--- /dev/null
+From 1ae56537105f2894b52128d0c380e7f8714dda4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Jan 2021 17:58:31 +0100
+Subject: amba: Fix resource leak for drivers without .remove
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit de5d7adb89367bbc87b4e5ce7afe7ae9bd86dc12 ]
+
+Consider an amba driver with a .probe but without a .remove callback (e.g.
+pl061_gpio_driver). The function amba_probe() is called to bind a device
+and so dev_pm_domain_attach() and others are called. As there is no remove
+callback amba_remove() isn't called at unbind time however and so calling
+dev_pm_domain_detach() is missed and the pm domain keeps active.
+
+To fix this always use the core driver callbacks and handle missing amba
+callbacks there. For probe refuse registration as a driver without probe
+doesn't make sense.
+
+Fixes: 7cfe249475fd ("ARM: AMBA: Add pclk support to AMBA bus infrastructure")
+Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20210126165835.687514-2-u.kleine-koenig@pengutronix.de
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/amba/bus.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/amba/bus.c b/drivers/amba/bus.c
+index 1accc01fb0ca9..91c99cce22a4d 100644
+--- a/drivers/amba/bus.c
++++ b/drivers/amba/bus.c
+@@ -275,10 +275,11 @@ static int amba_remove(struct device *dev)
+ {
+ struct amba_device *pcdev = to_amba_device(dev);
+ struct amba_driver *drv = to_amba_driver(dev->driver);
+- int ret;
++ int ret = 0;
+
+ pm_runtime_get_sync(dev);
+- ret = drv->remove(pcdev);
++ if (drv->remove)
++ ret = drv->remove(pcdev);
+ pm_runtime_put_noidle(dev);
+
+ /* Undo the runtime PM settings in amba_probe() */
+@@ -295,7 +296,9 @@ static int amba_remove(struct device *dev)
+ static void amba_shutdown(struct device *dev)
+ {
+ struct amba_driver *drv = to_amba_driver(dev->driver);
+- drv->shutdown(to_amba_device(dev));
++
++ if (drv->shutdown)
++ drv->shutdown(to_amba_device(dev));
+ }
+
+ /**
+@@ -308,12 +311,13 @@ static void amba_shutdown(struct device *dev)
+ */
+ int amba_driver_register(struct amba_driver *drv)
+ {
+- drv->drv.bus = &amba_bustype;
++ if (!drv->probe)
++ return -EINVAL;
+
+-#define SETFN(fn) if (drv->fn) drv->drv.fn = amba_##fn
+- SETFN(probe);
+- SETFN(remove);
+- SETFN(shutdown);
++ drv->drv.bus = &amba_bustype;
++ drv->drv.probe = amba_probe;
++ drv->drv.remove = amba_remove;
++ drv->drv.shutdown = amba_shutdown;
+
+ return driver_register(&drv->drv);
+ }
+--
+2.27.0
+
--- /dev/null
+From f9f8fc2c5473b21b571d62f70a0061460edf6b95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Jan 2021 10:47:24 +0100
+Subject: ARM: 9046/1: decompressor: Do not clear SCTLR.nTLSMD for ARMv7+ cores
+
+From: Vladimir Murzin <vladimir.murzin@arm.com>
+
+[ Upstream commit 2acb909750431030b65a0a2a17fd8afcbd813a84 ]
+
+It was observed that decompressor running on hardware implementing ARM v8.2
+Load/Store Multiple Atomicity and Ordering Control (LSMAOC), say, as guest,
+would stuck just after:
+
+Uncompressing Linux... done, booting the kernel.
+
+The reason is that it clears nTLSMD bit when disabling caches:
+
+ nTLSMD, bit [3]
+
+ When ARMv8.2-LSMAOC is implemented:
+
+ No Trap Load Multiple and Store Multiple to
+ Device-nGRE/Device-nGnRE/Device-nGnRnE memory.
+
+ 0b0 All memory accesses by A32 and T32 Load Multiple and Store
+ Multiple at EL1 or EL0 that are marked at stage 1 as
+ Device-nGRE/Device-nGnRE/Device-nGnRnE memory are trapped and
+ generate a stage 1 Alignment fault.
+
+ 0b1 All memory accesses by A32 and T32 Load Multiple and Store
+ Multiple at EL1 or EL0 that are marked at stage 1 as
+ Device-nGRE/Device-nGnRE/Device-nGnRnE memory are not trapped.
+
+ This bit is permitted to be cached in a TLB.
+
+ This field resets to 1.
+
+ Otherwise:
+
+ Reserved, RES1
+
+So as effect we start getting traps we are not quite ready for.
+
+Looking into history it seems that mask used for SCTLR clear came from
+the similar code for ARMv4, where bit[3] is the enable/disable bit for
+the write buffer. That not applicable to ARMv7 and onwards, so retire
+that bit from the masks.
+
+Fixes: 7d09e85448dfa78e3e58186c934449aaf6d49b50 ("[ARM] 4393/2: ARMv7: Add uncompressing code for the new CPU Id format")
+Signed-off-by: Vladimir Murzin <vladimir.murzin@arm.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/compressed/head.S | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/compressed/head.S b/arch/arm/boot/compressed/head.S
+index 856913705169f..082d036e95649 100644
+--- a/arch/arm/boot/compressed/head.S
++++ b/arch/arm/boot/compressed/head.S
+@@ -1074,9 +1074,9 @@ __armv4_mmu_cache_off:
+ __armv7_mmu_cache_off:
+ mrc p15, 0, r0, c1, c0
+ #ifdef CONFIG_MMU
+- bic r0, r0, #0x000d
++ bic r0, r0, #0x0005
+ #else
+- bic r0, r0, #0x000c
++ bic r0, r0, #0x0004
+ #endif
+ mcr p15, 0, r0, c1, c0 @ turn MMU and cache off
+ mov r12, lr
+--
+2.27.0
+
--- /dev/null
+From d574cd3cdefb216886fcf0096fbbd275339ace4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Dec 2020 22:28:58 +0100
+Subject: ARM: dts: exynos: correct PMIC interrupt trigger level on Spring
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit 77e6a5467cb8657cf8b5e610a30a4c502085e4f9 ]
+
+The Samsung PMIC datasheets describe the interrupt line as active low
+with a requirement of acknowledge from the CPU. Without specifying the
+interrupt type in Devicetree, kernel might apply some fixed
+configuration, not necessarily working for this hardware.
+
+Fixes: 53dd4138bb0a ("ARM: dts: Add exynos5250-spring device tree")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Link: https://lore.kernel.org/r/20201210212903.216728-4-krzk@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/exynos5250-spring.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/exynos5250-spring.dts b/arch/arm/boot/dts/exynos5250-spring.dts
+index c1edd6d038a90..4b3bd43f77213 100644
+--- a/arch/arm/boot/dts/exynos5250-spring.dts
++++ b/arch/arm/boot/dts/exynos5250-spring.dts
+@@ -112,7 +112,7 @@
+ compatible = "samsung,s5m8767-pmic";
+ reg = <0x66>;
+ interrupt-parent = <&gpx3>;
+- interrupts = <2 IRQ_TYPE_NONE>;
++ interrupts = <2 IRQ_TYPE_LEVEL_LOW>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&s5m8767_irq &s5m8767_dvs &s5m8767_ds>;
+ wakeup-source;
+--
+2.27.0
+
--- /dev/null
+From 3101633b593be4fd3369d2c64e1401a488ef9af6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Dec 2020 22:28:59 +0100
+Subject: ARM: dts: exynos: correct PMIC interrupt trigger level on Arndale
+ Octa
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit 1ac8893c4fa3d4a34915dc5cdab568a39db5086c ]
+
+The Samsung PMIC datasheets describe the interrupt line as active low
+with a requirement of acknowledge from the CPU. The falling edge
+interrupt will mostly work but it's not correct.
+
+Fixes: 1fed2252713e ("ARM: dts: fix pinctrl for s2mps11-irq on exynos5420-arndale-octa")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Link: https://lore.kernel.org/r/20201210212903.216728-5-krzk@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/exynos5420-arndale-octa.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/exynos5420-arndale-octa.dts b/arch/arm/boot/dts/exynos5420-arndale-octa.dts
+index b54c0b8a5b346..5cf9bcc91c4ab 100644
+--- a/arch/arm/boot/dts/exynos5420-arndale-octa.dts
++++ b/arch/arm/boot/dts/exynos5420-arndale-octa.dts
+@@ -75,7 +75,7 @@
+ s2mps11,buck4-ramp-enable = <1>;
+
+ interrupt-parent = <&gpx3>;
+- interrupts = <2 IRQ_TYPE_EDGE_FALLING>;
++ interrupts = <2 IRQ_TYPE_LEVEL_LOW>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&s2mps11_irq>;
+
+--
+2.27.0
+
--- /dev/null
+From 7e479d713c99d588bb5be6cdb7f49e99c2c9b459 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Feb 2021 17:23:42 +0100
+Subject: ARM: s3c: fix fiq for clang IAS
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 7f9942c61fa60eda7cc8e42f04bd25b7d175876e ]
+
+Building with the clang integrated assembler produces a couple of
+errors for the s3c24xx fiq support:
+
+ arch/arm/mach-s3c/irq-s3c24xx-fiq.S:52:2: error: instruction 'subne' can not set flags, but 's' suffix specified
+ subnes pc, lr, #4 @@ return, still have work to do
+
+ arch/arm/mach-s3c/irq-s3c24xx-fiq.S:64:1: error: invalid symbol redefinition
+ s3c24xx_spi_fiq_txrx:
+
+There are apparently two problems: one with extraneous or duplicate
+labels, and one with old-style opcode mnemonics. Stefan Agner has
+previously fixed other problems like this, but missed this particular
+file.
+
+Fixes: bec0806cfec6 ("spi_s3c24xx: add FIQ pseudo-DMA support")
+Cc: Stefan Agner <stefan@agner.ch>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Link: https://lore.kernel.org/r/20210204162416.3030114-1-arnd@kernel.org
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-s3c24xx-fiq.S | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/spi/spi-s3c24xx-fiq.S b/drivers/spi/spi-s3c24xx-fiq.S
+index 059f2dc1fda2d..1565c792da079 100644
+--- a/drivers/spi/spi-s3c24xx-fiq.S
++++ b/drivers/spi/spi-s3c24xx-fiq.S
+@@ -36,7 +36,6 @@
+ @ and an offset to the irq acknowledgment word
+
+ ENTRY(s3c24xx_spi_fiq_rx)
+-s3c24xx_spi_fix_rx:
+ .word fiq_rx_end - fiq_rx_start
+ .word fiq_rx_irq_ack - fiq_rx_start
+ fiq_rx_start:
+@@ -50,7 +49,7 @@ fiq_rx_start:
+ strb fiq_rtmp, [ fiq_rspi, # S3C2410_SPTDAT ]
+
+ subs fiq_rcount, fiq_rcount, #1
+- subnes pc, lr, #4 @@ return, still have work to do
++ subsne pc, lr, #4 @@ return, still have work to do
+
+ @@ set IRQ controller so that next op will trigger IRQ
+ mov fiq_rtmp, #0
+@@ -62,7 +61,6 @@ fiq_rx_irq_ack:
+ fiq_rx_end:
+
+ ENTRY(s3c24xx_spi_fiq_txrx)
+-s3c24xx_spi_fiq_txrx:
+ .word fiq_txrx_end - fiq_txrx_start
+ .word fiq_txrx_irq_ack - fiq_txrx_start
+ fiq_txrx_start:
+@@ -77,7 +75,7 @@ fiq_txrx_start:
+ strb fiq_rtmp, [ fiq_rspi, # S3C2410_SPTDAT ]
+
+ subs fiq_rcount, fiq_rcount, #1
+- subnes pc, lr, #4 @@ return, still have work to do
++ subsne pc, lr, #4 @@ return, still have work to do
+
+ mov fiq_rtmp, #0
+ str fiq_rtmp, [ fiq_rirq, # S3C2410_INTMOD - S3C24XX_VA_IRQ ]
+@@ -89,7 +87,6 @@ fiq_txrx_irq_ack:
+ fiq_txrx_end:
+
+ ENTRY(s3c24xx_spi_fiq_tx)
+-s3c24xx_spi_fix_tx:
+ .word fiq_tx_end - fiq_tx_start
+ .word fiq_tx_irq_ack - fiq_tx_start
+ fiq_tx_start:
+@@ -102,7 +99,7 @@ fiq_tx_start:
+ strb fiq_rtmp, [ fiq_rspi, # S3C2410_SPTDAT ]
+
+ subs fiq_rcount, fiq_rcount, #1
+- subnes pc, lr, #4 @@ return, still have work to do
++ subsne pc, lr, #4 @@ return, still have work to do
+
+ mov fiq_rtmp, #0
+ str fiq_rtmp, [ fiq_rirq, # S3C2410_INTMOD - S3C24XX_VA_IRQ ]
+--
+2.27.0
+
--- /dev/null
+From 6b732d756bae29419dbd14721ea9f8aa94239457 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Dec 2020 13:07:59 +0300
+Subject: ASoC: cs42l56: fix up error handling in probe
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 856fe64da84c95a1d415564b981ae3908eea2a76 ]
+
+There are two issues with this code. The first error path forgot to set
+the error code and instead returns success. The second error path
+doesn't clean up.
