--- /dev/null
+From e1cc8e9bbd9f7353446d353687066d4130031655 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 15:26:00 +0800
+Subject: ACPI / hotplug / PCI: Fix reference count leak in enable_slot()
+
+From: Feilong Lin <linfeilong@huawei.com>
+
+[ Upstream commit 3bbfd319034ddce59e023837a4aa11439460509b ]
+
+In enable_slot(), if pci_get_slot() returns NULL, we clear the SLOT_ENABLED
+flag. When pci_get_slot() finds a device, it increments the device's
+reference count. In this case, we did not call pci_dev_put() to decrement
+the reference count, so the memory of the device (struct pci_dev type) will
+eventually leak.
+
+Call pci_dev_put() to decrement its reference count when pci_get_slot()
+returns a PCI device.
+
+Link: https://lore.kernel.org/r/b411af88-5049-a1c6-83ac-d104a1f429be@huawei.com
+Signed-off-by: Feilong Lin <linfeilong@huawei.com>
+Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/hotplug/acpiphp_glue.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pci/hotplug/acpiphp_glue.c b/drivers/pci/hotplug/acpiphp_glue.c
+index 6e60b4b1bf53..98be06ac2af2 100644
+--- a/drivers/pci/hotplug/acpiphp_glue.c
++++ b/drivers/pci/hotplug/acpiphp_glue.c
+@@ -540,6 +540,7 @@ static void enable_slot(struct acpiphp_slot *slot, bool bridge)
+ slot->flags &= ~SLOT_ENABLED;
+ continue;
+ }
++ pci_dev_put(dev);
+ }
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 85ee344caafc9d08bb5337ed06dd108ab22a67df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 May 2021 15:39:17 +0800
+Subject: ALSA: hda: generic: change the DAC ctl name for LO+SPK or LO+HP
+
+From: Hui Wang <hui.wang@canonical.com>
+
+[ Upstream commit f48652bbe3ae62ba2835a396b7e01f063e51c4cd ]
+
+Without this change, the DAC ctl's name could be changed only when
+the machine has both Speaker and Headphone, but we met some machines
+which only has Lineout and Headhpone, and the Lineout and Headphone
+share the Audio Mixer0 and DAC0, the ctl's name is set to "Front".
+
+On most of machines, the "Front" is used for Speaker only or Lineout
+only, but on this machine it is shared by Lineout and Headphone,
+This introduces an issue in the pipewire and pulseaudio, suppose users
+want the Headphone to be on and the Speaker/Lineout to be off, they
+could turn off the "Front", this works on most of the machines, but on
+this machine, the "Front" couldn't be turned off otherwise the
+headphone will be off too. Here we do some change to let the ctl's
+name change to "Headphone+LO" on this machine, and pipewire and
+pulseaudio already could handle "Headphone+LO" and "Speaker+LO".
+(https://gitlab.freedesktop.org/pipewire/pipewire/-/issues/747)
+
+BugLink: http://bugs.launchpad.net/bugs/804178
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Link: https://lore.kernel.org/r/20210504073917.22406-1-hui.wang@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/hda_generic.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/sound/pci/hda/hda_generic.c b/sound/pci/hda/hda_generic.c
+index efceeae09045..7ac3f04ca8c0 100644
+--- a/sound/pci/hda/hda_generic.c
++++ b/sound/pci/hda/hda_generic.c
+@@ -1202,11 +1202,17 @@ static const char *get_line_out_pfx(struct hda_codec *codec, int ch,
+ *index = ch;
+ return "Headphone";
+ case AUTO_PIN_LINE_OUT:
+- /* This deals with the case where we have two DACs and
+- * one LO, one HP and one Speaker */
+- if (!ch && cfg->speaker_outs && cfg->hp_outs) {
+- bool hp_lo_shared = !path_has_mixer(codec, spec->hp_paths[0], ctl_type);
+- bool spk_lo_shared = !path_has_mixer(codec, spec->speaker_paths[0], ctl_type);
++ /* This deals with the case where one HP or one Speaker or
++ * one HP + one Speaker need to share the DAC with LO
++ */
++ if (!ch) {
++ bool hp_lo_shared = false, spk_lo_shared = false;
++
++ if (cfg->speaker_outs)
++ spk_lo_shared = !path_has_mixer(codec,
++ spec->speaker_paths[0], ctl_type);
++ if (cfg->hp_outs)
++ hp_lo_shared = !path_has_mixer(codec, spec->hp_paths[0], ctl_type);
+ if (hp_lo_shared && spk_lo_shared)
+ return spec->vmaster_mute.hook ? "PCM" : "Master";
+ if (hp_lo_shared)
+--
+2.30.2
+
--- /dev/null
+From a62828c65264d4850a3f2630aa01a2bcd6df9e10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Feb 2021 09:23:09 +0100
+Subject: ARM: 9058/1: cache-v7: refactor v7_invalidate_l1 to avoid clobbering
+ r5/r6
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+[ Upstream commit f9e7a99fb6b86aa6a00e53b34ee6973840e005aa ]
+
+The cache invalidation code in v7_invalidate_l1 can be tweaked to
+re-read the associativity from CCSIDR, and keep the way identifier
+component in a single register that is assigned in the outer loop. This
+way, we need 2 registers less.
+
+Given that the number of sets is typically much larger than the
+associativity, rearrange the code so that the outer loop has the fewer
+number of iterations, ensuring that the re-read of CCSIDR only occurs a
+handful of times in practice.
+
+Fix the whitespace while at it, and update the comment to indicate that
+this code is no longer a clone of anything else.
+
+Acked-by: Nicolas Pitre <nico@fluxnic.net>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mm/cache-v7.S | 51 +++++++++++++++++++++---------------------
+ 1 file changed, 25 insertions(+), 26 deletions(-)
+
+diff --git a/arch/arm/mm/cache-v7.S b/arch/arm/mm/cache-v7.S
+index 0ee8fc4b4672..8e69bf36a3ec 100644
+--- a/arch/arm/mm/cache-v7.S
++++ b/arch/arm/mm/cache-v7.S
+@@ -33,41 +33,40 @@ icache_size:
+ * processor. We fix this by performing an invalidate, rather than a
+ * clean + invalidate, before jumping into the kernel.
+ *
+- * This function is cloned from arch/arm/mach-tegra/headsmp.S, and needs
+- * to be called for both secondary cores startup and primary core resume
+- * procedures.
++ * This function needs to be called for both secondary cores startup and
++ * primary core resume procedures.
+ */
+ ENTRY(v7_invalidate_l1)
+ mov r0, #0
+ mcr p15, 2, r0, c0, c0, 0
+ mrc p15, 1, r0, c0, c0, 0
+
+- movw r1, #0x7fff
+- and r2, r1, r0, lsr #13
++ movw r3, #0x3ff
++ and r3, r3, r0, lsr #3 @ 'Associativity' in CCSIDR[12:3]
++ clz r1, r3 @ WayShift
++ mov r2, #1
++ mov r3, r3, lsl r1 @ NumWays-1 shifted into bits [31:...]
++ movs r1, r2, lsl r1 @ #1 shifted left by same amount
++ moveq r1, #1 @ r1 needs value > 0 even if only 1 way
+
+- movw r1, #0x3ff
++ and r2, r0, #0x7
++ add r2, r2, #4 @ SetShift
+
+- and r3, r1, r0, lsr #3 @ NumWays - 1
+- add r2, r2, #1 @ NumSets
++1: movw r4, #0x7fff
++ and r0, r4, r0, lsr #13 @ 'NumSets' in CCSIDR[27:13]
+
+- and r0, r0, #0x7
+- add r0, r0, #4 @ SetShift
+-
+- clz r1, r3 @ WayShift
+- add r4, r3, #1 @ NumWays
+-1: sub r2, r2, #1 @ NumSets--
+- mov r3, r4 @ Temp = NumWays
+-2: subs r3, r3, #1 @ Temp--
+- mov r5, r3, lsl r1
+- mov r6, r2, lsl r0
+- orr r5, r5, r6 @ Reg = (Temp<<WayShift)|(NumSets<<SetShift)
+- mcr p15, 0, r5, c7, c6, 2
+- bgt 2b
+- cmp r2, #0
+- bgt 1b
+- dsb st
+- isb
+- ret lr
++2: mov r4, r0, lsl r2 @ NumSet << SetShift
++ orr r4, r4, r3 @ Reg = (Temp<<WayShift)|(NumSets<<SetShift)
++ mcr p15, 0, r4, c7, c6, 2
++ subs r0, r0, #1 @ Set--
++ bpl 2b
++ subs r3, r3, r1 @ Way--
++ bcc 3f
++ mrc p15, 1, r0, c0, c0, 0 @ re-read cache geometry from CCSIDR
++ b 1b
++3: dsb st
++ isb
++ ret lr
+ ENDPROC(v7_invalidate_l1)
+
+ /*
+--
+2.30.2
+
--- /dev/null
+From bf3f6994f42f577960dadb224aed17f9ecefd316 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Feb 2021 13:25:53 +0100
+Subject: ARM: 9066/1: ftrace: pause/unpause function graph tracer in
+ cpu_suspend()
+
+From: louis.wang <liang26812@gmail.com>
+
+[ Upstream commit 8252ca87c7a2111502ee13994956f8c309faad7f ]
+
+Enabling function_graph tracer on ARM causes kernel panic, because the
+function graph tracer updates the "return address" of a function in order
+to insert a trace callback on function exit, it saves the function's
+original return address in a return trace stack, but cpu_suspend() may not
+return through the normal return path.
+
+cpu_suspend() will resume directly via the cpu_resume path, but the return
+trace stack has been set-up by the subfunctions of cpu_suspend(), which
+makes the "return address" inconsistent with cpu_suspend().
+
+This patch refers to Commit de818bd4522c40ea02a81b387d2fa86f989c9623
+("arm64: kernel: pause/unpause function graph tracer in cpu_suspend()"),
+
+fixes the issue by pausing/resuming the function graph tracer on the thread
+executing cpu_suspend(), so that the function graph tracer state is kept
+consistent across functions that enter power down states and never return
+by effectively disabling graph tracer while they are executing.
+
+Signed-off-by: louis.wang <liang26812@gmail.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/kernel/suspend.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/kernel/suspend.c b/arch/arm/kernel/suspend.c
+index d08099269e35..e126386fb78a 100644
+--- a/arch/arm/kernel/suspend.c
++++ b/arch/arm/kernel/suspend.c
+@@ -1,4 +1,5 @@
+ // SPDX-License-Identifier: GPL-2.0
++#include <linux/ftrace.h>
+ #include <linux/init.h>
+ #include <linux/slab.h>
+ #include <linux/mm_types.h>
+@@ -26,6 +27,13 @@ int cpu_suspend(unsigned long arg, int (*fn)(unsigned long))
+ if (!idmap_pgd)
+ return -EINVAL;
+
++ /*
++ * Function graph tracer state gets incosistent when the kernel
++ * calls functions that never return (aka suspend finishers) hence
++ * disable graph tracing during their execution.
++ */
++ pause_graph_tracing();
++
+ /*
+ * Provide a temporary page table with an identity mapping for
+ * the MMU-enable code, required for resuming. On successful
+@@ -33,6 +41,9 @@ int cpu_suspend(unsigned long arg, int (*fn)(unsigned long))
+ * back to the correct page tables.
