--- /dev/null
+From 378081dae0436f26e18144452cdf43d4f85c5987 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Aug 2021 19:23:08 +0200
+Subject: ARM: dts: imx53-ppd: Fix ACHC entry
+
+From: Sebastian Reichel <sebastian.reichel@collabora.com>
+
+[ Upstream commit cd7cd5b716d594e27a933c12f026d4f2426d7bf4 ]
+
+PPD has only one ACHC device, which effectively is a Kinetis
+microcontroller. It has one SPI interface used for normal
+communication. Additionally it's possible to flash the device
+firmware using NXP's EzPort protocol by correctly driving a
+second chip select pin and the device reset pin.
+
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Link: https://lore.kernel.org/r/20210802172309.164365-3-sebastian.reichel@collabora.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx53-ppd.dts | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/arch/arm/boot/dts/imx53-ppd.dts b/arch/arm/boot/dts/imx53-ppd.dts
+index 5ff9a179c83c..c80d1700e094 100644
+--- a/arch/arm/boot/dts/imx53-ppd.dts
++++ b/arch/arm/boot/dts/imx53-ppd.dts
+@@ -70,6 +70,12 @@ cko2_11M: sgtl-clock-cko2 {
+ clock-frequency = <11289600>;
+ };
+
++ achc_24M: achc-clock {
++ compatible = "fixed-clock";
++ #clock-cells = <0>;
++ clock-frequency = <24000000>;
++ };
++
+ sgtlsound: sound {
+ compatible = "fsl,imx53-cpuvo-sgtl5000",
+ "fsl,imx-audio-sgtl5000";
+@@ -287,16 +293,13 @@ &gpio4 11 GPIO_ACTIVE_LOW
+ &gpio4 12 GPIO_ACTIVE_LOW>;
+ status = "okay";
+
+- spidev0: spi@0 {
+- compatible = "ge,achc";
+- reg = <0>;
+- spi-max-frequency = <1000000>;
+- };
+-
+- spidev1: spi@1 {
+- compatible = "ge,achc";
+- reg = <1>;
+- spi-max-frequency = <1000000>;
++ spidev0: spi@1 {
++ compatible = "ge,achc", "nxp,kinetis-k20";
++ reg = <1>, <0>;
++ vdd-supply = <®_3v3>;
++ vdda-supply = <®_3v3>;
++ clocks = <&achc_24M>;
++ reset-gpios = <&gpio3 6 GPIO_ACTIVE_LOW>;
+ };
+
+ gpioxra0: gpio@2 {
+--
+2.30.2
+
--- /dev/null
+From acd8020f65d2de9f18ddd3e838cdbf35178e5c1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jul 2021 15:14:53 +0200
+Subject: ARM: dts: qcom: apq8064: correct clock names
+
+From: David Heidelberg <david@ixit.cz>
+
+[ Upstream commit 0dc6c59892ead17a9febd11202c9f6794aac1895 ]
+
+Since new code doesn't take old clk names in account, it does fixes
+error:
+
+msm_dsi 4700000.mdss_dsi: dev_pm_opp_set_clkname: Couldn't find clock: -2
+
+and following kernel oops introduced by
+b0530eb1191 ("drm/msm/dpu: Use OPP API to set clk/perf state").
+
+Also removes warning about deprecated clock names.
+
+Tested against linux-5.10.y LTS on Nexus 7 2013.
+
+Reviewed-by: Brian Masney <masneyb@onstation.org>
+Signed-off-by: David Heidelberg <david@ixit.cz>
+Link: https://lore.kernel.org/r/20210707131453.24041-1-david@ixit.cz
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/qcom-apq8064.dtsi | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/boot/dts/qcom-apq8064.dtsi b/arch/arm/boot/dts/qcom-apq8064.dtsi
+index 8b79b4112ee1..2b075e287610 100644
+--- a/arch/arm/boot/dts/qcom-apq8064.dtsi
++++ b/arch/arm/boot/dts/qcom-apq8064.dtsi
+@@ -1261,9 +1261,9 @@ dsi0: mdss_dsi@4700000 {
+ <&mmcc DSI1_BYTE_CLK>,
+ <&mmcc DSI_PIXEL_CLK>,
+ <&mmcc DSI1_ESC_CLK>;
+- clock-names = "iface_clk", "bus_clk", "core_mmss_clk",
+- "src_clk", "byte_clk", "pixel_clk",
+- "core_clk";
++ clock-names = "iface", "bus", "core_mmss",
++ "src", "byte", "pixel",
++ "core";
+
+ assigned-clocks = <&mmcc DSI1_BYTE_SRC>,
+ <&mmcc DSI1_ESC_SRC>,
+--
+2.30.2
+
--- /dev/null
+From c0e4bf53524ca3f0445f97be6be362d69f0134ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jul 2021 16:42:26 +0200
+Subject: ARM: tegra: tamonten: Fix UART pad setting
+
+From: Andreas Obergschwandtner <andreas.obergschwandtner@gmail.com>
+
+[ Upstream commit 2270ad2f4e123336af685ecedd1618701cb4ca1e ]
+
+This patch fixes the tristate and pullup configuration for UART 1 to 3
+on the Tamonten SOM.
+
+Signed-off-by: Andreas Obergschwandtner <andreas.obergschwandtner@gmail.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/tegra20-tamonten.dtsi | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/arch/arm/boot/dts/tegra20-tamonten.dtsi b/arch/arm/boot/dts/tegra20-tamonten.dtsi
+index 20137fc578b1..394a6b4dc69d 100644
+--- a/arch/arm/boot/dts/tegra20-tamonten.dtsi
++++ b/arch/arm/boot/dts/tegra20-tamonten.dtsi
+@@ -185,8 +185,9 @@ conf_ata {
+ nvidia,pins = "ata", "atb", "atc", "atd", "ate",
+ "cdev1", "cdev2", "dap1", "dtb", "gma",
+ "gmb", "gmc", "gmd", "gme", "gpu7",
+- "gpv", "i2cp", "pta", "rm", "slxa",
+- "slxk", "spia", "spib", "uac";
++ "gpv", "i2cp", "irrx", "irtx", "pta",
++ "rm", "slxa", "slxk", "spia", "spib",
++ "uac";
+ nvidia,pull = <TEGRA_PIN_PULL_NONE>;
+ nvidia,tristate = <TEGRA_PIN_DISABLE>;
+ };
+@@ -211,7 +212,7 @@ conf_crtp {
+ conf_ddc {
+ nvidia,pins = "ddc", "dta", "dtd", "kbca",
+ "kbcb", "kbcc", "kbcd", "kbce", "kbcf",
+- "sdc";
++ "sdc", "uad", "uca";
+ nvidia,pull = <TEGRA_PIN_PULL_UP>;
+ nvidia,tristate = <TEGRA_PIN_DISABLE>;
+ };
+@@ -221,10 +222,9 @@ conf_hdint {
+ "lvp0", "owc", "sdb";
+ nvidia,tristate = <TEGRA_PIN_ENABLE>;
+ };
+- conf_irrx {
+- nvidia,pins = "irrx", "irtx", "sdd", "spic",
+- "spie", "spih", "uaa", "uab", "uad",
+- "uca", "ucb";
++ conf_sdd {
++ nvidia,pins = "sdd", "spic", "spie", "spih",
++ "uaa", "uab", "ucb";
+ nvidia,pull = <TEGRA_PIN_PULL_UP>;
+ nvidia,tristate = <TEGRA_PIN_ENABLE>;
+ };
+--
+2.30.2
+
--- /dev/null
+From 4a414b295a2365886635c8c06bf3e5f33e191624 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Aug 2021 00:54:45 +0530
+Subject: arm64: dts: ls1046a: fix eeprom entries
+
+From: Raag Jadav <raagjadav@gmail.com>
+
+[ Upstream commit c1a6018d1839c9cb8f807dc863a50102a1a5c412 ]
+
+ls1046afrwy and ls1046ardb boards have CAT24C04[1] and CAT24C05[2]
+eeproms respectively. Both are 4Kb (512 bytes) in size,
+and compatible with AT24C04[3].
+Remove multi-address entries, as both the boards have a single chip each.
+
+[1] https://www.onsemi.com/pdf/datasheet/cat24c01-d.pdf
+[2] https://www.onsemi.com/pdf/datasheet/cat24c03-d.pdf
+[3] https://ww1.microchip.com/downloads/en/DeviceDoc/doc0180.pdf
+
+Signed-off-by: Raag Jadav <raagjadav@gmail.com>
+Acked-by: Li Yang <leoyang.li@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/fsl-ls1046a-frwy.dts | 8 +-------
+ arch/arm64/boot/dts/freescale/fsl-ls1046a-rdb.dts | 7 +------
+ 2 files changed, 2 insertions(+), 13 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/fsl-ls1046a-frwy.dts b/arch/arm64/boot/dts/freescale/fsl-ls1046a-frwy.dts
+index 3595be0f2527..2d6c73d7d397 100644
+--- a/arch/arm64/boot/dts/freescale/fsl-ls1046a-frwy.dts
++++ b/arch/arm64/boot/dts/freescale/fsl-ls1046a-frwy.dts
+@@ -83,15 +83,9 @@ rtc@51 {
+ };
+
+ eeprom@52 {
+- compatible = "atmel,24c512";
++ compatible = "onnn,cat24c04", "atmel,24c04";
+ reg = <0x52>;
+ };
+-
+- eeprom@53 {
+- compatible = "atmel,24c512";
+- reg = <0x53>;
+- };
+-
+ };
+ };
+ };
+diff --git a/arch/arm64/boot/dts/freescale/fsl-ls1046a-rdb.dts b/arch/arm64/boot/dts/freescale/fsl-ls1046a-rdb.dts
+index 274339759114..8858c1e92f23 100644
+--- a/arch/arm64/boot/dts/freescale/fsl-ls1046a-rdb.dts
++++ b/arch/arm64/boot/dts/freescale/fsl-ls1046a-rdb.dts
+@@ -58,14 +58,9 @@ temp-sensor@4c {
+ };
+
+ eeprom@52 {
+- compatible = "atmel,24c512";
++ compatible = "onnn,cat24c05", "atmel,24c04";
+ reg = <0x52>;
+ };
+-
+- eeprom@53 {
+- compatible = "atmel,24c512";
+- reg = <0x53>;
+- };
+ };
+
+ &i2c3 {
+--
+2.30.2
+
--- /dev/null
+From 04557918d01440617183060b4bdd63948eb0de63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Mar 2021 11:38:25 +0530
+Subject: arm64: dts: qcom: sdm660: use reg value for memory node
+
+From: Vinod Koul <vkoul@kernel.org>
+
+[ Upstream commit c81210e38966cfa1c784364e4035081c3227cf5b ]
+
+memory node like other node should be node@reg, which is missing in this
+case, so fix it up
+
+arch/arm64/boot/dts/qcom/ipq8074-hk01.dt.yaml: /: memory: False schema does not allow {'device_type': ['memory'], 'reg': [[0, 1073741824, 0, 536870912]]}
+
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Link: https://lore.kernel.org/r/20210308060826.3074234-18-vkoul@kernel.org
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/ipq8074-hk01.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/ipq8074-hk01.dts b/arch/arm64/boot/dts/qcom/ipq8074-hk01.dts
+index 70be3f95209b..830d9f2c1e5f 100644
+--- a/arch/arm64/boot/dts/qcom/ipq8074-hk01.dts
++++ b/arch/arm64/boot/dts/qcom/ipq8074-hk01.dts
+@@ -20,7 +20,7 @@ chosen {
+ stdout-path = "serial0";
+ };
+
+- memory {
++ memory@40000000 {
+ device_type = "memory";
+ reg = <0x0 0x40000000 0x0 0x20000000>;
+ };
+--
+2.30.2
+
--- /dev/null
+From f3507d00a0b09bdf32362b54ea62456cea9630e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jun 2021 15:44:22 +0200
+Subject: arm64: tegra: Fix compatible string for Tegra132 CPUs
+
+From: Thierry Reding <treding@nvidia.com>
+
+[ Upstream commit f865d0292ff3c0ca09414436510eb4c815815509 ]
+
+The documented compatible string for the CPUs found on Tegra132 is
+"nvidia,tegra132-denver", rather than the previously used compatible
+string "nvidia,denver".
+
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/nvidia/tegra132.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/nvidia/tegra132.dtsi b/arch/arm64/boot/dts/nvidia/tegra132.dtsi
+index 631a7f77c386..0b3eb8c0b8df 100644
+--- a/arch/arm64/boot/dts/nvidia/tegra132.dtsi
++++ b/arch/arm64/boot/dts/nvidia/tegra132.dtsi
+@@ -1082,13 +1082,13 @@ cpus {
+
+ cpu@0 {
+ device_type = "cpu";
+- compatible = "nvidia,denver";
++ compatible = "nvidia,tegra132-denver";
+ reg = <0>;
+ };
+
+ cpu@1 {
+ device_type = "cpu";
+- compatible = "nvidia,denver";
++ compatible = "nvidia,tegra132-denver";
+ reg = <1>;
+ };
+ };
+--
+2.30.2
+
--- /dev/null
+From 179e79904094823102bb2fb84a69dc809a352078 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Jul 2021 00:20:55 +0530
+Subject: arm64: tegra: Fix Tegra194 PCIe EP compatible string
+
+From: Vidya Sagar <vidyas@nvidia.com>
+
+[ Upstream commit bf2942a8b7c38e8cc2d5157b4f0323d7f4e5ec71 ]
+
+The initialization sequence performed by the generic platform driver
+pcie-designware-plat.c for a DWC based implementation doesn't work for
+Tegra194. Tegra194 has a different initialization sequence requirement
+which can only be satisfied by the Tegra194 specific platform driver
+pcie-tegra194.c. So, remove the generic compatible string "snps,dw-pcie-ep"
+from Tegra194's endpoint controller nodes.
+
+Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
+Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/nvidia/tegra194.dtsi | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/nvidia/tegra194.dtsi b/arch/arm64/boot/dts/nvidia/tegra194.dtsi
+index 0821754f0fd6..90adff8aa9ba 100644
+--- a/arch/arm64/boot/dts/nvidia/tegra194.dtsi
++++ b/arch/arm64/boot/dts/nvidia/tegra194.dtsi
+@@ -1434,7 +1434,7 @@ pcie@141a0000 {
+ };
+
+ pcie_ep@14160000 {
+- compatible = "nvidia,tegra194-pcie-ep", "snps,dw-pcie-ep";
++ compatible = "nvidia,tegra194-pcie-ep";
+ power-domains = <&bpmp TEGRA194_POWER_DOMAIN_PCIEX4A>;
+ reg = <0x00 0x14160000 0x0 0x00020000 /* appl registers (128K) */
+ 0x00 0x36040000 0x0 0x00040000 /* iATU_DMA reg space (256K) */
+@@ -1466,7 +1466,7 @@ pcie_ep@14160000 {
+ };
+
+ pcie_ep@14180000 {
+- compatible = "nvidia,tegra194-pcie-ep", "snps,dw-pcie-ep";
++ compatible = "nvidia,tegra194-pcie-ep";
+ power-domains = <&bpmp TEGRA194_POWER_DOMAIN_PCIEX8B>;
+ reg = <0x00 0x14180000 0x0 0x00020000 /* appl registers (128K) */
+ 0x00 0x38040000 0x0 0x00040000 /* iATU_DMA reg space (256K) */
+@@ -1498,7 +1498,7 @@ pcie_ep@14180000 {
+ };
+
+ pcie_ep@141a0000 {
+- compatible = "nvidia,tegra194-pcie-ep", "snps,dw-pcie-ep";
++ compatible = "nvidia,tegra194-pcie-ep";
+ power-domains = <&bpmp TEGRA194_POWER_DOMAIN_PCIEX8A>;
+ reg = <0x00 0x141a0000 0x0 0x00020000 /* appl registers (128K) */
+ 0x00 0x3a040000 0x0 0x00040000 /* iATU_DMA reg space (256K) */
+--
+2.30.2
+
--- /dev/null
+From 2bb8b3b2d307d7966cf383e2a97005f87bdcd9f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jul 2021 14:47:52 -0700
+Subject: ASoC: atmel: ATMEL drivers don't need HAS_DMA
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 6c5c659dfe3f02e08054a6c20019e3886618b512 ]
+
+On a config (such as arch/sh/) which does not set HAS_DMA when MMU
+is not set, several ATMEL ASoC drivers select symbols that cause
+kconfig warnings. There is one "depends on HAS_DMA" which is no longer
+needed. Dropping it eliminates the kconfig warnings and still builds
+with no problems reported.
+
+Fix the following kconfig warnings:
+
+WARNING: unmet direct dependencies detected for SND_ATMEL_SOC_PDC
+ Depends on [n]: SOUND [=m] && !UML && SND [=m] && SND_SOC [=m] && SND_ATMEL_SOC [=m] && HAS_DMA [=n]
+ Selected by [m]:
+ - SND_ATMEL_SOC_SSC [=m] && SOUND [=m] && !UML && SND [=m] && SND_SOC [=m] && SND_ATMEL_SOC [=m]
+ - SND_ATMEL_SOC_SSC_PDC [=m] && SOUND [=m] && !UML && SND [=m] && SND_SOC [=m] && SND_ATMEL_SOC [=m] && ATMEL_SSC [=m]
+
+WARNING: unmet direct dependencies detected for SND_ATMEL_SOC_SSC_PDC
+ Depends on [n]: SOUND [=m] && !UML && SND [=m] && SND_SOC [=m] && SND_ATMEL_SOC [=m] && ATMEL_SSC [=m] && HAS_DMA [=n]
+ Selected by [m]:
+ - SND_AT91_SOC_SAM9G20_WM8731 [=m] && SOUND [=m] && !UML && SND [=m] && SND_SOC [=m] && SND_ATMEL_SOC [=m] && (ARCH_AT91 || COMPILE_TEST [=y]) && ATMEL_SSC [=m] && SND_SOC_I2C_AND_SPI [=m]
+
+WARNING: unmet direct dependencies detected for SND_ATMEL_SOC_SSC
+ Depends on [n]: SOUND [=m] && !UML && SND [=m] && SND_SOC [=m] && SND_ATMEL_SOC [=m] && HAS_DMA [=n]
+ Selected by [m]:
+ - SND_ATMEL_SOC_SSC_DMA [=m] && SOUND [=m] && !UML && SND [=m] && SND_SOC [=m] && SND_ATMEL_SOC [=m] && ATMEL_SSC [=m]
+
+WARNING: unmet direct dependencies detected for SND_ATMEL_SOC_SSC_DMA
+ Depends on [n]: SOUND [=m] && !UML && SND [=m] && SND_SOC [=m] && SND_ATMEL_SOC [=m] && ATMEL_SSC [=m] && HAS_DMA [=n]
+ Selected by [m]:
+ - SND_ATMEL_SOC_WM8904 [=m] && SOUND [=m] && !UML && SND [=m] && SND_SOC [=m] && SND_ATMEL_SOC [=m] && (ARCH_AT91 || COMPILE_TEST [=y]) && ATMEL_SSC [=m] && I2C [=m]
+ - SND_AT91_SOC_SAM9X5_WM8731 [=m] && SOUND [=m] && !UML && SND [=m] && SND_SOC [=m] && SND_ATMEL_SOC [=m] && (ARCH_AT91 || COMPILE_TEST [=y]) && ATMEL_SSC [=m] && SND_SOC_I2C_AND_SPI [=m]
+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reviewed-by: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
+Acked-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Link: https://lore.kernel.org/r/20210707214752.3831-1-rdunlap@infradead.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/atmel/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/sound/soc/atmel/Kconfig b/sound/soc/atmel/Kconfig
+index 71f2d42188c4..51e75b781968 100644
+--- a/sound/soc/atmel/Kconfig
++++ b/sound/soc/atmel/Kconfig
+@@ -11,7 +11,6 @@ if SND_ATMEL_SOC
+
+ config SND_ATMEL_SOC_PDC
+ bool
+- depends on HAS_DMA
+
+ config SND_ATMEL_SOC_DMA
+ bool
+--
+2.30.2
+
--- /dev/null
+From 643de216f2612cc9c5697f7ce3c7ce42f7b2d780 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Aug 2021 16:24:56 +0200
+Subject: ASoC: Intel: bytcr_rt5640: Move "Platform Clock" routes to the maps
+ for the matching in-/output
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit dccd1dfd0770bfd494b68d1135b4547b2c602c42 ]
+
+Move the "Platform Clock" routes for the "Internal Mic" and "Speaker"
+routes to the intmic_*_map[] / *_spk_map[] arrays.
+
+This ensures that these "Platform Clock" routes do not get added when the
+BYT_RT5640_NO_INTERNAL_MIC_MAP / BYT_RT5640_NO_SPEAKERS quirks are used.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20210802142501.991985-2-hdegoede@redhat.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/boards/bytcr_rt5640.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c
+index c67b86e2d0c0..7830d014d924 100644
+--- a/sound/soc/intel/boards/bytcr_rt5640.c
++++ b/sound/soc/intel/boards/bytcr_rt5640.c
+@@ -284,9 +284,6 @@ static const struct snd_soc_dapm_widget byt_rt5640_widgets[] = {
+ static const struct snd_soc_dapm_route byt_rt5640_audio_map[] = {
+ {"Headphone", NULL, "Platform Clock"},
+ {"Headset Mic", NULL, "Platform Clock"},
+- {"Internal Mic", NULL, "Platform Clock"},
+- {"Speaker", NULL, "Platform Clock"},
+-
+ {"Headset Mic", NULL, "MICBIAS1"},
+ {"IN2P", NULL, "Headset Mic"},
+ {"Headphone", NULL, "HPOL"},
+@@ -294,19 +291,23 @@ static const struct snd_soc_dapm_route byt_rt5640_audio_map[] = {
+ };
+
+ static const struct snd_soc_dapm_route byt_rt5640_intmic_dmic1_map[] = {
++ {"Internal Mic", NULL, "Platform Clock"},
+ {"DMIC1", NULL, "Internal Mic"},
+ };
+
+ static const struct snd_soc_dapm_route byt_rt5640_intmic_dmic2_map[] = {
++ {"Internal Mic", NULL, "Platform Clock"},
+ {"DMIC2", NULL, "Internal Mic"},
+ };
+
+ static const struct snd_soc_dapm_route byt_rt5640_intmic_in1_map[] = {
++ {"Internal Mic", NULL, "Platform Clock"},
+ {"Internal Mic", NULL, "MICBIAS1"},
+ {"IN1P", NULL, "Internal Mic"},
+ };
+
+ static const struct snd_soc_dapm_route byt_rt5640_intmic_in3_map[] = {
++ {"Internal Mic", NULL, "Platform Clock"},
+ {"Internal Mic", NULL, "MICBIAS1"},
+ {"IN3P", NULL, "Internal Mic"},
+ };
+@@ -348,6 +349,7 @@ static const struct snd_soc_dapm_route byt_rt5640_ssp0_aif2_map[] = {
+ };
+
+ static const struct snd_soc_dapm_route byt_rt5640_stereo_spk_map[] = {
++ {"Speaker", NULL, "Platform Clock"},
+ {"Speaker", NULL, "SPOLP"},
+ {"Speaker", NULL, "SPOLN"},
+ {"Speaker", NULL, "SPORP"},
+@@ -355,6 +357,7 @@ static const struct snd_soc_dapm_route byt_rt5640_stereo_spk_map[] = {
+ };
+
+ static const struct snd_soc_dapm_route byt_rt5640_mono_spk_map[] = {
++ {"Speaker", NULL, "Platform Clock"},
+ {"Speaker", NULL, "SPOLP"},
+ {"Speaker", NULL, "SPOLN"},
+ };
+--
+2.30.2
+
--- /dev/null
+From c052e04b504e02a2e19e80187926082a2e63904b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Aug 2021 09:57:36 +0200
+Subject: ASoC: Intel: Skylake: Fix module configuration for KPB and MIXER
+
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+
+[ Upstream commit e4e0633bcadc950b4b4af06c7f1bb7f7e3e86321 ]
+
+KeyPhrasebuffer, Mixin and Mixout modules configuration is described by
+firmware's basic module configuration structure. There are no extended
+parameters required. Update functions taking part in building
+INIT_INSTANCE IPC payload to reflect that.
+
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Tested-by: Lukasz Majczak <lma@semihalf.com>
+Link: https://lore.kernel.org/r/20210818075742.1515155-6-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/skylake/skl-messages.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/intel/skylake/skl-messages.c b/sound/soc/intel/skylake/skl-messages.c
+index 476ef1897961..79c6cf2c14bf 100644
+--- a/sound/soc/intel/skylake/skl-messages.c
++++ b/sound/soc/intel/skylake/skl-messages.c
+@@ -802,9 +802,12 @@ static u16 skl_get_module_param_size(struct skl_dev *skl,
+
+ case SKL_MODULE_TYPE_BASE_OUTFMT:
+ case SKL_MODULE_TYPE_MIC_SELECT:
+- case SKL_MODULE_TYPE_KPB:
+ return sizeof(struct skl_base_outfmt_cfg);
+
++ case SKL_MODULE_TYPE_MIXER:
++ case SKL_MODULE_TYPE_KPB:
++ return sizeof(struct skl_base_cfg);
++
+ default:
+ /*
+ * return only base cfg when no specific module type is
+@@ -857,10 +860,14 @@ static int skl_set_module_format(struct skl_dev *skl,
+
+ case SKL_MODULE_TYPE_BASE_OUTFMT:
+ case SKL_MODULE_TYPE_MIC_SELECT:
+- case SKL_MODULE_TYPE_KPB:
+ skl_set_base_outfmt_format(skl, module_config, *param_data);
+ break;
+
++ case SKL_MODULE_TYPE_MIXER:
++ case SKL_MODULE_TYPE_KPB:
++ skl_set_base_module_format(skl, module_config, *param_data);
++ break;
++
+ default:
+ skl_set_base_module_format(skl, module_config, *param_data);
+ break;
+--
+2.30.2
+
--- /dev/null
+From 9ae67f23e507a506fabc5b11a253b315c2aed5b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Aug 2021 09:57:37 +0200
+Subject: ASoC: Intel: Skylake: Fix passing loadable flag for module
+
+From: Gustaw Lewandowski <gustaw.lewandowski@linux.intel.com>
+
+[ Upstream commit c5ed9c547cba1dc1238c6e8a0c290fd62ee6e127 ]
+
+skl_get_module_info() tries to set mconfig->module->loadable before
+mconfig->module has been assigned thus flag was always set to false
+and driver did not try to load module binaries.
+
+Signed-off-by: Gustaw Lewandowski <gustaw.lewandowski@linux.intel.com>
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Tested-by: Lukasz Majczak <lma@semihalf.com>
+Link: https://lore.kernel.org/r/20210818075742.1515155-7-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/skylake/skl-pcm.c | 25 +++++++++----------------
+ 1 file changed, 9 insertions(+), 16 deletions(-)
+
+diff --git a/sound/soc/intel/skylake/skl-pcm.c b/sound/soc/intel/skylake/skl-pcm.c
+index 7f287424af9b..439dd4ba690c 100644
+--- a/sound/soc/intel/skylake/skl-pcm.c
++++ b/sound/soc/intel/skylake/skl-pcm.c
+@@ -1333,21 +1333,6 @@ static int skl_get_module_info(struct skl_dev *skl,
+ return -EIO;
+ }
+
+- list_for_each_entry(module, &skl->uuid_list, list) {
+- if (guid_equal(uuid_mod, &module->uuid)) {
+- mconfig->id.module_id = module->id;
+- if (mconfig->module)
+- mconfig->module->loadable = module->is_loadable;
+- ret = 0;
+- break;
+- }
+- }
+-
+- if (ret)
+- return ret;
+-
+- uuid_mod = &module->uuid;
+- ret = -EIO;
+ for (i = 0; i < skl->nr_modules; i++) {
+ skl_module = skl->modules[i];
+ uuid_tplg = &skl_module->uuid;
+@@ -1357,10 +1342,18 @@ static int skl_get_module_info(struct skl_dev *skl,
+ break;
+ }
+ }
++
+ if (skl->nr_modules && ret)
+ return ret;
+
++ ret = -EIO;
+ list_for_each_entry(module, &skl->uuid_list, list) {
++ if (guid_equal(uuid_mod, &module->uuid)) {
++ mconfig->id.module_id = module->id;
++ mconfig->module->loadable = module->is_loadable;
++ ret = 0;
++ }
++
+ for (i = 0; i < MAX_IN_QUEUE; i++) {
+ pin_id = &mconfig->m_in_pin[i].id;
+ if (guid_equal(&pin_id->mod_uuid, &module->uuid))
+@@ -1374,7 +1367,7 @@ static int skl_get_module_info(struct skl_dev *skl,
+ }
+ }
+
+- return 0;
++ return ret;
+ }
+
+ static int skl_populate_modules(struct skl_dev *skl)
+--
+2.30.2
+
--- /dev/null
+From b67e8c3fb4f433517a1dd6ea305c9c03df8efc37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Aug 2021 12:01:50 +0800
+Subject: ASoC: rockchip: i2s: Fix regmap_ops hang
+
+From: Sugar Zhang <sugar.zhang@rock-chips.com>
+
+[ Upstream commit 53ca9b9777b95cdd689181d7c547e38dc79adad0 ]
+
+API 'set_fmt' maybe called when PD is off, in the situation,
+any register access will hang the system. so, enable PD
+before r/w register.
+
+Signed-off-by: Sugar Zhang <sugar.zhang@rock-chips.com>
+Link: https://lore.kernel.org/r/1629950520-14190-4-git-send-email-sugar.zhang@rock-chips.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/rockchip/rockchip_i2s.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/sound/soc/rockchip/rockchip_i2s.c b/sound/soc/rockchip/rockchip_i2s.c
+index 61c984f10d8e..f48b146cd96a 100644
+--- a/sound/soc/rockchip/rockchip_i2s.c
++++ b/sound/soc/rockchip/rockchip_i2s.c
+@@ -186,7 +186,9 @@ static int rockchip_i2s_set_fmt(struct snd_soc_dai *cpu_dai,
+ {
+ struct rk_i2s_dev *i2s = to_info(cpu_dai);
+ unsigned int mask = 0, val = 0;
++ int ret = 0;
+
++ pm_runtime_get_sync(cpu_dai->dev);
+ mask = I2S_CKR_MSS_MASK;
+ switch (fmt & SND_SOC_DAIFMT_MASTER_MASK) {
+ case SND_SOC_DAIFMT_CBS_CFS:
+@@ -199,7 +201,8 @@ static int rockchip_i2s_set_fmt(struct snd_soc_dai *cpu_dai,
+ i2s->is_master_mode = false;
+ break;
+ default:
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err_pm_put;
+ }
+
+ regmap_update_bits(i2s->regmap, I2S_CKR, mask, val);
+@@ -213,7 +216,8 @@ static int rockchip_i2s_set_fmt(struct snd_soc_dai *cpu_dai,
+ val = I2S_CKR_CKP_POS;
+ break;
+ default:
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err_pm_put;
+ }
+
+ regmap_update_bits(i2s->regmap, I2S_CKR, mask, val);
+@@ -236,7 +240,8 @@ static int rockchip_i2s_set_fmt(struct snd_soc_dai *cpu_dai,
+ val = I2S_TXCR_TFS_PCM | I2S_TXCR_PBM_MODE(1);
+ break;
+ default:
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err_pm_put;
+ }
+
+ regmap_update_bits(i2s->regmap, I2S_TXCR, mask, val);
+@@ -259,12 +264,16 @@ static int rockchip_i2s_set_fmt(struct snd_soc_dai *cpu_dai,
+ val = I2S_RXCR_TFS_PCM | I2S_RXCR_PBM_MODE(1);
+ break;
+ default:
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err_pm_put;
+ }
+
+ regmap_update_bits(i2s->regmap, I2S_RXCR, mask, val);
+
+- return 0;
++err_pm_put:
++ pm_runtime_put(cpu_dai->dev);
++
++ return ret;
+ }
+
+ static int rockchip_i2s_hw_params(struct snd_pcm_substream *substream,
+--
+2.30.2
+
--- /dev/null
+From 15bbd4fef4e099fd61662215743a8031e37de3b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Aug 2021 12:02:36 +0800
+Subject: ASoC: rockchip: i2s: Fixup config for DAIFMT_DSP_A/B
+
+From: Xiaotan Luo <lxt@rock-chips.com>
+
+[ Upstream commit 1bf56843e664eef2525bdbfae6a561e98910f676 ]
+
+- DSP_A: PCM delay 1 bit mode, L data MSB after FRM LRC
+- DSP_B: PCM no delay mode, L data MSB during FRM LRC
+
+Signed-off-by: Xiaotan Luo <lxt@rock-chips.com>
+Signed-off-by: Sugar Zhang <sugar.zhang@rock-chips.com>
+Link: https://lore.kernel.org/r/1629950562-14281-3-git-send-email-sugar.zhang@rock-chips.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/rockchip/rockchip_i2s.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/sound/soc/rockchip/rockchip_i2s.c b/sound/soc/rockchip/rockchip_i2s.c
+index f48b146cd96a..086c90e09577 100644
+--- a/sound/soc/rockchip/rockchip_i2s.c
++++ b/sound/soc/rockchip/rockchip_i2s.c
+@@ -233,12 +233,12 @@ static int rockchip_i2s_set_fmt(struct snd_soc_dai *cpu_dai,
+ case SND_SOC_DAIFMT_I2S:
+ val = I2S_TXCR_IBM_NORMAL;
+ break;
+- case SND_SOC_DAIFMT_DSP_A: /* PCM no delay mode */
+- val = I2S_TXCR_TFS_PCM;
+- break;
+- case SND_SOC_DAIFMT_DSP_B: /* PCM delay 1 mode */
++ case SND_SOC_DAIFMT_DSP_A: /* PCM delay 1 bit mode */
+ val = I2S_TXCR_TFS_PCM | I2S_TXCR_PBM_MODE(1);
+ break;
++ case SND_SOC_DAIFMT_DSP_B: /* PCM no delay mode */
++ val = I2S_TXCR_TFS_PCM;
++ break;
+ default:
+ ret = -EINVAL;
+ goto err_pm_put;
+@@ -257,12 +257,12 @@ static int rockchip_i2s_set_fmt(struct snd_soc_dai *cpu_dai,
+ case SND_SOC_DAIFMT_I2S:
+ val = I2S_RXCR_IBM_NORMAL;
+ break;
+- case SND_SOC_DAIFMT_DSP_A: /* PCM no delay mode */
+- val = I2S_RXCR_TFS_PCM;
+- break;
+- case SND_SOC_DAIFMT_DSP_B: /* PCM delay 1 mode */
++ case SND_SOC_DAIFMT_DSP_A: /* PCM delay 1 bit mode */
+ val = I2S_RXCR_TFS_PCM | I2S_RXCR_PBM_MODE(1);
+ break;
++ case SND_SOC_DAIFMT_DSP_B: /* PCM no delay mode */
++ val = I2S_RXCR_TFS_PCM;
++ break;
+ default:
+ ret = -EINVAL;
+ goto err_pm_put;
+--
+2.30.2
+
--- /dev/null
+From b03ceebbc1e99631421978cc30edd03ad404eea8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jul 2021 15:51:30 +0300
+Subject: ata: sata_dwc_460ex: No need to call phy_exit() befre phy_init()
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 3ad4a31620355358316fa08fcfab37b9d6c33347 ]
+
+Last change to device managed APIs cleaned up error path to simple phy_exit()
+call, which in some cases has been executed with NULL parameter. This per se
+is not a problem, but rather logical misconception: no need to free resource
+when it's for sure has not been allocated yet. Fix the driver accordingly.
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20210727125130.19977-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/sata_dwc_460ex.c | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/ata/sata_dwc_460ex.c b/drivers/ata/sata_dwc_460ex.c
+index 9dcef6ac643b..982fe9112532 100644
+--- a/drivers/ata/sata_dwc_460ex.c
++++ b/drivers/ata/sata_dwc_460ex.c
+@@ -1249,24 +1249,20 @@ static int sata_dwc_probe(struct platform_device *ofdev)
+ irq = irq_of_parse_and_map(np, 0);
+ if (irq == NO_IRQ) {
+ dev_err(&ofdev->dev, "no SATA DMA irq\n");
+- err = -ENODEV;
+- goto error_out;
++ return -ENODEV;
+ }
+
+ #ifdef CONFIG_SATA_DWC_OLD_DMA
+ if (!of_find_property(np, "dmas", NULL)) {
+ err = sata_dwc_dma_init_old(ofdev, hsdev);
+ if (err)
+- goto error_out;
++ return err;
+ }
+ #endif
+
+ hsdev->phy = devm_phy_optional_get(hsdev->dev, "sata-phy");
+- if (IS_ERR(hsdev->phy)) {
+- err = PTR_ERR(hsdev->phy);
+- hsdev->phy = NULL;
+- goto error_out;
+- }
++ if (IS_ERR(hsdev->phy))
++ return PTR_ERR(hsdev->phy);
+
+ err = phy_init(hsdev->phy);
+ if (err)
+--
+2.30.2
+
--- /dev/null
+From f0868f93a81bf13025a08f6f6fe3143aa35eb135 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Jun 2021 09:29:14 -0400
+Subject: ath9k: fix OOB read ar9300_eeprom_restore_internal
+
+From: Zekun Shen <bruceshenzk@gmail.com>
+
+[ Upstream commit 23151b9ae79e3bc4f6a0c4cd3a7f355f68dad128 ]
+
+Bad header can have large length field which can cause OOB.
+cptr is the last bytes for read, and the eeprom is parsed
+from high to low address. The OOB, triggered by the condition
+length > cptr could cause memory error with a read on
+negative index.
+
+There are some sanity check around length, but it is not
+compared with cptr (the remaining bytes). Here, the
+corrupted/bad EEPROM can cause panic.
+
+I was able to reproduce the crash, but I cannot find the
+log and the reproducer now. After I applied the patch, the
+bug is no longer reproducible.
+
+Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/YM3xKsQJ0Hw2hjrc@Zekuns-MBP-16.fios-router.home
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/ar9003_eeprom.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
+index b4885a700296..b0a4ca3559fd 100644
+--- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
++++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
+@@ -3351,7 +3351,8 @@ static int ar9300_eeprom_restore_internal(struct ath_hw *ah,
+ "Found block at %x: code=%d ref=%d length=%d major=%d minor=%d\n",
+ cptr, code, reference, length, major, minor);
+ if ((!AR_SREV_9485(ah) && length >= 1024) ||
+- (AR_SREV_9485(ah) && length > EEPROM_DATA_LEN_9485)) {
++ (AR_SREV_9485(ah) && length > EEPROM_DATA_LEN_9485) ||
++ (length > cptr)) {
+ ath_dbg(common, EEPROM, "Skipping bad header\n");
+ cptr -= COMP_HDR_LEN;
+ continue;
+--
+2.30.2
+
--- /dev/null
+From 8ff1e0ad9dfe9cb4602be1a24cc8485f424bfeb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 12:05:16 +0800
+Subject: ath9k: fix sleeping in atomic context
+
+From: Miaoqing Pan <miaoqing@codeaurora.org>
+
+[ Upstream commit 7c48662b9d56666219f526a71ace8c15e6e12f1f ]
+
+The problem is that gpio_free() can sleep and the cfg_soc() can be
+called with spinlocks held. One problematic call tree is:
+
+--> ath_reset_internal() takes &sc->sc_pcu_lock spin lock
+ --> ath9k_hw_reset()
+ --> ath9k_hw_gpio_request_in()
+ --> ath9k_hw_gpio_request()
+ --> ath9k_hw_gpio_cfg_soc()
+
+Remove gpio_free(), use error message instead, so we should make sure
+there is no GPIO conflict.
+
+Also remove ath9k_hw_gpio_free() from ath9k_hw_apply_gpio_override(),
+as gpio_mask will never be set for SOC chips.
+
+Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1628481916-15030-1-git-send-email-miaoqing@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/hw.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/hw.c b/drivers/net/wireless/ath/ath9k/hw.c
+index 9fd8e64288ff..7e2e22b6bbbc 100644
+--- a/drivers/net/wireless/ath/ath9k/hw.c
++++ b/drivers/net/wireless/ath/ath9k/hw.c
+@@ -1622,7 +1622,6 @@ static void ath9k_hw_apply_gpio_override(struct ath_hw *ah)
+ ath9k_hw_gpio_request_out(ah, i, NULL,
+ AR_GPIO_OUTPUT_MUX_AS_OUTPUT);
+ ath9k_hw_set_gpio(ah, i, !!(ah->gpio_val & BIT(i)));
+- ath9k_hw_gpio_free(ah, i);
+ }
+ }
+
+@@ -2730,14 +2729,17 @@ static void ath9k_hw_gpio_cfg_output_mux(struct ath_hw *ah, u32 gpio, u32 type)
+ static void ath9k_hw_gpio_cfg_soc(struct ath_hw *ah, u32 gpio, bool out,
+ const char *label)
+ {
++ int err;
++
+ if (ah->caps.gpio_requested & BIT(gpio))
+ return;
+
+- /* may be requested by BSP, free anyway */
+- gpio_free(gpio);
+-
+- if (gpio_request_one(gpio, out ? GPIOF_OUT_INIT_LOW : GPIOF_IN, label))
++ err = gpio_request_one(gpio, out ? GPIOF_OUT_INIT_LOW : GPIOF_IN, label);
++ if (err) {
++ ath_err(ath9k_hw_common(ah), "request GPIO%d failed:%d\n",
++ gpio, err);
+ return;
++ }
+
+ ah->caps.gpio_requested |= BIT(gpio);
+ }
+--
+2.30.2
+
--- /dev/null
+From 2a459fd8cbb95f763e8a33b69ea1b3599330c2a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 12:14:06 +0800
+Subject: Bluetooth: avoid circular locks in sco_sock_connect
+
+From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+
+[ Upstream commit 734bc5ff783115aa3164f4e9dd5967ae78e0a8ab ]
+
+In a future patch, calls to bh_lock_sock in sco.c should be replaced
+by lock_sock now that none of the functions are run in IRQ context.
+
+However, doing so results in a circular locking dependency:
+
+======================================================
+WARNING: possible circular locking dependency detected
+5.14.0-rc4-syzkaller #0 Not tainted
+------------------------------------------------------
+syz-executor.2/14867 is trying to acquire lock:
+ffff88803e3c1120 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at:
+lock_sock include/net/sock.h:1613 [inline]
+ffff88803e3c1120 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at:
+sco_conn_del+0x12a/0x2a0 net/bluetooth/sco.c:191
+
+but task is already holding lock:
+ffffffff8d2dc7c8 (hci_cb_list_lock){+.+.}-{3:3}, at:
+hci_disconn_cfm include/net/bluetooth/hci_core.h:1497 [inline]
+ffffffff8d2dc7c8 (hci_cb_list_lock){+.+.}-{3:3}, at:
+hci_conn_hash_flush+0xda/0x260 net/bluetooth/hci_conn.c:1608
+
+which lock already depends on the new lock.
+
+the existing dependency chain (in reverse order) is:
+
+-> #2 (hci_cb_list_lock){+.+.}-{3:3}:
+ __mutex_lock_common kernel/locking/mutex.c:959 [inline]
+ __mutex_lock+0x12a/0x10a0 kernel/locking/mutex.c:1104
+ hci_connect_cfm include/net/bluetooth/hci_core.h:1482 [inline]
+ hci_remote_features_evt net/bluetooth/hci_event.c:3263 [inline]
+ hci_event_packet+0x2f4d/0x7c50 net/bluetooth/hci_event.c:6240
+ hci_rx_work+0x4f8/0xd30 net/bluetooth/hci_core.c:5122
+ process_one_work+0x98d/0x1630 kernel/workqueue.c:2276
+ worker_thread+0x658/0x11f0 kernel/workqueue.c:2422
+ kthread+0x3e5/0x4d0 kernel/kthread.c:319
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
+
+-> #1 (&hdev->lock){+.+.}-{3:3}:
+ __mutex_lock_common kernel/locking/mutex.c:959 [inline]
+ __mutex_lock+0x12a/0x10a0 kernel/locking/mutex.c:1104
+ sco_connect net/bluetooth/sco.c:245 [inline]
+ sco_sock_connect+0x227/0xa10 net/bluetooth/sco.c:601
+ __sys_connect_file+0x155/0x1a0 net/socket.c:1879
+ __sys_connect+0x161/0x190 net/socket.c:1896
+ __do_sys_connect net/socket.c:1906 [inline]
+ __se_sys_connect net/socket.c:1903 [inline]
+ __x64_sys_connect+0x6f/0xb0 net/socket.c:1903
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+-> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
+ check_prev_add kernel/locking/lockdep.c:3051 [inline]
+ check_prevs_add kernel/locking/lockdep.c:3174 [inline]
+ validate_chain kernel/locking/lockdep.c:3789 [inline]
+ __lock_acquire+0x2a07/0x54a0 kernel/locking/lockdep.c:5015
+ lock_acquire kernel/locking/lockdep.c:5625 [inline]
+ lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5590
+ lock_sock_nested+0xca/0x120 net/core/sock.c:3170
+ lock_sock include/net/sock.h:1613 [inline]
+ sco_conn_del+0x12a/0x2a0 net/bluetooth/sco.c:191
+ sco_disconn_cfm+0x71/0xb0 net/bluetooth/sco.c:1202
+ hci_disconn_cfm include/net/bluetooth/hci_core.h:1500 [inline]
+ hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1608
+ hci_dev_do_close+0x528/0x1130 net/bluetooth/hci_core.c:1778
+ hci_unregister_dev+0x1c0/0x5a0 net/bluetooth/hci_core.c:4015
+ vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:340
+ __fput+0x288/0x920 fs/file_table.c:280
+ task_work_run+0xdd/0x1a0 kernel/task_work.c:164
+ exit_task_work include/linux/task_work.h:32 [inline]
+ do_exit+0xbd4/0x2a60 kernel/exit.c:825
+ do_group_exit+0x125/0x310 kernel/exit.c:922
+ get_signal+0x47f/0x2160 kernel/signal.c:2808
+ arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:865
+ handle_signal_work kernel/entry/common.c:148 [inline]
+ exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
+ exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:209
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
+ syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302
+ ret_from_fork+0x15/0x30 arch/x86/entry/entry_64.S:288
+
+other info that might help us debug this:
+
+Chain exists of:
+ sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> &hdev->lock --> hci_cb_list_lock
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(hci_cb_list_lock);
+ lock(&hdev->lock);
+ lock(hci_cb_list_lock);
+ lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
+
+ *** DEADLOCK ***
+
+The issue is that the lock hierarchy should go from &hdev->lock -->
+hci_cb_list_lock --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO. For example,
+one such call trace is:
+
+ hci_dev_do_close():
+ hci_dev_lock();
+ hci_conn_hash_flush():
+ hci_disconn_cfm():
+ mutex_lock(&hci_cb_list_lock);
+ sco_disconn_cfm():
+ sco_conn_del():
+ lock_sock(sk);
+
+However, in sco_sock_connect, we call lock_sock before calling
+hci_dev_lock inside sco_connect, thus inverting the lock hierarchy.
+
+We fix this by pulling the call to hci_dev_lock out from sco_connect.
+
+Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/sco.c | 39 ++++++++++++++++-----------------------
+ 1 file changed, 16 insertions(+), 23 deletions(-)
+
+diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
+index 818f244aee46..1915943bb646 100644
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -234,44 +234,32 @@ static int sco_chan_add(struct sco_conn *conn, struct sock *sk,
+ return err;
+ }
+
+-static int sco_connect(struct sock *sk)
++static int sco_connect(struct hci_dev *hdev, struct sock *sk)
+ {
+ struct sco_conn *conn;
+ struct hci_conn *hcon;
+- struct hci_dev *hdev;
+ int err, type;
+
+ BT_DBG("%pMR -> %pMR", &sco_pi(sk)->src, &sco_pi(sk)->dst);
+
+- hdev = hci_get_route(&sco_pi(sk)->dst, &sco_pi(sk)->src, BDADDR_BREDR);
+- if (!hdev)
+- return -EHOSTUNREACH;
+-
+- hci_dev_lock(hdev);
+-
+ if (lmp_esco_capable(hdev) && !disable_esco)
+ type = ESCO_LINK;
+ else
+ type = SCO_LINK;
+
+ if (sco_pi(sk)->setting == BT_VOICE_TRANSPARENT &&
+- (!lmp_transp_capable(hdev) || !lmp_esco_capable(hdev))) {
+- err = -EOPNOTSUPP;
+- goto done;
+- }
++ (!lmp_transp_capable(hdev) || !lmp_esco_capable(hdev)))
++ return -EOPNOTSUPP;
+
+ hcon = hci_connect_sco(hdev, type, &sco_pi(sk)->dst,
+ sco_pi(sk)->setting);
+- if (IS_ERR(hcon)) {
+- err = PTR_ERR(hcon);
+- goto done;
+- }
++ if (IS_ERR(hcon))
++ return PTR_ERR(hcon);
+
+ conn = sco_conn_add(hcon);
+ if (!conn) {
+ hci_conn_drop(hcon);
+- err = -ENOMEM;
+- goto done;
++ return -ENOMEM;
+ }
+
+ /* Update source addr of the socket */
+@@ -279,7 +267,7 @@ static int sco_connect(struct sock *sk)
+
+ err = sco_chan_add(conn, sk, NULL);
+ if (err)
+- goto done;
++ return err;
+
+ if (hcon->state == BT_CONNECTED) {
+ sco_sock_clear_timer(sk);
+@@ -289,9 +277,6 @@ static int sco_connect(struct sock *sk)
+ sco_sock_set_timer(sk, sk->sk_sndtimeo);
+ }
+
+-done:
+- hci_dev_unlock(hdev);
+- hci_dev_put(hdev);
+ return err;
+ }
+
+@@ -573,6 +558,7 @@ static int sco_sock_connect(struct socket *sock, struct sockaddr *addr, int alen
+ {
+ struct sockaddr_sco *sa = (struct sockaddr_sco *) addr;
+ struct sock *sk = sock->sk;
++ struct hci_dev *hdev;
+ int err;
+
+ BT_DBG("sk %p", sk);
+@@ -587,12 +573,19 @@ static int sco_sock_connect(struct socket *sock, struct sockaddr *addr, int alen
+ if (sk->sk_type != SOCK_SEQPACKET)
+ return -EINVAL;
+
++ hdev = hci_get_route(&sa->sco_bdaddr, &sco_pi(sk)->src, BDADDR_BREDR);
++ if (!hdev)
++ return -EHOSTUNREACH;
++ hci_dev_lock(hdev);
++
+ lock_sock(sk);
+
+ /* Set destination address and psm */
+ bacpy(&sco_pi(sk)->dst, &sa->sco_bdaddr);
+
+- err = sco_connect(sk);
++ err = sco_connect(hdev, sk);
++ hci_dev_unlock(hdev);
++ hci_dev_put(hdev);
+ if (err)
+ goto done;
+
+--
+2.30.2
+
--- /dev/null
+From db4e6880d721f94c5216034067595bb93416624b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Aug 2021 16:20:15 -0700
+Subject: Bluetooth: Fix handling of LE Enhanced Connection Complete
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit cafae4cd625502f65d1798659c1aa9b62d38cc56 ]
+
+LE Enhanced Connection Complete contains the Local RPA used in the
+connection which must be used when set otherwise there could problems
+when pairing since the address used by the remote stack could be the
+Local RPA:
+
+BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 4, Part E
+page 2396
+
+ 'Resolvable Private Address being used by the local device for this
+ connection. This is only valid when the Own_Address_Type (from the
+ HCI_LE_Create_Connection, HCI_LE_Set_Advertising_Parameters,
+ HCI_LE_Set_Extended_Advertising_Parameters, or
+ HCI_LE_Extended_Create_Connection commands) is set to 0x02 or
+ 0x03, and the Controller generated a resolvable private address for the
+ local device using a non-zero local IRK. For other Own_Address_Type
+ values, the Controller shall return all zeros.'
+
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 93 ++++++++++++++++++++++++++-------------
+ 1 file changed, 62 insertions(+), 31 deletions(-)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 82e42d8e2ea0..31469ff084cd 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -4920,9 +4920,64 @@ static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
+ }
+ #endif
+
++static void le_conn_update_addr(struct hci_conn *conn, bdaddr_t *bdaddr,
++ u8 bdaddr_type, bdaddr_t *local_rpa)
++{
++ if (conn->out) {
++ conn->dst_type = bdaddr_type;
++ conn->resp_addr_type = bdaddr_type;
++ bacpy(&conn->resp_addr, bdaddr);
++
++ /* Check if the controller has set a Local RPA then it must be
++ * used instead or hdev->rpa.
++ */
++ if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
++ conn->init_addr_type = ADDR_LE_DEV_RANDOM;
++ bacpy(&conn->init_addr, local_rpa);
++ } else if (hci_dev_test_flag(conn->hdev, HCI_PRIVACY)) {
++ conn->init_addr_type = ADDR_LE_DEV_RANDOM;
++ bacpy(&conn->init_addr, &conn->hdev->rpa);
++ } else {
++ hci_copy_identity_address(conn->hdev, &conn->init_addr,
++ &conn->init_addr_type);
++ }
++ } else {
++ conn->resp_addr_type = conn->hdev->adv_addr_type;
++ /* Check if the controller has set a Local RPA then it must be
++ * used instead or hdev->rpa.
++ */
++ if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
++ conn->resp_addr_type = ADDR_LE_DEV_RANDOM;
++ bacpy(&conn->resp_addr, local_rpa);
++ } else if (conn->hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
++ /* In case of ext adv, resp_addr will be updated in
++ * Adv Terminated event.
++ */
++ if (!ext_adv_capable(conn->hdev))
++ bacpy(&conn->resp_addr,
++ &conn->hdev->random_addr);
++ } else {
++ bacpy(&conn->resp_addr, &conn->hdev->bdaddr);
++ }
++
++ conn->init_addr_type = bdaddr_type;
++ bacpy(&conn->init_addr, bdaddr);
++
++ /* For incoming connections, set the default minimum
++ * and maximum connection interval. They will be used
++ * to check if the parameters are in range and if not
++ * trigger the connection update procedure.
