--- /dev/null
+From 2d766ce95b442bb00ac85bcdaac51af3eaada912 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jul 2021 13:14:40 +0100
+Subject: 6lowpan: iphc: Fix an off-by-one check of array index
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 9af417610b6142e826fd1ee8ba7ff3e9a2133a5a ]
+
+The bounds check of id is off-by-one and the comparison should
+be >= rather >. Currently the WARN_ON_ONCE check does not stop
+the out of range indexing of &ldev->ctx.table[id] so also add
+a return path if the bounds are out of range.
+
+Addresses-Coverity: ("Illegal address computation").
+Fixes: 5609c185f24d ("6lowpan: iphc: add support for stateful compression")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/6lowpan/debugfs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/6lowpan/debugfs.c b/net/6lowpan/debugfs.c
+index 1c140af06d52..600b9563bfc5 100644
+--- a/net/6lowpan/debugfs.c
++++ b/net/6lowpan/debugfs.c
+@@ -170,7 +170,8 @@ static void lowpan_dev_debugfs_ctx_init(struct net_device *dev,
+ struct dentry *root;
+ char buf[32];
+
+- WARN_ON_ONCE(id > LOWPAN_IPHC_CTX_TABLE_SIZE);
++ if (WARN_ON_ONCE(id >= LOWPAN_IPHC_CTX_TABLE_SIZE))
++ return;
+
+ sprintf(buf, "%d", id);
+
+--
+2.30.2
+
--- /dev/null
+From 283c417b52414f28d135a48eaa312e6bf8ed6890 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Oct 2020 14:27:23 +0800
+Subject: ARM: dts: aspeed-g6: Fix HVI3C function-group in pinctrl dtsi
+
+From: Dylan Hung <dylan_hung@aspeedtech.com>
+
+[ Upstream commit 8c295b7f3d01359ff4336fcb6e406e6ed37957d6 ]
+
+The HVI3C shall be a group of I3C function, not an independent function.
+Correct the function name from "HVI3C" to "I3C".
+
+Signed-off-by: Dylan Hung <dylan_hung@aspeedtech.com>
+Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
+Fixes: f510f04c8c83 ("ARM: dts: aspeed: Add AST2600 pinmux nodes")
+Link: https://lore.kernel.org/r/20201029062723.20798-1-dylan_hung@aspeedtech.com
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi b/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi
+index 5b8bf58e89cb..996e006e06c2 100644
+--- a/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi
++++ b/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi
+@@ -208,12 +208,12 @@
+ };
+
+ pinctrl_hvi3c3_default: hvi3c3_default {
+- function = "HVI3C3";
++ function = "I3C3";
+ groups = "HVI3C3";
+ };
+
+ pinctrl_hvi3c4_default: hvi3c4_default {
+- function = "HVI3C4";
++ function = "I3C4";
+ groups = "HVI3C4";
+ };
+
+--
+2.30.2
+
--- /dev/null
+From 982ef3721518dc638c1bed36c6d7917d6aca8e34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Jul 2021 23:40:23 +0200
+Subject: ARM: dts: meson8: Use a higher default GPU clock frequency
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+[ Upstream commit 44cf630bcb8c5ec78125805c9447dd5766792224 ]
+
+We are seeing "imprecise external abort (0x1406)" errors during boot
+(which then cause the whole board to hang) on Meson8 (but not Meson8m2).
+These are observed while trying to access the GPU's registers when the
+MALI clock is running at it's default setting of 24MHz. The 3.10 vendor
+kernel uses 318.75MHz as "default" GPU frequency. Using that makes the
+"imprecise external aborts" go away.
+Add the assigned-clocks and assigned-clock-rates properties to also bump
+the MALI clock to 318.75MHz before accessing any of it's registers.
+
+Fixes: 7d3f6b536e72c9 ("ARM: dts: meson8: add the Mali-450 MP6 GPU")
+Reported-by: Demetris Ierokipides <ierokipides.dem@gmail.com>
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Reviewed-by: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Link: https://lore.kernel.org/r/20210711214023.2163565-1-martin.blumenstingl@googlemail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/meson8.dtsi | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/arm/boot/dts/meson8.dtsi b/arch/arm/boot/dts/meson8.dtsi
+index 3efe9d41c2bb..d7c9dbee0f01 100644
+--- a/arch/arm/boot/dts/meson8.dtsi
++++ b/arch/arm/boot/dts/meson8.dtsi
+@@ -241,8 +241,13 @@
+ "pp2", "ppmmu2", "pp4", "ppmmu4",
+ "pp5", "ppmmu5", "pp6", "ppmmu6";
+ resets = <&reset RESET_MALI>;
++
+ clocks = <&clkc CLKID_CLK81>, <&clkc CLKID_MALI>;
+ clock-names = "bus", "core";
++
++ assigned-clocks = <&clkc CLKID_MALI>;
++ assigned-clock-rates = <318750000>;
++
+ operating-points-v2 = <&gpu_opp_table>;
+ };
+ };
+--
+2.30.2
+
--- /dev/null
+From 93b189b4850999658f709d20e861a733d021ef4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jul 2021 11:23:55 +0000
+Subject: ARM: dts: meson8b: ec100: Fix the pwm regulator supply properties
+
+From: Anand Moon <linux.amoon@gmail.com>
+
+[ Upstream commit 72ccc373b064ae3ac0c5b5f2306069b60ca118df ]
+
+After enabling CONFIG_REGULATOR_DEBUG=y we observer below debug logs.
+Changes help link VCCK and VDDEE pwm regulator to 5V regulator supply
+instead of dummy regulator.
+
+[ 7.117140] pwm-regulator regulator-vcck: Looking up pwm-supply from device tree
+[ 7.117153] pwm-regulator regulator-vcck: Looking up pwm-supply property in node /regulator-vcck failed
+[ 7.117184] VCCK: supplied by regulator-dummy
+[ 7.117194] regulator-dummy: could not add device link regulator.8: -ENOENT
+[ 7.117266] VCCK: 860 <--> 1140 mV at 986 mV, enabled
+[ 7.118498] VDDEE: will resolve supply early: pwm
+[ 7.118515] pwm-regulator regulator-vddee: Looking up pwm-supply from device tree
+[ 7.118526] pwm-regulator regulator-vddee: Looking up pwm-supply property in node /regulator-vddee failed
+[ 7.118553] VDDEE: supplied by regulator-dummy
+[ 7.118563] regulator-dummy: could not add device link regulator.9: -ENOENT
+
+Fixes: 087a1d8b4e4c ("ARM: dts: meson8b: ec100: add the VDDEE regulator")
+Fixes: 3e7db1c1b7a3 ("ARM: dts: meson8b: ec100: improve the description of the regulators")
+
+Cc: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Anand Moon <linux.amoon@gmail.com>
+Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Link: https://lore.kernel.org/r/20210705112358.3554-4-linux.amoon@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/meson8b-ec100.dts | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/meson8b-ec100.dts b/arch/arm/boot/dts/meson8b-ec100.dts
+index bed1dfef1985..32d1c322dbc6 100644
+--- a/arch/arm/boot/dts/meson8b-ec100.dts
++++ b/arch/arm/boot/dts/meson8b-ec100.dts
+@@ -148,7 +148,7 @@
+ regulator-min-microvolt = <860000>;
+ regulator-max-microvolt = <1140000>;
+
+- vin-supply = <&vcc_5v>;
++ pwm-supply = <&vcc_5v>;
+
+ pwms = <&pwm_cd 0 1148 0>;
+ pwm-dutycycle-range = <100 0>;
+@@ -232,7 +232,7 @@
+ regulator-min-microvolt = <860000>;
+ regulator-max-microvolt = <1140000>;
+
+- vin-supply = <&vcc_5v>;
++ pwm-supply = <&vcc_5v>;
+
+ pwms = <&pwm_cd 1 1148 0>;
+ pwm-dutycycle-range = <100 0>;
+--
+2.30.2
+
--- /dev/null
+From 26ed7f7b4297039aaca1dff1b2d35ade4c86ea36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jul 2021 11:23:54 +0000
+Subject: ARM: dts: meson8b: mxq: Fix the pwm regulator supply properties
+
+From: Anand Moon <linux.amoon@gmail.com>
+
+[ Upstream commit 632062e540becbbcb067523ec8bcadb1239d9578 ]
+
+After enabling CONFIG_REGULATOR_DEBUG=y we observer below debug logs.
+Changes help link VCCK and VDDEE pwm regulator to 5V regulator supply
+instead of dummy regulator.
+Add missing pwm-supply for regulator-vcck regulator node.
+
+[ 7.117140] pwm-regulator regulator-vcck: Looking up pwm-supply from device tree
+[ 7.117153] pwm-regulator regulator-vcck: Looking up pwm-supply property in node /regulator-vcck failed
+[ 7.117184] VCCK: supplied by regulator-dummy
+[ 7.117194] regulator-dummy: could not add device link regulator.8: -ENOENT
+[ 7.117266] VCCK: 860 <--> 1140 mV at 986 mV, enabled
+[ 7.118498] VDDEE: will resolve supply early: pwm
+[ 7.118515] pwm-regulator regulator-vddee: Looking up pwm-supply from device tree
+[ 7.118526] pwm-regulator regulator-vddee: Looking up pwm-supply property in node /regulator-vddee failed
+[ 7.118553] VDDEE: supplied by regulator-dummy
+[ 7.118563] regulator-dummy: could not add device link regulator.9: -ENOENT
+
+Fixes: dee51cd0d2e8 ("ARM: dts: meson8b: mxq: add the VDDEE regulator")
+Fixes: d94f60e3dfa0 ("ARM: dts: meson8b: mxq: improve support for the TRONFY MXQ S805")
+
+Cc: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Anand Moon <linux.amoon@gmail.com>
+Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Link: https://lore.kernel.org/r/20210705112358.3554-3-linux.amoon@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/meson8b-mxq.dts | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/meson8b-mxq.dts b/arch/arm/boot/dts/meson8b-mxq.dts
+index 6e39ad52e42d..ab8fe55963f7 100644
+--- a/arch/arm/boot/dts/meson8b-mxq.dts
++++ b/arch/arm/boot/dts/meson8b-mxq.dts
+@@ -39,6 +39,8 @@
+ regulator-min-microvolt = <860000>;
+ regulator-max-microvolt = <1140000>;
+
++ pwm-supply = <&vcc_5v>;
++
+ pwms = <&pwm_cd 0 1148 0>;
+ pwm-dutycycle-range = <100 0>;
+
+@@ -84,7 +86,7 @@
+ regulator-min-microvolt = <860000>;
+ regulator-max-microvolt = <1140000>;
+
+- vin-supply = <&vcc_5v>;
++ pwm-supply = <&vcc_5v>;
+
+ pwms = <&pwm_cd 1 1148 0>;
+ pwm-dutycycle-range = <100 0>;
+--
+2.30.2
+
--- /dev/null
+From f27d2fbcf5cad833946f0bdf60d2cb33fd8a8275 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jul 2021 11:23:53 +0000
+Subject: ARM: dts: meson8b: odroidc1: Fix the pwm regulator supply properties
+
+From: Anand Moon <linux.amoon@gmail.com>
+
+[ Upstream commit 876228e9f935f19c7afc7ba394d17e2ec9143b65 ]
+
+After enabling CONFIG_REGULATOR_DEBUG=y we observe below debug logs.
+Changes help link VCCK and VDDEE pwm regulator to 5V regulator supply
+instead of dummy regulator.
+
+[ 7.117140] pwm-regulator regulator-vcck: Looking up pwm-supply from device tree
+[ 7.117153] pwm-regulator regulator-vcck: Looking up pwm-supply property in node /regulator-vcck failed
+[ 7.117184] VCCK: supplied by regulator-dummy
+[ 7.117194] regulator-dummy: could not add device link regulator.8: -ENOENT
+[ 7.117266] VCCK: 860 <--> 1140 mV at 986 mV, enabled
+[ 7.118498] VDDEE: will resolve supply early: pwm
+[ 7.118515] pwm-regulator regulator-vddee: Looking up pwm-supply from device tree
+[ 7.118526] pwm-regulator regulator-vddee: Looking up pwm-supply property in node /regulator-vddee failed
+[ 7.118553] VDDEE: supplied by regulator-dummy
+[ 7.118563] regulator-dummy: could not add device link regulator.9: -ENOENT
+
+Fixes: 524d96083b66 ("ARM: dts: meson8b: odroidc1: add the CPU voltage regulator")
+Fixes: 8bdf38be712d ("ARM: dts: meson8b: odroidc1: add the VDDEE regulator")
+
+Tested-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Cc: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Anand Moon <linux.amoon@gmail.com>
+Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+[narmstrong: fixed typo in commit s/observer/observe/]
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Link: https://lore.kernel.org/r/20210705112358.3554-2-linux.amoon@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/meson8b-odroidc1.dts | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/meson8b-odroidc1.dts b/arch/arm/boot/dts/meson8b-odroidc1.dts
+index 0f9c71137bed..c413af9a7af8 100644
+--- a/arch/arm/boot/dts/meson8b-odroidc1.dts
++++ b/arch/arm/boot/dts/meson8b-odroidc1.dts
+@@ -130,7 +130,7 @@
+ regulator-min-microvolt = <860000>;
+ regulator-max-microvolt = <1140000>;
+
+- vin-supply = <&p5v0>;
++ pwm-supply = <&p5v0>;
+
+ pwms = <&pwm_cd 0 12218 0>;
+ pwm-dutycycle-range = <91 0>;
+@@ -162,7 +162,7 @@
+ regulator-min-microvolt = <860000>;
+ regulator-max-microvolt = <1140000>;
+
+- vin-supply = <&p5v0>;
++ pwm-supply = <&p5v0>;
+
+ pwms = <&pwm_cd 1 12218 0>;
+ pwm-dutycycle-range = <91 0>;
+--
+2.30.2
+
--- /dev/null
+From c5d306380d67778d8f18f6909cdd179c9b2196a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Aug 2021 09:21:10 +0200
+Subject: arm64: dts: exynos: correct GIC CPU interfaces address range on
+ Exynos7
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+
+[ Upstream commit 01c72cad790cb6cd3ccbe4c1402b6cb6c6bbffd0 ]
+
+The GIC-400 CPU interfaces address range is defined as 0x2000-0x3FFF (by
+ARM).
+
+Reported-by: Sam Protsenko <semen.protsenko@linaro.org>
+Reported-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Reviewed-by: Sam Protsenko <semen.protsenko@linaro.org>
+Reviewed-by: Alim Akhtar <alim.akhtar@samsung.com>
+Fixes: b9024cbc937d ("arm64: dts: Add initial device tree support for exynos7")
+Link: https://lore.kernel.org/r/20210805072110.4730-1-krzysztof.kozlowski@canonical.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/exynos/exynos7.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/exynos/exynos7.dtsi b/arch/arm64/boot/dts/exynos/exynos7.dtsi
+index 25549d9552ae..84f92b44c323 100644
+--- a/arch/arm64/boot/dts/exynos/exynos7.dtsi
++++ b/arch/arm64/boot/dts/exynos/exynos7.dtsi
+@@ -113,7 +113,7 @@
+ #address-cells = <0>;
+ interrupt-controller;
+ reg = <0x11001000 0x1000>,
+- <0x11002000 0x1000>,
++ <0x11002000 0x2000>,
+ <0x11004000 0x2000>,
+ <0x11006000 0x2000>;
+ };
+--
+2.30.2
+
--- /dev/null
+From 05e7d6f5338f01a266129ec4a4218adfad149194 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Jul 2021 12:15:50 +0200
+Subject: arm64: dts: renesas: r8a77995: draak: Remove bogus adv7511w
+ properties
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+[ Upstream commit 4ec82a7bb3db8c6005e715c63224c32d458917a2 ]
+
+The "max-clock" and "min-vrefresh" properties fail to validate with
+commit cfe34bb7a770c5d8 ("dt-bindings: drm: bridge: adi,adv7511.txt:
+convert to yaml"). Drop them, as they are parts of an out-of-tree
+workaround that is not needed upstream.
+
+Fixes: bcf3003438ea4645 ("arm64: dts: renesas: r8a77995: draak: Enable HDMI display output")
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Reviewed-by: Ulrich Hecht <uli+renesas@fpond.eu>
+Link: https://lore.kernel.org/r/975b6686bc423421b147d367fe7fb9a0db99c5af.1625134398.git.geert+renesas@glider.be
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/r8a77995-draak.dts | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/r8a77995-draak.dts b/arch/arm64/boot/dts/renesas/r8a77995-draak.dts
+index 67634cb01d6b..cbdd46ed3ca6 100644
+--- a/arch/arm64/boot/dts/renesas/r8a77995-draak.dts
++++ b/arch/arm64/boot/dts/renesas/r8a77995-draak.dts
+@@ -277,10 +277,6 @@
+ interrupt-parent = <&gpio1>;
+ interrupts = <28 IRQ_TYPE_LEVEL_LOW>;
+
+- /* Depends on LVDS */
+- max-clock = <135000000>;
+- min-vrefresh = <50>;
+-
+ adi,input-depth = <8>;
+ adi,input-colorspace = "rgb";
+ adi,input-clock = "1x";
+--
+2.30.2
+
--- /dev/null
+From 4230c0759f65c0ee8ecc70cd253e5844717a3591 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Aug 2021 09:57:35 +0200
+Subject: ASoC: Intel: Skylake: Fix module resource and format selection
+
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+
+[ Upstream commit e8b374b649afe756c2470e0e6668022e90bf8518 ]
+
+Module configuration may differ between its instances depending on
+resources required and input and output audio format. Available
+parameters to select from are stored in module resource and interface
+(format) lists. These come from topology, together with description of
+each of pipe's modules.
+
+Ignoring index value provided by topology and relying always on 0th
+entry leads to unexpected module behavior due to under/overbudged
+resources assigned or impropper format selection. Fix by taking entry at
+index specified by topology.
+
+Fixes: f6fa56e22559 ("ASoC: Intel: Skylake: Parse and update module config structure")
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Tested-by: Lukasz Majczak <lma@semihalf.com>
+Link: https://lore.kernel.org/r/20210818075742.1515155-5-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/skylake/skl-topology.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/sound/soc/intel/skylake/skl-topology.c b/sound/soc/intel/skylake/skl-topology.c
+index 104c73eb9769..254b796e635d 100644
+--- a/sound/soc/intel/skylake/skl-topology.c
++++ b/sound/soc/intel/skylake/skl-topology.c
+@@ -113,7 +113,7 @@ static int is_skl_dsp_widget_type(struct snd_soc_dapm_widget *w,
+
+ static void skl_dump_mconfig(struct skl_dev *skl, struct skl_module_cfg *mcfg)
+ {
+- struct skl_module_iface *iface = &mcfg->module->formats[0];
++ struct skl_module_iface *iface = &mcfg->module->formats[mcfg->fmt_idx];
+
+ dev_dbg(skl->dev, "Dumping config\n");
+ dev_dbg(skl->dev, "Input Format:\n");
+@@ -195,8 +195,8 @@ static void skl_tplg_update_params_fixup(struct skl_module_cfg *m_cfg,
+ struct skl_module_fmt *in_fmt, *out_fmt;
+
+ /* Fixups will be applied to pin 0 only */
+- in_fmt = &m_cfg->module->formats[0].inputs[0].fmt;
+- out_fmt = &m_cfg->module->formats[0].outputs[0].fmt;
++ in_fmt = &m_cfg->module->formats[m_cfg->fmt_idx].inputs[0].fmt;
++ out_fmt = &m_cfg->module->formats[m_cfg->fmt_idx].outputs[0].fmt;
+
+ if (params->stream == SNDRV_PCM_STREAM_PLAYBACK) {
+ if (is_fe) {
+@@ -239,9 +239,9 @@ static void skl_tplg_update_buffer_size(struct skl_dev *skl,
+ /* Since fixups is applied to pin 0 only, ibs, obs needs
+ * change for pin 0 only
+ */
+- res = &mcfg->module->resources[0];
+- in_fmt = &mcfg->module->formats[0].inputs[0].fmt;
+- out_fmt = &mcfg->module->formats[0].outputs[0].fmt;
++ res = &mcfg->module->resources[mcfg->res_idx];
++ in_fmt = &mcfg->module->formats[mcfg->fmt_idx].inputs[0].fmt;
++ out_fmt = &mcfg->module->formats[mcfg->fmt_idx].outputs[0].fmt;
+
+ if (mcfg->m_type == SKL_MODULE_TYPE_SRCINT)
+ multiplier = 5;
+@@ -1631,11 +1631,12 @@ int skl_tplg_update_pipe_params(struct device *dev,
+ struct skl_module_cfg *mconfig,
+ struct skl_pipe_params *params)
+ {
+- struct skl_module_res *res = &mconfig->module->resources[0];
++ struct skl_module_res *res;
+ struct skl_dev *skl = get_skl_ctx(dev);
+ struct skl_module_fmt *format = NULL;
+ u8 cfg_idx = mconfig->pipe->cur_config_idx;
+
++ res = &mconfig->module->resources[mconfig->res_idx];
+ skl_tplg_fill_dma_id(mconfig, params);
+ mconfig->fmt_idx = mconfig->mod_cfg[cfg_idx].fmt_idx;
+ mconfig->res_idx = mconfig->mod_cfg[cfg_idx].res_idx;
+@@ -1644,9 +1645,9 @@ int skl_tplg_update_pipe_params(struct device *dev,
+ return 0;
+
+ if (params->stream == SNDRV_PCM_STREAM_PLAYBACK)
+- format = &mconfig->module->formats[0].inputs[0].fmt;
++ format = &mconfig->module->formats[mconfig->fmt_idx].inputs[0].fmt;
+ else
+- format = &mconfig->module->formats[0].outputs[0].fmt;
++ format = &mconfig->module->formats[mconfig->fmt_idx].outputs[0].fmt;
+
+ /* set the hw_params */
+ format->s_freq = params->s_freq;
+--
+2.30.2
+
--- /dev/null
+From 77afec442960c8222f31416ea0fda1c3e7ce35cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Aug 2021 09:57:33 +0200
+Subject: ASoC: Intel: Skylake: Leave data as is when invoking TLV IPCs
+
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+
+[ Upstream commit 126b3422adc80f29d2129db7f61e0113a8a526c6 ]
+
+Advancing pointer initially fixed issue for some users but caused
+regression for others. Leave data as it to make it easier for end users
+to adjust their topology files if needed.
+
+Fixes: a8cd7066f042 ("ASoC: Intel: Skylake: Strip T and L from TLV IPCs")
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Tested-by: Lukasz Majczak <lma@semihalf.com>
+Link: https://lore.kernel.org/r/20210818075742.1515155-3-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/skylake/skl-topology.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/sound/soc/intel/skylake/skl-topology.c b/sound/soc/intel/skylake/skl-topology.c
+index 1940b17f27ef..104c73eb9769 100644
+--- a/sound/soc/intel/skylake/skl-topology.c
++++ b/sound/soc/intel/skylake/skl-topology.c
+@@ -1463,12 +1463,6 @@ static int skl_tplg_tlv_control_set(struct snd_kcontrol *kcontrol,
+ struct skl_dev *skl = get_skl_ctx(w->dapm->dev);
+
+ if (ac->params) {
+- /*
+- * Widget data is expected to be stripped of T and L
+- */
+- size -= 2 * sizeof(unsigned int);
+- data += 2;
+-
+ if (size > ac->max)
+ return -EINVAL;
+ ac->size = size;
+--
+2.30.2
+
--- /dev/null
+From a925002e4999eb09c53e7ba382e9c750dbe4db26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Aug 2021 07:25:28 +0200
+Subject: ASoC: wcd9335: Disable irq on slave ports in the remove function
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit d3efd26af2e044ff2b48d38bb871630282d77e60 ]
+
+The probe calls 'wcd9335_setup_irqs()' to enable interrupts on all slave
+ports.
+This must be undone in the remove function.
+
+Add a 'wcd9335_teardown_irqs()' function that undoes 'wcd9335_setup_irqs()'
+function, and call it from the remove function.
+
+Fixes: 20aedafdf492 ("ASoC: wcd9335: add support to wcd9335 codec")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Message-Id: <8f761244d79bd4c098af8a482be9121d3a486d1b.1629091028.git.christophe.jaillet@wanadoo.fr>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/wcd9335.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/sound/soc/codecs/wcd9335.c b/sound/soc/codecs/wcd9335.c
+index 5ec63217ad02..016aff97e2fb 100644
+--- a/sound/soc/codecs/wcd9335.c
++++ b/sound/soc/codecs/wcd9335.c
+@@ -4076,6 +4076,16 @@ static int wcd9335_setup_irqs(struct wcd9335_codec *wcd)
+ return ret;
+ }
+
++static void wcd9335_teardown_irqs(struct wcd9335_codec *wcd)
++{
++ int i;
++
++ /* disable interrupts on all slave ports */
++ for (i = 0; i < WCD9335_SLIM_NUM_PORT_REG; i++)
++ regmap_write(wcd->if_regmap, WCD9335_SLIM_PGD_PORT_INT_EN0 + i,
++ 0x00);
++}
++
+ static void wcd9335_cdc_sido_ccl_enable(struct wcd9335_codec *wcd,
+ bool ccl_flag)
+ {
+@@ -4878,6 +4888,7 @@ static void wcd9335_codec_remove(struct snd_soc_component *comp)
+ struct wcd9335_codec *wcd = dev_get_drvdata(comp->dev);
+
+ wcd_clsh_ctrl_free(wcd->clsh_ctrl);
++ wcd9335_teardown_irqs(wcd);
+ }
+
+ static int wcd9335_codec_set_sysclk(struct snd_soc_component *comp,
+--
+2.30.2
+
--- /dev/null
+From a009cfc170c10911482be7600661720c475c2006 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Aug 2021 07:25:10 +0200
+Subject: ASoC: wcd9335: Fix a double irq free in the remove function
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 7a6a723e98aa45f393e6add18f7309dfffa1b0e2 ]
+
+There is no point in calling 'free_irq()' explicitly for
+'WCD9335_IRQ_SLIMBUS' in the remove function.
+
+The irqs are requested in 'wcd9335_setup_irqs()' using a resource managed
+function (i.e. 'devm_request_threaded_irq()').
+'wcd9335_setup_irqs()' requests all what is defined in the 'wcd9335_irqs'
+structure.
+This structure has only one entry for 'WCD9335_IRQ_SLIMBUS'.
+
+So 'devm_request...irq()' + explicit 'free_irq()' would lead to a double
+free.
+
+Remove the unneeded 'free_irq()' from the remove function.
+
+Fixes: 20aedafdf492 ("ASoC: wcd9335: add support to wcd9335 codec")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Message-Id: <0614d63bc00edd7e81dd367504128f3d84f72efa.1629091028.git.christophe.jaillet@wanadoo.fr>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/wcd9335.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/sound/soc/codecs/wcd9335.c b/sound/soc/codecs/wcd9335.c
+index 81906c25e4a8..a31a20dcd6b5 100644
+--- a/sound/soc/codecs/wcd9335.c
++++ b/sound/soc/codecs/wcd9335.c
+@@ -4869,7 +4869,6 @@ static void wcd9335_codec_remove(struct snd_soc_component *comp)
+ struct wcd9335_codec *wcd = dev_get_drvdata(comp->dev);
+
+ wcd_clsh_ctrl_free(wcd->clsh_ctrl);
+- free_irq(regmap_irq_get_virq(wcd->irq_data, WCD9335_IRQ_SLIMBUS), wcd);
+ }
+
+ static int wcd9335_codec_set_sysclk(struct snd_soc_component *comp,
+--
+2.30.2
+
--- /dev/null
+From bd5723541c2db5e33cd691de6622e6501ba89b12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Aug 2021 07:25:20 +0200
+Subject: ASoC: wcd9335: Fix a memory leak in the error handling path of the
+ probe function
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit fc6fc81caa63900cef9ebb8b2e365c3ed5a9effb ]
+
+If 'wcd9335_setup_irqs()' fails, me must release the memory allocated in
+'wcd_clsh_ctrl_alloc()', as already done in the remove function.
+
+Add an error handling path and the missing 'wcd_clsh_ctrl_free()' call.
+
+Fixes: 20aedafdf492 ("ASoC: wcd9335: add support to wcd9335 codec")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Message-Id: <6dc12372f09fabb70bf05941dbe6a1382dc93e43.1629091028.git.christophe.jaillet@wanadoo.fr>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/wcd9335.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/wcd9335.c b/sound/soc/codecs/wcd9335.c
+index a31a20dcd6b5..5ec63217ad02 100644
+--- a/sound/soc/codecs/wcd9335.c
++++ b/sound/soc/codecs/wcd9335.c
+@@ -4844,6 +4844,7 @@ static void wcd9335_codec_init(struct snd_soc_component *component)
+ static int wcd9335_codec_probe(struct snd_soc_component *component)
+ {
+ struct wcd9335_codec *wcd = dev_get_drvdata(component->dev);
++ int ret;
+ int i;
+
+ snd_soc_component_init_regmap(component, wcd->regmap);
+@@ -4861,7 +4862,15 @@ static int wcd9335_codec_probe(struct snd_soc_component *component)
+ for (i = 0; i < NUM_CODEC_DAIS; i++)
+ INIT_LIST_HEAD(&wcd->dai[i].slim_ch_list);
+
+- return wcd9335_setup_irqs(wcd);
++ ret = wcd9335_setup_irqs(wcd);
++ if (ret)
++ goto free_clsh_ctrl;
++
++ return 0;
++
++free_clsh_ctrl:
++ wcd_clsh_ctrl_free(wcd->clsh_ctrl);
++ return ret;
+ }
+
+ static void wcd9335_codec_remove(struct snd_soc_component *comp)
+--
+2.30.2
+
--- /dev/null
+From 36343a1bb833623331b1ef00dd6edd15768fde85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Aug 2021 14:34:38 +0300
+Subject: ath6kl: wmi: fix an error code in ath6kl_wmi_sync_point()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit fd6729ec534cffbbeb3917761e6d1fe6a412d3fe ]
+
+This error path is unlikely because of it checked for NULL and
+returned -ENOMEM earlier in the function. But it should return
+an error code here as well if we ever do hit it because of a
+race condition or something.
+
+Fixes: bdcd81707973 ("Add ath6kl cleaned up driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210813113438.GB30697@kili
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath6kl/wmi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c
+index c610fe21c85c..31ffec3a5972 100644
+--- a/drivers/net/wireless/ath/ath6kl/wmi.c
++++ b/drivers/net/wireless/ath/ath6kl/wmi.c
+@@ -2510,8 +2510,10 @@ static int ath6kl_wmi_sync_point(struct wmi *wmi, u8 if_idx)
+ goto free_data_skb;
+
+ for (index = 0; index < num_pri_streams; index++) {
+- if (WARN_ON(!data_sync_bufs[index].skb))
++ if (WARN_ON(!data_sync_bufs[index].skb)) {
++ ret = -ENOMEM;
+ goto free_data_skb;
++ }
+
+ ep_id = ath6kl_ac2_endpoint_id(wmi->parent_dev,
+ data_sync_bufs[index].
+--
+2.30.2
+
--- /dev/null
+From 002cba1b574938679b4c34db1e4d58af07fb7d41 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 08:40:26 +0200
+Subject: bcache: add proper error unwinding in bcache_device_init
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 224b0683228c5f332f9cee615d85e75e9a347170 ]
+
+Except for the IDA none of the allocations in bcache_device_init is
+unwound on error, fix that.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Acked-by: Coly Li <colyli@suse.de>
+Link: https://lore.kernel.org/r/20210809064028.1198327-7-hch@lst.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/super.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
+index b0d569032dd4..efdf6ce0443e 100644
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -839,20 +839,20 @@ static int bcache_device_init(struct bcache_device *d, unsigned int block_size,
+ n = BITS_TO_LONGS(d->nr_stripes) * sizeof(unsigned long);
+ d->full_dirty_stripes = kvzalloc(n, GFP_KERNEL);
+ if (!d->full_dirty_stripes)
+- return -ENOMEM;
++ goto out_free_stripe_sectors_dirty;
+
+ idx = ida_simple_get(&bcache_device_idx, 0,
+ BCACHE_DEVICE_IDX_MAX, GFP_KERNEL);
+ if (idx < 0)
+- return idx;
++ goto out_free_full_dirty_stripes;
+
+ if (bioset_init(&d->bio_split, 4, offsetof(struct bbio, bio),
+ BIOSET_NEED_BVECS|BIOSET_NEED_RESCUER))
+- goto err;
++ goto out_ida_remove;
+
+ d->disk = alloc_disk(BCACHE_MINORS);
+ if (!d->disk)
+- goto err;
++ goto out_bioset_exit;
+
+ set_capacity(d->disk, sectors);
+ snprintf(d->disk->disk_name, DISK_NAME_LEN, "bcache%i", idx);
+@@ -887,8 +887,14 @@ static int bcache_device_init(struct bcache_device *d, unsigned int block_size,
+
+ return 0;
+
+-err:
++out_bioset_exit:
++ bioset_exit(&d->bio_split);
++out_ida_remove:
+ ida_simple_remove(&bcache_device_idx, idx);
++out_free_full_dirty_stripes:
++ kvfree(d->full_dirty_stripes);
++out_free_stripe_sectors_dirty:
++ kvfree(d->stripe_sectors_dirty);
+ return -ENOMEM;
+
+ }
+--
+2.30.2
+
--- /dev/null
+From b1d3f7850d6949ceafce81442edae935d1fd3b08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jul 2021 10:52:31 +0800
+Subject: bcma: Fix memory leak for internally-handled cores
+
+From: Zenghui Yu <yuzenghui@huawei.com>
+
+[ Upstream commit b63aed3ff195130fef12e0af590f4838cf0201d8 ]
+
+kmemleak reported that dev_name() of internally-handled cores were leaked
+on driver unbinding. Let's use device_initialize() to take refcounts for
+them and put_device() to properly free the related stuff.
+
+While looking at it, there's another potential issue for those which should
+be *registered* into driver core. If device_register() failed, we put
+device once and freed bcma_device structures. In bcma_unregister_cores(),
+they're treated as unregistered and we hit both UAF and double-free. That
+smells not good and has also been fixed now.
+
+Fixes: ab54bc8460b5 ("bcma: fill core details for every device")
+Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210727025232.663-2-yuzenghui@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bcma/main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/bcma/main.c b/drivers/bcma/main.c
+index 6535614a7dc1..1df2b5801c3b 100644
+--- a/drivers/bcma/main.c
++++ b/drivers/bcma/main.c
+@@ -236,6 +236,7 @@ EXPORT_SYMBOL(bcma_core_irq);
+
+ void bcma_prepare_core(struct bcma_bus *bus, struct bcma_device *core)
+ {
++ device_initialize(&core->dev);
+ core->dev.release = bcma_release_core_dev;
+ core->dev.bus = &bcma_bus_type;
+ dev_set_name(&core->dev, "bcma%d:%d", bus->num, core->core_index);
+@@ -277,11 +278,10 @@ static void bcma_register_core(struct bcma_bus *bus, struct bcma_device *core)
+ {
+ int err;
+
+- err = device_register(&core->dev);
++ err = device_add(&core->dev);
+ if (err) {
+ bcma_err(bus, "Could not register dev for core 0x%03X\n",
+ core->id.id);
+- put_device(&core->dev);
+ return;
+ }
+ core->dev_registered = true;
+@@ -372,7 +372,7 @@ void bcma_unregister_cores(struct bcma_bus *bus)
+ /* Now noone uses internally-handled cores, we can free them */
+ list_for_each_entry_safe(core, tmp, &bus->cores, list) {
+ list_del(&core->list);
+- kfree(core);
++ put_device(&core->dev);
+ }
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 3cf70c9e964be9e1a1207816159567149a1b53b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Aug 2021 12:15:01 +0300
+Subject: block: nbd: add sanity check for first_minor
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit b1a811633f7321cf1ae2bb76a66805b7720e44c9 ]
+
+Syzbot hit WARNING in internal_create_group(). The problem was in
+too big disk->first_minor.
+
+disk->first_minor is initialized by value, which comes from userspace
+and there wasn't any sanity checks about value correctness. It can cause
+duplicate creation of sysfs files/links, because disk->first_minor will
+be passed to MKDEV() which causes truncation to byte. Since maximum
+minor value is 0xff, let's check if first_minor is correct minor number.
+
+NOTE: the root case of the reported warning was in wrong error handling
+in register_disk(), but we can avoid passing knowingly wrong values to
+sysfs API, because sysfs error messages can confuse users. For example:
+user passed 1048576 as index, but sysfs complains about duplicate
+creation of /dev/block/43:0. It's not obvious how 1048576 becomes 0.
+Log and reproducer for above example can be found on syzkaller bug
+report page.
+
+Link: https://syzkaller.appspot.com/bug?id=03c2ae9146416edf811958d5fd7acfab75b143d1
+Fixes: b0d9111a2d53 ("nbd: use an idr to keep track of nbd devices")
+Reported-by: syzbot+9937dc42271cd87d4b98@syzkaller.appspotmail.com
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/nbd.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index 25e81b1a59a5..bc3ab98855cf 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -1744,7 +1744,17 @@ static int nbd_dev_add(int index)
+ refcount_set(&nbd->refs, 1);
+ INIT_LIST_HEAD(&nbd->list);
+ disk->major = NBD_MAJOR;
++
++ /* Too big first_minor can cause duplicate creation of
++ * sysfs files/links, since first_minor will be truncated to
++ * byte in __device_add_disk().
++ */
+ disk->first_minor = index << part_shift;
++ if (disk->first_minor > 0xff) {
++ err = -EINVAL;
++ goto out_free_idr;
++ }
++
+ disk->fops = &nbd_fops;
+ disk->private_data = nbd;
+ sprintf(disk->disk_name, "nbd%d", index);
+--
+2.30.2
+
--- /dev/null
+From a3cc601a294c0618546a9b5bf6fe7eac3780f8e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Aug 2021 18:15:21 +0300
+Subject: Bluetooth: add timeout sanity check to hci_inquiry
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit f41a4b2b5eb7872109723dab8ae1603bdd9d9ec1 ]
+
+Syzbot hit "task hung" bug in hci_req_sync(). The problem was in
+unreasonable huge inquiry timeout passed from userspace.
+Fix it by adding sanity check for timeout value to hci_inquiry().
+
+Since hci_inquiry() is the only user of hci_req_sync() with user
+controlled timeout value, it makes sense to check timeout value in
+hci_inquiry() and don't touch hci_req_sync().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-and-tested-by: syzbot+be2baed593ea56c6a84c@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index 4e4972800370..bdd330527cfa 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -1297,6 +1297,12 @@ int hci_inquiry(void __user *arg)
+ goto done;
+ }
+
++ /* Restrict maximum inquiry length to 60 seconds */
++ if (ir.length > 60) {
++ err = -EINVAL;
++ goto done;
++ }
++
+ hci_dev_lock(hdev);
+ if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX ||
+ inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) {
+--
+2.30.2
+
--- /dev/null
+From 58baca46765c8a519f58bbc90a25ae8a51831422 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 12:14:10 +0800
+Subject: Bluetooth: fix repeated calls to sco_sock_kill
+
+From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+
+[ Upstream commit e1dee2c1de2b4dd00eb44004a4bda6326ed07b59 ]
+
+In commit 4e1a720d0312 ("Bluetooth: avoid killing an already killed
+socket"), a check was added to sco_sock_kill to skip killing a socket
+if the SOCK_DEAD flag was set.
+
+This was done after a trace for a use-after-free bug showed that the
+same sock pointer was being killed twice.
+
+Unfortunately, this check prevents sco_sock_kill from running on any
+socket. sco_sock_kill kills a socket only if it's zapped and orphaned,
+however sock_orphan announces that the socket is dead before detaching
+it. i.e., orphaned sockets have the SOCK_DEAD flag set.
+
+To fix this, we remove the check for SOCK_DEAD, and avoid repeated
+calls to sco_sock_kill by removing incorrect calls in:
+
+1. sco_sock_timeout. The socket should not be killed on timeout as
+further processing is expected to be done. For example,
+sco_sock_connect sets the timer then waits for the socket to be
+connected or for an error to be returned.
+
+2. sco_conn_del. This function should clean up resources for the
+connection, but the socket itself should be cleaned up in
+sco_sock_release.
+
+3. sco_sock_close. Calls to sco_sock_close in sco_sock_cleanup_listen
+and sco_sock_release are followed by sco_sock_kill. Hence the
+duplicated call should be removed.
+
+Fixes: 4e1a720d0312 ("Bluetooth: avoid killing an already killed socket")
+Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/sco.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
+index 335264706aae..1b7540cb8e5c 100644
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -84,7 +84,6 @@ static void sco_sock_timeout(struct timer_list *t)
+ sk->sk_state_change(sk);
+ bh_unlock_sock(sk);
+
+- sco_sock_kill(sk);
+ sock_put(sk);
+ }
+
+@@ -176,7 +175,6 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
+ sco_sock_clear_timer(sk);
+ sco_chan_del(sk, err);
+ bh_unlock_sock(sk);
+- sco_sock_kill(sk);
+ sock_put(sk);
+ }
+
+@@ -393,8 +391,7 @@ static void sco_sock_cleanup_listen(struct sock *parent)
+ */
+ static void sco_sock_kill(struct sock *sk)
+ {
+- if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket ||
+- sock_flag(sk, SOCK_DEAD))
++ if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
+ return;
+
+ BT_DBG("sk %p state %d", sk, sk->sk_state);
+@@ -446,7 +443,6 @@ static void sco_sock_close(struct sock *sk)
+ lock_sock(sk);
+ __sco_sock_close(sk);
+ release_sock(sk);
+- sco_sock_kill(sk);
+ }
+
+ static void sco_sock_init(struct sock *sk, struct sock *parent)
+--
+2.30.2
+
--- /dev/null
+From 1519389c14f5b8dec9d9b4a8615138ee32bf4471 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Aug 2021 16:09:51 +0100
+Subject: Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer
+ overflow
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 713baf3dae8f45dc8ada4ed2f5fdcbf94a5c274d ]
+
+An earlier commit replaced using batostr to using %pMR sprintf for the
+construction of session->name. Static analysis detected that this new
+method can use a total of 21 characters (including the trailing '\0')
+so we need to increase the BTNAMSIZ from 18 to 21 to fix potential
+buffer overflows.
+
+Addresses-Coverity: ("Out-of-bounds write")
+Fixes: fcb73338ed53 ("Bluetooth: Use %pMR in sprintf/seq_printf instead of batostr")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/cmtp/cmtp.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/cmtp/cmtp.h b/net/bluetooth/cmtp/cmtp.h
+index c32638dddbf9..f6b9dc4e408f 100644
+--- a/net/bluetooth/cmtp/cmtp.h
++++ b/net/bluetooth/cmtp/cmtp.h
+@@ -26,7 +26,7 @@
+ #include <linux/types.h>
+ #include <net/bluetooth/bluetooth.h>
+
+-#define BTNAMSIZ 18
++#define BTNAMSIZ 21
+
+ /* CMTP ioctl defines */
+ #define CMTPCONNADD _IOW('C', 200, int)
+--
+2.30.2
+
--- /dev/null
+From a902841e50c94f4b03ad6425fe212aac95e36b47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 12:53:15 +0800
+Subject: Bluetooth: Move shutdown callback before flushing tx and rx queue
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+[ Upstream commit 0ea53674d07fb6db2dd7a7ec2fdc85a12eb246c2 ]
+
+Commit 0ea9fd001a14 ("Bluetooth: Shutdown controller after workqueues
+are flushed or cancelled") introduced a regression that makes mtkbtsdio
+driver stops working:
+[ 36.593956] Bluetooth: hci0: Firmware already downloaded
+[ 46.814613] Bluetooth: hci0: Execution of wmt command timed out
+[ 46.814619] Bluetooth: hci0: Failed to send wmt func ctrl (-110)
+
+The shutdown callback depends on the result of hdev->rx_work, so we
+should call it before flushing rx_work:
+-> btmtksdio_shutdown()
+ -> mtk_hci_wmt_sync()
+ -> __hci_cmd_send()
+ -> wait for BTMTKSDIO_TX_WAIT_VND_EVT gets cleared
+
+-> btmtksdio_recv_event()
+ -> hci_recv_frame()
+ -> queue_work(hdev->workqueue, &hdev->rx_work)
+ -> clears BTMTKSDIO_TX_WAIT_VND_EVT
+
+So move the shutdown callback before flushing TX/RX queue to resolve the
+issue.
