--- /dev/null
+From 889300de06d03e95c3d6ca4b2ba63961a1744cf8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 24 Oct 2021 15:04:45 -0700
+Subject: ACPI: AC: Quirk GK45 to skip reading _PSR
+
+From: Stefan Schaeckeler <schaecsn@gmx.net>
+
+[ Upstream commit 3d730ee686800d71ecc5c3cb8460dcdcdeaf38a3 ]
+
+Let GK45 not go into BIOS for determining the AC power state.
+
+The BIOS wrongly returns 0, so hardcode the power state to 1.
+
+The mini PC GK45 by Besstar Tech Lld. (aka Kodlix) just runs
+off AC. It does not include any batteries. Nevertheless BIOS
+reports AC off:
+
+root@kodlix:/usr/src/linux# cat /sys/class/power_supply/ADP1/online
+0
+
+root@kodlix:/usr/src/linux# modprobe acpi_dbg
+root@kodlix:/usr/src/linux# tools/power/acpi/acpidbg
+
+- find _PSR
+ \_SB.PCI0.SBRG.H_EC.ADP1._PSR Method 000000009283cee8 001 Args 0 Len 001C Aml 00000000f54e5f67
+
+- execute \_SB.PCI0.SBRG.H_EC.ADP1._PSR
+Evaluating \_SB.PCI0.SBRG.H_EC.ADP1._PSR
+Evaluation of \_SB.PCI0.SBRG.H_EC.ADP1._PSR returned object 00000000dc08c187, external buffer length 18
+ [Integer] = 0000000000000000
+
+that should be
+
+ [Integer] = 0000000000000001
+
+Signed-off-by: Stefan Schaeckeler <schaecsn@gmx.net>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/ac.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/drivers/acpi/ac.c b/drivers/acpi/ac.c
+index 46a64e9fa7165..23ca1a1c67b75 100644
+--- a/drivers/acpi/ac.c
++++ b/drivers/acpi/ac.c
+@@ -64,6 +64,7 @@ static SIMPLE_DEV_PM_OPS(acpi_ac_pm, NULL, acpi_ac_resume);
+
+ static int ac_sleep_before_get_state_ms;
+ static int ac_check_pmic = 1;
++static int ac_only;
+
+ static struct acpi_driver acpi_ac_driver = {
+ .name = "ac",
+@@ -99,6 +100,11 @@ static int acpi_ac_get_state(struct acpi_ac *ac)
+ if (!ac)
+ return -EINVAL;
+
++ if (ac_only) {
++ ac->state = 1;
++ return 0;
++ }
++
+ status = acpi_evaluate_integer(ac->device->handle, "_PSR", NULL,
+ &ac->state);
+ if (ACPI_FAILURE(status)) {
+@@ -212,6 +218,12 @@ static int __init ac_do_not_check_pmic_quirk(const struct dmi_system_id *d)
+ return 0;
+ }
+
++static int __init ac_only_quirk(const struct dmi_system_id *d)
++{
++ ac_only = 1;
++ return 0;
++}
++
+ /* Please keep this list alphabetically sorted */
+ static const struct dmi_system_id ac_dmi_table[] __initconst = {
+ {
+@@ -221,6 +233,13 @@ static const struct dmi_system_id ac_dmi_table[] __initconst = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "EF20EA"),
+ },
+ },
++ {
++ /* Kodlix GK45 returning incorrect state */
++ .callback = ac_only_quirk,
++ .matches = {
++ DMI_MATCH(DMI_PRODUCT_NAME, "GK45"),
++ },
++ },
+ {
+ /* Lenovo Ideapad Miix 320, AXP288 PMIC, separate fuel-gauge */
+ .callback = ac_do_not_check_pmic_quirk,
+--
+2.33.0
+
--- /dev/null
+From bbf1a0adf8eb82a89edcd02beb1bdad7a08d8b62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Oct 2021 00:05:29 -0300
+Subject: ACPI: battery: Accept charges over the design capacity as full
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: André Almeida <andrealmeid@collabora.com>
+
+[ Upstream commit 2835f327bd1240508db2c89fe94a056faa53c49a ]
+
+Some buggy firmware and/or brand new batteries can support a charge that's
+slightly over the reported design capacity. In such cases, the kernel will
+report to userspace that the charging state of the battery is "Unknown",
+when in reality the battery charge is "Full", at least from the design
+capacity point of view. Make the fallback condition accepts capacities
+over the designed capacity so userspace knows that is full.
+
+Signed-off-by: André Almeida <andrealmeid@collabora.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/battery.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c
+index 08ee1c7b12e00..e04352c1dc2ce 100644
+--- a/drivers/acpi/battery.c
++++ b/drivers/acpi/battery.c
+@@ -174,7 +174,7 @@ static int acpi_battery_is_charged(struct acpi_battery *battery)
+ return 1;
+
+ /* fallback to using design values for broken batteries */
+- if (battery->design_capacity == battery->capacity_now)
++ if (battery->design_capacity <= battery->capacity_now)
+ return 1;
+
+ /* we don't do any sort of metric based on percentages */
+--
+2.33.0
+
--- /dev/null
+From e82bb9f6b586ff0631d75ed274faaed7b4c7d406 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Oct 2021 16:31:35 +0100
+Subject: ACPI: PMIC: Fix intel_pmic_regs_handler() read accesses
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 009a789443fe4c8e6b1ecb7c16b4865c026184cd ]
+
+The handling of PMIC register reads through writing 0 to address 4
+of the OpRegion is wrong. Instead of returning the read value
+through the value64, which is a no-op for function == ACPI_WRITE calls,
+store the value and then on a subsequent function == ACPI_READ with
+address == 3 (the address for the value field of the OpRegion)
+return the stored value.
+
+This has been tested on a Xiaomi Mi Pad 2 and makes the ACPI battery dev
+there mostly functional (unfortunately there are still other issues).
+
+Here are the SET() / GET() functions of the PMIC ACPI device,
+which use this OpRegion, which clearly show the new behavior to
+be correct:
+
+OperationRegion (REGS, 0x8F, Zero, 0x50)
+Field (REGS, ByteAcc, NoLock, Preserve)
+{
+ CLNT, 8,
+ SA, 8,
+ OFF, 8,
+ VAL, 8,
+ RWM, 8
+}
+
+Method (GET, 3, Serialized)
+{
+ If ((AVBE == One))
+ {
+ CLNT = Arg0
+ SA = Arg1
+ OFF = Arg2
+ RWM = Zero
+ If ((AVBG == One))
+ {
+ GPRW = Zero
+ }
+ }
+
+ Return (VAL) /* \_SB_.PCI0.I2C7.PMI5.VAL_ */
+}
+
+Method (SET, 4, Serialized)
+{
+ If ((AVBE == One))
+ {
+ CLNT = Arg0
+ SA = Arg1
+ OFF = Arg2
+ VAL = Arg3
+ RWM = One
+ If ((AVBG == One))
+ {
+ GPRW = One
+ }
+ }
+}
+
+Fixes: 0afa877a5650 ("ACPI / PMIC: intel: add REGS operation region support")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/pmic/intel_pmic.c | 51 +++++++++++++++++++---------------
+ 1 file changed, 28 insertions(+), 23 deletions(-)
+
+diff --git a/drivers/acpi/pmic/intel_pmic.c b/drivers/acpi/pmic/intel_pmic.c
+index a371f273f99dd..9cde299eba880 100644
+--- a/drivers/acpi/pmic/intel_pmic.c
++++ b/drivers/acpi/pmic/intel_pmic.c
+@@ -211,31 +211,36 @@ static acpi_status intel_pmic_regs_handler(u32 function,
+ void *handler_context, void *region_context)
+ {
+ struct intel_pmic_opregion *opregion = region_context;
+- int result = 0;
++ int result = -EINVAL;
++
++ if (function == ACPI_WRITE) {
++ switch (address) {
++ case 0:
++ return AE_OK;
++ case 1:
++ opregion->ctx.addr |= (*value64 & 0xff) << 8;
++ return AE_OK;
++ case 2:
++ opregion->ctx.addr |= *value64 & 0xff;
++ return AE_OK;
++ case 3:
++ opregion->ctx.val = *value64 & 0xff;
++ return AE_OK;
++ case 4:
++ if (*value64) {
++ result = regmap_write(opregion->regmap, opregion->ctx.addr,
++ opregion->ctx.val);
++ } else {
++ result = regmap_read(opregion->regmap, opregion->ctx.addr,
++ &opregion->ctx.val);
++ }
++ opregion->ctx.addr = 0;
++ }
++ }
+
+- switch (address) {
+- case 0:
+- return AE_OK;
+- case 1:
+- opregion->ctx.addr |= (*value64 & 0xff) << 8;
+- return AE_OK;
+- case 2:
+- opregion->ctx.addr |= *value64 & 0xff;
++ if (function == ACPI_READ && address == 3) {
++ *value64 = opregion->ctx.val;
+ return AE_OK;
+- case 3:
+- opregion->ctx.val = *value64 & 0xff;
+- return AE_OK;
+- case 4:
+- if (*value64) {
+- result = regmap_write(opregion->regmap, opregion->ctx.addr,
+- opregion->ctx.val);
+- } else {
+- result = regmap_read(opregion->regmap, opregion->ctx.addr,
+- &opregion->ctx.val);
+- if (result == 0)
+- *value64 = opregion->ctx.val;
+- }
+- memset(&opregion->ctx, 0x00, sizeof(opregion->ctx));
+ }
+
+ if (result < 0) {
+--
+2.33.0
+
--- /dev/null
+From 4f9e2617e168f5f9875808a50ea276e599fba056 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Sep 2021 18:31:25 +0200
+Subject: ACPICA: Avoid evaluating methods too early during system resume
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit d3c4b6f64ad356c0d9ddbcf73fa471e6a841cc5c ]
+
+ACPICA commit 0762982923f95eb652cf7ded27356b247c9774de
+
+During wakeup from system-wide sleep states, acpi_get_sleep_type_data()
+is called and it tries to get memory from the slab allocator in order
+to evaluate a control method, but if KFENCE is enabled in the kernel,
+the memory allocation attempt causes an IRQ work to be queued and a
+self-IPI to be sent to the CPU running the code which requires the
+memory controller to be ready, so if that happens too early in the
+wakeup path, it doesn't work.
+
+Prevent that from taking place by calling acpi_get_sleep_type_data()
+for S0 upfront, when preparing to enter a given sleep state, and
+saving the data obtained by it for later use during system wakeup.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=214271
+Reported-by: Reik Keutterling <spielkind@gmail.com>
+Tested-by: Reik Keutterling <spielkind@gmail.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpica/acglobal.h | 2 ++
+ drivers/acpi/acpica/hwesleep.c | 8 ++------
+ drivers/acpi/acpica/hwsleep.c | 11 ++++-------
+ drivers/acpi/acpica/hwxfsleep.c | 7 +++++++
+ 4 files changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/acpi/acpica/acglobal.h b/drivers/acpi/acpica/acglobal.h
+index 2fee91f57b213..bd84d7f95e5f9 100644
+--- a/drivers/acpi/acpica/acglobal.h
++++ b/drivers/acpi/acpica/acglobal.h
+@@ -226,6 +226,8 @@ extern struct acpi_bit_register_info
+ acpi_gbl_bit_register_info[ACPI_NUM_BITREG];
+ ACPI_GLOBAL(u8, acpi_gbl_sleep_type_a);
+ ACPI_GLOBAL(u8, acpi_gbl_sleep_type_b);
++ACPI_GLOBAL(u8, acpi_gbl_sleep_type_a_s0);
++ACPI_GLOBAL(u8, acpi_gbl_sleep_type_b_s0);
+
+ /*****************************************************************************
+ *
+diff --git a/drivers/acpi/acpica/hwesleep.c b/drivers/acpi/acpica/hwesleep.c
+index d9be5d0545d4c..4836a4b8b38b8 100644
+--- a/drivers/acpi/acpica/hwesleep.c
++++ b/drivers/acpi/acpica/hwesleep.c
+@@ -147,17 +147,13 @@ acpi_status acpi_hw_extended_sleep(u8 sleep_state)
+
+ acpi_status acpi_hw_extended_wake_prep(u8 sleep_state)
+ {
+- acpi_status status;
+ u8 sleep_type_value;
+
+ ACPI_FUNCTION_TRACE(hw_extended_wake_prep);
+
+- status = acpi_get_sleep_type_data(ACPI_STATE_S0,
+- &acpi_gbl_sleep_type_a,
+- &acpi_gbl_sleep_type_b);
+- if (ACPI_SUCCESS(status)) {
++ if (acpi_gbl_sleep_type_a_s0 != ACPI_SLEEP_TYPE_INVALID) {
+ sleep_type_value =
+- ((acpi_gbl_sleep_type_a << ACPI_X_SLEEP_TYPE_POSITION) &
++ ((acpi_gbl_sleep_type_a_s0 << ACPI_X_SLEEP_TYPE_POSITION) &
+ ACPI_X_SLEEP_TYPE_MASK);
+
+ (void)acpi_write((u64)(sleep_type_value | ACPI_X_SLEEP_ENABLE),
+diff --git a/drivers/acpi/acpica/hwsleep.c b/drivers/acpi/acpica/hwsleep.c
+index 317ae870336b7..fcc84d196238a 100644
+--- a/drivers/acpi/acpica/hwsleep.c
++++ b/drivers/acpi/acpica/hwsleep.c
+@@ -179,7 +179,7 @@ acpi_status acpi_hw_legacy_sleep(u8 sleep_state)
+
+ acpi_status acpi_hw_legacy_wake_prep(u8 sleep_state)
+ {
+- acpi_status status;
++ acpi_status status = AE_OK;
+ struct acpi_bit_register_info *sleep_type_reg_info;
+ struct acpi_bit_register_info *sleep_enable_reg_info;
+ u32 pm1a_control;
+@@ -192,10 +192,7 @@ acpi_status acpi_hw_legacy_wake_prep(u8 sleep_state)
+ * This is unclear from the ACPI Spec, but it is required
+ * by some machines.
+ */
+- status = acpi_get_sleep_type_data(ACPI_STATE_S0,
+- &acpi_gbl_sleep_type_a,
+- &acpi_gbl_sleep_type_b);
+- if (ACPI_SUCCESS(status)) {
++ if (acpi_gbl_sleep_type_a_s0 != ACPI_SLEEP_TYPE_INVALID) {
+ sleep_type_reg_info =
+ acpi_hw_get_bit_register_info(ACPI_BITREG_SLEEP_TYPE);
+ sleep_enable_reg_info =
+@@ -216,9 +213,9 @@ acpi_status acpi_hw_legacy_wake_prep(u8 sleep_state)
+
+ /* Insert the SLP_TYP bits */
+
+- pm1a_control |= (acpi_gbl_sleep_type_a <<
++ pm1a_control |= (acpi_gbl_sleep_type_a_s0 <<
+ sleep_type_reg_info->bit_position);
+- pm1b_control |= (acpi_gbl_sleep_type_b <<
++ pm1b_control |= (acpi_gbl_sleep_type_b_s0 <<
+ sleep_type_reg_info->bit_position);
+
+ /* Write the control registers and ignore any errors */
+diff --git a/drivers/acpi/acpica/hwxfsleep.c b/drivers/acpi/acpica/hwxfsleep.c
+index a4b66f4b27141..f1645d87864c3 100644
+--- a/drivers/acpi/acpica/hwxfsleep.c
++++ b/drivers/acpi/acpica/hwxfsleep.c
+@@ -217,6 +217,13 @@ acpi_status acpi_enter_sleep_state_prep(u8 sleep_state)
+ return_ACPI_STATUS(status);
+ }
+
++ status = acpi_get_sleep_type_data(ACPI_STATE_S0,
++ &acpi_gbl_sleep_type_a_s0,
++ &acpi_gbl_sleep_type_b_s0);
++ if (ACPI_FAILURE(status)) {
++ acpi_gbl_sleep_type_a_s0 = ACPI_SLEEP_TYPE_INVALID;
++ }
++
+ /* Execute the _PTS method (Prepare To Sleep) */
+
+ arg_list.count = 1;
+--
+2.33.0
+
--- /dev/null
+From cbc9bfc7cade9012522fe793b1cfe5db12379c08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Aug 2021 20:42:59 +0300
+Subject: ALSA: hda: Fix hang during shutdown due to link reset
+
+From: Imre Deak <imre.deak@intel.com>
+
+[ Upstream commit 0165c4e19f6ec76b535de090e4bd145c73810c51 ]
+
+During system shutdown codecs may be still active, and resetting the
+controller->codec HW link in this state - based on the bug reporter's
+tests - leads to the shutdown sequence to get stuck. This happens at
+least on the reporter's KBL system with an ALC662 codec.
+
+For now fix the issue by skipping the link reset step.
+
+Fixes: 472e18f63c42 ("ALSA: hda: Release controller display power during shutdown/reboot")
+References: https://bugzilla.kernel.org/show_bug.cgi?id=214045
+References: https://gitlab.freedesktop.org/drm/intel/-/issues/3618#note_1024665
+Reported-and-tested-by: youling257@gmail.com
+Cc: youling257@gmail.com
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Link: https://lore.kernel.org/r/20210816174259.2759103-1-imre.deak@intel.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/hda_intel.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index e31eafe73661f..a0955e17adee9 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -936,10 +936,11 @@ static unsigned int azx_get_pos_skl(struct azx *chip, struct azx_dev *azx_dev)
+ return azx_get_pos_posbuf(chip, azx_dev);
+ }
+
+-static void azx_shutdown_chip(struct azx *chip)
++static void __azx_shutdown_chip(struct azx *chip, bool skip_link_reset)
+ {
+ azx_stop_chip(chip);
+- azx_enter_link_reset(chip);
++ if (!skip_link_reset)
++ azx_enter_link_reset(chip);
+ azx_clear_irq_pending(chip);
+ display_power(chip, false);
+ }
+@@ -948,6 +949,11 @@ static void azx_shutdown_chip(struct azx *chip)
+ static DEFINE_MUTEX(card_list_lock);
+ static LIST_HEAD(card_list);
+
++static void azx_shutdown_chip(struct azx *chip)
++{
++ __azx_shutdown_chip(chip, false);
++}
++
+ static void azx_add_card_list(struct azx *chip)
+ {
+ struct hda_intel *hda = container_of(chip, struct hda_intel, chip);
+@@ -2461,7 +2467,7 @@ static void azx_shutdown(struct pci_dev *pci)
+ return;
+ chip = card->private_data;
+ if (chip && chip->running)
+- azx_shutdown_chip(chip);
++ __azx_shutdown_chip(chip, true);
+ }
+
+ /* PCI IDs */
+--
+2.33.0
+
--- /dev/null
+From 87b6a7667117eca5b49f631c11eb558fd602c116 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Sep 2021 09:29:33 +0200
+Subject: ALSA: hda: Reduce udelay() at SKL+ position reporting
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 46243b85b0ec5d2cee7545e5ce18c015ce91957e ]
+
+The position reporting on Intel Skylake and later chips via
+azx_get_pos_skl() contains a udelay(20) call for the capture streams.
+A call for this alone doesn't sound too harmful. However, as the
+pointer PCM ops is one of the hottest path in the PCM operations --
+especially for the timer-scheduled operations like PulseAudio -- such
+a delay hogs CPU usage significantly in the total performance.
+
+The code there was taken from the original code in ASoC SST Skylake
+driver blindly. The udelay() is a workaround for the case where the
+reported position is behind the period boundary at the timing
+triggered from interrupts; applications often expect that the full
+data is available for the whole period when returned (and also that's
+the definition of the ALSA PCM period).
+
+OTOH, HD-audio (legacy) driver has already some workarounds for the
+delayed position reporting due to its relatively large FIFO, such as
+the BDL position adjustment and the delayed period-elapsed call in the
+work. That said, the udelay() is almost superfluous for HD-audio
+driver unlike SST, and we can drop the udelay().
+
+Though, the current code doesn't guarantee the full period readiness
+as mentioned in the above, but rather it checks the wallclock and
+detects the unexpected jump. That's one missing piece, and the drop
+of udelay() needs a bit more sanity checks for the delayed handling.
+
+This patch implements those: the drop of udelay() call in
+azx_get_pos_skl() and the more proper check of hwptr in
+azx_position_ok(). The latter change is applied only for the case
+where the stream is running in the normal mode without
+no_period_wakeup flag. When no_period_wakeup is set, it essentially
+ignores the period handling and rather concentrates only on the
+current position; which implies that we don't need to care about the
+period boundary at all.
+
+Fixes: f87e7f25893d ("ALSA: hda - Improved position reporting on SKL+")
+Reported-by: Jens Axboe <axboe@kernel.dk>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20210929072934.6809-2-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/hda_intel.c | 28 +++++++++++++++++++++++-----
+ 1 file changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index 1bae0746e7266..a8eae31e47efb 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -672,13 +672,17 @@ static int azx_position_check(struct azx *chip, struct azx_dev *azx_dev)
+ * the update-IRQ timing. The IRQ is issued before actually the
+ * data is processed. So, we need to process it afterwords in a
+ * workqueue.
++ *
++ * Returns 1 if OK to proceed, 0 for delay handling, -1 for skipping update
+ */
+ static int azx_position_ok(struct azx *chip, struct azx_dev *azx_dev)
+ {
+ struct snd_pcm_substream *substream = azx_dev->core.substream;
++ struct snd_pcm_runtime *runtime = substream->runtime;
+ int stream = substream->stream;
+ u32 wallclk;
+ unsigned int pos;
++ snd_pcm_uframes_t hwptr, target;
+
+ wallclk = azx_readl(chip, WALLCLK) - azx_dev->core.start_wallclk;
+ if (wallclk < (azx_dev->core.period_wallclk * 2) / 3)
+@@ -715,6 +719,24 @@ static int azx_position_ok(struct azx *chip, struct azx_dev *azx_dev)
+ /* NG - it's below the first next period boundary */
+ return chip->bdl_pos_adj ? 0 : -1;
+ azx_dev->core.start_wallclk += wallclk;
++
++ if (azx_dev->core.no_period_wakeup)
++ return 1; /* OK, no need to check period boundary */
++
++ if (runtime->hw_ptr_base != runtime->hw_ptr_interrupt)
++ return 1; /* OK, already in hwptr updating process */
++
++ /* check whether the period gets really elapsed */
++ pos = bytes_to_frames(runtime, pos);
++ hwptr = runtime->hw_ptr_base + pos;
++ if (hwptr < runtime->status->hw_ptr)
++ hwptr += runtime->buffer_size;
++ target = runtime->hw_ptr_interrupt + runtime->period_size;
++ if (hwptr < target) {
++ /* too early wakeup, process it later */
++ return chip->bdl_pos_adj ? 0 : -1;
++ }
++
+ return 1; /* OK, it's fine */
+ }
+
+@@ -909,11 +931,7 @@ static unsigned int azx_get_pos_skl(struct azx *chip, struct azx_dev *azx_dev)
+ if (azx_dev->core.substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
+ return azx_skl_get_dpib_pos(chip, azx_dev);
+
+- /* For capture, we need to read posbuf, but it requires a delay
+- * for the possible boundary overlap; the read of DPIB fetches the
+- * actual posbuf
+- */
+- udelay(20);
++ /* read of DPIB fetches the actual posbuf */
+ azx_skl_get_dpib_pos(chip, azx_dev);
+ return azx_get_pos_posbuf(chip, azx_dev);
+ }
+--
+2.33.0
+
--- /dev/null
+From b81b3ab0381d1252fe361f6a966cfc13deee7a21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jun 2021 16:46:00 +0300
+Subject: ALSA: hda: Release controller display power during shutdown/reboot
+
+From: Imre Deak <imre.deak@intel.com>
+
+[ Upstream commit 472e18f63c425dda97b888f40f858ea54e3efc17 ]
+
+Make sure the HDA driver's display power reference is released during
+shutdown/reboot.
+
+During the shutdown/reboot sequence the pci device core calls the
+pm_runtime_resume handler for all devices before calling the driver's
+shutdown callback and so the HDA driver's runtime resume callback will
+acquire a display power reference (on HSW/BDW). This triggers a power
+reference held WARN on HSW/BDW in the i915 driver's subsequent shutdown
+handler, which expects all display power references to be released by
+that time.
+
+Since the HDA controller is stopped in the shutdown handler in any case,
+let's follow here the same sequence as the one during runtime suspend.
+This will also reset the HDA link and drop the display power reference,
+getting rid of the above WARN.
+
+Tested on HSW.
+
+v2:
+- Fix the build for CONFIG_PM=n (Takashi)
+- s/__azx_runtime_suspend/azx_shutdown_chip/
+
+Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/3618
+References: https://lore.kernel.org/lkml/cea1f9a-52e0-b83-593d-52997fe1aaf6@er-systems.de
+Reported-and-tested-by: Thomas Voegtle <tv@lio96.de>
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Link: https://lore.kernel.org/r/20210623134601.2128663-1-imre.deak@intel.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/hda_intel.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index a8eae31e47efb..e31eafe73661f 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -936,6 +936,14 @@ static unsigned int azx_get_pos_skl(struct azx *chip, struct azx_dev *azx_dev)
+ return azx_get_pos_posbuf(chip, azx_dev);
+ }
+
++static void azx_shutdown_chip(struct azx *chip)
++{
++ azx_stop_chip(chip);
++ azx_enter_link_reset(chip);
++ azx_clear_irq_pending(chip);
++ display_power(chip, false);
++}
++
+ #ifdef CONFIG_PM
+ static DEFINE_MUTEX(card_list_lock);
+ static LIST_HEAD(card_list);
+@@ -995,14 +1003,6 @@ static bool azx_is_pm_ready(struct snd_card *card)
+ return true;
+ }
+
+-static void __azx_runtime_suspend(struct azx *chip)
+-{
+- azx_stop_chip(chip);
+- azx_enter_link_reset(chip);
+- azx_clear_irq_pending(chip);
+- display_power(chip, false);
+-}
+-
+ static void __azx_runtime_resume(struct azx *chip)
+ {
+ struct hda_intel *hda = container_of(chip, struct hda_intel, chip);
+@@ -1081,7 +1081,7 @@ static int azx_suspend(struct device *dev)
+
+ chip = card->private_data;
+ bus = azx_bus(chip);
+- __azx_runtime_suspend(chip);
++ azx_shutdown_chip(chip);
+ if (bus->irq >= 0) {
+ free_irq(bus->irq, chip);
+ bus->irq = -1;
+@@ -1160,7 +1160,7 @@ static int azx_runtime_suspend(struct device *dev)
+ /* enable controller wake up event */
+ azx_writew(chip, WAKEEN, azx_readw(chip, WAKEEN) | STATESTS_INT_MASK);
+
+- __azx_runtime_suspend(chip);
++ azx_shutdown_chip(chip);
+ trace_azx_runtime_suspend(chip);
+ return 0;
+ }
+@@ -2461,7 +2461,7 @@ static void azx_shutdown(struct pci_dev *pci)
+ return;
+ chip = card->private_data;
+ if (chip && chip->running)
+- azx_stop_chip(chip);
++ azx_shutdown_chip(chip);
+ }
+
+ /* PCI IDs */
+--
+2.33.0
+
--- /dev/null
+From 579442fbc2bcbcf56ff8631800248baed2611bcf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Sep 2021 09:29:34 +0200
+Subject: ALSA: hda: Use position buffer for SKL+ again
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit c4ca3871e21fa085096316f5f8d9975cf3dfde1d ]
+
+The commit f87e7f25893d ("ALSA: hda - Improved position reporting on
+SKL+") changed the PCM position report for SKL+ chips to use DPIB, but
+according to Pierre, DPIB is no best choice for the accurate position
+reports and it often reports too early. The recommended method is
+rather the classical position buffer.
+
+This patch makes the PCM position reporting on SKL+ back to the
+position buffer again.
+
+Fixes: f87e7f25893d ("ALSA: hda - Improved position reporting on SKL+")
+Suggested-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20210929072934.6809-3-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/hda_intel.c | 23 +----------------------
+ 1 file changed, 1 insertion(+), 22 deletions(-)
+
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index a0955e17adee9..64115a796af06 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -915,27 +915,6 @@ static int azx_get_delay_from_fifo(struct azx *chip, struct azx_dev *azx_dev,
+ return substream->runtime->delay;
+ }
+
+-static unsigned int azx_skl_get_dpib_pos(struct azx *chip,
+- struct azx_dev *azx_dev)
+-{
+- return _snd_hdac_chip_readl(azx_bus(chip),
+- AZX_REG_VS_SDXDPIB_XBASE +
+- (AZX_REG_VS_SDXDPIB_XINTERVAL *
+- azx_dev->core.index));
+-}
+-
+-/* get the current DMA position with correction on SKL+ chips */
+-static unsigned int azx_get_pos_skl(struct azx *chip, struct azx_dev *azx_dev)
+-{
+- /* DPIB register gives a more accurate position for playback */
+- if (azx_dev->core.substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
+- return azx_skl_get_dpib_pos(chip, azx_dev);
+-
+- /* read of DPIB fetches the actual posbuf */
+- azx_skl_get_dpib_pos(chip, azx_dev);
+- return azx_get_pos_posbuf(chip, azx_dev);
+-}
+-
+ static void __azx_shutdown_chip(struct azx *chip, bool skip_link_reset)
+ {
+ azx_stop_chip(chip);
+@@ -1632,7 +1611,7 @@ static void assign_position_fix(struct azx *chip, int fix)
+ [POS_FIX_POSBUF] = azx_get_pos_posbuf,
+ [POS_FIX_VIACOMBO] = azx_via_get_position,
+ [POS_FIX_COMBO] = azx_get_pos_lpib,
+- [POS_FIX_SKL] = azx_get_pos_skl,
++ [POS_FIX_SKL] = azx_get_pos_posbuf,
+ [POS_FIX_FIFO] = azx_get_pos_fifo,
+ };
+
+--
+2.33.0
+
--- /dev/null
+From bacf5f47401d6e90a73618cf6d3052a7768fa490 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Oct 2020 07:24:22 -0700
+Subject: apparmor: fix error check
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit d108370c644b153382632b3e5511ade575c91c86 ]
+
+clang static analysis reports this representative problem:
+
+label.c:1463:16: warning: Assigned value is garbage or undefined
+ label->hname = name;
+ ^ ~~~~
+
+In aa_update_label_name(), this the problem block of code
+
+ if (aa_label_acntsxprint(&name, ...) == -1)
+ return res;
+
+On failure, aa_label_acntsxprint() has a more complicated return
+that just -1. So check for a negative return.
+
+It was also noted that the aa_label_acntsxprint() main comment refers
+to a nonexistent parameter, so clean up the comment.
+
+Fixes: f1bd904175e8 ("apparmor: add the base fns() for domain labels")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/apparmor/label.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/security/apparmor/label.c b/security/apparmor/label.c
+index e68bcedca976b..6222fdfebe4e5 100644
+--- a/security/apparmor/label.c
++++ b/security/apparmor/label.c
+@@ -1454,7 +1454,7 @@ bool aa_update_label_name(struct aa_ns *ns, struct aa_label *label, gfp_t gfp)
+ if (label->hname || labels_ns(label) != ns)
+ return res;
+
+- if (aa_label_acntsxprint(&name, ns, label, FLAGS_NONE, gfp) == -1)
++ if (aa_label_acntsxprint(&name, ns, label, FLAGS_NONE, gfp) < 0)
+ return res;
+
+ ls = labels_set(label);
+@@ -1704,7 +1704,7 @@ int aa_label_asxprint(char **strp, struct aa_ns *ns, struct aa_label *label,
+
+ /**
+ * aa_label_acntsxprint - allocate a __counted string buffer and print label
+- * @strp: buffer to write to. (MAY BE NULL if @size == 0)
++ * @strp: buffer to write to.
+ * @ns: namespace profile is being viewed from
+ * @label: label to view (NOT NULL)
+ * @flags: flags controlling what label info is printed
+--
+2.33.0
+
--- /dev/null
+From a3231869090a19ec231153a6f8f7400a3dbf0266 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Sep 2021 10:49:04 +0800
+Subject: ar7: fix kernel builds for compiler test
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jackie Liu <liuyun01@kylinos.cn>
+
+[ Upstream commit 28b7ee33a2122569ac065cad578bf23f50cc65c3 ]
+
+TI AR7 Watchdog Timer is only build for 32bit.
+
+Avoid error like:
+In file included from drivers/watchdog/ar7_wdt.c:29:
+./arch/mips/include/asm/mach-ar7/ar7.h: In function ‘ar7_is_titan’:
+./arch/mips/include/asm/mach-ar7/ar7.h:111:24: error: implicit declaration of function ‘KSEG1ADDR’; did you mean ‘CKSEG1ADDR’? [-Werror=implicit-function-declaration]
+ 111 | return (readl((void *)KSEG1ADDR(AR7_REGS_GPIO + 0x24)) & 0xffff) ==
+ | ^~~~~~~~~
+ | CKSEG1ADDR
+
+Fixes: da2a68b3eb47 ("watchdog: Enable COMPILE_TEST where possible")
+Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20210907024904.4127611-1-liu.yun@linux.dev
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/watchdog/Kconfig b/drivers/watchdog/Kconfig
+index db935d6b10c27..01ce3f41cc219 100644
+--- a/drivers/watchdog/Kconfig
++++ b/drivers/watchdog/Kconfig
+@@ -1723,7 +1723,7 @@ config SIBYTE_WDOG
+
+ config AR7_WDT
+ tristate "TI AR7 Watchdog Timer"
+- depends on AR7 || (MIPS && COMPILE_TEST)
++ depends on AR7 || (MIPS && 32BIT && COMPILE_TEST)
+ help
+ Hardware driver for the TI AR7 Watchdog Timer.
+
+--
+2.33.0
+
--- /dev/null
+From 6e433977eec808f41d972e49aa9783a70f32091b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Oct 2021 15:30:06 +0100
+Subject: ARM: 9136/1: ARMv7-M uses BE-8, not BE-32
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 345dac33f58894a56d17b92a41be10e16585ceff ]
+
+When configuring the kernel for big-endian, we set either BE-8 or BE-32
+based on the CPU architecture level. Until linux-4.4, we did not have
+any ARMv7-M platform allowing big-endian builds, but now i.MX/Vybrid
+is in that category, adn we get a build error because of this:
+
+arch/arm/kernel/module-plts.c: In function 'get_module_plt':
+arch/arm/kernel/module-plts.c:60:46: error: implicit declaration of function '__opcode_to_mem_thumb32' [-Werror=implicit-function-declaration]
+
+This comes down to picking the wrong default, ARMv7-M uses BE8
+like ARMv7-A does. Changing the default gets the kernel to compile
+and presumably works.
+
+https://lore.kernel.org/all/1455804123-2526139-2-git-send-email-arnd@arndb.de/
+
+Tested-by: Vladimir Murzin <vladimir.murzin@arm.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mm/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig
+index 02692fbe2db5c..423a97dd2f57c 100644
+--- a/arch/arm/mm/Kconfig
++++ b/arch/arm/mm/Kconfig
+@@ -753,7 +753,7 @@ config CPU_BIG_ENDIAN
+ config CPU_ENDIAN_BE8
+ bool
+ depends on CPU_BIG_ENDIAN
+- default CPU_V6 || CPU_V6K || CPU_V7
++ default CPU_V6 || CPU_V6K || CPU_V7 || CPU_V7M
+ help
+ Support for the BE-8 (big-endian) mode on ARMv6 and ARMv7 processors.
+
+--
+2.33.0
+
--- /dev/null
+From 28af02e1fc30808b2f2eb99253858d07305006f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Oct 2021 09:55:17 +0900
+Subject: ARM: clang: Do not rely on lr register for stacktrace
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit b3ea5d56f212ad81328c82454829a736197ebccc ]
+
+Currently the stacktrace on clang compiled arm kernel uses the 'lr'
+register to find the first frame address from pt_regs. However, that
+is wrong after calling another function, because the 'lr' register
+is used by 'bl' instruction and never be recovered.
+
+As same as gcc arm kernel, directly use the frame pointer (r11) of
+the pt_regs to find the first frame address.
+
+Note that this fixes kretprobe stacktrace issue only with
+CONFIG_UNWINDER_FRAME_POINTER=y. For the CONFIG_UNWINDER_ARM,
+we need another fix.
+
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/kernel/stacktrace.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/arch/arm/kernel/stacktrace.c b/arch/arm/kernel/stacktrace.c
+index 76ea4178a55cb..db798eac74315 100644
+--- a/arch/arm/kernel/stacktrace.c
++++ b/arch/arm/kernel/stacktrace.c
+@@ -54,8 +54,7 @@ int notrace unwind_frame(struct stackframe *frame)
+
+ frame->sp = frame->fp;
+ frame->fp = *(unsigned long *)(fp);
+- frame->pc = frame->lr;
+- frame->lr = *(unsigned long *)(fp + 4);
++ frame->pc = *(unsigned long *)(fp + 4);
+ #else
+ /* check current frame pointer is within bounds */
+ if (fp < low + 12 || fp > high - 4)
+--
+2.33.0
+
--- /dev/null
+From 323dd4639f477166850796f6e153821a47e1bc9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Sep 2021 22:37:38 +0200
+Subject: ARM: dts: at91: tse850: the emac<->phy interface is rmii
+
+From: Peter Rosin <peda@axentia.se>
+
+[ Upstream commit dcdbc335a91a26e022a803e1a6b837266989c032 ]
+
+This went unnoticed until commit 7897b071ac3b ("net: macb: convert
+to phylink") which tickled the problem. The sama5d3 emac has never
+been capable of rgmii, and it all just happened to work before that
+commit.
+
+Fixes: 21dd0ece34c2 ("ARM: dts: at91: add devicetree for the Axentia TSE-850")
+Signed-off-by: Peter Rosin <peda@axentia.se>
+Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Link: https://lore.kernel.org/r/ea781f5e-422f-6cbf-3cf4-d5a7bac9392d@axentia.se
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/at91-tse850-3.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/at91-tse850-3.dts b/arch/arm/boot/dts/at91-tse850-3.dts
+index 3ca97b47c69ce..7e5c598e7e68f 100644
+--- a/arch/arm/boot/dts/at91-tse850-3.dts
++++ b/arch/arm/boot/dts/at91-tse850-3.dts
+@@ -262,7 +262,7 @@
+ &macb1 {
+ status = "okay";
+
+- phy-mode = "rgmii";
++ phy-mode = "rmii";
+
+ #address-cells = <1>;
+ #size-cells = <0>;
+--
+2.33.0
+
--- /dev/null
+From 198fec4401c4e1105de1b731b477d960eca83670 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Aug 2021 08:57:02 +0200
+Subject: ARM: dts: BCM5301X: Fix memory nodes names
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafał Miłecki <rafal@milecki.pl>
+
+[ Upstream commit c5e1df3276d7a500678da9453be31a66ad115150 ]
+
+Thix fixes:
+arch/arm/boot/dts/bcm4708-netgear-r6250.dt.yaml: /: memory: False schema does not allow {'device_type': ['memory'], 'reg': [[0, 134217728], [2281701376, 134217728]]}
+arch/arm/boot/dts/bcm4709-asus-rt-ac87u.dt.yaml: /: memory: False schema does not allow {'device_type': ['memory'], 'reg': [[0, 134217728], [2281701376, 134217728]]}
+arch/arm/boot/dts/bcm4709-buffalo-wxr-1900dhp.dt.yaml: /: memory: False schema does not allow {'device_type': ['memory'], 'reg': [[0, 134217728], [2281701376, 402653184]]}
+arch/arm/boot/dts/bcm4709-linksys-ea9200.dt.yaml: /: memory: False schema does not allow {'device_type': ['memory'], 'reg': [[0, 134217728], [2281701376, 134217728]]}
+arch/arm/boot/dts/bcm4709-netgear-r7000.dt.yaml: /: memory: False schema does not allow {'device_type': ['memory'], 'reg': [[0, 134217728], [2281701376, 134217728]]}
+arch/arm/boot/dts/bcm4709-netgear-r8000.dt.yaml: /: memory: False schema does not allow {'device_type': ['memory'], 'reg': [[0, 134217728], [2281701376, 134217728]]}
+arch/arm/boot/dts/bcm4709-tplink-archer-c9-v1.dt.yaml: /: memory: False schema does not allow {'device_type': ['memory'], 'reg': [[0, 134217728]]}
+arch/arm/boot/dts/bcm47094-luxul-xwc-2000.dt.yaml: /: memory: False schema does not allow {'device_type': ['memory'], 'reg': [[0, 134217728], [2281701376, 402653184]]}
+arch/arm/boot/dts/bcm53016-meraki-mr32.dt.yaml: /: memory: False schema does not allow {'reg': [[0, 134217728]], 'device_type': ['memory']}
+arch/arm/boot/dts/bcm94708.dt.yaml: /: memory: False schema does not allow {'device_type': ['memory'], 'reg': [[0, 134217728]]}
+arch/arm/boot/dts/bcm94709.dt.yaml: /: memory: False schema does not allow {'device_type': ['memory'], 'reg': [[0, 134217728]]}
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/bcm4708-netgear-r6250.dts | 2 +-
+ arch/arm/boot/dts/bcm4709-asus-rt-ac87u.dts | 2 +-
+ arch/arm/boot/dts/bcm4709-buffalo-wxr-1900dhp.dts | 2 +-
+ arch/arm/boot/dts/bcm4709-linksys-ea9200.dts | 2 +-
+ arch/arm/boot/dts/bcm4709-netgear-r7000.dts | 2 +-
+ arch/arm/boot/dts/bcm4709-netgear-r8000.dts | 2 +-
+ arch/arm/boot/dts/bcm4709-tplink-archer-c9-v1.dts | 2 +-
+ arch/arm/boot/dts/bcm47094-luxul-xwc-2000.dts | 2 +-
+ arch/arm/boot/dts/bcm53016-meraki-mr32.dts | 2 +-
+ arch/arm/boot/dts/bcm94708.dts | 2 +-
+ arch/arm/boot/dts/bcm94709.dts | 2 +-
+ 11 files changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/arch/arm/boot/dts/bcm4708-netgear-r6250.dts b/arch/arm/boot/dts/bcm4708-netgear-r6250.dts
+index 61c7b137607e5..7900aac4f35a9 100644
+--- a/arch/arm/boot/dts/bcm4708-netgear-r6250.dts
++++ b/arch/arm/boot/dts/bcm4708-netgear-r6250.dts
+@@ -20,7 +20,7 @@
+ bootargs = "console=ttyS0,115200 earlycon";
+ };
+
+- memory {
++ memory@0 {
+ device_type = "memory";
+ reg = <0x00000000 0x08000000>,
+ <0x88000000 0x08000000>;
+diff --git a/arch/arm/boot/dts/bcm4709-asus-rt-ac87u.dts b/arch/arm/boot/dts/bcm4709-asus-rt-ac87u.dts
+index 6c6bb7b17d27a..7546c8d07bcd7 100644
+--- a/arch/arm/boot/dts/bcm4709-asus-rt-ac87u.dts
++++ b/arch/arm/boot/dts/bcm4709-asus-rt-ac87u.dts
+@@ -19,7 +19,7 @@
+ bootargs = "console=ttyS0,115200";
+ };
+
+- memory {
++ memory@0 {
+ device_type = "memory";
+ reg = <0x00000000 0x08000000>,
+ <0x88000000 0x08000000>;
+diff --git a/arch/arm/boot/dts/bcm4709-buffalo-wxr-1900dhp.dts b/arch/arm/boot/dts/bcm4709-buffalo-wxr-1900dhp.dts
+index d29e7f80ea6aa..beae9eab9cb8c 100644
+--- a/arch/arm/boot/dts/bcm4709-buffalo-wxr-1900dhp.dts
++++ b/arch/arm/boot/dts/bcm4709-buffalo-wxr-1900dhp.dts
+@@ -19,7 +19,7 @@
+ bootargs = "console=ttyS0,115200";
+ };
+
+- memory {
++ memory@0 {
+ device_type = "memory";
+ reg = <0x00000000 0x08000000>,
+ <0x88000000 0x18000000>;
+diff --git a/arch/arm/boot/dts/bcm4709-linksys-ea9200.dts b/arch/arm/boot/dts/bcm4709-linksys-ea9200.dts
+index 38fbefdf2e4e4..ee94455a7236d 100644
+--- a/arch/arm/boot/dts/bcm4709-linksys-ea9200.dts
++++ b/arch/arm/boot/dts/bcm4709-linksys-ea9200.dts
+@@ -16,7 +16,7 @@
+ bootargs = "console=ttyS0,115200";
+ };
+
+- memory {
++ memory@0 {
+ device_type = "memory";
+ reg = <0x00000000 0x08000000>,
+ <0x88000000 0x08000000>;
+diff --git a/arch/arm/boot/dts/bcm4709-netgear-r7000.dts b/arch/arm/boot/dts/bcm4709-netgear-r7000.dts
+index 7989a53597d4f..56d309dbc6b0d 100644
+--- a/arch/arm/boot/dts/bcm4709-netgear-r7000.dts
++++ b/arch/arm/boot/dts/bcm4709-netgear-r7000.dts
+@@ -19,7 +19,7 @@
+ bootargs = "console=ttyS0,115200";
+ };
+
+- memory {
++ memory@0 {
+ device_type = "memory";
+ reg = <0x00000000 0x08000000>,
+ <0x88000000 0x08000000>;
+diff --git a/arch/arm/boot/dts/bcm4709-netgear-r8000.dts b/arch/arm/boot/dts/bcm4709-netgear-r8000.dts
+index 87b655be674c5..184e3039aa864 100644
+--- a/arch/arm/boot/dts/bcm4709-netgear-r8000.dts
++++ b/arch/arm/boot/dts/bcm4709-netgear-r8000.dts
+@@ -30,7 +30,7 @@
+ bootargs = "console=ttyS0,115200";
+ };
+
+- memory {
++ memory@0 {
+ device_type = "memory";
+ reg = <0x00000000 0x08000000>,
+ <0x88000000 0x08000000>;
+diff --git a/arch/arm/boot/dts/bcm4709-tplink-archer-c9-v1.dts b/arch/arm/boot/dts/bcm4709-tplink-archer-c9-v1.dts
+index f806be5da7237..c2a266a439d05 100644
+--- a/arch/arm/boot/dts/bcm4709-tplink-archer-c9-v1.dts
++++ b/arch/arm/boot/dts/bcm4709-tplink-archer-c9-v1.dts
+@@ -15,7 +15,7 @@
+ bootargs = "console=ttyS0,115200 earlycon";
+ };
+
+- memory {
++ memory@0 {
+ device_type = "memory";
+ reg = <0x00000000 0x08000000>;
+ };
+diff --git a/arch/arm/boot/dts/bcm47094-luxul-xwc-2000.dts b/arch/arm/boot/dts/bcm47094-luxul-xwc-2000.dts
+index 2666195b6ffeb..3d415d874bd39 100644
+--- a/arch/arm/boot/dts/bcm47094-luxul-xwc-2000.dts
++++ b/arch/arm/boot/dts/bcm47094-luxul-xwc-2000.dts
+@@ -16,7 +16,7 @@
+ bootargs = "earlycon";
+ };
+
+- memory {
++ memory@0 {
+ device_type = "memory";
+ reg = <0x00000000 0x08000000>,
+ <0x88000000 0x18000000>;
+diff --git a/arch/arm/boot/dts/bcm53016-meraki-mr32.dts b/arch/arm/boot/dts/bcm53016-meraki-mr32.dts
+index 3b978dc8997a4..612d61852bfb9 100644
+--- a/arch/arm/boot/dts/bcm53016-meraki-mr32.dts
++++ b/arch/arm/boot/dts/bcm53016-meraki-mr32.dts
+@@ -20,7 +20,7 @@
+ bootargs = " console=ttyS0,115200n8 earlycon";
+ };
+
+- memory {
++ memory@0 {
+ reg = <0x00000000 0x08000000>;
+ device_type = "memory";
+ };
+diff --git a/arch/arm/boot/dts/bcm94708.dts b/arch/arm/boot/dts/bcm94708.dts
+index 3d13e46c69494..d9eb2040b9631 100644
+--- a/arch/arm/boot/dts/bcm94708.dts
++++ b/arch/arm/boot/dts/bcm94708.dts
+@@ -38,7 +38,7 @@
+ model = "NorthStar SVK (BCM94708)";
+ compatible = "brcm,bcm94708", "brcm,bcm4708";
+
+- memory {
++ memory@0 {
+ device_type = "memory";
+ reg = <0x00000000 0x08000000>;
+ };
+diff --git a/arch/arm/boot/dts/bcm94709.dts b/arch/arm/boot/dts/bcm94709.dts
+index 5017b7b259cbe..618c812eef73e 100644
+--- a/arch/arm/boot/dts/bcm94709.dts
++++ b/arch/arm/boot/dts/bcm94709.dts
+@@ -38,7 +38,7 @@
+ model = "NorthStar SVK (BCM94709)";
+ compatible = "brcm,bcm94709", "brcm,bcm4709", "brcm,bcm4708";
+
+- memory {
++ memory@0 {
+ device_type = "memory";
+ reg = <0x00000000 0x08000000>;
+ };
+--
+2.33.0
+
--- /dev/null
+From 6c689e03cd538f7158304a06323653b22df23afc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Oct 2021 09:34:15 +0200
+Subject: arm: dts: omap3-gta04a4: accelerometer irq fix
+
+From: Andreas Kemnade <andreas@kemnade.info>
+
+[ Upstream commit 884ea75d79a36faf3731ad9d6b9c29f58697638d ]
+
+Fix typo in pinctrl. It did only work because the bootloader
+seems to have initialized it.
+
+Fixes: ee327111953b ("ARM: dts: omap3-gta04: Define and use bma180 irq pin")
+Signed-off-by: Andreas Kemnade <andreas@kemnade.info>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/omap3-gta04.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/omap3-gta04.dtsi b/arch/arm/boot/dts/omap3-gta04.dtsi
+index 7b8c18e6605e4..80c9e5e34136a 100644
+--- a/arch/arm/boot/dts/omap3-gta04.dtsi
++++ b/arch/arm/boot/dts/omap3-gta04.dtsi
+@@ -515,7 +515,7 @@
+ compatible = "bosch,bma180";
+ reg = <0x41>;
+ pinctrl-names = "default";
+- pintcrl-0 = <&bma180_pins>;
++ pinctrl-0 = <&bma180_pins>;
+ interrupt-parent = <&gpio4>;
+ interrupts = <19 IRQ_TYPE_LEVEL_HIGH>; /* GPIO_115 */
+ };
+--
+2.33.0
+
--- /dev/null
+From 4060bab1f06207ade3236befd85e67d2ee9546f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Aug 2021 19:57:39 +0200
+Subject: ARM: dts: qcom: msm8974: Add xo_board reference clock to DSI0 PHY
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit 8ccecf6c710b8c048eecc65709640642e5357d6e ]
+
+According to YAML validation, and for a future patchset putting this
+xo_board reference clock to use as VCO reference parent, add the missing
+clock to dsi_phy0.
+
+Fixes: 5a9fc531f6ec ("ARM: dts: msm8974: add display support")
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Link: https://lore.kernel.org/r/20210830175739.143401-1-marijn.suijten@somainline.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/qcom-msm8974.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/qcom-msm8974.dtsi b/arch/arm/boot/dts/qcom-msm8974.dtsi
+index 51f5f904f9eb9..5f7426fb4e419 100644
+--- a/arch/arm/boot/dts/qcom-msm8974.dtsi
++++ b/arch/arm/boot/dts/qcom-msm8974.dtsi
+@@ -1528,8 +1528,8 @@
+ #phy-cells = <0>;
+ qcom,dsi-phy-index = <0>;
+
+- clocks = <&mmcc MDSS_AHB_CLK>;
+- clock-names = "iface";
++ clocks = <&mmcc MDSS_AHB_CLK>, <&xo_board>;
++ clock-names = "iface", "ref";
+ };
+ };
+
+--
+2.33.0
+
--- /dev/null
+From 71a0d49661b73935a18cd9fd0e17c21b91ddc651 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Oct 2021 11:03:04 +0200
+Subject: ARM: dts: stm32: fix AV96 board SAI2 pin muxing on stm32mp15
+
+From: Olivier Moysan <olivier.moysan@foss.st.com>
+
+[ Upstream commit 1a9a9d226f0f0ef5d9bf588ab432e0d679bb1954 ]
+
+Fix SAI2A and SAI2B pin muxings for AV96 board on STM32MP15.
+Change sai2a-4 & sai2a-5 to sai2a-2 & sai2a-2.
+Change sai2a-4 & sai2a-sleep-5 to sai2b-2 & sai2b-sleep-2
+
+Fixes: dcf185ca8175 ("ARM: dts: stm32: Add alternate pinmux for SAI2 pins on stm32mp15")
+
+Signed-off-by: Olivier Moysan <olivier.moysan@foss.st.com>
+Reviewed-by: Marek Vasut <marex@denx.de>
+Signed-off-by: Alexandre Torgue <alexandre.torgue@foss.st.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/stm32mp15-pinctrl.dtsi | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm/boot/dts/stm32mp15-pinctrl.dtsi b/arch/arm/boot/dts/stm32mp15-pinctrl.dtsi
+index dee4d32ab32c4..ccf66adbbf623 100644
+--- a/arch/arm/boot/dts/stm32mp15-pinctrl.dtsi
++++ b/arch/arm/boot/dts/stm32mp15-pinctrl.dtsi
+@@ -1091,7 +1091,7 @@
+ };
+ };
+
+- sai2a_pins_c: sai2a-4 {
++ sai2a_pins_c: sai2a-2 {
+ pins {
+ pinmux = <STM32_PINMUX('D', 13, AF10)>, /* SAI2_SCK_A */
+ <STM32_PINMUX('D', 11, AF10)>, /* SAI2_SD_A */
+@@ -1102,7 +1102,7 @@
+ };
+ };
+
+- sai2a_sleep_pins_c: sai2a-5 {
++ sai2a_sleep_pins_c: sai2a-2 {
+ pins {
+ pinmux = <STM32_PINMUX('D', 13, ANALOG)>, /* SAI2_SCK_A */
+ <STM32_PINMUX('D', 11, ANALOG)>, /* SAI2_SD_A */
+@@ -1147,14 +1147,14 @@
+ };
+ };
+
+- sai2b_pins_c: sai2a-4 {
++ sai2b_pins_c: sai2b-2 {
+ pins1 {
+ pinmux = <STM32_PINMUX('F', 11, AF10)>; /* SAI2_SD_B */
+ bias-disable;
+ };
+ };
+
+- sai2b_sleep_pins_c: sai2a-sleep-5 {
++ sai2b_sleep_pins_c: sai2b-sleep-2 {
+ pins {
+ pinmux = <STM32_PINMUX('F', 11, ANALOG)>; /* SAI2_SD_B */
+ };
+--
+2.33.0
+
--- /dev/null
+From 79639c8419610dcae71cfbdced1aa1a1ed16b4fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Sep 2021 18:02:21 +0200
+Subject: ARM: dts: stm32: fix SAI sub nodes register range
+
+From: Olivier Moysan <olivier.moysan@foss.st.com>
+
+[ Upstream commit 6f87a74d31277f0896dcf8c0850ec14bde03c423 ]
+
+The STM32 SAI subblocks registers offsets are in the range
+0x0004 (SAIx_CR1) to 0x0020 (SAIx_DR).
+The corresponding range length is 0x20 instead of 0x1c.
+Change reg property accordingly.
+
+Fixes: 5afd65c3a060 ("ARM: dts: stm32: add sai support on stm32mp157c")
+
+Signed-off-by: Olivier Moysan <olivier.moysan@foss.st.com>
+Signed-off-by: Alexandre Torgue <alexandre.torgue@foss.st.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/stm32mp151.dtsi | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/arch/arm/boot/dts/stm32mp151.dtsi b/arch/arm/boot/dts/stm32mp151.dtsi
+index b479016fef008..7a0ef01de969e 100644
+--- a/arch/arm/boot/dts/stm32mp151.dtsi
++++ b/arch/arm/boot/dts/stm32mp151.dtsi
+@@ -811,7 +811,7 @@
+ #sound-dai-cells = <0>;
+
+ compatible = "st,stm32-sai-sub-a";
+- reg = <0x4 0x1c>;
++ reg = <0x4 0x20>;
+ clocks = <&rcc SAI1_K>;
+ clock-names = "sai_ck";
+ dmas = <&dmamux1 87 0x400 0x01>;
+@@ -821,7 +821,7 @@
+ sai1b: audio-controller@4400a024 {
+ #sound-dai-cells = <0>;
+ compatible = "st,stm32-sai-sub-b";
+- reg = <0x24 0x1c>;
++ reg = <0x24 0x20>;
+ clocks = <&rcc SAI1_K>;
+ clock-names = "sai_ck";
+ dmas = <&dmamux1 88 0x400 0x01>;
+@@ -842,7 +842,7 @@
+ sai2a: audio-controller@4400b004 {
+ #sound-dai-cells = <0>;
+ compatible = "st,stm32-sai-sub-a";
+- reg = <0x4 0x1c>;
++ reg = <0x4 0x20>;
+ clocks = <&rcc SAI2_K>;
+ clock-names = "sai_ck";
+ dmas = <&dmamux1 89 0x400 0x01>;
+@@ -852,7 +852,7 @@
+ sai2b: audio-controller@4400b024 {
+ #sound-dai-cells = <0>;
+ compatible = "st,stm32-sai-sub-b";
+- reg = <0x24 0x1c>;
++ reg = <0x24 0x20>;
+ clocks = <&rcc SAI2_K>;
+ clock-names = "sai_ck";
+ dmas = <&dmamux1 90 0x400 0x01>;
+@@ -873,7 +873,7 @@
+ sai3a: audio-controller@4400c004 {
+ #sound-dai-cells = <0>;
+ compatible = "st,stm32-sai-sub-a";
+- reg = <0x04 0x1c>;
++ reg = <0x04 0x20>;
+ clocks = <&rcc SAI3_K>;
+ clock-names = "sai_ck";
+ dmas = <&dmamux1 113 0x400 0x01>;
+@@ -883,7 +883,7 @@
+ sai3b: audio-controller@4400c024 {
+ #sound-dai-cells = <0>;
+ compatible = "st,stm32-sai-sub-b";
+- reg = <0x24 0x1c>;
++ reg = <0x24 0x20>;
+ clocks = <&rcc SAI3_K>;
+ clock-names = "sai_ck";
+ dmas = <&dmamux1 114 0x400 0x01>;
+@@ -1250,7 +1250,7 @@
+ sai4a: audio-controller@50027004 {
+ #sound-dai-cells = <0>;
+ compatible = "st,stm32-sai-sub-a";
+- reg = <0x04 0x1c>;
++ reg = <0x04 0x20>;
+ clocks = <&rcc SAI4_K>;
+ clock-names = "sai_ck";
+ dmas = <&dmamux1 99 0x400 0x01>;
+@@ -1260,7 +1260,7 @@
+ sai4b: audio-controller@50027024 {
+ #sound-dai-cells = <0>;
+ compatible = "st,stm32-sai-sub-b";
+- reg = <0x24 0x1c>;
++ reg = <0x24 0x20>;
+ clocks = <&rcc SAI4_K>;
+ clock-names = "sai_ck";
+ dmas = <&dmamux1 100 0x400 0x01>;
+--
+2.33.0
+
--- /dev/null
+From 9fd3517b289eeeaedbc3e683cd061b788120829e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 14:13:24 +0200
+Subject: ARM: dts: stm32: Reduce DHCOR SPI NOR frequency to 50 MHz
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit 2012579b31293d0a8cf2024e9dab66810bf1a15e ]
+
+The SPI NOR is a bit further away from the SoC on DHCOR than on DHCOM,
+which causes additional signal delay. At 108 MHz, this delay triggers
+a sporadic issue where the first bit of RX data is not received by the
+QSPI controller.
+
+There are two options of addressing this problem, either by using the
+DLYB block to compensate the extra delay, or by reducing the QSPI bus
+clock frequency. The former requires calibration and that is overly
+complex, so opt for the second option.
+
+Fixes: 76045bc457104 ("ARM: dts: stm32: Add QSPI NOR on AV96")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Cc: Alexandre Torgue <alexandre.torgue@foss.st.com>
+Cc: Patrice Chotard <patrice.chotard@foss.st.com>
+Cc: Patrick Delaunay <patrick.delaunay@foss.st.com>
+Cc: linux-stm32@st-md-mailman.stormreply.com
+To: linux-arm-kernel@lists.infradead.org
+Signed-off-by: Alexandre Torgue <alexandre.torgue@foss.st.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/stm32mp15xx-dhcor-som.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/stm32mp15xx-dhcor-som.dtsi b/arch/arm/boot/dts/stm32mp15xx-dhcor-som.dtsi
+index a9eb82b2f1704..5af32140e128b 100644
+--- a/arch/arm/boot/dts/stm32mp15xx-dhcor-som.dtsi
++++ b/arch/arm/boot/dts/stm32mp15xx-dhcor-som.dtsi
+@@ -198,7 +198,7 @@
+ compatible = "jedec,spi-nor";
+ reg = <0>;
+ spi-rx-bus-width = <4>;
+- spi-max-frequency = <108000000>;
++ spi-max-frequency = <50000000>;
+ #address-cells = <1>;
+ #size-cells = <1>;
+ };
+--
+2.33.0
+
--- /dev/null
+From c83b22ae1da0439c92e4a88c99803e447321a14c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Sep 2021 20:35:57 +0800
+Subject: ARM: s3c: irq-s3c24xx: Fix return value check for s3c24xx_init_intc()
+
+From: Jackie Liu <liuyun01@kylinos.cn>
+
+[ Upstream commit 2aa717473ce96c93ae43a5dc8c23cedc8ce7dd9f ]
+
+The s3c24xx_init_intc() returns an error pointer upon failure, not NULL.
+let's add an error pointer check in s3c24xx_handle_irq.
+
+s3c_intc[0] is not NULL or ERR, we can simplify the code.
+
+Fixes: 1f629b7a3ced ("ARM: S3C24XX: transform irq handling into a declarative form")
+Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
+Link: https://lore.kernel.org/r/20210901123557.1043953-1-liu.yun@linux.dev
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-s3c/irq-s3c24xx.c | 22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm/mach-s3c/irq-s3c24xx.c b/arch/arm/mach-s3c/irq-s3c24xx.c
+index 79b5f19af7a52..19fb9bdf446b4 100644
+--- a/arch/arm/mach-s3c/irq-s3c24xx.c
++++ b/arch/arm/mach-s3c/irq-s3c24xx.c
+@@ -360,11 +360,25 @@ static inline int s3c24xx_handle_intc(struct s3c_irq_intc *intc,
+ asmlinkage void __exception_irq_entry s3c24xx_handle_irq(struct pt_regs *regs)
+ {
+ do {
+- if (likely(s3c_intc[0]))
+- if (s3c24xx_handle_intc(s3c_intc[0], regs, 0))
+- continue;
++ /*
++ * For platform based machines, neither ERR nor NULL can happen here.
++ * The s3c24xx_handle_irq() will be set as IRQ handler iff this succeeds:
++ *
++ * s3c_intc[0] = s3c24xx_init_intc()
++ *
++ * If this fails, the next calls to s3c24xx_init_intc() won't be executed.
++ *
++ * For DT machine, s3c_init_intc_of() could set the IRQ handler without
++ * setting s3c_intc[0] only if it was called with num_ctrl=0. There is no
++ * such code path, so again the s3c_intc[0] will have a valid pointer if
++ * set_handle_irq() is called.
++ *
++ * Therefore in s3c24xx_handle_irq(), the s3c_intc[0] is always something.
++ */
++ if (s3c24xx_handle_intc(s3c_intc[0], regs, 0))
++ continue;
+
+- if (s3c_intc[2])
++ if (!IS_ERR_OR_NULL(s3c_intc[2]))
+ if (s3c24xx_handle_intc(s3c_intc[2], regs, 64))
+ continue;
+
+--
+2.33.0
+
--- /dev/null
+From bb061c0711ea57cdef081b8f7d4696b22c5c618f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 Sep 2021 20:29:09 +0000
+Subject: arm64: dts: meson-g12a: Fix the pwm regulator supply properties
+
+From: Anand Moon <linux.amoon@gmail.com>
+
+[ Upstream commit 085675117ecf5e02c4220698fd549024ec64ad2c ]
+
+After enabling CONFIG_REGULATOR_DEBUG=y we observe below debug logs.
+Changes help link VDDCPU pwm regulator to 12V regulator supply
+instead of dummy regulator.
+
+[ 11.602281] pwm-regulator regulator-vddcpu: Looking up pwm-supply property
+ in node /regulator-vddcpu failed
+[ 11.602344] VDDCPU: supplied by regulator-dummy
+[ 11.602365] regulator-dummy: could not add device link regulator.11: -ENOENT
+[ 11.602548] VDDCPU: 721 <--> 1022 mV at 1022 mV, enabled
+
+Fixes: e9bc0765cc12 ("arm64: dts: meson-g12a: enable DVFS on G12A boards")
+
+Cc: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: Anand Moon <linux.amoon@gmail.com>
+Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Link: https://lore.kernel.org/r/20210919202918.3556-2-linux.amoon@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/amlogic/meson-g12a-sei510.dts | 2 +-
+ arch/arm64/boot/dts/amlogic/meson-g12a-u200.dts | 2 +-
+ arch/arm64/boot/dts/amlogic/meson-g12a-x96-max.dts | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/amlogic/meson-g12a-sei510.dts b/arch/arm64/boot/dts/amlogic/meson-g12a-sei510.dts
+index b00d0468c7534..4d5b3e514b514 100644
+--- a/arch/arm64/boot/dts/amlogic/meson-g12a-sei510.dts
++++ b/arch/arm64/boot/dts/amlogic/meson-g12a-sei510.dts
+@@ -139,7 +139,7 @@
+ regulator-min-microvolt = <721000>;
+ regulator-max-microvolt = <1022000>;
+
+- vin-supply = <&dc_in>;
++ pwm-supply = <&dc_in>;
+
+ pwms = <&pwm_AO_cd 1 1250 0>;
+ pwm-dutycycle-range = <100 0>;
+diff --git a/arch/arm64/boot/dts/amlogic/meson-g12a-u200.dts b/arch/arm64/boot/dts/amlogic/meson-g12a-u200.dts
+index a26bfe72550fe..4b5d11e56364d 100644
+--- a/arch/arm64/boot/dts/amlogic/meson-g12a-u200.dts
++++ b/arch/arm64/boot/dts/amlogic/meson-g12a-u200.dts
+@@ -139,7 +139,7 @@
+ regulator-min-microvolt = <721000>;
+ regulator-max-microvolt = <1022000>;
+
+- vin-supply = <&main_12v>;
++ pwm-supply = <&main_12v>;
+
+ pwms = <&pwm_AO_cd 1 1250 0>;
+ pwm-dutycycle-range = <100 0>;
+diff --git a/arch/arm64/boot/dts/amlogic/meson-g12a-x96-max.dts b/arch/arm64/boot/dts/amlogic/meson-g12a-x96-max.dts
+index 463a72d6bb7c7..26b5d9327324a 100644
+--- a/arch/arm64/boot/dts/amlogic/meson-g12a-x96-max.dts
++++ b/arch/arm64/boot/dts/amlogic/meson-g12a-x96-max.dts
+@@ -139,7 +139,7 @@
+ regulator-min-microvolt = <721000>;
+ regulator-max-microvolt = <1022000>;
+
+- vin-supply = <&dc_in>;
++ pwm-supply = <&dc_in>;
+
+ pwms = <&pwm_AO_cd 1 1250 0>;
+ pwm-dutycycle-range = <100 0>;
+--
+2.33.0
+
--- /dev/null
+From a97db19b8a8d97bf9e75f1c2fbf5246f3e37ea7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 Sep 2021 20:29:10 +0000
+Subject: arm64: dts: meson-g12b: Fix the pwm regulator supply properties
+
+From: Anand Moon <linux.amoon@gmail.com>
+
+[ Upstream commit 62183863f708c2464769e0d477c8ce9f3d326feb ]
+
+After enabling CONFIG_REGULATOR_DEBUG=y we observer below debug logs.
+Changes help link VDDCP_A and VDDCPU_B pwm regulator to 12V regulator
+supply instead of dummy regulator.
+
+[ 4.147196] VDDCPU_A: will resolve supply early: pwm
+[ 4.147216] pwm-regulator regulator-vddcpu-a: Looking up pwm-supply from device tree
+[ 4.147227] pwm-regulator regulator-vddcpu-a: Looking up pwm-supply property in node /regulator-vddcpu-a failed
+[ 4.147258] VDDCPU_A: supplied by regulator-dummy
+[ 4.147288] regulator-dummy: could not add device link regulator.12: -ENOENT
+[ 4.147353] VDDCPU_A: 721 <--> 1022 mV at 871 mV, enabled
+[ 4.152014] VDDCPU_B: will resolve supply early: pwm
+[ 4.152035] pwm-regulator regulator-vddcpu-b: Looking up pwm-supply from device tree
+[ 4.152047] pwm-regulator regulator-vddcpu-b: Looking up pwm-supply property in node /regulator-vddcpu-b failed
+[ 4.152079] VDDCPU_B: supplied by regulator-dummy
+[ 4.152108] regulator-dummy: could not add device link regulator.13: -ENOENT
+
+Fixes: c6d29c66e582 ("arm64: dts: meson-g12b-khadas-vim3: add initial device-tree")
+Fixes: d14734a04a8a ("arm64: dts: meson-g12b-odroid-n2: enable DVFS")
+Fixes: 3cb74db9b256 ("arm64: dts: meson: convert ugoos-am6 to common w400 dtsi")
+
+Cc: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: Anand Moon <linux.amoon@gmail.com>
+Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Link: https://lore.kernel.org/r/20210919202918.3556-3-linux.amoon@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/amlogic/meson-g12b-khadas-vim3.dtsi | 4 ++--
+ arch/arm64/boot/dts/amlogic/meson-g12b-odroid-n2.dtsi | 4 ++--
+ arch/arm64/boot/dts/amlogic/meson-g12b-w400.dtsi | 4 ++--
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/amlogic/meson-g12b-khadas-vim3.dtsi b/arch/arm64/boot/dts/amlogic/meson-g12b-khadas-vim3.dtsi
+index f42cf4b8af2d4..16dd409051b40 100644
+--- a/arch/arm64/boot/dts/amlogic/meson-g12b-khadas-vim3.dtsi
++++ b/arch/arm64/boot/dts/amlogic/meson-g12b-khadas-vim3.dtsi
+@@ -18,7 +18,7 @@
+ regulator-min-microvolt = <690000>;
+ regulator-max-microvolt = <1050000>;
+
+- vin-supply = <&dc_in>;
++ pwm-supply = <&dc_in>;
+
+ pwms = <&pwm_ab 0 1250 0>;
+ pwm-dutycycle-range = <100 0>;
+@@ -37,7 +37,7 @@
+ regulator-min-microvolt = <690000>;
+ regulator-max-microvolt = <1050000>;
+
+- vin-supply = <&vsys_3v3>;
++ pwm-supply = <&vsys_3v3>;
+
+ pwms = <&pwm_AO_cd 1 1250 0>;
+ pwm-dutycycle-range = <100 0>;
+diff --git a/arch/arm64/boot/dts/amlogic/meson-g12b-odroid-n2.dtsi b/arch/arm64/boot/dts/amlogic/meson-g12b-odroid-n2.dtsi
+index 39a09661c5f62..59b5f39088757 100644
+--- a/arch/arm64/boot/dts/amlogic/meson-g12b-odroid-n2.dtsi
++++ b/arch/arm64/boot/dts/amlogic/meson-g12b-odroid-n2.dtsi
+@@ -128,7 +128,7 @@
+ regulator-min-microvolt = <721000>;
+ regulator-max-microvolt = <1022000>;
+
+- vin-supply = <&main_12v>;
++ pwm-supply = <&main_12v>;
+
+ pwms = <&pwm_ab 0 1250 0>;
+ pwm-dutycycle-range = <100 0>;
+@@ -147,7 +147,7 @@
+ regulator-min-microvolt = <721000>;
+ regulator-max-microvolt = <1022000>;
+
+- vin-supply = <&main_12v>;
++ pwm-supply = <&main_12v>;
+
+ pwms = <&pwm_AO_cd 1 1250 0>;
+ pwm-dutycycle-range = <100 0>;
+diff --git a/arch/arm64/boot/dts/amlogic/meson-g12b-w400.dtsi b/arch/arm64/boot/dts/amlogic/meson-g12b-w400.dtsi
+index feb0885047400..b40d2c1002c92 100644
+--- a/arch/arm64/boot/dts/amlogic/meson-g12b-w400.dtsi
++++ b/arch/arm64/boot/dts/amlogic/meson-g12b-w400.dtsi
+@@ -96,7 +96,7 @@
+ regulator-min-microvolt = <721000>;
+ regulator-max-microvolt = <1022000>;
+
+- vin-supply = <&main_12v>;
++ pwm-supply = <&main_12v>;
+
+ pwms = <&pwm_ab 0 1250 0>;
+ pwm-dutycycle-range = <100 0>;
+@@ -115,7 +115,7 @@
+ regulator-min-microvolt = <721000>;
+ regulator-max-microvolt = <1022000>;
+
+- vin-supply = <&main_12v>;
++ pwm-supply = <&main_12v>;
+
+ pwms = <&pwm_AO_cd 1 1250 0>;
+ pwm-dutycycle-range = <100 0>;
+--
+2.33.0
+
--- /dev/null
+From 84e0af97903026266c1d28e25e5b02b10260e487 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Aug 2021 20:18:10 +0200
+Subject: arm64: dts: qcom: msm8916: Fix Secondary MI2S bit clock
+
+From: Stephan Gerhold <stephan@gerhold.net>
+
+[ Upstream commit 8199a0b31e76d158ac14841e7119890461f8c595 ]
+
+At the moment, playing audio on Secondary MI2S will just end up getting
+stuck, without actually playing any audio. This happens because the wrong
+bit clock is configured when playing audio on Secondary MI2S.
+
+The PRI_I2S_CLK (better name: SPKR_I2S_CLK) is used by the SPKR audio mux
+block that provides both Primary and Secondary MI2S.
+
+The SEC_I2S_CLK (better name: MIC_I2S_CLK) is used by the MIC audio mux
+block that provides Tertiary MI2S. Quaternary MI2S is also part of the
+MIC audio mux but has its own clock (AUX_I2S_CLK).
+
+This means that (quite confusingly) the SEC_I2S_CLK is not actually
+used for Secondary MI2S as the name would suggest. Secondary MI2S
+needs to have the same clock as Primary MI2S configured.
+
+Fix the clock list for the lpass node in the device tree and add
+a comment to clarify this confusing naming. With these changes,
+audio can be played correctly on Secondary MI2S.
+
+Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Fixes: 3761a3618f55 ("arm64: dts: qcom: add lpass node")
+Tested-by: Vincent Knecht <vincent.knecht@mailoo.org>
+Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Link: https://lore.kernel.org/r/20210816181810.2242-1-stephan@gerhold.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/msm8916.dtsi | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/msm8916.dtsi b/arch/arm64/boot/dts/qcom/msm8916.dtsi
+index 0e34ed48b9fae..b1ffc056eea0b 100644
+--- a/arch/arm64/boot/dts/qcom/msm8916.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi
+@@ -1322,11 +1322,17 @@
+ lpass: audio-controller@7708000 {
+ status = "disabled";
+ compatible = "qcom,lpass-cpu-apq8016";
++
++ /*
++ * Note: Unlike the name would suggest, the SEC_I2S_CLK
++ * is actually only used by Tertiary MI2S while
++ * Primary/Secondary MI2S both use the PRI_I2S_CLK.
++ */
+ clocks = <&gcc GCC_ULTAUDIO_AHBFABRIC_IXFABRIC_CLK>,
+ <&gcc GCC_ULTAUDIO_PCNOC_MPORT_CLK>,
+ <&gcc GCC_ULTAUDIO_PCNOC_SWAY_CLK>,
+ <&gcc GCC_ULTAUDIO_LPAIF_PRI_I2S_CLK>,
+- <&gcc GCC_ULTAUDIO_LPAIF_SEC_I2S_CLK>,
++ <&gcc GCC_ULTAUDIO_LPAIF_PRI_I2S_CLK>,
+ <&gcc GCC_ULTAUDIO_LPAIF_SEC_I2S_CLK>,
+ <&gcc GCC_ULTAUDIO_LPAIF_AUX_I2S_CLK>;
+
+--
+2.33.0
+
--- /dev/null
+From 19f2665e17404bfab6e233e3c009a2911436666e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Sep 2021 13:29:43 +0200
+Subject: arm64: dts: qcom: pm8916: Remove wrong reg-names for rtc@6000
+
+From: Stephan Gerhold <stephan@gerhold.net>
+
+[ Upstream commit 483de2b44cd3a168458f8f9ff237e78a434729bc ]
+
+While removing the size from the "reg" properties in pm8916.dtsi,
+commit bd6429e81010 ("ARM64: dts: qcom: Remove size elements from
+pmic reg properties") mistakenly also removed the second register
+address for the rtc@6000 device. That one did not represent the size
+of the register region but actually the address of the second "alarm"
+register region of the rtc@6000 device.
+
+Now there are "reg-names" for two "reg" elements, but there is actually
+only one "reg" listed.
+
+Since the DT schema for "qcom,pm8941-rtc" only expects one "reg"
+element anyway, just drop the "reg-names" entirely to fix this.
+
+Fixes: bd6429e81010 ("ARM64: dts: qcom: Remove size elements from pmic reg properties")
+Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Link: https://lore.kernel.org/r/20210928112945.25310-1-stephan@gerhold.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/pm8916.dtsi | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/pm8916.dtsi b/arch/arm64/boot/dts/qcom/pm8916.dtsi
+index f931cb0de231f..42180f1b5dbbb 100644
+--- a/arch/arm64/boot/dts/qcom/pm8916.dtsi
++++ b/arch/arm64/boot/dts/qcom/pm8916.dtsi
+@@ -86,7 +86,6 @@
+ rtc@6000 {
+ compatible = "qcom,pm8941-rtc";
+ reg = <0x6000>;
+- reg-names = "rtc", "alarm";
+ interrupts = <0x0 0x61 0x1 IRQ_TYPE_EDGE_RISING>;
+ };
+
+--
+2.33.0
+
--- /dev/null
+From ebe549eacc237d6db28c2e66b4038174e859cdf8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Sep 2021 08:50:23 +0200
+Subject: arm64: dts: renesas: beacon: Fix Ethernet PHY mode
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 59a8bda062f8646d99ff8c4956adf37dee1cb75e ]
+
+While networking works fine in RGMII mode when using the Linux generic
+PHY driver, it fails when using the Atheros PHY driver.
+Fix this by correcting the Ethernet PHY mode to RGMII-RXID, which works
+fine with both drivers.
+
+Fixes: a5200e63af57d05e ("arm64: dts: renesas: rzg2: Convert EtherAVB to explicit delay handling")
+Reported-by: Adam Ford <aford173@gmail.com>
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/2a4c15b2df23bb63f15abf9dfb88860477f4f523.1632465965.git.geert+renesas@glider.be
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/beacon-renesom-som.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/renesas/beacon-renesom-som.dtsi b/arch/arm64/boot/dts/renesas/beacon-renesom-som.dtsi
+index 3c73dfc430afc..929c7910c68df 100644
+--- a/arch/arm64/boot/dts/renesas/beacon-renesom-som.dtsi
++++ b/arch/arm64/boot/dts/renesas/beacon-renesom-som.dtsi
+@@ -54,6 +54,7 @@
+ &avb {
+ pinctrl-0 = <&avb_pins>;
+ pinctrl-names = "default";
++ phy-mode = "rgmii-rxid";
+ phy-handle = <&phy0>;
+ rx-internal-delay-ps = <1800>;
+ tx-internal-delay-ps = <2000>;
+--
+2.33.0
+
--- /dev/null
+From 3564b934d97b6eeb4681980d30b2ca44a47db877 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jun 2021 13:59:26 +0200
+Subject: arm64: dts: rockchip: Fix GPU register width for RK3328
+
+From: Alex Bee <knaerzche@gmail.com>
+
+[ Upstream commit 932b4610f55b49f3a158b0db451137bab7ed0e1f ]
+
+As can be seen in RK3328's TRM the register range for the GPU is
+0xff300000 to 0xff330000.
+It would (and does in vendor kernel) overlap with the registers of
+the HEVC encoder (node/driver do not exist yet in upstream kernel).
+See already existing h265e_mmu node.
+
+Fixes: 752fbc0c8da7 ("arm64: dts: rockchip: add rk3328 mali gpu node")
+Signed-off-by: Alex Bee <knaerzche@gmail.com>
+Link: https://lore.kernel.org/r/20210623115926.164861-1-knaerzche@gmail.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3328.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3328.dtsi b/arch/arm64/boot/dts/rockchip/rk3328.dtsi
+index e546c9d1d6463..72112fe05a5c4 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3328.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3328.dtsi
+@@ -603,7 +603,7 @@
+
+ gpu: gpu@ff300000 {
+ compatible = "rockchip,rk3328-mali", "arm,mali-450";
+- reg = <0x0 0xff300000 0x0 0x40000>;
++ reg = <0x0 0xff300000 0x0 0x30000>;
+ interrupts = <GIC_SPI 90 IRQ_TYPE_LEVEL_HIGH>,
+ <GIC_SPI 87 IRQ_TYPE_LEVEL_HIGH>,
+ <GIC_SPI 93 IRQ_TYPE_LEVEL_HIGH>,
+--
+2.33.0
+
--- /dev/null
+From 81257dc5e9a4bddc1f3923a5fa0bc424b9c25e40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Sep 2021 11:23:54 +0530
+Subject: arm64: dts: ti: k3-j721e-main: Fix "bus-range" upto 256 bus number
+ for PCIe
+
+From: Kishon Vijay Abraham I <kishon@ti.com>
+
+[ Upstream commit 5f46633565b1c1e1840a927676065d72b442dac4 ]
+
+commit 4e5833884f66 ("arm64: dts: ti: k3-j721e-main: Add PCIe device
+tree nodes") restricted PCIe bus numbers from 0 to 15 (due to SMMU
+restriction in J721E). However since SMMU is not enabled, allow the full
+supported bus numbers from 0 to 255.
+
+Fixes: 4e5833884f66 ("arm64: dts: ti: k3-j721e-main: Add PCIe device tree nodes")
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Reviewed-by: Aswath Govindraju <a-govindraju@ti.com>
+Signed-off-by: Nishanth Menon <nm@ti.com>
+Link: https://lore.kernel.org/r/20210915055358.19997-3-kishon@ti.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/ti/k3-j721e-main.dtsi | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi b/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi
+index 4e010253b028a..85526f72b4616 100644
+--- a/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi
++++ b/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi
+@@ -629,7 +629,7 @@
+ clock-names = "fck";
+ #address-cells = <3>;
+ #size-cells = <2>;
+- bus-range = <0x0 0xf>;
++ bus-range = <0x0 0xff>;
+ vendor-id = <0x104c>;
+ device-id = <0xb00d>;
+ msi-map = <0x0 &gic_its 0x0 0x10000>;
+@@ -678,7 +678,7 @@
+ clock-names = "fck";
+ #address-cells = <3>;
+ #size-cells = <2>;
+- bus-range = <0x0 0xf>;
++ bus-range = <0x0 0xff>;
+ vendor-id = <0x104c>;
+ device-id = <0xb00d>;
+ msi-map = <0x0 &gic_its 0x10000 0x10000>;
+@@ -727,7 +727,7 @@
+ clock-names = "fck";
+ #address-cells = <3>;
+ #size-cells = <2>;
+- bus-range = <0x0 0xf>;
++ bus-range = <0x0 0xff>;
+ vendor-id = <0x104c>;
+ device-id = <0xb00d>;
+ msi-map = <0x0 &gic_its 0x20000 0x10000>;
+@@ -776,7 +776,7 @@
+ clock-names = "fck";
+ #address-cells = <3>;
+ #size-cells = <2>;
+- bus-range = <0x0 0xf>;
++ bus-range = <0x0 0xff>;
+ vendor-id = <0x104c>;
+ device-id = <0xb00d>;
+ msi-map = <0x0 &gic_its 0x30000 0x10000>;
+--
+2.33.0
+
--- /dev/null
+From 17a4ec58a4b5313e3b932c45e3ac48c3ae4442ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Sep 2021 11:23:53 +0530
+Subject: arm64: dts: ti: k3-j721e-main: Fix "max-virtual-functions" in PCIe EP
+ nodes
+
+From: Kishon Vijay Abraham I <kishon@ti.com>
+
+[ Upstream commit 9af3ef954975c383eeb667aee207d9ce6fbef8c4 ]
+
+commit 4e5833884f66 ("arm64: dts: ti: k3-j721e-main: Add PCIe device
+tree nodes") added "max-virtual-functions" to have 16 bit values.
+Fix "max-virtual-functions" in PCIe endpoint (EP) nodes to have 8 bit
+values instead of 16.
+
+Fixes: 4e5833884f66 ("arm64: dts: ti: k3-j721e-main: Add PCIe device tree nodes")
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Reviewed-by: Aswath Govindraju <a-govindraju@ti.com>
+Signed-off-by: Nishanth Menon <nm@ti.com>
+Link: https://lore.kernel.org/r/20210915055358.19997-2-kishon@ti.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/ti/k3-j721e-main.dtsi | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi b/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi
+index 6ffdebd601223..4e010253b028a 100644
+--- a/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi
++++ b/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi
+@@ -656,7 +656,7 @@
+ clock-names = "fck";
+ cdns,max-outbound-regions = <16>;
+ max-functions = /bits/ 8 <6>;
+- max-virtual-functions = /bits/ 16 <4 4 4 4 0 0>;
++ max-virtual-functions = /bits/ 8 <4 4 4 4 0 0>;
+ dma-coherent;
+ };
+
+@@ -705,7 +705,7 @@
+ clock-names = "fck";
+ cdns,max-outbound-regions = <16>;
+ max-functions = /bits/ 8 <6>;
+- max-virtual-functions = /bits/ 16 <4 4 4 4 0 0>;
++ max-virtual-functions = /bits/ 8 <4 4 4 4 0 0>;
+ dma-coherent;
+ };
+
+@@ -754,7 +754,7 @@
+ clock-names = "fck";
+ cdns,max-outbound-regions = <16>;
+ max-functions = /bits/ 8 <6>;
+- max-virtual-functions = /bits/ 16 <4 4 4 4 0 0>;
++ max-virtual-functions = /bits/ 8 <4 4 4 4 0 0>;
+ dma-coherent;
+ };
+
+@@ -803,7 +803,7 @@
+ clock-names = "fck";
+ cdns,max-outbound-regions = <16>;
+ max-functions = /bits/ 8 <6>;
+- max-virtual-functions = /bits/ 16 <4 4 4 4 0 0>;
++ max-virtual-functions = /bits/ 8 <4 4 4 4 0 0>;
+ dma-coherent;
+ #address-cells = <2>;
+ #size-cells = <2>;
+--
+2.33.0
+
--- /dev/null
+From 700089fa5f30a5c351e1e401c2249ae828c83098 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Sep 2021 11:51:49 -0700
+Subject: arm64: mm: update max_pfn after memory hotplug
+
+From: Sudarshan Rajagopalan <quic_sudaraja@quicinc.com>
+
+[ Upstream commit 8fac67ca236b961b573355e203dbaf62a706a2e5 ]
+
+After new memory blocks have been hotplugged, max_pfn and max_low_pfn
+needs updating to reflect on new PFNs being hot added to system.
+Without this patch, debug-related functions that use max_pfn such as
+get_max_dump_pfn() or read_page_owner() will not work with any page in
+memory that is hot-added after boot.
+
+Fixes: 4ab215061554 ("arm64: Add memory hotplug support")
+Signed-off-by: Sudarshan Rajagopalan <quic_sudaraja@quicinc.com>
+Signed-off-by: Chris Goldsworthy <quic_cgoldswo@quicinc.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Cc: Florian Fainelli <f.fainelli@gmail.com>
+Cc: Georgi Djakov <quic_c_gdjako@quicinc.com>
+Tested-by: Georgi Djakov <quic_c_gdjako@quicinc.com>
+Link: https://lore.kernel.org/r/a51a27ee7be66024b5ce626310d673f24107bcb8.1632853776.git.quic_cgoldswo@quicinc.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/mm/mmu.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
+index 58dc93e566179..2601a514d8c4a 100644
+--- a/arch/arm64/mm/mmu.c
++++ b/arch/arm64/mm/mmu.c
+@@ -1492,6 +1492,11 @@ int arch_add_memory(int nid, u64 start, u64 size,
+ if (ret)
+ __remove_pgd_mapping(swapper_pg_dir,
+ __phys_to_virt(start), size);
++ else {
++ max_pfn = PFN_UP(start + size);
++ max_low_pfn = max_pfn;
++ }
++
+ return ret;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 055f446db4d776b0fcacaf5475cfd331ada07f0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Nov 2021 08:54:03 +0100
+Subject: arm64: pgtable: make __pte_to_phys/__phys_to_pte_val inline functions
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit c7c386fbc20262c1d911c615c65db6a58667d92c ]
+
+gcc warns about undefined behavior the vmalloc code when building
+with CONFIG_ARM64_PA_BITS_52, when the 'idx++' in the argument to
+__phys_to_pte_val() is evaluated twice:
+
+mm/vmalloc.c: In function 'vmap_pfn_apply':
+mm/vmalloc.c:2800:58: error: operation on 'data->idx' may be undefined [-Werror=sequence-point]
+ 2800 | *pte = pte_mkspecial(pfn_pte(data->pfns[data->idx++], data->prot));
+ | ~~~~~~~~~^~
+arch/arm64/include/asm/pgtable-types.h:25:37: note: in definition of macro '__pte'
+ 25 | #define __pte(x) ((pte_t) { (x) } )
+ | ^
+arch/arm64/include/asm/pgtable.h:80:15: note: in expansion of macro '__phys_to_pte_val'
+ 80 | __pte(__phys_to_pte_val((phys_addr_t)(pfn) << PAGE_SHIFT) | pgprot_val(prot))
+ | ^~~~~~~~~~~~~~~~~
+mm/vmalloc.c:2800:30: note: in expansion of macro 'pfn_pte'
+ 2800 | *pte = pte_mkspecial(pfn_pte(data->pfns[data->idx++], data->prot));
+ | ^~~~~~~
+
+I have no idea why this never showed up earlier, but the safest
+workaround appears to be changing those macros into inline functions
+so the arguments get evaluated only once.
+
+Cc: Matthew Wilcox <willy@infradead.org>
+Fixes: 75387b92635e ("arm64: handle 52-bit physical addresses in page table entries")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20211105075414.2553155-1-arnd@kernel.org
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/pgtable.h | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h
+index 10ffbc96ac31f..f3a70dc7c5942 100644
+--- a/arch/arm64/include/asm/pgtable.h
++++ b/arch/arm64/include/asm/pgtable.h
+@@ -69,9 +69,15 @@ extern unsigned long empty_zero_page[PAGE_SIZE / sizeof(unsigned long)];
+ * page table entry, taking care of 52-bit addresses.
+ */
+ #ifdef CONFIG_ARM64_PA_BITS_52
+-#define __pte_to_phys(pte) \
+- ((pte_val(pte) & PTE_ADDR_LOW) | ((pte_val(pte) & PTE_ADDR_HIGH) << 36))
+-#define __phys_to_pte_val(phys) (((phys) | ((phys) >> 36)) & PTE_ADDR_MASK)
++static inline phys_addr_t __pte_to_phys(pte_t pte)
++{
++ return (pte_val(pte) & PTE_ADDR_LOW) |
++ ((pte_val(pte) & PTE_ADDR_HIGH) << 36);
++}
++static inline pteval_t __phys_to_pte_val(phys_addr_t phys)
++{
++ return (phys | (phys >> 36)) & PTE_ADDR_MASK;
++}
+ #else
+ #define __pte_to_phys(pte) (pte_val(pte) & PTE_ADDR_MASK)
+ #define __phys_to_pte_val(phys) (phys)
+--
+2.33.0
+
--- /dev/null
+From a609d2137d1384926dd4afba1def8c28d436672f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Oct 2021 15:09:01 +0100
+Subject: ASoC: cs42l42: Correct configuring of switch inversion from ts-inv
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit 778a0cbef5fb76bf506f84938517bb77e7a1c478 ]
+
+The setting from the cirrus,ts-inv property should be applied to the
+TIP_SENSE_INV bit, as this is the one that actually affects the jack
+detect block. The TS_INV bit only swaps the meaning of the PLUG and
+UNPLUG interrupts and should always be 1 for the interrupts to have
+the normal meaning.
+
+Due to some misunderstanding the driver had been implemented to
+configure the TS_INV bit based on the jack switch polarity. This made
+the interrupts behave the correct way around, but left the jack detect
+block, button detect and analogue circuits always interpreting an open
+switch as unplugged.
+
+The signal chain inside the codec is:
+
+SENSE pin -> TIP_SENSE_INV -> TS_INV -> (invert) -> interrupts
+ |
+ v
+ Jack detect,
+ button detect and
+ analog control
+
+As the TIP_SENSE_INV already performs the necessary inversion the
+TS_INV bit never needs to change. It must always be 1 to yield the
+expected interrupt behaviour.
+
+Some extra confusion has arisen because of the additional invert in the
+interrupt path, meaning that a value applied to the TS_INV bit produces
+the opposite effect of applying it to the TIP_SENSE_INV bit. The ts-inv
+property has therefore always had the opposite effect to what might be
+expected (0 = inverted, 1 = not inverted). To maintain the meaning of
+the ts-inv property it must be inverted when applied to TIP_SENSE_INV.
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
+Link: https://lore.kernel.org/r/20211028140902.11786-3-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l42.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index e56d3c9c39756..54c1ede59b8b7 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -1529,12 +1529,15 @@ static void cs42l42_setup_hs_type_detect(struct cs42l42_private *cs42l42)
+ (1 << CS42L42_HS_CLAMP_DISABLE_SHIFT));
+
+ /* Enable the tip sense circuit */
++ regmap_update_bits(cs42l42->regmap, CS42L42_TSENSE_CTL,
++ CS42L42_TS_INV_MASK, CS42L42_TS_INV_MASK);
++
+ regmap_update_bits(cs42l42->regmap, CS42L42_TIPSENSE_CTL,
+ CS42L42_TIP_SENSE_CTRL_MASK |
+ CS42L42_TIP_SENSE_INV_MASK |
+ CS42L42_TIP_SENSE_DEBOUNCE_MASK,
+ (3 << CS42L42_TIP_SENSE_CTRL_SHIFT) |
+- (0 << CS42L42_TIP_SENSE_INV_SHIFT) |
++ (!cs42l42->ts_inv << CS42L42_TIP_SENSE_INV_SHIFT) |
+ (2 << CS42L42_TIP_SENSE_DEBOUNCE_SHIFT));
+
+ /* Save the initial status of the tip sense */
+@@ -1578,10 +1581,6 @@ static int cs42l42_handle_device_data(struct device *dev,
+ cs42l42->ts_inv = CS42L42_TS_INV_DIS;
+ }
+
+- regmap_update_bits(cs42l42->regmap, CS42L42_TSENSE_CTL,
+- CS42L42_TS_INV_MASK,
+- (cs42l42->ts_inv << CS42L42_TS_INV_SHIFT));
+-
+ ret = device_property_read_u32(dev, "cirrus,ts-dbnc-rise", &val);
+ if (!ret) {
+ switch (val) {
+--
+2.33.0
+
--- /dev/null
+From 99d642ab85c5c8f80fe75f6942a401f2f2090baf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Oct 2021 14:36:06 +0100
+Subject: ASoC: cs42l42: Correct some register default values
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit d591d4b32aa9552af14a0c7c586a2d3fe9ecc6e0 ]
+
+Some registers had wrong default values in cs42l42_reg_defaults[].
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
+Link: https://lore.kernel.org/r/20211015133619.4698-4-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l42.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index 828dc78202e8b..8e44d0f34194e 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -91,7 +91,7 @@ static const struct reg_default cs42l42_reg_defaults[] = {
+ { CS42L42_ASP_RX_INT_MASK, 0x1F },
+ { CS42L42_ASP_TX_INT_MASK, 0x0F },
+ { CS42L42_CODEC_INT_MASK, 0x03 },
+- { CS42L42_SRCPL_INT_MASK, 0xFF },
++ { CS42L42_SRCPL_INT_MASK, 0x7F },
+ { CS42L42_VPMON_INT_MASK, 0x01 },
+ { CS42L42_PLL_LOCK_INT_MASK, 0x01 },
+ { CS42L42_TSRS_PLUG_INT_MASK, 0x0F },
+@@ -128,7 +128,7 @@ static const struct reg_default cs42l42_reg_defaults[] = {
+ { CS42L42_MIXER_CHA_VOL, 0x3F },
+ { CS42L42_MIXER_ADC_VOL, 0x3F },
+ { CS42L42_MIXER_CHB_VOL, 0x3F },
+- { CS42L42_EQ_COEF_IN0, 0x22 },
++ { CS42L42_EQ_COEF_IN0, 0x00 },
+ { CS42L42_EQ_COEF_IN1, 0x00 },
+ { CS42L42_EQ_COEF_IN2, 0x00 },
+ { CS42L42_EQ_COEF_IN3, 0x00 },
+--
+2.33.0
+
--- /dev/null
+From 0d7717c94bffc27b8e94d2270e89b4ca759667b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Oct 2021 14:36:08 +0100
+Subject: ASoC: cs42l42: Defer probe if request_threaded_irq() returns
+ EPROBE_DEFER
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit 0306988789d9d91a18ff70bd2bf165d3ae0ef1dd ]
+
+The driver can run without an interrupt so if devm_request_threaded_irq()
+failed, the probe() just carried on. But if this was EPROBE_DEFER the
+driver would continue without an interrupt instead of deferring to wait
+for the interrupt to become available.
+
+Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Link: https://lore.kernel.org/r/20211015133619.4698-6-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l42.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index 8e44d0f34194e..191431868c678 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -1796,8 +1796,9 @@ static int cs42l42_i2c_probe(struct i2c_client *i2c_client,
+ NULL, cs42l42_irq_thread,
+ IRQF_ONESHOT | IRQF_TRIGGER_LOW,
+ "cs42l42", cs42l42);
+-
+- if (ret != 0)
++ if (ret == -EPROBE_DEFER)
++ goto err_disable;
++ else if (ret != 0)
+ dev_err(&i2c_client->dev,
+ "Failed to request IRQ: %d\n", ret);
+
+--
+2.33.0
+
--- /dev/null
+From 81b00696ffb18b115424566271caf104fd2ef375 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Mar 2021 18:55:45 +0000
+Subject: ASoC: cs42l42: Disable regulators if probe fails
+
+From: Lucas Tanure <tanureal@opensource.cirrus.com>
+
+[ Upstream commit 1abca8e1c77bd9c5f5c0bed21c5b075b6852a178 ]
+
+In case of cs42l42_i2c_probe() fail, the regulators were left enabled.
+
+Signed-off-by: Lucas Tanure <tanureal@opensource.cirrus.com>
+Link: https://lore.kernel.org/r/20210306185553.62053-8-tanureal@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l42.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index 191431868c678..eb1fcc5be0573 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -1781,8 +1781,10 @@ static int cs42l42_i2c_probe(struct i2c_client *i2c_client,
+ /* Reset the Device */
+ cs42l42->reset_gpio = devm_gpiod_get_optional(&i2c_client->dev,
+ "reset", GPIOD_OUT_LOW);
+- if (IS_ERR(cs42l42->reset_gpio))
+- return PTR_ERR(cs42l42->reset_gpio);
++ if (IS_ERR(cs42l42->reset_gpio)) {
++ ret = PTR_ERR(cs42l42->reset_gpio);
++ goto err_disable;
++ }
+
+ if (cs42l42->reset_gpio) {
+ dev_dbg(&i2c_client->dev, "Found reset GPIO\n");
+@@ -1817,13 +1819,13 @@ static int cs42l42_i2c_probe(struct i2c_client *i2c_client,
+ dev_err(&i2c_client->dev,
+ "CS42L42 Device ID (%X). Expected %X\n",
+ devid, CS42L42_CHIP_ID);
+- return ret;
++ goto err_disable;
+ }
+
+ ret = regmap_read(cs42l42->regmap, CS42L42_REVID, ®);
+ if (ret < 0) {
+ dev_err(&i2c_client->dev, "Get Revision ID failed\n");
+- return ret;
++ goto err_disable;
+ }
+
+ dev_info(&i2c_client->dev,
+@@ -1849,7 +1851,7 @@ static int cs42l42_i2c_probe(struct i2c_client *i2c_client,
+ if (i2c_client->dev.of_node) {
+ ret = cs42l42_handle_device_data(i2c_client, cs42l42);
+ if (ret != 0)
+- return ret;
++ goto err_disable;
+ }
+
+ /* Setup headset detection */
+--
+2.33.0
+
--- /dev/null
+From 64fc5c96c323fab38f79246d7e9948b71f791a22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Apr 2021 16:53:02 +0100
+Subject: ASoC: cs42l42: Use device_property API instead of of_property
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit ab78322a0dc8e5e472ff66ac7e18c94acc17587f ]
+
+Use the device_property APIs so that the code will work on devicetree
+and ACPI systems.
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Signed-off-by: Lucas Tanure <tanureal@opensource.cirrus.com>
+Link: https://lore.kernel.org/r/20210426155303.853236-2-tanureal@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l42.c | 60 +++++++++++++++-----------------------
+ 1 file changed, 24 insertions(+), 36 deletions(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index eb1fcc5be0573..e56d3c9c39756 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -20,10 +20,9 @@
+ #include <linux/regmap.h>
+ #include <linux/slab.h>
+ #include <linux/platform_device.h>
++#include <linux/property.h>
+ #include <linux/regulator/consumer.h>
+ #include <linux/gpio/consumer.h>
+-#include <linux/of.h>
+-#include <linux/of_gpio.h>
+ #include <linux/of_device.h>
+ #include <sound/core.h>
+ #include <sound/pcm.h>
+@@ -1554,17 +1553,15 @@ static const unsigned int threshold_defaults[] = {
+ CS42L42_HS_DET_LEVEL_1
+ };
+
+-static int cs42l42_handle_device_data(struct i2c_client *i2c_client,
++static int cs42l42_handle_device_data(struct device *dev,
+ struct cs42l42_private *cs42l42)
+ {
+- struct device_node *np = i2c_client->dev.of_node;
+ unsigned int val;
+- unsigned int thresholds[CS42L42_NUM_BIASES];
++ u32 thresholds[CS42L42_NUM_BIASES];
+ int ret;
+ int i;
+
+- ret = of_property_read_u32(np, "cirrus,ts-inv", &val);
+-
++ ret = device_property_read_u32(dev, "cirrus,ts-inv", &val);
+ if (!ret) {
+ switch (val) {
+ case CS42L42_TS_INV_EN:
+@@ -1572,7 +1569,7 @@ static int cs42l42_handle_device_data(struct i2c_client *i2c_client,
+ cs42l42->ts_inv = val;
+ break;
+ default:
+- dev_err(&i2c_client->dev,
++ dev_err(dev,
+ "Wrong cirrus,ts-inv DT value %d\n",
+ val);
+ cs42l42->ts_inv = CS42L42_TS_INV_DIS;
+@@ -1585,8 +1582,7 @@ static int cs42l42_handle_device_data(struct i2c_client *i2c_client,
+ CS42L42_TS_INV_MASK,
+ (cs42l42->ts_inv << CS42L42_TS_INV_SHIFT));
+
+- ret = of_property_read_u32(np, "cirrus,ts-dbnc-rise", &val);
+-
++ ret = device_property_read_u32(dev, "cirrus,ts-dbnc-rise", &val);
+ if (!ret) {
+ switch (val) {
+ case CS42L42_TS_DBNCE_0:
+@@ -1600,7 +1596,7 @@ static int cs42l42_handle_device_data(struct i2c_client *i2c_client,
+ cs42l42->ts_dbnc_rise = val;
+ break;
+ default:
+- dev_err(&i2c_client->dev,
++ dev_err(dev,
+ "Wrong cirrus,ts-dbnc-rise DT value %d\n",
+ val);
+ cs42l42->ts_dbnc_rise = CS42L42_TS_DBNCE_1000;
+@@ -1614,8 +1610,7 @@ static int cs42l42_handle_device_data(struct i2c_client *i2c_client,
+ (cs42l42->ts_dbnc_rise <<
+ CS42L42_TS_RISE_DBNCE_TIME_SHIFT));
+
+- ret = of_property_read_u32(np, "cirrus,ts-dbnc-fall", &val);
+-
++ ret = device_property_read_u32(dev, "cirrus,ts-dbnc-fall", &val);
+ if (!ret) {
+ switch (val) {
+ case CS42L42_TS_DBNCE_0:
+@@ -1629,7 +1624,7 @@ static int cs42l42_handle_device_data(struct i2c_client *i2c_client,
+ cs42l42->ts_dbnc_fall = val;
+ break;
+ default:
+- dev_err(&i2c_client->dev,
++ dev_err(dev,
+ "Wrong cirrus,ts-dbnc-fall DT value %d\n",
+ val);
+ cs42l42->ts_dbnc_fall = CS42L42_TS_DBNCE_0;
+@@ -1643,13 +1638,12 @@ static int cs42l42_handle_device_data(struct i2c_client *i2c_client,
+ (cs42l42->ts_dbnc_fall <<
+ CS42L42_TS_FALL_DBNCE_TIME_SHIFT));
+
+- ret = of_property_read_u32(np, "cirrus,btn-det-init-dbnce", &val);
+-
++ ret = device_property_read_u32(dev, "cirrus,btn-det-init-dbnce", &val);
+ if (!ret) {
+ if (val <= CS42L42_BTN_DET_INIT_DBNCE_MAX)
+ cs42l42->btn_det_init_dbnce = val;
+ else {
+- dev_err(&i2c_client->dev,
++ dev_err(dev,
+ "Wrong cirrus,btn-det-init-dbnce DT value %d\n",
+ val);
+ cs42l42->btn_det_init_dbnce =
+@@ -1660,14 +1654,13 @@ static int cs42l42_handle_device_data(struct i2c_client *i2c_client,
+ CS42L42_BTN_DET_INIT_DBNCE_DEFAULT;
+ }
+
+- ret = of_property_read_u32(np, "cirrus,btn-det-event-dbnce", &val);
+-
++ ret = device_property_read_u32(dev, "cirrus,btn-det-event-dbnce", &val);
+ if (!ret) {
+ if (val <= CS42L42_BTN_DET_EVENT_DBNCE_MAX)
+ cs42l42->btn_det_event_dbnce = val;
+ else {
+- dev_err(&i2c_client->dev,
+- "Wrong cirrus,btn-det-event-dbnce DT value %d\n", val);
++ dev_err(dev,
++ "Wrong cirrus,btn-det-event-dbnce DT value %d\n", val);
+ cs42l42->btn_det_event_dbnce =
+ CS42L42_BTN_DET_EVENT_DBNCE_DEFAULT;
+ }
+@@ -1676,19 +1669,17 @@ static int cs42l42_handle_device_data(struct i2c_client *i2c_client,
+ CS42L42_BTN_DET_EVENT_DBNCE_DEFAULT;
+ }
+
+- ret = of_property_read_u32_array(np, "cirrus,bias-lvls",
+- (u32 *)thresholds, CS42L42_NUM_BIASES);
+-
++ ret = device_property_read_u32_array(dev, "cirrus,bias-lvls",
++ thresholds, ARRAY_SIZE(thresholds));
+ if (!ret) {
+ for (i = 0; i < CS42L42_NUM_BIASES; i++) {
+ if (thresholds[i] <= CS42L42_HS_DET_LEVEL_MAX)
+ cs42l42->bias_thresholds[i] = thresholds[i];
+ else {
+- dev_err(&i2c_client->dev,
+- "Wrong cirrus,bias-lvls[%d] DT value %d\n", i,
++ dev_err(dev,
++ "Wrong cirrus,bias-lvls[%d] DT value %d\n", i,
+ thresholds[i]);
+- cs42l42->bias_thresholds[i] =
+- threshold_defaults[i];
++ cs42l42->bias_thresholds[i] = threshold_defaults[i];
+ }
+ }
+ } else {
+@@ -1696,8 +1687,7 @@ static int cs42l42_handle_device_data(struct i2c_client *i2c_client,
+ cs42l42->bias_thresholds[i] = threshold_defaults[i];
+ }
+
+- ret = of_property_read_u32(np, "cirrus,hs-bias-ramp-rate", &val);
+-
++ ret = device_property_read_u32(dev, "cirrus,hs-bias-ramp-rate", &val);
+ if (!ret) {
+ switch (val) {
+ case CS42L42_HSBIAS_RAMP_FAST_RISE_SLOW_FALL:
+@@ -1717,7 +1707,7 @@ static int cs42l42_handle_device_data(struct i2c_client *i2c_client,
+ cs42l42->hs_bias_ramp_time = CS42L42_HSBIAS_RAMP_TIME3;
+ break;
+ default:
+- dev_err(&i2c_client->dev,
++ dev_err(dev,
+ "Wrong cirrus,hs-bias-ramp-rate DT value %d\n",
+ val);
+ cs42l42->hs_bias_ramp_rate = CS42L42_HSBIAS_RAMP_SLOW;
+@@ -1848,11 +1838,9 @@ static int cs42l42_i2c_probe(struct i2c_client *i2c_client,
+ (1 << CS42L42_ADC_PDN_SHIFT) |
+ (0 << CS42L42_PDN_ALL_SHIFT));
+
+- if (i2c_client->dev.of_node) {
+- ret = cs42l42_handle_device_data(i2c_client, cs42l42);
+- if (ret != 0)
+- goto err_disable;
+- }
++ ret = cs42l42_handle_device_data(&i2c_client->dev, cs42l42);
++ if (ret != 0)
++ goto err_disable;
+
+ /* Setup headset detection */
+ cs42l42_setup_hs_type_detect(cs42l42);
+--
+2.33.0
+
--- /dev/null
+From ca88bf3b9432b2609b37d68758656f43beda18b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Oct 2021 13:40:41 +0300
+Subject: ASoC: SOF: topology: do not power down primary core during topology
+ removal
+
+From: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+
+[ Upstream commit ec626334eaffe101df9ed79e161eba95124e64ad ]
+
+When removing the topology components, do not power down
+the primary core. Doing so will result in an IPC timeout
+when the SOF PCI device runtime suspends.
+
+Fixes: 0dcdf84289fb ("ASoC: SOF: add a "core" parameter to widget loading functions")
+
+Signed-off-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Link: https://lore.kernel.org/r/20211006104041.27183-1-peter.ujfalusi@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/topology.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
+index 69313fbdb636a..b6327c30c2b5a 100644
+--- a/sound/soc/sof/topology.c
++++ b/sound/soc/sof/topology.c
+@@ -2590,6 +2590,15 @@ static int sof_widget_unload(struct snd_soc_component *scomp,
+
+ /* power down the pipeline schedule core */
+ pipeline = swidget->private;
++
++ /*
++ * Runtime PM should still function normally if topology loading fails and
++ * it's components are unloaded. Do not power down the primary core so that the
++ * CTX_SAVE IPC can succeed during runtime suspend.
++ */
++ if (pipeline->core == SOF_DSP_PRIMARY_CORE)
++ break;
++
+ ret = snd_sof_dsp_core_power_down(sdev, 1 << pipeline->core);
+ if (ret < 0)
+ dev_err(scomp->dev, "error: powering down pipeline schedule core %d\n",
+--
+2.33.0
+
--- /dev/null
+From 57e77a3cd843f54a00814bf8e1378fe1645fa118 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Apr 2021 13:18:35 +0300
+Subject: ataflop: potential out of bounds in do_format()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 1ffec389a6431782a8a28805830b6fae9bf00af1 ]
+
+The function uses "type" as an array index:
+
+ q = unit[drive].disk[type]->queue;
+
+Unfortunately the bounds check on "type" isn't done until later in the
+function. Fix this by moving the bounds check to the start.
+
+Fixes: bf9c0538e485 ("ataflop: use a separate gendisk for each media format")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/ataflop.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/block/ataflop.c b/drivers/block/ataflop.c
+index e6264db11e415..0a86f9d3a3798 100644
+--- a/drivers/block/ataflop.c
++++ b/drivers/block/ataflop.c
+@@ -726,8 +726,12 @@ static int do_format(int drive, int type, struct atari_format_descr *desc)
+ unsigned long flags;
+ int ret;
+
+- if (type)
++ if (type) {
+ type--;
++ if (type >= NUM_DISK_MINORS ||
++ minor2disktype[type].drive_types > DriveType)
++ return -EINVAL;
++ }
+
+ q = unit[drive].disk[type]->queue;
+ blk_mq_freeze_queue(q);
+@@ -739,11 +743,6 @@ static int do_format(int drive, int type, struct atari_format_descr *desc)
+ local_irq_restore(flags);
+
+ if (type) {
+- if (type >= NUM_DISK_MINORS ||
+- minor2disktype[type].drive_types > DriveType) {
+- ret = -EINVAL;
+- goto out;
+- }
+ type = minor2disktype[type].index;
+ UDT = &atari_disk_type[type];
+ }
+--
+2.33.0
+
--- /dev/null
+From 70607d1cbf7be81efa046e41cac66398049862f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Nov 2021 16:04:33 -0700
+Subject: ataflop: remove ataflop_probe_lock mutex
+
+From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+
+[ Upstream commit 4ddb85d36613c45bde00d368bf9f357bd0708a0c ]
+
+Commit bf9c0538e485b591 ("ataflop: use a separate gendisk for each media
+format") introduced ataflop_probe_lock mutex, but forgot to unlock the
+mutex when atari_floppy_init() (i.e. module loading) succeeded. This will
+result in double lock deadlock if ataflop_probe() is called. Also,
+unregister_blkdev() must not be called from atari_floppy_init() with
+ataflop_probe_lock held when atari_floppy_init() failed, for
+ataflop_probe() waits for ataflop_probe_lock with major_names_lock held
+(i.e. AB-BA deadlock).
+
+__register_blkdev() needs to be called last in order to avoid calling
+ataflop_probe() when atari_floppy_init() is about to fail, for memory for
+completing already-started ataflop_probe() safely will be released as soon
+as atari_floppy_init() released ataflop_probe_lock mutex.
+
+As with commit 8b52d8be86d72308 ("loop: reorder loop_exit"),
+unregister_blkdev() needs to be called first in order to avoid calling
+ataflop_alloc_disk() from ataflop_probe() after del_gendisk() from
+atari_floppy_exit().
+
+By relocating __register_blkdev() / unregister_blkdev() as explained above,
+we can remove ataflop_probe_lock mutex, for probe function and __exit
+function are serialized by major_names_lock mutex.
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Fixes: bf9c0538e485b591 ("ataflop: use a separate gendisk for each media format")
+Reviewed-by: Luis Chamberlain <mcgrof@kernel.org>
+Tested-by: Michael Schmitz <schmitzmic@gmail.com>
+Link: https://lore.kernel.org/r/20211103230437.1639990-11-mcgrof@kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/ataflop.c | 47 +++++++++++++++++++++++------------------
+ 1 file changed, 27 insertions(+), 20 deletions(-)
+
+diff --git a/drivers/block/ataflop.c b/drivers/block/ataflop.c
+index 2d3a66362dcf9..3a29f1992d971 100644
+--- a/drivers/block/ataflop.c
++++ b/drivers/block/ataflop.c
+@@ -2016,8 +2016,6 @@ static int ataflop_alloc_disk(unsigned int drive, unsigned int type)
+ return 0;
+ }
+
+-static DEFINE_MUTEX(ataflop_probe_lock);
+-
+ static void ataflop_probe(dev_t dev)
+ {
+ int drive = MINOR(dev) & 3;
+@@ -2025,14 +2023,32 @@ static void ataflop_probe(dev_t dev)
+
+ if (drive >= FD_MAX_UNITS || type > NUM_DISK_MINORS)
+ return;
+- mutex_lock(&ataflop_probe_lock);
+ if (!unit[drive].disk[type]) {
+ if (ataflop_alloc_disk(drive, type) == 0) {
+ add_disk(unit[drive].disk[type]);
+ unit[drive].registered[type] = true;
+ }
+ }
+- mutex_unlock(&ataflop_probe_lock);
++}
++
++static void atari_floppy_cleanup(void)
++{
++ int i;
++ int type;
++
++ for (i = 0; i < FD_MAX_UNITS; i++) {
++ for (type = 0; type < NUM_DISK_MINORS; type++) {
++ if (!unit[i].disk[type])
++ continue;
++ del_gendisk(unit[i].disk[type]);
++ blk_cleanup_queue(unit[i].disk[type]->queue);
++ put_disk(unit[i].disk[type]);
++ }
++ blk_mq_free_tag_set(&unit[i].tag_set);
++ }
++
++ del_timer_sync(&fd_timer);
++ atari_stram_free(DMABuffer);
+ }
+
+ static void atari_cleanup_floppy_disk(struct atari_floppy_struct *fs)
+@@ -2058,11 +2074,6 @@ static int __init atari_floppy_init (void)
+ /* Amiga, Mac, ... don't have Atari-compatible floppy :-) */
+ return -ENODEV;
+
+- mutex_lock(&ataflop_probe_lock);
+- ret = __register_blkdev(FLOPPY_MAJOR, "fd", ataflop_probe);
+- if (ret)
+- goto out_unlock;
+-
+ for (i = 0; i < FD_MAX_UNITS; i++) {
+ memset(&unit[i].tag_set, 0, sizeof(unit[i].tag_set));
+ unit[i].tag_set.ops = &ataflop_mq_ops;
+@@ -2116,15 +2127,17 @@ static int __init atari_floppy_init (void)
+ UseTrackbuffer ? "" : "no ");
+ config_types();
+
+- return 0;
++ ret = __register_blkdev(FLOPPY_MAJOR, "fd", ataflop_probe);
++ if (ret) {
++ printk(KERN_ERR "atari_floppy_init: cannot register block device\n");
++ atari_floppy_cleanup();
++ }
++ return ret;
+
+ err:
+ while (--i >= 0)
+ atari_cleanup_floppy_disk(&unit[i]);
+
+- unregister_blkdev(FLOPPY_MAJOR, "fd");
+-out_unlock:
+- mutex_unlock(&ataflop_probe_lock);
+ return ret;
+ }
+
+@@ -2169,14 +2182,8 @@ __setup("floppy=", atari_floppy_setup);
+
+ static void __exit atari_floppy_exit(void)
+ {
+- int i;
+-
+- for (i = 0; i < FD_MAX_UNITS; i++)
+- atari_cleanup_floppy_disk(&unit[i]);
+ unregister_blkdev(FLOPPY_MAJOR, "fd");
+-
+- del_timer_sync(&fd_timer);
+- atari_stram_free( DMABuffer );
++ atari_floppy_cleanup();
+ }
+
+ module_init(atari_floppy_init)
+--
+2.33.0
+
--- /dev/null
+From 733dd2e9a54e23a799a415b865b86ac53477e175 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Oct 2020 15:58:38 +0100
+Subject: ataflop: use a separate gendisk for each media format
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit bf9c0538e485b591a2ee02d9adb8a99db4be5a2a ]
+
+The Atari floppy driver usually autodetects the media when used with the
+ormal /dev/fd? devices, which also are the only nodes created by udev.
+But it also supports various aliases that force a given media format.
+That is currently supported using the blk_register_region framework
+which finds the floppy gendisk even for a 'mismatched' dev_t. The
+problem with this (besides the code complexity) is that it creates
+multiple struct block_device instances for the whole device of a
+single gendisk, which can lead to interesting issues in code not
+aware of that fact.
+
+To fix this just create a separate gendisk for each of the aliases
+if they are accessed.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/ataflop.c | 135 +++++++++++++++++++++++++---------------
+ 1 file changed, 86 insertions(+), 49 deletions(-)
+
+diff --git a/drivers/block/ataflop.c b/drivers/block/ataflop.c
+index cd612cd04767a..e6264db11e415 100644
+--- a/drivers/block/ataflop.c
++++ b/drivers/block/ataflop.c
+@@ -297,7 +297,7 @@ static struct atari_floppy_struct {
+ unsigned int wpstat; /* current state of WP signal (for
+ disk change detection) */
+ int flags; /* flags */
+- struct gendisk *disk;
++ struct gendisk *disk[NUM_DISK_MINORS];
+ int ref;
+ int type;
+ struct blk_mq_tag_set tag_set;
+@@ -720,12 +720,16 @@ static void fd_error( void )
+
+ static int do_format(int drive, int type, struct atari_format_descr *desc)
+ {
+- struct request_queue *q = unit[drive].disk->queue;
++ struct request_queue *q;
+ unsigned char *p;
+ int sect, nsect;
+ unsigned long flags;
+ int ret;
+
++ if (type)
++ type--;
++
++ q = unit[drive].disk[type]->queue;
+ blk_mq_freeze_queue(q);
+ blk_mq_quiesce_queue(q);
+
+@@ -735,7 +739,7 @@ static int do_format(int drive, int type, struct atari_format_descr *desc)
+ local_irq_restore(flags);
+
+ if (type) {
+- if (--type >= NUM_DISK_MINORS ||
++ if (type >= NUM_DISK_MINORS ||
+ minor2disktype[type].drive_types > DriveType) {
+ ret = -EINVAL;
+ goto out;
+@@ -1151,7 +1155,7 @@ static void fd_rwsec_done1(int status)
+ if (SUDT[-1].blocks > ReqBlock) {
+ /* try another disk type */
+ SUDT--;
+- set_capacity(unit[SelectedDrive].disk,
++ set_capacity(unit[SelectedDrive].disk[0],
+ SUDT->blocks);
+ } else
+ Probing = 0;
+@@ -1166,7 +1170,7 @@ static void fd_rwsec_done1(int status)
+ /* record not found, but not probing. Maybe stretch wrong ? Restart probing */
+ if (SUD.autoprobe) {
+ SUDT = atari_disk_type + StartDiskType[DriveType];
+- set_capacity(unit[SelectedDrive].disk,
++ set_capacity(unit[SelectedDrive].disk[0],
+ SUDT->blocks);
+ Probing = 1;
+ }
+@@ -1506,7 +1510,7 @@ static blk_status_t ataflop_queue_rq(struct blk_mq_hw_ctx *hctx,
+ if (!UDT) {
+ Probing = 1;
+ UDT = atari_disk_type + StartDiskType[DriveType];
+- set_capacity(floppy->disk, UDT->blocks);
++ set_capacity(bd->rq->rq_disk, UDT->blocks);
+ UD.autoprobe = 1;
+ }
+ }
+@@ -1524,7 +1528,7 @@ static blk_status_t ataflop_queue_rq(struct blk_mq_hw_ctx *hctx,
+ }
+ type = minor2disktype[type].index;
+ UDT = &atari_disk_type[type];
+- set_capacity(floppy->disk, UDT->blocks);
++ set_capacity(bd->rq->rq_disk, UDT->blocks);
+ UD.autoprobe = 0;
+ }
+
+@@ -1647,7 +1651,7 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode,
+ printk (KERN_INFO "floppy%d: setting %s %p!\n",
+ drive, dtp->name, dtp);
+ UDT = dtp;
+- set_capacity(floppy->disk, UDT->blocks);
++ set_capacity(disk, UDT->blocks);
+
+ if (cmd == FDDEFPRM) {
+ /* save settings as permanent default type */
+@@ -1691,7 +1695,7 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode,
+ return -EINVAL;
+
+ UDT = dtp;
+- set_capacity(floppy->disk, UDT->blocks);
++ set_capacity(disk, UDT->blocks);
+
+ return 0;
+ case FDMSGON:
+@@ -1714,7 +1718,7 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode,
+ UDT = NULL;
+ /* MSch: invalidate default_params */
+ default_params[drive].blocks = 0;
+- set_capacity(floppy->disk, MAX_DISK_SIZE * 2);
++ set_capacity(disk, MAX_DISK_SIZE * 2);
+ fallthrough;
+ case FDFMTEND:
+ case FDFLUSH:
+@@ -1950,14 +1954,50 @@ static const struct blk_mq_ops ataflop_mq_ops = {
+ .queue_rq = ataflop_queue_rq,
+ };
+
+-static struct kobject *floppy_find(dev_t dev, int *part, void *data)
++static int ataflop_alloc_disk(unsigned int drive, unsigned int type)
+ {
+- int drive = *part & 3;
+- int type = *part >> 2;
++ struct gendisk *disk;
++ int ret;
++
++ disk = alloc_disk(1);
++ if (!disk)
++ return -ENOMEM;
++
++ disk->queue = blk_mq_init_queue(&unit[drive].tag_set);
++ if (IS_ERR(disk->queue)) {
++ ret = PTR_ERR(disk->queue);
++ disk->queue = NULL;
++ put_disk(disk);
++ return ret;
++ }
++
++ disk->major = FLOPPY_MAJOR;
++ disk->first_minor = drive + (type << 2);
++ sprintf(disk->disk_name, "fd%d", drive);
++ disk->fops = &floppy_fops;
++ disk->events = DISK_EVENT_MEDIA_CHANGE;
++ disk->private_data = &unit[drive];
++ set_capacity(disk, MAX_DISK_SIZE * 2);
++
++ unit[drive].disk[type] = disk;
++ return 0;
++}
++
++static DEFINE_MUTEX(ataflop_probe_lock);
++
++static void ataflop_probe(dev_t dev)
++{
++ int drive = MINOR(dev) & 3;
++ int type = MINOR(dev) >> 2;
++
+ if (drive >= FD_MAX_UNITS || type > NUM_DISK_MINORS)
+- return NULL;
+- *part = 0;
+- return get_disk_and_module(unit[drive].disk);
++ return;
++ mutex_lock(&ataflop_probe_lock);
++ if (!unit[drive].disk[type]) {
++ if (ataflop_alloc_disk(drive, type) == 0)
++ add_disk(unit[drive].disk[type]);
++ }
++ mutex_unlock(&ataflop_probe_lock);
+ }
+
+ static int __init atari_floppy_init (void)
+@@ -1969,23 +2009,26 @@ static int __init atari_floppy_init (void)
+ /* Amiga, Mac, ... don't have Atari-compatible floppy :-) */
+ return -ENODEV;
+
+- if (register_blkdev(FLOPPY_MAJOR,"fd"))
+- return -EBUSY;
++ mutex_lock(&ataflop_probe_lock);
++ ret = __register_blkdev(FLOPPY_MAJOR, "fd", ataflop_probe);
++ if (ret)
++ goto out_unlock;
+
+ for (i = 0; i < FD_MAX_UNITS; i++) {
+- unit[i].disk = alloc_disk(1);
+- if (!unit[i].disk) {
+- ret = -ENOMEM;
++ memset(&unit[i].tag_set, 0, sizeof(unit[i].tag_set));
++ unit[i].tag_set.ops = &ataflop_mq_ops;
++ unit[i].tag_set.nr_hw_queues = 1;
++ unit[i].tag_set.nr_maps = 1;
++ unit[i].tag_set.queue_depth = 2;
++ unit[i].tag_set.numa_node = NUMA_NO_NODE;
++ unit[i].tag_set.flags = BLK_MQ_F_SHOULD_MERGE;
++ ret = blk_mq_alloc_tag_set(&unit[i].tag_set);
++ if (ret)
+ goto err;
+- }
+
+- unit[i].disk->queue = blk_mq_init_sq_queue(&unit[i].tag_set,
+- &ataflop_mq_ops, 2,
+- BLK_MQ_F_SHOULD_MERGE);
+- if (IS_ERR(unit[i].disk->queue)) {
+- put_disk(unit[i].disk);
+- ret = PTR_ERR(unit[i].disk->queue);
+- unit[i].disk->queue = NULL;
++ ret = ataflop_alloc_disk(i, 0);
++ if (ret) {
++ blk_mq_free_tag_set(&unit[i].tag_set);
+ goto err;
+ }
+ }
+@@ -2015,19 +2058,9 @@ static int __init atari_floppy_init (void)
+ for (i = 0; i < FD_MAX_UNITS; i++) {
+ unit[i].track = -1;
+ unit[i].flags = 0;
+- unit[i].disk->major = FLOPPY_MAJOR;
+- unit[i].disk->first_minor = i;
+- sprintf(unit[i].disk->disk_name, "fd%d", i);
+- unit[i].disk->fops = &floppy_fops;
+- unit[i].disk->events = DISK_EVENT_MEDIA_CHANGE;
+- unit[i].disk->private_data = &unit[i];
+- set_capacity(unit[i].disk, MAX_DISK_SIZE * 2);
+- add_disk(unit[i].disk);
++ add_disk(unit[i].disk[0]);
+ }
+
+- blk_register_region(MKDEV(FLOPPY_MAJOR, 0), 256, THIS_MODULE,
+- floppy_find, NULL, NULL);
+-
+ printk(KERN_INFO "Atari floppy driver: max. %cD, %strack buffering\n",
+ DriveType == 0 ? 'D' : DriveType == 1 ? 'H' : 'E',
+ UseTrackbuffer ? "" : "no ");
+@@ -2037,14 +2070,14 @@ static int __init atari_floppy_init (void)
+
+ err:
+ while (--i >= 0) {
+- struct gendisk *disk = unit[i].disk;
+-
+- blk_cleanup_queue(disk->queue);
++ blk_cleanup_queue(unit[i].disk[0]->queue);
++ put_disk(unit[i].disk[0]);
+ blk_mq_free_tag_set(&unit[i].tag_set);
+- put_disk(unit[i].disk);
+ }
+
+ unregister_blkdev(FLOPPY_MAJOR, "fd");
++out_unlock:
++ mutex_unlock(&ataflop_probe_lock);
+ return ret;
+ }
+
+@@ -2089,13 +2122,17 @@ __setup("floppy=", atari_floppy_setup);
+
+ static void __exit atari_floppy_exit(void)
+ {
+- int i;
+- blk_unregister_region(MKDEV(FLOPPY_MAJOR, 0), 256);
++ int i, type;
++
+ for (i = 0; i < FD_MAX_UNITS; i++) {
+- del_gendisk(unit[i].disk);
+- blk_cleanup_queue(unit[i].disk->queue);
++ for (type = 0; type < NUM_DISK_MINORS; type++) {
++ if (!unit[i].disk[type])
++ continue;
++ del_gendisk(unit[i].disk[type]);
++ blk_cleanup_queue(unit[i].disk[type]->queue);
++ put_disk(unit[i].disk[type]);
++ }
+ blk_mq_free_tag_set(&unit[i].tag_set);
+- put_disk(unit[i].disk);
+ }
+ unregister_blkdev(FLOPPY_MAJOR, "fd");
+
+--
+2.33.0
+
--- /dev/null
+From 52001db2bb7c91516d70abce0c8491097217a77c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Aug 2021 08:38:53 -0700
+Subject: ath: dfs_pattern_detector: Fix possible null-pointer dereference in
+ channel_detector_create()
+
+From: Tuo Li <islituo@gmail.com>
+
+[ Upstream commit 4b6012a7830b813799a7faf40daa02a837e0fd5b ]
+
+kzalloc() is used to allocate memory for cd->detectors, and if it fails,
+channel_detector_exit() behind the label fail will be called:
+ channel_detector_exit(dpd, cd);
+
+In channel_detector_exit(), cd->detectors is dereferenced through:
+ struct pri_detector *de = cd->detectors[i];
+
+To fix this possible null-pointer dereference, check cd->detectors before
+the for loop to dereference cd->detectors.
+
+Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
+Signed-off-by: Tuo Li <islituo@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210805153854.154066-1-islituo@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/dfs_pattern_detector.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/dfs_pattern_detector.c b/drivers/net/wireless/ath/dfs_pattern_detector.c
+index 0813473793df1..87369073098c8 100644
+--- a/drivers/net/wireless/ath/dfs_pattern_detector.c
++++ b/drivers/net/wireless/ath/dfs_pattern_detector.c
+@@ -182,10 +182,12 @@ static void channel_detector_exit(struct dfs_pattern_detector *dpd,
+ if (cd == NULL)
+ return;
+ list_del(&cd->head);
+- for (i = 0; i < dpd->num_radar_types; i++) {
+- struct pri_detector *de = cd->detectors[i];
+- if (de != NULL)
+- de->exit(de);
++ if (cd->detectors) {
++ for (i = 0; i < dpd->num_radar_types; i++) {
++ struct pri_detector *de = cd->detectors[i];
++ if (de != NULL)
++ de->exit(de);
++ }
+ }
+ kfree(cd->detectors);
+ kfree(cd);
+--
+2.33.0
+
--- /dev/null
+From ba53988de4519dd789c013a70074cc8e968c42cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Jun 2019 19:21:31 +0200
+Subject: ath10k: fix max antenna gain unit
+
+From: Sven Eckelmann <seckelmann@datto.com>
+
+[ Upstream commit 0a491167fe0cf9f26062462de2a8688b96125d48 ]
+
+Most of the txpower for the ath10k firmware is stored as twicepower (0.5 dB
+steps). This isn't the case for max_antenna_gain - which is still expected
+by the firmware as dB.
+
+The firmware is converting it from dB to the internal (twicepower)
+representation when it calculates the limits of a channel. This can be seen
+in tpc_stats when configuring "12" as max_antenna_gain. Instead of the
+expected 12 (6 dB), the tpc_stats shows 24 (12 dB).
+
+Tested on QCA9888 and IPQ4019 with firmware 10.4-3.5.3-00057.
+
+Fixes: 02256930d9b8 ("ath10k: use proper tx power unit")
+Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20190611172131.6064-1-sven@narfation.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 6 +++---
+ drivers/net/wireless/ath/ath10k/wmi.h | 3 +++
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
+index 90dc48f66fbfe..c42977918e049 100644
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -1041,7 +1041,7 @@ static int ath10k_monitor_vdev_start(struct ath10k *ar, int vdev_id)
+ arg.channel.min_power = 0;
+ arg.channel.max_power = channel->max_power * 2;
+ arg.channel.max_reg_power = channel->max_reg_power * 2;
+- arg.channel.max_antenna_gain = channel->max_antenna_gain * 2;
++ arg.channel.max_antenna_gain = channel->max_antenna_gain;
+
+ reinit_completion(&ar->vdev_setup_done);
+ reinit_completion(&ar->vdev_delete_done);
+@@ -1487,7 +1487,7 @@ static int ath10k_vdev_start_restart(struct ath10k_vif *arvif,
+ arg.channel.min_power = 0;
+ arg.channel.max_power = chandef->chan->max_power * 2;
+ arg.channel.max_reg_power = chandef->chan->max_reg_power * 2;
+- arg.channel.max_antenna_gain = chandef->chan->max_antenna_gain * 2;
++ arg.channel.max_antenna_gain = chandef->chan->max_antenna_gain;
+
+ if (arvif->vdev_type == WMI_VDEV_TYPE_AP) {
+ arg.ssid = arvif->u.ap.ssid;
+@@ -3258,7 +3258,7 @@ static int ath10k_update_channel_list(struct ath10k *ar)
+ ch->min_power = 0;
+ ch->max_power = channel->max_power * 2;
+ ch->max_reg_power = channel->max_reg_power * 2;
+- ch->max_antenna_gain = channel->max_antenna_gain * 2;
++ ch->max_antenna_gain = channel->max_antenna_gain;
+ ch->reg_class_id = 0; /* FIXME */
+
+ /* FIXME: why use only legacy modes, why not any
+diff --git a/drivers/net/wireless/ath/ath10k/wmi.h b/drivers/net/wireless/ath/ath10k/wmi.h
+index 66ecf09068c19..e244b7038e606 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi.h
++++ b/drivers/net/wireless/ath/ath10k/wmi.h
+@@ -2066,7 +2066,9 @@ struct wmi_channel {
+ union {
+ __le32 reginfo1;
+ struct {
++ /* note: power unit is 1 dBm */
+ u8 antenna_max;
++ /* note: power unit is 0.5 dBm */
+ u8 max_tx_power;
+ } __packed;
+ } __packed;
+@@ -2086,6 +2088,7 @@ struct wmi_channel_arg {
+ u32 min_power;
+ u32 max_power;
+ u32 max_reg_power;
++ /* note: power unit is 1 dBm */
+ u32 max_antenna_gain;
+ u32 reg_class_id;
+ enum wmi_phy_mode mode;
+--
+2.33.0
+
--- /dev/null
+From 2a8f210400a9777e3e991e582eed1f88f54955ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Sep 2021 14:00:47 +0300
+Subject: ath10k: Fix missing frame timestamp for beacon/probe-resp
+
+From: Loic Poulain <loic.poulain@linaro.org>
+
+[ Upstream commit e6dfbc3ba90cc2b619229be56b485f085a0a8e1c ]
+
+When receiving a beacon or probe response, we should update the
+boottime_ns field which is the timestamp the frame was received at.
+(cf mac80211.h)
+
+This fixes a scanning issue with Android since it relies on this
+timestamp to determine when the AP has been seen for the last time
+(via the nl80211 BSS_LAST_SEEN_BOOTTIME parameter).
+
+Fixes: 5e3dd157d7e7 ("ath10k: mac80211 driver for Qualcomm Atheros 802.11ac CQA98xx devices")
+Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1629811733-7927-1-git-send-email-loic.poulain@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/wmi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
+index 37b53af760d76..85fe855ece097 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi.c
++++ b/drivers/net/wireless/ath/ath10k/wmi.c
+@@ -2610,6 +2610,10 @@ int ath10k_wmi_event_mgmt_rx(struct ath10k *ar, struct sk_buff *skb)
+ if (ieee80211_is_beacon(hdr->frame_control))
+ ath10k_mac_handle_beacon(ar, skb);
+
++ if (ieee80211_is_beacon(hdr->frame_control) ||
++ ieee80211_is_probe_resp(hdr->frame_control))
++ status->boottime_ns = ktime_get_boottime_ns();
++
+ ath10k_dbg(ar, ATH10K_DBG_MGMT,
+ "event mgmt rx skb %pK len %d ftype %02x stype %02x\n",
+ skb, skb->len,
+--
+2.33.0
+
--- /dev/null
+From be5488e9496c854b0afe46a8fb0f58840097deca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Sep 2021 14:00:47 +0300
+Subject: ath10k: high latency fixes for beacon buffer
+
+From: Alagu Sankar <alagusankar@silex-india.com>
+
+[ Upstream commit e263bdab9c0e8025fb7f41f153709a9cda51f6b6 ]
+
+Beacon buffer for high latency devices does not use DMA. other similar
+buffer allocation methods in the driver have already been modified for
+high latency path. Fix the beacon buffer allocation left out in the
+earlier high latency changes.
