--- /dev/null
+From 712a0441fa92b465ae8f4eb142f8ff8f6a1cd387 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Apr 2021 14:30:48 -0700
+Subject: ACPI: CPPC: Replace cppc_attr with kobj_attribute
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit 2bc6262c6117dd18106d5aa50d53e945b5d99c51 ]
+
+All of the CPPC sysfs show functions are called via indirect call in
+kobj_attr_show(), where they should be of type
+
+ssize_t (*show)(struct kobject *kobj, struct kobj_attribute *attr, char *buf);
+
+because that is the type of the ->show() member in
+'struct kobj_attribute' but they are actually of type
+
+ssize_t (*show)(struct kobject *kobj, struct attribute *attr, char *buf);
+
+because of the ->show() member in 'struct cppc_attr', resulting in a
+Control Flow Integrity violation [1].
+
+$ cat /sys/devices/system/cpu/cpu0/acpi_cppc/highest_perf
+3400
+
+$ dmesg | grep "CFI failure"
+[ 175.970559] CFI failure (target: show_highest_perf+0x0/0x8):
+
+As far as I can tell, the only difference between 'struct cppc_attr'
+and 'struct kobj_attribute' aside from the type of the attr parameter
+is the type of the count parameter in the ->store() member (ssize_t vs.
+size_t), which does not actually matter because all of these nodes are
+read-only.
+
+Eliminate 'struct cppc_attr' in favor of 'struct kobj_attribute' to fix
+the violation.
+
+[1]: https://lore.kernel.org/r/20210401233216.2540591-1-samitolvanen@google.com/
+
+Fixes: 158c998ea44b ("ACPI / CPPC: add sysfs support to compute delivered performance")
+Link: https://github.com/ClangBuiltLinux/linux/issues/1343
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/cppc_acpi.c | 14 +++-----------
+ 1 file changed, 3 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/acpi/cppc_acpi.c b/drivers/acpi/cppc_acpi.c
+index 732549ee1fe3..5b2e58cbeb35 100644
+--- a/drivers/acpi/cppc_acpi.c
++++ b/drivers/acpi/cppc_acpi.c
+@@ -118,23 +118,15 @@ static DEFINE_PER_CPU(struct cpc_desc *, cpc_desc_ptr);
+ */
+ #define NUM_RETRIES 500
+
+-struct cppc_attr {
+- struct attribute attr;
+- ssize_t (*show)(struct kobject *kobj,
+- struct attribute *attr, char *buf);
+- ssize_t (*store)(struct kobject *kobj,
+- struct attribute *attr, const char *c, ssize_t count);
+-};
+-
+ #define define_one_cppc_ro(_name) \
+-static struct cppc_attr _name = \
++static struct kobj_attribute _name = \
+ __ATTR(_name, 0444, show_##_name, NULL)
+
+ #define to_cpc_desc(a) container_of(a, struct cpc_desc, kobj)
+
+ #define show_cppc_data(access_fn, struct_name, member_name) \
+ static ssize_t show_##member_name(struct kobject *kobj, \
+- struct attribute *attr, char *buf) \
++ struct kobj_attribute *attr, char *buf) \
+ { \
+ struct cpc_desc *cpc_ptr = to_cpc_desc(kobj); \
+ struct struct_name st_name = {0}; \
+@@ -157,7 +149,7 @@ show_cppc_data(cppc_get_perf_ctrs, cppc_perf_fb_ctrs, reference_perf);
+ show_cppc_data(cppc_get_perf_ctrs, cppc_perf_fb_ctrs, wraparound_time);
+
+ static ssize_t show_feedback_ctrs(struct kobject *kobj,
+- struct attribute *attr, char *buf)
++ struct kobj_attribute *attr, char *buf)
+ {
+ struct cpc_desc *cpc_ptr = to_cpc_desc(kobj);
+ struct cppc_perf_fb_ctrs fb_ctrs = {0};
+--
+2.30.2
+
--- /dev/null
+From 487d590e2d829b3f81f956d36f275c7fc17adf10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Mar 2021 13:19:23 +0200
+Subject: ALSA: core: remove redundant spin_lock pair in snd_card_disconnect
+
+From: Jia Zhou <zhou.jia2@zte.com.cn>
+
+[ Upstream commit abc21649b3e5c34b143bf86f0c78e33d5815e250 ]
+
+modification in commit 2a3f7221acdd ("ALSA: core: Fix card races between
+register and disconnect") resulting in this problem.
+
+Fixes: 2a3f7221acdd ("ALSA: core: Fix card races between register and disconnect")
+Signed-off-by: Jia Zhou <zhou.jia2@zte.com.cn>
+Signed-off-by: Yi Wang <wang.yi59@zte.com.cn>
+Link: https://lore.kernel.org/r/1616989007-34429-1-git-send-email-wang.yi59@zte.com.cn
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/init.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/sound/core/init.c b/sound/core/init.c
+index dcb9199f5e4f..7fdeae4dc820 100644
+--- a/sound/core/init.c
++++ b/sound/core/init.c
+@@ -404,10 +404,8 @@ int snd_card_disconnect(struct snd_card *card)
+ return 0;
+ }
+ card->shutdown = 1;
+- spin_unlock(&card->files_lock);
+
+ /* replace file->f_op with special dummy operations */
+- spin_lock(&card->files_lock);
+ list_for_each_entry(mfile, &card->files_list, list) {
+ /* it's critical part, use endless loop */
+ /* we have no room to fail */
+--
+2.30.2
+
--- /dev/null
+From ad1e2074e486b00c83708e8f296bea79e3f30aab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 13:35:34 +0200
+Subject: ALSA: usb-audio: Add error checks for usb_driver_claim_interface()
+ calls
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 5fb45414ae03421255593fd5556aa2d1d82303aa ]
+
+There are a few calls of usb_driver_claim_interface() but all of those
+miss the proper error checks, as reported by Coverity. This patch
+adds those missing checks.
+
+Along with it, replace the magic pointer with -1 with a constant
+USB_AUDIO_IFACE_UNUSED for better readability.
+
+Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
+Addresses-Coverity-ID: 1475943 ("Error handling issues")
+Addresses-Coverity-ID: 1475944 ("Error handling issues")
+Addresses-Coverity-ID: 1475945 ("Error handling issues")
+Fixes: b1ce7ba619d9 ("ALSA: usb-audio: claim autodetected PCM interfaces all at once")
+Fixes: e5779998bf8b ("ALSA: usb-audio: refactor code")
+Link: https://lore.kernel.org/r/202104051059.FB7F3016@keescook
+Link: https://lore.kernel.org/r/20210406113534.30455-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/card.c | 14 +++++++-------
+ sound/usb/quirks.c | 16 ++++++++++++----
+ sound/usb/usbaudio.h | 2 ++
+ 3 files changed, 21 insertions(+), 11 deletions(-)
+
+diff --git a/sound/usb/card.c b/sound/usb/card.c
+index 721f91f5766d..1a1cb73360a4 100644
+--- a/sound/usb/card.c
++++ b/sound/usb/card.c
+@@ -183,9 +183,8 @@ static int snd_usb_create_stream(struct snd_usb_audio *chip, int ctrlif, int int
+ ctrlif, interface);
+ return -EINVAL;
+ }
+- usb_driver_claim_interface(&usb_audio_driver, iface, (void *)-1L);
+-
+- return 0;
++ return usb_driver_claim_interface(&usb_audio_driver, iface,
++ USB_AUDIO_IFACE_UNUSED);
+ }
+
+ if ((altsd->bInterfaceClass != USB_CLASS_AUDIO &&
+@@ -205,7 +204,8 @@ static int snd_usb_create_stream(struct snd_usb_audio *chip, int ctrlif, int int
+
+ if (! snd_usb_parse_audio_interface(chip, interface)) {
+ usb_set_interface(dev, interface, 0); /* reset the current interface */
+- usb_driver_claim_interface(&usb_audio_driver, iface, (void *)-1L);
++ return usb_driver_claim_interface(&usb_audio_driver, iface,
++ USB_AUDIO_IFACE_UNUSED);
+ }
+
+ return 0;
+@@ -665,7 +665,7 @@ static void usb_audio_disconnect(struct usb_interface *intf)
+ struct snd_card *card;
+ struct list_head *p;
+
+- if (chip == (void *)-1L)
++ if (chip == USB_AUDIO_IFACE_UNUSED)
+ return;
+
+ card = chip->card;
+@@ -765,7 +765,7 @@ static int usb_audio_suspend(struct usb_interface *intf, pm_message_t message)
+ struct usb_mixer_interface *mixer;
+ struct list_head *p;
+
+- if (chip == (void *)-1L)
++ if (chip == USB_AUDIO_IFACE_UNUSED)
+ return 0;
+
+ if (!chip->num_suspended_intf++) {
+@@ -795,7 +795,7 @@ static int __usb_audio_resume(struct usb_interface *intf, bool reset_resume)
+ struct list_head *p;
+ int err = 0;
+
+- if (chip == (void *)-1L)
++ if (chip == USB_AUDIO_IFACE_UNUSED)
+ return 0;
+
+ atomic_inc(&chip->active); /* avoid autopm */
+diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
+index 6fc9ad067d82..182c9de4f255 100644
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -66,8 +66,12 @@ static int create_composite_quirk(struct snd_usb_audio *chip,
+ if (!iface)
+ continue;
+ if (quirk->ifnum != probed_ifnum &&
+- !usb_interface_claimed(iface))
+- usb_driver_claim_interface(driver, iface, (void *)-1L);
++ !usb_interface_claimed(iface)) {
++ err = usb_driver_claim_interface(driver, iface,
++ USB_AUDIO_IFACE_UNUSED);
++ if (err < 0)
++ return err;
++ }
+ }
+
+ return 0;
+@@ -398,8 +402,12 @@ static int create_autodetect_quirks(struct snd_usb_audio *chip,
+ continue;
+
+ err = create_autodetect_quirk(chip, iface, driver);
+- if (err >= 0)
+- usb_driver_claim_interface(driver, iface, (void *)-1L);
++ if (err >= 0) {
++ err = usb_driver_claim_interface(driver, iface,
++ USB_AUDIO_IFACE_UNUSED);
++ if (err < 0)
++ return err;
++ }
+ }
+
+ return 0;
+diff --git a/sound/usb/usbaudio.h b/sound/usb/usbaudio.h
+index f4ee83c8e0b2..62456a806bb4 100644
+--- a/sound/usb/usbaudio.h
++++ b/sound/usb/usbaudio.h
+@@ -63,6 +63,8 @@ struct snd_usb_audio {
+ struct usb_host_interface *ctrl_intf; /* the audio control interface */
+ };
+
++#define USB_AUDIO_IFACE_UNUSED ((void *)-1L)
++
+ #define usb_audio_err(chip, fmt, args...) \
+ dev_err(&(chip)->dev->dev, fmt, ##args)
+ #define usb_audio_warn(chip, fmt, args...) \
+--
+2.30.2
+
--- /dev/null
+From 93a7b12acca1df5256a1acd3b0460b80c429d39b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Dec 2020 22:25:22 +0100
+Subject: ARM: dts: exynos: correct PMIC interrupt trigger level on Odroid X/U3
+ family
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit 6503c568e97a52f8b7a3109718db438e52e59485 ]
+
+The Maxim PMIC datasheets describe the interrupt line as active low
+with a requirement of acknowledge from the CPU. Without specifying the
+interrupt type in Devicetree, kernel might apply some fixed
+configuration, not necessarily working for this hardware.
+
+Additionally, the interrupt line is shared so using level sensitive
+interrupt is here especially important to avoid races.
+
+Fixes: eea6653aae7b ("ARM: dts: Enable PMIC interrupts for exynos4412-odroid-common")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Link: https://lore.kernel.org/r/20201210212534.216197-6-krzk@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/exynos4412-odroid-common.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/exynos4412-odroid-common.dtsi b/arch/arm/boot/dts/exynos4412-odroid-common.dtsi
+index 0d516529bf54..8735c5428677 100644
+--- a/arch/arm/boot/dts/exynos4412-odroid-common.dtsi
++++ b/arch/arm/boot/dts/exynos4412-odroid-common.dtsi
+@@ -265,7 +265,7 @@
+ max77686: pmic@09 {
+ compatible = "maxim,max77686";
+ interrupt-parent = <&gpx3>;
+- interrupts = <2 IRQ_TYPE_NONE>;
++ interrupts = <2 IRQ_TYPE_LEVEL_LOW>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&max77686_irq>;
+ reg = <0x09>;
+--
+2.30.2
+
--- /dev/null
+From d48d38d55e2917fa42be658f601f78963204c485 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Dec 2020 22:25:24 +0100
+Subject: ARM: dts: exynos: correct PMIC interrupt trigger level on SMDK5250
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit f6368c60561370e4a92fac22982a3bd656172170 ]
+
+The Maxim PMIC datasheets describe the interrupt line as active low
+with a requirement of acknowledge from the CPU. Without specifying the
+interrupt type in Devicetree, kernel might apply some fixed
+configuration, not necessarily working for this hardware.
+
+Additionally, the interrupt line is shared so using level sensitive
+interrupt is here especially important to avoid races.
+
+Fixes: 47580e8d94c2 ("ARM: dts: Specify MAX77686 pmic interrupt for exynos5250-smdk5250")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Link: https://lore.kernel.org/r/20201210212534.216197-8-krzk@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/exynos5250-smdk5250.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/exynos5250-smdk5250.dts b/arch/arm/boot/dts/exynos5250-smdk5250.dts
+index 062cba4c2c31..5065e6bf3778 100644
+--- a/arch/arm/boot/dts/exynos5250-smdk5250.dts
++++ b/arch/arm/boot/dts/exynos5250-smdk5250.dts
+@@ -133,7 +133,7 @@
+ compatible = "maxim,max77686";
+ reg = <0x09>;
+ interrupt-parent = <&gpx3>;
+- interrupts = <2 IRQ_TYPE_NONE>;
++ interrupts = <2 IRQ_TYPE_LEVEL_LOW>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&max77686_irq>;
+ wakeup-source;
+--
+2.30.2
+
--- /dev/null
+From ab0781013348c87ed43acc4d7d00e6ddc771d3d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Dec 2020 22:25:25 +0100
+Subject: ARM: dts: exynos: correct PMIC interrupt trigger level on Snow
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit 8987efbb17c2522be8615085df9a14da2ab53d34 ]
+
+The Maxim PMIC datasheets describe the interrupt line as active low
+with a requirement of acknowledge from the CPU. Without specifying the
+interrupt type in Devicetree, kernel might apply some fixed
+configuration, not necessarily working for this hardware.
+
+Additionally, the interrupt line is shared so using level sensitive
+interrupt is here especially important to avoid races.
+
+Fixes: c61248afa819 ("ARM: dts: Add max77686 RTC interrupt to cros5250-common")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Link: https://lore.kernel.org/r/20201210212534.216197-9-krzk@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/exynos5250-snow-common.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/exynos5250-snow-common.dtsi b/arch/arm/boot/dts/exynos5250-snow-common.dtsi
+index 8788880e459d..134e6e54447f 100644
+--- a/arch/arm/boot/dts/exynos5250-snow-common.dtsi
++++ b/arch/arm/boot/dts/exynos5250-snow-common.dtsi
+@@ -284,7 +284,7 @@
+ max77686: max77686@09 {
+ compatible = "maxim,max77686";
+ interrupt-parent = <&gpx3>;
+- interrupts = <2 IRQ_TYPE_NONE>;
++ interrupts = <2 IRQ_TYPE_LEVEL_LOW>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&max77686_irq>;
+ wakeup-source;
+--
+2.30.2
+
--- /dev/null
+From 6703af801e56265603f179b4dd24cec575222548 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Mar 2021 23:15:06 +0300
+Subject: ata: libahci_platform: fix IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+
+[ Upstream commit b30d0040f06159de97ad9c0b1536f47250719d7d ]
+
+Iff platform_get_irq() returns 0, ahci_platform_init_host() would return 0
+early (as if the call was successful). Override IRQ0 with -EINVAL instead
+as the 'libata' regards 0 as "no IRQ" (thus polling) anyway...
+
+Fixes: c034640a32f8 ("ata: libahci: properly propagate return value of platform_get_irq()")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+Link: https://lore.kernel.org/r/4448c8cc-331f-2915-0e17-38ea34e251c8@omprussia.ru
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libahci_platform.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/ata/libahci_platform.c b/drivers/ata/libahci_platform.c
+index 5929672b809e..19d495244ce8 100644
+--- a/drivers/ata/libahci_platform.c
++++ b/drivers/ata/libahci_platform.c
+@@ -518,11 +518,13 @@ int ahci_platform_init_host(struct platform_device *pdev,
+ int i, irq, n_ports, rc;
+
+ irq = platform_get_irq(pdev, 0);
+- if (irq <= 0) {
++ if (irq < 0) {
+ if (irq != -EPROBE_DEFER)
+ dev_err(dev, "no irq\n");
+ return irq;
+ }
++ if (!irq)
++ return -EINVAL;
+
+ hpriv->irq = irq;
+
+--
+2.30.2
+
--- /dev/null
+From a7069fe39f638ce00c7309869e4f858beaca8ae4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Mar 2021 19:08:19 +0100
+Subject: ath9k: Fix error check in ath9k_hw_read_revisions() for PCI devices
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@redhat.com>
+
+[ Upstream commit 7dd9a40fd6e0d0f1fd8e1931c007e080801dfdce ]
+
+When the error check in ath9k_hw_read_revisions() was added, it checked for
+-EIO which is what ath9k_regread() in the ath9k_htc driver uses. However,
+for plain ath9k, the register read function uses ioread32(), which just
+returns -1 on error. So if such a read fails, it still gets passed through
+and ends up as a weird mac revision in the log output.
+
+Fix this by changing ath9k_regread() to return -1 on error like ioread32()
+does, and fix the error check to look for that instead of -EIO.
+
+Fixes: 2f90c7e5d094 ("ath9k: Check for errors when reading SREV register")
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Reviewed-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210326180819.142480-1-toke@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/htc_drv_init.c | 2 +-
+ drivers/net/wireless/ath/ath9k/hw.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_init.c b/drivers/net/wireless/ath/ath9k/htc_drv_init.c
+index 66ef5cf16450..88e3b4a4de31 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_drv_init.c
++++ b/drivers/net/wireless/ath/ath9k/htc_drv_init.c
+@@ -246,7 +246,7 @@ static unsigned int ath9k_regread(void *hw_priv, u32 reg_offset)
+ if (unlikely(r)) {
+ ath_dbg(common, WMI, "REGISTER READ FAILED: (0x%04x, %d)\n",
+ reg_offset, r);
+- return -EIO;
++ return -1;
+ }
+
+ return be32_to_cpu(val);
+diff --git a/drivers/net/wireless/ath/ath9k/hw.c b/drivers/net/wireless/ath/ath9k/hw.c
+index 406b52f114f0..933d4f49d6b0 100644
+--- a/drivers/net/wireless/ath/ath9k/hw.c
++++ b/drivers/net/wireless/ath/ath9k/hw.c
+@@ -285,7 +285,7 @@ static bool ath9k_hw_read_revisions(struct ath_hw *ah)
+
+ srev = REG_READ(ah, AR_SREV);
+
+- if (srev == -EIO) {
++ if (srev == -1) {
+ ath_err(ath9k_hw_common(ah),
+ "Failed to read SREV register");
+ return false;
+--
+2.30.2
+
--- /dev/null
+From c0e805acb9dcc13fc2ee914b6d1d5805e54a4101 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Mar 2021 14:33:07 +0000
+Subject: bug: Remove redundant condition check in report_bug
+
+From: Andrew Scull <ascull@google.com>
+
+[ Upstream commit 3ad1a6cb0abc63d036fc866bd7c2c5983516dec5 ]
+
+report_bug() will return early if it cannot find a bug corresponding to
+the provided address. The subsequent test for the bug will always be
+true so remove it.
+
+Fixes: 1b4cfe3c0a30d ("lib/bug.c: exclude non-BUG/WARN exceptions from report_bug()")
+Signed-off-by: Andrew Scull <ascull@google.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Acked-by: Will Deacon <will@kernel.org>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20210318143311.839894-2-ascull@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/bug.c | 33 +++++++++++++++------------------
+ 1 file changed, 15 insertions(+), 18 deletions(-)
+
+diff --git a/lib/bug.c b/lib/bug.c
+index d2c9a099561a..cabecce6ffa7 100644
+--- a/lib/bug.c
++++ b/lib/bug.c
+@@ -155,30 +155,27 @@ enum bug_trap_type report_bug(unsigned long bugaddr, struct pt_regs *regs)
+
+ file = NULL;
+ line = 0;
+- warning = 0;
+
+- if (bug) {
+ #ifdef CONFIG_DEBUG_BUGVERBOSE
+ #ifndef CONFIG_GENERIC_BUG_RELATIVE_POINTERS
+- file = bug->file;
++ file = bug->file;
+ #else
+- file = (const char *)bug + bug->file_disp;
++ file = (const char *)bug + bug->file_disp;
+ #endif
+- line = bug->line;
++ line = bug->line;
+ #endif
+- warning = (bug->flags & BUGFLAG_WARNING) != 0;
+- once = (bug->flags & BUGFLAG_ONCE) != 0;
+- done = (bug->flags & BUGFLAG_DONE) != 0;
+-
+- if (warning && once) {
+- if (done)
+- return BUG_TRAP_TYPE_WARN;
+-
+- /*
+- * Since this is the only store, concurrency is not an issue.
+- */
+- bug->flags |= BUGFLAG_DONE;
+- }
++ warning = (bug->flags & BUGFLAG_WARNING) != 0;
++ once = (bug->flags & BUGFLAG_ONCE) != 0;
++ done = (bug->flags & BUGFLAG_DONE) != 0;
++
++ if (warning && once) {
++ if (done)
++ return BUG_TRAP_TYPE_WARN;
++
++ /*
++ * Since this is the only store, concurrency is not an issue.
++ */
++ bug->flags |= BUGFLAG_DONE;
+ }
+
+ if (warning) {
+--
+2.30.2
+
--- /dev/null
+From 321cc7eb97fe5af86960ccc8cf86528f4f88e5d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Jan 2021 03:49:07 -0800
+Subject: bus: qcom: Put child node before return
+
+From: Pan Bian <bianpan2016@163.com>
+
+[ Upstream commit ac6ad7c2a862d682bb584a4bc904d89fa7721af8 ]
+
+Put child node before return to fix potential reference count leak.
+Generally, the reference count of child is incremented and decremented
+automatically in the macro for_each_available_child_of_node() and should
+be decremented manually if the loop is broken in loop body.
+
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Fixes: 335a12754808 ("bus: qcom: add EBI2 driver")
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Link: https://lore.kernel.org/r/20210121114907.109267-1-bianpan2016@163.com
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bus/qcom-ebi2.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/bus/qcom-ebi2.c b/drivers/bus/qcom-ebi2.c
+index a6444244c411..bfb67aa00bec 100644
+--- a/drivers/bus/qcom-ebi2.c
++++ b/drivers/bus/qcom-ebi2.c
+@@ -357,8 +357,10 @@ static int qcom_ebi2_probe(struct platform_device *pdev)
+
+ /* Figure out the chipselect */
+ ret = of_property_read_u32(child, "reg", &csindex);
+- if (ret)
++ if (ret) {
++ of_node_put(child);
+ return ret;
++ }
+
+ if (csindex > 5) {
+ dev_err(dev,
+--
+2.30.2
+
--- /dev/null
+From 8135ed189d9310b1dd873c947c57465a34c162c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Apr 2021 10:01:03 +0100
+Subject: clk: uniphier: Fix potential infinite loop
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit f6b1340dc751a6caa2a0567b667d0f4f4172cd58 ]
+
+The for-loop iterates with a u8 loop counter i and compares this
+with the loop upper limit of num_parents that is an int type.
+There is a potential infinite loop if num_parents is larger than
+the u8 loop counter. Fix this by making the loop counter the same
+type as num_parents. Also make num_parents an unsigned int to
+match the return type of the call to clk_hw_get_num_parents.
+
+Addresses-Coverity: ("Infinite loop")
+Fixes: 734d82f4a678 ("clk: uniphier: add core support code for UniPhier clock driver")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Masahiro Yamada <masahiroy@kernel.org>
+Link: https://lore.kernel.org/r/20210409090104.629722-1-colin.king@canonical.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/uniphier/clk-uniphier-mux.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/uniphier/clk-uniphier-mux.c b/drivers/clk/uniphier/clk-uniphier-mux.c
+index 2c243a894f3b..3a52ab968ac2 100644
+--- a/drivers/clk/uniphier/clk-uniphier-mux.c
++++ b/drivers/clk/uniphier/clk-uniphier-mux.c
+@@ -40,10 +40,10 @@ static int uniphier_clk_mux_set_parent(struct clk_hw *hw, u8 index)
+ static u8 uniphier_clk_mux_get_parent(struct clk_hw *hw)
+ {
+ struct uniphier_clk_mux *mux = to_uniphier_clk_mux(hw);
+- int num_parents = clk_hw_get_num_parents(hw);
++ unsigned int num_parents = clk_hw_get_num_parents(hw);
+ int ret;
+ unsigned int val;
+- u8 i;
++ unsigned int i;
+
+ ret = regmap_read(mux->regmap, mux->reg, &val);
+ if (ret)
+--
+2.30.2
+
--- /dev/null
+From 201686c428ae04f57893469af2d49e78d5d0ca8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Mar 2021 23:40:00 -0400
+Subject: crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init
+
+From: Tong Zhang <ztong0001@gmail.com>
+
+[ Upstream commit 8609f5cfdc872fc3a462efa6a3eca5cb1e2f6446 ]
+
+ADF_STATUS_PF_RUNNING is (only) used and checked by adf_vf2pf_shutdown()
+before calling adf_iov_putmsg()->mutex_lock(vf2pf_lock), however the
+vf2pf_lock is initialized in adf_dev_init(), which can fail and when it
+fail, the vf2pf_lock is either not initialized or destroyed, a subsequent
+use of vf2pf_lock will cause issue.
+To fix this issue, only set this flag if adf_dev_init() returns 0.
+
+[ 7.178404] BUG: KASAN: user-memory-access in __mutex_lock.isra.0+0x1ac/0x7c0
+[ 7.180345] Call Trace:
+[ 7.182576] mutex_lock+0xc9/0xd0
+[ 7.183257] adf_iov_putmsg+0x118/0x1a0 [intel_qat]
+[ 7.183541] adf_vf2pf_shutdown+0x4d/0x7b [intel_qat]
+[ 7.183834] adf_dev_shutdown+0x172/0x2b0 [intel_qat]
+[ 7.184127] adf_probe+0x5e9/0x600 [qat_dh895xccvf]
+
+Signed-off-by: Tong Zhang <ztong0001@gmail.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Fixes: 25c6ffb249f6 ("crypto: qat - check if PF is running")
+Acked-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_c3xxxvf/adf_drv.c | 4 ++--
+ drivers/crypto/qat/qat_c62xvf/adf_drv.c | 4 ++--
+ drivers/crypto/qat/qat_dh895xccvf/adf_drv.c | 4 ++--
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/crypto/qat/qat_c3xxxvf/adf_drv.c b/drivers/crypto/qat/qat_c3xxxvf/adf_drv.c
+index 613c7d5644ce..e87b7c466bdb 100644
+--- a/drivers/crypto/qat/qat_c3xxxvf/adf_drv.c
++++ b/drivers/crypto/qat/qat_c3xxxvf/adf_drv.c
+@@ -238,12 +238,12 @@ static int adf_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ if (ret)
+ goto out_err_free_reg;
+
+- set_bit(ADF_STATUS_PF_RUNNING, &accel_dev->status);
+-
+ ret = adf_dev_init(accel_dev);
+ if (ret)
+ goto out_err_dev_shutdown;
+
++ set_bit(ADF_STATUS_PF_RUNNING, &accel_dev->status);
++
+ ret = adf_dev_start(accel_dev);
+ if (ret)
+ goto out_err_dev_stop;
+diff --git a/drivers/crypto/qat/qat_c62xvf/adf_drv.c b/drivers/crypto/qat/qat_c62xvf/adf_drv.c
+index 278452b8ef81..a8f3f2ecae70 100644
+--- a/drivers/crypto/qat/qat_c62xvf/adf_drv.c
++++ b/drivers/crypto/qat/qat_c62xvf/adf_drv.c
+@@ -238,12 +238,12 @@ static int adf_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ if (ret)
+ goto out_err_free_reg;
+
+- set_bit(ADF_STATUS_PF_RUNNING, &accel_dev->status);
+-
+ ret = adf_dev_init(accel_dev);
+ if (ret)
+ goto out_err_dev_shutdown;
+
++ set_bit(ADF_STATUS_PF_RUNNING, &accel_dev->status);
++
+ ret = adf_dev_start(accel_dev);
+ if (ret)
+ goto out_err_dev_stop;
+diff --git a/drivers/crypto/qat/qat_dh895xccvf/adf_drv.c b/drivers/crypto/qat/qat_dh895xccvf/adf_drv.c
+index 3da0f951cb59..1b954abf67fb 100644
+--- a/drivers/crypto/qat/qat_dh895xccvf/adf_drv.c
++++ b/drivers/crypto/qat/qat_dh895xccvf/adf_drv.c
+@@ -238,12 +238,12 @@ static int adf_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ if (ret)
+ goto out_err_free_reg;
+
+- set_bit(ADF_STATUS_PF_RUNNING, &accel_dev->status);
+-
+ ret = adf_dev_init(accel_dev);
+ if (ret)
+ goto out_err_dev_shutdown;
+
++ set_bit(ADF_STATUS_PF_RUNNING, &accel_dev->status);
++
+ ret = adf_dev_start(accel_dev);
+ if (ret)
+ goto out_err_dev_stop;
+--
+2.30.2
+
--- /dev/null
+From 63e9c541c21898cde5b4c9abe26f83e3e955c718 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Mar 2021 23:39:59 -0400
+Subject: crypto: qat - don't release uninitialized resources
+
+From: Tong Zhang <ztong0001@gmail.com>
+
+[ Upstream commit b66accaab3791e15ac99c92f236d0d3a6d5bd64e ]
+
+adf_vf_isr_resource_alloc() is not unwinding correctly when error
+happens and it want to release uninitialized resources.