+
+Reported-and-tested-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
+Tested-by: Hsin-Yi Wang <hsinyi@chromium.org>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Fixes: 0ea9fd001a14 ("Bluetooth: Shutdown controller after workqueues are flushed or cancelled")
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_core.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index 83a07fca9000..4e4972800370 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -1685,6 +1685,14 @@ int hci_dev_do_close(struct hci_dev *hdev)
+ hci_request_cancel_all(hdev);
+ hci_req_sync_lock(hdev);
+
++ if (!hci_dev_test_flag(hdev, HCI_UNREGISTER) &&
++ !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
++ test_bit(HCI_UP, &hdev->flags)) {
++ /* Execute vendor specific shutdown routine */
++ if (hdev->shutdown)
++ hdev->shutdown(hdev);
++ }
++
+ if (!test_and_clear_bit(HCI_UP, &hdev->flags)) {
+ cancel_delayed_work_sync(&hdev->cmd_timer);
+ hci_req_sync_unlock(hdev);
+--
+2.30.2
+
--- /dev/null
+From 715ee83185c970255b9da7ba46c0a09573796910 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jun 2021 18:00:09 +0300
+Subject: Bluetooth: sco: prevent information leak in sco_conn_defer_accept()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 59da0b38bc2ea570ede23a3332ecb3e7574ce6b2 ]
+
+Smatch complains that some of these struct members are not initialized
+leading to a stack information disclosure:
+
+ net/bluetooth/sco.c:778 sco_conn_defer_accept() warn:
+ check that 'cp.retrans_effort' doesn't leak information
+
+This seems like a valid warning. I've added a default case to fix
+this issue.
+
+Fixes: 2f69a82acf6f ("Bluetooth: Use voice setting in deferred SCO connection request")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/sco.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
+index b91d6b440fdf..335264706aae 100644
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -761,6 +761,11 @@ static void sco_conn_defer_accept(struct hci_conn *conn, u16 setting)
+ cp.max_latency = cpu_to_le16(0xffff);
+ cp.retrans_effort = 0xff;
+ break;
++ default:
++ /* use CVSD settings as fallback */
++ cp.max_latency = cpu_to_le16(0xffff);
++ cp.retrans_effort = 0xff;
++ break;
+ }
+
+ hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ,
+--
+2.30.2
+
--- /dev/null
+From cf42dca28ccca47514cc82c766cd096d6e505891 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jul 2021 21:43:17 +0900
+Subject: bpf: Fix a typo of reuseport map in bpf.h.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.co.jp>
+
+[ Upstream commit f170acda7ffaf0473d06e1e17c12cd9fd63904f5 ]
+
+Fix s/BPF_MAP_TYPE_REUSEPORT_ARRAY/BPF_MAP_TYPE_REUSEPORT_SOCKARRAY/ typo
+in bpf.h.
+
+Fixes: 2dbb9b9e6df6 ("bpf: Introduce BPF_PROG_TYPE_SK_REUSEPORT")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.co.jp>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/bpf/20210714124317.67526-1-kuniyu@amazon.co.jp
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/bpf.h | 2 +-
+ tools/include/uapi/linux/bpf.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
+index 8649422e760c..63038eb23560 100644
+--- a/include/uapi/linux/bpf.h
++++ b/include/uapi/linux/bpf.h
+@@ -2264,7 +2264,7 @@ union bpf_attr {
+ * int bpf_sk_select_reuseport(struct sk_reuseport_md *reuse, struct bpf_map *map, void *key, u64 flags)
+ * Description
+ * Select a **SO_REUSEPORT** socket from a
+- * **BPF_MAP_TYPE_REUSEPORT_ARRAY** *map*.
++ * **BPF_MAP_TYPE_REUSEPORT_SOCKARRAY** *map*.
+ * It checks the selected socket is matching the incoming
+ * request in the socket buffer.
+ * Return
+diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
+index 8649422e760c..63038eb23560 100644
+--- a/tools/include/uapi/linux/bpf.h
++++ b/tools/include/uapi/linux/bpf.h
+@@ -2264,7 +2264,7 @@ union bpf_attr {
+ * int bpf_sk_select_reuseport(struct sk_reuseport_md *reuse, struct bpf_map *map, void *key, u64 flags)
+ * Description
+ * Select a **SO_REUSEPORT** socket from a
+- * **BPF_MAP_TYPE_REUSEPORT_ARRAY** *map*.
++ * **BPF_MAP_TYPE_REUSEPORT_SOCKARRAY** *map*.
+ * It checks the selected socket is matching the incoming
+ * request in the socket buffer.
+ * Return
+--
+2.30.2
+
--- /dev/null
+From 325e4ead6bdee51e292340268e2d49c2f3f67d73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Aug 2021 09:39:35 -0700
+Subject: bpf: Fix possible out of bound write in narrow load handling
+
+From: Andrey Ignatov <rdna@fb.com>
+
+[ Upstream commit d7af7e497f0308bc97809cc48b58e8e0f13887e1 ]
+
+Fix a verifier bug found by smatch static checker in [0].
+
+This problem has never been seen in prod to my best knowledge. Fixing it
+still seems to be a good idea since it's hard to say for sure whether
+it's possible or not to have a scenario where a combination of
+convert_ctx_access() and a narrow load would lead to an out of bound
+write.
+
+When narrow load is handled, one or two new instructions are added to
+insn_buf array, but before it was only checked that
+
+ cnt >= ARRAY_SIZE(insn_buf)
+
+And it's safe to add a new instruction to insn_buf[cnt++] only once. The
+second try will lead to out of bound write. And this is what can happen
+if `shift` is set.
+
+Fix it by making sure that if the BPF_RSH instruction has to be added in
+addition to BPF_AND then there is enough space for two more instructions
+in insn_buf.
+
+The full report [0] is below:
+
+kernel/bpf/verifier.c:12304 convert_ctx_accesses() warn: offset 'cnt' incremented past end of array
+kernel/bpf/verifier.c:12311 convert_ctx_accesses() warn: offset 'cnt' incremented past end of array
+
+kernel/bpf/verifier.c
+ 12282
+ 12283 insn->off = off & ~(size_default - 1);
+ 12284 insn->code = BPF_LDX | BPF_MEM | size_code;
+ 12285 }
+ 12286
+ 12287 target_size = 0;
+ 12288 cnt = convert_ctx_access(type, insn, insn_buf, env->prog,
+ 12289 &target_size);
+ 12290 if (cnt == 0 || cnt >= ARRAY_SIZE(insn_buf) ||
+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Bounds check.
+
+ 12291 (ctx_field_size && !target_size)) {
+ 12292 verbose(env, "bpf verifier is misconfigured\n");
+ 12293 return -EINVAL;
+ 12294 }
+ 12295
+ 12296 if (is_narrower_load && size < target_size) {
+ 12297 u8 shift = bpf_ctx_narrow_access_offset(
+ 12298 off, size, size_default) * 8;
+ 12299 if (ctx_field_size <= 4) {
+ 12300 if (shift)
+ 12301 insn_buf[cnt++] = BPF_ALU32_IMM(BPF_RSH,
+ ^^^^^
+increment beyond end of array
+
+ 12302 insn->dst_reg,
+ 12303 shift);
+--> 12304 insn_buf[cnt++] = BPF_ALU32_IMM(BPF_AND, insn->dst_reg,
+ ^^^^^
+out of bounds write
+
+ 12305 (1 << size * 8) - 1);
+ 12306 } else {
+ 12307 if (shift)
+ 12308 insn_buf[cnt++] = BPF_ALU64_IMM(BPF_RSH,
+ 12309 insn->dst_reg,
+ 12310 shift);
+ 12311 insn_buf[cnt++] = BPF_ALU64_IMM(BPF_AND, insn->dst_reg,
+ ^^^^^^^^^^^^^^^
+Same.
+
+ 12312 (1ULL << size * 8) - 1);
+ 12313 }
+ 12314 }
+ 12315
+ 12316 new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
+ 12317 if (!new_prog)
+ 12318 return -ENOMEM;
+ 12319
+ 12320 delta += cnt - 1;
+ 12321
+ 12322 /* keep walking new program and skip insns we just inserted */
+ 12323 env->prog = new_prog;
+ 12324 insn = new_prog->insnsi + i + delta;
+ 12325 }
+ 12326
+ 12327 return 0;
+ 12328 }
+
+[0] https://lore.kernel.org/bpf/20210817050843.GA21456@kili/
+
+v1->v2:
+- clarify that problem was only seen by static checker but not in prod;
+
+Fixes: 46f53a65d2de ("bpf: Allow narrow loads with offset > 0")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Andrey Ignatov <rdna@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/20210820163935.1902398-1-rdna@fb.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 80b219d27e37..c5ecb6147ea2 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -8957,6 +8957,10 @@ static int convert_ctx_accesses(struct bpf_verifier_env *env)
+ if (is_narrower_load && size < target_size) {
+ u8 shift = bpf_ctx_narrow_access_offset(
+ off, size, size_default) * 8;
++ if (shift && cnt + 1 >= ARRAY_SIZE(insn_buf)) {
++ verbose(env, "bpf verifier narrow ctx load misconfigured\n");
++ return -EINVAL;
++ }
+ if (ctx_field_size <= 4) {
+ if (shift)
+ insn_buf[cnt++] = BPF_ALU32_IMM(BPF_RSH,
+--
+2.30.2
+
--- /dev/null
+From 5b5d924c748a5936a67177abd98317d624d7782a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jul 2021 10:18:15 +0000
+Subject: bpf: Fix potential memleak and UAF in the verifier.
+
+From: He Fengqing <hefengqing@huawei.com>
+
+[ Upstream commit 75f0fc7b48ad45a2e5736bcf8de26c8872fe8695 ]
+
+In bpf_patch_insn_data(), we first use the bpf_patch_insn_single() to
+insert new instructions, then use adjust_insn_aux_data() to adjust
+insn_aux_data. If the old env->prog have no enough room for new inserted
+instructions, we use bpf_prog_realloc to construct new_prog and free the
+old env->prog.
+
+There have two errors here. First, if adjust_insn_aux_data() return
+ENOMEM, we should free the new_prog. Second, if adjust_insn_aux_data()
+return ENOMEM, bpf_patch_insn_data() will return NULL, and env->prog has
+been freed in bpf_prog_realloc, but we will use it in bpf_check().
+
+So in this patch, we make the adjust_insn_aux_data() never fails. In
+bpf_patch_insn_data(), we first pre-malloc memory for the new
+insn_aux_data, then call bpf_patch_insn_single() to insert new
+instructions, at last call adjust_insn_aux_data() to adjust
+insn_aux_data.
+
+Fixes: 8041902dae52 ("bpf: adjust insn_aux_data when patching insns")
+Signed-off-by: He Fengqing <hefengqing@huawei.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Song Liu <songliubraving@fb.com>
+Link: https://lore.kernel.org/bpf/20210714101815.164322-1-hefengqing@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 4deaf15b7618..80b219d27e37 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -8401,10 +8401,11 @@ static void convert_pseudo_ld_imm64(struct bpf_verifier_env *env)
+ * insni[off, off + cnt). Adjust corresponding insn_aux_data by copying
+ * [0, off) and [off, end) to new locations, so the patched range stays zero
+ */
+-static int adjust_insn_aux_data(struct bpf_verifier_env *env,
+- struct bpf_prog *new_prog, u32 off, u32 cnt)
++static void adjust_insn_aux_data(struct bpf_verifier_env *env,
++ struct bpf_insn_aux_data *new_data,
++ struct bpf_prog *new_prog, u32 off, u32 cnt)
+ {
+- struct bpf_insn_aux_data *new_data, *old_data = env->insn_aux_data;
++ struct bpf_insn_aux_data *old_data = env->insn_aux_data;
+ struct bpf_insn *insn = new_prog->insnsi;
+ bool old_seen = old_data[off].seen;
+ u32 prog_len;
+@@ -8417,12 +8418,9 @@ static int adjust_insn_aux_data(struct bpf_verifier_env *env,
+ old_data[off].zext_dst = insn_has_def32(env, insn + off + cnt - 1);
+
+ if (cnt == 1)
+- return 0;
++ return;
+ prog_len = new_prog->len;
+- new_data = vzalloc(array_size(prog_len,
+- sizeof(struct bpf_insn_aux_data)));
+- if (!new_data)
+- return -ENOMEM;
++
+ memcpy(new_data, old_data, sizeof(struct bpf_insn_aux_data) * off);
+ memcpy(new_data + off + cnt - 1, old_data + off,
+ sizeof(struct bpf_insn_aux_data) * (prog_len - off - cnt + 1));
+@@ -8433,7 +8431,6 @@ static int adjust_insn_aux_data(struct bpf_verifier_env *env,
+ }
+ env->insn_aux_data = new_data;
+ vfree(old_data);
+- return 0;
+ }
+
+ static void adjust_subprog_starts(struct bpf_verifier_env *env, u32 off, u32 len)
+@@ -8454,6 +8451,14 @@ static struct bpf_prog *bpf_patch_insn_data(struct bpf_verifier_env *env, u32 of
+ const struct bpf_insn *patch, u32 len)
+ {
+ struct bpf_prog *new_prog;
++ struct bpf_insn_aux_data *new_data = NULL;
++
++ if (len > 1) {
++ new_data = vzalloc(array_size(env->prog->len + len - 1,
++ sizeof(struct bpf_insn_aux_data)));
++ if (!new_data)
++ return NULL;
++ }
+
+ new_prog = bpf_patch_insn_single(env->prog, off, patch, len);
+ if (IS_ERR(new_prog)) {
+@@ -8461,10 +8466,10 @@ static struct bpf_prog *bpf_patch_insn_data(struct bpf_verifier_env *env, u32 of
+ verbose(env,
+ "insn %d cannot be patched due to 16-bit range\n",
+ env->insn_aux_data[off].orig_idx);
++ vfree(new_data);
+ return NULL;
+ }
+- if (adjust_insn_aux_data(env, new_prog, off, len))
+- return NULL;
++ adjust_insn_aux_data(env, new_data, new_prog, off, len);
+ adjust_subprog_starts(env, off, len);
+ return new_prog;
+ }
+--
+2.30.2
+
--- /dev/null
+From cc2adf3e9b9a75634213cabb039bfd8481206d45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Aug 2021 08:35:22 +0200
+Subject: brcmfmac: pcie: fix oops on failure to resume and reprobe
+
+From: Ahmad Fatoum <a.fatoum@pengutronix.de>
+
+[ Upstream commit d745ca4f2c4ae9f1bd8cf7d8ac6e22d739bffd19 ]
+
+When resuming from suspend, brcmf_pcie_pm_leave_D3 will first attempt a
+hot resume and then fall back to removing the PCI device and then
+reprobing. If this probe fails, the kernel will oops, because brcmf_err,
+which is called to report the failure will dereference the stale bus
+pointer. Open code and use the default bus-less brcmf_err to avoid this.
+
+Fixes: 8602e62441ab ("brcmfmac: pass bus to the __brcmf_err() in pcie.c")
+Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210817063521.22450-1-a.fatoum@pengutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+index bda042138e96..e6001f0a81a3 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+@@ -2073,7 +2073,7 @@ cleanup:
+
+ err = brcmf_pcie_probe(pdev, NULL);
+ if (err)
+- brcmf_err(bus, "probe after resume failed, err=%d\n", err);
++ __brcmf_err(NULL, __func__, "probe after resume failed, err=%d\n", err);
+
+ return err;
+ }
+--
+2.30.2
+
--- /dev/null
+From 15c03daa723321d9451f52a9dbaa2623b7dbecc9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jun 2021 17:34:20 -0400
+Subject: certs: Trigger creation of RSA module signing key if it's not an RSA
+ key
+
+From: Stefan Berger <stefanb@linux.ibm.com>
+
+[ Upstream commit ea35e0d5df6c92fa2e124bb1b91d09b2240715ba ]
+
+Address a kbuild issue where a developer created an ECDSA key for signing
+kernel modules and then builds an older version of the kernel, when bi-
+secting the kernel for example, that does not support ECDSA keys.
+
+If openssl is installed, trigger the creation of an RSA module signing
+key if it is not an RSA key.
+
+Fixes: cfc411e7fff3 ("Move certificate handling to its own directory")
+Cc: David Howells <dhowells@redhat.com>
+Cc: David Woodhouse <dwmw2@infradead.org>
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Tested-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ certs/Makefile | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/certs/Makefile b/certs/Makefile
+index f4b90bad8690..2baef6fba029 100644
+--- a/certs/Makefile
++++ b/certs/Makefile
+@@ -46,11 +46,19 @@ endif
+ redirect_openssl = 2>&1
+ quiet_redirect_openssl = 2>&1
+ silent_redirect_openssl = 2>/dev/null
++openssl_available = $(shell openssl help 2>/dev/null && echo yes)
+
+ # We do it this way rather than having a boolean option for enabling an
+ # external private key, because 'make randconfig' might enable such a
+ # boolean option and we unfortunately can't make it depend on !RANDCONFIG.
+ ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem")
++
++ifeq ($(openssl_available),yes)
++X509TEXT=$(shell openssl x509 -in "certs/signing_key.pem" -text 2>/dev/null)
++
++$(if $(findstring rsaEncryption,$(X509TEXT)),,$(shell rm -f "certs/signing_key.pem"))
++endif
++
+ $(obj)/signing_key.pem: $(obj)/x509.genkey
+ @$(kecho) "###"
+ @$(kecho) "### Now generating an X.509 key pair to be used for signing modules."
+--
+2.30.2
+
--- /dev/null
+From a1417d477e2301a0377833cf256e6ced0e9e3bf0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jul 2021 10:18:27 -0400
+Subject: cgroup/cpuset: Fix a partition bug with hotplug
+
+From: Waiman Long <longman@redhat.com>
+
+[ Upstream commit 15d428e6fe77fffc3f4fff923336036f5496ef17 ]
+
+In cpuset_hotplug_workfn(), the detection of whether the cpu list
+has been changed is done by comparing the effective cpus of the top
+cpuset with the cpu_active_mask. However, in the rare case that just
+all the CPUs in the subparts_cpus are offlined, the detection fails
+and the partition states are not updated correctly. Fix it by forcing
+the cpus_updated flag to true in this particular case.
+
+Fixes: 4b842da276a8 ("cpuset: Make CPU hotplug work with partition")
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/cgroup/cpuset.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c
+index bab6a934862e..badfa8f15359 100644
+--- a/kernel/cgroup/cpuset.c
++++ b/kernel/cgroup/cpuset.c
+@@ -3166,6 +3166,13 @@ static void cpuset_hotplug_workfn(struct work_struct *work)
+ cpus_updated = !cpumask_equal(top_cpuset.effective_cpus, &new_cpus);
+ mems_updated = !nodes_equal(top_cpuset.effective_mems, new_mems);
+
++ /*
++ * In the rare case that hotplug removes all the cpus in subparts_cpus,
++ * we assumed that cpus are updated.
++ */
++ if (!cpus_updated && top_cpuset.nr_subparts_cpus)
++ cpus_updated = true;
++
+ /* synchronize cpus_allowed to cpu_active_mask */
+ if (cpus_updated) {
+ spin_lock_irq(&callback_lock);
+--
+2.30.2
+
--- /dev/null
+From c7b7ebc7098284b786310a20d9615872f325ccff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Aug 2021 12:27:09 +0200
+Subject: CIFS: Fix a potencially linear read overflow
+
+From: Len Baker <len.baker@gmx.com>
+
+[ Upstream commit f980d055a0f858d73d9467bb0b570721bbfcdfb8 ]
+
+strlcpy() reads the entire source buffer first. This read may exceed the
+destination size limit. This is both inefficient and can lead to linear
+read overflows if a source string is not NUL-terminated.
+
+Also, the strnlen() call does not avoid the read overflow in the strlcpy
+function when a not NUL-terminated string is passed.
+
+So, replace this block by a call to kstrndup() that avoids this type of
+overflow and does the same.
+
+Fixes: 066ce6899484d ("cifs: rename cifs_strlcpy_to_host and make it use new functions")
+Signed-off-by: Len Baker <len.baker@gmx.com>
+Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/cifs_unicode.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/fs/cifs/cifs_unicode.c b/fs/cifs/cifs_unicode.c
+index 9bd03a231032..171ad8b42107 100644
+--- a/fs/cifs/cifs_unicode.c
++++ b/fs/cifs/cifs_unicode.c
+@@ -358,14 +358,9 @@ cifs_strndup_from_utf16(const char *src, const int maxlen,
+ if (!dst)
+ return NULL;
+ cifs_from_utf16(dst, (__le16 *) src, len, maxlen, codepage,
+- NO_MAP_UNI_RSVD);
++ NO_MAP_UNI_RSVD);
+ } else {
+- len = strnlen(src, maxlen);
+- len++;
+- dst = kmalloc(len, GFP_KERNEL);
+- if (!dst)
+- return NULL;
+- strlcpy(dst, src, len);
++ dst = kstrndup(src, maxlen, GFP_KERNEL);
+ }
+
+ return dst;
+--
+2.30.2
+
--- /dev/null
+From 91cb645191d78591ddde4505e2b60cd8d84a691a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Apr 2021 14:34:43 +0200
+Subject: clocksource/drivers/sh_cmt: Fix wrong setting if don't request IRQ
+ for clock source channel
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Phong Hoang <phong.hoang.wz@renesas.com>
+
+[ Upstream commit be83c3b6e7b8ff22f72827a613bf6f3aa5afadbb ]
+
+If CMT instance has at least two channels, one channel will be used
+as a clock source and another one used as a clock event device.
+In that case, IRQ is not requested for clock source channel so
+sh_cmt_clock_event_program_verify() might work incorrectly.
+Besides, when a channel is only used for clock source, don't need to
+re-set the next match_value since it should be maximum timeout as
+it still is.
+
+On the other hand, due to no IRQ, total_cycles is not counted up
+when reaches compare match time (timer counter resets to zero),
+so sh_cmt_clocksource_read() returns unexpected value.
+Therefore, use 64-bit clocksoure's mask for 32-bit or 16-bit variants
+will also lead to wrong delta calculation. Hence, this mask should
+correspond to timer counter width, and above function just returns
+the raw value of timer counter register.
+
+Fixes: bfa76bb12f23 ("clocksource: sh_cmt: Request IRQ for clock event device only")
+Fixes: 37e7742c55ba ("clocksource/drivers/sh_cmt: Fix clocksource width for 32-bit machines")
+Signed-off-by: Phong Hoang <phong.hoang.wz@renesas.com>
+Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lore.kernel.org/r/20210422123443.73334-1-niklas.soderlund+renesas@ragnatech.se
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/sh_cmt.c | 30 ++++++++++++++++++------------
+ 1 file changed, 18 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/clocksource/sh_cmt.c b/drivers/clocksource/sh_cmt.c
+index ef773db080e9..a0570213170d 100644
+--- a/drivers/clocksource/sh_cmt.c
++++ b/drivers/clocksource/sh_cmt.c
+@@ -568,7 +568,8 @@ static int sh_cmt_start(struct sh_cmt_channel *ch, unsigned long flag)
+ ch->flags |= flag;
+
+ /* setup timeout if no clockevent */
+- if ((flag == FLAG_CLOCKSOURCE) && (!(ch->flags & FLAG_CLOCKEVENT)))
++ if (ch->cmt->num_channels == 1 &&
++ flag == FLAG_CLOCKSOURCE && (!(ch->flags & FLAG_CLOCKEVENT)))
+ __sh_cmt_set_next(ch, ch->max_match_value);
+ out:
+ raw_spin_unlock_irqrestore(&ch->lock, flags);
+@@ -604,20 +605,25 @@ static struct sh_cmt_channel *cs_to_sh_cmt(struct clocksource *cs)
+ static u64 sh_cmt_clocksource_read(struct clocksource *cs)
+ {
+ struct sh_cmt_channel *ch = cs_to_sh_cmt(cs);
+- unsigned long flags;
+ u32 has_wrapped;
+- u64 value;
+- u32 raw;
+
+- raw_spin_lock_irqsave(&ch->lock, flags);
+- value = ch->total_cycles;
+- raw = sh_cmt_get_counter(ch, &has_wrapped);
++ if (ch->cmt->num_channels == 1) {
++ unsigned long flags;
++ u64 value;
++ u32 raw;
+
+- if (unlikely(has_wrapped))
+- raw += ch->match_value + 1;
+- raw_spin_unlock_irqrestore(&ch->lock, flags);
++ raw_spin_lock_irqsave(&ch->lock, flags);
++ value = ch->total_cycles;
++ raw = sh_cmt_get_counter(ch, &has_wrapped);
++
++ if (unlikely(has_wrapped))
++ raw += ch->match_value + 1;
++ raw_spin_unlock_irqrestore(&ch->lock, flags);
++
++ return value + raw;
++ }
+
+- return value + raw;
++ return sh_cmt_get_counter(ch, &has_wrapped);
+ }
+
+ static int sh_cmt_clocksource_enable(struct clocksource *cs)
+@@ -680,7 +686,7 @@ static int sh_cmt_register_clocksource(struct sh_cmt_channel *ch,
+ cs->disable = sh_cmt_clocksource_disable;
+ cs->suspend = sh_cmt_clocksource_suspend;
+ cs->resume = sh_cmt_clocksource_resume;
+- cs->mask = CLOCKSOURCE_MASK(sizeof(u64) * 8);
++ cs->mask = CLOCKSOURCE_MASK(ch->cmt->info->width);
+ cs->flags = CLOCK_SOURCE_IS_CONTINUOUS;
+
+ dev_info(&ch->cmt->pdev->dev, "ch%u: used as clock source\n",
+--
+2.30.2
+
--- /dev/null
+From c98462c859bec6fa5efcde35c5098dd13ad35ff7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Aug 2021 21:06:11 +0900
+Subject: counter: 104-quad-8: Return error when invalid mode during
+ ceiling_write
+
+From: William Breathitt Gray <vilhelm.gray@gmail.com>
+
+[ Upstream commit 728246e8f7269ecd35a2c6e6795323e6d8f48db7 ]
+
+The 104-QUAD-8 only has two count modes where a ceiling value makes
+sense: Range Limit and Modulo-N. Outside of these two modes, setting a
+ceiling value is an invalid operation -- so let's report it as such by
+returning -EINVAL.
+
+Fixes: fc069262261c ("counter: 104-quad-8: Add lock guards - generic interface")
+Acked-by: Syed Nayyar Waris <syednwaris@gmail.com>
+Signed-off-by: William Breathitt Gray <vilhelm.gray@gmail.com>
+Link: https://lore.kernel.org/r/a2147f022829b66839a1db5530a7fada47856847.1627990337.git.vilhelm.gray@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/counter/104-quad-8.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/counter/104-quad-8.c b/drivers/counter/104-quad-8.c
+index 5c23a9a56921..f261a57af1c0 100644
+--- a/drivers/counter/104-quad-8.c
++++ b/drivers/counter/104-quad-8.c
+@@ -1230,12 +1230,13 @@ static ssize_t quad8_count_ceiling_write(struct counter_device *counter,
+ case 1:
+ case 3:
+ quad8_preset_register_set(priv, count->id, ceiling);
+- break;
++ mutex_unlock(&priv->lock);
++ return len;
+ }
+
+ mutex_unlock(&priv->lock);
+
+- return len;
++ return -EINVAL;
+ }
+
+ static ssize_t quad8_count_preset_enable_read(struct counter_device *counter,
+--
+2.30.2
+
--- /dev/null
+From 69e8533d108a076b9a63f07bf37378d14ee2512c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Jul 2021 14:56:37 -0400
+Subject: crypto: mxs-dcp - Check for DMA mapping errors
+
+From: Sean Anderson <sean.anderson@seco.com>
+
+[ Upstream commit df6313d707e575a679ada3313358289af24454c0 ]
+
+After calling dma_map_single(), we must also call dma_mapping_error().
+This fixes the following warning when compiling with CONFIG_DMA_API_DEBUG:
+
+[ 311.241478] WARNING: CPU: 0 PID: 428 at kernel/dma/debug.c:1027 check_unmap+0x79c/0x96c
+[ 311.249547] DMA-API: mxs-dcp 2280000.crypto: device driver failed to check map error[device address=0x00000000860cb080] [size=32 bytes] [mapped as single]
+
+Signed-off-by: Sean Anderson <sean.anderson@seco.com>
+Reviewed-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/mxs-dcp.c | 45 +++++++++++++++++++++++++++++++---------
+ 1 file changed, 35 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/crypto/mxs-dcp.c b/drivers/crypto/mxs-dcp.c
+index f8a48a84df2a..66fa524b6261 100644
+--- a/drivers/crypto/mxs-dcp.c
++++ b/drivers/crypto/mxs-dcp.c
+@@ -168,15 +168,19 @@ static struct dcp *global_sdcp;
+
+ static int mxs_dcp_start_dma(struct dcp_async_ctx *actx)
+ {
++ int dma_err;
+ struct dcp *sdcp = global_sdcp;
+ const int chan = actx->chan;
+ uint32_t stat;
+ unsigned long ret;
+ struct dcp_dma_desc *desc = &sdcp->coh->desc[actx->chan];
+-
+ dma_addr_t desc_phys = dma_map_single(sdcp->dev, desc, sizeof(*desc),
+ DMA_TO_DEVICE);
+
++ dma_err = dma_mapping_error(sdcp->dev, desc_phys);
++ if (dma_err)
++ return dma_err;
++
+ reinit_completion(&sdcp->completion[chan]);
+
+ /* Clear status register. */
+@@ -214,18 +218,29 @@ static int mxs_dcp_start_dma(struct dcp_async_ctx *actx)
+ static int mxs_dcp_run_aes(struct dcp_async_ctx *actx,
+ struct ablkcipher_request *req, int init)
+ {
++ dma_addr_t key_phys, src_phys, dst_phys;
+ struct dcp *sdcp = global_sdcp;
+ struct dcp_dma_desc *desc = &sdcp->coh->desc[actx->chan];
+ struct dcp_aes_req_ctx *rctx = ablkcipher_request_ctx(req);
+ int ret;
+
+- dma_addr_t key_phys = dma_map_single(sdcp->dev, sdcp->coh->aes_key,
+- 2 * AES_KEYSIZE_128,
+- DMA_TO_DEVICE);
+- dma_addr_t src_phys = dma_map_single(sdcp->dev, sdcp->coh->aes_in_buf,
+- DCP_BUF_SZ, DMA_TO_DEVICE);
+- dma_addr_t dst_phys = dma_map_single(sdcp->dev, sdcp->coh->aes_out_buf,
+- DCP_BUF_SZ, DMA_FROM_DEVICE);
++ key_phys = dma_map_single(sdcp->dev, sdcp->coh->aes_key,
++ 2 * AES_KEYSIZE_128, DMA_TO_DEVICE);
++ ret = dma_mapping_error(sdcp->dev, key_phys);
++ if (ret)
++ return ret;
++
++ src_phys = dma_map_single(sdcp->dev, sdcp->coh->aes_in_buf,
++ DCP_BUF_SZ, DMA_TO_DEVICE);
++ ret = dma_mapping_error(sdcp->dev, src_phys);
++ if (ret)
++ goto err_src;
++
++ dst_phys = dma_map_single(sdcp->dev, sdcp->coh->aes_out_buf,
++ DCP_BUF_SZ, DMA_FROM_DEVICE);
++ ret = dma_mapping_error(sdcp->dev, dst_phys);
++ if (ret)
++ goto err_dst;
+
+ if (actx->fill % AES_BLOCK_SIZE) {
+ dev_err(sdcp->dev, "Invalid block size!\n");
+@@ -263,10 +278,12 @@ static int mxs_dcp_run_aes(struct dcp_async_ctx *actx,
+ ret = mxs_dcp_start_dma(actx);
+
+ aes_done_run:
++ dma_unmap_single(sdcp->dev, dst_phys, DCP_BUF_SZ, DMA_FROM_DEVICE);
++err_dst:
++ dma_unmap_single(sdcp->dev, src_phys, DCP_BUF_SZ, DMA_TO_DEVICE);
++err_src:
+ dma_unmap_single(sdcp->dev, key_phys, 2 * AES_KEYSIZE_128,
+ DMA_TO_DEVICE);
+- dma_unmap_single(sdcp->dev, src_phys, DCP_BUF_SZ, DMA_TO_DEVICE);
+- dma_unmap_single(sdcp->dev, dst_phys, DCP_BUF_SZ, DMA_FROM_DEVICE);
+
+ return ret;
+ }
+@@ -565,6 +582,10 @@ static int mxs_dcp_run_sha(struct ahash_request *req)
+ dma_addr_t buf_phys = dma_map_single(sdcp->dev, sdcp->coh->sha_in_buf,
+ DCP_BUF_SZ, DMA_TO_DEVICE);
+
++ ret = dma_mapping_error(sdcp->dev, buf_phys);
++ if (ret)
++ return ret;
++
+ /* Fill in the DMA descriptor. */
+ desc->control0 = MXS_DCP_CONTROL0_DECR_SEMAPHORE |
+ MXS_DCP_CONTROL0_INTERRUPT |
+@@ -597,6 +618,10 @@ static int mxs_dcp_run_sha(struct ahash_request *req)
+ if (rctx->fini) {
+ digest_phys = dma_map_single(sdcp->dev, sdcp->coh->sha_out_buf,
+ DCP_SHA_PAY_SZ, DMA_FROM_DEVICE);
++ ret = dma_mapping_error(sdcp->dev, digest_phys);
++ if (ret)
++ goto done_run;
++
+ desc->control0 |= MXS_DCP_CONTROL0_HASH_TERM;
+ desc->payload = digest_phys;
+ }
+--
+2.30.2
+
--- /dev/null
+From 1b0231c6b1f4b277758674721fa5366b848e5039 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jul 2021 13:23:34 +0300
+Subject: crypto: omap-sham - clear dma flags only after
+ omap_sham_update_dma_stop()
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit fe28140b3393b0ba1eb95cc109f974a7e58b26fd ]
+
+We should not clear FLAGS_DMA_ACTIVE before omap_sham_update_dma_stop() is
+done calling dma_unmap_sg(). We already clear FLAGS_DMA_ACTIVE at the
+end of omap_sham_update_dma_stop().
+
+The early clearing of FLAGS_DMA_ACTIVE is not causing issues as we do not
+need to defer anything based on FLAGS_DMA_ACTIVE currently. So this can be
+applied as clean-up.
+
+Cc: Lokesh Vutla <lokeshvutla@ti.com>
+Cc: Tero Kristo <kristo@kernel.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/omap-sham.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/omap-sham.c b/drivers/crypto/omap-sham.c
+index f80db1eb2994..f8a146554b1f 100644
+--- a/drivers/crypto/omap-sham.c
++++ b/drivers/crypto/omap-sham.c
+@@ -1734,7 +1734,7 @@ static void omap_sham_done_task(unsigned long data)
+ if (test_and_clear_bit(FLAGS_OUTPUT_READY, &dd->flags))
+ goto finish;
+ } else if (test_bit(FLAGS_DMA_READY, &dd->flags)) {
+- if (test_and_clear_bit(FLAGS_DMA_ACTIVE, &dd->flags)) {
++ if (test_bit(FLAGS_DMA_ACTIVE, &dd->flags)) {
+ omap_sham_update_dma_stop(dd);
+ if (dd->err) {
+ err = dd->err;
+--
+2.30.2
+
--- /dev/null
+From fbfb42a0d367fe37b5c73cf3684c5e37c09d5e8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Aug 2021 21:21:28 +0100
+Subject: crypto: qat - do not export adf_iov_putmsg()
+
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+
+[ Upstream commit 645ae0af1840199086c33e4f841892ebee73f615 ]
+
+The function adf_iov_putmsg() is only used inside the intel_qat module
+therefore should not be exported.
+Remove EXPORT_SYMBOL for the function adf_iov_putmsg().
+
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Reviewed-by: Fiona Trahe <fiona.trahe@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_common/adf_pf2vf_msg.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c
+index 9dab2cc11fdf..c64481160b71 100644
+--- a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c
++++ b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c
+@@ -231,7 +231,6 @@ int adf_iov_putmsg(struct adf_accel_dev *accel_dev, u32 msg, u8 vf_nr)
+
+ return ret;
+ }
+-EXPORT_SYMBOL_GPL(adf_iov_putmsg);
+
+ void adf_vf2pf_req_hndl(struct adf_accel_vf_info *vf_info)
+ {
+--
+2.30.2
+
--- /dev/null
+From a55a32b9dd67abec0ffadd9a93d715919a9e5a5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Aug 2021 21:21:13 +0100
+Subject: crypto: qat - do not ignore errors from enable_vf2pf_comms()
+
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+
+[ Upstream commit 5147f0906d50a9d26f2b8698cd06b5680e9867ff ]
+
+The function adf_dev_init() ignores the error code reported by
+enable_vf2pf_comms(). If the latter fails, e.g. the VF is not compatible
+with the pf, then the load of the VF driver progresses.
+This patch changes adf_dev_init() so that the error code from
+enable_vf2pf_comms() is returned to the caller.
+
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Reviewed-by: Marco Chiappero <marco.chiappero@intel.com>
+Reviewed-by: Fiona Trahe <fiona.trahe@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_common/adf_init.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/qat/qat_common/adf_init.c b/drivers/crypto/qat/qat_common/adf_init.c
+index 26556c713049..7a7d43c47534 100644
+--- a/drivers/crypto/qat/qat_common/adf_init.c
++++ b/drivers/crypto/qat/qat_common/adf_init.c
+@@ -105,6 +105,7 @@ int adf_dev_init(struct adf_accel_dev *accel_dev)
+ struct service_hndl *service;
+ struct list_head *list_itr;
+ struct adf_hw_device_data *hw_data = accel_dev->hw_device;
++ int ret;
+
+ if (!hw_data) {
+ dev_err(&GET_DEV(accel_dev),
+@@ -171,9 +172,9 @@ int adf_dev_init(struct adf_accel_dev *accel_dev)
+ }
+
+ hw_data->enable_error_correction(accel_dev);
+- hw_data->enable_vf2pf_comms(accel_dev);
++ ret = hw_data->enable_vf2pf_comms(accel_dev);
+
+- return 0;
++ return ret;
+ }
+ EXPORT_SYMBOL_GPL(adf_dev_init);
+
+--
+2.30.2
+
--- /dev/null
+From b1d4defa1078941b5234f33cb03bf501c068222d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Aug 2021 21:21:22 +0100
+Subject: crypto: qat - fix naming for init/shutdown VF to PF notifications
+
+From: Marco Chiappero <marco.chiappero@intel.com>
+
+[ Upstream commit b90c1c4d3fa8cd90f4e8245b13564380fd0bfad1 ]
+
+At start and shutdown, VFs notify the PF about their state. These
+notifications are carried out through a message exchange using the PFVF
+protocol.
+
+Function names lead to believe they do perform init or shutdown logic.
+This is to fix the naming to better reflect their purpose.
+
+Signed-off-by: Marco Chiappero <marco.chiappero@intel.com>
+Co-developed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Reviewed-by: Fiona Trahe <fiona.trahe@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_c3xxxvf/adf_c3xxxvf_hw_data.c | 4 ++--
+ drivers/crypto/qat/qat_c62xvf/adf_c62xvf_hw_data.c | 4 ++--
+ drivers/crypto/qat/qat_common/adf_common_drv.h | 8 ++++----
+ drivers/crypto/qat/qat_common/adf_vf2pf_msg.c | 12 ++++++------
+ .../qat/qat_dh895xccvf/adf_dh895xccvf_hw_data.c | 4 ++--
+ 5 files changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/crypto/qat/qat_c3xxxvf/adf_c3xxxvf_hw_data.c b/drivers/crypto/qat/qat_c3xxxvf/adf_c3xxxvf_hw_data.c
+index d2d0ae445fd8..7c7d49a8a403 100644
+--- a/drivers/crypto/qat/qat_c3xxxvf/adf_c3xxxvf_hw_data.c
++++ b/drivers/crypto/qat/qat_c3xxxvf/adf_c3xxxvf_hw_data.c
+@@ -123,10 +123,10 @@ void adf_init_hw_data_c3xxxiov(struct adf_hw_device_data *hw_data)
+ hw_data->enable_error_correction = adf_vf_void_noop;
+ hw_data->init_admin_comms = adf_vf_int_noop;
+ hw_data->exit_admin_comms = adf_vf_void_noop;
+- hw_data->send_admin_init = adf_vf2pf_init;
++ hw_data->send_admin_init = adf_vf2pf_notify_init;
+ hw_data->init_arb = adf_vf_int_noop;
+ hw_data->exit_arb = adf_vf_void_noop;
+- hw_data->disable_iov = adf_vf2pf_shutdown;
++ hw_data->disable_iov = adf_vf2pf_notify_shutdown;
+ hw_data->get_accel_mask = get_accel_mask;
+ hw_data->get_ae_mask = get_ae_mask;
+ hw_data->get_num_accels = get_num_accels;
+diff --git a/drivers/crypto/qat/qat_c62xvf/adf_c62xvf_hw_data.c b/drivers/crypto/qat/qat_c62xvf/adf_c62xvf_hw_data.c
+index 38e4bc04f407..90e8a7564756 100644
+--- a/drivers/crypto/qat/qat_c62xvf/adf_c62xvf_hw_data.c
++++ b/drivers/crypto/qat/qat_c62xvf/adf_c62xvf_hw_data.c
+@@ -123,10 +123,10 @@ void adf_init_hw_data_c62xiov(struct adf_hw_device_data *hw_data)
+ hw_data->enable_error_correction = adf_vf_void_noop;
+ hw_data->init_admin_comms = adf_vf_int_noop;
+ hw_data->exit_admin_comms = adf_vf_void_noop;
+- hw_data->send_admin_init = adf_vf2pf_init;
++ hw_data->send_admin_init = adf_vf2pf_notify_init;
+ hw_data->init_arb = adf_vf_int_noop;
+ hw_data->exit_arb = adf_vf_void_noop;
+- hw_data->disable_iov = adf_vf2pf_shutdown;
++ hw_data->disable_iov = adf_vf2pf_notify_shutdown;
+ hw_data->get_accel_mask = get_accel_mask;
+ hw_data->get_ae_mask = get_ae_mask;
+ hw_data->get_num_accels = get_num_accels;
+diff --git a/drivers/crypto/qat/qat_common/adf_common_drv.h b/drivers/crypto/qat/qat_common/adf_common_drv.h
+index d78f8d5c89c3..289dd7e48d4a 100644
+--- a/drivers/crypto/qat/qat_common/adf_common_drv.h
++++ b/drivers/crypto/qat/qat_common/adf_common_drv.h
+@@ -239,8 +239,8 @@ void adf_enable_vf2pf_interrupts(struct adf_accel_dev *accel_dev,
+ void adf_enable_pf2vf_interrupts(struct adf_accel_dev *accel_dev);
+ void adf_disable_pf2vf_interrupts(struct adf_accel_dev *accel_dev);
+
+-int adf_vf2pf_init(struct adf_accel_dev *accel_dev);
+-void adf_vf2pf_shutdown(struct adf_accel_dev *accel_dev);
++int adf_vf2pf_notify_init(struct adf_accel_dev *accel_dev);
++void adf_vf2pf_notify_shutdown(struct adf_accel_dev *accel_dev);
+ int adf_init_pf_wq(void);
+ void adf_exit_pf_wq(void);
+ int adf_init_vf_wq(void);
+@@ -263,12 +263,12 @@ static inline void adf_disable_pf2vf_interrupts(struct adf_accel_dev *accel_dev)
+ {
+ }
+
+-static inline int adf_vf2pf_init(struct adf_accel_dev *accel_dev)
++static inline int adf_vf2pf_notify_init(struct adf_accel_dev *accel_dev)
+ {
+ return 0;
+ }
+
+-static inline void adf_vf2pf_shutdown(struct adf_accel_dev *accel_dev)
++static inline void adf_vf2pf_notify_shutdown(struct adf_accel_dev *accel_dev)
+ {
+ }
+
+diff --git a/drivers/crypto/qat/qat_common/adf_vf2pf_msg.c b/drivers/crypto/qat/qat_common/adf_vf2pf_msg.c
+index cd5f37dffe8a..1830194567e8 100644
+--- a/drivers/crypto/qat/qat_common/adf_vf2pf_msg.c
++++ b/drivers/crypto/qat/qat_common/adf_vf2pf_msg.c
+@@ -49,14 +49,14 @@
+ #include "adf_pf2vf_msg.h"
+
+ /**
+- * adf_vf2pf_init() - send init msg to PF
++ * adf_vf2pf_notify_init() - send init msg to PF
+ * @accel_dev: Pointer to acceleration VF device.