+
+Fixes: 272b5edd3b8f ("ASoC: Add support for CS42L56 CODEC")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/X9NE/9nK9/TuxuL+@mwanda
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l56.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/cs42l56.c b/sound/soc/codecs/cs42l56.c
+index 7cd5f769bb614..a22879ddda476 100644
+--- a/sound/soc/codecs/cs42l56.c
++++ b/sound/soc/codecs/cs42l56.c
+@@ -1269,6 +1269,7 @@ static int cs42l56_i2c_probe(struct i2c_client *i2c_client,
+ dev_err(&i2c_client->dev,
+ "CS42L56 Device ID (%X). Expected %X\n",
+ devid, CS42L56_DEVID);
++ ret = -EINVAL;
+ goto err_enable;
+ }
+ alpha_rev = reg & CS42L56_AREV_MASK;
+@@ -1324,7 +1325,7 @@ static int cs42l56_i2c_probe(struct i2c_client *i2c_client,
+ ret = snd_soc_register_codec(&i2c_client->dev,
+ &soc_codec_dev_cs42l56, &cs42l56_dai, 1);
+ if (ret < 0)
+- return ret;
++ goto err_enable;
+
+ return 0;
+
+--
+2.27.0
+
--- /dev/null
+From b72bc21994432bdca74a7d13cd3daa4a6c7b70d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Feb 2021 12:05:32 +0000
+Subject: b43: N-PHY: Fix the update of coef for the PHY revision >= 3case
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 4773acf3d4b50768bf08e9e97a204819e9ea0895 ]
+
+The documentation for the PHY update [1] states:
+
+Loop 4 times with index i
+
+ If PHY Revision >= 3
+ Copy table[i] to coef[i]
+ Otherwise
+ Set coef[i] to 0
+
+the copy of the table to coef is currently implemented the wrong way
+around, table is being updated from uninitialized values in coeff.
+Fix this by swapping the assignment around.
+
+[1] https://bcm-v4.sipsolutions.net/802.11/PHY/N/RestoreCal/
+
+Fixes: 2f258b74d13c ("b43: N-PHY: implement restoring general configuration")
+Addresses-Coverity: ("Uninitialized scalar variable")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/b43/phy_n.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/b43/phy_n.c b/drivers/net/wireless/b43/phy_n.c
+index 9f0bcf3b8414c..fa847ae5b5270 100644
+--- a/drivers/net/wireless/b43/phy_n.c
++++ b/drivers/net/wireless/b43/phy_n.c
+@@ -5320,7 +5320,7 @@ static void b43_nphy_restore_cal(struct b43_wldev *dev)
+
+ for (i = 0; i < 4; i++) {
+ if (dev->phy.rev >= 3)
+- table[i] = coef[i];
++ coef[i] = table[i];
+ else
+ coef[i] = 0;
+ }
+--
+2.27.0
+
--- /dev/null
+From 90fbf525fea74c111f69c9b522e2da560bb712d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Jan 2021 23:34:19 -0800
+Subject: Bluetooth: drop HCI device reference before return
+
+From: Pan Bian <bianpan2016@163.com>
+
+[ Upstream commit 5a3ef03afe7e12982dc3b978f4c5077c907f7501 ]
+
+Call hci_dev_put() to decrement reference count of HCI device hdev if
+fails to duplicate memory.
+
+Fixes: 0b26ab9dce74 ("Bluetooth: AMP: Handle Accept phylink command status evt")
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/a2mp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bluetooth/a2mp.c b/net/bluetooth/a2mp.c
+index 242ef2abd0911..fcd819ffda108 100644
+--- a/net/bluetooth/a2mp.c
++++ b/net/bluetooth/a2mp.c
+@@ -519,6 +519,7 @@ static int a2mp_createphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb,
+ assoc = kmemdup(req->amp_assoc, assoc_len, GFP_KERNEL);
+ if (!assoc) {
+ amp_ctrl_put(ctrl);
++ hci_dev_put(hdev);
+ return -ENOMEM;
+ }
+
+--
+2.27.0
+
--- /dev/null
+From 7b882e169b058843c25331bcd5ba27da16c0070d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Dec 2020 19:12:32 -0800
+Subject: Bluetooth: Fix initializing response id after clearing struct
+
+From: Christopher William Snowhill <chris@kode54.net>
+
+[ Upstream commit a5687c644015a097304a2e47476c0ecab2065734 ]
+
+Looks like this was missed when patching the source to clear the structures
+throughout, causing this one instance to clear the struct after the response
+id is assigned.
+
+Fixes: eddb7732119d ("Bluetooth: A2MP: Fix not initializing all members")
+Signed-off-by: Christopher William Snowhill <chris@kode54.net>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/a2mp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/a2mp.c b/net/bluetooth/a2mp.c
+index 8f918155685db..242ef2abd0911 100644
+--- a/net/bluetooth/a2mp.c
++++ b/net/bluetooth/a2mp.c
+@@ -388,9 +388,9 @@ static int a2mp_getampassoc_req(struct amp_mgr *mgr, struct sk_buff *skb,
+ hdev = hci_dev_get(req->id);
+ if (!hdev || hdev->amp_type == AMP_TYPE_BREDR || tmp) {
+ struct a2mp_amp_assoc_rsp rsp;
+- rsp.id = req->id;
+
+ memset(&rsp, 0, sizeof(rsp));
++ rsp.id = req->id;
+
+ if (tmp) {
+ rsp.status = A2MP_STATUS_COLLISION_OCCURED;
+--
+2.27.0
+
--- /dev/null
+From 18b436df5531b2df3295437d228185dd2a577e78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Jan 2021 00:10:45 -0800
+Subject: Bluetooth: Put HCI device if inquiry procedure interrupts
+
+From: Pan Bian <bianpan2016@163.com>
+
+[ Upstream commit 28a758c861ff290e39d4f1ee0aa5df0f0b9a45ee ]
+
+Jump to the label done to decrement the reference count of HCI device
+hdev on path that the Inquiry procedure is interrupted.
+
+Fixes: 3e13fa1e1fab ("Bluetooth: Fix hci_inquiry ioctl usage")
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_core.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index 4bce3ef2c392a..cc905a4e57325 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -1372,8 +1372,10 @@ int hci_inquiry(void __user *arg)
+ * cleared). If it is interrupted by a signal, return -EINTR.
+ */
+ if (wait_on_bit(&hdev->flags, HCI_INQUIRY,
+- TASK_INTERRUPTIBLE))
+- return -EINTR;
++ TASK_INTERRUPTIBLE)) {
++ err = -EINTR;
++ goto done;
++ }
+ }
+
+ /* for unlimited number of responses we will use buffer with
+--
+2.27.0
+
--- /dev/null
+From e9b1f0be7a427fd171e9d1eae5b32c3aa4dcf6bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Feb 2021 02:24:23 -0500
+Subject: bnxt_en: reverse order of TX disable and carrier off
+
+From: Edwin Peer <edwin.peer@broadcom.com>
+
+[ Upstream commit 132e0b65dc2b8bfa9721bfce834191f24fd1d7ed ]
+
+A TX queue can potentially immediately timeout after it is stopped
+and the last TX timestamp on that queue was more than 5 seconds ago with
+carrier still up. Prevent these intermittent false TX timeouts
+by bringing down carrier first before calling netif_tx_disable().
+
+Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
+Signed-off-by: Edwin Peer <edwin.peer@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index 250ecbcca019f..7444f17b9e050 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -4313,9 +4313,10 @@ static void bnxt_tx_disable(struct bnxt *bp)
+ txr->dev_state = BNXT_DEV_STATE_CLOSING;
+ }
+ }
++ /* Drop carrier first to prevent TX timeout */
++ netif_carrier_off(bp->dev);
+ /* Stop all TX queues */
+ netif_tx_disable(bp->dev);
+- netif_carrier_off(bp->dev);
+ }
+
+ static void bnxt_tx_enable(struct bnxt *bp)
+--
+2.27.0
+
--- /dev/null
+From fde5bc858d6c6db2f75538a88c06fc5935cdb832 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Nov 2020 09:08:04 +0800
+Subject: btrfs: clarify error returns values in __load_free_space_cache
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit 3cc64e7ebfb0d7faaba2438334c43466955a96e8 ]
+
+Return value in __load_free_space_cache is not properly set after
+(unlikely) memory allocation failures and 0 is returned instead.
+This is not a problem for the caller load_free_space_cache because only
+value 1 is considered as 'cache loaded' but for clarity it's better
+to set the errors accordingly.
+
+Fixes: a67509c30079 ("Btrfs: add a io_ctl struct and helpers for dealing with the space cache")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/free-space-cache.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/free-space-cache.c b/fs/btrfs/free-space-cache.c
+index 05b1b0f99f0bc..55d8020afc583 100644
+--- a/fs/btrfs/free-space-cache.c
++++ b/fs/btrfs/free-space-cache.c
+@@ -754,8 +754,10 @@ static int __load_free_space_cache(struct btrfs_root *root, struct inode *inode,
+ while (num_entries) {
+ e = kmem_cache_zalloc(btrfs_free_space_cachep,
+ GFP_NOFS);
+- if (!e)
++ if (!e) {
++ ret = -ENOMEM;
+ goto free_cache;
++ }
+
+ ret = io_ctl_read_entry(&io_ctl, e, &type);
+ if (ret) {
+@@ -764,6 +766,7 @@ static int __load_free_space_cache(struct btrfs_root *root, struct inode *inode,
+ }
+
+ if (!e->bytes) {
++ ret = -1;
+ kmem_cache_free(btrfs_free_space_cachep, e);
+ goto free_cache;
+ }
+@@ -783,6 +786,7 @@ static int __load_free_space_cache(struct btrfs_root *root, struct inode *inode,
+ num_bitmaps--;
+ e->bitmap = kzalloc(PAGE_CACHE_SIZE, GFP_NOFS);
+ if (!e->bitmap) {
++ ret = -ENOMEM;
+ kmem_cache_free(
+ btrfs_free_space_cachep, e);
+ goto free_cache;
+--
+2.27.0
+
--- /dev/null
+From 62a35f90224add9dd4cf1dabef65ef0a5a7a33d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Dec 2020 13:15:54 +0100
+Subject: clk: meson: clk-pll: fix initializing the old rate (fallback) for a
+ PLL
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+[ Upstream commit 2f290b7c67adf6459a17a4c978102af35cd62e4a ]
+
+The "rate" parameter in meson_clk_pll_set_rate() contains the new rate.
+Retrieve the old rate with clk_hw_get_rate() so we don't inifinitely try
+to switch from the new rate to the same rate again.
+
+Fixes: 7a29a869434e8b ("clk: meson: Add support for Meson clock controller")
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Link: https://lore.kernel.org/r/20201226121556.975418-2-martin.blumenstingl@googlemail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/meson/clk-pll.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/meson/clk-pll.c b/drivers/clk/meson/clk-pll.c
+index 664edf0708ea7..50b1138aaad71 100644
+--- a/drivers/clk/meson/clk-pll.c
++++ b/drivers/clk/meson/clk-pll.c
+@@ -138,7 +138,7 @@ static int meson_clk_pll_set_rate(struct clk_hw *hw, unsigned long rate,
+ if (parent_rate == 0 || rate == 0)
+ return -EINVAL;
+
+- old_rate = rate;
++ old_rate = clk_hw_get_rate(hw);
+
+ rate_set = meson_clk_get_pll_settings(pll, rate);
+ if (!rate_set)
+--
+2.27.0
+
--- /dev/null
+From 6548ce854c561ce911280a78b9c578175cce6f8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Jan 2021 13:19:55 -0800
+Subject: clocksource/drivers/mxs_timer: Add missing semicolon when DEBUG is
+ defined
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit 7da390694afbaed8e0f05717a541dfaf1077ba51 ]
+
+When DEBUG is defined this error occurs
+
+drivers/clocksource/mxs_timer.c:138:1: error:
+ expected ‘;’ before ‘}’ token
+
+The preceding statement needs a semicolon.
+Replace pr_info() with pr_debug() and remove the unneeded ifdef.
+
+Fixes: eb8703e2ef7c ("clockevents/drivers/mxs: Migrate to new 'set-state' interface")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lore.kernel.org/r/20210118211955.763609-1-trix@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/mxs_timer.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/clocksource/mxs_timer.c b/drivers/clocksource/mxs_timer.c
+index f5ce2961c0d62..23f125126fa81 100644
+--- a/drivers/clocksource/mxs_timer.c
++++ b/drivers/clocksource/mxs_timer.c
+@@ -154,10 +154,7 @@ static void mxs_irq_clear(char *state)
+
+ /* Clear pending interrupt */
+ timrot_irq_acknowledge();
+-
+-#ifdef DEBUG
+- pr_info("%s: changing mode to %s\n", __func__, state)
+-#endif /* DEBUG */
++ pr_debug("%s: changing mode to %s\n", __func__, state);
+ }
+
+ static int mxs_shutdown(struct clock_event_device *evt)
+--
+2.27.0
+
--- /dev/null
+From 30729df165bfb97bf0f5e87c4d4b692a1fefcbdc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Dec 2020 17:06:14 +0100
+Subject: dmaengine: fsldma: Fix a resource leak in an error handling path of
+ the probe function
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit b202d4e82531a62a33a6b14d321dd2aad491578e ]
+
+In case of error, the previous 'fsl_dma_chan_probe()' calls must be undone
+by some 'fsl_dma_chan_remove()', as already done in the remove function.