+To fix this, only release initialized resources.
+
+[ 1.792845] Trying to free already-free IRQ 11
+[ 1.793091] WARNING: CPU: 0 PID: 182 at kernel/irq/manage.c:1821 free_irq+0x202/0x380
+[ 1.801340] Call Trace:
+[ 1.801477] adf_vf_isr_resource_free+0x32/0xb0 [intel_qat]
+[ 1.801785] adf_vf_isr_resource_alloc+0x14d/0x150 [intel_qat]
+[ 1.802105] adf_dev_init+0xba/0x140 [intel_qat]
+
+Signed-off-by: Tong Zhang <ztong0001@gmail.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Fixes: dd0f368398ea ("crypto: qat - Add qat dh895xcc VF driver")
+Acked-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_common/adf_vf_isr.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/crypto/qat/qat_common/adf_vf_isr.c b/drivers/crypto/qat/qat_common/adf_vf_isr.c
+index 4a73fc70f7a9..df9a1f35b832 100644
+--- a/drivers/crypto/qat/qat_common/adf_vf_isr.c
++++ b/drivers/crypto/qat/qat_common/adf_vf_isr.c
+@@ -304,17 +304,26 @@ int adf_vf_isr_resource_alloc(struct adf_accel_dev *accel_dev)
+ goto err_out;
+
+ if (adf_setup_pf2vf_bh(accel_dev))
+- goto err_out;
++ goto err_disable_msi;
+
+ if (adf_setup_bh(accel_dev))
+- goto err_out;
++ goto err_cleanup_pf2vf_bh;
+
+ if (adf_request_msi_irq(accel_dev))
+- goto err_out;
++ goto err_cleanup_bh;
+
+ return 0;
++
++err_cleanup_bh:
++ adf_cleanup_bh(accel_dev);
++
++err_cleanup_pf2vf_bh:
++ adf_cleanup_pf2vf_bh(accel_dev);
++
++err_disable_msi:
++ adf_disable_msi(accel_dev);
++
+ err_out:
+- adf_vf_isr_resource_free(accel_dev);
+ return -EFAULT;
+ }
+ EXPORT_SYMBOL_GPL(adf_vf_isr_resource_alloc);
+--
+2.30.2
+
--- /dev/null
+From 383b97f6918793dc544425aaa796d383cad60fbf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Apr 2021 10:13:48 -0700
+Subject: crypto: qat - Fix a double free in adf_create_ring
+
+From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+
+[ Upstream commit f7cae626cabb3350b23722b78fe34dd7a615ca04 ]
+
+In adf_create_ring, if the callee adf_init_ring() failed, the callee will
+free the ring->base_addr by dma_free_coherent() and return -EFAULT. Then
+adf_create_ring will goto err and the ring->base_addr will be freed again
+in adf_cleanup_ring().
+
+My patch sets ring->base_addr to NULL after the first freed to avoid the
+double free.
+
+Fixes: a672a9dc872ec ("crypto: qat - Intel(R) QAT transport code")
+Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_common/adf_transport.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/crypto/qat/qat_common/adf_transport.c b/drivers/crypto/qat/qat_common/adf_transport.c
+index 57d2622728a5..4c0067f8c079 100644
+--- a/drivers/crypto/qat/qat_common/adf_transport.c
++++ b/drivers/crypto/qat/qat_common/adf_transport.c
+@@ -197,6 +197,7 @@ static int adf_init_ring(struct adf_etr_ring_data *ring)
+ dev_err(&GET_DEV(accel_dev), "Ring address not aligned\n");
+ dma_free_coherent(&GET_DEV(accel_dev), ring_size_bytes,
+ ring->base_addr, ring->dma_addr);
++ ring->base_addr = NULL;
+ return -EFAULT;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From e4bcb4d518a2c73582a17ab9ae6c0aad4c60354c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 08:34:18 +0000
+Subject: crypto: qat - fix error path in adf_isr_resource_alloc()
+
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+
+[ Upstream commit 83dc1173d73f80cbce2fee4d308f51f87b2f26ae ]
+
+The function adf_isr_resource_alloc() is not unwinding correctly in case
+of error.
+This patch fixes the error paths and propagate the errors to the caller.
+
+Fixes: 7afa232e76ce ("crypto: qat - Intel(R) QAT DH895xcc accelerator")
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Reviewed-by: Marco Chiappero <marco.chiappero@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_common/adf_isr.c | 29 ++++++++++++++++++-------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/crypto/qat/qat_common/adf_isr.c b/drivers/crypto/qat/qat_common/adf_isr.c
+index 06d49017a52b..2c0be14309cf 100644
+--- a/drivers/crypto/qat/qat_common/adf_isr.c
++++ b/drivers/crypto/qat/qat_common/adf_isr.c
+@@ -330,19 +330,32 @@ int adf_isr_resource_alloc(struct adf_accel_dev *accel_dev)
+
+ ret = adf_isr_alloc_msix_entry_table(accel_dev);
+ if (ret)
+- return ret;
+- if (adf_enable_msix(accel_dev))
+ goto err_out;
+
+- if (adf_setup_bh(accel_dev))
+- goto err_out;
++ ret = adf_enable_msix(accel_dev);
++ if (ret)
++ goto err_free_msix_table;
+
+- if (adf_request_irqs(accel_dev))
+- goto err_out;
++ ret = adf_setup_bh(accel_dev);
++ if (ret)
++ goto err_disable_msix;
++
++ ret = adf_request_irqs(accel_dev);
++ if (ret)
++ goto err_cleanup_bh;
+
+ return 0;
++
++err_cleanup_bh:
++ adf_cleanup_bh(accel_dev);
++
++err_disable_msix:
++ adf_disable_msix(&accel_dev->accel_pci_dev);
++
++err_free_msix_table:
++ adf_isr_free_msix_entry_table(accel_dev);
++
+ err_out:
+- adf_isr_resource_free(accel_dev);
+- return -EFAULT;
++ return ret;
+ }
+ EXPORT_SYMBOL_GPL(adf_isr_resource_alloc);
+--
+2.30.2
+
--- /dev/null
+From 936140000609131a4a08c301552ed27802d83a64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Apr 2021 21:48:09 -0700
+Subject: Drivers: hv: vmbus: Increase wait time for VMbus unload
+
+From: Michael Kelley <mikelley@microsoft.com>
+
+[ Upstream commit 77db0ec8b7764cb9b09b78066ebfd47b2c0c1909 ]
+
+When running in Azure, disks may be connected to a Linux VM with
+read/write caching enabled. If a VM panics and issues a VMbus
+UNLOAD request to Hyper-V, the response is delayed until all dirty
+data in the disk cache is flushed. In extreme cases, this flushing
+can take 10's of seconds, depending on the disk speed and the amount
+of dirty data. If kdump is configured for the VM, the current 10 second
+timeout in vmbus_wait_for_unload() may be exceeded, and the UNLOAD
+complete message may arrive well after the kdump kernel is already
+running, causing problems. Note that no problem occurs if kdump is
+not enabled because Hyper-V waits for the cache flush before doing
+a reboot through the BIOS/UEFI code.
+
+Fix this problem by increasing the timeout in vmbus_wait_for_unload()
+to 100 seconds. Also output periodic messages so that if anyone is
+watching the serial console, they won't think the VM is completely
+hung.
+
+Fixes: 911e1987efc8 ("Drivers: hv: vmbus: Add timeout to vmbus_wait_for_unload")
+Signed-off-by: Michael Kelley <mikelley@microsoft.com>
+Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Link: https://lore.kernel.org/r/1618894089-126662-1-git-send-email-mikelley@microsoft.com
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hv/channel_mgmt.c | 30 +++++++++++++++++++++++++-----
+ 1 file changed, 25 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c
+index 3891d3c2cc00..bd79d958f7d6 100644
+--- a/drivers/hv/channel_mgmt.c
++++ b/drivers/hv/channel_mgmt.c
+@@ -768,6 +768,12 @@ static void init_vp_index(struct vmbus_channel *channel, u16 dev_type)
+ free_cpumask_var(available_mask);
+ }
+
++#define UNLOAD_DELAY_UNIT_MS 10 /* 10 milliseconds */
++#define UNLOAD_WAIT_MS (100*1000) /* 100 seconds */
++#define UNLOAD_WAIT_LOOPS (UNLOAD_WAIT_MS/UNLOAD_DELAY_UNIT_MS)
++#define UNLOAD_MSG_MS (5*1000) /* Every 5 seconds */
++#define UNLOAD_MSG_LOOPS (UNLOAD_MSG_MS/UNLOAD_DELAY_UNIT_MS)
++
+ static void vmbus_wait_for_unload(void)
+ {
+ int cpu;
+@@ -785,12 +791,17 @@ static void vmbus_wait_for_unload(void)
+ * vmbus_connection.unload_event. If not, the last thing we can do is
+ * read message pages for all CPUs directly.
+ *
+- * Wait no more than 10 seconds so that the panic path can't get
+- * hung forever in case the response message isn't seen.
++ * Wait up to 100 seconds since an Azure host must writeback any dirty
++ * data in its disk cache before the VMbus UNLOAD request will
++ * complete. This flushing has been empirically observed to take up
++ * to 50 seconds in cases with a lot of dirty data, so allow additional
++ * leeway and for inaccuracies in mdelay(). But eventually time out so
++ * that the panic path can't get hung forever in case the response
++ * message isn't seen.
+ */
+- for (i = 0; i < 1000; i++) {
++ for (i = 1; i <= UNLOAD_WAIT_LOOPS; i++) {
+ if (completion_done(&vmbus_connection.unload_event))
+- break;
++ goto completed;
+
+ for_each_online_cpu(cpu) {
+ struct hv_per_cpu_context *hv_cpu
+@@ -813,9 +824,18 @@ static void vmbus_wait_for_unload(void)
+ vmbus_signal_eom(msg, message_type);
+ }
+
+- mdelay(10);
++ /*
++ * Give a notice periodically so someone watching the
++ * serial output won't think it is completely hung.
++ */
++ if (!(i % UNLOAD_MSG_LOOPS))
++ pr_notice("Waiting for VMBus UNLOAD to complete\n");
++
++ mdelay(UNLOAD_DELAY_UNIT_MS);
+ }
++ pr_err("Continuing even though VMBus UNLOAD did not complete\n");
+
++completed:
+ /*
+ * We're crashing and already got the UNLOAD_RESPONSE, cleanup all
+ * maybe-pending messages on all CPUs to be able to receive new
+--
+2.30.2
+
--- /dev/null
+From 932fe4ea2fd6fa07b7b50ed1a9351433dd596f0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 05:42:00 -0400
+Subject: firmware: qcom-scm: Fix QCOM_SCM configuration
+
+From: He Ying <heying24@huawei.com>
+
+[ Upstream commit 2954a6f12f250890ec2433cec03ba92784d613e8 ]
+
+When CONFIG_QCOM_SCM is y and CONFIG_HAVE_ARM_SMCCC
+is not set, compiling errors are encountered as follows:
+
+drivers/firmware/qcom_scm-smc.o: In function `__scm_smc_do_quirk':
+qcom_scm-smc.c:(.text+0x36): undefined reference to `__arm_smccc_smc'
+drivers/firmware/qcom_scm-legacy.o: In function `scm_legacy_call':
+qcom_scm-legacy.c:(.text+0xe2): undefined reference to `__arm_smccc_smc'
+drivers/firmware/qcom_scm-legacy.o: In function `scm_legacy_call_atomic':
+qcom_scm-legacy.c:(.text+0x1f0): undefined reference to `__arm_smccc_smc'
+
+Note that __arm_smccc_smc is defined when HAVE_ARM_SMCCC is y.
+So add dependency on HAVE_ARM_SMCCC in QCOM_SCM configuration.
+
+Fixes: 916f743da354 ("firmware: qcom: scm: Move the scm driver to drivers/firmware")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: He Ying <heying24@huawei.com>
+Link: https://lore.kernel.org/r/20210406094200.60952-1-heying24@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/firmware/Kconfig b/drivers/firmware/Kconfig
+index 42c4ff75281b..89c5f3651c3b 100644
+--- a/drivers/firmware/Kconfig
++++ b/drivers/firmware/Kconfig
+@@ -206,6 +206,7 @@ config FW_CFG_SYSFS_CMDLINE
+ config QCOM_SCM
+ bool
+ depends on ARM || ARM64
++ depends on HAVE_ARM_SMCCC
+ select RESET_CONTROLLER
+
+ config QCOM_SCM_32
+--
+2.30.2
+
--- /dev/null
+From f7e7777c5e7acc05a9cdf6161307c97d0094bcbc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Mar 2021 15:11:15 +0100
+Subject: fotg210-udc: Complete OUT requests on short packets
+
+From: Fabian Vogt <fabian@ritter-vogt.de>
+
+[ Upstream commit 75bb93be0027123b5db6cbcce89eb62f0f6b3c5b ]
+
+A short packet indicates the end of a transfer and marks the request as
+complete.
+
+Fixes: b84a8dee23fd ("usb: gadget: add Faraday fotg210_udc driver")
+Signed-off-by: Fabian Vogt <fabian@ritter-vogt.de>
+Link: https://lore.kernel.org/r/20210324141115.9384-8-fabian@ritter-vogt.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/fotg210-udc.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/fotg210-udc.c b/drivers/usb/gadget/udc/fotg210-udc.c
+index 315d0e485d32..9440973cdb44 100644
+--- a/drivers/usb/gadget/udc/fotg210-udc.c
++++ b/drivers/usb/gadget/udc/fotg210-udc.c
+@@ -856,12 +856,16 @@ static void fotg210_out_fifo_handler(struct fotg210_ep *ep)
+ {
+ struct fotg210_request *req = list_entry(ep->queue.next,
+ struct fotg210_request, queue);
++ int disgr1 = ioread32(ep->fotg210->reg + FOTG210_DISGR1);
+
+ fotg210_start_dma(ep, req);
+
+- /* finish out transfer */
++ /* Complete the request when it's full or a short packet arrived.
++ * Like other drivers, short_not_ok isn't handled.
++ */
++
+ if (req->req.length == req->req.actual ||
+- req->req.actual < ep->ep.maxpacket)
++ (disgr1 & DISGR1_SPK_INT(ep->epnum - 1)))
+ fotg210_done(ep, req, 0);
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 03bd045b36aeca774312ce45909ea1d0508f8601 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Mar 2021 15:11:14 +0100
+Subject: fotg210-udc: Don't DMA more than the buffer can take
+
+From: Fabian Vogt <fabian@ritter-vogt.de>
+
+[ Upstream commit 3e7c2510bdfe89a9ec223dd7acd6bfc8bb1cbeb6 ]
+
+Before this, it wrote as much as available into the buffer, even if it
+didn't fit.
+
+Fixes: b84a8dee23fd ("usb: gadget: add Faraday fotg210_udc driver")
+Signed-off-by: Fabian Vogt <fabian@ritter-vogt.de>
+Link: https://lore.kernel.org/r/20210324141115.9384-7-fabian@ritter-vogt.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/fotg210-udc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/fotg210-udc.c b/drivers/usb/gadget/udc/fotg210-udc.c
+index d25cf5d44121..315d0e485d32 100644
+--- a/drivers/usb/gadget/udc/fotg210-udc.c
++++ b/drivers/usb/gadget/udc/fotg210-udc.c
+@@ -340,8 +340,9 @@ static void fotg210_start_dma(struct fotg210_ep *ep,
+ } else {
+ buffer = req->req.buf + req->req.actual;
+ length = ioread32(ep->fotg210->reg +
+- FOTG210_FIBCR(ep->epnum - 1));
+- length &= FIBCR_BCFX;
++ FOTG210_FIBCR(ep->epnum - 1)) & FIBCR_BCFX;
++ if (length > req->req.length - req->req.actual)
++ length = req->req.length - req->req.actual;
+ }
+ } else {
+ buffer = req->req.buf + req->req.actual;
+--
+2.30.2
+
--- /dev/null
+From d85702f1ce79e3b26385d61468276eda4dcc5f98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Mar 2021 15:11:09 +0100
+Subject: fotg210-udc: Fix DMA on EP0 for length > max packet size
+
+From: Fabian Vogt <fabian@ritter-vogt.de>
+
+[ Upstream commit 755915fc28edfc608fa89a163014acb2f31c1e19 ]
+
+For a 75 Byte request, it would send the first 64 separately, then detect
+that the remaining 11 Byte fit into a single DMA, but due to this bug set
+the length to the original 75 Bytes. This leads to a DMA failure (which is
+ignored...) and the request completes without the remaining bytes having
+been sent.
+
+Fixes: b84a8dee23fd ("usb: gadget: add Faraday fotg210_udc driver")
+Signed-off-by: Fabian Vogt <fabian@ritter-vogt.de>
+Link: https://lore.kernel.org/r/20210324141115.9384-2-fabian@ritter-vogt.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/fotg210-udc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/fotg210-udc.c b/drivers/usb/gadget/udc/fotg210-udc.c
+index 6866a0be249e..bc79bf46acc4 100644
+--- a/drivers/usb/gadget/udc/fotg210-udc.c
++++ b/drivers/usb/gadget/udc/fotg210-udc.c
+@@ -348,7 +348,7 @@ static void fotg210_start_dma(struct fotg210_ep *ep,
+ if (req->req.length - req->req.actual > ep->ep.maxpacket)
+ length = ep->ep.maxpacket;
+ else
+- length = req->req.length;
++ length = req->req.length - req->req.actual;
+ }
+
+ d = dma_map_single(NULL, buffer, length,
+--
+2.30.2
+
--- /dev/null
+From edb94d562efebd045f7eb790f427afc69927d100 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Mar 2021 15:11:10 +0100
+Subject: fotg210-udc: Fix EP0 IN requests bigger than two packets
+
+From: Fabian Vogt <fabian@ritter-vogt.de>
+
+[ Upstream commit 078ba935651e149c92c41161e0322e3372cc2705 ]
+
+For a 134 Byte packet, it sends the first two 64 Byte packets just fine,
+but then notice that less than a packet is remaining and call fotg210_done
+without actually sending the rest.
+
+Fixes: b84a8dee23fd ("usb: gadget: add Faraday fotg210_udc driver")
+Signed-off-by: Fabian Vogt <fabian@ritter-vogt.de>
+Link: https://lore.kernel.org/r/20210324141115.9384-3-fabian@ritter-vogt.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/fotg210-udc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/fotg210-udc.c b/drivers/usb/gadget/udc/fotg210-udc.c
+index bc79bf46acc4..788ba50b223f 100644
+--- a/drivers/usb/gadget/udc/fotg210-udc.c
++++ b/drivers/usb/gadget/udc/fotg210-udc.c
+@@ -827,7 +827,7 @@ static void fotg210_ep0in(struct fotg210_udc *fotg210)
+ if (req->req.length)
+ fotg210_start_dma(ep, req);
+
+- if ((req->req.length - req->req.actual) < ep->ep.maxpacket)
++ if (req->req.actual == req->req.length)
+ fotg210_done(ep, req, 0);
+ } else {
+ fotg210_set_cxdone(fotg210);
+--
+2.30.2
+
--- /dev/null
+From 2ce8756a1f8e60ff30c13085af9ae69fceb5e180 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Mar 2021 15:11:12 +0100
+Subject: fotg210-udc: Mask GRP2 interrupts we don't handle
+
+From: Fabian Vogt <fabian@ritter-vogt.de>
+
+[ Upstream commit 9aee3a23d6455200702f3a57e731fa11e8408667 ]
+
+Currently it leaves unhandled interrupts unmasked, but those are never
+acked. In the case of a "device idle" interrupt, this leads to an
+effectively frozen system until plugging it in.
+
+Fixes: b84a8dee23fd ("usb: gadget: add Faraday fotg210_udc driver")
+Signed-off-by: Fabian Vogt <fabian@ritter-vogt.de>
+Link: https://lore.kernel.org/r/20210324141115.9384-5-fabian@ritter-vogt.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/fotg210-udc.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/usb/gadget/udc/fotg210-udc.c b/drivers/usb/gadget/udc/fotg210-udc.c
+index dcdf92415064..d25cf5d44121 100644
+--- a/drivers/usb/gadget/udc/fotg210-udc.c
++++ b/drivers/usb/gadget/udc/fotg210-udc.c
+@@ -1033,6 +1033,12 @@ static void fotg210_init(struct fotg210_udc *fotg210)
+ value &= ~DMCR_GLINT_EN;
+ iowrite32(value, fotg210->reg + FOTG210_DMCR);
+
++ /* enable only grp2 irqs we handle */
++ iowrite32(~(DISGR2_DMA_ERROR | DISGR2_RX0BYTE_INT | DISGR2_TX0BYTE_INT
++ | DISGR2_ISO_SEQ_ABORT_INT | DISGR2_ISO_SEQ_ERR_INT
++ | DISGR2_RESM_INT | DISGR2_SUSP_INT | DISGR2_USBRST_INT),
++ fotg210->reg + FOTG210_DMISGR2);
++
+ /* disable all fifo interrupt */
+ iowrite32(~(u32)0, fotg210->reg + FOTG210_DMISGR1);
+
+--
+2.30.2
+
--- /dev/null
+From 7454d74e1403c4311558aee28b0651f984b9f32c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Mar 2021 15:11:11 +0100
+Subject: fotg210-udc: Remove a dubious condition leading to fotg210_done
+
+From: Fabian Vogt <fabian@ritter-vogt.de>
+
+[ Upstream commit c7f755b243494d6043aadcd9a2989cb157958b95 ]
+
+When the EP0 IN request was not completed but less than a packet sent,
+it would complete the request successfully. That doesn't make sense
+and can't really happen as fotg210_start_dma always sends
+min(length, maxpkt) bytes.
+
+Fixes: b84a8dee23fd ("usb: gadget: add Faraday fotg210_udc driver")
+Signed-off-by: Fabian Vogt <fabian@ritter-vogt.de>
+Link: https://lore.kernel.org/r/20210324141115.9384-4-fabian@ritter-vogt.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/fotg210-udc.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/fotg210-udc.c b/drivers/usb/gadget/udc/fotg210-udc.c
+index 788ba50b223f..dcdf92415064 100644
+--- a/drivers/usb/gadget/udc/fotg210-udc.c
++++ b/drivers/usb/gadget/udc/fotg210-udc.c
+@@ -385,8 +385,7 @@ static void fotg210_ep0_queue(struct fotg210_ep *ep,
+ }
+ if (ep->dir_in) { /* if IN */
+ fotg210_start_dma(ep, req);
+- if ((req->req.length == req->req.actual) ||
+- (req->req.actual < ep->ep.maxpacket))
++ if (req->req.length == req->req.actual)
+ fotg210_done(ep, req, 0);
+ } else { /* OUT */
+ u32 value = ioread32(ep->fotg210->reg + FOTG210_DMISGR0);
+--
+2.30.2
+
--- /dev/null
+From 0f549c1221e9f19560a05aa14579f8a47c5ef27d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 7 Feb 2021 16:47:40 +0200
+Subject: HID: plantronics: Workaround for double volume key presses
+
+From: Maxim Mikityanskiy <maxtram95@gmail.com>
+
+[ Upstream commit f567d6ef8606fb427636e824c867229ecb5aefab ]
+
+Plantronics Blackwire 3220 Series (047f:c056) sends HID reports twice
+for each volume key press. This patch adds a quirk to hid-plantronics
+for this product ID, which will ignore the second volume key press if
+it happens within 5 ms from the last one that was handled.
+
+The patch was tested on the mentioned model only, it shouldn't affect
+other models, however, this quirk might be needed for them too.
+Auto-repeat (when a key is held pressed) is not affected, because the
+rate is about 3 times per second, which is far less frequent than once
+in 5 ms.
+
+Fixes: 81bb773faed7 ("HID: plantronics: Update to map volume up/down controls")
+Signed-off-by: Maxim Mikityanskiy <maxtram95@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/hid-plantronics.c | 60 +++++++++++++++++++++++++++++++++--
+ include/linux/hid.h | 2 ++
+ 3 files changed, 61 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index be0707cfc0fd..e5f2958bc18c 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -859,6 +859,7 @@
+ #define USB_DEVICE_ID_ORTEK_IHOME_IMAC_A210S 0x8003
+
+ #define USB_VENDOR_ID_PLANTRONICS 0x047f
++#define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3220_SERIES 0xc056
+
+ #define USB_VENDOR_ID_PANASONIC 0x04da
+ #define USB_DEVICE_ID_PANABOARD_UBT780 0x1044
+diff --git a/drivers/hid/hid-plantronics.c b/drivers/hid/hid-plantronics.c
+index 584b10d3fc3d..460711c1124a 100644
+--- a/drivers/hid/hid-plantronics.c
++++ b/drivers/hid/hid-plantronics.c
+@@ -16,6 +16,7 @@
+
+ #include <linux/hid.h>
+ #include <linux/module.h>
++#include <linux/jiffies.h>
+
+ #define PLT_HID_1_0_PAGE 0xffa00000
+ #define PLT_HID_2_0_PAGE 0xffa20000
+@@ -39,6 +40,16 @@
+ #define PLT_ALLOW_CONSUMER (field->application == HID_CP_CONSUMERCONTROL && \
+ (usage->hid & HID_USAGE_PAGE) == HID_UP_CONSUMER)
+
++#define PLT_QUIRK_DOUBLE_VOLUME_KEYS BIT(0)
++
++#define PLT_DOUBLE_KEY_TIMEOUT 5 /* ms */
++
++struct plt_drv_data {
++ unsigned long device_type;
++ unsigned long last_volume_key_ts;
++ u32 quirks;
++};
++
+ static int plantronics_input_mapping(struct hid_device *hdev,
+ struct hid_input *hi,
+ struct hid_field *field,
+@@ -46,7 +57,8 @@ static int plantronics_input_mapping(struct hid_device *hdev,
+ unsigned long **bit, int *max)
+ {
+ unsigned short mapped_key;
+- unsigned long plt_type = (unsigned long)hid_get_drvdata(hdev);
++ struct plt_drv_data *drv_data = hid_get_drvdata(hdev);
++ unsigned long plt_type = drv_data->device_type;
+
+ /* special case for PTT products */
+ if (field->application == HID_GD_JOYSTICK)
+@@ -108,6 +120,30 @@ mapped:
+ return 1;
+ }
+
++static int plantronics_event(struct hid_device *hdev, struct hid_field *field,
++ struct hid_usage *usage, __s32 value)
++{
++ struct plt_drv_data *drv_data = hid_get_drvdata(hdev);
++
++ if (drv_data->quirks & PLT_QUIRK_DOUBLE_VOLUME_KEYS) {
++ unsigned long prev_ts, cur_ts;
++
++ /* Usages are filtered in plantronics_usages. */
++
++ if (!value) /* Handle key presses only. */
++ return 0;
++
++ prev_ts = drv_data->last_volume_key_ts;
++ cur_ts = jiffies;
++ if (jiffies_to_msecs(cur_ts - prev_ts) <= PLT_DOUBLE_KEY_TIMEOUT)
++ return 1; /* Ignore the repeated key. */
++
++ drv_data->last_volume_key_ts = cur_ts;
++ }
++
++ return 0;
++}
++
+ static unsigned long plantronics_device_type(struct hid_device *hdev)
+ {
+ unsigned i, col_page;
+@@ -136,15 +172,24 @@ exit:
+ static int plantronics_probe(struct hid_device *hdev,
+ const struct hid_device_id *id)
+ {
++ struct plt_drv_data *drv_data;
+ int ret;
+
++ drv_data = devm_kzalloc(&hdev->dev, sizeof(*drv_data), GFP_KERNEL);
++ if (!drv_data)
++ return -ENOMEM;
++
+ ret = hid_parse(hdev);
+ if (ret) {
+ hid_err(hdev, "parse failed\n");
+ goto err;
+ }
+
+- hid_set_drvdata(hdev, (void *)plantronics_device_type(hdev));
++ drv_data->device_type = plantronics_device_type(hdev);
++ drv_data->quirks = id->driver_data;
++ drv_data->last_volume_key_ts = jiffies - msecs_to_jiffies(PLT_DOUBLE_KEY_TIMEOUT);
++
++ hid_set_drvdata(hdev, drv_data);
+
+ ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT |
+ HID_CONNECT_HIDINPUT_FORCE | HID_CONNECT_HIDDEV_FORCE);
+@@ -156,15 +201,26 @@ err:
+ }
+
+ static const struct hid_device_id plantronics_devices[] = {
++ { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS,
++ USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3220_SERIES),
++ .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, HID_ANY_ID) },
+ { }
+ };
+ MODULE_DEVICE_TABLE(hid, plantronics_devices);
+
++static const struct hid_usage_id plantronics_usages[] = {
++ { HID_CP_VOLUMEUP, EV_KEY, HID_ANY_ID },
++ { HID_CP_VOLUMEDOWN, EV_KEY, HID_ANY_ID },
++ { HID_TERMINATOR, HID_TERMINATOR, HID_TERMINATOR }
++};
++
+ static struct hid_driver plantronics_driver = {
+ .name = "plantronics",
+ .id_table = plantronics_devices,
++ .usage_table = plantronics_usages,
+ .input_mapping = plantronics_input_mapping,
++ .event = plantronics_event,
+ .probe = plantronics_probe,
+ };
+ module_hid_driver(plantronics_driver);
+diff --git a/include/linux/hid.h b/include/linux/hid.h
+index 40409453ef3e..d07fe33a9045 100644
+--- a/include/linux/hid.h
++++ b/include/linux/hid.h
+@@ -263,6 +263,8 @@ struct hid_item {
+ #define HID_CP_SELECTION 0x000c0080
+ #define HID_CP_MEDIASELECTION 0x000c0087
+ #define HID_CP_SELECTDISC 0x000c00ba
++#define HID_CP_VOLUMEUP 0x000c00e9
++#define HID_CP_VOLUMEDOWN 0x000c00ea
+ #define HID_CP_PLAYBACKSPEED 0x000c00f1
+ #define HID_CP_PROXIMITY 0x000c0109
+ #define HID_CP_SPEAKERSYSTEM 0x000c0160
+--
+2.30.2
+
--- /dev/null
+From 632552be2633a9fefcb37e5c4fb2c4f1ea585a36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Apr 2021 14:08:17 +0300
+Subject: HSI: core: fix resource leaks in hsi_add_client_from_dt()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 5c08b0f75575648032f309a6f58294453423ed93 ]
+
+If some of the allocations fail between the dev_set_name() and the
+device_register() then the name will not be freed. Fix this by
+moving dev_set_name() directly in front of the call to device_register().