+
+Signed-off-by: Alagu Sankar <alagusankar@silex-india.com>
+Signed-off-by: Erik Stromdahl <erik.stromdahl@gmail.com>
+[fabio: adapt it to use ar->bus_param.dev_type ]
+Signed-off-by: Fabio Estevam <festevam@denx.de>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210818232627.2040121-1-festevam@denx.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 31 ++++++++++++++++++++-------
+ 1 file changed, 23 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
+index 36183fdfb7f03..90dc48f66fbfe 100644
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -982,8 +982,12 @@ static void ath10k_mac_vif_beacon_cleanup(struct ath10k_vif *arvif)
+ ath10k_mac_vif_beacon_free(arvif);
+
+ if (arvif->beacon_buf) {
+- dma_free_coherent(ar->dev, IEEE80211_MAX_FRAME_LEN,
+- arvif->beacon_buf, arvif->beacon_paddr);
++ if (ar->bus_param.dev_type == ATH10K_DEV_TYPE_HL)
++ kfree(arvif->beacon_buf);
++ else
++ dma_free_coherent(ar->dev, IEEE80211_MAX_FRAME_LEN,
++ arvif->beacon_buf,
++ arvif->beacon_paddr);
+ arvif->beacon_buf = NULL;
+ }
+ }
+@@ -5466,10 +5470,17 @@ static int ath10k_add_interface(struct ieee80211_hw *hw,
+ if (vif->type == NL80211_IFTYPE_ADHOC ||
+ vif->type == NL80211_IFTYPE_MESH_POINT ||
+ vif->type == NL80211_IFTYPE_AP) {
+- arvif->beacon_buf = dma_alloc_coherent(ar->dev,
+- IEEE80211_MAX_FRAME_LEN,
+- &arvif->beacon_paddr,
+- GFP_ATOMIC);
++ if (ar->bus_param.dev_type == ATH10K_DEV_TYPE_HL) {
++ arvif->beacon_buf = kmalloc(IEEE80211_MAX_FRAME_LEN,
++ GFP_KERNEL);
++ arvif->beacon_paddr = (dma_addr_t)arvif->beacon_buf;
++ } else {
++ arvif->beacon_buf =
++ dma_alloc_coherent(ar->dev,
++ IEEE80211_MAX_FRAME_LEN,
++ &arvif->beacon_paddr,
++ GFP_ATOMIC);
++ }
+ if (!arvif->beacon_buf) {
+ ret = -ENOMEM;
+ ath10k_warn(ar, "failed to allocate beacon buffer: %d\n",
+@@ -5684,8 +5695,12 @@ err_vdev_delete:
+
+ err:
+ if (arvif->beacon_buf) {
+- dma_free_coherent(ar->dev, IEEE80211_MAX_FRAME_LEN,
+- arvif->beacon_buf, arvif->beacon_paddr);
++ if (ar->bus_param.dev_type == ATH10K_DEV_TYPE_HL)
++ kfree(arvif->beacon_buf);
++ else
++ dma_free_coherent(ar->dev, IEEE80211_MAX_FRAME_LEN,
++ arvif->beacon_buf,
++ arvif->beacon_paddr);
+ arvif->beacon_buf = NULL;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From ae959f2b9882f953f3b76aefd2984a96419f8836 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Sep 2021 14:00:47 +0300
+Subject: ath10k: sdio: Add missing BH locking around napi_schdule()
+
+From: Fabio Estevam <festevam@denx.de>
+
+[ Upstream commit 019edd01d174ce4bb2e517dd332922514d176601 ]
+
+On a i.MX-based board with a QCA9377 Wifi chip, the following errors
+are seen after launching the 'hostapd' application:
+
+hostapd /etc/wifi.conf
+Configuration file: /etc/wifi.conf
+wlan0: interface state UNINITIALIZED->COUNTRY_UPDATE
+NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #08!!!
+Using interface wlan0 with hwaddr 00:1f:7b:31:04:a0 and ssid "thessid"
+IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
+wlan0: interface state COUNTRY_UPDATE->ENABLED
+wlan0: AP-ENABLED
+NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #08!!!
+NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #08!!!
+NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #08!!!
+NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #08!!!
+...
+
+Fix this problem by adding the BH locking around napi-schedule(),
+in the same way it was done in commit e63052a5dd3c ("mlx5e: add
+add missing BH locking around napi_schdule()").
+
+Its commit log provides the following explanation:
+
+"It's not correct to call napi_schedule() in pure process
+context. Because we use __raise_softirq_irqoff() we require
+callers to be in a context which will eventually lead to
+softirq handling (hardirq, bh disabled, etc.).
+
+With code as is users will see:
+
+NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #08!!!
+"
+
+Fixes: cfee8793a74d ("ath10k: enable napi on RX path for sdio")
+Signed-off-by: Fabio Estevam <festevam@denx.de>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210824144339.2796122-1-festevam@denx.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/sdio.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/sdio.c b/drivers/net/wireless/ath/ath10k/sdio.c
+index 81ddaafb6721c..0fe639710a8bb 100644
+--- a/drivers/net/wireless/ath/ath10k/sdio.c
++++ b/drivers/net/wireless/ath/ath10k/sdio.c
+@@ -1363,8 +1363,11 @@ static void ath10k_rx_indication_async_work(struct work_struct *work)
+ ep->ep_ops.ep_rx_complete(ar, skb);
+ }
+
+- if (test_bit(ATH10K_FLAG_CORE_REGISTERED, &ar->dev_flags))
++ if (test_bit(ATH10K_FLAG_CORE_REGISTERED, &ar->dev_flags)) {
++ local_bh_disable();
+ napi_schedule(&ar->napi);
++ local_bh_enable();
++ }
+ }
+
+ static int ath10k_sdio_read_rtc_state(struct ath10k_sdio *ar_sdio, unsigned char *state)
+--
+2.33.0
+
--- /dev/null
+From b5736123f5ed00b8fb5ba15e034d918ecce9bf28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Sep 2021 14:00:45 +0300
+Subject: ath11k: add handler for scan event WMI_SCAN_EVENT_DEQUEUED
+
+From: Wen Gong <wgong@codeaurora.org>
+
+[ Upstream commit 441b3b5911f8ead7f2fe2336587b340a33044d58 ]
+
+When wlan interface is up, 11d scan is sent to the firmware, and the
+firmware needs to spend couple of seconds to complete the 11d scan. If
+immediately a normal scan from user space arrives to ath11k, then the
+normal scan request is also sent to the firmware, but the scan started
+event will be reported to ath11k until the 11d scan complete. When timed
+out for the scan started in ath11k, ath11k stops the normal scan and the
+firmware reports WMI_SCAN_EVENT_DEQUEUED to ath11k for the normal scan.
+ath11k has no handler for the event and then timed out for the scan
+completed in ath11k_scan_stop(), and ath11k prints the following error
+message.
+
+[ 1491.604750] ath11k_pci 0000:02:00.0: failed to receive scan abort comple: timed out
+[ 1491.604756] ath11k_pci 0000:02:00.0: failed to stop scan: -110
+[ 1491.604758] ath11k_pci 0000:02:00.0: failed to start hw scan: -110
+
+Add a handler for WMI_SCAN_EVENT_DEQUEUED and then complete the scan to
+get rid of the above error message.
+
+Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-01720.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1
+
+Signed-off-by: Wen Gong <wgong@codeaurora.org>
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210914164226.38843-1-jouni@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/wmi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c
+index 2f777d61f9065..cf0f778b0cbc9 100644
+--- a/drivers/net/wireless/ath/ath11k/wmi.c
++++ b/drivers/net/wireless/ath/ath11k/wmi.c
+@@ -5856,6 +5856,8 @@ static void ath11k_scan_event(struct ath11k_base *ab, struct sk_buff *skb)
+ ath11k_wmi_event_scan_start_failed(ar);
+ break;
+ case WMI_SCAN_EVENT_DEQUEUED:
++ __ath11k_mac_scan_finish(ar);
++ break;
+ case WMI_SCAN_EVENT_PREEMPTED:
+ case WMI_SCAN_EVENT_RESTARTED:
+ case WMI_SCAN_EVENT_FOREIGN_CHAN_EXIT:
+--
+2.33.0
+
--- /dev/null
+From ca085d382d9d6d1be09c1c36cd3bb70b47251b06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jul 2021 00:49:22 +0300
+Subject: ath11k: Align bss_chan_info structure with firmware
+
+From: Seevalamuthu Mariappan <seevalam@codeaurora.org>
+
+[ Upstream commit feab5bb8f1d4621025dceae7eef62d5f92de34ac ]
+
+pdev_id in structure 'wmi_pdev_bss_chan_info_event' is wrongly placed
+at the beginning. This causes invalid values in survey dump. Hence, align
+the structure with the firmware.
+
+Note: The firmware releases follow this order since the feature was
+implemented. Also, it is not changing across the branches including
+QCA6390.
+
+Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.1.0.1-01228-QCAHKSWPL_SILICONZ-1
+
+Signed-off-by: Ritesh Singh <ritesi@codeaurora.org>
+Signed-off-by: Seevalamuthu Mariappan <seevalam@codeaurora.org>
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210720214922.118078-3-jouni@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/wmi.c | 1 +
+ drivers/net/wireless/ath/ath11k/wmi.h | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c
+index eca86225a3413..fca71e00123d9 100644
+--- a/drivers/net/wireless/ath/ath11k/wmi.c
++++ b/drivers/net/wireless/ath/ath11k/wmi.c
+@@ -1333,6 +1333,7 @@ int ath11k_wmi_pdev_bss_chan_info_request(struct ath11k *ar,
+ WMI_TAG_PDEV_BSS_CHAN_INFO_REQUEST) |
+ FIELD_PREP(WMI_TLV_LEN, sizeof(*cmd) - TLV_HDR_SIZE);
+ cmd->req_type = type;
++ cmd->pdev_id = ar->pdev->pdev_id;
+
+ ath11k_dbg(ar->ab, ATH11K_DBG_WMI,
+ "WMI bss chan info req type %d\n", type);
+diff --git a/drivers/net/wireless/ath/ath11k/wmi.h b/drivers/net/wireless/ath/ath11k/wmi.h
+index 5a32ba0eb4f57..c47adaab7918b 100644
+--- a/drivers/net/wireless/ath/ath11k/wmi.h
++++ b/drivers/net/wireless/ath/ath11k/wmi.h
+@@ -2935,6 +2935,7 @@ struct wmi_pdev_bss_chan_info_req_cmd {
+ u32 tlv_header;
+ /* ref wmi_bss_chan_info_req_type */
+ u32 req_type;
++ u32 pdev_id;
+ } __packed;
+
+ struct wmi_ap_ps_peer_cmd {
+@@ -4028,7 +4029,6 @@ struct wmi_vdev_stopped_event {
+ } __packed;
+
+ struct wmi_pdev_bss_chan_info_event {
+- u32 pdev_id;
+ u32 freq; /* Units in MHz */
+ u32 noise_floor; /* units are dBm */
+ /* rx clear - how often the channel was unused */
+@@ -4046,6 +4046,7 @@ struct wmi_pdev_bss_chan_info_event {
+ /*rx_cycle cnt for my bss in 64bits format */
+ u32 rx_bss_cycle_count_low;
+ u32 rx_bss_cycle_count_high;
++ u32 pdev_id;
+ } __packed;
+
+ #define WMI_VDEV_INSTALL_KEY_COMPL_STATUS_SUCCESS 0
+--
+2.33.0
+
--- /dev/null
+From f9fd79aece7a6055e4212fb23dd19f4b963986be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Sep 2021 12:05:40 +0300
+Subject: ath11k: Avoid race during regd updates
+
+From: Sriram R <srirrama@codeaurora.org>
+
+[ Upstream commit 1db2b0d0a39102238fcbf9092cefa65a710642e9 ]
+
+Whenever ath11k is bootup with a user country already set, cfg80211
+notifies this country info to ath11k soon after registration, where the
+notification is sent to the firmware for fetching the rules of this user
+country input.
+
+Multiple race conditions could be seen in this scenario where a new
+request is either lost as pointed in [1] or a new regd overwrites the
+default regd provided by the firmware during bootup. Note that, the
+default regd is used for intersection purpose and hence it should not be
+overwritten.
+
+The main reason as pointed by [1] is the usage of ATH11K_FLAG_REGISTERED
+flag which is updated after completion of core registration, whereas the
+reg notification from cfg80211 and wmi events for the corresponding
+request can happen much before that. Since the ATH11K_FLAG_REGISTERED is
+currently used to determine if the event containing reg rules belong to
+default regd or for user request, there is a possibility of the default
+regd getting overwritten.
+
+Since the default reg rules will be received only once per pdev on
+firmware load, the above flag based check can be replaced with a check
+to see if default_regd is already set, so that we can now always update
+the new_regd. Also if the new_regd is set, this will be always used to
+update the reg rules for the registered phy.
+
+[1] https://patchwork.kernel.org/project/linux-wireless/patch/1829665.1PRlr7bOQj@ripper/
+
+Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.4.0.1-01460-QCAHKSWPL_SILICONZ-1
+Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
+
+Signed-off-by: Sriram R <srirrama@codeaurora.org>
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210721212029.142388-4-jouni@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/mac.c | 2 +-
+ drivers/net/wireless/ath/ath11k/reg.c | 11 ++++++-----
+ drivers/net/wireless/ath/ath11k/reg.h | 2 +-
+ drivers/net/wireless/ath/ath11k/wmi.c | 16 ++++++----------
+ 4 files changed, 14 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index 63d70aecbd0f1..0924bc8b35205 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -6320,7 +6320,7 @@ static int __ath11k_mac_register(struct ath11k *ar)
+ ar->hw->wiphy->interface_modes &= ~BIT(NL80211_IFTYPE_MONITOR);
+
+ /* Apply the regd received during initialization */
+- ret = ath11k_regd_update(ar, true);
++ ret = ath11k_regd_update(ar);
+ if (ret) {
+ ath11k_err(ar->ab, "ath11k regd update failed: %d\n", ret);
+ goto err_unregister_hw;
+diff --git a/drivers/net/wireless/ath/ath11k/reg.c b/drivers/net/wireless/ath/ath11k/reg.c
+index 678d0885fcee7..b8f9f34408879 100644
+--- a/drivers/net/wireless/ath/ath11k/reg.c
++++ b/drivers/net/wireless/ath/ath11k/reg.c
+@@ -198,7 +198,7 @@ static void ath11k_copy_regd(struct ieee80211_regdomain *regd_orig,
+ sizeof(struct ieee80211_reg_rule));
+ }
+
+-int ath11k_regd_update(struct ath11k *ar, bool init)
++int ath11k_regd_update(struct ath11k *ar)
+ {
+ struct ieee80211_regdomain *regd, *regd_copy = NULL;
+ int ret, regd_len, pdev_id;
+@@ -209,7 +209,10 @@ int ath11k_regd_update(struct ath11k *ar, bool init)
+
+ spin_lock_bh(&ab->base_lock);
+
+- if (init) {
++ /* Prefer the latest regd update over default if it's available */
++ if (ab->new_regd[pdev_id]) {
++ regd = ab->new_regd[pdev_id];
++ } else {
+ /* Apply the regd received during init through
+ * WMI_REG_CHAN_LIST_CC event. In case of failure to
+ * receive the regd, initialize with a default world
+@@ -222,8 +225,6 @@ int ath11k_regd_update(struct ath11k *ar, bool init)
+ "failed to receive default regd during init\n");
+ regd = (struct ieee80211_regdomain *)&ath11k_world_regd;
+ }
+- } else {
+- regd = ab->new_regd[pdev_id];
+ }
+
+ if (!regd) {
+@@ -680,7 +681,7 @@ void ath11k_regd_update_work(struct work_struct *work)
+ regd_update_work);
+ int ret;
+
+- ret = ath11k_regd_update(ar, false);
++ ret = ath11k_regd_update(ar);
+ if (ret) {
+ /* Firmware has already moved to the new regd. We need
+ * to maintain channel consistency across FW, Host driver
+diff --git a/drivers/net/wireless/ath/ath11k/reg.h b/drivers/net/wireless/ath/ath11k/reg.h
+index 39b7fc9435415..7dbbba9fae1d2 100644
+--- a/drivers/net/wireless/ath/ath11k/reg.h
++++ b/drivers/net/wireless/ath/ath11k/reg.h
+@@ -30,6 +30,6 @@ void ath11k_regd_update_work(struct work_struct *work);
+ struct ieee80211_regdomain *
+ ath11k_reg_build_regd(struct ath11k_base *ab,
+ struct cur_regulatory_info *reg_info, bool intersect);
+-int ath11k_regd_update(struct ath11k *ar, bool init);
++int ath11k_regd_update(struct ath11k *ar);
+ int ath11k_reg_update_chan_list(struct ath11k *ar);
+ #endif
+diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c
+index cf0f778b0cbc9..e17419c8dde0d 100644
+--- a/drivers/net/wireless/ath/ath11k/wmi.c
++++ b/drivers/net/wireless/ath/ath11k/wmi.c
+@@ -5410,10 +5410,10 @@ static int ath11k_reg_chan_list_event(struct ath11k_base *ab, struct sk_buff *sk
+ }
+
+ spin_lock(&ab->base_lock);
+- if (test_bit(ATH11K_FLAG_REGISTERED, &ab->dev_flags)) {
+- /* Once mac is registered, ar is valid and all CC events from
+- * fw is considered to be received due to user requests
+- * currently.
++ if (ab->default_regd[pdev_idx]) {
++ /* The initial rules from FW after WMI Init is to build
++ * the default regd. From then on, any rules updated for
++ * the pdev could be due to user reg changes.
+ * Free previously built regd before assigning the newly
+ * generated regd to ar. NULL pointer handling will be
+ * taken care by kfree itself.
+@@ -5423,13 +5423,9 @@ static int ath11k_reg_chan_list_event(struct ath11k_base *ab, struct sk_buff *sk
+ ab->new_regd[pdev_idx] = regd;
+ ieee80211_queue_work(ar->hw, &ar->regd_update_work);
+ } else {
+- /* Multiple events for the same *ar is not expected. But we
+- * can still clear any previously stored default_regd if we
+- * are receiving this event for the same radio by mistake.
+- * NULL pointer handling will be taken care by kfree itself.
++ /* This regd would be applied during mac registration and is
++ * held constant throughout for regd intersection purpose
+ */
+- kfree(ab->default_regd[pdev_idx]);
+- /* This regd would be applied during mac registration */
+ ab->default_regd[pdev_idx] = regd;
+ }
+ ab->dfs_region = reg_info->dfs_region;
+--
+2.33.0
+
--- /dev/null
+From 234c9cb0b1aa4485d1fb9589c78e0737d7ee79df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Sep 2021 12:05:40 +0300
+Subject: ath11k: Avoid reg rules update during firmware recovery
+
+From: Sriram R <srirrama@codeaurora.org>
+
+[ Upstream commit 69a0fcf8a9f2273040d03e5ee77c9689c09e9d3a ]
+
+During firmware recovery, the default reg rules which are
+received via WMI_REG_CHAN_LIST_CC_EVENT can overwrite
+the currently configured user regd.
+
+See below snap for example,
+
+root@OpenWrt:/# iw reg get | grep country
+country FR: DFS-ETSI
+country FR: DFS-ETSI
+country FR: DFS-ETSI
+country FR: DFS-ETSI
+
+root@OpenWrt:/# echo assert > /sys/kernel/debug/ath11k/ipq8074\ hw2.0/simulate_f
+w_crash
+<snip>
+[ 5290.471696] ath11k c000000.wifi1: pdev 1 successfully recovered
+
+root@OpenWrt:/# iw reg get | grep country
+country FR: DFS-ETSI
+country US: DFS-FCC
+country US: DFS-FCC
+country US: DFS-FCC
+
+In the above, the user configured country 'FR' is overwritten
+when the rules of default country 'US' are received and updated during
+recovery. Hence avoid processing of these rules in general
+during firmware recovery as they have been already applied during
+driver registration or after last set user country is configured.
+
+This scenario applies for both AP and STA devices basically because
+cfg80211 is not aware of the recovery and only the driver recovers, but
+changing or resetting of the reg domain during recovery is not needed so
+as to continue with the configured regdomain currently in use.
+
+Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.4.0.1-01460-QCAHKSWPL_SILICONZ-1
+
+Signed-off-by: Sriram R <srirrama@codeaurora.org>
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210721212029.142388-3-jouni@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/wmi.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c
+index fca71e00123d9..2f777d61f9065 100644
+--- a/drivers/net/wireless/ath/ath11k/wmi.c
++++ b/drivers/net/wireless/ath/ath11k/wmi.c
+@@ -5362,6 +5362,17 @@ static int ath11k_reg_chan_list_event(struct ath11k_base *ab, struct sk_buff *sk
+
+ pdev_idx = reg_info->phy_id;
+
++ /* Avoid default reg rule updates sent during FW recovery if
++ * it is already available
++ */
++ spin_lock(&ab->base_lock);
++ if (test_bit(ATH11K_FLAG_RECOVERY, &ab->dev_flags) &&
++ ab->default_regd[pdev_idx]) {
++ spin_unlock(&ab->base_lock);
++ goto mem_free;
++ }
++ spin_unlock(&ab->base_lock);
++
+ if (pdev_idx >= ab->num_radios) {
+ /* Process the event for phy0 only if single_pdev_only
+ * is true. If pdev_idx is valid but not 0, discard the
+--
+2.33.0
+
--- /dev/null
+From f9904f0804aff2797708c39296ab636495209c84 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Sep 2021 14:00:46 +0300
+Subject: ath11k: Change DMA_FROM_DEVICE to DMA_TO_DEVICE when map reinjected
+ packets
+
+From: Baochen Qiang <bqiang@codeaurora.org>
+
+[ Upstream commit 86a03dad0f5ad8182ed5fcf7bf3eec71cd96577c ]
+
+For fragmented packets, ath11k reassembles each fragment as a normal
+packet and then reinjects it into HW ring. In this case, the DMA
+direction should be DMA_TO_DEVICE, not DMA_FROM_DEVICE, otherwise
+invalid payload will be reinjected to HW and then delivered to host.
+What is more, since arbitrary memory could be allocated to the frame, we
+don't know what kind of data is contained in the buffer reinjected.
+Thus, as a bad result, private info may be leaked.
+
+Note that this issue is only found on Intel platform.
+
+Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1
+Signed-off-by: Baochen Qiang <bqiang@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210916064617.20006-1-bqiang@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/dp_rx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c
+index 2bff8eb507d4d..7d6fd8155bb22 100644
+--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
++++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
+@@ -3273,7 +3273,7 @@ static int ath11k_dp_rx_h_defrag_reo_reinject(struct ath11k *ar, struct dp_rx_ti
+
+ paddr = dma_map_single(ab->dev, defrag_skb->data,
+ defrag_skb->len + skb_tailroom(defrag_skb),
+- DMA_FROM_DEVICE);
++ DMA_TO_DEVICE);
+ if (dma_mapping_error(ab->dev, paddr))
+ return -ENOMEM;
+
+@@ -3338,7 +3338,7 @@ err_free_idr:
+ spin_unlock_bh(&rx_refill_ring->idr_lock);
+ err_unmap_dma:
+ dma_unmap_single(ab->dev, paddr, defrag_skb->len + skb_tailroom(defrag_skb),
+- DMA_FROM_DEVICE);
++ DMA_TO_DEVICE);
+ return ret;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From f161114d7371d11a9fb57c3460e9a13ac7a99bc9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Sep 2021 14:00:44 +0300
+Subject: ath11k: Fix memory leak in ath11k_qmi_driver_event_work
+
+From: Baochen Qiang <bqiang@codeaurora.org>
+
+[ Upstream commit 72de799aa9e3e064b35238ef053d2f0a49db055a ]
+
+The buffer pointed to by event is not freed in case
+ATH11K_FLAG_UNREGISTERING bit is set, resulting in
+memory leak, so fix it.
+
+Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-01720.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1
+
+Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
+Signed-off-by: Baochen Qiang <bqiang@codeaurora.org>
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210913180246.193388-4-jouni@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/qmi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/qmi.c b/drivers/net/wireless/ath/ath11k/qmi.c
+index 2ae7c6bf091e9..c842e275d1adf 100644
+--- a/drivers/net/wireless/ath/ath11k/qmi.c
++++ b/drivers/net/wireless/ath/ath11k/qmi.c
+@@ -2616,8 +2616,10 @@ static void ath11k_qmi_driver_event_work(struct work_struct *work)
+ list_del(&event->list);
+ spin_unlock(&qmi->event_lock);
+
+- if (test_bit(ATH11K_FLAG_UNREGISTERING, &ab->dev_flags))
++ if (test_bit(ATH11K_FLAG_UNREGISTERING, &ab->dev_flags)) {
++ kfree(event);
+ return;
++ }
+
+ switch (event->type) {
+ case ATH11K_QMI_EVENT_SERVER_ARRIVE:
+--
+2.33.0
+
--- /dev/null
+From e5a8079dd8cbb7cfa22e437d3dc5d42222857d4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Sep 2021 14:00:43 +0300
+Subject: ath11k: fix packet drops due to incorrect 6 GHz freq value in rx
+ status
+
+From: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
+
+[ Upstream commit 9d6ae1f5cf733c0e8d7f904c501fd015c4b9f0f4 ]
+
+Frequency in rx status is being filled incorrectly in the 6 GHz band as
+channel number received is invalid in this case which is causing packet
+drops. So fix that.
+
+Fixes: 5dcf42f8b79d ("ath11k: Use freq instead of channel number in rx path")
+Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210722102054.43419-2-jouni@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/dp_rx.c | 9 ++++++---
+ drivers/net/wireless/ath/ath11k/wmi.c | 10 +++++++---
+ 2 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c
+index 7d6fd8155bb22..2e77dca6b1ad6 100644
+--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
++++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
+@@ -2303,8 +2303,10 @@ static void ath11k_dp_rx_h_ppdu(struct ath11k *ar, struct hal_rx_desc *rx_desc,
+ channel_num = ath11k_dp_rx_h_msdu_start_freq(rx_desc);
+ center_freq = ath11k_dp_rx_h_msdu_start_freq(rx_desc) >> 16;
+
+- if (center_freq >= 5935 && center_freq <= 7105) {
++ if (center_freq >= ATH11K_MIN_6G_FREQ &&
++ center_freq <= ATH11K_MAX_6G_FREQ) {
+ rx_status->band = NL80211_BAND_6GHZ;
++ rx_status->freq = center_freq;
+ } else if (channel_num >= 1 && channel_num <= 14) {
+ rx_status->band = NL80211_BAND_2GHZ;
+ } else if (channel_num >= 36 && channel_num <= 173) {
+@@ -2322,8 +2324,9 @@ static void ath11k_dp_rx_h_ppdu(struct ath11k *ar, struct hal_rx_desc *rx_desc,
+ rx_desc, sizeof(struct hal_rx_desc));
+ }
+
+- rx_status->freq = ieee80211_channel_to_frequency(channel_num,
+- rx_status->band);
++ if (rx_status->band != NL80211_BAND_6GHZ)
++ rx_status->freq = ieee80211_channel_to_frequency(channel_num,
++ rx_status->band);
+
+ ath11k_dp_rx_h_rate(ar, rx_desc, rx_status);
+ }
+diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c
+index e17419c8dde0d..74ebe8e7d1d81 100644
+--- a/drivers/net/wireless/ath/ath11k/wmi.c
++++ b/drivers/net/wireless/ath/ath11k/wmi.c
+@@ -5668,8 +5668,10 @@ static void ath11k_mgmt_rx_event(struct ath11k_base *ab, struct sk_buff *skb)
+ if (rx_ev.status & WMI_RX_STATUS_ERR_MIC)
+ status->flag |= RX_FLAG_MMIC_ERROR;
+
+- if (rx_ev.chan_freq >= ATH11K_MIN_6G_FREQ) {
++ if (rx_ev.chan_freq >= ATH11K_MIN_6G_FREQ &&
++ rx_ev.chan_freq <= ATH11K_MAX_6G_FREQ) {
+ status->band = NL80211_BAND_6GHZ;
++ status->freq = rx_ev.chan_freq;
+ } else if (rx_ev.channel >= 1 && rx_ev.channel <= 14) {
+ status->band = NL80211_BAND_2GHZ;
+ } else if (rx_ev.channel >= 36 && rx_ev.channel <= ATH11K_MAX_5G_CHAN) {
+@@ -5690,8 +5692,10 @@ static void ath11k_mgmt_rx_event(struct ath11k_base *ab, struct sk_buff *skb)
+
+ sband = &ar->mac.sbands[status->band];
+
+- status->freq = ieee80211_channel_to_frequency(rx_ev.channel,
+- status->band);
++ if (status->band != NL80211_BAND_6GHZ)
++ status->freq = ieee80211_channel_to_frequency(rx_ev.channel,
++ status->band);
++
+ status->signal = rx_ev.snr + ATH11K_DEFAULT_NOISE_FLOOR;
+ status->rate_idx = ath11k_mac_bitrate_to_idx(sband, rx_ev.rate / 100);
+
+--
+2.33.0
+
--- /dev/null
+From 7ac1c53f3b8870e1be73eabc231da203c0dce63e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Sep 2021 12:05:43 +0300
+Subject: ath11k: fix some sleeping in atomic bugs
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit aadf7c81a0771b8f1c97dabca6a48bae1b387779 ]
+
+The ath11k_dbring_bufs_replenish() and ath11k_dbring_fill_bufs()
+take a "gfp" parameter but they since they take spinlocks, the
+allocations they do have to be atomic. This causes a bug because
+ath11k_dbring_buf_setup passes GFP_KERNEL for the gfp flags.
+
+The fix is to use GFP_ATOMIC and remove the unused parameters.
+
+Fixes: bd6478559e27 ("ath11k: Add direct buffer ring support")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210812070434.GE31863@kili
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/dbring.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/dbring.c b/drivers/net/wireless/ath/ath11k/dbring.c
+index 5e1f5437b4185..fd98ba5b1130b 100644
+--- a/drivers/net/wireless/ath/ath11k/dbring.c
++++ b/drivers/net/wireless/ath/ath11k/dbring.c
+@@ -8,8 +8,7 @@
+
+ static int ath11k_dbring_bufs_replenish(struct ath11k *ar,
+ struct ath11k_dbring *ring,
+- struct ath11k_dbring_element *buff,
+- gfp_t gfp)
++ struct ath11k_dbring_element *buff)
+ {
+ struct ath11k_base *ab = ar->ab;
+ struct hal_srng *srng;
+@@ -35,7 +34,7 @@ static int ath11k_dbring_bufs_replenish(struct ath11k *ar,
+ goto err;
+
+ spin_lock_bh(&ring->idr_lock);
+- buf_id = idr_alloc(&ring->bufs_idr, buff, 0, ring->bufs_max, gfp);
++ buf_id = idr_alloc(&ring->bufs_idr, buff, 0, ring->bufs_max, GFP_ATOMIC);
+ spin_unlock_bh(&ring->idr_lock);
+ if (buf_id < 0) {
+ ret = -ENOBUFS;
+@@ -72,8 +71,7 @@ err:
+ }
+
+ static int ath11k_dbring_fill_bufs(struct ath11k *ar,
+- struct ath11k_dbring *ring,
+- gfp_t gfp)
++ struct ath11k_dbring *ring)
+ {
+ struct ath11k_dbring_element *buff;
+ struct hal_srng *srng;
+@@ -92,11 +90,11 @@ static int ath11k_dbring_fill_bufs(struct ath11k *ar,
+ size = sizeof(*buff) + ring->buf_sz + align - 1;
+
+ while (num_remain > 0) {
+- buff = kzalloc(size, gfp);
++ buff = kzalloc(size, GFP_ATOMIC);
+ if (!buff)
+ break;
+
+- ret = ath11k_dbring_bufs_replenish(ar, ring, buff, gfp);
++ ret = ath11k_dbring_bufs_replenish(ar, ring, buff);
+ if (ret) {
+ ath11k_warn(ar->ab, "failed to replenish db ring num_remain %d req_ent %d\n",
+ num_remain, req_entries);
+@@ -176,7 +174,7 @@ int ath11k_dbring_buf_setup(struct ath11k *ar,
+ ring->hp_addr = ath11k_hal_srng_get_hp_addr(ar->ab, srng);
+ ring->tp_addr = ath11k_hal_srng_get_tp_addr(ar->ab, srng);
+
+- ret = ath11k_dbring_fill_bufs(ar, ring, GFP_KERNEL);
++ ret = ath11k_dbring_fill_bufs(ar, ring);
+
+ return ret;
+ }
+@@ -322,7 +320,7 @@ int ath11k_dbring_buffer_release_event(struct ath11k_base *ab,
+ }
+
+ memset(buff, 0, size);
+- ath11k_dbring_bufs_replenish(ar, ring, buff, GFP_ATOMIC);
++ ath11k_dbring_bufs_replenish(ar, ring, buff);
+ }
+
+ spin_unlock_bh(&srng->lock);
+--
+2.33.0
+
--- /dev/null
+From aa136f3a31622ca2ed568e675e383361160482b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Oct 2021 16:55:53 +0300
+Subject: ath9k: Fix potential interrupt storm on queue reset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Lüssing <ll@simonwunderlich.de>
+
+[ Upstream commit 4925642d541278575ad1948c5924d71ffd57ef14 ]
+
+In tests with two Lima boards from 8devices (QCA4531 based) on OpenWrt
+19.07 we could force a silent restart of a device with no serial
+output when we were sending a high amount of UDP traffic (iperf3 at 80
+MBit/s in both directions from external hosts, saturating the wifi and
+causing a load of about 4.5 to 6) and were then triggering an
+ath9k_queue_reset().
+
+Further debugging showed that the restart was caused by the ath79
+watchdog. With disabled watchdog we could observe that the device was
+constantly going into ath_isr() interrupt handler and was returning
+early after the ATH_OP_HW_RESET flag test, without clearing any
+interrupts. Even though ath9k_queue_reset() calls
+ath9k_hw_kill_interrupts().
+
+With JTAG we could observe the following race condition:
+
+1) ath9k_queue_reset()
+ ...
+ -> ath9k_hw_kill_interrupts()
+ -> set_bit(ATH_OP_HW_RESET, &common->op_flags);
+ ...
+ <- returns
+
+ 2) ath9k_tasklet()
+ ...
+ -> ath9k_hw_resume_interrupts()
+ ...
+ <- returns
+
+ 3) loops around:
+ ...
+ handle_int()
+ -> ath_isr()
+ ...
+ -> if (test_bit(ATH_OP_HW_RESET,
+ &common->op_flags))
+ return IRQ_HANDLED;
+
+ x) ath_reset_internal():
+ => never reached <=
+
+And in ath_isr() we would typically see the following interrupts /
+interrupt causes:
+
+* status: 0x00111030 or 0x00110030
+* async_cause: 2 (AR_INTR_MAC_IPQ)
+* sync_cause: 0
+
+So the ath9k_tasklet() reenables the ath9k interrupts
+through ath9k_hw_resume_interrupts() which ath9k_queue_reset() had just
+disabled. And ath_isr() then keeps firing because it returns IRQ_HANDLED
+without actually clearing the interrupt.
+
+To fix this IRQ storm also clear/disable the interrupts again when we
+are in reset state.
+
+Cc: Sven Eckelmann <sven@narfation.org>
+Cc: Simon Wunderlich <sw@simonwunderlich.de>
+Cc: Linus Lüssing <linus.luessing@c0d3.blue>
+Fixes: 872b5d814f99 ("ath9k: do not access hardware on IRQs during reset")
+Signed-off-by: Linus Lüssing <ll@simonwunderlich.de>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210914192515.9273-3-linus.luessing@c0d3.blue
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
+index 5739c1dbf1661..af367696fd92f 100644
+--- a/drivers/net/wireless/ath/ath9k/main.c
++++ b/drivers/net/wireless/ath/ath9k/main.c
+@@ -533,8 +533,10 @@ irqreturn_t ath_isr(int irq, void *dev)
+ ath9k_debug_sync_cause(sc, sync_cause);
+ status &= ah->imask; /* discard unasked-for bits */
+
+- if (test_bit(ATH_OP_HW_RESET, &common->op_flags))
++ if (test_bit(ATH_OP_HW_RESET, &common->op_flags)) {
++ ath9k_hw_kill_interrupts(sc->sc_ah);
+ return IRQ_HANDLED;
++ }
+
+ /*
+ * If there are no status bits set, then this interrupt was not
+--
+2.33.0
+
--- /dev/null
+From 971379e248ec1a88318e369e260f133517f54871 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Oct 2021 16:45:08 +0200
+Subject: auxdisplay: ht16k33: Connect backlight to fbdev
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+[ Upstream commit 80f9eb70fd9276938f0a131f76d438021bfd8b34 ]
+
+Currently /sys/class/graphics/fb0/bl_curve is not accessible (-ENODEV),
+as the driver does not connect the backlight to the frame buffer device.
+Fix this moving backlight initialization up, and filling in
+fb_info.bl_dev.
+
+Fixes: 8992da44c6805d53 ("auxdisplay: ht16k33: Driver for LED controller")
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Reviewed-by: Robin van der Gracht <robin@protonic.nl>
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/auxdisplay/ht16k33.c | 56 ++++++++++++++++++------------------
+ 1 file changed, 28 insertions(+), 28 deletions(-)
+
+diff --git a/drivers/auxdisplay/ht16k33.c b/drivers/auxdisplay/ht16k33.c
+index d8602843e8a53..b8c25a17186b5 100644
+--- a/drivers/auxdisplay/ht16k33.c
++++ b/drivers/auxdisplay/ht16k33.c
+@@ -418,6 +418,33 @@ static int ht16k33_probe(struct i2c_client *client,
+ if (err)
+ return err;
+
++ /* Backlight */
++ memset(&bl_props, 0, sizeof(struct backlight_properties));
++ bl_props.type = BACKLIGHT_RAW;
++ bl_props.max_brightness = MAX_BRIGHTNESS;
++
++ bl = devm_backlight_device_register(&client->dev, DRIVER_NAME"-bl",
++ &client->dev, priv,
++ &ht16k33_bl_ops, &bl_props);
++ if (IS_ERR(bl)) {
++ dev_err(&client->dev, "failed to register backlight\n");
++ return PTR_ERR(bl);
++ }
++
++ err = of_property_read_u32(node, "default-brightness-level",
++ &dft_brightness);
++ if (err) {
++ dft_brightness = MAX_BRIGHTNESS;
++ } else if (dft_brightness > MAX_BRIGHTNESS) {
++ dev_warn(&client->dev,
++ "invalid default brightness level: %u, using %u\n",
++ dft_brightness, MAX_BRIGHTNESS);
++ dft_brightness = MAX_BRIGHTNESS;
++ }
++
++ bl->props.brightness = dft_brightness;
++ ht16k33_bl_update_status(bl);
++
+ /* Framebuffer (2 bytes per column) */
+ BUILD_BUG_ON(PAGE_SIZE < HT16K33_FB_SIZE);
+ fbdev->buffer = (unsigned char *) get_zeroed_page(GFP_KERNEL);
+@@ -450,6 +477,7 @@ static int ht16k33_probe(struct i2c_client *client,
+ fbdev->info->screen_size = HT16K33_FB_SIZE;
+ fbdev->info->fix = ht16k33_fb_fix;
+ fbdev->info->var = ht16k33_fb_var;
++ fbdev->info->bl_dev = bl;
+ fbdev->info->pseudo_palette = NULL;
+ fbdev->info->flags = FBINFO_FLAG_DEFAULT;
+ fbdev->info->par = priv;
+@@ -462,34 +490,6 @@ static int ht16k33_probe(struct i2c_client *client,
+ if (err)
+ goto err_fbdev_unregister;
+
+- /* Backlight */
+- memset(&bl_props, 0, sizeof(struct backlight_properties));
+- bl_props.type = BACKLIGHT_RAW;
+- bl_props.max_brightness = MAX_BRIGHTNESS;
+-
+- bl = devm_backlight_device_register(&client->dev, DRIVER_NAME"-bl",
+- &client->dev, priv,
+- &ht16k33_bl_ops, &bl_props);
+- if (IS_ERR(bl)) {
+- dev_err(&client->dev, "failed to register backlight\n");
+- err = PTR_ERR(bl);
+- goto err_fbdev_unregister;
+- }
+-
+- err = of_property_read_u32(node, "default-brightness-level",
+- &dft_brightness);
+- if (err) {
+- dft_brightness = MAX_BRIGHTNESS;
+- } else if (dft_brightness > MAX_BRIGHTNESS) {
+- dev_warn(&client->dev,
+- "invalid default brightness level: %u, using %u\n",
+- dft_brightness, MAX_BRIGHTNESS);
+- dft_brightness = MAX_BRIGHTNESS;
+- }
+-
+- bl->props.brightness = dft_brightness;
+- ht16k33_bl_update_status(bl);
+-
+ ht16k33_fb_queue(priv);
+ return 0;
+
+--
+2.33.0
+
--- /dev/null
+From 24f7d3d098087b7edf3901d785ec8ab3f164ebd3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Oct 2021 16:45:09 +0200
+Subject: auxdisplay: ht16k33: Fix frame buffer device blanking
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+[ Upstream commit 840fe258332544aa7321921e1723d37b772af7a9 ]
+
+As the ht16k33 frame buffer sub-driver does not register an
+fb_ops.fb_blank() handler, blanking does not work:
+
+ $ echo 1 > /sys/class/graphics/fb0/blank
+ sh: write error: Invalid argument
+
+Fix this by providing a handler that always returns zero, to make sure
+blank events will be sent to the actual device handling the backlight.
+
+Reported-by: Robin van der Gracht <robin@protonic.nl>
+Suggested-by: Robin van der Gracht <robin@protonic.nl>
+Fixes: 8992da44c6805d53 ("auxdisplay: ht16k33: Driver for LED controller")
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/auxdisplay/ht16k33.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/auxdisplay/ht16k33.c b/drivers/auxdisplay/ht16k33.c
+index b8c25a17186b5..7e3858c4e030f 100644
+--- a/drivers/auxdisplay/ht16k33.c
++++ b/drivers/auxdisplay/ht16k33.c
+@@ -219,6 +219,15 @@ static const struct backlight_ops ht16k33_bl_ops = {
+ .check_fb = ht16k33_bl_check_fb,
+ };
+
++/*
++ * Blank events will be passed to the actual device handling the backlight when
++ * we return zero here.
++ */
++static int ht16k33_blank(int blank, struct fb_info *info)
++{
++ return 0;
++}
++
+ static int ht16k33_mmap(struct fb_info *info, struct vm_area_struct *vma)
+ {
+ struct ht16k33_priv *priv = info->par;
+@@ -231,6 +240,7 @@ static const struct fb_ops ht16k33_fb_ops = {
+ .owner = THIS_MODULE,
+ .fb_read = fb_sys_read,
+ .fb_write = fb_sys_write,
++ .fb_blank = ht16k33_blank,
+ .fb_fillrect = sys_fillrect,
+ .fb_copyarea = sys_copyarea,
+ .fb_imageblit = sys_imageblit,
+--
+2.33.0
+
--- /dev/null
+From 8f774d02f5698c8cae7c14422e4f3a1e5fcf94f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Oct 2021 16:45:02 +0200
+Subject: auxdisplay: img-ascii-lcd: Fix lock-up when displaying empty string
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+[ Upstream commit afcb5a811ff3ab3969f09666535eb6018a160358 ]
+
+While writing an empty string to a device attribute is a no-op, and thus
+does not need explicit safeguards, the user can still write a single
+newline to an attribute file:
+
+ echo > .../message
+
+If that happens, img_ascii_lcd_display() trims the newline, yielding an
+empty string, and causing an infinite loop in img_ascii_lcd_scroll().
+
+Fix this by adding a check for empty strings. Clear the display in case
+one is encountered.
+
+Fixes: 0cad855fbd083ee5 ("auxdisplay: img-ascii-lcd: driver for simple ASCII LCD displays")
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/auxdisplay/img-ascii-lcd.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/auxdisplay/img-ascii-lcd.c b/drivers/auxdisplay/img-ascii-lcd.c
+index 1cce409ce5cac..e33ce0151cdfd 100644
+--- a/drivers/auxdisplay/img-ascii-lcd.c
++++ b/drivers/auxdisplay/img-ascii-lcd.c
+@@ -280,6 +280,16 @@ static int img_ascii_lcd_display(struct img_ascii_lcd_ctx *ctx,
+ if (msg[count - 1] == '\n')
+ count--;
+
++ if (!count) {
++ /* clear the LCD */
++ devm_kfree(&ctx->pdev->dev, ctx->message);
++ ctx->message = NULL;
++ ctx->message_len = 0;
++ memset(ctx->curr, ' ', ctx->cfg->num_chars);
++ ctx->cfg->update(ctx);
++ return 0;
++ }
++
+ new_msg = devm_kmalloc(&ctx->pdev->dev, count + 1, GFP_KERNEL);
+ if (!new_msg)
+ return -ENOMEM;
+--
+2.33.0
+
--- /dev/null
+From ef6836bf442fc4cf81af37c8948f65081bb86d76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Oct 2021 10:36:22 +0300
+Subject: b43: fix a lower bounds test
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 9b793db5fca44d01f72d3564a168171acf7c4076 ]
+
+The problem is that "channel" is an unsigned int, when it's less 5 the
+value of "channel - 5" is not a negative number as one would expect but
+is very high positive value instead.
+
+This means that "start" becomes a very high positive value. The result
+of that is that we never enter the "for (i = start; i <= end; i++) {"
+loop. Instead of storing the result from b43legacy_radio_aci_detect()
+it just uses zero.
+
+Fixes: ef1a628d83fc ("b43: Implement dynamic PHY API")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Michael Büsch <m@bues.ch>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20211006073621.GE8404@kili
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/b43/phy_g.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/broadcom/b43/phy_g.c b/drivers/net/wireless/broadcom/b43/phy_g.c
+index d5a1a5c582366..ac72ca39e409b 100644
+--- a/drivers/net/wireless/broadcom/b43/phy_g.c
++++ b/drivers/net/wireless/broadcom/b43/phy_g.c
+@@ -2297,7 +2297,7 @@ static u8 b43_gphy_aci_scan(struct b43_wldev *dev)
+ b43_phy_mask(dev, B43_PHY_G_CRS, 0x7FFF);
+ b43_set_all_gains(dev, 3, 8, 1);
+
+- start = (channel - 5 > 0) ? channel - 5 : 1;
++ start = (channel > 5) ? channel - 5 : 1;
+ end = (channel + 5 < 14) ? channel + 5 : 13;
+
+ for (i = start; i <= end; i++) {
+--
+2.33.0
+
--- /dev/null
+From 8903536ce6ac0aa18c58da981d3e2d2366568066 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Oct 2021 10:35:42 +0300
+Subject: b43legacy: fix a lower bounds test
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit c1c8380b0320ab757e60ed90efc8b1992a943256 ]
+
+The problem is that "channel" is an unsigned int, when it's less 5 the
+value of "channel - 5" is not a negative number as one would expect but
+is very high positive value instead.
+
+This means that "start" becomes a very high positive value. The result
+of that is that we never enter the "for (i = start; i <= end; i++) {"
+loop. Instead of storing the result from b43legacy_radio_aci_detect()
+it just uses zero.
+
+Fixes: 75388acd0cd8 ("[B43LEGACY]: add mac80211-based driver for legacy BCM43xx devices")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Michael Büsch <m@bues.ch>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20211006073542.GD8404@kili
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/b43legacy/radio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/broadcom/b43legacy/radio.c b/drivers/net/wireless/broadcom/b43legacy/radio.c
+index 06891b4f837b9..fdf78c10a05c2 100644
+--- a/drivers/net/wireless/broadcom/b43legacy/radio.c
++++ b/drivers/net/wireless/broadcom/b43legacy/radio.c
+@@ -283,7 +283,7 @@ u8 b43legacy_radio_aci_scan(struct b43legacy_wldev *dev)
+ & 0x7FFF);
+ b43legacy_set_all_gains(dev, 3, 8, 1);
+
+- start = (channel - 5 > 0) ? channel - 5 : 1;
++ start = (channel > 5) ? channel - 5 : 1;
+ end = (channel + 5 < 14) ? channel + 5 : 13;
+
+ for (i = start; i <= end; i++) {
+--
+2.33.0
+
--- /dev/null
+From ac390f57524e054e6c17ae9ea70c9c34f24d4b7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Sep 2021 15:03:00 -0700
+Subject: block/ataflop: add registration bool before calling del_gendisk()
+
+From: Luis Chamberlain <mcgrof@kernel.org>
+
+[ Upstream commit 573effb298011d3fcabc9b12025cf637f8a07911 ]
+
+The ataflop assumes del_gendisk() is safe to call, this is only
+true because add_disk() does not return a failure, but that will
+change soon. And so, before we get to adding error handling for
+that case, let's make sure we keep track of which disks actually
+get registered. Then we use this to only call del_gendisk for them.
+
+Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
+Link: https://lore.kernel.org/r/20210927220302.1073499-13-mcgrof@kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/ataflop.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/block/ataflop.c b/drivers/block/ataflop.c
+index 359417a016e43..c8a999086060f 100644
+--- a/drivers/block/ataflop.c
++++ b/drivers/block/ataflop.c
+@@ -298,6 +298,7 @@ static struct atari_floppy_struct {
+ disk change detection) */
+ int flags; /* flags */
+ struct gendisk *disk[NUM_DISK_MINORS];
++ bool registered[NUM_DISK_MINORS];
+ int ref;
+ int type;
+ struct blk_mq_tag_set tag_set;
+@@ -2026,8 +2027,10 @@ static void ataflop_probe(dev_t dev)
+ return;
+ mutex_lock(&ataflop_probe_lock);
+ if (!unit[drive].disk[type]) {
+- if (ataflop_alloc_disk(drive, type) == 0)
++ if (ataflop_alloc_disk(drive, type) == 0) {
+ add_disk(unit[drive].disk[type]);
++ unit[drive].registered[type] = true;
++ }
+ }
+ mutex_unlock(&ataflop_probe_lock);
+ }
+@@ -2091,6 +2094,7 @@ static int __init atari_floppy_init (void)
+ unit[i].track = -1;
+ unit[i].flags = 0;
+ add_disk(unit[i].disk[0]);
++ unit[i].registered[0] = true;
+ }
+
+ printk(KERN_INFO "Atari floppy driver: max. %cD, %strack buffering\n",
+@@ -2159,7 +2163,8 @@ static void __exit atari_floppy_exit(void)
+ for (type = 0; type < NUM_DISK_MINORS; type++) {
+ if (!unit[i].disk[type])
+ continue;
+- del_gendisk(unit[i].disk[type]);
++ if (unit[i].registered[type])
++ del_gendisk(unit[i].disk[type]);
+ blk_cleanup_disk(unit[i].disk[type]);
+ }
+ blk_mq_free_tag_set(&unit[i].tag_set);
+--
+2.33.0
+
--- /dev/null
+From 09451954ade6946683001515407fa95a9ef916a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Oct 2021 19:13:21 +1300
+Subject: block: ataflop: fix breakage introduced at blk-mq refactoring
+
+From: Michael Schmitz <schmitzmic@gmail.com>
+
+[ Upstream commit 86d46fdaa12ae5befc16b8d73fc85a3ca0399ea6 ]
+
+Refactoring of the Atari floppy driver when converting to blk-mq
+has broken the state machine in not-so-subtle ways:
+
+finish_fdc() must be called when operations on the floppy device
+have completed. This is crucial in order to relase the ST-DMA
+lock, which protects against concurrent access to the ST-DMA
+controller by other drivers (some DMA related, most just related
+to device register access - broken beyond compare, I know).
+
+When rewriting the driver's old do_request() function, the fact
+that finish_fdc() was called only when all queued requests had
+completed appears to have been overlooked. Instead, the new
+request function calls finish_fdc() immediately after the last
+request has been queued. finish_fdc() executes a dummy seek after
+most requests, and this overwrites the state machine's interrupt
+hander that was set up to wait for completion of the read/write
+request just prior. To make matters worse, finish_fdc() is called
+before device interrupts are re-enabled, making certain that the
+read/write interupt is missed.
+
+Shifting the finish_fdc() call into the read/write request
+completion handler ensures the driver waits for the request to
+actually complete. With a queue depth of 2, we won't see long
+request sequences, so calling finish_fdc() unconditionally just
+adds a little overhead for the dummy seeks, and keeps the code
+simple.
+
+While we're at it, kill ataflop_commit_rqs() which does nothing
+but run finish_fdc() unconditionally, again likely wiping out an
+in-flight request.
+
+Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
+Fixes: 6ec3938cff95 ("ataflop: convert to blk-mq")
+CC: linux-block@vger.kernel.org
+CC: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+Link: https://lore.kernel.org/r/20211019061321.26425-1-schmitzmic@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/ataflop.c | 18 +++---------------
+ 1 file changed, 3 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/block/ataflop.c b/drivers/block/ataflop.c
+index 3e881fdb06e0a..cd612cd04767a 100644
+--- a/drivers/block/ataflop.c
++++ b/drivers/block/ataflop.c
+@@ -653,9 +653,6 @@ static inline void copy_buffer(void *from, void *to)
+ *p2++ = *p1++;
+ }
+
+-
+-
+-
+ /* General Interrupt Handling */
+
+ static void (*FloppyIRQHandler)( int status ) = NULL;
+@@ -1225,6 +1222,7 @@ static void fd_rwsec_done1(int status)
+ }
+ else {
+ /* all sectors finished */
++ finish_fdc();
+ fd_end_request_cur(BLK_STS_OK);
+ }
+ return;
+@@ -1472,15 +1470,6 @@ static void setup_req_params( int drive )
+ ReqTrack, ReqSector, (unsigned long)ReqData ));
+ }
+
+-static void ataflop_commit_rqs(struct blk_mq_hw_ctx *hctx)
+-{
+- spin_lock_irq(&ataflop_lock);
+- atari_disable_irq(IRQ_MFP_FDC);
+- finish_fdc();
+- atari_enable_irq(IRQ_MFP_FDC);
+- spin_unlock_irq(&ataflop_lock);
+-}
+-
+ static blk_status_t ataflop_queue_rq(struct blk_mq_hw_ctx *hctx,
+ const struct blk_mq_queue_data *bd)
+ {
+@@ -1488,6 +1477,8 @@ static blk_status_t ataflop_queue_rq(struct blk_mq_hw_ctx *hctx,
+ int drive = floppy - unit;
+ int type = floppy->type;
+
++ DPRINT(("Queue request: drive %d type %d last %d\n", drive, type, bd->last));
++
+ spin_lock_irq(&ataflop_lock);
+ if (fd_request) {
+ spin_unlock_irq(&ataflop_lock);
+@@ -1547,8 +1538,6 @@ static blk_status_t ataflop_queue_rq(struct blk_mq_hw_ctx *hctx,
+ setup_req_params( drive );
+ do_fd_action( drive );
+
+- if (bd->last)
+- finish_fdc();
+ atari_enable_irq( IRQ_MFP_FDC );
+
+ out:
+@@ -1959,7 +1948,6 @@ static const struct block_device_operations floppy_fops = {
+
+ static const struct blk_mq_ops ataflop_mq_ops = {
+ .queue_rq = ataflop_queue_rq,
+- .commit_rqs = ataflop_commit_rqs,
+ };
+
+ static struct kobject *floppy_find(dev_t dev, int *part, void *data)
+--
+2.33.0
+
--- /dev/null
+From 4ae8f8216a7e7cceb54e422b521a78f0c9148afc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 24 Oct 2021 13:20:13 +1300
+Subject: block: ataflop: more blk-mq refactoring fixes
+
+From: Michael Schmitz <schmitzmic@gmail.com>
+
+[ Upstream commit d28e4dff085c5a87025c9a0a85fb798bd8e9ca17 ]
+
+As it turns out, my earlier patch in commit 86d46fdaa12a (block:
+ataflop: fix breakage introduced at blk-mq refactoring) was
+incomplete. This patch fixes any remaining issues found during
+more testing and code review.
+
+Requests exceeding 4 k are handled in 4k segments but
+__blk_mq_end_request() is never called on these (still
+sectors outstanding on the request). With redo_fd_request()
+removed, there is no provision to kick off processing of the
+next segment, causing requests exceeding 4k to hang. (By
+setting /sys/block/fd0/queue/max_sectors_k <= 4 as workaround,
+this behaviour can be avoided).
+
+Instead of reintroducing redo_fd_request(), requeue the remainder
+of the request by calling blk_mq_requeue_request() on incomplete
+requests (i.e. when blk_update_request() still returns true), and
+rely on the block layer to queue the residual as new request.
+
+Both error handling and formatting needs to release the
+ST-DMA lock, so call finish_fdc() on these (this was previously
+handled by redo_fd_request()). finish_fdc() may be called
+legitimately without the ST-DMA lock held - make sure we only
+release the lock if we actually held it. In a similar way,
+early exit due to errors in ataflop_queue_rq() must release
+the lock.
+
+After minor errors, fd_error sets up to recalibrate the drive
+but never re-runs the current operation (another task handled by
+redo_fd_request() before). Call do_fd_action() to get the next
+steps (seek, retry read/write) underway.
+
+Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
+Fixes: 6ec3938cff95f (ataflop: convert to blk-mq)
+CC: linux-block@vger.kernel.org
+Link: https://lore.kernel.org/r/20211024002013.9332-1-schmitzmic@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/ataflop.c | 45 +++++++++++++++++++++++++++++++++++------
+ 1 file changed, 39 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/block/ataflop.c b/drivers/block/ataflop.c
+index 0a86f9d3a3798..94b76c254db9b 100644
+--- a/drivers/block/ataflop.c
++++ b/drivers/block/ataflop.c
+@@ -456,10 +456,20 @@ static DEFINE_TIMER(fd_timer, check_change);
+
+ static void fd_end_request_cur(blk_status_t err)
+ {
++ DPRINT(("fd_end_request_cur(), bytes %d of %d\n",
++ blk_rq_cur_bytes(fd_request),
++ blk_rq_bytes(fd_request)));
++
+ if (!blk_update_request(fd_request, err,
+ blk_rq_cur_bytes(fd_request))) {
++ DPRINT(("calling __blk_mq_end_request()\n"));
+ __blk_mq_end_request(fd_request, err);
+ fd_request = NULL;
++ } else {
++ /* requeue rest of request */
++ DPRINT(("calling blk_mq_requeue_request()\n"));
++ blk_mq_requeue_request(fd_request, true);
++ fd_request = NULL;
+ }
+ }
+
+@@ -697,12 +707,21 @@ static void fd_error( void )
+ if (fd_request->error_count >= MAX_ERRORS) {
+ printk(KERN_ERR "fd%d: too many errors.\n", SelectedDrive );
+ fd_end_request_cur(BLK_STS_IOERR);
++ finish_fdc();
++ return;
+ }
+ else if (fd_request->error_count == RECALIBRATE_ERRORS) {
+ printk(KERN_WARNING "fd%d: recalibrating\n", SelectedDrive );
+ if (SelectedDrive != -1)
+ SUD.track = -1;
+ }
++ /* need to re-run request to recalibrate */
++ atari_disable_irq( IRQ_MFP_FDC );
++
++ setup_req_params( SelectedDrive );
++ do_fd_action( SelectedDrive );
++
++ atari_enable_irq( IRQ_MFP_FDC );
+ }
+
+
+@@ -729,8 +748,10 @@ static int do_format(int drive, int type, struct atari_format_descr *desc)
+ if (type) {
+ type--;
+ if (type >= NUM_DISK_MINORS ||
+- minor2disktype[type].drive_types > DriveType)
++ minor2disktype[type].drive_types > DriveType) {
++ finish_fdc();
+ return -EINVAL;
++ }
+ }
+
+ q = unit[drive].disk[type]->queue;
+@@ -748,6 +769,7 @@ static int do_format(int drive, int type, struct atari_format_descr *desc)
+ }
+
+ if (!UDT || desc->track >= UDT->blocks/UDT->spt/2 || desc->head >= 2) {
++ finish_fdc();
+ ret = -EINVAL;
+ goto out;
+ }
+@@ -788,6 +810,7 @@ static int do_format(int drive, int type, struct atari_format_descr *desc)
+
+ wait_for_completion(&format_wait);
+
++ finish_fdc();
+ ret = FormatError ? -EIO : 0;
+ out:
+ blk_mq_unquiesce_queue(q);
+@@ -822,6 +845,7 @@ static void do_fd_action( int drive )
+ else {
+ /* all sectors finished */
+ fd_end_request_cur(BLK_STS_OK);
++ finish_fdc();
+ return;
+ }
+ }
+@@ -1225,8 +1249,8 @@ static void fd_rwsec_done1(int status)
+ }
+ else {
+ /* all sectors finished */
+- finish_fdc();
+ fd_end_request_cur(BLK_STS_OK);
++ finish_fdc();
+ }
+ return;
+
+@@ -1348,7 +1372,7 @@ static void fd_times_out(struct timer_list *unused)
+
+ static void finish_fdc( void )
+ {
+- if (!NeedSeek) {
++ if (!NeedSeek || !stdma_is_locked_by(floppy_irq)) {
+ finish_fdc_done( 0 );
+ }
+ else {
+@@ -1383,7 +1407,8 @@ static void finish_fdc_done( int dummy )
+ start_motor_off_timer();
+
+ local_irq_save(flags);
+- stdma_release();
++ if (stdma_is_locked_by(floppy_irq))
++ stdma_release();
+ local_irq_restore(flags);
+
+ DPRINT(("finish_fdc() finished\n"));
+@@ -1480,7 +1505,9 @@ static blk_status_t ataflop_queue_rq(struct blk_mq_hw_ctx *hctx,
+ int drive = floppy - unit;
+ int type = floppy->type;
+
+- DPRINT(("Queue request: drive %d type %d last %d\n", drive, type, bd->last));
++ DPRINT(("Queue request: drive %d type %d sectors %d of %d last %d\n",
++ drive, type, blk_rq_cur_sectors(bd->rq),
++ blk_rq_sectors(bd->rq), bd->last));
+
+ spin_lock_irq(&ataflop_lock);
+ if (fd_request) {
+@@ -1502,6 +1529,7 @@ static blk_status_t ataflop_queue_rq(struct blk_mq_hw_ctx *hctx,
+ /* drive not connected */
+ printk(KERN_ERR "Unknown Device: fd%d\n", drive );
+ fd_end_request_cur(BLK_STS_IOERR);
++ stdma_release();
+ goto out;
+ }
+
+@@ -1518,11 +1546,13 @@ static blk_status_t ataflop_queue_rq(struct blk_mq_hw_ctx *hctx,
+ if (--type >= NUM_DISK_MINORS) {
+ printk(KERN_WARNING "fd%d: invalid disk format", drive );
+ fd_end_request_cur(BLK_STS_IOERR);
++ stdma_release();
+ goto out;
+ }
+ if (minor2disktype[type].drive_types > DriveType) {
+ printk(KERN_WARNING "fd%d: unsupported disk format", drive );
+ fd_end_request_cur(BLK_STS_IOERR);
++ stdma_release();
+ goto out;
+ }
+ type = minor2disktype[type].index;
+@@ -1623,6 +1653,7 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode,
+ /* what if type > 0 here? Overwrite specified entry ? */
+ if (type) {
+ /* refuse to re-set a predefined type for now */
++ finish_fdc();
+ return -EINVAL;
+ }
+
+@@ -1690,8 +1721,10 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode,
+
+ /* sanity check */
+ if (setprm.track != dtp->blocks/dtp->spt/2 ||
+- setprm.head != 2)
++ setprm.head != 2) {
++ finish_fdc();
+ return -EINVAL;
++ }
+
+ UDT = dtp;
+ set_capacity(disk, UDT->blocks);
+--
+2.33.0
+
--- /dev/null
+From d24593de8e05bbbaca47ce45586e189d680d2bdc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Sep 2021 15:03:01 -0700
+Subject: block/ataflop: provide a helper for cleanup up an atari disk
+
+From: Luis Chamberlain <mcgrof@kernel.org>
+
+[ Upstream commit deae1138d04758c7f8939fcb8aee330bc37e3015 ]
+
+Instead of using two separate code paths for cleaning up an atari disk,
+use one. We take the more careful approach to check for *all* disk
+types, as is done on exit. The init path didn't have that check as
+the alternative disk types are only probed for later, they are not
+initialized by default.
+
+Yes, there is a shared tag for all disks.
+
+Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
+Link: https://lore.kernel.org/r/20210927220302.1073499-14-mcgrof@kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/ataflop.c | 34 +++++++++++++++++++---------------
+ 1 file changed, 19 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/block/ataflop.c b/drivers/block/ataflop.c
+index c8a999086060f..2d3a66362dcf9 100644
+--- a/drivers/block/ataflop.c
++++ b/drivers/block/ataflop.c
+@@ -2035,6 +2035,20 @@ static void ataflop_probe(dev_t dev)
+ mutex_unlock(&ataflop_probe_lock);
+ }
+
++static void atari_cleanup_floppy_disk(struct atari_floppy_struct *fs)
++{
++ int type;
++
++ for (type = 0; type < NUM_DISK_MINORS; type++) {
++ if (!fs->disk[type])
++ continue;
++ if (fs->registered[type])
++ del_gendisk(fs->disk[type]);
++ blk_cleanup_disk(fs->disk[type]);
++ }
++ blk_mq_free_tag_set(&fs->tag_set);
++}
++
+ static int __init atari_floppy_init (void)
+ {
+ int i;
+@@ -2105,10 +2119,8 @@ static int __init atari_floppy_init (void)
+ return 0;
+
+ err:
+- while (--i >= 0) {
+- blk_cleanup_disk(unit[i].disk[0]);
+- blk_mq_free_tag_set(&unit[i].tag_set);
+- }
++ while (--i >= 0)
++ atari_cleanup_floppy_disk(&unit[i]);
+
+ unregister_blkdev(FLOPPY_MAJOR, "fd");
+ out_unlock:
+@@ -2157,18 +2169,10 @@ __setup("floppy=", atari_floppy_setup);
+
+ static void __exit atari_floppy_exit(void)
+ {
+- int i, type;
++ int i;
+
+- for (i = 0; i < FD_MAX_UNITS; i++) {
+- for (type = 0; type < NUM_DISK_MINORS; type++) {
+- if (!unit[i].disk[type])
+- continue;
+- if (unit[i].registered[type])
+- del_gendisk(unit[i].disk[type]);
+- blk_cleanup_disk(unit[i].disk[type]);
+- }
+- blk_mq_free_tag_set(&unit[i].tag_set);
+- }
++ for (i = 0; i < FD_MAX_UNITS; i++)
++ atari_cleanup_floppy_disk(&unit[i]);
+ unregister_blkdev(FLOPPY_MAJOR, "fd");
+
+ del_timer_sync(&fd_timer);
+--
+2.33.0
+
--- /dev/null
+From 70e64a2ff417290a5bf367f474cad610e0557dcf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Sep 2021 15:02:59 -0700
+Subject: block/ataflop: use the blk_cleanup_disk() helper
+
+From: Luis Chamberlain <mcgrof@kernel.org>
+
+[ Upstream commit 44a469b6acae6ad05c4acca8429467d1d50a8b8d ]
+
+Use the helper to replace two lines with one.
+
+Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
+Link: https://lore.kernel.org/r/20210927220302.1073499-12-mcgrof@kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/ataflop.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/block/ataflop.c b/drivers/block/ataflop.c
+index 94b76c254db9b..359417a016e43 100644
+--- a/drivers/block/ataflop.c
++++ b/drivers/block/ataflop.c
+@@ -2102,8 +2102,7 @@ static int __init atari_floppy_init (void)
+
+ err:
+ while (--i >= 0) {
+- blk_cleanup_queue(unit[i].disk[0]->queue);
+- put_disk(unit[i].disk[0]);
++ blk_cleanup_disk(unit[i].disk[0]);
+ blk_mq_free_tag_set(&unit[i].tag_set);
+ }
+
+@@ -2161,8 +2160,7 @@ static void __exit atari_floppy_exit(void)
+ if (!unit[i].disk[type])
+ continue;
+ del_gendisk(unit[i].disk[type]);
+- blk_cleanup_queue(unit[i].disk[type]->queue);
+- put_disk(unit[i].disk[type]);
++ blk_cleanup_disk(unit[i].disk[type]);
+ }
+ blk_mq_free_tag_set(&unit[i].tag_set);
+ }
+--
+2.33.0
+
--- /dev/null
+From 972b23269a5d89928e666a8eb9e30f27629df91f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Oct 2021 12:01:07 -0600
+Subject: block: bump max plugged deferred size from 16 to 32
+
+From: Jens Axboe <axboe@kernel.dk>
+
+[ Upstream commit ba0ffdd8ce48ad7f7e85191cd29f9674caca3745 ]
+
+Particularly for NVMe with efficient deferred submission for many
+requests, there are nice benefits to be seen by bumping the default max
+plug count from 16 to 32. This is especially true for virtualized setups,
+where the submit part is more expensive. But can be noticed even on
+native hardware.
+
+Reduce the multiple queue factor from 4 to 2, since we're changing the
+default size.
+
+While changing it, move the defines into the block layer private header.
+These aren't values that anyone outside of the block layer uses, or
+should use.
+
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-mq.c | 4 ++--
+ block/blk.h | 6 ++++++
+ include/linux/blkdev.h | 2 --
+ 3 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index 69cc552c3dfc9..e4422a09b1265 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -2116,14 +2116,14 @@ static void blk_add_rq_to_plug(struct blk_plug *plug, struct request *rq)
+ }
+
+ /*
+- * Allow 4x BLK_MAX_REQUEST_COUNT requests on plug queue for multiple
++ * Allow 2x BLK_MAX_REQUEST_COUNT requests on plug queue for multiple
+ * queues. This is important for md arrays to benefit from merging
+ * requests.
+ */
+ static inline unsigned short blk_plug_max_rq_count(struct blk_plug *plug)
+ {
+ if (plug->multiple_queues)
+- return BLK_MAX_REQUEST_COUNT * 4;
++ return BLK_MAX_REQUEST_COUNT * 2;
+ return BLK_MAX_REQUEST_COUNT;
+ }
+
+diff --git a/block/blk.h b/block/blk.h
+index f84c83300f6fa..997941cd999f6 100644
+--- a/block/blk.h
++++ b/block/blk.h
+@@ -188,6 +188,12 @@ bool blk_bio_list_merge(struct request_queue *q, struct list_head *list,
+ void blk_account_io_start(struct request *req);
+ void blk_account_io_done(struct request *req, u64 now);
+
++/*
++ * Plug flush limits
++ */
++#define BLK_MAX_REQUEST_COUNT 32
++#define BLK_PLUG_FLUSH_SIZE (128 * 1024)
++
+ /*
+ * Internal elevator interface
+ */
+diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
+index 8aae375864b6b..4ba17736b614f 100644
+--- a/include/linux/blkdev.h
++++ b/include/linux/blkdev.h
+@@ -1248,8 +1248,6 @@ struct blk_plug {
+ bool multiple_queues;
+ bool nowait;
+ };
+-#define BLK_MAX_REQUEST_COUNT 16
+-#define BLK_PLUG_FLUSH_SIZE (128 * 1024)
+
+ struct blk_plug_cb;
+ typedef void (*blk_plug_cb_fn)(struct blk_plug_cb *, bool);
+--
+2.33.0
+
--- /dev/null
+From 9c89ca382365dd0103043a1888639f44690c9747 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Oct 2021 08:21:40 -0600
+Subject: block: remove inaccurate requeue check
+
+From: Jens Axboe <axboe@kernel.dk>
+
+[ Upstream commit 037057a5a979c7eeb2ee5d12cf4c24b805192c75 ]
+
+This check is meant to catch cases where a requeue is attempted on a
+request that is still inserted. It's never really been useful to catch any
+misuse, and now it's actively wrong. Outside of that, this should not be a
+BUG_ON() to begin with.
+
+Remove the check as it's now causing active harm, as requeue off the plug
+path will trigger it even though the request state is just fine.
+
+Reported-by: Yi Zhang <yi.zhang@redhat.com>
+Link: https://lore.kernel.org/linux-block/CAHj4cs80zAUc2grnCZ015-2Rvd-=gXRfB_dFKy=RTm+wRo09HQ@mail.gmail.com/
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-mq.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index e4422a09b1265..15a11a217cd03 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -774,7 +774,6 @@ void blk_mq_requeue_request(struct request *rq, bool kick_requeue_list)
+ /* this request will be re-inserted to io scheduler queue */
+ blk_mq_sched_requeue_request(rq);
+
+- BUG_ON(!list_empty(&rq->queuelist));
+ blk_mq_add_to_requeue_list(rq, true, kick_requeue_list);
+ }
+ EXPORT_SYMBOL(blk_mq_requeue_request);
+--
+2.33.0
+
--- /dev/null
+From 7951b9ded894c09466280de9ec305223a632c0f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Sep 2021 21:49:45 +0800
+Subject: Bluetooth: btmtkuart: fix a memleak in mtk_hci_wmt_sync
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit 3e5f2d90c28f9454e421108554707620bc23269d ]
+
+bdev->evt_skb will get freed in the normal path and one error path
+of mtk_hci_wmt_sync, while the other error paths do not free it,
+which may cause a memleak. This bug is suggested by a static analysis
+tool, please advise.
+
+Fixes: e0b67035a90b ("Bluetooth: mediatek: update the common setup between MT7622 and other devices")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btmtkuart.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/bluetooth/btmtkuart.c b/drivers/bluetooth/btmtkuart.c
+index 6c40bc75fb5b8..719d4685a2ddd 100644
+--- a/drivers/bluetooth/btmtkuart.c
++++ b/drivers/bluetooth/btmtkuart.c
+@@ -158,8 +158,10 @@ static int mtk_hci_wmt_sync(struct hci_dev *hdev,
+ int err;
+
+ hlen = sizeof(*hdr) + wmt_params->dlen;
+- if (hlen > 255)
+- return -EINVAL;
++ if (hlen > 255) {
++ err = -EINVAL;
++ goto err_free_skb;
++ }
+
+ hdr = (struct mtk_wmt_hdr *)&wc;
+ hdr->dir = 1;
+@@ -173,7 +175,7 @@ static int mtk_hci_wmt_sync(struct hci_dev *hdev,
+ err = __hci_cmd_send(hdev, 0xfc6f, hlen, &wc);
+ if (err < 0) {
+ clear_bit(BTMTKUART_TX_WAIT_VND_EVT, &bdev->tx_state);
+- return err;
++ goto err_free_skb;
+ }
+
+ /* The vendor specific WMT commands are all answered by a vendor
+@@ -190,13 +192,14 @@ static int mtk_hci_wmt_sync(struct hci_dev *hdev,
+ if (err == -EINTR) {
+ bt_dev_err(hdev, "Execution of wmt command interrupted");
+ clear_bit(BTMTKUART_TX_WAIT_VND_EVT, &bdev->tx_state);
+- return err;
++ goto err_free_skb;
+ }
+
+ if (err) {
+ bt_dev_err(hdev, "Execution of wmt command timed out");
+ clear_bit(BTMTKUART_TX_WAIT_VND_EVT, &bdev->tx_state);
+- return -ETIMEDOUT;
++ err = -ETIMEDOUT;
++ goto err_free_skb;
+ }
+
+ /* Parse and handle the return WMT event */
+--
+2.33.0
+
--- /dev/null
+From 9f368abc2e9a7a106d91ef729b59251eea1ea3f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Sep 2021 23:13:06 -0400
+Subject: Bluetooth: fix init and cleanup of sco_conn.timeout_work
+
+From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+
+[ Upstream commit 49d8a5606428ca0962d09050a5af81461ff90fbb ]
+
+Before freeing struct sco_conn, all delayed timeout work should be
+cancelled. Otherwise, sco_sock_timeout could potentially use the
+sco_conn after it has been freed.
+
+Additionally, sco_conn.timeout_work should be initialized when the
+connection is allocated, not when the channel is added. This is
+because an sco_conn can create channels with multiple sockets over its
+lifetime, which happens if sockets are released but the connection
+isn't deleted.
+
+Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
+Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/sco.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
+index 93df269a64707..2f2b8ddc4dd5d 100644
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -134,6 +134,7 @@ static struct sco_conn *sco_conn_add(struct hci_conn *hcon)
+ return NULL;
+
+ spin_lock_init(&conn->lock);
++ INIT_DELAYED_WORK(&conn->timeout_work, sco_sock_timeout);
+
+ hcon->sco_data = conn;
+ conn->hcon = hcon;
+@@ -197,11 +198,11 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
+ sco_chan_del(sk, err);
+ bh_unlock_sock(sk);
+ sock_put(sk);
+-
+- /* Ensure no more work items will run before freeing conn. */
+- cancel_delayed_work_sync(&conn->timeout_work);
+ }
+
++ /* Ensure no more work items will run before freeing conn. */
++ cancel_delayed_work_sync(&conn->timeout_work);
++
+ hcon->sco_data = NULL;
+ kfree(conn);
+ }
+@@ -214,8 +215,6 @@ static void __sco_chan_add(struct sco_conn *conn, struct sock *sk,
+ sco_pi(sk)->conn = conn;
+ conn->sk = sk;
+
+- INIT_DELAYED_WORK(&conn->timeout_work, sco_sock_timeout);
+-
+ if (parent)
+ bt_accept_enqueue(parent, sk, true);
+ }
+--
+2.33.0
+
--- /dev/null
+From fcccb46d27569910232bbf33ff7566d6c5f48347 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Aug 2021 17:35:37 -0700
+Subject: Bluetooth: fix use-after-free error in lock_sock_nested()
+
+From: Wang ShaoBo <bobo.shaobowang@huawei.com>
+
+[ Upstream commit 1bff51ea59a9afb67d2dd78518ab0582a54a472c ]
+
+use-after-free error in lock_sock_nested is reported:
+
+[ 179.140137][ T3731] =====================================================
+[ 179.142675][ T3731] BUG: KMSAN: use-after-free in lock_sock_nested+0x280/0x2c0
+[ 179.145494][ T3731] CPU: 4 PID: 3731 Comm: kworker/4:2 Not tainted 5.12.0-rc6+ #54
+[ 179.148432][ T3731] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
+[ 179.151806][ T3731] Workqueue: events l2cap_chan_timeout
+[ 179.152730][ T3731] Call Trace:
+[ 179.153301][ T3731] dump_stack+0x24c/0x2e0
+[ 179.154063][ T3731] kmsan_report+0xfb/0x1e0
+[ 179.154855][ T3731] __msan_warning+0x5c/0xa0
+[ 179.155579][ T3731] lock_sock_nested+0x280/0x2c0
+[ 179.156436][ T3731] ? kmsan_get_metadata+0x116/0x180
+[ 179.157257][ T3731] l2cap_sock_teardown_cb+0xb8/0x890
+[ 179.158154][ T3731] ? __msan_metadata_ptr_for_load_8+0x10/0x20
+[ 179.159141][ T3731] ? kmsan_get_metadata+0x116/0x180
+[ 179.159994][ T3731] ? kmsan_get_shadow_origin_ptr+0x84/0xb0
+[ 179.160959][ T3731] ? l2cap_sock_recv_cb+0x420/0x420
+[ 179.161834][ T3731] l2cap_chan_del+0x3e1/0x1d50
+[ 179.162608][ T3731] ? kmsan_get_metadata+0x116/0x180
+[ 179.163435][ T3731] ? kmsan_get_shadow_origin_ptr+0x84/0xb0
+[ 179.164406][ T3731] l2cap_chan_close+0xeea/0x1050
+[ 179.165189][ T3731] ? kmsan_internal_unpoison_shadow+0x42/0x70
+[ 179.166180][ T3731] l2cap_chan_timeout+0x1da/0x590
+[ 179.167066][ T3731] ? __msan_metadata_ptr_for_load_8+0x10/0x20
+[ 179.168023][ T3731] ? l2cap_chan_create+0x560/0x560
+[ 179.168818][ T3731] process_one_work+0x121d/0x1ff0
+[ 179.169598][ T3731] worker_thread+0x121b/0x2370
+[ 179.170346][ T3731] kthread+0x4ef/0x610
+[ 179.171010][ T3731] ? process_one_work+0x1ff0/0x1ff0
+[ 179.171828][ T3731] ? kthread_blkcg+0x110/0x110
+[ 179.172587][ T3731] ret_from_fork+0x1f/0x30
+[ 179.173348][ T3731]
+[ 179.173752][ T3731] Uninit was created at:
+[ 179.174409][ T3731] kmsan_internal_poison_shadow+0x5c/0xf0
+[ 179.175373][ T3731] kmsan_slab_free+0x76/0xc0
+[ 179.176060][ T3731] kfree+0x3a5/0x1180
+[ 179.176664][ T3731] __sk_destruct+0x8af/0xb80
+[ 179.177375][ T3731] __sk_free+0x812/0x8c0
+[ 179.178032][ T3731] sk_free+0x97/0x130
+[ 179.178686][ T3731] l2cap_sock_release+0x3d5/0x4d0
+[ 179.179457][ T3731] sock_close+0x150/0x450
+[ 179.180117][ T3731] __fput+0x6bd/0xf00
+[ 179.180787][ T3731] ____fput+0x37/0x40
+[ 179.181481][ T3731] task_work_run+0x140/0x280
+[ 179.182219][ T3731] do_exit+0xe51/0x3e60
+[ 179.182930][ T3731] do_group_exit+0x20e/0x450
+[ 179.183656][ T3731] get_signal+0x2dfb/0x38f0
+[ 179.184344][ T3731] arch_do_signal_or_restart+0xaa/0xe10
+[ 179.185266][ T3731] exit_to_user_mode_prepare+0x2d2/0x560
+[ 179.186136][ T3731] syscall_exit_to_user_mode+0x35/0x60
+[ 179.186984][ T3731] do_syscall_64+0xc5/0x140
+[ 179.187681][ T3731] entry_SYSCALL_64_after_hwframe+0x44/0xae
+[ 179.188604][ T3731] =====================================================
+
+In our case, there are two Thread A and B:
+
+Context: Thread A: Context: Thread B:
+
+l2cap_chan_timeout() __se_sys_shutdown()
+ l2cap_chan_close() l2cap_sock_shutdown()
+ l2cap_chan_del() l2cap_chan_close()
+ l2cap_sock_teardown_cb() l2cap_sock_teardown_cb()
+
+Once l2cap_sock_teardown_cb() excuted, this sock will be marked as SOCK_ZAPPED,
+and can be treated as killable in l2cap_sock_kill() if sock_orphan() has
+excuted, at this time we close sock through sock_close() which end to call
+l2cap_sock_kill() like Thread C:
+
+Context: Thread C:
+
+sock_close()
+ l2cap_sock_release()
+ sock_orphan()
+ l2cap_sock_kill() #free sock if refcnt is 1
+
+If C completed, Once A or B reaches l2cap_sock_teardown_cb() again,
+use-after-free happened.
+
+We should set chan->data to NULL if sock is destructed, for telling teardown
+operation is not allowed in l2cap_sock_teardown_cb(), and also we should
+avoid killing an already killed socket in l2cap_sock_close_cb().
+
+Signed-off-by: Wang ShaoBo <bobo.shaobowang@huawei.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_sock.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
+index c99d65ef13b1e..160c016a5dfb9 100644
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1508,6 +1508,9 @@ static void l2cap_sock_close_cb(struct l2cap_chan *chan)
+ {
+ struct sock *sk = chan->data;
+
++ if (!sk)
++ return;
++
+ l2cap_sock_kill(sk);
+ }
+
+@@ -1516,6 +1519,9 @@ static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
+ struct sock *sk = chan->data;
+ struct sock *parent;
+
++ if (!sk)
++ return;
++
+ BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
+
+ /* This callback can be called both for server (BT_LISTEN)
+@@ -1707,8 +1713,10 @@ static void l2cap_sock_destruct(struct sock *sk)
+ {
+ BT_DBG("sk %p", sk);
+
+- if (l2cap_pi(sk)->chan)
++ if (l2cap_pi(sk)->chan) {
++ l2cap_pi(sk)->chan->data = NULL;
+ l2cap_chan_put(l2cap_pi(sk)->chan);
++ }
+
+ if (l2cap_pi(sk)->rx_busy_skb) {
+ kfree_skb(l2cap_pi(sk)->rx_busy_skb);
+--
+2.33.0
+
--- /dev/null
+From 893002d53ee332b013289193caa47577de5ab290 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Aug 2021 18:18:18 +0200
+Subject: Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 99c23da0eed4fd20cae8243f2b51e10e66aa0951 ]
+
+The sco_send_frame() also takes lock_sock() during memcpy_from_msg()
+call that may be endlessly blocked by a task with userfaultd
+technique, and this will result in a hung task watchdog trigger.
+
+Just like the similar fix for hci_sock_sendmsg() in commit
+92c685dc5de0 ("Bluetooth: reorganize functions..."), this patch moves
+the memcpy_from_msg() out of lock_sock() for addressing the hang.
+
+This should be the last piece for fixing CVE-2021-3640 after a few
+already queued fixes.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/sco.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
+index 7c24a9acbc459..93df269a64707 100644
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -281,7 +281,8 @@ static int sco_connect(struct hci_dev *hdev, struct sock *sk)
+ return err;
+ }
+
+-static int sco_send_frame(struct sock *sk, struct msghdr *msg, int len)
++static int sco_send_frame(struct sock *sk, void *buf, int len,
++ unsigned int msg_flags)
+ {
+ struct sco_conn *conn = sco_pi(sk)->conn;
+ struct sk_buff *skb;
+@@ -293,15 +294,11 @@ static int sco_send_frame(struct sock *sk, struct msghdr *msg, int len)
+
+ BT_DBG("sk %p len %d", sk, len);
+
+- skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
++ skb = bt_skb_send_alloc(sk, len, msg_flags & MSG_DONTWAIT, &err);
+ if (!skb)
+ return err;
+
+- if (memcpy_from_msg(skb_put(skb, len), msg, len)) {
+- kfree_skb(skb);
+- return -EFAULT;
+- }
+-
++ memcpy(skb_put(skb, len), buf, len);
+ hci_send_sco(conn->hcon, skb);
+
+ return len;
+@@ -726,6 +723,7 @@ static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg,
+ size_t len)
+ {
+ struct sock *sk = sock->sk;
++ void *buf;
+ int err;
+
+ BT_DBG("sock %p, sk %p", sock, sk);
+@@ -737,14 +735,24 @@ static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg,
+ if (msg->msg_flags & MSG_OOB)
+ return -EOPNOTSUPP;
+
++ buf = kmalloc(len, GFP_KERNEL);
++ if (!buf)
++ return -ENOMEM;
++
++ if (memcpy_from_msg(buf, msg, len)) {
++ kfree(buf);
++ return -EFAULT;
++ }
++
+ lock_sock(sk);
+
+ if (sk->sk_state == BT_CONNECTED)
+- err = sco_send_frame(sk, msg, len);
++ err = sco_send_frame(sk, buf, len, msg->msg_flags);
+ else
+ err = -ENOTCONN;
+
+ release_sock(sk);
++ kfree(buf);
+ return err;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From f158f621dbe457f7c8668f04d319d5cf14c93591 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Nov 2021 17:37:33 +0800
+Subject: bonding: Fix a use-after-free problem when bond_sysfs_slave_add()
+ failed
+
+From: Huang Guobin <huangguobin4@huawei.com>
+
+[ Upstream commit b93c6a911a3fe926b00add28f3b932007827c4ca ]
+
+When I do fuzz test for bonding device interface, I got the following
+use-after-free Calltrace:
+
+==================================================================
+BUG: KASAN: use-after-free in bond_enslave+0x1521/0x24f0
+Read of size 8 at addr ffff88825bc11c00 by task ifenslave/7365
+
+CPU: 5 PID: 7365 Comm: ifenslave Tainted: G E 5.15.0-rc1+ #13
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014
+Call Trace:
+ dump_stack_lvl+0x6c/0x8b
+ print_address_description.constprop.0+0x48/0x70
+ kasan_report.cold+0x82/0xdb
+ __asan_load8+0x69/0x90
+ bond_enslave+0x1521/0x24f0
+ bond_do_ioctl+0x3e0/0x450
+ dev_ifsioc+0x2ba/0x970
+ dev_ioctl+0x112/0x710
+ sock_do_ioctl+0x118/0x1b0
+ sock_ioctl+0x2e0/0x490
+ __x64_sys_ioctl+0x118/0x150
+ do_syscall_64+0x35/0xb0
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+RIP: 0033:0x7f19159cf577
+Code: b3 66 90 48 8b 05 11 89 2c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 78
+RSP: 002b:00007ffeb3083c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00007ffeb3084bca RCX: 00007f19159cf577
+RDX: 00007ffeb3083ce0 RSI: 0000000000008990 RDI: 0000000000000003
+RBP: 00007ffeb3084bc4 R08: 0000000000000040 R09: 0000000000000000
+R10: 00007ffeb3084bc0 R11: 0000000000000246 R12: 00007ffeb3083ce0
+R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffeb3083cb0
+
+Allocated by task 7365:
+ kasan_save_stack+0x23/0x50
+ __kasan_kmalloc+0x83/0xa0
+ kmem_cache_alloc_trace+0x22e/0x470
+ bond_enslave+0x2e1/0x24f0
+ bond_do_ioctl+0x3e0/0x450
+ dev_ifsioc+0x2ba/0x970
+ dev_ioctl+0x112/0x710
+ sock_do_ioctl+0x118/0x1b0
+ sock_ioctl+0x2e0/0x490
+ __x64_sys_ioctl+0x118/0x150
+ do_syscall_64+0x35/0xb0
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Freed by task 7365:
+ kasan_save_stack+0x23/0x50
+ kasan_set_track+0x20/0x30
+ kasan_set_free_info+0x24/0x40
+ __kasan_slab_free+0xf2/0x130
+ kfree+0xd1/0x5c0
+ slave_kobj_release+0x61/0x90
+ kobject_put+0x102/0x180
+ bond_sysfs_slave_add+0x7a/0xa0
+ bond_enslave+0x11b6/0x24f0
+ bond_do_ioctl+0x3e0/0x450
+ dev_ifsioc+0x2ba/0x970
+ dev_ioctl+0x112/0x710
+ sock_do_ioctl+0x118/0x1b0
+ sock_ioctl+0x2e0/0x490
+ __x64_sys_ioctl+0x118/0x150
+ do_syscall_64+0x35/0xb0
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Last potentially related work creation:
+ kasan_save_stack+0x23/0x50
+ kasan_record_aux_stack+0xb7/0xd0
+ insert_work+0x43/0x190
+ __queue_work+0x2e3/0x970
+ delayed_work_timer_fn+0x3e/0x50
+ call_timer_fn+0x148/0x470
+ run_timer_softirq+0x8a8/0xc50
+ __do_softirq+0x107/0x55f
+
+Second to last potentially related work creation:
+ kasan_save_stack+0x23/0x50
+ kasan_record_aux_stack+0xb7/0xd0
+ insert_work+0x43/0x190
+ __queue_work+0x2e3/0x970
+ __queue_delayed_work+0x130/0x180
+ queue_delayed_work_on+0xa7/0xb0
+ bond_enslave+0xe25/0x24f0
+ bond_do_ioctl+0x3e0/0x450
+ dev_ifsioc+0x2ba/0x970
+ dev_ioctl+0x112/0x710
+ sock_do_ioctl+0x118/0x1b0
+ sock_ioctl+0x2e0/0x490
+ __x64_sys_ioctl+0x118/0x150
+ do_syscall_64+0x35/0xb0
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+The buggy address belongs to the object at ffff88825bc11c00
+ which belongs to the cache kmalloc-1k of size 1024
+The buggy address is located 0 bytes inside of
+ 1024-byte region [ffff88825bc11c00, ffff88825bc12000)
+The buggy address belongs to the page:
+page:ffffea00096f0400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x25bc10
+head:ffffea00096f0400 order:3 compound_mapcount:0 compound_pincount:0
+flags: 0x57ff00000010200(slab|head|node=1|zone=2|lastcpupid=0x7ff)
+raw: 057ff00000010200 ffffea0009a71c08 ffff888240001968 ffff88810004dbc0
+raw: 0000000000000000 00000000000a000a 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff88825bc11b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff88825bc11b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+>ffff88825bc11c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff88825bc11c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff88825bc11d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+==================================================================
+
+Put new_slave in bond_sysfs_slave_add() will cause use-after-free problems
+when new_slave is accessed in the subsequent error handling process. Since
+new_slave will be put in the subsequent error handling process, remove the
+unnecessary put to fix it.
+In addition, when sysfs_create_file() fails, if some files have been crea-
+ted successfully, we need to call sysfs_remove_file() to remove them.
+Since there are sysfs_create_files() & sysfs_remove_files() can be used,
+use these two functions instead.
+
+Fixes: 7afcaec49696 (bonding: use kobject_put instead of _del after kobject_add)
+Signed-off-by: Huang Guobin <huangguobin4@huawei.com>
+Reviewed-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_sysfs_slave.c | 36 ++++++++------------------
+ 1 file changed, 11 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_sysfs_slave.c b/drivers/net/bonding/bond_sysfs_slave.c
+index fd07561da0348..6a6cdd0bb2585 100644
+--- a/drivers/net/bonding/bond_sysfs_slave.c
++++ b/drivers/net/bonding/bond_sysfs_slave.c
+@@ -108,15 +108,15 @@ static ssize_t ad_partner_oper_port_state_show(struct slave *slave, char *buf)
+ }
+ static SLAVE_ATTR_RO(ad_partner_oper_port_state);
+
+-static const struct slave_attribute *slave_attrs[] = {
+- &slave_attr_state,
+- &slave_attr_mii_status,
+- &slave_attr_link_failure_count,
+- &slave_attr_perm_hwaddr,
+- &slave_attr_queue_id,
+- &slave_attr_ad_aggregator_id,
+- &slave_attr_ad_actor_oper_port_state,
+- &slave_attr_ad_partner_oper_port_state,
++static const struct attribute *slave_attrs[] = {
++ &slave_attr_state.attr,
++ &slave_attr_mii_status.attr,
++ &slave_attr_link_failure_count.attr,
++ &slave_attr_perm_hwaddr.attr,
++ &slave_attr_queue_id.attr,
++ &slave_attr_ad_aggregator_id.attr,
++ &slave_attr_ad_actor_oper_port_state.attr,
++ &slave_attr_ad_partner_oper_port_state.attr,
+ NULL
+ };
+
+@@ -137,24 +137,10 @@ const struct sysfs_ops slave_sysfs_ops = {
+
+ int bond_sysfs_slave_add(struct slave *slave)
+ {
+- const struct slave_attribute **a;
+- int err;
+-
+- for (a = slave_attrs; *a; ++a) {
+- err = sysfs_create_file(&slave->kobj, &((*a)->attr));
+- if (err) {
+- kobject_put(&slave->kobj);
+- return err;
+- }
+- }
+-
+- return 0;
++ return sysfs_create_files(&slave->kobj, slave_attrs);
+ }
+
+ void bond_sysfs_slave_del(struct slave *slave)
+ {
+- const struct slave_attribute **a;
+-
+- for (a = slave_attrs; *a; ++a)
+- sysfs_remove_file(&slave->kobj, &((*a)->attr));
++ sysfs_remove_files(&slave->kobj, slave_attrs);
+ }
+--
+2.33.0
+
--- /dev/null
+From 057c5ff5c2b3ab0b93bac0514f29040be4e8c253 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Nov 2021 15:21:51 -0700
+Subject: bpf: Fix propagation of bounds from 64-bit min/max into 32-bit and
+ var_off.
+
+From: Alexei Starovoitov <ast@kernel.org>
+
+[ Upstream commit b9979db8340154526d9ab38a1883d6f6ba9b6d47 ]
+
+Before this fix:
+166: (b5) if r2 <= 0x1 goto pc+22
+from 166 to 189: R2=invP(id=1,umax_value=1,var_off=(0x0; 0xffffffff))
+
+After this fix:
+166: (b5) if r2 <= 0x1 goto pc+22
+from 166 to 189: R2=invP(id=1,umax_value=1,var_off=(0x0; 0x1))
+
+While processing BPF_JLE the reg_set_min_max() would set true_reg->umax_value = 1
+and call __reg_combine_64_into_32(true_reg).
+
+Without the fix it would not pass the condition:
+if (__reg64_bound_u32(reg->umin_value) && __reg64_bound_u32(reg->umax_value))
+
+since umin_value == 0 at this point.
+Before commit 10bf4e83167c the umin was incorrectly ingored.
+The commit 10bf4e83167c fixed the correctness issue, but pessimized
+propagation of 64-bit min max into 32-bit min max and corresponding var_off.
+
+Fixes: 10bf4e83167c ("bpf: Fix propagation of 32 bit unsigned bounds from 64 bit bounds")
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/bpf/20211101222153.78759-1-alexei.starovoitov@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 2 +-
+ tools/testing/selftests/bpf/verifier/array_access.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 0c26757ea7fbb..c56739a4a4219 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -1303,7 +1303,7 @@ static bool __reg64_bound_s32(s64 a)
+
+ static bool __reg64_bound_u32(u64 a)
+ {
+- return a > U32_MIN && a < U32_MAX;
++ return a >= U32_MIN && a <= U32_MAX;
+ }
+
+ static void __reg_combine_64_into_32(struct bpf_reg_state *reg)
+diff --git a/tools/testing/selftests/bpf/verifier/array_access.c b/tools/testing/selftests/bpf/verifier/array_access.c
+index 1b1c798e92489..1b138cd2b187d 100644
+--- a/tools/testing/selftests/bpf/verifier/array_access.c
++++ b/tools/testing/selftests/bpf/verifier/array_access.c
+@@ -186,7 +186,7 @@
+ },
+ .fixup_map_hash_48b = { 3 },
+ .errstr_unpriv = "R0 leaks addr",
+- .errstr = "R0 unbounded memory access",
++ .errstr = "invalid access to map value, value_size=48 off=44 size=8",
+ .result_unpriv = REJECT,
+ .result = REJECT,
+ .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
+--
+2.33.0
+
--- /dev/null
+From 9dcf615d1357e9e5927dfbf7af39a2bb1bd73a0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Nov 2021 15:21:52 -0700
+Subject: bpf: Fix propagation of signed bounds from 64-bit min/max into
+ 32-bit.
+
+From: Alexei Starovoitov <ast@kernel.org>
+
+[ Upstream commit 388e2c0b978339dee9b0a81a2e546f8979e021e2 ]
+
+Similar to unsigned bounds propagation fix signed bounds.
+The 'Fixes' tag is a hint. There is no security bug here.
+The verifier was too conservative.
+
+Fixes: 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking")
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/bpf/20211101222153.78759-2-alexei.starovoitov@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index c56739a4a4219..a15826a9a644f 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -1298,7 +1298,7 @@ static void __reg_combine_32_into_64(struct bpf_reg_state *reg)
+
+ static bool __reg64_bound_s32(s64 a)
+ {
+- return a > S32_MIN && a < S32_MAX;
++ return a >= S32_MIN && a <= S32_MAX;
+ }
+
+ static bool __reg64_bound_u32(u64 a)
+--
+2.33.0
+
--- /dev/null
+From f1e5813edb8366526f7622980093956808ce91b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Nov 2021 13:47:33 -0700
+Subject: bpf, sockmap: Remove unhash handler for BPF sockmap usage
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit b8b8315e39ffaca82e79d86dde26e9144addf66b ]
+
+We do not need to handle unhash from BPF side we can simply wait for the
+close to happen. The original concern was a socket could transition from
+ESTABLISHED state to a new state while the BPF hook was still attached.
+But, we convinced ourself this is no longer possible and we also improved
+BPF sockmap to handle listen sockets so this is no longer a problem.
+
+More importantly though there are cases where unhash is called when data is
+in the receive queue. The BPF unhash logic will flush this data which is
+wrong. To be correct it should keep the data in the receive queue and allow
+a receiving application to continue reading the data. This may happen when
+tcp_abort() is received for example. Instead of complicating the logic in
+unhash simply moving all this to tcp_close() hook solves this.
+
+Fixes: 51199405f9672 ("bpf: skb_verdict, support SK_PASS on RX BPF path")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Tested-by: Jussi Maki <joamaki@gmail.com>
+Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
+Link: https://lore.kernel.org/bpf/20211103204736.248403-3-john.fastabend@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_bpf.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
+index 9194070c67250..6b745ce4108c8 100644
+--- a/net/ipv4/tcp_bpf.c
++++ b/net/ipv4/tcp_bpf.c
+@@ -573,7 +573,6 @@ static void tcp_bpf_rebuild_protos(struct proto prot[TCP_BPF_NUM_CFGS],
+ struct proto *base)
+ {
+ prot[TCP_BPF_BASE] = *base;
+- prot[TCP_BPF_BASE].unhash = sock_map_unhash;
+ prot[TCP_BPF_BASE].close = sock_map_close;
+ prot[TCP_BPF_BASE].recvmsg = tcp_bpf_recvmsg;
+ prot[TCP_BPF_BASE].stream_memory_read = tcp_bpf_stream_read;
+--
+2.33.0
+
--- /dev/null
+From 338bbd8f2fce5081b96a16531ccb07e62475b087 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Nov 2021 13:47:35 -0700
+Subject: bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and
+ colliding
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit e0dc3b93bd7bcff8c3813d1df43e0908499c7cf0 ]
+
+Strparser is reusing the qdisc_skb_cb struct to stash the skb message handling
+progress, e.g. offset and length of the skb. First this is poorly named and
+inherits a struct from qdisc that doesn't reflect the actual usage of cb[] at
+this layer.
+
+But, more importantly strparser is using the following to access its metadata.
+
+ (struct _strp_msg *)((void *)skb->cb + offsetof(struct qdisc_skb_cb, data))
+
+Where _strp_msg is defined as:
+
+ struct _strp_msg {
+ struct strp_msg strp; /* 0 8 */
+ int accum_len; /* 8 4 */
+
+ /* size: 12, cachelines: 1, members: 2 */
+ /* last cacheline: 12 bytes */
+ };
+
+So we use 12 bytes of ->data[] in struct. However in BPF code running parser
+and verdict the user has read capabilities into the data[] array as well. Its
+not too problematic, but we should not be exposing internal state to BPF
+program. If its really needed then we can use the probe_read() APIs which allow
+reading kernel memory. And I don't believe cb[] layer poses any API breakage by
+moving this around because programs can't depend on cb[] across layers.
+
+In order to fix another issue with a ctx rewrite we need to stash a temp
+variable somewhere. To make this work cleanly this patch builds a cb struct
+for sk_skb types called sk_skb_cb struct. Then we can use this consistently
+in the strparser, sockmap space. Additionally we can start allowing ->cb[]
+write access after this.
+
+Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Tested-by: Jussi Maki <joamaki@gmail.com>
+Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
+Link: https://lore.kernel.org/bpf/20211103204736.248403-5-john.fastabend@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/strparser.h | 16 +++++++++++++++-
+ net/core/filter.c | 21 +++++++++++++++++++++
+ net/strparser/strparser.c | 10 +---------
+ 3 files changed, 37 insertions(+), 10 deletions(-)
+
+diff --git a/include/net/strparser.h b/include/net/strparser.h
+index 1d20b98493a10..bec1439bd3be6 100644
+--- a/include/net/strparser.h
++++ b/include/net/strparser.h
+@@ -54,10 +54,24 @@ struct strp_msg {
+ int offset;
+ };
+
++struct _strp_msg {
++ /* Internal cb structure. struct strp_msg must be first for passing
++ * to upper layer.
++ */
++ struct strp_msg strp;
++ int accum_len;
++};
++
++struct sk_skb_cb {
++#define SK_SKB_CB_PRIV_LEN 20
++ unsigned char data[SK_SKB_CB_PRIV_LEN];
++ struct _strp_msg strp;
++};
++
+ static inline struct strp_msg *strp_msg(struct sk_buff *skb)
+ {
+ return (struct strp_msg *)((void *)skb->cb +
+- offsetof(struct qdisc_skb_cb, data));
++ offsetof(struct sk_skb_cb, strp));
+ }
+
+ /* Structure for an attached lower socket */
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 7ea752af7894d..abd58dce49bbc 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -9493,6 +9493,27 @@ static u32 sk_skb_convert_ctx_access(enum bpf_access_type type,
+ *insn++ = BPF_LDX_MEM(BPF_SIZEOF(void *), si->dst_reg,
+ si->src_reg, off);
+ break;
++ case offsetof(struct __sk_buff, cb[0]) ...
++ offsetofend(struct __sk_buff, cb[4]) - 1:
++ BUILD_BUG_ON(sizeof_field(struct sk_skb_cb, data) < 20);
++ BUILD_BUG_ON((offsetof(struct sk_buff, cb) +
++ offsetof(struct sk_skb_cb, data)) %
++ sizeof(__u64));
++
++ prog->cb_access = 1;
++ off = si->off;
++ off -= offsetof(struct __sk_buff, cb[0]);
++ off += offsetof(struct sk_buff, cb);
++ off += offsetof(struct sk_skb_cb, data);
++ if (type == BPF_WRITE)
++ *insn++ = BPF_STX_MEM(BPF_SIZE(si->code), si->dst_reg,
++ si->src_reg, off);
++ else
++ *insn++ = BPF_LDX_MEM(BPF_SIZE(si->code), si->dst_reg,
++ si->src_reg, off);
++ break;
++
++
+ default:
+ return bpf_convert_ctx_access(type, si, insn_buf, prog,
+ target_size);
+diff --git a/net/strparser/strparser.c b/net/strparser/strparser.c
+index b3815c1e8f2ea..cd9954c4ad808 100644
+--- a/net/strparser/strparser.c
++++ b/net/strparser/strparser.c
+@@ -27,18 +27,10 @@
+
+ static struct workqueue_struct *strp_wq;
+
+-struct _strp_msg {
+- /* Internal cb structure. struct strp_msg must be first for passing
+- * to upper layer.
+- */
+- struct strp_msg strp;
+- int accum_len;
+-};
+-
+ static inline struct _strp_msg *_strp_msg(struct sk_buff *skb)
+ {
+ return (struct _strp_msg *)((void *)skb->cb +
+- offsetof(struct qdisc_skb_cb, data));
++ offsetof(struct sk_skb_cb, strp));
+ }
+
+ /* Lower lock held */
+--
+2.33.0
+
--- /dev/null
+From 93a8c78358113572b1d291a956a294d27368fb6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Oct 2021 10:47:43 +0100
+Subject: bpftool: Avoid leaking the JSON writer prepared for program metadata
+
+From: Quentin Monnet <quentin@isovalent.com>
+
+[ Upstream commit e89ef634f81c9d90e1824ab183721f3b361472e6 ]
+
+Bpftool creates a new JSON object for writing program metadata in plain
+text mode, regardless of metadata being present or not. Then this writer
+is freed if any metadata has been found and printed, but it leaks
+otherwise. We cannot destroy the object unconditionally, because the
+destructor prints an undesirable line break. Instead, make sure the
+writer is created only after we have found program metadata to print.
+
+Found with valgrind.
+
+Fixes: aff52e685eb3 ("bpftool: Support dumping metadata")
+Signed-off-by: Quentin Monnet <quentin@isovalent.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20211022094743.11052-1-quentin@isovalent.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/bpftool/prog.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/tools/bpf/bpftool/prog.c b/tools/bpf/bpftool/prog.c
+index 14237ffb90bae..592536904dde2 100644
+--- a/tools/bpf/bpftool/prog.c
++++ b/tools/bpf/bpftool/prog.c
+@@ -304,18 +304,12 @@ static void show_prog_metadata(int fd, __u32 num_maps)
+ if (printed_header)
+ jsonw_end_object(json_wtr);
+ } else {
+- json_writer_t *btf_wtr = jsonw_new(stdout);
++ json_writer_t *btf_wtr;
+ struct btf_dumper d = {
+ .btf = btf,
+- .jw = btf_wtr,
+ .is_plain_text = true,
+ };
+
+- if (!btf_wtr) {
+- p_err("jsonw alloc failed");
+- goto out_free;
+- }
+-
+ for (i = 0; i < vlen; i++, vsi++) {
+ t_var = btf__type_by_id(btf, vsi->type);
+ name = btf__name_by_offset(btf, t_var->name_off);
+@@ -325,6 +319,14 @@ static void show_prog_metadata(int fd, __u32 num_maps)
+
+ if (!printed_header) {
+ printf("\tmetadata:");
++
++ btf_wtr = jsonw_new(stdout);
++ if (!btf_wtr) {
++ p_err("jsonw alloc failed");
++ goto out_free;
++ }
++ d.jw = btf_wtr,
++
+ printed_header = true;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From f1f2253e236cf8374837fa626a170dc475363223 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Sep 2021 18:06:33 +0200
+Subject: brcmfmac: Add DMI nvram filename quirk for Cyberbook T116 tablet
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 49c3eb3036e6359c5c20fe76c611a2c0e0d4710e ]
+
+The Cyberbook T116 tablet contains quite generic names in the sys_vendor
+and product_name DMI strings, without this patch brcmfmac will try to load:
+"brcmfmac43455-sdio.Default string-Default string.txt" as nvram file which
+is way too generic.
+
+The nvram file shipped on the factory Android image contains the exact
+same settings as those used on the AcePC T8 mini PC, so point the new
+DMI nvram filename quirk to the acepc-t8 nvram file.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210928160633.96928-1-hdegoede@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
+index 6d5188b78f2de..0af452dca7664 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
+@@ -75,6 +75,16 @@ static const struct dmi_system_id dmi_platform_data[] = {
+ },
+ .driver_data = (void *)&acepc_t8_data,
+ },
++ {
++ /* Cyberbook T116 rugged tablet */
++ .matches = {
++ DMI_EXACT_MATCH(DMI_BOARD_VENDOR, "Default string"),
++ DMI_EXACT_MATCH(DMI_BOARD_NAME, "Cherry Trail CR"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_SKU, "20170531"),
++ },
++ /* The factory image nvram file is identical to the ACEPC T8 one */
++ .driver_data = (void *)&acepc_t8_data,
++ },
+ {
+ /* Match for the GPDwin which unfortunately uses somewhat
+ * generic dmi strings, which is why we test for 4 strings.
+--
+2.33.0
+
--- /dev/null
+From 66f3f7a6b6dd6cc39a7b9e7de0cf7cb17c688826 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jul 2021 17:01:14 -0400
+Subject: btrfs: do not take the uuid_mutex in btrfs_rm_device
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit 8ef9dc0f14ba6124c62547a4fdc59b163d8b864e ]
+
+We got the following lockdep splat while running fstests (specifically
+btrfs/003 and btrfs/020 in a row) with the new rc. This was uncovered
+by 87579e9b7d8d ("loop: use worker per cgroup instead of kworker") which
+converted loop to using workqueues, which comes with lockdep
+annotations that don't exist with kworkers. The lockdep splat is as
+follows:
+
+ WARNING: possible circular locking dependency detected
+ 5.14.0-rc2-custom+ #34 Not tainted
+ ------------------------------------------------------
+ losetup/156417 is trying to acquire lock:
+ ffff9c7645b02d38 ((wq_completion)loop0){+.+.}-{0:0}, at: flush_workqueue+0x84/0x600
+
+ but task is already holding lock:
+ ffff9c7647395468 (&lo->lo_mutex){+.+.}-{3:3}, at: __loop_clr_fd+0x41/0x650 [loop]
+
+ which lock already depends on the new lock.
+
+ the existing dependency chain (in reverse order) is:
+
+ -> #5 (&lo->lo_mutex){+.+.}-{3:3}:
+ __mutex_lock+0xba/0x7c0
+ lo_open+0x28/0x60 [loop]
+ blkdev_get_whole+0x28/0xf0
+ blkdev_get_by_dev.part.0+0x168/0x3c0
+ blkdev_open+0xd2/0xe0
+ do_dentry_open+0x163/0x3a0
+ path_openat+0x74d/0xa40
+ do_filp_open+0x9c/0x140
+ do_sys_openat2+0xb1/0x170
+ __x64_sys_openat+0x54/0x90
+ do_syscall_64+0x3b/0x90
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+ -> #4 (&disk->open_mutex){+.+.}-{3:3}:
+ __mutex_lock+0xba/0x7c0
+ blkdev_get_by_dev.part.0+0xd1/0x3c0
+ blkdev_get_by_path+0xc0/0xd0
+ btrfs_scan_one_device+0x52/0x1f0 [btrfs]
+ btrfs_control_ioctl+0xac/0x170 [btrfs]
+ __x64_sys_ioctl+0x83/0xb0
+ do_syscall_64+0x3b/0x90
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+ -> #3 (uuid_mutex){+.+.}-{3:3}:
+ __mutex_lock+0xba/0x7c0
+ btrfs_rm_device+0x48/0x6a0 [btrfs]
+ btrfs_ioctl+0x2d1c/0x3110 [btrfs]
+ __x64_sys_ioctl+0x83/0xb0
+ do_syscall_64+0x3b/0x90
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+ -> #2 (sb_writers#11){.+.+}-{0:0}:
+ lo_write_bvec+0x112/0x290 [loop]
+ loop_process_work+0x25f/0xcb0 [loop]
+ process_one_work+0x28f/0x5d0
+ worker_thread+0x55/0x3c0
+ kthread+0x140/0x170
+ ret_from_fork+0x22/0x30
+
+ -> #1 ((work_completion)(&lo->rootcg_work)){+.+.}-{0:0}:
+ process_one_work+0x266/0x5d0
+ worker_thread+0x55/0x3c0
+ kthread+0x140/0x170
+ ret_from_fork+0x22/0x30
+
+ -> #0 ((wq_completion)loop0){+.+.}-{0:0}:
+ __lock_acquire+0x1130/0x1dc0
+ lock_acquire+0xf5/0x320
+ flush_workqueue+0xae/0x600
+ drain_workqueue+0xa0/0x110
+ destroy_workqueue+0x36/0x250
+ __loop_clr_fd+0x9a/0x650 [loop]
+ lo_ioctl+0x29d/0x780 [loop]
+ block_ioctl+0x3f/0x50
+ __x64_sys_ioctl+0x83/0xb0
+ do_syscall_64+0x3b/0x90
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+ other info that might help us debug this:
+ Chain exists of:
+ (wq_completion)loop0 --> &disk->open_mutex --> &lo->lo_mutex
+ Possible unsafe locking scenario:
+ CPU0 CPU1
+ ---- ----
+ lock(&lo->lo_mutex);
+ lock(&disk->open_mutex);
+ lock(&lo->lo_mutex);
+ lock((wq_completion)loop0);
+
+ *** DEADLOCK ***
+ 1 lock held by losetup/156417:
+ #0: ffff9c7647395468 (&lo->lo_mutex){+.+.}-{3:3}, at: __loop_clr_fd+0x41/0x650 [loop]
+
+ stack backtrace:
+ CPU: 8 PID: 156417 Comm: losetup Not tainted 5.14.0-rc2-custom+ #34
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
+ Call Trace:
+ dump_stack_lvl+0x57/0x72
+ check_noncircular+0x10a/0x120
+ __lock_acquire+0x1130/0x1dc0
+ lock_acquire+0xf5/0x320
+ ? flush_workqueue+0x84/0x600
+ flush_workqueue+0xae/0x600
+ ? flush_workqueue+0x84/0x600
+ drain_workqueue+0xa0/0x110
+ destroy_workqueue+0x36/0x250
+ __loop_clr_fd+0x9a/0x650 [loop]
+ lo_ioctl+0x29d/0x780 [loop]
+ ? __lock_acquire+0x3a0/0x1dc0
+ ? update_dl_rq_load_avg+0x152/0x360
+ ? lock_is_held_type+0xa5/0x120
+ ? find_held_lock.constprop.0+0x2b/0x80
+ block_ioctl+0x3f/0x50
+ __x64_sys_ioctl+0x83/0xb0
+ do_syscall_64+0x3b/0x90
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+ RIP: 0033:0x7f645884de6b
+
+Usually the uuid_mutex exists to protect the fs_devices that map
+together all of the devices that match a specific uuid. In rm_device
+we're messing with the uuid of a device, so it makes sense to protect
+that here.
+
+However in doing that it pulls in a whole host of lockdep dependencies,
+as we call mnt_may_write() on the sb before we grab the uuid_mutex, thus
+we end up with the dependency chain under the uuid_mutex being added
+under the normal sb write dependency chain, which causes problems with
+loop devices.
+
+We don't need the uuid mutex here however. If we call
+btrfs_scan_one_device() before we scratch the super block we will find
+the fs_devices and not find the device itself and return EBUSY because
+the fs_devices is open. If we call it after the scratch happens it will
+not appear to be a valid btrfs file system.
+
+We do not need to worry about other fs_devices modifying operations here
+because we're protected by the exclusive operations locking.
+
+So drop the uuid_mutex here in order to fix the lockdep splat.
+
+A more detailed explanation from the discussion:
+
+We are worried about rm and scan racing with each other, before this
+change we'll zero the device out under the UUID mutex so when scan does
+run it'll make sure that it can go through the whole device scan thing
+without rm messing with us.
+
+We aren't worried if the scratch happens first, because the result is we
+don't think this is a btrfs device and we bail out.
+
+The only case we are concerned with is we scratch _after_ scan is able
+to read the superblock and gets a seemingly valid super block, so lets
+consider this case.
+
+Scan will call device_list_add() with the device we're removing. We'll
+call find_fsid_with_metadata_uuid() and get our fs_devices for this
+UUID. At this point we lock the fs_devices->device_list_mutex. This is
+what protects us in this case, but we have two cases here.
+
+1. We aren't to the device removal part of the RM. We found our device,
+ and device name matches our path, we go down and we set total_devices
+ to our super number of devices, which doesn't affect anything because
+ we haven't done the remove yet.
+
+2. We are past the device removal part, which is protected by the
+ device_list_mutex. Scan doesn't find the device, it goes down and
+ does the
+
+ if (fs_devices->opened)
+ return -EBUSY;
+
+ check and we bail out.
+
+Nothing about this situation is ideal, but the lockdep splat is real,
+and the fix is safe, tho admittedly a bit scary looking.
+
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+[ copy more from the discussion ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/volumes.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
+index 8946355dfe448..d9e582e40b5b7 100644
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -2069,8 +2069,11 @@ int btrfs_rm_device(struct btrfs_fs_info *fs_info, const char *device_path,
+ u64 num_devices;
+ int ret = 0;
+
+- mutex_lock(&uuid_mutex);
+-
++ /*
++ * The device list in fs_devices is accessed without locks (neither
++ * uuid_mutex nor device_list_mutex) as it won't change on a mounted
++ * filesystem and another device rm cannot run.
++ */
+ num_devices = btrfs_num_devices(fs_info);
+
+ ret = btrfs_check_raid_min_devices(fs_info, num_devices - 1);
+@@ -2114,11 +2117,9 @@ int btrfs_rm_device(struct btrfs_fs_info *fs_info, const char *device_path,
+ mutex_unlock(&fs_info->chunk_mutex);
+ }
+
+- mutex_unlock(&uuid_mutex);
+ ret = btrfs_shrink_device(device, 0);
+ if (!ret)
+ btrfs_reada_remove_dev(device);
+- mutex_lock(&uuid_mutex);
+ if (ret)
+ goto error_undo;
+
+@@ -2194,7 +2195,6 @@ int btrfs_rm_device(struct btrfs_fs_info *fs_info, const char *device_path,
+ }
+
+ out:
+- mutex_unlock(&uuid_mutex);
+ return ret;
+
+ error_undo:
+--
+2.33.0
+
--- /dev/null
+From 241438392e60b69e53ff1f2c47295f47850cf58f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Aug 2021 14:44:36 +0000
+Subject: btrfs: reflink: initialize return value to 0 in btrfs_extent_same()
+
+From: Sidong Yang <realwakka@gmail.com>
+
+[ Upstream commit 44bee215f72f13874c0e734a0712c2e3264c0108 ]
+
+Fix a warning reported by smatch that ret could be returned without
+initialized. The dedupe operations are supposed to to return 0 for a 0
+length range but the caller does not pass olen == 0. To keep this
+behaviour and also fix the warning initialize ret to 0.
+
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Sidong Yang <realwakka@gmail.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/reflink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/reflink.c b/fs/btrfs/reflink.c
+index 96ef9fed9a656..3a3102bc15a05 100644
+--- a/fs/btrfs/reflink.c
++++ b/fs/btrfs/reflink.c
+@@ -634,7 +634,7 @@ static int btrfs_extent_same_range(struct inode *src, u64 loff, u64 len,
+ static int btrfs_extent_same(struct inode *src, u64 loff, u64 olen,
+ struct inode *dst, u64 dst_loff)
+ {
+- int ret;
++ int ret = 0;
+ u64 i, tail_len, chunk_count;
+ struct btrfs_root *root_dst = BTRFS_I(dst)->root;
+
+--
+2.33.0
+
--- /dev/null
+From 46944ab0b079958e42b2f5ec214e087c2a36faf8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Sep 2021 15:22:00 +0800
+Subject: btrfs: subpage: make btrfs_submit_compressed_write() compatible
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit bbbff01a47bfe1b7733c5ccac6a78ff6d7a8954f ]
+
+There is a WARN_ON() checking if @start is aligned to PAGE_SIZE, not
+sectorsize, which will cause false alert for subpage. Fix it to check
+against sectorsize.
+
+Furthermore:
+
+- Use ASSERT() to do the check
+ So that in the future we may skip the check for production build
+
+- Also check alignment for @len
+
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/compression.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/compression.c b/fs/btrfs/compression.c
+index 646416b5940e9..d3d119676a8c5 100644
+--- a/fs/btrfs/compression.c
++++ b/fs/btrfs/compression.c
+@@ -391,7 +391,8 @@ blk_status_t btrfs_submit_compressed_write(struct btrfs_inode *inode, u64 start,
+ blk_status_t ret;
+ int skip_sum = inode->flags & BTRFS_INODE_NODATASUM;
+
+- WARN_ON(!PAGE_ALIGNED(start));
++ ASSERT(IS_ALIGNED(start, fs_info->sectorsize) &&
++ IS_ALIGNED(len, fs_info->sectorsize));
+ cb = kmalloc(compressed_bio_size(fs_info, compressed_len), GFP_NOFS);
+ if (!cb)
+ return BLK_STS_RESOURCE;
+--
+2.33.0
+
--- /dev/null
+From 5242274939ce1b0f61b5c393ac9ceb5cd67ec984 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Sep 2021 12:42:25 +0300
+Subject: bus: ti-sysc: Fix timekeeping_suspended warning on resume
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit b3e9431854e8f305385d5de225441c0477b936cb ]
+
+On resume we can get a warning at kernel/time/timekeeping.c:824 for
+timekeeping_suspended.
+
+Let's fix this by adding separate functions for sysc_poll_reset_sysstatus()
+and sysc_poll_reset_sysconfig() and have the new functions handle also
+timekeeping_suspended.
+
+If iopoll at some point supports timekeeping_suspended, we can just drop
+the custom handling from these functions.
+
+Fixes: d46f9fbec719 ("bus: ti-sysc: Use optional clocks on for enable and wait for softreset bit")
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bus/ti-sysc.c | 65 +++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 53 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/bus/ti-sysc.c b/drivers/bus/ti-sysc.c
+index 02341fd66e8d2..2ff437e5c7051 100644
+--- a/drivers/bus/ti-sysc.c
++++ b/drivers/bus/ti-sysc.c
+@@ -17,6 +17,7 @@
+ #include <linux/of_platform.h>
+ #include <linux/slab.h>
+ #include <linux/sys_soc.h>
++#include <linux/timekeeping.h>
+ #include <linux/iopoll.h>
+
+ #include <linux/platform_data/ti-sysc.h>
+@@ -223,37 +224,77 @@ static u32 sysc_read_sysstatus(struct sysc *ddata)
+ return sysc_read(ddata, offset);
+ }
+
+-/* Poll on reset status */
+-static int sysc_wait_softreset(struct sysc *ddata)
++static int sysc_poll_reset_sysstatus(struct sysc *ddata)
+ {
+- u32 sysc_mask, syss_done, rstval;
+- int syss_offset, error = 0;
+-
+- if (ddata->cap->regbits->srst_shift < 0)
+- return 0;
+-
+- syss_offset = ddata->offsets[SYSC_SYSSTATUS];
+- sysc_mask = BIT(ddata->cap->regbits->srst_shift);
++ int error, retries;
++ u32 syss_done, rstval;
+
+ if (ddata->cfg.quirks & SYSS_QUIRK_RESETDONE_INVERTED)
+ syss_done = 0;
+ else
+ syss_done = ddata->cfg.syss_mask;
+
+- if (syss_offset >= 0) {
++ if (likely(!timekeeping_suspended)) {
+ error = readx_poll_timeout_atomic(sysc_read_sysstatus, ddata,
+ rstval, (rstval & ddata->cfg.syss_mask) ==
+ syss_done, 100, MAX_MODULE_SOFTRESET_WAIT);
++ } else {
++ retries = MAX_MODULE_SOFTRESET_WAIT;
++ while (retries--) {
++ rstval = sysc_read_sysstatus(ddata);
++ if ((rstval & ddata->cfg.syss_mask) == syss_done)
++ return 0;
++ udelay(2); /* Account for udelay flakeyness */
++ }
++ error = -ETIMEDOUT;
++ }
+
+- } else if (ddata->cfg.quirks & SYSC_QUIRK_RESET_STATUS) {
++ return error;
++}
++
++static int sysc_poll_reset_sysconfig(struct sysc *ddata)
++{
++ int error, retries;
++ u32 sysc_mask, rstval;
++
++ sysc_mask = BIT(ddata->cap->regbits->srst_shift);
++
++ if (likely(!timekeeping_suspended)) {
+ error = readx_poll_timeout_atomic(sysc_read_sysconfig, ddata,
+ rstval, !(rstval & sysc_mask),
+ 100, MAX_MODULE_SOFTRESET_WAIT);
++ } else {
++ retries = MAX_MODULE_SOFTRESET_WAIT;
++ while (retries--) {
++ rstval = sysc_read_sysconfig(ddata);
++ if (!(rstval & sysc_mask))
++ return 0;
++ udelay(2); /* Account for udelay flakeyness */
++ }
++ error = -ETIMEDOUT;
+ }
+
+ return error;
+ }
+
++/* Poll on reset status */
++static int sysc_wait_softreset(struct sysc *ddata)
++{
++ int syss_offset, error = 0;
++
++ if (ddata->cap->regbits->srst_shift < 0)
++ return 0;
++
++ syss_offset = ddata->offsets[SYSC_SYSSTATUS];
++
++ if (syss_offset >= 0)
++ error = sysc_poll_reset_sysstatus(ddata);
++ else if (ddata->cfg.quirks & SYSC_QUIRK_RESET_STATUS)
++ error = sysc_poll_reset_sysconfig(ddata);
++
++ return error;
++}
++
+ static int sysc_add_named_clock_from_child(struct sysc *ddata,
+ const char *name,
+ const char *optfck_name)
+--
+2.33.0
+
--- /dev/null
+From 4f4c1209663ae38f90f4e5c8a820def80698c6d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Oct 2021 17:00:04 +0200
+Subject: can: mcp251xfd: mcp251xfd_chip_start(): fix error handling for
+ mcp251xfd_chip_rx_int_enable()
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+[ Upstream commit 69c55f6e7669d46bb40e41f6e2b218428178368a ]
+
+This patch fixes the error handling for mcp251xfd_chip_rx_int_enable().
+Instead just returning the error, properly shut down the chip.
+
+Link: https://lore.kernel.org/all/20211106201526.44292-2-mkl@pengutronix.de
+Fixes: 55e5b97f003e ("can: mcp25xxfd: add driver for Microchip MCP25xxFD SPI CAN")
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
+index 68ff931993c25..4e13f6dfb91a2 100644
+--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
+@@ -1041,7 +1041,7 @@ static int mcp251xfd_chip_start(struct mcp251xfd_priv *priv)
+
+ err = mcp251xfd_chip_rx_int_enable(priv);
+ if (err)
+- return err;
++ goto out_chip_stop;
+
+ err = mcp251xfd_chip_ecc_init(priv);
+ if (err)
+--
+2.33.0
+
--- /dev/null
+From e58000155c07fd13e3b815fc2ece2e452b0e6f83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Oct 2021 15:15:27 -0700
+Subject: cgroup: Fix rootcg cpu.stat guest double counting
+
+From: Dan Schatzberg <schatzberg.dan@gmail.com>
+
+[ Upstream commit 81c49d39aea8a10e6d05d3aa1cb65ceb721e19b0 ]
+
+In account_guest_time in kernel/sched/cputime.c guest time is
+attributed to both CPUTIME_NICE and CPUTIME_USER in addition to
+CPUTIME_GUEST_NICE and CPUTIME_GUEST respectively. Therefore, adding
+both to calculate usage results in double counting any guest time at
+the rootcg.
+
+Fixes: 936f2a70f207 ("cgroup: add cpu.stat file to root cgroup")
+Signed-off-by: Dan Schatzberg <schatzberg.dan@gmail.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/cgroup/rstat.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/kernel/cgroup/rstat.c b/kernel/cgroup/rstat.c
+index d51175cedfca4..89ca9b61aa0d9 100644
+--- a/kernel/cgroup/rstat.c
++++ b/kernel/cgroup/rstat.c
+@@ -421,8 +421,6 @@ static void root_cgroup_cputime(struct task_cputime *cputime)
+ cputime->sum_exec_runtime += user;
+ cputime->sum_exec_runtime += sys;
+ cputime->sum_exec_runtime += cpustat[CPUTIME_STEAL];
+- cputime->sum_exec_runtime += cpustat[CPUTIME_GUEST];
+- cputime->sum_exec_runtime += cpustat[CPUTIME_GUEST_NICE];
+ }
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 48ae12695f623f2d46dae49bdc7df390bbea1256 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Sep 2021 18:53:08 -0400
+Subject: cgroup: Make rebind_subsystems() disable v2 controllers all at once
+
+From: Waiman Long <longman@redhat.com>
+
+[ Upstream commit 7ee285395b211cad474b2b989db52666e0430daf ]
+
+It was found that the following warning was displayed when remounting
+controllers from cgroup v2 to v1:
+
+[ 8042.997778] WARNING: CPU: 88 PID: 80682 at kernel/cgroup/cgroup.c:3130 cgroup_apply_control_disable+0x158/0x190
+ :
+[ 8043.091109] RIP: 0010:cgroup_apply_control_disable+0x158/0x190
+[ 8043.096946] Code: ff f6 45 54 01 74 39 48 8d 7d 10 48 c7 c6 e0 46 5a a4 e8 7b 67 33 00 e9 41 ff ff ff 49 8b 84 24 e8 01 00 00 0f b7 40 08 eb 95 <0f> 0b e9 5f ff ff ff 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3
+[ 8043.115692] RSP: 0018:ffffba8a47c23d28 EFLAGS: 00010202
+[ 8043.120916] RAX: 0000000000000036 RBX: ffffffffa624ce40 RCX: 000000000000181a
+[ 8043.128047] RDX: ffffffffa63c43e0 RSI: ffffffffa63c43e0 RDI: ffff9d7284ee1000
+[ 8043.135180] RBP: ffff9d72874c5800 R08: ffffffffa624b090 R09: 0000000000000004
+[ 8043.142314] R10: ffffffffa624b080 R11: 0000000000002000 R12: ffff9d7284ee1000
+[ 8043.149447] R13: ffff9d7284ee1000 R14: ffffffffa624ce70 R15: ffffffffa6269e20
+[ 8043.156576] FS: 00007f7747cff740(0000) GS:ffff9d7a5fc00000(0000) knlGS:0000000000000000
+[ 8043.164663] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 8043.170409] CR2: 00007f7747e96680 CR3: 0000000887d60001 CR4: 00000000007706e0
+[ 8043.177539] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 8043.184673] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 8043.191804] PKRU: 55555554
+[ 8043.194517] Call Trace:
+[ 8043.196970] rebind_subsystems+0x18c/0x470
+[ 8043.201070] cgroup_setup_root+0x16c/0x2f0
+[ 8043.205177] cgroup1_root_to_use+0x204/0x2a0
+[ 8043.209456] cgroup1_get_tree+0x3e/0x120
+[ 8043.213384] vfs_get_tree+0x22/0xb0
+[ 8043.216883] do_new_mount+0x176/0x2d0
+[ 8043.220550] __x64_sys_mount+0x103/0x140
+[ 8043.224474] do_syscall_64+0x38/0x90
+[ 8043.228063] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+It was caused by the fact that rebind_subsystem() disables
+controllers to be rebound one by one. If more than one disabled
+controllers are originally from the default hierarchy, it means that
+cgroup_apply_control_disable() will be called multiple times for the
+same default hierarchy. A controller may be killed by css_kill() in
+the first round. In the second round, the killed controller may not be
+completely dead yet leading to the warning.
+
+To avoid this problem, we collect all the ssid's of controllers that
+needed to be disabled from the default hierarchy and then disable them
+in one go instead of one by one.
+
+Fixes: 334c3679ec4b ("cgroup: reimplement rebind_subsystems() using cgroup_apply_control() and friends")
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/cgroup/cgroup.c | 31 +++++++++++++++++++++++++++----
+ 1 file changed, 27 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
+index 60d38e2f69dd8..a86857edaa571 100644
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -1711,6 +1711,7 @@ int rebind_subsystems(struct cgroup_root *dst_root, u16 ss_mask)
+ struct cgroup *dcgrp = &dst_root->cgrp;
+ struct cgroup_subsys *ss;
+ int ssid, i, ret;
++ u16 dfl_disable_ss_mask = 0;
+
+ lockdep_assert_held(&cgroup_mutex);
+
+@@ -1727,8 +1728,28 @@ int rebind_subsystems(struct cgroup_root *dst_root, u16 ss_mask)
+ /* can't move between two non-dummy roots either */
+ if (ss->root != &cgrp_dfl_root && dst_root != &cgrp_dfl_root)
+ return -EBUSY;
++
++ /*
++ * Collect ssid's that need to be disabled from default
++ * hierarchy.
++ */
++ if (ss->root == &cgrp_dfl_root)
++ dfl_disable_ss_mask |= 1 << ssid;
++
+ } while_each_subsys_mask();
+
++ if (dfl_disable_ss_mask) {
++ struct cgroup *scgrp = &cgrp_dfl_root.cgrp;
++
++ /*
++ * Controllers from default hierarchy that need to be rebound
++ * are all disabled together in one go.
++ */
++ cgrp_dfl_root.subsys_mask &= ~dfl_disable_ss_mask;
++ WARN_ON(cgroup_apply_control(scgrp));
++ cgroup_finalize_control(scgrp, 0);
++ }
++
+ do_each_subsys_mask(ss, ssid, ss_mask) {
+ struct cgroup_root *src_root = ss->root;
+ struct cgroup *scgrp = &src_root->cgrp;
+@@ -1737,10 +1758,12 @@ int rebind_subsystems(struct cgroup_root *dst_root, u16 ss_mask)
+
+ WARN_ON(!css || cgroup_css(dcgrp, ss));
+
+- /* disable from the source */
+- src_root->subsys_mask &= ~(1 << ssid);
+- WARN_ON(cgroup_apply_control(scgrp));
+- cgroup_finalize_control(scgrp, 0);
++ if (src_root != &cgrp_dfl_root) {
++ /* disable from the source */
++ src_root->subsys_mask &= ~(1 << ssid);
++ WARN_ON(cgroup_apply_control(scgrp));
++ cgroup_finalize_control(scgrp, 0);
++ }
+
+ /* rebind */
+ RCU_INIT_POINTER(scgrp->subsys[ssid], NULL);
+--
+2.33.0
+
--- /dev/null
+From 71dc51aae419f6524af1070a4a85f1d7292ff6db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Sep 2021 10:26:33 +0200
+Subject: clk: at91: check pmc node status before registering syscore ops
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Clément Léger <clement.leger@bootlin.com>
+
+[ Upstream commit c405f5c15e9f6094f2fa1658e73e56f3058e2122 ]
+
+Currently, at91 pmc driver always register the syscore_ops whatever
+the status of the pmc node that has been found. When set as secure
+and disabled, the pmc should not be accessed or this will generate
+abort exceptions.
+To avoid this, add a check on node availability before registering
+the syscore operations.
+
+Signed-off-by: Clément Léger <clement.leger@bootlin.com>
+Link: https://lore.kernel.org/r/20210913082633.110168-1-clement.leger@bootlin.com
+Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Reviewed-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Fixes: b3b02eac33ed ("clk: at91: Add sama5d2 suspend/resume")
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/at91/pmc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/clk/at91/pmc.c b/drivers/clk/at91/pmc.c
+index 20ee9dccee787..b40035b011d0a 100644
+--- a/drivers/clk/at91/pmc.c
++++ b/drivers/clk/at91/pmc.c
+@@ -267,6 +267,11 @@ static int __init pmc_register_ops(void)
+ if (!np)
+ return -ENODEV;
+
++ if (!of_device_is_available(np)) {
++ of_node_put(np);
++ return -ENODEV;
++ }
++
+ pmcreg = device_node_to_regmap(np);
+ of_node_put(np);
+ if (IS_ERR(pmcreg))
+--
+2.33.0
+
--- /dev/null
+From fba5ddb2e07e6ca32732ab64c2c482ca2d724855 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Oct 2021 14:27:11 +0300
+Subject: clk: at91: sam9x60-pll: use DIV_ROUND_CLOSEST_ULL
+
+From: Claudiu Beznea <claudiu.beznea@microchip.com>
+
+[ Upstream commit f12d028b743bb6136da60b17228a1b6162886444 ]
+
+Use DIV_ROUND_CLOSEST_ULL() to avoid any inconsistency b/w the rate
+computed in sam9x60_frac_pll_recalc_rate() and the one computed in
+sam9x60_frac_pll_compute_mul_frac().
+
+Fixes: 43b1bb4a9b3e1 ("clk: at91: clk-sam9x60-pll: re-factor to support plls with multiple outputs")
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Link: https://lore.kernel.org/r/20211011112719.3951784-8-claudiu.beznea@microchip.com
+Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/at91/clk-sam9x60-pll.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/at91/clk-sam9x60-pll.c b/drivers/clk/at91/clk-sam9x60-pll.c
+index 78f458a7b2ef4..5a9daa3643a72 100644
+--- a/drivers/clk/at91/clk-sam9x60-pll.c
++++ b/drivers/clk/at91/clk-sam9x60-pll.c
+@@ -71,8 +71,8 @@ static unsigned long sam9x60_frac_pll_recalc_rate(struct clk_hw *hw,
+ struct sam9x60_pll_core *core = to_sam9x60_pll_core(hw);
+ struct sam9x60_frac *frac = to_sam9x60_frac(core);
+
+- return (parent_rate * (frac->mul + 1) +
+- ((u64)parent_rate * frac->frac >> 22));
++ return parent_rate * (frac->mul + 1) +
++ DIV_ROUND_CLOSEST_ULL((u64)parent_rate * frac->frac, (1 << 22));
+ }
+
+ static int sam9x60_frac_pll_prepare(struct clk_hw *hw)
+--
+2.33.0
+
--- /dev/null
+From e45b94990e71c37b77fec338f686bf627ac088c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Apr 2021 09:02:26 +0200
+Subject: clk: mvebu: ap-cpu-clk: Fix a memory leak in error handling paths
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit af9617b419f77cf0b99702a7b2b0519da0d27715 ]
+
+If we exit the for_each_of_cpu_node loop early, the reference on the
+current node must be decremented, otherwise there is a leak.