+ */
+ ret = __cpu_suspend(arg, fn, __mpidr);
++
++ unpause_graph_tracing();
++
+ if (ret == 0) {
+ cpu_switch_mm(mm->pgd, mm);
+ local_flush_bp_all();
+@@ -46,7 +57,13 @@ int cpu_suspend(unsigned long arg, int (*fn)(unsigned long))
+ int cpu_suspend(unsigned long arg, int (*fn)(unsigned long))
+ {
+ u32 __mpidr = cpu_logical_map(smp_processor_id());
+- return __cpu_suspend(arg, fn, __mpidr);
++ int ret;
++
++ pause_graph_tracing();
++ ret = __cpu_suspend(arg, fn, __mpidr);
++ unpause_graph_tracing();
++
++ return ret;
+ }
+ #define idmap_pgd NULL
+ #endif
+--
+2.30.2
+
--- /dev/null
+From 8c9d370c4668c116ef1b9e0d9f654e9bb5d1228d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Apr 2021 04:41:16 +0100
+Subject: ARM: 9075/1: kernel: Fix interrupted SMC calls
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+
+[ Upstream commit 57ac51667d8cd62731223d687e5fe7b41c502f89 ]
+
+On Qualcomm ARM32 platforms, the SMC call can return before it has
+completed. If this occurs, the call can be restarted, but it requires
+using the returned session ID value from the interrupted SMC call.
+
+The ARM32 SMCC code already has the provision to add platform specific
+quirks for things like this. So let's make use of it and add the
+Qualcomm specific quirk (ARM_SMCCC_QUIRK_QCOM_A6) used by the QCOM_SCM
+driver.
+
+This change is similar to the below one added for ARM64 a while ago:
+commit 82bcd087029f ("firmware: qcom: scm: Fix interrupted SCM calls")
+
+Without this change, the Qualcomm ARM32 platforms like SDX55 will return
+-EINVAL for SMC calls used for modem firmware loading and validation.
+
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/kernel/asm-offsets.c | 3 +++
+ arch/arm/kernel/smccc-call.S | 11 ++++++++++-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/kernel/asm-offsets.c b/arch/arm/kernel/asm-offsets.c
+index bfb05c93494d..4ce2e29da14d 100644
+--- a/arch/arm/kernel/asm-offsets.c
++++ b/arch/arm/kernel/asm-offsets.c
+@@ -27,6 +27,7 @@
+ #include <asm/vdso_datapage.h>
+ #include <asm/hardware/cache-l2x0.h>
+ #include <linux/kbuild.h>
++#include <linux/arm-smccc.h>
+ #include "signal.h"
+
+ /*
+@@ -160,6 +161,8 @@ int main(void)
+ DEFINE(SLEEP_SAVE_SP_PHYS, offsetof(struct sleep_save_sp, save_ptr_stash_phys));
+ DEFINE(SLEEP_SAVE_SP_VIRT, offsetof(struct sleep_save_sp, save_ptr_stash));
+ #endif
++ DEFINE(ARM_SMCCC_QUIRK_ID_OFFS, offsetof(struct arm_smccc_quirk, id));
++ DEFINE(ARM_SMCCC_QUIRK_STATE_OFFS, offsetof(struct arm_smccc_quirk, state));
+ BLANK();
+ DEFINE(DMA_BIDIRECTIONAL, DMA_BIDIRECTIONAL);
+ DEFINE(DMA_TO_DEVICE, DMA_TO_DEVICE);
+diff --git a/arch/arm/kernel/smccc-call.S b/arch/arm/kernel/smccc-call.S
+index 00664c78faca..931df62a7831 100644
+--- a/arch/arm/kernel/smccc-call.S
++++ b/arch/arm/kernel/smccc-call.S
+@@ -3,7 +3,9 @@
+ * Copyright (c) 2015, Linaro Limited
+ */
+ #include <linux/linkage.h>
++#include <linux/arm-smccc.h>
+
++#include <asm/asm-offsets.h>
+ #include <asm/opcodes-sec.h>
+ #include <asm/opcodes-virt.h>
+ #include <asm/unwind.h>
+@@ -27,7 +29,14 @@ UNWIND( .fnstart)
+ UNWIND( .save {r4-r7})
+ ldm r12, {r4-r7}
+ \instr
+- pop {r4-r7}
++ ldr r4, [sp, #36]
++ cmp r4, #0
++ beq 1f // No quirk structure
++ ldr r5, [r4, #ARM_SMCCC_QUIRK_ID_OFFS]
++ cmp r5, #ARM_SMCCC_QUIRK_QCOM_A6
++ bne 1f // No quirk present
++ str r6, [r4, #ARM_SMCCC_QUIRK_STATE_OFFS]
++1: pop {r4-r7}
+ ldr r12, [sp, #(4 * 4)]
+ stm r12, {r0-r3}
+ bx lr
+--
+2.30.2
+
--- /dev/null
+From e7c4f1dd09fa75c84bc0865828b5fc4af6ccc22a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Apr 2021 15:18:07 +0800
+Subject: block: reexpand iov_iter after read/write
+
+From: yangerkun <yangerkun@huawei.com>
+
+[ Upstream commit cf7b39a0cbf6bf57aa07a008d46cf695add05b4c ]
+
+We get a bug:
+
+BUG: KASAN: slab-out-of-bounds in iov_iter_revert+0x11c/0x404
+lib/iov_iter.c:1139
+Read of size 8 at addr ffff0000d3fb11f8 by task
+
+CPU: 0 PID: 12582 Comm: syz-executor.2 Not tainted
+5.10.0-00843-g352c8610ccd2 #2
+Hardware name: linux,dummy-virt (DT)
+Call trace:
+ dump_backtrace+0x0/0x2d0 arch/arm64/kernel/stacktrace.c:132
+ show_stack+0x28/0x34 arch/arm64/kernel/stacktrace.c:196
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x110/0x164 lib/dump_stack.c:118
+ print_address_description+0x78/0x5c8 mm/kasan/report.c:385
+ __kasan_report mm/kasan/report.c:545 [inline]
+ kasan_report+0x148/0x1e4 mm/kasan/report.c:562
+ check_memory_region_inline mm/kasan/generic.c:183 [inline]
+ __asan_load8+0xb4/0xbc mm/kasan/generic.c:252
+ iov_iter_revert+0x11c/0x404 lib/iov_iter.c:1139
+ io_read fs/io_uring.c:3421 [inline]
+ io_issue_sqe+0x2344/0x2d64 fs/io_uring.c:5943
+ __io_queue_sqe+0x19c/0x520 fs/io_uring.c:6260
+ io_queue_sqe+0x2a4/0x590 fs/io_uring.c:6326
+ io_submit_sqe fs/io_uring.c:6395 [inline]
+ io_submit_sqes+0x4c0/0xa04 fs/io_uring.c:6624
+ __do_sys_io_uring_enter fs/io_uring.c:9013 [inline]
+ __se_sys_io_uring_enter fs/io_uring.c:8960 [inline]
+ __arm64_sys_io_uring_enter+0x190/0x708 fs/io_uring.c:8960
+ __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]
+ invoke_syscall arch/arm64/kernel/syscall.c:48 [inline]
+ el0_svc_common arch/arm64/kernel/syscall.c:158 [inline]
+ do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:227
+ el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367
+ el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383
+ el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670
+
+Allocated by task 12570:
+ stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121
+ kasan_save_stack mm/kasan/common.c:48 [inline]
+ kasan_set_track mm/kasan/common.c:56 [inline]
+ __kasan_kmalloc+0xdc/0x120 mm/kasan/common.c:461
+ kasan_kmalloc+0xc/0x14 mm/kasan/common.c:475
+ __kmalloc+0x23c/0x334 mm/slub.c:3970
+ kmalloc include/linux/slab.h:557 [inline]
+ __io_alloc_async_data+0x68/0x9c fs/io_uring.c:3210
+ io_setup_async_rw fs/io_uring.c:3229 [inline]
+ io_read fs/io_uring.c:3436 [inline]
+ io_issue_sqe+0x2954/0x2d64 fs/io_uring.c:5943
+ __io_queue_sqe+0x19c/0x520 fs/io_uring.c:6260
+ io_queue_sqe+0x2a4/0x590 fs/io_uring.c:6326
+ io_submit_sqe fs/io_uring.c:6395 [inline]
+ io_submit_sqes+0x4c0/0xa04 fs/io_uring.c:6624
+ __do_sys_io_uring_enter fs/io_uring.c:9013 [inline]
+ __se_sys_io_uring_enter fs/io_uring.c:8960 [inline]
+ __arm64_sys_io_uring_enter+0x190/0x708 fs/io_uring.c:8960
+ __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]
+ invoke_syscall arch/arm64/kernel/syscall.c:48 [inline]
+ el0_svc_common arch/arm64/kernel/syscall.c:158 [inline]
+ do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:227
+ el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367
+ el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383
+ el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670
+
+Freed by task 12570:
+ stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121
+ kasan_save_stack mm/kasan/common.c:48 [inline]
+ kasan_set_track+0x38/0x6c mm/kasan/common.c:56
+ kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:355
+ __kasan_slab_free+0x124/0x150 mm/kasan/common.c:422
+ kasan_slab_free+0x10/0x1c mm/kasan/common.c:431
+ slab_free_hook mm/slub.c:1544 [inline]
+ slab_free_freelist_hook mm/slub.c:1577 [inline]
+ slab_free mm/slub.c:3142 [inline]
+ kfree+0x104/0x38c mm/slub.c:4124
+ io_dismantle_req fs/io_uring.c:1855 [inline]
+ __io_free_req+0x70/0x254 fs/io_uring.c:1867
+ io_put_req_find_next fs/io_uring.c:2173 [inline]
+ __io_queue_sqe+0x1fc/0x520 fs/io_uring.c:6279
+ __io_req_task_submit+0x154/0x21c fs/io_uring.c:2051
+ io_req_task_submit+0x2c/0x44 fs/io_uring.c:2063
+ task_work_run+0xdc/0x128 kernel/task_work.c:151
+ get_signal+0x6f8/0x980 kernel/signal.c:2562
+ do_signal+0x108/0x3a4 arch/arm64/kernel/signal.c:658
+ do_notify_resume+0xbc/0x25c arch/arm64/kernel/signal.c:722
+ work_pending+0xc/0x180
+
+blkdev_read_iter can truncate iov_iter's count since the count + pos may
+exceed the size of the blkdev. This will confuse io_read that we have
+consume the iovec. And once we do the iov_iter_revert in io_read, we
+will trigger the slab-out-of-bounds. Fix it by reexpand the count with
+size has been truncated.
+
+blkdev_write_iter can trigger the problem too.