+
+Fixes: a2aa24734d9d ("HSI: Add common DT binding for HSI client devices")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hsi/hsi_core.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/hsi/hsi_core.c b/drivers/hsi/hsi_core.c
+index 9065efd21851..71895da63810 100644
+--- a/drivers/hsi/hsi_core.c
++++ b/drivers/hsi/hsi_core.c
+@@ -223,8 +223,6 @@ static void hsi_add_client_from_dt(struct hsi_port *port,
+ if (err)
+ goto err;
+
+- dev_set_name(&cl->device, "%s", name);
+-
+ err = hsi_of_property_parse_mode(client, "hsi-mode", &mode);
+ if (err) {
+ err = hsi_of_property_parse_mode(client, "hsi-rx-mode",
+@@ -306,6 +304,7 @@ static void hsi_add_client_from_dt(struct hsi_port *port,
+ cl->device.release = hsi_client_release;
+ cl->device.of_node = client;
+
++ dev_set_name(&cl->device, "%s", name);
+ if (device_register(&cl->device) < 0) {
+ pr_err("hsi: failed to register client: %s\n", name);
+ put_device(&cl->device);
+--
+2.30.2
+
--- /dev/null
+From e34b20b9432ecaf6e9a34406902389f56b67350e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Apr 2021 23:14:35 +0300
+Subject: i2c: cadence: add IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+
+[ Upstream commit 5581c2c5d02bc63a0edb53e061c8e97cd490646e ]
+
+The driver neglects to check the result of platform_get_irq()'s call and
+blithely passes the negative error codes to devm_request_irq() (which
+takes *unsigned* IRQ #), causing it to fail with -EINVAL, overriding
+an original error code. Stop calling devm_request_irq() with invalid
+IRQ #s.
+
+Fixes: df8eb5691c48 ("i2c: Add driver for Cadence I2C controller")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-cadence.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-cadence.c b/drivers/i2c/busses/i2c-cadence.c
+index b13605718291..c5475bb4fae6 100644
+--- a/drivers/i2c/busses/i2c-cadence.c
++++ b/drivers/i2c/busses/i2c-cadence.c
+@@ -906,7 +906,10 @@ static int cdns_i2c_probe(struct platform_device *pdev)
+ if (IS_ERR(id->membase))
+ return PTR_ERR(id->membase);
+
+- id->irq = platform_get_irq(pdev, 0);
++ ret = platform_get_irq(pdev, 0);
++ if (ret < 0)
++ return ret;
++ id->irq = ret;
+
+ id->adap.owner = THIS_MODULE;
+ id->adap.dev.of_node = pdev->dev.of_node;
+--
+2.30.2
+
--- /dev/null
+From 17b032a238df44899be15fa9ece696b6f948e1b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Apr 2021 23:16:41 +0300
+Subject: i2c: emev2: add IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+
+[ Upstream commit bb6129c32867baa7988f7fd2066cf18ed662d240 ]
+
+The driver neglects to check the result of platform_get_irq()'s call and
+blithely passes the negative error codes to devm_request_irq() (which
+takes *unsigned* IRQ #), causing it to fail with -EINVAL, overriding
+an original error code. Stop calling devm_request_irq() with invalid
+IRQ #s.
+
+Fixes: 5faf6e1f58b4 ("i2c: emev2: add driver")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-emev2.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-emev2.c b/drivers/i2c/busses/i2c-emev2.c
+index dd97e5d9f49a..74f0d5f2dc30 100644
+--- a/drivers/i2c/busses/i2c-emev2.c
++++ b/drivers/i2c/busses/i2c-emev2.c
+@@ -400,7 +400,10 @@ static int em_i2c_probe(struct platform_device *pdev)
+
+ em_i2c_reset(&priv->adap);
+
+- priv->irq = platform_get_irq(pdev, 0);
++ ret = platform_get_irq(pdev, 0);
++ if (ret < 0)
++ goto err_clk;
++ priv->irq = ret;
+ ret = devm_request_irq(&pdev->dev, priv->irq, em_i2c_irq_handler, 0,
+ "em_i2c", priv);
+ if (ret)
+--
+2.30.2
+
--- /dev/null
+From f4e836a2233f8775e46755b6d2be50fdb03bfdc4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Apr 2021 23:18:31 +0300
+Subject: i2c: jz4780: add IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+
+[ Upstream commit c5e5f7a8d931fb4beba245bdbc94734175fda9de ]
+
+The driver neglects to check the result of platform_get_irq()'s call and
+blithely passes the negative error codes to devm_request_irq() (which
+takes *unsigned* IRQ #), causing it to fail with -EINVAL, overriding
+an original error code. Stop calling devm_request_irq() with invalid
+IRQ #s.
+
+Fixes: ba92222ed63a ("i2c: jz4780: Add i2c bus controller driver for Ingenic JZ4780")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-jz4780.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-jz4780.c b/drivers/i2c/busses/i2c-jz4780.c
+index 41ca9ff7b5da..4dd800c0db14 100644
+--- a/drivers/i2c/busses/i2c-jz4780.c
++++ b/drivers/i2c/busses/i2c-jz4780.c
+@@ -760,7 +760,10 @@ static int jz4780_i2c_probe(struct platform_device *pdev)
+
+ jz4780_i2c_writew(i2c, JZ4780_I2C_INTM, 0x0);
+
+- i2c->irq = platform_get_irq(pdev, 0);
++ ret = platform_get_irq(pdev, 0);
++ if (ret < 0)
++ goto err;
++ i2c->irq = ret;
+ ret = devm_request_irq(&pdev->dev, i2c->irq, jz4780_i2c_irq, 0,
+ dev_name(&pdev->dev), i2c);
+ if (ret)
+--
+2.30.2
+
--- /dev/null
+From 1e087abe71e1e0112c5fe27eb1236de0c291b0d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Apr 2021 23:25:10 +0300
+Subject: i2c: sh7760: add IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+
+[ Upstream commit e5b2e3e742015dd2aa6bc7bcef2cb59b2de1221c ]
+
+The driver neglects to check the result of platform_get_irq()'s call and
+blithely passes the negative error codes to devm_request_irq() (which
+takes *unsigned* IRQ #), causing it to fail with -EINVAL, overriding
+an original error code. Stop calling devm_request_irq() with invalid
+IRQ #s.
+
+Fixes: a26c20b1fa6d ("i2c: Renesas SH7760 I2C master driver")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-sh7760.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-sh7760.c b/drivers/i2c/busses/i2c-sh7760.c
+index c2005c789d2b..c79c9f542c5a 100644
+--- a/drivers/i2c/busses/i2c-sh7760.c
++++ b/drivers/i2c/busses/i2c-sh7760.c
+@@ -471,7 +471,10 @@ static int sh7760_i2c_probe(struct platform_device *pdev)
+ goto out2;
+ }
+
+- id->irq = platform_get_irq(pdev, 0);
++ ret = platform_get_irq(pdev, 0);
++ if (ret < 0)
++ return ret;
++ id->irq = ret;
+
+ id->adap.nr = pdev->id;
+ id->adap.algo = &sh7760_i2c_algo;
+--
+2.30.2
+
--- /dev/null
+From 6ce682ec1c9c3ba55169c6b1108450fafa00a5b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Apr 2021 22:05:05 +0300
+Subject: i2c: sh7760: fix IRQ error path
+
+From: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+
+[ Upstream commit 92dfb27240fea2776f61c5422472cb6defca7767 ]
+
+While adding the invalid IRQ check after calling platform_get_irq(),
+I managed to overlook that the driver has a complex error path in its
+probe() method, thus a simple *return* couldn't be used. Use a proper
+*goto* instead!
+
+Fixes: e5b2e3e74201 ("i2c: sh7760: add IRQ check")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-sh7760.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-sh7760.c b/drivers/i2c/busses/i2c-sh7760.c
+index c79c9f542c5a..319d1fa617c8 100644
+--- a/drivers/i2c/busses/i2c-sh7760.c
++++ b/drivers/i2c/busses/i2c-sh7760.c
+@@ -473,7 +473,7 @@ static int sh7760_i2c_probe(struct platform_device *pdev)
+
+ ret = platform_get_irq(pdev, 0);
+ if (ret < 0)
+- return ret;
++ goto out3;
+ id->irq = ret;
+
+ id->adap.nr = pdev->id;
+--
+2.30.2
+
--- /dev/null
+From 4209c7d53495d58376555594b1a7241734d0c923 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Apr 2021 11:31:40 +0000
+Subject: IB/hfi1: Fix error return code in parse_platform_config()
+
+From: Wang Wensheng <wangwensheng4@huawei.com>
+
+[ Upstream commit 4c7d9c69adadfc31892c7e8e134deb3546552106 ]
+
+Fix to return a negative error code from the error handling case instead
+of 0, as done elsewhere in this function.
+
+Fixes: 7724105686e7 ("IB/hfi1: add driver files")
+Link: https://lore.kernel.org/r/20210408113140.103032-1-wangwensheng4@huawei.com
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Wensheng <wangwensheng4@huawei.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/firmware.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/hw/hfi1/firmware.c b/drivers/infiniband/hw/hfi1/firmware.c
+index 5aea8f47e670..c54359376cda 100644
+--- a/drivers/infiniband/hw/hfi1/firmware.c
++++ b/drivers/infiniband/hw/hfi1/firmware.c
+@@ -1885,6 +1885,7 @@ int parse_platform_config(struct hfi1_devdata *dd)
+ dd_dev_err(dd, "%s: Failed CRC check at offset %ld\n",
+ __func__, (ptr -
+ (u32 *)dd->platform_config.data));
++ ret = -EINVAL;
+ goto bail;
+ }
+ /* Jump the CRC DWORD */
+--
+2.30.2
+
--- /dev/null
+From 6e40244a93002bddb51817ab38c297b8e2a8c7b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Apr 2021 22:54:15 -0700
+Subject: kfifo: fix ternary sign extension bugs
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 926ee00ea24320052b46745ef4b00d91c05bd03d ]
+
+The intent with this code was to return negative error codes but instead
+it returns positives.
+
+The problem is how type promotion works with ternary operations. These
+functions return long, "ret" is an int and "copied" is a u32. The
+negative error code is first cast to u32 so it becomes a high positive and
+then cast to long where it's still a positive.
+
+We could fix this by declaring "ret" as a ssize_t but let's just get rid
+of the ternaries instead.
+
+Link: https://lkml.kernel.org/r/YIE+/cK1tBzSuQPU@mwanda
+Fixes: 5bf2b19320ec ("kfifo: add example files to the kernel sample directory")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Stefani Seibold <stefani@seibold.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/kfifo/bytestream-example.c | 8 ++++++--
+ samples/kfifo/inttype-example.c | 8 ++++++--
+ samples/kfifo/record-example.c | 8 ++++++--
+ 3 files changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/samples/kfifo/bytestream-example.c b/samples/kfifo/bytestream-example.c
+index 2fca916d9edf..a7f5ee8b6edc 100644
+--- a/samples/kfifo/bytestream-example.c
++++ b/samples/kfifo/bytestream-example.c
+@@ -124,8 +124,10 @@ static ssize_t fifo_write(struct file *file, const char __user *buf,
+ ret = kfifo_from_user(&test, buf, count, &copied);
+
+ mutex_unlock(&write_lock);
++ if (ret)
++ return ret;
+
+- return ret ? ret : copied;
++ return copied;
+ }
+
+ static ssize_t fifo_read(struct file *file, char __user *buf,
+@@ -140,8 +142,10 @@ static ssize_t fifo_read(struct file *file, char __user *buf,
+ ret = kfifo_to_user(&test, buf, count, &copied);
+
+ mutex_unlock(&read_lock);
++ if (ret)
++ return ret;
+
+- return ret ? ret : copied;
++ return copied;
+ }
+
+ static const struct file_operations fifo_fops = {
+diff --git a/samples/kfifo/inttype-example.c b/samples/kfifo/inttype-example.c
+index 8dc3c2e7105a..a326a37e9163 100644
+--- a/samples/kfifo/inttype-example.c
++++ b/samples/kfifo/inttype-example.c
+@@ -117,8 +117,10 @@ static ssize_t fifo_write(struct file *file, const char __user *buf,
+ ret = kfifo_from_user(&test, buf, count, &copied);
+
+ mutex_unlock(&write_lock);
++ if (ret)
++ return ret;
+
+- return ret ? ret : copied;
++ return copied;
+ }
+
+ static ssize_t fifo_read(struct file *file, char __user *buf,
+@@ -133,8 +135,10 @@ static ssize_t fifo_read(struct file *file, char __user *buf,
+ ret = kfifo_to_user(&test, buf, count, &copied);
+
+ mutex_unlock(&read_lock);
++ if (ret)
++ return ret;
+
+- return ret ? ret : copied;
++ return copied;
+ }
+
+ static const struct file_operations fifo_fops = {
+diff --git a/samples/kfifo/record-example.c b/samples/kfifo/record-example.c
+index 2d7529eeb294..deb87a2e4e6b 100644
+--- a/samples/kfifo/record-example.c
++++ b/samples/kfifo/record-example.c
+@@ -131,8 +131,10 @@ static ssize_t fifo_write(struct file *file, const char __user *buf,
+ ret = kfifo_from_user(&test, buf, count, &copied);
+
+ mutex_unlock(&write_lock);
++ if (ret)
++ return ret;
+
+- return ret ? ret : copied;
++ return copied;
+ }
+
+ static ssize_t fifo_read(struct file *file, char __user *buf,
+@@ -147,8 +149,10 @@ static ssize_t fifo_read(struct file *file, char __user *buf,
+ ret = kfifo_to_user(&test, buf, count, &copied);
+
+ mutex_unlock(&read_lock);
++ if (ret)
++ return ret;
+
+- return ret ? ret : copied;
++ return copied;
+ }
+
+ static const struct file_operations fifo_fops = {
+--
+2.30.2
+
--- /dev/null
+From bb4c2e7a9f2512b23db61e9f50256e7a7d771769 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Apr 2021 11:12:48 +0100
+Subject: liquidio: Fix unintented sign extension of a left shift of a u16
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 298b58f00c0f86868ea717426beb5c1198772f81 ]
+
+The macro CN23XX_PEM_BAR1_INDEX_REG is being used to shift oct->pcie_port
+(a u16) left 24 places. There are two subtle issues here, first the
+shift gets promoted to an signed int and then sign extended to a u64.
+If oct->pcie_port is 0x80 or more then the upper bits get sign extended
+to 1. Secondly shfiting a u16 24 bits will lead to an overflow so it
+needs to be cast to a u64 for all the bits to not overflow.
+
+It is entirely possible that the u16 port value is never large enough
+for this to fail, but it is useful to fix unintended overflows such
+as this.
+
+Fix this by casting the port parameter to the macro to a u64 before
+the shift.
+
+Addresses-Coverity: ("Unintended sign extension")
+Fixes: 5bc67f587ba7 ("liquidio: CN23XX register definitions")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cavium/liquidio/cn23xx_pf_regs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_regs.h b/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_regs.h
+index e6d4ad99cc38..3f1c189646f4 100644
+--- a/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_regs.h
++++ b/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_regs.h
+@@ -521,7 +521,7 @@
+ #define CN23XX_BAR1_INDEX_OFFSET 3
+
+ #define CN23XX_PEM_BAR1_INDEX_REG(port, idx) \
+- (CN23XX_PEM_BAR1_INDEX_START + ((port) << CN23XX_PEM_OFFSET) + \
++ (CN23XX_PEM_BAR1_INDEX_START + (((u64)port) << CN23XX_PEM_OFFSET) + \
+ ((idx) << CN23XX_BAR1_INDEX_OFFSET))
+
+ /*############################ DPI #########################*/
+--
+2.30.2
+
--- /dev/null
+From 96f704fe462d5fe838a599d570414a414f87e72f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Apr 2021 14:31:50 +0200
+Subject: mac80211: bail out if cipher schemes are invalid
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit db878e27a98106a70315d264cc92230d84009e72 ]
+
+If any of the cipher schemes specified by the driver are invalid, bail
+out and fail the registration rather than just warning. Otherwise, we
+might later crash when we try to use the invalid cipher scheme, e.g.
+if the hdr_len is (significantly) less than the pn_offs + pn_len, we'd
+have an out-of-bounds access in RX validation.
+
+Fixes: 2475b1cc0d52 ("mac80211: add generic cipher scheme support")
+Link: https://lore.kernel.org/r/20210408143149.38a3a13a1b19.I6b7f5790fa0958ed8049cf02ac2a535c61e9bc96@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/main.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/net/mac80211/main.c b/net/mac80211/main.c
+index 2136ce3b4489..a24acd0ee788 100644
+--- a/net/mac80211/main.c
++++ b/net/mac80211/main.c
+@@ -1043,8 +1043,11 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
+ if (local->hw.wiphy->max_scan_ie_len)
+ local->hw.wiphy->max_scan_ie_len -= local->scan_ies_len;
+
+- WARN_ON(!ieee80211_cs_list_valid(local->hw.cipher_schemes,
+- local->hw.n_cipher_schemes));
++ if (WARN_ON(!ieee80211_cs_list_valid(local->hw.cipher_schemes,
++ local->hw.n_cipher_schemes))) {
++ result = -EINVAL;
++ goto fail_workqueue;
++ }
+
+ result = ieee80211_init_cipher_suites(local);
+ if (result < 0)
+--
+2.30.2
+
--- /dev/null
+From 7a9b2bc7084517b05128b697f062562a3d5f3b63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Oct 2020 14:16:28 +0200
+Subject: media: m88rs6000t: avoid potential out-of-bounds reads on arrays
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 9baa3d64e8e2373ddd11c346439e5dfccb2cbb0d ]
+
+There a 3 array for-loops that don't check the upper bounds of the
+index into arrays and this may lead to potential out-of-bounds
+reads. Fix this by adding array size upper bounds checks to be
+full safe.
+
+Addresses-Coverity: ("Out-of-bounds read")
+
+Link: https://lore.kernel.org/linux-media/20201007121628.20676-1-colin.king@canonical.com
+Fixes: 333829110f1d ("[media] m88rs6000t: add new dvb-s/s2 tuner for integrated chip M88RS6000")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/tuners/m88rs6000t.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/tuners/m88rs6000t.c b/drivers/media/tuners/m88rs6000t.c
+index 9f3e0fd4cad9..d4443f9c9fa3 100644
+--- a/drivers/media/tuners/m88rs6000t.c
++++ b/drivers/media/tuners/m88rs6000t.c
+@@ -534,7 +534,7 @@ static int m88rs6000t_get_rf_strength(struct dvb_frontend *fe, u16 *strength)
+ PGA2_cri = PGA2_GC >> 2;
+ PGA2_crf = PGA2_GC & 0x03;
+
+- for (i = 0; i <= RF_GC; i++)
++ for (i = 0; i <= RF_GC && i < ARRAY_SIZE(RFGS); i++)
+ RFG += RFGS[i];
+
+ if (RF_GC == 0)
+@@ -546,12 +546,12 @@ static int m88rs6000t_get_rf_strength(struct dvb_frontend *fe, u16 *strength)
+ if (RF_GC == 3)
+ RFG += 100;
+
+- for (i = 0; i <= IF_GC; i++)
++ for (i = 0; i <= IF_GC && i < ARRAY_SIZE(IFGS); i++)
+ IFG += IFGS[i];
+
+ TIAG = TIA_GC * TIA_GS;
+
+- for (i = 0; i <= BB_GC; i++)
++ for (i = 0; i <= BB_GC && i < ARRAY_SIZE(BBGS); i++)
+ BBG += BBGS[i];
+
+ PGA2G = PGA2_cri * PGA2_cri_GS + PGA2_crf * PGA2_crf_GS;
+--
+2.30.2
+
--- /dev/null
+From 8d1a04eeca0835a18f5cf1eff08f020cd12f8e83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Nov 2020 03:50:41 +0100
+Subject: media: omap4iss: return error code when omap4iss_get() failed
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 8938c48fa25b491842ece9eb38f0bea0fcbaca44 ]
+
+If omap4iss_get() failed, it need return error code in iss_probe().
+
+Fixes: 59f0ad807681 ("[media] v4l: omap4iss: Add support for OMAP4...")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/omap4iss/iss.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/media/omap4iss/iss.c b/drivers/staging/media/omap4iss/iss.c
+index c26c99fd4a24..1e10fe204d3b 100644
+--- a/drivers/staging/media/omap4iss/iss.c
++++ b/drivers/staging/media/omap4iss/iss.c
+@@ -1244,8 +1244,10 @@ static int iss_probe(struct platform_device *pdev)
+ if (ret < 0)
+ goto error;
+
+- if (!omap4iss_get(iss))
++ if (!omap4iss_get(iss)) {
++ ret = -EINVAL;
+ goto error;
++ }
+
+ ret = iss_reset(iss);
+ if (ret < 0)
+--
+2.30.2
+
--- /dev/null
+From c13a034e4283335f95451af87ff14b0cd815f4c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Feb 2021 16:43:27 +0100
+Subject: media: vivid: fix assignment of dev->fbuf_out_flags
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 5cde22fcc7271812a7944c47b40100df15908358 ]
+
+Currently the chroma_flags and alpha_flags are being zero'd with a bit-wise
+mask and the following statement should be bit-wise or'ing in the new flag
+bits but instead is making a direct assignment. Fix this by using the |=
+operator rather than an assignment.
+
+Addresses-Coverity: ("Unused value")
+
+Fixes: ef834f7836ec ("[media] vivid: add the video capture and output parts")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/vivid/vivid-vid-out.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/vivid/vivid-vid-out.c b/drivers/media/platform/vivid/vivid-vid-out.c
+index 3e7a26d15074..4629679a0f3c 100644
+--- a/drivers/media/platform/vivid/vivid-vid-out.c
++++ b/drivers/media/platform/vivid/vivid-vid-out.c
+@@ -1010,7 +1010,7 @@ int vivid_vid_out_s_fbuf(struct file *file, void *fh,
+ return -EINVAL;
+ }
+ dev->fbuf_out_flags &= ~(chroma_flags | alpha_flags);
+- dev->fbuf_out_flags = a->flags & (chroma_flags | alpha_flags);
++ dev->fbuf_out_flags |= a->flags & (chroma_flags | alpha_flags);
+ return 0;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From d45559cd5c65bf022d6c3fb868c8dddc9526c457 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Feb 2021 19:38:21 +0000
+Subject: memory: gpmc: fix out of bounds read and dereference on gpmc_cs[]
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit e004c3e67b6459c99285b18366a71af467d869f5 ]
+
+Currently the array gpmc_cs is indexed by cs before it cs is range checked
+and the pointer read from this out-of-index read is dereferenced. Fix this
+by performing the range check on cs before the read and the following
+pointer dereference.
+
+Addresses-Coverity: ("Negative array index read")
+Fixes: 9ed7a776eb50 ("ARM: OMAP2+: Fix support for multiple devices on a GPMC chip select")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Tony Lindgren <tony@atomide.com>
+Link: https://lore.kernel.org/r/20210223193821.17232-1-colin.king@canonical.com
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memory/omap-gpmc.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/memory/omap-gpmc.c b/drivers/memory/omap-gpmc.c
+index cc0da96d07ca..4eb1b8ebfd22 100644
+--- a/drivers/memory/omap-gpmc.c
++++ b/drivers/memory/omap-gpmc.c
+@@ -1028,8 +1028,8 @@ EXPORT_SYMBOL(gpmc_cs_request);
+
+ void gpmc_cs_free(int cs)
+ {
+- struct gpmc_cs_data *gpmc = &gpmc_cs[cs];
+- struct resource *res = &gpmc->mem;
++ struct gpmc_cs_data *gpmc;
++ struct resource *res;
+
+ spin_lock(&gpmc_mem_lock);
+ if (cs >= gpmc_cs_num || cs < 0 || !gpmc_cs_reserved(cs)) {
+@@ -1038,6 +1038,9 @@ void gpmc_cs_free(int cs)
+ spin_unlock(&gpmc_mem_lock);
+ return;
+ }
++ gpmc = &gpmc_cs[cs];
++ res = &gpmc->mem;
++
+ gpmc_cs_disable_mem(cs);
+ if (res->flags)
+ release_resource(res);
+--
+2.30.2
+
--- /dev/null
+From dc2f6752ba452b2625c736dd2492a8b429d76e82 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Mar 2021 18:51:35 +0100
+Subject: mfd: stm32-timers: Avoid clearing auto reload register
+
+From: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
+
+[ Upstream commit 4917e498c6894ba077867aff78f82cffd5ffbb5c ]
+
+The ARR register is cleared unconditionally upon probing, after the maximum
+value has been read. This initial condition is rather not intuitive, when
+considering the counter child driver. It rather expects the maximum value
+by default:
+- The counter interface shows a zero value by default for 'ceiling'
+ attribute.
+- Enabling the counter without any prior configuration makes it doesn't
+ count.
+
+The reset value of ARR register is the maximum. So Choice here
+is to backup it, and restore it then, instead of clearing its value.
+It also fixes the initial condition seen by the counter driver.
+
+Fixes: d0f949e220fd ("mfd: Add STM32 Timers driver")
+Signed-off-by: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
+Acked-by: William Breathitt Gray <vilhelm.gray@gmail.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/stm32-timers.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/stm32-timers.c b/drivers/mfd/stm32-timers.c
+index a6675a449409..e280e0ff2dcc 100644
+--- a/drivers/mfd/stm32-timers.c
++++ b/drivers/mfd/stm32-timers.c
+@@ -20,13 +20,18 @@ static const struct regmap_config stm32_timers_regmap_cfg = {
+
+ static void stm32_timers_get_arr_size(struct stm32_timers *ddata)
+ {
++ u32 arr;
++
++ /* Backup ARR to restore it after getting the maximum value */
++ regmap_read(ddata->regmap, TIM_ARR, &arr);
++
+ /*
+ * Only the available bits will be written so when readback
+ * we get the maximum value of auto reload register
+ */
+ regmap_write(ddata->regmap, TIM_ARR, ~0L);
+ regmap_read(ddata->regmap, TIM_ARR, &ddata->max_arr);
+- regmap_write(ddata->regmap, TIM_ARR, 0x0);
++ regmap_write(ddata->regmap, TIM_ARR, arr);
+ }
+
+ static int stm32_timers_probe(struct platform_device *pdev)
+--
+2.30.2
+
--- /dev/null
+From d118b4af6703ccdf468fd491baa3203fbda3c6e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Apr 2021 20:12:37 -0700
+Subject: MIPS: pci-legacy: stop using of_pci_range_to_resource
+
+From: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
+
+[ Upstream commit 3ecb9dc1581eebecaee56decac70e35365260866 ]
+
+Mirror commit aeba3731b150 ("powerpc/pci: Fix IO space breakage after
+of_pci_range_to_resource() change").
+
+Most MIPS platforms do not define PCI_IOBASE, nor implement
+pci_address_to_pio(). Moreover, IO_SPACE_LIMIT is 0xffff for most MIPS
+platforms. of_pci_range_to_resource passes the _start address_ of the IO
+range into pci_address_to_pio, which then checks it against
+IO_SPACE_LIMIT and fails, because for MIPS platforms that use
+pci-legacy (pci-lantiq, pci-rt3883, pci-mt7620), IO ranges start much
+higher than 0xffff.
+
+In fact, pci-mt7621 in staging already works around this problem, see
+commit 09dd629eeabb ("staging: mt7621-pci: fix io space and properly set
+resource limits")
+
+So just stop using of_pci_range_to_resource, which does not work for
+MIPS.
+
+Fixes PCI errors like:
+ pci_bus 0000:00: root bus resource [io 0xffffffff]
+
+Fixes: 0b0b0893d49b ("of/pci: Fix the conversion of IO ranges into IO resources")
+Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
+Cc: Liviu Dudau <Liviu.Dudau@arm.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/pci/pci-legacy.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/arch/mips/pci/pci-legacy.c b/arch/mips/pci/pci-legacy.c
+index 1ae6bc414e2b..c932ffa6e1d3 100644
+--- a/arch/mips/pci/pci-legacy.c
++++ b/arch/mips/pci/pci-legacy.c
+@@ -169,8 +169,13 @@ void pci_load_of_ranges(struct pci_controller *hose, struct device_node *node)
+ res = hose->mem_resource;
+ break;
+ }
+- if (res != NULL)
+- of_pci_range_to_resource(&range, node, res);
++ if (res != NULL) {
++ res->name = node->full_name;
++ res->flags = range.flags;
++ res->start = range.cpu_addr;
++ res->end = range.cpu_addr + range.size - 1;
++ res->parent = res->child = res->sibling = NULL;
++ }
+ }
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 311137ee183df8e0b3861d27b4ed241a3d061f99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Feb 2021 18:32:41 +0000
+Subject: mt7601u: fix always true expression
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 87fce88658ba047ae62e83497d3f3c5dc22fa6f9 ]
+
+Currently the expression ~nic_conf1 is always true because nic_conf1
+is a u16 and according to 6.5.3.3 of the C standard the ~ operator
+promotes the u16 to an integer before flipping all the bits. Thus
+the top 16 bits of the integer result are all set so the expression
+is always true. If the intention was to flip all the bits of nic_conf1
+then casting the integer result back to a u16 is a suitabel fix.
+
+Interestingly static analyzers seem to thing a bitwise ! should be
+used instead of ~ for this scenario, so I think the original intent
+of the expression may need some extra consideration.
