--- /dev/null
+From 8536a5ef886005bc443c2da9b842d69fd3d7647f Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ardb@kernel.org>
+Date: Wed, 15 Dec 2021 09:31:36 +0100
+Subject: ARM: 9169/1: entry: fix Thumb2 bug in iWMMXt exception handling
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+commit 8536a5ef886005bc443c2da9b842d69fd3d7647f upstream.
+
+The Thumb2 version of the FP exception handling entry code treats the
+register holding the CP number (R8) differently, resulting in the iWMMXT
+CP number check to be incorrect.
+
+Fix this by unifying the ARM and Thumb2 code paths, and switch the
+order of the additions of the TI_USED_CP offset and the shifted CP
+index.
+
+Cc: <stable@vger.kernel.org>
+Fixes: b86040a59feb ("Thumb-2: Implementation of the unified start-up and exceptions code")
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/kernel/entry-armv.S | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/arch/arm/kernel/entry-armv.S
++++ b/arch/arm/kernel/entry-armv.S
+@@ -597,11 +597,9 @@ call_fpe:
+ tstne r0, #0x04000000 @ bit 26 set on both ARM and Thumb-2
+ reteq lr
+ and r8, r0, #0x00000f00 @ mask out CP number
+- THUMB( lsr r8, r8, #8 )
+ mov r7, #1
+- add r6, r10, #TI_USED_CP
+- ARM( strb r7, [r6, r8, lsr #8] ) @ set appropriate used_cp[]
+- THUMB( strb r7, [r6, r8] ) @ set appropriate used_cp[]
++ add r6, r10, r8, lsr #8 @ add used_cp[] array offset first
++ strb r7, [r6, #TI_USED_CP] @ set appropriate used_cp[]
+ #ifdef CONFIG_IWMMXT
+ @ Test if we need to give access to iWMMXt coprocessors
+ ldr r5, [r10, #TI_FLAGS]
+@@ -610,7 +608,7 @@ call_fpe:
+ bcs iwmmxt_task_enable
+ #endif
+ ARM( add pc, pc, r8, lsr #6 )
+- THUMB( lsl r8, r8, #2 )
++ THUMB( lsr r8, r8, #6 )
+ THUMB( add pc, r8 )
+ nop
+
--- /dev/null
+From 5598b24efaf4892741c798b425d543e4bed357a1 Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Sun, 12 Dec 2021 17:16:30 +0800
+Subject: f2fs: fix to do sanity check on last xattr entry in __f2fs_setxattr()
+
+From: Chao Yu <chao@kernel.org>
+
+commit 5598b24efaf4892741c798b425d543e4bed357a1 upstream.
+
+As Wenqing Liu reported in bugzilla:
+
+https://bugzilla.kernel.org/show_bug.cgi?id=215235
+
+- Overview
+page fault in f2fs_setxattr() when mount and operate on corrupted image
+
+- Reproduce
+tested on kernel 5.16-rc3, 5.15.X under root
+
+1. unzip tmp7.zip
+2. ./single.sh f2fs 7
+
+Sometimes need to run the script several times
+
+- Kernel dump
+loop0: detected capacity change from 0 to 131072
+F2FS-fs (loop0): Found nat_bits in checkpoint
+F2FS-fs (loop0): Mounted with checkpoint version = 7548c2ee
+BUG: unable to handle page fault for address: ffffe47bc7123f48
+RIP: 0010:kfree+0x66/0x320
+Call Trace:
+ __f2fs_setxattr+0x2aa/0xc00 [f2fs]
+ f2fs_setxattr+0xfa/0x480 [f2fs]
+ __f2fs_set_acl+0x19b/0x330 [f2fs]
+ __vfs_removexattr+0x52/0x70
+ __vfs_removexattr_locked+0xb1/0x140
+ vfs_removexattr+0x56/0x100
+ removexattr+0x57/0x80
+ path_removexattr+0xa3/0xc0
+ __x64_sys_removexattr+0x17/0x20
+ do_syscall_64+0x37/0xb0
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+The root cause is in __f2fs_setxattr(), we missed to do sanity check on
+last xattr entry, result in out-of-bound memory access during updating
+inconsistent xattr data of target inode.
+
+After the fix, it can detect such xattr inconsistency as below:
+
+F2FS-fs (loop11): inode (7) has invalid last xattr entry, entry_size: 60676
+F2FS-fs (loop11): inode (8) has corrupted xattr
+F2FS-fs (loop11): inode (8) has corrupted xattr
+F2FS-fs (loop11): inode (8) has invalid last xattr entry, entry_size: 47736
+
+Cc: stable@vger.kernel.org
+Reported-by: Wenqing Liu <wenqingliu0120@gmail.com>
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/xattr.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/fs/f2fs/xattr.c
++++ b/fs/f2fs/xattr.c
+@@ -684,8 +684,17 @@ static int __f2fs_setxattr(struct inode
+ }
+
+ last = here;
+- while (!IS_XATTR_LAST_ENTRY(last))
++ while (!IS_XATTR_LAST_ENTRY(last)) {
++ if ((void *)(last) + sizeof(__u32) > last_base_addr ||
++ (void *)XATTR_NEXT_ENTRY(last) > last_base_addr) {
++ f2fs_err(F2FS_I_SB(inode), "inode (%lu) has invalid last xattr entry, entry_size: %zu",
++ inode->i_ino, ENTRY_SIZE(last));
++ set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_FSCK);
++ error = -EFSCORRUPTED;
++ goto exit;
++ }
+ last = XATTR_NEXT_ENTRY(last);
++ }
+
+ newsize = XATTR_ALIGN(sizeof(struct f2fs_xattr_entry) + len + size);
+
--- /dev/null
+From 9a5875f14b0e3a13ae314883f1bb72b7f31fac07 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Noralf=20Tr=C3=B8nnes?= <noralf@tronnes.org>
+Date: Mon, 18 Oct 2021 13:22:01 +0200
+Subject: gpio: dln2: Fix interrupts when replugging the device
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Noralf Trønnes <noralf@tronnes.org>
+
+commit 9a5875f14b0e3a13ae314883f1bb72b7f31fac07 upstream.