+
+Signed-off-by: yangerkun <yangerkun@huawei.com>
+Acked-by: Pavel Begunkov <asml.silencec@gmail.com>
+Link: https://lore.kernel.org/r/20210401071807.3328235-1-yangerkun@huawei.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/block_dev.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/fs/block_dev.c b/fs/block_dev.c
+index bd93563477a4..fa329c7eddf0 100644
+--- a/fs/block_dev.c
++++ b/fs/block_dev.c
+@@ -1987,6 +1987,7 @@ ssize_t blkdev_write_iter(struct kiocb *iocb, struct iov_iter *from)
+ struct inode *bd_inode = bdev_file_inode(file);
+ loff_t size = i_size_read(bd_inode);
+ struct blk_plug plug;
++ size_t shorted = 0;
+ ssize_t ret;
+
+ if (bdev_read_only(I_BDEV(bd_inode)))
+@@ -2005,12 +2006,17 @@ ssize_t blkdev_write_iter(struct kiocb *iocb, struct iov_iter *from)
+ if ((iocb->ki_flags & (IOCB_NOWAIT | IOCB_DIRECT)) == IOCB_NOWAIT)
+ return -EOPNOTSUPP;
+
+- iov_iter_truncate(from, size - iocb->ki_pos);
++ size -= iocb->ki_pos;
++ if (iov_iter_count(from) > size) {
++ shorted = iov_iter_count(from) - size;
++ iov_iter_truncate(from, size);
++ }
+
+ blk_start_plug(&plug);
+ ret = __generic_file_write_iter(iocb, from);
+ if (ret > 0)
+ ret = generic_write_sync(iocb, ret);
++ iov_iter_reexpand(from, iov_iter_count(from) + shorted);
+ blk_finish_plug(&plug);
+ return ret;
+ }
+@@ -2022,13 +2028,21 @@ ssize_t blkdev_read_iter(struct kiocb *iocb, struct iov_iter *to)
+ struct inode *bd_inode = bdev_file_inode(file);
+ loff_t size = i_size_read(bd_inode);
+ loff_t pos = iocb->ki_pos;
++ size_t shorted = 0;
++ ssize_t ret;
+
+ if (pos >= size)
+ return 0;
+
+ size -= pos;
+- iov_iter_truncate(to, size);
+- return generic_file_read_iter(iocb, to);
++ if (iov_iter_count(to) > size) {
++ shorted = iov_iter_count(to) - size;
++ iov_iter_truncate(to, size);
++ }
++
++ ret = generic_file_read_iter(iocb, to);
++ iov_iter_reexpand(to, iov_iter_count(to) + shorted);
++ return ret;
+ }
+ EXPORT_SYMBOL_GPL(blkdev_read_iter);
+
+--
+2.30.2
+
--- /dev/null
+From 2ff058acf33778440ddd02fb8237ec3e0a704ceb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Apr 2021 22:38:14 +0800
+Subject: bridge: Fix possible races between assigning rx_handler_data and
+ setting IFF_BRIDGE_PORT bit
+
+From: Zhang Zhengming <zhangzhengming@huawei.com>
+
+[ Upstream commit 59259ff7a81b9eb6213891c6451221e567f8f22f ]
+
+There is a crash in the function br_get_link_af_size_filtered,
+as the port_exists(dev) is true and the rx_handler_data of dev is NULL.
+But the rx_handler_data of dev is correct saved in vmcore.
+
+The oops looks something like:
+ ...
+ pc : br_get_link_af_size_filtered+0x28/0x1c8 [bridge]
+ ...
+ Call trace:
+ br_get_link_af_size_filtered+0x28/0x1c8 [bridge]
+ if_nlmsg_size+0x180/0x1b0
+ rtnl_calcit.isra.12+0xf8/0x148
+ rtnetlink_rcv_msg+0x334/0x370
+ netlink_rcv_skb+0x64/0x130
+ rtnetlink_rcv+0x28/0x38
+ netlink_unicast+0x1f0/0x250
+ netlink_sendmsg+0x310/0x378
+ sock_sendmsg+0x4c/0x70
+ __sys_sendto+0x120/0x150
+ __arm64_sys_sendto+0x30/0x40
+ el0_svc_common+0x78/0x130
+ el0_svc_handler+0x38/0x78
+ el0_svc+0x8/0xc
+
+In br_add_if(), we found there is no guarantee that
+assigning rx_handler_data to dev->rx_handler_data
+will before setting the IFF_BRIDGE_PORT bit of priv_flags.
+So there is a possible data competition:
+
+CPU 0: CPU 1:
+(RCU read lock) (RTNL lock)
+rtnl_calcit() br_add_slave()
+ if_nlmsg_size() br_add_if()
+ br_get_link_af_size_filtered() -> netdev_rx_handler_register
+ ...
+ // The order is not guaranteed
+ ... -> dev->priv_flags |= IFF_BRIDGE_PORT;
+ // The IFF_BRIDGE_PORT bit of priv_flags has been set
+ -> if (br_port_exists(dev)) {
+ // The dev->rx_handler_data has NOT been assigned
+ -> p = br_port_get_rcu(dev);
+ ....
+ -> rcu_assign_pointer(dev->rx_handler_data, rx_handler_data);
+ ...
+
+Fix it in br_get_link_af_size_filtered, using br_port_get_check_rcu() and checking the return value.
+
+Signed-off-by: Zhang Zhengming <zhangzhengming@huawei.com>
+Reviewed-by: Zhao Lei <zhaolei69@huawei.com>
+Reviewed-by: Wang Xiaogang <wangxiaogang3@huawei.com>
+Suggested-by: Nikolay Aleksandrov <nikolay@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_netlink.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
+index a0a54482aabc..8a664148f57a 100644
+--- a/net/bridge/br_netlink.c
++++ b/net/bridge/br_netlink.c
+@@ -99,8 +99,9 @@ static size_t br_get_link_af_size_filtered(const struct net_device *dev,
+
+ rcu_read_lock();
+ if (netif_is_bridge_port(dev)) {
+- p = br_port_get_rcu(dev);
+- vg = nbp_vlan_group_rcu(p);
++ p = br_port_get_check_rcu(dev);
++ if (p)
++ vg = nbp_vlan_group_rcu(p);
+ } else if (dev->priv_flags & IFF_EBRIDGE) {
+ br = netdev_priv(dev);
+ vg = br_vlan_group_rcu(br);
+--
+2.30.2
+
--- /dev/null
+From 98d2ebcf141eee49a5f9beba0f5f840dcd96e707 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Jan 2021 18:05:37 -0500
+Subject: ceph: fix fscache invalidation
+
+From: Jeff Layton <jlayton@kernel.org>
+
+[ Upstream commit 10a7052c7868bc7bc72d947f5aac6f768928db87 ]
+
+Ensure that we invalidate the fscache whenever we invalidate the
+pagecache.
+
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ceph/caps.c | 1 +
+ fs/ceph/inode.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c
+index 22833fa5bb58..a6047caf77ec 100644
+--- a/fs/ceph/caps.c
++++ b/fs/ceph/caps.c
+@@ -1780,6 +1780,7 @@ static int try_nonblocking_invalidate(struct inode *inode)
+ u32 invalidating_gen = ci->i_rdcache_gen;
+
+ spin_unlock(&ci->i_ceph_lock);
++ ceph_fscache_invalidate(inode);
+ invalidate_mapping_pages(&inode->i_data, 0, -1);
+ spin_lock(&ci->i_ceph_lock);
+
+diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
+index 660a878e20ef..5beebbbb42f0 100644
+--- a/fs/ceph/inode.c
++++ b/fs/ceph/inode.c
+@@ -1875,6 +1875,7 @@ static void ceph_do_invalidate_pages(struct inode *inode)
+ orig_gen = ci->i_rdcache_gen;
+ spin_unlock(&ci->i_ceph_lock);
+
++ ceph_fscache_invalidate(inode);
+ if (invalidate_inode_pages2(inode->i_mapping) < 0) {
+ pr_err("invalidate_pages %p fails\n", inode);
+ }
+--
+2.30.2
+
--- /dev/null
+From ed917f5bdf35ca6287e9f74972a2dfa1b5b33026 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Feb 2021 20:04:06 +0100
+Subject: dmaengine: dw-edma: Fix crash on loading/unloading driver
+
+From: Gustavo Pimentel <Gustavo.Pimentel@synopsys.com>
+
+[ Upstream commit e970dcc4bd8e0a1376e794fc81d41d0fc98262dd ]
+
+When the driver is compiled as a module and loaded if we try to unload
+it, the Kernel shows a crash log. This Kernel crash is due to the
+dma_async_device_unregister() call done after deleting the channels,
+this patch fixes this issue.
+
+Signed-off-by: Gustavo Pimentel <gustavo.pimentel@synopsys.com>
+Link: https://lore.kernel.org/r/4aa850c035cf7ee488f1d3fb6dee0e37be0dce0a.1613674948.git.gustavo.pimentel@synopsys.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/dw-edma/dw-edma-core.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/dma/dw-edma/dw-edma-core.c b/drivers/dma/dw-edma/dw-edma-core.c
+index 31577316f80b..afbd1a459019 100644
+--- a/drivers/dma/dw-edma/dw-edma-core.c
++++ b/drivers/dma/dw-edma/dw-edma-core.c
+@@ -910,22 +910,21 @@ int dw_edma_remove(struct dw_edma_chip *chip)
+ /* Power management */
+ pm_runtime_disable(dev);
+
++ /* Deregister eDMA device */
++ dma_async_device_unregister(&dw->wr_edma);
+ list_for_each_entry_safe(chan, _chan, &dw->wr_edma.channels,
+ vc.chan.device_node) {
+- list_del(&chan->vc.chan.device_node);
+ tasklet_kill(&chan->vc.task);
++ list_del(&chan->vc.chan.device_node);
+ }
+
++ dma_async_device_unregister(&dw->rd_edma);
+ list_for_each_entry_safe(chan, _chan, &dw->rd_edma.channels,
+ vc.chan.device_node) {
+- list_del(&chan->vc.chan.device_node);
+ tasklet_kill(&chan->vc.task);
++ list_del(&chan->vc.chan.device_node);
+ }
+
+- /* Deregister eDMA device */
+- dma_async_device_unregister(&dw->wr_edma);
+- dma_async_device_unregister(&dw->rd_edma);
+-
+ /* Turn debugfs off */
+ dw_edma_v0_core_debugfs_off();
+
+--
+2.30.2
+
--- /dev/null
+From 2917129a32ade668c4b116df0cc7d07110582ae0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Apr 2021 20:06:04 -0400
+Subject: drm/amd/display: Fix two cursor duplication when using overlay
+
+From: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+
+[ Upstream commit 16e9b3e58bc3fce7391539e0eb3fd167cbf9951f ]
+
+Our driver supports overlay planes, and as expected, some userspace
+compositor takes advantage of these features. If the userspace is not
+enabling the cursor, they can use multiple planes as they please.
+Nevertheless, we start to have constraints when userspace tries to
+enable hardware cursor with various planes. Basically, we cannot draw
+the cursor at the same size and position on two separated pipes since it
+uses extra bandwidth and DML only run with one cursor.
+
+For those reasons, when we enable hardware cursor and multiple planes,
+our driver should accept variations like the ones described below:
+
+ +-------------+ +--------------+
+ | +---------+ | | |
+ | |Primary | | | Primary |
+ | | | | | Overlay |
+ | +---------+ | | |
+ |Overlay | | |
+ +-------------+ +--------------+
+
+In this scenario, we can have the desktop UI in the overlay and some
+other framebuffer attached to the primary plane (e.g., video). However,
+userspace needs to obey some rules and avoid scenarios like the ones
+described below (when enabling hw cursor):
+
+ +--------+
+ |Overlay |
+ +-------------+ +-----+-------+ +-| |--+
+ | +--------+ | +--------+ | | +--------+ |
+ | |Overlay | | |Overlay | | | |
+ | | | | | | | | |
+ | +--------+ | +--------+ | | |
+ | Primary | | Primary | | Primary |
+ +-------------+ +-------------+ +-------------+
+
+ +-------------+ +-------------+
+ | +--------+ | Primary |
+ | |Overlay | | |
+ | | | | |
+ | +--------+ | +--------+ |
+ | Primary | | |Overlay | |
+ +-------------+ +-| |--+
+ +--------+
+
+If the userspace violates some of the above scenarios, our driver needs
+to reject the commit; otherwise, we can have unexpected behavior. Since
+we don't have a proper driver validation for the above case, we can see
+some problems like a duplicate cursor in applications that use multiple
+planes. This commit fixes the cursor issue and others by adding adequate
+verification for multiple planes.
+
+Change since V1 (Harry and Sean):
+- Remove cursor verification from the equation.