+
+Addresses-Coverity: ("Logical vs. bitwise operator")
+Fixes: c869f77d6abb ("add mt7601u driver")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Acked-by: Jakub Kicinski <kubakici@wp.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210225183241.1002129-1-colin.king@canonical.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt7601u/eeprom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt7601u/eeprom.c b/drivers/net/wireless/mediatek/mt7601u/eeprom.c
+index da6faea092d6..80d0f64205f8 100644
+--- a/drivers/net/wireless/mediatek/mt7601u/eeprom.c
++++ b/drivers/net/wireless/mediatek/mt7601u/eeprom.c
+@@ -106,7 +106,7 @@ mt7601u_has_tssi(struct mt7601u_dev *dev, u8 *eeprom)
+ {
+ u16 nic_conf1 = get_unaligned_le16(eeprom + MT_EE_NIC_CONF_1);
+
+- return ~nic_conf1 && (nic_conf1 & MT_EE_NIC_CONF_1_TX_ALC_EN);
++ return (u16)~nic_conf1 && (nic_conf1 & MT_EE_NIC_CONF_1_TX_ALC_EN);
+ }
+
+ static void
+--
+2.30.2
+
--- /dev/null
+From a1c8c7c1c7184ab4b0e8763003623ff579b0e1bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Apr 2021 23:09:05 -0700
+Subject: mtd: rawnand: gpmi: Fix a double free in gpmi_nand_init
+
+From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+
+[ Upstream commit 076de75de1e53160e9b099f75872c1f9adf41a0b ]
+
+If the callee gpmi_alloc_dma_buffer() failed to alloc memory for
+this->raw_buffer, gpmi_free_dma_buffer() will be called to free
+this->auxiliary_virt. But this->auxiliary_virt is still a non-NULL
+and valid ptr.
+
+Then gpmi_alloc_dma_buffer() returns err and gpmi_free_dma_buffer()
+is called again to free this->auxiliary_virt in err_out. This causes
+a double free.
+
+As gpmi_free_dma_buffer() has already called in gpmi_alloc_dma_buffer's
+error path, so it should return err directly instead of releasing the dma
+buffer again.
+
+Fixes: 4d02423e9afe6 ("mtd: nand: gpmi: Fix gpmi_nand_init() error path")
+Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20210403060905.5251-1-lyl2019@mail.ustc.edu.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/gpmi-nand/gpmi-nand.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
+index c7d0d2eed6c2..5a694bdc4f75 100644
+--- a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
++++ b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
+@@ -2022,7 +2022,7 @@ static int gpmi_nand_init(struct gpmi_nand_data *this)
+ this->bch_geometry.auxiliary_size = 128;
+ ret = gpmi_alloc_dma_buffer(this);
+ if (ret)
+- goto err_out;
++ return ret;
+
+ ret = nand_scan_ident(mtd, GPMI_IS_MX6(this) ? 2 : 1, NULL);
+ if (ret)
+--
+2.30.2
+
--- /dev/null
+From 07ce141627f04f1b4e8d011f8ab5066826d7fd7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Mar 2021 16:57:35 +0100
+Subject: mtd: require write permissions for locking and badblock ioctls
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michael Walle <michael@walle.cc>
+
+[ Upstream commit 1e97743fd180981bef5f01402342bb54bf1c6366 ]
+
+MEMLOCK, MEMUNLOCK and OTPLOCK modify protection bits. Thus require
+write permission. Depending on the hardware MEMLOCK might even be
+write-once, e.g. for SPI-NOR flashes with their WP# tied to GND. OTPLOCK
+is always write-once.
+
+MEMSETBADBLOCK modifies the bad block table.
+
+Fixes: f7e6b19bc764 ("mtd: properly check all write ioctls for permissions")
+Signed-off-by: Michael Walle <michael@walle.cc>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Rafał Miłecki <rafal@milecki.pl>
+Acked-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20210303155735.25887-1-michael@walle.cc
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/mtdchar.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c
+index 18dd333f2d40..0a109277b174 100644
+--- a/drivers/mtd/mtdchar.c
++++ b/drivers/mtd/mtdchar.c
+@@ -689,16 +689,12 @@ static int mtdchar_ioctl(struct file *file, u_int cmd, u_long arg)
+ case MEMGETINFO:
+ case MEMREADOOB:
+ case MEMREADOOB64:
+- case MEMLOCK:
+- case MEMUNLOCK:
+ case MEMISLOCKED:
+ case MEMGETOOBSEL:
+ case MEMGETBADBLOCK:
+- case MEMSETBADBLOCK:
+ case OTPSELECT:
+ case OTPGETREGIONCOUNT:
+ case OTPGETREGIONINFO:
+- case OTPLOCK:
+ case ECCGETLAYOUT:
+ case ECCGETSTATS:
+ case MTDFILEMODE:
+@@ -709,9 +705,13 @@ static int mtdchar_ioctl(struct file *file, u_int cmd, u_long arg)
+ /* "dangerous" commands */
+ case MEMERASE:
+ case MEMERASE64:
++ case MEMLOCK:
++ case MEMUNLOCK:
++ case MEMSETBADBLOCK:
+ case MEMWRITEOOB:
+ case MEMWRITEOOB64:
+ case MEMWRITE:
++ case OTPLOCK:
+ if (!(file->f_mode & FMODE_WRITE))
+ return -EPERM;
+ break;
+--
+2.30.2
+
--- /dev/null
+From 88b5d616f6ac84aaa8474f1332661f79b82d35a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Apr 2021 11:26:27 -0700
+Subject: mwl8k: Fix a double Free in mwl8k_probe_hw
+
+From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+
+[ Upstream commit a8e083ee8e2a6c94c29733835adae8bf5b832748 ]
+
+In mwl8k_probe_hw, hw->priv->txq is freed at the first time by
+dma_free_coherent() in the call chain:
+if(!priv->ap_fw)->mwl8k_init_txqs(hw)->mwl8k_txq_init(hw, i).
+
+Then in err_free_queues of mwl8k_probe_hw, hw->priv->txq is freed
+at the second time by mwl8k_txq_deinit(hw, i)->dma_free_coherent().
+
+My patch set txq->txd to NULL after the first free to avoid the
+double free.
+
+Fixes: a66098daacee2 ("mwl8k: Marvell TOPDOG wireless driver")
+Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210402182627.4256-1-lyl2019@mail.ustc.edu.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwl8k.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/marvell/mwl8k.c b/drivers/net/wireless/marvell/mwl8k.c
+index a87ccf9ceb67..e39aaee92add 100644
+--- a/drivers/net/wireless/marvell/mwl8k.c
++++ b/drivers/net/wireless/marvell/mwl8k.c
+@@ -1464,6 +1464,7 @@ static int mwl8k_txq_init(struct ieee80211_hw *hw, int index)
+ txq->skb = kcalloc(MWL8K_TX_DESCS, sizeof(*txq->skb), GFP_KERNEL);
+ if (txq->skb == NULL) {
+ pci_free_consistent(priv->pdev, size, txq->txd, txq->txd_dma);
++ txq->txd = NULL;
+ return -ENOMEM;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 683505557df4246e77a10a44cd05c00f183e55fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Apr 2021 18:16:14 +0100
+Subject: net: davinci_emac: Fix incorrect masking of tx and rx error channel
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit d83b8aa5207d81f9f6daec9888390f079cc5db3f ]
+
+The bit-masks used for the TXERRCH and RXERRCH (tx and rx error channels)
+are incorrect and always lead to a zero result. The mask values are
+currently the incorrect post-right shifted values, fix this by setting
+them to the currect values.
+
+(I double checked these against the TMS320TCI6482 data sheet, section
+5.30, page 127 to ensure I had the correct mask values for the TXERRCH
+and RXERRCH fields in the MACSTATUS register).
+
+Addresses-Coverity: ("Operands don't affect result")
+Fixes: a6286ee630f6 ("net: Add TI DaVinci EMAC driver")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ti/davinci_emac.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/ti/davinci_emac.c b/drivers/net/ethernet/ti/davinci_emac.c
+index 47a096134043..32e7b87baaa7 100644
+--- a/drivers/net/ethernet/ti/davinci_emac.c
++++ b/drivers/net/ethernet/ti/davinci_emac.c
+@@ -183,11 +183,11 @@ static const char emac_version_string[] = "TI DaVinci EMAC Linux v6.1";
+ /* EMAC mac_status register */
+ #define EMAC_MACSTATUS_TXERRCODE_MASK (0xF00000)
+ #define EMAC_MACSTATUS_TXERRCODE_SHIFT (20)
+-#define EMAC_MACSTATUS_TXERRCH_MASK (0x7)
++#define EMAC_MACSTATUS_TXERRCH_MASK (0x70000)
+ #define EMAC_MACSTATUS_TXERRCH_SHIFT (16)
+ #define EMAC_MACSTATUS_RXERRCODE_MASK (0xF000)
+ #define EMAC_MACSTATUS_RXERRCODE_SHIFT (12)
+-#define EMAC_MACSTATUS_RXERRCH_MASK (0x7)
++#define EMAC_MACSTATUS_RXERRCH_MASK (0x700)
+ #define EMAC_MACSTATUS_RXERRCH_SHIFT (8)
+
+ /* EMAC RX register masks */
+--
+2.30.2
+
--- /dev/null
+From 72a6ae663058e591d454be348f276809c3950169 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Apr 2021 09:06:25 -0700
+Subject: net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send
+
+From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+
+[ Upstream commit 6d72e7c767acbbdd44ebc7d89c6690b405b32b57 ]
+
+In emac_mac_tx_buf_send, it calls emac_tx_fill_tpd(..,skb,..).
+If some error happens in emac_tx_fill_tpd(), the skb will be freed via
+dev_kfree_skb(skb) in error branch of emac_tx_fill_tpd().
+But the freed skb is still used via skb->len by netdev_sent_queue(,skb->len).
+
+As i observed that emac_tx_fill_tpd() haven't modified the value of skb->len,
+thus my patch assigns skb->len to 'len' before the possible free and
+use 'len' instead of skb->len later.
+
+Fixes: b9b17debc69d2 ("net: emac: emac gigabit ethernet controller driver")
+Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qualcomm/emac/emac-mac.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qualcomm/emac/emac-mac.c b/drivers/net/ethernet/qualcomm/emac/emac-mac.c
+index 44f797ab5d15..57f509a6c449 100644
+--- a/drivers/net/ethernet/qualcomm/emac/emac-mac.c
++++ b/drivers/net/ethernet/qualcomm/emac/emac-mac.c
+@@ -1458,6 +1458,7 @@ int emac_mac_tx_buf_send(struct emac_adapter *adpt, struct emac_tx_queue *tx_q,
+ {
+ struct emac_tpd tpd;
+ u32 prod_idx;
++ int len;
+
+ memset(&tpd, 0, sizeof(tpd));
+
+@@ -1477,9 +1478,10 @@ int emac_mac_tx_buf_send(struct emac_adapter *adpt, struct emac_tx_queue *tx_q,
+ if (skb_network_offset(skb) != ETH_HLEN)
+ TPD_TYP_SET(&tpd, 1);
+
++ len = skb->len;
+ emac_tx_fill_tpd(adpt, tx_q, skb, &tpd);
+
+- netdev_sent_queue(adpt->netdev, skb->len);
++ netdev_sent_queue(adpt->netdev, len);
+
+ /* Make sure the are enough free descriptors to hold one
+ * maximum-sized SKB. We need one desc for each fragment,
+--
+2.30.2
+
--- /dev/null
+From 26943b1e8fbef2315626aba17e3b51f91705b298 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Mar 2021 23:23:09 -0800
+Subject: net: lapbether: Prevent racing when checking whether the netif is
+ running
+
+From: Xie He <xie.he.0141@gmail.com>
+
+[ Upstream commit 5acd0cfbfbb5a688da1bfb1a2152b0c855115a35 ]
+
+There are two "netif_running" checks in this driver. One is in
+"lapbeth_xmit" and the other is in "lapbeth_rcv". They serve to make
+sure that the LAPB APIs called in these functions are called before
+"lapb_unregister" is called by the "ndo_stop" function.
+
+However, these "netif_running" checks are unreliable, because it's
+possible that immediately after "netif_running" returns true, "ndo_stop"
+is called (which causes "lapb_unregister" to be called).
+
+This patch adds locking to make sure "lapbeth_xmit" and "lapbeth_rcv" can
+reliably check and ensure the netif is running while doing their work.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Xie He <xie.he.0141@gmail.com>
+Acked-by: Martin Schiller <ms@dev.tdt.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wan/lapbether.c | 32 +++++++++++++++++++++++++-------
+ 1 file changed, 25 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c
+index fad5fc8b9edb..3ec922bed2d8 100644
+--- a/drivers/net/wan/lapbether.c
++++ b/drivers/net/wan/lapbether.c
+@@ -56,6 +56,8 @@ struct lapbethdev {
+ struct list_head node;
+ struct net_device *ethdev; /* link to ethernet device */
+ struct net_device *axdev; /* lapbeth device (lapb#) */
++ bool up;
++ spinlock_t up_lock; /* Protects "up" */
+ };
+
+ static LIST_HEAD(lapbeth_devices);
+@@ -103,8 +105,9 @@ static int lapbeth_rcv(struct sk_buff *skb, struct net_device *dev, struct packe
+ rcu_read_lock();
+ lapbeth = lapbeth_get_x25_dev(dev);
+ if (!lapbeth)
+- goto drop_unlock;
+- if (!netif_running(lapbeth->axdev))
++ goto drop_unlock_rcu;
++ spin_lock_bh(&lapbeth->up_lock);
++ if (!lapbeth->up)
+ goto drop_unlock;
+
+ len = skb->data[0] + skb->data[1] * 256;
+@@ -119,11 +122,14 @@ static int lapbeth_rcv(struct sk_buff *skb, struct net_device *dev, struct packe
+ goto drop_unlock;
+ }
+ out:
++ spin_unlock_bh(&lapbeth->up_lock);
+ rcu_read_unlock();
+ return 0;
+ drop_unlock:
+ kfree_skb(skb);
+ goto out;
++drop_unlock_rcu:
++ rcu_read_unlock();
+ drop:
+ kfree_skb(skb);
+ return 0;
+@@ -151,13 +157,11 @@ static int lapbeth_data_indication(struct net_device *dev, struct sk_buff *skb)
+ static netdev_tx_t lapbeth_xmit(struct sk_buff *skb,
+ struct net_device *dev)
+ {
++ struct lapbethdev *lapbeth = netdev_priv(dev);
+ int err;
+
+- /*
+- * Just to be *really* sure not to send anything if the interface
+- * is down, the ethernet device may have gone.
+- */
+- if (!netif_running(dev))
++ spin_lock_bh(&lapbeth->up_lock);
++ if (!lapbeth->up)
+ goto drop;
+
+ /* There should be a pseudo header of 1 byte added by upper layers.
+@@ -188,6 +192,7 @@ static netdev_tx_t lapbeth_xmit(struct sk_buff *skb,
+ goto drop;
+ }
+ out:
++ spin_unlock_bh(&lapbeth->up_lock);
+ return NETDEV_TX_OK;
+ drop:
+ kfree_skb(skb);
+@@ -279,6 +284,7 @@ static const struct lapb_register_struct lapbeth_callbacks = {
+ */
+ static int lapbeth_open(struct net_device *dev)
+ {
++ struct lapbethdev *lapbeth = netdev_priv(dev);
+ int err;
+
+ if ((err = lapb_register(dev, &lapbeth_callbacks)) != LAPB_OK) {
+@@ -286,13 +292,22 @@ static int lapbeth_open(struct net_device *dev)
+ return -ENODEV;
+ }
+
++ spin_lock_bh(&lapbeth->up_lock);
++ lapbeth->up = true;
++ spin_unlock_bh(&lapbeth->up_lock);
++
+ return 0;
+ }
+
+ static int lapbeth_close(struct net_device *dev)
+ {
++ struct lapbethdev *lapbeth = netdev_priv(dev);
+ int err;
+
++ spin_lock_bh(&lapbeth->up_lock);
++ lapbeth->up = false;
++ spin_unlock_bh(&lapbeth->up_lock);
++
+ if ((err = lapb_unregister(dev)) != LAPB_OK)
+ pr_err("lapb_unregister error: %d\n", err);
+
+@@ -350,6 +365,9 @@ static int lapbeth_new_device(struct net_device *dev)
+ dev_hold(dev);
+ lapbeth->ethdev = dev;
+
++ lapbeth->up = false;
++ spin_lock_init(&lapbeth->up_lock);
++
+ rc = -EIO;
+ if (register_netdevice(ndev))
+ goto fail;
+--
+2.30.2
+
--- /dev/null
+From be92d913fd21bf8e669d70a54cb7027df5386146 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Apr 2021 09:22:58 -0700
+Subject: net:nfc:digital: Fix a double free in digital_tg_recv_dep_req
+
+From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+
+[ Upstream commit 75258586793efc521e5dd52a5bf6c7a4cf7002be ]
+
+In digital_tg_recv_dep_req, it calls nfc_tm_data_received(..,resp).
+If nfc_tm_data_received() failed, the callee will free the resp via
+kfree_skb() and return error. But in the exit branch, the resp
+will be freed again.
+
+My patch sets resp to NULL if nfc_tm_data_received() failed, to
+avoid the double free.
+
+Fixes: 1c7a4c24fbfd9 ("NFC Digital: Add target NFC-DEP support")
+Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/digital_dep.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/nfc/digital_dep.c b/net/nfc/digital_dep.c
+index 4f9a973988b2..1eed0cf59190 100644
+--- a/net/nfc/digital_dep.c
++++ b/net/nfc/digital_dep.c
+@@ -1285,6 +1285,8 @@ static void digital_tg_recv_dep_req(struct nfc_digital_dev *ddev, void *arg,
+ }
+
+ rc = nfc_tm_data_received(ddev->nfc_dev, resp);
++ if (rc)
++ resp = NULL;
+
+ exit:
+ kfree_skb(ddev->chaining_skb);
+--
+2.30.2
+
--- /dev/null
+From 90910250cac1993d30e06fb75c7eedc9be20f4b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Apr 2021 14:07:26 +0100
+Subject: net: thunderx: Fix unintentional sign extension issue
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit e701a25840360706fe4cf5de0015913ca19c274b ]
+
+The shifting of the u8 integers rq->caching by 26 bits to
+the left will be promoted to a 32 bit signed int and then
+sign-extended to a u64. In the event that rq->caching is
+greater than 0x1f then all then all the upper 32 bits of
+the u64 end up as also being set because of the int
+sign-extension. Fix this by casting the u8 values to a
+u64 before the 26 bit left shift.
+
+Addresses-Coverity: ("Unintended sign extension")
+Fixes: 4863dea3fab0 ("net: Adding support for Cavium ThunderX network controller")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cavium/thunder/nicvf_queues.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_queues.c b/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
+index 7ad1d56d8389..d44d9d0e9d06 100644
+--- a/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
++++ b/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
+@@ -775,7 +775,7 @@ static void nicvf_rcv_queue_config(struct nicvf *nic, struct queue_set *qs,
+ mbx.rq.msg = NIC_MBOX_MSG_RQ_CFG;
+ mbx.rq.qs_num = qs->vnic_id;
+ mbx.rq.rq_num = qidx;
+- mbx.rq.cfg = (rq->caching << 26) | (rq->cq_qs << 19) |
++ mbx.rq.cfg = ((u64)rq->caching << 26) | (rq->cq_qs << 19) |
+ (rq->cq_idx << 16) | (rq->cont_rbdr_qs << 9) |
+ (rq->cont_qs_rbdr_idx << 8) |
+ (rq->start_rbdr_qs << 1) | (rq->start_qs_rbdr_idx);
+--
+2.30.2
+
--- /dev/null
+From f9e46e4b93662db9cf67ade9be133d68e7bcb5e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Apr 2021 14:44:42 +0300
+Subject: nfc: pn533: prevent potential memory corruption
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit ca4d4c34ae9aa5c3c0da76662c5e549d2fc0cc86 ]
+
+If the "type_a->nfcid_len" is too large then it would lead to memory
+corruption in pn533_target_found_type_a() when we do:
+
+ memcpy(nfc_tgt->nfcid1, tgt_type_a->nfcid_data, nfc_tgt->nfcid1_len);
+
+Fixes: c3b1e1e8a76f ("NFC: Export NFCID1 from pn533")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/pn533/pn533.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/nfc/pn533/pn533.c b/drivers/nfc/pn533/pn533.c
+index c05cb637ba92..e3026e20f169 100644
+--- a/drivers/nfc/pn533/pn533.c
++++ b/drivers/nfc/pn533/pn533.c
+@@ -692,6 +692,9 @@ static bool pn533_target_type_a_is_valid(struct pn533_target_type_a *type_a,
+ if (PN533_TYPE_A_SEL_CASCADE(type_a->sel_res) != 0)
+ return false;
+
++ if (type_a->nfcid_len > NFC_NFCID1_MAXSIZE)
++ return false;
++
+ return true;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From dbdb680aa495d8f4152ab96259acbcf42644c497 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 23:50:24 +0300
+Subject: pata_arasan_cf: fix IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+
+[ Upstream commit c7e8f404d56b99c80990b19a402c3f640d74be05 ]
+
+The driver's probe() method is written as if platform_get_irq() returns 0
+on error, while actually it returns a negative error code (with all the
+other values considered valid IRQs). Rewrite the driver's IRQ checking code
+to pass the positive IRQ #s to ata_host_activate(), propagate upstream
+-EPROBE_DEFER, and set up the driver to polling mode on (negative) errors
+and IRQ0 (libata treats IRQ #0 as a polling mode anyway)...
+
+Fixes: a480167b23ef ("pata_arasan_cf: Adding support for arasan compact flash host controller")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/pata_arasan_cf.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/ata/pata_arasan_cf.c b/drivers/ata/pata_arasan_cf.c
+index b4d54771c9fe..623199fab8fe 100644
+--- a/drivers/ata/pata_arasan_cf.c
++++ b/drivers/ata/pata_arasan_cf.c
+@@ -819,12 +819,19 @@ static int arasan_cf_probe(struct platform_device *pdev)
+ else
+ quirk = CF_BROKEN_UDMA; /* as it is on spear1340 */
+
+- /* if irq is 0, support only PIO */
+- acdev->irq = platform_get_irq(pdev, 0);
+- if (acdev->irq)
++ /*
++ * If there's an error getting IRQ (or we do get IRQ0),
++ * support only PIO
++ */
++ ret = platform_get_irq(pdev, 0);
++ if (ret > 0) {
++ acdev->irq = ret;
+ irq_handler = arasan_cf_interrupt;
+- else
++ } else if (ret == -EPROBE_DEFER) {
++ return ret;
++ } else {
+ quirk |= CF_BROKEN_MWDMA | CF_BROKEN_UDMA;
++ }
+
+ acdev->pbase = res->start;
+ acdev->vbase = devm_ioremap_nocache(&pdev->dev, res->start,
+--
+2.30.2
+
--- /dev/null
+From 91e4354367a6c9f2b19b5b802bcef9b4d9913b39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 23:51:10 +0300
+Subject: pata_ipx4xx_cf: fix IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+
+[ Upstream commit e379b40cc0f179403ce0b82b7e539f635a568da5 ]
+
+The driver's probe() method is written as if platform_get_irq() returns 0
+on error, while actually it returns a negative error code (with all the
+other values considered valid IRQs). Rewrite the driver's IRQ checking
+code to pass the positive IRQ #s to ata_host_activate(), propagate errors
+upstream, and treat IRQ0 as error, returning -EINVAL, as the libata code
+treats 0 as an indication that polling should be used anyway...
+
+Fixes: 0df0d0a0ea9f ("[libata] ARM: add ixp4xx PATA driver")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/pata_ixp4xx_cf.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/ata/pata_ixp4xx_cf.c b/drivers/ata/pata_ixp4xx_cf.c
+index 0b0d93065f5a..867621f8c387 100644
+--- a/drivers/ata/pata_ixp4xx_cf.c
++++ b/drivers/ata/pata_ixp4xx_cf.c
+@@ -169,8 +169,12 @@ static int ixp4xx_pata_probe(struct platform_device *pdev)
+ return -ENOMEM;
+
+ irq = platform_get_irq(pdev, 0);
+- if (irq)
++ if (irq > 0)
+ irq_set_irq_type(irq, IRQ_TYPE_EDGE_RISING);
++ else if (irq < 0)
++ return irq;
++ else
++ return -EINVAL;
+
+ /* Setup expansion bus chip selects */
+ *data->cs0_cfg = data->cs0_bits;
+--
+2.30.2
+
--- /dev/null
+From 6d1bc96f859b3e6ecd9b9f95d68a7421c01c3c97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Mar 2021 11:17:51 -0300
+Subject: perf symbols: Fix dso__fprintf_symbols_by_name() to return the number
+ of printed chars
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit 210e4c89ef61432040c6cd828fefa441f4887186 ]
+
+The 'ret' variable was initialized to zero but then it was not updated
+from the fprintf() return, fix it.
+
+Reported-by: Yang Li <yang.lee@linux.alibaba.com>
+cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+cc: Ingo Molnar <mingo@redhat.com>
+cc: Jiri Olsa <jolsa@redhat.com>
+cc: Mark Rutland <mark.rutland@arm.com>
+cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Fixes: 90f18e63fbd00513 ("perf symbols: List symbols in a dso in ascending name order")
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/symbol_fprintf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/symbol_fprintf.c b/tools/perf/util/symbol_fprintf.c
+index 6dd2cb88ccbe..d6ed44bd1eba 100644
+--- a/tools/perf/util/symbol_fprintf.c
++++ b/tools/perf/util/symbol_fprintf.c
+@@ -66,7 +66,7 @@ size_t dso__fprintf_symbols_by_name(struct dso *dso,
+
+ for (nd = rb_first(&dso->symbol_names[type]); nd; nd = rb_next(nd)) {
+ pos = rb_entry(nd, struct symbol_name_rb_node, rb_node);
+- fprintf(fp, "%s\n", pos->sym.name);
++ ret += fprintf(fp, "%s\n", pos->sym.name);
+ }
+
+ return ret;
+--
+2.30.2
+
--- /dev/null
+From 7f71dc04e1e5a300df6dee40bf8913d4499fbdef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Feb 2021 16:02:52 +0100
+Subject: phy: marvell: ARMADA375_USBCLUSTER_PHY should not default to y,
+ unconditionally
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 6cb17707aad869de163d7bf42c253caf501be4e2 ]
+
+Merely enabling CONFIG_COMPILE_TEST should not enable additional code.
+To fix this, restrict the automatic enabling of ARMADA375_USBCLUSTER_PHY
+to MACH_ARMADA_375, and ask the user in case of compile-testing.
+
+Fixes: eee47538ec1f2619 ("phy: add support for USB cluster on the Armada 375 SoC")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20210208150252.424706-1-geert+renesas@glider.be
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/marvell/Kconfig | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/phy/marvell/Kconfig b/drivers/phy/marvell/Kconfig
+index 68e321225400..ed4d3904e53f 100644
+--- a/drivers/phy/marvell/Kconfig
++++ b/drivers/phy/marvell/Kconfig
+@@ -2,8 +2,8 @@
+ # Phy drivers for Marvell platforms
+ #
+ config ARMADA375_USBCLUSTER_PHY
+- def_bool y
+- depends on MACH_ARMADA_375 || COMPILE_TEST
++ bool "Armada 375 USB cluster PHY support" if COMPILE_TEST
++ default y if MACH_ARMADA_375
+ depends on OF && HAS_IOMEM
+ select GENERIC_PHY
+
+--
+2.30.2
+
--- /dev/null
+From ff6000a8524b2e56fd03509011276582025a09d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Apr 2021 15:30:06 +0200
+Subject: platform/x86: pmc_atom: Match all Beckhoff Automation baytrail boards
+ with critclk_systems DMI table
+
+From: Steffen Dirkwinkel <s.dirkwinkel@beckhoff.com>
+
+[ Upstream commit d21e5abd3a005253eb033090aab2e43bce090d89 ]
+
+pmc_plt_clk* clocks are used for ethernet controllers, so need to stay
+turned on. This adds the affected board family to critclk_systems DMI
+table, so the clocks are marked as CLK_CRITICAL and not turned off.
+
+This replaces the previously listed boards with a match for the whole
+device family CBxx63. CBxx63 matches only baytrail devices.
+There are new affected boards that would otherwise need to be listed.
+There are unaffected boards in the family, but having the clocks
+turned on is not an issue.
