--- /dev/null
+From 5c6d00b706d258d9b8cd0484fc6d30fb4b3fedb6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Jul 2021 12:23:41 +0800
+Subject: ALSA: usb-audio: fix incorrect clock source setting
+
+From: chihhao.chen <chihhao.chen@mediatek.com>
+
+[ Upstream commit 4511781f95da0a3b2bad34f3f5e3967e80cd2d18 ]
+
+The following scenario describes an echo test for
+Samsung USBC Headset (AKG) with VID/PID (0x04e8/0xa051).
+
+We first start a capture stream(USB IN transfer) in 96Khz/24bit/1ch mode.
+In clock find source function, we get value 0x2 for clock selector
+and 0x1 for clock source.
+
+Kernel-4.14 behavior
+Since clock source is valid so clock selector was not set again.
+We pass through this function and start a playback stream(USB OUT transfer)
+in 48Khz/32bit/2ch mode. This time we get value 0x1 for clock selector
+and 0x1 for clock source. Finally clock id with this setting is 0x9.
+
+Kernel-5.10 behavior
+Clock selector was always set one more time even it is valid.
+When we start a playback stream, we will get 0x2 for clock selector
+and 0x1 for clock source. In this case clock id becomes 0xA.
+This is an incorrect clock source setting and results in severe noises.
+We see wrong data rate in USB IN transfer.
+(From 288 bytes/ms becomes 144 bytes/ms) It should keep in 288 bytes/ms.
+
+This earphone works fine on older kernel version load because
+this is a newly-added behavior.
+
+Fixes: d2e8f641257d ("ALSA: usb-audio: Explicitly set up the clock selector")
+Signed-off-by: chihhao.chen <chihhao.chen@mediatek.com>
+Link: https://lore.kernel.org/r/1627100621-19225-1-git-send-email-chihhao.chen@mediatek.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/clock.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/sound/usb/clock.c b/sound/usb/clock.c
+index 863ac42076e5..d1455fb2c6fc 100644
+--- a/sound/usb/clock.c
++++ b/sound/usb/clock.c
+@@ -296,6 +296,12 @@ static int __uac_clock_find_source(struct snd_usb_audio *chip,
+ selector->baCSourceID[ret - 1],
+ visited, validate);
+ if (ret > 0) {
++ /*
++ * For Samsung USBC Headset (AKG), setting clock selector again
++ * will result in incorrect default clock setting problems
++ */
++ if (chip->usb_id == USB_ID(0x04e8, 0xa051))
++ return ret;
+ err = uac_clock_selector_set_val(chip, entity_id, cur);
+ if (err < 0)
+ return err;
+--
+2.30.2
+
--- /dev/null
+From 6f40d83f045e1af50ea90438aa41b62fda69793c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jul 2021 23:21:07 +0300
+Subject: ARM: dts: colibri-imx6ull: limit SDIO clock to 25MHz
+
+From: Oleksandr Suvorov <oleksandr.suvorov@toradex.com>
+
+[ Upstream commit 828db68f4ff1ab6982a36a56522b585160dc8c8e ]
+
+NXP and AzureWave don't recommend using SDIO bus mode 3.3V@50MHz due
+to noise affecting the wireless throughput. Colibri iMX6ULL uses only
+3.3V signaling for Wi-Fi module AW-CM276NF.
+
+Limit the SDIO Clock on Colibri iMX6ULL to 25MHz.
+
+Fixes: c2e4987e0e02 ("ARM: dts: imx6ull: add Toradex Colibri iMX6ULL support")
+Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@toradex.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6ull-colibri-wifi.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/boot/dts/imx6ull-colibri-wifi.dtsi b/arch/arm/boot/dts/imx6ull-colibri-wifi.dtsi
+index 038d8c90f6df..621396884c31 100644
+--- a/arch/arm/boot/dts/imx6ull-colibri-wifi.dtsi
++++ b/arch/arm/boot/dts/imx6ull-colibri-wifi.dtsi
+@@ -43,6 +43,7 @@
+ assigned-clock-rates = <0>, <198000000>;
+ cap-power-off-card;
+ keep-power-in-suspend;
++ max-frequency = <25000000>;
+ mmc-pwrseq = <&wifi_pwrseq>;
+ no-1-8-v;
+ non-removable;
+--
+2.30.2
+
--- /dev/null
+From be424f62f7207c910cb49369f1b5302af43b71a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jun 2021 20:52:38 +0800
+Subject: ARM: imx: add missing iounmap()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit f9613aa07f16d6042e74208d1b40a6104d72964a ]
+
+Commit e76bdfd7403a ("ARM: imx: Added perf functionality to mmdc driver")
+introduced imx_mmdc_remove(), the mmdc_base need be unmapped in it if
+config PERF_EVENTS is enabled.
+
+If imx_mmdc_perf_init() fails, the mmdc_base also need be unmapped.
+
+Fixes: e76bdfd7403a ("ARM: imx: Added perf functionality to mmdc driver")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Dong Aisheng <aisheng.dong@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-imx/mmdc.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-imx/mmdc.c b/arch/arm/mach-imx/mmdc.c
+index 04b3bf71de94..1d340fda5e4f 100644
+--- a/arch/arm/mach-imx/mmdc.c
++++ b/arch/arm/mach-imx/mmdc.c
+@@ -472,6 +472,7 @@ static int imx_mmdc_remove(struct platform_device *pdev)
+
+ cpuhp_state_remove_instance_nocalls(cpuhp_mmdc_state, &pmu_mmdc->node);
+ perf_pmu_unregister(&pmu_mmdc->pmu);
++ iounmap(pmu_mmdc->mmdc_base);
+ kfree(pmu_mmdc);
+ return 0;
+ }
+@@ -564,7 +565,11 @@ static int imx_mmdc_probe(struct platform_device *pdev)
+ val &= ~(1 << BP_MMDC_MAPSR_PSD);
+ writel_relaxed(val, reg);
+
+- return imx_mmdc_perf_init(pdev, mmdc_base);
++ err = imx_mmdc_perf_init(pdev, mmdc_base);
++ if (err)
++ iounmap(mmdc_base);
++
++ return err;
+ }
+
+ int imx_mmdc_get_ddr_type(void)
+--
+2.30.2
+
--- /dev/null
+From a552e49ba777dd123731f207143a35070914bbdf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Aug 2021 20:46:45 +0800
+Subject: blk-iolatency: error out if blk_get_queue() failed in
+ iolatency_set_limit()
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 8d75d0eff6887bcac7225e12b9c75595e523d92d ]
+
+If queue is dying while iolatency_set_limit() is in progress,
+blk_get_queue() won't increment the refcount of the queue. However,
+blk_put_queue() will still decrement the refcount later, which will
+cause the refcout to be unbalanced.