+
+Fixes: f756e362d938 ("clk: mvebu: add CPU clock driver for Armada 7K/8K")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/545df946044fc1fc05a4217cdf0054be7a79e49e.1619161112.git.christophe.jaillet@wanadoo.fr
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/mvebu/ap-cpu-clk.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/clk/mvebu/ap-cpu-clk.c b/drivers/clk/mvebu/ap-cpu-clk.c
+index b4259b60dcfd6..25de4b6da776f 100644
+--- a/drivers/clk/mvebu/ap-cpu-clk.c
++++ b/drivers/clk/mvebu/ap-cpu-clk.c
+@@ -256,12 +256,15 @@ static int ap_cpu_clock_probe(struct platform_device *pdev)
+ int cpu, err;
+
+ err = of_property_read_u32(dn, "reg", &cpu);
+- if (WARN_ON(err))
++ if (WARN_ON(err)) {
++ of_node_put(dn);
+ return err;
++ }
+
+ /* If cpu2 or cpu3 is enabled */
+ if (cpu & APN806_CLUSTER_NUM_MASK) {
+ nclusters = 2;
++ of_node_put(dn);
+ break;
+ }
+ }
+@@ -288,8 +291,10 @@ static int ap_cpu_clock_probe(struct platform_device *pdev)
+ int cpu, err;
+
+ err = of_property_read_u32(dn, "reg", &cpu);
+- if (WARN_ON(err))
++ if (WARN_ON(err)) {
++ of_node_put(dn);
+ return err;
++ }
+
+ cluster_index = cpu & APN806_CLUSTER_NUM_MASK;
+ cluster_index >>= APN806_CLUSTER_NUM_OFFSET;
+@@ -301,6 +306,7 @@ static int ap_cpu_clock_probe(struct platform_device *pdev)
+ parent = of_clk_get(np, cluster_index);
+ if (IS_ERR(parent)) {
+ dev_err(dev, "Could not get the clock parent\n");
++ of_node_put(dn);
+ return -EINVAL;
+ }
+ parent_name = __clk_get_name(parent);
+@@ -319,8 +325,10 @@ static int ap_cpu_clock_probe(struct platform_device *pdev)
+ init.parent_names = &parent_name;
+
+ ret = devm_clk_hw_register(dev, &ap_cpu_clk[cluster_index].hw);
+- if (ret)
++ if (ret) {
++ of_node_put(dn);
+ return ret;
++ }
+ ap_cpu_data->hws[cluster_index] = &ap_cpu_clk[cluster_index].hw;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 58265d945cf44236225bd0abb5595ce71edc6403 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Aug 2021 10:57:47 -0700
+Subject: clocksource/drivers/timer-ti-dm: Select TIMER_OF
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit eda9a4f7af6ee47e9e131f20e4f8a41a97379293 ]
+
+When building OMAP_DM_TIMER without TIMER_OF, there are orphan sections
+due to the use of TIMER_OF_DELCARE() without CONFIG_TIMER_OF. Select
+CONFIG_TIMER_OF when enaling OMAP_DM_TIMER:
+
+arm-linux-gnueabi-ld: warning: orphan section `__timer_of_table' from `drivers/clocksource/timer-ti-dm-systimer.o' being placed in section `__timer_of_table'
+
+Reported-by: kernel test robot <lkp@intel.com>
+Link: https://lore.kernel.org/lkml/202108282255.tkdt4ani-lkp@intel.com/
+Cc: Tony Lindgren <tony@atomide.com>
+Cc: Daniel Lezcano <daniel.lezcano@linaro.org>
+Cc: Keerthy <j-keerthy@ti.com>
+Cc: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
+Cc: Ladislav Michl <ladis@linux-mips.org>
+Cc: Grygorii Strashko <grygorii.strashko@ti.com>
+Cc: linux-omap@vger.kernel.org
+Fixes: 52762fbd1c47 ("clocksource/drivers/timer-ti-dm: Add clockevent and clocksource support")
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Acked-by: Tony Lindgren <tony@atomide.com>
+Link: https://lore.kernel.org/r/20210828175747.3777891-1-keescook@chromium.org
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clocksource/Kconfig b/drivers/clocksource/Kconfig
+index 39f4d88662002..a0c6e88bebe08 100644
+--- a/drivers/clocksource/Kconfig
++++ b/drivers/clocksource/Kconfig
+@@ -24,6 +24,7 @@ config I8253_LOCK
+
+ config OMAP_DM_TIMER
+ bool
++ select TIMER_OF
+
+ config CLKBLD_I8253
+ def_bool y if CLKSRC_I8253 || CLKEVT_I8253 || I8253_LOCK
+--
+2.33.0
+
--- /dev/null
+From 182ceb5f46e7e73b53e1111b94747dcb2787e758 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Sep 2021 18:34:40 +0000
+Subject: cpuidle: Fix kobject memory leaks in error paths
+
+From: Anel Orazgaliyeva <anelkz@amazon.de>
+
+[ Upstream commit e5f5a66c9aa9c331da5527c2e3fd9394e7091e01 ]
+
+Commit c343bf1ba5ef ("cpuidle: Fix three reference count leaks")
+fixes the cleanup of kobjects; however, it removes kfree() calls
+altogether, leading to memory leaks.
+
+Fix those and also defer the initialization of dev->kobj_dev until
+after the error check, so that we do not end up with a dangling
+pointer.
+
+Fixes: c343bf1ba5ef ("cpuidle: Fix three reference count leaks")
+Signed-off-by: Anel Orazgaliyeva <anelkz@amazon.de>
+Suggested-by: Aman Priyadarshi <apeureka@amazon.de>
+[ rjw: Subject edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpuidle/sysfs.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/cpuidle/sysfs.c b/drivers/cpuidle/sysfs.c
+index 53ec9585ccd44..469e18547d06c 100644
+--- a/drivers/cpuidle/sysfs.c
++++ b/drivers/cpuidle/sysfs.c
+@@ -488,6 +488,7 @@ static int cpuidle_add_state_sysfs(struct cpuidle_device *device)
+ &kdev->kobj, "state%d", i);
+ if (ret) {
+ kobject_put(&kobj->kobj);
++ kfree(kobj);
+ goto error_state;
+ }
+ cpuidle_add_s2idle_attr_group(kobj);
+@@ -619,6 +620,7 @@ static int cpuidle_add_driver_sysfs(struct cpuidle_device *dev)
+ &kdev->kobj, "driver");
+ if (ret) {
+ kobject_put(&kdrv->kobj);
++ kfree(kdrv);
+ return ret;
+ }
+
+@@ -705,7 +707,6 @@ int cpuidle_add_sysfs(struct cpuidle_device *dev)
+ if (!kdev)
+ return -ENOMEM;
+ kdev->dev = dev;
+- dev->kobj_dev = kdev;
+
+ init_completion(&kdev->kobj_unregister);
+
+@@ -713,9 +714,11 @@ int cpuidle_add_sysfs(struct cpuidle_device *dev)
+ "cpuidle");
+ if (error) {
+ kobject_put(&kdev->kobj);
++ kfree(kdev);
+ return error;
+ }
+
++ dev->kobj_dev = kdev;
+ kobject_uevent(&kdev->kobj, KOBJ_ADD);
+
+ return 0;
+--
+2.33.0
+
--- /dev/null
+From 0cd1a6545aff058446009c5c315b2dc0f008a5d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Sep 2021 00:03:07 +0200
+Subject: crypto: caam - disable pkc for non-E SoCs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michael Walle <michael@walle.cc>
+
+[ Upstream commit f20311cc9c58052e0b215013046cbf390937910c ]
+
+On newer CAAM versions, not all accelerators are disabled if the SoC is
+a non-E variant. While the driver checks most of the modules for
+availability, there is one - PKHA - which sticks out. On non-E variants
+it is still reported as available, that is the number of instances is
+non-zero, but it has limited functionality. In particular it doesn't
+support encryption and decryption, but just signing and verifying. This
+is indicated by a bit in the PKHA_MISC field. Take this bit into account
+if we are checking for availability.
+
+This will the following error:
+[ 8.167817] caam_jr 8020000.jr: 20000b0f: CCB: desc idx 11: : Invalid CHA selected.
+
+Tested on an NXP LS1028A (non-E) SoC.
+
+Fixes: d239b10d4ceb ("crypto: caam - add register map changes cf. Era 10")
+Signed-off-by: Michael Walle <michael@walle.cc>
+Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/caam/caampkc.c | 19 +++++++++++++++----
+ drivers/crypto/caam/regs.h | 3 +++
+ 2 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/crypto/caam/caampkc.c b/drivers/crypto/caam/caampkc.c
+index dd5f101e43f83..3acc825da4cca 100644
+--- a/drivers/crypto/caam/caampkc.c
++++ b/drivers/crypto/caam/caampkc.c
+@@ -1152,16 +1152,27 @@ static struct caam_akcipher_alg caam_rsa = {
+ int caam_pkc_init(struct device *ctrldev)
+ {
+ struct caam_drv_private *priv = dev_get_drvdata(ctrldev);
+- u32 pk_inst;
++ u32 pk_inst, pkha;
+ int err;
+ init_done = false;
+
+ /* Determine public key hardware accelerator presence. */
+- if (priv->era < 10)
++ if (priv->era < 10) {
+ pk_inst = (rd_reg32(&priv->ctrl->perfmon.cha_num_ls) &
+ CHA_ID_LS_PK_MASK) >> CHA_ID_LS_PK_SHIFT;
+- else
+- pk_inst = rd_reg32(&priv->ctrl->vreg.pkha) & CHA_VER_NUM_MASK;
++ } else {
++ pkha = rd_reg32(&priv->ctrl->vreg.pkha);
++ pk_inst = pkha & CHA_VER_NUM_MASK;
++
++ /*
++ * Newer CAAMs support partially disabled functionality. If this is the
++ * case, the number is non-zero, but this bit is set to indicate that
++ * no encryption or decryption is supported. Only signing and verifying
++ * is supported.
++ */
++ if (pkha & CHA_VER_MISC_PKHA_NO_CRYPT)
++ pk_inst = 0;
++ }
+
+ /* Do not register algorithms if PKHA is not present. */
+ if (!pk_inst)
+diff --git a/drivers/crypto/caam/regs.h b/drivers/crypto/caam/regs.h
+index af61f3a2c0d46..3738625c02509 100644
+--- a/drivers/crypto/caam/regs.h
++++ b/drivers/crypto/caam/regs.h
+@@ -322,6 +322,9 @@ struct version_regs {
+ /* CHA Miscellaneous Information - AESA_MISC specific */
+ #define CHA_VER_MISC_AES_GCM BIT(1 + CHA_VER_MISC_SHIFT)
+
++/* CHA Miscellaneous Information - PKHA_MISC specific */
++#define CHA_VER_MISC_PKHA_NO_CRYPT BIT(7 + CHA_VER_MISC_SHIFT)
++
+ /*
+ * caam_perfmon - Performance Monitor/Secure Memory Status/
+ * CAAM Global Status/Component Version IDs
+--
+2.33.0
+
--- /dev/null
+From 820b0cb97f55eee2b06f638a521f63362add1331 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Sep 2021 12:05:35 +0200
+Subject: crypto: ecc - fix CRYPTO_DEFAULT_RNG dependency
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 38aa192a05f22f9778f9420e630f0322525ef12e ]
+
+The ecc.c file started out as part of the ECDH algorithm but got
+moved out into a standalone module later. It does not build without
+CRYPTO_DEFAULT_RNG, so now that other modules are using it as well we
+can run into this link error:
+
+aarch64-linux-ld: ecc.c:(.text+0xfc8): undefined reference to `crypto_default_rng'
+aarch64-linux-ld: ecc.c:(.text+0xff4): undefined reference to `crypto_put_default_rng'
+
+Move the 'select CRYPTO_DEFAULT_RNG' statement into the correct symbol.
+
+Fixes: 0d7a78643f69 ("crypto: ecrdsa - add EC-RDSA (GOST 34.10) algorithm")
+Fixes: 4e6602916bc6 ("crypto: ecdsa - Add support for ECDSA signature verification")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/Kconfig b/crypto/Kconfig
+index 774adc9846fa8..1157f82dc9cf4 100644
+--- a/crypto/Kconfig
++++ b/crypto/Kconfig
+@@ -238,12 +238,12 @@ config CRYPTO_DH
+
+ config CRYPTO_ECC
+ tristate
++ select CRYPTO_RNG_DEFAULT
+
+ config CRYPTO_ECDH
+ tristate "ECDH algorithm"
+ select CRYPTO_ECC
+ select CRYPTO_KPP
+- select CRYPTO_RNG_DEFAULT
+ help
+ Generic implementation of the ECDH algorithm
+
+--
+2.33.0
+
--- /dev/null
+From 83903cf6aa358b35972ea05e5d4872d814582f4f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Oct 2021 14:30:28 -0400
+Subject: crypto: pcrypt - Delay write to padata->info
+
+From: Daniel Jordan <daniel.m.jordan@oracle.com>
+
+[ Upstream commit 68b6dea802cea0dbdd8bd7ccc60716b5a32a5d8a ]
+
+These three events can race when pcrypt is used multiple times in a
+template ("pcrypt(pcrypt(...))"):
+
+ 1. [taskA] The caller makes the crypto request via crypto_aead_encrypt()
+ 2. [kworkerB] padata serializes the inner pcrypt request
+ 3. [kworkerC] padata serializes the outer pcrypt request
+
+3 might finish before the call to crypto_aead_encrypt() returns in 1,
+resulting in two possible issues.
+
+First, a use-after-free of the crypto request's memory when, for
+example, taskA writes to the outer pcrypt request's padata->info in
+pcrypt_aead_enc() after kworkerC completes the request.
+
+Second, the outer pcrypt request overwrites the inner pcrypt request's
+return code with -EINPROGRESS, making a successful request appear to
+fail. For instance, kworkerB writes the outer pcrypt request's
+padata->info in pcrypt_aead_done() and then taskA overwrites it
+in pcrypt_aead_enc().
+
+Avoid both situations by delaying the write of padata->info until after
+the inner crypto request's return code is checked. This prevents the
+use-after-free by not touching the crypto request's memory after the
+next-inner crypto request is made, and stops padata->info from being
+overwritten.
+
+Fixes: 5068c7a883d16 ("crypto: pcrypt - Add pcrypt crypto parallelization wrapper")
+Reported-by: syzbot+b187b77c8474f9648fae@syzkaller.appspotmail.com
+Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/pcrypt.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/pcrypt.c b/crypto/pcrypt.c
+index d569c7ed6c800..9d10b846ccf73 100644
+--- a/crypto/pcrypt.c
++++ b/crypto/pcrypt.c
+@@ -78,12 +78,14 @@ static void pcrypt_aead_enc(struct padata_priv *padata)
+ {
+ struct pcrypt_request *preq = pcrypt_padata_request(padata);
+ struct aead_request *req = pcrypt_request_ctx(preq);
++ int ret;
+
+- padata->info = crypto_aead_encrypt(req);
++ ret = crypto_aead_encrypt(req);
+
+- if (padata->info == -EINPROGRESS)
++ if (ret == -EINPROGRESS)
+ return;
+
++ padata->info = ret;
+ padata_do_serial(padata);
+ }
+
+@@ -123,12 +125,14 @@ static void pcrypt_aead_dec(struct padata_priv *padata)
+ {
+ struct pcrypt_request *preq = pcrypt_padata_request(padata);
+ struct aead_request *req = pcrypt_request_ctx(preq);
++ int ret;
+
+- padata->info = crypto_aead_decrypt(req);
++ ret = crypto_aead_decrypt(req);
+
+- if (padata->info == -EINPROGRESS)
++ if (ret == -EINPROGRESS)
+ return;
+
++ padata->info = ret;
+ padata_do_serial(padata);
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 6e3f0e716b0c838390e1032ca41e53400893dc60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Sep 2021 12:44:29 +0100
+Subject: crypto: qat - detect PFVF collision after ACK
+
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+
+[ Upstream commit 9b768e8a3909ac1ab39ed44a3933716da7761a6f ]
+
+Detect a PFVF collision between the local and the remote function by
+checking if the message on the PFVF CSR has been overwritten.
+This is done after the remote function confirms that the message has
+been received, by clearing the interrupt bit, or the maximum number of
+attempts (ADF_IOV_MSG_ACK_MAX_RETRY) to check the CSR has been exceeded.
+
+Fixes: ed8ccaef52fa ("crypto: qat - Add support for SRIOV")
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Co-developed-by: Marco Chiappero <marco.chiappero@intel.com>
+Signed-off-by: Marco Chiappero <marco.chiappero@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_common/adf_pf2vf_msg.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c
+index e829c6aaf16fd..a5bd77d0f0487 100644
+--- a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c
++++ b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c
+@@ -150,6 +150,13 @@ static int __adf_iov_putmsg(struct adf_accel_dev *accel_dev, u32 msg, u8 vf_nr)
+ val = ADF_CSR_RD(pmisc_bar_addr, pf2vf_offset);
+ } while ((val & int_bit) && (count++ < ADF_IOV_MSG_ACK_MAX_RETRY));
+
++ if (val != msg) {
++ dev_dbg(&GET_DEV(accel_dev),
++ "Collision - PFVF CSR overwritten by remote function\n");
++ ret = -EIO;
++ goto out;
++ }
++
+ if (val & int_bit) {
+ dev_dbg(&GET_DEV(accel_dev), "ACK not received from remote\n");
+ val &= ~int_bit;
+--
+2.33.0
+
--- /dev/null
+From 1a75620bd32afe3e5e7fadb9a86d142694b6aa5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Sep 2021 12:44:30 +0100
+Subject: crypto: qat - disregard spurious PFVF interrupts
+
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+
+[ Upstream commit 18fcba469ba5359c1de7e3fb16f7b9e8cd1b8e02 ]
+
+Upon receiving a PFVF message, check if the interrupt bit is set in the
+message. If it is not, that means that the interrupt was probably
+triggered by a collision. In this case, disregard the message and
+re-enable the interrupts.
+
+Fixes: ed8ccaef52fa ("crypto: qat - Add support for SRIOV")
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Reviewed-by: Marco Chiappero <marco.chiappero@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_common/adf_pf2vf_msg.c | 6 ++++++
+ drivers/crypto/qat/qat_common/adf_vf_isr.c | 6 ++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c
+index a5bd77d0f0487..d7ca222f0df18 100644
+--- a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c
++++ b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c
+@@ -205,6 +205,11 @@ void adf_vf2pf_req_hndl(struct adf_accel_vf_info *vf_info)
+
+ /* Read message from the VF */
+ msg = ADF_CSR_RD(pmisc_addr, hw_data->get_pf2vf_offset(vf_nr));
++ if (!(msg & ADF_VF2PF_INT)) {
++ dev_info(&GET_DEV(accel_dev),
++ "Spurious VF2PF interrupt, msg %X. Ignored\n", msg);
++ goto out;
++ }
+
+ /* To ACK, clear the VF2PFINT bit */
+ msg &= ~ADF_VF2PF_INT;
+@@ -288,6 +293,7 @@ void adf_vf2pf_req_hndl(struct adf_accel_vf_info *vf_info)
+ if (resp && adf_iov_putmsg(accel_dev, resp, vf_nr))
+ dev_err(&GET_DEV(accel_dev), "Failed to send response to VF\n");
+
++out:
+ /* re-enable interrupt on PF from this VF */
+ adf_enable_vf2pf_interrupts(accel_dev, (1 << vf_nr));
+ return;
+diff --git a/drivers/crypto/qat/qat_common/adf_vf_isr.c b/drivers/crypto/qat/qat_common/adf_vf_isr.c
+index 024401ec9d1ae..fa1b3a94155cc 100644
+--- a/drivers/crypto/qat/qat_common/adf_vf_isr.c
++++ b/drivers/crypto/qat/qat_common/adf_vf_isr.c
+@@ -79,6 +79,11 @@ static void adf_pf2vf_bh_handler(void *data)
+
+ /* Read the message from PF */
+ msg = ADF_CSR_RD(pmisc_bar_addr, hw_data->get_pf2vf_offset(0));
++ if (!(msg & ADF_PF2VF_INT)) {
++ dev_info(&GET_DEV(accel_dev),
++ "Spurious PF2VF interrupt, msg %X. Ignored\n", msg);
++ goto out;
++ }
+
+ if (!(msg & ADF_PF2VF_MSGORIGIN_SYSTEM))
+ /* Ignore legacy non-system (non-kernel) PF2VF messages */
+@@ -127,6 +132,7 @@ static void adf_pf2vf_bh_handler(void *data)
+ msg &= ~ADF_PF2VF_INT;
+ ADF_CSR_WR(pmisc_bar_addr, hw_data->get_pf2vf_offset(0), msg);
+
++out:
+ /* Re-enable PF2VF interrupts */
+ adf_enable_pf2vf_interrupts(accel_dev);
+ return;
+--
+2.33.0
+
--- /dev/null
+From b74bc96b54dc1f97529a99e1ac5a56feb52a73be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Nov 2021 15:55:16 +0530
+Subject: cxgb4: fix eeprom len when diagnostics not implemented
+
+From: Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>
+
+[ Upstream commit 4ca110bf8d9b31a60f8f8ff6706ea147d38ad97c ]
+
+Ensure diagnostics monitoring support is implemented for the SFF 8472
+compliant port module and set the correct length for ethtool port
+module eeprom read.
+
+Fixes: f56ec6766dcf ("cxgb4: Add support for ethtool i2c dump")
+Signed-off-by: Manoj Malviya <manojmalviya@chelsio.com>
+Signed-off-by: Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c | 7 +++++--
+ drivers/net/ethernet/chelsio/cxgb4/t4_hw.h | 2 ++
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c
+index 83ed10ac86606..7080cb6c83e4a 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c
+@@ -2011,12 +2011,15 @@ static int cxgb4_get_module_info(struct net_device *dev,
+ if (ret)
+ return ret;
+
+- if (!sff8472_comp || (sff_diag_type & 4)) {
++ if (!sff8472_comp || (sff_diag_type & SFP_DIAG_ADDRMODE)) {
+ modinfo->type = ETH_MODULE_SFF_8079;
+ modinfo->eeprom_len = ETH_MODULE_SFF_8079_LEN;
+ } else {
+ modinfo->type = ETH_MODULE_SFF_8472;
+- modinfo->eeprom_len = ETH_MODULE_SFF_8472_LEN;
++ if (sff_diag_type & SFP_DIAG_IMPLEMENTED)
++ modinfo->eeprom_len = ETH_MODULE_SFF_8472_LEN;
++ else
++ modinfo->eeprom_len = ETH_MODULE_SFF_8472_LEN / 2;
+ }
+ break;
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.h b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.h
+index 002fc62ea7262..63bc956d20376 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.h
++++ b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.h
+@@ -293,6 +293,8 @@ enum {
+ #define I2C_PAGE_SIZE 0x100
+ #define SFP_DIAG_TYPE_ADDR 0x5c
+ #define SFP_DIAG_TYPE_LEN 0x1
++#define SFP_DIAG_ADDRMODE BIT(2)
++#define SFP_DIAG_IMPLEMENTED BIT(6)
+ #define SFF_8472_COMP_ADDR 0x5e
+ #define SFF_8472_COMP_LEN 0x1
+ #define SFF_REV_ADDR 0x1
+--
+2.33.0
+
--- /dev/null
+From e09b55d6d82a87dfb565b74aa4270eb2aa059086 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jul 2021 18:01:08 +0530
+Subject: dma-buf: WARN on dmabuf release with pending attachments
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Charan Teja Reddy <charante@codeaurora.org>
+
+[ Upstream commit f492283b157053e9555787262f058ae33096f568 ]
+
+It is expected from the clients to follow the below steps on an imported
+dmabuf fd:
+a) dmabuf = dma_buf_get(fd) // Get the dmabuf from fd
+b) dma_buf_attach(dmabuf); // Clients attach to the dmabuf
+ o Here the kernel does some slab allocations, say for
+dma_buf_attachment and may be some other slab allocation in the
+dmabuf->ops->attach().
+c) Client may need to do dma_buf_map_attachment().
+d) Accordingly dma_buf_unmap_attachment() should be called.
+e) dma_buf_detach () // Clients detach to the dmabuf.
+ o Here the slab allocations made in b) are freed.
+f) dma_buf_put(dmabuf) // Can free the dmabuf if it is the last
+reference.
+
+Now say an erroneous client failed at step c) above thus it directly
+called dma_buf_put(), step f) above. Considering that it may be the last
+reference to the dmabuf, buffer will be freed with pending attachments
+left to the dmabuf which can show up as the 'memory leak'. This should
+at least be reported as the WARN().
+
+Signed-off-by: Charan Teja Reddy <charante@codeaurora.org>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/1627043468-16381-1-git-send-email-charante@codeaurora.org
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma-buf/dma-buf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
+index 922416b3aaceb..93e9bf7382595 100644
+--- a/drivers/dma-buf/dma-buf.c
++++ b/drivers/dma-buf/dma-buf.c
+@@ -79,6 +79,7 @@ static void dma_buf_release(struct dentry *dentry)
+ if (dmabuf->resv == (struct dma_resv *)&dmabuf[1])
+ dma_resv_fini(dmabuf->resv);
+
++ WARN_ON(!list_empty(&dmabuf->attachments));
+ module_put(dmabuf->owner);
+ kfree(dmabuf->name);
+ kfree(dmabuf);
+--
+2.33.0
+
--- /dev/null
+From b567003f7f4e29f6e0ba6773319907d3fae733a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Oct 2021 14:12:28 +0300
+Subject: dmaengine: at_xdmac: fix AT_XDMAC_CC_PERID() macro
+
+From: Claudiu Beznea <claudiu.beznea@microchip.com>
+
+[ Upstream commit 320c88a3104dc955f928a1eecebd551ff89530c0 ]
+
+AT_XDMAC_CC_PERID() should be used to setup bits 24..30 of XDMAC_CC
+register. Using it without parenthesis around 0x7f & (i) will lead to
+setting all the time zero for bits 24..30 of XDMAC_CC as the << operator
+has higher precedence over bitwise &. Thus, add paranthesis around
+0x7f & (i).
+
+Fixes: 15a03850ab8f ("dmaengine: at_xdmac: fix macro typo")
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Reviewed-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Link: https://lore.kernel.org/r/20211007111230.2331837-3-claudiu.beznea@microchip.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/at_xdmac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c
+index 3b53115db2686..627ad74c879fd 100644
+--- a/drivers/dma/at_xdmac.c
++++ b/drivers/dma/at_xdmac.c
+@@ -145,7 +145,7 @@
+ #define AT_XDMAC_CC_WRIP (0x1 << 23) /* Write in Progress (read only) */
+ #define AT_XDMAC_CC_WRIP_DONE (0x0 << 23)
+ #define AT_XDMAC_CC_WRIP_IN_PROGRESS (0x1 << 23)
+-#define AT_XDMAC_CC_PERID(i) (0x7f & (i) << 24) /* Channel Peripheral Identifier */
++#define AT_XDMAC_CC_PERID(i) ((0x7f & (i)) << 24) /* Channel Peripheral Identifier */
+ #define AT_XDMAC_CDS_MSP 0x2C /* Channel Data Stride Memory Set Pattern */
+ #define AT_XDMAC_CSUS 0x30 /* Channel Source Microblock Stride */
+ #define AT_XDMAC_CDUS 0x34 /* Channel Destination Microblock Stride */
+--
+2.33.0
+
--- /dev/null
+From 80dbcfc1517f91a8a2eb805f0e176904defa3138 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Oct 2021 15:41:01 +0200
+Subject: dmaengine: dmaengine_desc_callback_valid(): Check for
+ `callback_result`
+
+From: Lars-Peter Clausen <lars@metafoo.de>
+
+[ Upstream commit e7e1e880b114ca640a2f280b0d5d38aed98f98c6 ]
+
+Before the `callback_result` callback was introduced drivers coded their
+invocation to the callback in a similar way to:
+
+ if (cb->callback) {
+ spin_unlock(&dma->lock);
+ cb->callback(cb->callback_param);
+ spin_lock(&dma->lock);
+ }
+
+With the introduction of `callback_result` two helpers where introduced to
+transparently handle both types of callbacks. And drivers where updated to
+look like this:
+
+ if (dmaengine_desc_callback_valid(cb)) {
+ spin_unlock(&dma->lock);
+ dmaengine_desc_callback_invoke(cb, ...);
+ spin_lock(&dma->lock);
+ }
+
+dmaengine_desc_callback_invoke() correctly handles both `callback_result`
+and `callback`. But we forgot to update the dmaengine_desc_callback_valid()
+function to check for `callback_result`. As a result DMA descriptors that
+use the `callback_result` rather than `callback` don't have their callback
+invoked by drivers that follow the pattern above.
+
+Fix this by checking for both `callback` and `callback_result` in
+dmaengine_desc_callback_valid().
+
+Fixes: f067025bc676 ("dmaengine: add support to provide error result from a DMA transation")
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Acked-by: Dave Jiang <dave.jiang@intel.com>
+Link: https://lore.kernel.org/r/20211023134101.28042-1-lars@metafoo.de
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/dmaengine.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/dma/dmaengine.h b/drivers/dma/dmaengine.h
+index 1bfbd64b13717..53f16d3f00294 100644
+--- a/drivers/dma/dmaengine.h
++++ b/drivers/dma/dmaengine.h
+@@ -176,7 +176,7 @@ dmaengine_desc_get_callback_invoke(struct dma_async_tx_descriptor *tx,
+ static inline bool
+ dmaengine_desc_callback_valid(struct dmaengine_desc_callback *cb)
+ {
+- return (cb->callback) ? true : false;
++ return cb->callback || cb->callback_result;
+ }
+
+ struct dma_chan *dma_get_slave_channel(struct dma_chan *chan);
+--
+2.33.0
+
--- /dev/null
+From 133b45c915120e0d3e3f94312af19a0ecd4ae54b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Sep 2021 16:57:14 +0800
+Subject: driver core: Fix possible memory leak in device_link_add()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit df0a18149474c7e6b21f6367fbc6bc8d0f192444 ]
+
+I got memory leak as follows:
+
+unreferenced object 0xffff88801f0b2200 (size 64):
+ comm "i2c-lis2hh12-21", pid 5455, jiffies 4294944606 (age 15.224s)
+ hex dump (first 32 bytes):
+ 72 65 67 75 6c 61 74 6f 72 3a 72 65 67 75 6c 61 regulator:regula
+ 74 6f 72 2e 30 2d 2d 69 32 63 3a 31 2d 30 30 31 tor.0--i2c:1-001
+ backtrace:
+ [<00000000bf5b0c3b>] __kmalloc_track_caller+0x19f/0x3a0
+ [<0000000050da42d9>] kvasprintf+0xb5/0x150
+ [<000000004bbbed13>] kvasprintf_const+0x60/0x190
+ [<00000000cdac7480>] kobject_set_name_vargs+0x56/0x150
+ [<00000000bf83f8e8>] dev_set_name+0xc0/0x100
+ [<00000000cc1cf7e3>] device_link_add+0x6b4/0x17c0
+ [<000000009db9faed>] _regulator_get+0x297/0x680
+ [<00000000845e7f2b>] _devm_regulator_get+0x5b/0xe0
+ [<000000003958ee25>] st_sensors_power_enable+0x71/0x1b0 [st_sensors]
+ [<000000005f450f52>] st_accel_i2c_probe+0xd9/0x150 [st_accel_i2c]
+ [<00000000b5f2ab33>] i2c_device_probe+0x4d8/0xbe0
+ [<0000000070fb977b>] really_probe+0x299/0xc30
+ [<0000000088e226ce>] __driver_probe_device+0x357/0x500
+ [<00000000c21dda32>] driver_probe_device+0x4e/0x140
+ [<000000004e650441>] __device_attach_driver+0x257/0x340
+ [<00000000cf1891b8>] bus_for_each_drv+0x166/0x1e0
+
+When device_register() returns an error, the name allocated in dev_set_name()
+will be leaked, the put_device() should be used instead of kfree() to give up
+the device reference, then the name will be freed in kobject_cleanup() and the
+references of consumer and supplier will be decreased in device_link_release_fn().
+
+Fixes: 287905e68dd2 ("driver core: Expose device link details in sysfs")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Reviewed-by: Saravana Kannan <saravanak@google.com>
+Reviewed-by: Rafael J. Wysocki <rafael@kernel.org>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20210930085714.2057460-1-yangyingliang@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/core.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/base/core.c b/drivers/base/core.c
+index 2bc4db5ffe445..389d13616d1df 100644
+--- a/drivers/base/core.c
++++ b/drivers/base/core.c
+@@ -668,9 +668,7 @@ struct device_link *device_link_add(struct device *consumer,
+ dev_bus_name(supplier), dev_name(supplier),
+ dev_bus_name(consumer), dev_name(consumer));
+ if (device_register(&link->link_dev)) {
+- put_device(consumer);
+- put_device(supplier);
+- kfree(link);
++ put_device(&link->link_dev);
+ link = NULL;
+ goto out;
+ }
+--
+2.33.0
+
--- /dev/null
+From 07ef27a746c53bb9d3240fbccfb36fb51871d5d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Sep 2021 18:29:36 -0400
+Subject: drm/amd/display: dcn20_resource_construct reduce scope of FPU enabled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Anson Jacob <Anson.Jacob@amd.com>
+
+[ Upstream commit bc39a69a2ac484e6575a958567c162ef56c9f278 ]
+
+Limit when FPU is enabled to only functions that does FPU operations for
+dcn20_resource_construct, which gets called during driver
+initialization.
+
+Enabling FPU operation disables preemption. Sleeping functions(mutex
+(un)lock, memory allocation using GFP_KERNEL, etc.) should not be called
+when preemption is disabled.
+
+Fixes the following case caught by enabling
+CONFIG_DEBUG_ATOMIC_SLEEP in kernel config
+[ 1.338434] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:281
+[ 1.347395] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 197, name: systemd-udevd
+[ 1.356356] CPU: 7 PID: 197 Comm: systemd-udevd Not tainted 5.13.0+ #3
+[ 1.356358] Hardware name: System manufacturer System Product Name/PRIME X570-PRO, BIOS 3405 02/01/2021
+[ 1.356360] Call Trace:
+[ 1.356361] dump_stack+0x6b/0x86
+[ 1.356366] ___might_sleep.cold+0x87/0x98
+[ 1.356370] __might_sleep+0x4b/0x80
+[ 1.356372] mutex_lock+0x21/0x50
+[ 1.356376] smu_get_uclk_dpm_states+0x3f/0x80 [amdgpu]
+[ 1.356538] pp_nv_get_uclk_dpm_states+0x35/0x50 [amdgpu]
+[ 1.356711] init_soc_bounding_box+0xf9/0x210 [amdgpu]
+[ 1.356892] ? create_object+0x20d/0x340
+[ 1.356897] ? dcn20_resource_construct+0x46f/0xd30 [amdgpu]
+[ 1.357077] dcn20_resource_construct+0x4b1/0xd30 [amdgpu]
+...
+
+Tested on: 5700XT (NAVI10 0x1002:0x731F 0x1DA2:0xE410 0xC1)
+
+Cc: Christian König <christian.koenig@amd.com>
+Cc: Hersen Wu <hersenxs.wu@amd.com>
+Cc: Anson Jacob <Anson.Jacob@amd.com>
+Cc: Harry Wentland <harry.wentland@amd.com>
+
+Reviewed-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Acked-by: Agustin Gutierrez <agustin.gutierrez@amd.com>
+Signed-off-by: Anson Jacob <Anson.Jacob@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../drm/amd/display/dc/dcn20/dcn20_resource.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c
+index 5dbc290bcbe86..3121816546467 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c
+@@ -3754,16 +3754,22 @@ static bool init_soc_bounding_box(struct dc *dc,
+ clock_limits_available = (status == PP_SMU_RESULT_OK);
+ }
+
+- if (clock_limits_available && uclk_states_available && num_states)
++ if (clock_limits_available && uclk_states_available && num_states) {
++ DC_FP_START();
+ dcn20_update_bounding_box(dc, loaded_bb, &max_clocks, uclk_states, num_states);
+- else if (clock_limits_available)
++ DC_FP_END();
++ } else if (clock_limits_available) {
++ DC_FP_START();
+ dcn20_cap_soc_clocks(loaded_bb, max_clocks);
++ DC_FP_END();
++ }
+ }
+
+ loaded_ip->max_num_otg = pool->base.res_cap->num_timing_generator;
+ loaded_ip->max_num_dpp = pool->base.pipe_count;
++ DC_FP_START();
+ dcn20_patch_bounding_box(dc, loaded_bb);
+-
++ DC_FP_END();
+ return true;
+ }
+
+@@ -3783,8 +3789,6 @@ static bool dcn20_resource_construct(
+ enum dml_project dml_project_version =
+ get_dml_project_version(ctx->asic_id.hw_internal_rev);
+
+- DC_FP_START();
+-
+ ctx->dc_bios->regs = &bios_regs;
+ pool->base.funcs = &dcn20_res_pool_funcs;
+
+@@ -4128,12 +4132,10 @@ static bool dcn20_resource_construct(
+ pool->base.oem_device = NULL;
+ }
+
+- DC_FP_END();
+ return true;
+
+ create_fail:
+
+- DC_FP_END();
+ dcn20_resource_destruct(pool);
+
+ return false;
+--
+2.33.0
+
--- /dev/null
+From 83a8c7e3f4149c7890e44ecb17eaa9fb9cff4f24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Sep 2021 12:54:07 -0400
+Subject: drm/amdgpu: Fix MMIO access page fault
+
+From: Andrey Grodzovsky <andrey.grodzovsky@amd.com>
+
+[ Upstream commit c03509cbc01559549700e14c4a6239f2572ab4ba ]
+
+Add more guards to MMIO access post device
+unbind/unplug
+
+Bug: https://bugs.archlinux.org/task/72092?project=1&order=dateopened&sort=desc&pagenum=1
+Signed-off-by: Andrey Grodzovsky <andrey.grodzovsky@amd.com>
+Reviewed-by: James Zhu <James.Zhu@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c | 8 ++++++--
+ drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c | 17 +++++++++++------
+ 2 files changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c b/drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c
+index f493b5c3d382b..79bcc78f77045 100644
+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c
+@@ -22,6 +22,7 @@
+ */
+
+ #include <linux/firmware.h>
++#include <drm/drm_drv.h>
+
+ #include "amdgpu.h"
+ #include "amdgpu_vcn.h"
+@@ -192,11 +193,14 @@ static int vcn_v2_0_sw_init(void *handle)
+ */
+ static int vcn_v2_0_sw_fini(void *handle)
+ {
+- int r;
++ int r, idx;
+ struct amdgpu_device *adev = (struct amdgpu_device *)handle;
+ volatile struct amdgpu_fw_shared *fw_shared = adev->vcn.inst->fw_shared_cpu_addr;
+
+- fw_shared->present_flag_0 = 0;
++ if (drm_dev_enter(&adev->ddev, &idx)) {
++ fw_shared->present_flag_0 = 0;
++ drm_dev_exit(idx);
++ }
+
+ amdgpu_virt_free_mm_table(adev);
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c b/drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c
+index ce64d4016f903..381839d005db9 100644
+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c
++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c
+@@ -22,6 +22,7 @@
+ */
+
+ #include <linux/firmware.h>
++#include <drm/drm_drv.h>
+
+ #include "amdgpu.h"
+ #include "amdgpu_vcn.h"
+@@ -233,17 +234,21 @@ static int vcn_v2_5_sw_init(void *handle)
+ */
+ static int vcn_v2_5_sw_fini(void *handle)
+ {
+- int i, r;
++ int i, r, idx;
+ struct amdgpu_device *adev = (struct amdgpu_device *)handle;
+ volatile struct amdgpu_fw_shared *fw_shared;
+
+- for (i = 0; i < adev->vcn.num_vcn_inst; i++) {
+- if (adev->vcn.harvest_config & (1 << i))
+- continue;
+- fw_shared = adev->vcn.inst[i].fw_shared_cpu_addr;
+- fw_shared->present_flag_0 = 0;
++ if (drm_dev_enter(&adev->ddev, &idx)) {
++ for (i = 0; i < adev->vcn.num_vcn_inst; i++) {
++ if (adev->vcn.harvest_config & (1 << i))
++ continue;
++ fw_shared = adev->vcn.inst[i].fw_shared_cpu_addr;
++ fw_shared->present_flag_0 = 0;
++ }
++ drm_dev_exit(idx);
+ }
+
++
+ if (amdgpu_sriov_vf(adev))
+ amdgpu_virt_free_mm_table(adev);
+
+--
+2.33.0
+
--- /dev/null
+From 28d593637871d06ad8676e7dd3414e7f1436ed24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Sep 2021 14:58:10 +0200
+Subject: drm/amdgpu: fix warning for overflow check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 335aea75b0d95518951cad7c4c676e6f1c02c150 ]
+
+The overflow check in amdgpu_bo_list_create() causes a warning with
+clang-14 on 64-bit architectures, since the limit can never be
+exceeded.
+
+drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c:74:18: error: result of comparison of constant 256204778801521549 with expression of type 'unsigned int' is always false [-Werror,-Wtautological-constant-out-of-range-compare]
+ if (num_entries > (SIZE_MAX - sizeof(struct amdgpu_bo_list))
+ ~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The check remains useful for 32-bit architectures, so just avoid the
+warning by using size_t as the type for the count.
+
+Fixes: 920990cb080a ("drm/amdgpu: allocate the bo_list array after the list")
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c | 2 +-
+ drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
+index 15c45b2a39835..714178f1b6c6e 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
+@@ -61,7 +61,7 @@ static void amdgpu_bo_list_free(struct kref *ref)
+
+ int amdgpu_bo_list_create(struct amdgpu_device *adev, struct drm_file *filp,
+ struct drm_amdgpu_bo_list_entry *info,
+- unsigned num_entries, struct amdgpu_bo_list **result)
++ size_t num_entries, struct amdgpu_bo_list **result)
+ {
+ unsigned last_entry = 0, first_userptr = num_entries;
+ struct amdgpu_bo_list_entry *array;
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.h
+index a130e766cbdbe..529d52a204cf4 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.h
+@@ -60,7 +60,7 @@ int amdgpu_bo_create_list_entry_array(struct drm_amdgpu_bo_list_in *in,
+ int amdgpu_bo_list_create(struct amdgpu_device *adev,
+ struct drm_file *filp,
+ struct drm_amdgpu_bo_list_entry *info,
+- unsigned num_entries,
++ size_t num_entries,
+ struct amdgpu_bo_list **list);
+
+ static inline struct amdgpu_bo_list_entry *
+--
+2.33.0
+
--- /dev/null
+From 8a471a496132dd3e71ac0941861d98e4dacbbc16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Oct 2021 13:26:19 -0400
+Subject: drm/amdgpu/gmc6: fix DMA mask from 44 to 40 bits
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+[ Upstream commit 403475be6d8b122c3e6b8a47e075926d7299e5ef ]
+
+The DMA mask on SI parts is 40 bits not 44. Copy
+paste typo.
+
+Fixes: 244511f386ccb9 ("drm/amdgpu: simplify and cleanup setting the dma mask")
+Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1762
+Acked-by: Christian König <christian.koenig@amd.com>
+Tested-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gmc_v6_0.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v6_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v6_0.c
+index 95a9117e95640..861d0cc45fc10 100644
+--- a/drivers/gpu/drm/amd/amdgpu/gmc_v6_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v6_0.c
+@@ -842,12 +842,12 @@ static int gmc_v6_0_sw_init(void *handle)
+
+ adev->gmc.mc_mask = 0xffffffffffULL;
+
+- r = dma_set_mask_and_coherent(adev->dev, DMA_BIT_MASK(44));
++ r = dma_set_mask_and_coherent(adev->dev, DMA_BIT_MASK(40));
+ if (r) {
+ dev_warn(adev->dev, "No suitable DMA available.\n");
+ return r;
+ }
+- adev->need_swiotlb = drm_need_swiotlb(44);
++ adev->need_swiotlb = drm_need_swiotlb(40);
+
+ r = gmc_v6_0_init_microcode(adev);
+ if (r) {
+--
+2.33.0
+
--- /dev/null
+From baf4ecb0924c6f4e16ef6b1fac8d2f66664f9ece Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Oct 2021 20:42:31 +0800
+Subject: drm/amdkfd: fix resume error when iommu disabled in Picasso
+
+From: Yifan Zhang <yifan1.zhang@amd.com>
+
+[ Upstream commit 6f4b590aae217da16cfa44039a2abcfb209137ab ]
+
+When IOMMU disabled in sbios and kfd in iommuv2 path,
+IOMMU resume failure blocks system resume. Don't allow kfd to
+use iommu v2 when iommu is disabled.
+
+Reported-by: youling <youling257@gmail.com>
+Tested-by: youling <youling257@gmail.com>
+Signed-off-by: Yifan Zhang <yifan1.zhang@amd.com>
+Reviewed-by: James Zhu <James.Zhu@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_device.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device.c b/drivers/gpu/drm/amd/amdkfd/kfd_device.c
+index 903170e59342c..5751bddc9cadd 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_device.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device.c
+@@ -744,6 +744,7 @@ bool kgd2kfd_device_init(struct kfd_dev *kfd,
+ kfd_double_confirm_iommu_support(kfd);
+
+ if (kfd_iommu_device_init(kfd)) {
++ kfd->use_iommu_v2 = false;
+ dev_err(kfd_device, "Error initializing iommuv2\n");
+ goto device_iommu_error;
+ }
+--
+2.33.0
+
--- /dev/null
+From 52c900be3a9998158529e3a3c437b5275a97fb80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Oct 2021 10:57:33 -0700
+Subject: drm/msm: Fix potential NULL dereference in DPU SSPP
+
+From: Jessica Zhang <jesszhan@codeaurora.org>
+
+[ Upstream commit 8bf71a5719b6cc5b6ba358096081e5d50ea23ab6 ]
+
+Move initialization of sblk in _sspp_subblk_offset() after NULL check to
+avoid potential NULL pointer dereference.
+
+Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jessica Zhang <jesszhan@codeaurora.org>
+Link: https://lore.kernel.org/r/20211020175733.3379-1-jesszhan@codeaurora.org
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_hw_sspp.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_sspp.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_sspp.c
+index c940b69435e16..016c462bdb5d2 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_sspp.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_sspp.c
+@@ -138,11 +138,13 @@ static int _sspp_subblk_offset(struct dpu_hw_pipe *ctx,
+ u32 *idx)
+ {
+ int rc = 0;
+- const struct dpu_sspp_sub_blks *sblk = ctx->cap->sblk;
++ const struct dpu_sspp_sub_blks *sblk;
+
+- if (!ctx)
++ if (!ctx || !ctx->cap || !ctx->cap->sblk)
+ return -EINVAL;
+
++ sblk = ctx->cap->sblk;
++
+ switch (s_id) {
+ case DPU_SSPP_SRC:
+ *idx = sblk->src_blk.base;
+@@ -419,7 +421,7 @@ static void _dpu_hw_sspp_setup_scaler3(struct dpu_hw_pipe *ctx,
+
+ (void)pe;
+ if (_sspp_subblk_offset(ctx, DPU_SSPP_SCALER_QSEED3, &idx) || !sspp
+- || !scaler3_cfg || !ctx || !ctx->cap || !ctx->cap->sblk)
++ || !scaler3_cfg)
+ return;
+
+ dpu_hw_setup_scaler3(&ctx->hw, scaler3_cfg, idx,
+--
+2.33.0
+
--- /dev/null
+From 8d41983789c9b49b86a092b22a5045eea2688879 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Oct 2021 13:38:06 +0300
+Subject: drm/msm: potential error pointer dereference in init()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit b6816441a14bbe356ba8590de79cfea2de6a085c ]
+
+The msm_iommu_new() returns error pointers on failure so check for that
+to avoid an Oops.
+
+Fixes: ccac7ce373c1 ("drm/msm: Refactor address space initialization")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Abhinav Kumar <abhinavk@codeaurora.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20211004103806.GD25015@kili
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
+index c8217f4858a15..b4a2e8eb35dd2 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
+@@ -846,6 +846,10 @@ static int _dpu_kms_mmu_init(struct dpu_kms *dpu_kms)
+ return 0;
+
+ mmu = msm_iommu_new(dpu_kms->dev->dev, domain);
++ if (IS_ERR(mmu)) {
++ iommu_domain_free(domain);
++ return PTR_ERR(mmu);
++ }
+ aspace = msm_gem_address_space_create(mmu, "dpu1",
+ 0x1000, 0x100000000 - 0x1000);
+
+--
+2.33.0
+
--- /dev/null
+From d7c0f67630b52530e42e9bb1f5724ee029a91e5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Sep 2021 10:25:54 -0600
+Subject: drm/msm: prevent NULL dereference in msm_gpu_crashstate_capture()
+
+From: Tim Gardner <tim.gardner@canonical.com>
+
+[ Upstream commit b220c154832c5cd0df34cbcbcc19d7135c16e823 ]
+
+Coverity complains of a possible NULL dereference:
+
+CID 120718 (#1 of 1): Dereference null return value (NULL_RETURNS)
+23. dereference: Dereferencing a pointer that might be NULL state->bos when
+ calling msm_gpu_crashstate_get_bo. [show details]
+301 msm_gpu_crashstate_get_bo(state, submit->bos[i].obj,
+302 submit->bos[i].iova, submit->bos[i].flags);
+
+Fix this by employing the same state->bos NULL check as is used in the next
+for loop.
+
+Cc: Rob Clark <robdclark@gmail.com>
+Cc: Sean Paul <sean@poorly.run>
+Cc: David Airlie <airlied@linux.ie>
+Cc: Daniel Vetter <daniel@ffwll.ch>
+Cc: linux-arm-msm@vger.kernel.org
+Cc: dri-devel@lists.freedesktop.org
+Cc: freedreno@lists.freedesktop.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20210929162554.14295-1-tim.gardner@canonical.com
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_gpu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_gpu.c b/drivers/gpu/drm/msm/msm_gpu.c
+index 55d16489d0f3f..90c26da109026 100644
+--- a/drivers/gpu/drm/msm/msm_gpu.c
++++ b/drivers/gpu/drm/msm/msm_gpu.c
+@@ -376,7 +376,7 @@ static void msm_gpu_crashstate_capture(struct msm_gpu *gpu,
+ state->bos = kcalloc(nr,
+ sizeof(struct msm_gpu_state_bo), GFP_KERNEL);
+
+- for (i = 0; i < submit->nr_bos; i++) {
++ for (i = 0; state->bos && i < submit->nr_bos; i++) {
+ if (should_dump(submit, i)) {
+ msm_gpu_crashstate_get_bo(state, submit->bos[i].obj,
+ submit->bos[i].iova, submit->bos[i].flags);
+--
+2.33.0
+
--- /dev/null
+From 5439513ae72fde87d1e90a8a36e70cd400c7c53b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Oct 2021 11:13:15 +0300
+Subject: drm/msm: uninitialized variable in msm_gem_import()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 2203bd0e5c12ffc53ffdd4fbd7b12d6ba27e0424 ]
+
+The msm_gem_new_impl() function cleans up after itself so there is no
+need to call drm_gem_object_put(). Conceptually, it does not make sense
+to call a kref_put() function until after the reference counting has
+been initialized which happens immediately after this call in the
+drm_gem_(private_)object_init() functions.
+
+In the msm_gem_import() function the "obj" pointer is uninitialized, so
+it will lead to a crash.
+
+Fixes: 05b849111c07 ("drm/msm: prime support")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/20211013081315.GG6010@kili
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_gem.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c
+index 04be4cfcccc18..819567e40565c 100644
+--- a/drivers/gpu/drm/msm/msm_gem.c
++++ b/drivers/gpu/drm/msm/msm_gem.c
+@@ -1061,7 +1061,7 @@ static struct drm_gem_object *_msm_gem_new(struct drm_device *dev,
+
+ ret = msm_gem_new_impl(dev, size, flags, &obj);
+ if (ret)
+- goto fail;
++ return ERR_PTR(ret);
+
+ msm_obj = to_msm_bo(obj);
+
+@@ -1149,7 +1149,7 @@ struct drm_gem_object *msm_gem_import(struct drm_device *dev,
+
+ ret = msm_gem_new_impl(dev, size, MSM_BO_WC, &obj);
+ if (ret)
+- goto fail;
++ return ERR_PTR(ret);
+
+ drm_gem_private_object_init(dev, obj, size);
+
+--
+2.33.0
+
--- /dev/null
+From 8306aff5cfa6624dabe33cfa7e152d5c8b511f33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Sep 2021 20:26:33 +0800
+Subject: drm/nouveau/svm: Fix refcount leak bug and missing check against null
+ bug
+
+From: Chenyuan Mi <cymi20@fudan.edu.cn>
+
+[ Upstream commit 6bb8c2d51811eb5e6504f49efe3b089d026009d2 ]
+
+The reference counting issue happens in one exception handling path of
+nouveau_svmm_bind(). When cli->svm.svmm is null, the function forgets
+to decrease the refcount of mm increased by get_task_mm(), causing a
+refcount leak.
+
+Fix this issue by using mmput() to decrease the refcount in the
+exception handling path.
+
+Also, the function forgets to do check against null when get mm
+by get_task_mm().
+
+Fix this issue by adding null check after get mm by get_task_mm().
+
+Signed-off-by: Chenyuan Mi <cymi20@fudan.edu.cn>
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Fixes: 822cab6150d3 ("drm/nouveau/svm: check for SVM initialized before migrating")
+Reviewed-by: Lyude Paul <lyude@redhat.com>
+Reviewed-by: Ben Skeggs <bskeggs@redhat.com>
+Reviewed-by: Karol Herbst <kherbst@redhat.com>
+Signed-off-by: Karol Herbst <kherbst@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210907122633.16665-1-cymi20@fudan.edu.cn
+Link: https://gitlab.freedesktop.org/drm/nouveau/-/merge_requests/14
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_svm.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_svm.c b/drivers/gpu/drm/nouveau/nouveau_svm.c
+index 1c3f890377d2c..f67700c028c75 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_svm.c
++++ b/drivers/gpu/drm/nouveau/nouveau_svm.c
+@@ -156,10 +156,14 @@ nouveau_svmm_bind(struct drm_device *dev, void *data,
+ */
+
+ mm = get_task_mm(current);
++ if (!mm) {
++ return -EINVAL;
++ }
+ mmap_read_lock(mm);
+
+ if (!cli->svm.svmm) {
+ mmap_read_unlock(mm);
++ mmput(mm);
+ return -EINVAL;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 04eafd85f1cf8796701e94755944b1e610c72ee1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 30 May 2021 13:04:26 +0200
+Subject: drm: panel-orientation-quirks: Add quirk for KD Kurio Smart C15200
+ 2-in-1
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit a53f1dd3ab9fec715c6c2e8e01bf4d3c07eef8e5 ]
+
+The KD Kurio Smart C15200 2-in-1 uses a panel which has been mounted 90
+degrees rotated. Add a quirk for this.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Simon Ser <contact@emersion.fr>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210530110428.12994-3-hdegoede@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_panel_orientation_quirks.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+index 5d0942e3985b2..cf4db2cdebbbd 100644
+--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+@@ -205,6 +205,13 @@ static const struct dmi_system_id orientation_data[] = {
+ DMI_EXACT_MATCH(DMI_BOARD_NAME, "TW891"),
+ },
+ .driver_data = (void *)&itworks_tw891,
++ }, { /* KD Kurio Smart C15200 2-in-1 */
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "KD Interactive"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Kurio Smart"),
++ DMI_EXACT_MATCH(DMI_BOARD_NAME, "KDM960BCP"),
++ },
++ .driver_data = (void *)&lcd800x1280_rightside_up,
+ }, { /*
+ * Lenovo Ideapad Miix 310 laptop, only some production batches
+ * have a portrait screen, the resolution checks makes the quirk
+--
+2.33.0
+
--- /dev/null
+From b2dd971b5980978cf1d072022f0207245321b9c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 30 May 2021 13:04:27 +0200
+Subject: drm: panel-orientation-quirks: Add quirk for the Samsung Galaxy Book
+ 10.6
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 88fa1fde918951c175ae5ea0f31efc4bb1736ab9 ]
+
+The Samsung Galaxy Book 10.6 uses a panel which has been mounted
+90 degrees rotated. Add a quirk for this.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Simon Ser <contact@emersion.fr>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210530110428.12994-4-hdegoede@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_panel_orientation_quirks.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+index cf4db2cdebbbd..926094b83e2f4 100644
+--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+@@ -109,6 +109,12 @@ static const struct drm_dmi_panel_orientation_data lcd1200x1920_rightside_up = {
+ .orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP,
+ };
+
++static const struct drm_dmi_panel_orientation_data lcd1280x1920_rightside_up = {
++ .width = 1280,
++ .height = 1920,
++ .orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP,
++};
++
+ static const struct dmi_system_id orientation_data[] = {
+ { /* Acer One 10 (S1003) */
+ .matches = {
+@@ -249,6 +255,12 @@ static const struct dmi_system_id orientation_data[] = {
+ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "Default string"),
+ },
+ .driver_data = (void *)&onegx1_pro,
++ }, { /* Samsung GalaxyBook 10.6 */
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "SAMSUNG ELECTRONICS CO., LTD."),
++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Galaxy Book 10.6"),
++ },
++ .driver_data = (void *)&lcd1280x1920_rightside_up,
+ }, { /* VIOS LTH17 */
+ .matches = {
+ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "VIOS"),
+--
+2.33.0
+
--- /dev/null
+From a13d856a9f11ab8325e5355a03fe8fbd4c871840 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Sep 2021 10:24:40 +0000
+Subject: drm/panel-orientation-quirks: add Valve Steam Deck
+
+From: Simon Ser <contact@emersion.fr>
+
+[ Upstream commit 9eeb7b4e40bfd69d8aaa920c7e9df751c9e11dce ]
+
+Valve's Steam Deck has a 800x1280 LCD screen.
+
+Signed-off-by: Simon Ser <contact@emersion.fr>
+Cc: Jared Baldridge <jrb@expunge.us>
+Cc: Emil Velikov <emil.l.velikov@gmail.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Sam Ravnborg <sam@ravnborg.org>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210911102430.253986-1-contact@emersion.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_panel_orientation_quirks.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+index 926094b83e2f4..a950d5db211c5 100644
+--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+@@ -261,6 +261,13 @@ static const struct dmi_system_id orientation_data[] = {
+ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Galaxy Book 10.6"),
+ },
+ .driver_data = (void *)&lcd1280x1920_rightside_up,
++ }, { /* Valve Steam Deck */
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Valve"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Jupiter"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "1"),
++ },
++ .driver_data = (void *)&lcd800x1280_rightside_up,
+ }, { /* VIOS LTH17 */
+ .matches = {
+ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "VIOS"),
+--
+2.33.0
+
--- /dev/null
+From 4c2c7bda66b932a74d31265fb682fc1df67c1103 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 30 May 2021 13:04:25 +0200
+Subject: drm: panel-orientation-quirks: Update the Lenovo Ideapad D330 quirk
+ (v2)
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 820a2ab23d5eab4ccfb82581eda8ad4acf18458f ]
+
+2 improvements to the Lenovo Ideapad D330 panel-orientation quirks:
+
+1. Some versions of the Lenovo Ideapad D330 have a DMI_PRODUCT_NAME of
+"81H3" and others have "81MD". Testing has shown that the "81MD" also has
+a 90 degree mounted panel. Drop the DMI_PRODUCT_NAME from the existing
+quirk so that the existing quirk matches both variants.
+
+2. Some of the Lenovo Ideapad D330 models have a HD (800x1280) screen
+instead of a FHD (1200x1920) screen (both are mounted right-side-up) add
+a second Lenovo Ideapad D330 quirk for the HD version.
+
+Changes in v2:
+- Add a new quirk for Lenovo Ideapad D330 models with a HD screen instead
+ of a FHD screen
+
+Link: https://github.com/systemd/systemd/pull/18884
+Acked-by: Simon Ser <contact@emersion.fr>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210530110428.12994-2-hdegoede@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_panel_orientation_quirks.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+index e1b2ce4921ae7..5d0942e3985b2 100644
+--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+@@ -223,10 +223,15 @@ static const struct dmi_system_id orientation_data[] = {
+ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "Lenovo MIIX 320-10ICR"),
+ },
+ .driver_data = (void *)&lcd800x1280_rightside_up,
+- }, { /* Lenovo Ideapad D330 */
++ }, { /* Lenovo Ideapad D330-10IGM (HD) */
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad D330-10IGM"),
++ },
++ .driver_data = (void *)&lcd800x1280_rightside_up,
++ }, { /* Lenovo Ideapad D330-10IGM (FHD) */
+ .matches = {
+ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+- DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "81H3"),
+ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad D330-10IGM"),
+ },
+ .driver_data = (void *)&lcd1200x1920_rightside_up,
+--
+2.33.0
+
--- /dev/null
+From 86188c4d2fc28c6726885c86fe8e8bd0e20aad47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Oct 2021 02:37:06 -0400
+Subject: drm/plane-helper: fix uninitialized variable reference
+
+From: Alex Xu (Hello71) <alex_y_xu@yahoo.ca>
+
+[ Upstream commit 7be28bd73f23e53d6e7f5fe891ba9503fc0c7210 ]
+
+drivers/gpu/drm/drm_plane_helper.c: In function 'drm_primary_helper_update':
+drivers/gpu/drm/drm_plane_helper.c:113:32: error: 'visible' is used uninitialized [-Werror=uninitialized]
+ 113 | struct drm_plane_state plane_state = {
+ | ^~~~~~~~~~~
+drivers/gpu/drm/drm_plane_helper.c:178:14: note: 'visible' was declared here
+ 178 | bool visible;
+ | ^~~~~~~
+cc1: all warnings being treated as errors
+
+visible is an output, not an input. in practice this use might turn out
+OK but it's still UB.
+
+Fixes: df86af9133b4 ("drm/plane-helper: Add drm_plane_helper_check_state()")
+Reviewed-by: Simon Ser <contact@emersion.fr>
+Signed-off-by: Alex Xu (Hello71) <alex_y_xu@yahoo.ca>
+Signed-off-by: Simon Ser <contact@emersion.fr>
+Link: https://patchwork.freedesktop.org/patch/msgid/20211007063706.305984-1-alex_y_xu@yahoo.ca
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_plane_helper.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_plane_helper.c b/drivers/gpu/drm/drm_plane_helper.c
+index 3aae7ea522f23..c3f2292dc93d5 100644
+--- a/drivers/gpu/drm/drm_plane_helper.c
++++ b/drivers/gpu/drm/drm_plane_helper.c
+@@ -123,7 +123,6 @@ static int drm_plane_helper_check_update(struct drm_plane *plane,
+ .crtc_w = drm_rect_width(dst),
+ .crtc_h = drm_rect_height(dst),
+ .rotation = rotation,
+- .visible = *visible,
+ };
+ struct drm_crtc_state crtc_state = {
+ .crtc = crtc,
+--
+2.33.0
+
--- /dev/null
+From f7ff803891fdf992ed2d05773e89c4d66ad2ece5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Sep 2021 12:41:02 +0100
+Subject: drm/ttm: stop calling tt_swapin in vm_access
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthew Auld <matthew.auld@intel.com>
+
+[ Upstream commit f5d28856b89baab4232a9f841e565763fcebcdf9 ]
+
+In commit:
+
+commit 09ac4fcb3f255e9225967c75f5893325c116cdbe
+Author: Felix Kuehling <Felix.Kuehling@amd.com>
+Date: Thu Jul 13 17:01:16 2017 -0400
+
+ drm/ttm: Implement vm_operations_struct.access v2
+
+we added the vm_access hook, where we also directly call tt_swapin for
+some reason. If something is swapped-out then the ttm_tt must also be
+unpopulated, and since access_kmap should also call tt_populate, if
+needed, then swapping-in will already be handled there.
+
+If anything, calling tt_swapin directly here would likely always fail
+since the tt->pages won't yet be populated, or worse since the tt->pages
+array is never actually cleared in unpopulate this might lead to a nasty
+uaf.
+
+Fixes: 09ac4fcb3f25 ("drm/ttm: Implement vm_operations_struct.access v2")
+Signed-off-by: Matthew Auld <matthew.auld@intel.com>
+Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Cc: Christian König <christian.koenig@amd.com>
+Reviewed-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210927114114.152310-1-matthew.auld@intel.com
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/ttm/ttm_bo_vm.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/ttm/ttm_bo_vm.c b/drivers/gpu/drm/ttm/ttm_bo_vm.c
+index 98a006fc30a58..0b1daf442425f 100644
+--- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
++++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
+@@ -500,11 +500,6 @@ int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr,
+
+ switch (bo->mem.mem_type) {
+ case TTM_PL_SYSTEM:
+- if (unlikely(bo->ttm->page_flags & TTM_PAGE_FLAG_SWAPPED)) {
+- ret = ttm_tt_swapin(bo->ttm);
+- if (unlikely(ret != 0))
+- return ret;
+- }
+ fallthrough;
+ case TTM_PL_TT:
+ ret = ttm_bo_vm_access_kmap(bo, offset, buf, len, write);
+--
+2.33.0
+
--- /dev/null
+From 44bbf50c228d19e1b295bd49edf63d0edd3a3dda Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Sep 2021 12:05:07 +0200
+Subject: drm/v3d: fix wait for TMU write combiner flush
+
+From: Iago Toral Quiroga <itoral@igalia.com>
+
+[ Upstream commit e4f868191138975f2fdf2f37c11318b47db4acc9 ]
+
+The hardware sets the TMUWCF bit back to 0 when the TMU write
+combiner flush completes so we should be checking for that instead
+of the L2TFLS bit.
+
+v2 (Melissa Wen):
+ - Add Signed-off-by and Fixes tags.
+ - Change the error message for the timeout to be more clear.
+
+Fixes spurious Vulkan CTS failures in:
+dEQP-VK.binding_model.descriptorset_random.*
+
+Fixes: d223f98f02099 ("drm/v3d: Add support for compute shader dispatch.")
+Signed-off-by: Iago Toral Quiroga <itoral@igalia.com>
+Reviewed-by: Melissa Wen <mwen@igalia.com>
+Signed-off-by: Melissa Wen <melissa.srw@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210915100507.3945-1-itoral@igalia.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/v3d/v3d_gem.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/v3d/v3d_gem.c b/drivers/gpu/drm/v3d/v3d_gem.c
+index 182c586525eb8..64fe63c1938f5 100644
+--- a/drivers/gpu/drm/v3d/v3d_gem.c
++++ b/drivers/gpu/drm/v3d/v3d_gem.c
+@@ -195,8 +195,8 @@ v3d_clean_caches(struct v3d_dev *v3d)
+
+ V3D_CORE_WRITE(core, V3D_CTL_L2TCACTL, V3D_L2TCACTL_TMUWCF);
+ if (wait_for(!(V3D_CORE_READ(core, V3D_CTL_L2TCACTL) &
+- V3D_L2TCACTL_L2TFLS), 100)) {
+- DRM_ERROR("Timeout waiting for L1T write combiner flush\n");
++ V3D_L2TCACTL_TMUWCF), 100)) {
++ DRM_ERROR("Timeout waiting for TMU write combiner flush\n");
+ }
+
+ mutex_lock(&v3d->cache_clean_lock);
+--
+2.33.0
+
--- /dev/null
+From 359ada242f56c214d6d84b4cef8be33a054b0ae8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Oct 2021 15:44:19 +0000
+Subject: EDAC/amd64: Handle three rank interleaving mode
+
+From: Yazen Ghannam <yazen.ghannam@amd.com>
+
+[ Upstream commit 9f4873fb6af7966de8fcbd95c36b61351c1c4b1f ]
+
+AMD Rome systems and later support interleaving between three identical
+ranks within a channel.
+
+Check for this mode by counting the number of enabled chip selects and
+comparing their masks. If there are exactly three enabled chip selects
+and their masks are identical, then three rank interleaving is enabled.
+
+The size of a rank is determined from its mask value. However, three
+rank interleaving doesn't follow the method of swapping an interleave
+bit with the most significant bit. Rather, the interleave bit is flipped
+and the most significant bit remains the same. There is only a single
+interleave bit in this case.
+
+Account for this when determining the chip select size by keeping the
+most significant bit at its original value and ignoring any zero bits.
+This will return a full bitmask in [MSB:1].
+
+Fixes: e53a3b267fb0 ("EDAC/amd64: Find Chip Select memory size using Address Mask")
+Signed-off-by: Yazen Ghannam <yazen.ghannam@amd.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: https://lkml.kernel.org/r/20211005154419.2060504-1-yazen.ghannam@amd.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/amd64_edac.c | 22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/edac/amd64_edac.c b/drivers/edac/amd64_edac.c
+index b36d5879b91e0..f5635dfa9acf6 100644
+--- a/drivers/edac/amd64_edac.c
++++ b/drivers/edac/amd64_edac.c
+@@ -786,12 +786,14 @@ static void debug_dump_dramcfg_low(struct amd64_pvt *pvt, u32 dclr, int chan)
+ #define CS_ODD_PRIMARY BIT(1)
+ #define CS_EVEN_SECONDARY BIT(2)
+ #define CS_ODD_SECONDARY BIT(3)
++#define CS_3R_INTERLEAVE BIT(4)
+
+ #define CS_EVEN (CS_EVEN_PRIMARY | CS_EVEN_SECONDARY)
+ #define CS_ODD (CS_ODD_PRIMARY | CS_ODD_SECONDARY)
+
+ static int f17_get_cs_mode(int dimm, u8 ctrl, struct amd64_pvt *pvt)
+ {
++ u8 base, count = 0;
+ int cs_mode = 0;
+
+ if (csrow_enabled(2 * dimm, ctrl, pvt))
+@@ -804,6 +806,20 @@ static int f17_get_cs_mode(int dimm, u8 ctrl, struct amd64_pvt *pvt)
+ if (csrow_sec_enabled(2 * dimm + 1, ctrl, pvt))
+ cs_mode |= CS_ODD_SECONDARY;
+
++ /*
++ * 3 Rank inteleaving support.
++ * There should be only three bases enabled and their two masks should
++ * be equal.
++ */
++ for_each_chip_select(base, ctrl, pvt)
++ count += csrow_enabled(base, ctrl, pvt);
++
++ if (count == 3 &&
++ pvt->csels[ctrl].csmasks[0] == pvt->csels[ctrl].csmasks[1]) {
++ edac_dbg(1, "3R interleaving in use.\n");
++ cs_mode |= CS_3R_INTERLEAVE;
++ }
++
+ return cs_mode;
+ }
+
+@@ -1612,10 +1628,14 @@ static int f17_addr_mask_to_cs_size(struct amd64_pvt *pvt, u8 umc,
+ *
+ * The MSB is the number of bits in the full mask because BIT[0] is
+ * always 0.
++ *
++ * In the special 3 Rank interleaving case, a single bit is flipped
++ * without swapping with the most significant bit. This can be handled
++ * by keeping the MSB where it is and ignoring the single zero bit.
+ */
+ msb = fls(addr_mask_orig) - 1;
+ weight = hweight_long(addr_mask_orig);
+- num_zero_bits = msb - weight;
++ num_zero_bits = msb - weight - !!(cs_mode & CS_3R_INTERLEAVE);
+
+ /* Take the number of zero bits off from the top of the mask. */
+ addr_mask_deinterleaved = GENMASK_ULL(msb - num_zero_bits, 1);
+--
+2.33.0
+
--- /dev/null
+From 9f277b6d8af66ac78aaf81eae24887ea53d07383 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Oct 2021 15:43:11 +0800
+Subject: erofs: don't trigger WARN() when decompression fails
+
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+
+[ Upstream commit a0961f351d82d43ab0b845304caa235dfe249ae9 ]
+
+syzbot reported a WARNING [1] due to corrupted compressed data.
+
+As Dmitry said, "If this is not a kernel bug, then the code should
+not use WARN. WARN if for kernel bugs and is recognized as such by
+all testing systems and humans."
+
+[1] https://lore.kernel.org/r/000000000000b3586105cf0ff45e@google.com
+
+Link: https://lore.kernel.org/r/20211025074311.130395-1-hsiangkao@linux.alibaba.com
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Reported-by: syzbot+d8aaffc3719597e8cfb4@syzkaller.appspotmail.com
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/erofs/decompressor.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c
+index cbadbf55c6c20..8a6260aac26cb 100644
+--- a/fs/erofs/decompressor.c
++++ b/fs/erofs/decompressor.c
+@@ -170,7 +170,6 @@ static int z_erofs_lz4_decompress(struct z_erofs_decompress_req *rq, u8 *out)
+ erofs_err(rq->sb, "failed to decompress %d in[%u, %u] out[%u]",
+ ret, inlen, inputmargin, rq->outputsize);
+
+- WARN_ON(1);
+ print_hex_dump(KERN_DEBUG, "[ in]: ", DUMP_PREFIX_OFFSET,
+ 16, 1, src + inputmargin, inlen, true);
+ print_hex_dump(KERN_DEBUG, "[out]: ", DUMP_PREFIX_OFFSET,
+--
+2.33.0
+
--- /dev/null
+From bc4ac19db34c089b4dcdb9b93288b83cf84a2fd0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Nov 2021 15:02:36 -0700
+Subject: ethtool: fix ethtool msg len calculation for pause stats
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 1aabe578dd86e9f2867c4db4fba9a15f4ba1825d ]
+
+ETHTOOL_A_PAUSE_STAT_MAX is the MAX attribute id,
+so we need to subtract non-stats and add one to
+get a count (IOW -2+1 == -1).
+
+Otherwise we'll see:
+
+ ethnl cmd 21: calculated reply length 40, but consumed 52
+
+Fixes: 9a27a33027f2 ("ethtool: add standard pause stats")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/ethtool_netlink.h | 3 +++
+ include/uapi/linux/ethtool_netlink.h | 4 +++-
+ net/ethtool/pause.c | 3 +--
+ 3 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/ethtool_netlink.h b/include/linux/ethtool_netlink.h
+index 1e7bf78cb3829..aba348d58ff61 100644
+--- a/include/linux/ethtool_netlink.h
++++ b/include/linux/ethtool_netlink.h
+@@ -10,6 +10,9 @@
+ #define __ETHTOOL_LINK_MODE_MASK_NWORDS \
+ DIV_ROUND_UP(__ETHTOOL_LINK_MODE_MASK_NBITS, 32)
+
++#define ETHTOOL_PAUSE_STAT_CNT (__ETHTOOL_A_PAUSE_STAT_CNT - \
++ ETHTOOL_A_PAUSE_STAT_TX_FRAMES)
++
+ enum ethtool_multicast_groups {
+ ETHNL_MCGRP_MONITOR,
+ };
+diff --git a/include/uapi/linux/ethtool_netlink.h b/include/uapi/linux/ethtool_netlink.h
+index e2bf36e6964b6..c94fa29415021 100644
+--- a/include/uapi/linux/ethtool_netlink.h
++++ b/include/uapi/linux/ethtool_netlink.h
+@@ -394,7 +394,9 @@ enum {
+ ETHTOOL_A_PAUSE_STAT_TX_FRAMES,
+ ETHTOOL_A_PAUSE_STAT_RX_FRAMES,
+
+- /* add new constants above here */
++ /* add new constants above here
++ * adjust ETHTOOL_PAUSE_STAT_CNT if adding non-stats!
++ */
+ __ETHTOOL_A_PAUSE_STAT_CNT,
+ ETHTOOL_A_PAUSE_STAT_MAX = (__ETHTOOL_A_PAUSE_STAT_CNT - 1)
+ };
+diff --git a/net/ethtool/pause.c b/net/ethtool/pause.c
+index d4ac02718b72a..c7bc704c8862a 100644
+--- a/net/ethtool/pause.c
++++ b/net/ethtool/pause.c
+@@ -62,8 +62,7 @@ static int pause_reply_size(const struct ethnl_req_info *req_base,
+
+ if (req_base->flags & ETHTOOL_FLAG_STATS)
+ n += nla_total_size(0) + /* _PAUSE_STATS */
+- nla_total_size_64bit(sizeof(u64)) *
+- (ETHTOOL_A_PAUSE_STAT_MAX - 2);
++ nla_total_size_64bit(sizeof(u64)) * ETHTOOL_PAUSE_STAT_CNT;
+ return n;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 63a06894c93f714c3717627932bbdb1833bec51f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Oct 2021 13:00:14 -0700
+Subject: firmware: qcom_scm: Fix error retval in
+ __qcom_scm_is_call_available()
+
+From: Guru Das Srinagesh <quic_gurus@quicinc.com>
+
+[ Upstream commit 38212b2a8a6fc4c3a6fa99d7445b833bedc9a67c ]
+
+Since __qcom_scm_is_call_available() returns bool, have it return false
+instead of -EINVAL if an invalid SMC convention is detected.
+
+This fixes the Smatch static checker warning:
+
+ drivers/firmware/qcom_scm.c:255 __qcom_scm_is_call_available()
+ warn: signedness bug returning '(-22)'
+
+Fixes: 9d11af8b06a8 ("firmware: qcom_scm: Make __qcom_scm_is_call_available() return bool")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Guru Das Srinagesh <quic_gurus@quicinc.com>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Link: https://lore.kernel.org/r/1633982414-28347-1-git-send-email-quic_gurus@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/qcom_scm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/qcom_scm.c b/drivers/firmware/qcom_scm.c
+index c5b20bdc08e9d..e10a99860ca4b 100644
+--- a/drivers/firmware/qcom_scm.c
++++ b/drivers/firmware/qcom_scm.c
+@@ -252,7 +252,7 @@ static bool __qcom_scm_is_call_available(struct device *dev, u32 svc_id,
+ break;
+ default:
+ pr_err("Unknown SMC convention being used\n");
+- return -EINVAL;
++ return false;
+ }
+
+ ret = qcom_scm_call(dev, &desc, &res);
+--
+2.33.0
+
--- /dev/null
+From ee8e7a9dd256b9251ddb72fa8b3879e319b06a40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Oct 2021 18:02:30 +0200
+Subject: Fix user namespace leak
+
+From: Alexey Gladkov <legion@kernel.org>
+
+[ Upstream commit d5f458a979650e5ed37212f6134e4ee2b28cb6ed ]
+
+Fixes: 61ca2c4afd9d ("NFS: Only reference user namespace from nfs4idmap struct instead of cred")
+Signed-off-by: Alexey Gladkov <legion@kernel.org>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4idmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfs/nfs4idmap.c b/fs/nfs/nfs4idmap.c
+index 8d8aba305ecca..f331866dd4182 100644
+--- a/fs/nfs/nfs4idmap.c
++++ b/fs/nfs/nfs4idmap.c
+@@ -487,7 +487,7 @@ nfs_idmap_new(struct nfs_client *clp)
+ err_destroy_pipe:
+ rpc_destroy_pipe_data(idmap->idmap_pipe);
+ err:
+- get_user_ns(idmap->user_ns);
++ put_user_ns(idmap->user_ns);
+ kfree(idmap);
+ return error;
+ }
+--
+2.33.0
+
--- /dev/null
+From fa32d2ce73542cff009aa0adb1783a2db35da935 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Mar 2021 00:00:20 -0800
+Subject: fs: orangefs: fix error return code of orangefs_revalidate_lookup()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit 4c2b46c824a78fc8190d8eafaaea5a9078fe7479 ]
+
+When op_alloc() returns NULL to new_op, no error return code of
+orangefs_revalidate_lookup() is assigned.
+To fix this bug, ret is assigned with -ENOMEM in this case.
+
+Fixes: 8bb8aefd5afb ("OrangeFS: Change almost all instances of the string PVFS2 to OrangeFS.")
+Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: Mike Marshall <hubcap@omnibond.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/orangefs/dcache.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/orangefs/dcache.c b/fs/orangefs/dcache.c
+index fe484cf93e5cd..8bbe9486e3a62 100644
+--- a/fs/orangefs/dcache.c
++++ b/fs/orangefs/dcache.c
+@@ -26,8 +26,10 @@ static int orangefs_revalidate_lookup(struct dentry *dentry)
+ gossip_debug(GOSSIP_DCACHE_DEBUG, "%s: attempting lookup.\n", __func__);
+
+ new_op = op_alloc(ORANGEFS_VFS_OP_LOOKUP);
+- if (!new_op)
++ if (!new_op) {
++ ret = -ENOMEM;
+ goto out_put_parent;
++ }
+
+ new_op->upcall.req.lookup.sym_follow = ORANGEFS_LOOKUP_LINK_NO_FOLLOW;
+ new_op->upcall.req.lookup.parent_refn = parent->refn;
+--
+2.33.0
+
--- /dev/null
+From 67ba04a3dfb1fe6781d1bbc19cf942f9ffbb976a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Aug 2021 09:54:38 -0700
+Subject: fs/proc/uptime.c: Fix idle time reporting in /proc/uptime
+
+From: Josh Don <joshdon@google.com>
+
+[ Upstream commit a130e8fbc7de796eb6e680724d87f4737a26d0ac ]
+
+/proc/uptime reports idle time by reading the CPUTIME_IDLE field from
+the per-cpu kcpustats. However, on NO_HZ systems, idle time is not
+continually updated on idle cpus, leading this value to appear
+incorrectly small.
+
+/proc/stat performs an accounting update when reading idle time; we
+can use the same approach for uptime.
+
+With this patch, /proc/stat and /proc/uptime now agree on idle time.
+Additionally, the following shows idle time tick up consistently on an
+idle machine:
+
+ (while true; do cat /proc/uptime; sleep 1; done) | awk '{print $2-prev; prev=$2}'
+
+Reported-by: Luigi Rizzo <lrizzo@google.com>
+Signed-off-by: Josh Don <joshdon@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lkml.kernel.org/r/20210827165438.3280779-1-joshdon@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/proc/stat.c | 4 ++--
+ fs/proc/uptime.c | 14 +++++++++-----
+ include/linux/kernel_stat.h | 1 +
+ 3 files changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/fs/proc/stat.c b/fs/proc/stat.c
+index 4695b6de31512..3bed48d8228b4 100644
+--- a/fs/proc/stat.c
++++ b/fs/proc/stat.c
+@@ -23,7 +23,7 @@
+
+ #ifdef arch_idle_time
+
+-static u64 get_idle_time(struct kernel_cpustat *kcs, int cpu)
++u64 get_idle_time(struct kernel_cpustat *kcs, int cpu)
+ {
+ u64 idle;
+
+@@ -45,7 +45,7 @@ static u64 get_iowait_time(struct kernel_cpustat *kcs, int cpu)
+
+ #else
+
+-static u64 get_idle_time(struct kernel_cpustat *kcs, int cpu)
++u64 get_idle_time(struct kernel_cpustat *kcs, int cpu)
+ {
+ u64 idle, idle_usecs = -1ULL;
+
+diff --git a/fs/proc/uptime.c b/fs/proc/uptime.c
+index 5a1b228964fb7..deb99bc9b7e6b 100644
+--- a/fs/proc/uptime.c
++++ b/fs/proc/uptime.c
+@@ -12,18 +12,22 @@ static int uptime_proc_show(struct seq_file *m, void *v)
+ {
+ struct timespec64 uptime;
+ struct timespec64 idle;
+- u64 nsec;
++ u64 idle_nsec;
+ u32 rem;
+ int i;
+
+- nsec = 0;
+- for_each_possible_cpu(i)
+- nsec += (__force u64) kcpustat_cpu(i).cpustat[CPUTIME_IDLE];
++ idle_nsec = 0;
++ for_each_possible_cpu(i) {
++ struct kernel_cpustat kcs;
++
++ kcpustat_cpu_fetch(&kcs, i);
++ idle_nsec += get_idle_time(&kcs, i);
++ }
+
+ ktime_get_boottime_ts64(&uptime);
+ timens_add_boottime(&uptime);
+
+- idle.tv_sec = div_u64_rem(nsec, NSEC_PER_SEC, &rem);
++ idle.tv_sec = div_u64_rem(idle_nsec, NSEC_PER_SEC, &rem);
+ idle.tv_nsec = rem;
+ seq_printf(m, "%lu.%02lu %lu.%02lu\n",
+ (unsigned long) uptime.tv_sec,
+diff --git a/include/linux/kernel_stat.h b/include/linux/kernel_stat.h
+index 89f0745c096d4..8fff3500d50ee 100644
+--- a/include/linux/kernel_stat.h
++++ b/include/linux/kernel_stat.h
+@@ -103,6 +103,7 @@ extern void account_system_index_time(struct task_struct *, u64,
+ enum cpu_usage_stat);
+ extern void account_steal_time(u64);
+ extern void account_idle_time(u64);
++extern u64 get_idle_time(struct kernel_cpustat *kcs, int cpu);
+
+ #ifdef CONFIG_VIRT_CPU_ACCOUNTING_NATIVE
+ static inline void account_process_tick(struct task_struct *tsk, int user)
+--
+2.33.0
+
--- /dev/null
+From 8c97589f6b303a86bd8d582806c6d0053e6c269d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Sep 2021 20:03:03 -0700
+Subject: fscrypt: allow 256-bit master keys with AES-256-XTS
+
+From: Eric Biggers <ebiggers@google.com>
+
+[ Upstream commit 7f595d6a6cdc336834552069a2e0a4f6d4756ddf ]
+
+fscrypt currently requires a 512-bit master key when AES-256-XTS is
+used, since AES-256-XTS keys are 512-bit and fscrypt requires that the
+master key be at least as long any key that will be derived from it.
+
+However, this is overly strict because AES-256-XTS doesn't actually have
+a 512-bit security strength, but rather 256-bit. The fact that XTS
+takes twice the expected key size is a quirk of the XTS mode. It is
+sufficient to use 256 bits of entropy for AES-256-XTS, provided that it
+is first properly expanded into a 512-bit key, which HKDF-SHA512 does.
+
+Therefore, relax the check of the master key size to use the security
+strength of the derived key rather than the size of the derived key
+(except for v1 encryption policies, which don't use HKDF).
+
+Besides making things more flexible for userspace, this is needed in
+order for the use of a KDF which only takes a 256-bit key to be
+introduced into the fscrypt key hierarchy. This will happen with
+hardware-wrapped keys support, as all known hardware which supports that
+feature uses an SP800-108 KDF using AES-256-CMAC, so the wrapped keys
+are wrapped 256-bit AES keys. Moreover, there is interest in fscrypt
+supporting the same type of AES-256-CMAC based KDF in software as an
+alternative to HKDF-SHA512. There is no security problem with such
+features, so fix the key length check to work properly with them.
+
+Reviewed-by: Paul Crowley <paulcrowley@google.com>
+Link: https://lore.kernel.org/r/20210921030303.5598-1-ebiggers@kernel.org
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/filesystems/fscrypt.rst | 10 ++---
+ fs/crypto/fscrypt_private.h | 5 ++-
+ fs/crypto/hkdf.c | 11 ++++--
+ fs/crypto/keysetup.c | 57 +++++++++++++++++++++------
+ 4 files changed, 61 insertions(+), 22 deletions(-)
+
+diff --git a/Documentation/filesystems/fscrypt.rst b/Documentation/filesystems/fscrypt.rst
+index 44b67ebd6e40d..936fae06db770 100644
+--- a/Documentation/filesystems/fscrypt.rst
++++ b/Documentation/filesystems/fscrypt.rst
+@@ -176,11 +176,11 @@ Master Keys
+
+ Each encrypted directory tree is protected by a *master key*. Master
+ keys can be up to 64 bytes long, and must be at least as long as the
+-greater of the key length needed by the contents and filenames
+-encryption modes being used. For example, if AES-256-XTS is used for
+-contents encryption, the master key must be 64 bytes (512 bits). Note
+-that the XTS mode is defined to require a key twice as long as that
+-required by the underlying block cipher.
++greater of the security strength of the contents and filenames
++encryption modes being used. For example, if any AES-256 mode is
++used, the master key must be at least 256 bits, i.e. 32 bytes. A
++stricter requirement applies if the key is used by a v1 encryption
++policy and AES-256-XTS is used; such keys must be 64 bytes.
+
+ To "unlock" an encrypted directory tree, userspace must provide the
+ appropriate master key. There can be any number of master keys, each
+diff --git a/fs/crypto/fscrypt_private.h b/fs/crypto/fscrypt_private.h
+index 322ecae9a7580..052ad40ecdb28 100644
+--- a/fs/crypto/fscrypt_private.h
++++ b/fs/crypto/fscrypt_private.h
+@@ -557,8 +557,9 @@ int __init fscrypt_init_keyring(void);
+ struct fscrypt_mode {
+ const char *friendly_name;
+ const char *cipher_str;
+- int keysize;
+- int ivsize;
++ int keysize; /* key size in bytes */
++ int security_strength; /* security strength in bytes */
++ int ivsize; /* IV size in bytes */
+ int logged_impl_name;
+ enum blk_crypto_mode_num blk_crypto_mode;
+ };
+diff --git a/fs/crypto/hkdf.c b/fs/crypto/hkdf.c
+index 0cba7928446d3..24172bf3e8c6f 100644
+--- a/fs/crypto/hkdf.c
++++ b/fs/crypto/hkdf.c
+@@ -16,9 +16,14 @@
+
+ /*
+ * HKDF supports any unkeyed cryptographic hash algorithm, but fscrypt uses
+- * SHA-512 because it is reasonably secure and efficient; and since it produces
+- * a 64-byte digest, deriving an AES-256-XTS key preserves all 64 bytes of
+- * entropy from the master key and requires only one iteration of HKDF-Expand.
++ * SHA-512 because it is well-established, secure, and reasonably efficient.
++ *
++ * HKDF-SHA256 was also considered, as its 256-bit security strength would be
++ * sufficient here. A 512-bit security strength is "nice to have", though.
++ * Also, on 64-bit CPUs, SHA-512 is usually just as fast as SHA-256. In the
++ * common case of deriving an AES-256-XTS key (512 bits), that can result in
++ * HKDF-SHA512 being much faster than HKDF-SHA256, as the longer digest size of
++ * SHA-512 causes HKDF-Expand to only need to do one iteration rather than two.
+ */
+ #define HKDF_HMAC_ALG "hmac(sha512)"
+ #define HKDF_HASHLEN SHA512_DIGEST_SIZE
+diff --git a/fs/crypto/keysetup.c b/fs/crypto/keysetup.c
+index 9a6f9a188efb9..73d96e35d9ae4 100644
+--- a/fs/crypto/keysetup.c
++++ b/fs/crypto/keysetup.c
+@@ -19,6 +19,7 @@ struct fscrypt_mode fscrypt_modes[] = {
+ .friendly_name = "AES-256-XTS",
+ .cipher_str = "xts(aes)",
+ .keysize = 64,
++ .security_strength = 32,
+ .ivsize = 16,
+ .blk_crypto_mode = BLK_ENCRYPTION_MODE_AES_256_XTS,
+ },
+@@ -26,12 +27,14 @@ struct fscrypt_mode fscrypt_modes[] = {
+ .friendly_name = "AES-256-CTS-CBC",
+ .cipher_str = "cts(cbc(aes))",
+ .keysize = 32,
++ .security_strength = 32,
+ .ivsize = 16,
+ },
+ [FSCRYPT_MODE_AES_128_CBC] = {
+ .friendly_name = "AES-128-CBC-ESSIV",
+ .cipher_str = "essiv(cbc(aes),sha256)",
+ .keysize = 16,
++ .security_strength = 16,
+ .ivsize = 16,
+ .blk_crypto_mode = BLK_ENCRYPTION_MODE_AES_128_CBC_ESSIV,
+ },
+@@ -39,12 +42,14 @@ struct fscrypt_mode fscrypt_modes[] = {
+ .friendly_name = "AES-128-CTS-CBC",
+ .cipher_str = "cts(cbc(aes))",
+ .keysize = 16,
++ .security_strength = 16,
+ .ivsize = 16,
+ },
+ [FSCRYPT_MODE_ADIANTUM] = {
+ .friendly_name = "Adiantum",
+ .cipher_str = "adiantum(xchacha12,aes)",
+ .keysize = 32,
++ .security_strength = 32,
+ .ivsize = 32,
+ .blk_crypto_mode = BLK_ENCRYPTION_MODE_ADIANTUM,
+ },
+@@ -357,6 +362,45 @@ static int fscrypt_setup_v2_file_key(struct fscrypt_info *ci,
+ return 0;
+ }
+
++/*
++ * Check whether the size of the given master key (@mk) is appropriate for the
++ * encryption settings which a particular file will use (@ci).
++ *
++ * If the file uses a v1 encryption policy, then the master key must be at least
++ * as long as the derived key, as this is a requirement of the v1 KDF.
++ *
++ * Otherwise, the KDF can accept any size key, so we enforce a slightly looser
++ * requirement: we require that the size of the master key be at least the
++ * maximum security strength of any algorithm whose key will be derived from it
++ * (but in practice we only need to consider @ci->ci_mode, since any other
++ * possible subkeys such as DIRHASH and INODE_HASH will never increase the
++ * required key size over @ci->ci_mode). This allows AES-256-XTS keys to be
++ * derived from a 256-bit master key, which is cryptographically sufficient,
++ * rather than requiring a 512-bit master key which is unnecessarily long. (We
++ * still allow 512-bit master keys if the user chooses to use them, though.)
++ */
++static bool fscrypt_valid_master_key_size(const struct fscrypt_master_key *mk,
++ const struct fscrypt_info *ci)
++{
++ unsigned int min_keysize;
++
++ if (ci->ci_policy.version == FSCRYPT_POLICY_V1)
++ min_keysize = ci->ci_mode->keysize;
++ else
++ min_keysize = ci->ci_mode->security_strength;
++
++ if (mk->mk_secret.size < min_keysize) {
++ fscrypt_warn(NULL,
++ "key with %s %*phN is too short (got %u bytes, need %u+ bytes)",
++ master_key_spec_type(&mk->mk_spec),
++ master_key_spec_len(&mk->mk_spec),
++ (u8 *)&mk->mk_spec.u,
++ mk->mk_secret.size, min_keysize);
++ return false;
++ }
++ return true;
++}
++
+ /*
+ * Find the master key, then set up the inode's actual encryption key.
+ *
+@@ -422,18 +466,7 @@ static int setup_file_encryption_key(struct fscrypt_info *ci,
+ goto out_release_key;
+ }
+
+- /*
+- * Require that the master key be at least as long as the derived key.
+- * Otherwise, the derived key cannot possibly contain as much entropy as
+- * that required by the encryption mode it will be used for. For v1
+- * policies it's also required for the KDF to work at all.
+- */
+- if (mk->mk_secret.size < ci->ci_mode->keysize) {
+- fscrypt_warn(NULL,
+- "key with %s %*phN is too short (got %u bytes, need %u+ bytes)",
+- master_key_spec_type(&mk_spec),
+- master_key_spec_len(&mk_spec), (u8 *)&mk_spec.u,
+- mk->mk_secret.size, ci->ci_mode->keysize);
++ if (!fscrypt_valid_master_key_size(mk, ci)) {
+ err = -ENOKEY;
+ goto out_release_key;
+ }
+--
+2.33.0
+
--- /dev/null
+From 5e5ed430baf809e7b1d9dc6f25b0361afff5baaa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Oct 2021 20:53:02 +0200
+Subject: gfs2: Cancel remote delete work asynchronously
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+[ Upstream commit 486408d690e130c3adacf816754b97558d715f46 ]
+
+In gfs2_inode_lookup and gfs2_create_inode, we're calling
+gfs2_cancel_delete_work which currently cancels any remote delete work
+(delete_work_func) synchronously. This means that if the work is
+currently running, it will wait for it to finish. We're doing this to
+pevent a previous instance of an inode from having any influence on the
+next instance.
+
+However, delete_work_func uses gfs2_inode_lookup internally, and we can
+end up in a deadlock when delete_work_func gets interrupted at the wrong
+time. For example,
+
+ (1) An inode's iopen glock has delete work queued, but the inode
+ itself has been evicted from the inode cache.
+
+ (2) The delete work is preempted before reaching gfs2_inode_lookup.
+
+ (3) Another process recreates the inode (gfs2_create_inode). It tries
+ to cancel any outstanding delete work, which blocks waiting for
+ the ongoing delete work to finish.
+
+ (4) The delete work calls gfs2_inode_lookup, which blocks waiting for
+ gfs2_create_inode to instantiate and unlock the new inode =>
+ deadlock.
+
+It turns out that when the delete work notices that its inode has been
+re-instantiated, it will do nothing. This means that it's safe to
+cancel the delete work asynchronously. This prevents the kind of
+deadlock described above.
+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/glock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c
+index 03c3407c8e26f..533adcd480310 100644
+--- a/fs/gfs2/glock.c
++++ b/fs/gfs2/glock.c
+@@ -1911,7 +1911,7 @@ bool gfs2_queue_delete_work(struct gfs2_glock *gl, unsigned long delay)
+
+ void gfs2_cancel_delete_work(struct gfs2_glock *gl)
+ {
+- if (cancel_delayed_work_sync(&gl->gl_delete)) {
++ if (cancel_delayed_work(&gl->gl_delete)) {
+ clear_bit(GLF_PENDING_DELETE, &gl->gl_flags);
+ gfs2_glock_put(gl);
+ }
+--
+2.33.0
+
--- /dev/null
+From 3c21dadcf4e60deed18d1ba8eed7a91fe0798cc9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Oct 2021 15:57:44 +0200
+Subject: gfs2: Fix glock_hash_walk bugs
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+[ Upstream commit 7427f3bb49d81525b7dd1d0f7c5f6bbc752e6f0e ]
+
+So far, glock_hash_walk took a reference on each glock it iterated over, and it
+was the examiner's responsibility to drop those references. Dropping the final
+reference to a glock can sleep and the examiners are called in a RCU critical
+section with spin locks held, so examiners that didn't need the extra reference
+had to drop it asynchronously via gfs2_glock_queue_put or similar. This wasn't
+done correctly in thaw_glock which did call gfs2_glock_put, and not at all in
+dump_glock_func.
+
+Change glock_hash_walk to not take glock references at all. That way, the
+examiners that don't need them won't have to bother with slow asynchronous
+puts, and the examiners that do need references can take them themselves.
+
+Reported-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/glock.c | 22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c
+index 533adcd480310..dd052101e2266 100644
+--- a/fs/gfs2/glock.c
++++ b/fs/gfs2/glock.c
+@@ -1885,10 +1885,10 @@ static void glock_hash_walk(glock_examiner examiner, const struct gfs2_sbd *sdp)
+ do {
+ rhashtable_walk_start(&iter);
+
+- while ((gl = rhashtable_walk_next(&iter)) && !IS_ERR(gl))
+- if (gl->gl_name.ln_sbd == sdp &&
+- lockref_get_not_dead(&gl->gl_lockref))
++ while ((gl = rhashtable_walk_next(&iter)) && !IS_ERR(gl)) {
++ if (gl->gl_name.ln_sbd == sdp)
+ examiner(gl);
++ }
+
+ rhashtable_walk_stop(&iter);
+ } while (cond_resched(), gl == ERR_PTR(-EAGAIN));
+@@ -1930,7 +1930,6 @@ static void flush_delete_work(struct gfs2_glock *gl)
+ &gl->gl_delete, 0);
+ }
+ }
+- gfs2_glock_queue_work(gl, 0);
+ }
+
+ void gfs2_flush_delete_work(struct gfs2_sbd *sdp)
+@@ -1947,10 +1946,10 @@ void gfs2_flush_delete_work(struct gfs2_sbd *sdp)
+
+ static void thaw_glock(struct gfs2_glock *gl)
+ {
+- if (!test_and_clear_bit(GLF_FROZEN, &gl->gl_flags)) {
+- gfs2_glock_put(gl);
++ if (!test_and_clear_bit(GLF_FROZEN, &gl->gl_flags))
++ return;
++ if (!lockref_get_not_dead(&gl->gl_lockref))
+ return;
+- }
+ set_bit(GLF_REPLY_PENDING, &gl->gl_flags);
+ gfs2_glock_queue_work(gl, 0);
+ }
+@@ -1966,9 +1965,12 @@ static void clear_glock(struct gfs2_glock *gl)
+ gfs2_glock_remove_from_lru(gl);
+
+ spin_lock(&gl->gl_lockref.lock);
+- if (gl->gl_state != LM_ST_UNLOCKED)
+- handle_callback(gl, LM_ST_UNLOCKED, 0, false);
+- __gfs2_glock_queue_work(gl, 0);
++ if (!__lockref_is_dead(&gl->gl_lockref)) {
++ gl->gl_lockref.count++;
++ if (gl->gl_state != LM_ST_UNLOCKED)
++ handle_callback(gl, LM_ST_UNLOCKED, 0, false);
++ __gfs2_glock_queue_work(gl, 0);
++ }
+ spin_unlock(&gl->gl_lockref.lock);
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 6dbf80ba4931ea399371d7bfcf830d2182d3478c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Oct 2021 16:06:18 -0400
+Subject: gre/sit: Don't generate link-local addr if addr_gen_mode is
+ IN6_ADDR_GEN_MODE_NONE
+
+From: Stephen Suryaputra <ssuryaextr@gmail.com>
+
+[ Upstream commit 61e18ce7348bfefb5688a8bcd4b4d6b37c0f9b2a ]
+
+When addr_gen_mode is set to IN6_ADDR_GEN_MODE_NONE, the link-local addr
+should not be generated. But it isn't the case for GRE (as well as GRE6)
+and SIT tunnels. Make it so that tunnels consider the addr_gen_mode,
+especially for IN6_ADDR_GEN_MODE_NONE.
+
+Do this in add_v4_addrs() to cover both GRE and SIT only if the addr
+scope is link.
+
+Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com>
+Acked-by: Antonio Quartulli <a@unstable.cc>
+Link: https://lore.kernel.org/r/20211020200618.467342-1-ssuryaextr@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/addrconf.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index 884d430e23cb3..29526937077b3 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -3097,6 +3097,9 @@ static void sit_add_v4_addrs(struct inet6_dev *idev)
+ memcpy(&addr.s6_addr32[3], idev->dev->dev_addr, 4);
+
+ if (idev->dev->flags&IFF_POINTOPOINT) {
++ if (idev->cnf.addr_gen_mode == IN6_ADDR_GEN_MODE_NONE)
++ return;
++
+ addr.s6_addr32[0] = htonl(0xfe800000);
+ scope = IFA_LINK;
+ plen = 64;
+--
+2.33.0
+
--- /dev/null
+From 68eb69bc2fb87dc4067781706c2b7355032e7273 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Nov 2021 14:47:36 +0300
+Subject: gve: Fix off by one in gve_tx_timeout()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 1c360cc1cc883fbdf0a258b4df376571fbeac5ee ]
+
+The priv->ntfy_blocks[] has "priv->num_ntfy_blks" elements so this >
+needs to be >= to prevent an off by one bug. The priv->ntfy_blocks[]
+array is allocated in gve_alloc_notify_blocks().
+
+Fixes: 87a7f321bb6a ("gve: Recover from queue stall due to missed IRQ")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/google/gve/gve_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/google/gve/gve_main.c b/drivers/net/ethernet/google/gve/gve_main.c
+index 3e96b2a11c5bf..6cb75bb1ed052 100644
+--- a/drivers/net/ethernet/google/gve/gve_main.c
++++ b/drivers/net/ethernet/google/gve/gve_main.c
+@@ -959,7 +959,7 @@ static void gve_tx_timeout(struct net_device *dev, unsigned int txqueue)
+ goto reset;
+
+ ntfy_idx = gve_tx_idx_to_ntfy(priv, txqueue);
+- if (ntfy_idx > priv->num_ntfy_blks)
++ if (ntfy_idx >= priv->num_ntfy_blks)
+ goto reset;
+
+ block = &priv->ntfy_blocks[ntfy_idx];
+--
+2.33.0
+
--- /dev/null
+From 8571a986349ccc743396411f05795e5a8d35906c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Oct 2021 08:36:47 -0700
+Subject: gve: Recover from queue stall due to missed IRQ
+
+From: John Fraker <jfraker@google.com>
+
+[ Upstream commit 87a7f321bb6a45e54b7d6c90d032ee5636a6ad97 ]
+
+Don't always reset the driver on a TX timeout. Attempt to
+recover by kicking the queue in case an IRQ was missed.
+
+Fixes: 9e5f7d26a4c08 ("gve: Add workqueue and reset support")
+Signed-off-by: John Fraker <jfraker@google.com>
+Signed-off-by: David Awogbemila <awogbemila@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/google/gve/gve.h | 4 +-
+ drivers/net/ethernet/google/gve/gve_adminq.h | 1 +
+ drivers/net/ethernet/google/gve/gve_main.c | 48 +++++++++++++++++++-
+ 3 files changed, 51 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/google/gve/gve.h b/drivers/net/ethernet/google/gve/gve.h
+index cfb174624d4ee..5c9a4d4362c7b 100644
+--- a/drivers/net/ethernet/google/gve/gve.h
++++ b/drivers/net/ethernet/google/gve/gve.h
+@@ -28,7 +28,7 @@
+ #define GVE_MIN_MSIX 3
+
+ /* Numbers of gve tx/rx stats in stats report. */
+-#define GVE_TX_STATS_REPORT_NUM 5
++#define GVE_TX_STATS_REPORT_NUM 6
+ #define GVE_RX_STATS_REPORT_NUM 2
+
+ /* Interval to schedule a stats report update, 20000ms. */
+@@ -147,7 +147,9 @@ struct gve_tx_ring {
+ u32 q_num ____cacheline_aligned; /* queue idx */
+ u32 stop_queue; /* count of queue stops */
+ u32 wake_queue; /* count of queue wakes */
++ u32 queue_timeout; /* count of queue timeouts */
+ u32 ntfy_id; /* notification block index */
++ u32 last_kick_msec; /* Last time the queue was kicked */
+ dma_addr_t bus; /* dma address of the descr ring */
+ dma_addr_t q_resources_bus; /* dma address of the queue resources */
+ struct u64_stats_sync statss; /* sync stats for 32bit archs */
+diff --git a/drivers/net/ethernet/google/gve/gve_adminq.h b/drivers/net/ethernet/google/gve/gve_adminq.h
+index 015796a20118b..8dbc2c03fbbdd 100644
+--- a/drivers/net/ethernet/google/gve/gve_adminq.h
++++ b/drivers/net/ethernet/google/gve/gve_adminq.h
+@@ -212,6 +212,7 @@ enum gve_stat_names {
+ TX_LAST_COMPLETION_PROCESSED = 5,
+ RX_NEXT_EXPECTED_SEQUENCE = 6,
+ RX_BUFFERS_POSTED = 7,
++ TX_TIMEOUT_CNT = 8,
+ // stats from NIC
+ RX_QUEUE_DROP_CNT = 65,
+ RX_NO_BUFFERS_POSTED = 66,
+diff --git a/drivers/net/ethernet/google/gve/gve_main.c b/drivers/net/ethernet/google/gve/gve_main.c
+index fd52218f48846..3e96b2a11c5bf 100644
+--- a/drivers/net/ethernet/google/gve/gve_main.c
++++ b/drivers/net/ethernet/google/gve/gve_main.c
+@@ -23,6 +23,9 @@
+ #define GVE_VERSION "1.0.0"
+ #define GVE_VERSION_PREFIX "GVE-"
+
++// Minimum amount of time between queue kicks in msec (10 seconds)
++#define MIN_TX_TIMEOUT_GAP (1000 * 10)
++
+ const char gve_version_str[] = GVE_VERSION;
+ static const char gve_version_prefix[] = GVE_VERSION_PREFIX;
+
+@@ -943,9 +946,47 @@ static void gve_turnup(struct gve_priv *priv)
+
+ static void gve_tx_timeout(struct net_device *dev, unsigned int txqueue)
+ {
+- struct gve_priv *priv = netdev_priv(dev);
++ struct gve_notify_block *block;
++ struct gve_tx_ring *tx = NULL;
++ struct gve_priv *priv;
++ u32 last_nic_done;
++ u32 current_time;
++ u32 ntfy_idx;
++
++ netdev_info(dev, "Timeout on tx queue, %d", txqueue);
++ priv = netdev_priv(dev);
++ if (txqueue > priv->tx_cfg.num_queues)
++ goto reset;
++
++ ntfy_idx = gve_tx_idx_to_ntfy(priv, txqueue);
++ if (ntfy_idx > priv->num_ntfy_blks)
++ goto reset;
++
++ block = &priv->ntfy_blocks[ntfy_idx];
++ tx = block->tx;
+
++ current_time = jiffies_to_msecs(jiffies);
++ if (tx->last_kick_msec + MIN_TX_TIMEOUT_GAP > current_time)
++ goto reset;
++
++ /* Check to see if there are missed completions, which will allow us to
++ * kick the queue.
++ */
++ last_nic_done = gve_tx_load_event_counter(priv, tx);
++ if (last_nic_done - tx->done) {
++ netdev_info(dev, "Kicking queue %d", txqueue);
++ iowrite32be(GVE_IRQ_MASK, gve_irq_doorbell(priv, block));
++ napi_schedule(&block->napi);
++ tx->last_kick_msec = current_time;
++ goto out;
++ } // Else reset.
++
++reset:
+ gve_schedule_reset(priv);
++
++out:
++ if (tx)
++ tx->queue_timeout++;
+ priv->tx_timeo_cnt++;
+ }
+
+@@ -1028,6 +1069,11 @@ void gve_handle_report_stats(struct gve_priv *priv)
+ .value = cpu_to_be64(priv->tx[idx].done),
+ .queue_id = cpu_to_be32(idx),
+ };
++ stats[stats_idx++] = (struct stats) {
++ .stat_name = cpu_to_be32(TX_TIMEOUT_CNT),
++ .value = cpu_to_be64(priv->tx[idx].queue_timeout),
++ .queue_id = cpu_to_be32(idx),
++ };
+ }
+ }
+ /* rx stats */
+--
+2.33.0
+
--- /dev/null
+From 410275216f9ac93eb0325ac523b3641e869ac840 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Oct 2021 17:29:16 +0200
+Subject: HID: u2fzero: clarify error check and length calculations
+
+From: Andrej Shadura <andrew.shadura@collabora.co.uk>
+
+[ Upstream commit b7abf78b7a6c4a29a6e0ba0bb883fe44a2f3d693 ]
+
+The previous commit fixed handling of incomplete packets but broke error
+handling: offsetof returns an unsigned value (size_t), but when compared
+against the signed return value, the return value is interpreted as if
+it were unsigned, so negative return values are never less than the
+offset.
+
+To make the code easier to read, calculate the minimal packet length
+once and separately, and assign it to a signed int variable to eliminate
+unsigned math and the need for type casts. It then becomes immediately
+obvious how the actual data length is calculated and why the return
+value cannot be less than the minimal length.
+
+Fixes: 22d65765f211 ("HID: u2fzero: ignore incomplete packets without data")
+Fixes: 42337b9d4d95 ("HID: add driver for U2F Zero built-in LED and RNG")
+Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-u2fzero.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/hid/hid-u2fzero.c b/drivers/hid/hid-u2fzero.c
+index d70cd3d7f583b..94f78ffb76d04 100644
+--- a/drivers/hid/hid-u2fzero.c
++++ b/drivers/hid/hid-u2fzero.c
+@@ -191,6 +191,8 @@ static int u2fzero_rng_read(struct hwrng *rng, void *data,
+ struct u2f_hid_msg resp;
+ int ret;
+ size_t actual_length;
++ /* valid packets must have a correct header */
++ int min_length = offsetof(struct u2f_hid_msg, init.data);
+
+ if (!dev->present) {
+ hid_dbg(dev->hdev, "device not present");
+@@ -200,12 +202,12 @@ static int u2fzero_rng_read(struct hwrng *rng, void *data,
+ ret = u2fzero_recv(dev, &req, &resp);
+
+ /* ignore errors or packets without data */
+- if (ret < offsetof(struct u2f_hid_msg, init.data))
++ if (ret < min_length)
+ return 0;
+
+ /* only take the minimum amount of data it is safe to take */
+- actual_length = min3((size_t)ret - offsetof(struct u2f_hid_msg,
+- init.data), U2F_HID_MSG_LEN(resp), max);
++ actual_length = min3((size_t)ret - min_length,
++ U2F_HID_MSG_LEN(resp), max);
+
+ memcpy(data, resp.init.data, actual_length);
+
+--
+2.33.0
+
--- /dev/null
+From e88c4368807c500256bd54e85ac7199a687b18a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Oct 2021 17:29:17 +0200
+Subject: HID: u2fzero: properly handle timeouts in usb_submit_urb
+
+From: Andrej Shadura <andrew.shadura@collabora.co.uk>
+
+[ Upstream commit 43775e62c4b784f44a159e13ba80e6146a42d502 ]
+
+The wait_for_completion_timeout function returns 0 if timed out or a
+positive value if completed. Hence, "less than zero" comparison always
+misses timeouts and doesn't kill the URB as it should, leading to
+re-sending it while it is active.
+
+Fixes: 42337b9d4d95 ("HID: add driver for U2F Zero built-in LED and RNG")
+Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-u2fzero.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-u2fzero.c b/drivers/hid/hid-u2fzero.c
+index 94f78ffb76d04..67ae2b18e33ac 100644
+--- a/drivers/hid/hid-u2fzero.c
++++ b/drivers/hid/hid-u2fzero.c
+@@ -132,7 +132,7 @@ static int u2fzero_recv(struct u2fzero_device *dev,
+
+ ret = (wait_for_completion_timeout(
+ &ctx.done, msecs_to_jiffies(USB_CTRL_SET_TIMEOUT)));
+- if (ret < 0) {
++ if (ret == 0) {
+ usb_kill_urb(dev->urb);
+ hid_err(hdev, "urb submission timed out");
+ } else {
+--
+2.33.0
+
--- /dev/null
+From ec93ecec40c3b30de188940b41ba0cf9364f2629 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Oct 2021 19:27:58 +0800
+Subject: hwmon: Fix possible memleak in __hwmon_device_register()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit ada61aa0b1184a8fda1a89a340c7d6cc4e59aee5 ]
+
+I got memory leak as follows when doing fault injection test:
+
+unreferenced object 0xffff888102740438 (size 8):
+ comm "27", pid 859, jiffies 4295031351 (age 143.992s)
+ hex dump (first 8 bytes):
+ 68 77 6d 6f 6e 30 00 00 hwmon0..
+ backtrace:
+ [<00000000544b5996>] __kmalloc_track_caller+0x1a6/0x300
+ [<00000000df0d62b9>] kvasprintf+0xad/0x140
+ [<00000000d3d2a3da>] kvasprintf_const+0x62/0x190
+ [<000000005f8f0f29>] kobject_set_name_vargs+0x56/0x140
+ [<00000000b739e4b9>] dev_set_name+0xb0/0xe0
+ [<0000000095b69c25>] __hwmon_device_register+0xf19/0x1e50 [hwmon]
+ [<00000000a7e65b52>] hwmon_device_register_with_info+0xcb/0x110 [hwmon]
+ [<000000006f181e86>] devm_hwmon_device_register_with_info+0x85/0x100 [hwmon]
+ [<0000000081bdc567>] tmp421_probe+0x2d2/0x465 [tmp421]
+ [<00000000502cc3f8>] i2c_device_probe+0x4e1/0xbb0
+ [<00000000f90bda3b>] really_probe+0x285/0xc30
+ [<000000007eac7b77>] __driver_probe_device+0x35f/0x4f0
+ [<000000004953d43d>] driver_probe_device+0x4f/0x140
+ [<000000002ada2d41>] __device_attach_driver+0x24c/0x330
+ [<00000000b3977977>] bus_for_each_drv+0x15d/0x1e0
+ [<000000005bf2a8e3>] __device_attach+0x267/0x410
+
+When device_register() returns an error, the name allocated in
+dev_set_name() will be leaked, the put_device() should be used
+instead of calling hwmon_dev_release() to give up the device
+reference, then the name will be freed in kobject_cleanup().
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: bab2243ce189 ("hwmon: Introduce hwmon_device_register_with_groups")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20211012112758.2681084-1-yangyingliang@huawei.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/hwmon.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/hwmon.c b/drivers/hwmon/hwmon.c
+index 6c684058bfdfc..e5a83f7492677 100644
+--- a/drivers/hwmon/hwmon.c
++++ b/drivers/hwmon/hwmon.c
+@@ -760,8 +760,10 @@ __hwmon_device_register(struct device *dev, const char *name, void *drvdata,
+ dev_set_drvdata(hdev, drvdata);
+ dev_set_name(hdev, HWMON_ID_FORMAT, id);
+ err = device_register(hdev);
+- if (err)
+- goto free_hwmon;
++ if (err) {
++ put_device(hdev);
++ goto ida_remove;
++ }
+
+ INIT_LIST_HEAD(&hwdev->tzdata);
+
+--
+2.33.0
+
--- /dev/null
+From 8971582b15439892ef6249823560ef4778e296b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Sep 2021 02:22:38 -0700
+Subject: hwmon: (pmbus/lm25066) Let compiler determine outer dimension of
+ lm25066_coeff
+
+From: Zev Weiss <zev@bewilderbeest.net>
+
+[ Upstream commit b7931a7b0e0df4d2a25fedd895ad32c746b77bc1 ]
+
+Maintaining this manually is error prone (there are currently only
+five chips supported, not six); gcc can do it for us automatically.
+
+Signed-off-by: Zev Weiss <zev@bewilderbeest.net>
+Fixes: 666c14906b49 ("hwmon: (pmbus/lm25066) Drop support for LM25063")
+Link: https://lore.kernel.org/r/20210928092242.30036-5-zev@bewilderbeest.net
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/pmbus/lm25066.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/pmbus/lm25066.c b/drivers/hwmon/pmbus/lm25066.c
+index d14f923b3740d..17199a1104c72 100644
+--- a/drivers/hwmon/pmbus/lm25066.c
++++ b/drivers/hwmon/pmbus/lm25066.c
+@@ -51,7 +51,7 @@ struct __coeff {
+ #define PSC_CURRENT_IN_L (PSC_NUM_CLASSES)
+ #define PSC_POWER_L (PSC_NUM_CLASSES + 1)
+
+-static struct __coeff lm25066_coeff[6][PSC_NUM_CLASSES + 2] = {
++static struct __coeff lm25066_coeff[][PSC_NUM_CLASSES + 2] = {
+ [lm25056] = {
+ [PSC_VOLTAGE_IN] = {
+ .m = 16296,
+--
+2.33.0
+
--- /dev/null
+From 02c0df915be6743134e066743b635deae30cf51c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Sep 2021 21:12:42 +0200
+Subject: hwrng: mtk - Force runtime pm ops for sleep ops
+
+From: Markus Schneider-Pargmann <msp@baylibre.com>
+
+[ Upstream commit b6f5f0c8f72d348b2d07b20d7b680ef13a7ffe98 ]
+
+Currently mtk_rng_runtime_suspend/resume is called for both runtime pm
+and system sleep operations.
+
+This is wrong as these should only be runtime ops as the name already
+suggests. Currently freezing the system will lead to a call to
+mtk_rng_runtime_suspend even if the device currently isn't active. This
+leads to a clock warning because it is disabled/unprepared although it
+isn't enabled/prepared currently.
+
+This patch fixes this by only setting the runtime pm ops and forces to
+call the runtime pm ops from the system sleep ops as well if active but
+not otherwise.
+
+Fixes: 81d2b34508c6 ("hwrng: mtk - add runtime PM support")
+Signed-off-by: Markus Schneider-Pargmann <msp@baylibre.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/hw_random/mtk-rng.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/char/hw_random/mtk-rng.c b/drivers/char/hw_random/mtk-rng.c
+index 8ad7b515a51b8..6c00ea0085553 100644
+--- a/drivers/char/hw_random/mtk-rng.c
++++ b/drivers/char/hw_random/mtk-rng.c
+@@ -166,8 +166,13 @@ static int mtk_rng_runtime_resume(struct device *dev)
+ return mtk_rng_init(&priv->rng);
+ }
+
+-static UNIVERSAL_DEV_PM_OPS(mtk_rng_pm_ops, mtk_rng_runtime_suspend,
+- mtk_rng_runtime_resume, NULL);
++static const struct dev_pm_ops mtk_rng_pm_ops = {
++ SET_RUNTIME_PM_OPS(mtk_rng_runtime_suspend,
++ mtk_rng_runtime_resume, NULL)
++ SET_SYSTEM_SLEEP_PM_OPS(pm_runtime_force_suspend,
++ pm_runtime_force_resume)
++};
++
+ #define MTK_RNG_PM_OPS (&mtk_rng_pm_ops)
+ #else /* CONFIG_PM */
+ #define MTK_RNG_PM_OPS NULL
+--
+2.33.0
+
--- /dev/null
+From a754b9e2d91386aa81454effd1ecb8df616ab314 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Sep 2021 18:14:10 +0800
+Subject: i2c: mediatek: fixing the incorrect register offset
+
+From: Kewei Xu <kewei.xu@mediatek.com>
+
+[ Upstream commit b8228aea5a19d5111a7bf44f7de6749d1f5d487a ]
+
+The reason for the modification here is that the previous
+offset information is incorrect, OFFSET_DEBUGSTAT = 0xE4 is
+the correct value.
+
+Fixes: 25708278f810 ("i2c: mediatek: Add i2c support for MediaTek MT8183")
+Signed-off-by: Kewei Xu <kewei.xu@mediatek.com>
+Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
+Reviewed-by: Qii Wang <qii.wang@mediatek.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-mt65xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-mt65xx.c b/drivers/i2c/busses/i2c-mt65xx.c
+index 0af2784cbd0d9..265635db29aa5 100644
+--- a/drivers/i2c/busses/i2c-mt65xx.c
++++ b/drivers/i2c/busses/i2c-mt65xx.c
+@@ -195,7 +195,7 @@ static const u16 mt_i2c_regs_v2[] = {
+ [OFFSET_CLOCK_DIV] = 0x48,
+ [OFFSET_SOFTRESET] = 0x50,
+ [OFFSET_SCL_MIS_COMP_POINT] = 0x90,
+- [OFFSET_DEBUGSTAT] = 0xe0,
++ [OFFSET_DEBUGSTAT] = 0xe4,
+ [OFFSET_DEBUGCTRL] = 0xe8,
+ [OFFSET_FIFO_STAT] = 0xf4,
+ [OFFSET_FIFO_THRESH] = 0xf8,
+--
+2.33.0
+
--- /dev/null
+From 8a62c09201ec9c23167e893d7172f97ead666e1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Aug 2021 22:48:08 +0200
+Subject: i2c: xlr: Fix a resource leak in the error handling path of
+ 'xlr_i2c_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 7f98960c046ee1136e7096aee168eda03aef8a5d ]
+
+A successful 'clk_prepare()' call should be balanced by a corresponding
+'clk_unprepare()' call in the error handling path of the probe, as already
+done in the remove function.
+
+More specifically, 'clk_prepare_enable()' is used, but 'clk_disable()' is
+also already called. So just the unprepare step has still to be done.
+
+Update the error handling path accordingly.
+
+Fixes: 75d31c2372e4 ("i2c: xlr: add support for Sigma Designs controller variant")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-xlr.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-xlr.c b/drivers/i2c/busses/i2c-xlr.c
+index 126d1393e548b..9ce20652d4942 100644
+--- a/drivers/i2c/busses/i2c-xlr.c
++++ b/drivers/i2c/busses/i2c-xlr.c
+@@ -431,11 +431,15 @@ static int xlr_i2c_probe(struct platform_device *pdev)
+ i2c_set_adapdata(&priv->adap, priv);
+ ret = i2c_add_numbered_adapter(&priv->adap);
+ if (ret < 0)
+- return ret;
++ goto err_unprepare_clk;
+
+ platform_set_drvdata(pdev, priv);
+ dev_info(&priv->adap.dev, "Added I2C Bus.\n");
+ return 0;
++
++err_unprepare_clk:
++ clk_unprepare(clk);
++ return ret;
+ }
+
+ static int xlr_i2c_remove(struct platform_device *pdev)
+--
+2.33.0
+
--- /dev/null
+From c92481180a82cc60f750d976173d676a9ac4a431 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Sep 2021 10:12:24 -0700
+Subject: ia64: don't do IA64_CMPXCHG_DEBUG without CONFIG_PRINTK
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit c15b5fc054c3d6c97e953617605235c5cb8ce979 ]
+
+When CONFIG_PRINTK is not set, the CMPXCHG_BUGCHECK() macro calls
+_printk(), but _printk() is a static inline function, not available
+as an extern.
+Since the purpose of the macro is to print the BUGCHECK info,
+make this config option depend on PRINTK.
+
+Fixes multiple occurrences of this build error:
+
+../include/linux/printk.h:208:5: error: static declaration of '_printk' follows non-static declaration
+ 208 | int _printk(const char *s, ...)
+ | ^~~~~~~
+In file included from ../arch/ia64/include/asm/cmpxchg.h:5,
+../arch/ia64/include/uapi/asm/cmpxchg.h:146:28: note: previous declaration of '_printk' with type 'int(const char *, ...)'
+ 146 | extern int _printk(const char *fmt, ...);
+
+Cc: linux-ia64@vger.kernel.org
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: Chris Down <chris@chrisdown.name>
+Cc: Paul Gortmaker <paul.gortmaker@windriver.com>
+Cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/ia64/Kconfig.debug | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/ia64/Kconfig.debug b/arch/ia64/Kconfig.debug
+index 40ca23bd228d6..2ce008e2d1644 100644
+--- a/arch/ia64/Kconfig.debug
++++ b/arch/ia64/Kconfig.debug
+@@ -39,7 +39,7 @@ config DISABLE_VHPT
+
+ config IA64_DEBUG_CMPXCHG
+ bool "Turn on compare-and-exchange bug checking (slow!)"
+- depends on DEBUG_KERNEL
++ depends on DEBUG_KERNEL && PRINTK
+ help
+ Selecting this option turns on bug checking for the IA-64
+ compare-and-exchange instructions. This is slow! Itaniums
+--
+2.33.0
+
--- /dev/null
+From 40561aa60fcefcb2f0b81ea7794f5202ffc0562b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Oct 2021 15:03:14 -0700
+Subject: ibmvnic: don't stop queue in xmit
+
+From: Sukadev Bhattiprolu <sukadev@linux.ibm.com>
+
+[ Upstream commit 8878e46fcfd46b19964bd90e13b25dd94cbfc9be ]
+
+If adapter's resetting bit is on, discard the packet but don't stop the
+transmit queue - instead leave that to the reset code. With this change,
+it is possible that we may get several calls to ibmvnic_xmit() that simply
+discard packets and return.
+
+But if we stop the queue here, we might end up doing so just after
+__ibmvnic_open() started the queues (during a hard/soft reset) and before
+the ->resetting bit was cleared. If that happens, there will be no one to
+restart queue and transmissions will be blocked indefinitely.
+
+This can cause a TIMEOUT reset and with auto priority failover enabled,
+an unnecessary FAILOVER reset to less favored backing device and then a
+FAILOVER back to the most favored backing device. If we hit the window
+repeatedly, we can get stuck in a loop of TIMEOUT, FAILOVER, FAILOVER
+resets leaving the adapter unusable for extended periods of time.
+
+Fixes: 7f5b030830fe ("ibmvnic: Free skb's in cases of failure in transmit")
+Reported-by: Abdul Haleem <abdhalee@in.ibm.com>
+Reported-by: Vaishnavi Bhat <vaish123@in.ibm.com>
+Signed-off-by: Sukadev Bhattiprolu <sukadev@linux.ibm.com>
+Reviewed-by: Dany Madden <drt@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
+index bb8d0a0f48ee0..c470dbc03a23e 100644
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -1548,8 +1548,6 @@ static netdev_tx_t ibmvnic_xmit(struct sk_buff *skb, struct net_device *netdev)
+ netdev_tx_t ret = NETDEV_TX_OK;
+
+ if (test_bit(0, &adapter->resetting)) {
+- if (!netif_subqueue_stopped(netdev, skb))
+- netif_stop_subqueue(netdev, queue_num);
+ dev_kfree_skb_any(skb);
+
+ tx_send_failed++;
+--
+2.33.0
+
--- /dev/null
+From 1303c709c2bf85cc4547f02604499a1c8fae9a54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Oct 2021 15:03:15 -0700
+Subject: ibmvnic: Process crqs after enabling interrupts
+
+From: Sukadev Bhattiprolu <sukadev@linux.ibm.com>
+
+[ Upstream commit 6e20d00158f31f7631d68b86996b7e951c4451c8 ]
+
+Soon after registering a CRQ it is possible that we get a fail over or
+maybe a CRQ_INIT from the VIOS while interrupts were disabled.
+
+Look for any such CRQs after enabling interrupts.
+
+Otherwise we can intermittently fail to bring up ibmvnic adapters during
+boot, specially in kexec/kdump kernels.
+
+Fixes: 032c5e82847a ("Driver for IBM System i/p VNIC protocol")
+Reported-by: Vaishnavi Bhat <vaish123@in.ibm.com>
+Signed-off-by: Sukadev Bhattiprolu <sukadev@linux.ibm.com>
+Reviewed-by: Dany Madden <drt@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
+index c470dbc03a23e..4f99d97638248 100644
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -5185,6 +5185,9 @@ static int init_crq_queue(struct ibmvnic_adapter *adapter)
+ crq->cur = 0;
+ spin_lock_init(&crq->lock);
+
++ /* process any CRQs that were queued before we enabled interrupts */
++ tasklet_schedule(&adapter->tasklet);
++
+ return retrc;
+
+ req_irq_failed:
+--
+2.33.0
+
--- /dev/null
+From b746f8b0dc296ccebc25dededed852cca036eb2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Sep 2021 14:38:08 -0700
+Subject: ice: Fix not stopping Tx queues for VFs
+
+From: Brett Creeley <brett.creeley@intel.com>
+
+[ Upstream commit b385cca47363316c6d9a74ae9db407bbc281f815 ]
+
+When a VF is removed and/or reset its Tx queues need to be
+stopped from the PF. This is done by calling the ice_dis_vf_qs()
+function, which calls ice_vsi_stop_lan_tx_rings(). Currently
+ice_dis_vf_qs() is protected by the VF state bit ICE_VF_STATE_QS_ENA.
+Unfortunately, this is causing the Tx queues to not be disabled in some
+cases and when the VF tries to re-enable/reconfigure its Tx queues over
+virtchnl the op is failing. This is because a VF can be reset and/or
+removed before the ICE_VF_STATE_QS_ENA bit is set, but the Tx queues
+were already configured via ice_vsi_cfg_single_txq() in the
+VIRTCHNL_OP_CONFIG_VSI_QUEUES op. However, the ICE_VF_STATE_QS_ENA bit
+is set on a successful VIRTCHNL_OP_ENABLE_QUEUES, which will always
+happen after the VIRTCHNL_OP_CONFIG_VSI_QUEUES op.
+
+This was causing the following error message when loading the ice
+driver, creating VFs, and modifying VF trust in an endless loop:
+
+[35274.192484] ice 0000:88:00.0: Failed to set LAN Tx queue context, error: ICE_ERR_PARAM
+[35274.193074] ice 0000:88:00.0: VF 0 failed opcode 6, retval: -5
+[35274.193640] iavf 0000:88:01.0: PF returned error -5 (IAVF_ERR_PARAM) to our request 6
+
+Fix this by always calling ice_dis_vf_qs() and silencing the error
+message in ice_vsi_stop_tx_ring() since the calling code ignores the
+return anyway. Also, all other places that call ice_vsi_stop_tx_ring()
+catch the error, so this doesn't affect those flows since there was no
+change to the values the function returns.
+
+Other solutions were considered (i.e. tracking which VF queues had been
+"started/configured" in VIRTCHNL_OP_CONFIG_VSI_QUEUES, but it seemed
+more complicated than it was worth. This solution also brings in the
+chance for other unexpected conditions due to invalid state bit checks.
+So, the proposed solution seemed like the best option since there is no
+harm in failing to stop Tx queues that were never started.
+
+This issue can be seen using the following commands:
+
+for i in {0..50}; do
+ rmmod ice
+ modprobe ice
+
+ sleep 1
+
+ echo 1 > /sys/class/net/ens785f0/device/sriov_numvfs
+ echo 1 > /sys/class/net/ens785f1/device/sriov_numvfs
+
+ ip link set ens785f1 vf 0 trust on
+ ip link set ens785f0 vf 0 trust on
+
+ sleep 2
+
+ echo 0 > /sys/class/net/ens785f0/device/sriov_numvfs
+ echo 0 > /sys/class/net/ens785f1/device/sriov_numvfs
+ sleep 1
+ echo 1 > /sys/class/net/ens785f0/device/sriov_numvfs
+ echo 1 > /sys/class/net/ens785f1/device/sriov_numvfs
+
+ ip link set ens785f1 vf 0 trust on
+ ip link set ens785f0 vf 0 trust on
+done
+
+Fixes: 77ca27c41705 ("ice: add support for virtchnl_queue_select.[tx|rx]_queues bitmap")
+Signed-off-by: Brett Creeley <brett.creeley@intel.com>
+Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_base.c | 2 +-
+ drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c | 6 ++----
+ 2 files changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_base.c b/drivers/net/ethernet/intel/ice/ice_base.c
+index fe4320e2d1f2f..1929847b8c404 100644
+--- a/drivers/net/ethernet/intel/ice/ice_base.c
++++ b/drivers/net/ethernet/intel/ice/ice_base.c
+@@ -839,7 +839,7 @@ ice_vsi_stop_tx_ring(struct ice_vsi *vsi, enum ice_disq_rst_src rst_src,
+ } else if (status == ICE_ERR_DOES_NOT_EXIST) {
+ dev_dbg(ice_pf_to_dev(vsi->back), "LAN Tx queues do not exist, nothing to disable\n");
+ } else if (status) {
+- dev_err(ice_pf_to_dev(vsi->back), "Failed to disable LAN Tx queues, error: %s\n",
++ dev_dbg(ice_pf_to_dev(vsi->back), "Failed to disable LAN Tx queues, error: %s\n",
+ ice_stat_str(status));
+ return -ENODEV;
+ }
+diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
+index 22e23199c92c1..69ce5d60a8570 100644
+--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
+@@ -362,8 +362,7 @@ void ice_free_vfs(struct ice_pf *pf)
+
+ /* Avoid wait time by stopping all VFs at the same time */
+ ice_for_each_vf(pf, i)
+- if (test_bit(ICE_VF_STATE_QS_ENA, pf->vf[i].vf_states))
+- ice_dis_vf_qs(&pf->vf[i]);
++ ice_dis_vf_qs(&pf->vf[i]);
+
+ tmp = pf->num_alloc_vfs;
+ pf->num_qps_per_vf = 0;
+@@ -1291,8 +1290,7 @@ bool ice_reset_vf(struct ice_vf *vf, bool is_vflr)
+
+ vsi = pf->vsi[vf->lan_vsi_idx];
+
+- if (test_bit(ICE_VF_STATE_QS_ENA, vf->vf_states))
+- ice_dis_vf_qs(vf);
++ ice_dis_vf_qs(vf);
+
+ /* Call Disable LAN Tx queue AQ whether or not queues are
+ * enabled. This is needed for successful completion of VFR.
+--
+2.33.0
+
--- /dev/null
+From 2f1f23f8238764d08e52f64790007d624677e578 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 May 2021 08:40:03 -0700
+Subject: ice: Fix replacing VF hardware MAC to existing MAC filter
+
+From: Sylwester Dziedziuch <sylwesterx.dziedziuch@intel.com>
+
+[ Upstream commit ce572a5b88d5ca6737b5e23da9892792fd708ad3 ]
+
+VF was not able to change its hardware MAC address in case
+the new address was already present in the MAC filter list.
+Change the handling of VF add mac request to not return
+if requested MAC address is already present on the list
+and check if its hardware MAC needs to be updated in this case.
+
+Fixes: ed4c068d46f6 ("ice: Enable ip link show on the PF to display VF unicast MAC(s)")
+Signed-off-by: Sylwester Dziedziuch <sylwesterx.dziedziuch@intel.com>
+Tested-by: Tony Brelinski <tony.brelinski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
+index c9f82fd3cf48d..22e23199c92c1 100644
+--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
+@@ -3068,6 +3068,7 @@ ice_vc_add_mac_addr(struct ice_vf *vf, struct ice_vsi *vsi, u8 *mac_addr)
+ {
+ struct device *dev = ice_pf_to_dev(vf->pf);
+ enum ice_status status;
++ int ret = 0;
+
+ /* default unicast MAC already added */
+ if (ether_addr_equal(mac_addr, vf->dflt_lan_addr.addr))
+@@ -3080,13 +3081,18 @@ ice_vc_add_mac_addr(struct ice_vf *vf, struct ice_vsi *vsi, u8 *mac_addr)
+
+ status = ice_fltr_add_mac(vsi, mac_addr, ICE_FWD_TO_VSI);
+ if (status == ICE_ERR_ALREADY_EXISTS) {
+- dev_err(dev, "MAC %pM already exists for VF %d\n", mac_addr,
++ dev_dbg(dev, "MAC %pM already exists for VF %d\n", mac_addr,
+ vf->vf_id);
+- return -EEXIST;
++ /* don't return since we might need to update
++ * the primary MAC in ice_vfhw_mac_add() below
++ */
++ ret = -EEXIST;
+ } else if (status) {
+ dev_err(dev, "Failed to add MAC %pM for VF %d\n, error %s\n",
+ mac_addr, vf->vf_id, ice_stat_str(status));
+ return -EIO;
++ } else {
++ vf->num_mac++;
+ }
+
+ /* Set the default LAN address to the latest unicast MAC address added
+@@ -3096,9 +3102,7 @@ ice_vc_add_mac_addr(struct ice_vf *vf, struct ice_vsi *vsi, u8 *mac_addr)
+ if (is_unicast_ether_addr(mac_addr))
+ ether_addr_copy(vf->dflt_lan_addr.addr, mac_addr);
+
+- vf->num_mac++;
+-
+- return 0;
++ return ret;
+ }
+
+ /**
+--
+2.33.0
+
--- /dev/null
+From 183e3237230c795ed20146bb0da0dbec3d82c590 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Sep 2021 16:14:19 +0200
+Subject: iio: adis: do not disabe IRQs in 'adis_init()'
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nuno Sá <nuno.sa@analog.com>
+
+[ Upstream commit b600bd7eb333554518b4dd36b882b2ae58a5149e ]
+
+With commit ecb010d441088 ("iio: imu: adis: Refactor adis_initial_startup")
+we are doing a HW or SW reset to the device which means that we'll get
+the default state of the data ready pin (which is enabled). Hence there's
+no point in disabling the IRQ in the init function. Moreover, this
+function is intended to initialize internal data structures and not
+really do anything on the device.
+
+As a result of this, some devices were left with the data ready pin enabled
+after probe which was not the desired behavior. Thus, we move the call to
+'adis_enable_irq()' to the initial startup function where it makes more
+sense for it to be.
+
+Note that for devices that cannot mask/unmask the pin, it makes no sense
+to call the function at this point since the IRQ should not have been
+yet requested. This will be improved in a follow up change.
+
+Fixes: ecb010d441088 ("iio: imu: adis: Refactor adis_initial_startup")
+Signed-off-by: Nuno Sá <nuno.sa@analog.com>
+Link: https://lore.kernel.org/r/20210903141423.517028-2-nuno.sa@analog.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/imu/adis.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iio/imu/adis.c b/drivers/iio/imu/adis.c
+index f8b7837d8b8f6..715eef81bc248 100644
+--- a/drivers/iio/imu/adis.c
++++ b/drivers/iio/imu/adis.c
+@@ -434,6 +434,8 @@ int __adis_initial_startup(struct adis *adis)
+ if (ret)
+ return ret;
+
++ adis_enable_irq(adis, false);
++
+ if (!adis->data->prod_id_reg)
+ return 0;
+
+@@ -530,7 +532,7 @@ int adis_init(struct adis *adis, struct iio_dev *indio_dev,
+ adis->current_page = 0;
+ }
+
+- return adis_enable_irq(adis, false);
++ return 0;
+ }
+ EXPORT_SYMBOL_GPL(adis_init);
+
+--
+2.33.0
+
--- /dev/null
+From c24e465047ee95cb59ffa63cff35c149dbee7bb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Apr 2021 22:54:51 +0300
+Subject: iio: st_sensors: Call st_sensors_power_enable() from bus drivers
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 7db4f2cacbede1c6d95552c0d10e77398665a733 ]
+
+In case we would initialize two IIO devices from one physical device,
+we shouldn't have a clash on regulators. That's why move
+st_sensors_power_enable() call from core to bus drivers.