+
+Fixes: 648e921888ad ("clk: x86: Stop marking clocks as CLK_IS_CRITICAL")
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Steffen Dirkwinkel <s.dirkwinkel@beckhoff.com>
+Link: https://lore.kernel.org/r/20210412133006.397679-1-linux-kernel-dev@beckhoff.com
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/pmc_atom.c | 28 ++--------------------------
+ 1 file changed, 2 insertions(+), 26 deletions(-)
+
+diff --git a/drivers/platform/x86/pmc_atom.c b/drivers/platform/x86/pmc_atom.c
+index 92205b90c25c..d1d5ec3c0f14 100644
+--- a/drivers/platform/x86/pmc_atom.c
++++ b/drivers/platform/x86/pmc_atom.c
+@@ -453,34 +453,10 @@ static const struct dmi_system_id critclk_systems[] = {
+ },
+ {
+ /* pmc_plt_clk* - are used for ethernet controllers */
+- .ident = "Beckhoff CB3163",
++ .ident = "Beckhoff Baytrail",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Beckhoff Automation"),
+- DMI_MATCH(DMI_BOARD_NAME, "CB3163"),
+- },
+- },
+- {
+- /* pmc_plt_clk* - are used for ethernet controllers */
+- .ident = "Beckhoff CB4063",
+- .matches = {
+- DMI_MATCH(DMI_SYS_VENDOR, "Beckhoff Automation"),
+- DMI_MATCH(DMI_BOARD_NAME, "CB4063"),
+- },
+- },
+- {
+- /* pmc_plt_clk* - are used for ethernet controllers */
+- .ident = "Beckhoff CB6263",
+- .matches = {
+- DMI_MATCH(DMI_SYS_VENDOR, "Beckhoff Automation"),
+- DMI_MATCH(DMI_BOARD_NAME, "CB6263"),
+- },
+- },
+- {
+- /* pmc_plt_clk* - are used for ethernet controllers */
+- .ident = "Beckhoff CB6363",
+- .matches = {
+- DMI_MATCH(DMI_SYS_VENDOR, "Beckhoff Automation"),
+- DMI_MATCH(DMI_BOARD_NAME, "CB6363"),
++ DMI_MATCH(DMI_PRODUCT_FAMILY, "CBxx63"),
+ },
+ },
+ {
+--
+2.30.2
+
--- /dev/null
+From 87e2051ea43f11ea5db8aacd538855717bc5e64f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Apr 2021 17:24:03 +0000
+Subject: powerpc/52xx: Fix an invalid ASM expression ('addi' used instead of
+ 'add')
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit 8a87a507714386efc39c3ae6fa24d4f79846b522 ]
+
+ AS arch/powerpc/platforms/52xx/lite5200_sleep.o
+arch/powerpc/platforms/52xx/lite5200_sleep.S: Assembler messages:
+arch/powerpc/platforms/52xx/lite5200_sleep.S:184: Warning: invalid register expression
+
+In the following code, 'addi' is wrong, has to be 'add'
+
+ /* local udelay in sram is needed */
+ udelay: /* r11 - tb_ticks_per_usec, r12 - usecs, overwrites r13 */
+ mullw r12, r12, r11
+ mftb r13 /* start */
+ addi r12, r13, r12 /* end */
+
+Fixes: ee983079ce04 ("[POWERPC] MPC5200 low power mode")
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/cb4cec9131c8577803367f1699209a7e104cec2a.1619025821.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/52xx/lite5200_sleep.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/platforms/52xx/lite5200_sleep.S b/arch/powerpc/platforms/52xx/lite5200_sleep.S
+index 3a9969c429b3..054f927bfef9 100644
+--- a/arch/powerpc/platforms/52xx/lite5200_sleep.S
++++ b/arch/powerpc/platforms/52xx/lite5200_sleep.S
+@@ -181,7 +181,7 @@ sram_code:
+ udelay: /* r11 - tb_ticks_per_usec, r12 - usecs, overwrites r13 */
+ mullw r12, r12, r11
+ mftb r13 /* start */
+- addi r12, r13, r12 /* end */
++ add r12, r13, r12 /* end */
+ 1:
+ mftb r13 /* current */
+ cmp cr0, r13, r12
+--
+2.30.2
+
--- /dev/null
+From 938fde73e8cbad403f3226124e315be0557cb967 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Mar 2021 09:49:00 +0000
+Subject: powerpc: Fix HAVE_HARDLOCKUP_DETECTOR_ARCH build configuration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chen Huang <chenhuang5@huawei.com>
+
+[ Upstream commit 4fe529449d85e78972fa327999961ecc83a0b6db ]
+
+When compiling the powerpc with the SMP disabled, it shows the issue:
+
+arch/powerpc/kernel/watchdog.c: In function ‘watchdog_smp_panic’:
+arch/powerpc/kernel/watchdog.c:177:4: error: implicit declaration of function ‘smp_send_nmi_ipi’; did you mean ‘smp_send_stop’? [-Werror=implicit-function-declaration]
+ 177 | smp_send_nmi_ipi(c, wd_lockup_ipi, 1000000);
+ | ^~~~~~~~~~~~~~~~
+ | smp_send_stop
+cc1: all warnings being treated as errors
+make[2]: *** [scripts/Makefile.build:273: arch/powerpc/kernel/watchdog.o] Error 1
+make[1]: *** [scripts/Makefile.build:534: arch/powerpc/kernel] Error 2
+make: *** [Makefile:1980: arch/powerpc] Error 2
+make: *** Waiting for unfinished jobs....
+
+We found that powerpc used ipi to implement hardlockup watchdog, so the
+HAVE_HARDLOCKUP_DETECTOR_ARCH should depend on the SMP.
+
+Fixes: 2104180a5369 ("powerpc/64s: implement arch-specific hardlockup watchdog")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Chen Huang <chenhuang5@huawei.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210327094900.938555-1-chenhuang5@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
+index fff11a5bb805..3fcfa8534156 100644
+--- a/arch/powerpc/Kconfig
++++ b/arch/powerpc/Kconfig
+@@ -208,7 +208,7 @@ config PPC
+ select HAVE_MEMBLOCK_NODE_MAP
+ select HAVE_MOD_ARCH_SPECIFIC
+ select HAVE_NMI if PERF_EVENTS || (PPC64 && PPC_BOOK3S)
+- select HAVE_HARDLOCKUP_DETECTOR_ARCH if (PPC64 && PPC_BOOK3S)
++ select HAVE_HARDLOCKUP_DETECTOR_ARCH if PPC64 && PPC_BOOK3S && SMP
+ select HAVE_OPROFILE
+ select HAVE_OPTPROBES if PPC64
+ select HAVE_PERF_EVENTS
+--
+2.30.2
+
--- /dev/null
+From 4895f472a736783891d8d3d654f9f0c3320cc129 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Apr 2021 12:26:23 -0700
+Subject: powerpc: iommu: fix build when neither PCI or IBMVIO is set
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit b27dadecdf9102838331b9a0b41ffc1cfe288154 ]
+
+When neither CONFIG_PCI nor CONFIG_IBMVIO is set/enabled, iommu.c has a
+build error. The fault injection code is not useful in that kernel config,
+so make the FAIL_IOMMU option depend on PCI || IBMVIO.
+
+Prevents this build error (warning escalated to error):
+../arch/powerpc/kernel/iommu.c:178:30: error: 'fail_iommu_bus_notifier' defined but not used [-Werror=unused-variable]
+ 178 | static struct notifier_block fail_iommu_bus_notifier = {
+
+Fixes: d6b9a81b2a45 ("powerpc: IOMMU fault injection")
+Reported-by: kernel test robot <lkp@intel.com>
+Suggested-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210404192623.10697-1-rdunlap@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/Kconfig.debug | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/Kconfig.debug b/arch/powerpc/Kconfig.debug
+index be1c8c5beb61..762bb08b0f59 100644
+--- a/arch/powerpc/Kconfig.debug
++++ b/arch/powerpc/Kconfig.debug
+@@ -349,6 +349,7 @@ config PPC_EARLY_DEBUG_CPM_ADDR
+ config FAIL_IOMMU
+ bool "Fault-injection capability for IOMMU"
+ depends on FAULT_INJECTION
++ depends on PCI || IBMVIO
+ help
+ Provide fault-injection capability for IOMMU. Each device can
+ be selectively enabled via the fail_iommu property.
+--
+2.30.2
+
--- /dev/null
+From 09b05eb0e71892cd80b820ddfe076d02237251b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 12:16:01 -0400
+Subject: powerpc/perf: Fix PMU constraint check for EBB events
+
+From: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+
+[ Upstream commit 10f8f96179ecc7f69c927f6d231f6d02736cea83 ]
+
+The power PMU group constraints includes check for EBB events to make
+sure all events in a group must agree on EBB. This will prevent
+scheduling EBB and non-EBB events together. But in the existing check,
+settings for constraint mask and value is interchanged. Patch fixes the
+same.
+
+Before the patch, PMU selftest "cpu_event_pinned_vs_ebb_test" fails with
+below in dmesg logs. This happens because EBB event gets enabled along
+with a non-EBB cpu event.
+
+ [35600.453346] cpu_event_pinne[41326]: illegal instruction (4)
+ at 10004a18 nip 10004a18 lr 100049f8 code 1 in
+ cpu_event_pinned_vs_ebb_test[10000000+10000]
+
+Test results after the patch:
+
+ $ ./pmu/ebb/cpu_event_pinned_vs_ebb_test
+ test: cpu_event_pinned_vs_ebb
+ tags: git_version:v5.12-rc5-93-gf28c3125acd3-dirty
+ Binding to cpu 8
+ EBB Handler is at 0x100050c8
+ read error on event 0x7fffe6bd4040!
+ PM_RUN_INST_CMPL: result 9872 running/enabled 37930432
+ success: cpu_event_pinned_vs_ebb
+
+This bug was hidden by other logic until commit 1908dc911792 (perf:
+Tweak perf_event_attr::exclusive semantics).
+
+Fixes: 4df489991182 ("powerpc/perf: Add power8 EBB support")
+Reported-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Signed-off-by: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+[mpe: Mention commit 1908dc911792]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1617725761-1464-1-git-send-email-atrajeev@linux.vnet.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/perf/isa207-common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/perf/isa207-common.c b/arch/powerpc/perf/isa207-common.c
+index dd9f88fed63c..24a78565bca6 100644
+--- a/arch/powerpc/perf/isa207-common.c
++++ b/arch/powerpc/perf/isa207-common.c
+@@ -361,8 +361,8 @@ ebb_bhrb:
+ * EBB events are pinned & exclusive, so this should never actually
+ * hit, but we leave it as a fallback in case.
+ */
+- mask |= CNST_EBB_VAL(ebb);
+- value |= CNST_EBB_MASK;
++ mask |= CNST_EBB_MASK;
++ value |= CNST_EBB_VAL(ebb);
+
+ *maskp = mask;
+ *valp = value;
+--
+2.30.2
+
--- /dev/null
+From e20bc2690e957ac604a8a63a3d94ac9744163559 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Mar 2021 13:08:29 -0700
+Subject: powerpc/prom: Mark identical_pvr_fixup as __init
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit 1ef1dd9c7ed27b080445e1576e8a05957e0e4dfc ]
+
+If identical_pvr_fixup() is not inlined, there are two modpost warnings:
+
+WARNING: modpost: vmlinux.o(.text+0x54e8): Section mismatch in reference
+from the function identical_pvr_fixup() to the function
+.init.text:of_get_flat_dt_prop()
+The function identical_pvr_fixup() references
+the function __init of_get_flat_dt_prop().
+This is often because identical_pvr_fixup lacks a __init
+annotation or the annotation of of_get_flat_dt_prop is wrong.
+
+WARNING: modpost: vmlinux.o(.text+0x551c): Section mismatch in reference
+from the function identical_pvr_fixup() to the function
+.init.text:identify_cpu()
+The function identical_pvr_fixup() references
+the function __init identify_cpu().
+This is often because identical_pvr_fixup lacks a __init
+annotation or the annotation of identify_cpu is wrong.
+
+identical_pvr_fixup() calls two functions marked as __init and is only
+called by a function marked as __init so it should be marked as __init
+as well. At the same time, remove the inline keywork as it is not
+necessary to inline this function. The compiler is still free to do so
+if it feels it is worthwhile since commit 889b3c1245de ("compiler:
+remove CONFIG_OPTIMIZE_INLINING entirely").
+
+Fixes: 14b3d926a22b ("[POWERPC] 4xx: update 440EP(x)/440GR(x) identical PVR issue workaround")
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://github.com/ClangBuiltLinux/linux/issues/1316
+Link: https://lore.kernel.org/r/20210302200829.2680663-1-nathan@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/prom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kernel/prom.c b/arch/powerpc/kernel/prom.c
+index bbe9c57dd1a3..99409d0420d2 100644
+--- a/arch/powerpc/kernel/prom.c
++++ b/arch/powerpc/kernel/prom.c
+@@ -265,7 +265,7 @@ static struct feature_property {
+ };
+
+ #if defined(CONFIG_44x) && defined(CONFIG_PPC_FPU)
+-static inline void identical_pvr_fixup(unsigned long node)
++static __init void identical_pvr_fixup(unsigned long node)
+ {
+ unsigned int pvr;
+ const char *model = of_get_flat_dt_prop(node, "model", NULL);
+--
+2.30.2
+
--- /dev/null
+From 86aee92df58c181973aa121018cc23fa5892eb1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Feb 2021 12:24:35 -0600
+Subject: powerpc/pseries: extract host bridge from pci_bus prior to bus
+ removal
+
+From: Tyrel Datwyler <tyreld@linux.ibm.com>
+
+[ Upstream commit 38d0b1c9cec71e6d0f3bddef0bbce41d05a3e796 ]
+
+The pci_bus->bridge reference may no longer be valid after
+pci_bus_remove() resulting in passing a bad value to device_unregister()
+for the associated bridge device.
+
+Store the host_bridge reference in a separate variable prior to
+pci_bus_remove().
+
+Fixes: 7340056567e3 ("powerpc/pci: Reorder pci bus/bridge unregistration during PHB removal")
+Signed-off-by: Tyrel Datwyler <tyreld@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210211182435.47968-1-tyreld@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/pseries/pci_dlpar.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/platforms/pseries/pci_dlpar.c b/arch/powerpc/platforms/pseries/pci_dlpar.c
+index 561917fa54a8..afca4b737e80 100644
+--- a/arch/powerpc/platforms/pseries/pci_dlpar.c
++++ b/arch/powerpc/platforms/pseries/pci_dlpar.c
+@@ -66,6 +66,7 @@ EXPORT_SYMBOL_GPL(init_phb_dynamic);
+ int remove_phb_dynamic(struct pci_controller *phb)
+ {
+ struct pci_bus *b = phb->bus;
++ struct pci_host_bridge *host_bridge = to_pci_host_bridge(b->bridge);
+ struct resource *res;
+ int rc, i;
+
+@@ -92,7 +93,8 @@ int remove_phb_dynamic(struct pci_controller *phb)
+ /* Remove the PCI bus and unregister the bridge device from sysfs */
+ phb->bus = NULL;
+ pci_remove_bus(b);
+- device_unregister(b->bridge);
++ host_bridge->bus = NULL;
++ device_unregister(&host_bridge->dev);
+
+ /* Now release the IO resource */
+ if (res->flags & IORESOURCE_IO)
+--
+2.30.2
+
--- /dev/null
+From 8843f26d55cf7dd5ea6a4aee0155c121acc5a570 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Apr 2021 19:21:04 -0500
+Subject: RDMA/i40iw: Fix error unwinding when i40iw_hmc_sd_one fails
+
+From: Sindhu Devale <sindhu.devale@intel.com>
+
+[ Upstream commit 783a11bf2400e5d5c42a943c3083dc0330751842 ]
+
+When i40iw_hmc_sd_one fails, chunk is freed without the deletion of chunk
+entry in the PBLE info list.
+
+Fix it by adding the chunk entry to the PBLE info list only after
+successful addition of SD in i40iw_hmc_sd_one.
+
+This fixes a static checker warning reported here:
+ https://lore.kernel.org/linux-rdma/YHV4CFXzqTm23AOZ@mwanda/
+
+Fixes: 9715830157be ("i40iw: add pble resource files")
+Link: https://lore.kernel.org/r/20210416002104.323-1-shiraz.saleem@intel.com
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Sindhu Devale <sindhu.devale@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/i40iw/i40iw_pble.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/infiniband/hw/i40iw/i40iw_pble.c b/drivers/infiniband/hw/i40iw/i40iw_pble.c
+index 540aab5e502d..3fafc5424e76 100644
+--- a/drivers/infiniband/hw/i40iw/i40iw_pble.c
++++ b/drivers/infiniband/hw/i40iw/i40iw_pble.c
+@@ -392,12 +392,9 @@ static enum i40iw_status_code add_pble_pool(struct i40iw_sc_dev *dev,
+ i40iw_debug(dev, I40IW_DEBUG_PBLE, "next_fpm_addr = %llx chunk_size[%u] = 0x%x\n",
+ pble_rsrc->next_fpm_addr, chunk->size, chunk->size);
+ pble_rsrc->unallocated_pble -= (chunk->size >> 3);
+- list_add(&chunk->list, &pble_rsrc->pinfo.clist);
+ sd_reg_val = (sd_entry_type == I40IW_SD_TYPE_PAGED) ?
+ sd_entry->u.pd_table.pd_page_addr.pa : sd_entry->u.bp.addr.pa;
+- if (sd_entry->valid)
+- return 0;
+- if (dev->is_pf) {
++ if (dev->is_pf && !sd_entry->valid) {
+ ret_code = i40iw_hmc_sd_one(dev, hmc_info->hmc_fn_id,
+ sd_reg_val, idx->sd_idx,
+ sd_entry->entry_type, true);
+@@ -408,6 +405,7 @@ static enum i40iw_status_code add_pble_pool(struct i40iw_sc_dev *dev,
+ }
+
+ sd_entry->valid = true;
++ list_add(&chunk->list, &pble_rsrc->pinfo.clist);
+ return 0;
+ error:
+ kfree(chunk);
+--
+2.30.2
+
--- /dev/null
+From 9f4b7f7aa60307b56c97bf1f60f622432f22cca7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Feb 2021 13:26:07 +0800
+Subject: rtlwifi: 8821ae: upgrade PHY and RF parameters
+
+From: Ping-Ke Shih <pkshih@realtek.com>
+
+[ Upstream commit 18fb0bedb5fc2fddc057dbe48b7360a6ffda34b3 ]
+
+The signal strength of 5G is quite low, so user can't connect to an AP far
+away. New parameters with new format and its parser are updated by the commit
+84d26fda52e2 ("rtlwifi: Update 8821ae new phy parameters and its parser."), but
+some parameters are missing. Use this commit to update to the novel parameters
+that use new format.
+
+Fixes: 84d26fda52e2 ("rtlwifi: Update 8821ae new phy parameters and its parser")
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Tested-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210219052607.7323-1-pkshih@realtek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../realtek/rtlwifi/rtl8821ae/table.c | 500 +++++++++++++-----
+ 1 file changed, 370 insertions(+), 130 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/table.c b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/table.c
+index 408c4611e5de..607bb7601892 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/table.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/table.c
+@@ -273,7 +273,7 @@ u32 RTL8821AE_PHY_REG_ARRAY[] = {
+ 0x824, 0x00030FE0,
+ 0x828, 0x00000000,
+ 0x82C, 0x002081DD,
+- 0x830, 0x2AAA8E24,
++ 0x830, 0x2AAAEEC8,
+ 0x834, 0x0037A706,
+ 0x838, 0x06489B44,
+ 0x83C, 0x0000095B,
+@@ -348,10 +348,10 @@ u32 RTL8821AE_PHY_REG_ARRAY[] = {
+ 0x9D8, 0x00000000,
+ 0x9DC, 0x00000000,
+ 0x9E0, 0x00005D00,
+- 0x9E4, 0x00000002,
++ 0x9E4, 0x00000003,
+ 0x9E8, 0x00000001,
+ 0xA00, 0x00D047C8,
+- 0xA04, 0x01FF000C,
++ 0xA04, 0x01FF800C,
+ 0xA08, 0x8C8A8300,
+ 0xA0C, 0x2E68000F,
+ 0xA10, 0x9500BB78,
+@@ -1347,7 +1347,11 @@ u32 RTL8821AE_RADIOA_ARRAY[] = {
+ 0x083, 0x00021800,
+ 0x084, 0x00028000,
+ 0x085, 0x00048000,
++ 0x80000111, 0x00000000, 0x40000000, 0x00000000,
++ 0x086, 0x0009483A,
++ 0xA0000000, 0x00000000,
+ 0x086, 0x00094838,
++ 0xB0000000, 0x00000000,
+ 0x087, 0x00044980,
+ 0x088, 0x00048000,
+ 0x089, 0x0000D480,
+@@ -1436,36 +1440,32 @@ u32 RTL8821AE_RADIOA_ARRAY[] = {
+ 0x03C, 0x000CA000,
+ 0x0EF, 0x00000000,
+ 0x0EF, 0x00001100,
+- 0xFF0F0104, 0xABCD,
++ 0x80000111, 0x00000000, 0x40000000, 0x00000000,
+ 0x034, 0x0004ADF3,
+ 0x034, 0x00049DF0,
+- 0xFF0F0204, 0xCDEF,
++ 0x90000110, 0x00000000, 0x40000000, 0x00000000,
+ 0x034, 0x0004ADF3,
+ 0x034, 0x00049DF0,
+- 0xFF0F0404, 0xCDEF,
+- 0x034, 0x0004ADF3,
+- 0x034, 0x00049DF0,
+- 0xFF0F0200, 0xCDEF,
++ 0x90000210, 0x00000000, 0x40000000, 0x00000000,
+ 0x034, 0x0004ADF5,
+ 0x034, 0x00049DF2,
+- 0xFF0F02C0, 0xCDEF,
++ 0x9000020c, 0x00000000, 0x40000000, 0x00000000,
++ 0x034, 0x0004A0F3,
++ 0x034, 0x000490B1,
++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000,
+ 0x034, 0x0004A0F3,
+ 0x034, 0x000490B1,
+- 0xCDCDCDCD, 0xCDCD,
++ 0x90000200, 0x00000000, 0x40000000, 0x00000000,
++ 0x034, 0x0004ADF5,
++ 0x034, 0x00049DF2,
++ 0x90000410, 0x00000000, 0x40000000, 0x00000000,
++ 0x034, 0x0004ADF3,
++ 0x034, 0x00049DF0,
++ 0xA0000000, 0x00000000,
+ 0x034, 0x0004ADF7,
+ 0x034, 0x00049DF3,
+- 0xFF0F0104, 0xDEAD,
+- 0xFF0F0104, 0xABCD,
+- 0x034, 0x00048DED,
+- 0x034, 0x00047DEA,
+- 0x034, 0x00046DE7,
+- 0x034, 0x00045CE9,
+- 0x034, 0x00044CE6,
+- 0x034, 0x000438C6,
+- 0x034, 0x00042886,
+- 0x034, 0x00041486,
+- 0x034, 0x00040447,
+- 0xFF0F0204, 0xCDEF,
++ 0xB0000000, 0x00000000,
++ 0x80000111, 0x00000000, 0x40000000, 0x00000000,
+ 0x034, 0x00048DED,
+ 0x034, 0x00047DEA,
+ 0x034, 0x00046DE7,
+@@ -1475,7 +1475,7 @@ u32 RTL8821AE_RADIOA_ARRAY[] = {
+ 0x034, 0x00042886,
+ 0x034, 0x00041486,
+ 0x034, 0x00040447,
+- 0xFF0F0404, 0xCDEF,
++ 0x90000110, 0x00000000, 0x40000000, 0x00000000,
+ 0x034, 0x00048DED,
+ 0x034, 0x00047DEA,
+ 0x034, 0x00046DE7,
+@@ -1485,7 +1485,17 @@ u32 RTL8821AE_RADIOA_ARRAY[] = {
+ 0x034, 0x00042886,
+ 0x034, 0x00041486,
+ 0x034, 0x00040447,
+- 0xFF0F02C0, 0xCDEF,
++ 0x9000020c, 0x00000000, 0x40000000, 0x00000000,
++ 0x034, 0x000480AE,
++ 0x034, 0x000470AB,
++ 0x034, 0x0004608B,
++ 0x034, 0x00045069,
++ 0x034, 0x00044048,
++ 0x034, 0x00043045,
++ 0x034, 0x00042026,
++ 0x034, 0x00041023,
++ 0x034, 0x00040002,
++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000,
+ 0x034, 0x000480AE,
+ 0x034, 0x000470AB,
+ 0x034, 0x0004608B,
+@@ -1495,7 +1505,17 @@ u32 RTL8821AE_RADIOA_ARRAY[] = {
+ 0x034, 0x00042026,
+ 0x034, 0x00041023,
+ 0x034, 0x00040002,
+- 0xCDCDCDCD, 0xCDCD,
++ 0x90000410, 0x00000000, 0x40000000, 0x00000000,
++ 0x034, 0x00048DED,
++ 0x034, 0x00047DEA,
++ 0x034, 0x00046DE7,
++ 0x034, 0x00045CE9,
++ 0x034, 0x00044CE6,
++ 0x034, 0x000438C6,
++ 0x034, 0x00042886,
++ 0x034, 0x00041486,
++ 0x034, 0x00040447,
++ 0xA0000000, 0x00000000,
+ 0x034, 0x00048DEF,
+ 0x034, 0x00047DEC,
+ 0x034, 0x00046DE9,
+@@ -1505,38 +1525,36 @@ u32 RTL8821AE_RADIOA_ARRAY[] = {
+ 0x034, 0x0004248A,
+ 0x034, 0x0004108D,
+ 0x034, 0x0004008A,
+- 0xFF0F0104, 0xDEAD,
+- 0xFF0F0200, 0xABCD,
++ 0xB0000000, 0x00000000,
++ 0x80000210, 0x00000000, 0x40000000, 0x00000000,
+ 0x034, 0x0002ADF4,
+- 0xFF0F02C0, 0xCDEF,
++ 0x9000020c, 0x00000000, 0x40000000, 0x00000000,
++ 0x034, 0x0002A0F3,
++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000,
+ 0x034, 0x0002A0F3,
+- 0xCDCDCDCD, 0xCDCD,
++ 0x90000200, 0x00000000, 0x40000000, 0x00000000,
++ 0x034, 0x0002ADF4,
++ 0xA0000000, 0x00000000,
+ 0x034, 0x0002ADF7,
+- 0xFF0F0200, 0xDEAD,
+- 0xFF0F0104, 0xABCD,
+- 0x034, 0x00029DF4,
+- 0xFF0F0204, 0xCDEF,
++ 0xB0000000, 0x00000000,
++ 0x80000111, 0x00000000, 0x40000000, 0x00000000,
+ 0x034, 0x00029DF4,
+- 0xFF0F0404, 0xCDEF,
++ 0x90000110, 0x00000000, 0x40000000, 0x00000000,
+ 0x034, 0x00029DF4,
+- 0xFF0F0200, 0xCDEF,
++ 0x90000210, 0x00000000, 0x40000000, 0x00000000,
+ 0x034, 0x00029DF1,
+- 0xFF0F02C0, 0xCDEF,
++ 0x9000020c, 0x00000000, 0x40000000, 0x00000000,
++ 0x034, 0x000290F0,
++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000,
+ 0x034, 0x000290F0,
+- 0xCDCDCDCD, 0xCDCD,
++ 0x90000200, 0x00000000, 0x40000000, 0x00000000,
++ 0x034, 0x00029DF1,
++ 0x90000410, 0x00000000, 0x40000000, 0x00000000,
++ 0x034, 0x00029DF4,
++ 0xA0000000, 0x00000000,
+ 0x034, 0x00029DF2,
+- 0xFF0F0104, 0xDEAD,
+- 0xFF0F0104, 0xABCD,
+- 0x034, 0x00028DF1,
+- 0x034, 0x00027DEE,
+- 0x034, 0x00026DEB,
+- 0x034, 0x00025CEC,
+- 0x034, 0x00024CE9,
+- 0x034, 0x000238CA,
+- 0x034, 0x00022889,
+- 0x034, 0x00021489,
+- 0x034, 0x0002044A,
+- 0xFF0F0204, 0xCDEF,