+
+Thus error out in such case to fix the problem.
+
+Fixes: 8c772a9bfc7c ("blk-iolatency: fix IO hang due to negative inflight counter")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Link: https://lore.kernel.org/r/20210805124645.543797-1-yukuai3@huawei.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-iolatency.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/block/blk-iolatency.c b/block/blk-iolatency.c
+index 0529e94a20f7..019cf002ecee 100644
+--- a/block/blk-iolatency.c
++++ b/block/blk-iolatency.c
+@@ -800,7 +800,11 @@ static ssize_t iolatency_set_limit(struct kernfs_open_file *of, char *buf,
+
+ enable = iolatency_set_min_lat_nsec(blkg, lat_val);
+ if (enable) {
+- WARN_ON_ONCE(!blk_get_queue(blkg->q));
++ if (!blk_get_queue(blkg->q)) {
++ ret = -ENODEV;
++ goto out;
++ }
++
+ blkg_get(blkg);
+ }
+
+--
+2.30.2
+
--- /dev/null
+From eaaec873d8d6bc53873c391db59b0a3c40fad3ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Aug 2021 19:26:56 +0900
+Subject: Bluetooth: defer cleanup of resources in hci_unregister_dev()
+
+From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+
+[ Upstream commit e04480920d1eec9c061841399aa6f35b6f987d8b ]
+
+syzbot is hitting might_sleep() warning at hci_sock_dev_event() due to
+calling lock_sock() with rw spinlock held [1].
+
+It seems that history of this locking problem is a trial and error.
+
+Commit b40df5743ee8 ("[PATCH] bluetooth: fix socket locking in
+hci_sock_dev_event()") in 2.6.21-rc4 changed bh_lock_sock() to
+lock_sock() as an attempt to fix lockdep warning.
+
+Then, commit 4ce61d1c7a8e ("[BLUETOOTH]: Fix locking in
+hci_sock_dev_event().") in 2.6.22-rc2 changed lock_sock() to
+local_bh_disable() + bh_lock_sock_nested() as an attempt to fix the
+sleep in atomic context warning.
+
+Then, commit 4b5dd696f81b ("Bluetooth: Remove local_bh_disable() from
+hci_sock.c") in 3.3-rc1 removed local_bh_disable().
+
+Then, commit e305509e678b ("Bluetooth: use correct lock to prevent UAF
+of hdev object") in 5.13-rc5 again changed bh_lock_sock_nested() to
+lock_sock() as an attempt to fix CVE-2021-3573.
+
+This difficulty comes from current implementation that
+hci_sock_dev_event(HCI_DEV_UNREG) is responsible for dropping all
+references from sockets because hci_unregister_dev() immediately
+reclaims resources as soon as returning from
+hci_sock_dev_event(HCI_DEV_UNREG).
+
+But the history suggests that hci_sock_dev_event(HCI_DEV_UNREG) was not
+doing what it should do.
+
+Therefore, instead of trying to detach sockets from device, let's accept
+not detaching sockets from device at hci_sock_dev_event(HCI_DEV_UNREG),
+by moving actual cleanup of resources from hci_unregister_dev() to
+hci_cleanup_dev() which is called by bt_host_release() when all
+references to this unregistered device (which is a kobject) are gone.
+
+Since hci_sock_dev_event(HCI_DEV_UNREG) no longer resets
+hci_pi(sk)->hdev, we need to check whether this device was unregistered
+and return an error based on HCI_UNREGISTER flag. There might be subtle
+behavioral difference in "monitor the hdev" functionality; please report
+if you found something went wrong due to this patch.
+
+Link: https://syzkaller.appspot.com/bug?extid=a5df189917e79d5e59c9 [1]
+Reported-by: syzbot <syzbot+a5df189917e79d5e59c9@syzkaller.appspotmail.com>
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Fixes: e305509e678b ("Bluetooth: use correct lock to prevent UAF of hdev object")
+Acked-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/hci_core.h | 1 +
+ net/bluetooth/hci_core.c | 16 +++++------
+ net/bluetooth/hci_sock.c | 49 +++++++++++++++++++++-----------
+ net/bluetooth/hci_sysfs.c | 3 ++
+ 4 files changed, 45 insertions(+), 24 deletions(-)
+
+diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
+index 6a61faf0cc79..75d892dc7796 100644
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -1042,6 +1042,7 @@ struct hci_dev *hci_alloc_dev(void);
+ void hci_free_dev(struct hci_dev *hdev);
+ int hci_register_dev(struct hci_dev *hdev);
+ void hci_unregister_dev(struct hci_dev *hdev);
++void hci_cleanup_dev(struct hci_dev *hdev);
+ int hci_suspend_dev(struct hci_dev *hdev);
+ int hci_resume_dev(struct hci_dev *hdev);
+ int hci_reset_dev(struct hci_dev *hdev);
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index 219cdbb476fb..7a85f215da45 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -3261,14 +3261,10 @@ EXPORT_SYMBOL(hci_register_dev);
+ /* Unregister HCI device */
+ void hci_unregister_dev(struct hci_dev *hdev)
+ {
+- int id;
+-
+ BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
+
+ hci_dev_set_flag(hdev, HCI_UNREGISTER);
+
+- id = hdev->id;
+-
+ write_lock(&hci_dev_list_lock);
+ list_del(&hdev->list);
+ write_unlock(&hci_dev_list_lock);
+@@ -3297,7 +3293,14 @@ void hci_unregister_dev(struct hci_dev *hdev)
+ }
+
+ device_del(&hdev->dev);
++ /* Actual cleanup is deferred until hci_cleanup_dev(). */
++ hci_dev_put(hdev);
++}
++EXPORT_SYMBOL(hci_unregister_dev);
+
++/* Cleanup HCI device */
++void hci_cleanup_dev(struct hci_dev *hdev)
++{