+
+It was added in the remove function in commit 77cd62e8082b ("fsldma: allow
+Freescale Elo DMA driver to be compiled as a module")
+
+Fixes: d3f620b2c4fe ("fsldma: simplify IRQ probing and handling")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/20201212160614.92576-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/fsldma.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/dma/fsldma.c b/drivers/dma/fsldma.c
+index 1a637104cc08e..7c4b4c71d3a0e 100644
+--- a/drivers/dma/fsldma.c
++++ b/drivers/dma/fsldma.c
+@@ -1335,6 +1335,7 @@ static int fsldma_of_probe(struct platform_device *op)
+ {
+ struct fsldma_device *fdev;
+ struct device_node *child;
++ unsigned int i;
+ int err;
+
+ fdev = kzalloc(sizeof(*fdev), GFP_KERNEL);
+@@ -1416,6 +1417,10 @@ static int fsldma_of_probe(struct platform_device *op)
+ return 0;
+
+ out_free_fdev:
++ for (i = 0; i < FSL_DMA_MAX_CHANS_PER_DEVICE; i++) {
++ if (fdev->chan[i])
++ fsl_dma_chan_remove(fdev->chan[i]);
++ }
+ irq_dispose_mapping(fdev->irq);
+ kfree(fdev);
+ out_return:
+--
+2.27.0
+
--- /dev/null
+From b61bc1754964bb00489a0569f3865f4c84fea63a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Dec 2020 17:05:16 +0100
+Subject: dmaengine: fsldma: Fix a resource leak in the remove function
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit cbc0ad004c03ad7971726a5db3ec84dba3dcb857 ]
+
+A 'irq_dispose_mapping()' call is missing in the remove function.
+Add it.
+
+This is needed to undo the 'irq_of_parse_and_map() call from the probe
+function and already part of the error handling path of the probe function.
+
+It was added in the probe function only in commit d3f620b2c4fe ("fsldma:
+simplify IRQ probing and handling")
+
+Fixes: 77cd62e8082b ("fsldma: allow Freescale Elo DMA driver to be compiled as a module")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/20201212160516.92515-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/fsldma.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/dma/fsldma.c b/drivers/dma/fsldma.c
+index 2209f75fdf05b..1a637104cc08e 100644
+--- a/drivers/dma/fsldma.c
++++ b/drivers/dma/fsldma.c
+@@ -1436,6 +1436,7 @@ static int fsldma_of_remove(struct platform_device *op)
+ if (fdev->chan[i])
+ fsl_dma_chan_remove(fdev->chan[i]);
+ }
++ irq_dispose_mapping(fdev->irq);
+
+ iounmap(fdev->regs);
+ kfree(fdev);
+--
+2.27.0
+
--- /dev/null
+From 7a5bc791f8c81bd704dd5a6658af1222a0f51b8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Nov 2020 10:02:16 +0800
+Subject: drm/gma500: Fix error return code in psb_driver_load()
+
+From: Jialin Zhang <zhangjialin11@huawei.com>
+
+[ Upstream commit 6926872ae24452d4f2176a3ba2dee659497de2c4 ]
+
+Fix to return a negative error code from the error handling
+case instead of 0, as done elsewhere in this function.
+
+Fixes: 5c49fd3aa0ab ("gma500: Add the core DRM files and headers")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20201130020216.1906141-1-zhangjialin11@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/gma500/psb_drv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/gma500/psb_drv.c b/drivers/gpu/drm/gma500/psb_drv.c
+index db98ab5cde3d8..15a909efe0c70 100644
+--- a/drivers/gpu/drm/gma500/psb_drv.c
++++ b/drivers/gpu/drm/gma500/psb_drv.c
+@@ -325,6 +325,8 @@ static int psb_driver_load(struct drm_device *dev, unsigned long flags)
+ if (ret)
+ goto out_err;
+
++ ret = -ENOMEM;
++
+ dev_priv->mmu = psb_mmu_driver_init(dev, 1, 0, 0);
+ if (!dev_priv->mmu)
+ goto out_err;
+--
+2.27.0
+
--- /dev/null
+From 784fbf05d2ec356649ffff18b97dbd46d0a86d9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Nov 2020 19:17:52 -0800
+Subject: fbdev: aty: SPARC64 requires FB_ATY_CT
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit c6c90c70db4d9a0989111d6b994d545659410f7a ]
+
+It looks like SPARC64 requires FB_ATY_CT to build without errors,
+so have FB_ATY select FB_ATY_CT if both SPARC64 and PCI are enabled
+instead of using "default y if SPARC64 && PCI", which is not strong
+enough to prevent build errors.
+
+As it currently is, FB_ATY_CT can be disabled, resulting in build
+errors:
+
+ERROR: modpost: "aty_postdividers" [drivers/video/fbdev/aty/atyfb.ko] undefined!
+ERROR: modpost: "aty_ld_pll_ct" [drivers/video/fbdev/aty/atyfb.ko] undefined!
+
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Fixes: f7018c213502 ("video: move fbdev to drivers/video/fbdev")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: sparclinux@vger.kernel.org
+Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Cc: dri-devel@lists.freedesktop.org
+Cc: linux-fbdev@vger.kernel.org
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: David Airlie <airlied@linux.ie>
+Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20201127031752.10371-1-rdunlap@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/Kconfig b/drivers/video/fbdev/Kconfig
+index 6873be0344486..e24e77e31529e 100644
+--- a/drivers/video/fbdev/Kconfig
++++ b/drivers/video/fbdev/Kconfig
+@@ -1397,6 +1397,7 @@ config FB_ATY
+ select FB_CFB_IMAGEBLIT
+ select FB_BACKLIGHT if FB_ATY_BACKLIGHT
+ select FB_MACMODES if PPC
++ select FB_ATY_CT if SPARC64 && PCI
+ help
+ This driver supports graphics boards with the ATI Mach64 chips.
+ Say Y if you have such a graphics board.
+@@ -1407,7 +1408,6 @@ config FB_ATY
+ config FB_ATY_CT
+ bool "Mach64 CT/VT/GT/LT (incl. 3D RAGE) support"
+ depends on PCI && FB_ATY
+- default y if SPARC64 && PCI
+ help
+ Say Y here to support use of ATI's 64-bit Rage boards (or other
+ boards based on the Mach64 CT, VT, GT, and LT chipsets) as a
+--
+2.27.0
+
--- /dev/null
+From 574c77ce4a11778a783884e70d61b4892072f25e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Feb 2021 13:01:08 +0000
+Subject: fs/jfs: fix potential integer overflow on shift of a int
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 4208c398aae4c2290864ba15c3dab7111f32bec1 ]
+
+The left shift of int 32 bit integer constant 1 is evaluated using 32 bit
+arithmetic and then assigned to a signed 64 bit integer. In the case where
+l2nb is 32 or more this can lead to an overflow. Avoid this by shifting
+the value 1LL instead.
+
+Addresses-Coverity: ("Uninitentional integer overflow")
+Fixes: b40c2e665cd5 ("fs/jfs: TRIM support for JFS Filesystem")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_dmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
+index 2d514c7affc2a..9ff510a489cb1 100644
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -1669,7 +1669,7 @@ s64 dbDiscardAG(struct inode *ip, int agno, s64 minlen)
+ } else if (rc == -ENOSPC) {
+ /* search for next smaller log2 block */
+ l2nb = BLKSTOL2(nblocks) - 1;
+- nblocks = 1 << l2nb;
++ nblocks = 1LL << l2nb;
+ } else {
+ /* Trim any already allocated blocks */
+ jfs_error(bmp->db_ipbmap->i_sb, "-EIO\n");
+--
+2.27.0
+
--- /dev/null
+From 2da361554f6fc3bba40d51c8fa702b372f92c28f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Dec 2020 11:40:48 +0300
+Subject: gma500: clean up error handling in init
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 15ccc39b3aab667c6fa131206f01f31bfbccdf6a ]
+
+The main problem with this error handling was that it didn't clean up if
+i2c_add_numbered_adapter() failed. This code is pretty old, and doesn't
+match with today's checkpatch.pl standards so I took the opportunity to
+tidy it up a bit. I changed the NULL comparison, and removed the
+WARNING message if kzalloc() fails and updated the label names.
+
+Fixes: 1b082ccf5901 ("gma500: Add Oaktrail support")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/X8ikkAqZfnDO2lu6@mwanda
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/gma500/oaktrail_hdmi_i2c.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/gpu/drm/gma500/oaktrail_hdmi_i2c.c b/drivers/gpu/drm/gma500/oaktrail_hdmi_i2c.c
+index e281070611480..fc9a34ed58bd1 100644
+--- a/drivers/gpu/drm/gma500/oaktrail_hdmi_i2c.c
++++ b/drivers/gpu/drm/gma500/oaktrail_hdmi_i2c.c
+@@ -279,11 +279,8 @@ int oaktrail_hdmi_i2c_init(struct pci_dev *dev)
+ hdmi_dev = pci_get_drvdata(dev);
+
+ i2c_dev = kzalloc(sizeof(struct hdmi_i2c_dev), GFP_KERNEL);
+- if (i2c_dev == NULL) {
+- DRM_ERROR("Can't allocate interface\n");
+- ret = -ENOMEM;
+- goto exit;
+- }
++ if (!i2c_dev)
++ return -ENOMEM;
+
+ i2c_dev->adap = &oaktrail_hdmi_i2c_adapter;
+ i2c_dev->status = I2C_STAT_INIT;
+@@ -300,16 +297,23 @@ int oaktrail_hdmi_i2c_init(struct pci_dev *dev)
+ oaktrail_hdmi_i2c_adapter.name, hdmi_dev);
+ if (ret) {
+ DRM_ERROR("Failed to request IRQ for I2C controller\n");
+- goto err;
++ goto free_dev;
+ }
+
+ /* Adapter registration */
+ ret = i2c_add_numbered_adapter(&oaktrail_hdmi_i2c_adapter);
+- return ret;
++ if (ret) {
++ DRM_ERROR("Failed to add I2C adapter\n");
++ goto free_irq;
++ }
+
+-err:
++ return 0;
++
++free_irq:
++ free_irq(dev->irq, hdmi_dev);
++free_dev:
+ kfree(i2c_dev);
+-exit:
++
+ return ret;
+ }
+
+--
+2.27.0
+
--- /dev/null
+From 769b96f590f1a948727159f4092a52f470cebd3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Dec 2020 17:12:21 -0800
+Subject: HID: core: detect and skip invalid inputs to snto32()
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit a0312af1f94d13800e63a7d0a66e563582e39aec ]
+
+Prevent invalid (0, 0) inputs to hid-core's snto32() function.
+
+Maybe it is just the dummy device here that is causing this, but
+there are hundreds of calls to snto32(0, 0). Having n (bits count)
+of 0 is causing the current UBSAN trap with a shift value of
+0xffffffff (-1, or n - 1 in this function).
+
+Either of the value to shift being 0 or the bits count being 0 can be
+handled by just returning 0 to the caller, avoiding the following
+complex shift + OR operations:
+
+ return value & (1 << (n - 1)) ? value | (~0U << n) : value;
+
+Fixes: dde5845a529f ("[PATCH] Generic HID layer - code split")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: syzbot+1e911ad71dd4ea72e04a@syzkaller.appspotmail.com
+Cc: Jiri Kosina <jikos@kernel.org>
+Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Cc: linux-input@vger.kernel.org
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index 1495cf343d9f5..25544a08fa838 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1109,6 +1109,9 @@ EXPORT_SYMBOL_GPL(hid_open_report);
+
+ static s32 snto32(__u32 value, unsigned n)
+ {
++ if (!value || !n)
++ return 0;
++
+ switch (n) {
+ case 8: return ((__s8)value);
+ case 16: return ((__s16)value);
+--
+2.27.0
+
--- /dev/null
+From fef9f600c7799b7b980633814964576cebc8ec84 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Feb 2021 17:11:01 +0100
+Subject: i2c: brcmstb: Fix brcmstd_send_i2c_cmd condition
+
+From: Maxime Ripard <maxime@cerno.tech>
+
+[ Upstream commit a1858ce0cfe31368b23ba55794e409fb57ced4a4 ]
+
+The brcmstb_send_i2c_cmd currently has a condition that is (CMD_RD ||
+CMD_WR) which always evaluates to true, while the obvious fix is to test
+whether the cmd variable passed as parameter holds one of these two
+values.
+
+Fixes: dd1aa2524bc5 ("i2c: brcmstb: Add Broadcom settop SoC i2c controller driver")
+Reported-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-brcmstb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-brcmstb.c b/drivers/i2c/busses/i2c-brcmstb.c
+index 81115abf3c1f5..6e9007adad849 100644
+--- a/drivers/i2c/busses/i2c-brcmstb.c
++++ b/drivers/i2c/busses/i2c-brcmstb.c
+@@ -304,7 +304,7 @@ static int brcmstb_send_i2c_cmd(struct brcmstb_i2c_dev *dev,
+ goto cmd_out;
+ }
+
+- if ((CMD_RD || CMD_WR) &&
++ if ((cmd == CMD_RD || cmd == CMD_WR) &&
+ bsc_readl(dev, iic_enable) & BSC_IIC_EN_NOACK_MASK) {
+ rc = -EREMOTEIO;
+ dev_dbg(dev->device, "controller received NOACK intr for %s\n",
+--
+2.27.0
+
--- /dev/null
+From 96aa5690106019528c11d7957cb27ebfb90478d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Jan 2021 14:13:38 +0200
+Subject: IB/umad: Return EIO in case of when device disassociated
+
+From: Shay Drory <shayd@nvidia.com>
+
+[ Upstream commit 4fc5461823c9cad547a9bdfbf17d13f0da0d6bb5 ]
+
+MAD message received by the user has EINVAL error in all flows
+including when the device is disassociated. That makes it impossible
+for the applications to treat such flow differently.
+
+Change it to return EIO, so the applications will be able to perform
+disassociation recovery.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Link: https://lore.kernel.org/r/20210125121339.837518-2-leon@kernel.org
+Signed-off-by: Shay Drory <shayd@nvidia.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/user_mad.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c
+index e9e75f40714cb..27bc51409f559 100644
+--- a/drivers/infiniband/core/user_mad.c
++++ b/drivers/infiniband/core/user_mad.c
+@@ -342,6 +342,11 @@ static ssize_t ib_umad_read(struct file *filp, char __user *buf,
+
+ mutex_lock(&file->mutex);
+
++ if (file->agents_dead) {
++ mutex_unlock(&file->mutex);
++ return -EIO;
++ }
++
+ while (list_empty(&file->recv_list)) {
+ mutex_unlock(&file->mutex);
+
+@@ -484,7 +489,7 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf,
+
+ agent = __get_agent(file, packet->mad.hdr.id);
+ if (!agent) {
+- ret = -EINVAL;
++ ret = -EIO;
+ goto err_up;
+ }
+
+--
+2.27.0
+
--- /dev/null
+From 1f53b89c4941b56f95e4d406dc1da0e1c1b4d82f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Feb 2021 20:29:05 -0800
+Subject: Input: elo - fix an error code in elo_connect()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 0958351e93fa0ac142f6dd8bd844441594f30a57 ]
+
+If elo_setup_10() fails then this should return an error code instead
+of success.