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20210414195454.84183-4-andriy.shevchenko@linux.intel.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/accel/st_accel_core.c | 21 +++++----------------
+ drivers/iio/accel/st_accel_i2c.c | 17 +++++++++++++++--
+ drivers/iio/accel/st_accel_spi.c | 17 +++++++++++++++--
+ drivers/iio/gyro/st_gyro_core.c | 15 +++------------
+ drivers/iio/gyro/st_gyro_i2c.c | 17 +++++++++++++++--
+ drivers/iio/gyro/st_gyro_spi.c | 17 +++++++++++++++--
+ drivers/iio/magnetometer/st_magn_core.c | 15 +++------------
+ drivers/iio/magnetometer/st_magn_i2c.c | 14 +++++++++++++-
+ drivers/iio/magnetometer/st_magn_spi.c | 14 +++++++++++++-
+ drivers/iio/pressure/st_pressure_core.c | 15 +++------------
+ drivers/iio/pressure/st_pressure_i2c.c | 17 +++++++++++++++--
+ drivers/iio/pressure/st_pressure_spi.c | 17 +++++++++++++++--
+ 12 files changed, 130 insertions(+), 66 deletions(-)
+
+diff --git a/drivers/iio/accel/st_accel_core.c b/drivers/iio/accel/st_accel_core.c
+index 43c50167d220c..bde0ca3ef7a4c 100644
+--- a/drivers/iio/accel/st_accel_core.c
++++ b/drivers/iio/accel/st_accel_core.c
+@@ -1255,13 +1255,9 @@ int st_accel_common_probe(struct iio_dev *indio_dev)
+ indio_dev->modes = INDIO_DIRECT_MODE;
+ indio_dev->info = &accel_info;
+
+- err = st_sensors_power_enable(indio_dev);
+- if (err)
+- return err;
+-
+ err = st_sensors_verify_id(indio_dev);
+ if (err < 0)
+- goto st_accel_power_off;
++ return err;
+
+ adata->num_data_channels = ST_ACCEL_NUMBER_DATA_CHANNELS;
+ indio_dev->num_channels = ST_SENSORS_NUMBER_ALL_CHANNELS;
+@@ -1270,10 +1266,8 @@ int st_accel_common_probe(struct iio_dev *indio_dev)
+ channels = devm_kmemdup(&indio_dev->dev,
+ adata->sensor_settings->ch,
+ channels_size, GFP_KERNEL);
+- if (!channels) {
+- err = -ENOMEM;
+- goto st_accel_power_off;
+- }
++ if (!channels)
++ return -ENOMEM;
+
+ if (apply_acpi_orientation(indio_dev, channels))
+ dev_warn(&indio_dev->dev,
+@@ -1288,11 +1282,11 @@ int st_accel_common_probe(struct iio_dev *indio_dev)
+
+ err = st_sensors_init_sensor(indio_dev, pdata);
+ if (err < 0)
+- goto st_accel_power_off;
++ return err;
+
+ err = st_accel_allocate_ring(indio_dev);
+ if (err < 0)
+- goto st_accel_power_off;
++ return err;
+
+ if (adata->irq > 0) {
+ err = st_sensors_allocate_trigger(indio_dev,
+@@ -1315,9 +1309,6 @@ st_accel_device_register_error:
+ st_sensors_deallocate_trigger(indio_dev);
+ st_accel_probe_trigger_error:
+ st_accel_deallocate_ring(indio_dev);
+-st_accel_power_off:
+- st_sensors_power_disable(indio_dev);
+-
+ return err;
+ }
+ EXPORT_SYMBOL(st_accel_common_probe);
+@@ -1326,8 +1317,6 @@ void st_accel_common_remove(struct iio_dev *indio_dev)
+ {
+ struct st_sensor_data *adata = iio_priv(indio_dev);
+
+- st_sensors_power_disable(indio_dev);
+-
+ iio_device_unregister(indio_dev);
+ if (adata->irq > 0)
+ st_sensors_deallocate_trigger(indio_dev);
+diff --git a/drivers/iio/accel/st_accel_i2c.c b/drivers/iio/accel/st_accel_i2c.c
+index 360e16f2cadb9..95e305b88d5ed 100644
+--- a/drivers/iio/accel/st_accel_i2c.c
++++ b/drivers/iio/accel/st_accel_i2c.c
+@@ -174,16 +174,29 @@ static int st_accel_i2c_probe(struct i2c_client *client)
+ if (ret < 0)
+ return ret;
+
++ ret = st_sensors_power_enable(indio_dev);
++ if (ret)
++ return ret;
++
+ ret = st_accel_common_probe(indio_dev);
+ if (ret < 0)
+- return ret;
++ goto st_accel_power_off;
+
+ return 0;
++
++st_accel_power_off:
++ st_sensors_power_disable(indio_dev);
++
++ return ret;
+ }
+
+ static int st_accel_i2c_remove(struct i2c_client *client)
+ {
+- st_accel_common_remove(i2c_get_clientdata(client));
++ struct iio_dev *indio_dev = i2c_get_clientdata(client);
++
++ st_sensors_power_disable(indio_dev);
++
++ st_accel_common_remove(indio_dev);
+
+ return 0;
+ }
+diff --git a/drivers/iio/accel/st_accel_spi.c b/drivers/iio/accel/st_accel_spi.c
+index 568ff1bae0eee..83d3308ce5ccc 100644
+--- a/drivers/iio/accel/st_accel_spi.c
++++ b/drivers/iio/accel/st_accel_spi.c
+@@ -123,16 +123,29 @@ static int st_accel_spi_probe(struct spi_device *spi)
+ if (err < 0)
+ return err;
+
++ err = st_sensors_power_enable(indio_dev);
++ if (err)
++ return err;
++
+ err = st_accel_common_probe(indio_dev);
+ if (err < 0)
+- return err;
++ goto st_accel_power_off;
+
+ return 0;
++
++st_accel_power_off:
++ st_sensors_power_disable(indio_dev);
++
++ return err;
+ }
+
+ static int st_accel_spi_remove(struct spi_device *spi)
+ {
+- st_accel_common_remove(spi_get_drvdata(spi));
++ struct iio_dev *indio_dev = spi_get_drvdata(spi);
++
++ st_sensors_power_disable(indio_dev);
++
++ st_accel_common_remove(indio_dev);
+
+ return 0;
+ }
+diff --git a/drivers/iio/gyro/st_gyro_core.c b/drivers/iio/gyro/st_gyro_core.c
+index c8aa051995d3b..8c87f85f20bd1 100644
+--- a/drivers/iio/gyro/st_gyro_core.c
++++ b/drivers/iio/gyro/st_gyro_core.c
+@@ -466,13 +466,9 @@ int st_gyro_common_probe(struct iio_dev *indio_dev)
+ indio_dev->modes = INDIO_DIRECT_MODE;
+ indio_dev->info = &gyro_info;
+
+- err = st_sensors_power_enable(indio_dev);
+- if (err)
+- return err;
+-
+ err = st_sensors_verify_id(indio_dev);
+ if (err < 0)
+- goto st_gyro_power_off;
++ return err;
+
+ gdata->num_data_channels = ST_GYRO_NUMBER_DATA_CHANNELS;
+ indio_dev->channels = gdata->sensor_settings->ch;
+@@ -485,11 +481,11 @@ int st_gyro_common_probe(struct iio_dev *indio_dev)
+
+ err = st_sensors_init_sensor(indio_dev, pdata);
+ if (err < 0)
+- goto st_gyro_power_off;
++ return err;
+
+ err = st_gyro_allocate_ring(indio_dev);
+ if (err < 0)
+- goto st_gyro_power_off;
++ return err;
+
+ if (gdata->irq > 0) {
+ err = st_sensors_allocate_trigger(indio_dev,
+@@ -512,9 +508,6 @@ st_gyro_device_register_error:
+ st_sensors_deallocate_trigger(indio_dev);
+ st_gyro_probe_trigger_error:
+ st_gyro_deallocate_ring(indio_dev);
+-st_gyro_power_off:
+- st_sensors_power_disable(indio_dev);
+-
+ return err;
+ }
+ EXPORT_SYMBOL(st_gyro_common_probe);
+@@ -523,8 +516,6 @@ void st_gyro_common_remove(struct iio_dev *indio_dev)
+ {
+ struct st_sensor_data *gdata = iio_priv(indio_dev);
+
+- st_sensors_power_disable(indio_dev);
+-
+ iio_device_unregister(indio_dev);
+ if (gdata->irq > 0)
+ st_sensors_deallocate_trigger(indio_dev);
+diff --git a/drivers/iio/gyro/st_gyro_i2c.c b/drivers/iio/gyro/st_gyro_i2c.c
+index 8190966e6ff0a..a25cc0379e163 100644
+--- a/drivers/iio/gyro/st_gyro_i2c.c
++++ b/drivers/iio/gyro/st_gyro_i2c.c
+@@ -86,16 +86,29 @@ static int st_gyro_i2c_probe(struct i2c_client *client,
+ if (err < 0)
+ return err;
+
++ err = st_sensors_power_enable(indio_dev);
++ if (err)
++ return err;
++
+ err = st_gyro_common_probe(indio_dev);
+ if (err < 0)
+- return err;
++ goto st_gyro_power_off;
+
+ return 0;
++
++st_gyro_power_off:
++ st_sensors_power_disable(indio_dev);
++
++ return err;
+ }
+
+ static int st_gyro_i2c_remove(struct i2c_client *client)
+ {
+- st_gyro_common_remove(i2c_get_clientdata(client));
++ struct iio_dev *indio_dev = i2c_get_clientdata(client);
++
++ st_sensors_power_disable(indio_dev);
++
++ st_gyro_common_remove(indio_dev);
+
+ return 0;
+ }
+diff --git a/drivers/iio/gyro/st_gyro_spi.c b/drivers/iio/gyro/st_gyro_spi.c
+index efb862763ca3d..18d6a2aeda45a 100644
+--- a/drivers/iio/gyro/st_gyro_spi.c
++++ b/drivers/iio/gyro/st_gyro_spi.c
+@@ -90,16 +90,29 @@ static int st_gyro_spi_probe(struct spi_device *spi)
+ if (err < 0)
+ return err;
+
++ err = st_sensors_power_enable(indio_dev);
++ if (err)
++ return err;
++
+ err = st_gyro_common_probe(indio_dev);
+ if (err < 0)
+- return err;
++ goto st_gyro_power_off;
+
+ return 0;
++
++st_gyro_power_off:
++ st_sensors_power_disable(indio_dev);
++
++ return err;
+ }
+
+ static int st_gyro_spi_remove(struct spi_device *spi)
+ {
+- st_gyro_common_remove(spi_get_drvdata(spi));
++ struct iio_dev *indio_dev = spi_get_drvdata(spi);
++
++ st_sensors_power_disable(indio_dev);
++
++ st_gyro_common_remove(indio_dev);
+
+ return 0;
+ }
+diff --git a/drivers/iio/magnetometer/st_magn_core.c b/drivers/iio/magnetometer/st_magn_core.c
+index 79de721e60159..0fc38f17dbe04 100644
+--- a/drivers/iio/magnetometer/st_magn_core.c
++++ b/drivers/iio/magnetometer/st_magn_core.c
+@@ -494,13 +494,9 @@ int st_magn_common_probe(struct iio_dev *indio_dev)
+ indio_dev->modes = INDIO_DIRECT_MODE;
+ indio_dev->info = &magn_info;
+
+- err = st_sensors_power_enable(indio_dev);
+- if (err)
+- return err;
+-
+ err = st_sensors_verify_id(indio_dev);
+ if (err < 0)
+- goto st_magn_power_off;
++ return err;
+
+ mdata->num_data_channels = ST_MAGN_NUMBER_DATA_CHANNELS;
+ indio_dev->channels = mdata->sensor_settings->ch;
+@@ -511,11 +507,11 @@ int st_magn_common_probe(struct iio_dev *indio_dev)
+
+ err = st_sensors_init_sensor(indio_dev, NULL);
+ if (err < 0)
+- goto st_magn_power_off;
++ return err;
+
+ err = st_magn_allocate_ring(indio_dev);
+ if (err < 0)
+- goto st_magn_power_off;
++ return err;
+
+ if (mdata->irq > 0) {
+ err = st_sensors_allocate_trigger(indio_dev,
+@@ -538,9 +534,6 @@ st_magn_device_register_error:
+ st_sensors_deallocate_trigger(indio_dev);
+ st_magn_probe_trigger_error:
+ st_magn_deallocate_ring(indio_dev);
+-st_magn_power_off:
+- st_sensors_power_disable(indio_dev);
+-
+ return err;
+ }
+ EXPORT_SYMBOL(st_magn_common_probe);
+@@ -549,8 +542,6 @@ void st_magn_common_remove(struct iio_dev *indio_dev)
+ {
+ struct st_sensor_data *mdata = iio_priv(indio_dev);
+
+- st_sensors_power_disable(indio_dev);
+-
+ iio_device_unregister(indio_dev);
+ if (mdata->irq > 0)
+ st_sensors_deallocate_trigger(indio_dev);
+diff --git a/drivers/iio/magnetometer/st_magn_i2c.c b/drivers/iio/magnetometer/st_magn_i2c.c
+index c6bb4ce775943..7a7ab27379fc1 100644
+--- a/drivers/iio/magnetometer/st_magn_i2c.c
++++ b/drivers/iio/magnetometer/st_magn_i2c.c
+@@ -78,16 +78,28 @@ static int st_magn_i2c_probe(struct i2c_client *client,
+ if (err < 0)
+ return err;
+
++ err = st_sensors_power_enable(indio_dev);
++ if (err)
++ return err;
++
+ err = st_magn_common_probe(indio_dev);
+ if (err < 0)
+- return err;
++ goto st_magn_power_off;
+
+ return 0;
++
++st_magn_power_off:
++ st_sensors_power_disable(indio_dev);
++
++ return err;
+ }
+
+ static int st_magn_i2c_remove(struct i2c_client *client)
+ {
+ struct iio_dev *indio_dev = i2c_get_clientdata(client);
++
++ st_sensors_power_disable(indio_dev);
++
+ st_magn_common_remove(indio_dev);
+
+ return 0;
+diff --git a/drivers/iio/magnetometer/st_magn_spi.c b/drivers/iio/magnetometer/st_magn_spi.c
+index 3d08d74c367da..ee352f083c020 100644
+--- a/drivers/iio/magnetometer/st_magn_spi.c
++++ b/drivers/iio/magnetometer/st_magn_spi.c
+@@ -72,16 +72,28 @@ static int st_magn_spi_probe(struct spi_device *spi)
+ if (err < 0)
+ return err;
+
++ err = st_sensors_power_enable(indio_dev);
++ if (err)
++ return err;
++
+ err = st_magn_common_probe(indio_dev);
+ if (err < 0)
+- return err;
++ goto st_magn_power_off;
+
+ return 0;
++
++st_magn_power_off:
++ st_sensors_power_disable(indio_dev);
++
++ return err;
+ }
+
+ static int st_magn_spi_remove(struct spi_device *spi)
+ {
+ struct iio_dev *indio_dev = spi_get_drvdata(spi);
++
++ st_sensors_power_disable(indio_dev);
++
+ st_magn_common_remove(indio_dev);
+
+ return 0;
+diff --git a/drivers/iio/pressure/st_pressure_core.c b/drivers/iio/pressure/st_pressure_core.c
+index 789a2928504a7..7912b5a683955 100644
+--- a/drivers/iio/pressure/st_pressure_core.c
++++ b/drivers/iio/pressure/st_pressure_core.c
+@@ -689,13 +689,9 @@ int st_press_common_probe(struct iio_dev *indio_dev)
+ indio_dev->modes = INDIO_DIRECT_MODE;
+ indio_dev->info = &press_info;
+
+- err = st_sensors_power_enable(indio_dev);
+- if (err)
+- return err;
+-
+ err = st_sensors_verify_id(indio_dev);
+ if (err < 0)
+- goto st_press_power_off;
++ return err;
+
+ /*
+ * Skip timestamping channel while declaring available channels to
+@@ -718,11 +714,11 @@ int st_press_common_probe(struct iio_dev *indio_dev)
+
+ err = st_sensors_init_sensor(indio_dev, pdata);
+ if (err < 0)
+- goto st_press_power_off;
++ return err;
+
+ err = st_press_allocate_ring(indio_dev);
+ if (err < 0)
+- goto st_press_power_off;
++ return err;
+
+ if (press_data->irq > 0) {
+ err = st_sensors_allocate_trigger(indio_dev,
+@@ -745,9 +741,6 @@ st_press_device_register_error:
+ st_sensors_deallocate_trigger(indio_dev);
+ st_press_probe_trigger_error:
+ st_press_deallocate_ring(indio_dev);
+-st_press_power_off:
+- st_sensors_power_disable(indio_dev);
+-
+ return err;
+ }
+ EXPORT_SYMBOL(st_press_common_probe);
+@@ -756,8 +749,6 @@ void st_press_common_remove(struct iio_dev *indio_dev)
+ {
+ struct st_sensor_data *press_data = iio_priv(indio_dev);
+
+- st_sensors_power_disable(indio_dev);
+-
+ iio_device_unregister(indio_dev);
+ if (press_data->irq > 0)
+ st_sensors_deallocate_trigger(indio_dev);
+diff --git a/drivers/iio/pressure/st_pressure_i2c.c b/drivers/iio/pressure/st_pressure_i2c.c
+index 09c6903f99b87..f0a5af314ceb8 100644
+--- a/drivers/iio/pressure/st_pressure_i2c.c
++++ b/drivers/iio/pressure/st_pressure_i2c.c
+@@ -98,16 +98,29 @@ static int st_press_i2c_probe(struct i2c_client *client,
+ if (ret < 0)
+ return ret;
+
++ ret = st_sensors_power_enable(indio_dev);
++ if (ret)
++ return ret;
++
+ ret = st_press_common_probe(indio_dev);
+ if (ret < 0)
+- return ret;
++ goto st_press_power_off;
+
+ return 0;
++
++st_press_power_off:
++ st_sensors_power_disable(indio_dev);
++
++ return ret;
+ }
+
+ static int st_press_i2c_remove(struct i2c_client *client)
+ {
+- st_press_common_remove(i2c_get_clientdata(client));
++ struct iio_dev *indio_dev = i2c_get_clientdata(client);
++
++ st_sensors_power_disable(indio_dev);
++
++ st_press_common_remove(indio_dev);
+
+ return 0;
+ }
+diff --git a/drivers/iio/pressure/st_pressure_spi.c b/drivers/iio/pressure/st_pressure_spi.c
+index b5ee3ec2764ff..b48cf7d01cd74 100644
+--- a/drivers/iio/pressure/st_pressure_spi.c
++++ b/drivers/iio/pressure/st_pressure_spi.c
+@@ -82,16 +82,29 @@ static int st_press_spi_probe(struct spi_device *spi)
+ if (err < 0)
+ return err;
+
++ err = st_sensors_power_enable(indio_dev);
++ if (err)
++ return err;
++
+ err = st_press_common_probe(indio_dev);
+ if (err < 0)
+- return err;
++ goto st_press_power_off;
+
+ return 0;
++
++st_press_power_off:
++ st_sensors_power_disable(indio_dev);
++
++ return err;
+ }
+
+ static int st_press_spi_remove(struct spi_device *spi)
+ {
+- st_press_common_remove(spi_get_drvdata(spi));
++ struct iio_dev *indio_dev = spi_get_drvdata(spi);
++
++ st_sensors_power_disable(indio_dev);
++
++ st_press_common_remove(indio_dev);
+
+ return 0;
+ }
+--
+2.33.0
+
--- /dev/null
+From 76fd4936c6d673bb0b38a9537bfff94ac5830c9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Aug 2021 14:22:00 +0300
+Subject: iio: st_sensors: disable regulators after device unregistration
+
+From: Alexandru Ardelean <aardelean@deviqon.com>
+
+[ Upstream commit 9f0b3e0cc0c88618aa9e5cecef747b1337ae0a5d ]
+
+Up until commit ea7e586bdd331 ("iio: st_sensors: move regulator retrieveal
+to core") only the ST pressure driver seems to have had any regulator
+disable. After that commit, the regulator handling was moved into the
+common st_sensors logic.
+
+In all instances of this regulator handling, the regulators were disabled
+before unregistering the IIO device.
+This can cause issues where the device would be powered down and still be
+available to userspace, allowing it to send invalid/garbage data.
+
+This change moves the st_sensors_power_disable() after the common probe
+functions. These common probe functions also handle unregistering the IIO
+device.
+
+Fixes: 774487611c949 ("iio: pressure-core: st: Provide support for the Vdd power supply")
+Fixes: ea7e586bdd331 ("iio: st_sensors: move regulator retrieveal to core")
+Cc: Lee Jones <lee.jones@linaro.org>
+Cc: Denis CIOCCA <denis.ciocca@st.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Alexandru Ardelean <aardelean@deviqon.com>
+Link: https://lore.kernel.org/r/20210823112204.243255-2-aardelean@deviqon.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/accel/st_accel_i2c.c | 4 ++--
+ drivers/iio/accel/st_accel_spi.c | 4 ++--
+ drivers/iio/gyro/st_gyro_i2c.c | 4 ++--
+ drivers/iio/gyro/st_gyro_spi.c | 4 ++--
+ drivers/iio/magnetometer/st_magn_i2c.c | 4 ++--
+ drivers/iio/magnetometer/st_magn_spi.c | 4 ++--
+ drivers/iio/pressure/st_pressure_i2c.c | 4 ++--
+ drivers/iio/pressure/st_pressure_spi.c | 4 ++--
+ 8 files changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/iio/accel/st_accel_i2c.c b/drivers/iio/accel/st_accel_i2c.c
+index 95e305b88d5ed..02c823b93ecd4 100644
+--- a/drivers/iio/accel/st_accel_i2c.c
++++ b/drivers/iio/accel/st_accel_i2c.c
+@@ -194,10 +194,10 @@ static int st_accel_i2c_remove(struct i2c_client *client)
+ {
+ struct iio_dev *indio_dev = i2c_get_clientdata(client);
+
+- st_sensors_power_disable(indio_dev);
+-
+ st_accel_common_remove(indio_dev);
+
++ st_sensors_power_disable(indio_dev);
++
+ return 0;
+ }
+
+diff --git a/drivers/iio/accel/st_accel_spi.c b/drivers/iio/accel/st_accel_spi.c
+index 83d3308ce5ccc..386ae18d5f269 100644
+--- a/drivers/iio/accel/st_accel_spi.c
++++ b/drivers/iio/accel/st_accel_spi.c
+@@ -143,10 +143,10 @@ static int st_accel_spi_remove(struct spi_device *spi)
+ {
+ struct iio_dev *indio_dev = spi_get_drvdata(spi);
+
+- st_sensors_power_disable(indio_dev);
+-
+ st_accel_common_remove(indio_dev);
+
++ st_sensors_power_disable(indio_dev);
++
+ return 0;
+ }
+
+diff --git a/drivers/iio/gyro/st_gyro_i2c.c b/drivers/iio/gyro/st_gyro_i2c.c
+index a25cc0379e163..3ed5779779465 100644
+--- a/drivers/iio/gyro/st_gyro_i2c.c
++++ b/drivers/iio/gyro/st_gyro_i2c.c
+@@ -106,10 +106,10 @@ static int st_gyro_i2c_remove(struct i2c_client *client)
+ {
+ struct iio_dev *indio_dev = i2c_get_clientdata(client);
+
+- st_sensors_power_disable(indio_dev);
+-
+ st_gyro_common_remove(indio_dev);
+
++ st_sensors_power_disable(indio_dev);
++
+ return 0;
+ }
+
+diff --git a/drivers/iio/gyro/st_gyro_spi.c b/drivers/iio/gyro/st_gyro_spi.c
+index 18d6a2aeda45a..c04bcf2518c11 100644
+--- a/drivers/iio/gyro/st_gyro_spi.c
++++ b/drivers/iio/gyro/st_gyro_spi.c
+@@ -110,10 +110,10 @@ static int st_gyro_spi_remove(struct spi_device *spi)
+ {
+ struct iio_dev *indio_dev = spi_get_drvdata(spi);
+
+- st_sensors_power_disable(indio_dev);
+-
+ st_gyro_common_remove(indio_dev);
+
++ st_sensors_power_disable(indio_dev);
++
+ return 0;
+ }
+
+diff --git a/drivers/iio/magnetometer/st_magn_i2c.c b/drivers/iio/magnetometer/st_magn_i2c.c
+index 7a7ab27379fc1..4b6a251dd44ef 100644
+--- a/drivers/iio/magnetometer/st_magn_i2c.c
++++ b/drivers/iio/magnetometer/st_magn_i2c.c
+@@ -98,10 +98,10 @@ static int st_magn_i2c_remove(struct i2c_client *client)
+ {
+ struct iio_dev *indio_dev = i2c_get_clientdata(client);
+
+- st_sensors_power_disable(indio_dev);
+-
+ st_magn_common_remove(indio_dev);
+
++ st_sensors_power_disable(indio_dev);
++
+ return 0;
+ }
+
+diff --git a/drivers/iio/magnetometer/st_magn_spi.c b/drivers/iio/magnetometer/st_magn_spi.c
+index ee352f083c020..501eff32df783 100644
+--- a/drivers/iio/magnetometer/st_magn_spi.c
++++ b/drivers/iio/magnetometer/st_magn_spi.c
+@@ -92,10 +92,10 @@ static int st_magn_spi_remove(struct spi_device *spi)
+ {
+ struct iio_dev *indio_dev = spi_get_drvdata(spi);
+
+- st_sensors_power_disable(indio_dev);
+-
+ st_magn_common_remove(indio_dev);
+
++ st_sensors_power_disable(indio_dev);
++
+ return 0;
+ }
+
+diff --git a/drivers/iio/pressure/st_pressure_i2c.c b/drivers/iio/pressure/st_pressure_i2c.c
+index f0a5af314ceb8..8c26ff61e56ad 100644
+--- a/drivers/iio/pressure/st_pressure_i2c.c
++++ b/drivers/iio/pressure/st_pressure_i2c.c
+@@ -118,10 +118,10 @@ static int st_press_i2c_remove(struct i2c_client *client)
+ {
+ struct iio_dev *indio_dev = i2c_get_clientdata(client);
+
+- st_sensors_power_disable(indio_dev);
+-
+ st_press_common_remove(indio_dev);
+
++ st_sensors_power_disable(indio_dev);
++
+ return 0;
+ }
+
+diff --git a/drivers/iio/pressure/st_pressure_spi.c b/drivers/iio/pressure/st_pressure_spi.c
+index b48cf7d01cd74..8cf8cd3b4554a 100644
+--- a/drivers/iio/pressure/st_pressure_spi.c
++++ b/drivers/iio/pressure/st_pressure_spi.c
+@@ -102,10 +102,10 @@ static int st_press_spi_remove(struct spi_device *spi)
+ {
+ struct iio_dev *indio_dev = spi_get_drvdata(spi);
+
+- st_sensors_power_disable(indio_dev);
+-
+ st_press_common_remove(indio_dev);
+
++ st_sensors_power_disable(indio_dev);
++
+ return 0;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 33f3c1d1a80127b4f045cd3ad309e00abda8a873 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jul 2021 19:03:47 +0200
+Subject: iov_iter: Fix iov_iter_get_pages{,_alloc} page fault return value
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+[ Upstream commit 814a66741b9ffb5e1ba119e368b178edb0b7322d ]
+
+Both iov_iter_get_pages and iov_iter_get_pages_alloc return the number
+of bytes of the iovec they could get the pages for. When they cannot
+get any pages, they're supposed to return 0, but when the start of the
+iovec isn't page aligned, the calculation goes wrong and they return a
+negative value. Fix both functions.
+
+In addition, change iov_iter_get_pages_alloc to return NULL in that case
+to prevent resource leaks.
+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/iov_iter.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/iov_iter.c b/lib/iov_iter.c
+index 537bfdc8cd095..b364231b5fc8c 100644
+--- a/lib/iov_iter.c
++++ b/lib/iov_iter.c
+@@ -1343,7 +1343,7 @@ ssize_t iov_iter_get_pages(struct iov_iter *i,
+ res = get_user_pages_fast(addr, n,
+ iov_iter_rw(i) != WRITE ? FOLL_WRITE : 0,
+ pages);
+- if (unlikely(res < 0))
++ if (unlikely(res <= 0))
+ return res;
+ return (res == n ? len : res * PAGE_SIZE) - *start;
+ 0;}),({
+@@ -1424,8 +1424,9 @@ ssize_t iov_iter_get_pages_alloc(struct iov_iter *i,
+ return -ENOMEM;
+ res = get_user_pages_fast(addr, n,
+ iov_iter_rw(i) != WRITE ? FOLL_WRITE : 0, p);
+- if (unlikely(res < 0)) {
++ if (unlikely(res <= 0)) {
+ kvfree(p);
++ *pages = NULL;
+ return res;
+ }
+ *pages = p;
+--
+2.33.0
+
--- /dev/null
+From a3d8ac4ac0565f47cd18b899a45cc0f6917482ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Sep 2021 11:36:20 -0500
+Subject: ipmi: Disable some operations during a panic
+
+From: Corey Minyard <cminyard@mvista.com>
+
+[ Upstream commit b36eb5e7b75a756baa64909a176dd4269ee05a8b ]
+
+Don't do kfree or other risky things when oops_in_progress is set.
+It's easy enough to avoid doing them
+
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/ipmi/ipmi_msghandler.c | 10 +++++++---
+ drivers/char/ipmi/ipmi_watchdog.c | 17 ++++++++++++-----
+ 2 files changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
+index 8774a3b8ff959..abb865b1dff29 100644
+--- a/drivers/char/ipmi/ipmi_msghandler.c
++++ b/drivers/char/ipmi/ipmi_msghandler.c
+@@ -4802,7 +4802,9 @@ static atomic_t recv_msg_inuse_count = ATOMIC_INIT(0);
+ static void free_smi_msg(struct ipmi_smi_msg *msg)
+ {
+ atomic_dec(&smi_msg_inuse_count);
+- kfree(msg);
++ /* Try to keep as much stuff out of the panic path as possible. */
++ if (!oops_in_progress)
++ kfree(msg);
+ }
+
+ struct ipmi_smi_msg *ipmi_alloc_smi_msg(void)
+@@ -4821,7 +4823,9 @@ EXPORT_SYMBOL(ipmi_alloc_smi_msg);
+ static void free_recv_msg(struct ipmi_recv_msg *msg)
+ {
+ atomic_dec(&recv_msg_inuse_count);
+- kfree(msg);
++ /* Try to keep as much stuff out of the panic path as possible. */
++ if (!oops_in_progress)
++ kfree(msg);
+ }
+
+ static struct ipmi_recv_msg *ipmi_alloc_recv_msg(void)
+@@ -4839,7 +4843,7 @@ static struct ipmi_recv_msg *ipmi_alloc_recv_msg(void)
+
+ void ipmi_free_recv_msg(struct ipmi_recv_msg *msg)
+ {
+- if (msg->user)
++ if (msg->user && !oops_in_progress)
+ kref_put(&msg->user->refcount, free_user);
+ msg->done(msg);
+ }
+diff --git a/drivers/char/ipmi/ipmi_watchdog.c b/drivers/char/ipmi/ipmi_watchdog.c
+index 6384510c48d6b..92eda5b2f1341 100644
+--- a/drivers/char/ipmi/ipmi_watchdog.c
++++ b/drivers/char/ipmi/ipmi_watchdog.c
+@@ -342,13 +342,17 @@ static atomic_t msg_tofree = ATOMIC_INIT(0);
+ static DECLARE_COMPLETION(msg_wait);
+ static void msg_free_smi(struct ipmi_smi_msg *msg)
+ {
+- if (atomic_dec_and_test(&msg_tofree))
+- complete(&msg_wait);
++ if (atomic_dec_and_test(&msg_tofree)) {
++ if (!oops_in_progress)
++ complete(&msg_wait);
++ }
+ }
+ static void msg_free_recv(struct ipmi_recv_msg *msg)
+ {
+- if (atomic_dec_and_test(&msg_tofree))
+- complete(&msg_wait);
++ if (atomic_dec_and_test(&msg_tofree)) {
++ if (!oops_in_progress)
++ complete(&msg_wait);
++ }
+ }
+ static struct ipmi_smi_msg smi_msg = {
+ .done = msg_free_smi
+@@ -434,8 +438,10 @@ static int _ipmi_set_timeout(int do_heartbeat)
+ rv = __ipmi_set_timeout(&smi_msg,
+ &recv_msg,
+ &send_heartbeat_now);
+- if (rv)
++ if (rv) {
++ atomic_set(&msg_tofree, 0);
+ return rv;
++ }
+
+ wait_for_completion(&msg_wait);
+
+@@ -580,6 +586,7 @@ restart:
+ &recv_msg,
+ 1);
+ if (rv) {
++ atomic_set(&msg_tofree, 0);
+ pr_warn("heartbeat send failure: %d\n", rv);
+ return rv;
+ }
+--
+2.33.0
+
--- /dev/null
+From 531e889f4ed336a30ff80dc9f3993fdce9c5509e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Oct 2021 17:25:22 +0100
+Subject: irq: mips: avoid nested irq_enter()
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+[ Upstream commit c65b52d02f6c1a06ddb20cba175ad49eccd6410d ]
+
+As bcm6345_l1_irq_handle() is a chained irqchip handler, it will be
+invoked within the context of the root irqchip handler, which must have
+entered IRQ context already.
+
+When bcm6345_l1_irq_handle() calls arch/mips's do_IRQ() , this will nest
+another call to irq_enter(), and the resulting nested increment to
+`rcu_data.dynticks_nmi_nesting` will cause rcu_is_cpu_rrupt_from_idle()
+to fail to identify wakeups from idle, resulting in failure to preempt,
+and RCU stalls.
+
+Chained irqchip handlers must invoke IRQ handlers by way of thee core
+irqchip code, i.e. generic_handle_irq() or generic_handle_domain_irq()
+and should not call do_IRQ(), which is intended only for root irqchip
+handlers.
+
+Fix bcm6345_l1_irq_handle() by calling generic_handle_irq() directly.
+
+Fixes: c7c42ec2baa1de7a ("irqchips/bmips: Add bcm6345-l1 interrupt controller")
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Reviewed-by: Marc Zyngier <maz@kernel.org>
+Acked-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-bcm6345-l1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/irqchip/irq-bcm6345-l1.c b/drivers/irqchip/irq-bcm6345-l1.c
+index e3483789f4df3..1bd0621c4ce2a 100644
+--- a/drivers/irqchip/irq-bcm6345-l1.c
++++ b/drivers/irqchip/irq-bcm6345-l1.c
+@@ -140,7 +140,7 @@ static void bcm6345_l1_irq_handle(struct irq_desc *desc)
+ for_each_set_bit(hwirq, &pending, IRQS_PER_WORD) {
+ irq = irq_linear_revmap(intc->domain, base + hwirq);
+ if (irq)
+- do_IRQ(irq);
++ generic_handle_irq(irq);
+ else
+ spurious_interrupt();
+ }
+--
+2.33.0
+
--- /dev/null
+From 0e63f24d5ae0fef7f76469369adbb770e113cf59 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 17 Oct 2021 11:43:40 +0300
+Subject: iwlwifi: mvm: disable RX-diversity in powersave
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit e5322b9ab5f63536c41301150b7ce64605ce52cc ]
+
+Just like we have default SMPS mode as dynamic in powersave,
+we should not enable RX-diversity in powersave, to reduce
+power consumption when connected to a non-MIMO AP.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20211017113927.fc896bc5cdaa.I1d11da71b8a5cbe921a37058d5f578f1b14a2023@changeid
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/utils.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/utils.c b/drivers/net/wireless/intel/iwlwifi/mvm/utils.c
+index 3123036978a59..caf38ef64d3ce 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/utils.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/utils.c
+@@ -741,6 +741,9 @@ bool iwl_mvm_rx_diversity_allowed(struct iwl_mvm *mvm)
+
+ lockdep_assert_held(&mvm->mutex);
+
++ if (iwlmvm_mod_params.power_scheme != IWL_POWER_SCHEME_CAM)
++ return false;
++
+ if (num_of_ant(iwl_mvm_get_valid_rx_ant(mvm)) == 1)
+ return false;
+
+--
+2.33.0
+
--- /dev/null
+From 40b12bc39502d960b4685bcdcf816ac0c0b08253 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Sep 2021 10:37:41 +0800
+Subject: JFS: fix memleak in jfs_mount
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit c48a14dca2cb57527dde6b960adbe69953935f10 ]
+
+In jfs_mount, when diMount(ipaimap2) fails, it goes to errout35. However,
+the following code does not free ipaimap2 allocated by diReadSpecial.
+
+Fix this by refactoring the error handling code of jfs_mount. To be
+specific, modify the lable name and free ipaimap2 when the above error
+ocurrs.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_mount.c | 51 ++++++++++++++++++++--------------------------
+ 1 file changed, 22 insertions(+), 29 deletions(-)
+
+diff --git a/fs/jfs/jfs_mount.c b/fs/jfs/jfs_mount.c
+index 5d7d7170c03c0..aa4ff7bcaff23 100644
+--- a/fs/jfs/jfs_mount.c
++++ b/fs/jfs/jfs_mount.c
+@@ -81,14 +81,14 @@ int jfs_mount(struct super_block *sb)
+ * (initialize mount inode from the superblock)
+ */
+ if ((rc = chkSuper(sb))) {
+- goto errout20;
++ goto out;
+ }
+
+ ipaimap = diReadSpecial(sb, AGGREGATE_I, 0);
+ if (ipaimap == NULL) {
+ jfs_err("jfs_mount: Failed to read AGGREGATE_I");
+ rc = -EIO;
+- goto errout20;
++ goto out;
+ }
+ sbi->ipaimap = ipaimap;
+
+@@ -99,7 +99,7 @@ int jfs_mount(struct super_block *sb)
+ */
+ if ((rc = diMount(ipaimap))) {
+ jfs_err("jfs_mount: diMount(ipaimap) failed w/rc = %d", rc);
+- goto errout21;
++ goto err_ipaimap;
+ }
+
+ /*
+@@ -108,7 +108,7 @@ int jfs_mount(struct super_block *sb)
+ ipbmap = diReadSpecial(sb, BMAP_I, 0);
+ if (ipbmap == NULL) {
+ rc = -EIO;
+- goto errout22;
++ goto err_umount_ipaimap;
+ }
+
+ jfs_info("jfs_mount: ipbmap:0x%p", ipbmap);
+@@ -120,7 +120,7 @@ int jfs_mount(struct super_block *sb)
+ */
+ if ((rc = dbMount(ipbmap))) {
+ jfs_err("jfs_mount: dbMount failed w/rc = %d", rc);
+- goto errout22;
++ goto err_ipbmap;
+ }
+
+ /*
+@@ -139,7 +139,7 @@ int jfs_mount(struct super_block *sb)
+ if (!ipaimap2) {
+ jfs_err("jfs_mount: Failed to read AGGREGATE_I");
+ rc = -EIO;
+- goto errout35;
++ goto err_umount_ipbmap;
+ }
+ sbi->ipaimap2 = ipaimap2;
+
+@@ -151,7 +151,7 @@ int jfs_mount(struct super_block *sb)
+ if ((rc = diMount(ipaimap2))) {
+ jfs_err("jfs_mount: diMount(ipaimap2) failed, rc = %d",
+ rc);
+- goto errout35;
++ goto err_ipaimap2;
+ }
+ } else
+ /* Secondary aggregate inode table is not valid */
+@@ -168,7 +168,7 @@ int jfs_mount(struct super_block *sb)
+ jfs_err("jfs_mount: Failed to read FILESYSTEM_I");
+ /* open fileset secondary inode allocation map */
+ rc = -EIO;
+- goto errout40;
++ goto err_umount_ipaimap2;
+ }
+ jfs_info("jfs_mount: ipimap:0x%p", ipimap);
+
+@@ -178,41 +178,34 @@ int jfs_mount(struct super_block *sb)
+ /* initialize fileset inode allocation map */
+ if ((rc = diMount(ipimap))) {
+ jfs_err("jfs_mount: diMount failed w/rc = %d", rc);
+- goto errout41;
++ goto err_ipimap;
+ }
+
+- goto out;
++ return rc;
+
+ /*
+ * unwind on error
+ */
+- errout41: /* close fileset inode allocation map inode */
++err_ipimap:
++ /* close fileset inode allocation map inode */
+ diFreeSpecial(ipimap);
+-
+- errout40: /* fileset closed */
+-
++err_umount_ipaimap2:
+ /* close secondary aggregate inode allocation map */
+- if (ipaimap2) {
++ if (ipaimap2)
+ diUnmount(ipaimap2, 1);
++err_ipaimap2:
++ /* close aggregate inodes */
++ if (ipaimap2)
+ diFreeSpecial(ipaimap2);
+- }
+-
+- errout35:
+-
+- /* close aggregate block allocation map */
++err_umount_ipbmap: /* close aggregate block allocation map */
+ dbUnmount(ipbmap, 1);
++err_ipbmap: /* close aggregate inodes */
+ diFreeSpecial(ipbmap);
+-
+- errout22: /* close aggregate inode allocation map */
+-
++err_umount_ipaimap: /* close aggregate inode allocation map */
+ diUnmount(ipaimap, 1);
+-
+- errout21: /* close aggregate inodes */
++err_ipaimap: /* close aggregate inodes */
+ diFreeSpecial(ipaimap);
+- errout20: /* aggregate closed */
+-
+- out:
+-
++out:
+ if (rc)
+ jfs_err("Mount JFS Failure: %d", rc);
+
+--
+2.33.0
+
--- /dev/null
+From 234fc5a6298de9a93487fcfd8e938cfd4ea3cada Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Sep 2021 14:40:30 +0800
+Subject: kernel/sched: Fix sched_fork() access an invalid sched_task_group
+
+From: Zhang Qiao <zhangqiao22@huawei.com>
+
+[ Upstream commit 4ef0c5c6b5ba1f38f0ea1cedad0cad722f00c14a ]
+
+There is a small race between copy_process() and sched_fork()
+where child->sched_task_group point to an already freed pointer.
+
+ parent doing fork() | someone moving the parent
+ | to another cgroup
+ -------------------------------+-------------------------------
+ copy_process()
+ + dup_task_struct()<1>
+ parent move to another cgroup,
+ and free the old cgroup. <2>
+ + sched_fork()
+ + __set_task_cpu()<3>
+ + task_fork_fair()
+ + sched_slice()<4>
+
+In the worst case, this bug can lead to "use-after-free" and
+cause panic as shown above:
+
+ (1) parent copy its sched_task_group to child at <1>;
+
+ (2) someone move the parent to another cgroup and free the old
+ cgroup at <2>;
+
+ (3) the sched_task_group and cfs_rq that belong to the old cgroup
+ will be accessed at <3> and <4>, which cause a panic:
+
+ [] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
+ [] PGD 8000001fa0a86067 P4D 8000001fa0a86067 PUD 2029955067 PMD 0
+ [] Oops: 0000 [#1] SMP PTI
+ [] CPU: 7 PID: 648398 Comm: ebizzy Kdump: loaded Tainted: G OE --------- - - 4.18.0.x86_64+ #1
+ [] RIP: 0010:sched_slice+0x84/0xc0
+
+ [] Call Trace:
+ [] task_fork_fair+0x81/0x120
+ [] sched_fork+0x132/0x240
+ [] copy_process.part.5+0x675/0x20e0
+ [] ? __handle_mm_fault+0x63f/0x690
+ [] _do_fork+0xcd/0x3b0
+ [] do_syscall_64+0x5d/0x1d0
+ [] entry_SYSCALL_64_after_hwframe+0x65/0xca
+ [] RIP: 0033:0x7f04418cd7e1
+
+Between cgroup_can_fork() and cgroup_post_fork(), the cgroup
+membership and thus sched_task_group can't change. So update child's
+sched_task_group at sched_post_fork() and move task_fork() and
+__set_task_cpu() (where accees the sched_task_group) from sched_fork()
+to sched_post_fork().
+
+Fixes: 8323f26ce342 ("sched: Fix race in task_group")
+Signed-off-by: Zhang Qiao <zhangqiao22@huawei.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Tejun Heo <tj@kernel.org>
+Link: https://lkml.kernel.org/r/20210915064030.2231-1-zhangqiao22@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/sched/task.h | 3 ++-
+ kernel/fork.c | 2 +-
+ kernel/sched/core.c | 43 +++++++++++++++++++-------------------
+ 3 files changed, 25 insertions(+), 23 deletions(-)
+
+diff --git a/include/linux/sched/task.h b/include/linux/sched/task.h
+index 85fb2f34c59b7..24cacb1ca654d 100644
+--- a/include/linux/sched/task.h
++++ b/include/linux/sched/task.h
+@@ -55,7 +55,8 @@ extern asmlinkage void schedule_tail(struct task_struct *prev);
+ extern void init_idle(struct task_struct *idle, int cpu);
+
+ extern int sched_fork(unsigned long clone_flags, struct task_struct *p);
+-extern void sched_post_fork(struct task_struct *p);
++extern void sched_post_fork(struct task_struct *p,
++ struct kernel_clone_args *kargs);
+ extern void sched_dead(struct task_struct *p);
+
+ void __noreturn do_task_dead(void);
+diff --git a/kernel/fork.c b/kernel/fork.c
+index 3f96400a0ac61..773b44be81f9d 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -2310,7 +2310,7 @@ static __latent_entropy struct task_struct *copy_process(
+ write_unlock_irq(&tasklist_lock);
+
+ proc_fork_connector(p);
+- sched_post_fork(p);
++ sched_post_fork(p, args);
+ cgroup_post_fork(p, args);
+ perf_event_fork(p);
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index e4551d1736fa3..bc8ff11e60242 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -3231,8 +3231,6 @@ static inline void init_schedstats(void) {}
+ */
+ int sched_fork(unsigned long clone_flags, struct task_struct *p)
+ {
+- unsigned long flags;
+-
+ __sched_fork(clone_flags, p);
+ /*
+ * We mark the process as NEW here. This guarantees that
+@@ -3278,24 +3276,6 @@ int sched_fork(unsigned long clone_flags, struct task_struct *p)
+
+ init_entity_runnable_average(&p->se);
+
+- /*
+- * The child is not yet in the pid-hash so no cgroup attach races,
+- * and the cgroup is pinned to this child due to cgroup_fork()
+- * is ran before sched_fork().
+- *
+- * Silence PROVE_RCU.
+- */
+- raw_spin_lock_irqsave(&p->pi_lock, flags);
+- rseq_migrate(p);
+- /*
+- * We're setting the CPU for the first time, we don't migrate,
+- * so use __set_task_cpu().
+- */
+- __set_task_cpu(p, smp_processor_id());
+- if (p->sched_class->task_fork)
+- p->sched_class->task_fork(p);
+- raw_spin_unlock_irqrestore(&p->pi_lock, flags);
+-
+ #ifdef CONFIG_SCHED_INFO
+ if (likely(sched_info_on()))
+ memset(&p->sched_info, 0, sizeof(p->sched_info));
+@@ -3311,8 +3291,29 @@ int sched_fork(unsigned long clone_flags, struct task_struct *p)
+ return 0;
+ }
+
+-void sched_post_fork(struct task_struct *p)
++void sched_post_fork(struct task_struct *p, struct kernel_clone_args *kargs)
+ {
++ unsigned long flags;
++#ifdef CONFIG_CGROUP_SCHED
++ struct task_group *tg;
++#endif
++
++ raw_spin_lock_irqsave(&p->pi_lock, flags);
++#ifdef CONFIG_CGROUP_SCHED
++ tg = container_of(kargs->cset->subsys[cpu_cgrp_id],
++ struct task_group, css);
++ p->sched_task_group = autogroup_task_group(p, tg);
++#endif
++ rseq_migrate(p);
++ /*
++ * We're setting the CPU for the first time, we don't migrate,
++ * so use __set_task_cpu().
++ */
++ __set_task_cpu(p, smp_processor_id());
++ if (p->sched_class->task_fork)
++ p->sched_class->task_fork(p);
++ raw_spin_unlock_irqrestore(&p->pi_lock, flags);
++
+ uclamp_post_fork(p);
+ }
+
+--
+2.33.0
+
--- /dev/null
+From d6de9f558db16586237c389cb80e99dbcad29135 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 23:38:37 +0900
+Subject: kprobes: Do not use local variable when creating debugfs file
+
+From: Punit Agrawal <punitagrawal@gmail.com>
+
+[ Upstream commit 8f7262cd66699a4b02eb7549b35c81b2116aad95 ]
+
+debugfs_create_file() takes a pointer argument that can be used during
+file operation callbacks (accessible via i_private in the inode
+structure). An obvious requirement is for the pointer to refer to
+valid memory when used.
+
+When creating the debugfs file to dynamically enable / disable
+kprobes, a pointer to local variable is passed to
+debugfs_create_file(); which will go out of scope when the init
+function returns. The reason this hasn't triggered random memory
+corruption is because the pointer is not accessed during the debugfs
+file callbacks.
+
+Since the enabled state is managed by the kprobes_all_disabled global
+variable, the local variable is not needed. Fix the incorrect (and
+unnecessary) usage of local variable during debugfs_file_create() by
+passing NULL instead.
+
+Link: https://lkml.kernel.org/r/163163031686.489837.4476867635937014973.stgit@devnote2
+
+Fixes: bf8f6e5b3e51 ("Kprobes: The ON/OFF knob thru debugfs")
+Signed-off-by: Punit Agrawal <punitagrawal@gmail.com>
+Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/kprobes.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/kernel/kprobes.c b/kernel/kprobes.c
+index f590e9ff37062..66a6ba81edb1e 100644
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -2943,13 +2943,12 @@ static const struct file_operations fops_kp = {
+ static int __init debugfs_kprobe_init(void)
+ {
+ struct dentry *dir;
+- unsigned int value = 1;
+
+ dir = debugfs_create_dir("kprobes", NULL);
+
+ debugfs_create_file("list", 0400, dir, NULL, &kprobes_fops);
+
+- debugfs_create_file("enabled", 0600, dir, &value, &fops_kp);
++ debugfs_create_file("enabled", 0600, dir, NULL, &fops_kp);
+
+ debugfs_create_file("blacklist", 0400, dir, NULL,
+ &kprobe_blacklist_fops);
+--
+2.33.0
+
--- /dev/null
+From 419b245d2366eecb392321d83813fa1d3a6d9316 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Oct 2021 17:26:48 +0200
+Subject: KVM: s390: Fix handle_sske page fault handling
+
+From: Janis Schoetterl-Glausch <scgl@linux.ibm.com>
+
+[ Upstream commit 85f517b29418158d3e6e90c3f0fc01b306d2f1a1 ]
+
+If handle_sske cannot set the storage key, because there is no
+page table entry or no present large page entry, it calls
+fixup_user_fault.
+However, currently, if the call succeeds, handle_sske returns
+-EAGAIN, without having set the storage key.
+Instead, retry by continue'ing the loop without incrementing the
+address.
+The same issue in handle_pfmf was fixed by
+a11bdb1a6b78 ("KVM: s390: Fix pfmf and conditional skey emulation").
+
+Fixes: bd096f644319 ("KVM: s390: Add skey emulation fault handling")
+Signed-off-by: Janis Schoetterl-Glausch <scgl@linux.ibm.com>
+Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Link: https://lore.kernel.org/r/20211022152648.26536-1-scgl@linux.ibm.com
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kvm/priv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/s390/kvm/priv.c b/arch/s390/kvm/priv.c
+index cd74989ce0b02..3b1a498e58d25 100644
+--- a/arch/s390/kvm/priv.c
++++ b/arch/s390/kvm/priv.c
+@@ -397,6 +397,8 @@ static int handle_sske(struct kvm_vcpu *vcpu)
+ mmap_read_unlock(current->mm);
+ if (rc == -EFAULT)
+ return kvm_s390_inject_program_int(vcpu, PGM_ADDRESSING);
++ if (rc == -EAGAIN)
++ continue;
+ if (rc < 0)
+ return rc;
+ start += PAGE_SIZE;
+--
+2.33.0
+
--- /dev/null
+From aa206e62dbef5c32aacacec3a302ef5b17e290f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Sep 2021 15:24:50 +0200
+Subject: KVM: s390: pv: avoid double free of sida page
+
+From: Claudio Imbrenda <imbrenda@linux.ibm.com>
+
+[ Upstream commit d4074324b07a94a1fca476d452dfbb3a4e7bf656 ]
+
+If kvm_s390_pv_destroy_cpu is called more than once, we risk calling
+free_page on a random page, since the sidad field is aliased with the
+gbea, which is not guaranteed to be zero.
+
+This can happen, for example, if userspace calls the KVM_PV_DISABLE
+IOCTL, and it fails, and then userspace calls the same IOCTL again.
+This scenario is only possible if KVM has some serious bug or if the
+hardware is broken.
+
+The solution is to simply return successfully immediately if the vCPU
+was already non secure.
+
+Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Fixes: 19e1227768863a1469797c13ef8fea1af7beac2c ("KVM: S390: protvirt: Introduce instruction data area bounce buffer")
+Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
+Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Message-Id: <20210920132502.36111-3-imbrenda@linux.ibm.com>
+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kvm/pv.c | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+diff --git a/arch/s390/kvm/pv.c b/arch/s390/kvm/pv.c
+index f5847f9dec7c9..74265304dd9cd 100644
+--- a/arch/s390/kvm/pv.c
++++ b/arch/s390/kvm/pv.c
+@@ -16,18 +16,17 @@
+
+ int kvm_s390_pv_destroy_cpu(struct kvm_vcpu *vcpu, u16 *rc, u16 *rrc)
+ {
+- int cc = 0;
++ int cc;
+
+- if (kvm_s390_pv_cpu_get_handle(vcpu)) {
+- cc = uv_cmd_nodata(kvm_s390_pv_cpu_get_handle(vcpu),
+- UVC_CMD_DESTROY_SEC_CPU, rc, rrc);
++ if (!kvm_s390_pv_cpu_get_handle(vcpu))
++ return 0;
++
++ cc = uv_cmd_nodata(kvm_s390_pv_cpu_get_handle(vcpu), UVC_CMD_DESTROY_SEC_CPU, rc, rrc);
++
++ KVM_UV_EVENT(vcpu->kvm, 3, "PROTVIRT DESTROY VCPU %d: rc %x rrc %x",
++ vcpu->vcpu_id, *rc, *rrc);
++ WARN_ONCE(cc, "protvirt destroy cpu failed rc %x rrc %x", *rc, *rrc);
+
+- KVM_UV_EVENT(vcpu->kvm, 3,
+- "PROTVIRT DESTROY VCPU %d: rc %x rrc %x",
+- vcpu->vcpu_id, *rc, *rrc);
+- WARN_ONCE(cc, "protvirt destroy cpu failed rc %x rrc %x",
+- *rc, *rrc);
+- }
+ /* Intended memory leak for something that should never happen. */
+ if (!cc)
+ free_pages(vcpu->arch.pv.stor_base,
+--
+2.33.0
+
--- /dev/null
+From 4c2796b1eecf72d70f76278cf4dece5568fb664c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Sep 2021 15:24:51 +0200
+Subject: KVM: s390: pv: avoid stalls for kvm_s390_pv_init_vm
+
+From: Claudio Imbrenda <imbrenda@linux.ibm.com>
+
+[ Upstream commit 1e2aa46de526a5adafe580bca4c25856bb06f09e ]
+
+When the system is heavily overcommitted, kvm_s390_pv_init_vm might
+generate stall notifications.
+
+Fix this by using uv_call_sched instead of just uv_call. This is ok because
+we are not holding spinlocks.
+
+Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Fixes: 214d9bbcd3a672 ("s390/mm: provide memory management functions for protected KVM guests")
+Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
+Message-Id: <20210920132502.36111-4-imbrenda@linux.ibm.com>
+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kvm/pv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/kvm/pv.c b/arch/s390/kvm/pv.c
+index 74265304dd9cd..8228878872228 100644
+--- a/arch/s390/kvm/pv.c
++++ b/arch/s390/kvm/pv.c
+@@ -190,7 +190,7 @@ int kvm_s390_pv_init_vm(struct kvm *kvm, u16 *rc, u16 *rrc)
+ uvcb.conf_base_stor_origin = (u64)kvm->arch.pv.stor_base;
+ uvcb.conf_virt_stor_origin = (u64)kvm->arch.pv.stor_var;
+
+- cc = uv_call(0, (u64)&uvcb);
++ cc = uv_call_sched(0, (u64)&uvcb);
+ *rc = uvcb.header.rc;
+ *rrc = uvcb.header.rrc;
+ KVM_UV_EVENT(kvm, 3, "PROTVIRT CREATE VM: handle %llx len %llx rc %x rrc %x",
+--
+2.33.0
+
--- /dev/null
+From d596e3e28fff3565f51796051d59e85e1eb485df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Feb 2021 03:17:19 +0000
+Subject: KVM: selftests: Add operand to vmsave/vmload/vmrun in svm.c
+
+From: Ricardo Koller <ricarkol@google.com>
+
+[ Upstream commit 47bc726fe8d1910872dc3d7e7ec70f8b9e6043b7 ]
+
+Building the KVM selftests with LLVM's integrated assembler fails with:
+
+ $ CFLAGS=-fintegrated-as make -C tools/testing/selftests/kvm CC=clang
+ lib/x86_64/svm.c:77:16: error: too few operands for instruction
+ asm volatile ("vmsave\n\t" : : "a" (vmcb_gpa) : "memory");
+ ^
+ <inline asm>:1:2: note: instantiated into assembly here
+ vmsave
+ ^
+ lib/x86_64/svm.c:134:3: error: too few operands for instruction
+ "vmload\n\t"
+ ^
+ <inline asm>:1:2: note: instantiated into assembly here
+ vmload
+ ^
+This is because LLVM IAS does not currently support calling vmsave,
+vmload, or vmload without an explicit %rax operand.
+
+Add an explicit operand to vmsave, vmload, and vmrum in svm.c. Fixing
+this was suggested by Sean Christopherson.
+
+Tested: building without this error in clang 11. The following patch
+(not queued yet) needs to be applied to solve the other remaining error:
+"selftests: kvm: remove reassignment of non-absolute variables".
+
+Suggested-by: Sean Christopherson <seanjc@google.com>
+Link: https://lore.kernel.org/kvm/X+Df2oQczVBmwEzi@google.com/
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Ricardo Koller <ricarkol@google.com>
+Message-Id: <20210210031719.769837-1-ricarkol@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/kvm/lib/x86_64/svm.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tools/testing/selftests/kvm/lib/x86_64/svm.c b/tools/testing/selftests/kvm/lib/x86_64/svm.c
+index 3a5c72ed2b792..827fe6028dd42 100644
+--- a/tools/testing/selftests/kvm/lib/x86_64/svm.c
++++ b/tools/testing/selftests/kvm/lib/x86_64/svm.c
+@@ -74,7 +74,7 @@ void generic_svm_setup(struct svm_test_data *svm, void *guest_rip, void *guest_r
+ wrmsr(MSR_VM_HSAVE_PA, svm->save_area_gpa);
+
+ memset(vmcb, 0, sizeof(*vmcb));
+- asm volatile ("vmsave\n\t" : : "a" (vmcb_gpa) : "memory");
++ asm volatile ("vmsave %0\n\t" : : "a" (vmcb_gpa) : "memory");
+ vmcb_set_seg(&save->es, get_es(), 0, -1U, data_seg_attr);
+ vmcb_set_seg(&save->cs, get_cs(), 0, -1U, code_seg_attr);
+ vmcb_set_seg(&save->ss, get_ss(), 0, -1U, data_seg_attr);
+@@ -131,19 +131,19 @@ void generic_svm_setup(struct svm_test_data *svm, void *guest_rip, void *guest_r
+ void run_guest(struct vmcb *vmcb, uint64_t vmcb_gpa)
+ {
+ asm volatile (
+- "vmload\n\t"
++ "vmload %[vmcb_gpa]\n\t"
+ "mov rflags, %%r15\n\t" // rflags
+ "mov %%r15, 0x170(%[vmcb])\n\t"
+ "mov guest_regs, %%r15\n\t" // rax
+ "mov %%r15, 0x1f8(%[vmcb])\n\t"
+ LOAD_GPR_C
+- "vmrun\n\t"
++ "vmrun %[vmcb_gpa]\n\t"
+ SAVE_GPR_C
+ "mov 0x170(%[vmcb]), %%r15\n\t" // rflags
+ "mov %%r15, rflags\n\t"
+ "mov 0x1f8(%[vmcb]), %%r15\n\t" // rax
+ "mov %%r15, guest_regs\n\t"
+- "vmsave\n\t"
++ "vmsave %[vmcb_gpa]\n\t"
+ : : [vmcb] "r" (vmcb), [vmcb_gpa] "a" (vmcb_gpa)
+ : "r15", "memory");
+ }
+--
+2.33.0
+
--- /dev/null
+From ca1bc52df04fe3937900a4ea14de5b5aa2c5c735 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Sep 2021 17:36:49 -0700
+Subject: KVM: selftests: Fix nested SVM tests when built with clang
+
+From: Jim Mattson <jmattson@google.com>
+
+[ Upstream commit ed290e1c20da19fa100a3e0f421aa31b65984960 ]
+
+Though gcc conveniently compiles a simple memset to "rep stos," clang
+prefers to call the libc version of memset. If a test is dynamically
+linked, the libc memset isn't available in L1 (nor is the PLT or the
+GOT, for that matter). Even if the test is statically linked, the libc
+memset may choose to use some CPU features, like AVX, which may not be
+enabled in L1. Note that __builtin_memset doesn't solve the problem,
+because (a) the compiler is free to call memset anyway, and (b)
+__builtin_memset may also choose to use features like AVX, which may
+not be available in L1.
+
+To avoid a myriad of problems, use an explicit "rep stos" to clear the
+VMCB in generic_svm_setup(), which is called both from L0 and L1.
+
+Reported-by: Ricardo Koller <ricarkol@google.com>
+Signed-off-by: Jim Mattson <jmattson@google.com>
+Fixes: 20ba262f8631a ("selftests: KVM: AMD Nested test infrastructure")
+Message-Id: <20210930003649.4026553-1-jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/kvm/lib/x86_64/svm.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/kvm/lib/x86_64/svm.c b/tools/testing/selftests/kvm/lib/x86_64/svm.c
+index 827fe6028dd42..a58507a7b5d6d 100644
+--- a/tools/testing/selftests/kvm/lib/x86_64/svm.c
++++ b/tools/testing/selftests/kvm/lib/x86_64/svm.c
+@@ -57,6 +57,18 @@ static void vmcb_set_seg(struct vmcb_seg *seg, u16 selector,
+ seg->base = base;
+ }
+
++/*
++ * Avoid using memset to clear the vmcb, since libc may not be
++ * available in L1 (and, even if it is, features that libc memset may
++ * want to use, like AVX, may not be enabled).
++ */
++static void clear_vmcb(struct vmcb *vmcb)
++{
++ int n = sizeof(*vmcb) / sizeof(u32);
++
++ asm volatile ("rep stosl" : "+c"(n), "+D"(vmcb) : "a"(0) : "memory");
++}
++
+ void generic_svm_setup(struct svm_test_data *svm, void *guest_rip, void *guest_rsp)
+ {
+ struct vmcb *vmcb = svm->vmcb;
+@@ -73,7 +85,7 @@ void generic_svm_setup(struct svm_test_data *svm, void *guest_rip, void *guest_r
+ wrmsr(MSR_EFER, efer | EFER_SVME);
+ wrmsr(MSR_VM_HSAVE_PA, svm->save_area_gpa);
+
+- memset(vmcb, 0, sizeof(*vmcb));
++ clear_vmcb(vmcb);
+ asm volatile ("vmsave %0\n\t" : : "a" (vmcb_gpa) : "memory");
+ vmcb_set_seg(&save->es, get_es(), 0, -1U, data_seg_attr);
+ vmcb_set_seg(&save->cs, get_cs(), 0, -1U, code_seg_attr);
+--
+2.33.0
+
--- /dev/null
+From 473f1810903767c17a720269f2615698c347e97e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Sep 2021 15:02:18 -0700
+Subject: leaking_addresses: Always print a trailing newline
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit cf2a85efdade117e2169d6e26641016cbbf03ef0 ]
+
+For files that lack trailing newlines and match a leaking address (e.g.
+wchan[1]), the leaking_addresses.pl report would run together with the
+next line, making things look corrupted.
+
+Unconditionally remove the newline on input, and write it back out on
+output.
+
+[1] https://lore.kernel.org/all/20210103142726.GC30643@xsang-OptiPlex-9020/
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20211008111626.151570317@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/leaking_addresses.pl | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/scripts/leaking_addresses.pl b/scripts/leaking_addresses.pl
+index b2d8b8aa2d99e..8f636a23bc3f2 100755
+--- a/scripts/leaking_addresses.pl
++++ b/scripts/leaking_addresses.pl
+@@ -455,8 +455,9 @@ sub parse_file
+
+ open my $fh, "<", $file or return;
+ while ( <$fh> ) {
++ chomp;
+ if (may_leak_address($_)) {
+- print $file . ': ' . $_;
++ printf("$file: $_\n");
+ }
+ }
+ close $fh;
+--
+2.33.0
+
--- /dev/null
+From f90ca68341e524ccf41a0995a33b34ae9a71dfc7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Oct 2021 05:31:39 +0800
+Subject: lib/xz: Avoid overlapping memcpy() with invalid input with in-place
+ decompression
+
+From: Lasse Collin <lasse.collin@tukaani.org>
+
+[ Upstream commit 83d3c4f22a36d005b55f44628f46cc0d319a75e8 ]
+
+With valid files, the safety margin described in lib/decompress_unxz.c
+ensures that these buffers cannot overlap. But if the uncompressed size
+of the input is larger than the caller thought, which is possible when
+the input file is invalid/corrupt, the buffers can overlap. Obviously
+the result will then be garbage (and usually the decoder will return
+an error too) but no other harm will happen when such an over-run occurs.
+
+This change only affects uncompressed LZMA2 chunks and so this
+should have no effect on performance.
+
+Link: https://lore.kernel.org/r/20211010213145.17462-2-xiang@kernel.org
+Signed-off-by: Lasse Collin <lasse.collin@tukaani.org>
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/decompress_unxz.c | 2 +-
+ lib/xz/xz_dec_lzma2.c | 21 +++++++++++++++++++--
+ 2 files changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/lib/decompress_unxz.c b/lib/decompress_unxz.c
+index 25d59a95bd668..abea25310ac73 100644
+--- a/lib/decompress_unxz.c
++++ b/lib/decompress_unxz.c
+@@ -167,7 +167,7 @@
+ * memeq and memzero are not used much and any remotely sane implementation
+ * is fast enough. memcpy/memmove speed matters in multi-call mode, but
+ * the kernel image is decompressed in single-call mode, in which only
+- * memcpy speed can matter and only if there is a lot of uncompressible data
++ * memmove speed can matter and only if there is a lot of uncompressible data
+ * (LZMA2 stores uncompressible chunks in uncompressed form). Thus, the
+ * functions below should just be kept small; it's probably not worth
+ * optimizing for speed.
+diff --git a/lib/xz/xz_dec_lzma2.c b/lib/xz/xz_dec_lzma2.c
+index 65a1aad8c223b..a18b52759fd91 100644
+--- a/lib/xz/xz_dec_lzma2.c
++++ b/lib/xz/xz_dec_lzma2.c
+@@ -387,7 +387,14 @@ static void dict_uncompressed(struct dictionary *dict, struct xz_buf *b,
+
+ *left -= copy_size;
+
+- memcpy(dict->buf + dict->pos, b->in + b->in_pos, copy_size);
++ /*
++ * If doing in-place decompression in single-call mode and the
++ * uncompressed size of the file is larger than the caller
++ * thought (i.e. it is invalid input!), the buffers below may
++ * overlap and cause undefined behavior with memcpy().
++ * With valid inputs memcpy() would be fine here.
++ */
++ memmove(dict->buf + dict->pos, b->in + b->in_pos, copy_size);
+ dict->pos += copy_size;
+
+ if (dict->full < dict->pos)
+@@ -397,7 +404,11 @@ static void dict_uncompressed(struct dictionary *dict, struct xz_buf *b,
+ if (dict->pos == dict->end)
+ dict->pos = 0;
+
+- memcpy(b->out + b->out_pos, b->in + b->in_pos,
++ /*
++ * Like above but for multi-call mode: use memmove()
++ * to avoid undefined behavior with invalid input.
++ */
++ memmove(b->out + b->out_pos, b->in + b->in_pos,
+ copy_size);
+ }
+
+@@ -421,6 +432,12 @@ static uint32_t dict_flush(struct dictionary *dict, struct xz_buf *b)
+ if (dict->pos == dict->end)
+ dict->pos = 0;
+
++ /*
++ * These buffers cannot overlap even if doing in-place
++ * decompression because in multi-call mode dict->buf
++ * has been allocated by us in this file; it's not
++ * provided by the caller like in single-call mode.
++ */
+ memcpy(b->out + b->out_pos, dict->buf + dict->start,
+ copy_size);
+ }
+--
+2.33.0
+
--- /dev/null
+From c27f79403dfa0609b8add1d52577bb12a1caa862 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Oct 2021 05:31:40 +0800
+Subject: lib/xz: Validate the value before assigning it to an enum variable
+
+From: Lasse Collin <lasse.collin@tukaani.org>
+
+[ Upstream commit 4f8d7abaa413c34da9d751289849dbfb7c977d05 ]
+
+This might matter, for example, if the underlying type of enum xz_check
+was a signed char. In such a case the validation wouldn't have caught an
+unsupported header. I don't know if this problem can occur in the kernel
+on any arch but it's still good to fix it because some people might copy
+the XZ code to their own projects from Linux instead of the upstream
+XZ Embedded repository.
+
+This change may increase the code size by a few bytes. An alternative
+would have been to use an unsigned int instead of enum xz_check but
+using an enumeration looks cleaner.
+
+Link: https://lore.kernel.org/r/20211010213145.17462-3-xiang@kernel.org
+Signed-off-by: Lasse Collin <lasse.collin@tukaani.org>
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/xz/xz_dec_stream.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/xz/xz_dec_stream.c b/lib/xz/xz_dec_stream.c
+index 32ab2a08b7cbc..a30e3308035fa 100644
+--- a/lib/xz/xz_dec_stream.c
++++ b/lib/xz/xz_dec_stream.c
+@@ -402,12 +402,12 @@ static enum xz_ret dec_stream_header(struct xz_dec *s)
+ * we will accept other check types too, but then the check won't
+ * be verified and a warning (XZ_UNSUPPORTED_CHECK) will be given.
+ */
++ if (s->temp.buf[HEADER_MAGIC_SIZE + 1] > XZ_CHECK_MAX)
++ return XZ_OPTIONS_ERROR;
++
+ s->check_type = s->temp.buf[HEADER_MAGIC_SIZE + 1];
+
+ #ifdef XZ_DEC_ANY_CHECK
+- if (s->check_type > XZ_CHECK_MAX)
+- return XZ_OPTIONS_ERROR;
+-
+ if (s->check_type > XZ_CHECK_CRC32)
+ return XZ_UNSUPPORTED_CHECK;
+ #else
+--
+2.33.0
+
--- /dev/null
+From 352521fc41c7fd61c99612aaed889eaf91f6ebc0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 9 Jan 2021 23:03:41 -0800
+Subject: libbpf: Allow loading empty BTFs
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit b8d52264df85ec12f370c0a8b28d0ac59a05877a ]
+
+Empty BTFs do come up (e.g., simple kernel modules with no new types and
+strings, compared to the vmlinux BTF) and there is nothing technically wrong
+with them. So remove unnecessary check preventing loading empty BTFs.
+
+Fixes: d8123624506c ("libbpf: Fix BTF data layout checks and allow empty BTF")
+Reported-by: Christopher William Snowhill <chris@kode54.net>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20210110070341.1380086-2-andrii@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/btf.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/tools/lib/bpf/btf.c b/tools/lib/bpf/btf.c
+index 987c1515b828b..c8c751265e23a 100644
+--- a/tools/lib/bpf/btf.c
++++ b/tools/lib/bpf/btf.c
+@@ -210,11 +210,6 @@ static int btf_parse_hdr(struct btf *btf)
+ }
+
+ meta_left = btf->raw_size - sizeof(*hdr);
+- if (!meta_left) {
+- pr_debug("BTF has no data\n");
+- return -EINVAL;
+- }
+-
+ if (meta_left < hdr->str_off + hdr->str_len) {
+ pr_debug("Invalid BTF total size:%u\n", btf->raw_size);
+ return -EINVAL;
+--
+2.33.0
+
--- /dev/null
+From ef8e12695ff5f0da79b2329bc46eff8e2b8a9fa9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Nov 2020 20:33:57 -0800
+Subject: libbpf: Fix BTF data layout checks and allow empty BTF
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit d8123624506cd62730c9cd9c7672c698e462703d ]
+
+Make data section layout checks stricter, disallowing overlap of types and
+strings data.
+
+Additionally, allow BTFs with no type data. There is nothing inherently wrong
+with having BTF with no types (put potentially with some strings). This could
+be a situation with kernel module BTFs, if module doesn't introduce any new
+type information.
+
+Also fix invalid offset alignment check for btf->hdr->type_off.
+
+Fixes: 8a138aed4a80 ("bpf: btf: Add BTF support to libbpf")
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/20201105043402.2530976-8-andrii@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/btf.c | 16 ++++++----------
+ 1 file changed, 6 insertions(+), 10 deletions(-)
+
+diff --git a/tools/lib/bpf/btf.c b/tools/lib/bpf/btf.c
+index 231b07203e3d2..987c1515b828b 100644
+--- a/tools/lib/bpf/btf.c
++++ b/tools/lib/bpf/btf.c
+@@ -215,22 +215,18 @@ static int btf_parse_hdr(struct btf *btf)
+ return -EINVAL;
+ }
+
+- if (meta_left < hdr->type_off) {
+- pr_debug("Invalid BTF type section offset:%u\n", hdr->type_off);
++ if (meta_left < hdr->str_off + hdr->str_len) {
++ pr_debug("Invalid BTF total size:%u\n", btf->raw_size);
+ return -EINVAL;
+ }
+
+- if (meta_left < hdr->str_off) {
+- pr_debug("Invalid BTF string section offset:%u\n", hdr->str_off);
++ if (hdr->type_off + hdr->type_len > hdr->str_off) {
++ pr_debug("Invalid BTF data sections layout: type data at %u + %u, strings data at %u + %u\n",
++ hdr->type_off, hdr->type_len, hdr->str_off, hdr->str_len);
+ return -EINVAL;
+ }
+
+- if (hdr->type_off >= hdr->str_off) {
+- pr_debug("BTF type section offset >= string section offset. No type?\n");
+- return -EINVAL;
+- }
+-
+- if (hdr->type_off & 0x02) {
++ if (hdr->type_off % 4) {
+ pr_debug("BTF type section is not aligned to 4 bytes\n");
+ return -EINVAL;
+ }
+--
+2.33.0
+
--- /dev/null
+From 72d17515addb7f7035a30c2fe15de55a1a83db9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Oct 2021 17:31:57 -0700
+Subject: libbpf: Fix BTF header parsing checks
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit c825f5fee19caf301d9821cd79abaa734322de26 ]
+
+Original code assumed fixed and correct BTF header length. That's not
+always the case, though, so fix this bug with a proper additional check.
+And use actual header length instead of sizeof(struct btf_header) in
+sanity checks.
+
+Fixes: 8a138aed4a80 ("bpf: btf: Add BTF support to libbpf")
+Reported-by: Evgeny Vereshchagin <evvers@ya.ru>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/20211023003157.726961-2-andrii@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/btf.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/tools/lib/bpf/btf.c b/tools/lib/bpf/btf.c
+index c15eb14a711e5..e6f644cdc9f15 100644
+--- a/tools/lib/bpf/btf.c
++++ b/tools/lib/bpf/btf.c
+@@ -205,13 +205,19 @@ static int btf_parse_hdr(struct btf *btf)
+ }
+ btf_bswap_hdr(hdr);
+ } else if (hdr->magic != BTF_MAGIC) {
+- pr_debug("Invalid BTF magic:%x\n", hdr->magic);
++ pr_debug("Invalid BTF magic: %x\n", hdr->magic);
+ return -EINVAL;
+ }
+
+- meta_left = btf->raw_size - sizeof(*hdr);
++ if (btf->raw_size < hdr->hdr_len) {
++ pr_debug("BTF header len %u larger than data size %u\n",
++ hdr->hdr_len, btf->raw_size);
++ return -EINVAL;
++ }
++
++ meta_left = btf->raw_size - hdr->hdr_len;
+ if (meta_left < (long long)hdr->str_off + hdr->str_len) {
+- pr_debug("Invalid BTF total size:%u\n", btf->raw_size);
++ pr_debug("Invalid BTF total size: %u\n", btf->raw_size);
+ return -EINVAL;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From c00a945fcc4cbacc6c9a0ee6253375072a079574 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Oct 2021 03:08:26 +0200
+Subject: libbpf: Fix endianness detection in BPF_CORE_READ_BITFIELD_PROBED()
+
+From: Ilya Leoshkevich <iii@linux.ibm.com>
+
+[ Upstream commit 45f2bebc8079788f62f22d9e8b2819afb1789d7b ]
+
+__BYTE_ORDER is supposed to be defined by a libc, and __BYTE_ORDER__ -
+by a compiler. bpf_core_read.h checks __BYTE_ORDER == __LITTLE_ENDIAN,
+which is true if neither are defined, leading to incorrect behavior on
+big-endian hosts if libc headers are not included, which is often the
+case.
+
+Fixes: ee26dade0e3b ("libbpf: Add support for relocatable bitfields")
+Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20211026010831.748682-2-iii@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/bpf_core_read.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/bpf_core_read.h b/tools/lib/bpf/bpf_core_read.h
+index 4538ed762a209..f05cfc082915d 100644
+--- a/tools/lib/bpf/bpf_core_read.h
++++ b/tools/lib/bpf/bpf_core_read.h
+@@ -40,7 +40,7 @@ enum bpf_enum_value_kind {
+ #define __CORE_RELO(src, field, info) \
+ __builtin_preserve_field_info((src)->field, BPF_FIELD_##info)
+
+-#if __BYTE_ORDER == __LITTLE_ENDIAN
++#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
+ #define __CORE_BITFIELD_PROBE_READ(dst, src, fld) \
+ bpf_probe_read_kernel( \
+ (void *)dst, \
+--
+2.33.0
+
--- /dev/null
+From 61a68930fc1cef41218a24c6f08f22cd5865691c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Oct 2021 17:31:56 -0700
+Subject: libbpf: Fix overflow in BTF sanity checks
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit 5245dafe3d49efba4d3285cf27ee1cc1eeafafc6 ]
+
+btf_header's str_off+str_len or type_off+type_len can overflow as they
+are u32s. This will lead to bypassing the sanity checks during BTF
+parsing, resulting in crashes afterwards. Fix by using 64-bit signed
+integers for comparison.
+
+Fixes: d8123624506c ("libbpf: Fix BTF data layout checks and allow empty BTF")
+Reported-by: Evgeny Vereshchagin <evvers@ya.ru>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/20211023003157.726961-1-andrii@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/btf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/lib/bpf/btf.c b/tools/lib/bpf/btf.c
+index c8c751265e23a..c15eb14a711e5 100644
+--- a/tools/lib/bpf/btf.c
++++ b/tools/lib/bpf/btf.c
+@@ -210,12 +210,12 @@ static int btf_parse_hdr(struct btf *btf)
+ }
+
+ meta_left = btf->raw_size - sizeof(*hdr);
+- if (meta_left < hdr->str_off + hdr->str_len) {
++ if (meta_left < (long long)hdr->str_off + hdr->str_len) {
+ pr_debug("Invalid BTF total size:%u\n", btf->raw_size);
+ return -EINVAL;
+ }
+
+- if (hdr->type_off + hdr->type_len > hdr->str_off) {
++ if ((long long)hdr->type_off + hdr->type_len > hdr->str_off) {
+ pr_debug("Invalid BTF data sections layout: type data at %u + %u, strings data at %u + %u\n",
+ hdr->type_off, hdr->type_len, hdr->str_off, hdr->str_len);
+ return -EINVAL;
+--
+2.33.0
+
--- /dev/null
+From 2ff62472eb79c3005d31466ac3bb52c40a9f52af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Oct 2021 20:03:45 +0800
+Subject: libertas: Fix possible memory leak in probe and disconnect
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit 9692151e2fe7a326bafe99836fd1f20a2cc3a049 ]
+
+I got memory leak as follows when doing fault injection test:
+
+unreferenced object 0xffff88812c7d7400 (size 512):
+ comm "kworker/6:1", pid 176, jiffies 4295003332 (age 822.830s)
+ hex dump (first 32 bytes):
+ 00 68 1e 04 81 88 ff ff 01 00 00 00 00 00 00 00 .h..............
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff8167939c>] slab_post_alloc_hook+0x9c/0x490
+ [<ffffffff8167f627>] kmem_cache_alloc_trace+0x1f7/0x470
+ [<ffffffffa02c9873>] if_usb_probe+0x63/0x446 [usb8xxx]
+ [<ffffffffa022668a>] usb_probe_interface+0x1aa/0x3c0 [usbcore]
+ [<ffffffff82b59630>] really_probe+0x190/0x480
+ [<ffffffff82b59a19>] __driver_probe_device+0xf9/0x180
+ [<ffffffff82b59af3>] driver_probe_device+0x53/0x130
+ [<ffffffff82b5a075>] __device_attach_driver+0x105/0x130
+ [<ffffffff82b55949>] bus_for_each_drv+0x129/0x190
+ [<ffffffff82b593c9>] __device_attach+0x1c9/0x270
+ [<ffffffff82b5a250>] device_initial_probe+0x20/0x30
+ [<ffffffff82b579c2>] bus_probe_device+0x142/0x160
+ [<ffffffff82b52e49>] device_add+0x829/0x1300
+ [<ffffffffa02229b1>] usb_set_configuration+0xb01/0xcc0 [usbcore]
+ [<ffffffffa0235c4e>] usb_generic_driver_probe+0x6e/0x90 [usbcore]
+ [<ffffffffa022641f>] usb_probe_device+0x6f/0x130 [usbcore]
+
+cardp is missing being freed in the error handling path of the probe
+and the path of the disconnect, which will cause memory leak.
+
+This patch adds the missing kfree().
+
+Fixes: 876c9d3aeb98 ("[PATCH] Marvell Libertas 8388 802.11b/g USB driver")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20211020120345.2016045-3-wanghai38@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/libertas/if_usb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/libertas/if_usb.c b/drivers/net/wireless/marvell/libertas/if_usb.c
+index 20436a289d5cd..5d6dc1dd050d4 100644
+--- a/drivers/net/wireless/marvell/libertas/if_usb.c
++++ b/drivers/net/wireless/marvell/libertas/if_usb.c
+@@ -292,6 +292,7 @@ err_add_card:
+ if_usb_reset_device(cardp);
+ dealloc:
+ if_usb_free(cardp);
++ kfree(cardp);
+
+ error:
+ return r;
+@@ -316,6 +317,7 @@ static void if_usb_disconnect(struct usb_interface *intf)
+
+ /* Unlink and free urb */
+ if_usb_free(cardp);
++ kfree(cardp);
+
+ usb_set_intfdata(intf, NULL);
+ usb_put_dev(interface_to_usbdev(intf));
+--
+2.33.0
+
--- /dev/null
+From c3344c064a8b9b28d7009739b72c9ec6426ffd7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Oct 2021 20:03:44 +0800
+Subject: libertas_tf: Fix possible memory leak in probe and disconnect
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit d549107305b4634c81223a853701c06bcf657bc3 ]
+
+I got memory leak as follows when doing fault injection test:
+
+unreferenced object 0xffff88810a2ddc00 (size 512):
+ comm "kworker/6:1", pid 176, jiffies 4295009893 (age 757.220s)
+ hex dump (first 32 bytes):
+ 00 50 05 18 81 88 ff ff 00 00 00 00 00 00 00 00 .P..............
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff8167939c>] slab_post_alloc_hook+0x9c/0x490
+ [<ffffffff8167f627>] kmem_cache_alloc_trace+0x1f7/0x470
+ [<ffffffffa02a1530>] if_usb_probe+0x60/0x37c [libertas_tf_usb]
+ [<ffffffffa022668a>] usb_probe_interface+0x1aa/0x3c0 [usbcore]
+ [<ffffffff82b59630>] really_probe+0x190/0x480
+ [<ffffffff82b59a19>] __driver_probe_device+0xf9/0x180
+ [<ffffffff82b59af3>] driver_probe_device+0x53/0x130
+ [<ffffffff82b5a075>] __device_attach_driver+0x105/0x130
+ [<ffffffff82b55949>] bus_for_each_drv+0x129/0x190
+ [<ffffffff82b593c9>] __device_attach+0x1c9/0x270
+ [<ffffffff82b5a250>] device_initial_probe+0x20/0x30
+ [<ffffffff82b579c2>] bus_probe_device+0x142/0x160
+ [<ffffffff82b52e49>] device_add+0x829/0x1300
+ [<ffffffffa02229b1>] usb_set_configuration+0xb01/0xcc0 [usbcore]
+ [<ffffffffa0235c4e>] usb_generic_driver_probe+0x6e/0x90 [usbcore]
+ [<ffffffffa022641f>] usb_probe_device+0x6f/0x130 [usbcore]
+
+cardp is missing being freed in the error handling path of the probe
+and the path of the disconnect, which will cause memory leak.
+
+This patch adds the missing kfree().
+
+Fixes: c305a19a0d0a ("libertas_tf: usb specific functions")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20211020120345.2016045-2-wanghai38@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/libertas_tf/if_usb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/libertas_tf/if_usb.c b/drivers/net/wireless/marvell/libertas_tf/if_usb.c
+index a92916dc81a96..ecce8b56f8a28 100644
+--- a/drivers/net/wireless/marvell/libertas_tf/if_usb.c
++++ b/drivers/net/wireless/marvell/libertas_tf/if_usb.c
+@@ -230,6 +230,7 @@ static int if_usb_probe(struct usb_interface *intf,
+
+ dealloc:
+ if_usb_free(cardp);
++ kfree(cardp);
+ error:
+ lbtf_deb_leave(LBTF_DEB_MAIN);
+ return -ENOMEM;
+@@ -254,6 +255,7 @@ static void if_usb_disconnect(struct usb_interface *intf)
+
+ /* Unlink and free urb */
+ if_usb_free(cardp);
++ kfree(cardp);
+
+ usb_set_intfdata(intf, NULL);
+ usb_put_dev(interface_to_usbdev(intf));
+--
+2.33.0
+
--- /dev/null
+From 65ea595cad08f9b5b8ab7add33a7bdf9b5b21646 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Nov 2021 14:42:14 -0700
+Subject: llc: fix out-of-bound array index in llc_sk_dev_hash()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 8ac9dfd58b138f7e82098a4e0a0d46858b12215b ]
+
+Both ifindex and LLC_SK_DEV_HASH_ENTRIES are signed.
+
+This means that (ifindex % LLC_SK_DEV_HASH_ENTRIES) is negative
+if @ifindex is negative.
+
+We could simply make LLC_SK_DEV_HASH_ENTRIES unsigned.
+
+In this patch I chose to use hash_32() to get more entropy
+from @ifindex, like llc_sk_laddr_hashfn().
+
+UBSAN: array-index-out-of-bounds in ./include/net/llc.h:75:26
+index -43 is out of range for type 'hlist_head [64]'
+CPU: 1 PID: 20999 Comm: syz-executor.3 Not tainted 5.15.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
+ ubsan_epilogue+0xb/0x5a lib/ubsan.c:151
+ __ubsan_handle_out_of_bounds.cold+0x62/0x6c lib/ubsan.c:291
+ llc_sk_dev_hash include/net/llc.h:75 [inline]
+ llc_sap_add_socket+0x49c/0x520 net/llc/llc_conn.c:697
+ llc_ui_bind+0x680/0xd70 net/llc/af_llc.c:404
+ __sys_bind+0x1e9/0x250 net/socket.c:1693
+ __do_sys_bind net/socket.c:1704 [inline]
+ __se_sys_bind net/socket.c:1702 [inline]
+ __x64_sys_bind+0x6f/0xb0 net/socket.c:1702
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+RIP: 0033:0x7fa503407ae9
+
+Fixes: 6d2e3ea28446 ("llc: use a device based hash table to speed up multicast delivery")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/llc.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/llc.h b/include/net/llc.h
+index df282d9b40170..9c10b121b49b0 100644
+--- a/include/net/llc.h
++++ b/include/net/llc.h
+@@ -72,7 +72,9 @@ struct llc_sap {
+ static inline
+ struct hlist_head *llc_sk_dev_hash(struct llc_sap *sap, int ifindex)
+ {
+- return &sap->sk_dev_hash[ifindex % LLC_SK_DEV_HASH_ENTRIES];
++ u32 bucket = hash_32(ifindex, LLC_SK_DEV_HASH_BITS);
++
++ return &sap->sk_dev_hash[bucket];
+ }
+
+ static inline
+--
+2.33.0
+
--- /dev/null
+From c9c8ce1122f9c5d1454f79a2766d1e7e99647883 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Sep 2021 10:40:01 +0200
+Subject: lockdep: Let lock_is_held_type() detect recursive read as read
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 2507003a1d10917c9158077bf6030719d02c941e ]
+
+lock_is_held_type(, 1) detects acquired read locks. It only recognized
+locks acquired with lock_acquire_shared(). Read locks acquired with
+lock_acquire_shared_recursive() are not recognized because a `2' is
+stored as the read value.
+
+Rework the check to additionally recognise lock's read value one and two
+as a read held lock.
+
+Fixes: e918188611f07 ("locking: More accurate annotations for read_lock()")
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Boqun Feng <boqun.feng@gmail.com>
+Acked-by: Waiman Long <longman@redhat.com>
+Link: https://lkml.kernel.org/r/20210903084001.lblecrvz4esl4mrr@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/locking/lockdep.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
+index 2823329143503..1f6a2f1226fa9 100644
+--- a/kernel/locking/lockdep.c
++++ b/kernel/locking/lockdep.c
+@@ -5303,7 +5303,7 @@ int __lock_is_held(const struct lockdep_map *lock, int read)
+ struct held_lock *hlock = curr->held_locks + i;
+
+ if (match_held_lock(hlock, lock)) {
+- if (read == -1 || hlock->read == read)
++ if (read == -1 || !!hlock->read == read)
+ return 1;
+
+ return 0;
+--
+2.33.0
+
--- /dev/null
+From 5752456195c2ad49a176a7b5cee19909a365c66f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jun 2021 11:41:10 +0200
+Subject: locking/lockdep: Avoid RCU-induced noinstr fail
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit ce0b9c805dd66d5e49fd53ec5415ae398f4c56e6 ]
+
+vmlinux.o: warning: objtool: look_up_lock_class()+0xc7: call to rcu_read_lock_any_held() leaves .noinstr.text section
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20210624095148.311980536@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/locking/lockdep.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
+index 5184f68968158..2823329143503 100644
+--- a/kernel/locking/lockdep.c
++++ b/kernel/locking/lockdep.c
+@@ -887,7 +887,7 @@ look_up_lock_class(const struct lockdep_map *lock, unsigned int subclass)
+ if (DEBUG_LOCKS_WARN_ON(!irqs_disabled()))
+ return NULL;
+
+- hlist_for_each_entry_rcu(class, hash_head, hash_entry) {
++ hlist_for_each_entry_rcu_notrace(class, hash_head, hash_entry) {
+ if (class->key == key) {
+ /*
+ * Huh! same key, different name? Did someone trample
+--
+2.33.0
+
--- /dev/null
+From eb83e57257ca6cd4baf6768fb32ca4ec39e1dab8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 2 Oct 2021 17:02:23 -0700
+Subject: m68k: set a default value for MEMORY_RESERVE
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 1aaa557b2db95c9506ed0981bc34505c32d6b62b ]
+
+'make randconfig' can produce a .config file with
+"CONFIG_MEMORY_RESERVE=" (no value) since it has no default.
+When a subsequent 'make all' is done, kconfig restarts the config
+and prompts for a value for MEMORY_RESERVE. This breaks
+scripting/automation where there is no interactive user input.
+
+Add a default value for MEMORY_RESERVE. (Any integer value will
+work here for kconfig.)
+
+Fixes a kconfig warning:
+
+.config:214:warning: symbol value '' invalid for MEMORY_RESERVE
+* Restart config...
+Memory reservation (MiB) (MEMORY_RESERVE) [] (NEW)
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") # from beginning of git history
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Cc: Greg Ungerer <gerg@linux-m68k.org>
+Cc: linux-m68k@lists.linux-m68k.org
+Signed-off-by: Greg Ungerer <gerg@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/Kconfig.machine | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/m68k/Kconfig.machine b/arch/m68k/Kconfig.machine
+index e161a4e1493b4..51a878803fb6d 100644
+--- a/arch/m68k/Kconfig.machine
++++ b/arch/m68k/Kconfig.machine
+@@ -191,6 +191,7 @@ config INIT_LCD
+ config MEMORY_RESERVE
+ int "Memory reservation (MiB)"
+ depends on (UCSIMM || UCDIMM)
++ default 0
+ help
+ Reserve certain memory regions on 68x328 based boards.
+
+--
+2.33.0
+
--- /dev/null
+From 87da66d84d38c058f432e5bb9fa6a222277c4c65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Oct 2021 22:59:33 +0800
+Subject: md: update superblock after changing rdev flags in state_store
+
+From: Xiao Ni <xni@redhat.com>
+
+[ Upstream commit 8b9e2291e355a0eafdd5b1e21a94a6659f24b351 ]
+
+When the in memory flag is changed, we need to persist the change in the
+rdev superblock flags. This is needed for "writemostly" and "failfast".
+
+Reviewed-by: Li Feng <fengli@smartx.com>
+Signed-off-by: Xiao Ni <xni@redhat.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index f16f190546ef3..7871e7dcd4836 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -3024,7 +3024,11 @@ state_store(struct md_rdev *rdev, const char *buf, size_t len)
+ * -write_error - clears WriteErrorSeen
+ * {,-}failfast - set/clear FailFast
+ */
++
++ struct mddev *mddev = rdev->mddev;
+ int err = -EINVAL;
++ bool need_update_sb = false;
++
+ if (cmd_match(buf, "faulty") && rdev->mddev->pers) {
+ md_error(rdev->mddev, rdev);
+ if (test_bit(Faulty, &rdev->flags))
+@@ -3039,7 +3043,6 @@ state_store(struct md_rdev *rdev, const char *buf, size_t len)
+ if (rdev->raid_disk >= 0)
+ err = -EBUSY;
+ else {
+- struct mddev *mddev = rdev->mddev;
+ err = 0;
+ if (mddev_is_clustered(mddev))
+ err = md_cluster_ops->remove_disk(mddev, rdev);
+@@ -3056,10 +3059,12 @@ state_store(struct md_rdev *rdev, const char *buf, size_t len)
+ } else if (cmd_match(buf, "writemostly")) {
+ set_bit(WriteMostly, &rdev->flags);
+ mddev_create_serial_pool(rdev->mddev, rdev, false);
++ need_update_sb = true;
+ err = 0;
+ } else if (cmd_match(buf, "-writemostly")) {
+ mddev_destroy_serial_pool(rdev->mddev, rdev, false);
+ clear_bit(WriteMostly, &rdev->flags);
++ need_update_sb = true;
+ err = 0;
+ } else if (cmd_match(buf, "blocked")) {
+ set_bit(Blocked, &rdev->flags);
+@@ -3085,9 +3090,11 @@ state_store(struct md_rdev *rdev, const char *buf, size_t len)
+ err = 0;
+ } else if (cmd_match(buf, "failfast")) {
+ set_bit(FailFast, &rdev->flags);
++ need_update_sb = true;
+ err = 0;
+ } else if (cmd_match(buf, "-failfast")) {
+ clear_bit(FailFast, &rdev->flags);
++ need_update_sb = true;
+ err = 0;
+ } else if (cmd_match(buf, "-insync") && rdev->raid_disk >= 0 &&
+ !test_bit(Journal, &rdev->flags)) {
+@@ -3166,6 +3173,8 @@ state_store(struct md_rdev *rdev, const char *buf, size_t len)
+ clear_bit(ExternalBbl, &rdev->flags);
+ err = 0;
+ }
++ if (need_update_sb)
++ md_update_sb(mddev, 1);
+ if (!err)
+ sysfs_notify_dirent_safe(rdev->sysfs_state);
+ return err ? err : len;
+--
+2.33.0
+
--- /dev/null
+From 975f64b10bc3c67424c55fa1bff36e3ed00b3a4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Sep 2021 14:03:10 +0100
+Subject: media: allegro: ignore interrupt if mailbox is not initialized
+
+From: Michael Tretter <m.tretter@pengutronix.de>
+
+[ Upstream commit 1ecda6393db4be44aba27a243e648dc98c9b92e3 ]
+
+The mailbox is initialized after the interrupt handler is installed. As
+the firmware is loaded and started even later, it should not happen that
+the interrupt occurs without the mailbox being initialized.
+
+As the Linux Driver Verification project (linuxtesting.org) keeps
+reporting this as an error, add a check to ignore interrupts before the
+mailbox is initialized to fix this potential null pointer dereference.
+
+Reported-by: Yuri Savinykh <s02190703@gse.cs.msu.ru>
+Reported-by: Nadezda Lutovinova <lutovinova@ispras.ru>
+Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/allegro-dvt/allegro-core.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/staging/media/allegro-dvt/allegro-core.c b/drivers/staging/media/allegro-dvt/allegro-core.c
+index 640451134072b..28b6ba895ccd5 100644
+--- a/drivers/staging/media/allegro-dvt/allegro-core.c
++++ b/drivers/staging/media/allegro-dvt/allegro-core.c
+@@ -1802,6 +1802,15 @@ static irqreturn_t allegro_irq_thread(int irq, void *data)
+ {
+ struct allegro_dev *dev = data;
+
++ /*
++ * The firmware is initialized after the mailbox is setup. We further
++ * check the AL5_ITC_CPU_IRQ_STA register, if the firmware actually
++ * triggered the interrupt. Although this should not happen, make sure
++ * that we ignore interrupts, if the mailbox is not initialized.
++ */
++ if (!dev->mbox_status)
++ return IRQ_NONE;
++
+ allegro_mbox_notify(dev->mbox_status);
+
+ return IRQ_HANDLED;
+--
+2.33.0
+
--- /dev/null
+From 4c0b40e25dcc65b753cbcf10257e6e0a6101af88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 18:29:43 +0200
+Subject: media: atomisp: Fix error handling in probe
+
+From: Evgeny Novikov <novikov@ispras.ru>
+
+[ Upstream commit e16f5e39acd6d10cc63ae39bc0a77188ed828f22 ]
+
+There were several issues with handling errors in lm3554_probe():
+- Probe did not set the error code when v4l2_ctrl_handler_init() failed.
+- It intermixed gotos for handling errors of v4l2_ctrl_handler_init()
+ and media_entity_pads_init().
+- It did not set the error code for failures of v4l2_ctrl_new_custom().
+- Probe did not free resources in case of failures of
+ atomisp_register_i2c_module().
+
+The patch fixes all these issues.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Link: https://lore.kernel.org/linux-media/20210810162943.19852-1-novikov@ispras.ru
+Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../media/atomisp/i2c/atomisp-lm3554.c | 37 ++++++++++++-------
+ 1 file changed, 24 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/staging/media/atomisp/i2c/atomisp-lm3554.c b/drivers/staging/media/atomisp/i2c/atomisp-lm3554.c
+index 0ab67b2aec671..8739f0874103e 100644
+--- a/drivers/staging/media/atomisp/i2c/atomisp-lm3554.c
++++ b/drivers/staging/media/atomisp/i2c/atomisp-lm3554.c
+@@ -836,7 +836,6 @@ static int lm3554_probe(struct i2c_client *client)
+ int err = 0;
+ struct lm3554 *flash;
+ unsigned int i;
+- int ret;
+
+ flash = kzalloc(sizeof(*flash), GFP_KERNEL);
+ if (!flash)
+@@ -845,7 +844,7 @@ static int lm3554_probe(struct i2c_client *client)
+ flash->pdata = lm3554_platform_data_func(client);
+ if (IS_ERR(flash->pdata)) {
+ err = PTR_ERR(flash->pdata);
+- goto fail1;
++ goto free_flash;
+ }
+
+ v4l2_i2c_subdev_init(&flash->sd, client, &lm3554_ops);
+@@ -853,12 +852,12 @@ static int lm3554_probe(struct i2c_client *client)
+ flash->sd.flags |= V4L2_SUBDEV_FL_HAS_DEVNODE;
+ flash->mode = ATOMISP_FLASH_MODE_OFF;
+ flash->timeout = LM3554_MAX_TIMEOUT / LM3554_TIMEOUT_STEPSIZE - 1;
+- ret =
++ err =
+ v4l2_ctrl_handler_init(&flash->ctrl_handler,
+ ARRAY_SIZE(lm3554_controls));
+- if (ret) {
++ if (err) {
+ dev_err(&client->dev, "error initialize a ctrl_handler.\n");
+- goto fail3;
++ goto unregister_subdev;
+ }
+
+ for (i = 0; i < ARRAY_SIZE(lm3554_controls); i++)
+@@ -867,14 +866,15 @@ static int lm3554_probe(struct i2c_client *client)
+
+ if (flash->ctrl_handler.error) {
+ dev_err(&client->dev, "ctrl_handler error.\n");
+- goto fail3;
++ err = flash->ctrl_handler.error;
++ goto free_handler;
+ }
+
+ flash->sd.ctrl_handler = &flash->ctrl_handler;
+ err = media_entity_pads_init(&flash->sd.entity, 0, NULL);
+ if (err) {
+ dev_err(&client->dev, "error initialize a media entity.\n");
+- goto fail2;
++ goto free_handler;
+ }
+
+ flash->sd.entity.function = MEDIA_ENT_F_FLASH;
+@@ -885,16 +885,27 @@ static int lm3554_probe(struct i2c_client *client)
+
+ err = lm3554_gpio_init(client);
+ if (err) {
+- dev_err(&client->dev, "gpio request/direction_output fail");
+- goto fail3;
++ dev_err(&client->dev, "gpio request/direction_output fail.\n");
++ goto cleanup_media;
++ }
++
++ err = atomisp_register_i2c_module(&flash->sd, NULL, LED_FLASH);
++ if (err) {
++ dev_err(&client->dev, "fail to register atomisp i2c module.\n");
++ goto uninit_gpio;
+ }
+- return atomisp_register_i2c_module(&flash->sd, NULL, LED_FLASH);
+-fail3:
++
++ return 0;
++
++uninit_gpio:
++ lm3554_gpio_uninit(client);
++cleanup_media:
+ media_entity_cleanup(&flash->sd.entity);
++free_handler:
+ v4l2_ctrl_handler_free(&flash->ctrl_handler);
+-fail2:
++unregister_subdev:
+ v4l2_device_unregister_subdev(&flash->sd);
+-fail1:
++free_flash:
+ kfree(flash);
+
+ return err;
+--
+2.33.0
+
--- /dev/null
+From cbb155734161ad074086321212277981cfc7c44b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Aug 2021 10:50:10 +0200
+Subject: media: cx23885: Fix snd_card_free call on null card pointer
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 7266dda2f1dfe151b12ef0c14eb4d4e622fb211c ]
+
+Currently a call to snd_card_new that fails will set card with a NULL
+pointer, this causes a null pointer dereference on the error cleanup
+path when card it passed to snd_card_free. Fix this by adding a new
+error exit path that does not call snd_card_free and exiting via this
+new path.
+
+Addresses-Coverity: ("Explicit null dereference")
+
+Fixes: 9e44d63246a9 ("[media] cx23885: Add ALSA support")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/cx23885/cx23885-alsa.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/pci/cx23885/cx23885-alsa.c b/drivers/media/pci/cx23885/cx23885-alsa.c
+index 13689c5dd47ff..9154031c087d4 100644
+--- a/drivers/media/pci/cx23885/cx23885-alsa.c
++++ b/drivers/media/pci/cx23885/cx23885-alsa.c
+@@ -550,7 +550,7 @@ struct cx23885_audio_dev *cx23885_audio_register(struct cx23885_dev *dev)
+ SNDRV_DEFAULT_IDX1, SNDRV_DEFAULT_STR1,
+ THIS_MODULE, sizeof(struct cx23885_audio_dev), &card);
+ if (err < 0)
+- goto error;
++ goto error_msg;
+
+ chip = (struct cx23885_audio_dev *) card->private_data;
+ chip->dev = dev;
+@@ -576,6 +576,7 @@ struct cx23885_audio_dev *cx23885_audio_register(struct cx23885_dev *dev)
+
+ error:
+ snd_card_free(card);
++error_msg:
+ pr_err("%s(): Failed to register analog audio adapter\n",
+ __func__);
+
+--
+2.33.0
+
--- /dev/null
+From abe1605a9a4e8b3c6c11babb438741fa86843ea5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jul 2021 18:07:49 +0200
+Subject: media: cxd2880-spi: Fix a null pointer dereference on error handling
+ path
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 11b982e950d2138e90bd120501df10a439006ff8 ]
+
+Currently the null pointer check on dvb_spi->vcc_supply is inverted and
+this leads to only null values of the dvb_spi->vcc_supply being passed
+to the call of regulator_disable causing null pointer dereferences.
+Fix this by only calling regulator_disable if dvb_spi->vcc_supply is
+not null.
+
+Addresses-Coverity: ("Dereference after null check")
+
+Fixes: dcb014582101 ("media: cxd2880-spi: Fix an error handling path")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/spi/cxd2880-spi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/spi/cxd2880-spi.c b/drivers/media/spi/cxd2880-spi.c
+index 93194f03764d2..11273be702b6e 100644
+--- a/drivers/media/spi/cxd2880-spi.c
++++ b/drivers/media/spi/cxd2880-spi.c
+@@ -618,7 +618,7 @@ fail_frontend:
+ fail_attach:
+ dvb_unregister_adapter(&dvb_spi->adapter);
+ fail_adapter:
+- if (!dvb_spi->vcc_supply)
++ if (dvb_spi->vcc_supply)
+ regulator_disable(dvb_spi->vcc_supply);
+ fail_regulator:
+ kfree(dvb_spi);
+--
+2.33.0
+
--- /dev/null
+From 7b30efc42216ef588bbc18ef3eb940cbd9072b25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 22 Aug 2021 11:48:03 +0200
+Subject: media: dvb-frontends: mn88443x: Handle errors of clk_prepare_enable()
+
+From: Evgeny Novikov <novikov@ispras.ru>
+
+[ Upstream commit 69a10678e2fba3d182e78ea041f2d1b1a6058764 ]
+
+mn88443x_cmn_power_on() did not handle possible errors of
+clk_prepare_enable() and always finished successfully so that its caller
+mn88443x_probe() did not care about failed preparing/enabling of clocks
+as well.
+
+Add missed error handling in both mn88443x_cmn_power_on() and
+mn88443x_probe(). This required to change the return value of the former
+from "void" to "int".
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Fixes: 0f408ce8941f ("media: dvb-frontends: add Socionext MN88443x ISDB-S/T demodulator driver")
+Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
+Co-developed-by: Kirill Shilimanov <kirill.shilimanov@huawei.com>
+Signed-off-by: Kirill Shilimanov <kirill.shilimanov@huawei.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/mn88443x.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/dvb-frontends/mn88443x.c b/drivers/media/dvb-frontends/mn88443x.c
+index e4528784f8477..fff212c0bf3b5 100644
+--- a/drivers/media/dvb-frontends/mn88443x.c
++++ b/drivers/media/dvb-frontends/mn88443x.c
+@@ -204,11 +204,18 @@ struct mn88443x_priv {
+ struct regmap *regmap_t;
+ };
+
+-static void mn88443x_cmn_power_on(struct mn88443x_priv *chip)
++static int mn88443x_cmn_power_on(struct mn88443x_priv *chip)
+ {
++ struct device *dev = &chip->client_s->dev;
+ struct regmap *r_t = chip->regmap_t;
++ int ret;
+
+- clk_prepare_enable(chip->mclk);
++ ret = clk_prepare_enable(chip->mclk);
++ if (ret) {
++ dev_err(dev, "Failed to prepare and enable mclk: %d\n",
++ ret);
++ return ret;
++ }
+
+ gpiod_set_value_cansleep(chip->reset_gpio, 1);
+ usleep_range(100, 1000);
+@@ -222,6 +229,8 @@ static void mn88443x_cmn_power_on(struct mn88443x_priv *chip)
+ } else {
+ regmap_write(r_t, HIZSET3, 0x8f);
+ }
++
++ return 0;
+ }
+
+ static void mn88443x_cmn_power_off(struct mn88443x_priv *chip)
+@@ -738,7 +747,10 @@ static int mn88443x_probe(struct i2c_client *client,
+ chip->fe.demodulator_priv = chip;
+ i2c_set_clientdata(client, chip);
+
+- mn88443x_cmn_power_on(chip);
++ ret = mn88443x_cmn_power_on(chip);
++ if (ret)
++ goto err_i2c_t;
++
+ mn88443x_s_sleep(chip);
+ mn88443x_t_sleep(chip);
+
+--
+2.33.0
+
--- /dev/null
+From 76eb9946b24c0c5c5a0a390e07d9d81fcc3b8723 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Aug 2021 16:34:20 +0200
+Subject: media: dvb-usb: fix ununit-value in az6027_rc_query
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit afae4ef7d5ad913cab1316137854a36bea6268a5 ]
+
+Syzbot reported ununit-value bug in az6027_rc_query(). The problem was
+in missing state pointer initialization. Since this function does nothing
+we can simply initialize state to REMOTE_NO_KEY_PRESSED.
+
+Reported-and-tested-by: syzbot+2cd8c5db4a85f0a04142@syzkaller.appspotmail.com
+
+Fixes: 76f9a820c867 ("V4L/DVB: AZ6027: Initial import of the driver")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/az6027.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/usb/dvb-usb/az6027.c b/drivers/media/usb/dvb-usb/az6027.c
+index 1c39b61cde29b..86788771175b7 100644
+--- a/drivers/media/usb/dvb-usb/az6027.c
++++ b/drivers/media/usb/dvb-usb/az6027.c
+@@ -391,6 +391,7 @@ static struct rc_map_table rc_map_az6027_table[] = {
+ /* remote control stuff (does not work with my box) */
+ static int az6027_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
+ {
++ *state = REMOTE_NO_KEY_PRESSED;
+ return 0;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 5371bf89ec75db9615b479ab02ca0f3a2d0d8aeb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jul 2021 22:23:33 +0200
+Subject: media: em28xx: add missing em28xx_close_extension
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit 2c98b8a3458df03abdc6945bbef67ef91d181938 ]
+
+If em28xx dev has ->dev_next pointer, we need to delete ->dev_next list
+node from em28xx_extension_devlist on disconnect to avoid UAF bugs and
+corrupted list bugs, since driver frees this pointer on disconnect.
+
+Reported-and-tested-by: syzbot+a6969ef522a36d3344c9@syzkaller.appspotmail.com
+
+Fixes: 1a23f81b7dc3 ("V4L/DVB (9979): em28xx: move usb probe code to a proper place")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/em28xx/em28xx-cards.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/em28xx/em28xx-cards.c b/drivers/media/usb/em28xx/em28xx-cards.c
+index 5144888ae36f7..cf45cc566cbe2 100644
+--- a/drivers/media/usb/em28xx/em28xx-cards.c
++++ b/drivers/media/usb/em28xx/em28xx-cards.c
+@@ -4089,8 +4089,11 @@ static void em28xx_usb_disconnect(struct usb_interface *intf)
+
+ em28xx_close_extension(dev);
+
+- if (dev->dev_next)
++ if (dev->dev_next) {
++ em28xx_close_extension(dev->dev_next);
+ em28xx_release_resources(dev->dev_next);
++ }
++
+ em28xx_release_resources(dev);
+
+ if (dev->dev_next) {
+--
+2.33.0
+
--- /dev/null
+From c6e28917751af1f23f3794a467f0c13aa0707729 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Sep 2021 18:07:02 +0200
+Subject: media: em28xx: Don't use ops->suspend if it is NULL
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 51fa3b70d27342baf1ea8aaab3e96e5f4f26d5b2 ]
+
+The call to ops->suspend for the dev->dev_next case can currently
+trigger a call on a null function pointer if ops->suspend is null.
+Skip over the use of function ops->suspend if it is null.
+
+Addresses-Coverity: ("Dereference after null check")
+
+Fixes: be7fd3c3a8c5 ("media: em28xx: Hauppauge DualHD second tuner functionality")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/em28xx/em28xx-core.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/em28xx/em28xx-core.c b/drivers/media/usb/em28xx/em28xx-core.c
+index 3daa64bb1e1d9..af9216278024f 100644
+--- a/drivers/media/usb/em28xx/em28xx-core.c
++++ b/drivers/media/usb/em28xx/em28xx-core.c
+@@ -1152,8 +1152,9 @@ int em28xx_suspend_extension(struct em28xx *dev)
+ dev_info(&dev->intf->dev, "Suspending extensions\n");
+ mutex_lock(&em28xx_devlist_mutex);
+ list_for_each_entry(ops, &em28xx_extension_devlist, next) {
+- if (ops->suspend)
+- ops->suspend(dev);
++ if (!ops->suspend)
++ continue;
++ ops->suspend(dev);
+ if (dev->dev_next)
+ ops->suspend(dev->dev_next);
+ }
+--
+2.33.0
+
--- /dev/null
+From a61f99205e6074bdbbdb6e77d31b25836666ab75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Sep 2021 01:28:08 +0200
+Subject: media: i2c: ths8200 needs V4L2_ASYNC
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit e4625044d656f3c33ece0cc9da22577bc10ca5d3 ]
+
+Fix the build errors reported by the kernel test robot by
+selecting V4L2_ASYNC:
+
+mips-linux-ld: drivers/media/i2c/ths8200.o: in function `ths8200_remove':
+ths8200.c:(.text+0x1ec): undefined reference to `v4l2_async_unregister_subdev'
+mips-linux-ld: drivers/media/i2c/ths8200.o: in function `ths8200_probe':
+ths8200.c:(.text+0x404): undefined reference to `v4l2_async_register_subdev'
+
+Fixes: ed29f89497006 ("media: i2c: ths8200: support asynchronous probing")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Reviewed-by: Lad Prabhakar <prabhakar.csengg@gmail.com>
+Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/i2c/Kconfig b/drivers/media/i2c/Kconfig
+index 878f66ef2719f..5f5a3915ac778 100644
+--- a/drivers/media/i2c/Kconfig
++++ b/drivers/media/i2c/Kconfig
+@@ -595,6 +595,7 @@ config VIDEO_AK881X
+ config VIDEO_THS8200
+ tristate "Texas Instruments THS8200 video encoder"
+ depends on VIDEO_V4L2 && I2C
++ select V4L2_ASYNC
+ help
+ Support for the Texas Instruments THS8200 video encoder.
+
+--
+2.33.0
+
--- /dev/null
+From 4c95740685c9b1a1fe10aa2f5632b6c22a3ed7b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Sep 2021 10:47:46 +0200
+Subject: media: imx: set a media_device bus_info string
+
+From: Martin Kepplinger <martin.kepplinger@puri.sm>
+
+[ Upstream commit 6d0d779b212c27293d9ccb4da092ff0ccb6efa39 ]
+
+Some tools like v4l2-compliance let users select a media device based
+on the bus_info string which can be quite convenient. Use a unique
+string for that.
+
+This also fixes the following v4l2-compliance warning:
+warn: v4l2-test-media.cpp(52): empty bus_info
+
+Signed-off-by: Martin Kepplinger <martin.kepplinger@puri.sm>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/imx/imx-media-dev-common.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/staging/media/imx/imx-media-dev-common.c b/drivers/staging/media/imx/imx-media-dev-common.c
+index 5fe4b22ab8473..7e0d769566bdd 100644
+--- a/drivers/staging/media/imx/imx-media-dev-common.c
++++ b/drivers/staging/media/imx/imx-media-dev-common.c
+@@ -363,6 +363,8 @@ struct imx_media_dev *imx_media_dev_init(struct device *dev,
+ imxmd->v4l2_dev.notify = imx_media_notify;
+ strscpy(imxmd->v4l2_dev.name, "imx-media",
+ sizeof(imxmd->v4l2_dev.name));
++ snprintf(imxmd->md.bus_info, sizeof(imxmd->md.bus_info),
++ "platform:%s", dev_name(imxmd->md.dev));
+
+ media_device_init(&imxmd->md);
+
+--
+2.33.0
+
--- /dev/null
+From d896ef04de70adb4583c6a8d7d13beaf11d42547 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Oct 2021 00:26:21 +0200
+Subject: media: ipu3-imgu: imgu_fmt: Handle properly try
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit 553481e38045f349bb9aa596d03bebd020020c9c ]
+
+For a try_fmt call, the node noes not need to be enabled.
+
+Fixes v4l2-compliance
+
+fail: v4l2-test-formats.cpp(717): Video Output Multiplanar is valid, but
+ no TRY_FMT was implemented
+test VIDIOC_TRY_FMT: FAIL
+
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/ipu3/ipu3-v4l2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/media/ipu3/ipu3-v4l2.c b/drivers/staging/media/ipu3/ipu3-v4l2.c
+index e0179616a29cf..7926a777cbc8b 100644
+--- a/drivers/staging/media/ipu3/ipu3-v4l2.c
++++ b/drivers/staging/media/ipu3/ipu3-v4l2.c
+@@ -696,7 +696,7 @@ static int imgu_fmt(struct imgu_device *imgu, unsigned int pipe, int node,
+
+ /* CSS expects some format on OUT queue */
+ if (i != IPU3_CSS_QUEUE_OUT &&
+- !imgu_pipe->nodes[inode].enabled) {
++ !imgu_pipe->nodes[inode].enabled && !try) {
+ fmts[i] = NULL;
+ continue;
+ }
+--
+2.33.0
+
--- /dev/null
+From 8abb58f0938bbbabf72bb47577d7df43a2b673bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Oct 2021 00:26:22 +0200
+Subject: media: ipu3-imgu: VIDIOC_QUERYCAP: Fix bus_info
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit ea2b9a33711604e91f8c826f4dcb3c12baa1990a ]
+
+bus_info field had a different value for the media entity and the video
+device.
+
+Fixes v4l2-compliance:
+
+v4l2-compliance.cpp(637): media bus_info 'PCI:0000:00:05.0' differs from
+ V4L2 bus_info 'PCI:viewfinder'
+
+Reviewed-by: Bingbu Cao <bingbu.cao@intel.com>
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/ipu3/ipu3-v4l2.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/staging/media/ipu3/ipu3-v4l2.c b/drivers/staging/media/ipu3/ipu3-v4l2.c
+index 7926a777cbc8b..103f84466f6fc 100644
+--- a/drivers/staging/media/ipu3/ipu3-v4l2.c
++++ b/drivers/staging/media/ipu3/ipu3-v4l2.c
+@@ -592,11 +592,12 @@ static const struct imgu_fmt *find_format(struct v4l2_format *f, u32 type)
+ static int imgu_vidioc_querycap(struct file *file, void *fh,
+ struct v4l2_capability *cap)
+ {
+- struct imgu_video_device *node = file_to_intel_imgu_node(file);
++ struct imgu_device *imgu = video_drvdata(file);
+
+ strscpy(cap->driver, IMGU_NAME, sizeof(cap->driver));
+ strscpy(cap->card, IMGU_NAME, sizeof(cap->card));
+- snprintf(cap->bus_info, sizeof(cap->bus_info), "PCI:%s", node->name);
++ snprintf(cap->bus_info, sizeof(cap->bus_info), "PCI:%s",
++ pci_name(imgu->pci_dev));
+
+ return 0;
+ }
+--
+2.33.0
+
--- /dev/null
+From c1833feabb155e77b9382ff34cf29b37acfa1dbc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Oct 2021 09:14:10 +0100
+Subject: media: ir_toy: assignment to be16 should be of correct type
+
+From: Sean Young <sean@mess.org>
+
+[ Upstream commit febfe985fc2ea052a363f6525ff624b8efd5273c ]
+
+commit f0c15b360fb6 ("media: ir_toy: prevent device from hanging during
+transmit") removed a cpu_to_be16() cast, which causes a sparse warning.
+
+Fixes: f0c15b360fb6 ("media: ir_toy: prevent device from hanging during transmit")
+Reported-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/rc/ir_toy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/rc/ir_toy.c b/drivers/media/rc/ir_toy.c
+index 48d52baec1a1c..1aa7989e756cc 100644
+--- a/drivers/media/rc/ir_toy.c
++++ b/drivers/media/rc/ir_toy.c
+@@ -310,7 +310,7 @@ static int irtoy_tx(struct rc_dev *rc, uint *txbuf, uint count)
+ buf[i] = cpu_to_be16(v);
+ }
+
+- buf[count] = 0xffff;
++ buf[count] = cpu_to_be16(0xffff);
+
+ irtoy->tx_buf = buf;
+ irtoy->tx_len = size;
+--
+2.33.0
+
--- /dev/null
+From 58d3b1dc13ea74c59478be28b0cbe24fc0212ebf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Aug 2021 22:31:10 +0200
+Subject: media: mceusb: return without resubmitting URB in case of -EPROTO
+ error.
+
+From: Rajat Asthana <rajatasthana4@gmail.com>
+
+[ Upstream commit 476db72e521983ecb847e4013b263072bb1110fc ]
+
+Syzkaller reported a warning called "rcu detected stall in dummy_timer".
+
+The error seems to be an error in mceusb_dev_recv(). In the case of
+-EPROTO error, the routine immediately resubmits the URB. Instead it
+should return without resubmitting URB.
+
+Reported-by: syzbot+4d3749e9612c2cfab956@syzkaller.appspotmail.com
+Signed-off-by: Rajat Asthana <rajatasthana4@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/rc/mceusb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/rc/mceusb.c b/drivers/media/rc/mceusb.c
+index 5642595a057ec..8870c4e6c5f44 100644
+--- a/drivers/media/rc/mceusb.c
++++ b/drivers/media/rc/mceusb.c
+@@ -1386,6 +1386,7 @@ static void mceusb_dev_recv(struct urb *urb)
+ case -ECONNRESET:
+ case -ENOENT:
+ case -EILSEQ:
++ case -EPROTO:
+ case -ESHUTDOWN:
+ usb_unlink_urb(urb);
+ return;
+--
+2.33.0
+
--- /dev/null
+From 522b2f387883c92c4fbd23a2e192d29c3d156293 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jul 2021 09:35:15 +0200
+Subject: media: mt9p031: Fix corrupted frame after restarting stream
+
+From: Dirk Bender <d.bender@phytec.de>
+
+[ Upstream commit 0961ba6dd211a4a52d1dd4c2d59be60ac2dc08c7 ]
+
+To prevent corrupted frames after starting and stopping the sensor its
+datasheet specifies a specific pause sequence to follow:
+
+Stopping:
+ Set Pause_Restart Bit -> Set Restart Bit -> Set Chip_Enable Off
+
+Restarting:
+ Set Chip_Enable On -> Clear Pause_Restart Bit
+
+The Restart Bit is cleared automatically and must not be cleared
+manually as this would cause undefined behavior.
+
+Signed-off-by: Dirk Bender <d.bender@phytec.de>
+Signed-off-by: Stefan Riedmueller <s.riedmueller@phytec.de>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/mt9p031.c | 28 +++++++++++++++++++++++++++-
+ 1 file changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/mt9p031.c b/drivers/media/i2c/mt9p031.c
+index dc23b9ed510a4..18440c5104ad9 100644
+--- a/drivers/media/i2c/mt9p031.c
++++ b/drivers/media/i2c/mt9p031.c
+@@ -78,7 +78,9 @@
+ #define MT9P031_PIXEL_CLOCK_INVERT (1 << 15)
+ #define MT9P031_PIXEL_CLOCK_SHIFT(n) ((n) << 8)
+ #define MT9P031_PIXEL_CLOCK_DIVIDE(n) ((n) << 0)
+-#define MT9P031_FRAME_RESTART 0x0b
++#define MT9P031_RESTART 0x0b
++#define MT9P031_FRAME_PAUSE_RESTART (1 << 1)
++#define MT9P031_FRAME_RESTART (1 << 0)
+ #define MT9P031_SHUTTER_DELAY 0x0c
+ #define MT9P031_RST 0x0d
+ #define MT9P031_RST_ENABLE 1
+@@ -445,9 +447,23 @@ static int mt9p031_set_params(struct mt9p031 *mt9p031)
+ static int mt9p031_s_stream(struct v4l2_subdev *subdev, int enable)
+ {
+ struct mt9p031 *mt9p031 = to_mt9p031(subdev);
++ struct i2c_client *client = v4l2_get_subdevdata(subdev);
++ int val;
+ int ret;
+
+ if (!enable) {
++ /* enable pause restart */
++ val = MT9P031_FRAME_PAUSE_RESTART;
++ ret = mt9p031_write(client, MT9P031_RESTART, val);
++ if (ret < 0)
++ return ret;
++
++ /* enable restart + keep pause restart set */
++ val |= MT9P031_FRAME_RESTART;
++ ret = mt9p031_write(client, MT9P031_RESTART, val);
++ if (ret < 0)
++ return ret;
++
+ /* Stop sensor readout */
+ ret = mt9p031_set_output_control(mt9p031,
+ MT9P031_OUTPUT_CONTROL_CEN, 0);
+@@ -467,6 +483,16 @@ static int mt9p031_s_stream(struct v4l2_subdev *subdev, int enable)
+ if (ret < 0)
+ return ret;
+
++ /*
++ * - clear pause restart
++ * - don't clear restart as clearing restart manually can cause
++ * undefined behavior
++ */
++ val = MT9P031_FRAME_RESTART;
++ ret = mt9p031_write(client, MT9P031_RESTART, val);
++ if (ret < 0)
++ return ret;
++
+ return mt9p031_pll_enable(mt9p031);
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 238c350033ce8df5da1a3af08383186a8f017d9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Aug 2021 22:21:25 +0200
+Subject: media: mtk-vpu: Fix a resource leak in the error handling path of
+ 'mtk_vpu_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 2143ad413c05c7be24c3a92760e367b7f6aaac92 ]
+
+A successful 'clk_prepare()' call should be balanced by a corresponding
+'clk_unprepare()' call in the error handling path of the probe, as already
+done in the remove function.
+
+Update the error handling path accordingly.
+
+Fixes: 3003a180ef6b ("[media] VPU: mediatek: support Mediatek VPU")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Houlong Wei <houlong.wei@mediatek.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/mtk-vpu/mtk_vpu.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/mtk-vpu/mtk_vpu.c b/drivers/media/platform/mtk-vpu/mtk_vpu.c
+index 36cb9b6131f7e..c62eb212cca92 100644
+--- a/drivers/media/platform/mtk-vpu/mtk_vpu.c
++++ b/drivers/media/platform/mtk-vpu/mtk_vpu.c
+@@ -820,7 +820,8 @@ static int mtk_vpu_probe(struct platform_device *pdev)
+ vpu->wdt.wq = create_singlethread_workqueue("vpu_wdt");
+ if (!vpu->wdt.wq) {
+ dev_err(dev, "initialize wdt workqueue failed\n");
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto clk_unprepare;
+ }
+ INIT_WORK(&vpu->wdt.ws, vpu_wdt_reset_func);
+ mutex_init(&vpu->vpu_mutex);
+@@ -914,6 +915,8 @@ disable_vpu_clk:
+ vpu_clock_disable(vpu);
+ workqueue_destroy:
+ destroy_workqueue(vpu->wdt.wq);
++clk_unprepare:
++ clk_unprepare(vpu->clk);
+
+ return ret;
+ }
+--
+2.33.0
+
--- /dev/null
+From d02c179904101aac1a566f208d518bc7d9e127bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jun 2021 08:01:05 +0200
+Subject: media: netup_unidvb: handle interrupt properly according to the
+ firmware
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit dbb4cfea6efe979ed153bd59a6a527a90d3d0ab3 ]
+
+The interrupt handling should be related to the firmware version. If
+the driver matches an old firmware, then the driver should not handle
+interrupt such as i2c or dma, otherwise it will cause some errors.
+
+This log reveals it:
+
+[ 27.708641] INFO: trying to register non-static key.
+[ 27.710851] The code is fine but needs lockdep annotation, or maybe
+[ 27.712010] you didn't initialize this object before use?
+[ 27.712396] turning off the locking correctness validator.
+[ 27.712787] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 5.12.4-g70e7f0549188-dirty #169
+[ 27.713349] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
+[ 27.714149] Call Trace:
+[ 27.714329] <IRQ>
+[ 27.714480] dump_stack+0xba/0xf5
+[ 27.714737] register_lock_class+0x873/0x8f0
+[ 27.715052] ? __lock_acquire+0x323/0x1930
+[ 27.715353] __lock_acquire+0x75/0x1930
+[ 27.715636] lock_acquire+0x1dd/0x3e0
+[ 27.715905] ? netup_i2c_interrupt+0x19/0x310
+[ 27.716226] _raw_spin_lock_irqsave+0x4b/0x60
+[ 27.716544] ? netup_i2c_interrupt+0x19/0x310
+[ 27.716863] netup_i2c_interrupt+0x19/0x310
+[ 27.717178] netup_unidvb_isr+0xd3/0x160
+[ 27.717467] __handle_irq_event_percpu+0x53/0x3e0
+[ 27.717808] handle_irq_event_percpu+0x35/0x90
+[ 27.718129] handle_irq_event+0x39/0x60
+[ 27.718409] handle_fasteoi_irq+0xc2/0x1d0
+[ 27.718707] __common_interrupt+0x7f/0x150
+[ 27.719008] common_interrupt+0xb4/0xd0
+[ 27.719289] </IRQ>
+[ 27.719446] asm_common_interrupt+0x1e/0x40
+[ 27.719747] RIP: 0010:native_safe_halt+0x17/0x20
+[ 27.720084] Code: 07 0f 00 2d 8b ee 4c 00 f4 5d c3 0f 1f 84 00 00 00 00 00 8b 05 72 95 17 02 55 48 89 e5 85 c0 7e 07 0f 00 2d 6b ee 4c 00 fb f4 <5d> c3 cc cc cc cc cc cc cc 55 48 89 e5 e8 67 53 ff ff 8b 0d 29 f6
+[ 27.721386] RSP: 0018:ffffc9000008fe90 EFLAGS: 00000246
+[ 27.721758] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
+[ 27.722262] RDX: 0000000000000000 RSI: ffffffff85f7c054 RDI: ffffffff85ded4e6
+[ 27.722770] RBP: ffffc9000008fe90 R08: 0000000000000001 R09: 0000000000000001
+[ 27.723277] R10: 0000000000000000 R11: 0000000000000001 R12: ffffffff86a75408
+[ 27.723781] R13: 0000000000000000 R14: 0000000000000000 R15: ffff888100260000
+[ 27.724289] default_idle+0x9/0x10
+[ 27.724537] arch_cpu_idle+0xa/0x10
+[ 27.724791] default_idle_call+0x6e/0x250
+[ 27.725082] do_idle+0x1f0/0x2d0
+[ 27.725326] cpu_startup_entry+0x18/0x20
+[ 27.725613] start_secondary+0x11f/0x160
+[ 27.725902] secondary_startup_64_no_verify+0xb0/0xbb
+[ 27.726272] BUG: kernel NULL pointer dereference, address: 0000000000000002
+[ 27.726768] #PF: supervisor read access in kernel mode
+[ 27.727138] #PF: error_code(0x0000) - not-present page
+[ 27.727507] PGD 8000000118688067 P4D 8000000118688067 PUD 10feab067 PMD 0
+[ 27.727999] Oops: 0000 [#1] PREEMPT SMP PTI
+[ 27.728302] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 5.12.4-g70e7f0549188-dirty #169
+[ 27.728861] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
+[ 27.729660] RIP: 0010:netup_i2c_interrupt+0x23/0x310
+[ 27.730019] Code: 0f 1f 80 00 00 00 00 55 48 89 e5 41 55 41 54 53 48 89 fb e8 af 6e 95 fd 48 89 df e8 e7 9f 1c 01 49 89 c5 48 8b 83 48 08 00 00 <66> 44 8b 60 02 44 89 e0 48 8b 93 48 08 00 00 83 e0 f8 66 89 42 02
+[ 27.731339] RSP: 0018:ffffc90000118e90 EFLAGS: 00010046
+[ 27.731716] RAX: 0000000000000000 RBX: ffff88810803c4d8 RCX: 0000000000000000
+[ 27.732223] RDX: 0000000000000001 RSI: ffffffff85d37b94 RDI: ffff88810803c4d8
+[ 27.732727] RBP: ffffc90000118ea8 R08: 0000000000000000 R09: 0000000000000001
+[ 27.733239] R10: ffff88810803c4f0 R11: 61646e6f63657320 R12: 0000000000000000
+[ 27.733745] R13: 0000000000000046 R14: ffff888101041000 R15: ffff8881081b2400
+[ 27.734251] FS: 0000000000000000(0000) GS:ffff88817bc80000(0000) knlGS:0000000000000000
+[ 27.734821] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 27.735228] CR2: 0000000000000002 CR3: 0000000108194000 CR4: 00000000000006e0
+[ 27.735735] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 27.736241] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 27.736744] Call Trace:
+[ 27.736924] <IRQ>
+[ 27.737074] netup_unidvb_isr+0xd3/0x160
+[ 27.737363] __handle_irq_event_percpu+0x53/0x3e0
+[ 27.737706] handle_irq_event_percpu+0x35/0x90
+[ 27.738028] handle_irq_event+0x39/0x60
+[ 27.738306] handle_fasteoi_irq+0xc2/0x1d0
+[ 27.738602] __common_interrupt+0x7f/0x150
+[ 27.738899] common_interrupt+0xb4/0xd0
+[ 27.739176] </IRQ>
+[ 27.739331] asm_common_interrupt+0x1e/0x40
+[ 27.739633] RIP: 0010:native_safe_halt+0x17/0x20
+[ 27.739967] Code: 07 0f 00 2d 8b ee 4c 00 f4 5d c3 0f 1f 84 00 00 00 00 00 8b 05 72 95 17 02 55 48 89 e5 85 c0 7e 07 0f 00 2d 6b ee 4c 00 fb f4 <5d> c3 cc cc cc cc cc cc cc 55 48 89 e5 e8 67 53 ff ff 8b 0d 29 f6
+[ 27.741275] RSP: 0018:ffffc9000008fe90 EFLAGS: 00000246
+[ 27.741647] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
+[ 27.742148] RDX: 0000000000000000 RSI: ffffffff85f7c054 RDI: ffffffff85ded4e6
+[ 27.742652] RBP: ffffc9000008fe90 R08: 0000000000000001 R09: 0000000000000001
+[ 27.743154] R10: 0000000000000000 R11: 0000000000000001 R12: ffffffff86a75408
+[ 27.743652] R13: 0000000000000000 R14: 0000000000000000 R15: ffff888100260000
+[ 27.744157] default_idle+0x9/0x10
+[ 27.744405] arch_cpu_idle+0xa/0x10
+[ 27.744658] default_idle_call+0x6e/0x250
+[ 27.744948] do_idle+0x1f0/0x2d0
+[ 27.745190] cpu_startup_entry+0x18/0x20
+[ 27.745475] start_secondary+0x11f/0x160
+[ 27.745761] secondary_startup_64_no_verify+0xb0/0xbb
+[ 27.746123] Modules linked in:
+[ 27.746348] Dumping ftrace buffer:
+[ 27.746596] (ftrace buffer empty)
+[ 27.746852] CR2: 0000000000000002
+[ 27.747094] ---[ end trace ebafd46f83ab946d ]---
+[ 27.747424] RIP: 0010:netup_i2c_interrupt+0x23/0x310
+[ 27.747778] Code: 0f 1f 80 00 00 00 00 55 48 89 e5 41 55 41 54 53 48 89 fb e8 af 6e 95 fd 48 89 df e8 e7 9f 1c 01 49 89 c5 48 8b 83 48 08 00 00 <66> 44 8b 60 02 44 89 e0 48 8b 93 48 08 00 00 83 e0 f8 66 89 42 02
+[ 27.749082] RSP: 0018:ffffc90000118e90 EFLAGS: 00010046
+[ 27.749461] RAX: 0000000000000000 RBX: ffff88810803c4d8 RCX: 0000000000000000
+[ 27.749966] RDX: 0000000000000001 RSI: ffffffff85d37b94 RDI: ffff88810803c4d8
+[ 27.750471] RBP: ffffc90000118ea8 R08: 0000000000000000 R09: 0000000000000001
+[ 27.750976] R10: ffff88810803c4f0 R11: 61646e6f63657320 R12: 0000000000000000
+[ 27.751480] R13: 0000000000000046 R14: ffff888101041000 R15: ffff8881081b2400
+[ 27.751986] FS: 0000000000000000(0000) GS:ffff88817bc80000(0000) knlGS:0000000000000000
+[ 27.752560] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 27.752970] CR2: 0000000000000002 CR3: 0000000108194000 CR4: 00000000000006e0
+[ 27.753481] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 27.753984] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 27.754487] Kernel panic - not syncing: Fatal exception in interrupt
+[ 27.755033] Dumping ftrace buffer:
+[ 27.755279] (ftrace buffer empty)
+[ 27.755534] Kernel Offset: disabled
+[ 27.755785] Rebooting in 1 seconds..
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../pci/netup_unidvb/netup_unidvb_core.c | 27 +++++++++++--------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c
+index 6f3125c2d0976..77bae14685513 100644
+--- a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c
++++ b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c
+@@ -258,19 +258,24 @@ static irqreturn_t netup_unidvb_isr(int irq, void *dev_id)
+ if ((reg40 & AVL_IRQ_ASSERTED) != 0) {
+ /* IRQ is being signaled */
+ reg_isr = readw(ndev->bmmio0 + REG_ISR);
+- if (reg_isr & NETUP_UNIDVB_IRQ_I2C0) {
+- iret = netup_i2c_interrupt(&ndev->i2c[0]);
+- } else if (reg_isr & NETUP_UNIDVB_IRQ_I2C1) {
+- iret = netup_i2c_interrupt(&ndev->i2c[1]);
+- } else if (reg_isr & NETUP_UNIDVB_IRQ_SPI) {
++ if (reg_isr & NETUP_UNIDVB_IRQ_SPI)
+ iret = netup_spi_interrupt(ndev->spi);
+- } else if (reg_isr & NETUP_UNIDVB_IRQ_DMA1) {
+- iret = netup_dma_interrupt(&ndev->dma[0]);
+- } else if (reg_isr & NETUP_UNIDVB_IRQ_DMA2) {
+- iret = netup_dma_interrupt(&ndev->dma[1]);
+- } else if (reg_isr & NETUP_UNIDVB_IRQ_CI) {
+- iret = netup_ci_interrupt(ndev);
++ else if (!ndev->old_fw) {
++ if (reg_isr & NETUP_UNIDVB_IRQ_I2C0) {
++ iret = netup_i2c_interrupt(&ndev->i2c[0]);
++ } else if (reg_isr & NETUP_UNIDVB_IRQ_I2C1) {
++ iret = netup_i2c_interrupt(&ndev->i2c[1]);
++ } else if (reg_isr & NETUP_UNIDVB_IRQ_DMA1) {
++ iret = netup_dma_interrupt(&ndev->dma[0]);
++ } else if (reg_isr & NETUP_UNIDVB_IRQ_DMA2) {
++ iret = netup_dma_interrupt(&ndev->dma[1]);
++ } else if (reg_isr & NETUP_UNIDVB_IRQ_CI) {
++ iret = netup_ci_interrupt(ndev);
++ } else {
++ goto err;
++ }
+ } else {
++err:
+ dev_err(&pci_dev->dev,
+ "%s(): unknown interrupt 0x%x\n",
+ __func__, reg_isr);
+--
+2.33.0
+
--- /dev/null
+From 58e7e09dc8dd201e7beea6c58d2bb736f0cfbd68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Aug 2021 21:46:08 +0200
+Subject: media: radio-wl1273: Avoid card name truncation
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit dfadec236aa99f6086141949c9dc3ec50f3ff20d ]
+
+The "card" string only holds 31 characters (and the terminating NUL).
+In order to avoid truncation, use a shorter card description instead of
+the current result, "Texas Instruments Wl1273 FM Rad".