+ debugfs_remove_recursive(hdev->debugfs);
+ kfree_const(hdev->hw_info);
+ kfree_const(hdev->fw_info);
+@@ -3320,11 +3323,8 @@ void hci_unregister_dev(struct hci_dev *hdev)
+ hci_discovery_filter_clear(hdev);
+ hci_dev_unlock(hdev);
+
+- hci_dev_put(hdev);
+-
+- ida_simple_remove(&hci_index_ida, id);
++ ida_simple_remove(&hci_index_ida, hdev->id);
+ }
+-EXPORT_SYMBOL(hci_unregister_dev);
+
+ /* Suspend HCI device */
+ int hci_suspend_dev(struct hci_dev *hdev)
+diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
+index 06156de24c50..3ba0c6df73ce 100644
+--- a/net/bluetooth/hci_sock.c
++++ b/net/bluetooth/hci_sock.c
+@@ -59,6 +59,17 @@ struct hci_pinfo {
+ char comm[TASK_COMM_LEN];
+ };
+
++static struct hci_dev *hci_hdev_from_sock(struct sock *sk)
++{
++ struct hci_dev *hdev = hci_pi(sk)->hdev;
++
++ if (!hdev)
++ return ERR_PTR(-EBADFD);
++ if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
++ return ERR_PTR(-EPIPE);
++ return hdev;
++}
++
+ void hci_sock_set_flag(struct sock *sk, int nr)
+ {
+ set_bit(nr, &hci_pi(sk)->flags);
+@@ -752,19 +763,13 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event)
+ if (event == HCI_DEV_UNREG) {
+ struct sock *sk;
+
+- /* Detach sockets from device */
++ /* Wake up sockets using this dead device */
+ read_lock(&hci_sk_list.lock);
+ sk_for_each(sk, &hci_sk_list.head) {
+- lock_sock(sk);
+ if (hci_pi(sk)->hdev == hdev) {
+- hci_pi(sk)->hdev = NULL;
+ sk->sk_err = EPIPE;
+- sk->sk_state = BT_OPEN;
+ sk->sk_state_change(sk);
+-
+- hci_dev_put(hdev);
+ }
+- release_sock(sk);
+ }
+ read_unlock(&hci_sk_list.lock);
+ }
+@@ -923,10 +928,10 @@ static int hci_sock_blacklist_del(struct hci_dev *hdev, void __user *arg)
+ static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd,
+ unsigned long arg)
+ {
+- struct hci_dev *hdev = hci_pi(sk)->hdev;
++ struct hci_dev *hdev = hci_hdev_from_sock(sk);
+
+- if (!hdev)
+- return -EBADFD;
++ if (IS_ERR(hdev))
++ return PTR_ERR(hdev);
+
+ if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
+ return -EBUSY;
+@@ -1080,6 +1085,18 @@ static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,
+
+ lock_sock(sk);
+
++ /* Allow detaching from dead device and attaching to alive device, if
++ * the caller wants to re-bind (instead of close) this socket in
++ * response to hci_sock_dev_event(HCI_DEV_UNREG) notification.
++ */
++ hdev = hci_pi(sk)->hdev;
++ if (hdev && hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
++ hci_pi(sk)->hdev = NULL;
++ sk->sk_state = BT_OPEN;
++ hci_dev_put(hdev);
++ }
++ hdev = NULL;
++
+ if (sk->sk_state == BT_BOUND) {
+ err = -EALREADY;
+ goto done;
+@@ -1356,9 +1373,9 @@ static int hci_sock_getname(struct socket *sock, struct sockaddr *addr,
+
+ lock_sock(sk);
+
+- hdev = hci_pi(sk)->hdev;
+- if (!hdev) {
+- err = -EBADFD;
++ hdev = hci_hdev_from_sock(sk);
++ if (IS_ERR(hdev)) {
++ err = PTR_ERR(hdev);
+ goto done;
+ }
+
+@@ -1718,9 +1735,9 @@ static int hci_sock_sendmsg(struct socket *sock, struct msghdr *msg,
+ goto done;
+ }
+
+- hdev = hci_pi(sk)->hdev;
+- if (!hdev) {
+- err = -EBADFD;
++ hdev = hci_hdev_from_sock(sk);
++ if (IS_ERR(hdev)) {
++ err = PTR_ERR(hdev);
+ goto done;
+ }
+
+diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
+index 9874844a95a9..b69d88b88d2e 100644
+--- a/net/bluetooth/hci_sysfs.c
++++ b/net/bluetooth/hci_sysfs.c
+@@ -83,6 +83,9 @@ void hci_conn_del_sysfs(struct hci_conn *conn)
+ static void bt_host_release(struct device *dev)
+ {
+ struct hci_dev *hdev = to_hci_dev(dev);
++
++ if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
++ hci_cleanup_dev(hdev);
+ kfree(hdev);
+ module_put(THIS_MODULE);
+ }
+--
+2.30.2
+
--- /dev/null
+From d41ba8acce2580e4bcb426e6cc7dfe25ea1b6345 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Aug 2021 13:38:26 +0300
+Subject: bnx2x: fix an error code in bnx2x_nic_load()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit fb653827c758725b149b5c924a5eb50ab4812750 ]
+
+Set the error code if bnx2x_alloc_fw_stats_mem() fails. The current
+code returns success.
+
+Fixes: ad5afc89365e ("bnx2x: Separate VF and PF logic")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+index cf01e73d1bcc..2610acf9ac36 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+@@ -2668,7 +2668,8 @@ int bnx2x_nic_load(struct bnx2x *bp, int load_mode)
+ }
+
+ /* Allocated memory for FW statistics */
+- if (bnx2x_alloc_fw_stats_mem(bp))
++ rc = bnx2x_alloc_fw_stats_mem(bp);
++ if (rc)
+ LOAD_ERROR_EXIT(bp, load_error0);
+
+ /* request pf to initialize status blocks */
+--
+2.30.2
+
--- /dev/null
+From 8273e5b308889361d94a93cf0c9fd4d0b29e1930 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Jul 2021 18:07:25 +0200
+Subject: clk: stm32f4: fix post divisor setup for I2S/SAI PLLs
+
+From: Dario Binacchi <dariobin@libero.it>
+
+[ Upstream commit 24b5b1978cd5a80db58e2a19db2f9c36fe8d4f7a ]
+
+Enabling the framebuffer leads to a system hang. Running, as a debug
+hack, the store_pan() function in drivers/video/fbdev/core/fbsysfs.c
+without taking the console_lock, allows to see the crash backtrace on
+the serial line.