+
+Fixes: fae3006e4b42 ("Input: elo - add support for non-pressure-sensitive touchscreens")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/YBKFd5CvDu+jVmfW@mwanda
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/touchscreen/elo.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/input/touchscreen/elo.c b/drivers/input/touchscreen/elo.c
+index 8051a4b704ea3..e2e31cbd6b2c3 100644
+--- a/drivers/input/touchscreen/elo.c
++++ b/drivers/input/touchscreen/elo.c
+@@ -345,8 +345,10 @@ static int elo_connect(struct serio *serio, struct serio_driver *drv)
+ switch (elo->id) {
+
+ case 0: /* 10-byte protocol */
+- if (elo_setup_10(elo))
++ if (elo_setup_10(elo)) {
++ err = -EIO;
+ goto fail3;
++ }
+
+ break;
+
+--
+2.27.0
+
--- /dev/null
+From 9e43e132db2e887ac8bd5962198c96a6c87b7592 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Jan 2021 04:04:55 -0800
+Subject: isofs: release buffer head before return
+
+From: Pan Bian <bianpan2016@163.com>
+
+[ Upstream commit 0a6dc67a6aa45f19bd4ff89b4f468fc50c4b8daa ]
+
+Release the buffer_head before returning error code in
+do_isofs_readdir() and isofs_find_entry().
+
+Fixes: 2deb1acc653c ("isofs: fix access to unallocated memory when reading corrupted filesystem")
+Link: https://lore.kernel.org/r/20210118120455.118955-1-bianpan2016@163.com
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/isofs/dir.c | 1 +
+ fs/isofs/namei.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/fs/isofs/dir.c b/fs/isofs/dir.c
+index b943cbd963bb9..2e7d74c7beed8 100644
+--- a/fs/isofs/dir.c
++++ b/fs/isofs/dir.c
+@@ -151,6 +151,7 @@ static int do_isofs_readdir(struct inode *inode, struct file *file,
+ printk(KERN_NOTICE "iso9660: Corrupted directory entry"
+ " in block %lu of inode %lu\n", block,
+ inode->i_ino);
++ brelse(bh);
+ return -EIO;
+ }
+
+diff --git a/fs/isofs/namei.c b/fs/isofs/namei.c
+index 7b543e6b6526d..696f255d15325 100644
+--- a/fs/isofs/namei.c
++++ b/fs/isofs/namei.c
+@@ -101,6 +101,7 @@ isofs_find_entry(struct inode *dir, struct dentry *dentry,
+ printk(KERN_NOTICE "iso9660: Corrupted directory entry"
+ " in block %lu of inode %lu\n", block,
+ dir->i_ino);
++ brelse(bh);
+ return 0;
+ }
+
+--
+2.27.0
+
--- /dev/null
+From 3a2545daae460aa792c68aa4b3ef4589cd456350 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Dec 2020 06:56:04 -0800
+Subject: jffs2: fix use after free in jffs2_sum_write_data()
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit 19646447ad3a680d2ab08c097585b7d96a66126b ]
+
+clang static analysis reports this problem
+
+fs/jffs2/summary.c:794:31: warning: Use of memory after it is freed
+ c->summary->sum_list_head = temp->u.next;
+ ^~~~~~~~~~~~
+
+In jffs2_sum_write_data(), in a loop summary data is handles a node at
+a time. When it has written out the node it is removed the summary list,
+and the node is deleted. In the corner case when a
+JFFS2_FEATURE_RWCOMPAT_COPY is seen, a call is made to
+jffs2_sum_disable_collecting(). jffs2_sum_disable_collecting() deletes
+the whole list which conflicts with the loop's deleting the list by parts.
+
+To preserve the old behavior of stopping the write midway, bail out of
+the loop after disabling summary collection.
+
+Fixes: 6171586a7ae5 ("[JFFS2] Correct handling of JFFS2_FEATURE_RWCOMPAT_COPY nodes.")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jffs2/summary.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/jffs2/summary.c b/fs/jffs2/summary.c
+index bc5385471a6e3..c05d6f5f10ecd 100644
+--- a/fs/jffs2/summary.c
++++ b/fs/jffs2/summary.c
+@@ -783,6 +783,8 @@ static int jffs2_sum_write_data(struct jffs2_sb_info *c, struct jffs2_eraseblock
+ dbg_summary("Writing unknown RWCOMPAT_COPY node type %x\n",
+ je16_to_cpu(temp->u.nodetype));
+ jffs2_sum_disable_collecting(c->summary);
++ /* The above call removes the list, nothing more to do */
++ goto bail_rwcompat;
+ } else {
+ BUG(); /* unknown node in summary information */
+ }
+@@ -794,6 +796,7 @@ static int jffs2_sum_write_data(struct jffs2_sb_info *c, struct jffs2_eraseblock
+
+ c->summary->sum_num--;
+ }
++ bail_rwcompat:
+
+ jffs2_sum_reset_collected(c->summary);
+
+--
+2.27.0
+
--- /dev/null
+From 8b4b9f6db69b3e76f0c8105da6c7db4c3fa2b218 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 Jan 2021 22:21:46 +0100
+Subject: media: cx25821: Fix a bug when reallocating some dma memory
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit b2de3643c5024fc4fd128ba7767c7fb8b714bea7 ]
+
+This function looks like a realloc.
+
+However, if 'risc->cpu != NULL', the memory will be freed, but never
+reallocated with the bigger 'size'.
+Explicitly set 'risc->cpu' to NULL, so that the reallocation is
+correctly performed a few lines below.
+
+[hverkuil: NULL != risc->cpu -> risc->cpu]
+
+Fixes: 5ede94c70553 ("[media] cx25821: remove bogus btcx_risc dependency)
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/cx25821/cx25821-core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/pci/cx25821/cx25821-core.c b/drivers/media/pci/cx25821/cx25821-core.c
+index 54398d8a4696c..b43cf85ed5f05 100644
+--- a/drivers/media/pci/cx25821/cx25821-core.c
++++ b/drivers/media/pci/cx25821/cx25821-core.c
+@@ -990,8 +990,10 @@ int cx25821_riscmem_alloc(struct pci_dev *pci,
+ __le32 *cpu;
+ dma_addr_t dma = 0;
+
+- if (NULL != risc->cpu && risc->size < size)
++ if (risc->cpu && risc->size < size) {
+ pci_free_consistent(pci, risc->size, risc->cpu, risc->dma);
++ risc->cpu = NULL;
++ }
+ if (NULL == risc->cpu) {
+ cpu = pci_zalloc_consistent(pci, size, &dma);
+ if (NULL == cpu)
+--
+2.27.0
+
--- /dev/null
+From 4fbd52106bf1cb409e6db2a02bd2115dae2279ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 23 Aug 2020 20:13:31 +0200
+Subject: media: lmedm04: Fix misuse of comma
+
+From: Joe Perches <joe@perches.com>
+
+[ Upstream commit 59a3e78f8cc33901fe39035c1ab681374bba95ad ]
+
+There's a comma used instead of a semicolon that causes multiple
+statements to be executed after an if instead of just the intended
+single statement.
+
+Replace the comma with a semicolon.
+
+Fixes: 15e1ce33182d ("[media] lmedm04: Fix usb_submit_urb BOGUS urb xfer, pipe 1 != type 3 in interrupt urb")
+Signed-off-by: Joe Perches <joe@perches.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb-v2/lmedm04.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/dvb-usb-v2/lmedm04.c b/drivers/media/usb/dvb-usb-v2/lmedm04.c
+index 09c97847bf959..b586a23ab5887 100644
+--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c
++++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c
+@@ -445,7 +445,7 @@ static int lme2510_int_read(struct dvb_usb_adapter *adap)
+ ep = usb_pipe_endpoint(d->udev, lme_int->lme_urb->pipe);
+
+ if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK)
+- lme_int->lme_urb->pipe = usb_rcvbulkpipe(d->udev, 0xa),
++ lme_int->lme_urb->pipe = usb_rcvbulkpipe(d->udev, 0xa);
+
+ lme_int->lme_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
+
+--
+2.27.0
+
--- /dev/null
+From f14064ebba060938ebc9112f687f669e04a45ce3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 2 Jan 2021 07:27:22 +0100
+Subject: media: media/pci: Fix memleak in empress_init
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit 15d0c52241ecb1c9d802506bff6f5c3f7872c0df ]
+
+When vb2_queue_init() fails, dev->empress_dev
+should be released just like other error handling
+paths.
+
+Fixes: 2ada815fc48bb ("[media] saa7134: convert to vb2")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/saa7134/saa7134-empress.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/pci/saa7134/saa7134-empress.c b/drivers/media/pci/saa7134/saa7134-empress.c
+index 56b932c97196d..ae3b96e9cff35 100644
+--- a/drivers/media/pci/saa7134/saa7134-empress.c
++++ b/drivers/media/pci/saa7134/saa7134-empress.c
+@@ -295,8 +295,11 @@ static int empress_init(struct saa7134_dev *dev)
+ q->timestamp_flags = V4L2_BUF_FLAG_TIMESTAMP_MONOTONIC;
+ q->lock = &dev->lock;
+ err = vb2_queue_init(q);
+- if (err)
++ if (err) {
++ video_device_release(dev->empress_dev);
++ dev->empress_dev = NULL;
+ return err;
++ }
+ dev->empress_dev->queue = q;
+
+ video_set_drvdata(dev->empress_dev, dev);
+--
+2.27.0
+
--- /dev/null
+From 337dcd6b570388af617d476afe6bda39f3009ba5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 2 Jan 2021 09:26:37 +0100
+Subject: media: tm6000: Fix memleak in tm6000_start_stream
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit 76aaf8a96771c16365b8510f1fb97738dc88026e ]
+
+When usb_clear_halt() fails, dvb->bulk_urb->transfer_buffer
+and dvb->bulk_urb should be freed just like when
+usb_submit_urb() fails.
+
+Fixes: 3169c9b26fffa ("V4L/DVB (12788): tm6000: Add initial DVB-T support")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/tm6000/tm6000-dvb.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/media/usb/tm6000/tm6000-dvb.c b/drivers/media/usb/tm6000/tm6000-dvb.c
+index 87401b18d85a8..8afc7de1cf834 100644
+--- a/drivers/media/usb/tm6000/tm6000-dvb.c
++++ b/drivers/media/usb/tm6000/tm6000-dvb.c
+@@ -158,6 +158,10 @@ static int tm6000_start_stream(struct tm6000_core *dev)
+ if (ret < 0) {
+ printk(KERN_ERR "tm6000: error %i in %s during pipe reset\n",
+ ret, __func__);
++
++ kfree(dvb->bulk_urb->transfer_buffer);
++ usb_free_urb(dvb->bulk_urb);
++ dvb->bulk_urb = NULL;
+ return ret;
+ } else
+ printk(KERN_ERR "tm6000: pipe resetted\n");
+--
+2.27.0
+
--- /dev/null
+From 74bf84089066e56f54a4e01a722971c1c25cf65d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Dec 2020 15:11:13 +0100
+Subject: media: uvcvideo: Accept invalid bFormatIndex and bFrameIndex values
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+
+[ Upstream commit dc9455ffae02d7b7fb51ba1e007fffcb9dc5d890 ]
+
+The Renkforce RF AC4K 300 Action Cam 4K reports invalid bFormatIndex and
+bFrameIndex values when negotiating the video probe and commit controls.
+The UVC descriptors report a single supported format and frame size,
+with bFormatIndex and bFrameIndex both equal to 2, but the video probe
+and commit controls report bFormatIndex and bFrameIndex set to 1.
+
+The device otherwise operates correctly, but the driver rejects the
+values and fails the format try operation. Fix it by ignoring the
+invalid indices, and assuming that the format and frame requested by the
+driver are accepted by the device.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=210767
+
+Fixes: 8a652a17e3c0 ("media: uvcvideo: Ensure all probed info is returned to v4l2")
+Reported-by: Till Dörges <doerges@pre-sense.de>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_v4l2.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c
+index a0a544628053d..154f5bd45940e 100644
+--- a/drivers/media/usb/uvc/uvc_v4l2.c
++++ b/drivers/media/usb/uvc/uvc_v4l2.c
+@@ -243,7 +243,9 @@ static int uvc_v4l2_try_format(struct uvc_streaming *stream,
+ goto done;
+
+ /* After the probe, update fmt with the values returned from
+- * negotiation with the device.
++ * negotiation with the device. Some devices return invalid bFormatIndex
++ * and bFrameIndex values, in which case we can only assume they have
++ * accepted the requested format as-is.
