--- /dev/null
+From 8536a5ef886005bc443c2da9b842d69fd3d7647f Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ardb@kernel.org>
+Date: Wed, 15 Dec 2021 09:31:36 +0100
+Subject: ARM: 9169/1: entry: fix Thumb2 bug in iWMMXt exception handling
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+commit 8536a5ef886005bc443c2da9b842d69fd3d7647f upstream.
+
+The Thumb2 version of the FP exception handling entry code treats the
+register holding the CP number (R8) differently, resulting in the iWMMXT
+CP number check to be incorrect.
+
+Fix this by unifying the ARM and Thumb2 code paths, and switch the
+order of the additions of the TI_USED_CP offset and the shifted CP
+index.
+
+Cc: <stable@vger.kernel.org>
+Fixes: b86040a59feb ("Thumb-2: Implementation of the unified start-up and exceptions code")
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/kernel/entry-armv.S | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/arch/arm/kernel/entry-armv.S
++++ b/arch/arm/kernel/entry-armv.S
+@@ -596,11 +596,9 @@ call_fpe:
+ tstne r0, #0x04000000 @ bit 26 set on both ARM and Thumb-2
+ reteq lr
+ and r8, r0, #0x00000f00 @ mask out CP number
+- THUMB( lsr r8, r8, #8 )
+ mov r7, #1
+- add r6, r10, #TI_USED_CP
+- ARM( strb r7, [r6, r8, lsr #8] ) @ set appropriate used_cp[]
+- THUMB( strb r7, [r6, r8] ) @ set appropriate used_cp[]
++ add r6, r10, r8, lsr #8 @ add used_cp[] array offset first
++ strb r7, [r6, #TI_USED_CP] @ set appropriate used_cp[]
+ #ifdef CONFIG_IWMMXT
+ @ Test if we need to give access to iWMMXt coprocessors
+ ldr r5, [r10, #TI_FLAGS]
+@@ -609,7 +607,7 @@ call_fpe:
+ bcs iwmmxt_task_enable
+ #endif
+ ARM( add pc, pc, r8, lsr #6 )
+- THUMB( lsl r8, r8, #2 )
++ THUMB( lsr r8, r8, #6 )
+ THUMB( add pc, r8 )
+ nop
+
--- /dev/null
+From fd84bfdddd169c219c3a637889a8b87f70a072c2 Mon Sep 17 00:00:00 2001
+From: Christian Brauner <christian.brauner@ubuntu.com>
+Date: Mon, 29 Nov 2021 12:16:39 +0100
+Subject: ceph: fix up non-directory creation in SGID directories
+
+From: Christian Brauner <christian.brauner@ubuntu.com>
+
+commit fd84bfdddd169c219c3a637889a8b87f70a072c2 upstream.
+
+Ceph always inherits the SGID bit if it is set on the parent inode,
+while the generic inode_init_owner does not do this in a few cases where
+it can create a possible security problem (cf. [1]).
+
+Update ceph to strip the SGID bit just as inode_init_owner would.
+
+This bug was detected by the mapped mount testsuite in [3]. The
+testsuite tests all core VFS functionality and semantics with and
+without mapped mounts. That is to say it functions as a generic VFS
+testsuite in addition to a mapped mount testsuite. While working on
+mapped mount support for ceph, SIGD inheritance was the only failing
+test for ceph after the port.
+
+The same bug was detected by the mapped mount testsuite in XFS in
+January 2021 (cf. [2]).
+
+[1]: commit 0fa3ecd87848 ("Fix up non-directory creation in SGID directories")
+[2]: commit 01ea173e103e ("xfs: fix up non-directory creation in SGID directories")
+[3]: https://git.kernel.org/fs/xfs/xfstests-dev.git
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ceph/file.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+--- a/fs/ceph/file.c
++++ b/fs/ceph/file.c
+@@ -603,13 +603,25 @@ static int ceph_finish_async_create(stru
+ in.cap.realm = cpu_to_le64(ci->i_snap_realm->ino);
+ in.cap.flags = CEPH_CAP_FLAG_AUTH;
+ in.ctime = in.mtime = in.atime = iinfo.btime;
+- in.mode = cpu_to_le32((u32)mode);
+ in.truncate_seq = cpu_to_le32(1);
+ in.truncate_size = cpu_to_le64(-1ULL);
+ in.xattr_version = cpu_to_le64(1);
+ in.uid = cpu_to_le32(from_kuid(&init_user_ns, current_fsuid()));
+- in.gid = cpu_to_le32(from_kgid(&init_user_ns, dir->i_mode & S_ISGID ?
+- dir->i_gid : current_fsgid()));
++ if (dir->i_mode & S_ISGID) {
++ in.gid = cpu_to_le32(from_kgid(&init_user_ns, dir->i_gid));
++
++ /* Directories always inherit the setgid bit. */
++ if (S_ISDIR(mode))
++ mode |= S_ISGID;
++ else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) &&
++ !in_group_p(dir->i_gid) &&
++ !capable_wrt_inode_uidgid(dir, CAP_FSETID))
++ mode &= ~S_ISGID;
++ } else {
++ in.gid = cpu_to_le32(from_kgid(&init_user_ns, current_fsgid()));
++ }
++ in.mode = cpu_to_le32((u32)mode);
++
+ in.nlink = cpu_to_le32(1);
+ in.max_size = cpu_to_le64(lo->stripe_unit);
+
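Review bot: The S_ISGID branch added ahead of `in.mode = cpu_to_le32((u32)mode);` is a hand-written copy of the rule the commit message attributes to inode_init_owner(), and nothing in the code says so, so a later change to the generic helper can leave ceph's async create path behind again. A comment above `if (dir->i_mode & S_ISGID) {` such as `/* Mirrors the S_ISGID handling in inode_init_owner(); keep the two in sync. */` would make the coupling visible. The check also uses `in_group_p(dir->i_gid)` and `&init_user_ns` directly, which presumably has to be revisited when the mapped-mount support mentioned in the description lands. ceph_finish_async_create() starts and ends outside this hunk.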
--- /dev/null
+From 5598b24efaf4892741c798b425d543e4bed357a1 Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Sun, 12 Dec 2021 17:16:30 +0800
+Subject: f2fs: fix to do sanity check on last xattr entry in __f2fs_setxattr()
+
+From: Chao Yu <chao@kernel.org>
+
+commit 5598b24efaf4892741c798b425d543e4bed357a1 upstream.
+
+As Wenqing Liu reported in bugzilla:
+
+https://bugzilla.kernel.org/show_bug.cgi?id=215235
+
+- Overview
+page fault in f2fs_setxattr() when mount and operate on corrupted image
+
+- Reproduce
+tested on kernel 5.16-rc3, 5.15.X under root
+
+1. unzip tmp7.zip
+2. ./single.sh f2fs 7
+
+Sometimes need to run the script several times
+
+- Kernel dump
+loop0: detected capacity change from 0 to 131072
+F2FS-fs (loop0): Found nat_bits in checkpoint
+F2FS-fs (loop0): Mounted with checkpoint version = 7548c2ee
+BUG: unable to handle page fault for address: ffffe47bc7123f48
+RIP: 0010:kfree+0x66/0x320
+Call Trace:
+ __f2fs_setxattr+0x2aa/0xc00 [f2fs]
+ f2fs_setxattr+0xfa/0x480 [f2fs]
+ __f2fs_set_acl+0x19b/0x330 [f2fs]
+ __vfs_removexattr+0x52/0x70
+ __vfs_removexattr_locked+0xb1/0x140
+ vfs_removexattr+0x56/0x100
+ removexattr+0x57/0x80
+ path_removexattr+0xa3/0xc0
+ __x64_sys_removexattr+0x17/0x20
+ do_syscall_64+0x37/0xb0
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+The root cause is in __f2fs_setxattr(), we missed to do sanity check on
+last xattr entry, result in out-of-bound memory access during updating
+inconsistent xattr data of target inode.
+
+After the fix, it can detect such xattr inconsistency as below:
+
+F2FS-fs (loop11): inode (7) has invalid last xattr entry, entry_size: 60676
+F2FS-fs (loop11): inode (8) has corrupted xattr
+F2FS-fs (loop11): inode (8) has corrupted xattr
+F2FS-fs (loop11): inode (8) has invalid last xattr entry, entry_size: 47736
+
+Cc: stable@vger.kernel.org
+Reported-by: Wenqing Liu <wenqingliu0120@gmail.com>
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/xattr.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/fs/f2fs/xattr.c
++++ b/fs/f2fs/xattr.c
+@@ -680,8 +680,17 @@ static int __f2fs_setxattr(struct inode
+ }
+
+ last = here;
+- while (!IS_XATTR_LAST_ENTRY(last))
++ while (!IS_XATTR_LAST_ENTRY(last)) {
++ if ((void *)(last) + sizeof(__u32) > last_base_addr ||
++ (void *)XATTR_NEXT_ENTRY(last) > last_base_addr) {
++ f2fs_err(F2FS_I_SB(inode), "inode (%lu) has invalid last xattr entry, entry_size: %zu",
++ inode->i_ino, ENTRY_SIZE(last));
++ set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_FSCK);
++ error = -EFSCORRUPTED;
++ goto exit;
++ }
+ last = XATTR_NEXT_ENTRY(last);
++ }
+
+ newsize = XATTR_ALIGN(sizeof(struct f2fs_xattr_entry) + len + size);
+
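Review bot: The loop condition `!IS_XATTR_LAST_ENTRY(last)` is evaluated before the new bounds test in the body, so after `last = XATTR_NEXT_ENTRY(last)` a pointer equal to `last_base_addr` is examined once before the next iteration rejects it. The macro presumably reads the first 32 bits of the entry (the `sizeof(__u32)` test in the body suggests as much), and neither its definition nor the buffer's allocation size is visible here. If the buffer has no slack past `last_base_addr`, that is still a small out-of-bounds read on a corrupted image. Either put the range test first, `while ((void *)last + sizeof(__u32) <= last_base_addr && !IS_XATTR_LAST_ENTRY(last))`, and report the corruption after the loop, or add a comment naming the padding that makes the read safe. __f2fs_setxattr() starts and ends outside the hunk.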
--- /dev/null
+From 9a5875f14b0e3a13ae314883f1bb72b7f31fac07 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Noralf=20Tr=C3=B8nnes?= <noralf@tronnes.org>
+Date: Mon, 18 Oct 2021 13:22:01 +0200
+Subject: gpio: dln2: Fix interrupts when replugging the device
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Noralf Trønnes <noralf@tronnes.org>
+
+commit 9a5875f14b0e3a13ae314883f1bb72b7f31fac07 upstream.
+
+When replugging the device the following message shows up:
+
+gpio gpiochip2: (dln2): detected irqchip that is shared with multiple gpiochips: please fix the driver.
+
+This also has the effect that interrupts won't work.
+The same problem would also show up if multiple devices where plugged in.
+
+Fix this by allocating the irq_chip data structure per instance like other
+drivers do.
+
+I don't know when this problem appeared, but it is present in 5.10.
+
+Cc: <stable@vger.kernel.org> # 5.10+
+Cc: Daniel Baluta <daniel.baluta@gmail.com>
+Signed-off-by: Noralf Trønnes <noralf@tronnes.org>
+Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-dln2.c | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+--- a/drivers/gpio/gpio-dln2.c
++++ b/drivers/gpio/gpio-dln2.c
+@@ -46,6 +46,7 @@
+ struct dln2_gpio {
+ struct platform_device *pdev;
+ struct gpio_chip gpio;
++ struct irq_chip irqchip;
+
+ /*
+ * Cache pin direction to save us one transfer, since the hardware has
+@@ -383,15 +384,6 @@ static void dln2_irq_bus_unlock(struct i
+ mutex_unlock(&dln2->irq_lock);
+ }
+
+-static struct irq_chip dln2_gpio_irqchip = {
+- .name = "dln2-irq",
+- .irq_mask = dln2_irq_mask,
+- .irq_unmask = dln2_irq_unmask,
+- .irq_set_type = dln2_irq_set_type,
+- .irq_bus_lock = dln2_irq_bus_lock,
+- .irq_bus_sync_unlock = dln2_irq_bus_unlock,
+-};
+-
+ static void dln2_gpio_event(struct platform_device *pdev, u16 echo,
+ const void *data, int len)
+ {
+@@ -477,8 +469,15 @@ static int dln2_gpio_probe(struct platfo
+ dln2->gpio.direction_output = dln2_gpio_direction_output;
+ dln2->gpio.set_config = dln2_gpio_set_config;
+
++ dln2->irqchip.name = "dln2-irq",
++ dln2->irqchip.irq_mask = dln2_irq_mask,
++ dln2->irqchip.irq_unmask = dln2_irq_unmask,
++ dln2->irqchip.irq_set_type = dln2_irq_set_type,
++ dln2->irqchip.irq_bus_lock = dln2_irq_bus_lock,
++ dln2->irqchip.irq_bus_sync_unlock = dln2_irq_bus_unlock,
++
+ girq = &dln2->gpio.irq;
+- girq->chip = &dln2_gpio_irqchip;
++ girq->chip = &dln2->irqchip;
+ /* The event comes from the outside so no parent handler */
+ girq->parent_handler = NULL;
+ girq->num_parents = 0;
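Review bot: The six new `dln2->irqchip.* = ...` assignments end in `,` rather than `;`, so together with the following `girq = &dln2->gpio.irq;` they form one long comma expression. It behaves the same today, but it reads like a leftover from the removed static initializer and will change meaning silently if a declaration, a macro or an `if` is ever inserted between those lines. Terminate each assignment with a semicolon, e.g. `dln2->irqchip.name = "dln2-irq";`. dln2_gpio_probe() starts and ends outside the hunk.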
--- /dev/null
+From 87a270625a89fc841f1a7e21aae6176543d8385c Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Mon, 20 Dec 2021 10:22:40 +0100
+Subject: mac80211: fix locking in ieee80211_start_ap error path
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 87a270625a89fc841f1a7e21aae6176543d8385c upstream.
+
+We need to hold the local->mtx to release the channel context,
+as even encoded by the lockdep_assert_held() there. Fix it.
+
+Cc: stable@vger.kernel.org
+Fixes: 295b02c4be74 ("mac80211: Add FILS discovery support")
+Reported-and-tested-by: syzbot+11c342e5e30e9539cabd@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20211220090836.cee3d59a1915.I36bba9b79dc2ff4d57c3c7aa30dff9a003fe8c5c@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/cfg.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1217,7 +1217,10 @@ static int ieee80211_start_ap(struct wip
+ return 0;
+
+ error:
++ mutex_lock(&local->mtx);
+ ieee80211_vif_release_channel(sdata);
++ mutex_unlock(&local->mtx);
++
+ return err;
+ }
+
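Review bot: The `error:` label now takes `local->mtx` unconditionally, and the `goto error` sites are not part of the hunk, so it cannot be confirmed from here that none of them is reached with the mutex already held; one such path would self-deadlock rather than trip the lockdep assertion. A short comment at the label, `/* must be entered without local->mtx held; ieee80211_vif_release_channel() needs it */`, would record the rule for error paths added later. The body of ieee80211_start_ap() above the label is outside the hunk.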
--- /dev/null
+From 2a57d83c78f889bf3f54eede908d0643c40d5418 Mon Sep 17 00:00:00 2001
+From: Liu Shixin <liushixin2@huawei.com>
+Date: Fri, 24 Dec 2021 21:12:58 -0800
+Subject: mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page()
+
+From: Liu Shixin <liushixin2@huawei.com>
+
+commit 2a57d83c78f889bf3f54eede908d0643c40d5418 upstream.
+
+Hulk Robot reported a panic in put_page_testzero() when testing
+madvise() with MADV_SOFT_OFFLINE. The BUG() is triggered when retrying
+get_any_page(). This is because we keep MF_COUNT_INCREASED flag in
+second try but the refcnt is not increased.
+
+ page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0)
+ ------------[ cut here ]------------
+ kernel BUG at include/linux/mm.h:737!
+ invalid opcode: 0000 [#1] PREEMPT SMP
+ CPU: 5 PID: 2135 Comm: sshd Tainted: G B 5.16.0-rc6-dirty #373
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
+ RIP: release_pages+0x53f/0x840
+ Call Trace:
+ free_pages_and_swap_cache+0x64/0x80
+ tlb_flush_mmu+0x6f/0x220
+ unmap_page_range+0xe6c/0x12c0
+ unmap_single_vma+0x90/0x170
+ unmap_vmas+0xc4/0x180
+ exit_mmap+0xde/0x3a0
+ mmput+0xa3/0x250
+ do_exit+0x564/0x1470
+ do_group_exit+0x3b/0x100
+ __do_sys_exit_group+0x13/0x20
+ __x64_sys_exit_group+0x16/0x20
+ do_syscall_64+0x34/0x80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+ Modules linked in:
+ ---[ end trace e99579b570fe0649 ]---
+ RIP: 0010:release_pages+0x53f/0x840
+
+Link: https://lkml.kernel.org/r/20211221074908.3910286-1-liushixin2@huawei.com
+Fixes: b94e02822deb ("mm,hwpoison: try to narrow window race for free pages")
+Signed-off-by: Liu Shixin <liushixin2@huawei.com>
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Reviewed-by: Oscar Salvador <osalvador@suse.de>
+Acked-by: Naoya Horiguchi <naoya.horiguchi@nec.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/memory-failure.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/mm/memory-failure.c
++++ b/mm/memory-failure.c
+@@ -1938,6 +1938,7 @@ retry:
+ else if (ret == 0)
+ if (soft_offline_free_page(page) && try_again) {
+ try_again = false;
++ flags &= ~MF_COUNT_INCREASED;
+ goto retry;
+ }
+
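Review bot: The added `flags &= ~MF_COUNT_INCREASED;` carries no comment, and the reason for it lives only in the commit message: the refcount is not raised again for the second try, so the flag must not claim it is. I would put `/* no reference is held for the second try; let get_any_page() take its own */` above the line so it is not removed later as a redundant flag twiddle. The `retry:` label and the get_any_page() call are outside the hunk.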
--- /dev/null
+From 66c915d09b942fb3b2b0cb2f56562180901fba17 Mon Sep 17 00:00:00 2001
+From: Ulf Hansson <ulf.hansson@linaro.org>
+Date: Fri, 3 Dec 2021 15:15:54 +0100
+Subject: mmc: core: Disable card detect during shutdown
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+commit 66c915d09b942fb3b2b0cb2f56562180901fba17 upstream.
+
+It's seems prone to problems by allowing card detect and its corresponding
+mmc_rescan() work to run, during platform shutdown. For example, we may end
+up turning off the power while initializing a card, which potentially could
+damage it.
+
+To avoid this scenario, let's add ->shutdown_pre() callback for the mmc host
+class device and then turn of the card detect from there.
+
+Reported-by: Al Cooper <alcooperx@gmail.com>
+Suggested-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20211203141555.105351-1-ulf.hansson@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/core.c | 7 ++++++-
+ drivers/mmc/core/core.h | 1 +
+ drivers/mmc/core/host.c | 9 +++++++++
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/core/core.c
++++ b/drivers/mmc/core/core.c
+@@ -2327,7 +2327,7 @@ void mmc_start_host(struct mmc_host *hos
+ _mmc_detect_change(host, 0, false);
+ }
+
+-void mmc_stop_host(struct mmc_host *host)
++void __mmc_stop_host(struct mmc_host *host)
+ {
+ if (host->slot.cd_irq >= 0) {
+ mmc_gpio_set_cd_wake(host, false);
+@@ -2336,6 +2336,11 @@ void mmc_stop_host(struct mmc_host *host
+
+ host->rescan_disable = 1;
+ cancel_delayed_work_sync(&host->detect);
++}
++
++void mmc_stop_host(struct mmc_host *host)
++{
++ __mmc_stop_host(host);
+
+ /* clear pm flags now and let card drivers set them as needed */
+ host->pm_flags = 0;
+--- a/drivers/mmc/core/core.h
++++ b/drivers/mmc/core/core.h
+@@ -69,6 +69,7 @@ static inline void mmc_delay(unsigned in
+
+ void mmc_rescan(struct work_struct *work);
+ void mmc_start_host(struct mmc_host *host);
++void __mmc_stop_host(struct mmc_host *host);
+ void mmc_stop_host(struct mmc_host *host);
+
+ void _mmc_detect_change(struct mmc_host *host, unsigned long delay,
+--- a/drivers/mmc/core/host.c
++++ b/drivers/mmc/core/host.c
+@@ -79,9 +79,18 @@ static void mmc_host_classdev_release(st
+ kfree(host);
+ }
+
++static int mmc_host_classdev_shutdown(struct device *dev)
++{
++ struct mmc_host *host = cls_dev_to_mmc_host(dev);
++
++ __mmc_stop_host(host);
++ return 0;
++}
++
+ static struct class mmc_host_class = {
+ .name = "mmc_host",
+ .dev_release = mmc_host_classdev_release,
++ .shutdown_pre = mmc_host_classdev_shutdown,
+ .pm = MMC_HOST_CLASS_DEV_PM_OPS,
+ };
+
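Review bot: `mmc_host_classdev_shutdown()` calls `__mmc_stop_host()`, and `mmc_stop_host()` calls it again if the host is removed afterwards, so every statement in the helper has to be safe to run twice. `host->rescan_disable = 1` and `cancel_delayed_work_sync(&host->detect)` are, but the rest of the `cd_irq` branch lies between the two core.c hunks and is not shown; anything counted or nested there would not be. A comment on the helper, e.g. `/* Stops card detect and rescan only; may run from shutdown_pre and again from mmc_stop_host(). */`, or an early return when `host->rescan_disable` is already set, would make that contract explicit. The new non-static declaration in core.h has no description either.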
--- /dev/null
+From f89b548ca66be7500dcd92ee8e61590f7d08ac91 Mon Sep 17 00:00:00 2001
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Date: Sun, 19 Dec 2021 16:34:41 +0100
+Subject: mmc: meson-mx-sdhc: Set MANUAL_STOP for multi-block SDIO commands
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+commit f89b548ca66be7500dcd92ee8e61590f7d08ac91 upstream.
+
+The vendor driver implements special handling for multi-block
+SD_IO_RW_EXTENDED (and SD_IO_RW_DIRECT) commands which have data
+attached to them. It sets the MANUAL_STOP bit in the MESON_SDHC_MISC
+register for these commands. In all other cases this bit is cleared.
+Here we omit SD_IO_RW_DIRECT since that command never has any data
+attached to it.
+
+This fixes SDIO wifi using the brcmfmac driver which reported the
+following error without this change on a Netxeon S82 board using a
+Meson8 (S802) SoC:
+ brcmf_fw_alloc_request: using brcm/brcmfmac43362-sdio for chip
+ BCM43362/1
+ brcmf_sdiod_ramrw: membytes transfer failed
+ brcmf_sdio_download_code_file: error -110 on writing 219557 membytes
+ at 0x00000000
+ brcmf_sdio_download_firmware: dongle image file download failed
+
+And with this change:
+ brcmf_fw_alloc_request: using brcm/brcmfmac43362-sdio for chip
+ BCM43362/1
+ brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may
+ have limited channels available
+ brcmf_c_preinit_dcmds: Firmware: BCM43362/1 wl0: Apr 22 2013 14:50:00
+ version 5.90.195.89.6 FWID 01-b30a427d
+
+Fixes: e4bf1b0970ef96 ("mmc: host: meson-mx-sdhc: new driver for the Amlogic Meson SDHC host")
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20211219153442.463863-2-martin.blumenstingl@googlemail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/meson-mx-sdhc-mmc.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/mmc/host/meson-mx-sdhc-mmc.c
++++ b/drivers/mmc/host/meson-mx-sdhc-mmc.c
+@@ -135,6 +135,7 @@ static void meson_mx_sdhc_start_cmd(stru
+ struct mmc_command *cmd)
+ {
+ struct meson_mx_sdhc_host *host = mmc_priv(mmc);
++ bool manual_stop = false;
+ u32 ictl, send;
+ int pack_len;
+
+@@ -172,12 +173,27 @@ static void meson_mx_sdhc_start_cmd(stru
+ else
+ /* software flush: */
+ ictl |= MESON_SDHC_ICTL_DATA_XFER_OK;
++
++ /*
++ * Mimic the logic from the vendor driver where (only)
++ * SD_IO_RW_EXTENDED commands with more than one block set the
++ * MESON_SDHC_MISC_MANUAL_STOP bit. This fixes the firmware
++ * download in the brcmfmac driver for a BCM43362/1 card.
++ * Without this sdio_memcpy_toio() (with a size of 219557
++ * bytes) times out if MESON_SDHC_MISC_MANUAL_STOP is not set.
++ */
++ manual_stop = cmd->data->blocks > 1 &&
++ cmd->opcode == SD_IO_RW_EXTENDED;
+ } else {
+ pack_len = 0;
+
+ ictl |= MESON_SDHC_ICTL_RESP_OK;
+ }
+
++ regmap_update_bits(host->regmap, MESON_SDHC_MISC,
++ MESON_SDHC_MISC_MANUAL_STOP,
++ manual_stop ? MESON_SDHC_MISC_MANUAL_STOP : 0);
++
+ if (cmd->opcode == MMC_STOP_TRANSMISSION)
+ send |= MESON_SDHC_SEND_DATA_STOP;
+
--- /dev/null
+From ff31ee0a0f471776f67be5e5275c18d17736fc6b Mon Sep 17 00:00:00 2001
+From: Yann Gautier <yann.gautier@foss.st.com>
+Date: Wed, 15 Dec 2021 15:17:26 +0100
+Subject: mmc: mmci: stm32: clear DLYB_CR after sending tuning command
+
+From: Yann Gautier <yann.gautier@foss.st.com>
+
+commit ff31ee0a0f471776f67be5e5275c18d17736fc6b upstream.
+
+During test campaign, and especially after several unbind/bind sequences,
+it has been seen that the SD-card on SDMMC1 thread could freeze.
+The freeze always appear on a CMD23 following a CMD19.
+Checking SDMMC internal registers shows that the tuning command (CMD19)
+has failed.
+The freeze is then due to the delay block involved in the tuning sequence.
+To correct this, clear the delay block register DLYB_CR register after
+the tuning commands.
+
+Signed-off-by: Christophe Kerello <christophe.kerello@foss.st.com>
+Signed-off-by: Yann Gautier <yann.gautier@foss.st.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Fixes: 1103f807a3b9 ("mmc: mmci_sdmmc: Add execute tuning with delay block")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20211215141727.4901-4-yann.gautier@foss.st.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/mmci_stm32_sdmmc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mmc/host/mmci_stm32_sdmmc.c
++++ b/drivers/mmc/host/mmci_stm32_sdmmc.c
+@@ -441,6 +441,8 @@ static int sdmmc_dlyb_phase_tuning(struc
+ return -EINVAL;
+ }
+
++ writel_relaxed(0, dlyb->base + DLYB_CR);
++
+ phase = end_of_len - max_len / 2;
+ sdmmc_dlyb_set_cfgr(dlyb, dlyb->unit, phase, false);
+
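Review bot: `writel_relaxed(0, dlyb->base + DLYB_CR);` sits after the `return -EINVAL;` block, so the failure return visible at the top of the hunk leaves DLYB_CR in whatever state the preceding tuning left it. The description ties the freeze to a failed tuning command, so that path looks like the one that most needs the register cleared; I would repeat the clear before `return -EINVAL;` or move it above the check. A one-line comment such as `/* reset the delay block before programming the final phase */` would also help, assuming sdmmc_dlyb_set_cfgr() reprograms DLYB_CR, which is not visible here. sdmmc_dlyb_phase_tuning() starts and ends outside the hunk.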
--- /dev/null
+From 4fc7261dbab139d3c64c3b618262504e16cfe7ee Mon Sep 17 00:00:00 2001
+From: Prathamesh Shete <pshete@nvidia.com>
+Date: Tue, 14 Dec 2021 17:06:53 +0530
+Subject: mmc: sdhci-tegra: Fix switch to HS400ES mode
+
+From: Prathamesh Shete <pshete@nvidia.com>
+
+commit 4fc7261dbab139d3c64c3b618262504e16cfe7ee upstream.
+
+When CMD13 is sent after switching to HS400ES mode, the bus
+is operating at either MMC_HIGH_26_MAX_DTR or MMC_HIGH_52_MAX_DTR.
+To meet Tegra SDHCI requirement at HS400ES mode, force SDHCI
+interface clock to MMC_HS200_MAX_DTR (200 MHz) so that host
+controller CAR clock and the interface clock are rate matched.
+
+Signed-off-by: Prathamesh Shete <pshete@nvidia.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Fixes: dfc9700cef77 ("mmc: tegra: Implement HS400 enhanced strobe")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20211214113653.4631-1-pshete@nvidia.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-tegra.c | 43 ++++++++++++++++++++++++-----------------
+ 1 file changed, 26 insertions(+), 17 deletions(-)
+
+--- a/drivers/mmc/host/sdhci-tegra.c
++++ b/drivers/mmc/host/sdhci-tegra.c
+@@ -354,23 +354,6 @@ static void tegra_sdhci_set_tap(struct s
+ }
+ }
+
+-static void tegra_sdhci_hs400_enhanced_strobe(struct mmc_host *mmc,
+- struct mmc_ios *ios)
+-{
+- struct sdhci_host *host = mmc_priv(mmc);
+- u32 val;
+-
+- val = sdhci_readl(host, SDHCI_TEGRA_VENDOR_SYS_SW_CTRL);
+-
+- if (ios->enhanced_strobe)
+- val |= SDHCI_TEGRA_SYS_SW_CTRL_ENHANCED_STROBE;
+- else
+- val &= ~SDHCI_TEGRA_SYS_SW_CTRL_ENHANCED_STROBE;
+-
+- sdhci_writel(host, val, SDHCI_TEGRA_VENDOR_SYS_SW_CTRL);
+-
+-}
+-
+ static void tegra_sdhci_reset(struct sdhci_host *host, u8 mask)
+ {
+ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
+@@ -791,6 +774,32 @@ static void tegra_sdhci_set_clock(struct
+ }
+ }
+
++static void tegra_sdhci_hs400_enhanced_strobe(struct mmc_host *mmc,
++ struct mmc_ios *ios)
++{
++ struct sdhci_host *host = mmc_priv(mmc);
++ u32 val;
++
++ val = sdhci_readl(host, SDHCI_TEGRA_VENDOR_SYS_SW_CTRL);
++
++ if (ios->enhanced_strobe) {
++ val |= SDHCI_TEGRA_SYS_SW_CTRL_ENHANCED_STROBE;
++ /*
++ * When CMD13 is sent from mmc_select_hs400es() after
++ * switching to HS400ES mode, the bus is operating at
++ * either MMC_HIGH_26_MAX_DTR or MMC_HIGH_52_MAX_DTR.
++ * To meet Tegra SDHCI requirement at HS400ES mode, force SDHCI
++ * interface clock to MMC_HS200_MAX_DTR (200 MHz) so that host
++ * controller CAR clock and the interface clock are rate matched.
++ */
++ tegra_sdhci_set_clock(host, MMC_HS200_MAX_DTR);
++ } else {
++ val &= ~SDHCI_TEGRA_SYS_SW_CTRL_ENHANCED_STROBE;
++ }
++
++ sdhci_writel(host, val, SDHCI_TEGRA_VENDOR_SYS_SW_CTRL);
++}
++
+ static unsigned int tegra_sdhci_get_max_clock(struct sdhci_host *host)
+ {
+ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
--- /dev/null
+From b67210cc217f9ca1c576909454d846970c13dfd4 Mon Sep 17 00:00:00 2001
+From: Fabien Dessenne <fabien.dessenne@foss.st.com>
+Date: Wed, 15 Dec 2021 10:58:08 +0100
+Subject: pinctrl: stm32: consider the GPIO offset to expose all the GPIO lines
+
+From: Fabien Dessenne <fabien.dessenne@foss.st.com>
+
+commit b67210cc217f9ca1c576909454d846970c13dfd4 upstream.
+
+Consider the GPIO controller offset (from "gpio-ranges") to compute the
+maximum GPIO line number.
+This fixes an issue where gpio-ranges uses a non-null offset.
+ e.g.: gpio-ranges = <&pinctrl 6 86 10>
+ In that case the last valid GPIO line is not 9 but 15 (6 + 10 - 1)
+
+Cc: stable@vger.kernel.org
+Fixes: 67e2996f72c7 ("pinctrl: stm32: fix the reported number of GPIO lines per bank")
+Reported-by: Christoph Fritz <chf.fritz@googlemail.com>
+Signed-off-by: Fabien Dessenne <fabien.dessenne@foss.st.com>
+Link: https://lore.kernel.org/r/20211215095808.621716-1-fabien.dessenne@foss.st.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/stm32/pinctrl-stm32.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/pinctrl/stm32/pinctrl-stm32.c
++++ b/drivers/pinctrl/stm32/pinctrl-stm32.c
+@@ -1255,10 +1255,10 @@ static int stm32_gpiolib_register_bank(s
+ bank_nr = args.args[1] / STM32_GPIO_PINS_PER_BANK;
+ bank->gpio_chip.base = args.args[1];
+
+- npins = args.args[2];
+- while (!of_parse_phandle_with_fixed_args(np, "gpio-ranges", 3,
+- ++i, &args))
+- npins += args.args[2];
++ /* get the last defined gpio line (offset + nb of pins) */
++ npins = args.args[0] + args.args[2];
++ while (!of_parse_phandle_with_fixed_args(np, "gpio-ranges", 3, ++i, &args))
++ npins = max(npins, (int)(args.args[0] + args.args[2]));
+ } else {
+ bank_nr = pctl->nbanks;
+ bank->gpio_chip.base = bank_nr * STM32_GPIO_PINS_PER_BANK;
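Review bot: `npins = max(npins, (int)(args.args[0] + args.args[2]));` takes offset plus count straight from the device-tree `gpio-ranges` cells, with an `(int)` cast and no upper bound. If `npins` ends up as the bank's line count (its use is outside the hunk), a malformed range makes the bank claim more lines than `STM32_GPIO_PINS_PER_BANK`. Clamping after the loop, `npins = min(npins, STM32_GPIO_PINS_PER_BANK);` (types permitting), or rejecting the node with an error, would keep a bad DT from producing out-of-range line numbers. stm32_gpiolib_register_bank() starts and ends outside the hunk.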
x86-pkey-fix-undefined-behaviour-with-pkru_wd_bit.patch
platform-x86-intel_pmc_core-fix-memleak-on-registration-failure.patch
kvm-vmx-wake-vcpu-when-delivering-posted-irq-even-if-vcpu-this-vcpu.patch
+pinctrl-stm32-consider-the-gpio-offset-to-expose-all-the-gpio-lines.patch
+gpio-dln2-fix-interrupts-when-replugging-the-device.patch
+mmc-sdhci-tegra-fix-switch-to-hs400es-mode.patch
+mmc-meson-mx-sdhc-set-manual_stop-for-multi-block-sdio-commands.patch
+mmc-core-disable-card-detect-during-shutdown.patch
+mmc-mmci-stm32-clear-dlyb_cr-after-sending-tuning-command.patch
+arm-9169-1-entry-fix-thumb2-bug-in-iwmmxt-exception-handling.patch
+mac80211-fix-locking-in-ieee80211_start_ap-error-path.patch
+mm-hwpoison-clear-mf_count_increased-before-retrying-get_any_page.patch
+tee-optee-fix-incorrect-page-free-bug.patch
+f2fs-fix-to-do-sanity-check-on-last-xattr-entry-in-__f2fs_setxattr.patch
+ceph-fix-up-non-directory-creation-in-sgid-directories.patch
+usb-gadget-u_ether-fix-race-in-setting-mac-address-in-setup-phase.patch
--- /dev/null
+From 18549bf4b21c739a9def39f27dcac53e27286ab5 Mon Sep 17 00:00:00 2001
+From: Sumit Garg <sumit.garg@linaro.org>
+Date: Thu, 16 Dec 2021 11:17:25 +0530
+Subject: tee: optee: Fix incorrect page free bug
+
+From: Sumit Garg <sumit.garg@linaro.org>
+
+commit 18549bf4b21c739a9def39f27dcac53e27286ab5 upstream.
+
+Pointer to the allocated pages (struct page *page) has already
+progressed towards the end of allocation. It is incorrect to perform
+__free_pages(page, order) using this pointer as we would free any
+arbitrary pages. Fix this by stop modifying the page pointer.
+
+Fixes: ec185dd3ab25 ("optee: Fix memory leak when failing to register shm pages")
+Cc: stable@vger.kernel.org
+Reported-by: Patrik Lantz <patrik.lantz@axis.com>
+Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
+Reviewed-by: Tyler Hicks <tyhicks@linux.microsoft.com>
+Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tee/optee/shm_pool.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/tee/optee/shm_pool.c
++++ b/drivers/tee/optee/shm_pool.c
+@@ -41,10 +41,8 @@ static int pool_op_alloc(struct tee_shm_
+ goto err;
+ }
+
+- for (i = 0; i < nr_pages; i++) {
+- pages[i] = page;
+- page++;
+- }
++ for (i = 0; i < nr_pages; i++)
++ pages[i] = page + i;
+
+ shm->flags |= TEE_SHM_REGISTER;
+ rc = optee_shm_register(shm->ctx, shm, pages, nr_pages,
--- /dev/null
+From 890d5b40908bfd1a79be018d2d297cf9df60f4ee Mon Sep 17 00:00:00 2001
+From: Marian Postevca <posteuca@mutex.one>
+Date: Sat, 4 Dec 2021 23:49:12 +0200
+Subject: usb: gadget: u_ether: fix race in setting MAC address in setup phase
+
+From: Marian Postevca <posteuca@mutex.one>
+
+commit 890d5b40908bfd1a79be018d2d297cf9df60f4ee upstream.
+
+When listening for notifications through netlink of a new interface being
+registered, sporadically, it is possible for the MAC to be read as zero.
+The zero MAC address lasts a short period of time and then switches to a
+valid random MAC address.
+
+This causes problems for netd in Android, which assumes that the interface
+is malfunctioning and will not use it.
+
+In the good case we get this log:
+InterfaceController::getCfg() ifName usb0
+ hwAddr 92:a8:f0:73:79:5b ipv4Addr 0.0.0.0 flags 0x1002
+
+In the error case we get these logs:
+InterfaceController::getCfg() ifName usb0
+ hwAddr 00:00:00:00:00:00 ipv4Addr 0.0.0.0 flags 0x1002
+
+netd : interfaceGetCfg("usb0")
+netd : interfaceSetCfg() -> ServiceSpecificException
+ (99, "[Cannot assign requested address] : ioctl() failed")
+
+The reason for the issue is the order in which the interface is setup,
+it is first registered through register_netdev() and after the MAC
+address is set.
+
+Fixed by first setting the MAC address of the net_device and after that
+calling register_netdev().
+
+Fixes: bcd4a1c40bee885e ("usb: gadget: u_ether: construct with default values and add setters/getters")
+Cc: stable@vger.kernel.org
+Signed-off-by: Marian Postevca <posteuca@mutex.one>
+Link: https://lore.kernel.org/r/20211204214912.17627-1-posteuca@mutex.one
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/u_ether.c | 15 +++++----------
+ 1 file changed, 5 insertions(+), 10 deletions(-)
+
+--- a/drivers/usb/gadget/function/u_ether.c
++++ b/drivers/usb/gadget/function/u_ether.c
+@@ -860,19 +860,23 @@ int gether_register_netdev(struct net_de
+ {
+ struct eth_dev *dev;
+ struct usb_gadget *g;
+- struct sockaddr sa;
+ int status;
+
+ if (!net->dev.parent)
+ return -EINVAL;
+ dev = netdev_priv(net);
+ g = dev->gadget;
++
++ memcpy(net->dev_addr, dev->dev_mac, ETH_ALEN);
++ net->addr_assign_type = NET_ADDR_RANDOM;
++
+ status = register_netdev(net);
+ if (status < 0) {
+ dev_dbg(&g->dev, "register_netdev failed, %d\n", status);
+ return status;
+ } else {
+ INFO(dev, "HOST MAC %pM\n", dev->host_mac);
++ INFO(dev, "MAC %pM\n", dev->dev_mac);
+
+ /* two kinds of host-initiated state changes:
+ * - iff DATA transfer is active, carrier is "on"
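Review bot: `net->addr_assign_type = NET_ADDR_RANDOM;` is set unconditionally, but the Fixes: subject mentions setters for this driver, so `dev->dev_mac` may be an address chosen by the user rather than a generated one, and userspace would then be told the wrong assignment type. I would mark it random only where the address was actually generated, or add a comment explaining why the label is always right. The `memcpy(net->dev_addr, dev->dev_mac, ETH_ALEN);` also replaces the `dev_set_mac_address()` call removed in the next hunk, which presumably validated the address; if so, an `is_valid_ether_addr(dev->dev_mac)` check before the copy keeps that property. Trees that have `eth_hw_addr_set()` should use it instead of writing `net->dev_addr` directly. gether_register_netdev() continues into the next hunk.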
+@@ -880,15 +884,6 @@ int gether_register_netdev(struct net_de
+ */
+ netif_carrier_off(net);
+ }
+- sa.sa_family = net->type;
+- memcpy(sa.sa_data, dev->dev_mac, ETH_ALEN);
+- rtnl_lock();
+- status = dev_set_mac_address(net, &sa, NULL);
+- rtnl_unlock();
+- if (status)
+- pr_warn("cannot set self ethernet address: %d\n", status);
+- else
+- INFO(dev, "MAC %pM\n", dev->dev_mac);
+
+ return status;
+ }