--- /dev/null
+From 2a2f461a68dd322494c2f0249bf01cdd3f7df3fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Aug 2021 19:23:08 +0200
+Subject: ARM: dts: imx53-ppd: Fix ACHC entry
+
+From: Sebastian Reichel <sebastian.reichel@collabora.com>
+
+[ Upstream commit cd7cd5b716d594e27a933c12f026d4f2426d7bf4 ]
+
+PPD has only one ACHC device, which effectively is a Kinetis
+microcontroller. It has one SPI interface used for normal
+communication. Additionally it's possible to flash the device
+firmware using NXP's EzPort protocol by correctly driving a
+second chip select pin and the device reset pin.
+
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Link: https://lore.kernel.org/r/20210802172309.164365-3-sebastian.reichel@collabora.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx53-ppd.dts | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/arch/arm/boot/dts/imx53-ppd.dts b/arch/arm/boot/dts/imx53-ppd.dts
+index f202396e3f2a..f346673d34ea 100644
+--- a/arch/arm/boot/dts/imx53-ppd.dts
++++ b/arch/arm/boot/dts/imx53-ppd.dts
+@@ -70,6 +70,12 @@ cko2_11M: sgtl-clock-cko2 {
+ clock-frequency = <11289600>;
+ };
+
++ achc_24M: achc-clock {
++ compatible = "fixed-clock";
++ #clock-cells = <0>;
++ clock-frequency = <24000000>;
++ };
++
+ sgtlsound: sound {
+ compatible = "fsl,imx53-cpuvo-sgtl5000",
+ "fsl,imx-audio-sgtl5000";
+@@ -287,16 +293,13 @@ &gpio4 11 GPIO_ACTIVE_LOW
+ &gpio4 12 GPIO_ACTIVE_LOW>;
+ status = "okay";
+
+- spidev0: spi@0 {
+- compatible = "ge,achc";
+- reg = <0>;
+- spi-max-frequency = <1000000>;
+- };
+-
+- spidev1: spi@1 {
+- compatible = "ge,achc";
+- reg = <1>;
+- spi-max-frequency = <1000000>;
++ spidev0: spi@1 {
++ compatible = "ge,achc", "nxp,kinetis-k20";
++ reg = <1>, <0>;
++ vdd-supply = <®_3v3>;
++ vdda-supply = <®_3v3>;
++ clocks = <&achc_24M>;
++ reset-gpios = <&gpio3 6 GPIO_ACTIVE_LOW>;
+ };
+
+ gpioxra0: gpio@2 {
+--
+2.30.2
+
--- /dev/null
+From f801425597a9d9007689117ea56bee0164233f77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jul 2021 15:14:53 +0200
+Subject: ARM: dts: qcom: apq8064: correct clock names
+
+From: David Heidelberg <david@ixit.cz>
+
+[ Upstream commit 0dc6c59892ead17a9febd11202c9f6794aac1895 ]
+
+Since new code doesn't take old clk names in account, it does fixes
+error:
+
+msm_dsi 4700000.mdss_dsi: dev_pm_opp_set_clkname: Couldn't find clock: -2
+
+and following kernel oops introduced by
+b0530eb1191 ("drm/msm/dpu: Use OPP API to set clk/perf state").
+
+Also removes warning about deprecated clock names.
+
+Tested against linux-5.10.y LTS on Nexus 7 2013.
+
+Reviewed-by: Brian Masney <masneyb@onstation.org>
+Signed-off-by: David Heidelberg <david@ixit.cz>
+Link: https://lore.kernel.org/r/20210707131453.24041-1-david@ixit.cz
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/qcom-apq8064.dtsi | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/boot/dts/qcom-apq8064.dtsi b/arch/arm/boot/dts/qcom-apq8064.dtsi
+index 4a99c9255104..d0153bbbdbeb 100644
+--- a/arch/arm/boot/dts/qcom-apq8064.dtsi
++++ b/arch/arm/boot/dts/qcom-apq8064.dtsi
+@@ -1296,9 +1296,9 @@ dsi0: mdss_dsi@4700000 {
+ <&mmcc DSI1_BYTE_CLK>,
+ <&mmcc DSI_PIXEL_CLK>,
+ <&mmcc DSI1_ESC_CLK>;
+- clock-names = "iface_clk", "bus_clk", "core_mmss_clk",
+- "src_clk", "byte_clk", "pixel_clk",
+- "core_clk";
++ clock-names = "iface", "bus", "core_mmss",
++ "src", "byte", "pixel",
++ "core";
+
+ assigned-clocks = <&mmcc DSI1_BYTE_SRC>,
+ <&mmcc DSI1_ESC_SRC>,
+--
+2.30.2
+
--- /dev/null
+From 7fade55807864b1a193585403a26385169552246 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jul 2021 16:42:26 +0200
+Subject: ARM: tegra: tamonten: Fix UART pad setting
+
+From: Andreas Obergschwandtner <andreas.obergschwandtner@gmail.com>
+
+[ Upstream commit 2270ad2f4e123336af685ecedd1618701cb4ca1e ]
+
+This patch fixes the tristate and pullup configuration for UART 1 to 3
+on the Tamonten SOM.
+
+Signed-off-by: Andreas Obergschwandtner <andreas.obergschwandtner@gmail.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/tegra20-tamonten.dtsi | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/arch/arm/boot/dts/tegra20-tamonten.dtsi b/arch/arm/boot/dts/tegra20-tamonten.dtsi
+index 20137fc578b1..394a6b4dc69d 100644
+--- a/arch/arm/boot/dts/tegra20-tamonten.dtsi
++++ b/arch/arm/boot/dts/tegra20-tamonten.dtsi
+@@ -185,8 +185,9 @@ conf_ata {
+ nvidia,pins = "ata", "atb", "atc", "atd", "ate",
+ "cdev1", "cdev2", "dap1", "dtb", "gma",
+ "gmb", "gmc", "gmd", "gme", "gpu7",
+- "gpv", "i2cp", "pta", "rm", "slxa",
+- "slxk", "spia", "spib", "uac";
++ "gpv", "i2cp", "irrx", "irtx", "pta",
++ "rm", "slxa", "slxk", "spia", "spib",
++ "uac";
+ nvidia,pull = <TEGRA_PIN_PULL_NONE>;
+ nvidia,tristate = <TEGRA_PIN_DISABLE>;
+ };
+@@ -211,7 +212,7 @@ conf_crtp {
+ conf_ddc {
+ nvidia,pins = "ddc", "dta", "dtd", "kbca",
+ "kbcb", "kbcc", "kbcd", "kbce", "kbcf",
+- "sdc";
++ "sdc", "uad", "uca";
+ nvidia,pull = <TEGRA_PIN_PULL_UP>;
+ nvidia,tristate = <TEGRA_PIN_DISABLE>;
+ };
+@@ -221,10 +222,9 @@ conf_hdint {
+ "lvp0", "owc", "sdb";
+ nvidia,tristate = <TEGRA_PIN_ENABLE>;
+ };
+- conf_irrx {
+- nvidia,pins = "irrx", "irtx", "sdd", "spic",
+- "spie", "spih", "uaa", "uab", "uad",
+- "uca", "ucb";
++ conf_sdd {
++ nvidia,pins = "sdd", "spic", "spie", "spih",
++ "uaa", "uab", "ucb";
+ nvidia,pull = <TEGRA_PIN_PULL_UP>;
+ nvidia,tristate = <TEGRA_PIN_ENABLE>;
+ };
+--
+2.30.2
+
--- /dev/null
+From cd7e48ad1ae49ffe092e8ee85401c3f629e57204 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Mar 2021 11:38:25 +0530
+Subject: arm64: dts: qcom: sdm660: use reg value for memory node
+
+From: Vinod Koul <vkoul@kernel.org>
+
+[ Upstream commit c81210e38966cfa1c784364e4035081c3227cf5b ]
+
+memory node like other node should be node@reg, which is missing in this
+case, so fix it up
+
+arch/arm64/boot/dts/qcom/ipq8074-hk01.dt.yaml: /: memory: False schema does not allow {'device_type': ['memory'], 'reg': [[0, 1073741824, 0, 536870912]]}
+
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Link: https://lore.kernel.org/r/20210308060826.3074234-18-vkoul@kernel.org
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/ipq8074-hk01.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/ipq8074-hk01.dts b/arch/arm64/boot/dts/qcom/ipq8074-hk01.dts
+index c13ddee8262b..58acf21d8d33 100644
+--- a/arch/arm64/boot/dts/qcom/ipq8074-hk01.dts
++++ b/arch/arm64/boot/dts/qcom/ipq8074-hk01.dts
+@@ -28,7 +28,7 @@ chosen {
+ stdout-path = "serial0";
+ };
+
+- memory {
++ memory@40000000 {
+ device_type = "memory";
+ reg = <0x0 0x40000000 0x0 0x20000000>;
+ };
+--
+2.30.2
+
--- /dev/null
+From 6f688dd0be2c6f91e9e38b2a71d408fb5e909a54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Aug 2021 16:24:56 +0200
+Subject: ASoC: Intel: bytcr_rt5640: Move "Platform Clock" routes to the maps
+ for the matching in-/output
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit dccd1dfd0770bfd494b68d1135b4547b2c602c42 ]
+
+Move the "Platform Clock" routes for the "Internal Mic" and "Speaker"
+routes to the intmic_*_map[] / *_spk_map[] arrays.
+
+This ensures that these "Platform Clock" routes do not get added when the
+BYT_RT5640_NO_INTERNAL_MIC_MAP / BYT_RT5640_NO_SPEAKERS quirks are used.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20210802142501.991985-2-hdegoede@redhat.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/boards/bytcr_rt5640.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c
+index 186c0ee059da..c4d19b88d17d 100644
+--- a/sound/soc/intel/boards/bytcr_rt5640.c
++++ b/sound/soc/intel/boards/bytcr_rt5640.c
+@@ -293,9 +293,6 @@ static const struct snd_soc_dapm_widget byt_rt5640_widgets[] = {
+ static const struct snd_soc_dapm_route byt_rt5640_audio_map[] = {
+ {"Headphone", NULL, "Platform Clock"},
+ {"Headset Mic", NULL, "Platform Clock"},
+- {"Internal Mic", NULL, "Platform Clock"},
+- {"Speaker", NULL, "Platform Clock"},
+-
+ {"Headset Mic", NULL, "MICBIAS1"},
+ {"IN2P", NULL, "Headset Mic"},
+ {"Headphone", NULL, "HPOL"},
+@@ -303,19 +300,23 @@ static const struct snd_soc_dapm_route byt_rt5640_audio_map[] = {
+ };
+
+ static const struct snd_soc_dapm_route byt_rt5640_intmic_dmic1_map[] = {
++ {"Internal Mic", NULL, "Platform Clock"},
+ {"DMIC1", NULL, "Internal Mic"},
+ };
+
+ static const struct snd_soc_dapm_route byt_rt5640_intmic_dmic2_map[] = {
++ {"Internal Mic", NULL, "Platform Clock"},
+ {"DMIC2", NULL, "Internal Mic"},
+ };
+
+ static const struct snd_soc_dapm_route byt_rt5640_intmic_in1_map[] = {
++ {"Internal Mic", NULL, "Platform Clock"},
+ {"Internal Mic", NULL, "MICBIAS1"},
+ {"IN1P", NULL, "Internal Mic"},
+ };
+
+ static const struct snd_soc_dapm_route byt_rt5640_intmic_in3_map[] = {
++ {"Internal Mic", NULL, "Platform Clock"},
+ {"Internal Mic", NULL, "MICBIAS1"},
+ {"IN3P", NULL, "Internal Mic"},
+ };
+@@ -357,6 +358,7 @@ static const struct snd_soc_dapm_route byt_rt5640_ssp0_aif2_map[] = {
+ };
+
+ static const struct snd_soc_dapm_route byt_rt5640_stereo_spk_map[] = {
++ {"Speaker", NULL, "Platform Clock"},
+ {"Speaker", NULL, "SPOLP"},
+ {"Speaker", NULL, "SPOLN"},
+ {"Speaker", NULL, "SPORP"},
+@@ -364,6 +366,7 @@ static const struct snd_soc_dapm_route byt_rt5640_stereo_spk_map[] = {
+ };
+
+ static const struct snd_soc_dapm_route byt_rt5640_mono_spk_map[] = {
++ {"Speaker", NULL, "Platform Clock"},
+ {"Speaker", NULL, "SPOLP"},
+ {"Speaker", NULL, "SPOLN"},
+ };
+--
+2.30.2
+
--- /dev/null
+From 3b46f29b7d43b140e31c359772bd44ca840c38c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Aug 2021 12:01:50 +0800
+Subject: ASoC: rockchip: i2s: Fix regmap_ops hang
+
+From: Sugar Zhang <sugar.zhang@rock-chips.com>
+
+[ Upstream commit 53ca9b9777b95cdd689181d7c547e38dc79adad0 ]
+
+API 'set_fmt' maybe called when PD is off, in the situation,
+any register access will hang the system. so, enable PD
+before r/w register.
+
+Signed-off-by: Sugar Zhang <sugar.zhang@rock-chips.com>
+Link: https://lore.kernel.org/r/1629950520-14190-4-git-send-email-sugar.zhang@rock-chips.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/rockchip/rockchip_i2s.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/sound/soc/rockchip/rockchip_i2s.c b/sound/soc/rockchip/rockchip_i2s.c
+index b86f76c3598c..cab381c9dea1 100644
+--- a/sound/soc/rockchip/rockchip_i2s.c
++++ b/sound/soc/rockchip/rockchip_i2s.c
+@@ -189,7 +189,9 @@ static int rockchip_i2s_set_fmt(struct snd_soc_dai *cpu_dai,
+ {
+ struct rk_i2s_dev *i2s = to_info(cpu_dai);
+ unsigned int mask = 0, val = 0;
++ int ret = 0;
+
++ pm_runtime_get_sync(cpu_dai->dev);
+ mask = I2S_CKR_MSS_MASK;
+ switch (fmt & SND_SOC_DAIFMT_MASTER_MASK) {
+ case SND_SOC_DAIFMT_CBS_CFS:
+@@ -202,7 +204,8 @@ static int rockchip_i2s_set_fmt(struct snd_soc_dai *cpu_dai,
+ i2s->is_master_mode = false;
+ break;
+ default:
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err_pm_put;
+ }
+
+ regmap_update_bits(i2s->regmap, I2S_CKR, mask, val);
+@@ -216,7 +219,8 @@ static int rockchip_i2s_set_fmt(struct snd_soc_dai *cpu_dai,
+ val = I2S_CKR_CKP_POS;
+ break;
+ default:
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err_pm_put;
+ }
+
+ regmap_update_bits(i2s->regmap, I2S_CKR, mask, val);
+@@ -239,7 +243,8 @@ static int rockchip_i2s_set_fmt(struct snd_soc_dai *cpu_dai,
+ val = I2S_TXCR_TFS_PCM | I2S_TXCR_PBM_MODE(1);
+ break;
+ default:
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err_pm_put;
+ }
+
+ regmap_update_bits(i2s->regmap, I2S_TXCR, mask, val);
+@@ -262,12 +267,16 @@ static int rockchip_i2s_set_fmt(struct snd_soc_dai *cpu_dai,
+ val = I2S_RXCR_TFS_PCM | I2S_RXCR_PBM_MODE(1);
+ break;
+ default:
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err_pm_put;
+ }
+
+ regmap_update_bits(i2s->regmap, I2S_RXCR, mask, val);
+
+- return 0;
++err_pm_put:
++ pm_runtime_put(cpu_dai->dev);
++
++ return ret;
+ }
+
+ static int rockchip_i2s_hw_params(struct snd_pcm_substream *substream,
+--
+2.30.2
+
--- /dev/null
+From ae218e4c15890c04a16000e8eda8d717b0ec3969 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Aug 2021 12:02:36 +0800
+Subject: ASoC: rockchip: i2s: Fixup config for DAIFMT_DSP_A/B
+
+From: Xiaotan Luo <lxt@rock-chips.com>
+
+[ Upstream commit 1bf56843e664eef2525bdbfae6a561e98910f676 ]
+
+- DSP_A: PCM delay 1 bit mode, L data MSB after FRM LRC
+- DSP_B: PCM no delay mode, L data MSB during FRM LRC
+
+Signed-off-by: Xiaotan Luo <lxt@rock-chips.com>
+Signed-off-by: Sugar Zhang <sugar.zhang@rock-chips.com>
+Link: https://lore.kernel.org/r/1629950562-14281-3-git-send-email-sugar.zhang@rock-chips.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/rockchip/rockchip_i2s.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/sound/soc/rockchip/rockchip_i2s.c b/sound/soc/rockchip/rockchip_i2s.c
+index cab381c9dea1..c6d11a59310f 100644
+--- a/sound/soc/rockchip/rockchip_i2s.c
++++ b/sound/soc/rockchip/rockchip_i2s.c
+@@ -236,12 +236,12 @@ static int rockchip_i2s_set_fmt(struct snd_soc_dai *cpu_dai,
+ case SND_SOC_DAIFMT_I2S:
+ val = I2S_TXCR_IBM_NORMAL;
+ break;
+- case SND_SOC_DAIFMT_DSP_A: /* PCM no delay mode */
+- val = I2S_TXCR_TFS_PCM;
+- break;
+- case SND_SOC_DAIFMT_DSP_B: /* PCM delay 1 mode */
++ case SND_SOC_DAIFMT_DSP_A: /* PCM delay 1 bit mode */
+ val = I2S_TXCR_TFS_PCM | I2S_TXCR_PBM_MODE(1);
+ break;
++ case SND_SOC_DAIFMT_DSP_B: /* PCM no delay mode */
++ val = I2S_TXCR_TFS_PCM;
++ break;
+ default:
+ ret = -EINVAL;
+ goto err_pm_put;
+@@ -260,12 +260,12 @@ static int rockchip_i2s_set_fmt(struct snd_soc_dai *cpu_dai,
+ case SND_SOC_DAIFMT_I2S:
+ val = I2S_RXCR_IBM_NORMAL;
+ break;
+- case SND_SOC_DAIFMT_DSP_A: /* PCM no delay mode */
+- val = I2S_RXCR_TFS_PCM;
+- break;
+- case SND_SOC_DAIFMT_DSP_B: /* PCM delay 1 mode */
++ case SND_SOC_DAIFMT_DSP_A: /* PCM delay 1 bit mode */
+ val = I2S_RXCR_TFS_PCM | I2S_RXCR_PBM_MODE(1);
+ break;
++ case SND_SOC_DAIFMT_DSP_B: /* PCM no delay mode */
++ val = I2S_RXCR_TFS_PCM;
++ break;
+ default:
+ ret = -EINVAL;
+ goto err_pm_put;
+--
+2.30.2
+
--- /dev/null
+From 2212947627037f51009e9fb743eb0a00098e1663 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jul 2021 15:51:30 +0300
+Subject: ata: sata_dwc_460ex: No need to call phy_exit() befre phy_init()
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 3ad4a31620355358316fa08fcfab37b9d6c33347 ]
+
+Last change to device managed APIs cleaned up error path to simple phy_exit()
+call, which in some cases has been executed with NULL parameter. This per se
+is not a problem, but rather logical misconception: no need to free resource
+when it's for sure has not been allocated yet. Fix the driver accordingly.
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20210727125130.19977-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/sata_dwc_460ex.c | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/ata/sata_dwc_460ex.c b/drivers/ata/sata_dwc_460ex.c
+index 6f142aa54f5f..8487048c5ec9 100644
+--- a/drivers/ata/sata_dwc_460ex.c
++++ b/drivers/ata/sata_dwc_460ex.c
+@@ -1253,24 +1253,20 @@ static int sata_dwc_probe(struct platform_device *ofdev)
+ irq = irq_of_parse_and_map(np, 0);
+ if (irq == NO_IRQ) {
+ dev_err(&ofdev->dev, "no SATA DMA irq\n");
+- err = -ENODEV;
+- goto error_out;
++ return -ENODEV;
+ }
+
+ #ifdef CONFIG_SATA_DWC_OLD_DMA
+ if (!of_find_property(np, "dmas", NULL)) {
+ err = sata_dwc_dma_init_old(ofdev, hsdev);
+ if (err)
+- goto error_out;
++ return err;
+ }
+ #endif
+
+ hsdev->phy = devm_phy_optional_get(hsdev->dev, "sata-phy");
+- if (IS_ERR(hsdev->phy)) {
+- err = PTR_ERR(hsdev->phy);
+- hsdev->phy = NULL;
+- goto error_out;
+- }
++ if (IS_ERR(hsdev->phy))
++ return PTR_ERR(hsdev->phy);
+
+ err = phy_init(hsdev->phy);
+ if (err)
+--
+2.30.2
+
--- /dev/null
+From d37a3aeb7ef025c1a53b6b5659ec654d3b38673b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Jun 2021 09:29:14 -0400
+Subject: ath9k: fix OOB read ar9300_eeprom_restore_internal
+
+From: Zekun Shen <bruceshenzk@gmail.com>
+
+[ Upstream commit 23151b9ae79e3bc4f6a0c4cd3a7f355f68dad128 ]
+
+Bad header can have large length field which can cause OOB.
+cptr is the last bytes for read, and the eeprom is parsed
+from high to low address. The OOB, triggered by the condition
+length > cptr could cause memory error with a read on
+negative index.
+
+There are some sanity check around length, but it is not
+compared with cptr (the remaining bytes). Here, the
+corrupted/bad EEPROM can cause panic.
+
+I was able to reproduce the crash, but I cannot find the
+log and the reproducer now. After I applied the patch, the
+bug is no longer reproducible.
+
+Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/YM3xKsQJ0Hw2hjrc@Zekuns-MBP-16.fios-router.home
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/ar9003_eeprom.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
+index 983e1abbd9e4..4d45d5a8ad2e 100644
+--- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
++++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
+@@ -3351,7 +3351,8 @@ static int ar9300_eeprom_restore_internal(struct ath_hw *ah,
+ "Found block at %x: code=%d ref=%d length=%d major=%d minor=%d\n",
+ cptr, code, reference, length, major, minor);
+ if ((!AR_SREV_9485(ah) && length >= 1024) ||
+- (AR_SREV_9485(ah) && length > EEPROM_DATA_LEN_9485)) {
++ (AR_SREV_9485(ah) && length > EEPROM_DATA_LEN_9485) ||
++ (length > cptr)) {
+ ath_dbg(common, EEPROM, "Skipping bad header\n");
+ cptr -= COMP_HDR_LEN;
+ continue;
+--
+2.30.2
+
--- /dev/null
+From 02c88416ab353d096b73fefbcb27d60023b92142 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 12:05:16 +0800
+Subject: ath9k: fix sleeping in atomic context
+
+From: Miaoqing Pan <miaoqing@codeaurora.org>
+
+[ Upstream commit 7c48662b9d56666219f526a71ace8c15e6e12f1f ]
+
+The problem is that gpio_free() can sleep and the cfg_soc() can be
+called with spinlocks held. One problematic call tree is:
+
+--> ath_reset_internal() takes &sc->sc_pcu_lock spin lock
+ --> ath9k_hw_reset()
+ --> ath9k_hw_gpio_request_in()
+ --> ath9k_hw_gpio_request()
+ --> ath9k_hw_gpio_cfg_soc()
+
+Remove gpio_free(), use error message instead, so we should make sure
+there is no GPIO conflict.
+
+Also remove ath9k_hw_gpio_free() from ath9k_hw_apply_gpio_override(),
+as gpio_mask will never be set for SOC chips.
+
+Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1628481916-15030-1-git-send-email-miaoqing@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/hw.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/hw.c b/drivers/net/wireless/ath/ath9k/hw.c
+index 9f438d8e59f2..daad9e7b17cf 100644
+--- a/drivers/net/wireless/ath/ath9k/hw.c
++++ b/drivers/net/wireless/ath/ath9k/hw.c
+@@ -1622,7 +1622,6 @@ static void ath9k_hw_apply_gpio_override(struct ath_hw *ah)
+ ath9k_hw_gpio_request_out(ah, i, NULL,
+ AR_GPIO_OUTPUT_MUX_AS_OUTPUT);
+ ath9k_hw_set_gpio(ah, i, !!(ah->gpio_val & BIT(i)));
+- ath9k_hw_gpio_free(ah, i);
+ }
+ }
+
+@@ -2729,14 +2728,17 @@ static void ath9k_hw_gpio_cfg_output_mux(struct ath_hw *ah, u32 gpio, u32 type)
+ static void ath9k_hw_gpio_cfg_soc(struct ath_hw *ah, u32 gpio, bool out,
+ const char *label)
+ {
++ int err;
++
+ if (ah->caps.gpio_requested & BIT(gpio))
+ return;
+
+- /* may be requested by BSP, free anyway */
+- gpio_free(gpio);
+-
+- if (gpio_request_one(gpio, out ? GPIOF_OUT_INIT_LOW : GPIOF_IN, label))
++ err = gpio_request_one(gpio, out ? GPIOF_OUT_INIT_LOW : GPIOF_IN, label);
++ if (err) {
++ ath_err(ath9k_hw_common(ah), "request GPIO%d failed:%d\n",
++ gpio, err);
+ return;
++ }
+
+ ah->caps.gpio_requested |= BIT(gpio);
+ }
+--
+2.30.2
+
--- /dev/null
+From 54aa44596bf8d4bddc0735efdd1040096db28564 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 12:14:06 +0800
+Subject: Bluetooth: avoid circular locks in sco_sock_connect
+
+From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+
+[ Upstream commit 734bc5ff783115aa3164f4e9dd5967ae78e0a8ab ]
+
+In a future patch, calls to bh_lock_sock in sco.c should be replaced
+by lock_sock now that none of the functions are run in IRQ context.
+
+However, doing so results in a circular locking dependency:
+
+======================================================
+WARNING: possible circular locking dependency detected
+5.14.0-rc4-syzkaller #0 Not tainted
+------------------------------------------------------
+syz-executor.2/14867 is trying to acquire lock:
+ffff88803e3c1120 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at:
+lock_sock include/net/sock.h:1613 [inline]
+ffff88803e3c1120 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at:
+sco_conn_del+0x12a/0x2a0 net/bluetooth/sco.c:191
+
+but task is already holding lock:
+ffffffff8d2dc7c8 (hci_cb_list_lock){+.+.}-{3:3}, at:
+hci_disconn_cfm include/net/bluetooth/hci_core.h:1497 [inline]
+ffffffff8d2dc7c8 (hci_cb_list_lock){+.+.}-{3:3}, at:
+hci_conn_hash_flush+0xda/0x260 net/bluetooth/hci_conn.c:1608
+
+which lock already depends on the new lock.
+
+the existing dependency chain (in reverse order) is:
+
+-> #2 (hci_cb_list_lock){+.+.}-{3:3}:
+ __mutex_lock_common kernel/locking/mutex.c:959 [inline]
+ __mutex_lock+0x12a/0x10a0 kernel/locking/mutex.c:1104
+ hci_connect_cfm include/net/bluetooth/hci_core.h:1482 [inline]
+ hci_remote_features_evt net/bluetooth/hci_event.c:3263 [inline]
+ hci_event_packet+0x2f4d/0x7c50 net/bluetooth/hci_event.c:6240
+ hci_rx_work+0x4f8/0xd30 net/bluetooth/hci_core.c:5122
+ process_one_work+0x98d/0x1630 kernel/workqueue.c:2276
+ worker_thread+0x658/0x11f0 kernel/workqueue.c:2422
+ kthread+0x3e5/0x4d0 kernel/kthread.c:319
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
+
+-> #1 (&hdev->lock){+.+.}-{3:3}:
+ __mutex_lock_common kernel/locking/mutex.c:959 [inline]
+ __mutex_lock+0x12a/0x10a0 kernel/locking/mutex.c:1104
+ sco_connect net/bluetooth/sco.c:245 [inline]
+ sco_sock_connect+0x227/0xa10 net/bluetooth/sco.c:601
+ __sys_connect_file+0x155/0x1a0 net/socket.c:1879
+ __sys_connect+0x161/0x190 net/socket.c:1896
+ __do_sys_connect net/socket.c:1906 [inline]
+ __se_sys_connect net/socket.c:1903 [inline]
+ __x64_sys_connect+0x6f/0xb0 net/socket.c:1903
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+-> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
+ check_prev_add kernel/locking/lockdep.c:3051 [inline]
+ check_prevs_add kernel/locking/lockdep.c:3174 [inline]
+ validate_chain kernel/locking/lockdep.c:3789 [inline]
+ __lock_acquire+0x2a07/0x54a0 kernel/locking/lockdep.c:5015
+ lock_acquire kernel/locking/lockdep.c:5625 [inline]
+ lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5590
+ lock_sock_nested+0xca/0x120 net/core/sock.c:3170
+ lock_sock include/net/sock.h:1613 [inline]
+ sco_conn_del+0x12a/0x2a0 net/bluetooth/sco.c:191
+ sco_disconn_cfm+0x71/0xb0 net/bluetooth/sco.c:1202
+ hci_disconn_cfm include/net/bluetooth/hci_core.h:1500 [inline]
+ hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1608
+ hci_dev_do_close+0x528/0x1130 net/bluetooth/hci_core.c:1778
+ hci_unregister_dev+0x1c0/0x5a0 net/bluetooth/hci_core.c:4015
+ vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:340
+ __fput+0x288/0x920 fs/file_table.c:280
+ task_work_run+0xdd/0x1a0 kernel/task_work.c:164
+ exit_task_work include/linux/task_work.h:32 [inline]
+ do_exit+0xbd4/0x2a60 kernel/exit.c:825
+ do_group_exit+0x125/0x310 kernel/exit.c:922
+ get_signal+0x47f/0x2160 kernel/signal.c:2808
+ arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:865
+ handle_signal_work kernel/entry/common.c:148 [inline]
+ exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
+ exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:209
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
+ syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302
+ ret_from_fork+0x15/0x30 arch/x86/entry/entry_64.S:288
+
+other info that might help us debug this:
+
+Chain exists of:
+ sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> &hdev->lock --> hci_cb_list_lock
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(hci_cb_list_lock);
+ lock(&hdev->lock);
+ lock(hci_cb_list_lock);
+ lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
+
+ *** DEADLOCK ***
+
+The issue is that the lock hierarchy should go from &hdev->lock -->
+hci_cb_list_lock --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO. For example,
+one such call trace is:
+
+ hci_dev_do_close():
+ hci_dev_lock();
+ hci_conn_hash_flush():
+ hci_disconn_cfm():
+ mutex_lock(&hci_cb_list_lock);
+ sco_disconn_cfm():
+ sco_conn_del():
+ lock_sock(sk);
+
+However, in sco_sock_connect, we call lock_sock before calling
+hci_dev_lock inside sco_connect, thus inverting the lock hierarchy.