+ *
+ * Function sends an init messge from the VF to a PF
+ *
+ * Return: 0 on success, error code otherwise.
+ */
+-int adf_vf2pf_init(struct adf_accel_dev *accel_dev)
++int adf_vf2pf_notify_init(struct adf_accel_dev *accel_dev)
+ {
+ u32 msg = (ADF_VF2PF_MSGORIGIN_SYSTEM |
+ (ADF_VF2PF_MSGTYPE_INIT << ADF_VF2PF_MSGTYPE_SHIFT));
+@@ -69,17 +69,17 @@ int adf_vf2pf_init(struct adf_accel_dev *accel_dev)
+ set_bit(ADF_STATUS_PF_RUNNING, &accel_dev->status);
+ return 0;
+ }
+-EXPORT_SYMBOL_GPL(adf_vf2pf_init);
++EXPORT_SYMBOL_GPL(adf_vf2pf_notify_init);
+
+ /**
+- * adf_vf2pf_shutdown() - send shutdown msg to PF
++ * adf_vf2pf_notify_shutdown() - send shutdown msg to PF
+ * @accel_dev: Pointer to acceleration VF device.
+ *
+ * Function sends a shutdown messge from the VF to a PF
+ *
+ * Return: void
+ */
+-void adf_vf2pf_shutdown(struct adf_accel_dev *accel_dev)
++void adf_vf2pf_notify_shutdown(struct adf_accel_dev *accel_dev)
+ {
+ u32 msg = (ADF_VF2PF_MSGORIGIN_SYSTEM |
+ (ADF_VF2PF_MSGTYPE_SHUTDOWN << ADF_VF2PF_MSGTYPE_SHIFT));
+@@ -89,4 +89,4 @@ void adf_vf2pf_shutdown(struct adf_accel_dev *accel_dev)
+ dev_err(&GET_DEV(accel_dev),
+ "Failed to send Shutdown event to PF\n");
+ }
+-EXPORT_SYMBOL_GPL(adf_vf2pf_shutdown);
++EXPORT_SYMBOL_GPL(adf_vf2pf_notify_shutdown);
+diff --git a/drivers/crypto/qat/qat_dh895xccvf/adf_dh895xccvf_hw_data.c b/drivers/crypto/qat/qat_dh895xccvf/adf_dh895xccvf_hw_data.c
+index a3b4dd8099a7..3a8361c83f0b 100644
+--- a/drivers/crypto/qat/qat_dh895xccvf/adf_dh895xccvf_hw_data.c
++++ b/drivers/crypto/qat/qat_dh895xccvf/adf_dh895xccvf_hw_data.c
+@@ -123,10 +123,10 @@ void adf_init_hw_data_dh895xcciov(struct adf_hw_device_data *hw_data)
+ hw_data->enable_error_correction = adf_vf_void_noop;
+ hw_data->init_admin_comms = adf_vf_int_noop;
+ hw_data->exit_admin_comms = adf_vf_void_noop;
+- hw_data->send_admin_init = adf_vf2pf_init;
++ hw_data->send_admin_init = adf_vf2pf_notify_init;
+ hw_data->init_arb = adf_vf_int_noop;
+ hw_data->exit_arb = adf_vf_void_noop;
+- hw_data->disable_iov = adf_vf2pf_shutdown;
++ hw_data->disable_iov = adf_vf2pf_notify_shutdown;
+ hw_data->get_accel_mask = get_accel_mask;
+ hw_data->get_ae_mask = get_ae_mask;
+ hw_data->get_num_accels = get_num_accels;
+--
+2.30.2
+
--- /dev/null
+From 69a77017ec1d0cf25b927c93746e1270a33cb34a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Aug 2021 21:21:19 +0100
+Subject: crypto: qat - fix reuse of completion variable
+
+From: Marco Chiappero <marco.chiappero@intel.com>
+
+[ Upstream commit 3d655732b0199562267a05c7ff69ecdd11632939 ]
+
+Use reinit_completion() to set to a clean state a completion variable,
+used to coordinate the VF to PF request-response flow, before every
+new VF request.
+
+Signed-off-by: Marco Chiappero <marco.chiappero@intel.com>
+Co-developed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Reviewed-by: Fiona Trahe <fiona.trahe@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_common/adf_pf2vf_msg.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c
+index b3875fdf6cd7..9dab2cc11fdf 100644
+--- a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c
++++ b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c
+@@ -361,6 +361,8 @@ static int adf_vf2pf_request_version(struct adf_accel_dev *accel_dev)
+ msg |= ADF_PFVF_COMPATIBILITY_VERSION << ADF_VF2PF_COMPAT_VER_REQ_SHIFT;
+ BUILD_BUG_ON(ADF_PFVF_COMPATIBILITY_VERSION > 255);
+
++ reinit_completion(&accel_dev->vf.iov_msg_completion);
++
+ /* Send request from VF to PF */
+ ret = adf_iov_putmsg(accel_dev, msg, 0);
+ if (ret) {
+--
+2.30.2
+
--- /dev/null
+From 95b20571ed039a850133685f4b22a65d44ef44be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Aug 2021 21:21:14 +0100
+Subject: crypto: qat - handle both source of interrupt in VF ISR
+
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+
+[ Upstream commit 0a73c762e1eee33a5e5dc0e3488f1b7cd17249b3 ]
+
+The top half of the VF drivers handled only a source at the time.
+If an interrupt for PF2VF and bundle occurred at the same time, the ISR
+scheduled only the bottom half for PF2VF.
+This patch fixes the VF top half so that if both sources of interrupt
+trigger at the same time, both bottom halves are scheduled.
+
+This patch is based on earlier work done by Conor McLoughlin.
+
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Reviewed-by: Marco Chiappero <marco.chiappero@intel.com>
+Reviewed-by: Fiona Trahe <fiona.trahe@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_common/adf_vf_isr.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/crypto/qat/qat_common/adf_vf_isr.c b/drivers/crypto/qat/qat_common/adf_vf_isr.c
+index df9a1f35b832..ef90902c8200 100644
+--- a/drivers/crypto/qat/qat_common/adf_vf_isr.c
++++ b/drivers/crypto/qat/qat_common/adf_vf_isr.c
+@@ -203,6 +203,7 @@ static irqreturn_t adf_isr(int irq, void *privdata)
+ struct adf_bar *pmisc =
+ &GET_BARS(accel_dev)[hw_data->get_misc_bar_id(hw_data)];
+ void __iomem *pmisc_bar_addr = pmisc->virt_addr;
++ bool handled = false;
+ u32 v_int;
+
+ /* Read VF INT source CSR to determine the source of VF interrupt */
+@@ -215,7 +216,7 @@ static irqreturn_t adf_isr(int irq, void *privdata)
+
+ /* Schedule tasklet to handle interrupt BH */
+ tasklet_hi_schedule(&accel_dev->vf.pf2vf_bh_tasklet);
+- return IRQ_HANDLED;
++ handled = true;
+ }
+
+ /* Check bundle interrupt */
+@@ -227,10 +228,10 @@ static irqreturn_t adf_isr(int irq, void *privdata)
+ WRITE_CSR_INT_FLAG_AND_COL(bank->csr_addr, bank->bank_number,
+ 0);
+ tasklet_hi_schedule(&bank->resp_handler);
+- return IRQ_HANDLED;
++ handled = true;
+ }
+
+- return IRQ_NONE;
++ return handled ? IRQ_HANDLED : IRQ_NONE;
+ }
+
+ static int adf_request_msi_irq(struct adf_accel_dev *accel_dev)
+--
+2.30.2
+
--- /dev/null
+From ca5f396d431851ce0d7156378c2dc01ce47c3246 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Aug 2021 21:21:10 +0100
+Subject: crypto: qat - use proper type for vf_mask
+
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+
+[ Upstream commit 462354d986b6a89c6449b85f17aaacf44e455216 ]
+
+Replace vf_mask type with unsigned long to avoid a stack-out-of-bound.
+
+This is to fix the following warning reported by KASAN the first time
+adf_msix_isr_ae() gets called.
+
+ [ 692.091987] BUG: KASAN: stack-out-of-bounds in find_first_bit+0x28/0x50
+ [ 692.092017] Read of size 8 at addr ffff88afdf789e60 by task swapper/32/0
+ [ 692.092076] Call Trace:
+ [ 692.092089] <IRQ>
+ [ 692.092101] dump_stack+0x9c/0xcf
+ [ 692.092132] print_address_description.constprop.0+0x18/0x130
+ [ 692.092164] ? find_first_bit+0x28/0x50
+ [ 692.092185] kasan_report.cold+0x7f/0x111
+ [ 692.092213] ? static_obj+0x10/0x80
+ [ 692.092234] ? find_first_bit+0x28/0x50
+ [ 692.092262] find_first_bit+0x28/0x50
+ [ 692.092288] adf_msix_isr_ae+0x16e/0x230 [intel_qat]
+
+Fixes: ed8ccaef52fa ("crypto: qat - Add support for SRIOV")
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Reviewed-by: Marco Chiappero <marco.chiappero@intel.com>
+Reviewed-by: Fiona Trahe <fiona.trahe@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_common/adf_isr.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/crypto/qat/qat_common/adf_isr.c b/drivers/crypto/qat/qat_common/adf_isr.c
+index 4898ef41fd9f..7d319c5c071c 100644
+--- a/drivers/crypto/qat/qat_common/adf_isr.c
++++ b/drivers/crypto/qat/qat_common/adf_isr.c
+@@ -59,6 +59,8 @@
+ #include "adf_transport_access_macros.h"
+ #include "adf_transport_internal.h"
+
++#define ADF_MAX_NUM_VFS 32
++
+ static int adf_enable_msix(struct adf_accel_dev *accel_dev)
+ {
+ struct adf_accel_pci *pci_dev_info = &accel_dev->accel_pci_dev;
+@@ -111,7 +113,7 @@ static irqreturn_t adf_msix_isr_ae(int irq, void *dev_ptr)
+ struct adf_bar *pmisc =
+ &GET_BARS(accel_dev)[hw_data->get_misc_bar_id(hw_data)];
+ void __iomem *pmisc_bar_addr = pmisc->virt_addr;
+- u32 vf_mask;
++ unsigned long vf_mask;
+
+ /* Get the interrupt sources triggered by VFs */
+ vf_mask = ((ADF_CSR_RD(pmisc_bar_addr, ADF_ERRSOU5) &
+@@ -132,8 +134,7 @@ static irqreturn_t adf_msix_isr_ae(int irq, void *dev_ptr)
+ * unless the VF is malicious and is attempting to
+ * flood the host OS with VF2PF interrupts.
+ */
+- for_each_set_bit(i, (const unsigned long *)&vf_mask,
+- (sizeof(vf_mask) * BITS_PER_BYTE)) {
++ for_each_set_bit(i, &vf_mask, ADF_MAX_NUM_VFS) {
+ vf_info = accel_dev->pf.vf_info + i;
+
+ if (!__ratelimit(&vf_info->vf2pf_ratelimit)) {
+--
+2.30.2
+
--- /dev/null
+From 546cf043572cd0cd9321f92f104d59174d8a6113 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Aug 2021 18:24:44 +0200
+Subject: debugfs: Return error during {full/open}_proxy_open() on rmmod
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sven Eckelmann <sven@narfation.org>
+
+[ Upstream commit 112cedc8e600b668688eb809bf11817adec58ddc ]
+
+If a kernel module gets unloaded then it printed report about a leak before
+commit 275678e7a9be ("debugfs: Check module state before warning in
+{full/open}_proxy_open()"). An additional check was added in this commit to
+avoid this printing. But it was forgotten that the function must return an
+error in this case because it was not actually opened.
+
+As result, the systems started to crash or to hang when a module was
+unloaded while something was trying to open a file.
+
+Fixes: 275678e7a9be ("debugfs: Check module state before warning in {full/open}_proxy_open()")
+Cc: Taehee Yoo <ap420073@gmail.com>
+Reported-by: Mário Lopes <ml@simonwunderlich.de>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Link: https://lore.kernel.org/r/20210802162444.7848-1-sven@narfation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/debugfs/file.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
+index 943637298f65..a32c5c7dcfd8 100644
+--- a/fs/debugfs/file.c
++++ b/fs/debugfs/file.c
+@@ -178,8 +178,10 @@ static int open_proxy_open(struct inode *inode, struct file *filp)
+ if (!fops_get(real_fops)) {
+ #ifdef CONFIG_MODULES
+ if (real_fops->owner &&
+- real_fops->owner->state == MODULE_STATE_GOING)
++ real_fops->owner->state == MODULE_STATE_GOING) {
++ r = -ENXIO;
+ goto out;
++ }
+ #endif
+
+ /* Huh? Module did not clean up after itself at exit? */
+@@ -313,8 +315,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp)
+ if (!fops_get(real_fops)) {
+ #ifdef CONFIG_MODULES
+ if (real_fops->owner &&
+- real_fops->owner->state == MODULE_STATE_GOING)
++ real_fops->owner->state == MODULE_STATE_GOING) {
++ r = -ENXIO;
+ goto out;
++ }
+ #endif
+
+ /* Huh? Module did not cleanup after itself at exit? */
+--
+2.30.2
+
--- /dev/null
+From 2e100af2286e04b9f1f3d3d3d79e702629c86d05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jul 2021 01:22:15 +0800
+Subject: drm/amdgpu/acp: Make PM domain really work
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+[ Upstream commit aff890288de2d818e4f83ec40c9315e2d735df07 ]
+
+Devices created by mfd_add_hotplug_devices() don't really increase the
+index of its name, so get_mfd_cell_dev() cannot find any device, hence a
+NULL dev is passed to pm_genpd_add_device():
+[ 56.974926] (NULL device *): amdgpu: device acp_audio_dma.0.auto added to pm domain
+[ 56.974933] (NULL device *): amdgpu: Failed to add dev to genpd
+[ 56.974941] [drm:amdgpu_device_ip_init [amdgpu]] *ERROR* hw_init of IP block <acp_ip> failed -22
+[ 56.975810] amdgpu 0000:00:01.0: amdgpu: amdgpu_device_ip_init failed
+[ 56.975839] amdgpu 0000:00:01.0: amdgpu: Fatal error during GPU init
+[ 56.977136] ------------[ cut here ]------------
+[ 56.977143] kernel BUG at mm/slub.c:4206!
+[ 56.977158] invalid opcode: 0000 [#1] SMP NOPTI
+[ 56.977167] CPU: 1 PID: 1648 Comm: modprobe Not tainted 5.12.0-051200rc8-generic #202104182230
+[ 56.977175] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./FM2A68M-HD+, BIOS P5.20 02/13/2019
+[ 56.977180] RIP: 0010:kfree+0x3bf/0x410
+[ 56.977195] Code: 89 e7 48 d3 e2 f7 da e8 5f 0d 02 00 80 e7 02 75 3e 44 89 ee 4c 89 e7 e8 ef 5f fd ff e9 fa fe ff ff 49 8b 44 24 08 a8 01 75 b7 <0f> 0b 4c 8b 4d b0 48 8b 4d a8 48 89 da 4c 89 e6 41 b8 01 00 00 00
+[ 56.977202] RSP: 0018:ffffa48640ff79f0 EFLAGS: 00010246
+[ 56.977210] RAX: 0000000000000000 RBX: ffff9286127d5608 RCX: 0000000000000000
+[ 56.977215] RDX: 0000000000000000 RSI: ffffffffc099d0fb RDI: ffff9286127d5608
+[ 56.977220] RBP: ffffa48640ff7a48 R08: 0000000000000001 R09: 0000000000000001
+[ 56.977224] R10: 0000000000000000 R11: ffff9286087d8458 R12: fffff3ae0449f540
+[ 56.977229] R13: 0000000000000000 R14: dead000000000122 R15: dead000000000100
+[ 56.977234] FS: 00007f9de5929540(0000) GS:ffff928612e80000(0000) knlGS:0000000000000000
+[ 56.977240] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 56.977245] CR2: 00007f697dd97160 CR3: 00000001110f0000 CR4: 00000000001506e0
+[ 56.977251] Call Trace:
+[ 56.977261] amdgpu_dm_encoder_destroy+0x1b/0x30 [amdgpu]
+[ 56.978056] drm_mode_config_cleanup+0x4f/0x2e0 [drm]
+[ 56.978147] ? kfree+0x3dd/0x410
+[ 56.978157] ? drm_managed_release+0xc8/0x100 [drm]
+[ 56.978232] drm_mode_config_init_release+0xe/0x10 [drm]
+[ 56.978311] drm_managed_release+0x9d/0x100 [drm]
+[ 56.978388] devm_drm_dev_init_release+0x4d/0x70 [drm]
+[ 56.978450] devm_action_release+0x15/0x20
+[ 56.978459] release_nodes+0x77/0xc0
+[ 56.978469] devres_release_all+0x3f/0x50
+[ 56.978477] really_probe+0x245/0x460
+[ 56.978485] driver_probe_device+0xe9/0x160
+[ 56.978492] device_driver_attach+0xab/0xb0
+[ 56.978499] __driver_attach+0x8f/0x150
+[ 56.978506] ? device_driver_attach+0xb0/0xb0
+[ 56.978513] bus_for_each_dev+0x7e/0xc0
+[ 56.978521] driver_attach+0x1e/0x20
+[ 56.978528] bus_add_driver+0x135/0x1f0
+[ 56.978534] driver_register+0x91/0xf0
+[ 56.978540] __pci_register_driver+0x54/0x60
+[ 56.978549] amdgpu_init+0x77/0x1000 [amdgpu]
+[ 56.979246] ? 0xffffffffc0dbc000
+[ 56.979254] do_one_initcall+0x48/0x1d0
+[ 56.979265] ? kmem_cache_alloc_trace+0x120/0x230
+[ 56.979274] ? do_init_module+0x28/0x280
+[ 56.979282] do_init_module+0x62/0x280
+[ 56.979288] load_module+0x71c/0x7a0
+[ 56.979296] __do_sys_finit_module+0xc2/0x120
+[ 56.979305] __x64_sys_finit_module+0x1a/0x20
+[ 56.979311] do_syscall_64+0x38/0x90
+[ 56.979319] entry_SYSCALL_64_after_hwframe+0x44/0xae
+[ 56.979328] RIP: 0033:0x7f9de54f989d
+[ 56.979335] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d c3 f5 0c 00 f7 d8 64 89 01 48
+[ 56.979342] RSP: 002b:00007ffe3c395a28 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+[ 56.979350] RAX: ffffffffffffffda RBX: 0000560df3ef4330 RCX: 00007f9de54f989d
+[ 56.979355] RDX: 0000000000000000 RSI: 0000560df3a07358 RDI: 000000000000000f
+[ 56.979360] RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000000
+[ 56.979365] R10: 000000000000000f R11: 0000000000000246 R12: 0000560df3a07358
+[ 56.979369] R13: 0000000000000000 R14: 0000560df3ef4460 R15: 0000560df3ef4330
+[ 56.979377] Modules linked in: amdgpu(+) iommu_v2 gpu_sched drm_ttm_helper ttm drm_kms_helper cec rc_core i2c_algo_bit fb_sys_fops syscopyarea sysfillrect sysimgblt nft_counter xt_tcpudp ipt_REJECT nf_reject_ipv4 xt_conntrack iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_mangle iptable_raw iptable_security ip_set nf_tables libcrc32c nfnetlink ip6_tables iptable_filter bpfilter input_leds binfmt_misc edac_mce_amd kvm_amd ccp kvm snd_hda_codec_realtek snd_hda_codec_generic crct10dif_pclmul snd_hda_codec_hdmi ledtrig_audio ghash_clmulni_intel aesni_intel snd_hda_intel snd_intel_dspcfg snd_seq_midi crypto_simd snd_intel_sdw_acpi cryptd snd_hda_codec snd_seq_midi_event snd_rawmidi snd_hda_core snd_hwdep snd_seq fam15h_power k10temp snd_pcm snd_seq_device snd_timer snd mac_hid soundcore sch_fq_codel nct6775 hwmon_vid drm ip_tables x_tables autofs4 dm_mirror dm_region_hash dm_log hid_generic usbhid hid uas usb_storage r8169 crc32_pclmul realtek ahci xhci_pci i2c_piix4
+[ 56.979521] xhci_pci_renesas libahci video
+[ 56.979541] ---[ end trace cb8f6a346f18da7b ]---
+
+Instead of finding MFD hotplugged device by its name, simply iterate
+over the child devices to avoid the issue.
+
+Squash in unused variable removal (Alex)
+
+BugLink: https://bugs.launchpad.net/bugs/1920674
+Fixes: 25030321ba28 ("drm/amd: add pm domain for ACP IP sub blocks")
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c | 54 ++++++++++++-------------
+ 1 file changed, 26 insertions(+), 28 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c
+index 82155ac3288a..64ee44c2fdd1 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c
+@@ -163,17 +163,28 @@ static int acp_poweron(struct generic_pm_domain *genpd)
+ return 0;
+ }
+
+-static struct device *get_mfd_cell_dev(const char *device_name, int r)
++static int acp_genpd_add_device(struct device *dev, void *data)
+ {
+- char auto_dev_name[25];
+- struct device *dev;
++ struct generic_pm_domain *gpd = data;
++ int ret;
+
+- snprintf(auto_dev_name, sizeof(auto_dev_name),
+- "%s.%d.auto", device_name, r);
+- dev = bus_find_device_by_name(&platform_bus_type, NULL, auto_dev_name);
+- dev_info(dev, "device %s added to pm domain\n", auto_dev_name);
++ ret = pm_genpd_add_device(gpd, dev);
++ if (ret)
++ dev_err(dev, "Failed to add dev to genpd %d\n", ret);
+
+- return dev;
++ return ret;
++}
++
++static int acp_genpd_remove_device(struct device *dev, void *data)
++{
++ int ret;
++
++ ret = pm_genpd_remove_device(dev);
++ if (ret)
++ dev_err(dev, "Failed to remove dev from genpd %d\n", ret);
++
++ /* Continue to remove */
++ return 0;
+ }
+
+ /**
+@@ -184,11 +195,10 @@ static struct device *get_mfd_cell_dev(const char *device_name, int r)
+ */
+ static int acp_hw_init(void *handle)
+ {
+- int r, i;
++ int r;
+ uint64_t acp_base;
+ u32 val = 0;
+ u32 count = 0;
+- struct device *dev;
+ struct i2s_platform_data *i2s_pdata = NULL;
+
+ struct amdgpu_device *adev = (struct amdgpu_device *)handle;
+@@ -344,15 +354,10 @@ static int acp_hw_init(void *handle)
+ if (r)
+ goto failure;
+
+- for (i = 0; i < ACP_DEVS ; i++) {
+- dev = get_mfd_cell_dev(adev->acp.acp_cell[i].name, i);
+- r = pm_genpd_add_device(&adev->acp.acp_genpd->gpd, dev);
+- if (r) {
+- dev_err(dev, "Failed to add dev to genpd\n");
+- goto failure;
+- }
+- }
+-
++ r = device_for_each_child(adev->acp.parent, &adev->acp.acp_genpd->gpd,
++ acp_genpd_add_device);
++ if (r)
++ goto failure;
+
+ /* Assert Soft reset of ACP */
+ val = cgs_read_register(adev->acp.cgs_device, mmACP_SOFT_RESET);
+@@ -413,10 +418,8 @@ failure:
+ */
+ static int acp_hw_fini(void *handle)
+ {
+- int i, ret;
+ u32 val = 0;
+ u32 count = 0;
+- struct device *dev;
+ struct amdgpu_device *adev = (struct amdgpu_device *)handle;
+
+ /* return early if no ACP */
+@@ -461,13 +464,8 @@ static int acp_hw_fini(void *handle)
+ udelay(100);
+ }
+
+- for (i = 0; i < ACP_DEVS ; i++) {
+- dev = get_mfd_cell_dev(adev->acp.acp_cell[i].name, i);
+- ret = pm_genpd_remove_device(dev);
+- /* If removal fails, dont giveup and try rest */
+- if (ret)
+- dev_err(dev, "remove dev from genpd failed\n");
+- }
++ device_for_each_child(adev->acp.parent, NULL,
++ acp_genpd_remove_device);
+
+ mfd_remove_devices(adev->acp.parent);
+ kfree(adev->acp.acp_res);
+--
+2.30.2
+
--- /dev/null
+From fc1826cbb4fa00f0d361e89c2113cce435ebf5c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jul 2021 02:05:19 +0300
+Subject: drm/msm/dpu: make dpu_hw_ctl_clear_all_blendstages clear necessary
+ LMs
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit a41cdb693595ae1904dd793fc15d6954f4295e27 ]
+
+dpu_hw_ctl_clear_all_blendstages() clears settings for the few first LMs
+instead of mixers actually used for the CTL. Change it to clear
+necessary data, using provided mixer ids.
+
+Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20210704230519.4081467-1-dmitry.baryshkov@linaro.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_hw_ctl.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_ctl.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_ctl.c
+index 179e8d52cadb..a08ca7a47400 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_ctl.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_ctl.c
+@@ -281,10 +281,12 @@ static void dpu_hw_ctl_clear_all_blendstages(struct dpu_hw_ctl *ctx)
+ int i;
+
+ for (i = 0; i < ctx->mixer_count; i++) {
+- DPU_REG_WRITE(c, CTL_LAYER(LM_0 + i), 0);
+- DPU_REG_WRITE(c, CTL_LAYER_EXT(LM_0 + i), 0);
+- DPU_REG_WRITE(c, CTL_LAYER_EXT2(LM_0 + i), 0);
+- DPU_REG_WRITE(c, CTL_LAYER_EXT3(LM_0 + i), 0);
++ enum dpu_lm mixer_id = ctx->mixer_hw_caps[i].id;
++
++ DPU_REG_WRITE(c, CTL_LAYER(mixer_id), 0);
++ DPU_REG_WRITE(c, CTL_LAYER_EXT(mixer_id), 0);
++ DPU_REG_WRITE(c, CTL_LAYER_EXT2(mixer_id), 0);
++ DPU_REG_WRITE(c, CTL_LAYER_EXT3(mixer_id), 0);
+ }
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 5c374c7e1682f975a201a63d5b74f016bb0d6066 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Aug 2021 11:15:13 +0200
+Subject: drm/msm/dsi: Fix some reference counted resource leaks
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 6977cc89c87506ff17e6c05f0e37f46752256e82 ]
+
+'of_find_device_by_node()' takes a reference that must be released when
+not needed anymore.
+This is expected to be done in 'dsi_destroy()'.
+
+However, there are 2 issues in 'dsi_get_phy()'.
+
+First, if 'of_find_device_by_node()' succeeds but 'platform_get_drvdata()'
+returns NULL, 'msm_dsi->phy_dev' will still be NULL, and the reference
+won't be released in 'dsi_destroy()'.
+
+Secondly, as 'of_find_device_by_node()' already takes a reference, there is
+no need for an additional 'get_device()'.
+
+Move the assignment to 'msm_dsi->phy_dev' a few lines above and remove the
+unneeded 'get_device()' to solve both issues.
+
+Fixes: ec31abf6684e ("drm/msm/dsi: Separate PHY to another platform device")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/f15bc57648a00e7c99f943903468a04639d50596.1628241097.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dsi/dsi.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/dsi/dsi.c b/drivers/gpu/drm/msm/dsi/dsi.c
+index 55ea4bc2ee9c..0d37ae5b310c 100644
+--- a/drivers/gpu/drm/msm/dsi/dsi.c
++++ b/drivers/gpu/drm/msm/dsi/dsi.c
+@@ -26,8 +26,10 @@ static int dsi_get_phy(struct msm_dsi *msm_dsi)
+ }
+
+ phy_pdev = of_find_device_by_node(phy_node);
+- if (phy_pdev)
++ if (phy_pdev) {
+ msm_dsi->phy = platform_get_drvdata(phy_pdev);
++ msm_dsi->phy_dev = &phy_pdev->dev;
++ }
+
+ of_node_put(phy_node);
+
+@@ -36,8 +38,6 @@ static int dsi_get_phy(struct msm_dsi *msm_dsi)
+ return -EPROBE_DEFER;
+ }
+
+- msm_dsi->phy_dev = get_device(&phy_pdev->dev);
+-
+ return 0;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 85269bea68fbdba2473a5c5e229bd3a6001942b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jun 2021 14:38:56 +0000
+Subject: drm/panfrost: Fix missing clk_disable_unprepare() on error in
+ panfrost_clk_init()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit f42498705965bd4b026953c1892c686d8b1138e4 ]
+
+Fix the missing clk_disable_unprepare() before return
+from panfrost_clk_init() in the error handling case.
+
+Fixes: b681af0bc1cc ("drm: panfrost: add optional bus_clock")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Reviewed-by: Steven Price <steven.price@arm.com>
+Signed-off-by: Steven Price <steven.price@arm.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210608143856.4154766-1-weiyongjun1@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panfrost/panfrost_device.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/panfrost/panfrost_device.c b/drivers/gpu/drm/panfrost/panfrost_device.c
+index 238fb6d54df4..413bf314a2bc 100644
+--- a/drivers/gpu/drm/panfrost/panfrost_device.c
++++ b/drivers/gpu/drm/panfrost/panfrost_device.c
+@@ -59,7 +59,8 @@ static int panfrost_clk_init(struct panfrost_device *pfdev)
+ if (IS_ERR(pfdev->bus_clock)) {
+ dev_err(pfdev->dev, "get bus_clock failed %ld\n",
+ PTR_ERR(pfdev->bus_clock));
+- return PTR_ERR(pfdev->bus_clock);
++ err = PTR_ERR(pfdev->bus_clock);
++ goto disable_clock;
+ }
+
+ if (pfdev->bus_clock) {
+--
+2.30.2
+
--- /dev/null
+From 87835aa480c03e1cbfcc6aabd019c32019ef4168 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Aug 2021 10:57:00 -0700
+Subject: EDAC/i10nm: Fix NVDIMM detection
+
+From: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+
+[ Upstream commit 2294a7299f5e51667b841f63c6d69474491753fb ]
+
+MCDDRCFG is a per-channel register and uses bit{0,1} to indicate
+the NVDIMM presence on DIMM slot{0,1}. Current i10nm_edac driver
+wrongly uses MCDDRCFG as per-DIMM register and fails to detect
+the NVDIMM.
+
+Fix it by reading MCDDRCFG as per-channel register and using its
+bit{0,1} to check whether the NVDIMM is populated on DIMM slot{0,1}.
+
+Fixes: d4dc89d069aa ("EDAC, i10nm: Add a driver for Intel 10nm server processors")
+Reported-by: Fan Du <fan.du@intel.com>
+Tested-by: Wen Jin <wen.jin@intel.com>
+Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Link: https://lore.kernel.org/r/20210818175701.1611513-2-tony.luck@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/i10nm_base.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/edac/i10nm_base.c b/drivers/edac/i10nm_base.c
+index f72be5f94e6f..29576922df78 100644
+--- a/drivers/edac/i10nm_base.c
++++ b/drivers/edac/i10nm_base.c
+@@ -26,8 +26,8 @@
+ pci_read_config_dword((d)->uracu, 0xd8 + (i) * 4, &(reg))
+ #define I10NM_GET_DIMMMTR(m, i, j) \
+ readl((m)->mbase + 0x2080c + (i) * 0x4000 + (j) * 4)
+-#define I10NM_GET_MCDDRTCFG(m, i, j) \
+- readl((m)->mbase + 0x20970 + (i) * 0x4000 + (j) * 4)
++#define I10NM_GET_MCDDRTCFG(m, i) \
++ readl((m)->mbase + 0x20970 + (i) * 0x4000)
+ #define I10NM_GET_MCMTR(m, i) \
+ readl((m)->mbase + 0x20ef8 + (i) * 0x4000)
+
+@@ -156,11 +156,11 @@ static int i10nm_get_dimm_config(struct mem_ctl_info *mci)
+ continue;
+
+ ndimms = 0;
++ mcddrtcfg = I10NM_GET_MCDDRTCFG(imc, i);
+ for (j = 0; j < I10NM_NUM_DIMMS; j++) {
+ dimm = EDAC_DIMM_PTR(mci->layers, mci->dimms,
+ mci->n_layers, i, j, 0);
+ mtr = I10NM_GET_DIMMMTR(imc, i, j);
+- mcddrtcfg = I10NM_GET_MCDDRTCFG(imc, i, j);
+ edac_dbg(1, "dimmmtr 0x%x mcddrtcfg 0x%x (mc%d ch%d dimm%d)\n",
+ mtr, mcddrtcfg, imc->mc, i, j);
+
+--
+2.30.2
+
--- /dev/null
+From 1c29ca0e1632a13b4e703d59514f4c7243ff3d62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Jul 2021 17:18:31 +0800
+Subject: fcntl: fix potential deadlock for &fasync_struct.fa_lock
+
+From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+
+[ Upstream commit 2f488f698fda820f8e6fa0407630154eceb145d6 ]
+
+There is an existing lock hierarchy of
+&dev->event_lock --> &fasync_struct.fa_lock --> &f->f_owner.lock
+from the following call chain:
+
+ input_inject_event():
+ spin_lock_irqsave(&dev->event_lock,...);
+ input_handle_event():
+ input_pass_values():
+ input_to_handler():
+ evdev_events():
+ evdev_pass_values():
+ spin_lock(&client->buffer_lock);
+ __pass_event():
+ kill_fasync():
+ kill_fasync_rcu():
+ read_lock(&fa->fa_lock);
+ send_sigio():
+ read_lock_irqsave(&fown->lock,...);
+
+&dev->event_lock is HARDIRQ-safe, so interrupts have to be disabled
+while grabbing &fasync_struct.fa_lock, otherwise we invert the lock
+hierarchy. However, since kill_fasync which calls kill_fasync_rcu is
+an exported symbol, it may not necessarily be called with interrupts
+disabled.
+
+As kill_fasync_rcu may be called with interrupts disabled (for
+example, in the call chain above), we replace calls to
+read_lock/read_unlock on &fasync_struct.fa_lock in kill_fasync_rcu
+with read_lock_irqsave/read_unlock_irqrestore.
+
+Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fcntl.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/fcntl.c b/fs/fcntl.c
+index 3dc90e5293e6..fa0fdd829613 100644
+--- a/fs/fcntl.c
++++ b/fs/fcntl.c
+@@ -993,13 +993,14 @@ static void kill_fasync_rcu(struct fasync_struct *fa, int sig, int band)
+ {
+ while (fa) {
+ struct fown_struct *fown;
++ unsigned long flags;
+
+ if (fa->magic != FASYNC_MAGIC) {
+ printk(KERN_ERR "kill_fasync: bad magic number in "
+ "fasync_struct!\n");
+ return;
+ }
+- read_lock(&fa->fa_lock);
++ read_lock_irqsave(&fa->fa_lock, flags);
+ if (fa->fa_file) {
+ fown = &fa->fa_file->f_owner;
+ /* Don't send SIGURG to processes which have not set a
+@@ -1008,7 +1009,7 @@ static void kill_fasync_rcu(struct fasync_struct *fa, int sig, int band)
+ if (!(sig == SIGURG && fown->signum == 0))
+ send_sigio(fown, fa->fa_fd, band);
+ }
+- read_unlock(&fa->fa_lock);
++ read_unlock_irqrestore(&fa->fa_lock, flags);
+ fa = rcu_dereference(fa->fa_next);
+ }
+ }
+--
+2.30.2
+
--- /dev/null
+From dccb4711c51eb792b3933fc4912732b606c98e07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Aug 2021 17:33:32 +0800
+Subject: genirq/timings: Fix error return code in irq_timings_test_irqs()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit 290fdc4b7ef14e33d0e30058042b0e9bfd02b89b ]
+
+Return a negative error code from the error handling case instead of 0, as
+done elsewhere in this function.
+
+Fixes: f52da98d900e ("genirq/timings: Add selftest for irqs circular buffer")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/r/20210811093333.2376-1-thunder.leizhen@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/irq/timings.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/irq/timings.c b/kernel/irq/timings.c
+index b5985da80acf..7ccc8edce46d 100644
+--- a/kernel/irq/timings.c
++++ b/kernel/irq/timings.c
+@@ -799,12 +799,14 @@ static int __init irq_timings_test_irqs(struct timings_intervals *ti)
+
+ __irq_timings_store(irq, irqs, ti->intervals[i]);
+ if (irqs->circ_timings[i & IRQ_TIMINGS_MASK] != index) {
++ ret = -EBADSLT;
+ pr_err("Failed to store in the circular buffer\n");
+ goto out;
+ }
+ }
+
+ if (irqs->count != ti->count) {
++ ret = -ERANGE;
+ pr_err("Count differs\n");
+ goto out;
+ }
+--
+2.30.2
+
--- /dev/null
+From cf95c29cd603cc024ec839bb8aa1988b80062d64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jul 2021 15:39:46 +0200
+Subject: hrtimer: Avoid double reprogramming in __hrtimer_start_range_ns()
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+[ Upstream commit 627ef5ae2df8eeccb20d5af0e4cfa4df9e61ed28 ]
+
+If __hrtimer_start_range_ns() is invoked with an already armed hrtimer then
+the timer has to be canceled first and then added back. If the timer is the
+first expiring timer then on removal the clockevent device is reprogrammed
+to the next expiring timer to avoid that the pending expiry fires needlessly.
+
+If the new expiry time ends up to be the first expiry again then the clock
+event device has to reprogrammed again.
+
+Avoid this by checking whether the timer is the first to expire and in that
+case, keep the timer on the current CPU and delay the reprogramming up to
+the point where the timer has been enqueued again.
+
+Reported-by: Lorenzo Colitti <lorenzo@google.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/r/20210713135157.873137732@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/hrtimer.c | 60 ++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 53 insertions(+), 7 deletions(-)
+
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index 1f3e3a17f67e..39beb9aaa24b 100644
+--- a/kernel/time/hrtimer.c
++++ b/kernel/time/hrtimer.c
+@@ -1031,12 +1031,13 @@ static void __remove_hrtimer(struct hrtimer *timer,
+ * remove hrtimer, called with base lock held
+ */
+ static inline int
+-remove_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base, bool restart)
++remove_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base,
++ bool restart, bool keep_local)
+ {
+ u8 state = timer->state;
+
+ if (state & HRTIMER_STATE_ENQUEUED) {
+- int reprogram;
++ bool reprogram;
+
+ /*
+ * Remove the timer and force reprogramming when high
+@@ -1049,8 +1050,16 @@ remove_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base, bool rest
+ debug_deactivate(timer);
+ reprogram = base->cpu_base == this_cpu_ptr(&hrtimer_bases);
+
++ /*
++ * If the timer is not restarted then reprogramming is
++ * required if the timer is local. If it is local and about
++ * to be restarted, avoid programming it twice (on removal
++ * and a moment later when it's requeued).
++ */
+ if (!restart)
+ state = HRTIMER_STATE_INACTIVE;
++ else
++ reprogram &= !keep_local;
+
+ __remove_hrtimer(timer, base, state, reprogram);
+ return 1;
+@@ -1104,9 +1113,31 @@ static int __hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim,
+ struct hrtimer_clock_base *base)
+ {
+ struct hrtimer_clock_base *new_base;
++ bool force_local, first;
+
+- /* Remove an active timer from the queue: */
+- remove_hrtimer(timer, base, true);
++ /*
++ * If the timer is on the local cpu base and is the first expiring
++ * timer then this might end up reprogramming the hardware twice
++ * (on removal and on enqueue). To avoid that by prevent the
++ * reprogram on removal, keep the timer local to the current CPU
++ * and enforce reprogramming after it is queued no matter whether
++ * it is the new first expiring timer again or not.
++ */
++ force_local = base->cpu_base == this_cpu_ptr(&hrtimer_bases);
++ force_local &= base->cpu_base->next_timer == timer;
++
++ /*
++ * Remove an active timer from the queue. In case it is not queued
++ * on the current CPU, make sure that remove_hrtimer() updates the
++ * remote data correctly.
++ *
++ * If it's on the current CPU and the first expiring timer, then
++ * skip reprogramming, keep the timer local and enforce
++ * reprogramming later if it was the first expiring timer. This
++ * avoids programming the underlying clock event twice (once at
++ * removal and once after enqueue).
++ */
++ remove_hrtimer(timer, base, true, force_local);
+
+ if (mode & HRTIMER_MODE_REL)
+ tim = ktime_add_safe(tim, base->get_time());
+@@ -1116,9 +1147,24 @@ static int __hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim,
+ hrtimer_set_expires_range_ns(timer, tim, delta_ns);
+
+ /* Switch the timer base, if necessary: */
+- new_base = switch_hrtimer_base(timer, base, mode & HRTIMER_MODE_PINNED);
++ if (!force_local) {
++ new_base = switch_hrtimer_base(timer, base,
++ mode & HRTIMER_MODE_PINNED);
++ } else {
++ new_base = base;
++ }
++
++ first = enqueue_hrtimer(timer, new_base, mode);
++ if (!force_local)
++ return first;
+
+- return enqueue_hrtimer(timer, new_base, mode);
++ /*
++ * Timer was forced to stay on the current CPU to avoid
++ * reprogramming on removal and enqueue. Force reprogram the
++ * hardware by evaluating the new first expiring timer.
++ */
++ hrtimer_force_reprogram(new_base->cpu_base, 1);
++ return 0;
+ }
+
+ /**
+@@ -1184,7 +1230,7 @@ int hrtimer_try_to_cancel(struct hrtimer *timer)
+ base = lock_hrtimer_base(timer, &flags);
+
+ if (!hrtimer_callback_running(timer))
+- ret = remove_hrtimer(timer, base, false);
++ ret = remove_hrtimer(timer, base, false, false);
+
+ unlock_hrtimer_base(timer, &flags);
+
+--
+2.30.2
+
--- /dev/null
+From 6107fed7625f067ae40140a7286e0535124894b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jul 2021 15:39:48 +0200
+Subject: hrtimer: Ensure timerfd notification for HIGHRES=n
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+[ Upstream commit 8c3b5e6ec0fee18bc2ce38d1dfe913413205f908 ]
+
+If high resolution timers are disabled the timerfd notification about a
+clock was set event is not happening for all cases which use
+clock_was_set_delayed() because that's a NOP for HIGHRES=n, which is wrong.
+
+Make clock_was_set_delayed() unconditially available to fix that.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/r/20210713135158.196661266@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/hrtimer.h | 5 -----
+ kernel/time/hrtimer.c | 32 ++++++++++++++++----------------
+ kernel/time/tick-internal.h | 3 +++
+ 3 files changed, 19 insertions(+), 21 deletions(-)
+
+diff --git a/include/linux/hrtimer.h b/include/linux/hrtimer.h
+index 1f98b52118f0..48be92aded5e 100644
+--- a/include/linux/hrtimer.h
++++ b/include/linux/hrtimer.h
+@@ -317,16 +317,12 @@ struct clock_event_device;
+
+ extern void hrtimer_interrupt(struct clock_event_device *dev);
+
+-extern void clock_was_set_delayed(void);
+-
+ extern unsigned int hrtimer_resolution;
+
+ #else
+
+ #define hrtimer_resolution (unsigned int)LOW_RES_NSEC
+
+-static inline void clock_was_set_delayed(void) { }
+-
+ #endif
+
+ static inline ktime_t
+@@ -350,7 +346,6 @@ hrtimer_expires_remaining_adjusted(const struct hrtimer *timer)
+ timer->base->get_time());
+ }
+
+-extern void clock_was_set(void);
+ #ifdef CONFIG_TIMERFD
+ extern void timerfd_clock_was_set(void);
+ #else
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index 39beb9aaa24b..e1e8d5dab0c5 100644
+--- a/kernel/time/hrtimer.c
++++ b/kernel/time/hrtimer.c
+@@ -759,22 +759,6 @@ static void hrtimer_switch_to_hres(void)
+ retrigger_next_event(NULL);
+ }
+
+-static void clock_was_set_work(struct work_struct *work)
+-{
+- clock_was_set();
+-}
+-
+-static DECLARE_WORK(hrtimer_work, clock_was_set_work);
+-
+-/*
+- * Called from timekeeping and resume code to reprogram the hrtimer
+- * interrupt device on all cpus.