++ */
++ conn->le_conn_min_interval = conn->hdev->le_conn_min_interval;
++ conn->le_conn_max_interval = conn->hdev->le_conn_max_interval;
++ }
++}
++
+ static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
+- bdaddr_t *bdaddr, u8 bdaddr_type, u8 role, u16 handle,
+- u16 interval, u16 latency, u16 supervision_timeout)
++ bdaddr_t *bdaddr, u8 bdaddr_type,
++ bdaddr_t *local_rpa, u8 role, u16 handle,
++ u16 interval, u16 latency,
++ u16 supervision_timeout)
+ {
+ struct hci_conn_params *params;
+ struct hci_conn *conn;
+@@ -4970,32 +5025,7 @@ static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
+ cancel_delayed_work(&conn->le_conn_timeout);
+ }
+
+- if (!conn->out) {
+- /* Set the responder (our side) address type based on
+- * the advertising address type.
+- */
+- conn->resp_addr_type = hdev->adv_addr_type;
+- if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
+- /* In case of ext adv, resp_addr will be updated in
+- * Adv Terminated event.
+- */
+- if (!ext_adv_capable(hdev))
+- bacpy(&conn->resp_addr, &hdev->random_addr);
+- } else {
+- bacpy(&conn->resp_addr, &hdev->bdaddr);
+- }
+-
+- conn->init_addr_type = bdaddr_type;
+- bacpy(&conn->init_addr, bdaddr);
+-
+- /* For incoming connections, set the default minimum
+- * and maximum connection interval. They will be used
+- * to check if the parameters are in range and if not
+- * trigger the connection update procedure.
+- */
+- conn->le_conn_min_interval = hdev->le_conn_min_interval;
+- conn->le_conn_max_interval = hdev->le_conn_max_interval;
+- }
++ le_conn_update_addr(conn, bdaddr, bdaddr_type, local_rpa);
+
+ /* Lookup the identity address from the stored connection
+ * address and address type.
+@@ -5089,7 +5119,7 @@ static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
+ BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
+
+ le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
+- ev->role, le16_to_cpu(ev->handle),
++ NULL, ev->role, le16_to_cpu(ev->handle),
+ le16_to_cpu(ev->interval),
+ le16_to_cpu(ev->latency),
+ le16_to_cpu(ev->supervision_timeout));
+@@ -5103,7 +5133,7 @@ static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev,
+ BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
+
+ le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
+- ev->role, le16_to_cpu(ev->handle),
++ &ev->local_rpa, ev->role, le16_to_cpu(ev->handle),
+ le16_to_cpu(ev->interval),
+ le16_to_cpu(ev->latency),
+ le16_to_cpu(ev->supervision_timeout));
+@@ -5134,7 +5164,8 @@ static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, struct sk_buff *skb)
+ if (conn) {
+ struct adv_info *adv_instance;
+
+- if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM)
++ if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM ||
++ bacmp(&conn->resp_addr, BDADDR_ANY))
+ return;
+
+ if (!hdev->cur_adv_instance) {
+--
+2.30.2
+
--- /dev/null
+From d31144e53a080fa44a13c20381c269d170bff30f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 12:14:05 +0800
+Subject: Bluetooth: schedule SCO timeouts with delayed_work
+
+From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+
+[ Upstream commit ba316be1b6a00db7126ed9a39f9bee434a508043 ]
+
+struct sock.sk_timer should be used as a sock cleanup timer. However,
+SCO uses it to implement sock timeouts.
+
+This causes issues because struct sock.sk_timer's callback is run in
+an IRQ context, and the timer callback function sco_sock_timeout takes
+a spin lock on the socket. However, other functions such as
+sco_conn_del and sco_conn_ready take the spin lock with interrupts
+enabled.
+
+This inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} lock usage could
+lead to deadlocks as reported by Syzbot [1]:
+ CPU0
+ ----
+ lock(slock-AF_BLUETOOTH-BTPROTO_SCO);
+ <Interrupt>
+ lock(slock-AF_BLUETOOTH-BTPROTO_SCO);
+
+To fix this, we use delayed work to implement SCO sock timouts
+instead. This allows us to avoid taking the spin lock on the socket in
+an IRQ context, and corrects the misuse of struct sock.sk_timer.
+
+As a note, cancel_delayed_work is used instead of
+cancel_delayed_work_sync in sco_sock_set_timer and
+sco_sock_clear_timer to avoid a deadlock. In the future, the call to
+bh_lock_sock inside sco_sock_timeout should be changed to lock_sock to
+synchronize with other functions using lock_sock. However, since
+sco_sock_set_timer and sco_sock_clear_timer are sometimes called under
+the locked socket (in sco_connect and __sco_sock_close),
+cancel_delayed_work_sync might cause them to sleep until an
+sco_sock_timeout that has started finishes running. But
+sco_sock_timeout would also sleep until it can grab the lock_sock.
+
+Using cancel_delayed_work is fine because sco_sock_timeout does not
+change from run to run, hence there is no functional difference
+between:
+1. waiting for a timeout to finish running before scheduling another
+timeout
+2. scheduling another timeout while a timeout is running.
+
+Link: https://syzkaller.appspot.com/bug?id=9089d89de0502e120f234ca0fc8a703f7368b31e [1]
+Reported-by: syzbot+2f6d7c28bb4bf7e82060@syzkaller.appspotmail.com
+Tested-by: syzbot+2f6d7c28bb4bf7e82060@syzkaller.appspotmail.com
+Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/sco.c | 35 +++++++++++++++++++++++++++++------
+ 1 file changed, 29 insertions(+), 6 deletions(-)
+
+diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
+index 1b7540cb8e5c..818f244aee46 100644
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -48,6 +48,8 @@ struct sco_conn {
+ spinlock_t lock;
+ struct sock *sk;
+
++ struct delayed_work timeout_work;
++
+ unsigned int mtu;
+ };
+
+@@ -73,9 +75,20 @@ struct sco_pinfo {
+ #define SCO_CONN_TIMEOUT (HZ * 40)
+ #define SCO_DISCONN_TIMEOUT (HZ * 2)
+
+-static void sco_sock_timeout(struct timer_list *t)
++static void sco_sock_timeout(struct work_struct *work)
+ {
+- struct sock *sk = from_timer(sk, t, sk_timer);
++ struct sco_conn *conn = container_of(work, struct sco_conn,
++ timeout_work.work);
++ struct sock *sk;
++
++ sco_conn_lock(conn);
++ sk = conn->sk;
++ if (sk)
++ sock_hold(sk);
++ sco_conn_unlock(conn);
++
++ if (!sk)
++ return;
+
+ BT_DBG("sock %p state %d", sk, sk->sk_state);
+
+@@ -89,14 +102,21 @@ static void sco_sock_timeout(struct timer_list *t)
+
+ static void sco_sock_set_timer(struct sock *sk, long timeout)
+ {
++ if (!sco_pi(sk)->conn)
++ return;
++
+ BT_DBG("sock %p state %d timeout %ld", sk, sk->sk_state, timeout);
+- sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
++ cancel_delayed_work(&sco_pi(sk)->conn->timeout_work);
++ schedule_delayed_work(&sco_pi(sk)->conn->timeout_work, timeout);
+ }
+
+ static void sco_sock_clear_timer(struct sock *sk)
+ {
++ if (!sco_pi(sk)->conn)
++ return;
++
+ BT_DBG("sock %p state %d", sk, sk->sk_state);
+- sk_stop_timer(sk, &sk->sk_timer);
++ cancel_delayed_work(&sco_pi(sk)->conn->timeout_work);
+ }
+
+ /* ---- SCO connections ---- */
+@@ -176,6 +196,9 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
+ sco_chan_del(sk, err);
+ bh_unlock_sock(sk);
+ sock_put(sk);
++
++ /* Ensure no more work items will run before freeing conn. */
++ cancel_delayed_work_sync(&conn->timeout_work);
+ }
+
+ hcon->sco_data = NULL;
+@@ -190,6 +213,8 @@ static void __sco_chan_add(struct sco_conn *conn, struct sock *sk,
+ sco_pi(sk)->conn = conn;
+ conn->sk = sk;
+
++ INIT_DELAYED_WORK(&conn->timeout_work, sco_sock_timeout);
++
+ if (parent)
+ bt_accept_enqueue(parent, sk, true);
+ }
+@@ -484,8 +509,6 @@ static struct sock *sco_sock_alloc(struct net *net, struct socket *sock,
+
+ sco_pi(sk)->setting = BT_VOICE_CVSD_16BIT;
+
+- timer_setup(&sk->sk_timer, sco_sock_timeout, 0);
+-
+ bt_sock_link(&sco_sk_list, sk);
+ return sk;
+ }
+--
+2.30.2
+
--- /dev/null
+From 6e8ff22836dd37487da8da39e66227a6e5d0cbd6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Jul 2021 15:51:04 +0800
+Subject: Bluetooth: skip invalid hci_sync_conn_complete_evt
+
+From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+
+[ Upstream commit 92fe24a7db751b80925214ede43f8d2be792ea7b ]
+
+Syzbot reported a corrupted list in kobject_add_internal [1]. This
+happens when multiple HCI_EV_SYNC_CONN_COMPLETE event packets with
+status 0 are sent for the same HCI connection. This causes us to
+register the device more than once which corrupts the kset list.
+
+As this is forbidden behavior, we add a check for whether we're
+trying to process the same HCI_EV_SYNC_CONN_COMPLETE event multiple
+times for one connection. If that's the case, the event is invalid, so
+we report an error that the device is misbehaving, and ignore the
+packet.
+
+Link: https://syzkaller.appspot.com/bug?extid=66264bf2fd0476be7e6c [1]
+Reported-by: syzbot+66264bf2fd0476be7e6c@syzkaller.appspotmail.com
+Tested-by: syzbot+66264bf2fd0476be7e6c@syzkaller.appspotmail.com
+Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index e8e7f108b016..82e42d8e2ea0 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -4202,6 +4202,21 @@ static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
+
+ switch (ev->status) {
+ case 0x00:
++ /* The synchronous connection complete event should only be
++ * sent once per new connection. Receiving a successful
++ * complete event when the connection status is already
++ * BT_CONNECTED means that the device is misbehaving and sent
++ * multiple complete event packets for the same new connection.
++ *
++ * Registering the device more than once can corrupt kernel
++ * memory, hence upon detecting this invalid event, we report
++ * an error and ignore the packet.
++ */
++ if (conn->state == BT_CONNECTED) {
++ bt_dev_err(hdev, "Ignoring connect complete event for existing connection");
++ goto unlock;
++ }
++
+ conn->handle = __le16_to_cpu(ev->handle);
+ conn->state = BT_CONNECTED;
+ conn->type = ev->link_type;
+--
+2.30.2
+
--- /dev/null
+From 51b2b60debeef9126fe86de38373f96c5c34c4f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Jul 2021 10:19:11 +0800
+Subject: bonding: 3ad: fix the concurrency between __bond_release_one() and
+ bond_3ad_state_machine_handler()
+
+From: Yufeng Mo <moyufeng@huawei.com>
+
+[ Upstream commit 220ade77452c15ecb1ab94c3f8aaeb6d033c3582 ]
+
+Some time ago, I reported a calltrace issue
+"did not find a suitable aggregator", please see[1].
+After a period of analysis and reproduction, I find
+that this problem is caused by concurrency.
+
+Before the problem occurs, the bond structure is like follows:
+
+bond0 - slaver0(eth0) - agg0.lag_ports -> port0 - port1
+ \
+ port0
+ \
+ slaver1(eth1) - agg1.lag_ports -> NULL
+ \
+ port1
+
+If we run 'ifenslave bond0 -d eth1', the process is like below:
+
+excuting __bond_release_one()
+|
+bond_upper_dev_unlink()[step1]
+| | |
+| | bond_3ad_lacpdu_recv()
+| | ->bond_3ad_rx_indication()
+| | spin_lock_bh()
+| | ->ad_rx_machine()
+| | ->__record_pdu()[step2]
+| | spin_unlock_bh()
+| | |
+| bond_3ad_state_machine_handler()
+| spin_lock_bh()
+| ->ad_port_selection_logic()
+| ->try to find free aggregator[step3]
+| ->try to find suitable aggregator[step4]
+| ->did not find a suitable aggregator[step5]
+| spin_unlock_bh()
+| |
+| |
+bond_3ad_unbind_slave() |
+spin_lock_bh()
+spin_unlock_bh()
+
+step1: already removed slaver1(eth1) from list, but port1 remains
+step2: receive a lacpdu and update port0
+step3: port0 will be removed from agg0.lag_ports. The struct is
+ "agg0.lag_ports -> port1" now, and agg0 is not free. At the
+ same time, slaver1/agg1 has been removed from the list by step1.
+ So we can't find a free aggregator now.
+step4: can't find suitable aggregator because of step2
+step5: cause a calltrace since port->aggregator is NULL
+
+To solve this concurrency problem, put bond_upper_dev_unlink()
+after bond_3ad_unbind_slave(). In this way, we can invalid the port
+first and skip this port in bond_3ad_state_machine_handler(). This
+eliminates the situation that the slaver has been removed from the
+list but the port is still valid.
+
+[1]https://lore.kernel.org/netdev/10374.1611947473@famine/
+
+Signed-off-by: Yufeng Mo <moyufeng@huawei.com>
+Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index e21643377162..1949f631e1bc 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1926,7 +1926,6 @@ static int __bond_release_one(struct net_device *bond_dev,
+ /* recompute stats just before removing the slave */
+ bond_get_stats(bond->dev, &bond->bond_stats);
+
+- bond_upper_dev_unlink(bond, slave);
+ /* unregister rx_handler early so bond_handle_frame wouldn't be called
+ * for this slave anymore.
+ */
+@@ -1935,6 +1934,8 @@ static int __bond_release_one(struct net_device *bond_dev,
+ if (BOND_MODE(bond) == BOND_MODE_8023AD)
+ bond_3ad_unbind_slave(slave);
+
++ bond_upper_dev_unlink(bond, slave);
++
+ if (bond_mode_can_use_xmit_hash(bond))
+ bond_update_slave_arr(bond, slave);
+
+--
+2.30.2
+
--- /dev/null
+From f07a898413cf953e803ad57683d5923fba52b71a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Jul 2021 18:47:41 +0200
+Subject: bpf: Fix off-by-one in tail call count limiting
+
+From: Johan Almbladh <johan.almbladh@anyfinetworks.com>
+
+[ Upstream commit b61a28cf11d61f512172e673b8f8c4a6c789b425 ]
+
+Before, the interpreter allowed up to MAX_TAIL_CALL_CNT + 1 tail calls.
+Now precisely MAX_TAIL_CALL_CNT is allowed, which is in line with the
+behavior of the x86 JITs.
+
+Signed-off-by: Johan Almbladh <johan.almbladh@anyfinetworks.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/bpf/20210728164741.350370-1-johan.almbladh@anyfinetworks.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index d9a3d995bd96..0dd3cdb67dd8 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -1490,7 +1490,7 @@ static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn, u64 *stack)
+
+ if (unlikely(index >= array->map.max_entries))
+ goto out;
+- if (unlikely(tail_call_cnt > MAX_TAIL_CALL_CNT))
++ if (unlikely(tail_call_cnt >= MAX_TAIL_CALL_CNT))
+ goto out;
+
+ tail_call_cnt++;
+--
+2.30.2
+
--- /dev/null
+From 8d60e5f2ac0b33e6dbd023b0c132fc9d38580889 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jul 2021 12:38:22 +0200
+Subject: bpf/tests: Do not PASS tests without actually testing the result
+
+From: Johan Almbladh <johan.almbladh@anyfinetworks.com>
+
+[ Upstream commit 2b7e9f25e590726cca76700ebdb10e92a7a72ca1 ]
+
+Each test case can have a set of sub-tests, where each sub-test can
+run the cBPF/eBPF test snippet with its own data_size and expected
+result. Before, the end of the sub-test array was indicated by both
+data_size and result being zero. However, most or all of the internal
+eBPF tests has a data_size of zero already. When such a test also had
+an expected value of zero, the test was never run but reported as
+PASS anyway.
+
+Now the test runner always runs the first sub-test, regardless of the
+data_size and result values. The sub-test array zero-termination only
+applies for any additional sub-tests.
+
+There are other ways fix it of course, but this solution at least
+removes the surprise of eBPF tests with a zero result always succeeding.
+
+Signed-off-by: Johan Almbladh <johan.almbladh@anyfinetworks.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20210721103822.3755111-1-johan.almbladh@anyfinetworks.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/test_bpf.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/lib/test_bpf.c b/lib/test_bpf.c
+index 5e985ed68b2a..3ae002ced4c7 100644
+--- a/lib/test_bpf.c
++++ b/lib/test_bpf.c
+@@ -6684,7 +6684,14 @@ static int run_one(const struct bpf_prog *fp, struct bpf_test *test)
+ u64 duration;
+ u32 ret;
+
+- if (test->test[i].data_size == 0 &&
++ /*
++ * NOTE: Several sub-tests may be present, in which case
++ * a zero {data_size, result} tuple indicates the end of
++ * the sub-test array. The first test is always run,
++ * even if both data_size and result happen to be zero.
++ */
++ if (i > 0 &&
++ test->test[i].data_size == 0 &&
+ test->test[i].result == 0)
+ break;
+
+--
+2.30.2
+
--- /dev/null
+From 952a402bffb03fbce77adf2d880b9a36fc80f0d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jul 2021 12:40:58 +0200
+Subject: bpf/tests: Fix copy-and-paste error in double word test
+
+From: Johan Almbladh <johan.almbladh@anyfinetworks.com>
+
+[ Upstream commit ae7f47041d928b1a2f28717d095b4153c63cbf6a ]
+
+This test now operates on DW as stated instead of W, which was
+already covered by another test.
+
+Signed-off-by: Johan Almbladh <johan.almbladh@anyfinetworks.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20210721104058.3755254-1-johan.almbladh@anyfinetworks.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/test_bpf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/test_bpf.c b/lib/test_bpf.c
+index 5ef3eccee27c..5e985ed68b2a 100644
+--- a/lib/test_bpf.c
++++ b/lib/test_bpf.c
+@@ -4286,8 +4286,8 @@ static struct bpf_test tests[] = {
+ .u.insns_int = {
+ BPF_LD_IMM64(R0, 0),
+ BPF_LD_IMM64(R1, 0xffffffffffffffffLL),
+- BPF_STX_MEM(BPF_W, R10, R1, -40),
+- BPF_LDX_MEM(BPF_W, R0, R10, -40),
++ BPF_STX_MEM(BPF_DW, R10, R1, -40),
++ BPF_LDX_MEM(BPF_DW, R0, R10, -40),
+ BPF_EXIT_INSN(),
+ },
+ INTERNAL,
+--
+2.30.2
+
--- /dev/null
+From 688ecbe163ac98fab0b3ceca22f9e88f9abe9057 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Aug 2021 09:34:00 -0300
+Subject: btrfs: tree-log: check btrfs_lookup_data_extent return value
+
+From: Marcos Paulo de Souza <mpdesouza@suse.com>
+
+[ Upstream commit 3736127a3aa805602b7a2ad60ec9cfce68065fbb ]
+
+Function btrfs_lookup_data_extent calls btrfs_search_slot to verify if
+the EXTENT_ITEM exists in the extent tree. btrfs_search_slot can return
+values bellow zero if an error happened.
+
+Function replay_one_extent currently checks if the search found
+something (0 returned) and increments the reference, and if not, it
+seems to evaluate as 'not found'.
+
+Fix the condition by checking if the value was bellow zero and return
+early.
+
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Marcos Paulo de Souza <mpdesouza@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/tree-log.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index 5412361d0c27..8ea4b3da85d1 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -719,7 +719,9 @@ static noinline int replay_one_extent(struct btrfs_trans_handle *trans,
+ */
+ ret = btrfs_lookup_data_extent(fs_info, ins.objectid,
+ ins.offset);
+- if (ret == 0) {
++ if (ret < 0) {
++ goto out;
++ } else if (ret == 0) {
+ btrfs_init_generic_ref(&ref,
+ BTRFS_ADD_DELAYED_REF,
+ ins.objectid, ins.offset, 0);
+--
+2.30.2
+
--- /dev/null
+From 6d8b3d064b0d4fe225922e5b6eb604f4f6cdb215 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Aug 2021 22:55:10 +0800
+Subject: cifs: fix wrong release in sess_alloc_buffer() failed path
+
+From: Ding Hui <dinghui@sangfor.com.cn>
+
+[ Upstream commit d72c74197b70bc3c95152f351a568007bffa3e11 ]
+
+smb_buf is allocated by small_smb_init_no_tc(), and buf type is
+CIFS_SMALL_BUFFER, so we should use cifs_small_buf_release() to
+release it in failed path.
+
+Signed-off-by: Ding Hui <dinghui@sangfor.com.cn>
+Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/sess.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
+index 85bd644f9773..30f841a880ac 100644
+--- a/fs/cifs/sess.c
++++ b/fs/cifs/sess.c
+@@ -610,7 +610,7 @@ sess_alloc_buffer(struct sess_data *sess_data, int wct)
+ return 0;
+
+ out_free_smb_buf:
+- kfree(smb_buf);
++ cifs_small_buf_release(smb_buf);
+ sess_data->iov[0].iov_base = NULL;
+ sess_data->iov[0].iov_len = 0;
+ sess_data->buf0_type = CIFS_NO_BUFFER;
+--
+2.30.2
+
--- /dev/null
+From 56c5431146ce8777dd28dce31e932023f3870a66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jul 2021 16:12:13 +0300
+Subject: clk: at91: clk-generated: Limit the requested rate to our range
+
+From: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
+
+[ Upstream commit af7651e67b9d5f7e63ea23b118e3672ac662244a ]
+
+On clk_generated_determine_rate(), the requested rate could be outside
+of clk's range. Limit the rate to the clock's range to not return an
+error.
+
+Fixes: df70aeef6083 ("clk: at91: add generated clock driver")
+Signed-off-by: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
+Link: https://lore.kernel.org/r/20210707131213.3283509-1-codrin.ciubotariu@microchip.com
+Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/at91/clk-generated.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/clk/at91/clk-generated.c b/drivers/clk/at91/clk-generated.c
+index 273d0447d727..d7fe1303f79d 100644
+--- a/drivers/clk/at91/clk-generated.c
++++ b/drivers/clk/at91/clk-generated.c
+@@ -127,6 +127,12 @@ static int clk_generated_determine_rate(struct clk_hw *hw,
+ int i;
+ u32 div;
+
++ /* do not look for a rate that is outside of our range */
++ if (gck->range.max && req->rate > gck->range.max)
++ req->rate = gck->range.max;
++ if (gck->range.min && req->rate < gck->range.min)
++ req->rate = gck->range.min;
++
+ for (i = 0; i < clk_hw_get_num_parents(hw); i++) {
+ if (gck->chg_pid == i)
+ continue;
+--
+2.30.2
+
--- /dev/null
+From 71584111a7ea6cb5fa4c4ef85d46cd90949fa2a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Jul 2020 10:38:18 +0300
+Subject: clk: at91: clk-generated: pass the id of changeable parent at
+ registration
+
+From: Claudiu Beznea <claudiu.beznea@microchip.com>
+
+[ Upstream commit 64c9247b9e87e96e41cea545eb64727cee10c55c ]
+
+Pass the ID of changeable parent at registration. This will allow
+the scalability of this clock driver with regards to the changeable
+parent ID for versions of this IP where changeable parent is not the
+last one in the parents list (e.g. SAMA7G5). With this the clock flags
+are set to zero in case we have no changeable parent. Also in
+clk_generated_best_diff() the *best_diff variable is check against
+tmp_diff variable using ">=" operator instead of ">" so that in case
+the requested frequency could be obtained using fix parents + gck
+dividers but the clock also supports changeable parent to be able
+to force the usage of the changeable parent.
+
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Link: https://lore.kernel.org/r/1595403506-8209-11-git-send-email-claudiu.beznea@microchip.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/at91/clk-generated.c | 26 ++++++++++++++------------
+ drivers/clk/at91/dt-compat.c | 8 +++++---
+ drivers/clk/at91/pmc.h | 4 ++--
+ drivers/clk/at91/sam9x60.c | 3 +--
+ drivers/clk/at91/sama5d2.c | 31 +++++++++++++++----------------
+ 5 files changed, 37 insertions(+), 35 deletions(-)
+
+diff --git a/drivers/clk/at91/clk-generated.c b/drivers/clk/at91/clk-generated.c
+index 44a46dcc0518..273d0447d727 100644
+--- a/drivers/clk/at91/clk-generated.c
++++ b/drivers/clk/at91/clk-generated.c
+@@ -18,8 +18,6 @@
+
+ #define GENERATED_MAX_DIV 255
+
+-#define GCK_INDEX_DT_AUDIO_PLL 5
+-
+ struct clk_generated {
+ struct clk_hw hw;
+ struct regmap *regmap;
+@@ -29,7 +27,7 @@ struct clk_generated {
+ u32 gckdiv;
+ const struct clk_pcr_layout *layout;
+ u8 parent_id;
+- bool audio_pll_allowed;
++ int chg_pid;
+ };
+
+ #define to_clk_generated(hw) \
+@@ -109,7 +107,7 @@ static void clk_generated_best_diff(struct clk_rate_request *req,
+ tmp_rate = parent_rate / div;
+ tmp_diff = abs(req->rate - tmp_rate);
+
+- if (*best_diff < 0 || *best_diff > tmp_diff) {
++ if (*best_diff < 0 || *best_diff >= tmp_diff) {
+ *best_rate = tmp_rate;
+ *best_diff = tmp_diff;
+ req->best_parent_rate = parent_rate;
+@@ -129,7 +127,10 @@ static int clk_generated_determine_rate(struct clk_hw *hw,
+ int i;
+ u32 div;
+
+- for (i = 0; i < clk_hw_get_num_parents(hw) - 1; i++) {
++ for (i = 0; i < clk_hw_get_num_parents(hw); i++) {
++ if (gck->chg_pid == i)
++ continue;
++
+ parent = clk_hw_get_parent_by_index(hw, i);
+ if (!parent)
+ continue;
+@@ -161,10 +162,10 @@ static int clk_generated_determine_rate(struct clk_hw *hw,
+ * that the only clks able to modify gck rate are those of audio IPs.
+ */
+
+- if (!gck->audio_pll_allowed)
++ if (gck->chg_pid < 0)
+ goto end;
+
+- parent = clk_hw_get_parent_by_index(hw, GCK_INDEX_DT_AUDIO_PLL);
++ parent = clk_hw_get_parent_by_index(hw, gck->chg_pid);
+ if (!parent)
+ goto end;
+
+@@ -271,8 +272,8 @@ struct clk_hw * __init
+ at91_clk_register_generated(struct regmap *regmap, spinlock_t *lock,
+ const struct clk_pcr_layout *layout,
+ const char *name, const char **parent_names,
+- u8 num_parents, u8 id, bool pll_audio,
+- const struct clk_range *range)
++ u8 num_parents, u8 id,
++ const struct clk_range *range, int chg_pid)
+ {
+ struct clk_generated *gck;
+ struct clk_init_data init;
+@@ -287,15 +288,16 @@ at91_clk_register_generated(struct regmap *regmap, spinlock_t *lock,
+ init.ops = &generated_ops;
+ init.parent_names = parent_names;
+ init.num_parents = num_parents;
+- init.flags = CLK_SET_RATE_GATE | CLK_SET_PARENT_GATE |
+- CLK_SET_RATE_PARENT;
++ init.flags = CLK_SET_RATE_GATE | CLK_SET_PARENT_GATE;
++ if (chg_pid >= 0)
++ init.flags |= CLK_SET_RATE_PARENT;
+
+ gck->id = id;
+ gck->hw.init = &init;
+ gck->regmap = regmap;
+ gck->lock = lock;
+ gck->range = *range;
+- gck->audio_pll_allowed = pll_audio;
++ gck->chg_pid = chg_pid;
+ gck->layout = layout;
+
+ clk_generated_startup(gck);
+diff --git a/drivers/clk/at91/dt-compat.c b/drivers/clk/at91/dt-compat.c
+index aa1754eac59f..8a652c44c25a 100644
+--- a/drivers/clk/at91/dt-compat.c
++++ b/drivers/clk/at91/dt-compat.c
+@@ -22,6 +22,8 @@
+
+ #define SYSTEM_MAX_ID 31
+
++#define GCK_INDEX_DT_AUDIO_PLL 5
++
+ #ifdef CONFIG_HAVE_AT91_AUDIO_PLL
+ static void __init of_sama5d2_clk_audio_pll_frac_setup(struct device_node *np)
+ {
+@@ -135,7 +137,7 @@ static void __init of_sama5d2_clk_generated_setup(struct device_node *np)
+ return;
+
+ for_each_child_of_node(np, gcknp) {
+- bool pll_audio = false;
++ int chg_pid = INT_MIN;
+
+ if (of_property_read_u32(gcknp, "reg", &id))
+ continue;
+@@ -152,12 +154,12 @@ static void __init of_sama5d2_clk_generated_setup(struct device_node *np)
+ if (of_device_is_compatible(np, "atmel,sama5d2-clk-generated") &&
+ (id == GCK_ID_I2S0 || id == GCK_ID_I2S1 ||
+ id == GCK_ID_CLASSD))
+- pll_audio = true;
++ chg_pid = GCK_INDEX_DT_AUDIO_PLL;
+
+ hw = at91_clk_register_generated(regmap, &pmc_pcr_lock,
+ &dt_pcr_layout, name,
+ parent_names, num_parents,
+- id, pll_audio, &range);
++ id, &range, chg_pid);
+ if (IS_ERR(hw))
+ continue;
+
+diff --git a/drivers/clk/at91/pmc.h b/drivers/clk/at91/pmc.h
+index 9b8db9cdcda5..8a88ad236074 100644
+--- a/drivers/clk/at91/pmc.h
++++ b/drivers/clk/at91/pmc.h
+@@ -118,8 +118,8 @@ struct clk_hw * __init
+ at91_clk_register_generated(struct regmap *regmap, spinlock_t *lock,
+ const struct clk_pcr_layout *layout,
+ const char *name, const char **parent_names,
+- u8 num_parents, u8 id, bool pll_audio,
+- const struct clk_range *range);
++ u8 num_parents, u8 id,
++ const struct clk_range *range, int chg_pid);
+
+ struct clk_hw * __init
+ at91_clk_register_h32mx(struct regmap *regmap, const char *name,
+diff --git a/drivers/clk/at91/sam9x60.c b/drivers/clk/at91/sam9x60.c
+index bee1120e7041..39923899478f 100644
+--- a/drivers/clk/at91/sam9x60.c
++++ b/drivers/clk/at91/sam9x60.c
+@@ -282,8 +282,7 @@ static void __init sam9x60_pmc_setup(struct device_node *np)
+ sam9x60_gck[i].n,
+ parent_names, 6,
+ sam9x60_gck[i].id,
+- false,
+- &sam9x60_gck[i].r);
++ &sam9x60_gck[i].r, INT_MIN);
+ if (IS_ERR(hw))
+ goto err_free;
+
+diff --git a/drivers/clk/at91/sama5d2.c b/drivers/clk/at91/sama5d2.c
+index ff7e3f727082..d3c4bceb032d 100644
+--- a/drivers/clk/at91/sama5d2.c
++++ b/drivers/clk/at91/sama5d2.c
+@@ -115,21 +115,20 @@ static const struct {
+ char *n;
+ u8 id;
+ struct clk_range r;
+- bool pll;
++ int chg_pid;
+ } sama5d2_gck[] = {
+- { .n = "sdmmc0_gclk", .id = 31, },
+- { .n = "sdmmc1_gclk", .id = 32, },
+- { .n = "tcb0_gclk", .id = 35, .r = { .min = 0, .max = 83000000 }, },
+- { .n = "tcb1_gclk", .id = 36, .r = { .min = 0, .max = 83000000 }, },
+- { .n = "pwm_gclk", .id = 38, .r = { .min = 0, .max = 83000000 }, },
+- { .n = "isc_gclk", .id = 46, },
+- { .n = "pdmic_gclk", .id = 48, },
+- { .n = "i2s0_gclk", .id = 54, .pll = true },
+- { .n = "i2s1_gclk", .id = 55, .pll = true },
+- { .n = "can0_gclk", .id = 56, .r = { .min = 0, .max = 80000000 }, },
+- { .n = "can1_gclk", .id = 57, .r = { .min = 0, .max = 80000000 }, },
+- { .n = "classd_gclk", .id = 59, .r = { .min = 0, .max = 100000000 },
+- .pll = true },
++ { .n = "sdmmc0_gclk", .id = 31, .chg_pid = INT_MIN, },
++ { .n = "sdmmc1_gclk", .id = 32, .chg_pid = INT_MIN, },
++ { .n = "tcb0_gclk", .id = 35, .chg_pid = INT_MIN, .r = { .min = 0, .max = 83000000 }, },
++ { .n = "tcb1_gclk", .id = 36, .chg_pid = INT_MIN, .r = { .min = 0, .max = 83000000 }, },
++ { .n = "pwm_gclk", .id = 38, .chg_pid = INT_MIN, .r = { .min = 0, .max = 83000000 }, },
++ { .n = "isc_gclk", .id = 46, .chg_pid = INT_MIN, },
++ { .n = "pdmic_gclk", .id = 48, .chg_pid = INT_MIN, },
++ { .n = "i2s0_gclk", .id = 54, .chg_pid = 5, },
++ { .n = "i2s1_gclk", .id = 55, .chg_pid = 5, },
++ { .n = "can0_gclk", .id = 56, .chg_pid = INT_MIN, .r = { .min = 0, .max = 80000000 }, },
++ { .n = "can1_gclk", .id = 57, .chg_pid = INT_MIN, .r = { .min = 0, .max = 80000000 }, },
++ { .n = "classd_gclk", .id = 59, .chg_pid = 5, .r = { .min = 0, .max = 100000000 }, },
+ };
+
+ static const struct clk_programmable_layout sama5d2_programmable_layout = {
+@@ -317,8 +316,8 @@ static void __init sama5d2_pmc_setup(struct device_node *np)
+ sama5d2_gck[i].n,
+ parent_names, 6,
+ sama5d2_gck[i].id,
+- sama5d2_gck[i].pll,
+- &sama5d2_gck[i].r);
++ &sama5d2_gck[i].r,
++ sama5d2_gck[i].chg_pid);
+ if (IS_ERR(hw))
+ goto err_free;
+
+--
+2.30.2
+
--- /dev/null
+From 0c4e047e2793e756312c26c5ce5dcb0615d04b1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 Jan 2020 13:58:16 +0200
+Subject: clk: at91: sam9x60: Don't use audio PLL
+
+From: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
+
+[ Upstream commit 5bf7f4a249387a6062b9a14c8a77e7ba2fd6a53b ]
+
+On sam9x60, there is not audio PLL and so I2S and classD have to use one
+of the best matching parents for their generated clock.
+
+Fixes: 01e2113de9a5 ("clk: at91: add sam9x60 pmc driver")
+Signed-off-by: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
+Link: https://lkml.kernel.org/r/20200131115816.12483-1-codrin.ciubotariu@microchip.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/at91/sam9x60.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/clk/at91/sam9x60.c b/drivers/clk/at91/sam9x60.c
+index e3f4c8f20223..bee1120e7041 100644
+--- a/drivers/clk/at91/sam9x60.c
++++ b/drivers/clk/at91/sam9x60.c
+@@ -124,7 +124,6 @@ static const struct {
+ char *n;
+ u8 id;
+ struct clk_range r;
+- bool pll;
+ } sam9x60_gck[] = {
+ { .n = "flex0_gclk", .id = 5, },
+ { .n = "flex1_gclk", .id = 6, },
+@@ -144,11 +143,9 @@ static const struct {
+ { .n = "sdmmc1_gclk", .id = 26, .r = { .min = 0, .max = 105000000 }, },
+ { .n = "flex11_gclk", .id = 32, },
+ { .n = "flex12_gclk", .id = 33, },
+- { .n = "i2s_gclk", .id = 34, .r = { .min = 0, .max = 105000000 },
+- .pll = true, },
++ { .n = "i2s_gclk", .id = 34, .r = { .min = 0, .max = 105000000 }, },
+ { .n = "pit64b_gclk", .id = 37, },
+- { .n = "classd_gclk", .id = 42, .r = { .min = 0, .max = 100000000 },
+- .pll = true, },
++ { .n = "classd_gclk", .id = 42, .r = { .min = 0, .max = 100000000 }, },
+ { .n = "tcb1_gclk", .id = 45, },
+ { .n = "dbgu_gclk", .id = 47, },
+ };
+@@ -285,7 +282,7 @@ static void __init sam9x60_pmc_setup(struct device_node *np)
+ sam9x60_gck[i].n,
+ parent_names, 6,
+ sam9x60_gck[i].id,
+- sam9x60_gck[i].pll,
++ false,
+ &sam9x60_gck[i].r);
+ if (IS_ERR(hw))
+ goto err_free;
+--
+2.30.2
+
--- /dev/null
+From 5f3d23c2140c3a57e952e8dd53e6d9e4a8ca77bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Jul 2021 14:56:38 -0400
+Subject: crypto: mxs-dcp - Use sg_mapping_iter to copy data
+
+From: Sean Anderson <sean.anderson@seco.com>
+
+[ Upstream commit 2e6d793e1bf07fe5e20cfbbdcec9e1af7e5097eb ]
+
+This uses the sg_pcopy_from_buffer to copy data, instead of doing it
+ourselves.
+
+In addition to reducing code size, this fixes the following oops
+resulting from failing to kmap the page:
+
+[ 68.896381] Unable to handle kernel NULL pointer dereference at virtual address 00000ab8
+[ 68.904539] pgd = 3561adb3
+[ 68.907475] [00000ab8] *pgd=00000000
+[ 68.911153] Internal error: Oops: 805 [#1] ARM
+[ 68.915618] Modules linked in: cfg80211 rfkill des_generic libdes arc4 libarc4 cbc ecb algif_skcipher sha256_generic libsha256 sha1_generic hmac aes_generic libaes cmac sha512_generic md5 md4 algif_hash af_alg i2c_imx i2c_core ci_hdrc_imx ci_hdrc mxs_dcp ulpi roles udc_core imx_sdma usbmisc_imx usb_common firmware_class virt_dma phy_mxs_usb nf_tables nfnetlink ip_tables x_tables ipv6 autofs4
+[ 68.950741] CPU: 0 PID: 139 Comm: mxs_dcp_chan/ae Not tainted 5.10.34 #296
+[ 68.958501] Hardware name: Freescale i.MX6 Ultralite (Device Tree)
+[ 68.964710] PC is at memcpy+0xa8/0x330
+[ 68.968479] LR is at 0xd7b2bc9d
+[ 68.971638] pc : [<c053e7c8>] lr : [<d7b2bc9d>] psr: 000f0013
+[ 68.977920] sp : c2cbbee4 ip : 00000010 fp : 00000010
+[ 68.983159] r10: 00000000 r9 : c3283a40 r8 : 1a5a6f08
+[ 68.988402] r7 : 4bfe0ecc r6 : 76d8a220 r5 : c32f9050 r4 : 00000001
+[ 68.994945] r3 : 00000ab8 r2 : fffffff0 r1 : c32f9050 r0 : 00000ab8
+[ 69.001492] Flags: nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
+[ 69.008646] Control: 10c53c7d Table: 83664059 DAC: 00000051
+[ 69.014414] Process mxs_dcp_chan/ae (pid: 139, stack limit = 0x667b57ab)
+[ 69.021133] Stack: (0xc2cbbee4 to 0xc2cbc000)
+[ 69.025519] bee0: c32f9050 c3235408 00000010 00000010 00000ab8 00000001 bf10406c
+[ 69.033720] bf00: 00000000 00000000 00000010 00000000 c32355d0 832fb080 00000000 c13de2fc
+[ 69.041921] bf20: c3628010 00000010 c33d5780 00000ab8 bf1067e8 00000002 c21e5010 c2cba000
+[ 69.050125] bf40: c32f8040 00000000 bf106a40 c32f9040 c3283a80 00000001 bf105240 c3234040
+[ 69.058327] bf60: ffffe000 c3204100 c2c69800 c2cba000 00000000 bf103b84 00000000 c2eddc54
+[ 69.066530] bf80: c3204144 c0140d1c c2cba000 c2c69800 c0140be8 00000000 00000000 00000000
+[ 69.074730] bfa0: 00000000 00000000 00000000 c0100114 00000000 00000000 00000000 00000000
+[ 69.082932] bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+[ 69.091131] bfe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
+[ 69.099364] [<c053e7c8>] (memcpy) from [<bf10406c>] (dcp_chan_thread_aes+0x4e8/0x840 [mxs_dcp])
+[ 69.108117] [<bf10406c>] (dcp_chan_thread_aes [mxs_dcp]) from [<c0140d1c>] (kthread+0x134/0x160)
+[ 69.116941] [<c0140d1c>] (kthread) from [<c0100114>] (ret_from_fork+0x14/0x20)
+[ 69.124178] Exception stack(0xc2cbbfb0 to 0xc2cbbff8)
+[ 69.129250] bfa0: 00000000 00000000 00000000 00000000
+[ 69.137450] bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+[ 69.145648] bfe0: 00000000 00000000 00000000 00000000 00000013 00000000
+[ 69.152289] Code: e320f000 e4803004 e4804004 e4805004 (e4806004)
+
+Signed-off-by: Sean Anderson <sean.anderson@seco.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/mxs-dcp.c | 36 +++++++++---------------------------
+ 1 file changed, 9 insertions(+), 27 deletions(-)
+
+diff --git a/drivers/crypto/mxs-dcp.c b/drivers/crypto/mxs-dcp.c
+index 66fa524b6261..547111079207 100644
+--- a/drivers/crypto/mxs-dcp.c
++++ b/drivers/crypto/mxs-dcp.c
+@@ -298,21 +298,20 @@ static int mxs_dcp_aes_block_crypt(struct crypto_async_request *arq)
+
+ struct scatterlist *dst = req->dst;
+ struct scatterlist *src = req->src;
+- const int nents = sg_nents(req->src);
++ int dst_nents = sg_nents(dst);
+
+ const int out_off = DCP_BUF_SZ;
+ uint8_t *in_buf = sdcp->coh->aes_in_buf;
+ uint8_t *out_buf = sdcp->coh->aes_out_buf;
+
+- uint8_t *out_tmp, *src_buf, *dst_buf = NULL;
+ uint32_t dst_off = 0;
++ uint8_t *src_buf = NULL;
+ uint32_t last_out_len = 0;
+
+ uint8_t *key = sdcp->coh->aes_key;
+
+ int ret = 0;
+- int split = 0;
+- unsigned int i, len, clen, rem = 0, tlen = 0;
++ unsigned int i, len, clen, tlen = 0;
+ int init = 0;
+ bool limit_hit = false;
+
+@@ -330,7 +329,7 @@ static int mxs_dcp_aes_block_crypt(struct crypto_async_request *arq)
+ memset(key + AES_KEYSIZE_128, 0, AES_KEYSIZE_128);
+ }
+
+- for_each_sg(req->src, src, nents, i) {
++ for_each_sg(req->src, src, sg_nents(src), i) {
+ src_buf = sg_virt(src);
+ len = sg_dma_len(src);
+ tlen += len;
+@@ -355,34 +354,17 @@ static int mxs_dcp_aes_block_crypt(struct crypto_async_request *arq)
+ * submit the buffer.
+ */
+ if (actx->fill == out_off || sg_is_last(src) ||
+- limit_hit) {
++ limit_hit) {
+ ret = mxs_dcp_run_aes(actx, req, init);
+ if (ret)
+ return ret;
+ init = 0;
+
+- out_tmp = out_buf;
++ sg_pcopy_from_buffer(dst, dst_nents, out_buf,
++ actx->fill, dst_off);
++ dst_off += actx->fill;
+ last_out_len = actx->fill;
+- while (dst && actx->fill) {
+- if (!split) {
+- dst_buf = sg_virt(dst);
+- dst_off = 0;
+- }
+- rem = min(sg_dma_len(dst) - dst_off,
+- actx->fill);
+-
+- memcpy(dst_buf + dst_off, out_tmp, rem);
+- out_tmp += rem;
+- dst_off += rem;
+- actx->fill -= rem;
+-
+- if (dst_off == sg_dma_len(dst)) {
+- dst = sg_next(dst);
+- split = 0;
+- } else {
+- split = 1;
+- }
+- }
++ actx->fill = 0;
+ }
+ } while (len);
+
+--
+2.30.2
+
--- /dev/null
+From fefd429b0dbed95b07c93055da2ad2db20757ac3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jul 2021 16:10:55 +0200
+Subject: dma-debug: fix debugfs initialization order
+
+From: Anthony Iliopoulos <ailiop@suse.com>
+
+[ Upstream commit 173735c346c412d9f084825ecb04f24ada0e2986 ]
+
+Due to link order, dma_debug_init is called before debugfs has a chance
+to initialize (via debugfs_init which also happens in the core initcall
+stage), so the directories for dma-debug are never created.
+
+Decouple dma_debug_fs_init from dma_debug_init and defer its init until
+core_initcall_sync (after debugfs has been initialized) while letting
+dma-debug initialization occur as soon as possible to catch any early
+mappings, as suggested in [1].
+
+[1] https://lore.kernel.org/linux-iommu/YIgGa6yF%2Fadg8OSN@kroah.com/
+
+Fixes: 15b28bbcd567 ("dma-debug: move initialization to common code")
+Signed-off-by: Anthony Iliopoulos <ailiop@suse.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/dma/debug.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/dma/debug.c b/kernel/dma/debug.c
+index cb6425e52bf7..01e893cf9b9f 100644
+--- a/kernel/dma/debug.c
++++ b/kernel/dma/debug.c
+@@ -846,7 +846,7 @@ static int dump_show(struct seq_file *seq, void *v)
+ }
+ DEFINE_SHOW_ATTRIBUTE(dump);
+
+-static void dma_debug_fs_init(void)
++static int __init dma_debug_fs_init(void)
+ {
+ struct dentry *dentry = debugfs_create_dir("dma-api", NULL);
+
+@@ -859,7 +859,10 @@ static void dma_debug_fs_init(void)
+ debugfs_create_u32("nr_total_entries", 0444, dentry, &nr_total_entries);
+ debugfs_create_file("driver_filter", 0644, dentry, NULL, &filter_fops);
+ debugfs_create_file("dump", 0444, dentry, NULL, &dump_fops);
++
++ return 0;
+ }
++core_initcall_sync(dma_debug_fs_init);
+
+ static int device_dma_allocations(struct device *dev, struct dma_debug_entry **out_entry)
+ {
+@@ -944,8 +947,6 @@ static int dma_debug_init(void)
+ spin_lock_init(&dma_entry_hash[i].lock);
+ }
+
+- dma_debug_fs_init();
+-
+ nr_pages = DIV_ROUND_UP(nr_prealloc_entries, DMA_DEBUG_DYNAMIC_ENTRIES);
+ for (i = 0; i < nr_pages; ++i)
+ dma_debug_create_entries(GFP_KERNEL);
+--
+2.30.2
+
--- /dev/null
+From 4680583e29be73301653bed57466075f82bce9f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Jul 2021 16:04:12 +0300
+Subject: docs: Fix infiniband uverbs minor number
+
+From: Leon Romanovsky <leonro@nvidia.com>
+
+[ Upstream commit 8d7e415d55610d503fdb8815344846b72d194a40 ]
+
+Starting from the beginning of infiniband subsystem, the uverbs char
+devices start from 192 as a minor number, see
+commit bc38a6abdd5a ("[PATCH] IB uverbs: core implementation").
+
+This patch updates the admin guide documentation to reflect it.
+
+Fixes: 9d85025b0418 ("docs-rst: create an user's manual book")
+Link: https://lore.kernel.org/r/bad03e6bcde45550c01e12908a6fe7dfa4770703.1627477347.git.leonro@nvidia.com
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/admin-guide/devices.txt | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/Documentation/admin-guide/devices.txt b/Documentation/admin-guide/devices.txt
+index 1c5d2281efc9..771d9e7ae082 100644
+--- a/Documentation/admin-guide/devices.txt
++++ b/Documentation/admin-guide/devices.txt
+@@ -3002,10 +3002,10 @@
+ 65 = /dev/infiniband/issm1 Second InfiniBand IsSM device
+ ...
+ 127 = /dev/infiniband/issm63 63rd InfiniBand IsSM device
+- 128 = /dev/infiniband/uverbs0 First InfiniBand verbs device
+- 129 = /dev/infiniband/uverbs1 Second InfiniBand verbs device
++ 192 = /dev/infiniband/uverbs0 First InfiniBand verbs device
++ 193 = /dev/infiniband/uverbs1 Second InfiniBand verbs device
+ ...
+- 159 = /dev/infiniband/uverbs31 31st InfiniBand verbs device
++ 223 = /dev/infiniband/uverbs31 31st InfiniBand verbs device
+
+ 232 char Biometric Devices
+ 0 = /dev/biometric/sensor0/fingerprint first fingerprint sensor on first device
+--
+2.30.2
+
--- /dev/null
+From 90a551ef8971d688bc0e76e9d023e8257869d496 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jul 2021 11:00:44 -0400
+Subject: drm/amd/amdgpu: Update debugfs link_settings output link_rate field
+ in hex
+
+From: Anson Jacob <Anson.Jacob@amd.com>
+
+[ Upstream commit 1a394b3c3de2577f200cb623c52a5c2b82805cec ]
+
+link_rate is updated via debugfs using hex values, set it to output
+in hex as well.
+
+eg: Resolution: 1920x1080@144Hz
+cat /sys/kernel/debug/dri/0/DP-1/link_settings
+Current: 4 0x14 0 Verified: 4 0x1e 0 Reported: 4 0x1e 16 Preferred: 0 0x0 0
+
+echo "4 0x1e" > /sys/kernel/debug/dri/0/DP-1/link_settings
+
+cat /sys/kernel/debug/dri/0/DP-1/link_settings
+Current: 4 0x1e 0 Verified: 4 0x1e 0 Reported: 4 0x1e 16 Preferred: 4 0x1e 0
+
+Signed-off-by: Anson Jacob <Anson.Jacob@amd.com>
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+index f3dfb2887ae0..2cdcefab2d7d 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+@@ -95,29 +95,29 @@ static ssize_t dp_link_settings_read(struct file *f, char __user *buf,
+
+ rd_buf_ptr = rd_buf;
+
+- str_len = strlen("Current: %d %d %d ");
+- snprintf(rd_buf_ptr, str_len, "Current: %d %d %d ",
++ str_len = strlen("Current: %d 0x%x %d ");
++ snprintf(rd_buf_ptr, str_len, "Current: %d 0x%x %d ",
+ link->cur_link_settings.lane_count,
+ link->cur_link_settings.link_rate,
+ link->cur_link_settings.link_spread);
+ rd_buf_ptr += str_len;
+
+- str_len = strlen("Verified: %d %d %d ");
+- snprintf(rd_buf_ptr, str_len, "Verified: %d %d %d ",
++ str_len = strlen("Verified: %d 0x%x %d ");
++ snprintf(rd_buf_ptr, str_len, "Verified: %d 0x%x %d ",
+ link->verified_link_cap.lane_count,
+ link->verified_link_cap.link_rate,
+ link->verified_link_cap.link_spread);
+ rd_buf_ptr += str_len;
+
+- str_len = strlen("Reported: %d %d %d ");
+- snprintf(rd_buf_ptr, str_len, "Reported: %d %d %d ",
++ str_len = strlen("Reported: %d 0x%x %d ");
++ snprintf(rd_buf_ptr, str_len, "Reported: %d 0x%x %d ",
+ link->reported_link_cap.lane_count,
+ link->reported_link_cap.link_rate,
+ link->reported_link_cap.link_spread);
+ rd_buf_ptr += str_len;
+
+- str_len = strlen("Preferred: %d %d %d ");
+- snprintf(rd_buf_ptr, str_len, "Preferred: %d %d %d\n",
++ str_len = strlen("Preferred: %d 0x%x %d ");
++ snprintf(rd_buf_ptr, str_len, "Preferred: %d 0x%x %d\n",
+ link->preferred_link_setting.lane_count,
+ link->preferred_link_setting.link_rate,
+ link->preferred_link_setting.link_spread);
+--
+2.30.2
+
--- /dev/null
+From ab0beaadd8fa40f2185805cf0719362592a0c9f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jun 2021 15:04:04 -0400
+Subject: drm/amd/display: Fix timer_per_pixel unit error
+
+From: Oliver Logush <oliver.logush@amd.com>
+
+[ Upstream commit 23e55639b87fb16a9f0f66032ecb57060df6c46c ]
+
+[why]
+The units of the time_per_pixel variable were incorrect, this had to be
+changed for the code to properly function.
+
+[how]
+The change was very straightforward, only required one line of code to
+be changed where the calculation was done.
+
+Acked-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+Signed-off-by: Oliver Logush <oliver.logush@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c
+index 2b1175bb2dae..d2ea4c003d44 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c
+@@ -2232,7 +2232,7 @@ void dcn20_set_mcif_arb_params(
+ wb_arb_params->cli_watermark[k] = get_wm_writeback_urgent(&context->bw_ctx.dml, pipes, pipe_cnt) * 1000;
+ wb_arb_params->pstate_watermark[k] = get_wm_writeback_dram_clock_change(&context->bw_ctx.dml, pipes, pipe_cnt) * 1000;
+ }
+- wb_arb_params->time_per_pixel = 16.0 / context->res_ctx.pipe_ctx[i].stream->phy_pix_clk; /* 4 bit fraction, ms */
++ wb_arb_params->time_per_pixel = 16.0 * 1000 / (context->res_ctx.pipe_ctx[i].stream->phy_pix_clk / 1000); /* 4 bit fraction, ms */
+ wb_arb_params->slice_lines = 32;
+ wb_arb_params->arbitration_slice = 2;
+ wb_arb_params->max_scaled_time = dcn20_calc_max_scaled_time(wb_arb_params->time_per_pixel,
+--
+2.30.2
+
--- /dev/null
+From e86bbbae6a7dd906373ec49409dbcae9a23089f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Mar 2021 16:40:22 -0400
+Subject: drm/amdgpu: Fix amdgpu_ras_eeprom_init()
+
+From: Luben Tuikov <luben.tuikov@amd.com>
+
+[ Upstream commit dce4400e6516d18313d23de45b5be8a18980b00e ]
+
+No need to account for the 2 bytes of EEPROM
+address--this is now well abstracted away by
+the fixes the the lower layers.