+ */
+ for (i = 0; i < stream->nformats; ++i) {
+ if (probe->bFormatIndex == stream->format[i].index) {
+@@ -252,11 +254,10 @@ static int uvc_v4l2_try_format(struct uvc_streaming *stream,
+ }
+ }
+
+- if (i == stream->nformats) {
+- uvc_trace(UVC_TRACE_FORMAT, "Unknown bFormatIndex %u\n",
++ if (i == stream->nformats)
++ uvc_trace(UVC_TRACE_FORMAT,
++ "Unknown bFormatIndex %u, using default\n",
+ probe->bFormatIndex);
+- return -EINVAL;
+- }
+
+ for (i = 0; i < format->nframes; ++i) {
+ if (probe->bFrameIndex == format->frame[i].bFrameIndex) {
+@@ -265,11 +266,10 @@ static int uvc_v4l2_try_format(struct uvc_streaming *stream,
+ }
+ }
+
+- if (i == format->nframes) {
+- uvc_trace(UVC_TRACE_FORMAT, "Unknown bFrameIndex %u\n",
++ if (i == format->nframes)
++ uvc_trace(UVC_TRACE_FORMAT,
++ "Unknown bFrameIndex %u, using default\n",
+ probe->bFrameIndex);
+- return -EINVAL;
+- }
+
+ fmt->fmt.pix.width = frame->wWidth;
+ fmt->fmt.pix.height = frame->wHeight;
+--
+2.27.0
+
--- /dev/null
+From 9c7c3f1c53a55690f153be23bb5d2f1546513269 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Jan 2021 17:37:24 +0300
+Subject: mfd: wm831x-auxadc: Prevent use after free in
+ wm831x_auxadc_read_irq()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 26783d74cc6a440ee3ef9836a008a697981013d0 ]
+
+The "req" struct is always added to the "wm831x->auxadc_pending" list,
+but it's only removed from the list on the success path. If a failure
+occurs then the "req" struct is freed but it's still on the list,
+leading to a use after free.
+
+Fixes: 78bb3688ea18 ("mfd: Support multiple active WM831x AUXADC conversions")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/wm831x-auxadc.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/mfd/wm831x-auxadc.c b/drivers/mfd/wm831x-auxadc.c
+index fd789d2eb0f52..9f7ae1e1ebcd6 100644
+--- a/drivers/mfd/wm831x-auxadc.c
++++ b/drivers/mfd/wm831x-auxadc.c
+@@ -98,11 +98,10 @@ static int wm831x_auxadc_read_irq(struct wm831x *wm831x,
+ wait_for_completion_timeout(&req->done, msecs_to_jiffies(500));
+
+ mutex_lock(&wm831x->auxadc_lock);
+-
+- list_del(&req->list);
+ ret = req->val;
+
+ out:
++ list_del(&req->list);
+ mutex_unlock(&wm831x->auxadc_lock);
+
+ kfree(req);
+--
+2.27.0
+
--- /dev/null
+From 7cbbdfe6346f1f78539c0f06503c3ce872d56e70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Jan 2021 13:34:56 -0700
+Subject: MIPS: c-r4k: Fix section mismatch for loongson2_sc_init
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit c58734eee6a2151ba033c0dcb31902c89e310374 ]
+
+When building with clang, the following section mismatch warning occurs:
+
+WARNING: modpost: vmlinux.o(.text+0x24490): Section mismatch in
+reference from the function r4k_cache_init() to the function
+.init.text:loongson2_sc_init()
+
+This should have been fixed with commit ad4fddef5f23 ("mips: fix Section
+mismatch in reference") but it was missed. Remove the improper __init
+annotation like that commit did.
+
+Fixes: 078a55fc824c ("MIPS: Delete __cpuinit/__CPUINIT usage from MIPS code")
+Link: https://github.com/ClangBuiltLinux/linux/issues/787
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Reviewed-by: Huacai Chen <chenhuacai@kernel.org>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/mm/c-r4k.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/mips/mm/c-r4k.c b/arch/mips/mm/c-r4k.c
+index 6c0147bd8e801..90f8d6d51f316 100644
+--- a/arch/mips/mm/c-r4k.c
++++ b/arch/mips/mm/c-r4k.c
+@@ -1401,7 +1401,7 @@ static int probe_scache(void)
+ return 1;
+ }
+
+-static void __init loongson2_sc_init(void)
++static void loongson2_sc_init(void)
+ {
+ struct cpuinfo_mips *c = ¤t_cpu_data;
+
+--
+2.27.0
+
--- /dev/null
+From 5e0482986bc16c454caf7a2815d0697b78d87a64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Jan 2021 13:15:48 -0700
+Subject: MIPS: lantiq: Explicitly compare LTQ_EBU_PCC_ISTAT against 0
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit c6f2a9e17b9bef7677caddb1626c2402f3e9d2bd ]
+
+When building xway_defconfig with clang:
+
+arch/mips/lantiq/irq.c:305:48: error: use of logical '&&' with constant
+operand [-Werror,-Wconstant-logical-operand]
+ if ((irq == LTQ_ICU_EBU_IRQ) && (module == 0) && LTQ_EBU_PCC_ISTAT)
+ ^ ~~~~~~~~~~~~~~~~~
+arch/mips/lantiq/irq.c:305:48: note: use '&' for a bitwise operation
+ if ((irq == LTQ_ICU_EBU_IRQ) && (module == 0) && LTQ_EBU_PCC_ISTAT)
+ ^~
+ &
+arch/mips/lantiq/irq.c:305:48: note: remove constant to silence this
+warning
+ if ((irq == LTQ_ICU_EBU_IRQ) && (module == 0) && LTQ_EBU_PCC_ISTAT)
+ ~^~~~~~~~~~~~~~~~~~~~
+1 error generated.
+
+Explicitly compare the constant LTQ_EBU_PCC_ISTAT against 0 to fix the
+warning. Additionally, remove the unnecessary parentheses as this is a
+simple conditional statement and shorthand '== 0' to '!'.
+
+Fixes: 3645da0276ae ("OF: MIPS: lantiq: implement irq_domain support")
+Link: https://github.com/ClangBuiltLinux/linux/issues/807
+Reported-by: Dmitry Golovin <dima@golovin.in>
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/lantiq/irq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/mips/lantiq/irq.c b/arch/mips/lantiq/irq.c
+index a7057a06c0961..5526b89a21a02 100644
+--- a/arch/mips/lantiq/irq.c
++++ b/arch/mips/lantiq/irq.c
+@@ -245,7 +245,7 @@ static void ltq_hw_irqdispatch(int module)
+ do_IRQ((int)irq + MIPS_CPU_IRQ_CASCADE + (INT_NUM_IM_OFFSET * module));
+
+ /* if this is a EBU irq, we need to ack it or get a deadlock */
+- if ((irq == LTQ_ICU_EBU_IRQ) && (module == 0) && LTQ_EBU_PCC_ISTAT)
++ if (irq == LTQ_ICU_EBU_IRQ && !module && LTQ_EBU_PCC_ISTAT != 0)
+ ltq_ebu_w32(ltq_ebu_r32(LTQ_EBU_PCC_ISTAT) | 0x10,
+ LTQ_EBU_PCC_ISTAT);
+ }
+--
+2.27.0
+
--- /dev/null
+From ff279e1acfcbfa8de9954f7ee965a8e38941510e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Jan 2021 10:42:52 +0530
+Subject: misc: eeprom_93xx46: Add module alias to avoid breaking support for
+ non device tree users
+
+From: Aswath Govindraju <a-govindraju@ti.com>
+
+[ Upstream commit 4540b9fbd8ebb21bb3735796d300a1589ee5fbf2 ]
+
+Module alias "spi:93xx46" is used by non device tree users like
+drivers/misc/eeprom/digsy_mtc_eeprom.c and removing it will
+break support for them.
+
+Fix this by adding back the module alias "spi:93xx46".
+
+Fixes: 13613a2246bf ("misc: eeprom_93xx46: Fix module alias to enable module autoprobe")
+Signed-off-by: Aswath Govindraju <a-govindraju@ti.com>
+Link: https://lore.kernel.org/r/20210113051253.15061-1-a-govindraju@ti.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/eeprom/eeprom_93xx46.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/misc/eeprom/eeprom_93xx46.c b/drivers/misc/eeprom/eeprom_93xx46.c
+index 15c7e3574bcb2..22c1f06728a9c 100644
+--- a/drivers/misc/eeprom/eeprom_93xx46.c
++++ b/drivers/misc/eeprom/eeprom_93xx46.c
+@@ -380,4 +380,5 @@ module_spi_driver(eeprom_93xx46_driver);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Driver for 93xx46 EEPROMs");
+ MODULE_AUTHOR("Anatolij Gustschin <agust@denx.de>");
++MODULE_ALIAS("spi:93xx46");
+ MODULE_ALIAS("spi:eeprom-93xx46");
+--
+2.27.0
+
--- /dev/null
+From 08b963e22192447168b92e4eca870becdcd3aed2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Jan 2021 22:09:53 +0530
+Subject: misc: eeprom_93xx46: Fix module alias to enable module autoprobe
+
+From: Aswath Govindraju <a-govindraju@ti.com>
+
+[ Upstream commit 13613a2246bf531f5fc04e8e62e8f21a3d39bf1c ]
+
+Fix module autoprobe by correcting module alias to match the string from
+/sys/class/.../spi1.0/modalias content.
+
+Fixes: 06b4501e88ad ("misc/eeprom: add driver for microwire 93xx46 EEPROMs")
+Signed-off-by: Aswath Govindraju <a-govindraju@ti.com>
+Link: https://lore.kernel.org/r/20210107163957.28664-2-a-govindraju@ti.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/eeprom/eeprom_93xx46.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/misc/eeprom/eeprom_93xx46.c b/drivers/misc/eeprom/eeprom_93xx46.c
+index ff63f05edc763..15c7e3574bcb2 100644
+--- a/drivers/misc/eeprom/eeprom_93xx46.c
++++ b/drivers/misc/eeprom/eeprom_93xx46.c
+@@ -380,4 +380,4 @@ module_spi_driver(eeprom_93xx46_driver);
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Driver for 93xx46 EEPROMs");
+ MODULE_AUTHOR("Anatolij Gustschin <agust@denx.de>");
+-MODULE_ALIAS("spi:93xx46");
++MODULE_ALIAS("spi:eeprom-93xx46");
+--
+2.27.0
+
--- /dev/null
+From 3070f3d765aa703e1045bd67f3d88ecffae457f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Feb 2021 12:06:50 -0800
+Subject: mm/hugetlb: fix potential double free in hugetlb_register_node()
+ error path
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit cc2205a67dec5a700227a693fc113441e73e4641 ]
+
+In hugetlb_sysfs_add_hstate(), we would do kobject_put() on hstate_kobjs
+when failed to create sysfs group but forget to set hstate_kobjs to NULL.
+Then in hugetlb_register_node() error path, we may free it again via
+hugetlb_unregister_node().
+
+Link: https://lkml.kernel.org/r/20210107123249.36964-1-linmiaohe@huawei.com
+Fixes: a3437870160c ("hugetlb: new sysfs interface")
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
+Reviewed-by: Muchun Song <smuchun@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/hugetlb.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/mm/hugetlb.c b/mm/hugetlb.c
+index dc877712ef1f3..7c3ecac8aeb3f 100644
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -2485,8 +2485,10 @@ static int hugetlb_sysfs_add_hstate(struct hstate *h, struct kobject *parent,
+ return -ENOMEM;
+
+ retval = sysfs_create_group(hstate_kobjs[hi], hstate_attr_group);
+- if (retval)
++ if (retval) {
+ kobject_put(hstate_kobjs[hi]);
++ hstate_kobjs[hi] = NULL;
++ }
+
+ return retval;
+ }
+--
+2.27.0
+
--- /dev/null
+From 6f413a786beb3527d7f850db5516065dee13de66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Feb 2021 12:04:33 -0800
+Subject: mm/memory.c: fix potential pte_unmap_unlock pte error
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit 90a3e375d324b2255b83e3dd29e99e2b05d82aaf ]
+
+Since commit 42e4089c7890 ("x86/speculation/l1tf: Disallow non privileged
+high MMIO PROT_NONE mappings"), when the first pfn modify is not allowed,
+we would break the loop with pte unchanged. Then the wrong pte - 1 would
+be passed to pte_unmap_unlock.
+
+Andi said:
+
+ "While the fix is correct, I'm not sure if it actually is a real bug.
+ Is there any architecture that would do something else than unlocking
+ the underlying page? If it's just the underlying page then it should
+ be always the same page, so no bug"
+
+Link: https://lkml.kernel.org/r/20210109080118.20885-1-linmiaohe@huawei.com
+Fixes: 42e4089c789 ("x86/speculation/l1tf: Disallow non privileged high MMIO PROT_NONE mappings")
+Signed-off-by: Hongxiang Lou <louhongxiang@huawei.com>
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/memory.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/mm/memory.c b/mm/memory.c
+index fa752df6dc857..86ca97c24f1d9 100644
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -1686,11 +1686,11 @@ static int remap_pte_range(struct mm_struct *mm, pmd_t *pmd,
+ unsigned long addr, unsigned long end,
+ unsigned long pfn, pgprot_t prot)
+ {
+- pte_t *pte;
++ pte_t *pte, *mapped_pte;
+ spinlock_t *ptl;
+ int err = 0;
+
+- pte = pte_alloc_map_lock(mm, pmd, addr, &ptl);
++ mapped_pte = pte = pte_alloc_map_lock(mm, pmd, addr, &ptl);
+ if (!pte)
+ return -ENOMEM;
+ arch_enter_lazy_mmu_mode();
+@@ -1704,7 +1704,7 @@ static int remap_pte_range(struct mm_struct *mm, pmd_t *pmd,
+ pfn++;
+ } while (pte++, addr += PAGE_SIZE, addr != end);
+ arch_leave_lazy_mmu_mode();
+- pte_unmap_unlock(pte - 1, ptl);
++ pte_unmap_unlock(mapped_pte, ptl);
+ return err;
+ }
+
+--
+2.27.0
+
--- /dev/null
+From c913ff9d17e71fec6a74e0a7f953841b6c5a5f83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Dec 2020 22:09:22 +0100
+Subject: mmc: usdhi6rol0: Fix a resource leak in the error handling path of
+ the probe
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 6052b3c370fb82dec28bcfff6d7ec0da84ac087a ]
+
+A call to 'ausdhi6_dma_release()' to undo a previous call to
+'usdhi6_dma_request()' is missing in the error handling path of the probe
+function.
