa_family;
+       __u32 dev_idx;
+       __u32 target_idx;
+       __u32 nfc_protocol;
+@@ -271,7 +271,7 @@ struct sockaddr_nfc {
+ #define NFC_LLCP_MAX_SERVICE_NAME 63
+ struct sockaddr_nfc_llcp {
+-      sa_family_t sa_family;
++      __kernel_sa_family_t sa_family;
+       __u32 dev_idx;
+       __u32 target_idx;
+       __u32 nfc_protocol;
diff --git a/queue-5.10/usb-gadget-f_fs-clear-ffs_eventfd-in-ffs_data_clear.patch b/queue-5.10/usb-gadget-f_fs-clear-ffs_eventfd-in-ffs_data_clear.patch
new file mode 100644 (file)
index 0000000..e434f7d
--- /dev/null
@@ -0,0 +1,115 @@
+From b1e0887379422975f237d43d8839b751a6bcf154 Mon Sep 17 00:00:00 2001
+From: Vincent Pelletier <plr.vincent@gmail.com>
+Date: Sat, 18 Dec 2021 02:18:40 +0000
+Subject: usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.
+
+From: Vincent Pelletier <plr.vincent@gmail.com>
+
+commit b1e0887379422975f237d43d8839b751a6bcf154 upstream.
+
+ffs_data_clear is indirectly called from both ffs_fs_kill_sb and
+ffs_ep0_release, so it ends up being called twice when userland closes ep0
+and then unmounts f_fs.
+If userland provided an eventfd along with function's USB descriptors, it
+ends up calling eventfd_ctx_put as many times, causing a refcount
+underflow.
+NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.
+
+Also, set epfiles to NULL right after de-allocating it, for readability.
+
+For completeness, ffs_data_clear actually ends up being called thrice, the
+last call being before the whole ffs structure gets freed, so when this
+specific sequence happens there is a second underflow happening (but not
+being reported):
+
+/sys/kernel/debug/tracing# modprobe usb_f_fs
+/sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter
+/sys/kernel/debug/tracing# echo function > current_tracer
+/sys/kernel/debug/tracing# echo 1 > tracing_on
+(setup gadget, run and kill function userland process, teardown gadget)
+/sys/kernel/debug/tracing# echo 0 > tracing_on
+/sys/kernel/debug/tracing# cat trace
+ smartcard-openp-436     [000] .....  1946.208786: ffs_data_clear <-ffs_data_closed
+ smartcard-openp-431     [000] .....  1946.279147: ffs_data_clear <-ffs_data_closed
+ smartcard-openp-431     [000] .n...  1946.905512: ffs_data_clear <-ffs_data_put
+
+Warning output corresponding to above trace:
+[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c
+[ 1946.293094] refcount_t: underflow; use-after-free.
+[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)
+[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G         C OE     5.15.0-1-rpi #1  Debian 5.15.3-1
+[ 1946.417950] Hardware name: BCM2835
+[ 1946.425442] Backtrace:
+[ 1946.432048] [<c08d60a0>] (dump_backtrace) from [<c08d62ec>] (show_stack+0x20/0x24)
+[ 1946.448226]  r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c
+[ 1946.458412] [<c08d62cc>] (show_stack) from [<c08d9ae0>] (dump_stack+0x28/0x30)
+[ 1946.470380] [<c08d9ab8>] (dump_stack) from [<c0123500>] (__warn+0xe8/0x154)
+[ 1946.482067]  r5:c04a948c r4:c0a71dc8
+[ 1946.490184] [<c0123418>] (__warn) from [<c08d6948>] (warn_slowpath_fmt+0xa0/0xe4)
+[ 1946.506758]  r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04
+[ 1946.517070] [<c08d68ac>] (warn_slowpath_fmt) from [<c04a948c>] (refcount_warn_saturate+0x110/0x15c)
+[ 1946.535309]  r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0
+[ 1946.546708] [<c04a937c>] (refcount_warn_saturate) from [<c0380134>] (eventfd_ctx_put+0x48/0x74)
+[ 1946.564476] [<c03800ec>] (eventfd_ctx_put) from [<bf5464e8>] (ffs_data_clear+0xd0/0x118 [usb_f_fs])
+[ 1946.582664]  r5:c3b84c00 r4:c2695b00
+[ 1946.590668] [<bf546418>] (ffs_data_clear [usb_f_fs]) from [<bf547cc0>] (ffs_data_closed+0x9c/0x150 [usb_f_fs])
+[ 1946.609608]  r5:bf54d014 r4:c2695b00
+[ 1946.617522] [<bf547c24>] (ffs_data_closed [usb_f_fs]) from [<bf547da0>] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])
+[ 1946.636217]  r7:c0dfcb84 r6:c3a12260 r5:bf54d014 r4:c229f000
+[ 1946.646273] [<bf547d74>] (ffs_fs_kill_sb [usb_f_fs]) from [<c0326d50>] (deactivate_locked_super+0x54/0x9c)
+[ 1946.664893]  r5:bf54d014 r4:c229f000
+[ 1946.672921] [<c0326cfc>] (deactivate_locked_super) from [<c0326df8>] (deactivate_super+0x60/0x64)
+[ 1946.690722]  r5:c2a09000 r4:c229f000
+[ 1946.698706] [<c0326d98>] (deactivate_super) from [<c0349a28>] (cleanup_mnt+0xe4/0x14c)
+[ 1946.715553]  r5:c2a09000 r4:00000000
+[ 1946.723528] [<c0349944>] (cleanup_mnt) from [<c0349b08>] (__cleanup_mnt+0x1c/0x20)
+[ 1946.739922]  r7:c0dfcb84 r6:c3a12260 r5:c3a126fc r4:00000000
+[ 1946.750088] [<c0349aec>] (__cleanup_mnt) from [<c0143d10>] (task_work_run+0x84/0xb8)
+[ 1946.766602] [<c0143c8c>] (task_work_run) from [<c010bdc8>] (do_work_pending+0x470/0x56c)
+[ 1946.783540]  r7:5ac3c35a r6:c0d0424c r5:c200bfb0 r4:c200a000
+[ 1946.793614] [<c010b958>] (do_work_pending) from [<c01000c0>] (slow_work_pending+0xc/0x20)
+[ 1946.810553] Exception stack(0xc200bfb0 to 0xc200bff8)
+[ 1946.820129] bfa0:                                     00000000 00000000 000000aa b5e21430
+[ 1946.837104] bfc0: bef867a0 00000001 bef86840 00000034 bef86838 bef86790 bef86794 bef867a0
+[ 1946.854125] bfe0: 00000000 bef86798 b67b7a1c b6d626a4 60000010 b5a23760
+[ 1946.865335]  r10:00000000 r9:c200a000 r8:c0100224 r7:00000034 r6:bef86840 r5:00000001
+[ 1946.881914]  r4:bef867a0
+[ 1946.888793] ---[ end trace 7387f2a9725b28d0 ]---
+
+Fixes: 5e33f6fdf735 ("usb: gadget: ffs: add eventfd notification about ffs events")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
+Link: https://lore.kernel.org/r/f79eeea29f3f98de6782a064ec0f7351ad2f598f.1639793920.git.plr.vincent@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_fs.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -1772,11 +1772,15 @@ static void ffs_data_clear(struct ffs_da
+       BUG_ON(ffs->gadget);
+-      if (ffs->epfiles)
++      if (ffs->epfiles) {
+               ffs_epfiles_destroy(ffs->epfiles, ffs->eps_count);
++              ffs->epfiles = NULL;
++      }
+-      if (ffs->ffs_eventfd)
++      if (ffs->ffs_eventfd) {
+               eventfd_ctx_put(ffs->ffs_eventfd);
++              ffs->ffs_eventfd = NULL;
++      }
+       kfree(ffs->raw_descs_data);
+       kfree(ffs->raw_strings);
+@@ -1789,7 +1793,6 @@ static void ffs_data_reset(struct ffs_da
+       ffs_data_clear(ffs);
+-      ffs->epfiles = NULL;
+       ffs->raw_descs_data = NULL;
+       ffs->raw_descs = NULL;
+       ffs->raw_strings = NULL;
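Review bot: The idempotence the commit gives epfiles and ffs_eventfd is not extended to the two frees that immediately follow, `kfree(ffs->raw_descs_data);` and `kfree(ffs->raw_strings);` — those pointers stay set after ffs_data_clear and are only reset in ffs_data_reset. The commit message states ffs_data_clear runs two or three times for the same ffs; if any of those repeats is not preceded by ffs_data_reset (not visible in the hunk), the second run double-frees raw_descs_data and raw_strings. Since the change already moves `ffs->epfiles = NULL` from ffs_data_reset into ffs_data_clear, the consistent step is to add `ffs->raw_descs_data = NULL;` and `ffs->raw_strings = NULL;` right after the corresponding kfree() in ffs_data_clear as well (kfree(NULL) is a no-op), leaving the assignments in ffs_data_reset as a belt-and-braces reset. Both ffs_data_clear and ffs_data_reset continue outside the hunk.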
diff --git a/queue-5.10/usb-mtu3-add-memory-barrier-before-set-gpd-s-hwo.patch b/queue-5.10/usb-mtu3-add-memory-barrier-before-set-gpd-s-hwo.patch
new file mode 100644 (file)
index 0000000..266288d
--- /dev/null
@@ -0,0 +1,55 @@
+From a7aae769ca626819a7f9f078ebdc69a8a1b00c81 Mon Sep 17 00:00:00 2001
+From: Chunfeng Yun <chunfeng.yun@mediatek.com>
+Date: Sat, 18 Dec 2021 17:57:47 +0800
+Subject: usb: mtu3: add memory barrier before set GPD's HWO
+
+From: Chunfeng Yun <chunfeng.yun@mediatek.com>
+
+commit a7aae769ca626819a7f9f078ebdc69a8a1b00c81 upstream.
+
+There is a seldom issue that the controller access invalid address
+and trigger devapc or emimpu violation. That is due to memory access
+is out of order and cause gpd data is not correct.
+Add mb() to prohibit compiler or cpu from reordering to make sure GPD
+is fully written before setting its HWO.
+
+Fixes: 48e0d3735aa5 ("usb: mtu3: supports new QMU format")
+Cc: stable@vger.kernel.org
+Reported-by: Eddie Hung <eddie.hung@mediatek.com>
+Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
+Link: https://lore.kernel.org/r/20211218095749.6250-2-chunfeng.yun@mediatek.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/mtu3/mtu3_qmu.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/mtu3/mtu3_qmu.c
++++ b/drivers/usb/mtu3/mtu3_qmu.c
+@@ -273,6 +273,8 @@ static int mtu3_prepare_tx_gpd(struct mt
+                       gpd->dw3_info |= cpu_to_le32(GPD_EXT_FLAG_ZLP);
+       }
++      /* prevent reorder, make sure GPD's HWO is set last */
++      mb();
+       gpd->dw0_info |= cpu_to_le32(GPD_FLAGS_IOC | GPD_FLAGS_HWO);
+       mreq->gpd = gpd;
+@@ -306,6 +308,8 @@ static int mtu3_prepare_rx_gpd(struct mt
+       gpd->next_gpd = cpu_to_le32(lower_32_bits(enq_dma));
+       ext_addr |= GPD_EXT_NGP(mtu, upper_32_bits(enq_dma));
+       gpd->dw3_info = cpu_to_le32(ext_addr);
++      /* prevent reorder, make sure GPD's HWO is set last */
++      mb();
+       gpd->dw0_info |= cpu_to_le32(GPD_FLAGS_IOC | GPD_FLAGS_HWO);
+       mreq->gpd = gpd;
+@@ -445,7 +449,8 @@ static void qmu_tx_zlp_error_handler(str
+               return;
+       }
+       mtu3_setbits(mbase, MU3D_EP_TXCR0(mep->epnum), TX_TXPKTRDY);
+-
++      /* prevent reorder, make sure GPD's HWO is set last */
++      mb();
+       /* by pass the current GDP */
+       gpd_current->dw0_info |= cpu_to_le32(GPD_FLAGS_BPS | GPD_FLAGS_HWO);
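Review bot: `mb()` is a full system barrier, while what the three sites (mtu3_prepare_tx_gpd, mtu3_prepare_rx_gpd and qmu_tx_zlp_error_handler) need is to order the CPU's stores into the GPD, which lives in DMA memory, before the store of the HWO bit the controller polls; `dma_wmb()` is the barrier documented for exactly that case and is typically cheaper than `mb()`. If a full barrier is intentional — for example to also order the preceding `mtu3_setbits()` MMIO write in the ZLP handler, or because the GPD ring is not in coherent memory — the comment should say so, e.g. `/* full barrier: order the TXPKTRDY MMIO write as well as the GPD stores before HWO */`. As written the three identical `/* prevent reorder, make sure GPD's HWO is set last */` comments state the intent but not why `mb()` was chosen over `dma_wmb()`, which is what the next reader will ask. All three enclosing functions start outside the hunk.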
diff --git a/queue-5.10/usb-mtu3-fix-list_head-check-warning.patch b/queue-5.10/usb-mtu3-fix-list_head-check-warning.patch
new file mode 100644 (file)
index 0000000..774ca2f
--- /dev/null
@@ -0,0 +1,47 @@
+From 8c313e3bfd9adae8d5c4ba1cc696dcbc86fbf9bf Mon Sep 17 00:00:00 2001
+From: Chunfeng Yun <chunfeng.yun@mediatek.com>
+Date: Sat, 18 Dec 2021 17:57:48 +0800
+Subject: usb: mtu3: fix list_head check warning
+
+From: Chunfeng Yun <chunfeng.yun@mediatek.com>
+
+commit 8c313e3bfd9adae8d5c4ba1cc696dcbc86fbf9bf upstream.
+
+This is caused by uninitialization of list_head.
+
+BUG: KASAN: use-after-free in __list_del_entry_valid+0x34/0xe4
+
+Call trace:
+dump_backtrace+0x0/0x298
+show_stack+0x24/0x34
+dump_stack+0x130/0x1a8
+print_address_description+0x88/0x56c
+__kasan_report+0x1b8/0x2a0
+kasan_report+0x14/0x20
+__asan_load8+0x9c/0xa0
+__list_del_entry_valid+0x34/0xe4
+mtu3_req_complete+0x4c/0x300 [mtu3]
+mtu3_gadget_stop+0x168/0x448 [mtu3]
+usb_gadget_unregister_driver+0x204/0x3a0
+unregister_gadget_item+0x44/0xa4
+
+Fixes: 83374e035b62 ("usb: mtu3: add tracepoints to help debug")
+Cc: stable@vger.kernel.org
+Reported-by: Yuwen Ng <yuwen.ng@mediatek.com>
+Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
+Link: https://lore.kernel.org/r/20211218095749.6250-3-chunfeng.yun@mediatek.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/mtu3/mtu3_gadget.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/mtu3/mtu3_gadget.c
++++ b/drivers/usb/mtu3/mtu3_gadget.c
+@@ -235,6 +235,7 @@ struct usb_request *mtu3_alloc_request(s
+       mreq->request.dma = DMA_ADDR_INVALID;
+       mreq->epnum = mep->epnum;
+       mreq->mep = mep;
++      INIT_LIST_HEAD(&mreq->list);
+       trace_mtu3_alloc_request(mreq);
+       return &mreq->request;
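Review bot: The added `INIT_LIST_HEAD(&mreq->list);` has no comment explaining why a freshly allocated, not-yet-queued request needs a valid list head, although the trace in the message shows the reason: mtu3_gadget_stop completes requests via mtu3_req_complete, which reaches `__list_del_entry_valid` on `mreq->list` even for a request that was never queued. A one-line comment such as `/* may be list_del()'d by mtu3_req_complete() before ever being queued */` would keep a later cleanup from treating the initialization as redundant. Whether mtu3_req_complete uses list_del_init(), which would also make a second completion of the same request safe, is not visible here. mtu3_alloc_request starts outside the hunk.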
diff --git a/queue-5.10/usb-mtu3-set-interval-of-fs-intr-and-isoc-endpoint.patch b/queue-5.10/usb-mtu3-set-interval-of-fs-intr-and-isoc-endpoint.patch
new file mode 100644 (file)
index 0000000..666c602
--- /dev/null
@@ -0,0 +1,36 @@
+From 43f3b8cbcf93da7c2755af4a543280c31f4adf16 Mon Sep 17 00:00:00 2001
+From: Chunfeng Yun <chunfeng.yun@mediatek.com>
+Date: Sat, 18 Dec 2021 17:57:49 +0800
+Subject: usb: mtu3: set interval of FS intr and isoc endpoint
+
+From: Chunfeng Yun <chunfeng.yun@mediatek.com>
+
+commit 43f3b8cbcf93da7c2755af4a543280c31f4adf16 upstream.
+
+Add support to set interval also for FS intr and isoc endpoint.
+
+Fixes: 4d79e042ed8b ("usb: mtu3: add support for usb3.1 IP")
+Cc: stable@vger.kernel.org
+Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
+Link: https://lore.kernel.org/r/20211218095749.6250-4-chunfeng.yun@mediatek.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/mtu3/mtu3_gadget.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/mtu3/mtu3_gadget.c
++++ b/drivers/usb/mtu3/mtu3_gadget.c
+@@ -93,6 +93,13 @@ static int mtu3_ep_enable(struct mtu3_ep
+                       mult = usb_endpoint_maxp_mult(desc) - 1;
+               }
+               break;
++      case USB_SPEED_FULL:
++              if (usb_endpoint_xfer_isoc(desc))
++                      interval = clamp_val(desc->bInterval, 1, 16);
++              else if (usb_endpoint_xfer_int(desc))
++                      interval = clamp_val(desc->bInterval, 1, 255);
++
++              break;
+       default:
+               break; /*others are ignored */
+       }
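Review bot: The two new FS branches clamp `desc->bInterval` to different ranges — 1..16 for isochronous, 1..255 for interrupt — with no comment, and the asymmetry reads like a copy-paste slip unless the reader knows the USB 2.0 bInterval encoding (a power-of-two exponent for full-speed isochronous endpoints, a frame count for full-speed interrupt endpoints). A comment on the case, e.g. `/* FS isoc: bInterval is an exponent (1..16); FS int: bInterval is in frames (1..255) */`, would document this. How `interval` is later written to the endpoint register, and whether the two encodings are distinguished there, is outside the hunk; mtu3_ep_enable continues outside it. The blank `+` line before `break;` has no counterpart in the preceding cases and could be dropped.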
diff --git a/queue-5.10/xhci-fresco-fl1100-controller-should-not-have-broken_msi-quirk-set.patch b/queue-5.10/xhci-fresco-fl1100-controller-should-not-have-broken_msi-quirk-set.patch
new file mode 100644 (file)
index 0000000..0a2b58b
--- /dev/null
@@ -0,0 +1,50 @@
+From e4844092581ceec22489b66c42edc88bc6079783 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Tue, 21 Dec 2021 13:28:25 +0200
+Subject: xhci: Fresco FL1100 controller should not have BROKEN_MSI quirk set.
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit e4844092581ceec22489b66c42edc88bc6079783 upstream.
+
+The Fresco Logic FL1100 controller needs the TRUST_TX_LENGTH quirk like
+other Fresco controllers, but should not have the BROKEN_MSI quirks set.
+
+BROKEN_MSI quirk causes issues in detecting usb drives connected to docks
+with this FL1100 controller.
+The BROKEN_MSI flag was apparently accidentally set together with the
+TRUST_TX_LENGTH quirk
+
+Original patch went to stable so this should go there as well.
+
+Fixes: ea0f69d82119 ("xhci: Enable trust tx length quirk for Fresco FL11 USB controller")
+Cc: stable@vger.kernel.org
+cc: Nikolay Martynov <mar.kolya@gmail.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20211221112825.54690-2-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-pci.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -122,7 +122,6 @@ static void xhci_pci_quirks(struct devic
+       /* Look for vendor-specific quirks */
+       if (pdev->vendor == PCI_VENDOR_ID_FRESCO_LOGIC &&
+                       (pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_PDK ||
+-                       pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_FL1100 ||
+                        pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_FL1400)) {
+               if (pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_PDK &&
+                               pdev->revision == 0x0) {
+@@ -157,6 +156,10 @@ static void xhci_pci_quirks(struct devic
+                       pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_FL1009)
+               xhci->quirks |= XHCI_BROKEN_STREAMS;
++      if (pdev->vendor == PCI_VENDOR_ID_FRESCO_LOGIC &&
++                      pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_FL1100)
++              xhci->quirks |= XHCI_TRUST_TX_LENGTH;
++
+       if (pdev->vendor == PCI_VENDOR_ID_NEC)
+               xhci->quirks |= XHCI_NEC_HOST;