--- /dev/null
+From a4d432e9132c0b29d857b09ca2ec4c1f455b5948 Mon Sep 17 00:00:00 2001
+From: Syed Saba Kareem <Syed.SabaKareem@amd.com>
+Date: Fri, 31 Mar 2023 10:50:23 +0530
+Subject: ASoC: amd: ps: update the acp clock source.
+
+From: Syed Saba Kareem <Syed.SabaKareem@amd.com>
+
+commit a4d432e9132c0b29d857b09ca2ec4c1f455b5948 upstream.
+
+Updating the clock source from ACLK to default clock
+
+Signed-off-by: Syed Saba Kareem <Syed.SabaKareem@amd.com>
+Link: https://lore.kernel.org/r/20230331052102.2211115-1-Syed.SabaKareem@amd.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/amd/ps/pci-ps.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/sound/soc/amd/ps/pci-ps.c
++++ b/sound/soc/amd/ps/pci-ps.c
+@@ -91,7 +91,6 @@ static int acp63_init(void __iomem *acp_
+ dev_err(dev, "ACP reset failed\n");
+ return ret;
+ }
+- acp63_writel(0x03, acp_base + ACP_CLKMUX_SEL);
+ acp63_enable_interrupts(acp_base);
+ return 0;
+ }
+@@ -106,7 +105,6 @@ static int acp63_deinit(void __iomem *ac
+ dev_err(dev, "ACP reset failed\n");
+ return ret;
+ }
+- acp63_writel(0, acp_base + ACP_CLKMUX_SEL);
+ acp63_writel(0, acp_base + ACP_CONTROL);
+ return 0;
+ }
--- /dev/null
+From 5c7cb94452901a93e90c2230632e2c12a681bc92 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Wed, 15 Mar 2023 11:39:04 -0700
+Subject: blk-crypto: make blk_crypto_evict_key() more robust
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 5c7cb94452901a93e90c2230632e2c12a681bc92 upstream.
+
+If blk_crypto_evict_key() sees that the key is still in-use (due to a
+bug) or that ->keyslot_evict failed, it currently just returns while
+leaving the key linked into the keyslot management structures.
+
+However, blk_crypto_evict_key() is only called in contexts such as inode
+eviction where failure is not an option. So actually the caller
+proceeds with freeing the blk_crypto_key regardless of the return value
+of blk_crypto_evict_key().
+
+These two assumptions don't match, and the result is that there can be a
+use-after-free in blk_crypto_reprogram_all_keys() after one of these
+errors occurs. (Note, these errors *shouldn't* happen; we're just
+talking about what happens if they do anyway.)
+
+Fix this by making blk_crypto_evict_key() unlink the key from the
+keyslot management structures even on failure.
+
+Also improve some comments.
+
+Fixes: 1b2628397058 ("block: Keyslot Manager for Inline Encryption")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20230315183907.53675-2-ebiggers@kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-crypto-profile.c | 46 ++++++++++++++++++++-------------------------
+ block/blk-crypto.c | 28 +++++++++++++++++++--------
+ 2 files changed, 41 insertions(+), 33 deletions(-)
+
+--- a/block/blk-crypto-profile.c
++++ b/block/blk-crypto-profile.c
+@@ -354,28 +354,16 @@ bool __blk_crypto_cfg_supported(struct b
+ return true;
+ }
+
+-/**
+- * __blk_crypto_evict_key() - Evict a key from a device.
+- * @profile: the crypto profile of the device
+- * @key: the key to evict. It must not still be used in any I/O.
+- *
+- * If the device has keyslots, this finds the keyslot (if any) that contains the
+- * specified key and calls the driver's keyslot_evict function to evict it.
+- *
+- * Otherwise, this just calls the driver's keyslot_evict function if it is
+- * implemented, passing just the key (without any particular keyslot). This
+- * allows layered devices to evict the key from their underlying devices.
+- *
+- * Context: Process context. Takes and releases profile->lock.
+- * Return: 0 on success or if there's no keyslot with the specified key, -EBUSY
+- * if the keyslot is still in use, or another -errno value on other
+- * error.
++/*
++ * This is an internal function that evicts a key from an inline encryption
++ * device that can be either a real device or the blk-crypto-fallback "device".
++ * It is used only by blk_crypto_evict_key(); see that function for details.
+ */
+ int __blk_crypto_evict_key(struct blk_crypto_profile *profile,
+ const struct blk_crypto_key *key)
+ {
+ struct blk_crypto_keyslot *slot;
+- int err = 0;
++ int err;
+
+ if (profile->num_slots == 0) {
+ if (profile->ll_ops.keyslot_evict) {
+@@ -389,22 +377,30 @@ int __blk_crypto_evict_key(struct blk_cr
+
+ blk_crypto_hw_enter(profile);
+ slot = blk_crypto_find_keyslot(profile, key);
+- if (!slot)
+- goto out_unlock;
++ if (!slot) {
++ /*
++ * Not an error, since a key not in use by I/O is not guaranteed
++ * to be in a keyslot. There can be more keys than keyslots.
++ */
++ err = 0;
++ goto out;
++ }
+
+ if (WARN_ON_ONCE(atomic_read(&slot->slot_refs) != 0)) {
++ /* BUG: key is still in use by I/O */
+ err = -EBUSY;
+- goto out_unlock;
++ goto out_remove;
+ }
+ err = profile->ll_ops.keyslot_evict(profile, key,
+ blk_crypto_keyslot_index(slot));
+- if (err)
+- goto out_unlock;
+-
++out_remove:
++ /*
++ * Callers free the key even on error, so unlink the key from the hash
++ * table and clear slot->key even on error.
++ */
+ hlist_del(&slot->hash_node);
+ slot->key = NULL;
+- err = 0;
+-out_unlock:
++out:
+ blk_crypto_hw_exit(profile);
+ return err;
+ }
+--- a/block/blk-crypto.c
++++ b/block/blk-crypto.c
+@@ -400,15 +400,19 @@ int blk_crypto_start_using_key(struct bl
+ }
+
+ /**
+- * blk_crypto_evict_key() - Evict a key from any inline encryption hardware
+- * it may have been programmed into
+- * @bdev: The block_device who's associated inline encryption hardware this key
+- * might have been programmed into
+- * @key: The key to evict
++ * blk_crypto_evict_key() - Evict a blk_crypto_key from a block_device
++ * @bdev: a block_device on which I/O using the key may have been done
++ * @key: the key to evict
+ *
+- * Upper layers (filesystems) must call this function to ensure that a key is
+- * evicted from any hardware that it might have been programmed into. The key
+- * must not be in use by any in-flight IO when this function is called.
++ * For a given block_device, this function removes the given blk_crypto_key from
++ * the keyslot management structures and evicts it from any underlying hardware
++ * keyslot(s) or blk-crypto-fallback keyslot it may have been programmed into.
++ *
++ * Upper layers must call this before freeing the blk_crypto_key. It must be
++ * called for every block_device the key may have been used on. The key must no
++ * longer be in use by any I/O when this function is called.
++ *
++ * Context: May sleep.
+ */
+ void blk_crypto_evict_key(struct block_device *bdev,
+ const struct blk_crypto_key *key)
+@@ -420,6 +424,14 @@ void blk_crypto_evict_key(struct block_d
+ err = __blk_crypto_evict_key(q->crypto_profile, key);
+ else
+ err = blk_crypto_fallback_evict_key(key);
++ /*
++ * An error can only occur here if the key failed to be evicted from a
++ * keyslot (due to a hardware or driver issue) or is allegedly still in
++ * use by I/O (due to a kernel bug). Even in these cases, the key is
++ * still unlinked from the keyslot management structures, and the caller
++ * is allowed and expected to free it right away. There's nothing
++ * callers can do to handle errors, so just log them and return void.
++ */
+ if (err)
+ pr_warn_ratelimited("%pg: error %d evicting key\n", bdev, err);
+ }
--- /dev/null
+From 70493a63ba04f754f7a7dd53a4fcc82700181490 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Wed, 15 Mar 2023 11:39:03 -0700
+Subject: blk-crypto: make blk_crypto_evict_key() return void
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 70493a63ba04f754f7a7dd53a4fcc82700181490 upstream.
+
+blk_crypto_evict_key() is only called in contexts such as inode eviction
+where failure is not an option. So there is nothing the caller can do
+with errors except log them. (dm-table.c does "use" the error code, but
+only to pass on to upper layers, so it doesn't really count.)
+
+Just make blk_crypto_evict_key() return void and log errors itself.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20230315183907.53675-2-ebiggers@kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-crypto.c | 20 +++++++++-----------
+ drivers/md/dm-table.c | 19 +++++--------------
+ include/linux/blk-crypto.h | 4 ++--
+ 3 files changed, 16 insertions(+), 27 deletions(-)
+
+--- a/block/blk-crypto.c
++++ b/block/blk-crypto.c
+@@ -13,6 +13,7 @@
+ #include <linux/blkdev.h>
+ #include <linux/blk-crypto-profile.h>
+ #include <linux/module.h>
++#include <linux/ratelimit.h>
+ #include <linux/slab.h>
+
+ #include "blk-crypto-internal.h"
+@@ -408,21 +409,18 @@ int blk_crypto_start_using_key(struct bl
+ * Upper layers (filesystems) must call this function to ensure that a key is
+ * evicted from any hardware that it might have been programmed into. The key
+ * must not be in use by any in-flight IO when this function is called.
+- *
+- * Return: 0 on success or if the key wasn't in any keyslot; -errno on error.
+ */
+-int blk_crypto_evict_key(struct block_device *bdev,
+- const struct blk_crypto_key *key)
++void blk_crypto_evict_key(struct block_device *bdev,
++ const struct blk_crypto_key *key)
+ {
+ struct request_queue *q = bdev_get_queue(bdev);
++ int err;
+
+ if (blk_crypto_config_supported_natively(bdev, &key->crypto_cfg))
+- return __blk_crypto_evict_key(q->crypto_profile, key);
+-
+- /*
+- * If the block_device didn't support the key, then blk-crypto-fallback
+- * may have been used, so try to evict the key from blk-crypto-fallback.
+- */
+- return blk_crypto_fallback_evict_key(key);
++ err = __blk_crypto_evict_key(q->crypto_profile, key);
++ else
++ err = blk_crypto_fallback_evict_key(key);
++ if (err)
++ pr_warn_ratelimited("%pg: error %d evicting key\n", bdev, err);
+ }
+ EXPORT_SYMBOL_GPL(blk_crypto_evict_key);
+--- a/drivers/md/dm-table.c
++++ b/drivers/md/dm-table.c
+@@ -1202,21 +1202,12 @@ struct dm_crypto_profile {
+ struct mapped_device *md;
+ };
+
+-struct dm_keyslot_evict_args {
+- const struct blk_crypto_key *key;
+- int err;
+-};
+-
+ static int dm_keyslot_evict_callback(struct dm_target *ti, struct dm_dev *dev,
+ sector_t start, sector_t len, void *data)
+ {
+- struct dm_keyslot_evict_args *args = data;
+- int err;
++ const struct blk_crypto_key *key = data;
+
+- err = blk_crypto_evict_key(dev->bdev, args->key);
+- if (!args->err)
+- args->err = err;
+- /* Always try to evict the key from all devices. */
++ blk_crypto_evict_key(dev->bdev, key);
+ return 0;
+ }
+
+@@ -1229,7 +1220,6 @@ static int dm_keyslot_evict(struct blk_c
+ {
+ struct mapped_device *md =
+ container_of(profile, struct dm_crypto_profile, profile)->md;
+- struct dm_keyslot_evict_args args = { key };
+ struct dm_table *t;
+ int srcu_idx;
+
+@@ -1242,11 +1232,12 @@ static int dm_keyslot_evict(struct blk_c
+
+ if (!ti->type->iterate_devices)
+ continue;
+- ti->type->iterate_devices(ti, dm_keyslot_evict_callback, &args);
++ ti->type->iterate_devices(ti, dm_keyslot_evict_callback,
++ (void *)key);
+ }
+
+ dm_put_live_table(md, srcu_idx);
+- return args.err;
++ return 0;
+ }
+
+ static int
+--- a/include/linux/blk-crypto.h
++++ b/include/linux/blk-crypto.h
+@@ -95,8 +95,8 @@ int blk_crypto_init_key(struct blk_crypt
+ int blk_crypto_start_using_key(struct block_device *bdev,
+ const struct blk_crypto_key *key);
+
+-int blk_crypto_evict_key(struct block_device *bdev,
+- const struct blk_crypto_key *key);
++void blk_crypto_evict_key(struct block_device *bdev,
++ const struct blk_crypto_key *key);
+
+ bool blk_crypto_config_supported_natively(struct block_device *bdev,
+ const struct blk_crypto_config *cfg);
--- /dev/null
+From 9cd1e566676bbcb8a126acd921e4e194e6339603 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Wed, 15 Mar 2023 11:39:02 -0700
+Subject: blk-mq: release crypto keyslot before reporting I/O complete
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 9cd1e566676bbcb8a126acd921e4e194e6339603 upstream.
+
+Once all I/O using a blk_crypto_key has completed, filesystems can call
+blk_crypto_evict_key(). However, the block layer currently doesn't call
+blk_crypto_put_keyslot() until the request is being freed, which happens
+after upper layers have been told (via bio_endio()) the I/O has
+completed. This causes a race condition where blk_crypto_evict_key()
+can see 'slot_refs != 0' without there being an actual bug.
+
+This makes __blk_crypto_evict_key() hit the
+'WARN_ON_ONCE(atomic_read(&slot->slot_refs) != 0)' and return without
+doing anything, eventually causing a use-after-free in
+blk_crypto_reprogram_all_keys(). (This is a very rare bug and has only
+been seen when per-file keys are being used with fscrypt.)
+
+There are two options to fix this: either release the keyslot before
+bio_endio() is called on the request's last bio, or make
+__blk_crypto_evict_key() ignore slot_refs. Let's go with the first
+solution, since it preserves the ability to report bugs (via
+WARN_ON_ONCE) where a key is evicted while still in-use.
+
+Fixes: a892c8d52c02 ("block: Inline encryption support for blk-mq")
+Cc: stable@vger.kernel.org
+Reviewed-by: Nathan Huckleberry <nhuck@google.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Link: https://lore.kernel.org/r/20230315183907.53675-2-ebiggers@kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-crypto-internal.h | 25 +++++++++++++++++++++----
+ block/blk-crypto.c | 24 ++++++++++++------------
+ block/blk-merge.c | 2 ++
+ block/blk-mq.c | 15 ++++++++++++++-
+ 4 files changed, 49 insertions(+), 17 deletions(-)
+
+--- a/block/blk-crypto-internal.h
++++ b/block/blk-crypto-internal.h
+@@ -65,6 +65,11 @@ static inline bool blk_crypto_rq_is_encr
+ return rq->crypt_ctx;
+ }
+
++static inline bool blk_crypto_rq_has_keyslot(struct request *rq)
++{
++ return rq->crypt_keyslot;
++}
++
+ blk_status_t blk_crypto_get_keyslot(struct blk_crypto_profile *profile,
+ const struct blk_crypto_key *key,
+ struct blk_crypto_keyslot **slot_ptr);
+@@ -119,6 +124,11 @@ static inline bool blk_crypto_rq_is_encr
+ return false;
+ }
+
++static inline bool blk_crypto_rq_has_keyslot(struct request *rq)
++{
++ return false;
++}
++
+ #endif /* CONFIG_BLK_INLINE_ENCRYPTION */
+
+ void __bio_crypt_advance(struct bio *bio, unsigned int bytes);
+@@ -153,14 +163,21 @@ static inline bool blk_crypto_bio_prep(s
+ return true;
+ }
+
+-blk_status_t __blk_crypto_init_request(struct request *rq);
+-static inline blk_status_t blk_crypto_init_request(struct request *rq)
++blk_status_t __blk_crypto_rq_get_keyslot(struct request *rq);
++static inline blk_status_t blk_crypto_rq_get_keyslot(struct request *rq)
+ {
+ if (blk_crypto_rq_is_encrypted(rq))
+- return __blk_crypto_init_request(rq);
++ return __blk_crypto_rq_get_keyslot(rq);
+ return BLK_STS_OK;
+ }
+
++void __blk_crypto_rq_put_keyslot(struct request *rq);
++static inline void blk_crypto_rq_put_keyslot(struct request *rq)
++{
++ if (blk_crypto_rq_has_keyslot(rq))
++ __blk_crypto_rq_put_keyslot(rq);
++}
++
+ void __blk_crypto_free_request(struct request *rq);
+ static inline void blk_crypto_free_request(struct request *rq)
+ {
+@@ -199,7 +216,7 @@ static inline blk_status_t blk_crypto_in
+ {
+
+ if (blk_crypto_rq_is_encrypted(rq))
+- return blk_crypto_init_request(rq);
++ return blk_crypto_rq_get_keyslot(rq);
+ return BLK_STS_OK;
+ }
+
+--- a/block/blk-crypto.c
++++ b/block/blk-crypto.c
+@@ -224,27 +224,27 @@ static bool bio_crypt_check_alignment(st
+ return true;
+ }
+
+-blk_status_t __blk_crypto_init_request(struct request *rq)
++blk_status_t __blk_crypto_rq_get_keyslot(struct request *rq)
+ {
+ return blk_crypto_get_keyslot(rq->q->crypto_profile,
+ rq->crypt_ctx->bc_key,
+ &rq->crypt_keyslot);
+ }
+
+-/**
+- * __blk_crypto_free_request - Uninitialize the crypto fields of a request.
+- *
+- * @rq: The request whose crypto fields to uninitialize.
+- *
+- * Completely uninitializes the crypto fields of a request. If a keyslot has
+- * been programmed into some inline encryption hardware, that keyslot is
+- * released. The rq->crypt_ctx is also freed.
+- */
+-void __blk_crypto_free_request(struct request *rq)
++void __blk_crypto_rq_put_keyslot(struct request *rq)
+ {
+ blk_crypto_put_keyslot(rq->crypt_keyslot);
++ rq->crypt_keyslot = NULL;
++}
++
++void __blk_crypto_free_request(struct request *rq)
++{
++ /* The keyslot, if one was needed, should have been released earlier. */
++ if (WARN_ON_ONCE(rq->crypt_keyslot))
++ __blk_crypto_rq_put_keyslot(rq);
++
+ mempool_free(rq->crypt_ctx, bio_crypt_ctx_pool);
+- blk_crypto_rq_set_defaults(rq);
++ rq->crypt_ctx = NULL;
+ }
+
+ /**
+--- a/block/blk-merge.c
++++ b/block/blk-merge.c
+@@ -867,6 +867,8 @@ static struct request *attempt_merge(str
+ if (!blk_discard_mergable(req))
+ elv_merge_requests(q, req, next);
+
++ blk_crypto_rq_put_keyslot(next);
++
+ /*
+ * 'next' is going away, so update stats accordingly
+ */
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -840,6 +840,12 @@ static void blk_complete_request(struct
+ req->q->integrity.profile->complete_fn(req, total_bytes);
+ #endif
+
++ /*
++ * Upper layers may call blk_crypto_evict_key() anytime after the last
++ * bio_endio(). Therefore, the keyslot must be released before that.
++ */
++ blk_crypto_rq_put_keyslot(req);
++
+ blk_account_io_completion(req, total_bytes);
+
+ do {
+@@ -905,6 +911,13 @@ bool blk_update_request(struct request *
+ req->q->integrity.profile->complete_fn(req, nr_bytes);
+ #endif
+
++ /*
++ * Upper layers may call blk_crypto_evict_key() anytime after the last
++ * bio_endio(). Therefore, the keyslot must be released before that.