+- */
+-void clock_was_set_delayed(void)
+-{
+- schedule_work(&hrtimer_work);
+-}
+-
+ #else
+
+ static inline int hrtimer_is_hres_enabled(void) { return 0; }
+@@ -892,6 +876,22 @@ void clock_was_set(void)
+ timerfd_clock_was_set();
+ }
+
++static void clock_was_set_work(struct work_struct *work)
++{
++ clock_was_set();
++}
++
++static DECLARE_WORK(hrtimer_work, clock_was_set_work);
++
++/*
++ * Called from timekeeping and resume code to reprogram the hrtimer
++ * interrupt device on all cpus and to notify timerfd.
++ */
++void clock_was_set_delayed(void)
++{
++ schedule_work(&hrtimer_work);
++}
++
+ /*
+ * During resume we might have to reprogram the high resolution timer
+ * interrupt on all online CPUs. However, all other CPUs will be
+diff --git a/kernel/time/tick-internal.h b/kernel/time/tick-internal.h
+index 7b2496136729..5294f5b1f955 100644
+--- a/kernel/time/tick-internal.h
++++ b/kernel/time/tick-internal.h
+@@ -165,3 +165,6 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base, hrtimer_bases);
+
+ extern u64 get_next_timer_interrupt(unsigned long basej, u64 basem);
+ void timer_clear_idle(void);
++
++void clock_was_set(void);
++void clock_was_set_delayed(void);
+--
+2.30.2
+
--- /dev/null
+From 3c4c942dc8779ddf7279af145c1305bd5a5e16e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 30 May 2021 22:13:45 +0300
+Subject: i2c: highlander: add IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit f16a3bb69aa6baabf8f0aca982c8cf21e2a4f6bc ]
+
+The driver is written as if platform_get_irq() returns 0 on errors (while
+actually it returns a negative error code), blithely passing these error
+codes to request_irq() (which takes *unsigned* IRQ #) -- which fails with
+-EINVAL. Add the necessary error check to the pre-existing *if* statement
+forcing the driver into the polling mode...
+
+Fixes: 4ad48e6ab18c ("i2c: Renesas Highlander FPGA SMBus support")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-highlander.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-highlander.c b/drivers/i2c/busses/i2c-highlander.c
+index ff340d7ae2e5..6a880c262380 100644
+--- a/drivers/i2c/busses/i2c-highlander.c
++++ b/drivers/i2c/busses/i2c-highlander.c
+@@ -379,7 +379,7 @@ static int highlander_i2c_probe(struct platform_device *pdev)
+ platform_set_drvdata(pdev, dev);
+
+ dev->irq = platform_get_irq(pdev, 0);
+- if (iic_force_poll)
++ if (dev->irq < 0 || iic_force_poll)
+ dev->irq = 0;
+
+ if (dev->irq) {
+--
+2.30.2
+
--- /dev/null
+From 7505ddd80d46161376b21c8293f86b853de62536 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Aug 2021 23:35:09 +0300
+Subject: i2c: iop3xx: fix deferred probing
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit a1299505162ad00def3573260c2c68b9c8e8d697 ]
+
+When adding the code to handle platform_get_irq*() errors in the commit
+489447380a29 ("handle errors returned by platform_get_irq*()"), the
+actual error code was enforced to be -ENXIO in the driver for some
+strange reason. This didn't matter much until the deferred probing was
+introduced -- which requires an actual error code to be propagated
+upstream from the failure site.
+
+While fixing this, also stop overriding the errors from request_irq() to
+-EIO (done since the pre-git era).
+
+Fixes: 489447380a29 ("[PATCH] handle errors returned by platform_get_irq*()")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-iop3xx.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-iop3xx.c b/drivers/i2c/busses/i2c-iop3xx.c
+index 2f8b8050a223..899624721c1e 100644
+--- a/drivers/i2c/busses/i2c-iop3xx.c
++++ b/drivers/i2c/busses/i2c-iop3xx.c
+@@ -467,16 +467,14 @@ iop3xx_i2c_probe(struct platform_device *pdev)
+
+ irq = platform_get_irq(pdev, 0);
+ if (irq < 0) {
+- ret = -ENXIO;
++ ret = irq;
+ goto unmap;
+ }
+ ret = request_irq(irq, iop3xx_i2c_irq_handler, 0,
+ pdev->name, adapter_data);
+
+- if (ret) {
+- ret = -EIO;
++ if (ret)
+ goto unmap;
+- }
+
+ memcpy(new_adapter->name, pdev->name, strlen(pdev->name));
+ new_adapter->owner = THIS_MODULE;
+--
+2.30.2
+
--- /dev/null
+From 45d61557d91086f8503dbff4bef1880b6d29c246 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Jul 2021 17:38:45 +0300
+Subject: i2c: mt65xx: fix IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit 58fb7c643d346e2364404554f531cfa6a1a3917c ]
+
+Iff platform_get_irq() returns 0, the driver's probe() method will return 0
+early (as if the method's call was successful). Let's consider IRQ0 valid
+for simplicity -- devm_request_irq() can always override that decision...
+
+Fixes: ce38815d39ea ("I2C: mediatek: Add driver for MediaTek I2C controller")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+Reviewed-by: Qii Wang <qii.wang@mediatek.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-mt65xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-mt65xx.c b/drivers/i2c/busses/i2c-mt65xx.c
+index e1ef0122ef75..5587e7c549c4 100644
+--- a/drivers/i2c/busses/i2c-mt65xx.c
++++ b/drivers/i2c/busses/i2c-mt65xx.c
+@@ -932,7 +932,7 @@ static int mtk_i2c_probe(struct platform_device *pdev)
+ return PTR_ERR(i2c->pdmabase);
+
+ irq = platform_get_irq(pdev, 0);
+- if (irq <= 0)
++ if (irq < 0)
+ return irq;
+
+ init_completion(&i2c->msg_complete);
+--
+2.30.2
+
--- /dev/null
+From b857347b4749fd85c47aa68d20df371b59f6a4d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Jul 2021 17:45:25 +0300
+Subject: i2c: s3c2410: fix IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit d6840a5e370b7ea4fde16ce2caf431bcc87f9a75 ]
+
+Iff platform_get_irq() returns 0, the driver's probe() method will return 0
+early (as if the method's call was successful). Let's consider IRQ0 valid
+for simplicity -- devm_request_irq() can always override that decision...
+
+Fixes: e0d1ec97853f ("i2c-s3c2410: Change IRQ to be plain integer.")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-s3c2410.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-s3c2410.c b/drivers/i2c/busses/i2c-s3c2410.c
+index d6322698b245..e6f927c6f8af 100644
+--- a/drivers/i2c/busses/i2c-s3c2410.c
++++ b/drivers/i2c/busses/i2c-s3c2410.c
+@@ -1141,7 +1141,7 @@ static int s3c24xx_i2c_probe(struct platform_device *pdev)
+ */
+ if (!(i2c->quirks & QUIRK_POLL)) {
+ i2c->irq = ret = platform_get_irq(pdev, 0);
+- if (ret <= 0) {
++ if (ret < 0) {
+ dev_err(&pdev->dev, "cannot find IRQ\n");
+ clk_unprepare(i2c->clk);
+ return ret;
+--
+2.30.2
+
--- /dev/null
+From f82d33abf2865248841cc5fa043914af3dd8a745 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Aug 2021 19:02:10 -0700
+Subject: ipv4: fix endianness issue in inet_rtm_getroute_build_skb()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 92548b0ee220e000d81c27ac9a80e0ede895a881 ]
+
+The UDP length field should be in network order.
+This removes the following sparse error:
+
+net/ipv4/route.c:3173:27: warning: incorrect type in assignment (different base types)
+net/ipv4/route.c:3173:27: expected restricted __be16 [usertype] len
+net/ipv4/route.c:3173:27: got unsigned long
+
+Fixes: 404eb77ea766 ("ipv4: support sport, dport and ip_proto in RTM_GETROUTE")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Roopa Prabhu <roopa@nvidia.com>
+Cc: David Ahern <dsahern@kernel.org>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 03f35764a40e..539492998864 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -3004,7 +3004,7 @@ static struct sk_buff *inet_rtm_getroute_build_skb(__be32 src, __be32 dst,
+ udph = skb_put_zero(skb, sizeof(struct udphdr));
+ udph->source = sport;
+ udph->dest = dport;
+- udph->len = sizeof(struct udphdr);
++ udph->len = htons(sizeof(struct udphdr));
+ udph->check = 0;
+ break;
+ }
+--
+2.30.2
+
--- /dev/null
+From 58d1925b20dfc4f5deb8170fe5a1bf4b1b7fab37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Aug 2021 15:16:15 -0700
+Subject: ipv4: make exception cache less predictible
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 67d6d681e15b578c1725bad8ad079e05d1c48a8e ]
+
+Even after commit 6457378fe796 ("ipv4: use siphash instead of Jenkins in
+fnhe_hashfun()"), an attacker can still use brute force to learn
+some secrets from a victim linux host.
+
+One way to defeat these attacks is to make the max depth of the hash
+table bucket a random value.
+
+Before this patch, each bucket of the hash table used to store exceptions
+could contain 6 items under attack.
+
+After the patch, each bucket would contains a random number of items,
+between 6 and 10. The attacker can no longer infer secrets.
+
+This is slightly increasing memory size used by the hash table,
+by 50% in average, we do not expect this to be a problem.
+
+This patch is more complex than the prior one (IPv6 equivalent),
+because IPv4 was reusing the oldest entry.
+Since we need to be able to evict more than one entry per
+update_or_create_fnhe() call, I had to replace
+fnhe_oldest() with fnhe_remove_oldest().
+
+Also note that we will queue extra kfree_rcu() calls under stress,
+which hopefully wont be a too big issue.
+
+Fixes: 4895c771c7f0 ("ipv4: Add FIB nexthop exceptions.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Keyu Man <kman001@ucr.edu>
+Cc: Willy Tarreau <w@1wt.eu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Tested-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/route.c | 46 ++++++++++++++++++++++++++++++----------------
+ 1 file changed, 30 insertions(+), 16 deletions(-)
+
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 0e976848d4bb..03f35764a40e 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -610,18 +610,25 @@ static void fnhe_flush_routes(struct fib_nh_exception *fnhe)
+ }
+ }
+
+-static struct fib_nh_exception *fnhe_oldest(struct fnhe_hash_bucket *hash)
++static void fnhe_remove_oldest(struct fnhe_hash_bucket *hash)
+ {
+- struct fib_nh_exception *fnhe, *oldest;
++ struct fib_nh_exception __rcu **fnhe_p, **oldest_p;
++ struct fib_nh_exception *fnhe, *oldest = NULL;
+
+- oldest = rcu_dereference(hash->chain);
+- for (fnhe = rcu_dereference(oldest->fnhe_next); fnhe;
+- fnhe = rcu_dereference(fnhe->fnhe_next)) {
+- if (time_before(fnhe->fnhe_stamp, oldest->fnhe_stamp))
++ for (fnhe_p = &hash->chain; ; fnhe_p = &fnhe->fnhe_next) {
++ fnhe = rcu_dereference_protected(*fnhe_p,
++ lockdep_is_held(&fnhe_lock));
++ if (!fnhe)
++ break;
++ if (!oldest ||
++ time_before(fnhe->fnhe_stamp, oldest->fnhe_stamp)) {
+ oldest = fnhe;
++ oldest_p = fnhe_p;
++ }
+ }
+ fnhe_flush_routes(oldest);
+- return oldest;
++ *oldest_p = oldest->fnhe_next;
++ kfree_rcu(oldest, rcu);
+ }
+
+ static inline u32 fnhe_hashfun(__be32 daddr)
+@@ -700,16 +707,21 @@ static void update_or_create_fnhe(struct fib_nh_common *nhc, __be32 daddr,
+ if (rt)
+ fill_route_from_fnhe(rt, fnhe);
+ } else {
+- if (depth > FNHE_RECLAIM_DEPTH)
+- fnhe = fnhe_oldest(hash);
+- else {
+- fnhe = kzalloc(sizeof(*fnhe), GFP_ATOMIC);
+- if (!fnhe)
+- goto out_unlock;
+-
+- fnhe->fnhe_next = hash->chain;
+- rcu_assign_pointer(hash->chain, fnhe);
++ /* Randomize max depth to avoid some side channels attacks. */
++ int max_depth = FNHE_RECLAIM_DEPTH +
++ prandom_u32_max(FNHE_RECLAIM_DEPTH);
++
++ while (depth > max_depth) {
++ fnhe_remove_oldest(hash);
++ depth--;
+ }
++
++ fnhe = kzalloc(sizeof(*fnhe), GFP_ATOMIC);
++ if (!fnhe)
++ goto out_unlock;
++
++ fnhe->fnhe_next = hash->chain;
++
+ fnhe->fnhe_genid = genid;
+ fnhe->fnhe_daddr = daddr;
+ fnhe->fnhe_gw = gw;
+@@ -717,6 +729,8 @@ static void update_or_create_fnhe(struct fib_nh_common *nhc, __be32 daddr,
+ fnhe->fnhe_mtu_locked = lock;
+ fnhe->fnhe_expires = max(1UL, expires);
+
++ rcu_assign_pointer(hash->chain, fnhe);
++
+ /* Exception created; mark the cached routes for the nexthop
+ * stale, so anyone caching it rechecks if this exception
+ * applies to them.
+--
+2.30.2
+
--- /dev/null
+From ebd6255b19bb67b8fa8e27c8917690a233ad2747 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Aug 2021 15:16:14 -0700
+Subject: ipv6: make exception cache less predictible
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit a00df2caffed3883c341d5685f830434312e4a43 ]
+
+Even after commit 4785305c05b2 ("ipv6: use siphash in rt6_exception_hash()"),
+an attacker can still use brute force to learn some secrets from a victim
+linux host.
+
+One way to defeat these attacks is to make the max depth of the hash
+table bucket a random value.
+
+Before this patch, each bucket of the hash table used to store exceptions
+could contain 6 items under attack.
+
+After the patch, each bucket would contains a random number of items,
+between 6 and 10. The attacker can no longer infer secrets.
+
+This is slightly increasing memory size used by the hash table,
+we do not expect this to be a problem.
+
+Following patch is dealing with the same issue in IPv4.
+
+Fixes: 35732d01fe31 ("ipv6: introduce a hash table to store dst cache")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Keyu Man <kman001@ucr.edu>
+Cc: Wei Wang <weiwan@google.com>
+Cc: Martin KaFai Lau <kafai@fb.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/route.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index d6fc22f7d7a6..575bd0f1b008 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -1667,6 +1667,7 @@ static int rt6_insert_exception(struct rt6_info *nrt,
+ struct in6_addr *src_key = NULL;
+ struct rt6_exception *rt6_ex;
+ struct fib6_nh *nh = res->nh;
++ int max_depth;
+ int err = 0;
+
+ spin_lock_bh(&rt6_exception_lock);
+@@ -1721,7 +1722,9 @@ static int rt6_insert_exception(struct rt6_info *nrt,
+ bucket->depth++;
+ net->ipv6.rt6_stats->fib_rt_cache++;
+
+- if (bucket->depth > FIB6_MAX_DEPTH)
++ /* Randomize max depth to avoid some side channels attacks. */
++ max_depth = FIB6_MAX_DEPTH + prandom_u32_max(FIB6_MAX_DEPTH);
++ while (bucket->depth > max_depth)
+ rt6_exception_remove_oldest(bucket);
+
+ out:
+--
+2.30.2
+
--- /dev/null
+From d6d9c8b18bceaf63bf92359f3fa8c62631938aa9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Aug 2021 18:24:37 +0200
+Subject: isofs: joliet: Fix iocharset=utf8 mount option
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 28ce50f8d96ec9035f60c9348294ea26b94db944 ]
+
+Currently iocharset=utf8 mount option is broken. To use UTF-8 as iocharset,
+it is required to use utf8 mount option.
+
+Fix iocharset=utf8 mount option to use be equivalent to the utf8 mount
+option.
+
+If UTF-8 as iocharset is used then s_nls_iocharset is set to NULL. So
+simplify code around, remove s_utf8 field as to distinguish between UTF-8
+and non-UTF-8 it is needed just to check if s_nls_iocharset is set to NULL
+or not.
+
+Link: https://lore.kernel.org/r/20210808162453.1653-5-pali@kernel.org
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/isofs/inode.c | 27 +++++++++++++--------------
+ fs/isofs/isofs.h | 1 -
+ fs/isofs/joliet.c | 4 +---
+ 3 files changed, 14 insertions(+), 18 deletions(-)
+
+diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c
+index 62c0462dc89f..bf30f6ce8dd1 100644
+--- a/fs/isofs/inode.c
++++ b/fs/isofs/inode.c
+@@ -155,7 +155,6 @@ struct iso9660_options{
+ unsigned int overriderockperm:1;
+ unsigned int uid_set:1;
+ unsigned int gid_set:1;
+- unsigned int utf8:1;
+ unsigned char map;
+ unsigned char check;
+ unsigned int blocksize;
+@@ -355,7 +354,6 @@ static int parse_options(char *options, struct iso9660_options *popt)
+ popt->gid = GLOBAL_ROOT_GID;
+ popt->uid = GLOBAL_ROOT_UID;
+ popt->iocharset = NULL;
+- popt->utf8 = 0;
+ popt->overriderockperm = 0;
+ popt->session=-1;
+ popt->sbsector=-1;
+@@ -388,10 +386,13 @@ static int parse_options(char *options, struct iso9660_options *popt)
+ case Opt_cruft:
+ popt->cruft = 1;
+ break;
++#ifdef CONFIG_JOLIET
+ case Opt_utf8:
+- popt->utf8 = 1;
++ kfree(popt->iocharset);
++ popt->iocharset = kstrdup("utf8", GFP_KERNEL);
++ if (!popt->iocharset)
++ return 0;
+ break;
+-#ifdef CONFIG_JOLIET
+ case Opt_iocharset:
+ kfree(popt->iocharset);
+ popt->iocharset = match_strdup(&args[0]);
+@@ -494,7 +495,6 @@ static int isofs_show_options(struct seq_file *m, struct dentry *root)
+ if (sbi->s_nocompress) seq_puts(m, ",nocompress");
+ if (sbi->s_overriderockperm) seq_puts(m, ",overriderockperm");
+ if (sbi->s_showassoc) seq_puts(m, ",showassoc");
+- if (sbi->s_utf8) seq_puts(m, ",utf8");
+
+ if (sbi->s_check) seq_printf(m, ",check=%c", sbi->s_check);
+ if (sbi->s_mapping) seq_printf(m, ",map=%c", sbi->s_mapping);
+@@ -517,9 +517,10 @@ static int isofs_show_options(struct seq_file *m, struct dentry *root)
+ seq_printf(m, ",fmode=%o", sbi->s_fmode);
+
+ #ifdef CONFIG_JOLIET
+- if (sbi->s_nls_iocharset &&
+- strcmp(sbi->s_nls_iocharset->charset, CONFIG_NLS_DEFAULT) != 0)
++ if (sbi->s_nls_iocharset)
+ seq_printf(m, ",iocharset=%s", sbi->s_nls_iocharset->charset);
++ else
++ seq_puts(m, ",iocharset=utf8");
+ #endif
+ return 0;
+ }
+@@ -867,14 +868,13 @@ root_found:
+ sbi->s_nls_iocharset = NULL;
+
+ #ifdef CONFIG_JOLIET
+- if (joliet_level && opt.utf8 == 0) {
++ if (joliet_level) {
+ char *p = opt.iocharset ? opt.iocharset : CONFIG_NLS_DEFAULT;
+- sbi->s_nls_iocharset = load_nls(p);
+- if (! sbi->s_nls_iocharset) {
+- /* Fail only if explicit charset specified */
+- if (opt.iocharset)
++ if (strcmp(p, "utf8") != 0) {
++ sbi->s_nls_iocharset = opt.iocharset ?
++ load_nls(opt.iocharset) : load_nls_default();
++ if (!sbi->s_nls_iocharset)
+ goto out_freesbi;
+- sbi->s_nls_iocharset = load_nls_default();
+ }
+ }
+ #endif
+@@ -890,7 +890,6 @@ root_found:
+ sbi->s_gid = opt.gid;
+ sbi->s_uid_set = opt.uid_set;
+ sbi->s_gid_set = opt.gid_set;
+- sbi->s_utf8 = opt.utf8;
+ sbi->s_nocompress = opt.nocompress;
+ sbi->s_overriderockperm = opt.overriderockperm;
+ /*
+diff --git a/fs/isofs/isofs.h b/fs/isofs/isofs.h
+index 055ec6c586f7..dcdc191ed183 100644
+--- a/fs/isofs/isofs.h
++++ b/fs/isofs/isofs.h
+@@ -44,7 +44,6 @@ struct isofs_sb_info {
+ unsigned char s_session;
+ unsigned int s_high_sierra:1;
+ unsigned int s_rock:2;
+- unsigned int s_utf8:1;
+ unsigned int s_cruft:1; /* Broken disks with high byte of length
+ * containing junk */
+ unsigned int s_nocompress:1;
+diff --git a/fs/isofs/joliet.c b/fs/isofs/joliet.c
+index be8b6a9d0b92..c0f04a1e7f69 100644
+--- a/fs/isofs/joliet.c
++++ b/fs/isofs/joliet.c
+@@ -41,14 +41,12 @@ uni16_to_x8(unsigned char *ascii, __be16 *uni, int len, struct nls_table *nls)
+ int
+ get_joliet_filename(struct iso_directory_record * de, unsigned char *outname, struct inode * inode)
+ {
+- unsigned char utf8;
+ struct nls_table *nls;
+ unsigned char len = 0;
+
+- utf8 = ISOFS_SB(inode->i_sb)->s_utf8;
+ nls = ISOFS_SB(inode->i_sb)->s_nls_iocharset;
+
+- if (utf8) {
++ if (!nls) {
+ len = utf16s_to_utf8s((const wchar_t *) de->name,
+ de->name_len[0] >> 1, UTF16_BIG_ENDIAN,
+ outname, PAGE_SIZE);
+--
+2.30.2
+
--- /dev/null
+From 21ad1397f5f3f11a4f304ad928a9dd9e640ead45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 May 2021 14:19:33 +0300
+Subject: leds: lt3593: Put fwnode in any case during ->probe()
+
+From: Andy Shevchenko <andy.shevchenko@gmail.com>
+
+[ Upstream commit 7e1baaaa2407a642ea19b58e214fab9a69cda1d7 ]
+
+device_get_next_child_node() bumps a reference counting of a returned variable.
+We have to balance it whenever we return to the caller.
+
+Fixes: 8cd7d6daba93 ("leds: lt3593: Add device tree probing glue")
+Cc: Daniel Mack <daniel@zonque.org>
+Signed-off-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/leds-lt3593.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/leds/leds-lt3593.c b/drivers/leds/leds-lt3593.c
+index c94995f0daa2..03ae33093ce6 100644
+--- a/drivers/leds/leds-lt3593.c
++++ b/drivers/leds/leds-lt3593.c
+@@ -103,10 +103,9 @@ static int lt3593_led_probe(struct platform_device *pdev)
+ init_data.default_label = ":";
+
+ ret = devm_led_classdev_register_ext(dev, &led_data->cdev, &init_data);
+- if (ret < 0) {
+- fwnode_handle_put(child);
++ fwnode_handle_put(child);
++ if (ret < 0)
+ return ret;
+- }
+
+ led_data->cdev.dev->of_node = dev->of_node;
+ platform_set_drvdata(pdev, led_data);
+--
+2.30.2
+
--- /dev/null
+From 9da8081e79fd66ba00b2aa1ecf7898a209c2dcb0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Feb 2021 12:52:08 +0100
+Subject: leds: trigger: audio: Add an activate callback to ensure the initial
+ brightness is set
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 64f67b5240db79eceb0bd57dae8e591fd3103ba0 ]
+
+Some 2-in-1s with a detachable (USB) keyboard(dock) have mute-LEDs in
+the speaker- and/or mic-mute keys on the keyboard.
+
+Examples of this are the Lenovo Thinkpad10 tablet (with its USB kbd-dock)
+and the HP x2 10 series.
+
+The detachable nature of these keyboards means that the keyboard and
+thus the mute LEDs may show up after the user (or userspace restoring
+old mixer settings) has muted the speaker and/or mic.
+
+Current LED-class devices with a default_trigger of "audio-mute" or
+"audio-micmute" initialize the brightness member of led_classdev with
+ledtrig_audio_get() before registering the LED.
+
+This makes the software state after attaching the keyboard match the
+actual audio mute state, e.g. cat /sys/class/leds/foo/brightness will
+show the right value.
+
+But before this commit nothing was actually calling the led_classdev's
+brightness_set[_blocking] callback so the value returned by
+ledtrig_audio_get() was never actually being sent to the hw, leading
+to the mute LEDs staying in their default power-on state, after
+attaching the keyboard, even if ledtrig_audio_get() returned a different
+state.
+
+This could be fixed by having the individual LED drivers call
+brightness_set[_blocking] themselves after registering the LED,
+but this really is something which should be done by a led-trigger
+activate callback.
+
+Add an activate callback for this, fixing the issue of the
+mute LEDs being out of sync after (re)attaching the keyboard.
+
+Cc: Takashi Iwai <tiwai@suse.de>
+Fixes: faa2541f5b1a ("leds: trigger: Introduce audio mute LED trigger")
+Reviewed-by: Marek Behún <kabel@kernel.org>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/trigger/ledtrig-audio.c | 37 ++++++++++++++++++++++------
+ 1 file changed, 29 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/leds/trigger/ledtrig-audio.c b/drivers/leds/trigger/ledtrig-audio.c
+index f76621e88482..c6b437e6369b 100644
+--- a/drivers/leds/trigger/ledtrig-audio.c
++++ b/drivers/leds/trigger/ledtrig-audio.c
+@@ -6,10 +6,33 @@
+ #include <linux/kernel.h>
+ #include <linux/leds.h>
+ #include <linux/module.h>
++#include "../leds.h"
+
+-static struct led_trigger *ledtrig_audio[NUM_AUDIO_LEDS];
+ static enum led_brightness audio_state[NUM_AUDIO_LEDS];
+
++static int ledtrig_audio_mute_activate(struct led_classdev *led_cdev)
++{
++ led_set_brightness_nosleep(led_cdev, audio_state[LED_AUDIO_MUTE]);
++ return 0;
++}
++
++static int ledtrig_audio_micmute_activate(struct led_classdev *led_cdev)
++{
++ led_set_brightness_nosleep(led_cdev, audio_state[LED_AUDIO_MICMUTE]);
++ return 0;
++}
++
++static struct led_trigger ledtrig_audio[NUM_AUDIO_LEDS] = {
++ [LED_AUDIO_MUTE] = {
++ .name = "audio-mute",
++ .activate = ledtrig_audio_mute_activate,
++ },
++ [LED_AUDIO_MICMUTE] = {
++ .name = "audio-micmute",
++ .activate = ledtrig_audio_micmute_activate,
++ },
++};
++
+ enum led_brightness ledtrig_audio_get(enum led_audio type)
+ {
+ return audio_state[type];
+@@ -19,24 +42,22 @@ EXPORT_SYMBOL_GPL(ledtrig_audio_get);
+ void ledtrig_audio_set(enum led_audio type, enum led_brightness state)
+ {
+ audio_state[type] = state;
+- led_trigger_event(ledtrig_audio[type], state);
++ led_trigger_event(&ledtrig_audio[type], state);
+ }
+ EXPORT_SYMBOL_GPL(ledtrig_audio_set);
+
+ static int __init ledtrig_audio_init(void)
+ {
+- led_trigger_register_simple("audio-mute",
+- &ledtrig_audio[LED_AUDIO_MUTE]);
+- led_trigger_register_simple("audio-micmute",
+- &ledtrig_audio[LED_AUDIO_MICMUTE]);
++ led_trigger_register(&ledtrig_audio[LED_AUDIO_MUTE]);
++ led_trigger_register(&ledtrig_audio[LED_AUDIO_MICMUTE]);
+ return 0;
+ }
+ module_init(ledtrig_audio_init);
+
+ static void __exit ledtrig_audio_exit(void)
+ {
+- led_trigger_unregister_simple(ledtrig_audio[LED_AUDIO_MUTE]);
+- led_trigger_unregister_simple(ledtrig_audio[LED_AUDIO_MICMUTE]);
++ led_trigger_unregister(&ledtrig_audio[LED_AUDIO_MUTE]);
++ led_trigger_unregister(&ledtrig_audio[LED_AUDIO_MICMUTE]);
+ }
+ module_exit(ledtrig_audio_exit);
+
+--
+2.30.2
+
--- /dev/null
+From 7d046e44ddc7b12ebdd309c0eb3adbd76487586f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Aug 2021 16:53:32 +0800
+Subject: lib/mpi: use kcalloc in mpi_resize
+
+From: Hongbo Li <herberthbli@tencent.com>
+
+[ Upstream commit b6f756726e4dfe75be1883f6a0202dcecdc801ab ]
+
+We should set the additional space to 0 in mpi_resize().
+So use kcalloc() instead of kmalloc_array().
+
+In lib/mpi/ec.c:
+/****************
+ * Resize the array of A to NLIMBS. the additional space is cleared
+ * (set to 0) [done by m_realloc()]
+ */
+int mpi_resize(MPI a, unsigned nlimbs)
+
+Like the comment of kernel's mpi_resize() said, the additional space
+need to be set to 0, but when a->d is not NULL, it does not set.
+
+The kernel's mpi lib is from libgcrypt, the mpi resize in libgcrypt
+is _gcry_mpi_resize() which set the additional space to 0.
+
+This bug may cause mpi api which use mpi_resize() get wrong result
+under the condition of using the additional space without initiation.
+If this condition is not met, the bug would not be triggered.
+Currently in kernel, rsa, sm2 and dh use mpi lib, and they works well,
+so the bug is not triggered in these cases.
+
+add_points_edwards() use the additional space directly, so it will
+get a wrong result.
+
+Fixes: cdec9cb5167a ("crypto: GnuPG based MPI lib - source files (part 1)")
+Signed-off-by: Hongbo Li <herberthbli@tencent.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/mpi/mpiutil.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/mpi/mpiutil.c b/lib/mpi/mpiutil.c
+index 20ed0f766787..00825028cc84 100644
+--- a/lib/mpi/mpiutil.c
++++ b/lib/mpi/mpiutil.c
+@@ -91,7 +91,7 @@ int mpi_resize(MPI a, unsigned nlimbs)
+ return 0; /* no need to do it */
+
+ if (a->d) {
+- p = kmalloc_array(nlimbs, sizeof(mpi_limb_t), GFP_KERNEL);
++ p = kcalloc(nlimbs, sizeof(mpi_limb_t), GFP_KERNEL);
+ if (!p)
+ return -ENOMEM;
+ memcpy(p, a->d, a->alloced * sizeof(mpi_limb_t));
+--
+2.30.2
+
--- /dev/null
+From b92849bba8a44b262471f19243bd493ca0556979 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Aug 2021 10:44:47 +0900
+Subject: libata: fix ata_host_start()
+
+From: Damien Le Moal <damien.lemoal@wdc.com>
+
+[ Upstream commit 355a8031dc174450ccad2a61c513ad7222d87a97 ]
+
+The loop on entry of ata_host_start() may not initialize host->ops to a
+non NULL value. The test on the host_stop field of host->ops must then
+be preceded by a check that host->ops is not NULL.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Link: https://lore.kernel.org/r/20210816014456.2191776-3-damien.lemoal@wdc.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index f67b3fb33d57..7788af0ca109 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -6394,7 +6394,7 @@ int ata_host_start(struct ata_host *host)
+ have_stop = 1;
+ }
+
+- if (host->ops->host_stop)
++ if (host->ops && host->ops->host_stop)
+ have_stop = 1;
+
+ if (have_stop) {
+--
+2.30.2
+
--- /dev/null
+From df41a4b1392a5ba1ff086c674a432c86af6cdfbc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jul 2021 09:33:28 -0400
+Subject: lockd: Fix invalid lockowner cast after vfs_test_lock
+
+From: Benjamin Coddington <bcodding@redhat.com>
+
+[ Upstream commit cd2d644ddba183ec7b451b7c20d5c7cc06fcf0d7 ]
+
+After calling vfs_test_lock() the pointer to a conflicting lock can be
+returned, and that lock is not guarunteed to be owned by nlm. In that
+case, we cannot cast it to struct nlm_lockowner. Instead return the pid
+of that conflicting lock.
+
+Fixes: 646d73e91b42 ("lockd: Show pid of lockd for remote locks")
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/lockd/svclock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/lockd/svclock.c b/fs/lockd/svclock.c
+index 61d3cc2283dc..498cb70c2c0d 100644
+--- a/fs/lockd/svclock.c
++++ b/fs/lockd/svclock.c
+@@ -634,7 +634,7 @@ nlmsvc_testlock(struct svc_rqst *rqstp, struct nlm_file *file,
+ conflock->caller = "somehost"; /* FIXME */
+ conflock->len = strlen(conflock->caller);
+ conflock->oh.len = 0; /* don't return OH info */
+- conflock->svid = ((struct nlm_lockowner *)lock->fl.fl_owner)->pid;
++ conflock->svid = lock->fl.fl_pid;
+ conflock->fl.fl_type = lock->fl.fl_type;
+ conflock->fl.fl_start = lock->fl.fl_start;
+ conflock->fl.fl_end = lock->fl.fl_end;
+--
+2.30.2
+
--- /dev/null
+From 3b4fdc6de8461cae126a1f31940d6434ab586fbf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Jun 2021 17:35:18 +0200
+Subject: locking/mutex: Fix HANDOFF condition
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 048661a1f963e9517630f080687d48af79ed784c ]
+
+Yanfei reported that setting HANDOFF should not depend on recomputing
+@first, only on @first state. Which would then give:
+
+ if (ww_ctx || !first)
+ first = __mutex_waiter_is_first(lock, &waiter);
+ if (first)
+ __mutex_set_flag(lock, MUTEX_FLAG_HANDOFF);
+
+But because 'ww_ctx || !first' is basically 'always' and the test for
+first is relatively cheap, omit that first branch entirely.
+
+Reported-by: Yanfei Xu <yanfei.xu@windriver.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Waiman Long <longman@redhat.com>
+Reviewed-by: Yanfei Xu <yanfei.xu@windriver.com>
+Link: https://lore.kernel.org/r/20210630154114.896786297@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/locking/mutex.c | 15 +++++----------
+ 1 file changed, 5 insertions(+), 10 deletions(-)
+
+diff --git a/kernel/locking/mutex.c b/kernel/locking/mutex.c
+index c0c7784f074b..b02fff28221f 100644
+--- a/kernel/locking/mutex.c
++++ b/kernel/locking/mutex.c
+@@ -938,7 +938,6 @@ __mutex_lock_common(struct mutex *lock, long state, unsigned int subclass,
+ struct ww_acquire_ctx *ww_ctx, const bool use_ww_ctx)
+ {
+ struct mutex_waiter waiter;
+- bool first = false;
+ struct ww_mutex *ww;
+ int ret;
+
+@@ -1017,6 +1016,8 @@ __mutex_lock_common(struct mutex *lock, long state, unsigned int subclass,
+
+ set_current_state(state);
+ for (;;) {
++ bool first;
++
+ /*
+ * Once we hold wait_lock, we're serialized against
+ * mutex_unlock() handing the lock off to us, do a trylock
+@@ -1045,15 +1046,9 @@ __mutex_lock_common(struct mutex *lock, long state, unsigned int subclass,
+ spin_unlock(&lock->wait_lock);
+ schedule_preempt_disabled();
+
+- /*
+- * ww_mutex needs to always recheck its position since its waiter
+- * list is not FIFO ordered.
+- */
+- if (ww_ctx || !first) {
+- first = __mutex_waiter_is_first(lock, &waiter);
+- if (first)
+- __mutex_set_flag(lock, MUTEX_FLAG_HANDOFF);
+- }
++ first = __mutex_waiter_is_first(lock, &waiter);
++ if (first)
++ __mutex_set_flag(lock, MUTEX_FLAG_HANDOFF);
+
+ set_current_state(state);
+ /*
+--
+2.30.2
+
--- /dev/null
+From 6fb85f40c98cc0eb74f0e4daf15da1f085f181ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jul 2021 23:47:27 +0300
+Subject: m68k: emu: Fix invalid free in nfeth_cleanup()
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit 761608f5cf70e8876c2f0e39ca54b516bdcb7c12 ]
+
+In the for loop all nfeth_dev array members should be freed, not only
+the first one. Freeing only the first array member can cause
+double-free bugs and memory leaks.
+
+Fixes: 9cd7b148312f ("m68k/atari: ARAnyM - Add support for network access")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Link: https://lore.kernel.org/r/20210705204727.10743-1-paskripkin@gmail.com
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/emu/nfeth.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/m68k/emu/nfeth.c b/arch/m68k/emu/nfeth.c
+index a4ebd2445eda..e5831cd293d0 100644
+--- a/arch/m68k/emu/nfeth.c
++++ b/arch/m68k/emu/nfeth.c
+@@ -254,8 +254,8 @@ static void __exit nfeth_cleanup(void)
+
+ for (i = 0; i < MAX_UNIT; i++) {
+ if (nfeth_dev[i]) {
+- unregister_netdev(nfeth_dev[0]);
+- free_netdev(nfeth_dev[0]);
++ unregister_netdev(nfeth_dev[i]);
++ free_netdev(nfeth_dev[i]);
+ }
+ }
+ free_irq(nfEtherIRQ, nfeth_interrupt);
+--
+2.30.2
+
--- /dev/null
+From e5f43df139c98ba58006a1c70948544ed1328dce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Aug 2021 16:51:28 +0800
+Subject: mac80211: Fix insufficient headroom issue for AMSDU
+
+From: Chih-Kang Chang <gary.chang@realtek.com>
+
+[ Upstream commit f50d2ff8f016b79a2ff4acd5943a1eda40c545d4 ]
+
+ieee80211_amsdu_realloc_pad() fails to account for extra_tx_headroom,
+the original reserved headroom might be eaten. Add the necessary
+extra_tx_headroom.
+
+Fixes: 6e0456b54545 ("mac80211: add A-MSDU tx support")
+Signed-off-by: Chih-Kang Chang <gary.chang@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://lore.kernel.org/r/20210816085128.10931-2-pkshih@realtek.com
+[fix indentation]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index 538722522ffe..4dfac7a25e5a 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3189,7 +3189,9 @@ static bool ieee80211_amsdu_prepare_head(struct ieee80211_sub_if_data *sdata,
+ if (info->control.flags & IEEE80211_TX_CTRL_AMSDU)
+ return true;
+
+- if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(*amsdu_hdr)))
++ if (!ieee80211_amsdu_realloc_pad(local, skb,
++ sizeof(*amsdu_hdr) +
++ local->hw.extra_tx_headroom))
+ return false;
+
+ data = skb_push(skb, sizeof(*amsdu_hdr));
+--
+2.30.2
+
--- /dev/null
+From 70145e92db950019f081d960fca2221c0db33da4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Jul 2021 16:57:08 +0200
+Subject: media: coda: fix frame_mem_ctrl for YUV420 and YVU420 formats
+
+From: Philipp Zabel <p.zabel@pengutronix.de>
+
+[ Upstream commit 44693d74f5653f82cd7ca0fe730eed0f6b83306a ]
+
+The frame memory control register value is currently determined
+before userspace selects the final capture format and never corrected.
+Update ctx->frame_mem_ctrl in __coda_start_decoding() to fix decoding
+into YUV420 or YVU420 capture buffers.
+
+Reported-by: Andrej Picej <andrej.picej@norik.com>
+Fixes: 497e6b8559a6 ("media: coda: add sequence initialization work")
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/coda/coda-bit.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c
+index 00c7bed3dd57..e6b68be09f8f 100644
+--- a/drivers/media/platform/coda/coda-bit.c
++++ b/drivers/media/platform/coda/coda-bit.c
+@@ -2023,17 +2023,25 @@ static int __coda_start_decoding(struct coda_ctx *ctx)
+ u32 src_fourcc, dst_fourcc;
+ int ret;
+
++ q_data_src = get_q_data(ctx, V4L2_BUF_TYPE_VIDEO_OUTPUT);
++ q_data_dst = get_q_data(ctx, V4L2_BUF_TYPE_VIDEO_CAPTURE);
++ src_fourcc = q_data_src->fourcc;
++ dst_fourcc = q_data_dst->fourcc;
++
+ if (!ctx->initialized) {
+ ret = __coda_decoder_seq_init(ctx);
+ if (ret < 0)
+ return ret;
++ } else {
++ ctx->frame_mem_ctrl &= ~(CODA_FRAME_CHROMA_INTERLEAVE | (0x3 << 9) |
++ CODA9_FRAME_TILED2LINEAR);
++ if (dst_fourcc == V4L2_PIX_FMT_NV12 || dst_fourcc == V4L2_PIX_FMT_YUYV)
++ ctx->frame_mem_ctrl |= CODA_FRAME_CHROMA_INTERLEAVE;
++ if (ctx->tiled_map_type == GDI_TILED_FRAME_MB_RASTER_MAP)
++ ctx->frame_mem_ctrl |= (0x3 << 9) |
++ ((ctx->use_vdoa) ? 0 : CODA9_FRAME_TILED2LINEAR);
+ }
+
+- q_data_src = get_q_data(ctx, V4L2_BUF_TYPE_VIDEO_OUTPUT);
+- q_data_dst = get_q_data(ctx, V4L2_BUF_TYPE_VIDEO_CAPTURE);
+- src_fourcc = q_data_src->fourcc;
+- dst_fourcc = q_data_dst->fourcc;
+-
+ coda_write(dev, ctx->parabuf.paddr, CODA_REG_BIT_PARA_BUF_ADDR);
+
+ ret = coda_alloc_framebuffers(ctx, q_data_dst, src_fourcc);
+--
+2.30.2
+
--- /dev/null
+From 23fd194936f8f46ca0486fbdf7cc2bf7ab6d165e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jun 2021 21:54:31 +0200
+Subject: media: cxd2880-spi: Fix an error handling path
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit dcb0145821017e929a733e2271c85c6f82b9c9f8 ]
+
+If an error occurs after a successful 'regulator_enable()' call,
+'regulator_disable()' must be called.
+
+Fix the error handling path of the probe accordingly.
+
+Fixes: cb496cd472af ("media: cxd2880-spi: Add optional vcc regulator")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/spi/cxd2880-spi.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/spi/cxd2880-spi.c b/drivers/media/spi/cxd2880-spi.c
+index 4077217777f9..93194f03764d 100644
+--- a/drivers/media/spi/cxd2880-spi.c
++++ b/drivers/media/spi/cxd2880-spi.c
+@@ -524,13 +524,13 @@ cxd2880_spi_probe(struct spi_device *spi)
+ if (IS_ERR(dvb_spi->vcc_supply)) {
+ if (PTR_ERR(dvb_spi->vcc_supply) == -EPROBE_DEFER) {
+ ret = -EPROBE_DEFER;
+- goto fail_adapter;
++ goto fail_regulator;
+ }
+ dvb_spi->vcc_supply = NULL;
+ } else {
+ ret = regulator_enable(dvb_spi->vcc_supply);
+ if (ret)
+- goto fail_adapter;
++ goto fail_regulator;
+ }
+
+ dvb_spi->spi = spi;
+@@ -618,6 +618,9 @@ fail_frontend:
+ fail_attach:
+ dvb_unregister_adapter(&dvb_spi->adapter);
+ fail_adapter:
++ if (!dvb_spi->vcc_supply)
++ regulator_disable(dvb_spi->vcc_supply);
++fail_regulator:
+ kfree(dvb_spi);
+ return ret;
+ }
+--
+2.30.2
+
--- /dev/null
+From 774adfd59fe44caf543112f1bf2c353f899cf269 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jun 2021 07:07:28 +0200
+Subject: media: dvb-usb: Fix error handling in dvb_usb_i2c_init
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit 131ae388b88e3daf4cb0721ed4b4cb8bfc201465 ]
+
+In dvb_usb_i2c_init, if i2c_add_adapter fails, it only prints an error
+message, and then continues to set DVB_USB_STATE_I2C. This affects the
+logic of dvb_usb_i2c_exit, which leads to that, the deletion of i2c_adap
+even if the i2c_add_adapter fails.