++ 0xB0000000, 0x00000000,
++ 0x80000111, 0x00000000, 0x40000000, 0x00000000,
+ 0x034, 0x00028DF1,
+ 0x034, 0x00027DEE,
+ 0x034, 0x00026DEB,
+@@ -1546,7 +1564,7 @@ u32 RTL8821AE_RADIOA_ARRAY[] = {
+ 0x034, 0x00022889,
+ 0x034, 0x00021489,
+ 0x034, 0x0002044A,
+- 0xFF0F0404, 0xCDEF,
++ 0x90000110, 0x00000000, 0x40000000, 0x00000000,
+ 0x034, 0x00028DF1,
+ 0x034, 0x00027DEE,
+ 0x034, 0x00026DEB,
+@@ -1556,7 +1574,7 @@ u32 RTL8821AE_RADIOA_ARRAY[] = {
+ 0x034, 0x00022889,
+ 0x034, 0x00021489,
+ 0x034, 0x0002044A,
+- 0xFF0F02C0, 0xCDEF,
++ 0x9000020c, 0x00000000, 0x40000000, 0x00000000,
+ 0x034, 0x000280AF,
+ 0x034, 0x000270AC,
+ 0x034, 0x0002608B,
+@@ -1566,7 +1584,27 @@ u32 RTL8821AE_RADIOA_ARRAY[] = {
+ 0x034, 0x00022026,
+ 0x034, 0x00021023,
+ 0x034, 0x00020002,
+- 0xCDCDCDCD, 0xCDCD,
++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000,
++ 0x034, 0x000280AF,
++ 0x034, 0x000270AC,
++ 0x034, 0x0002608B,
++ 0x034, 0x00025069,
++ 0x034, 0x00024048,
++ 0x034, 0x00023045,
++ 0x034, 0x00022026,
++ 0x034, 0x00021023,
++ 0x034, 0x00020002,
++ 0x90000410, 0x00000000, 0x40000000, 0x00000000,
++ 0x034, 0x00028DF1,
++ 0x034, 0x00027DEE,
++ 0x034, 0x00026DEB,
++ 0x034, 0x00025CEC,
++ 0x034, 0x00024CE9,
++ 0x034, 0x000238CA,
++ 0x034, 0x00022889,
++ 0x034, 0x00021489,
++ 0x034, 0x0002044A,
++ 0xA0000000, 0x00000000,
+ 0x034, 0x00028DEE,
+ 0x034, 0x00027DEB,
+ 0x034, 0x00026CCD,
+@@ -1576,27 +1614,24 @@ u32 RTL8821AE_RADIOA_ARRAY[] = {
+ 0x034, 0x00022849,
+ 0x034, 0x00021449,
+ 0x034, 0x0002004D,
+- 0xFF0F0104, 0xDEAD,
+- 0xFF0F02C0, 0xABCD,
++ 0xB0000000, 0x00000000,
++ 0x8000020c, 0x00000000, 0x40000000, 0x00000000,
++ 0x034, 0x0000A0D7,
++ 0x034, 0x000090D3,
++ 0x034, 0x000080B1,
++ 0x034, 0x000070AE,
++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000,
+ 0x034, 0x0000A0D7,
+ 0x034, 0x000090D3,
+ 0x034, 0x000080B1,
+ 0x034, 0x000070AE,
+- 0xCDCDCDCD, 0xCDCD,
++ 0xA0000000, 0x00000000,
+ 0x034, 0x0000ADF7,
+ 0x034, 0x00009DF4,
+ 0x034, 0x00008DF1,
+ 0x034, 0x00007DEE,
+- 0xFF0F02C0, 0xDEAD,
+- 0xFF0F0104, 0xABCD,
+- 0x034, 0x00006DEB,
+- 0x034, 0x00005CEC,
+- 0x034, 0x00004CE9,
+- 0x034, 0x000038CA,
+- 0x034, 0x00002889,
+- 0x034, 0x00001489,
+- 0x034, 0x0000044A,
+- 0xFF0F0204, 0xCDEF,
++ 0xB0000000, 0x00000000,
++ 0x80000111, 0x00000000, 0x40000000, 0x00000000,
+ 0x034, 0x00006DEB,
+ 0x034, 0x00005CEC,
+ 0x034, 0x00004CE9,
+@@ -1604,7 +1639,7 @@ u32 RTL8821AE_RADIOA_ARRAY[] = {
+ 0x034, 0x00002889,
+ 0x034, 0x00001489,
+ 0x034, 0x0000044A,
+- 0xFF0F0404, 0xCDEF,
++ 0x90000110, 0x00000000, 0x40000000, 0x00000000,
+ 0x034, 0x00006DEB,
+ 0x034, 0x00005CEC,
+ 0x034, 0x00004CE9,
+@@ -1612,7 +1647,7 @@ u32 RTL8821AE_RADIOA_ARRAY[] = {
+ 0x034, 0x00002889,
+ 0x034, 0x00001489,
+ 0x034, 0x0000044A,
+- 0xFF0F02C0, 0xCDEF,
++ 0x9000020c, 0x00000000, 0x40000000, 0x00000000,
+ 0x034, 0x0000608D,
+ 0x034, 0x0000506B,
+ 0x034, 0x0000404A,
+@@ -1620,7 +1655,23 @@ u32 RTL8821AE_RADIOA_ARRAY[] = {
+ 0x034, 0x00002044,
+ 0x034, 0x00001025,
+ 0x034, 0x00000004,
+- 0xCDCDCDCD, 0xCDCD,
++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000,
++ 0x034, 0x0000608D,
++ 0x034, 0x0000506B,
++ 0x034, 0x0000404A,
++ 0x034, 0x00003047,
++ 0x034, 0x00002044,
++ 0x034, 0x00001025,
++ 0x034, 0x00000004,
++ 0x90000410, 0x00000000, 0x40000000, 0x00000000,
++ 0x034, 0x00006DEB,
++ 0x034, 0x00005CEC,
++ 0x034, 0x00004CE9,
++ 0x034, 0x000038CA,
++ 0x034, 0x00002889,
++ 0x034, 0x00001489,
++ 0x034, 0x0000044A,
++ 0xA0000000, 0x00000000,
+ 0x034, 0x00006DCD,
+ 0x034, 0x00005CCD,
+ 0x034, 0x00004CCA,
+@@ -1628,11 +1679,11 @@ u32 RTL8821AE_RADIOA_ARRAY[] = {
+ 0x034, 0x00002888,
+ 0x034, 0x00001488,
+ 0x034, 0x00000486,
+- 0xFF0F0104, 0xDEAD,
++ 0xB0000000, 0x00000000,
+ 0x0EF, 0x00000000,
+ 0x018, 0x0001712A,
+ 0x0EF, 0x00000040,
+- 0xFF0F0104, 0xABCD,
++ 0x80000111, 0x00000000, 0x40000000, 0x00000000,
+ 0x035, 0x00000187,
+ 0x035, 0x00008187,
+ 0x035, 0x00010187,
+@@ -1642,7 +1693,7 @@ u32 RTL8821AE_RADIOA_ARRAY[] = {
+ 0x035, 0x00040188,
+ 0x035, 0x00048188,
+ 0x035, 0x00050188,
+- 0xFF0F0204, 0xCDEF,
++ 0x90000110, 0x00000000, 0x40000000, 0x00000000,
+ 0x035, 0x00000187,
+ 0x035, 0x00008187,
+ 0x035, 0x00010187,
+@@ -1652,7 +1703,37 @@ u32 RTL8821AE_RADIOA_ARRAY[] = {
+ 0x035, 0x00040188,
+ 0x035, 0x00048188,
+ 0x035, 0x00050188,
+- 0xFF0F0404, 0xCDEF,
++ 0x90000210, 0x00000000, 0x40000000, 0x00000000,
++ 0x035, 0x00000128,
++ 0x035, 0x00008128,
++ 0x035, 0x00010128,
++ 0x035, 0x000201C8,
++ 0x035, 0x000281C8,
++ 0x035, 0x000301C8,
++ 0x035, 0x000401C8,
++ 0x035, 0x000481C8,
++ 0x035, 0x000501C8,
++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000,
++ 0x035, 0x00000145,
++ 0x035, 0x00008145,
++ 0x035, 0x00010145,
++ 0x035, 0x00020196,
++ 0x035, 0x00028196,
++ 0x035, 0x00030196,
++ 0x035, 0x000401C7,
++ 0x035, 0x000481C7,
++ 0x035, 0x000501C7,
++ 0x90000200, 0x00000000, 0x40000000, 0x00000000,
++ 0x035, 0x00000128,
++ 0x035, 0x00008128,
++ 0x035, 0x00010128,
++ 0x035, 0x000201C8,
++ 0x035, 0x000281C8,
++ 0x035, 0x000301C8,
++ 0x035, 0x000401C8,
++ 0x035, 0x000481C8,
++ 0x035, 0x000501C8,
++ 0x90000410, 0x00000000, 0x40000000, 0x00000000,
+ 0x035, 0x00000187,
+ 0x035, 0x00008187,
+ 0x035, 0x00010187,
+@@ -1662,7 +1743,7 @@ u32 RTL8821AE_RADIOA_ARRAY[] = {
+ 0x035, 0x00040188,
+ 0x035, 0x00048188,
+ 0x035, 0x00050188,
+- 0xCDCDCDCD, 0xCDCD,
++ 0xA0000000, 0x00000000,
+ 0x035, 0x00000145,
+ 0x035, 0x00008145,
+ 0x035, 0x00010145,
+@@ -1672,11 +1753,11 @@ u32 RTL8821AE_RADIOA_ARRAY[] = {
+ 0x035, 0x000401C7,
+ 0x035, 0x000481C7,
+ 0x035, 0x000501C7,
+- 0xFF0F0104, 0xDEAD,
++ 0xB0000000, 0x00000000,
+ 0x0EF, 0x00000000,
+ 0x018, 0x0001712A,
+ 0x0EF, 0x00000010,
+- 0xFF0F0104, 0xABCD,
++ 0x80000111, 0x00000000, 0x40000000, 0x00000000,
+ 0x036, 0x00085733,
+ 0x036, 0x0008D733,
+ 0x036, 0x00095733,
+@@ -1689,7 +1770,7 @@ u32 RTL8821AE_RADIOA_ARRAY[] = {
+ 0x036, 0x000CE4B4,
+ 0x036, 0x000D64B4,
+ 0x036, 0x000DE4B4,
+- 0xFF0F0204, 0xCDEF,
++ 0x90000110, 0x00000000, 0x40000000, 0x00000000,
+ 0x036, 0x00085733,
+ 0x036, 0x0008D733,
+ 0x036, 0x00095733,
+@@ -1702,7 +1783,46 @@ u32 RTL8821AE_RADIOA_ARRAY[] = {
+ 0x036, 0x000CE4B4,
+ 0x036, 0x000D64B4,
+ 0x036, 0x000DE4B4,
+- 0xFF0F0404, 0xCDEF,
++ 0x90000210, 0x00000000, 0x40000000, 0x00000000,
++ 0x036, 0x000063B5,
++ 0x036, 0x0000E3B5,
++ 0x036, 0x000163B5,
++ 0x036, 0x0001E3B5,
++ 0x036, 0x000263B5,
++ 0x036, 0x0002E3B5,
++ 0x036, 0x000363B5,
++ 0x036, 0x0003E3B5,
++ 0x036, 0x000463B5,
++ 0x036, 0x0004E3B5,
++ 0x036, 0x000563B5,
++ 0x036, 0x0005E3B5,
++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000,
++ 0x036, 0x000056B3,
++ 0x036, 0x0000D6B3,
++ 0x036, 0x000156B3,
++ 0x036, 0x0001D6B3,
++ 0x036, 0x00026634,
++ 0x036, 0x0002E634,
++ 0x036, 0x00036634,
++ 0x036, 0x0003E634,
++ 0x036, 0x000467B4,
++ 0x036, 0x0004E7B4,
++ 0x036, 0x000567B4,
++ 0x036, 0x0005E7B4,
++ 0x90000200, 0x00000000, 0x40000000, 0x00000000,
++ 0x036, 0x000063B5,
++ 0x036, 0x0000E3B5,
++ 0x036, 0x000163B5,
++ 0x036, 0x0001E3B5,
++ 0x036, 0x000263B5,
++ 0x036, 0x0002E3B5,
++ 0x036, 0x000363B5,
++ 0x036, 0x0003E3B5,
++ 0x036, 0x000463B5,
++ 0x036, 0x0004E3B5,
++ 0x036, 0x000563B5,
++ 0x036, 0x0005E3B5,
++ 0x90000410, 0x00000000, 0x40000000, 0x00000000,
+ 0x036, 0x00085733,
+ 0x036, 0x0008D733,
+ 0x036, 0x00095733,
+@@ -1715,7 +1835,7 @@ u32 RTL8821AE_RADIOA_ARRAY[] = {
+ 0x036, 0x000CE4B4,
+ 0x036, 0x000D64B4,
+ 0x036, 0x000DE4B4,
+- 0xCDCDCDCD, 0xCDCD,
++ 0xA0000000, 0x00000000,
+ 0x036, 0x000056B3,
+ 0x036, 0x0000D6B3,
+ 0x036, 0x000156B3,
+@@ -1728,103 +1848,162 @@ u32 RTL8821AE_RADIOA_ARRAY[] = {
+ 0x036, 0x0004E7B4,
+ 0x036, 0x000567B4,
+ 0x036, 0x0005E7B4,
+- 0xFF0F0104, 0xDEAD,
++ 0xB0000000, 0x00000000,
+ 0x0EF, 0x00000000,
+ 0x0EF, 0x00000008,
+- 0xFF0F0104, 0xABCD,
++ 0x80000111, 0x00000000, 0x40000000, 0x00000000,
+ 0x03C, 0x000001C8,
+ 0x03C, 0x00000492,
+- 0xFF0F0204, 0xCDEF,
++ 0x90000110, 0x00000000, 0x40000000, 0x00000000,
+ 0x03C, 0x000001C8,
+ 0x03C, 0x00000492,
+- 0xFF0F0404, 0xCDEF,
++ 0x90000210, 0x00000000, 0x40000000, 0x00000000,
++ 0x03C, 0x000001B6,
++ 0x03C, 0x00000492,
++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000,
++ 0x03C, 0x0000022A,
++ 0x03C, 0x00000594,
++ 0x90000200, 0x00000000, 0x40000000, 0x00000000,
++ 0x03C, 0x000001B6,
++ 0x03C, 0x00000492,
++ 0x90000410, 0x00000000, 0x40000000, 0x00000000,
+ 0x03C, 0x000001C8,
+ 0x03C, 0x00000492,
+- 0xCDCDCDCD, 0xCDCD,
++ 0xA0000000, 0x00000000,
+ 0x03C, 0x0000022A,
+ 0x03C, 0x00000594,
+- 0xFF0F0104, 0xDEAD,
+- 0xFF0F0104, 0xABCD,
++ 0xB0000000, 0x00000000,
++ 0x80000111, 0x00000000, 0x40000000, 0x00000000,
+ 0x03C, 0x00000800,
+- 0xFF0F0204, 0xCDEF,
++ 0x90000110, 0x00000000, 0x40000000, 0x00000000,
+ 0x03C, 0x00000800,
+- 0xFF0F0404, 0xCDEF,
++ 0x90000210, 0x00000000, 0x40000000, 0x00000000,
+ 0x03C, 0x00000800,
+- 0xFF0F02C0, 0xCDEF,
++ 0x9000020c, 0x00000000, 0x40000000, 0x00000000,
+ 0x03C, 0x00000820,
+- 0xCDCDCDCD, 0xCDCD,
++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000,
++ 0x03C, 0x00000820,
++ 0x90000200, 0x00000000, 0x40000000, 0x00000000,
++ 0x03C, 0x00000800,
++ 0x90000410, 0x00000000, 0x40000000, 0x00000000,
++ 0x03C, 0x00000800,
++ 0xA0000000, 0x00000000,
+ 0x03C, 0x00000900,
+- 0xFF0F0104, 0xDEAD,
++ 0xB0000000, 0x00000000,
+ 0x0EF, 0x00000000,
+ 0x018, 0x0001712A,
+ 0x0EF, 0x00000002,
+- 0xFF0F0104, 0xABCD,
++ 0x80000111, 0x00000000, 0x40000000, 0x00000000,
+ 0x008, 0x0004E400,
+- 0xFF0F0204, 0xCDEF,
++ 0x90000110, 0x00000000, 0x40000000, 0x00000000,
+ 0x008, 0x0004E400,
+- 0xFF0F0404, 0xCDEF,
++ 0x90000210, 0x00000000, 0x40000000, 0x00000000,
++ 0x008, 0x00002000,
++ 0x9000020c, 0x00000000, 0x40000000, 0x00000000,
++ 0x008, 0x00002000,
++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000,
++ 0x008, 0x00002000,
++ 0x90000200, 0x00000000, 0x40000000, 0x00000000,
++ 0x008, 0x00002000,
++ 0x90000410, 0x00000000, 0x40000000, 0x00000000,
+ 0x008, 0x0004E400,
+- 0xCDCDCDCD, 0xCDCD,
++ 0xA0000000, 0x00000000,
+ 0x008, 0x00002000,
+- 0xFF0F0104, 0xDEAD,
++ 0xB0000000, 0x00000000,
+ 0x0EF, 0x00000000,
+ 0x0DF, 0x000000C0,
+- 0x01F, 0x00040064,
+- 0xFF0F0104, 0xABCD,
++ 0x01F, 0x00000064,
++ 0x80000111, 0x00000000, 0x40000000, 0x00000000,
+ 0x058, 0x000A7284,
+ 0x059, 0x000600EC,
+- 0xFF0F0204, 0xCDEF,
++ 0x90000110, 0x00000000, 0x40000000, 0x00000000,
+ 0x058, 0x000A7284,
+ 0x059, 0x000600EC,
+- 0xFF0F0404, 0xCDEF,
++ 0x9000020c, 0x00000000, 0x40000000, 0x00000000,
++ 0x058, 0x00081184,
++ 0x059, 0x0006016C,
++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000,
++ 0x058, 0x00081184,
++ 0x059, 0x0006016C,
++ 0x90000200, 0x00000000, 0x40000000, 0x00000000,
++ 0x058, 0x00081184,
++ 0x059, 0x0006016C,
++ 0x90000410, 0x00000000, 0x40000000, 0x00000000,
+ 0x058, 0x000A7284,
+ 0x059, 0x000600EC,
+- 0xCDCDCDCD, 0xCDCD,
++ 0xA0000000, 0x00000000,
+ 0x058, 0x00081184,
+ 0x059, 0x0006016C,
+- 0xFF0F0104, 0xDEAD,
+- 0xFF0F0104, 0xABCD,
++ 0xB0000000, 0x00000000,
++ 0x80000111, 0x00000000, 0x40000000, 0x00000000,
+ 0x061, 0x000E8D73,
+ 0x062, 0x00093FC5,
+- 0xFF0F0204, 0xCDEF,
++ 0x90000110, 0x00000000, 0x40000000, 0x00000000,
+ 0x061, 0x000E8D73,
+ 0x062, 0x00093FC5,
+- 0xFF0F0404, 0xCDEF,
++ 0x90000210, 0x00000000, 0x40000000, 0x00000000,
++ 0x061, 0x000EFD83,
++ 0x062, 0x00093FCC,
++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000,
++ 0x061, 0x000EAD53,
++ 0x062, 0x00093BC4,
++ 0x90000200, 0x00000000, 0x40000000, 0x00000000,
++ 0x061, 0x000EFD83,
++ 0x062, 0x00093FCC,
++ 0x90000410, 0x00000000, 0x40000000, 0x00000000,
+ 0x061, 0x000E8D73,
+ 0x062, 0x00093FC5,
+- 0xCDCDCDCD, 0xCDCD,
++ 0xA0000000, 0x00000000,
+ 0x061, 0x000EAD53,
+ 0x062, 0x00093BC4,
+- 0xFF0F0104, 0xDEAD,
+- 0xFF0F0104, 0xABCD,
++ 0xB0000000, 0x00000000,
++ 0x80000111, 0x00000000, 0x40000000, 0x00000000,
+ 0x063, 0x000110E9,
+- 0xFF0F0204, 0xCDEF,
++ 0x90000110, 0x00000000, 0x40000000, 0x00000000,
+ 0x063, 0x000110E9,
+- 0xFF0F0404, 0xCDEF,
++ 0x90000210, 0x00000000, 0x40000000, 0x00000000,
++ 0x063, 0x000110EB,
++ 0x9000020c, 0x00000000, 0x40000000, 0x00000000,
+ 0x063, 0x000110E9,
+- 0xFF0F0200, 0xCDEF,
+- 0x063, 0x000710E9,
+- 0xFF0F02C0, 0xCDEF,
++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000,
+ 0x063, 0x000110E9,
+- 0xCDCDCDCD, 0xCDCD,
++ 0x90000200, 0x00000000, 0x40000000, 0x00000000,
++ 0x063, 0x000110EB,
++ 0x90000410, 0x00000000, 0x40000000, 0x00000000,
++ 0x063, 0x000110E9,
++ 0xA0000000, 0x00000000,
+ 0x063, 0x000714E9,
+- 0xFF0F0104, 0xDEAD,
+- 0xFF0F0104, 0xABCD,
++ 0xB0000000, 0x00000000,
++ 0x80000111, 0x00000000, 0x40000000, 0x00000000,
++ 0x064, 0x0001C27C,
++ 0x90000110, 0x00000000, 0x40000000, 0x00000000,
++ 0x064, 0x0001C27C,
++ 0x90000210, 0x00000000, 0x40000000, 0x00000000,
+ 0x064, 0x0001C27C,
+- 0xFF0F0204, 0xCDEF,
++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000,
++ 0x064, 0x0001C67C,
++ 0x90000200, 0x00000000, 0x40000000, 0x00000000,
+ 0x064, 0x0001C27C,
+- 0xFF0F0404, 0xCDEF,
++ 0x90000410, 0x00000000, 0x40000000, 0x00000000,
+ 0x064, 0x0001C27C,
+- 0xCDCDCDCD, 0xCDCD,
++ 0xA0000000, 0x00000000,
+ 0x064, 0x0001C67C,
+- 0xFF0F0104, 0xDEAD,
+- 0xFF0F0200, 0xABCD,
++ 0xB0000000, 0x00000000,
++ 0x80000111, 0x00000000, 0x40000000, 0x00000000,
++ 0x065, 0x00091016,
++ 0x90000110, 0x00000000, 0x40000000, 0x00000000,
++ 0x065, 0x00091016,
++ 0x90000210, 0x00000000, 0x40000000, 0x00000000,
+ 0x065, 0x00093016,
+- 0xFF0F02C0, 0xCDEF,
++ 0x9000020c, 0x00000000, 0x40000000, 0x00000000,
+ 0x065, 0x00093015,
+- 0xCDCDCDCD, 0xCDCD,
++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000,
++ 0x065, 0x00093015,
++ 0x90000200, 0x00000000, 0x40000000, 0x00000000,
++ 0x065, 0x00093016,
++ 0xA0000000, 0x00000000,
+ 0x065, 0x00091016,
+- 0xFF0F0200, 0xDEAD,
++ 0xB0000000, 0x00000000,
+ 0x018, 0x00000006,
+ 0x0EF, 0x00002000,
+ 0x03B, 0x0003824B,
+@@ -1922,9 +2101,10 @@ u32 RTL8821AE_RADIOA_ARRAY[] = {
+ 0x0B4, 0x0001214C,
+ 0x0B7, 0x0003000C,
+ 0x01C, 0x000539D2,
++ 0x0C4, 0x000AFE00,
+ 0x018, 0x0001F12A,
+- 0x0FE, 0x00000000,
+- 0x0FE, 0x00000000,
++ 0xFFE, 0x00000000,
++ 0xFFE, 0x00000000,
+ 0x018, 0x0001712A,
+
+ };
+@@ -2044,6 +2224,7 @@ u32 RTL8812AE_MAC_REG_ARRAY[] = {
+ u32 RTL8812AE_MAC_1T_ARRAYLEN = sizeof(RTL8812AE_MAC_REG_ARRAY) / sizeof(u32);
+
+ u32 RTL8821AE_MAC_REG_ARRAY[] = {
++ 0x421, 0x0000000F,
+ 0x428, 0x0000000A,
+ 0x429, 0x00000010,
+ 0x430, 0x00000000,
+@@ -2513,7 +2694,7 @@ u32 RTL8821AE_AGC_TAB_ARRAY[] = {
+ 0x81C, 0xA6360001,
+ 0x81C, 0xA5380001,
+ 0x81C, 0xA43A0001,
+- 0x81C, 0xA33C0001,
++ 0x81C, 0x683C0001,
+ 0x81C, 0x673E0001,
+ 0x81C, 0x66400001,
+ 0x81C, 0x65420001,
+@@ -2547,7 +2728,66 @@ u32 RTL8821AE_AGC_TAB_ARRAY[] = {
+ 0x81C, 0x017A0001,
+ 0x81C, 0x017C0001,
+ 0x81C, 0x017E0001,
+- 0xFF0F02C0, 0xABCD,
++ 0x8000020c, 0x00000000, 0x40000000, 0x00000000,
++ 0x81C, 0xFB000101,
++ 0x81C, 0xFA020101,
++ 0x81C, 0xF9040101,
++ 0x81C, 0xF8060101,
++ 0x81C, 0xF7080101,
++ 0x81C, 0xF60A0101,
++ 0x81C, 0xF50C0101,
++ 0x81C, 0xF40E0101,
++ 0x81C, 0xF3100101,
++ 0x81C, 0xF2120101,
++ 0x81C, 0xF1140101,
++ 0x81C, 0xF0160101,
++ 0x81C, 0xEF180101,
++ 0x81C, 0xEE1A0101,
++ 0x81C, 0xED1C0101,
++ 0x81C, 0xEC1E0101,
++ 0x81C, 0xEB200101,
++ 0x81C, 0xEA220101,
++ 0x81C, 0xE9240101,
++ 0x81C, 0xE8260101,
++ 0x81C, 0xE7280101,
++ 0x81C, 0xE62A0101,
++ 0x81C, 0xE52C0101,
++ 0x81C, 0xE42E0101,
++ 0x81C, 0xE3300101,
++ 0x81C, 0xA5320101,
++ 0x81C, 0xA4340101,
++ 0x81C, 0xA3360101,
++ 0x81C, 0x87380101,
++ 0x81C, 0x863A0101,
++ 0x81C, 0x853C0101,
++ 0x81C, 0x843E0101,
++ 0x81C, 0x69400101,
++ 0x81C, 0x68420101,
++ 0x81C, 0x67440101,
++ 0x81C, 0x66460101,
++ 0x81C, 0x49480101,
++ 0x81C, 0x484A0101,
++ 0x81C, 0x474C0101,
++ 0x81C, 0x2A4E0101,
++ 0x81C, 0x29500101,
++ 0x81C, 0x28520101,
++ 0x81C, 0x27540101,
++ 0x81C, 0x26560101,
++ 0x81C, 0x25580101,
++ 0x81C, 0x245A0101,
++ 0x81C, 0x235C0101,
++ 0x81C, 0x055E0101,
++ 0x81C, 0x04600101,
++ 0x81C, 0x03620101,
++ 0x81C, 0x02640101,
++ 0x81C, 0x01660101,
++ 0x81C, 0x01680101,
++ 0x81C, 0x016A0101,
++ 0x81C, 0x016C0101,
++ 0x81C, 0x016E0101,
++ 0x81C, 0x01700101,
++ 0x81C, 0x01720101,
++ 0x9000040c, 0x00000000, 0x40000000, 0x00000000,
+ 0x81C, 0xFB000101,
+ 0x81C, 0xFA020101,
+ 0x81C, 0xF9040101,
+@@ -2606,7 +2846,7 @@ u32 RTL8821AE_AGC_TAB_ARRAY[] = {
+ 0x81C, 0x016E0101,
+ 0x81C, 0x01700101,
+ 0x81C, 0x01720101,
+- 0xCDCDCDCD, 0xCDCD,
++ 0xA0000000, 0x00000000,
+ 0x81C, 0xFF000101,
+ 0x81C, 0xFF020101,
+ 0x81C, 0xFE040101,
+@@ -2665,7 +2905,7 @@ u32 RTL8821AE_AGC_TAB_ARRAY[] = {
+ 0x81C, 0x046E0101,
+ 0x81C, 0x03700101,
+ 0x81C, 0x02720101,
+- 0xFF0F02C0, 0xDEAD,
++ 0xB0000000, 0x00000000,
+ 0x81C, 0x01740101,
+ 0x81C, 0x01760101,
+ 0x81C, 0x01780101,
+--
+2.30.2
+
--- /dev/null
+From a012266521461b2369da02d8ff530a448985805f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Mar 2021 00:13:49 +0300
+Subject: sata_mv: add IRQ checks
+
+From: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+
+[ Upstream commit e6471a65fdd5efbb8dd2732dd0f063f960685ceb ]
+
+The function mv_platform_probe() neglects to check the results of the
+calls to platform_get_irq() and irq_of_parse_and_map() and blithely
+passes them to ata_host_activate() -- while the latter only checks
+for IRQ0 (treating it as a polling mode indicattion) and passes the
+negative values to devm_request_irq() causing it to fail as it takes
+unsigned values for the IRQ #...
+
+Add to mv_platform_probe() the proper IRQ checks to pass the positive IRQ
+#s to ata_host_activate(), propagate upstream the negative error codes,
+and override the IRQ0 with -EINVAL (as we don't want the polling mode).
+
+Fixes: f351b2d638c3 ("sata_mv: Support SoC controllers")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+Link: https://lore.kernel.org/r/51436f00-27a1-e20b-c21b-0e817e0a7c86@omprussia.ru
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/sata_mv.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/ata/sata_mv.c b/drivers/ata/sata_mv.c
+index d85965bab2e2..6059b030678b 100644
+--- a/drivers/ata/sata_mv.c
++++ b/drivers/ata/sata_mv.c
+@@ -4112,6 +4112,10 @@ static int mv_platform_probe(struct platform_device *pdev)
+ n_ports = mv_platform_data->n_ports;
+ irq = platform_get_irq(pdev, 0);
+ }
++ if (irq < 0)
++ return irq;
++ if (!irq)
++ return -EINVAL;
+
+ host = ata_host_alloc_pinfo(&pdev->dev, ppi, n_ports);
+ hpriv = devm_kzalloc(&pdev->dev, sizeof(*hpriv), GFP_KERNEL);
+--
+2.30.2
+
--- /dev/null
+From e83ad3ed3a8c4c87e1c2c2fbf4312a6a3b117117 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Mar 2021 20:43:23 +0300
+Subject: scsi: jazz_esp: Add IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+
+[ Upstream commit 38fca15c29db6ed06e894ac194502633e2a7d1fb ]
+
+The driver neglects to check the result of platform_get_irq()'s call and
+blithely passes the negative error codes to request_irq() (which takes
+*unsigned* IRQ #), causing it to fail with -EINVAL, overriding the real
+error code. Stop calling request_irq() with the invalid IRQ #s.
+
+Link: https://lore.kernel.org/r/594aa9ae-2215-49f6-f73c-33bd38989912@omprussia.ru
+Fixes: 352e921f0dd4 ("[SCSI] jazz_esp: converted to use esp_core")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/jazz_esp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/jazz_esp.c b/drivers/scsi/jazz_esp.c
+index 9aaa74e349cc..65f0dbfc3a45 100644
+--- a/drivers/scsi/jazz_esp.c
++++ b/drivers/scsi/jazz_esp.c
+@@ -170,7 +170,9 @@ static int esp_jazz_probe(struct platform_device *dev)
+ if (!esp->command_block)
+ goto fail_unmap_regs;
+
+- host->irq = platform_get_irq(dev, 0);
++ host->irq = err = platform_get_irq(dev, 0);
++ if (err < 0)
++ goto fail_unmap_command_block;
+ err = request_irq(host->irq, scsi_esp_intr, IRQF_SHARED, "ESP", esp);
+ if (err < 0)
+ goto fail_unmap_command_block;
+--
+2.30.2
+
--- /dev/null
+From 3e729516a0542ccb88f81002c1e6015ff228da30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Mar 2021 20:45:12 +0300
+Subject: scsi: sni_53c710: Add IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+
+[ Upstream commit 1160d61bc51e87e509cfaf9da50a0060f67b6de4 ]
+
+The driver neglects to check the result of platform_get_irq()'s call and
+blithely passes the negative error codes to request_irq() (which takes
+*unsigned* IRQ #s), causing it to fail with -EINVAL (overridden by -ENODEV
+further below). Stop calling request_irq() with the invalid IRQ #s.
+
+Link: https://lore.kernel.org/r/8f4b8fa5-8251-b977-70a1-9099bcb4bb17@omprussia.ru
+Fixes: c27d85f3f3c5 ("[SCSI] SNI RM 53c710 driver")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/sni_53c710.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/sni_53c710.c b/drivers/scsi/sni_53c710.c
+index 3102a75984d3..aed91afb79b6 100644
+--- a/drivers/scsi/sni_53c710.c
++++ b/drivers/scsi/sni_53c710.c
+@@ -71,6 +71,7 @@ static int snirm710_probe(struct platform_device *dev)
+ struct NCR_700_Host_Parameters *hostdata;
+ struct Scsi_Host *host;
+ struct resource *res;
++ int rc;
+
+ res = platform_get_resource(dev, IORESOURCE_MEM, 0);
+ if (!res)
+@@ -96,7 +97,9 @@ static int snirm710_probe(struct platform_device *dev)
+ goto out_kfree;
+ host->this_id = 7;
+ host->base = base;
+- host->irq = platform_get_irq(dev, 0);
++ host->irq = rc = platform_get_irq(dev, 0);
++ if (rc < 0)
++ goto out_put_host;
+ if(request_irq(host->irq, NCR_700_intr, IRQF_SHARED, "snirm710", host)) {
+ printk(KERN_ERR "snirm710: request_irq failed!\n");
+ goto out_put_host;
+--
+2.30.2
+
--- /dev/null
+From ee9a8fbabdf270560421994ec7ee8a729679ef55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Mar 2021 20:44:08 +0300
+Subject: scsi: sun3x_esp: Add IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+
+[ Upstream commit 14b321380eb333c82853d7d612d0995f05f88fdc ]
+
+The driver neglects to check the result of platform_get_irq()'s call and
+blithely passes the negative error codes to request_irq() (which takes
+*unsigned* IRQ #), causing it to fail with -EINVAL, overriding the real
+error code. Stop calling request_irq() with the invalid IRQ #s.