++ */
++ if (blk_crypto_rq_has_keyslot(req) && nr_bytes >= blk_rq_bytes(req))
++ __blk_crypto_rq_put_keyslot(req);
++
+ if (unlikely(error && !blk_rq_is_passthrough(req) &&
+ !(req->rq_flags & RQF_QUIET)) &&
+ !test_bit(GD_DEAD, &req->q->disk->state)) {
+@@ -2965,7 +2978,7 @@ void blk_mq_submit_bio(struct bio *bio)
+
+ blk_mq_bio_to_request(rq, bio, nr_segs);
+
+- ret = blk_crypto_init_request(rq);
++ ret = blk_crypto_rq_get_keyslot(rq);
+ if (ret != BLK_STS_OK) {
+ bio->bi_status = ret;
+ bio_endio(bio);
--- /dev/null
+From 20de765f6d9da0c47b756429c60b41063b990a10 Mon Sep 17 00:00:00 2001
+From: Chengming Zhou <zhouchengming@bytedance.com>
+Date: Thu, 13 Apr 2023 14:28:04 +0800
+Subject: blk-stat: fix QUEUE_FLAG_STATS clear
+
+From: Chengming Zhou <zhouchengming@bytedance.com>
+
+commit 20de765f6d9da0c47b756429c60b41063b990a10 upstream.
+
+We need to set QUEUE_FLAG_STATS for two cases:
+1. blk_stat_enable_accounting()
+2. blk_stat_add_callback()
+
+So we should clear it only when ((q->stats->accounting == 0) &&
+list_empty(&q->stats->callbacks)).
+
+blk_stat_disable_accounting() only check if q->stats->accounting
+is 0 before clear the flag, this patch fix it.
+
+Also add list_empty(&q->stats->callbacks)) check when enable, or
+the flag is already set.
+
+The bug can be reproduced on kernel without BLK_DEV_THROTTLING
+(since it unconditionally enable accounting, see the next patch).
+
+ # cat /sys/block/sr0/queue/scheduler
+ none mq-deadline [bfq]
+
+ # cat /sys/kernel/debug/block/sr0/state
+ SAME_COMP|IO_STAT|INIT_DONE|STATS|REGISTERED|NOWAIT|30
+
+ # echo none > /sys/block/sr0/queue/scheduler
+
+ # cat /sys/kernel/debug/block/sr0/state
+ SAME_COMP|IO_STAT|INIT_DONE|REGISTERED|NOWAIT
+
+ # cat /sys/block/sr0/queue/wbt_lat_usec
+ 75000
+
+We can see that after changing elevator from "bfq" to "none",
+"STATS" flag is lost even though WBT callback still need it.
+
+Fixes: 68497092bde9 ("block: make queue stat accounting a reference")
+Cc: <stable@vger.kernel.org> # v5.17+
+Signed-off-by: Chengming Zhou <zhouchengming@bytedance.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Link: https://lore.kernel.org/r/20230413062805.2081970-1-chengming.zhou@linux.dev
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-stat.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/block/blk-stat.c
++++ b/block/blk-stat.c
+@@ -190,7 +190,7 @@ void blk_stat_disable_accounting(struct
+ unsigned long flags;
+
+ spin_lock_irqsave(&q->stats->lock, flags);
+- if (!--q->stats->accounting)
++ if (!--q->stats->accounting && list_empty(&q->stats->callbacks))
+ blk_queue_flag_clear(QUEUE_FLAG_STATS, q);
+ spin_unlock_irqrestore(&q->stats->lock, flags);
+ }
+@@ -201,7 +201,7 @@ void blk_stat_enable_accounting(struct r
+ unsigned long flags;
+
+ spin_lock_irqsave(&q->stats->lock, flags);
+- if (!q->stats->accounting++)
++ if (!q->stats->accounting++ && list_empty(&q->stats->callbacks))
+ blk_queue_flag_set(QUEUE_FLAG_STATS, q);
+ spin_unlock_irqrestore(&q->stats->lock, flags);
+ }
--- /dev/null
+From 14853a0676c126aad836eb249499552fa9d6e85a Mon Sep 17 00:00:00 2001
+From: Slark Xiao <slark_xiao@163.com>
+Date: Fri, 10 Mar 2023 18:17:15 +0800
+Subject: bus: mhi: host: pci_generic: Revert "Add a secondary AT port to Telit FN990"
+
+From: Slark Xiao <slark_xiao@163.com>
+
+commit 14853a0676c126aad836eb249499552fa9d6e85a upstream.
+
+This reverts commit 2d5253a096c6057bbf7caa5520856dcdf7eca8bb.
+There are 2 commits with commit message "Add a secondary AT port to Telit
+FN990":
+
+commit 2d5253a096c6 ("bus: mhi: host: pci_generic: Add a secondary AT port
+to Telit FN990")
+commit 479aa3b0ec2e ("bus: mhi: host: pci_generic: Add a secondary AT port
+to Telit FN990")
+
+This turned out to be due to the patch getting applied through different
+trees and git settled on a resolution while applying it second time. But
+the second AT port of Foxconn devices don't work in PCIe mode. So the
+second commit needs to be reverted.
+
+Cc: stable@vger.kernel.org # 6.2
+Fixes: 2d5253a096c6 ("bus: mhi: host: pci_generic: Add a secondary AT port to Telit FN990")
+Signed-off-by: Slark Xiao <slark_xiao@163.com>
+Reviewed-by: Fabio Porcedda <fabio.porcedda@gmail.com>
+Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
+Link: https://lore.kernel.org/r/20230310101715.69209-1-slark_xiao@163.com
+[mani: massaged the commit message a bit, added fixes tag and CCed stable]
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/mhi/host/pci_generic.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/bus/mhi/host/pci_generic.c
++++ b/drivers/bus/mhi/host/pci_generic.c
+@@ -344,8 +344,6 @@ static const struct mhi_channel_config m
+ MHI_CHANNEL_CONFIG_DL(13, "MBIM", 32, 0),
+ MHI_CHANNEL_CONFIG_UL(32, "DUN", 32, 0),
+ MHI_CHANNEL_CONFIG_DL(33, "DUN", 32, 0),
+- MHI_CHANNEL_CONFIG_UL(92, "DUN2", 32, 1),
+- MHI_CHANNEL_CONFIG_DL(93, "DUN2", 32, 1),
+ MHI_CHANNEL_CONFIG_HW_UL(100, "IP_HW0_MBIM", 128, 2),
+ MHI_CHANNEL_CONFIG_HW_DL(101, "IP_HW0_MBIM", 128, 3),
+ };
--- /dev/null
+From a37a512db3fa1b65fe9087003e5b2072cefb3667 Mon Sep 17 00:00:00 2001
+From: Martin Krastev <krastevm@vmware.com>
+Date: Mon, 20 Mar 2023 22:09:49 -0400
+Subject: drm/vmwgfx: Fix Legacy Display Unit atomic drm support
+
+From: Martin Krastev <krastevm@vmware.com>
+
+commit a37a512db3fa1b65fe9087003e5b2072cefb3667 upstream.
+
+Legacy Display Unit (LDU) fb dirty support used a custom fb dirty callback. Latter
+handled only the DIRTYFB IOCTL presentation path but not the ADDFB2/PAGE_FLIP/RMFB
+IOCTL path, common for Wayland compositors.
+
+Get rid of the custom callback in favor of drm_atomic_helper_dirtyfb and unify the
+handling of the presentation paths inside of vmw_ldu_primary_plane_atomic_update.
+This also homogenizes the fb dirty callbacks across all DUs: LDU, SOU and STDU.
+
+Signed-off-by: Martin Krastev <krastevm@vmware.com>
+Reviewed-by: Maaz Mombasawala <mombasawalam@vmware.com>
+Fixes: 2f5544ff0300 ("drm/vmwgfx: Use atomic helper function for dirty fb IOCTL")
+Cc: <stable@vger.kernel.org> # v5.0+
+Signed-off-by: Zack Rusin <zackr@vmware.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230321020949.335012-3-zack@kde.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 62 ------------------------------------
+ drivers/gpu/drm/vmwgfx/vmwgfx_kms.h | 5 --
+ drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c | 45 +++++++++++++++++++++-----
+ 3 files changed, 38 insertions(+), 74 deletions(-)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+@@ -1420,70 +1420,10 @@ static void vmw_framebuffer_bo_destroy(s
+ kfree(vfbd);
+ }
+
+-static int vmw_framebuffer_bo_dirty(struct drm_framebuffer *framebuffer,
+- struct drm_file *file_priv,
+- unsigned int flags, unsigned int color,
+- struct drm_clip_rect *clips,
+- unsigned int num_clips)
+-{
+- struct vmw_private *dev_priv = vmw_priv(framebuffer->dev);
+- struct vmw_framebuffer_bo *vfbd =
+- vmw_framebuffer_to_vfbd(framebuffer);
+- struct drm_clip_rect norect;
+- int ret, increment = 1;
+-
+- drm_modeset_lock_all(&dev_priv->drm);
+-
+- if (!num_clips) {
+- num_clips = 1;
+- clips = &norect;
+- norect.x1 = norect.y1 = 0;
+- norect.x2 = framebuffer->width;
+- norect.y2 = framebuffer->height;
+- } else if (flags & DRM_MODE_FB_DIRTY_ANNOTATE_COPY) {
+- num_clips /= 2;
+- increment = 2;
+- }
+-
+- switch (dev_priv->active_display_unit) {
+- case vmw_du_legacy:
+- ret = vmw_kms_ldu_do_bo_dirty(dev_priv, &vfbd->base, 0, 0,
+- clips, num_clips, increment);
+- break;
+- default:
+- ret = -EINVAL;
+- WARN_ONCE(true, "Dirty called with invalid display system.\n");
+- break;
+- }
+-
+- vmw_cmd_flush(dev_priv, false);
+-
+- drm_modeset_unlock_all(&dev_priv->drm);
+-
+- return ret;
+-}
+-
+-static int vmw_framebuffer_bo_dirty_ext(struct drm_framebuffer *framebuffer,
+- struct drm_file *file_priv,
+- unsigned int flags, unsigned int color,
+- struct drm_clip_rect *clips,
+- unsigned int num_clips)
+-{
+- struct vmw_private *dev_priv = vmw_priv(framebuffer->dev);
+-
+- if (dev_priv->active_display_unit == vmw_du_legacy &&
+- vmw_cmd_supported(dev_priv))
+- return vmw_framebuffer_bo_dirty(framebuffer, file_priv, flags,
+- color, clips, num_clips);
+-
+- return drm_atomic_helper_dirtyfb(framebuffer, file_priv, flags, color,
+- clips, num_clips);
+-}
+-
+ static const struct drm_framebuffer_funcs vmw_framebuffer_bo_funcs = {
+ .create_handle = vmw_framebuffer_bo_create_handle,
+ .destroy = vmw_framebuffer_bo_destroy,
+- .dirty = vmw_framebuffer_bo_dirty_ext,
++ .dirty = drm_atomic_helper_dirtyfb,
+ };
+
+ /*
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.h
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.h
+@@ -512,11 +512,6 @@ void vmw_du_connector_destroy_state(stru
+ */
+ int vmw_kms_ldu_init_display(struct vmw_private *dev_priv);
+ int vmw_kms_ldu_close_display(struct vmw_private *dev_priv);
+-int vmw_kms_ldu_do_bo_dirty(struct vmw_private *dev_priv,
+- struct vmw_framebuffer *framebuffer,
+- unsigned int flags, unsigned int color,
+- struct drm_clip_rect *clips,
+- unsigned int num_clips, int increment);
+ int vmw_kms_update_proxy(struct vmw_resource *res,
+ const struct drm_clip_rect *clips,
+ unsigned num_clips,
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c
+@@ -234,6 +234,7 @@ static const struct drm_crtc_funcs vmw_l
+ .atomic_duplicate_state = vmw_du_crtc_duplicate_state,
+ .atomic_destroy_state = vmw_du_crtc_destroy_state,
+ .set_config = drm_atomic_helper_set_config,
++ .page_flip = drm_atomic_helper_page_flip,
+ };
+
+
+@@ -273,6 +274,12 @@ static const struct
+ drm_connector_helper_funcs vmw_ldu_connector_helper_funcs = {
+ };
+
++static int vmw_kms_ldu_do_bo_dirty(struct vmw_private *dev_priv,
++ struct vmw_framebuffer *framebuffer,
++ unsigned int flags, unsigned int color,
++ struct drm_mode_rect *clips,
++ unsigned int num_clips);
++
+ /*
+ * Legacy Display Plane Functions
+ */
+@@ -291,7 +298,6 @@ vmw_ldu_primary_plane_atomic_update(stru
+ struct drm_framebuffer *fb;
+ struct drm_crtc *crtc = new_state->crtc ?: old_state->crtc;
+
+-
+ ldu = vmw_crtc_to_ldu(crtc);
+ dev_priv = vmw_priv(plane->dev);
+ fb = new_state->fb;
+@@ -304,8 +310,31 @@ vmw_ldu_primary_plane_atomic_update(stru
+ vmw_ldu_del_active(dev_priv, ldu);
+
+ vmw_ldu_commit_list(dev_priv);
+-}
+
++ if (vfb && vmw_cmd_supported(dev_priv)) {
++ struct drm_mode_rect fb_rect = {
++ .x1 = 0,
++ .y1 = 0,
++ .x2 = vfb->base.width,
++ .y2 = vfb->base.height
++ };
++ struct drm_mode_rect *damage_rects = drm_plane_get_damage_clips(new_state);
++ u32 rect_count = drm_plane_get_damage_clips_count(new_state);
++ int ret;
++
++ if (!damage_rects) {
++ damage_rects = &fb_rect;
++ rect_count = 1;
++ }
++
++ ret = vmw_kms_ldu_do_bo_dirty(dev_priv, vfb, 0, 0, damage_rects, rect_count);
++
++ drm_WARN_ONCE(plane->dev, ret,
++ "vmw_kms_ldu_do_bo_dirty failed with: ret=%d\n", ret);
++
++ vmw_cmd_flush(dev_priv, false);
++ }
++}
+
+ static const struct drm_plane_funcs vmw_ldu_plane_funcs = {
+ .update_plane = drm_atomic_helper_update_plane,
+@@ -536,11 +565,11 @@ int vmw_kms_ldu_close_display(struct vmw
+ }
+
+
+-int vmw_kms_ldu_do_bo_dirty(struct vmw_private *dev_priv,
+- struct vmw_framebuffer *framebuffer,
+- unsigned int flags, unsigned int color,
+- struct drm_clip_rect *clips,
+- unsigned int num_clips, int increment)
++static int vmw_kms_ldu_do_bo_dirty(struct vmw_private *dev_priv,
++ struct vmw_framebuffer *framebuffer,
++ unsigned int flags, unsigned int color,
++ struct drm_mode_rect *clips,
++ unsigned int num_clips)
+ {
+ size_t fifo_size;
+ int i;
+@@ -556,7 +585,7 @@ int vmw_kms_ldu_do_bo_dirty(struct vmw_p
+ return -ENOMEM;
+
+ memset(cmd, 0, fifo_size);
+- for (i = 0; i < num_clips; i++, clips += increment) {
++ for (i = 0; i < num_clips; i++, clips++) {
+ cmd[i].header = SVGA_CMD_UPDATE;
+ cmd[i].body.x = clips->x1;
+ cmd[i].body.y = clips->y1;
--- /dev/null
+From e3184de9d46c2eebdb776face2e2662c6733331d Mon Sep 17 00:00:00 2001
+From: Kefeng Wang <wangkefeng.wang@huawei.com>
+Date: Fri, 31 Mar 2023 16:45:02 +0800
+Subject: fs: fix sysctls.c built
+
+From: Kefeng Wang <wangkefeng.wang@huawei.com>
+
+commit e3184de9d46c2eebdb776face2e2662c6733331d upstream.
+
+'obj-$(CONFIG_SYSCTL) += sysctls.o' must be moved after "obj-y :=",
+or it won't be built as it is overwrited.
+
+Note that there is nothing that is going to break by linking
+sysctl.o later, we were just being way to cautious and patches
+have been updated to reflect these considerations and sent for
+stable as well with the whole "base" stuff needing to be linked
+prior to child sysctl tables that use that directory. All of
+the kernel sysctl APIs always share the same directory, and races
+against using it should end up re-using the same single created
+directory.
+
+And so something we can do eventually is do away with all the base stuff.
+For now it's fine, it's not creating an issue. It is just a bit pedantic
+and careful.
+
+Fixes: ab171b952c6e ("fs: move namespace sysctls and declare fs base directory")
+Cc: stable@vger.kernel.org # v5.17
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
+Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+[mcgrof: enhanced commit log for stable criteria and clarify base stuff ]
+Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/Makefile | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/Makefile
++++ b/fs/Makefile
+@@ -6,7 +6,6 @@
+ # Rewritten to use lists instead of if-statements.
+ #
+
+-obj-$(CONFIG_SYSCTL) += sysctls.o
+
+ obj-y := open.o read_write.o file_table.o super.o \
+ char_dev.o stat.o exec.o pipe.o namei.o fcntl.o \
+@@ -50,7 +49,7 @@ obj-$(CONFIG_FS_MBCACHE) += mbcache.o
+ obj-$(CONFIG_FS_POSIX_ACL) += posix_acl.o
+ obj-$(CONFIG_NFS_COMMON) += nfs_common/
+ obj-$(CONFIG_COREDUMP) += coredump.o
+-obj-$(CONFIG_SYSCTL) += drop_caches.o
++obj-$(CONFIG_SYSCTL) += drop_caches.o sysctls.o
+
+ obj-$(CONFIG_FHANDLE) += fhandle.o
+ obj-y += iomap/
--- /dev/null
+From 2a8e41ad337508fc5d598c0f9288890214f8e318 Mon Sep 17 00:00:00 2001
+From: Chris Packham <chris.packham@alliedtelesis.co.nz>
+Date: Wed, 19 Apr 2023 11:36:55 +1200
+Subject: hwmon: (adt7475) Use device_property APIs when configuring polarity
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chris Packham <chris.packham@alliedtelesis.co.nz>
+
+commit 2a8e41ad337508fc5d598c0f9288890214f8e318 upstream.
+
+On DT unaware platforms of_property_read_u32_array() returns -ENOSYS
+which wasn't handled by the code treating adi,pwm-active-state as
+optional. Update the code to use device_property_read_u32_array() which
+deals gracefully with DT unaware platforms.
+
+Fixes: 86da28eed4fb ("hwmon: (adt7475) Add support for inverting pwm output")
+Reported-by: Mariusz Białończyk <manio@skyboo.net>
+Link: https://lore.kernel.org/linux-hwmon/52e26a67-9131-2dc0-40cb-db5c07370027@alliedtelesis.co.nz/T/#mdd0505801e0a4e72340de009a47c0fca4f771ed3
+Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
+Link: https://lore.kernel.org/r/20230418233656.869055-2-chris.packham@alliedtelesis.co.nz
+Cc: stable@vger.kernel.org
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/adt7475.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/hwmon/adt7475.c
++++ b/drivers/hwmon/adt7475.c
+@@ -1604,9 +1604,9 @@ static int adt7475_set_pwm_polarity(stru
+ int ret, i;
+ u8 val;
+
+- ret = of_property_read_u32_array(client->dev.of_node,
+- "adi,pwm-active-state", states,
+- ARRAY_SIZE(states));
++ ret = device_property_read_u32_array(&client->dev,
++ "adi,pwm-active-state", states,
++ ARRAY_SIZE(states));
+ if (ret)
+ return ret;
+
--- /dev/null
+From 0c072385348e3ac5229145644055d3e2afb5b3db Mon Sep 17 00:00:00 2001
+From: Babu Moger <Babu.Moger@amd.com>
+Date: Thu, 13 Apr 2023 16:39:58 -0500
+Subject: hwmon: (k10temp) Check range scale when CUR_TEMP register is read-write
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Babu Moger <Babu.Moger@amd.com>
+
+commit 0c072385348e3ac5229145644055d3e2afb5b3db upstream.