+
+Fix this by returning at the failure of i2c_add_adapter and then move
+dvb_usb_i2c_exit out of the error handling code of dvb_usb_i2c_init.
+
+Fixes: 13a79f14ab28 ("media: dvb-usb: Fix memory leak at error in dvb_usb_device_init()")
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/dvb-usb-i2c.c | 9 +++++++--
+ drivers/media/usb/dvb-usb/dvb-usb-init.c | 2 +-
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb/dvb-usb-i2c.c b/drivers/media/usb/dvb-usb/dvb-usb-i2c.c
+index 2e07106f4680..bc4b2abdde1a 100644
+--- a/drivers/media/usb/dvb-usb/dvb-usb-i2c.c
++++ b/drivers/media/usb/dvb-usb/dvb-usb-i2c.c
+@@ -17,7 +17,8 @@ int dvb_usb_i2c_init(struct dvb_usb_device *d)
+
+ if (d->props.i2c_algo == NULL) {
+ err("no i2c algorithm specified");
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err;
+ }
+
+ strscpy(d->i2c_adap.name, d->desc->name, sizeof(d->i2c_adap.name));
+@@ -27,11 +28,15 @@ int dvb_usb_i2c_init(struct dvb_usb_device *d)
+
+ i2c_set_adapdata(&d->i2c_adap, d);
+
+- if ((ret = i2c_add_adapter(&d->i2c_adap)) < 0)
++ ret = i2c_add_adapter(&d->i2c_adap);
++ if (ret < 0) {
+ err("could not add i2c adapter");
++ goto err;
++ }
+
+ d->state |= DVB_USB_STATE_I2C;
+
++err:
+ return ret;
+ }
+
+diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c
+index f57c4627624f..e7720ff11d3d 100644
+--- a/drivers/media/usb/dvb-usb/dvb-usb-init.c
++++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c
+@@ -194,8 +194,8 @@ static int dvb_usb_init(struct dvb_usb_device *d, short *adapter_nums)
+
+ err_adapter_init:
+ dvb_usb_adapter_exit(d);
+-err_i2c_init:
+ dvb_usb_i2c_exit(d);
++err_i2c_init:
+ if (d->priv && d->props.priv_destroy)
+ d->props.priv_destroy(d);
+ err_priv_init:
+--
+2.30.2
+
--- /dev/null
+From acb1a64abf37a23a8bc22e75d47ef2a7f0f48d06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jun 2021 07:33:27 +0200
+Subject: media: dvb-usb: fix uninit-value in dvb_usb_adapter_dvb_init
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit c5453769f77ce19a5b03f1f49946fd3f8a374009 ]
+
+If dibusb_read_eeprom_byte fails, the mac address is not initialized.
+And nova_t_read_mac_address does not handle this failure, which leads to
+the uninit-value in dvb_usb_adapter_dvb_init.
+
+Fix this by handling the failure of dibusb_read_eeprom_byte.
+
+Reported-by: syzbot+e27b4fd589762b0b9329@syzkaller.appspotmail.com
+Fixes: 786baecfe78f ("[media] dvb-usb: move it to drivers/media/usb/dvb-usb")
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/nova-t-usb2.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb/nova-t-usb2.c b/drivers/media/usb/dvb-usb/nova-t-usb2.c
+index e368935a5089..c16d4f162495 100644
+--- a/drivers/media/usb/dvb-usb/nova-t-usb2.c
++++ b/drivers/media/usb/dvb-usb/nova-t-usb2.c
+@@ -130,7 +130,7 @@ ret:
+
+ static int nova_t_read_mac_address (struct dvb_usb_device *d, u8 mac[6])
+ {
+- int i;
++ int i, ret;
+ u8 b;
+
+ mac[0] = 0x00;
+@@ -139,7 +139,9 @@ static int nova_t_read_mac_address (struct dvb_usb_device *d, u8 mac[6])
+
+ /* this is a complete guess, but works for my box */
+ for (i = 136; i < 139; i++) {
+- dibusb_read_eeprom_byte(d,i, &b);
++ ret = dibusb_read_eeprom_byte(d, i, &b);
++ if (ret)
++ return ret;
+
+ mac[5 - (i - 136)] = b;
+ }
+--
+2.30.2
+
--- /dev/null
+From b8072a27748821bff7909d8c7d6270bb279a095f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jun 2021 07:59:04 +0200
+Subject: media: dvb-usb: fix uninit-value in vp702x_read_mac_addr
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit 797c061ad715a9a1480eb73f44b6939fbe3209ed ]
+
+If vp702x_usb_in_op fails, the mac address is not initialized.
+And vp702x_read_mac_addr does not handle this failure, which leads to
+the uninit-value in dvb_usb_adapter_dvb_init.
+
+Fix this by handling the failure of vp702x_usb_in_op.
+
+Fixes: 786baecfe78f ("[media] dvb-usb: move it to drivers/media/usb/dvb-usb")
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/vp702x.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb/vp702x.c b/drivers/media/usb/dvb-usb/vp702x.c
+index 381b5c898a07..b7ee972455e5 100644
+--- a/drivers/media/usb/dvb-usb/vp702x.c
++++ b/drivers/media/usb/dvb-usb/vp702x.c
+@@ -291,16 +291,22 @@ static int vp702x_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
+ static int vp702x_read_mac_addr(struct dvb_usb_device *d,u8 mac[6])
+ {
+ u8 i, *buf;
++ int ret;
+ struct vp702x_device_state *st = d->priv;
+
+ mutex_lock(&st->buf_mutex);
+ buf = st->buf;
+- for (i = 6; i < 12; i++)
+- vp702x_usb_in_op(d, READ_EEPROM_REQ, i, 1, &buf[i - 6], 1);
++ for (i = 6; i < 12; i++) {
++ ret = vp702x_usb_in_op(d, READ_EEPROM_REQ, i, 1,
++ &buf[i - 6], 1);
++ if (ret < 0)
++ goto err;
++ }
+
+ memcpy(mac, buf, 6);
++err:
+ mutex_unlock(&st->buf_mutex);
+- return 0;
++ return ret;
+ }
+
+ static int vp702x_frontend_attach(struct dvb_usb_adapter *adap)
+--
+2.30.2
+
--- /dev/null
+From 8f3394036d911bc942e982576d0b4ac082a69099 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jul 2021 11:34:09 +0200
+Subject: media: em28xx-input: fix refcount bug in em28xx_usb_disconnect
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit 6fa54bc713c262e1cfbc5613377ef52280d7311f ]
+
+If em28xx_ir_init fails, it would decrease the refcount of dev. However,
+in the em28xx_ir_fini, when ir is NULL, it goes to ref_put and decrease
+the refcount of dev. This will lead to a refcount bug.
+
+Fix this bug by removing the kref_put in the error handling code
+of em28xx_ir_init.
+
+refcount_t: underflow; use-after-free.
+WARNING: CPU: 0 PID: 7 at lib/refcount.c:28 refcount_warn_saturate+0x18e/0x1a0 lib/refcount.c:28
+Modules linked in:
+CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.13.0 #3
+Workqueue: usb_hub_wq hub_event
+RIP: 0010:refcount_warn_saturate+0x18e/0x1a0 lib/refcount.c:28
+Call Trace:
+ kref_put.constprop.0+0x60/0x85 include/linux/kref.h:69
+ em28xx_usb_disconnect.cold+0xd7/0xdc drivers/media/usb/em28xx/em28xx-cards.c:4150
+ usb_unbind_interface+0xbf/0x3a0 drivers/usb/core/driver.c:458
+ __device_release_driver drivers/base/dd.c:1201 [inline]
+ device_release_driver_internal+0x22a/0x230 drivers/base/dd.c:1232
+ bus_remove_device+0x108/0x160 drivers/base/bus.c:529
+ device_del+0x1fe/0x510 drivers/base/core.c:3540
+ usb_disable_device+0xd1/0x1d0 drivers/usb/core/message.c:1419
+ usb_disconnect+0x109/0x330 drivers/usb/core/hub.c:2221
+ hub_port_connect drivers/usb/core/hub.c:5151 [inline]
+ hub_port_connect_change drivers/usb/core/hub.c:5440 [inline]
+ port_event drivers/usb/core/hub.c:5586 [inline]
+ hub_event+0xf81/0x1d40 drivers/usb/core/hub.c:5668
+ process_one_work+0x2c9/0x610 kernel/workqueue.c:2276
+ process_scheduled_works kernel/workqueue.c:2338 [inline]
+ worker_thread+0x333/0x5b0 kernel/workqueue.c:2424
+ kthread+0x188/0x1d0 kernel/kthread.c:319
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
+
+Reported-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Fixes: ac5688637144 ("media: em28xx: Fix possible memory leak of em28xx struct")
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/em28xx/em28xx-input.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/media/usb/em28xx/em28xx-input.c b/drivers/media/usb/em28xx/em28xx-input.c
+index 59529cbf9cd0..0b6d77c3bec8 100644
+--- a/drivers/media/usb/em28xx/em28xx-input.c
++++ b/drivers/media/usb/em28xx/em28xx-input.c
+@@ -842,7 +842,6 @@ error:
+ kfree(ir);
+ ref_put:
+ em28xx_shutdown_buttons(dev);
+- kref_put(&dev->ref, em28xx_free_device);
+ return err;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 2ef678c0c8969b04023b44a438d2108a7d8d5e44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Jun 2021 21:45:42 +0200
+Subject: media: go7007: remove redundant initialization
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit 6f5885a7750545973bf1a942d2f0f129aef0aa06 ]
+
+In go7007_alloc() kzalloc() is used for struct go7007
+allocation. It means that there is no need in zeroing
+any members, because kzalloc will take care of it.
+
+Removing these reduntant initialization steps increases
+execution speed a lot:
+
+ Before:
+ + 86.802 us | go7007_alloc();
+ After:
+ + 29.595 us | go7007_alloc();
+
+Fixes: 866b8695d67e8 ("Staging: add the go7007 video driver")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/go7007/go7007-driver.c | 26 ------------------------
+ 1 file changed, 26 deletions(-)
+
+diff --git a/drivers/media/usb/go7007/go7007-driver.c b/drivers/media/usb/go7007/go7007-driver.c
+index 153a0c3e3da6..b9302d77d6c8 100644
+--- a/drivers/media/usb/go7007/go7007-driver.c
++++ b/drivers/media/usb/go7007/go7007-driver.c
+@@ -691,49 +691,23 @@ struct go7007 *go7007_alloc(const struct go7007_board_info *board,
+ struct device *dev)
+ {
+ struct go7007 *go;
+- int i;
+
+ go = kzalloc(sizeof(struct go7007), GFP_KERNEL);
+ if (go == NULL)
+ return NULL;
+ go->dev = dev;
+ go->board_info = board;
+- go->board_id = 0;
+ go->tuner_type = -1;
+- go->channel_number = 0;
+- go->name[0] = 0;
+ mutex_init(&go->hw_lock);
+ init_waitqueue_head(&go->frame_waitq);
+ spin_lock_init(&go->spinlock);
+ go->status = STATUS_INIT;
+- memset(&go->i2c_adapter, 0, sizeof(go->i2c_adapter));
+- go->i2c_adapter_online = 0;
+- go->interrupt_available = 0;
+ init_waitqueue_head(&go->interrupt_waitq);
+- go->input = 0;
+ go7007_update_board(go);
+- go->encoder_h_halve = 0;
+- go->encoder_v_halve = 0;
+- go->encoder_subsample = 0;
+ go->format = V4L2_PIX_FMT_MJPEG;
+ go->bitrate = 1500000;
+ go->fps_scale = 1;
+- go->pali = 0;
+ go->aspect_ratio = GO7007_RATIO_1_1;
+- go->gop_size = 0;
+- go->ipb = 0;
+- go->closed_gop = 0;
+- go->repeat_seqhead = 0;
+- go->seq_header_enable = 0;
+- go->gop_header_enable = 0;
+- go->dvd_mode = 0;
+- go->interlace_coding = 0;
+- for (i = 0; i < 4; ++i)
+- go->modet[i].enable = 0;
+- for (i = 0; i < 1624; ++i)
+- go->modet_map[i] = 0;
+- go->audio_deliver = NULL;
+- go->audio_enabled = 0;
+
+ return go;
+ }
+--
+2.30.2
+
--- /dev/null
+From f27d8174e91439c93a7a35849f6d4ab16f7227a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 07:13:55 +0200
+Subject: media: TDA1997x: enable EDID support
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Krzysztof Hałasa <khalasa@piap.pl>
+
+[ Upstream commit ea3e1c36e38810427485f06c2becc1f29e54521d ]
+
+Without this patch, the TDA19971 chip's EDID is inactive.
+EDID never worked with this driver, it was all tested with HDMI signal
+sources which don't need EDID support.
+
+Signed-off-by: Krzysztof Halasa <khalasa@piap.pl>
+Fixes: 9ac0038db9a7 ("media: i2c: Add TDA1997x HDMI receiver driver")
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/tda1997x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/i2c/tda1997x.c b/drivers/media/i2c/tda1997x.c
+index e43d8327b810..1088161498df 100644
+--- a/drivers/media/i2c/tda1997x.c
++++ b/drivers/media/i2c/tda1997x.c
+@@ -2233,6 +2233,7 @@ static int tda1997x_core_init(struct v4l2_subdev *sd)
+ /* get initial HDMI status */
+ state->hdmi_status = io_read(sd, REG_HDMI_FLAGS);
+
++ io_write(sd, REG_EDID_ENABLE, EDID_ENABLE_A_EN | EDID_ENABLE_B_EN);
+ return 0;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 8d8a64476f3a0afc89e4807c45d760732f9e79f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Jul 2021 14:30:25 +0200
+Subject: media: venus: venc: Fix potential null pointer dereference on pointer
+ fmt
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 09ea9719a423fc675d40dd05407165e161ea0c48 ]
+
+Currently the call to find_format can potentially return a NULL to
+fmt and the nullpointer is later dereferenced on the assignment of
+pixmp->num_planes = fmt->num_planes. Fix this by adding a NULL pointer
+check and returning NULL for the failure case.
+
+Addresses-Coverity: ("Dereference null return")
+
+Fixes: aaaa93eda64b ("[media] media: venus: venc: add video encoder files")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/qcom/venus/venc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/media/platform/qcom/venus/venc.c b/drivers/media/platform/qcom/venus/venc.c
+index 30028ceb548b..766ca497f856 100644
+--- a/drivers/media/platform/qcom/venus/venc.c
++++ b/drivers/media/platform/qcom/venus/venc.c
+@@ -308,6 +308,8 @@ venc_try_fmt_common(struct venus_inst *inst, struct v4l2_format *f)
+ else
+ return NULL;
+ fmt = find_format(inst, pixmp->pixelformat, f->type);
++ if (!fmt)
++ return NULL;
+ }
+
+ pixmp->width = clamp(pixmp->width, frame_width_min(inst),
+--
+2.30.2
+
--- /dev/null
+From a9629823807a1ead58e5bd01653159bf722f668b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Aug 2021 12:47:52 -0700
+Subject: mm/swap: consider max pages in iomap_swapfile_add_extent
+
+From: Xu Yu <xuyu@linux.alibaba.com>
+
+[ Upstream commit 36ca7943ac18aebf8aad4c50829eb2ea5ec847df ]
+
+When the max pages (last_page in the swap header + 1) is smaller than
+the total pages (inode size) of the swapfile, iomap_swapfile_activate
+overwrites sis->max with total pages.
+
+However, frontswap_map is a swap page state bitmap allocated using the
+initial sis->max page count read from the swap header. If swapfile
+activation increases sis->max, it's possible for the frontswap code to
+walk off the end of the bitmap, thereby corrupting kernel memory.
+
+[djwong: modify the description a bit; the original paragraph reads:
+
+"However, frontswap_map is allocated using max pages. When test and clear
+the sis offset, which is larger than max pages, of frontswap_map in
+__frontswap_invalidate_page(), neighbors of frontswap_map may be
+overwritten, i.e., slab is polluted."
+
+Note also that this bug resulted in a behavioral change: activating a
+swap file that was formatted and later extended results in all pages
+being activated, not the number of pages recorded in the swap header.]
+
+This fixes the issue by considering the limitation of max pages of swap
+info in iomap_swapfile_add_extent().
+
+To reproduce the case, compile kernel with slub RED ZONE, then run test:
+$ sudo stress-ng -a 1 -x softlockup,resources -t 72h --metrics --times \
+ --verify -v -Y /root/tmpdir/stress-ng/stress-statistic-12.yaml \
+ --log-file /root/tmpdir/stress-ng/stress-logfile-12.txt \
+ --temp-path /root/tmpdir/stress-ng/
+
+We'll get the error log as below:
+
+[ 1151.015141] =============================================================================
+[ 1151.016489] BUG kmalloc-16 (Not tainted): Right Redzone overwritten
+[ 1151.017486] -----------------------------------------------------------------------------
+[ 1151.017486]
+[ 1151.018997] Disabling lock debugging due to kernel taint
+[ 1151.019873] INFO: 0x0000000084e43932-0x0000000098d17cae @offset=7392. First byte 0x0 instead of 0xcc
+[ 1151.021303] INFO: Allocated in __do_sys_swapon+0xcf6/0x1170 age=43417 cpu=9 pid=3816
+[ 1151.022538] __slab_alloc+0xe/0x20
+[ 1151.023069] __kmalloc_node+0xfd/0x4b0
+[ 1151.023704] __do_sys_swapon+0xcf6/0x1170
+[ 1151.024346] do_syscall_64+0x33/0x40
+[ 1151.024925] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 1151.025749] INFO: Freed in put_cred_rcu+0xa1/0xc0 age=43424 cpu=3 pid=2041
+[ 1151.026889] kfree+0x276/0x2b0
+[ 1151.027405] put_cred_rcu+0xa1/0xc0
+[ 1151.027949] rcu_do_batch+0x17d/0x410
+[ 1151.028566] rcu_core+0x14e/0x2b0
+[ 1151.029084] __do_softirq+0x101/0x29e
+[ 1151.029645] asm_call_irq_on_stack+0x12/0x20
+[ 1151.030381] do_softirq_own_stack+0x37/0x40
+[ 1151.031037] do_softirq.part.15+0x2b/0x30
+[ 1151.031710] __local_bh_enable_ip+0x4b/0x50
+[ 1151.032412] copy_fpstate_to_sigframe+0x111/0x360
+[ 1151.033197] __setup_rt_frame+0xce/0x480
+[ 1151.033809] arch_do_signal+0x1a3/0x250
+[ 1151.034463] exit_to_user_mode_prepare+0xcf/0x110
+[ 1151.035242] syscall_exit_to_user_mode+0x27/0x190
+[ 1151.035970] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 1151.036795] INFO: Slab 0x000000003b9de4dc objects=44 used=9 fp=0x00000000539e349e flags=0xfffffc0010201
+[ 1151.038323] INFO: Object 0x000000004855ba01 @offset=7376 fp=0x0000000000000000
+[ 1151.038323]
+[ 1151.039683] Redzone 000000008d0afd3d: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
+[ 1151.041180] Object 000000004855ba01: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+[ 1151.042714] Redzone 0000000084e43932: 00 00 00 c0 cc cc cc cc ........
+[ 1151.044120] Padding 000000000864c042: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
+[ 1151.045615] CPU: 5 PID: 3816 Comm: stress-ng Tainted: G B 5.10.50+ #7
+[ 1151.046846] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
+[ 1151.048633] Call Trace:
+[ 1151.049072] dump_stack+0x57/0x6a
+[ 1151.049585] check_bytes_and_report+0xed/0x110
+[ 1151.050320] check_object+0x1eb/0x290
+[ 1151.050924] ? __x64_sys_swapoff+0x39a/0x540
+[ 1151.051646] free_debug_processing+0x151/0x350
+[ 1151.052333] __slab_free+0x21a/0x3a0
+[ 1151.052938] ? _cond_resched+0x2d/0x40
+[ 1151.053529] ? __vunmap+0x1de/0x220
+[ 1151.054139] ? __x64_sys_swapoff+0x39a/0x540
+[ 1151.054796] ? kfree+0x276/0x2b0
+[ 1151.055307] kfree+0x276/0x2b0
+[ 1151.055832] __x64_sys_swapoff+0x39a/0x540
+[ 1151.056466] do_syscall_64+0x33/0x40
+[ 1151.057084] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 1151.057866] RIP: 0033:0x150340b0ffb7
+[ 1151.058481] Code: Unable to access opcode bytes at RIP 0x150340b0ff8d.
+[ 1151.059537] RSP: 002b:00007fff7f4ee238 EFLAGS: 00000246 ORIG_RAX: 00000000000000a8
+[ 1151.060768] RAX: ffffffffffffffda RBX: 00007fff7f4ee66c RCX: 0000150340b0ffb7
+[ 1151.061904] RDX: 000000000000000a RSI: 0000000000018094 RDI: 00007fff7f4ee860
+[ 1151.063033] RBP: 00007fff7f4ef980 R08: 0000000000000000 R09: 0000150340a672bd
+[ 1151.064135] R10: 00007fff7f4edca0 R11: 0000000000000246 R12: 0000000000018094
+[ 1151.065253] R13: 0000000000000005 R14: 000000000160d930 R15: 00007fff7f4ee66c
+[ 1151.066413] FIX kmalloc-16: Restoring 0x0000000084e43932-0x0000000098d17cae=0xcc
+[ 1151.066413]
+[ 1151.067890] FIX kmalloc-16: Object at 0x000000004855ba01 not freed
+
+Fixes: 67482129cdab ("iomap: add a swapfile activation function")
+Fixes: a45c0eccc564 ("iomap: move the swapfile code into a separate file")
+Signed-off-by: Gang Deng <gavin.dg@linux.alibaba.com>
+Signed-off-by: Xu Yu <xuyu@linux.alibaba.com>
+Reviewed-by: Darrick J. Wong <djwong@kernel.org>
+Signed-off-by: Darrick J. Wong <djwong@kernel.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/iomap/swapfile.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/iomap/swapfile.c b/fs/iomap/swapfile.c
+index bd0cc3dcc980..2d18246f6726 100644
+--- a/fs/iomap/swapfile.c
++++ b/fs/iomap/swapfile.c
+@@ -30,11 +30,16 @@ static int iomap_swapfile_add_extent(struct iomap_swapfile_info *isi)
+ {
+ struct iomap *iomap = &isi->iomap;
+ unsigned long nr_pages;
++ unsigned long max_pages;
+ uint64_t first_ppage;
+ uint64_t first_ppage_reported;
+ uint64_t next_ppage;
+ int error;
+
++ if (unlikely(isi->nr_pages >= isi->sis->max))
++ return 0;
++ max_pages = isi->sis->max - isi->nr_pages;
++
+ /*
+ * Round the start up and the end down so that the physical
+ * extent aligns to a page boundary.
+@@ -47,6 +52,7 @@ static int iomap_swapfile_add_extent(struct iomap_swapfile_info *isi)
+ if (first_ppage >= next_ppage)
+ return 0;
+ nr_pages = next_ppage - first_ppage;
++ nr_pages = min(nr_pages, max_pages);
+
+ /*
+ * Calculate how much swap space we're adding; the first page contains
+--
+2.30.2
+
--- /dev/null
+From bfcc77852aad2360ebe9922b7edb9da701e06c40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 11:16:43 +0300
+Subject: mmc: dw_mmc: Fix issue with uninitialized dma_slave_config
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit c3ff0189d3bc9c03845fe37472c140f0fefd0c79 ]
+
+Depending on the DMA driver being used, the struct dma_slave_config may
+need to be initialized to zero for the unused data.
+
+For example, we have three DMA drivers using src_port_window_size and
+dst_port_window_size. If these are left uninitialized, it can cause DMA
+failures.
+
+For dw_mmc, this is probably not currently an issue but is still good to
+fix though.
+
+Fixes: 3fc7eaef44db ("mmc: dw_mmc: Add external dma interface support")
+Cc: Shawn Lin <shawn.lin@rock-chips.com>
+Cc: Jaehoon Chung <jh80.chung@samsung.com>
+Cc: Peter Ujfalusi <peter.ujfalusi@gmail.com>
+Cc: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Link: https://lore.kernel.org/r/20210810081644.19353-2-tony@atomide.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/dw_mmc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/mmc/host/dw_mmc.c b/drivers/mmc/host/dw_mmc.c
+index 6ace82028667..7b280cb36327 100644
+--- a/drivers/mmc/host/dw_mmc.c
++++ b/drivers/mmc/host/dw_mmc.c
+@@ -782,6 +782,7 @@ static int dw_mci_edmac_start_dma(struct dw_mci *host,
+ int ret = 0;
+
+ /* Set external dma config: burst size, burst width */
++ memset(&cfg, 0, sizeof(cfg));
+ cfg.dst_addr = host->phy_regs + fifo_offset;
+ cfg.src_addr = cfg.dst_addr;
+ cfg.dst_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES;
+--
+2.30.2
+
--- /dev/null
+From 2ed3844c7fe9343686404d7b0a36f0b932aa52fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 11:16:44 +0300
+Subject: mmc: moxart: Fix issue with uninitialized dma_slave_config
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit ee5165354d498e5bceb0b386e480ac84c5f8c28c ]
+
+Depending on the DMA driver being used, the struct dma_slave_config may
+need to be initialized to zero for the unused data.
+
+For example, we have three DMA drivers using src_port_window_size and
+dst_port_window_size. If these are left uninitialized, it can cause DMA
+failures.
+
+For moxart, this is probably not currently an issue but is still good to
+fix though.
+
+Fixes: 1b66e94e6b99 ("mmc: moxart: Add MOXA ART SD/MMC driver")
+Cc: Jonas Jensen <jonas.jensen@gmail.com>
+Cc: Vinod Koul <vkoul@kernel.org>
+Cc: Peter Ujfalusi <peter.ujfalusi@gmail.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Link: https://lore.kernel.org/r/20210810081644.19353-3-tony@atomide.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/moxart-mmc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/mmc/host/moxart-mmc.c b/drivers/mmc/host/moxart-mmc.c
+index a0670e9cd012..5553a5643f40 100644
+--- a/drivers/mmc/host/moxart-mmc.c
++++ b/drivers/mmc/host/moxart-mmc.c
+@@ -631,6 +631,7 @@ static int moxart_probe(struct platform_device *pdev)
+ host->dma_chan_tx, host->dma_chan_rx);
+ host->have_dma = true;
+
++ memset(&cfg, 0, sizeof(cfg));
+ cfg.src_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES;
+ cfg.dst_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES;
+
+--
+2.30.2
+
--- /dev/null
+From 1b60d5df7846b23937ebb95ad0e91c15d8d42b30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jul 2021 19:35:30 +0300
+Subject: net: cipso: fix warnings in netlbl_cipsov4_add_std
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit 8ca34a13f7f9b3fa2c464160ffe8cc1a72088204 ]
+
+Syzbot reported warning in netlbl_cipsov4_add(). The
+problem was in too big doi_def->map.std->lvl.local_size
+passed to kcalloc(). Since this value comes from userpace there is
+no need to warn if value is not correct.
+
+The same problem may occur with other kcalloc() calls in
+this function, so, I've added __GFP_NOWARN flag to all
+kcalloc() calls there.
+
+Reported-and-tested-by: syzbot+cdd51ee2e6b0b2e18c0d@syzkaller.appspotmail.com
+Fixes: 96cb8e3313c7 ("[NetLabel]: CIPSOv4 and Unlabeled packet integration")
+Acked-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netlabel/netlabel_cipso_v4.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c
+index 4cb43a2c07d1..8cd3daf0e3db 100644
+--- a/net/netlabel/netlabel_cipso_v4.c
++++ b/net/netlabel/netlabel_cipso_v4.c
+@@ -187,14 +187,14 @@ static int netlbl_cipsov4_add_std(struct genl_info *info,
+ }
+ doi_def->map.std->lvl.local = kcalloc(doi_def->map.std->lvl.local_size,
+ sizeof(u32),
+- GFP_KERNEL);
++ GFP_KERNEL | __GFP_NOWARN);
+ if (doi_def->map.std->lvl.local == NULL) {
+ ret_val = -ENOMEM;
+ goto add_std_failure;
+ }
+ doi_def->map.std->lvl.cipso = kcalloc(doi_def->map.std->lvl.cipso_size,
+ sizeof(u32),
+- GFP_KERNEL);
++ GFP_KERNEL | __GFP_NOWARN);
+ if (doi_def->map.std->lvl.cipso == NULL) {
+ ret_val = -ENOMEM;
+ goto add_std_failure;
+@@ -263,7 +263,7 @@ static int netlbl_cipsov4_add_std(struct genl_info *info,
+ doi_def->map.std->cat.local = kcalloc(
+ doi_def->map.std->cat.local_size,
+ sizeof(u32),
+- GFP_KERNEL);
++ GFP_KERNEL | __GFP_NOWARN);
+ if (doi_def->map.std->cat.local == NULL) {
+ ret_val = -ENOMEM;
+ goto add_std_failure;
+@@ -271,7 +271,7 @@ static int netlbl_cipsov4_add_std(struct genl_info *info,
+ doi_def->map.std->cat.cipso = kcalloc(
+ doi_def->map.std->cat.cipso_size,
+ sizeof(u32),
+- GFP_KERNEL);
++ GFP_KERNEL | __GFP_NOWARN);
+ if (doi_def->map.std->cat.cipso == NULL) {
+ ret_val = -ENOMEM;
+ goto add_std_failure;
+--
+2.30.2
+
--- /dev/null
+From 1139168ef5d2212f399cdfea8b932dd0b694825d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Apr 2021 17:20:04 +0300
+Subject: net/mlx5e: Prohibit inner indir TIRs in IPoIB
+
+From: Maxim Mikityanskiy <maximmi@nvidia.com>
+
+[ Upstream commit 9c43f3865c2a03be104f1c1d5e9129c2a2bdba88 ]
+
+TIR's rx_hash_field_selector_inner can be enabled only when
+tunneled_offload_en = 1. tunneled_offload_en is filled according to the
+tunneled_offload_en field in struct mlx5e_params, which is false in the
+IPoIB profile. On the other hand, the IPoIB profile passes inner_ttc =
+true to mlx5e_create_indirect_tirs, which potentially allows the latter
+function to attempt to create inner indirect TIRs without having
+tunneled_offload_en set.
+
+This commit prohibits this behavior by passing inner_ttc = false to
+mlx5e_create_indirect_tirs. The latter function won't attempt to create
+inner indirect TIRs.
+
+As inner indirect TIRs are not created in the IPoIB profile (this commit
+blocks it explicitly, and even before they would have failed to be
+created), the call to mlx5e_create_inner_ttc_table in
+mlx5i_create_flow_steering is a no-op and can be removed.
+
+Fixes: 46dc933cee82 ("net/mlx5e: Provide explicit directive if to create inner indirect tirs")
+Fixes: 458821c72bd0 ("net/mlx5e: IPoIB, Add inner TTC table to IPoIB flow steering")
+Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/en/fs.h | 6 ------
+ .../net/ethernet/mellanox/mlx5/core/en_fs.c | 10 +++++-----
+ .../ethernet/mellanox/mlx5/core/ipoib/ipoib.c | 18 ++----------------
+ 3 files changed, 7 insertions(+), 27 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/fs.h b/drivers/net/ethernet/mellanox/mlx5/core/en/fs.h
+index d48292ccda29..9239d767443f 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/fs.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/fs.h
+@@ -234,18 +234,12 @@ struct ttc_params {
+
+ void mlx5e_set_ttc_basic_params(struct mlx5e_priv *priv, struct ttc_params *ttc_params);
+ void mlx5e_set_ttc_ft_params(struct ttc_params *ttc_params);
+-void mlx5e_set_inner_ttc_ft_params(struct ttc_params *ttc_params);
+
+ int mlx5e_create_ttc_table(struct mlx5e_priv *priv, struct ttc_params *params,
+ struct mlx5e_ttc_table *ttc);
+ void mlx5e_destroy_ttc_table(struct mlx5e_priv *priv,
+ struct mlx5e_ttc_table *ttc);
+
+-int mlx5e_create_inner_ttc_table(struct mlx5e_priv *priv, struct ttc_params *params,
+- struct mlx5e_ttc_table *ttc);
+-void mlx5e_destroy_inner_ttc_table(struct mlx5e_priv *priv,
+- struct mlx5e_ttc_table *ttc);
+-
+ void mlx5e_destroy_flow_table(struct mlx5e_flow_table *ft);
+
+ void mlx5e_enable_cvlan_filter(struct mlx5e_priv *priv);
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
+index c4ac7a9968d1..c3b9278486a1 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
+@@ -1123,7 +1123,7 @@ void mlx5e_set_ttc_basic_params(struct mlx5e_priv *priv,
+ ttc_params->inner_ttc = &priv->fs.inner_ttc;
+ }
+
+-void mlx5e_set_inner_ttc_ft_params(struct ttc_params *ttc_params)
++static void mlx5e_set_inner_ttc_ft_params(struct ttc_params *ttc_params)
+ {
+ struct mlx5_flow_table_attr *ft_attr = &ttc_params->ft_attr;
+
+@@ -1142,8 +1142,8 @@ void mlx5e_set_ttc_ft_params(struct ttc_params *ttc_params)
+ ft_attr->prio = MLX5E_NIC_PRIO;
+ }
+
+-int mlx5e_create_inner_ttc_table(struct mlx5e_priv *priv, struct ttc_params *params,
+- struct mlx5e_ttc_table *ttc)
++static int mlx5e_create_inner_ttc_table(struct mlx5e_priv *priv, struct ttc_params *params,
++ struct mlx5e_ttc_table *ttc)
+ {
+ struct mlx5e_flow_table *ft = &ttc->ft;
+ int err;
+@@ -1173,8 +1173,8 @@ err:
+ return err;
+ }
+
+-void mlx5e_destroy_inner_ttc_table(struct mlx5e_priv *priv,
+- struct mlx5e_ttc_table *ttc)
++static void mlx5e_destroy_inner_ttc_table(struct mlx5e_priv *priv,
++ struct mlx5e_ttc_table *ttc)
+ {
+ if (!mlx5e_tunnel_inner_ft_supported(priv->mdev))
+ return;
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c b/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c
+index 0fed2419623d..1f3d12faa2a5 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c
+@@ -319,17 +319,6 @@ static int mlx5i_create_flow_steering(struct mlx5e_priv *priv)
+ }
+
+ mlx5e_set_ttc_basic_params(priv, &ttc_params);
+- mlx5e_set_inner_ttc_ft_params(&ttc_params);
+- for (tt = 0; tt < MLX5E_NUM_INDIR_TIRS; tt++)
+- ttc_params.indir_tirn[tt] = priv->inner_indir_tir[tt].tirn;
+-
+- err = mlx5e_create_inner_ttc_table(priv, &ttc_params, &priv->fs.inner_ttc);
+- if (err) {
+- netdev_err(priv->netdev, "Failed to create inner ttc table, err=%d\n",
+- err);
+- goto err_destroy_arfs_tables;
+- }
+-
+ mlx5e_set_ttc_ft_params(&ttc_params);
+ for (tt = 0; tt < MLX5E_NUM_INDIR_TIRS; tt++)
+ ttc_params.indir_tirn[tt] = priv->indir_tir[tt].tirn;
+@@ -338,13 +327,11 @@ static int mlx5i_create_flow_steering(struct mlx5e_priv *priv)
+ if (err) {
+ netdev_err(priv->netdev, "Failed to create ttc table, err=%d\n",
+ err);
+- goto err_destroy_inner_ttc_table;
++ goto err_destroy_arfs_tables;
+ }
+
+ return 0;
+
+-err_destroy_inner_ttc_table:
+- mlx5e_destroy_inner_ttc_table(priv, &priv->fs.inner_ttc);
+ err_destroy_arfs_tables:
+ mlx5e_arfs_destroy_tables(priv);
+
+@@ -354,7 +341,6 @@ err_destroy_arfs_tables:
+ static void mlx5i_destroy_flow_steering(struct mlx5e_priv *priv)
+ {
+ mlx5e_destroy_ttc_table(priv, &priv->fs.ttc);
+- mlx5e_destroy_inner_ttc_table(priv, &priv->fs.inner_ttc);
+ mlx5e_arfs_destroy_tables(priv);
+ }
+
+@@ -379,7 +365,7 @@ static int mlx5i_init_rx(struct mlx5e_priv *priv)
+ if (err)
+ goto err_destroy_indirect_rqts;
+
+- err = mlx5e_create_indirect_tirs(priv, true);
++ err = mlx5e_create_indirect_tirs(priv, false);
+ if (err)
+ goto err_destroy_direct_rqts;
+
+--
+2.30.2
+
--- /dev/null
+From 67b4aaa50462f624762ea890a422a5dc0559acce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Aug 2021 16:23:15 +0200
+Subject: net: qualcomm: fix QCA7000 checksum handling
+
+From: Stefan Wahren <stefan.wahren@i2se.com>
+
+[ Upstream commit 429205da6c834447a57279af128bdd56ccd5225e ]
+
+Based on tests the QCA7000 doesn't support checksum offloading. So assume
+ip_summed is CHECKSUM_NONE and let the kernel take care of the checksum
+handling. This fixes data transfer issues in noisy environments.
+
+Reported-by: Michael Heimpold <michael.heimpold@in-tech.com>
+Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000")
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qualcomm/qca_spi.c | 2 +-
+ drivers/net/ethernet/qualcomm/qca_uart.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c
+index baac016f3ec0..15591ad5fe4e 100644
+--- a/drivers/net/ethernet/qualcomm/qca_spi.c
++++ b/drivers/net/ethernet/qualcomm/qca_spi.c
+@@ -434,7 +434,7 @@ qcaspi_receive(struct qcaspi *qca)
+ skb_put(qca->rx_skb, retcode);
+ qca->rx_skb->protocol = eth_type_trans(
+ qca->rx_skb, qca->rx_skb->dev);
+- qca->rx_skb->ip_summed = CHECKSUM_UNNECESSARY;
++ skb_checksum_none_assert(qca->rx_skb);
+ netif_rx_ni(qca->rx_skb);
+ qca->rx_skb = netdev_alloc_skb_ip_align(net_dev,
+ net_dev->mtu + VLAN_ETH_HLEN);
+diff --git a/drivers/net/ethernet/qualcomm/qca_uart.c b/drivers/net/ethernet/qualcomm/qca_uart.c
+index 0981068504fa..ade70f5df496 100644
+--- a/drivers/net/ethernet/qualcomm/qca_uart.c
++++ b/drivers/net/ethernet/qualcomm/qca_uart.c
+@@ -107,7 +107,7 @@ qca_tty_receive(struct serdev_device *serdev, const unsigned char *data,
+ skb_put(qca->rx_skb, retcode);
+ qca->rx_skb->protocol = eth_type_trans(
+ qca->rx_skb, qca->rx_skb->dev);
+- qca->rx_skb->ip_summed = CHECKSUM_UNNECESSARY;
++ skb_checksum_none_assert(qca->rx_skb);
+ netif_rx_ni(qca->rx_skb);
+ qca->rx_skb = netdev_alloc_skb_ip_align(netdev,
+ netdev->mtu +
+--
+2.30.2
+
--- /dev/null
+From 53266e67b2075adccf579b640bab7a43e1bc0a47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Aug 2021 23:58:01 +0800
+Subject: net: sched: Fix qdisc_rate_table refcount leak when get tcf_block
+ failed
+
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+
+[ Upstream commit c66070125837900163b81a03063ddd657a7e9bfb ]
+
+The reference counting issue happens in one exception handling path of
+cbq_change_class(). When failing to get tcf_block, the function forgets
+to decrease the refcount of "rtab" increased by qdisc_put_rtab(),
+causing a refcount leak.
+
+Fix this issue by jumping to "failure" label when get tcf_block failed.
+
+Fixes: 6529eaba33f0 ("net: sched: introduce tcf block infractructure")
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Reviewed-by: Cong Wang <cong.wang@bytedance.com>
+Link: https://lore.kernel.org/r/1630252681-71588-1-git-send-email-xiyuyang19@fudan.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_cbq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sched/sch_cbq.c b/net/sched/sch_cbq.c
+index 39b427dc7512..e5972889cd81 100644
+--- a/net/sched/sch_cbq.c
++++ b/net/sched/sch_cbq.c
+@@ -1614,7 +1614,7 @@ cbq_change_class(struct Qdisc *sch, u32 classid, u32 parentid, struct nlattr **t
+ err = tcf_block_get(&cl->block, &cl->filter_list, sch, extack);
+ if (err) {
+ kfree(cl);
+- return err;
++ goto failure;
+ }
+
+ if (tca[TCA_RATE]) {
+--
+2.30.2
+
--- /dev/null
+From d28be31fdf24c43e55bf91a7cb1a5f56403cc388 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Aug 2021 16:41:43 -0400
+Subject: nfsd4: Fix forced-expiry locking
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+[ Upstream commit f7104cc1a9159cd0d3e8526cb638ae0301de4b61 ]
+
+This should use the network-namespace-wide client_lock, not the
+per-client cl_lock.
+
+You shouldn't see any bugs unless you're actually using the
+forced-expiry interface introduced by 89c905beccbb.
+
+Fixes: 89c905beccbb "nfsd: allow forced expiration of NFSv4 clients"
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4state.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
+index 8cb2f744dde6..3283cc2a4e42 100644
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -2572,9 +2572,9 @@ static void force_expire_client(struct nfs4_client *clp)
+ struct nfsd_net *nn = net_generic(clp->net, nfsd_net_id);
+ bool already_expired;
+
+- spin_lock(&clp->cl_lock);
++ spin_lock(&nn->client_lock);
+ clp->cl_time = 0;
+- spin_unlock(&clp->cl_lock);
++ spin_unlock(&nn->client_lock);
+
+ wait_event(expiry_wq, atomic_read(&clp->cl_rpc_users) == 0);
+ spin_lock(&nn->client_lock);
+--
+2.30.2
+
--- /dev/null
+From e98d5b9a20ffb63c61d6ae32f63d6b3938c07b68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Jul 2021 17:41:20 +0800
+Subject: nvme-rdma: don't update queue count when failing to set io queues
+
+From: Ruozhu Li <liruozhu@huawei.com>
+
+[ Upstream commit 85032874f80ba17bf187de1d14d9603bf3f582b8 ]
+
+We update ctrl->queue_count and schedule another reconnect when io queue
+count is zero.But we will never try to create any io queue in next reco-
+nnection, because ctrl->queue_count already set to zero.We will end up
+having an admin-only session in Live state, which is exactly what we try
+to avoid in the original patch.
+Update ctrl->queue_count after queue_count zero checking to fix it.