+
+When replugging the device the following message shows up:
+
+gpio gpiochip2: (dln2): detected irqchip that is shared with multiple gpiochips: please fix the driver.
+
+This also has the effect that interrupts won't work.
+The same problem would also show up if multiple devices where plugged in.
+
+Fix this by allocating the irq_chip data structure per instance like other
+drivers do.
+
+I don't know when this problem appeared, but it is present in 5.10.
+
+Cc: <stable@vger.kernel.org> # 5.10+
+Cc: Daniel Baluta <daniel.baluta@gmail.com>
+Signed-off-by: Noralf Trønnes <noralf@tronnes.org>
+Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-dln2.c | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+--- a/drivers/gpio/gpio-dln2.c
++++ b/drivers/gpio/gpio-dln2.c
+@@ -46,6 +46,7 @@
+ struct dln2_gpio {
+ struct platform_device *pdev;
+ struct gpio_chip gpio;
++ struct irq_chip irqchip;
+
+ /*
+ * Cache pin direction to save us one transfer, since the hardware has
+@@ -383,15 +384,6 @@ static void dln2_irq_bus_unlock(struct i
+ mutex_unlock(&dln2->irq_lock);
+ }
+
+-static struct irq_chip dln2_gpio_irqchip = {
+- .name = "dln2-irq",
+- .irq_mask = dln2_irq_mask,
+- .irq_unmask = dln2_irq_unmask,
+- .irq_set_type = dln2_irq_set_type,
+- .irq_bus_lock = dln2_irq_bus_lock,
+- .irq_bus_sync_unlock = dln2_irq_bus_unlock,
+-};
+-
+ static void dln2_gpio_event(struct platform_device *pdev, u16 echo,
+ const void *data, int len)
+ {
+@@ -473,8 +465,15 @@ static int dln2_gpio_probe(struct platfo
+ dln2->gpio.direction_output = dln2_gpio_direction_output;
+ dln2->gpio.set_config = dln2_gpio_set_config;
+
++ dln2->irqchip.name = "dln2-irq",
++ dln2->irqchip.irq_mask = dln2_irq_mask,
++ dln2->irqchip.irq_unmask = dln2_irq_unmask,
++ dln2->irqchip.irq_set_type = dln2_irq_set_type,
++ dln2->irqchip.irq_bus_lock = dln2_irq_bus_lock,
++ dln2->irqchip.irq_bus_sync_unlock = dln2_irq_bus_unlock,
++
+ girq = &dln2->gpio.irq;
+- girq->chip = &dln2_gpio_irqchip;
++ girq->chip = &dln2->irqchip;
+ /* The event comes from the outside so no parent handler */
+ girq->parent_handler = NULL;
+ girq->num_parents = 0;
--- /dev/null
+From 83912d6d55be10d65b5268d1871168b9ebe1ec4b Mon Sep 17 00:00:00 2001
+From: Marcos Del Sol Vives <marcos@orca.pet>
+Date: Thu, 16 Dec 2021 11:37:22 +0100
+Subject: ksmbd: disable SMB2_GLOBAL_CAP_ENCRYPTION for SMB 3.1.1
+
+From: Marcos Del Sol Vives <marcos@orca.pet>
+
+commit 83912d6d55be10d65b5268d1871168b9ebe1ec4b upstream.
+
+According to the official Microsoft MS-SMB2 document section 3.3.5.4, this
+flag should be used only for 3.0 and 3.0.2 dialects. Setting it for 3.1.1
+is a violation of the specification.
+
+This causes my Windows 10 client to detect an anomaly in the negotiation,
+and disable encryption entirely despite being explicitly enabled in ksmbd,
+causing all data transfers to go in plain text.
+
+Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
+Cc: stable@vger.kernel.org # v5.15
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Marcos Del Sol Vives <marcos@orca.pet>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ksmbd/smb2ops.c | 3 ---
+ fs/ksmbd/smb2pdu.c | 25 +++++++++++++++++++++----
+ 2 files changed, 21 insertions(+), 7 deletions(-)
+
+--- a/fs/ksmbd/smb2ops.c
++++ b/fs/ksmbd/smb2ops.c
+@@ -272,9 +272,6 @@ int init_smb3_11_server(struct ksmbd_con
+ if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_LEASES)
+ conn->vals->capabilities |= SMB2_GLOBAL_CAP_LEASING;
+
+- if (conn->cipher_type)
+- conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
+-
+ if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL)
+ conn->vals->capabilities |= SMB2_GLOBAL_CAP_MULTI_CHANNEL;
+
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -917,6 +917,25 @@ static void decode_encrypt_ctxt(struct k
+ }
+ }
+
++/**
++ * smb3_encryption_negotiated() - checks if server and client agreed on enabling encryption
++ * @conn: smb connection
++ *
++ * Return: true if connection should be encrypted, else false
++ */
++static bool smb3_encryption_negotiated(struct ksmbd_conn *conn)
++{
++ if (!conn->ops->generate_encryptionkey)
++ return false;
++
++ /*
++ * SMB 3.0 and 3.0.2 dialects use the SMB2_GLOBAL_CAP_ENCRYPTION flag.
++ * SMB 3.1.1 uses the cipher_type field.