+
+Spec says, when CUR_TEMP_TJ_SEL == 3 and CUR_TEMP_RANGE_SEL == 0,
+it should use RangeUnadjusted is 0, which is (CurTmp*0.125 -49) C. The
+CUR_TEMP register is read-write when CUR_TEMP_TJ_SEL == 3 (bit 17-16).
+
+Add the check to detect it.
+
+Sensors command's output before the patch.
+$sensors
+ k10temp-pci-00c3
+ Adapter: PCI adapter
+ Tctl: +76.6°C <- Wrong value
+ Tccd1: +26.5°C
+ Tccd2: +27.5°C
+ Tccd3: +27.2°C
+ Tccd4: +27.5°C
+ Tccd5: +26.0°C
+ Tccd6: +26.2°C
+ Tccd7: +25.0°C
+ Tccd8: +26.5°C
+
+Sensors command's output after the patch.
+$sensors
+ k10temp-pci-00c3
+ Adapter: PCI adapter
+ Tctl: +28.8°C <- corrected value
+ Tccd1: +27.5°C
+ Tccd2: +28.5°C
+ Tccd3: +28.5°C
+ Tccd4: +28.5°C
+ Tccd5: +27.0°C
+ Tccd6: +27.5°C
+ Tccd7: +27.0°C
+ Tccd8: +27.5°C
+
+Signed-off-by: Babu Moger <babu.moger@amd.com>
+Fixes: 1b59788979ac ("hwmon: (k10temp) Add temperature offset for Ryzen 2700X")
+Link: https://lore.kernel.org/r/20230413213958.847634-1-babu.moger@amd.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/k10temp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/hwmon/k10temp.c
++++ b/drivers/hwmon/k10temp.c
+@@ -75,6 +75,7 @@ static DEFINE_MUTEX(nb_smu_ind_mutex);
+
+ #define ZEN_CUR_TEMP_SHIFT 21
+ #define ZEN_CUR_TEMP_RANGE_SEL_MASK BIT(19)
++#define ZEN_CUR_TEMP_TJ_SEL_MASK GENMASK(17, 16)
+
+ struct k10temp_data {
+ struct pci_dev *pdev;
+@@ -155,7 +156,8 @@ static long get_raw_temp(struct k10temp_
+
+ data->read_tempreg(data->pdev, ®val);
+ temp = (regval >> ZEN_CUR_TEMP_SHIFT) * 125;
+- if (regval & data->temp_adjust_mask)
++ if ((regval & data->temp_adjust_mask) ||
++ (regval & ZEN_CUR_TEMP_TJ_SEL_MASK) == ZEN_CUR_TEMP_TJ_SEL_MASK)
+ temp -= 49000;
+ return temp;
+ }
--- /dev/null
+From 9740827468cea80c42db29e7171a50e99acf7328 Mon Sep 17 00:00:00 2001
+From: William Breathitt Gray <william.gray@linaro.org>
+Date: Thu, 6 Apr 2023 10:40:10 -0400
+Subject: iio: addac: stx104: Fix race condition for stx104_write_raw()
+
+From: William Breathitt Gray <william.gray@linaro.org>
+
+commit 9740827468cea80c42db29e7171a50e99acf7328 upstream.
+
+The priv->chan_out_states array and actual DAC value can become
+mismatched if stx104_write_raw() is called concurrently. Prevent such a
+race condition by utilizing a mutex.
+
+Fixes: 97a445dad37a ("iio: Add IIO support for the DAC on the Apex Embedded Systems STX104")
+Signed-off-by: William Breathitt Gray <william.gray@linaro.org>
+Link: https://lore.kernel.org/r/c95c9a77fcef36b2a052282146950f23bbc1ebdc.1680790580.git.william.gray@linaro.org
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/addac/stx104.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/iio/addac/stx104.c
++++ b/drivers/iio/addac/stx104.c
+@@ -15,6 +15,7 @@
+ #include <linux/kernel.h>
+ #include <linux/module.h>
+ #include <linux/moduleparam.h>
++#include <linux/mutex.h>
+ #include <linux/spinlock.h>
+ #include <linux/types.h>
+
+@@ -69,10 +70,12 @@ struct stx104_reg {
+
+ /**
+ * struct stx104_iio - IIO device private data structure
++ * @lock: synchronization lock to prevent I/O race conditions
+ * @chan_out_states: channels' output states
+ * @reg: I/O address offset for the device registers
+ */
+ struct stx104_iio {
++ struct mutex lock;
+ unsigned int chan_out_states[STX104_NUM_OUT_CHAN];
+ struct stx104_reg __iomem *reg;
+ };
+@@ -182,9 +185,12 @@ static int stx104_write_raw(struct iio_d
+ if ((unsigned int)val > 65535)
+ return -EINVAL;
+
++ mutex_lock(&priv->lock);
++
+ priv->chan_out_states[chan->channel] = val;
+ iowrite16(val, &priv->reg->dac[chan->channel]);
+
++ mutex_unlock(&priv->lock);
+ return 0;
+ }
+ return -EINVAL;
+@@ -355,6 +361,8 @@ static int stx104_probe(struct device *d
+
+ indio_dev->name = dev_name(dev);
+
++ mutex_init(&priv->lock);
++
+ /* configure device for software trigger operation */
+ iowrite8(0, &priv->reg->acr);
+
--- /dev/null
+From 4f9b80aefb9e2f542a49d9ec087cf5919730e1dd Mon Sep 17 00:00:00 2001
+From: William Breathitt Gray <william.gray@linaro.org>
+Date: Thu, 6 Apr 2023 10:40:11 -0400
+Subject: iio: addac: stx104: Fix race condition when converting analog-to-digital
+
+From: William Breathitt Gray <william.gray@linaro.org>
+
+commit 4f9b80aefb9e2f542a49d9ec087cf5919730e1dd upstream.
+
+The ADC conversion procedure requires several device I/O operations
+performed in a particular sequence. If stx104_read_raw() is called
+concurrently, the ADC conversion procedure could be clobbered. Prevent
+such a race condition by utilizing a mutex.
+
+Fixes: 4075a283ae83 ("iio: stx104: Add IIO support for the ADC channels")
+Signed-off-by: William Breathitt Gray <william.gray@linaro.org>
+Link: https://lore.kernel.org/r/2ae5e40eed5006ca735e4c12181a9ff5ced65547.1680790580.git.william.gray@linaro.org
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/addac/stx104.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/iio/addac/stx104.c
++++ b/drivers/iio/addac/stx104.c
+@@ -114,6 +114,8 @@ static int stx104_read_raw(struct iio_de
+ return IIO_VAL_INT;
+ }
+
++ mutex_lock(&priv->lock);
++
+ /* select ADC channel */
+ iowrite8(chan->channel | (chan->channel << 4), ®->achan);
+
+@@ -124,6 +126,8 @@ static int stx104_read_raw(struct iio_de
+ while (ioread8(®->cir_asr) & BIT(7));
+
+ *val = ioread16(®->ssr_ad);
++
++ mutex_unlock(&priv->lock);
+ return IIO_VAL_INT;
+ case IIO_CHAN_INFO_OFFSET:
+ /* get ADC bipolar/unipolar configuration */
--- /dev/null
+From 644f17412f5acf01a19af9d04a921937a2bc86c6 Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Thu, 23 Feb 2023 19:27:03 -0800
+Subject: IMA: allow/fix UML builds
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit 644f17412f5acf01a19af9d04a921937a2bc86c6 upstream.
+
+UML supports HAS_IOMEM since 0bbadafdc49d (um: allow disabling
+NO_IOMEM).
+
+Current IMA build on UML fails on allmodconfig (with TCG_TPM=m):
+
+ld: security/integrity/ima/ima_queue.o: in function `ima_add_template_entry':
+ima_queue.c:(.text+0x2d9): undefined reference to `tpm_pcr_extend'
+ld: security/integrity/ima/ima_init.o: in function `ima_init':
+ima_init.c:(.init.text+0x43f): undefined reference to `tpm_default_chip'
+ld: security/integrity/ima/ima_crypto.o: in function `ima_calc_boot_aggregate_tfm':
+ima_crypto.c:(.text+0x1044): undefined reference to `tpm_pcr_read'
+ld: ima_crypto.c:(.text+0x10d8): undefined reference to `tpm_pcr_read'
+
+Modify the IMA Kconfig entry so that it selects TCG_TPM if HAS_IOMEM
+is set, regardless of the UML Kconfig setting.
+This updates TCG_TPM from =m to =y and fixes the linker errors.
+
+Fixes: f4a0391dfa91 ("ima: fix Kconfig dependencies")
+Cc: Stable <stable@vger.kernel.org> # v5.14+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Fabio Estevam <festevam@gmail.com>
+Cc: Richard Weinberger <richard@nod.at>
+Cc: Anton Ivanov <anton.ivanov@cambridgegreys.com>
+Cc: Johannes Berg <johannes@sipsolutions.net>
+Cc: linux-um@lists.infradead.org
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/integrity/ima/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/integrity/ima/Kconfig
++++ b/security/integrity/ima/Kconfig
+@@ -8,7 +8,7 @@ config IMA
+ select CRYPTO_HMAC
+ select CRYPTO_SHA1
+ select CRYPTO_HASH_INFO
+- select TCG_TPM if HAS_IOMEM && !UML
++ select TCG_TPM if HAS_IOMEM
+ select TCG_TIS if TCG_TPM && X86
+ select TCG_CRB if TCG_TPM && ACPI
+ select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
--- /dev/null
+From 6d2555cde2918409b0331560e66f84a0ad4849c6 Mon Sep 17 00:00:00 2001
+From: Zhang Yuchen <zhangyuchen.lcr@bytedance.com>
+Date: Wed, 12 Apr 2023 15:49:07 +0800
+Subject: ipmi: fix SSIF not responding under certain cond.
+
+From: Zhang Yuchen <zhangyuchen.lcr@bytedance.com>
+
+commit 6d2555cde2918409b0331560e66f84a0ad4849c6 upstream.
+
+The ipmi communication is not restored after a specific version of BMC is
+upgraded on our server.
+The ipmi driver does not respond after printing the following log:
+
+ ipmi_ssif: Invalid response getting flags: 1c 1
+
+I found that after entering this branch, ssif_info->ssif_state always
+holds SSIF_GETTING_FLAGS and never return to IDLE.
+
+As a result, the driver cannot be loaded, because the driver status is
+checked during the unload process and must be IDLE in shutdown_ssif():
+
+ while (ssif_info->ssif_state != SSIF_IDLE)
+ schedule_timeout(1);
+
+The process trigger this problem is:
+
+1. One msg timeout and next msg start send, and call
+ssif_set_need_watch().
+
+2. ssif_set_need_watch()->watch_timeout()->start_flag_fetch() change
+ssif_state to SSIF_GETTING_FLAGS.
+
+3. In msg_done_handler() ssif_state == SSIF_GETTING_FLAGS, if an error
+message is received, the second branch does not modify the ssif_state.
+
+4. All retry action need IS_SSIF_IDLE() == True. Include retry action in
+watch_timeout(), msg_done_handler(). Sending msg does not work either.
+SSIF_IDLE is also checked in start_next_msg().
+
+5. The only thing that can be triggered in the SSIF driver is
+watch_timeout(), after destory_user(), this timer will stop too.
+
+So, if enter this branch, the ssif_state will remain SSIF_GETTING_FLAGS
+and can't send msg, no timer started, can't unload.
+
+We did a comparative test before and after adding this patch, and the
+result is effective.
+
+Fixes: 259307074bfc ("ipmi: Add SMBus interface driver (SSIF)")
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Zhang Yuchen <zhangyuchen.lcr@bytedance.com>
+Message-Id: <20230412074907.80046-1-zhangyuchen.lcr@bytedance.com>
+Signed-off-by: Corey Minyard <minyard@acm.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/ipmi/ipmi_ssif.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/ipmi/ipmi_ssif.c
++++ b/drivers/char/ipmi/ipmi_ssif.c
+@@ -786,9 +786,9 @@ static void msg_done_handler(struct ssif
+ } else if (data[0] != (IPMI_NETFN_APP_REQUEST | 1) << 2
+ || data[1] != IPMI_GET_MSG_FLAGS_CMD) {
+ /*
+- * Don't abort here, maybe it was a queued
+- * response to a previous command.
++ * Recv error response, give up.
+ */
++ ssif_info->ssif_state = SSIF_IDLE;
+ ipmi_ssif_unlock_cond(ssif_info, flags);
+ dev_warn(&ssif_info->client->dev,
+ "Invalid response getting flags: %x %x\n",
--- /dev/null
+From 6ce7995a43febe693d4894033c6e29314970646a Mon Sep 17 00:00:00 2001
+From: Corey Minyard <minyard@acm.org>
+Date: Tue, 4 Apr 2023 12:09:14 +0000
+Subject: ipmi:ssif: Add send_retries increment
+
+From: Corey Minyard <minyard@acm.org>
+
+commit 6ce7995a43febe693d4894033c6e29314970646a upstream.
+
+A recent change removed an increment of send_retries, re-add it.
+
+Fixes: 95767ed78a18 ipmi:ssif: resend_msg() cannot fail
+Reported-by: Pavel Machek <pavel@denx.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Corey Minyard <minyard@acm.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/ipmi/ipmi_ssif.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/ipmi/ipmi_ssif.c
++++ b/drivers/char/ipmi/ipmi_ssif.c
+@@ -557,8 +557,10 @@ static void retry_timeout(struct timer_l
+
+ if (waiting)
+ start_get(ssif_info);
+- if (resend)
++ if (resend) {
+ start_resend(ssif_info);
++ ssif_inc_stat(ssif_info, send_retries);
++ }
+ }
+
+ static void watch_timeout(struct timer_list *t)
--- /dev/null
+From b69edab47f1da8edd8e7bfdf8c70f51a2a5d89fb Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 2 Mar 2023 14:49:50 -0800
+Subject: kheaders: Use array declaration instead of char
+
+From: Kees Cook <keescook@chromium.org>
+
+commit b69edab47f1da8edd8e7bfdf8c70f51a2a5d89fb upstream.
+
+Under CONFIG_FORTIFY_SOURCE, memcpy() will check the size of destination
+and source buffers. Defining kernel_headers_data as "char" would trip
+this check. Since these addresses are treated as byte arrays, define
+them as arrays (as done everywhere else).
+
+This was seen with:
+
+ $ cat /sys/kernel/kheaders.tar.xz >> /dev/null
+
+ detected buffer overflow in memcpy
+ kernel BUG at lib/string_helpers.c:1027!
+ ...
+ RIP: 0010:fortify_panic+0xf/0x20
+ [...]
+ Call Trace:
+ <TASK>
+ ikheaders_read+0x45/0x50 [kheaders]
+ kernfs_fop_read_iter+0x1a4/0x2f0
+ ...
+
+Reported-by: Jakub Kicinski <kuba@kernel.org>
+Link: https://lore.kernel.org/bpf/20230302112130.6e402a98@kernel.org/
+Acked-by: Joel Fernandes (Google) <joel@joelfernandes.org>
+Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
+Tested-by: Jakub Kicinski <kuba@kernel.org>
+Fixes: 43d8ce9d65a5 ("Provide in-kernel headers to make extending kernel easier")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20230302224946.never.243-kees@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/kheaders.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/kernel/kheaders.c
++++ b/kernel/kheaders.c
+@@ -26,15 +26,15 @@ asm (
+ " .popsection \n"
+ );
+
+-extern char kernel_headers_data;
+-extern char kernel_headers_data_end;
++extern char kernel_headers_data[];
++extern char kernel_headers_data_end[];
+
+ static ssize_t
+ ikheaders_read(struct file *file, struct kobject *kobj,
+ struct bin_attribute *bin_attr,
+ char *buf, loff_t off, size_t len)
+ {
+- memcpy(buf, &kernel_headers_data + off, len);
++ memcpy(buf, &kernel_headers_data[off], len);
+ return len;
+ }
+
+@@ -48,8 +48,8 @@ static struct bin_attribute kheaders_att
+
+ static int __init ikheaders_init(void)
+ {
+- kheaders_attr.size = (&kernel_headers_data_end -
+- &kernel_headers_data);
++ kheaders_attr.size = (kernel_headers_data_end -
++ kernel_headers_data);
+ return sysfs_create_bin_file(kernel_kobj, &kheaders_attr);
+ }
+
--- /dev/null
+From 5a4e1b5aed2a36a10d6a3b30fafb6b3bf41c3186 Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda <ribalda@chromium.org>
+Date: Thu, 23 Mar 2023 23:44:20 +0100
+Subject: media: ov8856: Do not check for for module version
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+commit 5a4e1b5aed2a36a10d6a3b30fafb6b3bf41c3186 upstream.
+
+It the device is probed in non-zero ACPI D state, the module
+identification is delayed until the first streamon.
+
+The module identification has two parts: deviceID and version. To rea
+the version we have to enable OTP read. This cannot be done during
+streamon, becase it modifies REG_MODE_SELECT.
+
+Since the driver has the same behaviour for all the module versions, do
+not read the module version from the sensor's OTP.
+
+Cc: stable@vger.kernel.org
+Fixes: 0e014f1a8d54 ("media: ov8856: support device probe in non-zero ACPI D state")
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ov8856.c | 40 ----------------------------------------
+ 1 file changed, 40 deletions(-)
+
+--- a/drivers/media/i2c/ov8856.c
++++ b/drivers/media/i2c/ov8856.c
+@@ -1709,46 +1709,6 @@ static int ov8856_identify_module(struct
+ return -ENXIO;
+ }
+
+- ret = ov8856_write_reg(ov8856, OV8856_REG_MODE_SELECT,
+- OV8856_REG_VALUE_08BIT, OV8856_MODE_STREAMING);
+- if (ret)
+- return ret;
+-
+- ret = ov8856_write_reg(ov8856, OV8856_OTP_MODE_CTRL,
+- OV8856_REG_VALUE_08BIT, OV8856_OTP_MODE_AUTO);
+- if (ret) {
+- dev_err(&client->dev, "failed to set otp mode");
+- return ret;
+- }
+-
+- ret = ov8856_write_reg(ov8856, OV8856_OTP_LOAD_CTRL,
+- OV8856_REG_VALUE_08BIT,
+- OV8856_OTP_LOAD_CTRL_ENABLE);
+- if (ret) {
+- dev_err(&client->dev, "failed to enable load control");
+- return ret;
+- }
+-
+- ret = ov8856_read_reg(ov8856, OV8856_MODULE_REVISION,
+- OV8856_REG_VALUE_08BIT, &val);
+- if (ret) {
+- dev_err(&client->dev, "failed to read module revision");
+- return ret;
+- }
+-
+- dev_info(&client->dev, "OV8856 revision %x (%s) at address 0x%02x\n",
+- val,
+- val == OV8856_2A_MODULE ? "2A" :
+- val == OV8856_1B_MODULE ? "1B" : "unknown revision",
+- client->addr);
+-
+- ret = ov8856_write_reg(ov8856, OV8856_REG_MODE_SELECT,
+- OV8856_REG_VALUE_08BIT, OV8856_MODE_STANDBY);
+- if (ret) {
+- dev_err(&client->dev, "failed to exit streaming mode");
+- return ret;
+- }
+-
+ ov8856->identified = true;
+
+ return 0;
--- /dev/null
+From ee1809ed7bc456a72dc8410b475b73021a3a68d5 Mon Sep 17 00:00:00 2001
+From: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Date: Tue, 11 Apr 2023 12:14:26 +0100
+Subject: MIPS: fw: Allow firmware to pass a empty env
+
+From: Jiaxun Yang <jiaxun.yang@flygoat.com>
+
+commit ee1809ed7bc456a72dc8410b475b73021a3a68d5 upstream.