+
+We fix this by pulling the call to hci_dev_lock out from sco_connect.
+
+Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/sco.c | 39 ++++++++++++++++-----------------------
+ 1 file changed, 16 insertions(+), 23 deletions(-)
+
+diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
+index 3b3d3ef52ac2..007a01b08dbe 100644
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -234,44 +234,32 @@ static int sco_chan_add(struct sco_conn *conn, struct sock *sk,
+ return err;
+ }
+
+-static int sco_connect(struct sock *sk)
++static int sco_connect(struct hci_dev *hdev, struct sock *sk)
+ {
+ struct sco_conn *conn;
+ struct hci_conn *hcon;
+- struct hci_dev *hdev;
+ int err, type;
+
+ BT_DBG("%pMR -> %pMR", &sco_pi(sk)->src, &sco_pi(sk)->dst);
+
+- hdev = hci_get_route(&sco_pi(sk)->dst, &sco_pi(sk)->src, BDADDR_BREDR);
+- if (!hdev)
+- return -EHOSTUNREACH;
+-
+- hci_dev_lock(hdev);
+-
+ if (lmp_esco_capable(hdev) && !disable_esco)
+ type = ESCO_LINK;
+ else
+ type = SCO_LINK;
+
+ if (sco_pi(sk)->setting == BT_VOICE_TRANSPARENT &&
+- (!lmp_transp_capable(hdev) || !lmp_esco_capable(hdev))) {
+- err = -EOPNOTSUPP;
+- goto done;
+- }
++ (!lmp_transp_capable(hdev) || !lmp_esco_capable(hdev)))
++ return -EOPNOTSUPP;
+
+ hcon = hci_connect_sco(hdev, type, &sco_pi(sk)->dst,
+ sco_pi(sk)->setting);
+- if (IS_ERR(hcon)) {
+- err = PTR_ERR(hcon);
+- goto done;
+- }
++ if (IS_ERR(hcon))
++ return PTR_ERR(hcon);
+
+ conn = sco_conn_add(hcon);
+ if (!conn) {
+ hci_conn_drop(hcon);
+- err = -ENOMEM;
+- goto done;
++ return -ENOMEM;
+ }
+
+ /* Update source addr of the socket */
+@@ -279,7 +267,7 @@ static int sco_connect(struct sock *sk)
+
+ err = sco_chan_add(conn, sk, NULL);
+ if (err)
+- goto done;
++ return err;
+
+ if (hcon->state == BT_CONNECTED) {
+ sco_sock_clear_timer(sk);
+@@ -289,9 +277,6 @@ static int sco_connect(struct sock *sk)
+ sco_sock_set_timer(sk, sk->sk_sndtimeo);
+ }
+
+-done:
+- hci_dev_unlock(hdev);
+- hci_dev_put(hdev);
+ return err;
+ }
+
+@@ -573,6 +558,7 @@ static int sco_sock_connect(struct socket *sock, struct sockaddr *addr, int alen
+ {
+ struct sockaddr_sco *sa = (struct sockaddr_sco *) addr;
+ struct sock *sk = sock->sk;
++ struct hci_dev *hdev;
+ int err;
+
+ BT_DBG("sk %p", sk);
+@@ -587,12 +573,19 @@ static int sco_sock_connect(struct socket *sock, struct sockaddr *addr, int alen
+ if (sk->sk_type != SOCK_SEQPACKET)
+ return -EINVAL;
+
++ hdev = hci_get_route(&sa->sco_bdaddr, &sco_pi(sk)->src, BDADDR_BREDR);
++ if (!hdev)
++ return -EHOSTUNREACH;
++ hci_dev_lock(hdev);
++
+ lock_sock(sk);
+
+ /* Set destination address and psm */
+ bacpy(&sco_pi(sk)->dst, &sa->sco_bdaddr);
+
+- err = sco_connect(sk);
++ err = sco_connect(hdev, sk);
++ hci_dev_unlock(hdev);
++ hci_dev_put(hdev);
+ if (err)
+ goto done;
+
+--
+2.30.2
+
--- /dev/null
+From 2d5b2285f4f8cef4d26dfe275103cbc33ab5c88c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Aug 2021 16:20:15 -0700
+Subject: Bluetooth: Fix handling of LE Enhanced Connection Complete
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit cafae4cd625502f65d1798659c1aa9b62d38cc56 ]
+
+LE Enhanced Connection Complete contains the Local RPA used in the
+connection which must be used when set otherwise there could problems
+when pairing since the address used by the remote stack could be the
+Local RPA:
+
+BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 4, Part E
+page 2396
+
+ 'Resolvable Private Address being used by the local device for this
+ connection. This is only valid when the Own_Address_Type (from the
+ HCI_LE_Create_Connection, HCI_LE_Set_Advertising_Parameters,
+ HCI_LE_Set_Extended_Advertising_Parameters, or
+ HCI_LE_Extended_Create_Connection commands) is set to 0x02 or
+ 0x03, and the Controller generated a resolvable private address for the
+ local device using a non-zero local IRK. For other Own_Address_Type
+ values, the Controller shall return all zeros.'
+
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 93 ++++++++++++++++++++++++++-------------
+ 1 file changed, 62 insertions(+), 31 deletions(-)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 714a45355610..937cada5595e 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -4801,9 +4801,64 @@ static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
+ }
+ #endif
+
++static void le_conn_update_addr(struct hci_conn *conn, bdaddr_t *bdaddr,
++ u8 bdaddr_type, bdaddr_t *local_rpa)
++{
++ if (conn->out) {
++ conn->dst_type = bdaddr_type;
++ conn->resp_addr_type = bdaddr_type;
++ bacpy(&conn->resp_addr, bdaddr);
++
++ /* Check if the controller has set a Local RPA then it must be
++ * used instead or hdev->rpa.
++ */
++ if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
++ conn->init_addr_type = ADDR_LE_DEV_RANDOM;
++ bacpy(&conn->init_addr, local_rpa);
++ } else if (hci_dev_test_flag(conn->hdev, HCI_PRIVACY)) {
++ conn->init_addr_type = ADDR_LE_DEV_RANDOM;
++ bacpy(&conn->init_addr, &conn->hdev->rpa);
++ } else {
++ hci_copy_identity_address(conn->hdev, &conn->init_addr,
++ &conn->init_addr_type);
++ }
++ } else {
++ conn->resp_addr_type = conn->hdev->adv_addr_type;
++ /* Check if the controller has set a Local RPA then it must be
++ * used instead or hdev->rpa.
++ */
++ if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
++ conn->resp_addr_type = ADDR_LE_DEV_RANDOM;
++ bacpy(&conn->resp_addr, local_rpa);
++ } else if (conn->hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
++ /* In case of ext adv, resp_addr will be updated in
++ * Adv Terminated event.
++ */
++ if (!ext_adv_capable(conn->hdev))
++ bacpy(&conn->resp_addr,
++ &conn->hdev->random_addr);
++ } else {
++ bacpy(&conn->resp_addr, &conn->hdev->bdaddr);
++ }
++
++ conn->init_addr_type = bdaddr_type;
++ bacpy(&conn->init_addr, bdaddr);
++
++ /* For incoming connections, set the default minimum
++ * and maximum connection interval. They will be used
++ * to check if the parameters are in range and if not
++ * trigger the connection update procedure.
++ */
++ conn->le_conn_min_interval = conn->hdev->le_conn_min_interval;
++ conn->le_conn_max_interval = conn->hdev->le_conn_max_interval;
++ }
++}
++
+ static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
+- bdaddr_t *bdaddr, u8 bdaddr_type, u8 role, u16 handle,
+- u16 interval, u16 latency, u16 supervision_timeout)
++ bdaddr_t *bdaddr, u8 bdaddr_type,
++ bdaddr_t *local_rpa, u8 role, u16 handle,
++ u16 interval, u16 latency,
++ u16 supervision_timeout)
+ {
+ struct hci_conn_params *params;
+ struct hci_conn *conn;
+@@ -4851,32 +4906,7 @@ static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
+ cancel_delayed_work(&conn->le_conn_timeout);
+ }
+
+- if (!conn->out) {
+- /* Set the responder (our side) address type based on
+- * the advertising address type.
+- */
+- conn->resp_addr_type = hdev->adv_addr_type;
+- if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
+- /* In case of ext adv, resp_addr will be updated in
+- * Adv Terminated event.
+- */
+- if (!ext_adv_capable(hdev))
+- bacpy(&conn->resp_addr, &hdev->random_addr);
+- } else {
+- bacpy(&conn->resp_addr, &hdev->bdaddr);
+- }
+-
+- conn->init_addr_type = bdaddr_type;
+- bacpy(&conn->init_addr, bdaddr);
+-
+- /* For incoming connections, set the default minimum
+- * and maximum connection interval. They will be used
+- * to check if the parameters are in range and if not
+- * trigger the connection update procedure.
+- */
+- conn->le_conn_min_interval = hdev->le_conn_min_interval;
+- conn->le_conn_max_interval = hdev->le_conn_max_interval;
+- }
++ le_conn_update_addr(conn, bdaddr, bdaddr_type, local_rpa);
+
+ /* Lookup the identity address from the stored connection
+ * address and address type.
+@@ -4974,7 +5004,7 @@ static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
+ BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
+
+ le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
+- ev->role, le16_to_cpu(ev->handle),
++ NULL, ev->role, le16_to_cpu(ev->handle),
+ le16_to_cpu(ev->interval),
+ le16_to_cpu(ev->latency),
+ le16_to_cpu(ev->supervision_timeout));
+@@ -4988,7 +5018,7 @@ static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev,
+ BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
+
+ le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
+- ev->role, le16_to_cpu(ev->handle),
++ &ev->local_rpa, ev->role, le16_to_cpu(ev->handle),
+ le16_to_cpu(ev->interval),
+ le16_to_cpu(ev->latency),
+ le16_to_cpu(ev->supervision_timeout));
+@@ -5019,7 +5049,8 @@ static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, struct sk_buff *skb)
+ if (conn) {
+ struct adv_info *adv_instance;
+
+- if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM)
++ if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM ||
++ bacmp(&conn->resp_addr, BDADDR_ANY))
+ return;
+
+ if (!hdev->cur_adv_instance) {
+--
+2.30.2
+
--- /dev/null
+From 4ea99258895128cb5082c4ae7f358967c9f2bc78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 12:14:05 +0800
+Subject: Bluetooth: schedule SCO timeouts with delayed_work
+
+From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+
+[ Upstream commit ba316be1b6a00db7126ed9a39f9bee434a508043 ]
+
+struct sock.sk_timer should be used as a sock cleanup timer. However,
+SCO uses it to implement sock timeouts.
+
+This causes issues because struct sock.sk_timer's callback is run in
+an IRQ context, and the timer callback function sco_sock_timeout takes
+a spin lock on the socket. However, other functions such as
+sco_conn_del and sco_conn_ready take the spin lock with interrupts
+enabled.
+
+This inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} lock usage could
+lead to deadlocks as reported by Syzbot [1]:
+ CPU0
+ ----
+ lock(slock-AF_BLUETOOTH-BTPROTO_SCO);
+ <Interrupt>
+ lock(slock-AF_BLUETOOTH-BTPROTO_SCO);
+
+To fix this, we use delayed work to implement SCO sock timouts
+instead. This allows us to avoid taking the spin lock on the socket in
+an IRQ context, and corrects the misuse of struct sock.sk_timer.
+
+As a note, cancel_delayed_work is used instead of
+cancel_delayed_work_sync in sco_sock_set_timer and
+sco_sock_clear_timer to avoid a deadlock. In the future, the call to
+bh_lock_sock inside sco_sock_timeout should be changed to lock_sock to
+synchronize with other functions using lock_sock. However, since
+sco_sock_set_timer and sco_sock_clear_timer are sometimes called under
+the locked socket (in sco_connect and __sco_sock_close),
+cancel_delayed_work_sync might cause them to sleep until an
+sco_sock_timeout that has started finishes running. But
+sco_sock_timeout would also sleep until it can grab the lock_sock.
+
+Using cancel_delayed_work is fine because sco_sock_timeout does not
+change from run to run, hence there is no functional difference
+between:
+1. waiting for a timeout to finish running before scheduling another
+timeout
+2. scheduling another timeout while a timeout is running.
+
+Link: https://syzkaller.appspot.com/bug?id=9089d89de0502e120f234ca0fc8a703f7368b31e [1]
+Reported-by: syzbot+2f6d7c28bb4bf7e82060@syzkaller.appspotmail.com
+Tested-by: syzbot+2f6d7c28bb4bf7e82060@syzkaller.appspotmail.com
+Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/sco.c | 35 +++++++++++++++++++++++++++++------
+ 1 file changed, 29 insertions(+), 6 deletions(-)
+
+diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
+index 2fbea653540b..3b3d3ef52ac2 100644
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -48,6 +48,8 @@ struct sco_conn {
+ spinlock_t lock;
+ struct sock *sk;
+
++ struct delayed_work timeout_work;
++
+ unsigned int mtu;
+ };
+
+@@ -73,9 +75,20 @@ struct sco_pinfo {
+ #define SCO_CONN_TIMEOUT (HZ * 40)
+ #define SCO_DISCONN_TIMEOUT (HZ * 2)
+
+-static void sco_sock_timeout(struct timer_list *t)
++static void sco_sock_timeout(struct work_struct *work)
+ {
+- struct sock *sk = from_timer(sk, t, sk_timer);
++ struct sco_conn *conn = container_of(work, struct sco_conn,
++ timeout_work.work);
++ struct sock *sk;
++
++ sco_conn_lock(conn);
++ sk = conn->sk;
++ if (sk)
++ sock_hold(sk);
++ sco_conn_unlock(conn);
++
++ if (!sk)
++ return;
+
+ BT_DBG("sock %p state %d", sk, sk->sk_state);
+
+@@ -89,14 +102,21 @@ static void sco_sock_timeout(struct timer_list *t)
+
+ static void sco_sock_set_timer(struct sock *sk, long timeout)
+ {
++ if (!sco_pi(sk)->conn)
++ return;
++
+ BT_DBG("sock %p state %d timeout %ld", sk, sk->sk_state, timeout);
+- sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
++ cancel_delayed_work(&sco_pi(sk)->conn->timeout_work);
++ schedule_delayed_work(&sco_pi(sk)->conn->timeout_work, timeout);
+ }
+
+ static void sco_sock_clear_timer(struct sock *sk)
+ {
++ if (!sco_pi(sk)->conn)
++ return;
++
+ BT_DBG("sock %p state %d", sk, sk->sk_state);
+- sk_stop_timer(sk, &sk->sk_timer);
++ cancel_delayed_work(&sco_pi(sk)->conn->timeout_work);
+ }
+
+ /* ---- SCO connections ---- */
+@@ -176,6 +196,9 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
+ sco_chan_del(sk, err);
+ bh_unlock_sock(sk);
+ sock_put(sk);
++
++ /* Ensure no more work items will run before freeing conn. */
++ cancel_delayed_work_sync(&conn->timeout_work);
+ }
+
+ hcon->sco_data = NULL;
+@@ -190,6 +213,8 @@ static void __sco_chan_add(struct sco_conn *conn, struct sock *sk,
+ sco_pi(sk)->conn = conn;
+ conn->sk = sk;
+
++ INIT_DELAYED_WORK(&conn->timeout_work, sco_sock_timeout);
++
+ if (parent)
+ bt_accept_enqueue(parent, sk, true);
+ }
+@@ -484,8 +509,6 @@ static struct sock *sco_sock_alloc(struct net *net, struct socket *sock,
+
+ sco_pi(sk)->setting = BT_VOICE_CVSD_16BIT;
+
+- timer_setup(&sk->sk_timer, sco_sock_timeout, 0);
+-
+ bt_sock_link(&sco_sk_list, sk);
+ return sk;
+ }
+--
+2.30.2
+
--- /dev/null
+From 4bc179fd8b0b1b04de7359879c1002fc5e2c63b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Jul 2021 15:51:04 +0800
+Subject: Bluetooth: skip invalid hci_sync_conn_complete_evt
+
+From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+
+[ Upstream commit 92fe24a7db751b80925214ede43f8d2be792ea7b ]
+
+Syzbot reported a corrupted list in kobject_add_internal [1]. This
+happens when multiple HCI_EV_SYNC_CONN_COMPLETE event packets with
+status 0 are sent for the same HCI connection. This causes us to
+register the device more than once which corrupts the kset list.
+
+As this is forbidden behavior, we add a check for whether we're
+trying to process the same HCI_EV_SYNC_CONN_COMPLETE event multiple
+times for one connection. If that's the case, the event is invalid, so
+we report an error that the device is misbehaving, and ignore the
+packet.
+
+Link: https://syzkaller.appspot.com/bug?extid=66264bf2fd0476be7e6c [1]
+Reported-by: syzbot+66264bf2fd0476be7e6c@syzkaller.appspotmail.com
+Tested-by: syzbot+66264bf2fd0476be7e6c@syzkaller.appspotmail.com
+Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 45cc864cf2b3..714a45355610 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -4083,6 +4083,21 @@ static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
+
+ switch (ev->status) {
+ case 0x00:
++ /* The synchronous connection complete event should only be
++ * sent once per new connection. Receiving a successful
++ * complete event when the connection status is already
++ * BT_CONNECTED means that the device is misbehaving and sent
++ * multiple complete event packets for the same new connection.
++ *
++ * Registering the device more than once can corrupt kernel
++ * memory, hence upon detecting this invalid event, we report
++ * an error and ignore the packet.
++ */
++ if (conn->state == BT_CONNECTED) {
++ bt_dev_err(hdev, "Ignoring connect complete event for existing connection");
++ goto unlock;
++ }
++
+ conn->handle = __le16_to_cpu(ev->handle);
+ conn->state = BT_CONNECTED;
+ conn->type = ev->link_type;
+--
+2.30.2
+
--- /dev/null
+From f0279c4180cd24b082b0e5ba1380cbc2dd55411b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Jul 2021 10:19:11 +0800
+Subject: bonding: 3ad: fix the concurrency between __bond_release_one() and
+ bond_3ad_state_machine_handler()
+
+From: Yufeng Mo <moyufeng@huawei.com>
+
+[ Upstream commit 220ade77452c15ecb1ab94c3f8aaeb6d033c3582 ]
+
+Some time ago, I reported a calltrace issue
+"did not find a suitable aggregator", please see[1].
+After a period of analysis and reproduction, I find
+that this problem is caused by concurrency.
+
+Before the problem occurs, the bond structure is like follows:
+
+bond0 - slaver0(eth0) - agg0.lag_ports -> port0 - port1
+ \
+ port0
+ \
+ slaver1(eth1) - agg1.lag_ports -> NULL
+ \
+ port1
+
+If we run 'ifenslave bond0 -d eth1', the process is like below:
+
+excuting __bond_release_one()
+|
+bond_upper_dev_unlink()[step1]
+| | |
+| | bond_3ad_lacpdu_recv()
+| | ->bond_3ad_rx_indication()
+| | spin_lock_bh()
+| | ->ad_rx_machine()
+| | ->__record_pdu()[step2]
+| | spin_unlock_bh()
+| | |
+| bond_3ad_state_machine_handler()
+| spin_lock_bh()
+| ->ad_port_selection_logic()
+| ->try to find free aggregator[step3]
+| ->try to find suitable aggregator[step4]
+| ->did not find a suitable aggregator[step5]
+| spin_unlock_bh()
+| |
+| |
+bond_3ad_unbind_slave() |
+spin_lock_bh()
+spin_unlock_bh()
+
+step1: already removed slaver1(eth1) from list, but port1 remains
+step2: receive a lacpdu and update port0
+step3: port0 will be removed from agg0.lag_ports. The struct is
+ "agg0.lag_ports -> port1" now, and agg0 is not free. At the
+ same time, slaver1/agg1 has been removed from the list by step1.
+ So we can't find a free aggregator now.
+step4: can't find suitable aggregator because of step2
+step5: cause a calltrace since port->aggregator is NULL
+
+To solve this concurrency problem, put bond_upper_dev_unlink()
+after bond_3ad_unbind_slave(). In this way, we can invalid the port
+first and skip this port in bond_3ad_state_machine_handler(). This
+eliminates the situation that the slaver has been removed from the
+list but the port is still valid.
+
+[1]https://lore.kernel.org/netdev/10374.1611947473@famine/
+
+Signed-off-by: Yufeng Mo <moyufeng@huawei.com>
+Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index c814b266af79..d6c5f41b17f7 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1912,7 +1912,6 @@ static int __bond_release_one(struct net_device *bond_dev,
+ /* recompute stats just before removing the slave */
+ bond_get_stats(bond->dev, &bond->bond_stats);
+
+- bond_upper_dev_unlink(bond, slave);
+ /* unregister rx_handler early so bond_handle_frame wouldn't be called
+ * for this slave anymore.
+ */
+@@ -1921,6 +1920,8 @@ static int __bond_release_one(struct net_device *bond_dev,
+ if (BOND_MODE(bond) == BOND_MODE_8023AD)
+ bond_3ad_unbind_slave(slave);
+
++ bond_upper_dev_unlink(bond, slave);
++
+ if (bond_mode_can_use_xmit_hash(bond))
+ bond_update_slave_arr(bond, slave);
+
+--
+2.30.2
+
--- /dev/null
+From bc0fccc371e8e360c158d0a4704fce6c3c17f7b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Jul 2021 18:47:41 +0200
+Subject: bpf: Fix off-by-one in tail call count limiting
+
+From: Johan Almbladh <johan.almbladh@anyfinetworks.com>
+
+[ Upstream commit b61a28cf11d61f512172e673b8f8c4a6c789b425 ]
+
+Before, the interpreter allowed up to MAX_TAIL_CALL_CNT + 1 tail calls.
+Now precisely MAX_TAIL_CALL_CNT is allowed, which is in line with the
+behavior of the x86 JITs.
+
+Signed-off-by: Johan Almbladh <johan.almbladh@anyfinetworks.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/bpf/20210728164741.350370-1-johan.almbladh@anyfinetworks.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index 341402bc1202..5a417309cc2d 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -1200,7 +1200,7 @@ static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn, u64 *stack)
+
+ if (unlikely(index >= array->map.max_entries))
+ goto out;
+- if (unlikely(tail_call_cnt > MAX_TAIL_CALL_CNT))
++ if (unlikely(tail_call_cnt >= MAX_TAIL_CALL_CNT))
+ goto out;
+
+ tail_call_cnt++;
+--
+2.30.2
+
--- /dev/null
+From 13ec889013a6b7a98f59fc532f3d4d9081894b8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jul 2021 12:38:22 +0200
+Subject: bpf/tests: Do not PASS tests without actually testing the result
+
+From: Johan Almbladh <johan.almbladh@anyfinetworks.com>
+
+[ Upstream commit 2b7e9f25e590726cca76700ebdb10e92a7a72ca1 ]
+
+Each test case can have a set of sub-tests, where each sub-test can
+run the cBPF/eBPF test snippet with its own data_size and expected
+result. Before, the end of the sub-test array was indicated by both
+data_size and result being zero. However, most or all of the internal
+eBPF tests has a data_size of zero already. When such a test also had
+an expected value of zero, the test was never run but reported as
+PASS anyway.
+
+Now the test runner always runs the first sub-test, regardless of the
+data_size and result values. The sub-test array zero-termination only
+applies for any additional sub-tests.
+
+There are other ways fix it of course, but this solution at least
+removes the surprise of eBPF tests with a zero result always succeeding.
+
+Signed-off-by: Johan Almbladh <johan.almbladh@anyfinetworks.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20210721103822.3755111-1-johan.almbladh@anyfinetworks.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/test_bpf.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/lib/test_bpf.c b/lib/test_bpf.c
+index 98074a3bc161..49d79079e8b3 100644
+--- a/lib/test_bpf.c
++++ b/lib/test_bpf.c
+@@ -6687,7 +6687,14 @@ static int run_one(const struct bpf_prog *fp, struct bpf_test *test)
+ u64 duration;
+ u32 ret;
+
+- if (test->test[i].data_size == 0 &&
++ /*
++ * NOTE: Several sub-tests may be present, in which case
++ * a zero {data_size, result} tuple indicates the end of
++ * the sub-test array. The first test is always run,
++ * even if both data_size and result happen to be zero.
++ */
++ if (i > 0 &&
++ test->test[i].data_size == 0 &&
+ test->test[i].result == 0)
+ break;
+
+--
+2.30.2
+
--- /dev/null
+From d210077a7f759ac1a799c4663f313056b17b58c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jul 2021 12:40:58 +0200
+Subject: bpf/tests: Fix copy-and-paste error in double word test
+
+From: Johan Almbladh <johan.almbladh@anyfinetworks.com>
+
+[ Upstream commit ae7f47041d928b1a2f28717d095b4153c63cbf6a ]
+
+This test now operates on DW as stated instead of W, which was
+already covered by another test.
+
+Signed-off-by: Johan Almbladh <johan.almbladh@anyfinetworks.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20210721104058.3755254-1-johan.almbladh@anyfinetworks.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/test_bpf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/test_bpf.c b/lib/test_bpf.c
+index 08d3d59dca17..98074a3bc161 100644
+--- a/lib/test_bpf.c
++++ b/lib/test_bpf.c
+@@ -4293,8 +4293,8 @@ static struct bpf_test tests[] = {
+ .u.insns_int = {
+ BPF_LD_IMM64(R0, 0),
+ BPF_LD_IMM64(R1, 0xffffffffffffffffLL),
+- BPF_STX_MEM(BPF_W, R10, R1, -40),
+- BPF_LDX_MEM(BPF_W, R0, R10, -40),
++ BPF_STX_MEM(BPF_DW, R10, R1, -40),
++ BPF_LDX_MEM(BPF_DW, R0, R10, -40),
+ BPF_EXIT_INSN(),
+ },
+ INTERNAL,
+--
+2.30.2
+
--- /dev/null
+From 99c623e9bc043f3ff44d7f76e961c70d9a00d64b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Aug 2021 22:55:10 +0800
+Subject: cifs: fix wrong release in sess_alloc_buffer() failed path
+
+From: Ding Hui <dinghui@sangfor.com.cn>
+
+[ Upstream commit d72c74197b70bc3c95152f351a568007bffa3e11 ]
+
+smb_buf is allocated by small_smb_init_no_tc(), and buf type is
+CIFS_SMALL_BUFFER, so we should use cifs_small_buf_release() to
+release it in failed path.
+
+Signed-off-by: Ding Hui <dinghui@sangfor.com.cn>
+Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/sess.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
+index aa23c00367ec..0113dba28eb0 100644
+--- a/fs/cifs/sess.c
++++ b/fs/cifs/sess.c
+@@ -602,7 +602,7 @@ sess_alloc_buffer(struct sess_data *sess_data, int wct)
+ return 0;
+
+ out_free_smb_buf:
+- kfree(smb_buf);
++ cifs_small_buf_release(smb_buf);
+ sess_data->iov[0].iov_base = NULL;
+ sess_data->iov[0].iov_len = 0;
+ sess_data->buf0_type = CIFS_NO_BUFFER;
+--
+2.30.2
+
--- /dev/null
+From 491e0988ccacdf3b96647440884505c5adfc5970 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Jul 2021 14:56:38 -0400
+Subject: crypto: mxs-dcp - Use sg_mapping_iter to copy data
+
+From: Sean Anderson <sean.anderson@seco.com>
+
+[ Upstream commit 2e6d793e1bf07fe5e20cfbbdcec9e1af7e5097eb ]
+
+This uses the sg_pcopy_from_buffer to copy data, instead of doing it
+ourselves.