++ */
++ return (conn->vals->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION) ||
++ conn->cipher_type;
++}
++
+ static void decode_compress_ctxt(struct ksmbd_conn *conn,
+ struct smb2_compression_ctx *pneg_ctxt)
+ {
+@@ -1471,8 +1490,7 @@ static int ntlm_authenticate(struct ksmb
+ (req->SecurityMode & SMB2_NEGOTIATE_SIGNING_REQUIRED))
+ sess->sign = true;
+
+- if (conn->vals->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION &&
+- conn->ops->generate_encryptionkey &&
++ if (smb3_encryption_negotiated(conn) &&
+ !(req->Flags & SMB2_SESSION_REQ_FLAG_BINDING)) {
+ rc = conn->ops->generate_encryptionkey(sess);
+ if (rc) {
+@@ -1562,8 +1580,7 @@ static int krb5_authenticate(struct ksmb
+ (req->SecurityMode & SMB2_NEGOTIATE_SIGNING_REQUIRED))
+ sess->sign = true;
+
+- if ((conn->vals->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION) &&
+- conn->ops->generate_encryptionkey) {
++ if (smb3_encryption_negotiated(conn)) {
+ retval = conn->ops->generate_encryptionkey(sess);
+ if (retval) {
+ ksmbd_debug(SMB,
--- /dev/null
+From ef399469d9ceb9f2171cdd79863f9434b9fa3edc Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 30 Nov 2021 15:50:47 +0300
+Subject: ksmbd: fix error code in ndr_read_int32()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit ef399469d9ceb9f2171cdd79863f9434b9fa3edc upstream.
+
+This is a failure path and it should return -EINVAL instead of success.
+Otherwise it could result in the caller using uninitialized memory.
+
+Fixes: 303fff2b8c77 ("ksmbd: add validation for ndr read/write functions")
+Cc: stable@vger.kernel.org # v5.15
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ksmbd/ndr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ksmbd/ndr.c
++++ b/fs/ksmbd/ndr.c
+@@ -148,7 +148,7 @@ static int ndr_read_int16(struct ndr *n,
+ static int ndr_read_int32(struct ndr *n, __u32 *value)
+ {
+ if (n->offset + sizeof(__u32) > n->length)
+- return 0;
++ return -EINVAL;
+
+ if (value)
+ *value = le32_to_cpu(*(__le32 *)ndr_get_field(n));
--- /dev/null
+From f2e78affc48dee29b989c1d9b0d89b503dcd1204 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Wed, 1 Dec 2021 10:12:39 +0900
+Subject: ksmbd: fix uninitialized symbol 'pntsd_size'
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit f2e78affc48dee29b989c1d9b0d89b503dcd1204 upstream.
+
+No check for if "rc" is an error code for build_sec_desc().
+This can cause problems with using uninitialized pntsd_size.
+
+Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
+Cc: stable@vger.kernel.org # v5.15
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ksmbd/smb2pdu.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -2964,6 +2964,10 @@ int smb2_open(struct ksmbd_work *work)
+ &pntsd_size, &fattr);
+ posix_acl_release(fattr.cf_acls);
+ posix_acl_release(fattr.cf_dacls);
++ if (rc) {
++ kfree(pntsd);
++ goto err_out;
++ }
+
+ rc = ksmbd_vfs_set_sd_xattr(conn,
+ user_ns,
--- /dev/null
+From 87a270625a89fc841f1a7e21aae6176543d8385c Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Mon, 20 Dec 2021 10:22:40 +0100
+Subject: mac80211: fix locking in ieee80211_start_ap error path
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 87a270625a89fc841f1a7e21aae6176543d8385c upstream.
+
+We need to hold the local->mtx to release the channel context,
+as even encoded by the lockdep_assert_held() there. Fix it.
+
+Cc: stable@vger.kernel.org
+Fixes: 295b02c4be74 ("mac80211: Add FILS discovery support")
+Reported-and-tested-by: syzbot+11c342e5e30e9539cabd@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20211220090836.cee3d59a1915.I36bba9b79dc2ff4d57c3c7aa30dff9a003fe8c5c@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/cfg.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1226,7 +1226,10 @@ static int ieee80211_start_ap(struct wip
+ return 0;
+
+ error:
++ mutex_lock(&local->mtx);
+ ieee80211_vif_release_channel(sdata);
++ mutex_unlock(&local->mtx);
++
+ return err;
+ }
+
--- /dev/null
+From 34796417964b8d0aef45a99cf6c2d20cebe33733 Mon Sep 17 00:00:00 2001
+From: SeongJae Park <sj@kernel.org>
+Date: Fri, 24 Dec 2021 21:12:54 -0800
+Subject: mm/damon/dbgfs: protect targets destructions with kdamond_lock
+
+From: SeongJae Park <sj@kernel.org>
+
+commit 34796417964b8d0aef45a99cf6c2d20cebe33733 upstream.
+
+DAMON debugfs interface iterates current monitoring targets in
+'dbgfs_target_ids_read()' while holding the corresponding
+'kdamond_lock'. However, it also destructs the monitoring targets in
+'dbgfs_before_terminate()' without holding the lock. This can result in
+a use_after_free bug. This commit avoids the race by protecting the
+destruction with the corresponding 'kdamond_lock'.
+
+Link: https://lkml.kernel.org/r/20211221094447.2241-1-sj@kernel.org
+Reported-by: Sangwoo Bae <sangwoob@amazon.com>
+Fixes: 4bc05954d007 ("mm/damon: implement a debugfs-based user space interface")
+Signed-off-by: SeongJae Park <sj@kernel.org>
+Cc: <stable@vger.kernel.org> [5.15.x]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/damon/dbgfs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/damon/dbgfs.c
++++ b/mm/damon/dbgfs.c
+@@ -309,10 +309,12 @@ static int dbgfs_before_terminate(struct
+ if (!targetid_is_pid(ctx))
+ return 0;
+
++ mutex_lock(&ctx->kdamond_lock);
+ damon_for_each_target_safe(t, next, ctx) {
+ put_pid((struct pid *)t->id);
+ damon_destroy_target(t);
+ }
++ mutex_unlock(&ctx->kdamond_lock);
+ return 0;
+ }
+
--- /dev/null
+From 2a57d83c78f889bf3f54eede908d0643c40d5418 Mon Sep 17 00:00:00 2001
+From: Liu Shixin <liushixin2@huawei.com>
+Date: Fri, 24 Dec 2021 21:12:58 -0800
+Subject: mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page()
+
+From: Liu Shixin <liushixin2@huawei.com>
+
+commit 2a57d83c78f889bf3f54eede908d0643c40d5418 upstream.
+
+Hulk Robot reported a panic in put_page_testzero() when testing
+madvise() with MADV_SOFT_OFFLINE. The BUG() is triggered when retrying
+get_any_page(). This is because we keep MF_COUNT_INCREASED flag in
+second try but the refcnt is not increased.