+
+fw_getenv will use env entry to determine style of env,
+however it is legal for firmware to just pass a empty list.
+
+Check if first entry exist before running strchr to avoid
+null pointer dereference.
+
+Cc: stable@vger.kernel.org
+Link: https://github.com/clbr/n64bootloader/issues/5
+Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/fw/lib/cmdline.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/fw/lib/cmdline.c
++++ b/arch/mips/fw/lib/cmdline.c
+@@ -53,7 +53,7 @@ char *fw_getenv(char *envname)
+ {
+ char *result = NULL;
+
+- if (_fw_envp != NULL) {
++ if (_fw_envp != NULL && fw_envp(0) != NULL) {
+ /*
+ * Return a pointer to the given environment variable.
+ * YAMON uses "name", "value" pairs, while U-Boot uses
--- /dev/null
+From 3a2776e8a0e156a61f5b59ae341d8fffc730b962 Mon Sep 17 00:00:00 2001
+From: Josh Triplett <josh@joshtriplett.org>
+Date: Sun, 13 Nov 2022 23:23:26 -0800
+Subject: PCI: kirin: Select REGMAP_MMIO
+
+From: Josh Triplett <josh@joshtriplett.org>
+
+commit 3a2776e8a0e156a61f5b59ae341d8fffc730b962 upstream.
+
+pcie-kirin uses regmaps, and needs to pull them in; otherwise, with
+CONFIG_PCIE_KIRIN=y and without CONFIG_REGMAP_MMIO pcie-kirin produces
+a linker failure looking for __devm_regmap_init_mmio_clk().
+
+Fixes: d19afe7be126 ("PCI: kirin: Use regmap for APB registers")
+Link: https://lore.kernel.org/r/04636141da1d6d592174eefb56760511468d035d.1668410580.git.josh@joshtriplett.org
+Signed-off-by: Josh Triplett <josh@joshtriplett.org>
+[lpieralisi@kernel.org: commit log and removed REGMAP select]
+Signed-off-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
+Cc: stable@vger.kernel.org # 5.16+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/dwc/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/pci/controller/dwc/Kconfig
++++ b/drivers/pci/controller/dwc/Kconfig
+@@ -307,6 +307,7 @@ config PCIE_KIRIN
+ tristate "HiSilicon Kirin series SoCs PCIe controllers"
+ depends on PCI_MSI
+ select PCIE_DW_HOST
++ select REGMAP_MMIO
+ help
+ Say Y here if you want PCIe controller support
+ on HiSilicon Kirin series SoCs.
--- /dev/null
+From f5eff5591b8f9c5effd25c92c758a127765f74c1 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Tue, 11 Apr 2023 08:21:02 +0200
+Subject: PCI: pciehp: Fix AB-BA deadlock between reset_lock and device_lock
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit f5eff5591b8f9c5effd25c92c758a127765f74c1 upstream.
+
+In 2013, commits
+
+ 2e35afaefe64 ("PCI: pciehp: Add reset_slot() method")
+ 608c388122c7 ("PCI: Add slot reset option to pci_dev_reset()")
+
+amended PCIe hotplug to mask Presence Detect Changed events during a
+Secondary Bus Reset. The reset thus no longer causes gratuitous slot
+bringdown and bringup.
+
+However the commits neglected to serialize reset with code paths reading
+slot registers. For instance, a slot bringup due to an earlier hotplug
+event may see the Presence Detect State bit cleared during a concurrent
+Secondary Bus Reset.
+
+In 2018, commit
+
+ 5b3f7b7d062b ("PCI: pciehp: Avoid slot access during reset")
+
+retrofitted the missing locking. It introduced a reset_lock which
+serializes a Secondary Bus Reset with other parts of pciehp.
+
+Unfortunately the locking turns out to be overzealous: reset_lock is
+held for the entire enumeration and de-enumeration of hotplugged devices,
+including driver binding and unbinding.
+
+Driver binding and unbinding acquires device_lock while the reset_lock
+of the ancestral hotplug port is held. A concurrent Secondary Bus Reset
+acquires the ancestral reset_lock while already holding the device_lock.
+The asymmetric locking order in the two code paths can lead to AB-BA
+deadlocks.
+
+Michael Haeuptle reports such deadlocks on simultaneous hot-removal and
+vfio release (the latter implies a Secondary Bus Reset):
+
+ pciehp_ist() # down_read(reset_lock)
+ pciehp_handle_presence_or_link_change()
+ pciehp_disable_slot()
+ __pciehp_disable_slot()
+ remove_board()
+ pciehp_unconfigure_device()
+ pci_stop_and_remove_bus_device()
+ pci_stop_bus_device()
+ pci_stop_dev()
+ device_release_driver()
+ device_release_driver_internal()
+ __device_driver_lock() # device_lock()
+
+ SYS_munmap()
+ vfio_device_fops_release()
+ vfio_device_group_close()
+ vfio_device_close()
+ vfio_device_last_close()
+ vfio_pci_core_close_device()
+ vfio_pci_core_disable() # device_lock()
+ __pci_reset_function_locked()
+ pci_reset_bus_function()
+ pci_dev_reset_slot_function()
+ pci_reset_hotplug_slot()
+ pciehp_reset_slot() # down_write(reset_lock)
+
+Ian May reports the same deadlock on simultaneous hot-removal and an
+AER-induced Secondary Bus Reset:
+
+ aer_recover_work_func()
+ pcie_do_recovery()
+ aer_root_reset()
+ pci_bus_error_reset()
+ pci_slot_reset()
+ pci_slot_lock() # device_lock()
+ pci_reset_hotplug_slot()
+ pciehp_reset_slot() # down_write(reset_lock)
+
+Fix by releasing the reset_lock during driver binding and unbinding,
+thereby splitting and shrinking the critical section.
+
+Driver binding and unbinding is protected by the device_lock() and thus
+serialized with a Secondary Bus Reset. There's no need to additionally
+protect it with the reset_lock. However, pciehp does not bind and
+unbind devices directly, but rather invokes PCI core functions which
+also perform certain enumeration and de-enumeration steps.
+
+The reset_lock's purpose is to protect slot registers, not enumeration
+and de-enumeration of hotplugged devices. That would arguably be the
+job of the PCI core, not the PCIe hotplug driver. After all, an
+AER-induced Secondary Bus Reset may as well happen during boot-time
+enumeration of the PCI hierarchy and there's no locking to prevent that
+either.
+
+Exempting *de-enumeration* from the reset_lock is relatively harmless:
+A concurrent Secondary Bus Reset may foil config space accesses such as
+PME interrupt disablement. But if the device is physically gone, those
+accesses are pointless anyway. If the device is physically present and
+only logically removed through an Attention Button press or the sysfs
+"power" attribute, PME interrupts as well as DMA cannot come through
+because pciehp_unconfigure_device() disables INTx and Bus Master bits.
+That's still protected by the reset_lock in the present commit.
+
+Exempting *enumeration* from the reset_lock also has limited impact:
+The exempted call to pci_bus_add_device() may perform device accesses
+through pcibios_bus_add_device() and pci_fixup_device() which are now
+no longer protected from a concurrent Secondary Bus Reset. Otherwise
+there should be no impact.
+
+In essence, the present commit seeks to fix the AB-BA deadlocks while
+still retaining a best-effort reset protection for enumeration and
+de-enumeration of hotplugged devices -- until a general solution is
+implemented in the PCI core.
+
+Link: https://lore.kernel.org/linux-pci/CS1PR8401MB0728FC6FDAB8A35C22BD90EC95F10@CS1PR8401MB0728.NAMPRD84.PROD.OUTLOOK.COM
+Link: https://lore.kernel.org/linux-pci/20200615143250.438252-1-ian.may@canonical.com
+Link: https://lore.kernel.org/linux-pci/ce878dab-c0c4-5bd0-a725-9805a075682d@amd.com
+Link: https://lore.kernel.org/linux-pci/ed831249-384a-6d35-0831-70af191e9bce@huawei.com
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=215590
+Fixes: 5b3f7b7d062b ("PCI: pciehp: Avoid slot access during reset")
+Link: https://lore.kernel.org/r/fef2b2e9edf245c049a8c5b94743c0f74ff5008a.1681191902.git.lukas@wunner.de
+Reported-by: Michael Haeuptle <michael.haeuptle@hpe.com>
+Reported-by: Ian May <ian.may@canonical.com>
+Reported-by: Andrey Grodzovsky <andrey2805@gmail.com>
+Reported-by: Rahul Kumar <rahul.kumar1@amd.com>
+Reported-by: Jialin Zhang <zhangjialin11@huawei.com>
+Tested-by: Anatoli Antonovitch <Anatoli.Antonovitch@amd.com>
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org # v4.19+
+Cc: Dan Stein <dstein@hpe.com>
+Cc: Ashok Raj <ashok.raj@intel.com>
+Cc: Alex Michon <amichon@kalrayinc.com>
+Cc: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+Cc: Alex Williamson <alex.williamson@redhat.com>
+Cc: Mika Westerberg <mika.westerberg@linux.intel.com>
+Cc: Sathyanarayanan Kuppuswamy <sathyanarayanan.kuppuswamy@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/hotplug/pciehp_pci.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/drivers/pci/hotplug/pciehp_pci.c
++++ b/drivers/pci/hotplug/pciehp_pci.c
+@@ -63,7 +63,14 @@ int pciehp_configure_device(struct contr
+
+ pci_assign_unassigned_bridge_resources(bridge);
+ pcie_bus_configure_settings(parent);
++
++ /*
++ * Release reset_lock during driver binding
++ * to avoid AB-BA deadlock with device_lock.
++ */
++ up_read(&ctrl->reset_lock);
+ pci_bus_add_devices(parent);
++ down_read_nested(&ctrl->reset_lock, ctrl->depth);
+
+ out:
+ pci_unlock_rescan_remove();
+@@ -104,7 +111,15 @@ void pciehp_unconfigure_device(struct co
+ list_for_each_entry_safe_reverse(dev, temp, &parent->devices,
+ bus_list) {
+ pci_dev_get(dev);
++
++ /*
++ * Release reset_lock during driver unbinding
++ * to avoid AB-BA deadlock with device_lock.
++ */
++ up_read(&ctrl->reset_lock);
+ pci_stop_and_remove_bus_device(dev);
++ down_read_nested(&ctrl->reset_lock, ctrl->depth);
++
+ /*
+ * Ensure that no new Requests will be generated from
+ * the device.
--- /dev/null
+From 2542e16c392508800f1d9037feee881a9c444951 Mon Sep 17 00:00:00 2001
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Date: Thu, 16 Mar 2023 13:40:59 +0530
+Subject: PCI: qcom: Fix the incorrect register usage in v2.7.0 config
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+
+commit 2542e16c392508800f1d9037feee881a9c444951 upstream.
+
+Qcom PCIe IP version v2.7.0 and its derivatives don't contain the
+PCIE20_PARF_AXI_MSTR_WR_ADDR_HALT register. Instead, they have the new
+PCIE20_PARF_AXI_MSTR_WR_ADDR_HALT_V2 register. So fix the incorrect
+register usage which is modifying a different register.
+
+Also in this IP version, this register change doesn't depend on MSI
+being enabled. So remove that check also.
+
+Link: https://lore.kernel.org/r/20230316081117.14288-2-manivannan.sadhasivam@linaro.org
+Fixes: ed8cc3b1fc84 ("PCI: qcom: Add support for SDM845 PCIe controller")
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
+Cc: <stable@vger.kernel.org> # 5.6+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/dwc/pcie-qcom.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/pci/controller/dwc/pcie-qcom.c
++++ b/drivers/pci/controller/dwc/pcie-qcom.c
+@@ -1279,11 +1279,9 @@ static int qcom_pcie_init_2_7_0(struct q
+ val &= ~REQ_NOT_ENTR_L1;
+ writel(val, pcie->parf + PCIE20_PARF_PM_CTRL);
+
+- if (IS_ENABLED(CONFIG_PCI_MSI)) {
+- val = readl(pcie->parf + PCIE20_PARF_AXI_MSTR_WR_ADDR_HALT);
+- val |= BIT(31);
+- writel(val, pcie->parf + PCIE20_PARF_AXI_MSTR_WR_ADDR_HALT);
+- }
++ val = readl(pcie->parf + PCIE20_PARF_AXI_MSTR_WR_ADDR_HALT_V2);
++ val |= BIT(31);
++ writel(val, pcie->parf + PCIE20_PARF_AXI_MSTR_WR_ADDR_HALT_V2);
+
+ return 0;
+ err_disable_clocks:
--- /dev/null
+From 1db6b0a4246ce708b89f5136571130b9987741d1 Mon Sep 17 00:00:00 2001
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Date: Fri, 31 Mar 2023 18:12:49 +0300
+Subject: phy: qcom-qmp-pcie: sc8180x PCIe PHY has 2 lanes
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+commit 1db6b0a4246ce708b89f5136571130b9987741d1 upstream.
+
+All PCIe PHYs on sc8180x platform have 2 lanes, so change the number of
+lanes to 2.
+
+Fixes: f839f14e24f2 ("phy: qcom-qmp: Add sc8180x PCIe support")
+Cc: stable@vger.kernel.org # 5.15
+Sgned-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20230331151250.4049-1-dmitry.baryshkov@linaro.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qmp-pcie.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c
++++ b/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c
+@@ -2152,7 +2152,7 @@ static const struct qmp_phy_cfg msm8998_
+ };
+
+ static const struct qmp_phy_cfg sc8180x_pciephy_cfg = {
+- .lanes = 1,
++ .lanes = 2,
+
+ .tbls = {
+ .serdes = sc8180x_qmp_pcie_serdes_tbl,
--- /dev/null
+From f7abf14f0001a5a47539d9f60bbdca649e43536b Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Mon, 17 Apr 2023 15:37:55 +0200
+Subject: posix-cpu-timers: Implement the missing timer_wait_running callback
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit f7abf14f0001a5a47539d9f60bbdca649e43536b upstream.
+
+For some unknown reason the introduction of the timer_wait_running callback
+missed to fixup posix CPU timers, which went unnoticed for almost four years.
+Marco reported recently that the WARN_ON() in timer_wait_running()
+triggers with a posix CPU timer test case.
+
+Posix CPU timers have two execution models for expiring timers depending on
+CONFIG_POSIX_CPU_TIMERS_TASK_WORK:
+
+1) If not enabled, the expiry happens in hard interrupt context so
+ spin waiting on the remote CPU is reasonably time bound.
+
+ Implement an empty stub function for that case.
+
+2) If enabled, the expiry happens in task work before returning to user
+ space or guest mode. The expired timers are marked as firing and moved
+ from the timer queue to a local list head with sighand lock held. Once
+ the timers are moved, sighand lock is dropped and the expiry happens in
+ fully preemptible context. That means the expiring task can be scheduled
+ out, migrated, interrupted etc. So spin waiting on it is more than
+ suboptimal.
+
+ The timer wheel has a timer_wait_running() mechanism for RT, which uses
+ a per CPU timer-base expiry lock which is held by the expiry code and the
+ task waiting for the timer function to complete blocks on that lock.
+
+ This does not work in the same way for posix CPU timers as there is no
+ timer base and expiry for process wide timers can run on any task
+ belonging to that process, but the concept of waiting on an expiry lock
+ can be used too in a slightly different way:
+
+ - Add a mutex to struct posix_cputimers_work. This struct is per task
+ and used to schedule the expiry task work from the timer interrupt.
+
+ - Add a task_struct pointer to struct cpu_timer which is used to store
+ a the task which runs the expiry. That's filled in when the task
+ moves the expired timers to the local expiry list. That's not
+ affecting the size of the k_itimer union as there are bigger union
+ members already
+
+ - Let the task take the expiry mutex around the expiry function
+
+ - Let the waiter acquire a task reference with rcu_read_lock() held and
+ block on the expiry mutex
+
+ This avoids spin-waiting on a task which might not even be on a CPU and
+ works nicely for RT too.
+
+Fixes: ec8f954a40da ("posix-timers: Use a callback for cancel synchronization on PREEMPT_RT")
+Reported-by: Marco Elver <elver@google.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Marco Elver <elver@google.com>
+Tested-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/87zg764ojw.ffs@tglx
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/posix-timers.h | 17 +++++---
+ kernel/time/posix-cpu-timers.c | 81 +++++++++++++++++++++++++++++++++--------
+ kernel/time/posix-timers.c | 4 ++
+ 3 files changed, 82 insertions(+), 20 deletions(-)
+
+--- a/include/linux/posix-timers.h
++++ b/include/linux/posix-timers.h
+@@ -4,6 +4,7 @@
+
+ #include <linux/spinlock.h>
+ #include <linux/list.h>
++#include <linux/mutex.h>
+ #include <linux/alarmtimer.h>
+ #include <linux/timerqueue.h>
+
+@@ -62,16 +63,18 @@ static inline int clockid_to_fd(const cl
+ * cpu_timer - Posix CPU timer representation for k_itimer
+ * @node: timerqueue node to queue in the task/sig
+ * @head: timerqueue head on which this timer is queued
+- * @task: Pointer to target task
++ * @pid: Pointer to target task PID
+ * @elist: List head for the expiry list
+ * @firing: Timer is currently firing
++ * @handling: Pointer to the task which handles expiry
+ */
+ struct cpu_timer {
+- struct timerqueue_node node;
+- struct timerqueue_head *head;
+- struct pid *pid;
+- struct list_head elist;
+- int firing;
++ struct timerqueue_node node;
++ struct timerqueue_head *head;
++ struct pid *pid;
++ struct list_head elist;
++ int firing;
++ struct task_struct __rcu *handling;
+ };
+
+ static inline bool cpu_timer_enqueue(struct timerqueue_head *head,
+@@ -135,10 +138,12 @@ struct posix_cputimers {
+ /**
+ * posix_cputimers_work - Container for task work based posix CPU timer expiry
+ * @work: The task work to be scheduled
++ * @mutex: Mutex held around expiry in context of this task work
+ * @scheduled: @work has been scheduled already, no further processing
+ */
+ struct posix_cputimers_work {
+ struct callback_head work;
++ struct mutex mutex;
+ unsigned int scheduled;
+ };
+
+--- a/kernel/time/posix-cpu-timers.c
++++ b/kernel/time/posix-cpu-timers.c
+@@ -846,6 +846,8 @@ static u64 collect_timerqueue(struct tim
+ return expires;
+
+ ctmr->firing = 1;
++ /* See posix_cpu_timer_wait_running() */
++ rcu_assign_pointer(ctmr->handling, current);
+ cpu_timer_dequeue(ctmr);
+ list_add_tail(&ctmr->elist, firing);
+ }
+@@ -1161,7 +1163,49 @@ static void handle_posix_cpu_timers(stru
+ #ifdef CONFIG_POSIX_CPU_TIMERS_TASK_WORK
+ static void posix_cpu_timers_work(struct callback_head *work)
+ {
++ struct posix_cputimers_work *cw = container_of(work, typeof(*cw), work);
++
++ mutex_lock(&cw->mutex);
+ handle_posix_cpu_timers(current);
++ mutex_unlock(&cw->mutex);
++}
++
++/*
++ * Invoked from the posix-timer core when a cancel operation failed because
++ * the timer is marked firing. The caller holds rcu_read_lock(), which
++ * protects the timer and the task which is expiring it from being freed.