+
+Cc: Andrey Grodzovsky <andrey.grodzovsky@amd.com>
+Cc: Alexander Deucher <Alexander.Deucher@amd.com>
+Signed-off-by: Luben Tuikov <luben.tuikov@amd.com>
+Acked-by: Alexander Deucher <Alexander.Deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c
+index 8a32b5c93778..bd7ae3e130b6 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c
+@@ -138,7 +138,7 @@ int amdgpu_ras_eeprom_init(struct amdgpu_ras_eeprom_control *control)
+ return ret;
+ }
+
+- __decode_table_header_from_buff(hdr, &buff[2]);
++ __decode_table_header_from_buff(hdr, buff);
+
+ if (hdr->header == EEPROM_TABLE_HDR_VAL) {
+ control->num_recs = (hdr->tbl_size - EEPROM_TABLE_HEADER_SIZE) /
+--
+2.30.2
+
--- /dev/null
+From a246168154cb5dbed8c415d33f6d6cbbd93d28d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Aug 2021 21:26:14 -0500
+Subject: drm/amdkfd: Account for SH/SE count when setting up cu masks.
+
+From: Sean Keely <Sean.Keely@amd.com>
+
+[ Upstream commit 1ec06c2dee679e9f089e78ed20cb74ee90155f61 ]
+
+On systems with multiple SH per SE compute_static_thread_mgmt_se#
+is split into independent masks, one for each SH, in the upper and
+lower 16 bits. We need to detect this and apply cu masking to each
+SH. The cu mask bits are assigned first to each SE, then to
+alternate SHs, then finally to higher CU id. This ensures that
+the maximum number of SPIs are engaged as early as possible while
+balancing CU assignment to each SH.
+
+v2: Use max SH/SE rather than max SH in cu_per_sh.
+
+v3: Fix comment blocks, ensure se_mask is initially zero filled,
+ and correctly assign se.sh.cu positions to unset bits in cu_mask.
+
+Signed-off-by: Sean Keely <Sean.Keely@amd.com>
+Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c | 84 +++++++++++++++-----
+ drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.h | 1 +
+ 2 files changed, 64 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c
+index 88813dad731f..c021519af810 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c
+@@ -98,36 +98,78 @@ void mqd_symmetrically_map_cu_mask(struct mqd_manager *mm,
+ uint32_t *se_mask)
+ {
+ struct kfd_cu_info cu_info;
+- uint32_t cu_per_se[KFD_MAX_NUM_SE] = {0};
+- int i, se, sh, cu = 0;
+-
++ uint32_t cu_per_sh[KFD_MAX_NUM_SE][KFD_MAX_NUM_SH_PER_SE] = {0};
++ int i, se, sh, cu;
+ amdgpu_amdkfd_get_cu_info(mm->dev->kgd, &cu_info);
+
+ if (cu_mask_count > cu_info.cu_active_number)
+ cu_mask_count = cu_info.cu_active_number;
+
++ /* Exceeding these bounds corrupts the stack and indicates a coding error.
++ * Returning with no CU's enabled will hang the queue, which should be
++ * attention grabbing.
++ */
++ if (cu_info.num_shader_engines > KFD_MAX_NUM_SE) {
++ pr_err("Exceeded KFD_MAX_NUM_SE, chip reports %d\n", cu_info.num_shader_engines);
++ return;
++ }
++ if (cu_info.num_shader_arrays_per_engine > KFD_MAX_NUM_SH_PER_SE) {
++ pr_err("Exceeded KFD_MAX_NUM_SH, chip reports %d\n",
++ cu_info.num_shader_arrays_per_engine * cu_info.num_shader_engines);
++ return;
++ }
++ /* Count active CUs per SH.
++ *
++ * Some CUs in an SH may be disabled. HW expects disabled CUs to be
++ * represented in the high bits of each SH's enable mask (the upper and lower
++ * 16 bits of se_mask) and will take care of the actual distribution of
++ * disabled CUs within each SH automatically.
++ * Each half of se_mask must be filled only on bits 0-cu_per_sh[se][sh]-1.
++ *
++ * See note on Arcturus cu_bitmap layout in gfx_v9_0_get_cu_info.
++ */
+ for (se = 0; se < cu_info.num_shader_engines; se++)
+ for (sh = 0; sh < cu_info.num_shader_arrays_per_engine; sh++)
+- cu_per_se[se] += hweight32(cu_info.cu_bitmap[se % 4][sh + (se / 4)]);
+-
+- /* Symmetrically map cu_mask to all SEs:
+- * cu_mask[0] bit0 -> se_mask[0] bit0;
+- * cu_mask[0] bit1 -> se_mask[1] bit0;
+- * ... (if # SE is 4)
+- * cu_mask[0] bit4 -> se_mask[0] bit1;
++ cu_per_sh[se][sh] = hweight32(cu_info.cu_bitmap[se % 4][sh + (se / 4)]);
++
++ /* Symmetrically map cu_mask to all SEs & SHs:
++ * se_mask programs up to 2 SH in the upper and lower 16 bits.
++ *
++ * Examples
++ * Assuming 1 SH/SE, 4 SEs:
++ * cu_mask[0] bit0 -> se_mask[0] bit0
++ * cu_mask[0] bit1 -> se_mask[1] bit0
++ * ...
++ * cu_mask[0] bit4 -> se_mask[0] bit1
++ * ...
++ *
++ * Assuming 2 SH/SE, 4 SEs
++ * cu_mask[0] bit0 -> se_mask[0] bit0 (SE0,SH0,CU0)
++ * cu_mask[0] bit1 -> se_mask[1] bit0 (SE1,SH0,CU0)
++ * ...
++ * cu_mask[0] bit4 -> se_mask[0] bit16 (SE0,SH1,CU0)
++ * cu_mask[0] bit5 -> se_mask[1] bit16 (SE1,SH1,CU0)
++ * ...
++ * cu_mask[0] bit8 -> se_mask[0] bit1 (SE0,SH0,CU1)
+ * ...
++ *
++ * First ensure all CUs are disabled, then enable user specified CUs.
+ */
+- se = 0;
+- for (i = 0; i < cu_mask_count; i++) {
+- if (cu_mask[i / 32] & (1 << (i % 32)))
+- se_mask[se] |= 1 << cu;
+-
+- do {
+- se++;
+- if (se == cu_info.num_shader_engines) {
+- se = 0;
+- cu++;
++ for (i = 0; i < cu_info.num_shader_engines; i++)
++ se_mask[i] = 0;
++
++ i = 0;
++ for (cu = 0; cu < 16; cu++) {
++ for (sh = 0; sh < cu_info.num_shader_arrays_per_engine; sh++) {
++ for (se = 0; se < cu_info.num_shader_engines; se++) {
++ if (cu_per_sh[se][sh] > cu) {
++ if (cu_mask[i / 32] & (1 << (i % 32)))
++ se_mask[se] |= 1 << (cu + sh * 16);
++ i++;
++ if (i == cu_mask_count)
++ return;
++ }
+ }
+- } while (cu >= cu_per_se[se] && cu < 32);
++ }
+ }
+ }
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.h b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.h
+index fbdb16418847..4edc012e3138 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.h
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.h
+@@ -27,6 +27,7 @@
+ #include "kfd_priv.h"
+
+ #define KFD_MAX_NUM_SE 8
++#define KFD_MAX_NUM_SH_PER_SE 2
+
+ /**
+ * struct mqd_manager
+--
+2.30.2
+
--- /dev/null
+From 4d3f102e94da431e055434bb8eb4b568d1cad19c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jul 2021 12:35:05 +0800
+Subject: drm: avoid blocking in drm_clients_info's rcu section
+
+From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+
+[ Upstream commit 5eff9585de220cdd131237f5665db5e6c6bdf590 ]
+
+Inside drm_clients_info, the rcu_read_lock is held to lock
+pid_task()->comm. However, within this protected section, a call to
+drm_is_current_master is made, which involves a mutex lock in a future
+patch. However, this is illegal because the mutex lock might block
+while in the RCU read-side critical section.
+
+Since drm_is_current_master isn't protected by rcu_read_lock, we avoid
+this by moving it out of the RCU critical section.
+
+The following report came from intel-gfx ci's
+igt@debugfs_test@read_all_entries testcase:
+
+=============================
+[ BUG: Invalid wait context ]
+5.13.0-CI-Patchwork_20515+ #1 Tainted: G W
+-----------------------------
+debugfs_test/1101 is trying to lock:
+ffff888132d901a8 (&dev->master_mutex){+.+.}-{3:3}, at:
+drm_is_current_master+0x1e/0x50
+other info that might help us debug this:
+context-{4:4}
+3 locks held by debugfs_test/1101:
+ #0: ffff88810fdffc90 (&p->lock){+.+.}-{3:3}, at:
+ seq_read_iter+0x53/0x3b0
+ #1: ffff888132d90240 (&dev->filelist_mutex){+.+.}-{3:3}, at:
+ drm_clients_info+0x63/0x2a0
+ #2: ffffffff82734220 (rcu_read_lock){....}-{1:2}, at:
+ drm_clients_info+0x1b1/0x2a0
+stack backtrace:
+CPU: 8 PID: 1101 Comm: debugfs_test Tainted: G W
+5.13.0-CI-Patchwork_20515+ #1
+Hardware name: Intel Corporation CometLake Client Platform/CometLake S
+UDIMM (ERB/CRB), BIOS CMLSFWR1.R00.1263.D00.1906260926 06/26/2019
+Call Trace:
+ dump_stack+0x7f/0xad
+ __lock_acquire.cold.78+0x2af/0x2ca
+ lock_acquire+0xd3/0x300
+ ? drm_is_current_master+0x1e/0x50
+ ? __mutex_lock+0x76/0x970
+ ? lockdep_hardirqs_on+0xbf/0x130
+ __mutex_lock+0xab/0x970
+ ? drm_is_current_master+0x1e/0x50
+ ? drm_is_current_master+0x1e/0x50
+ ? drm_is_current_master+0x1e/0x50
+ drm_is_current_master+0x1e/0x50
+ drm_clients_info+0x107/0x2a0
+ seq_read_iter+0x178/0x3b0
+ seq_read+0x104/0x150
+ full_proxy_read+0x4e/0x80
+ vfs_read+0xa5/0x1b0
+ ksys_read+0x5a/0xd0
+ do_syscall_64+0x39/0xb0
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210712043508.11584-3-desmondcheongzx@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_debugfs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_debugfs.c b/drivers/gpu/drm/drm_debugfs.c
+index 00debd02c322..0ba92428ef56 100644
+--- a/drivers/gpu/drm/drm_debugfs.c
++++ b/drivers/gpu/drm/drm_debugfs.c
+@@ -91,6 +91,7 @@ static int drm_clients_info(struct seq_file *m, void *data)
+ mutex_lock(&dev->filelist_mutex);
+ list_for_each_entry_reverse(priv, &dev->filelist, lhead) {
+ struct task_struct *task;
++ bool is_current_master = drm_is_current_master(priv);
+
+ rcu_read_lock(); /* locks pid_task()->comm */
+ task = pid_task(priv->pid, PIDTYPE_PID);
+@@ -99,7 +100,7 @@ static int drm_clients_info(struct seq_file *m, void *data)
+ task ? task->comm : "<unknown>",
+ pid_vnr(priv->pid),
+ priv->minor->index,
+- drm_is_current_master(priv) ? 'y' : 'n',
++ is_current_master ? 'y' : 'n',
+ priv->authenticated ? 'y' : 'n',
+ from_kuid_munged(seq_user_ns(m), uid),
+ priv->magic);
+--
+2.30.2
+
--- /dev/null
+From efee7fefc6ac6eebc7a55b608ebdf9bf4631423b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 21:07:03 -0700
+Subject: drm/display: fix possible null-pointer dereference in
+ dcn10_set_clock()
+
+From: Tuo Li <islituo@gmail.com>
+
+[ Upstream commit 554594567b1fa3da74f88ec7b2dc83d000c58e98 ]
+
+The variable dc->clk_mgr is checked in:
+ if (dc->clk_mgr && dc->clk_mgr->funcs->get_clock)
+
+This indicates dc->clk_mgr can be NULL.
+However, it is dereferenced in:
+ if (!dc->clk_mgr->funcs->get_clock)
+
+To fix this null-pointer dereference, check dc->clk_mgr and the function
+pointer dc->clk_mgr->funcs->get_clock earlier, and return if one of them
+is NULL.
+
+Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
+Signed-off-by: Tuo Li <islituo@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
+index 60123db7ba02..bc5ebea1abed 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
+@@ -3264,13 +3264,12 @@ static enum dc_status dcn10_set_clock(struct dc *dc,
+ struct dc_clock_config clock_cfg = {0};
+ struct dc_clocks *current_clocks = &context->bw_ctx.bw.dcn.clk;
+
+- if (dc->clk_mgr && dc->clk_mgr->funcs->get_clock)
+- dc->clk_mgr->funcs->get_clock(dc->clk_mgr,
+- context, clock_type, &clock_cfg);
+-
+- if (!dc->clk_mgr->funcs->get_clock)
++ if (!dc->clk_mgr || !dc->clk_mgr->funcs->get_clock)
+ return DC_FAIL_UNSUPPORTED_1;
+
++ dc->clk_mgr->funcs->get_clock(dc->clk_mgr,
++ context, clock_type, &clock_cfg);
++
+ if (clk_khz > clock_cfg.max_clock_khz)
+ return DC_FAIL_CLK_EXCEED_MAX;
+
+@@ -3288,7 +3287,7 @@ static enum dc_status dcn10_set_clock(struct dc *dc,
+ else
+ return DC_ERROR_UNEXPECTED;
+
+- if (dc->clk_mgr && dc->clk_mgr->funcs->update_clocks)
++ if (dc->clk_mgr->funcs->update_clocks)
+ dc->clk_mgr->funcs->update_clocks(dc->clk_mgr,
+ context, true);
+ return DC_OK;
+--
+2.30.2
+
--- /dev/null
+From ebed9f5bdac7e8422cab6ec66f684c9116c5ec68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jul 2021 16:36:56 -0700
+Subject: drm/exynos: Always initialize mapping in exynos_drm_register_dma()
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit c626f3864bbbb28bbe06476b0b497c1330aa4463 ]
+
+In certain randconfigs, clang warns:
+
+drivers/gpu/drm/exynos/exynos_drm_dma.c:121:19: warning: variable
+'mapping' is uninitialized when used here [-Wuninitialized]
+ priv->mapping = mapping;
+ ^~~~~~~
+drivers/gpu/drm/exynos/exynos_drm_dma.c:111:16: note: initialize the
+variable 'mapping' to silence this warning
+ void *mapping;
+ ^
+ = NULL
+1 warning generated.
+
+This occurs when CONFIG_EXYNOS_IOMMU is enabled and both
+CONFIG_ARM_DMA_USE_IOMMU and CONFIG_IOMMU_DMA are disabled, which makes
+the code look like
+
+ void *mapping;
+
+ if (0)
+ mapping = arm_iommu_create_mapping()
+ else if (0)
+ mapping = iommu_get_domain_for_dev()
+
+ ...
+ priv->mapping = mapping;
+
+Add an else branch that initializes mapping to the -ENODEV error pointer
+so that there is no more warning and the driver does not change during
+runtime.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/exynos/exynos_drm_dma.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/exynos/exynos_drm_dma.c b/drivers/gpu/drm/exynos/exynos_drm_dma.c
+index 58b89ec11b0e..a3c9d8b9e1a1 100644
+--- a/drivers/gpu/drm/exynos/exynos_drm_dma.c
++++ b/drivers/gpu/drm/exynos/exynos_drm_dma.c
+@@ -140,6 +140,8 @@ int exynos_drm_register_dma(struct drm_device *drm, struct device *dev,
+ EXYNOS_DEV_ADDR_START, EXYNOS_DEV_ADDR_SIZE);
+ else if (IS_ENABLED(CONFIG_IOMMU_DMA))
+ mapping = iommu_get_domain_for_dev(priv->dma_dev);
++ else
++ mapping = ERR_PTR(-ENODEV);
+
+ if (IS_ERR(mapping))
+ return PTR_ERR(mapping);
+--
+2.30.2
+
--- /dev/null
+From c49a2f69646501c332c95c48cff553f09723d6b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 08:09:25 +0200
+Subject: drm/msm: mdp4: drop vblank get/put from prepare/complete_commit
+
+From: David Heidelberg <david@ixit.cz>
+
+[ Upstream commit 56bd931ae506730c9ab1e4cc4bfefa43fc2d18fa ]
+
+msm_atomic is doing vblank get/put's already,
+currently there no need to duplicate the effort in MDP4
+
+Fix warning:
+...
+WARNING: CPU: 3 PID: 79 at drivers/gpu/drm/drm_vblank.c:1194 drm_vblank_put+0x1cc/0x1d4
+...
+and multiple vblank time-outs:
+...
+msm 5100000.mdp: vblank time out, crtc=1
+...
+
+Tested on Nexus 7 2013 (deb), LTS 5.10.50.
+
+Introduced by: 119ecb7fd3b5 ("drm/msm/mdp4: request vblank during modeset")
+
+Signed-off-by: David Heidelberg <david@ixit.cz>
+Link: https://lore.kernel.org/r/20210715060925.7880-1-david@ixit.cz
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/mdp4/mdp4_kms.c | 13 -------------
+ 1 file changed, 13 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/mdp4/mdp4_kms.c b/drivers/gpu/drm/msm/disp/mdp4/mdp4_kms.c
+index 20194d86d033..5d50e93efe36 100644
+--- a/drivers/gpu/drm/msm/disp/mdp4/mdp4_kms.c
++++ b/drivers/gpu/drm/msm/disp/mdp4/mdp4_kms.c
+@@ -108,13 +108,6 @@ static void mdp4_disable_commit(struct msm_kms *kms)
+
+ static void mdp4_prepare_commit(struct msm_kms *kms, struct drm_atomic_state *state)
+ {
+- int i;
+- struct drm_crtc *crtc;
+- struct drm_crtc_state *crtc_state;
+-
+- /* see 119ecb7fd */
+- for_each_new_crtc_in_state(state, crtc, crtc_state, i)
+- drm_crtc_vblank_get(crtc);
+ }
+
+ static void mdp4_flush_commit(struct msm_kms *kms, unsigned crtc_mask)
+@@ -133,12 +126,6 @@ static void mdp4_wait_flush(struct msm_kms *kms, unsigned crtc_mask)
+
+ static void mdp4_complete_commit(struct msm_kms *kms, unsigned crtc_mask)
+ {
+- struct mdp4_kms *mdp4_kms = to_mdp4_kms(to_mdp_kms(kms));
+- struct drm_crtc *crtc;
+-
+- /* see 119ecb7fd */
+- for_each_crtc_mask(mdp4_kms->dev, crtc, crtc_mask)
+- drm_crtc_vblank_put(crtc);
+ }
+
+ static long mdp4_round_pixclk(struct msm_kms *kms, unsigned long rate,
+--
+2.30.2
+
--- /dev/null
+From 1edd0e00052f40c0b7e3b2476292c73816b87ef7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Aug 2021 08:12:08 +0800
+Subject: f2fs: fix to account missing .skipped_gc_rwsem
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit ad126ebddecbf696e0cf214ff56c7b170fa9f0f7 ]
+
+There is a missing place we forgot to account .skipped_gc_rwsem, fix it.
+
+Fixes: 6f8d4455060d ("f2fs: avoid fi->i_gc_rwsem[WRITE] lock in f2fs_gc")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/gc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c
+index 6b13a1a89206..4b6c36208f55 100644
+--- a/fs/f2fs/gc.c
++++ b/fs/f2fs/gc.c
+@@ -1095,8 +1095,10 @@ static int gc_data_segment(struct f2fs_sb_info *sbi, struct f2fs_summary *sum,
+ int err;
+
+ if (S_ISREG(inode->i_mode)) {
+- if (!down_write_trylock(&fi->i_gc_rwsem[READ]))
++ if (!down_write_trylock(&fi->i_gc_rwsem[READ])) {
++ sbi->skipped_gc_rwsem++;
+ continue;
++ }
+ if (!down_write_trylock(
+ &fi->i_gc_rwsem[WRITE])) {
+ sbi->skipped_gc_rwsem++;
+--
+2.30.2
+
--- /dev/null
+From 3970f7b78e0e7ca5f5deca04efc392ab92be7013 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Aug 2021 19:34:19 +0800
+Subject: f2fs: fix to unmap pages from userspace process in punch_hole()
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit c8dc3047c48540183744f959412d44b08c5435e1 ]
+
+We need to unmap pages from userspace process before removing pagecache
+in punch_hole() like we did in f2fs_setattr().
+
+Similar change:
+commit 5e44f8c374dc ("ext4: hole-punch use truncate_pagecache_range")
+
+Fixes: fbfa2cc58d53 ("f2fs: add file operations")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/file.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index f98dce4d07b3..516007bb1ced 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -981,7 +981,6 @@ static int punch_hole(struct inode *inode, loff_t offset, loff_t len)
+ }
+
+ if (pg_start < pg_end) {
+- struct address_space *mapping = inode->i_mapping;
+ loff_t blk_start, blk_end;
+ struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
+
+@@ -993,8 +992,7 @@ static int punch_hole(struct inode *inode, loff_t offset, loff_t len)
+ down_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]);
+ down_write(&F2FS_I(inode)->i_mmap_sem);
+
+- truncate_inode_pages_range(mapping, blk_start,
+- blk_end - 1);
++ truncate_pagecache_range(inode, blk_start, blk_end - 1);
+
+ f2fs_lock_op(sbi);
+ ret = f2fs_truncate_hole(inode, pg_start, pg_end);
+--
+2.30.2
+
--- /dev/null
+From d921de4f1ddc01d2683710422c2612ba9fd2db96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Aug 2021 10:03:15 +0800
+Subject: f2fs: fix unexpected ENOENT comes from f2fs_map_blocks()
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit adf9ea89c719c1d23794e363f631e376b3ff8cbc ]
+
+In below path, it will return ENOENT if filesystem is shutdown:
+
+- f2fs_map_blocks
+ - f2fs_get_dnode_of_data
+ - f2fs_get_node_page
+ - __get_node_page
+ - read_node_page
+ - is_sbi_flag_set(sbi, SBI_IS_SHUTDOWN)
+ return -ENOENT
+ - force return value from ENOENT to 0
+
+It should be fine for read case, since it indicates a hole condition,
+and caller could use .m_next_pgofs to skip the hole and continue the
+lookup.
+
+However it may cause confusing for write case, since leaving a hole
+there, and said nothing was wrong doesn't help.
+
+There is at least one case from dax_iomap_actor() will complain that,
+so fix this in prior to supporting dax in f2fs.
+
+xfstest generic/388 reports below warning:
+
+ubuntu godown: xfstests-induced forced shutdown of /mnt/scratch_f2fs:
+------------[ cut here ]------------
+WARNING: CPU: 0 PID: 485833 at fs/dax.c:1127 dax_iomap_actor+0x339/0x370
+Call Trace:
+ iomap_apply+0x1c4/0x7b0
+ ? dax_iomap_rw+0x1c0/0x1c0
+ dax_iomap_rw+0xad/0x1c0
+ ? dax_iomap_rw+0x1c0/0x1c0
+ f2fs_file_write_iter+0x5ab/0x970 [f2fs]
+ do_iter_readv_writev+0x273/0x2e0
+ do_iter_write+0xab/0x1f0
+ vfs_iter_write+0x21/0x40
+ iter_file_splice_write+0x287/0x540
+ do_splice+0x37c/0xa60
+ __x64_sys_splice+0x15f/0x3a0
+ do_syscall_64+0x3b/0x90
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+ubuntu godown: xfstests-induced forced shutdown of /mnt/scratch_f2fs:
+------------[ cut here ]------------
+RIP: 0010:dax_iomap_pte_fault.isra.0+0x72e/0x14a0
+Call Trace:
+ dax_iomap_fault+0x44/0x70
+ f2fs_dax_huge_fault+0x155/0x400 [f2fs]
+ f2fs_dax_fault+0x18/0x30 [f2fs]
+ __do_fault+0x4e/0x120
+ do_fault+0x3cf/0x7a0
+ __handle_mm_fault+0xa8c/0xf20
+ ? find_held_lock+0x39/0xd0
+ handle_mm_fault+0x1b6/0x480
+ do_user_addr_fault+0x320/0xcd0
+ ? rcu_read_lock_sched_held+0x67/0xc0
+ exc_page_fault+0x77/0x3f0
+ ? asm_exc_page_fault+0x8/0x30
+ asm_exc_page_fault+0x1e/0x30
+
+Fixes: 83a3bfdb5a8a ("f2fs: indicate shutdown f2fs to allow unmount successfully")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/data.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
+index df2c361feade..1679f9c0b63b 100644
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -1191,7 +1191,21 @@ int f2fs_map_blocks(struct inode *inode, struct f2fs_map_blocks *map,
+ if (err) {
+ if (flag == F2FS_GET_BLOCK_BMAP)
+ map->m_pblk = 0;
++
+ if (err == -ENOENT) {
++ /*
++ * There is one exceptional case that read_node_page()
++ * may return -ENOENT due to filesystem has been
++ * shutdown or cp_error, so force to convert error
++ * number to EIO for such case.
++ */
++ if (map->m_may_create &&
++ (is_sbi_flag_set(sbi, SBI_IS_SHUTDOWN) ||
++ f2fs_cp_error(sbi))) {
++ err = -EIO;
++ goto unlock_out;
++ }
++
+ err = 0;
+ if (map->m_next_pgofs)
+ *map->m_next_pgofs =
+--
+2.30.2
+
--- /dev/null
+From 7697d8e56bcb69789c0c1501050880cac66a3e48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Jul 2021 16:46:47 +0800
+Subject: f2fs: quota: fix potential deadlock
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 9de71ede81e6d1a111fdd868b2d78d459fa77f80 ]
+
+xfstest generic/587 reports a deadlock issue as below:
+
+======================================================
+WARNING: possible circular locking dependency detected
+5.14.0-rc1 #69 Not tainted
+------------------------------------------------------
+repquota/8606 is trying to acquire lock:
+ffff888022ac9320 (&sb->s_type->i_mutex_key#18){+.+.}-{3:3}, at: f2fs_quota_sync+0x207/0x300 [f2fs]
+
+but task is already holding lock:
+ffff8880084bcde8 (&sbi->quota_sem){.+.+}-{3:3}, at: f2fs_quota_sync+0x59/0x300 [f2fs]
+
+which lock already depends on the new lock.
+
+the existing dependency chain (in reverse order) is:
+
+-> #2 (&sbi->quota_sem){.+.+}-{3:3}:
+ __lock_acquire+0x648/0x10b0
+ lock_acquire+0x128/0x470
+ down_read+0x3b/0x2a0
+ f2fs_quota_sync+0x59/0x300 [f2fs]
+ f2fs_quota_on+0x48/0x100 [f2fs]
+ do_quotactl+0x5e3/0xb30
+ __x64_sys_quotactl+0x23a/0x4e0
+ do_syscall_64+0x3b/0x90
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+-> #1 (&sbi->cp_rwsem){++++}-{3:3}:
+ __lock_acquire+0x648/0x10b0
+ lock_acquire+0x128/0x470
+ down_read+0x3b/0x2a0
+ f2fs_unlink+0x353/0x670 [f2fs]
+ vfs_unlink+0x1c7/0x380
+ do_unlinkat+0x413/0x4b0
+ __x64_sys_unlinkat+0x50/0xb0
+ do_syscall_64+0x3b/0x90
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+-> #0 (&sb->s_type->i_mutex_key#18){+.+.}-{3:3}:
+ check_prev_add+0xdc/0xb30
+ validate_chain+0xa67/0xb20
+ __lock_acquire+0x648/0x10b0
+ lock_acquire+0x128/0x470
+ down_write+0x39/0xc0
+ f2fs_quota_sync+0x207/0x300 [f2fs]
+ do_quotactl+0xaff/0xb30
+ __x64_sys_quotactl+0x23a/0x4e0
+ do_syscall_64+0x3b/0x90
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+other info that might help us debug this:
+
+Chain exists of:
+ &sb->s_type->i_mutex_key#18 --> &sbi->cp_rwsem --> &sbi->quota_sem
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(&sbi->quota_sem);
+ lock(&sbi->cp_rwsem);
+ lock(&sbi->quota_sem);
+ lock(&sb->s_type->i_mutex_key#18);
+
+ *** DEADLOCK ***
+
+3 locks held by repquota/8606:
+ #0: ffff88801efac0e0 (&type->s_umount_key#53){++++}-{3:3}, at: user_get_super+0xd9/0x190
+ #1: ffff8880084bc380 (&sbi->cp_rwsem){++++}-{3:3}, at: f2fs_quota_sync+0x3e/0x300 [f2fs]
+ #2: ffff8880084bcde8 (&sbi->quota_sem){.+.+}-{3:3}, at: f2fs_quota_sync+0x59/0x300 [f2fs]
+
+stack backtrace:
+CPU: 6 PID: 8606 Comm: repquota Not tainted 5.14.0-rc1 #69
+Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
+Call Trace:
+ dump_stack_lvl+0xce/0x134
+ dump_stack+0x17/0x20
+ print_circular_bug.isra.0.cold+0x239/0x253
+ check_noncircular+0x1be/0x1f0
+ check_prev_add+0xdc/0xb30
+ validate_chain+0xa67/0xb20
+ __lock_acquire+0x648/0x10b0
+ lock_acquire+0x128/0x470
+ down_write+0x39/0xc0
+ f2fs_quota_sync+0x207/0x300 [f2fs]
+ do_quotactl+0xaff/0xb30
+ __x64_sys_quotactl+0x23a/0x4e0
+ do_syscall_64+0x3b/0x90
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+RIP: 0033:0x7f883b0b4efe
+
+The root cause is ABBA deadlock of inode lock and cp_rwsem,
+reorder locks in f2fs_quota_sync() as below to fix this issue:
+- lock inode
+- lock cp_rwsem
+- lock quota_sem
+
+Fixes: db6ec53b7e03 ("f2fs: add a rw_sem to cover quota flag changes")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/super.c | 84 ++++++++++++++++++++++++++++---------------------
+ 1 file changed, 48 insertions(+), 36 deletions(-)
+
+diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
+index 6d904dc9bd19..41bf656658ba 100644
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -1994,6 +1994,33 @@ static int f2fs_enable_quotas(struct super_block *sb)
+ return 0;
+ }
+
++static int f2fs_quota_sync_file(struct f2fs_sb_info *sbi, int type)
++{
++ struct quota_info *dqopt = sb_dqopt(sbi->sb);
++ struct address_space *mapping = dqopt->files[type]->i_mapping;
++ int ret = 0;
++
++ ret = dquot_writeback_dquots(sbi->sb, type);
++ if (ret)
++ goto out;
++
++ ret = filemap_fdatawrite(mapping);
++ if (ret)
++ goto out;
++
++ /* if we are using journalled quota */
++ if (is_journalled_quota(sbi))
++ goto out;
++
++ ret = filemap_fdatawait(mapping);
++
++ truncate_inode_pages(&dqopt->files[type]->i_data, 0);
++out:
++ if (ret)
++ set_sbi_flag(sbi, SBI_QUOTA_NEED_REPAIR);
++ return ret;
++}
++
+ int f2fs_quota_sync(struct super_block *sb, int type)
+ {
+ struct f2fs_sb_info *sbi = F2FS_SB(sb);
+@@ -2001,57 +2028,42 @@ int f2fs_quota_sync(struct super_block *sb, int type)
+ int cnt;
+ int ret;
+
+- /*
+- * do_quotactl
+- * f2fs_quota_sync
+- * down_read(quota_sem)
+- * dquot_writeback_dquots()
+- * f2fs_dquot_commit
+- * block_operation
+- * down_read(quota_sem)
+- */
+- f2fs_lock_op(sbi);
+-
+- down_read(&sbi->quota_sem);
+- ret = dquot_writeback_dquots(sb, type);
+- if (ret)
+- goto out;
+-
+ /*
+ * Now when everything is written we can discard the pagecache so
+ * that userspace sees the changes.
+ */
+ for (cnt = 0; cnt < MAXQUOTAS; cnt++) {
+- struct address_space *mapping;
+
+ if (type != -1 && cnt != type)
+ continue;
+- if (!sb_has_quota_active(sb, cnt))
+- continue;
+
+- mapping = dqopt->files[cnt]->i_mapping;
++ if (!sb_has_quota_active(sb, type))
++ return 0;
+
+- ret = filemap_fdatawrite(mapping);
+- if (ret)
+- goto out;
++ inode_lock(dqopt->files[cnt]);
+
+- /* if we are using journalled quota */
+- if (is_journalled_quota(sbi))
+- continue;
++ /*
++ * do_quotactl
++ * f2fs_quota_sync
++ * down_read(quota_sem)
++ * dquot_writeback_dquots()
++ * f2fs_dquot_commit
++ * block_operation
++ * down_read(quota_sem)
++ */
++ f2fs_lock_op(sbi);
++ down_read(&sbi->quota_sem);
+
+- ret = filemap_fdatawait(mapping);
+- if (ret)
+- set_sbi_flag(F2FS_SB(sb), SBI_QUOTA_NEED_REPAIR);
++ ret = f2fs_quota_sync_file(sbi, cnt);
++
++ up_read(&sbi->quota_sem);
++ f2fs_unlock_op(sbi);
+
+- inode_lock(dqopt->files[cnt]);
+- truncate_inode_pages(&dqopt->files[cnt]->i_data, 0);
+ inode_unlock(dqopt->files[cnt]);
++
++ if (ret)
++ break;
+ }
+-out:
+- if (ret)
+- set_sbi_flag(F2FS_SB(sb), SBI_QUOTA_NEED_REPAIR);
+- up_read(&sbi->quota_sem);
+- f2fs_unlock_op(sbi);
+ return ret;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From c0bad92f2aaed993e9cb923eac7902287aae8f57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Aug 2021 11:29:46 +0800
+Subject: f2fs: reduce the scope of setting fsck tag when de->name_len is zero
+
+From: Yangtao Li <frank.li@vivo.com>
+
+[ Upstream commit d4bf15a7ce172d186d400d606adf4f34a59130d6 ]
+
+I recently found a case where de->name_len is 0 in f2fs_fill_dentries()
+easily reproduced, and finally set the fsck flag.
+
+Thread A Thread B
+- f2fs_readdir
+ - f2fs_read_inline_dir
+ - ctx->pos = d.max
+ - f2fs_add_dentry
+ - f2fs_add_inline_entry
+ - do_convert_inline_dir
+ - f2fs_add_regular_entry
+- f2fs_readdir
+ - f2fs_fill_dentries
+ - set_sbi_flag(sbi, SBI_NEED_FSCK)
+
+Process A opens the folder, and has been reading without closing it.
+During this period, Process B created a file under the folder (occupying
+multiple f2fs_dir_entry, exceeding the d.max of the inline dir). After
+creation, process A uses the d.max of inline dir to read it again, and
+it will read that de->name_len is 0.
+
+And Chao pointed out that w/o inline conversion, the race condition still
+can happen as below:
+
+dir_entry1: A
+dir_entry2: B
+dir_entry3: C
+free slot: _
+ctx->pos: ^
+
+Thread A is traversing directory,
+ctx-pos moves to below position after readdir() by thread A:
+AAAABBBB___
+ ^
+
+Then thread B delete dir_entry2, and create dir_entry3.
+
+Thread A calls readdir() to lookup dirents starting from middle
+of new dirent slots as below:
+AAAACCCCCC_
+ ^
+In these scenarios, the file system is not damaged, and it's hard to
+avoid it. But we can bypass tagging FSCK flag if:
+a) bit_pos (:= ctx->pos % d->max) is non-zero and
+b) before bit_pos moves to first valid dir_entry.
+
+Fixes: ddf06b753a85 ("f2fs: fix to trigger fsck if dirent.name_len is zero")
+Signed-off-by: Yangtao Li <frank.li@vivo.com>
+[Chao: clean up description]
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/dir.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c
+index 7b3fbfe68f8c..99c4a868d73b 100644
+--- a/fs/f2fs/dir.c
++++ b/fs/f2fs/dir.c
+@@ -892,6 +892,7 @@ int f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
+ struct f2fs_sb_info *sbi = F2FS_I_SB(d->inode);
+ struct blk_plug plug;
+ bool readdir_ra = sbi->readdir_ra == 1;
++ bool found_valid_dirent = false;
+ int err = 0;
+
+ bit_pos = ((unsigned long)ctx->pos % d->max);
+@@ -906,13 +907,15 @@ int f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
+
+ de = &d->dentry[bit_pos];
+ if (de->name_len == 0) {
++ if (found_valid_dirent || !bit_pos) {
++ printk_ratelimited(
++ "%sF2FS-fs (%s): invalid namelen(0), ino:%u, run fsck to fix.",
++ KERN_WARNING, sbi->sb->s_id,
++ le32_to_cpu(de->ino));
++ set_sbi_flag(sbi, SBI_NEED_FSCK);
++ }
+ bit_pos++;
+ ctx->pos = start_pos + bit_pos;
+- printk_ratelimited(
+- "%sF2FS-fs (%s): invalid namelen(0), ino:%u, run fsck to fix.",
+- KERN_WARNING, sbi->sb->s_id,
+- le32_to_cpu(de->ino));
+- set_sbi_flag(sbi, SBI_NEED_FSCK);
+ continue;
+ }
+
+@@ -955,6 +958,7 @@ int f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
+ f2fs_ra_node_page(sbi, le32_to_cpu(de->ino));
+
+ ctx->pos = start_pos + bit_pos;
++ found_valid_dirent = true;
+ }
+ out:
+ if (readdir_ra)
+--
+2.30.2
+
--- /dev/null
+From 110ae8197abbed3e7a786d0bbea5bb55e917b4c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Nov 2019 17:53:23 +0800
+Subject: f2fs: show f2fs instance in printk_ratelimited
+
+From: Chao Yu <yuchao0@huawei.com>
+
+[ Upstream commit c45d6002ff7a322022560e9b19ad867b01fec77f ]
+
+As Eric mentioned, bare printk{,_ratelimited} won't show which
+filesystem instance these message is coming from, this patch tries
+to show fs instance with sb->s_id field in all places we missed
+before.
+
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/checkpoint.c | 2 +-
+ fs/f2fs/data.c | 9 +++++----
+ fs/f2fs/dir.c | 7 ++++---
+ fs/f2fs/f2fs.h | 24 +++++++++++++-----------
+ fs/f2fs/file.c | 2 +-
+ fs/f2fs/gc.c | 2 +-
+ fs/f2fs/inode.c | 2 +-
+ fs/f2fs/node.c | 2 +-
+ fs/f2fs/segment.c | 9 +++++----
+ 9 files changed, 32 insertions(+), 27 deletions(-)
+
+diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c
+index a57219c51c01..f7d27cbbeb86 100644
+--- a/fs/f2fs/checkpoint.c
++++ b/fs/f2fs/checkpoint.c
+@@ -583,7 +583,7 @@ int f2fs_acquire_orphan_inode(struct f2fs_sb_info *sbi)
+
+ if (time_to_inject(sbi, FAULT_ORPHAN)) {
+ spin_unlock(&im->ino_lock);
+- f2fs_show_injection_info(FAULT_ORPHAN);
++ f2fs_show_injection_info(sbi, FAULT_ORPHAN);
+ return -ENOSPC;
+ }
+
+diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
+index 64ee2a064e33..df2c361feade 100644
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -167,9 +167,10 @@ static bool f2fs_bio_post_read_required(struct bio *bio)
+
+ static void f2fs_read_end_io(struct bio *bio)
+ {
+- if (time_to_inject(F2FS_P_SB(bio_first_page_all(bio)),
+- FAULT_READ_IO)) {
+- f2fs_show_injection_info(FAULT_READ_IO);
++ struct f2fs_sb_info *sbi = F2FS_P_SB(bio_first_page_all(bio));
++
++ if (time_to_inject(sbi, FAULT_READ_IO)) {
++ f2fs_show_injection_info(sbi, FAULT_READ_IO);
+ bio->bi_status = BLK_STS_IOERR;
+ }
+
+@@ -191,7 +192,7 @@ static void f2fs_write_end_io(struct bio *bio)
+ struct bvec_iter_all iter_all;
+
+ if (time_to_inject(sbi, FAULT_WRITE_IO)) {
+- f2fs_show_injection_info(FAULT_WRITE_IO);
++ f2fs_show_injection_info(sbi, FAULT_WRITE_IO);
+ bio->bi_status = BLK_STS_IOERR;
+ }
+
+diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c
+index 78d041f9775a..7b3fbfe68f8c 100644
+--- a/fs/f2fs/dir.c
++++ b/fs/f2fs/dir.c
+@@ -618,7 +618,7 @@ int f2fs_add_regular_entry(struct inode *dir, const struct qstr *new_name,
+
+ start:
+ if (time_to_inject(F2FS_I_SB(dir), FAULT_DIR_DEPTH)) {
+- f2fs_show_injection_info(FAULT_DIR_DEPTH);
++ f2fs_show_injection_info(F2FS_I_SB(dir), FAULT_DIR_DEPTH);
+ return -ENOSPC;
+ }
+
+@@ -909,8 +909,9 @@ int f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d,
+ bit_pos++;
+ ctx->pos = start_pos + bit_pos;
+ printk_ratelimited(
+- "%s, invalid namelen(0), ino:%u, run fsck to fix.",
+- KERN_WARNING, le32_to_cpu(de->ino));
++ "%sF2FS-fs (%s): invalid namelen(0), ino:%u, run fsck to fix.",
++ KERN_WARNING, sbi->sb->s_id,
++ le32_to_cpu(de->ino));
+ set_sbi_flag(sbi, SBI_NEED_FSCK);
+ continue;
+ }
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
+index 4ca3c2a0a0f5..031a17bf52a2 100644
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -1374,9 +1374,10 @@ struct f2fs_private_dio {
+ };
+
+ #ifdef CONFIG_F2FS_FAULT_INJECTION
+-#define f2fs_show_injection_info(type) \
+- printk_ratelimited("%sF2FS-fs : inject %s in %s of %pS\n", \
+- KERN_INFO, f2fs_fault_name[type], \
++#define f2fs_show_injection_info(sbi, type) \
++ printk_ratelimited("%sF2FS-fs (%s) : inject %s in %s of %pS\n", \
++ KERN_INFO, sbi->sb->s_id, \
++ f2fs_fault_name[type], \
+ __func__, __builtin_return_address(0))
+ static inline bool time_to_inject(struct f2fs_sb_info *sbi, int type)
+ {
+@@ -1396,7 +1397,7 @@ static inline bool time_to_inject(struct f2fs_sb_info *sbi, int type)
+ return false;
+ }
+ #else
+-#define f2fs_show_injection_info(type) do { } while (0)
++#define f2fs_show_injection_info(sbi, type) do { } while (0)
+ static inline bool time_to_inject(struct f2fs_sb_info *sbi, int type)
+ {
+ return false;
+@@ -1781,7 +1782,7 @@ static inline int inc_valid_block_count(struct f2fs_sb_info *sbi,
+ return ret;
+
+ if (time_to_inject(sbi, FAULT_BLOCK)) {
+- f2fs_show_injection_info(FAULT_BLOCK);
++ f2fs_show_injection_info(sbi, FAULT_BLOCK);
+ release = *count;
+ goto release_quota;
+ }
+@@ -2033,7 +2034,7 @@ static inline int inc_valid_node_count(struct f2fs_sb_info *sbi,
+ }
+
+ if (time_to_inject(sbi, FAULT_BLOCK)) {
+- f2fs_show_injection_info(FAULT_BLOCK);
++ f2fs_show_injection_info(sbi, FAULT_BLOCK);
+ goto enospc;
+ }
+
+@@ -2148,7 +2149,8 @@ static inline struct page *f2fs_grab_cache_page(struct address_space *mapping,
+ return page;
+
+ if (time_to_inject(F2FS_M_SB(mapping), FAULT_PAGE_ALLOC)) {
+- f2fs_show_injection_info(FAULT_PAGE_ALLOC);
++ f2fs_show_injection_info(F2FS_M_SB(mapping),
++ FAULT_PAGE_ALLOC);
+ return NULL;
+ }
+ }
+@@ -2163,7 +2165,7 @@ static inline struct page *f2fs_pagecache_get_page(
+ int fgp_flags, gfp_t gfp_mask)
+ {
+ if (time_to_inject(F2FS_M_SB(mapping), FAULT_PAGE_GET)) {
+- f2fs_show_injection_info(FAULT_PAGE_GET);
++ f2fs_show_injection_info(F2FS_M_SB(mapping), FAULT_PAGE_GET);
+ return NULL;
+ }
+
+@@ -2232,7 +2234,7 @@ static inline struct bio *f2fs_bio_alloc(struct f2fs_sb_info *sbi,
+ return bio;
+ }
+ if (time_to_inject(sbi, FAULT_ALLOC_BIO)) {
+- f2fs_show_injection_info(FAULT_ALLOC_BIO);
++ f2fs_show_injection_info(sbi, FAULT_ALLOC_BIO);
+ return NULL;
+ }
+
+@@ -2797,7 +2799,7 @@ static inline void *f2fs_kmalloc(struct f2fs_sb_info *sbi,
+ size_t size, gfp_t flags)
+ {
+ if (time_to_inject(sbi, FAULT_KMALLOC)) {
+- f2fs_show_injection_info(FAULT_KMALLOC);
++ f2fs_show_injection_info(sbi, FAULT_KMALLOC);
+ return NULL;
+ }
+
+@@ -2814,7 +2816,7 @@ static inline void *f2fs_kvmalloc(struct f2fs_sb_info *sbi,
+ size_t size, gfp_t flags)
+ {
+ if (time_to_inject(sbi, FAULT_KVMALLOC)) {
+- f2fs_show_injection_info(FAULT_KVMALLOC);
++ f2fs_show_injection_info(sbi, FAULT_KVMALLOC);
+ return NULL;
+ }
+
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index 6e58b2e62b18..f98dce4d07b3 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -682,7 +682,7 @@ int f2fs_truncate(struct inode *inode)
+ trace_f2fs_truncate(inode);
+
+ if (time_to_inject(F2FS_I_SB(inode), FAULT_TRUNCATE)) {
+- f2fs_show_injection_info(FAULT_TRUNCATE);
++ f2fs_show_injection_info(F2FS_I_SB(inode), FAULT_TRUNCATE);
+ return -EIO;
+ }
+
+diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c
+index a78aa5480454..6b13a1a89206 100644
+--- a/fs/f2fs/gc.c
++++ b/fs/f2fs/gc.c
+@@ -54,7 +54,7 @@ static int gc_thread_func(void *data)
+ }
+
+ if (time_to_inject(sbi, FAULT_CHECKPOINT)) {
+- f2fs_show_injection_info(FAULT_CHECKPOINT);
++ f2fs_show_injection_info(sbi, FAULT_CHECKPOINT);
+ f2fs_stop_checkpoint(sbi, false);
+ }
+
+diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
+index 386ad54c13c3..502bd491336a 100644
+--- a/fs/f2fs/inode.c
++++ b/fs/f2fs/inode.c
+@@ -681,7 +681,7 @@ void f2fs_evict_inode(struct inode *inode)
+ err = f2fs_truncate(inode);
+
+ if (time_to_inject(sbi, FAULT_EVICT_INODE)) {
+- f2fs_show_injection_info(FAULT_EVICT_INODE);
++ f2fs_show_injection_info(sbi, FAULT_EVICT_INODE);
+ err = -EIO;
+ }
+
+diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c
+index 48bb5d3c709d..4cb182c20eed 100644
+--- a/fs/f2fs/node.c
++++ b/fs/f2fs/node.c
+@@ -2406,7 +2406,7 @@ bool f2fs_alloc_nid(struct f2fs_sb_info *sbi, nid_t *nid)
+ struct free_nid *i = NULL;
+ retry:
+ if (time_to_inject(sbi, FAULT_ALLOC_NID)) {
+- f2fs_show_injection_info(FAULT_ALLOC_NID);
++ f2fs_show_injection_info(sbi, FAULT_ALLOC_NID);
+ return false;
+ }
+
+diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
+index 5ba677f85533..78c54bb7898d 100644
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -489,7 +489,7 @@ int f2fs_commit_inmem_pages(struct inode *inode)
+ void f2fs_balance_fs(struct f2fs_sb_info *sbi, bool need)
+ {
+ if (time_to_inject(sbi, FAULT_CHECKPOINT)) {
+- f2fs_show_injection_info(FAULT_CHECKPOINT);
++ f2fs_show_injection_info(sbi, FAULT_CHECKPOINT);
+ f2fs_stop_checkpoint(sbi, false);
+ }
+
+@@ -1017,8 +1017,9 @@ static void __remove_discard_cmd(struct f2fs_sb_info *sbi,
+
+ if (dc->error)
+ printk_ratelimited(
+- "%sF2FS-fs: Issue discard(%u, %u, %u) failed, ret: %d",
+- KERN_INFO, dc->lstart, dc->start, dc->len, dc->error);
++ "%sF2FS-fs (%s): Issue discard(%u, %u, %u) failed, ret: %d",
++ KERN_INFO, sbi->sb->s_id,
++ dc->lstart, dc->start, dc->len, dc->error);
+ __detach_discard_cmd(dcc, dc);
+ }
+
+@@ -1158,7 +1159,7 @@ static int __submit_discard_cmd(struct f2fs_sb_info *sbi,
+ dc->len += len;
+
+ if (time_to_inject(sbi, FAULT_DISCARD)) {
+- f2fs_show_injection_info(FAULT_DISCARD);
++ f2fs_show_injection_info(sbi, FAULT_DISCARD);
+ err = -EIO;
+ goto submit;
+ }
+--
+2.30.2
+
--- /dev/null
+From dbc299b1e1b08c319f92b7060006e45ed0a7b0e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Aug 2021 11:47:01 +0800
+Subject: fix array-index-out-of-bounds in taprio_change
+
+From: Haimin Zhang <tcs_kernel@tencent.com>
+
+[ Upstream commit efe487fce3061d94222c6501d7be3aa549b3dc78 ]
+
+syzbot report an array-index-out-of-bounds in taprio_change
+index 16 is out of range for type '__u16 [16]'
+that's because mqprio->num_tc is lager than TC_MAX_QUEUE,so we check
+the return value of netdev_set_num_tc.
+
+Reported-by: syzbot+2b3e5fb6c7ef285a94f6@syzkaller.appspotmail.com
+Signed-off-by: Haimin Zhang <tcs_kernel@tencent.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_taprio.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c
+index a4de4853c79d..da9ed0613eb7 100644
+--- a/net/sched/sch_taprio.c
++++ b/net/sched/sch_taprio.c
+@@ -1503,7 +1503,9 @@ static int taprio_change(struct Qdisc *sch, struct nlattr *opt,
+ taprio_set_picos_per_byte(dev, q);
+
+ if (mqprio) {
+- netdev_set_num_tc(dev, mqprio->num_tc);
++ err = netdev_set_num_tc(dev, mqprio->num_tc);
++ if (err)
++ goto free_sched;
+ for (i = 0; i < mqprio->num_tc; i++)
+ netdev_set_tc_queue(dev, i,
+ mqprio->count[i],
+--
+2.30.2
+
--- /dev/null
+From d247fd53abb900463d5391d02c40a34b4bc67fc8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jul 2021 14:25:11 -0500
+Subject: flow_dissector: Fix out-of-bounds warnings
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+[ Upstream commit 323e0cb473e2a8706ff162b6b4f4fa16023c9ba7 ]
+
+Fix the following out-of-bounds warnings:
+
+ net/core/flow_dissector.c: In function '__skb_flow_dissect':
+>> net/core/flow_dissector.c:1104:4: warning: 'memcpy' offset [24, 39] from the object at '<unknown>' is out of the bounds of referenced subobject 'saddr' with type 'struct in6_addr' at offset 8 [-Warray-bounds]
+ 1104 | memcpy(&key_addrs->v6addrs, &iph->saddr,
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ 1105 | sizeof(key_addrs->v6addrs));
+ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ In file included from include/linux/ipv6.h:5,
+ from net/core/flow_dissector.c:6:
+ include/uapi/linux/ipv6.h:133:18: note: subobject 'saddr' declared here
+ 133 | struct in6_addr saddr;
+ | ^~~~~
+>> net/core/flow_dissector.c:1059:4: warning: 'memcpy' offset [16, 19] from the object at '<unknown>' is out of the bounds of referenced subobject 'saddr' with type 'unsigned int' at offset 12 [-Warray-bounds]
+ 1059 | memcpy(&key_addrs->v4addrs, &iph->saddr,
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ 1060 | sizeof(key_addrs->v4addrs));
+ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ In file included from include/linux/ip.h:17,
+ from net/core/flow_dissector.c:5:
+ include/uapi/linux/ip.h:103:9: note: subobject 'saddr' declared here
+ 103 | __be32 saddr;
+ | ^~~~~
+
+The problem is that the original code is trying to copy data into a
+couple of struct members adjacent to each other in a single call to
+memcpy(). So, the compiler legitimately complains about it. As these
+are just a couple of members, fix this by copying each one of them in
+separate calls to memcpy().
+
+This helps with the ongoing efforts to globally enable -Warray-bounds
+and get us closer to being able to tighten the FORTIFY_SOURCE routines
+on memcpy().