+
+Signed-off-by: Ruozhu Li <liruozhu@huawei.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/rdma.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c
+index b8c0f75bfb7b..dcc3d2393605 100644
+--- a/drivers/nvme/host/rdma.c
++++ b/drivers/nvme/host/rdma.c
+@@ -665,13 +665,13 @@ static int nvme_rdma_alloc_io_queues(struct nvme_rdma_ctrl *ctrl)
+ if (ret)
+ return ret;
+
+- ctrl->ctrl.queue_count = nr_io_queues + 1;
+- if (ctrl->ctrl.queue_count < 2) {
++ if (nr_io_queues == 0) {
+ dev_err(ctrl->ctrl.device,
+ "unable to set any I/O queues\n");
+ return -ENOMEM;
+ }
+
++ ctrl->ctrl.queue_count = nr_io_queues + 1;
+ dev_info(ctrl->ctrl.device,
+ "creating %d I/O queues.\n", nr_io_queues);
+
+--
+2.30.2
+
--- /dev/null
+From 3c288683fe838af1da94af80267634796a32469c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Aug 2021 11:50:23 +0800
+Subject: nvme-tcp: don't update queue count when failing to set io queues
+
+From: Ruozhu Li <liruozhu@huawei.com>
+
+[ Upstream commit 664227fde63844d69e9ec9e90a8a7801e6ff072d ]
+
+We update ctrl->queue_count and schedule another reconnect when io queue
+count is zero.But we will never try to create any io queue in next reco-
+nnection, because ctrl->queue_count already set to zero.We will end up
+having an admin-only session in Live state, which is exactly what we try
+to avoid in the original patch.
+Update ctrl->queue_count after queue_count zero checking to fix it.
+
+Signed-off-by: Ruozhu Li <liruozhu@huawei.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/tcp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
+index 718152adc625..f6427a10a990 100644
+--- a/drivers/nvme/host/tcp.c
++++ b/drivers/nvme/host/tcp.c
+@@ -1649,13 +1649,13 @@ static int nvme_tcp_alloc_io_queues(struct nvme_ctrl *ctrl)
+ if (ret)
+ return ret;
+
+- ctrl->queue_count = nr_io_queues + 1;
+- if (ctrl->queue_count < 2) {
++ if (nr_io_queues == 0) {
+ dev_err(ctrl->device,
+ "unable to set any I/O queues\n");
+ return -ENOMEM;
+ }
+
++ ctrl->queue_count = nr_io_queues + 1;
+ dev_info(ctrl->device,
+ "creating %d I/O queues.\n", nr_io_queues);
+
+--
+2.30.2
+
--- /dev/null
+From e37b96d2e3bea7a95392a0e54e4c38b2a5c92068 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Aug 2021 09:20:14 +0300
+Subject: nvmet: pass back cntlid on successful completion
+
+From: Amit Engel <amit.engel@dell.com>
+
+[ Upstream commit e804d5abe2d74cfe23f5f83be580d1cdc9307111 ]
+
+According to the NVMe specification, the response dword 0 value of the
+Connect command is based on status code: return cntlid for successful
+compeltion return IPO and IATTR for connect invalid parameters. Fix
+a missing error information for a zero sized queue, and return the
+cntlid also for I/O queue Connect commands.
+
+Signed-off-by: Amit Engel <amit.engel@dell.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/fabrics-cmd.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/nvme/target/fabrics-cmd.c b/drivers/nvme/target/fabrics-cmd.c
+index 4e9004fe5c6f..5e47395afc1d 100644
+--- a/drivers/nvme/target/fabrics-cmd.c
++++ b/drivers/nvme/target/fabrics-cmd.c
+@@ -116,6 +116,7 @@ static u16 nvmet_install_queue(struct nvmet_ctrl *ctrl, struct nvmet_req *req)
+ if (!sqsize) {
+ pr_warn("queue size zero!\n");
+ req->error_loc = offsetof(struct nvmf_connect_command, sqsize);
++ req->cqe->result.u32 = IPO_IATTR_CONNECT_SQE(sqsize);
+ ret = NVME_SC_CONNECT_INVALID_PARAM | NVME_SC_DNR;
+ goto err;
+ }
+@@ -250,11 +251,11 @@ static void nvmet_execute_io_connect(struct nvmet_req *req)
+ }
+
+ status = nvmet_install_queue(ctrl, req);
+- if (status) {
+- /* pass back cntlid that had the issue of installing queue */
+- req->cqe->result.u16 = cpu_to_le16(ctrl->cntlid);
++ if (status)
+ goto out_ctrl_put;
+- }
++
++ /* pass back cntlid for successful completion */
++ req->cqe->result.u16 = cpu_to_le16(ctrl->cntlid);
+
+ pr_debug("adding queue %d to ctrl %d.\n", qid, ctrl->cntlid);
+
+--
+2.30.2
+
--- /dev/null
+From 4e0b2e4414d228c042cdd432a90898f24925f38a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Aug 2021 23:30:43 +0530
+Subject: octeontx2-af: Fix loop in free and unmap counter
+
+From: Subbaraya Sundeep <sbhatta@marvell.com>
+
+[ Upstream commit 6537e96d743b89294b397b4865c6c061abae31b0 ]
+
+When the given counter does not belong to the entry
+then code ends up in infinite loop because the loop
+cursor, entry is not getting updated further. This
+patch fixes that by updating entry for every iteration.
+
+Fixes: a958dd59f9ce ("octeontx2-af: Map or unmap NPC MCAM entry and counter")
+Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
+Signed-off-by: Sunil Goutham <sgoutham@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
+index d82a519a0cd9..f9f246c82c97 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
+@@ -2013,10 +2013,11 @@ int rvu_mbox_handler_npc_mcam_unmap_counter(struct rvu *rvu,
+ index = find_next_bit(mcam->bmap, mcam->bmap_entries, entry);
+ if (index >= mcam->bmap_entries)
+ break;
++ entry = index + 1;
++
+ if (mcam->entry2cntr_map[index] != req->cntr)
+ continue;
+
+- entry = index + 1;
+ npc_unmap_mcam_entry_and_cntr(rvu, mcam, blkaddr,
+ index, req->cntr);
+ }
+--
+2.30.2
+
--- /dev/null
+From d993acad36395acc313f74bef426bac59efb9fbd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jul 2021 17:54:28 +0200
+Subject: PCI: PM: Avoid forcing PCI_D0 for wakeup reasons inconsistently
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit da9f2150684ea684a7ddd6d7f0e38b2bdf43dcd8 ]
+
+It is inconsistent to return PCI_D0 from pci_target_state() instead
+of the original target state if 'wakeup' is true and the device
+cannot signal PME from D0.
+
+This only happens when the device cannot signal PME from the original
+target state and any shallower power states (including D0) and that
+case is effectively equivalent to the one in which PME singaling is
+not supported at all. Since the original target state is returned in
+the latter case, make the function do that in the former one too.
+
+Link: https://lore.kernel.org/linux-pm/3149540.aeNJFYEL58@kreacher/
+Fixes: 666ff6f83e1d ("PCI/PM: Avoid using device_may_wakeup() for runtime PM")
+Reported-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reported-by: Utkarsh H Patel <utkarsh.h.patel@intel.com>
+Reported-by: Koba Ko <koba.ko@canonical.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Tested-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index 3c3bc9f58498..9c4ac6face3b 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -2357,16 +2357,20 @@ static pci_power_t pci_target_state(struct pci_dev *dev, bool wakeup)
+ if (dev->current_state == PCI_D3cold)
+ target_state = PCI_D3cold;
+
+- if (wakeup) {
++ if (wakeup && dev->pme_support) {
++ pci_power_t state = target_state;
++
+ /*
+ * Find the deepest state from which the device can generate
+ * PME#.
+ */
+- if (dev->pme_support) {
+- while (target_state
+- && !(dev->pme_support & (1 << target_state)))
+- target_state--;
+- }
++ while (state && !(dev->pme_support & (1 << state)))
++ state--;
++
++ if (state)
++ return state;
++ else if (dev->pme_support & 1)
++ return PCI_D0;
+ }
+
+ return target_state;
+--
+2.30.2
+
--- /dev/null
+From 6ad0a517a683265ae3ef434f1f8e4ca17480ef90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jul 2021 16:49:10 +0200
+Subject: PCI: PM: Enable PME if it can be signaled from D3cold
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 0e00392a895c95c6d12d42158236c8862a2f43f2 ]
+
+PME signaling is only enabled by __pci_enable_wake() if the target
+device can signal PME from the given target power state (to avoid
+pointless reconfiguration of the device), but if the hierarchy above
+the device goes into D3cold, the device itself will end up in D3cold
+too, so if it can signal PME from D3cold, it should be enabled to
+do so in __pci_enable_wake().
+
+[Note that if the device does not end up in D3cold and it cannot
+ signal PME from the original target power state, it will not signal
+ PME, so in that case the behavior does not change.]
+
+Link: https://lore.kernel.org/linux-pm/3149540.aeNJFYEL58@kreacher/
+Fixes: 5bcc2fb4e815 ("PCI PM: Simplify PCI wake-up code")
+Reported-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reported-by: Utkarsh H Patel <utkarsh.h.patel@intel.com>
+Reported-by: Koba Ko <koba.ko@canonical.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Tested-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index 9c4ac6face3b..58c33b65d451 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -2253,7 +2253,14 @@ static int __pci_enable_wake(struct pci_dev *dev, pci_power_t state, bool enable
+ if (enable) {
+ int error;
+
+- if (pci_pme_capable(dev, state))
++ /*
++ * Enable PME signaling if the device can signal PME from
++ * D3cold regardless of whether or not it can signal PME from
++ * the current target state, because that will allow it to
++ * signal PME when the hierarchy above it goes into D3cold and
++ * the device itself ends up in D3cold as a result of that.
++ */
++ if (pci_pme_capable(dev, state) || pci_pme_capable(dev, PCI_D3cold))
+ pci_pme_active(dev, true);
+ else
+ ret = 1;
+--
+2.30.2
+
--- /dev/null
+From cf5e64229796f7e4e95e099222940d7adb20f4ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Aug 2021 11:27:43 +0100
+Subject: PM: EM: Increase energy calculation precision
+
+From: Lukasz Luba <lukasz.luba@arm.com>
+
+[ Upstream commit 7fcc17d0cb12938d2b3507973a6f93fc9ed2c7a1 ]
+
+The Energy Model (EM) provides useful information about device power in
+each performance state to other subsystems like: Energy Aware Scheduler
+(EAS). The energy calculation in EAS does arithmetic operation based on
+the EM em_cpu_energy(). Current implementation of that function uses
+em_perf_state::cost as a pre-computed cost coefficient equal to:
+cost = power * max_frequency / frequency.
+The 'power' is expressed in milli-Watts (or in abstract scale).
+
+There are corner cases when the EAS energy calculation for two Performance
+Domains (PDs) return the same value. The EAS compares these values to
+choose smaller one. It might happen that this values are equal due to
+rounding error. In such scenario, we need better resolution, e.g. 1000
+times better. To provide this possibility increase the resolution in the
+em_perf_state::cost for 64-bit architectures. The cost of increasing
+resolution on 32-bit is pretty high (64-bit division) and is not justified
+since there are no new 32bit big.LITTLE EAS systems expected which would
+benefit from this higher resolution.
+
+This patch allows to avoid the rounding to milli-Watt errors, which might
+occur in EAS energy estimation for each PD. The rounding error is common
+for small tasks which have small utilization value.
+
+There are two places in the code where it makes a difference:
+1. In the find_energy_efficient_cpu() where we are searching for
+best_delta. We might suffer there when two PDs return the same result,
+like in the example below.
+
+Scenario:
+Low utilized system e.g. ~200 sum_util for PD0 and ~220 for PD1. There
+are quite a few small tasks ~10-15 util. These tasks would suffer for
+the rounding error. These utilization values are typical when running games
+on Android. One of our partners has reported 5..10mA less battery drain
+when running with increased resolution.
+
+Some details:
+We have two PDs: PD0 (big) and PD1 (little)
+Let's compare w/o patch set ('old') and w/ patch set ('new')
+We are comparing energy w/ task and w/o task placed in the PDs
+
+a) 'old' w/o patch set, PD0
+task_util = 13
+cost = 480
+sum_util_w/o_task = 215
+sum_util_w_task = 228
+scale_cpu = 1024
+energy_w/o_task = 480 * 215 / 1024 = 100.78 => 100
+energy_w_task = 480 * 228 / 1024 = 106.87 => 106
+energy_diff = 106 - 100 = 6
+(this is equal to 'old' PD1's energy_diff in 'c)')
+
+b) 'new' w/ patch set, PD0
+task_util = 13
+cost = 480 * 1000 = 480000
+sum_util_w/o_task = 215
+sum_util_w_task = 228
+energy_w/o_task = 480000 * 215 / 1024 = 100781
+energy_w_task = 480000 * 228 / 1024 = 106875
+energy_diff = 106875 - 100781 = 6094
+(this is not equal to 'new' PD1's energy_diff in 'd)')
+
+c) 'old' w/o patch set, PD1
+task_util = 13
+cost = 160
+sum_util_w/o_task = 283
+sum_util_w_task = 293
+scale_cpu = 355
+energy_w/o_task = 160 * 283 / 355 = 127.55 => 127
+energy_w_task = 160 * 296 / 355 = 133.41 => 133
+energy_diff = 133 - 127 = 6
+(this is equal to 'old' PD0's energy_diff in 'a)')
+
+d) 'new' w/ patch set, PD1
+task_util = 13
+cost = 160 * 1000 = 160000
+sum_util_w/o_task = 283
+sum_util_w_task = 293
+scale_cpu = 355
+energy_w/o_task = 160000 * 283 / 355 = 127549
+energy_w_task = 160000 * 296 / 355 = 133408
+energy_diff = 133408 - 127549 = 5859
+(this is not equal to 'new' PD0's energy_diff in 'b)')
+
+2. Difference in the 6% energy margin filter at the end of
+find_energy_efficient_cpu(). With this patch the margin comparison also
+has better resolution, so it's possible to have better task placement
+thanks to that.
+
+Fixes: 27871f7a8a341ef ("PM: Introduce an Energy Model management framework")
+Reported-by: CCJ Yeh <CCj.Yeh@mediatek.com>
+Reviewed-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
+Signed-off-by: Lukasz Luba <lukasz.luba@arm.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/energy_model.h | 16 ++++++++++++++++
+ kernel/power/energy_model.c | 4 +++-
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/energy_model.h b/include/linux/energy_model.h
+index 73f8c3cb9588..9ee6ccc18424 100644
+--- a/include/linux/energy_model.h
++++ b/include/linux/energy_model.h
+@@ -42,6 +42,22 @@ struct em_perf_domain {
+
+ #define EM_CPU_MAX_POWER 0xFFFF
+
++/*
++ * Increase resolution of energy estimation calculations for 64-bit
++ * architectures. The extra resolution improves decision made by EAS for the
++ * task placement when two Performance Domains might provide similar energy
++ * estimation values (w/o better resolution the values could be equal).
++ *
++ * We increase resolution only if we have enough bits to allow this increased
++ * resolution (i.e. 64-bit). The costs for increasing resolution when 32-bit
++ * are pretty high and the returns do not justify the increased costs.
++ */
++#ifdef CONFIG_64BIT
++#define em_scale_power(p) ((p) * 1000)
++#else
++#define em_scale_power(p) (p)
++#endif
++
+ struct em_data_callback {
+ /**
+ * active_power() - Provide power at the next capacity state of a CPU
+diff --git a/kernel/power/energy_model.c b/kernel/power/energy_model.c
+index 8dac32bd9089..7ef35eb985ba 100644
+--- a/kernel/power/energy_model.c
++++ b/kernel/power/energy_model.c
+@@ -149,7 +149,9 @@ static struct em_perf_domain *em_create_pd(cpumask_t *span, int nr_states,
+ /* Compute the cost of each capacity_state. */
+ fmax = (u64) table[nr_states - 1].frequency;
+ for (i = 0; i < nr_states; i++) {
+- table[i].cost = div64_u64(fmax * table[i].power,
++ unsigned long power_res = em_scale_power(table[i].power);
++
++ table[i].cost = div64_u64(fmax * power_res,
+ table[i].frequency);
+ }
+
+--
+2.30.2
+
--- /dev/null
+From aa5e3faefa976cf96a362308cdb4659d6da96594 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jul 2021 14:55:10 +0200
+Subject: posix-cpu-timers: Force next expiration recalc after itimer reset
+
+From: Frederic Weisbecker <frederic@kernel.org>
+
+[ Upstream commit 406dd42bd1ba0c01babf9cde169bb319e52f6147 ]
+
+When an itimer deactivates a previously armed expiration, it simply doesn't
+do anything. As a result the process wide cputime counter keeps running and
+the tick dependency stays set until it reaches the old ghost expiration
+value.
+
+This can be reproduced with the following snippet:
+
+ void trigger_process_counter(void)
+ {
+ struct itimerval n = {};
+
+ n.it_value.tv_sec = 100;
+ setitimer(ITIMER_VIRTUAL, &n, NULL);
+ n.it_value.tv_sec = 0;
+ setitimer(ITIMER_VIRTUAL, &n, NULL);
+ }
+
+Fix this with resetting the relevant base expiration. This is similar to
+disarming a timer.
+
+Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20210726125513.271824-4-frederic@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/posix-cpu-timers.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/kernel/time/posix-cpu-timers.c b/kernel/time/posix-cpu-timers.c
+index eacb0ca30193..30e061b210b7 100644
+--- a/kernel/time/posix-cpu-timers.c
++++ b/kernel/time/posix-cpu-timers.c
+@@ -1201,8 +1201,6 @@ void set_process_cpu_timer(struct task_struct *tsk, unsigned int clkid,
+ }
+ }
+
+- if (!*newval)
+- return;
+ *newval += now;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 6362f59496b7c7658f47907efcd0d47d07105d1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Aug 2021 15:30:59 +0200
+Subject: power: supply: axp288_fuel_gauge: Report register-address on readb /
+ writeb errors
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit caa534c3ba40c6e8352b42cbbbca9ba481814ac8 ]
+
+When fuel_gauge_reg_readb()/_writeb() fails, report which register we
+were trying to read / write when the error happened.
+
+Also reword the message a bit:
+- Drop the axp288 prefix, dev_err() already prints this
+- Switch from telegram / abbreviated style to a normal sentence, aligning
+ the message with those from fuel_gauge_read_*bit_word()
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/axp288_fuel_gauge.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/power/supply/axp288_fuel_gauge.c b/drivers/power/supply/axp288_fuel_gauge.c
+index f40fa0e63b6e..993e4a4a34b3 100644
+--- a/drivers/power/supply/axp288_fuel_gauge.c
++++ b/drivers/power/supply/axp288_fuel_gauge.c
+@@ -149,7 +149,7 @@ static int fuel_gauge_reg_readb(struct axp288_fg_info *info, int reg)
+ }
+
+ if (ret < 0) {
+- dev_err(&info->pdev->dev, "axp288 reg read err:%d\n", ret);
++ dev_err(&info->pdev->dev, "Error reading reg 0x%02x err: %d\n", reg, ret);
+ return ret;
+ }
+
+@@ -163,7 +163,7 @@ static int fuel_gauge_reg_writeb(struct axp288_fg_info *info, int reg, u8 val)
+ ret = regmap_write(info->regmap, reg, (unsigned int)val);
+
+ if (ret < 0)
+- dev_err(&info->pdev->dev, "axp288 reg write err:%d\n", ret);
++ dev_err(&info->pdev->dev, "Error writing reg 0x%02x err: %d\n", reg, ret);
+
+ return ret;
+ }
+--
+2.30.2
+
--- /dev/null
+From ab3ef1bbb649d11e956622e9f5dd1ae7bcd72ed2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Aug 2021 18:50:14 +0200
+Subject: power: supply: max17042_battery: fix typo in MAx17042_TOFF
+
+From: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+
+[ Upstream commit ed0d0a0506025f06061325cedae1bbebd081620a ]
+
+Signed-off-by: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/max17042_battery.c | 2 +-
+ include/linux/power/max17042_battery.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/power/supply/max17042_battery.c b/drivers/power/supply/max17042_battery.c
+index fa862f0380c4..ab4740c3bf57 100644
+--- a/drivers/power/supply/max17042_battery.c
++++ b/drivers/power/supply/max17042_battery.c
+@@ -726,7 +726,7 @@ static inline void max17042_override_por_values(struct max17042_chip *chip)
+ struct max17042_config_data *config = chip->pdata->config_data;
+
+ max17042_override_por(map, MAX17042_TGAIN, config->tgain);
+- max17042_override_por(map, MAx17042_TOFF, config->toff);
++ max17042_override_por(map, MAX17042_TOFF, config->toff);
+ max17042_override_por(map, MAX17042_CGAIN, config->cgain);
+ max17042_override_por(map, MAX17042_COFF, config->coff);
+
+diff --git a/include/linux/power/max17042_battery.h b/include/linux/power/max17042_battery.h
+index 4badd5322949..2f9ff5017f12 100644
+--- a/include/linux/power/max17042_battery.h
++++ b/include/linux/power/max17042_battery.h
+@@ -69,7 +69,7 @@ enum max17042_register {
+ MAX17042_RelaxCFG = 0x2A,
+ MAX17042_MiscCFG = 0x2B,
+ MAX17042_TGAIN = 0x2C,
+- MAx17042_TOFF = 0x2D,
++ MAX17042_TOFF = 0x2D,
+ MAX17042_CGAIN = 0x2E,
+ MAX17042_COFF = 0x2F,
+
+--
+2.30.2
+
--- /dev/null
+From a3bbac80c9a0695fcf63ee4a3fdff268228ccd24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 22 May 2021 00:56:23 +0900
+Subject: rcu/tree: Handle VM stoppage in stall detection
+
+From: Sergey Senozhatsky <senozhatsky@chromium.org>
+
+[ Upstream commit ccfc9dd6914feaa9a81f10f9cce56eb0f7712264 ]
+
+The soft watchdog timer function checks if a virtual machine
+was suspended and hence what looks like a lockup in fact
+is a false positive.
+
+This is what kvm_check_and_clear_guest_paused() does: it
+tests guest PVCLOCK_GUEST_STOPPED (which is set by the host)
+and if it's set then we need to touch all watchdogs and bail
+out.
+
+Watchdog timer function runs from IRQ, so PVCLOCK_GUEST_STOPPED
+check works fine.
+
+There is, however, one more watchdog that runs from IRQ, so
+watchdog timer fn races with it, and that watchdog is not aware
+of PVCLOCK_GUEST_STOPPED - RCU stall detector.
+
+apic_timer_interrupt()
+ smp_apic_timer_interrupt()
+ hrtimer_interrupt()
+ __hrtimer_run_queues()
+ tick_sched_timer()
+ tick_sched_handle()
+ update_process_times()
+ rcu_sched_clock_irq()
+
+This triggers RCU stalls on our devices during VM resume.
+
+If tick_sched_handle()->rcu_sched_clock_irq() runs on a VCPU
+before watchdog_timer_fn()->kvm_check_and_clear_guest_paused()
+then there is nothing on this VCPU that touches watchdogs and
+RCU reads stale gp stall timestamp and new jiffies value, which
+makes it think that RCU has stalled.
+
+Make RCU stall watchdog aware of PVCLOCK_GUEST_STOPPED and
+don't report RCU stalls when we resume the VM.
+
+Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Signed-off-by: Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/tree_stall.h | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/kernel/rcu/tree_stall.h b/kernel/rcu/tree_stall.h
+index c0b8c458d8a6..b8c9744ad595 100644
+--- a/kernel/rcu/tree_stall.h
++++ b/kernel/rcu/tree_stall.h
+@@ -7,6 +7,8 @@
+ * Author: Paul E. McKenney <paulmck@linux.ibm.com>
+ */
+
++#include <linux/kvm_para.h>
++
+ //////////////////////////////////////////////////////////////////////////////
+ //
+ // Controlling CPU stall warnings, including delay calculation.
+@@ -525,6 +527,14 @@ static void check_cpu_stall(struct rcu_data *rdp)
+ (READ_ONCE(rnp->qsmask) & rdp->grpmask) &&
+ cmpxchg(&rcu_state.jiffies_stall, js, jn) == js) {
+
++ /*
++ * If a virtual machine is stopped by the host it can look to
++ * the watchdog like an RCU stall. Check to see if the host
++ * stopped the vm.
++ */
++ if (kvm_check_and_clear_guest_paused())
++ return;
++
+ /* We haven't checked in, so go dump stack. */
+ print_cpu_stall();
+ if (rcu_cpu_stall_ftrace_dump)
+@@ -534,6 +544,14 @@ static void check_cpu_stall(struct rcu_data *rdp)
+ ULONG_CMP_GE(j, js + RCU_STALL_RAT_DELAY) &&
+ cmpxchg(&rcu_state.jiffies_stall, js, jn) == js) {
+
++ /*
++ * If a virtual machine is stopped by the host it can look to
++ * the watchdog like an RCU stall. Check to see if the host
++ * stopped the vm.
++ */
++ if (kvm_check_and_clear_guest_paused())
++ return;
++
+ /* They had a few time units to dump stack, so complain. */
+ print_other_cpu_stall(gs2);
+ if (rcu_cpu_stall_ftrace_dump)
+--
+2.30.2
+
--- /dev/null
+From b0bde41dc75827fe0f4ab2ed18ad332e77462a89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Jul 2021 23:26:30 +0900
+Subject: regmap: fix the offset of register error log
+
+From: Jeongtae Park <jeongtae.park@gmail.com>
+
+[ Upstream commit 1852f5ed358147095297a09cc3c6f160208a676d ]
+
+This patch fixes the offset of register error log
+by using regmap_get_offset().
+
+Signed-off-by: Jeongtae Park <jeongtae.park@gmail.com>
+Link: https://lore.kernel.org/r/20210701142630.44936-1-jeongtae.park@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/regmap/regmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
+index e0893f1b1452..43c0452a8ba9 100644
+--- a/drivers/base/regmap/regmap.c
++++ b/drivers/base/regmap/regmap.c
+@@ -1505,7 +1505,7 @@ static int _regmap_raw_write_impl(struct regmap *map, unsigned int reg,
+ if (ret) {
+ dev_err(map->dev,
+ "Error in caching of register: %x ret: %d\n",
+- reg + i, ret);
++ reg + regmap_get_offset(map, i), ret);
+ return ret;
+ }
+ }
+--
+2.30.2
+
--- /dev/null
+From 985cf3356e41bc697741855a33fde91fadc63ab8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Aug 2021 11:37:04 +0800
+Subject: regulator: vctrl: Avoid lockdep warning in enable/disable ops
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+[ Upstream commit 21e39809fd7c4b8ff3662f23e0168e87594c8ca8 ]
+
+vctrl_enable() and vctrl_disable() call regulator_enable() and
+regulator_disable(), respectively. However, vctrl_* are regulator ops
+and should not be calling the locked regulator APIs. Doing so results in
+a lockdep warning.
+
+Instead of exporting more internal regulator ops, model the ctrl supply
+as an actual supply to vctrl-regulator. At probe time this driver still
+needs to use the consumer API to fetch its constraints, but otherwise
+lets the regulator core handle the upstream supply for it.
+
+The enable/disable/is_enabled ops are not removed, but now only track
+state internally. This preserves the original behavior with the ops
+being available, but one could argue that the original behavior was
+already incorrect: the internal state would not match the upstream
+supply if that supply had another consumer that enabled the supply,
+while vctrl-regulator was not enabled.
+
+The lockdep warning is as follows:
+
+ WARNING: possible circular locking dependency detected
+ 5.14.0-rc6 #2 Not tainted
+ ------------------------------------------------------
+ swapper/0/1 is trying to acquire lock:
+ ffffffc011306d00 (regulator_list_mutex){+.+.}-{3:3}, at:
+ regulator_lock_dependent (arch/arm64/include/asm/current.h:19
+ include/linux/ww_mutex.h:111
+ drivers/regulator/core.c:329)
+
+ but task is already holding lock:
+ ffffff8004a77160 (regulator_ww_class_mutex){+.+.}-{3:3}, at:
+ regulator_lock_recursive (drivers/regulator/core.c:156
+ drivers/regulator/core.c:263)
+
+ which lock already depends on the new lock.
+
+ the existing dependency chain (in reverse order) is:
+
+ -> #2 (regulator_ww_class_mutex){+.+.}-{3:3}:
+ __mutex_lock_common (include/asm-generic/atomic-instrumented.h:606
+ include/asm-generic/atomic-long.h:29
+ kernel/locking/mutex.c:103
+ kernel/locking/mutex.c:144
+ kernel/locking/mutex.c:963)
+ ww_mutex_lock (kernel/locking/mutex.c:1199)
+ regulator_lock_recursive (drivers/regulator/core.c:156
+ drivers/regulator/core.c:263)
+ regulator_lock_dependent (drivers/regulator/core.c:343)
+ regulator_enable (drivers/regulator/core.c:2808)
+ set_machine_constraints (drivers/regulator/core.c:1536)
+ regulator_register (drivers/regulator/core.c:5486)
+ devm_regulator_register (drivers/regulator/devres.c:196)
+ reg_fixed_voltage_probe (drivers/regulator/fixed.c:289)
+ platform_probe (drivers/base/platform.c:1427)
+ [...]
+
+ -> #1 (regulator_ww_class_acquire){+.+.}-{0:0}:
+ regulator_lock_dependent (include/linux/ww_mutex.h:129
+ drivers/regulator/core.c:329)
+ regulator_enable (drivers/regulator/core.c:2808)
+ set_machine_constraints (drivers/regulator/core.c:1536)
+ regulator_register (drivers/regulator/core.c:5486)
+ devm_regulator_register (drivers/regulator/devres.c:196)
+ reg_fixed_voltage_probe (drivers/regulator/fixed.c:289)
+ [...]
+
+ -> #0 (regulator_list_mutex){+.+.}-{3:3}:
+ __lock_acquire (kernel/locking/lockdep.c:3052 (discriminator 4)
+ kernel/locking/lockdep.c:3174 (discriminator 4)
+ kernel/locking/lockdep.c:3789 (discriminator 4)
+ kernel/locking/lockdep.c:5015 (discriminator 4))
+ lock_acquire (arch/arm64/include/asm/percpu.h:39
+ kernel/locking/lockdep.c:438
+ kernel/locking/lockdep.c:5627)
+ __mutex_lock_common (include/asm-generic/atomic-instrumented.h:606
+ include/asm-generic/atomic-long.h:29
+ kernel/locking/mutex.c:103
+ kernel/locking/mutex.c:144
+ kernel/locking/mutex.c:963)
+ mutex_lock_nested (kernel/locking/mutex.c:1125)
+ regulator_lock_dependent (arch/arm64/include/asm/current.h:19
+ include/linux/ww_mutex.h:111
+ drivers/regulator/core.c:329)
+ regulator_enable (drivers/regulator/core.c:2808)
+ vctrl_enable (drivers/regulator/vctrl-regulator.c:400)
+ _regulator_do_enable (drivers/regulator/core.c:2617)
+ _regulator_enable (drivers/regulator/core.c:2764)
+ regulator_enable (drivers/regulator/core.c:308
+ drivers/regulator/core.c:2809)
+ _set_opp (drivers/opp/core.c:819 drivers/opp/core.c:1072)
+ dev_pm_opp_set_rate (drivers/opp/core.c:1164)
+ set_target (drivers/cpufreq/cpufreq-dt.c:62)
+ __cpufreq_driver_target (drivers/cpufreq/cpufreq.c:2216
+ drivers/cpufreq/cpufreq.c:2271)
+ cpufreq_online (drivers/cpufreq/cpufreq.c:1488 (discriminator 2))
+ cpufreq_add_dev (drivers/cpufreq/cpufreq.c:1563)
+ subsys_interface_register (drivers/base/bus.c:?)
+ cpufreq_register_driver (drivers/cpufreq/cpufreq.c:2819)
+ dt_cpufreq_probe (drivers/cpufreq/cpufreq-dt.c:344)
+ [...]
+
+ other info that might help us debug this:
+
+ Chain exists of:
+ regulator_list_mutex --> regulator_ww_class_acquire --> regulator_ww_class_mutex
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(regulator_ww_class_mutex);
+ lock(regulator_ww_class_acquire);
+ lock(regulator_ww_class_mutex);
+ lock(regulator_list_mutex);
+
+ *** DEADLOCK ***
+
+ 6 locks held by swapper/0/1:
+ #0: ffffff8002d32188 (&dev->mutex){....}-{3:3}, at:
+ __device_driver_lock (drivers/base/dd.c:1030)
+ #1: ffffffc0111a0520 (cpu_hotplug_lock){++++}-{0:0}, at:
+ cpufreq_register_driver (drivers/cpufreq/cpufreq.c:2792 (discriminator 2))
+ #2: ffffff8002a8d918 (subsys mutex#9){+.+.}-{3:3}, at:
+ subsys_interface_register (drivers/base/bus.c:1033)
+ #3: ffffff800341bb90 (&policy->rwsem){+.+.}-{3:3}, at:
+ cpufreq_online (include/linux/bitmap.h:285
+ include/linux/cpumask.h:405
+ drivers/cpufreq/cpufreq.c:1399)
+ #4: ffffffc011f0b7b8 (regulator_ww_class_acquire){+.+.}-{0:0}, at:
+ regulator_enable (drivers/regulator/core.c:2808)
+ #5: ffffff8004a77160 (regulator_ww_class_mutex){+.+.}-{3:3}, at:
+ regulator_lock_recursive (drivers/regulator/core.c:156
+ drivers/regulator/core.c:263)
+
+ stack backtrace:
+ CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.14.0-rc6 #2 7c8f8996d021ed0f65271e6aeebf7999de74a9fa
+ Hardware name: Google Scarlet (DT)
+ Call trace:
+ dump_backtrace (arch/arm64/kernel/stacktrace.c:161)
+ show_stack (arch/arm64/kernel/stacktrace.c:218)
+ dump_stack_lvl (lib/dump_stack.c:106 (discriminator 2))
+ dump_stack (lib/dump_stack.c:113)
+ print_circular_bug (kernel/locking/lockdep.c:?)
+ check_noncircular (kernel/locking/lockdep.c:?)
+ __lock_acquire (kernel/locking/lockdep.c:3052 (discriminator 4)
+ kernel/locking/lockdep.c:3174 (discriminator 4)
+ kernel/locking/lockdep.c:3789 (discriminator 4)
+ kernel/locking/lockdep.c:5015 (discriminator 4))
+ lock_acquire (arch/arm64/include/asm/percpu.h:39
+ kernel/locking/lockdep.c:438
+ kernel/locking/lockdep.c:5627)
+ __mutex_lock_common (include/asm-generic/atomic-instrumented.h:606
+ include/asm-generic/atomic-long.h:29
+ kernel/locking/mutex.c:103
+ kernel/locking/mutex.c:144
+ kernel/locking/mutex.c:963)
+ mutex_lock_nested (kernel/locking/mutex.c:1125)
+ regulator_lock_dependent (arch/arm64/include/asm/current.h:19
+ include/linux/ww_mutex.h:111
+ drivers/regulator/core.c:329)
+ regulator_enable (drivers/regulator/core.c:2808)
+ vctrl_enable (drivers/regulator/vctrl-regulator.c:400)
+ _regulator_do_enable (drivers/regulator/core.c:2617)
+ _regulator_enable (drivers/regulator/core.c:2764)
+ regulator_enable (drivers/regulator/core.c:308
+ drivers/regulator/core.c:2809)
+ _set_opp (drivers/opp/core.c:819 drivers/opp/core.c:1072)
+ dev_pm_opp_set_rate (drivers/opp/core.c:1164)
+ set_target (drivers/cpufreq/cpufreq-dt.c:62)
+ __cpufreq_driver_target (drivers/cpufreq/cpufreq.c:2216
+ drivers/cpufreq/cpufreq.c:2271)
+ cpufreq_online (drivers/cpufreq/cpufreq.c:1488 (discriminator 2))
+ cpufreq_add_dev (drivers/cpufreq/cpufreq.c:1563)
+ subsys_interface_register (drivers/base/bus.c:?)
+ cpufreq_register_driver (drivers/cpufreq/cpufreq.c:2819)
+ dt_cpufreq_probe (drivers/cpufreq/cpufreq-dt.c:344)
+ [...]
+
+Reported-by: Brian Norris <briannorris@chromium.org>
+Fixes: f8702f9e4aa7 ("regulator: core: Use ww_mutex for regulators locking")
+Fixes: e9153311491d ("regulator: vctrl-regulator: Avoid deadlock getting and setting the voltage")
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Link: https://lore.kernel.org/r/20210825033704.3307263-3-wenst@chromium.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/vctrl-regulator.c | 72 +++++++++++++++++------------
+ 1 file changed, 42 insertions(+), 30 deletions(-)
+
+diff --git a/drivers/regulator/vctrl-regulator.c b/drivers/regulator/vctrl-regulator.c
+index 93d33201ffe0..d2a37978fc3a 100644
+--- a/drivers/regulator/vctrl-regulator.c
++++ b/drivers/regulator/vctrl-regulator.c
+@@ -37,7 +37,6 @@ struct vctrl_voltage_table {
+ struct vctrl_data {
+ struct regulator_dev *rdev;
+ struct regulator_desc desc;
+- struct regulator *ctrl_reg;
+ bool enabled;
+ unsigned int min_slew_down_rate;
+ unsigned int ovp_threshold;
+@@ -82,7 +81,12 @@ static int vctrl_calc_output_voltage(struct vctrl_data *vctrl, int ctrl_uV)
+ static int vctrl_get_voltage(struct regulator_dev *rdev)
+ {
+ struct vctrl_data *vctrl = rdev_get_drvdata(rdev);
+- int ctrl_uV = regulator_get_voltage_rdev(vctrl->ctrl_reg->rdev);
++ int ctrl_uV;
++
++ if (!rdev->supply)
++ return -EPROBE_DEFER;
++
++ ctrl_uV = regulator_get_voltage_rdev(rdev->supply->rdev);
+
+ return vctrl_calc_output_voltage(vctrl, ctrl_uV);
+ }
+@@ -92,14 +96,19 @@ static int vctrl_set_voltage(struct regulator_dev *rdev,
+ unsigned int *selector)
+ {
+ struct vctrl_data *vctrl = rdev_get_drvdata(rdev);
+- struct regulator *ctrl_reg = vctrl->ctrl_reg;
+- int orig_ctrl_uV = regulator_get_voltage_rdev(ctrl_reg->rdev);
+- int uV = vctrl_calc_output_voltage(vctrl, orig_ctrl_uV);
++ int orig_ctrl_uV;
++ int uV;
+ int ret;
+
++ if (!rdev->supply)
++ return -EPROBE_DEFER;
++
++ orig_ctrl_uV = regulator_get_voltage_rdev(rdev->supply->rdev);
++ uV = vctrl_calc_output_voltage(vctrl, orig_ctrl_uV);
++
+ if (req_min_uV >= uV || !vctrl->ovp_threshold)
+ /* voltage rising or no OVP */
+- return regulator_set_voltage_rdev(ctrl_reg->rdev,
++ return regulator_set_voltage_rdev(rdev->supply->rdev,
+ vctrl_calc_ctrl_voltage(vctrl, req_min_uV),
+ vctrl_calc_ctrl_voltage(vctrl, req_max_uV),
+ PM_SUSPEND_ON);
+@@ -117,7 +126,7 @@ static int vctrl_set_voltage(struct regulator_dev *rdev,
+ next_uV = max_t(int, req_min_uV, uV - max_drop_uV);
+ next_ctrl_uV = vctrl_calc_ctrl_voltage(vctrl, next_uV);
+
+- ret = regulator_set_voltage_rdev(ctrl_reg->rdev,
++ ret = regulator_set_voltage_rdev(rdev->supply->rdev,
+ next_ctrl_uV,
+ next_ctrl_uV,
+ PM_SUSPEND_ON);
+@@ -134,7 +143,7 @@ static int vctrl_set_voltage(struct regulator_dev *rdev,
+
+ err:
+ /* Try to go back to original voltage */
+- regulator_set_voltage_rdev(ctrl_reg->rdev, orig_ctrl_uV, orig_ctrl_uV,
++ regulator_set_voltage_rdev(rdev->supply->rdev, orig_ctrl_uV, orig_ctrl_uV,
+ PM_SUSPEND_ON);
+
+ return ret;
+@@ -151,16 +160,18 @@ static int vctrl_set_voltage_sel(struct regulator_dev *rdev,
+ unsigned int selector)
+ {
+ struct vctrl_data *vctrl = rdev_get_drvdata(rdev);
+- struct regulator *ctrl_reg = vctrl->ctrl_reg;
+ unsigned int orig_sel = vctrl->sel;
+ int ret;
+
++ if (!rdev->supply)
++ return -EPROBE_DEFER;
++
+ if (selector >= rdev->desc->n_voltages)
+ return -EINVAL;
+
+ if (selector >= vctrl->sel || !vctrl->ovp_threshold) {
+ /* voltage rising or no OVP */
+- ret = regulator_set_voltage_rdev(ctrl_reg->rdev,
++ ret = regulator_set_voltage_rdev(rdev->supply->rdev,
+ vctrl->vtable[selector].ctrl,
+ vctrl->vtable[selector].ctrl,
+ PM_SUSPEND_ON);
+@@ -179,7 +190,7 @@ static int vctrl_set_voltage_sel(struct regulator_dev *rdev,
+ else
+ next_sel = vctrl->vtable[vctrl->sel].ovp_min_sel;
+
+- ret = regulator_set_voltage_rdev(ctrl_reg->rdev,
++ ret = regulator_set_voltage_rdev(rdev->supply->rdev,
+ vctrl->vtable[next_sel].ctrl,
+ vctrl->vtable[next_sel].ctrl,
+ PM_SUSPEND_ON);
+@@ -202,7 +213,7 @@ static int vctrl_set_voltage_sel(struct regulator_dev *rdev,
+ err:
+ if (vctrl->sel != orig_sel) {
+ /* Try to go back to original voltage */
+- if (!regulator_set_voltage_rdev(ctrl_reg->rdev,
++ if (!regulator_set_voltage_rdev(rdev->supply->rdev,
+ vctrl->vtable[orig_sel].ctrl,
+ vctrl->vtable[orig_sel].ctrl,
+ PM_SUSPEND_ON))
+@@ -234,10 +245,6 @@ static int vctrl_parse_dt(struct platform_device *pdev,
+ u32 pval;
+ u32 vrange_ctrl[2];
+
+- vctrl->ctrl_reg = devm_regulator_get(&pdev->dev, "ctrl");
+- if (IS_ERR(vctrl->ctrl_reg))
+- return PTR_ERR(vctrl->ctrl_reg);
+-
+ ret = of_property_read_u32(np, "ovp-threshold-percent", &pval);
+ if (!ret) {
+ vctrl->ovp_threshold = pval;
+@@ -315,11 +322,11 @@ static int vctrl_cmp_ctrl_uV(const void *a, const void *b)
+ return at->ctrl - bt->ctrl;
+ }
+
+-static int vctrl_init_vtable(struct platform_device *pdev)
++static int vctrl_init_vtable(struct platform_device *pdev,
++ struct regulator *ctrl_reg)
+ {
+ struct vctrl_data *vctrl = platform_get_drvdata(pdev);
+ struct regulator_desc *rdesc = &vctrl->desc;
+- struct regulator *ctrl_reg = vctrl->ctrl_reg;
+ struct vctrl_voltage_range *vrange_ctrl = &vctrl->vrange.ctrl;
+ int n_voltages;
+ int ctrl_uV;
+@@ -395,23 +402,19 @@ static int vctrl_init_vtable(struct platform_device *pdev)
+ static int vctrl_enable(struct regulator_dev *rdev)
+ {
+ struct vctrl_data *vctrl = rdev_get_drvdata(rdev);
+- int ret = regulator_enable(vctrl->ctrl_reg);
+
+- if (!ret)
+- vctrl->enabled = true;
++ vctrl->enabled = true;
+
+- return ret;
++ return 0;
+ }
+
+ static int vctrl_disable(struct regulator_dev *rdev)
+ {
+ struct vctrl_data *vctrl = rdev_get_drvdata(rdev);
+- int ret = regulator_disable(vctrl->ctrl_reg);
+
+- if (!ret)
+- vctrl->enabled = false;
++ vctrl->enabled = false;
+
+- return ret;
++ return 0;
+ }
+
+ static int vctrl_is_enabled(struct regulator_dev *rdev)
+@@ -447,6 +450,7 @@ static int vctrl_probe(struct platform_device *pdev)
+ struct regulator_desc *rdesc;
+ struct regulator_config cfg = { };
+ struct vctrl_voltage_range *vrange_ctrl;
++ struct regulator *ctrl_reg;
+ int ctrl_uV;
+ int ret;
+
+@@ -461,15 +465,20 @@ static int vctrl_probe(struct platform_device *pdev)
+ if (ret)
+ return ret;
+
++ ctrl_reg = devm_regulator_get(&pdev->dev, "ctrl");
++ if (IS_ERR(ctrl_reg))
++ return PTR_ERR(ctrl_reg);
++
+ vrange_ctrl = &vctrl->vrange.ctrl;
+
+ rdesc = &vctrl->desc;
+ rdesc->name = "vctrl";
+ rdesc->type = REGULATOR_VOLTAGE;
+ rdesc->owner = THIS_MODULE;
++ rdesc->supply_name = "ctrl";
+
+- if ((regulator_get_linear_step(vctrl->ctrl_reg) == 1) ||
+- (regulator_count_voltages(vctrl->ctrl_reg) == -EINVAL)) {
++ if ((regulator_get_linear_step(ctrl_reg) == 1) ||
++ (regulator_count_voltages(ctrl_reg) == -EINVAL)) {
+ rdesc->continuous_voltage_range = true;
+ rdesc->ops = &vctrl_ops_cont;
+ } else {
+@@ -486,12 +495,12 @@ static int vctrl_probe(struct platform_device *pdev)
+ cfg.init_data = init_data;
+
+ if (!rdesc->continuous_voltage_range) {
+- ret = vctrl_init_vtable(pdev);
++ ret = vctrl_init_vtable(pdev, ctrl_reg);
+ if (ret)
+ return ret;
+
+ /* Use locked consumer API when not in regulator framework */
+- ctrl_uV = regulator_get_voltage(vctrl->ctrl_reg);
++ ctrl_uV = regulator_get_voltage(ctrl_reg);
+ if (ctrl_uV < 0) {
+ dev_err(&pdev->dev, "failed to get control voltage\n");
+ return ctrl_uV;
+@@ -514,6 +523,9 @@ static int vctrl_probe(struct platform_device *pdev)
+ }
+ }
+
++ /* Drop ctrl-supply here in favor of regulator core managed supply */
++ devm_regulator_put(ctrl_reg);
++
+ vctrl->rdev = devm_regulator_register(&pdev->dev, rdesc, &cfg);
+ if (IS_ERR(vctrl->rdev)) {
+ ret = PTR_ERR(vctrl->rdev);
+--
+2.30.2
+
--- /dev/null
+From 19c8de85bb943fbdda1fe187f337212ba144f828 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Aug 2021 11:37:03 +0800
+Subject: regulator: vctrl: Use locked regulator_get_voltage in probe path
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+[ Upstream commit 98e47570ba985f2310586c80409238200fa3170f ]
+
+In commit e9153311491d ("regulator: vctrl-regulator: Avoid deadlock getting
+and setting the voltage"), all calls to get/set the voltage of the
+control regulator were switched to unlocked versions to avoid deadlocks.