++ */
++static void posix_cpu_timer_wait_running(struct k_itimer *timr)
++{
++ struct task_struct *tsk = rcu_dereference(timr->it.cpu.handling);
++
++ /* Has the handling task completed expiry already? */
++ if (!tsk)
++ return;
++
++ /* Ensure that the task cannot go away */
++ get_task_struct(tsk);
++ /* Now drop the RCU protection so the mutex can be locked */
++ rcu_read_unlock();
++ /* Wait on the expiry mutex */
++ mutex_lock(&tsk->posix_cputimers_work.mutex);
++ /* Release it immediately again. */
++ mutex_unlock(&tsk->posix_cputimers_work.mutex);
++ /* Drop the task reference. */
++ put_task_struct(tsk);
++ /* Relock RCU so the callsite is balanced */
++ rcu_read_lock();
++}
++
++static void posix_cpu_timer_wait_running_nsleep(struct k_itimer *timr)
++{
++ /* Ensure that timr->it.cpu.handling task cannot go away */
++ rcu_read_lock();
++ spin_unlock_irq(&timr->it_lock);
++ posix_cpu_timer_wait_running(timr);
++ rcu_read_unlock();
++ /* @timr is on stack and is valid */
++ spin_lock_irq(&timr->it_lock);
+ }
+
+ /*
+@@ -1177,6 +1221,7 @@ void clear_posix_cputimers_work(struct t
+ sizeof(p->posix_cputimers_work.work));
+ init_task_work(&p->posix_cputimers_work.work,
+ posix_cpu_timers_work);
++ mutex_init(&p->posix_cputimers_work.mutex);
+ p->posix_cputimers_work.scheduled = false;
+ }
+
+@@ -1255,6 +1300,18 @@ static inline void __run_posix_cpu_timer
+ lockdep_posixtimer_exit();
+ }
+
++static void posix_cpu_timer_wait_running(struct k_itimer *timr)
++{
++ cpu_relax();
++}
++
++static void posix_cpu_timer_wait_running_nsleep(struct k_itimer *timr)
++{
++ spin_unlock_irq(&timr->it_lock);
++ cpu_relax();
++ spin_lock_irq(&timr->it_lock);
++}
++
+ static inline bool posix_cpu_timers_work_scheduled(struct task_struct *tsk)
+ {
+ return false;
+@@ -1363,6 +1420,8 @@ static void handle_posix_cpu_timers(stru
+ */
+ if (likely(cpu_firing >= 0))
+ cpu_timer_fire(timer);
++ /* See posix_cpu_timer_wait_running() */
++ rcu_assign_pointer(timer->it.cpu.handling, NULL);
+ spin_unlock(&timer->it_lock);
+ }
+ }
+@@ -1497,23 +1556,16 @@ static int do_cpu_nanosleep(const clocki
+ expires = cpu_timer_getexpires(&timer.it.cpu);
+ error = posix_cpu_timer_set(&timer, 0, &zero_it, &it);
+ if (!error) {
+- /*
+- * Timer is now unarmed, deletion can not fail.
+- */
++ /* Timer is now unarmed, deletion can not fail. */
+ posix_cpu_timer_del(&timer);
++ } else {
++ while (error == TIMER_RETRY) {
++ posix_cpu_timer_wait_running_nsleep(&timer);
++ error = posix_cpu_timer_del(&timer);
++ }
+ }
+- spin_unlock_irq(&timer.it_lock);
+
+- while (error == TIMER_RETRY) {
+- /*
+- * We need to handle case when timer was or is in the
+- * middle of firing. In other cases we already freed
+- * resources.
+- */
+- spin_lock_irq(&timer.it_lock);
+- error = posix_cpu_timer_del(&timer);
+- spin_unlock_irq(&timer.it_lock);
+- }
++ spin_unlock_irq(&timer.it_lock);
+
+ if ((it.it_value.tv_sec | it.it_value.tv_nsec) == 0) {
+ /*
+@@ -1623,6 +1675,7 @@ const struct k_clock clock_posix_cpu = {
+ .timer_del = posix_cpu_timer_del,
+ .timer_get = posix_cpu_timer_get,
+ .timer_rearm = posix_cpu_timer_rearm,
++ .timer_wait_running = posix_cpu_timer_wait_running,
+ };
+
+ const struct k_clock clock_process = {
+--- a/kernel/time/posix-timers.c
++++ b/kernel/time/posix-timers.c
+@@ -846,6 +846,10 @@ static struct k_itimer *timer_wait_runni
+ rcu_read_lock();
+ unlock_timer(timer, *flags);
+
++ /*
++ * kc->timer_wait_running() might drop RCU lock. So @timer
++ * cannot be touched anymore after the function returns!
++ */
+ if (!WARN_ON_ONCE(!kc->timer_wait_running))
+ kc->timer_wait_running(timer);
+
--- /dev/null
+From 648a1783fe2551f5a091c9a5f8f463cb2cbf8745 Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Fri, 7 Apr 2023 14:09:09 +1000
+Subject: powerpc/boot: Fix boot wrapper code generation with CONFIG_POWER10_CPU
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+commit 648a1783fe2551f5a091c9a5f8f463cb2cbf8745 upstream.
+
+-mcpu=power10 will generate prefixed and pcrel code by default, which
+we do not support. The general kernel disables these with cflags, but
+those were missed for the boot wrapper.
+
+Fixes: 4b2a9315f20d ("powerpc/64s: POWER10 CPU Kconfig build option")
+Cc: stable@vger.kernel.org # v6.1+
+Reported-by: Danny Tsen <dtsen@linux.ibm.com>
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20230407040909.230998-1-npiggin@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/boot/Makefile | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/powerpc/boot/Makefile
++++ b/arch/powerpc/boot/Makefile
+@@ -34,6 +34,8 @@ endif
+
+ BOOTCFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
+ -fno-strict-aliasing -O2 -msoft-float -mno-altivec -mno-vsx \
++ $(call cc-option,-mno-prefixed) $(call cc-option,-mno-pcrel) \
++ $(call cc-option,-mno-mma) \
+ $(call cc-option,-mno-spe) $(call cc-option,-mspe=no) \
+ -pipe -fomit-frame-pointer -fno-builtin -fPIC -nostdinc \
+ $(LINUXINCLUDE)
--- /dev/null
+From 146a37e05d620cef4ad430e5d1c9c077fe6fa76f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= <ilpo.jarvinen@linux.intel.com>
+Date: Fri, 17 Mar 2023 13:33:18 +0200
+Subject: serial: 8250: Fix serial8250_tx_empty() race with DMA Tx
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+commit 146a37e05d620cef4ad430e5d1c9c077fe6fa76f upstream.
+
+There's a potential race before THRE/TEMT deasserts when DMA Tx is
+starting up (or the next batch of continuous Tx is being submitted).
+This can lead to misdetecting Tx empty condition.
+
+It is entirely normal for THRE/TEMT to be set for some time after the
+DMA Tx had been setup in serial8250_tx_dma(). As Tx side is definitely
+not empty at that point, it seems incorrect for serial8250_tx_empty()
+claim Tx is empty.
+
+Fix the race by also checking in serial8250_tx_empty() whether there's
+DMA Tx active.
+
+Note: This fix only addresses in-kernel race mainly to make using
+TCSADRAIN/FLUSH robust. Userspace can still cause other races but they
+seem userspace concurrency control problems.
+
+Fixes: 9ee4b83e51f74 ("serial: 8250: Add support for dmaengine")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Link: https://lore.kernel.org/r/20230317113318.31327-3-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250.h | 12 ++++++++++++
+ drivers/tty/serial/8250/8250_port.c | 7 ++++---
+ 2 files changed, 16 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250.h
++++ b/drivers/tty/serial/8250/8250.h
+@@ -365,6 +365,13 @@ static inline void serial8250_do_prepare
+ if (dma->prepare_rx_dma)
+ dma->prepare_rx_dma(p);
+ }
++
++static inline bool serial8250_tx_dma_running(struct uart_8250_port *p)
++{
++ struct uart_8250_dma *dma = p->dma;
++
++ return dma && dma->tx_running;
++}
+ #else
+ static inline int serial8250_tx_dma(struct uart_8250_port *p)
+ {
+@@ -380,6 +387,11 @@ static inline int serial8250_request_dma
+ return -1;
+ }
+ static inline void serial8250_release_dma(struct uart_8250_port *p) { }
++
++static inline bool serial8250_tx_dma_running(struct uart_8250_port *p)
++{
++ return false;
++}
+ #endif
+
+ static inline int ns16550a_goto_highspeed(struct uart_8250_port *up)
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -2016,18 +2016,19 @@ static int serial8250_tx_threshold_handl
+ static unsigned int serial8250_tx_empty(struct uart_port *port)
+ {
+ struct uart_8250_port *up = up_to_u8250p(port);
++ unsigned int result = 0;
+ unsigned long flags;
+- u16 lsr;
+
+ serial8250_rpm_get(up);
+
+ spin_lock_irqsave(&port->lock, flags);
+- lsr = serial_lsr_in(up);
++ if (!serial8250_tx_dma_running(up) && uart_lsr_tx_empty(serial_lsr_in(up)))
++ result = TIOCSER_TEMT;
+ spin_unlock_irqrestore(&port->lock, flags);
+
+ serial8250_rpm_put(up);
+
+- return uart_lsr_tx_empty(lsr) ? TIOCSER_TEMT : 0;
++ return result;
+ }
+
+ unsigned int serial8250_do_get_mctrl(struct uart_port *port)
--- /dev/null
+From 9e4f2a8004213339e9d837d891a59cc80e082966 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 12 Apr 2023 14:48:11 +0200
+Subject: serial: fix TIOCSRS485 locking
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 9e4f2a8004213339e9d837d891a59cc80e082966 upstream.
+
+The RS485 multipoint addressing support for some reason added a new
+ADDRB termios cflag which is (only!) updated from one of the RS485
+ioctls.
+
+Make sure to take the termios rw semaphore for the right ioctl (i.e.
+set, not get).
+
+Fixes: ae50bb275283 ("serial: take termios_rwsem for ->rs485_config() & pass termios as param")
+Cc: stable@vger.kernel.org # 6.0
+Cc: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20230412124811.11217-1-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/serial_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/serial_core.c
++++ b/drivers/tty/serial/serial_core.c
+@@ -1552,7 +1552,7 @@ uart_ioctl(struct tty_struct *tty, unsig
+ goto out;
+
+ /* rs485_config requires more locking than others */
+- if (cmd == TIOCGRS485)
++ if (cmd == TIOCSRS485)
+ down_write(&tty->termios_rwsem);
+
+ mutex_lock(&port->mutex);
+@@ -1595,7 +1595,7 @@ uart_ioctl(struct tty_struct *tty, unsig
+ }
+ out_up:
+ mutex_unlock(&port->mutex);
+- if (cmd == TIOCGRS485)
++ if (cmd == TIOCSRS485)
+ up_write(&tty->termios_rwsem);
+ out:
+ return ret;
--- /dev/null
+From 3f42b142ea1171967e40e10e4b0241c0d6d28d41 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20Kundr=C3=A1t?= <jan.kundrat@cesnet.cz>
+Date: Wed, 5 Apr 2023 22:14:23 +0200
+Subject: serial: max310x: fix IO data corruption in batched operations
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jan Kundrát <jan.kundrat@cesnet.cz>
+
+commit 3f42b142ea1171967e40e10e4b0241c0d6d28d41 upstream.
+
+After upgrading from 5.16 to 6.1, our board with a MAX14830 started
+producing lots of garbage data over UART. Bisection pointed out commit
+285e76fc049c as the culprit. That patch tried to replace hand-written
+code which I added in 2b4bac48c1084 ("serial: max310x: Use batched reads
+when reasonably safe") with the generic regmap infrastructure for
+batched operations.
+
+Unfortunately, the `regmap_raw_read` and `regmap_raw_write` which were
+used are actually functions which perform IO over *multiple* registers.
+That's not what is needed for accessing these Tx/Rx FIFOs; the
+appropriate functions are the `_noinc_` versions, not the `_raw_` ones.
+
+Fix this regression by using `regmap_noinc_read()` and
+`regmap_noinc_write()` along with the necessary `regmap_config` setup;
+with this patch in place, our board communicates happily again. Since
+our board uses SPI for talking to this chip, the I2C part is completely
+untested.
+
+Fixes: 285e76fc049c ("serial: max310x: use regmap methods for SPI batch operations")
+Cc: stable@vger.kernel.org
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Jan Kundrát <jan.kundrat@cesnet.cz>
+Link: https://lore.kernel.org/r/79db8e82aadb0e174bc82b9996423c3503c8fb37.1680732084.git.jan.kundrat@cesnet.cz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/max310x.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/max310x.c
++++ b/drivers/tty/serial/max310x.c
+@@ -525,6 +525,11 @@ static bool max310x_reg_precious(struct
+ return false;
+ }
+
++static bool max310x_reg_noinc(struct device *dev, unsigned int reg)
++{
++ return reg == MAX310X_RHR_REG;
++}
++
+ static int max310x_set_baud(struct uart_port *port, int baud)
+ {
+ unsigned int mode = 0, div = 0, frac = 0, c = 0, F = 0;
+@@ -651,14 +656,14 @@ static void max310x_batch_write(struct u
+ {
+ struct max310x_one *one = to_max310x_port(port);
+
+- regmap_raw_write(one->regmap, MAX310X_THR_REG, txbuf, len);
++ regmap_noinc_write(one->regmap, MAX310X_THR_REG, txbuf, len);
+ }
+
+ static void max310x_batch_read(struct uart_port *port, u8 *rxbuf, unsigned int len)
+ {
+ struct max310x_one *one = to_max310x_port(port);
+
+- regmap_raw_read(one->regmap, MAX310X_RHR_REG, rxbuf, len);
++ regmap_noinc_read(one->regmap, MAX310X_RHR_REG, rxbuf, len);
+ }
+
+ static void max310x_handle_rx(struct uart_port *port, unsigned int rxlen)
+@@ -1468,6 +1473,10 @@ static struct regmap_config regcfg = {
+ .writeable_reg = max310x_reg_writeable,
+ .volatile_reg = max310x_reg_volatile,
+ .precious_reg = max310x_reg_precious,
++ .writeable_noinc_reg = max310x_reg_noinc,
++ .readable_noinc_reg = max310x_reg_noinc,
++ .max_raw_read = MAX310X_FIFO_SIZE,
++ .max_raw_write = MAX310X_FIFO_SIZE,
+ };
+
+ #ifdef CONFIG_SPI_MASTER
+@@ -1553,6 +1562,10 @@ static struct regmap_config regcfg_i2c =
+ .volatile_reg = max310x_reg_volatile,
+ .precious_reg = max310x_reg_precious,
+ .max_register = MAX310X_I2C_REVID_EXTREG,
++ .writeable_noinc_reg = max310x_reg_noinc,
++ .readable_noinc_reg = max310x_reg_noinc,
++ .max_raw_read = MAX310X_FIFO_SIZE,
++ .max_raw_write = MAX310X_FIFO_SIZE,
+ };
+
+ static const struct max310x_if_cfg max310x_i2c_if_cfg = {
+wifi-mt76-mt7921e-set-memory-space-enable-in-pci_command-if-unset.patch
+asoc-amd-ps-update-the-acp-clock-source.patch
+powerpc-boot-fix-boot-wrapper-code-generation-with-config_power10_cpu.patch
+pci-kirin-select-regmap_mmio.patch
+pci-pciehp-fix-ab-ba-deadlock-between-reset_lock-and-device_lock.patch
+pci-qcom-fix-the-incorrect-register-usage-in-v2.7.0-config.patch
+bus-mhi-host-pci_generic-revert-add-a-secondary-at-port-to-telit-fn990.patch
+phy-qcom-qmp-pcie-sc8180x-pcie-phy-has-2-lanes.patch
+ima-allow-fix-uml-builds.patch
+wifi-rtw88-usb-fix-priority-queue-to-endpoint-mapping.patch
+usb-gadget-udc-core-invoke-usb_gadget_connect-only-when-started.patch
+usb-gadget-udc-core-prevent-redundant-calls-to-pullup.patch
+usb-dwc3-gadget-stall-and-restart-ep0-if-host-is-unresponsive.patch
+usb-dwc3-fix-runtime-pm-imbalance-on-probe-errors.patch
+usb-dwc3-fix-runtime-pm-imbalance-on-unbind.patch
+hwmon-k10temp-check-range-scale-when-cur_temp-register-is-read-write.patch
+hwmon-adt7475-use-device_property-apis-when-configuring-polarity.patch
+tpm-add-tpm_amd_is_rng_defective-to-the-hwrng_unregister-call-site.patch
+posix-cpu-timers-implement-the-missing-timer_wait_running-callback.patch
+media-ov8856-do-not-check-for-for-module-version.patch
+drm-vmwgfx-fix-legacy-display-unit-atomic-drm-support.patch
+blk-stat-fix-queue_flag_stats-clear.patch
+blk-mq-release-crypto-keyslot-before-reporting-i-o-complete.patch
+blk-crypto-make-blk_crypto_evict_key-return-void.patch
+blk-crypto-make-blk_crypto_evict_key-more-robust.patch
+staging-iio-resolver-ads1210-fix-config-mode.patch
+tty-prevent-writing-chars-during-tcsetattr-tcsadrain-flush.patch
+xhci-fix-debugfs-register-accesses-while-suspended.patch
+serial-fix-tiocsrs485-locking.patch
+serial-8250-fix-serial8250_tx_empty-race-with-dma-tx.patch
+serial-max310x-fix-io-data-corruption-in-batched-operations.patch
+tick-nohz-fix-cpu_is_hotpluggable-by-checking-with-nohz-subsystem.patch
+fs-fix-sysctls.c-built.patch
+mips-fw-allow-firmware-to-pass-a-empty-env.patch
+ipmi-ssif-add-send_retries-increment.patch
+ipmi-fix-ssif-not-responding-under-certain-cond.patch
+iio-addac-stx104-fix-race-condition-when-converting-analog-to-digital.patch
+iio-addac-stx104-fix-race-condition-for-stx104_write_raw.patch
+kheaders-use-array-declaration-instead-of-char.patch
+wifi-mt76-add-missing-locking-to-protect-against-concurrent-rx-status-calls.patch
+wifi-rtw89-correct-5-mhz-mask-setting.patch
--- /dev/null
+From 16313403d873ff17a587818b61f84c8cb4971cef Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nuno=20S=C3=A1?= <nuno.sa@analog.com>
+Date: Mon, 27 Mar 2023 16:54:14 +0200
+Subject: staging: iio: resolver: ads1210: fix config mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nuno Sá <nuno.sa@analog.com>
+
+commit 16313403d873ff17a587818b61f84c8cb4971cef upstream.