+
+ page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0)
+ ------------[ cut here ]------------
+ kernel BUG at include/linux/mm.h:737!
+ invalid opcode: 0000 [#1] PREEMPT SMP
+ CPU: 5 PID: 2135 Comm: sshd Tainted: G B 5.16.0-rc6-dirty #373
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
+ RIP: release_pages+0x53f/0x840
+ Call Trace:
+ free_pages_and_swap_cache+0x64/0x80
+ tlb_flush_mmu+0x6f/0x220
+ unmap_page_range+0xe6c/0x12c0
+ unmap_single_vma+0x90/0x170
+ unmap_vmas+0xc4/0x180
+ exit_mmap+0xde/0x3a0
+ mmput+0xa3/0x250
+ do_exit+0x564/0x1470
+ do_group_exit+0x3b/0x100
+ __do_sys_exit_group+0x13/0x20
+ __x64_sys_exit_group+0x16/0x20
+ do_syscall_64+0x34/0x80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+ Modules linked in:
+ ---[ end trace e99579b570fe0649 ]---
+ RIP: 0010:release_pages+0x53f/0x840
+
+Link: https://lkml.kernel.org/r/20211221074908.3910286-1-liushixin2@huawei.com
+Fixes: b94e02822deb ("mm,hwpoison: try to narrow window race for free pages")
+Signed-off-by: Liu Shixin <liushixin2@huawei.com>
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Reviewed-by: Oscar Salvador <osalvador@suse.de>
+Acked-by: Naoya Horiguchi <naoya.horiguchi@nec.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/memory-failure.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/mm/memory-failure.c
++++ b/mm/memory-failure.c
+@@ -2201,6 +2201,7 @@ retry:
+ } else if (ret == 0) {
+ if (soft_offline_free_page(page) && try_again) {
+ try_again = false;
++ flags &= ~MF_COUNT_INCREASED;
+ goto retry;
+ }
+ }
--- /dev/null
+From e37e7b0b3bd52ec4f8ab71b027bcec08f57f1b3b Mon Sep 17 00:00:00 2001
+From: Naoya Horiguchi <naoya.horiguchi@nec.com>
+Date: Fri, 24 Dec 2021 21:12:45 -0800
+Subject: mm, hwpoison: fix condition in free hugetlb page path
+
+From: Naoya Horiguchi <naoya.horiguchi@nec.com>
+
+commit e37e7b0b3bd52ec4f8ab71b027bcec08f57f1b3b upstream.
+
+When a memory error hits a tail page of a free hugepage,
+__page_handle_poison() is expected to be called to isolate the error in
+4kB unit, but it's not called due to the outdated if-condition in
+memory_failure_hugetlb(). This loses the chance to isolate the error in
+the finer unit, so it's not optimal. Drop the condition.
+
+This "(p != head && TestSetPageHWPoison(head)" condition is based on the
+old semantics of PageHWPoison on hugepage (where PG_hwpoison flag was
+set on the subpage), so it's not necessray any more. By getting to set
+PG_hwpoison on head page for hugepages, concurrent error events on
+different subpages in a single hugepage can be prevented by
+TestSetPageHWPoison(head) at the beginning of memory_failure_hugetlb().
+So dropping the condition should not reopen the race window originally
+mentioned in commit b985194c8c0a ("hwpoison, hugetlb:
+lock_page/unlock_page does not match for handling a free hugepage")
+
+[naoya.horiguchi@linux.dev: fix "HardwareCorrupted" counter]
+ Link: https://lkml.kernel.org/r/20211220084851.GA1460264@u2004
+
+Link: https://lkml.kernel.org/r/20211210110208.879740-1-naoya.horiguchi@linux.dev
+Signed-off-by: Naoya Horiguchi <naoya.horiguchi@nec.com>
+Reported-by: Fei Luo <luofei@unicloud.com>
+Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: <stable@vger.kernel.org> [5.14+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/memory-failure.c | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+--- a/mm/memory-failure.c
++++ b/mm/memory-failure.c
+@@ -1437,17 +1437,12 @@ static int memory_failure_hugetlb(unsign
+ if (!(flags & MF_COUNT_INCREASED)) {
+ res = get_hwpoison_page(p, flags);
+ if (!res) {
+- /*
+- * Check "filter hit" and "race with other subpage."
+- */
+ lock_page(head);
+- if (PageHWPoison(head)) {
+- if ((hwpoison_filter(p) && TestClearPageHWPoison(p))
+- || (p != head && TestSetPageHWPoison(head))) {
++ if (hwpoison_filter(p)) {
++ if (TestClearPageHWPoison(head))
+ num_poisoned_pages_dec();
+- unlock_page(head);
+- return 0;
+- }
++ unlock_page(head);
++ return 0;
+ }
+ unlock_page(head);
+ res = MF_FAILED;
--- /dev/null
+From 338635340669d5b317c7e8dcf4fff4a0f3651d87 Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin <arbn@yandex-team.com>
+Date: Fri, 24 Dec 2021 21:12:35 -0800
+Subject: mm: mempolicy: fix THP allocations escaping mempolicy restrictions
+
+From: Andrey Ryabinin <arbn@yandex-team.com>
+
+commit 338635340669d5b317c7e8dcf4fff4a0f3651d87 upstream.
+
+alloc_pages_vma() may try to allocate THP page on the local NUMA node
+first:
+
+ page = __alloc_pages_node(hpage_node,
+ gfp | __GFP_THISNODE | __GFP_NORETRY, order);
+
+And if the allocation fails it retries allowing remote memory:
+
+ if (!page && (gfp & __GFP_DIRECT_RECLAIM))
+ page = __alloc_pages_node(hpage_node,
+ gfp, order);
+
+However, this retry allocation completely ignores memory policy nodemask
+allowing allocation to escape restrictions.
+
+The first appearance of this bug seems to be the commit ac5b2c18911f
+("mm: thp: relax __GFP_THISNODE for MADV_HUGEPAGE mappings").