+
+Link: https://lore.kernel.org/r/363eb4c8-a3bf-4dc9-2a9e-90f349030a15@omprussia.ru
+Fixes: 0bb67f181834 ("[SCSI] sun3x_esp: convert to esp_scsi")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/sun3x_esp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/sun3x_esp.c b/drivers/scsi/sun3x_esp.c
+index d50c5ed8f428..167ae2d29e47 100644
+--- a/drivers/scsi/sun3x_esp.c
++++ b/drivers/scsi/sun3x_esp.c
+@@ -233,7 +233,9 @@ static int esp_sun3x_probe(struct platform_device *dev)
+ if (!esp->command_block)
+ goto fail_unmap_regs_dma;
+
+- host->irq = platform_get_irq(dev, 0);
++ host->irq = err = platform_get_irq(dev, 0);
++ if (err < 0)
++ goto fail_unmap_command_block;
+ err = request_irq(host->irq, scsi_esp_intr, IRQF_SHARED,
+ "SUN3X ESP", esp);
+ if (err < 0)
+--
+2.30.2
+
--- /dev/null
+From d467bbaae539fc7003a2ea81161dd58f864ffd27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Mar 2021 17:22:58 +0100
+Subject: serial: stm32: fix incorrect characters on console
+
+From: Erwan Le Ray <erwan.leray@foss.st.com>
+
+[ Upstream commit f264c6f6aece81a9f8fbdf912b20bd3feb476a7a ]
+
+Incorrect characters are observed on console during boot. This issue occurs
+when init/main.c is modifying termios settings to open /dev/console on the
+rootfs.
+
+This patch adds a waiting loop in set_termios to wait for TX shift register
+empty (and TX FIFO if any) before stopping serial port.
+
+Fixes: 48a6092fb41f ("serial: stm32-usart: Add STM32 USART Driver")
+Signed-off-by: Erwan Le Ray <erwan.leray@foss.st.com>
+Link: https://lore.kernel.org/r/20210304162308.8984-4-erwan.leray@foss.st.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/stm32-usart.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/stm32-usart.c b/drivers/tty/serial/stm32-usart.c
+index 1e854e1851fb..6ad982cf31fc 100644
+--- a/drivers/tty/serial/stm32-usart.c
++++ b/drivers/tty/serial/stm32-usart.c
+@@ -499,8 +499,9 @@ static void stm32_set_termios(struct uart_port *port, struct ktermios *termios,
+ unsigned int baud;
+ u32 usartdiv, mantissa, fraction, oversampling;
+ tcflag_t cflag = termios->c_cflag;
+- u32 cr1, cr2, cr3;
++ u32 cr1, cr2, cr3, isr;
+ unsigned long flags;
++ int ret;
+
+ if (!stm32_port->hw_flow_control)
+ cflag &= ~CRTSCTS;
+@@ -509,6 +510,15 @@ static void stm32_set_termios(struct uart_port *port, struct ktermios *termios,
+
+ spin_lock_irqsave(&port->lock, flags);
+
++ ret = readl_relaxed_poll_timeout_atomic(port->membase + ofs->isr,
++ isr,
++ (isr & USART_SR_TC),
++ 10, 100000);
++
++ /* Send the TC error message only when ISR_TC is not set. */
++ if (ret)
++ dev_err(port->dev, "Transmission is not complete\n");
++
+ /* Stop serial port and reset value */
+ writel_relaxed(0, port->membase + ofs->cr1);
+
+--
+2.30.2
+
--- /dev/null
+From ea12d624944cc311326dd85469ec63431865c91f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Mar 2021 17:23:07 +0100
+Subject: serial: stm32: fix tx_empty condition
+
+From: Erwan Le Ray <erwan.leray@foss.st.com>
+
+[ Upstream commit 3db1d52466dc11dca4e47ef12a6e6e97f846af62 ]
+
+In "tx_empty", we should poll TC bit in both DMA and PIO modes (instead of
+TXE) to check transmission data register has been transmitted independently
+of the FIFO mode. TC indicates that both transmit register and shift
+register are empty. When shift register is empty, tx_empty should return
+TIOCSER_TEMT instead of TC value.
+
+Cleans the USART_CR_TC TCCF register define (transmission complete clear
+flag) as it is duplicate of USART_ICR_TCCF.
+
+Fixes: 48a6092fb41f ("serial: stm32-usart: Add STM32 USART Driver")
+Signed-off-by: Erwan Le Ray <erwan.leray@foss.st.com>
+Link: https://lore.kernel.org/r/20210304162308.8984-13-erwan.leray@foss.st.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/stm32-usart.c | 5 ++++-
+ drivers/tty/serial/stm32-usart.h | 3 ---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/tty/serial/stm32-usart.c b/drivers/tty/serial/stm32-usart.c
+index 6ad982cf31fc..a10335e904ea 100644
+--- a/drivers/tty/serial/stm32-usart.c
++++ b/drivers/tty/serial/stm32-usart.c
+@@ -365,7 +365,10 @@ static unsigned int stm32_tx_empty(struct uart_port *port)
+ struct stm32_port *stm32_port = to_stm32_port(port);
+ struct stm32_usart_offsets *ofs = &stm32_port->info->ofs;
+
+- return readl_relaxed(port->membase + ofs->isr) & USART_SR_TXE;
++ if (readl_relaxed(port->membase + ofs->isr) & USART_SR_TC)
++ return TIOCSER_TEMT;
++
++ return 0;
+ }
+
+ static void stm32_set_mctrl(struct uart_port *port, unsigned int mctrl)
+diff --git a/drivers/tty/serial/stm32-usart.h b/drivers/tty/serial/stm32-usart.h
+index 9d087881913a..55142df8e24b 100644
+--- a/drivers/tty/serial/stm32-usart.h
++++ b/drivers/tty/serial/stm32-usart.h
+@@ -123,9 +123,6 @@ struct stm32_usart_info stm32h7_info = {
+ /* Dummy bits */
+ #define USART_SR_DUMMY_RX BIT(16)
+
+-/* USART_ICR (F7) */
+-#define USART_CR_TC BIT(6)
+-
+ /* USART_DR */
+ #define USART_DR_MASK GENMASK(8, 0)
+
+--
+2.30.2
+
kvm-s390-split-kvm_s390_real_to_abs.patch
kvm-s390-extend-kvm_s390_shadow_fault-to-return-entry-pointer.patch
usb-gadget-pch_udc-revert-d3cb25a12138-completely.patch
+memory-gpmc-fix-out-of-bounds-read-and-dereference-o.patch
+arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch
+arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-28183
+arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-2983
+serial-stm32-fix-incorrect-characters-on-console.patch
+serial-stm32-fix-tx_empty-condition.patch
+usb-typec-tcpci-check-role_control-while-interpretin.patch
+x86-microcode-check-for-offline-cpus-before-requesti.patch
+usb-gadget-pch_udc-replace-cpu_to_le32-by-lower_32_b.patch
+usb-gadget-pch_udc-check-if-driver-is-present-before.patch
+usb-gadget-pch_udc-check-for-dma-mapping-error.patch
+crypto-qat-don-t-release-uninitialized-resources.patch
+crypto-qat-adf_status_pf_running-should-be-set-after.patch
+fotg210-udc-fix-dma-on-ep0-for-length-max-packet-siz.patch
+fotg210-udc-fix-ep0-in-requests-bigger-than-two-pack.patch
+fotg210-udc-remove-a-dubious-condition-leading-to-fo.patch
+fotg210-udc-mask-grp2-interrupts-we-don-t-handle.patch
+fotg210-udc-don-t-dma-more-than-the-buffer-can-take.patch
+fotg210-udc-complete-out-requests-on-short-packets.patch
+mtd-require-write-permissions-for-locking-and-badblo.patch
+bus-qcom-put-child-node-before-return.patch
+phy-marvell-armada375_usbcluster_phy-should-not-defa.patch
+crypto-qat-fix-error-path-in-adf_isr_resource_alloc.patch
+usb-gadget-udc-fix-wrong-pointer-passed-to-is_err-an.patch
+mtd-rawnand-gpmi-fix-a-double-free-in-gpmi_nand_init.patch
+staging-rtl8192u-fix-potential-infinite-loop.patch
+staging-greybus-uart-fix-unprivileged-tioccserial.patch
+spi-fix-use-after-free-with-devm_spi_alloc_.patch
+soc-qcom-mdt_loader-validate-that-p_filesz-p_memsz.patch
+soc-qcom-mdt_loader-detect-truncated-read-of-segment.patch
+acpi-cppc-replace-cppc_attr-with-kobj_attribute.patch
+crypto-qat-fix-a-double-free-in-adf_create_ring.patch
+usb-gadget-r8a66597-add-missing-null-check-on-return.patch
+usb-cdc-acm-fix-unprivileged-tioccserial.patch
+tty-actually-undefine-superseded-async-flags.patch
+tty-fix-return-value-for-unsupported-ioctls.patch
+firmware-qcom-scm-fix-qcom_scm-configuration.patch
+platform-x86-pmc_atom-match-all-beckhoff-automation-.patch
+x86-platform-uv-fix-kexec-build-failure.patch
+drivers-hv-vmbus-increase-wait-time-for-vmbus-unload.patch
+ttyprintk-add-tty-hangup-callback.patch
+media-vivid-fix-assignment-of-dev-fbuf_out_flags.patch
+media-omap4iss-return-error-code-when-omap4iss_get-f.patch
+media-m88rs6000t-avoid-potential-out-of-bounds-reads.patch
+x86-kprobes-fix-to-check-non-boostable-prefixes-corr.patch
+pata_arasan_cf-fix-irq-check.patch
+pata_ipx4xx_cf-fix-irq-check.patch
+sata_mv-add-irq-checks.patch
+ata-libahci_platform-fix-irq-check.patch
+vfio-mdev-do-not-allow-a-mdev_type-to-have-a-null-pa.patch
+clk-uniphier-fix-potential-infinite-loop.patch
+scsi-jazz_esp-add-irq-check.patch
+scsi-sun3x_esp-add-irq-check.patch
+scsi-sni_53c710-add-irq-check.patch
+mfd-stm32-timers-avoid-clearing-auto-reload-register.patch
+hsi-core-fix-resource-leaks-in-hsi_add_client_from_d.patch
+x86-events-amd-iommu-fix-sysfs-type-mismatch.patch
+hid-plantronics-workaround-for-double-volume-key-pre.patch
+perf-symbols-fix-dso__fprintf_symbols_by_name-to-ret.patch
+net-lapbether-prevent-racing-when-checking-whether-t.patch
+powerpc-prom-mark-identical_pvr_fixup-as-__init.patch
+powerpc-fix-have_hardlockup_detector_arch-build-conf.patch
+alsa-core-remove-redundant-spin_lock-pair-in-snd_car.patch
+bug-remove-redundant-condition-check-in-report_bug.patch
+nfc-pn533-prevent-potential-memory-corruption.patch
+alsa-usb-audio-add-error-checks-for-usb_driver_claim.patch
+liquidio-fix-unintented-sign-extension-of-a-left-shi.patch
+powerpc-perf-fix-pmu-constraint-check-for-ebb-events.patch
+powerpc-iommu-fix-build-when-neither-pci-or-ibmvio-i.patch
+mac80211-bail-out-if-cipher-schemes-are-invalid.patch
+mt7601u-fix-always-true-expression.patch
+ib-hfi1-fix-error-return-code-in-parse_platform_conf.patch
+net-thunderx-fix-unintentional-sign-extension-issue.patch
+i2c-cadence-add-irq-check.patch
+i2c-emev2-add-irq-check.patch
+i2c-jz4780-add-irq-check.patch
+i2c-sh7760-add-irq-check.patch
+mips-pci-legacy-stop-using-of_pci_range_to_resource.patch
+powerpc-pseries-extract-host-bridge-from-pci_bus-pri.patch
+rtlwifi-8821ae-upgrade-phy-and-rf-parameters.patch
+i2c-sh7760-fix-irq-error-path.patch
+mwl8k-fix-a-double-free-in-mwl8k_probe_hw.patch
+vsock-vmci-log-once-the-failed-queue-pair-allocation.patch
+rdma-i40iw-fix-error-unwinding-when-i40iw_hmc_sd_one.patch
+net-davinci_emac-fix-incorrect-masking-of-tx-and-rx-.patch
+ath9k-fix-error-check-in-ath9k_hw_read_revisions-for.patch
+powerpc-52xx-fix-an-invalid-asm-expression-addi-used.patch
+net-emac-emac-mac-fix-a-use-after-free-in-emac_mac_t.patch
+net-nfc-digital-fix-a-double-free-in-digital_tg_recv.patch
+kfifo-fix-ternary-sign-extension-bugs.patch
--- /dev/null
+From 41a10c364a485c9a4733287d4fc3d9c6ea630f83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Jan 2021 15:25:26 -0800
+Subject: soc: qcom: mdt_loader: Detect truncated read of segments
+
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+
+[ Upstream commit 0648c55e3a21ccd816e99b6600d6199fbf39d23a ]
+
+Given that no validation of how much data the firmware loader read in
+for a given segment truncated segment files would best case result in a
+hash verification failure, without any indication of what went wrong.
+
+Improve this by validating that the firmware loader did return the
+amount of data requested.
+
+Fixes: 445c2410a449 ("soc: qcom: mdt_loader: Use request_firmware_into_buf()")
+Reviewed-by: Sibi Sankar <sibis@codeaurora.org>
+Link: https://lore.kernel.org/r/20210107232526.716989-1-bjorn.andersson@linaro.org
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/qcom/mdt_loader.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/soc/qcom/mdt_loader.c b/drivers/soc/qcom/mdt_loader.c
+index 17cba12cdf61..9155b1c75cfb 100644
+--- a/drivers/soc/qcom/mdt_loader.c
++++ b/drivers/soc/qcom/mdt_loader.c
+@@ -193,6 +193,15 @@ int qcom_mdt_load(struct device *dev, const struct firmware *fw,
+ break;
+ }
+
++ if (seg_fw->size != phdr->p_filesz) {
++ dev_err(dev,
++ "failed to load segment %d from truncated file %s\n",
++ i, fw_name);
++ release_firmware(seg_fw);
++ ret = -EINVAL;
++ break;
++ }
++
+ release_firmware(seg_fw);
+ }
+
+--
+2.30.2
+
--- /dev/null
+From ed7eb8d80b065c2ab99e70db8f21d31b902fb19e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Jan 2021 15:31:19 -0800
+Subject: soc: qcom: mdt_loader: Validate that p_filesz < p_memsz
+
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+
+[ Upstream commit 84168d1b54e76a1bcb5192991adde5176abe02e3 ]
+
+The code validates that segments of p_memsz bytes of a segment will fit
+in the provided memory region, but does not validate that p_filesz bytes
+will, which means that an incorrectly crafted ELF header might write
+beyond the provided memory region.
+
+Fixes: 051fb70fd4ea ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5")
+Reviewed-by: Sibi Sankar <sibis@codeaurora.org>
+Link: https://lore.kernel.org/r/20210107233119.717173-1-bjorn.andersson@linaro.org
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/qcom/mdt_loader.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/soc/qcom/mdt_loader.c b/drivers/soc/qcom/mdt_loader.c
+index 08bd8549242a..17cba12cdf61 100644
+--- a/drivers/soc/qcom/mdt_loader.c
++++ b/drivers/soc/qcom/mdt_loader.c
+@@ -174,6 +174,14 @@ int qcom_mdt_load(struct device *dev, const struct firmware *fw,
+ break;
+ }
+
++ if (phdr->p_filesz > phdr->p_memsz) {
++ dev_err(dev,
++ "refusing to load segment %d with p_filesz > p_memsz\n",
++ i);
++ ret = -EINVAL;
++ break;
++ }
++
+ ptr = mem_region + offset;
+
+ if (phdr->p_filesz) {
+--
+2.30.2
+
--- /dev/null
+From 3c24ff2a94d02a09ee1904dac035350b1e5346f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Apr 2021 02:55:27 -0700
+Subject: spi: Fix use-after-free with devm_spi_alloc_*
+
+From: William A. Kennington III <wak@google.com>
+
+[ Upstream commit 794aaf01444d4e765e2b067cba01cc69c1c68ed9 ]
+
+We can't rely on the contents of the devres list during
+spi_unregister_controller(), as the list is already torn down at the
+time we perform devres_find() for devm_spi_release_controller. This
+causes devices registered with devm_spi_alloc_{master,slave}() to be
+mistakenly identified as legacy, non-devm managed devices and have their
+reference counters decremented below 0.
+
+------------[ cut here ]------------
+WARNING: CPU: 1 PID: 660 at lib/refcount.c:28 refcount_warn_saturate+0x108/0x174
+[<b0396f04>] (refcount_warn_saturate) from [<b03c56a4>] (kobject_put+0x90/0x98)
+[<b03c5614>] (kobject_put) from [<b0447b4c>] (put_device+0x20/0x24)
+ r4:b6700140
+[<b0447b2c>] (put_device) from [<b07515e8>] (devm_spi_release_controller+0x3c/0x40)
+[<b07515ac>] (devm_spi_release_controller) from [<b045343c>] (release_nodes+0x84/0xc4)
+ r5:b6700180 r4:b6700100
+[<b04533b8>] (release_nodes) from [<b0454160>] (devres_release_all+0x5c/0x60)
+ r8:b1638c54 r7:b117ad94 r6:b1638c10 r5:b117ad94 r4:b163dc10
+[<b0454104>] (devres_release_all) from [<b044e41c>] (__device_release_driver+0x144/0x1ec)
+ r5:b117ad94 r4:b163dc10
+[<b044e2d8>] (__device_release_driver) from [<b044f70c>] (device_driver_detach+0x84/0xa0)
+ r9:00000000 r8:00000000 r7:b117ad94 r6:b163dc54 r5:b1638c10 r4:b163dc10
+[<b044f688>] (device_driver_detach) from [<b044d274>] (unbind_store+0xe4/0xf8)
+
+Instead, determine the devm allocation state as a flag on the
+controller which is guaranteed to be stable during cleanup.
+
+Fixes: 5e844cc37a5c ("spi: Introduce device-managed SPI controller allocation")
+Signed-off-by: William A. Kennington III <wak@google.com>
+Link: https://lore.kernel.org/r/20210407095527.2771582-1-wak@google.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi.c | 9 ++-------
+ include/linux/spi/spi.h | 3 +++
+ 2 files changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
+index ca9970a63fdf..da71a53b0df7 100644
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -2076,6 +2076,7 @@ struct spi_controller *__devm_spi_alloc_controller(struct device *dev,
+
+ ctlr = __spi_alloc_controller(dev, size, slave);
+ if (ctlr) {
++ ctlr->devm_allocated = true;
+ *ptr = ctlr;
+ devres_add(dev, ptr);
+ } else {
+@@ -2304,11 +2305,6 @@ int devm_spi_register_controller(struct device *dev,
+ }
+ EXPORT_SYMBOL_GPL(devm_spi_register_controller);
+
+-static int devm_spi_match_controller(struct device *dev, void *res, void *ctlr)
+-{
+- return *(struct spi_controller **)res == ctlr;
+-}
+-
+ static int __unregister(struct device *dev, void *null)
+ {
+ spi_unregister_device(to_spi_device(dev));
+@@ -2353,8 +2349,7 @@ void spi_unregister_controller(struct spi_controller *ctlr)
+ /* Release the last reference on the controller if its driver
+ * has not yet been converted to devm_spi_alloc_master/slave().
+ */
+- if (!devres_find(ctlr->dev.parent, devm_spi_release_controller,
+- devm_spi_match_controller, ctlr))
++ if (!ctlr->devm_allocated)
+ put_device(&ctlr->dev);
+
+ /* free bus id */
+diff --git a/include/linux/spi/spi.h b/include/linux/spi/spi.h
+index 715bd276a041..a8f6606dd498 100644
+--- a/include/linux/spi/spi.h
++++ b/include/linux/spi/spi.h
+@@ -452,6 +452,9 @@ struct spi_controller {
+
+ #define SPI_MASTER_GPIO_SS BIT(5) /* GPIO CS must select slave */
+
++ /* flag indicating this is a non-devres managed controller */
++ bool devm_allocated;
++
+ /* flag indicating this is an SPI slave controller */
+ bool slave;
+
+--
+2.30.2
+
--- /dev/null
+From 1aec9ccd2c50d2d8a4282bf73a01a81c51be6889 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Apr 2021 12:23:24 +0200
+Subject: staging: greybus: uart: fix unprivileged TIOCCSERIAL
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 60c6b305c11b5fd167ce5e2ce42f3a9098c388f0 ]
+
+TIOCSSERIAL is a horrid, underspecified, legacy interface which for most
+serial devices is only useful for setting the close_delay and
+closing_wait parameters.
+
+A non-privileged user has only ever been able to set the since long
+deprecated ASYNC_SPD flags and trying to change any other *supported*
+feature should result in -EPERM being returned. Setting the current
+values for any supported features should return success.
+
+Fix the greybus implementation which instead indicated that the
+TIOCSSERIAL ioctl was not even implemented when a non-privileged user
+set the current values.
+
+Fixes: e68453ed28c5 ("greybus: uart-gb: now builds, more framework added")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210407102334.32361-7-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/greybus/uart.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/staging/greybus/uart.c b/drivers/staging/greybus/uart.c
+index 2b297df88bdd..b0b7d4a1cee4 100644
+--- a/drivers/staging/greybus/uart.c
++++ b/drivers/staging/greybus/uart.c
+@@ -657,8 +657,6 @@ static int set_serial_info(struct gb_tty *gb_tty,
+ if ((close_delay != gb_tty->port.close_delay) ||
+ (closing_wait != gb_tty->port.closing_wait))
+ retval = -EPERM;
+- else
+- retval = -EOPNOTSUPP;
+ } else {
+ gb_tty->port.close_delay = close_delay;
+ gb_tty->port.closing_wait = closing_wait;
+--
+2.30.2
+
--- /dev/null
+From 55b47e0e8ded3ff3e1c99b74ef5c363621ca7e40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Apr 2021 16:03:08 +0100
+Subject: staging: rtl8192u: Fix potential infinite loop
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit f9b9263a25dc3d2eaaa829e207434db6951ca7bc ]
+
+The for-loop iterates with a u8 loop counter i and compares this
+with the loop upper limit of riv->ieee80211->LinkDetectInfo.SlotNum
+that is a u16 type. There is a potential infinite loop if SlotNum
+is larger than the u8 loop counter. Fix this by making the loop
+counter the same type as SlotNum.
+
+Addresses-Coverity: ("Infinite loop")
+Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Link: https://lore.kernel.org/r/20210407150308.496623-1-colin.king@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/rtl8192u/r8192U_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/rtl8192u/r8192U_core.c b/drivers/staging/rtl8192u/r8192U_core.c
+index b5941ae410d9..89ec4bb19e48 100644
+--- a/drivers/staging/rtl8192u/r8192U_core.c
++++ b/drivers/staging/rtl8192u/r8192U_core.c
+@@ -3418,7 +3418,7 @@ static void rtl819x_update_rxcounts(struct r8192_priv *priv, u32 *TotalRxBcnNum,
+ u32 *TotalRxDataNum)
+ {
+ u16 SlotIndex;
+- u8 i;
++ u16 i;
+
+ *TotalRxBcnNum = 0;
+ *TotalRxDataNum = 0;
+--
+2.30.2
+
--- /dev/null
+From 3677e62e4a030e11682a60850f12ef8f580fdf84 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Apr 2021 11:52:01 +0200
+Subject: tty: actually undefine superseded ASYNC flags
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit d09845e98a05850a8094ea8fd6dd09a8e6824fff ]
+
+Some kernel-internal ASYNC flags have been superseded by tty-port flags
+and should no longer be used by kernel drivers.
+
+Fix the misspelled "__KERNEL__" compile guards which failed their sole
+purpose to break out-of-tree drivers that have not yet been updated.
+
+Fixes: 5c0517fefc92 ("tty: core: Undefine ASYNC_* flags superceded by TTY_PORT* flags")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210407095208.31838-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/tty_flags.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/uapi/linux/tty_flags.h b/include/uapi/linux/tty_flags.h
+index 6ac609a00dea..31e106168ebb 100644
+--- a/include/uapi/linux/tty_flags.h
++++ b/include/uapi/linux/tty_flags.h
+@@ -39,7 +39,7 @@
+ * WARNING: These flags are no longer used and have been superceded by the
+ * TTY_PORT_ flags in the iflags field (and not userspace-visible)
+ */
+-#ifndef _KERNEL_
++#ifndef __KERNEL__
+ #define ASYNCB_INITIALIZED 31 /* Serial port was initialized */
+ #define ASYNCB_SUSPENDED 30 /* Serial port is suspended */
+ #define ASYNCB_NORMAL_ACTIVE 29 /* Normal device is active */
+@@ -81,7 +81,7 @@
+ #define ASYNC_SPD_WARP (ASYNC_SPD_HI|ASYNC_SPD_SHI)
+ #define ASYNC_SPD_MASK (ASYNC_SPD_HI|ASYNC_SPD_VHI|ASYNC_SPD_SHI)
+
+-#ifndef _KERNEL_
++#ifndef __KERNEL__
+ /* These flags are no longer used (and were always masked from userspace) */
+ #define ASYNC_INITIALIZED (1U << ASYNCB_INITIALIZED)
+ #define ASYNC_NORMAL_ACTIVE (1U << ASYNCB_NORMAL_ACTIVE)
+--
+2.30.2
+
--- /dev/null
+From 2a565c5bc3b691f4b6966e2394a6aa682a595a8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Apr 2021 11:52:02 +0200
+Subject: tty: fix return value for unsupported ioctls
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 1b8b20868a6d64cfe8174a21b25b74367bdf0560 ]
+
+Drivers should return -ENOTTY ("Inappropriate I/O control operation")
+when an ioctl isn't supported, while -EINVAL is used for invalid
+arguments.
+
+Fix up the TIOCMGET, TIOCMSET and TIOCGICOUNT helpers which returned
+-EINVAL when a tty driver did not implement the corresponding
+operations.
+
+Note that the TIOCMGET and TIOCMSET helpers predate git and do not get a
+corresponding Fixes tag below.
+
+Fixes: d281da7ff6f7 ("tty: Make tiocgicount a handler")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210407095208.31838-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/tty_io.c | 8 ++++----
+ include/linux/tty_driver.h | 2 +-
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index d7e56de19c58..ae3af8debf67 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -2424,14 +2424,14 @@ out:
+ * @p: pointer to result
+ *
+ * Obtain the modem status bits from the tty driver if the feature
+- * is supported. Return -EINVAL if it is not available.
++ * is supported. Return -ENOTTY if it is not available.
+ *
+ * Locking: none (up to the driver)
+ */
+
+ static int tty_tiocmget(struct tty_struct *tty, int __user *p)
+ {
+- int retval = -EINVAL;
++ int retval = -ENOTTY;
+
+ if (tty->ops->tiocmget) {
+ retval = tty->ops->tiocmget(tty);
+@@ -2449,7 +2449,7 @@ static int tty_tiocmget(struct tty_struct *tty, int __user *p)
+ * @p: pointer to desired bits
+ *
+ * Set the modem status bits from the tty driver if the feature
+- * is supported. Return -EINVAL if it is not available.
++ * is supported. Return -ENOTTY if it is not available.
+ *
+ * Locking: none (up to the driver)
+ */
+@@ -2461,7 +2461,7 @@ static int tty_tiocmset(struct tty_struct *tty, unsigned int cmd,
+ unsigned int set, clear, val;
+
+ if (tty->ops->tiocmset == NULL)
+- return -EINVAL;
++ return -ENOTTY;
+
+ retval = get_user(val, p);
+ if (retval)
+diff --git a/include/linux/tty_driver.h b/include/linux/tty_driver.h
+index 31c2b5b166de..ebca9e4a2fed 100644
+--- a/include/linux/tty_driver.h
++++ b/include/linux/tty_driver.h
+@@ -236,7 +236,7 @@
+ *
+ * Called when the device receives a TIOCGICOUNT ioctl. Passed a kernel
+ * structure to complete. This method is optional and will only be called
+- * if provided (otherwise EINVAL will be returned).
++ * if provided (otherwise ENOTTY will be returned).
+ */
+
+ #include <linux/export.h>
+--
+2.30.2
+
--- /dev/null
+From f2eca4367bd34cb5ed56b0699ee48227fdfd742f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Apr 2021 09:22:22 +0900
+Subject: ttyprintk: Add TTY hangup callback.
+
+From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+
+[ Upstream commit c0070e1e60270f6a1e09442a9ab2335f3eaeaad2 ]
+
+syzbot is reporting hung task due to flood of
+
+ tty_warn(tty, "%s: tty->count = 1 port count = %d\n", __func__,
+ port->count);
+
+message [1], for ioctl(TIOCVHANGUP) prevents tty_port_close() from
+decrementing port->count due to tty_hung_up_p() == true.
+
+----------
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sys/ioctl.h>
+#include <unistd.h>
+
+int main(int argc, char *argv[])
+{
+ int i;
+ int fd[10];
+
+ for (i = 0; i < 10; i++)
+ fd[i] = open("/dev/ttyprintk", O_WRONLY);
+ ioctl(fd[0], TIOCVHANGUP);
+ for (i = 0; i < 10; i++)
+ close(fd[i]);
+ close(open("/dev/ttyprintk", O_WRONLY));
+ return 0;
+}
+----------
+
+When TTY hangup happens, port->count needs to be reset via
+"struct tty_operations"->hangup callback.
+
+[1] https://syzkaller.appspot.com/bug?id=39ea6caa479af471183997376dc7e90bc7d64a6a
+
+Reported-by: syzbot <syzbot+43e93968b964e369db0b@syzkaller.appspotmail.com>
+Reported-by: syzbot <syzbot+3ed715090790806d8b18@syzkaller.appspotmail.com>
+Tested-by: syzbot <syzbot+43e93968b964e369db0b@syzkaller.appspotmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Fixes: 24b4b67d17c308aa ("add ttyprintk driver")
+Link: https://lore.kernel.org/r/17e0652d-89b7-c8c0-fb53-e7566ac9add4@i-love.sakura.ne.jp
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/ttyprintk.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/drivers/char/ttyprintk.c b/drivers/char/ttyprintk.c
+index 774748497ace..e56ac5adb5fc 100644
+--- a/drivers/char/ttyprintk.c
++++ b/drivers/char/ttyprintk.c
+@@ -159,12 +159,23 @@ static int tpk_ioctl(struct tty_struct *tty,
+ return 0;
+ }
+
++/*
++ * TTY operations hangup function.