+
+Link: https://github.com/KSPP/linux/issues/109
+Reported-by: kernel test robot <lkp@intel.com>
+Link: https://lore.kernel.org/lkml/d5ae2e65-1f18-2577-246f-bada7eee6ccd@intel.com/
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/flow_dissector.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
+index 96957a7c732f..b740a74f06f2 100644
+--- a/net/core/flow_dissector.c
++++ b/net/core/flow_dissector.c
+@@ -1025,8 +1025,10 @@ bool __skb_flow_dissect(const struct net *net,
+ FLOW_DISSECTOR_KEY_IPV4_ADDRS,
+ target_container);
+
+- memcpy(&key_addrs->v4addrs, &iph->saddr,
+- sizeof(key_addrs->v4addrs));
++ memcpy(&key_addrs->v4addrs.src, &iph->saddr,
++ sizeof(key_addrs->v4addrs.src));
++ memcpy(&key_addrs->v4addrs.dst, &iph->daddr,
++ sizeof(key_addrs->v4addrs.dst));
+ key_control->addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS;
+ }
+
+@@ -1070,8 +1072,10 @@ bool __skb_flow_dissect(const struct net *net,
+ FLOW_DISSECTOR_KEY_IPV6_ADDRS,
+ target_container);
+
+- memcpy(&key_addrs->v6addrs, &iph->saddr,
+- sizeof(key_addrs->v6addrs));
++ memcpy(&key_addrs->v6addrs.src, &iph->saddr,
++ sizeof(key_addrs->v6addrs.src));
++ memcpy(&key_addrs->v6addrs.dst, &iph->daddr,
++ sizeof(key_addrs->v6addrs.dst));
+ key_control->addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From d80bd3545c06703b08572bab18d92438464b0e55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jun 2021 14:21:00 +0100
+Subject: fscache: Fix cookie key hashing
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 35b72573e977ed6b18b094136a4fa3e0ffb13603 ]
+
+The current hash algorithm used for hashing cookie keys is really bad,
+producing almost no dispersion (after a test kernel build, ~30000 files
+were split over just 18 out of the 32768 hash buckets).
+
+Borrow the full_name_hash() hash function into fscache to do the hashing
+for cookie keys and, in the future, volume keys.
+
+I don't want to use full_name_hash() as-is because I want the hash value to
+be consistent across arches and over time as the hash value produced may
+get used on disk.
+
+I can also optimise parts of it away as the key will always be a padded
+array of aligned 32-bit words.
+
+Fixes: ec0328e46d6e ("fscache: Maintain a catalogue of allocated cookies")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+cc: linux-cachefs@redhat.com
+Link: https://lore.kernel.org/r/162431201844.2908479.8293647220901514696.stgit@warthog.procyon.org.uk/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fscache/cookie.c | 14 +-------------
+ fs/fscache/internal.h | 2 ++
+ fs/fscache/main.c | 39 +++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 42 insertions(+), 13 deletions(-)
+
+diff --git a/fs/fscache/cookie.c b/fs/fscache/cookie.c
+index 0ce39658a620..44a426c8ea01 100644
+--- a/fs/fscache/cookie.c
++++ b/fs/fscache/cookie.c
+@@ -74,10 +74,8 @@ void fscache_free_cookie(struct fscache_cookie *cookie)
+ static int fscache_set_key(struct fscache_cookie *cookie,
+ const void *index_key, size_t index_key_len)
+ {
+- unsigned long long h;
+ u32 *buf;
+ int bufs;
+- int i;
+
+ bufs = DIV_ROUND_UP(index_key_len, sizeof(*buf));
+
+@@ -91,17 +89,7 @@ static int fscache_set_key(struct fscache_cookie *cookie,
+ }
+
+ memcpy(buf, index_key, index_key_len);
+-
+- /* Calculate a hash and combine this with the length in the first word
+- * or first half word
+- */
+- h = (unsigned long)cookie->parent;
+- h += index_key_len + cookie->type;
+-
+- for (i = 0; i < bufs; i++)
+- h += buf[i];
+-
+- cookie->key_hash = h ^ (h >> 32);
++ cookie->key_hash = fscache_hash(0, buf, bufs);
+ return 0;
+ }
+
+diff --git a/fs/fscache/internal.h b/fs/fscache/internal.h
+index 9616af3768e1..d09d4e69c818 100644
+--- a/fs/fscache/internal.h
++++ b/fs/fscache/internal.h
+@@ -97,6 +97,8 @@ extern struct workqueue_struct *fscache_object_wq;
+ extern struct workqueue_struct *fscache_op_wq;
+ DECLARE_PER_CPU(wait_queue_head_t, fscache_object_cong_wait);
+
++extern unsigned int fscache_hash(unsigned int salt, unsigned int *data, unsigned int n);
++
+ static inline bool fscache_object_congested(void)
+ {
+ return workqueue_congested(WORK_CPU_UNBOUND, fscache_object_wq);
+diff --git a/fs/fscache/main.c b/fs/fscache/main.c
+index 59c2494efda3..3aa3756c7176 100644
+--- a/fs/fscache/main.c
++++ b/fs/fscache/main.c
+@@ -94,6 +94,45 @@ static struct ctl_table fscache_sysctls_root[] = {
+ };
+ #endif
+
++/*
++ * Mixing scores (in bits) for (7,20):
++ * Input delta: 1-bit 2-bit
++ * 1 round: 330.3 9201.6
++ * 2 rounds: 1246.4 25475.4
++ * 3 rounds: 1907.1 31295.1
++ * 4 rounds: 2042.3 31718.6
++ * Perfect: 2048 31744
++ * (32*64) (32*31/2 * 64)
++ */
++#define HASH_MIX(x, y, a) \
++ ( x ^= (a), \
++ y ^= x, x = rol32(x, 7),\
++ x += y, y = rol32(y,20),\
++ y *= 9 )
++
++static inline unsigned int fold_hash(unsigned long x, unsigned long y)
++{
++ /* Use arch-optimized multiply if one exists */
++ return __hash_32(y ^ __hash_32(x));
++}
++
++/*
++ * Generate a hash. This is derived from full_name_hash(), but we want to be
++ * sure it is arch independent and that it doesn't change as bits of the
++ * computed hash value might appear on disk. The caller also guarantees that
++ * the hashed data will be a series of aligned 32-bit words.
++ */
++unsigned int fscache_hash(unsigned int salt, unsigned int *data, unsigned int n)
++{
++ unsigned int a, x = 0, y = salt;
++
++ for (; n; n--) {
++ a = *data++;
++ HASH_MIX(x, y, a);
++ }
++ return fold_hash(x, y);
++}
++
+ /*
+ * initialise the fs caching module
+ */
+--
+2.30.2
+
--- /dev/null
+From a4aa00177705cc2961d18e16199d2162f1eb0eb7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Jul 2021 12:41:49 -0500
+Subject: gfs2: Don't call dlm after protocol is unmounted
+
+From: Bob Peterson <rpeterso@redhat.com>
+
+[ Upstream commit d1340f80f0b8066321b499a376780da00560e857 ]
+
+In the gfs2 withdraw sequence, the dlm protocol is unmounted with a call
+to lm_unmount. After a withdraw, users are allowed to unmount the
+withdrawn file system. But at that point we may still have glocks left
+over that we need to free via unmount's call to gfs2_gl_hash_clear.
+These glocks may have never been completed because of whatever problem
+caused the withdraw (IO errors or whatever).
+
+Before this patch, function gdlm_put_lock would still try to call into
+dlm to unlock these leftover glocks, which resulted in dlm returning
+-EINVAL because the lock space was abandoned. These glocks were never
+freed because there was no mechanism after that to free them.
+
+This patch adds a check to gdlm_put_lock to see if the locking protocol
+was inactive (DFL_UNMOUNT flag) and if so, free the glock and not
+make the invalid call into dlm.
+
+I could have combined this "if" with the one that follows, related to
+leftover glock LVBs, but I felt the code was more readable with its own
+if clause.
+
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/lock_dlm.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/gfs2/lock_dlm.c b/fs/gfs2/lock_dlm.c
+index 72dec177b349..94c290a333a0 100644
+--- a/fs/gfs2/lock_dlm.c
++++ b/fs/gfs2/lock_dlm.c
+@@ -292,6 +292,11 @@ static void gdlm_put_lock(struct gfs2_glock *gl)
+ gfs2_sbstats_inc(gl, GFS2_LKS_DCOUNT);
+ gfs2_update_request_times(gl);
+
++ /* don't want to call dlm if we've unmounted the lock protocol */
++ if (test_bit(DFL_UNMOUNT, &ls->ls_recover_flags)) {
++ gfs2_glock_free(gl);
++ return;
++ }
+ /* don't want to skip dlm_unlock writing the lvb when lock has one */
+
+ if (test_bit(SDF_SKIP_DLM_UNLOCK, &sdp->sd_flags) &&
+--
+2.30.2
+
--- /dev/null
+From 399c115c8bc169dd0be350457806a56b4c20f8b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Aug 2021 04:34:58 -0700
+Subject: gpu: drm: amd: amdgpu: amdgpu_i2c: fix possible
+ uninitialized-variable access in amdgpu_i2c_router_select_ddc_port()
+
+From: Tuo Li <islituo@gmail.com>
+
+[ Upstream commit a211260c34cfadc6068fece8c9e99e0fe1e2a2b6 ]
+
+The variable val is declared without initialization, and its address is
+passed to amdgpu_i2c_get_byte(). In this function, the value of val is
+accessed in:
+ DRM_DEBUG("i2c 0x%02x 0x%02x read failed\n",
+ addr, *val);
+
+Also, when amdgpu_i2c_get_byte() returns, val may remain uninitialized,
+but it is accessed in:
+ val &= ~amdgpu_connector->router.ddc_mux_control_pin;
+
+To fix this possible uninitialized-variable access, initialize val to 0 in
+amdgpu_i2c_router_select_ddc_port().
+
+Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
+Signed-off-by: Tuo Li <islituo@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_i2c.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_i2c.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_i2c.c
+index 70dbe343f51d..89cecdba81ac 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_i2c.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_i2c.c
+@@ -339,7 +339,7 @@ static void amdgpu_i2c_put_byte(struct amdgpu_i2c_chan *i2c_bus,
+ void
+ amdgpu_i2c_router_select_ddc_port(const struct amdgpu_connector *amdgpu_connector)
+ {
+- u8 val;
++ u8 val = 0;
+
+ if (!amdgpu_connector->router.ddc_valid)
+ return;
+--
+2.30.2
+
--- /dev/null
+From c916dab0e66f8c25d816303b42660de984416b8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Aug 2021 23:55:05 -0700
+Subject: HID: i2c-hid: Fix Elan touchpad regression
+
+From: Jim Broadus <jbroadus@gmail.com>
+
+[ Upstream commit 786537063bbfb3a7ebc6fc21b2baf37fb91df401 ]
+
+A quirk was recently added for Elan devices that has same device match
+as an entry earlier in the list. The i2c_hid_lookup_quirk function will
+always return the last match in the list, so the new entry shadows the
+old entry. The quirk in the previous entry, I2C_HID_QUIRK_BOGUS_IRQ,
+silenced a flood of messages which have reappeared in the 5.13 kernel.
+
+This change moves the two quirk flags into the same entry.
+
+Fixes: ca66a6770bd9 (HID: i2c-hid: Skip ELAN power-on command after reset)
+Signed-off-by: Jim Broadus <jbroadus@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/i2c-hid/i2c-hid-core.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c
+index 6f7a3702b5fb..ac076ac73de5 100644
+--- a/drivers/hid/i2c-hid/i2c-hid-core.c
++++ b/drivers/hid/i2c-hid/i2c-hid-core.c
+@@ -178,8 +178,6 @@ static const struct i2c_hid_quirks {
+ I2C_HID_QUIRK_NO_IRQ_AFTER_RESET },
+ { I2C_VENDOR_ID_RAYDIUM, I2C_PRODUCT_ID_RAYDIUM_3118,
+ I2C_HID_QUIRK_NO_IRQ_AFTER_RESET },
+- { USB_VENDOR_ID_ELAN, HID_ANY_ID,
+- I2C_HID_QUIRK_BOGUS_IRQ },
+ { USB_VENDOR_ID_ALPS_JP, HID_ANY_ID,
+ I2C_HID_QUIRK_RESET_ON_RESUME },
+ { I2C_VENDOR_ID_SYNAPTICS, I2C_PRODUCT_ID_SYNAPTICS_SYNA2393,
+@@ -190,7 +188,8 @@ static const struct i2c_hid_quirks {
+ * Sending the wakeup after reset actually break ELAN touchscreen controller
+ */
+ { USB_VENDOR_ID_ELAN, HID_ANY_ID,
+- I2C_HID_QUIRK_NO_WAKEUP_AFTER_RESET },
++ I2C_HID_QUIRK_NO_WAKEUP_AFTER_RESET |
++ I2C_HID_QUIRK_BOGUS_IRQ },
+ { 0, 0 }
+ };
+
+--
+2.30.2
+
--- /dev/null
+From cdc4c0bda9bd0c7d52d1a4dcc71a783eaa4e746f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jun 2021 11:25:50 -0700
+Subject: HID: input: do not report stylus battery state as "full"
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+[ Upstream commit f4abaa9eebde334045ed6ac4e564d050f1df3013 ]
+
+The power supply states of discharging, charging, full, etc, represent
+state of charging, not the capacity level of the battery (for which
+we have a separate property). Current HID usage tables to not allow
+for expressing charging state of the batteries found in generic
+styli, so we should simply assume that the battery is discharging
+even if current capacity is at 100% when battery strength reporting
+is done via HID interface. In fact, we were doing just that before
+commit 581c4484769e.
+
+This change helps UIs to not mis-represent fully charged batteries in
+styli as being charging/topping-off.
+
+Fixes: 581c4484769e ("HID: input: map digitizer battery usage")
+Reported-by: Kenneth Albanowski <kenalba@google.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-input.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
+index 6d551ae251c0..ea4c97f5b073 100644
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -415,8 +415,6 @@ static int hidinput_get_battery_property(struct power_supply *psy,
+
+ if (dev->battery_status == HID_BATTERY_UNKNOWN)
+ val->intval = POWER_SUPPLY_STATUS_UNKNOWN;
+- else if (dev->battery_capacity == 100)
+- val->intval = POWER_SUPPLY_STATUS_FULL;
+ else
+ val->intval = POWER_SUPPLY_STATUS_DISCHARGING;
+ break;
+--
+2.30.2
+
--- /dev/null
+From 44b789d6cfc1aae48f2dc2d9c0c0a342971575c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jul 2021 09:43:11 +0200
+Subject: hvsi: don't panic on tty_register_driver failure
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+[ Upstream commit 7ccbdcc4d08a6d7041e4849219bbb12ffa45db4c ]
+
+The alloc_tty_driver failure is handled gracefully in hvsi_init. But
+tty_register_driver is not. panic is called if that one fails.
+
+So handle the failure of tty_register_driver gracefully too. This will
+keep at least the console functional as it was enabled earlier by
+console_initcall in hvsi_console_init. Instead of shooting down the
+whole system.
+
+This means, we disable interrupts and restore hvsi_wait back to
+poll_for_state().
+
+Cc: linuxppc-dev@lists.ozlabs.org
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Link: https://lore.kernel.org/r/20210723074317.32690-3-jslaby@suse.cz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/hvc/hvsi.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/tty/hvc/hvsi.c b/drivers/tty/hvc/hvsi.c
+index 66f95f758be0..73226337f561 100644
+--- a/drivers/tty/hvc/hvsi.c
++++ b/drivers/tty/hvc/hvsi.c
+@@ -1038,7 +1038,7 @@ static const struct tty_operations hvsi_ops = {
+
+ static int __init hvsi_init(void)
+ {
+- int i;
++ int i, ret;
+
+ hvsi_driver = alloc_tty_driver(hvsi_count);
+ if (!hvsi_driver)
+@@ -1069,12 +1069,25 @@ static int __init hvsi_init(void)
+ }
+ hvsi_wait = wait_for_state; /* irqs active now */
+
+- if (tty_register_driver(hvsi_driver))
+- panic("Couldn't register hvsi console driver\n");
++ ret = tty_register_driver(hvsi_driver);
++ if (ret) {
++ pr_err("Couldn't register hvsi console driver\n");
++ goto err_free_irq;
++ }
+
+ printk(KERN_DEBUG "HVSI: registered %i devices\n", hvsi_count);
+
+ return 0;
++err_free_irq:
++ hvsi_wait = poll_for_state;
++ for (i = 0; i < hvsi_count; i++) {
++ struct hvsi_struct *hp = &hvsi_ports[i];
++
++ free_irq(hp->virq, hp);
++ }
++ tty_driver_kref_put(hvsi_driver);
++
++ return ret;
+ }
+ device_initcall(hvsi_init);
+
+--
+2.30.2
+
--- /dev/null
+From 4530bbb11134b5bfb4ccd11b897d24361b786fa4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Mar 2021 13:38:56 +0100
+Subject: iavf: do not override the adapter state in the watchdog task
+
+From: Stefan Assmann <sassmann@kpanic.de>
+
+[ Upstream commit 22c8fd71d3a5e6fe584ccc2c1e8760e5baefd5aa ]
+
+The iavf watchdog task overrides adapter->state to __IAVF_RESETTING
+when it detects a pending reset. Then schedules iavf_reset_task() which
+takes care of the reset.
+
+The reset task is capable of handling the reset without changing
+adapter->state. In fact we lose the state information when the watchdog
+task prematurely changes the adapter state. This may lead to a crash if
+instead of the reset task the iavf_remove() function gets called before
+the reset task.
+In that case (if we were in state __IAVF_RUNNING previously) the
+iavf_remove() function triggers iavf_close() which fails to close the
+device because of the incorrect state information.
+
+This may result in a crash due to pending interrupts.
+kernel BUG at drivers/pci/msi.c:357!
+[...]
+Call Trace:
+ [<ffffffffbddf24dd>] pci_disable_msix+0x3d/0x50
+ [<ffffffffc08d2a63>] iavf_reset_interrupt_capability+0x23/0x40 [iavf]
+ [<ffffffffc08d312a>] iavf_remove+0x10a/0x350 [iavf]
+ [<ffffffffbddd3359>] pci_device_remove+0x39/0xc0
+ [<ffffffffbdeb492f>] __device_release_driver+0x7f/0xf0
+ [<ffffffffbdeb49c3>] device_release_driver+0x23/0x30
+ [<ffffffffbddcabb4>] pci_stop_bus_device+0x84/0xa0
+ [<ffffffffbddcacc2>] pci_stop_and_remove_bus_device+0x12/0x20
+ [<ffffffffbddf361f>] pci_iov_remove_virtfn+0xaf/0x160
+ [<ffffffffbddf3bcc>] sriov_disable+0x3c/0xf0
+ [<ffffffffbddf3ca3>] pci_disable_sriov+0x23/0x30
+ [<ffffffffc0667365>] i40e_free_vfs+0x265/0x2d0 [i40e]
+ [<ffffffffc0667624>] i40e_pci_sriov_configure+0x144/0x1f0 [i40e]
+ [<ffffffffbddd5307>] sriov_numvfs_store+0x177/0x1d0
+Code: 00 00 e8 3c 25 e3 ff 49 c7 86 88 08 00 00 00 00 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 48 8b 7b 28 e8 0d 44
+RIP [<ffffffffbbbf1068>] free_msi_irqs+0x188/0x190
+
+The solution is to not touch the adapter->state in iavf_watchdog_task()
+and let the reset task handle the state transition.
+
+Signed-off-by: Stefan Assmann <sassmann@kpanic.de>
+Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index 94a3f000e999..3e76111af872 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -1961,7 +1961,6 @@ static void iavf_watchdog_task(struct work_struct *work)
+ /* check for hw reset */
+ reg_val = rd32(hw, IAVF_VF_ARQLEN1) & IAVF_VF_ARQLEN1_ARQENABLE_MASK;
+ if (!reg_val) {
+- adapter->state = __IAVF_RESETTING;
+ adapter->flags |= IAVF_FLAG_RESET_PENDING;
+ adapter->aq_required = 0;
+ adapter->current_op = VIRTCHNL_OP_UNKNOWN;
+--
+2.30.2
+
--- /dev/null
+From d1a4fe9f0ec525fc77dcd13f3640f5d106509b74 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Mar 2021 11:01:41 +0100
+Subject: iavf: fix locking of critical sections
+
+From: Stefan Assmann <sassmann@kpanic.de>
+
+[ Upstream commit 226d528512cfac890a1619aea4301f3dd314fe60 ]
+
+To avoid races between iavf_init_task(), iavf_reset_task(),
+iavf_watchdog_task(), iavf_adminq_task() as well as the shutdown and
+remove functions more locking is required.
+The current protection by __IAVF_IN_CRITICAL_TASK is needed in
+additional places.
+
+- The reset task performs state transitions, therefore needs locking.
+- The adminq task acts on replies from the PF in
+ iavf_virtchnl_completion() which may alter the states.
+- The init task is not only run during probe but also if a VF gets stuck
+ to reinitialize it.
+- The shutdown function performs a state transition.
+- The remove function performs a state transition and also free's
+ resources.
+
+iavf_lock_timeout() is introduced to avoid waiting infinitely
+and cause a deadlock. Rather unlock and print a warning.
+
+Signed-off-by: Stefan Assmann <sassmann@kpanic.de>
+Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 57 ++++++++++++++++++---
+ 1 file changed, 50 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index 3e76111af872..bc46c262b42d 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -142,6 +142,30 @@ enum iavf_status iavf_free_virt_mem_d(struct iavf_hw *hw,
+ return 0;
+ }
+
++/**
++ * iavf_lock_timeout - try to set bit but give up after timeout
++ * @adapter: board private structure
++ * @bit: bit to set
++ * @msecs: timeout in msecs
++ *
++ * Returns 0 on success, negative on failure
++ **/
++static int iavf_lock_timeout(struct iavf_adapter *adapter,
++ enum iavf_critical_section_t bit,
++ unsigned int msecs)
++{
++ unsigned int wait, delay = 10;
++
++ for (wait = 0; wait < msecs; wait += delay) {
++ if (!test_and_set_bit(bit, &adapter->crit_section))
++ return 0;
++
++ msleep(delay);
++ }
++
++ return -1;
++}
++
+ /**
+ * iavf_schedule_reset - Set the flags and schedule a reset event
+ * @adapter: board private structure
+@@ -2076,6 +2100,10 @@ static void iavf_reset_task(struct work_struct *work)
+ if (test_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section))
+ return;
+
++ if (iavf_lock_timeout(adapter, __IAVF_IN_CRITICAL_TASK, 200)) {
++ schedule_work(&adapter->reset_task);
++ return;
++ }
+ while (test_and_set_bit(__IAVF_IN_CLIENT_TASK,
+ &adapter->crit_section))
+ usleep_range(500, 1000);
+@@ -2290,6 +2318,8 @@ static void iavf_adminq_task(struct work_struct *work)
+ if (!event.msg_buf)
+ goto out;
+
++ if (iavf_lock_timeout(adapter, __IAVF_IN_CRITICAL_TASK, 200))
++ goto freedom;
+ do {
+ ret = iavf_clean_arq_element(hw, &event, &pending);
+ v_op = (enum virtchnl_ops)le32_to_cpu(event.desc.cookie_high);
+@@ -2303,6 +2333,7 @@ static void iavf_adminq_task(struct work_struct *work)
+ if (pending != 0)
+ memset(event.msg_buf, 0, IAVF_MAX_AQ_BUF_SIZE);
+ } while (pending);
++ clear_bit(__IAVF_IN_CRITICAL_TASK, &adapter->crit_section);
+
+ if ((adapter->flags &
+ (IAVF_FLAG_RESET_PENDING | IAVF_FLAG_RESET_NEEDED)) ||
+@@ -3599,6 +3630,10 @@ static void iavf_init_task(struct work_struct *work)
+ init_task.work);
+ struct iavf_hw *hw = &adapter->hw;
+
++ if (iavf_lock_timeout(adapter, __IAVF_IN_CRITICAL_TASK, 5000)) {
++ dev_warn(&adapter->pdev->dev, "failed to set __IAVF_IN_CRITICAL_TASK in %s\n", __FUNCTION__);
++ return;
++ }
+ switch (adapter->state) {
+ case __IAVF_STARTUP:
+ if (iavf_startup(adapter) < 0)
+@@ -3611,14 +3646,14 @@ static void iavf_init_task(struct work_struct *work)
+ case __IAVF_INIT_GET_RESOURCES:
+ if (iavf_init_get_resources(adapter) < 0)
+ goto init_failed;
+- return;
++ goto out;
+ default:
+ goto init_failed;
+ }
+
+ queue_delayed_work(iavf_wq, &adapter->init_task,
+ msecs_to_jiffies(30));
+- return;
++ goto out;
+ init_failed:
+ if (++adapter->aq_wait_count > IAVF_AQ_MAX_ERR) {
+ dev_err(&adapter->pdev->dev,
+@@ -3627,9 +3662,11 @@ static void iavf_init_task(struct work_struct *work)
+ iavf_shutdown_adminq(hw);
+ adapter->state = __IAVF_STARTUP;
+ queue_delayed_work(iavf_wq, &adapter->init_task, HZ * 5);
+- return;
++ goto out;
+ }
+ queue_delayed_work(iavf_wq, &adapter->init_task, HZ);
++out:
++ clear_bit(__IAVF_IN_CRITICAL_TASK, &adapter->crit_section);
+ }
+
+ /**
+@@ -3646,9 +3683,12 @@ static void iavf_shutdown(struct pci_dev *pdev)
+ if (netif_running(netdev))
+ iavf_close(netdev);
+
++ if (iavf_lock_timeout(adapter, __IAVF_IN_CRITICAL_TASK, 5000))
++ dev_warn(&adapter->pdev->dev, "failed to set __IAVF_IN_CRITICAL_TASK in %s\n", __FUNCTION__);
+ /* Prevent the watchdog from running. */
+ adapter->state = __IAVF_REMOVE;
+ adapter->aq_required = 0;
++ clear_bit(__IAVF_IN_CRITICAL_TASK, &adapter->crit_section);
+
+ #ifdef CONFIG_PM
+ pci_save_state(pdev);
+@@ -3877,10 +3917,6 @@ static void iavf_remove(struct pci_dev *pdev)
+ err);
+ }
+
+- /* Shut down all the garbage mashers on the detention level */
+- adapter->state = __IAVF_REMOVE;
+- adapter->aq_required = 0;
+- adapter->flags &= ~IAVF_FLAG_REINIT_ITR_NEEDED;
+ iavf_request_reset(adapter);
+ msleep(50);
+ /* If the FW isn't responding, kick it once, but only once. */
+@@ -3888,6 +3924,13 @@ static void iavf_remove(struct pci_dev *pdev)
+ iavf_request_reset(adapter);
+ msleep(50);
+ }
++ if (iavf_lock_timeout(adapter, __IAVF_IN_CRITICAL_TASK, 5000))
++ dev_warn(&adapter->pdev->dev, "failed to set __IAVF_IN_CRITICAL_TASK in %s\n", __FUNCTION__);
++
++ /* Shut down all the garbage mashers on the detention level */
++ adapter->state = __IAVF_REMOVE;
++ adapter->aq_required = 0;
++ adapter->flags &= ~IAVF_FLAG_REINIT_ITR_NEEDED;
+ iavf_free_all_tx_resources(adapter);
+ iavf_free_all_rx_resources(adapter);
+ iavf_misc_irq_disable(adapter);
+--
+2.30.2
+
--- /dev/null
+From 9a9633da14ae70b25d9f2266d48fb0d256c2bd39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 12:04:45 -0400
+Subject: IB/hfi1: Adjust pkey entry in index 0
+
+From: Mike Marciniszyn <mike.marciniszyn@cornelisnetworks.com>
+
+[ Upstream commit 62004871e1fa7f9a60797595c03477af5b5ec36f ]
+
+It is possible for the primary IPoIB network device associated with any
+RDMA device to fail to join certain multicast groups preventing IPv6
+neighbor discovery and possibly other network ULPs from working
+correctly. The IPv4 broadcast group is not affected as the IPoIB network
+device handles joining that multicast group directly.
+
+This is because the primary IPoIB network device uses the pkey at ndex 0
+in the associated RDMA device's pkey table. Anytime the pkey value of
+index 0 changes, the primary IPoIB network device automatically modifies
+it's broadcast address (i.e. /sys/class/net/[ib0]/broadcast), since the
+broadcast address includes the pkey value, and then bounces carrier. This
+includes initial pkey assignment, such as when the pkey at index 0
+transitions from the opa default of invalid (0x0000) to some value such as
+the OPA default pkey for Virtual Fabric 0: 0x8001 or when the fabric
+manager is restarted with a configuration change causing the pkey at index
+0 to change. Many network ULPs are not sensitive to the carrier bounce and
+are not expecting the broadcast address to change including the linux IPv6
+stack. This problem does not affect IPoIB child network devices as their
+pkey value is constant for all time.
+
+To mitigate this issue, change the default pkey in at index 0 to 0x8001 to
+cover the predominant case and avoid issues as ipoib comes up and the FM
+sweeps.
+
+At some point, ipoib multicast support should automatically fix
+non-broadcast addresses as it does with the primary broadcast address.
+
+Fixes: 7724105686e7 ("IB/hfi1: add driver files")
+Link: https://lore.kernel.org/r/20210715160445.142451.47651.stgit@awfm-01.cornelisnetworks.com
+Suggested-by: Josh Collier <josh.d.collier@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@cornelisnetworks.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/init.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/init.c b/drivers/infiniband/hw/hfi1/init.c
+index fbff6b2f00e7..1256dbd5b2ef 100644
+--- a/drivers/infiniband/hw/hfi1/init.c
++++ b/drivers/infiniband/hw/hfi1/init.c
+@@ -664,12 +664,7 @@ void hfi1_init_pportdata(struct pci_dev *pdev, struct hfi1_pportdata *ppd,
+
+ ppd->pkeys[default_pkey_idx] = DEFAULT_P_KEY;
+ ppd->part_enforce |= HFI1_PART_ENFORCE_IN;
+-
+- if (loopback) {
+- dd_dev_err(dd, "Faking data partition 0x8001 in idx %u\n",
+- !default_pkey_idx);
+- ppd->pkeys[!default_pkey_idx] = 0x8001;
+- }
++ ppd->pkeys[0] = 0x8001;
+
+ INIT_WORK(&ppd->link_vc_work, handle_verify_cap);
+ INIT_WORK(&ppd->link_up_work, handle_link_up);
+--
+2.30.2
+
--- /dev/null
+From a86e1bf558cece17c0718eec2749b66a3d622240 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Jun 2021 15:19:39 +0300
+Subject: igc: Check if num of q_vectors is smaller than max before array
+ access
+
+From: Sasha Neftin <sasha.neftin@intel.com>
+
+[ Upstream commit 373e2829e7c2e1e606503cdb5c97749f512a4be9 ]
+
+Ensure that the adapter->q_vector[MAX_Q_VECTORS] array isn't accessed
+beyond its size. It was fixed by using a local variable num_q_vectors
+as a limit for loop index, and ensure that num_q_vectors is not bigger
+than MAX_Q_VECTORS.
+
+Suggested-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Sasha Neftin <sasha.neftin@intel.com>
+Tested-by: Dvora Fuxbrumer <dvorax.fuxbrumer@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 084cf4a4114a..9ba05d9aa8e0 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -2693,6 +2693,7 @@ static irqreturn_t igc_msix_ring(int irq, void *data)
+ */
+ static int igc_request_msix(struct igc_adapter *adapter)
+ {
++ unsigned int num_q_vectors = adapter->num_q_vectors;
+ int i = 0, err = 0, vector = 0, free_vector = 0;
+ struct net_device *netdev = adapter->netdev;
+
+@@ -2701,7 +2702,13 @@ static int igc_request_msix(struct igc_adapter *adapter)
+ if (err)
+ goto err_out;
+
+- for (i = 0; i < adapter->num_q_vectors; i++) {
++ if (num_q_vectors > MAX_Q_VECTORS) {
++ num_q_vectors = MAX_Q_VECTORS;
++ dev_warn(&adapter->pdev->dev,
++ "The number of queue vectors (%d) is higher than max allowed (%d)\n",
++ adapter->num_q_vectors, MAX_Q_VECTORS);
++ }
++ for (i = 0; i < num_q_vectors; i++) {
+ struct igc_q_vector *q_vector = adapter->q_vector[i];
+
+ vector++;
+--
+2.30.2
+
--- /dev/null
+From a170027059ec9f618e01c751e67cdbc903a7bc80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Jun 2021 17:32:37 +0100
+Subject: iio: dac: ad5624r: Fix incorrect handling of an optional regulator.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 97683c851f9cdbd3ea55697cbe2dcb6af4287bbd ]
+
+The naming of the regulator is problematic. VCC is usually a supply
+voltage whereas these devices have a separate VREF pin.
+
+Secondly, the regulator core might have provided a stub regulator if
+a real regulator wasn't provided. That would in turn have failed to
+provide a voltage when queried. So reality was that there was no way
+to use the internal reference.
+
+In order to avoid breaking any dts out in the wild, make sure to fallback
+to the original vcc naming if vref is not available.
+
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reported-by: kernel test robot <lkp@intel.com>
+Acked-by: Nuno Sá <nuno.sa@analog.com>
+Link: https://lore.kernel.org/r/20210627163244.1090296-9-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/dac/ad5624r_spi.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iio/dac/ad5624r_spi.c b/drivers/iio/dac/ad5624r_spi.c
+index e6c022e1dc1c..17cc8b3fc5d8 100644
+--- a/drivers/iio/dac/ad5624r_spi.c
++++ b/drivers/iio/dac/ad5624r_spi.c
+@@ -229,7 +229,7 @@ static int ad5624r_probe(struct spi_device *spi)
+ if (!indio_dev)
+ return -ENOMEM;
+ st = iio_priv(indio_dev);
+- st->reg = devm_regulator_get(&spi->dev, "vcc");
++ st->reg = devm_regulator_get_optional(&spi->dev, "vref");
+ if (!IS_ERR(st->reg)) {
+ ret = regulator_enable(st->reg);
+ if (ret)
+@@ -240,6 +240,22 @@ static int ad5624r_probe(struct spi_device *spi)
+ goto error_disable_reg;
+
+ voltage_uv = ret;
++ } else {
++ if (PTR_ERR(st->reg) != -ENODEV)
++ return PTR_ERR(st->reg);
++ /* Backwards compatibility. This naming is not correct */
++ st->reg = devm_regulator_get_optional(&spi->dev, "vcc");
++ if (!IS_ERR(st->reg)) {
++ ret = regulator_enable(st->reg);
++ if (ret)
++ return ret;
++
++ ret = regulator_get_voltage(st->reg);
++ if (ret < 0)
++ goto error_disable_reg;
++
++ voltage_uv = ret;
++ }
+ }
+
+ spi_set_drvdata(spi, indio_dev);
+--
+2.30.2
+
--- /dev/null
+From 706745385d54eff3d4c45f964c8680a19f4764b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jul 2021 14:52:51 -0500
+Subject: ipv4: ip_output.c: Fix out-of-bounds warning in ip_copy_addrs()
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+[ Upstream commit 6321c7acb82872ef6576c520b0e178eaad3a25c0 ]
+
+Fix the following out-of-bounds warning:
+
+ In function 'ip_copy_addrs',
+ inlined from '__ip_queue_xmit' at net/ipv4/ip_output.c:517:2:
+net/ipv4/ip_output.c:449:2: warning: 'memcpy' offset [40, 43] from the object at 'fl' is out of the bounds of referenced subobject 'saddr' with type 'unsigned int' at offset 36 [-Warray-bounds]
+ 449 | memcpy(&iph->saddr, &fl4->saddr,
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ 450 | sizeof(fl4->saddr) + sizeof(fl4->daddr));
+ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The problem is that the original code is trying to copy data into a
+couple of struct members adjacent to each other in a single call to
+memcpy(). This causes a legitimate compiler warning because memcpy()
+overruns the length of &iph->saddr and &fl4->saddr. As these are just
+a couple of struct members, fix this by using direct assignments,
+instead of memcpy().
+
+This helps with the ongoing efforts to globally enable -Warray-bounds
+and get us closer to being able to tighten the FORTIFY_SOURCE routines
+on memcpy().
+
+Link: https://github.com/KSPP/linux/issues/109
+Reported-by: kernel test robot <lkp@intel.com>
+Link: https://lore.kernel.org/lkml/d5ae2e65-1f18-2577-246f-bada7eee6ccd@intel.com/
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_output.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
+index f52bc9c22e5b..0ec529d77a56 100644
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -446,8 +446,9 @@ static void ip_copy_addrs(struct iphdr *iph, const struct flowi4 *fl4)
+ {
+ BUILD_BUG_ON(offsetof(typeof(*fl4), daddr) !=
+ offsetof(typeof(*fl4), saddr) + sizeof(fl4->saddr));
+- memcpy(&iph->saddr, &fl4->saddr,
+- sizeof(fl4->saddr) + sizeof(fl4->daddr));
++
++ iph->saddr = fl4->saddr;
++ iph->daddr = fl4->daddr;
+ }
+
+ /* Note: skb->sk can be different from sk, in case of tunnels */
+--
+2.30.2
+
--- /dev/null
+From 497e41bb4165833d8a38fe77b0d06d912b125894 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Aug 2021 17:28:27 +0300
+Subject: iwlwifi: mvm: avoid static queue number aliasing
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit c6ce1c74ef2923b8ffd85f7f8b486f804f343b39 ]
+
+When TVQM is enabled (iwl_mvm_has_new_tx_api() is true), then
+queue numbers are just sequentially assigned 0, 1, 2, ...
+Prior to TVQM, in DQA, there were some statically allocated
+queue numbers:
+ * IWL_MVM_DQA_AUX_QUEUE == 1,
+ * both IWL_MVM_DQA_INJECT_MONITOR_QUEUE and
+ IWL_MVM_DQA_P2P_DEVICE_QUEUE == 2, and
+ * IWL_MVM_DQA_AP_PROBE_RESP_QUEUE == 9.
+
+Now, these values are assigned to the members mvm->aux_queue,
+mvm->snif_queue, mvm->probe_queue and mvm->p2p_dev_queue by
+default. Normally, this doesn't really matter, and if TVQM is
+in fact available we override them to the real values after
+allocating a queue for use there.
+
+However, this allocation doesn't always happen. For example,
+for mvm->p2p_dev_queue (== 2) it only happens when the P2P
+Device interface is started, if any. If it's not started, the
+value in mvm->p2p_dev_queue remains 2. This wouldn't really
+matter all that much if it weren't for iwl_mvm_is_static_queue()
+which checks a queue number against one of those four static
+numbers.
+
+Now, if no P2P Device or monitor interface is added then queue
+2 may be dynamically allocated, yet alias mvm->p2p_dev_queue or
+mvm->snif_queue, and thus iwl_mvm_is_static_queue() erroneously
+returns true for it. If it then gets full, all interface queues
+are stopped, instead of just backpressuring against the one TXQ
+that's really the only affected one.
+
+This clearly can lead to issues, as everything is stopped even
+if just a single TXQ filled its corresponding HW queue, if it
+happens to have an appropriate number (2 or 9, AUX is always
+reassigned.) Due to a mac80211 bug, this also led to a situation
+in which the queues remained stopped across a deauthentication
+and then attempts to connect to a new AP started failing, but
+that's fixed separately.
+
+Fix all of this by simply initializing the queue numbers to
+the invalid value until they're used, if TVQM is enabled, and
+also setting them back to that value when the queues are later
+freed again.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20210802172232.2e47e623f9e2.I9b0830dafbb68ef35b7b8f0f46160abec02ac7d0@changeid
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 24 +++++++++++++---
+ drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 30 ++++++++++++--------
+ 2 files changed, 38 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+index 8b0576cde797..a9aab6c690e8 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+@@ -687,10 +687,26 @@ iwl_op_mode_mvm_start(struct iwl_trans *trans, const struct iwl_cfg *cfg,
+
+ mvm->fw_restart = iwlwifi_mod_params.fw_restart ? -1 : 0;
+
+- mvm->aux_queue = IWL_MVM_DQA_AUX_QUEUE;
+- mvm->snif_queue = IWL_MVM_DQA_INJECT_MONITOR_QUEUE;
+- mvm->probe_queue = IWL_MVM_DQA_AP_PROBE_RESP_QUEUE;
+- mvm->p2p_dev_queue = IWL_MVM_DQA_P2P_DEVICE_QUEUE;
++ if (iwl_mvm_has_new_tx_api(mvm)) {
++ /*
++ * If we have the new TX/queue allocation API initialize them
++ * all to invalid numbers. We'll rewrite the ones that we need
++ * later, but that doesn't happen for all of them all of the
++ * time (e.g. P2P Device is optional), and if a dynamic queue
++ * ends up getting number 2 (IWL_MVM_DQA_P2P_DEVICE_QUEUE) then
++ * iwl_mvm_is_static_queue() erroneously returns true, and we
++ * might have things getting stuck.
++ */
++ mvm->aux_queue = IWL_MVM_INVALID_QUEUE;
++ mvm->snif_queue = IWL_MVM_INVALID_QUEUE;
++ mvm->probe_queue = IWL_MVM_INVALID_QUEUE;
++ mvm->p2p_dev_queue = IWL_MVM_INVALID_QUEUE;
++ } else {
++ mvm->aux_queue = IWL_MVM_DQA_AUX_QUEUE;
++ mvm->snif_queue = IWL_MVM_DQA_INJECT_MONITOR_QUEUE;
++ mvm->probe_queue = IWL_MVM_DQA_AP_PROBE_RESP_QUEUE;
++ mvm->p2p_dev_queue = IWL_MVM_DQA_P2P_DEVICE_QUEUE;
++ }
+
+ mvm->sf_state = SF_UNINIT;
+ if (iwl_mvm_has_unified_ucode(mvm))
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+index 40cafcf40ccf..5df4bbb6c6de 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+@@ -346,8 +346,9 @@ static int iwl_mvm_invalidate_sta_queue(struct iwl_mvm *mvm, int queue,
+ }
+
+ static int iwl_mvm_disable_txq(struct iwl_mvm *mvm, struct ieee80211_sta *sta,
+- int queue, u8 tid, u8 flags)
++ u16 *queueptr, u8 tid, u8 flags)
+ {
++ int queue = *queueptr;
+ struct iwl_scd_txq_cfg_cmd cmd = {
+ .scd_queue = queue,
+ .action = SCD_CFG_DISABLE_QUEUE,
+@@ -356,6 +357,7 @@ static int iwl_mvm_disable_txq(struct iwl_mvm *mvm, struct ieee80211_sta *sta,
+
+ if (iwl_mvm_has_new_tx_api(mvm)) {
+ iwl_trans_txq_free(mvm->trans, queue);
++ *queueptr = IWL_MVM_INVALID_QUEUE;
+
+ return 0;
+ }
+@@ -517,6 +519,7 @@ static int iwl_mvm_free_inactive_queue(struct iwl_mvm *mvm, int queue,
+ u8 sta_id, tid;
+ unsigned long disable_agg_tids = 0;
+ bool same_sta;
++ u16 queue_tmp = queue;
+ int ret;
+
+ lockdep_assert_held(&mvm->mutex);
+@@ -539,7 +542,7 @@ static int iwl_mvm_free_inactive_queue(struct iwl_mvm *mvm, int queue,
+ iwl_mvm_invalidate_sta_queue(mvm, queue,
+ disable_agg_tids, false);
+
+- ret = iwl_mvm_disable_txq(mvm, old_sta, queue, tid, 0);
++ ret = iwl_mvm_disable_txq(mvm, old_sta, &queue_tmp, tid, 0);
+ if (ret) {
+ IWL_ERR(mvm,
+ "Failed to free inactive queue %d (ret=%d)\n",
+@@ -1209,6 +1212,7 @@ static int iwl_mvm_sta_alloc_queue(struct iwl_mvm *mvm,
+ unsigned int wdg_timeout =
+ iwl_mvm_get_wd_timeout(mvm, mvmsta->vif, false, false);
+ int queue = -1;
++ u16 queue_tmp;
+ unsigned long disable_agg_tids = 0;
+ enum iwl_mvm_agg_state queue_state;
+ bool shared_queue = false, inc_ssn;
+@@ -1357,7 +1361,8 @@ static int iwl_mvm_sta_alloc_queue(struct iwl_mvm *mvm,
+ return 0;
+
+ out_err:
+- iwl_mvm_disable_txq(mvm, sta, queue, tid, 0);
++ queue_tmp = queue;
++ iwl_mvm_disable_txq(mvm, sta, &queue_tmp, tid, 0);
+
+ return ret;
+ }
+@@ -1795,7 +1800,7 @@ static void iwl_mvm_disable_sta_queues(struct iwl_mvm *mvm,
+ if (mvm_sta->tid_data[i].txq_id == IWL_MVM_INVALID_QUEUE)
+ continue;
+
+- iwl_mvm_disable_txq(mvm, sta, mvm_sta->tid_data[i].txq_id, i,
++ iwl_mvm_disable_txq(mvm, sta, &mvm_sta->tid_data[i].txq_id, i,
+ 0);
+ mvm_sta->tid_data[i].txq_id = IWL_MVM_INVALID_QUEUE;
+ }
+@@ -2005,7 +2010,7 @@ static int iwl_mvm_add_int_sta_with_queue(struct iwl_mvm *mvm, int macidx,
+ ret = iwl_mvm_add_int_sta_common(mvm, sta, NULL, macidx, maccolor);
+ if (ret) {
+ if (!iwl_mvm_has_new_tx_api(mvm))
+- iwl_mvm_disable_txq(mvm, NULL, *queue,
++ iwl_mvm_disable_txq(mvm, NULL, queue,
+ IWL_MAX_TID_COUNT, 0);
+ return ret;
+ }
+@@ -2073,7 +2078,7 @@ int iwl_mvm_rm_snif_sta(struct iwl_mvm *mvm, struct ieee80211_vif *vif)
+ if (WARN_ON_ONCE(mvm->snif_sta.sta_id == IWL_MVM_INVALID_STA))
+ return -EINVAL;
+
+- iwl_mvm_disable_txq(mvm, NULL, mvm->snif_queue, IWL_MAX_TID_COUNT, 0);
++ iwl_mvm_disable_txq(mvm, NULL, &mvm->snif_queue, IWL_MAX_TID_COUNT, 0);
+ ret = iwl_mvm_rm_sta_common(mvm, mvm->snif_sta.sta_id);
+ if (ret)
+ IWL_WARN(mvm, "Failed sending remove station\n");
+@@ -2090,7 +2095,7 @@ int iwl_mvm_rm_aux_sta(struct iwl_mvm *mvm)
+ if (WARN_ON_ONCE(mvm->aux_sta.sta_id == IWL_MVM_INVALID_STA))
+ return -EINVAL;
+
+- iwl_mvm_disable_txq(mvm, NULL, mvm->aux_queue, IWL_MAX_TID_COUNT, 0);
++ iwl_mvm_disable_txq(mvm, NULL, &mvm->aux_queue, IWL_MAX_TID_COUNT, 0);
+ ret = iwl_mvm_rm_sta_common(mvm, mvm->aux_sta.sta_id);
+ if (ret)
+ IWL_WARN(mvm, "Failed sending remove station\n");
+@@ -2186,7 +2191,7 @@ static void iwl_mvm_free_bcast_sta_queues(struct iwl_mvm *mvm,
+ struct ieee80211_vif *vif)
+ {
+ struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif);
+- int queue;
++ u16 *queueptr, queue;
+
+ lockdep_assert_held(&mvm->mutex);
+
+@@ -2195,10 +2200,10 @@ static void iwl_mvm_free_bcast_sta_queues(struct iwl_mvm *mvm,
+ switch (vif->type) {
+ case NL80211_IFTYPE_AP:
+ case NL80211_IFTYPE_ADHOC:
+- queue = mvm->probe_queue;
++ queueptr = &mvm->probe_queue;
+ break;
+ case NL80211_IFTYPE_P2P_DEVICE:
+- queue = mvm->p2p_dev_queue;
++ queueptr = &mvm->p2p_dev_queue;
+ break;
+ default:
+ WARN(1, "Can't free bcast queue on vif type %d\n",
+@@ -2206,7 +2211,8 @@ static void iwl_mvm_free_bcast_sta_queues(struct iwl_mvm *mvm,
+ return;
+ }
+
+- iwl_mvm_disable_txq(mvm, NULL, queue, IWL_MAX_TID_COUNT, 0);
++ queue = *queueptr;
++ iwl_mvm_disable_txq(mvm, NULL, queueptr, IWL_MAX_TID_COUNT, 0);
+ if (iwl_mvm_has_new_tx_api(mvm))
+ return;
+
+@@ -2441,7 +2447,7 @@ int iwl_mvm_rm_mcast_sta(struct iwl_mvm *mvm, struct ieee80211_vif *vif)
+
+ iwl_mvm_flush_sta(mvm, &mvmvif->mcast_sta, true, 0);
+
+- iwl_mvm_disable_txq(mvm, NULL, mvmvif->cab_queue, 0, 0);
++ iwl_mvm_disable_txq(mvm, NULL, &mvmvif->cab_queue, 0, 0);
+
+ ret = iwl_mvm_rm_sta_common(mvm, mvmvif->mcast_sta.sta_id);
+ if (ret)
+--
+2.30.2
+
--- /dev/null
+From e8009ed256ec6e253dbf031e93388ef661652d1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Aug 2021 17:28:24 +0300
+Subject: iwlwifi: mvm: fix a memory leak in iwl_mvm_mac_ctxt_beacon_changed
+
+From: Zhang Qilong <zhangqilong3@huawei.com>
+
+[ Upstream commit 0f5d44ac6e55551798dd3da0ff847c8df5990822 ]
+
+If beacon_inject_active is true, we will return without freeing
+beacon. Fid that by freeing it before returning.
+
+Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
+[reworded the commit message]
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20210802172232.d16206ca60fc.I9984a9b442c84814c307cee3213044e24d26f38a@changeid
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c
+index 9c417dd06291..7736621dca65 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c
+@@ -1043,8 +1043,10 @@ int iwl_mvm_mac_ctxt_beacon_changed(struct iwl_mvm *mvm,
+ return -ENOMEM;
+
+ #ifdef CONFIG_IWLWIFI_DEBUGFS
+- if (mvm->beacon_inject_active)
++ if (mvm->beacon_inject_active) {
++ dev_kfree_skb(beacon);
+ return -EBUSY;
++ }
+ #endif
+
+ ret = iwl_mvm_mac_ctxt_send_beacon(mvm, vif, beacon);
+--
+2.30.2
+
--- /dev/null
+From 4a90c827fff1999adf0dd406e3f59b45dcf09ae4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Aug 2021 13:19:31 +0300
+Subject: iwlwifi: mvm: fix access to BSS elements
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 6c608cd6962ebdf84fd3de6d42f88ed64d2f4e1b ]
+
+BSS elements are protected using RCU, so we need to use
+RCU properly to access them, fix that.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20210805130823.fd8b5791ab44.Iba26800a6301078d3782fb249c476dd8ac2bf3c6@changeid
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+index 09b1a6beee77..081cbc9ec736 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+@@ -2970,16 +2970,20 @@ static void iwl_mvm_check_he_obss_narrow_bw_ru_iter(struct wiphy *wiphy,
+ void *_data)
+ {
+ struct iwl_mvm_he_obss_narrow_bw_ru_data *data = _data;
++ const struct cfg80211_bss_ies *ies;
+ const struct element *elem;
+
+- elem = cfg80211_find_elem(WLAN_EID_EXT_CAPABILITY, bss->ies->data,
+- bss->ies->len);
++ rcu_read_lock();
++ ies = rcu_dereference(bss->ies);
++ elem = cfg80211_find_elem(WLAN_EID_EXT_CAPABILITY, ies->data,
++ ies->len);
+
+ if (!elem || elem->datalen < 10 ||
+ !(elem->data[10] &
+ WLAN_EXT_CAPA10_OBSS_NARROW_BW_RU_TOLERANCE_SUPPORT)) {
+ data->tolerated = false;
+ }
++ rcu_read_unlock();
+ }
+
+ static void iwl_mvm_check_he_obss_narrow_bw_ru(struct ieee80211_hw *hw,
+--
+2.30.2
+
--- /dev/null
+From 78a2e9ac0f01e959d6748a1e3fffa07d61136242 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Aug 2021 09:01:14 +0900
+Subject: kbuild: Fix 'no symbols' warning when CONFIG_TRIM_UNUSD_KSYMS=y
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit 52d83df682c82055961531853c066f4f16e234ea ]
+
+When CONFIG_TRIM_UNUSED_KSYMS is enabled, I see some warnings like this:
+
+ nm: arch/x86/entry/vdso/vdso32/note.o: no symbols
+
+$NM (both GNU nm and llvm-nm) warns when no symbol is found in the
+object. Suppress the stderr.
+
+Fangrui Song mentioned binutils>=2.37 `nm -q` can be used to suppress
+"no symbols" [1], and llvm-nm>=13.0.0 supports -q as well.
+
+We cannot use it for now, but note it as a TODO.
+
+[1]: https://sourceware.org/bugzilla/show_bug.cgi?id=27408
+
+Fixes: bbda5ec671d3 ("kbuild: simplify dependency generation for CONFIG_TRIM_UNUSED_KSYMS")
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/gen_ksymdeps.sh | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/scripts/gen_ksymdeps.sh b/scripts/gen_ksymdeps.sh
+index 1324986e1362..725e8c9c1b53 100755
+--- a/scripts/gen_ksymdeps.sh
++++ b/scripts/gen_ksymdeps.sh
+@@ -4,7 +4,13 @@
+ set -e
+
+ # List of exported symbols
+-ksyms=$($NM $1 | sed -n 's/.*__ksym_marker_\(.*\)/\1/p' | tr A-Z a-z)
++#
++# If the object has no symbol, $NM warns 'no symbols'.
++# Suppress the stderr.
++# TODO:
++# Use -q instead of 2>/dev/null when we upgrade the minimum version of
++# binutils to 2.37, llvm to 13.0.0.
++ksyms=$($NM $1 2>/dev/null | sed -n 's/.*__ksym_marker_\(.*\)/\1/p' | tr A-Z a-z)
+
+ if [ -z "$ksyms" ]; then
+ exit 0
+--
+2.30.2
+
--- /dev/null
+From 61a99291d069188b4e2b43703ddf8f8c73432b44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Aug 2021 02:00:43 +1000
+Subject: KVM: PPC: Book3S HV Nested: Reflect guest PMU in-use to L0 when guest
+ SPRs are live
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+[ Upstream commit 1782663897945a5cf28e564ba5eed730098e9aa4 ]
+
+After the L1 saves its PMU SPRs but before loading the L2's PMU SPRs,
+switch the pmcregs_in_use field in the L1 lppaca to the value advertised
+by the L2 in its VPA. On the way out of the L2, set it back after saving
+the L2 PMU registers (if they were in-use).