+
+The bug disappeared later in the commit 89c83fb539f9 ("mm, thp:
+consolidate THP gfp handling into alloc_hugepage_direct_gfpmask") and
+reappeared again in slightly different form in the commit 76e654cc91bb
+("mm, page_alloc: allow hugepage fallback to remote nodes when
+madvised")
+
+Fix this by passing correct nodemask to the __alloc_pages() call.
+
+The demonstration/reproducer of the problem:
+
+ $ mount -oremount,size=4G,huge=always /dev/shm/
+ $ echo always > /sys/kernel/mm/transparent_hugepage/defrag
+ $ cat mbind_thp.c
+ #include <unistd.h>
+ #include <sys/mman.h>
+ #include <sys/stat.h>
+ #include <fcntl.h>
+ #include <assert.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <numaif.h>
+
+ #define SIZE 2ULL << 30
+ int main(int argc, char **argv)
+ {
+ int fd;
+ unsigned long long i;
+ char *addr;
+ pid_t pid;
+ char buf[100];
+ unsigned long nodemask = 1;
+
+ fd = open("/dev/shm/test", O_RDWR|O_CREAT);
+ assert(fd > 0);
+ assert(ftruncate(fd, SIZE) == 0);
+
+ addr = mmap(NULL, SIZE, PROT_READ|PROT_WRITE,
+ MAP_SHARED, fd, 0);
+
+ assert(mbind(addr, SIZE, MPOL_BIND, &nodemask, 2, MPOL_MF_STRICT|MPOL_MF_MOVE)==0);
+ for (i = 0; i < SIZE; i+=4096) {
+ addr[i] = 1;
+ }
+ pid = getpid();
+ snprintf(buf, sizeof(buf), "grep shm /proc/%d/numa_maps", pid);
+ system(buf);
+ sleep(10000);
+
+ return 0;
+ }
+ $ gcc mbind_thp.c -o mbind_thp -lnuma
+ $ numactl -H
+ available: 2 nodes (0-1)
+ node 0 cpus: 0 2
+ node 0 size: 1918 MB
+ node 0 free: 1595 MB
+ node 1 cpus: 1 3
+ node 1 size: 2014 MB
+ node 1 free: 1731 MB
+ node distances:
+ node 0 1
+ 0: 10 20
+ 1: 20 10
+ $ rm -f /dev/shm/test; taskset -c 0 ./mbind_thp
+ 7fd970a00000 bind:0 file=/dev/shm/test dirty=524288 active=0 N0=396800 N1=127488 kernelpagesize_kB=4
+
+Link: https://lkml.kernel.org/r/20211208165343.22349-1-arbn@yandex-team.com
+Fixes: ac5b2c18911f ("mm: thp: relax __GFP_THISNODE for MADV_HUGEPAGE mappings")
+Signed-off-by: Andrey Ryabinin <arbn@yandex-team.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Acked-by: Mel Gorman <mgorman@techsingularity.net>
+Acked-by: David Rientjes <rientjes@google.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/mempolicy.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -2140,8 +2140,7 @@ struct page *alloc_pages_vma(gfp_t gfp,
+ * memory with both reclaim and compact as well.
+ */
+ if (!page && (gfp & __GFP_DIRECT_RECLAIM))
+- page = __alloc_pages_node(hpage_node,
+- gfp, order);
++ page = __alloc_pages(gfp, order, hpage_node, nmask);
+
+ goto out;
+ }
--- /dev/null
+From 66c915d09b942fb3b2b0cb2f56562180901fba17 Mon Sep 17 00:00:00 2001
+From: Ulf Hansson <ulf.hansson@linaro.org>
+Date: Fri, 3 Dec 2021 15:15:54 +0100
+Subject: mmc: core: Disable card detect during shutdown
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+commit 66c915d09b942fb3b2b0cb2f56562180901fba17 upstream.
+
+It's seems prone to problems by allowing card detect and its corresponding
+mmc_rescan() work to run, during platform shutdown. For example, we may end
+up turning off the power while initializing a card, which potentially could
+damage it.
+
+To avoid this scenario, let's add ->shutdown_pre() callback for the mmc host
+class device and then turn of the card detect from there.
+
+Reported-by: Al Cooper <alcooperx@gmail.com>
+Suggested-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20211203141555.105351-1-ulf.hansson@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/core.c | 7 ++++++-
+ drivers/mmc/core/core.h | 1 +
+ drivers/mmc/core/host.c | 9 +++++++++
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/core/core.c
++++ b/drivers/mmc/core/core.c
+@@ -2264,7 +2264,7 @@ void mmc_start_host(struct mmc_host *hos
+ _mmc_detect_change(host, 0, false);
+ }
+
+-void mmc_stop_host(struct mmc_host *host)
++void __mmc_stop_host(struct mmc_host *host)
+ {
+ if (host->slot.cd_irq >= 0) {
+ mmc_gpio_set_cd_wake(host, false);
+@@ -2273,6 +2273,11 @@ void mmc_stop_host(struct mmc_host *host
+
+ host->rescan_disable = 1;
+ cancel_delayed_work_sync(&host->detect);
++}
++
++void mmc_stop_host(struct mmc_host *host)
++{
++ __mmc_stop_host(host);
+
+ /* clear pm flags now and let card drivers set them as needed */
+ host->pm_flags = 0;
+--- a/drivers/mmc/core/core.h
++++ b/drivers/mmc/core/core.h
+@@ -70,6 +70,7 @@ static inline void mmc_delay(unsigned in
+
+ void mmc_rescan(struct work_struct *work);
+ void mmc_start_host(struct mmc_host *host);
++void __mmc_stop_host(struct mmc_host *host);
+ void mmc_stop_host(struct mmc_host *host);
+
+ void _mmc_detect_change(struct mmc_host *host, unsigned long delay,
+--- a/drivers/mmc/core/host.c
++++ b/drivers/mmc/core/host.c
+@@ -80,9 +80,18 @@ static void mmc_host_classdev_release(st
+ kfree(host);
+ }
+
++static int mmc_host_classdev_shutdown(struct device *dev)
++{
++ struct mmc_host *host = cls_dev_to_mmc_host(dev);
++
++ __mmc_stop_host(host);
++ return 0;
++}
++
+ static struct class mmc_host_class = {
+ .name = "mmc_host",
+ .dev_release = mmc_host_classdev_release,
++ .shutdown_pre = mmc_host_classdev_shutdown,
+ .pm = MMC_HOST_CLASS_DEV_PM_OPS,
+ };
+
--- /dev/null
+From f89b548ca66be7500dcd92ee8e61590f7d08ac91 Mon Sep 17 00:00:00 2001
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Date: Sun, 19 Dec 2021 16:34:41 +0100
+Subject: mmc: meson-mx-sdhc: Set MANUAL_STOP for multi-block SDIO commands
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+commit f89b548ca66be7500dcd92ee8e61590f7d08ac91 upstream.