+
+In addition to reducing code size, this fixes the following oops
+resulting from failing to kmap the page:
+
+[ 68.896381] Unable to handle kernel NULL pointer dereference at virtual address 00000ab8
+[ 68.904539] pgd = 3561adb3
+[ 68.907475] [00000ab8] *pgd=00000000
+[ 68.911153] Internal error: Oops: 805 [#1] ARM
+[ 68.915618] Modules linked in: cfg80211 rfkill des_generic libdes arc4 libarc4 cbc ecb algif_skcipher sha256_generic libsha256 sha1_generic hmac aes_generic libaes cmac sha512_generic md5 md4 algif_hash af_alg i2c_imx i2c_core ci_hdrc_imx ci_hdrc mxs_dcp ulpi roles udc_core imx_sdma usbmisc_imx usb_common firmware_class virt_dma phy_mxs_usb nf_tables nfnetlink ip_tables x_tables ipv6 autofs4
+[ 68.950741] CPU: 0 PID: 139 Comm: mxs_dcp_chan/ae Not tainted 5.10.34 #296
+[ 68.958501] Hardware name: Freescale i.MX6 Ultralite (Device Tree)
+[ 68.964710] PC is at memcpy+0xa8/0x330
+[ 68.968479] LR is at 0xd7b2bc9d
+[ 68.971638] pc : [<c053e7c8>] lr : [<d7b2bc9d>] psr: 000f0013
+[ 68.977920] sp : c2cbbee4 ip : 00000010 fp : 00000010
+[ 68.983159] r10: 00000000 r9 : c3283a40 r8 : 1a5a6f08
+[ 68.988402] r7 : 4bfe0ecc r6 : 76d8a220 r5 : c32f9050 r4 : 00000001
+[ 68.994945] r3 : 00000ab8 r2 : fffffff0 r1 : c32f9050 r0 : 00000ab8
+[ 69.001492] Flags: nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
+[ 69.008646] Control: 10c53c7d Table: 83664059 DAC: 00000051
+[ 69.014414] Process mxs_dcp_chan/ae (pid: 139, stack limit = 0x667b57ab)
+[ 69.021133] Stack: (0xc2cbbee4 to 0xc2cbc000)
+[ 69.025519] bee0: c32f9050 c3235408 00000010 00000010 00000ab8 00000001 bf10406c
+[ 69.033720] bf00: 00000000 00000000 00000010 00000000 c32355d0 832fb080 00000000 c13de2fc
+[ 69.041921] bf20: c3628010 00000010 c33d5780 00000ab8 bf1067e8 00000002 c21e5010 c2cba000
+[ 69.050125] bf40: c32f8040 00000000 bf106a40 c32f9040 c3283a80 00000001 bf105240 c3234040
+[ 69.058327] bf60: ffffe000 c3204100 c2c69800 c2cba000 00000000 bf103b84 00000000 c2eddc54
+[ 69.066530] bf80: c3204144 c0140d1c c2cba000 c2c69800 c0140be8 00000000 00000000 00000000
+[ 69.074730] bfa0: 00000000 00000000 00000000 c0100114 00000000 00000000 00000000 00000000
+[ 69.082932] bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+[ 69.091131] bfe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
+[ 69.099364] [<c053e7c8>] (memcpy) from [<bf10406c>] (dcp_chan_thread_aes+0x4e8/0x840 [mxs_dcp])
+[ 69.108117] [<bf10406c>] (dcp_chan_thread_aes [mxs_dcp]) from [<c0140d1c>] (kthread+0x134/0x160)
+[ 69.116941] [<c0140d1c>] (kthread) from [<c0100114>] (ret_from_fork+0x14/0x20)
+[ 69.124178] Exception stack(0xc2cbbfb0 to 0xc2cbbff8)
+[ 69.129250] bfa0: 00000000 00000000 00000000 00000000
+[ 69.137450] bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+[ 69.145648] bfe0: 00000000 00000000 00000000 00000000 00000013 00000000
+[ 69.152289] Code: e320f000 e4803004 e4804004 e4805004 (e4806004)
+
+Signed-off-by: Sean Anderson <sean.anderson@seco.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/mxs-dcp.c | 36 +++++++++---------------------------
+ 1 file changed, 9 insertions(+), 27 deletions(-)
+
+diff --git a/drivers/crypto/mxs-dcp.c b/drivers/crypto/mxs-dcp.c
+index d220e6a3f836..da834ae3586b 100644
+--- a/drivers/crypto/mxs-dcp.c
++++ b/drivers/crypto/mxs-dcp.c
+@@ -297,21 +297,20 @@ static int mxs_dcp_aes_block_crypt(struct crypto_async_request *arq)
+
+ struct scatterlist *dst = req->dst;
+ struct scatterlist *src = req->src;
+- const int nents = sg_nents(req->src);
++ int dst_nents = sg_nents(dst);
+
+ const int out_off = DCP_BUF_SZ;
+ uint8_t *in_buf = sdcp->coh->aes_in_buf;
+ uint8_t *out_buf = sdcp->coh->aes_out_buf;
+
+- uint8_t *out_tmp, *src_buf, *dst_buf = NULL;
+ uint32_t dst_off = 0;
++ uint8_t *src_buf = NULL;
+ uint32_t last_out_len = 0;
+
+ uint8_t *key = sdcp->coh->aes_key;
+
+ int ret = 0;
+- int split = 0;
+- unsigned int i, len, clen, rem = 0, tlen = 0;
++ unsigned int i, len, clen, tlen = 0;
+ int init = 0;
+ bool limit_hit = false;
+
+@@ -329,7 +328,7 @@ static int mxs_dcp_aes_block_crypt(struct crypto_async_request *arq)
+ memset(key + AES_KEYSIZE_128, 0, AES_KEYSIZE_128);
+ }
+
+- for_each_sg(req->src, src, nents, i) {
++ for_each_sg(req->src, src, sg_nents(src), i) {
+ src_buf = sg_virt(src);
+ len = sg_dma_len(src);
+ tlen += len;
+@@ -354,34 +353,17 @@ static int mxs_dcp_aes_block_crypt(struct crypto_async_request *arq)
+ * submit the buffer.
+ */
+ if (actx->fill == out_off || sg_is_last(src) ||
+- limit_hit) {
++ limit_hit) {
+ ret = mxs_dcp_run_aes(actx, req, init);
+ if (ret)
+ return ret;
+ init = 0;
+
+- out_tmp = out_buf;
++ sg_pcopy_from_buffer(dst, dst_nents, out_buf,
++ actx->fill, dst_off);
++ dst_off += actx->fill;
+ last_out_len = actx->fill;
+- while (dst && actx->fill) {
+- if (!split) {
+- dst_buf = sg_virt(dst);
+- dst_off = 0;
+- }
+- rem = min(sg_dma_len(dst) - dst_off,
+- actx->fill);
+-
+- memcpy(dst_buf + dst_off, out_tmp, rem);
+- out_tmp += rem;
+- dst_off += rem;
+- actx->fill -= rem;
+-
+- if (dst_off == sg_dma_len(dst)) {
+- dst = sg_next(dst);
+- split = 0;
+- } else {
+- split = 1;
+- }
+- }
++ actx->fill = 0;
+ }
+ } while (len);
+
+--
+2.30.2
+
--- /dev/null
+From 00a9b3fcdfc08b3f4f96526c0f2f3ba823150ec0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Jul 2021 16:04:12 +0300
+Subject: docs: Fix infiniband uverbs minor number
+
+From: Leon Romanovsky <leonro@nvidia.com>
+
+[ Upstream commit 8d7e415d55610d503fdb8815344846b72d194a40 ]
+
+Starting from the beginning of infiniband subsystem, the uverbs char
+devices start from 192 as a minor number, see
+commit bc38a6abdd5a ("[PATCH] IB uverbs: core implementation").
+
+This patch updates the admin guide documentation to reflect it.
+
+Fixes: 9d85025b0418 ("docs-rst: create an user's manual book")
+Link: https://lore.kernel.org/r/bad03e6bcde45550c01e12908a6fe7dfa4770703.1627477347.git.leonro@nvidia.com
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/admin-guide/devices.txt | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/Documentation/admin-guide/devices.txt b/Documentation/admin-guide/devices.txt
+index 1649117e6087..9cd7926c8781 100644
+--- a/Documentation/admin-guide/devices.txt
++++ b/Documentation/admin-guide/devices.txt
+@@ -2993,10 +2993,10 @@
+ 65 = /dev/infiniband/issm1 Second InfiniBand IsSM device
+ ...
+ 127 = /dev/infiniband/issm63 63rd InfiniBand IsSM device
+- 128 = /dev/infiniband/uverbs0 First InfiniBand verbs device
+- 129 = /dev/infiniband/uverbs1 Second InfiniBand verbs device
++ 192 = /dev/infiniband/uverbs0 First InfiniBand verbs device
++ 193 = /dev/infiniband/uverbs1 Second InfiniBand verbs device
+ ...
+- 159 = /dev/infiniband/uverbs31 31st InfiniBand verbs device
++ 223 = /dev/infiniband/uverbs31 31st InfiniBand verbs device
+
+ 232 char Biometric Devices
+ 0 = /dev/biometric/sensor0/fingerprint first fingerprint sensor on first device
+--
+2.30.2
+
--- /dev/null
+From a86b8b72928fa5979a35f122935bc6ad20325c9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jul 2021 11:00:44 -0400
+Subject: drm/amd/amdgpu: Update debugfs link_settings output link_rate field
+ in hex
+
+From: Anson Jacob <Anson.Jacob@amd.com>
+
+[ Upstream commit 1a394b3c3de2577f200cb623c52a5c2b82805cec ]
+
+link_rate is updated via debugfs using hex values, set it to output
+in hex as well.
+
+eg: Resolution: 1920x1080@144Hz
+cat /sys/kernel/debug/dri/0/DP-1/link_settings
+Current: 4 0x14 0 Verified: 4 0x1e 0 Reported: 4 0x1e 16 Preferred: 0 0x0 0
+
+echo "4 0x1e" > /sys/kernel/debug/dri/0/DP-1/link_settings
+
+cat /sys/kernel/debug/dri/0/DP-1/link_settings
+Current: 4 0x1e 0 Verified: 4 0x1e 0 Reported: 4 0x1e 16 Preferred: 4 0x1e 0
+
+Signed-off-by: Anson Jacob <Anson.Jacob@amd.com>
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+index 0d9e410ca01e..dbfe5623997d 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+@@ -92,29 +92,29 @@ static ssize_t dp_link_settings_read(struct file *f, char __user *buf,
+
+ rd_buf_ptr = rd_buf;
+
+- str_len = strlen("Current: %d %d %d ");
+- snprintf(rd_buf_ptr, str_len, "Current: %d %d %d ",
++ str_len = strlen("Current: %d 0x%x %d ");
++ snprintf(rd_buf_ptr, str_len, "Current: %d 0x%x %d ",
+ link->cur_link_settings.lane_count,
+ link->cur_link_settings.link_rate,
+ link->cur_link_settings.link_spread);
+ rd_buf_ptr += str_len;
+
+- str_len = strlen("Verified: %d %d %d ");
+- snprintf(rd_buf_ptr, str_len, "Verified: %d %d %d ",
++ str_len = strlen("Verified: %d 0x%x %d ");
++ snprintf(rd_buf_ptr, str_len, "Verified: %d 0x%x %d ",
+ link->verified_link_cap.lane_count,
+ link->verified_link_cap.link_rate,
+ link->verified_link_cap.link_spread);
+ rd_buf_ptr += str_len;
+
+- str_len = strlen("Reported: %d %d %d ");
+- snprintf(rd_buf_ptr, str_len, "Reported: %d %d %d ",
++ str_len = strlen("Reported: %d 0x%x %d ");
++ snprintf(rd_buf_ptr, str_len, "Reported: %d 0x%x %d ",
+ link->reported_link_cap.lane_count,
+ link->reported_link_cap.link_rate,
+ link->reported_link_cap.link_spread);
+ rd_buf_ptr += str_len;
+
+- str_len = strlen("Preferred: %d %d %d ");
+- snprintf(rd_buf_ptr, str_len, "Preferred: %d %d %d\n",
++ str_len = strlen("Preferred: %d 0x%x %d ");
++ snprintf(rd_buf_ptr, str_len, "Preferred: %d 0x%x %d\n",
+ link->preferred_link_setting.lane_count,
+ link->preferred_link_setting.link_rate,
+ link->preferred_link_setting.link_spread);
+--
+2.30.2
+
--- /dev/null
+From 5dedb66e9676dfb1d2061a22b31931d7126fad25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Aug 2021 08:12:08 +0800
+Subject: f2fs: fix to account missing .skipped_gc_rwsem
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit ad126ebddecbf696e0cf214ff56c7b170fa9f0f7 ]
+
+There is a missing place we forgot to account .skipped_gc_rwsem, fix it.
+
+Fixes: 6f8d4455060d ("f2fs: avoid fi->i_gc_rwsem[WRITE] lock in f2fs_gc")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/gc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c
+index 700c39ec99f5..38299ccfdf6e 100644
+--- a/fs/f2fs/gc.c
++++ b/fs/f2fs/gc.c
+@@ -998,8 +998,10 @@ static void gc_data_segment(struct f2fs_sb_info *sbi, struct f2fs_summary *sum,
+ bool locked = false;
+
+ if (S_ISREG(inode->i_mode)) {
+- if (!down_write_trylock(&fi->i_gc_rwsem[READ]))
++ if (!down_write_trylock(&fi->i_gc_rwsem[READ])) {
++ sbi->skipped_gc_rwsem++;
+ continue;
++ }
+ if (!down_write_trylock(
+ &fi->i_gc_rwsem[WRITE])) {
+ sbi->skipped_gc_rwsem++;
+--
+2.30.2
+
--- /dev/null
+From abe3ff4c63b77538c468d988fb1803484c9f7684 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Aug 2021 19:34:19 +0800
+Subject: f2fs: fix to unmap pages from userspace process in punch_hole()
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit c8dc3047c48540183744f959412d44b08c5435e1 ]
+
+We need to unmap pages from userspace process before removing pagecache
+in punch_hole() like we did in f2fs_setattr().
+
+Similar change:
+commit 5e44f8c374dc ("ext4: hole-punch use truncate_pagecache_range")
+
+Fixes: fbfa2cc58d53 ("f2fs: add file operations")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/file.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index 95330dfdbb1a..2a7249496c57 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -957,7 +957,6 @@ static int punch_hole(struct inode *inode, loff_t offset, loff_t len)
+ }
+
+ if (pg_start < pg_end) {
+- struct address_space *mapping = inode->i_mapping;
+ loff_t blk_start, blk_end;
+ struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
+
+@@ -969,8 +968,7 @@ static int punch_hole(struct inode *inode, loff_t offset, loff_t len)
+ down_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]);
+ down_write(&F2FS_I(inode)->i_mmap_sem);
+
+- truncate_inode_pages_range(mapping, blk_start,
+- blk_end - 1);
++ truncate_pagecache_range(inode, blk_start, blk_end - 1);
+
+ f2fs_lock_op(sbi);
+ ret = f2fs_truncate_hole(inode, pg_start, pg_end);
+--
+2.30.2
+
--- /dev/null
+From cdf18973ec9e4c19f04119c2aa87e26c9d7ff792 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jul 2021 14:25:11 -0500
+Subject: flow_dissector: Fix out-of-bounds warnings
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+[ Upstream commit 323e0cb473e2a8706ff162b6b4f4fa16023c9ba7 ]
+
+Fix the following out-of-bounds warnings:
+
+ net/core/flow_dissector.c: In function '__skb_flow_dissect':
+>> net/core/flow_dissector.c:1104:4: warning: 'memcpy' offset [24, 39] from the object at '<unknown>' is out of the bounds of referenced subobject 'saddr' with type 'struct in6_addr' at offset 8 [-Warray-bounds]
+ 1104 | memcpy(&key_addrs->v6addrs, &iph->saddr,
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ 1105 | sizeof(key_addrs->v6addrs));
+ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ In file included from include/linux/ipv6.h:5,
+ from net/core/flow_dissector.c:6:
+ include/uapi/linux/ipv6.h:133:18: note: subobject 'saddr' declared here
+ 133 | struct in6_addr saddr;
+ | ^~~~~
+>> net/core/flow_dissector.c:1059:4: warning: 'memcpy' offset [16, 19] from the object at '<unknown>' is out of the bounds of referenced subobject 'saddr' with type 'unsigned int' at offset 12 [-Warray-bounds]
+ 1059 | memcpy(&key_addrs->v4addrs, &iph->saddr,
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ 1060 | sizeof(key_addrs->v4addrs));
+ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ In file included from include/linux/ip.h:17,
+ from net/core/flow_dissector.c:5:
+ include/uapi/linux/ip.h:103:9: note: subobject 'saddr' declared here
+ 103 | __be32 saddr;
+ | ^~~~~
+
+The problem is that the original code is trying to copy data into a
+couple of struct members adjacent to each other in a single call to
+memcpy(). So, the compiler legitimately complains about it. As these
+are just a couple of members, fix this by copying each one of them in
+separate calls to memcpy().
+
+This helps with the ongoing efforts to globally enable -Warray-bounds
+and get us closer to being able to tighten the FORTIFY_SOURCE routines
+on memcpy().
+
+Link: https://github.com/KSPP/linux/issues/109
+Reported-by: kernel test robot <lkp@intel.com>
+Link: https://lore.kernel.org/lkml/d5ae2e65-1f18-2577-246f-bada7eee6ccd@intel.com/
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/flow_dissector.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
+index 994dd1520f07..949694c70cbc 100644
+--- a/net/core/flow_dissector.c
++++ b/net/core/flow_dissector.c
+@@ -694,8 +694,10 @@ bool __skb_flow_dissect(const struct sk_buff *skb,
+ FLOW_DISSECTOR_KEY_IPV4_ADDRS,
+ target_container);
+
+- memcpy(&key_addrs->v4addrs, &iph->saddr,
+- sizeof(key_addrs->v4addrs));
++ memcpy(&key_addrs->v4addrs.src, &iph->saddr,
++ sizeof(key_addrs->v4addrs.src));
++ memcpy(&key_addrs->v4addrs.dst, &iph->daddr,
++ sizeof(key_addrs->v4addrs.dst));
+ key_control->addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS;
+ }
+
+@@ -744,8 +746,10 @@ bool __skb_flow_dissect(const struct sk_buff *skb,
+ FLOW_DISSECTOR_KEY_IPV6_ADDRS,
+ target_container);
+
+- memcpy(&key_addrs->v6addrs, &iph->saddr,
+- sizeof(key_addrs->v6addrs));
++ memcpy(&key_addrs->v6addrs.src, &iph->saddr,
++ sizeof(key_addrs->v6addrs.src));
++ memcpy(&key_addrs->v6addrs.dst, &iph->daddr,
++ sizeof(key_addrs->v6addrs.dst));
+ key_control->addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From eb1f81e2f2d58049da0c3d00444dafbdb0f424eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jun 2021 14:21:00 +0100
+Subject: fscache: Fix cookie key hashing
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 35b72573e977ed6b18b094136a4fa3e0ffb13603 ]
+
+The current hash algorithm used for hashing cookie keys is really bad,
+producing almost no dispersion (after a test kernel build, ~30000 files
+were split over just 18 out of the 32768 hash buckets).
+
+Borrow the full_name_hash() hash function into fscache to do the hashing
+for cookie keys and, in the future, volume keys.
+
+I don't want to use full_name_hash() as-is because I want the hash value to
+be consistent across arches and over time as the hash value produced may
+get used on disk.
+
+I can also optimise parts of it away as the key will always be a padded
+array of aligned 32-bit words.
+
+Fixes: ec0328e46d6e ("fscache: Maintain a catalogue of allocated cookies")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+cc: linux-cachefs@redhat.com
+Link: https://lore.kernel.org/r/162431201844.2908479.8293647220901514696.stgit@warthog.procyon.org.uk/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fscache/cookie.c | 14 +-------------
+ fs/fscache/internal.h | 2 ++
+ fs/fscache/main.c | 39 +++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 42 insertions(+), 13 deletions(-)
+
+diff --git a/fs/fscache/cookie.c b/fs/fscache/cookie.c
+index c550512ce335..2ff05adfc22a 100644
+--- a/fs/fscache/cookie.c
++++ b/fs/fscache/cookie.c
+@@ -78,10 +78,8 @@ void fscache_free_cookie(struct fscache_cookie *cookie)
+ static int fscache_set_key(struct fscache_cookie *cookie,
+ const void *index_key, size_t index_key_len)
+ {
+- unsigned long long h;
+ u32 *buf;
+ int bufs;
+- int i;
+
+ bufs = DIV_ROUND_UP(index_key_len, sizeof(*buf));
+
+@@ -95,17 +93,7 @@ static int fscache_set_key(struct fscache_cookie *cookie,
+ }
+
+ memcpy(buf, index_key, index_key_len);
+-
+- /* Calculate a hash and combine this with the length in the first word
+- * or first half word
+- */
+- h = (unsigned long)cookie->parent;
+- h += index_key_len + cookie->type;
+-
+- for (i = 0; i < bufs; i++)
+- h += buf[i];
+-
+- cookie->key_hash = h ^ (h >> 32);
++ cookie->key_hash = fscache_hash(0, buf, bufs);
+ return 0;
+ }
+
+diff --git a/fs/fscache/internal.h b/fs/fscache/internal.h
+index d6209022e965..cc87288a5448 100644
+--- a/fs/fscache/internal.h
++++ b/fs/fscache/internal.h
+@@ -101,6 +101,8 @@ extern struct workqueue_struct *fscache_object_wq;
+ extern struct workqueue_struct *fscache_op_wq;
+ DECLARE_PER_CPU(wait_queue_head_t, fscache_object_cong_wait);
+
++extern unsigned int fscache_hash(unsigned int salt, unsigned int *data, unsigned int n);
++
+ static inline bool fscache_object_congested(void)
+ {
+ return workqueue_congested(WORK_CPU_UNBOUND, fscache_object_wq);
+diff --git a/fs/fscache/main.c b/fs/fscache/main.c
+index 30ad89db1efc..aa49234e9520 100644
+--- a/fs/fscache/main.c
++++ b/fs/fscache/main.c
+@@ -98,6 +98,45 @@ static struct ctl_table fscache_sysctls_root[] = {
+ };
+ #endif
+
++/*
++ * Mixing scores (in bits) for (7,20):
++ * Input delta: 1-bit 2-bit
++ * 1 round: 330.3 9201.6
++ * 2 rounds: 1246.4 25475.4
++ * 3 rounds: 1907.1 31295.1
++ * 4 rounds: 2042.3 31718.6
++ * Perfect: 2048 31744
++ * (32*64) (32*31/2 * 64)
++ */
++#define HASH_MIX(x, y, a) \
++ ( x ^= (a), \
++ y ^= x, x = rol32(x, 7),\
++ x += y, y = rol32(y,20),\
++ y *= 9 )
++
++static inline unsigned int fold_hash(unsigned long x, unsigned long y)
++{
++ /* Use arch-optimized multiply if one exists */
++ return __hash_32(y ^ __hash_32(x));
++}
++
++/*
++ * Generate a hash. This is derived from full_name_hash(), but we want to be
++ * sure it is arch independent and that it doesn't change as bits of the
++ * computed hash value might appear on disk. The caller also guarantees that
++ * the hashed data will be a series of aligned 32-bit words.
++ */
++unsigned int fscache_hash(unsigned int salt, unsigned int *data, unsigned int n)
++{
++ unsigned int a, x = 0, y = salt;
++
++ for (; n; n--) {
++ a = *data++;
++ HASH_MIX(x, y, a);
++ }
++ return fold_hash(x, y);
++}
++
+ /*
+ * initialise the fs caching module
+ */
+--
+2.30.2
+
--- /dev/null
+From 56f89ad64e260b5d075f1adbb972cf038c81d043 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Jul 2021 12:41:49 -0500
+Subject: gfs2: Don't call dlm after protocol is unmounted
+
+From: Bob Peterson <rpeterso@redhat.com>
+
+[ Upstream commit d1340f80f0b8066321b499a376780da00560e857 ]
+
+In the gfs2 withdraw sequence, the dlm protocol is unmounted with a call
+to lm_unmount. After a withdraw, users are allowed to unmount the
+withdrawn file system. But at that point we may still have glocks left
+over that we need to free via unmount's call to gfs2_gl_hash_clear.
+These glocks may have never been completed because of whatever problem
+caused the withdraw (IO errors or whatever).
+
+Before this patch, function gdlm_put_lock would still try to call into
+dlm to unlock these leftover glocks, which resulted in dlm returning
+-EINVAL because the lock space was abandoned. These glocks were never
+freed because there was no mechanism after that to free them.
+
+This patch adds a check to gdlm_put_lock to see if the locking protocol
+was inactive (DFL_UNMOUNT flag) and if so, free the glock and not
+make the invalid call into dlm.
+
+I could have combined this "if" with the one that follows, related to
+leftover glock LVBs, but I felt the code was more readable with its own
+if clause.
+
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/lock_dlm.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/gfs2/lock_dlm.c b/fs/gfs2/lock_dlm.c
+index 56dddc1f8ddd..9e90e42c495e 100644
+--- a/fs/gfs2/lock_dlm.c
++++ b/fs/gfs2/lock_dlm.c
+@@ -295,6 +295,11 @@ static void gdlm_put_lock(struct gfs2_glock *gl)
+ gfs2_sbstats_inc(gl, GFS2_LKS_DCOUNT);
+ gfs2_update_request_times(gl);
+
++ /* don't want to call dlm if we've unmounted the lock protocol */
++ if (test_bit(DFL_UNMOUNT, &ls->ls_recover_flags)) {
++ gfs2_glock_free(gl);
++ return;
++ }
+ /* don't want to skip dlm_unlock writing the lvb when lock has one */
+
+ if (test_bit(SDF_SKIP_DLM_UNLOCK, &sdp->sd_flags) &&
+--
+2.30.2
+
--- /dev/null
+From 2e1b6d7cf5b1c534a5e26c0f6ce823fd8ebb2939 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Aug 2021 04:34:58 -0700
+Subject: gpu: drm: amd: amdgpu: amdgpu_i2c: fix possible
+ uninitialized-variable access in amdgpu_i2c_router_select_ddc_port()
+
+From: Tuo Li <islituo@gmail.com>
+
+[ Upstream commit a211260c34cfadc6068fece8c9e99e0fe1e2a2b6 ]
+
+The variable val is declared without initialization, and its address is
+passed to amdgpu_i2c_get_byte(). In this function, the value of val is
+accessed in:
+ DRM_DEBUG("i2c 0x%02x 0x%02x read failed\n",
+ addr, *val);
+
+Also, when amdgpu_i2c_get_byte() returns, val may remain uninitialized,
+but it is accessed in:
+ val &= ~amdgpu_connector->router.ddc_mux_control_pin;
+
+To fix this possible uninitialized-variable access, initialize val to 0 in
+amdgpu_i2c_router_select_ddc_port().
+
+Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
+Signed-off-by: Tuo Li <islituo@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_i2c.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_i2c.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_i2c.c
+index f2739995c335..199eccee0b0b 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_i2c.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_i2c.c
+@@ -338,7 +338,7 @@ static void amdgpu_i2c_put_byte(struct amdgpu_i2c_chan *i2c_bus,
+ void
+ amdgpu_i2c_router_select_ddc_port(const struct amdgpu_connector *amdgpu_connector)
+ {
+- u8 val;
++ u8 val = 0;
+
+ if (!amdgpu_connector->router.ddc_valid)
+ return;
+--
+2.30.2
+
--- /dev/null
+From df03f34dab570a5938c201cbdb004189a9204338 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jun 2021 11:25:50 -0700
+Subject: HID: input: do not report stylus battery state as "full"
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+[ Upstream commit f4abaa9eebde334045ed6ac4e564d050f1df3013 ]
+
+The power supply states of discharging, charging, full, etc, represent
+state of charging, not the capacity level of the battery (for which
+we have a separate property). Current HID usage tables to not allow
+for expressing charging state of the batteries found in generic
+styli, so we should simply assume that the battery is discharging
+even if current capacity is at 100% when battery strength reporting
+is done via HID interface. In fact, we were doing just that before
+commit 581c4484769e.
+
+This change helps UIs to not mis-represent fully charged batteries in
+styli as being charging/topping-off.
+
+Fixes: 581c4484769e ("HID: input: map digitizer battery usage")
+Reported-by: Kenneth Albanowski <kenalba@google.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-input.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
+index 4dd151b2924e..d56ef395eb69 100644
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -427,8 +427,6 @@ static int hidinput_get_battery_property(struct power_supply *psy,
+
+ if (dev->battery_status == HID_BATTERY_UNKNOWN)
+ val->intval = POWER_SUPPLY_STATUS_UNKNOWN;
+- else if (dev->battery_capacity == 100)
+- val->intval = POWER_SUPPLY_STATUS_FULL;
+ else
+ val->intval = POWER_SUPPLY_STATUS_DISCHARGING;
+ break;
+--
+2.30.2
+
--- /dev/null
+From bd7a4844586b96efa67a1003c8e4b06c6d1aa2a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jul 2021 09:43:11 +0200
+Subject: hvsi: don't panic on tty_register_driver failure
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+[ Upstream commit 7ccbdcc4d08a6d7041e4849219bbb12ffa45db4c ]
+
+The alloc_tty_driver failure is handled gracefully in hvsi_init. But
+tty_register_driver is not. panic is called if that one fails.
+
+So handle the failure of tty_register_driver gracefully too. This will
+keep at least the console functional as it was enabled earlier by
+console_initcall in hvsi_console_init. Instead of shooting down the
+whole system.
+
+This means, we disable interrupts and restore hvsi_wait back to
+poll_for_state().
+
+Cc: linuxppc-dev@lists.ozlabs.org
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Link: https://lore.kernel.org/r/20210723074317.32690-3-jslaby@suse.cz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/hvc/hvsi.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/tty/hvc/hvsi.c b/drivers/tty/hvc/hvsi.c
+index 66f95f758be0..73226337f561 100644
+--- a/drivers/tty/hvc/hvsi.c
++++ b/drivers/tty/hvc/hvsi.c
+@@ -1038,7 +1038,7 @@ static const struct tty_operations hvsi_ops = {
+
+ static int __init hvsi_init(void)
+ {
+- int i;
++ int i, ret;
+
+ hvsi_driver = alloc_tty_driver(hvsi_count);
+ if (!hvsi_driver)
+@@ -1069,12 +1069,25 @@ static int __init hvsi_init(void)
+ }
+ hvsi_wait = wait_for_state; /* irqs active now */
+
+- if (tty_register_driver(hvsi_driver))
+- panic("Couldn't register hvsi console driver\n");
++ ret = tty_register_driver(hvsi_driver);
++ if (ret) {
++ pr_err("Couldn't register hvsi console driver\n");
++ goto err_free_irq;
++ }
+
+ printk(KERN_DEBUG "HVSI: registered %i devices\n", hvsi_count);
+
+ return 0;
++err_free_irq:
++ hvsi_wait = poll_for_state;
++ for (i = 0; i < hvsi_count; i++) {
++ struct hvsi_struct *hp = &hvsi_ports[i];
++
++ free_irq(hp->virq, hp);
++ }
++ tty_driver_kref_put(hvsi_driver);
++
++ return ret;
+ }
+ device_initcall(hvsi_init);
+
+--
+2.30.2
+
--- /dev/null
+From 99784586f836726e456f0cf281f289478d292ac7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Jun 2021 17:32:37 +0100
+Subject: iio: dac: ad5624r: Fix incorrect handling of an optional regulator.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 97683c851f9cdbd3ea55697cbe2dcb6af4287bbd ]
+
+The naming of the regulator is problematic. VCC is usually a supply
+voltage whereas these devices have a separate VREF pin.
+
+Secondly, the regulator core might have provided a stub regulator if
+a real regulator wasn't provided. That would in turn have failed to
+provide a voltage when queried. So reality was that there was no way
+to use the internal reference.
+
+In order to avoid breaking any dts out in the wild, make sure to fallback
+to the original vcc naming if vref is not available.