+
+This transfers the PMU liveness indication between the L1 and L2 at the
+points where the registers are not live.
+
+This fixes the nested HV bug for which a workaround was added to the L0
+HV by commit 63279eeb7f93a ("KVM: PPC: Book3S HV: Always save guest pmu
+for guest capable of nesting"), which explains the problem in detail.
+That workaround is no longer required for guests that include this bug
+fix.
+
+Fixes: 360cae313702 ("KVM: PPC: Book3S HV: Nested guest entry via hypercall")
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Reviewed-by: Fabiano Rosas <farosas@linux.ibm.com>
+Link: https://lore.kernel.org/r/20210811160134.904987-10-npiggin@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/pmc.h | 7 +++++++
+ arch/powerpc/kvm/book3s_hv.c | 20 ++++++++++++++++++++
+ 2 files changed, 27 insertions(+)
+
+diff --git a/arch/powerpc/include/asm/pmc.h b/arch/powerpc/include/asm/pmc.h
+index c6bbe9778d3c..3c09109e708e 100644
+--- a/arch/powerpc/include/asm/pmc.h
++++ b/arch/powerpc/include/asm/pmc.h
+@@ -34,6 +34,13 @@ static inline void ppc_set_pmu_inuse(int inuse)
+ #endif
+ }
+
++#ifdef CONFIG_KVM_BOOK3S_HV_POSSIBLE
++static inline int ppc_get_pmu_inuse(void)
++{
++ return get_paca()->pmcregs_in_use;
++}
++#endif
++
+ extern void power4_enable_pmcs(void);
+
+ #else /* CONFIG_PPC64 */
+diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
+index bba358f13471..6c99ccc3bfcb 100644
+--- a/arch/powerpc/kvm/book3s_hv.c
++++ b/arch/powerpc/kvm/book3s_hv.c
+@@ -58,6 +58,7 @@
+ #include <asm/kvm_book3s.h>
+ #include <asm/mmu_context.h>
+ #include <asm/lppaca.h>
++#include <asm/pmc.h>
+ #include <asm/processor.h>
+ #include <asm/cputhreads.h>
+ #include <asm/page.h>
+@@ -3559,6 +3560,18 @@ int kvmhv_p9_guest_entry(struct kvm_vcpu *vcpu, u64 time_limit,
+ cpu_has_feature(CPU_FTR_P9_TM_HV_ASSIST))
+ kvmppc_restore_tm_hv(vcpu, vcpu->arch.shregs.msr, true);
+
++#ifdef CONFIG_PPC_PSERIES
++ if (kvmhv_on_pseries()) {
++ barrier();
++ if (vcpu->arch.vpa.pinned_addr) {
++ struct lppaca *lp = vcpu->arch.vpa.pinned_addr;
++ get_lppaca()->pmcregs_in_use = lp->pmcregs_in_use;
++ } else {
++ get_lppaca()->pmcregs_in_use = 1;
++ }
++ barrier();
++ }
++#endif
+ kvmhv_load_guest_pmu(vcpu);
+
+ msr_check_and_set(MSR_FP | MSR_VEC | MSR_VSX);
+@@ -3693,6 +3706,13 @@ int kvmhv_p9_guest_entry(struct kvm_vcpu *vcpu, u64 time_limit,
+ save_pmu |= nesting_enabled(vcpu->kvm);
+
+ kvmhv_save_guest_pmu(vcpu, save_pmu);
++#ifdef CONFIG_PPC_PSERIES
++ if (kvmhv_on_pseries()) {
++ barrier();
++ get_lppaca()->pmcregs_in_use = ppc_get_pmu_inuse();
++ barrier();
++ }
++#endif
+
+ vc->entry_exit_map = 0x101;
+ vc->in_guest = 0;
+--
+2.30.2
+
--- /dev/null
+From 89551c698d8f628ef8eb21047370d64caedf7ae4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Aug 2021 14:07:06 +1000
+Subject: KVM: PPC: Fix clearing never mapped TCEs in realmode
+
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+
+[ Upstream commit 1d78dfde33a02da1d816279c2e3452978b7abd39 ]
+
+Since commit e1a1ef84cd07 ("KVM: PPC: Book3S: Allocate guest TCEs on
+demand too"), pages for TCE tables for KVM guests are allocated only
+when needed. This allows skipping any update when clearing TCEs. This
+works mostly fine as TCE updates are handled when the MMU is enabled.
+The realmode handlers fail with H_TOO_HARD when pages are not yet
+allocated, except when clearing a TCE in which case KVM prints a warning
+and proceeds to dereference a NULL pointer, which crashes the host OS.
+
+This has not been caught so far as the change in commit e1a1ef84cd07 is
+reasonably new, and POWER9 runs mostly radix which does not use realmode
+handlers. With hash, the default TCE table is memset() by QEMU when the
+machine is reset which triggers page faults and the KVM TCE device's
+kvm_spapr_tce_fault() handles those with MMU on. And the huge DMA
+windows are not cleared by VMs which instead successfully create a DMA
+window big enough to map the VM memory 1:1 and then VMs just map
+everything without clearing.
+
+This started crashing now as commit 381ceda88c4c ("powerpc/pseries/iommu:
+Make use of DDW for indirect mapping") added a mode when a dymanic DMA
+window not big enough to map the VM memory 1:1 but it is used anyway,
+and the VM now is the first (i.e. not QEMU) to clear a just created
+table. Note that upstream QEMU needs to be modified to trigger the VM to
+trigger the host OS crash.
+
+This replaces WARN_ON_ONCE_RM() with a check and return, and adds
+another warning if TCE is not being cleared.
+
+Fixes: e1a1ef84cd07 ("KVM: PPC: Book3S: Allocate guest TCEs on demand too")
+Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210827040706.517652-1-aik@ozlabs.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kvm/book3s_64_vio_hv.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/kvm/book3s_64_vio_hv.c b/arch/powerpc/kvm/book3s_64_vio_hv.c
+index ab6eeb8e753e..35fd67b4ceb4 100644
+--- a/arch/powerpc/kvm/book3s_64_vio_hv.c
++++ b/arch/powerpc/kvm/book3s_64_vio_hv.c
+@@ -177,10 +177,13 @@ static void kvmppc_rm_tce_put(struct kvmppc_spapr_tce_table *stt,
+ idx -= stt->offset;
+ page = stt->pages[idx / TCES_PER_PAGE];
+ /*
+- * page must not be NULL in real mode,
+- * kvmppc_rm_ioba_validate() must have taken care of this.
++ * kvmppc_rm_ioba_validate() allows pages not be allocated if TCE is
++ * being cleared, otherwise it returns H_TOO_HARD and we skip this.
+ */
+- WARN_ON_ONCE_RM(!page);
++ if (!page) {
++ WARN_ON_ONCE_RM(tce != 0);
++ return;
++ }
+ tbl = kvmppc_page_address(page);
+
+ tbl[idx % TCES_PER_PAGE] = tce;
+--
+2.30.2
+
--- /dev/null
+From 665e30a8844fb4302eabc467ad66392405cd44fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Aug 2021 17:01:59 -0400
+Subject: lockd: lockd server-side shouldn't set fl_ops
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+[ Upstream commit 7de875b231edb807387a81cde288aa9e1015ef9e ]
+
+Locks have two sets of op arrays, fl_lmops for the lock manager (lockd
+or nfsd), fl_ops for the filesystem. The server-side lockd code has
+been setting its own fl_ops, which leads to confusion (and crashes) in
+the reexport case, where the filesystem expects to be the only one
+setting fl_ops.
+
+And there's no reason for it that I can see-the lm_get/put_owner ops do
+the same job.
+
+Reported-by: Daire Byrne <daire@dneg.com>
+Tested-by: Daire Byrne <daire@dneg.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/lockd/svclock.c | 30 ++++++++++++------------------
+ 1 file changed, 12 insertions(+), 18 deletions(-)
+
+diff --git a/fs/lockd/svclock.c b/fs/lockd/svclock.c
+index 498cb70c2c0d..273a81971ed5 100644
+--- a/fs/lockd/svclock.c
++++ b/fs/lockd/svclock.c
+@@ -395,28 +395,10 @@ nlmsvc_release_lockowner(struct nlm_lock *lock)
+ nlmsvc_put_lockowner(lock->fl.fl_owner);
+ }
+
+-static void nlmsvc_locks_copy_lock(struct file_lock *new, struct file_lock *fl)
+-{
+- struct nlm_lockowner *nlm_lo = (struct nlm_lockowner *)fl->fl_owner;
+- new->fl_owner = nlmsvc_get_lockowner(nlm_lo);
+-}
+-
+-static void nlmsvc_locks_release_private(struct file_lock *fl)
+-{
+- nlmsvc_put_lockowner((struct nlm_lockowner *)fl->fl_owner);
+-}
+-
+-static const struct file_lock_operations nlmsvc_lock_ops = {
+- .fl_copy_lock = nlmsvc_locks_copy_lock,
+- .fl_release_private = nlmsvc_locks_release_private,
+-};
+-
+ void nlmsvc_locks_init_private(struct file_lock *fl, struct nlm_host *host,
+ pid_t pid)
+ {
+ fl->fl_owner = nlmsvc_find_lockowner(host, pid);
+- if (fl->fl_owner != NULL)
+- fl->fl_ops = &nlmsvc_lock_ops;
+ }
+
+ /*
+@@ -788,9 +770,21 @@ nlmsvc_notify_blocked(struct file_lock *fl)
+ printk(KERN_WARNING "lockd: notification for unknown block!\n");
+ }
+
++static fl_owner_t nlmsvc_get_owner(fl_owner_t owner)
++{
++ return nlmsvc_get_lockowner(owner);
++}
++
++static void nlmsvc_put_owner(fl_owner_t owner)
++{
++ nlmsvc_put_lockowner(owner);
++}
++
+ const struct lock_manager_operations nlmsvc_lock_operations = {
+ .lm_notify = nlmsvc_notify_blocked,
+ .lm_grant = nlmsvc_grant_deferred,
++ .lm_get_owner = nlmsvc_get_owner,
++ .lm_put_owner = nlmsvc_put_owner,
+ };
+
+ /*
+--
+2.30.2
+
--- /dev/null
+From 733a18bc7017f9e92665db85c05fdc46130a0903 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 18:01:31 +1000
+Subject: m68knommu: only set CONFIG_ISA_DMA_API for ColdFire sub-arch
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit db87db65c1059f3be04506d122f8ec9b2fa3b05e ]
+
+> Hi Arnd,
+>
+> First bad commit (maybe != root cause):
+>
+> tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
+> head: 2f73937c9aa561e2082839bc1a8efaac75d6e244
+> commit: 47fd22f2b84765a2f7e3f150282497b902624547 [4771/5318] cs89x0: rework driver configuration
+> config: m68k-randconfig-c003-20210804 (attached as .config)
+> compiler: m68k-linux-gcc (GCC) 10.3.0
+> reproduce (this is a W=1 build):
+> wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
+> chmod +x ~/bin/make.cross
+> # https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=47fd22f2b84765a2f7e3f150282497b902624547
+> git remote add linux-next https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
+> git fetch --no-tags linux-next master
+> git checkout 47fd22f2b84765a2f7e3f150282497b902624547
+> # save the attached .config to linux build tree
+> COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-10.3.0 make.cross ARCH=m68k
+>
+> If you fix the issue, kindly add following tag as appropriate
+> Reported-by: kernel test robot <lkp@intel.com>
+>
+> All errors (new ones prefixed by >>):
+>
+> In file included from include/linux/kernel.h:19,
+> from include/linux/list.h:9,
+> from include/linux/module.h:12,
+> from drivers/net/ethernet/cirrus/cs89x0.c:51:
+> drivers/net/ethernet/cirrus/cs89x0.c: In function 'net_open':
+> drivers/net/ethernet/cirrus/cs89x0.c:897:20: error: implicit declaration of function 'isa_virt_to_bus'; did you mean 'virt_to_bus'? [-Werror=implicit-function-declaration]
+> 897 | (unsigned long)isa_virt_to_bus(lp->dma_buff));
+> | ^~~~~~~~~~~~~~~
+> include/linux/printk.h:141:17: note: in definition of macro 'no_printk'
+> 141 | printk(fmt, ##__VA_ARGS__); \
+> | ^~~~~~~~~~~
+> drivers/net/ethernet/cirrus/cs89x0.c:86:3: note: in expansion of macro 'pr_debug'
+> 86 | pr_##level(fmt, ##__VA_ARGS__); \
+> | ^~~
+> drivers/net/ethernet/cirrus/cs89x0.c:894:3: note: in expansion of macro 'cs89_dbg'
+> 894 | cs89_dbg(1, debug, "%s: dma %lx %lx\n",
+> | ^~~~~~~~
+> >> drivers/net/ethernet/cirrus/cs89x0.c:914:3: error: implicit declaration of function 'disable_dma'; did you mean 'disable_irq'? [-Werror=implicit-function-declaration]
+
+As far as I can tell, this is a bug with the m68kmmu architecture, not
+with my driver:
+The CONFIG_ISA_DMA_API option is provided for coldfire, which implements it,
+but dragonball also sets the option as a side-effect, without actually
+implementing
+the interfaces. The patch below should fix it.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Ungerer <gerg@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/Kconfig.bus | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/m68k/Kconfig.bus b/arch/m68k/Kconfig.bus
+index 9d0a3a23d50e..355c51309ed8 100644
+--- a/arch/m68k/Kconfig.bus
++++ b/arch/m68k/Kconfig.bus
+@@ -63,7 +63,7 @@ source "drivers/zorro/Kconfig"
+
+ endif
+
+-if !MMU
++if COLDFIRE
+
+ config ISA_DMA_API
+ def_bool !M5272
+--
+2.30.2
+
--- /dev/null
+From b7ed0170a8e435eeaa78af5a28560a3a735283a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jun 2021 14:32:46 +0200
+Subject: mac80211: Fix monitor MTU limit so that A-MSDUs get through
+
+From: Johan Almbladh <johan.almbladh@anyfinetworks.com>
+
+[ Upstream commit 79f5962baea74ce1cd4e5949598944bff854b166 ]
+
+The maximum MTU was set to 2304, which is the maximum MSDU size. While
+this is valid for normal WLAN interfaces, it is too low for monitor
+interfaces. A monitor interface may receive and inject MPDU frames, and
+the maximum MPDU frame size is larger than 2304. The MPDU may also
+contain an A-MSDU frame, in which case the size may be much larger than
+the MTU limit. Since the maximum size of an A-MSDU depends on the PHY
+mode of the transmitting STA, it is not possible to set an exact MTU
+limit for a monitor interface. Now the maximum MTU for a monitor
+interface is unrestricted.
+
+Signed-off-by: Johan Almbladh <johan.almbladh@anyfinetworks.com>
+Link: https://lore.kernel.org/r/20210628123246.2070558-1-johan.almbladh@anyfinetworks.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/iface.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
+index 6f576306a4d7..ddc001ad9055 100644
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -1875,9 +1875,16 @@ int ieee80211_if_add(struct ieee80211_local *local, const char *name,
+
+ netdev_set_default_ethtool_ops(ndev, &ieee80211_ethtool_ops);
+
+- /* MTU range: 256 - 2304 */
++ /* MTU range is normally 256 - 2304, where the upper limit is
++ * the maximum MSDU size. Monitor interfaces send and receive
++ * MPDU and A-MSDU frames which may be much larger so we do
++ * not impose an upper limit in that case.
++ */
+ ndev->min_mtu = 256;
+- ndev->max_mtu = local->hw.max_mtu;
++ if (type == NL80211_IFTYPE_MONITOR)
++ ndev->max_mtu = 0;
++ else
++ ndev->max_mtu = local->hw.max_mtu;
+
+ ret = register_netdevice(ndev);
+ if (ret) {
+--
+2.30.2
+
--- /dev/null
+From 45f9de436ae93ce3c60d9cda9e750e7e605ca669 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jun 2021 13:28:57 +0200
+Subject: media: dib8000: rewrite the init prbs logic
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 8db11aebdb8f93f46a8513c22c9bd52fa23263aa ]
+
+The logic at dib8000_get_init_prbs() has a few issues:
+
+1. the tables used there has an extra unused value at the beginning;
+2. the dprintk() message doesn't write the right value when
+ transmission mode is not 8K;
+3. the array overflow validation is done by the callers.
+
+Rewrite the code to fix such issues.
+
+This should also shut up those smatch warnings:
+
+ drivers/media/dvb-frontends/dib8000.c:2125 dib8000_get_init_prbs() error: buffer overflow 'lut_prbs_8k' 14 <= 14
+ drivers/media/dvb-frontends/dib8000.c:2129 dib8000_get_init_prbs() error: buffer overflow 'lut_prbs_2k' 14 <= 14
+ drivers/media/dvb-frontends/dib8000.c:2131 dib8000_get_init_prbs() error: buffer overflow 'lut_prbs_4k' 14 <= 14
+ drivers/media/dvb-frontends/dib8000.c:2134 dib8000_get_init_prbs() error: buffer overflow 'lut_prbs_8k' 14 <= 14
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/dib8000.c | 58 +++++++++++++++++++--------
+ 1 file changed, 41 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/media/dvb-frontends/dib8000.c b/drivers/media/dvb-frontends/dib8000.c
+index 082796534b0a..bb02354a48b8 100644
+--- a/drivers/media/dvb-frontends/dib8000.c
++++ b/drivers/media/dvb-frontends/dib8000.c
+@@ -2107,32 +2107,55 @@ static void dib8000_load_ana_fe_coefs(struct dib8000_state *state, const s16 *an
+ dib8000_write_word(state, 117 + mode, ana_fe[mode]);
+ }
+
+-static const u16 lut_prbs_2k[14] = {
+- 0, 0x423, 0x009, 0x5C7, 0x7A6, 0x3D8, 0x527, 0x7FF, 0x79B, 0x3D6, 0x3A2, 0x53B, 0x2F4, 0x213
++static const u16 lut_prbs_2k[13] = {
++ 0x423, 0x009, 0x5C7,
++ 0x7A6, 0x3D8, 0x527,
++ 0x7FF, 0x79B, 0x3D6,
++ 0x3A2, 0x53B, 0x2F4,
++ 0x213
+ };
+-static const u16 lut_prbs_4k[14] = {
+- 0, 0x208, 0x0C3, 0x7B9, 0x423, 0x5C7, 0x3D8, 0x7FF, 0x3D6, 0x53B, 0x213, 0x029, 0x0D0, 0x48E
++
++static const u16 lut_prbs_4k[13] = {
++ 0x208, 0x0C3, 0x7B9,
++ 0x423, 0x5C7, 0x3D8,
++ 0x7FF, 0x3D6, 0x53B,
++ 0x213, 0x029, 0x0D0,
++ 0x48E
+ };
+-static const u16 lut_prbs_8k[14] = {
+- 0, 0x740, 0x069, 0x7DD, 0x208, 0x7B9, 0x5C7, 0x7FF, 0x53B, 0x029, 0x48E, 0x4C4, 0x367, 0x684
++
++static const u16 lut_prbs_8k[13] = {
++ 0x740, 0x069, 0x7DD,
++ 0x208, 0x7B9, 0x5C7,
++ 0x7FF, 0x53B, 0x029,
++ 0x48E, 0x4C4, 0x367,
++ 0x684
+ };
+
+ static u16 dib8000_get_init_prbs(struct dib8000_state *state, u16 subchannel)
+ {
+ int sub_channel_prbs_group = 0;
++ int prbs_group;
+
+- sub_channel_prbs_group = (subchannel / 3) + 1;
+- dprintk("sub_channel_prbs_group = %d , subchannel =%d prbs = 0x%04x\n", sub_channel_prbs_group, subchannel, lut_prbs_8k[sub_channel_prbs_group]);
++ sub_channel_prbs_group = subchannel / 3;
++ if (sub_channel_prbs_group >= ARRAY_SIZE(lut_prbs_2k))
++ return 0;
+
+ switch (state->fe[0]->dtv_property_cache.transmission_mode) {
+ case TRANSMISSION_MODE_2K:
+- return lut_prbs_2k[sub_channel_prbs_group];
++ prbs_group = lut_prbs_2k[sub_channel_prbs_group];
++ break;
+ case TRANSMISSION_MODE_4K:
+- return lut_prbs_4k[sub_channel_prbs_group];
++ prbs_group = lut_prbs_4k[sub_channel_prbs_group];
++ break;
+ default:
+ case TRANSMISSION_MODE_8K:
+- return lut_prbs_8k[sub_channel_prbs_group];
++ prbs_group = lut_prbs_8k[sub_channel_prbs_group];
+ }
++
++ dprintk("sub_channel_prbs_group = %d , subchannel =%d prbs = 0x%04x\n",
++ sub_channel_prbs_group, subchannel, prbs_group);
++
++ return prbs_group;
+ }
+
+ static void dib8000_set_13seg_channel(struct dib8000_state *state)
+@@ -2409,10 +2432,8 @@ static void dib8000_set_isdbt_common_channel(struct dib8000_state *state, u8 seq
+ /* TSB or ISDBT ? apply it now */
+ if (c->isdbt_sb_mode) {
+ dib8000_set_sb_channel(state);
+- if (c->isdbt_sb_subchannel < 14)
+- init_prbs = dib8000_get_init_prbs(state, c->isdbt_sb_subchannel);
+- else
+- init_prbs = 0;
++ init_prbs = dib8000_get_init_prbs(state,
++ c->isdbt_sb_subchannel);
+ } else {
+ dib8000_set_13seg_channel(state);
+ init_prbs = 0xfff;
+@@ -3004,6 +3025,7 @@ static int dib8000_tune(struct dvb_frontend *fe)
+
+ unsigned long *timeout = &state->timeout;
+ unsigned long now = jiffies;
++ u16 init_prbs;
+ #ifdef DIB8000_AGC_FREEZE
+ u16 agc1, agc2;
+ #endif
+@@ -3302,8 +3324,10 @@ static int dib8000_tune(struct dvb_frontend *fe)
+ break;
+
+ case CT_DEMOD_STEP_11: /* 41 : init prbs autosearch */
+- if (state->subchannel <= 41) {
+- dib8000_set_subchannel_prbs(state, dib8000_get_init_prbs(state, state->subchannel));
++ init_prbs = dib8000_get_init_prbs(state, state->subchannel);
++
++ if (init_prbs) {
++ dib8000_set_subchannel_prbs(state, init_prbs);
+ *tune_state = CT_DEMOD_STEP_9;
+ } else {
+ *tune_state = CT_DEMOD_STOP;
+--
+2.30.2
+
--- /dev/null
+From e776c4079a85dcc94fb61b234c66f1e10c18c246 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jul 2021 13:22:33 +0200
+Subject: media: imx258: Limit the max analogue gain to 480
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Umang Jain <umang.jain@ideasonboard.com>
+
+[ Upstream commit f809665ee75fff3f4ea8907f406a66d380aeb184 ]
+
+The range for analog gain mentioned in the datasheet is [0, 480].
+The real gain formula mentioned in the datasheet is:
+
+ Gain = 512 / (512 – X)
+
+Hence, values larger than 511 clearly makes no sense. The gain
+register field is also documented to be of 9-bits in the datasheet.
+
+Certainly, it is enough to infer that, the kernel driver currently
+advertises an arbitrary analog gain max. Fix it by rectifying the
+value as per the data sheet i.e. 480.
+
+Signed-off-by: Umang Jain <umang.jain@ideasonboard.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Reviewed-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/imx258.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/imx258.c b/drivers/media/i2c/imx258.c
+index 5f5e50c01b12..ffaa4a91e571 100644
+--- a/drivers/media/i2c/imx258.c
++++ b/drivers/media/i2c/imx258.c
+@@ -46,7 +46,7 @@
+ /* Analog gain control */
+ #define IMX258_REG_ANALOG_GAIN 0x0204
+ #define IMX258_ANA_GAIN_MIN 0
+-#define IMX258_ANA_GAIN_MAX 0x1fff
++#define IMX258_ANA_GAIN_MAX 480
+ #define IMX258_ANA_GAIN_STEP 1
+ #define IMX258_ANA_GAIN_DEFAULT 0x0
+
+--
+2.30.2
+
--- /dev/null
+From 0e87182877dc94a2065ac9a058f727febe0c4cdb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jul 2021 13:22:32 +0200
+Subject: media: imx258: Rectify mismatch of VTS value
+
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+
+[ Upstream commit 51f93add3669f1b1f540de1cf397815afbd4c756 ]
+
+The frame_length_lines (0x0340) registers are hard-coded as follows:
+
+- 4208x3118
+ frame_length_lines = 0x0c50
+
+- 2104x1560
+ frame_length_lines = 0x0638
+
+- 1048x780
+ frame_length_lines = 0x034c
+
+The driver exposes the V4L2_CID_VBLANK control in read-only mode and
+sets its value to vts_def - height, where vts_def is a mode-dependent
+value coming from the supported_modes array. It is set using one of
+the following macros defined in the driver:
+
+ #define IMX258_VTS_30FPS 0x0c98
+ #define IMX258_VTS_30FPS_2K 0x0638
+ #define IMX258_VTS_30FPS_VGA 0x034c
+
+There's a clear mismatch in the value for the full resolution mode i.e.
+IMX258_VTS_30FPS. Fix it by rectifying the macro with the value set for
+the frame_length_lines register as stated above.
+
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Umang Jain <umang.jain@ideasonboard.com>
+Reviewed-by: Bingbu Cao <bingbu.cao@intel.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/imx258.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/imx258.c b/drivers/media/i2c/imx258.c
+index f86ae18bc104..5f5e50c01b12 100644
+--- a/drivers/media/i2c/imx258.c
++++ b/drivers/media/i2c/imx258.c
+@@ -22,7 +22,7 @@
+ #define IMX258_CHIP_ID 0x0258
+
+ /* V_TIMING internal */
+-#define IMX258_VTS_30FPS 0x0c98
++#define IMX258_VTS_30FPS 0x0c50
+ #define IMX258_VTS_30FPS_2K 0x0638
+ #define IMX258_VTS_30FPS_VGA 0x034c
+ #define IMX258_VTS_MAX 0xffff
+--
+2.30.2
+
--- /dev/null
+From 34ce39e541e07fa5d5761f74e2d4ba6d2dcdc19b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jul 2021 12:46:28 +0200
+Subject: media: TDA1997x: fix tda1997x_query_dv_timings() return value
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Krzysztof Hałasa <khalasa@piap.pl>
+
+[ Upstream commit 7dee1030871a48d4f3c5a74227a4b4188463479a ]
+
+Correctly propagate the tda1997x_detect_std error value.
+
+Signed-off-by: Krzysztof Hałasa <khalasa@piap.pl>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/tda1997x.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/i2c/tda1997x.c b/drivers/media/i2c/tda1997x.c
+index 1088161498df..18a2027ba145 100644
+--- a/drivers/media/i2c/tda1997x.c
++++ b/drivers/media/i2c/tda1997x.c
+@@ -1695,14 +1695,15 @@ static int tda1997x_query_dv_timings(struct v4l2_subdev *sd,
+ struct v4l2_dv_timings *timings)
+ {
+ struct tda1997x_state *state = to_state(sd);
++ int ret;
+
+ v4l_dbg(1, debug, state->client, "%s\n", __func__);
+ memset(timings, 0, sizeof(struct v4l2_dv_timings));
+ mutex_lock(&state->lock);
+- tda1997x_detect_std(state, timings);
++ ret = tda1997x_detect_std(state, timings);
+ mutex_unlock(&state->lock);
+
+- return 0;
++ return ret;
+ }
+
+ static const struct v4l2_subdev_video_ops tda1997x_video_ops = {
+--
+2.30.2
+
--- /dev/null
+From 35bbb902ecf60b0ef00c32b1e8ec42db4a17af8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Jul 2021 16:44:32 +0200
+Subject: media: tegra-cec: Handle errors of clk_prepare_enable()
+
+From: Evgeny Novikov <novikov@ispras.ru>
+
+[ Upstream commit 38367073c796a37a61549b1f66a71b3adb03802d ]
+
+tegra_cec_probe() and tegra_cec_resume() ignored possible errors of
+clk_prepare_enable(). The patch fixes this.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/tegra-cec/tegra_cec.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/platform/tegra-cec/tegra_cec.c b/drivers/media/platform/tegra-cec/tegra_cec.c
+index a632602131f2..efb80a78d2fa 100644
+--- a/drivers/media/platform/tegra-cec/tegra_cec.c
++++ b/drivers/media/platform/tegra-cec/tegra_cec.c
+@@ -366,7 +366,11 @@ static int tegra_cec_probe(struct platform_device *pdev)
+ return -ENOENT;
+ }
+
+- clk_prepare_enable(cec->clk);
++ ret = clk_prepare_enable(cec->clk);
++ if (ret) {
++ dev_err(&pdev->dev, "Unable to prepare clock for CEC\n");
++ return ret;
++ }
+
+ /* set context info. */
+ cec->dev = &pdev->dev;
+@@ -446,9 +450,7 @@ static int tegra_cec_resume(struct platform_device *pdev)
+
+ dev_notice(&pdev->dev, "Resuming\n");
+
+- clk_prepare_enable(cec->clk);
+-
+- return 0;
++ return clk_prepare_enable(cec->clk);
+ }
+ #endif
+
+--
+2.30.2
+
--- /dev/null
+From 506b7cd77732470098db15c8d924242e7af06520 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jul 2021 10:22:59 +0200
+Subject: media: v4l2-dv-timings.c: fix wrong condition in two for-loops
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 4108b3e6db31acc4c68133290bbcc87d4db905c9 ]
+
+These for-loops should test against v4l2_dv_timings_presets[i].bt.width,
+not if i < v4l2_dv_timings_presets[i].bt.width. Luckily nothing ever broke,
+since the smallest width is still a lot higher than the total number of
+presets, but it is wrong.
+
+The last item in the presets array is all 0, so the for-loop must stop
+when it reaches that sentinel.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reported-by: Krzysztof Hałasa <khalasa@piap.pl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/v4l2-core/v4l2-dv-timings.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/v4l2-core/v4l2-dv-timings.c b/drivers/media/v4l2-core/v4l2-dv-timings.c
+index 4f23e939ead0..60454e1b727e 100644
+--- a/drivers/media/v4l2-core/v4l2-dv-timings.c
++++ b/drivers/media/v4l2-core/v4l2-dv-timings.c
+@@ -196,7 +196,7 @@ bool v4l2_find_dv_timings_cap(struct v4l2_dv_timings *t,
+ if (!v4l2_valid_dv_timings(t, cap, fnc, fnc_handle))
+ return false;
+
+- for (i = 0; i < v4l2_dv_timings_presets[i].bt.width; i++) {
++ for (i = 0; v4l2_dv_timings_presets[i].bt.width; i++) {
+ if (v4l2_valid_dv_timings(v4l2_dv_timings_presets + i, cap,
+ fnc, fnc_handle) &&
+ v4l2_match_dv_timings(t, v4l2_dv_timings_presets + i,
+@@ -218,7 +218,7 @@ bool v4l2_find_dv_timings_cea861_vic(struct v4l2_dv_timings *t, u8 vic)
+ {
+ unsigned int i;
+
+- for (i = 0; i < v4l2_dv_timings_presets[i].bt.width; i++) {
++ for (i = 0; v4l2_dv_timings_presets[i].bt.width; i++) {
+ const struct v4l2_bt_timings *bt =
+ &v4l2_dv_timings_presets[i].bt;
+
+--
+2.30.2
+
--- /dev/null
+From 23af98f6ab24c5d6ae9509a0180e2ba72f533f6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Sep 2021 09:19:51 +0200
+Subject: MIPS: Malta: fix alignment of the devicetree buffer
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit bea6a94a279bcbe6b2cde348782b28baf12255a5 ]
+
+Starting with following patch MIPS Malta is not able to boot:
+| commit 79edff12060fe7772af08607eff50c0e2486c5ba
+| Author: Rob Herring <robh@kernel.org>
+| scripts/dtc: Update to upstream version v1.6.0-51-g183df9e9c2b9
+
+The reason is the alignment test added to the fdt_ro_probe_(). To fix
+this issue, we need to make sure that fdt_buf is aligned.
+
+Since the dtc patch was designed to uncover potential issue, I handle
+initial MIPS Malta patch as initial bug.
+
+Fixes: e81a8c7dabac ("MIPS: Malta: Setup RAM regions via DT")
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/mti-malta/malta-dtshim.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/mips/mti-malta/malta-dtshim.c b/arch/mips/mti-malta/malta-dtshim.c
+index 98a063093b69..0be28adff557 100644
+--- a/arch/mips/mti-malta/malta-dtshim.c
++++ b/arch/mips/mti-malta/malta-dtshim.c
+@@ -22,7 +22,7 @@
+ #define ROCIT_CONFIG_GEN1_MEMMAP_SHIFT 8
+ #define ROCIT_CONFIG_GEN1_MEMMAP_MASK (0xf << 8)
+
+-static unsigned char fdt_buf[16 << 10] __initdata;
++static unsigned char fdt_buf[16 << 10] __initdata __aligned(8);
+
+ /* determined physical memory size, not overridden by command line args */
+ extern unsigned long physical_memsize;
+--
+2.30.2
+
--- /dev/null
+From 0f1e16eb737351c0fb02bd87ba310b58f649e301 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Aug 2021 00:47:26 +0530
+Subject: mmc: core: Return correct emmc response in case of ioctl error
+
+From: Nishad Kamdar <nishadkamdar@gmail.com>
+
+[ Upstream commit e72a55f2e5ddcfb3dce0701caf925ce435b87682 ]
+
+When a read/write command is sent via ioctl to the kernel,
+and the command fails, the actual error response of the emmc
+is not sent to the user.
+
+IOCTL read/write tests are carried out using commands
+17 (Single BLock Read), 24 (Single Block Write),
+18 (Multi Block Read), 25 (Multi Block Write)
+
+The tests are carried out on a 64Gb emmc device. All of these
+tests try to access an "out of range" sector address (0x09B2FFFF).
+
+It is seen that without the patch the response received by the user
+is not OUT_OF_RANGE error (R1 response 31st bit is not set) as per
+JEDEC specification. After applying the patch proper response is seen.
+This is because the function returns without copying the response to
+the user in case of failure. This patch fixes the issue.
+
+Hence, this memcpy is required whether we get an error response or not.
+Therefor it is moved up from the current position up to immediately
+after we have called mmc_wait_for_req().
+
+The test code and the output of only the CMD17 is included in the
+commit to limit the message length.
+
+CMD17 (Test Code Snippet):
+==========================
+ printf("Forming CMD%d\n", opt_idx);
+ /* single block read */
+ cmd.blksz = 512;
+ cmd.blocks = 1;
+ cmd.write_flag = 0;
+ cmd.opcode = 17;
+ //cmd.arg = atoi(argv[3]);
+ cmd.arg = 0x09B2FFFF;
+ /* Expecting response R1B */
+ cmd.flags = MMC_RSP_SPI_R1 | MMC_RSP_R1 | MMC_CMD_ADTC;
+
+ memset(data, 0, sizeof(__u8) * 512);
+ mmc_ioc_cmd_set_data(cmd, data);
+
+ printf("Sending CMD%d: ARG[0x%08x]\n", opt_idx, cmd.arg);
+ if(ioctl(fd, MMC_IOC_CMD, &cmd))
+ perror("Error");
+
+ printf("\nResponse: %08x\n", cmd.response[0]);
+
+CMD17 (Output without patch):
+=============================
+test@test-LIVA-Z:~$ sudo ./mmc cmd_test /dev/mmcblk0 17
+Entering the do_mmc_commands:Device: /dev/mmcblk0 nargs:4
+Entering the do_mmc_commands:Device: /dev/mmcblk0 options[17, 0x09B2FFF]
+Forming CMD17
+Sending CMD17: ARG[0x09b2ffff]
+Error: Connection timed out
+
+Response: 00000000
+(Incorrect response)
+
+CMD17 (Output with patch):
+==========================
+test@test-LIVA-Z:~$ sudo ./mmc cmd_test /dev/mmcblk0 17
+[sudo] password for test:
+Entering the do_mmc_commands:Device: /dev/mmcblk0 nargs:4
+Entering the do_mmc_commands:Device: /dev/mmcblk0 options[17, 09B2FFFF]
+Forming CMD17
+Sending CMD17: ARG[0x09b2ffff]
+Error: Connection timed out
+
+Response: 80000900
+(Correct OUT_OF_ERROR response as per JEDEC specification)
+
+Signed-off-by: Nishad Kamdar <nishadkamdar@gmail.com>
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Link: https://lore.kernel.org/r/20210824191726.8296-1-nishadkamdar@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/core/block.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c
+index 8322d22a59c4..e92f9373e227 100644
+--- a/drivers/mmc/core/block.c
++++ b/drivers/mmc/core/block.c
+@@ -591,6 +591,7 @@ static int __mmc_blk_ioctl_cmd(struct mmc_card *card, struct mmc_blk_data *md,
+ }
+
+ mmc_wait_for_req(card->host, &mrq);
++ memcpy(&idata->ic.response, cmd.resp, sizeof(cmd.resp));
+
+ if (cmd.error) {
+ dev_err(mmc_dev(card->host), "%s: cmd error %d\n",
+@@ -640,8 +641,6 @@ static int __mmc_blk_ioctl_cmd(struct mmc_card *card, struct mmc_blk_data *md,
+ if (idata->ic.postsleep_min_us)
+ usleep_range(idata->ic.postsleep_min_us, idata->ic.postsleep_max_us);
+
+- memcpy(&(idata->ic.response), cmd.resp, sizeof(cmd.resp));
+-
+ if (idata->rpmb || (cmd.flags & MMC_RSP_R1B) == MMC_RSP_R1B) {
+ /*
+ * Ensure RPMB/R1B command has completed by polling CMD13
+--
+2.30.2
+
--- /dev/null
+From a8dd0e280ac6b9e52388daadb4c4a3aa64587bab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Aug 2021 04:46:14 -0700
+Subject: mmc: rtsx_pci: Fix long reads when clock is prescaled
+
+From: Thomas Hebb <tommyhebb@gmail.com>
+
+[ Upstream commit 3ac5e45291f3f0d699a721357380d4593bc2dcb3 ]
+
+For unexplained reasons, the prescaler register for this device needs to
+be cleared (set to 1) while performing a data read or else the command
+will hang. This does not appear to affect the real clock rate sent out
+on the bus, so I assume it's purely to work around a hardware bug.
+
+During normal operation, the prescaler is already set to 1, so nothing
+needs to be done. However, in "initial mode" (which is used for sub-MHz
+clock speeds, like the core sets while enumerating cards), it's set to
+128 and so we need to reset it during data reads. We currently fail to
+do this for long reads.
+
+This has no functional affect on the driver's operation currently
+written, as the MMC core always sets a clock above 1MHz before
+attempting any long reads. However, the core could conceivably set any
+clock speed at any time and the driver should still work, so I think
+this fix is worthwhile.
+
+I personally encountered this issue while performing data recovery on an
+external chip. My connections had poor signal integrity, so I modified
+the core code to reduce the clock speed. Without this change, I saw the
+card enumerate but was unable to actually read any data.
+
+Writes don't seem to work in the situation described above even with
+this change (and even if the workaround is extended to encompass data
+write commands). I was not able to find a way to get them working.
+
+Signed-off-by: Thomas Hebb <tommyhebb@gmail.com>
+Link: https://lore.kernel.org/r/2fef280d8409ab0100c26c6ac7050227defd098d.1627818365.git.tommyhebb@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/rtsx_pci_sdmmc.c | 36 ++++++++++++++++++++-----------
+ 1 file changed, 23 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/mmc/host/rtsx_pci_sdmmc.c b/drivers/mmc/host/rtsx_pci_sdmmc.c
+index 11087976ab19..9ff718b61c72 100644
+--- a/drivers/mmc/host/rtsx_pci_sdmmc.c
++++ b/drivers/mmc/host/rtsx_pci_sdmmc.c
+@@ -539,9 +539,22 @@ static int sd_write_long_data(struct realtek_pci_sdmmc *host,
+ return 0;
+ }
+
++static inline void sd_enable_initial_mode(struct realtek_pci_sdmmc *host)
++{
++ rtsx_pci_write_register(host->pcr, SD_CFG1,
++ SD_CLK_DIVIDE_MASK, SD_CLK_DIVIDE_128);
++}
++
++static inline void sd_disable_initial_mode(struct realtek_pci_sdmmc *host)
++{
++ rtsx_pci_write_register(host->pcr, SD_CFG1,
++ SD_CLK_DIVIDE_MASK, SD_CLK_DIVIDE_0);
++}
++
+ static int sd_rw_multi(struct realtek_pci_sdmmc *host, struct mmc_request *mrq)
+ {
+ struct mmc_data *data = mrq->data;
++ int err;
+
+ if (host->sg_count < 0) {
+ data->error = host->sg_count;
+@@ -550,22 +563,19 @@ static int sd_rw_multi(struct realtek_pci_sdmmc *host, struct mmc_request *mrq)
+ return data->error;
+ }
+
+- if (data->flags & MMC_DATA_READ)
+- return sd_read_long_data(host, mrq);
++ if (data->flags & MMC_DATA_READ) {
++ if (host->initial_mode)
++ sd_disable_initial_mode(host);
+
+- return sd_write_long_data(host, mrq);
+-}
++ err = sd_read_long_data(host, mrq);
+
+-static inline void sd_enable_initial_mode(struct realtek_pci_sdmmc *host)
+-{
+- rtsx_pci_write_register(host->pcr, SD_CFG1,
+- SD_CLK_DIVIDE_MASK, SD_CLK_DIVIDE_128);
+-}
++ if (host->initial_mode)
++ sd_enable_initial_mode(host);
+
+-static inline void sd_disable_initial_mode(struct realtek_pci_sdmmc *host)
+-{
+- rtsx_pci_write_register(host->pcr, SD_CFG1,
+- SD_CLK_DIVIDE_MASK, SD_CLK_DIVIDE_0);
++ return err;
++ }
++
++ return sd_write_long_data(host, mrq);
+ }
+
+ static void sd_normal_rw(struct realtek_pci_sdmmc *host,
+--
+2.30.2
+
--- /dev/null
+From 11ef2c127356b5d808c2da4641ee31307636bf8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jun 2021 16:13:54 +0530
+Subject: mmc: sdhci-of-arasan: Check return value of non-void funtions
+
+From: Manish Narani <manish.narani@xilinx.com>
+
+[ Upstream commit 66bad6ed2204fdb78a0a8fb89d824397106a5471 ]
+
+At a couple of places, the return values of the non-void functions were
+not getting checked. This was reported by the coverity tool. Modify the
+code to check the return values of the same.
+
+Addresses-Coverity: ("check_return")
+Signed-off-by: Manish Narani <manish.narani@xilinx.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/1623753837-21035-5-git-send-email-manish.narani@xilinx.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-of-arasan.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/mmc/host/sdhci-of-arasan.c b/drivers/mmc/host/sdhci-of-arasan.c
+index 7023cbec4017..dd10f7abf5a7 100644
+--- a/drivers/mmc/host/sdhci-of-arasan.c
++++ b/drivers/mmc/host/sdhci-of-arasan.c
+@@ -192,7 +192,12 @@ static void sdhci_arasan_set_clock(struct sdhci_host *host, unsigned int clock)
+ * through low speeds without power cycling.
+ */
+ sdhci_set_clock(host, host->max_clk);
+- phy_power_on(sdhci_arasan->phy);
++ if (phy_power_on(sdhci_arasan->phy)) {
++ pr_err("%s: Cannot power on phy.\n",
++ mmc_hostname(host->mmc));
++ return;
++ }
++
+ sdhci_arasan->is_phy_on = true;
+
+ /*
+@@ -228,7 +233,12 @@ static void sdhci_arasan_set_clock(struct sdhci_host *host, unsigned int clock)
+ msleep(20);
+
+ if (ctrl_phy) {
+- phy_power_on(sdhci_arasan->phy);
++ if (phy_power_on(sdhci_arasan->phy)) {
++ pr_err("%s: Cannot power on phy.\n",
++ mmc_hostname(host->mmc));
++ return;
++ }
++
+ sdhci_arasan->is_phy_on = true;
+ }
+ }
+@@ -416,7 +426,9 @@ static int sdhci_arasan_suspend(struct device *dev)
+ ret = phy_power_off(sdhci_arasan->phy);
+ if (ret) {
+ dev_err(dev, "Cannot power off phy.\n");
+- sdhci_resume_host(host);
++ if (sdhci_resume_host(host))
++ dev_err(dev, "Cannot resume host.\n");
++
+ return ret;
+ }
+ sdhci_arasan->is_phy_on = false;
+--
+2.30.2
+
--- /dev/null
+From 8ba21cecf0d3290f6eee81e266e82a42ab9db747 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Aug 2021 12:13:40 -0700
+Subject: net: ethernet: stmmac: Do not use unreachable() in
+ ipq806x_gmac_probe()
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit 4367355dd90942a71641c98c40c74589c9bddf90 ]
+
+When compiling with clang in certain configurations, an objtool warning
+appears:
+
+drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.o: warning: objtool:
+ipq806x_gmac_probe() falls through to next function phy_modes()
+
+This happens because the unreachable annotation in the third switch
+statement is not eliminated. The compiler should know that the first
+default case would prevent the second and third from being reached as
+the comment notes but sanitizer options can make it harder for the
+compiler to reason this out.
+
+Help the compiler out by eliminating the unreachable() annotation and
+unifying the default case error handling so that there is no objtool
+warning, the meaning of the code stays the same, and there is less
+duplication.
+
+Reported-by: Sami Tolvanen <samitolvanen@google.com>
+Tested-by: Sami Tolvanen <samitolvanen@google.com>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/stmicro/stmmac/dwmac-ipq806x.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c
+index 0f56f8e33691..03b11f191c26 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c
+@@ -288,10 +288,7 @@ static int ipq806x_gmac_probe(struct platform_device *pdev)
+ val &= ~NSS_COMMON_GMAC_CTL_PHY_IFACE_SEL;
+ break;
+ default:
+- dev_err(&pdev->dev, "Unsupported PHY mode: \"%s\"\n",
+- phy_modes(gmac->phy_mode));
+- err = -EINVAL;
+- goto err_remove_config_dt;
++ goto err_unsupported_phy;
+ }
+ regmap_write(gmac->nss_common, NSS_COMMON_GMAC_CTL(gmac->id), val);
+
+@@ -308,10 +305,7 @@ static int ipq806x_gmac_probe(struct platform_device *pdev)
+ NSS_COMMON_CLK_SRC_CTRL_OFFSET(gmac->id);
+ break;
+ default:
+- dev_err(&pdev->dev, "Unsupported PHY mode: \"%s\"\n",
+- phy_modes(gmac->phy_mode));
+- err = -EINVAL;
+- goto err_remove_config_dt;
++ goto err_unsupported_phy;
+ }
+ regmap_write(gmac->nss_common, NSS_COMMON_CLK_SRC_CTRL, val);
+
+@@ -328,8 +322,7 @@ static int ipq806x_gmac_probe(struct platform_device *pdev)
+ NSS_COMMON_CLK_GATE_GMII_TX_EN(gmac->id);
+ break;
+ default:
+- /* We don't get here; the switch above will have errored out */
+- unreachable();
++ goto err_unsupported_phy;
+ }
+ regmap_write(gmac->nss_common, NSS_COMMON_CLK_GATE, val);
+
+@@ -360,6 +353,11 @@ static int ipq806x_gmac_probe(struct platform_device *pdev)
+
+ return 0;
+
++err_unsupported_phy:
++ dev_err(&pdev->dev, "Unsupported PHY mode: \"%s\"\n",
++ phy_modes(gmac->phy_mode));
++ err = -EINVAL;
++
+ err_remove_config_dt:
+ stmmac_remove_config_dt(pdev, plat_dat);
+
+--
+2.30.2
+
--- /dev/null
+From fc8339ec82a97899ddd8c790dbbd8f81eeb3d027 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Aug 2021 18:28:01 +0800
+Subject: net: fix NULL pointer reference in cipso_v4_doi_free
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: 王贇 <yun.wang@linux.alibaba.com>
+
+[ Upstream commit 733c99ee8be9a1410287cdbb943887365e83b2d6 ]
+
+In netlbl_cipsov4_add_std() when 'doi_def->map.std' alloc
+failed, we sometime observe panic:
+
+ BUG: kernel NULL pointer dereference, address:
+ ...
+ RIP: 0010:cipso_v4_doi_free+0x3a/0x80
+ ...
+ Call Trace:
+ netlbl_cipsov4_add_std+0xf4/0x8c0
+ netlbl_cipsov4_add+0x13f/0x1b0
+ genl_family_rcv_msg_doit.isra.15+0x132/0x170
+ genl_rcv_msg+0x125/0x240
+
+This is because in cipso_v4_doi_free() there is no check
+on 'doi_def->map.std' when 'doi_def->type' equal 1, which
+is possibe, since netlbl_cipsov4_add_std() haven't initialize
+it before alloc 'doi_def->map.std'.
+
+This patch just add the check to prevent panic happen for similar
+cases.
+
+Reported-by: Abaci <abaci@linux.alibaba.com>
+Signed-off-by: Michael Wang <yun.wang@linux.alibaba.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netlabel/netlabel_cipso_v4.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c
+index 8cd3daf0e3db..1778e4e8ce24 100644
+--- a/net/netlabel/netlabel_cipso_v4.c
++++ b/net/netlabel/netlabel_cipso_v4.c
+@@ -144,8 +144,8 @@ static int netlbl_cipsov4_add_std(struct genl_info *info,
+ return -ENOMEM;
+ doi_def->map.std = kzalloc(sizeof(*doi_def->map.std), GFP_KERNEL);
+ if (doi_def->map.std == NULL) {
+- ret_val = -ENOMEM;
+- goto add_std_failure;
++ kfree(doi_def);
++ return -ENOMEM;
+ }
+ doi_def->type = CIPSO_V4_MAP_TRANS;
+
+--
+2.30.2
+
--- /dev/null
+From ddf73c72ac195dac9859480fba61efc54c38ce8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Sep 2020 20:58:50 +0300
+Subject: net/mlx5: DR, Enable QP retransmission
+
+From: Yevgeny Kliteynik <kliteyn@nvidia.com>
+
+[ Upstream commit ec449ed8230cd30769de3cb70ee0fce293047372 ]
+
+Under high stress, SW steering might get stuck on polling for completion
+that never comes.
+For such cases QP needs to have protocol retransmission mechanism enabled.
+Currently the retransmission timeout is defined as 0 (unlimited). Fix this
+by defining a real timeout.
+
+Signed-off-by: Yevgeny Kliteynik <kliteyn@nvidia.com>
+Reviewed-by: Alex Vesker <valex@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/steering/dr_send.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_send.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_send.c
+index f012aac83b10..401564b94eb1 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_send.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_send.c
+@@ -603,6 +603,7 @@ static int dr_cmd_modify_qp_rtr2rts(struct mlx5_core_dev *mdev,
+ MLX5_SET(qpc, qpc, log_ack_req_freq, 0);
+ MLX5_SET(qpc, qpc, retry_count, attr->retry_cnt);
+ MLX5_SET(qpc, qpc, rnr_retry, attr->rnr_retry);
++ MLX5_SET(qpc, qpc, primary_address_path.ack_timeout, 0x8); /* ~1ms */
+
+ return mlx5_core_qp_modify(mdev, MLX5_CMD_OP_RTR2RTS_QP, 0, qpc,
+ &dr_qp->mqp);
+--
+2.30.2
+
--- /dev/null
+From 6868e4ece168c86a78bea8f2a36c1db9ea377c51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 21:15:05 +0300
+Subject: net/mlx5: Fix variable type to match 64bit
+
+From: Eran Ben Elisha <eranbe@nvidia.com>
+
+[ Upstream commit 979aa51967add26b37f9d77e01729d44a2da8e5f ]
+
+Fix the following smatch warning:
+wait_func_handle_exec_timeout() warn: should '1 << ent->idx' be a 64 bit type?
+
+Use 1ULL, to have a 64 bit type variable.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Eran Ben Elisha <eranbe@nvidia.com>
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+index 76547d35cd0e..bf091a6c0cd2 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -865,7 +865,7 @@ static void cb_timeout_handler(struct work_struct *work)
+ ent->ret = -ETIMEDOUT;
+ mlx5_core_warn(dev, "cmd[%d]: %s(0x%x) Async, timeout. Will cause a leak of a command resource\n",
+ ent->idx, mlx5_command_str(msg_to_opcode(ent->in)), msg_to_opcode(ent->in));
+- mlx5_cmd_comp_handler(dev, 1UL << ent->idx, true);
++ mlx5_cmd_comp_handler(dev, 1ULL << ent->idx, true);
+
+ out:
+ cmd_ent_put(ent); /* for the cmd_ent_get() took on schedule delayed work */
+@@ -977,7 +977,7 @@ static void cmd_work_handler(struct work_struct *work)
+ MLX5_SET(mbox_out, ent->out, status, status);
+ MLX5_SET(mbox_out, ent->out, syndrome, drv_synd);
+
+- mlx5_cmd_comp_handler(dev, 1UL << ent->idx, true);
++ mlx5_cmd_comp_handler(dev, 1ULL << ent->idx, true);
+ return;
+ }
+
+@@ -991,7 +991,7 @@ static void cmd_work_handler(struct work_struct *work)
+ poll_timeout(ent);
+ /* make sure we read the descriptor after ownership is SW */
+ rmb();
+- mlx5_cmd_comp_handler(dev, 1UL << ent->idx, (ent->ret == -ETIMEDOUT));
++ mlx5_cmd_comp_handler(dev, 1ULL << ent->idx, (ent->ret == -ETIMEDOUT));
+ }
+ }
+
+@@ -1051,7 +1051,7 @@ static void wait_func_handle_exec_timeout(struct mlx5_core_dev *dev,
+ mlx5_command_str(msg_to_opcode(ent->in)), msg_to_opcode(ent->in));
+
+ ent->ret = -ETIMEDOUT;
+- mlx5_cmd_comp_handler(dev, 1UL << ent->idx, true);
++ mlx5_cmd_comp_handler(dev, 1ULL << ent->idx, true);
+ }
+
+ static int wait_func(struct mlx5_core_dev *dev, struct mlx5_cmd_work_ent *ent)
+--
+2.30.2
+
--- /dev/null
+From 653c7d8dc0d4aec93eee838ddfdbcd4d449a6f90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Aug 2021 16:40:18 +0800
+Subject: net: w5100: check return value after calling platform_get_resource()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit a39ff4a47f3e1da3b036817ef436b1a9be10783a ]
+
+It will cause null-ptr-deref if platform_get_resource() returns NULL,
+we need check the return value.