+
+It is already present in the remove function.
+
+Fixes: 75fa9ea6e3c0 ("mmc: add a driver for the Renesas usdhi6rol0 SD/SDIO host controller")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/20201217210922.165340-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/usdhi6rol0.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/usdhi6rol0.c b/drivers/mmc/host/usdhi6rol0.c
+index b47122d3e8d8c..2b6a9c6a6e965 100644
+--- a/drivers/mmc/host/usdhi6rol0.c
++++ b/drivers/mmc/host/usdhi6rol0.c
+@@ -1808,10 +1808,12 @@ static int usdhi6_probe(struct platform_device *pdev)
+
+ ret = mmc_add_host(mmc);
+ if (ret < 0)
+- goto e_clk_off;
++ goto e_release_dma;
+
+ return 0;
+
++e_release_dma:
++ usdhi6_dma_release(host);
+ e_clk_off:
+ clk_disable_unprepare(host->clk);
+ e_free_mmc:
+--
+2.27.0
+
--- /dev/null
+From d679570f3620a4a19a70fcd32611d07fa617a661 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 24 Jan 2021 16:39:32 +0100
+Subject: PCI: Align checking of syscall user config accessors
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit ef9e4005cbaf022c6251263aa27836acccaef65d ]
+
+After 34e3207205ef ("PCI: handle positive error codes"),
+pci_user_read_config_*() and pci_user_write_config_*() return 0 or negative
+errno values, not PCIBIOS_* values like PCIBIOS_SUCCESSFUL or
+PCIBIOS_BAD_REGISTER_NUMBER.
+
+Remove comparisons with PCIBIOS_SUCCESSFUL and check only for non-zero. It
+happens that PCIBIOS_SUCCESSFUL is zero, so this is not a functional
+change, but it aligns this code with the user accessors.
+
+[bhelgaas: commit log]
+Fixes: 34e3207205ef ("PCI: handle positive error codes")
+Link: https://lore.kernel.org/r/f1220314-e518-1e18-bf94-8e6f8c703758@gmail.com
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/syscall.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
+index b91c4da683657..7958250856d36 100644
+--- a/drivers/pci/syscall.c
++++ b/drivers/pci/syscall.c
+@@ -21,7 +21,7 @@ SYSCALL_DEFINE5(pciconfig_read, unsigned long, bus, unsigned long, dfn,
+ u16 word;
+ u32 dword;
+ long err;
+- long cfg_ret;
++ int cfg_ret;
+
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+@@ -47,7 +47,7 @@ SYSCALL_DEFINE5(pciconfig_read, unsigned long, bus, unsigned long, dfn,
+ }
+
+ err = -EIO;
+- if (cfg_ret != PCIBIOS_SUCCESSFUL)
++ if (cfg_ret)
+ goto error;
+
+ switch (len) {
+@@ -105,7 +105,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
+ if (err)
+ break;
+ err = pci_user_write_config_byte(dev, off, byte);
+- if (err != PCIBIOS_SUCCESSFUL)
++ if (err)
+ err = -EIO;
+ break;
+
+@@ -114,7 +114,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
+ if (err)
+ break;
+ err = pci_user_write_config_word(dev, off, word);
+- if (err != PCIBIOS_SUCCESSFUL)
++ if (err)
+ err = -EIO;
+ break;
+
+@@ -123,7 +123,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
+ if (err)
+ break;
+ err = pci_user_write_config_dword(dev, off, dword);
+- if (err != PCIBIOS_SUCCESSFUL)
++ if (err)
+ err = -EIO;
+ break;
+
+--
+2.27.0
+
--- /dev/null
+From cb66d807de28bd4ae08f9d754817759aaf15b428 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Feb 2021 19:53:47 +0200
+Subject: perf intel-pt: Fix missing CYC processing in PSB
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+[ Upstream commit 03fb0f859b45d1eb05c984ab4bd3bef67e45ede2 ]
+
+Add missing CYC packet processing when walking through PSB+. This
+improves the accuracy of timestamps that follow PSB+, until the next
+MTC.
+
+Fixes: 3d49807870f08 ("perf tools: Add new Intel PT packet definitions")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Reviewed-by: Andi Kleen <ak@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Link: https://lore.kernel.org/r/20210205175350.23817-2-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/intel-pt-decoder/intel-pt-decoder.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+index c1944765533c8..28f9e88c65bac 100644
+--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+@@ -1478,6 +1478,9 @@ static int intel_pt_walk_psbend(struct intel_pt_decoder *decoder)
+ break;
+
+ case INTEL_PT_CYC:
++ intel_pt_calc_cyc_timestamp(decoder);
++ break;
++
+ case INTEL_PT_VMCS:
+ case INTEL_PT_MNT:
+ case INTEL_PT_PAD:
+--
+2.27.0
+
--- /dev/null
+From a6767892441bcc17b072440cc7cecff278450bd7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Feb 2021 18:16:38 +0900
+Subject: perf test: Fix unaligned access in sample parsing test
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit c5c97cadd7ed13381cb6b4bef5c841a66938d350 ]
+
+The ubsan reported the following error. It was because sample's raw
+data missed u32 padding at the end. So it broke the alignment of the
+array after it.
+
+The raw data contains an u32 size prefix so the data size should have
+an u32 padding after 8-byte aligned data.
+
+27: Sample parsing :util/synthetic-events.c:1539:4:
+ runtime error: store to misaligned address 0x62100006b9bc for type
+ '__u64' (aka 'unsigned long long'), which requires 8 byte alignment
+0x62100006b9bc: note: pointer points here
+ 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ^
+ #0 0x561532a9fc96 in perf_event__synthesize_sample util/synthetic-events.c:1539:13
+ #1 0x5615327f4a4f in do_test tests/sample-parsing.c:284:8
+ #2 0x5615327f3f50 in test__sample_parsing tests/sample-parsing.c:381:9
+ #3 0x56153279d3a1 in run_test tests/builtin-test.c:424:9
+ #4 0x56153279c836 in test_and_print tests/builtin-test.c:454:9
+ #5 0x56153279b7eb in __cmd_test tests/builtin-test.c:675:4
+ #6 0x56153279abf0 in cmd_test tests/builtin-test.c:821:9
+ #7 0x56153264e796 in run_builtin perf.c:312:11
+ #8 0x56153264cf03 in handle_internal_command perf.c:364:8
+ #9 0x56153264e47d in run_argv perf.c:408:2
+ #10 0x56153264c9a9 in main perf.c:538:3
+ #11 0x7f137ab6fbbc in __libc_start_main (/lib64/libc.so.6+0x38bbc)
+ #12 0x561532596828 in _start ...
+
+SUMMARY: UndefinedBehaviorSanitizer: misaligned-pointer-use
+ util/synthetic-events.c:1539:4 in
+
+Fixes: 045f8cd8542d ("perf tests: Add a sample parsing test")
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Link: https://lore.kernel.org/r/20210214091638.519643-1-namhyung@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/sample-parsing.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/tests/sample-parsing.c b/tools/perf/tests/sample-parsing.c
+index 30c02181e78b2..bdef02599b4e3 100644
+--- a/tools/perf/tests/sample-parsing.c
++++ b/tools/perf/tests/sample-parsing.c
+@@ -167,7 +167,7 @@ static int do_test(u64 sample_type, u64 sample_regs, u64 read_format)
+ .data = {1, 211, 212, 213},
+ };
+ u64 regs[64];
+- const u64 raw_data[] = {0x123456780a0b0c0dULL, 0x1102030405060708ULL};
++ const u32 raw_data[] = {0x12345678, 0x0a0b0c0d, 0x11020304, 0x05060708, 0 };
+ const u64 data[] = {0x2211443366558877ULL, 0, 0xaabbccddeeff4321ULL};
+ struct perf_sample sample = {
+ .ip = 101,
+--
+2.27.0
+
--- /dev/null
+From 78d9b1b471e479f557aa01cd63d21f450be2713e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Jan 2021 07:49:13 +0000
+Subject: powerpc/47x: Disable 256k page size
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit 910a0cb6d259736a0c86e795d4c2f42af8d0d775 ]
+
+PPC47x_TLBE_SIZE isn't defined for 256k pages, leading to a build
+break if 256k pages is selected.
+
+So change the kconfig so that 256k pages can't be selected for 47x.
+
+Fixes: e7f75ad01d59 ("powerpc/47x: Base ppc476 support")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+[mpe: Expand change log to mention build break]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/2fed79b1154c872194f98bac4422c23918325e61.1611128938.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
+index 4ece20178145d..735f99906a320 100644
+--- a/arch/powerpc/Kconfig
++++ b/arch/powerpc/Kconfig
+@@ -577,7 +577,7 @@ config PPC_64K_PAGES
+
+ config PPC_256K_PAGES
+ bool "256k page size"
+- depends on 44x && !STDBINUTILS
++ depends on 44x && !STDBINUTILS && !PPC_47x
+ help
+ Make the page size 256k.
+
+--
+2.27.0
+
--- /dev/null
+From c055ba982bbecb8359e8c5c15e1859241546ff79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Jan 2021 20:59:00 -0600
+Subject: powerpc/pseries/dlpar: handle ibm, configure-connector delay status
+
+From: Nathan Lynch <nathanl@linux.ibm.com>
+
+[ Upstream commit 768d70e19ba525debd571b36e6d0ab19956c63d7 ]
+
+dlpar_configure_connector() has two problems in its handling of
+ibm,configure-connector's return status:
+
+1. When the status is -2 (busy, call again), we call
+ ibm,configure-connector again immediately without checking whether
+ to schedule, which can result in monopolizing the CPU.
+2. Extended delay status (9900..9905) goes completely unhandled,
+ causing the configuration to unnecessarily terminate.
+
+Fix both of these issues by using rtas_busy_delay().
+
+Fixes: ab519a011caa ("powerpc/pseries: Kernel DLPAR Infrastructure")
+Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
+Reviewed-by: Tyrel Datwyler <tyreld@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210107025900.410369-1-nathanl@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/pseries/dlpar.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/arch/powerpc/platforms/pseries/dlpar.c b/arch/powerpc/platforms/pseries/dlpar.c
+index 551ba5b35df9d..91a667d8b1e90 100644
+--- a/arch/powerpc/platforms/pseries/dlpar.c
++++ b/arch/powerpc/platforms/pseries/dlpar.c
+@@ -131,7 +131,6 @@ void dlpar_free_cc_nodes(struct device_node *dn)
+ #define NEXT_PROPERTY 3
+ #define PREV_PARENT 4
+ #define MORE_MEMORY 5
+-#define CALL_AGAIN -2
+ #define ERR_CFG_USE -9003
+
+ struct device_node *dlpar_configure_connector(__be32 drc_index,
+@@ -173,6 +172,9 @@ struct device_node *dlpar_configure_connector(__be32 drc_index,
+
+ spin_unlock(&rtas_data_buf_lock);
+
++ if (rtas_busy_delay(rc))
++ continue;
++
+ switch (rc) {
+ case COMPLETE:
+ break;
+@@ -225,9 +227,6 @@ struct device_node *dlpar_configure_connector(__be32 drc_index,
+ parent_path = last_dn->parent->full_name;
+ break;
+
+- case CALL_AGAIN:
+- break;
+-
+ case MORE_MEMORY:
+ case ERR_CFG_USE:
+ default:
+--
+2.27.0
+
--- /dev/null
+From 013216be4adfc7cc4f1dcfa3a9d0fc4d7e3db41c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Jan 2021 04:33:13 -0800
+Subject: regulator: axp20x: Fix reference cout leak
+
+From: Pan Bian <bianpan2016@163.com>
+
+[ Upstream commit e78bf6be7edaacb39778f3a89416caddfc6c6d70 ]
+
+Decrements the reference count of device node and its child node.
+
+Fixes: dfe7a1b058bb ("regulator: AXP20x: Add support for regulators subsystem")
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Link: https://lore.kernel.org/r/20210120123313.107640-1-bianpan2016@163.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/axp20x-regulator.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/regulator/axp20x-regulator.c b/drivers/regulator/axp20x-regulator.c
+index 5cf4a97e03048..df235ac1a6b2b 100644
+--- a/drivers/regulator/axp20x-regulator.c
++++ b/drivers/regulator/axp20x-regulator.c
+@@ -279,7 +279,7 @@ static int axp20x_set_dcdc_freq(struct platform_device *pdev, u32 dcdcfreq)
+ static int axp20x_regulator_parse_dt(struct platform_device *pdev)
+ {
+ struct device_node *np, *regulators;
+- int ret;
++ int ret = 0;
+ u32 dcdcfreq = 0;
+
+ np = of_node_get(pdev->dev.parent->of_node);
+@@ -294,13 +294,12 @@ static int axp20x_regulator_parse_dt(struct platform_device *pdev)
+ ret = axp20x_set_dcdc_freq(pdev, dcdcfreq);
+ if (ret < 0) {
+ dev_err(&pdev->dev, "Error setting dcdc frequency: %d\n", ret);
+- return ret;
+ }
+-
+ of_node_put(regulators);
+ }
+
+- return 0;
++ of_node_put(np);
++ return ret;
+ }
+
+ static int axp20x_set_dcdc_workmode(struct regulator_dev *rdev, int id, u32 workmode)
+--
+2.27.0
+
--- /dev/null
+From 22b02ff3a210ce8e8c1fbe8745cef7d191991d9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Feb 2021 11:24:28 -0800
+Subject: scsi: bnx2fc: Fix Kconfig warning & CNIC build errors
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit eefb816acb0162e94a85a857f3a55148f671d5a5 ]
+
+CNIC depends on MMU, but since 'select' does not follow any dependency
+chains, SCSI_BNX2X_FCOE also needs to depend on MMU, so that erroneous
+configs are not generated, which cause build errors in cnic.