+
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reported-by: kernel test robot <lkp@intel.com>
+Acked-by: Nuno Sá <nuno.sa@analog.com>
+Link: https://lore.kernel.org/r/20210627163244.1090296-9-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/dac/ad5624r_spi.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iio/dac/ad5624r_spi.c b/drivers/iio/dac/ad5624r_spi.c
+index 13fdb4dfe356..cc3a24c43e57 100644
+--- a/drivers/iio/dac/ad5624r_spi.c
++++ b/drivers/iio/dac/ad5624r_spi.c
+@@ -230,7 +230,7 @@ static int ad5624r_probe(struct spi_device *spi)
+ if (!indio_dev)
+ return -ENOMEM;
+ st = iio_priv(indio_dev);
+- st->reg = devm_regulator_get(&spi->dev, "vcc");
++ st->reg = devm_regulator_get_optional(&spi->dev, "vref");
+ if (!IS_ERR(st->reg)) {
+ ret = regulator_enable(st->reg);
+ if (ret)
+@@ -241,6 +241,22 @@ static int ad5624r_probe(struct spi_device *spi)
+ goto error_disable_reg;
+
+ voltage_uv = ret;
++ } else {
++ if (PTR_ERR(st->reg) != -ENODEV)
++ return PTR_ERR(st->reg);
++ /* Backwards compatibility. This naming is not correct */
++ st->reg = devm_regulator_get_optional(&spi->dev, "vcc");
++ if (!IS_ERR(st->reg)) {
++ ret = regulator_enable(st->reg);
++ if (ret)
++ return ret;
++
++ ret = regulator_get_voltage(st->reg);
++ if (ret < 0)
++ goto error_disable_reg;
++
++ voltage_uv = ret;
++ }
+ }
+
+ spi_set_drvdata(spi, indio_dev);
+--
+2.30.2
+
--- /dev/null
+From c547c83bada92fa78eb115a876657c7aa0d66781 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jul 2021 14:52:51 -0500
+Subject: ipv4: ip_output.c: Fix out-of-bounds warning in ip_copy_addrs()
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+[ Upstream commit 6321c7acb82872ef6576c520b0e178eaad3a25c0 ]
+
+Fix the following out-of-bounds warning:
+
+ In function 'ip_copy_addrs',
+ inlined from '__ip_queue_xmit' at net/ipv4/ip_output.c:517:2:
+net/ipv4/ip_output.c:449:2: warning: 'memcpy' offset [40, 43] from the object at 'fl' is out of the bounds of referenced subobject 'saddr' with type 'unsigned int' at offset 36 [-Warray-bounds]
+ 449 | memcpy(&iph->saddr, &fl4->saddr,
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ 450 | sizeof(fl4->saddr) + sizeof(fl4->daddr));
+ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The problem is that the original code is trying to copy data into a
+couple of struct members adjacent to each other in a single call to
+memcpy(). This causes a legitimate compiler warning because memcpy()
+overruns the length of &iph->saddr and &fl4->saddr. As these are just
+a couple of struct members, fix this by using direct assignments,
+instead of memcpy().
+
+This helps with the ongoing efforts to globally enable -Warray-bounds
+and get us closer to being able to tighten the FORTIFY_SOURCE routines
+on memcpy().
+
+Link: https://github.com/KSPP/linux/issues/109
+Reported-by: kernel test robot <lkp@intel.com>
+Link: https://lore.kernel.org/lkml/d5ae2e65-1f18-2577-246f-bada7eee6ccd@intel.com/
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_output.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
+index e63905f7f6f9..25beecee8949 100644
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -419,8 +419,9 @@ static void ip_copy_addrs(struct iphdr *iph, const struct flowi4 *fl4)
+ {
+ BUILD_BUG_ON(offsetof(typeof(*fl4), daddr) !=
+ offsetof(typeof(*fl4), saddr) + sizeof(fl4->saddr));
+- memcpy(&iph->saddr, &fl4->saddr,
+- sizeof(fl4->saddr) + sizeof(fl4->daddr));
++
++ iph->saddr = fl4->saddr;
++ iph->daddr = fl4->daddr;
+ }
+
+ /* Note: skb->sk can be different from sk, in case of tunnels */
+--
+2.30.2
+
--- /dev/null
+From e4b18c776fe02a6141205c1fa74a4f5a1298686b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jun 2021 13:28:57 +0200
+Subject: media: dib8000: rewrite the init prbs logic
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 8db11aebdb8f93f46a8513c22c9bd52fa23263aa ]
+
+The logic at dib8000_get_init_prbs() has a few issues:
+
+1. the tables used there has an extra unused value at the beginning;
+2. the dprintk() message doesn't write the right value when
+ transmission mode is not 8K;
+3. the array overflow validation is done by the callers.
+
+Rewrite the code to fix such issues.
+
+This should also shut up those smatch warnings:
+
+ drivers/media/dvb-frontends/dib8000.c:2125 dib8000_get_init_prbs() error: buffer overflow 'lut_prbs_8k' 14 <= 14
+ drivers/media/dvb-frontends/dib8000.c:2129 dib8000_get_init_prbs() error: buffer overflow 'lut_prbs_2k' 14 <= 14
+ drivers/media/dvb-frontends/dib8000.c:2131 dib8000_get_init_prbs() error: buffer overflow 'lut_prbs_4k' 14 <= 14
+ drivers/media/dvb-frontends/dib8000.c:2134 dib8000_get_init_prbs() error: buffer overflow 'lut_prbs_8k' 14 <= 14
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/dib8000.c | 58 +++++++++++++++++++--------
+ 1 file changed, 41 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/media/dvb-frontends/dib8000.c b/drivers/media/dvb-frontends/dib8000.c
+index 3c3f8cb14845..5fa787e023c7 100644
+--- a/drivers/media/dvb-frontends/dib8000.c
++++ b/drivers/media/dvb-frontends/dib8000.c
+@@ -2110,32 +2110,55 @@ static void dib8000_load_ana_fe_coefs(struct dib8000_state *state, const s16 *an
+ dib8000_write_word(state, 117 + mode, ana_fe[mode]);
+ }
+
+-static const u16 lut_prbs_2k[14] = {
+- 0, 0x423, 0x009, 0x5C7, 0x7A6, 0x3D8, 0x527, 0x7FF, 0x79B, 0x3D6, 0x3A2, 0x53B, 0x2F4, 0x213
++static const u16 lut_prbs_2k[13] = {
++ 0x423, 0x009, 0x5C7,
++ 0x7A6, 0x3D8, 0x527,
++ 0x7FF, 0x79B, 0x3D6,
++ 0x3A2, 0x53B, 0x2F4,
++ 0x213
+ };
+-static const u16 lut_prbs_4k[14] = {
+- 0, 0x208, 0x0C3, 0x7B9, 0x423, 0x5C7, 0x3D8, 0x7FF, 0x3D6, 0x53B, 0x213, 0x029, 0x0D0, 0x48E
++
++static const u16 lut_prbs_4k[13] = {
++ 0x208, 0x0C3, 0x7B9,
++ 0x423, 0x5C7, 0x3D8,
++ 0x7FF, 0x3D6, 0x53B,
++ 0x213, 0x029, 0x0D0,
++ 0x48E
+ };
+-static const u16 lut_prbs_8k[14] = {
+- 0, 0x740, 0x069, 0x7DD, 0x208, 0x7B9, 0x5C7, 0x7FF, 0x53B, 0x029, 0x48E, 0x4C4, 0x367, 0x684
++
++static const u16 lut_prbs_8k[13] = {
++ 0x740, 0x069, 0x7DD,
++ 0x208, 0x7B9, 0x5C7,
++ 0x7FF, 0x53B, 0x029,
++ 0x48E, 0x4C4, 0x367,
++ 0x684
+ };
+
+ static u16 dib8000_get_init_prbs(struct dib8000_state *state, u16 subchannel)
+ {
+ int sub_channel_prbs_group = 0;
++ int prbs_group;
+
+- sub_channel_prbs_group = (subchannel / 3) + 1;
+- dprintk("sub_channel_prbs_group = %d , subchannel =%d prbs = 0x%04x\n", sub_channel_prbs_group, subchannel, lut_prbs_8k[sub_channel_prbs_group]);
++ sub_channel_prbs_group = subchannel / 3;
++ if (sub_channel_prbs_group >= ARRAY_SIZE(lut_prbs_2k))
++ return 0;
+
+ switch (state->fe[0]->dtv_property_cache.transmission_mode) {
+ case TRANSMISSION_MODE_2K:
+- return lut_prbs_2k[sub_channel_prbs_group];
++ prbs_group = lut_prbs_2k[sub_channel_prbs_group];
++ break;
+ case TRANSMISSION_MODE_4K:
+- return lut_prbs_4k[sub_channel_prbs_group];
++ prbs_group = lut_prbs_4k[sub_channel_prbs_group];
++ break;
+ default:
+ case TRANSMISSION_MODE_8K:
+- return lut_prbs_8k[sub_channel_prbs_group];
++ prbs_group = lut_prbs_8k[sub_channel_prbs_group];
+ }
++
++ dprintk("sub_channel_prbs_group = %d , subchannel =%d prbs = 0x%04x\n",
++ sub_channel_prbs_group, subchannel, prbs_group);
++
++ return prbs_group;
+ }
+
+ static void dib8000_set_13seg_channel(struct dib8000_state *state)
+@@ -2412,10 +2435,8 @@ static void dib8000_set_isdbt_common_channel(struct dib8000_state *state, u8 seq
+ /* TSB or ISDBT ? apply it now */
+ if (c->isdbt_sb_mode) {
+ dib8000_set_sb_channel(state);
+- if (c->isdbt_sb_subchannel < 14)
+- init_prbs = dib8000_get_init_prbs(state, c->isdbt_sb_subchannel);
+- else
+- init_prbs = 0;
++ init_prbs = dib8000_get_init_prbs(state,
++ c->isdbt_sb_subchannel);
+ } else {
+ dib8000_set_13seg_channel(state);
+ init_prbs = 0xfff;
+@@ -3007,6 +3028,7 @@ static int dib8000_tune(struct dvb_frontend *fe)
+
+ unsigned long *timeout = &state->timeout;
+ unsigned long now = jiffies;
++ u16 init_prbs;
+ #ifdef DIB8000_AGC_FREEZE
+ u16 agc1, agc2;
+ #endif
+@@ -3305,8 +3327,10 @@ static int dib8000_tune(struct dvb_frontend *fe)
+ break;
+
+ case CT_DEMOD_STEP_11: /* 41 : init prbs autosearch */
+- if (state->subchannel <= 41) {
+- dib8000_set_subchannel_prbs(state, dib8000_get_init_prbs(state, state->subchannel));
++ init_prbs = dib8000_get_init_prbs(state, state->subchannel);
++
++ if (init_prbs) {
++ dib8000_set_subchannel_prbs(state, init_prbs);
+ *tune_state = CT_DEMOD_STEP_9;
+ } else {
+ *tune_state = CT_DEMOD_STOP;
+--
+2.30.2
+
--- /dev/null
+From dff46ae68d5883194686ca22b7e1a52a17eb657f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jul 2021 13:22:33 +0200
+Subject: media: imx258: Limit the max analogue gain to 480
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Umang Jain <umang.jain@ideasonboard.com>
+
+[ Upstream commit f809665ee75fff3f4ea8907f406a66d380aeb184 ]
+
+The range for analog gain mentioned in the datasheet is [0, 480].
+The real gain formula mentioned in the datasheet is:
+
+ Gain = 512 / (512 – X)
+
+Hence, values larger than 511 clearly makes no sense. The gain
+register field is also documented to be of 9-bits in the datasheet.
+
+Certainly, it is enough to infer that, the kernel driver currently
+advertises an arbitrary analog gain max. Fix it by rectifying the
+value as per the data sheet i.e. 480.
+
+Signed-off-by: Umang Jain <umang.jain@ideasonboard.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Reviewed-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/imx258.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/imx258.c b/drivers/media/i2c/imx258.c
+index 68ce63333744..85395813c0f2 100644
+--- a/drivers/media/i2c/imx258.c
++++ b/drivers/media/i2c/imx258.c
+@@ -46,7 +46,7 @@
+ /* Analog gain control */
+ #define IMX258_REG_ANALOG_GAIN 0x0204
+ #define IMX258_ANA_GAIN_MIN 0
+-#define IMX258_ANA_GAIN_MAX 0x1fff
++#define IMX258_ANA_GAIN_MAX 480
+ #define IMX258_ANA_GAIN_STEP 1
+ #define IMX258_ANA_GAIN_DEFAULT 0x0
+
+--
+2.30.2
+
--- /dev/null
+From a2325a289b176662d8063c0e1663ff29ce543e85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jul 2021 13:22:32 +0200
+Subject: media: imx258: Rectify mismatch of VTS value
+
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+
+[ Upstream commit 51f93add3669f1b1f540de1cf397815afbd4c756 ]
+
+The frame_length_lines (0x0340) registers are hard-coded as follows:
+
+- 4208x3118
+ frame_length_lines = 0x0c50
+
+- 2104x1560
+ frame_length_lines = 0x0638
+
+- 1048x780
+ frame_length_lines = 0x034c
+
+The driver exposes the V4L2_CID_VBLANK control in read-only mode and
+sets its value to vts_def - height, where vts_def is a mode-dependent
+value coming from the supported_modes array. It is set using one of
+the following macros defined in the driver:
+
+ #define IMX258_VTS_30FPS 0x0c98
+ #define IMX258_VTS_30FPS_2K 0x0638
+ #define IMX258_VTS_30FPS_VGA 0x034c
+
+There's a clear mismatch in the value for the full resolution mode i.e.
+IMX258_VTS_30FPS. Fix it by rectifying the macro with the value set for
+the frame_length_lines register as stated above.
+
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Umang Jain <umang.jain@ideasonboard.com>
+Reviewed-by: Bingbu Cao <bingbu.cao@intel.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/imx258.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/imx258.c b/drivers/media/i2c/imx258.c
+index 31a1e2294843..68ce63333744 100644
+--- a/drivers/media/i2c/imx258.c
++++ b/drivers/media/i2c/imx258.c
+@@ -22,7 +22,7 @@
+ #define IMX258_CHIP_ID 0x0258
+
+ /* V_TIMING internal */
+-#define IMX258_VTS_30FPS 0x0c98
++#define IMX258_VTS_30FPS 0x0c50
+ #define IMX258_VTS_30FPS_2K 0x0638
+ #define IMX258_VTS_30FPS_VGA 0x034c
+ #define IMX258_VTS_MAX 0xffff
+--
+2.30.2
+
--- /dev/null
+From d6b76ba2db141a3db858866531b994db758167ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jul 2021 12:46:28 +0200
+Subject: media: TDA1997x: fix tda1997x_query_dv_timings() return value
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Krzysztof Hałasa <khalasa@piap.pl>
+
+[ Upstream commit 7dee1030871a48d4f3c5a74227a4b4188463479a ]
+
+Correctly propagate the tda1997x_detect_std error value.
+
+Signed-off-by: Krzysztof Hałasa <khalasa@piap.pl>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/tda1997x.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/i2c/tda1997x.c b/drivers/media/i2c/tda1997x.c
+index dab441bbc9f0..4f8dc3f56785 100644
+--- a/drivers/media/i2c/tda1997x.c
++++ b/drivers/media/i2c/tda1997x.c
+@@ -1695,14 +1695,15 @@ static int tda1997x_query_dv_timings(struct v4l2_subdev *sd,
+ struct v4l2_dv_timings *timings)
+ {
+ struct tda1997x_state *state = to_state(sd);
++ int ret;
+
+ v4l_dbg(1, debug, state->client, "%s\n", __func__);
+ memset(timings, 0, sizeof(struct v4l2_dv_timings));
+ mutex_lock(&state->lock);
+- tda1997x_detect_std(state, timings);
++ ret = tda1997x_detect_std(state, timings);
+ mutex_unlock(&state->lock);
+
+- return 0;
++ return ret;
+ }
+
+ static const struct v4l2_subdev_video_ops tda1997x_video_ops = {
+--
+2.30.2
+
--- /dev/null
+From 0ee3f50a716f6da9e7febe8501b13605d20a3078 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Jul 2021 16:44:32 +0200
+Subject: media: tegra-cec: Handle errors of clk_prepare_enable()
+
+From: Evgeny Novikov <novikov@ispras.ru>
+
+[ Upstream commit 38367073c796a37a61549b1f66a71b3adb03802d ]
+
+tegra_cec_probe() and tegra_cec_resume() ignored possible errors of
+clk_prepare_enable(). The patch fixes this.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/tegra-cec/tegra_cec.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/platform/tegra-cec/tegra_cec.c b/drivers/media/platform/tegra-cec/tegra_cec.c
+index aba488cd0e64..a2c20ca799c4 100644
+--- a/drivers/media/platform/tegra-cec/tegra_cec.c
++++ b/drivers/media/platform/tegra-cec/tegra_cec.c
+@@ -383,7 +383,11 @@ static int tegra_cec_probe(struct platform_device *pdev)
+ return -ENOENT;
+ }
+
+- clk_prepare_enable(cec->clk);
++ ret = clk_prepare_enable(cec->clk);
++ if (ret) {
++ dev_err(&pdev->dev, "Unable to prepare clock for CEC\n");
++ return ret;
++ }
+
+ /* set context info. */
+ cec->dev = &pdev->dev;
+@@ -462,9 +466,7 @@ static int tegra_cec_resume(struct platform_device *pdev)
+
+ dev_notice(&pdev->dev, "Resuming\n");
+
+- clk_prepare_enable(cec->clk);
+-
+- return 0;
++ return clk_prepare_enable(cec->clk);
+ }
+ #endif
+
+--
+2.30.2
+
--- /dev/null
+From a553f062186c0bee2e0f81b5624ad6423e475c28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jul 2021 10:22:59 +0200
+Subject: media: v4l2-dv-timings.c: fix wrong condition in two for-loops
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 4108b3e6db31acc4c68133290bbcc87d4db905c9 ]
+
+These for-loops should test against v4l2_dv_timings_presets[i].bt.width,
+not if i < v4l2_dv_timings_presets[i].bt.width. Luckily nothing ever broke,
+since the smallest width is still a lot higher than the total number of
+presets, but it is wrong.
+
+The last item in the presets array is all 0, so the for-loop must stop
+when it reaches that sentinel.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reported-by: Krzysztof Hałasa <khalasa@piap.pl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/v4l2-core/v4l2-dv-timings.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/v4l2-core/v4l2-dv-timings.c b/drivers/media/v4l2-core/v4l2-dv-timings.c
+index a24b40dfec97..af38c989ff33 100644
+--- a/drivers/media/v4l2-core/v4l2-dv-timings.c
++++ b/drivers/media/v4l2-core/v4l2-dv-timings.c
+@@ -196,7 +196,7 @@ bool v4l2_find_dv_timings_cap(struct v4l2_dv_timings *t,
+ if (!v4l2_valid_dv_timings(t, cap, fnc, fnc_handle))
+ return false;
+
+- for (i = 0; i < v4l2_dv_timings_presets[i].bt.width; i++) {
++ for (i = 0; v4l2_dv_timings_presets[i].bt.width; i++) {
+ if (v4l2_valid_dv_timings(v4l2_dv_timings_presets + i, cap,
+ fnc, fnc_handle) &&
+ v4l2_match_dv_timings(t, v4l2_dv_timings_presets + i,
+@@ -218,7 +218,7 @@ bool v4l2_find_dv_timings_cea861_vic(struct v4l2_dv_timings *t, u8 vic)
+ {
+ unsigned int i;
+
+- for (i = 0; i < v4l2_dv_timings_presets[i].bt.width; i++) {
++ for (i = 0; v4l2_dv_timings_presets[i].bt.width; i++) {
+ const struct v4l2_bt_timings *bt =
+ &v4l2_dv_timings_presets[i].bt;
+
+--
+2.30.2
+
--- /dev/null
+From b00dc552906f57a258f531b0ece6750a092d0354 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Sep 2021 09:19:51 +0200
+Subject: MIPS: Malta: fix alignment of the devicetree buffer
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit bea6a94a279bcbe6b2cde348782b28baf12255a5 ]
+
+Starting with following patch MIPS Malta is not able to boot:
+| commit 79edff12060fe7772af08607eff50c0e2486c5ba
+| Author: Rob Herring <robh@kernel.org>
+| scripts/dtc: Update to upstream version v1.6.0-51-g183df9e9c2b9
+
+The reason is the alignment test added to the fdt_ro_probe_(). To fix
+this issue, we need to make sure that fdt_buf is aligned.
+
+Since the dtc patch was designed to uncover potential issue, I handle
+initial MIPS Malta patch as initial bug.
+
+Fixes: e81a8c7dabac ("MIPS: Malta: Setup RAM regions via DT")
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/mti-malta/malta-dtshim.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/mips/mti-malta/malta-dtshim.c b/arch/mips/mti-malta/malta-dtshim.c
+index 7859b6e49863..5b5d78a7882a 100644
+--- a/arch/mips/mti-malta/malta-dtshim.c
++++ b/arch/mips/mti-malta/malta-dtshim.c
+@@ -26,7 +26,7 @@
+ #define ROCIT_CONFIG_GEN1_MEMMAP_SHIFT 8
+ #define ROCIT_CONFIG_GEN1_MEMMAP_MASK (0xf << 8)
+
+-static unsigned char fdt_buf[16 << 10] __initdata;
++static unsigned char fdt_buf[16 << 10] __initdata __aligned(8);
+
+ /* determined physical memory size, not overridden by command line args */
+ extern unsigned long physical_memsize;
+--
+2.30.2
+
--- /dev/null
+From 95e3dfe08fa907cbad9850ef363be66b45797ddc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Aug 2021 00:47:26 +0530
+Subject: mmc: core: Return correct emmc response in case of ioctl error
+
+From: Nishad Kamdar <nishadkamdar@gmail.com>
+
+[ Upstream commit e72a55f2e5ddcfb3dce0701caf925ce435b87682 ]
+
+When a read/write command is sent via ioctl to the kernel,
+and the command fails, the actual error response of the emmc
+is not sent to the user.
+
+IOCTL read/write tests are carried out using commands
+17 (Single BLock Read), 24 (Single Block Write),
+18 (Multi Block Read), 25 (Multi Block Write)
+
+The tests are carried out on a 64Gb emmc device. All of these
+tests try to access an "out of range" sector address (0x09B2FFFF).
+
+It is seen that without the patch the response received by the user
+is not OUT_OF_RANGE error (R1 response 31st bit is not set) as per
+JEDEC specification. After applying the patch proper response is seen.
+This is because the function returns without copying the response to
+the user in case of failure. This patch fixes the issue.
+
+Hence, this memcpy is required whether we get an error response or not.
+Therefor it is moved up from the current position up to immediately
+after we have called mmc_wait_for_req().
+
+The test code and the output of only the CMD17 is included in the
+commit to limit the message length.
+
+CMD17 (Test Code Snippet):
+==========================
+ printf("Forming CMD%d\n", opt_idx);
+ /* single block read */
+ cmd.blksz = 512;
+ cmd.blocks = 1;
+ cmd.write_flag = 0;
+ cmd.opcode = 17;
+ //cmd.arg = atoi(argv[3]);
+ cmd.arg = 0x09B2FFFF;
+ /* Expecting response R1B */
+ cmd.flags = MMC_RSP_SPI_R1 | MMC_RSP_R1 | MMC_CMD_ADTC;
+
+ memset(data, 0, sizeof(__u8) * 512);
+ mmc_ioc_cmd_set_data(cmd, data);
+
+ printf("Sending CMD%d: ARG[0x%08x]\n", opt_idx, cmd.arg);
+ if(ioctl(fd, MMC_IOC_CMD, &cmd))
+ perror("Error");
+
+ printf("\nResponse: %08x\n", cmd.response[0]);
+
+CMD17 (Output without patch):
+=============================
+test@test-LIVA-Z:~$ sudo ./mmc cmd_test /dev/mmcblk0 17
+Entering the do_mmc_commands:Device: /dev/mmcblk0 nargs:4
+Entering the do_mmc_commands:Device: /dev/mmcblk0 options[17, 0x09B2FFF]
+Forming CMD17
+Sending CMD17: ARG[0x09b2ffff]
+Error: Connection timed out
+
+Response: 00000000
+(Incorrect response)
+
+CMD17 (Output with patch):
+==========================
+test@test-LIVA-Z:~$ sudo ./mmc cmd_test /dev/mmcblk0 17
+[sudo] password for test:
+Entering the do_mmc_commands:Device: /dev/mmcblk0 nargs:4
+Entering the do_mmc_commands:Device: /dev/mmcblk0 options[17, 09B2FFFF]
+Forming CMD17
+Sending CMD17: ARG[0x09b2ffff]
+Error: Connection timed out
+
+Response: 80000900
+(Correct OUT_OF_ERROR response as per JEDEC specification)
+
+Signed-off-by: Nishad Kamdar <nishadkamdar@gmail.com>
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Link: https://lore.kernel.org/r/20210824191726.8296-1-nishadkamdar@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/core/block.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c
+index 7b2bb32e3555..d1cc0fdbc51c 100644
+--- a/drivers/mmc/core/block.c
++++ b/drivers/mmc/core/block.c
+@@ -592,6 +592,7 @@ static int __mmc_blk_ioctl_cmd(struct mmc_card *card, struct mmc_blk_data *md,
+ }
+
+ mmc_wait_for_req(card->host, &mrq);
++ memcpy(&idata->ic.response, cmd.resp, sizeof(cmd.resp));
+
+ if (cmd.error) {
+ dev_err(mmc_dev(card->host), "%s: cmd error %d\n",
+@@ -641,8 +642,6 @@ static int __mmc_blk_ioctl_cmd(struct mmc_card *card, struct mmc_blk_data *md,
+ if (idata->ic.postsleep_min_us)
+ usleep_range(idata->ic.postsleep_min_us, idata->ic.postsleep_max_us);
+
+- memcpy(&(idata->ic.response), cmd.resp, sizeof(cmd.resp));
+-
+ if (idata->rpmb || (cmd.flags & MMC_RSP_R1B) == MMC_RSP_R1B) {
+ /*
+ * Ensure RPMB/R1B command has completed by polling CMD13
+--
+2.30.2
+
--- /dev/null
+From cf028910ce1955f9013073a461023b72483af4e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Aug 2021 04:46:14 -0700
+Subject: mmc: rtsx_pci: Fix long reads when clock is prescaled
+
+From: Thomas Hebb <tommyhebb@gmail.com>
+
+[ Upstream commit 3ac5e45291f3f0d699a721357380d4593bc2dcb3 ]
+
+For unexplained reasons, the prescaler register for this device needs to
+be cleared (set to 1) while performing a data read or else the command
+will hang. This does not appear to affect the real clock rate sent out
+on the bus, so I assume it's purely to work around a hardware bug.
+
+During normal operation, the prescaler is already set to 1, so nothing
+needs to be done. However, in "initial mode" (which is used for sub-MHz
+clock speeds, like the core sets while enumerating cards), it's set to
+128 and so we need to reset it during data reads. We currently fail to
+do this for long reads.
+
+This has no functional affect on the driver's operation currently
+written, as the MMC core always sets a clock above 1MHz before
+attempting any long reads. However, the core could conceivably set any
+clock speed at any time and the driver should still work, so I think
+this fix is worthwhile.
+
+I personally encountered this issue while performing data recovery on an
+external chip. My connections had poor signal integrity, so I modified
+the core code to reduce the clock speed. Without this change, I saw the
+card enumerate but was unable to actually read any data.
+
+Writes don't seem to work in the situation described above even with
+this change (and even if the workaround is extended to encompass data
+write commands). I was not able to find a way to get them working.
+
+Signed-off-by: Thomas Hebb <tommyhebb@gmail.com>
+Link: https://lore.kernel.org/r/2fef280d8409ab0100c26c6ac7050227defd098d.1627818365.git.tommyhebb@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/rtsx_pci_sdmmc.c | 36 ++++++++++++++++++++-----------
+ 1 file changed, 23 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/mmc/host/rtsx_pci_sdmmc.c b/drivers/mmc/host/rtsx_pci_sdmmc.c
+index 02de6a5701d6..c1de8fa50fe8 100644
+--- a/drivers/mmc/host/rtsx_pci_sdmmc.c
++++ b/drivers/mmc/host/rtsx_pci_sdmmc.c
+@@ -551,9 +551,22 @@ static int sd_write_long_data(struct realtek_pci_sdmmc *host,
+ return 0;
+ }
+
++static inline void sd_enable_initial_mode(struct realtek_pci_sdmmc *host)
++{
++ rtsx_pci_write_register(host->pcr, SD_CFG1,
++ SD_CLK_DIVIDE_MASK, SD_CLK_DIVIDE_128);
++}
++
++static inline void sd_disable_initial_mode(struct realtek_pci_sdmmc *host)
++{
++ rtsx_pci_write_register(host->pcr, SD_CFG1,
++ SD_CLK_DIVIDE_MASK, SD_CLK_DIVIDE_0);
++}
++
+ static int sd_rw_multi(struct realtek_pci_sdmmc *host, struct mmc_request *mrq)
+ {
+ struct mmc_data *data = mrq->data;
++ int err;
+
+ if (host->sg_count < 0) {
+ data->error = host->sg_count;
+@@ -562,22 +575,19 @@ static int sd_rw_multi(struct realtek_pci_sdmmc *host, struct mmc_request *mrq)
+ return data->error;
+ }
+
+- if (data->flags & MMC_DATA_READ)
+- return sd_read_long_data(host, mrq);
++ if (data->flags & MMC_DATA_READ) {
++ if (host->initial_mode)
++ sd_disable_initial_mode(host);
+
+- return sd_write_long_data(host, mrq);
+-}
++ err = sd_read_long_data(host, mrq);
+
+-static inline void sd_enable_initial_mode(struct realtek_pci_sdmmc *host)
+-{
+- rtsx_pci_write_register(host->pcr, SD_CFG1,
+- SD_CLK_DIVIDE_MASK, SD_CLK_DIVIDE_128);
+-}
++ if (host->initial_mode)
++ sd_enable_initial_mode(host);
+
+-static inline void sd_disable_initial_mode(struct realtek_pci_sdmmc *host)
+-{
+- rtsx_pci_write_register(host->pcr, SD_CFG1,
+- SD_CLK_DIVIDE_MASK, SD_CLK_DIVIDE_0);
++ return err;
++ }
++
++ return sd_write_long_data(host, mrq);
+ }
+
+ static void sd_normal_rw(struct realtek_pci_sdmmc *host,
+--
+2.30.2
+
--- /dev/null
+From 67db728dbfa284d8718dee517233250f45b34bdc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jun 2021 16:13:54 +0530
+Subject: mmc: sdhci-of-arasan: Check return value of non-void funtions
+
+From: Manish Narani <manish.narani@xilinx.com>
+
+[ Upstream commit 66bad6ed2204fdb78a0a8fb89d824397106a5471 ]
+
+At a couple of places, the return values of the non-void functions were
+not getting checked. This was reported by the coverity tool. Modify the
+code to check the return values of the same.