+
+Suggested-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Fixes: 87d1a50ce451 ("[media] V4L2: WL1273 FM Radio: TI WL1273 FM radio driver")
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/radio/radio-wl1273.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/radio/radio-wl1273.c b/drivers/media/radio/radio-wl1273.c
+index 1123768731676..484046471c03f 100644
+--- a/drivers/media/radio/radio-wl1273.c
++++ b/drivers/media/radio/radio-wl1273.c
+@@ -1279,7 +1279,7 @@ static int wl1273_fm_vidioc_querycap(struct file *file, void *priv,
+
+ strscpy(capability->driver, WL1273_FM_DRIVER_NAME,
+ sizeof(capability->driver));
+- strscpy(capability->card, "Texas Instruments Wl1273 FM Radio",
++ strscpy(capability->card, "TI Wl1273 FM Radio",
+ sizeof(capability->card));
+ strscpy(capability->bus_info, radio->bus_type,
+ sizeof(capability->bus_info));
+--
+2.33.0
+
--- /dev/null
+From bee09ea56b962c86d7df0653b47f059a36229d75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Aug 2021 19:18:16 +0200
+Subject: media: rcar-csi2: Add checking to rcsi2_start_receiver()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nadezda Lutovinova <lutovinova@ispras.ru>
+
+[ Upstream commit fc41665498332ad394b7db37f23e9394096ddc71 ]
+
+If rcsi2_code_to_fmt() return NULL, then null pointer dereference occurs
+in the next cycle. That should not be possible now but adding checking
+protects from future bugs.
+The patch adds checking if format is NULL.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Nadezda Lutovinova <lutovinova@ispras.ru>
+Reviewed-by: Jacopo Mondi <jacopo@jmondi.org>
+Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/rcar-vin/rcar-csi2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/media/platform/rcar-vin/rcar-csi2.c b/drivers/media/platform/rcar-vin/rcar-csi2.c
+index 79f229756805e..d2d87a204e918 100644
+--- a/drivers/media/platform/rcar-vin/rcar-csi2.c
++++ b/drivers/media/platform/rcar-vin/rcar-csi2.c
+@@ -544,6 +544,8 @@ static int rcsi2_start_receiver(struct rcar_csi2 *priv)
+
+ /* Code is validated in set_fmt. */
+ format = rcsi2_code_to_fmt(priv->mf.code);
++ if (!format)
++ return -EINVAL;
+
+ /*
+ * Enable all supported CSI-2 channels with virtual channel and
+--
+2.33.0
+
--- /dev/null
+From 017f72f5b7654cc01e7cbc18e30f1099b1387e63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Aug 2021 15:32:28 +0200
+Subject: media: s5p-mfc: Add checking to s5p_mfc_probe().
+
+From: Nadezda Lutovinova <lutovinova@ispras.ru>
+
+[ Upstream commit cdfaf4752e6915a4b455ad4400133e540e4dc965 ]
+
+If of_device_get_match_data() return NULL,
+then null pointer dereference occurs in s5p_mfc_init_pm().
+The patch adds checking if dev->variant is NULL.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Nadezda Lutovinova <lutovinova@ispras.ru>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/s5p-mfc/s5p_mfc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc.c b/drivers/media/platform/s5p-mfc/s5p_mfc.c
+index c763c0a03140c..f336a95432732 100644
+--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c
++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c
+@@ -1288,6 +1288,10 @@ static int s5p_mfc_probe(struct platform_device *pdev)
+ }
+
+ dev->variant = of_device_get_match_data(&pdev->dev);
++ if (!dev->variant) {
++ dev_err(&pdev->dev, "Failed to get device MFC hardware variant information\n");
++ return -ENOENT;
++ }
+
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ dev->regs_base = devm_ioremap_resource(&pdev->dev, res);
+--
+2.33.0
+
--- /dev/null
+From 0d73ebf073823bdd14a8e3490e28703b1043e906 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Aug 2021 09:55:35 +0200
+Subject: media: s5p-mfc: fix possible null-pointer dereference in
+ s5p_mfc_probe()
+
+From: Tuo Li <islituo@gmail.com>
+
+[ Upstream commit 8515965e5e33f4feb56134348c95953f3eadfb26 ]
+
+The variable pdev is assigned to dev->plat_dev, and dev->plat_dev is
+checked in:
+ if (!dev->plat_dev)
+
+This indicates both dev->plat_dev and pdev can be NULL. If so, the
+function dev_err() is called to print error information.
+ dev_err(&pdev->dev, "No platform data specified\n");
+
+However, &pdev->dev is an illegal address, and it is dereferenced in
+dev_err().
+
+To fix this possible null-pointer dereference, replace dev_err() with
+mfc_err().
+
+Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
+Signed-off-by: Tuo Li <islituo@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/s5p-mfc/s5p_mfc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc.c b/drivers/media/platform/s5p-mfc/s5p_mfc.c
+index eba2b9f040df0..c763c0a03140c 100644
+--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c
++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c
+@@ -1283,7 +1283,7 @@ static int s5p_mfc_probe(struct platform_device *pdev)
+ spin_lock_init(&dev->condlock);
+ dev->plat_dev = pdev;
+ if (!dev->plat_dev) {
+- dev_err(&pdev->dev, "No platform data specified\n");
++ mfc_err("No platform data specified\n");
+ return -ENODEV;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From dc53ebff692a043e944ae42068a0519f7d1c8c49 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Aug 2021 21:46:09 +0200
+Subject: media: si470x: Avoid card name truncation
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 2908249f3878a591f7918368fdf0b7b0a6c3158c ]
+
+The "card" string only holds 31 characters (and the terminating NUL).
+In order to avoid truncation, use a shorter card description instead of
+the current result, "Silicon Labs Si470x FM Radio Re".
+
+Suggested-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Fixes: 78656acdcf48 ("V4L/DVB (7038): USB radio driver for Silicon Labs Si470x FM Radio Receivers")
+Fixes: cc35bbddfe10 ("V4L/DVB (12416): radio-si470x: add i2c driver for si470x")
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/radio/si470x/radio-si470x-i2c.c | 2 +-
+ drivers/media/radio/si470x/radio-si470x-usb.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/radio/si470x/radio-si470x-i2c.c b/drivers/media/radio/si470x/radio-si470x-i2c.c
+index f491420d7b538..a972c0705ac79 100644
+--- a/drivers/media/radio/si470x/radio-si470x-i2c.c
++++ b/drivers/media/radio/si470x/radio-si470x-i2c.c
+@@ -11,7 +11,7 @@
+
+ /* driver definitions */
+ #define DRIVER_AUTHOR "Joonyoung Shim <jy0922.shim@samsung.com>";
+-#define DRIVER_CARD "Silicon Labs Si470x FM Radio Receiver"
++#define DRIVER_CARD "Silicon Labs Si470x FM Radio"
+ #define DRIVER_DESC "I2C radio driver for Si470x FM Radio Receivers"
+ #define DRIVER_VERSION "1.0.2"
+
+diff --git a/drivers/media/radio/si470x/radio-si470x-usb.c b/drivers/media/radio/si470x/radio-si470x-usb.c
+index fedff68d8c496..3f8634a465730 100644
+--- a/drivers/media/radio/si470x/radio-si470x-usb.c
++++ b/drivers/media/radio/si470x/radio-si470x-usb.c
+@@ -16,7 +16,7 @@
+
+ /* driver definitions */
+ #define DRIVER_AUTHOR "Tobias Lorenz <tobias.lorenz@gmx.net>"
+-#define DRIVER_CARD "Silicon Labs Si470x FM Radio Receiver"
++#define DRIVER_CARD "Silicon Labs Si470x FM Radio"
+ #define DRIVER_DESC "USB radio driver for Si470x FM Radio Receivers"
+ #define DRIVER_VERSION "1.0.10"
+
+--
+2.33.0
+
--- /dev/null
+From 141639c8cdbd7d02d6cd7dcd50e45b5bab8bb3d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 May 2021 17:06:26 +0200
+Subject: media: stm32: Potential NULL pointer dereference in dcmi_irq_thread()
+
+From: Dmitriy Ulitin <ulitin@ispras.ru>
+
+[ Upstream commit 548fa43a58696450c15b8f5564e99589c5144664 ]
+
+At the moment of enabling irq handling:
+
+1922 ret = devm_request_threaded_irq(&pdev->dev, irq, dcmi_irq_callback,
+1923 dcmi_irq_thread, IRQF_ONESHOT,
+1924 dev_name(&pdev->dev), dcmi);
+
+there is still uninitialized field sd_format of struct stm32_dcmi *dcmi.
+If an interrupt occurs in the interval between the installation of the
+interrupt handler and the initialization of this field, NULL pointer
+dereference happens.
+
+This field is dereferenced in the handler function without any check:
+
+457 if (dcmi->sd_format->fourcc == V4L2_PIX_FMT_JPEG &&
+458 dcmi->misr & IT_FRAME) {
+
+The patch moves interrupt handler installation
+after initialization of the sd_format field that happens in
+dcmi_graph_notify_complete() via dcmi_set_default_fmt().
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Dmitriy Ulitin <ulitin@ispras.ru>
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/stm32/stm32-dcmi.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/media/platform/stm32/stm32-dcmi.c b/drivers/media/platform/stm32/stm32-dcmi.c
+index fd1c41cba52fc..233e4d3feacd9 100644
+--- a/drivers/media/platform/stm32/stm32-dcmi.c
++++ b/drivers/media/platform/stm32/stm32-dcmi.c
+@@ -135,6 +135,7 @@ struct stm32_dcmi {
+ int sequence;
+ struct list_head buffers;
+ struct dcmi_buf *active;
++ int irq;
+
+ struct v4l2_device v4l2_dev;
+ struct video_device *vdev;
+@@ -1720,6 +1721,14 @@ static int dcmi_graph_notify_complete(struct v4l2_async_notifier *notifier)
+ return ret;
+ }
+
++ ret = devm_request_threaded_irq(dcmi->dev, dcmi->irq, dcmi_irq_callback,
++ dcmi_irq_thread, IRQF_ONESHOT,
++ dev_name(dcmi->dev), dcmi);
++ if (ret) {
++ dev_err(dcmi->dev, "Unable to request irq %d\n", dcmi->irq);
++ return ret;
++ }
++
+ return 0;
+ }
+
+@@ -1881,6 +1890,8 @@ static int dcmi_probe(struct platform_device *pdev)
+ if (irq <= 0)
+ return irq ? irq : -ENXIO;
+
++ dcmi->irq = irq;
++
+ dcmi->res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ if (!dcmi->res) {
+ dev_err(&pdev->dev, "Could not get resource\n");
+@@ -1893,14 +1904,6 @@ static int dcmi_probe(struct platform_device *pdev)
+ return PTR_ERR(dcmi->regs);
+ }
+
+- ret = devm_request_threaded_irq(&pdev->dev, irq, dcmi_irq_callback,
+- dcmi_irq_thread, IRQF_ONESHOT,
+- dev_name(&pdev->dev), dcmi);
+- if (ret) {
+- dev_err(&pdev->dev, "Unable to request irq %d\n", irq);
+- return ret;
+- }
+-
+ mclk = devm_clk_get(&pdev->dev, "mclk");
+ if (IS_ERR(mclk)) {
+ if (PTR_ERR(mclk) != -EPROBE_DEFER)
+--
+2.33.0
+
--- /dev/null
+From 588828563b1f6554c0d506d4593803acec4fcb4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Aug 2021 19:00:43 +0200
+Subject: media: TDA1997x: handle short reads of hdmi info frame.
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit 48d219f9cc667bc6fbc3e3af0b1bfd75db94fce4 ]
+
+Static analysis reports this representative problem
+
+tda1997x.c:1939: warning: 7th function call argument is an uninitialized
+value
+
+The 7th argument is buffer[0], which is set in the earlier call to
+io_readn(). When io_readn() call to io_read() fails with the first
+read, buffer[0] is not set and 0 is returned and stored in len.
+
+The later call to hdmi_infoframe_unpack()'s size parameter is the
+static size of buffer, always 40, so a short read is not caught
+in hdmi_infoframe_unpacks()'s checking. The variable len should be
+used instead.
+
+Zero initialize buffer to 0 so it is in a known start state.
+
+Fixes: 9ac0038db9a7 ("media: i2c: Add TDA1997x HDMI receiver driver")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Reviewed-by: Tim Harvey <tharvey@gateworks.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/tda1997x.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/i2c/tda1997x.c b/drivers/media/i2c/tda1997x.c
+index 17cc69c3227f8..8476330964fc7 100644
+--- a/drivers/media/i2c/tda1997x.c
++++ b/drivers/media/i2c/tda1997x.c
+@@ -1247,13 +1247,13 @@ tda1997x_parse_infoframe(struct tda1997x_state *state, u16 addr)
+ {
+ struct v4l2_subdev *sd = &state->sd;
+ union hdmi_infoframe frame;
+- u8 buffer[40];
++ u8 buffer[40] = { 0 };
+ u8 reg;
+ int len, err;
+
+ /* read data */
+ len = io_readn(sd, addr, sizeof(buffer), buffer);
+- err = hdmi_infoframe_unpack(&frame, buffer, sizeof(buffer));
++ err = hdmi_infoframe_unpack(&frame, buffer, len);
+ if (err) {
+ v4l_err(state->client,
+ "failed parsing %d byte infoframe: 0x%04x/0x%02x\n",
+@@ -1927,13 +1927,13 @@ static int tda1997x_log_infoframe(struct v4l2_subdev *sd, int addr)
+ {
+ struct tda1997x_state *state = to_state(sd);
+ union hdmi_infoframe frame;
+- u8 buffer[40];
++ u8 buffer[40] = { 0 };
+ int len, err;
+
+ /* read data */
+ len = io_readn(sd, addr, sizeof(buffer), buffer);
+ v4l2_dbg(1, debug, sd, "infoframe: addr=%d len=%d\n", addr, len);
+- err = hdmi_infoframe_unpack(&frame, buffer, sizeof(buffer));
++ err = hdmi_infoframe_unpack(&frame, buffer, len);
+ if (err) {
+ v4l_err(state->client,
+ "failed parsing %d byte infoframe: 0x%04x/0x%02x\n",
+--
+2.33.0
+
--- /dev/null
+From dec4448aeb56298b0fc36963456b78fb0daffb00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Aug 2021 21:46:10 +0200
+Subject: media: tm6000: Avoid card name truncation
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 42bb98e420d454fef3614b70ea11cc59068395f6 ]
+
+The "card" string only holds 31 characters (and the terminating NUL).
+In order to avoid truncation, use a shorter card description instead of
+the current result, "Trident TVMaster TM5600/6000/60".
+
+Suggested-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Fixes: e28f49b0b2a8 ("V4L/DVB: tm6000: fix some info messages")
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/tm6000/tm6000-video.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/tm6000/tm6000-video.c b/drivers/media/usb/tm6000/tm6000-video.c
+index 2df736c029d6e..01071e6cd7574 100644
+--- a/drivers/media/usb/tm6000/tm6000-video.c
++++ b/drivers/media/usb/tm6000/tm6000-video.c
+@@ -854,8 +854,7 @@ static int vidioc_querycap(struct file *file, void *priv,
+ struct tm6000_core *dev = ((struct tm6000_fh *)priv)->dev;
+
+ strscpy(cap->driver, "tm6000", sizeof(cap->driver));
+- strscpy(cap->card, "Trident TVMaster TM5600/6000/6010",
+- sizeof(cap->card));
++ strscpy(cap->card, "Trident TM5600/6000/6010", sizeof(cap->card));
+ usb_make_path(dev->udev, cap->bus_info, sizeof(cap->bus_info));
+ cap->capabilities = V4L2_CAP_VIDEO_CAPTURE | V4L2_CAP_READWRITE |
+ V4L2_CAP_DEVICE_CAPS;
+--
+2.33.0
+
--- /dev/null
+From 0714b3c22863529404e97c72f71e339e14d92699 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Dec 2020 07:16:06 +0100
+Subject: media: usb: dvd-usb: fix uninit-value bug in
+ dibusb_read_eeprom_byte()
+
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+
+[ Upstream commit 899a61a3305d49e8a712e9ab20d0db94bde5929f ]
+
+In dibusb_read_eeprom_byte(), if dibusb_i2c_msg() fails, val gets
+assigned an value that's not properly initialized.
+Using kzalloc() in place of kmalloc() for the buffer fixes this issue,
+as the val can now be set to 0 in the event dibusb_i2c_msg() fails.
+
+Reported-by: syzbot+e27b4fd589762b0b9329@syzkaller.appspotmail.com
+Tested-by: syzbot+e27b4fd589762b0b9329@syzkaller.appspotmail.com
+Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/dibusb-common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/dvb-usb/dibusb-common.c b/drivers/media/usb/dvb-usb/dibusb-common.c
+index 02b51d1a1b67c..aff60c10cb0b2 100644
+--- a/drivers/media/usb/dvb-usb/dibusb-common.c
++++ b/drivers/media/usb/dvb-usb/dibusb-common.c
+@@ -223,7 +223,7 @@ int dibusb_read_eeprom_byte(struct dvb_usb_device *d, u8 offs, u8 *val)
+ u8 *buf;
+ int rc;
+
+- buf = kmalloc(2, GFP_KERNEL);
++ buf = kzalloc(2, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+
+--
+2.33.0
+
--- /dev/null
+From b2bcf459594ae9ad07e6aadde6b23c1770c762af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 14:29:09 +0200
+Subject: media: uvcvideo: Return -EIO for control errors
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit ffccdde5f0e17d2f0d788a9d831a027187890eaa ]
+
+The device is doing something unexpected with the control. Either because
+the protocol is not properly implemented or there has been a HW error.
+
+Fixes v4l2-compliance:
+
+Control ioctls (Input 0):
+ fail: v4l2-test-controls.cpp(448): s_ctrl returned an error (22)
+ test VIDIOC_G/S_CTRL: FAIL
+ fail: v4l2-test-controls.cpp(698): s_ext_ctrls returned an error (22)
+ test VIDIOC_G/S/TRY_EXT_CTRLS: FAIL
+
+Reviewed-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_video.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c
+index 5878c78334862..b8477fa93b7d7 100644
+--- a/drivers/media/usb/uvc/uvc_video.c
++++ b/drivers/media/usb/uvc/uvc_video.c
+@@ -112,6 +112,11 @@ int uvc_query_ctrl(struct uvc_device *dev, u8 query, u8 unit,
+ case 5: /* Invalid unit */
+ case 6: /* Invalid control */
+ case 7: /* Invalid Request */
++ /*
++ * The firmware has not properly implemented
++ * the control or there has been a HW error.
++ */
++ return -EIO;
+ case 8: /* Invalid value within range */
+ return -EINVAL;
+ default: /* reserved or unknown */
+--
+2.33.0
+
--- /dev/null
+From f5ba8a43d6b1fc8a3171fbf207b4f53f9ce1bbc2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 14:29:08 +0200
+Subject: media: uvcvideo: Set capability in s_param
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit 97a2777a96070afb7da5d587834086c0b586c8cc ]
+
+Fixes v4l2-compliance:
+
+Format ioctls (Input 0):
+ warn: v4l2-test-formats.cpp(1339): S_PARM is supported but doesn't report V4L2_CAP_TIMEPERFRAME
+ fail: v4l2-test-formats.cpp(1241): node->has_frmintervals && !cap->capability
+
+Reviewed-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_v4l2.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c
+index 5f0e2fa69da5c..753b8a99e08fc 100644
+--- a/drivers/media/usb/uvc/uvc_v4l2.c
++++ b/drivers/media/usb/uvc/uvc_v4l2.c
+@@ -471,10 +471,13 @@ static int uvc_v4l2_set_streamparm(struct uvc_streaming *stream,
+ uvc_simplify_fraction(&timeperframe.numerator,
+ &timeperframe.denominator, 8, 333);
+
+- if (parm->type == V4L2_BUF_TYPE_VIDEO_CAPTURE)
++ if (parm->type == V4L2_BUF_TYPE_VIDEO_CAPTURE) {
+ parm->parm.capture.timeperframe = timeperframe;
+- else
++ parm->parm.capture.capability = V4L2_CAP_TIMEPERFRAME;
++ } else {
+ parm->parm.output.timeperframe = timeperframe;
++ parm->parm.output.capability = V4L2_CAP_TIMEPERFRAME;
++ }
+
+ return 0;
+ }
+--
+2.33.0
+
--- /dev/null
+From 0416ca49c2383f70c426575322ae7456a11b29ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 14:29:13 +0200
+Subject: media: uvcvideo: Set unique vdev name based in type
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit e3f60e7e1a2b451f538f9926763432249bcf39c4 ]
+
+All the entities must have a unique name. We can have a descriptive and
+unique name by appending the function and the entity->id.
+
+This is even resilent to multi chain devices.
+
+Fixes v4l2-compliance:
+Media Controller ioctls:
+ fail: v4l2-test-media.cpp(205): v2_entity_names_set.find(key) != v2_entity_names_set.end()
+ test MEDIA_IOC_G_TOPOLOGY: FAIL
+ fail: v4l2-test-media.cpp(394): num_data_links != num_links
+ test MEDIA_IOC_ENUM_ENTITIES/LINKS: FAIL
+
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Reviewed-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_driver.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c
+index 282f3d2388cc2..447b6a198926e 100644
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -2065,6 +2065,7 @@ int uvc_register_video_device(struct uvc_device *dev,
+ const struct v4l2_file_operations *fops,
+ const struct v4l2_ioctl_ops *ioctl_ops)
+ {
++ const char *name;
+ int ret;
+
+ /* Initialize the video buffers queue. */
+@@ -2093,16 +2094,20 @@ int uvc_register_video_device(struct uvc_device *dev,
+ case V4L2_BUF_TYPE_VIDEO_CAPTURE:
+ default:
+ vdev->device_caps = V4L2_CAP_VIDEO_CAPTURE | V4L2_CAP_STREAMING;
++ name = "Video Capture";
+ break;
+ case V4L2_BUF_TYPE_VIDEO_OUTPUT:
+ vdev->device_caps = V4L2_CAP_VIDEO_OUTPUT | V4L2_CAP_STREAMING;
++ name = "Video Output";
+ break;
+ case V4L2_BUF_TYPE_META_CAPTURE:
+ vdev->device_caps = V4L2_CAP_META_CAPTURE | V4L2_CAP_STREAMING;
++ name = "Metadata";
+ break;
+ }
+
+- strscpy(vdev->name, dev->name, sizeof(vdev->name));
++ snprintf(vdev->name, sizeof(vdev->name), "%s %u", name,
++ stream->header.bTerminalLink);
+
+ /*
+ * Set the driver data before calling video_register_device, otherwise
+--
+2.33.0
+
--- /dev/null
+From 440f1cd258d22d4d4040c593888eccb79a6d383e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 14:29:06 +0200
+Subject: media: v4l2-ioctl: S_CTRL output the right value
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit c87ed93574e3cd8346c05bd934c617596c12541b ]
+
+If the driver does not implement s_ctrl, but it does implement
+s_ext_ctrls, we convert the call.
+
+When that happens we have also to convert back the response from
+s_ext_ctrls.
+
+Fixes v4l2_compliance:
+Control ioctls (Input 0):
+ fail: v4l2-test-controls.cpp(411): returned control value out of range
+ fail: v4l2-test-controls.cpp(507): invalid control 00980900
+ test VIDIOC_G/S_CTRL: FAIL
+
+Fixes: 35ea11ff8471 ("V4L/DVB (8430): videodev: move some functions from v4l2-dev.h to v4l2-common.h or v4l2-ioctl.h")
+Reviewed-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/v4l2-core/v4l2-ioctl.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
+index 42958ce22de19..4ffa14e44efe4 100644
+--- a/drivers/media/v4l2-core/v4l2-ioctl.c
++++ b/drivers/media/v4l2-core/v4l2-ioctl.c
+@@ -2263,6 +2263,7 @@ static int v4l_s_ctrl(const struct v4l2_ioctl_ops *ops,
+ test_bit(V4L2_FL_USES_V4L2_FH, &vfd->flags) ? fh : NULL;
+ struct v4l2_ext_controls ctrls;
+ struct v4l2_ext_control ctrl;
++ int ret;
+
+ if (vfh && vfh->ctrl_handler)
+ return v4l2_s_ctrl(vfh, vfh->ctrl_handler, p);
+@@ -2278,9 +2279,11 @@ static int v4l_s_ctrl(const struct v4l2_ioctl_ops *ops,
+ ctrls.controls = &ctrl;
+ ctrl.id = p->id;
+ ctrl.value = p->value;
+- if (check_ext_ctrls(&ctrls, VIDIOC_S_CTRL))
+- return ops->vidioc_s_ext_ctrls(file, fh, &ctrls);
+- return -EINVAL;
++ if (!check_ext_ctrls(&ctrls, VIDIOC_S_CTRL))
++ return -EINVAL;
++ ret = ops->vidioc_s_ext_ctrls(file, fh, &ctrls);
++ p->value = ctrl.value;
++ return ret;
+ }
+
+ static int v4l_g_ext_ctrls(const struct v4l2_ioctl_ops *ops,
+--
+2.33.0
+
--- /dev/null
+From e0a90b6f2bb8a58e93e952af32aadfcc7309ff13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Sep 2021 23:14:32 +0800
+Subject: memory: fsl_ifc: fix leak of irq and nand_irq in fsl_ifc_ctrl_probe
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit 4ed2f3545c2e5acfbccd7f85fea5b1a82e9862d7 ]
+
+The error handling code of fsl_ifc_ctrl_probe is problematic. When
+fsl_ifc_ctrl_init fails or request_irq of fsl_ifc_ctrl_dev->irq fails,
+it forgets to free the irq and nand_irq. Meanwhile, if request_irq of
+fsl_ifc_ctrl_dev->nand_irq fails, it will still free nand_irq even if
+the request_irq is not successful.
+
+Fix this by refactoring the error handling code.
+
+Fixes: d2ae2e20fbdd ("driver/memory:Move Freescale IFC driver to a common driver")
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Link: https://lore.kernel.org/r/20210925151434.8170-1-mudongliangabcd@gmail.com
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memory/fsl_ifc.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/memory/fsl_ifc.c b/drivers/memory/fsl_ifc.c
+index d062c2f8250f4..75a8c38df9394 100644
+--- a/drivers/memory/fsl_ifc.c
++++ b/drivers/memory/fsl_ifc.c
+@@ -263,7 +263,7 @@ static int fsl_ifc_ctrl_probe(struct platform_device *dev)
+
+ ret = fsl_ifc_ctrl_init(fsl_ifc_ctrl_dev);
+ if (ret < 0)
+- goto err;
++ goto err_unmap_nandirq;
+
+ init_waitqueue_head(&fsl_ifc_ctrl_dev->nand_wait);
+
+@@ -272,7 +272,7 @@ static int fsl_ifc_ctrl_probe(struct platform_device *dev)
+ if (ret != 0) {
+ dev_err(&dev->dev, "failed to install irq (%d)\n",
+ fsl_ifc_ctrl_dev->irq);
+- goto err_irq;
++ goto err_unmap_nandirq;
+ }
+
+ if (fsl_ifc_ctrl_dev->nand_irq) {
+@@ -281,17 +281,16 @@ static int fsl_ifc_ctrl_probe(struct platform_device *dev)
+ if (ret != 0) {
+ dev_err(&dev->dev, "failed to install irq (%d)\n",
+ fsl_ifc_ctrl_dev->nand_irq);
+- goto err_nandirq;
++ goto err_free_irq;
+ }
+ }
+
+ return 0;
+
+-err_nandirq:
+- free_irq(fsl_ifc_ctrl_dev->nand_irq, fsl_ifc_ctrl_dev);
+- irq_dispose_mapping(fsl_ifc_ctrl_dev->nand_irq);
+-err_irq:
++err_free_irq:
+ free_irq(fsl_ifc_ctrl_dev->irq, fsl_ifc_ctrl_dev);
++err_unmap_nandirq:
++ irq_dispose_mapping(fsl_ifc_ctrl_dev->nand_irq);
+ irq_dispose_mapping(fsl_ifc_ctrl_dev->irq);
+ err:
+ iounmap(fsl_ifc_ctrl_dev->gregs);
+--
+2.33.0
+
--- /dev/null
+From dd0d1096f5b7c97bd577b31807210d1142b764f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Sep 2021 11:44:47 +0200
+Subject: memstick: avoid out-of-range warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 4853396f03c3019eccf5cd113e464231e9ddf0b3 ]
+
+clang-14 complains about a sanity check that always passes when the
+page size is 64KB or larger:
+
+drivers/memstick/core/ms_block.c:1739:21: error: result of comparison of constant 65536 with expression of type 'unsigned short' is always false [-Werror,-Wtautological-constant-out-of-range-compare]
+ if (msb->page_size > PAGE_SIZE) {
+ ~~~~~~~~~~~~~~ ^ ~~~~~~~~~
+
+This is fine, it will still work on all architectures, so just shut
+up that warning with a cast.
+
+Fixes: 0ab30494bc4f ("memstick: add support for legacy memorysticks")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20210927094520.696665-1-arnd@kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memstick/core/ms_block.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/memstick/core/ms_block.c b/drivers/memstick/core/ms_block.c
+index 8004dd64d09a8..bc1f484f50f1d 100644
+--- a/drivers/memstick/core/ms_block.c
++++ b/drivers/memstick/core/ms_block.c
+@@ -1727,7 +1727,7 @@ static int msb_init_card(struct memstick_dev *card)
+ msb->pages_in_block = boot_block->attr.block_size * 2;
+ msb->block_size = msb->page_size * msb->pages_in_block;
+
+- if (msb->page_size > PAGE_SIZE) {
++ if ((size_t)msb->page_size > PAGE_SIZE) {
+ /* this isn't supported by linux at all, anyway*/
+ dbg("device page %d size isn't supported", msb->page_size);
+ return -EINVAL;
+--
+2.33.0
+
--- /dev/null
+From 1496bc74f3256921f1061b0e7f553aa46ba645c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Oct 2021 15:39:12 +0300
+Subject: memstick: jmb38x_ms: use appropriate free function in
+ jmb38x_ms_alloc_host()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit beae4a6258e64af609ad5995cc6b6056eb0d898e ]
+
+The "msh" pointer is device managed, meaning that memstick_alloc_host()
+calls device_initialize() on it. That means that it can't be free
+using kfree() but must instead be freed with memstick_free_host().
+Otherwise it leads to a tiny memory leak of device resources.
+
+Fixes: 60fdd931d577 ("memstick: add support for JMicron jmb38x MemoryStick host controller")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/20211011123912.GD15188@kili
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memstick/host/jmb38x_ms.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/memstick/host/jmb38x_ms.c b/drivers/memstick/host/jmb38x_ms.c
+index e83c3ada9389e..9e8cccbd2817e 100644
+--- a/drivers/memstick/host/jmb38x_ms.c
++++ b/drivers/memstick/host/jmb38x_ms.c
+@@ -882,7 +882,7 @@ static struct memstick_host *jmb38x_ms_alloc_host(struct jmb38x_ms *jm, int cnt)
+
+ iounmap(host->addr);
+ err_out_free:
+- kfree(msh);
++ memstick_free_host(msh);
+ return NULL;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 89dab8bca9e61bf6e1ce2c461f8d8753dce66499 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 Oct 2021 11:26:21 +0000
+Subject: memstick: r592: Fix a UAF bug when removing the driver
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit 738216c1953e802aa9f930c5d15b8f9092c847ff ]
+
+In r592_remove(), the driver will free dma after freeing the host, which
+may cause a UAF bug.
+
+The following log reveals it:
+
+[ 45.361796 ] BUG: KASAN: use-after-free in r592_remove+0x269/0x350 [r592]
+[ 45.364286 ] Call Trace:
+[ 45.364472 ] dump_stack_lvl+0xa8/0xd1
+[ 45.364751 ] print_address_description+0x87/0x3b0
+[ 45.365137 ] kasan_report+0x172/0x1c0
+[ 45.365415 ] ? r592_remove+0x269/0x350 [r592]
+[ 45.365834 ] ? r592_remove+0x269/0x350 [r592]
+[ 45.366168 ] __asan_report_load8_noabort+0x14/0x20
+[ 45.366531 ] r592_remove+0x269/0x350 [r592]
+[ 45.378785 ]
+[ 45.378903 ] Allocated by task 4674:
+[ 45.379162 ] ____kasan_kmalloc+0xb5/0xe0
+[ 45.379455 ] __kasan_kmalloc+0x9/0x10
+[ 45.379730 ] __kmalloc+0x150/0x280
+[ 45.379984 ] memstick_alloc_host+0x2a/0x190
+[ 45.380664 ]
+[ 45.380781 ] Freed by task 5509:
+[ 45.381014 ] kasan_set_track+0x3d/0x70
+[ 45.381293 ] kasan_set_free_info+0x23/0x40
+[ 45.381635 ] ____kasan_slab_free+0x10b/0x140
+[ 45.381950 ] __kasan_slab_free+0x11/0x20
+[ 45.382241 ] slab_free_freelist_hook+0x81/0x150
+[ 45.382575 ] kfree+0x13e/0x290
+[ 45.382805 ] memstick_free+0x1c/0x20
+[ 45.383070 ] device_release+0x9c/0x1d0
+[ 45.383349 ] kobject_put+0x2ef/0x4c0
+[ 45.383616 ] put_device+0x1f/0x30
+[ 45.383865 ] memstick_free_host+0x24/0x30
+[ 45.384162 ] r592_remove+0x242/0x350 [r592]
+[ 45.384473 ] pci_device_remove+0xa9/0x250
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Link: https://lore.kernel.org/r/1634383581-11055-1-git-send-email-zheyuma97@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memstick/host/r592.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/memstick/host/r592.c b/drivers/memstick/host/r592.c
+index d2ef46337191c..eaa2a94d18be4 100644
+--- a/drivers/memstick/host/r592.c
++++ b/drivers/memstick/host/r592.c
+@@ -837,15 +837,15 @@ static void r592_remove(struct pci_dev *pdev)
+ }
+ memstick_remove_host(dev->host);
+
++ if (dev->dummy_dma_page)
++ dma_free_coherent(&pdev->dev, PAGE_SIZE, dev->dummy_dma_page,
++ dev->dummy_dma_page_physical_address);
++
+ free_irq(dev->irq, dev);
+ iounmap(dev->mmio);
+ pci_release_regions(pdev);
+ pci_disable_device(pdev);
+ memstick_free_host(dev->host);
+-
+- if (dev->dummy_dma_page)
+- dma_free_coherent(&pdev->dev, PAGE_SIZE, dev->dummy_dma_page,
+- dev->dummy_dma_page_physical_address);
+ }
+
+ #ifdef CONFIG_PM_SLEEP
+--
+2.33.0
+
--- /dev/null
+From b899e84b246655ea9d5478d897b74920b8be5c2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 May 2021 07:51:26 -0400
+Subject: mfd: core: Add missing of_node_put for loop iteration
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+
+[ Upstream commit 002be81140075e17a1ebd5c3c55e356fbab0ddad ]
+
+Early exits from for_each_child_of_node() should decrement the
+node reference counter. Reported by Coccinelle:
+
+ drivers/mfd/mfd-core.c:197:2-24: WARNING:
+ Function "for_each_child_of_node" should have of_node_put() before goto around lines 209.
+
+Fixes: c94bb233a9fe ("mfd: Make MFD core code Device Tree and IRQ domain aware")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Link: https://lore.kernel.org/r/20210528115126.18370-1-krzysztof.kozlowski@canonical.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/mfd-core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/mfd/mfd-core.c b/drivers/mfd/mfd-core.c
+index fc00aaccb5f72..a3a6faa99de05 100644
+--- a/drivers/mfd/mfd-core.c
++++ b/drivers/mfd/mfd-core.c
+@@ -210,6 +210,7 @@ static int mfd_add_device(struct device *parent, int id,
+ if (of_device_is_compatible(np, cell->of_compatible)) {
+ /* Ignore 'disabled' devices error free */
+ if (!of_device_is_available(np)) {
++ of_node_put(np);
+ ret = 0;
+ goto fail_alias;
+ }
+@@ -217,6 +218,7 @@ static int mfd_add_device(struct device *parent, int id,
+ ret = mfd_match_of_node_to_dev(pdev, np, cell);
+ if (ret == -EAGAIN)
+ continue;
++ of_node_put(np);
+ if (ret)
+ goto fail_alias;
+
+--
+2.33.0
+
--- /dev/null
+From 17a14d4c29e0ec1238e60099579deddc7859db29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Oct 2021 11:58:16 +0200
+Subject: mips: cm: Convert to bitfield API to fix out-of-bounds access
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 18b8f5b6fc53d097cadb94a93d8d6566ba88e389 ]
+
+mips_cm_error_report() extracts the cause and other cause from the error
+register using shifts. This works fine for the former, as it is stored
+in the top bits, and the shift will thus remove all non-related bits.
+However, the latter is stored in the bottom bits, hence thus needs masking
+to get rid of non-related bits. Without such masking, using it as an
+index into the cm2_causes[] array will lead to an out-of-bounds access,
+probably causing a crash.
+
+Fix this by using FIELD_GET() instead. Bite the bullet and convert all
+MIPS CM handling to the bitfield API, to improve readability and safety.
+
+Fixes: 3885c2b463f6a236 ("MIPS: CM: Add support for reporting CM cache errors")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/mips-cm.h | 12 ++++++------
+ arch/mips/kernel/mips-cm.c | 21 ++++++++++-----------
+ 2 files changed, 16 insertions(+), 17 deletions(-)
+
+diff --git a/arch/mips/include/asm/mips-cm.h b/arch/mips/include/asm/mips-cm.h
+index aeae2effa123d..23c67c0871b17 100644
+--- a/arch/mips/include/asm/mips-cm.h
++++ b/arch/mips/include/asm/mips-cm.h
+@@ -11,6 +11,7 @@
+ #ifndef __MIPS_ASM_MIPS_CM_H__
+ #define __MIPS_ASM_MIPS_CM_H__
+
++#include <linux/bitfield.h>
+ #include <linux/bitops.h>
+ #include <linux/errno.h>
+
+@@ -153,8 +154,8 @@ GCR_ACCESSOR_RO(32, 0x030, rev)
+ #define CM_GCR_REV_MINOR GENMASK(7, 0)
+
+ #define CM_ENCODE_REV(major, minor) \
+- (((major) << __ffs(CM_GCR_REV_MAJOR)) | \
+- ((minor) << __ffs(CM_GCR_REV_MINOR)))
++ (FIELD_PREP(CM_GCR_REV_MAJOR, major) | \
++ FIELD_PREP(CM_GCR_REV_MINOR, minor))
+
+ #define CM_REV_CM2 CM_ENCODE_REV(6, 0)
+ #define CM_REV_CM2_5 CM_ENCODE_REV(7, 0)
+@@ -362,10 +363,10 @@ static inline int mips_cm_revision(void)
+ static inline unsigned int mips_cm_max_vp_width(void)
+ {
+ extern int smp_num_siblings;
+- uint32_t cfg;
+
+ if (mips_cm_revision() >= CM_REV_CM3)
+- return read_gcr_sys_config2() & CM_GCR_SYS_CONFIG2_MAXVPW;
++ return FIELD_GET(CM_GCR_SYS_CONFIG2_MAXVPW,
++ read_gcr_sys_config2());
+
+ if (mips_cm_present()) {
+ /*
+@@ -373,8 +374,7 @@ static inline unsigned int mips_cm_max_vp_width(void)
+ * number of VP(E)s, and if that ever changes then this will
+ * need revisiting.
+ */
+- cfg = read_gcr_cl_config() & CM_GCR_Cx_CONFIG_PVPE;
+- return (cfg >> __ffs(CM_GCR_Cx_CONFIG_PVPE)) + 1;
++ return FIELD_GET(CM_GCR_Cx_CONFIG_PVPE, read_gcr_cl_config()) + 1;
+ }
+
+ if (IS_ENABLED(CONFIG_SMP))
+diff --git a/arch/mips/kernel/mips-cm.c b/arch/mips/kernel/mips-cm.c
+index f60af512c8773..72c8374a39002 100644
+--- a/arch/mips/kernel/mips-cm.c
++++ b/arch/mips/kernel/mips-cm.c
+@@ -221,8 +221,7 @@ static void mips_cm_probe_l2sync(void)
+ phys_addr_t addr;
+
+ /* L2-only sync was introduced with CM major revision 6 */
+- major_rev = (read_gcr_rev() & CM_GCR_REV_MAJOR) >>
+- __ffs(CM_GCR_REV_MAJOR);
++ major_rev = FIELD_GET(CM_GCR_REV_MAJOR, read_gcr_rev());
+ if (major_rev < 6)
+ return;
+
+@@ -305,13 +304,13 @@ void mips_cm_lock_other(unsigned int cluster, unsigned int core,
+ preempt_disable();
+
+ if (cm_rev >= CM_REV_CM3) {
+- val = core << __ffs(CM3_GCR_Cx_OTHER_CORE);
+- val |= vp << __ffs(CM3_GCR_Cx_OTHER_VP);
++ val = FIELD_PREP(CM3_GCR_Cx_OTHER_CORE, core) |
++ FIELD_PREP(CM3_GCR_Cx_OTHER_VP, vp);
+
+ if (cm_rev >= CM_REV_CM3_5) {
+ val |= CM_GCR_Cx_OTHER_CLUSTER_EN;
+- val |= cluster << __ffs(CM_GCR_Cx_OTHER_CLUSTER);
+- val |= block << __ffs(CM_GCR_Cx_OTHER_BLOCK);
++ val |= FIELD_PREP(CM_GCR_Cx_OTHER_CLUSTER, cluster);
++ val |= FIELD_PREP(CM_GCR_Cx_OTHER_BLOCK, block);
+ } else {
+ WARN_ON(cluster != 0);
+ WARN_ON(block != CM_GCR_Cx_OTHER_BLOCK_LOCAL);
+@@ -341,7 +340,7 @@ void mips_cm_lock_other(unsigned int cluster, unsigned int core,
+ spin_lock_irqsave(&per_cpu(cm_core_lock, curr_core),
+ per_cpu(cm_core_lock_flags, curr_core));
+
+- val = core << __ffs(CM_GCR_Cx_OTHER_CORENUM);
++ val = FIELD_PREP(CM_GCR_Cx_OTHER_CORENUM, core);
+ }
+
+ write_gcr_cl_other(val);
+@@ -385,8 +384,8 @@ void mips_cm_error_report(void)
+ cm_other = read_gcr_error_mult();
+
+ if (revision < CM_REV_CM3) { /* CM2 */
+- cause = cm_error >> __ffs(CM_GCR_ERROR_CAUSE_ERRTYPE);
+- ocause = cm_other >> __ffs(CM_GCR_ERROR_MULT_ERR2ND);
++ cause = FIELD_GET(CM_GCR_ERROR_CAUSE_ERRTYPE, cm_error);
++ ocause = FIELD_GET(CM_GCR_ERROR_MULT_ERR2ND, cm_other);
+
+ if (!cause)
+ return;
+@@ -444,8 +443,8 @@ void mips_cm_error_report(void)
+ ulong core_id_bits, vp_id_bits, cmd_bits, cmd_group_bits;
+ ulong cm3_cca_bits, mcp_bits, cm3_tr_bits, sched_bit;
+
+- cause = cm_error >> __ffs64(CM3_GCR_ERROR_CAUSE_ERRTYPE);
+- ocause = cm_other >> __ffs(CM_GCR_ERROR_MULT_ERR2ND);
++ cause = FIELD_GET(CM3_GCR_ERROR_CAUSE_ERRTYPE, cm_error);
++ ocause = FIELD_GET(CM_GCR_ERROR_MULT_ERR2ND, cm_other);
+
+ if (!cause)
+ return;
+--
+2.33.0
+
--- /dev/null
+From d0cfb6e627a41a81b4d799daa0534dea5036e2e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 23:20:58 +0200
+Subject: MIPS: lantiq: dma: add small delay after reset
+
+From: Aleksander Jan Bajkowski <olek2@wp.pl>
+
+[ Upstream commit c12aa581f6d5e80c3c3675ab26a52c2b3b62f76e ]
+
+Reading the DMA registers immediately after the reset causes
+Data Bus Error. Adding a small delay fixes this issue.
+
+Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/lantiq/xway/dma.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/mips/lantiq/xway/dma.c b/arch/mips/lantiq/xway/dma.c
+index aeb1b989cd4ee..24c6267f78698 100644
+--- a/arch/mips/lantiq/xway/dma.c
++++ b/arch/mips/lantiq/xway/dma.c
+@@ -11,6 +11,7 @@
+ #include <linux/export.h>
+ #include <linux/spinlock.h>
+ #include <linux/clk.h>
++#include <linux/delay.h>
+ #include <linux/err.h>
+
+ #include <lantiq_soc.h>
+@@ -221,6 +222,8 @@ ltq_dma_init(struct platform_device *pdev)
+ clk_enable(clk);
+ ltq_dma_w32_mask(0, DMA_RESET, LTQ_DMA_CTRL);
+
++ usleep_range(1, 10);
++
+ /* disable all interrupts */
+ ltq_dma_w32(0, LTQ_DMA_IRNEN);
+
+--
+2.33.0
+
--- /dev/null
+From 51ee8d241752b959cc6edccba6a5470b4377087a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 23:21:00 +0200
+Subject: MIPS: lantiq: dma: fix burst length for DEU
+
+From: Aleksander Jan Bajkowski <olek2@wp.pl>
+
+[ Upstream commit 5ad74d39c51dd41b3c819f4f5396655f0629b4fd ]
+
+The current definition of 2W burst length is invalid.
+This patch fixes it. Current downstream DEU driver doesn't
+use DMA. An incorrect burst length value doesn't cause any
+errors. This patch also adds other burst length values.
+
+Fixes: dfec1a827d2b ("MIPS: Lantiq: Add DMA support")
+Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/lantiq/xway/dma.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/arch/mips/lantiq/xway/dma.c b/arch/mips/lantiq/xway/dma.c
+index e45077aecf83a..ab13e257132af 100644
+--- a/arch/mips/lantiq/xway/dma.c
++++ b/arch/mips/lantiq/xway/dma.c
+@@ -40,7 +40,11 @@
+ #define DMA_IRQ_ACK 0x7e /* IRQ status register */
+ #define DMA_POLL BIT(31) /* turn on channel polling */
+ #define DMA_CLK_DIV4 BIT(6) /* polling clock divider */
+-#define DMA_2W_BURST BIT(1) /* 2 word burst length */
++#define DMA_PCTRL_2W_BURST 0x1 /* 2 word burst length */
++#define DMA_PCTRL_4W_BURST 0x2 /* 4 word burst length */
++#define DMA_PCTRL_8W_BURST 0x3 /* 8 word burst length */
++#define DMA_TX_BURST_SHIFT 4 /* tx burst shift */
++#define DMA_RX_BURST_SHIFT 2 /* rx burst shift */
+ #define DMA_ETOP_ENDIANNESS (0xf << 8) /* endianness swap etop channels */
+ #define DMA_WEIGHT (BIT(17) | BIT(16)) /* default channel wheight */
+
+@@ -191,7 +195,8 @@ ltq_dma_init_port(int p)
+ break;
+
+ case DMA_PORT_DEU:
+- ltq_dma_w32((DMA_2W_BURST << 4) | (DMA_2W_BURST << 2),
++ ltq_dma_w32((DMA_PCTRL_2W_BURST << DMA_TX_BURST_SHIFT) |
++ (DMA_PCTRL_2W_BURST << DMA_RX_BURST_SHIFT),
+ LTQ_DMA_PCTRL);
+ break;
+
+--
+2.33.0
+
--- /dev/null
+From 2cdfe8fb35633008fe05c1325dcfcc023fb9f0b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 23:20:59 +0200
+Subject: MIPS: lantiq: dma: reset correct number of channel
+
+From: Aleksander Jan Bajkowski <olek2@wp.pl>
+
+[ Upstream commit 5ca9ce2ba4d5884cd94d1a856c675ab1242cd242 ]
+
+Different SoCs have a different number of channels, e.g .:
+* amazon-se has 10 channels,
+* danube+ar9 have 20 channels,
+* vr9 has 28 channels,
+* ar10 has 24 channels.
+
+We can read the ID register and, depending on the reported
+number of channels, reset the appropriate number of channels.
+
+Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/lantiq/xway/dma.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/arch/mips/lantiq/xway/dma.c b/arch/mips/lantiq/xway/dma.c
+index 24c6267f78698..e45077aecf83a 100644
+--- a/arch/mips/lantiq/xway/dma.c
++++ b/arch/mips/lantiq/xway/dma.c
+@@ -30,6 +30,7 @@
+ #define LTQ_DMA_PCTRL 0x44
+ #define LTQ_DMA_IRNEN 0xf4
+
++#define DMA_ID_CHNR GENMASK(26, 20) /* channel number */
+ #define DMA_DESCPT BIT(3) /* descriptor complete irq */
+ #define DMA_TX BIT(8) /* TX channel direction */
+ #define DMA_CHAN_ON BIT(0) /* channel on / off bit */
+@@ -40,7 +41,6 @@
+ #define DMA_POLL BIT(31) /* turn on channel polling */
+ #define DMA_CLK_DIV4 BIT(6) /* polling clock divider */
+ #define DMA_2W_BURST BIT(1) /* 2 word burst length */
+-#define DMA_MAX_CHANNEL 20 /* the soc has 20 channels */
+ #define DMA_ETOP_ENDIANNESS (0xf << 8) /* endianness swap etop channels */
+ #define DMA_WEIGHT (BIT(17) | BIT(16)) /* default channel wheight */
+
+@@ -206,7 +206,7 @@ ltq_dma_init(struct platform_device *pdev)
+ {
+ struct clk *clk;
+ struct resource *res;
+- unsigned id;
++ unsigned int id, nchannels;
+ int i;
+
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+@@ -228,17 +228,18 @@ ltq_dma_init(struct platform_device *pdev)
+ ltq_dma_w32(0, LTQ_DMA_IRNEN);
+
+ /* reset/configure each channel */
+- for (i = 0; i < DMA_MAX_CHANNEL; i++) {
++ id = ltq_dma_r32(LTQ_DMA_ID);
++ nchannels = ((id & DMA_ID_CHNR) >> 20);
++ for (i = 0; i < nchannels; i++) {
+ ltq_dma_w32(i, LTQ_DMA_CS);
+ ltq_dma_w32(DMA_CHAN_RST, LTQ_DMA_CCTRL);
+ ltq_dma_w32(DMA_POLL | DMA_CLK_DIV4, LTQ_DMA_CPOLL);
+ ltq_dma_w32_mask(DMA_CHAN_ON, 0, LTQ_DMA_CCTRL);
+ }
+
+- id = ltq_dma_r32(LTQ_DMA_ID);
+ dev_info(&pdev->dev,
+ "Init done - hw rev: %X, ports: %d, channels: %d\n",
+- id & 0x1f, (id >> 16) & 0xf, id >> 20);
++ id & 0x1f, (id >> 16) & 0xf, nchannels);
+
+ return 0;
+ }
+--
+2.33.0
+
--- /dev/null
+From a52a461afb6ada16471c667863d86b43f072df56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Sep 2021 14:19:08 +0800
+Subject: MIPS: loongson64: make CPU_LOONGSON64 depends on MIPS_FP_SUPPORT
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jackie Liu <liuyun01@kylinos.cn>
+
+[ Upstream commit 7f3b3c2bfa9c93ab9b5595543496f570983dc330 ]
+
+mach/loongson64 fails to build when the FPU support is disabled:
+
+arch/mips/loongson64/cop2-ex.c:45:15: error: implicit declaration of function ‘__is_fpu_owner’; did you mean ‘is_fpu_owner’? [-Werror=implicit-function-declaration]
+arch/mips/loongson64/cop2-ex.c:98:30: error: ‘struct thread_struct’ has no member named ‘fpu’
+arch/mips/loongson64/cop2-ex.c:99:30: error: ‘struct thread_struct’ has no member named ‘fpu’
+arch/mips/loongson64/cop2-ex.c:131:43: error: ‘struct thread_struct’ has no member named ‘fpu’
+arch/mips/loongson64/cop2-ex.c:137:38: error: ‘struct thread_struct’ has no member named ‘fpu’
+arch/mips/loongson64/cop2-ex.c:203:30: error: ‘struct thread_struct’ has no member named ‘fpu’
+arch/mips/loongson64/cop2-ex.c:219:30: error: ‘struct thread_struct’ has no member named ‘fpu’
+arch/mips/loongson64/cop2-ex.c:283:38: error: ‘struct thread_struct’ has no member named ‘fpu’
+arch/mips/loongson64/cop2-ex.c:301:38: error: ‘struct thread_struct’ has no member named ‘fpu’
+
+Fixes: ef2f826c8f2f ("MIPS: Loongson-3: Enable the COP2 usage")
+Suggested-by: Huacai Chen <chenhuacai@kernel.org>
+Reviewed-by: Huacai Chen <chenhuacai@kernel.org>
+Reported-by: k2ci robot <kernel-bot@kylinos.cn>
+Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
+index 1a63f592034eb..5c6e9ed9b2a75 100644
+--- a/arch/mips/Kconfig
++++ b/arch/mips/Kconfig
+@@ -1380,6 +1380,7 @@ config CPU_LOONGSON64
+ select MIPS_ASID_BITS_VARIABLE
+ select MIPS_PGD_C0_CONTEXT
+ select MIPS_L1_CACHE_SHIFT_6
++ select MIPS_FP_SUPPORT
+ select GPIOLIB
+ select SWIOTLB
+ select HAVE_KVM
+--
+2.33.0
+
--- /dev/null
+From 5515e996f8aa0a45d6ef24aa99e6870cb07e372b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Nov 2021 13:45:03 -0700
+Subject: mm/zsmalloc.c: close race window between zs_pool_dec_isolated() and
+ zs_unregister_migration()
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit afe8605ca45424629fdddfd85984b442c763dc47 ]
+
+There is one possible race window between zs_pool_dec_isolated() and
+zs_unregister_migration() because wait_for_isolated_drain() checks the
+isolated count without holding class->lock and there is no order inside
+zs_pool_dec_isolated(). Thus the below race window could be possible:
+
+ zs_pool_dec_isolated zs_unregister_migration
+ check pool->destroying != 0
+ pool->destroying = true;
+ smp_mb();
+ wait_for_isolated_drain()
+ wait for pool->isolated_pages == 0
+ atomic_long_dec(&pool->isolated_pages);
+ atomic_long_read(&pool->isolated_pages) == 0
+
+Since we observe the pool->destroying (false) before atomic_long_dec()
+for pool->isolated_pages, waking pool->migration_wait up is missed.
+
+Fix this by ensure checking pool->destroying happens after the
+atomic_long_dec(&pool->isolated_pages).
+
+Link: https://lkml.kernel.org/r/20210708115027.7557-1-linmiaohe@huawei.com
+Fixes: 701d678599d0 ("mm/zsmalloc.c: fix race condition in zs_destroy_pool")
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
+Cc: Henry Burns <henryburns@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/zsmalloc.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/mm/zsmalloc.c b/mm/zsmalloc.c
+index 7a0b79b0a6899..73cd50735df29 100644
+--- a/mm/zsmalloc.c
++++ b/mm/zsmalloc.c
+@@ -1835,10 +1835,11 @@ static inline void zs_pool_dec_isolated(struct zs_pool *pool)
+ VM_BUG_ON(atomic_long_read(&pool->isolated_pages) <= 0);
+ atomic_long_dec(&pool->isolated_pages);
+ /*
+- * There's no possibility of racing, since wait_for_isolated_drain()
+- * checks the isolated count under &class->lock after enqueuing
+- * on migration_wait.
++ * Checking pool->destroying must happen after atomic_long_dec()
++ * for pool->isolated_pages above. Paired with the smp_mb() in
++ * zs_unregister_migration().
+ */
++ smp_mb__after_atomic();
+ if (atomic_long_read(&pool->isolated_pages) == 0 && pool->destroying)
+ wake_up_all(&pool->migration_wait);
+ }
+--
+2.33.0
+
--- /dev/null
+From c2c75b931018f198c0b49d88e4f983e99d1130cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 9 Oct 2021 12:19:18 +0800
+Subject: mmc: moxart: Fix reference count leaks in moxart_probe
+
+From: Xin Xiong <xiongx18@fudan.edu.cn>
+
+[ Upstream commit 8105c2abbf36296bf38ca44f55ee45d160db476a ]
+
+The issue happens in several error handling paths on two refcounted
+object related to the object "host" (dma_chan_rx, dma_chan_tx). In
+these paths, the function forgets to decrement one or both objects'
+reference count increased earlier by dma_request_chan(), causing
+reference count leaks.
+
+Fix it by balancing the refcounts of both objects in some error
+handling paths. In correspondence with the changes in moxart_probe(),
+IS_ERR() is replaced with IS_ERR_OR_NULL() in moxart_remove() as well.
+
+Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn>
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Link: https://lore.kernel.org/r/20211009041918.28419-1-xiongx18@fudan.edu.cn
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/moxart-mmc.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mmc/host/moxart-mmc.c b/drivers/mmc/host/moxart-mmc.c
+index 2e4a7c6971dc9..dcd128ecdf15b 100644
+--- a/drivers/mmc/host/moxart-mmc.c
++++ b/drivers/mmc/host/moxart-mmc.c
+@@ -624,6 +624,14 @@ static int moxart_probe(struct platform_device *pdev)
+ ret = -EPROBE_DEFER;
+ goto out;
+ }
++ if (!IS_ERR(host->dma_chan_tx)) {
++ dma_release_channel(host->dma_chan_tx);
++ host->dma_chan_tx = NULL;
++ }
++ if (!IS_ERR(host->dma_chan_rx)) {
++ dma_release_channel(host->dma_chan_rx);
++ host->dma_chan_rx = NULL;
++ }
+ dev_dbg(dev, "PIO mode transfer enabled\n");
+ host->have_dma = false;
+ } else {
+@@ -678,6 +686,10 @@ static int moxart_probe(struct platform_device *pdev)
+ return 0;
+
+ out:
++ if (!IS_ERR_OR_NULL(host->dma_chan_tx))
++ dma_release_channel(host->dma_chan_tx);
++ if (!IS_ERR_OR_NULL(host->dma_chan_rx))
++ dma_release_channel(host->dma_chan_rx);
+ if (mmc)
+ mmc_free_host(mmc);
+ return ret;
+@@ -690,9 +702,9 @@ static int moxart_remove(struct platform_device *pdev)
+
+ dev_set_drvdata(&pdev->dev, NULL);
+
+- if (!IS_ERR(host->dma_chan_tx))
++ if (!IS_ERR_OR_NULL(host->dma_chan_tx))
+ dma_release_channel(host->dma_chan_tx);
+- if (!IS_ERR(host->dma_chan_rx))
++ if (!IS_ERR_OR_NULL(host->dma_chan_rx))
+ dma_release_channel(host->dma_chan_rx);
+ mmc_remove_host(mmc);
+ mmc_free_host(mmc);
+--
+2.33.0
+
--- /dev/null
+From b1dfb8a4b71e45cf958877c7d70e84123701f90f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 Oct 2021 08:21:44 +0200
+Subject: mmc: mxs-mmc: disable regulator on error and in the remove function
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit ce5f6c2c9b0fcb4094f8e162cfd37fb4294204f7 ]
+
+The 'reg_vmmc' regulator is enabled in the probe. It is never disabled.
+Neither in the error handling path of the probe nor in the remove
+function.
+
+Register a devm_action to disable it when needed.
+
+Fixes: 4dc5a79f1350 ("mmc: mxs-mmc: enable regulator for mmc slot")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/4aadb3c97835f7b80f00819c3d549e6130384e67.1634365151.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/mxs-mmc.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/mmc/host/mxs-mmc.c b/drivers/mmc/host/mxs-mmc.c
+index 4fbbff03137c3..2ec3eb651d6b5 100644
+--- a/drivers/mmc/host/mxs-mmc.c
++++ b/drivers/mmc/host/mxs-mmc.c
+@@ -565,6 +565,11 @@ static const struct of_device_id mxs_mmc_dt_ids[] = {
+ };
+ MODULE_DEVICE_TABLE(of, mxs_mmc_dt_ids);
+
++static void mxs_mmc_regulator_disable(void *regulator)
++{
++ regulator_disable(regulator);
++}
++
+ static int mxs_mmc_probe(struct platform_device *pdev)
+ {
+ const struct of_device_id *of_id =
+@@ -606,6 +611,11 @@ static int mxs_mmc_probe(struct platform_device *pdev)
+ "Failed to enable vmmc regulator: %d\n", ret);
+ goto out_mmc_free;
+ }
++
++ ret = devm_add_action_or_reset(&pdev->dev, mxs_mmc_regulator_disable,
++ reg_vmmc);
++ if (ret)
++ goto out_mmc_free;
+ }
+
+ ssp->clk = devm_clk_get(&pdev->dev, NULL);
+--
+2.33.0
+
--- /dev/null
+From 7d7b60051b663b0af4e0fbe2459481ce936ab9a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Sep 2021 14:00:26 +0300
+Subject: mmc: sdhci-omap: Fix context restore
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit d806e334d0390502cd2a820ad33d65d7f9bba618 ]
+
+We need to restore context in a specified order with HCTL set in two
+phases. This is similar to what omap_hsmmc_context_restore() is doing.
+Otherwise SDIO can stop working on resume.
+
+And for PM runtime and SDIO cards, we need to also save SYSCTL, IE and
+ISE.
+
+This should not be a problem currently, and these patches can be applied
+whenever suitable.
+
+Fixes: ee0f309263a6 ("mmc: sdhci-omap: Add Support for Suspend/Resume")
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Link: https://lore.kernel.org/r/20210921110029.21944-3-tony@atomide.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-omap.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/sdhci-omap.c b/drivers/mmc/host/sdhci-omap.c
+index 8a669f57f14b3..53c362bb28661 100644
+--- a/drivers/mmc/host/sdhci-omap.c
++++ b/drivers/mmc/host/sdhci-omap.c
+@@ -62,6 +62,8 @@
+ #define SDHCI_OMAP_IE 0x234
+ #define INT_CC_EN BIT(0)
+
++#define SDHCI_OMAP_ISE 0x238
++
+ #define SDHCI_OMAP_AC12 0x23c
+ #define AC12_V1V8_SIGEN BIT(19)
+ #define AC12_SCLK_SEL BIT(23)
+@@ -113,6 +115,8 @@ struct sdhci_omap_host {
+ u32 hctl;
+ u32 sysctl;
+ u32 capa;
++ u32 ie;
++ u32 ise;
+ };
+
+ static void sdhci_omap_start_clock(struct sdhci_omap_host *omap_host);
+@@ -1246,14 +1250,23 @@ static void sdhci_omap_context_save(struct sdhci_omap_host *omap_host)
+ {
+ omap_host->con = sdhci_omap_readl(omap_host, SDHCI_OMAP_CON);
+ omap_host->hctl = sdhci_omap_readl(omap_host, SDHCI_OMAP_HCTL);
++ omap_host->sysctl = sdhci_omap_readl(omap_host, SDHCI_OMAP_SYSCTL);
+ omap_host->capa = sdhci_omap_readl(omap_host, SDHCI_OMAP_CAPA);
++ omap_host->ie = sdhci_omap_readl(omap_host, SDHCI_OMAP_IE);
++ omap_host->ise = sdhci_omap_readl(omap_host, SDHCI_OMAP_ISE);
+ }
+
++/* Order matters here, HCTL must be restored in two phases */
+ static void sdhci_omap_context_restore(struct sdhci_omap_host *omap_host)
+ {
+- sdhci_omap_writel(omap_host, SDHCI_OMAP_CON, omap_host->con);
+ sdhci_omap_writel(omap_host, SDHCI_OMAP_HCTL, omap_host->hctl);
+ sdhci_omap_writel(omap_host, SDHCI_OMAP_CAPA, omap_host->capa);
++ sdhci_omap_writel(omap_host, SDHCI_OMAP_HCTL, omap_host->hctl);
++
++ sdhci_omap_writel(omap_host, SDHCI_OMAP_SYSCTL, omap_host->sysctl);
++ sdhci_omap_writel(omap_host, SDHCI_OMAP_CON, omap_host->con);
++ sdhci_omap_writel(omap_host, SDHCI_OMAP_IE, omap_host->ie);
++ sdhci_omap_writel(omap_host, SDHCI_OMAP_ISE, omap_host->ise);
+ }
+
+ static int __maybe_unused sdhci_omap_suspend(struct device *dev)
+--
+2.33.0
+
--- /dev/null
+From ad5ae5f1f31561ec180eed1395eb15ba89b1a994 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Sep 2021 14:00:25 +0300
+Subject: mmc: sdhci-omap: Fix NULL pointer exception if regulator is not
+ configured
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit 8e0e7bd38b1ec7f9e5d18725ad41828be4e09859 ]
+
+If sdhci-omap is configured for an unused device instance and the device
+is not set as disabled, we can get a NULL pointer dereference:
+
+Unable to handle kernel NULL pointer dereference at virtual address
+00000045
+...
+(regulator_set_voltage) from [<c07d7008>] (mmc_regulator_set_ocr+0x44/0xd0)
+(mmc_regulator_set_ocr) from [<c07e2d80>] (sdhci_set_ios+0xa4/0x490)
+(sdhci_set_ios) from [<c07ea690>] (sdhci_omap_set_ios+0x124/0x160)
+(sdhci_omap_set_ios) from [<c07c8e94>] (mmc_power_up.part.0+0x3c/0x154)
+(mmc_power_up.part.0) from [<c07c9d20>] (mmc_start_host+0x88/0x9c)
+(mmc_start_host) from [<c07cad34>] (mmc_add_host+0x58/0x7c)
+(mmc_add_host) from [<c07e2574>] (__sdhci_add_host+0xf0/0x22c)
+(__sdhci_add_host) from [<c07eaf68>] (sdhci_omap_probe+0x318/0x72c)
+(sdhci_omap_probe) from [<c06a39d8>] (platform_probe+0x58/0xb8)
+
+AFAIK we are not seeing this with the devices configured in the mainline
+kernel but this can cause issues for folks bringing up their boards.
+
+Fixes: 7d326930d352 ("mmc: sdhci-omap: Add OMAP SDHCI driver")
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Link: https://lore.kernel.org/r/20210921110029.21944-2-tony@atomide.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-omap.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/sdhci-omap.c b/drivers/mmc/host/sdhci-omap.c
+index 7893fd3599b61..8a669f57f14b3 100644
+--- a/drivers/mmc/host/sdhci-omap.c
++++ b/drivers/mmc/host/sdhci-omap.c
+@@ -682,7 +682,8 @@ static void sdhci_omap_set_power(struct sdhci_host *host, unsigned char mode,
+ {
+ struct mmc_host *mmc = host->mmc;
+
+- mmc_regulator_set_ocr(mmc, mmc->supply.vmmc, vdd);
++ if (!IS_ERR(mmc->supply.vmmc))
++ mmc_regulator_set_ocr(mmc, mmc->supply.vmmc, vdd);
+ }
+
+ static int sdhci_omap_enable_dma(struct sdhci_host *host)
+--
+2.33.0
+
--- /dev/null
+From a4f7a788645d7fcd65b0f212af2ca2ee70dfcd32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jun 2021 23:53:22 +0200
+Subject: mt76: mt7615: fix endianness warning in mt7615_mac_write_txwi
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit d81bfb41e30c42531536c5d2baa4d275a8309715 ]
+
+Fix the following sparse warning in mt7615_mac_write_txwi routine:
+drivers/net/wireless/mediatek/mt76/mt7615/mac.c:758:17:
+ warning: incorrect type in assignment
+ expected restricted __le32 [usertype]
+ got unsigned long
+
+Fixes: 04b8e65922f63 ("mt76: add mac80211 driver for MT7615 PCIe-based chipsets")
+Fixes: d4bf77bd74930 ("mt76: mt7615: introduce mt7663u support to mt7615_write_txwi")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
+index f44f478bb970e..424be103093c6 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
+@@ -672,12 +672,15 @@ int mt7615_mac_write_txwi(struct mt7615_dev *dev, __le32 *txwi,
+ if (info->flags & IEEE80211_TX_CTL_NO_ACK)
+ txwi[3] |= cpu_to_le32(MT_TXD3_NO_ACK);
+
+- txwi[7] = FIELD_PREP(MT_TXD7_TYPE, fc_type) |
+- FIELD_PREP(MT_TXD7_SUB_TYPE, fc_stype) |
+- FIELD_PREP(MT_TXD7_SPE_IDX, 0x18);
+- if (!is_mmio)
+- txwi[8] = FIELD_PREP(MT_TXD8_L_TYPE, fc_type) |
+- FIELD_PREP(MT_TXD8_L_SUB_TYPE, fc_stype);
++ val = FIELD_PREP(MT_TXD7_TYPE, fc_type) |
++ FIELD_PREP(MT_TXD7_SUB_TYPE, fc_stype) |
++ FIELD_PREP(MT_TXD7_SPE_IDX, 0x18);
++ txwi[7] = cpu_to_le32(val);
++ if (!is_mmio) {
++ val = FIELD_PREP(MT_TXD8_L_TYPE, fc_type) |
++ FIELD_PREP(MT_TXD8_L_SUB_TYPE, fc_stype);
++ txwi[8] = cpu_to_le32(val);
++ }
+
+ return 0;
+ }
+--
+2.33.0
+
--- /dev/null
+From f80e1917968adf312ad5dffc6e67fc82964beaf7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jun 2021 09:48:30 +0200
+Subject: mt76: mt76x02: fix endianness warnings in mt76x02_mac.c
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit c33edef520213feccebc22c9474c685b9fb60611 ]
+
+Fix the following sparse warning in mt76x02_mac_write_txwi and
+mt76x02_mac_tx_rate_val routines:
+drivers/net/wireless/mediatek/mt76/mt76x02_mac.c:237:19:
+ warning: restricted __le16 degrades to intege
+ warning: cast from restricted __le16
+drivers/net/wireless/mediatek/mt76/mt76x02_mac.c:383:28:
+ warning: incorrect type in assignment (different base types)
+ expected restricted __le16 [usertype] rate
+ got unsigned long
+
+Fixes: db9f11d3433f7 ("mt76: store wcid tx rate info in one u32 reduce locking")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt76x02_mac.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76x02_mac.c b/drivers/net/wireless/mediatek/mt76/mt76x02_mac.c
+index da6d3f51f6d47..677082d8659a6 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76x02_mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76x02_mac.c
+@@ -176,7 +176,7 @@ void mt76x02_mac_wcid_set_drop(struct mt76x02_dev *dev, u8 idx, bool drop)
+ mt76_wr(dev, MT_WCID_DROP(idx), (val & ~bit) | (bit * drop));
+ }
+
+-static __le16
++static u16
+ mt76x02_mac_tx_rate_val(struct mt76x02_dev *dev,
+ const struct ieee80211_tx_rate *rate, u8 *nss_val)
+ {
+@@ -222,14 +222,14 @@ mt76x02_mac_tx_rate_val(struct mt76x02_dev *dev,
+ rateval |= MT_RXWI_RATE_SGI;
+
+ *nss_val = nss;
+- return cpu_to_le16(rateval);
++ return rateval;
+ }
+
+ void mt76x02_mac_wcid_set_rate(struct mt76x02_dev *dev, struct mt76_wcid *wcid,
+ const struct ieee80211_tx_rate *rate)
+ {
+ s8 max_txpwr_adj = mt76x02_tx_get_max_txpwr_adj(dev, rate);
+- __le16 rateval;
++ u16 rateval;
+ u32 tx_info;
+ s8 nss;
+
+@@ -342,7 +342,7 @@ void mt76x02_mac_write_txwi(struct mt76x02_dev *dev, struct mt76x02_txwi *txwi,
+ struct ieee80211_key_conf *key = info->control.hw_key;
+ u32 wcid_tx_info;
+ u16 rate_ht_mask = FIELD_PREP(MT_RXWI_RATE_PHY, BIT(1) | BIT(2));
+- u16 txwi_flags = 0;
++ u16 txwi_flags = 0, rateval;
+ u8 nss;
+ s8 txpwr_adj, max_txpwr_adj;
+ u8 ccmp_pn[8], nstreams = dev->chainmask & 0xf;
+@@ -380,14 +380,15 @@ void mt76x02_mac_write_txwi(struct mt76x02_dev *dev, struct mt76x02_txwi *txwi,
+
+ if (wcid && (rate->idx < 0 || !rate->count)) {
+ wcid_tx_info = wcid->tx_info;
+- txwi->rate = FIELD_GET(MT_WCID_TX_INFO_RATE, wcid_tx_info);
++ rateval = FIELD_GET(MT_WCID_TX_INFO_RATE, wcid_tx_info);
+ max_txpwr_adj = FIELD_GET(MT_WCID_TX_INFO_TXPWR_ADJ,
+ wcid_tx_info);
+ nss = FIELD_GET(MT_WCID_TX_INFO_NSS, wcid_tx_info);
+ } else {
+- txwi->rate = mt76x02_mac_tx_rate_val(dev, rate, &nss);
++ rateval = mt76x02_mac_tx_rate_val(dev, rate, &nss);
+ max_txpwr_adj = mt76x02_tx_get_max_txpwr_adj(dev, rate);
+ }
++ txwi->rate = cpu_to_le16(rateval);
+
+ txpwr_adj = mt76x02_tx_get_txpwr_adj(dev, dev->txpower_conf,
+ max_txpwr_adj);
+--
+2.33.0
+
--- /dev/null
+From 9e523da02888aa007cf7bcda289f3681a478df36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jul 2021 15:56:10 +0800
+Subject: mt76: mt7915: fix an off-by-one bound check
+
+From: Ryder Lee <ryder.lee@mediatek.com>
+
+[ Upstream commit d45dac0732a287fc371a23f257cce04e65627947 ]
+
+The bounds check on datalen is off-by-one, so fix it.
+
+Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
+index ea71409751519..7c2d09a64882e 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
+@@ -830,7 +830,7 @@ static void mt7915_check_he_obss_narrow_bw_ru_iter(struct wiphy *wiphy,
+
+ elem = ieee80211_bss_get_elem(bss, WLAN_EID_EXT_CAPABILITY);
+
+- if (!elem || elem->datalen < 10 ||
++ if (!elem || elem->datalen <= 10 ||
+ !(elem->data[10] &
+ WLAN_EXT_CAPA10_OBSS_NARROW_BW_RU_TOLERANCE_SUPPORT))
+ data->tolerated = false;
+--
+2.33.0
+
--- /dev/null
+From 9851b5775cc253f4ccac19075801594829ffd47e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Oct 2021 16:07:04 +0800
+Subject: mt76: mt7915: fix muar_idx in mt7915_mcu_alloc_sta_req()
+
+From: Shayne Chen <shayne.chen@mediatek.com>
+
+[ Upstream commit 161cc13912d3c3e8857001988dfba39be842454a ]
+
+For broadcast/multicast wcid, the muar_idx should be 0xe.
+
+Fixes: e57b7901469f ("mt76: add mac80211 driver for MT7915 PCIe-based chipsets")
+Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
+index 63bc4577c5c57..7b6e9a5352b35 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
+@@ -631,7 +631,7 @@ mt7915_mcu_alloc_sta_req(struct mt7915_dev *dev, struct mt7915_vif *mvif,
+ .bss_idx = mvif->idx,
+ .wlan_idx_lo = msta ? to_wcid_lo(msta->wcid.idx) : 0,
+ .wlan_idx_hi = msta ? to_wcid_hi(msta->wcid.idx) : 0,
+- .muar_idx = msta ? mvif->omac_idx : 0,
++ .muar_idx = msta && msta->wcid.sta ? mvif->omac_idx : 0xe,
+ .is_tlv_append = 1,
+ };
+ struct sk_buff *skb;
+--
+2.33.0
+
--- /dev/null
+From b212e600e9d7629d52a9a612028154e75234b830 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 18:42:51 +0200
+Subject: mt76: mt7915: fix possible infinite loop release semaphore
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit e500c9470e26be66eb2bc6de773ae9091149118a ]
+
+Fix possible infinite loop in mt7915_load_patch if
+mt7915_mcu_patch_sem_ctrl always returns an error.
+
+Fixes: e57b7901469fc ("mt76: add mac80211 driver for MT7915 PCIe-based chipsets")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
+index 7c2d09a64882e..c36c7b0e918a4 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
+@@ -2648,7 +2648,7 @@ out:
+ default:
+ ret = -EAGAIN;
+ dev_err(dev->mt76.dev, "Failed to release patch semaphore\n");
+- goto out;
++ break;
+ }
+ release_firmware(fw);
+
+--
+2.33.0
+
--- /dev/null
+From a3dd4b2fc5f93993489e99dfa41b2aaa0144c461 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Oct 2021 16:07:02 +0800
+Subject: mt76: mt7915: fix sta_rec_wtbl tag len
+
+From: Shayne Chen <shayne.chen@mediatek.com>
+
+[ Upstream commit afa0370f3a3a64af6d368da0bedd72ab2a026cd0 ]
+
+Fix tag len error for sta_rec_wtbl, which causes fw parsing error for
+the tags placed behind it.
+
+Fixes: e57b7901469f ("mt76: add mac80211 driver for MT7915 PCIe-based chipsets")
+Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
+index c36c7b0e918a4..63bc4577c5c57 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
+@@ -667,7 +667,7 @@ mt7915_mcu_alloc_wtbl_req(struct mt7915_dev *dev, struct mt7915_sta *msta,
+ }
+
+ if (sta_hdr)
+- sta_hdr->len = cpu_to_le16(sizeof(hdr));
++ le16_add_cpu(&sta_hdr->len, sizeof(hdr));
+
+ return skb_put_data(nskb, &hdr, sizeof(hdr));
+ }
+--
+2.33.0
+
--- /dev/null
+From 922bafc83cf942b46969de5fb2097538daaa546d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Oct 2021 13:39:52 -0700
+Subject: mtd: core: don't remove debugfs directory if device is in use
+
+From: Zev Weiss <zev@bewilderbeest.net>
+
+[ Upstream commit c13de2386c78e890d4ae6f01a85eefd0b293fb08 ]
+
+Previously, if del_mtd_device() failed with -EBUSY due to a non-zero
+usecount, a subsequent call to attempt the deletion again would try to
+remove a debugfs directory that had already been removed and panic.
+With this change the second call can instead proceed safely.
+
+Fixes: e8e3edb95ce6 ("mtd: create per-device and module-scope debugfs entries")
+Signed-off-by: Zev Weiss <zev@bewilderbeest.net>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20211014203953.5424-1-zev@bewilderbeest.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/mtdcore.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mtd/mtdcore.c b/drivers/mtd/mtdcore.c
+index 1c8c407286783..a5197a4819025 100644
+--- a/drivers/mtd/mtdcore.c
++++ b/drivers/mtd/mtdcore.c
+@@ -721,8 +721,6 @@ int del_mtd_device(struct mtd_info *mtd)
+
+ mutex_lock(&mtd_table_mutex);
+
+- debugfs_remove_recursive(mtd->dbg.dfs_dir);
+-
+ if (idr_find(&mtd_idr, mtd->index) != mtd) {
+ ret = -ENODEV;
+ goto out_error;
+@@ -738,6 +736,8 @@ int del_mtd_device(struct mtd_info *mtd)
+ mtd->index, mtd->name, mtd->usecount);
+ ret = -EBUSY;
+ } else {
++ debugfs_remove_recursive(mtd->dbg.dfs_dir);
++
+ /* Try to remove the NVMEM provider */
+ if (mtd->nvmem)
+ nvmem_unregister(mtd->nvmem);
+--
+2.33.0
+
--- /dev/null
+From 809b5661c24ac9f148481ddf2980adf86c9f9bbf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Jul 2021 17:45:29 +0300
+Subject: mtd: spi-nor: hisi-sfc: Remove excessive clk_disable_unprepare()
+
+From: Evgeny Novikov <novikov@ispras.ru>
+
+[ Upstream commit 78e4d342187625585932bb437ec26e1060f7fc6f ]
+
+hisi_spi_nor_probe() invokes clk_disable_unprepare() on all paths after
+successful call of clk_prepare_enable(). Besides, the clock is enabled by
+hispi_spi_nor_prep() and disabled by hispi_spi_nor_unprep(). So at remove
+time it is not possible to have the clock enabled. The patch removes
+excessive clk_disable_unprepare() from hisi_spi_nor_remove().
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Fixes: e523f11141bd ("mtd: spi-nor: add hisilicon spi-nor flash controller driver")
+Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
+Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Reviewed-by: Pratyush Yadav <p.yadav@ti.com>
+Link: https://lore.kernel.org/r/20210709144529.31379-1-novikov@ispras.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/spi-nor/controllers/hisi-sfc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/mtd/spi-nor/controllers/hisi-sfc.c b/drivers/mtd/spi-nor/controllers/hisi-sfc.c
+index 440fc5ae7d34c..fd2c19a047485 100644
+--- a/drivers/mtd/spi-nor/controllers/hisi-sfc.c
++++ b/drivers/mtd/spi-nor/controllers/hisi-sfc.c
+@@ -477,7 +477,6 @@ static int hisi_spi_nor_remove(struct platform_device *pdev)
+
+ hisi_spi_nor_unregister_all(host);
+ mutex_destroy(&host->lock);
+- clk_disable_unprepare(host->clk);
+ return 0;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 208fd59a0eafbc05cfd07bbdcdc1420aa9dc0598 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 21:59:08 +0200
+Subject: mwifiex: Properly initialize private structure on interface type
+ changes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonas Dreßler <verdre@v0yd.nl>
+
+[ Upstream commit c606008b70627a2fc485732a53cc22f0f66d0981 ]
+
+When creating a new virtual interface in mwifiex_add_virtual_intf(), we
+update our internal driver states like bss_type, bss_priority, bss_role
+and bss_mode to reflect the mode the firmware will be set to.
+
+When switching virtual interface mode using
+mwifiex_init_new_priv_params() though, we currently only update bss_mode
+and bss_role. In order for the interface mode switch to actually work,
+we also need to update bss_type to its proper value, so do that.
+
+This fixes a crash of the firmware (because the driver tries to execute
+commands that are invalid in AP mode) when switching from station mode
+to AP mode.
+
+Signed-off-by: Jonas Dreßler <verdre@v0yd.nl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210914195909.36035-9-verdre@v0yd.nl
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/cfg80211.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/cfg80211.c b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
+index 7a4e3c693d38b..3d1b5d3d295ae 100644
+--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c
++++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
+@@ -908,16 +908,20 @@ mwifiex_init_new_priv_params(struct mwifiex_private *priv,
+ switch (type) {
+ case NL80211_IFTYPE_STATION:
+ case NL80211_IFTYPE_ADHOC:
+- priv->bss_role = MWIFIEX_BSS_ROLE_STA;
++ priv->bss_role = MWIFIEX_BSS_ROLE_STA;
++ priv->bss_type = MWIFIEX_BSS_TYPE_STA;
+ break;
+ case NL80211_IFTYPE_P2P_CLIENT:
+- priv->bss_role = MWIFIEX_BSS_ROLE_STA;
++ priv->bss_role = MWIFIEX_BSS_ROLE_STA;
++ priv->bss_type = MWIFIEX_BSS_TYPE_P2P;
+ break;
+ case NL80211_IFTYPE_P2P_GO:
+- priv->bss_role = MWIFIEX_BSS_ROLE_UAP;
++ priv->bss_role = MWIFIEX_BSS_ROLE_UAP;
++ priv->bss_type = MWIFIEX_BSS_TYPE_P2P;
+ break;
+ case NL80211_IFTYPE_AP:
+ priv->bss_role = MWIFIEX_BSS_ROLE_UAP;
++ priv->bss_type = MWIFIEX_BSS_TYPE_UAP;
+ break;
+ default:
+ mwifiex_dbg(adapter, ERROR,
+--
+2.33.0
+
--- /dev/null
+From dfa17dd994e9ad818a68a45c6cb79b282c954e51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 21:59:03 +0200
+Subject: mwifiex: Run SET_BSS_MODE when changing from P2P to STATION vif-type
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonas Dreßler <verdre@v0yd.nl>
+
+[ Upstream commit c2e9666cdffd347460a2b17988db4cfaf2a68fb9 ]
+
+We currently handle changing from the P2P to the STATION virtual
+interface type slightly different than changing from P2P to ADHOC: When
+changing to STATION, we don't send the SET_BSS_MODE command. We do send
+that command on all other type-changes though, and it probably makes
+sense to send the command since after all we just changed our BSS_MODE.
+Looking at prior changes to this part of the code, it seems that this is
+simply a leftover from old refactorings.
+
+Since sending the SET_BSS_MODE command is the only difference between
+mwifiex_change_vif_to_sta_adhoc() and the current code, we can now use
+mwifiex_change_vif_to_sta_adhoc() for both switching to ADHOC and
+STATION interface type.
+
+This does not fix any particular bug and just "looked right", so there's
+a small chance it might be a regression.
+
+Signed-off-by: Jonas Dreßler <verdre@v0yd.nl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210914195909.36035-4-verdre@v0yd.nl
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/marvell/mwifiex/cfg80211.c | 22 ++++---------------
+ 1 file changed, 4 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/cfg80211.c b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
+index a6b9dc6700b14..7a4e3c693d38b 100644
+--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c
++++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
+@@ -1229,29 +1229,15 @@ mwifiex_cfg80211_change_virtual_intf(struct wiphy *wiphy,
+ break;
+ case NL80211_IFTYPE_P2P_CLIENT:
+ case NL80211_IFTYPE_P2P_GO:
++ if (mwifiex_cfg80211_deinit_p2p(priv))
++ return -EFAULT;
++
+ switch (type) {
+- case NL80211_IFTYPE_STATION:
+- if (mwifiex_cfg80211_deinit_p2p(priv))
+- return -EFAULT;
+- priv->adapter->curr_iface_comb.p2p_intf--;
+- priv->adapter->curr_iface_comb.sta_intf++;
+- dev->ieee80211_ptr->iftype = type;
+- if (mwifiex_deinit_priv_params(priv))
+- return -1;
+- if (mwifiex_init_new_priv_params(priv, dev, type))
+- return -1;
+- if (mwifiex_sta_init_cmd(priv, false, false))
+- return -1;
+- break;
+ case NL80211_IFTYPE_ADHOC:
+- if (mwifiex_cfg80211_deinit_p2p(priv))
+- return -EFAULT;
++ case NL80211_IFTYPE_STATION:
+ return mwifiex_change_vif_to_sta_adhoc(dev, curr_iftype,
+ type, params);
+- break;
+ case NL80211_IFTYPE_AP:
+- if (mwifiex_cfg80211_deinit_p2p(priv))
+- return -EFAULT;
+ return mwifiex_change_vif_to_ap(dev, curr_iftype, type,
+ params);
+ case NL80211_IFTYPE_UNSPECIFIED:
+--
+2.33.0
+
--- /dev/null
+From d552040990b64f6833939fbd407dc5695b661ea2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 Oct 2021 17:32:43 +0200
+Subject: mwifiex: Send DELBA requests according to spec
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonas Dreßler <verdre@v0yd.nl>
+
+[ Upstream commit cc8a8bc37466f79b24d972555237f3d591150602 ]
+
+While looking at on-air packets using Wireshark, I noticed we're never
+setting the initiator bit when sending DELBA requests to the AP: While
+we set the bit on our del_ba_param_set bitmask, we forget to actually
+copy that bitmask over to the command struct, which means we never
+actually set the initiator bit.
+
+Fix that and copy the bitmask over to the host_cmd_ds_11n_delba command
+struct.
+
+Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
+Signed-off-by: Jonas Dreßler <verdre@v0yd.nl>
+Acked-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20211016153244.24353-5-verdre@v0yd.nl
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/11n.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/11n.c b/drivers/net/wireless/marvell/mwifiex/11n.c
+index 6696bce561786..cf08a4af84d6d 100644
+--- a/drivers/net/wireless/marvell/mwifiex/11n.c
++++ b/drivers/net/wireless/marvell/mwifiex/11n.c
+@@ -657,14 +657,15 @@ int mwifiex_send_delba(struct mwifiex_private *priv, int tid, u8 *peer_mac,
+ uint16_t del_ba_param_set;
+
+ memset(&delba, 0, sizeof(delba));
+- delba.del_ba_param_set = cpu_to_le16(tid << DELBA_TID_POS);
+
+- del_ba_param_set = le16_to_cpu(delba.del_ba_param_set);
++ del_ba_param_set = tid << DELBA_TID_POS;
++
+ if (initiator)
+ del_ba_param_set |= IEEE80211_DELBA_PARAM_INITIATOR_MASK;
+ else
+ del_ba_param_set &= ~IEEE80211_DELBA_PARAM_INITIATOR_MASK;
+
++ delba.del_ba_param_set = cpu_to_le16(del_ba_param_set);
+ memcpy(&delba.peer_mac_addr, peer_mac, ETH_ALEN);
+
+ /* We don't wait for the response of this command */
+--
+2.33.0
+
--- /dev/null
+From 2f71a6557fee8804a1f728aa483801821edbf008 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 Oct 2021 04:02:59 +0000
+Subject: mwl8k: Fix use-after-free in mwl8k_fw_state_machine()
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit 257051a235c17e33782b6e24a4b17f2d7915aaec ]
+
+When the driver fails to request the firmware, it calls its error
+handler. In the error handler, the driver detaches device from driver
+first before releasing the firmware, which can cause a use-after-free bug.
+
+Fix this by releasing firmware first.
+
+The following log reveals it:
+
+[ 9.007301 ] BUG: KASAN: use-after-free in mwl8k_fw_state_machine+0x320/0xba0
+[ 9.010143 ] Workqueue: events request_firmware_work_func
+[ 9.010830 ] Call Trace:
+[ 9.010830 ] dump_stack_lvl+0xa8/0xd1
+[ 9.010830 ] print_address_description+0x87/0x3b0
+[ 9.010830 ] kasan_report+0x172/0x1c0
+[ 9.010830 ] ? mutex_unlock+0xd/0x10
+[ 9.010830 ] ? mwl8k_fw_state_machine+0x320/0xba0
+[ 9.010830 ] ? mwl8k_fw_state_machine+0x320/0xba0
+[ 9.010830 ] __asan_report_load8_noabort+0x14/0x20
+[ 9.010830 ] mwl8k_fw_state_machine+0x320/0xba0
+[ 9.010830 ] ? mwl8k_load_firmware+0x5f0/0x5f0
+[ 9.010830 ] request_firmware_work_func+0x172/0x250
+[ 9.010830 ] ? read_lock_is_recursive+0x20/0x20
+[ 9.010830 ] ? process_one_work+0x7a1/0x1100
+[ 9.010830 ] ? request_firmware_nowait+0x460/0x460
+[ 9.010830 ] ? __this_cpu_preempt_check+0x13/0x20
+[ 9.010830 ] process_one_work+0x9bb/0x1100
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1634356979-6211-1-git-send-email-zheyuma97@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwl8k.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/marvell/mwl8k.c b/drivers/net/wireless/marvell/mwl8k.c
+index 27b7d4b779e0b..dc91ac8cbd48b 100644
+--- a/drivers/net/wireless/marvell/mwl8k.c
++++ b/drivers/net/wireless/marvell/mwl8k.c
+@@ -5796,8 +5796,8 @@ static void mwl8k_fw_state_machine(const struct firmware *fw, void *context)
+ fail:
+ priv->fw_state = FW_STATE_ERROR;
+ complete(&priv->firmware_loading_complete);
+- device_release_driver(&priv->pdev->dev);
+ mwl8k_release_firmware(priv);
++ device_release_driver(&priv->pdev->dev);
+ }
+
+ #define MAX_RESTART_ATTEMPTS 1
+--
+2.33.0
+
--- /dev/null
+From ab408c4487923898ada72bb3751179d17320122e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Oct 2021 15:27:27 +0530
+Subject: net: amd-xgbe: Toggle PLL settings during rate change
+
+From: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
+
+[ Upstream commit daf182d360e509a494db18666799f4e85d83dda0 ]
+
+For each rate change command submission, the FW has to do a phy
+power off sequence internally. For this to happen correctly, the
+PLL re-initialization control setting has to be turned off before
+sending mailbox commands and re-enabled once the command submission
+is complete.
+
+Without the PLL control setting, the link up takes longer time in a
+fixed phy configuration.
+
+Fixes: 47f164deab22 ("amd-xgbe: Add PCI device support")
+Co-developed-by: Sudheesh Mavila <sudheesh.mavila@amd.com>
+Signed-off-by: Sudheesh Mavila <sudheesh.mavila@amd.com>
+Signed-off-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
+Acked-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-common.h | 8 ++++++++
+ drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 20 +++++++++++++++++++-
+ 2 files changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-common.h b/drivers/net/ethernet/amd/xgbe/xgbe-common.h
+index b2cd3bdba9f89..533b8519ec352 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-common.h
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-common.h
+@@ -1331,6 +1331,10 @@
+ #define MDIO_VEND2_PMA_CDR_CONTROL 0x8056
+ #endif
+
++#ifndef MDIO_VEND2_PMA_MISC_CTRL0
++#define MDIO_VEND2_PMA_MISC_CTRL0 0x8090
++#endif
++
+ #ifndef MDIO_CTRL1_SPEED1G
+ #define MDIO_CTRL1_SPEED1G (MDIO_CTRL1_SPEED10G & ~BMCR_SPEED100)
+ #endif
+@@ -1389,6 +1393,10 @@
+ #define XGBE_PMA_RX_RST_0_RESET_ON 0x10
+ #define XGBE_PMA_RX_RST_0_RESET_OFF 0x00
+
++#define XGBE_PMA_PLL_CTRL_MASK BIT(15)
++#define XGBE_PMA_PLL_CTRL_ENABLE BIT(15)
++#define XGBE_PMA_PLL_CTRL_DISABLE 0x0000
++
+ /* Bit setting and getting macros
+ * The get macro will extract the current bit field value from within
+ * the variable
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+index 18e48b3bc402b..213769054391c 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+@@ -1977,12 +1977,26 @@ static void xgbe_phy_rx_reset(struct xgbe_prv_data *pdata)
+ }
+ }
+
++static void xgbe_phy_pll_ctrl(struct xgbe_prv_data *pdata, bool enable)
++{
++ XMDIO_WRITE_BITS(pdata, MDIO_MMD_PMAPMD, MDIO_VEND2_PMA_MISC_CTRL0,
++ XGBE_PMA_PLL_CTRL_MASK,
++ enable ? XGBE_PMA_PLL_CTRL_ENABLE
++ : XGBE_PMA_PLL_CTRL_DISABLE);
++
++ /* Wait for command to complete */
++ usleep_range(100, 200);
++}
++
+ static void xgbe_phy_perform_ratechange(struct xgbe_prv_data *pdata,
+ unsigned int cmd, unsigned int sub_cmd)
+ {
+ unsigned int s0 = 0;
+ unsigned int wait;
+
++ /* Disable PLL re-initialization during FW command processing */
++ xgbe_phy_pll_ctrl(pdata, false);
++
+ /* Log if a previous command did not complete */
+ if (XP_IOREAD_BITS(pdata, XP_DRIVER_INT_RO, STATUS)) {
+ netif_dbg(pdata, link, pdata->netdev,
+@@ -2003,7 +2017,7 @@ static void xgbe_phy_perform_ratechange(struct xgbe_prv_data *pdata,
+ wait = XGBE_RATECHANGE_COUNT;
+ while (wait--) {
+ if (!XP_IOREAD_BITS(pdata, XP_DRIVER_INT_RO, STATUS))
+- return;
++ goto reenable_pll;
+
+ usleep_range(1000, 2000);
+ }
+@@ -2013,6 +2027,10 @@ static void xgbe_phy_perform_ratechange(struct xgbe_prv_data *pdata,
+
+ /* Reset on error */
+ xgbe_phy_rx_reset(pdata);
++
++reenable_pll:
++ /* Enable PLL re-initialization */
++ xgbe_phy_pll_ctrl(pdata, true);
+ }
+
+ static void xgbe_phy_rrc(struct xgbe_prv_data *pdata)
+--
+2.33.0
+
--- /dev/null
+From 2ebe700f7611b64d9f7836645d383d19ffd37cce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Oct 2021 11:15:55 -0700
+Subject: net: annotate data-race in neigh_output()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit d18785e213866935b4c3dc0c33c3e18801ce0ce8 ]
+
+neigh_output() reads n->nud_state and hh->hh_len locklessly.
+
+This is fine, but we need to add annotations and document this.
+
+We evaluate skip_cache first to avoid reading these fields
+if the cache has to by bypassed.
+
+syzbot report:
+
+BUG: KCSAN: data-race in __neigh_event_send / ip_finish_output2
+
+write to 0xffff88810798a885 of 1 bytes by interrupt on cpu 1:
+ __neigh_event_send+0x40d/0xac0 net/core/neighbour.c:1128
+ neigh_event_send include/net/neighbour.h:444 [inline]
+ neigh_resolve_output+0x104/0x410 net/core/neighbour.c:1476
+ neigh_output include/net/neighbour.h:510 [inline]
+ ip_finish_output2+0x80a/0xaa0 net/ipv4/ip_output.c:221
+ ip_finish_output+0x3b5/0x510 net/ipv4/ip_output.c:309
+ NF_HOOK_COND include/linux/netfilter.h:296 [inline]
+ ip_output+0xf3/0x1a0 net/ipv4/ip_output.c:423
+ dst_output include/net/dst.h:450 [inline]
+ ip_local_out+0x164/0x220 net/ipv4/ip_output.c:126
+ __ip_queue_xmit+0x9d3/0xa20 net/ipv4/ip_output.c:525
+ ip_queue_xmit+0x34/0x40 net/ipv4/ip_output.c:539
+ __tcp_transmit_skb+0x142a/0x1a00 net/ipv4/tcp_output.c:1405
+ tcp_transmit_skb net/ipv4/tcp_output.c:1423 [inline]
+ tcp_xmit_probe_skb net/ipv4/tcp_output.c:4011 [inline]
+ tcp_write_wakeup+0x4a9/0x810 net/ipv4/tcp_output.c:4064
+ tcp_send_probe0+0x2c/0x2b0 net/ipv4/tcp_output.c:4079
+ tcp_probe_timer net/ipv4/tcp_timer.c:398 [inline]
+ tcp_write_timer_handler+0x394/0x520 net/ipv4/tcp_timer.c:626
+ tcp_write_timer+0xb9/0x180 net/ipv4/tcp_timer.c:642
+ call_timer_fn+0x2e/0x1d0 kernel/time/timer.c:1421
+ expire_timers+0x135/0x240 kernel/time/timer.c:1466
+ __run_timers+0x368/0x430 kernel/time/timer.c:1734
+ run_timer_softirq+0x19/0x30 kernel/time/timer.c:1747
+ __do_softirq+0x12c/0x26e kernel/softirq.c:558
+ invoke_softirq kernel/softirq.c:432 [inline]
+ __irq_exit_rcu kernel/softirq.c:636 [inline]
+ irq_exit_rcu+0x4e/0xa0 kernel/softirq.c:648
+ sysvec_apic_timer_interrupt+0x69/0x80 arch/x86/kernel/apic/apic.c:1097
+ asm_sysvec_apic_timer_interrupt+0x12/0x20
+ native_safe_halt arch/x86/include/asm/irqflags.h:51 [inline]
+ arch_safe_halt arch/x86/include/asm/irqflags.h:89 [inline]
+ acpi_safe_halt drivers/acpi/processor_idle.c:109 [inline]
+ acpi_idle_do_entry drivers/acpi/processor_idle.c:553 [inline]
+ acpi_idle_enter+0x258/0x2e0 drivers/acpi/processor_idle.c:688
+ cpuidle_enter_state+0x2b4/0x760 drivers/cpuidle/cpuidle.c:237
+ cpuidle_enter+0x3c/0x60 drivers/cpuidle/cpuidle.c:351
+ call_cpuidle kernel/sched/idle.c:158 [inline]
+ cpuidle_idle_call kernel/sched/idle.c:239 [inline]
+ do_idle+0x1a3/0x250 kernel/sched/idle.c:306
+ cpu_startup_entry+0x15/0x20 kernel/sched/idle.c:403
+ secondary_startup_64_no_verify+0xb1/0xbb
+
+read to 0xffff88810798a885 of 1 bytes by interrupt on cpu 0:
+ neigh_output include/net/neighbour.h:507 [inline]
+ ip_finish_output2+0x79a/0xaa0 net/ipv4/ip_output.c:221
+ ip_finish_output+0x3b5/0x510 net/ipv4/ip_output.c:309
+ NF_HOOK_COND include/linux/netfilter.h:296 [inline]
+ ip_output+0xf3/0x1a0 net/ipv4/ip_output.c:423
+ dst_output include/net/dst.h:450 [inline]
+ ip_local_out+0x164/0x220 net/ipv4/ip_output.c:126
+ __ip_queue_xmit+0x9d3/0xa20 net/ipv4/ip_output.c:525
+ ip_queue_xmit+0x34/0x40 net/ipv4/ip_output.c:539
+ __tcp_transmit_skb+0x142a/0x1a00 net/ipv4/tcp_output.c:1405
+ tcp_transmit_skb net/ipv4/tcp_output.c:1423 [inline]
+ tcp_xmit_probe_skb net/ipv4/tcp_output.c:4011 [inline]
+ tcp_write_wakeup+0x4a9/0x810 net/ipv4/tcp_output.c:4064
+ tcp_send_probe0+0x2c/0x2b0 net/ipv4/tcp_output.c:4079
+ tcp_probe_timer net/ipv4/tcp_timer.c:398 [inline]
+ tcp_write_timer_handler+0x394/0x520 net/ipv4/tcp_timer.c:626
+ tcp_write_timer+0xb9/0x180 net/ipv4/tcp_timer.c:642
+ call_timer_fn+0x2e/0x1d0 kernel/time/timer.c:1421
+ expire_timers+0x135/0x240 kernel/time/timer.c:1466
+ __run_timers+0x368/0x430 kernel/time/timer.c:1734
+ run_timer_softirq+0x19/0x30 kernel/time/timer.c:1747
+ __do_softirq+0x12c/0x26e kernel/softirq.c:558
+ invoke_softirq kernel/softirq.c:432 [inline]
+ __irq_exit_rcu kernel/softirq.c:636 [inline]
+ irq_exit_rcu+0x4e/0xa0 kernel/softirq.c:648
+ sysvec_apic_timer_interrupt+0x69/0x80 arch/x86/kernel/apic/apic.c:1097
+ asm_sysvec_apic_timer_interrupt+0x12/0x20
+ native_safe_halt arch/x86/include/asm/irqflags.h:51 [inline]
+ arch_safe_halt arch/x86/include/asm/irqflags.h:89 [inline]
+ acpi_safe_halt drivers/acpi/processor_idle.c:109 [inline]
+ acpi_idle_do_entry drivers/acpi/processor_idle.c:553 [inline]
+ acpi_idle_enter+0x258/0x2e0 drivers/acpi/processor_idle.c:688
+ cpuidle_enter_state+0x2b4/0x760 drivers/cpuidle/cpuidle.c:237
+ cpuidle_enter+0x3c/0x60 drivers/cpuidle/cpuidle.c:351
+ call_cpuidle kernel/sched/idle.c:158 [inline]
+ cpuidle_idle_call kernel/sched/idle.c:239 [inline]
+ do_idle+0x1a3/0x250 kernel/sched/idle.c:306
+ cpu_startup_entry+0x15/0x20 kernel/sched/idle.c:403
+ rest_init+0xee/0x100 init/main.c:734
+ arch_call_rest_init+0xa/0xb
+ start_kernel+0x5e4/0x669 init/main.c:1142
+ secondary_startup_64_no_verify+0xb1/0xbb
+
+value changed: 0x20 -> 0x01
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.15.0-rc6-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/neighbour.h | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/neighbour.h b/include/net/neighbour.h
+index 22ced1381ede5..990f9b1d17092 100644
+--- a/include/net/neighbour.h
++++ b/include/net/neighbour.h
+@@ -504,10 +504,15 @@ static inline int neigh_output(struct neighbour *n, struct sk_buff *skb,
+ {
+ const struct hh_cache *hh = &n->hh;
+
+- if ((n->nud_state & NUD_CONNECTED) && hh->hh_len && !skip_cache)
++ /* n->nud_state and hh->hh_len could be changed under us.
++ * neigh_hh_output() is taking care of the race later.
++ */
++ if (!skip_cache &&
++ (READ_ONCE(n->nud_state) & NUD_CONNECTED) &&
++ READ_ONCE(hh->hh_len))
+ return neigh_hh_output(hh, skb);
+- else
+- return n->output(n, skb);
++
++ return n->output(n, skb);
+ }
+
+ static inline struct neighbour *
+--
+2.33.0
+
--- /dev/null
+From cf743da3b64cc06ca6ad0ed35cd3ae3ec1f4e083 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Nov 2021 18:23:41 +0300
+Subject: net: davinci_emac: Fix interrupt pacing disable
+
+From: Maxim Kiselev <bigunclemax@gmail.com>
+
+[ Upstream commit d52bcb47bdf971a59a2467975d2405fcfcb2fa19 ]
+
+This patch allows to use 0 for `coal->rx_coalesce_usecs` param to
+disable rx irq coalescing.
+
+Previously we could enable rx irq coalescing via ethtool
+(For ex: `ethtool -C eth0 rx-usecs 2000`) but we couldn't disable
+it because this part rejects 0 value:
+
+ if (!coal->rx_coalesce_usecs)
+ return -EINVAL;
+
+Fixes: 84da2658a619 ("TI DaVinci EMAC : Implement interrupt pacing functionality.")
+Signed-off-by: Maxim Kiselev <bigunclemax@gmail.com>
+Reviewed-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Link: https://lore.kernel.org/r/20211101152343.4193233-1-bigunclemax@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ti/davinci_emac.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/ti/davinci_emac.c b/drivers/net/ethernet/ti/davinci_emac.c
+index 03055c96f0760..ad5293571af4d 100644
+--- a/drivers/net/ethernet/ti/davinci_emac.c
++++ b/drivers/net/ethernet/ti/davinci_emac.c
+@@ -412,8 +412,20 @@ static int emac_set_coalesce(struct net_device *ndev,
+ u32 int_ctrl, num_interrupts = 0;
+ u32 prescale = 0, addnl_dvdr = 1, coal_intvl = 0;
+
+- if (!coal->rx_coalesce_usecs)
+- return -EINVAL;
++ if (!coal->rx_coalesce_usecs) {
++ priv->coal_intvl = 0;
++
++ switch (priv->version) {
++ case EMAC_VERSION_2:
++ emac_ctrl_write(EMAC_DM646X_CMINTCTRL, 0);
++ break;
++ default:
++ emac_ctrl_write(EMAC_CTRL_EWINTTCNT, 0);
++ break;
++ }
++
++ return 0;
++ }
+
+ coal_intvl = coal->rx_coalesce_usecs;
+
+--
+2.33.0
+
--- /dev/null
+From 73d9637a60bf6a53a4a2debc9869c2ad6de10bd5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Oct 2021 21:43:08 +0300
+Subject: net: dsa: lantiq_gswip: serialize access to the PCE table
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 49753a75b9a32de4c0393bb8d1e51ea223fda8e4 ]
+
+Looking at the code, the GSWIP switch appears to hold bridging service
+structures (VLANs, FDBs, forwarding rules) in PCE table entries.
+Hardware access to the PCE table is non-atomic, and is comprised of
+several register reads and writes.
+
+These accesses are currently serialized by the rtnl_lock, but DSA is
+changing its driver API and that lock will no longer be held when
+calling ->port_fdb_add() and ->port_fdb_del().
+
+So this driver needs to serialize the access to the PCE table using its
+own locking scheme. This patch adds that.
+
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/lantiq_gswip.c | 28 +++++++++++++++++++++++-----
+ 1 file changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/dsa/lantiq_gswip.c b/drivers/net/dsa/lantiq_gswip.c
+index 4d23a7aba7961..f54e7f48b0dd7 100644
+--- a/drivers/net/dsa/lantiq_gswip.c
++++ b/drivers/net/dsa/lantiq_gswip.c
+@@ -274,6 +274,7 @@ struct gswip_priv {
+ int num_gphy_fw;
+ struct gswip_gphy_fw *gphy_fw;
+ u32 port_vlan_filter;
++ struct mutex pce_table_lock;
+ };
+
+ struct gswip_pce_table_entry {
+@@ -521,10 +522,14 @@ static int gswip_pce_table_entry_read(struct gswip_priv *priv,
+ u16 addr_mode = tbl->key_mode ? GSWIP_PCE_TBL_CTRL_OPMOD_KSRD :
+ GSWIP_PCE_TBL_CTRL_OPMOD_ADRD;
+
++ mutex_lock(&priv->pce_table_lock);
++
+ err = gswip_switch_r_timeout(priv, GSWIP_PCE_TBL_CTRL,
+ GSWIP_PCE_TBL_CTRL_BAS);
+- if (err)
++ if (err) {
++ mutex_unlock(&priv->pce_table_lock);
+ return err;
++ }
+
+ gswip_switch_w(priv, tbl->index, GSWIP_PCE_TBL_ADDR);
+ gswip_switch_mask(priv, GSWIP_PCE_TBL_CTRL_ADDR_MASK |
+@@ -534,8 +539,10 @@ static int gswip_pce_table_entry_read(struct gswip_priv *priv,
+
+ err = gswip_switch_r_timeout(priv, GSWIP_PCE_TBL_CTRL,
+ GSWIP_PCE_TBL_CTRL_BAS);
+- if (err)
++ if (err) {
++ mutex_unlock(&priv->pce_table_lock);
+ return err;
++ }
+
+ for (i = 0; i < ARRAY_SIZE(tbl->key); i++)
+ tbl->key[i] = gswip_switch_r(priv, GSWIP_PCE_TBL_KEY(i));
+@@ -551,6 +558,8 @@ static int gswip_pce_table_entry_read(struct gswip_priv *priv,
+ tbl->valid = !!(crtl & GSWIP_PCE_TBL_CTRL_VLD);
+ tbl->gmap = (crtl & GSWIP_PCE_TBL_CTRL_GMAP_MASK) >> 7;
+
++ mutex_unlock(&priv->pce_table_lock);
++
+ return 0;
+ }
+
+@@ -563,10 +572,14 @@ static int gswip_pce_table_entry_write(struct gswip_priv *priv,
+ u16 addr_mode = tbl->key_mode ? GSWIP_PCE_TBL_CTRL_OPMOD_KSWR :
+ GSWIP_PCE_TBL_CTRL_OPMOD_ADWR;
+
++ mutex_lock(&priv->pce_table_lock);
++
+ err = gswip_switch_r_timeout(priv, GSWIP_PCE_TBL_CTRL,
+ GSWIP_PCE_TBL_CTRL_BAS);
+- if (err)
++ if (err) {
++ mutex_unlock(&priv->pce_table_lock);
+ return err;
++ }
+
+ gswip_switch_w(priv, tbl->index, GSWIP_PCE_TBL_ADDR);
+ gswip_switch_mask(priv, GSWIP_PCE_TBL_CTRL_ADDR_MASK |
+@@ -598,8 +611,12 @@ static int gswip_pce_table_entry_write(struct gswip_priv *priv,
+ crtl |= GSWIP_PCE_TBL_CTRL_BAS;
+ gswip_switch_w(priv, crtl, GSWIP_PCE_TBL_CTRL);
+
+- return gswip_switch_r_timeout(priv, GSWIP_PCE_TBL_CTRL,
+- GSWIP_PCE_TBL_CTRL_BAS);
++ err = gswip_switch_r_timeout(priv, GSWIP_PCE_TBL_CTRL,
++ GSWIP_PCE_TBL_CTRL_BAS);
++
++ mutex_unlock(&priv->pce_table_lock);
++
++ return err;
+ }
+
+ /* Add the LAN port into a bridge with the CPU port by
+@@ -2040,6 +2057,7 @@ static int gswip_probe(struct platform_device *pdev)
+ priv->ds->priv = priv;
+ priv->ds->ops = &gswip_switch_ops;
+ priv->dev = dev;
++ mutex_init(&priv->pce_table_lock);
+ version = gswip_switch_r(priv, GSWIP_VERSION);
+
+ /* bring up the mdio bus */
+--
+2.33.0
+
--- /dev/null
+From a16e0e13f3f45fa83cb4d26009aa501f2414d244 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Sep 2021 00:59:27 +0200
+Subject: net: dsa: rtl8366rb: Fix off-by-one bug
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit 5f5f12f5d4b108399130bb5c11f07765851d9cdb ]
+
+The max VLAN number with non-4K VLAN activated is 15, and the
+range is 0..15. Not 16.
+
+The impact should be low since we by default have 4K VLAN and
+thus have 4095 VLANs to play with in this switch. There will
+not be a problem unless the code is rewritten to only use
+16 VLANs.
+
+Fixes: d8652956cf37 ("net: dsa: realtek-smi: Add Realtek SMI driver")
+Cc: Mauri Sandberg <sandberg@mailfence.com>
+Cc: DENG Qingfang <dqfext@gmail.com>
+Cc: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Alvin Å ipraga <alsi@bang-olufsen.dk>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/rtl8366rb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/rtl8366rb.c b/drivers/net/dsa/rtl8366rb.c
+index cfe56960f44b9..12d7e5cd31974 100644
+--- a/drivers/net/dsa/rtl8366rb.c
++++ b/drivers/net/dsa/rtl8366rb.c
+@@ -1343,7 +1343,7 @@ static int rtl8366rb_set_mc_index(struct realtek_smi *smi, int port, int index)
+
+ static bool rtl8366rb_is_vlan_valid(struct realtek_smi *smi, unsigned int vlan)
+ {
+- unsigned int max = RTL8366RB_NUM_VLANS;
++ unsigned int max = RTL8366RB_NUM_VLANS - 1;
+
+ if (smi->vlan4k_enabled)
+ max = RTL8366RB_NUM_VIDS - 1;
+--
+2.33.0
+
--- /dev/null
+From f45c359768892577a8dfc7bd568ba14f375c680d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Oct 2021 12:19:50 -0600
+Subject: net: enetc: unmap DMA in enetc_send_cmd()
+
+From: Tim Gardner <tim.gardner@canonical.com>
+
+[ Upstream commit cd4bc63de774eee95e9bac26a565cd80e0fca421 ]
+
+Coverity complains of a possible dereference of a null return value.
+
+ 5. returned_null: kzalloc returns NULL. [show details]
+ 6. var_assigned: Assigning: si_data = NULL return value from kzalloc.
+488 si_data = kzalloc(data_size, __GFP_DMA | GFP_KERNEL);
+489 cbd.length = cpu_to_le16(data_size);
+490
+491 dma = dma_map_single(&priv->si->pdev->dev, si_data,
+492 data_size, DMA_FROM_DEVICE);
+
+While this kzalloc() is unlikely to fail, I did notice that the function
+returned without unmapping si_data.
+
+Fix this by refactoring the error paths and checking for kzalloc()
+failure.
+
+Fixes: 888ae5a3952ba ("net: enetc: add tc flower psfp offload driver")
+Cc: Claudiu Manoil <claudiu.manoil@nxp.com>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: netdev@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org (open list)
+Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
+Acked-by: Claudiu Manoil <claudiu.manoil@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/freescale/enetc/enetc_qos.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/enetc/enetc_qos.c b/drivers/net/ethernet/freescale/enetc/enetc_qos.c
+index dbceb99c4441a..9e6988fd3787a 100644
+--- a/drivers/net/ethernet/freescale/enetc/enetc_qos.c
++++ b/drivers/net/ethernet/freescale/enetc/enetc_qos.c
+@@ -486,14 +486,16 @@ static int enetc_streamid_hw_set(struct enetc_ndev_priv *priv,
+
+ data_size = sizeof(struct streamid_data);
+ si_data = kzalloc(data_size, __GFP_DMA | GFP_KERNEL);
++ if (!si_data)
++ return -ENOMEM;
+ cbd.length = cpu_to_le16(data_size);
+
+ dma = dma_map_single(&priv->si->pdev->dev, si_data,
+ data_size, DMA_FROM_DEVICE);
+ if (dma_mapping_error(&priv->si->pdev->dev, dma)) {
+ netdev_err(priv->si->ndev, "DMA mapping failed!\n");
+- kfree(si_data);
+- return -ENOMEM;
++ err = -ENOMEM;
++ goto out;
+ }
+
+ cbd.addr[0] = lower_32_bits(dma);
+@@ -513,12 +515,10 @@ static int enetc_streamid_hw_set(struct enetc_ndev_priv *priv,
+
+ err = enetc_send_cmd(priv->si, &cbd);
+ if (err)
+- return -EINVAL;
++ goto out;
+
+- if (!enable) {
+- kfree(si_data);
+- return 0;
+- }
++ if (!enable)
++ goto out;
+
+ /* Enable the entry overwrite again incase space flushed by hardware */
+ memset(&cbd, 0, sizeof(cbd));
+@@ -563,6 +563,10 @@ static int enetc_streamid_hw_set(struct enetc_ndev_priv *priv,
+ }
+
+ err = enetc_send_cmd(priv->si, &cbd);
++out:
++ if (!dma_mapping_error(&priv->si->pdev->dev, dma))
++ dma_unmap_single(&priv->si->pdev->dev, dma, data_size, DMA_FROM_DEVICE);
++
+ kfree(si_data);
+
+ return err;
+--
+2.33.0
+
--- /dev/null
+From 7d84086b2e8ef8af63b26ea5386442760018bd9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Nov 2021 21:42:56 +0800
+Subject: net: hns3: allow configure ETS bandwidth of all TCs
+
+From: Guangbin Huang <huangguangbin2@huawei.com>
+
+[ Upstream commit 688db0c7a4a69ddc8b8143a1cac01eb20082a3aa ]
+
+Currently, driver only allow configuring ETS bandwidth of TCs according
+to the max TC number queried from firmware. However, the hardware actually
+supports 8 TCs and users may need to configure ETS bandwidth of all TCs,
+so remove the restriction.
+
+Fixes: 330baff5423b ("net: hns3: add ETS TC weight setting in SSU module")
+Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c | 2 +-
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c | 9 +--------
+ 2 files changed, 2 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c
+index 8e6085753b9f2..5bab885744fc8 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c
+@@ -126,7 +126,7 @@ static int hclge_ets_validate(struct hclge_dev *hdev, struct ieee_ets *ets,
+ if (ret)
+ return ret;
+
+- for (i = 0; i < hdev->tc_max; i++) {
++ for (i = 0; i < HNAE3_MAX_TC; i++) {
+ switch (ets->tc_tsa[i]) {
+ case IEEE_8021QAZ_TSA_STRICT:
+ if (hdev->tm_info.tc_info[i].tc_sch_mode !=
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c
+index 71aa6d16fc19e..9168e39b63641 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c
+@@ -1039,7 +1039,6 @@ static int hclge_tm_pri_tc_base_dwrr_cfg(struct hclge_dev *hdev)
+
+ static int hclge_tm_ets_tc_dwrr_cfg(struct hclge_dev *hdev)
+ {
+-#define DEFAULT_TC_WEIGHT 1
+ #define DEFAULT_TC_OFFSET 14
+
+ struct hclge_ets_tc_weight_cmd *ets_weight;
+@@ -1052,13 +1051,7 @@ static int hclge_tm_ets_tc_dwrr_cfg(struct hclge_dev *hdev)
+ for (i = 0; i < HNAE3_MAX_TC; i++) {
+ struct hclge_pg_info *pg_info;
+
+- ets_weight->tc_weight[i] = DEFAULT_TC_WEIGHT;
+-
+- if (!(hdev->hw_tc_map & BIT(i)))
+- continue;
+-
+- pg_info =
+- &hdev->tm_info.pg_info[hdev->tm_info.tc_info[i].pgid];
++ pg_info = &hdev->tm_info.pg_info[hdev->tm_info.tc_info[i].pgid];
+ ets_weight->tc_weight[i] = pg_info->tc_dwrr[i];
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 411093e8b1c55a2c41072426a7f185976166a3e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Nov 2021 21:42:53 +0800
+Subject: net: hns3: fix kernel crash when unload VF while it is being reset
+
+From: Yufeng Mo <moyufeng@huawei.com>
+
+[ Upstream commit e140c7983e3054be0652bf914f4454f16c5520b0 ]
+
+When fully configure VLANs for a VF, then unload the VF while
+triggering a reset to PF, will cause a kernel crash because the
+irq is already uninit.
+
+[ 293.177579] ------------[ cut here ]------------
+[ 293.183502] kernel BUG at drivers/pci/msi.c:352!
+[ 293.189547] Internal error: Oops - BUG: 0 [#1] SMP
+......
+[ 293.390124] Workqueue: hclgevf hclgevf_service_task [hclgevf]
+[ 293.402627] pstate: 80c00009 (Nzcv daif +PAN +UAO)
+[ 293.414324] pc : free_msi_irqs+0x19c/0x1b8
+[ 293.425429] lr : free_msi_irqs+0x18c/0x1b8
+[ 293.436545] sp : ffff00002716fbb0
+[ 293.446950] x29: ffff00002716fbb0 x28: 0000000000000000
+[ 293.459519] x27: 0000000000000000 x26: ffff45b91ea16b00
+[ 293.472183] x25: 0000000000000000 x24: ffffa587b08f4700
+[ 293.484717] x23: ffffc591ac30e000 x22: ffffa587b08f8428
+[ 293.497190] x21: ffffc591ac30e300 x20: 0000000000000000
+[ 293.509594] x19: ffffa58a062a8300 x18: 0000000000000000
+[ 293.521949] x17: 0000000000000000 x16: ffff45b91dcc3f48
+[ 293.534013] x15: 0000000000000000 x14: 0000000000000000
+[ 293.545883] x13: 0000000000000040 x12: 0000000000000228
+[ 293.557508] x11: 0000000000000020 x10: 0000000000000040
+[ 293.568889] x9 : ffff45b91ea1e190 x8 : ffffc591802d0000
+[ 293.580123] x7 : ffffc591802d0148 x6 : 0000000000000120
+[ 293.591190] x5 : ffffc591802d0000 x4 : 0000000000000000
+[ 293.602015] x3 : 0000000000000000 x2 : 0000000000000000
+[ 293.612624] x1 : 00000000000004a4 x0 : ffffa58a1e0c6b80
+[ 293.623028] Call trace:
+[ 293.630340] free_msi_irqs+0x19c/0x1b8
+[ 293.638849] pci_disable_msix+0x118/0x140
+[ 293.647452] pci_free_irq_vectors+0x20/0x38
+[ 293.656081] hclgevf_uninit_msi+0x44/0x58 [hclgevf]
+[ 293.665309] hclgevf_reset_rebuild+0x1ac/0x2e0 [hclgevf]
+[ 293.674866] hclgevf_reset+0x358/0x400 [hclgevf]
+[ 293.683545] hclgevf_reset_service_task+0xd0/0x1b0 [hclgevf]
+[ 293.693325] hclgevf_service_task+0x4c/0x2e8 [hclgevf]
+[ 293.702307] process_one_work+0x1b0/0x448
+[ 293.710034] worker_thread+0x54/0x468
+[ 293.717331] kthread+0x134/0x138
+[ 293.724114] ret_from_fork+0x10/0x18
+[ 293.731324] Code: f940b000 b4ffff00 a903e7b8 f90017b6 (d4210000)
+
+This patch fixes the problem by waiting for the VF reset done
+while unloading the VF.
+
+Fixes: e2cb1dec9779 ("net: hns3: Add HNS3 VF HCL(Hardware Compatibility Layer) Support")
+Signed-off-by: Yufeng Mo <moyufeng@huawei.com>
+Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 5 +++++
+ drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h | 2 ++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+index a47f23f27a11c..e27af38f6b161 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+@@ -2887,7 +2887,10 @@ static void hclgevf_uninit_client_instance(struct hnae3_client *client,
+
+ /* un-init roce, if it exists */
+ if (hdev->roce_client) {
++ while (test_bit(HCLGEVF_STATE_RST_HANDLING, &hdev->state))
++ msleep(HCLGEVF_WAIT_RESET_DONE);
+ clear_bit(HCLGEVF_STATE_ROCE_REGISTERED, &hdev->state);
++
+ hdev->roce_client->ops->uninit_instance(&hdev->roce, 0);
+ hdev->roce_client = NULL;
+ hdev->roce.client = NULL;
+@@ -2896,6 +2899,8 @@ static void hclgevf_uninit_client_instance(struct hnae3_client *client,
+ /* un-init nic/unic, if this was not called by roce client */
+ if (client->ops->uninit_instance && hdev->nic_client &&
+ client->type != HNAE3_CLIENT_ROCE) {
++ while (test_bit(HCLGEVF_STATE_RST_HANDLING, &hdev->state))
++ msleep(HCLGEVF_WAIT_RESET_DONE);
+ clear_bit(HCLGEVF_STATE_NIC_REGISTERED, &hdev->state);
+
+ client->ops->uninit_instance(&hdev->nic, 0);
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h
+index 526a62f970466..c9b0fa5e8589d 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h
+@@ -106,6 +106,8 @@
+ #define HCLGEVF_VF_RST_ING 0x07008
+ #define HCLGEVF_VF_RST_ING_BIT BIT(16)
+
++#define HCLGEVF_WAIT_RESET_DONE 100
++
+ #define HCLGEVF_RSS_IND_TBL_SIZE 512
+ #define HCLGEVF_RSS_SET_BITMAP_MSK 0xffff
+ #define HCLGEVF_RSS_KEY_SIZE 40
+--
+2.33.0
+
--- /dev/null
+From 73d324e1ff8fb87307e5f6e1e69c817c5fe5a161 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Oct 2021 14:12:35 +0200
+Subject: net, neigh: Fix NTF_EXT_LEARNED in combination with NTF_USE
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit e4400bbf5b15750e1b59bf4722d18d99be60c69f ]
+
+The NTF_EXT_LEARNED neigh flag is usually propagated back to user space
+upon dump of the neighbor table. However, when used in combination with
+NTF_USE flag this is not the case despite exempting the entry from the
+garbage collector. This results in inconsistent state since entries are
+typically marked in neigh->flags with NTF_EXT_LEARNED, but here they are
+not. Fix it by propagating the creation flag to ___neigh_create().
+
+Before fix:
+
+ # ./ip/ip n replace 192.168.178.30 dev enp5s0 use extern_learn
+ # ./ip/ip n
+ 192.168.178.30 dev enp5s0 lladdr f4:8c:50:5e:71:9a REACHABLE
+ [...]
+
+After fix:
+
+ # ./ip/ip n replace 192.168.178.30 dev enp5s0 use extern_learn
+ # ./ip/ip n
+ 192.168.178.30 dev enp5s0 lladdr f4:8c:50:5e:71:9a extern_learn REACHABLE
+ [...]
+
+Fixes: 9ce33e46531d ("neighbour: support for NTF_EXT_LEARNED flag")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Roopa Prabhu <roopa@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/neighbour.c | 26 ++++++++++++++------------
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/net/core/neighbour.c b/net/core/neighbour.c
+index c452ebf209394..01e243a578e9c 100644
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -380,7 +380,7 @@ EXPORT_SYMBOL(neigh_ifdown);
+
+ static struct neighbour *neigh_alloc(struct neigh_table *tbl,
+ struct net_device *dev,
+- bool exempt_from_gc)
++ u8 flags, bool exempt_from_gc)
+ {
+ struct neighbour *n = NULL;
+ unsigned long now = jiffies;
+@@ -413,6 +413,7 @@ do_alloc:
+ n->updated = n->used = now;
+ n->nud_state = NUD_NONE;
+ n->output = neigh_blackhole;
++ n->flags = flags;
+ seqlock_init(&n->hh.hh_lock);
+ n->parms = neigh_parms_clone(&tbl->parms);
+ timer_setup(&n->timer, neigh_timer_handler, 0);
+@@ -576,19 +577,18 @@ struct neighbour *neigh_lookup_nodev(struct neigh_table *tbl, struct net *net,
+ }
+ EXPORT_SYMBOL(neigh_lookup_nodev);
+
+-static struct neighbour *___neigh_create(struct neigh_table *tbl,
+- const void *pkey,
+- struct net_device *dev,
+- bool exempt_from_gc, bool want_ref)
++static struct neighbour *
++___neigh_create(struct neigh_table *tbl, const void *pkey,
++ struct net_device *dev, u8 flags,
++ bool exempt_from_gc, bool want_ref)
+ {
+- struct neighbour *n1, *rc, *n = neigh_alloc(tbl, dev, exempt_from_gc);
+- u32 hash_val;
+- unsigned int key_len = tbl->key_len;
+- int error;
++ u32 hash_val, key_len = tbl->key_len;
++ struct neighbour *n1, *rc, *n;
+ struct neigh_hash_table *nht;
++ int error;
+
++ n = neigh_alloc(tbl, dev, flags, exempt_from_gc);
+ trace_neigh_create(tbl, dev, pkey, n, exempt_from_gc);
+-
+ if (!n) {
+ rc = ERR_PTR(-ENOBUFS);
+ goto out;
+@@ -675,7 +675,7 @@ out_neigh_release:
+ struct neighbour *__neigh_create(struct neigh_table *tbl, const void *pkey,
+ struct net_device *dev, bool want_ref)
+ {
+- return ___neigh_create(tbl, pkey, dev, false, want_ref);
++ return ___neigh_create(tbl, pkey, dev, 0, false, want_ref);
+ }
+ EXPORT_SYMBOL(__neigh_create);
+
+@@ -1950,7 +1950,9 @@ static int neigh_add(struct sk_buff *skb, struct nlmsghdr *nlh,
+
+ exempt_from_gc = ndm->ndm_state & NUD_PERMANENT ||
+ ndm->ndm_flags & NTF_EXT_LEARNED;
+- neigh = ___neigh_create(tbl, dst, dev, exempt_from_gc, true);
++ neigh = ___neigh_create(tbl, dst, dev,
++ ndm->ndm_flags & NTF_EXT_LEARNED,
++ exempt_from_gc, true);
+ if (IS_ERR(neigh)) {
+ err = PTR_ERR(neigh);
+ goto out;
+--
+2.33.0
+
--- /dev/null
+From 603e545aa2053020bfd09dba2005315df833e3d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Sep 2021 17:04:10 +0800
+Subject: net: net_namespace: Fix undefined member in key_remove_domain()
+
+From: Yajun Deng <yajun.deng@linux.dev>
+
+[ Upstream commit aed0826b0cf2e488900ab92193893e803d65c070 ]
+
+The key_domain member in struct net only exists if we define CONFIG_KEYS.
+So we should add the define when we used key_domain.
+
+Fixes: 9b242610514f ("keys: Network namespace domain tag")
+Signed-off-by: Yajun Deng <yajun.deng@linux.dev>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/net_namespace.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
+index 5c9d95f30be60..ac852db83de9f 100644
+--- a/net/core/net_namespace.c
++++ b/net/core/net_namespace.c
+@@ -486,7 +486,9 @@ struct net *copy_net_ns(unsigned long flags,
+
+ if (rv < 0) {
+ put_userns:
++#ifdef CONFIG_KEYS
+ key_remove_domain(net->key_domain);
++#endif
+ put_user_ns(user_ns);
+ net_drop_ns(net);
+ dec_ucounts:
+@@ -618,7 +620,9 @@ static void cleanup_net(struct work_struct *work)
+ list_for_each_entry_safe(net, tmp, &net_exit_list, exit_list) {
+ list_del_init(&net->exit_list);
+ dec_net_namespaces(net->ucounts);
++#ifdef CONFIG_KEYS
+ key_remove_domain(net->key_domain);
++#endif
+ put_user_ns(net->user_ns);
+ net_drop_ns(net);
+ }
+--
+2.33.0
+
--- /dev/null
+From 10c0d229b20b27e4b1a864120ab7cadf130d45f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Nov 2021 22:08:28 +0100
+Subject: net: phy: fix duplex out of sync problem while changing settings
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit a4db9055fdb9cf607775c66d39796caf6439ec92 ]
+
+As reported by Zhang there's a small issue if in forced mode the duplex
+mode changes with the link staying up [0]. In this case the MAC isn't
+notified about the change.
+
+The proposed patch relies on the phylib state machine and ignores the
+fact that there are drivers that uses phylib but not the phylib state
+machine. So let's don't change the behavior for such drivers and fix
+it w/o re-adding state PHY_FORCING for the case that phylib state
+machine is used.
+
+[0] https://lore.kernel.org/netdev/a5c26ffd-4ee4-a5e6-4103-873208ce0dc5@huawei.com/T/
+
+Fixes: 2bd229df5e2e ("net: phy: remove state PHY_FORCING")
+Reported-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Tested-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Link: https://lore.kernel.org/r/7b8b9456-a93f-abbc-1dc5-a2c2542f932c@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/phy.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/phy.c b/drivers/net/phy/phy.c
+index 5ee7cde0c2e97..db7866b6f7525 100644
+--- a/drivers/net/phy/phy.c
++++ b/drivers/net/phy/phy.c
+@@ -831,7 +831,12 @@ int phy_ethtool_ksettings_set(struct phy_device *phydev,
+ phydev->mdix_ctrl = cmd->base.eth_tp_mdix_ctrl;
+
+ /* Restart the PHY */
+- _phy_start_aneg(phydev);
++ if (phy_is_started(phydev)) {
++ phydev->state = PHY_UP;
++ phy_trigger_machine(phydev);
++ } else {
++ _phy_start_aneg(phydev);
++ }
+
+ mutex_unlock(&phydev->lock);
+ return 0;
+--
+2.33.0
+
--- /dev/null
+From 41d9e4e3adacafab7a6e298ca87e857f3e75c06d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Oct 2021 12:34:02 +0200
+Subject: net: phy: micrel: make *-skew-ps check more lenient
+
+From: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
+
+[ Upstream commit 67ca5159dbe2edb5dae7544447b8677d2596933a ]
+
+It seems reasonable to fine-tune only some of the skew values when using
+one of the rgmii-*id PHY modes, and even when all skew values are
+specified, using the correct ID PHY mode makes sense for documentation
+purposes. Such a configuration also appears in the binding docs in
+Documentation/devicetree/bindings/net/micrel-ksz90x1.txt, so the driver
+should not warn about it.
+
+Signed-off-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
+Link: https://lore.kernel.org/r/20211012103402.21438-1-matthias.schiffer@ew.tq-group.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/micrel.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c
+index 69b20a466c61c..b341a8be09f92 100644
+--- a/drivers/net/phy/micrel.c
++++ b/drivers/net/phy/micrel.c
+@@ -732,9 +732,9 @@ static int ksz9031_config_init(struct phy_device *phydev)
+ MII_KSZ9031RN_TX_DATA_PAD_SKEW, 4,
+ tx_data_skews, 4, &update);
+
+- if (update && phydev->interface != PHY_INTERFACE_MODE_RGMII)
++ if (update && !phy_interface_is_rgmii(phydev))
+ phydev_warn(phydev,
+- "*-skew-ps values should be used only with phy-mode = \"rgmii\"\n");
++ "*-skew-ps values should be used only with RGMII PHY modes\n");
+
+ /* Silicon Errata Sheet (DS80000691D or DS80000692D):
+ * When the device links in the 1000BASE-T slave mode only,
+--
+2.33.0
+
--- /dev/null
+From ed9dc0dc4f99eceadc2c640779034371d696ffba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Oct 2021 15:55:34 +0100
+Subject: net: phylink: avoid mvneta warning when setting pause parameters
+
+From: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+
+[ Upstream commit fd8d9731bcdfb22d28e45bce789bcb211c868c78 ]
+
+mvneta does not support asymetric pause modes, and it flags this by the
+lack of AsymPause in the supported field. When setting pause modes, we
+check that pause->rx_pause == pause->tx_pause, but only when pause
+autoneg is enabled. When pause autoneg is disabled, we still allow
+pause->rx_pause != pause->tx_pause, which is incorrect when the MAC
+does not support asymetric pause, and causes mvneta to issue a warning.
+
+Fix this by removing the test for pause->autoneg, so we always check
+that pause->rx_pause == pause->tx_pause for network devices that do not
+support AsymPause.
+
+Fixes: 9525ae83959b ("phylink: add phylink infrastructure")
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/phylink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c
+index 025c3246f3396..899496f089d2e 100644
+--- a/drivers/net/phy/phylink.c
++++ b/drivers/net/phy/phylink.c
+@@ -1610,7 +1610,7 @@ int phylink_ethtool_set_pauseparam(struct phylink *pl,
+ return -EOPNOTSUPP;
+
+ if (!phylink_test(pl->supported, Asym_Pause) &&
+- !pause->autoneg && pause->rx_pause != pause->tx_pause)
++ pause->rx_pause != pause->tx_pause)
+ return -EINVAL;
+
+ pause_state = 0;
+--
+2.33.0
+
--- /dev/null
+From 48f75ce1c47ae0b5ccbd2609fe1ba52a31ace19a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Nov 2021 10:08:15 -0800
+Subject: net/sched: sch_taprio: fix undefined behavior in ktime_mono_to_any
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 6dc25401cba4d428328eade8ceae717633fdd702 ]
+
+1) if q->tk_offset == TK_OFFS_MAX, then get_tcp_tstamp() calls
+ ktime_mono_to_any() with out-of-bound value.
+
+2) if q->tk_offset is changed in taprio_parse_clockid(),
+ taprio_get_time() might also call ktime_mono_to_any()
+ with out-of-bound value as sysbot found:
+
+UBSAN: array-index-out-of-bounds in kernel/time/timekeeping.c:908:27
+index 3 is out of range for type 'ktime_t *[3]'
+CPU: 1 PID: 25668 Comm: kworker/u4:0 Not tainted 5.15.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
+ ubsan_epilogue+0xb/0x5a lib/ubsan.c:151
+ __ubsan_handle_out_of_bounds.cold+0x62/0x6c lib/ubsan.c:291
+ ktime_mono_to_any+0x1d4/0x1e0 kernel/time/timekeeping.c:908
+ get_tcp_tstamp net/sched/sch_taprio.c:322 [inline]
+ get_packet_txtime net/sched/sch_taprio.c:353 [inline]
+ taprio_enqueue_one+0x5b0/0x1460 net/sched/sch_taprio.c:420
+ taprio_enqueue+0x3b1/0x730 net/sched/sch_taprio.c:485
+ dev_qdisc_enqueue+0x40/0x300 net/core/dev.c:3785
+ __dev_xmit_skb net/core/dev.c:3869 [inline]
+ __dev_queue_xmit+0x1f6e/0x3630 net/core/dev.c:4194
+ batadv_send_skb_packet+0x4a9/0x5f0 net/batman-adv/send.c:108
+ batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:393 [inline]
+ batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:421 [inline]
+ batadv_iv_send_outstanding_bat_ogm_packet+0x6d7/0x8e0 net/batman-adv/bat_iv_ogm.c:1701
+ process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298
+ worker_thread+0x658/0x11f0 kernel/workqueue.c:2445
+ kthread+0x405/0x4f0 kernel/kthread.c:327
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
+
+Fixes: 7ede7b03484b ("taprio: make clock reference conversions easier")
+Fixes: 54002066100b ("taprio: Adjust timestamps for TCP packets")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Vedang Patel <vedang.patel@intel.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Reviewed-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Link: https://lore.kernel.org/r/20211108180815.1822479-1-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_taprio.c | 27 +++++++++++++++++----------
+ 1 file changed, 17 insertions(+), 10 deletions(-)
+
+diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c
+index 93899559ba6d2..806babdd838d2 100644
+--- a/net/sched/sch_taprio.c
++++ b/net/sched/sch_taprio.c
+@@ -94,18 +94,22 @@ static ktime_t sched_base_time(const struct sched_gate_list *sched)
+ return ns_to_ktime(sched->base_time);
+ }
+
+-static ktime_t taprio_get_time(struct taprio_sched *q)
++static ktime_t taprio_mono_to_any(const struct taprio_sched *q, ktime_t mono)
+ {
+- ktime_t mono = ktime_get();
++ /* This pairs with WRITE_ONCE() in taprio_parse_clockid() */
++ enum tk_offsets tk_offset = READ_ONCE(q->tk_offset);
+
+- switch (q->tk_offset) {
++ switch (tk_offset) {
+ case TK_OFFS_MAX:
+ return mono;
+ default:
+- return ktime_mono_to_any(mono, q->tk_offset);
++ return ktime_mono_to_any(mono, tk_offset);
+ }
++}
+
+- return KTIME_MAX;
++static ktime_t taprio_get_time(const struct taprio_sched *q)
++{
++ return taprio_mono_to_any(q, ktime_get());
+ }
+
+ static void taprio_free_sched_cb(struct rcu_head *head)
+@@ -321,7 +325,7 @@ static ktime_t get_tcp_tstamp(struct taprio_sched *q, struct sk_buff *skb)
+ return 0;
+ }
+
+- return ktime_mono_to_any(skb->skb_mstamp_ns, q->tk_offset);
++ return taprio_mono_to_any(q, skb->skb_mstamp_ns);
+ }
+
+ /* There are a few scenarios where we will have to modify the txtime from
+@@ -1341,6 +1345,7 @@ static int taprio_parse_clockid(struct Qdisc *sch, struct nlattr **tb,
+ }
+ } else if (tb[TCA_TAPRIO_ATTR_SCHED_CLOCKID]) {
+ int clockid = nla_get_s32(tb[TCA_TAPRIO_ATTR_SCHED_CLOCKID]);
++ enum tk_offsets tk_offset;
+
+ /* We only support static clockids and we don't allow
+ * for it to be modified after the first init.