+However, the call in the probe path is done without regulator locks
+held. In this case the locked version should be used.
+
+Switch back to the locked regulator_get_voltage() in the probe path to
+avoid any mishaps.
+
+Fixes: e9153311491d ("regulator: vctrl-regulator: Avoid deadlock getting and setting the voltage")
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Link: https://lore.kernel.org/r/20210825033704.3307263-2-wenst@chromium.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/vctrl-regulator.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/regulator/vctrl-regulator.c b/drivers/regulator/vctrl-regulator.c
+index cbadb1c99679..93d33201ffe0 100644
+--- a/drivers/regulator/vctrl-regulator.c
++++ b/drivers/regulator/vctrl-regulator.c
+@@ -490,7 +490,8 @@ static int vctrl_probe(struct platform_device *pdev)
+ if (ret)
+ return ret;
+
+- ctrl_uV = regulator_get_voltage_rdev(vctrl->ctrl_reg->rdev);
++ /* Use locked consumer API when not in regulator framework */
++ ctrl_uV = regulator_get_voltage(vctrl->ctrl_reg);
+ if (ctrl_uV < 0) {
+ dev_err(&pdev->dev, "failed to get control voltage\n");
+ return ctrl_uV;
+--
+2.30.2
+
--- /dev/null
+From 373b1818326cc14b26edb059b398648d24e5c27d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Aug 2021 21:39:47 +0300
+Subject: rsi: fix an error code in rsi_probe()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 9adcdf6758d7c4c9bdaf22d78eb9fcae260ed113 ]
+
+Return -ENODEV instead of success for unsupported devices.
+
+Fixes: 54fdb318c111 ("rsi: add new device model for 9116")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210816183947.GA2119@kili
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/rsi/rsi_91x_usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/rsi/rsi_91x_usb.c b/drivers/net/wireless/rsi/rsi_91x_usb.c
+index a296f4e0d324..e8aa3d4bda88 100644
+--- a/drivers/net/wireless/rsi/rsi_91x_usb.c
++++ b/drivers/net/wireless/rsi/rsi_91x_usb.c
+@@ -806,6 +806,7 @@ static int rsi_probe(struct usb_interface *pfunction,
+ } else {
+ rsi_dbg(ERR_ZONE, "%s: Unsupported RSI device id 0x%x\n",
+ __func__, id->idProduct);
++ status = -ENODEV;
+ goto err1;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From a18295c043c94f1093a118236991bc7f23e8cf2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Aug 2021 13:37:46 +0300
+Subject: rsi: fix error code in rsi_load_9116_firmware()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit d0f8430332a16c7baa80ce2886339182c5d85f37 ]
+
+This code returns success if the kmemdup() fails, but obviously it
+should return -ENOMEM instead.
+
+Fixes: e5a1ecc97e5f ("rsi: add firmware loading for 9116 device")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210805103746.GA26417@kili
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/rsi/rsi_91x_hal.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/rsi/rsi_91x_hal.c b/drivers/net/wireless/rsi/rsi_91x_hal.c
+index 03791f3fe480..5e6c5d13319d 100644
+--- a/drivers/net/wireless/rsi/rsi_91x_hal.c
++++ b/drivers/net/wireless/rsi/rsi_91x_hal.c
+@@ -1038,8 +1038,10 @@ static int rsi_load_9116_firmware(struct rsi_hw *adapter)
+ }
+
+ ta_firmware = kmemdup(fw_entry->data, fw_entry->size, GFP_KERNEL);
+- if (!ta_firmware)
++ if (!ta_firmware) {
++ status = -ENOMEM;
+ goto fail_release_fw;
++ }
+ fw_p = ta_firmware;
+ instructions_sz = fw_entry->size;
+ rsi_dbg(INFO_ZONE, "FW Length = %d bytes\n", instructions_sz);
+--
+2.30.2
+
--- /dev/null
+From 9dcf67f515ac157370520d6652c7f7ecb317b083 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Apr 2021 10:52:38 +0200
+Subject: s390/cio: add dev_busid sysfs entry for each subchannel
+
+From: Vineeth Vijayan <vneethv@linux.ibm.com>
+
+[ Upstream commit d3683c055212bf910d4e318f7944910ce10dbee6 ]
+
+Introduce dev_busid, which exports the device-id associated with the
+io-subchannel (and message-subchannel). The dev_busid indicates that of
+the device which may be physically installed on the corrosponding
+subchannel. The dev_busid value "none" indicates that the subchannel
+is not valid, there is no I/O device currently associated with the
+subchannel.
+
+The dev_busid information would be helpful to write device-specific
+udev-rules associated with the subchannel. The dev_busid interface would
+be available even when the sch is not bound to any driver or if there is
+no operational device connected on it. Hence this attribute can be used to
+write udev-rules which are specific to the device associated with the
+subchannel.
+
+Signed-off-by: Vineeth Vijayan <vneethv@linux.ibm.com>
+Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/cio/css.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/drivers/s390/cio/css.c b/drivers/s390/cio/css.c
+index 5734a78dbb8e..7950ac59b174 100644
+--- a/drivers/s390/cio/css.c
++++ b/drivers/s390/cio/css.c
+@@ -426,9 +426,26 @@ static ssize_t pimpampom_show(struct device *dev,
+ }
+ static DEVICE_ATTR_RO(pimpampom);
+
++static ssize_t dev_busid_show(struct device *dev,
++ struct device_attribute *attr,
++ char *buf)
++{
++ struct subchannel *sch = to_subchannel(dev);
++ struct pmcw *pmcw = &sch->schib.pmcw;
++
++ if ((pmcw->st == SUBCHANNEL_TYPE_IO ||
++ pmcw->st == SUBCHANNEL_TYPE_MSG) && pmcw->dnv)
++ return sysfs_emit(buf, "0.%x.%04x\n", sch->schid.ssid,
++ pmcw->dev);
++ else
++ return sysfs_emit(buf, "none\n");
++}
++static DEVICE_ATTR_RO(dev_busid);
++
+ static struct attribute *io_subchannel_type_attrs[] = {
+ &dev_attr_chpids.attr,
+ &dev_attr_pimpampom.attr,
++ &dev_attr_dev_busid.attr,
+ NULL,
+ };
+ ATTRIBUTE_GROUPS(io_subchannel_type);
+--
+2.30.2
+
--- /dev/null
+From 5ab1efaf3bbcc8e8a104d0116e9e06f33c035e63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Aug 2021 15:05:03 +0200
+Subject: s390/debug: fix debug area life cycle
+
+From: Peter Oberparleiter <oberpar@linux.ibm.com>
+
+[ Upstream commit 9372a82892c2caa6bccab9a4081166fa769699f8 ]
+
+Currently allocation and registration of s390dbf debug areas are tied
+together. As a result, a debug area cannot be unregistered and
+re-registered while any process has an associated debugfs file open.
+
+Fix this by splitting alloc/release from register/unregister.
+
+Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/debug.c | 102 +++++++++++++++++++++------------------
+ 1 file changed, 56 insertions(+), 46 deletions(-)
+
+diff --git a/arch/s390/kernel/debug.c b/arch/s390/kernel/debug.c
+index 7184d55d87aa..b1aadc3ad065 100644
+--- a/arch/s390/kernel/debug.c
++++ b/arch/s390/kernel/debug.c
+@@ -327,24 +327,6 @@ static debug_info_t *debug_info_create(const char *name, int pages_per_area,
+ goto out;
+
+ rc->mode = mode & ~S_IFMT;
+-
+- /* create root directory */
+- rc->debugfs_root_entry = debugfs_create_dir(rc->name,
+- debug_debugfs_root_entry);
+-
+- /* append new element to linked list */
+- if (!debug_area_first) {
+- /* first element in list */
+- debug_area_first = rc;
+- rc->prev = NULL;
+- } else {
+- /* append element to end of list */
+- debug_area_last->next = rc;
+- rc->prev = debug_area_last;
+- }
+- debug_area_last = rc;
+- rc->next = NULL;
+-
+ refcount_set(&rc->ref_count, 1);
+ out:
+ return rc;
+@@ -404,27 +386,10 @@ static void debug_info_get(debug_info_t *db_info)
+ */
+ static void debug_info_put(debug_info_t *db_info)
+ {
+- int i;
+-
+ if (!db_info)
+ return;
+- if (refcount_dec_and_test(&db_info->ref_count)) {
+- for (i = 0; i < DEBUG_MAX_VIEWS; i++) {
+- if (!db_info->views[i])
+- continue;
+- debugfs_remove(db_info->debugfs_entries[i]);
+- }
+- debugfs_remove(db_info->debugfs_root_entry);
+- if (db_info == debug_area_first)
+- debug_area_first = db_info->next;
+- if (db_info == debug_area_last)
+- debug_area_last = db_info->prev;
+- if (db_info->prev)
+- db_info->prev->next = db_info->next;
+- if (db_info->next)
+- db_info->next->prev = db_info->prev;
++ if (refcount_dec_and_test(&db_info->ref_count))
+ debug_info_free(db_info);
+- }
+ }
+
+ /*
+@@ -648,6 +613,31 @@ static int debug_close(struct inode *inode, struct file *file)
+ return 0; /* success */
+ }
+
++/* Create debugfs entries and add to internal list. */
++static void _debug_register(debug_info_t *id)
++{
++ /* create root directory */
++ id->debugfs_root_entry = debugfs_create_dir(id->name,
++ debug_debugfs_root_entry);
++
++ /* append new element to linked list */
++ if (!debug_area_first) {
++ /* first element in list */
++ debug_area_first = id;
++ id->prev = NULL;
++ } else {
++ /* append element to end of list */
++ debug_area_last->next = id;
++ id->prev = debug_area_last;
++ }
++ debug_area_last = id;
++ id->next = NULL;
++
++ debug_register_view(id, &debug_level_view);
++ debug_register_view(id, &debug_flush_view);
++ debug_register_view(id, &debug_pages_view);
++}
++
+ /**
+ * debug_register_mode() - creates and initializes debug area.
+ *
+@@ -677,19 +667,16 @@ debug_info_t *debug_register_mode(const char *name, int pages_per_area,
+ if ((uid != 0) || (gid != 0))
+ pr_warn("Root becomes the owner of all s390dbf files in sysfs\n");
+ BUG_ON(!initialized);
+- mutex_lock(&debug_mutex);
+
+ /* create new debug_info */
+ rc = debug_info_create(name, pages_per_area, nr_areas, buf_size, mode);
+- if (!rc)
+- goto out;
+- debug_register_view(rc, &debug_level_view);
+- debug_register_view(rc, &debug_flush_view);
+- debug_register_view(rc, &debug_pages_view);
+-out:
+- if (!rc)
++ if (rc) {
++ mutex_lock(&debug_mutex);
++ _debug_register(rc);
++ mutex_unlock(&debug_mutex);
++ } else {
+ pr_err("Registering debug feature %s failed\n", name);
+- mutex_unlock(&debug_mutex);
++ }
+ return rc;
+ }
+ EXPORT_SYMBOL(debug_register_mode);
+@@ -718,6 +705,27 @@ debug_info_t *debug_register(const char *name, int pages_per_area,
+ }
+ EXPORT_SYMBOL(debug_register);
+
++/* Remove debugfs entries and remove from internal list. */
++static void _debug_unregister(debug_info_t *id)
++{
++ int i;
++
++ for (i = 0; i < DEBUG_MAX_VIEWS; i++) {
++ if (!id->views[i])
++ continue;
++ debugfs_remove(id->debugfs_entries[i]);
++ }
++ debugfs_remove(id->debugfs_root_entry);
++ if (id == debug_area_first)
++ debug_area_first = id->next;
++ if (id == debug_area_last)
++ debug_area_last = id->prev;
++ if (id->prev)
++ id->prev->next = id->next;
++ if (id->next)
++ id->next->prev = id->prev;
++}
++
+ /**
+ * debug_unregister() - give back debug area.
+ *
+@@ -731,8 +739,10 @@ void debug_unregister(debug_info_t *id)
+ if (!id)
+ return;
+ mutex_lock(&debug_mutex);
+- debug_info_put(id);
++ _debug_unregister(id);
+ mutex_unlock(&debug_mutex);
++
++ debug_info_put(id);
+ }
+ EXPORT_SYMBOL(debug_unregister);
+
+--
+2.30.2
+
--- /dev/null
+From a0326ff018e190f8c3e2ad3f3c3f846cd2b608b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Aug 2021 12:55:08 +0200
+Subject: s390/kasan: fix large PMD pages address alignment check
+
+From: Alexander Gordeev <agordeev@linux.ibm.com>
+
+[ Upstream commit ddd63c85ef67ea9ea7282ad35eafb6568047126e ]
+
+It is currently possible to initialize a large PMD page when
+the address is not aligned on page boundary.
+
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/mm/kasan_init.c | 41 +++++++++++++++++++--------------------
+ 1 file changed, 20 insertions(+), 21 deletions(-)
+
+diff --git a/arch/s390/mm/kasan_init.c b/arch/s390/mm/kasan_init.c
+index 460f25572940..5182e0836ca7 100644
+--- a/arch/s390/mm/kasan_init.c
++++ b/arch/s390/mm/kasan_init.c
+@@ -101,6 +101,9 @@ static void __init kasan_early_vmemmap_populate(unsigned long address,
+ pgt_prot = pgprot_val(PAGE_KERNEL_EXEC);
+ sgt_prot = pgprot_val(SEGMENT_KERNEL_EXEC);
+
++ /*
++ * The first 1MB of 1:1 mapping is mapped with 4KB pages
++ */
+ while (address < end) {
+ pg_dir = pgd_offset_k(address);
+ if (pgd_none(*pg_dir)) {
+@@ -146,30 +149,26 @@ static void __init kasan_early_vmemmap_populate(unsigned long address,
+
+ pm_dir = pmd_offset(pu_dir, address);
+ if (pmd_none(*pm_dir)) {
+- if (mode == POPULATE_ZERO_SHADOW &&
+- IS_ALIGNED(address, PMD_SIZE) &&
++ if (IS_ALIGNED(address, PMD_SIZE) &&
+ end - address >= PMD_SIZE) {
+- pmd_populate(&init_mm, pm_dir,
+- kasan_early_shadow_pte);
+- address = (address + PMD_SIZE) & PMD_MASK;
+- continue;
+- }
+- /* the first megabyte of 1:1 is mapped with 4k pages */
+- if (has_edat && address && end - address >= PMD_SIZE &&
+- mode != POPULATE_ZERO_SHADOW) {
+- void *page;
+-
+- if (mode == POPULATE_ONE2ONE) {
+- page = (void *)address;
+- } else {
+- page = kasan_early_alloc_segment();
+- memset(page, 0, _SEGMENT_SIZE);
++ if (mode == POPULATE_ZERO_SHADOW) {
++ pmd_populate(&init_mm, pm_dir, kasan_early_shadow_pte);
++ address = (address + PMD_SIZE) & PMD_MASK;
++ continue;
++ } else if (has_edat && address) {
++ void *page;
++
++ if (mode == POPULATE_ONE2ONE) {
++ page = (void *)address;
++ } else {
++ page = kasan_early_alloc_segment();
++ memset(page, 0, _SEGMENT_SIZE);
++ }
++ pmd_val(*pm_dir) = __pa(page) | sgt_prot;
++ address = (address + PMD_SIZE) & PMD_MASK;
++ continue;
+ }
+- pmd_val(*pm_dir) = __pa(page) | sgt_prot;
+- address = (address + PMD_SIZE) & PMD_MASK;
+- continue;
+ }
+-
+ pt_dir = kasan_early_pte_alloc();
+ pmd_populate(&init_mm, pm_dir, pt_dir);
+ } else if (pmd_large(*pm_dir)) {
+--
+2.30.2
+
--- /dev/null
+From 1cfcd381f1423936d7e432b8143f2b5e45f5a654 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Aug 2021 15:59:25 +0200
+Subject: sched/deadline: Fix missing clock update in migrate_task_rq_dl()
+
+From: Dietmar Eggemann <dietmar.eggemann@arm.com>
+
+[ Upstream commit b4da13aa28d4fd0071247b7b41c579ee8a86c81a ]
+
+A missing clock update is causing the following warning:
+
+rq->clock_update_flags < RQCF_ACT_SKIP
+WARNING: CPU: 112 PID: 2041 at kernel/sched/sched.h:1453
+sub_running_bw.isra.0+0x190/0x1a0
+...
+CPU: 112 PID: 2041 Comm: sugov:112 Tainted: G W 5.14.0-rc1 #1
+Hardware name: WIWYNN Mt.Jade Server System
+B81.030Z1.0007/Mt.Jade Motherboard, BIOS 1.6.20210526 (SCP:
+1.06.20210526) 2021/05/26
+...
+Call trace:
+ sub_running_bw.isra.0+0x190/0x1a0
+ migrate_task_rq_dl+0xf8/0x1e0
+ set_task_cpu+0xa8/0x1f0
+ try_to_wake_up+0x150/0x3d4
+ wake_up_q+0x64/0xc0
+ __up_write+0xd0/0x1c0
+ up_write+0x4c/0x2b0
+ cppc_set_perf+0x120/0x2d0
+ cppc_cpufreq_set_target+0xe0/0x1a4 [cppc_cpufreq]
+ __cpufreq_driver_target+0x74/0x140
+ sugov_work+0x64/0x80
+ kthread_worker_fn+0xe0/0x230
+ kthread+0x138/0x140
+ ret_from_fork+0x10/0x18
+
+The task causing this is the `cppc_fie` DL task introduced by
+commit 1eb5dde674f5 ("cpufreq: CPPC: Add support for frequency
+invariance").
+
+With CONFIG_ACPI_CPPC_CPUFREQ_FIE=y and schedutil cpufreq governor on
+slow-switching system (like on this Ampere Altra WIWYNN Mt. Jade Arm
+Server):
+
+DL task `curr=sugov:112` lets `p=cppc_fie` migrate and since the latter
+is in `non_contending` state, migrate_task_rq_dl() calls
+
+ sub_running_bw()->__sub_running_bw()->cpufreq_update_util()->
+ rq_clock()->assert_clock_updated()
+
+on p.
+
+Fix this by updating the clock for a non_contending task in
+migrate_task_rq_dl() before calling sub_running_bw().
+
+Reported-by: Bruno Goncalves <bgoncalv@redhat.com>
+Signed-off-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Daniel Bristot de Oliveira <bristot@kernel.org>
+Acked-by: Juri Lelli <juri.lelli@redhat.com>
+Link: https://lore.kernel.org/r/20210804135925.3734605-1-dietmar.eggemann@arm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/deadline.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
+index 7ab0b80cb12d..2bda9fdba31c 100644
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -1654,6 +1654,7 @@ static void migrate_task_rq_dl(struct task_struct *p, int new_cpu __maybe_unused
+ */
+ raw_spin_lock(&rq->lock);
+ if (p->dl.dl_non_contending) {
++ update_rq_clock(rq);
+ sub_running_bw(&p->dl, &rq->dl);
+ p->dl.dl_non_contending = 0;
+ /*
+--
+2.30.2
+
--- /dev/null
+From a7f218da6c576ab4c992733486e0951b72f55b3f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jul 2021 11:11:01 +0100
+Subject: sched/deadline: Fix reset_on_fork reporting of DL tasks
+
+From: Quentin Perret <qperret@google.com>
+
+[ Upstream commit f95091536f78971b269ec321b057b8d630b0ad8a ]
+
+It is possible for sched_getattr() to incorrectly report the state of
+the reset_on_fork flag when called on a deadline task.
+
+Indeed, if the flag was set on a deadline task using sched_setattr()
+with flags (SCHED_FLAG_RESET_ON_FORK | SCHED_FLAG_KEEP_PARAMS), then
+p->sched_reset_on_fork will be set, but __setscheduler() will bail out
+early, which means that the dl_se->flags will not get updated by
+__setscheduler_params()->__setparam_dl(). Consequently, if
+sched_getattr() is then called on the task, __getparam_dl() will
+override kattr.sched_flags with the now out-of-date copy in dl_se->flags
+and report the stale value to userspace.
+
+To fix this, make sure to only copy the flags that are relevant to
+sched_deadline to and from the dl_se->flags field.
+
+Signed-off-by: Quentin Perret <qperret@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20210727101103.2729607-2-qperret@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/deadline.c | 7 ++++---
+ kernel/sched/sched.h | 2 ++
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
+index 3cf776d5bce8..7ab0b80cb12d 100644
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -2622,7 +2622,7 @@ void __setparam_dl(struct task_struct *p, const struct sched_attr *attr)
+ dl_se->dl_runtime = attr->sched_runtime;
+ dl_se->dl_deadline = attr->sched_deadline;
+ dl_se->dl_period = attr->sched_period ?: dl_se->dl_deadline;
+- dl_se->flags = attr->sched_flags;
++ dl_se->flags = attr->sched_flags & SCHED_DL_FLAGS;
+ dl_se->dl_bw = to_ratio(dl_se->dl_period, dl_se->dl_runtime);
+ dl_se->dl_density = to_ratio(dl_se->dl_deadline, dl_se->dl_runtime);
+ }
+@@ -2635,7 +2635,8 @@ void __getparam_dl(struct task_struct *p, struct sched_attr *attr)
+ attr->sched_runtime = dl_se->dl_runtime;
+ attr->sched_deadline = dl_se->dl_deadline;
+ attr->sched_period = dl_se->dl_period;
+- attr->sched_flags = dl_se->flags;
++ attr->sched_flags &= ~SCHED_DL_FLAGS;
++ attr->sched_flags |= dl_se->flags;
+ }
+
+ /*
+@@ -2710,7 +2711,7 @@ bool dl_param_changed(struct task_struct *p, const struct sched_attr *attr)
+ if (dl_se->dl_runtime != attr->sched_runtime ||
+ dl_se->dl_deadline != attr->sched_deadline ||
+ dl_se->dl_period != attr->sched_period ||
+- dl_se->flags != attr->sched_flags)
++ dl_se->flags != (attr->sched_flags & SCHED_DL_FLAGS))
+ return true;
+
+ return false;
+diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h
+index 4e490e3db2f8..fe755c1a0af9 100644
+--- a/kernel/sched/sched.h
++++ b/kernel/sched/sched.h
+@@ -209,6 +209,8 @@ static inline int task_has_dl_policy(struct task_struct *p)
+ */
+ #define SCHED_FLAG_SUGOV 0x10000000
+
++#define SCHED_DL_FLAGS (SCHED_FLAG_RECLAIM | SCHED_FLAG_DL_OVERRUN | SCHED_FLAG_SUGOV)
++
+ static inline bool dl_entity_is_special(struct sched_dl_entity *dl_se)
+ {
+ #ifdef CONFIG_CPU_FREQ_GOV_SCHEDUTIL
+--
+2.30.2
+
--- /dev/null
+From c2372c13319d867f1732cc533caf54a8c436fedb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Aug 2021 11:21:53 +0100
+Subject: sched: Fix UCLAMP_FLAG_IDLE setting
+
+From: Quentin Perret <qperret@google.com>
+
+[ Upstream commit ca4984a7dd863f3e1c0df775ae3e744bff24c303 ]
+
+The UCLAMP_FLAG_IDLE flag is set on a runqueue when dequeueing the last
+uclamp active task (that is, when buckets.tasks reaches 0 for all
+buckets) to maintain the last uclamp.max and prevent blocked util from
+suddenly becoming visible.
+
+However, there is an asymmetry in how the flag is set and cleared which
+can lead to having the flag set whilst there are active tasks on the rq.
+Specifically, the flag is cleared in the uclamp_rq_inc() path, which is
+called at enqueue time, but set in uclamp_rq_dec_id() which is called
+both when dequeueing a task _and_ in the update_uclamp_active() path. As
+a result, when both uclamp_rq_{dec,ind}_id() are called from
+update_uclamp_active(), the flag ends up being set but not cleared,
+hence leaving the runqueue in a broken state.
+
+Fix this by clearing the flag in update_uclamp_active() as well.
+
+Fixes: e496187da710 ("sched/uclamp: Enforce last task's UCLAMP_MAX")
+Reported-by: Rick Yiu <rickyiu@google.com>
+Signed-off-by: Quentin Perret <qperret@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Qais Yousef <qais.yousef@arm.com>
+Tested-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
+Link: https://lore.kernel.org/r/20210805102154.590709-2-qperret@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/core.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 8294debf68c4..5dc43d37e6a2 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -1110,6 +1110,23 @@ static inline void uclamp_rq_dec(struct rq *rq, struct task_struct *p)
+ uclamp_rq_dec_id(rq, p, clamp_id);
+ }
+
++static inline void uclamp_rq_reinc_id(struct rq *rq, struct task_struct *p,
++ enum uclamp_id clamp_id)
++{
++ if (!p->uclamp[clamp_id].active)
++ return;
++
++ uclamp_rq_dec_id(rq, p, clamp_id);
++ uclamp_rq_inc_id(rq, p, clamp_id);
++
++ /*
++ * Make sure to clear the idle flag if we've transiently reached 0
++ * active tasks on rq.
++ */
++ if (clamp_id == UCLAMP_MAX && (rq->uclamp_flags & UCLAMP_FLAG_IDLE))
++ rq->uclamp_flags &= ~UCLAMP_FLAG_IDLE;
++}
++
+ static inline void
+ uclamp_update_active(struct task_struct *p)
+ {
+@@ -1133,12 +1150,8 @@ uclamp_update_active(struct task_struct *p)
+ * affecting a valid clamp bucket, the next time it's enqueued,
+ * it will already see the updated clamp bucket value.
+ */
+- for_each_clamp_id(clamp_id) {
+- if (p->uclamp[clamp_id].active) {
+- uclamp_rq_dec_id(rq, p, clamp_id);
+- uclamp_rq_inc_id(rq, p, clamp_id);
+- }
+- }
++ for_each_clamp_id(clamp_id)
++ uclamp_rq_reinc_id(rq, p, clamp_id);
+
+ task_rq_unlock(rq, p, &rf);
+ }
+--
+2.30.2
+
--- /dev/null
+locking-mutex-fix-handoff-condition.patch
+regmap-fix-the-offset-of-register-error-log.patch
+crypto-mxs-dcp-check-for-dma-mapping-errors.patch
+sched-deadline-fix-reset_on_fork-reporting-of-dl-tas.patch
+power-supply-axp288_fuel_gauge-report-register-addre.patch
+crypto-omap-sham-clear-dma-flags-only-after-omap_sha.patch
+sched-deadline-fix-missing-clock-update-in-migrate_t.patch
+rcu-tree-handle-vm-stoppage-in-stall-detection.patch
+posix-cpu-timers-force-next-expiration-recalc-after-.patch
+hrtimer-avoid-double-reprogramming-in-__hrtimer_star.patch
+hrtimer-ensure-timerfd-notification-for-highres-n.patch
+udf-check-lvid-earlier.patch
+udf-fix-iocharset-utf8-mount-option.patch
+isofs-joliet-fix-iocharset-utf8-mount-option.patch
+bcache-add-proper-error-unwinding-in-bcache_device_i.patch
+nvme-tcp-don-t-update-queue-count-when-failing-to-se.patch
+nvme-rdma-don-t-update-queue-count-when-failing-to-s.patch
+nvmet-pass-back-cntlid-on-successful-completion.patch
+power-supply-max17042_battery-fix-typo-in-max17042_t.patch
+s390-cio-add-dev_busid-sysfs-entry-for-each-subchann.patch
+libata-fix-ata_host_start.patch
+crypto-qat-do-not-ignore-errors-from-enable_vf2pf_co.patch
+crypto-qat-handle-both-source-of-interrupt-in-vf-isr.patch
+crypto-qat-fix-reuse-of-completion-variable.patch
+crypto-qat-fix-naming-for-init-shutdown-vf-to-pf-not.patch
+crypto-qat-do-not-export-adf_iov_putmsg.patch
+fcntl-fix-potential-deadlock-for-fasync_struct.fa_lo.patch
+udf_get_extendedattr-had-no-boundary-checks.patch
+s390-kasan-fix-large-pmd-pages-address-alignment-che.patch
+s390-debug-fix-debug-area-life-cycle.patch
+m68k-emu-fix-invalid-free-in-nfeth_cleanup.patch
+sched-fix-uclamp_flag_idle-setting.patch
+spi-spi-fsl-dspi-fix-issue-with-uninitialized-dma_sl.patch
+spi-spi-pic32-fix-issue-with-uninitialized-dma_slave.patch
+genirq-timings-fix-error-return-code-in-irq_timings_.patch
+lib-mpi-use-kcalloc-in-mpi_resize.patch
+clocksource-drivers-sh_cmt-fix-wrong-setting-if-don-.patch
+block-nbd-add-sanity-check-for-first_minor.patch
+crypto-qat-use-proper-type-for-vf_mask.patch
+certs-trigger-creation-of-rsa-module-signing-key-if-.patch
+regulator-vctrl-use-locked-regulator_get_voltage-in-.patch
+regulator-vctrl-avoid-lockdep-warning-in-enable-disa.patch
+spi-sprd-fix-the-wrong-wdg_load_val.patch
+spi-spi-zynq-qspi-use-wait_for_completion_timeout-to.patch
+edac-i10nm-fix-nvdimm-detection.patch
+drm-panfrost-fix-missing-clk_disable_unprepare-on-er.patch
+media-tda1997x-enable-edid-support.patch
+soc-rockchip-rockchip_grf-should-not-default-to-y-un.patch
+media-cxd2880-spi-fix-an-error-handling-path.patch
+bpf-fix-a-typo-of-reuseport-map-in-bpf.h.patch
+bpf-fix-potential-memleak-and-uaf-in-the-verifier.patch
+arm-dts-aspeed-g6-fix-hvi3c-function-group-in-pinctr.patch
+arm64-dts-renesas-r8a77995-draak-remove-bogus-adv751.patch
+soc-qcom-rpmhpd-use-corner-in-power_off.patch
+media-dvb-usb-fix-uninit-value-in-dvb_usb_adapter_dv.patch
+media-dvb-usb-fix-uninit-value-in-vp702x_read_mac_ad.patch
+media-dvb-usb-fix-error-handling-in-dvb_usb_i2c_init.patch
+media-go7007-remove-redundant-initialization.patch
+media-coda-fix-frame_mem_ctrl-for-yuv420-and-yvu420-.patch
+bluetooth-sco-prevent-information-leak-in-sco_conn_d.patch
+6lowpan-iphc-fix-an-off-by-one-check-of-array-index.patch
+drm-amdgpu-acp-make-pm-domain-really-work.patch
+tcp-seq_file-avoid-skipping-sk-during-tcp_seek_last_.patch
+arm-dts-meson8-use-a-higher-default-gpu-clock-freque.patch
+arm-dts-meson8b-odroidc1-fix-the-pwm-regulator-suppl.patch
+arm-dts-meson8b-mxq-fix-the-pwm-regulator-supply-pro.patch
+arm-dts-meson8b-ec100-fix-the-pwm-regulator-supply-p.patch
+net-mlx5e-prohibit-inner-indir-tirs-in-ipoib.patch
+cgroup-cpuset-fix-a-partition-bug-with-hotplug.patch
+net-cipso-fix-warnings-in-netlbl_cipsov4_add_std.patch
+i2c-highlander-add-irq-check.patch
+leds-lt3593-put-fwnode-in-any-case-during-probe.patch
+leds-trigger-audio-add-an-activate-callback-to-ensur.patch
+media-em28xx-input-fix-refcount-bug-in-em28xx_usb_di.patch
+media-venus-venc-fix-potential-null-pointer-derefere.patch
+pci-pm-avoid-forcing-pci_d0-for-wakeup-reasons-incon.patch
+pci-pm-enable-pme-if-it-can-be-signaled-from-d3cold.patch
+soc-qcom-smsm-fix-missed-interrupts-if-state-changes.patch
+debugfs-return-error-during-full-open-_proxy_open-on.patch
+bluetooth-increase-btnamsiz-to-21-chars-to-fix-poten.patch
+pm-em-increase-energy-calculation-precision.patch
+drm-msm-dpu-make-dpu_hw_ctl_clear_all_blendstages-cl.patch
+arm64-dts-exynos-correct-gic-cpu-interfaces-address-.patch
+counter-104-quad-8-return-error-when-invalid-mode-du.patch
+bluetooth-fix-repeated-calls-to-sco_sock_kill.patch
+drm-msm-dsi-fix-some-reference-counted-resource-leak.patch
+usb-gadget-udc-at91-add-irq-check.patch
+usb-phy-fsl-usb-add-irq-check.patch
+usb-phy-twl6030-add-irq-checks.patch
+usb-gadget-udc-renesas_usb3-fix-soc_device_match-abu.patch
+bluetooth-move-shutdown-callback-before-flushing-tx-.patch
+usb-host-ohci-tmio-add-irq-check.patch
+usb-phy-tahvo-add-irq-check.patch
+mac80211-fix-insufficient-headroom-issue-for-amsdu.patch
+lockd-fix-invalid-lockowner-cast-after-vfs_test_lock.patch
+nfsd4-fix-forced-expiry-locking.patch
+usb-gadget-mv_u3d-request_irq-after-initializing-udc.patch
+mm-swap-consider-max-pages-in-iomap_swapfile_add_ext.patch
+bluetooth-add-timeout-sanity-check-to-hci_inquiry.patch
+i2c-iop3xx-fix-deferred-probing.patch
+i2c-s3c2410-fix-irq-check.patch
+rsi-fix-error-code-in-rsi_load_9116_firmware.patch
+rsi-fix-an-error-code-in-rsi_probe.patch
+asoc-intel-skylake-leave-data-as-is-when-invoking-tl.patch
+asoc-intel-skylake-fix-module-resource-and-format-se.patch
+mmc-dw_mmc-fix-issue-with-uninitialized-dma_slave_co.patch
+mmc-moxart-fix-issue-with-uninitialized-dma_slave_co.patch
+bpf-fix-possible-out-of-bound-write-in-narrow-load-h.patch
+cifs-fix-a-potencially-linear-read-overflow.patch
+i2c-mt65xx-fix-irq-check.patch
+usb-ehci-orion-handle-errors-of-clk_prepare_enable-i.patch
+usb-bdc-fix-an-error-handling-path-in-bdc_probe-when.patch
+tty-serial-fsl_lpuart-fix-the-wrong-mapbase-value.patch
+asoc-wcd9335-fix-a-double-irq-free-in-the-remove-fun.patch
+asoc-wcd9335-fix-a-memory-leak-in-the-error-handling.patch
+asoc-wcd9335-disable-irq-on-slave-ports-in-the-remov.patch
+ath6kl-wmi-fix-an-error-code-in-ath6kl_wmi_sync_poin.patch
+bcma-fix-memory-leak-for-internally-handled-cores.patch
+brcmfmac-pcie-fix-oops-on-failure-to-resume-and-repr.patch
+ipv6-make-exception-cache-less-predictible.patch
+ipv4-make-exception-cache-less-predictible.patch
+net-sched-fix-qdisc_rate_table-refcount-leak-when-ge.patch
+net-qualcomm-fix-qca7000-checksum-handling.patch
+octeontx2-af-fix-loop-in-free-and-unmap-counter.patch
+ipv4-fix-endianness-issue-in-inet_rtm_getroute_build.patch
--- /dev/null
+From 3586cc6c9e3c67d78a36877a5816fbc2771abe99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Jul 2021 17:54:15 -0700
+Subject: soc: qcom: rpmhpd: Use corner in power_off
+
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+
+[ Upstream commit d43b3a989bc8c06fd4bbb69a7500d180db2d68e8 ]
+
+rpmhpd_aggregate_corner() takes a corner as parameter, but in
+rpmhpd_power_off() the code requests the level of the first corner
+instead.
+
+In all (known) current cases the first corner has level 0, so this
+change should be a nop, but in case that there's a power domain with a
+non-zero lowest level this makes sure that rpmhpd_power_off() actually
+requests the lowest level - which is the closest to "power off" we can
+get.
+
+While touching the code, also skip the unnecessary zero-initialization
+of "ret".
+
+Fixes: 279b7e8a62cc ("soc: qcom: rpmhpd: Add RPMh power domain driver")
+Reviewed-by: Rajendra Nayak <rnayak@codeaurora.org>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Reviewed-by: Sibi Sankar <sibis@codeaurora.org>
+Tested-by: Sibi Sankar <sibis@codeaurora.org>
+Link: https://lore.kernel.org/r/20210703005416.2668319-2-bjorn.andersson@linaro.org
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/qcom/rpmhpd.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/soc/qcom/rpmhpd.c b/drivers/soc/qcom/rpmhpd.c
+index 51850cc68b70..aa24237a7840 100644
+--- a/drivers/soc/qcom/rpmhpd.c
++++ b/drivers/soc/qcom/rpmhpd.c
+@@ -235,12 +235,11 @@ static int rpmhpd_power_on(struct generic_pm_domain *domain)
+ static int rpmhpd_power_off(struct generic_pm_domain *domain)
+ {
+ struct rpmhpd *pd = domain_to_rpmhpd(domain);
+- int ret = 0;
++ int ret;
+
+ mutex_lock(&rpmhpd_lock);
+
+- ret = rpmhpd_aggregate_corner(pd, pd->level[0]);
+-
++ ret = rpmhpd_aggregate_corner(pd, 0);
+ if (!ret)
+ pd->enabled = false;
+
+--
+2.30.2
+
--- /dev/null
+From b2a655a91a1cd7b1194c6261ef136231acfeb9d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jul 2021 15:57:03 +0200
+Subject: soc: qcom: smsm: Fix missed interrupts if state changes while masked
+
+From: Stephan Gerhold <stephan@gerhold.net>
+
+[ Upstream commit e3d4571955050736bbf3eda0a9538a09d9fcfce8 ]
+
+The SMSM driver detects interrupt edges by tracking the last state
+it has seen (and has triggered the interrupt handler for). This works
+fine, but only if the interrupt does not change state while masked.
+
+For example, if an interrupt is unmasked while the state is HIGH,
+the stored last_value for that interrupt might still be LOW. Then,
+when the remote processor triggers smsm_intr() we assume that nothing
+has changed, even though the state might have changed from HIGH to LOW.
+
+Attempt to fix this by checking the current remote state before
+unmasking an IRQ. Use atomic operations to avoid the interrupt handler
+from interfering with the unmask function.
+
+This fixes modem crashes in some edge cases with the BAM-DMUX driver.
+Specifically, the BAM-DMUX interrupt handler is not called for the
+HIGH -> LOW smsm state transition if the BAM-DMUX driver is loaded
+(and therefore unmasks the interrupt) after the modem was already started:
+
+qcom-q6v5-mss 4080000.remoteproc: fatal error received: a2_task.c:3188:
+ Assert FALSE failed: A2 DL PER deadlock timer expired waiting for Apps ACK
+
+Fixes: c97c4090ff72 ("soc: qcom: smsm: Add driver for Qualcomm SMSM")
+Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
+Link: https://lore.kernel.org/r/20210712135703.324748-2-stephan@gerhold.net
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/qcom/smsm.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/soc/qcom/smsm.c b/drivers/soc/qcom/smsm.c
+index 70c3c90b997c..c428d0f78816 100644
+--- a/drivers/soc/qcom/smsm.c
++++ b/drivers/soc/qcom/smsm.c
+@@ -109,7 +109,7 @@ struct smsm_entry {
+ DECLARE_BITMAP(irq_enabled, 32);
+ DECLARE_BITMAP(irq_rising, 32);
+ DECLARE_BITMAP(irq_falling, 32);
+- u32 last_value;
++ unsigned long last_value;
+
+ u32 *remote_state;
+ u32 *subscription;
+@@ -204,8 +204,7 @@ static irqreturn_t smsm_intr(int irq, void *data)
+ u32 val;
+
+ val = readl(entry->remote_state);
+- changed = val ^ entry->last_value;
+- entry->last_value = val;
++ changed = val ^ xchg(&entry->last_value, val);
+
+ for_each_set_bit(i, entry->irq_enabled, 32) {
+ if (!(changed & BIT(i)))
+@@ -266,6 +265,12 @@ static void smsm_unmask_irq(struct irq_data *irqd)
+ struct qcom_smsm *smsm = entry->smsm;
+ u32 val;
+
++ /* Make sure our last cached state is up-to-date */
++ if (readl(entry->remote_state) & BIT(irq))
++ set_bit(irq, &entry->last_value);
++ else
++ clear_bit(irq, &entry->last_value);
++
+ set_bit(irq, entry->irq_enabled);
+
+ if (entry->subscription) {
+--
+2.30.2
+
--- /dev/null
+From fdbb8611941a37b8f7c9e967d11f80ea0024945f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Feb 2021 15:38:55 +0100
+Subject: soc: rockchip: ROCKCHIP_GRF should not default to y, unconditionally
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 2a1c55d4762dd34a8b0f2e36fb01b7b16b60735b ]
+
+Merely enabling CONFIG_COMPILE_TEST should not enable additional code.
+To fix this, restrict the automatic enabling of ROCKCHIP_GRF to
+ARCH_ROCKCHIP, and ask the user in case of compile-testing.