+
+Addresses-Coverity: ("check_return")
+Signed-off-by: Manish Narani <manish.narani@xilinx.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/1623753837-21035-5-git-send-email-manish.narani@xilinx.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-of-arasan.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/mmc/host/sdhci-of-arasan.c b/drivers/mmc/host/sdhci-of-arasan.c
+index 9c77bfe4334f..d1a2418b0c5e 100644
+--- a/drivers/mmc/host/sdhci-of-arasan.c
++++ b/drivers/mmc/host/sdhci-of-arasan.c
+@@ -185,7 +185,12 @@ static void sdhci_arasan_set_clock(struct sdhci_host *host, unsigned int clock)
+ * through low speeds without power cycling.
+ */
+ sdhci_set_clock(host, host->max_clk);
+- phy_power_on(sdhci_arasan->phy);
++ if (phy_power_on(sdhci_arasan->phy)) {
++ pr_err("%s: Cannot power on phy.\n",
++ mmc_hostname(host->mmc));
++ return;
++ }
++
+ sdhci_arasan->is_phy_on = true;
+
+ /*
+@@ -221,7 +226,12 @@ static void sdhci_arasan_set_clock(struct sdhci_host *host, unsigned int clock)
+ msleep(20);
+
+ if (ctrl_phy) {
+- phy_power_on(sdhci_arasan->phy);
++ if (phy_power_on(sdhci_arasan->phy)) {
++ pr_err("%s: Cannot power on phy.\n",
++ mmc_hostname(host->mmc));
++ return;
++ }
++
+ sdhci_arasan->is_phy_on = true;
+ }
+ }
+@@ -395,7 +405,9 @@ static int sdhci_arasan_suspend(struct device *dev)
+ ret = phy_power_off(sdhci_arasan->phy);
+ if (ret) {
+ dev_err(dev, "Cannot power off phy.\n");
+- sdhci_resume_host(host);
++ if (sdhci_resume_host(host))
++ dev_err(dev, "Cannot resume host.\n");
++
+ return ret;
+ }
+ sdhci_arasan->is_phy_on = false;
+--
+2.30.2
+
--- /dev/null
+From 9c0c25f059f5765799b19b17f997ad75c4392312 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Aug 2021 12:13:40 -0700
+Subject: net: ethernet: stmmac: Do not use unreachable() in
+ ipq806x_gmac_probe()
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit 4367355dd90942a71641c98c40c74589c9bddf90 ]
+
+When compiling with clang in certain configurations, an objtool warning
+appears:
+
+drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.o: warning: objtool:
+ipq806x_gmac_probe() falls through to next function phy_modes()
+
+This happens because the unreachable annotation in the third switch
+statement is not eliminated. The compiler should know that the first
+default case would prevent the second and third from being reached as
+the comment notes but sanitizer options can make it harder for the
+compiler to reason this out.
+
+Help the compiler out by eliminating the unreachable() annotation and
+unifying the default case error handling so that there is no objtool
+warning, the meaning of the code stays the same, and there is less
+duplication.
+
+Reported-by: Sami Tolvanen <samitolvanen@google.com>
+Tested-by: Sami Tolvanen <samitolvanen@google.com>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/stmicro/stmmac/dwmac-ipq806x.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c
+index 0f56f8e33691..03b11f191c26 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c
+@@ -288,10 +288,7 @@ static int ipq806x_gmac_probe(struct platform_device *pdev)
+ val &= ~NSS_COMMON_GMAC_CTL_PHY_IFACE_SEL;
+ break;
+ default:
+- dev_err(&pdev->dev, "Unsupported PHY mode: \"%s\"\n",
+- phy_modes(gmac->phy_mode));
+- err = -EINVAL;
+- goto err_remove_config_dt;
++ goto err_unsupported_phy;
+ }
+ regmap_write(gmac->nss_common, NSS_COMMON_GMAC_CTL(gmac->id), val);
+
+@@ -308,10 +305,7 @@ static int ipq806x_gmac_probe(struct platform_device *pdev)
+ NSS_COMMON_CLK_SRC_CTRL_OFFSET(gmac->id);
+ break;
+ default:
+- dev_err(&pdev->dev, "Unsupported PHY mode: \"%s\"\n",
+- phy_modes(gmac->phy_mode));
+- err = -EINVAL;
+- goto err_remove_config_dt;
++ goto err_unsupported_phy;
+ }
+ regmap_write(gmac->nss_common, NSS_COMMON_CLK_SRC_CTRL, val);
+
+@@ -328,8 +322,7 @@ static int ipq806x_gmac_probe(struct platform_device *pdev)
+ NSS_COMMON_CLK_GATE_GMII_TX_EN(gmac->id);
+ break;
+ default:
+- /* We don't get here; the switch above will have errored out */
+- unreachable();
++ goto err_unsupported_phy;
+ }
+ regmap_write(gmac->nss_common, NSS_COMMON_CLK_GATE, val);
+
+@@ -360,6 +353,11 @@ static int ipq806x_gmac_probe(struct platform_device *pdev)
+
+ return 0;
+
++err_unsupported_phy:
++ dev_err(&pdev->dev, "Unsupported PHY mode: \"%s\"\n",
++ phy_modes(gmac->phy_mode));
++ err = -EINVAL;
++
+ err_remove_config_dt:
+ stmmac_remove_config_dt(pdev, plat_dat);
+
+--
+2.30.2
+
--- /dev/null
+From 4e2b33cc3d6fb08a3e361de67235c235759abd79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Aug 2021 18:28:01 +0800
+Subject: net: fix NULL pointer reference in cipso_v4_doi_free
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: 王贇 <yun.wang@linux.alibaba.com>
+
+[ Upstream commit 733c99ee8be9a1410287cdbb943887365e83b2d6 ]
+
+In netlbl_cipsov4_add_std() when 'doi_def->map.std' alloc
+failed, we sometime observe panic:
+
+ BUG: kernel NULL pointer dereference, address:
+ ...
+ RIP: 0010:cipso_v4_doi_free+0x3a/0x80
+ ...
+ Call Trace:
+ netlbl_cipsov4_add_std+0xf4/0x8c0
+ netlbl_cipsov4_add+0x13f/0x1b0
+ genl_family_rcv_msg_doit.isra.15+0x132/0x170
+ genl_rcv_msg+0x125/0x240
+
+This is because in cipso_v4_doi_free() there is no check
+on 'doi_def->map.std' when 'doi_def->type' equal 1, which
+is possibe, since netlbl_cipsov4_add_std() haven't initialize
+it before alloc 'doi_def->map.std'.
+
+This patch just add the check to prevent panic happen for similar
+cases.
+
+Reported-by: Abaci <abaci@linux.alibaba.com>
+Signed-off-by: Michael Wang <yun.wang@linux.alibaba.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netlabel/netlabel_cipso_v4.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c
+index 0559d442ad80..e252f62bb8c2 100644
+--- a/net/netlabel/netlabel_cipso_v4.c
++++ b/net/netlabel/netlabel_cipso_v4.c
+@@ -156,8 +156,8 @@ static int netlbl_cipsov4_add_std(struct genl_info *info,
+ return -ENOMEM;
+ doi_def->map.std = kzalloc(sizeof(*doi_def->map.std), GFP_KERNEL);
+ if (doi_def->map.std == NULL) {
+- ret_val = -ENOMEM;
+- goto add_std_failure;
++ kfree(doi_def);
++ return -ENOMEM;
+ }
+ doi_def->type = CIPSO_V4_MAP_TRANS;
+
+--
+2.30.2
+
--- /dev/null
+From d4908a6dadb0cbfac87a1fa8a61c92053adac759 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Aug 2021 16:40:18 +0800
+Subject: net: w5100: check return value after calling platform_get_resource()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit a39ff4a47f3e1da3b036817ef436b1a9be10783a ]
+
+It will cause null-ptr-deref if platform_get_resource() returns NULL,
+we need check the return value.
+
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/wiznet/w5100.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/wiznet/w5100.c b/drivers/net/ethernet/wiznet/w5100.c
+index d8ba512f166a..41040756307a 100644
+--- a/drivers/net/ethernet/wiznet/w5100.c
++++ b/drivers/net/ethernet/wiznet/w5100.c
+@@ -1059,6 +1059,8 @@ static int w5100_mmio_probe(struct platform_device *pdev)
+ mac_addr = data->mac_addr;
+
+ mem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++ if (!mem)
++ return -EINVAL;
+ if (resource_size(mem) < W5100_BUS_DIRECT_SIZE)
+ ops = &w5100_mmio_indirect_ops;
+ else
+--
+2.30.2
+
--- /dev/null
+From b50754027d180fd81766d01d054f14620a2d1b21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Jul 2021 13:18:16 +0800
+Subject: netlink: Deal with ESRCH error in nlmsg_notify()
+
+From: Yajun Deng <yajun.deng@linux.dev>
+
+[ Upstream commit fef773fc8110d8124c73a5e6610f89e52814637d ]
+
+Yonghong Song report:
+The bpf selftest tc_bpf failed with latest bpf-next.
+The following is the command to run and the result:
+$ ./test_progs -n 132
+[ 40.947571] bpf_testmod: loading out-of-tree module taints kernel.
+test_tc_bpf:PASS:test_tc_bpf__open_and_load 0 nsec
+test_tc_bpf:PASS:bpf_tc_hook_create(BPF_TC_INGRESS) 0 nsec
+test_tc_bpf:PASS:bpf_tc_hook_create invalid hook.attach_point 0 nsec
+test_tc_bpf_basic:PASS:bpf_obj_get_info_by_fd 0 nsec
+test_tc_bpf_basic:PASS:bpf_tc_attach 0 nsec
+test_tc_bpf_basic:PASS:handle set 0 nsec
+test_tc_bpf_basic:PASS:priority set 0 nsec
+test_tc_bpf_basic:PASS:prog_id set 0 nsec
+test_tc_bpf_basic:PASS:bpf_tc_attach replace mode 0 nsec
+test_tc_bpf_basic:PASS:bpf_tc_query 0 nsec
+test_tc_bpf_basic:PASS:handle set 0 nsec
+test_tc_bpf_basic:PASS:priority set 0 nsec
+test_tc_bpf_basic:PASS:prog_id set 0 nsec
+libbpf: Kernel error message: Failed to send filter delete notification
+test_tc_bpf_basic:FAIL:bpf_tc_detach unexpected error: -3 (errno 3)
+test_tc_bpf:FAIL:test_tc_internal ingress unexpected error: -3 (errno 3)
+
+The failure seems due to the commit
+ cfdf0d9ae75b ("rtnetlink: use nlmsg_notify() in rtnetlink_send()")
+
+Deal with ESRCH error in nlmsg_notify() even the report variable is zero.
+
+Reported-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Yajun Deng <yajun.deng@linux.dev>
+Link: https://lore.kernel.org/r/20210719051816.11762-1-yajun.deng@linux.dev
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netlink/af_netlink.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index ac3fe507bc1c..b0fd268ed65e 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -2498,13 +2498,15 @@ int nlmsg_notify(struct sock *sk, struct sk_buff *skb, u32 portid,
+ /* errors reported via destination sk->sk_err, but propagate
+ * delivery errors if NETLINK_BROADCAST_ERROR flag is set */
+ err = nlmsg_multicast(sk, skb, exclude_portid, group, flags);
++ if (err == -ESRCH)
++ err = 0;
+ }
+
+ if (report) {
+ int err2;
+
+ err2 = nlmsg_unicast(sk, skb, portid);
+- if (!err || err == -ESRCH)
++ if (!err)
+ err = err2;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 7039e066e9b8314aac06ed2af512854d2d09324f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Aug 2021 15:47:22 +0100
+Subject: of: Don't allow __of_attached_node_sysfs() without CONFIG_SYSFS
+
+From: Marc Zyngier <maz@kernel.org>
+
+[ Upstream commit 6211e9cb2f8faf7faae0b6caf844bfe9527cc607 ]
+
+Trying to boot without SYSFS, but with OF_DYNAMIC quickly
+results in a crash:
+
+[ 0.088460] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000070
+[...]
+[ 0.103927] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.14.0-rc3 #4179
+[ 0.105810] Hardware name: linux,dummy-virt (DT)
+[ 0.107147] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO BTYPE=--)
+[ 0.108876] pc : kernfs_find_and_get_ns+0x3c/0x7c
+[ 0.110244] lr : kernfs_find_and_get_ns+0x3c/0x7c
+[...]
+[ 0.134087] Call trace:
+[ 0.134800] kernfs_find_and_get_ns+0x3c/0x7c
+[ 0.136054] safe_name+0x4c/0xd0
+[ 0.136994] __of_attach_node_sysfs+0xf8/0x124
+[ 0.138287] of_core_init+0x90/0xfc
+[ 0.139296] driver_init+0x30/0x4c
+[ 0.140283] kernel_init_freeable+0x160/0x1b8
+[ 0.141543] kernel_init+0x30/0x140
+[ 0.142561] ret_from_fork+0x10/0x18
+
+While not having sysfs isn't a very common option these days,
+it is still expected that such configuration would work.
+
+Paper over it by bailing out from __of_attach_node_sysfs() if
+CONFIG_SYSFS isn't enabled.
+
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20210820144722.169226-1-maz@kernel.org
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/kobj.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/of/kobj.c b/drivers/of/kobj.c
+index a32e60b024b8..6675b5e56960 100644
+--- a/drivers/of/kobj.c
++++ b/drivers/of/kobj.c
+@@ -119,7 +119,7 @@ int __of_attach_node_sysfs(struct device_node *np)
+ struct property *pp;
+ int rc;
+
+- if (!of_kset)
++ if (!IS_ENABLED(CONFIG_SYSFS) || !of_kset)
+ return 0;
+
+ np->kobj.kset = of_kset;
+--
+2.30.2
+
--- /dev/null
+From f5114cb71fba1b8c3445b41b86ec7828e6e01167 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Jul 2021 19:33:09 -0700
+Subject: openrisc: don't printk() unconditionally
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 946e1052cdcc7e585ee5d1e72528ca49fb295243 ]
+
+Don't call printk() when CONFIG_PRINTK is not set.
+Fixes the following build errors:
+
+or1k-linux-ld: arch/openrisc/kernel/entry.o: in function `_external_irq_handler':
+(.text+0x804): undefined reference to `printk'
+(.text+0x804): relocation truncated to fit: R_OR1K_INSN_REL_26 against undefined symbol `printk'
+
+Fixes: 9d02a4283e9c ("OpenRISC: Boot code")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Cc: Jonas Bonn <jonas@southpole.se>
+Cc: Stefan Kristiansson <stefan.kristiansson@saunalahti.fi>
+Cc: Stafford Horne <shorne@gmail.com>
+Cc: openrisc@lists.librecores.org
+Signed-off-by: Stafford Horne <shorne@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/openrisc/kernel/entry.S | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/openrisc/kernel/entry.S b/arch/openrisc/kernel/entry.S
+index 01b59d2ce174..c2c3ce8a0f84 100644
+--- a/arch/openrisc/kernel/entry.S
++++ b/arch/openrisc/kernel/entry.S
+@@ -551,6 +551,7 @@ EXCEPTION_ENTRY(_external_irq_handler)
+ l.bnf 1f // ext irq enabled, all ok.
+ l.nop
+
++#ifdef CONFIG_PRINTK
+ l.addi r1,r1,-0x8
+ l.movhi r3,hi(42f)
+ l.ori r3,r3,lo(42f)
+@@ -564,6 +565,7 @@ EXCEPTION_ENTRY(_external_irq_handler)
+ .string "\n\rESR interrupt bug: in _external_irq_handler (ESR %x)\n\r"
+ .align 4
+ .previous
++#endif
+
+ l.ori r4,r4,SPR_SR_IEE // fix the bug
+ // l.sw PT_SR(r1),r4
+--
+2.30.2
+
--- /dev/null
+From 2e9a05fbf38df077490bf591045fcf1ab6299267 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Jul 2021 11:07:10 +0100
+Subject: parport: remove non-zero check on count
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 0be883a0d795d9146f5325de582584147dd0dcdc ]
+
+The check for count appears to be incorrect since a non-zero count
+check occurs a couple of statements earlier. Currently the check is
+always false and the dev->port->irq != PARPORT_IRQ_NONE part of the
+check is never tested and the if statement is dead-code. Fix this
+by removing the check on count.
+
+Note that this code is pre-git history, so I can't find a sha for
+it.
+
+Acked-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Addresses-Coverity: ("Logically dead code")
+Link: https://lore.kernel.org/r/20210730100710.27405-1-colin.king@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/parport/ieee1284_ops.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/parport/ieee1284_ops.c b/drivers/parport/ieee1284_ops.c
+index 5d41dda6da4e..75daa16f38b7 100644
+--- a/drivers/parport/ieee1284_ops.c
++++ b/drivers/parport/ieee1284_ops.c
+@@ -535,7 +535,7 @@ size_t parport_ieee1284_ecp_read_data (struct parport *port,
+ goto out;
+
+ /* Yield the port for a while. */
+- if (count && dev->port->irq != PARPORT_IRQ_NONE) {
++ if (dev->port->irq != PARPORT_IRQ_NONE) {
+ parport_release (dev);
+ schedule_timeout_interruptible(msecs_to_jiffies(40));
+ parport_claim_or_block (dev);
+--
+2.30.2
+
--- /dev/null
+From 8509357ac7dfbbd8d177b7db9e457ef4bad5463b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jul 2021 15:25:06 +0200
+Subject: PCI: Use pci_update_current_state() in pci_enable_device_flags()
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 14858dcc3b3587f4bb5c48e130ee7d68fc2b0a29 ]
+
+Updating the current_state field of struct pci_dev the way it is done
+in pci_enable_device_flags() before calling do_pci_enable_device() may
+not work. For example, if the given PCI device depends on an ACPI
+power resource whose _STA method initially returns 0 ("off"), but the
+config space of the PCI device is accessible and the power state
+retrieved from the PCI_PM_CTRL register is D0, the current_state
+field in the struct pci_dev representing that device will get out of
+sync with the power.state of its ACPI companion object and that will
+lead to power management issues going forward.
+
+To avoid such issues, make pci_enable_device_flags() call
+pci_update_current_state() which takes ACPI device power management
+into account, if present, to retrieve the current power state of the
+device.
+
+Link: https://lore.kernel.org/lkml/20210314000439.3138941-1-luzmaximilian@gmail.com/
+Reported-by: Maximilian Luz <luzmaximilian@gmail.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Tested-by: Maximilian Luz <luzmaximilian@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index 1a78bf39ee9a..077cc0512dd2 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -1591,11 +1591,7 @@ static int pci_enable_device_flags(struct pci_dev *dev, unsigned long flags)
+ * so that things like MSI message writing will behave as expected
+ * (e.g. if the device really is in D0 at enable time).
+ */
+- if (dev->pm_cap) {
+- u16 pmcsr;
+- pci_read_config_word(dev, dev->pm_cap + PCI_PM_CTRL, &pmcsr);
+- dev->current_state = (pmcsr & PCI_PM_CTRL_STATE_MASK);
+- }
++ pci_update_current_state(dev, dev->current_state);
+
+ if (atomic_inc_return(&dev->enable_cnt) > 1)
+ return 0; /* already enabled */
+--
+2.30.2
+
--- /dev/null
+From 7a458674714a127adb4d24213b8b55926607afb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Jul 2021 22:29:05 +0300
+Subject: pinctrl: samsung: Fix pinctrl bank pin count
+
+From: Jaehyoung Choi <jkkkkk.choi@samsung.com>
+
+[ Upstream commit 70115558ab02fe8d28a6634350b3491a542aaa02 ]
+
+Commit 1abd18d1a51a ("pinctrl: samsung: Register pinctrl before GPIO")
+changes the order of GPIO and pinctrl registration: now pinctrl is
+registered before GPIO. That means gpio_chip->ngpio is not set when
+samsung_pinctrl_register() called, and one cannot rely on that value
+anymore. Use `pin_bank->nr_pins' instead of `pin_bank->gpio_chip.ngpio'
+to fix mentioned inconsistency.
+
+Fixes: 1abd18d1a51a ("pinctrl: samsung: Register pinctrl before GPIO")
+Signed-off-by: Jaehyoung Choi <jkkkkk.choi@samsung.com>
+Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org>
+Link: https://lore.kernel.org/r/20210730192905.7173-1-semen.protsenko@linaro.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/samsung/pinctrl-samsung.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/samsung/pinctrl-samsung.c b/drivers/pinctrl/samsung/pinctrl-samsung.c
+index c05217edcb0e..82407e4a1642 100644
+--- a/drivers/pinctrl/samsung/pinctrl-samsung.c
++++ b/drivers/pinctrl/samsung/pinctrl-samsung.c
+@@ -918,7 +918,7 @@ static int samsung_pinctrl_register(struct platform_device *pdev,
+ pin_bank->grange.pin_base = drvdata->pin_base
+ + pin_bank->pin_base;
+ pin_bank->grange.base = pin_bank->grange.pin_base;
+- pin_bank->grange.npins = pin_bank->gpio_chip.ngpio;
++ pin_bank->grange.npins = pin_bank->nr_pins;
+ pin_bank->grange.gc = &pin_bank->gpio_chip;
+ pinctrl_add_gpio_range(drvdata->pctl_dev, &pin_bank->grange);
+ }
+--
+2.30.2
+
--- /dev/null
+From aa7d82634c2b69bfc5c7315f9563914e5fcb758a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jul 2021 11:39:29 +0800
+Subject: pinctrl: single: Fix error return code in
+ pcs_parse_bits_in_pinctrl_entry()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit d789a490d32fdf0465275e3607f8a3bc87d3f3ba ]
+
+Fix to return -ENOTSUPP instead of 0 when PCS_HAS_PINCONF is true, which
+is the same as that returned in pcs_parse_pinconf().
+
+Fixes: 4e7e8017a80e ("pinctrl: pinctrl-single: enhance to configure multiple pins of different modules")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Link: https://lore.kernel.org/r/20210722033930.4034-2-thunder.leizhen@huawei.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-single.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c
+index 04a4e761e9a9..c2f807bf3489 100644
+--- a/drivers/pinctrl/pinctrl-single.c
++++ b/drivers/pinctrl/pinctrl-single.c
+@@ -1201,6 +1201,7 @@ static int pcs_parse_bits_in_pinctrl_entry(struct pcs_device *pcs,
+
+ if (PCS_HAS_PINCONF) {
+ dev_err(pcs->dev, "pinconf not supported\n");
++ res = -ENOTSUPP;
+ goto free_pingroups;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 2ded3820353249d47eee9085632a5f66cd48c01b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Aug 2021 16:08:22 +0200
+Subject: platform/x86: dell-smbios-wmi: Add missing kfree in error-exit from
+ run_smbios_call
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 0487d4fc42d7f31a56cfd9e2237f9ebd889e6112 ]
+
+As pointed out be Kees Cook if we return -EIO because the
+obj->type != ACPI_TYPE_BUFFER, then we must kfree the
+output buffer before the return.
+
+Fixes: 1a258e670434 ("platform/x86: dell-smbios-wmi: Add new WMI dispatcher driver")
+Reported-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20210826140822.71198-1-hdegoede@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/dell-smbios-wmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/platform/x86/dell-smbios-wmi.c b/drivers/platform/x86/dell-smbios-wmi.c
+index ccccce9b67ef..0ebcf412f6ca 100644
+--- a/drivers/platform/x86/dell-smbios-wmi.c
++++ b/drivers/platform/x86/dell-smbios-wmi.c
+@@ -72,6 +72,7 @@ static int run_smbios_call(struct wmi_device *wdev)
+ if (obj->type == ACPI_TYPE_INTEGER)
+ dev_dbg(&wdev->dev, "SMBIOS call failed: %llu\n",
+ obj->integer.value);
++ kfree(output.pointer);
+ return -EIO;
+ }
+ memcpy(&priv->buf->std, obj->buffer.pointer, obj->buffer.length);
+--
+2.30.2
+
--- /dev/null
+From 84c5569fcdad6df48117eb4e528cfa0f582030cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jul 2021 20:01:03 +0200
+Subject: powerpc/stacktrace: Include linux/delay.h
+
+From: Michal Suchanek <msuchanek@suse.de>
+
+[ Upstream commit a6cae77f1bc89368a4e2822afcddc45c3062d499 ]
+
+commit 7c6986ade69e ("powerpc/stacktrace: Fix spurious "stale" traces in raise_backtrace_ipi()")
+introduces udelay() call without including the linux/delay.h header.
+This may happen to work on master but the header that declares the
+functionshould be included nonetheless.
+
+Fixes: 7c6986ade69e ("powerpc/stacktrace: Fix spurious "stale" traces in raise_backtrace_ipi()")
+Signed-off-by: Michal Suchanek <msuchanek@suse.de>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210729180103.15578-1-msuchanek@suse.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/stacktrace.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/kernel/stacktrace.c b/arch/powerpc/kernel/stacktrace.c
+index 23b5f755e419..dadcc8bab336 100644
+--- a/arch/powerpc/kernel/stacktrace.c
++++ b/arch/powerpc/kernel/stacktrace.c
+@@ -8,6 +8,7 @@
+ * Copyright 2018 Nick Piggin, Michael Ellerman, IBM Corp.
+ */
+
++#include <linux/delay.h>
+ #include <linux/export.h>
+ #include <linux/kallsyms.h>
+ #include <linux/module.h>
+--
+2.30.2
+
--- /dev/null
+From fb409932ab282ca592e8c6f7b272c5b18af319f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jul 2021 17:08:55 +0300
+Subject: RDMA/iwcm: Release resources if iw_cm module initialization fails
+
+From: Leon Romanovsky <leonro@nvidia.com>
+
+[ Upstream commit e677b72a0647249370f2635862bf0241c86f66ad ]
+
+The failure during iw_cm module initialization partially left the system
+with unreleased memory and other resources. Rewrite the module init/exit
+routines in such way that netlink commands will be opened only after
+successful initialization.
+
+Fixes: b493d91d333e ("iwcm: common code for port mapper")
+Link: https://lore.kernel.org/r/b01239f99cb1a3e6d2b0694c242d89e6410bcd93.1627048781.git.leonro@nvidia.com
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/iwcm.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c
+index 99dd8452724d..57aec656ab7f 100644
+--- a/drivers/infiniband/core/iwcm.c
++++ b/drivers/infiniband/core/iwcm.c
+@@ -1173,29 +1173,34 @@ static int __init iw_cm_init(void)
+
+ ret = iwpm_init(RDMA_NL_IWCM);
+ if (ret)
+- pr_err("iw_cm: couldn't init iwpm\n");
+- else
+- rdma_nl_register(RDMA_NL_IWCM, iwcm_nl_cb_table);
++ return ret;
++
+ iwcm_wq = alloc_ordered_workqueue("iw_cm_wq", 0);
+ if (!iwcm_wq)
+- return -ENOMEM;
++ goto err_alloc;
+
+ iwcm_ctl_table_hdr = register_net_sysctl(&init_net, "net/iw_cm",
+ iwcm_ctl_table);
+ if (!iwcm_ctl_table_hdr) {
+ pr_err("iw_cm: couldn't register sysctl paths\n");
+- destroy_workqueue(iwcm_wq);
+- return -ENOMEM;
++ goto err_sysctl;
+ }
+
++ rdma_nl_register(RDMA_NL_IWCM, iwcm_nl_cb_table);
+ return 0;
++
++err_sysctl:
++ destroy_workqueue(iwcm_wq);
++err_alloc:
++ iwpm_exit(RDMA_NL_IWCM);
++ return -ENOMEM;
+ }
+
+ static void __exit iw_cm_cleanup(void)
+ {
++ rdma_nl_unregister(RDMA_NL_IWCM);
+ unregister_net_sysctl_table(iwcm_ctl_table_hdr);
+ destroy_workqueue(iwcm_wq);
+- rdma_nl_unregister(RDMA_NL_IWCM);
+ iwpm_exit(RDMA_NL_IWCM);
+ }
+
+--
+2.30.2
+
--- /dev/null
+From b6593a4d489a3e37ba70007d5cd067ba9bc9432d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Aug 2021 15:35:01 +0300
+Subject: Revert "USB: xhci: fix U1/U2 handling for hardware with
+ XHCI_INTEL_HOST quirk set"
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+[ Upstream commit 2847c46c61486fd8bca9136a6e27177212e78c69 ]
+
+This reverts commit 5d5323a6f3625f101dbfa94ba3ef7706cce38760.
+
+That commit effectively disabled Intel host initiated U1/U2 lpm for devices
+with periodic endpoints.
+
+Before that commit we disabled host initiated U1/U2 lpm if the exit latency
+was larger than any periodic endpoint service interval, this is according
+to xhci spec xhci 1.1 specification section 4.23.5.2
+
+After that commit we incorrectly checked that service interval was smaller
+than U1/U2 inactivity timeout. This is not relevant, and can't happen for
+Intel hosts as previously set U1/U2 timeout = 105% * service interval.
+
+Patch claimed it solved cases where devices can't be enumerated because of
+bandwidth issues. This might be true but it's a side effect of accidentally
+turning off lpm.
+
+exit latency calculations have been revised since then
+
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20210820123503.2605901-5-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
+index c4e3760abd5b..bebab0ec2978 100644
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -4580,19 +4580,19 @@ static u16 xhci_calculate_u1_timeout(struct xhci_hcd *xhci,
+ {
+ unsigned long long timeout_ns;
+
+- if (xhci->quirks & XHCI_INTEL_HOST)
+- timeout_ns = xhci_calculate_intel_u1_timeout(udev, desc);
+- else
+- timeout_ns = udev->u1_params.sel;
+-
+ /* Prevent U1 if service interval is shorter than U1 exit latency */
+ if (usb_endpoint_xfer_int(desc) || usb_endpoint_xfer_isoc(desc)) {
+- if (xhci_service_interval_to_ns(desc) <= timeout_ns) {
++ if (xhci_service_interval_to_ns(desc) <= udev->u1_params.mel) {
+ dev_dbg(&udev->dev, "Disable U1, ESIT shorter than exit latency\n");
+ return USB3_LPM_DISABLED;
+ }
+ }
+
++ if (xhci->quirks & XHCI_INTEL_HOST)
++ timeout_ns = xhci_calculate_intel_u1_timeout(udev, desc);
++ else
++ timeout_ns = udev->u1_params.sel;
++
+ /* The U1 timeout is encoded in 1us intervals.
+ * Don't return a timeout of zero, because that's USB3_LPM_DISABLED.