+
+As stated in the device datasheet [1], bits a0 and a1 have to be set to
+1 for the configuration mode.
+
+[1]: https://www.analog.com/media/en/technical-documentation/data-sheets/ad2s1210.pdf
+
+Fixes: b19e9ad5e2cb9 ("staging:iio:resolver:ad2s1210 general driver cleanup")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Nuno Sá <nuno.sa@analog.com>
+Link: https://lore.kernel.org/r/20230327145414.1505537-1-nuno.sa@analog.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/iio/resolver/ad2s1210.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/iio/resolver/ad2s1210.c
++++ b/drivers/staging/iio/resolver/ad2s1210.c
+@@ -101,7 +101,7 @@ struct ad2s1210_state {
+ static const int ad2s1210_mode_vals[4][2] = {
+ [MOD_POS] = { 0, 0 },
+ [MOD_VEL] = { 0, 1 },
+- [MOD_CONFIG] = { 1, 0 },
++ [MOD_CONFIG] = { 1, 1 },
+ };
+
+ static inline void ad2s1210_set_mode(enum ad2s1210_mode mode,
--- /dev/null
+From 58d7668242647e661a20efe065519abd6454287e Mon Sep 17 00:00:00 2001
+From: "Joel Fernandes (Google)" <joel@joelfernandes.org>
+Date: Tue, 24 Jan 2023 17:31:26 +0000
+Subject: tick/nohz: Fix cpu_is_hotpluggable() by checking with nohz subsystem
+
+From: Joel Fernandes (Google) <joel@joelfernandes.org>
+
+commit 58d7668242647e661a20efe065519abd6454287e upstream.
+
+For CONFIG_NO_HZ_FULL systems, the tick_do_timer_cpu cannot be offlined.
+However, cpu_is_hotpluggable() still returns true for those CPUs. This causes
+torture tests that do offlining to end up trying to offline this CPU causing
+test failures. Such failure happens on all architectures.
+
+Fix the repeated error messages thrown by this (even if the hotplug errors are
+harmless) by asking the opinion of the nohz subsystem on whether the CPU can be
+hotplugged.
+
+[ Apply Frederic Weisbecker feedback on refactoring tick_nohz_cpu_down(). ]
+
+For drivers/base/ portion:
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Frederic Weisbecker <frederic@kernel.org>
+Cc: Frederic Weisbecker <frederic@kernel.org>
+Cc: "Paul E. McKenney" <paulmck@kernel.org>
+Cc: Zhouyi Zhou <zhouzhouyi@gmail.com>
+Cc: Will Deacon <will@kernel.org>
+Cc: Marc Zyngier <maz@kernel.org>
+Cc: rcu <rcu@vger.kernel.org>
+Cc: stable@vger.kernel.org
+Fixes: 2987557f52b9 ("driver-core/cpu: Expose hotpluggability to the rest of the kernel")
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/cpu.c | 3 ++-
+ include/linux/tick.h | 2 ++
+ kernel/time/tick-sched.c | 11 ++++++++---
+ 3 files changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/base/cpu.c
++++ b/drivers/base/cpu.c
+@@ -487,7 +487,8 @@ static const struct attribute_group *cpu
+ bool cpu_is_hotpluggable(unsigned int cpu)
+ {
+ struct device *dev = get_cpu_device(cpu);
+- return dev && container_of(dev, struct cpu, dev)->hotpluggable;
++ return dev && container_of(dev, struct cpu, dev)->hotpluggable
++ && tick_nohz_cpu_hotpluggable(cpu);
+ }
+ EXPORT_SYMBOL_GPL(cpu_is_hotpluggable);
+
+--- a/include/linux/tick.h
++++ b/include/linux/tick.h
+@@ -216,6 +216,7 @@ extern void tick_nohz_dep_set_signal(str
+ enum tick_dep_bits bit);
+ extern void tick_nohz_dep_clear_signal(struct signal_struct *signal,
+ enum tick_dep_bits bit);
++extern bool tick_nohz_cpu_hotpluggable(unsigned int cpu);
+
+ /*
+ * The below are tick_nohz_[set,clear]_dep() wrappers that optimize off-cases
+@@ -280,6 +281,7 @@ static inline void tick_nohz_full_add_cp
+
+ static inline void tick_nohz_dep_set_cpu(int cpu, enum tick_dep_bits bit) { }
+ static inline void tick_nohz_dep_clear_cpu(int cpu, enum tick_dep_bits bit) { }
++static inline bool tick_nohz_cpu_hotpluggable(unsigned int cpu) { return true; }
+
+ static inline void tick_dep_set(enum tick_dep_bits bit) { }
+ static inline void tick_dep_clear(enum tick_dep_bits bit) { }
+--- a/kernel/time/tick-sched.c
++++ b/kernel/time/tick-sched.c
+@@ -527,7 +527,7 @@ void __init tick_nohz_full_setup(cpumask
+ tick_nohz_full_running = true;
+ }
+
+-static int tick_nohz_cpu_down(unsigned int cpu)
++bool tick_nohz_cpu_hotpluggable(unsigned int cpu)
+ {
+ /*
+ * The tick_do_timer_cpu CPU handles housekeeping duty (unbound
+@@ -535,8 +535,13 @@ static int tick_nohz_cpu_down(unsigned i
+ * CPUs. It must remain online when nohz full is enabled.
+ */
+ if (tick_nohz_full_running && tick_do_timer_cpu == cpu)
+- return -EBUSY;
+- return 0;
++ return false;
++ return true;
++}
++
++static int tick_nohz_cpu_down(unsigned int cpu)
++{
++ return tick_nohz_cpu_hotpluggable(cpu) ? 0 : -EBUSY;
+ }
+
+ void __init tick_nohz_init(void)
--- /dev/null
+From bd8621ca1510e6e802df9855bdc35a04a3cfa932 Mon Sep 17 00:00:00 2001
+From: Jarkko Sakkinen <jarkko@kernel.org>
+Date: Sun, 23 Apr 2023 18:49:58 +0300
+Subject: tpm: Add !tpm_amd_is_rng_defective() to the hwrng_unregister() call site
+
+From: Jarkko Sakkinen <jarkko@kernel.org>
+
+commit bd8621ca1510e6e802df9855bdc35a04a3cfa932 upstream.
+
+The following crash was reported:
+
+[ 1950.279393] list_del corruption, ffff99560d485790->next is NULL
+[ 1950.279400] ------------[ cut here ]------------
+[ 1950.279401] kernel BUG at lib/list_debug.c:49!
+[ 1950.279405] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
+[ 1950.279407] CPU: 11 PID: 5886 Comm: modprobe Tainted: G O 6.2.8_1 #1
+[ 1950.279409] Hardware name: Gigabyte Technology Co., Ltd. B550M AORUS PRO-P/B550M AORUS PRO-P,
+BIOS F15c 05/11/2022
+[ 1950.279410] RIP: 0010:__list_del_entry_valid+0x59/0xc0
+[ 1950.279415] Code: 48 8b 01 48 39 f8 75 5a 48 8b 72 08 48 39 c6 75 65 b8 01 00 00 00 c3 cc cc cc
+cc 48 89 fe 48 c7 c7 08 a8 13 9e e8 b7 0a bc ff <0f> 0b 48 89 fe 48 c7 c7 38 a8 13 9e e8 a6 0a bc
+ff 0f 0b 48 89 fe
+[ 1950.279416] RSP: 0018:ffffa96d05647e08 EFLAGS: 00010246
+[ 1950.279418] RAX: 0000000000000033 RBX: ffff99560d485750 RCX: 0000000000000000
+[ 1950.279419] RDX: 0000000000000000 RSI: ffffffff9e107c59 RDI: 00000000ffffffff
+[ 1950.279420] RBP: ffffffffc19c5168 R08: 0000000000000000 R09: ffffa96d05647cc8
+[ 1950.279421] R10: 0000000000000003 R11: ffffffff9ea2a568 R12: 0000000000000000
+[ 1950.279422] R13: ffff99560140a2e0 R14: ffff99560127d2e0 R15: 0000000000000000
+[ 1950.279422] FS: 00007f67da795380(0000) GS:ffff995d1f0c0000(0000) knlGS:0000000000000000
+[ 1950.279424] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1950.279424] CR2: 00007f67da7e65c0 CR3: 00000001feed2000 CR4: 0000000000750ee0
+[ 1950.279426] PKRU: 55555554
+[ 1950.279426] Call Trace:
+[ 1950.279428] <TASK>
+[ 1950.279430] hwrng_unregister+0x28/0xe0 [rng_core]
+[ 1950.279436] tpm_chip_unregister+0xd5/0xf0 [tpm]
+
+Add the forgotten !tpm_amd_is_rng_defective() invariant to the
+hwrng_unregister() call site inside tpm_chip_unregister().
+
+Cc: stable@vger.kernel.org
+Reported-by: Martin Dimov <martin@dmarto.com>
+Link: https://lore.kernel.org/linux-integrity/3d1d7e9dbfb8c96125bc93b6b58b90a7@dmarto.com/
+Fixes: f1324bbc4011 ("tpm: disable hwrng for fTPM on some AMD designs")
+Fixes: b006c439d58d ("hwrng: core - start hwrng kthread also for untrusted sources")
+Tested-by: Martin Dimov <martin@dmarto.com>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/tpm/tpm-chip.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/tpm/tpm-chip.c
++++ b/drivers/char/tpm/tpm-chip.c
+@@ -682,7 +682,8 @@ EXPORT_SYMBOL_GPL(tpm_chip_register);
+ void tpm_chip_unregister(struct tpm_chip *chip)
+ {
+ tpm_del_legacy_sysfs(chip);
+- if (IS_ENABLED(CONFIG_HW_RANDOM_TPM) && !tpm_is_firmware_upgrade(chip))
++ if (IS_ENABLED(CONFIG_HW_RANDOM_TPM) && !tpm_is_firmware_upgrade(chip) &&
++ !tpm_amd_is_rng_defective(chip))
+ hwrng_unregister(&chip->hwrng);
+ tpm_bios_log_teardown(chip);
+ if (chip->flags & TPM_CHIP_FLAG_TPM2 && !tpm_is_firmware_upgrade(chip))
--- /dev/null
+From 094fb49a2d0d6827c86d2e0840873e6db0c491d2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= <ilpo.jarvinen@linux.intel.com>
+Date: Fri, 17 Mar 2023 13:33:17 +0200
+Subject: tty: Prevent writing chars during tcsetattr TCSADRAIN/FLUSH
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+commit 094fb49a2d0d6827c86d2e0840873e6db0c491d2 upstream.
+
+If userspace races tcsetattr() with a write, the drained condition
+might not be guaranteed by the kernel. There is a race window after
+checking Tx is empty before tty_set_termios() takes termios_rwsem for
+write. During that race window, more characters can be queued by a
+racing writer.
+
+Any ongoing transmission might produce garbage during HW's
+->set_termios() call. The intent of TCSADRAIN/FLUSH seems to be
+preventing such a character corruption. If those flags are set, take
+tty's write lock to stop any writer before performing the lower layer
+Tx empty check and wait for the pending characters to be sent (if any).
+
+The initial wait for all-writers-done must be placed outside of tty's
+write lock to avoid deadlock which makes it impossible to use
+tty_wait_until_sent(). The write lock is retried if a racing write is
+detected.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Link: https://lore.kernel.org/r/20230317113318.31327-2-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/tty.h | 2 ++
+ drivers/tty/tty_io.c | 4 ++--
+ drivers/tty/tty_ioctl.c | 45 +++++++++++++++++++++++++++++++++------------
+ 3 files changed, 37 insertions(+), 14 deletions(-)
+
+--- a/drivers/tty/tty.h
++++ b/drivers/tty/tty.h
+@@ -62,6 +62,8 @@ int __tty_check_change(struct tty_struct
+ int tty_check_change(struct tty_struct *tty);
+ void __stop_tty(struct tty_struct *tty);
+ void __start_tty(struct tty_struct *tty);
++void tty_write_unlock(struct tty_struct *tty);
++int tty_write_lock(struct tty_struct *tty, int ndelay);
+ void tty_vhangup_session(struct tty_struct *tty);
+ void tty_open_proc_set_tty(struct file *filp, struct tty_struct *tty);
+ int tty_signal_session_leader(struct tty_struct *tty, int exit_session);
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -933,13 +933,13 @@ static ssize_t tty_read(struct kiocb *io
+ return i;
+ }
+
+-static void tty_write_unlock(struct tty_struct *tty)
++void tty_write_unlock(struct tty_struct *tty)
+ {
+ mutex_unlock(&tty->atomic_write_lock);
+ wake_up_interruptible_poll(&tty->write_wait, EPOLLOUT);
+ }
+
+-static int tty_write_lock(struct tty_struct *tty, int ndelay)
++int tty_write_lock(struct tty_struct *tty, int ndelay)
+ {
+ if (!mutex_trylock(&tty->atomic_write_lock)) {
+ if (ndelay)
+--- a/drivers/tty/tty_ioctl.c
++++ b/drivers/tty/tty_ioctl.c
+@@ -500,21 +500,42 @@ static int set_termios(struct tty_struct
+ tmp_termios.c_ispeed = tty_termios_input_baud_rate(&tmp_termios);
+ tmp_termios.c_ospeed = tty_termios_baud_rate(&tmp_termios);
+
+- ld = tty_ldisc_ref(tty);
++ if (opt & (TERMIOS_FLUSH|TERMIOS_WAIT)) {
++retry_write_wait:
++ retval = wait_event_interruptible(tty->write_wait, !tty_chars_in_buffer(tty));
++ if (retval < 0)
++ return retval;
+
+- if (ld != NULL) {
+- if ((opt & TERMIOS_FLUSH) && ld->ops->flush_buffer)
+- ld->ops->flush_buffer(tty);
+- tty_ldisc_deref(ld);
+- }
++ if (tty_write_lock(tty, 0) < 0)
++ goto retry_write_wait;
+
+- if (opt & TERMIOS_WAIT) {
+- tty_wait_until_sent(tty, 0);
+- if (signal_pending(current))
+- return -ERESTARTSYS;
+- }
++ /* Racing writer? */
++ if (tty_chars_in_buffer(tty)) {
++ tty_write_unlock(tty);
++ goto retry_write_wait;
++ }
++
++ ld = tty_ldisc_ref(tty);
++ if (ld != NULL) {
++ if ((opt & TERMIOS_FLUSH) && ld->ops->flush_buffer)
++ ld->ops->flush_buffer(tty);
++ tty_ldisc_deref(ld);
++ }
+
+- tty_set_termios(tty, &tmp_termios);
++ if ((opt & TERMIOS_WAIT) && tty->ops->wait_until_sent) {
++ tty->ops->wait_until_sent(tty, 0);
++ if (signal_pending(current)) {
++ tty_write_unlock(tty);
++ return -ERESTARTSYS;
++ }
++ }
++
++ tty_set_termios(tty, &tmp_termios);
++
++ tty_write_unlock(tty);
++ } else {
++ tty_set_termios(tty, &tmp_termios);
++ }
+
+ /* FIXME: Arguably if tmp_termios == tty->termios AND the
+ actual requested termios was not tmp_termios then we may
--- /dev/null
+From 9a8ad10c9f2e0925ff26308ec6756b93fc2f4977 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Tue, 4 Apr 2023 09:25:14 +0200
+Subject: USB: dwc3: fix runtime pm imbalance on probe errors
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 9a8ad10c9f2e0925ff26308ec6756b93fc2f4977 upstream.
+
+Make sure not to suspend the device when probe fails to avoid disabling
+clocks and phys multiple times.
+
+Fixes: 328082376aea ("usb: dwc3: fix runtime PM in error path")
+Cc: stable@vger.kernel.org # 4.8
+Cc: Roger Quadros <rogerq@ti.com>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20230404072524.19014-2-johan+linaro@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/core.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -1883,13 +1883,11 @@ static int dwc3_probe(struct platform_de
+ spin_lock_init(&dwc->lock);
+ mutex_init(&dwc->mutex);
+
++ pm_runtime_get_noresume(dev);
+ pm_runtime_set_active(dev);
+ pm_runtime_use_autosuspend(dev);
+ pm_runtime_set_autosuspend_delay(dev, DWC3_DEFAULT_AUTOSUSPEND_DELAY);
+ pm_runtime_enable(dev);
+- ret = pm_runtime_get_sync(dev);
+- if (ret < 0)
+- goto err1;
+
+ pm_runtime_forbid(dev);
+
+@@ -1954,12 +1952,10 @@ err3:
+ dwc3_free_event_buffers(dwc);
+
+ err2:
+- pm_runtime_allow(&pdev->dev);
+-
+-err1:
+- pm_runtime_put_sync(&pdev->dev);
+- pm_runtime_disable(&pdev->dev);
+-
++ pm_runtime_allow(dev);
++ pm_runtime_disable(dev);
++ pm_runtime_set_suspended(dev);
++ pm_runtime_put_noidle(dev);
+ disable_clks:
+ dwc3_clk_disable(dwc);
+ assert_reset:
--- /dev/null
+From 44d257e9012ee8040e41d224d0e5bfb5ef5427ea Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Tue, 4 Apr 2023 09:25:15 +0200
+Subject: USB: dwc3: fix runtime pm imbalance on unbind
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 44d257e9012ee8040e41d224d0e5bfb5ef5427ea upstream.
+
+Make sure to balance the runtime PM usage count on driver unbind by
+adding back the pm_runtime_allow() call that had been erroneously
+removed.
+
+Fixes: 266d0493900a ("usb: dwc3: core: don't trigger runtime pm when remove driver")
+Cc: stable@vger.kernel.org # 5.9
+Cc: Li Jun <jun.li@nxp.com>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20230404072524.19014-3-johan+linaro@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -1979,6 +1979,7 @@ static int dwc3_remove(struct platform_d
+ dwc3_core_exit(dwc);
+ dwc3_ulpi_exit(dwc);
+
++ pm_runtime_allow(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
+ pm_runtime_put_noidle(&pdev->dev);
+ pm_runtime_set_suspended(&pdev->dev);
--- /dev/null
+From 02435a739b81ae24aff5d6e930efef9458e2af3c Mon Sep 17 00:00:00 2001
+From: Wesley Cheng <quic_wcheng@quicinc.com>
+Date: Thu, 13 Apr 2023 12:57:40 -0700
+Subject: usb: dwc3: gadget: Stall and restart EP0 if host is unresponsive
+
+From: Wesley Cheng <quic_wcheng@quicinc.com>
+
+commit 02435a739b81ae24aff5d6e930efef9458e2af3c upstream.
+
+It was observed that there are hosts that may complete pending SETUP
+transactions before the stop active transfers and controller halt occurs,
+leading to lingering endxfer commands on DEPs on subsequent pullup/gadget
+start iterations.
+
+ dwc3_gadget_ep_disable name=ep8in flags=0x3009 direction=1
+ dwc3_gadget_ep_disable name=ep4in flags=1 direction=1
+ dwc3_gadget_ep_disable name=ep3out flags=1 direction=0
+ usb_gadget_disconnect deactivated=0 connected=0 ret=0
+
+The sequence shows that the USB gadget disconnect (dwc3_gadget_pullup(0))
+routine completed successfully, allowing for the USB gadget to proceed with
+a USB gadget connect. However, if this occurs the system runs into an
+issue where:
+
+ BUG: spinlock already unlocked on CPU
+ spin_bug+0x0
+ dwc3_remove_requests+0x278
+ dwc3_ep0_out_start+0xb0
+ __dwc3_gadget_start+0x25c
+
+This is due to the pending endxfers, leading to gadget start (w/o lock
+held) to execute the remove requests, which will unlock the dwc3
+spinlock as part of giveback.