+
+Cc: Louis Li <Ching-shih.Li@amd.com>
+Cc: Nicholas Kazlauskas <Nicholas.Kazlauskas@amd.com>
+Cc: Harry Wentland <Harry.Wentland@amd.com>
+Cc: Hersen Wu <hersenxs.wu@amd.com>
+Cc: Sean Paul <seanpaul@chromium.org>
+Signed-off-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 51 +++++++++++++++++++
+ 1 file changed, 51 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index 82f1d5434b82..6e31e899192c 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -7267,6 +7267,53 @@ static int add_affected_mst_dsc_crtcs(struct drm_atomic_state *state, struct drm
+ }
+ #endif
+
++static int validate_overlay(struct drm_atomic_state *state)
++{
++ int i;
++ struct drm_plane *plane;
++ struct drm_plane_state *old_plane_state, *new_plane_state;
++ struct drm_plane_state *primary_state, *overlay_state = NULL;
++
++ /* Check if primary plane is contained inside overlay */
++ for_each_oldnew_plane_in_state_reverse(state, plane, old_plane_state, new_plane_state, i) {
++ if (plane->type == DRM_PLANE_TYPE_OVERLAY) {
++ if (drm_atomic_plane_disabling(plane->state, new_plane_state))
++ return 0;
++
++ overlay_state = new_plane_state;
++ continue;
++ }
++ }
++
++ /* check if we're making changes to the overlay plane */
++ if (!overlay_state)
++ return 0;
++
++ /* check if overlay plane is enabled */
++ if (!overlay_state->crtc)
++ return 0;
++
++ /* find the primary plane for the CRTC that the overlay is enabled on */
++ primary_state = drm_atomic_get_plane_state(state, overlay_state->crtc->primary);
++ if (IS_ERR(primary_state))
++ return PTR_ERR(primary_state);
++
++ /* check if primary plane is enabled */
++ if (!primary_state->crtc)
++ return 0;
++
++ /* Perform the bounds check to ensure the overlay plane covers the primary */
++ if (primary_state->crtc_x < overlay_state->crtc_x ||
++ primary_state->crtc_y < overlay_state->crtc_y ||
++ primary_state->crtc_x + primary_state->crtc_w > overlay_state->crtc_x + overlay_state->crtc_w ||
++ primary_state->crtc_y + primary_state->crtc_h > overlay_state->crtc_y + overlay_state->crtc_h) {
++ DRM_DEBUG_ATOMIC("Overlay plane is enabled with hardware cursor but does not fully cover primary plane\n");
++ return -EINVAL;
++ }
++
++ return 0;
++}
++
+ /**
+ * amdgpu_dm_atomic_check() - Atomic check implementation for AMDgpu DM.
+ * @dev: The DRM device
+@@ -7440,6 +7487,10 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev,
+ goto fail;
+ }
+
++ ret = validate_overlay(state);
++ if (ret)
++ goto fail;
++
+ /* Add new/modified planes */
+ for_each_oldnew_plane_in_state_reverse(state, plane, old_plane_state, new_plane_state, i) {
+ ret = dm_update_plane_state(dc, state, plane,
+--
+2.30.2
+
--- /dev/null
+From 6c6973fc4c776c1f96c1d891fa80b1cb4bdc920e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Apr 2021 18:27:40 +0200
+Subject: gpiolib: acpi: Add quirk to ignore EC wakeups on Dell Venue 10 Pro
+ 5055
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit da91ece226729c76f60708efc275ebd4716ad089 ]
+
+Like some other Bay and Cherry Trail SoC based devices the Dell Venue
+10 Pro 5055 has an embedded-controller which uses ACPI GPIO events to
+report events instead of using the standard ACPI EC interface for this.
+
+The EC interrupt is only used to report battery-level changes and
+it keeps doing this while the system is suspended, causing the system
+to not stay suspended.
+
+Add an ignore-wake quirk for the GPIO pin used by the EC to fix the
+spurious wakeups from suspend.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpiolib-acpi.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/gpio/gpiolib-acpi.c b/drivers/gpio/gpiolib-acpi.c
+index 66dcab6ab26d..e3ddc99c105d 100644
+--- a/drivers/gpio/gpiolib-acpi.c
++++ b/drivers/gpio/gpiolib-acpi.c
+@@ -1394,6 +1394,20 @@ static const struct dmi_system_id gpiolib_acpi_quirks[] = {
+ .no_edge_events_on_boot = true,
+ },
+ },
++ {
++ /*
++ * The Dell Venue 10 Pro 5055, with Bay Trail SoC + TI PMIC uses an
++ * external embedded-controller connected via I2C + an ACPI GPIO
++ * event handler on INT33FFC:02 pin 12, causing spurious wakeups.
++ */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Venue 10 Pro 5055"),
++ },
++ .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
++ .ignore_wake = "INT33FC:02@12",
++ },
++ },
+ {
+ /*
+ * HP X2 10 models with Cherry Trail SoC + TI PMIC use an
+--
+2.30.2
+
--- /dev/null
+From 5ff69d3239a8e757ba342859d57e4ba3499ad0f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Apr 2021 22:29:07 -0700
+Subject: Input: elants_i2c - do not bind to i2c-hid compatible ACPI
+ instantiated devices
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 65299e8bfb24774e6340e93ae49f6626598917c8 ]
+
+Several users have been reporting that elants_i2c gives several errors
+during probe and that their touchscreen does not work on their Lenovo AMD
+based laptops with a touchscreen with a ELAN0001 ACPI hardware-id:
+
+[ 0.550596] elants_i2c i2c-ELAN0001:00: i2c-ELAN0001:00 supply vcc33 not found, using dummy regulator
+[ 0.551836] elants_i2c i2c-ELAN0001:00: i2c-ELAN0001:00 supply vccio not found, using dummy regulator
+[ 0.560932] elants_i2c i2c-ELAN0001:00: elants_i2c_send failed (77 77 77 77): -121
+[ 0.562427] elants_i2c i2c-ELAN0001:00: software reset failed: -121
+[ 0.595925] elants_i2c i2c-ELAN0001:00: elants_i2c_send failed (77 77 77 77): -121
+[ 0.597974] elants_i2c i2c-ELAN0001:00: software reset failed: -121
+[ 0.621893] elants_i2c i2c-ELAN0001:00: elants_i2c_send failed (77 77 77 77): -121
+[ 0.622504] elants_i2c i2c-ELAN0001:00: software reset failed: -121
+[ 0.632650] elants_i2c i2c-ELAN0001:00: elants_i2c_send failed (4d 61 69 6e): -121
+[ 0.634256] elants_i2c i2c-ELAN0001:00: boot failed: -121
+[ 0.699212] elants_i2c i2c-ELAN0001:00: invalid 'hello' packet: 00 00 ff ff
+[ 1.630506] elants_i2c i2c-ELAN0001:00: Failed to read fw id: -121
+[ 1.645508] elants_i2c i2c-ELAN0001:00: unknown packet 00 00 ff ff
+
+Despite these errors, the elants_i2c driver stays bound to the device
+(it returns 0 from its probe method despite the errors), blocking the
+i2c-hid driver from binding.
+
+Manually unbinding the elants_i2c driver and binding the i2c-hid driver
+makes the touchscreen work.
+
+Check if the ACPI-fwnode for the touchscreen contains one of the i2c-hid
+compatiblity-id strings and if it has the I2C-HID spec's DSM to get the
+HID descriptor address, If it has both then make elants_i2c not bind,
+so that the i2c-hid driver can bind.
+
+This assumes that non of the (older) elan touchscreens which actually
+need the elants_i2c driver falsely advertise an i2c-hid compatiblity-id
++ DSM in their ACPI-fwnodes. If some of them actually do have this
+false advertising, then this change may lead to regressions.
+
+While at it also drop the unnecessary DEVICE_NAME prefixing of the
+"I2C check functionality error", dev_err already outputs the driver-name.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=207759
+Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20210405202756.16830-1-hdegoede@redhat.com
+
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/touchscreen/elants_i2c.c | 44 ++++++++++++++++++++++++--
+ 1 file changed, 42 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/input/touchscreen/elants_i2c.c b/drivers/input/touchscreen/elants_i2c.c
+index d4ad24ea54c8..a51e7c85f581 100644
+--- a/drivers/input/touchscreen/elants_i2c.c
++++ b/drivers/input/touchscreen/elants_i2c.c
+@@ -36,6 +36,7 @@
+ #include <linux/of.h>
+ #include <linux/gpio/consumer.h>
+ #include <linux/regulator/consumer.h>
++#include <linux/uuid.h>
+ #include <asm/unaligned.h>
+
+ /* Device, Driver information */
+@@ -1127,6 +1128,40 @@ static void elants_i2c_power_off(void *_data)
+ }
+ }
+
++#ifdef CONFIG_ACPI
++static const struct acpi_device_id i2c_hid_ids[] = {
++ {"ACPI0C50", 0 },
++ {"PNP0C50", 0 },
++ { },
++};
++
++static const guid_t i2c_hid_guid =
++ GUID_INIT(0x3CDFF6F7, 0x4267, 0x4555,
++ 0xAD, 0x05, 0xB3, 0x0A, 0x3D, 0x89, 0x38, 0xDE);
++
++static bool elants_acpi_is_hid_device(struct device *dev)
++{
++ acpi_handle handle = ACPI_HANDLE(dev);
++ union acpi_object *obj;
++
++ if (acpi_match_device_ids(ACPI_COMPANION(dev), i2c_hid_ids))
++ return false;
++
++ obj = acpi_evaluate_dsm_typed(handle, &i2c_hid_guid, 1, 1, NULL, ACPI_TYPE_INTEGER);
++ if (obj) {
++ ACPI_FREE(obj);
++ return true;
++ }
++
++ return false;
++}
++#else
++static bool elants_acpi_is_hid_device(struct device *dev)
++{
++ return false;
++}
++#endif
++
+ static int elants_i2c_probe(struct i2c_client *client,
+ const struct i2c_device_id *id)
+ {
+@@ -1135,9 +1170,14 @@ static int elants_i2c_probe(struct i2c_client *client,
+ unsigned long irqflags;
+ int error;
+
++ /* Don't bind to i2c-hid compatible devices, these are handled by the i2c-hid drv. */
++ if (elants_acpi_is_hid_device(&client->dev)) {
++ dev_warn(&client->dev, "This device appears to be an I2C-HID device, not binding\n");
++ return -ENODEV;
++ }
++
+ if (!i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) {
+- dev_err(&client->dev,
+- "%s: i2c check functionality error\n", DEVICE_NAME);
++ dev_err(&client->dev, "I2C check functionality error\n");
+ return -ENXIO;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From a9c219d47372dca78a57750fc572c7d2eb1b8ef4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Apr 2021 22:29:49 -0700
+Subject: Input: silead - add workaround for x86 BIOS-es which bring the chip
+ up in a stuck state
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit e479187748a8f151a85116a7091c599b121fdea5 ]
+
+Some buggy BIOS-es bring up the touchscreen-controller in a stuck
+state where it blocks the I2C bus. Specifically this happens on
+the Jumper EZpad 7 tablet model.
+
+After much poking at this problem I have found that the following steps
+are necessary to unstuck the chip / bus:
+
+1. Turn off the Silead chip.
+2. Try to do an I2C transfer with the chip, this will fail in response to
+ which the I2C-bus-driver will call: i2c_recover_bus() which will unstuck
+ the I2C-bus. Note the unstuck-ing of the I2C bus only works if we first
+ drop the chip of the bus by turning it off.
+3. Turn the chip back on.
+
+On the x86/ACPI systems were this problem is seen, step 1. and 3. require
+making ACPI calls and dealing with ACPI Power Resources. This commit adds
+a workaround which runtime-suspends the chip to turn it off, leaving it up
+to the ACPI subsystem to deal with all the ACPI specific details.