+@@ -1355,22 +1360,24 @@ static int taprio_parse_clockid(struct Qdisc *sch, struct nlattr **tb,
+
+ switch (clockid) {
+ case CLOCK_REALTIME:
+- q->tk_offset = TK_OFFS_REAL;
++ tk_offset = TK_OFFS_REAL;
+ break;
+ case CLOCK_MONOTONIC:
+- q->tk_offset = TK_OFFS_MAX;
++ tk_offset = TK_OFFS_MAX;
+ break;
+ case CLOCK_BOOTTIME:
+- q->tk_offset = TK_OFFS_BOOT;
++ tk_offset = TK_OFFS_BOOT;
+ break;
+ case CLOCK_TAI:
+- q->tk_offset = TK_OFFS_TAI;
++ tk_offset = TK_OFFS_TAI;
+ break;
+ default:
+ NL_SET_ERR_MSG(extack, "Invalid 'clockid'");
+ err = -EINVAL;
+ goto out;
+ }
++ /* This pairs with READ_ONCE() in taprio_mono_to_any */
++ WRITE_ONCE(q->tk_offset, tk_offset);
+
+ q->clockid = clockid;
+ } else {
+--
+2.33.0
+
--- /dev/null
+From b179ed4e3835524f9217543bd756fde43be5d178 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Sep 2021 15:53:30 -0700
+Subject: net: sched: update default qdisc visibility after Tx queue cnt
+ changes
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 1e080f17750d1083e8a32f7b350584ae1cd7ff20 ]
+
+mq / mqprio make the default child qdiscs visible. They only do
+so for the qdiscs which are within real_num_tx_queues when the
+device is registered. Depending on order of calls in the driver,
+or if user space changes config via ethtool -L the number of
+qdiscs visible under tc qdisc show will differ from the number
+of queues. This is confusing to users and potentially to system
+configuration scripts which try to make sure qdiscs have the
+right parameters.
+
+Add a new Qdisc_ops callback and make relevant qdiscs TTRT.
+
+Note that this uncovers the "shortcut" created by
+commit 1f27cde313d7 ("net: sched: use pfifo_fast for non real queues")
+The default child qdiscs beyond initial real_num_tx are always
+pfifo_fast, no matter what the sysfs setting is. Fixing this
+gets a little tricky because we'd need to keep a reference
+on whatever the default qdisc was at the time of creation.
+In practice this is likely an non-issue the qdiscs likely have
+to be configured to non-default settings, so whatever user space
+is doing such configuration can replace the pfifos... now that
+it will see them.
+
+Reported-by: Matthew Massey <matthewmassey@fb.com>
+Reviewed-by: Dave Taht <dave.taht@gmail.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sch_generic.h | 4 ++++
+ net/core/dev.c | 2 ++
+ net/sched/sch_generic.c | 9 +++++++++
+ net/sched/sch_mq.c | 24 ++++++++++++++++++++++++
+ net/sched/sch_mqprio.c | 23 +++++++++++++++++++++++
+ 5 files changed, 62 insertions(+)
+
+diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
+index f8631ad3c8686..9226a84dcc14d 100644
+--- a/include/net/sch_generic.h
++++ b/include/net/sch_generic.h
+@@ -302,6 +302,8 @@ struct Qdisc_ops {
+ struct netlink_ext_ack *extack);
+ void (*attach)(struct Qdisc *sch);
+ int (*change_tx_queue_len)(struct Qdisc *, unsigned int);
++ void (*change_real_num_tx)(struct Qdisc *sch,
++ unsigned int new_real_tx);
+
+ int (*dump)(struct Qdisc *, struct sk_buff *);
+ int (*dump_stats)(struct Qdisc *, struct gnet_dump *);
+@@ -683,6 +685,8 @@ void qdisc_class_hash_grow(struct Qdisc *, struct Qdisc_class_hash *);
+ void qdisc_class_hash_destroy(struct Qdisc_class_hash *);
+
+ int dev_qdisc_change_tx_queue_len(struct net_device *dev);
++void dev_qdisc_change_real_num_tx(struct net_device *dev,
++ unsigned int new_real_tx);
+ void dev_init_scheduler(struct net_device *dev);
+ void dev_shutdown(struct net_device *dev);
+ void dev_activate(struct net_device *dev);
+diff --git a/net/core/dev.c b/net/core/dev.c
+index e14294e9ba321..7dd7b9fb600c8 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -2973,6 +2973,8 @@ int netif_set_real_num_tx_queues(struct net_device *dev, unsigned int txq)
+ if (dev->num_tc)
+ netif_setup_tc(dev, txq);
+
++ dev_qdisc_change_real_num_tx(dev, txq);
++
+ dev->real_num_tx_queues = txq;
+
+ if (disabling) {
+diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
+index 05aa2571a4095..6a9c1a39874a0 100644
+--- a/net/sched/sch_generic.c
++++ b/net/sched/sch_generic.c
+@@ -1303,6 +1303,15 @@ static int qdisc_change_tx_queue_len(struct net_device *dev,
+ return 0;
+ }
+
++void dev_qdisc_change_real_num_tx(struct net_device *dev,
++ unsigned int new_real_tx)
++{
++ struct Qdisc *qdisc = dev->qdisc;
++
++ if (qdisc->ops->change_real_num_tx)
++ qdisc->ops->change_real_num_tx(qdisc, new_real_tx);
++}
++
+ int dev_qdisc_change_tx_queue_len(struct net_device *dev)
+ {
+ bool up = dev->flags & IFF_UP;
+diff --git a/net/sched/sch_mq.c b/net/sched/sch_mq.c
+index e79f1afe0cfd6..db18d8a860f9c 100644
+--- a/net/sched/sch_mq.c
++++ b/net/sched/sch_mq.c
+@@ -125,6 +125,29 @@ static void mq_attach(struct Qdisc *sch)
+ priv->qdiscs = NULL;
+ }
+
++static void mq_change_real_num_tx(struct Qdisc *sch, unsigned int new_real_tx)
++{
++#ifdef CONFIG_NET_SCHED
++ struct net_device *dev = qdisc_dev(sch);
++ struct Qdisc *qdisc;
++ unsigned int i;
++
++ for (i = new_real_tx; i < dev->real_num_tx_queues; i++) {
++ qdisc = netdev_get_tx_queue(dev, i)->qdisc_sleeping;
++ /* Only update the default qdiscs we created,
++ * qdiscs with handles are always hashed.
++ */
++ if (qdisc != &noop_qdisc && !qdisc->handle)
++ qdisc_hash_del(qdisc);
++ }
++ for (i = dev->real_num_tx_queues; i < new_real_tx; i++) {
++ qdisc = netdev_get_tx_queue(dev, i)->qdisc_sleeping;
++ if (qdisc != &noop_qdisc && !qdisc->handle)
++ qdisc_hash_add(qdisc, false);
++ }
++#endif
++}
++
+ static int mq_dump(struct Qdisc *sch, struct sk_buff *skb)
+ {
+ struct net_device *dev = qdisc_dev(sch);
+@@ -288,6 +311,7 @@ struct Qdisc_ops mq_qdisc_ops __read_mostly = {
+ .init = mq_init,
+ .destroy = mq_destroy,
+ .attach = mq_attach,
++ .change_real_num_tx = mq_change_real_num_tx,
+ .dump = mq_dump,
+ .owner = THIS_MODULE,
+ };
+diff --git a/net/sched/sch_mqprio.c b/net/sched/sch_mqprio.c
+index 5eb3b1b7ae5e7..50e15add6068f 100644
+--- a/net/sched/sch_mqprio.c
++++ b/net/sched/sch_mqprio.c
+@@ -306,6 +306,28 @@ static void mqprio_attach(struct Qdisc *sch)
+ priv->qdiscs = NULL;
+ }
+
++static void mqprio_change_real_num_tx(struct Qdisc *sch,
++ unsigned int new_real_tx)
++{
++ struct net_device *dev = qdisc_dev(sch);
++ struct Qdisc *qdisc;
++ unsigned int i;
++
++ for (i = new_real_tx; i < dev->real_num_tx_queues; i++) {
++ qdisc = netdev_get_tx_queue(dev, i)->qdisc_sleeping;
++ /* Only update the default qdiscs we created,
++ * qdiscs with handles are always hashed.
++ */
++ if (qdisc != &noop_qdisc && !qdisc->handle)
++ qdisc_hash_del(qdisc);
++ }
++ for (i = dev->real_num_tx_queues; i < new_real_tx; i++) {
++ qdisc = netdev_get_tx_queue(dev, i)->qdisc_sleeping;
++ if (qdisc != &noop_qdisc && !qdisc->handle)
++ qdisc_hash_add(qdisc, false);
++ }
++}
++
+ static struct netdev_queue *mqprio_queue_get(struct Qdisc *sch,
+ unsigned long cl)
+ {
+@@ -629,6 +651,7 @@ static struct Qdisc_ops mqprio_qdisc_ops __read_mostly = {
+ .init = mqprio_init,
+ .destroy = mqprio_destroy,
+ .attach = mqprio_attach,
++ .change_real_num_tx = mqprio_change_real_num_tx,
+ .dump = mqprio_dump,
+ .owner = THIS_MODULE,
+ };
+--
+2.33.0
+
--- /dev/null
+From 67e735d7440fa0437821b4c040c51252595ad215 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Nov 2021 15:02:34 +0800
+Subject: net/smc: fix sk_refcnt underflow on linkdown and fallback
+
+From: Dust Li <dust.li@linux.alibaba.com>
+
+[ Upstream commit e5d5aadcf3cd59949316df49c27cb21788d7efe4 ]
+
+We got the following WARNING when running ab/nginx
+test with RDMA link flapping (up-down-up).
+The reason is when smc_sock fallback and at linkdown
+happens simultaneously, we may got the following situation:
+
+__smc_lgr_terminate()
+ --> smc_conn_kill()
+ --> smc_close_active_abort()
+ smc_sock->sk_state = SMC_CLOSED
+ sock_put(smc_sock)
+
+smc_sock was set to SMC_CLOSED and sock_put() been called
+when terminate the link group. But later application call
+close() on the socket, then we got:
+
+__smc_release():
+ if (smc_sock->fallback)
+ smc_sock->sk_state = SMC_CLOSED
+ sock_put(smc_sock)
+
+Again we set the smc_sock to CLOSED through it's already
+in CLOSED state, and double put the refcnt, so the following
+warning happens:
+
+refcount_t: underflow; use-after-free.
+WARNING: CPU: 5 PID: 860 at lib/refcount.c:28 refcount_warn_saturate+0x8d/0xf0
+Modules linked in:
+CPU: 5 PID: 860 Comm: nginx Not tainted 5.10.46+ #403
+Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 8c24b4c 04/01/2014
+RIP: 0010:refcount_warn_saturate+0x8d/0xf0
+Code: 05 5c 1e b5 01 01 e8 52 25 bc ff 0f 0b c3 80 3d 4f 1e b5 01 00 75 ad 48
+
+RSP: 0018:ffffc90000527e50 EFLAGS: 00010286
+RAX: 0000000000000026 RBX: ffff8881300df2c0 RCX: 0000000000000027
+RDX: 0000000000000000 RSI: ffff88813bd58040 RDI: ffff88813bd58048
+RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000001
+R10: ffff8881300df2c0 R11: ffffc90000527c78 R12: ffff8881300df340
+R13: ffff8881300df930 R14: ffff88810b3dad80 R15: ffff8881300df4f8
+FS: 00007f739de8fb80(0000) GS:ffff88813bd40000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000000000a01b008 CR3: 0000000111b64003 CR4: 00000000003706e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ smc_release+0x353/0x3f0
+ __sock_release+0x3d/0xb0
+ sock_close+0x11/0x20
+ __fput+0x93/0x230
+ task_work_run+0x65/0xa0
+ exit_to_user_mode_prepare+0xf9/0x100
+ syscall_exit_to_user_mode+0x27/0x190
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+This patch adds check in __smc_release() to make
+sure we won't do an extra sock_put() and set the
+socket to CLOSED when its already in CLOSED state.
+
+Fixes: 51f1de79ad8e (net/smc: replace sock_put worker by socket refcounting)
+Signed-off-by: Dust Li <dust.li@linux.alibaba.com>
+Reviewed-by: Tony Lu <tonylu@linux.alibaba.com>
+Signed-off-by: Dust Li <dust.li@linux.alibaba.com>
+Acked-by: Karsten Graul <kgraul@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index cc2af94e74507..cfb5b9be0569d 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -146,14 +146,18 @@ static int __smc_release(struct smc_sock *smc)
+ sock_set_flag(sk, SOCK_DEAD);
+ sk->sk_shutdown |= SHUTDOWN_MASK;
+ } else {
+- if (sk->sk_state != SMC_LISTEN && sk->sk_state != SMC_INIT)
+- sock_put(sk); /* passive closing */
+- if (sk->sk_state == SMC_LISTEN) {
+- /* wake up clcsock accept */
+- rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR);
++ if (sk->sk_state != SMC_CLOSED) {
++ if (sk->sk_state != SMC_LISTEN &&
++ sk->sk_state != SMC_INIT)
++ sock_put(sk); /* passive closing */
++ if (sk->sk_state == SMC_LISTEN) {
++ /* wake up clcsock accept */
++ rc = kernel_sock_shutdown(smc->clcsock,
++ SHUT_RDWR);
++ }
++ sk->sk_state = SMC_CLOSED;
++ sk->sk_state_change(sk);
+ }
+- sk->sk_state = SMC_CLOSED;
+- sk->sk_state_change(sk);
+ smc_restore_fallback_changes(smc);
+ }
+
+--
+2.33.0
+
--- /dev/null
+From bdef5b614044188127351278aced7a99a4ad56b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Nov 2021 22:28:54 +0200
+Subject: net: stmmac: allow a tc-taprio base-time of zero
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit f64ab8e4f368f48afb08ae91928e103d17b235e9 ]
+
+Commit fe28c53ed71d ("net: stmmac: fix taprio configuration when
+base_time is in the past") allowed some base time values in the past,
+but apparently not all, the base-time value of 0 (Jan 1st 1970) is still
+explicitly denied by the driver.
+
+Remove the bogus check.
+
+Fixes: b60189e0392f ("net: stmmac: Integrate EST with TAPRIO scheduler API")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Reviewed-by: Kurt Kanzenbach <kurt@linutronix.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
+index 6399803061158..43165c662740d 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
+@@ -679,8 +679,6 @@ static int tc_setup_taprio(struct stmmac_priv *priv,
+ goto disable;
+ if (qopt->num_entries >= dep)
+ return -EINVAL;
+- if (!qopt->base_time)
+- return -ERANGE;
+ if (!qopt->cycle_time)
+ return -ERANGE;
+
+--
+2.33.0
+
--- /dev/null
+From 2f6839e907e6239a078ecd14967a569c7b8690ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Oct 2021 06:37:39 -0700
+Subject: net: stream: don't purge sk_error_queue in sk_stream_kill_queues()
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 24bcbe1cc69fa52dc4f7b5b2456678ed464724d8 ]
+
+sk_stream_kill_queues() can be called on close when there are
+still outstanding skbs to transmit. Those skbs may try to queue
+notifications to the error queue (e.g. timestamps).
+If sk_stream_kill_queues() purges the queue without taking
+its lock the queue may get corrupted, and skbs leaked.
+
+This shows up as a warning about an rmem leak:
+
+WARNING: CPU: 24 PID: 0 at net/ipv4/af_inet.c:154 inet_sock_destruct+0x...
+
+The leak is always a multiple of 0x300 bytes (the value is in
+%rax on my builds, so RAX: 0000000000000300). 0x300 is truesize of
+an empty sk_buff. Indeed if we dump the socket state at the time
+of the warning the sk_error_queue is often (but not always)
+corrupted. The ->next pointer points back at the list head,
+but not the ->prev pointer. Indeed we can find the leaked skb
+by scanning the kernel memory for something that looks like
+an skb with ->sk = socket in question, and ->truesize = 0x300.
+The contents of ->cb[] of the skb confirms the suspicion that
+it is indeed a timestamp notification (as generated in
+__skb_complete_tx_timestamp()).
+
+Removing purging of sk_error_queue should be okay, since
+inet_sock_destruct() does it again once all socket refs
+are gone. Eric suggests this may cause sockets that go
+thru disconnect() to maintain notifications from the
+previous incarnations of the socket, but that should be
+okay since the race was there anyway, and disconnect()
+is not exactly dependable.
+
+Thanks to Jonathan Lemon and Omar Sandoval for help at various
+stages of tracing the issue.
+
+Fixes: cb9eff097831 ("net: new user space API for time stamping of incoming and outgoing packets")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/stream.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/core/stream.c b/net/core/stream.c
+index 4f1d4aa5fb38d..a166a32b411fa 100644
+--- a/net/core/stream.c
++++ b/net/core/stream.c
+@@ -195,9 +195,6 @@ void sk_stream_kill_queues(struct sock *sk)
+ /* First the read buffer. */
+ __skb_queue_purge(&sk->sk_receive_queue);
+
+- /* Next, the error queue. */
+- __skb_queue_purge(&sk->sk_error_queue);
+-
+ /* Next, the write queue. */
+ WARN_ON(!skb_queue_empty(&sk->sk_write_queue));
+
+--
+2.33.0
+
--- /dev/null
+From 49013ce38a0df7816a7db876e8b800d6c7177c30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Oct 2021 16:00:51 +0200
+Subject: net-sysfs: try not to restart the syscall if it will fail eventually
+
+From: Antoine Tenart <atenart@kernel.org>
+
+[ Upstream commit 146e5e733310379f51924111068f08a3af0db830 ]
+
+Due to deadlocks in the networking subsystem spotted 12 years ago[1],
+a workaround was put in place[2] to avoid taking the rtnl lock when it
+was not available and restarting the syscall (back to VFS, letting
+userspace spin). The following construction is found a lot in the net
+sysfs and sysctl code:
+
+ if (!rtnl_trylock())
+ return restart_syscall();
+
+This can be problematic when multiple userspace threads use such
+interfaces in a short period, making them to spin a lot. This happens
+for example when adding and moving virtual interfaces: userspace
+programs listening on events, such as systemd-udevd and NetworkManager,
+do trigger actions reading files in sysfs. It gets worse when a lot of
+virtual interfaces are created concurrently, say when creating
+containers at boot time.
+
+Returning early without hitting the above pattern when the syscall will
+fail eventually does make things better. While it is not a fix for the
+issue, it does ease things.
+
+[1] https://lore.kernel.org/netdev/49A4D5D5.5090602@trash.net/
+ https://lore.kernel.org/netdev/m14oyhis31.fsf@fess.ebiederm.org/
+ and https://lore.kernel.org/netdev/20090226084924.16cb3e08@nehalam/
+[2] Rightfully, those deadlocks are *hard* to solve.
+
+Signed-off-by: Antoine Tenart <atenart@kernel.org>
+Reviewed-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/net-sysfs.c | 55 ++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 55 insertions(+)
+
+diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
+index cc5f760c78250..af59123601055 100644
+--- a/net/core/net-sysfs.c
++++ b/net/core/net-sysfs.c
+@@ -175,6 +175,14 @@ static int change_carrier(struct net_device *dev, unsigned long new_carrier)
+ static ssize_t carrier_store(struct device *dev, struct device_attribute *attr,
+ const char *buf, size_t len)
+ {
++ struct net_device *netdev = to_net_dev(dev);
++
++ /* The check is also done in change_carrier; this helps returning early
++ * without hitting the trylock/restart in netdev_store.
++ */
++ if (!netdev->netdev_ops->ndo_change_carrier)
++ return -EOPNOTSUPP;
++
+ return netdev_store(dev, attr, buf, len, change_carrier);
+ }
+
+@@ -196,6 +204,12 @@ static ssize_t speed_show(struct device *dev,
+ struct net_device *netdev = to_net_dev(dev);
+ int ret = -EINVAL;
+
++ /* The check is also done in __ethtool_get_link_ksettings; this helps
++ * returning early without hitting the trylock/restart below.
++ */
++ if (!netdev->ethtool_ops->get_link_ksettings)
++ return ret;
++
+ if (!rtnl_trylock())
+ return restart_syscall();
+
+@@ -216,6 +230,12 @@ static ssize_t duplex_show(struct device *dev,
+ struct net_device *netdev = to_net_dev(dev);
+ int ret = -EINVAL;
+
++ /* The check is also done in __ethtool_get_link_ksettings; this helps
++ * returning early without hitting the trylock/restart below.
++ */
++ if (!netdev->ethtool_ops->get_link_ksettings)
++ return ret;
++
+ if (!rtnl_trylock())
+ return restart_syscall();
+
+@@ -468,6 +488,14 @@ static ssize_t proto_down_store(struct device *dev,
+ struct device_attribute *attr,
+ const char *buf, size_t len)
+ {
++ struct net_device *netdev = to_net_dev(dev);
++
++ /* The check is also done in change_proto_down; this helps returning
++ * early without hitting the trylock/restart in netdev_store.
++ */
++ if (!netdev->netdev_ops->ndo_change_proto_down)
++ return -EOPNOTSUPP;
++
+ return netdev_store(dev, attr, buf, len, change_proto_down);
+ }
+ NETDEVICE_SHOW_RW(proto_down, fmt_dec);
+@@ -478,6 +506,12 @@ static ssize_t phys_port_id_show(struct device *dev,
+ struct net_device *netdev = to_net_dev(dev);
+ ssize_t ret = -EINVAL;
+
++ /* The check is also done in dev_get_phys_port_id; this helps returning
++ * early without hitting the trylock/restart below.
++ */
++ if (!netdev->netdev_ops->ndo_get_phys_port_id)
++ return -EOPNOTSUPP;
++
+ if (!rtnl_trylock())
+ return restart_syscall();
+
+@@ -500,6 +534,13 @@ static ssize_t phys_port_name_show(struct device *dev,
+ struct net_device *netdev = to_net_dev(dev);
+ ssize_t ret = -EINVAL;
+
++ /* The checks are also done in dev_get_phys_port_name; this helps
++ * returning early without hitting the trylock/restart below.
++ */
++ if (!netdev->netdev_ops->ndo_get_phys_port_name &&
++ !netdev->netdev_ops->ndo_get_devlink_port)
++ return -EOPNOTSUPP;
++
+ if (!rtnl_trylock())
+ return restart_syscall();
+
+@@ -522,6 +563,14 @@ static ssize_t phys_switch_id_show(struct device *dev,
+ struct net_device *netdev = to_net_dev(dev);
+ ssize_t ret = -EINVAL;
+
++ /* The checks are also done in dev_get_phys_port_name; this helps
++ * returning early without hitting the trylock/restart below. This works
++ * because recurse is false when calling dev_get_port_parent_id.
++ */
++ if (!netdev->netdev_ops->ndo_get_port_parent_id &&
++ !netdev->netdev_ops->ndo_get_devlink_port)
++ return -EOPNOTSUPP;
++
+ if (!rtnl_trylock())
+ return restart_syscall();
+
+@@ -1179,6 +1228,12 @@ static ssize_t tx_maxrate_store(struct netdev_queue *queue,
+ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
++ /* The check is also done later; this helps returning early without
++ * hitting the trylock/restart below.
++ */
++ if (!dev->netdev_ops->ndo_set_tx_maxrate)
++ return -EOPNOTSUPP;
++
+ err = kstrtou32(buf, 10, &rate);
+ if (err < 0)
+ return err;
+--
+2.33.0
+
--- /dev/null
+From 14d47dcd5beaaee0cfa7448650826a043bb27786 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Nov 2021 10:12:18 +0800
+Subject: net: vlan: fix a UAF in vlan_dev_real_dev()
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+[ Upstream commit 563bcbae3ba233c275c244bfce2efe12938f5363 ]
+
+The real_dev of a vlan net_device may be freed after
+unregister_vlan_dev(). Access the real_dev continually by
+vlan_dev_real_dev() will trigger the UAF problem for the
+real_dev like following:
+
+==================================================================
+BUG: KASAN: use-after-free in vlan_dev_real_dev+0xf9/0x120
+Call Trace:
+ kasan_report.cold+0x83/0xdf
+ vlan_dev_real_dev+0xf9/0x120
+ is_eth_port_of_netdev_filter.part.0+0xb1/0x2c0
+ is_eth_port_of_netdev_filter+0x28/0x40
+ ib_enum_roce_netdev+0x1a3/0x300
+ ib_enum_all_roce_netdevs+0xc7/0x140
+ netdevice_event_work_handler+0x9d/0x210
+...
+
+Freed by task 9288:
+ kasan_save_stack+0x1b/0x40
+ kasan_set_track+0x1c/0x30
+ kasan_set_free_info+0x20/0x30
+ __kasan_slab_free+0xfc/0x130
+ slab_free_freelist_hook+0xdd/0x240
+ kfree+0xe4/0x690
+ kvfree+0x42/0x50
+ device_release+0x9f/0x240
+ kobject_put+0x1c8/0x530
+ put_device+0x1b/0x30
+ free_netdev+0x370/0x540
+ ppp_destroy_interface+0x313/0x3d0
+...
+
+Move the put_device(real_dev) to vlan_dev_free(). Ensure
+real_dev not be freed before vlan_dev unregistered.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+e4df4e1389e28972e955@syzkaller.appspotmail.com
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/8021q/vlan.c | 3 ---
+ net/8021q/vlan_dev.c | 3 +++
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c
+index 15bbfaf943fd1..ad3780067a7d8 100644
+--- a/net/8021q/vlan.c
++++ b/net/8021q/vlan.c
+@@ -120,9 +120,6 @@ void unregister_vlan_dev(struct net_device *dev, struct list_head *head)
+ }
+
+ vlan_vid_del(real_dev, vlan->vlan_proto, vlan_id);
+-
+- /* Get rid of the vlan's reference to real_dev */
+- dev_put(real_dev);
+ }
+
+ int vlan_check_real_dev(struct net_device *real_dev,
+diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
+index ec8408d1638fb..c7eba7dab0938 100644
+--- a/net/8021q/vlan_dev.c
++++ b/net/8021q/vlan_dev.c
+@@ -813,6 +813,9 @@ static void vlan_dev_free(struct net_device *dev)
+
+ free_percpu(vlan->vlan_pcpu_stats);
+ vlan->vlan_pcpu_stats = NULL;
++
++ /* Get rid of the vlan's reference to real_dev */
++ dev_put(vlan->real_dev);
+ }
+
+ void vlan_setup(struct net_device *dev)
+--
+2.33.0
+
--- /dev/null
+From e492d9791d37c57deb08ee9bb9ecb82e9bf40ff8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Oct 2021 11:26:49 +0200
+Subject: netfilter: conntrack: set on IPS_ASSURED if flows enters internal
+ stream state
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit b7b1d02fc43925a4d569ec221715db2dfa1ce4f5 ]
+
+The internal stream state sets the timeout to 120 seconds 2 seconds
+after the creation of the flow, attach this internal stream state to the
+IPS_ASSURED flag for consistent event reporting.
+
+Before this patch:
+
+ [NEW] udp 17 30 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 [UNREPLIED] src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282
+ [UPDATE] udp 17 30 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282
+ [UPDATE] udp 17 30 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282 [ASSURED]
+ [DESTROY] udp 17 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282 [ASSURED]
+
+Note IPS_ASSURED for the flow not yet in the internal stream state.
+
+after this update:
+
+ [NEW] udp 17 30 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 [UNREPLIED] src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282
+ [UPDATE] udp 17 30 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282
+ [UPDATE] udp 17 120 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282 [ASSURED]
+ [DESTROY] udp 17 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282 [ASSURED]
+
+Before this patch, short-lived UDP flows never entered IPS_ASSURED, so
+they were already candidate flow to be deleted by early_drop under
+stress.
+
+Before this patch, IPS_ASSURED is set on regardless the internal stream
+state, attach this internal stream state to IPS_ASSURED.
+
+packet #1 (original direction) enters NEW state
+packet #2 (reply direction) enters ESTABLISHED state, sets on IPS_SEEN_REPLY
+paclet #3 (any direction) sets on IPS_ASSURED (if 2 seconds since the
+ creation has passed by).
+
+Reported-by: Maciej Żenczykowski <zenczykowski@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_proto_udp.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c
+index af402f458ee02..0528e9c26cebd 100644
+--- a/net/netfilter/nf_conntrack_proto_udp.c
++++ b/net/netfilter/nf_conntrack_proto_udp.c
+@@ -105,10 +105,13 @@ int nf_conntrack_udp_packet(struct nf_conn *ct,
+ */
+ if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
+ unsigned long extra = timeouts[UDP_CT_UNREPLIED];
++ bool stream = false;
+
+ /* Still active after two seconds? Extend timeout. */
+- if (time_after(jiffies, ct->proto.udp.stream_ts))
++ if (time_after(jiffies, ct->proto.udp.stream_ts)) {
+ extra = timeouts[UDP_CT_REPLIED];
++ stream = true;
++ }
+
+ nf_ct_refresh_acct(ct, ctinfo, skb, extra);
+
+@@ -117,7 +120,7 @@ int nf_conntrack_udp_packet(struct nf_conn *ct,
+ return NF_ACCEPT;
+
+ /* Also, more likely to be important, and not a probe */
+- if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
++ if (stream && !test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
+ nf_conntrack_event_cache(IPCT_ASSURED, ct);
+ } else {
+ nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[UDP_CT_UNREPLIED]);
+--
+2.33.0
+
--- /dev/null
+From cadb7b0ca2e8d86c2ba50b1038c194a3e165178b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Oct 2021 18:08:10 +0200
+Subject: netfilter: nfnetlink_queue: fix OOB when mac header was cleared
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 5648b5e1169ff1d6d6a46c35c0b5fbebd2a5cbb2 ]
+
+On 64bit platforms the MAC header is set to 0xffff on allocation and
+also when a helper like skb_unset_mac_header() is called.
+
+dev_parse_header may call skb_mac_header() which assumes valid mac offset:
+
+ BUG: KASAN: use-after-free in eth_header_parse+0x75/0x90
+ Read of size 6 at addr ffff8881075a5c05 by task nf-queue/1364
+ Call Trace:
+ memcpy+0x20/0x60
+ eth_header_parse+0x75/0x90
+ __nfqnl_enqueue_packet+0x1a61/0x3380
+ __nf_queue+0x597/0x1300
+ nf_queue+0xf/0x40
+ nf_hook_slow+0xed/0x190
+ nf_hook+0x184/0x440
+ ip_output+0x1c0/0x2a0
+ nf_reinject+0x26f/0x700
+ nfqnl_recv_verdict+0xa16/0x18b0
+ nfnetlink_rcv_msg+0x506/0xe70
+
+The existing code only works if the skb has a mac header.
+
+Fixes: 2c38de4c1f8da7 ("netfilter: fix looped (broad|multi)cast's MAC handling")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nfnetlink_queue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
+index d1d8bca03b4f0..98994fe677fe9 100644
+--- a/net/netfilter/nfnetlink_queue.c
++++ b/net/netfilter/nfnetlink_queue.c
+@@ -562,7 +562,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
+ goto nla_put_failure;
+
+ if (indev && entskb->dev &&
+- entskb->mac_header != entskb->network_header) {
++ skb_mac_header_was_set(entskb)) {
+ struct nfqnl_msg_packet_hw phw;
+ int len;
+
+--
+2.33.0
+
--- /dev/null
+From 020568a166dadb9a9bee77bcfa1039d6508d2c68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Sep 2021 22:40:26 +0200
+Subject: netfilter: nft_dynset: relax superfluous check on set updates
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 7b1394892de8d95748d05e3ee41e85edb4abbfa1 ]
+
+Relax this condition to make add and update commands idempotent for sets
+with no timeout. The eval function already checks if the set element
+timeout is available and updates it if the update command is used.
+
+Fixes: 22fe54d5fefc ("netfilter: nf_tables: add support for dynamic set updates")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_dynset.c | 11 +----------
+ 1 file changed, 1 insertion(+), 10 deletions(-)
+
+diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
+index 5c84a968dae29..58904bee1a0df 100644
+--- a/net/netfilter/nft_dynset.c
++++ b/net/netfilter/nft_dynset.c
+@@ -141,17 +141,8 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
+ return -EBUSY;
+
+ priv->op = ntohl(nla_get_be32(tb[NFTA_DYNSET_OP]));
+- switch (priv->op) {
+- case NFT_DYNSET_OP_ADD:
+- case NFT_DYNSET_OP_DELETE:
+- break;
+- case NFT_DYNSET_OP_UPDATE:
+- if (!(set->flags & NFT_SET_TIMEOUT))
+- return -EOPNOTSUPP;
+- break;
+- default:
++ if (priv->op > NFT_DYNSET_OP_DELETE)
+ return -EOPNOTSUPP;
+- }
+
+ timeout = 0;
+ if (tb[NFTA_DYNSET_TIMEOUT] != NULL) {
+--
+2.33.0
+
--- /dev/null
+From fb64a4968b70be9dfb2d992de0dc18ece2a92a4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Nov 2021 06:36:36 -0700
+Subject: nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails
+
+From: Chengfeng Ye <cyeaa@connect.ust.hk>
+
+[ Upstream commit 9fec40f850658e00a14a7dd9e06f7fbc7e59cc4a ]
+
+skb is already freed by dev_kfree_skb in pn533_fill_fragment_skbs,
+but follow error handler branch when pn533_fill_fragment_skbs()
+fails, skb is freed again, results in double free issue. Fix this
+by not free skb in error path of pn533_fill_fragment_skbs.
+
+Fixes: 963a82e07d4e ("NFC: pn533: Split large Tx frames in chunks")
+Fixes: 93ad42020c2d ("NFC: pn533: Target mode Tx fragmentation support")
+Signed-off-by: Chengfeng Ye <cyeaa@connect.ust.hk>
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/pn533/pn533.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/nfc/pn533/pn533.c b/drivers/nfc/pn533/pn533.c
+index 18e3435ab8f33..d2c0116157759 100644
+--- a/drivers/nfc/pn533/pn533.c
++++ b/drivers/nfc/pn533/pn533.c
+@@ -2258,7 +2258,7 @@ static int pn533_fill_fragment_skbs(struct pn533 *dev, struct sk_buff *skb)
+ frag = pn533_alloc_skb(dev, frag_size);
+ if (!frag) {
+ skb_queue_purge(&dev->fragment_skb);
+- break;
++ return -ENOMEM;
+ }
+
+ if (!dev->tgt_mode) {
+@@ -2329,7 +2329,7 @@ static int pn533_transceive(struct nfc_dev *nfc_dev,
+ /* jumbo frame ? */
+ if (skb->len > PN533_CMD_DATAEXCH_DATA_MAXLEN) {
+ rc = pn533_fill_fragment_skbs(dev, skb);
+- if (rc <= 0)
++ if (rc < 0)
+ goto error;
+
+ skb = skb_dequeue(&dev->fragment_skb);
+@@ -2401,7 +2401,7 @@ static int pn533_tm_send(struct nfc_dev *nfc_dev, struct sk_buff *skb)
+ /* let's split in multiple chunks if size's too big */
+ if (skb->len > PN533_CMD_DATAEXCH_DATA_MAXLEN) {
+ rc = pn533_fill_fragment_skbs(dev, skb);
+- if (rc <= 0)
++ if (rc < 0)
+ goto error;
+
+ /* get the first skb */
+--
+2.33.0
+
--- /dev/null
+From 3b6190891fc6ff1ad1af3fa523e4a94f37772cdc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Oct 2021 14:05:02 -0400
+Subject: NFS: Fix an Oops in pnfs_mark_request_commit()
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit f0caea8882a7412a2ad4d8274f0280cdf849c9e2 ]
+
+Olga reports seeing the following Oops when doing O_DIRECT writes to a
+pNFS flexfiles server:
+
+Oops: 0000 [#1] SMP PTI
+CPU: 1 PID: 234186 Comm: kworker/u8:1 Not tainted 5.15.0-rc4+ #4
+Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.13.0-2.module+el8.3.0+7353+9de0a3cc 04/01/2014
+Workqueue: nfsiod rpc_async_release [sunrpc]
+RIP: 0010:nfs_mark_request_commit+0x12/0x30 [nfs]
+Code: ff ff be 03 00 00 00 e8 ac 34 83 eb e9 29 ff ff
+ff e8 22 bc d7 eb 66 90 0f 1f 44 00 00 48 85 f6 74 16 48 8b 42 10 48
+8b 40 18 <48> 8b 40 18 48 85 c0 74 05 e9 70 fc 15 ec 48 89 d6 e9 68 ed
+ff ff
+RSP: 0018:ffffa82f0159fe00 EFLAGS: 00010286
+RAX: 0000000000000000 RBX: ffff8f3393141880 RCX: 0000000000000000
+RDX: ffffa82f0159fe08 RSI: ffff8f3381252500 RDI: ffff8f3393141880
+RBP: ffff8f33ac317c00 R08: 0000000000000000 R09: ffff8f3487724cb0
+R10: 0000000000000008 R11: 0000000000000001 R12: 0000000000000001
+R13: ffff8f3485bccee0 R14: ffff8f33ac317c10 R15: ffff8f33ac317cd8
+FS: 0000000000000000(0000) GS:ffff8f34fbc80000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000018 CR3: 0000000122120006 CR4: 0000000000770ee0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+PKRU: 55555554
+Call Trace:
+ nfs_direct_write_completion+0x13b/0x250 [nfs]
+ rpc_free_task+0x39/0x60 [sunrpc]
+ rpc_async_release+0x29/0x40 [sunrpc]
+ process_one_work+0x1ce/0x370
+ worker_thread+0x30/0x380
+ ? process_one_work+0x370/0x370
+ kthread+0x11a/0x140
+ ? set_kthread_struct+0x40/0x40
+ ret_from_fork+0x22/0x30
+
+Reported-by: Olga Kornievskaia <aglo@umich.edu>
+Fixes: 9c455a8c1e14 ("NFS/pNFS: Clean up pNFS commit operations")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/pnfs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfs/pnfs.h b/fs/nfs/pnfs.h
+index 132a345e93731..0212fe32e63aa 100644
+--- a/fs/nfs/pnfs.h
++++ b/fs/nfs/pnfs.h
+@@ -515,7 +515,7 @@ pnfs_mark_request_commit(struct nfs_page *req, struct pnfs_layout_segment *lseg,
+ {
+ struct pnfs_ds_commit_info *fl_cinfo = cinfo->ds;
+
+- if (!lseg || !fl_cinfo->ops->mark_request_commit)
++ if (!lseg || !fl_cinfo->ops || !fl_cinfo->ops->mark_request_commit)
+ return false;
+ fl_cinfo->ops->mark_request_commit(req, lseg, cinfo, ds_commit_idx);
+ return true;
+--
+2.33.0
+
--- /dev/null
+From 1435ca0d1ffe0afd8783af57142528216ae160f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Oct 2021 15:44:16 -0400
+Subject: NFS: Fix deadlocks in nfs_scan_commit_list()
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit 64a93dbf25d3a1368bb58ddf0f61d0a92d7479e3 ]
+
+Partially revert commit 2ce209c42c01 ("NFS: Wait for requests that are
+locked on the commit list"), since it can lead to deadlocks between
+commit requests and nfs_join_page_group().
+For now we should assume that any locked requests on the commit list are
+either about to be removed and committed by another task, or the writes
+they describe are about to be retransmitted. In either case, we should
+not need to worry.
+
+Fixes: 2ce209c42c01 ("NFS: Wait for requests that are locked on the commit list")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/write.c | 17 ++---------------
+ 1 file changed, 2 insertions(+), 15 deletions(-)
+
+diff --git a/fs/nfs/write.c b/fs/nfs/write.c
+index 639c34fec04a8..dc7201c83bc29 100644
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -1034,25 +1034,11 @@ nfs_scan_commit_list(struct list_head *src, struct list_head *dst,
+ struct nfs_page *req, *tmp;
+ int ret = 0;
+
+-restart:
+ list_for_each_entry_safe(req, tmp, src, wb_list) {
+ kref_get(&req->wb_kref);
+ if (!nfs_lock_request(req)) {
+- int status;
+-
+- /* Prevent deadlock with nfs_lock_and_join_requests */
+- if (!list_empty(dst)) {
+- nfs_release_request(req);
+- continue;
+- }
+- /* Ensure we make progress to prevent livelock */
+- mutex_unlock(&NFS_I(cinfo->inode)->commit_mutex);
+- status = nfs_wait_on_request(req);
+ nfs_release_request(req);
+- mutex_lock(&NFS_I(cinfo->inode)->commit_mutex);
+- if (status < 0)
+- break;
+- goto restart;
++ continue;
+ }
+ nfs_request_remove_commit_list(req, cinfo);
+ clear_bit(PG_COMMIT_TO_DS, &req->wb_flags);
+@@ -1924,6 +1910,7 @@ static int __nfs_commit_inode(struct inode *inode, int how,
+ int may_wait = how & FLUSH_SYNC;
+ int ret, nscan;
+
++ how &= ~FLUSH_SYNC;
+ nfs_init_cinfo_from_inode(&cinfo, inode);
+ nfs_commit_begin(cinfo.mds);
+ for (;;) {
+--
+2.33.0
+
--- /dev/null
+From ddf366daf1a93a3249a9e6a4897a0c978fad35cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Sep 2021 08:12:53 -0400
+Subject: NFS: Fix dentry verifier races
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit cec08f452a687fce9dfdf47946d00a1d12a8bec5 ]
+
+If the directory changed while we were revalidating the dentry, then
+don't update the dentry verifier. There is no value in setting the
+verifier to an older value, and we could end up overwriting a more up to
+date verifier from a parallel revalidation.
+
+Fixes: efeda80da38d ("NFSv4: Fix revalidation of dentries with delegations")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Tested-by: Benjamin Coddington <bcodding@redhat.com>
+Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/dir.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
+index c837675cd395a..8b963c72dd3b1 100644
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -1061,13 +1061,12 @@ static bool nfs_verifier_is_delegated(struct dentry *dentry)
+ static void nfs_set_verifier_locked(struct dentry *dentry, unsigned long verf)
+ {
+ struct inode *inode = d_inode(dentry);
++ struct inode *dir = d_inode(dentry->d_parent);
+
+- if (!nfs_verifier_is_delegated(dentry) &&
+- !nfs_verify_change_attribute(d_inode(dentry->d_parent), verf))
+- goto out;
++ if (!nfs_verify_change_attribute(dir, verf))
++ return;
+ if (inode && NFS_PROTO(inode)->have_delegation(inode, FMODE_READ))
+ nfs_set_verifier_delegated(&verf);
+-out:
+ dentry->d_time = verf;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 0c927559b26c95d666de47401bda311e5c86d290 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Oct 2021 15:37:42 -0400
+Subject: NFS: Fix up commit deadlocks
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit 133a48abf6ecc535d7eddc6da1c3e4c972445882 ]
+
+If O_DIRECT bumps the commit_info rpcs_out field, then that could lead
+to fsync() hangs. The fix is to ensure that O_DIRECT calls
+nfs_commit_end().
+
+Fixes: 723c921e7dfc ("sched/wait, fs/nfs: Convert wait_on_atomic_t() usage to the new wait_var_event() API")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/direct.c | 2 +-
+ fs/nfs/pnfs_nfs.c | 2 --
+ fs/nfs/write.c | 9 ++++++---
+ include/linux/nfs_fs.h | 1 +
+ 4 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/fs/nfs/direct.c b/fs/nfs/direct.c
+index 2e894fec036b0..3c0335c15a730 100644
+--- a/fs/nfs/direct.c
++++ b/fs/nfs/direct.c
+@@ -620,7 +620,7 @@ static void nfs_direct_commit_complete(struct nfs_commit_data *data)
+ nfs_unlock_and_release_request(req);
+ }
+
+- if (atomic_dec_and_test(&cinfo.mds->rpcs_out))
++ if (nfs_commit_end(cinfo.mds))
+ nfs_direct_write_complete(dreq);
+ }
+
+diff --git a/fs/nfs/pnfs_nfs.c b/fs/nfs/pnfs_nfs.c
+index 37b52b53a7e53..7b9d701bef016 100644
+--- a/fs/nfs/pnfs_nfs.c
++++ b/fs/nfs/pnfs_nfs.c
+@@ -468,7 +468,6 @@ pnfs_bucket_alloc_ds_commits(struct list_head *list,
+ goto out_error;
+ data->ds_commit_index = i;
+ list_add_tail(&data->list, list);
+- atomic_inc(&cinfo->mds->rpcs_out);
+ nreq++;
+ }
+ mutex_unlock(&NFS_I(cinfo->inode)->commit_mutex);
+@@ -520,7 +519,6 @@ pnfs_generic_commit_pagelist(struct inode *inode, struct list_head *mds_pages,
+ data->ds_commit_index = -1;
+ list_splice_init(mds_pages, &data->pages);
+ list_add_tail(&data->list, &list);
+- atomic_inc(&cinfo->mds->rpcs_out);
+ nreq++;
+ }
+
+diff --git a/fs/nfs/write.c b/fs/nfs/write.c
+index dc7201c83bc29..bde4c362841f0 100644
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -1649,10 +1649,13 @@ static void nfs_commit_begin(struct nfs_mds_commit_info *cinfo)
+ atomic_inc(&cinfo->rpcs_out);
+ }
+
+-static void nfs_commit_end(struct nfs_mds_commit_info *cinfo)
++bool nfs_commit_end(struct nfs_mds_commit_info *cinfo)
+ {
+- if (atomic_dec_and_test(&cinfo->rpcs_out))
++ if (atomic_dec_and_test(&cinfo->rpcs_out)) {
+ wake_up_var(&cinfo->rpcs_out);
++ return true;
++ }
++ return false;
+ }
+
+ void nfs_commitdata_release(struct nfs_commit_data *data)
+@@ -1752,6 +1755,7 @@ void nfs_init_commit(struct nfs_commit_data *data,
+ data->res.fattr = &data->fattr;
+ data->res.verf = &data->verf;
+ nfs_fattr_init(&data->fattr);
++ nfs_commit_begin(cinfo->mds);
+ }
+ EXPORT_SYMBOL_GPL(nfs_init_commit);
+
+@@ -1797,7 +1801,6 @@ nfs_commit_list(struct inode *inode, struct list_head *head, int how,
+
+ /* Set up the argument struct */
+ nfs_init_commit(data, head, NULL, cinfo);
+- atomic_inc(&cinfo->mds->rpcs_out);
+ return nfs_initiate_commit(NFS_CLIENT(inode), data, NFS_PROTO(inode),
+ data->mds_ops, how, RPC_TASK_CRED_NOREF);
+ }
+diff --git a/include/linux/nfs_fs.h b/include/linux/nfs_fs.h
+index 91a6525a98cb7..aff5cd382fef5 100644
+--- a/include/linux/nfs_fs.h
++++ b/include/linux/nfs_fs.h
+@@ -553,6 +553,7 @@ extern int nfs_wb_page_cancel(struct inode *inode, struct page* page);
+ extern int nfs_commit_inode(struct inode *, int);
+ extern struct nfs_commit_data *nfs_commitdata_alloc(bool never_fail);
+ extern void nfs_commit_free(struct nfs_commit_data *data);
++bool nfs_commit_end(struct nfs_mds_commit_info *cinfo);
+
+ static inline int
+ nfs_have_writebacks(struct inode *inode)
+--
+2.33.0
+
--- /dev/null
+From 98b213eedbd908994c332800e9dc5f59b34abee6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 12:30:32 -0400
+Subject: nfsd: don't alloc under spinlock in rpc_parse_scope_id
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+[ Upstream commit 9b6e27d01adcec58e046c624874f8a124e8b07ec ]
+
+Dan Carpenter says:
+
+ The patch d20c11d86d8f: "nfsd: Protect session creation and client
+ confirm using client_lock" from Jul 30, 2014, leads to the following
+ Smatch static checker warning:
+
+ net/sunrpc/addr.c:178 rpc_parse_scope_id()
+ warn: sleeping in atomic context
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Fixes: d20c11d86d8f ("nfsd: Protect session creation and client...")
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/addr.c | 40 ++++++++++++++++++----------------------
+ 1 file changed, 18 insertions(+), 22 deletions(-)
+
+diff --git a/net/sunrpc/addr.c b/net/sunrpc/addr.c
+index 6e4dbd577a39f..d435bffc61999 100644
+--- a/net/sunrpc/addr.c
++++ b/net/sunrpc/addr.c
+@@ -162,8 +162,10 @@ static int rpc_parse_scope_id(struct net *net, const char *buf,
+ const size_t buflen, const char *delim,
+ struct sockaddr_in6 *sin6)
+ {
+- char *p;
++ char p[IPV6_SCOPE_ID_LEN + 1];
+ size_t len;
++ u32 scope_id = 0;
++ struct net_device *dev;
+
+ if ((buf + buflen) == delim)
+ return 1;
+@@ -175,29 +177,23 @@ static int rpc_parse_scope_id(struct net *net, const char *buf,
+ return 0;
+
+ len = (buf + buflen) - delim - 1;
+- p = kmemdup_nul(delim + 1, len, GFP_KERNEL);
+- if (p) {
+- u32 scope_id = 0;
+- struct net_device *dev;
+-
+- dev = dev_get_by_name(net, p);
+- if (dev != NULL) {
+- scope_id = dev->ifindex;
+- dev_put(dev);
+- } else {
+- if (kstrtou32(p, 10, &scope_id) != 0) {
+- kfree(p);
+- return 0;
+- }
+- }
+-
+- kfree(p);
+-
+- sin6->sin6_scope_id = scope_id;
+- return 1;
++ if (len > IPV6_SCOPE_ID_LEN)
++ return 0;
++
++ memcpy(p, delim + 1, len);
++ p[len] = 0;
++
++ dev = dev_get_by_name(net, p);
++ if (dev != NULL) {
++ scope_id = dev->ifindex;
++ dev_put(dev);
++ } else {
++ if (kstrtou32(p, 10, &scope_id) != 0)
++ return 0;
+ }
+
+- return 0;
++ sin6->sin6_scope_id = scope_id;
++ return 1;
+ }
+
+ static size_t rpc_pton6(struct net *net, const char *buf, const size_t buflen,
+--
+2.33.0
+
--- /dev/null
+From 1e8c085c24a0b088fd66dcd185b2a790f914396e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Oct 2021 21:56:40 -0400
+Subject: NFSv4: Fix a regression in nfs_set_open_stateid_locked()
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit 01d29f87fcfef38d51ce2b473981a5c1e861ac0a ]
+
+If we already hold open state on the client, yet the server gives us a
+completely different stateid to the one we already hold, then we
+currently treat it as if it were an out-of-sequence update, and wait for
+5 seconds for other updates to come in.
+This commit fixes the behaviour so that we immediately start processing
+of the new stateid, and then leave it to the call to
+nfs4_test_and_free_stateid() to decide what to do with the old stateid.
+
+Fixes: b4868b44c562 ("NFSv4: Wait for stateid updates after CLOSE/OPEN_DOWNGRADE")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4proc.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 5365000e83bd6..3106bd28b1132 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -1590,15 +1590,16 @@ static bool nfs_stateid_is_sequential(struct nfs4_state *state,
+ {
+ if (test_bit(NFS_OPEN_STATE, &state->flags)) {
+ /* The common case - we're updating to a new sequence number */
+- if (nfs4_stateid_match_other(stateid, &state->open_stateid) &&
+- nfs4_stateid_is_next(&state->open_stateid, stateid)) {
+- return true;
++ if (nfs4_stateid_match_other(stateid, &state->open_stateid)) {
++ if (nfs4_stateid_is_next(&state->open_stateid, stateid))
++ return true;
++ return false;
+ }
+- } else {
+- /* This is the first OPEN in this generation */
+- if (stateid->seqid == cpu_to_be32(1))
+- return true;
++ /* The server returned a new stateid */
+ }
++ /* This is the first OPEN in this generation */
++ if (stateid->seqid == cpu_to_be32(1))
++ return true;
+ return false;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From e37dba785e9d95242d4ff8adf0904c97189e57d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Oct 2021 07:59:10 +0200
+Subject: nvme: drop scan_lock and always kick requeue list when removing
+ namespaces
+
+From: Hannes Reinecke <hare@suse.de>
+
+[ Upstream commit 2b81a5f015199f3d585ce710190a9e87714d3c1e ]
+
+When reading the partition table on initial scan hits an I/O error the
+I/O will hang with the scan_mutex held:
+
+[<0>] do_read_cache_page+0x49b/0x790
+[<0>] read_part_sector+0x39/0xe0
+[<0>] read_lba+0xf9/0x1d0
+[<0>] efi_partition+0xf1/0x7f0
+[<0>] bdev_disk_changed+0x1ee/0x550
+[<0>] blkdev_get_whole+0x81/0x90
+[<0>] blkdev_get_by_dev+0x128/0x2e0
+[<0>] device_add_disk+0x377/0x3c0
+[<0>] nvme_mpath_set_live+0x130/0x1b0 [nvme_core]
+[<0>] nvme_mpath_add_disk+0x150/0x160 [nvme_core]
+[<0>] nvme_alloc_ns+0x417/0x950 [nvme_core]
+[<0>] nvme_validate_or_alloc_ns+0xe9/0x1e0 [nvme_core]
+[<0>] nvme_scan_work+0x168/0x310 [nvme_core]
+[<0>] process_one_work+0x231/0x420
+
+and trying to delete the controller will deadlock as it tries to grab
+the scan mutex:
+
+[<0>] nvme_mpath_clear_ctrl_paths+0x25/0x80 [nvme_core]
+[<0>] nvme_remove_namespaces+0x31/0xf0 [nvme_core]
+[<0>] nvme_do_delete_ctrl+0x4b/0x80 [nvme_core]
+
+As we're now properly ordering the namespace list there is no need to
+hold the scan_mutex in nvme_mpath_clear_ctrl_paths() anymore.
+And we always need to kick the requeue list as the path will be marked
+as unusable and I/O will be requeued _without_ a current path.
+
+Signed-off-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/multipath.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c
+index 46a1e24ba6f47..18a756444d5a9 100644
+--- a/drivers/nvme/host/multipath.c
++++ b/drivers/nvme/host/multipath.c
+@@ -135,13 +135,12 @@ void nvme_mpath_clear_ctrl_paths(struct nvme_ctrl *ctrl)
+ {
+ struct nvme_ns *ns;
+
+- mutex_lock(&ctrl->scan_lock);
+ down_read(&ctrl->namespaces_rwsem);
+- list_for_each_entry(ns, &ctrl->namespaces, list)
+- if (nvme_mpath_clear_current_path(ns))
+- kblockd_schedule_work(&ns->head->requeue_work);
++ list_for_each_entry(ns, &ctrl->namespaces, list) {
++ nvme_mpath_clear_current_path(ns);
++ kblockd_schedule_work(&ns->head->requeue_work);
++ }
+ up_read(&ctrl->namespaces_rwsem);
+- mutex_unlock(&ctrl->scan_lock);
+ }
+
+ static bool nvme_path_is_disabled(struct nvme_ns *ns)
+--
+2.33.0
+
--- /dev/null
+From afa638a4f7f4905ffe260fe43d27308f7d0b93cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 17 Oct 2021 11:58:16 +0300
+Subject: nvme-rdma: fix error code in nvme_rdma_setup_ctrl
+
+From: Max Gurtovoy <mgurtovoy@nvidia.com>
+
+[ Upstream commit 09748122009aed7bfaa7acc33c10c083a4758322 ]
+
+In case that icdoff is not zero or mandatory keyed sgls are not
+supported by the NVMe/RDMA target, we'll go to error flow but we'll
+return 0 to the caller. Fix it by returning an appropriate error code.
+
+Fixes: c66e2998c8ca ("nvme-rdma: centralize controller setup sequence")
+Signed-off-by: Max Gurtovoy <mgurtovoy@nvidia.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/rdma.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c
+index 51f4647ea2142..1b90563818434 100644
+--- a/drivers/nvme/host/rdma.c
++++ b/drivers/nvme/host/rdma.c
+@@ -1103,11 +1103,13 @@ static int nvme_rdma_setup_ctrl(struct nvme_rdma_ctrl *ctrl, bool new)
+ return ret;
+
+ if (ctrl->ctrl.icdoff) {
++ ret = -EOPNOTSUPP;
+ dev_err(ctrl->ctrl.device, "icdoff is not supported!\n");
+ goto destroy_admin;
+ }
+
+ if (!(ctrl->ctrl.sgls & (1 << 2))) {
++ ret = -EOPNOTSUPP;
+ dev_err(ctrl->ctrl.device,
+ "Mandatory keyed sgls are not supported!\n");
+ goto destroy_admin;
+--
+2.33.0
+
--- /dev/null
+From e586c6f92a3b03cc9f8cd1257dd59698f43f2551 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Oct 2021 08:09:43 +0000
+Subject: nvmet: fix use-after-free when a port is removed
+
+From: Israel Rukshin <israelr@nvidia.com>
+
+[ Upstream commit e3e19dcc4c416d65f99f13d55be2b787f8d0050e ]
+
+When a port is removed through configfs, any connected controllers
+are starting teardown flow asynchronously and can still send commands.
+This causes a use-after-free bug for any command that dereferences
+req->port (like in nvmet_parse_io_cmd).
+
+To fix this, wait for all the teardown scheduled works to complete
+(like release_work at rdma/tcp drivers). This ensures there are no
+active controllers when the port is eventually removed.
+
+Signed-off-by: Israel Rukshin <israelr@nvidia.com>
+Reviewed-by: Max Gurtovoy <mgurtovoy@nvidia.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/configfs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c
+index 37e1d7784e175..9aed5cc710960 100644
+--- a/drivers/nvme/target/configfs.c
++++ b/drivers/nvme/target/configfs.c
+@@ -1462,6 +1462,8 @@ static void nvmet_port_release(struct config_item *item)
+ {
+ struct nvmet_port *port = to_nvmet_port(item);
+
++ /* Let inflight controllers teardown complete */
++ flush_scheduled_work();
+ list_del(&port->global_entry);
+
+ kfree(port->ana_state);
+--
+2.33.0
+
--- /dev/null
+From 15e6c15b6284a271a43dd362248800641b693045 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Oct 2021 08:09:44 +0000
+Subject: nvmet-rdma: fix use-after-free when a port is removed
+
+From: Israel Rukshin <israelr@nvidia.com>
+
+[ Upstream commit fcf73a804c7d6bbf0ea63531c6122aa363852e04 ]
+
+When removing a port, all its controllers are being removed, but there
+are queues on the port that doesn't belong to any controller (during
+connection time). This causes a use-after-free bug for any command
+that dereferences req->port (like in nvmet_alloc_ctrl). Those queues
+should be destroyed before freeing the port via configfs. Destroy the
+remaining queues after the RDMA-CM was destroyed guarantees that no
+new queue will be created.
+
+Signed-off-by: Israel Rukshin <israelr@nvidia.com>
+Reviewed-by: Max Gurtovoy <mgurtovoy@nvidia.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/rdma.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/drivers/nvme/target/rdma.c b/drivers/nvme/target/rdma.c
+index 7d607f435e366..6d5552f2f184a 100644
+--- a/drivers/nvme/target/rdma.c
++++ b/drivers/nvme/target/rdma.c
+@@ -1819,12 +1819,36 @@ restart:
+ mutex_unlock(&nvmet_rdma_queue_mutex);
+ }
+
++static void nvmet_rdma_destroy_port_queues(struct nvmet_rdma_port *port)
++{
++ struct nvmet_rdma_queue *queue, *tmp;
++ struct nvmet_port *nport = port->nport;
++
++ mutex_lock(&nvmet_rdma_queue_mutex);
++ list_for_each_entry_safe(queue, tmp, &nvmet_rdma_queue_list,
++ queue_list) {
++ if (queue->port != nport)
++ continue;
++
++ list_del_init(&queue->queue_list);
++ __nvmet_rdma_queue_disconnect(queue);
++ }
++ mutex_unlock(&nvmet_rdma_queue_mutex);
++}
++
+ static void nvmet_rdma_disable_port(struct nvmet_rdma_port *port)
+ {
+ struct rdma_cm_id *cm_id = xchg(&port->cm_id, NULL);
+
+ if (cm_id)
+ rdma_destroy_id(cm_id);
++
++ /*
++ * Destroy the remaining queues, which are not belong to any
++ * controller yet. Do it here after the RDMA-CM was destroyed
++ * guarantees that no new queue will be created.
++ */
++ nvmet_rdma_destroy_port_queues(port);
+ }
+
+ static int nvmet_rdma_enable_port(struct nvmet_rdma_port *port)
+--
+2.33.0
+
--- /dev/null
+From 7d8fca6315053b34663436101343eecf4dbb7bcd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Oct 2021 08:09:45 +0000
+Subject: nvmet-tcp: fix use-after-free when a port is removed
+
+From: Israel Rukshin <israelr@nvidia.com>
+
+[ Upstream commit 2351ead99ce9164fb42555aee3f96af84c4839e9 ]
+
+When removing a port, all its controllers are being removed, but there
+are queues on the port that doesn't belong to any controller (during
+connection time). This causes a use-after-free bug for any command
+that dereferences req->port (like in nvmet_alloc_ctrl). Those queues
+should be destroyed before freeing the port via configfs. Destroy
+the remaining queues after the accept_work was cancelled guarantees
+that no new queue will be created.
+
+Signed-off-by: Israel Rukshin <israelr@nvidia.com>
+Reviewed-by: Max Gurtovoy <mgurtovoy@nvidia.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/tcp.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
+index 58dc517fe8678..1251fd6e92780 100644
+--- a/drivers/nvme/target/tcp.c
++++ b/drivers/nvme/target/tcp.c
+@@ -1708,6 +1708,17 @@ err_port:
+ return ret;
+ }
+
++static void nvmet_tcp_destroy_port_queues(struct nvmet_tcp_port *port)
++{
++ struct nvmet_tcp_queue *queue;
++
++ mutex_lock(&nvmet_tcp_queue_mutex);
++ list_for_each_entry(queue, &nvmet_tcp_queue_list, queue_list)
++ if (queue->port == port)
++ kernel_sock_shutdown(queue->sock, SHUT_RDWR);
++ mutex_unlock(&nvmet_tcp_queue_mutex);
++}
++
+ static void nvmet_tcp_remove_port(struct nvmet_port *nport)
+ {
+ struct nvmet_tcp_port *port = nport->priv;
+@@ -1717,6 +1728,11 @@ static void nvmet_tcp_remove_port(struct nvmet_port *nport)
+ port->sock->sk->sk_user_data = NULL;
+ write_unlock_bh(&port->sock->sk->sk_callback_lock);
+ cancel_work_sync(&port->accept_work);
++ /*
++ * Destroy the remaining queues, which are not belong to any
++ * controller yet.
++ */
++ nvmet_tcp_destroy_port_queues(port);
+
+ sock_release(port->sock);
+ kfree(port);
+--
+2.33.0
+
--- /dev/null
+From d6dc91b95654dc658ac15ea0aa2ead34fccd8247 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Jan 2021 15:29:25 -0600
+Subject: objtool: Add xen_start_kernel() to noreturn list
+
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+
+[ Upstream commit c26acfbbfbc2ae4167e33825793e85e1a53058d8 ]
+
+xen_start_kernel() doesn't return. Annotate it as such so objtool can
+follow the code flow.
+
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Link: https://lore.kernel.org/r/930deafa89256c60b180442df59a1bbae48f30ab.1611263462.git.jpoimboe@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/objtool/check.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/objtool/check.c b/tools/objtool/check.c
+index 5c83f73ad6687..ec15cadbb3d3e 100644
+--- a/tools/objtool/check.c
++++ b/tools/objtool/check.c
+@@ -156,6 +156,7 @@ static bool __dead_end_function(struct objtool_file *file, struct symbol *func,
+ "machine_real_restart",
+ "rewind_stack_do_exit",
+ "kunit_try_catch_throw",
++ "xen_start_kernel",
+ };
+
+ if (!func)
+--
+2.33.0
+
--- /dev/null
+From 96fa53410fe4654949377a9b1f7dda41460d9e09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Mar 2021 16:12:05 +0100
+Subject: objtool: Fix static_call list generation
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit a958c4fea768d2c378c89032ab41d38da2a24422 ]
+
+Currently, objtool generates tail call entries in add_jump_destination()
+but waits until validate_branch() to generate the regular call entries.
+Move these to add_call_destination() for consistency.
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Reviewed-by: Miroslav Benes <mbenes@suse.cz>
+Link: https://lkml.kernel.org/r/20210326151259.691529901@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/objtool/check.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/tools/objtool/check.c b/tools/objtool/check.c
+index 4261f93ce06f9..8932f41c387ff 100644
+--- a/tools/objtool/check.c
++++ b/tools/objtool/check.c
+@@ -954,6 +954,11 @@ static int add_call_destinations(struct objtool_file *file)
+ } else
+ insn->call_dest = reloc->sym;
+
++ if (insn->call_dest && insn->call_dest->static_call_tramp) {
++ list_add_tail(&insn->static_call_node,
++ &file->static_call_list);
++ }
++
+ /*
+ * Many compilers cannot disable KCOV with a function attribute
+ * so they need a little help, NOP out any KCOV calls from noinstr
+@@ -1668,6 +1673,9 @@ static int decode_sections(struct objtool_file *file)
+ if (ret)
+ return ret;
+
++ /*
++ * Must be before add_{jump_call}_destination.
++ */
+ ret = read_static_call_tramps(file);
+ if (ret)
+ return ret;
+@@ -1680,6 +1688,10 @@ static int decode_sections(struct objtool_file *file)
+ if (ret)
+ return ret;
+
++ /*
++ * Must be before add_call_destination(); it changes INSN_CALL to
++ * INSN_JUMP.
++ */
+ ret = read_intra_function_calls(file);
+ if (ret)
+ return ret;
+@@ -2534,11 +2546,6 @@ static int validate_branch(struct objtool_file *file, struct symbol *func,
+ if (dead_end_function(file, insn->call_dest))
+ return 0;
+
+- if (insn->type == INSN_CALL && insn->call_dest->static_call_tramp) {
+- list_add_tail(&insn->static_call_node,
+- &file->static_call_list);
+- }
+-
+ break;
+
+ case INSN_JUMP_CONDITIONAL:
+--
+2.33.0
+
--- /dev/null
+From 9681fe1f26622d6eaec6279606d992c790f0ef76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Oct 2021 20:32:25 -0500
+Subject: of: unittest: fix EXPECT text for gpio hog errors
+
+From: Frank Rowand <frank.rowand@sony.com>
+
+[ Upstream commit e85860e5bc077865a04f0a88d0b0335d3200484a ]
+
+The console message text for gpio hog errors does not match
+what unittest expects.
+
+Fixes: f4056e705b2ef ("of: unittest: add overlay gpio test to catch gpio hog problem")
+Signed-off-by: Frank Rowand <frank.rowand@sony.com>
+Link: https://lore.kernel.org/r/20211029013225.2048695-1-frowand.list@gmail.com
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/unittest.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c
+index eb51bc1474401..1d4b0b7d0cc10 100644
+--- a/drivers/of/unittest.c
++++ b/drivers/of/unittest.c
+@@ -1682,19 +1682,19 @@ static void __init of_unittest_overlay_gpio(void)
+ */
+
+ EXPECT_BEGIN(KERN_INFO,
+- "GPIO line <<int>> (line-B-input) hogged as input\n");
++ "gpio-<<int>> (line-B-input): hogged as input\n");
+
+ EXPECT_BEGIN(KERN_INFO,
+- "GPIO line <<int>> (line-A-input) hogged as input\n");
++ "gpio-<<int>> (line-A-input): hogged as input\n");
+
+ ret = platform_driver_register(&unittest_gpio_driver);
+ if (unittest(ret == 0, "could not register unittest gpio driver\n"))
+ return;
+
+ EXPECT_END(KERN_INFO,
+- "GPIO line <<int>> (line-A-input) hogged as input\n");
++ "gpio-<<int>> (line-A-input): hogged as input\n");
+ EXPECT_END(KERN_INFO,
+- "GPIO line <<int>> (line-B-input) hogged as input\n");
++ "gpio-<<int>> (line-B-input): hogged as input\n");
+
+ unittest(probe_pass_count + 2 == unittest_gpio_probe_pass_count,
+ "unittest_gpio_probe() failed or not called\n");
+@@ -1721,7 +1721,7 @@ static void __init of_unittest_overlay_gpio(void)
+ chip_request_count = unittest_gpio_chip_request_count;
+
+ EXPECT_BEGIN(KERN_INFO,
+- "GPIO line <<int>> (line-D-input) hogged as input\n");
++ "gpio-<<int>> (line-D-input): hogged as input\n");
+
+ /* overlay_gpio_03 contains gpio node and child gpio hog node */
+
+@@ -1729,7 +1729,7 @@ static void __init of_unittest_overlay_gpio(void)
+ "Adding overlay 'overlay_gpio_03' failed\n");
+
+ EXPECT_END(KERN_INFO,
+- "GPIO line <<int>> (line-D-input) hogged as input\n");
++ "gpio-<<int>> (line-D-input): hogged as input\n");
+
+ unittest(probe_pass_count + 1 == unittest_gpio_probe_pass_count,
+ "unittest_gpio_probe() failed or not called\n");
+@@ -1768,7 +1768,7 @@ static void __init of_unittest_overlay_gpio(void)
+ */
+
+ EXPECT_BEGIN(KERN_INFO,
+- "GPIO line <<int>> (line-C-input) hogged as input\n");
++ "gpio-<<int>> (line-C-input): hogged as input\n");
+
+ /* overlay_gpio_04b contains child gpio hog node */
+
+@@ -1776,7 +1776,7 @@ static void __init of_unittest_overlay_gpio(void)
+ "Adding overlay 'overlay_gpio_04b' failed\n");
+
+ EXPECT_END(KERN_INFO,
+- "GPIO line <<int>> (line-C-input) hogged as input\n");
++ "gpio-<<int>> (line-C-input): hogged as input\n");
+
+ unittest(chip_request_count + 1 == unittest_gpio_chip_request_count,
+ "unittest_gpio_chip_request() called %d times (expected 1 time)\n",
+--
+2.33.0
+
--- /dev/null
+From d2fea2a7909fa398bf82fcdb598c74ca542a6e2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Nov 2021 20:19:33 +0900
+Subject: openrisc: fix SMP tlb flush NULL pointer dereference
+
+From: Stafford Horne <shorne@gmail.com>
+
+[ Upstream commit 27dff9a9c247d4e38d82c2e7234914cfe8499294 ]
+
+Throughout the OpenRISC kernel port VMA is passed as NULL when flushing
+kernel tlb entries. Somehow this was missed when I was testing
+c28b27416da9 ("openrisc: Implement proper SMP tlb flushing") and now the
+SMP kernel fails to completely boot.
+
+In OpenRISC VMA is used only to determine which cores need to have their
+TLB entries flushed.
+
+This patch updates the logic to flush tlbs on all cores when the VMA is
+passed as NULL. Also, we update places VMA is passed as NULL to use
+flush_tlb_kernel_range instead. Now, the only place VMA is passed as
+NULL is in the implementation of flush_tlb_kernel_range.
+
+Fixes: c28b27416da9 ("openrisc: Implement proper SMP tlb flushing")
+Reported-by: Jan Henrik Weinstock <jan.weinstock@rwth-aachen.de>
+Signed-off-by: Stafford Horne <shorne@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/openrisc/kernel/dma.c | 4 ++--
+ arch/openrisc/kernel/smp.c | 6 ++++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/arch/openrisc/kernel/dma.c b/arch/openrisc/kernel/dma.c
+index 1b16d97e7da7f..a82b2caaa560d 100644
+--- a/arch/openrisc/kernel/dma.c
++++ b/arch/openrisc/kernel/dma.c
+@@ -33,7 +33,7 @@ page_set_nocache(pte_t *pte, unsigned long addr,
+ * Flush the page out of the TLB so that the new page flags get
+ * picked up next time there's an access
+ */
+- flush_tlb_page(NULL, addr);
++ flush_tlb_kernel_range(addr, addr + PAGE_SIZE);
+
+ /* Flush page out of dcache */
+ for (cl = __pa(addr); cl < __pa(next); cl += cpuinfo->dcache_block_size)
+@@ -56,7 +56,7 @@ page_clear_nocache(pte_t *pte, unsigned long addr,
+ * Flush the page out of the TLB so that the new page flags get
+ * picked up next time there's an access
+ */
+- flush_tlb_page(NULL, addr);
++ flush_tlb_kernel_range(addr, addr + PAGE_SIZE);
+
+ return 0;
+ }
+diff --git a/arch/openrisc/kernel/smp.c b/arch/openrisc/kernel/smp.c
+index e4dad76066aed..18b320a06fe56 100644
+--- a/arch/openrisc/kernel/smp.c
++++ b/arch/openrisc/kernel/smp.c
+@@ -261,7 +261,7 @@ static inline void ipi_flush_tlb_range(void *info)
+ local_flush_tlb_range(NULL, fd->addr1, fd->addr2);
+ }
+
+-static void smp_flush_tlb_range(struct cpumask *cmask, unsigned long start,
++static void smp_flush_tlb_range(const struct cpumask *cmask, unsigned long start,
+ unsigned long end)
+ {
+ unsigned int cpuid;
+@@ -309,7 +309,9 @@ void flush_tlb_page(struct vm_area_struct *vma, unsigned long uaddr)
+ void flush_tlb_range(struct vm_area_struct *vma,
+ unsigned long start, unsigned long end)
+ {
+- smp_flush_tlb_range(mm_cpumask(vma->vm_mm), start, end);
++ const struct cpumask *cmask = vma ? mm_cpumask(vma->vm_mm)
++ : cpu_online_mask;
++ smp_flush_tlb_range(cmask, start, end);
+ }
+
+ /* Instruction cache invalidate - performed on each cpu */
+--
+2.33.0
+
--- /dev/null
+From c3168ae10a4c08bff378394e3629f0c23c42eb87 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Oct 2021 15:46:52 +0800
+Subject: opp: Fix return in _opp_add_static_v2()
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 27ff8187f13ecfec8a26fb1928e906f46f326cc5 ]
+
+Fix sparse warning:
+drivers/opp/of.c:924 _opp_add_static_v2() warn: passing zero to 'ERR_PTR'
+
+For duplicate OPPs 'ret' be set to zero.
+
+Fixes: deac8703da5f ("PM / OPP: _of_add_opp_table_v2(): increment count only if OPP is added")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/opp/of.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/opp/of.c b/drivers/opp/of.c
+index f83f4f6d70349..5de46aa99d243 100644
+--- a/drivers/opp/of.c
++++ b/drivers/opp/of.c
+@@ -827,7 +827,7 @@ free_required_opps:
+ free_opp:
+ _opp_free(new_opp);
+
+- return ERR_PTR(ret);
++ return ret ? ERR_PTR(ret) : NULL;
+ }
+
+ /* Initializes OPP tables based on new bindings */
+--
+2.33.0
+
--- /dev/null
+From 170c68e2151138c96b05c82f482f2dff4f6c4839 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 9 Oct 2021 20:24:39 +0200
+Subject: parisc: fix warning in flush_tlb_all
+
+From: Sven Schnelle <svens@stackframe.org>
+
+[ Upstream commit 1030d681319b43869e0d5b568b9d0226652d1a6f ]
+
+I've got the following splat after enabling preemption:
+
+[ 3.724721] BUG: using __this_cpu_add() in preemptible [00000000] code: swapper/0/1
+[ 3.734630] caller is __this_cpu_preempt_check+0x38/0x50
+[ 3.740635] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.15.0-rc4-64bit+ #324
+[ 3.744605] Hardware name: 9000/785/C8000
+[ 3.744605] Backtrace:
+[ 3.744605] [<00000000401d9d58>] show_stack+0x74/0xb0
+[ 3.744605] [<0000000040c27bd4>] dump_stack_lvl+0x10c/0x188
+[ 3.744605] [<0000000040c27c84>] dump_stack+0x34/0x48
+[ 3.744605] [<0000000040c33438>] check_preemption_disabled+0x178/0x1b0
+[ 3.744605] [<0000000040c334f8>] __this_cpu_preempt_check+0x38/0x50
+[ 3.744605] [<00000000401d632c>] flush_tlb_all+0x58/0x2e0
+[ 3.744605] [<00000000401075c0>] 0x401075c0
+[ 3.744605] [<000000004010b8fc>] 0x4010b8fc
+[ 3.744605] [<00000000401080fc>] 0x401080fc
+[ 3.744605] [<00000000401d5224>] do_one_initcall+0x128/0x378
+[ 3.744605] [<0000000040102de8>] 0x40102de8
+[ 3.744605] [<0000000040c33864>] kernel_init+0x60/0x3a8
+[ 3.744605] [<00000000401d1020>] ret_from_kernel_thread+0x20/0x28
+[ 3.744605]
+
+Fix this by moving the __inc_irq_stat() into the locked section.
+
+Signed-off-by: Sven Schnelle <svens@stackframe.org>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/parisc/mm/init.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/parisc/mm/init.c b/arch/parisc/mm/init.c
+index 3ec633b11b542..8f10cc6ee0fce 100644
+--- a/arch/parisc/mm/init.c
++++ b/arch/parisc/mm/init.c
+@@ -844,9 +844,9 @@ void flush_tlb_all(void)
+ {
+ int do_recycle;
+
+- __inc_irq_stat(irq_tlb_count);
+ do_recycle = 0;
+ spin_lock(&sid_lock);
++ __inc_irq_stat(irq_tlb_count);
+ if (dirty_space_ids > RECYCLE_THRESHOLD) {
+ BUG_ON(recycle_inuse); /* FIXME: Use a semaphore/wait queue here */
+ get_dirty_sids(&recycle_ndirty,recycle_dirty_array);
+@@ -865,8 +865,8 @@ void flush_tlb_all(void)
+ #else
+ void flush_tlb_all(void)
+ {
+- __inc_irq_stat(irq_tlb_count);
+ spin_lock(&sid_lock);
++ __inc_irq_stat(irq_tlb_count);
+ flush_tlb_all_local(NULL);
+ recycle_sids();
+ spin_unlock(&sid_lock);
+--
+2.33.0
+
--- /dev/null
+From e9ab29a4754b0cdfdbc8860361ed2ef74ddd885c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Oct 2021 21:49:23 +0200
+Subject: parisc/kgdb: add kgdb_roundup() to make kgdb work with idle polling
+
+From: Sven Schnelle <svens@stackframe.org>
+
+[ Upstream commit 66e29fcda1824f0427966fbee2bd2c85bf362c82 ]
+
+With idle polling, IPIs are not sent when a CPU idle, but queued
+and run later from do_idle(). The default kgdb_call_nmi_hook()
+implementation gets the pointer to struct pt_regs from get_irq_reqs(),
+which doesn't work in that case because it was not called from the
+IPI interrupt handler. Fix it by defining our own kgdb_roundup()
+function which sents an IPI_ENTER_KGDB. When that IPI is received
+on the target CPU kgdb_nmicallback() is called.
+
+Signed-off-by: Sven Schnelle <svens@stackframe.org>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/parisc/kernel/smp.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/arch/parisc/kernel/smp.c b/arch/parisc/kernel/smp.c
+index 1405b603b91b6..cf92ece20b757 100644
+--- a/arch/parisc/kernel/smp.c
++++ b/arch/parisc/kernel/smp.c
+@@ -29,6 +29,7 @@
+ #include <linux/bitops.h>
+ #include <linux/ftrace.h>
+ #include <linux/cpu.h>
++#include <linux/kgdb.h>
+
+ #include <linux/atomic.h>
+ #include <asm/current.h>
+@@ -69,7 +70,10 @@ enum ipi_message_type {
+ IPI_CALL_FUNC,
+ IPI_CPU_START,
+ IPI_CPU_STOP,
+- IPI_CPU_TEST
++ IPI_CPU_TEST,
++#ifdef CONFIG_KGDB
++ IPI_ENTER_KGDB,
++#endif
+ };
+
+
+@@ -167,7 +171,12 @@ ipi_interrupt(int irq, void *dev_id)
+ case IPI_CPU_TEST:
+ smp_debug(100, KERN_DEBUG "CPU%d is alive!\n", this_cpu);
+ break;
+-
++#ifdef CONFIG_KGDB
++ case IPI_ENTER_KGDB:
++ smp_debug(100, KERN_DEBUG "CPU%d ENTER_KGDB\n", this_cpu);
++ kgdb_nmicallback(raw_smp_processor_id(), get_irq_regs());
++ break;
++#endif
+ default:
+ printk(KERN_CRIT "Unknown IPI num on CPU%d: %lu\n",
+ this_cpu, which);
+@@ -226,6 +235,12 @@ send_IPI_allbutself(enum ipi_message_type op)
+ }
+ }
+
++#ifdef CONFIG_KGDB
++void kgdb_roundup_cpus(void)
++{
++ send_IPI_allbutself(IPI_ENTER_KGDB);
++}
++#endif
+
+ inline void
+ smp_send_stop(void) { send_IPI_allbutself(IPI_CPU_STOP); }
+--
+2.33.0
+
--- /dev/null
+From 92be405f50b251a632f1ffb95d8d60a0e35da079 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 9 Oct 2021 23:15:17 +0200
+Subject: parisc/unwind: fix unwinder when CONFIG_64BIT is enabled
+
+From: Sven Schnelle <svens@stackframe.org>
+
+[ Upstream commit 8e0ba125c2bf1030af3267058019ba86da96863f ]
+
+With 64 bit kernels unwind_special() is not working because
+it compares the pc to the address of the function descriptor.
+Add a helper function that compares pc with the dereferenced
+address. This fixes all of the backtraces on my c8000. Without
+this changes, a lot of backtraces are missing in kdb or the
+show-all-tasks command from /proc/sysrq-trigger.
+
+Signed-off-by: Sven Schnelle <svens@stackframe.org>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/parisc/kernel/unwind.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/arch/parisc/kernel/unwind.c b/arch/parisc/kernel/unwind.c
+index 87ae476d1c4f5..86a57fb0e6fae 100644
+--- a/arch/parisc/kernel/unwind.c
++++ b/arch/parisc/kernel/unwind.c
+@@ -21,6 +21,8 @@
+ #include <asm/ptrace.h>
+
+ #include <asm/unwind.h>
++#include <asm/switch_to.h>
++#include <asm/sections.h>
+
+ /* #define DEBUG 1 */
+ #ifdef DEBUG
+@@ -203,6 +205,11 @@ int __init unwind_init(void)
+ return 0;
+ }
+
++static bool pc_is_kernel_fn(unsigned long pc, void *fn)
++{
++ return (unsigned long)dereference_kernel_function_descriptor(fn) == pc;
++}
++
+ static int unwind_special(struct unwind_frame_info *info, unsigned long pc, int frame_size)
+ {
+ /*
+@@ -221,7 +228,7 @@ static int unwind_special(struct unwind_frame_info *info, unsigned long pc, int
+ extern void * const _call_on_stack;
+ #endif /* CONFIG_IRQSTACKS */
+
+- if (pc == (unsigned long) &handle_interruption) {
++ if (pc_is_kernel_fn(pc, handle_interruption)) {
+ struct pt_regs *regs = (struct pt_regs *)(info->sp - frame_size - PT_SZ_ALGN);
+ dbg("Unwinding through handle_interruption()\n");
+ info->prev_sp = regs->gr[30];
+@@ -229,13 +236,13 @@ static int unwind_special(struct unwind_frame_info *info, unsigned long pc, int
+ return 1;
+ }
+
+- if (pc == (unsigned long) &ret_from_kernel_thread ||
+- pc == (unsigned long) &syscall_exit) {
++ if (pc_is_kernel_fn(pc, ret_from_kernel_thread) ||
++ pc_is_kernel_fn(pc, syscall_exit)) {
+ info->prev_sp = info->prev_ip = 0;
+ return 1;
+ }
+
+- if (pc == (unsigned long) &intr_return) {
++ if (pc_is_kernel_fn(pc, intr_return)) {
+ struct pt_regs *regs;
+
+ dbg("Found intr_return()\n");
+@@ -246,20 +253,20 @@ static int unwind_special(struct unwind_frame_info *info, unsigned long pc, int
+ return 1;
+ }
+
+- if (pc == (unsigned long) &_switch_to_ret) {
++ if (pc_is_kernel_fn(pc, _switch_to) ||
++ pc_is_kernel_fn(pc, _switch_to_ret)) {
+ info->prev_sp = info->sp - CALLEE_SAVE_FRAME_SIZE;
+ info->prev_ip = *(unsigned long *)(info->prev_sp - RP_OFFSET);
+ return 1;
+ }
+
+ #ifdef CONFIG_IRQSTACKS
+- if (pc == (unsigned long) &_call_on_stack) {
++ if (pc_is_kernel_fn(pc, _call_on_stack)) {
+ info->prev_sp = *(unsigned long *)(info->sp - FRAME_SIZE - REG_SZ);
+ info->prev_ip = *(unsigned long *)(info->sp - FRAME_SIZE - RP_OFFSET);
+ return 1;
+ }
+ #endif
+-
+ return 0;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 46a773a9ab25a9b505dbfd8ccce3876ae17aa7e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Oct 2021 20:09:42 +0200
+Subject: PCI: aardvark: Don't spam about PIO Response Status
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún <kabel@kernel.org>
+
+[ Upstream commit 464de7e7fff767e87429cd7be09c4f2cb50a6ccb ]
+
+Use dev_dbg() instead of dev_err() in advk_pcie_check_pio_status().
+
+For example CRS is not an error status, it just says that the request
+should be retried.
+
+Link: https://lore.kernel.org/r/20211005180952.6812-4-kabel@kernel.org
+Fixes: 8c39d710363c1 ("PCI: aardvark: Add Aardvark PCI host controller driver")
+Signed-off-by: Marek Behún <kabel@kernel.org>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pci-aardvark.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/controller/pci-aardvark.c b/drivers/pci/controller/pci-aardvark.c
+index ec7bafbe813f0..65762fddd9fc0 100644
+--- a/drivers/pci/controller/pci-aardvark.c
++++ b/drivers/pci/controller/pci-aardvark.c
+@@ -778,7 +778,7 @@ static int advk_pcie_check_pio_status(struct advk_pcie *pcie, bool allow_crs, u3
+ else
+ str_posted = "Posted";
+
+- dev_err(dev, "%s PIO Response Status: %s, %#x @ %#x\n",
++ dev_dbg(dev, "%s PIO Response Status: %s, %#x @ %#x\n",
+ str_posted, strcomp_status, reg, advk_readl(pcie, PIO_ADDR_LS));
+
+ return -EFAULT;
+--
+2.33.0
+
--- /dev/null
+From e15056caadb6fba663d6c6cd366580e9e39971b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Oct 2021 20:09:43 +0200
+Subject: PCI: aardvark: Fix preserving PCI_EXP_RTCTL_CRSSVE flag on emulated
+ bridge
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit d419052bc6c60fa4ab2b5a51d5f1e55a66e2b4ff ]
+
+Commit 43f5c77bcbd2 ("PCI: aardvark: Fix reporting CRS value") started
+using CRSSVE flag for handling CRS responses.
+
+PCI_EXP_RTCTL_CRSSVE flag is stored only in emulated config space buffer
+and there is handler for PCI_EXP_RTCTL register. So every read operation
+from config space automatically clears CRSSVE flag as it is not defined in
+PCI_EXP_RTCTL read handler.
+
+Fix this by reading current CRSSVE bit flag from emulated space buffer and
+appending it to PCI_EXP_RTCTL read response.
+
+Link: https://lore.kernel.org/r/20211005180952.6812-5-kabel@kernel.org
+Fixes: 43f5c77bcbd2 ("PCI: aardvark: Fix reporting CRS value")
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Marek Behún <kabel@kernel.org>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Reviewed-by: Marek Behún <kabel@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pci-aardvark.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pci/controller/pci-aardvark.c b/drivers/pci/controller/pci-aardvark.c
+index 65762fddd9fc0..5b34dea80885d 100644
+--- a/drivers/pci/controller/pci-aardvark.c
++++ b/drivers/pci/controller/pci-aardvark.c
+@@ -885,6 +885,7 @@ advk_pci_bridge_emul_pcie_conf_read(struct pci_bridge_emul *bridge,
+ case PCI_EXP_RTCTL: {
+ u32 val = advk_readl(pcie, PCIE_ISR0_MASK_REG);
+ *value = (val & PCIE_MSG_PM_PME_MASK) ? 0 : PCI_EXP_RTCTL_PMEIE;
++ *value |= le16_to_cpu(bridge->pcie_conf.rootctl) & PCI_EXP_RTCTL_CRSSVE;
+ *value |= PCI_EXP_RTCAP_CRSVIS << 16;
+ return PCI_BRIDGE_EMUL_HANDLED;
+ }
+--
+2.33.0
+
--- /dev/null
+From c423029c4b8367c1e6c5666698266f595585a8b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Sep 2021 09:22:59 +0900
+Subject: PCI: uniphier: Serialize INTx masking/unmasking and fix the bit
+ operation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+
+[ Upstream commit 4caab28a6215da5f3c1b505ff08810bc6acfe365 ]
+
+The condition register PCI_RCV_INTX is used in irq_mask() and irq_unmask()
+callbacks. Accesses to register can occur at the same time without a lock.
+Add a lock into each callback to prevent the issue.
+
+And INTX mask and unmask fields in PCL_RCV_INTX register should only be
+set/reset for each bit. Clearing by PCL_RCV_INTX_ALL_MASK should be
+removed.
+
+INTX status fields in PCL_RCV_INTX register only indicates each INTX
+interrupt status, so the handler can't clear by writing 1 to the field.
+The status is expected to be cleared by the interrupt origin.
+The ack function has no meaning, so should remove it.
+
+Suggested-by: Pali Rohár <pali@kernel.org>
+Link: https://lore.kernel.org/r/1631924579-24567-1-git-send-email-hayashi.kunihiko@socionext.com
+Fixes: 7e6d5cd88a6f ("PCI: uniphier: Add UniPhier PCIe host controller support")
+Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Acked-by: Pali Rohár <pali@kernel.org>
+Acked-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/dwc/pcie-uniphier.c | 26 +++++++++-------------
+ 1 file changed, 10 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/pci/controller/dwc/pcie-uniphier.c b/drivers/pci/controller/dwc/pcie-uniphier.c
+index 48176265c867e..527ec8aeb602f 100644
+--- a/drivers/pci/controller/dwc/pcie-uniphier.c
++++ b/drivers/pci/controller/dwc/pcie-uniphier.c
+@@ -171,30 +171,21 @@ static void uniphier_pcie_irq_enable(struct uniphier_pcie_priv *priv)
+ writel(PCL_RCV_INTX_ALL_ENABLE, priv->base + PCL_RCV_INTX);
+ }
+
+-static void uniphier_pcie_irq_ack(struct irq_data *d)
+-{
+- struct pcie_port *pp = irq_data_get_irq_chip_data(d);
+- struct dw_pcie *pci = to_dw_pcie_from_pp(pp);
+- struct uniphier_pcie_priv *priv = to_uniphier_pcie(pci);
+- u32 val;
+-
+- val = readl(priv->base + PCL_RCV_INTX);
+- val &= ~PCL_RCV_INTX_ALL_STATUS;
+- val |= BIT(irqd_to_hwirq(d) + PCL_RCV_INTX_STATUS_SHIFT);
+- writel(val, priv->base + PCL_RCV_INTX);
+-}
+-
+ static void uniphier_pcie_irq_mask(struct irq_data *d)
+ {
+ struct pcie_port *pp = irq_data_get_irq_chip_data(d);
+ struct dw_pcie *pci = to_dw_pcie_from_pp(pp);
+ struct uniphier_pcie_priv *priv = to_uniphier_pcie(pci);
++ unsigned long flags;
+ u32 val;
+
++ raw_spin_lock_irqsave(&pp->lock, flags);
++
+ val = readl(priv->base + PCL_RCV_INTX);
+- val &= ~PCL_RCV_INTX_ALL_MASK;
+ val |= BIT(irqd_to_hwirq(d) + PCL_RCV_INTX_MASK_SHIFT);
+ writel(val, priv->base + PCL_RCV_INTX);
++
++ raw_spin_unlock_irqrestore(&pp->lock, flags);
+ }
+
+ static void uniphier_pcie_irq_unmask(struct irq_data *d)
+@@ -202,17 +193,20 @@ static void uniphier_pcie_irq_unmask(struct irq_data *d)
+ struct pcie_port *pp = irq_data_get_irq_chip_data(d);
+ struct dw_pcie *pci = to_dw_pcie_from_pp(pp);
+ struct uniphier_pcie_priv *priv = to_uniphier_pcie(pci);
++ unsigned long flags;
+ u32 val;
+
++ raw_spin_lock_irqsave(&pp->lock, flags);
++
+ val = readl(priv->base + PCL_RCV_INTX);
+- val &= ~PCL_RCV_INTX_ALL_MASK;
+ val &= ~BIT(irqd_to_hwirq(d) + PCL_RCV_INTX_MASK_SHIFT);
+ writel(val, priv->base + PCL_RCV_INTX);
++
++ raw_spin_unlock_irqrestore(&pp->lock, flags);
+ }
+
+ static struct irq_chip uniphier_pcie_irq_chip = {
+ .name = "PCI",
+- .irq_ack = uniphier_pcie_irq_ack,
+ .irq_mask = uniphier_pcie_irq_mask,
+ .irq_unmask = uniphier_pcie_irq_unmask,
+ };
+--
+2.33.0
+
--- /dev/null
+From ae5efb9aa19b667e3f0903cf2c0e61fa9db02383 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Nov 2021 22:37:33 -0700
+Subject: perf bpf: Add missing free to bpf_event__print_bpf_prog_info()
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit 88c42f4d6cb249eb68524282f8d4cc32f9059984 ]
+
+If btf__new() is called then there needs to be a corresponding btf__free().
+
+Fixes: f8dfeae009effc0b ("perf bpf: Show more BPF program info in print_bpf_prog_info()")
+Signed-off-by: Ian Rogers <irogers@google.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Andrii Nakryiko <andrii@kernel.org>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: John Fastabend <john.fastabend@gmail.com>
+Cc: KP Singh <kpsingh@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Martin KaFai Lau <kafai@fb.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Song Liu <songliubraving@fb.com>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Tiezhu Yang <yangtiezhu@loongson.cn>
+Cc: Yonghong Song <yhs@fb.com>
+Cc: bpf@vger.kernel.org
+Cc: netdev@vger.kernel.org
+Link: http://lore.kernel.org/lkml/20211106053733.3580931-2-irogers@google.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/bpf-event.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/bpf-event.c b/tools/perf/util/bpf-event.c
+index 3742511a08d15..c8101575dbf45 100644
+--- a/tools/perf/util/bpf-event.c
++++ b/tools/perf/util/bpf-event.c
+@@ -557,7 +557,7 @@ void bpf_event__print_bpf_prog_info(struct bpf_prog_info *info,
+ synthesize_bpf_prog_name(name, KSYM_NAME_LEN, info, btf, 0);
+ fprintf(fp, "# bpf_prog_info %u: %s addr 0x%llx size %u\n",
+ info->id, name, prog_addrs[0], prog_lens[0]);
+- return;
++ goto out;
+ }
+
+ fprintf(fp, "# bpf_prog_info %u:\n", info->id);
+@@ -567,4 +567,6 @@ void bpf_event__print_bpf_prog_info(struct bpf_prog_info *info,
+ fprintf(fp, "# \tsub_prog %u: %s addr 0x%llx size %u\n",
+ i, name, prog_addrs[i], prog_lens[i]);
+ }
++out:
++ btf__free(btf);
+ }
+--
+2.33.0
+
--- /dev/null
+From f76986db06d0c601845bd32838671f8b2c33a30d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Oct 2021 21:16:47 +0200
+Subject: phy: micrel: ksz8041nl: do not use power down mode
+
+From: Stefan Agner <stefan@agner.ch>
+
+[ Upstream commit 2641b62d2fab52648e34cdc6994b2eacde2d27c1 ]
+
+Some Micrel KSZ8041NL PHY chips exhibit continuous RX errors after using
+the power down mode bit (0.11). If the PHY is taken out of power down
+mode in a certain temperature range, the PHY enters a weird state which
+leads to continuously reporting RX errors. In that state, the MAC is not
+able to receive or send any Ethernet frames and the activity LED is
+constantly blinking. Since Linux is using the suspend callback when the
+interface is taken down, ending up in that state can easily happen
+during a normal startup.
+
+Micrel confirmed the issue in errata DS80000700A [*], caused by abnormal
+clock recovery when using power down mode. Even the latest revision (A4,
+Revision ID 0x1513) seems to suffer that problem, and according to the
+errata is not going to be fixed.
+
+Remove the suspend/resume callback to avoid using the power down mode
+completely.
+
+[*] https://ww1.microchip.com/downloads/en/DeviceDoc/80000700A.pdf
+
+Fixes: 1a5465f5d6a2 ("phy/micrel: Add suspend/resume support to Micrel PHYs")
+Signed-off-by: Stefan Agner <stefan@agner.ch>
+Acked-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
+Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/micrel.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c
+index b341a8be09f92..92e94ac94a342 100644
+--- a/drivers/net/phy/micrel.c
++++ b/drivers/net/phy/micrel.c
+@@ -1216,8 +1216,9 @@ static struct phy_driver ksphy_driver[] = {
+ .get_sset_count = kszphy_get_sset_count,
+ .get_strings = kszphy_get_strings,
+ .get_stats = kszphy_get_stats,
+- .suspend = genphy_suspend,
+- .resume = genphy_resume,
++ /* No suspend/resume callbacks because of errata DS80000700A,
++ * receiver error following software power down.
++ */
+ }, {
+ .phy_id = PHY_ID_KSZ8041RNLI,
+ .phy_id_mask = MICREL_PHY_ID_MASK,
+--
+2.33.0
+
--- /dev/null
+From b2d21f7c6fde4cd8dd106c08d96e6da2bdca6eb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Sep 2021 02:35:48 +0300
+Subject: phy: qcom-qusb2: Fix a memory leak on probe
+
+From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+
+[ Upstream commit bf7ffcd0069d30e2e7ba2b827f08c89f471cd1f3 ]
+
+On success nvmem_cell_read() returns a pointer to a dynamically allocated
+buffer, and therefore it shall be freed after usage.
+
+The issue is reported by kmemleak:
+
+ # cat /sys/kernel/debug/kmemleak
+ unreferenced object 0xffff3b3803e4b280 (size 128):
+ comm "kworker/u16:1", pid 107, jiffies 4294892861 (age 94.120s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<000000007739afdc>] __kmalloc+0x27c/0x41c
+ [<0000000071c0fbf8>] nvmem_cell_read+0x40/0xe0
+ [<00000000e803ef1f>] qusb2_phy_init+0x258/0x5bc
+ [<00000000fc81fcfa>] phy_init+0x70/0x110
+ [<00000000e3d48a57>] dwc3_core_soft_reset+0x4c/0x234
+ [<0000000027d1dbd4>] dwc3_core_init+0x68/0x990
+ [<000000001965faf9>] dwc3_probe+0x4f4/0x730
+ [<000000002f7617ca>] platform_probe+0x74/0xf0
+ [<00000000a2576cac>] really_probe+0xc4/0x470
+ [<00000000bc77f2c5>] __driver_probe_device+0x11c/0x190
+ [<00000000130db71f>] driver_probe_device+0x48/0x110
+ [<0000000019f36c2b>] __device_attach_driver+0xa4/0x140
+ [<00000000e5812ff7>] bus_for_each_drv+0x84/0xe0
+ [<00000000f4bac574>] __device_attach+0xe4/0x1c0
+ [<00000000d3beb631>] device_initial_probe+0x20/0x30
+ [<000000008019b9db>] bus_probe_device+0xa4/0xb0
+
+Fixes: ca04d9d3e1b1 ("phy: qcom-qusb2: New driver for QUSB2 PHY on Qcom chips")
+Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Link: https://lore.kernel.org/r/20210922233548.2150244-1-vladimir.zapolskiy@linaro.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qusb2.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-qusb2.c b/drivers/phy/qualcomm/phy-qcom-qusb2.c
+index 557547dabfd50..f531043ec3deb 100644
+--- a/drivers/phy/qualcomm/phy-qcom-qusb2.c
++++ b/drivers/phy/qualcomm/phy-qcom-qusb2.c
+@@ -474,7 +474,7 @@ static void qusb2_phy_set_tune2_param(struct qusb2_phy *qphy)
+ {
+ struct device *dev = &qphy->phy->dev;
+ const struct qusb2_phy_cfg *cfg = qphy->cfg;
+- u8 *val;
++ u8 *val, hstx_trim;
+
+ /* efuse register is optional */
+ if (!qphy->cell)
+@@ -488,7 +488,13 @@ static void qusb2_phy_set_tune2_param(struct qusb2_phy *qphy)
+ * set while configuring the phy.
+ */
+ val = nvmem_cell_read(qphy->cell, NULL);
+- if (IS_ERR(val) || !val[0]) {
++ if (IS_ERR(val)) {
++ dev_dbg(dev, "failed to read a valid hs-tx trim value\n");
++ return;
++ }
++ hstx_trim = val[0];
++ kfree(val);
++ if (!hstx_trim) {
+ dev_dbg(dev, "failed to read a valid hs-tx trim value\n");
+ return;
+ }
+@@ -496,12 +502,10 @@ static void qusb2_phy_set_tune2_param(struct qusb2_phy *qphy)
+ /* Fused TUNE1/2 value is the higher nibble only */
+ if (cfg->update_tune1_with_efuse)
+ qusb2_write_mask(qphy->base, cfg->regs[QUSB2PHY_PORT_TUNE1],
+- val[0] << HSTX_TRIM_SHIFT,
+- HSTX_TRIM_MASK);
++ hstx_trim << HSTX_TRIM_SHIFT, HSTX_TRIM_MASK);
+ else
+ qusb2_write_mask(qphy->base, cfg->regs[QUSB2PHY_PORT_TUNE2],
+- val[0] << HSTX_TRIM_SHIFT,
+- HSTX_TRIM_MASK);
++ hstx_trim << HSTX_TRIM_SHIFT, HSTX_TRIM_MASK);
+ }
+
+ static int qusb2_phy_set_mode(struct phy *phy,
+--
+2.33.0
+
--- /dev/null
+From 7bd8844b4e3ac829bea155427017eb4878336855 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Oct 2021 09:49:35 +0530
+Subject: phy: qcom-snps: Correct the FSEL_MASK
+
+From: Sandeep Maheswaram <quic_c_sanm@quicinc.com>
+
+[ Upstream commit b475bf0ec40a2b13fb32ef62f5706576d5858460 ]
+
+The FSEL_MASK which selects the refclock is defined incorrectly.
+It should be [4:6] not [5:7]. Due to this incorrect definition, the BIT(7)
+in USB2_PHY_USB_PHY_HS_PHY_CTRL_COMMON0 is reset which keeps PHY analog
+blocks ON during suspend.
+Fix this issue by correctly defining the FSEL_MASK.
+
+Fixes: 51e8114f80d0 ("phy: qcom-snps: Add SNPS USB PHY driver for QCOM based SOCs")
+Signed-off-by: Sandeep Maheswaram <quic_c_sanm@quicinc.com>
+Link: https://lore.kernel.org/r/1635135575-5668-1-git-send-email-quic_c_sanm@quicinc.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/qualcomm/phy-qcom-snps-femto-v2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-snps-femto-v2.c b/drivers/phy/qualcomm/phy-qcom-snps-femto-v2.c
+index ae4bac024c7b1..7e61202aa234e 100644
+--- a/drivers/phy/qualcomm/phy-qcom-snps-femto-v2.c
++++ b/drivers/phy/qualcomm/phy-qcom-snps-femto-v2.c
+@@ -33,7 +33,7 @@
+
+ #define USB2_PHY_USB_PHY_HS_PHY_CTRL_COMMON0 (0x54)
+ #define RETENABLEN BIT(3)
+-#define FSEL_MASK GENMASK(7, 5)
++#define FSEL_MASK GENMASK(6, 4)
+ #define FSEL_DEFAULT (0x3 << 4)
+
+ #define USB2_PHY_USB_PHY_HS_PHY_CTRL_COMMON1 (0x58)
+--
+2.33.0
+
--- /dev/null
+From b3bd2adb63bcfed1846785cde21619d7c7eece8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 14:00:38 +0300
+Subject: phy: ti: gmii-sel: check of_get_address() for failure
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 8d55027f4e2c04146a75fb63371ab96ccc887f2c ]
+
+Smatch complains that if of_get_address() returns NULL, then "size"
+isn't initialized. Also it would lead to an Oops.
+
+Fixes: 7f78322cdd67 ("phy: ti: gmii-sel: retrieve ports number and base offset from dt")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Link: https://lore.kernel.org/r/20210914110038.GB11657@kili
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/ti/phy-gmii-sel.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/phy/ti/phy-gmii-sel.c b/drivers/phy/ti/phy-gmii-sel.c
+index 5fd2e8a08bfcf..d0ab69750c6b4 100644
+--- a/drivers/phy/ti/phy-gmii-sel.c
++++ b/drivers/phy/ti/phy-gmii-sel.c
+@@ -320,6 +320,8 @@ static int phy_gmii_sel_init_ports(struct phy_gmii_sel_priv *priv)
+ u64 size;
+
+ offset = of_get_address(dev->of_node, 0, &size, NULL);
++ if (!offset)
++ return -EINVAL;
+ priv->num_ports = size / sizeof(u32);
+ if (!priv->num_ports)
+ return -EINVAL;
+--
+2.33.0
+
--- /dev/null
+From 1ce29a24084243cdded08bc3b77ea789811d0959 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Oct 2021 17:38:15 +0800
+Subject: pinctrl: equilibrium: Fix function addition in multiple groups
+
+From: Rahul Tanwar <rtanwar@maxlinear.com>
+
+[ Upstream commit 53b3947ddb7f309d1f611f8dc9bfd6ea9d699907 ]
+
+Ignore the same function with multiple groups.
+Fix a typo in error print.
+
+Fixes: 1948d5c51dba ("pinctrl: Add pinmux & GPIO controller driver for a new SoC")
+Signed-off-by: Rahul Tanwar <rtanwar@maxlinear.com>
+Link: https://lore.kernel.org/r/20211020093815.20870-1-rtanwar@maxlinear.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-equilibrium.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/pinctrl-equilibrium.c b/drivers/pinctrl/pinctrl-equilibrium.c
+index ac1c47f542c11..3b6dcaa80e000 100644
+--- a/drivers/pinctrl/pinctrl-equilibrium.c
++++ b/drivers/pinctrl/pinctrl-equilibrium.c
+@@ -674,6 +674,11 @@ static int eqbr_build_functions(struct eqbr_pinctrl_drv_data *drvdata)
+ return ret;
+
+ for (i = 0; i < nr_funcs; i++) {
++
++ /* Ignore the same function with multiple groups */
++ if (funcs[i].name == NULL)
++ continue;
++
+ ret = pinmux_generic_add_function(drvdata->pctl_dev,
+ funcs[i].name,
+ funcs[i].groups,
+@@ -805,7 +810,7 @@ static int pinctrl_reg(struct eqbr_pinctrl_drv_data *drvdata)
+
+ ret = eqbr_build_functions(drvdata);
+ if (ret) {
+- dev_err(dev, "Failed to build groups\n");
++ dev_err(dev, "Failed to build functions\n");
+ return ret;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 6f27a7c1697a6e419baed153a351099c0f99cdf9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Oct 2021 16:38:47 +0200
+Subject: pinctrl: renesas: checker: Fix off-by-one bug in drive register check
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 28e7f8ff90583791a034d43b5d2e3fe394142e13 ]
+
+The GENMASK(h, l) macro creates a contiguous bitmask starting at bit
+position @l and ending at position @h, inclusive.
+
+This did not trigger any error checks, as the individual register fields
+cover at most 3 of the 4 available bits.
+
+Fixes: 08df16e07ad0a1ec ("pinctrl: sh-pfc: checker: Add drive strength register checks")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/8f82d6147fbe3367d4c83962480e97f58d9c96a2.1633615652.git.geert+renesas@glider.be
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/renesas/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/renesas/core.c b/drivers/pinctrl/renesas/core.c
+index c528c124fb0e9..9d168b90cd281 100644
+--- a/drivers/pinctrl/renesas/core.c
++++ b/drivers/pinctrl/renesas/core.c
+@@ -890,7 +890,7 @@ static void __init sh_pfc_check_drive_reg(const struct sh_pfc_soc_info *info,
+ if (!field->pin && !field->offset && !field->size)
+ continue;
+
+- mask = GENMASK(field->offset + field->size, field->offset);
++ mask = GENMASK(field->offset + field->size - 1, field->offset);
+ if (mask & seen)
+ sh_pfc_err("drive_reg 0x%x: field %u overlap\n",
+ drive->reg, i);
+--
+2.33.0
+
--- /dev/null
+From 9cdec9498bfd4c8edbe578d2fcfac5b636c0ff2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Oct 2021 11:25:37 -0700
+Subject: platform/x86: thinkpad_acpi: Fix bitwise vs. logical warning
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit fd96e35ea7b95f1e216277805be89d66e4ae962d ]
+
+A new warning in clang points out a use of bitwise OR with boolean
+expressions in this driver:
+
+drivers/platform/x86/thinkpad_acpi.c:9061:11: error: use of bitwise '|' with boolean operands [-Werror,-Wbitwise-instead-of-logical]
+ else if ((strlencmp(cmd, "level disengaged") == 0) |
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ||
+drivers/platform/x86/thinkpad_acpi.c:9061:11: note: cast one or both operands to int to silence this warning
+1 error generated.
+
+This should clearly be a logical OR so change it to fix the warning.
+
+Fixes: fe98a52ce754 ("ACPI: thinkpad-acpi: add sysfs support to fan subdriver")
+Link: https://github.com/ClangBuiltLinux/linux/issues/1476
+Reported-by: Tor Vic <torvic9@mailbox.org>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Link: https://lore.kernel.org/r/20211018182537.2316800-1-nathan@kernel.org
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/thinkpad_acpi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c
+index 5c2f2e337b57b..2a313643e0388 100644
+--- a/drivers/platform/x86/thinkpad_acpi.c
++++ b/drivers/platform/x86/thinkpad_acpi.c
+@@ -9097,7 +9097,7 @@ static int fan_write_cmd_level(const char *cmd, int *rc)
+
+ if (strlencmp(cmd, "level auto") == 0)
+ level = TP_EC_FAN_AUTO;
+- else if ((strlencmp(cmd, "level disengaged") == 0) |
++ else if ((strlencmp(cmd, "level disengaged") == 0) ||
+ (strlencmp(cmd, "level full-speed") == 0))
+ level = TP_EC_FAN_FULLSPEED;
+ else if (sscanf(cmd, "level %d", &level) != 1)
+--
+2.33.0
+
--- /dev/null
+From 9c473b3566d34ac8c5de2b1bf8626b99c5ac07e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Sep 2021 17:56:26 +0000
+Subject: platform/x86: wmi: do not fail if disabling fails
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Barnabás Pőcze <pobrn@protonmail.com>
+
+[ Upstream commit 1975718c488a39128f1f515b23ae61a5a214cc3d ]
+
+Previously, `__query_block()` would fail if the
+second WCxx method call failed. However, the
+WQxx method might have succeeded, and potentially
+allocated memory for the result. Instead of
+throwing away the result and potentially
+leaking memory, ignore the result of
+the second WCxx call.
+
+Signed-off-by: Barnabás Pőcze <pobrn@protonmail.com>
+Link: https://lore.kernel.org/r/20210904175450.156801-25-pobrn@protonmail.com
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/wmi.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c
+index d88f388a3450f..1f80b26281628 100644
+--- a/drivers/platform/x86/wmi.c
++++ b/drivers/platform/x86/wmi.c
+@@ -354,7 +354,14 @@ static acpi_status __query_block(struct wmi_block *wblock, u8 instance,
+ * the WQxx method failed - we should disable collection anyway.
+ */
+ if ((block->flags & ACPI_WMI_EXPENSIVE) && ACPI_SUCCESS(wc_status)) {
+- status = acpi_execute_simple_method(handle, wc_method, 0);
++ /*
++ * Ignore whether this WCxx call succeeds or not since
++ * the previously executed WQxx method call might have
++ * succeeded, and returning the failing status code
++ * of this call would throw away the result of the WQxx
++ * call, potentially leaking memory.
++ */
++ acpi_execute_simple_method(handle, wc_method, 0);
+ }
+
+ return status;
+--
+2.33.0
+
--- /dev/null
+From 5466351b38872422f770fc31f3d94430e7468fc2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Sep 2021 15:05:22 +0100
+Subject: PM: EM: Fix inefficient states detection
+
+From: Vincent Donnefort <vincent.donnefort@arm.com>
+
+[ Upstream commit aa1a43262ad5df010768f69530fa179ff81651d3 ]
+
+Currently, a debug message is printed if an inefficient state is detected
+in the Energy Model. Unfortunately, it won't detect if the first state is
+inefficient or if two successive states are. Fix this behavior.
+
+Fixes: 27871f7a8a34 (PM: Introduce an Energy Model management framework)
+Signed-off-by: Vincent Donnefort <vincent.donnefort@arm.com>
+Reviewed-by: Quentin Perret <qperret@google.com>
+Reviewed-by: Lukasz Luba <lukasz.luba@arm.com>
+Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/power/energy_model.c | 23 ++++++++---------------
+ 1 file changed, 8 insertions(+), 15 deletions(-)
+
+diff --git a/kernel/power/energy_model.c b/kernel/power/energy_model.c
+index be381eb6116a1..119b929dcff0f 100644
+--- a/kernel/power/energy_model.c
++++ b/kernel/power/energy_model.c
+@@ -94,8 +94,7 @@ static void em_debug_remove_pd(struct device *dev) {}
+ static int em_create_perf_table(struct device *dev, struct em_perf_domain *pd,
+ int nr_states, struct em_data_callback *cb)
+ {
+- unsigned long opp_eff, prev_opp_eff = ULONG_MAX;
+- unsigned long power, freq, prev_freq = 0;
++ unsigned long power, freq, prev_freq = 0, prev_cost = ULONG_MAX;
+ struct em_perf_state *table;
+ int i, ret;
+ u64 fmax;
+@@ -140,27 +139,21 @@ static int em_create_perf_table(struct device *dev, struct em_perf_domain *pd,
+
+ table[i].power = power;
+ table[i].frequency = prev_freq = freq;
+-
+- /*
+- * The hertz/watts efficiency ratio should decrease as the
+- * frequency grows on sane platforms. But this isn't always
+- * true in practice so warn the user if a higher OPP is more
+- * power efficient than a lower one.
+- */
+- opp_eff = freq / power;
+- if (opp_eff >= prev_opp_eff)
+- dev_dbg(dev, "EM: hertz/watts ratio non-monotonically decreasing: em_perf_state %d >= em_perf_state%d\n",
+- i, i - 1);
+- prev_opp_eff = opp_eff;
+ }
+
+ /* Compute the cost of each performance state. */
+ fmax = (u64) table[nr_states - 1].frequency;
+- for (i = 0; i < nr_states; i++) {
++ for (i = nr_states - 1; i >= 0; i--) {
+ unsigned long power_res = em_scale_power(table[i].power);
+
+ table[i].cost = div64_u64(fmax * power_res,
+ table[i].frequency);
++ if (table[i].cost >= prev_cost) {
++ dev_dbg(dev, "EM: OPP:%lu is inefficient\n",
++ table[i].frequency);
++ } else {
++ prev_cost = table[i].cost;
++ }
+ }
+
+ pd->table = table;
+--
+2.33.0
+
--- /dev/null
+From a0abee015cc61abb652b104f56498e30d4af496d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Oct 2021 21:13:37 +0200
+Subject: PM: hibernate: fix sparse warnings
+
+From: Anders Roxell <anders.roxell@linaro.org>
+
+[ Upstream commit 01de5fcd8b1ac0ca28d2bb0921226a54fdd62684 ]
+
+When building the kernel with sparse enabled 'C=1' the following
+warnings shows up:
+
+kernel/power/swap.c:390:29: warning: incorrect type in assignment (different base types)
+kernel/power/swap.c:390:29: expected int ret
+kernel/power/swap.c:390:29: got restricted blk_status_t
+
+This is due to function hib_wait_io() returns a 'blk_status_t' which is
+a bitwise u8. Commit 5416da01ff6e ("PM: hibernate: Remove
+blk_status_to_errno in hib_wait_io") seemed to have mixed up the return
+type. However, the 4e4cbee93d56 ("block: switch bios to blk_status_t")
+actually broke the behaviour by returning the wrong type.
+
+Rework so function hib_wait_io() returns a 'int' instead of
+'blk_status_t' and make sure to call function
+blk_status_to_errno(hb->error)' when returning from function
+hib_wait_io() a int gets returned.
+
+Fixes: 4e4cbee93d56 ("block: switch bios to blk_status_t")
+Fixes: 5416da01ff6e ("PM: hibernate: Remove blk_status_to_errno in hib_wait_io")
+Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/power/swap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/power/swap.c b/kernel/power/swap.c
+index c9126606fa6f4..25e7cb96bb884 100644
+--- a/kernel/power/swap.c
++++ b/kernel/power/swap.c
+@@ -299,7 +299,7 @@ static int hib_submit_io(int op, int op_flags, pgoff_t page_off, void *addr,
+ return error;
+ }
+
+-static blk_status_t hib_wait_io(struct hib_bio_batch *hb)
++static int hib_wait_io(struct hib_bio_batch *hb)
+ {
+ /*
+ * We are relying on the behavior of blk_plug that a thread with
+--
+2.33.0
+
--- /dev/null
+From ff727f90c3cd7635530b51990a311039e90dcb82 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Oct 2021 20:19:14 +0800
+Subject: PM: hibernate: Get block device exclusively in swsusp_check()
+
+From: Ye Bin <yebin10@huawei.com>
+
+[ Upstream commit 39fbef4b0f77f9c89c8f014749ca533643a37c9f ]
+
+The following kernel crash can be triggered:
+
+[ 89.266592] ------------[ cut here ]------------
+[ 89.267427] kernel BUG at fs/buffer.c:3020!
+[ 89.268264] invalid opcode: 0000 [#1] SMP KASAN PTI
+[ 89.269116] CPU: 7 PID: 1750 Comm: kmmpd-loop0 Not tainted 5.10.0-862.14.0.6.x86_64-08610-gc932cda3cef4-dirty #20
+[ 89.273169] RIP: 0010:submit_bh_wbc.isra.0+0x538/0x6d0
+[ 89.277157] RSP: 0018:ffff888105ddfd08 EFLAGS: 00010246
+[ 89.278093] RAX: 0000000000000005 RBX: ffff888124231498 RCX: ffffffffb2772612
+[ 89.279332] RDX: 1ffff11024846293 RSI: 0000000000000008 RDI: ffff888124231498
+[ 89.280591] RBP: ffff8881248cc000 R08: 0000000000000001 R09: ffffed1024846294
+[ 89.281851] R10: ffff88812423149f R11: ffffed1024846293 R12: 0000000000003800
+[ 89.283095] R13: 0000000000000001 R14: 0000000000000000 R15: ffff8881161f7000
+[ 89.284342] FS: 0000000000000000(0000) GS:ffff88839b5c0000(0000) knlGS:0000000000000000
+[ 89.285711] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 89.286701] CR2: 00007f166ebc01a0 CR3: 0000000435c0e000 CR4: 00000000000006e0
+[ 89.287919] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 89.289138] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 89.290368] Call Trace:
+[ 89.290842] write_mmp_block+0x2ca/0x510
+[ 89.292218] kmmpd+0x433/0x9a0
+[ 89.294902] kthread+0x2dd/0x3e0
+[ 89.296268] ret_from_fork+0x22/0x30
+[ 89.296906] Modules linked in:
+
+by running the following commands:
+
+ 1. mkfs.ext4 -O mmp /dev/sda -b 1024
+ 2. mount /dev/sda /home/test
+ 3. echo "/dev/sda" > /sys/power/resume
+
+That happens because swsusp_check() calls set_blocksize() on the
+target partition which confuses the file system:
+
+ Thread1 Thread2
+mount /dev/sda /home/test
+get s_mmp_bh --> has mapped flag
+start kmmpd thread
+ echo "/dev/sda" > /sys/power/resume
+ resume_store
+ software_resume
+ swsusp_check
+ set_blocksize
+ truncate_inode_pages_range
+ truncate_cleanup_page
+ block_invalidatepage
+ discard_buffer --> clean mapped flag
+write_mmp_block
+ submit_bh
+ submit_bh_wbc
+ BUG_ON(!buffer_mapped(bh))
+
+To address this issue, modify swsusp_check() to open the target block
+device with exclusive access.
+
+Signed-off-by: Ye Bin <yebin10@huawei.com>
+[ rjw: Subject and changelog edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/power/swap.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/power/swap.c b/kernel/power/swap.c
+index 72e33054a2e1b..c9126606fa6f4 100644
+--- a/kernel/power/swap.c
++++ b/kernel/power/swap.c
+@@ -1521,9 +1521,10 @@ end:
+ int swsusp_check(void)
+ {
+ int error;
++ void *holder;
+
+ hib_resume_bdev = blkdev_get_by_dev(swsusp_resume_device,
+- FMODE_READ, NULL);
++ FMODE_READ | FMODE_EXCL, &holder);
+ if (!IS_ERR(hib_resume_bdev)) {
+ set_blocksize(hib_resume_bdev, PAGE_SIZE);
+ clear_page(swsusp_header);
+@@ -1545,7 +1546,7 @@ int swsusp_check(void)
+
+ put:
+ if (error)
+- blkdev_put(hib_resume_bdev, FMODE_READ);
++ blkdev_put(hib_resume_bdev, FMODE_READ | FMODE_EXCL);
+ else
+ pr_debug("Image signature found, resuming\n");
+ } else {
+--
+2.33.0
+
--- /dev/null
+From d674b73af877de82d3694609d4b6a9b4f0d5504b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Sep 2021 11:59:24 +1000
+Subject: pnfs/flexfiles: Fix misplaced barrier in nfs4_ff_layout_prepare_ds
+
+From: Baptiste Lepers <baptiste.lepers@gmail.com>
+
+[ Upstream commit a2915fa06227b056a8f9b0d79b61dca08ad5cfc6 ]
+
+_nfs4_pnfs_v3/v4_ds_connect do
+ some work
+ smp_wmb
+ ds->ds_clp = clp;
+
+And nfs4_ff_layout_prepare_ds currently does
+ smp_rmb
+ if(ds->ds_clp)
+ ...
+
+This patch places the smp_rmb after the if. This ensures that following
+reads only happen once nfs4_ff_layout_prepare_ds has checked that data
+has been properly initialized.
+
+Fixes: d67ae825a59d6 ("pnfs/flexfiles: Add the FlexFile Layout Driver")
+Signed-off-by: Baptiste Lepers <baptiste.lepers@gmail.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/flexfilelayout/flexfilelayoutdev.c | 4 ++--
+ fs/nfs/pnfs_nfs.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fs/nfs/flexfilelayout/flexfilelayoutdev.c b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+index 3eda40a320a53..1f12297109b41 100644
+--- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c
++++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+@@ -378,10 +378,10 @@ nfs4_ff_layout_prepare_ds(struct pnfs_layout_segment *lseg,
+ goto noconnect;
+
+ ds = mirror->mirror_ds->ds;
++ if (READ_ONCE(ds->ds_clp))
++ goto out;
+ /* matching smp_wmb() in _nfs4_pnfs_v3/4_ds_connect */
+ smp_rmb();
+- if (ds->ds_clp)
+- goto out;
+
+ /* FIXME: For now we assume the server sent only one version of NFS
+ * to use for the DS.
+diff --git a/fs/nfs/pnfs_nfs.c b/fs/nfs/pnfs_nfs.c
+index 251c4a3aef9a6..37b52b53a7e53 100644
+--- a/fs/nfs/pnfs_nfs.c
++++ b/fs/nfs/pnfs_nfs.c
+@@ -876,7 +876,7 @@ static int _nfs4_pnfs_v3_ds_connect(struct nfs_server *mds_srv,
+ }
+
+ smp_wmb();
+- ds->ds_clp = clp;
++ WRITE_ONCE(ds->ds_clp, clp);
+ dprintk("%s [new] addr: %s\n", __func__, ds->ds_remotestr);
+ out:
+ return status;
+@@ -949,7 +949,7 @@ static int _nfs4_pnfs_v4_ds_connect(struct nfs_server *mds_srv,
+ }
+
+ smp_wmb();
+- ds->ds_clp = clp;
++ WRITE_ONCE(ds->ds_clp, clp);
+ dprintk("%s [new] addr: %s\n", __func__, ds->ds_remotestr);
+ out:
+ return status;
+--
+2.33.0
+
--- /dev/null
+From 8656697c4b92a6f2bba7a1a92a35ccd76d54b48b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Oct 2021 16:25:22 +0100
+Subject: power: supply: bq27xxx: Fix kernel crash on IRQ handler register
+ error
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit cdf10ffe8f626d8a2edc354abf063df0078b2d71 ]
+
+When registering the IRQ handler fails, do not just return the error code,
+this will free the devm_kzalloc()-ed data struct while leaving the queued
+work queued and the registered power_supply registered with both of them
+now pointing to free-ed memory, resulting in various kernel crashes
+soon afterwards.
+
+Instead properly tear-down things on IRQ handler register errors.
+
+Fixes: 703df6c09795 ("power: bq27xxx_battery: Reorganize I2C into a module")
+Cc: Andrew F. Davis <afd@ti.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/bq27xxx_battery_i2c.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/power/supply/bq27xxx_battery_i2c.c b/drivers/power/supply/bq27xxx_battery_i2c.c
+index eb4f4284982fa..3012eb13a08cb 100644
+--- a/drivers/power/supply/bq27xxx_battery_i2c.c
++++ b/drivers/power/supply/bq27xxx_battery_i2c.c
+@@ -187,7 +187,8 @@ static int bq27xxx_battery_i2c_probe(struct i2c_client *client,
+ dev_err(&client->dev,
+ "Unable to register IRQ %d error %d\n",
+ client->irq, ret);
+- return ret;
++ bq27xxx_battery_teardown(di);
++ goto err_failed;
+ }
+ }
+
+--
+2.33.0
+
--- /dev/null
+From b7aaebfa23ada7d7045a42fbca8fbddf8070c1d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Oct 2021 14:31:50 +0800
+Subject: power: supply: max17040: fix null-ptr-deref in max17040_probe()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 1d422ecfc48ee683ae1ccc9217764f6310c0ffce ]
+
+Add check the return value of devm_regmap_init_i2c(), otherwise
+later access may cause null-ptr-deref as follows:
+
+KASAN: null-ptr-deref in range [0x0000000000000360-0x0000000000000367]
+RIP: 0010:regmap_read+0x33/0x170
+Call Trace:
+ max17040_probe+0x61b/0xff0 [max17040_battery]
+ ? write_comp_data+0x2a/0x90
+ ? max17040_set_property+0x1d0/0x1d0 [max17040_battery]
+ ? tracer_hardirqs_on+0x33/0x520
+ ? __sanitizer_cov_trace_pc+0x1d/0x50
+ ? _raw_spin_unlock_irqrestore+0x4b/0x60
+ ? trace_hardirqs_on+0x63/0x2d0
+ ? write_comp_data+0x2a/0x90
+ ? __sanitizer_cov_trace_pc+0x1d/0x50
+ ? max17040_set_property+0x1d0/0x1d0 [max17040_battery]
+ i2c_device_probe+0xa31/0xbe0
+
+Fixes: 6455a8a84bdf ("power: supply: max17040: Use regmap i2c")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/max17040_battery.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/power/supply/max17040_battery.c b/drivers/power/supply/max17040_battery.c
+index d956c67d51558..b6b29ec3d93ec 100644
+--- a/drivers/power/supply/max17040_battery.c
++++ b/drivers/power/supply/max17040_battery.c
+@@ -482,6 +482,8 @@ static int max17040_probe(struct i2c_client *client,
+ chip->client = client;
+ chip->regmap = devm_regmap_init_i2c(client, &max17040_regmap);
+ chip->pdata = client->dev.platform_data;
++ if (IS_ERR(chip->regmap))
++ return PTR_ERR(chip->regmap);
+ chip_id = (enum chip_id) id->driver_data;
+ if (client->dev.of_node) {
+ ret = max17040_get_of_data(chip);
+--
+2.33.0
+
--- /dev/null
+From ef73a292cd867d28705258ab12d054cc0170327f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Oct 2021 10:32:45 +0200
+Subject: =?UTF-8?q?power:=20supply:=20rt5033=5Fbattery:=20Change=20voltage?=
+ =?UTF-8?q?=20values=20to=20=C2=B5V?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jakob Hauser <jahau@rocketmail.com>
+
+[ Upstream commit bf895295e9a73411889816f1a0c1f4f1a2d9c678 ]
+
+Currently the rt5033_battery driver provides voltage values in mV. It
+should be µV as stated in Documentation/power/power_supply_class.rst.
+
+Fixes: b847dd96e659 ("power: rt5033_battery: Add RT5033 Fuel gauge device driver")
+Cc: Beomho Seo <beomho.seo@samsung.com>
+Cc: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Jakob Hauser <jahau@rocketmail.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/rt5033_battery.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/power/supply/rt5033_battery.c b/drivers/power/supply/rt5033_battery.c
+index 9ad0afe83d1b7..7a23c70f48791 100644
+--- a/drivers/power/supply/rt5033_battery.c
++++ b/drivers/power/supply/rt5033_battery.c
+@@ -60,7 +60,7 @@ static int rt5033_battery_get_watt_prop(struct i2c_client *client,
+ regmap_read(battery->regmap, regh, &msb);
+ regmap_read(battery->regmap, regl, &lsb);
+
+- ret = ((msb << 4) + (lsb >> 4)) * 1250 / 1000;
++ ret = ((msb << 4) + (lsb >> 4)) * 1250;
+
+ return ret;
+ }
+--
+2.33.0
+
--- /dev/null
+From 2587b7cf241658a23b68746db4d2b854ccbc4691 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Oct 2021 15:28:22 +0800
+Subject: powerpc/44x/fsp2: add missing of_node_put
+
+From: Bixuan Cui <cuibixuan@linux.alibaba.com>
+
+[ Upstream commit 290fe8aa69ef5c51c778c0bb33f8ef0181c769f5 ]
+
+Early exits from for_each_compatible_node() should decrement the
+node reference counter. Reported by Coccinelle:
+
+./arch/powerpc/platforms/44x/fsp2.c:206:1-25: WARNING: Function
+"for_each_compatible_node" should have of_node_put() before return
+around line 218.
+
+Fixes: 7813043e1bbc ("powerpc/44x/fsp2: Add irq error handlers")
+Signed-off-by: Bixuan Cui <cuibixuan@linux.alibaba.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1635406102-88719-1-git-send-email-cuibixuan@linux.alibaba.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/44x/fsp2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/powerpc/platforms/44x/fsp2.c b/arch/powerpc/platforms/44x/fsp2.c
+index b299e43f5ef94..823397c802def 100644
+--- a/arch/powerpc/platforms/44x/fsp2.c
++++ b/arch/powerpc/platforms/44x/fsp2.c
+@@ -208,6 +208,7 @@ static void node_irq_request(const char *compat, irq_handler_t errirq_handler)
+ if (irq == NO_IRQ) {
+ pr_err("device tree node %pOFn is missing a interrupt",
+ np);
++ of_node_put(np);
+ return;
+ }
+
+@@ -215,6 +216,7 @@ static void node_irq_request(const char *compat, irq_handler_t errirq_handler)
+ if (rc) {
+ pr_err("fsp_of_probe: request_irq failed: np=%pOF rc=%d",
+ np, rc);
++ of_node_put(np);
+ return;
+ }
+ }
+--
+2.33.0
+
--- /dev/null
+From b30386b044afd2b1a612a9906f5dc057aeedc409 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jun 2021 23:05:14 +1000
+Subject: powerpc: Fix is_kvm_guest() / kvm_para_available()
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit 95839225639ba7c3d8d7231b542728dcf222bf2d ]
+
+Commit a21d1becaa3f ("powerpc: Reintroduce is_kvm_guest() as a fast-path
+check") added is_kvm_guest() and changed kvm_para_available() to use it.
+
+is_kvm_guest() checks a static key, kvm_guest, and that static key is
+set in check_kvm_guest().
+
+The problem is check_kvm_guest() is only called on pseries, and even
+then only in some configurations. That means is_kvm_guest() always
+returns false on all non-pseries and some pseries depending on
+configuration. That's a bug.
+
+For PR KVM guests this is noticable because they no longer do live
+patching of themselves, which can be detected by the omission of a
+message in dmesg such as:
+
+ KVM: Live patching for a fast VM worked
+
+To fix it make check_kvm_guest() an initcall, to ensure it's always
+called at boot. It needs to be core so that it runs before
+kvm_guest_init() which is postcore. To be an initcall it needs to return
+int, where 0 means success, so update that.
+
+We still call it manually in pSeries_smp_probe(), because that runs
+before init calls are run.
+
+Fixes: a21d1becaa3f ("powerpc: Reintroduce is_kvm_guest() as a fast-path check")
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210623130514.2543232-1-mpe@ellerman.id.au
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/kvm_guest.h | 4 ++--
+ arch/powerpc/kernel/firmware.c | 10 ++++++----
+ arch/powerpc/platforms/pseries/smp.c | 4 +++-
+ 3 files changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/kvm_guest.h b/arch/powerpc/include/asm/kvm_guest.h
+index 2fca299f7e192..c63105d2c9e7c 100644
+--- a/arch/powerpc/include/asm/kvm_guest.h
++++ b/arch/powerpc/include/asm/kvm_guest.h
+@@ -16,10 +16,10 @@ static inline bool is_kvm_guest(void)
+ return static_branch_unlikely(&kvm_guest);
+ }
+
+-bool check_kvm_guest(void);
++int check_kvm_guest(void);
+ #else
+ static inline bool is_kvm_guest(void) { return false; }
+-static inline bool check_kvm_guest(void) { return false; }
++static inline int check_kvm_guest(void) { return 0; }
+ #endif
+
+ #endif /* _ASM_POWERPC_KVM_GUEST_H_ */
+diff --git a/arch/powerpc/kernel/firmware.c b/arch/powerpc/kernel/firmware.c
+index c9e2819b095ab..c7022c41cc314 100644
+--- a/arch/powerpc/kernel/firmware.c
++++ b/arch/powerpc/kernel/firmware.c
+@@ -23,18 +23,20 @@ EXPORT_SYMBOL_GPL(powerpc_firmware_features);
+
+ #if defined(CONFIG_PPC_PSERIES) || defined(CONFIG_KVM_GUEST)
+ DEFINE_STATIC_KEY_FALSE(kvm_guest);
+-bool check_kvm_guest(void)
++int __init check_kvm_guest(void)
+ {
+ struct device_node *hyper_node;
+
+ hyper_node = of_find_node_by_path("/hypervisor");
+ if (!hyper_node)
+- return false;
++ return 0;
+
+ if (!of_device_is_compatible(hyper_node, "linux,kvm"))
+- return false;
++ return 0;
+
+ static_branch_enable(&kvm_guest);
+- return true;
++
++ return 0;
+ }
++core_initcall(check_kvm_guest); // before kvm_guest_init()
+ #endif
+diff --git a/arch/powerpc/platforms/pseries/smp.c b/arch/powerpc/platforms/pseries/smp.c
+index 9d596b41ec675..f47429323eee9 100644
+--- a/arch/powerpc/platforms/pseries/smp.c
++++ b/arch/powerpc/platforms/pseries/smp.c
+@@ -208,7 +208,9 @@ static __init void pSeries_smp_probe(void)
+ if (!cpu_has_feature(CPU_FTR_SMT))
+ return;
+
+- if (check_kvm_guest()) {
++ check_kvm_guest();
++
++ if (is_kvm_guest()) {
+ /*
+ * KVM emulates doorbells by disabling FSCR[MSGP] so msgsndp
+ * faults to the hypervisor which then reads the instruction
+--
+2.33.0
+
--- /dev/null
+From d47984e0564f2979a5adedd79199472513ad0268 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Sep 2021 07:45:50 -0500
+Subject: powerpc: fix unbalanced node refcount in check_kvm_guest()
+
+From: Nathan Lynch <nathanl@linux.ibm.com>
+
+[ Upstream commit 56537faf8821e361d739fc5ff58c9c40f54a1d4c ]
+
+When check_kvm_guest() succeeds in looking up a /hypervisor OF node, it
+returns without performing a matching put for the lookup, leaving the
+node's reference count elevated.
+
+Add the necessary call to of_node_put(), rearranging the code slightly to
+avoid repetition or goto.
+
+Fixes: 107c55005fbd ("powerpc/pseries: Add KVM guest doorbell restrictions")
+Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
+Reviewed-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Reviewed-by: Tyrel Datwyler <tyreld@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210928124550.132020-1-nathanl@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/firmware.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/arch/powerpc/kernel/firmware.c b/arch/powerpc/kernel/firmware.c
+index c7022c41cc314..20328f72f9f2b 100644
+--- a/arch/powerpc/kernel/firmware.c
++++ b/arch/powerpc/kernel/firmware.c
+@@ -31,11 +31,10 @@ int __init check_kvm_guest(void)
+ if (!hyper_node)
+ return 0;
+
+- if (!of_device_is_compatible(hyper_node, "linux,kvm"))
+- return 0;
+-
+- static_branch_enable(&kvm_guest);
++ if (of_device_is_compatible(hyper_node, "linux,kvm"))
++ static_branch_enable(&kvm_guest);
+
++ of_node_put(hyper_node);
+ return 0;
+ }
+ core_initcall(check_kvm_guest); // before kvm_guest_init()
+--
+2.33.0
+
--- /dev/null
+From 504ea61513b0dd85d367a1aa120f2e69218cb6a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Dec 2020 10:34:53 +0530
+Subject: powerpc: Refactor is_kvm_guest() declaration to new header
+
+From: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+
+[ Upstream commit 92cc6bf01c7f4c5cfefd1963985c0064687ebeda ]
+
+Only code/declaration movement, in anticipation of doing a KVM-aware
+vcpu_is_preempted(). No additional changes.