+
+Fixes: 4c58063d4258f6be ("soc: rockchip: add driver handling grf setup")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20210208143855.418374-1-geert+renesas@glider.be
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/rockchip/Kconfig | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/soc/rockchip/Kconfig b/drivers/soc/rockchip/Kconfig
+index b71b73bf5fc5..785990720479 100644
+--- a/drivers/soc/rockchip/Kconfig
++++ b/drivers/soc/rockchip/Kconfig
+@@ -6,8 +6,8 @@ if ARCH_ROCKCHIP || COMPILE_TEST
+ #
+
+ config ROCKCHIP_GRF
+- bool
+- default y
++ bool "Rockchip General Register Files support" if COMPILE_TEST
++ default y if ARCH_ROCKCHIP
+ help
+ The General Register Files are a central component providing
+ special additional settings registers for a lot of soc-components.
+--
+2.30.2
+
--- /dev/null
+From cf437420e79e737510b6078dee7f8e4abb7b4e0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 11:17:26 +0300
+Subject: spi: spi-fsl-dspi: Fix issue with uninitialized dma_slave_config
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit 209ab223ad5b18e437289235e3bde12593b94ac4 ]
+
+Depending on the DMA driver being used, the struct dma_slave_config may
+need to be initialized to zero for the unused data.
+
+For example, we have three DMA drivers using src_port_window_size and
+dst_port_window_size. If these are left uninitialized, it can cause DMA
+failures.
+
+For spi-fsl-dspi, this is probably not currently an issue but is still
+good to fix though.
+
+Fixes: 90ba37033cb9 ("spi: spi-fsl-dspi: Add DMA support for Vybrid")
+Cc: Sanchayan Maity <maitysanchayan@gmail.com>
+Cc: Vladimir Oltean <vladimir.oltean@nxp.com>
+Cc: Peter Ujfalusi <peter.ujfalusi@gmail.com>
+Cc: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Acked-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Link: https://lore.kernel.org/r/20210810081727.19491-1-tony@atomide.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-fsl-dspi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/spi/spi-fsl-dspi.c b/drivers/spi/spi-fsl-dspi.c
+index 40dccc580e86..3e0200618af3 100644
+--- a/drivers/spi/spi-fsl-dspi.c
++++ b/drivers/spi/spi-fsl-dspi.c
+@@ -423,6 +423,7 @@ static int dspi_request_dma(struct fsl_dspi *dspi, phys_addr_t phy_addr)
+ goto err_rx_dma_buf;
+ }
+
++ memset(&cfg, 0, sizeof(cfg));
+ cfg.src_addr = phy_addr + SPI_POPR;
+ cfg.dst_addr = phy_addr + SPI_PUSHR;
+ cfg.src_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES;
+--
+2.30.2
+
--- /dev/null
+From 34b4b1a4fd03a6460380876e454edb28ce795244 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 11:17:27 +0300
+Subject: spi: spi-pic32: Fix issue with uninitialized dma_slave_config
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit 976c1de1de147bb7f4e0d87482f375221c05aeaf ]
+
+Depending on the DMA driver being used, the struct dma_slave_config may
+need to be initialized to zero for the unused data.
+
+For example, we have three DMA drivers using src_port_window_size and
+dst_port_window_size. If these are left uninitialized, it can cause DMA
+failures.
+
+For spi-pic32, this is probably not currently an issue but is still good to
+fix though.
+
+Fixes: 1bcb9f8ceb67 ("spi: spi-pic32: Add PIC32 SPI master driver")
+Cc: Purna Chandra Mandal <purna.mandal@microchip.com>
+Cc: Peter Ujfalusi <peter.ujfalusi@gmail.com>
+Cc: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Link: https://lore.kernel.org/r/20210810081727.19491-2-tony@atomide.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-pic32.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/spi/spi-pic32.c b/drivers/spi/spi-pic32.c
+index 8272bde5d706..b5268b0d7b4c 100644
+--- a/drivers/spi/spi-pic32.c
++++ b/drivers/spi/spi-pic32.c
+@@ -361,6 +361,7 @@ static int pic32_spi_dma_config(struct pic32_spi *pic32s, u32 dma_width)
+ struct dma_slave_config cfg;
+ int ret;
+
++ memset(&cfg, 0, sizeof(cfg));
+ cfg.device_fc = true;
+ cfg.src_addr = pic32s->dma_base + buf_offset;
+ cfg.dst_addr = pic32s->dma_base + buf_offset;
+--
+2.30.2
+
--- /dev/null
+From f8ba9a0c519147a38b27b11bb31b0ebdff179cea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Aug 2021 08:59:30 +0800
+Subject: spi: spi-zynq-qspi: use wait_for_completion_timeout to make
+ zynq_qspi_exec_mem_op not interruptible
+
+From: Quanyang Wang <quanyang.wang@windriver.com>
+
+[ Upstream commit 26cfc0dbe43aae60dc03af27077775244f26c167 ]
+
+The function wait_for_completion_interruptible_timeout will return
+-ERESTARTSYS immediately when receiving SIGKILL signal which is sent
+by "jffs2_gcd_mtd" during umounting jffs2. This will break the SPI memory
+operation because the data transmitting may begin before the command or
+address transmitting completes. Use wait_for_completion_timeout to prevent
+the process from being interruptible.
+
+Fixes: 67dca5e580f1 ("spi: spi-mem: Add support for Zynq QSPI controller")
+Signed-off-by: Quanyang Wang <quanyang.wang@windriver.com>
+Link: https://lore.kernel.org/r/20210826005930.20572-1-quanyang.wang@windriver.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-zynq-qspi.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/spi/spi-zynq-qspi.c b/drivers/spi/spi-zynq-qspi.c
+index 5cf6993ddce5..1ced6eb8b330 100644
+--- a/drivers/spi/spi-zynq-qspi.c
++++ b/drivers/spi/spi-zynq-qspi.c
+@@ -533,7 +533,7 @@ static int zynq_qspi_exec_mem_op(struct spi_mem *mem,
+ zynq_qspi_write_op(xqspi, ZYNQ_QSPI_FIFO_DEPTH, true);
+ zynq_qspi_write(xqspi, ZYNQ_QSPI_IEN_OFFSET,
+ ZYNQ_QSPI_IXR_RXTX_MASK);
+- if (!wait_for_completion_interruptible_timeout(&xqspi->data_completion,
++ if (!wait_for_completion_timeout(&xqspi->data_completion,
+ msecs_to_jiffies(1000)))
+ err = -ETIMEDOUT;
+ }
+@@ -551,7 +551,7 @@ static int zynq_qspi_exec_mem_op(struct spi_mem *mem,
+ zynq_qspi_write_op(xqspi, ZYNQ_QSPI_FIFO_DEPTH, true);
+ zynq_qspi_write(xqspi, ZYNQ_QSPI_IEN_OFFSET,
+ ZYNQ_QSPI_IXR_RXTX_MASK);
+- if (!wait_for_completion_interruptible_timeout(&xqspi->data_completion,
++ if (!wait_for_completion_timeout(&xqspi->data_completion,
+ msecs_to_jiffies(1000)))
+ err = -ETIMEDOUT;
+ }
+@@ -567,7 +567,7 @@ static int zynq_qspi_exec_mem_op(struct spi_mem *mem,
+ zynq_qspi_write_op(xqspi, ZYNQ_QSPI_FIFO_DEPTH, true);
+ zynq_qspi_write(xqspi, ZYNQ_QSPI_IEN_OFFSET,
+ ZYNQ_QSPI_IXR_RXTX_MASK);
+- if (!wait_for_completion_interruptible_timeout(&xqspi->data_completion,
++ if (!wait_for_completion_timeout(&xqspi->data_completion,
+ msecs_to_jiffies(1000)))
+ err = -ETIMEDOUT;
+
+@@ -591,7 +591,7 @@ static int zynq_qspi_exec_mem_op(struct spi_mem *mem,
+ zynq_qspi_write_op(xqspi, ZYNQ_QSPI_FIFO_DEPTH, true);
+ zynq_qspi_write(xqspi, ZYNQ_QSPI_IEN_OFFSET,
+ ZYNQ_QSPI_IXR_RXTX_MASK);
+- if (!wait_for_completion_interruptible_timeout(&xqspi->data_completion,
++ if (!wait_for_completion_timeout(&xqspi->data_completion,
+ msecs_to_jiffies(1000)))
+ err = -ETIMEDOUT;
+ }
+--
+2.30.2
+
--- /dev/null
+From 4a3e5372162c033da3339bbfb4084b62897a0f09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Aug 2021 17:15:46 +0800
+Subject: spi: sprd: Fix the wrong WDG_LOAD_VAL
+
+From: Chunyan Zhang <chunyan.zhang@unisoc.com>
+
+[ Upstream commit 245ca2cc212bb2a078332ec99afbfbb202f44c2d ]
+
+Use 50ms as default timeout value and the time clock is 32768HZ.
+The original value of WDG_LOAD_VAL is not correct, so this patch
+fixes it.
+
+Fixes: ac1775012058 ("spi: sprd: Add the support of restarting the system")
+Signed-off-by: Chunyan Zhang <chunyan.zhang@unisoc.com>
+Link: https://lore.kernel.org/r/20210826091549.2138125-2-zhang.lyra@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-sprd-adi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-sprd-adi.c b/drivers/spi/spi-sprd-adi.c
+index 09f983524d51..e804a3854c35 100644
+--- a/drivers/spi/spi-sprd-adi.c
++++ b/drivers/spi/spi-sprd-adi.c
+@@ -102,7 +102,7 @@
+ #define HWRST_STATUS_WATCHDOG 0xf0
+
+ /* Use default timeout 50 ms that converts to watchdog values */
+-#define WDG_LOAD_VAL ((50 * 1000) / 32768)
++#define WDG_LOAD_VAL ((50 * 32768) / 1000)
+ #define WDG_LOAD_MASK GENMASK(15, 0)
+ #define WDG_UNLOCK_KEY 0xe551
+
+--
+2.30.2
+
--- /dev/null
+From d111cb056f302a1bab43a9268b483dd7adb77077 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Jul 2021 13:05:41 -0700
+Subject: tcp: seq_file: Avoid skipping sk during tcp_seek_last_pos
+
+From: Martin KaFai Lau <kafai@fb.com>
+
+[ Upstream commit 525e2f9fd0229eb10cb460a9e6d978257f24804e ]
+
+st->bucket stores the current bucket number.
+st->offset stores the offset within this bucket that is the sk to be
+seq_show(). Thus, st->offset only makes sense within the same
+st->bucket.
+
+These two variables are an optimization for the common no-lseek case.
+When resuming the seq_file iteration (i.e. seq_start()),
+tcp_seek_last_pos() tries to continue from the st->offset
+at bucket st->bucket.
+
+However, it is possible that the bucket pointed by st->bucket
+has changed and st->offset may end up skipping the whole st->bucket
+without finding a sk. In this case, tcp_seek_last_pos() currently
+continues to satisfy the offset condition in the next (and incorrect)
+bucket. Instead, regardless of the offset value, the first sk of the
+next bucket should be returned. Thus, "bucket == st->bucket" check is
+added to tcp_seek_last_pos().
+
+The chance of hitting this is small and the issue is a decade old,
+so targeting for the next tree.
+
+Fixes: a8b690f98baf ("tcp: Fix slowness in read /proc/net/tcp")
+Signed-off-by: Martin KaFai Lau <kafai@fb.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Kuniyuki Iwashima <kuniyu@amazon.co.jp>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/bpf/20210701200541.1033917-1-kafai@fb.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_ipv4.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 91788ff19a5d..2ce85e52aea7 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -2304,6 +2304,7 @@ static void *tcp_get_idx(struct seq_file *seq, loff_t pos)
+ static void *tcp_seek_last_pos(struct seq_file *seq)
+ {
+ struct tcp_iter_state *st = seq->private;
++ int bucket = st->bucket;
+ int offset = st->offset;
+ int orig_num = st->num;
+ void *rc = NULL;
+@@ -2314,7 +2315,7 @@ static void *tcp_seek_last_pos(struct seq_file *seq)
+ break;
+ st->state = TCP_SEQ_STATE_LISTENING;
+ rc = listening_get_next(seq, NULL);
+- while (offset-- && rc)
++ while (offset-- && rc && bucket == st->bucket)
+ rc = listening_get_next(seq, rc);
+ if (rc)
+ break;
+@@ -2325,7 +2326,7 @@ static void *tcp_seek_last_pos(struct seq_file *seq)
+ if (st->bucket > tcp_hashinfo.ehash_mask)
+ break;
+ rc = established_get_first(seq);
+- while (offset-- && rc)
++ while (offset-- && rc && bucket == st->bucket)
+ rc = established_get_next(seq, rc);
+ }
+
+--
+2.30.2
+
--- /dev/null
+From e4fd3c661204caf949fe64d4448640350cd91b3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Aug 2021 10:10:33 +0800
+Subject: tty: serial: fsl_lpuart: fix the wrong mapbase value
+
+From: Andy Duan <fugang.duan@nxp.com>
+
+[ Upstream commit d5c38948448abc2bb6b36dbf85a554bf4748885e ]
+
+Register offset needs to be applied on mapbase also.
+dma_tx/rx_request use the physical address of UARTDATA.
+Register offset is currently only applied to membase (the
+corresponding virtual addr) but not on mapbase.
+
+Fixes: 24b1e5f0e83c ("tty: serial: lpuart: add imx7ulp support")
+Reviewed-by: Leonard Crestez <leonard.crestez@nxp.com>
+Signed-off-by: Adriana Reus <adriana.reus@nxp.com>
+Signed-off-by: Sherry Sun <sherry.sun@nxp.com>
+Signed-off-by: Andy Duan <fugang.duan@nxp.com>
+Link: https://lore.kernel.org/r/20210819021033.32606-1-sherry.sun@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/fsl_lpuart.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c
+index b053345dfd1a..13e705b53217 100644
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -2414,7 +2414,7 @@ static int lpuart_probe(struct platform_device *pdev)
+ return PTR_ERR(sport->port.membase);
+
+ sport->port.membase += sdata->reg_off;
+- sport->port.mapbase = res->start;
++ sport->port.mapbase = res->start + sdata->reg_off;
+ sport->port.dev = &pdev->dev;
+ sport->port.type = PORT_LPUART;
+ sport->devtype = sdata->devtype;
+--
+2.30.2
+
--- /dev/null
+From fc78f37c2458e4156fe90aefb6720a863cf10438 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 May 2021 11:39:03 +0200
+Subject: udf: Check LVID earlier
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 781d2a9a2fc7d0be53a072794dc03ef6de770f3d ]
+
+We were checking validity of LVID entries only when getting
+implementation use information from LVID in udf_sb_lvidiu(). However if
+the LVID is suitably corrupted, it can cause problems also to code such
+as udf_count_free() which doesn't use udf_sb_lvidiu(). So check validity
+of LVID already when loading it from the disk and just disable LVID
+altogether when it is not valid.
+
+Reported-by: syzbot+7fbfe5fed73ebb675748@syzkaller.appspotmail.com
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/udf/super.c | 25 ++++++++++++++++---------
+ 1 file changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/fs/udf/super.c b/fs/udf/super.c
+index 8bb001c7927f..a1efcf0593cb 100644
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -108,16 +108,10 @@ struct logicalVolIntegrityDescImpUse *udf_sb_lvidiu(struct super_block *sb)
+ return NULL;
+ lvid = (struct logicalVolIntegrityDesc *)UDF_SB(sb)->s_lvid_bh->b_data;
+ partnum = le32_to_cpu(lvid->numOfPartitions);
+- if ((sb->s_blocksize - sizeof(struct logicalVolIntegrityDescImpUse) -
+- offsetof(struct logicalVolIntegrityDesc, impUse)) /
+- (2 * sizeof(uint32_t)) < partnum) {
+- udf_err(sb, "Logical volume integrity descriptor corrupted "
+- "(numOfPartitions = %u)!\n", partnum);
+- return NULL;
+- }
+ /* The offset is to skip freeSpaceTable and sizeTable arrays */
+ offset = partnum * 2 * sizeof(uint32_t);
+- return (struct logicalVolIntegrityDescImpUse *)&(lvid->impUse[offset]);
++ return (struct logicalVolIntegrityDescImpUse *)
++ (((uint8_t *)(lvid + 1)) + offset);
+ }
+
+ /* UDF filesystem type */
+@@ -1548,6 +1542,7 @@ static void udf_load_logicalvolint(struct super_block *sb, struct kernel_extent_
+ struct udf_sb_info *sbi = UDF_SB(sb);
+ struct logicalVolIntegrityDesc *lvid;
+ int indirections = 0;
++ u32 parts, impuselen;
+
+ while (++indirections <= UDF_MAX_LVID_NESTING) {
+ final_bh = NULL;
+@@ -1574,15 +1569,27 @@ static void udf_load_logicalvolint(struct super_block *sb, struct kernel_extent_
+
+ lvid = (struct logicalVolIntegrityDesc *)final_bh->b_data;
+ if (lvid->nextIntegrityExt.extLength == 0)
+- return;
++ goto check;
+
+ loc = leea_to_cpu(lvid->nextIntegrityExt);
+ }
+
+ udf_warn(sb, "Too many LVID indirections (max %u), ignoring.\n",
+ UDF_MAX_LVID_NESTING);
++out_err:
+ brelse(sbi->s_lvid_bh);
+ sbi->s_lvid_bh = NULL;
++ return;
++check:
++ parts = le32_to_cpu(lvid->numOfPartitions);
++ impuselen = le32_to_cpu(lvid->lengthOfImpUse);
++ if (parts >= sb->s_blocksize || impuselen >= sb->s_blocksize ||
++ sizeof(struct logicalVolIntegrityDesc) + impuselen +
++ 2 * parts * sizeof(u32) > sb->s_blocksize) {
++ udf_warn(sb, "Corrupted LVID (parts=%u, impuselen=%u), "
++ "ignoring.\n", parts, impuselen);
++ goto out_err;
++ }
+ }
+
+ /*
+--
+2.30.2
+
--- /dev/null
+From 9778f2391703cf2fbe82c56c0eb54c14a83e4d92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Aug 2021 18:24:36 +0200
+Subject: udf: Fix iocharset=utf8 mount option
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit b645333443712d2613e4e863f81090d5dc509657 ]
+
+Currently iocharset=utf8 mount option is broken. To use UTF-8 as iocharset,
+it is required to use utf8 mount option.
+
+Fix iocharset=utf8 mount option to use be equivalent to the utf8 mount
+option.
+
+If UTF-8 as iocharset is used then s_nls_map is set to NULL. So simplify
+code around, remove UDF_FLAG_NLS_MAP and UDF_FLAG_UTF8 flags as to
+distinguish between UTF-8 and non-UTF-8 it is needed just to check if
+s_nls_map set to NULL or not.
+
+Link: https://lore.kernel.org/r/20210808162453.1653-4-pali@kernel.org
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/udf/super.c | 50 ++++++++++++++++++------------------------------
+ fs/udf/udf_sb.h | 2 --
+ fs/udf/unicode.c | 4 ++--
+ 3 files changed, 21 insertions(+), 35 deletions(-)
+
+diff --git a/fs/udf/super.c b/fs/udf/super.c
+index a1efcf0593cb..5663bae95700 100644
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -343,10 +343,10 @@ static int udf_show_options(struct seq_file *seq, struct dentry *root)
+ seq_printf(seq, ",lastblock=%u", sbi->s_last_block);
+ if (sbi->s_anchor != 0)
+ seq_printf(seq, ",anchor=%u", sbi->s_anchor);
+- if (UDF_QUERY_FLAG(sb, UDF_FLAG_UTF8))
+- seq_puts(seq, ",utf8");
+- if (UDF_QUERY_FLAG(sb, UDF_FLAG_NLS_MAP) && sbi->s_nls_map)
++ if (sbi->s_nls_map)
+ seq_printf(seq, ",iocharset=%s", sbi->s_nls_map->charset);
++ else
++ seq_puts(seq, ",iocharset=utf8");
+
+ return 0;
+ }
+@@ -551,19 +551,24 @@ static int udf_parse_options(char *options, struct udf_options *uopt,
+ /* Ignored (never implemented properly) */
+ break;
+ case Opt_utf8:
+- uopt->flags |= (1 << UDF_FLAG_UTF8);
++ if (!remount) {
++ unload_nls(uopt->nls_map);
++ uopt->nls_map = NULL;
++ }
+ break;
+ case Opt_iocharset:
+ if (!remount) {
+- if (uopt->nls_map)
+- unload_nls(uopt->nls_map);
+- /*
+- * load_nls() failure is handled later in
+- * udf_fill_super() after all options are
+- * parsed.
+- */
++ unload_nls(uopt->nls_map);
++ uopt->nls_map = NULL;
++ }
++ /* When nls_map is not loaded then UTF-8 is used */
++ if (!remount && strcmp(args[0].from, "utf8") != 0) {
+ uopt->nls_map = load_nls(args[0].from);
+- uopt->flags |= (1 << UDF_FLAG_NLS_MAP);
++ if (!uopt->nls_map) {
++ pr_err("iocharset %s not found\n",
++ args[0].from);
++ return 0;
++ }
+ }
+ break;
+ case Opt_uforget:
+@@ -2152,21 +2157,6 @@ static int udf_fill_super(struct super_block *sb, void *options, int silent)
+ if (!udf_parse_options((char *)options, &uopt, false))
+ goto parse_options_failure;
+
+- if (uopt.flags & (1 << UDF_FLAG_UTF8) &&
+- uopt.flags & (1 << UDF_FLAG_NLS_MAP)) {
+- udf_err(sb, "utf8 cannot be combined with iocharset\n");
+- goto parse_options_failure;
+- }
+- if ((uopt.flags & (1 << UDF_FLAG_NLS_MAP)) && !uopt.nls_map) {
+- uopt.nls_map = load_nls_default();
+- if (!uopt.nls_map)
+- uopt.flags &= ~(1 << UDF_FLAG_NLS_MAP);
+- else
+- udf_debug("Using default NLS map\n");
+- }
+- if (!(uopt.flags & (1 << UDF_FLAG_NLS_MAP)))
+- uopt.flags |= (1 << UDF_FLAG_UTF8);
+-
+ fileset.logicalBlockNum = 0xFFFFFFFF;
+ fileset.partitionReferenceNum = 0xFFFF;
+
+@@ -2321,8 +2311,7 @@ static int udf_fill_super(struct super_block *sb, void *options, int silent)
+ error_out:
+ iput(sbi->s_vat_inode);
+ parse_options_failure:
+- if (uopt.nls_map)
+- unload_nls(uopt.nls_map);
++ unload_nls(uopt.nls_map);
+ if (lvid_open)
+ udf_close_lvid(sb);
+ brelse(sbi->s_lvid_bh);
+@@ -2372,8 +2361,7 @@ static void udf_put_super(struct super_block *sb)
+ sbi = UDF_SB(sb);
+
+ iput(sbi->s_vat_inode);
+- if (UDF_QUERY_FLAG(sb, UDF_FLAG_NLS_MAP))
+- unload_nls(sbi->s_nls_map);
++ unload_nls(sbi->s_nls_map);
+ if (!sb_rdonly(sb))
+ udf_close_lvid(sb);
+ brelse(sbi->s_lvid_bh);
+diff --git a/fs/udf/udf_sb.h b/fs/udf/udf_sb.h
+index 3d83be54c474..8eace7a633d3 100644
+--- a/fs/udf/udf_sb.h
++++ b/fs/udf/udf_sb.h
+@@ -20,8 +20,6 @@
+ #define UDF_FLAG_UNDELETE 6
+ #define UDF_FLAG_UNHIDE 7
+ #define UDF_FLAG_VARCONV 8
+-#define UDF_FLAG_NLS_MAP 9
+-#define UDF_FLAG_UTF8 10
+ #define UDF_FLAG_UID_FORGET 11 /* save -1 for uid to disk */
+ #define UDF_FLAG_GID_FORGET 12
+ #define UDF_FLAG_UID_SET 13
+diff --git a/fs/udf/unicode.c b/fs/udf/unicode.c
+index 5fcfa96463eb..622569007b53 100644
+--- a/fs/udf/unicode.c
++++ b/fs/udf/unicode.c
+@@ -177,7 +177,7 @@ static int udf_name_from_CS0(struct super_block *sb,
+ return 0;
+ }
+
+- if (UDF_QUERY_FLAG(sb, UDF_FLAG_NLS_MAP))
++ if (UDF_SB(sb)->s_nls_map)
+ conv_f = UDF_SB(sb)->s_nls_map->uni2char;
+ else
+ conv_f = NULL;
+@@ -285,7 +285,7 @@ static int udf_name_to_CS0(struct super_block *sb,
+ if (ocu_max_len <= 0)
+ return 0;
+
+- if (UDF_QUERY_FLAG(sb, UDF_FLAG_NLS_MAP))
++ if (UDF_SB(sb)->s_nls_map)
+ conv_f = UDF_SB(sb)->s_nls_map->char2uni;
+ else
+ conv_f = NULL;
+--
+2.30.2
+
--- /dev/null
+From 800d1a14cb0e20dccce1199fc40ca13f1dae0d97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 22 Aug 2021 11:33:32 +0200
+Subject: udf_get_extendedattr() had no boundary checks.
+
+From: Stian Skjelstad <stian.skjelstad@gmail.com>
+
+[ Upstream commit 58bc6d1be2f3b0ceecb6027dfa17513ec6aa2abb ]
+
+When parsing the ExtendedAttr data, malicous or corrupt attribute length
+could cause kernel hangs and buffer overruns in some special cases.
+
+Link: https://lore.kernel.org/r/20210822093332.25234-1-stian.skjelstad@gmail.com
+Signed-off-by: Stian Skjelstad <stian.skjelstad@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/udf/misc.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/fs/udf/misc.c b/fs/udf/misc.c
+index 401e64cde1be..853bcff51043 100644
+--- a/fs/udf/misc.c
++++ b/fs/udf/misc.c
+@@ -173,13 +173,22 @@ struct genericFormat *udf_get_extendedattr(struct inode *inode, uint32_t type,
+ else
+ offset = le32_to_cpu(eahd->appAttrLocation);
+
+- while (offset < iinfo->i_lenEAttr) {
++ while (offset + sizeof(*gaf) < iinfo->i_lenEAttr) {
++ uint32_t attrLength;
++
+ gaf = (struct genericFormat *)&ea[offset];
++ attrLength = le32_to_cpu(gaf->attrLength);
++
++ /* Detect undersized elements and buffer overflows */
++ if ((attrLength < sizeof(*gaf)) ||
++ (attrLength > (iinfo->i_lenEAttr - offset)))
++ break;
++
+ if (le32_to_cpu(gaf->attrType) == type &&
+ gaf->attrSubtype == subtype)
+ return gaf;
+ else
+- offset += le32_to_cpu(gaf->attrLength);
++ offset += attrLength;
+ }
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 4d30efd6cffa3f7be0e0f65bf0f1db5fb2455f19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Aug 2021 21:32:38 +0200
+Subject: usb: bdc: Fix an error handling path in 'bdc_probe()' when no
+ suitable DMA config is available
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit d2f42e09393c774ab79088d8e3afcc62b3328fc9 ]
+
+If no suitable DMA configuration is available, a previous 'bdc_phy_init()'
+call must be undone by a corresponding 'bdc_phy_exit()' call.
+
+Branch to the existing error handling path instead of returning
+directly.
+
+Fixes: cc29d4f67757 ("usb: bdc: Add support for USB phy")
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/0c5910979f39225d5d8fe68c9ab1c147c68ddee1.1629314734.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/bdc/bdc_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/bdc/bdc_core.c b/drivers/usb/gadget/udc/bdc/bdc_core.c
+index 3d33499db50b..845aead48d85 100644
+--- a/drivers/usb/gadget/udc/bdc/bdc_core.c
++++ b/drivers/usb/gadget/udc/bdc/bdc_core.c
+@@ -565,7 +565,8 @@ static int bdc_probe(struct platform_device *pdev)
+ if (ret) {
+ dev_err(dev,
+ "No suitable DMA config available, abort\n");
+- return -ENOTSUPP;
++ ret = -ENOTSUPP;
++ goto phycleanup;
+ }
+ dev_dbg(dev, "Using 32-bit address\n");
+ }
+--
+2.30.2
+
--- /dev/null
+From 9a62d46cbaf2e4e3333fb24878c94daf93bf7018 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Aug 2021 20:09:02 +0300
+Subject: usb: ehci-orion: Handle errors of clk_prepare_enable() in probe
+
+From: Evgeny Novikov <novikov@ispras.ru>
+
+[ Upstream commit 4720f1bf4ee4a784d9ece05420ba33c9222a3004 ]
+
+ehci_orion_drv_probe() did not account for possible errors of
+clk_prepare_enable() that in particular could cause invocation of
+clk_disable_unprepare() on clocks that were not prepared/enabled yet,
+e.g. in remove or on handling errors of usb_add_hcd() in probe. Though,
+there were several patches fixing different issues with clocks in this
+driver, they did not solve this problem.
+
+Add handling of errors of clk_prepare_enable() in ehci_orion_drv_probe()
+to avoid calls of clk_disable_unprepare() without previous successful
+invocation of clk_prepare_enable().
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Fixes: 8c869edaee07 ("ARM: Orion: EHCI: Add support for enabling clocks")
+Co-developed-by: Kirill Shilimanov <kirill.shilimanov@huawei.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
+Signed-off-by: Kirill Shilimanov <kirill.shilimanov@huawei.com>
+Link: https://lore.kernel.org/r/20210825170902.11234-1-novikov@ispras.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/ehci-orion.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/host/ehci-orion.c b/drivers/usb/host/ehci-orion.c
+index a319b1df3011..3626758b3e2a 100644
+--- a/drivers/usb/host/ehci-orion.c
++++ b/drivers/usb/host/ehci-orion.c
+@@ -264,8 +264,11 @@ static int ehci_orion_drv_probe(struct platform_device *pdev)
+ * the clock does not exists.
+ */
+ priv->clk = devm_clk_get(&pdev->dev, NULL);
+- if (!IS_ERR(priv->clk))
+- clk_prepare_enable(priv->clk);
++ if (!IS_ERR(priv->clk)) {
++ err = clk_prepare_enable(priv->clk);
++ if (err)
++ goto err_put_hcd;
++ }
+
+ priv->phy = devm_phy_optional_get(&pdev->dev, "usb");
+ if (IS_ERR(priv->phy)) {
+@@ -311,6 +314,7 @@ static int ehci_orion_drv_probe(struct platform_device *pdev)
+ err_dis_clk:
+ if (!IS_ERR(priv->clk))
+ clk_disable_unprepare(priv->clk);
++err_put_hcd:
+ usb_put_hcd(hcd);
+ err:
+ dev_err(&pdev->dev, "init %s fail, %d\n",
+--
+2.30.2
+
--- /dev/null
+From d2b5af4c1c4ab270f7d91a8513c3db852080984b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Aug 2021 17:12:47 +0300
+Subject: usb: gadget: mv_u3d: request_irq() after initializing UDC
+
+From: Nadezda Lutovinova <lutovinova@ispras.ru>
+
+[ Upstream commit 2af0c5ffadaf9d13eca28409d4238b4e672942d3 ]
+
+If IRQ occurs between calling request_irq() and mv_u3d_eps_init(),
+then null pointer dereference occurs since u3d->eps[] wasn't
+initialized yet but used in mv_u3d_nuke().
+
+The patch puts registration of the interrupt handler after
+initializing of neccesery data.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Fixes: 90fccb529d24 ("usb: gadget: Gadget directory cleanup - group UDC drivers")
+Acked-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Nadezda Lutovinova <lutovinova@ispras.ru>
+Link: https://lore.kernel.org/r/20210818141247.4794-1-lutovinova@ispras.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/mv_u3d_core.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/mv_u3d_core.c b/drivers/usb/gadget/udc/mv_u3d_core.c
+index 35e02a8d0091..bdba3f48c052 100644
+--- a/drivers/usb/gadget/udc/mv_u3d_core.c
++++ b/drivers/usb/gadget/udc/mv_u3d_core.c
+@@ -1922,14 +1922,6 @@ static int mv_u3d_probe(struct platform_device *dev)
+ goto err_get_irq;
+ }
+ u3d->irq = r->start;
+- if (request_irq(u3d->irq, mv_u3d_irq,
+- IRQF_SHARED, driver_name, u3d)) {
+- u3d->irq = 0;
+- dev_err(&dev->dev, "Request irq %d for u3d failed\n",
+- u3d->irq);
+- retval = -ENODEV;
+- goto err_request_irq;
+- }
+
+ /* initialize gadget structure */
+ u3d->gadget.ops = &mv_u3d_ops; /* usb_gadget_ops */
+@@ -1942,6 +1934,15 @@ static int mv_u3d_probe(struct platform_device *dev)
+
+ mv_u3d_eps_init(u3d);
+
++ if (request_irq(u3d->irq, mv_u3d_irq,
++ IRQF_SHARED, driver_name, u3d)) {
++ u3d->irq = 0;
++ dev_err(&dev->dev, "Request irq %d for u3d failed\n",
++ u3d->irq);
++ retval = -ENODEV;
++ goto err_request_irq;
++ }
++
+ /* external vbus detection */
+ if (u3d->vbus) {
+ u3d->clock_gating = 1;
+@@ -1965,8 +1966,8 @@ static int mv_u3d_probe(struct platform_device *dev)
+
+ err_unregister:
+ free_irq(u3d->irq, u3d);
+-err_request_irq:
+ err_get_irq:
++err_request_irq:
+ kfree(u3d->status_req);
+ err_alloc_status_req:
+ kfree(u3d->eps);
+--
+2.30.2
+
--- /dev/null
+From e7b4a3edb16382a73c34f358338e125f106db461 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 23:27:28 +0300
+Subject: usb: gadget: udc: at91: add IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit 50855c31573b02963f0aa2aacfd4ea41c31ae0e0 ]
+
+The driver neglects to check the result of platform_get_irq()'s call and
+blithely passes the negative error codes to devm_request_irq() (which takes
+*unsigned* IRQ #), causing it to fail with -EINVAL, overriding an original
+error code. Stop calling devm_request_irq() with the invalid IRQ #s.
+
+Fixes: 8b2e76687b39 ("USB: AT91 UDC updates, mostly power management")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Acked-by: Felipe Balbi <balbi@kernel.org>
+Link: https://lore.kernel.org/r/6654a224-739a-1a80-12f0-76d920f87b6c@omp.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/at91_udc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/at91_udc.c b/drivers/usb/gadget/udc/at91_udc.c
+index 194ffb1ed462..d7714c94b119 100644
+--- a/drivers/usb/gadget/udc/at91_udc.c
++++ b/drivers/usb/gadget/udc/at91_udc.c
+@@ -1878,7 +1878,9 @@ static int at91udc_probe(struct platform_device *pdev)
+ clk_disable(udc->iclk);
+
+ /* request UDC and maybe VBUS irqs */
+- udc->udp_irq = platform_get_irq(pdev, 0);
++ udc->udp_irq = retval = platform_get_irq(pdev, 0);
++ if (retval < 0)
++ goto err_unprepare_iclk;
+ retval = devm_request_irq(dev, udc->udp_irq, at91_udc_irq, 0,
+ driver_name, udc);
+ if (retval) {
+--
+2.30.2
+
--- /dev/null
+From 8993ba6a0feeb5a83a88fcbcdf25377f9f4d3202 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Aug 2021 17:52:54 +0200
+Subject: usb: gadget: udc: renesas_usb3: Fix soc_device_match() abuse
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit cea45a3bd2dd4d9c35581328f571afd32b3c9f48 ]
+
+soc_device_match() is intended as a last resort, to handle e.g. quirks
+that cannot be handled by matching based on a compatible value.
+
+As the device nodes for the Renesas USB 3.0 Peripheral Controller on
+R-Car E3 and RZ/G2E do have SoC-specific compatible values, the latter
+can and should be used to match against these devices.
+
+This also fixes support for the USB 3.0 Peripheral Controller on the
+R-Car E3e (R8A779M6) SoC, which is a different grading of the R-Car E3
+(R8A77990) SoC, using the same SoC-specific compatible value.
+
+Fixes: 30025efa8b5e75f5 ("usb: gadget: udc: renesas_usb3: add support for r8a77990")
+Fixes: 546970fdab1da5fe ("usb: gadget: udc: renesas_usb3: add support for r8a774c0")
+Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/760981fb4cd110d7cbfc9dcffa365e7c8b25c6e5.1628696960.git.geert+renesas@glider.be
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/renesas_usb3.c | 17 +++++++----------
+ 1 file changed, 7 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/renesas_usb3.c b/drivers/usb/gadget/udc/renesas_usb3.c
+index 08a93cf68eff..b6653bc7acc2 100644
+--- a/drivers/usb/gadget/udc/renesas_usb3.c
++++ b/drivers/usb/gadget/udc/renesas_usb3.c
+@@ -2692,10 +2692,15 @@ static const struct renesas_usb3_priv renesas_usb3_priv_r8a77990 = {
+
+ static const struct of_device_id usb3_of_match[] = {
+ {
++ .compatible = "renesas,r8a774c0-usb3-peri",
++ .data = &renesas_usb3_priv_r8a77990,
++ }, {
+ .compatible = "renesas,r8a7795-usb3-peri",
+ .data = &renesas_usb3_priv_gen3,
+- },
+- {
++ }, {
++ .compatible = "renesas,r8a77990-usb3-peri",
++ .data = &renesas_usb3_priv_r8a77990,
++ }, {
+ .compatible = "renesas,rcar-gen3-usb3-peri",
+ .data = &renesas_usb3_priv_gen3,
+ },
+@@ -2704,18 +2709,10 @@ static const struct of_device_id usb3_of_match[] = {
+ MODULE_DEVICE_TABLE(of, usb3_of_match);
+
+ static const struct soc_device_attribute renesas_usb3_quirks_match[] = {
+- {
+- .soc_id = "r8a774c0",
+- .data = &renesas_usb3_priv_r8a77990,
+- },
+ {
+ .soc_id = "r8a7795", .revision = "ES1.*",
+ .data = &renesas_usb3_priv_r8a7795_es1,
+ },
+- {
+- .soc_id = "r8a77990",
+- .data = &renesas_usb3_priv_r8a77990,
+- },
+ { /* sentinel */ },
+ };
+
+--
+2.30.2
+
--- /dev/null
+From 7f667b60c9d9b5191c7c5c66cc756e4e70546b8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Aug 2021 23:30:18 +0300
+Subject: usb: host: ohci-tmio: add IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit 4ac5132e8a4300637a2da8f5d6bc7650db735b8a ]
+
+The driver neglects to check the result of platform_get_irq()'s call and
+blithely passes the negative error codes to usb_add_hcd() (which takes
+*unsigned* IRQ #), causing request_irq() that it calls to fail with
+-EINVAL, overriding an original error code. Stop calling usb_add_hcd()
+with the invalid IRQ #s.
+
+Fixes: 78c73414f4f6 ("USB: ohci: add support for tmio-ohci cell")
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/402e1a45-a0a4-0e08-566a-7ca1331506b1@omp.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/ohci-tmio.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/usb/host/ohci-tmio.c b/drivers/usb/host/ohci-tmio.c
+index fb6f5e9ae5c6..fed43c6dd85c 100644
+--- a/drivers/usb/host/ohci-tmio.c
++++ b/drivers/usb/host/ohci-tmio.c
+@@ -202,6 +202,9 @@ static int ohci_hcd_tmio_drv_probe(struct platform_device *dev)
+ if (!cell)
+ return -EINVAL;
+
++ if (irq < 0)
++ return irq;
++
+ hcd = usb_create_hcd(&ohci_tmio_hc_driver, &dev->dev, dev_name(&dev->dev));
+ if (!hcd) {
+ ret = -ENOMEM;
+--
+2.30.2
+
--- /dev/null
+From c2235e9014d26d7a529282cb4595a6b9067af2d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 23:50:18 +0300
+Subject: usb: phy: fsl-usb: add IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit ecc2f30dbb25969908115c81ec23650ed982b004 ]
+
+The driver neglects to check the result of platform_get_irq()'s call and
+blithely passes the negative error codes to request_irq() (which takes
+*unsigned* IRQ #), causing it to fail with -EINVAL, overriding an original
+error code. Stop calling request_irq() with the invalid IRQ #s.
+
+Fixes: 0807c500a1a6 ("USB: add Freescale USB OTG Transceiver driver")
+Acked-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/b0a86089-8b8b-122e-fd6d-73e8c2304964@omp.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/phy/phy-fsl-usb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/usb/phy/phy-fsl-usb.c b/drivers/usb/phy/phy-fsl-usb.c
+index b451f4695f3f..446c7bf67873 100644
+--- a/drivers/usb/phy/phy-fsl-usb.c
++++ b/drivers/usb/phy/phy-fsl-usb.c
+@@ -873,6 +873,8 @@ int usb_otg_start(struct platform_device *pdev)
+
+ /* request irq */
+ p_otg->irq = platform_get_irq(pdev, 0);
++ if (p_otg->irq < 0)
++ return p_otg->irq;
+ status = request_irq(p_otg->irq, fsl_otg_isr,
+ IRQF_SHARED, driver_name, p_otg);
+ if (status) {
+--
+2.30.2
+
--- /dev/null
+From 77bab70b2bc1af106057c08fe52c77977636d86a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Aug 2021 23:32:38 +0300
+Subject: usb: phy: tahvo: add IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit 0d45a1373e669880b8beaecc8765f44cb0241e47 ]
+
+The driver neglects to check the result of platform_get_irq()'s call and
+blithely passes the negative error codes to request_threaded_irq() (which
+takes *unsigned* IRQ #), causing it to fail with -EINVAL, overriding an
+original error code. Stop calling request_threaded_irq() with the invalid
+IRQ #s.
+
+Fixes: 9ba96ae5074c ("usb: omap1: Tahvo USB transceiver driver")
+Acked-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/8280d6a4-8e9a-7cfe-1aa9-db586dc9afdf@omp.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/phy/phy-tahvo.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/phy/phy-tahvo.c b/drivers/usb/phy/phy-tahvo.c
+index baebb1f5a973..a3e043e3e4aa 100644
+--- a/drivers/usb/phy/phy-tahvo.c
++++ b/drivers/usb/phy/phy-tahvo.c
+@@ -393,7 +393,9 @@ static int tahvo_usb_probe(struct platform_device *pdev)
+
+ dev_set_drvdata(&pdev->dev, tu);
+
+- tu->irq = platform_get_irq(pdev, 0);
++ tu->irq = ret = platform_get_irq(pdev, 0);
++ if (ret < 0)
++ return ret;
+ ret = request_threaded_irq(tu->irq, NULL, tahvo_usb_vbus_interrupt,
+ IRQF_ONESHOT,
+ "tahvo-vbus", tu);
+--
+2.30.2
+
--- /dev/null
+From c719228497ccc7c310672a7c030d993f7d237352 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 23:53:16 +0300
+Subject: usb: phy: twl6030: add IRQ checks
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit 0881e22c06e66af0b64773c91c8868ead3d01aa1 ]
+
+The driver neglects to check the result of platform_get_irq()'s calls and
+blithely passes the negative error codes to request_threaded_irq() (which
+takes *unsigned* IRQ #), causing them both to fail with -EINVAL, overriding
+an original error code. Stop calling request_threaded_irq() with the
+invalid IRQ #s.
+
+Fixes: c33fad0c3748 ("usb: otg: Adding twl6030-usb transceiver driver for OMAP4430")
+Acked-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/9507f50b-50f1-6dc4-f57c-3ed4e53a1c25@omp.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/phy/phy-twl6030-usb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/usb/phy/phy-twl6030-usb.c b/drivers/usb/phy/phy-twl6030-usb.c
+index 9a7e655d5280..9337c30f0743 100644
+--- a/drivers/usb/phy/phy-twl6030-usb.c
++++ b/drivers/usb/phy/phy-twl6030-usb.c
+@@ -348,6 +348,11 @@ static int twl6030_usb_probe(struct platform_device *pdev)
+ twl->irq2 = platform_get_irq(pdev, 1);
+ twl->linkstat = MUSB_UNKNOWN;
+
++ if (twl->irq1 < 0)
++ return twl->irq1;
++ if (twl->irq2 < 0)
++ return twl->irq2;
++
+ twl->comparator.set_vbus = twl6030_set_vbus;
+ twl->comparator.start_srp = twl6030_start_srp;
+
+--
+2.30.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