+ */
+@@ -4644,19 +4644,19 @@ static u16 xhci_calculate_u2_timeout(struct xhci_hcd *xhci,
+ {
+ unsigned long long timeout_ns;
+
+- if (xhci->quirks & XHCI_INTEL_HOST)
+- timeout_ns = xhci_calculate_intel_u2_timeout(udev, desc);
+- else
+- timeout_ns = udev->u2_params.sel;
+-
+ /* Prevent U2 if service interval is shorter than U2 exit latency */
+ if (usb_endpoint_xfer_int(desc) || usb_endpoint_xfer_isoc(desc)) {
+- if (xhci_service_interval_to_ns(desc) <= timeout_ns) {
++ if (xhci_service_interval_to_ns(desc) <= udev->u2_params.mel) {
+ dev_dbg(&udev->dev, "Disable U2, ESIT shorter than exit latency\n");
+ return USB3_LPM_DISABLED;
+ }
+ }
+
++ if (xhci->quirks & XHCI_INTEL_HOST)
++ timeout_ns = xhci_calculate_intel_u2_timeout(udev, desc);
++ else
++ timeout_ns = udev->u2_params.sel;
++
+ /* The U2 timeout is encoded in 256us intervals */
+ timeout_ns = DIV_ROUND_UP_ULL(timeout_ns, 256 * 1000);
+ /* If the necessary timeout value is bigger than what we can set in the
+--
+2.30.2
+
--- /dev/null
+From dec6898e9dd07b51e480b582fcd4215b16a50fee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Aug 2021 16:41:42 -0400
+Subject: rpc: fix gss_svc_init cleanup on failure
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+[ Upstream commit 5a4753446253a427c0ff1e433b9c4933e5af207c ]
+
+The failure case here should be rare, but it's obviously wrong.
+
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/auth_gss/svcauth_gss.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
+index a85d78d2bdb7..d9d03881e4de 100644
+--- a/net/sunrpc/auth_gss/svcauth_gss.c
++++ b/net/sunrpc/auth_gss/svcauth_gss.c
+@@ -1914,7 +1914,7 @@ gss_svc_init_net(struct net *net)
+ goto out2;
+ return 0;
+ out2:
+- destroy_use_gss_proxy_proc_entry(net);
++ rsi_cache_destroy_net(net);
+ out1:
+ rsc_cache_destroy_net(net);
+ return rv;
+--
+2.30.2
+
--- /dev/null
+From 2d5f6f7e8dce45c42c999e14e606e05e7fe1dfb7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jul 2021 19:26:01 +0200
+Subject: s390/jump_label: print real address in a case of a jump label bug
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+[ Upstream commit 5492886c14744d239e87f1b0b774b5a341e755cc ]
+
+In case of a jump label print the real address of the piece of code
+where a mismatch was detected. This is right before the system panics,
+so there is nothing revealed.
+
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/jump_label.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/kernel/jump_label.c b/arch/s390/kernel/jump_label.c
+index 68f415e334a5..10009a0cdb37 100644
+--- a/arch/s390/kernel/jump_label.c
++++ b/arch/s390/kernel/jump_label.c
+@@ -41,7 +41,7 @@ static void jump_label_bug(struct jump_entry *entry, struct insn *expected,
+ unsigned char *ipe = (unsigned char *)expected;
+ unsigned char *ipn = (unsigned char *)new;
+
+- pr_emerg("Jump label code mismatch at %pS [%p]\n", ipc, ipc);
++ pr_emerg("Jump label code mismatch at %pS [%px]\n", ipc, ipc);
+ pr_emerg("Found: %6ph\n", ipc);
+ pr_emerg("Expected: %6ph\n", ipe);
+ pr_emerg("New: %6ph\n", ipn);
+--
+2.30.2
+
--- /dev/null
+From 57c04367fb06472ceb610564053b25007642a858 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jul 2021 04:10:55 +0000
+Subject: samples: bpf: Fix tracex7 error raised on the missing argument
+
+From: Juhee Kang <claudiajkang@gmail.com>
+
+[ Upstream commit 7d07006f05922b95518be403f08ef8437b67aa32 ]
+
+The current behavior of 'tracex7' doesn't consist with other bpf samples
+tracex{1..6}. Other samples do not require any argument to run with, but
+tracex7 should be run with btrfs device argument. (it should be executed
+with test_override_return.sh)
+
+Currently, tracex7 doesn't have any description about how to run this
+program and raises an unexpected error. And this result might be
+confusing since users might not have a hunch about how to run this
+program.
+
+ // Current behavior
+ # ./tracex7
+ sh: 1: Syntax error: word unexpected (expecting ")")
+ // Fixed behavior
+ # ./tracex7
+ ERROR: Run with the btrfs device argument!
+
+In order to fix this error, this commit adds logic to report a message
+and exit when running this program with a missing argument.
+
+Additionally in test_override_return.sh, there is a problem with
+multiple directory(tmpmnt) creation. So in this commit adds a line with
+removing the directory with every execution.
+
+Signed-off-by: Juhee Kang <claudiajkang@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/bpf/20210727041056.23455-1-claudiajkang@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/bpf/test_override_return.sh | 1 +
+ samples/bpf/tracex7_user.c | 5 +++++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/samples/bpf/test_override_return.sh b/samples/bpf/test_override_return.sh
+index e68b9ee6814b..35db26f736b9 100755
+--- a/samples/bpf/test_override_return.sh
++++ b/samples/bpf/test_override_return.sh
+@@ -1,5 +1,6 @@
+ #!/bin/bash
+
++rm -r tmpmnt
+ rm -f testfile.img
+ dd if=/dev/zero of=testfile.img bs=1M seek=1000 count=1
+ DEVICE=$(losetup --show -f testfile.img)
+diff --git a/samples/bpf/tracex7_user.c b/samples/bpf/tracex7_user.c
+index ea6dae78f0df..2ed13e9f3fcb 100644
+--- a/samples/bpf/tracex7_user.c
++++ b/samples/bpf/tracex7_user.c
+@@ -13,6 +13,11 @@ int main(int argc, char **argv)
+ char command[256];
+ int ret;
+
++ if (!argv[1]) {
++ fprintf(stderr, "ERROR: Run with the btrfs device argument!\n");
++ return 0;
++ }
++
+ snprintf(filename, sizeof(filename), "%s_kern.o", argv[0]);
+
+ if (load_bpf_file(filename)) {
+--
+2.30.2
+
--- /dev/null
+From 29e0432c132d02dfdbf90f1ddcd6582c540f38e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 11:47:53 +0300
+Subject: scsi: qedi: Fix error codes in qedi_alloc_global_queues()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 4dbe57d46d54a847875fa33e7d05877bb341585e ]
+
+This function had some left over code that returned 1 on error instead
+negative error codes. Convert everything to use negative error codes. The
+caller treats all non-zero returns the same so this does not affect run
+time.
+
+A couple places set "rc" instead of "status" so those error paths ended up
+returning success by mistake. Get rid of the "rc" variable and use
+"status" everywhere.
+
+Remove the bogus "status = 0" initialization, as a future proofing measure
+so the compiler will warn about uninitialized error codes.
+
+Link: https://lore.kernel.org/r/20210810084753.GD23810@kili
+Fixes: ace7f46ba5fd ("scsi: qedi: Add QLogic FastLinQ offload iSCSI driver framework.")
+Acked-by: Manish Rangankar <mrangankar@marvell.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qedi/qedi_main.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/scsi/qedi/qedi_main.c b/drivers/scsi/qedi/qedi_main.c
+index 7665fd641886..ab66e1f0fdfa 100644
+--- a/drivers/scsi/qedi/qedi_main.c
++++ b/drivers/scsi/qedi/qedi_main.c
+@@ -1507,7 +1507,7 @@ static int qedi_alloc_global_queues(struct qedi_ctx *qedi)
+ {
+ u32 *list;
+ int i;
+- int status = 0, rc;
++ int status;
+ u32 *pbl;
+ dma_addr_t page;
+ int num_pages;
+@@ -1518,14 +1518,14 @@ static int qedi_alloc_global_queues(struct qedi_ctx *qedi)
+ */
+ if (!qedi->num_queues) {
+ QEDI_ERR(&qedi->dbg_ctx, "No MSI-X vectors available!\n");
+- return 1;
++ return -ENOMEM;
+ }
+
+ /* Make sure we allocated the PBL that will contain the physical
+ * addresses of our queues
+ */
+ if (!qedi->p_cpuq) {
+- status = 1;
++ status = -EINVAL;
+ goto mem_alloc_failure;
+ }
+
+@@ -1540,13 +1540,13 @@ static int qedi_alloc_global_queues(struct qedi_ctx *qedi)
+ "qedi->global_queues=%p.\n", qedi->global_queues);
+
+ /* Allocate DMA coherent buffers for BDQ */
+- rc = qedi_alloc_bdq(qedi);
+- if (rc)
++ status = qedi_alloc_bdq(qedi);
++ if (status)
+ goto mem_alloc_failure;
+
+ /* Allocate DMA coherent buffers for NVM_ISCSI_CFG */
+- rc = qedi_alloc_nvm_iscsi_cfg(qedi);
+- if (rc)
++ status = qedi_alloc_nvm_iscsi_cfg(qedi);
++ if (status)
+ goto mem_alloc_failure;
+
+ /* Allocate a CQ and an associated PBL for each MSI-X
+--
+2.30.2
+
--- /dev/null
+From 781c3808e458443242a4e76fcbe85628199b4351 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Aug 2021 09:55:53 +0800
+Subject: selftests/bpf: Enlarge select() timeout for test_maps
+
+From: Li Zhijian <lizhijian@cn.fujitsu.com>
+
+[ Upstream commit 2d82d73da35b72b53fe0d96350a2b8d929d07e42 ]
+
+0Day robot observed that it's easily timeout on a heavy load host.
+-------------------
+ # selftests: bpf: test_maps
+ # Fork 1024 tasks to 'test_update_delete'
+ # Fork 1024 tasks to 'test_update_delete'
+ # Fork 100 tasks to 'test_hashmap'
+ # Fork 100 tasks to 'test_hashmap_percpu'
+ # Fork 100 tasks to 'test_hashmap_sizes'
+ # Fork 100 tasks to 'test_hashmap_walk'
+ # Fork 100 tasks to 'test_arraymap'
+ # Fork 100 tasks to 'test_arraymap_percpu'
+ # Failed sockmap unexpected timeout
+ not ok 3 selftests: bpf: test_maps # exit=1
+ # selftests: bpf: test_lru_map
+ # nr_cpus:8
+-------------------
+Since this test will be scheduled by 0Day to a random host that could have
+only a few cpus(2-8), enlarge the timeout to avoid a false NG report.
+
+In practice, i tried to pin it to only one cpu by 'taskset 0x01 ./test_maps',
+and knew 10S is likely enough, but i still perfer to a larger value 30.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Li Zhijian <lizhijian@cn.fujitsu.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Song Liu <songliubraving@fb.com>
+Link: https://lore.kernel.org/bpf/20210820015556.23276-2-lizhijian@cn.fujitsu.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_maps.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/test_maps.c b/tools/testing/selftests/bpf/test_maps.c
+index 4e202217fae1..87ba89df9802 100644
+--- a/tools/testing/selftests/bpf/test_maps.c
++++ b/tools/testing/selftests/bpf/test_maps.c
+@@ -796,7 +796,7 @@ static void test_sockmap(int tasks, void *data)
+
+ FD_ZERO(&w);
+ FD_SET(sfd[3], &w);
+- to.tv_sec = 1;
++ to.tv_sec = 30;
+ to.tv_usec = 0;
+ s = select(sfd[3] + 1, &w, NULL, NULL, &to);
+ if (s == -1) {
+--
+2.30.2
+
--- /dev/null
+From 342348096399bdc6e8106f0acf5e4acc4ea43dc2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Jun 2021 06:11:51 +0200
+Subject: serial: 8250: Define RX trigger levels for OxSemi 950 devices
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+[ Upstream commit d7aff291d069c4418285f3c8ee27b0ff67ce5998 ]
+
+Oxford Semiconductor 950 serial port devices have a 128-byte FIFO and in
+the enhanced (650) mode, which we select in `autoconfig_has_efr' with
+the ECB bit set in the EFR register, they support the receive interrupt
+trigger level selectable with FCR bits 7:6 from the set of 16, 32, 112,
+120. This applies to the original OX16C950 discrete UART[1] as well as
+950 cores embedded into more complex devices.
+
+For these devices we set the default to 112, which sets an excessively
+high level of 112 or 7/8 of the FIFO capacity, unlike with other port
+types where we choose at most 1/2 of their respective FIFO capacities.
+Additionally we don't make the trigger level configurable. Consequently
+frequent input overruns happen with high bit rates where hardware flow
+control cannot be used (e.g. terminal applications) even with otherwise
+highly-performant systems.
+
+Lower the default receive interrupt trigger level to 32 then, and make
+it configurable. Document the trigger levels along with other port
+types, including the set of 16, 32, 64, 112 for the transmit interrupt
+as well[2].
+
+References:
+
+[1] "OX16C950 rev B High Performance UART with 128 byte FIFOs", Oxford
+ Semiconductor, Inc., DS-0031, Sep 05, Table 10: "Receiver Trigger
+ Levels", p. 22
+
+[2] same, Table 9: "Transmit Interrupt Trigger Levels", p. 22
+
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Link: https://lore.kernel.org/r/alpine.DEB.2.21.2106260608480.37803@angie.orcam.me.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_port.c | 3 ++-
+ include/uapi/linux/serial_reg.h | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c
+index 68f71298c11b..39e821d6e537 100644
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -132,7 +132,8 @@ static const struct serial8250_config uart_config[] = {
+ .name = "16C950/954",
+ .fifo_size = 128,
+ .tx_loadsz = 128,
+- .fcr = UART_FCR_ENABLE_FIFO | UART_FCR_R_TRIG_10,
++ .fcr = UART_FCR_ENABLE_FIFO | UART_FCR_R_TRIG_01,
++ .rxtrig_bytes = {16, 32, 112, 120},
+ /* UART_CAP_EFR breaks billionon CF bluetooth card. */
+ .flags = UART_CAP_FIFO | UART_CAP_SLEEP,
+ },
+diff --git a/include/uapi/linux/serial_reg.h b/include/uapi/linux/serial_reg.h
+index be07b5470f4b..f51bc8f36813 100644
+--- a/include/uapi/linux/serial_reg.h
++++ b/include/uapi/linux/serial_reg.h
+@@ -62,6 +62,7 @@
+ * ST16C654: 8 16 56 60 8 16 32 56 PORT_16654
+ * TI16C750: 1 16 32 56 xx xx xx xx PORT_16750
+ * TI16C752: 8 16 56 60 8 16 32 56
++ * OX16C950: 16 32 112 120 16 32 64 112 PORT_16C950
+ * Tegra: 1 4 8 14 16 8 4 1 PORT_TEGRA
+ */
+ #define UART_FCR_R_TRIG_00 0x00
+--
+2.30.2
+
--- /dev/null
+From c4373913e760dea4fc5a1109abd42d2feb2a83f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jul 2021 15:07:17 +0200
+Subject: serial: 8250_pci: make setup_port() parameters explicitly unsigned
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+[ Upstream commit 3a96e97ab4e835078e6f27b7e1c0947814df3841 ]
+
+The bar and offset parameters to setup_port() are used in pointer math,
+and while it would be very difficult to get them to wrap as a negative
+number, just be "safe" and make them unsigned so that static checkers do
+not trip over them unintentionally.
+
+Cc: Jiri Slaby <jirislaby@kernel.org>
+Reported-by: Jordy Zomer <jordy@pwning.systems>
+Link: https://lore.kernel.org/r/20210726130717.2052096-1-gregkh@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c
+index 725e5842b8ac..f54c18e4ae90 100644
+--- a/drivers/tty/serial/8250/8250_pci.c
++++ b/drivers/tty/serial/8250/8250_pci.c
+@@ -70,7 +70,7 @@ static void moan_device(const char *str, struct pci_dev *dev)
+
+ static int
+ setup_port(struct serial_private *priv, struct uart_8250_port *port,
+- int bar, int offset, int regshift)
++ u8 bar, unsigned int offset, int regshift)
+ {
+ struct pci_dev *dev = priv->dev;
+
+--
+2.30.2
+
--- /dev/null
+From b282c122892da66619162f895baee738b2d14a1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Aug 2021 18:22:01 +0200
+Subject: serial: sh-sci: fix break handling for sysrq
+
+From: Ulrich Hecht <uli+renesas@fpond.eu>
+
+[ Upstream commit 87b8061bad9bd4b549b2daf36ffbaa57be2789a2 ]
+
+This fixes two issues that cause the sysrq sequence to be inadvertently
+aborted on SCIF serial consoles:
+
+- a NUL character remains in the RX queue after a break has been detected,
+ which is then passed on to uart_handle_sysrq_char()
+- the break interrupt is handled twice on controllers with multiplexed ERI
+ and BRI interrupts
+
+Signed-off-by: Ulrich Hecht <uli+renesas@fpond.eu>
+Link: https://lore.kernel.org/r/20210816162201.28801-1-uli+renesas@fpond.eu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/sh-sci.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c
+index db5b11879910..6f44c5f0ef3a 100644
+--- a/drivers/tty/serial/sh-sci.c
++++ b/drivers/tty/serial/sh-sci.c
+@@ -1750,6 +1750,10 @@ static irqreturn_t sci_br_interrupt(int irq, void *ptr)
+
+ /* Handle BREAKs */
+ sci_handle_breaks(port);
++
++ /* drop invalid character received before break was detected */
++ serial_port_in(port, SCxRDR);
++
+ sci_clear_SCxSR(port, SCxSR_BREAK_CLEAR(port));
+
+ return IRQ_HANDLED;
+@@ -1829,7 +1833,8 @@ static irqreturn_t sci_mpxed_interrupt(int irq, void *ptr)
+ ret = sci_er_interrupt(irq, ptr);
+
+ /* Break Interrupt */
+- if ((ssr_status & SCxSR_BRK(port)) && err_enabled)
++ if (s->irqs[SCIx_ERI_IRQ] != s->irqs[SCIx_BRI_IRQ] &&
++ (ssr_status & SCxSR_BRK(port)) && err_enabled)
+ ret = sci_br_interrupt(irq, ptr);
+
+ /* Overrun Interrupt */
+--
+2.30.2
+
pci-xilinx-nwl-enable-the-clock-through-ccf.patch
pci-aardvark-increase-polling-delay-to-1.5s-while-waiting-for-pio-response.patch
pci-aardvark-fix-masking-and-unmasking-legacy-intx-interrupts.patch
+hid-input-do-not-report-stylus-battery-state-as-full.patch
+rdma-iwcm-release-resources-if-iw_cm-module-initiali.patch
+docs-fix-infiniband-uverbs-minor-number.patch
+pinctrl-samsung-fix-pinctrl-bank-pin-count.patch
+vfio-use-config-not-menuconfig-for-vfio_noiommu.patch
+powerpc-stacktrace-include-linux-delay.h.patch
+openrisc-don-t-printk-unconditionally.patch
+pinctrl-single-fix-error-return-code-in-pcs_parse_bi.patch
+scsi-qedi-fix-error-codes-in-qedi_alloc_global_queue.patch
+platform-x86-dell-smbios-wmi-add-missing-kfree-in-er.patch
+fscache-fix-cookie-key-hashing.patch
+f2fs-fix-to-account-missing-.skipped_gc_rwsem.patch
+f2fs-fix-to-unmap-pages-from-userspace-process-in-pu.patch
+mips-malta-fix-alignment-of-the-devicetree-buffer.patch
+userfaultfd-prevent-concurrent-api-initialization.patch
+media-dib8000-rewrite-the-init-prbs-logic.patch
+crypto-mxs-dcp-use-sg_mapping_iter-to-copy-data.patch
+pci-use-pci_update_current_state-in-pci_enable_devic.patch
+tipc-keep-the-skb-in-rcv-queue-until-the-whole-data-.patch
+iio-dac-ad5624r-fix-incorrect-handling-of-an-optiona.patch
+arm-dts-qcom-apq8064-correct-clock-names.patch
+video-fbdev-kyro-fix-a-dos-bug-by-restricting-user-i.patch
+netlink-deal-with-esrch-error-in-nlmsg_notify.patch
+smack-fix-wrong-semantics-in-smk_access_entry.patch
+usb-host-fotg210-fix-the-endpoint-s-transactional-op.patch
+usb-host-fotg210-fix-the-actual_length-of-an-iso-pac.patch
+usb-gadget-u_ether-fix-a-potential-null-pointer-dere.patch
+usb-gadget-composite-allow-bmaxpower-0-if-self-power.patch
+staging-board-fix-uninitialized-spinlock-when-attach.patch
+tty-serial-jsm-hold-port-lock-when-reporting-modem-l.patch
+drm-amd-amdgpu-update-debugfs-link_settings-output-l.patch
+bpf-tests-fix-copy-and-paste-error-in-double-word-te.patch
+bpf-tests-do-not-pass-tests-without-actually-testing.patch
+video-fbdev-asiliantfb-error-out-if-pixclock-equals-.patch
+video-fbdev-kyro-error-out-if-pixclock-equals-zero.patch
+video-fbdev-riva-error-out-if-pixclock-equals-zero.patch
+ipv4-ip_output.c-fix-out-of-bounds-warning-in-ip_cop.patch
+flow_dissector-fix-out-of-bounds-warnings.patch
+s390-jump_label-print-real-address-in-a-case-of-a-ju.patch
+serial-8250-define-rx-trigger-levels-for-oxsemi-950-.patch
+xtensa-iss-don-t-panic-in-rs_init.patch
+hvsi-don-t-panic-on-tty_register_driver-failure.patch
+serial-8250_pci-make-setup_port-parameters-explicitl.patch
+staging-ks7010-fix-the-initialization-of-the-sleep_s.patch
+samples-bpf-fix-tracex7-error-raised-on-the-missing-.patch
+ata-sata_dwc_460ex-no-need-to-call-phy_exit-befre-ph.patch
+bluetooth-skip-invalid-hci_sync_conn_complete_evt.patch
+bonding-3ad-fix-the-concurrency-between-__bond_relea.patch
+asoc-intel-bytcr_rt5640-move-platform-clock-routes-t.patch
+bpf-fix-off-by-one-in-tail-call-count-limiting.patch
+media-imx258-rectify-mismatch-of-vts-value.patch
+media-imx258-limit-the-max-analogue-gain-to-480.patch
+media-v4l2-dv-timings.c-fix-wrong-condition-in-two-f.patch
+media-tda1997x-fix-tda1997x_query_dv_timings-return-.patch
+media-tegra-cec-handle-errors-of-clk_prepare_enable.patch
+arm-dts-imx53-ppd-fix-achc-entry.patch
+arm64-dts-qcom-sdm660-use-reg-value-for-memory-node.patch
+net-ethernet-stmmac-do-not-use-unreachable-in-ipq806.patch
+bluetooth-schedule-sco-timeouts-with-delayed_work.patch
+bluetooth-avoid-circular-locks-in-sco_sock_connect.patch
+gpu-drm-amd-amdgpu-amdgpu_i2c-fix-possible-uninitial.patch
+arm-tegra-tamonten-fix-uart-pad-setting.patch
+bluetooth-fix-handling-of-le-enhanced-connection-com.patch
+serial-sh-sci-fix-break-handling-for-sysrq.patch
+tcp-enable-data-less-empty-cookie-syn-with-tfo_serve.patch
+rpc-fix-gss_svc_init-cleanup-on-failure.patch
+staging-rts5208-fix-get_ms_information-heap-buffer-s.patch
+gfs2-don-t-call-dlm-after-protocol-is-unmounted.patch
+of-don-t-allow-__of_attached_node_sysfs-without-conf.patch
+mmc-sdhci-of-arasan-check-return-value-of-non-void-f.patch
+mmc-rtsx_pci-fix-long-reads-when-clock-is-prescaled.patch
+selftests-bpf-enlarge-select-timeout-for-test_maps.patch
+mmc-core-return-correct-emmc-response-in-case-of-ioc.patch
+cifs-fix-wrong-release-in-sess_alloc_buffer-failed-p.patch
+revert-usb-xhci-fix-u1-u2-handling-for-hardware-with.patch
+usb-musb-musb_dsps-request_irq-after-initializing-mu.patch
+usbip-give-back-urbs-for-unsent-unlink-requests-duri.patch
+usbip-vhci_hcd-usb-port-can-get-stuck-in-the-disable.patch
+asoc-rockchip-i2s-fix-regmap_ops-hang.patch
+asoc-rockchip-i2s-fixup-config-for-daifmt_dsp_a-b.patch
+parport-remove-non-zero-check-on-count.patch
+ath9k-fix-oob-read-ar9300_eeprom_restore_internal.patch
+ath9k-fix-sleeping-in-atomic-context.patch
+net-fix-null-pointer-reference-in-cipso_v4_doi_free.patch
+net-w5100-check-return-value-after-calling-platform_.patch
--- /dev/null
+From d9166e905d483f3f26b1e14da334c39e93808af0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 17:17:24 +0800
+Subject: Smack: Fix wrong semantics in smk_access_entry()
+
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+
+[ Upstream commit 6d14f5c7028eea70760df284057fe198ce7778dd ]
+
+In the smk_access_entry() function, if no matching rule is found
+in the rust_list, a negative error code will be used to perform bit
+operations with the MAY_ enumeration value. This is semantically
+wrong. This patch fixes this issue.
+
+Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/smack/smack_access.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
+index a7855c61c05c..07d23b4f76f3 100644
+--- a/security/smack/smack_access.c
++++ b/security/smack/smack_access.c
+@@ -85,23 +85,22 @@ int log_policy = SMACK_AUDIT_DENIED;
+ int smk_access_entry(char *subject_label, char *object_label,
+ struct list_head *rule_list)
+ {
+- int may = -ENOENT;
+ struct smack_rule *srp;
+
+ list_for_each_entry_rcu(srp, rule_list, list) {
+ if (srp->smk_object->smk_known == object_label &&
+ srp->smk_subject->smk_known == subject_label) {
+- may = srp->smk_access;
+- break;
++ int may = srp->smk_access;
++ /*
++ * MAY_WRITE implies MAY_LOCK.
++ */
++ if ((may & MAY_WRITE) == MAY_WRITE)
++ may |= MAY_LOCK;
++ return may;
+ }
+ }
+
+- /*
+- * MAY_WRITE implies MAY_LOCK.
+- */
+- if ((may & MAY_WRITE) == MAY_WRITE)
+- may |= MAY_LOCK;
+- return may;
++ return -ENOENT;
+ }
+
+ /**
+--
+2.30.2
+
--- /dev/null
+From c28cfad8899b93dba6c5f40793c4087a157f74a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jul 2021 12:13:46 +0200
+Subject: staging: board: Fix uninitialized spinlock when attaching genpd
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit df00609821bf17f50a75a446266d19adb8339d84 ]
+
+On Armadillo-800-EVA with CONFIG_DEBUG_SPINLOCK=y:
+
+ BUG: spinlock bad magic on CPU#0, swapper/1
+ lock: lcdc0_device+0x10c/0x308, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0
+ CPU: 0 PID: 1 Comm: swapper Not tainted 5.11.0-rc5-armadillo-00036-gbbca04be7a80-dirty #287
+ Hardware name: Generic R8A7740 (Flattened Device Tree)
+ [<c010c3c8>] (unwind_backtrace) from [<c010a49c>] (show_stack+0x10/0x14)
+ [<c010a49c>] (show_stack) from [<c0159534>] (do_raw_spin_lock+0x20/0x94)
+ [<c0159534>] (do_raw_spin_lock) from [<c040858c>] (dev_pm_get_subsys_data+0x8c/0x11c)
+ [<c040858c>] (dev_pm_get_subsys_data) from [<c05fbcac>] (genpd_add_device+0x78/0x2b8)
+ [<c05fbcac>] (genpd_add_device) from [<c0412db4>] (of_genpd_add_device+0x34/0x4c)
+ [<c0412db4>] (of_genpd_add_device) from [<c0a1ea74>] (board_staging_register_device+0x11c/0x148)
+ [<c0a1ea74>] (board_staging_register_device) from [<c0a1eac4>] (board_staging_register_devices+0x24/0x28)
+
+of_genpd_add_device() is called before platform_device_register(), as it
+needs to attach the genpd before the device is probed. But the spinlock
+is only initialized when the device is registered.
+
+Fix this by open-coding the spinlock initialization, cfr.
+device_pm_init_common() in the internal drivers/base code, and in the
+SuperH early platform code.
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/57783ece7ddae55f2bda2f59f452180bff744ea0.1626257398.git.geert+renesas@glider.be
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/board/board.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/board/board.c b/drivers/staging/board/board.c
+index cb6feb34dd40..f980af037345 100644
+--- a/drivers/staging/board/board.c
++++ b/drivers/staging/board/board.c
+@@ -136,6 +136,7 @@ int __init board_staging_register_clock(const struct board_staging_clk *bsc)
+ static int board_staging_add_dev_domain(struct platform_device *pdev,
+ const char *domain)
+ {
++ struct device *dev = &pdev->dev;
+ struct of_phandle_args pd_args;
+ struct device_node *np;
+
+@@ -148,7 +149,11 @@ static int board_staging_add_dev_domain(struct platform_device *pdev,
+ pd_args.np = np;
+ pd_args.args_count = 0;
+
+- return of_genpd_add_device(&pd_args, &pdev->dev);
++ /* Initialization similar to device_pm_init_common() */
++ spin_lock_init(&dev->power.lock);
++ dev->power.early_init = true;
++
++ return of_genpd_add_device(&pd_args, dev);
+ }
+ #else
+ static inline int board_staging_add_dev_domain(struct platform_device *pdev,
+--
+2.30.2
+
--- /dev/null
+From 700fbe33c5de43cac770e15bc513ca52b83b1f91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jul 2021 10:45:11 +0200
+Subject: staging: ks7010: Fix the initialization of the 'sleep_status'
+ structure
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 56315e55119c0ea57e142b6efb7c31208628ad86 ]
+
+'sleep_status' has 3 atomic_t members. Initialize the 3 of them instead of
+initializing only 2 of them and setting 0 twice to the same variable.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/d2e52a33a9beab41879551d0ae2fdfc99970adab.1626856991.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/ks7010/ks7010_sdio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/ks7010/ks7010_sdio.c b/drivers/staging/ks7010/ks7010_sdio.c
+index 74551eb717fc..79d0513bd282 100644
+--- a/drivers/staging/ks7010/ks7010_sdio.c
++++ b/drivers/staging/ks7010/ks7010_sdio.c
+@@ -938,9 +938,9 @@ static void ks7010_private_init(struct ks_wlan_private *priv,
+ memset(&priv->wstats, 0, sizeof(priv->wstats));
+
+ /* sleep mode */
++ atomic_set(&priv->sleepstatus.status, 0);
+ atomic_set(&priv->sleepstatus.doze_request, 0);
+ atomic_set(&priv->sleepstatus.wakeup_request, 0);
+- atomic_set(&priv->sleepstatus.wakeup_request, 0);
+
+ trx_device_init(priv);
+ hostif_init(priv);
+--
+2.30.2
+
--- /dev/null
+From 46de7e8ac114c269f33a2355d0f42df37f82311b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Aug 2021 21:42:52 -0700
+Subject: staging: rts5208: Fix get_ms_information() heap buffer size
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit cbe34165cc1b7d1110b268ba8b9f30843c941639 ]
+
+Fix buf allocation size (it needs to be 2 bytes larger). Found when
+__alloc_size() annotations were added to kmalloc() interfaces.