+
+~ # echo 0 0 > /sys/class/graphics/fb0/pan
+
+[ 9.719414] Unhandled exception: IPSR = 00000005 LR = fffffff1
+[ 9.726937] CPU: 0 PID: 49 Comm: sh Not tainted 5.13.0-rc5 #9
+[ 9.733008] Hardware name: STM32 (Device Tree Support)
+[ 9.738296] PC is at clk_gate_is_enabled+0x0/0x28
+[ 9.743426] LR is at stm32f4_pll_div_set_rate+0xf/0x38
+[ 9.748857] pc : [<0011e4be>] lr : [<0011f9e3>] psr: 0100000b
+[ 9.755373] sp : 00bc7be0 ip : 00000000 fp : 001f3ac4
+[ 9.760812] r10: 002610d0 r9 : 01efe920 r8 : 00540560
+[ 9.766269] r7 : 02e7ddb0 r6 : 0173eed8 r5 : 00000000 r4 : 004027c0
+[ 9.773081] r3 : 0011e4bf r2 : 02e7ddb0 r1 : 0173eed8 r0 : 1d3267b8
+[ 9.779911] xPSR: 0100000b
+[ 9.782719] CPU: 0 PID: 49 Comm: sh Not tainted 5.13.0-rc5 #9
+[ 9.788791] Hardware name: STM32 (Device Tree Support)
+[ 9.794120] [<0000afa1>] (unwind_backtrace) from [<0000a33f>] (show_stack+0xb/0xc)
+[ 9.802421] [<0000a33f>] (show_stack) from [<0000a8df>] (__invalid_entry+0x4b/0x4c)
+
+The `pll_num' field in the post_div_data configuration contained a wrong
+value which also referenced an uninitialized hardware clock when
+clk_register_pll_div() was called.
+
+Fixes: 517633ef630e ("clk: stm32f4: Add post divisor for I2S & SAI PLLs")
+Signed-off-by: Dario Binacchi <dariobin@libero.it>
+Reviewed-by: Gabriel Fernandez <gabriel.fernandez@st.com>
+Link: https://lore.kernel.org/r/20210725160725.10788-1-dariobin@libero.it
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clk-stm32f4.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/clk/clk-stm32f4.c b/drivers/clk/clk-stm32f4.c
+index 294850bdc195..61de486dec41 100644
+--- a/drivers/clk/clk-stm32f4.c
++++ b/drivers/clk/clk-stm32f4.c
+@@ -454,7 +454,7 @@ struct stm32f4_pll {
+
+ struct stm32f4_pll_post_div_data {
+ int idx;
+- u8 pll_num;
++ int pll_idx;
+ const char *name;
+ const char *parent;
+ u8 flag;
+@@ -485,13 +485,13 @@ static const struct clk_div_table post_divr_table[] = {
+
+ #define MAX_POST_DIV 3
+ static const struct stm32f4_pll_post_div_data post_div_data[MAX_POST_DIV] = {
+- { CLK_I2SQ_PDIV, PLL_I2S, "plli2s-q-div", "plli2s-q",
++ { CLK_I2SQ_PDIV, PLL_VCO_I2S, "plli2s-q-div", "plli2s-q",
+ CLK_SET_RATE_PARENT, STM32F4_RCC_DCKCFGR, 0, 5, 0, NULL},
+
+- { CLK_SAIQ_PDIV, PLL_SAI, "pllsai-q-div", "pllsai-q",
++ { CLK_SAIQ_PDIV, PLL_VCO_SAI, "pllsai-q-div", "pllsai-q",
+ CLK_SET_RATE_PARENT, STM32F4_RCC_DCKCFGR, 8, 5, 0, NULL },
+
+- { NO_IDX, PLL_SAI, "pllsai-r-div", "pllsai-r", CLK_SET_RATE_PARENT,
++ { NO_IDX, PLL_VCO_SAI, "pllsai-r-div", "pllsai-r", CLK_SET_RATE_PARENT,
+ STM32F4_RCC_DCKCFGR, 16, 2, 0, post_divr_table },
+ };
+
+@@ -1499,7 +1499,7 @@ static void __init stm32f4_rcc_init(struct device_node *np)
+ post_div->width,
+ post_div->flag_div,
+ post_div->div_table,
+- clks[post_div->pll_num],
++ clks[post_div->pll_idx],
+ &stm32f4_clk_lock);
+
+ if (post_div->idx != NO_IDX)
+--
+2.30.2
+
--- /dev/null
+From ed185dea8d48f642bb4c675d5e04de0861319cd0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Jun 2021 09:58:23 +0200
+Subject: media: videobuf2-core: dequeue if start_streaming fails
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit c592b46907adbeb81243f7eb7a468c36692658b8 ]
+
+If a vb2_queue sets q->min_buffers_needed then when the number of
+queued buffers reaches q->min_buffers_needed, vb2_core_qbuf() will call
+the start_streaming() callback. If start_streaming() returns an error,
+then that error was just returned by vb2_core_qbuf(), but the buffer
+was still queued. However, userspace expects that if VIDIOC_QBUF fails,
+the buffer is returned dequeued.
+
+So if start_streaming() fails, then remove the buffer from the queue,
+thus avoiding this unwanted side-effect.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Tested-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
+Fixes: b3379c6201bb ("[media] vb2: only call start_streaming if sufficient buffers are queued")
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/common/videobuf2/videobuf2-core.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/common/videobuf2/videobuf2-core.c b/drivers/media/common/videobuf2/videobuf2-core.c
+index 93d250db0b6f..50015a2ea5ce 100644
+--- a/drivers/media/common/videobuf2/videobuf2-core.c
++++ b/drivers/media/common/videobuf2/videobuf2-core.c
+@@ -1391,6 +1391,7 @@ static int vb2_start_streaming(struct vb2_queue *q)
+ int vb2_core_qbuf(struct vb2_queue *q, unsigned int index, void *pb)
+ {
+ struct vb2_buffer *vb;
++ enum vb2_buffer_state orig_state;
+ int ret;
+
+ if (q->error) {
+@@ -1420,6 +1421,7 @@ int vb2_core_qbuf(struct vb2_queue *q, unsigned int index, void *pb)
+ * Add to the queued buffers list, a buffer will stay on it until
+ * dequeued in dqbuf.