+
+The vendor driver implements special handling for multi-block
+SD_IO_RW_EXTENDED (and SD_IO_RW_DIRECT) commands which have data
+attached to them. It sets the MANUAL_STOP bit in the MESON_SDHC_MISC
+register for these commands. In all other cases this bit is cleared.
+Here we omit SD_IO_RW_DIRECT since that command never has any data
+attached to it.
+
+This fixes SDIO wifi using the brcmfmac driver which reported the
+following error without this change on a Netxeon S82 board using a
+Meson8 (S802) SoC:
+ brcmf_fw_alloc_request: using brcm/brcmfmac43362-sdio for chip
+ BCM43362/1
+ brcmf_sdiod_ramrw: membytes transfer failed
+ brcmf_sdio_download_code_file: error -110 on writing 219557 membytes
+ at 0x00000000
+ brcmf_sdio_download_firmware: dongle image file download failed
+
+And with this change:
+ brcmf_fw_alloc_request: using brcm/brcmfmac43362-sdio for chip
+ BCM43362/1
+ brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may
+ have limited channels available
+ brcmf_c_preinit_dcmds: Firmware: BCM43362/1 wl0: Apr 22 2013 14:50:00
+ version 5.90.195.89.6 FWID 01-b30a427d
+
+Fixes: e4bf1b0970ef96 ("mmc: host: meson-mx-sdhc: new driver for the Amlogic Meson SDHC host")
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20211219153442.463863-2-martin.blumenstingl@googlemail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/meson-mx-sdhc-mmc.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/mmc/host/meson-mx-sdhc-mmc.c
++++ b/drivers/mmc/host/meson-mx-sdhc-mmc.c
+@@ -135,6 +135,7 @@ static void meson_mx_sdhc_start_cmd(stru
+ struct mmc_command *cmd)
+ {
+ struct meson_mx_sdhc_host *host = mmc_priv(mmc);
++ bool manual_stop = false;
+ u32 ictl, send;
+ int pack_len;
+
+@@ -172,12 +173,27 @@ static void meson_mx_sdhc_start_cmd(stru
+ else
+ /* software flush: */
+ ictl |= MESON_SDHC_ICTL_DATA_XFER_OK;
++
++ /*
++ * Mimic the logic from the vendor driver where (only)
++ * SD_IO_RW_EXTENDED commands with more than one block set the
++ * MESON_SDHC_MISC_MANUAL_STOP bit. This fixes the firmware
++ * download in the brcmfmac driver for a BCM43362/1 card.
++ * Without this sdio_memcpy_toio() (with a size of 219557
++ * bytes) times out if MESON_SDHC_MISC_MANUAL_STOP is not set.
++ */
++ manual_stop = cmd->data->blocks > 1 &&
++ cmd->opcode == SD_IO_RW_EXTENDED;
+ } else {
+ pack_len = 0;
+
+ ictl |= MESON_SDHC_ICTL_RESP_OK;
+ }
+
++ regmap_update_bits(host->regmap, MESON_SDHC_MISC,
++ MESON_SDHC_MISC_MANUAL_STOP,
++ manual_stop ? MESON_SDHC_MISC_MANUAL_STOP : 0);
++
+ if (cmd->opcode == MMC_STOP_TRANSMISSION)
+ send |= MESON_SDHC_SEND_DATA_STOP;
+
--- /dev/null
+From ff31ee0a0f471776f67be5e5275c18d17736fc6b Mon Sep 17 00:00:00 2001
+From: Yann Gautier <yann.gautier@foss.st.com>
+Date: Wed, 15 Dec 2021 15:17:26 +0100
+Subject: mmc: mmci: stm32: clear DLYB_CR after sending tuning command
+
+From: Yann Gautier <yann.gautier@foss.st.com>
+
+commit ff31ee0a0f471776f67be5e5275c18d17736fc6b upstream.
+
+During test campaign, and especially after several unbind/bind sequences,
+it has been seen that the SD-card on SDMMC1 thread could freeze.
+The freeze always appear on a CMD23 following a CMD19.
+Checking SDMMC internal registers shows that the tuning command (CMD19)
+has failed.
+The freeze is then due to the delay block involved in the tuning sequence.
+To correct this, clear the delay block register DLYB_CR register after
+the tuning commands.
+
+Signed-off-by: Christophe Kerello <christophe.kerello@foss.st.com>
+Signed-off-by: Yann Gautier <yann.gautier@foss.st.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Fixes: 1103f807a3b9 ("mmc: mmci_sdmmc: Add execute tuning with delay block")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20211215141727.4901-4-yann.gautier@foss.st.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/mmci_stm32_sdmmc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mmc/host/mmci_stm32_sdmmc.c
++++ b/drivers/mmc/host/mmci_stm32_sdmmc.c
+@@ -441,6 +441,8 @@ static int sdmmc_dlyb_phase_tuning(struc
+ return -EINVAL;
+ }
+
++ writel_relaxed(0, dlyb->base + DLYB_CR);
++
+ phase = end_of_len - max_len / 2;
+ sdmmc_dlyb_set_cfgr(dlyb, dlyb->unit, phase, false);
+
--- /dev/null
+From 4fc7261dbab139d3c64c3b618262504e16cfe7ee Mon Sep 17 00:00:00 2001
+From: Prathamesh Shete <pshete@nvidia.com>
+Date: Tue, 14 Dec 2021 17:06:53 +0530
+Subject: mmc: sdhci-tegra: Fix switch to HS400ES mode
+
+From: Prathamesh Shete <pshete@nvidia.com>
+
+commit 4fc7261dbab139d3c64c3b618262504e16cfe7ee upstream.