+
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/wiznet/w5100.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/wiznet/w5100.c b/drivers/net/ethernet/wiznet/w5100.c
+index bede1ff289c5..a65b7291e12a 100644
+--- a/drivers/net/ethernet/wiznet/w5100.c
++++ b/drivers/net/ethernet/wiznet/w5100.c
+@@ -1052,6 +1052,8 @@ static int w5100_mmio_probe(struct platform_device *pdev)
+ mac_addr = data->mac_addr;
+
+ mem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++ if (!mem)
++ return -EINVAL;
+ if (resource_size(mem) < W5100_BUS_DIRECT_SIZE)
+ ops = &w5100_mmio_indirect_ops;
+ else
+--
+2.30.2
+
--- /dev/null
+From 5cf5a117509f57c68b30dc939a75a6b02bb365ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Jul 2021 13:18:16 +0800
+Subject: netlink: Deal with ESRCH error in nlmsg_notify()
+
+From: Yajun Deng <yajun.deng@linux.dev>
+
+[ Upstream commit fef773fc8110d8124c73a5e6610f89e52814637d ]
+
+Yonghong Song report:
+The bpf selftest tc_bpf failed with latest bpf-next.
+The following is the command to run and the result:
+$ ./test_progs -n 132
+[ 40.947571] bpf_testmod: loading out-of-tree module taints kernel.
+test_tc_bpf:PASS:test_tc_bpf__open_and_load 0 nsec
+test_tc_bpf:PASS:bpf_tc_hook_create(BPF_TC_INGRESS) 0 nsec
+test_tc_bpf:PASS:bpf_tc_hook_create invalid hook.attach_point 0 nsec
+test_tc_bpf_basic:PASS:bpf_obj_get_info_by_fd 0 nsec
+test_tc_bpf_basic:PASS:bpf_tc_attach 0 nsec
+test_tc_bpf_basic:PASS:handle set 0 nsec
+test_tc_bpf_basic:PASS:priority set 0 nsec
+test_tc_bpf_basic:PASS:prog_id set 0 nsec
+test_tc_bpf_basic:PASS:bpf_tc_attach replace mode 0 nsec
+test_tc_bpf_basic:PASS:bpf_tc_query 0 nsec
+test_tc_bpf_basic:PASS:handle set 0 nsec
+test_tc_bpf_basic:PASS:priority set 0 nsec
+test_tc_bpf_basic:PASS:prog_id set 0 nsec
+libbpf: Kernel error message: Failed to send filter delete notification
+test_tc_bpf_basic:FAIL:bpf_tc_detach unexpected error: -3 (errno 3)
+test_tc_bpf:FAIL:test_tc_internal ingress unexpected error: -3 (errno 3)
+
+The failure seems due to the commit
+ cfdf0d9ae75b ("rtnetlink: use nlmsg_notify() in rtnetlink_send()")
+
+Deal with ESRCH error in nlmsg_notify() even the report variable is zero.
+
+Reported-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Yajun Deng <yajun.deng@linux.dev>
+Link: https://lore.kernel.org/r/20210719051816.11762-1-yajun.deng@linux.dev
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netlink/af_netlink.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index 9d993b4cf1af..acc76a738cfd 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -2521,13 +2521,15 @@ int nlmsg_notify(struct sock *sk, struct sk_buff *skb, u32 portid,
+ /* errors reported via destination sk->sk_err, but propagate
+ * delivery errors if NETLINK_BROADCAST_ERROR flag is set */
+ err = nlmsg_multicast(sk, skb, exclude_portid, group, flags);
++ if (err == -ESRCH)
++ err = 0;
+ }
+
+ if (report) {
+ int err2;
+
+ err2 = nlmsg_unicast(sk, skb, portid);
+- if (!err || err == -ESRCH)
++ if (!err)
+ err = err2;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 9249fd57a4dda051167530fe07942440ede546a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 14:19:35 -0700
+Subject: nvme-tcp: don't check blk_mq_tag_to_rq when receiving pdu data
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+[ Upstream commit 3b01a9d0caa8276d9ce314e09610f7fb70f49a00 ]
+
+We already validate it when receiving the c2hdata pdu header
+and this is not changing so this is a redundant check.
+
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Daniel Wagner <dwagner@suse.de>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/tcp.c | 14 +++-----------
+ 1 file changed, 3 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
+index f6427a10a990..38bbbbbc6f47 100644
+--- a/drivers/nvme/host/tcp.c
++++ b/drivers/nvme/host/tcp.c
+@@ -642,17 +642,9 @@ static int nvme_tcp_recv_data(struct nvme_tcp_queue *queue, struct sk_buff *skb,
+ unsigned int *offset, size_t *len)
+ {
+ struct nvme_tcp_data_pdu *pdu = (void *)queue->pdu;
+- struct nvme_tcp_request *req;
+- struct request *rq;
+-
+- rq = blk_mq_tag_to_rq(nvme_tcp_tagset(queue), pdu->command_id);
+- if (!rq) {
+- dev_err(queue->ctrl->ctrl.device,
+- "queue %d tag %#x not found\n",
+- nvme_tcp_queue_id(queue), pdu->command_id);
+- return -ENOENT;
+- }
+- req = blk_mq_rq_to_pdu(rq);
++ struct request *rq =
++ blk_mq_tag_to_rq(nvme_tcp_tagset(queue), pdu->command_id);
++ struct nvme_tcp_request *req = blk_mq_rq_to_pdu(rq);
+
+ while (true) {
+ int recv_len, ret;
+--
+2.30.2
+
--- /dev/null
+From 088485759363d53f5c6a5a12e281247843ca3135 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Aug 2021 15:47:22 +0100
+Subject: of: Don't allow __of_attached_node_sysfs() without CONFIG_SYSFS
+
+From: Marc Zyngier <maz@kernel.org>
+
+[ Upstream commit 6211e9cb2f8faf7faae0b6caf844bfe9527cc607 ]
+
+Trying to boot without SYSFS, but with OF_DYNAMIC quickly
+results in a crash:
+
+[ 0.088460] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000070
+[...]
+[ 0.103927] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.14.0-rc3 #4179
+[ 0.105810] Hardware name: linux,dummy-virt (DT)
+[ 0.107147] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO BTYPE=--)
+[ 0.108876] pc : kernfs_find_and_get_ns+0x3c/0x7c
+[ 0.110244] lr : kernfs_find_and_get_ns+0x3c/0x7c
+[...]
+[ 0.134087] Call trace:
+[ 0.134800] kernfs_find_and_get_ns+0x3c/0x7c
+[ 0.136054] safe_name+0x4c/0xd0
+[ 0.136994] __of_attach_node_sysfs+0xf8/0x124
+[ 0.138287] of_core_init+0x90/0xfc
+[ 0.139296] driver_init+0x30/0x4c
+[ 0.140283] kernel_init_freeable+0x160/0x1b8
+[ 0.141543] kernel_init+0x30/0x140
+[ 0.142561] ret_from_fork+0x10/0x18
+
+While not having sysfs isn't a very common option these days,
+it is still expected that such configuration would work.
+
+Paper over it by bailing out from __of_attach_node_sysfs() if
+CONFIG_SYSFS isn't enabled.
+
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20210820144722.169226-1-maz@kernel.org
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/kobj.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/of/kobj.c b/drivers/of/kobj.c
+index a32e60b024b8..6675b5e56960 100644
+--- a/drivers/of/kobj.c
++++ b/drivers/of/kobj.c
+@@ -119,7 +119,7 @@ int __of_attach_node_sysfs(struct device_node *np)
+ struct property *pp;
+ int rc;
+
+- if (!of_kset)
++ if (!IS_ENABLED(CONFIG_SYSFS) || !of_kset)
+ return 0;
+
+ np->kobj.kset = of_kset;
+--
+2.30.2
+
--- /dev/null
+From 32ae9a815629c5febfe15ca149232d73a968e935 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Jul 2021 19:33:09 -0700
+Subject: openrisc: don't printk() unconditionally
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 946e1052cdcc7e585ee5d1e72528ca49fb295243 ]
+
+Don't call printk() when CONFIG_PRINTK is not set.
+Fixes the following build errors:
+
+or1k-linux-ld: arch/openrisc/kernel/entry.o: in function `_external_irq_handler':
+(.text+0x804): undefined reference to `printk'
+(.text+0x804): relocation truncated to fit: R_OR1K_INSN_REL_26 against undefined symbol `printk'
+
+Fixes: 9d02a4283e9c ("OpenRISC: Boot code")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Cc: Jonas Bonn <jonas@southpole.se>
+Cc: Stefan Kristiansson <stefan.kristiansson@saunalahti.fi>
+Cc: Stafford Horne <shorne@gmail.com>
+Cc: openrisc@lists.librecores.org
+Signed-off-by: Stafford Horne <shorne@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/openrisc/kernel/entry.S | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/openrisc/kernel/entry.S b/arch/openrisc/kernel/entry.S
+index c6481cfc5220..6b27cf4a0d78 100644
+--- a/arch/openrisc/kernel/entry.S
++++ b/arch/openrisc/kernel/entry.S
+@@ -547,6 +547,7 @@ EXCEPTION_ENTRY(_external_irq_handler)
+ l.bnf 1f // ext irq enabled, all ok.
+ l.nop
+
++#ifdef CONFIG_PRINTK
+ l.addi r1,r1,-0x8
+ l.movhi r3,hi(42f)
+ l.ori r3,r3,lo(42f)
+@@ -560,6 +561,7 @@ EXCEPTION_ENTRY(_external_irq_handler)
+ .string "\n\rESR interrupt bug: in _external_irq_handler (ESR %x)\n\r"
+ .align 4
+ .previous
++#endif
+
+ l.ori r4,r4,SPR_SR_IEE // fix the bug
+ // l.sw PT_SR(r1),r4
+--
+2.30.2
+
--- /dev/null
+From bc708f9a73b294e729db7921b1cfa808e9552e67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Aug 2021 16:57:20 +0530
+Subject: opp: Don't print an error if required-opps is missing
+
+From: Rajendra Nayak <rnayak@codeaurora.org>
+
+[ Upstream commit 020d86fc0df8b865f6dc168d88a7c2dccabd0a9e ]
+
+The 'required-opps' property is considered optional, hence remove
+the pr_err() in of_parse_required_opp() when we find the property is
+missing.
+While at it, also fix the return value of
+of_get_required_opp_performance_state() when of_parse_required_opp()
+fails, return a -ENODEV instead of the -EINVAL.
+
+Signed-off-by: Rajendra Nayak <rnayak@codeaurora.org>
+Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/opp/of.c | 12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/opp/of.c b/drivers/opp/of.c
+index 603c688fe23d..30cc407c8f93 100644
+--- a/drivers/opp/of.c
++++ b/drivers/opp/of.c
+@@ -95,15 +95,7 @@ static struct dev_pm_opp *_find_opp_of_np(struct opp_table *opp_table,
+ static struct device_node *of_parse_required_opp(struct device_node *np,
+ int index)
+ {
+- struct device_node *required_np;
+-
+- required_np = of_parse_phandle(np, "required-opps", index);
+- if (unlikely(!required_np)) {
+- pr_err("%s: Unable to parse required-opps: %pOF, index: %d\n",
+- __func__, np, index);
+- }
+-
+- return required_np;
++ return of_parse_phandle(np, "required-opps", index);
+ }
+
+ /* The caller must call dev_pm_opp_put_opp_table() after the table is used */
+@@ -996,7 +988,7 @@ int of_get_required_opp_performance_state(struct device_node *np, int index)
+
+ required_np = of_parse_required_opp(np, index);
+ if (!required_np)
+- return -EINVAL;
++ return -ENODEV;
+
+ opp_table = _find_table_of_opp_np(required_np);
+ if (IS_ERR(opp_table)) {
+--
+2.30.2
+
--- /dev/null
+From 7a37edfe4903d2cbe4fb03f2e9101ddf4753b893 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Jul 2021 11:07:10 +0100
+Subject: parport: remove non-zero check on count
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 0be883a0d795d9146f5325de582584147dd0dcdc ]
+
+The check for count appears to be incorrect since a non-zero count
+check occurs a couple of statements earlier. Currently the check is
+always false and the dev->port->irq != PARPORT_IRQ_NONE part of the
+check is never tested and the if statement is dead-code. Fix this
+by removing the check on count.
+
+Note that this code is pre-git history, so I can't find a sha for
+it.
+
+Acked-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Addresses-Coverity: ("Logically dead code")
+Link: https://lore.kernel.org/r/20210730100710.27405-1-colin.king@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/parport/ieee1284_ops.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/parport/ieee1284_ops.c b/drivers/parport/ieee1284_ops.c
+index 5d41dda6da4e..75daa16f38b7 100644
+--- a/drivers/parport/ieee1284_ops.c
++++ b/drivers/parport/ieee1284_ops.c
+@@ -535,7 +535,7 @@ size_t parport_ieee1284_ecp_read_data (struct parport *port,
+ goto out;
+
+ /* Yield the port for a while. */
+- if (count && dev->port->irq != PARPORT_IRQ_NONE) {
++ if (dev->port->irq != PARPORT_IRQ_NONE) {
+ parport_release (dev);
+ schedule_timeout_interruptible(msecs_to_jiffies(40));
+ parport_claim_or_block (dev);
+--
+2.30.2
+
--- /dev/null
+From c7caf01763eecc4e24d3a3811965c622d55518e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jul 2021 15:25:06 +0200
+Subject: PCI: Use pci_update_current_state() in pci_enable_device_flags()
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 14858dcc3b3587f4bb5c48e130ee7d68fc2b0a29 ]
+
+Updating the current_state field of struct pci_dev the way it is done
+in pci_enable_device_flags() before calling do_pci_enable_device() may
+not work. For example, if the given PCI device depends on an ACPI
+power resource whose _STA method initially returns 0 ("off"), but the
+config space of the PCI device is accessible and the power state
+retrieved from the PCI_PM_CTRL register is D0, the current_state
+field in the struct pci_dev representing that device will get out of
+sync with the power.state of its ACPI companion object and that will
+lead to power management issues going forward.
+
+To avoid such issues, make pci_enable_device_flags() call
+pci_update_current_state() which takes ACPI device power management
+into account, if present, to retrieve the current power state of the
+device.
+
+Link: https://lore.kernel.org/lkml/20210314000439.3138941-1-luzmaximilian@gmail.com/
+Reported-by: Maximilian Luz <luzmaximilian@gmail.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Tested-by: Maximilian Luz <luzmaximilian@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index 58c33b65d451..91b2733ded17 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -1672,11 +1672,7 @@ static int pci_enable_device_flags(struct pci_dev *dev, unsigned long flags)
+ * so that things like MSI message writing will behave as expected
+ * (e.g. if the device really is in D0 at enable time).
+ */
+- if (dev->pm_cap) {
+- u16 pmcsr;
+- pci_read_config_word(dev, dev->pm_cap + PCI_PM_CTRL, &pmcsr);
+- dev->current_state = (pmcsr & PCI_PM_CTRL_STATE_MASK);
+- }
++ pci_update_current_state(dev, dev->current_state);
+
+ if (atomic_inc_return(&dev->enable_cnt) > 1)
+ return 0; /* already enabled */
+--
+2.30.2
+
--- /dev/null
+From f09b87e86ce78519ac738cd5af19ecc726e5ceaf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Jul 2021 22:29:05 +0300
+Subject: pinctrl: samsung: Fix pinctrl bank pin count
+
+From: Jaehyoung Choi <jkkkkk.choi@samsung.com>
+
+[ Upstream commit 70115558ab02fe8d28a6634350b3491a542aaa02 ]
+
+Commit 1abd18d1a51a ("pinctrl: samsung: Register pinctrl before GPIO")
+changes the order of GPIO and pinctrl registration: now pinctrl is
+registered before GPIO. That means gpio_chip->ngpio is not set when
+samsung_pinctrl_register() called, and one cannot rely on that value
+anymore. Use `pin_bank->nr_pins' instead of `pin_bank->gpio_chip.ngpio'
+to fix mentioned inconsistency.
+
+Fixes: 1abd18d1a51a ("pinctrl: samsung: Register pinctrl before GPIO")
+Signed-off-by: Jaehyoung Choi <jkkkkk.choi@samsung.com>
+Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org>
+Link: https://lore.kernel.org/r/20210730192905.7173-1-semen.protsenko@linaro.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/samsung/pinctrl-samsung.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/samsung/pinctrl-samsung.c b/drivers/pinctrl/samsung/pinctrl-samsung.c
+index f26574ef234a..601fffeba39f 100644
+--- a/drivers/pinctrl/samsung/pinctrl-samsung.c
++++ b/drivers/pinctrl/samsung/pinctrl-samsung.c
+@@ -918,7 +918,7 @@ static int samsung_pinctrl_register(struct platform_device *pdev,
+ pin_bank->grange.pin_base = drvdata->pin_base
+ + pin_bank->pin_base;
+ pin_bank->grange.base = pin_bank->grange.pin_base;
+- pin_bank->grange.npins = pin_bank->gpio_chip.ngpio;
++ pin_bank->grange.npins = pin_bank->nr_pins;
+ pin_bank->grange.gc = &pin_bank->gpio_chip;
+ pinctrl_add_gpio_range(drvdata->pctl_dev, &pin_bank->grange);
+ }
+--
+2.30.2
+
--- /dev/null
+From 42e552c798107d57c5c0692cba9ad5138d60ed6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jul 2021 11:39:29 +0800
+Subject: pinctrl: single: Fix error return code in
+ pcs_parse_bits_in_pinctrl_entry()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit d789a490d32fdf0465275e3607f8a3bc87d3f3ba ]
+
+Fix to return -ENOTSUPP instead of 0 when PCS_HAS_PINCONF is true, which
+is the same as that returned in pcs_parse_pinconf().
+
+Fixes: 4e7e8017a80e ("pinctrl: pinctrl-single: enhance to configure multiple pins of different modules")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Link: https://lore.kernel.org/r/20210722033930.4034-2-thunder.leizhen@huawei.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-single.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c
+index a9d511982780..fb1c8965cb99 100644
+--- a/drivers/pinctrl/pinctrl-single.c
++++ b/drivers/pinctrl/pinctrl-single.c
+@@ -1201,6 +1201,7 @@ static int pcs_parse_bits_in_pinctrl_entry(struct pcs_device *pcs,
+
+ if (PCS_HAS_PINCONF) {
+ dev_err(pcs->dev, "pinconf not supported\n");
++ res = -ENOTSUPP;
+ goto free_pingroups;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 918a9b428f77f870fc4ba96ac842927672b4e4ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Aug 2021 16:08:22 +0200
+Subject: platform/x86: dell-smbios-wmi: Add missing kfree in error-exit from
+ run_smbios_call
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 0487d4fc42d7f31a56cfd9e2237f9ebd889e6112 ]
+
+As pointed out be Kees Cook if we return -EIO because the
+obj->type != ACPI_TYPE_BUFFER, then we must kfree the
+output buffer before the return.
+
+Fixes: 1a258e670434 ("platform/x86: dell-smbios-wmi: Add new WMI dispatcher driver")
+Reported-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20210826140822.71198-1-hdegoede@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/dell-smbios-wmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/platform/x86/dell-smbios-wmi.c b/drivers/platform/x86/dell-smbios-wmi.c
+index c97bd4a45242..5821e9d9a4ce 100644
+--- a/drivers/platform/x86/dell-smbios-wmi.c
++++ b/drivers/platform/x86/dell-smbios-wmi.c
+@@ -69,6 +69,7 @@ static int run_smbios_call(struct wmi_device *wdev)
+ if (obj->type == ACPI_TYPE_INTEGER)
+ dev_dbg(&wdev->dev, "SMBIOS call failed: %llu\n",
+ obj->integer.value);
++ kfree(output.pointer);
+ return -EIO;
+ }
+ memcpy(&priv->buf->std, obj->buffer.pointer, obj->buffer.length);
+--
+2.30.2
+
--- /dev/null
+From 3afda0d336af1344dfda350c7bec31ec461c668e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Aug 2021 14:24:06 +0930
+Subject: powerpc/config: Renable MTD_PHYSMAP_OF
+
+From: Joel Stanley <joel@jms.id.au>
+
+[ Upstream commit d0e28a6145c3455b69991245e7f6147eb914b34a ]
+
+CONFIG_MTD_PHYSMAP_OF is not longer enabled as it depends on
+MTD_PHYSMAP which is not enabled.
+
+This is a regression from commit 642b1e8dbed7 ("mtd: maps: Merge
+physmap_of.c into physmap-core.c"), which added the extra dependency.
+Add CONFIG_MTD_PHYSMAP=y so this stays in the config, as Christophe said
+it is useful for build coverage.
+
+Fixes: 642b1e8dbed7 ("mtd: maps: Merge physmap_of.c into physmap-core.c")
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Acked-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210817045407.2445664-3-joel@jms.id.au
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/configs/mpc885_ads_defconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/configs/mpc885_ads_defconfig b/arch/powerpc/configs/mpc885_ads_defconfig
+index 285d506c5a76..2f5e06309f09 100644
+--- a/arch/powerpc/configs/mpc885_ads_defconfig
++++ b/arch/powerpc/configs/mpc885_ads_defconfig
+@@ -39,6 +39,7 @@ CONFIG_MTD_CFI_GEOMETRY=y
+ # CONFIG_MTD_CFI_I2 is not set
+ CONFIG_MTD_CFI_I4=y
+ CONFIG_MTD_CFI_AMDSTD=y
++CONFIG_MTD_PHYSMAP=y
+ CONFIG_MTD_PHYSMAP_OF=y
+ # CONFIG_BLK_DEV is not set
+ CONFIG_NETDEVICES=y
+--
+2.30.2
+
--- /dev/null
+From d28c15de0955a4feb1a43423e29343778af5549c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jul 2021 20:01:03 +0200
+Subject: powerpc/stacktrace: Include linux/delay.h
+
+From: Michal Suchanek <msuchanek@suse.de>
+
+[ Upstream commit a6cae77f1bc89368a4e2822afcddc45c3062d499 ]
+
+commit 7c6986ade69e ("powerpc/stacktrace: Fix spurious "stale" traces in raise_backtrace_ipi()")
+introduces udelay() call without including the linux/delay.h header.
+This may happen to work on master but the header that declares the
+functionshould be included nonetheless.
+
+Fixes: 7c6986ade69e ("powerpc/stacktrace: Fix spurious "stale" traces in raise_backtrace_ipi()")
+Signed-off-by: Michal Suchanek <msuchanek@suse.de>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210729180103.15578-1-msuchanek@suse.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/stacktrace.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/kernel/stacktrace.c b/arch/powerpc/kernel/stacktrace.c
+index b13c6213b0d9..890f95151fb4 100644
+--- a/arch/powerpc/kernel/stacktrace.c
++++ b/arch/powerpc/kernel/stacktrace.c
+@@ -8,6 +8,7 @@
+ * Copyright 2018 Nick Piggin, Michael Ellerman, IBM Corp.
+ */
+
++#include <linux/delay.h>
+ #include <linux/export.h>
+ #include <linux/kallsyms.h>
+ #include <linux/module.h>
+--
+2.30.2
+
--- /dev/null
+From a49964b8dbcb0419579b812913b4d3c9fcdf0db6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jul 2021 14:39:45 +0300
+Subject: RDMA/efa: Remove double QP type assignment
+
+From: Leon Romanovsky <leonro@nvidia.com>
+
+[ Upstream commit f9193d266347fe9bed5c173e7a1bf96268142a79 ]
+
+The QP type is set by the IB/core and shouldn't be set in the driver.
+
+Fixes: 40909f664d27 ("RDMA/efa: Add EFA verbs implementation")
+Link: https://lore.kernel.org/r/838c40134c1590167b888ca06ad51071139ff2ae.1627040189.git.leonro@nvidia.com
+Acked-by: Gal Pressman <galpress@amazon.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/efa/efa_verbs.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/efa/efa_verbs.c b/drivers/infiniband/hw/efa/efa_verbs.c
+index 4edae89e8e3c..17f1e59ab12e 100644
+--- a/drivers/infiniband/hw/efa/efa_verbs.c
++++ b/drivers/infiniband/hw/efa/efa_verbs.c
+@@ -745,7 +745,6 @@ struct ib_qp *efa_create_qp(struct ib_pd *ibpd,
+ rq_entry_inserted = true;
+ qp->qp_handle = create_qp_resp.qp_handle;
+ qp->ibqp.qp_num = create_qp_resp.qp_num;
+- qp->ibqp.qp_type = init_attr->qp_type;
+ qp->max_send_wr = init_attr->cap.max_send_wr;
+ qp->max_recv_wr = init_attr->cap.max_recv_wr;
+ qp->max_send_sge = init_attr->cap.max_send_sge;
+--
+2.30.2
+
--- /dev/null
+From c76abcb09eb6b81250c0b401563716bff87b87d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jul 2021 17:08:55 +0300
+Subject: RDMA/iwcm: Release resources if iw_cm module initialization fails
+
+From: Leon Romanovsky <leonro@nvidia.com>
+
+[ Upstream commit e677b72a0647249370f2635862bf0241c86f66ad ]
+
+The failure during iw_cm module initialization partially left the system
+with unreleased memory and other resources. Rewrite the module init/exit
+routines in such way that netlink commands will be opened only after
+successful initialization.
+
+Fixes: b493d91d333e ("iwcm: common code for port mapper")
+Link: https://lore.kernel.org/r/b01239f99cb1a3e6d2b0694c242d89e6410bcd93.1627048781.git.leonro@nvidia.com
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/iwcm.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c
+index da8adadf4755..75b6da00065a 100644
+--- a/drivers/infiniband/core/iwcm.c
++++ b/drivers/infiniband/core/iwcm.c
+@@ -1187,29 +1187,34 @@ static int __init iw_cm_init(void)
+
+ ret = iwpm_init(RDMA_NL_IWCM);
+ if (ret)
+- pr_err("iw_cm: couldn't init iwpm\n");
+- else
+- rdma_nl_register(RDMA_NL_IWCM, iwcm_nl_cb_table);
++ return ret;
++
+ iwcm_wq = alloc_ordered_workqueue("iw_cm_wq", 0);
+ if (!iwcm_wq)
+- return -ENOMEM;
++ goto err_alloc;
+
+ iwcm_ctl_table_hdr = register_net_sysctl(&init_net, "net/iw_cm",
+ iwcm_ctl_table);
+ if (!iwcm_ctl_table_hdr) {
+ pr_err("iw_cm: couldn't register sysctl paths\n");
+- destroy_workqueue(iwcm_wq);
+- return -ENOMEM;
++ goto err_sysctl;
+ }
+
++ rdma_nl_register(RDMA_NL_IWCM, iwcm_nl_cb_table);
+ return 0;
++
++err_sysctl:
++ destroy_workqueue(iwcm_wq);
++err_alloc:
++ iwpm_exit(RDMA_NL_IWCM);
++ return -ENOMEM;
+ }
+
+ static void __exit iw_cm_cleanup(void)
+ {
++ rdma_nl_unregister(RDMA_NL_IWCM);
+ unregister_net_sysctl_table(iwcm_ctl_table_hdr);
+ destroy_workqueue(iwcm_wq);
+- rdma_nl_unregister(RDMA_NL_IWCM);
+ iwpm_exit(RDMA_NL_IWCM);
+ }
+
+--
+2.30.2
+
--- /dev/null
+From ce5b83aee883544d439f83bffd5e5fdfefc4cc9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Aug 2021 15:35:01 +0300
+Subject: Revert "USB: xhci: fix U1/U2 handling for hardware with
+ XHCI_INTEL_HOST quirk set"
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+[ Upstream commit 2847c46c61486fd8bca9136a6e27177212e78c69 ]
+
+This reverts commit 5d5323a6f3625f101dbfa94ba3ef7706cce38760.
+
+That commit effectively disabled Intel host initiated U1/U2 lpm for devices
+with periodic endpoints.
+
+Before that commit we disabled host initiated U1/U2 lpm if the exit latency
+was larger than any periodic endpoint service interval, this is according
+to xhci spec xhci 1.1 specification section 4.23.5.2
+
+After that commit we incorrectly checked that service interval was smaller
+than U1/U2 inactivity timeout. This is not relevant, and can't happen for
+Intel hosts as previously set U1/U2 timeout = 105% * service interval.
+
+Patch claimed it solved cases where devices can't be enumerated because of
+bandwidth issues. This might be true but it's a side effect of accidentally
+turning off lpm.
+
+exit latency calculations have been revised since then
+
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20210820123503.2605901-5-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
+index a3813c75a3de..505da4999e20 100644
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -4662,19 +4662,19 @@ static u16 xhci_calculate_u1_timeout(struct xhci_hcd *xhci,
+ {
+ unsigned long long timeout_ns;
+
+- if (xhci->quirks & XHCI_INTEL_HOST)
+- timeout_ns = xhci_calculate_intel_u1_timeout(udev, desc);
+- else
+- timeout_ns = udev->u1_params.sel;
+-
+ /* Prevent U1 if service interval is shorter than U1 exit latency */
+ if (usb_endpoint_xfer_int(desc) || usb_endpoint_xfer_isoc(desc)) {
+- if (xhci_service_interval_to_ns(desc) <= timeout_ns) {
++ if (xhci_service_interval_to_ns(desc) <= udev->u1_params.mel) {
+ dev_dbg(&udev->dev, "Disable U1, ESIT shorter than exit latency\n");
+ return USB3_LPM_DISABLED;
+ }
+ }
+
++ if (xhci->quirks & XHCI_INTEL_HOST)
++ timeout_ns = xhci_calculate_intel_u1_timeout(udev, desc);
++ else
++ timeout_ns = udev->u1_params.sel;
++
+ /* The U1 timeout is encoded in 1us intervals.
+ * Don't return a timeout of zero, because that's USB3_LPM_DISABLED.
+ */
+@@ -4726,19 +4726,19 @@ static u16 xhci_calculate_u2_timeout(struct xhci_hcd *xhci,
+ {
+ unsigned long long timeout_ns;
+
+- if (xhci->quirks & XHCI_INTEL_HOST)
+- timeout_ns = xhci_calculate_intel_u2_timeout(udev, desc);
+- else
+- timeout_ns = udev->u2_params.sel;
+-
+ /* Prevent U2 if service interval is shorter than U2 exit latency */
+ if (usb_endpoint_xfer_int(desc) || usb_endpoint_xfer_isoc(desc)) {
+- if (xhci_service_interval_to_ns(desc) <= timeout_ns) {
++ if (xhci_service_interval_to_ns(desc) <= udev->u2_params.mel) {
+ dev_dbg(&udev->dev, "Disable U2, ESIT shorter than exit latency\n");
+ return USB3_LPM_DISABLED;
+ }
+ }
+
++ if (xhci->quirks & XHCI_INTEL_HOST)
++ timeout_ns = xhci_calculate_intel_u2_timeout(udev, desc);
++ else
++ timeout_ns = udev->u2_params.sel;
++
+ /* The U2 timeout is encoded in 256us intervals */
+ timeout_ns = DIV_ROUND_UP_ULL(timeout_ns, 256 * 1000);
+ /* If the necessary timeout value is bigger than what we can set in the
+--
+2.30.2
+
--- /dev/null
+From a9b034e13a6f32401ed62bc0d408c15fb3b7db7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Aug 2021 16:41:42 -0400
+Subject: rpc: fix gss_svc_init cleanup on failure
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+[ Upstream commit 5a4753446253a427c0ff1e433b9c4933e5af207c ]
+
+The failure case here should be rare, but it's obviously wrong.
+
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/auth_gss/svcauth_gss.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
+index d5470c7fe879..c0016473a255 100644
+--- a/net/sunrpc/auth_gss/svcauth_gss.c
++++ b/net/sunrpc/auth_gss/svcauth_gss.c
+@@ -1937,7 +1937,7 @@ gss_svc_init_net(struct net *net)
+ goto out2;
+ return 0;
+ out2:
+- destroy_use_gss_proxy_proc_entry(net);
++ rsi_cache_destroy_net(net);
+ out1:
+ rsc_cache_destroy_net(net);
+ return rv;
+--
+2.30.2
+
--- /dev/null
+From e8838c6487d622164b22cfa2a4d51f9667d36387 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jul 2021 19:26:01 +0200
+Subject: s390/jump_label: print real address in a case of a jump label bug
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+[ Upstream commit 5492886c14744d239e87f1b0b774b5a341e755cc ]
+
+In case of a jump label print the real address of the piece of code
+where a mismatch was detected. This is right before the system panics,
+so there is nothing revealed.
+
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/jump_label.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/kernel/jump_label.c b/arch/s390/kernel/jump_label.c
+index ab584e8e3527..9156653b56f6 100644
+--- a/arch/s390/kernel/jump_label.c
++++ b/arch/s390/kernel/jump_label.c
+@@ -36,7 +36,7 @@ static void jump_label_bug(struct jump_entry *entry, struct insn *expected,
+ unsigned char *ipe = (unsigned char *)expected;
+ unsigned char *ipn = (unsigned char *)new;
+
+- pr_emerg("Jump label code mismatch at %pS [%p]\n", ipc, ipc);
++ pr_emerg("Jump label code mismatch at %pS [%px]\n", ipc, ipc);
+ pr_emerg("Found: %6ph\n", ipc);
+ pr_emerg("Expected: %6ph\n", ipe);
+ pr_emerg("New: %6ph\n", ipn);
+--
+2.30.2
+
--- /dev/null
+From 4de0b0c06cff192c4b7dcde6ccb1520be5c0c9b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jul 2021 14:55:42 +0200
+Subject: s390: make PCI mio support a machine flag
+
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+
+[ Upstream commit 3322ba0d7bea1e24ae464418626f6a15b69533ab ]
+
+Kernel support for the newer PCI mio instructions can be toggled off
+with the pci=nomio command line option which needs to integrate with
+common code PCI option parsing. However this option then toggles static
+branches which can't be toggled yet in an early_param() call.
+
+Thus commit 9964f396f1d0 ("s390: fix setting of mio addressing control")
+moved toggling the static branches to the PCI init routine.
+
+With this setup however we can't check for mio support outside the PCI
+code during early boot, i.e. before switching the static branches, which
+we need to be able to export this as an ELF HWCAP.
+
+Improve on this by turning mio availability into a machine flag that
+gets initially set based on CONFIG_PCI and the facility bit and gets
+toggled off if pci=nomio is found during PCI option parsing allowing
+simple access to this machine flag after early init.
+
+Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/include/asm/setup.h | 2 ++
+ arch/s390/kernel/early.c | 4 ++++
+ arch/s390/pci/pci.c | 5 ++---
+ 3 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/arch/s390/include/asm/setup.h b/arch/s390/include/asm/setup.h
+index 1932088686a6..e6a5007f017d 100644
+--- a/arch/s390/include/asm/setup.h
++++ b/arch/s390/include/asm/setup.h
+@@ -39,6 +39,7 @@
+ #define MACHINE_FLAG_NX BIT(15)
+ #define MACHINE_FLAG_GS BIT(16)
+ #define MACHINE_FLAG_SCC BIT(17)
++#define MACHINE_FLAG_PCI_MIO BIT(18)
+
+ #define LPP_MAGIC BIT(31)
+ #define LPP_PID_MASK _AC(0xffffffff, UL)
+@@ -106,6 +107,7 @@ extern unsigned long __swsusp_reset_dma;
+ #define MACHINE_HAS_NX (S390_lowcore.machine_flags & MACHINE_FLAG_NX)
+ #define MACHINE_HAS_GS (S390_lowcore.machine_flags & MACHINE_FLAG_GS)
+ #define MACHINE_HAS_SCC (S390_lowcore.machine_flags & MACHINE_FLAG_SCC)
++#define MACHINE_HAS_PCI_MIO (S390_lowcore.machine_flags & MACHINE_FLAG_PCI_MIO)
+
+ /*
+ * Console mode. Override with conmode=
+diff --git a/arch/s390/kernel/early.c b/arch/s390/kernel/early.c
+index 2531776cf6cf..eb89cb0aa60b 100644
+--- a/arch/s390/kernel/early.c
++++ b/arch/s390/kernel/early.c
+@@ -252,6 +252,10 @@ static __init void detect_machine_facilities(void)
+ clock_comparator_max = -1ULL >> 1;
+ __ctl_set_bit(0, 53);
+ }
++ if (IS_ENABLED(CONFIG_PCI) && test_facility(153)) {
++ S390_lowcore.machine_flags |= MACHINE_FLAG_PCI_MIO;
++ /* the control bit is set during PCI initialization */
++ }
+ }
+
+ static inline void save_vector_registers(void)
+diff --git a/arch/s390/pci/pci.c b/arch/s390/pci/pci.c
+index 6105b1b6e49b..b8ddacf1efe1 100644
+--- a/arch/s390/pci/pci.c
++++ b/arch/s390/pci/pci.c
+@@ -854,7 +854,6 @@ static void zpci_mem_exit(void)
+ }
+
+ static unsigned int s390_pci_probe __initdata = 1;
+-static unsigned int s390_pci_no_mio __initdata;
+ unsigned int s390_pci_force_floating __initdata;
+ static unsigned int s390_pci_initialized;
+
+@@ -865,7 +864,7 @@ char * __init pcibios_setup(char *str)
+ return NULL;
+ }
+ if (!strcmp(str, "nomio")) {
+- s390_pci_no_mio = 1;
++ S390_lowcore.machine_flags &= ~MACHINE_FLAG_PCI_MIO;
+ return NULL;
+ }
+ if (!strcmp(str, "force_floating")) {
+@@ -890,7 +889,7 @@ static int __init pci_base_init(void)
+ if (!test_facility(69) || !test_facility(71))
+ return 0;
+
+- if (test_facility(153) && !s390_pci_no_mio) {
++ if (MACHINE_HAS_PCI_MIO) {
+ static_branch_enable(&have_mio);
+ ctl_set_bit(2, 5);
+ }
+--
+2.30.2
+
--- /dev/null
+From c135fd62ee729e5cd0210e2d82a397556c157aac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jul 2021 04:10:55 +0000
+Subject: samples: bpf: Fix tracex7 error raised on the missing argument
+
+From: Juhee Kang <claudiajkang@gmail.com>
+
+[ Upstream commit 7d07006f05922b95518be403f08ef8437b67aa32 ]
+
+The current behavior of 'tracex7' doesn't consist with other bpf samples
+tracex{1..6}. Other samples do not require any argument to run with, but
+tracex7 should be run with btrfs device argument. (it should be executed
+with test_override_return.sh)
+
+Currently, tracex7 doesn't have any description about how to run this
+program and raises an unexpected error. And this result might be
+confusing since users might not have a hunch about how to run this
+program.
+
+ // Current behavior
+ # ./tracex7
+ sh: 1: Syntax error: word unexpected (expecting ")")
+ // Fixed behavior
+ # ./tracex7
+ ERROR: Run with the btrfs device argument!
+
+In order to fix this error, this commit adds logic to report a message
+and exit when running this program with a missing argument.
+
+Additionally in test_override_return.sh, there is a problem with
+multiple directory(tmpmnt) creation. So in this commit adds a line with
+removing the directory with every execution.
+
+Signed-off-by: Juhee Kang <claudiajkang@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/bpf/20210727041056.23455-1-claudiajkang@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/bpf/test_override_return.sh | 1 +
+ samples/bpf/tracex7_user.c | 5 +++++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/samples/bpf/test_override_return.sh b/samples/bpf/test_override_return.sh
+index e68b9ee6814b..35db26f736b9 100755
+--- a/samples/bpf/test_override_return.sh
++++ b/samples/bpf/test_override_return.sh
+@@ -1,5 +1,6 @@
+ #!/bin/bash
+
++rm -r tmpmnt
+ rm -f testfile.img
+ dd if=/dev/zero of=testfile.img bs=1M seek=1000 count=1
+ DEVICE=$(losetup --show -f testfile.img)
+diff --git a/samples/bpf/tracex7_user.c b/samples/bpf/tracex7_user.c
+index ea6dae78f0df..2ed13e9f3fcb 100644
+--- a/samples/bpf/tracex7_user.c
++++ b/samples/bpf/tracex7_user.c
+@@ -13,6 +13,11 @@ int main(int argc, char **argv)
+ char command[256];
+ int ret;
+
++ if (!argv[1]) {
++ fprintf(stderr, "ERROR: Run with the btrfs device argument!\n");
++ return 0;
++ }
++
+ snprintf(filename, sizeof(filename), "%s_kern.o", argv[0]);
+
+ if (load_bpf_file(filename)) {
+--
+2.30.2
+
--- /dev/null
+From 1703480c1074b25596b28fbc297d7ff91960ae8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Jul 2021 09:20:10 +0200
+Subject: scsi: bsg: Remove support for SCSI_IOCTL_SEND_COMMAND
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit beec64d0c9749afedf51c3c10cf52de1d9a89cc0 ]
+
+SCSI_IOCTL_SEND_COMMAND has been deprecated longer than bsg exists and has
+been warning for just as long. More importantly it harcodes SCSI CDBs and
+thus will do the wrong thing on non-SCSI bsg nodes.
+
+Link: https://lore.kernel.org/r/20210724072033.1284840-2-hch@lst.de
+Fixes: aa387cc89567 ("block: add bsg helper library")
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Acked-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bsg.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/block/bsg.c b/block/bsg.c
+index 0d012efef527..c8b9714e6923 100644
+--- a/block/bsg.c
++++ b/block/bsg.c
+@@ -371,10 +371,13 @@ static long bsg_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ case SG_GET_RESERVED_SIZE:
+ case SG_SET_RESERVED_SIZE:
+ case SG_EMULATED_HOST:
+- case SCSI_IOCTL_SEND_COMMAND:
+ return scsi_cmd_ioctl(bd->queue, NULL, file->f_mode, cmd, uarg);
+ case SG_IO:
+ return bsg_sg_io(bd->queue, file->f_mode, uarg);
++ case SCSI_IOCTL_SEND_COMMAND:
++ pr_warn_ratelimited("%s: calling unsupported SCSI_IOCTL_SEND_COMMAND\n",
++ current->comm);
++ return -EINVAL;
+ default:
+ return -ENOTTY;
+ }
+--
+2.30.2
+
--- /dev/null
+From 20c72f613bd709699d60704f710955f0e0461ccc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 11:26:25 +0800
+Subject: scsi: fdomain: Fix error return code in fdomain_probe()
+
+From: Wei Li <liwei391@huawei.com>
+
+[ Upstream commit 632c4ae6da1d629eddf9da1e692d7617c568c256 ]
+
+If request_region() fails the return value is not set. Return -EBUSY on
+error.
+
+Link: https://lore.kernel.org/r/20210715032625.1395495-1-liwei391@huawei.com
+Fixes: 8674a8aa2c39 ("scsi: fdomain: Add PCMCIA support")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wei Li <liwei391@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/pcmcia/fdomain_cs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/pcmcia/fdomain_cs.c b/drivers/scsi/pcmcia/fdomain_cs.c
+index e42acf314d06..33df6a9ba9b5 100644
+--- a/drivers/scsi/pcmcia/fdomain_cs.c
++++ b/drivers/scsi/pcmcia/fdomain_cs.c
+@@ -45,8 +45,10 @@ static int fdomain_probe(struct pcmcia_device *link)
+ goto fail_disable;
+
+ if (!request_region(link->resource[0]->start, FDOMAIN_REGION_SIZE,
+- "fdomain_cs"))
++ "fdomain_cs")) {
++ ret = -EBUSY;
+ goto fail_disable;
++ }
+
+ sh = fdomain_create(link->resource[0]->start, link->irq, 7, &link->dev);
+ if (!sh) {
+--
+2.30.2
+
--- /dev/null
+From b7170e0aa5d31ef8b4930f220a3034127d3f83ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 11:51:49 +0300
+Subject: scsi: qedf: Fix error codes in qedf_alloc_global_queues()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit ccc89737aa6b9f248cf1623014038beb6c2b7f56 ]
+
+This driver has some left over "return 1" on failure style code mixed with
+"return negative error codes" style code. The caller doesn't care so we
+should just convert everything to return negative error codes.
+
+Then there was a problem that there were two variables used to store error
+codes which just resulted in confusion. If qedf_alloc_bdq() returned a
+negative error code, we accidentally returned success instead of
+propagating the error code. So get rid of the "rc" variable and use
+"status" every where.
+
+Also remove the "status = 0" initialization so that these sorts of bugs
+will be detected by the compiler in the future.
+
+Link: https://lore.kernel.org/r/20210810085023.GA23998@kili
+Fixes: 61d8658b4a43 ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.")
+Acked-by: Manish Rangankar <mrangankar@marvell.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qedf/qedf_main.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c
+index 7a6306f8483e..c95e04cc6424 100644
+--- a/drivers/scsi/qedf/qedf_main.c
++++ b/drivers/scsi/qedf/qedf_main.c
+@@ -2894,7 +2894,7 @@ static int qedf_alloc_global_queues(struct qedf_ctx *qedf)
+ {
+ u32 *list;
+ int i;
+- int status = 0, rc;
++ int status;
+ u32 *pbl;
+ dma_addr_t page;
+ int num_pages;
+@@ -2906,7 +2906,7 @@ static int qedf_alloc_global_queues(struct qedf_ctx *qedf)
+ */
+ if (!qedf->num_queues) {
+ QEDF_ERR(&(qedf->dbg_ctx), "No MSI-X vectors available!\n");
+- return 1;
++ return -ENOMEM;
+ }
+
+ /*
+@@ -2914,7 +2914,7 @@ static int qedf_alloc_global_queues(struct qedf_ctx *qedf)
+ * addresses of our queues
+ */
+ if (!qedf->p_cpuq) {
+- status = 1;
++ status = -EINVAL;
+ QEDF_ERR(&qedf->dbg_ctx, "p_cpuq is NULL.\n");
+ goto mem_alloc_failure;
+ }
+@@ -2930,8 +2930,8 @@ static int qedf_alloc_global_queues(struct qedf_ctx *qedf)
+ "qedf->global_queues=%p.\n", qedf->global_queues);
+
+ /* Allocate DMA coherent buffers for BDQ */
+- rc = qedf_alloc_bdq(qedf);
+- if (rc) {
++ status = qedf_alloc_bdq(qedf);
++ if (status) {
+ QEDF_ERR(&qedf->dbg_ctx, "Unable to allocate bdq.\n");
+ goto mem_alloc_failure;
+ }
+--
+2.30.2
+
--- /dev/null
+From e147ae4a759bad4168bf22444de3c92439e79ed8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 11:47:53 +0300
+Subject: scsi: qedi: Fix error codes in qedi_alloc_global_queues()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 4dbe57d46d54a847875fa33e7d05877bb341585e ]
+
+This function had some left over code that returned 1 on error instead
+negative error codes. Convert everything to use negative error codes. The
+caller treats all non-zero returns the same so this does not affect run
+time.
+
+A couple places set "rc" instead of "status" so those error paths ended up
+returning success by mistake. Get rid of the "rc" variable and use
+"status" everywhere.
+
+Remove the bogus "status = 0" initialization, as a future proofing measure
+so the compiler will warn about uninitialized error codes.
+
+Link: https://lore.kernel.org/r/20210810084753.GD23810@kili
+Fixes: ace7f46ba5fd ("scsi: qedi: Add QLogic FastLinQ offload iSCSI driver framework.")
+Acked-by: Manish Rangankar <mrangankar@marvell.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qedi/qedi_main.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/scsi/qedi/qedi_main.c b/drivers/scsi/qedi/qedi_main.c
+index 1ec42c5f0b2a..92c4a367b7bd 100644
+--- a/drivers/scsi/qedi/qedi_main.c
++++ b/drivers/scsi/qedi/qedi_main.c
+@@ -1553,7 +1553,7 @@ static int qedi_alloc_global_queues(struct qedi_ctx *qedi)
+ {
+ u32 *list;
+ int i;
+- int status = 0, rc;
++ int status;
+ u32 *pbl;
+ dma_addr_t page;
+ int num_pages;
+@@ -1564,14 +1564,14 @@ static int qedi_alloc_global_queues(struct qedi_ctx *qedi)
+ */
+ if (!qedi->num_queues) {
+ QEDI_ERR(&qedi->dbg_ctx, "No MSI-X vectors available!\n");
+- return 1;
++ return -ENOMEM;
+ }
+
+ /* Make sure we allocated the PBL that will contain the physical
+ * addresses of our queues
+ */
+ if (!qedi->p_cpuq) {
+- status = 1;
++ status = -EINVAL;
+ goto mem_alloc_failure;
+ }
+
+@@ -1586,13 +1586,13 @@ static int qedi_alloc_global_queues(struct qedi_ctx *qedi)
+ "qedi->global_queues=%p.\n", qedi->global_queues);
+
+ /* Allocate DMA coherent buffers for BDQ */
+- rc = qedi_alloc_bdq(qedi);
+- if (rc)
++ status = qedi_alloc_bdq(qedi);
++ if (status)
+ goto mem_alloc_failure;
+
+ /* Allocate DMA coherent buffers for NVM_ISCSI_CFG */
+- rc = qedi_alloc_nvm_iscsi_cfg(qedi);
+- if (rc)
++ status = qedi_alloc_nvm_iscsi_cfg(qedi);
++ if (status)
+ goto mem_alloc_failure;
+
+ /* Allocate a CQ and an associated PBL for each MSI-X
+--
+2.30.2
+
--- /dev/null
+From 7df89a15d448069f8979f2e5ccf6fde91e843f37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 11:46:13 +0300
+Subject: scsi: smartpqi: Fix an error code in pqi_get_raid_map()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit d1f6581a6796c4e9fd8a4a24e8b77463d18f0df1 ]
+
+Return -EINVAL on failure instead of success.
+
+Link: https://lore.kernel.org/r/20210810084613.GB23810@kili
+Fixes: a91aaae0243b ("scsi: smartpqi: allow for larger raid maps")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/smartpqi/smartpqi_init.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c
+index 9bc451004184..80ff00025c03 100644
+--- a/drivers/scsi/smartpqi/smartpqi_init.c
++++ b/drivers/scsi/smartpqi/smartpqi_init.c
+@@ -1192,6 +1192,7 @@ static int pqi_get_raid_map(struct pqi_ctrl_info *ctrl_info,
+ "Requested %d bytes, received %d bytes",
+ raid_map_size,
+ get_unaligned_le32(&raid_map->structure_size));
++ rc = -EINVAL;
+ goto error;
+ }
+ }
+--
+2.30.2
+
--- /dev/null
+From c4ebecdc62fd1cc9cf7ea8f6dc2f9df47e7292a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Mar 2020 15:19:52 +0100
+Subject: scsi: target: avoid per-loop XCOPY buffer allocations
+
+From: David Disseldorp <ddiss@suse.de>
+
+[ Upstream commit 0ad08996da05b6b735d4963dceab7d2a4043607c ]
+
+The main target_xcopy_do_work() loop unnecessarily allocates an I/O buffer
+with each synchronous READ / WRITE pair. This commit significantly reduces
+allocations by reusing the XCOPY I/O buffer when possible.
+
+Link: https://lore.kernel.org/r/20200327141954.955-4-ddiss@suse.de
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: David Disseldorp <ddiss@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/target_core_xcopy.c | 96 ++++++++++--------------------
+ drivers/target/target_core_xcopy.h | 1 +
+ 2 files changed, 31 insertions(+), 66 deletions(-)
+
+diff --git a/drivers/target/target_core_xcopy.c b/drivers/target/target_core_xcopy.c
+index 596ad3edec9c..48fabece7644 100644
+--- a/drivers/target/target_core_xcopy.c
++++ b/drivers/target/target_core_xcopy.c
+@@ -533,7 +533,6 @@ void target_xcopy_release_pt(void)
+ * @cdb: SCSI CDB to be copied into @xpt_cmd.
+ * @remote_port: If false, use the LUN through which the XCOPY command has
+ * been received. If true, use @se_dev->xcopy_lun.
+- * @alloc_mem: Whether or not to allocate an SGL list.
+ *
+ * Set up a SCSI command (READ or WRITE) that will be used to execute an
+ * XCOPY command.
+@@ -543,12 +542,9 @@ static int target_xcopy_setup_pt_cmd(
+ struct xcopy_op *xop,
+ struct se_device *se_dev,
+ unsigned char *cdb,
+- bool remote_port,
+- bool alloc_mem)
++ bool remote_port)
+ {
+ struct se_cmd *cmd = &xpt_cmd->se_cmd;
+- sense_reason_t sense_rc;
+- int ret = 0, rc;
+
+ /*
+ * Setup LUN+port to honor reservations based upon xop->op_origin for
+@@ -564,46 +560,17 @@ static int target_xcopy_setup_pt_cmd(
+ cmd->se_cmd_flags |= SCF_SE_LUN_CMD;
+
+ cmd->tag = 0;
+- sense_rc = target_setup_cmd_from_cdb(cmd, cdb);
+- if (sense_rc) {
+- ret = -EINVAL;
+- goto out;
+- }
++ if (target_setup_cmd_from_cdb(cmd, cdb))
++ return -EINVAL;
+
+- if (alloc_mem) {
+- rc = target_alloc_sgl(&cmd->t_data_sg, &cmd->t_data_nents,
+- cmd->data_length, false, false);
+- if (rc < 0) {
+- ret = rc;
+- goto out;
+- }
+- /*
+- * Set this bit so that transport_free_pages() allows the
+- * caller to release SGLs + physical memory allocated by
+- * transport_generic_get_mem()..