+
+There is no good way to detect this bug, so the workaround gets activated
+by a new "silead,stuck-controller-bug" boolean device-property. Since this
+is only used on x86/ACPI, this will be set by model specific device-props
+set by drivers/platform/x86/touchscreen_dmi.c. Therefor this new
+device-property is not documented in the DT-bindings.
+
+Dmesg will contain the following messages on systems where the workaround
+is activated:
+
+[ 54.309029] silead_ts i2c-MSSL1680:00: [Firmware Bug]: Stuck I2C bus: please ignore the next 'controller timed out' error
+[ 55.373593] i2c_designware 808622C1:04: controller timed out
+[ 55.582186] silead_ts i2c-MSSL1680:00: Silead chip ID: 0x80360000
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20210405202745.16777-1-hdegoede@redhat.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/touchscreen/silead.c | 44 +++++++++++++++++++++++++++---
+ 1 file changed, 40 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/input/touchscreen/silead.c b/drivers/input/touchscreen/silead.c
+index ad8b6a2bfd36..c8776146f1d1 100644
+--- a/drivers/input/touchscreen/silead.c
++++ b/drivers/input/touchscreen/silead.c
+@@ -20,6 +20,7 @@
+ #include <linux/input/mt.h>
+ #include <linux/input/touchscreen.h>
+ #include <linux/pm.h>
++#include <linux/pm_runtime.h>
+ #include <linux/irq.h>
+ #include <linux/regulator/consumer.h>
+
+@@ -335,10 +336,8 @@ static int silead_ts_get_id(struct i2c_client *client)
+
+ error = i2c_smbus_read_i2c_block_data(client, SILEAD_REG_ID,
+ sizeof(chip_id), (u8 *)&chip_id);
+- if (error < 0) {
+- dev_err(&client->dev, "Chip ID read error %d\n", error);
++ if (error < 0)
+ return error;
+- }
+
+ data->chip_id = le32_to_cpu(chip_id);
+ dev_info(&client->dev, "Silead chip ID: 0x%8X", data->chip_id);
+@@ -351,12 +350,49 @@ static int silead_ts_setup(struct i2c_client *client)
+ int error;
+ u32 status;
+
++ /*
++ * Some buggy BIOS-es bring up the chip in a stuck state where it
++ * blocks the I2C bus. The following steps are necessary to
++ * unstuck the chip / bus:
++ * 1. Turn off the Silead chip.
++ * 2. Try to do an I2C transfer with the chip, this will fail in
++ * response to which the I2C-bus-driver will call:
++ * i2c_recover_bus() which will unstuck the I2C-bus. Note the
++ * unstuck-ing of the I2C bus only works if we first drop the
++ * chip off the bus by turning it off.
++ * 3. Turn the chip back on.
++ *
++ * On the x86/ACPI systems were this problem is seen, step 1. and
++ * 3. require making ACPI calls and dealing with ACPI Power
++ * Resources. The workaround below runtime-suspends the chip to
++ * turn it off, leaving it up to the ACPI subsystem to deal with
++ * this.
++ */
++
++ if (device_property_read_bool(&client->dev,
++ "silead,stuck-controller-bug")) {
++ pm_runtime_set_active(&client->dev);
++ pm_runtime_enable(&client->dev);
++ pm_runtime_allow(&client->dev);
++
++ pm_runtime_suspend(&client->dev);
++
++ dev_warn(&client->dev, FW_BUG "Stuck I2C bus: please ignore the next 'controller timed out' error\n");
++ silead_ts_get_id(client);
++
++ /* The forbid will also resume the device */
++ pm_runtime_forbid(&client->dev);
++ pm_runtime_disable(&client->dev);
++ }
++
+ silead_ts_set_power(client, SILEAD_POWER_OFF);
+ silead_ts_set_power(client, SILEAD_POWER_ON);
+
+ error = silead_ts_get_id(client);
+- if (error)
++ if (error) {
++ dev_err(&client->dev, "Chip ID read error %d\n", error);
+ return error;
++ }
+
+ error = silead_ts_init(client);
+ if (error)
+--
+2.30.2
+
--- /dev/null
+From 5d30a1a418a196dd50059cc1e6e48d3c1cbfc6d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 May 2021 18:03:40 -0700
+Subject: lib: stackdepot: turn depot_lock spinlock to raw_spinlock
+
+From: Zqiang <qiang.zhang@windriver.com>
+
+[ Upstream commit 78564b9434878d686c5f88c4488b20cccbcc42bc ]
+
+In RT system, the spin_lock will be replaced by sleepable rt_mutex lock,
+in __call_rcu(), disable interrupts before calling
+kasan_record_aux_stack(), will trigger this calltrace:
+
+ BUG: sleeping function called from invalid context at kernel/locking/rtmutex.c:951
+ in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 19, name: pgdatinit0
+ Call Trace:
+ ___might_sleep.cold+0x1b2/0x1f1
+ rt_spin_lock+0x3b/0xb0
+ stack_depot_save+0x1b9/0x440
+ kasan_save_stack+0x32/0x40
+ kasan_record_aux_stack+0xa5/0xb0
+ __call_rcu+0x117/0x880
+ __exit_signal+0xafb/0x1180
+ release_task+0x1d6/0x480
+ exit_notify+0x303/0x750
+ do_exit+0x678/0xcf0
+ kthread+0x364/0x4f0
+ ret_from_fork+0x22/0x30
+
+Replace spinlock with raw_spinlock.
+
+Link: https://lkml.kernel.org/r/20210329084009.27013-1-qiang.zhang@windriver.com
+Signed-off-by: Zqiang <qiang.zhang@windriver.com>
+Reported-by: Andrew Halaney <ahalaney@redhat.com>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Gustavo A. R. Silva <gustavoars@kernel.org>
+Cc: Vijayanand Jitta <vjitta@codeaurora.org>
+Cc: Vinayak Menon <vinmenon@codeaurora.org>
+Cc: Yogesh Lal <ylal@codeaurora.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/stackdepot.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/stackdepot.c b/lib/stackdepot.c
+index 81c69c08d1d1..468626b8eb1b 100644
+--- a/lib/stackdepot.c
++++ b/lib/stackdepot.c
+@@ -69,7 +69,7 @@ static void *stack_slabs[STACK_ALLOC_MAX_SLABS];
+ static int depot_index;
+ static int next_slab_inited;
+ static size_t depot_offset;
+-static DEFINE_SPINLOCK(depot_lock);
++static DEFINE_RAW_SPINLOCK(depot_lock);
+
+ static bool init_stack_slab(void **prealloc)
+ {
+@@ -269,7 +269,7 @@ depot_stack_handle_t stack_depot_save(unsigned long *entries,
+ prealloc = page_address(page);
+ }
+
+- spin_lock_irqsave(&depot_lock, flags);
++ raw_spin_lock_irqsave(&depot_lock, flags);
+
+ found = find_stack(*bucket, entries, nr_entries, hash);
+ if (!found) {
+@@ -293,7 +293,7 @@ depot_stack_handle_t stack_depot_save(unsigned long *entries,
+ WARN_ON(!init_stack_slab(&prealloc));
+ }
+
+- spin_unlock_irqrestore(&depot_lock, flags);
++ raw_spin_unlock_irqrestore(&depot_lock, flags);
+ exit:
+ if (prealloc) {
+ /* Nobody used this memory, ok to free it. */
+--
+2.30.2
+
--- /dev/null
+From 3f080dcc7c72f1b810c8606dd8332a4e90fdd57d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 May 2021 16:33:12 +0200
+Subject: net: stmmac: Do not enable RX FIFO overflow interrupts
+
+From: Yannick Vignon <yannick.vignon@nxp.com>
+
+[ Upstream commit 8a7cb245cf28cb3e541e0d6c8624b95d079e155b ]
+
+The RX FIFO overflows when the system is not able to process all received
+packets and they start accumulating (first in the DMA queue in memory,
+then in the FIFO). An interrupt is then raised for each overflowing packet
+and handled in stmmac_interrupt(). This is counter-productive, since it
+brings the system (or more likely, one CPU core) to its knees to process
+the FIFO overflow interrupts.
+
+stmmac_interrupt() handles overflow interrupts by writing the rx tail ptr
+into the corresponding hardware register (according to the MAC spec, this
+has the effect of restarting the MAC DMA). However, without freeing any rx
+descriptors, the DMA stops right away, and another overflow interrupt is
+raised as the FIFO overflows again. Since the DMA is already restarted at
+the end of stmmac_rx_refill() after freeing descriptors, disabling FIFO
+overflow interrupts and the corresponding handling code has no side effect,
+and eliminates the interrupt storm when the RX FIFO overflows.
+
+Signed-off-by: Yannick Vignon <yannick.vignon@nxp.com>
+Link: https://lore.kernel.org/r/20210506143312.20784-1-yannick.vignon@oss.nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c | 7 +------
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 14 ++------------
+ 2 files changed, 3 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c
+index a41ac13cc4e5..0d993f4b701c 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c
+@@ -211,7 +211,7 @@ static void dwmac4_dma_rx_chan_op_mode(void __iomem *ioaddr, int mode,
+ u32 channel, int fifosz, u8 qmode)
+ {
+ unsigned int rqs = fifosz / 256 - 1;
+- u32 mtl_rx_op, mtl_rx_int;
++ u32 mtl_rx_op;
+
+ mtl_rx_op = readl(ioaddr + MTL_CHAN_RX_OP_MODE(channel));
+
+@@ -282,11 +282,6 @@ static void dwmac4_dma_rx_chan_op_mode(void __iomem *ioaddr, int mode,
+ }
+
+ writel(mtl_rx_op, ioaddr + MTL_CHAN_RX_OP_MODE(channel));
+-
+- /* Enable MTL RX overflow */
+- mtl_rx_int = readl(ioaddr + MTL_CHAN_INT_CTRL(channel));
+- writel(mtl_rx_int | MTL_RX_OVERFLOW_INT_EN,
+- ioaddr + MTL_CHAN_INT_CTRL(channel));
+ }
+
+ static void dwmac4_dma_tx_chan_op_mode(void __iomem *ioaddr, int mode,
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index 8e7c60e02fa0..10d28be73f45 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -3855,7 +3855,6 @@ static irqreturn_t stmmac_interrupt(int irq, void *dev_id)
+ /* To handle GMAC own interrupts */
+ if ((priv->plat->has_gmac) || xmac) {
+ int status = stmmac_host_irq_status(priv, priv->hw, &priv->xstats);
+- int mtl_status;
+
+ if (unlikely(status)) {
+ /* For LPI we need to save the tx status */
+@@ -3866,17 +3865,8 @@ static irqreturn_t stmmac_interrupt(int irq, void *dev_id)
+ }
+
+ for (queue = 0; queue < queues_count; queue++) {
+- struct stmmac_rx_queue *rx_q = &priv->rx_queue[queue];
+-
+- mtl_status = stmmac_host_mtl_irq_status(priv, priv->hw,
+- queue);
+- if (mtl_status != -EINVAL)
+- status |= mtl_status;
+-
+- if (status & CORE_IRQ_MTL_RX_OVERFLOW)
+- stmmac_set_rx_tail_ptr(priv, priv->ioaddr,
+- rx_q->rx_tail_addr,
+- queue);
++ status = stmmac_host_mtl_irq_status(priv, priv->hw,
++ queue);
+ }
+
+ /* PCS link status */
+--
+2.30.2
+
--- /dev/null
+From 38d42043104d6e91c063b647059b810dfaf0b168 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Mar 2021 16:24:47 +0100
+Subject: PCI: thunder: Fix compile testing
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 16f7ae5906dfbeff54f74ec75d0563bb3a87ab0b ]
+
+Compile-testing these drivers is currently broken. Enabling it causes a
+couple of build failures though:
+
+ drivers/pci/controller/pci-thunder-ecam.c:119:30: error: shift count >= width of type [-Werror,-Wshift-count-overflow]
+ drivers/pci/controller/pci-thunder-pem.c:54:2: error: implicit declaration of function 'writeq' [-Werror,-Wimplicit-function-declaration]
+ drivers/pci/controller/pci-thunder-pem.c:392:8: error: implicit declaration of function 'acpi_get_rc_resources' [-Werror,-Wimplicit-function-declaration]
+
+Fix them with the obvious one-line changes.