+
+When CMD13 is sent after switching to HS400ES mode, the bus
+is operating at either MMC_HIGH_26_MAX_DTR or MMC_HIGH_52_MAX_DTR.
+To meet Tegra SDHCI requirement at HS400ES mode, force SDHCI
+interface clock to MMC_HS200_MAX_DTR (200 MHz) so that host
+controller CAR clock and the interface clock are rate matched.
+
+Signed-off-by: Prathamesh Shete <pshete@nvidia.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Fixes: dfc9700cef77 ("mmc: tegra: Implement HS400 enhanced strobe")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20211214113653.4631-1-pshete@nvidia.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-tegra.c | 43 ++++++++++++++++++++++++-----------------
+ 1 file changed, 26 insertions(+), 17 deletions(-)
+
+--- a/drivers/mmc/host/sdhci-tegra.c
++++ b/drivers/mmc/host/sdhci-tegra.c
+@@ -356,23 +356,6 @@ static void tegra_sdhci_set_tap(struct s
+ }
+ }
+
+-static void tegra_sdhci_hs400_enhanced_strobe(struct mmc_host *mmc,
+- struct mmc_ios *ios)
+-{
+- struct sdhci_host *host = mmc_priv(mmc);
+- u32 val;
+-
+- val = sdhci_readl(host, SDHCI_TEGRA_VENDOR_SYS_SW_CTRL);
+-
+- if (ios->enhanced_strobe)
+- val |= SDHCI_TEGRA_SYS_SW_CTRL_ENHANCED_STROBE;
+- else
+- val &= ~SDHCI_TEGRA_SYS_SW_CTRL_ENHANCED_STROBE;
+-
+- sdhci_writel(host, val, SDHCI_TEGRA_VENDOR_SYS_SW_CTRL);
+-
+-}
+-
+ static void tegra_sdhci_reset(struct sdhci_host *host, u8 mask)
+ {
+ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
+@@ -793,6 +776,32 @@ static void tegra_sdhci_set_clock(struct
+ }
+ }
+
++static void tegra_sdhci_hs400_enhanced_strobe(struct mmc_host *mmc,
++ struct mmc_ios *ios)
++{
++ struct sdhci_host *host = mmc_priv(mmc);
++ u32 val;
++
++ val = sdhci_readl(host, SDHCI_TEGRA_VENDOR_SYS_SW_CTRL);
++
++ if (ios->enhanced_strobe) {
++ val |= SDHCI_TEGRA_SYS_SW_CTRL_ENHANCED_STROBE;
++ /*
++ * When CMD13 is sent from mmc_select_hs400es() after
++ * switching to HS400ES mode, the bus is operating at
++ * either MMC_HIGH_26_MAX_DTR or MMC_HIGH_52_MAX_DTR.
++ * To meet Tegra SDHCI requirement at HS400ES mode, force SDHCI
++ * interface clock to MMC_HS200_MAX_DTR (200 MHz) so that host
++ * controller CAR clock and the interface clock are rate matched.
++ */
++ tegra_sdhci_set_clock(host, MMC_HS200_MAX_DTR);
++ } else {
++ val &= ~SDHCI_TEGRA_SYS_SW_CTRL_ENHANCED_STROBE;
++ }
++
++ sdhci_writel(host, val, SDHCI_TEGRA_VENDOR_SYS_SW_CTRL);
++}
++
+ static unsigned int tegra_sdhci_get_max_clock(struct sdhci_host *host)
+ {
+ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
--- /dev/null
+From 3cfef1b612e15a0c2f5b1c9d3f3f31ad72d56fcd Mon Sep 17 00:00:00 2001
+From: Jeffle Xu <jefflexu@linux.alibaba.com>
+Date: Tue, 7 Dec 2021 11:14:49 +0800
+Subject: netfs: fix parameter of cleanup()
+
+From: Jeffle Xu <jefflexu@linux.alibaba.com>
+
+commit 3cfef1b612e15a0c2f5b1c9d3f3f31ad72d56fcd upstream.
+
+The order of these two parameters is just reversed. gcc didn't warn on
+that, probably because 'void *' can be converted from or to other
+pointer types without warning.
+
+Cc: stable@vger.kernel.org
+Fixes: 3d3c95046742 ("netfs: Provide readahead and readpage netfs helpers")
+Fixes: e1b1240c1ff5 ("netfs: Add write_begin helper")
+Signed-off-by: Jeffle Xu <jefflexu@linux.alibaba.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+Link: https://lore.kernel.org/r/20211207031449.100510-1-jefflexu@linux.alibaba.com/ # v1
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/netfs/read_helper.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/netfs/read_helper.c
++++ b/fs/netfs/read_helper.c
+@@ -958,7 +958,7 @@ int netfs_readpage(struct file *file,
+ rreq = netfs_alloc_read_request(ops, netfs_priv, file);
+ if (!rreq) {
+ if (netfs_priv)
+- ops->cleanup(netfs_priv, page_file_mapping(page));
++ ops->cleanup(page_file_mapping(page), netfs_priv);
+ unlock_page(page);
+ return -ENOMEM;
+ }
+@@ -1185,7 +1185,7 @@ have_page:
+ goto error;
+ have_page_no_wait:
+ if (netfs_priv)
+- ops->cleanup(netfs_priv, mapping);
++ ops->cleanup(mapping, netfs_priv);
+ *_page = page;
+ _leave(" = 0");
+ return 0;
+@@ -1196,7 +1196,7 @@ error:
+ unlock_page(page);
+ put_page(page);
+ if (netfs_priv)
+- ops->cleanup(netfs_priv, mapping);
++ ops->cleanup(mapping, netfs_priv);
+ _leave(" = %d", ret);
+ return ret;
+ }
--- /dev/null
+From b67210cc217f9ca1c576909454d846970c13dfd4 Mon Sep 17 00:00:00 2001
+From: Fabien Dessenne <fabien.dessenne@foss.st.com>
+Date: Wed, 15 Dec 2021 10:58:08 +0100
+Subject: pinctrl: stm32: consider the GPIO offset to expose all the GPIO lines
+
+From: Fabien Dessenne <fabien.dessenne@foss.st.com>
+
+commit b67210cc217f9ca1c576909454d846970c13dfd4 upstream.