+- */
+- cmd->se_cmd_flags |= SCF_PASSTHROUGH_SG_TO_MEM_NOALLOC;
+- } else {
+- /*
+- * Here the previously allocated SGLs for the internal READ
+- * are mapped zero-copy to the internal WRITE.
+- */
+- sense_rc = transport_generic_map_mem_to_cmd(cmd,
+- xop->xop_data_sg, xop->xop_data_nents,
+- NULL, 0);
+- if (sense_rc) {
+- ret = -EINVAL;
+- goto out;
+- }
++ if (transport_generic_map_mem_to_cmd(cmd, xop->xop_data_sg,
++ xop->xop_data_nents, NULL, 0))
++ return -EINVAL;
+
+- pr_debug("Setup PASSTHROUGH_NOALLOC t_data_sg: %p t_data_nents:"
+- " %u\n", cmd->t_data_sg, cmd->t_data_nents);
+- }
++ pr_debug("Setup PASSTHROUGH_NOALLOC t_data_sg: %p t_data_nents:"
++ " %u\n", cmd->t_data_sg, cmd->t_data_nents);
+
+ return 0;
+-
+-out:
+- return ret;
+ }
+
+ static int target_xcopy_issue_pt_cmd(struct xcopy_pt_cmd *xpt_cmd)
+@@ -660,15 +627,13 @@ static int target_xcopy_read_source(
+ xop->src_pt_cmd = xpt_cmd;
+
+ rc = target_xcopy_setup_pt_cmd(xpt_cmd, xop, src_dev, &cdb[0],
+- remote_port, true);
++ remote_port);
+ if (rc < 0) {
+ ec_cmd->scsi_status = xpt_cmd->se_cmd.scsi_status;
+ transport_generic_free_cmd(se_cmd, 0);
+ return rc;
+ }
+
+- xop->xop_data_sg = se_cmd->t_data_sg;
+- xop->xop_data_nents = se_cmd->t_data_nents;
+ pr_debug("XCOPY-READ: Saved xop->xop_data_sg: %p, num: %u for READ"
+ " memory\n", xop->xop_data_sg, xop->xop_data_nents);
+
+@@ -678,12 +643,6 @@ static int target_xcopy_read_source(
+ transport_generic_free_cmd(se_cmd, 0);
+ return rc;
+ }
+- /*
+- * Clear off the allocated t_data_sg, that has been saved for
+- * zero-copy WRITE submission reuse in struct xcopy_op..
+- */
+- se_cmd->t_data_sg = NULL;
+- se_cmd->t_data_nents = 0;
+
+ return 0;
+ }
+@@ -722,19 +681,9 @@ static int target_xcopy_write_destination(
+ xop->dst_pt_cmd = xpt_cmd;
+
+ rc = target_xcopy_setup_pt_cmd(xpt_cmd, xop, dst_dev, &cdb[0],
+- remote_port, false);
++ remote_port);
+ if (rc < 0) {
+- struct se_cmd *src_cmd = &xop->src_pt_cmd->se_cmd;
+ ec_cmd->scsi_status = xpt_cmd->se_cmd.scsi_status;
+- /*
+- * If the failure happened before the t_mem_list hand-off in
+- * target_xcopy_setup_pt_cmd(), Reset memory + clear flag so that
+- * core releases this memory on error during X-COPY WRITE I/O.
+- */
+- src_cmd->se_cmd_flags &= ~SCF_PASSTHROUGH_SG_TO_MEM_NOALLOC;
+- src_cmd->t_data_sg = xop->xop_data_sg;
+- src_cmd->t_data_nents = xop->xop_data_nents;
+-
+ transport_generic_free_cmd(se_cmd, 0);
+ return rc;
+ }
+@@ -742,7 +691,6 @@ static int target_xcopy_write_destination(
+ rc = target_xcopy_issue_pt_cmd(xpt_cmd);
+ if (rc < 0) {
+ ec_cmd->scsi_status = xpt_cmd->se_cmd.scsi_status;
+- se_cmd->se_cmd_flags &= ~SCF_PASSTHROUGH_SG_TO_MEM_NOALLOC;
+ transport_generic_free_cmd(se_cmd, 0);
+ return rc;
+ }
+@@ -758,7 +706,7 @@ static void target_xcopy_do_work(struct work_struct *work)
+ sector_t src_lba, dst_lba, end_lba;
+ unsigned int max_sectors;
+ int rc = 0;
+- unsigned short nolb, cur_nolb, max_nolb, copied_nolb = 0;
++ unsigned short nolb, max_nolb, copied_nolb = 0;
+
+ if (target_parse_xcopy_cmd(xop) != TCM_NO_SENSE)
+ goto err_free;
+@@ -788,7 +736,23 @@ static void target_xcopy_do_work(struct work_struct *work)
+ (unsigned long long)src_lba, (unsigned long long)dst_lba);
+
+ while (src_lba < end_lba) {
+- cur_nolb = min(nolb, max_nolb);
++ unsigned short cur_nolb = min(nolb, max_nolb);
++ u32 cur_bytes = cur_nolb * src_dev->dev_attrib.block_size;
++
++ if (cur_bytes != xop->xop_data_bytes) {
++ /*
++ * (Re)allocate a buffer large enough to hold the XCOPY
++ * I/O size, which can be reused each read / write loop.
++ */
++ target_free_sgl(xop->xop_data_sg, xop->xop_data_nents);
++ rc = target_alloc_sgl(&xop->xop_data_sg,
++ &xop->xop_data_nents,
++ cur_bytes,
++ false, false);
++ if (rc < 0)
++ goto out;
++ xop->xop_data_bytes = cur_bytes;
++ }
+
+ pr_debug("target_xcopy_do_work: Calling read src_dev: %p src_lba: %llu,"
+ " cur_nolb: %hu\n", src_dev, (unsigned long long)src_lba, cur_nolb);
+@@ -819,12 +783,11 @@ static void target_xcopy_do_work(struct work_struct *work)
+ nolb -= cur_nolb;
+
+ transport_generic_free_cmd(&xop->src_pt_cmd->se_cmd, 0);
+- xop->dst_pt_cmd->se_cmd.se_cmd_flags &= ~SCF_PASSTHROUGH_SG_TO_MEM_NOALLOC;
+-
+ transport_generic_free_cmd(&xop->dst_pt_cmd->se_cmd, 0);
+ }
+
+ xcopy_pt_undepend_remotedev(xop);
++ target_free_sgl(xop->xop_data_sg, xop->xop_data_nents);
+ kfree(xop);
+
+ pr_debug("target_xcopy_do_work: Final src_lba: %llu, dst_lba: %llu\n",
+@@ -838,6 +801,7 @@ static void target_xcopy_do_work(struct work_struct *work)
+
+ out:
+ xcopy_pt_undepend_remotedev(xop);
++ target_free_sgl(xop->xop_data_sg, xop->xop_data_nents);
+
+ err_free:
+ kfree(xop);
+diff --git a/drivers/target/target_core_xcopy.h b/drivers/target/target_core_xcopy.h
+index 974bc1e19ff2..a1805a14eea0 100644
+--- a/drivers/target/target_core_xcopy.h
++++ b/drivers/target/target_core_xcopy.h
+@@ -41,6 +41,7 @@ struct xcopy_op {
+ struct xcopy_pt_cmd *src_pt_cmd;
+ struct xcopy_pt_cmd *dst_pt_cmd;
+
++ u32 xop_data_bytes;
+ u32 xop_data_nents;
+ struct scatterlist *xop_data_sg;
+ struct work_struct xop_work;
+--
+2.30.2
+
--- /dev/null
+From a16d5657235ed14f31449f12e6ec5543e13ff93f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Aug 2021 09:55:53 +0800
+Subject: selftests/bpf: Enlarge select() timeout for test_maps
+
+From: Li Zhijian <lizhijian@cn.fujitsu.com>
+
+[ Upstream commit 2d82d73da35b72b53fe0d96350a2b8d929d07e42 ]
+
+0Day robot observed that it's easily timeout on a heavy load host.
+-------------------
+ # selftests: bpf: test_maps
+ # Fork 1024 tasks to 'test_update_delete'
+ # Fork 1024 tasks to 'test_update_delete'
+ # Fork 100 tasks to 'test_hashmap'
+ # Fork 100 tasks to 'test_hashmap_percpu'
+ # Fork 100 tasks to 'test_hashmap_sizes'
+ # Fork 100 tasks to 'test_hashmap_walk'
+ # Fork 100 tasks to 'test_arraymap'
+ # Fork 100 tasks to 'test_arraymap_percpu'
+ # Failed sockmap unexpected timeout
+ not ok 3 selftests: bpf: test_maps # exit=1
+ # selftests: bpf: test_lru_map
+ # nr_cpus:8
+-------------------
+Since this test will be scheduled by 0Day to a random host that could have
+only a few cpus(2-8), enlarge the timeout to avoid a false NG report.
+
+In practice, i tried to pin it to only one cpu by 'taskset 0x01 ./test_maps',
+and knew 10S is likely enough, but i still perfer to a larger value 30.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Li Zhijian <lizhijian@cn.fujitsu.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Song Liu <songliubraving@fb.com>
+Link: https://lore.kernel.org/bpf/20210820015556.23276-2-lizhijian@cn.fujitsu.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_maps.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/test_maps.c b/tools/testing/selftests/bpf/test_maps.c
+index 1c4219ceced2..45c7a55f0b8b 100644
+--- a/tools/testing/selftests/bpf/test_maps.c
++++ b/tools/testing/selftests/bpf/test_maps.c
+@@ -972,7 +972,7 @@ static void test_sockmap(unsigned int tasks, void *data)
+
+ FD_ZERO(&w);
+ FD_SET(sfd[3], &w);
+- to.tv_sec = 1;
++ to.tv_sec = 30;
+ to.tv_usec = 0;
+ s = select(sfd[3] + 1, &w, NULL, NULL, &to);
+ if (s == -1) {
+--
+2.30.2
+
--- /dev/null
+From df1f503f08ac284aeb7d9b3dc9758904c3945a74 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 31 Jul 2021 05:57:37 +0000
+Subject: selftests/bpf: Fix xdp_tx.c prog section name
+
+From: Jussi Maki <joamaki@gmail.com>
+
+[ Upstream commit 95413846cca37f20000dd095cf6d91f8777129d7 ]
+
+The program type cannot be deduced from 'tx' which causes an invalid
+argument error when trying to load xdp_tx.o using the skeleton.
+Rename the section name to "xdp" so that libbpf can deduce the type.
+
+Signed-off-by: Jussi Maki <joamaki@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20210731055738.16820-7-joamaki@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/progs/xdp_tx.c | 2 +-
+ tools/testing/selftests/bpf/test_xdp_veth.sh | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/progs/xdp_tx.c b/tools/testing/selftests/bpf/progs/xdp_tx.c
+index 57912e7c94b0..9ed477776eca 100644
+--- a/tools/testing/selftests/bpf/progs/xdp_tx.c
++++ b/tools/testing/selftests/bpf/progs/xdp_tx.c
+@@ -3,7 +3,7 @@
+ #include <linux/bpf.h>
+ #include "bpf_helpers.h"
+
+-SEC("tx")
++SEC("xdp")
+ int xdp_tx(struct xdp_md *xdp)
+ {
+ return XDP_TX;
+diff --git a/tools/testing/selftests/bpf/test_xdp_veth.sh b/tools/testing/selftests/bpf/test_xdp_veth.sh
+index ba8ffcdaac30..995278e684b6 100755
+--- a/tools/testing/selftests/bpf/test_xdp_veth.sh
++++ b/tools/testing/selftests/bpf/test_xdp_veth.sh
+@@ -108,7 +108,7 @@ ip link set dev veth2 xdp pinned $BPF_DIR/progs/redirect_map_1
+ ip link set dev veth3 xdp pinned $BPF_DIR/progs/redirect_map_2
+
+ ip -n ns1 link set dev veth11 xdp obj xdp_dummy.o sec xdp_dummy
+-ip -n ns2 link set dev veth22 xdp obj xdp_tx.o sec tx
++ip -n ns2 link set dev veth22 xdp obj xdp_tx.o sec xdp
+ ip -n ns3 link set dev veth33 xdp obj xdp_dummy.o sec xdp_dummy
+
+ trap cleanup EXIT
+--
+2.30.2
+
--- /dev/null
+From a3a87178bc034e08d292d963d60417575072f54c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Jun 2021 06:11:51 +0200
+Subject: serial: 8250: Define RX trigger levels for OxSemi 950 devices
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+[ Upstream commit d7aff291d069c4418285f3c8ee27b0ff67ce5998 ]
+
+Oxford Semiconductor 950 serial port devices have a 128-byte FIFO and in
+the enhanced (650) mode, which we select in `autoconfig_has_efr' with
+the ECB bit set in the EFR register, they support the receive interrupt
+trigger level selectable with FCR bits 7:6 from the set of 16, 32, 112,
+120. This applies to the original OX16C950 discrete UART[1] as well as
+950 cores embedded into more complex devices.
+
+For these devices we set the default to 112, which sets an excessively
+high level of 112 or 7/8 of the FIFO capacity, unlike with other port
+types where we choose at most 1/2 of their respective FIFO capacities.
+Additionally we don't make the trigger level configurable. Consequently
+frequent input overruns happen with high bit rates where hardware flow
+control cannot be used (e.g. terminal applications) even with otherwise
+highly-performant systems.
+
+Lower the default receive interrupt trigger level to 32 then, and make
+it configurable. Document the trigger levels along with other port
+types, including the set of 16, 32, 64, 112 for the transmit interrupt
+as well[2].
+
+References:
+
+[1] "OX16C950 rev B High Performance UART with 128 byte FIFOs", Oxford
+ Semiconductor, Inc., DS-0031, Sep 05, Table 10: "Receiver Trigger
+ Levels", p. 22
+
+[2] same, Table 9: "Transmit Interrupt Trigger Levels", p. 22
+
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Link: https://lore.kernel.org/r/alpine.DEB.2.21.2106260608480.37803@angie.orcam.me.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_port.c | 3 ++-
+ include/uapi/linux/serial_reg.h | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c
+index 8a7c6d65f10e..777ef1a9591c 100644
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -125,7 +125,8 @@ static const struct serial8250_config uart_config[] = {
+ .name = "16C950/954",
+ .fifo_size = 128,
+ .tx_loadsz = 128,
+- .fcr = UART_FCR_ENABLE_FIFO | UART_FCR_R_TRIG_10,
++ .fcr = UART_FCR_ENABLE_FIFO | UART_FCR_R_TRIG_01,
++ .rxtrig_bytes = {16, 32, 112, 120},
+ /* UART_CAP_EFR breaks billionon CF bluetooth card. */
+ .flags = UART_CAP_FIFO | UART_CAP_SLEEP,
+ },
+diff --git a/include/uapi/linux/serial_reg.h b/include/uapi/linux/serial_reg.h
+index be07b5470f4b..f51bc8f36813 100644
+--- a/include/uapi/linux/serial_reg.h
++++ b/include/uapi/linux/serial_reg.h
+@@ -62,6 +62,7 @@
+ * ST16C654: 8 16 56 60 8 16 32 56 PORT_16654
+ * TI16C750: 1 16 32 56 xx xx xx xx PORT_16750
+ * TI16C752: 8 16 56 60 8 16 32 56
++ * OX16C950: 16 32 112 120 16 32 64 112 PORT_16C950
+ * Tegra: 1 4 8 14 16 8 4 1 PORT_TEGRA
+ */
+ #define UART_FCR_R_TRIG_00 0x00
+--
+2.30.2
+
--- /dev/null
+From 24fc7a881e716eed8520fd3362f86b3db9e612d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jul 2021 15:07:17 +0200
+Subject: serial: 8250_pci: make setup_port() parameters explicitly unsigned
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+[ Upstream commit 3a96e97ab4e835078e6f27b7e1c0947814df3841 ]
+
+The bar and offset parameters to setup_port() are used in pointer math,
+and while it would be very difficult to get them to wrap as a negative
+number, just be "safe" and make them unsigned so that static checkers do
+not trip over them unintentionally.
+
+Cc: Jiri Slaby <jirislaby@kernel.org>
+Reported-by: Jordy Zomer <jordy@pwning.systems>
+Link: https://lore.kernel.org/r/20210726130717.2052096-1-gregkh@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c
+index 43fc5b6a25d3..a2bb103f22fc 100644
+--- a/drivers/tty/serial/8250/8250_pci.c
++++ b/drivers/tty/serial/8250/8250_pci.c
+@@ -89,7 +89,7 @@ static void moan_device(const char *str, struct pci_dev *dev)
+
+ static int
+ setup_port(struct serial_private *priv, struct uart_8250_port *port,
+- int bar, int offset, int regshift)
++ u8 bar, unsigned int offset, int regshift)
+ {
+ struct pci_dev *dev = priv->dev;
+
+--
+2.30.2
+
--- /dev/null
+From e669fab326d8395f190d8521870341806ffbbad2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Aug 2021 18:22:01 +0200
+Subject: serial: sh-sci: fix break handling for sysrq
+
+From: Ulrich Hecht <uli+renesas@fpond.eu>
+
+[ Upstream commit 87b8061bad9bd4b549b2daf36ffbaa57be2789a2 ]
+
+This fixes two issues that cause the sysrq sequence to be inadvertently
+aborted on SCIF serial consoles:
+
+- a NUL character remains in the RX queue after a break has been detected,
+ which is then passed on to uart_handle_sysrq_char()
+- the break interrupt is handled twice on controllers with multiplexed ERI
+ and BRI interrupts
+
+Signed-off-by: Ulrich Hecht <uli+renesas@fpond.eu>
+Link: https://lore.kernel.org/r/20210816162201.28801-1-uli+renesas@fpond.eu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/sh-sci.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c
+index 97ee1fc1cd24..ecff9b208808 100644
+--- a/drivers/tty/serial/sh-sci.c
++++ b/drivers/tty/serial/sh-sci.c
+@@ -1763,6 +1763,10 @@ static irqreturn_t sci_br_interrupt(int irq, void *ptr)
+
+ /* Handle BREAKs */
+ sci_handle_breaks(port);
++
++ /* drop invalid character received before break was detected */
++ serial_port_in(port, SCxRDR);
++
+ sci_clear_SCxSR(port, SCxSR_BREAK_CLEAR(port));
+
+ return IRQ_HANDLED;
+@@ -1842,7 +1846,8 @@ static irqreturn_t sci_mpxed_interrupt(int irq, void *ptr)
+ ret = sci_er_interrupt(irq, ptr);
+
+ /* Break Interrupt */
+- if ((ssr_status & SCxSR_BRK(port)) && err_enabled)
++ if (s->irqs[SCIx_ERI_IRQ] != s->irqs[SCIx_BRI_IRQ] &&
++ (ssr_status & SCxSR_BRK(port)) && err_enabled)
+ ret = sci_br_interrupt(irq, ptr);
+
+ /* Overrun Interrupt */
+--
+2.30.2
+
pci-aardvark-increase-polling-delay-to-1.5s-while-waiting-for-pio-response.patch
pci-aardvark-fix-masking-and-unmasking-legacy-intx-interrupts.patch
revert-bluetooth-move-shutdown-callback-before-flush.patch
+hid-input-do-not-report-stylus-battery-state-as-full.patch
+f2fs-quota-fix-potential-deadlock.patch
+scsi-bsg-remove-support-for-scsi_ioctl_send_command.patch
+ib-hfi1-adjust-pkey-entry-in-index-0.patch
+rdma-iwcm-release-resources-if-iw_cm-module-initiali.patch
+docs-fix-infiniband-uverbs-minor-number.patch
+pinctrl-samsung-fix-pinctrl-bank-pin-count.patch
+vfio-use-config-not-menuconfig-for-vfio_noiommu.patch
+powerpc-stacktrace-include-linux-delay.h.patch
+rdma-efa-remove-double-qp-type-assignment.patch
+f2fs-show-f2fs-instance-in-printk_ratelimited.patch
+f2fs-reduce-the-scope-of-setting-fsck-tag-when-de-na.patch
+openrisc-don-t-printk-unconditionally.patch
+dma-debug-fix-debugfs-initialization-order.patch
+sunrpc-fix-potential-memory-corruption.patch
+scsi-fdomain-fix-error-return-code-in-fdomain_probe.patch
+pinctrl-single-fix-error-return-code-in-pcs_parse_bi.patch
+scsi-smartpqi-fix-an-error-code-in-pqi_get_raid_map.patch
+scsi-qedi-fix-error-codes-in-qedi_alloc_global_queue.patch
+scsi-qedf-fix-error-codes-in-qedf_alloc_global_queue.patch
+powerpc-config-renable-mtd_physmap_of.patch
+scsi-target-avoid-per-loop-xcopy-buffer-allocations.patch
+hid-i2c-hid-fix-elan-touchpad-regression.patch
+kvm-ppc-book3s-hv-nested-reflect-guest-pmu-in-use-to.patch
+platform-x86-dell-smbios-wmi-add-missing-kfree-in-er.patch
+fscache-fix-cookie-key-hashing.patch
+clk-at91-sam9x60-don-t-use-audio-pll.patch
+clk-at91-clk-generated-pass-the-id-of-changeable-par.patch
+clk-at91-clk-generated-limit-the-requested-rate-to-o.patch
+kvm-ppc-fix-clearing-never-mapped-tces-in-realmode.patch
+f2fs-fix-to-account-missing-.skipped_gc_rwsem.patch
+f2fs-fix-unexpected-enoent-comes-from-f2fs_map_block.patch
+f2fs-fix-to-unmap-pages-from-userspace-process-in-pu.patch
+mips-malta-fix-alignment-of-the-devicetree-buffer.patch
+kbuild-fix-no-symbols-warning-when-config_trim_unusd.patch
+userfaultfd-prevent-concurrent-api-initialization.patch
+drm-amdgpu-fix-amdgpu_ras_eeprom_init.patch
+asoc-atmel-atmel-drivers-don-t-need-has_dma.patch
+media-dib8000-rewrite-the-init-prbs-logic.patch
+crypto-mxs-dcp-use-sg_mapping_iter-to-copy-data.patch
+pci-use-pci_update_current_state-in-pci_enable_devic.patch
+tipc-keep-the-skb-in-rcv-queue-until-the-whole-data-.patch
+iio-dac-ad5624r-fix-incorrect-handling-of-an-optiona.patch
+iavf-do-not-override-the-adapter-state-in-the-watchd.patch
+iavf-fix-locking-of-critical-sections.patch
+arm-dts-qcom-apq8064-correct-clock-names.patch
+video-fbdev-kyro-fix-a-dos-bug-by-restricting-user-i.patch
+netlink-deal-with-esrch-error-in-nlmsg_notify.patch
+smack-fix-wrong-semantics-in-smk_access_entry.patch
+drm-avoid-blocking-in-drm_clients_info-s-rcu-section.patch
+igc-check-if-num-of-q_vectors-is-smaller-than-max-be.patch
+usb-host-fotg210-fix-the-endpoint-s-transactional-op.patch
+usb-host-fotg210-fix-the-actual_length-of-an-iso-pac.patch
+usb-gadget-u_ether-fix-a-potential-null-pointer-dere.patch
+usb-ehci-ehci-mv-improve-error-handling-in-mv_ehci_e.patch
+usb-gadget-composite-allow-bmaxpower-0-if-self-power.patch
+staging-board-fix-uninitialized-spinlock-when-attach.patch
+tty-serial-jsm-hold-port-lock-when-reporting-modem-l.patch
+drm-amd-display-fix-timer_per_pixel-unit-error.patch
+spi-imx-fix-err009165.patch
+drm-amd-amdgpu-update-debugfs-link_settings-output-l.patch
+bpf-tests-fix-copy-and-paste-error-in-double-word-te.patch
+bpf-tests-do-not-pass-tests-without-actually-testing.patch
+video-fbdev-asiliantfb-error-out-if-pixclock-equals-.patch
+video-fbdev-kyro-error-out-if-pixclock-equals-zero.patch
+video-fbdev-riva-error-out-if-pixclock-equals-zero.patch
+ipv4-ip_output.c-fix-out-of-bounds-warning-in-ip_cop.patch
+flow_dissector-fix-out-of-bounds-warnings.patch
+s390-jump_label-print-real-address-in-a-case-of-a-ju.patch
+s390-make-pci-mio-support-a-machine-flag.patch
+serial-8250-define-rx-trigger-levels-for-oxsemi-950-.patch
+xtensa-iss-don-t-panic-in-rs_init.patch
+hvsi-don-t-panic-on-tty_register_driver-failure.patch
+serial-8250_pci-make-setup_port-parameters-explicitl.patch
+staging-ks7010-fix-the-initialization-of-the-sleep_s.patch
+samples-bpf-fix-tracex7-error-raised-on-the-missing-.patch
+ata-sata_dwc_460ex-no-need-to-call-phy_exit-befre-ph.patch
+bluetooth-skip-invalid-hci_sync_conn_complete_evt.patch
+workqueue-fix-possible-memory-leaks-in-wq_numa_init.patch
+bonding-3ad-fix-the-concurrency-between-__bond_relea.patch
+arm64-tegra-fix-tegra194-pcie-ep-compatible-string.patch
+asoc-intel-bytcr_rt5640-move-platform-clock-routes-t.patch
+bpf-fix-off-by-one-in-tail-call-count-limiting.patch
+media-imx258-rectify-mismatch-of-vts-value.patch
+media-imx258-limit-the-max-analogue-gain-to-480.patch
+media-v4l2-dv-timings.c-fix-wrong-condition-in-two-f.patch
+media-tda1997x-fix-tda1997x_query_dv_timings-return-.patch
+media-tegra-cec-handle-errors-of-clk_prepare_enable.patch
+arm-dts-imx53-ppd-fix-achc-entry.patch
+arm64-dts-qcom-sdm660-use-reg-value-for-memory-node.patch
+net-ethernet-stmmac-do-not-use-unreachable-in-ipq806.patch
+drm-msm-mdp4-drop-vblank-get-put-from-prepare-comple.patch
+selftests-bpf-fix-xdp_tx.c-prog-section-name.patch
+bluetooth-schedule-sco-timeouts-with-delayed_work.patch
+bluetooth-avoid-circular-locks-in-sco_sock_connect.patch
+net-mlx5-fix-variable-type-to-match-64bit.patch
+gpu-drm-amd-amdgpu-amdgpu_i2c-fix-possible-uninitial.patch
+drm-display-fix-possible-null-pointer-dereference-in.patch
+mac80211-fix-monitor-mtu-limit-so-that-a-msdus-get-t.patch
+arm-tegra-tamonten-fix-uart-pad-setting.patch
+arm64-tegra-fix-compatible-string-for-tegra132-cpus.patch
+arm64-dts-ls1046a-fix-eeprom-entries.patch
+nvme-tcp-don-t-check-blk_mq_tag_to_rq-when-receiving.patch
+bluetooth-fix-handling-of-le-enhanced-connection-com.patch
+opp-don-t-print-an-error-if-required-opps-is-missing.patch
+serial-sh-sci-fix-break-handling-for-sysrq.patch
+tcp-enable-data-less-empty-cookie-syn-with-tfo_serve.patch
+rpc-fix-gss_svc_init-cleanup-on-failure.patch
+staging-rts5208-fix-get_ms_information-heap-buffer-s.patch
+gfs2-don-t-call-dlm-after-protocol-is-unmounted.patch
+usb-chipidea-host-fix-port-index-underflow-and-ubsan.patch
+lockd-lockd-server-side-shouldn-t-set-fl_ops.patch
+drm-exynos-always-initialize-mapping-in-exynos_drm_r.patch
+m68knommu-only-set-config_isa_dma_api-for-coldfire-s.patch
+btrfs-tree-log-check-btrfs_lookup_data_extent-return.patch
+asoc-intel-skylake-fix-module-configuration-for-kpb-.patch
+asoc-intel-skylake-fix-passing-loadable-flag-for-mod.patch
+of-don-t-allow-__of_attached_node_sysfs-without-conf.patch
+mmc-sdhci-of-arasan-check-return-value-of-non-void-f.patch
+mmc-rtsx_pci-fix-long-reads-when-clock-is-prescaled.patch
+selftests-bpf-enlarge-select-timeout-for-test_maps.patch
+mmc-core-return-correct-emmc-response-in-case-of-ioc.patch
+cifs-fix-wrong-release-in-sess_alloc_buffer-failed-p.patch
+revert-usb-xhci-fix-u1-u2-handling-for-hardware-with.patch
+usb-musb-musb_dsps-request_irq-after-initializing-mu.patch
+usbip-give-back-urbs-for-unsent-unlink-requests-duri.patch
+usbip-vhci_hcd-usb-port-can-get-stuck-in-the-disable.patch
+asoc-rockchip-i2s-fix-regmap_ops-hang.patch
+asoc-rockchip-i2s-fixup-config-for-daifmt_dsp_a-b.patch
+drm-amdkfd-account-for-sh-se-count-when-setting-up-c.patch
+iwlwifi-mvm-fix-a-memory-leak-in-iwl_mvm_mac_ctxt_be.patch
+iwlwifi-mvm-avoid-static-queue-number-aliasing.patch
+iwlwifi-mvm-fix-access-to-bss-elements.patch
+net-mlx5-dr-enable-qp-retransmission.patch
+parport-remove-non-zero-check-on-count.patch
+ath9k-fix-oob-read-ar9300_eeprom_restore_internal.patch
+ath9k-fix-sleeping-in-atomic-context.patch
+net-fix-null-pointer-reference-in-cipso_v4_doi_free.patch
+fix-array-index-out-of-bounds-in-taprio_change.patch
+net-w5100-check-return-value-after-calling-platform_.patch
--- /dev/null
+From c3055b16026fac8dfceb0009913b337532981c6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 17:17:24 +0800
+Subject: Smack: Fix wrong semantics in smk_access_entry()
+
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+
+[ Upstream commit 6d14f5c7028eea70760df284057fe198ce7778dd ]
+
+In the smk_access_entry() function, if no matching rule is found
+in the rust_list, a negative error code will be used to perform bit
+operations with the MAY_ enumeration value. This is semantically
+wrong. This patch fixes this issue.
+
+Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/smack/smack_access.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
+index 38ac3da4e791..beeba1a9be17 100644
+--- a/security/smack/smack_access.c
++++ b/security/smack/smack_access.c
+@@ -81,23 +81,22 @@ int log_policy = SMACK_AUDIT_DENIED;
+ int smk_access_entry(char *subject_label, char *object_label,
+ struct list_head *rule_list)
+ {
+- int may = -ENOENT;
+ struct smack_rule *srp;
+
+ list_for_each_entry_rcu(srp, rule_list, list) {
+ if (srp->smk_object->smk_known == object_label &&
+ srp->smk_subject->smk_known == subject_label) {
+- may = srp->smk_access;
+- break;
++ int may = srp->smk_access;
++ /*
++ * MAY_WRITE implies MAY_LOCK.
++ */
++ if ((may & MAY_WRITE) == MAY_WRITE)
++ may |= MAY_LOCK;
++ return may;
+ }
+ }
+
+- /*
+- * MAY_WRITE implies MAY_LOCK.
+- */
+- if ((may & MAY_WRITE) == MAY_WRITE)
+- may |= MAY_LOCK;
+- return may;
++ return -ENOENT;
+ }
+
+ /**
+--
+2.30.2
+
--- /dev/null
+From 706610f4bfeb2f11494d3628b0b2cb664e5b182f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jul 2021 18:20:47 +0800
+Subject: spi: imx: fix ERR009165
+
+From: Robin Gong <yibin.gong@nxp.com>
+
+[ Upstream commit 980f884866eed4dda2a18de888c5a67dde67d640 ]
+
+Change to XCH mode even in dma mode, please refer to the below
+errata:
+https://www.nxp.com/docs/en/errata/IMX6DQCE.pdf
+
+Signed-off-by: Robin Gong <yibin.gong@nxp.com>
+Reviewed-by: Lucas Stach <l.stach@pengutronix.de>
+Acked-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-imx.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
+index 474d5a7fa95e..c47e1d428ef4 100644
+--- a/drivers/spi/spi-imx.c
++++ b/drivers/spi/spi-imx.c
+@@ -614,8 +614,8 @@ static int mx51_ecspi_prepare_transfer(struct spi_imx_data *spi_imx,
+ ctrl |= mx51_ecspi_clkdiv(spi_imx, spi_imx->spi_bus_clk, &clk);
+ spi_imx->spi_bus_clk = clk;
+
+- if (spi_imx->usedma)
+- ctrl |= MX51_ECSPI_CTRL_SMC;
++ /* ERR009165: work in XHC mode as PIO */
++ ctrl &= ~MX51_ECSPI_CTRL_SMC;
+
+ writel(ctrl, spi_imx->base + MX51_ECSPI_CTRL);
+
+@@ -629,7 +629,7 @@ static void mx51_setup_wml(struct spi_imx_data *spi_imx)
+ * and enable DMA request.
+ */
+ writel(MX51_ECSPI_DMA_RX_WML(spi_imx->wml - 1) |
+- MX51_ECSPI_DMA_TX_WML(spi_imx->wml) |
++ MX51_ECSPI_DMA_TX_WML(0) |
+ MX51_ECSPI_DMA_RXT_WML(spi_imx->wml) |
+ MX51_ECSPI_DMA_TEDEN | MX51_ECSPI_DMA_RXDEN |
+ MX51_ECSPI_DMA_RXTDEN, spi_imx->base + MX51_ECSPI_DMA);
+@@ -1284,10 +1284,6 @@ static int spi_imx_sdma_init(struct device *dev, struct spi_imx_data *spi_imx,
+ {
+ int ret;
+
+- /* use pio mode for i.mx6dl chip TKT238285 */
+- if (of_machine_is_compatible("fsl,imx6dl"))
+- return 0;
+-
+ spi_imx->wml = spi_imx->devtype_data->fifo_size / 2;
+
+ /* Prepare for TX DMA: */
+--
+2.30.2
+
--- /dev/null
+From d07fade1544c5405a7bc97a50794ff3b1f2bc47d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jul 2021 12:13:46 +0200
+Subject: staging: board: Fix uninitialized spinlock when attaching genpd
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit df00609821bf17f50a75a446266d19adb8339d84 ]
+
+On Armadillo-800-EVA with CONFIG_DEBUG_SPINLOCK=y:
+
+ BUG: spinlock bad magic on CPU#0, swapper/1
+ lock: lcdc0_device+0x10c/0x308, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0
+ CPU: 0 PID: 1 Comm: swapper Not tainted 5.11.0-rc5-armadillo-00036-gbbca04be7a80-dirty #287
+ Hardware name: Generic R8A7740 (Flattened Device Tree)
+ [<c010c3c8>] (unwind_backtrace) from [<c010a49c>] (show_stack+0x10/0x14)
+ [<c010a49c>] (show_stack) from [<c0159534>] (do_raw_spin_lock+0x20/0x94)
+ [<c0159534>] (do_raw_spin_lock) from [<c040858c>] (dev_pm_get_subsys_data+0x8c/0x11c)
+ [<c040858c>] (dev_pm_get_subsys_data) from [<c05fbcac>] (genpd_add_device+0x78/0x2b8)
+ [<c05fbcac>] (genpd_add_device) from [<c0412db4>] (of_genpd_add_device+0x34/0x4c)
+ [<c0412db4>] (of_genpd_add_device) from [<c0a1ea74>] (board_staging_register_device+0x11c/0x148)
+ [<c0a1ea74>] (board_staging_register_device) from [<c0a1eac4>] (board_staging_register_devices+0x24/0x28)
+
+of_genpd_add_device() is called before platform_device_register(), as it
+needs to attach the genpd before the device is probed. But the spinlock
+is only initialized when the device is registered.
+
+Fix this by open-coding the spinlock initialization, cfr.
+device_pm_init_common() in the internal drivers/base code, and in the
+SuperH early platform code.
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/57783ece7ddae55f2bda2f59f452180bff744ea0.1626257398.git.geert+renesas@glider.be
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/board/board.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/board/board.c b/drivers/staging/board/board.c
+index cb6feb34dd40..f980af037345 100644
+--- a/drivers/staging/board/board.c
++++ b/drivers/staging/board/board.c
+@@ -136,6 +136,7 @@ int __init board_staging_register_clock(const struct board_staging_clk *bsc)
+ static int board_staging_add_dev_domain(struct platform_device *pdev,
+ const char *domain)
+ {
++ struct device *dev = &pdev->dev;
+ struct of_phandle_args pd_args;
+ struct device_node *np;
+
+@@ -148,7 +149,11 @@ static int board_staging_add_dev_domain(struct platform_device *pdev,
+ pd_args.np = np;
+ pd_args.args_count = 0;
+
+- return of_genpd_add_device(&pd_args, &pdev->dev);
++ /* Initialization similar to device_pm_init_common() */
++ spin_lock_init(&dev->power.lock);
++ dev->power.early_init = true;
++
++ return of_genpd_add_device(&pd_args, dev);
+ }
+ #else
+ static inline int board_staging_add_dev_domain(struct platform_device *pdev,
+--
+2.30.2
+
--- /dev/null
+From cca08c83b258ce8b15f6638ea602fdc0bd6e1b79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jul 2021 10:45:11 +0200
+Subject: staging: ks7010: Fix the initialization of the 'sleep_status'
+ structure
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 56315e55119c0ea57e142b6efb7c31208628ad86 ]
+
+'sleep_status' has 3 atomic_t members. Initialize the 3 of them instead of
+initializing only 2 of them and setting 0 twice to the same variable.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/d2e52a33a9beab41879551d0ae2fdfc99970adab.1626856991.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/ks7010/ks7010_sdio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/ks7010/ks7010_sdio.c b/drivers/staging/ks7010/ks7010_sdio.c
+index 4b379542ecd5..3fbe223d59b8 100644
+--- a/drivers/staging/ks7010/ks7010_sdio.c
++++ b/drivers/staging/ks7010/ks7010_sdio.c
+@@ -938,9 +938,9 @@ static void ks7010_private_init(struct ks_wlan_private *priv,
+ memset(&priv->wstats, 0, sizeof(priv->wstats));
+
+ /* sleep mode */
++ atomic_set(&priv->sleepstatus.status, 0);
+ atomic_set(&priv->sleepstatus.doze_request, 0);
+ atomic_set(&priv->sleepstatus.wakeup_request, 0);
+- atomic_set(&priv->sleepstatus.wakeup_request, 0);
+
+ trx_device_init(priv);
+ hostif_init(priv);
+--
+2.30.2
+
--- /dev/null
+From 0a1274b3c1653cc6f84d362fc85308644659503d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Aug 2021 21:42:52 -0700
+Subject: staging: rts5208: Fix get_ms_information() heap buffer size
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit cbe34165cc1b7d1110b268ba8b9f30843c941639 ]
+
+Fix buf allocation size (it needs to be 2 bytes larger). Found when
+__alloc_size() annotations were added to kmalloc() interfaces.
+
+In file included from ./include/linux/string.h:253,
+ from ./include/linux/bitmap.h:10,
+ from ./include/linux/cpumask.h:12,
+ from ./arch/x86/include/asm/paravirt.h:17,
+ from ./arch/x86/include/asm/irqflags.h:63,
+ from ./include/linux/irqflags.h:16,
+ from ./include/linux/rcupdate.h:26,
+ from ./include/linux/rculist.h:11,
+ from ./include/linux/pid.h:5,
+ from ./include/linux/sched.h:14,
+ from ./include/linux/blkdev.h:5,
+ from drivers/staging/rts5208/rtsx_scsi.c:12:
+In function 'get_ms_information',
+ inlined from 'ms_sp_cmnd' at drivers/staging/rts5208/rtsx_scsi.c:2877:12,
+ inlined from 'rtsx_scsi_handler' at drivers/staging/rts5208/rtsx_scsi.c:3247:12:
+./include/linux/fortify-string.h:54:29: warning: '__builtin_memcpy' forming offset [106, 107] is out
+ of the bounds [0, 106] [-Warray-bounds]
+ 54 | #define __underlying_memcpy __builtin_memcpy
+ | ^
+./include/linux/fortify-string.h:417:2: note: in expansion of macro '__underlying_memcpy'
+ 417 | __underlying_##op(p, q, __fortify_size); \
+ | ^~~~~~~~~~~~~
+./include/linux/fortify-string.h:463:26: note: in expansion of macro '__fortify_memcpy_chk'
+ 463 | #define memcpy(p, q, s) __fortify_memcpy_chk(p, q, s, \
+ | ^~~~~~~~~~~~~~~~~~~~
+drivers/staging/rts5208/rtsx_scsi.c:2851:3: note: in expansion of macro 'memcpy'
+ 2851 | memcpy(buf + i, ms_card->raw_sys_info, 96);
+ | ^~~~~~
+
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: linux-staging@lists.linux.dev
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20210818044252.1533634-1-keescook@chromium.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/rts5208/rtsx_scsi.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/staging/rts5208/rtsx_scsi.c b/drivers/staging/rts5208/rtsx_scsi.c
+index 1deb74112ad4..11d9d9155eef 100644
+--- a/drivers/staging/rts5208/rtsx_scsi.c
++++ b/drivers/staging/rts5208/rtsx_scsi.c
+@@ -2802,10 +2802,10 @@ static int get_ms_information(struct scsi_cmnd *srb, struct rtsx_chip *chip)
+ }
+
+ if (dev_info_id == 0x15) {
+- buf_len = 0x3A;
++ buf_len = 0x3C;
+ data_len = 0x3A;
+ } else {
+- buf_len = 0x6A;
++ buf_len = 0x6C;
+ data_len = 0x6A;
+ }
+
+@@ -2855,11 +2855,7 @@ static int get_ms_information(struct scsi_cmnd *srb, struct rtsx_chip *chip)
+ }
+
+ rtsx_stor_set_xfer_buf(buf, buf_len, srb);
+-
+- if (dev_info_id == 0x15)
+- scsi_set_resid(srb, scsi_bufflen(srb) - 0x3C);
+- else
+- scsi_set_resid(srb, scsi_bufflen(srb) - 0x6C);
++ scsi_set_resid(srb, scsi_bufflen(srb) - buf_len);
+
+ kfree(buf);
+ return STATUS_SUCCESS;
+--
+2.30.2
+
--- /dev/null
+From 2d3d97e758f557cb2dc90888db1c17926e498fc9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jul 2021 07:59:23 -0400
+Subject: SUNRPC: Fix potential memory corruption
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit c2dc3e5fad13aca5d7bdf4bcb52b1a1d707c8555 ]
+
+We really should not call rpc_wake_up_queued_task_set_status() with
+xprt->snd_task as an argument unless we are certain that is actually an
+rpc_task.
+
+Fixes: 0445f92c5d53 ("SUNRPC: Fix disconnection races")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/sunrpc/xprt.h | 1 +
+ net/sunrpc/xprt.c | 6 ++++--
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/sunrpc/xprt.h b/include/linux/sunrpc/xprt.h
+index d7ef5b97174c..3c6c4b1dbf1a 100644
+--- a/include/linux/sunrpc/xprt.h
++++ b/include/linux/sunrpc/xprt.h
+@@ -419,6 +419,7 @@ void xprt_unlock_connect(struct rpc_xprt *, void *);
+ #define XPRT_CONGESTED (9)
+ #define XPRT_CWND_WAIT (10)
+ #define XPRT_WRITE_SPACE (11)
++#define XPRT_SND_IS_COOKIE (12)
+
+ static inline void xprt_set_connected(struct rpc_xprt *xprt)
+ {
+diff --git a/net/sunrpc/xprt.c b/net/sunrpc/xprt.c
+index 639837b3a5d9..3653898f465f 100644
+--- a/net/sunrpc/xprt.c
++++ b/net/sunrpc/xprt.c
+@@ -729,9 +729,9 @@ void xprt_force_disconnect(struct rpc_xprt *xprt)
+ /* Try to schedule an autoclose RPC call */
+ if (test_and_set_bit(XPRT_LOCKED, &xprt->state) == 0)
+ queue_work(xprtiod_workqueue, &xprt->task_cleanup);
+- else if (xprt->snd_task)
++ else if (xprt->snd_task && !test_bit(XPRT_SND_IS_COOKIE, &xprt->state))
+ rpc_wake_up_queued_task_set_status(&xprt->pending,
+- xprt->snd_task, -ENOTCONN);
++ xprt->snd_task, -ENOTCONN);
+ spin_unlock(&xprt->transport_lock);
+ }
+ EXPORT_SYMBOL_GPL(xprt_force_disconnect);
+@@ -820,6 +820,7 @@ bool xprt_lock_connect(struct rpc_xprt *xprt,
+ goto out;
+ if (xprt->snd_task != task)
+ goto out;
++ set_bit(XPRT_SND_IS_COOKIE, &xprt->state);
+ xprt->snd_task = cookie;
+ ret = true;
+ out:
+@@ -835,6 +836,7 @@ void xprt_unlock_connect(struct rpc_xprt *xprt, void *cookie)
+ if (!test_bit(XPRT_LOCKED, &xprt->state))
+ goto out;
+ xprt->snd_task =NULL;
++ clear_bit(XPRT_SND_IS_COOKIE, &xprt->state);
+ xprt->ops->release_xprt(xprt, NULL);
+ xprt_schedule_autodisconnect(xprt);
+ out:
+--
+2.30.2
+
--- /dev/null
+From 677681ea3b3a89a1b92d41234178f9935fb7ac5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Aug 2021 20:51:06 +0000
+Subject: tcp: enable data-less, empty-cookie SYN with
+ TFO_SERVER_COOKIE_NOT_REQD
+
+From: Luke Hsiao <lukehsiao@google.com>
+
+[ Upstream commit e3faa49bcecdfcc80e94dd75709d6acb1a5d89f6 ]
+
+Since the original TFO server code was implemented in commit
+168a8f58059a22feb9e9a2dcc1b8053dbbbc12ef ("tcp: TCP Fast Open Server -
+main code path") the TFO server code has supported the sysctl bit flag
+TFO_SERVER_COOKIE_NOT_REQD. Currently, when the TFO_SERVER_ENABLE and
+TFO_SERVER_COOKIE_NOT_REQD sysctl bit flags are set, a server connection
+will accept a SYN with N bytes of data (N > 0) that has no TFO cookie,
+create a new fast open connection, process the incoming data in the SYN,
+and make the connection ready for accepting. After accepting, the
+connection is ready for read()/recvmsg() to read the N bytes of data in
+the SYN, ready for write()/sendmsg() calls and data transmissions to
+transmit data.
+
+This commit changes an edge case in this feature by changing this
+behavior to apply to (N >= 0) bytes of data in the SYN rather than only
+(N > 0) bytes of data in the SYN. Now, a server will accept a data-less
+SYN without a TFO cookie if TFO_SERVER_COOKIE_NOT_REQD is set.
+
+Caveat! While this enables a new kind of TFO (data-less empty-cookie
+SYN), some firewall rules setup may not work if they assume such packets
+are not legit TFOs and will filter them.
+
+Signed-off-by: Luke Hsiao <lukehsiao@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20210816205105.2533289-1-luke.w.hsiao@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_fastopen.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
+index 8af4fefe371f..a5ec77a5ad6f 100644
+--- a/net/ipv4/tcp_fastopen.c
++++ b/net/ipv4/tcp_fastopen.c
+@@ -379,8 +379,7 @@ struct sock *tcp_try_fastopen(struct sock *sk, struct sk_buff *skb,
+ return NULL;
+ }
+
+- if (syn_data &&
+- tcp_fastopen_no_cookie(sk, dst, TFO_SERVER_COOKIE_NOT_REQD))
++ if (tcp_fastopen_no_cookie(sk, dst, TFO_SERVER_COOKIE_NOT_REQD))
+ goto fastopen;
+
+ if (foc->len == 0) {
+--
+2.30.2
+
--- /dev/null
+From ca15ca0645fdd7291f07488e94c668f7d6473e83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jul 2021 17:44:07 -0400
+Subject: tipc: keep the skb in rcv queue until the whole data is read
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit f4919ff59c2828064b4156e3c3600a169909bcf4 ]
+
+Currently, when userspace reads a datagram with a buffer that is
+smaller than this datagram, the data will be truncated and only
+part of it can be received by users. It doesn't seem right that
+users don't know the datagram size and have to use a huge buffer
+to read it to avoid the truncation.
+
+This patch to fix it by keeping the skb in rcv queue until the
+whole data is read by users. Only the last msg of the datagram
+will be marked with MSG_EOR, just as TCP/SCTP does.
+
+Note that this will work as above only when MSG_EOR is set in the
+flags parameter of recvmsg(), so that it won't break any old user
+applications.
+
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/socket.c | 36 +++++++++++++++++++++++++++---------
+ 1 file changed, 27 insertions(+), 9 deletions(-)
+
+diff --git a/net/tipc/socket.c b/net/tipc/socket.c
+index a5922ce9109c..231f9e1bf6bb 100644
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -1756,6 +1756,7 @@ static int tipc_recvmsg(struct socket *sock, struct msghdr *m,
+ bool connected = !tipc_sk_type_connectionless(sk);
+ struct tipc_sock *tsk = tipc_sk(sk);
+ int rc, err, hlen, dlen, copy;
++ struct tipc_skb_cb *skb_cb;
+ struct sk_buff_head xmitq;
+ struct tipc_msg *hdr;
+ struct sk_buff *skb;
+@@ -1779,6 +1780,7 @@ static int tipc_recvmsg(struct socket *sock, struct msghdr *m,
+ if (unlikely(rc))
+ goto exit;
+ skb = skb_peek(&sk->sk_receive_queue);
++ skb_cb = TIPC_SKB_CB(skb);
+ hdr = buf_msg(skb);
+ dlen = msg_data_sz(hdr);
+ hlen = msg_hdr_sz(hdr);
+@@ -1798,18 +1800,33 @@ static int tipc_recvmsg(struct socket *sock, struct msghdr *m,
+
+ /* Capture data if non-error msg, otherwise just set return value */
+ if (likely(!err)) {
+- copy = min_t(int, dlen, buflen);
+- if (unlikely(copy != dlen))
+- m->msg_flags |= MSG_TRUNC;
+- rc = skb_copy_datagram_msg(skb, hlen, m, copy);
++ int offset = skb_cb->bytes_read;
++
++ copy = min_t(int, dlen - offset, buflen);
++ rc = skb_copy_datagram_msg(skb, hlen + offset, m, copy);
++ if (unlikely(rc))
++ goto exit;
++ if (unlikely(offset + copy < dlen)) {
++ if (flags & MSG_EOR) {
++ if (!(flags & MSG_PEEK))
++ skb_cb->bytes_read = offset + copy;
++ } else {
++ m->msg_flags |= MSG_TRUNC;
++ skb_cb->bytes_read = 0;
++ }
++ } else {
++ if (flags & MSG_EOR)
++ m->msg_flags |= MSG_EOR;
++ skb_cb->bytes_read = 0;
++ }
+ } else {
+ copy = 0;
+ rc = 0;
+- if (err != TIPC_CONN_SHUTDOWN && connected && !m->msg_control)
++ if (err != TIPC_CONN_SHUTDOWN && connected && !m->msg_control) {
+ rc = -ECONNRESET;
++ goto exit;
++ }
+ }
+- if (unlikely(rc))
+- goto exit;
+
+ /* Mark message as group event if applicable */
+ if (unlikely(grp_evt)) {
+@@ -1832,9 +1849,10 @@ static int tipc_recvmsg(struct socket *sock, struct msghdr *m,
+ tipc_node_distr_xmit(sock_net(sk), &xmitq);
+ }
+
+- tsk_advance_rx_queue(sk);
++ if (!skb_cb->bytes_read)
++ tsk_advance_rx_queue(sk);
+
+- if (likely(!connected))
++ if (likely(!connected) || skb_cb->bytes_read)
+ goto exit;
+
+ /* Send connection flow control advertisement when applicable */
+--
+2.30.2
+
--- /dev/null
+From 2da84e1079b5dcf1521551507b501eb55e05a90a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jul 2021 05:53:23 +0000
+Subject: tty: serial: jsm: hold port lock when reporting modem line changes
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit 240e126c28df084222f0b661321e8e3ecb0d232e ]
+
+uart_handle_dcd_change() requires a port lock to be held and will emit a
+warning when lockdep is enabled.
+
+Held corresponding lock to fix the following warnings.