+
+In file included from ./include/linux/string.h:253,
+ from ./include/linux/bitmap.h:10,
+ from ./include/linux/cpumask.h:12,
+ from ./arch/x86/include/asm/paravirt.h:17,
+ from ./arch/x86/include/asm/irqflags.h:63,
+ from ./include/linux/irqflags.h:16,
+ from ./include/linux/rcupdate.h:26,
+ from ./include/linux/rculist.h:11,
+ from ./include/linux/pid.h:5,
+ from ./include/linux/sched.h:14,
+ from ./include/linux/blkdev.h:5,
+ from drivers/staging/rts5208/rtsx_scsi.c:12:
+In function 'get_ms_information',
+ inlined from 'ms_sp_cmnd' at drivers/staging/rts5208/rtsx_scsi.c:2877:12,
+ inlined from 'rtsx_scsi_handler' at drivers/staging/rts5208/rtsx_scsi.c:3247:12:
+./include/linux/fortify-string.h:54:29: warning: '__builtin_memcpy' forming offset [106, 107] is out
+ of the bounds [0, 106] [-Warray-bounds]
+ 54 | #define __underlying_memcpy __builtin_memcpy
+ | ^
+./include/linux/fortify-string.h:417:2: note: in expansion of macro '__underlying_memcpy'
+ 417 | __underlying_##op(p, q, __fortify_size); \
+ | ^~~~~~~~~~~~~
+./include/linux/fortify-string.h:463:26: note: in expansion of macro '__fortify_memcpy_chk'
+ 463 | #define memcpy(p, q, s) __fortify_memcpy_chk(p, q, s, \
+ | ^~~~~~~~~~~~~~~~~~~~
+drivers/staging/rts5208/rtsx_scsi.c:2851:3: note: in expansion of macro 'memcpy'
+ 2851 | memcpy(buf + i, ms_card->raw_sys_info, 96);
+ | ^~~~~~
+
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: linux-staging@lists.linux.dev
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20210818044252.1533634-1-keescook@chromium.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/rts5208/rtsx_scsi.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/staging/rts5208/rtsx_scsi.c b/drivers/staging/rts5208/rtsx_scsi.c
+index c9a6d97938f6..68889d082c3c 100644
+--- a/drivers/staging/rts5208/rtsx_scsi.c
++++ b/drivers/staging/rts5208/rtsx_scsi.c
+@@ -2841,10 +2841,10 @@ static int get_ms_information(struct scsi_cmnd *srb, struct rtsx_chip *chip)
+ }
+
+ if (dev_info_id == 0x15) {
+- buf_len = 0x3A;
++ buf_len = 0x3C;
+ data_len = 0x3A;
+ } else {
+- buf_len = 0x6A;
++ buf_len = 0x6C;
+ data_len = 0x6A;
+ }
+
+@@ -2895,11 +2895,7 @@ static int get_ms_information(struct scsi_cmnd *srb, struct rtsx_chip *chip)
+ }
+
+ rtsx_stor_set_xfer_buf(buf, buf_len, srb);
+-
+- if (dev_info_id == 0x15)
+- scsi_set_resid(srb, scsi_bufflen(srb) - 0x3C);
+- else
+- scsi_set_resid(srb, scsi_bufflen(srb) - 0x6C);
++ scsi_set_resid(srb, scsi_bufflen(srb) - buf_len);
+
+ kfree(buf);
+ return STATUS_SUCCESS;
+--
+2.30.2
+
--- /dev/null
+From e46f553106b58162c9eeace06ab19f930e27400a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Aug 2021 20:51:06 +0000
+Subject: tcp: enable data-less, empty-cookie SYN with
+ TFO_SERVER_COOKIE_NOT_REQD
+
+From: Luke Hsiao <lukehsiao@google.com>
+
+[ Upstream commit e3faa49bcecdfcc80e94dd75709d6acb1a5d89f6 ]
+
+Since the original TFO server code was implemented in commit
+168a8f58059a22feb9e9a2dcc1b8053dbbbc12ef ("tcp: TCP Fast Open Server -
+main code path") the TFO server code has supported the sysctl bit flag
+TFO_SERVER_COOKIE_NOT_REQD. Currently, when the TFO_SERVER_ENABLE and
+TFO_SERVER_COOKIE_NOT_REQD sysctl bit flags are set, a server connection
+will accept a SYN with N bytes of data (N > 0) that has no TFO cookie,
+create a new fast open connection, process the incoming data in the SYN,
+and make the connection ready for accepting. After accepting, the
+connection is ready for read()/recvmsg() to read the N bytes of data in
+the SYN, ready for write()/sendmsg() calls and data transmissions to
+transmit data.
+
+This commit changes an edge case in this feature by changing this
+behavior to apply to (N >= 0) bytes of data in the SYN rather than only
+(N > 0) bytes of data in the SYN. Now, a server will accept a data-less
+SYN without a TFO cookie if TFO_SERVER_COOKIE_NOT_REQD is set.
+
+Caveat! While this enables a new kind of TFO (data-less empty-cookie
+SYN), some firewall rules setup may not work if they assume such packets
+are not legit TFOs and will filter them.
+
+Signed-off-by: Luke Hsiao <lukehsiao@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20210816205105.2533289-1-luke.w.hsiao@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_fastopen.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
+index 2ab371f55525..119d2c2f3b04 100644
+--- a/net/ipv4/tcp_fastopen.c
++++ b/net/ipv4/tcp_fastopen.c
+@@ -342,8 +342,7 @@ struct sock *tcp_try_fastopen(struct sock *sk, struct sk_buff *skb,
+ return NULL;
+ }
+
+- if (syn_data &&
+- tcp_fastopen_no_cookie(sk, dst, TFO_SERVER_COOKIE_NOT_REQD))
++ if (tcp_fastopen_no_cookie(sk, dst, TFO_SERVER_COOKIE_NOT_REQD))
+ goto fastopen;
+
+ if (foc->len >= 0 && /* Client presents or requests a cookie */
+--
+2.30.2
+
--- /dev/null
+From fa4079b1f79476542b63f95aa13c460a85805802 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jul 2021 17:44:07 -0400
+Subject: tipc: keep the skb in rcv queue until the whole data is read
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit f4919ff59c2828064b4156e3c3600a169909bcf4 ]
+
+Currently, when userspace reads a datagram with a buffer that is
+smaller than this datagram, the data will be truncated and only
+part of it can be received by users. It doesn't seem right that
+users don't know the datagram size and have to use a huge buffer
+to read it to avoid the truncation.
+
+This patch to fix it by keeping the skb in rcv queue until the
+whole data is read by users. Only the last msg of the datagram
+will be marked with MSG_EOR, just as TCP/SCTP does.
+
+Note that this will work as above only when MSG_EOR is set in the
+flags parameter of recvmsg(), so that it won't break any old user
+applications.
+
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/socket.c | 36 +++++++++++++++++++++++++++---------
+ 1 file changed, 27 insertions(+), 9 deletions(-)
+
+diff --git a/net/tipc/socket.c b/net/tipc/socket.c
+index 6aead6deaa6c..e9acbb290d71 100644
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -1716,6 +1716,7 @@ static int tipc_recvmsg(struct socket *sock, struct msghdr *m,
+ bool connected = !tipc_sk_type_connectionless(sk);
+ struct tipc_sock *tsk = tipc_sk(sk);
+ int rc, err, hlen, dlen, copy;
++ struct tipc_skb_cb *skb_cb;
+ struct sk_buff_head xmitq;
+ struct tipc_msg *hdr;
+ struct sk_buff *skb;
+@@ -1739,6 +1740,7 @@ static int tipc_recvmsg(struct socket *sock, struct msghdr *m,
+ if (unlikely(rc))
+ goto exit;
+ skb = skb_peek(&sk->sk_receive_queue);
++ skb_cb = TIPC_SKB_CB(skb);
+ hdr = buf_msg(skb);
+ dlen = msg_data_sz(hdr);
+ hlen = msg_hdr_sz(hdr);
+@@ -1758,18 +1760,33 @@ static int tipc_recvmsg(struct socket *sock, struct msghdr *m,
+
+ /* Capture data if non-error msg, otherwise just set return value */
+ if (likely(!err)) {
+- copy = min_t(int, dlen, buflen);
+- if (unlikely(copy != dlen))
+- m->msg_flags |= MSG_TRUNC;
+- rc = skb_copy_datagram_msg(skb, hlen, m, copy);
++ int offset = skb_cb->bytes_read;
++
++ copy = min_t(int, dlen - offset, buflen);
++ rc = skb_copy_datagram_msg(skb, hlen + offset, m, copy);
++ if (unlikely(rc))
++ goto exit;
++ if (unlikely(offset + copy < dlen)) {
++ if (flags & MSG_EOR) {
++ if (!(flags & MSG_PEEK))
++ skb_cb->bytes_read = offset + copy;
++ } else {
++ m->msg_flags |= MSG_TRUNC;
++ skb_cb->bytes_read = 0;
++ }
++ } else {
++ if (flags & MSG_EOR)
++ m->msg_flags |= MSG_EOR;
++ skb_cb->bytes_read = 0;
++ }
+ } else {
+ copy = 0;
+ rc = 0;
+- if (err != TIPC_CONN_SHUTDOWN && connected && !m->msg_control)
++ if (err != TIPC_CONN_SHUTDOWN && connected && !m->msg_control) {
+ rc = -ECONNRESET;
++ goto exit;
++ }
+ }
+- if (unlikely(rc))
+- goto exit;
+
+ /* Mark message as group event if applicable */
+ if (unlikely(grp_evt)) {
+@@ -1792,9 +1809,10 @@ static int tipc_recvmsg(struct socket *sock, struct msghdr *m,
+ tipc_node_distr_xmit(sock_net(sk), &xmitq);
+ }
+
+- tsk_advance_rx_queue(sk);
++ if (!skb_cb->bytes_read)
++ tsk_advance_rx_queue(sk);
+
+- if (likely(!connected))
++ if (likely(!connected) || skb_cb->bytes_read)
+ goto exit;
+
+ /* Send connection flow control advertisement when applicable */
+--
+2.30.2
+
--- /dev/null
+From 7d0a3ce30291589e552160a6168899f72cd91662 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jul 2021 05:53:23 +0000
+Subject: tty: serial: jsm: hold port lock when reporting modem line changes
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit 240e126c28df084222f0b661321e8e3ecb0d232e ]
+
+uart_handle_dcd_change() requires a port lock to be held and will emit a
+warning when lockdep is enabled.
+
+Held corresponding lock to fix the following warnings.
+
+[ 132.528648] WARNING: CPU: 5 PID: 11600 at drivers/tty/serial/serial_core.c:3046 uart_handle_dcd_change+0xf4/0x120
+[ 132.530482] Modules linked in:
+[ 132.531050] CPU: 5 PID: 11600 Comm: jsm Not tainted 5.14.0-rc1-00003-g7fef2edf7cc7-dirty #31
+[ 132.535268] RIP: 0010:uart_handle_dcd_change+0xf4/0x120
+[ 132.557100] Call Trace:
+[ 132.557562] ? __free_pages+0x83/0xb0
+[ 132.558213] neo_parse_modem+0x156/0x220
+[ 132.558897] neo_param+0x399/0x840
+[ 132.559495] jsm_tty_open+0x12f/0x2d0
+[ 132.560131] uart_startup.part.18+0x153/0x340
+[ 132.560888] ? lock_is_held_type+0xe9/0x140
+[ 132.561660] uart_port_activate+0x7f/0xe0
+[ 132.562351] ? uart_startup.part.18+0x340/0x340
+[ 132.563003] tty_port_open+0x8d/0xf0
+[ 132.563523] ? uart_set_options+0x1e0/0x1e0
+[ 132.564125] uart_open+0x24/0x40
+[ 132.564604] tty_open+0x15c/0x630
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Link: https://lore.kernel.org/r/1626242003-3809-1-git-send-email-zheyuma97@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/jsm/jsm_neo.c | 2 ++
+ drivers/tty/serial/jsm/jsm_tty.c | 3 +++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/drivers/tty/serial/jsm/jsm_neo.c b/drivers/tty/serial/jsm/jsm_neo.c
+index bf0e2a4cb0ce..c6f927a76c3b 100644
+--- a/drivers/tty/serial/jsm/jsm_neo.c
++++ b/drivers/tty/serial/jsm/jsm_neo.c
+@@ -815,7 +815,9 @@ static void neo_parse_isr(struct jsm_board *brd, u32 port)
+ /* Parse any modem signal changes */
+ jsm_dbg(INTR, &ch->ch_bd->pci_dev,
+ "MOD_STAT: sending to parse_modem_sigs\n");
++ spin_lock_irqsave(&ch->uart_port.lock, lock_flags);
+ neo_parse_modem(ch, readb(&ch->ch_neo_uart->msr));
++ spin_unlock_irqrestore(&ch->uart_port.lock, lock_flags);
+ }
+ }
+
+diff --git a/drivers/tty/serial/jsm/jsm_tty.c b/drivers/tty/serial/jsm/jsm_tty.c
+index 689774c073ca..8438454ca653 100644
+--- a/drivers/tty/serial/jsm/jsm_tty.c
++++ b/drivers/tty/serial/jsm/jsm_tty.c
+@@ -187,6 +187,7 @@ static void jsm_tty_break(struct uart_port *port, int break_state)
+
+ static int jsm_tty_open(struct uart_port *port)
+ {
++ unsigned long lock_flags;
+ struct jsm_board *brd;
+ struct jsm_channel *channel =
+ container_of(port, struct jsm_channel, uart_port);
+@@ -240,6 +241,7 @@ static int jsm_tty_open(struct uart_port *port)
+ channel->ch_cached_lsr = 0;
+ channel->ch_stops_sent = 0;
+
++ spin_lock_irqsave(&port->lock, lock_flags);
+ termios = &port->state->port.tty->termios;
+ channel->ch_c_cflag = termios->c_cflag;
+ channel->ch_c_iflag = termios->c_iflag;
+@@ -259,6 +261,7 @@ static int jsm_tty_open(struct uart_port *port)
+ jsm_carrier(channel);
+
+ channel->ch_open_count++;
++ spin_unlock_irqrestore(&port->lock, lock_flags);
+
+ jsm_dbg(OPEN, &channel->ch_bd->pci_dev, "finish\n");
+ return 0;
+--
+2.30.2
+
--- /dev/null
+From ed98e460ae007125e6c1b320339172b91e1327a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jul 2021 01:09:07 -0700
+Subject: usb: gadget: composite: Allow bMaxPower=0 if self-powered
+
+From: Jack Pham <jackp@codeaurora.org>
+
+[ Upstream commit bcacbf06c891374e7fdd7b72d11cda03b0269b43 ]
+
+Currently the composite driver encodes the MaxPower field of
+the configuration descriptor by reading the c->MaxPower of the
+usb_configuration only if it is non-zero, otherwise it falls back
+to using the value hard-coded in CONFIG_USB_GADGET_VBUS_DRAW.
+However, there are cases when a configuration must explicitly set
+bMaxPower to 0, particularly if its bmAttributes also has the
+Self-Powered bit set, which is a valid combination.
+
+This is specifically called out in the USB PD specification section
+9.1, in which a PDUSB device "shall report zero in the bMaxPower
+field after negotiating a mutually agreeable Contract", and also
+verified by the USB Type-C Functional Test TD.4.10.2 Sink Power
+Precedence Test.
+
+The fix allows the c->MaxPower to be used for encoding the bMaxPower
+even if it is 0, if the self-powered bit is also set. An example
+usage of this would be for a ConfigFS gadget to be dynamically
+updated by userspace when the Type-C connection is determined to be
+operating in Power Delivery mode.
+
+Co-developed-by: Ronak Vijay Raheja <rraheja@codeaurora.org>
+Acked-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Ronak Vijay Raheja <rraheja@codeaurora.org>
+Signed-off-by: Jack Pham <jackp@codeaurora.org>
+Link: https://lore.kernel.org/r/20210720080907.30292-1-jackp@codeaurora.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/composite.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
+index d85bb3ba8263..a76ed4acb570 100644
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -481,7 +481,7 @@ static u8 encode_bMaxPower(enum usb_device_speed speed,
+ {
+ unsigned val;
+
+- if (c->MaxPower)
++ if (c->MaxPower || (c->bmAttributes & USB_CONFIG_ATT_SELFPOWER))
+ val = c->MaxPower;
+ else
+ val = CONFIG_USB_GADGET_VBUS_DRAW;
+@@ -891,7 +891,11 @@ static int set_config(struct usb_composite_dev *cdev,
+ }
+
+ /* when we return, be sure our power usage is valid */
+- power = c->MaxPower ? c->MaxPower : CONFIG_USB_GADGET_VBUS_DRAW;
++ if (c->MaxPower || (c->bmAttributes & USB_CONFIG_ATT_SELFPOWER))
++ power = c->MaxPower;
++ else
++ power = CONFIG_USB_GADGET_VBUS_DRAW;
++
+ if (gadget->speed < USB_SPEED_SUPER)
+ power = min(power, 500U);
+ else
+--
+2.30.2
+
--- /dev/null
+From f6474c1b3fb379f2d472909666471925396a4f8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Jul 2021 04:48:34 -0700
+Subject: usb: gadget: u_ether: fix a potential null pointer dereference
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Żenczykowski <maze@google.com>
+
+[ Upstream commit 8ae01239609b29ec2eff55967c8e0fe3650cfa09 ]
+
+f_ncm tx timeout can call us with null skb to flush
+a pending frame. In this case skb is NULL to begin
+with but ceases to be null after dev->wrap() completes.
+
+In such a case in->maxpacket will be read, even though
+we've failed to check that 'in' is not NULL.
+
+Though I've never observed this fail in practice,
+however the 'flush operation' simply does not make sense with
+a null usb IN endpoint - there's nowhere to flush to...
+(note that we're the gadget/device, and IN is from the point
+ of view of the host, so here IN actually means outbound...)
+
+Cc: Brooke Basile <brookebasile@gmail.com>
+Cc: "Bryan O'Donoghue" <bryan.odonoghue@linaro.org>
+Cc: Felipe Balbi <balbi@kernel.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Lorenzo Colitti <lorenzo@google.com>
+Signed-off-by: Maciej Żenczykowski <maze@google.com>
+Link: https://lore.kernel.org/r/20210701114834.884597-6-zenczykowski@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/u_ether.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c
+index 156651df6b4d..d7a12161e553 100644
+--- a/drivers/usb/gadget/function/u_ether.c
++++ b/drivers/usb/gadget/function/u_ether.c
+@@ -491,8 +491,9 @@ static netdev_tx_t eth_start_xmit(struct sk_buff *skb,
+ }
+ spin_unlock_irqrestore(&dev->lock, flags);
+
+- if (skb && !in) {
+- dev_kfree_skb_any(skb);
++ if (!in) {
++ if (skb)
++ dev_kfree_skb_any(skb);
+ return NETDEV_TX_OK;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 5981f2426356cf0c5285525f116b9768da12d407 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Jun 2021 20:57:47 +0800
+Subject: usb: host: fotg210: fix the actual_length of an iso packet
+
+From: Kelly Devilliv <kelly.devilliv@gmail.com>
+
+[ Upstream commit 091cb2f782f32ab68c6f5f326d7868683d3d4875 ]
+
+We should acquire the actual_length of an iso packet
+from the iTD directly using FOTG210_ITD_LENGTH() macro.
+
+Signed-off-by: Kelly Devilliv <kelly.devilliv@gmail.com>
+Link: https://lore.kernel.org/r/20210627125747.127646-4-kelly.devilliv@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/fotg210-hcd.c | 5 ++---
+ drivers/usb/host/fotg210.h | 5 -----
+ 2 files changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/usb/host/fotg210-hcd.c b/drivers/usb/host/fotg210-hcd.c
+index 4e98f7b492df..157742431961 100644
+--- a/drivers/usb/host/fotg210-hcd.c
++++ b/drivers/usb/host/fotg210-hcd.c
+@@ -4459,13 +4459,12 @@ static bool itd_complete(struct fotg210_hcd *fotg210, struct fotg210_itd *itd)
+
+ /* HC need not update length with this error */
+ if (!(t & FOTG210_ISOC_BABBLE)) {
+- desc->actual_length =
+- fotg210_itdlen(urb, desc, t);
++ desc->actual_length = FOTG210_ITD_LENGTH(t);
+ urb->actual_length += desc->actual_length;
+ }
+ } else if (likely((t & FOTG210_ISOC_ACTIVE) == 0)) {
+ desc->status = 0;
+- desc->actual_length = fotg210_itdlen(urb, desc, t);
++ desc->actual_length = FOTG210_ITD_LENGTH(t);
+ urb->actual_length += desc->actual_length;
+ } else {
+ /* URB was too late */
+diff --git a/drivers/usb/host/fotg210.h b/drivers/usb/host/fotg210.h
+index 7fcd785c7bc8..0f1da9503bc6 100644
+--- a/drivers/usb/host/fotg210.h
++++ b/drivers/usb/host/fotg210.h
+@@ -683,11 +683,6 @@ static inline unsigned fotg210_read_frame_index(struct fotg210_hcd *fotg210)
+ return fotg210_readl(fotg210, &fotg210->regs->frame_index);
+ }
+
+-#define fotg210_itdlen(urb, desc, t) ({ \
+- usb_pipein((urb)->pipe) ? \
+- (desc)->length - FOTG210_ITD_LENGTH(t) : \
+- FOTG210_ITD_LENGTH(t); \
+-})
+ /*-------------------------------------------------------------------------*/
+
+ #endif /* __LINUX_FOTG210_H */
+--
+2.30.2
+
--- /dev/null
+From e929ae11b6ae50cdad705d6ae1e78dc3b5ffd10e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Jun 2021 20:57:46 +0800
+Subject: usb: host: fotg210: fix the endpoint's transactional opportunities
+ calculation
+
+From: Kelly Devilliv <kelly.devilliv@gmail.com>
+
+[ Upstream commit c2e898764245c852bc8ee4857613ba4f3a6d761d ]
+
+Now that usb_endpoint_maxp() only returns the lowest
+11 bits from wMaxPacketSize, we should make use of the
+usb_endpoint_* helpers instead and remove the unnecessary
+max_packet()/hb_mult() macro.
+
+Signed-off-by: Kelly Devilliv <kelly.devilliv@gmail.com>
+Link: https://lore.kernel.org/r/20210627125747.127646-3-kelly.devilliv@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/fotg210-hcd.c | 36 ++++++++++++++++------------------
+ 1 file changed, 17 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/usb/host/fotg210-hcd.c b/drivers/usb/host/fotg210-hcd.c
+index 226b38274a6e..4e98f7b492df 100644
+--- a/drivers/usb/host/fotg210-hcd.c
++++ b/drivers/usb/host/fotg210-hcd.c
+@@ -2509,11 +2509,6 @@ static unsigned qh_completions(struct fotg210_hcd *fotg210,
+ return count;
+ }
+
+-/* high bandwidth multiplier, as encoded in highspeed endpoint descriptors */
+-#define hb_mult(wMaxPacketSize) (1 + (((wMaxPacketSize) >> 11) & 0x03))
+-/* ... and packet size, for any kind of endpoint descriptor */
+-#define max_packet(wMaxPacketSize) ((wMaxPacketSize) & 0x07ff)
+-
+ /* reverse of qh_urb_transaction: free a list of TDs.
+ * used for cleanup after errors, before HC sees an URB's TDs.
+ */
+@@ -2599,7 +2594,7 @@ static struct list_head *qh_urb_transaction(struct fotg210_hcd *fotg210,
+ token |= (1 /* "in" */ << 8);
+ /* else it's already initted to "out" pid (0 << 8) */
+
+- maxpacket = max_packet(usb_maxpacket(urb->dev, urb->pipe, !is_input));
++ maxpacket = usb_maxpacket(urb->dev, urb->pipe, !is_input);
+
+ /*
+ * buffer gets wrapped in one or more qtds;
+@@ -2713,9 +2708,11 @@ static struct fotg210_qh *qh_make(struct fotg210_hcd *fotg210, struct urb *urb,
+ gfp_t flags)
+ {
+ struct fotg210_qh *qh = fotg210_qh_alloc(fotg210, flags);
++ struct usb_host_endpoint *ep;
+ u32 info1 = 0, info2 = 0;
+ int is_input, type;
+ int maxp = 0;
++ int mult;
+ struct usb_tt *tt = urb->dev->tt;
+ struct fotg210_qh_hw *hw;
+
+@@ -2730,14 +2727,15 @@ static struct fotg210_qh *qh_make(struct fotg210_hcd *fotg210, struct urb *urb,
+
+ is_input = usb_pipein(urb->pipe);
+ type = usb_pipetype(urb->pipe);
+- maxp = usb_maxpacket(urb->dev, urb->pipe, !is_input);
++ ep = usb_pipe_endpoint(urb->dev, urb->pipe);
++ maxp = usb_endpoint_maxp(&ep->desc);
++ mult = usb_endpoint_maxp_mult(&ep->desc);
+
+ /* 1024 byte maxpacket is a hardware ceiling. High bandwidth
+ * acts like up to 3KB, but is built from smaller packets.
+ */
+- if (max_packet(maxp) > 1024) {
+- fotg210_dbg(fotg210, "bogus qh maxpacket %d\n",
+- max_packet(maxp));
++ if (maxp > 1024) {
++ fotg210_dbg(fotg210, "bogus qh maxpacket %d\n", maxp);
+ goto done;
+ }
+
+@@ -2751,8 +2749,7 @@ static struct fotg210_qh *qh_make(struct fotg210_hcd *fotg210, struct urb *urb,
+ */
+ if (type == PIPE_INTERRUPT) {
+ qh->usecs = NS_TO_US(usb_calc_bus_time(USB_SPEED_HIGH,
+- is_input, 0,
+- hb_mult(maxp) * max_packet(maxp)));
++ is_input, 0, mult * maxp));
+ qh->start = NO_FRAME;
+
+ if (urb->dev->speed == USB_SPEED_HIGH) {
+@@ -2789,7 +2786,7 @@ static struct fotg210_qh *qh_make(struct fotg210_hcd *fotg210, struct urb *urb,
+ think_time = tt ? tt->think_time : 0;
+ qh->tt_usecs = NS_TO_US(think_time +
+ usb_calc_bus_time(urb->dev->speed,
+- is_input, 0, max_packet(maxp)));
++ is_input, 0, maxp));
+ qh->period = urb->interval;
+ if (qh->period > fotg210->periodic_size) {
+ qh->period = fotg210->periodic_size;
+@@ -2852,11 +2849,11 @@ static struct fotg210_qh *qh_make(struct fotg210_hcd *fotg210, struct urb *urb,
+ * to help them do so. So now people expect to use
+ * such nonconformant devices with Linux too; sigh.
+ */
+- info1 |= max_packet(maxp) << 16;
++ info1 |= maxp << 16;
+ info2 |= (FOTG210_TUNE_MULT_HS << 30);
+ } else { /* PIPE_INTERRUPT */
+- info1 |= max_packet(maxp) << 16;
+- info2 |= hb_mult(maxp) << 30;
++ info1 |= maxp << 16;
++ info2 |= mult << 30;
+ }
+ break;
+ default:
+@@ -3926,6 +3923,7 @@ static void iso_stream_init(struct fotg210_hcd *fotg210,
+ int is_input;
+ long bandwidth;
+ unsigned multi;
++ struct usb_host_endpoint *ep;
+
+ /*
+ * this might be a "high bandwidth" highspeed endpoint,
+@@ -3933,14 +3931,14 @@ static void iso_stream_init(struct fotg210_hcd *fotg210,
+ */
+ epnum = usb_pipeendpoint(pipe);
+ is_input = usb_pipein(pipe) ? USB_DIR_IN : 0;
+- maxp = usb_maxpacket(dev, pipe, !is_input);
++ ep = usb_pipe_endpoint(dev, pipe);
++ maxp = usb_endpoint_maxp(&ep->desc);
+ if (is_input)
+ buf1 = (1 << 11);
+ else
+ buf1 = 0;
+
+- maxp = max_packet(maxp);
+- multi = hb_mult(maxp);
++ multi = usb_endpoint_maxp_mult(&ep->desc);
+ buf1 |= maxp;
+ maxp *= multi;
+
+--
+2.30.2
+
--- /dev/null
+From 2ad99c749c31f710db29f240331a6253ae16fa03 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Aug 2021 19:33:23 +0300
+Subject: usb: musb: musb_dsps: request_irq() after initializing musb
+
+From: Nadezda Lutovinova <lutovinova@ispras.ru>
+
+[ Upstream commit 7c75bde329d7e2a93cf86a5c15c61f96f1446cdc ]
+
+If IRQ occurs between calling dsps_setup_optional_vbus_irq()
+and dsps_create_musb_pdev(), then null pointer dereference occurs
+since glue->musb wasn't initialized yet.