+
+Signed-off-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Acked-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20201202050456.164005-2-srikar@linux.vnet.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/firmware.h | 6 ------
+ arch/powerpc/include/asm/kvm_guest.h | 15 +++++++++++++++
+ arch/powerpc/include/asm/kvm_para.h | 2 +-
+ arch/powerpc/kernel/firmware.c | 1 +
+ arch/powerpc/platforms/pseries/smp.c | 1 +
+ 5 files changed, 18 insertions(+), 7 deletions(-)
+ create mode 100644 arch/powerpc/include/asm/kvm_guest.h
+
+diff --git a/arch/powerpc/include/asm/firmware.h b/arch/powerpc/include/asm/firmware.h
+index 0b295bdb201e8..aa6a5ef5d4830 100644
+--- a/arch/powerpc/include/asm/firmware.h
++++ b/arch/powerpc/include/asm/firmware.h
+@@ -134,12 +134,6 @@ extern int ibm_nmi_interlock_token;
+
+ extern unsigned int __start___fw_ftr_fixup, __stop___fw_ftr_fixup;
+
+-#if defined(CONFIG_PPC_PSERIES) || defined(CONFIG_KVM_GUEST)
+-bool is_kvm_guest(void);
+-#else
+-static inline bool is_kvm_guest(void) { return false; }
+-#endif
+-
+ #ifdef CONFIG_PPC_PSERIES
+ void pseries_probe_fw_features(void);
+ #else
+diff --git a/arch/powerpc/include/asm/kvm_guest.h b/arch/powerpc/include/asm/kvm_guest.h
+new file mode 100644
+index 0000000000000..d2c946dbbd2c0
+--- /dev/null
++++ b/arch/powerpc/include/asm/kvm_guest.h
+@@ -0,0 +1,15 @@
++/* SPDX-License-Identifier: GPL-2.0-only */
++/*
++ * Copyright (C) 2020 IBM Corporation
++ */
++
++#ifndef _ASM_POWERPC_KVM_GUEST_H_
++#define _ASM_POWERPC_KVM_GUEST_H_
++
++#if defined(CONFIG_PPC_PSERIES) || defined(CONFIG_KVM_GUEST)
++bool is_kvm_guest(void);
++#else
++static inline bool is_kvm_guest(void) { return false; }
++#endif
++
++#endif /* _ASM_POWERPC_KVM_GUEST_H_ */
+diff --git a/arch/powerpc/include/asm/kvm_para.h b/arch/powerpc/include/asm/kvm_para.h
+index 744612054c94c..abe1b5e82547b 100644
+--- a/arch/powerpc/include/asm/kvm_para.h
++++ b/arch/powerpc/include/asm/kvm_para.h
+@@ -8,7 +8,7 @@
+ #ifndef __POWERPC_KVM_PARA_H__
+ #define __POWERPC_KVM_PARA_H__
+
+-#include <asm/firmware.h>
++#include <asm/kvm_guest.h>
+
+ #include <uapi/asm/kvm_para.h>
+
+diff --git a/arch/powerpc/kernel/firmware.c b/arch/powerpc/kernel/firmware.c
+index fe48d319d490e..5f48e5ad24cdd 100644
+--- a/arch/powerpc/kernel/firmware.c
++++ b/arch/powerpc/kernel/firmware.c
+@@ -14,6 +14,7 @@
+ #include <linux/of.h>
+
+ #include <asm/firmware.h>
++#include <asm/kvm_guest.h>
+
+ #ifdef CONFIG_PPC64
+ unsigned long powerpc_firmware_features __read_mostly;
+diff --git a/arch/powerpc/platforms/pseries/smp.c b/arch/powerpc/platforms/pseries/smp.c
+index 624e80b00eb18..7be7094075ab5 100644
+--- a/arch/powerpc/platforms/pseries/smp.c
++++ b/arch/powerpc/platforms/pseries/smp.c
+@@ -42,6 +42,7 @@
+ #include <asm/plpar_wrappers.h>
+ #include <asm/code-patching.h>
+ #include <asm/svm.h>
++#include <asm/kvm_guest.h>
+
+ #include "pseries.h"
+
+--
+2.33.0
+
--- /dev/null
+From 297501a8e68937882c03890ab92ffdb1e6273a6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Dec 2020 10:34:55 +0530
+Subject: powerpc: Reintroduce is_kvm_guest() as a fast-path check
+
+From: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+
+[ Upstream commit a21d1becaa3f17a97b933ffa677b526afc514ec5 ]
+
+Introduce a static branch that would be set during boot if the OS
+happens to be a KVM guest. Subsequent checks to see if we are on KVM
+will rely on this static branch. This static branch would be used in
+vcpu_is_preempted() in a subsequent patch.
+
+Signed-off-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Acked-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20201202050456.164005-4-srikar@linux.vnet.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/kvm_guest.h | 10 ++++++++++
+ arch/powerpc/include/asm/kvm_para.h | 2 +-
+ arch/powerpc/kernel/firmware.c | 2 ++
+ 3 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/include/asm/kvm_guest.h b/arch/powerpc/include/asm/kvm_guest.h
+index d7749ecb30d49..2fca299f7e192 100644
+--- a/arch/powerpc/include/asm/kvm_guest.h
++++ b/arch/powerpc/include/asm/kvm_guest.h
+@@ -7,8 +7,18 @@
+ #define _ASM_POWERPC_KVM_GUEST_H_
+
+ #if defined(CONFIG_PPC_PSERIES) || defined(CONFIG_KVM_GUEST)
++#include <linux/jump_label.h>
++
++DECLARE_STATIC_KEY_FALSE(kvm_guest);
++
++static inline bool is_kvm_guest(void)
++{
++ return static_branch_unlikely(&kvm_guest);
++}
++
+ bool check_kvm_guest(void);
+ #else
++static inline bool is_kvm_guest(void) { return false; }
+ static inline bool check_kvm_guest(void) { return false; }
+ #endif
+
+diff --git a/arch/powerpc/include/asm/kvm_para.h b/arch/powerpc/include/asm/kvm_para.h
+index 6fba06b6cfdbc..abe1b5e82547b 100644
+--- a/arch/powerpc/include/asm/kvm_para.h
++++ b/arch/powerpc/include/asm/kvm_para.h
+@@ -14,7 +14,7 @@
+
+ static inline int kvm_para_available(void)
+ {
+- return IS_ENABLED(CONFIG_KVM_GUEST) && check_kvm_guest();
++ return IS_ENABLED(CONFIG_KVM_GUEST) && is_kvm_guest();
+ }
+
+ static inline unsigned int kvm_arch_para_features(void)
+diff --git a/arch/powerpc/kernel/firmware.c b/arch/powerpc/kernel/firmware.c
+index c3140c6084c93..c9e2819b095ab 100644
+--- a/arch/powerpc/kernel/firmware.c
++++ b/arch/powerpc/kernel/firmware.c
+@@ -22,6 +22,7 @@ EXPORT_SYMBOL_GPL(powerpc_firmware_features);
+ #endif
+
+ #if defined(CONFIG_PPC_PSERIES) || defined(CONFIG_KVM_GUEST)
++DEFINE_STATIC_KEY_FALSE(kvm_guest);
+ bool check_kvm_guest(void)
+ {
+ struct device_node *hyper_node;
+@@ -33,6 +34,7 @@ bool check_kvm_guest(void)
+ if (!of_device_is_compatible(hyper_node, "linux,kvm"))
+ return false;
+
++ static_branch_enable(&kvm_guest);
+ return true;
+ }
+ #endif
+--
+2.33.0
+
--- /dev/null
+From 9456e4b34dec7fcd09eb2d713042e13164f47ac8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Dec 2020 10:34:54 +0530
+Subject: powerpc: Rename is_kvm_guest() to check_kvm_guest()
+
+From: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+
+[ Upstream commit 16520a858a995742c2d2248e86a6026bd0316562 ]
+
+We want to reuse the is_kvm_guest() name in a subsequent patch but
+with a new body. Hence rename is_kvm_guest() to check_kvm_guest(). No
+additional changes.
+
+Signed-off-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Acked-by: Waiman Long <longman@redhat.com>
+Signed-off-by: kernel test robot <lkp@intel.com> # int -> bool fix
+[mpe: Fold in fix from lkp to use true/false not 0/1]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20201202050456.164005-3-srikar@linux.vnet.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/kvm_guest.h | 4 ++--
+ arch/powerpc/include/asm/kvm_para.h | 2 +-
+ arch/powerpc/kernel/firmware.c | 8 ++++----
+ arch/powerpc/platforms/pseries/smp.c | 2 +-
+ 4 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/kvm_guest.h b/arch/powerpc/include/asm/kvm_guest.h
+index d2c946dbbd2c0..d7749ecb30d49 100644
+--- a/arch/powerpc/include/asm/kvm_guest.h
++++ b/arch/powerpc/include/asm/kvm_guest.h
+@@ -7,9 +7,9 @@
+ #define _ASM_POWERPC_KVM_GUEST_H_
+
+ #if defined(CONFIG_PPC_PSERIES) || defined(CONFIG_KVM_GUEST)
+-bool is_kvm_guest(void);
++bool check_kvm_guest(void);
+ #else
+-static inline bool is_kvm_guest(void) { return false; }
++static inline bool check_kvm_guest(void) { return false; }
+ #endif
+
+ #endif /* _ASM_POWERPC_KVM_GUEST_H_ */
+diff --git a/arch/powerpc/include/asm/kvm_para.h b/arch/powerpc/include/asm/kvm_para.h
+index abe1b5e82547b..6fba06b6cfdbc 100644
+--- a/arch/powerpc/include/asm/kvm_para.h
++++ b/arch/powerpc/include/asm/kvm_para.h
+@@ -14,7 +14,7 @@
+
+ static inline int kvm_para_available(void)
+ {
+- return IS_ENABLED(CONFIG_KVM_GUEST) && is_kvm_guest();
++ return IS_ENABLED(CONFIG_KVM_GUEST) && check_kvm_guest();
+ }
+
+ static inline unsigned int kvm_arch_para_features(void)
+diff --git a/arch/powerpc/kernel/firmware.c b/arch/powerpc/kernel/firmware.c
+index 5f48e5ad24cdd..c3140c6084c93 100644
+--- a/arch/powerpc/kernel/firmware.c
++++ b/arch/powerpc/kernel/firmware.c
+@@ -22,17 +22,17 @@ EXPORT_SYMBOL_GPL(powerpc_firmware_features);
+ #endif
+
+ #if defined(CONFIG_PPC_PSERIES) || defined(CONFIG_KVM_GUEST)
+-bool is_kvm_guest(void)
++bool check_kvm_guest(void)
+ {
+ struct device_node *hyper_node;
+
+ hyper_node = of_find_node_by_path("/hypervisor");
+ if (!hyper_node)
+- return 0;
++ return false;
+
+ if (!of_device_is_compatible(hyper_node, "linux,kvm"))
+- return 0;
++ return false;
+
+- return 1;
++ return true;
+ }
+ #endif
+diff --git a/arch/powerpc/platforms/pseries/smp.c b/arch/powerpc/platforms/pseries/smp.c
+index 7be7094075ab5..9d596b41ec675 100644
+--- a/arch/powerpc/platforms/pseries/smp.c
++++ b/arch/powerpc/platforms/pseries/smp.c
+@@ -208,7 +208,7 @@ static __init void pSeries_smp_probe(void)
+ if (!cpu_has_feature(CPU_FTR_SMT))
+ return;
+
+- if (is_kvm_guest()) {
++ if (check_kvm_guest()) {
+ /*
+ * KVM emulates doorbells by disabling FSCR[MSGP] so msgsndp
+ * faults to the hypervisor which then reads the instruction
+--
+2.33.0
+
--- /dev/null
+From f8fa816f790ead3a303134761de9755c4d6c45cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Sep 2021 10:40:21 +0200
+Subject: rcu: Always inline rcu_dynticks_task*_{enter,exit}()
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 7663ad9a5dbcc27f3090e6bfd192c7e59222709f ]
+
+RCU managed to grow a few noinstr violations:
+
+ vmlinux.o: warning: objtool: rcu_dynticks_eqs_enter()+0x0: call to rcu_dynticks_task_trace_enter() leaves .noinstr.text section
+ vmlinux.o: warning: objtool: rcu_dynticks_eqs_exit()+0xe: call to rcu_dynticks_task_trace_exit() leaves .noinstr.text section
+
+Fix them by adding __always_inline to the relevant trivial functions.
+
+Also replace the noinstr with __always_inline for the existing
+rcu_dynticks_task_*() functions since noinstr would force noinline
+them, even when empty, which seems silly.
+
+Fixes: 7d0c9c50c5a1 ("rcu-tasks: Avoid IPIing userspace/idle tasks if kernel is so built")
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/tree_plugin.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/rcu/tree_plugin.h b/kernel/rcu/tree_plugin.h
+index c5091aeaa37bb..6ed153f226b39 100644
+--- a/kernel/rcu/tree_plugin.h
++++ b/kernel/rcu/tree_plugin.h
+@@ -2573,7 +2573,7 @@ static void rcu_bind_gp_kthread(void)
+ }
+
+ /* Record the current task on dyntick-idle entry. */
+-static void noinstr rcu_dynticks_task_enter(void)
++static __always_inline void rcu_dynticks_task_enter(void)
+ {
+ #if defined(CONFIG_TASKS_RCU) && defined(CONFIG_NO_HZ_FULL)
+ WRITE_ONCE(current->rcu_tasks_idle_cpu, smp_processor_id());
+@@ -2581,7 +2581,7 @@ static void noinstr rcu_dynticks_task_enter(void)
+ }
+
+ /* Record no current task on dyntick-idle exit. */
+-static void noinstr rcu_dynticks_task_exit(void)
++static __always_inline void rcu_dynticks_task_exit(void)
+ {
+ #if defined(CONFIG_TASKS_RCU) && defined(CONFIG_NO_HZ_FULL)
+ WRITE_ONCE(current->rcu_tasks_idle_cpu, -1);
+@@ -2589,7 +2589,7 @@ static void noinstr rcu_dynticks_task_exit(void)
+ }
+
+ /* Turn on heavyweight RCU tasks trace readers on idle/user entry. */
+-static void rcu_dynticks_task_trace_enter(void)
++static __always_inline void rcu_dynticks_task_trace_enter(void)
+ {
+ #ifdef CONFIG_TASKS_TRACE_RCU
+ if (IS_ENABLED(CONFIG_TASKS_TRACE_RCU_READ_MB))
+@@ -2598,7 +2598,7 @@ static void rcu_dynticks_task_trace_enter(void)
+ }
+
+ /* Turn off heavyweight RCU tasks trace readers on idle/user exit. */
+-static void rcu_dynticks_task_trace_exit(void)
++static __always_inline void rcu_dynticks_task_trace_exit(void)
+ {
+ #ifdef CONFIG_TASKS_TRACE_RCU
+ if (IS_ENABLED(CONFIG_TASKS_TRACE_RCU_READ_MB))
+--
+2.33.0
+
--- /dev/null
+From 142d61493581f07361de05362cdba1a7de8bf75c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Aug 2021 13:34:00 +0530
+Subject: rcu: Fix existing exp request check in
+ sync_sched_exp_online_cleanup()
+
+From: Neeraj Upadhyay <neeraju@codeaurora.org>
+
+[ Upstream commit f0b2b2df5423fb369ac762c77900bc7765496d58 ]
+
+The sync_sched_exp_online_cleanup() checks to see if RCU needs
+an expedited quiescent state from the incoming CPU, sending it
+an IPI if so. Before sending IPI, it checks whether expedited
+qs need has been already requested for the incoming CPU, by
+checking rcu_data.cpu_no_qs.b.exp for the current cpu, on which
+sync_sched_exp_online_cleanup() is running. This works for the
+case where incoming CPU is same as self. However, for the case
+where incoming CPU is different from self, expedited request
+won't get marked, which can potentially delay reporting of
+expedited quiescent state for the incoming CPU.
+
+Fixes: e015a3411220 ("rcu: Avoid self-IPI in sync_sched_exp_online_cleanup()")
+Signed-off-by: Neeraj Upadhyay <neeraju@codeaurora.org>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/tree_exp.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/rcu/tree_exp.h b/kernel/rcu/tree_exp.h
+index 8760b6ead770a..0ffe185c1f46a 100644
+--- a/kernel/rcu/tree_exp.h
++++ b/kernel/rcu/tree_exp.h
+@@ -759,7 +759,7 @@ static void sync_sched_exp_online_cleanup(int cpu)
+ my_cpu = get_cpu();
+ /* Quiescent state either not needed or already requested, leave. */
+ if (!(READ_ONCE(rnp->expmask) & rdp->grpmask) ||
+- __this_cpu_read(rcu_data.cpu_no_qs.b.exp)) {
++ rdp->cpu_no_qs.b.exp) {
+ put_cpu();
+ return;
+ }
+--
+2.33.0
+
--- /dev/null
+From 49bc2edf7066014922eb565512d6667303a0e740 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Aug 2021 09:07:44 -0700
+Subject: rcu-tasks: Move RTGS_WAIT_CBS to beginning of rcu_tasks_kthread()
+ loop
+
+From: Paul E. McKenney <paulmck@kernel.org>
+
+[ Upstream commit 0db7c32ad3160ae06f497d48a74bd46a2a35e6bf ]
+
+Early in debugging, it made some sense to differentiate the first
+iteration from subsequent iterations, but now this just causes confusion.
+This commit therefore moves the "set_tasks_gp_state(rtp, RTGS_WAIT_CBS)"
+statement to the beginning of the "for" loop in rcu_tasks_kthread().
+
+Reported-by: Neeraj Upadhyay <neeraju@codeaurora.org>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/tasks.h | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/kernel/rcu/tasks.h b/kernel/rcu/tasks.h
+index b338f514ee5aa..7c05c5ab78653 100644
+--- a/kernel/rcu/tasks.h
++++ b/kernel/rcu/tasks.h
+@@ -197,6 +197,7 @@ static int __noreturn rcu_tasks_kthread(void *arg)
+ * This loop is terminated by the system going down. ;-)
+ */
+ for (;;) {
++ set_tasks_gp_state(rtp, RTGS_WAIT_CBS);
+
+ /* Pick up any new callbacks. */
+ raw_spin_lock_irqsave(&rtp->cbs_lock, flags);
+@@ -236,8 +237,6 @@ static int __noreturn rcu_tasks_kthread(void *arg)
+ }
+ /* Paranoid sleep to keep this from entering a tight loop */
+ schedule_timeout_idle(rtp->gp_sleep);
+-
+- set_tasks_gp_state(rtp, RTGS_WAIT_CBS);
+ }
+ }
+
+--
+2.33.0
+
--- /dev/null
+From aa7c49dae9033e03c04c444480b8618049fcd312 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Aug 2021 09:42:36 +0200
+Subject: rcutorture: Avoid problematic critical section nesting on PREEMPT_RT
+
+From: Scott Wood <swood@redhat.com>
+
+[ Upstream commit 71921a9606ddbcc1d98c00eca7ae82c373d1fecd ]
+
+rcutorture is generating some nesting scenarios that are not compatible on PREEMPT_RT.
+For example:
+ preempt_disable();
+ rcu_read_lock_bh();
+ preempt_enable();
+ rcu_read_unlock_bh();
+
+The problem here is that on PREEMPT_RT the bottom halves have to be
+disabled and enabled in preemptible context.
+
+Reorder locking: start with BH locking and continue with then with
+disabling preemption or interrupts. In the unlocking do it reverse by
+first enabling interrupts and preemption and BH at the very end.
+Ensure that on PREEMPT_RT BH locking remains unchanged if in
+non-preemptible context.
+
+Link: https://lkml.kernel.org/r/20190911165729.11178-6-swood@redhat.com
+Link: https://lkml.kernel.org/r/20210819182035.GF4126399@paulmck-ThinkPad-P17-Gen-1
+Signed-off-by: Scott Wood <swood@redhat.com>
+[bigeasy: Drop ATOM_BH, make it only about changing BH in atomic
+context. Allow enabling RCU in IRQ-off section. Reword commit message.]
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/rcutorture.c | 48 ++++++++++++++++++++++++++++++-----------
+ 1 file changed, 36 insertions(+), 12 deletions(-)
+
+diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c
+index 916ea4f66e4b2..6c1aea48a79a1 100644
+--- a/kernel/rcu/rcutorture.c
++++ b/kernel/rcu/rcutorture.c
+@@ -1238,28 +1238,34 @@ static void rcutorture_one_extend(int *readstate, int newstate,
+ /* First, put new protection in place to avoid critical-section gap. */
+ if (statesnew & RCUTORTURE_RDR_BH)
+ local_bh_disable();
++ if (statesnew & RCUTORTURE_RDR_RBH)
++ rcu_read_lock_bh();
+ if (statesnew & RCUTORTURE_RDR_IRQ)
+ local_irq_disable();
+ if (statesnew & RCUTORTURE_RDR_PREEMPT)
+ preempt_disable();
+- if (statesnew & RCUTORTURE_RDR_RBH)
+- rcu_read_lock_bh();
+ if (statesnew & RCUTORTURE_RDR_SCHED)
+ rcu_read_lock_sched();
+ if (statesnew & RCUTORTURE_RDR_RCU)
+ idxnew = cur_ops->readlock() << RCUTORTURE_RDR_SHIFT;
+
+- /* Next, remove old protection, irq first due to bh conflict. */
++ /*
++ * Next, remove old protection, in decreasing order of strength
++ * to avoid unlock paths that aren't safe in the stronger
++ * context. Namely: BH can not be enabled with disabled interrupts.
++ * Additionally PREEMPT_RT requires that BH is enabled in preemptible
++ * context.
++ */
+ if (statesold & RCUTORTURE_RDR_IRQ)
+ local_irq_enable();
+- if (statesold & RCUTORTURE_RDR_BH)
+- local_bh_enable();
+ if (statesold & RCUTORTURE_RDR_PREEMPT)
+ preempt_enable();
+- if (statesold & RCUTORTURE_RDR_RBH)
+- rcu_read_unlock_bh();
+ if (statesold & RCUTORTURE_RDR_SCHED)
+ rcu_read_unlock_sched();
++ if (statesold & RCUTORTURE_RDR_BH)
++ local_bh_enable();
++ if (statesold & RCUTORTURE_RDR_RBH)
++ rcu_read_unlock_bh();
+ if (statesold & RCUTORTURE_RDR_RCU) {
+ bool lockit = !statesnew && !(torture_random(trsp) & 0xffff);
+
+@@ -1302,6 +1308,9 @@ rcutorture_extend_mask(int oldmask, struct torture_random_state *trsp)
+ int mask = rcutorture_extend_mask_max();
+ unsigned long randmask1 = torture_random(trsp) >> 8;
+ unsigned long randmask2 = randmask1 >> 3;
++ unsigned long preempts = RCUTORTURE_RDR_PREEMPT | RCUTORTURE_RDR_SCHED;
++ unsigned long preempts_irq = preempts | RCUTORTURE_RDR_IRQ;
++ unsigned long bhs = RCUTORTURE_RDR_BH | RCUTORTURE_RDR_RBH;
+
+ WARN_ON_ONCE(mask >> RCUTORTURE_RDR_SHIFT);
+ /* Mostly only one bit (need preemption!), sometimes lots of bits. */
+@@ -1309,11 +1318,26 @@ rcutorture_extend_mask(int oldmask, struct torture_random_state *trsp)
+ mask = mask & randmask2;
+ else
+ mask = mask & (1 << (randmask2 % RCUTORTURE_RDR_NBITS));
+- /* Can't enable bh w/irq disabled. */
+- if ((mask & RCUTORTURE_RDR_IRQ) &&
+- ((!(mask & RCUTORTURE_RDR_BH) && (oldmask & RCUTORTURE_RDR_BH)) ||
+- (!(mask & RCUTORTURE_RDR_RBH) && (oldmask & RCUTORTURE_RDR_RBH))))
+- mask |= RCUTORTURE_RDR_BH | RCUTORTURE_RDR_RBH;
++
++ /*
++ * Can't enable bh w/irq disabled.
++ */
++ if (mask & RCUTORTURE_RDR_IRQ)
++ mask |= oldmask & bhs;
++
++ /*
++ * Ideally these sequences would be detected in debug builds
++ * (regardless of RT), but until then don't stop testing
++ * them on non-RT.
++ */
++ if (IS_ENABLED(CONFIG_PREEMPT_RT)) {
++ /* Can't modify BH in atomic context */
++ if (oldmask & preempts_irq)
++ mask &= ~bhs;
++ if ((oldmask | mask) & preempts_irq)
++ mask |= oldmask & bhs;
++ }
++
+ return mask ?: RCUTORTURE_RDR_RCU;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 28c828771fd71b81408293e1bf71557a5282c54f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Sep 2021 05:32:38 -0700
+Subject: RDMA/bnxt_re: Fix query SRQ failure
+
+From: Selvin Xavier <selvin.xavier@broadcom.com>
+
+[ Upstream commit 598d16fa1bf93431ad35bbab3ed1affe4fb7b562 ]
+
+Fill the missing parameters for the FW command while querying SRQ.
+
+Fixes: 37cb11acf1f7 ("RDMA/bnxt_re: Add SRQ support for Broadcom adapters")
+Link: https://lore.kernel.org/r/1631709163-2287-8-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_fp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+index d4d4959c2434c..bd153aa7e9ab3 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+@@ -707,12 +707,13 @@ int bnxt_qplib_query_srq(struct bnxt_qplib_res *res,
+ int rc = 0;
+
+ RCFW_CMD_PREP(req, QUERY_SRQ, cmd_flags);
+- req.srq_cid = cpu_to_le32(srq->id);
+
+ /* Configure the request */
+ sbuf = bnxt_qplib_rcfw_alloc_sbuf(rcfw, sizeof(*sb));
+ if (!sbuf)
+ return -ENOMEM;
++ req.resp_size = sizeof(*sb) / BNXT_QPLIB_CMDQE_UNITS;
++ req.srq_cid = cpu_to_le32(srq->id);
+ sb = sbuf->sb;
+ rc = bnxt_qplib_rcfw_send_message(rcfw, (void *)&req, (void *)&resp,
+ (void *)sbuf, 0);
+--
+2.33.0
+
--- /dev/null
+From befcb44641a956b59a25c6c94aee511284512d90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Oct 2021 10:28:43 +0300
+Subject: RDMA/mlx4: Return missed an error if device doesn't support steering
+
+From: Leon Romanovsky <leonro@nvidia.com>
+
+[ Upstream commit f4e56ec4452f48b8292dcf0e1c4bdac83506fb8b ]
+
+The error flow fixed in this patch is not possible because all kernel
+users of create QP interface check that device supports steering before
+set IB_QP_CREATE_NETIF_QP flag.
+
+Fixes: c1c98501121e ("IB/mlx4: Add support for steerable IB UD QPs")
+Link: https://lore.kernel.org/r/91c61f6e60eb0240f8bbc321fda7a1d2986dd03c.1634023677.git.leonro@nvidia.com
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx4/qp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c
+index 6bc0818f4b2c6..c6a815a705fef 100644
+--- a/drivers/infiniband/hw/mlx4/qp.c
++++ b/drivers/infiniband/hw/mlx4/qp.c
+@@ -1099,8 +1099,10 @@ static int create_qp_common(struct ib_pd *pd, struct ib_qp_init_attr *init_attr,
+ if (dev->steering_support ==
+ MLX4_STEERING_MODE_DEVICE_MANAGED)
+ qp->flags |= MLX4_IB_QP_NETIF;
+- else
++ else {
++ err = -EINVAL;
+ goto err;
++ }
+ }
+
+ err = set_kernel_sq_size(dev, &init_attr->cap, qp_type, qp);
+--
+2.33.0
+
--- /dev/null
+From 0ae24169d44535f1a8757e983116cd98613186fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Aug 2021 16:32:23 +0800
+Subject: RDMA/rxe: Fix wrong port_cap_flags
+
+From: Junji Wei <weijunji@bytedance.com>
+
+[ Upstream commit dcd3f985b20ffcc375f82ca0ca9f241c7025eb5e ]
+
+The port->attr.port_cap_flags should be set to enum
+ib_port_capability_mask_bits in ib_mad.h, not
+RDMA_CORE_CAP_PROT_ROCE_UDP_ENCAP.
+
+Fixes: 8700e3e7c485 ("Soft RoCE driver")
+Link: https://lore.kernel.org/r/20210831083223.65797-1-weijunji@bytedance.com
+Signed-off-by: Junji Wei <weijunji@bytedance.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rxe/rxe_param.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_param.h b/drivers/infiniband/sw/rxe/rxe_param.h
+index 25ab50d9b7c28..f9fb56ec6dfda 100644
+--- a/drivers/infiniband/sw/rxe/rxe_param.h
++++ b/drivers/infiniband/sw/rxe/rxe_param.h
+@@ -108,7 +108,7 @@ enum rxe_device_param {
+ /* default/initial rxe port parameters */
+ enum rxe_port_param {
+ RXE_PORT_GID_TBL_LEN = 1024,
+- RXE_PORT_PORT_CAP_FLAGS = RDMA_CORE_CAP_PROT_ROCE_UDP_ENCAP,
++ RXE_PORT_PORT_CAP_FLAGS = IB_PORT_CM_SUP,
+ RXE_PORT_MAX_MSG_SZ = 0x800000,
+ RXE_PORT_BAD_PKEY_CNTR = 0,
+ RXE_PORT_QKEY_VIOL_CNTR = 0,
+--
+2.33.0
+
--- /dev/null
+From 645dd5494e6ce01853cc065b7ed32680339f041f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Sep 2021 13:37:32 +0200
+Subject: remoteproc: Fix a memory leak in an error handling path in
+ 'rproc_handle_vdev()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 0374a4ea7269645c46c3eb288526ea072fa19e79 ]
+
+If 'copy_dma_range_map() fails, the memory allocated for 'rvdev' will leak.
+Move the 'copy_dma_range_map()' call after the device registration so
+that 'rproc_rvdev_release()' can be called to free some resources.
+
+Also, branch to the error handling path if 'copy_dma_range_map()' instead
+of a direct return to avoid some other leaks.
+
+Fixes: e0d072782c73 ("dma-mapping: introduce DMA range map, supplanting dma_pfn_offset")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Jim Quinlan <james.quinlan@broadcom.com>
+Reviewed-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Link: https://lore.kernel.org/r/e6d0dad6620da4fdf847faa903f79b735d35f262.1630755377.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/remoteproc/remoteproc_core.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/remoteproc/remoteproc_core.c b/drivers/remoteproc/remoteproc_core.c
+index 47924d5ed4f56..369a97f3eca99 100644
+--- a/drivers/remoteproc/remoteproc_core.c
++++ b/drivers/remoteproc/remoteproc_core.c
+@@ -550,9 +550,6 @@ static int rproc_handle_vdev(struct rproc *rproc, struct fw_rsc_vdev *rsc,
+ /* Initialise vdev subdevice */
+ snprintf(name, sizeof(name), "vdev%dbuffer", rvdev->index);
+ rvdev->dev.parent = &rproc->dev;
+- ret = copy_dma_range_map(&rvdev->dev, rproc->dev.parent);
+- if (ret)
+- return ret;
+ rvdev->dev.release = rproc_rvdev_release;
+ dev_set_name(&rvdev->dev, "%s#%s", dev_name(rvdev->dev.parent), name);
+ dev_set_drvdata(&rvdev->dev, rvdev);
+@@ -562,6 +559,11 @@ static int rproc_handle_vdev(struct rproc *rproc, struct fw_rsc_vdev *rsc,
+ put_device(&rvdev->dev);
+ return ret;
+ }
++
++ ret = copy_dma_range_map(&rvdev->dev, rproc->dev.parent);
++ if (ret)
++ goto free_rvdev;
++
+ /* Make device dma capable by inheriting from parent's capabilities */
+ set_dma_ops(&rvdev->dev, get_dma_ops(rproc->dev.parent));
+
+--
+2.33.0
+
--- /dev/null
+From d2020546924ad497e78fc1ebee38d2aa46b295f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jul 2021 14:39:12 +0200
+Subject: rpmsg: Fix rpmsg_create_ept return when RPMSG config is not defined
+
+From: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>
+
+[ Upstream commit 537d3af1bee8ad1415fda9b622d1ea6d1ae76dfa ]
+
+According to the description of the rpmsg_create_ept in rpmsg_core.c
+the function should return NULL on error.
+
+Fixes: 2c8a57088045 ("rpmsg: Provide function stubs for API")
+Signed-off-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>
+Reviewed-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Link: https://lore.kernel.org/r/20210712123912.10672-1-arnaud.pouliquen@foss.st.com
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/rpmsg.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/rpmsg.h b/include/linux/rpmsg.h
+index 9fe156d1c018e..a68972b097b72 100644
+--- a/include/linux/rpmsg.h
++++ b/include/linux/rpmsg.h
+@@ -177,7 +177,7 @@ static inline struct rpmsg_endpoint *rpmsg_create_ept(struct rpmsg_device *rpdev
+ /* This shouldn't be possible */
+ WARN_ON(1);
+
+- return ERR_PTR(-ENXIO);
++ return NULL;
+ }
+
+ static inline int rpmsg_send(struct rpmsg_endpoint *ept, void *data, int len)
+--
+2.33.0
+
--- /dev/null
+From 2127266a9eca52cc137f5bf927f16fda6f1e8bae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Oct 2021 12:03:35 +0800
+Subject: rsi: stop thread firstly in rsi_91x_init() error handling
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+[ Upstream commit 515e7184bdf0a3ebf1757cc77fb046b4fe282189 ]
+
+When fail to init coex module, free 'common' and 'adapter' directly, but
+common->tx_thread which will access 'common' and 'adapter' is running at
+the same time. That will trigger the UAF bug.
+
+==================================================================
+BUG: KASAN: use-after-free in rsi_tx_scheduler_thread+0x50f/0x520 [rsi_91x]
+Read of size 8 at addr ffff8880076dc000 by task Tx-Thread/124777
+CPU: 0 PID: 124777 Comm: Tx-Thread Not tainted 5.15.0-rc5+ #19
+Call Trace:
+ dump_stack_lvl+0xe2/0x152
+ print_address_description.constprop.0+0x21/0x140
+ ? rsi_tx_scheduler_thread+0x50f/0x520
+ kasan_report.cold+0x7f/0x11b
+ ? rsi_tx_scheduler_thread+0x50f/0x520
+ rsi_tx_scheduler_thread+0x50f/0x520
+...
+
+Freed by task 111873:
+ kasan_save_stack+0x1b/0x40
+ kasan_set_track+0x1c/0x30
+ kasan_set_free_info+0x20/0x30
+ __kasan_slab_free+0x109/0x140
+ kfree+0x117/0x4c0
+ rsi_91x_init+0x741/0x8a0 [rsi_91x]
+ rsi_probe+0x9f/0x1750 [rsi_usb]
+
+Stop thread before free 'common' and 'adapter' to fix it.
+
+Fixes: 2108df3c4b18 ("rsi: add coex support")
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20211015040335.1021546-1-william.xuanziyang@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/rsi/rsi_91x_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/rsi/rsi_91x_main.c b/drivers/net/wireless/rsi/rsi_91x_main.c
+index 0a2f8b4f447bd..8c638cfeac52f 100644
+--- a/drivers/net/wireless/rsi/rsi_91x_main.c
++++ b/drivers/net/wireless/rsi/rsi_91x_main.c
+@@ -369,6 +369,7 @@ struct rsi_hw *rsi_91x_init(u16 oper_mode)
+ if (common->coex_mode > 1) {
+ if (rsi_coex_attach(common)) {
+ rsi_dbg(ERR_ZONE, "Failed to init coex module\n");
++ rsi_kill_thread(&common->tx_thread);
+ goto err;
+ }
+ }
+--
+2.33.0
+
--- /dev/null
+From ae97deb6de59fb940585f0493616ada2e9474c8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Oct 2021 13:10:28 +0300
+Subject: rtc: rv3032: fix error handling in rv3032_clkout_set_rate()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit c3336b8ac6091df60a5c1049a8c685d0b947cc61 ]
+
+Do not call rv3032_exit_eerd() if the enter function fails but don't
+forget to call the exit when the enter succeeds.
+
+Fixes: 2eeaa532acca ("rtc: rv3032: Add a driver for Microcrystal RV-3032")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Link: https://lore.kernel.org/r/20211012101028.GT2083@kadam
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-rv3032.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/rtc/rtc-rv3032.c b/drivers/rtc/rtc-rv3032.c
+index 3e67f71f42614..9e6166864bd73 100644
+--- a/drivers/rtc/rtc-rv3032.c
++++ b/drivers/rtc/rtc-rv3032.c
+@@ -617,11 +617,11 @@ static int rv3032_clkout_set_rate(struct clk_hw *hw, unsigned long rate,
+
+ ret = rv3032_enter_eerd(rv3032, &eerd);
+ if (ret)
+- goto exit_eerd;
++ return ret;
+
+ ret = regmap_write(rv3032->regmap, RV3032_CLKOUT1, hfd & 0xff);
+ if (ret)
+- return ret;
++ goto exit_eerd;
+
+ ret = regmap_write(rv3032->regmap, RV3032_CLKOUT2, RV3032_CLKOUT2_OS |
+ FIELD_PREP(RV3032_CLKOUT2_HFD_MSK, hfd >> 8));
+--
+2.33.0
+
--- /dev/null
+From 3c523aae56ab42a3c01ea6599610d68a04cc030f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Sep 2021 19:18:30 +0800
+Subject: rtw88: fix RX clock gate setting while fifo dump
+
+From: Zong-Zhe Yang <kevin_yang@realtek.com>
+
+[ Upstream commit c5a8e90730a322f236731fc347dd3afa5db5550e ]
+
+When fw fifo dumps, RX clock gating should be disabled to avoid
+something unexpected. However, the register operation ran into
+a mistake. So, we fix it.
+
+Signed-off-by: Zong-Zhe Yang <kevin_yang@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210927111830.5354-1-pkshih@realtek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw88/fw.c | 7 +++----
+ drivers/net/wireless/realtek/rtw88/reg.h | 1 +
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw88/fw.c b/drivers/net/wireless/realtek/rtw88/fw.c
+index 0452630bcfacc..40bcfabd2d214 100644
+--- a/drivers/net/wireless/realtek/rtw88/fw.c
++++ b/drivers/net/wireless/realtek/rtw88/fw.c
+@@ -1421,12 +1421,10 @@ static void rtw_fw_read_fifo_page(struct rtw_dev *rtwdev, u32 offset, u32 size,
+ u32 i;
+ u16 idx = 0;
+ u16 ctl;
+- u8 rcr;
+
+- rcr = rtw_read8(rtwdev, REG_RCR + 2);
+ ctl = rtw_read16(rtwdev, REG_PKTBUF_DBG_CTRL) & 0xf000;
+ /* disable rx clock gate */
+- rtw_write8(rtwdev, REG_RCR, rcr | BIT(3));
++ rtw_write32_set(rtwdev, REG_RCR, BIT_DISGCLK);
+
+ do {
+ rtw_write16(rtwdev, REG_PKTBUF_DBG_CTRL, start_pg | ctl);
+@@ -1445,7 +1443,8 @@ static void rtw_fw_read_fifo_page(struct rtw_dev *rtwdev, u32 offset, u32 size,
+
+ out:
+ rtw_write16(rtwdev, REG_PKTBUF_DBG_CTRL, ctl);
+- rtw_write8(rtwdev, REG_RCR + 2, rcr);
++ /* restore rx clock gate */
++ rtw_write32_clr(rtwdev, REG_RCR, BIT_DISGCLK);
+ }
+
+ static void rtw_fw_read_fifo(struct rtw_dev *rtwdev, enum rtw_fw_fifo_sel sel,
+diff --git a/drivers/net/wireless/realtek/rtw88/reg.h b/drivers/net/wireless/realtek/rtw88/reg.h
+index aca3dbdc2d5a5..9088bfb2a3157 100644
+--- a/drivers/net/wireless/realtek/rtw88/reg.h
++++ b/drivers/net/wireless/realtek/rtw88/reg.h
+@@ -400,6 +400,7 @@
+ #define BIT_MFBEN BIT(22)
+ #define BIT_DISCHKPPDLLEN BIT(21)
+ #define BIT_PKTCTL_DLEN BIT(20)
++#define BIT_DISGCLK BIT(19)
+ #define BIT_TIM_PARSER_EN BIT(18)
+ #define BIT_BC_MD_EN BIT(17)
+ #define BIT_UC_MD_EN BIT(16)
+--
+2.33.0
+
--- /dev/null
+From 16833b8cd40888f83edf8ea2cd5e676e01f9b6dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Sep 2021 03:18:37 +0000
+Subject: rxrpc: Fix _usecs_to_jiffies() by using usecs_to_jiffies()
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit acde891c243c1ed85b19d4d5042bdf00914f5739 ]
+
+Directly using _usecs_to_jiffies() might be unsafe, so it's
+better to use usecs_to_jiffies() instead.
+Because we can see that the result of _usecs_to_jiffies()
+could be larger than MAX_JIFFY_OFFSET values without the
+check of the input.
+
+Fixes: c410bf01933e ("Fix the excessive initial retransmission timeout")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/rtt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/rxrpc/rtt.c b/net/rxrpc/rtt.c
+index 4e565eeab4260..be61d6f5be8d1 100644
+--- a/net/rxrpc/rtt.c
++++ b/net/rxrpc/rtt.c
+@@ -22,7 +22,7 @@ static u32 rxrpc_rto_min_us(struct rxrpc_peer *peer)
+
+ static u32 __rxrpc_set_rto(const struct rxrpc_peer *peer)
+ {
+- return _usecs_to_jiffies((peer->srtt_us >> 3) + peer->rttvar_us);
++ return usecs_to_jiffies((peer->srtt_us >> 3) + peer->rttvar_us);
+ }
+
+ static u32 rxrpc_bound_rto(u32 rto)
+--
+2.33.0
+
--- /dev/null
+From 3bf3ae912de5da7b1ebafbd733569923940ad101 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Sep 2021 18:22:41 +0200
+Subject: s390/gmap: don't unconditionally call pte_unmap_unlock() in
+ __gmap_zap()
+
+From: David Hildenbrand <david@redhat.com>
+
+[ Upstream commit b159f94c86b43cf7e73e654bc527255b1f4eafc4 ]
+
+... otherwise we will try unlocking a spinlock that was never locked via a
+garbage pointer.
+
+At the time we reach this code path, we usually successfully looked up
+a PGSTE already; however, evil user space could have manipulated the VMA
+layout in the meantime and triggered removal of the page table.
+
+Fixes: 1e133ab296f3 ("s390/mm: split arch/s390/mm/pgtable.c")
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Acked-by: Heiko Carstens <hca@linux.ibm.com>
+Link: https://lore.kernel.org/r/20210909162248.14969-3-david@redhat.com
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/mm/gmap.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c
+index 64795d0349263..f2d19d40272cf 100644
+--- a/arch/s390/mm/gmap.c
++++ b/arch/s390/mm/gmap.c
+@@ -684,9 +684,10 @@ void __gmap_zap(struct gmap *gmap, unsigned long gaddr)
+ vmaddr |= gaddr & ~PMD_MASK;
+ /* Get pointer to the page table entry */
+ ptep = get_locked_pte(gmap->mm, vmaddr, &ptl);
+- if (likely(ptep))
++ if (likely(ptep)) {
+ ptep_zap_unused(gmap->mm, vmaddr, ptep, 0);
+- pte_unmap_unlock(ptep, ptl);
++ pte_unmap_unlock(ptep, ptl);
++ }
+ }
+ }
+ EXPORT_SYMBOL_GPL(__gmap_zap);
+--
+2.33.0
+
--- /dev/null
+From 42ee8c337c9dcfe960d04531bf64b3355eaddca6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Oct 2021 09:51:28 +0800
+Subject: samples/kretprobes: Fix return value if register_kretprobe() failed
+
+From: Tiezhu Yang <yangtiezhu@loongson.cn>
+
+[ Upstream commit f76fbbbb5061fe14824ba5807c44bd7400a6b4e1 ]
+
+Use the actual return value instead of always -1 if register_kretprobe()
+failed.
+
+E.g. without this patch:
+
+ # insmod samples/kprobes/kretprobe_example.ko func=no_such_func
+ insmod: ERROR: could not insert module samples/kprobes/kretprobe_example.ko: Operation not permitted
+
+With this patch:
+
+ # insmod samples/kprobes/kretprobe_example.ko func=no_such_func
+ insmod: ERROR: could not insert module samples/kprobes/kretprobe_example.ko: Unknown symbol in module
+
+Link: https://lkml.kernel.org/r/1635213091-24387-2-git-send-email-yangtiezhu@loongson.cn
+
+Fixes: 804defea1c02 ("Kprobes: move kprobe examples to samples/")
+Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
+Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/kprobes/kretprobe_example.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/samples/kprobes/kretprobe_example.c b/samples/kprobes/kretprobe_example.c
+index 5dc1bf3baa98b..228321ecb1616 100644
+--- a/samples/kprobes/kretprobe_example.c
++++ b/samples/kprobes/kretprobe_example.c
+@@ -86,7 +86,7 @@ static int __init kretprobe_init(void)
+ ret = register_kretprobe(&my_kretprobe);
+ if (ret < 0) {
+ pr_err("register_kretprobe failed, returned %d\n", ret);
+- return -1;
++ return ret;
+ }
+ pr_info("Planted return probe at %s: %p\n",
+ my_kretprobe.kp.symbol_name, my_kretprobe.kp.addr);
+--
+2.33.0
+
--- /dev/null
+From 1149bcf4ff9b0dfa0856cee58e7883f0da6f0414 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Oct 2021 10:32:43 +0300
+Subject: scsi: csiostor: Uninitialized data in csio_ln_vnp_read_cbfn()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit f4875d509a0a78ad294a1a538d534b5ba94e685a ]
+
+This variable is just a temporary variable, used to do an endian
+conversion. The problem is that the last byte is not initialized. After
+the conversion is completely done, the last byte is discarded so it doesn't
+cause a problem. But static checkers and the KMSan runtime checker can
+detect the uninitialized read and will complain about it.
+
+Link: https://lore.kernel.org/r/20211006073242.GA8404@kili
+Fixes: 5036f0a0ecd3 ("[SCSI] csiostor: Fix sparse warnings.")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/csiostor/csio_lnode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/csiostor/csio_lnode.c b/drivers/scsi/csiostor/csio_lnode.c
+index dc98f51f466fb..d5ac938970232 100644
+--- a/drivers/scsi/csiostor/csio_lnode.c
++++ b/drivers/scsi/csiostor/csio_lnode.c
+@@ -619,7 +619,7 @@ csio_ln_vnp_read_cbfn(struct csio_hw *hw, struct csio_mb *mbp)
+ struct fc_els_csp *csp;
+ struct fc_els_cssp *clsp;
+ enum fw_retval retval;
+- __be32 nport_id;
++ __be32 nport_id = 0;
+
+ retval = FW_CMD_RETVAL_G(ntohl(rsp->alloc_to_len16));
+ if (retval != FW_SUCCESS) {
+--
+2.33.0
+
--- /dev/null
+From 6b1c8e9c3b4d71427c4eed81ea0c3fb32b2fa933 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Sep 2021 21:07:02 -0700
+Subject: scsi: dc395: Fix error case unwinding
+
+From: Tong Zhang <ztong0001@gmail.com>
+
+[ Upstream commit cbd9a3347c757383f3d2b50cf7cfd03eb479c481 ]
+
+dc395x_init_one()->adapter_init() might fail. In this case, the acb is
+already cleaned up by adapter_init(), no need to do that in
+adapter_uninit(acb) again.
+
+[ 1.252251] dc395x: adapter init failed
+[ 1.254900] RIP: 0010:adapter_uninit+0x94/0x170 [dc395x]
+[ 1.260307] Call Trace:
+[ 1.260442] dc395x_init_one.cold+0x72a/0x9bb [dc395x]
+
+Link: https://lore.kernel.org/r/20210907040702.1846409-1-ztong0001@gmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Finn Thain <fthain@linux-m68k.org>
+Signed-off-by: Tong Zhang <ztong0001@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/dc395x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/dc395x.c b/drivers/scsi/dc395x.c
+index fa16894d8758c..6cb48ae8e1241 100644
+--- a/drivers/scsi/dc395x.c
++++ b/drivers/scsi/dc395x.c
+@@ -4658,6 +4658,7 @@ static int dc395x_init_one(struct pci_dev *dev, const struct pci_device_id *id)
+ /* initialise the adapter and everything we need */
+ if (adapter_init(acb, io_port_base, io_port_len, irq)) {
+ dprintkl(KERN_INFO, "adapter init failed\n");
++ acb = NULL;
+ goto fail;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 70a746b4fa320cf3f9fcf01daeb1c19d4c534a3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Sep 2021 19:58:47 -0700
+Subject: scsi: pm80xx: Fix misleading log statement in
+ pm8001_mpi_get_nvmd_resp()
+
+From: Igor Pylypiv <ipylypiv@google.com>
+
+[ Upstream commit 4084a7235d38311a77c86ba69ba849bd787db87b ]
+
+pm8001_mpi_get_nvmd_resp() handles a GET_NVMD_DATA response, not a
+SET_NVMD_DATA response, as the log statement implies.
+
+Fixes: 1f889b58716a ("scsi: pm80xx: Fix pm8001_mpi_get_nvmd_resp() race condition")
+Link: https://lore.kernel.org/r/20210929025847.646999-1-ipylypiv@google.com
+Reviewed-by: Changyuan Lyu <changyuanl@google.com>
+Acked-by: Jack Wang <jinpu.wang@ionos.com>
+Signed-off-by: Igor Pylypiv <ipylypiv@google.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/pm8001/pm8001_hwi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/pm8001/pm8001_hwi.c b/drivers/scsi/pm8001/pm8001_hwi.c
+index 2114d2dd3501a..5d751628a6340 100644
+--- a/drivers/scsi/pm8001/pm8001_hwi.c
++++ b/drivers/scsi/pm8001/pm8001_hwi.c
+@@ -3107,7 +3107,7 @@ pm8001_mpi_get_nvmd_resp(struct pm8001_hba_info *pm8001_ha, void *piomb)
+ * fw_control_context->usrAddr
+ */
+ complete(pm8001_ha->nvmd_completion);
+- pm8001_dbg(pm8001_ha, MSG, "Set nvm data complete!\n");
++ pm8001_dbg(pm8001_ha, MSG, "Get nvmd data complete!\n");
+ ccb->task = NULL;
+ ccb->ccb_tag = 0xFFFFFFFF;
+ pm8001_tag_free(pm8001_ha, tag);
+--
+2.33.0
+
--- /dev/null
+From 5eb35295446da12be6abec4a3572f72784039aa8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 21:37:10 -0700
+Subject: scsi: qla2xxx: Changes to support FCP2 Target
+
+From: Saurav Kashyap <skashyap@marvell.com>
+
+[ Upstream commit 44c57f205876518b14ab2b4b5d88a181f41260bb ]
+
+Add changes to support FCP2 Target.
+
+Link: https://lore.kernel.org/r/20210810043720.1137-5-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Saurav Kashyap <skashyap@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_dbg.c | 3 +--
+ drivers/scsi/qla2xxx/qla_init.c | 6 ++++++
+ drivers/scsi/qla2xxx/qla_os.c | 10 ++++++++++
+ 3 files changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_dbg.c b/drivers/scsi/qla2xxx/qla_dbg.c
+index 144a893e7335b..3a20bf8ce5ab9 100644
+--- a/drivers/scsi/qla2xxx/qla_dbg.c
++++ b/drivers/scsi/qla2xxx/qla_dbg.c
+@@ -12,8 +12,7 @@
+ * ----------------------------------------------------------------------
+ * | Module Init and Probe | 0x0199 | |
+ * | Mailbox commands | 0x1206 | 0x11a5-0x11ff |
+- * | Device Discovery | 0x2134 | 0x210e-0x2116 |
+- * | | | 0x211a |
++ * | Device Discovery | 0x2134 | 0x210e-0x2115 |
+ * | | | 0x211c-0x2128 |
+ * | | | 0x212c-0x2134 |
+ * | Queue Command and IO tracing | 0x3074 | 0x300b |
+diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
+index b7aac3116f2db..e893b42e51a35 100644
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -1710,6 +1710,12 @@ void qla2x00_handle_rscn(scsi_qla_host_t *vha, struct event_arg *ea)
+
+ fcport = qla2x00_find_fcport_by_nportid(vha, &ea->id, 1);
+ if (fcport) {
++ if (fcport->flags & FCF_FCP2_DEVICE) {
++ ql_dbg(ql_dbg_disc, vha, 0x2115,
++ "Delaying session delete for FCP2 portid=%06x %8phC ",
++ fcport->d_id.b24, fcport->port_name);
++ return;
++ }
+ fcport->scan_needed = 1;
+ fcport->rscn_gen++;
+ }
+diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
+index 813abaf1b0872..30ce84468c759 100644
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -3955,6 +3955,16 @@ qla2x00_mark_all_devices_lost(scsi_qla_host_t *vha)
+ "Mark all dev lost\n");
+
+ list_for_each_entry(fcport, &vha->vp_fcports, list) {
++ if (fcport->loop_id != FC_NO_LOOP_ID &&
++ (fcport->flags & FCF_FCP2_DEVICE) &&
++ fcport->port_type == FCT_TARGET &&
++ !qla2x00_reset_active(vha)) {
++ ql_dbg(ql_dbg_disc, vha, 0x211a,
++ "Delaying session delete for FCP2 flags 0x%x port_type = 0x%x port_id=%06x %phC",
++ fcport->flags, fcport->port_type,
++ fcport->d_id.b24, fcport->port_name);
++ continue;
++ }
+ fcport->scan_state = 0;
+ qlt_schedule_sess_for_deletion(fcport);
+ }
+--
+2.33.0
+
--- /dev/null
+From 7a785da2a0077063e7ef92ecbc0d3b031bdfcd27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Oct 2021 04:54:01 -0700
+Subject: scsi: qla2xxx: Fix gnl list corruption
+
+From: Quinn Tran <qutran@marvell.com>
+
+[ Upstream commit c98c5daaa24b583cba1369b7d167f93c6ae7299c ]
+
+Current code does list element deletion and addition in and out of lock
+protection. This patch moves deletion behind lock.
+
+list_add double add: new=ffff9130b5eb89f8, prev=ffff9130b5eb89f8,
+ next=ffff9130c6a715f0.
+ ------------[ cut here ]------------
+ kernel BUG at lib/list_debug.c:31!
+ invalid opcode: 0000 [#1] SMP PTI
+ CPU: 1 PID: 182395 Comm: kworker/1:37 Kdump: loaded Tainted: G W OE
+ --------- - - 4.18.0-193.el8.x86_64 #1
+ Hardware name: HP ProLiant DL160 Gen8, BIOS J03 02/10/2014
+ Workqueue: qla2xxx_wq qla2x00_iocb_work_fn [qla2xxx]
+ RIP: 0010:__list_add_valid+0x41/0x50
+ Code: 85 94 00 00 00 48 39 c7 74 0b 48 39 d7 74 06 b8 01 00 00 00 c3 48 89 f2
+ 4c 89 c1 48 89 fe 48 c7 c7 60 83 ad 97 e8 4d bd ce ff <0f> 0b 0f 1f 00 66 2e
+ 0f 1f 84 00 00 00 00 00 48 8b 07 48 8b 57 08
+ RSP: 0018:ffffaba306f47d68 EFLAGS: 00010046
+ RAX: 0000000000000058 RBX: ffff9130b5eb8800 RCX: 0000000000000006
+ RDX: 0000000000000000 RSI: 0000000000000096 RDI: ffff9130b7456a00
+ RBP: ffff9130c6a70a58 R08: 000000000008d7be R09: 0000000000000001
+ R10: 0000000000000000 R11: 0000000000000001 R12: ffff9130c6a715f0
+ R13: ffff9130b5eb8824 R14: ffff9130b5eb89f8 R15: ffff9130b5eb89f8
+ FS: 0000000000000000(0000) GS:ffff9130b7440000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007efcaaef11a0 CR3: 000000005200a002 CR4: 00000000000606e0
+ Call Trace:
+ qla24xx_async_gnl+0x113/0x3c0 [qla2xxx]
+ ? qla2x00_iocb_work_fn+0x53/0x80 [qla2xxx]
+ ? process_one_work+0x1a7/0x3b0
+ ? worker_thread+0x30/0x390
+ ? create_worker+0x1a0/0x1a0
+ ? kthread+0x112/0x130
+
+Link: https://lore.kernel.org/r/20211026115412.27691-3-njavali@marvell.com
+Fixes: 726b85487067 ("qla2xxx: Add framework for async fabric discovery")
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_init.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
+index 5bbdaefb44efc..fdae25ec554d9 100644
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -976,8 +976,6 @@ static void qla24xx_async_gnl_sp_done(srb_t *sp, int res)
+ sp->name, res, sp->u.iocb_cmd.u.mbx.in_mb[1],
+ sp->u.iocb_cmd.u.mbx.in_mb[2]);
+
+- if (res == QLA_FUNCTION_TIMEOUT)
+- return;
+
+ sp->fcport->flags &= ~(FCF_ASYNC_SENT|FCF_ASYNC_ACTIVE);
+ memset(&ea, 0, sizeof(ea));
+@@ -1015,8 +1013,8 @@ static void qla24xx_async_gnl_sp_done(srb_t *sp, int res)
+ spin_unlock_irqrestore(&vha->hw->tgt.sess_lock, flags);
+
+ list_for_each_entry_safe(fcport, tf, &h, gnl_entry) {
+- list_del_init(&fcport->gnl_entry);
+ spin_lock_irqsave(&vha->hw->tgt.sess_lock, flags);
++ list_del_init(&fcport->gnl_entry);
+ fcport->flags &= ~(FCF_ASYNC_SENT | FCF_ASYNC_ACTIVE);
+ spin_unlock_irqrestore(&vha->hw->tgt.sess_lock, flags);
+ ea.fcport = fcport;
+--
+2.33.0
+
--- /dev/null
+From bf5045aba325e8e50fb5dd72d343598008d7ae28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Oct 2021 04:54:00 -0700
+Subject: scsi: qla2xxx: Relogin during fabric disturbance
+
+From: Quinn Tran <qutran@marvell.com>
+
+[ Upstream commit bb2ca6b3f09ac20e8357d257d0557ab5ddf6adcd ]
+
+For RSCN of type "Area, Domain, or Fabric", which indicate a portion or
+entire fabric was disturbed, current driver does not set the scan_need flag
+to indicate a session was affected by the disturbance. This in turn can
+lead to I/O timeout and delay of relogin. Hence initiate relogin in the
+event of fabric disturbance.
+
+Link: https://lore.kernel.org/r/20211026115412.27691-2-njavali@marvell.com
+Fixes: 1560bafdff9e ("scsi: qla2xxx: Use complete switch scan for RSCN events")
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_init.c | 56 +++++++++++++++++++++++++++------
+ 1 file changed, 46 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
+index e893b42e51a35..5bbdaefb44efc 100644
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -1708,16 +1708,52 @@ void qla2x00_handle_rscn(scsi_qla_host_t *vha, struct event_arg *ea)
+ fc_port_t *fcport;
+ unsigned long flags;
+
+- fcport = qla2x00_find_fcport_by_nportid(vha, &ea->id, 1);
+- if (fcport) {
+- if (fcport->flags & FCF_FCP2_DEVICE) {
+- ql_dbg(ql_dbg_disc, vha, 0x2115,
+- "Delaying session delete for FCP2 portid=%06x %8phC ",
+- fcport->d_id.b24, fcport->port_name);
+- return;
+- }
+- fcport->scan_needed = 1;
+- fcport->rscn_gen++;
++ switch (ea->id.b.rsvd_1) {
++ case RSCN_PORT_ADDR:
++ fcport = qla2x00_find_fcport_by_nportid(vha, &ea->id, 1);
++ if (fcport) {
++ if (fcport->flags & FCF_FCP2_DEVICE) {
++ ql_dbg(ql_dbg_disc, vha, 0x2115,
++ "Delaying session delete for FCP2 portid=%06x %8phC ",
++ fcport->d_id.b24, fcport->port_name);
++ return;
++ }
++ fcport->scan_needed = 1;
++ fcport->rscn_gen++;
++ }
++ break;
++ case RSCN_AREA_ADDR:
++ list_for_each_entry(fcport, &vha->vp_fcports, list) {
++ if (fcport->flags & FCF_FCP2_DEVICE)
++ continue;
++
++ if ((ea->id.b24 & 0xffff00) == (fcport->d_id.b24 & 0xffff00)) {
++ fcport->scan_needed = 1;
++ fcport->rscn_gen++;
++ }
++ }
++ break;
++ case RSCN_DOM_ADDR:
++ list_for_each_entry(fcport, &vha->vp_fcports, list) {
++ if (fcport->flags & FCF_FCP2_DEVICE)
++ continue;
++
++ if ((ea->id.b24 & 0xff0000) == (fcport->d_id.b24 & 0xff0000)) {
++ fcport->scan_needed = 1;
++ fcport->rscn_gen++;
++ }
++ }
++ break;
++ case RSCN_FAB_ADDR:
++ default:
++ list_for_each_entry(fcport, &vha->vp_fcports, list) {
++ if (fcport->flags & FCF_FCP2_DEVICE)
++ continue;
++
++ fcport->scan_needed = 1;
++ fcport->rscn_gen++;
++ }
++ break;
+ }
+
+ spin_lock_irqsave(&vha->work_lock, flags);
+--
+2.33.0
+
--- /dev/null
+From 27923b4a8cd06ebce49da0960e86bbf678b606dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Oct 2021 04:54:02 -0700
+Subject: scsi: qla2xxx: Turn off target reset during issue_lip
+
+From: Quinn Tran <qutran@marvell.com>
+
+[ Upstream commit 0b7a9fd934a68ebfc1019811b7bdc1742072ad7b ]
+
+When user uses issue_lip to do link bounce, driver sends additional target
+reset to remote device before resetting the link. The target reset would
+affect other paths with active I/Os. This patch will remove the unnecessary
+target reset.
+
+Link: https://lore.kernel.org/r/20211026115412.27691-4-njavali@marvell.com
+Fixes: 5854771e314e ("[SCSI] qla2xxx: Add ISPFX00 specific bus reset routine")
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_gbl.h | 2 --
+ drivers/scsi/qla2xxx/qla_mr.c | 23 -----------------------
+ drivers/scsi/qla2xxx/qla_os.c | 27 ++-------------------------
+ 3 files changed, 2 insertions(+), 50 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_gbl.h b/drivers/scsi/qla2xxx/qla_gbl.h
+index e39b4f2da73a0..3bc1850273421 100644
+--- a/drivers/scsi/qla2xxx/qla_gbl.h
++++ b/drivers/scsi/qla2xxx/qla_gbl.h
+@@ -158,7 +158,6 @@ extern int ql2xasynctmfenable;
+ extern int ql2xgffidenable;
+ extern int ql2xenabledif;
+ extern int ql2xenablehba_err_chk;
+-extern int ql2xtargetreset;
+ extern int ql2xdontresethba;
+ extern uint64_t ql2xmaxlun;
+ extern int ql2xmdcapmask;
+@@ -791,7 +790,6 @@ extern void qlafx00_abort_iocb(srb_t *, struct abort_iocb_entry_fx00 *);
+ extern void qlafx00_fxdisc_iocb(srb_t *, struct fxdisc_entry_fx00 *);
+ extern void qlafx00_timer_routine(scsi_qla_host_t *);
+ extern int qlafx00_rescan_isp(scsi_qla_host_t *);
+-extern int qlafx00_loop_reset(scsi_qla_host_t *vha);
+
+ /* qla82xx related functions */
+
+diff --git a/drivers/scsi/qla2xxx/qla_mr.c b/drivers/scsi/qla2xxx/qla_mr.c
+index ca73066853255..7178646ee0f06 100644
+--- a/drivers/scsi/qla2xxx/qla_mr.c
++++ b/drivers/scsi/qla2xxx/qla_mr.c
+@@ -738,29 +738,6 @@ qlafx00_lun_reset(fc_port_t *fcport, uint64_t l, int tag)
+ return qla2x00_async_tm_cmd(fcport, TCF_LUN_RESET, l, tag);
+ }
+
+-int
+-qlafx00_loop_reset(scsi_qla_host_t *vha)
+-{
+- int ret;
+- struct fc_port *fcport;
+- struct qla_hw_data *ha = vha->hw;
+-
+- if (ql2xtargetreset) {
+- list_for_each_entry(fcport, &vha->vp_fcports, list) {
+- if (fcport->port_type != FCT_TARGET)
+- continue;
+-
+- ret = ha->isp_ops->target_reset(fcport, 0, 0);
+- if (ret != QLA_SUCCESS) {
+- ql_dbg(ql_dbg_taskm, vha, 0x803d,
+- "Bus Reset failed: Reset=%d "
+- "d_id=%x.\n", ret, fcport->d_id.b24);
+- }
+- }
+- }
+- return QLA_SUCCESS;
+-}
+-
+ int
+ qlafx00_iospace_config(struct qla_hw_data *ha)
+ {
+diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
+index 30ce84468c759..e7f73a167fbd6 100644
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -197,12 +197,6 @@ MODULE_PARM_DESC(ql2xdbwr,
+ " 0 -- Regular doorbell.\n"
+ " 1 -- CAMRAM doorbell (faster).\n");
+
+-int ql2xtargetreset = 1;
+-module_param(ql2xtargetreset, int, S_IRUGO);
+-MODULE_PARM_DESC(ql2xtargetreset,
+- "Enable target reset."
+- "Default is 1 - use hw defaults.");
+-
+ int ql2xgffidenable;
+ module_param(ql2xgffidenable, int, S_IRUGO);
+ MODULE_PARM_DESC(ql2xgffidenable,
+@@ -1652,27 +1646,10 @@ int
+ qla2x00_loop_reset(scsi_qla_host_t *vha)
+ {
+ int ret;
+- struct fc_port *fcport;
+ struct qla_hw_data *ha = vha->hw;
+
+- if (IS_QLAFX00(ha)) {
+- return qlafx00_loop_reset(vha);
+- }
+-
+- if (ql2xtargetreset == 1 && ha->flags.enable_target_reset) {
+- list_for_each_entry(fcport, &vha->vp_fcports, list) {
+- if (fcport->port_type != FCT_TARGET)
+- continue;
+-
+- ret = ha->isp_ops->target_reset(fcport, 0, 0);
+- if (ret != QLA_SUCCESS) {
+- ql_dbg(ql_dbg_taskm, vha, 0x802c,
+- "Bus Reset failed: Reset=%d "
+- "d_id=%x.\n", ret, fcport->d_id.b24);
+- }
+- }
+- }
+-
++ if (IS_QLAFX00(ha))
++ return QLA_SUCCESS;
+
+ if (ha->flags.enable_lip_full_login && !IS_CNA_CAPABLE(ha)) {
+ atomic_set(&vha->loop_state, LOOP_DOWN);
+--
+2.33.0
+
--- /dev/null
+From 48e57f57c5a0a3620a9aedf13f4ced700a179069 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Nov 2020 18:01:00 -0800
+Subject: scsi: ufs: Refactor ufshcd_setup_clocks() to remove skip_ref_clk
+
+From: Can Guo <cang@codeaurora.org>
+
+[ Upstream commit 81309c247a4dcd597cbda5254fd0afdd61b93f14 ]
+
+Remove the param skip_ref_clk from __ufshcd_setup_clocks(), but keep a flag
+in struct ufs_clk_info to tell whether a clock can be disabled or not while
+the link is active.
+
+Link: https://lore.kernel.org/r/1606356063-38380-2-git-send-email-cang@codeaurora.org
+Reviewed-by: Hongwu Su <hongwus@codeaurora.org>
+Reviewed-by: Bean Huo <beanhuo@micron.com>
+Reviewed-by: Stanley Chu <stanley.chu@mediatek.com>
+Signed-off-by: Can Guo <cang@codeaurora.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufshcd-pltfrm.c | 2 ++
+ drivers/scsi/ufs/ufshcd.c | 29 +++++++++--------------------
+ drivers/scsi/ufs/ufshcd.h | 3 +++
+ 3 files changed, 14 insertions(+), 20 deletions(-)
+
+diff --git a/drivers/scsi/ufs/ufshcd-pltfrm.c b/drivers/scsi/ufs/ufshcd-pltfrm.c
+index 24927cf485b47..68ce209577eca 100644
+--- a/drivers/scsi/ufs/ufshcd-pltfrm.c
++++ b/drivers/scsi/ufs/ufshcd-pltfrm.c
+@@ -92,6 +92,8 @@ static int ufshcd_parse_clock_info(struct ufs_hba *hba)
+ clki->min_freq = clkfreq[i];
+ clki->max_freq = clkfreq[i+1];
+ clki->name = kstrdup(name, GFP_KERNEL);
++ if (!strcmp(name, "ref_clk"))
++ clki->keep_link_active = true;
+ dev_dbg(dev, "%s: min %u max %u name %s\n", "freq-table-hz",
+ clki->min_freq, clki->max_freq, clki->name);
+ list_add_tail(&clki->list, &hba->clk_list_head);
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index 3139d9df6f320..930f35863cbb5 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -221,8 +221,6 @@ static int ufshcd_eh_host_reset_handler(struct scsi_cmnd *cmd);
+ static int ufshcd_clear_tm_cmd(struct ufs_hba *hba, int tag);
+ static void ufshcd_hba_exit(struct ufs_hba *hba);
+ static int ufshcd_probe_hba(struct ufs_hba *hba, bool async);
+-static int __ufshcd_setup_clocks(struct ufs_hba *hba, bool on,
+- bool skip_ref_clk);
+ static int ufshcd_setup_clocks(struct ufs_hba *hba, bool on);
+ static int ufshcd_uic_hibern8_enter(struct ufs_hba *hba);
+ static inline void ufshcd_add_delay_before_dme_cmd(struct ufs_hba *hba);
+@@ -1714,11 +1712,7 @@ static void ufshcd_gate_work(struct work_struct *work)
+
+ ufshcd_disable_irq(hba);
+
+- if (!ufshcd_is_link_active(hba))
+- ufshcd_setup_clocks(hba, false);
+- else
+- /* If link is active, device ref_clk can't be switched off */
+- __ufshcd_setup_clocks(hba, false, true);
++ ufshcd_setup_clocks(hba, false);
+
+ /*
+ * In case you are here to cancel this work the gating state
+@@ -8055,8 +8049,7 @@ static int ufshcd_init_hba_vreg(struct ufs_hba *hba)
+ return 0;
+ }
+
+-static int __ufshcd_setup_clocks(struct ufs_hba *hba, bool on,
+- bool skip_ref_clk)
++static int ufshcd_setup_clocks(struct ufs_hba *hba, bool on)
+ {
+ int ret = 0;
+ struct ufs_clk_info *clki;
+@@ -8074,7 +8067,12 @@ static int __ufshcd_setup_clocks(struct ufs_hba *hba, bool on,
+
+ list_for_each_entry(clki, head, list) {
+ if (!IS_ERR_OR_NULL(clki->clk)) {
+- if (skip_ref_clk && !strcmp(clki->name, "ref_clk"))
++ /*
++ * Don't disable clocks which are needed
++ * to keep the link active.
++ */
++ if (ufshcd_is_link_active(hba) &&
++ clki->keep_link_active)
+ continue;
+
+ clk_state_changed = on ^ clki->enabled;
+@@ -8119,11 +8117,6 @@ out:
+ return ret;
+ }
+
+-static int ufshcd_setup_clocks(struct ufs_hba *hba, bool on)
+-{
+- return __ufshcd_setup_clocks(hba, on, false);
+-}
+-
+ static int ufshcd_init_clocks(struct ufs_hba *hba)
+ {
+ int ret = 0;
+@@ -8642,11 +8635,7 @@ disable_clks:
+ */
+ ufshcd_disable_irq(hba);
+
+- if (!ufshcd_is_link_active(hba))
+- ufshcd_setup_clocks(hba, false);
+- else
+- /* If link is active, device ref_clk can't be switched off */
+- __ufshcd_setup_clocks(hba, false, true);
++ ufshcd_setup_clocks(hba, false);
+
+ if (ufshcd_is_clkgating_allowed(hba)) {
+ hba->clk_gating.state = CLKS_OFF;
+diff --git a/drivers/scsi/ufs/ufshcd.h b/drivers/scsi/ufs/ufshcd.h
+index 812aa348751eb..1ba9c786feb6d 100644
+--- a/drivers/scsi/ufs/ufshcd.h
++++ b/drivers/scsi/ufs/ufshcd.h
+@@ -229,6 +229,8 @@ struct ufs_dev_cmd {
+ * @max_freq: maximum frequency supported by the clock
+ * @min_freq: min frequency that can be used for clock scaling
+ * @curr_freq: indicates the current frequency that it is set to
++ * @keep_link_active: indicates that the clk should not be disabled if
++ link is active
+ * @enabled: variable to check against multiple enable/disable
+ */
+ struct ufs_clk_info {
+@@ -238,6 +240,7 @@ struct ufs_clk_info {
+ u32 max_freq;
+ u32 min_freq;
+ u32 curr_freq;
++ bool keep_link_active;
+ bool enabled;
+ };
+
+--
+2.33.0
+
--- /dev/null
+From 797c7b864d07933e7e4e9bce699659a7b5d7ddff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 10:22:14 +0100
+Subject: scsi: ufs: ufshcd-pltfrm: Fix memory leak due to probe defer
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit b6ca770ae7f2c560a29bbd02c4e3d734fafaf804 ]
+
+UFS drivers that probe defer will end up leaking memory allocated for clk
+and regulator names via kstrdup() because the structure that is holding
+this memory is allocated via devm_* variants which will be freed during
+probe defer but the names are never freed.
+
+Use same devm_* variant of kstrdup to free the memory allocated to name
+when driver probe defers.
+
+Kmemleak found around 11 leaks on Qualcomm Dragon Board RB5:
+
+unreferenced object 0xffff66f243fb2c00 (size 128):
+ comm "kworker/u16:0", pid 7, jiffies 4294893319 (age 94.848s)
+ hex dump (first 32 bytes):
+ 63 6f 72 65 5f 63 6c 6b 00 76 69 72 74 75 61 6c core_clk.virtual
+ 2f 77 6f 72 6b 71 75 65 75 65 2f 73 63 73 69 5f /workqueue/scsi_
+ backtrace:
+ [<000000006f788cd1>] slab_post_alloc_hook+0x88/0x410
+ [<00000000cfd1372b>] __kmalloc_track_caller+0x138/0x230
+ [<00000000a92ab17b>] kstrdup+0xb0/0x110
+ [<0000000037263ab6>] ufshcd_pltfrm_init+0x1a8/0x500
+ [<00000000a20a5caa>] ufs_qcom_probe+0x20/0x58
+ [<00000000a5e43067>] platform_probe+0x6c/0x118
+ [<00000000ef686e3f>] really_probe+0xc4/0x330
+ [<000000005b18792c>] __driver_probe_device+0x88/0x118
+ [<00000000a5d295e8>] driver_probe_device+0x44/0x158
+ [<000000007e83f58d>] __device_attach_driver+0xb4/0x128
+ [<000000004bfa4470>] bus_for_each_drv+0x68/0xd0
+ [<00000000b89a83bc>] __device_attach+0xec/0x170
+ [<00000000ada2beea>] device_initial_probe+0x14/0x20
+ [<0000000079921612>] bus_probe_device+0x9c/0xa8
+ [<00000000d268bf7c>] deferred_probe_work_func+0x90/0xd0
+ [<000000009ef64bfa>] process_one_work+0x29c/0x788
+unreferenced object 0xffff66f243fb2c80 (size 128):
+ comm "kworker/u16:0", pid 7, jiffies 4294893319 (age 94.848s)
+ hex dump (first 32 bytes):
+ 62 75 73 5f 61 67 67 72 5f 63 6c 6b 00 00 00 00 bus_aggr_clk....
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+
+With this patch no memory leaks are reported.
+
+Link: https://lore.kernel.org/r/20210914092214.6468-1-srinivas.kandagatla@linaro.org
+Fixes: aa4976130934 ("ufs: Add regulator enable support")
+Fixes: c6e79dacd86f ("ufs: Add clock initialization support")
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufshcd-pltfrm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/ufs/ufshcd-pltfrm.c b/drivers/scsi/ufs/ufshcd-pltfrm.c
+index 68ce209577eca..8c92d1bde64be 100644
+--- a/drivers/scsi/ufs/ufshcd-pltfrm.c
++++ b/drivers/scsi/ufs/ufshcd-pltfrm.c
+@@ -91,7 +91,7 @@ static int ufshcd_parse_clock_info(struct ufs_hba *hba)
+
+ clki->min_freq = clkfreq[i];
+ clki->max_freq = clkfreq[i+1];
+- clki->name = kstrdup(name, GFP_KERNEL);
++ clki->name = devm_kstrdup(dev, name, GFP_KERNEL);
+ if (!strcmp(name, "ref_clk"))
+ clki->keep_link_active = true;
+ dev_dbg(dev, "%s: min %u max %u name %s\n", "freq-table-hz",
+@@ -127,7 +127,7 @@ static int ufshcd_populate_vreg(struct device *dev, const char *name,
+ if (!vreg)
+ return -ENOMEM;
+
+- vreg->name = kstrdup(name, GFP_KERNEL);
++ vreg->name = devm_kstrdup(dev, name, GFP_KERNEL);
+
+ snprintf(prop_name, MAX_PROP_SIZE, "%s-max-microamp", name);
+ if (of_property_read_u32(np, prop_name, &vreg->max_uA)) {
+--
+2.33.0
+
--- /dev/null
+From ef8103189dd2905fc12f43f7e80d4e7357ea25e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Mar 2021 10:18:14 +0000
+Subject: selftests: bpf: Convert sk_lookup ctx access tests to PROG_TEST_RUN
+
+From: Lorenz Bauer <lmb@cloudflare.com>
+
+[ Upstream commit 509b2937bce90089fd2785db9f27951a3d850c34 ]
+
+Convert the selftests for sk_lookup narrow context access to use
+PROG_TEST_RUN instead of creating actual sockets. This ensures that
+ctx is populated correctly when using PROG_TEST_RUN.
+
+Assert concrete values since we now control remote_ip and remote_port.
+
+Signed-off-by: Lorenz Bauer <lmb@cloudflare.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/20210303101816.36774-4-lmb@cloudflare.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/bpf/prog_tests/sk_lookup.c | 83 +++++++++++++++----
+ .../selftests/bpf/progs/test_sk_lookup.c | 62 +++++++++-----
+ 2 files changed, 109 insertions(+), 36 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/sk_lookup.c b/tools/testing/selftests/bpf/prog_tests/sk_lookup.c
+index 9ff0412e1fd38..45c82db3c58c5 100644
+--- a/tools/testing/selftests/bpf/prog_tests/sk_lookup.c
++++ b/tools/testing/selftests/bpf/prog_tests/sk_lookup.c
+@@ -241,6 +241,48 @@ fail:
+ return -1;
+ }
+
++static __u64 socket_cookie(int fd)
++{
++ __u64 cookie;
++ socklen_t cookie_len = sizeof(cookie);
++
++ if (CHECK(getsockopt(fd, SOL_SOCKET, SO_COOKIE, &cookie, &cookie_len) < 0,
++ "getsockopt(SO_COOKIE)", "%s\n", strerror(errno)))
++ return 0;
++ return cookie;
++}
++
++static int fill_sk_lookup_ctx(struct bpf_sk_lookup *ctx, const char *local_ip, __u16 local_port,
++ const char *remote_ip, __u16 remote_port)
++{
++ void *local, *remote;
++ int err;
++
++ memset(ctx, 0, sizeof(*ctx));
++ ctx->local_port = local_port;
++ ctx->remote_port = htons(remote_port);
++
++ if (is_ipv6(local_ip)) {
++ ctx->family = AF_INET6;
++ local = &ctx->local_ip6[0];
++ remote = &ctx->remote_ip6[0];
++ } else {
++ ctx->family = AF_INET;
++ local = &ctx->local_ip4;
++ remote = &ctx->remote_ip4;
++ }
++
++ err = inet_pton(ctx->family, local_ip, local);
++ if (CHECK(err != 1, "inet_pton", "local_ip failed\n"))
++ return 1;
++
++ err = inet_pton(ctx->family, remote_ip, remote);
++ if (CHECK(err != 1, "inet_pton", "remote_ip failed\n"))
++ return 1;
++
++ return 0;
++}
++
+ static int send_byte(int fd)
+ {
+ ssize_t n;
+@@ -1009,18 +1051,27 @@ static void test_drop_on_reuseport(struct test_sk_lookup *skel)
+
+ static void run_sk_assign(struct test_sk_lookup *skel,
+ struct bpf_program *lookup_prog,
+- const char *listen_ip, const char *connect_ip)
++ const char *remote_ip, const char *local_ip)
+ {
+- int client_fd, peer_fd, server_fds[MAX_SERVERS] = { -1 };
+- struct bpf_link *lookup_link;
++ int server_fds[MAX_SERVERS] = { -1 };
++ struct bpf_sk_lookup ctx;
++ __u64 server_cookie;
+ int i, err;
+
+- lookup_link = attach_lookup_prog(lookup_prog);
+- if (!lookup_link)
++ DECLARE_LIBBPF_OPTS(bpf_test_run_opts, opts,
++ .ctx_in = &ctx,
++ .ctx_size_in = sizeof(ctx),
++ .ctx_out = &ctx,
++ .ctx_size_out = sizeof(ctx),
++ );
++
++ if (fill_sk_lookup_ctx(&ctx, local_ip, EXT_PORT, remote_ip, INT_PORT))
+ return;
+
++ ctx.protocol = IPPROTO_TCP;
++
+ for (i = 0; i < ARRAY_SIZE(server_fds); i++) {
+- server_fds[i] = make_server(SOCK_STREAM, listen_ip, 0, NULL);
++ server_fds[i] = make_server(SOCK_STREAM, local_ip, 0, NULL);
+ if (server_fds[i] < 0)
+ goto close_servers;
+
+@@ -1030,23 +1081,25 @@ static void run_sk_assign(struct test_sk_lookup *skel,
+ goto close_servers;
+ }
+
+- client_fd = make_client(SOCK_STREAM, connect_ip, EXT_PORT);
+- if (client_fd < 0)
++ server_cookie = socket_cookie(server_fds[SERVER_B]);
++ if (!server_cookie)
++ return;
++
++ err = bpf_prog_test_run_opts(bpf_program__fd(lookup_prog), &opts);
++ if (CHECK(err, "test_run", "failed with error %d\n", errno))
++ goto close_servers;
++
++ if (CHECK(ctx.cookie == 0, "ctx.cookie", "no socket selected\n"))
+ goto close_servers;
+
+- peer_fd = accept(server_fds[SERVER_B], NULL, NULL);
+- if (CHECK(peer_fd < 0, "accept", "failed\n"))
+- goto close_client;
++ CHECK(ctx.cookie != server_cookie, "ctx.cookie",
++ "selected sk %llu instead of %llu\n", ctx.cookie, server_cookie);
+
+- close(peer_fd);
+-close_client:
+- close(client_fd);
+ close_servers:
+ for (i = 0; i < ARRAY_SIZE(server_fds); i++) {
+ if (server_fds[i] != -1)
+ close(server_fds[i]);
+ }
+- bpf_link__destroy(lookup_link);
+ }
+
+ static void run_sk_assign_v4(struct test_sk_lookup *skel,
+diff --git a/tools/testing/selftests/bpf/progs/test_sk_lookup.c b/tools/testing/selftests/bpf/progs/test_sk_lookup.c
+index 1032b292af5b7..ac6f7f205e25d 100644
+--- a/tools/testing/selftests/bpf/progs/test_sk_lookup.c
++++ b/tools/testing/selftests/bpf/progs/test_sk_lookup.c
+@@ -64,6 +64,10 @@ static const int PROG_DONE = 1;
+ static const __u32 KEY_SERVER_A = SERVER_A;
+ static const __u32 KEY_SERVER_B = SERVER_B;
+
++static const __u16 SRC_PORT = bpf_htons(8008);
++static const __u32 SRC_IP4 = IP4(127, 0, 0, 2);
++static const __u32 SRC_IP6[] = IP6(0xfd000000, 0x0, 0x0, 0x00000002);
++
+ static const __u16 DST_PORT = 7007; /* Host byte order */
+ static const __u32 DST_IP4 = IP4(127, 0, 0, 1);
+ static const __u32 DST_IP6[] = IP6(0xfd000000, 0x0, 0x0, 0x00000001);
+@@ -398,11 +402,12 @@ int ctx_narrow_access(struct bpf_sk_lookup *ctx)
+ if (LSW(ctx->protocol, 0) != IPPROTO_TCP)
+ return SK_DROP;
+
+- /* Narrow loads from remote_port field. Expect non-0 value. */
+- if (LSB(ctx->remote_port, 0) == 0 && LSB(ctx->remote_port, 1) == 0 &&
+- LSB(ctx->remote_port, 2) == 0 && LSB(ctx->remote_port, 3) == 0)
++ /* Narrow loads from remote_port field. Expect SRC_PORT. */
++ if (LSB(ctx->remote_port, 0) != ((SRC_PORT >> 0) & 0xff) ||
++ LSB(ctx->remote_port, 1) != ((SRC_PORT >> 8) & 0xff) ||
++ LSB(ctx->remote_port, 2) != 0 || LSB(ctx->remote_port, 3) != 0)
+ return SK_DROP;
+- if (LSW(ctx->remote_port, 0) == 0)
++ if (LSW(ctx->remote_port, 0) != SRC_PORT)
+ return SK_DROP;
+
+ /* Narrow loads from local_port field. Expect DST_PORT. */
+@@ -415,11 +420,14 @@ int ctx_narrow_access(struct bpf_sk_lookup *ctx)
+
+ /* Narrow loads from IPv4 fields */
+ if (v4) {
+- /* Expect non-0.0.0.0 in remote_ip4 */
+- if (LSB(ctx->remote_ip4, 0) == 0 && LSB(ctx->remote_ip4, 1) == 0 &&
+- LSB(ctx->remote_ip4, 2) == 0 && LSB(ctx->remote_ip4, 3) == 0)
++ /* Expect SRC_IP4 in remote_ip4 */
++ if (LSB(ctx->remote_ip4, 0) != ((SRC_IP4 >> 0) & 0xff) ||
++ LSB(ctx->remote_ip4, 1) != ((SRC_IP4 >> 8) & 0xff) ||
++ LSB(ctx->remote_ip4, 2) != ((SRC_IP4 >> 16) & 0xff) ||
++ LSB(ctx->remote_ip4, 3) != ((SRC_IP4 >> 24) & 0xff))
+ return SK_DROP;
+- if (LSW(ctx->remote_ip4, 0) == 0 && LSW(ctx->remote_ip4, 1) == 0)
++ if (LSW(ctx->remote_ip4, 0) != ((SRC_IP4 >> 0) & 0xffff) ||
++ LSW(ctx->remote_ip4, 1) != ((SRC_IP4 >> 16) & 0xffff))
+ return SK_DROP;
+
+ /* Expect DST_IP4 in local_ip4 */
+@@ -448,20 +456,32 @@ int ctx_narrow_access(struct bpf_sk_lookup *ctx)
+
+ /* Narrow loads from IPv6 fields */
+ if (!v4) {
+- /* Expect non-:: IP in remote_ip6 */
+- if (LSB(ctx->remote_ip6[0], 0) == 0 && LSB(ctx->remote_ip6[0], 1) == 0 &&
+- LSB(ctx->remote_ip6[0], 2) == 0 && LSB(ctx->remote_ip6[0], 3) == 0 &&
+- LSB(ctx->remote_ip6[1], 0) == 0 && LSB(ctx->remote_ip6[1], 1) == 0 &&
+- LSB(ctx->remote_ip6[1], 2) == 0 && LSB(ctx->remote_ip6[1], 3) == 0 &&
+- LSB(ctx->remote_ip6[2], 0) == 0 && LSB(ctx->remote_ip6[2], 1) == 0 &&
+- LSB(ctx->remote_ip6[2], 2) == 0 && LSB(ctx->remote_ip6[2], 3) == 0 &&
+- LSB(ctx->remote_ip6[3], 0) == 0 && LSB(ctx->remote_ip6[3], 1) == 0 &&
+- LSB(ctx->remote_ip6[3], 2) == 0 && LSB(ctx->remote_ip6[3], 3) == 0)
++ /* Expect SRC_IP6 in remote_ip6 */
++ if (LSB(ctx->remote_ip6[0], 0) != ((SRC_IP6[0] >> 0) & 0xff) ||
++ LSB(ctx->remote_ip6[0], 1) != ((SRC_IP6[0] >> 8) & 0xff) ||
++ LSB(ctx->remote_ip6[0], 2) != ((SRC_IP6[0] >> 16) & 0xff) ||
++ LSB(ctx->remote_ip6[0], 3) != ((SRC_IP6[0] >> 24) & 0xff) ||
++ LSB(ctx->remote_ip6[1], 0) != ((SRC_IP6[1] >> 0) & 0xff) ||
++ LSB(ctx->remote_ip6[1], 1) != ((SRC_IP6[1] >> 8) & 0xff) ||
++ LSB(ctx->remote_ip6[1], 2) != ((SRC_IP6[1] >> 16) & 0xff) ||
++ LSB(ctx->remote_ip6[1], 3) != ((SRC_IP6[1] >> 24) & 0xff) ||
++ LSB(ctx->remote_ip6[2], 0) != ((SRC_IP6[2] >> 0) & 0xff) ||
++ LSB(ctx->remote_ip6[2], 1) != ((SRC_IP6[2] >> 8) & 0xff) ||
++ LSB(ctx->remote_ip6[2], 2) != ((SRC_IP6[2] >> 16) & 0xff) ||
++ LSB(ctx->remote_ip6[2], 3) != ((SRC_IP6[2] >> 24) & 0xff) ||
++ LSB(ctx->remote_ip6[3], 0) != ((SRC_IP6[3] >> 0) & 0xff) ||
++ LSB(ctx->remote_ip6[3], 1) != ((SRC_IP6[3] >> 8) & 0xff) ||
++ LSB(ctx->remote_ip6[3], 2) != ((SRC_IP6[3] >> 16) & 0xff) ||
++ LSB(ctx->remote_ip6[3], 3) != ((SRC_IP6[3] >> 24) & 0xff))
+ return SK_DROP;
+- if (LSW(ctx->remote_ip6[0], 0) == 0 && LSW(ctx->remote_ip6[0], 1) == 0 &&
+- LSW(ctx->remote_ip6[1], 0) == 0 && LSW(ctx->remote_ip6[1], 1) == 0 &&
+- LSW(ctx->remote_ip6[2], 0) == 0 && LSW(ctx->remote_ip6[2], 1) == 0 &&
+- LSW(ctx->remote_ip6[3], 0) == 0 && LSW(ctx->remote_ip6[3], 1) == 0)
++ if (LSW(ctx->remote_ip6[0], 0) != ((SRC_IP6[0] >> 0) & 0xffff) ||
++ LSW(ctx->remote_ip6[0], 1) != ((SRC_IP6[0] >> 16) & 0xffff) ||
++ LSW(ctx->remote_ip6[1], 0) != ((SRC_IP6[1] >> 0) & 0xffff) ||
++ LSW(ctx->remote_ip6[1], 1) != ((SRC_IP6[1] >> 16) & 0xffff) ||
++ LSW(ctx->remote_ip6[2], 0) != ((SRC_IP6[2] >> 0) & 0xffff) ||
++ LSW(ctx->remote_ip6[2], 1) != ((SRC_IP6[2] >> 16) & 0xffff) ||
++ LSW(ctx->remote_ip6[3], 0) != ((SRC_IP6[3] >> 0) & 0xffff) ||
++ LSW(ctx->remote_ip6[3], 1) != ((SRC_IP6[3] >> 16) & 0xffff))
+ return SK_DROP;
+ /* Expect DST_IP6 in local_ip6 */
+ if (LSB(ctx->local_ip6[0], 0) != ((DST_IP6[0] >> 0) & 0xff) ||
+--
+2.33.0
+
--- /dev/null
+From 5657d7293c6acf160276e6690a55214f40ae7c73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Oct 2021 16:34:09 +0200
+Subject: selftests/bpf: Fix fclose/pclose mismatch in test_progs
+
+From: Andrea Righi <andrea.righi@canonical.com>
+
+[ Upstream commit f48ad69097fe79d1de13c4d8fef556d4c11c5e68 ]
+
+Make sure to use pclose() to properly close the pipe opened by popen().
+
+Fixes: 81f77fd0deeb ("bpf: add selftest for stackmap with BPF_F_STACK_BUILD_ID")
+Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Link: https://lore.kernel.org/bpf/20211026143409.42666-1-andrea.righi@canonical.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_progs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/test_progs.c b/tools/testing/selftests/bpf/test_progs.c
+index 22943b58d752a..4a13477aef9dd 100644
+--- a/tools/testing/selftests/bpf/test_progs.c
++++ b/tools/testing/selftests/bpf/test_progs.c
+@@ -347,7 +347,7 @@ int extract_build_id(char *build_id, size_t size)
+
+ if (getline(&line, &len, fp) == -1)
+ goto err;
+- fclose(fp);
++ pclose(fp);
+
+ if (len > size)
+ len = size;
+@@ -356,7 +356,7 @@ int extract_build_id(char *build_id, size_t size)
+ free(line);
+ return 0;
+ err:
+- fclose(fp);
++ pclose(fp);
+ return -1;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 3a9a99a46ff9d9cfb699cba429da439a8649ee40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Oct 2021 12:05:00 +0530
+Subject: selftests/bpf: Fix fd cleanup in sk_lookup test
+
+From: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+
+[ Upstream commit c3fc706e94f5653def2783ffcd809a38676b7551 ]
+
+Similar to the fix in commit:
+e31eec77e4ab ("bpf: selftests: Fix fd cleanup in get_branch_snapshot")
+
+We use designated initializer to set fds to -1 without breaking on
+future changes to MAX_SERVER constant denoting the array size.
+
+The particular close(0) occurs on non-reuseport tests, so it can be seen
+with -n 115/{2,3} but not 115/4. This can cause problems with future
+tests if they depend on BTF fd never being acquired as fd 0, breaking
+internal libbpf assumptions.
+
+Fixes: 0ab5539f8584 ("selftests/bpf: Tests for BPF_SK_LOOKUP attach point")
+Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
+Acked-by: Song Liu <songliubraving@fb.com>
+Link: https://lore.kernel.org/bpf/20211028063501.2239335-8-memxor@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/sk_lookup.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/sk_lookup.c b/tools/testing/selftests/bpf/prog_tests/sk_lookup.c
+index 45c82db3c58c5..b4c9f4a96ae4d 100644
+--- a/tools/testing/selftests/bpf/prog_tests/sk_lookup.c
++++ b/tools/testing/selftests/bpf/prog_tests/sk_lookup.c
+@@ -598,7 +598,7 @@ close:
+
+ static void run_lookup_prog(const struct test *t)
+ {
+- int server_fds[MAX_SERVERS] = { -1 };
++ int server_fds[] = { [0 ... MAX_SERVERS - 1] = -1 };
+ int client_fd, reuse_conn_fd = -1;
+ struct bpf_link *lookup_link;
+ int i, err;
+@@ -1053,7 +1053,7 @@ static void run_sk_assign(struct test_sk_lookup *skel,
+ struct bpf_program *lookup_prog,
+ const char *remote_ip, const char *local_ip)
+ {
+- int server_fds[MAX_SERVERS] = { -1 };
++ int server_fds[] = { [0 ... MAX_SERVERS - 1] = -1 };
+ struct bpf_sk_lookup ctx;
+ __u64 server_cookie;
+ int i, err;
+--
+2.33.0
+
--- /dev/null
+From 7b2eadf4132aca3d9db3128b9f8539e1400ea74b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Oct 2021 13:41:30 +0200
+Subject: selftests/bpf: Fix perf_buffer test on system with offline cpus
+
+From: Jiri Olsa <jolsa@redhat.com>
+
+[ Upstream commit d4121376ac7a9c81a696d7558789b2f29ef3574e ]
+
+The perf_buffer fails on system with offline cpus:
+
+ # test_progs -t perf_buffer
+ test_perf_buffer:PASS:nr_cpus 0 nsec
+ test_perf_buffer:PASS:nr_on_cpus 0 nsec
+ test_perf_buffer:PASS:skel_load 0 nsec
+ test_perf_buffer:PASS:attach_kprobe 0 nsec
+ test_perf_buffer:PASS:perf_buf__new 0 nsec
+ test_perf_buffer:PASS:epoll_fd 0 nsec
+ skipping offline CPU #24
+ skipping offline CPU #25
+ skipping offline CPU #26
+ skipping offline CPU #27
+ skipping offline CPU #28
+ skipping offline CPU #29
+ skipping offline CPU #30
+ skipping offline CPU #31
+ test_perf_buffer:PASS:perf_buffer__poll 0 nsec
+ test_perf_buffer:PASS:seen_cpu_cnt 0 nsec
+ test_perf_buffer:FAIL:buf_cnt got 24, expected 32
+ Summary: 0/0 PASSED, 0 SKIPPED, 1 FAILED
+
+Changing the test to check online cpus instead of possible.
+
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/bpf/20211021114132.8196-2-jolsa@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/perf_buffer.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/perf_buffer.c b/tools/testing/selftests/bpf/prog_tests/perf_buffer.c
+index ca9f0895ec84e..8d75475408f57 100644
+--- a/tools/testing/selftests/bpf/prog_tests/perf_buffer.c
++++ b/tools/testing/selftests/bpf/prog_tests/perf_buffer.c
+@@ -107,8 +107,8 @@ void test_perf_buffer(void)
+ "expect %d, seen %d\n", nr_on_cpus, CPU_COUNT(&cpu_seen)))
+ goto out_free_pb;
+
+- if (CHECK(perf_buffer__buffer_cnt(pb) != nr_cpus, "buf_cnt",
+- "got %zu, expected %d\n", perf_buffer__buffer_cnt(pb), nr_cpus))
++ if (CHECK(perf_buffer__buffer_cnt(pb) != nr_on_cpus, "buf_cnt",
++ "got %zu, expected %d\n", perf_buffer__buffer_cnt(pb), nr_on_cpus))
+ goto out_close;
+
+ for (i = 0; i < nr_cpus; i++) {
+--
+2.33.0
+
--- /dev/null
+From acf9169a2da442393eb28b2c921294fb60b92fca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Oct 2021 11:29:07 -0700
+Subject: selftests/bpf: Fix strobemeta selftest regression
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit 0133c20480b14820d43c37c0e9502da4bffcad3a ]
+
+After most recent nightly Clang update strobemeta selftests started
+failing with the following error (relevant portion of assembly included):
+
+ 1624: (85) call bpf_probe_read_user_str#114
+ 1625: (bf) r1 = r0
+ 1626: (18) r2 = 0xfffffffe
+ 1628: (5f) r1 &= r2
+ 1629: (55) if r1 != 0x0 goto pc+7
+ 1630: (07) r9 += 104
+ 1631: (6b) *(u16 *)(r9 +0) = r0
+ 1632: (67) r0 <<= 32
+ 1633: (77) r0 >>= 32
+ 1634: (79) r1 = *(u64 *)(r10 -456)
+ 1635: (0f) r1 += r0
+ 1636: (7b) *(u64 *)(r10 -456) = r1
+ 1637: (79) r1 = *(u64 *)(r10 -368)
+ 1638: (c5) if r1 s< 0x1 goto pc+778
+ 1639: (bf) r6 = r8
+ 1640: (0f) r6 += r7
+ 1641: (b4) w1 = 0
+ 1642: (6b) *(u16 *)(r6 +108) = r1
+ 1643: (79) r3 = *(u64 *)(r10 -352)
+ 1644: (79) r9 = *(u64 *)(r10 -456)
+ 1645: (bf) r1 = r9
+ 1646: (b4) w2 = 1
+ 1647: (85) call bpf_probe_read_user_str#114
+
+ R1 unbounded memory access, make sure to bounds check any such access
+
+In the above code r0 and r1 are implicitly related. Clang knows that,
+but verifier isn't able to infer this relationship.
+
+Yonghong Song narrowed down this "regression" in code generation to
+a recent Clang optimization change ([0]), which for BPF target generates
+code pattern that BPF verifier can't handle and loses track of register
+boundaries.
+
+This patch works around the issue by adding an BPF assembly-based helper
+that helps to prove to the verifier that upper bound of the register is
+a given constant by controlling the exact share of generated BPF
+instruction sequence. This fixes the immediate issue for strobemeta
+selftest.
+
+ [0] https://github.com/llvm/llvm-project/commit/acabad9ff6bf13e00305d9d8621ee8eafc1f8b08
+
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/bpf/20211029182907.166910-1-andrii@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/progs/strobemeta.h | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/tools/testing/selftests/bpf/progs/strobemeta.h b/tools/testing/selftests/bpf/progs/strobemeta.h
+index 7de534f38c3f1..3687ea755ab5a 100644
+--- a/tools/testing/selftests/bpf/progs/strobemeta.h
++++ b/tools/testing/selftests/bpf/progs/strobemeta.h
+@@ -10,6 +10,14 @@
+ #include <linux/types.h>
+ #include <bpf/bpf_helpers.h>
+
++#define bpf_clamp_umax(VAR, UMAX) \
++ asm volatile ( \
++ "if %0 <= %[max] goto +1\n" \
++ "%0 = %[max]\n" \
++ : "+r"(VAR) \
++ : [max]"i"(UMAX) \
++ )
++
+ typedef uint32_t pid_t;
+ struct task_struct {};
+
+@@ -413,6 +421,7 @@ static __always_inline void *read_map_var(struct strobemeta_cfg *cfg,
+
+ len = bpf_probe_read_user_str(payload, STROBE_MAX_STR_LEN, map.tag);
+ if (len <= STROBE_MAX_STR_LEN) {
++ bpf_clamp_umax(len, STROBE_MAX_STR_LEN);
+ descr->tag_len = len;
+ payload += len;
+ }
+@@ -430,6 +439,7 @@ static __always_inline void *read_map_var(struct strobemeta_cfg *cfg,
+ len = bpf_probe_read_user_str(payload, STROBE_MAX_STR_LEN,
+ map.entries[i].key);
+ if (len <= STROBE_MAX_STR_LEN) {
++ bpf_clamp_umax(len, STROBE_MAX_STR_LEN);
+ descr->key_lens[i] = len;
+ payload += len;
+ }
+@@ -437,6 +447,7 @@ static __always_inline void *read_map_var(struct strobemeta_cfg *cfg,
+ len = bpf_probe_read_user_str(payload, STROBE_MAX_STR_LEN,
+ map.entries[i].val);
+ if (len <= STROBE_MAX_STR_LEN) {
++ bpf_clamp_umax(len, STROBE_MAX_STR_LEN);
+ descr->val_lens[i] = len;
+ payload += len;
+ }
+--
+2.33.0
+
--- /dev/null
+From 1fdf5da5548d85fe8492e8c4d4bba6dc60a4bc0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Oct 2021 13:26:19 -0600
+Subject: selftests/core: fix conflicting types compile error for close_range()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Shuah Khan <skhan@linuxfoundation.org>
+
+[ Upstream commit f35dcaa0a8a29188ed61083d153df1454cf89d08 ]
+
+close_range() test type conflicts with close_range() library call in
+x86_64-linux-gnu/bits/unistd_ext.h. Fix it by changing the name to
+core_close_range().
+
+gcc -g -I../../../../usr/include/ close_range_test.c -o ../tools/testing/selftests/core/close_range_test
+In file included from close_range_test.c:16:
+close_range_test.c:57:6: error: conflicting types for ‘close_range’; have ‘void(struct __test_metadata *)’
+ 57 | TEST(close_range)
+ | ^~~~~~~~~~~
+../kselftest_harness.h:181:21: note: in definition of macro ‘__TEST_IMPL’
+ 181 | static void test_name(struct __test_metadata *_metadata); \
+ | ^~~~~~~~~
+close_range_test.c:57:1: note: in expansion of macro ‘TEST’
+ 57 | TEST(close_range)
+ | ^~~~
+In file included from /usr/include/unistd.h:1204,
+ from close_range_test.c:13:
+/usr/include/x86_64-linux-gnu/bits/unistd_ext.h:56:12: note: previous declaration of ‘close_range’ with type ‘int(unsigned int, unsigned int, int)’
+ 56 | extern int close_range (unsigned int __fd, unsigned int __max_fd,
+ | ^~~~~~~~~~~
+
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/core/close_range_test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/core/close_range_test.c b/tools/testing/selftests/core/close_range_test.c
+index 575b391ddc78d..0a26795842f6f 100644
+--- a/tools/testing/selftests/core/close_range_test.c
++++ b/tools/testing/selftests/core/close_range_test.c
+@@ -33,7 +33,7 @@ static inline int sys_close_range(unsigned int fd, unsigned int max_fd,
+ #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
+ #endif
+
+-TEST(close_range)
++TEST(core_close_range)
+ {
+ int i, ret;
+ int open_fds[101];
+--
+2.33.0
+
--- /dev/null
+From a8b1b5804069f281d426da06a64cf1a2392e6399 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Oct 2021 11:56:03 -0600
+Subject: selftests: kvm: fix mismatched fclose() after popen()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Shuah Khan <skhan@linuxfoundation.org>
+
+[ Upstream commit c3867ab5924b7a9a0b4a117902a08669d8be7c21 ]
+
+get_warnings_count() does fclose() using File * returned from popen().
+Fix it to call pclose() as it should.
+
+tools/testing/selftests/kvm/x86_64/mmio_warning_test
+x86_64/mmio_warning_test.c: In function ‘get_warnings_count’:
+x86_64/mmio_warning_test.c:87:9: warning: ‘fclose’ called on pointer returned from a mismatched allocation function [-Wmismatched-dealloc]
+ 87 | fclose(f);
+ | ^~~~~~~~~
+x86_64/mmio_warning_test.c:84:13: note: returned from ‘popen’
+ 84 | f = popen("dmesg | grep \"WARNING:\" | wc -l", "r");
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/kvm/x86_64/mmio_warning_test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/kvm/x86_64/mmio_warning_test.c b/tools/testing/selftests/kvm/x86_64/mmio_warning_test.c
+index 8039e1eff9388..9f55ccd169a13 100644
+--- a/tools/testing/selftests/kvm/x86_64/mmio_warning_test.c
++++ b/tools/testing/selftests/kvm/x86_64/mmio_warning_test.c
+@@ -84,7 +84,7 @@ int get_warnings_count(void)
+ f = popen("dmesg | grep \"WARNING:\" | wc -l", "r");
+ if (fscanf(f, "%d", &warnings) < 1)
+ warnings = 0;
+- fclose(f);
++ pclose(f);
+
+ return warnings;
+ }
+--
+2.33.0
+
--- /dev/null
+From 41a6c94810cc8a90e1585032ef9ee2c87f08f8a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Nov 2021 06:57:17 -0500
+Subject: selftests/net: udpgso_bench_rx: fix port argument
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit d336509cb9d03970911878bb77f0497f64fda061 ]
+
+The below commit added optional support for passing a bind address.
+It configures the sockaddr bind arguments before parsing options and
+reconfigures on options -b and -4.
+
+This broke support for passing port (-p) on its own.
+
+Configure sockaddr after parsing all arguments.
+
+Fixes: 3327a9c46352 ("selftests: add functionals test for UDP GRO")
+Reported-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/udpgso_bench_rx.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/tools/testing/selftests/net/udpgso_bench_rx.c b/tools/testing/selftests/net/udpgso_bench_rx.c
+index 76a24052f4b47..6a193425c367f 100644
+--- a/tools/testing/selftests/net/udpgso_bench_rx.c
++++ b/tools/testing/selftests/net/udpgso_bench_rx.c
+@@ -293,19 +293,17 @@ static void usage(const char *filepath)
+
+ static void parse_opts(int argc, char **argv)
+ {
++ const char *bind_addr = NULL;
+ int c;
+
+- /* bind to any by default */
+- setup_sockaddr(PF_INET6, "::", &cfg_bind_addr);
+ while ((c = getopt(argc, argv, "4b:C:Gl:n:p:rR:S:tv")) != -1) {
+ switch (c) {
+ case '4':
+ cfg_family = PF_INET;
+ cfg_alen = sizeof(struct sockaddr_in);
+- setup_sockaddr(PF_INET, "0.0.0.0", &cfg_bind_addr);
+ break;
+ case 'b':
+- setup_sockaddr(cfg_family, optarg, &cfg_bind_addr);
++ bind_addr = optarg;
+ break;
+ case 'C':
+ cfg_connect_timeout_ms = strtoul(optarg, NULL, 0);
+@@ -341,6 +339,11 @@ static void parse_opts(int argc, char **argv)
+ }
+ }
+
++ if (!bind_addr)
++ bind_addr = cfg_family == PF_INET6 ? "::" : "0.0.0.0";
++
++ setup_sockaddr(cfg_family, bind_addr, &cfg_bind_addr);
++
+ if (optind != argc)
+ usage(argv[0]);
+
+--
+2.33.0
+
--- /dev/null
+From 5409a6b90ab9f6a74d95ec462ce0b683387e84f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Nov 2021 18:35:19 -0800
+Subject: seq_file: fix passing wrong private data
+
+From: Muchun Song <songmuchun@bytedance.com>
+
+[ Upstream commit 10a6de19cad6efb9b49883513afb810dc265fca2 ]
+
+DEFINE_PROC_SHOW_ATTRIBUTE() is supposed to be used to define a series
+of functions and variables to register proc file easily. And the users
+can use proc_create_data() to pass their own private data and get it
+via seq->private in the callback. Unfortunately, the proc file system
+use PDE_DATA() to get private data instead of inode->i_private. So fix
+it. Fortunately, there only one user of it which does not pass any
+private data, so this bug does not break any in-tree codes.
+
+Link: https://lkml.kernel.org/r/20211029032638.84884-1-songmuchun@bytedance.com
+Fixes: 97a32539b956 ("proc: convert everything to "struct proc_ops"")
+Signed-off-by: Muchun Song <songmuchun@bytedance.com>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Stephen Rothwell <sfr@canb.auug.org.au>
+Cc: Florent Revest <revest@chromium.org>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Christian Brauner <christian.brauner@ubuntu.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/seq_file.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/seq_file.h b/include/linux/seq_file.h
+index b83b3ae3c877f..662a8cfa1bcd3 100644
+--- a/include/linux/seq_file.h
++++ b/include/linux/seq_file.h
+@@ -182,7 +182,7 @@ static const struct file_operations __name ## _fops = { \
+ #define DEFINE_PROC_SHOW_ATTRIBUTE(__name) \
+ static int __name ## _open(struct inode *inode, struct file *file) \
+ { \
+- return single_open(file, __name ## _show, inode->i_private); \
++ return single_open(file, __name ## _show, PDE_DATA(inode)); \
+ } \
+ \
+ static const struct proc_ops __name ## _proc_ops = { \
+--
+2.33.0
+
--- /dev/null
+From 355bb9f8a9ee66fd58f1286dc2355e9321953494 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Oct 2021 16:45:16 +0300
+Subject: serial: 8250_dw: Drop wrong use of ACPI_PTR()
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit ebabb77a2a115b6c5e68f7364b598310b5f61fb2 ]
+
+ACPI_PTR() is more harmful than helpful. For example, in this case
+if CONFIG_ACPI=n, the ID table left unused which is not what we want.
+
+Instead of adding ifdeffery here and there, drop ACPI_PTR().
+
+Fixes: 6a7320c4669f ("serial: 8250_dw: Add ACPI 5.0 support")
+Reported-by: Daniel Palmer <daniel@0x0f.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20211005134516.23218-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_dw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/8250/8250_dw.c b/drivers/tty/serial/8250/8250_dw.c
+index a3a0154da567d..49559731bbcf1 100644
+--- a/drivers/tty/serial/8250/8250_dw.c
++++ b/drivers/tty/serial/8250/8250_dw.c
+@@ -726,7 +726,7 @@ static struct platform_driver dw8250_platform_driver = {
+ .name = "dw-apb-uart",
+ .pm = &dw8250_pm_ops,
+ .of_match_table = dw8250_of_match,
+- .acpi_match_table = ACPI_PTR(dw8250_acpi_match),
++ .acpi_match_table = dw8250_acpi_match,
+ },
+ .probe = dw8250_probe,
+ .remove = dw8250_remove,
+--
+2.33.0
+
--- /dev/null
+From a4cfcad55ac5df7f1c08d475f896af5a1d1fd475 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Oct 2021 21:26:42 +0200
+Subject: serial: imx: fix detach/attach of serial console
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Stefan Agner <stefan@agner.ch>
+
+[ Upstream commit 6d0d1b5a1b4870911beb89544ec1a9751c42fec7 ]
+
+If the device used as a serial console gets detached/attached at runtime,
+register_console() will try to call imx_uart_setup_console(), but this
+is not possible since it is marked as __init.
+
+For instance
+
+ # cat /sys/devices/virtual/tty/console/active
+ tty1 ttymxc0
+ # echo -n N > /sys/devices/virtual/tty/console/subsystem/ttymxc0/console
+ # echo -n Y > /sys/devices/virtual/tty/console/subsystem/ttymxc0/console
+
+[ 73.166649] 8<--- cut here ---
+[ 73.167005] Unable to handle kernel paging request at virtual address c154d928
+[ 73.167601] pgd = 55433e84
+[ 73.167875] [c154d928] *pgd=8141941e(bad)
+[ 73.168304] Internal error: Oops: 8000000d [#1] SMP ARM
+[ 73.168429] Modules linked in:
+[ 73.168522] CPU: 0 PID: 536 Comm: sh Not tainted 5.15.0-rc6-00056-g3968ddcf05fb #3
+[ 73.168675] Hardware name: Freescale i.MX6 Ultralite (Device Tree)
+[ 73.168791] PC is at imx_uart_console_setup+0x0/0x238
+[ 73.168927] LR is at try_enable_new_console+0x98/0x124
+[ 73.169056] pc : [<c154d928>] lr : [<c0196f44>] psr: a0000013
+[ 73.169178] sp : c2ef5e70 ip : 00000000 fp : 00000000
+[ 73.169281] r10: 00000000 r9 : c02cf970 r8 : 00000000
+[ 73.169389] r7 : 00000001 r6 : 00000001 r5 : c1760164 r4 : c1e0fb08
+[ 73.169512] r3 : c154d928 r2 : 00000000 r1 : efffcbd1 r0 : c1760164
+[ 73.169641] Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
+[ 73.169782] Control: 10c5387d Table: 8345406a DAC: 00000051
+[ 73.169895] Register r0 information: non-slab/vmalloc memory
+[ 73.170032] Register r1 information: non-slab/vmalloc memory
+[ 73.170158] Register r2 information: NULL pointer
+[ 73.170273] Register r3 information: non-slab/vmalloc memory
+[ 73.170397] Register r4 information: non-slab/vmalloc memory
+[ 73.170521] Register r5 information: non-slab/vmalloc memory
+[ 73.170647] Register r6 information: non-paged memory
+[ 73.170771] Register r7 information: non-paged memory
+[ 73.170892] Register r8 information: NULL pointer
+[ 73.171009] Register r9 information: non-slab/vmalloc memory
+[ 73.171142] Register r10 information: NULL pointer
+[ 73.171259] Register r11 information: NULL pointer
+[ 73.171375] Register r12 information: NULL pointer
+[ 73.171494] Process sh (pid: 536, stack limit = 0xcd1ba82f)
+[ 73.171621] Stack: (0xc2ef5e70 to 0xc2ef6000)
+[ 73.171731] 5e60: ???????? ???????? ???????? ????????
+[ 73.171899] 5e80: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ????????
+[ 73.172059] 5ea0: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ????????
+[ 73.172217] 5ec0: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ????????
+[ 73.172377] 5ee0: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ????????
+[ 73.172537] 5f00: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ????????
+[ 73.172698] 5f20: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ????????
+[ 73.172856] 5f40: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ????????
+[ 73.173016] 5f60: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ????????
+[ 73.173177] 5f80: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ????????
+[ 73.173336] 5fa0: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ????????
+[ 73.173496] 5fc0: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ????????
+[ 73.173654] 5fe0: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ????????
+[ 73.173826] [<c0196f44>] (try_enable_new_console) from [<c01984a8>] (register_console+0x10c/0x2ec)
+[ 73.174053] [<c01984a8>] (register_console) from [<c06e2c90>] (console_store+0x14c/0x168)
+[ 73.174262] [<c06e2c90>] (console_store) from [<c0383718>] (kernfs_fop_write_iter+0x110/0x1cc)
+[ 73.174470] [<c0383718>] (kernfs_fop_write_iter) from [<c02cf5f4>] (vfs_write+0x31c/0x548)
+[ 73.174679] [<c02cf5f4>] (vfs_write) from [<c02cf970>] (ksys_write+0x60/0xec)
+[ 73.174863] [<c02cf970>] (ksys_write) from [<c0100080>] (ret_fast_syscall+0x0/0x1c)
+[ 73.175052] Exception stack(0xc2ef5fa8 to 0xc2ef5ff0)
+[ 73.175167] 5fa0: ???????? ???????? ???????? ???????? ???????? ????????
+[ 73.175327] 5fc0: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ????????
+[ 73.175486] 5fe0: ???????? ???????? ???????? ????????
+[ 73.175608] Code: 00000000 00000000 00000000 00000000 (00000000)
+[ 73.175744] ---[ end trace 9b75121265109bf1 ]---
+
+A similar issue could be triggered by unbinding/binding the serial
+console device [*].
+
+Drop __init so that imx_uart_setup_console() can be safely called at
+runtime.
+
+[*] https://lore.kernel.org/all/20181114174940.7865-3-stefan@agner.ch/
+
+Fixes: a3cb39d258ef ("serial: core: Allow detach and attach serial device for console")
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Stefan Agner <stefan@agner.ch>
+Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Link: https://lore.kernel.org/r/20211020192643.476895-2-francesco.dolcini@toradex.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/imx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c
+index cacf7266a262d..28cc328ddb6eb 100644
+--- a/drivers/tty/serial/imx.c
++++ b/drivers/tty/serial/imx.c
+@@ -2049,7 +2049,7 @@ imx_uart_console_write(struct console *co, const char *s, unsigned int count)
+ * If the port was already initialised (eg, by a boot loader),
+ * try to determine the current setup.
+ */
+-static void __init
++static void
+ imx_uart_console_get_options(struct imx_port *sport, int *baud,
+ int *parity, int *bits)
+ {
+@@ -2108,7 +2108,7 @@ imx_uart_console_get_options(struct imx_port *sport, int *baud,
+ }
+ }
+
+-static int __init
++static int
+ imx_uart_console_setup(struct console *co, char *options)
+ {
+ struct imx_port *sport;
+--
+2.33.0
+
--- /dev/null
+From 5aff11fb229fdc3f6ecad61f5973e26785107994 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Oct 2021 13:27:41 +0300
+Subject: serial: xilinx_uartps: Fix race condition causing stuck TX
+
+From: Anssi Hannula <anssi.hannula@bitwise.fi>
+
+[ Upstream commit 88b20f84f0fe47409342669caf3e58a3fc64c316 ]
+
+xilinx_uartps .start_tx() clears TXEMPTY when enabling TXEMPTY to avoid
+any previous TXEVENT event asserting the UART interrupt. This clear
+operation is done immediately after filling the TX FIFO.
+
+However, if the bytes inserted by cdns_uart_handle_tx() are consumed by
+the UART before the TXEMPTY is cleared, the clear operation eats the new
+TXEMPTY event as well, causing cdns_uart_isr() to never receive the
+TXEMPTY event. If there are bytes still queued in circbuf, TX will get
+stuck as they will never get transferred to FIFO (unless new bytes are
+queued to circbuf in which case .start_tx() is called again).
+
+While the racy missed TXEMPTY occurs fairly often with short data
+sequences (e.g. write 1 byte), in those cases circbuf is usually empty
+so no action on TXEMPTY would have been needed anyway. On the other
+hand, longer data sequences make the race much more unlikely as UART
+takes longer to consume the TX FIFO. Therefore it is rare for this race
+to cause visible issues in general.
+
+Fix the race by clearing the TXEMPTY bit in ISR *before* filling the
+FIFO.
+
+The TXEMPTY bit in ISR will only get asserted at the exact moment the
+TX FIFO *becomes* empty, so clearing the bit before filling FIFO does
+not cause an extra immediate assertion even if the FIFO is initially
+empty.
+
+This is hard to reproduce directly on a normal system, but inserting
+e.g. udelay(200) after cdns_uart_handle_tx(port), setting 4000000 baud,
+and then running "dd if=/dev/zero bs=128 of=/dev/ttyPS0 count=50"
+reliably reproduces the issue on my ZynqMP test system unless this fix
+is applied.
+
+Fixes: 85baf542d54e ("tty: xuartps: support 64 byte FIFO size")
+Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
+Link: https://lore.kernel.org/r/20211026102741.2910441-1-anssi.hannula@bitwise.fi
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/xilinx_uartps.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/xilinx_uartps.c b/drivers/tty/serial/xilinx_uartps.c
+index a9b1ee27183a7..b5a8afbc452ba 100644
+--- a/drivers/tty/serial/xilinx_uartps.c
++++ b/drivers/tty/serial/xilinx_uartps.c
+@@ -601,9 +601,10 @@ static void cdns_uart_start_tx(struct uart_port *port)
+ if (uart_circ_empty(&port->state->xmit))
+ return;
+
++ writel(CDNS_UART_IXR_TXEMPTY, port->membase + CDNS_UART_ISR);
++
+ cdns_uart_handle_tx(port);
+
+- writel(CDNS_UART_IXR_TXEMPTY, port->membase + CDNS_UART_ISR);
+ /* Enable the TX Empty interrupt */
+ writel(CDNS_UART_IXR_TXEMPTY, port->membase + CDNS_UART_IER);
+ }
+--
+2.33.0
+
usb-iowarrior-fix-control-message-timeouts.patch
usb-chipidea-fix-interrupt-deadlock.patch
power-supply-max17042_battery-clear-status-bits-in-interrupt-handler.patch
+dma-buf-warn-on-dmabuf-release-with-pending-attachme.patch
+drm-panel-orientation-quirks-update-the-lenovo-ideap.patch
+drm-panel-orientation-quirks-add-quirk-for-kd-kurio-.patch
+drm-panel-orientation-quirks-add-quirk-for-the-samsu.patch
+bluetooth-sco-fix-lock_sock-blockage-by-memcpy_from_.patch
+bluetooth-fix-use-after-free-error-in-lock_sock_nest.patch
+drm-panel-orientation-quirks-add-valve-steam-deck.patch
+rcutorture-avoid-problematic-critical-section-nestin.patch
+platform-x86-wmi-do-not-fail-if-disabling-fails.patch
+mips-lantiq-dma-add-small-delay-after-reset.patch
+mips-lantiq-dma-reset-correct-number-of-channel.patch
+locking-lockdep-avoid-rcu-induced-noinstr-fail.patch
+net-sched-update-default-qdisc-visibility-after-tx-q.patch
+rcu-tasks-move-rtgs_wait_cbs-to-beginning-of-rcu_tas.patch
+smackfs-fix-use-after-free-in-netlbl_catmap_walk.patch
+ath11k-align-bss_chan_info-structure-with-firmware.patch
+x86-increase-exception-stack-sizes.patch
+mwifiex-run-set_bss_mode-when-changing-from-p2p-to-s.patch
+mwifiex-properly-initialize-private-structure-on-int.patch
+fscrypt-allow-256-bit-master-keys-with-aes-256-xts.patch
+drm-amdgpu-fix-mmio-access-page-fault.patch
+ath11k-avoid-reg-rules-update-during-firmware-recove.patch
+ath11k-add-handler-for-scan-event-wmi_scan_event_deq.patch
+ath11k-change-dma_from_device-to-dma_to_device-when-.patch
+ath10k-high-latency-fixes-for-beacon-buffer.patch
+media-mt9p031-fix-corrupted-frame-after-restarting-s.patch
+media-netup_unidvb-handle-interrupt-properly-accordi.patch
+media-atomisp-fix-error-handling-in-probe.patch
+media-stm32-potential-null-pointer-dereference-in-dc.patch
+media-uvcvideo-set-capability-in-s_param.patch
+media-uvcvideo-return-eio-for-control-errors.patch
+media-uvcvideo-set-unique-vdev-name-based-in-type.patch
+media-s5p-mfc-fix-possible-null-pointer-dereference-.patch
+media-s5p-mfc-add-checking-to-s5p_mfc_probe.patch
+media-imx-set-a-media_device-bus_info-string.patch
+media-mceusb-return-without-resubmitting-urb-in-case.patch
+ia64-don-t-do-ia64_cmpxchg_debug-without-config_prin.patch
+rtw88-fix-rx-clock-gate-setting-while-fifo-dump.patch
+brcmfmac-add-dmi-nvram-filename-quirk-for-cyberbook-.patch
+media-rcar-csi2-add-checking-to-rcsi2_start_receiver.patch
+ipmi-disable-some-operations-during-a-panic.patch
+fs-proc-uptime.c-fix-idle-time-reporting-in-proc-upt.patch
+acpica-avoid-evaluating-methods-too-early-during-sys.patch
+media-ipu3-imgu-imgu_fmt-handle-properly-try.patch
+media-ipu3-imgu-vidioc_querycap-fix-bus_info.patch
+media-usb-dvd-usb-fix-uninit-value-bug-in-dibusb_rea.patch
+net-sysfs-try-not-to-restart-the-syscall-if-it-will-.patch
+tracefs-have-tracefs-directories-not-set-oth-permiss.patch
+ath-dfs_pattern_detector-fix-possible-null-pointer-d.patch
+mmc-moxart-fix-reference-count-leaks-in-moxart_probe.patch
+iov_iter-fix-iov_iter_get_pages-_alloc-page-fault-re.patch
+acpi-battery-accept-charges-over-the-design-capacity.patch
+drm-amdkfd-fix-resume-error-when-iommu-disabled-in-p.patch
+net-phy-micrel-make-skew-ps-check-more-lenient.patch
+leaking_addresses-always-print-a-trailing-newline.patch
+drm-msm-prevent-null-dereference-in-msm_gpu_crashsta.patch
+block-bump-max-plugged-deferred-size-from-16-to-32.patch
+md-update-superblock-after-changing-rdev-flags-in-st.patch
+memstick-r592-fix-a-uaf-bug-when-removing-the-driver.patch
+lib-xz-avoid-overlapping-memcpy-with-invalid-input-w.patch
+lib-xz-validate-the-value-before-assigning-it-to-an-.patch
+workqueue-make-sysfs-of-unbound-kworker-cpumask-more.patch
+tracing-cfi-fix-cmp_entries_-functions-signature-mis.patch
+mt76-mt7915-fix-an-off-by-one-bound-check.patch
+mwl8k-fix-use-after-free-in-mwl8k_fw_state_machine.patch
+block-remove-inaccurate-requeue-check.patch
+media-allegro-ignore-interrupt-if-mailbox-is-not-ini.patch
+nvmet-fix-use-after-free-when-a-port-is-removed.patch
+nvmet-rdma-fix-use-after-free-when-a-port-is-removed.patch
+nvmet-tcp-fix-use-after-free-when-a-port-is-removed.patch
+nvme-drop-scan_lock-and-always-kick-requeue-list-whe.patch
+pm-hibernate-get-block-device-exclusively-in-swsusp_.patch
+selftests-kvm-fix-mismatched-fclose-after-popen.patch
+selftests-bpf-fix-perf_buffer-test-on-system-with-of.patch
+iwlwifi-mvm-disable-rx-diversity-in-powersave.patch
+smackfs-use-__gfp_nofail-for-smk_cipso_doi.patch
+arm-clang-do-not-rely-on-lr-register-for-stacktrace.patch
+gre-sit-don-t-generate-link-local-addr-if-addr_gen_m.patch
+net-dsa-lantiq_gswip-serialize-access-to-the-pce-tab.patch
+gfs2-cancel-remote-delete-work-asynchronously.patch
+gfs2-fix-glock_hash_walk-bugs.patch
+arm-9136-1-armv7-m-uses-be-8-not-be-32.patch
+vrf-run-conntrack-only-in-context-of-lower-physdev-f.patch
+net-annotate-data-race-in-neigh_output.patch
+acpi-ac-quirk-gk45-to-skip-reading-_psr.patch
+btrfs-reflink-initialize-return-value-to-0-in-btrfs_.patch
+btrfs-do-not-take-the-uuid_mutex-in-btrfs_rm_device.patch
+btrfs-subpage-make-btrfs_submit_compressed_write-com.patch
+spi-bcm-qspi-fix-missing-clk_disable_unprepare-on-er.patch
+wcn36xx-correct-band-freq-reporting-on-rx.patch
+x86-hyperv-protect-set_hv_tscchange_cb-against-getti.patch
+drm-amd-display-dcn20_resource_construct-reduce-scop.patch
+selftests-core-fix-conflicting-types-compile-error-f.patch
+parisc-fix-warning-in-flush_tlb_all.patch
+task_stack-fix-end_of_stack-for-architectures-with-u.patch
+erofs-don-t-trigger-warn-when-decompression-fails.patch
+parisc-unwind-fix-unwinder-when-config_64bit-is-enab.patch
+parisc-kgdb-add-kgdb_roundup-to-make-kgdb-work-with-.patch
+netfilter-conntrack-set-on-ips_assured-if-flows-ente.patch
+selftests-bpf-fix-strobemeta-selftest-regression.patch
+bluetooth-fix-init-and-cleanup-of-sco_conn.timeout_w.patch
+rcu-fix-existing-exp-request-check-in-sync_sched_exp.patch
+mips-lantiq-dma-fix-burst-length-for-deu.patch
+objtool-add-xen_start_kernel-to-noreturn-list.patch
+x86-xen-mark-cpu_bringup_and_idle-as-dead_end_functi.patch
+objtool-fix-static_call-list-generation.patch
+drm-v3d-fix-wait-for-tmu-write-combiner-flush.patch
+virtio-gpu-fix-possible-memory-allocation-failure.patch
+lockdep-let-lock_is_held_type-detect-recursive-read-.patch
+net-net_namespace-fix-undefined-member-in-key_remove.patch
+cgroup-make-rebind_subsystems-disable-v2-controllers.patch
+wcn36xx-fix-antenna-diversity-switching.patch
+wilc1000-fix-possible-memory-leak-in-cfg_scan_result.patch
+bluetooth-btmtkuart-fix-a-memleak-in-mtk_hci_wmt_syn.patch
+crypto-caam-disable-pkc-for-non-e-socs.patch
+rxrpc-fix-_usecs_to_jiffies-by-using-usecs_to_jiffie.patch
+net-dsa-rtl8366rb-fix-off-by-one-bug.patch
+ath11k-fix-some-sleeping-in-atomic-bugs.patch
+ath11k-avoid-race-during-regd-updates.patch
+ath11k-fix-packet-drops-due-to-incorrect-6-ghz-freq-.patch
+ath11k-fix-memory-leak-in-ath11k_qmi_driver_event_wo.patch
+ath10k-fix-missing-frame-timestamp-for-beacon-probe-.patch
+ath10k-sdio-add-missing-bh-locking-around-napi_schdu.patch
+drm-ttm-stop-calling-tt_swapin-in-vm_access.patch
+arm64-mm-update-max_pfn-after-memory-hotplug.patch
+drm-amdgpu-fix-warning-for-overflow-check.patch
+media-em28xx-add-missing-em28xx_close_extension.patch
+media-cxd2880-spi-fix-a-null-pointer-dereference-on-.patch
+media-dvb-usb-fix-ununit-value-in-az6027_rc_query.patch
+media-v4l2-ioctl-s_ctrl-output-the-right-value.patch
+media-tda1997x-handle-short-reads-of-hdmi-info-frame.patch
+media-mtk-vpu-fix-a-resource-leak-in-the-error-handl.patch
+media-i2c-ths8200-needs-v4l2_async.patch
+media-radio-wl1273-avoid-card-name-truncation.patch
+media-si470x-avoid-card-name-truncation.patch
+media-tm6000-avoid-card-name-truncation.patch
+media-cx23885-fix-snd_card_free-call-on-null-card-po.patch
+kprobes-do-not-use-local-variable-when-creating-debu.patch
+crypto-ecc-fix-crypto_default_rng-dependency.patch
+cpuidle-fix-kobject-memory-leaks-in-error-paths.patch
+media-em28xx-don-t-use-ops-suspend-if-it-is-null.patch
+ath9k-fix-potential-interrupt-storm-on-queue-reset.patch
+pm-em-fix-inefficient-states-detection.patch
+edac-amd64-handle-three-rank-interleaving-mode.patch
+rcu-always-inline-rcu_dynticks_task-_-enter-exit.patch
+netfilter-nft_dynset-relax-superfluous-check-on-set-.patch
+media-dvb-frontends-mn88443x-handle-errors-of-clk_pr.patch
+crypto-qat-detect-pfvf-collision-after-ack.patch
+crypto-qat-disregard-spurious-pfvf-interrupts.patch
+hwrng-mtk-force-runtime-pm-ops-for-sleep-ops.patch
+b43legacy-fix-a-lower-bounds-test.patch
+b43-fix-a-lower-bounds-test.patch
+gve-recover-from-queue-stall-due-to-missed-irq.patch
+mmc-sdhci-omap-fix-null-pointer-exception-if-regulat.patch
+mmc-sdhci-omap-fix-context-restore.patch
+memstick-avoid-out-of-range-warning.patch
+memstick-jmb38x_ms-use-appropriate-free-function-in-.patch
+net-neigh-fix-ntf_ext_learned-in-combination-with-nt.patch
+hwmon-fix-possible-memleak-in-__hwmon_device_registe.patch
+hwmon-pmbus-lm25066-let-compiler-determine-outer-dim.patch
+ath10k-fix-max-antenna-gain-unit.patch
+kernel-sched-fix-sched_fork-access-an-invalid-sched_.patch
+tcp-switch-orphan_count-to-bare-per-cpu-counters.patch
+drm-msm-potential-error-pointer-dereference-in-init.patch
+drm-msm-uninitialized-variable-in-msm_gem_import.patch
+net-stream-don-t-purge-sk_error_queue-in-sk_stream_k.patch
+media-ir_toy-assignment-to-be16-should-be-of-correct.patch
+mmc-mxs-mmc-disable-regulator-on-error-and-in-the-re.patch
+block-ataflop-fix-breakage-introduced-at-blk-mq-refa.patch
+platform-x86-thinkpad_acpi-fix-bitwise-vs.-logical-w.patch
+mt76-mt7615-fix-endianness-warning-in-mt7615_mac_wri.patch
+mt76-mt76x02-fix-endianness-warnings-in-mt76x02_mac..patch
+mt76-mt7915-fix-possible-infinite-loop-release-semap.patch
+mt76-mt7915-fix-sta_rec_wtbl-tag-len.patch
+mt76-mt7915-fix-muar_idx-in-mt7915_mcu_alloc_sta_req.patch
+rsi-stop-thread-firstly-in-rsi_91x_init-error-handli.patch
+mwifiex-send-delba-requests-according-to-spec.patch
+net-enetc-unmap-dma-in-enetc_send_cmd.patch
+phy-micrel-ksz8041nl-do-not-use-power-down-mode.patch
+nvme-rdma-fix-error-code-in-nvme_rdma_setup_ctrl.patch
+pm-hibernate-fix-sparse-warnings.patch
+clocksource-drivers-timer-ti-dm-select-timer_of.patch
+x86-sev-fix-stack-type-check-in-vc_switch_off_ist.patch
+drm-msm-fix-potential-null-dereference-in-dpu-sspp.patch
+smackfs-use-netlbl_cfg_cipsov4_del-for-deleting-cips.patch
+kvm-selftests-add-operand-to-vmsave-vmload-vmrun-in-.patch
+kvm-selftests-fix-nested-svm-tests-when-built-with-c.patch
+bpftool-avoid-leaking-the-json-writer-prepared-for-p.patch
+libbpf-fix-btf-data-layout-checks-and-allow-empty-bt.patch
+libbpf-allow-loading-empty-btfs.patch
+libbpf-fix-overflow-in-btf-sanity-checks.patch
+libbpf-fix-btf-header-parsing-checks.patch
+s390-gmap-don-t-unconditionally-call-pte_unmap_unloc.patch
+kvm-s390-pv-avoid-double-free-of-sida-page.patch
+kvm-s390-pv-avoid-stalls-for-kvm_s390_pv_init_vm.patch
+irq-mips-avoid-nested-irq_enter.patch
+ataflop-use-a-separate-gendisk-for-each-media-format.patch
+ataflop-potential-out-of-bounds-in-do_format.patch
+block-ataflop-more-blk-mq-refactoring-fixes.patch
+tpm-fix-atmel-tpm-crash-caused-by-too-frequent-queri.patch
+tpm_tis_spi-add-missing-spi-id.patch
+libbpf-fix-endianness-detection-in-bpf_core_read_bit.patch
+tcp-don-t-free-a-fin-sk_buff-in-tcp_remove_empty_skb.patch
+spi-spi-rpc-if-check-return-value-of-rpcif_sw_init.patch
+samples-kretprobes-fix-return-value-if-register_kret.patch
+kvm-s390-fix-handle_sske-page-fault-handling.patch
+libertas_tf-fix-possible-memory-leak-in-probe-and-di.patch
+libertas-fix-possible-memory-leak-in-probe-and-disco.patch
+wcn36xx-add-proper-dma-memory-barriers-in-rx-path.patch
+wcn36xx-fix-discarded-frames-due-to-wrong-sequence-n.patch
+drm-amdgpu-gmc6-fix-dma-mask-from-44-to-40-bits.patch
+selftests-bpf-convert-sk_lookup-ctx-access-tests-to-.patch
+selftests-bpf-fix-fd-cleanup-in-sk_lookup-test.patch
+net-amd-xgbe-toggle-pll-settings-during-rate-change.patch
+net-phylink-avoid-mvneta-warning-when-setting-pause-.patch
+crypto-pcrypt-delay-write-to-padata-info.patch
+selftests-bpf-fix-fclose-pclose-mismatch-in-test_pro.patch
+udp6-allow-so_mark-ctrl-msg-to-affect-routing.patch
+ibmvnic-don-t-stop-queue-in-xmit.patch
+ibmvnic-process-crqs-after-enabling-interrupts.patch
+cgroup-fix-rootcg-cpu.stat-guest-double-counting.patch
+bpf-fix-propagation-of-bounds-from-64-bit-min-max-in.patch
+bpf-fix-propagation-of-signed-bounds-from-64-bit-min.patch
+of-unittest-fix-expect-text-for-gpio-hog-errors.patch
+iio-st_sensors-call-st_sensors_power_enable-from-bus.patch
+iio-st_sensors-disable-regulators-after-device-unreg.patch
+rdma-rxe-fix-wrong-port_cap_flags.patch
+arm-dts-bcm5301x-fix-memory-nodes-names.patch
+clk-mvebu-ap-cpu-clk-fix-a-memory-leak-in-error-hand.patch
+arm-s3c-irq-s3c24xx-fix-return-value-check-for-s3c24.patch
+arm64-dts-rockchip-fix-gpu-register-width-for-rk3328.patch
+arm-dts-qcom-msm8974-add-xo_board-reference-clock-to.patch
+rdma-bnxt_re-fix-query-srq-failure.patch
+arm64-dts-ti-k3-j721e-main-fix-max-virtual-functions.patch
+arm64-dts-ti-k3-j721e-main-fix-bus-range-upto-256-bu.patch
+arm64-dts-meson-g12a-fix-the-pwm-regulator-supply-pr.patch
+arm64-dts-meson-g12b-fix-the-pwm-regulator-supply-pr.patch
+bus-ti-sysc-fix-timekeeping_suspended-warning-on-res.patch
+arm-dts-at91-tse850-the-emac-phy-interface-is-rmii.patch
+scsi-dc395-fix-error-case-unwinding.patch
+mips-loongson64-make-cpu_loongson64-depends-on-mips_.patch
+jfs-fix-memleak-in-jfs_mount.patch
+arm64-dts-qcom-msm8916-fix-secondary-mi2s-bit-clock.patch
+arm64-dts-renesas-beacon-fix-ethernet-phy-mode.patch
+arm64-dts-qcom-pm8916-remove-wrong-reg-names-for-rtc.patch
+alsa-hda-reduce-udelay-at-skl-position-reporting.patch
+alsa-hda-release-controller-display-power-during-shu.patch
+alsa-hda-fix-hang-during-shutdown-due-to-link-reset.patch
+alsa-hda-use-position-buffer-for-skl-again.patch
+soundwire-debugfs-use-controller-id-and-link_id-for-.patch
+scsi-pm80xx-fix-misleading-log-statement-in-pm8001_m.patch
+driver-core-fix-possible-memory-leak-in-device_link_.patch
+arm-dts-omap3-gta04a4-accelerometer-irq-fix.patch
+asoc-sof-topology-do-not-power-down-primary-core-dur.patch
+soc-tegra-fix-an-error-handling-path-in-tegra_powerg.patch
+memory-fsl_ifc-fix-leak-of-irq-and-nand_irq-in-fsl_i.patch
+clk-at91-check-pmc-node-status-before-registering-sy.patch
+video-fbdev-chipsfb-use-memset_io-instead-of-memset.patch
+powerpc-refactor-is_kvm_guest-declaration-to-new-hea.patch
+powerpc-rename-is_kvm_guest-to-check_kvm_guest.patch
+powerpc-reintroduce-is_kvm_guest-as-a-fast-path-chec.patch
+powerpc-fix-is_kvm_guest-kvm_para_available.patch
+powerpc-fix-unbalanced-node-refcount-in-check_kvm_gu.patch
+serial-8250_dw-drop-wrong-use-of-acpi_ptr.patch
+usb-gadget-hid-fix-error-code-in-do_config.patch
+power-supply-rt5033_battery-change-voltage-values-to.patch
+power-supply-max17040-fix-null-ptr-deref-in-max17040.patch
+scsi-csiostor-uninitialized-data-in-csio_ln_vnp_read.patch
+rdma-mlx4-return-missed-an-error-if-device-doesn-t-s.patch
+usb-musb-select-generic_phy-instead-of-depending-on-.patch
+staging-most-dim2-do-not-double-register-the-same-de.patch
+staging-ks7010-select-crypto_hash-crypto_michael_mic.patch
+pinctrl-renesas-checker-fix-off-by-one-bug-in-drive-.patch
+arm-dts-stm32-reduce-dhcor-spi-nor-frequency-to-50-m.patch
+arm-dts-stm32-fix-sai-sub-nodes-register-range.patch
+arm-dts-stm32-fix-av96-board-sai2-pin-muxing-on-stm3.patch
+asoc-cs42l42-correct-some-register-default-values.patch
+asoc-cs42l42-defer-probe-if-request_threaded_irq-ret.patch
+soc-qcom-rpmhpd-provide-some-missing-struct-member-d.patch
+soc-qcom-rpmhpd-make-power_on-actually-enable-the-do.patch
+usb-typec-stusb160x-should-select-regmap_i2c.patch
+iio-adis-do-not-disabe-irqs-in-adis_init.patch
+scsi-ufs-refactor-ufshcd_setup_clocks-to-remove-skip.patch
+scsi-ufs-ufshcd-pltfrm-fix-memory-leak-due-to-probe-.patch
+serial-imx-fix-detach-attach-of-serial-console.patch
+usb-dwc2-drd-fix-dwc2_force_mode-call-in-dwc2_ovr_in.patch
+usb-dwc2-drd-fix-dwc2_drd_role_sw_set-when-clock-cou.patch
+usb-dwc2-drd-reset-current-session-before-setting-th.patch
+firmware-qcom_scm-fix-error-retval-in-__qcom_scm_is_.patch
+soc-qcom-apr-add-of_node_put-before-return.patch
+pinctrl-equilibrium-fix-function-addition-in-multipl.patch
+phy-qcom-qusb2-fix-a-memory-leak-on-probe.patch
+phy-ti-gmii-sel-check-of_get_address-for-failure.patch
+phy-qcom-snps-correct-the-fsel_mask.patch
+serial-xilinx_uartps-fix-race-condition-causing-stuc.patch
+clk-at91-sam9x60-pll-use-div_round_closest_ull.patch
+hid-u2fzero-clarify-error-check-and-length-calculati.patch
+hid-u2fzero-properly-handle-timeouts-in-usb_submit_u.patch
+powerpc-44x-fsp2-add-missing-of_node_put.patch
+asoc-cs42l42-disable-regulators-if-probe-fails.patch
+asoc-cs42l42-use-device_property-api-instead-of-of_p.patch
+asoc-cs42l42-correct-configuring-of-switch-inversion.patch
+virtio_ring-check-desc-null-when-using-indirect-with.patch
+mips-cm-convert-to-bitfield-api-to-fix-out-of-bounds.patch
+power-supply-bq27xxx-fix-kernel-crash-on-irq-handler.patch
+apparmor-fix-error-check.patch
+rpmsg-fix-rpmsg_create_ept-return-when-rpmsg-config-.patch
+nfsd-don-t-alloc-under-spinlock-in-rpc_parse_scope_i.patch
+i2c-mediatek-fixing-the-incorrect-register-offset.patch
+nfs-fix-dentry-verifier-races.patch
+pnfs-flexfiles-fix-misplaced-barrier-in-nfs4_ff_layo.patch
+drm-plane-helper-fix-uninitialized-variable-referenc.patch
+pci-aardvark-don-t-spam-about-pio-response-status.patch
+pci-aardvark-fix-preserving-pci_exp_rtctl_crssve-fla.patch
+opp-fix-return-in-_opp_add_static_v2.patch
+nfs-fix-deadlocks-in-nfs_scan_commit_list.patch
+fs-orangefs-fix-error-return-code-of-orangefs_revali.patch
+mtd-spi-nor-hisi-sfc-remove-excessive-clk_disable_un.patch
+pci-uniphier-serialize-intx-masking-unmasking-and-fi.patch
+mtd-core-don-t-remove-debugfs-directory-if-device-is.patch
+remoteproc-fix-a-memory-leak-in-an-error-handling-pa.patch
+rtc-rv3032-fix-error-handling-in-rv3032_clkout_set_r.patch
+dmaengine-at_xdmac-fix-at_xdmac_cc_perid-macro.patch
+nfs-fix-up-commit-deadlocks.patch
+nfs-fix-an-oops-in-pnfs_mark_request_commit.patch
+fix-user-namespace-leak.patch
+auxdisplay-img-ascii-lcd-fix-lock-up-when-displaying.patch
+auxdisplay-ht16k33-connect-backlight-to-fbdev.patch
+auxdisplay-ht16k33-fix-frame-buffer-device-blanking.patch
+soc-fsl-dpaa2-console-free-buffer-before-returning-f.patch
+netfilter-nfnetlink_queue-fix-oob-when-mac-header-wa.patch
+dmaengine-dmaengine_desc_callback_valid-check-for-ca.patch
+signal-sh-use-force_sig-sigkill-instead-of-do_group_.patch
+m68k-set-a-default-value-for-memory_reserve.patch
+watchdog-f71808e_wdt-fix-inaccurate-report-in-wdioc_.patch
+ar7-fix-kernel-builds-for-compiler-test.patch
+scsi-qla2xxx-changes-to-support-fcp2-target.patch
+scsi-qla2xxx-relogin-during-fabric-disturbance.patch
+scsi-qla2xxx-fix-gnl-list-corruption.patch
+scsi-qla2xxx-turn-off-target-reset-during-issue_lip.patch
+nfsv4-fix-a-regression-in-nfs_set_open_stateid_locke.patch
+i2c-xlr-fix-a-resource-leak-in-the-error-handling-pa.patch
+xen-pciback-fix-return-in-pm_ctrl_init.patch
+net-davinci_emac-fix-interrupt-pacing-disable.patch
+ethtool-fix-ethtool-msg-len-calculation-for-pause-st.patch
+openrisc-fix-smp-tlb-flush-null-pointer-dereference.patch
+net-vlan-fix-a-uaf-in-vlan_dev_real_dev.patch
+ice-fix-replacing-vf-hardware-mac-to-existing-mac-fi.patch
+ice-fix-not-stopping-tx-queues-for-vfs.patch
+acpi-pmic-fix-intel_pmic_regs_handler-read-accesses.patch
+drm-nouveau-svm-fix-refcount-leak-bug-and-missing-ch.patch
+block-ataflop-use-the-blk_cleanup_disk-helper.patch
+block-ataflop-add-registration-bool-before-calling-d.patch
+block-ataflop-provide-a-helper-for-cleanup-up-an-ata.patch
+ataflop-remove-ataflop_probe_lock-mutex.patch
+net-phy-fix-duplex-out-of-sync-problem-while-changin.patch
+bonding-fix-a-use-after-free-problem-when-bond_sysfs.patch
+mfd-core-add-missing-of_node_put-for-loop-iteration.patch
+can-mcp251xfd-mcp251xfd_chip_start-fix-error-handlin.patch
+mm-zsmalloc.c-close-race-window-between-zs_pool_dec_.patch
+zram-off-by-one-in-read_block_state.patch
+perf-bpf-add-missing-free-to-bpf_event__print_bpf_pr.patch
+llc-fix-out-of-bound-array-index-in-llc_sk_dev_hash.patch
+nfc-pn533-fix-double-free-when-pn533_fill_fragment_s.patch
+arm64-pgtable-make-__pte_to_phys-__phys_to_pte_val-i.patch
+bpf-sockmap-remove-unhash-handler-for-bpf-sockmap-us.patch
+bpf-sockmap-strparser-and-tls-are-reusing-qdisc_skb_.patch
+gve-fix-off-by-one-in-gve_tx_timeout.patch
+seq_file-fix-passing-wrong-private-data.patch
+net-sched-sch_taprio-fix-undefined-behavior-in-ktime.patch
+net-hns3-fix-kernel-crash-when-unload-vf-while-it-is.patch
+net-hns3-allow-configure-ets-bandwidth-of-all-tcs.patch
+net-stmmac-allow-a-tc-taprio-base-time-of-zero.patch
+vsock-prevent-unnecessary-refcnt-inc-for-nonblocking.patch
+net-smc-fix-sk_refcnt-underflow-on-linkdown-and-fall.patch
+cxgb4-fix-eeprom-len-when-diagnostics-not-implemente.patch
+selftests-net-udpgso_bench_rx-fix-port-argument.patch
--- /dev/null
+From 1254ea38526c087a183d6479a877108b3364d201 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Oct 2021 12:43:52 -0500
+Subject: signal/sh: Use force_sig(SIGKILL) instead of do_group_exit(SIGKILL)
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+[ Upstream commit ce0ee4e6ac99606f3945f4d47775544edc3f7985 ]
+
+Today the sh code allocates memory the first time a process uses
+the fpu. If that memory allocation fails, kill the affected task
+with force_sig(SIGKILL) rather than do_group_exit(SIGKILL).