+
+[ 132.528648] WARNING: CPU: 5 PID: 11600 at drivers/tty/serial/serial_core.c:3046 uart_handle_dcd_change+0xf4/0x120
+[ 132.530482] Modules linked in:
+[ 132.531050] CPU: 5 PID: 11600 Comm: jsm Not tainted 5.14.0-rc1-00003-g7fef2edf7cc7-dirty #31
+[ 132.535268] RIP: 0010:uart_handle_dcd_change+0xf4/0x120
+[ 132.557100] Call Trace:
+[ 132.557562] ? __free_pages+0x83/0xb0
+[ 132.558213] neo_parse_modem+0x156/0x220
+[ 132.558897] neo_param+0x399/0x840
+[ 132.559495] jsm_tty_open+0x12f/0x2d0
+[ 132.560131] uart_startup.part.18+0x153/0x340
+[ 132.560888] ? lock_is_held_type+0xe9/0x140
+[ 132.561660] uart_port_activate+0x7f/0xe0
+[ 132.562351] ? uart_startup.part.18+0x340/0x340
+[ 132.563003] tty_port_open+0x8d/0xf0
+[ 132.563523] ? uart_set_options+0x1e0/0x1e0
+[ 132.564125] uart_open+0x24/0x40
+[ 132.564604] tty_open+0x15c/0x630
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Link: https://lore.kernel.org/r/1626242003-3809-1-git-send-email-zheyuma97@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/jsm/jsm_neo.c | 2 ++
+ drivers/tty/serial/jsm/jsm_tty.c | 3 +++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/drivers/tty/serial/jsm/jsm_neo.c b/drivers/tty/serial/jsm/jsm_neo.c
+index bf0e2a4cb0ce..c6f927a76c3b 100644
+--- a/drivers/tty/serial/jsm/jsm_neo.c
++++ b/drivers/tty/serial/jsm/jsm_neo.c
+@@ -815,7 +815,9 @@ static void neo_parse_isr(struct jsm_board *brd, u32 port)
+ /* Parse any modem signal changes */
+ jsm_dbg(INTR, &ch->ch_bd->pci_dev,
+ "MOD_STAT: sending to parse_modem_sigs\n");
++ spin_lock_irqsave(&ch->uart_port.lock, lock_flags);
+ neo_parse_modem(ch, readb(&ch->ch_neo_uart->msr));
++ spin_unlock_irqrestore(&ch->uart_port.lock, lock_flags);
+ }
+ }
+
+diff --git a/drivers/tty/serial/jsm/jsm_tty.c b/drivers/tty/serial/jsm/jsm_tty.c
+index 689774c073ca..8438454ca653 100644
+--- a/drivers/tty/serial/jsm/jsm_tty.c
++++ b/drivers/tty/serial/jsm/jsm_tty.c
+@@ -187,6 +187,7 @@ static void jsm_tty_break(struct uart_port *port, int break_state)
+
+ static int jsm_tty_open(struct uart_port *port)
+ {
++ unsigned long lock_flags;
+ struct jsm_board *brd;
+ struct jsm_channel *channel =
+ container_of(port, struct jsm_channel, uart_port);
+@@ -240,6 +241,7 @@ static int jsm_tty_open(struct uart_port *port)
+ channel->ch_cached_lsr = 0;
+ channel->ch_stops_sent = 0;
+
++ spin_lock_irqsave(&port->lock, lock_flags);
+ termios = &port->state->port.tty->termios;
+ channel->ch_c_cflag = termios->c_cflag;
+ channel->ch_c_iflag = termios->c_iflag;
+@@ -259,6 +261,7 @@ static int jsm_tty_open(struct uart_port *port)
+ jsm_carrier(channel);
+
+ channel->ch_open_count++;
++ spin_unlock_irqrestore(&port->lock, lock_flags);
+
+ jsm_dbg(OPEN, &channel->ch_bd->pci_dev, "finish\n");
+ return 0;
+--
+2.30.2
+
--- /dev/null
+From 7393f67d11d311fd93e6f0524d5e5e3cbc975093 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 16:28:58 +0800
+Subject: usb: chipidea: host: fix port index underflow and UBSAN complains
+
+From: Li Jun <jun.li@nxp.com>
+
+[ Upstream commit e5d6a7c6cfae9e714a0e8ff64facd1ac68a784c6 ]
+
+If wIndex is 0 (and it often is), these calculations underflow and
+UBSAN complains, here resolve this by not decrementing the index when
+it is equal to 0, this copies the solution from commit 85e3990bea49
+("USB: EHCI: avoid undefined pointer arithmetic and placate UBSAN")
+
+Reported-by: Zhipeng Wang <zhipeng.wang_1@nxp.com>
+Signed-off-by: Li Jun <jun.li@nxp.com>
+Link: https://lore.kernel.org/r/1624004938-2399-1-git-send-email-jun.li@nxp.com
+Signed-off-by: Peter Chen <peter.chen@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/chipidea/host.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/usb/chipidea/host.c b/drivers/usb/chipidea/host.c
+index 48e4a5ca1835..f5f56ee07729 100644
+--- a/drivers/usb/chipidea/host.c
++++ b/drivers/usb/chipidea/host.c
+@@ -233,18 +233,26 @@ static int ci_ehci_hub_control(
+ )
+ {
+ struct ehci_hcd *ehci = hcd_to_ehci(hcd);
++ unsigned int ports = HCS_N_PORTS(ehci->hcs_params);
+ u32 __iomem *status_reg;
+- u32 temp;
++ u32 temp, port_index;
+ unsigned long flags;
+ int retval = 0;
+ struct device *dev = hcd->self.controller;
+ struct ci_hdrc *ci = dev_get_drvdata(dev);
+
+- status_reg = &ehci->regs->port_status[(wIndex & 0xff) - 1];
++ port_index = wIndex & 0xff;
++ port_index -= (port_index > 0);
++ status_reg = &ehci->regs->port_status[port_index];
+
+ spin_lock_irqsave(&ehci->lock, flags);
+
+ if (typeReq == SetPortFeature && wValue == USB_PORT_FEAT_SUSPEND) {
++ if (!wIndex || wIndex > ports) {
++ retval = -EPIPE;
++ goto done;
++ }
++
+ temp = ehci_readl(ehci, status_reg);
+ if ((temp & PORT_PE) == 0 || (temp & PORT_RESET) != 0) {
+ retval = -EPIPE;
+@@ -273,7 +281,7 @@ static int ci_ehci_hub_control(
+ ehci_writel(ehci, temp, status_reg);
+ }
+
+- set_bit((wIndex & 0xff) - 1, &ehci->suspended_ports);
++ set_bit(port_index, &ehci->suspended_ports);
+ goto done;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 5e4e013b701aee7075dff85a1b086945c18a567c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jul 2021 11:30:56 +0300
+Subject: USB: EHCI: ehci-mv: improve error handling in mv_ehci_enable()
+
+From: Evgeny Novikov <novikov@ispras.ru>
+
+[ Upstream commit 61136a12cbed234374ec6f588af57c580b20b772 ]
+
+mv_ehci_enable() did not disable and unprepare clocks in case of
+failures of phy_init(). Besides, it did not take into account failures
+of ehci_clock_enable() (in effect, failures of clk_prepare_enable()).
+The patch fixes both issues and gets rid of redundant wrappers around
+clk_prepare_enable() and clk_disable_unprepare() to simplify this a bit.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
+Link: https://lore.kernel.org/r/20210708083056.21543-1-novikov@ispras.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/ehci-mv.c | 23 +++++++++++------------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/usb/host/ehci-mv.c b/drivers/usb/host/ehci-mv.c
+index b6f196f5e252..b0e0f8ea98a9 100644
+--- a/drivers/usb/host/ehci-mv.c
++++ b/drivers/usb/host/ehci-mv.c
+@@ -41,26 +41,25 @@ struct ehci_hcd_mv {
+ int (*set_vbus)(unsigned int vbus);
+ };
+
+-static void ehci_clock_enable(struct ehci_hcd_mv *ehci_mv)
++static int mv_ehci_enable(struct ehci_hcd_mv *ehci_mv)
+ {
+- clk_prepare_enable(ehci_mv->clk);
+-}
++ int retval;
+
+-static void ehci_clock_disable(struct ehci_hcd_mv *ehci_mv)
+-{
+- clk_disable_unprepare(ehci_mv->clk);
+-}
++ retval = clk_prepare_enable(ehci_mv->clk);
++ if (retval)
++ return retval;
+
+-static int mv_ehci_enable(struct ehci_hcd_mv *ehci_mv)
+-{
+- ehci_clock_enable(ehci_mv);
+- return phy_init(ehci_mv->phy);
++ retval = phy_init(ehci_mv->phy);
++ if (retval)
++ clk_disable_unprepare(ehci_mv->clk);
++
++ return retval;
+ }
+
+ static void mv_ehci_disable(struct ehci_hcd_mv *ehci_mv)
+ {
+ phy_exit(ehci_mv->phy);
+- ehci_clock_disable(ehci_mv);
++ clk_disable_unprepare(ehci_mv->clk);
+ }
+
+ static int mv_ehci_reset(struct usb_hcd *hcd)
+--
+2.30.2
+
--- /dev/null
+From 50f2e00357ff6f2363beb91d1b75a29fa4ae089d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jul 2021 01:09:07 -0700
+Subject: usb: gadget: composite: Allow bMaxPower=0 if self-powered
+
+From: Jack Pham <jackp@codeaurora.org>
+
+[ Upstream commit bcacbf06c891374e7fdd7b72d11cda03b0269b43 ]
+
+Currently the composite driver encodes the MaxPower field of
+the configuration descriptor by reading the c->MaxPower of the
+usb_configuration only if it is non-zero, otherwise it falls back
+to using the value hard-coded in CONFIG_USB_GADGET_VBUS_DRAW.
+However, there are cases when a configuration must explicitly set
+bMaxPower to 0, particularly if its bmAttributes also has the
+Self-Powered bit set, which is a valid combination.
+
+This is specifically called out in the USB PD specification section
+9.1, in which a PDUSB device "shall report zero in the bMaxPower
+field after negotiating a mutually agreeable Contract", and also
+verified by the USB Type-C Functional Test TD.4.10.2 Sink Power
+Precedence Test.
+
+The fix allows the c->MaxPower to be used for encoding the bMaxPower
+even if it is 0, if the self-powered bit is also set. An example
+usage of this would be for a ConfigFS gadget to be dynamically
+updated by userspace when the Type-C connection is determined to be
+operating in Power Delivery mode.
+
+Co-developed-by: Ronak Vijay Raheja <rraheja@codeaurora.org>
+Acked-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Ronak Vijay Raheja <rraheja@codeaurora.org>
+Signed-off-by: Jack Pham <jackp@codeaurora.org>
+Link: https://lore.kernel.org/r/20210720080907.30292-1-jackp@codeaurora.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/composite.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
+index 24dad1d78d1e..6bd3fdb925cd 100644
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -481,7 +481,7 @@ static u8 encode_bMaxPower(enum usb_device_speed speed,
+ {
+ unsigned val;
+
+- if (c->MaxPower)
++ if (c->MaxPower || (c->bmAttributes & USB_CONFIG_ATT_SELFPOWER))
+ val = c->MaxPower;
+ else
+ val = CONFIG_USB_GADGET_VBUS_DRAW;
+@@ -905,7 +905,11 @@ static int set_config(struct usb_composite_dev *cdev,
+ }
+
+ /* when we return, be sure our power usage is valid */
+- power = c->MaxPower ? c->MaxPower : CONFIG_USB_GADGET_VBUS_DRAW;
++ if (c->MaxPower || (c->bmAttributes & USB_CONFIG_ATT_SELFPOWER))
++ power = c->MaxPower;
++ else
++ power = CONFIG_USB_GADGET_VBUS_DRAW;
++
+ if (gadget->speed < USB_SPEED_SUPER)
+ power = min(power, 500U);
+ else
+--
+2.30.2
+
--- /dev/null
+From 23ea82b730bf51cf8d782e3556ee94b28a3454a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Jul 2021 04:48:34 -0700
+Subject: usb: gadget: u_ether: fix a potential null pointer dereference
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Żenczykowski <maze@google.com>
+
+[ Upstream commit 8ae01239609b29ec2eff55967c8e0fe3650cfa09 ]
+
+f_ncm tx timeout can call us with null skb to flush
+a pending frame. In this case skb is NULL to begin
+with but ceases to be null after dev->wrap() completes.
+
+In such a case in->maxpacket will be read, even though
+we've failed to check that 'in' is not NULL.
+
+Though I've never observed this fail in practice,
+however the 'flush operation' simply does not make sense with
+a null usb IN endpoint - there's nowhere to flush to...
+(note that we're the gadget/device, and IN is from the point
+ of view of the host, so here IN actually means outbound...)
+
+Cc: Brooke Basile <brookebasile@gmail.com>
+Cc: "Bryan O'Donoghue" <bryan.odonoghue@linaro.org>
+Cc: Felipe Balbi <balbi@kernel.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Lorenzo Colitti <lorenzo@google.com>
+Signed-off-by: Maciej Żenczykowski <maze@google.com>
+Link: https://lore.kernel.org/r/20210701114834.884597-6-zenczykowski@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/u_ether.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c
+index 99b840daf3d9..57da62e33184 100644
+--- a/drivers/usb/gadget/function/u_ether.c
++++ b/drivers/usb/gadget/function/u_ether.c
+@@ -491,8 +491,9 @@ static netdev_tx_t eth_start_xmit(struct sk_buff *skb,
+ }
+ spin_unlock_irqrestore(&dev->lock, flags);
+
+- if (skb && !in) {
+- dev_kfree_skb_any(skb);
++ if (!in) {
++ if (skb)
++ dev_kfree_skb_any(skb);
+ return NETDEV_TX_OK;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From f357a40d56251aaa1903877787fe7b076c6d0602 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Jun 2021 20:57:47 +0800
+Subject: usb: host: fotg210: fix the actual_length of an iso packet
+
+From: Kelly Devilliv <kelly.devilliv@gmail.com>
+
+[ Upstream commit 091cb2f782f32ab68c6f5f326d7868683d3d4875 ]
+
+We should acquire the actual_length of an iso packet
+from the iTD directly using FOTG210_ITD_LENGTH() macro.
+
+Signed-off-by: Kelly Devilliv <kelly.devilliv@gmail.com>
+Link: https://lore.kernel.org/r/20210627125747.127646-4-kelly.devilliv@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/fotg210-hcd.c | 5 ++---
+ drivers/usb/host/fotg210.h | 5 -----
+ 2 files changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/usb/host/fotg210-hcd.c b/drivers/usb/host/fotg210-hcd.c
+index e62c456e78ac..f457e083a6f8 100644
+--- a/drivers/usb/host/fotg210-hcd.c
++++ b/drivers/usb/host/fotg210-hcd.c
+@@ -4461,13 +4461,12 @@ static bool itd_complete(struct fotg210_hcd *fotg210, struct fotg210_itd *itd)
+
+ /* HC need not update length with this error */
+ if (!(t & FOTG210_ISOC_BABBLE)) {
+- desc->actual_length =
+- fotg210_itdlen(urb, desc, t);
++ desc->actual_length = FOTG210_ITD_LENGTH(t);
+ urb->actual_length += desc->actual_length;
+ }
+ } else if (likely((t & FOTG210_ISOC_ACTIVE) == 0)) {
+ desc->status = 0;
+- desc->actual_length = fotg210_itdlen(urb, desc, t);
++ desc->actual_length = FOTG210_ITD_LENGTH(t);
+ urb->actual_length += desc->actual_length;
+ } else {
+ /* URB was too late */
+diff --git a/drivers/usb/host/fotg210.h b/drivers/usb/host/fotg210.h
+index 1b4db95e5c43..291add93d84e 100644
+--- a/drivers/usb/host/fotg210.h
++++ b/drivers/usb/host/fotg210.h
+@@ -686,11 +686,6 @@ static inline unsigned fotg210_read_frame_index(struct fotg210_hcd *fotg210)
+ return fotg210_readl(fotg210, &fotg210->regs->frame_index);
+ }
+
+-#define fotg210_itdlen(urb, desc, t) ({ \
+- usb_pipein((urb)->pipe) ? \
+- (desc)->length - FOTG210_ITD_LENGTH(t) : \
+- FOTG210_ITD_LENGTH(t); \
+-})
+ /*-------------------------------------------------------------------------*/
+
+ #endif /* __LINUX_FOTG210_H */
+--
+2.30.2
+
--- /dev/null
+From 1e339e92ecc64a2c4e47f444a46f1380fc50a25f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Jun 2021 20:57:46 +0800
+Subject: usb: host: fotg210: fix the endpoint's transactional opportunities
+ calculation
+
+From: Kelly Devilliv <kelly.devilliv@gmail.com>
+
+[ Upstream commit c2e898764245c852bc8ee4857613ba4f3a6d761d ]
+
+Now that usb_endpoint_maxp() only returns the lowest
+11 bits from wMaxPacketSize, we should make use of the
+usb_endpoint_* helpers instead and remove the unnecessary
+max_packet()/hb_mult() macro.
+
+Signed-off-by: Kelly Devilliv <kelly.devilliv@gmail.com>
+Link: https://lore.kernel.org/r/20210627125747.127646-3-kelly.devilliv@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/fotg210-hcd.c | 36 ++++++++++++++++------------------
+ 1 file changed, 17 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/usb/host/fotg210-hcd.c b/drivers/usb/host/fotg210-hcd.c
+index c3f74d6674e1..e62c456e78ac 100644
+--- a/drivers/usb/host/fotg210-hcd.c
++++ b/drivers/usb/host/fotg210-hcd.c
+@@ -2511,11 +2511,6 @@ static unsigned qh_completions(struct fotg210_hcd *fotg210,
+ return count;
+ }
+
+-/* high bandwidth multiplier, as encoded in highspeed endpoint descriptors */
+-#define hb_mult(wMaxPacketSize) (1 + (((wMaxPacketSize) >> 11) & 0x03))
+-/* ... and packet size, for any kind of endpoint descriptor */
+-#define max_packet(wMaxPacketSize) ((wMaxPacketSize) & 0x07ff)
+-
+ /* reverse of qh_urb_transaction: free a list of TDs.
+ * used for cleanup after errors, before HC sees an URB's TDs.
+ */
+@@ -2601,7 +2596,7 @@ static struct list_head *qh_urb_transaction(struct fotg210_hcd *fotg210,
+ token |= (1 /* "in" */ << 8);
+ /* else it's already initted to "out" pid (0 << 8) */
+
+- maxpacket = max_packet(usb_maxpacket(urb->dev, urb->pipe, !is_input));
++ maxpacket = usb_maxpacket(urb->dev, urb->pipe, !is_input);
+
+ /*
+ * buffer gets wrapped in one or more qtds;
+@@ -2715,9 +2710,11 @@ static struct fotg210_qh *qh_make(struct fotg210_hcd *fotg210, struct urb *urb,
+ gfp_t flags)
+ {
+ struct fotg210_qh *qh = fotg210_qh_alloc(fotg210, flags);
++ struct usb_host_endpoint *ep;
+ u32 info1 = 0, info2 = 0;
+ int is_input, type;
+ int maxp = 0;
++ int mult;
+ struct usb_tt *tt = urb->dev->tt;
+ struct fotg210_qh_hw *hw;
+
+@@ -2732,14 +2729,15 @@ static struct fotg210_qh *qh_make(struct fotg210_hcd *fotg210, struct urb *urb,
+
+ is_input = usb_pipein(urb->pipe);
+ type = usb_pipetype(urb->pipe);
+- maxp = usb_maxpacket(urb->dev, urb->pipe, !is_input);
++ ep = usb_pipe_endpoint(urb->dev, urb->pipe);
++ maxp = usb_endpoint_maxp(&ep->desc);
++ mult = usb_endpoint_maxp_mult(&ep->desc);
+
+ /* 1024 byte maxpacket is a hardware ceiling. High bandwidth
+ * acts like up to 3KB, but is built from smaller packets.
+ */
+- if (max_packet(maxp) > 1024) {
+- fotg210_dbg(fotg210, "bogus qh maxpacket %d\n",
+- max_packet(maxp));
++ if (maxp > 1024) {
++ fotg210_dbg(fotg210, "bogus qh maxpacket %d\n", maxp);
+ goto done;
+ }
+
+@@ -2753,8 +2751,7 @@ static struct fotg210_qh *qh_make(struct fotg210_hcd *fotg210, struct urb *urb,
+ */
+ if (type == PIPE_INTERRUPT) {
+ qh->usecs = NS_TO_US(usb_calc_bus_time(USB_SPEED_HIGH,
+- is_input, 0,
+- hb_mult(maxp) * max_packet(maxp)));
++ is_input, 0, mult * maxp));
+ qh->start = NO_FRAME;
+
+ if (urb->dev->speed == USB_SPEED_HIGH) {
+@@ -2791,7 +2788,7 @@ static struct fotg210_qh *qh_make(struct fotg210_hcd *fotg210, struct urb *urb,
+ think_time = tt ? tt->think_time : 0;
+ qh->tt_usecs = NS_TO_US(think_time +
+ usb_calc_bus_time(urb->dev->speed,
+- is_input, 0, max_packet(maxp)));
++ is_input, 0, maxp));
+ qh->period = urb->interval;
+ if (qh->period > fotg210->periodic_size) {
+ qh->period = fotg210->periodic_size;
+@@ -2854,11 +2851,11 @@ static struct fotg210_qh *qh_make(struct fotg210_hcd *fotg210, struct urb *urb,
+ * to help them do so. So now people expect to use
+ * such nonconformant devices with Linux too; sigh.
+ */
+- info1 |= max_packet(maxp) << 16;
++ info1 |= maxp << 16;
+ info2 |= (FOTG210_TUNE_MULT_HS << 30);
+ } else { /* PIPE_INTERRUPT */
+- info1 |= max_packet(maxp) << 16;
+- info2 |= hb_mult(maxp) << 30;
++ info1 |= maxp << 16;
++ info2 |= mult << 30;
+ }
+ break;
+ default:
+@@ -3928,6 +3925,7 @@ static void iso_stream_init(struct fotg210_hcd *fotg210,
+ int is_input;
+ long bandwidth;
+ unsigned multi;
++ struct usb_host_endpoint *ep;
+
+ /*
+ * this might be a "high bandwidth" highspeed endpoint,
+@@ -3935,14 +3933,14 @@ static void iso_stream_init(struct fotg210_hcd *fotg210,
+ */
+ epnum = usb_pipeendpoint(pipe);
+ is_input = usb_pipein(pipe) ? USB_DIR_IN : 0;
+- maxp = usb_maxpacket(dev, pipe, !is_input);
++ ep = usb_pipe_endpoint(dev, pipe);
++ maxp = usb_endpoint_maxp(&ep->desc);
+ if (is_input)
+ buf1 = (1 << 11);
+ else
+ buf1 = 0;
+
+- maxp = max_packet(maxp);
+- multi = hb_mult(maxp);
++ multi = usb_endpoint_maxp_mult(&ep->desc);
+ buf1 |= maxp;
+ maxp *= multi;
+
+--
+2.30.2
+
--- /dev/null
+From 827ec93a95ea84e785fe197fc75eb33c8d580186 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Aug 2021 19:33:23 +0300
+Subject: usb: musb: musb_dsps: request_irq() after initializing musb
+
+From: Nadezda Lutovinova <lutovinova@ispras.ru>
+
+[ Upstream commit 7c75bde329d7e2a93cf86a5c15c61f96f1446cdc ]
+
+If IRQ occurs between calling dsps_setup_optional_vbus_irq()
+and dsps_create_musb_pdev(), then null pointer dereference occurs
+since glue->musb wasn't initialized yet.
+
+The patch puts initializing of neccesery data before registration
+of the interrupt handler.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Nadezda Lutovinova <lutovinova@ispras.ru>
+Link: https://lore.kernel.org/r/20210819163323.17714-1-lutovinova@ispras.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/musb/musb_dsps.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/usb/musb/musb_dsps.c b/drivers/usb/musb/musb_dsps.c
+index 327d4f7baaf7..89d659cef5c6 100644
+--- a/drivers/usb/musb/musb_dsps.c
++++ b/drivers/usb/musb/musb_dsps.c
+@@ -890,23 +890,22 @@ static int dsps_probe(struct platform_device *pdev)
+ if (!glue->usbss_base)
+ return -ENXIO;
+
+- if (usb_get_dr_mode(&pdev->dev) == USB_DR_MODE_PERIPHERAL) {
+- ret = dsps_setup_optional_vbus_irq(pdev, glue);
+- if (ret)
+- goto err_iounmap;
+- }
+-
+ platform_set_drvdata(pdev, glue);
+ pm_runtime_enable(&pdev->dev);
+ ret = dsps_create_musb_pdev(glue, pdev);
+ if (ret)
+ goto err;
+
++ if (usb_get_dr_mode(&pdev->dev) == USB_DR_MODE_PERIPHERAL) {
++ ret = dsps_setup_optional_vbus_irq(pdev, glue);
++ if (ret)
++ goto err;
++ }
++
+ return 0;
+
+ err:
+ pm_runtime_disable(&pdev->dev);
+-err_iounmap:
+ iounmap(glue->usbss_base);
+ return ret;
+ }
+--
+2.30.2
+
--- /dev/null
+From bd7a64e9f0a94ee206dbf96044eba4b297ec09a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Aug 2021 00:31:21 +0530
+Subject: usbip: give back URBs for unsent unlink requests during cleanup
+
+From: Anirudh Rayabharam <mail@anirudhrb.com>
+
+[ Upstream commit 258c81b341c8025d79073ce2d6ce19dcdc7d10d2 ]
+
+In vhci_device_unlink_cleanup(), the URBs for unsent unlink requests are
+not given back. This sometimes causes usb_kill_urb to wait indefinitely
+for that urb to be given back. syzbot has reported a hung task issue [1]
+for this.
+
+To fix this, give back the urbs corresponding to unsent unlink requests
+(unlink_tx list) similar to how urbs corresponding to unanswered unlink
+requests (unlink_rx list) are given back.
+
+[1]: https://syzkaller.appspot.com/bug?id=08f12df95ae7da69814e64eb5515d5a85ed06b76
+
+Reported-by: syzbot+74d6ef051d3d2eacf428@syzkaller.appspotmail.com
+Tested-by: syzbot+74d6ef051d3d2eacf428@syzkaller.appspotmail.com
+Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
+Link: https://lore.kernel.org/r/20210820190122.16379-2-mail@anirudhrb.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/usbip/vhci_hcd.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
+index 98636fbf7188..46a46cde2070 100644
+--- a/drivers/usb/usbip/vhci_hcd.c
++++ b/drivers/usb/usbip/vhci_hcd.c
+@@ -952,8 +952,32 @@ static void vhci_device_unlink_cleanup(struct vhci_device *vdev)
+ spin_lock(&vdev->priv_lock);
+
+ list_for_each_entry_safe(unlink, tmp, &vdev->unlink_tx, list) {
++ struct urb *urb;
++
++ /* give back urb of unsent unlink request */
+ pr_info("unlink cleanup tx %lu\n", unlink->unlink_seqnum);
++
++ urb = pickup_urb_and_free_priv(vdev, unlink->unlink_seqnum);
++ if (!urb) {
++ list_del(&unlink->list);
++ kfree(unlink);
++ continue;
++ }
++
++ urb->status = -ENODEV;
++
++ usb_hcd_unlink_urb_from_ep(hcd, urb);
++
+ list_del(&unlink->list);
++
++ spin_unlock(&vdev->priv_lock);
++ spin_unlock_irqrestore(&vhci->lock, flags);
++
++ usb_hcd_giveback_urb(hcd, urb, urb->status);
++
++ spin_lock_irqsave(&vhci->lock, flags);
++ spin_lock(&vdev->priv_lock);
++
+ kfree(unlink);
+ }
+
+--
+2.30.2
+
--- /dev/null
+From a7126cb8d8ea97ecac4b1daa7f6c35c4d6afe729 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Aug 2021 16:59:37 -0600
+Subject: usbip:vhci_hcd USB port can get stuck in the disabled state
+
+From: Shuah Khan <skhan@linuxfoundation.org>
+
+[ Upstream commit 66cce9e73ec61967ed1f97f30cee79bd9a2bb7ee ]
+
+When a remote usb device is attached to the local Virtual USB
+Host Controller Root Hub port, the bound device driver may send
+a port reset command.
+
+vhci_hcd accepts port resets only when the device doesn't have
+port address assigned to it. When reset happens device is in
+assigned/used state and vhci_hcd rejects it leaving the port in
+a stuck state.
+
+This problem was found when a blue-tooth or xbox wireless dongle
+was passed through using usbip.
+
+A few drivers reset the port during probe including mt76 driver
+specific to this bug report. Fix the problem with a change to
+honor reset requests when device is in used state (VDEV_ST_USED).
+
+Reported-and-tested-by: Michael <msbroadf@gmail.com>
+Suggested-by: Michael <msbroadf@gmail.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Link: https://lore.kernel.org/r/20210819225937.41037-1-skhan@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/usbip/vhci_hcd.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
+index 46a46cde2070..170abb06a8a4 100644
+--- a/drivers/usb/usbip/vhci_hcd.c
++++ b/drivers/usb/usbip/vhci_hcd.c
+@@ -455,8 +455,14 @@ static int vhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue,
+ vhci_hcd->port_status[rhport] &= ~(1 << USB_PORT_FEAT_RESET);
+ vhci_hcd->re_timeout = 0;
+
++ /*
++ * A few drivers do usb reset during probe when
++ * the device could be in VDEV_ST_USED state
++ */
+ if (vhci_hcd->vdev[rhport].ud.status ==
+- VDEV_ST_NOTASSIGNED) {
++ VDEV_ST_NOTASSIGNED ||
++ vhci_hcd->vdev[rhport].ud.status ==
++ VDEV_ST_USED) {
+ usbip_dbg_vhci_rh(
+ " enable rhport %d (status %u)\n",
+ rhport,
+--
+2.30.2
+
--- /dev/null
+From 48bec926bb49522021076a11c12486496c652810 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Sep 2021 14:58:59 -0700
+Subject: userfaultfd: prevent concurrent API initialization
+
+From: Nadav Amit <namit@vmware.com>
+
+[ Upstream commit 22e5fe2a2a279d9a6fcbdfb4dffe73821bef1c90 ]
+
+userfaultfd assumes that the enabled features are set once and never
+changed after UFFDIO_API ioctl succeeded.
+
+However, currently, UFFDIO_API can be called concurrently from two
+different threads, succeed on both threads and leave userfaultfd's
+features in non-deterministic state. Theoretically, other uffd operations
+(ioctl's and page-faults) can be dispatched while adversely affected by
+such changes of features.
+
+Moreover, the writes to ctx->state and ctx->features are not ordered,
+which can - theoretically, again - let userfaultfd_ioctl() think that
+userfaultfd API completed, while the features are still not initialized.
+
+To avoid races, it is arguably best to get rid of ctx->state. Since there
+are only 2 states, record the API initialization in ctx->features as the
+uppermost bit and remove ctx->state.
+
+Link: https://lkml.kernel.org/r/20210808020724.1022515-3-namit@vmware.com
+Fixes: 9cd75c3cd4c3d ("userfaultfd: non-cooperative: add ability to report non-PF events from uffd descriptor")
+Signed-off-by: Nadav Amit <namit@vmware.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Axel Rasmussen <axelrasmussen@google.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
+Cc: Peter Xu <peterx@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/userfaultfd.c | 93 +++++++++++++++++++++++-------------------------
+ 1 file changed, 45 insertions(+), 48 deletions(-)
+
+diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
+index 2c807283115d..ec57bbb6bb05 100644
+--- a/fs/userfaultfd.c
++++ b/fs/userfaultfd.c
+@@ -32,11 +32,6 @@ int sysctl_unprivileged_userfaultfd __read_mostly = 1;
+
+ static struct kmem_cache *userfaultfd_ctx_cachep __read_mostly;
+
+-enum userfaultfd_state {
+- UFFD_STATE_WAIT_API,
+- UFFD_STATE_RUNNING,
+-};
+-
+ /*
+ * Start with fault_pending_wqh and fault_wqh so they're more likely
+ * to be in the same cacheline.
+@@ -68,8 +63,6 @@ struct userfaultfd_ctx {
+ unsigned int flags;
+ /* features requested from the userspace */
+ unsigned int features;
+- /* state machine */
+- enum userfaultfd_state state;
+ /* released */
+ bool released;
+ /* memory mappings are changing because of non-cooperative event */
+@@ -103,6 +96,14 @@ struct userfaultfd_wake_range {
+ unsigned long len;
+ };
+
++/* internal indication that UFFD_API ioctl was successfully executed */
++#define UFFD_FEATURE_INITIALIZED (1u << 31)
++
++static bool userfaultfd_is_initialized(struct userfaultfd_ctx *ctx)
++{
++ return ctx->features & UFFD_FEATURE_INITIALIZED;
++}
++
+ static int userfaultfd_wake_function(wait_queue_entry_t *wq, unsigned mode,
+ int wake_flags, void *key)
+ {
+@@ -699,7 +700,6 @@ int dup_userfaultfd(struct vm_area_struct *vma, struct list_head *fcs)
+
+ refcount_set(&ctx->refcount, 1);
+ ctx->flags = octx->flags;
+- ctx->state = UFFD_STATE_RUNNING;
+ ctx->features = octx->features;
+ ctx->released = false;
+ ctx->mmap_changing = false;
+@@ -980,38 +980,33 @@ static __poll_t userfaultfd_poll(struct file *file, poll_table *wait)
+
+ poll_wait(file, &ctx->fd_wqh, wait);
+
+- switch (ctx->state) {
+- case UFFD_STATE_WAIT_API:
++ if (!userfaultfd_is_initialized(ctx))
+ return EPOLLERR;
+- case UFFD_STATE_RUNNING:
+- /*
+- * poll() never guarantees that read won't block.
+- * userfaults can be waken before they're read().
+- */
+- if (unlikely(!(file->f_flags & O_NONBLOCK)))
+- return EPOLLERR;
+- /*
+- * lockless access to see if there are pending faults
+- * __pollwait last action is the add_wait_queue but
+- * the spin_unlock would allow the waitqueue_active to
+- * pass above the actual list_add inside
+- * add_wait_queue critical section. So use a full
+- * memory barrier to serialize the list_add write of
+- * add_wait_queue() with the waitqueue_active read
+- * below.
+- */
+- ret = 0;
+- smp_mb();
+- if (waitqueue_active(&ctx->fault_pending_wqh))
+- ret = EPOLLIN;
+- else if (waitqueue_active(&ctx->event_wqh))
+- ret = EPOLLIN;
+-
+- return ret;
+- default:
+- WARN_ON_ONCE(1);
++
++ /*
++ * poll() never guarantees that read won't block.
++ * userfaults can be waken before they're read().
++ */
++ if (unlikely(!(file->f_flags & O_NONBLOCK)))
+ return EPOLLERR;
+- }
++ /*
++ * lockless access to see if there are pending faults
++ * __pollwait last action is the add_wait_queue but
++ * the spin_unlock would allow the waitqueue_active to
++ * pass above the actual list_add inside
++ * add_wait_queue critical section. So use a full
++ * memory barrier to serialize the list_add write of
++ * add_wait_queue() with the waitqueue_active read
++ * below.
++ */
++ ret = 0;
++ smp_mb();
++ if (waitqueue_active(&ctx->fault_pending_wqh))
++ ret = EPOLLIN;
++ else if (waitqueue_active(&ctx->event_wqh))
++ ret = EPOLLIN;
++
++ return ret;
+ }
+
+ static const struct file_operations userfaultfd_fops;
+@@ -1205,7 +1200,7 @@ static ssize_t userfaultfd_read(struct file *file, char __user *buf,
+ struct uffd_msg msg;
+ int no_wait = file->f_flags & O_NONBLOCK;
+
+- if (ctx->state == UFFD_STATE_WAIT_API)
++ if (!userfaultfd_is_initialized(ctx))
+ return -EINVAL;
+
+ for (;;) {
+@@ -1807,9 +1802,10 @@ static int userfaultfd_zeropage(struct userfaultfd_ctx *ctx,
+ static inline unsigned int uffd_ctx_features(__u64 user_features)
+ {
+ /*
+- * For the current set of features the bits just coincide
++ * For the current set of features the bits just coincide. Set
++ * UFFD_FEATURE_INITIALIZED to mark the features as enabled.
+ */
+- return (unsigned int)user_features;
++ return (unsigned int)user_features | UFFD_FEATURE_INITIALIZED;
+ }
+
+ /*
+@@ -1822,12 +1818,10 @@ static int userfaultfd_api(struct userfaultfd_ctx *ctx,
+ {
+ struct uffdio_api uffdio_api;
+ void __user *buf = (void __user *)arg;
++ unsigned int ctx_features;
+ int ret;
+ __u64 features;
+
+- ret = -EINVAL;
+- if (ctx->state != UFFD_STATE_WAIT_API)
+- goto out;
+ ret = -EFAULT;
+ if (copy_from_user(&uffdio_api, buf, sizeof(uffdio_api)))
+ goto out;
+@@ -1844,9 +1838,13 @@ static int userfaultfd_api(struct userfaultfd_ctx *ctx,
+ ret = -EFAULT;
+ if (copy_to_user(buf, &uffdio_api, sizeof(uffdio_api)))
+ goto out;
+- ctx->state = UFFD_STATE_RUNNING;
++
+ /* only enable the requested features for this uffd context */
+- ctx->features = uffd_ctx_features(features);
++ ctx_features = uffd_ctx_features(features);
++ ret = -EINVAL;
++ if (cmpxchg(&ctx->features, 0, ctx_features) != 0)
++ goto err_out;
++
+ ret = 0;
+ out:
+ return ret;
+@@ -1863,7 +1861,7 @@ static long userfaultfd_ioctl(struct file *file, unsigned cmd,
+ int ret = -EINVAL;
+ struct userfaultfd_ctx *ctx = file->private_data;
+
+- if (cmd != UFFDIO_API && ctx->state == UFFD_STATE_WAIT_API)
++ if (cmd != UFFDIO_API && !userfaultfd_is_initialized(ctx))
+ return -EINVAL;
+
+ switch(cmd) {
+@@ -1964,7 +1962,6 @@ SYSCALL_DEFINE1(userfaultfd, int, flags)
+ refcount_set(&ctx->refcount, 1);
+ ctx->flags = flags;
+ ctx->features = 0;
+- ctx->state = UFFD_STATE_WAIT_API;
+ ctx->released = false;
+ ctx->mmap_changing = false;
+ ctx->mm = current->mm;
+--
+2.30.2
+
--- /dev/null
+From fb406d98142f28f6539488810ebaf61c4c36c3f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jul 2021 15:39:12 -0300
+Subject: vfio: Use config not menuconfig for VFIO_NOIOMMU
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit 26c22cfde5dd6e63f25c48458b0185dcb0fbb2fd ]
+
+VFIO_NOIOMMU is supposed to be an element in the VFIO menu, not start
+a new menu. Correct this copy-paste mistake.
+
+Fixes: 03a76b60f8ba ("vfio: Include No-IOMMU mode")
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Link: https://lore.kernel.org/r/0-v1-3f0b685c3679+478-vfio_menuconfig_jgg@nvidia.com
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/vfio/Kconfig b/drivers/vfio/Kconfig
+index 503ed2f3fbb5..65743de8aad1 100644
+--- a/drivers/vfio/Kconfig
++++ b/drivers/vfio/Kconfig
+@@ -29,7 +29,7 @@ menuconfig VFIO
+
+ If you don't know what to do here, say N.
+
+-menuconfig VFIO_NOIOMMU
++config VFIO_NOIOMMU
+ bool "VFIO No-IOMMU support"
+ depends on VFIO
+ help
+--
+2.30.2
+
--- /dev/null
+From 12571217e16c95d005d1ec24e1dff09c687e9a35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jul 2021 10:03:53 +0000
+Subject: video: fbdev: asiliantfb: Error out if 'pixclock' equals zero
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit b36b242d4b8ea178f7fd038965e3cac7f30c3f09 ]
+
+The userspace program could pass any values to the driver through
+ioctl() interface. If the driver doesn't check the value of 'pixclock',
+it may cause divide error.
+
+Fix this by checking whether 'pixclock' is zero first.
+
+The following log reveals it:
+
+[ 43.861711] divide error: 0000 [#1] PREEMPT SMP KASAN PTI
+[ 43.861737] CPU: 2 PID: 11764 Comm: i740 Not tainted 5.14.0-rc2-00513-gac532c9bbcfb-dirty #224
+[ 43.861756] RIP: 0010:asiliantfb_check_var+0x4e/0x730
+[ 43.861843] Call Trace:
+[ 43.861848] ? asiliantfb_remove+0x190/0x190
+[ 43.861858] fb_set_var+0x2e4/0xeb0
+[ 43.861866] ? fb_blank+0x1a0/0x1a0
+[ 43.861873] ? lock_acquire+0x1ef/0x530
+[ 43.861884] ? lock_release+0x810/0x810
+[ 43.861892] ? lock_is_held_type+0x100/0x140
+[ 43.861903] ? ___might_sleep+0x1ee/0x2d0
+[ 43.861914] ? __mutex_lock+0x620/0x1190
+[ 43.861921] ? do_fb_ioctl+0x313/0x700
+[ 43.861929] ? mutex_lock_io_nested+0xfa0/0xfa0
+[ 43.861936] ? __this_cpu_preempt_check+0x1d/0x30
+[ 43.861944] ? _raw_spin_unlock_irqrestore+0x46/0x60
+[ 43.861952] ? lockdep_hardirqs_on+0x59/0x100
+[ 43.861959] ? _raw_spin_unlock_irqrestore+0x46/0x60
+[ 43.861967] ? trace_hardirqs_on+0x6a/0x1c0
+[ 43.861978] do_fb_ioctl+0x31e/0x700
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/1627293835-17441-2-git-send-email-zheyuma97@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/asiliantfb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/video/fbdev/asiliantfb.c b/drivers/video/fbdev/asiliantfb.c
+index ea31054a28ca..c1d6e6336225 100644
+--- a/drivers/video/fbdev/asiliantfb.c
++++ b/drivers/video/fbdev/asiliantfb.c
+@@ -227,6 +227,9 @@ static int asiliantfb_check_var(struct fb_var_screeninfo *var,
+ {
+ unsigned long Ftarget, ratio, remainder;
+
++ if (!var->pixclock)
++ return -EINVAL;
++
+ ratio = 1000000 / var->pixclock;
+ remainder = 1000000 % var->pixclock;
+ Ftarget = 1000000 * ratio + (1000000 * remainder) / var->pixclock;
+--
+2.30.2
+
--- /dev/null
+From 6d0688ebc49e63cd4affde34a4a27585a5518594 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jul 2021 10:03:54 +0000
+Subject: video: fbdev: kyro: Error out if 'pixclock' equals zero
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit 1520b4b7ba964f8eec2e7dd14c571d50de3e5191 ]
+
+The userspace program could pass any values to the driver through
+ioctl() interface. if the driver doesn't check the value of 'pixclock',
+it may cause divide error because the value of 'lineclock' and
+'frameclock' will be zero.
+
+Fix this by checking whether 'pixclock' is zero in kyrofb_check_var().
+
+The following log reveals it:
+
+[ 103.073930] divide error: 0000 [#1] PREEMPT SMP KASAN PTI
+[ 103.073942] CPU: 4 PID: 12483 Comm: syz-executor Not tainted 5.14.0-rc2-00478-g2734d6c1b1a0-dirty #118
+[ 103.073959] RIP: 0010:kyrofb_set_par+0x316/0xc80
+[ 103.074045] Call Trace:
+[ 103.074048] ? ___might_sleep+0x1ee/0x2d0
+[ 103.074060] ? kyrofb_ioctl+0x330/0x330
+[ 103.074069] fb_set_var+0x5bf/0xeb0
+[ 103.074078] ? fb_blank+0x1a0/0x1a0
+[ 103.074085] ? lock_acquire+0x3bd/0x530
+[ 103.074094] ? lock_release+0x810/0x810
+[ 103.074103] ? ___might_sleep+0x1ee/0x2d0
+[ 103.074114] ? __mutex_lock+0x620/0x1190
+[ 103.074126] ? trace_hardirqs_on+0x6a/0x1c0
+[ 103.074137] do_fb_ioctl+0x31e/0x700
+[ 103.074144] ? fb_getput_cmap+0x280/0x280
+[ 103.074152] ? rcu_read_lock_sched_held+0x11/0x80
+[ 103.074162] ? rcu_read_lock_sched_held+0x11/0x80
+[ 103.074171] ? __sanitizer_cov_trace_switch+0x67/0xf0
+[ 103.074181] ? __sanitizer_cov_trace_const_cmp2+0x20/0x80
+[ 103.074191] ? do_vfs_ioctl+0x14b/0x16c0
+[ 103.074199] ? vfs_fileattr_set+0xb60/0xb60
+[ 103.074207] ? rcu_read_lock_sched_held+0x11/0x80
+[ 103.074216] ? lock_release+0x483/0x810
+[ 103.074224] ? __fget_files+0x217/0x3d0
+[ 103.074234] ? __fget_files+0x239/0x3d0
+[ 103.074243] ? do_fb_ioctl+0x700/0x700
+[ 103.074250] fb_ioctl+0xe6/0x130
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/1627293835-17441-3-git-send-email-zheyuma97@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/kyro/fbdev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/video/fbdev/kyro/fbdev.c b/drivers/video/fbdev/kyro/fbdev.c
+index d7aa431e6846..74bf26b527b9 100644
+--- a/drivers/video/fbdev/kyro/fbdev.c
++++ b/drivers/video/fbdev/kyro/fbdev.c
+@@ -399,6 +399,9 @@ static int kyrofb_check_var(struct fb_var_screeninfo *var, struct fb_info *info)
+ {
+ struct kyrofb_info *par = info->par;
+
++ if (!var->pixclock)
++ return -EINVAL;
++
+ if (var->bits_per_pixel != 16 && var->bits_per_pixel != 32) {
+ printk(KERN_WARNING "kyrofb: depth not supported: %u\n", var->bits_per_pixel);
+ return -EINVAL;
+--
+2.30.2
+
--- /dev/null
+From 1def9564f8a99a255507f9125004cf386badecf2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jul 2021 04:09:22 +0000
+Subject: video: fbdev: kyro: fix a DoS bug by restricting user input
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit 98a65439172dc69cb16834e62e852afc2adb83ed ]
+
+The user can pass in any value to the driver through the 'ioctl'
+interface. The driver dost not check, which may cause DoS bugs.
+
+The following log reveals it:
+
+divide error: 0000 [#1] PREEMPT SMP KASAN PTI
+RIP: 0010:SetOverlayViewPort+0x133/0x5f0 drivers/video/fbdev/kyro/STG4000OverlayDevice.c:476
+Call Trace:
+ kyro_dev_overlay_viewport_set drivers/video/fbdev/kyro/fbdev.c:378 [inline]
+ kyrofb_ioctl+0x2eb/0x330 drivers/video/fbdev/kyro/fbdev.c:603
+ do_fb_ioctl+0x1f3/0x700 drivers/video/fbdev/core/fbmem.c:1171
+ fb_ioctl+0xeb/0x130 drivers/video/fbdev/core/fbmem.c:1185
+ vfs_ioctl fs/ioctl.c:48 [inline]
+ __do_sys_ioctl fs/ioctl.c:753 [inline]
+ __se_sys_ioctl fs/ioctl.c:739 [inline]
+ __x64_sys_ioctl+0x19b/0x220 fs/ioctl.c:739
+ do_syscall_64+0x32/0x80 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/1626235762-2590-1-git-send-email-zheyuma97@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/kyro/fbdev.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/video/fbdev/kyro/fbdev.c b/drivers/video/fbdev/kyro/fbdev.c
+index a7bd9f25911b..d7aa431e6846 100644
+--- a/drivers/video/fbdev/kyro/fbdev.c
++++ b/drivers/video/fbdev/kyro/fbdev.c
+@@ -372,6 +372,11 @@ static int kyro_dev_overlay_viewport_set(u32 x, u32 y, u32 ulWidth, u32 ulHeight
+ /* probably haven't called CreateOverlay yet */
+ return -EINVAL;
+
++ if (ulWidth == 0 || ulWidth == 0xffffffff ||
++ ulHeight == 0 || ulHeight == 0xffffffff ||
++ (x < 2 && ulWidth + 2 == 0))
++ return -EINVAL;
++
+ /* Stop Ramdac Output */
+ DisableRamdacOutput(deviceInfo.pSTGReg);
+
+--
+2.30.2
+
--- /dev/null
+From 0f978f9bb46d1cc76402bf858739974a2c5b8327 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jul 2021 10:03:55 +0000
+Subject: video: fbdev: riva: Error out if 'pixclock' equals zero
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit f92763cb0feba247e0939ed137b495601fd072a5 ]
+
+The userspace program could pass any values to the driver through
+ioctl() interface. If the driver doesn't check the value of 'pixclock',
+it may cause divide error.
+
+Fix this by checking whether 'pixclock' is zero first.
+
+The following log reveals it:
+
+[ 33.396850] divide error: 0000 [#1] PREEMPT SMP KASAN PTI
+[ 33.396864] CPU: 5 PID: 11754 Comm: i740 Not tainted 5.14.0-rc2-00513-gac532c9bbcfb-dirty #222
+[ 33.396883] RIP: 0010:riva_load_video_mode+0x417/0xf70
+[ 33.396969] Call Trace:
+[ 33.396973] ? debug_smp_processor_id+0x1c/0x20
+[ 33.396984] ? tick_nohz_tick_stopped+0x1a/0x90
+[ 33.396996] ? rivafb_copyarea+0x3c0/0x3c0
+[ 33.397003] ? wake_up_klogd.part.0+0x99/0xd0
+[ 33.397014] ? vprintk_emit+0x110/0x4b0
+[ 33.397024] ? vprintk_default+0x26/0x30
+[ 33.397033] ? vprintk+0x9c/0x1f0
+[ 33.397041] ? printk+0xba/0xed
+[ 33.397054] ? record_print_text.cold+0x16/0x16
+[ 33.397063] ? __kasan_check_read+0x11/0x20
+[ 33.397074] ? profile_tick+0xc0/0x100
+[ 33.397084] ? __sanitizer_cov_trace_const_cmp4+0x24/0x80
+[ 33.397094] ? riva_set_rop_solid+0x2a0/0x2a0
+[ 33.397102] rivafb_set_par+0xbe/0x610
+[ 33.397111] ? riva_set_rop_solid+0x2a0/0x2a0
+[ 33.397119] fb_set_var+0x5bf/0xeb0
+[ 33.397127] ? fb_blank+0x1a0/0x1a0
+[ 33.397134] ? lock_acquire+0x1ef/0x530
+[ 33.397143] ? lock_release+0x810/0x810
+[ 33.397151] ? lock_is_held_type+0x100/0x140
+[ 33.397159] ? ___might_sleep+0x1ee/0x2d0
+[ 33.397170] ? __mutex_lock+0x620/0x1190
+[ 33.397180] ? trace_hardirqs_on+0x6a/0x1c0
+[ 33.397190] do_fb_ioctl+0x31e/0x700
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/1627293835-17441-4-git-send-email-zheyuma97@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/riva/fbdev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/video/fbdev/riva/fbdev.c b/drivers/video/fbdev/riva/fbdev.c
+index ca593a3e41d7..51c9d9508c0b 100644
+--- a/drivers/video/fbdev/riva/fbdev.c
++++ b/drivers/video/fbdev/riva/fbdev.c
+@@ -1088,6 +1088,9 @@ static int rivafb_check_var(struct fb_var_screeninfo *var, struct fb_info *info)
+ int mode_valid = 0;
+
+ NVTRACE_ENTER();
++ if (!var->pixclock)
++ return -EINVAL;
++
+ switch (var->bits_per_pixel) {
+ case 1 ... 8:
+ var->red.offset = var->green.offset = var->blue.offset = 0;
+--
+2.30.2
+
--- /dev/null
+From 1be3ab571c261370642250b8194ed4de0bfdbfd8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jul 2021 11:03:52 +0800
+Subject: workqueue: Fix possible memory leaks in wq_numa_init()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit f728c4a9e8405caae69d4bc1232c54ff57b5d20f ]
+
+In error handling branch "if (WARN_ON(node == NUMA_NO_NODE))", the
+previously allocated memories are not released. Doing this before
+allocating memory eliminates memory leaks.
+
+tj: Note that the condition only occurs when the arch code is pretty broken
+and the WARN_ON might as well be BUG_ON().
+
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Reviewed-by: Lai Jiangshan <jiangshanlai@gmail.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/workqueue.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/workqueue.c b/kernel/workqueue.c
+index 6aeb53b4e19f..885d4792abdf 100644
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -5869,6 +5869,13 @@ static void __init wq_numa_init(void)
+ return;
+ }
+
++ for_each_possible_cpu(cpu) {
++ if (WARN_ON(cpu_to_node(cpu) == NUMA_NO_NODE)) {
++ pr_warn("workqueue: NUMA node mapping not available for cpu%d, disabling NUMA support\n", cpu);
++ return;
++ }
++ }
++
+ wq_update_unbound_numa_attrs_buf = alloc_workqueue_attrs();
+ BUG_ON(!wq_update_unbound_numa_attrs_buf);
+
+@@ -5886,11 +5893,6 @@ static void __init wq_numa_init(void)
+
+ for_each_possible_cpu(cpu) {
+ node = cpu_to_node(cpu);
+- if (WARN_ON(node == NUMA_NO_NODE)) {
+- pr_warn("workqueue: NUMA node mapping not available for cpu%d, disabling NUMA support\n", cpu);
+- /* happens iff arch is bonkers, let's just proceed */
+- return;
+- }
+ cpumask_set_cpu(cpu, tbl[node]);
+ }
+
+--
+2.30.2
+
--- /dev/null
+From fbc9cad4696ab95ae0c90e63b42cfb73656f1d18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jul 2021 09:43:10 +0200
+Subject: xtensa: ISS: don't panic in rs_init
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+[ Upstream commit 23411c720052ad860b3e579ee4873511e367130a ]
+
+While alloc_tty_driver failure in rs_init would mean we have much bigger
+problem, there is no reason to panic when tty_register_driver fails
+there. It can fail for various reasons.
+
+So handle the failure gracefully. Actually handle them both while at it.
+This will make at least the console functional as it was enabled earlier
+by console_initcall in iss_console_init. Instead of shooting down the
+whole system.
+
+We move tty_port_init() after alloc_tty_driver(), so that we don't need
+to destroy the port in case the latter function fails.
+
+Cc: Chris Zankel <chris@zankel.net>
+Cc: Max Filippov <jcmvbkbc@gmail.com>
+Cc: linux-xtensa@linux-xtensa.org
+Acked-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Link: https://lore.kernel.org/r/20210723074317.32690-2-jslaby@suse.cz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/xtensa/platforms/iss/console.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/arch/xtensa/platforms/iss/console.c b/arch/xtensa/platforms/iss/console.c
+index af81a62faba6..e7faea3d73d3 100644
+--- a/arch/xtensa/platforms/iss/console.c
++++ b/arch/xtensa/platforms/iss/console.c
+@@ -168,9 +168,13 @@ static const struct tty_operations serial_ops = {
+
+ int __init rs_init(void)
+ {
+- tty_port_init(&serial_port);
++ int ret;
+
+ serial_driver = alloc_tty_driver(SERIAL_MAX_NUM_LINES);
++ if (!serial_driver)
++ return -ENOMEM;
++
++ tty_port_init(&serial_port);
+
+ pr_info("%s %s\n", serial_name, serial_version);
+
+@@ -190,8 +194,15 @@ int __init rs_init(void)
+ tty_set_operations(serial_driver, &serial_ops);
+ tty_port_link_device(&serial_port, serial_driver, 0);
+
+- if (tty_register_driver(serial_driver))
+- panic("Couldn't register serial driver\n");
++ ret = tty_register_driver(serial_driver);
++ if (ret) {
++ pr_err("Couldn't register serial driver\n");
++ tty_driver_kref_put(serial_driver);
++ tty_port_destroy(&serial_port);
++
++ return ret;
++ }
++
+ return 0;
+ }
+
+--
+2.30.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