+
+The patch puts initializing of neccesery data before registration
+of the interrupt handler.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Nadezda Lutovinova <lutovinova@ispras.ru>
+Link: https://lore.kernel.org/r/20210819163323.17714-1-lutovinova@ispras.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/musb/musb_dsps.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/usb/musb/musb_dsps.c b/drivers/usb/musb/musb_dsps.c
+index 403eb97915f8..2f6708b8b5c2 100644
+--- a/drivers/usb/musb/musb_dsps.c
++++ b/drivers/usb/musb/musb_dsps.c
+@@ -892,23 +892,22 @@ static int dsps_probe(struct platform_device *pdev)
+ if (!glue->usbss_base)
+ return -ENXIO;
+
+- if (usb_get_dr_mode(&pdev->dev) == USB_DR_MODE_PERIPHERAL) {
+- ret = dsps_setup_optional_vbus_irq(pdev, glue);
+- if (ret)
+- goto err_iounmap;
+- }
+-
+ platform_set_drvdata(pdev, glue);
+ pm_runtime_enable(&pdev->dev);
+ ret = dsps_create_musb_pdev(glue, pdev);
+ if (ret)
+ goto err;
+
++ if (usb_get_dr_mode(&pdev->dev) == USB_DR_MODE_PERIPHERAL) {
++ ret = dsps_setup_optional_vbus_irq(pdev, glue);
++ if (ret)
++ goto err;
++ }
++
+ return 0;
+
+ err:
+ pm_runtime_disable(&pdev->dev);
+-err_iounmap:
+ iounmap(glue->usbss_base);
+ return ret;
+ }
+--
+2.30.2
+
--- /dev/null
+From b15b02a0a0f4684b8a4068492b8c71ea4d7a300d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Aug 2021 00:31:21 +0530
+Subject: usbip: give back URBs for unsent unlink requests during cleanup
+
+From: Anirudh Rayabharam <mail@anirudhrb.com>
+
+[ Upstream commit 258c81b341c8025d79073ce2d6ce19dcdc7d10d2 ]
+
+In vhci_device_unlink_cleanup(), the URBs for unsent unlink requests are
+not given back. This sometimes causes usb_kill_urb to wait indefinitely
+for that urb to be given back. syzbot has reported a hung task issue [1]
+for this.
+
+To fix this, give back the urbs corresponding to unsent unlink requests
+(unlink_tx list) similar to how urbs corresponding to unanswered unlink
+requests (unlink_rx list) are given back.
+
+[1]: https://syzkaller.appspot.com/bug?id=08f12df95ae7da69814e64eb5515d5a85ed06b76
+
+Reported-by: syzbot+74d6ef051d3d2eacf428@syzkaller.appspotmail.com
+Tested-by: syzbot+74d6ef051d3d2eacf428@syzkaller.appspotmail.com
+Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
+Link: https://lore.kernel.org/r/20210820190122.16379-2-mail@anirudhrb.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/usbip/vhci_hcd.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
+index b13ed5a7618d..a4ead4099869 100644
+--- a/drivers/usb/usbip/vhci_hcd.c
++++ b/drivers/usb/usbip/vhci_hcd.c
+@@ -957,8 +957,32 @@ static void vhci_device_unlink_cleanup(struct vhci_device *vdev)
+ spin_lock(&vdev->priv_lock);
+
+ list_for_each_entry_safe(unlink, tmp, &vdev->unlink_tx, list) {
++ struct urb *urb;
++
++ /* give back urb of unsent unlink request */
+ pr_info("unlink cleanup tx %lu\n", unlink->unlink_seqnum);
++
++ urb = pickup_urb_and_free_priv(vdev, unlink->unlink_seqnum);
++ if (!urb) {
++ list_del(&unlink->list);
++ kfree(unlink);
++ continue;
++ }
++
++ urb->status = -ENODEV;
++
++ usb_hcd_unlink_urb_from_ep(hcd, urb);
++
+ list_del(&unlink->list);
++
++ spin_unlock(&vdev->priv_lock);
++ spin_unlock_irqrestore(&vhci->lock, flags);
++
++ usb_hcd_giveback_urb(hcd, urb, urb->status);
++
++ spin_lock_irqsave(&vhci->lock, flags);
++ spin_lock(&vdev->priv_lock);
++
+ kfree(unlink);
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 0873e89d5a28441ee19f8ad22e9c565bfe4156e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Aug 2021 16:59:37 -0600
+Subject: usbip:vhci_hcd USB port can get stuck in the disabled state
+
+From: Shuah Khan <skhan@linuxfoundation.org>
+
+[ Upstream commit 66cce9e73ec61967ed1f97f30cee79bd9a2bb7ee ]
+
+When a remote usb device is attached to the local Virtual USB
+Host Controller Root Hub port, the bound device driver may send
+a port reset command.
+
+vhci_hcd accepts port resets only when the device doesn't have
+port address assigned to it. When reset happens device is in
+assigned/used state and vhci_hcd rejects it leaving the port in
+a stuck state.
+
+This problem was found when a blue-tooth or xbox wireless dongle
+was passed through using usbip.
+
+A few drivers reset the port during probe including mt76 driver
+specific to this bug report. Fix the problem with a change to
+honor reset requests when device is in used state (VDEV_ST_USED).
+
+Reported-and-tested-by: Michael <msbroadf@gmail.com>
+Suggested-by: Michael <msbroadf@gmail.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Link: https://lore.kernel.org/r/20210819225937.41037-1-skhan@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/usbip/vhci_hcd.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
+index a4ead4099869..202dc76f7beb 100644
+--- a/drivers/usb/usbip/vhci_hcd.c
++++ b/drivers/usb/usbip/vhci_hcd.c
+@@ -455,8 +455,14 @@ static int vhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue,
+ vhci_hcd->port_status[rhport] &= ~(1 << USB_PORT_FEAT_RESET);
+ vhci_hcd->re_timeout = 0;
+
++ /*
++ * A few drivers do usb reset during probe when
++ * the device could be in VDEV_ST_USED state
++ */
+ if (vhci_hcd->vdev[rhport].ud.status ==
+- VDEV_ST_NOTASSIGNED) {
++ VDEV_ST_NOTASSIGNED ||
++ vhci_hcd->vdev[rhport].ud.status ==
++ VDEV_ST_USED) {
+ usbip_dbg_vhci_rh(
+ " enable rhport %d (status %u)\n",
+ rhport,
+--
+2.30.2
+
--- /dev/null
+From 260f589732ddc0703832d049582bb1fa91214609 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Sep 2021 14:58:59 -0700
+Subject: userfaultfd: prevent concurrent API initialization
+
+From: Nadav Amit <namit@vmware.com>
+
+[ Upstream commit 22e5fe2a2a279d9a6fcbdfb4dffe73821bef1c90 ]
+
+userfaultfd assumes that the enabled features are set once and never
+changed after UFFDIO_API ioctl succeeded.
+
+However, currently, UFFDIO_API can be called concurrently from two
+different threads, succeed on both threads and leave userfaultfd's
+features in non-deterministic state. Theoretically, other uffd operations
+(ioctl's and page-faults) can be dispatched while adversely affected by
+such changes of features.
+
+Moreover, the writes to ctx->state and ctx->features are not ordered,
+which can - theoretically, again - let userfaultfd_ioctl() think that
+userfaultfd API completed, while the features are still not initialized.
+
+To avoid races, it is arguably best to get rid of ctx->state. Since there
+are only 2 states, record the API initialization in ctx->features as the
+uppermost bit and remove ctx->state.
+
+Link: https://lkml.kernel.org/r/20210808020724.1022515-3-namit@vmware.com
+Fixes: 9cd75c3cd4c3d ("userfaultfd: non-cooperative: add ability to report non-PF events from uffd descriptor")
+Signed-off-by: Nadav Amit <namit@vmware.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Axel Rasmussen <axelrasmussen@google.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
+Cc: Peter Xu <peterx@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/userfaultfd.c | 93 +++++++++++++++++++++++-------------------------
+ 1 file changed, 45 insertions(+), 48 deletions(-)
+
+diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
+index d269d1139f7f..23c8efc967af 100644
+--- a/fs/userfaultfd.c
++++ b/fs/userfaultfd.c
+@@ -32,11 +32,6 @@
+
+ static struct kmem_cache *userfaultfd_ctx_cachep __read_mostly;
+
+-enum userfaultfd_state {
+- UFFD_STATE_WAIT_API,
+- UFFD_STATE_RUNNING,
+-};
+-
+ /*
+ * Start with fault_pending_wqh and fault_wqh so they're more likely
+ * to be in the same cacheline.
+@@ -68,8 +63,6 @@ struct userfaultfd_ctx {
+ unsigned int flags;
+ /* features requested from the userspace */
+ unsigned int features;
+- /* state machine */
+- enum userfaultfd_state state;
+ /* released */
+ bool released;
+ /* memory mappings are changing because of non-cooperative event */
+@@ -103,6 +96,14 @@ struct userfaultfd_wake_range {
+ unsigned long len;
+ };
+
++/* internal indication that UFFD_API ioctl was successfully executed */
++#define UFFD_FEATURE_INITIALIZED (1u << 31)
++
++static bool userfaultfd_is_initialized(struct userfaultfd_ctx *ctx)
++{
++ return ctx->features & UFFD_FEATURE_INITIALIZED;
++}
++
+ static int userfaultfd_wake_function(wait_queue_entry_t *wq, unsigned mode,
+ int wake_flags, void *key)
+ {
+@@ -700,7 +701,6 @@ int dup_userfaultfd(struct vm_area_struct *vma, struct list_head *fcs)
+
+ atomic_set(&ctx->refcount, 1);
+ ctx->flags = octx->flags;
+- ctx->state = UFFD_STATE_RUNNING;
+ ctx->features = octx->features;
+ ctx->released = false;
+ ctx->mmap_changing = false;
+@@ -981,38 +981,33 @@ static __poll_t userfaultfd_poll(struct file *file, poll_table *wait)
+
+ poll_wait(file, &ctx->fd_wqh, wait);
+
+- switch (ctx->state) {
+- case UFFD_STATE_WAIT_API:
++ if (!userfaultfd_is_initialized(ctx))
+ return EPOLLERR;
+- case UFFD_STATE_RUNNING:
+- /*
+- * poll() never guarantees that read won't block.
+- * userfaults can be waken before they're read().
+- */
+- if (unlikely(!(file->f_flags & O_NONBLOCK)))
+- return EPOLLERR;
+- /*
+- * lockless access to see if there are pending faults
+- * __pollwait last action is the add_wait_queue but
+- * the spin_unlock would allow the waitqueue_active to
+- * pass above the actual list_add inside
+- * add_wait_queue critical section. So use a full
+- * memory barrier to serialize the list_add write of
+- * add_wait_queue() with the waitqueue_active read
+- * below.
+- */
+- ret = 0;
+- smp_mb();
+- if (waitqueue_active(&ctx->fault_pending_wqh))
+- ret = EPOLLIN;
+- else if (waitqueue_active(&ctx->event_wqh))
+- ret = EPOLLIN;
+-
+- return ret;
+- default:
+- WARN_ON_ONCE(1);
++
++ /*
++ * poll() never guarantees that read won't block.
++ * userfaults can be waken before they're read().
++ */
++ if (unlikely(!(file->f_flags & O_NONBLOCK)))
+ return EPOLLERR;
+- }
++ /*
++ * lockless access to see if there are pending faults
++ * __pollwait last action is the add_wait_queue but
++ * the spin_unlock would allow the waitqueue_active to
++ * pass above the actual list_add inside
++ * add_wait_queue critical section. So use a full
++ * memory barrier to serialize the list_add write of
++ * add_wait_queue() with the waitqueue_active read
++ * below.
++ */
++ ret = 0;
++ smp_mb();
++ if (waitqueue_active(&ctx->fault_pending_wqh))
++ ret = EPOLLIN;
++ else if (waitqueue_active(&ctx->event_wqh))
++ ret = EPOLLIN;
++
++ return ret;
+ }
+
+ static const struct file_operations userfaultfd_fops;
+@@ -1206,7 +1201,7 @@ static ssize_t userfaultfd_read(struct file *file, char __user *buf,
+ struct uffd_msg msg;
+ int no_wait = file->f_flags & O_NONBLOCK;
+
+- if (ctx->state == UFFD_STATE_WAIT_API)
++ if (!userfaultfd_is_initialized(ctx))
+ return -EINVAL;
+
+ for (;;) {
+@@ -1808,9 +1803,10 @@ static int userfaultfd_zeropage(struct userfaultfd_ctx *ctx,
+ static inline unsigned int uffd_ctx_features(__u64 user_features)
+ {
+ /*
+- * For the current set of features the bits just coincide
++ * For the current set of features the bits just coincide. Set
++ * UFFD_FEATURE_INITIALIZED to mark the features as enabled.
+ */
+- return (unsigned int)user_features;
++ return (unsigned int)user_features | UFFD_FEATURE_INITIALIZED;
+ }
+
+ /*
+@@ -1823,12 +1819,10 @@ static int userfaultfd_api(struct userfaultfd_ctx *ctx,
+ {
+ struct uffdio_api uffdio_api;
+ void __user *buf = (void __user *)arg;
++ unsigned int ctx_features;
+ int ret;
+ __u64 features;
+
+- ret = -EINVAL;
+- if (ctx->state != UFFD_STATE_WAIT_API)
+- goto out;
+ ret = -EFAULT;
+ if (copy_from_user(&uffdio_api, buf, sizeof(uffdio_api)))
+ goto out;
+@@ -1845,9 +1839,13 @@ static int userfaultfd_api(struct userfaultfd_ctx *ctx,
+ ret = -EFAULT;
+ if (copy_to_user(buf, &uffdio_api, sizeof(uffdio_api)))
+ goto out;
+- ctx->state = UFFD_STATE_RUNNING;
++
+ /* only enable the requested features for this uffd context */
+- ctx->features = uffd_ctx_features(features);
++ ctx_features = uffd_ctx_features(features);
++ ret = -EINVAL;
++ if (cmpxchg(&ctx->features, 0, ctx_features) != 0)
++ goto err_out;
++
+ ret = 0;
+ out:
+ return ret;
+@@ -1864,7 +1862,7 @@ static long userfaultfd_ioctl(struct file *file, unsigned cmd,
+ int ret = -EINVAL;
+ struct userfaultfd_ctx *ctx = file->private_data;
+
+- if (cmd != UFFDIO_API && ctx->state == UFFD_STATE_WAIT_API)
++ if (cmd != UFFDIO_API && !userfaultfd_is_initialized(ctx))
+ return -EINVAL;
+
+ switch(cmd) {
+@@ -1962,7 +1960,6 @@ SYSCALL_DEFINE1(userfaultfd, int, flags)
+ atomic_set(&ctx->refcount, 1);
+ ctx->flags = flags;
+ ctx->features = 0;
+- ctx->state = UFFD_STATE_WAIT_API;
+ ctx->released = false;
+ ctx->mmap_changing = false;
+ ctx->mm = current->mm;
+--
+2.30.2
+
--- /dev/null
+From 95726e055068fc8e7ee7ee8dec4766b2b3798557 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jul 2021 15:39:12 -0300
+Subject: vfio: Use config not menuconfig for VFIO_NOIOMMU
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit 26c22cfde5dd6e63f25c48458b0185dcb0fbb2fd ]
+
+VFIO_NOIOMMU is supposed to be an element in the VFIO menu, not start
+a new menu. Correct this copy-paste mistake.
+
+Fixes: 03a76b60f8ba ("vfio: Include No-IOMMU mode")
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Link: https://lore.kernel.org/r/0-v1-3f0b685c3679+478-vfio_menuconfig_jgg@nvidia.com
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/vfio/Kconfig b/drivers/vfio/Kconfig
+index c84333eb5eb5..b7765271d0fb 100644
+--- a/drivers/vfio/Kconfig
++++ b/drivers/vfio/Kconfig
+@@ -29,7 +29,7 @@ menuconfig VFIO
+
+ If you don't know what to do here, say N.
+
+-menuconfig VFIO_NOIOMMU
++config VFIO_NOIOMMU
+ bool "VFIO No-IOMMU support"
+ depends on VFIO
+ help
+--
+2.30.2
+
--- /dev/null
+From 5f13799011f947070deca2d1f243c5e714484492 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jul 2021 10:03:53 +0000
+Subject: video: fbdev: asiliantfb: Error out if 'pixclock' equals zero
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit b36b242d4b8ea178f7fd038965e3cac7f30c3f09 ]
+
+The userspace program could pass any values to the driver through
+ioctl() interface. If the driver doesn't check the value of 'pixclock',
+it may cause divide error.
+
+Fix this by checking whether 'pixclock' is zero first.
+
+The following log reveals it:
+
+[ 43.861711] divide error: 0000 [#1] PREEMPT SMP KASAN PTI
+[ 43.861737] CPU: 2 PID: 11764 Comm: i740 Not tainted 5.14.0-rc2-00513-gac532c9bbcfb-dirty #224
+[ 43.861756] RIP: 0010:asiliantfb_check_var+0x4e/0x730
+[ 43.861843] Call Trace:
+[ 43.861848] ? asiliantfb_remove+0x190/0x190
+[ 43.861858] fb_set_var+0x2e4/0xeb0
+[ 43.861866] ? fb_blank+0x1a0/0x1a0
+[ 43.861873] ? lock_acquire+0x1ef/0x530
+[ 43.861884] ? lock_release+0x810/0x810
+[ 43.861892] ? lock_is_held_type+0x100/0x140
+[ 43.861903] ? ___might_sleep+0x1ee/0x2d0
+[ 43.861914] ? __mutex_lock+0x620/0x1190
+[ 43.861921] ? do_fb_ioctl+0x313/0x700
+[ 43.861929] ? mutex_lock_io_nested+0xfa0/0xfa0
+[ 43.861936] ? __this_cpu_preempt_check+0x1d/0x30
+[ 43.861944] ? _raw_spin_unlock_irqrestore+0x46/0x60
+[ 43.861952] ? lockdep_hardirqs_on+0x59/0x100
+[ 43.861959] ? _raw_spin_unlock_irqrestore+0x46/0x60
+[ 43.861967] ? trace_hardirqs_on+0x6a/0x1c0
+[ 43.861978] do_fb_ioctl+0x31e/0x700
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/1627293835-17441-2-git-send-email-zheyuma97@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/asiliantfb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/video/fbdev/asiliantfb.c b/drivers/video/fbdev/asiliantfb.c
+index ea31054a28ca..c1d6e6336225 100644
+--- a/drivers/video/fbdev/asiliantfb.c
++++ b/drivers/video/fbdev/asiliantfb.c
+@@ -227,6 +227,9 @@ static int asiliantfb_check_var(struct fb_var_screeninfo *var,
+ {
+ unsigned long Ftarget, ratio, remainder;
+
++ if (!var->pixclock)
++ return -EINVAL;
++
+ ratio = 1000000 / var->pixclock;
+ remainder = 1000000 % var->pixclock;
+ Ftarget = 1000000 * ratio + (1000000 * remainder) / var->pixclock;
+--
+2.30.2
+
--- /dev/null
+From 33b0e792d25c0473a935b1dbc2baeee5706678af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jul 2021 10:03:54 +0000
+Subject: video: fbdev: kyro: Error out if 'pixclock' equals zero
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit 1520b4b7ba964f8eec2e7dd14c571d50de3e5191 ]
+
+The userspace program could pass any values to the driver through
+ioctl() interface. if the driver doesn't check the value of 'pixclock',
+it may cause divide error because the value of 'lineclock' and
+'frameclock' will be zero.
+
+Fix this by checking whether 'pixclock' is zero in kyrofb_check_var().
+
+The following log reveals it:
+
+[ 103.073930] divide error: 0000 [#1] PREEMPT SMP KASAN PTI
+[ 103.073942] CPU: 4 PID: 12483 Comm: syz-executor Not tainted 5.14.0-rc2-00478-g2734d6c1b1a0-dirty #118
+[ 103.073959] RIP: 0010:kyrofb_set_par+0x316/0xc80
+[ 103.074045] Call Trace:
+[ 103.074048] ? ___might_sleep+0x1ee/0x2d0
+[ 103.074060] ? kyrofb_ioctl+0x330/0x330
+[ 103.074069] fb_set_var+0x5bf/0xeb0
+[ 103.074078] ? fb_blank+0x1a0/0x1a0
+[ 103.074085] ? lock_acquire+0x3bd/0x530
+[ 103.074094] ? lock_release+0x810/0x810
+[ 103.074103] ? ___might_sleep+0x1ee/0x2d0
+[ 103.074114] ? __mutex_lock+0x620/0x1190
+[ 103.074126] ? trace_hardirqs_on+0x6a/0x1c0
+[ 103.074137] do_fb_ioctl+0x31e/0x700
+[ 103.074144] ? fb_getput_cmap+0x280/0x280
+[ 103.074152] ? rcu_read_lock_sched_held+0x11/0x80
+[ 103.074162] ? rcu_read_lock_sched_held+0x11/0x80
+[ 103.074171] ? __sanitizer_cov_trace_switch+0x67/0xf0
+[ 103.074181] ? __sanitizer_cov_trace_const_cmp2+0x20/0x80
+[ 103.074191] ? do_vfs_ioctl+0x14b/0x16c0
+[ 103.074199] ? vfs_fileattr_set+0xb60/0xb60
+[ 103.074207] ? rcu_read_lock_sched_held+0x11/0x80
+[ 103.074216] ? lock_release+0x483/0x810
+[ 103.074224] ? __fget_files+0x217/0x3d0
+[ 103.074234] ? __fget_files+0x239/0x3d0
+[ 103.074243] ? do_fb_ioctl+0x700/0x700
+[ 103.074250] fb_ioctl+0xe6/0x130
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/1627293835-17441-3-git-send-email-zheyuma97@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/kyro/fbdev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/video/fbdev/kyro/fbdev.c b/drivers/video/fbdev/kyro/fbdev.c
+index d7aa431e6846..74bf26b527b9 100644
+--- a/drivers/video/fbdev/kyro/fbdev.c
++++ b/drivers/video/fbdev/kyro/fbdev.c
+@@ -399,6 +399,9 @@ static int kyrofb_check_var(struct fb_var_screeninfo *var, struct fb_info *info)
+ {
+ struct kyrofb_info *par = info->par;
+
++ if (!var->pixclock)
++ return -EINVAL;
++
+ if (var->bits_per_pixel != 16 && var->bits_per_pixel != 32) {
+ printk(KERN_WARNING "kyrofb: depth not supported: %u\n", var->bits_per_pixel);
+ return -EINVAL;
+--
+2.30.2
+
--- /dev/null
+From 61172df6732e89a663c019f88ead050bc7227aac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jul 2021 04:09:22 +0000
+Subject: video: fbdev: kyro: fix a DoS bug by restricting user input
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit 98a65439172dc69cb16834e62e852afc2adb83ed ]
+
+The user can pass in any value to the driver through the 'ioctl'
+interface. The driver dost not check, which may cause DoS bugs.
+
+The following log reveals it:
+
+divide error: 0000 [#1] PREEMPT SMP KASAN PTI
+RIP: 0010:SetOverlayViewPort+0x133/0x5f0 drivers/video/fbdev/kyro/STG4000OverlayDevice.c:476
+Call Trace:
+ kyro_dev_overlay_viewport_set drivers/video/fbdev/kyro/fbdev.c:378 [inline]
+ kyrofb_ioctl+0x2eb/0x330 drivers/video/fbdev/kyro/fbdev.c:603
+ do_fb_ioctl+0x1f3/0x700 drivers/video/fbdev/core/fbmem.c:1171
+ fb_ioctl+0xeb/0x130 drivers/video/fbdev/core/fbmem.c:1185
+ vfs_ioctl fs/ioctl.c:48 [inline]
+ __do_sys_ioctl fs/ioctl.c:753 [inline]
+ __se_sys_ioctl fs/ioctl.c:739 [inline]
+ __x64_sys_ioctl+0x19b/0x220 fs/ioctl.c:739
+ do_syscall_64+0x32/0x80 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/1626235762-2590-1-git-send-email-zheyuma97@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/kyro/fbdev.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/video/fbdev/kyro/fbdev.c b/drivers/video/fbdev/kyro/fbdev.c
+index a7bd9f25911b..d7aa431e6846 100644
+--- a/drivers/video/fbdev/kyro/fbdev.c
++++ b/drivers/video/fbdev/kyro/fbdev.c
+@@ -372,6 +372,11 @@ static int kyro_dev_overlay_viewport_set(u32 x, u32 y, u32 ulWidth, u32 ulHeight
+ /* probably haven't called CreateOverlay yet */
+ return -EINVAL;
+
++ if (ulWidth == 0 || ulWidth == 0xffffffff ||
++ ulHeight == 0 || ulHeight == 0xffffffff ||
++ (x < 2 && ulWidth + 2 == 0))
++ return -EINVAL;
++
+ /* Stop Ramdac Output */
+ DisableRamdacOutput(deviceInfo.pSTGReg);
+
+--
+2.30.2
+
--- /dev/null
+From 8eb852ef9775caca4ea5a8d5174bf344729091cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jul 2021 10:03:55 +0000
+Subject: video: fbdev: riva: Error out if 'pixclock' equals zero
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit f92763cb0feba247e0939ed137b495601fd072a5 ]
+
+The userspace program could pass any values to the driver through
+ioctl() interface. If the driver doesn't check the value of 'pixclock',
+it may cause divide error.
+
+Fix this by checking whether 'pixclock' is zero first.
+
+The following log reveals it:
+
+[ 33.396850] divide error: 0000 [#1] PREEMPT SMP KASAN PTI
+[ 33.396864] CPU: 5 PID: 11754 Comm: i740 Not tainted 5.14.0-rc2-00513-gac532c9bbcfb-dirty #222
+[ 33.396883] RIP: 0010:riva_load_video_mode+0x417/0xf70
+[ 33.396969] Call Trace:
+[ 33.396973] ? debug_smp_processor_id+0x1c/0x20
+[ 33.396984] ? tick_nohz_tick_stopped+0x1a/0x90
+[ 33.396996] ? rivafb_copyarea+0x3c0/0x3c0
+[ 33.397003] ? wake_up_klogd.part.0+0x99/0xd0
+[ 33.397014] ? vprintk_emit+0x110/0x4b0
+[ 33.397024] ? vprintk_default+0x26/0x30
+[ 33.397033] ? vprintk+0x9c/0x1f0
+[ 33.397041] ? printk+0xba/0xed
+[ 33.397054] ? record_print_text.cold+0x16/0x16
+[ 33.397063] ? __kasan_check_read+0x11/0x20
+[ 33.397074] ? profile_tick+0xc0/0x100
+[ 33.397084] ? __sanitizer_cov_trace_const_cmp4+0x24/0x80
+[ 33.397094] ? riva_set_rop_solid+0x2a0/0x2a0
+[ 33.397102] rivafb_set_par+0xbe/0x610
+[ 33.397111] ? riva_set_rop_solid+0x2a0/0x2a0
+[ 33.397119] fb_set_var+0x5bf/0xeb0
+[ 33.397127] ? fb_blank+0x1a0/0x1a0
+[ 33.397134] ? lock_acquire+0x1ef/0x530
+[ 33.397143] ? lock_release+0x810/0x810
+[ 33.397151] ? lock_is_held_type+0x100/0x140
+[ 33.397159] ? ___might_sleep+0x1ee/0x2d0
+[ 33.397170] ? __mutex_lock+0x620/0x1190
+[ 33.397180] ? trace_hardirqs_on+0x6a/0x1c0
+[ 33.397190] do_fb_ioctl+0x31e/0x700
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/1627293835-17441-4-git-send-email-zheyuma97@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/riva/fbdev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/video/fbdev/riva/fbdev.c b/drivers/video/fbdev/riva/fbdev.c
+index cc242ba057d3..dfa81b641f9f 100644
+--- a/drivers/video/fbdev/riva/fbdev.c
++++ b/drivers/video/fbdev/riva/fbdev.c
+@@ -1088,6 +1088,9 @@ static int rivafb_check_var(struct fb_var_screeninfo *var, struct fb_info *info)
+ int mode_valid = 0;
+
+ NVTRACE_ENTER();
++ if (!var->pixclock)
++ return -EINVAL;
++
+ switch (var->bits_per_pixel) {
+ case 1 ... 8:
+ var->red.offset = var->green.offset = var->blue.offset = 0;
+--
+2.30.2
+
--- /dev/null
+From 049031c0a7db2ca0b692ccb2635c611f42b08bd8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jul 2021 09:43:10 +0200
+Subject: xtensa: ISS: don't panic in rs_init
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+[ Upstream commit 23411c720052ad860b3e579ee4873511e367130a ]
+
+While alloc_tty_driver failure in rs_init would mean we have much bigger
+problem, there is no reason to panic when tty_register_driver fails
+there. It can fail for various reasons.
+
+So handle the failure gracefully. Actually handle them both while at it.
+This will make at least the console functional as it was enabled earlier
+by console_initcall in iss_console_init. Instead of shooting down the
+whole system.
+
+We move tty_port_init() after alloc_tty_driver(), so that we don't need
+to destroy the port in case the latter function fails.
+
+Cc: Chris Zankel <chris@zankel.net>
+Cc: Max Filippov <jcmvbkbc@gmail.com>
+Cc: linux-xtensa@linux-xtensa.org
+Acked-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Link: https://lore.kernel.org/r/20210723074317.32690-2-jslaby@suse.cz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/xtensa/platforms/iss/console.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/arch/xtensa/platforms/iss/console.c b/arch/xtensa/platforms/iss/console.c
+index af81a62faba6..e7faea3d73d3 100644
+--- a/arch/xtensa/platforms/iss/console.c
++++ b/arch/xtensa/platforms/iss/console.c
+@@ -168,9 +168,13 @@ static const struct tty_operations serial_ops = {
+
+ int __init rs_init(void)
+ {
+- tty_port_init(&serial_port);
++ int ret;
+
+ serial_driver = alloc_tty_driver(SERIAL_MAX_NUM_LINES);
++ if (!serial_driver)
++ return -ENOMEM;
++
++ tty_port_init(&serial_port);
+
+ pr_info("%s %s\n", serial_name, serial_version);
+
+@@ -190,8 +194,15 @@ int __init rs_init(void)
+ tty_set_operations(serial_driver, &serial_ops);
+ tty_port_link_device(&serial_port, serial_driver, 0);
+
+- if (tty_register_driver(serial_driver))
+- panic("Couldn't register serial driver\n");
++ ret = tty_register_driver(serial_driver);
++ if (ret) {
++ pr_err("Couldn't register serial driver\n");
++ tty_driver_kref_put(serial_driver);
++ tty_port_destroy(&serial_port);
++
++ return ret;
++ }
++
+ return 0;
+ }
+
+--
+2.30.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