+
+Calling do_group_exit from an exception handler can potentially lead
+to dead locks as do_group_exit is not designed to be called from
+interrupt context. Instead use force_sig(SIGKILL) to kill the
+userspace process. Sending signals in general and force_sig in
+particular has been tested from interrupt context so there should be
+no problems.
+
+Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
+Cc: Rich Felker <dalias@libc.org>
+Cc: linux-sh@vger.kernel.org
+Fixes: 0ea820cf9bf5 ("sh: Move over to dynamically allocated FPU context.")
+Link: https://lkml.kernel.org/r/20211020174406.17889-6-ebiederm@xmission.com
+Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sh/kernel/cpu/fpu.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/arch/sh/kernel/cpu/fpu.c b/arch/sh/kernel/cpu/fpu.c
+index ae354a2931e7e..fd6db0ab19288 100644
+--- a/arch/sh/kernel/cpu/fpu.c
++++ b/arch/sh/kernel/cpu/fpu.c
+@@ -62,18 +62,20 @@ void fpu_state_restore(struct pt_regs *regs)
+ }
+
+ if (!tsk_used_math(tsk)) {
+- local_irq_enable();
++ int ret;
+ /*
+ * does a slab alloc which can sleep
+ */
+- if (init_fpu(tsk)) {
++ local_irq_enable();
++ ret = init_fpu(tsk);
++ local_irq_disable();
++ if (ret) {
+ /*
+ * ran out of memory!
+ */
+- do_group_exit(SIGKILL);
++ force_sig(SIGKILL);
+ return;
+ }
+- local_irq_disable();
+ }
+
+ grab_fpu(regs);
+--
+2.33.0
+
--- /dev/null
+From 391c13fd555d4dabaea1051b96725019ef6152df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Aug 2021 23:41:40 -0700
+Subject: smackfs: Fix use-after-free in netlbl_catmap_walk()
+
+From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+
+[ Upstream commit 0817534ff9ea809fac1322c5c8c574be8483ea57 ]
+
+Syzkaller reported use-after-free bug as described in [1]. The bug is
+triggered when smk_set_cipso() tries to free stale category bitmaps
+while there are concurrent reader(s) using the same bitmaps.
+
+Wait for RCU grace period to finish before freeing the category bitmaps
+in smk_set_cipso(). This makes sure that there are no more readers using
+the stale bitmaps and freeing them should be safe.
+
+[1] https://lore.kernel.org/netdev/000000000000a814c505ca657a4e@google.com/
+
+Reported-by: syzbot+3f91de0b813cc3d19a80@syzkaller.appspotmail.com
+Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/smack/smackfs.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
+index b88c1a9538334..e33f98d25fc02 100644
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -831,6 +831,7 @@ static int smk_open_cipso(struct inode *inode, struct file *file)
+ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
+ size_t count, loff_t *ppos, int format)
+ {
++ struct netlbl_lsm_catmap *old_cat;
+ struct smack_known *skp;
+ struct netlbl_lsm_secattr ncats;
+ char mapcatset[SMK_CIPSOLEN];
+@@ -920,9 +921,11 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
+
+ rc = smk_netlbl_mls(maplevel, mapcatset, &ncats, SMK_CIPSOLEN);
+ if (rc >= 0) {
+- netlbl_catmap_free(skp->smk_netlabel.attr.mls.cat);
++ old_cat = skp->smk_netlabel.attr.mls.cat;
+ skp->smk_netlabel.attr.mls.cat = ncats.attr.mls.cat;
+ skp->smk_netlabel.attr.mls.lvl = ncats.attr.mls.lvl;
++ synchronize_rcu();
++ netlbl_catmap_free(old_cat);
+ rc = count;
+ /*
+ * This mapping may have been cached, so clear the cache.
+--
+2.33.0
+
--- /dev/null
+From 1496f0510de48a938bfb2c668f2ba170d7118087 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Oct 2021 20:54:31 +0900
+Subject: smackfs: use __GFP_NOFAIL for smk_cipso_doi()
+
+From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+
+[ Upstream commit f91488ee15bd3cac467e2d6a361fc2d34d1052ae ]
+
+syzbot is reporting kernel panic at smk_cipso_doi() due to memory
+allocation fault injection [1]. The reason for need to use panic() was
+not explained. But since no fix was proposed for 18 months, for now
+let's use __GFP_NOFAIL for utilizing syzbot resource on other bugs.
+
+Link: https://syzkaller.appspot.com/bug?extid=89731ccb6fec15ce1c22 [1]
+Reported-by: syzbot <syzbot+89731ccb6fec15ce1c22@syzkaller.appspotmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/smack/smackfs.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
+index e33f98d25fc02..ca0daba11f814 100644
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -693,9 +693,7 @@ static void smk_cipso_doi(void)
+ printk(KERN_WARNING "%s:%d remove rc = %d\n",
+ __func__, __LINE__, rc);
+
+- doip = kmalloc(sizeof(struct cipso_v4_doi), GFP_KERNEL);
+- if (doip == NULL)
+- panic("smack: Failed to initialize cipso DOI.\n");
++ doip = kmalloc(sizeof(struct cipso_v4_doi), GFP_KERNEL | __GFP_NOFAIL);
+ doip->map.std = NULL;
+ doip->doi = smk_cipso_doi_value;
+ doip->type = CIPSO_V4_MAP_PASS;
+--
+2.33.0
+
--- /dev/null
+From 95a508bc04853e9b834fc2e690d3880d9c9af4a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Oct 2021 20:27:26 +0900
+Subject: smackfs: use netlbl_cfg_cipsov4_del() for deleting cipso_v4_doi
+
+From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+
+[ Upstream commit 0934ad42bb2c5df90a1b9de690f93de735b622fe ]
+
+syzbot is reporting UAF at cipso_v4_doi_search() [1], for smk_cipso_doi()
+is calling kfree() without removing from the cipso_v4_doi_list list after
+netlbl_cfg_cipsov4_map_add() returned an error. We need to use
+netlbl_cfg_cipsov4_del() in order to remove from the list and wait for
+RCU grace period before kfree().
+
+Link: https://syzkaller.appspot.com/bug?extid=93dba5b91f0fed312cbd [1]
+Reported-by: syzbot <syzbot+93dba5b91f0fed312cbd@syzkaller.appspotmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Fixes: 6c2e8ac0953fccdd ("netlabel: Update kernel configuration API")
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/smack/smackfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
+index ca0daba11f814..3eabcc469669e 100644
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -712,7 +712,7 @@ static void smk_cipso_doi(void)
+ if (rc != 0) {
+ printk(KERN_WARNING "%s:%d map add rc = %d\n",
+ __func__, __LINE__, rc);
+- kfree(doip);
++ netlbl_cfg_cipsov4_del(doip->doi, &nai);
+ return;
+ }
+ }
+--
+2.33.0
+
--- /dev/null
+From f79e8ef39ff73cff21f1da6603f1f149914ea57c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Apr 2021 12:01:51 +0300
+Subject: soc: fsl: dpaa2-console: free buffer before returning from
+ dpaa2_console_read
+
+From: Robert-Ionut Alexa <robert-ionut.alexa@nxp.com>
+
+[ Upstream commit 8120bd469f5525da229953c1197f2b826c0109f4 ]
+
+Free the kbuf buffer before returning from the dpaa2_console_read()
+function. The variable no longer goes out of scope, leaking the storage
+it points to.
+
+Fixes: c93349d8c170 ("soc: fsl: add DPAA2 console support")
+Signed-off-by: Robert-Ionut Alexa <robert-ionut.alexa@nxp.com>
+Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Signed-off-by: Li Yang <leoyang.li@nxp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/fsl/dpaa2-console.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/soc/fsl/dpaa2-console.c b/drivers/soc/fsl/dpaa2-console.c
+index 27243f706f376..53917410f2bdb 100644
+--- a/drivers/soc/fsl/dpaa2-console.c
++++ b/drivers/soc/fsl/dpaa2-console.c
+@@ -231,6 +231,7 @@ static ssize_t dpaa2_console_read(struct file *fp, char __user *buf,
+ cd->cur_ptr += bytes;
+ written += bytes;
+
++ kfree(kbuf);
+ return written;
+
+ err_free_buf:
+--
+2.33.0
+
--- /dev/null
+From da22791816462baf901e94340f1aae5c66c5e2c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Oct 2021 04:30:17 -0400
+Subject: soc: qcom: apr: Add of_node_put() before return
+
+From: Wan Jiabing <wanjiabing@vivo.com>
+
+[ Upstream commit 72f1aa6205d84337b90b065f602a8fe190821781 ]
+
+Fix following coccicheck warning:
+
+./drivers/soc/qcom/apr.c:485:1-23: WARNING: Function
+for_each_child_of_node should have of_node_put() before return
+
+Early exits from for_each_child_of_node should decrement the
+node reference counter.
+
+Fixes: 834735662602 ("soc: qcom: apr: Add avs/audio tracking functionality")
+Signed-off-by: Wan Jiabing <wanjiabing@vivo.com>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Link: https://lore.kernel.org/r/20211014083017.19714-1-wanjiabing@vivo.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/qcom/apr.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/soc/qcom/apr.c b/drivers/soc/qcom/apr.c
+index 7abfc8c4fdc72..f736d208362c9 100644
+--- a/drivers/soc/qcom/apr.c
++++ b/drivers/soc/qcom/apr.c
+@@ -323,12 +323,14 @@ static int of_apr_add_pd_lookups(struct device *dev)
+ 1, &service_path);
+ if (ret < 0) {
+ dev_err(dev, "pdr service path missing: %d\n", ret);
++ of_node_put(node);
+ return ret;
+ }
+
+ pds = pdr_add_lookup(apr->pdr, service_name, service_path);
+ if (IS_ERR(pds) && PTR_ERR(pds) != -EALREADY) {
+ dev_err(dev, "pdr add lookup failed: %ld\n", PTR_ERR(pds));
++ of_node_put(node);
+ return PTR_ERR(pds);
+ }
+ }
+--
+2.33.0
+
--- /dev/null
+From d6b7c2ea1dccdcfe4f32484deab671516083bd23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Oct 2021 20:37:32 -0700
+Subject: soc: qcom: rpmhpd: Make power_on actually enable the domain
+
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+
+[ Upstream commit e3e56c050ab6e3f1bd811f0787f50709017543e4 ]
+
+The general expectation is that powering on a power-domain should make
+the power domain deliver some power, and if a specific performance state
+is needed further requests has to be made.
+
+But in contrast with other power-domain implementations (e.g. rpmpd) the
+RPMh does not have an interface to enable the power, so the driver has
+to vote for a particular corner (performance level) in rpmh_power_on().
+
+But the corner is never initialized, so a typical request to simply
+enable the power domain would not actually turn on the hardware. Further
+more, when no more clients vote for a performance state (i.e. the
+aggregated vote is 0) the power domain would be turned off.
+
+Fix both of these issues by always voting for a corner with non-zero
+value, when the power domain is enabled.
+
+The tracking of the lowest non-zero corner is performed to handle the
+corner case if there's ever a domain with a non-zero lowest corner, in
+which case both rpmh_power_on() and rpmh_rpmhpd_set_performance_state()
+would be allowed to use this lowest corner.
+
+Fixes: 279b7e8a62cc ("soc: qcom: rpmhpd: Add RPMh power domain driver")
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Link: https://lore.kernel.org/r/20211005033732.2284447-1-bjorn.andersson@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/qcom/rpmhpd.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/soc/qcom/rpmhpd.c b/drivers/soc/qcom/rpmhpd.c
+index e7cb40144f9b1..436ec79122ed2 100644
+--- a/drivers/soc/qcom/rpmhpd.c
++++ b/drivers/soc/qcom/rpmhpd.c
+@@ -30,6 +30,7 @@
+ * @active_only: True if it represents an Active only peer
+ * @corner: current corner
+ * @active_corner: current active corner
++ * @enable_corner: lowest non-zero corner
+ * @level: An array of level (vlvl) to corner (hlvl) mappings
+ * derived from cmd-db
+ * @level_count: Number of levels supported by the power domain. max
+@@ -47,6 +48,7 @@ struct rpmhpd {
+ const bool active_only;
+ unsigned int corner;
+ unsigned int active_corner;
++ unsigned int enable_corner;
+ u32 level[RPMH_ARC_MAX_LEVELS];
+ size_t level_count;
+ bool enabled;
+@@ -295,13 +297,13 @@ static int rpmhpd_aggregate_corner(struct rpmhpd *pd, unsigned int corner)
+ static int rpmhpd_power_on(struct generic_pm_domain *domain)
+ {
+ struct rpmhpd *pd = domain_to_rpmhpd(domain);
+- int ret = 0;
++ unsigned int corner;
++ int ret;
+
+ mutex_lock(&rpmhpd_lock);
+
+- if (pd->corner)
+- ret = rpmhpd_aggregate_corner(pd, pd->corner);
+-
++ corner = max(pd->corner, pd->enable_corner);
++ ret = rpmhpd_aggregate_corner(pd, corner);
+ if (!ret)
+ pd->enabled = true;
+
+@@ -346,6 +348,10 @@ static int rpmhpd_set_performance_state(struct generic_pm_domain *domain,
+ i--;
+
+ if (pd->enabled) {
++ /* Ensure that the domain isn't turn off */
++ if (i < pd->enable_corner)
++ i = pd->enable_corner;
++
+ ret = rpmhpd_aggregate_corner(pd, i);
+ if (ret)
+ goto out;
+@@ -382,6 +388,10 @@ static int rpmhpd_update_level_mapping(struct rpmhpd *rpmhpd)
+ for (i = 0; i < rpmhpd->level_count; i++) {
+ rpmhpd->level[i] = buf[i];
+
++ /* Remember the first corner with non-zero level */
++ if (!rpmhpd->level[rpmhpd->enable_corner] && rpmhpd->level[i])
++ rpmhpd->enable_corner = i;
++
+ /*
+ * The AUX data may be zero padded. These 0 valued entries at
+ * the end of the map must be ignored.
+--
+2.33.0
+
--- /dev/null
+From 74b9ef304510cac7e8983faa3946d6c6d1ad55d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Nov 2020 15:28:34 +0000
+Subject: soc: qcom: rpmhpd: Provide some missing struct member descriptions
+
+From: Lee Jones <lee.jones@linaro.org>
+
+[ Upstream commit 5d16af6a921f5a4e7038671be5478cba4b7cfe81 ]
+
+Fixes the following W=1 kernel build warning(s):
+
+ drivers/soc/qcom/rpmhpd.c:52: warning: Function parameter or member 'parent' not described in 'rpmhpd'
+ drivers/soc/qcom/rpmhpd.c:52: warning: Function parameter or member 'corner' not described in 'rpmhpd'
+ drivers/soc/qcom/rpmhpd.c:52: warning: Function parameter or member 'active_corner' not described in 'rpmhpd'
+
+Cc: Andy Gross <agross@kernel.org>
+Cc: Bjorn Andersson <bjorn.andersson@linaro.org>
+Cc: linux-arm-msm@vger.kernel.org
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Link: https://lore.kernel.org/r/20201103152838.1290217-22-lee.jones@linaro.org
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/qcom/rpmhpd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/soc/qcom/rpmhpd.c b/drivers/soc/qcom/rpmhpd.c
+index c8b584d0c8fb4..e7cb40144f9b1 100644
+--- a/drivers/soc/qcom/rpmhpd.c
++++ b/drivers/soc/qcom/rpmhpd.c
+@@ -24,9 +24,12 @@
+ * struct rpmhpd - top level RPMh power domain resource data structure
+ * @dev: rpmh power domain controller device
+ * @pd: generic_pm_domain corrresponding to the power domain
++ * @parent: generic_pm_domain corrresponding to the parent's power domain
+ * @peer: A peer power domain in case Active only Voting is
+ * supported
+ * @active_only: True if it represents an Active only peer
++ * @corner: current corner
++ * @active_corner: current active corner
+ * @level: An array of level (vlvl) to corner (hlvl) mappings
+ * derived from cmd-db
+ * @level_count: Number of levels supported by the power domain. max
+--
+2.33.0
+
--- /dev/null
+From 41d0462dc82eac4404c80f0e771997c3d0e5c9b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Jun 2021 17:54:31 +0200
+Subject: soc/tegra: Fix an error handling path in tegra_powergate_power_up()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 986b5094708e508baa452a23ffe809870934a7df ]
+
+If an error occurs after a successful tegra_powergate_enable_clocks()
+call, it must be undone by a tegra_powergate_disable_clocks() call, as
+already done in the below and above error handling paths of this function.
+
+Update the 'goto' to branch at the correct place of the error handling
+path.
+
+Fixes: a38045121bf4 ("soc/tegra: pmc: Add generic PM domain support")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/tegra/pmc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soc/tegra/pmc.c b/drivers/soc/tegra/pmc.c
+index 0118bd986f902..857354a69c39d 100644
+--- a/drivers/soc/tegra/pmc.c
++++ b/drivers/soc/tegra/pmc.c
+@@ -705,7 +705,7 @@ static int tegra_powergate_power_up(struct tegra_powergate *pg,
+
+ err = reset_control_deassert(pg->reset);
+ if (err)
+- goto powergate_off;
++ goto disable_clks;
+
+ usleep_range(10, 20);
+
+--
+2.33.0
+
--- /dev/null
+From d92dbbd572f37fe234aa62fc6d81d5909fd5742a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Sep 2021 11:53:32 +0100
+Subject: soundwire: debugfs: use controller id and link_id for debugfs
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit 75eac387a2539aa6c6bbee3affa23435f2096396 ]
+
+link_id can be zero and if we have multiple controller instances
+in a system like Qualcomm debugfs will end-up with duplicate namespace
+resulting in incorrect debugfs entries.
+
+Using bus-id and link-id combination should give a unique debugfs directory
+entry and should fix below warning too.
+"debugfs: Directory 'master-0' with parent 'soundwire' already present!"
+
+Fixes: bf03473d5bcc ("soundwire: add debugfs support")
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20210907105332.1257-1-srinivas.kandagatla@linaro.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soundwire/debugfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soundwire/debugfs.c b/drivers/soundwire/debugfs.c
+index b6cad0d59b7b9..49900cd207bc7 100644
+--- a/drivers/soundwire/debugfs.c
++++ b/drivers/soundwire/debugfs.c
+@@ -19,7 +19,7 @@ void sdw_bus_debugfs_init(struct sdw_bus *bus)
+ return;
+
+ /* create the debugfs master-N */
+- snprintf(name, sizeof(name), "master-%d", bus->link_id);
++ snprintf(name, sizeof(name), "master-%d-%d", bus->id, bus->link_id);
+ bus->debugfs = debugfs_create_dir(name, sdw_debugfs_root);
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 9c56486e78638fb5b8f01953261199743e593b96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Oct 2021 15:34:13 +0800
+Subject: spi: bcm-qspi: Fix missing clk_disable_unprepare() on error in
+ bcm_qspi_probe()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit ca9b8f56ec089d3a436050afefd17b7237301f47 ]
+
+Fix the missing clk_disable_unprepare() before return
+from bcm_qspi_probe() in the error handling case.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20211018073413.2029081-1-yangyingliang@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-bcm-qspi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-bcm-qspi.c b/drivers/spi/spi-bcm-qspi.c
+index b4d5930be2a95..3c0ae6dbc43e2 100644
+--- a/drivers/spi/spi-bcm-qspi.c
++++ b/drivers/spi/spi-bcm-qspi.c
+@@ -1460,7 +1460,7 @@ int bcm_qspi_probe(struct platform_device *pdev,
+ &qspi->dev_ids[val]);
+ if (ret < 0) {
+ dev_err(&pdev->dev, "IRQ %s not found\n", name);
+- goto qspi_probe_err;
++ goto qspi_unprepare_err;
+ }
+
+ qspi->dev_ids[val].dev = qspi;
+@@ -1475,7 +1475,7 @@ int bcm_qspi_probe(struct platform_device *pdev,
+ if (!num_ints) {
+ dev_err(&pdev->dev, "no IRQs registered, cannot init driver\n");
+ ret = -EINVAL;
+- goto qspi_probe_err;
++ goto qspi_unprepare_err;
+ }
+
+ bcm_qspi_hw_init(qspi);
+@@ -1499,6 +1499,7 @@ int bcm_qspi_probe(struct platform_device *pdev,
+
+ qspi_reg_err:
+ bcm_qspi_hw_uninit(qspi);
++qspi_unprepare_err:
+ clk_disable_unprepare(qspi->clk);
+ qspi_probe_err:
+ kfree(qspi->dev_ids);
+--
+2.33.0
+
--- /dev/null
+From 418d982e9c3185692376d0974146200b25429947 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Oct 2021 21:56:27 +0100
+Subject: spi: spi-rpc-if: Check return value of rpcif_sw_init()
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit 0b0a281ed7001d4c4f4c47bdc84680c4997761ca ]
+
+rpcif_sw_init() can fail so make sure we check the return value
+of it and on error exit rpcif_spi_probe() callback with error code.
+
+Fixes: eb8d6d464a27 ("spi: add Renesas RPC-IF driver")
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Reviewed-by: Biju Das <biju.das.jz@bp.renesas.com>
+Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20211025205631.21151-4-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-rpc-if.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-rpc-if.c b/drivers/spi/spi-rpc-if.c
+index 3579675485a5e..727d7cf0a6ad8 100644
+--- a/drivers/spi/spi-rpc-if.c
++++ b/drivers/spi/spi-rpc-if.c
+@@ -139,7 +139,9 @@ static int rpcif_spi_probe(struct platform_device *pdev)
+ return -ENOMEM;
+
+ rpc = spi_controller_get_devdata(ctlr);
+- rpcif_sw_init(rpc, parent);
++ error = rpcif_sw_init(rpc, parent);
++ if (error)
++ return error;
+
+ platform_set_drvdata(pdev, ctlr);
+
+--
+2.33.0
+
--- /dev/null
+From f3dfdbba338c814dcfb3dcd729cb2cc6e0683f13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Oct 2021 17:29:41 +0200
+Subject: staging: ks7010: select CRYPTO_HASH/CRYPTO_MICHAEL_MIC
+
+From: Vegard Nossum <vegard.nossum@oracle.com>
+
+[ Upstream commit 9ca0e55e52c7b2a99f3c2051fc4bd1c63a061519 ]
+
+Fix the following build/link errors:
+
+ ld: drivers/staging/ks7010/ks_hostif.o: in function `michael_mic.constprop.0':
+ ks_hostif.c:(.text+0x95b): undefined reference to `crypto_alloc_shash'
+ ld: ks_hostif.c:(.text+0x97a): undefined reference to `crypto_shash_setkey'
+ ld: ks_hostif.c:(.text+0xa13): undefined reference to `crypto_shash_update'
+ ld: ks_hostif.c:(.text+0xa28): undefined reference to `crypto_shash_update'
+ ld: ks_hostif.c:(.text+0xa48): undefined reference to `crypto_shash_finup'
+ ld: ks_hostif.c:(.text+0xa6d): undefined reference to `crypto_destroy_tfm'
+
+Fixes: 8b523f20417d ("staging: ks7010: removed custom Michael MIC implementation.")
+Fixes: 3e5bc68fa5968 ("staging: ks7010: Fix build error")
+Fixes: a4961427e7494 ("Revert "staging: ks7010: Fix build error"")
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Link: https://lore.kernel.org/r/20211011152941.12847-1-vegard.nossum@oracle.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/ks7010/Kconfig | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/staging/ks7010/Kconfig b/drivers/staging/ks7010/Kconfig
+index 0987fdc2f70db..8ea6c09286798 100644
+--- a/drivers/staging/ks7010/Kconfig
++++ b/drivers/staging/ks7010/Kconfig
+@@ -5,6 +5,9 @@ config KS7010
+ select WIRELESS_EXT
+ select WEXT_PRIV
+ select FW_LOADER
++ select CRYPTO
++ select CRYPTO_HASH
++ select CRYPTO_MICHAEL_MIC
+ help
+ This is a driver for KeyStream KS7010 based SDIO WIFI cards. It is
+ found on at least later Spectec SDW-821 (FCC-ID "S2Y-WLAN-11G-K" only,
+--
+2.33.0
+
--- /dev/null
+From dabfb39c5a30478cc6c2aac506c7848632834e6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Oct 2021 09:11:18 +0300
+Subject: staging: most: dim2: do not double-register the same device
+
+From: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+
+[ Upstream commit 2ab189164056b05474275bb40caa038a37713061 ]
+
+Commit 723de0f9171e ("staging: most: remove device from interface
+structure") moved registration of driver-provided struct device to
+the most subsystem.
+
+Dim2 used to register the same struct device to provide a custom device
+attribute. This causes double-registration of the same struct device.
+
+Fix that by moving the custom attribute to driver's dev_groups.
+This moves attribute to the platform_device object, which is a better
+location for platform-specific attributes anyway.
+
+Fixes: 723de0f9171e ("staging: most: remove device from interface structure")
+Acked-by: Christian Gromm <christian.gromm@microchip.com>
+Signed-off-by: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+Link: https://lore.kernel.org/r/20211011061117.21435-1-nikita.yoush@cogentembedded.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/most/dim2/Makefile | 2 +-
+ drivers/staging/most/dim2/dim2.c | 24 ++++++++-------
+ drivers/staging/most/dim2/sysfs.c | 49 ------------------------------
+ drivers/staging/most/dim2/sysfs.h | 11 -------
+ 4 files changed, 14 insertions(+), 72 deletions(-)
+ delete mode 100644 drivers/staging/most/dim2/sysfs.c
+
+diff --git a/drivers/staging/most/dim2/Makefile b/drivers/staging/most/dim2/Makefile
+index 861adacf6c729..5f9612af3fa3c 100644
+--- a/drivers/staging/most/dim2/Makefile
++++ b/drivers/staging/most/dim2/Makefile
+@@ -1,4 +1,4 @@
+ # SPDX-License-Identifier: GPL-2.0
+ obj-$(CONFIG_MOST_DIM2) += most_dim2.o
+
+-most_dim2-objs := dim2.o hal.o sysfs.o
++most_dim2-objs := dim2.o hal.o
+diff --git a/drivers/staging/most/dim2/dim2.c b/drivers/staging/most/dim2/dim2.c
+index b34e3c130f53f..8c2f384233aab 100644
+--- a/drivers/staging/most/dim2/dim2.c
++++ b/drivers/staging/most/dim2/dim2.c
+@@ -115,7 +115,8 @@ struct dim2_platform_data {
+ (((p)[1] == 0x18) && ((p)[2] == 0x05) && ((p)[3] == 0x0C) && \
+ ((p)[13] == 0x3C) && ((p)[14] == 0x00) && ((p)[15] == 0x0A))
+
+-bool dim2_sysfs_get_state_cb(void)
++static ssize_t state_show(struct device *dev, struct device_attribute *attr,
++ char *buf)
+ {
+ bool state;
+ unsigned long flags;
+@@ -124,9 +125,18 @@ bool dim2_sysfs_get_state_cb(void)
+ state = dim_get_lock_state();
+ spin_unlock_irqrestore(&dim_lock, flags);
+
+- return state;
++ return sysfs_emit(buf, "%s\n", state ? "locked" : "");
+ }
+
++static DEVICE_ATTR_RO(state);
++
++static struct attribute *dim2_attrs[] = {
++ &dev_attr_state.attr,
++ NULL,
++};
++
++ATTRIBUTE_GROUPS(dim2);
++
+ /**
+ * dimcb_on_error - callback from HAL to report miscommunication between
+ * HDM and HAL
+@@ -863,16 +873,8 @@ static int dim2_probe(struct platform_device *pdev)
+ goto err_stop_thread;
+ }
+
+- ret = dim2_sysfs_probe(&dev->dev);
+- if (ret) {
+- dev_err(&pdev->dev, "failed to create sysfs attribute\n");
+- goto err_unreg_iface;
+- }
+-
+ return 0;
+
+-err_unreg_iface:
+- most_deregister_interface(&dev->most_iface);
+ err_stop_thread:
+ kthread_stop(dev->netinfo_task);
+ err_shutdown_dim:
+@@ -895,7 +897,6 @@ static int dim2_remove(struct platform_device *pdev)
+ struct dim2_hdm *dev = platform_get_drvdata(pdev);
+ unsigned long flags;
+
+- dim2_sysfs_destroy(&dev->dev);
+ most_deregister_interface(&dev->most_iface);
+ kthread_stop(dev->netinfo_task);
+
+@@ -1079,6 +1080,7 @@ static struct platform_driver dim2_driver = {
+ .driver = {
+ .name = "hdm_dim2",
+ .of_match_table = dim2_of_match,
++ .dev_groups = dim2_groups,
+ },
+ };
+
+diff --git a/drivers/staging/most/dim2/sysfs.c b/drivers/staging/most/dim2/sysfs.c
+deleted file mode 100644
+index c85b2cdcdca3d..0000000000000
+--- a/drivers/staging/most/dim2/sysfs.c
++++ /dev/null
+@@ -1,49 +0,0 @@
+-// SPDX-License-Identifier: GPL-2.0
+-/*
+- * sysfs.c - MediaLB sysfs information
+- *
+- * Copyright (C) 2015, Microchip Technology Germany II GmbH & Co. KG
+- */
+-
+-/* Author: Andrey Shvetsov <andrey.shvetsov@k2l.de> */
+-
+-#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+-
+-#include <linux/kernel.h>
+-#include "sysfs.h"
+-#include <linux/device.h>
+-
+-static ssize_t state_show(struct device *dev, struct device_attribute *attr,
+- char *buf)
+-{
+- bool state = dim2_sysfs_get_state_cb();
+-
+- return sprintf(buf, "%s\n", state ? "locked" : "");
+-}
+-
+-static DEVICE_ATTR_RO(state);
+-
+-static struct attribute *dev_attrs[] = {
+- &dev_attr_state.attr,
+- NULL,
+-};
+-
+-static struct attribute_group dev_attr_group = {
+- .attrs = dev_attrs,
+-};
+-
+-static const struct attribute_group *dev_attr_groups[] = {
+- &dev_attr_group,
+- NULL,
+-};
+-
+-int dim2_sysfs_probe(struct device *dev)
+-{
+- dev->groups = dev_attr_groups;
+- return device_register(dev);
+-}
+-
+-void dim2_sysfs_destroy(struct device *dev)
+-{
+- device_unregister(dev);
+-}
+diff --git a/drivers/staging/most/dim2/sysfs.h b/drivers/staging/most/dim2/sysfs.h
+index 24277a17cff3d..09115cf4ed00e 100644
+--- a/drivers/staging/most/dim2/sysfs.h
++++ b/drivers/staging/most/dim2/sysfs.h
+@@ -16,15 +16,4 @@ struct medialb_bus {
+ struct kobject kobj_group;
+ };
+
+-struct device;
+-
+-int dim2_sysfs_probe(struct device *dev);
+-void dim2_sysfs_destroy(struct device *dev);
+-
+-/*
+- * callback,
+- * must deliver MediaLB state as true if locked or false if unlocked
+- */
+-bool dim2_sysfs_get_state_cb(void);
+-
+ #endif /* DIM2_SYSFS_H */
+--
+2.33.0
+
--- /dev/null
+From d25ea3797682497385d00b56301b59225b6ccdcd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Oct 2021 00:05:43 +0200
+Subject: task_stack: Fix end_of_stack() for architectures with upwards-growing
+ stack
+
+From: Helge Deller <deller@gmx.de>
+
+[ Upstream commit 9cc2fa4f4a92ccc6760d764e7341be46ee8aaaa1 ]
+
+The function end_of_stack() returns a pointer to the last entry of a
+stack. For architectures like parisc where the stack grows upwards
+return the pointer to the highest address in the stack.
+
+Without this change I faced a crash on parisc, because the stackleak
+functionality wrote STACKLEAK_POISON to the lowest address and thus
+overwrote the first 4 bytes of the task_struct which included the
+TIF_FLAGS.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/sched/task_stack.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/include/linux/sched/task_stack.h b/include/linux/sched/task_stack.h
+index 2413427e439c7..d10150587d819 100644
+--- a/include/linux/sched/task_stack.h
++++ b/include/linux/sched/task_stack.h
+@@ -25,7 +25,11 @@ static inline void *task_stack_page(const struct task_struct *task)
+
+ static inline unsigned long *end_of_stack(const struct task_struct *task)
+ {
++#ifdef CONFIG_STACK_GROWSUP
++ return (unsigned long *)((unsigned long)task->stack + THREAD_SIZE) - 1;
++#else
+ return task->stack;
++#endif
+ }
+
+ #elif !defined(__HAVE_THREAD_FUNCTIONS)
+--
+2.33.0
+
--- /dev/null
+From 2e16ebaa6d457f769f360b8ab0ead62abb35bd84 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Oct 2021 10:59:03 +1100
+Subject: tcp: don't free a FIN sk_buff in tcp_remove_empty_skb()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jon Maxwell <jmaxwell37@gmail.com>
+
+[ Upstream commit cf12e6f9124629b18a6182deefc0315f0a73a199 ]
+
+v1: Implement a more general statement as recommended by Eric Dumazet. The
+sequence number will be advanced, so this check will fix the FIN case and
+other cases.
+
+A customer reported sockets stuck in the CLOSING state. A Vmcore revealed that
+the write_queue was not empty as determined by tcp_write_queue_empty() but the
+sk_buff containing the FIN flag had been freed and the socket was zombied in
+that state. Corresponding pcaps show no FIN from the Linux kernel on the wire.
+
+Some instrumentation was added to the kernel and it was found that there is a
+timing window where tcp_sendmsg() can run after tcp_send_fin().
+
+tcp_sendmsg() will hit an error, for example:
+
+1269 ▹ if (sk->sk_err || (sk->sk_shutdown & SEND_SHUTDOWN))↩
+1270 ▹ ▹ goto do_error;↩
+
+tcp_remove_empty_skb() will then free the FIN sk_buff as "skb->len == 0". The
+TCP socket is now wedged in the FIN-WAIT-1 state because the FIN is never sent.
+
+If the other side sends a FIN packet the socket will transition to CLOSING and
+remain that way until the system is rebooted.
+
+Fix this by checking for the FIN flag in the sk_buff and don't free it if that
+is the case. Testing confirmed that fixed the issue.
+
+Fixes: fdfc5c8594c2 ("tcp: remove empty skb from write queue in error cases")
+Signed-off-by: Jon Maxwell <jmaxwell37@gmail.com>
+Reported-by: Monir Zouaoui <Monir.Zouaoui@mail.schwarz>
+Reported-by: Simon Stier <simon.stier@mail.schwarz>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 65eb0a523e3f5..e8aca226c4ae3 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -956,7 +956,7 @@ int tcp_send_mss(struct sock *sk, int *size_goal, int flags)
+ */
+ static void tcp_remove_empty_skb(struct sock *sk, struct sk_buff *skb)
+ {
+- if (skb && !skb->len) {
++ if (skb && TCP_SKB_CB(skb)->seq == TCP_SKB_CB(skb)->end_seq) {
+ tcp_unlink_write_queue(skb, sk);
+ if (tcp_write_queue_empty(sk))
+ tcp_chrono_stop(sk, TCP_CHRONO_BUSY);
+--
+2.33.0
+
--- /dev/null
+From 451115004174eb2061b20345dfbe7227dabd017d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Oct 2021 06:41:26 -0700
+Subject: tcp: switch orphan_count to bare per-cpu counters
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 19757cebf0c5016a1f36f7fe9810a9f0b33c0832 ]
+
+Use of percpu_counter structure to track count of orphaned
+sockets is causing problems on modern hosts with 256 cpus
+or more.
+
+Stefan Bach reported a serious spinlock contention in real workloads,
+that I was able to reproduce with a netfilter rule dropping
+incoming FIN packets.
+
+ 53.56% server [kernel.kallsyms] [k] queued_spin_lock_slowpath
+ |
+ ---queued_spin_lock_slowpath
+ |
+ --53.51%--_raw_spin_lock_irqsave
+ |
+ --53.51%--__percpu_counter_sum
+ tcp_check_oom
+ |
+ |--39.03%--__tcp_close
+ | tcp_close
+ | inet_release
+ | inet6_release
+ | sock_close
+ | __fput
+ | ____fput
+ | task_work_run
+ | exit_to_usermode_loop
+ | do_syscall_64
+ | entry_SYSCALL_64_after_hwframe
+ | __GI___libc_close
+ |
+ --14.48%--tcp_out_of_resources
+ tcp_write_timeout
+ tcp_retransmit_timer
+ tcp_write_timer_handler
+ tcp_write_timer
+ call_timer_fn
+ expire_timers
+ __run_timers
+ run_timer_softirq
+ __softirqentry_text_start
+
+As explained in commit cf86a086a180 ("net/dst: use a smaller percpu_counter
+batch for dst entries accounting"), default batch size is too big
+for the default value of tcp_max_orphans (262144).
+
+But even if we reduce batch sizes, there would still be cases
+where the estimated count of orphans is beyond the limit,
+and where tcp_too_many_orphans() has to call the expensive
+percpu_counter_sum_positive().
+
+One solution is to use plain per-cpu counters, and have
+a timer to periodically refresh this cache.
+
+Updating this cache every 100ms seems about right, tcp pressure
+state is not radically changing over shorter periods.
+
+percpu_counter was nice 15 years ago while hosts had less
+than 16 cpus, not anymore by current standards.
+
+v2: Fix the build issue for CONFIG_CRYPTO_DEV_CHELSIO_TLS=m,
+ reported by kernel test robot <lkp@intel.com>
+ Remove unused socket argument from tcp_too_many_orphans()
+
+Fixes: dd24c00191d5 ("net: Use a percpu_counter for orphan_count")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Stefan Bach <sfb@google.com>
+Cc: Neal Cardwell <ncardwell@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../chelsio/inline_crypto/chtls/chtls_cm.c | 2 +-
+ .../chelsio/inline_crypto/chtls/chtls_cm.h | 2 +-
+ include/net/inet_connection_sock.h | 2 +-
+ include/net/sock.h | 2 +-
+ include/net/tcp.h | 17 ++-------
+ net/dccp/dccp.h | 2 +-
+ net/dccp/proto.c | 14 ++-----
+ net/ipv4/inet_connection_sock.c | 4 +-
+ net/ipv4/inet_hashtables.c | 2 +-
+ net/ipv4/proc.c | 2 +-
+ net/ipv4/tcp.c | 38 ++++++++++++++++---
+ 11 files changed, 49 insertions(+), 38 deletions(-)
+
+diff --git a/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.c b/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.c
+index a262c949ed76b..d6b6ebb3f1ec7 100644
+--- a/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.c
++++ b/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.c
+@@ -870,7 +870,7 @@ static void do_abort_syn_rcv(struct sock *child, struct sock *parent)
+ * created only after 3 way handshake is done.
+ */
+ sock_orphan(child);
+- percpu_counter_inc((child)->sk_prot->orphan_count);
++ INC_ORPHAN_COUNT(child);
+ chtls_release_resources(child);
+ chtls_conn_done(child);
+ } else {
+diff --git a/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.h b/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.h
+index b1161bdeda4dc..f61ca657601ca 100644
+--- a/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.h
++++ b/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.h
+@@ -95,7 +95,7 @@ struct deferred_skb_cb {
+ #define WSCALE_OK(tp) ((tp)->rx_opt.wscale_ok)
+ #define TSTAMP_OK(tp) ((tp)->rx_opt.tstamp_ok)
+ #define SACK_OK(tp) ((tp)->rx_opt.sack_ok)
+-#define INC_ORPHAN_COUNT(sk) percpu_counter_inc((sk)->sk_prot->orphan_count)
++#define INC_ORPHAN_COUNT(sk) this_cpu_inc(*(sk)->sk_prot->orphan_count)
+
+ /* TLS SKB */
+ #define skb_ulp_tls_inline(skb) (ULP_SKB_CB(skb)->ulp.tls.ofld)
+diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h
+index aa92af3dd444d..0b1864a82d4ad 100644
+--- a/include/net/inet_connection_sock.h
++++ b/include/net/inet_connection_sock.h
+@@ -291,7 +291,7 @@ static inline void inet_csk_prepare_for_destroy_sock(struct sock *sk)
+ {
+ /* The below has to be done to allow calling inet_csk_destroy_sock */
+ sock_set_flag(sk, SOCK_DEAD);
+- percpu_counter_inc(sk->sk_prot->orphan_count);
++ this_cpu_inc(*sk->sk_prot->orphan_count);
+ }
+
+ void inet_csk_destroy_sock(struct sock *sk);
+diff --git a/include/net/sock.h b/include/net/sock.h
+index cdca984f36305..6270d1d9436b0 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -1214,7 +1214,7 @@ struct proto {
+ unsigned int useroffset; /* Usercopy region offset */
+ unsigned int usersize; /* Usercopy region size */
+
+- struct percpu_counter *orphan_count;
++ unsigned int __percpu *orphan_count;
+
+ struct request_sock_ops *rsk_prot;
+ struct timewait_sock_ops *twsk_prot;
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index eff611da5780b..334b8d1b54429 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -48,7 +48,9 @@
+
+ extern struct inet_hashinfo tcp_hashinfo;
+
+-extern struct percpu_counter tcp_orphan_count;
++DECLARE_PER_CPU(unsigned int, tcp_orphan_count);
++int tcp_orphan_count_sum(void);
++
+ void tcp_time_wait(struct sock *sk, int state, int timeo);
+
+ #define MAX_TCP_HEADER L1_CACHE_ALIGN(128 + MAX_HEADER)
+@@ -290,19 +292,6 @@ static inline bool tcp_out_of_memory(struct sock *sk)
+
+ void sk_forced_mem_schedule(struct sock *sk, int size);
+
+-static inline bool tcp_too_many_orphans(struct sock *sk, int shift)
+-{
+- struct percpu_counter *ocp = sk->sk_prot->orphan_count;
+- int orphans = percpu_counter_read_positive(ocp);
+-
+- if (orphans << shift > sysctl_tcp_max_orphans) {
+- orphans = percpu_counter_sum_positive(ocp);
+- if (orphans << shift > sysctl_tcp_max_orphans)
+- return true;
+- }
+- return false;
+-}
+-
+ bool tcp_check_oom(struct sock *sk, int shift);
+
+
+diff --git a/net/dccp/dccp.h b/net/dccp/dccp.h
+index c5c1d2b8045e8..5183e627468d8 100644
+--- a/net/dccp/dccp.h
++++ b/net/dccp/dccp.h
+@@ -48,7 +48,7 @@ extern bool dccp_debug;
+
+ extern struct inet_hashinfo dccp_hashinfo;
+
+-extern struct percpu_counter dccp_orphan_count;
++DECLARE_PER_CPU(unsigned int, dccp_orphan_count);
+
+ void dccp_time_wait(struct sock *sk, int state, int timeo);
+
+diff --git a/net/dccp/proto.c b/net/dccp/proto.c
+index 6d705d90c6149..548cf0135647d 100644
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -42,8 +42,8 @@ DEFINE_SNMP_STAT(struct dccp_mib, dccp_statistics) __read_mostly;
+
+ EXPORT_SYMBOL_GPL(dccp_statistics);
+
+-struct percpu_counter dccp_orphan_count;
+-EXPORT_SYMBOL_GPL(dccp_orphan_count);
++DEFINE_PER_CPU(unsigned int, dccp_orphan_count);
++EXPORT_PER_CPU_SYMBOL_GPL(dccp_orphan_count);
+
+ struct inet_hashinfo dccp_hashinfo;
+ EXPORT_SYMBOL_GPL(dccp_hashinfo);
+@@ -1055,7 +1055,7 @@ adjudge_to_death:
+ bh_lock_sock(sk);
+ WARN_ON(sock_owned_by_user(sk));
+
+- percpu_counter_inc(sk->sk_prot->orphan_count);
++ this_cpu_inc(dccp_orphan_count);
+
+ /* Have we already been destroyed by a softirq or backlog? */
+ if (state != DCCP_CLOSED && sk->sk_state == DCCP_CLOSED)
+@@ -1115,13 +1115,10 @@ static int __init dccp_init(void)
+
+ BUILD_BUG_ON(sizeof(struct dccp_skb_cb) >
+ sizeof_field(struct sk_buff, cb));
+- rc = percpu_counter_init(&dccp_orphan_count, 0, GFP_KERNEL);
+- if (rc)
+- goto out_fail;
+ inet_hashinfo_init(&dccp_hashinfo);
+ rc = inet_hashinfo2_init_mod(&dccp_hashinfo);
+ if (rc)
+- goto out_free_percpu;
++ goto out_fail;
+ rc = -ENOBUFS;
+ dccp_hashinfo.bind_bucket_cachep =
+ kmem_cache_create("dccp_bind_bucket",
+@@ -1226,8 +1223,6 @@ out_free_bind_bucket_cachep:
+ kmem_cache_destroy(dccp_hashinfo.bind_bucket_cachep);
+ out_free_hashinfo2:
+ inet_hashinfo2_free_mod(&dccp_hashinfo);
+-out_free_percpu:
+- percpu_counter_destroy(&dccp_orphan_count);
+ out_fail:
+ dccp_hashinfo.bhash = NULL;
+ dccp_hashinfo.ehash = NULL;
+@@ -1250,7 +1245,6 @@ static void __exit dccp_fini(void)
+ dccp_ackvec_exit();
+ dccp_sysctl_exit();
+ inet_hashinfo2_free_mod(&dccp_hashinfo);
+- percpu_counter_destroy(&dccp_orphan_count);
+ }
+
+ module_init(dccp_init);
+diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
+index 1dfa561e8f981..addd595bb3fe6 100644
+--- a/net/ipv4/inet_connection_sock.c
++++ b/net/ipv4/inet_connection_sock.c
+@@ -892,7 +892,7 @@ void inet_csk_destroy_sock(struct sock *sk)
+
+ sk_refcnt_debug_release(sk);
+
+- percpu_counter_dec(sk->sk_prot->orphan_count);
++ this_cpu_dec(*sk->sk_prot->orphan_count);
+
+ sock_put(sk);
+ }
+@@ -951,7 +951,7 @@ static void inet_child_forget(struct sock *sk, struct request_sock *req,
+
+ sock_orphan(child);
+
+- percpu_counter_inc(sk->sk_prot->orphan_count);
++ this_cpu_inc(*sk->sk_prot->orphan_count);
+
+ if (sk->sk_protocol == IPPROTO_TCP && tcp_rsk(req)->tfo_listener) {
+ BUG_ON(rcu_access_pointer(tcp_sk(child)->fastopen_rsk) != req);
+diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
+index f3fd5c911ed09..e093847c334da 100644
+--- a/net/ipv4/inet_hashtables.c
++++ b/net/ipv4/inet_hashtables.c
+@@ -598,7 +598,7 @@ bool inet_ehash_nolisten(struct sock *sk, struct sock *osk, bool *found_dup_sk)
+ if (ok) {
+ sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
+ } else {
+- percpu_counter_inc(sk->sk_prot->orphan_count);
++ this_cpu_inc(*sk->sk_prot->orphan_count);
+ inet_sk_set_state(sk, TCP_CLOSE);
+ sock_set_flag(sk, SOCK_DEAD);
+ inet_csk_destroy_sock(sk);
+diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c
+index 8d5e1695b9aa8..80d13d8f982dc 100644
+--- a/net/ipv4/proc.c
++++ b/net/ipv4/proc.c
+@@ -53,7 +53,7 @@ static int sockstat_seq_show(struct seq_file *seq, void *v)
+ struct net *net = seq->private;
+ int orphans, sockets;
+
+- orphans = percpu_counter_sum_positive(&tcp_orphan_count);
++ orphans = tcp_orphan_count_sum();
+ sockets = proto_sockets_allocated_sum_positive(&tcp_prot);
+
+ socket_seq_show(seq);
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 54230852e5f95..65eb0a523e3f5 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -280,8 +280,8 @@
+ #include <asm/ioctls.h>
+ #include <net/busy_poll.h>
+
+-struct percpu_counter tcp_orphan_count;
+-EXPORT_SYMBOL_GPL(tcp_orphan_count);
++DEFINE_PER_CPU(unsigned int, tcp_orphan_count);
++EXPORT_PER_CPU_SYMBOL_GPL(tcp_orphan_count);
+
+ long sysctl_tcp_mem[3] __read_mostly;
+ EXPORT_SYMBOL(sysctl_tcp_mem);
+@@ -2394,11 +2394,36 @@ void tcp_shutdown(struct sock *sk, int how)
+ }
+ EXPORT_SYMBOL(tcp_shutdown);
+
++int tcp_orphan_count_sum(void)
++{
++ int i, total = 0;
++
++ for_each_possible_cpu(i)
++ total += per_cpu(tcp_orphan_count, i);
++
++ return max(total, 0);
++}
++
++static int tcp_orphan_cache;
++static struct timer_list tcp_orphan_timer;
++#define TCP_ORPHAN_TIMER_PERIOD msecs_to_jiffies(100)
++
++static void tcp_orphan_update(struct timer_list *unused)
++{
++ WRITE_ONCE(tcp_orphan_cache, tcp_orphan_count_sum());
++ mod_timer(&tcp_orphan_timer, jiffies + TCP_ORPHAN_TIMER_PERIOD);
++}
++
++static bool tcp_too_many_orphans(int shift)
++{
++ return READ_ONCE(tcp_orphan_cache) << shift > sysctl_tcp_max_orphans;
++}
++
+ bool tcp_check_oom(struct sock *sk, int shift)
+ {
+ bool too_many_orphans, out_of_socket_memory;
+
+- too_many_orphans = tcp_too_many_orphans(sk, shift);
++ too_many_orphans = tcp_too_many_orphans(shift);
+ out_of_socket_memory = tcp_out_of_memory(sk);
+
+ if (too_many_orphans)
+@@ -2508,7 +2533,7 @@ adjudge_to_death:
+ /* remove backlog if any, without releasing ownership. */
+ __release_sock(sk);
+
+- percpu_counter_inc(sk->sk_prot->orphan_count);
++ this_cpu_inc(tcp_orphan_count);
+
+ /* Have we already been destroyed by a softirq or backlog? */
+ if (state != TCP_CLOSE && sk->sk_state == TCP_CLOSE)
+@@ -4145,7 +4170,10 @@ void __init tcp_init(void)
+ sizeof_field(struct sk_buff, cb));
+
+ percpu_counter_init(&tcp_sockets_allocated, 0, GFP_KERNEL);
+- percpu_counter_init(&tcp_orphan_count, 0, GFP_KERNEL);
++
++ timer_setup(&tcp_orphan_timer, tcp_orphan_update, TIMER_DEFERRABLE);
++ mod_timer(&tcp_orphan_timer, jiffies + TCP_ORPHAN_TIMER_PERIOD);
++
+ inet_hashinfo_init(&tcp_hashinfo);
+ inet_hashinfo2_init(&tcp_hashinfo, "tcp_listen_portaddr_hash",
+ thash_entries, 21, /* one slot per 2 MB*/
+--
+2.33.0
+
--- /dev/null
+From af651b963c8a2f5c63b1e5f854b453d703b39bcc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Sep 2021 02:26:06 -0700
+Subject: tpm: fix Atmel TPM crash caused by too frequent queries
+
+From: Hao Wu <hao.wu@rubrik.com>
+
+[ Upstream commit 79ca6f74dae067681a779fd573c2eb59649989bc ]
+
+The Atmel TPM 1.2 chips crash with error
+`tpm_try_transmit: send(): error -62` since kernel 4.14.
+It is observed from the kernel log after running `tpm_sealdata -z`.
+The error thrown from the command is as follows
+```
+$ tpm_sealdata -z
+Tspi_Key_LoadKey failed: 0x00001087 - layer=tddl,
+code=0087 (135), I/O error
+```
+
+The issue was reproduced with the following Atmel TPM chip:
+```
+$ tpm_version
+T0 TPM 1.2 Version Info:
+ Chip Version: 1.2.66.1
+ Spec Level: 2
+ Errata Revision: 3
+ TPM Vendor ID: ATML
+ TPM Version: 01010000
+ Manufacturer Info: 41544d4c
+```
+
+The root cause of the issue is due to the TPM calls to msleep()
+were replaced with usleep_range() [1], which reduces
+the actual timeout. Via experiments, it is observed that
+the original msleep(5) actually sleeps for 15ms.
+Because of a known timeout issue in Atmel TPM 1.2 chip,
+the shorter timeout than 15ms can cause the error described above.
+
+A few further changes in kernel 4.16 [2] and 4.18 [3, 4] further
+reduced the timeout to less than 1ms. With experiments,
+the problematic timeout in the latest kernel is the one
+for `wait_for_tpm_stat`.
+
+To fix it, the patch reverts the timeout of `wait_for_tpm_stat`
+to 15ms for all Atmel TPM 1.2 chips, but leave it untouched
+for Ateml TPM 2.0 chip, and chips from other vendors.
+As explained above, the chosen 15ms timeout is
+the actual timeout before this issue introduced,
+thus the old value is used here.
+Particularly, TPM_ATML_TIMEOUT_WAIT_STAT_MIN is set to 14700us,
+TPM_ATML_TIMEOUT_WAIT_STAT_MIN is set to 15000us according to
+the existing TPM_TIMEOUT_RANGE_US (300us).
+The fixed has been tested in the system with the affected Atmel chip
+with no issues observed after boot up.
+
+References:
+[1] 9f3fc7bcddcb tpm: replace msleep() with usleep_range() in TPM
+1.2/2.0 generic drivers
+[2] cf151a9a44d5 tpm: reduce tpm polling delay in tpm_tis_core
+[3] 59f5a6b07f64 tpm: reduce poll sleep time in tpm_transmit()
+[4] 424eaf910c32 tpm: reduce polling time to usecs for even finer
+granularity
+
+Fixes: 9f3fc7bcddcb ("tpm: replace msleep() with usleep_range() in TPM 1.2/2.0 generic drivers")
+Link: https://patchwork.kernel.org/project/linux-integrity/patch/20200926223150.109645-1-hao.wu@rubrik.com/
+Signed-off-by: Hao Wu <hao.wu@rubrik.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/tpm/tpm_tis_core.c | 26 ++++++++++++++++++--------
+ drivers/char/tpm/tpm_tis_core.h | 4 ++++
+ include/linux/tpm.h | 1 +
+ 3 files changed, 23 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c
+index 69579efb247b3..b2659a4c40168 100644
+--- a/drivers/char/tpm/tpm_tis_core.c
++++ b/drivers/char/tpm/tpm_tis_core.c
+@@ -48,6 +48,7 @@ static int wait_for_tpm_stat(struct tpm_chip *chip, u8 mask,
+ unsigned long timeout, wait_queue_head_t *queue,
+ bool check_cancel)
+ {
++ struct tpm_tis_data *priv = dev_get_drvdata(&chip->dev);
+ unsigned long stop;
+ long rc;
+ u8 status;
+@@ -80,8 +81,8 @@ again:
+ }
+ } else {
+ do {
+- usleep_range(TPM_TIMEOUT_USECS_MIN,
+- TPM_TIMEOUT_USECS_MAX);
++ usleep_range(priv->timeout_min,
++ priv->timeout_max);
+ status = chip->ops->status(chip);
+ if ((status & mask) == mask)
+ return 0;
+@@ -945,7 +946,22 @@ int tpm_tis_core_init(struct device *dev, struct tpm_tis_data *priv, int irq,
+ chip->timeout_b = msecs_to_jiffies(TIS_TIMEOUT_B_MAX);
+ chip->timeout_c = msecs_to_jiffies(TIS_TIMEOUT_C_MAX);
+ chip->timeout_d = msecs_to_jiffies(TIS_TIMEOUT_D_MAX);
++ priv->timeout_min = TPM_TIMEOUT_USECS_MIN;
++ priv->timeout_max = TPM_TIMEOUT_USECS_MAX;
+ priv->phy_ops = phy_ops;
++
++ rc = tpm_tis_read32(priv, TPM_DID_VID(0), &vendor);
++ if (rc < 0)
++ goto out_err;
++
++ priv->manufacturer_id = vendor;
++
++ if (priv->manufacturer_id == TPM_VID_ATML &&
++ !(chip->flags & TPM_CHIP_FLAG_TPM2)) {
++ priv->timeout_min = TIS_TIMEOUT_MIN_ATML;
++ priv->timeout_max = TIS_TIMEOUT_MAX_ATML;
++ }
++
+ dev_set_drvdata(&chip->dev, priv);
+
+ if (is_bsw()) {
+@@ -988,12 +1004,6 @@ int tpm_tis_core_init(struct device *dev, struct tpm_tis_data *priv, int irq,
+ if (rc)
+ goto out_err;
+
+- rc = tpm_tis_read32(priv, TPM_DID_VID(0), &vendor);
+- if (rc < 0)
+- goto out_err;
+-
+- priv->manufacturer_id = vendor;
+-
+ rc = tpm_tis_read8(priv, TPM_RID(0), &rid);
+ if (rc < 0)
+ goto out_err;
+diff --git a/drivers/char/tpm/tpm_tis_core.h b/drivers/char/tpm/tpm_tis_core.h
+index b2a3c6c72882d..3be24f221e32a 100644
+--- a/drivers/char/tpm/tpm_tis_core.h
++++ b/drivers/char/tpm/tpm_tis_core.h
+@@ -54,6 +54,8 @@ enum tis_defaults {
+ TIS_MEM_LEN = 0x5000,
+ TIS_SHORT_TIMEOUT = 750, /* ms */
+ TIS_LONG_TIMEOUT = 2000, /* 2 sec */
++ TIS_TIMEOUT_MIN_ATML = 14700, /* usecs */
++ TIS_TIMEOUT_MAX_ATML = 15000, /* usecs */
+ };
+
+ /* Some timeout values are needed before it is known whether the chip is
+@@ -98,6 +100,8 @@ struct tpm_tis_data {
+ wait_queue_head_t read_queue;
+ const struct tpm_tis_phy_ops *phy_ops;
+ unsigned short rng_quality;
++ unsigned int timeout_min; /* usecs */
++ unsigned int timeout_max; /* usecs */
+ };
+
+ struct tpm_tis_phy_ops {
+diff --git a/include/linux/tpm.h b/include/linux/tpm.h
+index 804a3f69bbd93..95c3069823f9b 100644
+--- a/include/linux/tpm.h
++++ b/include/linux/tpm.h
+@@ -262,6 +262,7 @@ enum tpm2_cc_attrs {
+ #define TPM_VID_INTEL 0x8086
+ #define TPM_VID_WINBOND 0x1050
+ #define TPM_VID_STM 0x104A
++#define TPM_VID_ATML 0x1114
+
+ enum tpm_chip_flags {
+ TPM_CHIP_FLAG_TPM2 = BIT(1),
+--
+2.33.0
+
--- /dev/null
+From 4f73dc3a9dc730a598f9e1c32940219a5c7080cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Sep 2021 15:41:11 +0100
+Subject: tpm_tis_spi: Add missing SPI ID
+
+From: Mark Brown <broonie@kernel.org>
+
+[ Upstream commit 7eba41fe8c7bb01ff3d4b757bd622375792bc720 ]
+
+In commit c46ed2281bbe ("tpm_tis_spi: add missing SPI device ID entries")
+we added SPI IDs for all the DT aliases to handle the fact that we always
+use SPI modaliases to load modules even when probed via DT however the
+mentioned commit missed that the SPI and OF device ID entries did not
+match and were different and so DT nodes with compatible
+"tcg,tpm_tis-spi" will not match. Add an extra ID for tpm_tis-spi
+rather than just fix the existing one since what's currently there is
+going to be better for anyone actually using SPI IDs to instantiate.
+
+Fixes: c46ed2281bbe ("tpm_tis_spi: add missing SPI device ID entries")
+Fixes: 96c8395e2166 ("spi: Revert modalias changes")
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/tpm/tpm_tis_spi_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/char/tpm/tpm_tis_spi_main.c b/drivers/char/tpm/tpm_tis_spi_main.c
+index de4209003a448..d64bea3298a29 100644
+--- a/drivers/char/tpm/tpm_tis_spi_main.c
++++ b/drivers/char/tpm/tpm_tis_spi_main.c
+@@ -263,6 +263,7 @@ static const struct spi_device_id tpm_tis_spi_id[] = {
+ { "st33htpm-spi", (unsigned long)tpm_tis_spi_probe },
+ { "slb9670", (unsigned long)tpm_tis_spi_probe },
+ { "tpm_tis_spi", (unsigned long)tpm_tis_spi_probe },
++ { "tpm_tis-spi", (unsigned long)tpm_tis_spi_probe },
+ { "cr50", (unsigned long)cr50_spi_probe },
+ {}
+ };
+--
+2.33.0
+
--- /dev/null
+From 9a4d8848c98140038ec9d63a7dc0d208b1c5644c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Aug 2021 11:24:50 -0400
+Subject: tracefs: Have tracefs directories not set OTH permission bits by
+ default
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+[ Upstream commit 49d67e445742bbcb03106b735b2ab39f6e5c56bc ]
+
+The tracefs file system is by default mounted such that only root user can
+access it. But there are legitimate reasons to create a group and allow
+those added to the group to have access to tracing. By changing the
+permissions of the tracefs mount point to allow access, it will allow
+group access to the tracefs directory.
+
+There should not be any real reason to allow all access to the tracefs
+directory as it contains sensitive information. Have the default
+permission of directories being created not have any OTH (other) bits set,
+such that an admin that wants to give permission to a group has to first
+disable all OTH bits in the file system.
+
+Link: https://lkml.kernel.org/r/20210818153038.664127804@goodmis.org
+
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/tracefs/inode.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/tracefs/inode.c b/fs/tracefs/inode.c
+index 0ee8c6dfb0364..bf58ae6f984fe 100644
+--- a/fs/tracefs/inode.c
++++ b/fs/tracefs/inode.c
+@@ -430,7 +430,8 @@ static struct dentry *__create_dir(const char *name, struct dentry *parent,
+ if (unlikely(!inode))
+ return failed_creating(dentry);
+
+- inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;
++ /* Do not set bits for OTH */
++ inode->i_mode = S_IFDIR | S_IRWXU | S_IRUSR| S_IRGRP | S_IXUSR | S_IXGRP;
+ inode->i_op = ops;
+ inode->i_fop = &simple_dir_operations;
+
+--
+2.33.0
+
--- /dev/null
+From 8fb0ecb67a003a2619989f931347dc7199afe007 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Oct 2021 21:52:17 -0700
+Subject: tracing/cfi: Fix cmp_entries_* functions signature mismatch
+
+From: Kalesh Singh <kaleshsingh@google.com>
+
+[ Upstream commit 7ce1bb83a14019f8c396d57ec704d19478747716 ]
+
+If CONFIG_CFI_CLANG=y, attempting to read an event histogram will cause
+the kernel to panic due to failed CFI check.
+
+ 1. echo 'hist:keys=common_pid' >> events/sched/sched_switch/trigger
+ 2. cat events/sched/sched_switch/hist
+ 3. kernel panics on attempting to read hist
+
+This happens because the sort() function expects a generic
+int (*)(const void *, const void *) pointer for the compare function.
+To prevent this CFI failure, change tracing map cmp_entries_* function
+signatures to match this.
+
+Also, fix the build error reported by the kernel test robot [1].
+
+[1] https://lore.kernel.org/r/202110141140.zzi4dRh4-lkp@intel.com/
+
+Link: https://lkml.kernel.org/r/20211014045217.3265162-1-kaleshsingh@google.com
+
+Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/tracing_map.c | 40 ++++++++++++++++++++++----------------
+ 1 file changed, 23 insertions(+), 17 deletions(-)
+
+diff --git a/kernel/trace/tracing_map.c b/kernel/trace/tracing_map.c
+index 4b50fc0cb12c7..d63e51dde0d24 100644
+--- a/kernel/trace/tracing_map.c
++++ b/kernel/trace/tracing_map.c
+@@ -834,29 +834,35 @@ int tracing_map_init(struct tracing_map *map)
+ return err;
+ }
+
+-static int cmp_entries_dup(const struct tracing_map_sort_entry **a,
+- const struct tracing_map_sort_entry **b)
++static int cmp_entries_dup(const void *A, const void *B)
+ {
++ const struct tracing_map_sort_entry *a, *b;
+ int ret = 0;
+
+- if (memcmp((*a)->key, (*b)->key, (*a)->elt->map->key_size))
++ a = *(const struct tracing_map_sort_entry **)A;
++ b = *(const struct tracing_map_sort_entry **)B;
++
++ if (memcmp(a->key, b->key, a->elt->map->key_size))
+ ret = 1;
+
+ return ret;
+ }
+
+-static int cmp_entries_sum(const struct tracing_map_sort_entry **a,
+- const struct tracing_map_sort_entry **b)
++static int cmp_entries_sum(const void *A, const void *B)
+ {
+ const struct tracing_map_elt *elt_a, *elt_b;
++ const struct tracing_map_sort_entry *a, *b;
+ struct tracing_map_sort_key *sort_key;
+ struct tracing_map_field *field;
+ tracing_map_cmp_fn_t cmp_fn;
+ void *val_a, *val_b;
+ int ret = 0;
+
+- elt_a = (*a)->elt;
+- elt_b = (*b)->elt;
++ a = *(const struct tracing_map_sort_entry **)A;
++ b = *(const struct tracing_map_sort_entry **)B;
++
++ elt_a = a->elt;
++ elt_b = b->elt;
+
+ sort_key = &elt_a->map->sort_key;
+
+@@ -873,18 +879,21 @@ static int cmp_entries_sum(const struct tracing_map_sort_entry **a,
+ return ret;
+ }
+
+-static int cmp_entries_key(const struct tracing_map_sort_entry **a,
+- const struct tracing_map_sort_entry **b)
++static int cmp_entries_key(const void *A, const void *B)
+ {
+ const struct tracing_map_elt *elt_a, *elt_b;
++ const struct tracing_map_sort_entry *a, *b;
+ struct tracing_map_sort_key *sort_key;
+ struct tracing_map_field *field;
+ tracing_map_cmp_fn_t cmp_fn;
+ void *val_a, *val_b;
+ int ret = 0;
+
+- elt_a = (*a)->elt;
+- elt_b = (*b)->elt;
++ a = *(const struct tracing_map_sort_entry **)A;
++ b = *(const struct tracing_map_sort_entry **)B;
++
++ elt_a = a->elt;
++ elt_b = b->elt;
+
+ sort_key = &elt_a->map->sort_key;
+
+@@ -989,10 +998,8 @@ static void sort_secondary(struct tracing_map *map,
+ struct tracing_map_sort_key *primary_key,
+ struct tracing_map_sort_key *secondary_key)
+ {
+- int (*primary_fn)(const struct tracing_map_sort_entry **,
+- const struct tracing_map_sort_entry **);
+- int (*secondary_fn)(const struct tracing_map_sort_entry **,
+- const struct tracing_map_sort_entry **);
++ int (*primary_fn)(const void *, const void *);
++ int (*secondary_fn)(const void *, const void *);
+ unsigned i, start = 0, n_sub = 1;
+
+ if (is_key(map, primary_key->field_idx))
+@@ -1061,8 +1068,7 @@ int tracing_map_sort_entries(struct tracing_map *map,
+ unsigned int n_sort_keys,
+ struct tracing_map_sort_entry ***sort_entries)
+ {
+- int (*cmp_entries_fn)(const struct tracing_map_sort_entry **,
+- const struct tracing_map_sort_entry **);
++ int (*cmp_entries_fn)(const void *, const void *);
+ struct tracing_map_sort_entry *sort_entry, **entries;
+ int i, n_entries, ret;
+
+--
+2.33.0
+
--- /dev/null
+From 819eaacb617460cbcf2890d98d22255ed6211f56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Oct 2021 08:51:34 -0700
+Subject: udp6: allow SO_MARK ctrl msg to affect routing
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 42dcfd850e514b229d616a53dec06d0f2533217c ]
+
+Commit c6af0c227a22 ("ip: support SO_MARK cmsg")
+added propagation of SO_MARK from cmsg to skb->mark.
+For IPv4 and raw sockets the mark also affects route
+lookup, but in case of IPv6 the flow info is
+initialized before cmsg is parsed.
+
+Fixes: c6af0c227a22 ("ip: support SO_MARK cmsg")
+Reported-and-tested-by: Xintong Hu <huxintong@fb.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/udp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index bae6b51a9bd46..8a1863146f34c 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -1420,7 +1420,6 @@ do_udp_sendmsg:
+ if (!fl6.flowi6_oif)
+ fl6.flowi6_oif = np->sticky_pktinfo.ipi6_ifindex;
+
+- fl6.flowi6_mark = ipc6.sockc.mark;
+ fl6.flowi6_uid = sk->sk_uid;
+
+ if (msg->msg_controllen) {
+@@ -1456,6 +1455,7 @@ do_udp_sendmsg:
+ ipc6.opt = opt;
+
+ fl6.flowi6_proto = sk->sk_protocol;
++ fl6.flowi6_mark = ipc6.sockc.mark;
+ fl6.daddr = *daddr;
+ if (ipv6_addr_any(&fl6.saddr) && !ipv6_addr_any(&np->saddr))
+ fl6.saddr = np->saddr;
+--
+2.33.0
+
--- /dev/null
+From a1c85026dd4a741a4ec395e5aabed8f34fcc8ba8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Oct 2021 11:53:04 +0200
+Subject: usb: dwc2: drd: fix dwc2_drd_role_sw_set when clock could be disabled
+
+From: Amelie Delaunay <amelie.delaunay@foss.st.com>
+
+[ Upstream commit 8d387f61b0240854e81450c261beb775065bad5d ]
+
+In case of USB_DR_MODE_PERIPHERAL, the OTG clock is disabled at the end of
+the probe (it is not the case if USB_DR_MODE_HOST or USB_DR_MODE_OTG).
+The clock is then enabled on udc_start.
+If dwc2_drd_role_sw_set is called before udc_start (it is the case if the
+usb cable is plugged at boot), GOTGCTL and GUSBCFG registers cannot be
+read/written, so session cannot be overridden.
+To avoid this case, check the ll_hw_enabled value and enable the clock if
+it is available, and disable it after the override.
+
+Fixes: 17f934024e84 ("usb: dwc2: override PHY input signals with usb role switch support")
+Acked-by: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
+Signed-off-by: Amelie Delaunay <amelie.delaunay@foss.st.com>
+Link: https://lore.kernel.org/r/20211005095305.66397-3-amelie.delaunay@foss.st.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc2/drd.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/drivers/usb/dwc2/drd.c b/drivers/usb/dwc2/drd.c
+index 80eae88d76dda..99672360f34b0 100644
+--- a/drivers/usb/dwc2/drd.c
++++ b/drivers/usb/dwc2/drd.c
+@@ -7,6 +7,7 @@
+ * Author(s): Amelie Delaunay <amelie.delaunay@st.com>
+ */
+
++#include <linux/clk.h>
+ #include <linux/iopoll.h>
+ #include <linux/platform_device.h>
+ #include <linux/usb/role.h>
+@@ -86,6 +87,20 @@ static int dwc2_drd_role_sw_set(struct usb_role_switch *sw, enum usb_role role)
+ }
+ #endif
+
++ /*
++ * In case of USB_DR_MODE_PERIPHERAL, clock is disabled at the end of
++ * the probe and enabled on udc_start.
++ * If role-switch set is called before the udc_start, we need to enable
++ * the clock to read/write GOTGCTL and GUSBCFG registers to override
++ * mode and sessions. It is the case if cable is plugged at boot.
++ */
++ if (!hsotg->ll_hw_enabled && hsotg->clk) {
++ int ret = clk_prepare_enable(hsotg->clk);
++
++ if (ret)
++ return ret;
++ }
++
+ spin_lock_irqsave(&hsotg->lock, flags);
+
+ if (role == USB_ROLE_HOST) {
+@@ -110,6 +125,9 @@ static int dwc2_drd_role_sw_set(struct usb_role_switch *sw, enum usb_role role)
+ /* This will raise a Connector ID Status Change Interrupt */
+ dwc2_force_mode(hsotg, role == USB_ROLE_HOST);
+
++ if (!hsotg->ll_hw_enabled && hsotg->clk)
++ clk_disable_unprepare(hsotg->clk);
++
+ dev_dbg(hsotg->dev, "%s-session valid\n",
+ role == USB_ROLE_NONE ? "No" :
+ role == USB_ROLE_HOST ? "A" : "B");
+--
+2.33.0
+
--- /dev/null
+From ad8b94326b4177407c4ed9d598a536bab9e894e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Oct 2021 11:53:03 +0200
+Subject: usb: dwc2: drd: fix dwc2_force_mode call in dwc2_ovr_init
+
+From: Amelie Delaunay <amelie.delaunay@foss.st.com>
+
+[ Upstream commit b2cab2a24fb5d13ce1d384ecfb6de827fa08a048 ]
+
+Instead of forcing the role to Device, check the dr_mode configuration.
+If the core is Host only, force the mode to Host, this to avoid the
+dwc2_force_mode warning:
+WARNING: CPU: 1 PID: 21 at drivers/usb/dwc2/core.c:615 dwc2_drd_init+0x104/0x17c
+
+When forcing mode to Host, dwc2_force_mode may sleep the time the host
+role is applied. To avoid sleeping while atomic context, move the call
+to dwc2_force_mode after spin_unlock_irqrestore. It is safe, as
+interrupts are not yet unmasked here.
+
+Fixes: 17f934024e84 ("usb: dwc2: override PHY input signals with usb role switch support")
+Acked-by: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
+Signed-off-by: Amelie Delaunay <amelie.delaunay@foss.st.com>
+Link: https://lore.kernel.org/r/20211005095305.66397-2-amelie.delaunay@foss.st.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc2/drd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/dwc2/drd.c b/drivers/usb/dwc2/drd.c
+index 2d4176f5788eb..80eae88d76dda 100644
+--- a/drivers/usb/dwc2/drd.c
++++ b/drivers/usb/dwc2/drd.c
+@@ -25,9 +25,9 @@ static void dwc2_ovr_init(struct dwc2_hsotg *hsotg)
+ gotgctl &= ~(GOTGCTL_BVALOVAL | GOTGCTL_AVALOVAL | GOTGCTL_VBVALOVAL);
+ dwc2_writel(hsotg, gotgctl, GOTGCTL);
+
+- dwc2_force_mode(hsotg, false);
+-
+ spin_unlock_irqrestore(&hsotg->lock, flags);
++
++ dwc2_force_mode(hsotg, (hsotg->dr_mode == USB_DR_MODE_HOST));
+ }
+
+ static int dwc2_ovr_avalid(struct dwc2_hsotg *hsotg, bool valid)
+--
+2.33.0
+
--- /dev/null
+From dd18a729cd6a6bdb04ce7a44d72d0ebc56c736a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Oct 2021 11:53:05 +0200
+Subject: usb: dwc2: drd: reset current session before setting the new one
+
+From: Amelie Delaunay <amelie.delaunay@foss.st.com>
+
+[ Upstream commit 1ad707f559f7cb12c64f3d7cb37f0b1ea27c1058 ]
+
+If role is changed without the "none" step, A- and B- valid session could
+be set at the same time. It is an issue.
+This patch resets A-session if role switch sets B-session, and resets
+B-session if role switch sets A-session.
+Then, it is possible to change the role without the "none" step.
+
+Fixes: 17f934024e84 ("usb: dwc2: override PHY input signals with usb role switch support")
+Acked-by: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
+Signed-off-by: Amelie Delaunay <amelie.delaunay@foss.st.com>
+Link: https://lore.kernel.org/r/20211005095305.66397-4-amelie.delaunay@foss.st.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc2/drd.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/usb/dwc2/drd.c b/drivers/usb/dwc2/drd.c
+index 99672360f34b0..aa6eb76f64ddc 100644
+--- a/drivers/usb/dwc2/drd.c
++++ b/drivers/usb/dwc2/drd.c
+@@ -40,6 +40,7 @@ static int dwc2_ovr_avalid(struct dwc2_hsotg *hsotg, bool valid)
+ (!valid && !(gotgctl & GOTGCTL_ASESVLD)))
+ return -EALREADY;
+
++ gotgctl &= ~GOTGCTL_BVALOVAL;
+ if (valid)
+ gotgctl |= GOTGCTL_AVALOVAL | GOTGCTL_VBVALOVAL;
+ else
+@@ -58,6 +59,7 @@ static int dwc2_ovr_bvalid(struct dwc2_hsotg *hsotg, bool valid)
+ (!valid && !(gotgctl & GOTGCTL_BSESVLD)))
+ return -EALREADY;
+
++ gotgctl &= ~GOTGCTL_AVALOVAL;
+ if (valid)
+ gotgctl |= GOTGCTL_BVALOVAL | GOTGCTL_VBVALOVAL;
+ else
+--
+2.33.0
+
--- /dev/null
+From c92446c7982aa85a73383a47a1072bb6ba5df120 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Oct 2021 15:37:39 +0300
+Subject: usb: gadget: hid: fix error code in do_config()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 68e7c510fdf4f6167404609da52e1979165649f6 ]
+
+Return an error code if usb_get_function() fails. Don't return success.
+
+Fixes: 4bc8a33f2407 ("usb: gadget: hid: convert to new interface of f_hid")
+Acked-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/20211011123739.GC15188@kili
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/legacy/hid.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/legacy/hid.c b/drivers/usb/gadget/legacy/hid.c
+index 5b27d289443fe..3912cc805f3af 100644
+--- a/drivers/usb/gadget/legacy/hid.c
++++ b/drivers/usb/gadget/legacy/hid.c
+@@ -99,8 +99,10 @@ static int do_config(struct usb_configuration *c)
+
+ list_for_each_entry(e, &hidg_func_list, node) {
+ e->f = usb_get_function(e->fi);
+- if (IS_ERR(e->f))
++ if (IS_ERR(e->f)) {
++ status = PTR_ERR(e->f);
+ goto put;
++ }
+ status = usb_add_function(c, e->f);
+ if (status < 0) {
+ usb_put_function(e->f);
+--
+2.33.0
+
--- /dev/null
+From 46724892398f029e97ca72aa08ff5286b606e82f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Oct 2021 16:57:47 -0700
+Subject: usb: musb: select GENERIC_PHY instead of depending on it
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit fde1fbedbaed4e76cef4600d775b185f59b9b568 ]
+
+The kconfig symbol GENERIC_PHY says:
+ All the users of this framework should select this config.
+and around 136 out of 138 drivers do so, so change USB_MUSB_MEDIATEK
+to do so also.
+
+This (also) fixes a long circular dependency problem for an upcoming
+patch.
+
+Fixes: 0990366bab3c ("usb: musb: Add support for MediaTek musb controller")
+Cc: Bin Liu <b-liu@ti.com>
+Cc: Min Guo <min.guo@mediatek.com>
+Cc: Yonglong Wu <yonglong.wu@mediatek.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: linux-mediatek@lists.infradead.org
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Link: https://lore.kernel.org/r/20211005235747.5588-1-rdunlap@infradead.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/musb/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/musb/Kconfig b/drivers/usb/musb/Kconfig
+index 8de143807c1ae..4d61df6a9b5c8 100644
+--- a/drivers/usb/musb/Kconfig
++++ b/drivers/usb/musb/Kconfig
+@@ -120,7 +120,7 @@ config USB_MUSB_MEDIATEK
+ tristate "MediaTek platforms"
+ depends on ARCH_MEDIATEK || COMPILE_TEST
+ depends on NOP_USB_XCEIV
+- depends on GENERIC_PHY
++ select GENERIC_PHY
+ select USB_ROLE_SWITCH
+
+ comment "MUSB DMA mode"
+--
+2.33.0
+
--- /dev/null
+From be251f196f8e861fe3580fb2b9100165fc629eab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Oct 2021 18:36:09 -0700
+Subject: usb: typec: STUSB160X should select REGMAP_I2C
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 8ef1e58783b9f55daa4a865c7801dc75cbeb8260 ]
+
+REGMAP_I2C is not a user visible kconfig symbol so driver configs
+should not "depend on" it. They should depend on I2C and then
+select REGMAP_I2C.
+
+If this worked, it was only because some other driver had set/enabled
+REGMAP_I2C.
+
+Fixes: da0cb6310094 ("usb: typec: add support for STUSB160x Type-C controller family")
+Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Cc: Amelie Delaunay <amelie.delaunay@st.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: linux-usb@vger.kernel.org
+Reviewed-by: Amelie Delaunay <amelie.delaunay@foss.st.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Link: https://lore.kernel.org/r/20211015013609.7300-1-rdunlap@infradead.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/typec/Kconfig | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/typec/Kconfig b/drivers/usb/typec/Kconfig
+index e7f120874c483..0d953c6805f0f 100644
+--- a/drivers/usb/typec/Kconfig
++++ b/drivers/usb/typec/Kconfig
+@@ -75,9 +75,9 @@ config TYPEC_TPS6598X
+
+ config TYPEC_STUSB160X
+ tristate "STMicroelectronics STUSB160x Type-C controller driver"
+- depends on I2C
+- depends on REGMAP_I2C
+ depends on USB_ROLE_SWITCH || !USB_ROLE_SWITCH
++ depends on I2C
++ select REGMAP_I2C
+ help
+ Say Y or M here if your system has STMicroelectronics STUSB160x
+ Type-C port controller.
+--
+2.33.0
+
--- /dev/null
+From 9b352521b1faba60c0abae81c97b9df40d6dec13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Sep 2021 15:34:35 +0200
+Subject: video: fbdev: chipsfb: use memset_io() instead of memset()
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit f2719b26ae27282c145202ffd656d5ff1fe737cc ]
+
+While investigating a lockup at startup on Powerbook 3400C, it was
+identified that the fbdev driver generates alignment exception at
+startup:
+
+ --- interrupt: 600 at memset+0x60/0xc0
+ NIP: c0021414 LR: c03fc49c CTR: 00007fff
+ REGS: ca021c10 TRAP: 0600 Tainted: G W (5.14.2-pmac-00727-g12a41fa69492)
+ MSR: 00009032 <EE,ME,IR,DR,RI> CR: 44008442 XER: 20000100
+ DAR: cab80020 DSISR: 00017c07
+ GPR00: 00000007 ca021cd0 c14412e0 cab80000 00000000 00100000 cab8001c 00000004
+ GPR08: 00100000 00007fff 00000000 00000000 84008442 00000000 c0006fb4 00000000
+ GPR16: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00100000
+ GPR24: 00000000 81800000 00000320 c15fa400 c14d1878 00000000 c14d1800 c094e19c
+ NIP [c0021414] memset+0x60/0xc0
+ LR [c03fc49c] chipsfb_pci_init+0x160/0x580
+ --- interrupt: 600
+ [ca021cd0] [c03fc46c] chipsfb_pci_init+0x130/0x580 (unreliable)
+ [ca021d20] [c03a3a70] pci_device_probe+0xf8/0x1b8
+ [ca021d50] [c043d584] really_probe.part.0+0xac/0x388
+ [ca021d70] [c043d914] __driver_probe_device+0xb4/0x170
+ [ca021d90] [c043da18] driver_probe_device+0x48/0x144
+ [ca021dc0] [c043e318] __driver_attach+0x11c/0x1c4
+ [ca021de0] [c043ad30] bus_for_each_dev+0x88/0xf0
+ [ca021e10] [c043c724] bus_add_driver+0x190/0x22c
+ [ca021e40] [c043ee94] driver_register+0x9c/0x170
+ [ca021e60] [c0006c28] do_one_initcall+0x54/0x1ec
+ [ca021ed0] [c08246e4] kernel_init_freeable+0x1c0/0x270
+ [ca021f10] [c0006fdc] kernel_init+0x28/0x11c
+ [ca021f30] [c0017148] ret_from_kernel_thread+0x14/0x1c
+ Instruction dump:
+ 7d4601a4 39490777 7d4701a4 39490888 7d4801a4 39490999 7d4901a4 39290aaa
+ 7d2a01a4 4c00012c 4bfffe88 0fe00000 <4bfffe80> 9421fff0 38210010 48001970
+
+This is due to 'dcbz' instruction being used on non-cached memory.
+'dcbz' instruction is used by memset() to zeroize a complete
+cacheline at once, and memset() is not expected to be used on non
+cached memory.
+
+When performing a 'sparse' check on fbdev driver, it also appears
+that the use of memset() is unexpected:
+
+ drivers/video/fbdev/chipsfb.c:334:17: warning: incorrect type in argument 1 (different address spaces)
+ drivers/video/fbdev/chipsfb.c:334:17: expected void *
+ drivers/video/fbdev/chipsfb.c:334:17: got char [noderef] __iomem *screen_base
+ drivers/video/fbdev/chipsfb.c:334:15: warning: memset with byte count of 1048576
+
+Use fb_memset() instead of memset(). fb_memset() is defined as
+memset_io() for powerpc.
+
+Fixes: 8c8709334cec ("[PATCH] ppc32: Remove CONFIG_PMAC_PBOOK")
+Reported-by: Stan Johnson <userm57@yahoo.com>
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/884a54f1e5cb774c1d9b4db780209bee5d4f6718.1631712563.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/chipsfb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/chipsfb.c b/drivers/video/fbdev/chipsfb.c
+index 998067b701fa0..393894af26f84 100644
+--- a/drivers/video/fbdev/chipsfb.c
++++ b/drivers/video/fbdev/chipsfb.c
+@@ -331,7 +331,7 @@ static const struct fb_var_screeninfo chipsfb_var = {
+
+ static void init_chips(struct fb_info *p, unsigned long addr)
+ {
+- memset(p->screen_base, 0, 0x100000);
++ fb_memset(p->screen_base, 0, 0x100000);
+
+ p->fix = chipsfb_fix;
+ p->fix.smem_start = addr;
+--
+2.33.0
+
--- /dev/null
+From 01a1bbf7a7e26ed5e7883dd32bf19b198deeaa40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Aug 2021 18:43:21 +0800
+Subject: virtio-gpu: fix possible memory allocation failure
+
+From: liuyuntao <liuyuntao10@huawei.com>
+
+[ Upstream commit 5bd4f20de8acad37dbb3154feb34dbc36d506c02 ]
+
+When kmem_cache_zalloc in virtio_gpu_get_vbuf fails, it will return
+an error code. But none of its callers checks this error code, and
+a core dump will take place.
+
+Considering many of its callers can't handle such error, I add
+a __GFP_NOFAIL flag when calling kmem_cache_zalloc to make sure
+it won't fail, and delete those unused error handlings.
+
+Fixes: dc5698e80cf724 ("Add virtio gpu driver.")
+Signed-off-by: Yuntao Liu <liuyuntao10@huawei.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20210828104321.3410312-1-liuyuntao10@huawei.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/virtio/virtgpu_vq.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/drivers/gpu/drm/virtio/virtgpu_vq.c b/drivers/gpu/drm/virtio/virtgpu_vq.c
+index 07945ca238e2d..5e40fa0f5e8f2 100644
+--- a/drivers/gpu/drm/virtio/virtgpu_vq.c
++++ b/drivers/gpu/drm/virtio/virtgpu_vq.c
+@@ -91,9 +91,7 @@ virtio_gpu_get_vbuf(struct virtio_gpu_device *vgdev,
+ {
+ struct virtio_gpu_vbuffer *vbuf;
+
+- vbuf = kmem_cache_zalloc(vgdev->vbufs, GFP_KERNEL);
+- if (!vbuf)
+- return ERR_PTR(-ENOMEM);
++ vbuf = kmem_cache_zalloc(vgdev->vbufs, GFP_KERNEL | __GFP_NOFAIL);
+
+ BUG_ON(size > MAX_INLINE_CMD_SIZE ||
+ size < sizeof(struct virtio_gpu_ctrl_hdr));
+@@ -147,10 +145,6 @@ static void *virtio_gpu_alloc_cmd_resp(struct virtio_gpu_device *vgdev,
+
+ vbuf = virtio_gpu_get_vbuf(vgdev, cmd_size,
+ resp_size, resp_buf, cb);
+- if (IS_ERR(vbuf)) {
+- *vbuffer_p = NULL;
+- return ERR_CAST(vbuf);
+- }
+ *vbuffer_p = vbuf;
+ return (struct virtio_gpu_command *)vbuf->buf;
+ }
+--
+2.33.0
+
--- /dev/null
+From bbad2c7d1181194ab0c2a907e99cf0b5592687e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Oct 2021 19:23:23 +0800
+Subject: virtio_ring: check desc == NULL when using indirect with packed
+
+From: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+
+[ Upstream commit fc6d70f40b3d0b3219e2026d05be0409695f620d ]
+
+When using indirect with packed, we don't check for allocation failures.
+This patch checks that and fall back on direct.
+
+Fixes: 1ce9e6055fa0 ("virtio_ring: introduce packed ring support")
+Signed-off-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20211020112323.67466-3-xuanzhuo@linux.alibaba.com
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/virtio/virtio_ring.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c
+index 6c730d6d50f71..e9432dbbec0a7 100644
+--- a/drivers/virtio/virtio_ring.c
++++ b/drivers/virtio/virtio_ring.c
+@@ -992,6 +992,8 @@ static int virtqueue_add_indirect_packed(struct vring_virtqueue *vq,
+
+ head = vq->packed.next_avail_idx;
+ desc = alloc_indirect_packed(total_sg, gfp);
++ if (!desc)
++ return -ENOMEM;
+
+ if (unlikely(vq->vq.num_free < 1)) {
+ pr_debug("Can't add buf len 1 - avail = 0\n");
+@@ -1103,6 +1105,7 @@ static inline int virtqueue_add_packed(struct virtqueue *_vq,
+ unsigned int i, n, c, descs_used, err_idx;
+ __le16 head_flags, flags;
+ u16 head, id, prev, curr, avail_used_flags;
++ int err;
+
+ START_USE(vq);
+
+@@ -1118,9 +1121,14 @@ static inline int virtqueue_add_packed(struct virtqueue *_vq,
+
+ BUG_ON(total_sg == 0);
+
+- if (virtqueue_use_indirect(_vq, total_sg))
+- return virtqueue_add_indirect_packed(vq, sgs, total_sg,
+- out_sgs, in_sgs, data, gfp);
++ if (virtqueue_use_indirect(_vq, total_sg)) {
++ err = virtqueue_add_indirect_packed(vq, sgs, total_sg, out_sgs,
++ in_sgs, data, gfp);
++ if (err != -ENOMEM)
++ return err;
++
++ /* fall back on direct */
++ }
+
+ head = vq->packed.next_avail_idx;
+ avail_used_flags = vq->packed.avail_used_flags;
+--
+2.33.0
+
--- /dev/null
+From 8500c1e786ddc10bbb21a696f4c0641e90476ff1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Oct 2021 16:14:00 +0200
+Subject: vrf: run conntrack only in context of lower/physdev for locally
+ generated packets
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 8c9c296adfae9ea05f655d69e9f6e13daa86fb4a ]
+
+The VRF driver invokes netfilter for output+postrouting hooks so that users
+can create rules that check for 'oif $vrf' rather than lower device name.
+
+This is a problem when NAT rules are configured.
+
+To avoid any conntrack involvement in round 1, tag skbs as 'untracked'
+to prevent conntrack from picking them up.
+
+This gets cleared before the packet gets handed to the ip stack so
+conntrack will be active on the second iteration.
+
+One remaining issue is that a rule like
+
+ output ... oif $vrfname notrack
+
+won't propagate to the second round because we can't tell
+'notrack set via ruleset' and 'notrack set by vrf driver' apart.
+However, this isn't a regression: the 'notrack' removal happens
+instead of unconditional nf_reset_ct().
+I'd also like to avoid leaking more vrf specific conditionals into the
+netfilter infra.
+
+For ingress, conntrack has already been done before the packet makes it
+to the vrf driver, with this patch egress does connection tracking with
+lower/physical device as well.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Acked-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vrf.c | 28 ++++++++++++++++++++++++----
+ 1 file changed, 24 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
+index 2746f77745e4d..71902706234cc 100644
+--- a/drivers/net/vrf.c
++++ b/drivers/net/vrf.c
+@@ -34,6 +34,7 @@
+ #include <net/l3mdev.h>
+ #include <net/fib_rules.h>
+ #include <net/netns/generic.h>
++#include <net/netfilter/nf_conntrack.h>
+
+ #define DRV_NAME "vrf"
+ #define DRV_VERSION "1.1"
+@@ -423,12 +424,26 @@ static int vrf_local_xmit(struct sk_buff *skb, struct net_device *dev,
+ return NETDEV_TX_OK;
+ }
+
++static void vrf_nf_set_untracked(struct sk_buff *skb)
++{
++ if (skb_get_nfct(skb) == 0)
++ nf_ct_set(skb, NULL, IP_CT_UNTRACKED);
++}
++
++static void vrf_nf_reset_ct(struct sk_buff *skb)
++{
++ if (skb_get_nfct(skb) == IP_CT_UNTRACKED)
++ nf_reset_ct(skb);
++}
++
+ #if IS_ENABLED(CONFIG_IPV6)
+ static int vrf_ip6_local_out(struct net *net, struct sock *sk,
+ struct sk_buff *skb)
+ {
+ int err;
+
++ vrf_nf_reset_ct(skb);
++
+ err = nf_hook(NFPROTO_IPV6, NF_INET_LOCAL_OUT, net,
+ sk, skb, NULL, skb_dst(skb)->dev, dst_output);
+
+@@ -508,6 +523,8 @@ static int vrf_ip_local_out(struct net *net, struct sock *sk,
+ {
+ int err;
+
++ vrf_nf_reset_ct(skb);
++
+ err = nf_hook(NFPROTO_IPV4, NF_INET_LOCAL_OUT, net, sk,
+ skb, NULL, skb_dst(skb)->dev, dst_output);
+ if (likely(err == 1))
+@@ -627,8 +644,7 @@ static void vrf_finish_direct(struct sk_buff *skb)
+ skb_pull(skb, ETH_HLEN);
+ }
+
+- /* reset skb device */
+- nf_reset_ct(skb);
++ vrf_nf_reset_ct(skb);
+ }
+
+ #if IS_ENABLED(CONFIG_IPV6)
+@@ -642,7 +658,7 @@ static int vrf_finish_output6(struct net *net, struct sock *sk,
+ struct neighbour *neigh;
+ int ret;
+
+- nf_reset_ct(skb);
++ vrf_nf_reset_ct(skb);
+
+ skb->protocol = htons(ETH_P_IPV6);
+ skb->dev = dev;
+@@ -753,6 +769,8 @@ static struct sk_buff *vrf_ip6_out_direct(struct net_device *vrf_dev,
+
+ skb->dev = vrf_dev;
+
++ vrf_nf_set_untracked(skb);
++
+ err = nf_hook(NFPROTO_IPV6, NF_INET_LOCAL_OUT, net, sk,
+ skb, NULL, vrf_dev, vrf_ip6_out_direct_finish);
+
+@@ -860,7 +878,7 @@ static int vrf_finish_output(struct net *net, struct sock *sk, struct sk_buff *s
+ bool is_v6gw = false;
+ int ret = -EINVAL;
+
+- nf_reset_ct(skb);
++ vrf_nf_reset_ct(skb);
+
+ /* Be paranoid, rather than too clever. */
+ if (unlikely(skb_headroom(skb) < hh_len && dev->header_ops)) {
+@@ -988,6 +1006,8 @@ static struct sk_buff *vrf_ip_out_direct(struct net_device *vrf_dev,
+
+ skb->dev = vrf_dev;
+
++ vrf_nf_set_untracked(skb);
++
+ err = nf_hook(NFPROTO_IPV4, NF_INET_LOCAL_OUT, net, sk,
+ skb, NULL, vrf_dev, vrf_ip_out_direct_finish);
+
+--
+2.33.0
+
--- /dev/null
+From df206d8b681037fe95f02ff2441ccfc3a1947e3f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Nov 2021 00:15:02 +0000
+Subject: vsock: prevent unnecessary refcnt inc for nonblocking connect
+
+From: Eiichi Tsukata <eiichi.tsukata@nutanix.com>
+
+[ Upstream commit c7cd82b90599fa10915f41e3dd9098a77d0aa7b6 ]
+
+Currently vosck_connect() increments sock refcount for nonblocking
+socket each time it's called, which can lead to memory leak if
+it's called multiple times because connect timeout function decrements
+sock refcount only once.
+
+Fixes it by making vsock_connect() return -EALREADY immediately when
+sock state is already SS_CONNECTING.
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Eiichi Tsukata <eiichi.tsukata@nutanix.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/af_vsock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index 326250513570e..7fe36dbcbe187 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1279,6 +1279,8 @@ static int vsock_stream_connect(struct socket *sock, struct sockaddr *addr,
+ * non-blocking call.
+ */
+ err = -EALREADY;
++ if (flags & O_NONBLOCK)
++ goto out;
+ break;
+ default:
+ if ((sk->sk_state == TCP_LISTEN) ||
+--
+2.33.0
+
--- /dev/null
+From 6622e3017de65f749ac45c519e1af792ad356562 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 18:20:31 +0200
+Subject: watchdog: f71808e_wdt: fix inaccurate report in WDIOC_GETTIMEOUT
+
+From: Ahmad Fatoum <a.fatoum@pengutronix.de>
+
+[ Upstream commit 164483c735190775f29d0dcbac0363adc51a068d ]
+
+The fintek watchdog timer can configure timeouts of second granularity
+only up to 255 seconds. Beyond that, the timeout needs to be configured
+with minute granularity. WDIOC_GETTIMEOUT should report the actual
+timeout configured, not just echo back the timeout configured by the
+user. Do so.
+
+Fixes: 96cb4eb019ce ("watchdog: f71808e_wdt: new watchdog driver for Fintek F71808E and F71882FG")
+Suggested-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
+Link: https://lore.kernel.org/r/5e17960fe8cc0e3cb2ba53de4730b75d9a0f33d5.1628525954.git-series.a.fatoum@pengutronix.de
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/f71808e_wdt.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/watchdog/f71808e_wdt.c b/drivers/watchdog/f71808e_wdt.c
+index f60beec1bbaea..f7d82d2619133 100644
+--- a/drivers/watchdog/f71808e_wdt.c
++++ b/drivers/watchdog/f71808e_wdt.c
+@@ -228,15 +228,17 @@ static int watchdog_set_timeout(int timeout)
+
+ mutex_lock(&watchdog.lock);
+
+- watchdog.timeout = timeout;
+ if (timeout > 0xff) {
+ watchdog.timer_val = DIV_ROUND_UP(timeout, 60);
+ watchdog.minutes_mode = true;
++ timeout = watchdog.timer_val * 60;
+ } else {
+ watchdog.timer_val = timeout;
+ watchdog.minutes_mode = false;
+ }
+
++ watchdog.timeout = timeout;
++
+ mutex_unlock(&watchdog.lock);
+
+ return 0;
+--
+2.33.0
+
--- /dev/null
+From 023b415d6dcb6133cd4c8a96716a8d01a76c1792 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Oct 2021 17:15:28 -0700
+Subject: wcn36xx: add proper DMA memory barriers in rx path
+
+From: Benjamin Li <benl@squareup.com>
+
+[ Upstream commit 9bfe38e064af5decba2ffce66a2958ab8b10eaa4 ]
+
+This is essentially exactly following the dma_wmb()/dma_rmb() usage
+instructions in Documentation/memory-barriers.txt.
+
+The theoretical races here are:
+
+1. DXE (the DMA Transfer Engine in the Wi-Fi subsystem) seeing the
+dxe->ctrl & WCN36xx_DXE_CTRL_VLD write before the dxe->dst_addr_l
+write, thus performing DMA into the wrong address.
+
+2. CPU reading dxe->dst_addr_l before DXE unsets dxe->ctrl &
+WCN36xx_DXE_CTRL_VLD. This should generally be harmless since DXE
+doesn't write dxe->dst_addr_l (no risk of freeing the wrong skb).
+
+Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware")
+Signed-off-by: Benjamin Li <benl@squareup.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20211023001528.3077822-1-benl@squareup.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/wcn36xx/dxe.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/wcn36xx/dxe.c b/drivers/net/wireless/ath/wcn36xx/dxe.c
+index 70c46c327512f..cf4eb0fb28151 100644
+--- a/drivers/net/wireless/ath/wcn36xx/dxe.c
++++ b/drivers/net/wireless/ath/wcn36xx/dxe.c
+@@ -606,6 +606,10 @@ static int wcn36xx_rx_handle_packets(struct wcn36xx *wcn,
+ dxe = ctl->desc;
+
+ while (!(READ_ONCE(dxe->ctrl) & WCN36xx_DXE_CTRL_VLD)) {
++ /* do not read until we own DMA descriptor */
++ dma_rmb();
++
++ /* read/modify DMA descriptor */
+ skb = ctl->skb;
+ dma_addr = dxe->dst_addr_l;
+ ret = wcn36xx_dxe_fill_skb(wcn->dev, ctl, GFP_ATOMIC);
+@@ -616,9 +620,15 @@ static int wcn36xx_rx_handle_packets(struct wcn36xx *wcn,
+ dma_unmap_single(wcn->dev, dma_addr, WCN36XX_PKT_SIZE,
+ DMA_FROM_DEVICE);
+ wcn36xx_rx_skb(wcn, skb);
+- } /* else keep old skb not submitted and use it for rx DMA */
++ }
++ /* else keep old skb not submitted and reuse it for rx DMA
++ * (dropping the packet that it contained)
++ */
+
++ /* flush descriptor changes before re-marking as valid */
++ dma_wmb();
+ dxe->ctrl = ctrl;
++
+ ctl = ctl->next;
+ dxe = ctl->desc;
+ }
+--
+2.33.0
+
--- /dev/null
+From 8b3168c198afbd4a1cf8d9c348da3eb6224866eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Oct 2021 12:57:57 +0200
+Subject: wcn36xx: Correct band/freq reporting on RX
+
+From: Loic Poulain <loic.poulain@linaro.org>
+
+[ Upstream commit 8a27ca39478270e07baf9c09aa0c99709769ba03 ]
+
+For packets originating from hardware scan, the channel and band is
+included in the buffer descriptor (bd->rf_band & bd->rx_ch).
+
+For 2Ghz band the channel value is directly reported in the 4-bit
+rx_ch field. For 5Ghz band, the rx_ch field contains a mapping
+index (given the 4-bit limitation).
+
+The reserved0 value field is also used to extend 4-bit mapping to
+5-bit mapping to support more than 16 5Ghz channels.
+
+This change adds correct reporting of the frequency/band, that is
+used in scan mechanism. And is required for 5Ghz hardware scan
+support.
+
+Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
+Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1634554678-7993-1-git-send-email-loic.poulain@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/wcn36xx/txrx.c | 23 +++++++++++++++++++++++
+ drivers/net/wireless/ath/wcn36xx/txrx.h | 3 ++-
+ 2 files changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/wcn36xx/txrx.c b/drivers/net/wireless/ath/wcn36xx/txrx.c
+index eaf2410e39647..c0f51fa13dfa1 100644
+--- a/drivers/net/wireless/ath/wcn36xx/txrx.c
++++ b/drivers/net/wireless/ath/wcn36xx/txrx.c
+@@ -31,6 +31,13 @@ struct wcn36xx_rate {
+ enum rate_info_bw bw;
+ };
+
++/* Buffer descriptor rx_ch field is limited to 5-bit (4+1), a mapping is used
++ * for 11A Channels.
++ */
++static const u8 ab_rx_ch_map[] = { 36, 40, 44, 48, 52, 56, 60, 64, 100, 104,
++ 108, 112, 116, 120, 124, 128, 132, 136, 140,
++ 149, 153, 157, 161, 165, 144 };
++
+ static const struct wcn36xx_rate wcn36xx_rate_table[] = {
+ /* 11b rates */
+ { 10, 0, RX_ENC_LEGACY, 0, RATE_INFO_BW_20 },
+@@ -291,6 +298,22 @@ int wcn36xx_rx_skb(struct wcn36xx *wcn, struct sk_buff *skb)
+ ieee80211_is_probe_resp(hdr->frame_control))
+ status.boottime_ns = ktime_get_boottime_ns();
+
++ if (bd->scan_learn) {
++ /* If packet originates from hardware scanning, extract the
++ * band/channel from bd descriptor.
++ */
++ u8 hwch = (bd->reserved0 << 4) + bd->rx_ch;
++
++ if (bd->rf_band != 1 && hwch <= sizeof(ab_rx_ch_map) && hwch >= 1) {
++ status.band = NL80211_BAND_5GHZ;
++ status.freq = ieee80211_channel_to_frequency(ab_rx_ch_map[hwch - 1],
++ status.band);
++ } else {
++ status.band = NL80211_BAND_2GHZ;
++ status.freq = ieee80211_channel_to_frequency(hwch, status.band);
++ }
++ }
++
+ memcpy(IEEE80211_SKB_RXCB(skb), &status, sizeof(status));
+
+ if (ieee80211_is_beacon(hdr->frame_control)) {
+diff --git a/drivers/net/wireless/ath/wcn36xx/txrx.h b/drivers/net/wireless/ath/wcn36xx/txrx.h
+index 032216e82b2be..b54311ffde9c5 100644
+--- a/drivers/net/wireless/ath/wcn36xx/txrx.h
++++ b/drivers/net/wireless/ath/wcn36xx/txrx.h
+@@ -110,7 +110,8 @@ struct wcn36xx_rx_bd {
+ /* 0x44 */
+ u32 exp_seq_num:12;
+ u32 cur_seq_num:12;
+- u32 fr_type_subtype:8;
++ u32 rf_band:2;
++ u32 fr_type_subtype:6;
+
+ /* 0x48 */
+ u32 msdu_size:16;
+--
+2.33.0
+
--- /dev/null
+From 0b0393753d8eb663d7bbfe5ea728cef2e60f34a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Sep 2021 15:44:27 +0100
+Subject: wcn36xx: Fix Antenna Diversity Switching
+
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+
+[ Upstream commit 701668d3bfa03dabc5095fc383d5315544ee5b31 ]
+
+We have been tracking a strange bug with Antenna Diversity Switching (ADS)
+on wcn3680b for a while.
+
+ADS is configured like this:
+ A. Via a firmware configuration table baked into the NV area.
+ 1. Defines if ADS is enabled.
+ 2. Defines which GPIOs are connected to which antenna enable pin.
+ 3. Defines which antenna/GPIO is primary and which is secondary.
+
+ B. WCN36XX_CFG_VAL(ANTENNA_DIVERSITY, N)
+ N is a bitmask of available antenna.
+
+ Setting N to 3 indicates a bitmask of enabled antenna (1 | 2).
+
+ Obviously then we can set N to 1 or N to 2 to fix to a particular
+ antenna and disable antenna diversity.
+
+ C. WCN36XX_CFG_VAL(ASD_PROBE_INTERVAL, XX)
+ XX is the number of beacons between each antenna RSSI check.
+ Setting this value to 50 means, every 50 received beacons, run the
+ ADS algorithm.
+
+ D. WCN36XX_CFG_VAL(ASD_TRIGGER_THRESHOLD, YY)
+ YY is a two's complement integer which specifies the RSSI decibel
+ threshold below which ADS will run.
+ We default to -60db here, meaning a measured RSSI <= -60db will
+ trigger an ADS probe.
+
+ E. WCN36XX_CFG_VAL(ASD_RTT_RSSI_HYST_THRESHOLD, Z)
+ Z is a hysteresis value, indicating a delta which the RSSI must
+ exceed for the antenna switch to be valid.
+
+ For example if HYST_THRESHOLD == 3 AntennaId1-RSSI == -60db and
+ AntennaId-2-RSSI == -58db then firmware will not switch antenna.
+ The threshold needs to be -57db or better to satisfy the criteria.
+
+ F. A firmware feature bit also exists ANTENNA_DIVERSITY_SELECTION.
+ This feature bit is used by the firmware to report if
+ ANTENNA_DIVERSITY_SELECTION is supported. The host is not required to
+ toggle this bit to enable or disable ADS.
+
+ADS works like this:
+
+ A. Every XX beacons the firmware switches to or remains on the primary
+ antenna.
+
+ B. The firmware then sends a Request-To-Send (RTS) packet to the AP.
+
+ C. The firmware waits for a Clear-To-Send (CTS) response from the AP.
+
+ D. The firmware then notes the received RSSI on the CTS packet.
+
+ E. The firmware then repeats steps A-D on the secondary antenna.
+
+ F. Subsequently if the RSSI on the measured antenna is better than
+ ASD_TRIGGER_THRESHOLD + the active antenna's RSSI then the
+ measured antenna becomes the active antenna.
+
+ G. If RSSI rises past ASD_TRIGGER_THRESHOLD then ADS doesn't run at
+ all even if there is a substantially better RSSI on the alternative
+ antenna.
+
+What we have been observing is that the RTS packet is being sent but the
+MAC address is a byte-swapped version of the target MAC. The ADS/RTS MAC is
+corrupted only when the link is encrypted, if the AP is open the RTS MAC is
+correct. Similarly if we configure the firmware to an RTS/CTS sequence for
+regular data - the transmitted RTS MAC is correctly formatted.
+
+Internally the wcn36xx firmware uses the indexes in the SMD commands to
+populate and extract data from specific entries in an STA lookup table. The
+AP's MAC appears a number of times in different indexes within this lookup
+table, so the MAC address extracted for the data-transmit RTS and the MAC
+address extracted for the ADS/RTS packet are not the same STA table index.
+
+Our analysis indicates the relevant firmware STA table index is
+"bssSelfStaIdx".
+
+There is an STA populate function responsible for formatting the MAC
+address of the bssSelfStaIdx including byte-swapping the MAC address.
+
+Its clear then that the required STA populate command did not run for
+bssSelfStaIdx.
+
+So taking a look at the sequence of SMD commands sent to the firmware we
+see the following downstream when moving from an unencrypted to encrypted
+BSS setup.
+
+- WLAN_HAL_CONFIG_BSS_REQ
+- WLAN_HAL_CONFIG_STA_REQ
+- WLAN_HAL_SET_STAKEY_REQ
+
+Upstream in wcn36xx we have
+
+- WLAN_HAL_CONFIG_BSS_REQ
+- WLAN_HAL_SET_STAKEY_REQ
+
+The solution then is to add the missing WLAN_HAL_CONFIG_STA_REQ between
+WLAN_HAL_CONFIG_BSS_REQ and WLAN_HAL_SET_STAKEY_REQ.
+
+No surprise WLAN_HAL_CONFIG_STA_REQ is the routine responsible for
+populating the STA lookup table in the firmware and once done the MAC sent
+by the ADS routine is in the correct byte-order.
+
+This bug is apparent with ADS but it is also the case that any other
+firmware routine that depends on the "bssSelfStaIdx" would retrieve
+malformed data on an encrypted link.
+
+Fixes: 3e977c5c523d ("wcn36xx: Define wcn3680 specific firmware parameters")
+Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Tested-by: Benjamin Li <benl@squareup.com>
+Reviewed-by: Loic Poulain <loic.poulain@linaro.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210909144428.2564650-2-bryan.odonoghue@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/wcn36xx/main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/wcn36xx/main.c b/drivers/net/wireless/ath/wcn36xx/main.c
+index 883534125df10..629ddfd74da1a 100644
+--- a/drivers/net/wireless/ath/wcn36xx/main.c
++++ b/drivers/net/wireless/ath/wcn36xx/main.c
+@@ -568,12 +568,14 @@ static int wcn36xx_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
+ if (IEEE80211_KEY_FLAG_PAIRWISE & key_conf->flags) {
+ sta_priv->is_data_encrypted = true;
+ /* Reconfigure bss with encrypt_type */
+- if (NL80211_IFTYPE_STATION == vif->type)
++ if (NL80211_IFTYPE_STATION == vif->type) {
+ wcn36xx_smd_config_bss(wcn,
+ vif,
+ sta,
+ sta->addr,
+ true);
++ wcn36xx_smd_config_sta(wcn, vif, sta);
++ }
+
+ wcn36xx_smd_set_stakey(wcn,
+ vif_priv->encrypt_type,
+--
+2.33.0
+
--- /dev/null
+From 9eb98272d655a39a9773b02cd2ecce15be64b12a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Oct 2021 10:25:36 +0200
+Subject: wcn36xx: Fix discarded frames due to wrong sequence number
+
+From: Loic Poulain <loic.poulain@linaro.org>
+
+[ Upstream commit 113f304dbc1627c6ec9d5329d839964095768980 ]
+
+The firmware is offering features such as ARP offload, for which
+firmware crafts its own (QoS)packets without waking up the host.
+Point is that the sequence numbers generated by the firmware are
+not in sync with the host mac80211 layer and can cause packets
+such as firmware ARP reponses to be dropped by the AP (too old SN).
+
+To fix this we need to let the firmware manages the sequence
+numbers by its own (except for QoS null frames). There is a SN
+counter for each QoS queue and one global/baseline counter for
+Non-QoS.
+
+Fixes: 84aff52e4f57 ("wcn36xx: Use sequence number allocated by mac80211")
+Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
+Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1635150336-18736-1-git-send-email-loic.poulain@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/wcn36xx/txrx.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/wcn36xx/txrx.c b/drivers/net/wireless/ath/wcn36xx/txrx.c
+index c0f51fa13dfa1..bbd7194c82e27 100644
+--- a/drivers/net/wireless/ath/wcn36xx/txrx.c
++++ b/drivers/net/wireless/ath/wcn36xx/txrx.c
+@@ -344,8 +344,6 @@ static void wcn36xx_set_tx_pdu(struct wcn36xx_tx_bd *bd,
+ bd->pdu.mpdu_header_off;
+ bd->pdu.mpdu_len = len;
+ bd->pdu.tid = tid;
+- /* Use seq number generated by mac80211 */
+- bd->pdu.bd_ssn = WCN36XX_TXBD_SSN_FILL_HOST;
+ }
+
+ static inline struct wcn36xx_vif *get_vif_by_addr(struct wcn36xx *wcn,
+@@ -442,6 +440,9 @@ static void wcn36xx_set_tx_data(struct wcn36xx_tx_bd *bd,
+ tid = ieee80211_get_tid(hdr);
+ /* TID->QID is one-to-one mapping */
+ bd->queue_id = tid;
++ bd->pdu.bd_ssn = WCN36XX_TXBD_SSN_FILL_DPU_QOS;
++ } else {
++ bd->pdu.bd_ssn = WCN36XX_TXBD_SSN_FILL_DPU_NON_QOS;
+ }
+
+ if (info->flags & IEEE80211_TX_INTFL_DONT_ENCRYPT ||
+@@ -453,6 +454,8 @@ static void wcn36xx_set_tx_data(struct wcn36xx_tx_bd *bd,
+ /* Don't use a regular queue for null packet (no ampdu) */
+ bd->queue_id = WCN36XX_TX_U_WQ_ID;
+ bd->bd_rate = WCN36XX_BD_RATE_CTRL;
++ if (ieee80211_is_qos_nullfunc(hdr->frame_control))
++ bd->pdu.bd_ssn = WCN36XX_TXBD_SSN_FILL_HOST;
+ }
+
+ if (bcast) {
+@@ -512,6 +515,8 @@ static void wcn36xx_set_tx_mgmt(struct wcn36xx_tx_bd *bd,
+ bd->queue_id = WCN36XX_TX_U_WQ_ID;
+ *vif_priv = __vif_priv;
+
++ bd->pdu.bd_ssn = WCN36XX_TXBD_SSN_FILL_DPU_NON_QOS;
++
+ wcn36xx_set_tx_pdu(bd,
+ ieee80211_is_data_qos(hdr->frame_control) ?
+ sizeof(struct ieee80211_qos_hdr) :
+--
+2.33.0
+
--- /dev/null
+From b4db53f0604551dd0d41d010b5bb87d5b87832bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Sep 2021 16:49:18 +0000
+Subject: wilc1000: fix possible memory leak in cfg_scan_result()
+
+From: Ajay Singh <ajay.kathat@microchip.com>
+
+[ Upstream commit 3c719fed0f3a5e95b1d164609ecc81c4191ade70 ]
+
+When the BSS reference holds a valid reference, it is not freed. The 'if'
+condition is wrong. Instead of the 'if (bss)' check, the 'if (!bss)' check
+is used.
+The issue is solved by removing the unnecessary 'if' check because
+cfg80211_put_bss() already performs the NULL validation.
+
+Fixes: 6cd4fa5ab691 ("staging: wilc1000: make use of cfg80211_inform_bss_frame()")
+Signed-off-by: Ajay Singh <ajay.kathat@microchip.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210916164902.74629-3-ajay.kathat@microchip.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/microchip/wilc1000/cfg80211.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/microchip/wilc1000/cfg80211.c b/drivers/net/wireless/microchip/wilc1000/cfg80211.c
+index c1ac1d84790f0..6be5ac8ba518d 100644
+--- a/drivers/net/wireless/microchip/wilc1000/cfg80211.c
++++ b/drivers/net/wireless/microchip/wilc1000/cfg80211.c
+@@ -129,8 +129,7 @@ static void cfg_scan_result(enum scan_event scan_event,
+ info->frame_len,
+ (s32)info->rssi * 100,
+ GFP_KERNEL);
+- if (!bss)
+- cfg80211_put_bss(wiphy, bss);
++ cfg80211_put_bss(wiphy, bss);
+ } else if (scan_event == SCAN_EVENT_DONE) {
+ mutex_lock(&priv->scan_req_lock);
+
+--
+2.33.0
+
--- /dev/null
+From 965bfef10d39b14c323e245621c0b650de8f4bdb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 17 Oct 2021 20:04:02 +0800
+Subject: workqueue: make sysfs of unbound kworker cpumask more clever
+
+From: Menglong Dong <imagedong@tencent.com>
+
+[ Upstream commit d25302e46592c97d29f70ccb1be558df31a9a360 ]
+
+Some unfriendly component, such as dpdk, write the same mask to
+unbound kworker cpumask again and again. Every time it write to
+this interface some work is queue to cpu, even though the mask
+is same with the original mask.
+
+So, fix it by return success and do nothing if the cpumask is
+equal with the old one.
+
+Signed-off-by: Mengen Sun <mengensun@tencent.com>
+Signed-off-by: Menglong Dong <imagedong@tencent.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/workqueue.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/workqueue.c b/kernel/workqueue.c
+index 4cb622b2661b5..d02073b9d56e2 100644
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -5326,9 +5326,6 @@ int workqueue_set_unbound_cpumask(cpumask_var_t cpumask)
+ int ret = -EINVAL;
+ cpumask_var_t saved_cpumask;
+
+- if (!zalloc_cpumask_var(&saved_cpumask, GFP_KERNEL))
+- return -ENOMEM;
+-
+ /*
+ * Not excluding isolated cpus on purpose.
+ * If the user wishes to include them, we allow that.
+@@ -5336,6 +5333,15 @@ int workqueue_set_unbound_cpumask(cpumask_var_t cpumask)
+ cpumask_and(cpumask, cpumask, cpu_possible_mask);
+ if (!cpumask_empty(cpumask)) {
+ apply_wqattrs_lock();
++ if (cpumask_equal(cpumask, wq_unbound_cpumask)) {
++ ret = 0;
++ goto out_unlock;
++ }
++
++ if (!zalloc_cpumask_var(&saved_cpumask, GFP_KERNEL)) {
++ ret = -ENOMEM;
++ goto out_unlock;
++ }
+
+ /* save the old wq_unbound_cpumask. */
+ cpumask_copy(saved_cpumask, wq_unbound_cpumask);
+@@ -5348,10 +5354,11 @@ int workqueue_set_unbound_cpumask(cpumask_var_t cpumask)
+ if (ret < 0)
+ cpumask_copy(wq_unbound_cpumask, saved_cpumask);
+
++ free_cpumask_var(saved_cpumask);
++out_unlock:
+ apply_wqattrs_unlock();
+ }
+
+- free_cpumask_var(saved_cpumask);
+ return ret;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 0bab637d1546ddefe9a020686c4ae9a282466d48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Oct 2021 17:50:05 +0200
+Subject: x86/hyperv: Protect set_hv_tscchange_cb() against getting preempted
+
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+[ Upstream commit 285f68afa8b20f752b0b7194d54980b5e0e27b75 ]
+
+The following issue is observed with CONFIG_DEBUG_PREEMPT when KVM loads:
+
+ KVM: vmx: using Hyper-V Enlightened VMCS
+ BUG: using smp_processor_id() in preemptible [00000000] code: systemd-udevd/488
+ caller is set_hv_tscchange_cb+0x16/0x80
+ CPU: 1 PID: 488 Comm: systemd-udevd Not tainted 5.15.0-rc5+ #396
+ Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.0 12/17/2019
+ Call Trace:
+ dump_stack_lvl+0x6a/0x9a
+ check_preemption_disabled+0xde/0xe0
+ ? kvm_gen_update_masterclock+0xd0/0xd0 [kvm]
+ set_hv_tscchange_cb+0x16/0x80
+ kvm_arch_init+0x23f/0x290 [kvm]
+ kvm_init+0x30/0x310 [kvm]
+ vmx_init+0xaf/0x134 [kvm_intel]
+ ...
+
+set_hv_tscchange_cb() can get preempted in between acquiring
+smp_processor_id() and writing to HV_X64_MSR_REENLIGHTENMENT_CONTROL. This
+is not an issue by itself: HV_X64_MSR_REENLIGHTENMENT_CONTROL is a
+partition-wide MSR and it doesn't matter which particular CPU will be
+used to receive reenlightenment notifications. The only real problem can
+(in theory) be observed if the CPU whose id was acquired with
+smp_processor_id() goes offline before we manage to write to the MSR,
+the logic in hv_cpu_die() won't be able to reassign it correctly.
+
+Reported-by: Michael Kelley <mikelley@microsoft.com>
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Link: https://lore.kernel.org/r/20211012155005.1613352-1-vkuznets@redhat.com
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/hyperv/hv_init.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/hyperv/hv_init.c b/arch/x86/hyperv/hv_init.c
+index 6375967a8244d..3cf4030232590 100644
+--- a/arch/x86/hyperv/hv_init.c
++++ b/arch/x86/hyperv/hv_init.c
+@@ -168,7 +168,6 @@ void set_hv_tscchange_cb(void (*cb)(void))
+ struct hv_reenlightenment_control re_ctrl = {
+ .vector = HYPERV_REENLIGHTENMENT_VECTOR,
+ .enabled = 1,
+- .target_vp = hv_vp_index[smp_processor_id()]
+ };
+ struct hv_tsc_emulation_control emu_ctrl = {.enabled = 1};
+
+@@ -182,8 +181,12 @@ void set_hv_tscchange_cb(void (*cb)(void))
+ /* Make sure callback is registered before we write to MSRs */
+ wmb();
+
++ re_ctrl.target_vp = hv_vp_index[get_cpu()];
++
+ wrmsrl(HV_X64_MSR_REENLIGHTENMENT_CONTROL, *((u64 *)&re_ctrl));
+ wrmsrl(HV_X64_MSR_TSC_EMULATION_CONTROL, *((u64 *)&emu_ctrl));
++
++ put_cpu();
+ }
+ EXPORT_SYMBOL_GPL(set_hv_tscchange_cb);
+
+--
+2.33.0
+
--- /dev/null
+From 4d144402b88221e3ad1c24c7ea2637a3615df2c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Sep 2021 16:19:46 +0200
+Subject: x86: Increase exception stack sizes
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 7fae4c24a2b84a66c7be399727aca11e7a888462 ]
+
+It turns out that a single page of stack is trivial to overflow with
+all the tracing gunk enabled. Raise the exception stacks to 2 pages,
+which is still half the interrupt stacks, which are at 4 pages.
+
+Reported-by: Michael Wang <yun.wang@linux.alibaba.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/YUIO9Ye98S5Eb68w@hirez.programming.kicks-ass.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/page_64_types.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/page_64_types.h b/arch/x86/include/asm/page_64_types.h
+index 3f49dac03617d..224d71aef6303 100644
+--- a/arch/x86/include/asm/page_64_types.h
++++ b/arch/x86/include/asm/page_64_types.h
+@@ -15,7 +15,7 @@
+ #define THREAD_SIZE_ORDER (2 + KASAN_STACK_ORDER)
+ #define THREAD_SIZE (PAGE_SIZE << THREAD_SIZE_ORDER)
+
+-#define EXCEPTION_STACK_ORDER (0 + KASAN_STACK_ORDER)
++#define EXCEPTION_STACK_ORDER (1 + KASAN_STACK_ORDER)
+ #define EXCEPTION_STKSZ (PAGE_SIZE << EXCEPTION_STACK_ORDER)
+
+ #define IRQ_STACK_ORDER (2 + KASAN_STACK_ORDER)
+--
+2.33.0
+
--- /dev/null
+From 255c3aa8c54df1a362f119a5660959dd933571c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Oct 2021 10:08:32 +0200
+Subject: x86/sev: Fix stack type check in vc_switch_off_ist()
+
+From: Joerg Roedel <jroedel@suse.de>
+
+[ Upstream commit 5681981fb788281b09a4ea14d310d30b2bd89132 ]
+
+The value of STACK_TYPE_EXCEPTION_LAST points to the last _valid_
+exception stack. Reflect that in the check done in the
+vc_switch_off_ist() function.
+
+Fixes: a13644f3a53de ("x86/entry/64: Add entry code for #VC handler")
+Reported-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: https://lkml.kernel.org/r/20211021080833.30875-2-joro@8bytes.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/traps.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
+index 7692bf7908e6c..143fcb8af38f4 100644
+--- a/arch/x86/kernel/traps.c
++++ b/arch/x86/kernel/traps.c
+@@ -701,7 +701,7 @@ asmlinkage __visible noinstr struct pt_regs *vc_switch_off_ist(struct pt_regs *r
+ stack = (unsigned long *)sp;
+
+ if (!get_stack_info_noinstr(stack, current, &info) || info.type == STACK_TYPE_ENTRY ||
+- info.type >= STACK_TYPE_EXCEPTION_LAST)
++ info.type > STACK_TYPE_EXCEPTION_LAST)
+ sp = __this_cpu_ist_top_va(VC2);
+
+ sync:
+--
+2.33.0
+
--- /dev/null
+From b13572f60ca0be6b6aca06cf9b00a79f5c9b6da1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jun 2021 11:41:00 +0200
+Subject: x86/xen: Mark cpu_bringup_and_idle() as dead_end_function
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 9af9dcf11bda3e2c0e24c1acaacb8685ad974e93 ]
+
+The asm_cpu_bringup_and_idle() function is required to push the return
+value on the stack in order to make ORC happy, but the only reason
+objtool doesn't complain is because of a happy accident.
+
+The thing is that asm_cpu_bringup_and_idle() doesn't return, so
+validate_branch() never terminates and falls through to the next
+function, which in the normal case is the hypercall_page. And that, as
+it happens, is 4095 NOPs and a RET.
+
+Make asm_cpu_bringup_and_idle() terminate on it's own, by making the
+function it calls as a dead-end. This way we no longer rely on what
+code happens to come after.
+
+Fixes: c3881eb58d56 ("x86/xen: Make the secondary CPU idle tasks reliable")
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Miroslav Benes <mbenes@suse.cz>
+Link: https://lore.kernel.org/r/20210624095147.693801717@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/objtool/check.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/objtool/check.c b/tools/objtool/check.c
+index ec15cadbb3d3e..4261f93ce06f9 100644
+--- a/tools/objtool/check.c
++++ b/tools/objtool/check.c
+@@ -157,6 +157,7 @@ static bool __dead_end_function(struct objtool_file *file, struct symbol *func,
+ "rewind_stack_do_exit",
+ "kunit_try_catch_throw",
+ "xen_start_kernel",
++ "cpu_bringup_and_idle",
+ };
+
+ if (!func)
+--
+2.33.0
+
--- /dev/null
+From bbbe0f0f644afed60661e0150d08e68be90686a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Oct 2021 15:44:17 +0800
+Subject: xen-pciback: Fix return in pm_ctrl_init()
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 4745ea2628bb43a7ec34b71763b5a56407b33990 ]
+
+Return NULL instead of passing to ERR_PTR while err is zero,
+this fix smatch warnings:
+drivers/xen/xen-pciback/conf_space_capability.c:163
+ pm_ctrl_init() warn: passing zero to 'ERR_PTR'
+
+Fixes: a92336a1176b ("xen/pciback: Drop two backends, squash and cleanup some code.")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Link: https://lore.kernel.org/r/20211008074417.8260-1-yuehaibing@huawei.com
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/xen-pciback/conf_space_capability.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/xen/xen-pciback/conf_space_capability.c b/drivers/xen/xen-pciback/conf_space_capability.c
+index 22f13abbe9130..5e53b4817f167 100644
+--- a/drivers/xen/xen-pciback/conf_space_capability.c
++++ b/drivers/xen/xen-pciback/conf_space_capability.c
+@@ -160,7 +160,7 @@ static void *pm_ctrl_init(struct pci_dev *dev, int offset)
+ }
+
+ out:
+- return ERR_PTR(err);
++ return err ? ERR_PTR(err) : NULL;
+ }
+
+ static const struct config_field caplist_pm[] = {
+--
+2.33.0
+
--- /dev/null
+From b1e660e7e535bf61516d4c27eb352590108f6e47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Nov 2021 13:45:12 -0700
+Subject: zram: off by one in read_block_state()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit a88e03cf3d190cf46bc4063a9b7efe87590de5f4 ]
+
+snprintf() returns the number of bytes it would have printed if there
+were space. But it does not count the NUL terminator. So that means
+that if "count == copied" then this has already overflowed by one
+character.
+
+This bug likely isn't super harmful in real life.
+
+Link: https://lkml.kernel.org/r/20210916130404.GA25094@kili
+Fixes: c0265342bff4 ("zram: introduce zram memory tracking")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/zram/zram_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c
+index 7dce17fd59baa..0636df6b67db6 100644
+--- a/drivers/block/zram/zram_drv.c
++++ b/drivers/block/zram/zram_drv.c
+@@ -907,7 +907,7 @@ static ssize_t read_block_state(struct file *file, char __user *buf,
+ zram_test_flag(zram, index, ZRAM_HUGE) ? 'h' : '.',
+ zram_test_flag(zram, index, ZRAM_IDLE) ? 'i' : '.');
+
+- if (count < copied) {
++ if (count <= copied) {
+ zram_slot_unlock(zram, index);
+ break;
+ }
+--
+2.33.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