+ */
++ orig_state = vb->state;
+ list_add_tail(&vb->queued_entry, &q->queued_list);
+ q->queued_count++;
+ q->waiting_for_buffers = false;
+@@ -1450,8 +1452,17 @@ int vb2_core_qbuf(struct vb2_queue *q, unsigned int index, void *pb)
+ if (q->streaming && !q->start_streaming_called &&
+ q->queued_count >= q->min_buffers_needed) {
+ ret = vb2_start_streaming(q);
+- if (ret)
++ if (ret) {
++ /*
++ * Since vb2_core_qbuf will return with an error,
++ * we should return it to state DEQUEUED since
++ * the error indicates that the buffer wasn't queued.
++ */
++ list_del(&vb->queued_entry);
++ q->queued_count--;
++ vb->state = orig_state;
+ return ret;
++ }
+ }
+
+ dprintk(2, "qbuf of buffer %d succeeded\n", vb->index);
+--
+2.30.2
+
--- /dev/null
+From 287f1bd5608fe28aa753147d319f84944e8dcd6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jul 2021 10:57:10 +0200
+Subject: mips: Fix non-POSIX regexp
+
+From: H. Nikolaus Schaller <hns@goldelico.com>
+
+[ Upstream commit 28bbbb9875a35975904e46f9b06fa689d051b290 ]
+
+When cross compiling a MIPS kernel on a BSD based HOSTCC leads
+to errors like
+
+ SYNC include/config/auto.conf.cmd - due to: .config
+egrep: empty (sub)expression
+ UPD include/config/kernel.release
+ HOSTCC scripts/dtc/dtc.o - due to target missing
+
+It turns out that egrep uses this egrep pattern:
+
+ (|MINOR_|PATCHLEVEL_)
+
+This is not valid syntax or gives undefined results according
+to POSIX 9.5.3 ERE Grammar
+
+ https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap09.html
+
+It seems to be silently accepted by the Linux egrep implementation
+while a BSD host complains.
+
+Such patterns can be replaced by a transformation like
+
+ "(|p1|p2)" -> "(p1|p2)?"
+
+Fixes: 48c35b2d245f ("[MIPS] There is no __GNUC_MAJOR__")
+Signed-off-by: H. Nikolaus Schaller <hns@goldelico.com>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/mips/Makefile b/arch/mips/Makefile
+index 63e2ad43bd6a..8f4e169cde11 100644
+--- a/arch/mips/Makefile
++++ b/arch/mips/Makefile
+@@ -325,7 +325,7 @@ KBUILD_LDFLAGS += -m $(ld-emul)
+
+ ifdef CONFIG_MIPS
+ CHECKFLAGS += $(shell $(CC) $(KBUILD_CFLAGS) -dM -E -x c /dev/null | \
+- egrep -vw '__GNUC_(|MINOR_|PATCHLEVEL_)_' | \
++ egrep -vw '__GNUC_(MINOR_|PATCHLEVEL_)?_' | \
+ sed -e "s/^\#define /-D'/" -e "s/ /'='/" -e "s/$$/'/" -e 's/\$$/&&/g')
+ endif
+
+--
+2.30.2
+
--- /dev/null
+From 23871cdd950b634c5fa87417d5026ab666fad362 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Aug 2021 18:51:51 +0300
+Subject: net: fec: fix use-after-free in fec_drv_remove
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit 44712965bf12ae1758cec4de53816ed4b914ca1a ]
+
+Smatch says:
+ drivers/net/ethernet/freescale/fec_main.c:3994 fec_drv_remove() error: Using fep after free_{netdev,candev}(ndev);
+ drivers/net/ethernet/freescale/fec_main.c:3995 fec_drv_remove() error: Using fep after free_{netdev,candev}(ndev);
+
+Since fep pointer is netdev private data, accessing it after free_netdev()
+call can cause use-after-free bug. Fix it by moving free_netdev() call at
+the end of the function
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Fixes: a31eda65ba21 ("net: fec: fix clock count mis-match")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Reviewed-by: Joakim Zhang <qiangqing.zhang@nxp.com>
+Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index 6b9eada1feb2..3fc823e9cdc9 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -3733,13 +3733,13 @@ fec_drv_remove(struct platform_device *pdev)
+ if (of_phy_is_fixed_link(np))
+ of_phy_deregister_fixed_link(np);
+ of_node_put(fep->phy_node);
+- free_netdev(ndev);
+
+ clk_disable_unprepare(fep->clk_ahb);
+ clk_disable_unprepare(fep->clk_ipg);
+ pm_runtime_put_noidle(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
+
++ free_netdev(ndev);
+ return 0;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 2056759d4bddf0a3e3ca05cf82f92a3717ed2aaa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Aug 2021 12:00:16 +0200
+Subject: net: ipv6: fix returned variable type in ip6_skb_dst_mtu
+
+From: Antoine Tenart <atenart@kernel.org>
+
+[ Upstream commit 4039146777a91e1576da2bf38e0d8a1061a1ae47 ]
+
+The patch fixing the returned value of ip6_skb_dst_mtu (int -> unsigned
+int) was rebased between its initial review and the version applied. In
+the meantime fade56410c22 was applied, which added a new variable (int)
+used as the returned value. This lead to a mismatch between the function
+prototype and the variable used as the return value.
+
+Fixes: 40fc3054b458 ("net: ipv6: fix return value of ip6_skb_dst_mtu")
+Cc: Vadim Fedorenko <vfedorenko@novek.ru>
+Signed-off-by: Antoine Tenart <atenart@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/ip6_route.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/ip6_route.h b/include/net/ip6_route.h
+index a8f5410ae0d4..f237573a2651 100644
+--- a/include/net/ip6_route.h
++++ b/include/net/ip6_route.h
+@@ -243,7 +243,7 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
+
+ static inline unsigned int ip6_skb_dst_mtu(struct sk_buff *skb)
+ {
+- int mtu;
++ unsigned int mtu;
+
+ struct ipv6_pinfo *np = skb->sk && !dev_recursion_level() ?