+
+WARNING: unmet direct dependencies detected for CNIC
+ Depends on [n]: NETDEVICES [=y] && ETHERNET [=y] && NET_VENDOR_BROADCOM [=y] && PCI [=y] && (IPV6 [=n] || IPV6 [=n]=n) && MMU [=n]
+ Selected by [y]:
+ - SCSI_BNX2X_FCOE [=y] && SCSI_LOWLEVEL [=y] && SCSI [=y] && PCI [=y] && (IPV6 [=n] || IPV6 [=n]=n) && LIBFC [=y] && LIBFCOE [=y]
+
+riscv64-linux-ld: drivers/net/ethernet/broadcom/cnic.o: in function `.L154':
+cnic.c:(.text+0x1094): undefined reference to `uio_event_notify'
+riscv64-linux-ld: cnic.c:(.text+0x10bc): undefined reference to `uio_event_notify'
+riscv64-linux-ld: drivers/net/ethernet/broadcom/cnic.o: in function `.L1442':
+cnic.c:(.text+0x96a8): undefined reference to `__uio_register_device'
+riscv64-linux-ld: drivers/net/ethernet/broadcom/cnic.o: in function `.L0 ':
+cnic.c:(.text.unlikely+0x68): undefined reference to `uio_unregister_device'
+
+Link: https://lore.kernel.org/r/20210213192428.22537-1-rdunlap@infradead.org
+Fixes: 853e2bd2103a ("[SCSI] bnx2fc: Broadcom FCoE offload driver")
+Cc: Saurav Kashyap <skashyap@marvell.com>
+Cc: Javed Hasan <jhasan@marvell.com>
+Cc: GR-QLogic-Storage-Upstream@marvell.com
+Cc: "James E.J. Bottomley" <jejb@linux.ibm.com>
+Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
+Cc: linux-scsi@vger.kernel.org
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/bnx2fc/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/bnx2fc/Kconfig b/drivers/scsi/bnx2fc/Kconfig
+index d401a096dfc7e..2eb2476852b11 100644
+--- a/drivers/scsi/bnx2fc/Kconfig
++++ b/drivers/scsi/bnx2fc/Kconfig
+@@ -4,6 +4,7 @@ config SCSI_BNX2X_FCOE
+ depends on (IPV6 || IPV6=n)
+ depends on LIBFC
+ depends on LIBFCOE
++ depends on MMU
+ select NETDEVICES
+ select ETHERNET
+ select NET_VENDOR_BROADCOM
+--
+2.27.0
+
scripts-recordmcount.pl-support-big-endian-for-arch-.patch
kdb-make-memory-allocations-more-robust.patch
mips-vmlinux.lds.s-add-missing-page_aligned_data-section.patch
+bluetooth-fix-initializing-response-id-after-clearin.patch
+arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch
+arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-26341
+bluetooth-drop-hci-device-reference-before-return.patch
+bluetooth-put-hci-device-if-inquiry-procedure-interr.patch
+usb-dwc2-abort-transaction-after-errors-with-unknown.patch
+usb-dwc2-make-trimming-xfer-length-a-debug-message.patch
+arm-s3c-fix-fiq-for-clang-ias.patch
+bnxt_en-reverse-order-of-tx-disable-and-carrier-off.patch
+xen-netback-fix-spurious-event-detection-for-common-.patch
+b43-n-phy-fix-the-update-of-coef-for-the-phy-revisio.patch
+fbdev-aty-sparc64-requires-fb_aty_ct.patch
+drm-gma500-fix-error-return-code-in-psb_driver_load.patch
+gma500-clean-up-error-handling-in-init.patch
+mips-c-r4k-fix-section-mismatch-for-loongson2_sc_ini.patch
+mips-lantiq-explicitly-compare-ltq_ebu_pcc_istat-aga.patch
+media-media-pci-fix-memleak-in-empress_init.patch
+media-tm6000-fix-memleak-in-tm6000_start_stream.patch
+asoc-cs42l56-fix-up-error-handling-in-probe.patch
+media-lmedm04-fix-misuse-of-comma.patch
+media-cx25821-fix-a-bug-when-reallocating-some-dma-m.patch
+media-uvcvideo-accept-invalid-bformatindex-and-bfram.patch
+btrfs-clarify-error-returns-values-in-__load_free_sp.patch
+fs-jfs-fix-potential-integer-overflow-on-shift-of-a-.patch
+jffs2-fix-use-after-free-in-jffs2_sum_write_data.patch
+clk-meson-clk-pll-fix-initializing-the-old-rate-fall.patch
+hid-core-detect-and-skip-invalid-inputs-to-snto32.patch
+dmaengine-fsldma-fix-a-resource-leak-in-the-remove-f.patch
+dmaengine-fsldma-fix-a-resource-leak-in-an-error-han.patch
+clocksource-drivers-mxs_timer-add-missing-semicolon-.patch
+regulator-axp20x-fix-reference-cout-leak.patch
+isofs-release-buffer-head-before-return.patch
+ib-umad-return-eio-in-case-of-when-device-disassocia.patch
+powerpc-47x-disable-256k-page-size.patch
+mmc-usdhi6rol0-fix-a-resource-leak-in-the-error-hand.patch
+arm-9046-1-decompressor-do-not-clear-sctlr.ntlsmd-fo.patch
+amba-fix-resource-leak-for-drivers-without-.remove.patch
+tracepoint-do-not-fail-unregistering-a-probe-due-to-.patch
+mfd-wm831x-auxadc-prevent-use-after-free-in-wm831x_a.patch
+powerpc-pseries-dlpar-handle-ibm-configure-connector.patch
+perf-intel-pt-fix-missing-cyc-processing-in-psb.patch
+perf-test-fix-unaligned-access-in-sample-parsing-tes.patch
+input-elo-fix-an-error-code-in-elo_connect.patch
+sparc64-only-select-compat_binfmt_elf-if-binfmt_elf-.patch
+misc-eeprom_93xx46-fix-module-alias-to-enable-module.patch
+misc-eeprom_93xx46-add-module-alias-to-avoid-breakin.patch
+vmci-use-set_page_dirty_lock-when-unregistering-gues.patch
+pci-align-checking-of-syscall-user-config-accessors.patch
+take-mmap-lock-in-cacheflush-syscall.patch
+mm-memory.c-fix-potential-pte_unmap_unlock-pte-error.patch
+mm-hugetlb-fix-potential-double-free-in-hugetlb_regi.patch
+i2c-brcmstb-fix-brcmstd_send_i2c_cmd-condition.patch
+scsi-bnx2fc-fix-kconfig-warning-cnic-build-errors.patch
--- /dev/null
+From 683c6f6c04b0d3da121ffa859e99519860651c6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Nov 2020 16:40:11 -0800
+Subject: sparc64: only select COMPAT_BINFMT_ELF if BINFMT_ELF is set
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 80bddf5c93a99e11fc9faf7e4b575d01cecd45d3 ]
+
+Currently COMPAT on SPARC64 selects COMPAT_BINFMT_ELF unconditionally,
+even when BINFMT_ELF is not enabled. This causes a kconfig warning.
+
+Instead, just select COMPAT_BINFMT_ELF if BINFMT_ELF is enabled.
+This builds cleanly with no kconfig warnings.
+
+WARNING: unmet direct dependencies detected for COMPAT_BINFMT_ELF
+ Depends on [n]: COMPAT [=y] && BINFMT_ELF [=n]
+ Selected by [y]:
+ - COMPAT [=y] && SPARC64 [=y]
+
+Fixes: 26b4c912185a ("sparc,sparc64: unify Kconfig files")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: sparclinux@vger.kernel.org
+Cc: Sam Ravnborg <sam@ravnborg.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sparc/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig
+index 94f4ac21761bf..f42973685fd2c 100644
+--- a/arch/sparc/Kconfig
++++ b/arch/sparc/Kconfig
+@@ -539,7 +539,7 @@ config COMPAT
+ bool
+ depends on SPARC64
+ default y
+- select COMPAT_BINFMT_ELF
++ select COMPAT_BINFMT_ELF if BINFMT_ELF
+ select HAVE_UID16
+ select ARCH_WANT_OLD_COMPAT_IPC
+ select COMPAT_OLD_SIGACTION
+--
+2.27.0
+
--- /dev/null
+From 244758ba62fba26291ab05f76a696c10e5093eec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Feb 2021 14:59:35 +0800
+Subject: Take mmap lock in cacheflush syscall
+
+From: Jann Horn <jannh@google.com>
+
+[ Upstream commit c26958cb5a0d9053d1358258827638773f3d36ed ]
+
+We need to take the mmap lock around find_vma() and subsequent use of the
+VMA. Otherwise, we can race with concurrent operations like munmap(), which
+can lead to use-after-free accesses to freed VMAs.
+
+Fixes: 1000197d8013 ("nios2: System calls handling")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Ley Foon Tan <ley.foon.tan@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/nios2/kernel/sys_nios2.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/arch/nios2/kernel/sys_nios2.c b/arch/nios2/kernel/sys_nios2.c
+index cd390ec4f88bf..b1ca856999521 100644
+--- a/arch/nios2/kernel/sys_nios2.c
++++ b/arch/nios2/kernel/sys_nios2.c
+@@ -22,6 +22,7 @@ asmlinkage int sys_cacheflush(unsigned long addr, unsigned long len,
+ unsigned int op)
+ {
+ struct vm_area_struct *vma;
++ struct mm_struct *mm = current->mm;
+
+ if (len == 0)
+ return 0;
+@@ -34,16 +35,22 @@ asmlinkage int sys_cacheflush(unsigned long addr, unsigned long len,
+ if (addr + len < addr)
+ return -EFAULT;
+
++ if (mmap_read_lock_killable(mm))
++ return -EINTR;
++
+ /*
+ * Verify that the specified address region actually belongs
+ * to this process.
+ */
+- vma = find_vma(current->mm, addr);
+- if (vma == NULL || addr < vma->vm_start || addr + len > vma->vm_end)
++ vma = find_vma(mm, addr);
++ if (vma == NULL || addr < vma->vm_start || addr + len > vma->vm_end) {
++ mmap_read_unlock(mm);
+ return -EFAULT;
++ }
+
+ flush_cache_range(vma, addr, addr + len);
+
++ mmap_read_unlock(mm);
+ return 0;
+ }
+
+--
+2.27.0
+
--- /dev/null
+From 105d9713ef60729bdf366e1c62133eaf1fbba3e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Nov 2020 09:34:05 -0500
+Subject: tracepoint: Do not fail unregistering a probe due to memory failure
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+[ Upstream commit befe6d946551d65cddbd32b9cb0170b0249fd5ed ]
+
+The list of tracepoint callbacks is managed by an array that is protected
+by RCU. To update this array, a new array is allocated, the updates are
+copied over to the new array, and then the list of functions for the
+tracepoint is switched over to the new array. After a completion of an RCU
+grace period, the old array is freed.
+
+This process happens for both adding a callback as well as removing one.
+But on removing a callback, if the new array fails to be allocated, the
+callback is not removed, and may be used after it is freed by the clients
+of the tracepoint.
+
+There's really no reason to fail if the allocation for a new array fails
+when removing a function. Instead, the function can simply be replaced by a
+stub function that could be cleaned up on the next modification of the
+array. That is, instead of calling the function registered to the
+tracepoint, it would call a stub function in its place.
+
+Link: https://lore.kernel.org/r/20201115055256.65625-1-mmullins@mmlx.us
+Link: https://lore.kernel.org/r/20201116175107.02db396d@gandalf.local.home
+Link: https://lore.kernel.org/r/20201117211836.54acaef2@oasis.local.home
+Link: https://lkml.kernel.org/r/20201118093405.7a6d2290@gandalf.local.home
+
+[ Note, this version does use undefined compiler behavior (assuming that
+ a stub function with no parameters or return, can be called by a location
+ that thinks it has parameters but still no return value. Static calls
+ do the same thing, so this trick is not without precedent.
+
+ There's another solution that uses RCU tricks and is more complex, but
+ can be an alternative if this solution becomes an issue.