+
+To mitigate this, resolve the pending endxfers on the pullup disable
+path by re-locating the SETUP phase check after stop active transfers, since
+that is where the DWC3_EP_DELAY_STOP is potentially set. This also allows
+for handling of a host that may be unresponsive by using the completion
+timeout to trigger the stall and restart for EP0.
+
+Fixes: c96683798e27 ("usb: dwc3: ep0: Don't prepare beyond Setup stage")
+Cc: stable@vger.kernel.org
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Signed-off-by: Wesley Cheng <quic_wcheng@quicinc.com>
+Link: https://lore.kernel.org/r/20230413195742.11821-2-quic_wcheng@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/gadget.c | 49 ++++++++++++++++++++++++++++++----------------
+ 1 file changed, 32 insertions(+), 17 deletions(-)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -2532,29 +2532,17 @@ static int __dwc3_gadget_start(struct dw
+ static int dwc3_gadget_soft_disconnect(struct dwc3 *dwc)
+ {
+ unsigned long flags;
++ int ret;
+
+ spin_lock_irqsave(&dwc->lock, flags);
+ dwc->connected = false;
+
+ /*
+- * Per databook, when we want to stop the gadget, if a control transfer
+- * is still in process, complete it and get the core into setup phase.
++ * Attempt to end pending SETUP status phase, and not wait for the
++ * function to do so.
+ */
+- if (dwc->ep0state != EP0_SETUP_PHASE) {
+- int ret;
+-
+- if (dwc->delayed_status)
+- dwc3_ep0_send_delayed_status(dwc);
+-
+- reinit_completion(&dwc->ep0_in_setup);
+-
+- spin_unlock_irqrestore(&dwc->lock, flags);
+- ret = wait_for_completion_timeout(&dwc->ep0_in_setup,
+- msecs_to_jiffies(DWC3_PULL_UP_TIMEOUT));
+- spin_lock_irqsave(&dwc->lock, flags);
+- if (ret == 0)
+- dev_warn(dwc->dev, "timed out waiting for SETUP phase\n");
+- }
++ if (dwc->delayed_status)
++ dwc3_ep0_send_delayed_status(dwc);
+
+ /*
+ * In the Synopsys DesignWare Cores USB3 Databook Rev. 3.30a
+@@ -2568,6 +2556,33 @@ static int dwc3_gadget_soft_disconnect(s
+ spin_unlock_irqrestore(&dwc->lock, flags);
+
+ /*
++ * Per databook, when we want to stop the gadget, if a control transfer
++ * is still in process, complete it and get the core into setup phase.
++ * In case the host is unresponsive to a SETUP transaction, forcefully
++ * stall the transfer, and move back to the SETUP phase, so that any
++ * pending endxfers can be executed.
++ */
++ if (dwc->ep0state != EP0_SETUP_PHASE) {
++ reinit_completion(&dwc->ep0_in_setup);
++
++ ret = wait_for_completion_timeout(&dwc->ep0_in_setup,
++ msecs_to_jiffies(DWC3_PULL_UP_TIMEOUT));
++ if (ret == 0) {
++ unsigned int dir;
++
++ dev_warn(dwc->dev, "wait for SETUP phase timed out\n");
++ spin_lock_irqsave(&dwc->lock, flags);
++ dir = !!dwc->ep0_expect_in;
++ if (dwc->ep0state == EP0_DATA_PHASE)
++ dwc3_ep0_end_control_data(dwc, dwc->eps[dir]);
++ else
++ dwc3_ep0_end_control_data(dwc, dwc->eps[!dir]);
++ dwc3_ep0_stall_and_restart(dwc);
++ spin_unlock_irqrestore(&dwc->lock, flags);
++ }
++ }
++
++ /*
+ * Note: if the GEVNTCOUNT indicates events in the event buffer, the
+ * driver needs to acknowledge them before the controller can halt.
+ * Simply let the interrupt handler acknowledges and handle the
--- /dev/null
+From 0db213ea8eed5534a5169e807f28103cbc9d23df Mon Sep 17 00:00:00 2001
+From: Badhri Jagan Sridharan <badhri@google.com>
+Date: Fri, 7 Apr 2023 03:07:40 +0000
+Subject: usb: gadget: udc: core: Invoke usb_gadget_connect only when started
+
+From: Badhri Jagan Sridharan <badhri@google.com>
+
+commit 0db213ea8eed5534a5169e807f28103cbc9d23df upstream.
+
+usb_udc_connect_control does not check to see if the udc has already
+been started. This causes gadget->ops->pullup to be called through
+usb_gadget_connect when invoked from usb_udc_vbus_handler even before
+usb_gadget_udc_start is called. Guard this by checking for udc->started
+in usb_udc_connect_control before invoking usb_gadget_connect.
+
+Guarding udc->vbus, udc->started, gadget->connect, gadget->deactivate
+related functions with connect_lock. usb_gadget_connect_locked,
+usb_gadget_disconnect_locked, usb_udc_connect_control_locked,
+usb_gadget_udc_start_locked, usb_gadget_udc_stop_locked are called with
+this lock held as they can be simulataneously invoked from different code
+paths.
+
+Adding an additional check to make sure udc is started(udc->started)
+before pullup callback is invoked.
+
+Fixes: 628ef0d273a6 ("usb: udc: add usb_udc_vbus_handler")
+Cc: stable@vger.kernel.org
+Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
+Link: https://lore.kernel.org/r/20230407030741.3163220-1-badhri@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/core.c | 148 +++++++++++++++++++++++++++++-------------
+ 1 file changed, 104 insertions(+), 44 deletions(-)
+
+--- a/drivers/usb/gadget/udc/core.c
++++ b/drivers/usb/gadget/udc/core.c
+@@ -37,6 +37,10 @@ static struct bus_type gadget_bus_type;
+ * @vbus: for udcs who care about vbus status, this value is real vbus status;
+ * for udcs who do not care about vbus status, this value is always true
+ * @started: the UDC's started state. True if the UDC had started.
++ * @connect_lock: protects udc->vbus, udc->started, gadget->connect, gadget->deactivate related
++ * functions. usb_gadget_connect_locked, usb_gadget_disconnect_locked,
++ * usb_udc_connect_control_locked, usb_gadget_udc_start_locked, usb_gadget_udc_stop_locked are
++ * called with this lock held.
+ *
+ * This represents the internal data structure which is used by the UDC-class
+ * to hold information about udc driver and gadget together.
+@@ -48,6 +52,7 @@ struct usb_udc {
+ struct list_head list;
+ bool vbus;
+ bool started;
++ struct mutex connect_lock;
+ };
+
+ static struct class *udc_class;
+@@ -660,17 +665,9 @@ out:
+ }
+ EXPORT_SYMBOL_GPL(usb_gadget_vbus_disconnect);
+
+-/**
+- * usb_gadget_connect - software-controlled connect to USB host
+- * @gadget:the peripheral being connected
+- *
+- * Enables the D+ (or potentially D-) pullup. The host will start
+- * enumerating this gadget when the pullup is active and a VBUS session
+- * is active (the link is powered).
+- *
+- * Returns zero on success, else negative errno.
+- */
+-int usb_gadget_connect(struct usb_gadget *gadget)
++/* Internal version of usb_gadget_connect needs to be called with connect_lock held. */
++static int usb_gadget_connect_locked(struct usb_gadget *gadget)
++ __must_hold(&gadget->udc->connect_lock)
+ {
+ int ret = 0;
+
+@@ -679,10 +676,12 @@ int usb_gadget_connect(struct usb_gadget
+ goto out;
+ }
+
+- if (gadget->deactivated) {
++ if (gadget->deactivated || !gadget->udc->started) {
+ /*
+ * If gadget is deactivated we only save new state.
+ * Gadget will be connected automatically after activation.
++ *
++ * udc first needs to be started before gadget can be pulled up.
+ */
+ gadget->connected = true;
+ goto out;
+@@ -697,22 +696,32 @@ out:
+
+ return ret;
+ }
+-EXPORT_SYMBOL_GPL(usb_gadget_connect);
+
+ /**
+- * usb_gadget_disconnect - software-controlled disconnect from USB host
+- * @gadget:the peripheral being disconnected
+- *
+- * Disables the D+ (or potentially D-) pullup, which the host may see
+- * as a disconnect (when a VBUS session is active). Not all systems
+- * support software pullup controls.
++ * usb_gadget_connect - software-controlled connect to USB host
++ * @gadget:the peripheral being connected
+ *
+- * Following a successful disconnect, invoke the ->disconnect() callback
+- * for the current gadget driver so that UDC drivers don't need to.
++ * Enables the D+ (or potentially D-) pullup. The host will start
++ * enumerating this gadget when the pullup is active and a VBUS session
++ * is active (the link is powered).
+ *
+ * Returns zero on success, else negative errno.
+ */
+-int usb_gadget_disconnect(struct usb_gadget *gadget)
++int usb_gadget_connect(struct usb_gadget *gadget)
++{
++ int ret;
++
++ mutex_lock(&gadget->udc->connect_lock);
++ ret = usb_gadget_connect_locked(gadget);
++ mutex_unlock(&gadget->udc->connect_lock);
++
++ return ret;
++}
++EXPORT_SYMBOL_GPL(usb_gadget_connect);
++
++/* Internal version of usb_gadget_disconnect needs to be called with connect_lock held. */
++static int usb_gadget_disconnect_locked(struct usb_gadget *gadget)
++ __must_hold(&gadget->udc->connect_lock)
+ {
+ int ret = 0;
+
+@@ -724,10 +733,12 @@ int usb_gadget_disconnect(struct usb_gad
+ if (!gadget->connected)
+ goto out;
+
+- if (gadget->deactivated) {
++ if (gadget->deactivated || !gadget->udc->started) {
+ /*
+ * If gadget is deactivated we only save new state.
+ * Gadget will stay disconnected after activation.
++ *
++ * udc should have been started before gadget being pulled down.
+ */
+ gadget->connected = false;
+ goto out;
+@@ -747,6 +758,30 @@ out:
+
+ return ret;
+ }
++
++/**
++ * usb_gadget_disconnect - software-controlled disconnect from USB host
++ * @gadget:the peripheral being disconnected
++ *
++ * Disables the D+ (or potentially D-) pullup, which the host may see
++ * as a disconnect (when a VBUS session is active). Not all systems
++ * support software pullup controls.
++ *
++ * Following a successful disconnect, invoke the ->disconnect() callback
++ * for the current gadget driver so that UDC drivers don't need to.
++ *
++ * Returns zero on success, else negative errno.
++ */
++int usb_gadget_disconnect(struct usb_gadget *gadget)
++{
++ int ret;
++
++ mutex_lock(&gadget->udc->connect_lock);
++ ret = usb_gadget_disconnect_locked(gadget);
++ mutex_unlock(&gadget->udc->connect_lock);
++
++ return ret;
++}
+ EXPORT_SYMBOL_GPL(usb_gadget_disconnect);
+
+ /**
+@@ -767,10 +802,11 @@ int usb_gadget_deactivate(struct usb_gad
+ if (gadget->deactivated)
+ goto out;
+
++ mutex_lock(&gadget->udc->connect_lock);
+ if (gadget->connected) {
+- ret = usb_gadget_disconnect(gadget);
++ ret = usb_gadget_disconnect_locked(gadget);
+ if (ret)
+- goto out;
++ goto unlock;
+
+ /*
+ * If gadget was being connected before deactivation, we want
+@@ -780,6 +816,8 @@ int usb_gadget_deactivate(struct usb_gad
+ }
+ gadget->deactivated = true;
+
++unlock:
++ mutex_unlock(&gadget->udc->connect_lock);
+ out:
+ trace_usb_gadget_deactivate(gadget, ret);
+
+@@ -803,6 +841,7 @@ int usb_gadget_activate(struct usb_gadge
+ if (!gadget->deactivated)
+ goto out;
+
++ mutex_lock(&gadget->udc->connect_lock);
+ gadget->deactivated = false;
+
+ /*
+@@ -810,7 +849,8 @@ int usb_gadget_activate(struct usb_gadge
+ * while it was being deactivated, we call usb_gadget_connect().
+ */
+ if (gadget->connected)
+- ret = usb_gadget_connect(gadget);
++ ret = usb_gadget_connect_locked(gadget);
++ mutex_unlock(&gadget->udc->connect_lock);
+
+ out:
+ trace_usb_gadget_activate(gadget, ret);
+@@ -1051,12 +1091,13 @@ EXPORT_SYMBOL_GPL(usb_gadget_set_state);
+
+ /* ------------------------------------------------------------------------- */
+
+-static void usb_udc_connect_control(struct usb_udc *udc)
++/* Acquire connect_lock before calling this function. */
++static void usb_udc_connect_control_locked(struct usb_udc *udc) __must_hold(&udc->connect_lock)
+ {
+- if (udc->vbus)
+- usb_gadget_connect(udc->gadget);
++ if (udc->vbus && udc->started)
++ usb_gadget_connect_locked(udc->gadget);
+ else
+- usb_gadget_disconnect(udc->gadget);
++ usb_gadget_disconnect_locked(udc->gadget);
+ }
+
+ /**
+@@ -1072,10 +1113,12 @@ void usb_udc_vbus_handler(struct usb_gad
+ {
+ struct usb_udc *udc = gadget->udc;
+
++ mutex_lock(&udc->connect_lock);
+ if (udc) {
+ udc->vbus = status;
+- usb_udc_connect_control(udc);
++ usb_udc_connect_control_locked(udc);
+ }
++ mutex_unlock(&udc->connect_lock);
+ }
+ EXPORT_SYMBOL_GPL(usb_udc_vbus_handler);
+
+@@ -1097,7 +1140,7 @@ void usb_gadget_udc_reset(struct usb_gad
+ EXPORT_SYMBOL_GPL(usb_gadget_udc_reset);
+
+ /**
+- * usb_gadget_udc_start - tells usb device controller to start up
++ * usb_gadget_udc_start_locked - tells usb device controller to start up
+ * @udc: The UDC to be started
+ *
+ * This call is issued by the UDC Class driver when it's about
+@@ -1108,8 +1151,11 @@ EXPORT_SYMBOL_GPL(usb_gadget_udc_reset);
+ * necessary to have it powered on.
+ *
+ * Returns zero on success, else negative errno.
++ *
++ * Caller should acquire connect_lock before invoking this function.
+ */
+-static inline int usb_gadget_udc_start(struct usb_udc *udc)
++static inline int usb_gadget_udc_start_locked(struct usb_udc *udc)
++ __must_hold(&udc->connect_lock)
+ {
+ int ret;
+
+@@ -1126,7 +1172,7 @@ static inline int usb_gadget_udc_start(s
+ }
+
+ /**
+- * usb_gadget_udc_stop - tells usb device controller we don't need it anymore
++ * usb_gadget_udc_stop_locked - tells usb device controller we don't need it anymore
+ * @udc: The UDC to be stopped
+ *
+ * This call is issued by the UDC Class driver after calling
+@@ -1135,8 +1181,11 @@ static inline int usb_gadget_udc_start(s
+ * The details are implementation specific, but it can go as
+ * far as powering off UDC completely and disable its data
+ * line pullups.
++ *
++ * Caller should acquire connect lock before invoking this function.
+ */
+-static inline void usb_gadget_udc_stop(struct usb_udc *udc)
++static inline void usb_gadget_udc_stop_locked(struct usb_udc *udc)
++ __must_hold(&udc->connect_lock)
+ {
+ if (!udc->started) {
+ dev_err(&udc->dev, "UDC had already stopped\n");
+@@ -1295,6 +1344,7 @@ int usb_add_gadget(struct usb_gadget *ga
+
+ udc->gadget = gadget;
+ gadget->udc = udc;
++ mutex_init(&udc->connect_lock);
+
+ udc->started = false;
+
+@@ -1496,11 +1546,15 @@ static int gadget_bind_driver(struct dev
+ if (ret)
+ goto err_bind;
+
+- ret = usb_gadget_udc_start(udc);
+- if (ret)
++ mutex_lock(&udc->connect_lock);
++ ret = usb_gadget_udc_start_locked(udc);
++ if (ret) {
++ mutex_unlock(&udc->connect_lock);
+ goto err_start;
++ }
+ usb_gadget_enable_async_callbacks(udc);
+- usb_udc_connect_control(udc);
++ usb_udc_connect_control_locked(udc);
++ mutex_unlock(&udc->connect_lock);
+
+ kobject_uevent(&udc->dev.kobj, KOBJ_CHANGE);
+ return 0;
+@@ -1531,12 +1585,14 @@ static void gadget_unbind_driver(struct
+
+ kobject_uevent(&udc->dev.kobj, KOBJ_CHANGE);
+
+- usb_gadget_disconnect(gadget);
++ mutex_lock(&udc->connect_lock);
++ usb_gadget_disconnect_locked(gadget);
+ usb_gadget_disable_async_callbacks(udc);
+ if (gadget->irq)
+ synchronize_irq(gadget->irq);
+ udc->driver->unbind(gadget);
+- usb_gadget_udc_stop(udc);
++ usb_gadget_udc_stop_locked(udc);
++ mutex_unlock(&udc->connect_lock);
+
+ mutex_lock(&udc_lock);
+ driver->is_bound = false;
+@@ -1622,11 +1678,15 @@ static ssize_t soft_connect_store(struct
+ }
+
+ if (sysfs_streq(buf, "connect")) {
+- usb_gadget_udc_start(udc);
+- usb_gadget_connect(udc->gadget);
++ mutex_lock(&udc->connect_lock);
++ usb_gadget_udc_start_locked(udc);
++ usb_gadget_connect_locked(udc->gadget);
++ mutex_unlock(&udc->connect_lock);
+ } else if (sysfs_streq(buf, "disconnect")) {
+- usb_gadget_disconnect(udc->gadget);
+- usb_gadget_udc_stop(udc);
++ mutex_lock(&udc->connect_lock);
++ usb_gadget_disconnect_locked(udc->gadget);
++ usb_gadget_udc_stop_locked(udc);
++ mutex_unlock(&udc->connect_lock);
+ } else {
+ dev_err(dev, "unsupported command '%s'\n", buf);
+ ret = -EINVAL;
--- /dev/null
+From a3afbf5cc887fc3401f012fe629810998ed61859 Mon Sep 17 00:00:00 2001
+From: Badhri Jagan Sridharan <badhri@google.com>
+Date: Fri, 7 Apr 2023 03:07:41 +0000
+Subject: usb: gadget: udc: core: Prevent redundant calls to pullup
+
+From: Badhri Jagan Sridharan <badhri@google.com>
+
+commit a3afbf5cc887fc3401f012fe629810998ed61859 upstream.
+
+usb_gadget_connect calls gadget->ops->pullup without checking whether
+gadget->connected was previously set. Make this symmetric to
+usb_gadget_disconnect by returning early if gadget->connected is
+already set.
+
+Fixes: 5a1da544e572 ("usb: gadget: core: do not try to disconnect gadget if it is not connected")
+Cc: stable@vger.kernel.org
+Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
+Link: https://lore.kernel.org/r/20230407030741.3163220-2-badhri@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/gadget/udc/core.c
++++ b/drivers/usb/gadget/udc/core.c
+@@ -676,6 +676,9 @@ static int usb_gadget_connect_locked(str
+ goto out;
+ }
+
++ if (gadget->connected)
++ goto out;
++
+ if (gadget->deactivated || !gadget->udc->started) {
+ /*
+ * If gadget is deactivated we only save new state.