++ */
++static void tpk_hangup(struct tty_struct *tty)
++{
++ struct ttyprintk_port *tpkp = tty->driver_data;
++
++ tty_port_hangup(&tpkp->port);
++}
++
+ static const struct tty_operations ttyprintk_ops = {
+ .open = tpk_open,
+ .close = tpk_close,
+ .write = tpk_write,
+ .write_room = tpk_write_room,
+ .ioctl = tpk_ioctl,
++ .hangup = tpk_hangup,
+ };
+
+ static const struct tty_port_operations null_ops = { };
+--
+2.30.2
+
--- /dev/null
+From 883d89df17d0824c9c60ac0d3cd6a9bb8dc8e0ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Apr 2021 15:16:01 +0200
+Subject: USB: cdc-acm: fix unprivileged TIOCCSERIAL
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit dd5619582d60007139f0447382d2839f4f9e339b ]
+
+TIOCSSERIAL is a horrid, underspecified, legacy interface which for most
+serial devices is only useful for setting the close_delay and
+closing_wait parameters.
+
+A non-privileged user has only ever been able to set the since long
+deprecated ASYNC_SPD flags and trying to change any other *supported*
+feature should result in -EPERM being returned. Setting the current
+values for any supported features should return success.
+
+Fix the cdc-acm implementation which instead indicated that the
+TIOCSSERIAL ioctl was not even implemented when a non-privileged user
+set the current values.
+
+Fixes: ba2d8ce9db0a ("cdc-acm: implement TIOCSSERIAL to avoid blocking close(2)")
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210408131602.27956-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/class/cdc-acm.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
+index 22a7f67e70e7..fbf7cb8d34e7 100644
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -999,8 +999,6 @@ static int set_serial_info(struct acm *acm,
+ if ((new_serial.close_delay != old_close_delay) ||
+ (new_serial.closing_wait != old_closing_wait))
+ retval = -EPERM;
+- else
+- retval = -EOPNOTSUPP;
+ } else {
+ acm->port.close_delay = close_delay;
+ acm->port.closing_wait = closing_wait;
+--
+2.30.2
+
--- /dev/null
+From 207442722676c2a8617aebd3dbace7844d3d8fb0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Mar 2021 17:36:22 +0200
+Subject: usb: gadget: pch_udc: Check for DMA mapping error
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 4a28d77e359009b846951b06f7c0d8eec8dce298 ]
+
+DMA mapping might fail, we have to check it with dma_mapping_error().
+Otherwise DMA-API is not happy:
+
+ DMA-API: pch_udc 0000:02:02.4: device driver failed to check map error[device address=0x00000000027ee678] [size=64 bytes] [mapped as single]
+
+Fixes: abab0c67c061 ("usb: pch_udc: Fixed issue which does not work with g_serial")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20210323153626.54908-3-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/pch_udc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/pch_udc.c b/drivers/usb/gadget/udc/pch_udc.c
+index 1090b846df38..d165c1f67541 100644
+--- a/drivers/usb/gadget/udc/pch_udc.c
++++ b/drivers/usb/gadget/udc/pch_udc.c
+@@ -2977,7 +2977,7 @@ static int init_dma_pools(struct pch_udc_dev *dev)
+ dev->dma_addr = dma_map_single(&dev->pdev->dev, ep0out_buf,
+ UDC_EP0OUT_BUFF_SIZE * 4,
+ DMA_FROM_DEVICE);
+- return 0;
++ return dma_mapping_error(&dev->pdev->dev, dev->dma_addr);
+ }
+
+ static int pch_udc_start(struct usb_gadget *g,
+--
+2.30.2
+
--- /dev/null
+From 1dffde5574a6059eca0ce57c337fbe9c9c86b79b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Mar 2021 17:36:21 +0200
+Subject: usb: gadget: pch_udc: Check if driver is present before calling
+ ->setup()
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit fbdbbe6d3ee502b3bdeb4f255196bb45003614be ]
+
+Since we have a separate routine for VBUS sense, the interrupt may occur
+before gadget driver is present. Hence, ->setup() call may oops the kernel:
+
+[ 55.245843] BUG: kernel NULL pointer dereference, address: 00000010
+...
+[ 55.245843] EIP: pch_udc_isr.cold+0x162/0x33f
+...
+[ 55.245843] <IRQ>
+[ 55.245843] ? pch_udc_svc_data_out+0x160/0x160
+
+Check if driver is present before calling ->setup().
+
+Fixes: f646cf94520e ("USB device driver of Topcliff PCH")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20210323153626.54908-2-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/pch_udc.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/pch_udc.c b/drivers/usb/gadget/udc/pch_udc.c
+index e9c2f67a8b10..1090b846df38 100644
+--- a/drivers/usb/gadget/udc/pch_udc.c
++++ b/drivers/usb/gadget/udc/pch_udc.c
+@@ -2329,6 +2329,21 @@ static void pch_udc_svc_data_out(struct pch_udc_dev *dev, int ep_num)
+ pch_udc_set_dma(dev, DMA_DIR_RX);
+ }
+
++static int pch_udc_gadget_setup(struct pch_udc_dev *dev)
++ __must_hold(&dev->lock)
++{
++ int rc;
++
++ /* In some cases we can get an interrupt before driver gets setup */
++ if (!dev->driver)
++ return -ESHUTDOWN;
++
++ spin_unlock(&dev->lock);
++ rc = dev->driver->setup(&dev->gadget, &dev->setup_data);
++ spin_lock(&dev->lock);
++ return rc;
++}
++
+ /**
+ * pch_udc_svc_control_in() - Handle Control IN endpoint interrupts
+ * @dev: Reference to the device structure
+@@ -2400,15 +2415,12 @@ static void pch_udc_svc_control_out(struct pch_udc_dev *dev)
+ dev->gadget.ep0 = &dev->ep[UDC_EP0IN_IDX].ep;
+ else /* OUT */
+ dev->gadget.ep0 = &ep->ep;
+- spin_lock(&dev->lock);
+ /* If Mass storage Reset */
+ if ((dev->setup_data.bRequestType == 0x21) &&
+ (dev->setup_data.bRequest == 0xFF))
+ dev->prot_stall = 0;
+ /* call gadget with setup data received */
+- setup_supported = dev->driver->setup(&dev->gadget,
+- &dev->setup_data);
+- spin_unlock(&dev->lock);
++ setup_supported = pch_udc_gadget_setup(dev);
+
+ if (dev->setup_data.bRequestType & USB_DIR_IN) {
+ ep->td_data->status = (ep->td_data->status &
+@@ -2656,9 +2668,7 @@ static void pch_udc_svc_intf_interrupt(struct pch_udc_dev *dev)
+ dev->ep[i].halted = 0;
+ }
+ dev->stall = 0;
+- spin_unlock(&dev->lock);
+- dev->driver->setup(&dev->gadget, &dev->setup_data);
+- spin_lock(&dev->lock);
++ pch_udc_gadget_setup(dev);
+ }
+
+ /**
+@@ -2693,9 +2703,7 @@ static void pch_udc_svc_cfg_interrupt(struct pch_udc_dev *dev)
+ dev->stall = 0;
+
+ /* call gadget zero with setup data received */
+- spin_unlock(&dev->lock);
+- dev->driver->setup(&dev->gadget, &dev->setup_data);
+- spin_lock(&dev->lock);
++ pch_udc_gadget_setup(dev);
+ }
+
+ /**
+--
+2.30.2
+
--- /dev/null
+From 8d6467653dd584fe5102d8666a0e7ab4964f9a6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Mar 2021 17:36:20 +0200
+Subject: usb: gadget: pch_udc: Replace cpu_to_le32() by lower_32_bits()
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 91356fed6afd1c83bf0d3df1fc336d54e38f0458 ]
+
+Either way ~0 will be in the correct byte order, hence
+replace cpu_to_le32() by lower_32_bits(). Moreover,
+it makes sparse happy, otherwise it complains:
+
+.../pch_udc.c:1813:27: warning: incorrect type in assignment (different base types)
+.../pch_udc.c:1813:27: expected unsigned int [usertype] dataptr
+.../pch_udc.c:1813:27: got restricted __le32 [usertype]
+
+Fixes: f646cf94520e ("USB device driver of Topcliff PCH")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20210323153626.54908-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/pch_udc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/pch_udc.c b/drivers/usb/gadget/udc/pch_udc.c
+index 8d3cbca9f926..e9c2f67a8b10 100644
+--- a/drivers/usb/gadget/udc/pch_udc.c
++++ b/drivers/usb/gadget/udc/pch_udc.c
+@@ -1786,7 +1786,7 @@ static struct usb_request *pch_udc_alloc_request(struct usb_ep *usbep,
+ }
+ /* prevent from using desc. - set HOST BUSY */
+ dma_desc->status |= PCH_UDC_BS_HST_BSY;
+- dma_desc->dataptr = cpu_to_le32(DMA_ADDR_INVALID);
++ dma_desc->dataptr = lower_32_bits(DMA_ADDR_INVALID);
+ req->td_data = dma_desc;
+ req->td_data_last = dma_desc;
+ req->chain_len = 1;
+--
+2.30.2
+
--- /dev/null
+From 07ea5444954439c96867627dbea59e05301bea66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 19:45:10 +0100
+Subject: usb: gadget: r8a66597: Add missing null check on return from
+ platform_get_resource
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 9c2076090c2815fe7c49676df68dde7e60a9b9fc ]
+
+The call to platform_get_resource can potentially return a NULL pointer
+on failure, so add this check and return -EINVAL if it fails.
+
+Fixes: c41442474a26 ("usb: gadget: R8A66597 peripheral controller support.")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Addresses-Coverity: ("Dereference null return")
+Link: https://lore.kernel.org/r/20210406184510.433497-1-colin.king@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/r8a66597-udc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/usb/gadget/udc/r8a66597-udc.c b/drivers/usb/gadget/udc/r8a66597-udc.c
+index 84b227ede082..cf92f6aca433 100644
+--- a/drivers/usb/gadget/udc/r8a66597-udc.c
++++ b/drivers/usb/gadget/udc/r8a66597-udc.c
+@@ -1855,6 +1855,8 @@ static int r8a66597_probe(struct platform_device *pdev)
+ return PTR_ERR(reg);
+
+ ires = platform_get_resource(pdev, IORESOURCE_IRQ, 0);
++ if (!ires)
++ return -EINVAL;
+ irq = ires->start;
+ irq_trigger = ires->flags & IRQF_TRIGGER_MASK;
+
+--
+2.30.2
+
--- /dev/null
+From f7ad9ae3c71e66f49981265960540e005623f5d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Mar 2021 21:01:59 +0800
+Subject: USB: gadget: udc: fix wrong pointer passed to IS_ERR() and PTR_ERR()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 2e3d055bf27d70204cae349335a62a4f9b7c165a ]
+
+IS_ERR() and PTR_ERR() use wrong pointer, it should be
+udc->virt_addr, fix it.
+
+Fixes: 1b9f35adb0ff ("usb: gadget: udc: Add Synopsys UDC Platform driver")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20210330130159.1051979-1-yangyingliang@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/snps_udc_plat.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/snps_udc_plat.c b/drivers/usb/gadget/udc/snps_udc_plat.c
+index e8a5fdaee37d..204f7acf89a4 100644
+--- a/drivers/usb/gadget/udc/snps_udc_plat.c
++++ b/drivers/usb/gadget/udc/snps_udc_plat.c
+@@ -122,8 +122,8 @@ static int udc_plat_probe(struct platform_device *pdev)
+
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ udc->virt_addr = devm_ioremap_resource(dev, res);
+- if (IS_ERR(udc->regs))
+- return PTR_ERR(udc->regs);
++ if (IS_ERR(udc->virt_addr))
++ return PTR_ERR(udc->virt_addr);
+
+ /* udc csr registers base */
+ udc->csr = udc->virt_addr + UDC_CSR_ADDR;
+--
+2.30.2
+
--- /dev/null
+From 7e3b81a243b19eeb352e3d94de2512a651cfb2ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Mar 2021 23:09:31 -0800
+Subject: usb: typec: tcpci: Check ROLE_CONTROL while interpreting CC_STATUS
+
+From: Badhri Jagan Sridharan <badhri@google.com>
+
+[ Upstream commit 19c234a14eafca78e0bc14ffb8be3891096ce147 ]
+
+While interpreting CC_STATUS, ROLE_CONTROL has to be read to make
+sure that CC1/CC2 is not forced presenting Rp/Rd.
+
+>From the TCPCI spec:
+
+4.4.5.2 ROLE_CONTROL (Normative):
+The TCPM shall write B6 (DRP) = 0b and B3..0 (CC1/CC2) if it wishes
+to control the Rp/Rd directly instead of having the TCPC perform
+DRP toggling autonomously. When controlling Rp/Rd directly, the
+TCPM writes to B3..0 (CC1/CC2) each time it wishes to change the
+CC1/CC2 values. This control is used for TCPM-TCPC implementing
+Source or Sink only as well as when a connection has been detected
+via DRP toggling but the TCPM wishes to attempt Try.Src or Try.Snk.
+
+Table 4-22. CC_STATUS Register Definition:
+If (ROLE_CONTROL.CC1 = Rd) or ConnectResult=1)
+00b: SNK.Open (Below maximum vRa)
+01b: SNK.Default (Above minimum vRd-Connect)
+10b: SNK.Power1.5 (Above minimum vRd-Connect) Detects Rp-1.5A
+11b: SNK.Power3.0 (Above minimum vRd-Connect) Detects Rp-3.0A
+
+If (ROLE_CONTROL.CC2=Rd) or (ConnectResult=1)
+00b: SNK.Open (Below maximum vRa)
+01b: SNK.Default (Above minimum vRd-Connect)
+10b: SNK.Power1.5 (Above minimum vRd-Connect) Detects Rp 1.5A
+11b: SNK.Power3.0 (Above minimum vRd-Connect) Detects Rp 3.0A
+
+Fixes: 74e656d6b0551 ("staging: typec: Type-C Port Controller Interface driver (tcpci)")
+Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
+Link: https://lore.kernel.org/r/20210304070931.1947316-1-badhri@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/typec/tcpci.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/staging/typec/tcpci.c b/drivers/staging/typec/tcpci.c
+index df72d8b01e73..39e2aee0b1a3 100644
+--- a/drivers/staging/typec/tcpci.c
++++ b/drivers/staging/typec/tcpci.c
+@@ -28,6 +28,15 @@
+
+ #define PD_RETRY_COUNT 3
+
++#define tcpc_presenting_cc1_rd(reg) \
++ (!(TCPC_ROLE_CTRL_DRP & (reg)) && \
++ (((reg) & (TCPC_ROLE_CTRL_CC1_MASK << TCPC_ROLE_CTRL_CC1_SHIFT)) == \
++ (TCPC_ROLE_CTRL_CC_RD << TCPC_ROLE_CTRL_CC1_SHIFT)))
++#define tcpc_presenting_cc2_rd(reg) \
++ (!(TCPC_ROLE_CTRL_DRP & (reg)) && \
++ (((reg) & (TCPC_ROLE_CTRL_CC2_MASK << TCPC_ROLE_CTRL_CC2_SHIFT)) == \
++ (TCPC_ROLE_CTRL_CC_RD << TCPC_ROLE_CTRL_CC2_SHIFT)))
++
+ struct tcpci {
+ struct device *dev;
+ struct i2c_client *client;
+@@ -149,19 +158,25 @@ static int tcpci_get_cc(struct tcpc_dev *tcpc,
+ enum typec_cc_status *cc1, enum typec_cc_status *cc2)
+ {
+ struct tcpci *tcpci = tcpc_to_tcpci(tcpc);
+- unsigned int reg;
++ unsigned int reg, role_control;
+ int ret;
+
++ ret = regmap_read(tcpci->regmap, TCPC_ROLE_CTRL, &role_control);
++ if (ret < 0)
++ return ret;
++
+ ret = regmap_read(tcpci->regmap, TCPC_CC_STATUS, ®);
+ if (ret < 0)
+ return ret;
+
+ *cc1 = tcpci_to_typec_cc((reg >> TCPC_CC_STATUS_CC1_SHIFT) &
+ TCPC_CC_STATUS_CC1_MASK,
+- reg & TCPC_CC_STATUS_TERM);
++ reg & TCPC_CC_STATUS_TERM ||
++ tcpc_presenting_cc1_rd(role_control));
+ *cc2 = tcpci_to_typec_cc((reg >> TCPC_CC_STATUS_CC2_SHIFT) &
+ TCPC_CC_STATUS_CC2_MASK,
+- reg & TCPC_CC_STATUS_TERM);
++ reg & TCPC_CC_STATUS_TERM ||
++ tcpc_presenting_cc2_rd(role_control));
+
+ return 0;
+ }
+--
+2.30.2
+
--- /dev/null
+From b94093203ab37c9780c85a228db9ce1d3cd8d189 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 16:40:25 -0300
+Subject: vfio/mdev: Do not allow a mdev_type to have a NULL parent pointer
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit b5a1f8921d5040bb788492bf33a66758021e4be5 ]
+
+There is a small race where the parent is NULL even though the kobj has
+already been made visible in sysfs.
+
+For instance the attribute_group is made visible in sysfs_create_files()
+and the mdev_type_attr_show() does:
+
+ ret = attr->show(kobj, type->parent->dev, buf);
+
+Which will crash on NULL parent. Move the parent setup to before the type
+pointer leaves the stack frame.
+
+Fixes: 7b96953bc640 ("vfio: Mediated device Core driver")
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Kevin Tian <kevin.tian@intel.com>
+Reviewed-by: Max Gurtovoy <mgurtovoy@nvidia.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Message-Id: <2-v2-d36939638fc6+d54-vfio2_jgg@nvidia.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/mdev/mdev_sysfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/vfio/mdev/mdev_sysfs.c b/drivers/vfio/mdev/mdev_sysfs.c
+index 7e474e41c85e..2dbdefd7b683 100644
+--- a/drivers/vfio/mdev/mdev_sysfs.c
++++ b/drivers/vfio/mdev/mdev_sysfs.c
+@@ -108,6 +108,7 @@ struct mdev_type *add_mdev_supported_type(struct mdev_parent *parent,
+ return ERR_PTR(-ENOMEM);
+
+ type->kobj.kset = parent->mdev_types_kset;
++ type->parent = parent;
+
+ ret = kobject_init_and_add(&type->kobj, &mdev_type_ktype, NULL,
+ "%s-%s", dev_driver_string(parent->dev),
+@@ -135,7 +136,6 @@ struct mdev_type *add_mdev_supported_type(struct mdev_parent *parent,
+ }
+
+ type->group = group;
+- type->parent = parent;
+ return type;
+
+ attrs_failed:
+--
+2.30.2
+
--- /dev/null
+From 1f42134d06c2d89d4f80c47b5b99264d846fbeba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Apr 2021 12:44:16 +0200
+Subject: vsock/vmci: log once the failed queue pair allocation
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+[ Upstream commit e16edc99d658cd41c60a44cc14d170697aa3271f ]
+
+VMCI feature is not supported in conjunction with the vSphere Fault
+Tolerance (FT) feature.
+
+VMware Tools can repeatedly try to create a vsock connection. If FT is
+enabled the kernel logs is flooded with the following messages:
+
+ qp_alloc_hypercall result = -20
+ Could not attach to queue pair with -20
+
+"qp_alloc_hypercall result = -20" was hidden by commit e8266c4c3307
+("VMCI: Stop log spew when qp allocation isn't possible"), but "Could
+not attach to queue pair with -20" is still there flooding the log.
+
+Since the error message can be useful in some cases, print it only once.
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Jorgen Hansen <jhansen@vmware.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/vmci_transport.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
+index ba4cb18c4b9a..c1da1ce3d36e 100644
+--- a/net/vmw_vsock/vmci_transport.c
++++ b/net/vmw_vsock/vmci_transport.c
+@@ -585,8 +585,7 @@ vmci_transport_queue_pair_alloc(struct vmci_qp **qpair,
+ peer, flags, VMCI_NO_PRIVILEGE_FLAGS);
+ out:
+ if (err < 0) {
+- pr_err("Could not attach to queue pair with %d\n",
+- err);
++ pr_err_once("Could not attach to queue pair with %d\n", err);
+ err = vmci_transport_error_to_vsock_error(err);
+ }
+
+--
+2.30.2
+
--- /dev/null
+From f86e35a1a0979d76e23f976ee21f660c32d916eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Apr 2021 17:11:11 -0700
+Subject: x86/events/amd/iommu: Fix sysfs type mismatch
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit de5bc7b425d4c27ae5faa00ea7eb6b9780b9a355 ]
+
+dev_attr_show() calls _iommu_event_show() via an indirect call but
+_iommu_event_show()'s type does not currently match the type of the
+show() member in 'struct device_attribute', resulting in a Control Flow
+Integrity violation.
+
+$ cat /sys/devices/amd_iommu_1/events/mem_dte_hit
+csource=0x0a
+
+$ dmesg | grep "CFI failure"
+[ 3526.735140] CFI failure (target: _iommu_event_show...):
+
+Change _iommu_event_show() and 'struct amd_iommu_event_desc' to
+'struct device_attribute' so that there is no more CFI violation.
+
+Fixes: 7be6296fdd75 ("perf/x86/amd: AMD IOMMU Performance Counter PERF uncore PMU implementation")
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20210415001112.3024673-1-nathan@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/amd/iommu.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/events/amd/iommu.c b/arch/x86/events/amd/iommu.c
+index 3641e24fdac5..5a372b8902f4 100644
+--- a/arch/x86/events/amd/iommu.c
++++ b/arch/x86/events/amd/iommu.c
+@@ -84,12 +84,12 @@ static struct attribute_group amd_iommu_events_group = {
+ };
+
+ struct amd_iommu_event_desc {
+- struct kobj_attribute attr;
++ struct device_attribute attr;
+ const char *event;
+ };
+
+-static ssize_t _iommu_event_show(struct kobject *kobj,
+- struct kobj_attribute *attr, char *buf)
++static ssize_t _iommu_event_show(struct device *dev,
++ struct device_attribute *attr, char *buf)
+ {
+ struct amd_iommu_event_desc *event =
+ container_of(attr, struct amd_iommu_event_desc, attr);
+--
+2.30.2
+
--- /dev/null
+From 6eab87b20e2defc90700576cf8cca6689da70b20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 19:08:31 +0900
+Subject: x86/kprobes: Fix to check non boostable prefixes correctly
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit 6dd3b8c9f58816a1354be39559f630cd1bd12159 ]
+
+There are 2 bugs in the can_boost() function because of using
+x86 insn decoder. Since the insn->opcode never has a prefix byte,
+it can not find CS override prefix in it. And the insn->attr is
+the attribute of the opcode, thus inat_is_address_size_prefix(
+insn->attr) always returns false.
+
+Fix those by checking each prefix bytes with for_each_insn_prefix
+loop and getting the correct attribute for each prefix byte.
+Also, this removes unlikely, because this is a slow path.
+
+Fixes: a8d11cd0714f ("kprobes/x86: Consolidate insn decoder users for copying code")
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://lore.kernel.org/r/161666691162.1120877.2808435205294352583.stgit@devnote2
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/kprobes/core.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
+index 700d434f5bda..cfd8269ab4cd 100644
+--- a/arch/x86/kernel/kprobes/core.c
++++ b/arch/x86/kernel/kprobes/core.c
+@@ -173,6 +173,8 @@ NOKPROBE_SYMBOL(skip_prefixes);
+ int can_boost(struct insn *insn, void *addr)
+ {
+ kprobe_opcode_t opcode;
++ insn_byte_t prefix;
++ int i;
+
+ if (search_exception_tables((unsigned long)addr))
+ return 0; /* Page fault may occur on this address. */
+@@ -185,9 +187,14 @@ int can_boost(struct insn *insn, void *addr)
+ if (insn->opcode.nbytes != 1)
+ return 0;
+
+- /* Can't boost Address-size override prefix */
+- if (unlikely(inat_is_address_size_prefix(insn->attr)))
+- return 0;
++ for_each_insn_prefix(insn, i, prefix) {
++ insn_attr_t attr;
++
++ attr = inat_get_opcode_attribute(prefix);
++ /* Can't boost Address-size override prefix and CS override prefix */
++ if (prefix == 0x2e || inat_is_address_size_prefix(attr))
++ return 0;
++ }
+
+ opcode = insn->opcode.bytes[0];
+
+@@ -212,8 +219,8 @@ int can_boost(struct insn *insn, void *addr)
+ /* clear and set flags are boostable */
+ return (opcode == 0xf5 || (0xf7 < opcode && opcode < 0xfe));
+ default:
+- /* CS override prefix and call are not boostable */
+- return (opcode != 0x2e && opcode != 0x9a);
++ /* call is not boostable */
++ return opcode != 0x9a;
+ }
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 4aaf6c3705f7ed961b89d0d23553c5956f4a642c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Mar 2021 09:55:15 -0700
+Subject: x86/microcode: Check for offline CPUs before requesting new microcode
+
+From: Otavio Pontes <otavio.pontes@intel.com>
+
+[ Upstream commit 7189b3c11903667808029ec9766a6e96de5012a5 ]
+
+Currently, the late microcode loading mechanism checks whether any CPUs
+are offlined, and, in such a case, aborts the load attempt.
+
+However, this must be done before the kernel caches new microcode from
+the filesystem. Otherwise, when offlined CPUs are onlined later, those
+cores are going to be updated through the CPU hotplug notifier callback
+with the new microcode, while CPUs previously onine will continue to run
+with the older microcode.
+
+For example:
+
+Turn off one core (2 threads):
+
+ echo 0 > /sys/devices/system/cpu/cpu3/online
+ echo 0 > /sys/devices/system/cpu/cpu1/online
+
+Install the ucode fails because a primary SMT thread is offline:
+
+ cp intel-ucode/06-8e-09 /lib/firmware/intel-ucode/
+ echo 1 > /sys/devices/system/cpu/microcode/reload
+ bash: echo: write error: Invalid argument
+
+Turn the core back on
+
+ echo 1 > /sys/devices/system/cpu/cpu3/online
+ echo 1 > /sys/devices/system/cpu/cpu1/online
+ cat /proc/cpuinfo |grep microcode
+ microcode : 0x30
+ microcode : 0xde
+ microcode : 0x30
+ microcode : 0xde
+
+The rationale for why the update is aborted when at least one primary
+thread is offline is because even if that thread is soft-offlined
+and idle, it will still have to participate in broadcasted MCE's
+synchronization dance or enter SMM, and in both examples it will execute
+instructions so it better have the same microcode revision as the other
+cores.
+
+ [ bp: Heavily edit and extend commit message with the reasoning behind all
+ this. ]
+
+Fixes: 30ec26da9967 ("x86/microcode: Do not upload microcode if CPUs are offline")
+Signed-off-by: Otavio Pontes <otavio.pontes@intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Tony Luck <tony.luck@intel.com>
+Acked-by: Ashok Raj <ashok.raj@intel.com>
+Link: https://lkml.kernel.org/r/20210319165515.9240-2-otavio.pontes@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/microcode/core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c
+index 93c22e7ee424..51583a5d656d 100644
+--- a/arch/x86/kernel/cpu/microcode/core.c
++++ b/arch/x86/kernel/cpu/microcode/core.c
+@@ -627,16 +627,16 @@ static ssize_t reload_store(struct device *dev,
+ if (val != 1)
+ return size;
+
+- tmp_ret = microcode_ops->request_microcode_fw(bsp, µcode_pdev->dev, true);
+- if (tmp_ret != UCODE_NEW)
+- return size;
+-
+ get_online_cpus();
+
+ ret = check_online_cpus();
+ if (ret)
+ goto put;
+
++ tmp_ret = microcode_ops->request_microcode_fw(bsp, µcode_pdev->dev, true);
++ if (tmp_ret != UCODE_NEW)
++ goto put;
++
+ mutex_lock(µcode_mutex);
+ ret = microcode_reload_late();
+ mutex_unlock(µcode_mutex);
+--
+2.30.2
+
--- /dev/null
+From f03519978200120a2e787bdf5b8451f11328274d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Apr 2021 09:47:42 +0200
+Subject: x86/platform/uv: Fix !KEXEC build failure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ingo Molnar <mingo@kernel.org>
+
+[ Upstream commit c2209ea55612efac75de0a58ef5f7394fae7fa0f ]
+
+When KEXEC is disabled, the UV build fails:
+
+ arch/x86/platform/uv/uv_nmi.c:875:14: error: ‘uv_nmi_kexec_failed’ undeclared (first use in this function)
+
+Since uv_nmi_kexec_failed is only defined in the KEXEC_CORE #ifdef branch,
+this code cannot ever have been build tested:
+
+ if (main)
+ pr_err("UV: NMI kdump: KEXEC not supported in this kernel\n");
+ atomic_set(&uv_nmi_kexec_failed, 1);
+
+Nor is this use possible in uv_handle_nmi():
+
+ atomic_set(&uv_nmi_kexec_failed, 0);
+
+These bugs were introduced in this commit:
+
+ d0a9964e9873: ("x86/platform/uv: Implement simple dump failover if kdump fails")
+
+Which added the uv_nmi_kexec_failed assignments to !KEXEC code, while making the
+definition KEXEC-only - apparently without testing the !KEXEC case.
+
+Instead of complicating the #ifdef maze, simplify the code by requiring X86_UV
+to depend on KEXEC_CORE. This pattern is present in other architectures as well.
+
+( We'll remove the untested, 7 years old !KEXEC complications from the file in a
+ separate commit. )
+
+Fixes: d0a9964e9873: ("x86/platform/uv: Implement simple dump failover if kdump fails")
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Mike Travis <travis@sgi.com>
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index c55870ac907e..64edc125c122 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -526,6 +526,7 @@ config X86_UV
+ depends on X86_EXTENDED_PLATFORM
+ depends on NUMA
+ depends on EFI
++ depends on KEXEC_CORE
+ depends on X86_X2APIC
+ depends on PCI
+ ---help---
+--
+2.30.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