+
+Link: https://lore.kernel.org/r/20210308152501.2135937-2-arnd@kernel.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Reviewed-by: Robert Richter <rric@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pci-thunder-ecam.c | 2 +-
+ drivers/pci/controller/pci-thunder-pem.c | 13 +++++++------
+ drivers/pci/pci.h | 6 ++++++
+ 3 files changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/pci/controller/pci-thunder-ecam.c b/drivers/pci/controller/pci-thunder-ecam.c
+index 32d1d7b81ef4..18715d2ce022 100644
+--- a/drivers/pci/controller/pci-thunder-ecam.c
++++ b/drivers/pci/controller/pci-thunder-ecam.c
+@@ -116,7 +116,7 @@ static int thunder_ecam_p2_config_read(struct pci_bus *bus, unsigned int devfn,
+ * the config space access window. Since we are working with
+ * the high-order 32 bits, shift everything down by 32 bits.
+ */
+- node_bits = (cfg->res.start >> 32) & (1 << 12);
++ node_bits = upper_32_bits(cfg->res.start) & (1 << 12);
+
+ v |= node_bits;
+ set_val(v, where, size, val);
+diff --git a/drivers/pci/controller/pci-thunder-pem.c b/drivers/pci/controller/pci-thunder-pem.c
+index f127ce8bd4ef..1650ec2c35f9 100644
+--- a/drivers/pci/controller/pci-thunder-pem.c
++++ b/drivers/pci/controller/pci-thunder-pem.c
+@@ -11,6 +11,7 @@
+ #include <linux/pci-acpi.h>
+ #include <linux/pci-ecam.h>
+ #include <linux/platform_device.h>
++#include <linux/io-64-nonatomic-lo-hi.h>
+ #include "../pci.h"
+
+ #if defined(CONFIG_PCI_HOST_THUNDER_PEM) || (defined(CONFIG_ACPI) && defined(CONFIG_PCI_QUIRKS))
+@@ -314,9 +315,9 @@ static int thunder_pem_init(struct device *dev, struct pci_config_window *cfg,
+ * structure here for the BAR.
+ */
+ bar4_start = res_pem->start + 0xf00000;
+- pem_pci->ea_entry[0] = (u32)bar4_start | 2;
+- pem_pci->ea_entry[1] = (u32)(res_pem->end - bar4_start) & ~3u;
+- pem_pci->ea_entry[2] = (u32)(bar4_start >> 32);
++ pem_pci->ea_entry[0] = lower_32_bits(bar4_start) | 2;
++ pem_pci->ea_entry[1] = lower_32_bits(res_pem->end - bar4_start) & ~3u;
++ pem_pci->ea_entry[2] = upper_32_bits(bar4_start);
+
+ cfg->priv = pem_pci;
+ return 0;
+@@ -324,9 +325,9 @@ static int thunder_pem_init(struct device *dev, struct pci_config_window *cfg,
+
+ #if defined(CONFIG_ACPI) && defined(CONFIG_PCI_QUIRKS)
+
+-#define PEM_RES_BASE 0x87e0c0000000UL
+-#define PEM_NODE_MASK GENMASK(45, 44)
+-#define PEM_INDX_MASK GENMASK(26, 24)
++#define PEM_RES_BASE 0x87e0c0000000ULL
++#define PEM_NODE_MASK GENMASK_ULL(45, 44)
++#define PEM_INDX_MASK GENMASK_ULL(26, 24)
+ #define PEM_MIN_DOM_IN_NODE 4
+ #define PEM_MAX_DOM_IN_NODE 10
+
+diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h
+index a5adc2e2c351..572c2f0a2f0c 100644
+--- a/drivers/pci/pci.h
++++ b/drivers/pci/pci.h
+@@ -588,6 +588,12 @@ static inline int pci_dev_specific_reset(struct pci_dev *dev, int probe)
+ #if defined(CONFIG_PCI_QUIRKS) && defined(CONFIG_ARM64)
+ int acpi_get_rc_resources(struct device *dev, const char *hid, u16 segment,
+ struct resource *res);
++#else
++static inline int acpi_get_rc_resources(struct device *dev, const char *hid,
++ u16 segment, struct resource *res)
++{
++ return -ENODEV;
++}
+ #endif
+
+ u32 pci_rebar_get_possible_sizes(struct pci_dev *pdev, int bar);
+--
+2.30.2
+
--- /dev/null
+From 8f9a7c4fcace60b85f6975e9c78b3f90782f9380 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Feb 2020 09:35:09 -0600
+Subject: pinctrl: ingenic: Improve unreachable code generation
+
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+
+[ Upstream commit d6d43a92172085a2681e06a0d06aac53c7bcdd12 ]
+
+In the second loop of ingenic_pinconf_set(), it annotates the switch
+default case as unreachable(). The annotation is technically correct,
+because that same case would have resulted in an early function return
+in the previous loop.
+
+However, the compiled code is suboptimal. GCC seems to work extra hard
+to ensure that the unreachable code path triggers undefined behavior.
+The function would fall through to start executing whatever function
+happens to be next in the compilation unit.
+
+This is problematic because:
+
+ a) it adds unnecessary 'ensure undefined behavior' logic, and
+ corresponding i-cache footprint; and
+
+ b) it's less robust -- if a bug were to be introduced, falling through
+ to the next function would be catastrophic.
+
+Yet another issue is that, while objtool normally understands
+unreachable() annotations, there's one special case where it doesn't:
+when the annotation occurs immediately after a 'ret' instruction. That
+happens to be the case here because unreachable() is immediately before
+the return.
+
+Remove the unreachable() annotation and replace it with a comment. This
+simplifies the code generation and changes the unreachable error path to
+just silently return instead of corrupting execution.
+
+This fixes the following objtool warning:
+
+ drivers/pinctrl/pinctrl-ingenic.o: warning: objtool: ingenic_pinconf_set() falls through to next function ingenic_pinconf_group_set()
+
+Reported-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Link: https://lore.kernel.org/r/bc20fdbcb826512cf76b7dfd0972740875931b19.1582212881.git.jpoimboe@redhat.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-ingenic.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/pinctrl-ingenic.c b/drivers/pinctrl/pinctrl-ingenic.c
+index 61e7d938d4c5..91596eee0bda 100644
+--- a/drivers/pinctrl/pinctrl-ingenic.c
++++ b/drivers/pinctrl/pinctrl-ingenic.c
+@@ -1846,7 +1846,8 @@ static int ingenic_pinconf_set(struct pinctrl_dev *pctldev, unsigned int pin,
+ break;
+
+ default:
+- unreachable();
++ /* unreachable */
++ break;
+ }
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 7bb7ed24fdba87f2da349107f71b95390c34caa6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 15:38:06 -0700
+Subject: riscv: Workaround mcount name prior to clang-13
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit 7ce04771503074a7de7f539cc43f5e1b385cb99b ]
+
+Prior to clang 13.0.0, the RISC-V name for the mcount symbol was
+"mcount", which differs from the GCC version of "_mcount", which results
+in the following errors:
+
+riscv64-linux-gnu-ld: init/main.o: in function `__traceiter_initcall_level':
+main.c:(.text+0xe): undefined reference to `mcount'
+riscv64-linux-gnu-ld: init/main.o: in function `__traceiter_initcall_start':
+main.c:(.text+0x4e): undefined reference to `mcount'
+riscv64-linux-gnu-ld: init/main.o: in function `__traceiter_initcall_finish':
+main.c:(.text+0x92): undefined reference to `mcount'
+riscv64-linux-gnu-ld: init/main.o: in function `.LBB32_28':
+main.c:(.text+0x30c): undefined reference to `mcount'
+riscv64-linux-gnu-ld: init/main.o: in function `free_initmem':
+main.c:(.text+0x54c): undefined reference to `mcount'
+
+This has been corrected in https://reviews.llvm.org/D98881 but the
+minimum supported clang version is 10.0.1. To avoid build errors and to
+gain a working function tracer, adjust the name of the mcount symbol for
+older versions of clang in mount.S and recordmcount.pl.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/1331
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/include/asm/ftrace.h | 14 ++++++++++++--
+ arch/riscv/kernel/mcount.S | 10 +++++-----
+ scripts/recordmcount.pl | 2 +-
+ 3 files changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/arch/riscv/include/asm/ftrace.h b/arch/riscv/include/asm/ftrace.h
+index 02fbc175142e..693c3839a7df 100644
+--- a/arch/riscv/include/asm/ftrace.h
++++ b/arch/riscv/include/asm/ftrace.h
+@@ -10,9 +10,19 @@
+ #endif
+ #define HAVE_FUNCTION_GRAPH_RET_ADDR_PTR
+
++/*
++ * Clang prior to 13 had "mcount" instead of "_mcount":
++ * https://reviews.llvm.org/D98881
++ */
++#if defined(CONFIG_CC_IS_GCC) || CONFIG_CLANG_VERSION >= 130000
++#define MCOUNT_NAME _mcount
++#else
++#define MCOUNT_NAME mcount
++#endif
++
+ #define ARCH_SUPPORTS_FTRACE_OPS 1
+ #ifndef __ASSEMBLY__
+-void _mcount(void);
++void MCOUNT_NAME(void);
+ static inline unsigned long ftrace_call_adjust(unsigned long addr)
+ {
+ return addr;
+@@ -33,7 +43,7 @@ struct dyn_arch_ftrace {
+ * both auipc and jalr at the same time.