+
+Consider the GPIO controller offset (from "gpio-ranges") to compute the
+maximum GPIO line number.
+This fixes an issue where gpio-ranges uses a non-null offset.
+ e.g.: gpio-ranges = <&pinctrl 6 86 10>
+ In that case the last valid GPIO line is not 9 but 15 (6 + 10 - 1)
+
+Cc: stable@vger.kernel.org
+Fixes: 67e2996f72c7 ("pinctrl: stm32: fix the reported number of GPIO lines per bank")
+Reported-by: Christoph Fritz <chf.fritz@googlemail.com>
+Signed-off-by: Fabien Dessenne <fabien.dessenne@foss.st.com>
+Link: https://lore.kernel.org/r/20211215095808.621716-1-fabien.dessenne@foss.st.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/stm32/pinctrl-stm32.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/pinctrl/stm32/pinctrl-stm32.c
++++ b/drivers/pinctrl/stm32/pinctrl-stm32.c
+@@ -1251,10 +1251,10 @@ static int stm32_gpiolib_register_bank(s
+ bank_nr = args.args[1] / STM32_GPIO_PINS_PER_BANK;
+ bank->gpio_chip.base = args.args[1];
+
+- npins = args.args[2];
+- while (!of_parse_phandle_with_fixed_args(np, "gpio-ranges", 3,
+- ++i, &args))
+- npins += args.args[2];
++ /* get the last defined gpio line (offset + nb of pins) */
++ npins = args.args[0] + args.args[2];
++ while (!of_parse_phandle_with_fixed_args(np, "gpio-ranges", 3, ++i, &args))
++ npins = max(npins, (int)(args.args[0] + args.args[2]));
+ } else {
+ bank_nr = pctl->nbanks;
+ bank->gpio_chip.base = bank_nr * STM32_GPIO_PINS_PER_BANK;
kvm-nvmx-synthesize-triple_fault-for-l2-if-emulation-is-required.patch
kvm-vmx-always-clear-vmx-fail-on-emulation_required.patch
kvm-vmx-wake-vcpu-when-delivering-posted-irq-even-if-vcpu-this-vcpu.patch
+pinctrl-stm32-consider-the-gpio-offset-to-expose-all-the-gpio-lines.patch
+gpio-dln2-fix-interrupts-when-replugging-the-device.patch
+mmc-sdhci-tegra-fix-switch-to-hs400es-mode.patch
+mmc-meson-mx-sdhc-set-manual_stop-for-multi-block-sdio-commands.patch
+mmc-core-disable-card-detect-during-shutdown.patch
+mmc-mmci-stm32-clear-dlyb_cr-after-sending-tuning-command.patch
+arm-9169-1-entry-fix-thumb2-bug-in-iwmmxt-exception-handling.patch
+ksmbd-fix-error-code-in-ndr_read_int32.patch
+ksmbd-fix-uninitialized-symbol-pntsd_size.patch
+ksmbd-disable-smb2_global_cap_encryption-for-smb-3.1.1.patch
+mac80211-fix-locking-in-ieee80211_start_ap-error-path.patch
+mm-mempolicy-fix-thp-allocations-escaping-mempolicy-restrictions.patch
+mm-hwpoison-fix-condition-in-free-hugetlb-page-path.patch
+mm-hwpoison-clear-mf_count_increased-before-retrying-get_any_page.patch
+mm-damon-dbgfs-protect-targets-destructions-with-kdamond_lock.patch
+tee-optee-fix-incorrect-page-free-bug.patch
+f2fs-fix-to-do-sanity-check-on-last-xattr-entry-in-__f2fs_setxattr.patch
+netfs-fix-parameter-of-cleanup.patch
--- /dev/null
+From 18549bf4b21c739a9def39f27dcac53e27286ab5 Mon Sep 17 00:00:00 2001
+From: Sumit Garg <sumit.garg@linaro.org>
+Date: Thu, 16 Dec 2021 11:17:25 +0530
+Subject: tee: optee: Fix incorrect page free bug
+
+From: Sumit Garg <sumit.garg@linaro.org>
+
+commit 18549bf4b21c739a9def39f27dcac53e27286ab5 upstream.
+
+Pointer to the allocated pages (struct page *page) has already
+progressed towards the end of allocation. It is incorrect to perform
+__free_pages(page, order) using this pointer as we would free any
+arbitrary pages. Fix this by stop modifying the page pointer.
+
+Fixes: ec185dd3ab25 ("optee: Fix memory leak when failing to register shm pages")
+Cc: stable@vger.kernel.org
+Reported-by: Patrik Lantz <patrik.lantz@axis.com>
+Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
+Reviewed-by: Tyler Hicks <tyhicks@linux.microsoft.com>
+Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tee/optee/shm_pool.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/tee/optee/shm_pool.c
++++ b/drivers/tee/optee/shm_pool.c
+@@ -41,10 +41,8 @@ static int pool_op_alloc(struct tee_shm_
+ goto err;
+ }
+
+- for (i = 0; i < nr_pages; i++) {
+- pages[i] = page;
+- page++;
+- }
++ for (i = 0; i < nr_pages; i++)
++ pages[i] = page + i;
+
+ shm->flags |= TEE_SHM_REGISTER;
+ rc = optee_shm_register(shm->ctx, shm, pages, nr_pages,
projects / thirdparty / kernel / stable-queue.git / commitdiff