+ inet6_sk(skb->sk) : NULL;
+--
+2.30.2
+
--- /dev/null
+From 35cf53b325b9f232f9dbfeee618191bd09227a15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 31 Jul 2021 14:38:01 +0800
+Subject: net: natsemi: Fix missing pci_disable_device() in probe and remove
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit 7fe74dfd41c428afb24e2e615470832fa997ff14 ]
+
+Replace pci_enable_device() with pcim_enable_device(),
+pci_disable_device() and pci_release_regions() will be
+called in release automatically.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/natsemi/natsemi.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/natsemi/natsemi.c b/drivers/net/ethernet/natsemi/natsemi.c
+index b9a1a9f999ea..039d5dd98dfe 100644
+--- a/drivers/net/ethernet/natsemi/natsemi.c
++++ b/drivers/net/ethernet/natsemi/natsemi.c
+@@ -819,7 +819,7 @@ static int natsemi_probe1(struct pci_dev *pdev, const struct pci_device_id *ent)
+ printk(version);
+ #endif
+
+- i = pci_enable_device(pdev);
++ i = pcim_enable_device(pdev);
+ if (i) return i;
+
+ /* natsemi has a non-standard PM control register
+@@ -852,7 +852,7 @@ static int natsemi_probe1(struct pci_dev *pdev, const struct pci_device_id *ent)
+ ioaddr = ioremap(iostart, iosize);
+ if (!ioaddr) {
+ i = -ENOMEM;
+- goto err_ioremap;
++ goto err_pci_request_regions;
+ }
+
+ /* Work around the dropped serial bit. */
+@@ -974,9 +974,6 @@ static int natsemi_probe1(struct pci_dev *pdev, const struct pci_device_id *ent)
+ err_register_netdev:
+ iounmap(ioaddr);
+
+- err_ioremap:
+- pci_release_regions(pdev);
+-
+ err_pci_request_regions:
+ free_netdev(dev);
+ return i;
+@@ -3242,7 +3239,6 @@ static void natsemi_remove1(struct pci_dev *pdev)
+
+ NATSEMI_REMOVE_FILE(pdev, dspcfg_workaround);
+ unregister_netdev (dev);
+- pci_release_regions (pdev);
+ iounmap(ioaddr);
+ free_netdev (dev);
+ }
+--
+2.30.2
+
--- /dev/null
+From f68c15373f2e4707044b1f4f54c90007cfea4240 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Aug 2021 17:30:05 +0300
+Subject: net: pegasus: fix uninit-value in get_interrupt_interval
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit af35fc37354cda3c9c8cc4961b1d24bdc9d27903 ]
+
+Syzbot reported uninit value pegasus_probe(). The problem was in missing
+error handling.
+
+get_interrupt_interval() internally calls read_eprom_word() which can
+fail in some cases. For example: failed to receive usb control message.
+These cases should be handled to prevent uninit value bug, since
+read_eprom_word() will not initialize passed stack variable in case of
+internal failure.
+
+Fail log:
+
+BUG: KMSAN: uninit-value in get_interrupt_interval drivers/net/usb/pegasus.c:746 [inline]
+BUG: KMSAN: uninit-value in pegasus_probe+0x10e7/0x4080 drivers/net/usb/pegasus.c:1152
+CPU: 1 PID: 825 Comm: kworker/1:1 Not tainted 5.12.0-rc6-syzkaller #0
+...
+Workqueue: usb_hub_wq hub_event
+Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x24c/0x2e0 lib/dump_stack.c:120
+ kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118
+ __msan_warning+0x5c/0xa0 mm/kmsan/kmsan_instr.c:197
+ get_interrupt_interval drivers/net/usb/pegasus.c:746 [inline]
+ pegasus_probe+0x10e7/0x4080 drivers/net/usb/pegasus.c:1152
+....
+
+Local variable ----data.i@pegasus_probe created at:
+ get_interrupt_interval drivers/net/usb/pegasus.c:1151 [inline]
+ pegasus_probe+0xe57/0x4080 drivers/net/usb/pegasus.c:1152
+ get_interrupt_interval drivers/net/usb/pegasus.c:1151 [inline]
+ pegasus_probe+0xe57/0x4080 drivers/net/usb/pegasus.c:1152
+
+Reported-and-tested-by: syzbot+02c9f70f3afae308464a@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Link: https://lore.kernel.org/r/20210804143005.439-1-paskripkin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/pegasus.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c
+index b7a0df95d4b0..9f1777e56d7d 100644
+--- a/drivers/net/usb/pegasus.c
++++ b/drivers/net/usb/pegasus.c
+@@ -750,12 +750,16 @@ static inline void disable_net_traffic(pegasus_t *pegasus)
+ set_registers(pegasus, EthCtrl0, sizeof(tmp), &tmp);
+ }
+
+-static inline void get_interrupt_interval(pegasus_t *pegasus)
++static inline int get_interrupt_interval(pegasus_t *pegasus)
+ {
+ u16 data;
+ u8 interval;
++ int ret;
++
++ ret = read_eprom_word(pegasus, 4, &data);
++ if (ret < 0)
++ return ret;
+
+- read_eprom_word(pegasus, 4, &data);
+ interval = data >> 8;
+ if (pegasus->usb->speed != USB_SPEED_HIGH) {
+ if (interval < 0x80) {
+@@ -770,6 +774,8 @@ static inline void get_interrupt_interval(pegasus_t *pegasus)
+ }
+ }
+ pegasus->intr_interval = interval;
++
++ return 0;
+ }
+
+ static void set_carrier(struct net_device *net)
+@@ -1188,7 +1194,9 @@ static int pegasus_probe(struct usb_interface *intf,
+ | NETIF_MSG_PROBE | NETIF_MSG_LINK);
+
+ pegasus->features = usb_dev_id[dev_index].private;
+- get_interrupt_interval(pegasus);
++ res = get_interrupt_interval(pegasus);