+ */
+
+-#define MCOUNT_ADDR ((unsigned long)_mcount)
++#define MCOUNT_ADDR ((unsigned long)MCOUNT_NAME)
+ #define JALR_SIGN_MASK (0x00000800)
+ #define JALR_OFFSET_MASK (0x00000fff)
+ #define AUIPC_OFFSET_MASK (0xfffff000)
+diff --git a/arch/riscv/kernel/mcount.S b/arch/riscv/kernel/mcount.S
+index 8a5593ff9ff3..6d462681c9c0 100644
+--- a/arch/riscv/kernel/mcount.S
++++ b/arch/riscv/kernel/mcount.S
+@@ -47,8 +47,8 @@
+
+ ENTRY(ftrace_stub)
+ #ifdef CONFIG_DYNAMIC_FTRACE
+- .global _mcount
+- .set _mcount, ftrace_stub
++ .global MCOUNT_NAME
++ .set MCOUNT_NAME, ftrace_stub
+ #endif
+ ret
+ ENDPROC(ftrace_stub)
+@@ -78,7 +78,7 @@ ENDPROC(return_to_handler)
+ #endif
+
+ #ifndef CONFIG_DYNAMIC_FTRACE
+-ENTRY(_mcount)
++ENTRY(MCOUNT_NAME)
+ la t4, ftrace_stub
+ #ifdef CONFIG_FUNCTION_GRAPH_TRACER
+ la t0, ftrace_graph_return
+@@ -124,6 +124,6 @@ do_trace:
+ jalr t5
+ RESTORE_ABI_STATE
+ ret
+-ENDPROC(_mcount)
++ENDPROC(MCOUNT_NAME)
+ #endif
+-EXPORT_SYMBOL(_mcount)
++EXPORT_SYMBOL(MCOUNT_NAME)
+diff --git a/scripts/recordmcount.pl b/scripts/recordmcount.pl
+index 857d5b70b1a9..4f84657f55c2 100755
+--- a/scripts/recordmcount.pl
++++ b/scripts/recordmcount.pl
+@@ -395,7 +395,7 @@ if ($arch eq "x86_64") {
+ $mcount_regex = "^\\s*([0-9a-fA-F]+):.*\\s_mcount\$";
+ } elsif ($arch eq "riscv") {
+ $function_regex = "^([0-9a-fA-F]+)\\s+<([^.0-9][0-9a-zA-Z_\\.]+)>:";
+- $mcount_regex = "^\\s*([0-9a-fA-F]+):\\sR_RISCV_CALL(_PLT)?\\s_mcount\$";
++ $mcount_regex = "^\\s*([0-9a-fA-F]+):\\sR_RISCV_CALL(_PLT)?\\s_?mcount\$";
+ $type = ".quad";
+ $alignment = 2;
+ } elsif ($arch eq "nds32") {
+--
+2.30.2
+
--- /dev/null
+From 8973a128e3500539696a14f40e27116196fdb1dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 15:38:05 -0700
+Subject: scripts/recordmcount.pl: Fix RISC-V regex for clang
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit 2f095504f4b9cf75856d6a9cf90299cf75aa46c5 ]
+
+Clang can generate R_RISCV_CALL_PLT relocations to _mcount:
+
+$ llvm-objdump -dr build/riscv/init/main.o | rg mcount
+ 000000000000000e: R_RISCV_CALL_PLT _mcount
+ 000000000000004e: R_RISCV_CALL_PLT _mcount
+
+After this, the __start_mcount_loc section is properly generated and
+function tracing still works.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/1331
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Fangrui Song <maskray@google.com>
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/recordmcount.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/recordmcount.pl b/scripts/recordmcount.pl
+index 0bafed857e17..857d5b70b1a9 100755
+--- a/scripts/recordmcount.pl
++++ b/scripts/recordmcount.pl
+@@ -395,7 +395,7 @@ if ($arch eq "x86_64") {
+ $mcount_regex = "^\\s*([0-9a-fA-F]+):.*\\s_mcount\$";
+ } elsif ($arch eq "riscv") {
+ $function_regex = "^([0-9a-fA-F]+)\\s+<([^.0-9][0-9a-zA-Z_\\.]+)>:";
+- $mcount_regex = "^\\s*([0-9a-fA-F]+):\\sR_RISCV_CALL\\s_mcount\$";
++ $mcount_regex = "^\\s*([0-9a-fA-F]+):\\sR_RISCV_CALL(_PLT)?\\s_mcount\$";
+ $type = ".quad";
+ $alignment = 2;
+ } elsif ($arch eq "nds32") {
+--
+2.30.2
+
--- /dev/null
+From 95804069a2b2aa6876b4cbfed7fc3a0e18e767e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Apr 2021 16:44:33 -0700
+Subject: scsi: lpfc: Fix illegal memory access on Abort IOCBs
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit e1364711359f3ced054bda9920477c8bf93b74c5 ]
+
+In devloss timer handler and in backend calls to terminate remote port I/O,
+there is logic to walk through all active IOCBs and validate them to
+potentially trigger an abort request. This logic is causing illegal memory
+accesses which leads to a crash. Abort IOCBs, which may be on the list, do
+not have an associated lpfc_io_buf struct. The driver is trying to map an
+lpfc_io_buf struct on the IOCB and which results in a bogus address thus
+the issue.
+
+Fix by skipping over ABORT IOCBs (CLOSE IOCBs are ABORTS that don't send
+ABTS) in the IOCB scan logic.
+
+Link: https://lore.kernel.org/r/20210421234433.102079-1-jsmart2021@gmail.com
+Co-developed-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_sli.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
+index ef7cef316d21..795460eda6a5 100644
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -11337,13 +11337,20 @@ lpfc_sli_validate_fcp_iocb(struct lpfc_iocbq *iocbq, struct lpfc_vport *vport,
+ lpfc_ctx_cmd ctx_cmd)
+ {
+ struct lpfc_io_buf *lpfc_cmd;
++ IOCB_t *icmd = NULL;
+ int rc = 1;
+
+ if (iocbq->vport != vport)
+ return rc;
+
+- if (!(iocbq->iocb_flag & LPFC_IO_FCP) ||
+- !(iocbq->iocb_flag & LPFC_IO_ON_TXCMPLQ))
++ if (!(iocbq->iocb_flag & LPFC_IO_FCP) ||
++ !(iocbq->iocb_flag & LPFC_IO_ON_TXCMPLQ) ||
++ iocbq->iocb_flag & LPFC_DRIVER_ABORTED)
++ return rc;
++
++ icmd = &iocbq->iocb;
++ if (icmd->ulpCommand == CMD_ABORT_XRI_CN ||
++ icmd->ulpCommand == CMD_CLOSE_XRI_CN)
+ return rc;
+
+ lpfc_cmd = container_of(iocbq, struct lpfc_io_buf, cur_iocbq);
+--
+2.30.2
+
--- /dev/null
+From cacee284a4cf2619c208b1384d711b2f87235188 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Apr 2021 17:01:23 +0200
+Subject: scsi: target: tcmu: Return from tcmu_handle_completions() if cmd_id
+ not found
+
+From: Bodo Stroesser <bostroesser@gmail.com>
+
+[ Upstream commit 9814b55cde0588b6d9bc496cee43f87316cbc6f1 ]
+
+If tcmu_handle_completions() finds an invalid cmd_id while looping over cmd
+responses from userspace it sets TCMU_DEV_BIT_BROKEN and breaks the
+loop. This means that it does further handling for the tcmu device.
+
+Skip that handling by replacing 'break' with 'return'.
+
+Additionally change tcmu_handle_completions() from unsigned int to bool,
+since the value used in return already is bool.
+
+Link: https://lore.kernel.org/r/20210423150123.24468-1-bostroesser@gmail.com
+Signed-off-by: Bodo Stroesser <bostroesser@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/target_core_user.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
+index d6634baebb47..71144e33272a 100644
+--- a/drivers/target/target_core_user.c
++++ b/drivers/target/target_core_user.c
+@@ -1205,7 +1205,7 @@ static void tcmu_set_next_deadline(struct list_head *queue,
+ del_timer(timer);
+ }
+
+-static unsigned int tcmu_handle_completions(struct tcmu_dev *udev)
++static bool tcmu_handle_completions(struct tcmu_dev *udev)
+ {
+ struct tcmu_mailbox *mb;
+ struct tcmu_cmd *cmd;
+@@ -1245,7 +1245,7 @@ static unsigned int tcmu_handle_completions(struct tcmu_dev *udev)
+ pr_err("cmd_id %u not found, ring is broken\n",
+ entry->hdr.cmd_id);
+ set_bit(TCMU_DEV_BIT_BROKEN, &udev->flags);
+- break;
++ return false;
+ }
+
+ tcmu_handle_completion(cmd, entry);
+--
+2.30.2
+
usb-sl811-hcd-improve-misleading-indentation.patch
cxgb4-fix-the-wmisleading-indentation-warning.patch
isdn-capi-fix-mismatched-prototypes.patch
+pinctrl-ingenic-improve-unreachable-code-generation.patch
+xsk-simplify-detection-of-empty-and-full-rings.patch
+virtio_net-do-not-pull-payload-in-skb-head.patch
+arm-9058-1-cache-v7-refactor-v7_invalidate_l1-to-avo.patch
+pci-thunder-fix-compile-testing.patch
+dmaengine-dw-edma-fix-crash-on-loading-unloading-dri.patch
+arm-9066-1-ftrace-pause-unpause-function-graph-trace.patch
+acpi-hotplug-pci-fix-reference-count-leak-in-enable_.patch
+input-elants_i2c-do-not-bind-to-i2c-hid-compatible-a.patch
+input-silead-add-workaround-for-x86-bios-es-which-br.patch
+um-mark-all-kernel-symbols-as-local.patch
+um-disable-config_gcov-with-modules.patch
+arm-9075-1-kernel-fix-interrupted-smc-calls.patch
+scripts-recordmcount.pl-fix-risc-v-regex-for-clang.patch
+riscv-workaround-mcount-name-prior-to-clang-13.patch
+scsi-lpfc-fix-illegal-memory-access-on-abort-iocbs.patch
+ceph-fix-fscache-invalidation.patch
+scsi-target-tcmu-return-from-tcmu_handle_completions.patch
+bridge-fix-possible-races-between-assigning-rx_handl.patch
+drm-amd-display-fix-two-cursor-duplication-when-usin.patch
+gpiolib-acpi-add-quirk-to-ignore-ec-wakeups-on-dell-.patch
+alsa-hda-generic-change-the-dac-ctl-name-for-lo-spk-.patch
+block-reexpand-iov_iter-after-read-write.patch
+lib-stackdepot-turn-depot_lock-spinlock-to-raw_spinl.patch
+net-stmmac-do-not-enable-rx-fifo-overflow-interrupts.patch
--- /dev/null
+From 01c8de6dd175ebc3b935655b8669444c111b0c2f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Mar 2021 23:47:31 +0100
+Subject: um: Disable CONFIG_GCOV with MODULES
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit ad3d19911632debc886ef4a992d41d6de7927006 ]
+
+CONFIG_GCOV doesn't work with modules, and for various reasons
+it cannot work, see also
+https://lore.kernel.org/r/d36ea54d8c0a8dd706826ba844a6f27691f45d55.camel@sipsolutions.net
+
+Make CONFIG_GCOV depend on !MODULES to avoid anyone
+running into issues there. This also means we need
+not export the gcov symbols.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/Kconfig.debug | 1 +
+ arch/um/kernel/Makefile | 1 -
+ arch/um/kernel/gmon_syms.c | 16 ----------------
+ 3 files changed, 1 insertion(+), 17 deletions(-)
+ delete mode 100644 arch/um/kernel/gmon_syms.c
+
+diff --git a/arch/um/Kconfig.debug b/arch/um/Kconfig.debug
+index 85726eeec345..e4a0f12f20d9 100644
+--- a/arch/um/Kconfig.debug
++++ b/arch/um/Kconfig.debug
+@@ -17,6 +17,7 @@ config GCOV
+ bool "Enable gcov support"
+ depends on DEBUG_INFO
+ depends on !KCOV
++ depends on !MODULES
+ help
+ This option allows developers to retrieve coverage data from a UML
+ session.
+diff --git a/arch/um/kernel/Makefile b/arch/um/kernel/Makefile
+index 5aa882011e04..e698e0c7dbdc 100644
+--- a/arch/um/kernel/Makefile
++++ b/arch/um/kernel/Makefile
+@@ -21,7 +21,6 @@ obj-y = config.o exec.o exitcode.o irq.o ksyms.o mem.o \
+
+ obj-$(CONFIG_BLK_DEV_INITRD) += initrd.o
+ obj-$(CONFIG_GPROF) += gprof_syms.o
+-obj-$(CONFIG_GCOV) += gmon_syms.o
+ obj-$(CONFIG_EARLY_PRINTK) += early_printk.o
+ obj-$(CONFIG_STACKTRACE) += stacktrace.o
+
+diff --git a/arch/um/kernel/gmon_syms.c b/arch/um/kernel/gmon_syms.c
+deleted file mode 100644
+index 9361a8eb9bf1..000000000000
+--- a/arch/um/kernel/gmon_syms.c
++++ /dev/null
+@@ -1,16 +0,0 @@
+-// SPDX-License-Identifier: GPL-2.0
+-/*
+- * Copyright (C) 2001 - 2007 Jeff Dike (jdike@{addtoit,linux.intel}.com)
+- */
+-
+-#include <linux/module.h>
+-
+-extern void __bb_init_func(void *) __attribute__((weak));
+-EXPORT_SYMBOL(__bb_init_func);
+-
+-extern void __gcov_init(void *) __attribute__((weak));
+-EXPORT_SYMBOL(__gcov_init);
+-extern void __gcov_merge_add(void *, unsigned int) __attribute__((weak));
+-EXPORT_SYMBOL(__gcov_merge_add);
+-extern void __gcov_exit(void) __attribute__((weak));
+-EXPORT_SYMBOL(__gcov_exit);
+--
+2.30.2
+
--- /dev/null
+From 18ae9df8b1112c1d5df1fb72fbf5d59bca710431 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Mar 2021 21:43:15 +0100
+Subject: um: Mark all kernel symbols as local
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit d5027ca63e0e778b641cf23e3f5c6d6212cf412b ]
+
+Ritesh reported a bug [1] against UML, noting that it crashed on
+startup. The backtrace shows the following (heavily redacted):
+
+(gdb) bt
+...