+
+ Link: https://lore.kernel.org/lkml/20210127170721.58bce7cc@gandalf.local.home/
+]
+
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Martin KaFai Lau <kafai@fb.com>
+Cc: Song Liu <songliubraving@fb.com>
+Cc: Yonghong Song <yhs@fb.com>
+Cc: Andrii Nakryiko <andriin@fb.com>
+Cc: John Fastabend <john.fastabend@gmail.com>
+Cc: KP Singh <kpsingh@chromium.org>
+Cc: netdev <netdev@vger.kernel.org>
+Cc: bpf <bpf@vger.kernel.org>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Florian Weimer <fw@deneb.enyo.de>
+Fixes: 97e1c18e8d17b ("tracing: Kernel Tracepoints")
+Reported-by: syzbot+83aa762ef23b6f0d1991@syzkaller.appspotmail.com
+Reported-by: syzbot+d29e58bb557324e55e5e@syzkaller.appspotmail.com
+Reported-by: Matt Mullins <mmullins@mmlx.us>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Tested-by: Matt Mullins <mmullins@mmlx.us>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/tracepoint.c | 80 ++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 64 insertions(+), 16 deletions(-)
+
+diff --git a/kernel/tracepoint.c b/kernel/tracepoint.c
+index eda85bbf1c2e4..a1f9be7030021 100644
+--- a/kernel/tracepoint.c
++++ b/kernel/tracepoint.c
+@@ -59,6 +59,12 @@ struct tp_probes {
+ struct tracepoint_func probes[0];
+ };
+
++/* Called in removal of a func but failed to allocate a new tp_funcs */
++static void tp_stub_func(void)
++{
++ return;
++}
++
+ static inline void *allocate_probes(int count)
+ {
+ struct tp_probes *p = kmalloc(count * sizeof(struct tracepoint_func)
+@@ -97,6 +103,7 @@ func_add(struct tracepoint_func **funcs, struct tracepoint_func *tp_func,
+ {
+ struct tracepoint_func *old, *new;
+ int nr_probes = 0;
++ int stub_funcs = 0;
+ int pos = -1;
+
+ if (WARN_ON(!tp_func->func))
+@@ -113,14 +120,34 @@ func_add(struct tracepoint_func **funcs, struct tracepoint_func *tp_func,
+ if (old[nr_probes].func == tp_func->func &&
+ old[nr_probes].data == tp_func->data)
+ return ERR_PTR(-EEXIST);
++ if (old[nr_probes].func == tp_stub_func)
++ stub_funcs++;
+ }
+ }
+- /* + 2 : one for new probe, one for NULL func */
+- new = allocate_probes(nr_probes + 2);
++ /* + 2 : one for new probe, one for NULL func - stub functions */
++ new = allocate_probes(nr_probes + 2 - stub_funcs);
+ if (new == NULL)
+ return ERR_PTR(-ENOMEM);
+ if (old) {
+- if (pos < 0) {
++ if (stub_funcs) {
++ /* Need to copy one at a time to remove stubs */
++ int probes = 0;
++
++ pos = -1;
++ for (nr_probes = 0; old[nr_probes].func; nr_probes++) {
++ if (old[nr_probes].func == tp_stub_func)
++ continue;
++ if (pos < 0 && old[nr_probes].prio < prio)
++ pos = probes++;
++ new[probes++] = old[nr_probes];
++ }
++ nr_probes = probes;
++ if (pos < 0)
++ pos = probes;
++ else
++ nr_probes--; /* Account for insertion */
++
++ } else if (pos < 0) {
+ pos = nr_probes;
+ memcpy(new, old, nr_probes * sizeof(struct tracepoint_func));
+ } else {
+@@ -154,8 +181,9 @@ static void *func_remove(struct tracepoint_func **funcs,
+ /* (N -> M), (N > 1, M >= 0) probes */
+ if (tp_func->func) {
+ for (nr_probes = 0; old[nr_probes].func; nr_probes++) {
+- if (old[nr_probes].func == tp_func->func &&
+- old[nr_probes].data == tp_func->data)
++ if ((old[nr_probes].func == tp_func->func &&
++ old[nr_probes].data == tp_func->data) ||
++ old[nr_probes].func == tp_stub_func)
+ nr_del++;
+ }
+ }
+@@ -174,14 +202,32 @@ static void *func_remove(struct tracepoint_func **funcs,
+ /* N -> M, (N > 1, M > 0) */
+ /* + 1 for NULL */
+ new = allocate_probes(nr_probes - nr_del + 1);
+- if (new == NULL)
+- return ERR_PTR(-ENOMEM);
+- for (i = 0; old[i].func; i++)
+- if (old[i].func != tp_func->func
+- || old[i].data != tp_func->data)
+- new[j++] = old[i];
+- new[nr_probes - nr_del].func = NULL;
+- *funcs = new;
++ if (new) {
++ for (i = 0; old[i].func; i++)
++ if ((old[i].func != tp_func->func
++ || old[i].data != tp_func->data)
++ && old[i].func != tp_stub_func)
++ new[j++] = old[i];
++ new[nr_probes - nr_del].func = NULL;
++ *funcs = new;
++ } else {
++ /*
++ * Failed to allocate, replace the old function
++ * with calls to tp_stub_func.
++ */
++ for (i = 0; old[i].func; i++)
++ if (old[i].func == tp_func->func &&
++ old[i].data == tp_func->data) {
++ old[i].func = tp_stub_func;
++ /* Set the prio to the next event. */
++ if (old[i + 1].func)
++ old[i].prio =
++ old[i + 1].prio;
++ else
++ old[i].prio = -1;
++ }
++ *funcs = old;
++ }
+ }
+ debug_print_probes(*funcs);
+ return old;
+@@ -234,10 +280,12 @@ static int tracepoint_remove_func(struct tracepoint *tp,
+ tp_funcs = rcu_dereference_protected(tp->funcs,
+ lockdep_is_held(&tracepoints_mutex));
+ old = func_remove(&tp_funcs, func);
+- if (IS_ERR(old)) {
+- WARN_ON_ONCE(PTR_ERR(old) != -ENOMEM);
++ if (WARN_ON_ONCE(IS_ERR(old)))
+ return PTR_ERR(old);
+- }
++
++ if (tp_funcs == old)
++ /* Failed allocating new tp_funcs, replaced func with stub */
++ return 0;
+
+ if (!tp_funcs) {
+ /* Removed last function */
+--
+2.27.0
+
--- /dev/null
+From 1fcc073363f1d98b127a9e2b6c45ed1efe2b8f98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Jan 2021 12:20:50 +0100
+Subject: usb: dwc2: Abort transaction after errors with unknown reason
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit f74b68c61cbc4b2245022fcce038509333d63f6f ]
+
+In some situations, the following error messages are reported.
+
+dwc2 ff540000.usb: dwc2_hc_chhltd_intr_dma: Channel 1 - ChHltd set, but reason is unknown
+dwc2 ff540000.usb: hcint 0x00000002, intsts 0x04000021
+
+This is sometimes followed by:
+
+dwc2 ff540000.usb: dwc2_update_urb_state_abn(): trimming xfer length
+
+and then:
+
+WARNING: CPU: 0 PID: 0 at kernel/v4.19/drivers/usb/dwc2/hcd.c:2913
+ dwc2_assign_and_init_hc+0x98c/0x990
+
+The warning suggests that an odd buffer address is to be used for DMA.
+
+After an error is observed, the receive buffer may be full
+(urb->actual_length >= urb->length). However, the urb is still left in
+the queue unless three errors were observed in a row. When it is queued
+again, the dwc2 hcd code translates this into a 1-block transfer.
+If urb->actual_length (ie the total expected receive length) is not
+DMA-aligned, the buffer pointer programmed into the chip will be
+unaligned. This results in the observed warning.
+
+To solve the problem, abort input transactions after an error with
+unknown cause if the entire packet was already received. This may be
+a bit drastic, but we don't really know why the transfer was aborted
+even though the entire packet was received. Aborting the transfer in
+this situation is less risky than accepting a potentially corrupted
+packet.
+
+With this patch in place, the 'ChHltd set' and 'trimming xfer length'
+messages are still observed, but there are no more transfer attempts
+with odd buffer addresses.
+
+Fixes: 151d0cbdbe860 ("usb: dwc2: make the scheduler handle excessive NAKs better")
+Cc: Boris ARZUR <boris@konbu.org>
+Cc: Douglas Anderson <dianders@chromium.org>
+Tested-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Link: https://lore.kernel.org/r/20210113112052.17063-3-nsaenzjulienne@suse.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc2/hcd_intr.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/usb/dwc2/hcd_intr.c b/drivers/usb/dwc2/hcd_intr.c
+index 51866f3f20522..84487548918f9 100644
+--- a/drivers/usb/dwc2/hcd_intr.c
++++ b/drivers/usb/dwc2/hcd_intr.c
+@@ -1915,6 +1915,18 @@ error:
+ qtd->error_count++;
+ dwc2_update_urb_state_abn(hsotg, chan, chnum, qtd->urb,
+ qtd, DWC2_HC_XFER_XACT_ERR);
++ /*
++ * We can get here after a completed transaction
++ * (urb->actual_length >= urb->length) which was not reported
++ * as completed. If that is the case, and we do not abort
++ * the transfer, a transfer of size 0 will be enqueued
++ * subsequently. If urb->actual_length is not DMA-aligned,
++ * the buffer will then point to an unaligned address, and
++ * the resulting behavior is undefined. Bail out in that
++ * situation.
++ */
++ if (qtd->urb->actual_length >= qtd->urb->length)
++ qtd->error_count = 3;
+ dwc2_hcd_save_data_toggle(hsotg, chan, chnum, qtd);
+ dwc2_halt_channel(hsotg, chan, qtd, DWC2_HC_XFER_XACT_ERR);
+ }
+--
+2.27.0
+
--- /dev/null
+From a1c56dae76baf6e396c64bbfdb013ee434ed5822 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Jan 2021 12:20:51 +0100
+Subject: usb: dwc2: Make "trimming xfer length" a debug message
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 1a9e38cabd80356ffb98c2c88fec528ea9644fd5 ]
+
+With some USB network adapters, such as DM96xx, the following message
+is seen for each maximum size receive packet.
+
+dwc2 ff540000.usb: dwc2_update_urb_state(): trimming xfer length
+
+This happens because the packet size requested by the driver is 1522
+bytes, wMaxPacketSize is 64, the dwc2 driver configures the chip to
+receive 24*64 = 1536 bytes, and the chip does indeed send more than
+1522 bytes of data. Since the event does not indicate an error condition,
+the message is just noise. Demote it to debug level.
+
+Fixes: 7359d482eb4d3 ("staging: HCD files for the DWC2 driver")
+Tested-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Link: https://lore.kernel.org/r/20210113112052.17063-4-nsaenzjulienne@suse.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc2/hcd_intr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/dwc2/hcd_intr.c b/drivers/usb/dwc2/hcd_intr.c
+index 84487548918f9..9c030e0033fe9 100644
+--- a/drivers/usb/dwc2/hcd_intr.c
++++ b/drivers/usb/dwc2/hcd_intr.c
+@@ -461,7 +461,7 @@ static int dwc2_update_urb_state(struct dwc2_hsotg *hsotg,
+ &short_read);
+
+ if (urb->actual_length + xfer_length > urb->length) {
+- dev_warn(hsotg->dev, "%s(): trimming xfer length\n", __func__);
++ dev_dbg(hsotg->dev, "%s(): trimming xfer length\n", __func__);
+ xfer_length = urb->length - urb->actual_length;
+ }
+
+--
+2.27.0
+
--- /dev/null
+From 7aa05a3e8248725ef1ffffedf09c45b05f3871aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Jan 2021 08:32:40 -0800
+Subject: VMCI: Use set_page_dirty_lock() when unregistering guest memory
+
+From: Jorgen Hansen <jhansen@vmware.com>
+
+[ Upstream commit 5a16c535409f8dcb7568e20737309e3027ae3e49 ]
+
+When the VMCI host support releases guest memory in the case where
+the VM was killed, the pinned guest pages aren't locked. Use
+set_page_dirty_lock() instead of set_page_dirty().
+
+Testing done: Killed VM while having an active VMCI based vSocket
+connection and observed warning from ext4. With this fix, no
+warning was observed. Ran various vSocket tests without issues.
+
+Fixes: 06164d2b72aa ("VMCI: queue pairs implementation.")
+Reviewed-by: Vishnu Dasa <vdasa@vmware.com>
+Signed-off-by: Jorgen Hansen <jhansen@vmware.com>
+Link: https://lore.kernel.org/r/1611160360-30299-1-git-send-email-jhansen@vmware.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/vmw_vmci/vmci_queue_pair.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/misc/vmw_vmci/vmci_queue_pair.c b/drivers/misc/vmw_vmci/vmci_queue_pair.c
+index e57340e980c4b..44e29d835e246 100644
+--- a/drivers/misc/vmw_vmci/vmci_queue_pair.c
++++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c
+@@ -732,7 +732,7 @@ static void qp_release_pages(struct page **pages,
+
+ for (i = 0; i < num_pages; i++) {
+ if (dirty)
+- set_page_dirty(pages[i]);
++ set_page_dirty_lock(pages[i]);
+
+ page_cache_release(pages[i]);
+ pages[i] = NULL;
+--
+2.27.0
+
--- /dev/null
+From 7ed826ef9a9b363a1acb1d138d7dbf30a4dddf64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Feb 2021 11:16:12 +0100
+Subject: xen/netback: fix spurious event detection for common event case
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit a3daf3d39132b405781be8d9ede0c449b244b64e ]
+
+In case of a common event for rx and tx queue the event should be
+regarded to be spurious if no rx and no tx requests are pending.
+
+Unfortunately the condition for testing that is wrong causing to
+decide a event being spurious if no rx OR no tx requests are
+pending.
+
+Fix that plus using local variables for rx/tx pending indicators in
+order to split function calls and if condition.
+
+Fixes: 23025393dbeb3b ("xen/netback: use lateeoi irq binding")
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Paul Durrant <paul@xen.org>
+Reviewed-by: Wei Liu <wl@xen.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/xen-netback/interface.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c
+index f9f4391ecee37..93f7659e75954 100644
+--- a/drivers/net/xen-netback/interface.c
++++ b/drivers/net/xen-netback/interface.c
+@@ -161,13 +161,15 @@ irqreturn_t xenvif_interrupt(int irq, void *dev_id)
+ {
+ struct xenvif_queue *queue = dev_id;
+ int old;
++ bool has_rx, has_tx;
+
+ old = xenvif_atomic_fetch_or(NETBK_COMMON_EOI, &queue->eoi_pending);
+ WARN(old, "Interrupt while EOI pending\n");
+
+- /* Use bitwise or as we need to call both functions. */
+- if ((!xenvif_handle_tx_interrupt(queue) |
+- !xenvif_handle_rx_interrupt(queue))) {
++ has_tx = xenvif_handle_tx_interrupt(queue);
++ has_rx = xenvif_handle_rx_interrupt(queue);
++
++ if (!has_rx && !has_tx) {
+ atomic_andnot(NETBK_COMMON_EOI, &queue->eoi_pending);
+ xen_irq_lateeoi(irq, XEN_EOI_FLAG_SPURIOUS);
+ }
+--
+2.27.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