++ if (res)
++ goto out2;
+ if (reset_mac(pegasus)) {
+ dev_err(&intf->dev, "can't reset MAC\n");
+ res = -EIO;
+--
+2.30.2
+
--- /dev/null
+From e5625cde413fb8f9bdec9267020ced66080b9909 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Aug 2021 18:52:20 +0300
+Subject: net: vxge: fix use-after-free in vxge_device_unregister
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit 942e560a3d3862dd5dee1411dbdd7097d29b8416 ]
+
+Smatch says:
+drivers/net/ethernet/neterion/vxge/vxge-main.c:3518 vxge_device_unregister() error: Using vdev after free_{netdev,candev}(dev);
+drivers/net/ethernet/neterion/vxge/vxge-main.c:3518 vxge_device_unregister() error: Using vdev after free_{netdev,candev}(dev);
+drivers/net/ethernet/neterion/vxge/vxge-main.c:3520 vxge_device_unregister() error: Using vdev after free_{netdev,candev}(dev);
+drivers/net/ethernet/neterion/vxge/vxge-main.c:3520 vxge_device_unregister() error: Using vdev after free_{netdev,candev}(dev);
+
+Since vdev pointer is netdev private data accessing it after free_netdev()
+call can cause use-after-free bug. Fix it by moving free_netdev() call at
+the end of the function
+
+Fixes: 6cca200362b4 ("vxge: cleanup probe error paths")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/neterion/vxge/vxge-main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/neterion/vxge/vxge-main.c b/drivers/net/ethernet/neterion/vxge/vxge-main.c
+index 5ae3fa82909f..0766288e2f38 100644
+--- a/drivers/net/ethernet/neterion/vxge/vxge-main.c
++++ b/drivers/net/ethernet/neterion/vxge/vxge-main.c
+@@ -3529,13 +3529,13 @@ static void vxge_device_unregister(struct __vxge_hw_device *hldev)
+
+ kfree(vdev->vpaths);
+
+- /* we are safe to free it now */
+- free_netdev(dev);
+-
+ vxge_debug_init(vdev->level_trace, "%s: ethernet device unregistered",
+ buf);
+ vxge_debug_entryexit(vdev->level_trace, "%s: %s:%d Exiting...", buf,
+ __func__, __LINE__);
++
++ /* we are safe to free it now */
++ free_netdev(dev);
+ }
+
+ /*
+--
+2.30.2
+
--- /dev/null
+From ab82ff8ca9cc4a3283652c737b117d38b191eb4f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Aug 2021 12:39:11 +0200
+Subject: nfp: update ethtool reporting of pauseframe control
+
+From: Fei Qin <fei.qin@corigine.com>
+
+[ Upstream commit 9fdc5d85a8fe684cdf24dc31c6bc4a727decfe87 ]
+
+Pauseframe control is set to symmetric mode by default on the NFP.
+Pause frames can not be configured through ethtool now, but ethtool can
+report the supported mode.
+
+Fixes: 265aeb511bd5 ("nfp: add support for .get_link_ksettings()")
+Signed-off-by: Fei Qin <fei.qin@corigine.com>
+Signed-off-by: Louis Peens <louis.peens@corigine.com>
+Signed-off-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
+index 9043d2cadd5d..2e75d0af4a58 100644
+--- a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
+@@ -292,6 +292,8 @@ nfp_net_get_link_ksettings(struct net_device *netdev,
+
+ /* Init to unknowns */
+ ethtool_link_ksettings_add_link_mode(cmd, supported, FIBRE);
++ ethtool_link_ksettings_add_link_mode(cmd, supported, Pause);
++ ethtool_link_ksettings_add_link_mode(cmd, advertising, Pause);
+ cmd->base.port = PORT_OTHER;
+ cmd->base.speed = SPEED_UNKNOWN;
+ cmd->base.duplex = DUPLEX_UNKNOWN;
+--
+2.30.2
+
--- /dev/null
+From b46a4e1f987950c42b69552d9036f50884d2dd17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Jul 2021 16:00:22 +0200
+Subject: omap5-board-common: remove not physically existing vdds_1v8_main
+ fixed-regulator
+
+From: H. Nikolaus Schaller <hns@goldelico.com>
+
+[ Upstream commit c68ef4ad180e09805fa46965d15e1dfadf09ffa5 ]
+
+This device tree include file describes a fixed-regulator
+connecting smps7_reg output (1.8V) to some 1.8V rail and
+consumers (vdds_1v8_main).
+
+This regulator does not physically exist.
+
+I assume it was introduced as a wrapper around smps7_reg
+to provide a speaking signal name "vdds_1v8_main" as label.
+
+This fixed-regulator without real function was not an issue
+in driver code until
+
+ Commit 98e48cd9283d ("regulator: core: resolve supply for boot-on/always-on regulators")
+
+introduced a new check for regulator initialization which
+makes Palmas regulator registration fail:
+
+[ 5.407712] ldo1: supplied by vsys_cobra
+[ 5.412748] ldo2: supplied by vsys_cobra
+[ 5.417603] palmas-pmic 48070000.i2c:palmas@48:palmas_pmic: failed to register 48070000.i2c:palmas@48:palmas_pmic regulator
+
+The reason is that the supply-chain of regulators is too
+long and goes from ldo3 through the virtual vdds_1v8_main
+regulator and then back to smps7. This adds a cross-dependency
+of probing Palmas regulators and the fixed-regulator which
+leads to probe deferral by the new check and is no longer
+resolved.
+
+Since we do not control what device tree files including this
+one reference (either &vdds_1v8_main or &smps7_reg or both)
+we keep both labels for smps7 for compatibility.