+ #26 0x0000000060015b5d in sem_init () at ipc/sem.c:268
+ #27 0x00007f89906d92f7 in ?? () from /lib/x86_64-linux-gnu/libcom_err.so.2
+ #28 0x00007f8990ab8fb2 in call_init (...) at dl-init.c:72
+...
+ #40 0x00007f89909bf3a6 in nss_load_library (...) at nsswitch.c:359
+...
+ #44 0x00007f8990895e35 in _nss_compat_getgrnam_r (...) at nss_compat/compat-grp.c:486
+ #45 0x00007f8990968b85 in __getgrnam_r [...]
+ #46 0x00007f89909d6b77 in grantpt [...]
+ #47 0x00007f8990a9394e in __GI_openpty [...]
+ #48 0x00000000604a1f65 in openpty_cb (...) at arch/um/os-Linux/sigio.c:407
+ #49 0x00000000604a58d0 in start_idle_thread (...) at arch/um/os-Linux/skas/process.c:598
+ #50 0x0000000060004a3d in start_uml () at arch/um/kernel/skas/process.c:45
+ #51 0x00000000600047b2 in linux_main (...) at arch/um/kernel/um_arch.c:334
+ #52 0x000000006000574f in main (...) at arch/um/os-Linux/main.c:144
+
+indicating that the UML function openpty_cb() calls openpty(),
+which internally calls __getgrnam_r(), which causes the nsswitch
+machinery to get started.
+
+This loads, through lots of indirection that I snipped, the
+libcom_err.so.2 library, which (in an unknown function, "??")
+calls sem_init().
+
+Now, of course it wants to get libpthread's sem_init(), since
+it's linked against libpthread. However, the dynamic linker
+looks up that symbol against the binary first, and gets the
+kernel's sem_init().
+
+Hajime Tazaki noted that "objcopy -L" can localize a symbol,
+so the dynamic linker wouldn't do the lookup this way. I tried,
+but for some reason that didn't seem to work.
+
+Doing the same thing in the linker script instead does seem to
+work, though I cannot entirely explain - it *also* works if I
+just add "VERSION { { global: *; }; }" instead, indicating that
+something else is happening that I don't really understand. It
+may be that explicitly doing that marks them with some kind of
+empty version, and that's different from the default.
+
+Explicitly marking them with a version breaks kallsyms, so that
+doesn't seem to be possible.
+
+Marking all the symbols as local seems correct, and does seem
+to address the issue, so do that. Also do it for static link,
+nsswitch libraries could still be loaded there.
+
+[1] https://bugs.debian.org/983379
+
+Reported-by: Ritesh Raj Sarraf <rrs@debian.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Acked-By: Anton Ivanov <anton.ivanov@cambridgegreys.com>
+Tested-By: Ritesh Raj Sarraf <rrs@debian.org>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/kernel/dyn.lds.S | 6 ++++++
+ arch/um/kernel/uml.lds.S | 6 ++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/arch/um/kernel/dyn.lds.S b/arch/um/kernel/dyn.lds.S
+index f5001481010c..a82ec0113321 100644
+--- a/arch/um/kernel/dyn.lds.S
++++ b/arch/um/kernel/dyn.lds.S
+@@ -6,6 +6,12 @@ OUTPUT_ARCH(ELF_ARCH)
+ ENTRY(_start)
+ jiffies = jiffies_64;
+
++VERSION {
++ {
++ local: *;
++ };
++}
++
+ SECTIONS
+ {
+ PROVIDE (__executable_start = START);
+diff --git a/arch/um/kernel/uml.lds.S b/arch/um/kernel/uml.lds.S
+index 9f21443be2c9..85b404d068f4 100644
+--- a/arch/um/kernel/uml.lds.S
++++ b/arch/um/kernel/uml.lds.S
+@@ -7,6 +7,12 @@ OUTPUT_ARCH(ELF_ARCH)
+ ENTRY(_start)
+ jiffies = jiffies_64;
+
++VERSION {
++ {
++ local: *;
++ };
++}
++
+ SECTIONS
+ {
+ /* This must contain the right address - not quite the default ELF one.*/
+--
+2.30.2
+
--- /dev/null
+From ccb1759cd5e6493f9906ab510d65ed5501665b43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Apr 2021 06:26:02 -0700
+Subject: virtio_net: Do not pull payload in skb->head
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 0f6925b3e8da0dbbb52447ca8a8b42b371aac7db ]
+
+Xuan Zhuo reported that commit 3226b158e67c ("net: avoid 32 x truesize
+under-estimation for tiny skbs") brought a ~10% performance drop.
+
+The reason for the performance drop was that GRO was forced
+to chain sk_buff (using skb_shinfo(skb)->frag_list), which
+uses more memory but also cause packet consumers to go over
+a lot of overhead handling all the tiny skbs.
+
+It turns out that virtio_net page_to_skb() has a wrong strategy :
+It allocates skbs with GOOD_COPY_LEN (128) bytes in skb->head, then
+copies 128 bytes from the page, before feeding the packet to GRO stack.
+
+This was suboptimal before commit 3226b158e67c ("net: avoid 32 x truesize
+under-estimation for tiny skbs") because GRO was using 2 frags per MSS,
+meaning we were not packing MSS with 100% efficiency.
+
+Fix is to pull only the ethernet header in page_to_skb()
+
+Then, we change virtio_net_hdr_to_skb() to pull the missing
+headers, instead of assuming they were already pulled by callers.
+
+This fixes the performance regression, but could also allow virtio_net
+to accept packets with more than 128bytes of headers.
+
+Many thanks to Xuan Zhuo for his report, and his tests/help.
+
+Fixes: 3226b158e67c ("net: avoid 32 x truesize under-estimation for tiny skbs")
+Reported-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Link: https://www.spinics.net/lists/netdev/msg731397.html
+Co-Developed-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Signed-off-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Cc: virtualization@lists.linux-foundation.org
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/virtio_net.c | 10 +++++++---
+ include/linux/virtio_net.h | 14 +++++++++-----
+ 2 files changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index b67460864b3c..d8ee001d8e8e 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -406,9 +406,13 @@ static struct sk_buff *page_to_skb(struct virtnet_info *vi,
+ offset += hdr_padded_len;
+ p += hdr_padded_len;
+
+- copy = len;
+- if (copy > skb_tailroom(skb))
+- copy = skb_tailroom(skb);
++ /* Copy all frame if it fits skb->head, otherwise
++ * we let virtio_net_hdr_to_skb() and GRO pull headers as needed.
++ */
++ if (len <= skb_tailroom(skb))
++ copy = len;
++ else
++ copy = ETH_HLEN + metasize;
+ skb_put_data(skb, p, copy);
+
+ if (metasize) {
+diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h
+index 98775d7fa696..b465f8f3e554 100644
+--- a/include/linux/virtio_net.h
++++ b/include/linux/virtio_net.h
+@@ -65,14 +65,18 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb,
+ skb_reset_mac_header(skb);
+
+ if (hdr->flags & VIRTIO_NET_HDR_F_NEEDS_CSUM) {
+- u16 start = __virtio16_to_cpu(little_endian, hdr->csum_start);
+- u16 off = __virtio16_to_cpu(little_endian, hdr->csum_offset);
++ u32 start = __virtio16_to_cpu(little_endian, hdr->csum_start);
++ u32 off = __virtio16_to_cpu(little_endian, hdr->csum_offset);
++ u32 needed = start + max_t(u32, thlen, off + sizeof(__sum16));
++
++ if (!pskb_may_pull(skb, needed))
++ return -EINVAL;
+
+ if (!skb_partial_csum_set(skb, start, off))
+ return -EINVAL;
+
+ p_off = skb_transport_offset(skb) + thlen;
+- if (p_off > skb_headlen(skb))
++ if (!pskb_may_pull(skb, p_off))
+ return -EINVAL;
+ } else {
+ /* gso packets without NEEDS_CSUM do not set transport_offset.
+@@ -102,14 +106,14 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb,
+ }
+
+ p_off = keys.control.thoff + thlen;
+- if (p_off > skb_headlen(skb) ||
++ if (!pskb_may_pull(skb, p_off) ||
+ keys.basic.ip_proto != ip_proto)
+ return -EINVAL;
+
+ skb_set_transport_header(skb, keys.control.thoff);
+ } else if (gso_type) {
+ p_off = thlen;
+- if (p_off > skb_headlen(skb))
++ if (!pskb_may_pull(skb, p_off))
+ return -EINVAL;
+ }
+ }
+--
+2.30.2
+
--- /dev/null
+From 6c4cbef21253bc82dc2a759b3e0894f5303291c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Dec 2019 13:39:21 +0100
+Subject: xsk: Simplify detection of empty and full rings
+
+From: Magnus Karlsson <magnus.karlsson@intel.com>
+
+[ Upstream commit 11cc2d21499cabe7e7964389634ed1de3ee91d33 ]
+
+In order to set the correct return flags for poll, the xsk code has to
+check if the Rx queue is empty and if the Tx queue is full. This code
+was unnecessarily large and complex as it used the functions that are
+used to update the local state from the global state (xskq_nb_free and
+xskq_nb_avail). Since we are not doing this nor updating any data
+dependent on this state, we can simplify the functions. Another
+benefit from this is that we can also simplify the xskq_nb_free and
+xskq_nb_avail functions in a later commit.
+
+Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/1576759171-28550-3-git-send-email-magnus.karlsson@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xdp/xsk_queue.h | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/net/xdp/xsk_queue.h b/net/xdp/xsk_queue.h
+index eddae4688862..ee3f8c857dd8 100644
+--- a/net/xdp/xsk_queue.h
++++ b/net/xdp/xsk_queue.h
+@@ -363,12 +363,15 @@ static inline void xskq_produce_flush_desc(struct xsk_queue *q)
+
+ static inline bool xskq_full_desc(struct xsk_queue *q)
+ {
+- return xskq_nb_avail(q, q->nentries) == q->nentries;
++ /* No barriers needed since data is not accessed */
++ return READ_ONCE(q->ring->producer) - READ_ONCE(q->ring->consumer) ==
++ q->nentries;
+ }
+
+ static inline bool xskq_empty_desc(struct xsk_queue *q)
+ {
+- return xskq_nb_free(q, q->prod_tail, q->nentries) == q->nentries;
++ /* No barriers needed since data is not accessed */
++ return READ_ONCE(q->ring->consumer) == READ_ONCE(q->ring->producer);
+ }
+
+ void xskq_set_umem(struct xsk_queue *q, u64 size, u64 chunk_mask);
+--
+2.30.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