--- /dev/null
+From 5b8ccdfb943f6a03c676d2ea816dd38c149e920b Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Fri, 14 Apr 2023 14:10:54 +0200
+Subject: wifi: mt76: add missing locking to protect against concurrent rx/status calls
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit 5b8ccdfb943f6a03c676d2ea816dd38c149e920b upstream.
+
+According to the documentation, ieee80211_rx_list must not run concurrently
+with ieee80211_tx_status (or its variants).
+
+Cc: stable@vger.kernel.org
+Fixes: 88046b2c9f6d ("mt76: add support for reporting tx status with skb")
+Reported-by: Brian Coverstone <brian@mainsequence.net>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/dma.c | 2 ++
+ drivers/net/wireless/mediatek/mt76/mt7603/mac.c | 5 ++++-
+ drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 5 ++++-
+ drivers/net/wireless/mediatek/mt76/mt76x02_mac.c | 5 ++++-
+ drivers/net/wireless/mediatek/mt76/tx.c | 4 ++++
+ 5 files changed, 18 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/dma.c
++++ b/drivers/net/wireless/mediatek/mt76/dma.c
+@@ -576,7 +576,9 @@ free:
+ free_skb:
+ status.skb = tx_info.skb;
+ hw = mt76_tx_status_get_hw(dev, tx_info.skb);
++ spin_lock_bh(&dev->rx_lock);
+ ieee80211_tx_status_ext(hw, &status);
++ spin_unlock_bh(&dev->rx_lock);
+
+ return ret;
+ }
+--- a/drivers/net/wireless/mediatek/mt76/mt7603/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7603/mac.c
+@@ -1279,8 +1279,11 @@ void mt7603_mac_add_txs(struct mt7603_de
+ if (wcidx >= MT7603_WTBL_STA || !sta)
+ goto out;
+
+- if (mt7603_fill_txs(dev, msta, &info, txs_data))
++ if (mt7603_fill_txs(dev, msta, &info, txs_data)) {
++ spin_lock_bh(&dev->mt76.rx_lock);
+ ieee80211_tx_status_noskb(mt76_hw(dev), sta, &info);
++ spin_unlock_bh(&dev->mt76.rx_lock);
++ }
+
+ out:
+ rcu_read_unlock();
+--- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
+@@ -1530,8 +1530,11 @@ static void mt7615_mac_add_txs(struct mt
+ if (wcid->phy_idx && dev->mt76.phys[MT_BAND1])
+ mphy = dev->mt76.phys[MT_BAND1];
+
+- if (mt7615_fill_txs(dev, msta, &info, txs_data))
++ if (mt7615_fill_txs(dev, msta, &info, txs_data)) {
++ spin_lock_bh(&dev->mt76.rx_lock);
+ ieee80211_tx_status_noskb(mphy->hw, sta, &info);
++ spin_unlock_bh(&dev->mt76.rx_lock);
++ }
+
+ out:
+ rcu_read_unlock();
+--- a/drivers/net/wireless/mediatek/mt76/mt76x02_mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76x02_mac.c
+@@ -631,8 +631,11 @@ void mt76x02_send_tx_status(struct mt76x
+
+ mt76_tx_status_unlock(mdev, &list);
+
+- if (!status.skb)
++ if (!status.skb) {
++ spin_lock_bh(&dev->mt76.rx_lock);
+ ieee80211_tx_status_ext(mt76_hw(dev), &status);
++ spin_unlock_bh(&dev->mt76.rx_lock);
++ }
+
+ if (!len)
+ goto out;
+--- a/drivers/net/wireless/mediatek/mt76/tx.c
++++ b/drivers/net/wireless/mediatek/mt76/tx.c
+@@ -77,7 +77,9 @@ mt76_tx_status_unlock(struct mt76_dev *d
+ }
+
+ hw = mt76_tx_status_get_hw(dev, skb);
++ spin_lock_bh(&dev->rx_lock);
+ ieee80211_tx_status_ext(hw, &status);
++ spin_unlock_bh(&dev->rx_lock);
+ }
+ rcu_read_unlock();
+ }
+@@ -263,7 +265,9 @@ void __mt76_tx_complete_skb(struct mt76_
+ if (cb->pktid < MT_PACKET_ID_FIRST) {
+ hw = mt76_tx_status_get_hw(dev, skb);
+ status.sta = wcid_to_sta(wcid);
++ spin_lock_bh(&dev->rx_lock);
+ ieee80211_tx_status_ext(hw, &status);
++ spin_unlock_bh(&dev->rx_lock);
+ goto out;
+ }
+
--- /dev/null
+From 09d4d6da1b65d09414e7bce61459593f3c80ead1 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Wed, 29 Mar 2023 14:57:58 -0500
+Subject: wifi: mt76: mt7921e: Set memory space enable in PCI_COMMAND if unset
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit 09d4d6da1b65d09414e7bce61459593f3c80ead1 upstream.
+
+When the BIOS has been configured for Fast Boot, systems with mt7921e
+have non-functional wifi. Turning on Fast boot caused both bus master
+enable and memory space enable bits in PCI_COMMAND not to get configured.
+
+The mt7921 driver already sets bus master enable, but explicitly check
+and set memory access enable as well to fix this problem.
+
+Tested-by: Anson Tsao <anson.tsao@amd.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Acked-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7921/pci.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/pci.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/pci.c
+@@ -263,6 +263,7 @@ static int mt7921_pci_probe(struct pci_d
+ struct mt76_dev *mdev;
+ u8 features;
+ int ret;
++ u16 cmd;
+
+ ret = pcim_enable_device(pdev);
+ if (ret)
+@@ -272,6 +273,11 @@ static int mt7921_pci_probe(struct pci_d
+ if (ret)
+ return ret;
+
++ pci_read_config_word(pdev, PCI_COMMAND, &cmd);
++ if (!(cmd & PCI_COMMAND_MEMORY)) {
++ cmd |= PCI_COMMAND_MEMORY;
++ pci_write_config_word(pdev, PCI_COMMAND, cmd);
++ }
+ pci_set_master(pdev);
+
+ ret = pci_alloc_irq_vectors(pdev, 1, 1, PCI_IRQ_ALL_TYPES);
--- /dev/null
+From a6f187f92bcc2b17821538b4a11d61764e68b091 Mon Sep 17 00:00:00 2001
+From: Sascha Hauer <s.hauer@pengutronix.de>
+Date: Mon, 17 Apr 2023 16:03:55 +0200
+Subject: wifi: rtw88: usb: fix priority queue to endpoint mapping
+
+From: Sascha Hauer <s.hauer@pengutronix.de>
+
+commit a6f187f92bcc2b17821538b4a11d61764e68b091 upstream.
+
+The RTW88 chipsets have four different priority queues in hardware. For
+the USB type chipsets the packets destined for a specific priority queue
+must be sent through the endpoint corresponding to the queue. This was
+not fully understood when porting from the RTW88 USB out of tree driver
+and thus violated.
+
+This patch implements the qsel to endpoint mapping as in
+get_usb_bulkout_id_88xx() in the downstream driver.
+
+Without this the driver often issues "timed out to flush queue 3"
+warnings and often TX stalls completely.
+
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Tested-by: ValdikSS <iam@valdikss.org.ru>
+Tested-by: Alexandru gagniuc <mr.nuke.me@gmail.com>
+Tested-by: Larry Finger <Larry.Finger@lwfinger.net>
+Cc: stable@vger.kernel.org
+Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20230417140358.2240429-2-s.hauer@pengutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/realtek/rtw88/usb.c | 70 ++++++++++++++++++++-----------
+ 1 file changed, 47 insertions(+), 23 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtw88/usb.c
++++ b/drivers/net/wireless/realtek/rtw88/usb.c
+@@ -118,6 +118,22 @@ static void rtw_usb_write32(struct rtw_d
+ rtw_usb_write(rtwdev, addr, val, 4);
+ }
+
++static int dma_mapping_to_ep(enum rtw_dma_mapping dma_mapping)
++{
++ switch (dma_mapping) {
++ case RTW_DMA_MAPPING_HIGH:
++ return 0;
++ case RTW_DMA_MAPPING_NORMAL:
++ return 1;
++ case RTW_DMA_MAPPING_LOW:
++ return 2;
++ case RTW_DMA_MAPPING_EXTRA:
++ return 3;
++ default:
++ return -EINVAL;
++ }
++}
++
+ static int rtw_usb_parse(struct rtw_dev *rtwdev,
+ struct usb_interface *interface)
+ {
+@@ -129,6 +145,8 @@ static int rtw_usb_parse(struct rtw_dev
+ int num_out_pipes = 0;
+ int i;
+ u8 num;
++ const struct rtw_chip_info *chip = rtwdev->chip;
++ const struct rtw_rqpn *rqpn;
+
+ for (i = 0; i < interface_desc->bNumEndpoints; i++) {
+ endpoint = &host_interface->endpoint[i].desc;
+@@ -183,31 +201,34 @@ static int rtw_usb_parse(struct rtw_dev
+
+ rtwdev->hci.bulkout_num = num_out_pipes;
+
+- switch (num_out_pipes) {
+- case 4:
+- case 3:
+- rtwusb->qsel_to_ep[TX_DESC_QSEL_TID0] = 2;
+- rtwusb->qsel_to_ep[TX_DESC_QSEL_TID1] = 2;
+- rtwusb->qsel_to_ep[TX_DESC_QSEL_TID2] = 2;
+- rtwusb->qsel_to_ep[TX_DESC_QSEL_TID3] = 2;
+- rtwusb->qsel_to_ep[TX_DESC_QSEL_TID4] = 1;
+- rtwusb->qsel_to_ep[TX_DESC_QSEL_TID5] = 1;
+- rtwusb->qsel_to_ep[TX_DESC_QSEL_TID6] = 0;
+- rtwusb->qsel_to_ep[TX_DESC_QSEL_TID7] = 0;
+- break;
+- case 2:
+- rtwusb->qsel_to_ep[TX_DESC_QSEL_TID0] = 1;
+- rtwusb->qsel_to_ep[TX_DESC_QSEL_TID1] = 1;
+- rtwusb->qsel_to_ep[TX_DESC_QSEL_TID2] = 1;
+- rtwusb->qsel_to_ep[TX_DESC_QSEL_TID3] = 1;
+- break;
+- case 1:
+- break;
+- default:
+- rtw_err(rtwdev, "failed to get out_pipes(%d)\n", num_out_pipes);
++ if (num_out_pipes < 1 || num_out_pipes > 4) {
++ rtw_err(rtwdev, "invalid number of endpoints %d\n", num_out_pipes);
+ return -EINVAL;
+ }
+
++ rqpn = &chip->rqpn_table[num_out_pipes];
++
++ rtwusb->qsel_to_ep[TX_DESC_QSEL_TID0] = dma_mapping_to_ep(rqpn->dma_map_be);
++ rtwusb->qsel_to_ep[TX_DESC_QSEL_TID1] = dma_mapping_to_ep(rqpn->dma_map_bk);
++ rtwusb->qsel_to_ep[TX_DESC_QSEL_TID2] = dma_mapping_to_ep(rqpn->dma_map_bk);
++ rtwusb->qsel_to_ep[TX_DESC_QSEL_TID3] = dma_mapping_to_ep(rqpn->dma_map_be);
++ rtwusb->qsel_to_ep[TX_DESC_QSEL_TID4] = dma_mapping_to_ep(rqpn->dma_map_vi);
++ rtwusb->qsel_to_ep[TX_DESC_QSEL_TID5] = dma_mapping_to_ep(rqpn->dma_map_vi);
++ rtwusb->qsel_to_ep[TX_DESC_QSEL_TID6] = dma_mapping_to_ep(rqpn->dma_map_vo);
++ rtwusb->qsel_to_ep[TX_DESC_QSEL_TID7] = dma_mapping_to_ep(rqpn->dma_map_vo);
++ rtwusb->qsel_to_ep[TX_DESC_QSEL_TID8] = -EINVAL;
++ rtwusb->qsel_to_ep[TX_DESC_QSEL_TID9] = -EINVAL;
++ rtwusb->qsel_to_ep[TX_DESC_QSEL_TID10] = -EINVAL;
++ rtwusb->qsel_to_ep[TX_DESC_QSEL_TID11] = -EINVAL;
++ rtwusb->qsel_to_ep[TX_DESC_QSEL_TID12] = -EINVAL;
++ rtwusb->qsel_to_ep[TX_DESC_QSEL_TID13] = -EINVAL;
++ rtwusb->qsel_to_ep[TX_DESC_QSEL_TID14] = -EINVAL;
++ rtwusb->qsel_to_ep[TX_DESC_QSEL_TID15] = -EINVAL;
++ rtwusb->qsel_to_ep[TX_DESC_QSEL_BEACON] = dma_mapping_to_ep(rqpn->dma_map_hi);
++ rtwusb->qsel_to_ep[TX_DESC_QSEL_HIGH] = dma_mapping_to_ep(rqpn->dma_map_hi);
++ rtwusb->qsel_to_ep[TX_DESC_QSEL_MGMT] = dma_mapping_to_ep(rqpn->dma_map_mg);
++ rtwusb->qsel_to_ep[TX_DESC_QSEL_H2C] = dma_mapping_to_ep(rqpn->dma_map_hi);
++
+ return 0;
+ }
+
+@@ -250,7 +271,7 @@ static void rtw_usb_write_port_tx_comple
+ static int qsel_to_ep(struct rtw_usb *rtwusb, unsigned int qsel)
+ {
+ if (qsel >= ARRAY_SIZE(rtwusb->qsel_to_ep))
+- return 0;
++ return -EINVAL;
+
+ return rtwusb->qsel_to_ep[qsel];
+ }
+@@ -265,6 +286,9 @@ static int rtw_usb_write_port(struct rtw
+ int ret;
+ int ep = qsel_to_ep(rtwusb, qsel);
+
++ if (ep < 0)
++ return ep;
++
+ pipe = usb_sndbulkpipe(usbd, rtwusb->out_ep[ep]);
+ urb = usb_alloc_urb(0, GFP_ATOMIC);
+ if (!urb)
--- /dev/null
+From d33fc8d0368c180fe2338bfae4f5367a66a719f4 Mon Sep 17 00:00:00 2001
+From: Eric Huang <echuang@realtek.com>
+Date: Thu, 6 Apr 2023 15:28:41 +0800
+Subject: wifi: rtw89: correct 5 MHz mask setting
+
+From: Eric Huang <echuang@realtek.com>
+
+commit d33fc8d0368c180fe2338bfae4f5367a66a719f4 upstream.
+
+Use primary channel index to determine which 5 MHz mask should be enable.
+This mask is used to prevent noise from channel edge to effect CCA
+threshold in wide bandwidth (>= 40 MHZ).
+
+Fixes: 1b00e9236a71 ("rtw89: 8852c: add set channel of BB part")
+Fixes: 6b0698984eb0 ("wifi: rtw89: 8852b: add chip_ops::set_channel")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Huang <echuang@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20230406072841.8308-1-pkshih@realtek.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/realtek/rtw89/rtw8852b.c | 9 +++++----
+ drivers/net/wireless/realtek/rtw89/rtw8852c.c | 9 +++++----
+ 2 files changed, 10 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtw89/rtw8852b.c
++++ b/drivers/net/wireless/realtek/rtw89/rtw8852b.c
+@@ -1284,7 +1284,7 @@ static void rtw8852b_ctrl_cck_en(struct
+ static void rtw8852b_5m_mask(struct rtw89_dev *rtwdev, const struct rtw89_chan *chan,
+ enum rtw89_phy_idx phy_idx)
+ {
+- u8 pri_ch = chan->primary_channel;
++ u8 pri_ch = chan->pri_ch_idx;
+ bool mask_5m_low;
+ bool mask_5m_en;
+
+@@ -1292,12 +1292,13 @@ static void rtw8852b_5m_mask(struct rtw8
+ case RTW89_CHANNEL_WIDTH_40:
+ /* Prich=1: Mask 5M High, Prich=2: Mask 5M Low */
+ mask_5m_en = true;
+- mask_5m_low = pri_ch == 2;
++ mask_5m_low = pri_ch == RTW89_SC_20_LOWER;
+ break;
+ case RTW89_CHANNEL_WIDTH_80:
+ /* Prich=3: Mask 5M High, Prich=4: Mask 5M Low, Else: Disable */
+- mask_5m_en = pri_ch == 3 || pri_ch == 4;
+- mask_5m_low = pri_ch == 4;
++ mask_5m_en = pri_ch == RTW89_SC_20_UPMOST ||
++ pri_ch == RTW89_SC_20_LOWEST;
++ mask_5m_low = pri_ch == RTW89_SC_20_LOWEST;
+ break;
+ default:
+ mask_5m_en = false;
+--- a/drivers/net/wireless/realtek/rtw89/rtw8852c.c
++++ b/drivers/net/wireless/realtek/rtw89/rtw8852c.c
+@@ -1445,18 +1445,19 @@ static void rtw8852c_5m_mask(struct rtw8
+ const struct rtw89_chan *chan,
+ enum rtw89_phy_idx phy_idx)
+ {
+- u8 pri_ch = chan->primary_channel;
++ u8 pri_ch = chan->pri_ch_idx;
+ bool mask_5m_low;
+ bool mask_5m_en;
+
+ switch (chan->band_width) {
+ case RTW89_CHANNEL_WIDTH_40:
+ mask_5m_en = true;
+- mask_5m_low = pri_ch == 2;
++ mask_5m_low = pri_ch == RTW89_SC_20_LOWER;
+ break;
+ case RTW89_CHANNEL_WIDTH_80:
+- mask_5m_en = ((pri_ch == 3) || (pri_ch == 4));
+- mask_5m_low = pri_ch == 4;
++ mask_5m_en = pri_ch == RTW89_SC_20_UPMOST ||
++ pri_ch == RTW89_SC_20_LOWEST;
++ mask_5m_low = pri_ch == RTW89_SC_20_LOWEST;
+ break;
+ default:
+ mask_5m_en = false;
--- /dev/null
+From 735baf1b23458f71a8b15cb924af22c9ff9cd125 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Wed, 5 Apr 2023 11:03:42 +0200
+Subject: xhci: fix debugfs register accesses while suspended
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 735baf1b23458f71a8b15cb924af22c9ff9cd125 upstream.
+
+Wire up the debugfs regset device pointer so that the controller is
+resumed before accessing registers to avoid crashing or locking up if it
+happens to be runtime suspended.
+
+Fixes: 02b6fdc2a153 ("usb: xhci: Add debugfs interface for xHCI driver")
+Cc: stable@vger.kernel.org # 4.15: 30332eeefec8: debugfs: regset32: Add Runtime PM support
+Cc: stable@vger.kernel.org # 4.15
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20230405090342.7363-1-johan+linaro@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-debugfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/host/xhci-debugfs.c
++++ b/drivers/usb/host/xhci-debugfs.c
+@@ -133,6 +133,7 @@ static void xhci_debugfs_regset(struct x
+ regset->regs = regs;
+ regset->nregs = nregs;
+ regset->base = hcd->regs + base;
++ regset->dev = hcd->self.controller;
+
+ debugfs_create_regset32((const char *)rgs->name, 0444, parent, regset);
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