+
+Fixes: 98e48cd9283d ("regulator: core: resolve supply for boot-on/always-on regulators")
+Signed-off-by: H. Nikolaus Schaller <hns@goldelico.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/omap5-board-common.dtsi | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/arch/arm/boot/dts/omap5-board-common.dtsi b/arch/arm/boot/dts/omap5-board-common.dtsi
+index 61a06f6add3c..d1cb9ba080b2 100644
+--- a/arch/arm/boot/dts/omap5-board-common.dtsi
++++ b/arch/arm/boot/dts/omap5-board-common.dtsi
+@@ -33,14 +33,6 @@
+ regulator-max-microvolt = <5000000>;
+ };
+
+- vdds_1v8_main: fixedregulator-vdds_1v8_main {
+- compatible = "regulator-fixed";
+- regulator-name = "vdds_1v8_main";
+- vin-supply = <&smps7_reg>;
+- regulator-min-microvolt = <1800000>;
+- regulator-max-microvolt = <1800000>;
+- };
+-
+ vmmcsd_fixed: fixedregulator-mmcsd {
+ compatible = "regulator-fixed";
+ regulator-name = "vmmcsd_fixed";
+@@ -490,6 +482,7 @@
+ regulator-boot-on;
+ };
+
++ vdds_1v8_main:
+ smps7_reg: smps7 {
+ /* VDDS_1v8_OMAP over VDDS_1v8_MAIN */
+ regulator-name = "smps7";
+--
+2.30.2
+
--- /dev/null
+From 0a8267a656a38632488a56118cf22b774548e650 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jul 2021 19:49:13 +0800
+Subject: scsi: sr: Return correct event when media event code is 3
+
+From: Li Manyi <limanyi@uniontech.com>
+
+[ Upstream commit 5c04243a56a7977185b00400e59ca7e108004faf ]
+
+Media event code 3 is defined in the MMC-6 spec as follows:
+
+ "MediaRemoval: The media has been removed from the specified slot, and
+ the Drive is unable to access the media without user intervention. This
+ applies to media changers only."
+
+This indicated that treating the condition as an EJECT_REQUEST was
+appropriate. However, doing so had the unfortunate side-effect of causing
+the drive tray to be physically ejected on resume. Instead treat the event
+as a MEDIA_CHANGE request.
+
+Fixes: 7dd753ca59d6 ("scsi: sr: Return appropriate error code when disk is ejected")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=213759
+Link: https://lore.kernel.org/r/20210726114913.6760-1-limanyi@uniontech.com
+Signed-off-by: Li Manyi <limanyi@uniontech.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/sr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c
+index acf0c244141f..84dd776d36c3 100644
+--- a/drivers/scsi/sr.c
++++ b/drivers/scsi/sr.c
+@@ -217,7 +217,7 @@ static unsigned int sr_get_events(struct scsi_device *sdev)
+ else if (med->media_event_code == 2)
+ return DISK_EVENT_MEDIA_CHANGE;
+ else if (med->media_event_code == 3)
+- return DISK_EVENT_EJECT_REQUEST;
++ return DISK_EVENT_MEDIA_CHANGE;
+ return 0;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 35ef2452ce7e47c4eea2208d2f301f50af81fc9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Aug 2021 02:25:31 -0400
+Subject: sctp: move the active_key update after sh_keys is added
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit ae954bbc451d267f7d60d7b49db811d5a68ebd7b ]
+
+In commit 58acd1009226 ("sctp: update active_key for asoc when old key is
+being replaced"), sctp_auth_asoc_init_active_key() is called to update
+the active_key right after the old key is deleted and before the new key
+is added, and it caused that the active_key could be found with the key_id.
+
+In Ying Xu's testing, the BUG_ON in sctp_auth_asoc_init_active_key() was
+triggered:
+
+ [ ] kernel BUG at net/sctp/auth.c:416!
+ [ ] RIP: 0010:sctp_auth_asoc_init_active_key.part.8+0xe7/0xf0 [sctp]
+ [ ] Call Trace:
+ [ ] sctp_auth_set_key+0x16d/0x1b0 [sctp]
+ [ ] sctp_setsockopt.part.33+0x1ba9/0x2bd0 [sctp]
+ [ ] __sys_setsockopt+0xd6/0x1d0
+ [ ] __x64_sys_setsockopt+0x20/0x30
+ [ ] do_syscall_64+0x5b/0x1a0
+
+So fix it by moving the active_key update after sh_keys is added.
+
+Fixes: 58acd1009226 ("sctp: update active_key for asoc when old key is being replaced")
+Reported-by: Ying Xu <yinxu@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/auth.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/net/sctp/auth.c b/net/sctp/auth.c
+index b2ca66c4a21d..9e0c98df20da 100644
+--- a/net/sctp/auth.c
++++ b/net/sctp/auth.c
+@@ -880,14 +880,18 @@ int sctp_auth_set_key(struct sctp_endpoint *ep,
+ memcpy(key->data, &auth_key->sca_key[0], auth_key->sca_keylength);
+ cur_key->key = key;
+
+- if (replace) {
+- list_del_init(&shkey->key_list);
+- sctp_auth_shkey_release(shkey);
+- if (asoc && asoc->active_key_id == auth_key->sca_keynumber)
+- sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL);
++ if (!replace) {
++ list_add(&cur_key->key_list, sh_keys);
++ return 0;
+ }
++
++ list_del_init(&shkey->key_list);
++ sctp_auth_shkey_release(shkey);
+ list_add(&cur_key->key_list, sh_keys);
+
++ if (asoc && asoc->active_key_id == auth_key->sca_keynumber)
++ sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL);
++
+ return 0;
+ }
+
+--
+2.30.2
+
--- /dev/null
+arm-imx-add-missing-iounmap.patch
+arm-dts-colibri-imx6ull-limit-sdio-clock-to-25mhz.patch
+alsa-usb-audio-fix-incorrect-clock-source-setting.patch
+clk-stm32f4-fix-post-divisor-setup-for-i2s-sai-plls.patch
+omap5-board-common-remove-not-physically-existing-vd.patch
+scsi-sr-return-correct-event-when-media-event-code-i.patch
+media-videobuf2-core-dequeue-if-start_streaming-fail.patch
+net-natsemi-fix-missing-pci_disable_device-in-probe-.patch
+sctp-move-the-active_key-update-after-sh_keys-is-add.patch
+nfp-update-ethtool-reporting-of-pauseframe-control.patch
+net-ipv6-fix-returned-variable-type-in-ip6_skb_dst_m.patch
+mips-fix-non-posix-regexp.patch
+bnx2x-fix-an-error-code-in-bnx2x_nic_load.patch
+net-pegasus-fix-uninit-value-in-get_interrupt_interv.patch
+net-fec-fix-use-after-free-in-fec_drv_remove.patch
+net-vxge-fix-use-after-free-in-vxge_device_unregiste.patch
+blk-iolatency-error-out-if-blk_get_queue-failed-in-i.patch
+bluetooth-defer-cleanup-of-resources-in-hci_unregist.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
