--- /dev/null
+From 80087dfe46b80130abfb8d987bb24bf9dde52644 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Oct 2021 00:05:29 -0300
+Subject: ACPI: battery: Accept charges over the design capacity as full
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: André Almeida <andrealmeid@collabora.com>
+
+[ Upstream commit 2835f327bd1240508db2c89fe94a056faa53c49a ]
+
+Some buggy firmware and/or brand new batteries can support a charge that's
+slightly over the reported design capacity. In such cases, the kernel will
+report to userspace that the charging state of the battery is "Unknown",
+when in reality the battery charge is "Full", at least from the design
+capacity point of view. Make the fallback condition accept capacities
+over the designed capacity so userspace knows that it is full.
+
+Signed-off-by: André Almeida <andrealmeid@collabora.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/battery.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c
+index 93ecae55fe6a0..69c6f02f16b5b 100644
+--- a/drivers/acpi/battery.c
++++ b/drivers/acpi/battery.c
+@@ -187,7 +187,7 @@ static int acpi_battery_is_charged(struct acpi_battery *battery)
+ return 1;
+
+ /* fallback to using design values for broken batteries */
+- if (battery->design_capacity == battery->capacity_now)
++ if (battery->design_capacity <= battery->capacity_now)
+ return 1;
+
+ /* we don't do any sort of metric based on percentages */
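Review bot: With `<=`, a `design_capacity` of zero makes any non-zero `capacity_now` count as full in this fallback, where the old equality test would not have matched. Whether firmware can report a zero design capacity on this path is not visible in the hunk, so it is worth confirming. If it can, guard the comparison, for example `if (battery->design_capacity && battery->design_capacity <= battery->capacity_now)`. The body of acpi_battery_is_charged() starts before and continues after the hunk.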
+--
+2.33.0
+
--- /dev/null
+From 6c6780fa35f8ce0ef8febe197504041bb245789e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Oct 2021 16:31:35 +0100
+Subject: ACPI: PMIC: Fix intel_pmic_regs_handler() read accesses
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 009a789443fe4c8e6b1ecb7c16b4865c026184cd ]
+
+The handling of PMIC register reads through writing 0 to address 4
+of the OpRegion is wrong. Instead of returning the read value
+through the value64, which is a no-op for function == ACPI_WRITE calls,
+store the value and then on a subsequent function == ACPI_READ with
+address == 3 (the address for the value field of the OpRegion)
+return the stored value.
+
+This has been tested on a Xiaomi Mi Pad 2 and makes the ACPI battery dev
+there mostly functional (unfortunately there are still other issues).
+
+Here are the SET() / GET() functions of the PMIC ACPI device,
+which use this OpRegion, which clearly show the new behavior to
+be correct:
+
+OperationRegion (REGS, 0x8F, Zero, 0x50)
+Field (REGS, ByteAcc, NoLock, Preserve)
+{
+ CLNT, 8,
+ SA, 8,
+ OFF, 8,
+ VAL, 8,
+ RWM, 8
+}
+
+Method (GET, 3, Serialized)
+{
+ If ((AVBE == One))
+ {
+ CLNT = Arg0
+ SA = Arg1
+ OFF = Arg2
+ RWM = Zero
+ If ((AVBG == One))
+ {
+ GPRW = Zero
+ }
+ }
+
+ Return (VAL) /* \_SB_.PCI0.I2C7.PMI5.VAL_ */
+}
+
+Method (SET, 4, Serialized)
+{
+ If ((AVBE == One))
+ {
+ CLNT = Arg0
+ SA = Arg1
+ OFF = Arg2
+ VAL = Arg3
+ RWM = One
+ If ((AVBG == One))
+ {
+ GPRW = One
+ }
+ }
+}
+
+Fixes: 0afa877a5650 ("ACPI / PMIC: intel: add REGS operation region support")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/pmic/intel_pmic.c | 51 +++++++++++++++++++---------------
+ 1 file changed, 28 insertions(+), 23 deletions(-)
+
+diff --git a/drivers/acpi/pmic/intel_pmic.c b/drivers/acpi/pmic/intel_pmic.c
+index ca18e0d23df97..db63d3463617a 100644
+--- a/drivers/acpi/pmic/intel_pmic.c
++++ b/drivers/acpi/pmic/intel_pmic.c
+@@ -216,31 +216,36 @@ static acpi_status intel_pmic_regs_handler(u32 function,
+ void *handler_context, void *region_context)
+ {
+ struct intel_pmic_opregion *opregion = region_context;
+- int result = 0;
++ int result = -EINVAL;
++
++ if (function == ACPI_WRITE) {
++ switch (address) {
++ case 0:
++ return AE_OK;
++ case 1:
++ opregion->ctx.addr |= (*value64 & 0xff) << 8;
++ return AE_OK;
++ case 2:
++ opregion->ctx.addr |= *value64 & 0xff;
++ return AE_OK;
++ case 3:
++ opregion->ctx.val = *value64 & 0xff;
++ return AE_OK;
++ case 4:
++ if (*value64) {
++ result = regmap_write(opregion->regmap, opregion->ctx.addr,
++ opregion->ctx.val);
++ } else {
++ result = regmap_read(opregion->regmap, opregion->ctx.addr,
++ &opregion->ctx.val);
++ }
++ opregion->ctx.addr = 0;
++ }
++ }
+
+- switch (address) {
+- case 0:
+- return AE_OK;
+- case 1:
+- opregion->ctx.addr |= (*value64 & 0xff) << 8;
++ if (function == ACPI_READ && address == 3) {
++ *value64 = opregion->ctx.val;
+ return AE_OK;
+- case 2:
+- opregion->ctx.addr |= *value64 & 0xff;
+- return AE_OK;
+- case 3:
+- opregion->ctx.val = *value64 & 0xff;
+- return AE_OK;
+- case 4:
+- if (*value64) {
+- result = regmap_write(opregion->regmap, opregion->ctx.addr,
+- opregion->ctx.val);
+- } else {
+- result = regmap_read(opregion->regmap, opregion->ctx.addr,
+- &opregion->ctx.val);
+- if (result == 0)
+- *value64 = opregion->ctx.val;
+- }
+- memset(&opregion->ctx, 0x00, sizeof(opregion->ctx));
+ }
+
+ if (result < 0) {
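Review bot: `opregion->ctx.addr` and `opregion->ctx.val` now carry state across separate handler invocations (writes to addresses 1 to 3, the trigger at 4, then the read at 3), and nothing in the hunk serialises that sequence. If two AML callers can interleave, an address latched by one could be paired with the value of the other; any locking done by the ACPI core is outside this hunk, so confirm it or hold a driver-level mutex around the updates. The bare case numbers would also read better with a comment tying them to the OpRegion fields quoted in the commit message, e.g. `/* 0: CLNT, 1: SA, 2: OFF, 3: VAL, 4: RWM (0 = read, non-zero = write) */`. The function body starts before and continues after the hunk.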
+--
+2.33.0
+
--- /dev/null
+From 8dfb8f9fc7390bd73669f689d70af7c1cbe8cdef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Sep 2021 18:31:25 +0200
+Subject: ACPICA: Avoid evaluating methods too early during system resume
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit d3c4b6f64ad356c0d9ddbcf73fa471e6a841cc5c ]
+
+ACPICA commit 0762982923f95eb652cf7ded27356b247c9774de
+
+During wakeup from system-wide sleep states, acpi_get_sleep_type_data()
+is called and it tries to get memory from the slab allocator in order
+to evaluate a control method, but if KFENCE is enabled in the kernel,
+the memory allocation attempt causes an IRQ work to be queued and a
+self-IPI to be sent to the CPU running the code which requires the
+memory controller to be ready, so if that happens too early in the
+wakeup path, it doesn't work.
+
+Prevent that from taking place by calling acpi_get_sleep_type_data()
+for S0 upfront, when preparing to enter a given sleep state, and
+saving the data obtained by it for later use during system wakeup.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=214271
+Reported-by: Reik Keutterling <spielkind@gmail.com>
+Tested-by: Reik Keutterling <spielkind@gmail.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpica/acglobal.h | 2 ++
+ drivers/acpi/acpica/hwesleep.c | 8 ++------
+ drivers/acpi/acpica/hwsleep.c | 11 ++++-------
+ drivers/acpi/acpica/hwxfsleep.c | 7 +++++++
+ 4 files changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/acpi/acpica/acglobal.h b/drivers/acpi/acpica/acglobal.h
+index 750fa824d42c4..a04bb91d56ca6 100644
+--- a/drivers/acpi/acpica/acglobal.h
++++ b/drivers/acpi/acpica/acglobal.h
+@@ -259,6 +259,8 @@ extern struct acpi_bit_register_info
+
+ ACPI_GLOBAL(u8, acpi_gbl_sleep_type_a);
+ ACPI_GLOBAL(u8, acpi_gbl_sleep_type_b);
++ACPI_GLOBAL(u8, acpi_gbl_sleep_type_a_s0);
++ACPI_GLOBAL(u8, acpi_gbl_sleep_type_b_s0);
+
+ /*****************************************************************************
+ *
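Review bot: `acpi_gbl_sleep_type_a_s0` is declared without an initial value, yet the wake-prep hunks in hwesleep.c and hwsleep.c treat anything other than `ACPI_SLEEP_TYPE_INVALID` as usable data. If either wake-prep function can run before acpi_enter_sleep_state_prep() has filled the globals, a default-initialised value would pass that test; whether such a path exists is not visible here. Declaring the sentinel with an explicit invalid default, e.g. `ACPI_INIT_GLOBAL(u8, acpi_gbl_sleep_type_a_s0, ACPI_SLEEP_TYPE_INVALID);`, would make the check hold from boot.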
+diff --git a/drivers/acpi/acpica/hwesleep.c b/drivers/acpi/acpica/hwesleep.c
+index 3f2fb4b31fdc0..7e2f9b0e66eea 100644
+--- a/drivers/acpi/acpica/hwesleep.c
++++ b/drivers/acpi/acpica/hwesleep.c
+@@ -184,17 +184,13 @@ acpi_status acpi_hw_extended_sleep(u8 sleep_state)
+
+ acpi_status acpi_hw_extended_wake_prep(u8 sleep_state)
+ {
+- acpi_status status;
+ u8 sleep_type_value;
+
+ ACPI_FUNCTION_TRACE(hw_extended_wake_prep);
+
+- status = acpi_get_sleep_type_data(ACPI_STATE_S0,
+- &acpi_gbl_sleep_type_a,
+- &acpi_gbl_sleep_type_b);
+- if (ACPI_SUCCESS(status)) {
++ if (acpi_gbl_sleep_type_a_s0 != ACPI_SLEEP_TYPE_INVALID) {
+ sleep_type_value =
+- ((acpi_gbl_sleep_type_a << ACPI_X_SLEEP_TYPE_POSITION) &
++ ((acpi_gbl_sleep_type_a_s0 << ACPI_X_SLEEP_TYPE_POSITION) &
+ ACPI_X_SLEEP_TYPE_MASK);
+
+ (void)acpi_write((u64)(sleep_type_value | ACPI_X_SLEEP_ENABLE),
+diff --git a/drivers/acpi/acpica/hwsleep.c b/drivers/acpi/acpica/hwsleep.c
+index d00c9810845b2..ddf198de87295 100644
+--- a/drivers/acpi/acpica/hwsleep.c
++++ b/drivers/acpi/acpica/hwsleep.c
+@@ -217,7 +217,7 @@ acpi_status acpi_hw_legacy_sleep(u8 sleep_state)
+
+ acpi_status acpi_hw_legacy_wake_prep(u8 sleep_state)
+ {
+- acpi_status status;
++ acpi_status status = AE_OK;
+ struct acpi_bit_register_info *sleep_type_reg_info;
+ struct acpi_bit_register_info *sleep_enable_reg_info;
+ u32 pm1a_control;
+@@ -230,10 +230,7 @@ acpi_status acpi_hw_legacy_wake_prep(u8 sleep_state)
+ * This is unclear from the ACPI Spec, but it is required
+ * by some machines.
+ */
+- status = acpi_get_sleep_type_data(ACPI_STATE_S0,
+- &acpi_gbl_sleep_type_a,
+- &acpi_gbl_sleep_type_b);
+- if (ACPI_SUCCESS(status)) {
++ if (acpi_gbl_sleep_type_a_s0 != ACPI_SLEEP_TYPE_INVALID) {
+ sleep_type_reg_info =
+ acpi_hw_get_bit_register_info(ACPI_BITREG_SLEEP_TYPE);
+ sleep_enable_reg_info =
+@@ -254,9 +251,9 @@ acpi_status acpi_hw_legacy_wake_prep(u8 sleep_state)
+
+ /* Insert the SLP_TYP bits */
+
+- pm1a_control |= (acpi_gbl_sleep_type_a <<
++ pm1a_control |= (acpi_gbl_sleep_type_a_s0 <<
+ sleep_type_reg_info->bit_position);
+- pm1b_control |= (acpi_gbl_sleep_type_b <<
++ pm1b_control |= (acpi_gbl_sleep_type_b_s0 <<
+ sleep_type_reg_info->bit_position);
+
+ /* Write the control registers and ignore any errors */
+diff --git a/drivers/acpi/acpica/hwxfsleep.c b/drivers/acpi/acpica/hwxfsleep.c
+index f76e0eab32b8e..53f9f4c359579 100644
+--- a/drivers/acpi/acpica/hwxfsleep.c
++++ b/drivers/acpi/acpica/hwxfsleep.c
+@@ -315,6 +315,13 @@ acpi_status acpi_enter_sleep_state_prep(u8 sleep_state)
+ return_ACPI_STATUS(status);
+ }
+
++ status = acpi_get_sleep_type_data(ACPI_STATE_S0,
++ &acpi_gbl_sleep_type_a_s0,
++ &acpi_gbl_sleep_type_b_s0);
++ if (ACPI_FAILURE(status)) {
++ acpi_gbl_sleep_type_a_s0 = ACPI_SLEEP_TYPE_INVALID;
++ }
++
+ /* Execute the _PTS method (Prepare To Sleep) */
+
+ arg_list.count = 1;
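Review bot: On failure only `acpi_gbl_sleep_type_a_s0` is invalidated and the status is dropped without a comment, so a reader cannot tell that the A value doubles as the validity flag for both globals. The hwsleep.c hunk still shifts `acpi_gbl_sleep_type_b_s0` into `pm1b_control` under a check of the A value alone, which is correct only while that convention holds. A short comment here, e.g. `/* Not fatal: wake prep skips the S0 SLP_TYP write when type A is invalid */`, or resetting both values, would make it explicit. The function body starts before and continues after the hunk.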
+--
+2.33.0
+
--- /dev/null
+From 76a7e3bf4da74db0008fa148e17e490d2d1eaf72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Oct 2021 15:30:06 +0100
+Subject: ARM: 9136/1: ARMv7-M uses BE-8, not BE-32
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 345dac33f58894a56d17b92a41be10e16585ceff ]
+
+When configuring the kernel for big-endian, we set either BE-8 or BE-32
+based on the CPU architecture level. Until linux-4.4, we did not have
+any ARMv7-M platform allowing big-endian builds, but now i.MX/Vybrid
+is in that category, and we get a build error because of this:
+
+arch/arm/kernel/module-plts.c: In function 'get_module_plt':
+arch/arm/kernel/module-plts.c:60:46: error: implicit declaration of function '__opcode_to_mem_thumb32' [-Werror=implicit-function-declaration]
+
+This comes down to picking the wrong default, ARMv7-M uses BE8
+like ARMv7-A does. Changing the default gets the kernel to compile
+and presumably works.
+
+https://lore.kernel.org/all/1455804123-2526139-2-git-send-email-arnd@arndb.de/
+
+Tested-by: Vladimir Murzin <vladimir.murzin@arm.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mm/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig
+index 7f3760fa9c154..93623627a0b68 100644
+--- a/arch/arm/mm/Kconfig
++++ b/arch/arm/mm/Kconfig
+@@ -731,7 +731,7 @@ config CPU_BIG_ENDIAN
+ config CPU_ENDIAN_BE8
+ bool
+ depends on CPU_BIG_ENDIAN
+- default CPU_V6 || CPU_V6K || CPU_V7
++ default CPU_V6 || CPU_V6K || CPU_V7 || CPU_V7M
+ help
+ Support for the BE-8 (big-endian) mode on ARMv6 and ARMv7 processors.
+
+--
+2.33.0
+
--- /dev/null
+From 91032665539c7349470e389cc89dcf399f42acc3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Oct 2021 09:55:17 +0900
+Subject: ARM: clang: Do not rely on lr register for stacktrace
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit b3ea5d56f212ad81328c82454829a736197ebccc ]
+
+Currently the stacktrace on clang compiled arm kernel uses the 'lr'
+register to find the first frame address from pt_regs. However, that
+is wrong after calling another function, because the 'lr' register
+is used by 'bl' instruction and never be recovered.
+
+As same as gcc arm kernel, directly use the frame pointer (r11) of
+the pt_regs to find the first frame address.
+
+Note that this fixes kretprobe stacktrace issue only with
+CONFIG_UNWINDER_FRAME_POINTER=y. For the CONFIG_UNWINDER_ARM,
+we need another fix.
+
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/kernel/stacktrace.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/arch/arm/kernel/stacktrace.c b/arch/arm/kernel/stacktrace.c
+index 6e8a50de40e2b..c10c1de244eba 100644
+--- a/arch/arm/kernel/stacktrace.c
++++ b/arch/arm/kernel/stacktrace.c
+@@ -51,8 +51,7 @@ int notrace unwind_frame(struct stackframe *frame)
+
+ frame->sp = frame->fp;
+ frame->fp = *(unsigned long *)(fp);
+- frame->pc = frame->lr;
+- frame->lr = *(unsigned long *)(fp + 4);
++ frame->pc = *(unsigned long *)(fp + 4);
+ #else
+ /* check current frame pointer is within bounds */
+ if (fp < low + 12 || fp > high - 4)
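Review bot: The clang branch now loads the return address straight from `fp + 4`, but nothing documents the frame-record layout this relies on, or that `frame->lr` is no longer updated on this path. A comment such as `/* clang frame record: [fp] = caller's fp, [fp + 4] = return address */` would help, and any reader of `frame->lr` after unwind_frame() (none is visible in this hunk) should be checked for reliance on the old update. The bounds check guarding these dereferences sits above the hunk.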
+--
+2.33.0
+
--- /dev/null
+From 0ce7d360cd214b8878e6e520ac02f9103e7a0b37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Oct 2021 09:34:15 +0200
+Subject: arm: dts: omap3-gta04a4: accelerometer irq fix
+
+From: Andreas Kemnade <andreas@kemnade.info>
+
+[ Upstream commit 884ea75d79a36faf3731ad9d6b9c29f58697638d ]
+
+Fix typo in pinctrl. It did only work because the bootloader
+seems to have initialized it.
+
+Fixes: ee327111953b ("ARM: dts: omap3-gta04: Define and use bma180 irq pin")
+Signed-off-by: Andreas Kemnade <andreas@kemnade.info>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/omap3-gta04.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/omap3-gta04.dtsi b/arch/arm/boot/dts/omap3-gta04.dtsi
+index 7191506934494..338ee6bd0e0c0 100644
+--- a/arch/arm/boot/dts/omap3-gta04.dtsi
++++ b/arch/arm/boot/dts/omap3-gta04.dtsi
+@@ -352,7 +352,7 @@
+ compatible = "bosch,bma180";
+ reg = <0x41>;
+ pinctrl-names = "default";
+- pintcrl-0 = <&bma180_pins>;
++ pinctrl-0 = <&bma180_pins>;
+ interrupt-parent = <&gpio4>;
+ interrupts = <19 IRQ_TYPE_LEVEL_HIGH>; /* GPIO_115 */
+ };
+--
+2.33.0
+
--- /dev/null
+From 84c8f180d3420ab3ddc4c38d5ba95fbab350fadd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Sep 2021 20:35:57 +0800
+Subject: ARM: s3c: irq-s3c24xx: Fix return value check for s3c24xx_init_intc()
+
+From: Jackie Liu <liuyun01@kylinos.cn>
+
+[ Upstream commit 2aa717473ce96c93ae43a5dc8c23cedc8ce7dd9f ]
+
+The s3c24xx_init_intc() returns an error pointer upon failure, not NULL.
+let's add an error pointer check in s3c24xx_handle_irq.
+
+s3c_intc[0] is not NULL or ERR, we can simplify the code.
+
+Fixes: 1f629b7a3ced ("ARM: S3C24XX: transform irq handling into a declarative form")
+Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
+Link: https://lore.kernel.org/r/20210901123557.1043953-1-liu.yun@linux.dev
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-s3c24xx.c | 22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/irqchip/irq-s3c24xx.c b/drivers/irqchip/irq-s3c24xx.c
+index c25ce5af091ad..e92ab62cc87d9 100644
+--- a/drivers/irqchip/irq-s3c24xx.c
++++ b/drivers/irqchip/irq-s3c24xx.c
+@@ -368,11 +368,25 @@ static inline int s3c24xx_handle_intc(struct s3c_irq_intc *intc,
+ asmlinkage void __exception_irq_entry s3c24xx_handle_irq(struct pt_regs *regs)
+ {
+ do {
+- if (likely(s3c_intc[0]))
+- if (s3c24xx_handle_intc(s3c_intc[0], regs, 0))
+- continue;
++ /*
++ * For platform based machines, neither ERR nor NULL can happen here.
++ * The s3c24xx_handle_irq() will be set as IRQ handler iff this succeeds:
++ *
++ * s3c_intc[0] = s3c24xx_init_intc()
++ *
++ * If this fails, the next calls to s3c24xx_init_intc() won't be executed.
++ *
++ * For DT machine, s3c_init_intc_of() could set the IRQ handler without
++ * setting s3c_intc[0] only if it was called with num_ctrl=0. There is no
++ * such code path, so again the s3c_intc[0] will have a valid pointer if
++ * set_handle_irq() is called.
++ *
++ * Therefore in s3c24xx_handle_irq(), the s3c_intc[0] is always something.
++ */
++ if (s3c24xx_handle_intc(s3c_intc[0], regs, 0))
++ continue;
+
+- if (s3c_intc[2])
++ if (!IS_ERR_OR_NULL(s3c_intc[2]))
+ if (s3c24xx_handle_intc(s3c_intc[2], regs, 64))
+ continue;
+
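Review bot: `s3c_intc[0]` is now dereferenced unconditionally in the IRQ entry path, with the guarantee living only in the comment and in init code outside this hunk. Since the commit message says s3c24xx_init_intc() returns an error pointer on failure, it would be more robust to enforce the invariant where the slots are filled (store NULL rather than an error pointer, or refuse to install the handler) than to rely on prose in the hot path. That would also let the `s3c_intc[2]` test remain a plain NULL check. The closing sentence of the comment would be clearer as `s3c_intc[0] is always a valid pointer`.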
+--
+2.33.0
+
--- /dev/null
+From c7f44def9820700090467e527292542f1a96811a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Aug 2021 08:38:53 -0700
+Subject: ath: dfs_pattern_detector: Fix possible null-pointer dereference in
+ channel_detector_create()
+
+From: Tuo Li <islituo@gmail.com>
+
+[ Upstream commit 4b6012a7830b813799a7faf40daa02a837e0fd5b ]
+
+kzalloc() is used to allocate memory for cd->detectors, and if it fails,
+channel_detector_exit() behind the label fail will be called:
+ channel_detector_exit(dpd, cd);
+
+In channel_detector_exit(), cd->detectors is dereferenced through:
+ struct pri_detector *de = cd->detectors[i];
+
+To fix this possible null-pointer dereference, check cd->detectors before
+the for loop to dereference cd->detectors.
+
+Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
+Signed-off-by: Tuo Li <islituo@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210805153854.154066-1-islituo@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/dfs_pattern_detector.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/dfs_pattern_detector.c b/drivers/net/wireless/ath/dfs_pattern_detector.c
+index 78146607f16e8..acd85e5069346 100644
+--- a/drivers/net/wireless/ath/dfs_pattern_detector.c
++++ b/drivers/net/wireless/ath/dfs_pattern_detector.c
+@@ -182,10 +182,12 @@ static void channel_detector_exit(struct dfs_pattern_detector *dpd,
+ if (cd == NULL)
+ return;
+ list_del(&cd->head);
+- for (i = 0; i < dpd->num_radar_types; i++) {
+- struct pri_detector *de = cd->detectors[i];
+- if (de != NULL)
+- de->exit(de);
++ if (cd->detectors) {
++ for (i = 0; i < dpd->num_radar_types; i++) {
++ struct pri_detector *de = cd->detectors[i];
++ if (de != NULL)
++ de->exit(de);
++ }
+ }
+ kfree(cd->detectors);
+ kfree(cd);
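Review bot: The failure path that motivates the new `cd->detectors` check still reaches `list_del(&cd->head)` just above it, which is only safe if `cd->head` was initialised or linked before the detectors array was allocated. That ordering lives in channel_detector_create(), outside this hunk, so it should be confirmed. The per-entry `de != NULL` test likewise assumes a zeroed array, which the commit message's mention of kzalloc() supports. A one-line comment such as `/* detectors is NULL if its allocation failed in channel_detector_create() */` would record why the guard exists.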
+--
+2.33.0
+
--- /dev/null
+From 35e9459e97d404dc4caf480dc8baa4002958b1f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Jun 2019 19:21:31 +0200
+Subject: ath10k: fix max antenna gain unit
+
+From: Sven Eckelmann <seckelmann@datto.com>
+
+[ Upstream commit 0a491167fe0cf9f26062462de2a8688b96125d48 ]
+
+Most of the txpower for the ath10k firmware is stored as twicepower (0.5 dB
+steps). This isn't the case for max_antenna_gain - which is still expected
+by the firmware as dB.
+
+The firmware is converting it from dB to the internal (twicepower)
+representation when it calculates the limits of a channel. This can be seen
+in tpc_stats when configuring "12" as max_antenna_gain. Instead of the
+expected 12 (6 dB), the tpc_stats shows 24 (12 dB).
+
+Tested on QCA9888 and IPQ4019 with firmware 10.4-3.5.3-00057.
+
+Fixes: 02256930d9b8 ("ath10k: use proper tx power unit")
+Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20190611172131.6064-1-sven@narfation.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 6 +++---
+ drivers/net/wireless/ath/ath10k/wmi.h | 3 +++
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
+index 314cac2ce0879..41fb17cece622 100644
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -980,7 +980,7 @@ static int ath10k_monitor_vdev_start(struct ath10k *ar, int vdev_id)
+ arg.channel.min_power = 0;
+ arg.channel.max_power = channel->max_power * 2;
+ arg.channel.max_reg_power = channel->max_reg_power * 2;
+- arg.channel.max_antenna_gain = channel->max_antenna_gain * 2;
++ arg.channel.max_antenna_gain = channel->max_antenna_gain;
+
+ reinit_completion(&ar->vdev_setup_done);
+
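Review bot: The same four-field unit conversion is open-coded here and in the hunks in ath10k_vdev_start_restart() and ath10k_update_channel_list(), now with the power fields doubled and one field passed through unscaled, and nothing at these sites says why. A comment on the odd line, e.g. `/* firmware expects antenna gain in dB, not 0.5 dB steps */`, or a small helper that fills all four fields, would keep the three copies from drifting apart again. The enclosing functions start before and continue after their hunks.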
+@@ -1416,7 +1416,7 @@ static int ath10k_vdev_start_restart(struct ath10k_vif *arvif,
+ arg.channel.min_power = 0;
+ arg.channel.max_power = chandef->chan->max_power * 2;
+ arg.channel.max_reg_power = chandef->chan->max_reg_power * 2;
+- arg.channel.max_antenna_gain = chandef->chan->max_antenna_gain * 2;
++ arg.channel.max_antenna_gain = chandef->chan->max_antenna_gain;
+
+ if (arvif->vdev_type == WMI_VDEV_TYPE_AP) {
+ arg.ssid = arvif->u.ap.ssid;
+@@ -3019,7 +3019,7 @@ static int ath10k_update_channel_list(struct ath10k *ar)
+ ch->min_power = 0;
+ ch->max_power = channel->max_power * 2;
+ ch->max_reg_power = channel->max_reg_power * 2;
+- ch->max_antenna_gain = channel->max_antenna_gain * 2;
++ ch->max_antenna_gain = channel->max_antenna_gain;
+ ch->reg_class_id = 0; /* FIXME */
+
+ /* FIXME: why use only legacy modes, why not any
+diff --git a/drivers/net/wireless/ath/ath10k/wmi.h b/drivers/net/wireless/ath/ath10k/wmi.h
+index cce028ea9b57d..5f718210ce682 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi.h
++++ b/drivers/net/wireless/ath/ath10k/wmi.h
+@@ -1802,7 +1802,9 @@ struct wmi_channel {
+ union {
+ __le32 reginfo1;
+ struct {
++ /* note: power unit is 1 dBm */
+ u8 antenna_max;
++ /* note: power unit is 0.5 dBm */
+ u8 max_tx_power;
+ } __packed;
+ } __packed;
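Review bot: The added comment labels `antenna_max` as a power in dBm, while the commit message describes max_antenna_gain as expected by the firmware in dB. Gain is a ratio, so `/* note: antenna gain unit is 1 dB */` would match the description and avoid implying an absolute power level. The same wording applies to the comment added above `max_antenna_gain` in struct wmi_channel_arg in the next hunk.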
+@@ -1821,6 +1823,7 @@ struct wmi_channel_arg {
+ u32 min_power;
+ u32 max_power;
+ u32 max_reg_power;
++ /* note: power unit is 1 dBm */
+ u32 max_antenna_gain;
+ u32 reg_class_id;
+ enum wmi_phy_mode mode;
+--
+2.33.0
+
--- /dev/null
+From 68b94b22151073d209439bcc03e11f50b5d55b46 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Oct 2021 16:55:53 +0300
+Subject: ath9k: Fix potential interrupt storm on queue reset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Lüssing <ll@simonwunderlich.de>
+
+[ Upstream commit 4925642d541278575ad1948c5924d71ffd57ef14 ]
+
+In tests with two Lima boards from 8devices (QCA4531 based) on OpenWrt
+19.07 we could force a silent restart of a device with no serial
+output when we were sending a high amount of UDP traffic (iperf3 at 80
+MBit/s in both directions from external hosts, saturating the wifi and
+causing a load of about 4.5 to 6) and were then triggering an
+ath9k_queue_reset().
+
+Further debugging showed that the restart was caused by the ath79
+watchdog. With disabled watchdog we could observe that the device was
+constantly going into ath_isr() interrupt handler and was returning
+early after the ATH_OP_HW_RESET flag test, without clearing any
+interrupts. Even though ath9k_queue_reset() calls
+ath9k_hw_kill_interrupts().
+
+With JTAG we could observe the following race condition:
+
+1) ath9k_queue_reset()
+ ...
+ -> ath9k_hw_kill_interrupts()
+ -> set_bit(ATH_OP_HW_RESET, &common->op_flags);
+ ...
+ <- returns
+
+ 2) ath9k_tasklet()
+ ...
+ -> ath9k_hw_resume_interrupts()
+ ...
+ <- returns
+
+ 3) loops around:
+ ...
+ handle_int()
+ -> ath_isr()
+ ...
+ -> if (test_bit(ATH_OP_HW_RESET,
+ &common->op_flags))
+ return IRQ_HANDLED;
+
+ x) ath_reset_internal():
+ => never reached <=
+
+And in ath_isr() we would typically see the following interrupts /
+interrupt causes:
+
+* status: 0x00111030 or 0x00110030
+* async_cause: 2 (AR_INTR_MAC_IPQ)
+* sync_cause: 0
+
+So the ath9k_tasklet() reenables the ath9k interrupts
+through ath9k_hw_resume_interrupts() which ath9k_queue_reset() had just
+disabled. And ath_isr() then keeps firing because it returns IRQ_HANDLED
+without actually clearing the interrupt.
+
+To fix this IRQ storm also clear/disable the interrupts again when we
+are in reset state.
+
+Cc: Sven Eckelmann <sven@narfation.org>
+Cc: Simon Wunderlich <sw@simonwunderlich.de>
+Cc: Linus Lüssing <linus.luessing@c0d3.blue>
+Fixes: 872b5d814f99 ("ath9k: do not access hardware on IRQs during reset")
+Signed-off-by: Linus Lüssing <ll@simonwunderlich.de>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210914192515.9273-3-linus.luessing@c0d3.blue
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
+index 7776f4a8630e4..ca0877f0e6392 100644
+--- a/drivers/net/wireless/ath/ath9k/main.c
++++ b/drivers/net/wireless/ath/ath9k/main.c
+@@ -528,8 +528,10 @@ irqreturn_t ath_isr(int irq, void *dev)
+ ath9k_debug_sync_cause(sc, sync_cause);
+ status &= ah->imask; /* discard unasked-for bits */
+
+- if (test_bit(ATH_OP_HW_RESET, &common->op_flags))
++ if (test_bit(ATH_OP_HW_RESET, &common->op_flags)) {
++ ath9k_hw_kill_interrupts(sc->sc_ah);
+ return IRQ_HANDLED;
++ }
+
+ /*
+ * If there are no status bits set, then this interrupt was not
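Review bot: The new call passes `sc->sc_ah` although the function already uses a local `ah` two lines earlier (`ah->imask`); `ath9k_hw_kill_interrupts(ah);` would be consistent, assuming `ah` is initialised from `sc->sc_ah` above the hunk. The branch also needs a comment, since masking interrupts inside the ISR is surprising without the race described in the commit message, e.g. `/* the tasklet may have re-enabled interrupts after the reset was queued; mask them again */`. This handles the condition in the ISR only; the tasklet re-enabling interrupts while ATH_OP_HW_RESET is set is left unchanged.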
+--
+2.33.0
+
--- /dev/null
+From 9448dce227120c3c04e8db11c47e2b09a7dbde11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Oct 2021 16:45:02 +0200
+Subject: auxdisplay: img-ascii-lcd: Fix lock-up when displaying empty string
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+[ Upstream commit afcb5a811ff3ab3969f09666535eb6018a160358 ]
+
+While writing an empty string to a device attribute is a no-op, and thus
+does not need explicit safeguards, the user can still write a single
+newline to an attribute file:
+
+ echo > .../message
+
+If that happens, img_ascii_lcd_display() trims the newline, yielding an
+empty string, and causing an infinite loop in img_ascii_lcd_scroll().
+
+Fix this by adding a check for empty strings. Clear the display in case
+one is encountered.
+
+Fixes: 0cad855fbd083ee5 ("auxdisplay: img-ascii-lcd: driver for simple ASCII LCD displays")
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/auxdisplay/img-ascii-lcd.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/auxdisplay/img-ascii-lcd.c b/drivers/auxdisplay/img-ascii-lcd.c
+index 6e8eaa7fe7a6f..b5f849d2f7623 100644
+--- a/drivers/auxdisplay/img-ascii-lcd.c
++++ b/drivers/auxdisplay/img-ascii-lcd.c
+@@ -283,6 +283,16 @@ static int img_ascii_lcd_display(struct img_ascii_lcd_ctx *ctx,
+ if (msg[count - 1] == '\n')
+ count--;
+
++ if (!count) {
++ /* clear the LCD */
++ devm_kfree(&ctx->pdev->dev, ctx->message);
++ ctx->message = NULL;
++ ctx->message_len = 0;
++ memset(ctx->curr, ' ', ctx->cfg->num_chars);
++ ctx->cfg->update(ctx);
++ return 0;
++ }
++
+ new_msg = devm_kmalloc(&ctx->pdev->dev, count + 1, GFP_KERNEL);
+ if (!new_msg)
+ return -ENOMEM;
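Review bot: After this path `ctx->message` is NULL, so a second newline-only write reaches `devm_kfree(&ctx->pdev->dev, ctx->message)` with a NULL pointer. Depending on the kernel version, devm_kfree() may warn when the pointer has no devres entry, so on a stable backport it is safer to guard the call: `if (ctx->message) devm_kfree(&ctx->pdev->dev, ctx->message);`. The message is also freed while the scroll timer could still reference it; the timer is presumably stopped earlier in the function, above the hunk, which should be confirmed.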
+--
+2.33.0
+
--- /dev/null
+From c0e25421cf2404c4f6872904a3f4f14791973555 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Oct 2021 10:36:22 +0300
+Subject: b43: fix a lower bounds test
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 9b793db5fca44d01f72d3564a168171acf7c4076 ]
+
+The problem is that "channel" is an unsigned int, when it's less than 5 the
+value of "channel - 5" is not a negative number as one would expect but
+is very high positive value instead.
+
+This means that "start" becomes a very high positive value. The result
+of that is that we never enter the "for (i = start; i <= end; i++) {"
+loop. Instead of storing the result from b43legacy_radio_aci_detect()
+it just uses zero.
+
+Fixes: ef1a628d83fc ("b43: Implement dynamic PHY API")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Michael Büsch <m@bues.ch>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20211006073621.GE8404@kili
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/b43/phy_g.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/broadcom/b43/phy_g.c b/drivers/net/wireless/broadcom/b43/phy_g.c
+index 822dcaa8ace63..35ff139b1496e 100644
+--- a/drivers/net/wireless/broadcom/b43/phy_g.c
++++ b/drivers/net/wireless/broadcom/b43/phy_g.c
+@@ -2310,7 +2310,7 @@ static u8 b43_gphy_aci_scan(struct b43_wldev *dev)
+ b43_phy_mask(dev, B43_PHY_G_CRS, 0x7FFF);
+ b43_set_all_gains(dev, 3, 8, 1);
+
+- start = (channel - 5 > 0) ? channel - 5 : 1;
++ start = (channel > 5) ? channel - 5 : 1;
+ end = (channel + 5 < 14) ? channel + 5 : 13;
+
+ for (i = start; i <= end; i++) {
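Review bot: The corrected lower bound is easy to regress because nothing at this line says that `channel` is unsigned; its declaration is outside the hunk. A comment such as `/* channel is unsigned: compare before subtracting so the lower bound cannot wrap */` would record the reason, and the same applies to the identical line in the b43legacy_radio_aci_scan() hunk. The literals 5, 13 and 14 would also read better as named constants for the scan window and channel range.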
+--
+2.33.0
+
--- /dev/null
+From 84f21074405e835cc4d12281d049a7ab711bea0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Oct 2021 10:35:42 +0300
+Subject: b43legacy: fix a lower bounds test
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit c1c8380b0320ab757e60ed90efc8b1992a943256 ]
+
+The problem is that "channel" is an unsigned int, when it's less than 5 the
+value of "channel - 5" is not a negative number as one would expect but
+is very high positive value instead.
+
+This means that "start" becomes a very high positive value. The result
+of that is that we never enter the "for (i = start; i <= end; i++) {"
+loop. Instead of storing the result from b43legacy_radio_aci_detect()
+it just uses zero.
+
+Fixes: 75388acd0cd8 ("[B43LEGACY]: add mac80211-based driver for legacy BCM43xx devices")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Michael Büsch <m@bues.ch>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20211006073542.GD8404@kili
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/b43legacy/radio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/broadcom/b43legacy/radio.c b/drivers/net/wireless/broadcom/b43legacy/radio.c
+index 9501420340a91..5b1e8890305c1 100644
+--- a/drivers/net/wireless/broadcom/b43legacy/radio.c
++++ b/drivers/net/wireless/broadcom/b43legacy/radio.c
+@@ -299,7 +299,7 @@ u8 b43legacy_radio_aci_scan(struct b43legacy_wldev *dev)
+ & 0x7FFF);
+ b43legacy_set_all_gains(dev, 3, 8, 1);
+
+- start = (channel - 5 > 0) ? channel - 5 : 1;
++ start = (channel > 5) ? channel - 5 : 1;
+ end = (channel + 5 < 14) ? channel + 5 : 13;
+
+ for (i = start; i <= end; i++) {
+--
+2.33.0
+
--- /dev/null
+From c7bc5503433e6a2b1eed1fd4ad66903af0f4e160 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Aug 2021 17:35:37 -0700
+Subject: Bluetooth: fix use-after-free error in lock_sock_nested()
+
+From: Wang ShaoBo <bobo.shaobowang@huawei.com>
+
+[ Upstream commit 1bff51ea59a9afb67d2dd78518ab0582a54a472c ]
+
+use-after-free error in lock_sock_nested is reported:
+
+[ 179.140137][ T3731] =====================================================
+[ 179.142675][ T3731] BUG: KMSAN: use-after-free in lock_sock_nested+0x280/0x2c0
+[ 179.145494][ T3731] CPU: 4 PID: 3731 Comm: kworker/4:2 Not tainted 5.12.0-rc6+ #54
+[ 179.148432][ T3731] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
+[ 179.151806][ T3731] Workqueue: events l2cap_chan_timeout
+[ 179.152730][ T3731] Call Trace:
+[ 179.153301][ T3731] dump_stack+0x24c/0x2e0
+[ 179.154063][ T3731] kmsan_report+0xfb/0x1e0
+[ 179.154855][ T3731] __msan_warning+0x5c/0xa0
+[ 179.155579][ T3731] lock_sock_nested+0x280/0x2c0
+[ 179.156436][ T3731] ? kmsan_get_metadata+0x116/0x180
+[ 179.157257][ T3731] l2cap_sock_teardown_cb+0xb8/0x890
+[ 179.158154][ T3731] ? __msan_metadata_ptr_for_load_8+0x10/0x20
+[ 179.159141][ T3731] ? kmsan_get_metadata+0x116/0x180
+[ 179.159994][ T3731] ? kmsan_get_shadow_origin_ptr+0x84/0xb0
+[ 179.160959][ T3731] ? l2cap_sock_recv_cb+0x420/0x420
+[ 179.161834][ T3731] l2cap_chan_del+0x3e1/0x1d50
+[ 179.162608][ T3731] ? kmsan_get_metadata+0x116/0x180
+[ 179.163435][ T3731] ? kmsan_get_shadow_origin_ptr+0x84/0xb0
+[ 179.164406][ T3731] l2cap_chan_close+0xeea/0x1050
+[ 179.165189][ T3731] ? kmsan_internal_unpoison_shadow+0x42/0x70
+[ 179.166180][ T3731] l2cap_chan_timeout+0x1da/0x590
+[ 179.167066][ T3731] ? __msan_metadata_ptr_for_load_8+0x10/0x20
+[ 179.168023][ T3731] ? l2cap_chan_create+0x560/0x560
+[ 179.168818][ T3731] process_one_work+0x121d/0x1ff0
+[ 179.169598][ T3731] worker_thread+0x121b/0x2370
+[ 179.170346][ T3731] kthread+0x4ef/0x610
+[ 179.171010][ T3731] ? process_one_work+0x1ff0/0x1ff0
+[ 179.171828][ T3731] ? kthread_blkcg+0x110/0x110
+[ 179.172587][ T3731] ret_from_fork+0x1f/0x30
+[ 179.173348][ T3731]
+[ 179.173752][ T3731] Uninit was created at:
+[ 179.174409][ T3731] kmsan_internal_poison_shadow+0x5c/0xf0
+[ 179.175373][ T3731] kmsan_slab_free+0x76/0xc0
+[ 179.176060][ T3731] kfree+0x3a5/0x1180
+[ 179.176664][ T3731] __sk_destruct+0x8af/0xb80
+[ 179.177375][ T3731] __sk_free+0x812/0x8c0
+[ 179.178032][ T3731] sk_free+0x97/0x130
+[ 179.178686][ T3731] l2cap_sock_release+0x3d5/0x4d0
+[ 179.179457][ T3731] sock_close+0x150/0x450
+[ 179.180117][ T3731] __fput+0x6bd/0xf00
+[ 179.180787][ T3731] ____fput+0x37/0x40
+[ 179.181481][ T3731] task_work_run+0x140/0x280
+[ 179.182219][ T3731] do_exit+0xe51/0x3e60
+[ 179.182930][ T3731] do_group_exit+0x20e/0x450
+[ 179.183656][ T3731] get_signal+0x2dfb/0x38f0
+[ 179.184344][ T3731] arch_do_signal_or_restart+0xaa/0xe10
+[ 179.185266][ T3731] exit_to_user_mode_prepare+0x2d2/0x560
+[ 179.186136][ T3731] syscall_exit_to_user_mode+0x35/0x60
+[ 179.186984][ T3731] do_syscall_64+0xc5/0x140
+[ 179.187681][ T3731] entry_SYSCALL_64_after_hwframe+0x44/0xae
+[ 179.188604][ T3731] =====================================================
+
+In our case, there are two Thread A and B:
+
+Context: Thread A: Context: Thread B:
+
+l2cap_chan_timeout() __se_sys_shutdown()
+ l2cap_chan_close() l2cap_sock_shutdown()
+ l2cap_chan_del() l2cap_chan_close()
+ l2cap_sock_teardown_cb() l2cap_sock_teardown_cb()
+
+Once l2cap_sock_teardown_cb() has executed, this sock will be marked as
+SOCK_ZAPPED, and can be treated as killable in l2cap_sock_kill() if
+sock_orphan() has executed. At this time we close the sock through
+sock_close(), which ends up calling l2cap_sock_kill(), like Thread C:
+
+Context: Thread C:
+
+sock_close()
+ l2cap_sock_release()
+ sock_orphan()
+ l2cap_sock_kill() #free sock if refcnt is 1
+
+If C completed, Once A or B reaches l2cap_sock_teardown_cb() again,
+use-after-free happened.
+
+We should set chan->data to NULL if sock is destructed, for telling teardown
+operation is not allowed in l2cap_sock_teardown_cb(), and also we should
+avoid killing an already killed socket in l2cap_sock_close_cb().
+
+Signed-off-by: Wang ShaoBo <bobo.shaobowang@huawei.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_sock.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
+index f46f59129bf39..a47430d843dcf 100644
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1319,6 +1319,9 @@ static void l2cap_sock_close_cb(struct l2cap_chan *chan)
+ {
+ struct sock *sk = chan->data;
+
++ if (!sk)
++ return;
++
+ l2cap_sock_kill(sk);
+ }
+
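Review bot: The new `if (!sk) return;` in l2cap_sock_close_cb() reads `chan->data` with no visible synchronisation against the `l2cap_pi(sk)->chan->data = NULL` store added in the l2cap_sock_destruct() hunk, and the same applies to the check in the l2cap_sock_teardown_cb() hunk. If the callbacks can run concurrently with the final free of the socket, as the thread A/B/C description suggests, a callback may load a non-NULL `sk` just before it is freed, so the NULL test narrows the window rather than closing it. Whether a channel lock held by the callers serialises this is not visible in these hunks; if it does not, taking a reference on the socket before using it would be the robust form. At minimum I would document the contract next to the check: `/* chan->data is cleared in l2cap_sock_destruct(); NULL means the socket is already gone */`.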
+@@ -1327,6 +1330,9 @@ static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
+ struct sock *sk = chan->data;
+ struct sock *parent;
+
++ if (!sk)
++ return;
++
+ BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
+
+ /* This callback can be called both for server (BT_LISTEN)
+@@ -1510,8 +1516,10 @@ static void l2cap_sock_destruct(struct sock *sk)
+ {
+ BT_DBG("sk %p", sk);
+
+- if (l2cap_pi(sk)->chan)
++ if (l2cap_pi(sk)->chan) {
++ l2cap_pi(sk)->chan->data = NULL;
+ l2cap_chan_put(l2cap_pi(sk)->chan);
++ }
+
+ if (l2cap_pi(sk)->rx_busy_skb) {
+ kfree_skb(l2cap_pi(sk)->rx_busy_skb);
+--
+2.33.0
+
--- /dev/null
+From 52f304ca188a614c13315c3826caee76a9664ebc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Aug 2021 18:18:18 +0200
+Subject: Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 99c23da0eed4fd20cae8243f2b51e10e66aa0951 ]
+
+sco_send_frame() also takes lock_sock() during the memcpy_from_msg()
+call, which may be blocked endlessly by a task using the userfaultfd
+technique, and this will result in a hung task watchdog trigger.
+
+Just like the similar fix for hci_sock_sendmsg() in commit
+92c685dc5de0 ("Bluetooth: reorganize functions..."), this patch moves
+the memcpy_from_msg() out of lock_sock() for addressing the hang.
+
+This should be the last piece for fixing CVE-2021-3640 after a few
+already queued fixes.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/sco.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
+index 77f88c7df6053..b3b4ffaa394f6 100644
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -254,7 +254,8 @@ static int sco_connect(struct hci_dev *hdev, struct sock *sk)
+ return err;
+ }
+
+-static int sco_send_frame(struct sock *sk, struct msghdr *msg, int len)
++static int sco_send_frame(struct sock *sk, void *buf, int len,
++ unsigned int msg_flags)
+ {
+ struct sco_conn *conn = sco_pi(sk)->conn;
+ struct sk_buff *skb;
+@@ -266,15 +267,11 @@ static int sco_send_frame(struct sock *sk, struct msghdr *msg, int len)
+
+ BT_DBG("sk %p len %d", sk, len);
+
+- skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
++ skb = bt_skb_send_alloc(sk, len, msg_flags & MSG_DONTWAIT, &err);
+ if (!skb)
+ return err;
+
+- if (memcpy_from_msg(skb_put(skb, len), msg, len)) {
+- kfree_skb(skb);
+- return -EFAULT;
+- }
+-
++ memcpy(skb_put(skb, len), buf, len);
+ hci_send_sco(conn->hcon, skb);
+
+ return len;
+@@ -693,6 +690,7 @@ static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg,
+ size_t len)
+ {
+ struct sock *sk = sock->sk;
++ void *buf;
+ int err;
+
+ BT_DBG("sock %p, sk %p", sock, sk);
+@@ -704,14 +702,24 @@ static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg,
+ if (msg->msg_flags & MSG_OOB)
+ return -EOPNOTSUPP;
+
++ buf = kmalloc(len, GFP_KERNEL);
++ if (!buf)
++ return -ENOMEM;
++
++ if (memcpy_from_msg(buf, msg, len)) {
++ kfree(buf);
++ return -EFAULT;
++ }
++
+ lock_sock(sk);
+
+ if (sk->sk_state == BT_CONNECTED)
+- err = sco_send_frame(sk, msg, len);
++ err = sco_send_frame(sk, buf, len, msg->msg_flags);
+ else
+ err = -ENOTCONN;
+
+ release_sock(sk);
++ kfree(buf);
+ return err;
+ }
+
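Review bot: `buf = kmalloc(len, GFP_KERNEL)` in sco_sock_sendmsg() sizes a kernel allocation from the caller-supplied `len` before the socket state is checked and before sco_send_frame() runs, so any length check that sco_send_frame() performs in the part not shown here now comes after the allocation and the copy from userspace. An unconnected socket or an oversized request therefore still costs a `len`-byte allocation and copy, and a very large `len` reaches the allocator unbounded. I would reject lengths above the largest frame the socket can send before calling kmalloc(), or at least pass `__GFP_NOWARN` so an absurd size fails quietly with -ENOMEM. `len` is also `size_t` here but `int` in sco_send_frame()'s new signature, so the bound should keep it within `int` range.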
+--
+2.33.0
+
--- /dev/null
+From b5d38b9886e6a08143f3fd1d5e5b3961cf10b4dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Nov 2021 17:37:33 +0800
+Subject: bonding: Fix a use-after-free problem when bond_sysfs_slave_add()
+ failed
+
+From: Huang Guobin <huangguobin4@huawei.com>
+
+[ Upstream commit b93c6a911a3fe926b00add28f3b932007827c4ca ]
+
+When I do fuzz test for bonding device interface, I got the following
+use-after-free Calltrace:
+
+==================================================================
+BUG: KASAN: use-after-free in bond_enslave+0x1521/0x24f0
+Read of size 8 at addr ffff88825bc11c00 by task ifenslave/7365
+
+CPU: 5 PID: 7365 Comm: ifenslave Tainted: G E 5.15.0-rc1+ #13
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014
+Call Trace:
+ dump_stack_lvl+0x6c/0x8b
+ print_address_description.constprop.0+0x48/0x70
+ kasan_report.cold+0x82/0xdb
+ __asan_load8+0x69/0x90
+ bond_enslave+0x1521/0x24f0
+ bond_do_ioctl+0x3e0/0x450
+ dev_ifsioc+0x2ba/0x970
+ dev_ioctl+0x112/0x710
+ sock_do_ioctl+0x118/0x1b0
+ sock_ioctl+0x2e0/0x490
+ __x64_sys_ioctl+0x118/0x150
+ do_syscall_64+0x35/0xb0
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+RIP: 0033:0x7f19159cf577
+Code: b3 66 90 48 8b 05 11 89 2c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 78
+RSP: 002b:00007ffeb3083c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00007ffeb3084bca RCX: 00007f19159cf577
+RDX: 00007ffeb3083ce0 RSI: 0000000000008990 RDI: 0000000000000003
+RBP: 00007ffeb3084bc4 R08: 0000000000000040 R09: 0000000000000000
+R10: 00007ffeb3084bc0 R11: 0000000000000246 R12: 00007ffeb3083ce0
+R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffeb3083cb0
+
+Allocated by task 7365:
+ kasan_save_stack+0x23/0x50
+ __kasan_kmalloc+0x83/0xa0
+ kmem_cache_alloc_trace+0x22e/0x470
+ bond_enslave+0x2e1/0x24f0
+ bond_do_ioctl+0x3e0/0x450
+ dev_ifsioc+0x2ba/0x970
+ dev_ioctl+0x112/0x710
+ sock_do_ioctl+0x118/0x1b0
+ sock_ioctl+0x2e0/0x490
+ __x64_sys_ioctl+0x118/0x150
+ do_syscall_64+0x35/0xb0
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Freed by task 7365:
+ kasan_save_stack+0x23/0x50
+ kasan_set_track+0x20/0x30
+ kasan_set_free_info+0x24/0x40
+ __kasan_slab_free+0xf2/0x130
+ kfree+0xd1/0x5c0
+ slave_kobj_release+0x61/0x90
+ kobject_put+0x102/0x180
+ bond_sysfs_slave_add+0x7a/0xa0
+ bond_enslave+0x11b6/0x24f0
+ bond_do_ioctl+0x3e0/0x450
+ dev_ifsioc+0x2ba/0x970
+ dev_ioctl+0x112/0x710
+ sock_do_ioctl+0x118/0x1b0
+ sock_ioctl+0x2e0/0x490
+ __x64_sys_ioctl+0x118/0x150
+ do_syscall_64+0x35/0xb0
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Last potentially related work creation:
+ kasan_save_stack+0x23/0x50
+ kasan_record_aux_stack+0xb7/0xd0
+ insert_work+0x43/0x190
+ __queue_work+0x2e3/0x970
+ delayed_work_timer_fn+0x3e/0x50
+ call_timer_fn+0x148/0x470
+ run_timer_softirq+0x8a8/0xc50
+ __do_softirq+0x107/0x55f
+
+Second to last potentially related work creation:
+ kasan_save_stack+0x23/0x50
+ kasan_record_aux_stack+0xb7/0xd0
+ insert_work+0x43/0x190
+ __queue_work+0x2e3/0x970
+ __queue_delayed_work+0x130/0x180
+ queue_delayed_work_on+0xa7/0xb0
+ bond_enslave+0xe25/0x24f0
+ bond_do_ioctl+0x3e0/0x450
+ dev_ifsioc+0x2ba/0x970
+ dev_ioctl+0x112/0x710
+ sock_do_ioctl+0x118/0x1b0
+ sock_ioctl+0x2e0/0x490
+ __x64_sys_ioctl+0x118/0x150
+ do_syscall_64+0x35/0xb0
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+The buggy address belongs to the object at ffff88825bc11c00
+ which belongs to the cache kmalloc-1k of size 1024
+The buggy address is located 0 bytes inside of
+ 1024-byte region [ffff88825bc11c00, ffff88825bc12000)
+The buggy address belongs to the page:
+page:ffffea00096f0400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x25bc10
+head:ffffea00096f0400 order:3 compound_mapcount:0 compound_pincount:0
+flags: 0x57ff00000010200(slab|head|node=1|zone=2|lastcpupid=0x7ff)
+raw: 057ff00000010200 ffffea0009a71c08 ffff888240001968 ffff88810004dbc0
+raw: 0000000000000000 00000000000a000a 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff88825bc11b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff88825bc11b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+>ffff88825bc11c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff88825bc11c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff88825bc11d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+==================================================================
+
+Put new_slave in bond_sysfs_slave_add() will cause use-after-free problems
+when new_slave is accessed in the subsequent error handling process. Since
+new_slave will be put in the subsequent error handling process, remove the
+unnecessary put to fix it.
+In addition, when sysfs_create_file() fails, if some files have been
+created successfully, we need to call sysfs_remove_file() to remove them.
+Since sysfs_create_files() & sysfs_remove_files() are available, use
+these two functions instead.
+
+Fixes: 7afcaec49696 (bonding: use kobject_put instead of _del after kobject_add)
+Signed-off-by: Huang Guobin <huangguobin4@huawei.com>
+Reviewed-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_sysfs_slave.c | 36 ++++++++------------------
+ 1 file changed, 11 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_sysfs_slave.c b/drivers/net/bonding/bond_sysfs_slave.c
+index 68bbac4715c35..1e1e77a40f182 100644
+--- a/drivers/net/bonding/bond_sysfs_slave.c
++++ b/drivers/net/bonding/bond_sysfs_slave.c
+@@ -112,15 +112,15 @@ static ssize_t ad_partner_oper_port_state_show(struct slave *slave, char *buf)
+ }
+ static SLAVE_ATTR_RO(ad_partner_oper_port_state);
+
+-static const struct slave_attribute *slave_attrs[] = {
+- &slave_attr_state,
+- &slave_attr_mii_status,
+- &slave_attr_link_failure_count,
+- &slave_attr_perm_hwaddr,
+- &slave_attr_queue_id,
+- &slave_attr_ad_aggregator_id,
+- &slave_attr_ad_actor_oper_port_state,
+- &slave_attr_ad_partner_oper_port_state,
++static const struct attribute *slave_attrs[] = {
++ &slave_attr_state.attr,
++ &slave_attr_mii_status.attr,
++ &slave_attr_link_failure_count.attr,
++ &slave_attr_perm_hwaddr.attr,
++ &slave_attr_queue_id.attr,
++ &slave_attr_ad_aggregator_id.attr,
++ &slave_attr_ad_actor_oper_port_state.attr,
++ &slave_attr_ad_partner_oper_port_state.attr,
+ NULL
+ };
+
+@@ -141,24 +141,10 @@ const struct sysfs_ops slave_sysfs_ops = {
+
+ int bond_sysfs_slave_add(struct slave *slave)
+ {
+- const struct slave_attribute **a;
+- int err;
+-
+- for (a = slave_attrs; *a; ++a) {
+- err = sysfs_create_file(&slave->kobj, &((*a)->attr));
+- if (err) {
+- kobject_put(&slave->kobj);
+- return err;
+- }
+- }
+-
+- return 0;
++ return sysfs_create_files(&slave->kobj, slave_attrs);
+ }
+
+ void bond_sysfs_slave_del(struct slave *slave)
+ {
+- const struct slave_attribute **a;
+-
+- for (a = slave_attrs; *a; ++a)
+- sysfs_remove_file(&slave->kobj, &((*a)->attr));
++ sysfs_remove_files(&slave->kobj, slave_attrs);
+ }
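Review bot: bond_sysfs_slave_add() no longer drops the kobject reference when attribute creation fails, so its error contract changed from "slave is put on failure" to "caller still owns the slave". The commit message says the caller's error path does the put, but that code is outside this diff and nothing at the function records it. I would add a comment above the function, `/* On failure the caller still holds the reference on slave->kobj and must drop it */`, so a later caller neither leaks nor double-puts the object.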
+--
+2.33.0
+
--- /dev/null
+From 6500e1cbdf2cba34168ea881bcd95c2f5960e668 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Sep 2021 18:53:08 -0400
+Subject: cgroup: Make rebind_subsystems() disable v2 controllers all at once
+
+From: Waiman Long <longman@redhat.com>
+
+[ Upstream commit 7ee285395b211cad474b2b989db52666e0430daf ]
+
+It was found that the following warning was displayed when remounting
+controllers from cgroup v2 to v1:
+
+[ 8042.997778] WARNING: CPU: 88 PID: 80682 at kernel/cgroup/cgroup.c:3130 cgroup_apply_control_disable+0x158/0x190
+ :
+[ 8043.091109] RIP: 0010:cgroup_apply_control_disable+0x158/0x190
+[ 8043.096946] Code: ff f6 45 54 01 74 39 48 8d 7d 10 48 c7 c6 e0 46 5a a4 e8 7b 67 33 00 e9 41 ff ff ff 49 8b 84 24 e8 01 00 00 0f b7 40 08 eb 95 <0f> 0b e9 5f ff ff ff 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3
+[ 8043.115692] RSP: 0018:ffffba8a47c23d28 EFLAGS: 00010202
+[ 8043.120916] RAX: 0000000000000036 RBX: ffffffffa624ce40 RCX: 000000000000181a
+[ 8043.128047] RDX: ffffffffa63c43e0 RSI: ffffffffa63c43e0 RDI: ffff9d7284ee1000
+[ 8043.135180] RBP: ffff9d72874c5800 R08: ffffffffa624b090 R09: 0000000000000004
+[ 8043.142314] R10: ffffffffa624b080 R11: 0000000000002000 R12: ffff9d7284ee1000
+[ 8043.149447] R13: ffff9d7284ee1000 R14: ffffffffa624ce70 R15: ffffffffa6269e20
+[ 8043.156576] FS: 00007f7747cff740(0000) GS:ffff9d7a5fc00000(0000) knlGS:0000000000000000
+[ 8043.164663] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 8043.170409] CR2: 00007f7747e96680 CR3: 0000000887d60001 CR4: 00000000007706e0
+[ 8043.177539] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 8043.184673] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 8043.191804] PKRU: 55555554
+[ 8043.194517] Call Trace:
+[ 8043.196970] rebind_subsystems+0x18c/0x470
+[ 8043.201070] cgroup_setup_root+0x16c/0x2f0
+[ 8043.205177] cgroup1_root_to_use+0x204/0x2a0
+[ 8043.209456] cgroup1_get_tree+0x3e/0x120
+[ 8043.213384] vfs_get_tree+0x22/0xb0
+[ 8043.216883] do_new_mount+0x176/0x2d0
+[ 8043.220550] __x64_sys_mount+0x103/0x140
+[ 8043.224474] do_syscall_64+0x38/0x90
+[ 8043.228063] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+It was caused by the fact that rebind_subsystems() disables
+controllers to be rebound one by one. If more than one of the disabled
+controllers is originally from the default hierarchy, it means that
+cgroup_apply_control_disable() will be called multiple times for the
+same default hierarchy. A controller may be killed by css_kill() in
+the first round. In the second round, the killed controller may not be
+completely dead yet leading to the warning.
+
+To avoid this problem, we collect all the ssid's of controllers that
+needed to be disabled from the default hierarchy and then disable them
+in one go instead of one by one.
+
+Fixes: 334c3679ec4b ("cgroup: reimplement rebind_subsystems() using cgroup_apply_control() and friends")
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/cgroup.c | 31 +++++++++++++++++++++++++++----
+ 1 file changed, 27 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/cgroup.c b/kernel/cgroup.c
+index 3378c44e147e6..248b0bf5d6795 100644
+--- a/kernel/cgroup.c
++++ b/kernel/cgroup.c
+@@ -1564,6 +1564,7 @@ static int rebind_subsystems(struct cgroup_root *dst_root, u16 ss_mask)
+ struct cgroup *dcgrp = &dst_root->cgrp;
+ struct cgroup_subsys *ss;
+ int ssid, i, ret;
++ u16 dfl_disable_ss_mask = 0;
+
+ lockdep_assert_held(&cgroup_mutex);
+
+@@ -1580,8 +1581,28 @@ static int rebind_subsystems(struct cgroup_root *dst_root, u16 ss_mask)
+ /* can't move between two non-dummy roots either */
+ if (ss->root != &cgrp_dfl_root && dst_root != &cgrp_dfl_root)
+ return -EBUSY;
++
++ /*
++ * Collect ssid's that need to be disabled from default
++ * hierarchy.
++ */
++ if (ss->root == &cgrp_dfl_root)
++ dfl_disable_ss_mask |= 1 << ssid;
++
+ } while_each_subsys_mask();
+
++ if (dfl_disable_ss_mask) {
++ struct cgroup *scgrp = &cgrp_dfl_root.cgrp;
++
++ /*
++ * Controllers from default hierarchy that need to be rebound
++ * are all disabled together in one go.
++ */
++ cgrp_dfl_root.subsys_mask &= ~dfl_disable_ss_mask;
++ WARN_ON(cgroup_apply_control(scgrp));
++ cgroup_finalize_control(scgrp, 0);
++ }
++
+ do_each_subsys_mask(ss, ssid, ss_mask) {
+ struct cgroup_root *src_root = ss->root;
+ struct cgroup *scgrp = &src_root->cgrp;
+@@ -1590,10 +1611,12 @@ static int rebind_subsystems(struct cgroup_root *dst_root, u16 ss_mask)
+
+ WARN_ON(!css || cgroup_css(dcgrp, ss));
+
+- /* disable from the source */
+- src_root->subsys_mask &= ~(1 << ssid);
+- WARN_ON(cgroup_apply_control(scgrp));
+- cgroup_finalize_control(scgrp, 0);
++ if (src_root != &cgrp_dfl_root) {
++ /* disable from the source */
++ src_root->subsys_mask &= ~(1 << ssid);
++ WARN_ON(cgroup_apply_control(scgrp));
++ cgroup_finalize_control(scgrp, 0);
++ }
+
+ /* rebind */
+ RCU_INIT_POINTER(scgrp->subsys[ssid], NULL);
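Review bot: In the last hunk the comment `/* disable from the source */` now sits inside `if (src_root != &cgrp_dfl_root)`, with no hint of where default-hierarchy controllers are handled. I would extend it to `/* disable from the source; default-hierarchy controllers were already disabled together above */`. The batched path in the previous hunk keeps the pattern of `WARN_ON(cgroup_apply_control(scgrp))` followed by an unconditional `cgroup_finalize_control(scgrp, 0)`; that mirrors the removed per-controller code, but a single failure now covers every controller in `dfl_disable_ss_mask`, which deserves a line in the comment there. rebind_subsystems() starts and ends outside these hunks.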
+--
+2.33.0
+
--- /dev/null
+From 3159536f8b608692f87603eeb799d6de9a4680cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Sep 2021 18:34:40 +0000
+Subject: cpuidle: Fix kobject memory leaks in error paths
+
+From: Anel Orazgaliyeva <anelkz@amazon.de>
+
+[ Upstream commit e5f5a66c9aa9c331da5527c2e3fd9394e7091e01 ]
+
+Commit c343bf1ba5ef ("cpuidle: Fix three reference count leaks")
+fixes the cleanup of kobjects; however, it removes kfree() calls
+altogether, leading to memory leaks.
+
+Fix those and also defer the initialization of dev->kobj_dev until
+after the error check, so that we do not end up with a dangling
+pointer.
+
+Fixes: c343bf1ba5ef ("cpuidle: Fix three reference count leaks")
+Signed-off-by: Anel Orazgaliyeva <anelkz@amazon.de>
+Suggested-by: Aman Priyadarshi <apeureka@amazon.de>
+[ rjw: Subject edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpuidle/sysfs.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/cpuidle/sysfs.c b/drivers/cpuidle/sysfs.c
+index e7e92ed34f0c6..34c4a61a954fc 100644
+--- a/drivers/cpuidle/sysfs.c
++++ b/drivers/cpuidle/sysfs.c
+@@ -413,6 +413,7 @@ static int cpuidle_add_state_sysfs(struct cpuidle_device *device)
+ &kdev->kobj, "state%d", i);
+ if (ret) {
+ kobject_put(&kobj->kobj);
++ kfree(kobj);
+ goto error_state;
+ }
+ kobject_uevent(&kobj->kobj, KOBJ_ADD);
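Review bot: `kfree(kobj)` runs immediately after `kobject_put(&kobj->kobj)`, without waiting for the kobject's release callback; the same put-then-free pair is added in the cpuidle_add_driver_sysfs() and cpuidle_add_sysfs() hunks. The cpuidle_add_sysfs() hunk shows `init_completion(&kdev->kobj_unregister)`, which suggests the release callback signals a completion embedded in the object; if release is deferred (for example with delayed kobject release debugging enabled), it would then write to freed memory. The release functions are not visible here, so this needs confirming, but if they do complete that field each error path should wait before freeing, e.g. `wait_for_completion(&kdev->kobj_unregister);` between the put and the `kfree(kdev)`.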
+@@ -543,6 +544,7 @@ static int cpuidle_add_driver_sysfs(struct cpuidle_device *dev)
+ &kdev->kobj, "driver");
+ if (ret) {
+ kobject_put(&kdrv->kobj);
++ kfree(kdrv);
+ return ret;
+ }
+
+@@ -629,7 +631,6 @@ int cpuidle_add_sysfs(struct cpuidle_device *dev)
+ if (!kdev)
+ return -ENOMEM;
+ kdev->dev = dev;
+- dev->kobj_dev = kdev;
+
+ init_completion(&kdev->kobj_unregister);
+
+@@ -637,9 +638,11 @@ int cpuidle_add_sysfs(struct cpuidle_device *dev)
+ "cpuidle");
+ if (error) {
+ kobject_put(&kdev->kobj);
++ kfree(kdev);
+ return error;
+ }
+
++ dev->kobj_dev = kdev;
+ kobject_uevent(&kdev->kobj, KOBJ_ADD);
+
+ return 0;
+--
+2.33.0
+
--- /dev/null
+From 3b0148eccd8aa01c3d3fe04aaa1d312848cf9b42 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Oct 2021 14:30:28 -0400
+Subject: crypto: pcrypt - Delay write to padata->info
+
+From: Daniel Jordan <daniel.m.jordan@oracle.com>
+
+[ Upstream commit 68b6dea802cea0dbdd8bd7ccc60716b5a32a5d8a ]
+
+These three events can race when pcrypt is used multiple times in a
+template ("pcrypt(pcrypt(...))"):
+
+ 1. [taskA] The caller makes the crypto request via crypto_aead_encrypt()
+ 2. [kworkerB] padata serializes the inner pcrypt request
+ 3. [kworkerC] padata serializes the outer pcrypt request
+
+3 might finish before the call to crypto_aead_encrypt() returns in 1,
+resulting in two possible issues.
+
+First, a use-after-free of the crypto request's memory when, for
+example, taskA writes to the outer pcrypt request's padata->info in
+pcrypt_aead_enc() after kworkerC completes the request.
+
+Second, the outer pcrypt request overwrites the inner pcrypt request's
+return code with -EINPROGRESS, making a successful request appear to
+fail. For instance, kworkerB writes the outer pcrypt request's
+padata->info in pcrypt_aead_done() and then taskA overwrites it
+in pcrypt_aead_enc().
+
+Avoid both situations by delaying the write of padata->info until after
+the inner crypto request's return code is checked. This prevents the
+use-after-free by not touching the crypto request's memory after the
+next-inner crypto request is made, and stops padata->info from being
+overwritten.
+
+Fixes: 5068c7a883d16 ("crypto: pcrypt - Add pcrypt crypto parallelization wrapper")
+Reported-by: syzbot+b187b77c8474f9648fae@syzkaller.appspotmail.com
+Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/pcrypt.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/pcrypt.c b/crypto/pcrypt.c
+index 85082574c5154..62e11835f220e 100644
+--- a/crypto/pcrypt.c
++++ b/crypto/pcrypt.c
+@@ -138,12 +138,14 @@ static void pcrypt_aead_enc(struct padata_priv *padata)
+ {
+ struct pcrypt_request *preq = pcrypt_padata_request(padata);
+ struct aead_request *req = pcrypt_request_ctx(preq);
++ int ret;
+
+- padata->info = crypto_aead_encrypt(req);
++ ret = crypto_aead_encrypt(req);
+
+- if (padata->info == -EINPROGRESS)
++ if (ret == -EINPROGRESS)
+ return;
+
++ padata->info = ret;
+ padata_do_serial(padata);
+ }
+
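Review bot: Neither pcrypt_aead_enc() nor pcrypt_aead_dec() (next hunk) says why `padata->info` is written only after the -EINPROGRESS test, and that ordering is the whole fix. I would put a comment on the early return: `/* Request was handed off; it may already be completed and freed, so do not touch padata here */`. Without it, folding `ret` back into `padata->info = crypto_aead_encrypt(req)` looks like a harmless simplification and would reintroduce the use-after-free described in the commit message.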
+@@ -180,12 +182,14 @@ static void pcrypt_aead_dec(struct padata_priv *padata)
+ {
+ struct pcrypt_request *preq = pcrypt_padata_request(padata);
+ struct aead_request *req = pcrypt_request_ctx(preq);
++ int ret;
+
+- padata->info = crypto_aead_decrypt(req);
++ ret = crypto_aead_decrypt(req);
+
+- if (padata->info == -EINPROGRESS)
++ if (ret == -EINPROGRESS)
+ return;
+
++ padata->info = ret;
+ padata_do_serial(padata);
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 9b48a7626b1b8dd8bd849718e78c67d7101b35c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Sep 2021 12:44:29 +0100
+Subject: crypto: qat - detect PFVF collision after ACK
+
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+
+[ Upstream commit 9b768e8a3909ac1ab39ed44a3933716da7761a6f ]
+
+Detect a PFVF collision between the local and the remote function by
+checking if the message on the PFVF CSR has been overwritten.
+This is done after the remote function confirms that the message has
+been received, by clearing the interrupt bit, or the maximum number of
+attempts (ADF_IOV_MSG_ACK_MAX_RETRY) to check the CSR has been exceeded.
+
+Fixes: ed8ccaef52fa ("crypto: qat - Add support for SRIOV")
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Co-developed-by: Marco Chiappero <marco.chiappero@intel.com>
+Signed-off-by: Marco Chiappero <marco.chiappero@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_common/adf_pf2vf_msg.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c
+index c64481160b711..72fd2bbbe704e 100644
+--- a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c
++++ b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c
+@@ -195,6 +195,13 @@ static int __adf_iov_putmsg(struct adf_accel_dev *accel_dev, u32 msg, u8 vf_nr)
+ val = ADF_CSR_RD(pmisc_bar_addr, pf2vf_offset);
+ } while ((val & int_bit) && (count++ < ADF_IOV_MSG_ACK_MAX_RETRY));
+
++ if (val != msg) {
++ dev_dbg(&GET_DEV(accel_dev),
++ "Collision - PFVF CSR overwritten by remote function\n");
++ ret = -EIO;
++ goto out;
++ }
++
+ if (val & int_bit) {
+ dev_dbg(&GET_DEV(accel_dev), "ACK not received from remote\n");
+ val &= ~int_bit;
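Review bot: The new `if (val != msg)` test compares the whole register value, including `int_bit`, yet the loop above exits both when the remote clears `int_bit` and when the retries run out with it still set. Those two outcomes differ in exactly that bit, so whichever form of `msg` was written (not visible in this hunk), one of them is reported as a collision; if `msg` does not carry `int_bit`, every ACK timeout takes this branch and the `ACK not received from remote` path below is never reached. I would leave the interrupt bit out of the comparison, `if ((val & ~int_bit) != (msg & ~int_bit)) {`, so only a real overwrite counts. __adf_iov_putmsg() starts and ends outside the hunk.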
+--
+2.33.0
+
--- /dev/null
+From d6af1be6c966710dfe692f055df71e16f63ed3e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Sep 2021 12:44:30 +0100
+Subject: crypto: qat - disregard spurious PFVF interrupts
+
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+
+[ Upstream commit 18fcba469ba5359c1de7e3fb16f7b9e8cd1b8e02 ]
+
+Upon receiving a PFVF message, check if the interrupt bit is set in the
+message. If it is not, that means that the interrupt was probably
+triggered by a collision. In this case, disregard the message and
+re-enable the interrupts.
+
+Fixes: ed8ccaef52fa ("crypto: qat - Add support for SRIOV")
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Reviewed-by: Marco Chiappero <marco.chiappero@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_common/adf_pf2vf_msg.c | 6 ++++++
+ drivers/crypto/qat/qat_common/adf_vf_isr.c | 6 ++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c
+index 72fd2bbbe704e..180016e157771 100644
+--- a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c
++++ b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c
+@@ -250,6 +250,11 @@ void adf_vf2pf_req_hndl(struct adf_accel_vf_info *vf_info)
+
+ /* Read message from the VF */
+ msg = ADF_CSR_RD(pmisc_addr, hw_data->get_pf2vf_offset(vf_nr));
++ if (!(msg & ADF_VF2PF_INT)) {
++ dev_info(&GET_DEV(accel_dev),
++ "Spurious VF2PF interrupt, msg %X. Ignored\n", msg);
++ goto out;
++ }
+
+ /* To ACK, clear the VF2PFINT bit */
+ msg &= ~ADF_VF2PF_INT;
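Review bot: The `dev_info()` added in adf_vf2pf_req_hndl() fires once per spurious interrupt and prints a value read from the message register written by the VF, so a misbehaving or hostile VF can flood the host log. I would use the rate-limited form, `dev_info_ratelimited(&GET_DEV(accel_dev), ...)`, here and for the matching message in the adf_pf2vf_bh_handler() hunk. Both functions continue outside their hunks.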
+@@ -333,6 +338,7 @@ void adf_vf2pf_req_hndl(struct adf_accel_vf_info *vf_info)
+ if (resp && adf_iov_putmsg(accel_dev, resp, vf_nr))
+ dev_err(&GET_DEV(accel_dev), "Failed to send response to VF\n");
+
++out:
+ /* re-enable interrupt on PF from this VF */
+ adf_enable_vf2pf_interrupts(accel_dev, (1 << vf_nr));
+ return;
+diff --git a/drivers/crypto/qat/qat_common/adf_vf_isr.c b/drivers/crypto/qat/qat_common/adf_vf_isr.c
+index 36db3c443e7e4..6fa1447d05829 100644
+--- a/drivers/crypto/qat/qat_common/adf_vf_isr.c
++++ b/drivers/crypto/qat/qat_common/adf_vf_isr.c
+@@ -123,6 +123,11 @@ static void adf_pf2vf_bh_handler(void *data)
+
+ /* Read the message from PF */
+ msg = ADF_CSR_RD(pmisc_bar_addr, hw_data->get_pf2vf_offset(0));
++ if (!(msg & ADF_PF2VF_INT)) {
++ dev_info(&GET_DEV(accel_dev),
++ "Spurious PF2VF interrupt, msg %X. Ignored\n", msg);
++ goto out;
++ }
+
+ if (!(msg & ADF_PF2VF_MSGORIGIN_SYSTEM))
+ /* Ignore legacy non-system (non-kernel) PF2VF messages */
+@@ -171,6 +176,7 @@ static void adf_pf2vf_bh_handler(void *data)
+ msg &= ~BIT(0);
+ ADF_CSR_WR(pmisc_bar_addr, hw_data->get_pf2vf_offset(0), msg);
+
++out:
+ /* Re-enable PF2VF interrupts */
+ adf_enable_pf2vf_interrupts(accel_dev);
+ return;
+--
+2.33.0
+
--- /dev/null
+From caf5bb99fd956b90ee38524dd4cc7f02dcec591c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Oct 2021 14:12:28 +0300
+Subject: dmaengine: at_xdmac: fix AT_XDMAC_CC_PERID() macro
+
+From: Claudiu Beznea <claudiu.beznea@microchip.com>
+
+[ Upstream commit 320c88a3104dc955f928a1eecebd551ff89530c0 ]
+
+AT_XDMAC_CC_PERID() should be used to set up bits 24..30 of the XDMAC_CC
+register. Using it without parentheses around 0x7f & (i) will always set
+bits 24..30 of XDMAC_CC to zero, as the << operator has higher precedence
+than bitwise &. Thus, add parentheses around 0x7f & (i).
+
+Fixes: 15a03850ab8f ("dmaengine: at_xdmac: fix macro typo")
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Reviewed-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Link: https://lore.kernel.org/r/20211007111230.2331837-3-claudiu.beznea@microchip.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/at_xdmac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c
+index 12d9048293245..a505be9ef96da 100644
+--- a/drivers/dma/at_xdmac.c
++++ b/drivers/dma/at_xdmac.c
+@@ -156,7 +156,7 @@
+ #define AT_XDMAC_CC_WRIP (0x1 << 23) /* Write in Progress (read only) */
+ #define AT_XDMAC_CC_WRIP_DONE (0x0 << 23)
+ #define AT_XDMAC_CC_WRIP_IN_PROGRESS (0x1 << 23)
+-#define AT_XDMAC_CC_PERID(i) (0x7f & (i) << 24) /* Channel Peripheral Identifier */
++#define AT_XDMAC_CC_PERID(i) ((0x7f & (i)) << 24) /* Channel Peripheral Identifier */
+ #define AT_XDMAC_CDS_MSP 0x2C /* Channel Data Stride Memory Set Pattern */
+ #define AT_XDMAC_CSUS 0x30 /* Channel Source Microblock Stride */
+ #define AT_XDMAC_CDUS 0x34 /* Channel Destination Microblock Stride */
+--
+2.33.0
+
--- /dev/null
+From a646c4528ad3fe4931635eb2ff6c9798ebe0901b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Oct 2021 15:41:01 +0200
+Subject: dmaengine: dmaengine_desc_callback_valid(): Check for
+ `callback_result`
+
+From: Lars-Peter Clausen <lars@metafoo.de>
+
+[ Upstream commit e7e1e880b114ca640a2f280b0d5d38aed98f98c6 ]
+
+Before the `callback_result` callback was introduced drivers coded their
+invocation to the callback in a similar way to:
+
+ if (cb->callback) {
+ spin_unlock(&dma->lock);
+ cb->callback(cb->callback_param);
+ spin_lock(&dma->lock);
+ }
+
+With the introduction of `callback_result` two helpers where introduced to
+transparently handle both types of callbacks. And drivers where updated to
+look like this:
+
+ if (dmaengine_desc_callback_valid(cb)) {
+ spin_unlock(&dma->lock);
+ dmaengine_desc_callback_invoke(cb, ...);
+ spin_lock(&dma->lock);
+ }
+
+dmaengine_desc_callback_invoke() correctly handles both `callback_result`
+and `callback`. But we forgot to update the dmaengine_desc_callback_valid()
+function to check for `callback_result`. As a result DMA descriptors that
+use the `callback_result` rather than `callback` don't have their callback
+invoked by drivers that follow the pattern above.
+
+Fix this by checking for both `callback` and `callback_result` in
+dmaengine_desc_callback_valid().
+
+Fixes: f067025bc676 ("dmaengine: add support to provide error result from a DMA transation")
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Acked-by: Dave Jiang <dave.jiang@intel.com>
+Link: https://lore.kernel.org/r/20211023134101.28042-1-lars@metafoo.de
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/dmaengine.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/dma/dmaengine.h b/drivers/dma/dmaengine.h
+index 882ff9448c3ba..6537b8ec03934 100644
+--- a/drivers/dma/dmaengine.h
++++ b/drivers/dma/dmaengine.h
+@@ -167,7 +167,7 @@ dmaengine_desc_get_callback_invoke(struct dma_async_tx_descriptor *tx,
+ static inline bool
+ dmaengine_desc_callback_valid(struct dmaengine_desc_callback *cb)
+ {
+- return (cb->callback) ? true : false;
++ return cb->callback || cb->callback_result;
+ }
+
+ #endif
+--
+2.33.0
+
--- /dev/null
+From c1a1a4e5356a3b884be45f9586a78161b60d5b9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Oct 2021 11:13:15 +0300
+Subject: drm/msm: uninitialized variable in msm_gem_import()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 2203bd0e5c12ffc53ffdd4fbd7b12d6ba27e0424 ]
+
+The msm_gem_new_impl() function cleans up after itself so there is no
+need to call drm_gem_object_put(). Conceptually, it does not make sense
+to call a kref_put() function until after the reference counting has
+been initialized which happens immediately after this call in the
+drm_gem_(private_)object_init() functions.
+
+In the msm_gem_import() function the "obj" pointer is uninitialized, so
+it will lead to a crash.
+
+Fixes: 05b849111c07 ("drm/msm: prime support")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/20211013081315.GG6010@kili
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_gem.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c
+index 983ce7965c7ff..dfce39f02f8d4 100644
+--- a/drivers/gpu/drm/msm/msm_gem.c
++++ b/drivers/gpu/drm/msm/msm_gem.c
+@@ -871,7 +871,7 @@ struct drm_gem_object *msm_gem_new(struct drm_device *dev,
+
+ ret = msm_gem_new_impl(dev, size, flags, NULL, &obj);
+ if (ret)
+- goto fail;
++ return ERR_PTR(ret);
+
+ if (use_pages(obj)) {
+ ret = drm_gem_object_init(dev, obj, size);
+@@ -910,7 +910,7 @@ struct drm_gem_object *msm_gem_import(struct drm_device *dev,
+ mutex_unlock(&dev->struct_mutex);
+
+ if (ret)
+- goto fail;
++ return ERR_PTR(ret);
+
+ drm_gem_private_object_init(dev, obj, size);
+
+--
+2.33.0
+
--- /dev/null
+From 189e913d3475e5a86a298743a9f0e9fc4d3f9dac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Oct 2021 02:37:06 -0400
+Subject: drm/plane-helper: fix uninitialized variable reference
+
+From: Alex Xu (Hello71) <alex_y_xu@yahoo.ca>
+
+[ Upstream commit 7be28bd73f23e53d6e7f5fe891ba9503fc0c7210 ]
+
+drivers/gpu/drm/drm_plane_helper.c: In function 'drm_primary_helper_update':
+drivers/gpu/drm/drm_plane_helper.c:113:32: error: 'visible' is used uninitialized [-Werror=uninitialized]
+ 113 | struct drm_plane_state plane_state = {
+ | ^~~~~~~~~~~
+drivers/gpu/drm/drm_plane_helper.c:178:14: note: 'visible' was declared here
+ 178 | bool visible;
+ | ^~~~~~~
+cc1: all warnings being treated as errors
+
+visible is an output, not an input. in practice this use might turn out
+OK but it's still UB.
+
+Fixes: df86af9133b4 ("drm/plane-helper: Add drm_plane_helper_check_state()")
+Reviewed-by: Simon Ser <contact@emersion.fr>
+Signed-off-by: Alex Xu (Hello71) <alex_y_xu@yahoo.ca>
+Signed-off-by: Simon Ser <contact@emersion.fr>
+Link: https://patchwork.freedesktop.org/patch/msgid/20211007063706.305984-1-alex_y_xu@yahoo.ca
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_plane_helper.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_plane_helper.c b/drivers/gpu/drm/drm_plane_helper.c
+index 7899fc1dcdb08..c4fd742ff917a 100644
+--- a/drivers/gpu/drm/drm_plane_helper.c
++++ b/drivers/gpu/drm/drm_plane_helper.c
+@@ -246,7 +246,6 @@ int drm_plane_helper_check_update(struct drm_plane *plane,
+ .crtc_w = drm_rect_width(dst),
+ .crtc_h = drm_rect_height(dst),
+ .rotation = rotation,
+- .visible = *visible,
+ };
+ int ret;
+
+--
+2.33.0
+
--- /dev/null
+From 64c897a2fb1940f92dae4840538fce983abee5df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Mar 2021 00:00:20 -0800
+Subject: fs: orangefs: fix error return code of orangefs_revalidate_lookup()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit 4c2b46c824a78fc8190d8eafaaea5a9078fe7479 ]
+
+When op_alloc() returns NULL to new_op, no error return code of
+orangefs_revalidate_lookup() is assigned.
+To fix this bug, ret is assigned with -ENOMEM in this case.
+
+Fixes: 8bb8aefd5afb ("OrangeFS: Change almost all instances of the string PVFS2 to OrangeFS.")
+Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: Mike Marshall <hubcap@omnibond.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/orangefs/dcache.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/orangefs/dcache.c b/fs/orangefs/dcache.c
+index 5355efba4bc8c..1942f9946ab77 100644
+--- a/fs/orangefs/dcache.c
++++ b/fs/orangefs/dcache.c
+@@ -25,8 +25,10 @@ static int orangefs_revalidate_lookup(struct dentry *dentry)
+ gossip_debug(GOSSIP_DCACHE_DEBUG, "%s: attempting lookup.\n", __func__);
+
+ new_op = op_alloc(ORANGEFS_VFS_OP_LOOKUP);
+- if (!new_op)
++ if (!new_op) {
++ ret = -ENOMEM;
+ goto out_put_parent;
++ }
+
+ new_op->upcall.req.lookup.sym_follow = ORANGEFS_LOOKUP_LINK_NO_FOLLOW;
+ new_op->upcall.req.lookup.parent_refn = parent->refn;
+--
+2.33.0
+
--- /dev/null
+From b0496881c20e83b2918ec5e84d0bc19cc4c20d26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Oct 2021 19:27:58 +0800
+Subject: hwmon: Fix possible memleak in __hwmon_device_register()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit ada61aa0b1184a8fda1a89a340c7d6cc4e59aee5 ]
+
+I got memory leak as follows when doing fault injection test:
+
+unreferenced object 0xffff888102740438 (size 8):
+ comm "27", pid 859, jiffies 4295031351 (age 143.992s)
+ hex dump (first 8 bytes):
+ 68 77 6d 6f 6e 30 00 00 hwmon0..
+ backtrace:
+ [<00000000544b5996>] __kmalloc_track_caller+0x1a6/0x300
+ [<00000000df0d62b9>] kvasprintf+0xad/0x140
+ [<00000000d3d2a3da>] kvasprintf_const+0x62/0x190
+ [<000000005f8f0f29>] kobject_set_name_vargs+0x56/0x140
+ [<00000000b739e4b9>] dev_set_name+0xb0/0xe0
+ [<0000000095b69c25>] __hwmon_device_register+0xf19/0x1e50 [hwmon]
+ [<00000000a7e65b52>] hwmon_device_register_with_info+0xcb/0x110 [hwmon]
+ [<000000006f181e86>] devm_hwmon_device_register_with_info+0x85/0x100 [hwmon]
+ [<0000000081bdc567>] tmp421_probe+0x2d2/0x465 [tmp421]
+ [<00000000502cc3f8>] i2c_device_probe+0x4e1/0xbb0
+ [<00000000f90bda3b>] really_probe+0x285/0xc30
+ [<000000007eac7b77>] __driver_probe_device+0x35f/0x4f0
+ [<000000004953d43d>] driver_probe_device+0x4f/0x140
+ [<000000002ada2d41>] __device_attach_driver+0x24c/0x330
+ [<00000000b3977977>] bus_for_each_drv+0x15d/0x1e0
+ [<000000005bf2a8e3>] __device_attach+0x267/0x410
+
+When device_register() returns an error, the name allocated in
+dev_set_name() will be leaked, the put_device() should be used
+instead of calling hwmon_dev_release() to give up the device
+reference, then the name will be freed in kobject_cleanup().
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: bab2243ce189 ("hwmon: Introduce hwmon_device_register_with_groups")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20211012112758.2681084-1-yangyingliang@huawei.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/hwmon.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/hwmon.c b/drivers/hwmon/hwmon.c
+index e0a1a118514f9..8b11d2fdf80ab 100644
+--- a/drivers/hwmon/hwmon.c
++++ b/drivers/hwmon/hwmon.c
+@@ -592,8 +592,10 @@ __hwmon_device_register(struct device *dev, const char *name, void *drvdata,
+ dev_set_drvdata(hdev, drvdata);
+ dev_set_name(hdev, HWMON_ID_FORMAT, id);
+ err = device_register(hdev);
+- if (err)
+- goto free_hwmon;
++ if (err) {
++ put_device(hdev);
++ goto ida_remove;
++ }
+
+ if (chip && chip->ops->is_visible && chip->ops->read &&
+ chip->info[0]->type == hwmon_chip &&
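Review bot: The new `if (err)` branch after `device_register(hdev)` jumps to `ida_remove` instead of `free_hwmon` without a comment saying why, and that asymmetry is the kind of thing a later cleanup "fixes" back into a leak or a double free. Per the commit message, `put_device()` is what gives up the reference so the name is freed in `kobject_cleanup()`; presumably the device's release callback then frees the containing allocation as well, though that callback is not visible in this hunk. I would add `/* put_device() drops the last reference and runs the release callback; skip free_hwmon and do not touch hdev after this */` above the `put_device(hdev);` line. The function starts and continues outside the hunk, so the two labels themselves could not be checked here.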
+--
+2.33.0
+
--- /dev/null
+From b0914979819e0851ad1f614c8a4f368fc1fd5052 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Aug 2021 22:48:08 +0200
+Subject: i2c: xlr: Fix a resource leak in the error handling path of
+ 'xlr_i2c_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 7f98960c046ee1136e7096aee168eda03aef8a5d ]
+
+A successful 'clk_prepare()' call should be balanced by a corresponding
+'clk_unprepare()' call in the error handling path of the probe, as already
+done in the remove function.
+
+More specifically, 'clk_prepare_enable()' is used, but 'clk_disable()' is
+also already called. So just the unprepare step has still to be done.
+
+Update the error handling path accordingly.
+
+Fixes: 75d31c2372e4 ("i2c: xlr: add support for Sigma Designs controller variant")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-xlr.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-xlr.c b/drivers/i2c/busses/i2c-xlr.c
+index ad17d88d85736..63f47e07345c0 100644
+--- a/drivers/i2c/busses/i2c-xlr.c
++++ b/drivers/i2c/busses/i2c-xlr.c
+@@ -434,11 +434,15 @@ static int xlr_i2c_probe(struct platform_device *pdev)
+ i2c_set_adapdata(&priv->adap, priv);
+ ret = i2c_add_numbered_adapter(&priv->adap);
+ if (ret < 0)
+- return ret;
++ goto err_unprepare_clk;
+
+ platform_set_drvdata(pdev, priv);
+ dev_info(&priv->adap.dev, "Added I2C Bus.\n");
+ return 0;
++
++err_unprepare_clk:
++ clk_unprepare(clk);
++ return ret;
+ }
+
+ static int xlr_i2c_remove(struct platform_device *pdev)
+--
+2.33.0
+
--- /dev/null
+From f76d6e00633394b5703e3d6b1d3cc1acf314bf09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Sep 2021 10:12:24 -0700
+Subject: ia64: don't do IA64_CMPXCHG_DEBUG without CONFIG_PRINTK
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit c15b5fc054c3d6c97e953617605235c5cb8ce979 ]
+
+When CONFIG_PRINTK is not set, the CMPXCHG_BUGCHECK() macro calls
+_printk(), but _printk() is a static inline function, not available
+as an extern.
+Since the purpose of the macro is to print the BUGCHECK info,
+make this config option depend on PRINTK.
+
+Fixes multiple occurrences of this build error:
+
+../include/linux/printk.h:208:5: error: static declaration of '_printk' follows non-static declaration
+ 208 | int _printk(const char *s, ...)
+ | ^~~~~~~
+In file included from ../arch/ia64/include/asm/cmpxchg.h:5,
+../arch/ia64/include/uapi/asm/cmpxchg.h:146:28: note: previous declaration of '_printk' with type 'int(const char *, ...)'
+ 146 | extern int _printk(const char *fmt, ...);
+
+Cc: linux-ia64@vger.kernel.org
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: Chris Down <chris@chrisdown.name>
+Cc: Paul Gortmaker <paul.gortmaker@windriver.com>
+Cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/ia64/Kconfig.debug | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/ia64/Kconfig.debug b/arch/ia64/Kconfig.debug
+index de9d507ba0fd4..ee6c7f75f479d 100644
+--- a/arch/ia64/Kconfig.debug
++++ b/arch/ia64/Kconfig.debug
+@@ -41,7 +41,7 @@ config DISABLE_VHPT
+
+ config IA64_DEBUG_CMPXCHG
+ bool "Turn on compare-and-exchange bug checking (slow!)"
+- depends on DEBUG_KERNEL
++ depends on DEBUG_KERNEL && PRINTK
+ help
+ Selecting this option turns on bug checking for the IA-64
+ compare-and-exchange instructions. This is slow! Itaniums
+--
+2.33.0
+
--- /dev/null
+From bd09bc1e177cacb5a9ac64b5e525e91ccd733ea1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Oct 2021 17:25:22 +0100
+Subject: irq: mips: avoid nested irq_enter()
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+[ Upstream commit c65b52d02f6c1a06ddb20cba175ad49eccd6410d ]
+
+As bcm6345_l1_irq_handle() is a chained irqchip handler, it will be
+invoked within the context of the root irqchip handler, which must have
+entered IRQ context already.
+
+When bcm6345_l1_irq_handle() calls arch/mips's do_IRQ() , this will nest
+another call to irq_enter(), and the resulting nested increment to
+`rcu_data.dynticks_nmi_nesting` will cause rcu_is_cpu_rrupt_from_idle()
+to fail to identify wakeups from idle, resulting in failure to preempt,
+and RCU stalls.
+
+Chained irqchip handlers must invoke IRQ handlers by way of thee core
+irqchip code, i.e. generic_handle_irq() or generic_handle_domain_irq()
+and should not call do_IRQ(), which is intended only for root irqchip
+handlers.
+
+Fix bcm6345_l1_irq_handle() by calling generic_handle_irq() directly.
+
+Fixes: c7c42ec2baa1de7a ("irqchips/bmips: Add bcm6345-l1 interrupt controller")
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Reviewed-by: Marc Zyngier <maz@kernel.org>
+Acked-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-bcm6345-l1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/irqchip/irq-bcm6345-l1.c b/drivers/irqchip/irq-bcm6345-l1.c
+index daa4ae89e466e..7ed976d436b25 100644
+--- a/drivers/irqchip/irq-bcm6345-l1.c
++++ b/drivers/irqchip/irq-bcm6345-l1.c
+@@ -143,7 +143,7 @@ static void bcm6345_l1_irq_handle(struct irq_desc *desc)
+ for_each_set_bit(hwirq, &pending, IRQS_PER_WORD) {
+ irq = irq_linear_revmap(intc->domain, base + hwirq);
+ if (irq)
+- do_IRQ(irq);
++ generic_handle_irq(irq);
+ else
+ spurious_interrupt();
+ }
+--
+2.33.0
+
--- /dev/null
+From 4e95ead60a6625a7bdcf65abfc8f4298d451f3c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 17 Oct 2021 11:43:40 +0300
+Subject: iwlwifi: mvm: disable RX-diversity in powersave
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit e5322b9ab5f63536c41301150b7ce64605ce52cc ]
+
+Just like we have default SMPS mode as dynamic in powersave,
+we should not enable RX-diversity in powersave, to reduce
+power consumption when connected to a non-MIMO AP.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20211017113927.fc896bc5cdaa.I1d11da71b8a5cbe921a37058d5f578f1b14a2023@changeid
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/utils.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/utils.c b/drivers/net/wireless/intel/iwlwifi/mvm/utils.c
+index ff5ce1ed03c42..4746f4b096c56 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/utils.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/utils.c
+@@ -913,6 +913,9 @@ bool iwl_mvm_rx_diversity_allowed(struct iwl_mvm *mvm)
+
+ lockdep_assert_held(&mvm->mutex);
+
++ if (iwlmvm_mod_params.power_scheme != IWL_POWER_SCHEME_CAM)
++ return false;
++
+ if (num_of_ant(iwl_mvm_get_valid_rx_ant(mvm)) == 1)
+ return false;
+
+--
+2.33.0
+
--- /dev/null
+From 21eecdabb139531f01717ec15cc415a28dfa0894 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Sep 2021 10:37:41 +0800
+Subject: JFS: fix memleak in jfs_mount
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit c48a14dca2cb57527dde6b960adbe69953935f10 ]
+
+In jfs_mount, when diMount(ipaimap2) fails, it goes to errout35. However,
+the following code does not free ipaimap2 allocated by diReadSpecial.
+
+Fix this by refactoring the error handling code of jfs_mount. To be
+specific, modify the lable name and free ipaimap2 when the above error
+ocurrs.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_mount.c | 51 ++++++++++++++++++++--------------------------
+ 1 file changed, 22 insertions(+), 29 deletions(-)
+
+diff --git a/fs/jfs/jfs_mount.c b/fs/jfs/jfs_mount.c
+index 103788ecc28c1..0c2aabba1fdbb 100644
+--- a/fs/jfs/jfs_mount.c
++++ b/fs/jfs/jfs_mount.c
+@@ -93,14 +93,14 @@ int jfs_mount(struct super_block *sb)
+ * (initialize mount inode from the superblock)
+ */
+ if ((rc = chkSuper(sb))) {
+- goto errout20;
++ goto out;
+ }
+
+ ipaimap = diReadSpecial(sb, AGGREGATE_I, 0);
+ if (ipaimap == NULL) {
+ jfs_err("jfs_mount: Failed to read AGGREGATE_I");
+ rc = -EIO;
+- goto errout20;
++ goto out;
+ }
+ sbi->ipaimap = ipaimap;
+
+@@ -111,7 +111,7 @@ int jfs_mount(struct super_block *sb)
+ */
+ if ((rc = diMount(ipaimap))) {
+ jfs_err("jfs_mount: diMount(ipaimap) failed w/rc = %d", rc);
+- goto errout21;
++ goto err_ipaimap;
+ }
+
+ /*
+@@ -120,7 +120,7 @@ int jfs_mount(struct super_block *sb)
+ ipbmap = diReadSpecial(sb, BMAP_I, 0);
+ if (ipbmap == NULL) {
+ rc = -EIO;
+- goto errout22;
++ goto err_umount_ipaimap;
+ }
+
+ jfs_info("jfs_mount: ipbmap:0x%p", ipbmap);
+@@ -132,7 +132,7 @@ int jfs_mount(struct super_block *sb)
+ */
+ if ((rc = dbMount(ipbmap))) {
+ jfs_err("jfs_mount: dbMount failed w/rc = %d", rc);
+- goto errout22;
++ goto err_ipbmap;
+ }
+
+ /*
+@@ -151,7 +151,7 @@ int jfs_mount(struct super_block *sb)
+ if (!ipaimap2) {
+ jfs_err("jfs_mount: Failed to read AGGREGATE_I");
+ rc = -EIO;
+- goto errout35;
++ goto err_umount_ipbmap;
+ }
+ sbi->ipaimap2 = ipaimap2;
+
+@@ -163,7 +163,7 @@ int jfs_mount(struct super_block *sb)
+ if ((rc = diMount(ipaimap2))) {
+ jfs_err("jfs_mount: diMount(ipaimap2) failed, rc = %d",
+ rc);
+- goto errout35;
++ goto err_ipaimap2;
+ }
+ } else
+ /* Secondary aggregate inode table is not valid */
+@@ -180,7 +180,7 @@ int jfs_mount(struct super_block *sb)
+ jfs_err("jfs_mount: Failed to read FILESYSTEM_I");
+ /* open fileset secondary inode allocation map */
+ rc = -EIO;
+- goto errout40;
++ goto err_umount_ipaimap2;
+ }
+ jfs_info("jfs_mount: ipimap:0x%p", ipimap);
+
+@@ -190,41 +190,34 @@ int jfs_mount(struct super_block *sb)
+ /* initialize fileset inode allocation map */
+ if ((rc = diMount(ipimap))) {
+ jfs_err("jfs_mount: diMount failed w/rc = %d", rc);
+- goto errout41;
++ goto err_ipimap;
+ }
+
+- goto out;
++ return rc;
+
+ /*
+ * unwind on error
+ */
+- errout41: /* close fileset inode allocation map inode */
++err_ipimap:
++ /* close fileset inode allocation map inode */
+ diFreeSpecial(ipimap);
+-
+- errout40: /* fileset closed */
+-
++err_umount_ipaimap2:
+ /* close secondary aggregate inode allocation map */
+- if (ipaimap2) {
++ if (ipaimap2)
+ diUnmount(ipaimap2, 1);
++err_ipaimap2:
++ /* close aggregate inodes */
++ if (ipaimap2)
+ diFreeSpecial(ipaimap2);
+- }
+-
+- errout35:
+-
+- /* close aggregate block allocation map */
++err_umount_ipbmap: /* close aggregate block allocation map */
+ dbUnmount(ipbmap, 1);
++err_ipbmap: /* close aggregate inodes */
+ diFreeSpecial(ipbmap);
+-
+- errout22: /* close aggregate inode allocation map */
+-
++err_umount_ipaimap: /* close aggregate inode allocation map */
+ diUnmount(ipaimap, 1);
+-
+- errout21: /* close aggregate inodes */
++err_ipaimap: /* close aggregate inodes */
+ diFreeSpecial(ipaimap);
+- errout20: /* aggregate closed */
+-
+- out:
+-
++out:
+ if (rc)
+ jfs_err("Mount JFS Failure: %d", rc);
+
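Review bot: The reworked unwind labels release `ipaimap` and `ipaimap2` with `diFreeSpecial()` but leave `sbi->ipaimap` and `sbi->ipaimap2`, which earlier hunks show being assigned, pointing at the released inodes. Whether anything reads those fields after a failed mount is not visible in these hunks, but clearing them would turn a later stale access into a NULL dereference rather than a use-after-free: `sbi->ipaimap2 = NULL;` after `diFreeSpecial(ipaimap2);` and `sbi->ipaimap = NULL;` after `diFreeSpecial(ipaimap);`. The same probably applies to `ipbmap` and `ipimap` if they are stored in `sbi` in the lines between the hunks. `jfs_mount()` begins before the first hunk and continues past the last one.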
+--
+2.33.0
+
--- /dev/null
+From b5331336b843fa46041cf4989ebeb5fe4bc0b044 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Oct 2021 05:31:39 +0800
+Subject: lib/xz: Avoid overlapping memcpy() with invalid input with in-place
+ decompression
+
+From: Lasse Collin <lasse.collin@tukaani.org>
+
+[ Upstream commit 83d3c4f22a36d005b55f44628f46cc0d319a75e8 ]
+
+With valid files, the safety margin described in lib/decompress_unxz.c
+ensures that these buffers cannot overlap. But if the uncompressed size
+of the input is larger than the caller thought, which is possible when
+the input file is invalid/corrupt, the buffers can overlap. Obviously
+the result will then be garbage (and usually the decoder will return
+an error too) but no other harm will happen when such an over-run occurs.
+
+This change only affects uncompressed LZMA2 chunks and so this
+should have no effect on performance.
+
+Link: https://lore.kernel.org/r/20211010213145.17462-2-xiang@kernel.org
+Signed-off-by: Lasse Collin <lasse.collin@tukaani.org>
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/decompress_unxz.c | 2 +-
+ lib/xz/xz_dec_lzma2.c | 21 +++++++++++++++++++--
+ 2 files changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/lib/decompress_unxz.c b/lib/decompress_unxz.c
+index 25d59a95bd668..abea25310ac73 100644
+--- a/lib/decompress_unxz.c
++++ b/lib/decompress_unxz.c
+@@ -167,7 +167,7 @@
+ * memeq and memzero are not used much and any remotely sane implementation
+ * is fast enough. memcpy/memmove speed matters in multi-call mode, but
+ * the kernel image is decompressed in single-call mode, in which only
+- * memcpy speed can matter and only if there is a lot of uncompressible data
++ * memmove speed can matter and only if there is a lot of uncompressible data
+ * (LZMA2 stores uncompressible chunks in uncompressed form). Thus, the
+ * functions below should just be kept small; it's probably not worth
+ * optimizing for speed.
+diff --git a/lib/xz/xz_dec_lzma2.c b/lib/xz/xz_dec_lzma2.c
+index 08c3c80499983..2c5197d6b944d 100644
+--- a/lib/xz/xz_dec_lzma2.c
++++ b/lib/xz/xz_dec_lzma2.c
+@@ -387,7 +387,14 @@ static void dict_uncompressed(struct dictionary *dict, struct xz_buf *b,
+
+ *left -= copy_size;
+
+- memcpy(dict->buf + dict->pos, b->in + b->in_pos, copy_size);
++ /*
++ * If doing in-place decompression in single-call mode and the
++ * uncompressed size of the file is larger than the caller
++ * thought (i.e. it is invalid input!), the buffers below may
++ * overlap and cause undefined behavior with memcpy().
++ * With valid inputs memcpy() would be fine here.
++ */
++ memmove(dict->buf + dict->pos, b->in + b->in_pos, copy_size);
+ dict->pos += copy_size;
+
+ if (dict->full < dict->pos)
+@@ -397,7 +404,11 @@ static void dict_uncompressed(struct dictionary *dict, struct xz_buf *b,
+ if (dict->pos == dict->end)
+ dict->pos = 0;
+
+- memcpy(b->out + b->out_pos, b->in + b->in_pos,
++ /*
++ * Like above but for multi-call mode: use memmove()
++ * to avoid undefined behavior with invalid input.
++ */
++ memmove(b->out + b->out_pos, b->in + b->in_pos,
+ copy_size);
+ }
+
+@@ -421,6 +432,12 @@ static uint32_t dict_flush(struct dictionary *dict, struct xz_buf *b)
+ if (dict->pos == dict->end)
+ dict->pos = 0;
+
++ /*
++ * These buffers cannot overlap even if doing in-place
++ * decompression because in multi-call mode dict->buf
++ * has been allocated by us in this file; it's not
++ * provided by the caller like in single-call mode.
++ */
+ memcpy(b->out + b->out_pos, dict->buf + dict->start,
+ copy_size);
+ }
+--
+2.33.0
+
--- /dev/null
+From d984188b10b5a0b9a99920388cfa0ddf2142a6ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Oct 2021 05:31:40 +0800
+Subject: lib/xz: Validate the value before assigning it to an enum variable
+
+From: Lasse Collin <lasse.collin@tukaani.org>
+
+[ Upstream commit 4f8d7abaa413c34da9d751289849dbfb7c977d05 ]
+
+This might matter, for example, if the underlying type of enum xz_check
+was a signed char. In such a case the validation wouldn't have caught an
+unsupported header. I don't know if this problem can occur in the kernel
+on any arch but it's still good to fix it because some people might copy
+the XZ code to their own projects from Linux instead of the upstream
+XZ Embedded repository.
+
+This change may increase the code size by a few bytes. An alternative
+would have been to use an unsigned int instead of enum xz_check but
+using an enumeration looks cleaner.
+
+Link: https://lore.kernel.org/r/20211010213145.17462-3-xiang@kernel.org
+Signed-off-by: Lasse Collin <lasse.collin@tukaani.org>
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/xz/xz_dec_stream.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/xz/xz_dec_stream.c b/lib/xz/xz_dec_stream.c
+index ac809b1e64f78..9e5b9ab537fea 100644
+--- a/lib/xz/xz_dec_stream.c
++++ b/lib/xz/xz_dec_stream.c
+@@ -402,12 +402,12 @@ static enum xz_ret dec_stream_header(struct xz_dec *s)
+ * we will accept other check types too, but then the check won't
+ * be verified and a warning (XZ_UNSUPPORTED_CHECK) will be given.
+ */
++ if (s->temp.buf[HEADER_MAGIC_SIZE + 1] > XZ_CHECK_MAX)
++ return XZ_OPTIONS_ERROR;
++
+ s->check_type = s->temp.buf[HEADER_MAGIC_SIZE + 1];
+
+ #ifdef XZ_DEC_ANY_CHECK
+- if (s->check_type > XZ_CHECK_MAX)
+- return XZ_OPTIONS_ERROR;
+-
+ if (s->check_type > XZ_CHECK_CRC32)
+ return XZ_UNSUPPORTED_CHECK;
+ #else
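Review bot: The added range check in `dec_stream_header()` carries no comment explaining why it tests the raw byte `s->temp.buf[HEADER_MAGIC_SIZE + 1]` instead of `s->check_type`, so a later tidy-up could fold it back into the post-assignment form this commit removes. The reasoning is only in the commit message; a one-line comment above the `if` would keep it with the code, e.g. `/* Range-check the raw header byte before storing it: the underlying type of enum xz_check is implementation-defined. */`. This matters most for copies of the decoder built outside the kernel, which the commit message names as the motivating case. The function body starts and ends outside the hunk.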
+--
+2.33.0
+
--- /dev/null
+From cfe58f4c2584ca96ac0a6d0133c6bff2438473c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Oct 2021 20:03:45 +0800
+Subject: libertas: Fix possible memory leak in probe and disconnect
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit 9692151e2fe7a326bafe99836fd1f20a2cc3a049 ]
+
+I got memory leak as follows when doing fault injection test:
+
+unreferenced object 0xffff88812c7d7400 (size 512):
+ comm "kworker/6:1", pid 176, jiffies 4295003332 (age 822.830s)
+ hex dump (first 32 bytes):
+ 00 68 1e 04 81 88 ff ff 01 00 00 00 00 00 00 00 .h..............
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff8167939c>] slab_post_alloc_hook+0x9c/0x490
+ [<ffffffff8167f627>] kmem_cache_alloc_trace+0x1f7/0x470
+ [<ffffffffa02c9873>] if_usb_probe+0x63/0x446 [usb8xxx]
+ [<ffffffffa022668a>] usb_probe_interface+0x1aa/0x3c0 [usbcore]
+ [<ffffffff82b59630>] really_probe+0x190/0x480
+ [<ffffffff82b59a19>] __driver_probe_device+0xf9/0x180
+ [<ffffffff82b59af3>] driver_probe_device+0x53/0x130
+ [<ffffffff82b5a075>] __device_attach_driver+0x105/0x130
+ [<ffffffff82b55949>] bus_for_each_drv+0x129/0x190
+ [<ffffffff82b593c9>] __device_attach+0x1c9/0x270
+ [<ffffffff82b5a250>] device_initial_probe+0x20/0x30
+ [<ffffffff82b579c2>] bus_probe_device+0x142/0x160
+ [<ffffffff82b52e49>] device_add+0x829/0x1300
+ [<ffffffffa02229b1>] usb_set_configuration+0xb01/0xcc0 [usbcore]
+ [<ffffffffa0235c4e>] usb_generic_driver_probe+0x6e/0x90 [usbcore]
+ [<ffffffffa022641f>] usb_probe_device+0x6f/0x130 [usbcore]
+
+cardp is missing being freed in the error handling path of the probe
+and the path of the disconnect, which will cause memory leak.
+
+This patch adds the missing kfree().
+
+Fixes: 876c9d3aeb98 ("[PATCH] Marvell Libertas 8388 802.11b/g USB driver")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20211020120345.2016045-3-wanghai38@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/libertas/if_usb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/libertas/if_usb.c b/drivers/net/wireless/marvell/libertas/if_usb.c
+index 9d147b11ee516..9f19fd5c18d07 100644
+--- a/drivers/net/wireless/marvell/libertas/if_usb.c
++++ b/drivers/net/wireless/marvell/libertas/if_usb.c
+@@ -292,6 +292,7 @@ err_add_card:
+ if_usb_reset_device(cardp);
+ dealloc:
+ if_usb_free(cardp);
++ kfree(cardp);
+
+ error:
+ return r;
+@@ -318,6 +319,7 @@ static void if_usb_disconnect(struct usb_interface *intf)
+
+ /* Unlink and free urb */
+ if_usb_free(cardp);
++ kfree(cardp);
+
+ usb_set_intfdata(intf, NULL);
+ usb_put_dev(interface_to_usbdev(intf));
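Review bot: In `if_usb_disconnect()` the added `kfree(cardp);` runs before `usb_set_intfdata(intf, NULL);`, so for a short window the interface's driver data still points at freed memory. Nothing in the hunk shows a concurrent reader of that pointer, so this may be harmless in practice, but clearing it first is the safer order: move `usb_set_intfdata(intf, NULL);` above `if_usb_free(cardp);` and `kfree(cardp);`. The libertas_tf patch that follows adds `kfree(cardp);` at the same position in its own `if_usb_disconnect()` and would take the same reorder. Both functions begin outside their hunks, so how `cardp` is obtained and who else holds it could not be checked here.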
+--
+2.33.0
+
--- /dev/null
+From 44e59e73e480fa43831e33d6d727c0f11b62edf5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Oct 2021 20:03:44 +0800
+Subject: libertas_tf: Fix possible memory leak in probe and disconnect
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit d549107305b4634c81223a853701c06bcf657bc3 ]
+
+I got memory leak as follows when doing fault injection test:
+
+unreferenced object 0xffff88810a2ddc00 (size 512):
+ comm "kworker/6:1", pid 176, jiffies 4295009893 (age 757.220s)
+ hex dump (first 32 bytes):
+ 00 50 05 18 81 88 ff ff 00 00 00 00 00 00 00 00 .P..............
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff8167939c>] slab_post_alloc_hook+0x9c/0x490
+ [<ffffffff8167f627>] kmem_cache_alloc_trace+0x1f7/0x470
+ [<ffffffffa02a1530>] if_usb_probe+0x60/0x37c [libertas_tf_usb]
+ [<ffffffffa022668a>] usb_probe_interface+0x1aa/0x3c0 [usbcore]
+ [<ffffffff82b59630>] really_probe+0x190/0x480
+ [<ffffffff82b59a19>] __driver_probe_device+0xf9/0x180
+ [<ffffffff82b59af3>] driver_probe_device+0x53/0x130
+ [<ffffffff82b5a075>] __device_attach_driver+0x105/0x130
+ [<ffffffff82b55949>] bus_for_each_drv+0x129/0x190
+ [<ffffffff82b593c9>] __device_attach+0x1c9/0x270
+ [<ffffffff82b5a250>] device_initial_probe+0x20/0x30
+ [<ffffffff82b579c2>] bus_probe_device+0x142/0x160
+ [<ffffffff82b52e49>] device_add+0x829/0x1300
+ [<ffffffffa02229b1>] usb_set_configuration+0xb01/0xcc0 [usbcore]
+ [<ffffffffa0235c4e>] usb_generic_driver_probe+0x6e/0x90 [usbcore]
+ [<ffffffffa022641f>] usb_probe_device+0x6f/0x130 [usbcore]
+
+cardp is missing being freed in the error handling path of the probe
+and the path of the disconnect, which will cause memory leak.
+
+This patch adds the missing kfree().
+
+Fixes: c305a19a0d0a ("libertas_tf: usb specific functions")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20211020120345.2016045-2-wanghai38@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/libertas_tf/if_usb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/libertas_tf/if_usb.c b/drivers/net/wireless/marvell/libertas_tf/if_usb.c
+index 4b539209999b4..aaba324dbc39b 100644
+--- a/drivers/net/wireless/marvell/libertas_tf/if_usb.c
++++ b/drivers/net/wireless/marvell/libertas_tf/if_usb.c
+@@ -234,6 +234,7 @@ static int if_usb_probe(struct usb_interface *intf,
+
+ dealloc:
+ if_usb_free(cardp);
++ kfree(cardp);
+ error:
+ lbtf_deb_leave(LBTF_DEB_MAIN);
+ return -ENOMEM;
+@@ -258,6 +259,7 @@ static void if_usb_disconnect(struct usb_interface *intf)
+
+ /* Unlink and free urb */
+ if_usb_free(cardp);
++ kfree(cardp);
+
+ usb_set_intfdata(intf, NULL);
+ usb_put_dev(interface_to_usbdev(intf));
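Review bot: In if_usb_disconnect() the added `kfree(cardp);` runs before `usb_set_intfdata(intf, NULL);`, so the interface data briefly points at freed memory. Nothing visible in the hunk reads it in that window, but clearing the pointer first keeps the teardown order safe against later edits: move `usb_set_intfdata(intf, NULL);` above `kfree(cardp);`. The function starts outside the hunk, so whether anything else (a timer or work item) still references cardp at this point cannot be checked from here.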
+--
+2.33.0
+
--- /dev/null
+From 948204c21e96f10c4a83b61196517c8de1682c07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Nov 2021 14:42:14 -0700
+Subject: llc: fix out-of-bound array index in llc_sk_dev_hash()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 8ac9dfd58b138f7e82098a4e0a0d46858b12215b ]
+
+Both ifindex and LLC_SK_DEV_HASH_ENTRIES are signed.
+
+This means that (ifindex % LLC_SK_DEV_HASH_ENTRIES) is negative
+if @ifindex is negative.
+
+We could simply make LLC_SK_DEV_HASH_ENTRIES unsigned.
+
+In this patch I chose to use hash_32() to get more entropy
+from @ifindex, like llc_sk_laddr_hashfn().
+
+UBSAN: array-index-out-of-bounds in ./include/net/llc.h:75:26
+index -43 is out of range for type 'hlist_head [64]'
+CPU: 1 PID: 20999 Comm: syz-executor.3 Not tainted 5.15.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
+ ubsan_epilogue+0xb/0x5a lib/ubsan.c:151
+ __ubsan_handle_out_of_bounds.cold+0x62/0x6c lib/ubsan.c:291
+ llc_sk_dev_hash include/net/llc.h:75 [inline]
+ llc_sap_add_socket+0x49c/0x520 net/llc/llc_conn.c:697
+ llc_ui_bind+0x680/0xd70 net/llc/af_llc.c:404
+ __sys_bind+0x1e9/0x250 net/socket.c:1693
+ __do_sys_bind net/socket.c:1704 [inline]
+ __se_sys_bind net/socket.c:1702 [inline]
+ __x64_sys_bind+0x6f/0xb0 net/socket.c:1702
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+RIP: 0033:0x7fa503407ae9
+
+Fixes: 6d2e3ea28446 ("llc: use a device based hash table to speed up multicast delivery")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/llc.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/llc.h b/include/net/llc.h
+index 95e5ced4c1339..18dfd3e49a69f 100644
+--- a/include/net/llc.h
++++ b/include/net/llc.h
+@@ -72,7 +72,9 @@ struct llc_sap {
+ static inline
+ struct hlist_head *llc_sk_dev_hash(struct llc_sap *sap, int ifindex)
+ {
+- return &sap->sk_dev_hash[ifindex % LLC_SK_DEV_HASH_ENTRIES];
++ u32 bucket = hash_32(ifindex, LLC_SK_DEV_HASH_BITS);
++
++ return &sap->sk_dev_hash[bucket];
+ }
+
+ static inline
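Review bot: The new index in llc_sk_dev_hash() is bounded by LLC_SK_DEV_HASH_BITS, while the array it indexes is sized elsewhere (the UBSAN report shows 64 entries), and nothing in the hunk ties the two together. If the array size is not derived from the same constant, a later change to either one brings back the out-of-bounds index; `BUILD_BUG_ON(ARRAY_SIZE(sap->sk_dev_hash) != 1 << LLC_SK_DEV_HASH_BITS);` inside the function would pin that. The hunk also adds no include for hash_32(), so the header appears to rely on `<linux/hash.h>` arriving transitively. A comment such as `/* ifindex may be negative; hash_32() takes it as u32 */` would record why the modulo was dropped.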
+--
+2.33.0
+
--- /dev/null
+From 2330d89afd1014e19abc71eb21dace8f90165640 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jun 2021 11:41:10 +0200
+Subject: locking/lockdep: Avoid RCU-induced noinstr fail
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit ce0b9c805dd66d5e49fd53ec5415ae398f4c56e6 ]
+
+vmlinux.o: warning: objtool: look_up_lock_class()+0xc7: call to rcu_read_lock_any_held() leaves .noinstr.text section
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20210624095148.311980536@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/locking/lockdep.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
+index 9f56e3fac795a..05dd765e2cbca 100644
+--- a/kernel/locking/lockdep.c
++++ b/kernel/locking/lockdep.c
+@@ -695,7 +695,7 @@ look_up_lock_class(struct lockdep_map *lock, unsigned int subclass)
+ if (DEBUG_LOCKS_WARN_ON(!irqs_disabled()))
+ return NULL;
+
+- hlist_for_each_entry_rcu(class, hash_head, hash_entry) {
++ hlist_for_each_entry_rcu_notrace(class, hash_head, hash_entry) {
+ if (class->key == key) {
+ /*
+ * Huh! same key, different name? Did someone trample
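Review bot: The switch to `hlist_for_each_entry_rcu_notrace()` in look_up_lock_class() carries no comment, so the reason lives only in the commit message (objtool reports a call to rcu_read_lock_any_held() leaving .noinstr.text). A later cleanup could change it back to the checked iterator without noticing. I would add above the loop `/* _notrace: the checked iterator calls rcu_read_lock_any_held(), which is outside .noinstr.text */`. The function body starts and ends outside the hunk.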
+--
+2.33.0
+
--- /dev/null
+From 52524c3343402170a0044db6f4f290cd33b39cf6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 2 Oct 2021 17:02:23 -0700
+Subject: m68k: set a default value for MEMORY_RESERVE
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 1aaa557b2db95c9506ed0981bc34505c32d6b62b ]
+
+'make randconfig' can produce a .config file with
+"CONFIG_MEMORY_RESERVE=" (no value) since it has no default.
+When a subsequent 'make all' is done, kconfig restarts the config
+and prompts for a value for MEMORY_RESERVE. This breaks
+scripting/automation where there is no interactive user input.
+
+Add a default value for MEMORY_RESERVE. (Any integer value will
+work here for kconfig.)
+
+Fixes a kconfig warning:
+
+.config:214:warning: symbol value '' invalid for MEMORY_RESERVE
+* Restart config...
+Memory reservation (MiB) (MEMORY_RESERVE) [] (NEW)
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") # from beginning of git history
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Cc: Greg Ungerer <gerg@linux-m68k.org>
+Cc: linux-m68k@lists.linux-m68k.org
+Signed-off-by: Greg Ungerer <gerg@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/Kconfig.machine | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/m68k/Kconfig.machine b/arch/m68k/Kconfig.machine
+index 2a5c7abb2896e..f622c3ccafc31 100644
+--- a/arch/m68k/Kconfig.machine
++++ b/arch/m68k/Kconfig.machine
+@@ -184,6 +184,7 @@ config INIT_LCD
+ config MEMORY_RESERVE
+ int "Memory reservation (MiB)"
+ depends on (UCSIMM || UCDIMM)
++ default 0
+ help
+ Reserve certain memory regions on 68x328 based boards.
+
+--
+2.33.0
+
--- /dev/null
+From 0a1ca8368607cf2a346df7c6bc26cefadaed294f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Aug 2021 16:34:20 +0200
+Subject: media: dvb-usb: fix ununit-value in az6027_rc_query
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit afae4ef7d5ad913cab1316137854a36bea6268a5 ]
+
+Syzbot reported ununit-value bug in az6027_rc_query(). The problem was
+in missing state pointer initialization. Since this function does nothing
+we can simply initialize state to REMOTE_NO_KEY_PRESSED.
+
+Reported-and-tested-by: syzbot+2cd8c5db4a85f0a04142@syzkaller.appspotmail.com
+
+Fixes: 76f9a820c867 ("V4L/DVB: AZ6027: Initial import of the driver")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/az6027.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/usb/dvb-usb/az6027.c b/drivers/media/usb/dvb-usb/az6027.c
+index 2e711362847e4..382c8075ef524 100644
+--- a/drivers/media/usb/dvb-usb/az6027.c
++++ b/drivers/media/usb/dvb-usb/az6027.c
+@@ -394,6 +394,7 @@ static struct rc_map_table rc_map_az6027_table[] = {
+ /* remote control stuff (does not work with my box) */
+ static int az6027_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
+ {
++ *state = REMOTE_NO_KEY_PRESSED;
+ return 0;
+ }
+
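Review bot: az6027_rc_query() now writes `*state` but still returns 0 without writing `*event`, so the second out-parameter keeps whatever the caller passed in. Callers are not visible here; if one reads the event value regardless of the state, the same uninit-value report applies to it. Setting both keeps the stub self-contained: add `*event = 0;` next to the new line.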
+--
+2.33.0
+
--- /dev/null
+From 32f28f4eed3b7ebc924ecbb22d82d1d849b35c66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Aug 2021 22:31:10 +0200
+Subject: media: mceusb: return without resubmitting URB in case of -EPROTO
+ error.
+
+From: Rajat Asthana <rajatasthana4@gmail.com>
+
+[ Upstream commit 476db72e521983ecb847e4013b263072bb1110fc ]
+
+Syzkaller reported a warning called "rcu detected stall in dummy_timer".
+
+The error seems to be an error in mceusb_dev_recv(). In the case of
+-EPROTO error, the routine immediately resubmits the URB. Instead it
+should return without resubmitting URB.
+
+Reported-by: syzbot+4d3749e9612c2cfab956@syzkaller.appspotmail.com
+Signed-off-by: Rajat Asthana <rajatasthana4@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/rc/mceusb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/rc/mceusb.c b/drivers/media/rc/mceusb.c
+index d9f88a4a96bd1..b78d70685b1c3 100644
+--- a/drivers/media/rc/mceusb.c
++++ b/drivers/media/rc/mceusb.c
+@@ -1090,6 +1090,7 @@ static void mceusb_dev_recv(struct urb *urb)
+ case -ECONNRESET:
+ case -ENOENT:
+ case -EILSEQ:
++ case -EPROTO:
+ case -ESHUTDOWN:
+ usb_unlink_urb(urb);
+ return;
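Review bot: The added `case -EPROTO:` in mceusb_dev_recv() ends reception without a trace, and the case list does not say why this status is treated as fatal rather than retried. The commit message has the reason (immediate resubmission led to an RCU stall report); a comment such as `/* -EPROTO: do not resubmit, an immediate resubmit loop stalls the system */` would keep it from being moved back. If the other branches of this switch log the status, which is outside the hunk, a `dev_dbg()` here would keep the failure visible when debugging a dead receiver.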
+--
+2.33.0
+
--- /dev/null
+From 6a6b77580adbfe8be3762ae5ce7391b0380a2529 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jul 2021 09:35:15 +0200
+Subject: media: mt9p031: Fix corrupted frame after restarting stream
+
+From: Dirk Bender <d.bender@phytec.de>
+
+[ Upstream commit 0961ba6dd211a4a52d1dd4c2d59be60ac2dc08c7 ]
+
+To prevent corrupted frames after starting and stopping the sensor its
+datasheet specifies a specific pause sequence to follow:
+
+Stopping:
+ Set Pause_Restart Bit -> Set Restart Bit -> Set Chip_Enable Off
+
+Restarting:
+ Set Chip_Enable On -> Clear Pause_Restart Bit
+
+The Restart Bit is cleared automatically and must not be cleared
+manually as this would cause undefined behavior.
+
+Signed-off-by: Dirk Bender <d.bender@phytec.de>
+Signed-off-by: Stefan Riedmueller <s.riedmueller@phytec.de>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/mt9p031.c | 28 +++++++++++++++++++++++++++-
+ 1 file changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/mt9p031.c b/drivers/media/i2c/mt9p031.c
+index 237737fec09c1..e6159faff45af 100644
+--- a/drivers/media/i2c/mt9p031.c
++++ b/drivers/media/i2c/mt9p031.c
+@@ -81,7 +81,9 @@
+ #define MT9P031_PIXEL_CLOCK_INVERT (1 << 15)
+ #define MT9P031_PIXEL_CLOCK_SHIFT(n) ((n) << 8)
+ #define MT9P031_PIXEL_CLOCK_DIVIDE(n) ((n) << 0)
+-#define MT9P031_FRAME_RESTART 0x0b
++#define MT9P031_RESTART 0x0b
++#define MT9P031_FRAME_PAUSE_RESTART (1 << 1)
++#define MT9P031_FRAME_RESTART (1 << 0)
+ #define MT9P031_SHUTTER_DELAY 0x0c
+ #define MT9P031_RST 0x0d
+ #define MT9P031_RST_ENABLE 1
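Review bot: `MT9P031_FRAME_RESTART` keeps its name but changes meaning from the register address 0x0b to the bit mask `(1 << 0)`, so any code that still passes it as a register argument compiles unchanged and addresses register 0x01 instead. Users outside this patch are not visible here. Giving the bit a distinct name, for example `MT9P031_RESTART_FRAME` alongside `MT9P031_RESTART_PAUSE`, would turn a missed call site into a build error instead of a wrong register write.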
+@@ -448,9 +450,23 @@ static int mt9p031_set_params(struct mt9p031 *mt9p031)
+ static int mt9p031_s_stream(struct v4l2_subdev *subdev, int enable)
+ {
+ struct mt9p031 *mt9p031 = to_mt9p031(subdev);
++ struct i2c_client *client = v4l2_get_subdevdata(subdev);
++ int val;
+ int ret;
+
+ if (!enable) {
++ /* enable pause restart */
++ val = MT9P031_FRAME_PAUSE_RESTART;
++ ret = mt9p031_write(client, MT9P031_RESTART, val);
++ if (ret < 0)
++ return ret;
++
++ /* enable restart + keep pause restart set */
++ val |= MT9P031_FRAME_RESTART;
++ ret = mt9p031_write(client, MT9P031_RESTART, val);
++ if (ret < 0)
++ return ret;
++
+ /* Stop sensor readout */
+ ret = mt9p031_set_output_control(mt9p031,
+ MT9P031_OUTPUT_CONTROL_CEN, 0);
+@@ -470,6 +486,16 @@ static int mt9p031_s_stream(struct v4l2_subdev *subdev, int enable)
+ if (ret < 0)
+ return ret;
+
++ /*
++ * - clear pause restart
++ * - don't clear restart as clearing restart manually can cause
++ * undefined behavior
++ */
++ val = MT9P031_FRAME_RESTART;
++ ret = mt9p031_write(client, MT9P031_RESTART, val);
++ if (ret < 0)
++ return ret;
++
+ return mt9p031_pll_enable(mt9p031);
+ }
+
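Review bot: The comment in the stream-on path says the restart bit is not cleared, but `val = MT9P031_FRAME_RESTART;` writes that bit as 1 while clearing Pause_Restart. If writing 1 to the self-clearing bit is harmless, the comment should say so, e.g. `/* write Restart as 1: it self-clears; writing 0 is what must be avoided */`. If the intent is only to clear Pause_Restart, it is worth confirming against the datasheet that setting Restart here does not trigger an extra frame restart. mt9p031_s_stream() starts in the previous hunk.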
+--
+2.33.0
+
--- /dev/null
+From 2a66e323d7057f70877c781691cf9d06cdbd1f00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Aug 2021 22:21:25 +0200
+Subject: media: mtk-vpu: Fix a resource leak in the error handling path of
+ 'mtk_vpu_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 2143ad413c05c7be24c3a92760e367b7f6aaac92 ]
+
+A successful 'clk_prepare()' call should be balanced by a corresponding
+'clk_unprepare()' call in the error handling path of the probe, as already
+done in the remove function.
+
+Update the error handling path accordingly.
+
+Fixes: 3003a180ef6b ("[media] VPU: mediatek: support Mediatek VPU")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Houlong Wei <houlong.wei@mediatek.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/mtk-vpu/mtk_vpu.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/mtk-vpu/mtk_vpu.c b/drivers/media/platform/mtk-vpu/mtk_vpu.c
+index c9bf58c978780..9c332ce8cdfec 100644
+--- a/drivers/media/platform/mtk-vpu/mtk_vpu.c
++++ b/drivers/media/platform/mtk-vpu/mtk_vpu.c
+@@ -801,7 +801,8 @@ static int mtk_vpu_probe(struct platform_device *pdev)
+ vpu->wdt.wq = create_singlethread_workqueue("vpu_wdt");
+ if (!vpu->wdt.wq) {
+ dev_err(dev, "initialize wdt workqueue failed\n");
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto clk_unprepare;
+ }
+ INIT_WORK(&vpu->wdt.ws, vpu_wdt_reset_func);
+ mutex_init(&vpu->vpu_mutex);
+@@ -900,6 +901,8 @@ disable_vpu_clk:
+ vpu_clock_disable(vpu);
+ workqueue_destroy:
+ destroy_workqueue(vpu->wdt.wq);
++clk_unprepare:
++ clk_unprepare(vpu->clk);
+
+ return ret;
+ }
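Review bot: The new label `clk_unprepare:` is spelled exactly like the function called on the next line; labels have their own namespace so this compiles, but `goto clk_unprepare;` reads like a call. Naming the label after the state being undone, e.g. `vpu_clk_unprepare:`, avoids that. Separately, any `return` between the successful clk_prepare() and the workqueue creation would still skip the unprepare; that part of mtk_vpu_probe() is outside both hunks and worth checking.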
+--
+2.33.0
+
--- /dev/null
+From e565bc249ca9d4a57265c2aebb26adfc65a54f96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jun 2021 08:01:05 +0200
+Subject: media: netup_unidvb: handle interrupt properly according to the
+ firmware
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit dbb4cfea6efe979ed153bd59a6a527a90d3d0ab3 ]
+
+The interrupt handling should be related to the firmware version. If
+the driver matches an old firmware, then the driver should not handle
+interrupt such as i2c or dma, otherwise it will cause some errors.
+
+This log reveals it:
+
+[ 27.708641] INFO: trying to register non-static key.
+[ 27.710851] The code is fine but needs lockdep annotation, or maybe
+[ 27.712010] you didn't initialize this object before use?
+[ 27.712396] turning off the locking correctness validator.
+[ 27.712787] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 5.12.4-g70e7f0549188-dirty #169
+[ 27.713349] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
+[ 27.714149] Call Trace:
+[ 27.714329] <IRQ>
+[ 27.714480] dump_stack+0xba/0xf5
+[ 27.714737] register_lock_class+0x873/0x8f0
+[ 27.715052] ? __lock_acquire+0x323/0x1930
+[ 27.715353] __lock_acquire+0x75/0x1930
+[ 27.715636] lock_acquire+0x1dd/0x3e0
+[ 27.715905] ? netup_i2c_interrupt+0x19/0x310
+[ 27.716226] _raw_spin_lock_irqsave+0x4b/0x60
+[ 27.716544] ? netup_i2c_interrupt+0x19/0x310
+[ 27.716863] netup_i2c_interrupt+0x19/0x310
+[ 27.717178] netup_unidvb_isr+0xd3/0x160
+[ 27.717467] __handle_irq_event_percpu+0x53/0x3e0
+[ 27.717808] handle_irq_event_percpu+0x35/0x90
+[ 27.718129] handle_irq_event+0x39/0x60
+[ 27.718409] handle_fasteoi_irq+0xc2/0x1d0
+[ 27.718707] __common_interrupt+0x7f/0x150
+[ 27.719008] common_interrupt+0xb4/0xd0
+[ 27.719289] </IRQ>
+[ 27.719446] asm_common_interrupt+0x1e/0x40
+[ 27.719747] RIP: 0010:native_safe_halt+0x17/0x20
+[ 27.720084] Code: 07 0f 00 2d 8b ee 4c 00 f4 5d c3 0f 1f 84 00 00 00 00 00 8b 05 72 95 17 02 55 48 89 e5 85 c0 7e 07 0f 00 2d 6b ee 4c 00 fb f4 <5d> c3 cc cc cc cc cc cc cc 55 48 89 e5 e8 67 53 ff ff 8b 0d 29 f6
+[ 27.721386] RSP: 0018:ffffc9000008fe90 EFLAGS: 00000246
+[ 27.721758] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
+[ 27.722262] RDX: 0000000000000000 RSI: ffffffff85f7c054 RDI: ffffffff85ded4e6
+[ 27.722770] RBP: ffffc9000008fe90 R08: 0000000000000001 R09: 0000000000000001
+[ 27.723277] R10: 0000000000000000 R11: 0000000000000001 R12: ffffffff86a75408
+[ 27.723781] R13: 0000000000000000 R14: 0000000000000000 R15: ffff888100260000
+[ 27.724289] default_idle+0x9/0x10
+[ 27.724537] arch_cpu_idle+0xa/0x10
+[ 27.724791] default_idle_call+0x6e/0x250
+[ 27.725082] do_idle+0x1f0/0x2d0
+[ 27.725326] cpu_startup_entry+0x18/0x20
+[ 27.725613] start_secondary+0x11f/0x160
+[ 27.725902] secondary_startup_64_no_verify+0xb0/0xbb
+[ 27.726272] BUG: kernel NULL pointer dereference, address: 0000000000000002
+[ 27.726768] #PF: supervisor read access in kernel mode
+[ 27.727138] #PF: error_code(0x0000) - not-present page
+[ 27.727507] PGD 8000000118688067 P4D 8000000118688067 PUD 10feab067 PMD 0
+[ 27.727999] Oops: 0000 [#1] PREEMPT SMP PTI
+[ 27.728302] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 5.12.4-g70e7f0549188-dirty #169
+[ 27.728861] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
+[ 27.729660] RIP: 0010:netup_i2c_interrupt+0x23/0x310
+[ 27.730019] Code: 0f 1f 80 00 00 00 00 55 48 89 e5 41 55 41 54 53 48 89 fb e8 af 6e 95 fd 48 89 df e8 e7 9f 1c 01 49 89 c5 48 8b 83 48 08 00 00 <66> 44 8b 60 02 44 89 e0 48 8b 93 48 08 00 00 83 e0 f8 66 89 42 02
+[ 27.731339] RSP: 0018:ffffc90000118e90 EFLAGS: 00010046
+[ 27.731716] RAX: 0000000000000000 RBX: ffff88810803c4d8 RCX: 0000000000000000
+[ 27.732223] RDX: 0000000000000001 RSI: ffffffff85d37b94 RDI: ffff88810803c4d8
+[ 27.732727] RBP: ffffc90000118ea8 R08: 0000000000000000 R09: 0000000000000001
+[ 27.733239] R10: ffff88810803c4f0 R11: 61646e6f63657320 R12: 0000000000000000
+[ 27.733745] R13: 0000000000000046 R14: ffff888101041000 R15: ffff8881081b2400
+[ 27.734251] FS: 0000000000000000(0000) GS:ffff88817bc80000(0000) knlGS:0000000000000000
+[ 27.734821] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 27.735228] CR2: 0000000000000002 CR3: 0000000108194000 CR4: 00000000000006e0
+[ 27.735735] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 27.736241] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 27.736744] Call Trace:
+[ 27.736924] <IRQ>
+[ 27.737074] netup_unidvb_isr+0xd3/0x160
+[ 27.737363] __handle_irq_event_percpu+0x53/0x3e0
+[ 27.737706] handle_irq_event_percpu+0x35/0x90
+[ 27.738028] handle_irq_event+0x39/0x60
+[ 27.738306] handle_fasteoi_irq+0xc2/0x1d0
+[ 27.738602] __common_interrupt+0x7f/0x150
+[ 27.738899] common_interrupt+0xb4/0xd0
+[ 27.739176] </IRQ>
+[ 27.739331] asm_common_interrupt+0x1e/0x40
+[ 27.739633] RIP: 0010:native_safe_halt+0x17/0x20
+[ 27.739967] Code: 07 0f 00 2d 8b ee 4c 00 f4 5d c3 0f 1f 84 00 00 00 00 00 8b 05 72 95 17 02 55 48 89 e5 85 c0 7e 07 0f 00 2d 6b ee 4c 00 fb f4 <5d> c3 cc cc cc cc cc cc cc 55 48 89 e5 e8 67 53 ff ff 8b 0d 29 f6
+[ 27.741275] RSP: 0018:ffffc9000008fe90 EFLAGS: 00000246
+[ 27.741647] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
+[ 27.742148] RDX: 0000000000000000 RSI: ffffffff85f7c054 RDI: ffffffff85ded4e6
+[ 27.742652] RBP: ffffc9000008fe90 R08: 0000000000000001 R09: 0000000000000001
+[ 27.743154] R10: 0000000000000000 R11: 0000000000000001 R12: ffffffff86a75408
+[ 27.743652] R13: 0000000000000000 R14: 0000000000000000 R15: ffff888100260000
+[ 27.744157] default_idle+0x9/0x10
+[ 27.744405] arch_cpu_idle+0xa/0x10
+[ 27.744658] default_idle_call+0x6e/0x250
+[ 27.744948] do_idle+0x1f0/0x2d0
+[ 27.745190] cpu_startup_entry+0x18/0x20
+[ 27.745475] start_secondary+0x11f/0x160
+[ 27.745761] secondary_startup_64_no_verify+0xb0/0xbb
+[ 27.746123] Modules linked in:
+[ 27.746348] Dumping ftrace buffer:
+[ 27.746596] (ftrace buffer empty)
+[ 27.746852] CR2: 0000000000000002
+[ 27.747094] ---[ end trace ebafd46f83ab946d ]---
+[ 27.747424] RIP: 0010:netup_i2c_interrupt+0x23/0x310
+[ 27.747778] Code: 0f 1f 80 00 00 00 00 55 48 89 e5 41 55 41 54 53 48 89 fb e8 af 6e 95 fd 48 89 df e8 e7 9f 1c 01 49 89 c5 48 8b 83 48 08 00 00 <66> 44 8b 60 02 44 89 e0 48 8b 93 48 08 00 00 83 e0 f8 66 89 42 02
+[ 27.749082] RSP: 0018:ffffc90000118e90 EFLAGS: 00010046
+[ 27.749461] RAX: 0000000000000000 RBX: ffff88810803c4d8 RCX: 0000000000000000
+[ 27.749966] RDX: 0000000000000001 RSI: ffffffff85d37b94 RDI: ffff88810803c4d8
+[ 27.750471] RBP: ffffc90000118ea8 R08: 0000000000000000 R09: 0000000000000001
+[ 27.750976] R10: ffff88810803c4f0 R11: 61646e6f63657320 R12: 0000000000000000
+[ 27.751480] R13: 0000000000000046 R14: ffff888101041000 R15: ffff8881081b2400
+[ 27.751986] FS: 0000000000000000(0000) GS:ffff88817bc80000(0000) knlGS:0000000000000000
+[ 27.752560] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 27.752970] CR2: 0000000000000002 CR3: 0000000108194000 CR4: 00000000000006e0
+[ 27.753481] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 27.753984] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 27.754487] Kernel panic - not syncing: Fatal exception in interrupt
+[ 27.755033] Dumping ftrace buffer:
+[ 27.755279] (ftrace buffer empty)
+[ 27.755534] Kernel Offset: disabled
+[ 27.755785] Rebooting in 1 seconds..
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../pci/netup_unidvb/netup_unidvb_core.c | 27 +++++++++++--------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c
+index b078ac2a682cf..48e1f4a128019 100644
+--- a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c
++++ b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c
+@@ -266,19 +266,24 @@ static irqreturn_t netup_unidvb_isr(int irq, void *dev_id)
+ if ((reg40 & AVL_IRQ_ASSERTED) != 0) {
+ /* IRQ is being signaled */
+ reg_isr = readw(ndev->bmmio0 + REG_ISR);
+- if (reg_isr & NETUP_UNIDVB_IRQ_I2C0) {
+- iret = netup_i2c_interrupt(&ndev->i2c[0]);
+- } else if (reg_isr & NETUP_UNIDVB_IRQ_I2C1) {
+- iret = netup_i2c_interrupt(&ndev->i2c[1]);
+- } else if (reg_isr & NETUP_UNIDVB_IRQ_SPI) {
++ if (reg_isr & NETUP_UNIDVB_IRQ_SPI)
+ iret = netup_spi_interrupt(ndev->spi);
+- } else if (reg_isr & NETUP_UNIDVB_IRQ_DMA1) {
+- iret = netup_dma_interrupt(&ndev->dma[0]);
+- } else if (reg_isr & NETUP_UNIDVB_IRQ_DMA2) {
+- iret = netup_dma_interrupt(&ndev->dma[1]);
+- } else if (reg_isr & NETUP_UNIDVB_IRQ_CI) {
+- iret = netup_ci_interrupt(ndev);
++ else if (!ndev->old_fw) {
++ if (reg_isr & NETUP_UNIDVB_IRQ_I2C0) {
++ iret = netup_i2c_interrupt(&ndev->i2c[0]);
++ } else if (reg_isr & NETUP_UNIDVB_IRQ_I2C1) {
++ iret = netup_i2c_interrupt(&ndev->i2c[1]);
++ } else if (reg_isr & NETUP_UNIDVB_IRQ_DMA1) {
++ iret = netup_dma_interrupt(&ndev->dma[0]);
++ } else if (reg_isr & NETUP_UNIDVB_IRQ_DMA2) {
++ iret = netup_dma_interrupt(&ndev->dma[1]);
++ } else if (reg_isr & NETUP_UNIDVB_IRQ_CI) {
++ iret = netup_ci_interrupt(ndev);
++ } else {
++ goto err;
++ }
+ } else {
++err:
+ dev_err(&pci_dev->dev,
+ "%s(): unknown interrupt 0x%x\n",
+ __func__, reg_isr);
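Review bot: With old firmware every non-SPI source now falls into the `unknown interrupt` branch of netup_unidvb_isr(), which calls dev_err() from interrupt context on each occurrence. If the device keeps raising such interrupts the log is flooded; `dev_err_ratelimited(&pci_dev->dev,` in place of `dev_err(&pci_dev->dev,` bounds that. The `goto err;` also jumps into the body of the outer `else`, which is legal C but easy to break when the branch is edited; a flag tested after the chain would be clearer. The handler starts and ends outside the hunk, so how the interrupt is acknowledged is not visible.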
+--
+2.33.0
+
--- /dev/null
+From 79668318315d1e70fd8357609af7d9b22169b9c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Aug 2021 09:55:35 +0200
+Subject: media: s5p-mfc: fix possible null-pointer dereference in
+ s5p_mfc_probe()
+
+From: Tuo Li <islituo@gmail.com>
+
+[ Upstream commit 8515965e5e33f4feb56134348c95953f3eadfb26 ]
+
+The variable pdev is assigned to dev->plat_dev, and dev->plat_dev is
+checked in:
+ if (!dev->plat_dev)
+
+This indicates both dev->plat_dev and pdev can be NULL. If so, the
+function dev_err() is called to print error information.
+ dev_err(&pdev->dev, "No platform data specified\n");
+
+However, &pdev->dev is an illegal address, and it is dereferenced in
+dev_err().
+
+To fix this possible null-pointer dereference, replace dev_err() with
+mfc_err().
+
+Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
+Signed-off-by: Tuo Li <islituo@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/s5p-mfc/s5p_mfc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc.c b/drivers/media/platform/s5p-mfc/s5p_mfc.c
+index 8051c13456922..0ff972b8d9671 100644
+--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c
++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c
+@@ -1160,7 +1160,7 @@ static int s5p_mfc_probe(struct platform_device *pdev)
+ spin_lock_init(&dev->condlock);
+ dev->plat_dev = pdev;
+ if (!dev->plat_dev) {
+- dev_err(&pdev->dev, "No platform data specified\n");
++ mfc_err("No platform data specified\n");
+ return -ENODEV;
+ }
+
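Review bot: The `if (!dev->plat_dev)` test in s5p_mfc_probe() checks a pointer assigned from `pdev` one line earlier, and a platform driver's probe is normally entered with a valid `pdev`. If the earlier part of the function (outside the hunk) already dereferences `pdev`, for example when allocating `dev`, this branch is unreachable and the patch only changes which dead call is made. Removing the check would be cleaner than swapping the logging call; if it stays, a comment should state which caller can pass NULL.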
+--
+2.33.0
+
--- /dev/null
+From 38ca3b93c62334ef67642285976fd3759cec7643 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Aug 2021 21:46:09 +0200
+Subject: media: si470x: Avoid card name truncation
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 2908249f3878a591f7918368fdf0b7b0a6c3158c ]
+
+The "card" string only holds 31 characters (and the terminating NUL).
+In order to avoid truncation, use a shorter card description instead of
+the current result, "Silicon Labs Si470x FM Radio Re".
+
+Suggested-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Fixes: 78656acdcf48 ("V4L/DVB (7038): USB radio driver for Silicon Labs Si470x FM Radio Receivers")
+Fixes: cc35bbddfe10 ("V4L/DVB (12416): radio-si470x: add i2c driver for si470x")
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/radio/si470x/radio-si470x-i2c.c | 2 +-
+ drivers/media/radio/si470x/radio-si470x-usb.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/radio/si470x/radio-si470x-i2c.c b/drivers/media/radio/si470x/radio-si470x-i2c.c
+index 8f3086773db46..6162aa5758428 100644
+--- a/drivers/media/radio/si470x/radio-si470x-i2c.c
++++ b/drivers/media/radio/si470x/radio-si470x-i2c.c
+@@ -24,7 +24,7 @@
+
+ /* driver definitions */
+ #define DRIVER_AUTHOR "Joonyoung Shim <jy0922.shim@samsung.com>";
+-#define DRIVER_CARD "Silicon Labs Si470x FM Radio Receiver"
++#define DRIVER_CARD "Silicon Labs Si470x FM Radio"
+ #define DRIVER_DESC "I2C radio driver for Si470x FM Radio Receivers"
+ #define DRIVER_VERSION "1.0.2"
+
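Review bot: The shortened `DRIVER_CARD` fits today, but nothing stops a later edit from exceeding the 32-byte card field again; the same applies to the identical change in radio-si470x-usb.c. A compile-time check next to the define, `static_assert(sizeof(DRIVER_CARD) <= 32);`, or one written against the size of the capability struct's `card` member, would turn silent truncation into a build failure. Unrelated to the change but visible in the context lines: `DRIVER_AUTHOR` in the i2c file carries a stray `;` inside the macro body.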
+diff --git a/drivers/media/radio/si470x/radio-si470x-usb.c b/drivers/media/radio/si470x/radio-si470x-usb.c
+index 1d045a8c29e21..a8a0ff9a1f838 100644
+--- a/drivers/media/radio/si470x/radio-si470x-usb.c
++++ b/drivers/media/radio/si470x/radio-si470x-usb.c
+@@ -29,7 +29,7 @@
+
+ /* driver definitions */
+ #define DRIVER_AUTHOR "Tobias Lorenz <tobias.lorenz@gmx.net>"
+-#define DRIVER_CARD "Silicon Labs Si470x FM Radio Receiver"
++#define DRIVER_CARD "Silicon Labs Si470x FM Radio"
+ #define DRIVER_DESC "USB radio driver for Si470x FM Radio Receivers"
+ #define DRIVER_VERSION "1.0.10"
+
+--
+2.33.0
+
--- /dev/null
+From c481471e32a2ca8b8e28b61fa81afe6dc143f2e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Dec 2020 07:16:06 +0100
+Subject: media: usb: dvd-usb: fix uninit-value bug in
+ dibusb_read_eeprom_byte()
+
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+
+[ Upstream commit 899a61a3305d49e8a712e9ab20d0db94bde5929f ]
+
+In dibusb_read_eeprom_byte(), if dibusb_i2c_msg() fails, val gets
+assigned an value that's not properly initialized.
+Using kzalloc() in place of kmalloc() for the buffer fixes this issue,
+as the val can now be set to 0 in the event dibusb_i2c_msg() fails.
+
+Reported-by: syzbot+e27b4fd589762b0b9329@syzkaller.appspotmail.com
+Tested-by: syzbot+e27b4fd589762b0b9329@syzkaller.appspotmail.com
+Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/dibusb-common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/dvb-usb/dibusb-common.c b/drivers/media/usb/dvb-usb/dibusb-common.c
+index bcacb0f220282..3e45642ae186b 100644
+--- a/drivers/media/usb/dvb-usb/dibusb-common.c
++++ b/drivers/media/usb/dvb-usb/dibusb-common.c
+@@ -226,7 +226,7 @@ int dibusb_read_eeprom_byte(struct dvb_usb_device *d, u8 offs, u8 *val)
+ u8 *buf;
+ int rc;
+
+- buf = kmalloc(2, GFP_KERNEL);
++ buf = kzalloc(2, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+
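Review bot: Zeroing the buffer in dibusb_read_eeprom_byte() makes the result defined, but a failed transfer now hands the caller a 0 that is indistinguishable from a real EEPROM byte. The assignment to `*val` and the return of `rc` are outside the hunk; assuming `*val` is written unconditionally, callers that ignore the return code will silently act on the fabricated value. I would document the contract on the function, `/* on failure *val is 0 and a negative error is returned; callers must check the return value */`, and audit callers for an unchecked return.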
+--
+2.33.0
+
--- /dev/null
+From 1fb5cdf46e5ca22868e16c4af2378cffb2cb5feb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 14:29:08 +0200
+Subject: media: uvcvideo: Set capability in s_param
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit 97a2777a96070afb7da5d587834086c0b586c8cc ]
+
+Fixes v4l2-compliance:
+
+Format ioctls (Input 0):
+ warn: v4l2-test-formats.cpp(1339): S_PARM is supported but doesn't report V4L2_CAP_TIMEPERFRAME
+ fail: v4l2-test-formats.cpp(1241): node->has_frmintervals && !cap->capability
+
+Reviewed-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_v4l2.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c
+index 4a270f88aa18c..2b1e06e825f0d 100644
+--- a/drivers/media/usb/uvc/uvc_v4l2.c
++++ b/drivers/media/usb/uvc/uvc_v4l2.c
+@@ -451,10 +451,13 @@ static int uvc_v4l2_set_streamparm(struct uvc_streaming *stream,
+ uvc_simplify_fraction(&timeperframe.numerator,
+ &timeperframe.denominator, 8, 333);
+
+- if (parm->type == V4L2_BUF_TYPE_VIDEO_CAPTURE)
++ if (parm->type == V4L2_BUF_TYPE_VIDEO_CAPTURE) {
+ parm->parm.capture.timeperframe = timeperframe;
+- else
++ parm->parm.capture.capability = V4L2_CAP_TIMEPERFRAME;
++ } else {
+ parm->parm.output.timeperframe = timeperframe;
++ parm->parm.output.capability = V4L2_CAP_TIMEPERFRAME;
++ }
+
+ return 0;
+ }
+--
+2.33.0
+
--- /dev/null
+From 605d48b54e644561442da0a7edeec2b1d8221be2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Sep 2021 23:14:32 +0800
+Subject: memory: fsl_ifc: fix leak of irq and nand_irq in fsl_ifc_ctrl_probe
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit 4ed2f3545c2e5acfbccd7f85fea5b1a82e9862d7 ]
+
+The error handling code of fsl_ifc_ctrl_probe is problematic. When
+fsl_ifc_ctrl_init fails or request_irq of fsl_ifc_ctrl_dev->irq fails,
+it forgets to free the irq and nand_irq. Meanwhile, if request_irq of
+fsl_ifc_ctrl_dev->nand_irq fails, it will still free nand_irq even if
+the request_irq is not successful.
+
+Fix this by refactoring the error handling code.
+
+Fixes: d2ae2e20fbdd ("driver/memory:Move Freescale IFC driver to a common driver")
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Link: https://lore.kernel.org/r/20210925151434.8170-1-mudongliangabcd@gmail.com
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memory/fsl_ifc.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/memory/fsl_ifc.c b/drivers/memory/fsl_ifc.c
+index 38b945eb410f3..9c0e70b047c39 100644
+--- a/drivers/memory/fsl_ifc.c
++++ b/drivers/memory/fsl_ifc.c
+@@ -276,7 +276,7 @@ static int fsl_ifc_ctrl_probe(struct platform_device *dev)
+
+ ret = fsl_ifc_ctrl_init(fsl_ifc_ctrl_dev);
+ if (ret < 0)
+- goto err;
++ goto err_unmap_nandirq;
+
+ init_waitqueue_head(&fsl_ifc_ctrl_dev->nand_wait);
+
+@@ -285,7 +285,7 @@ static int fsl_ifc_ctrl_probe(struct platform_device *dev)
+ if (ret != 0) {
+ dev_err(&dev->dev, "failed to install irq (%d)\n",
+ fsl_ifc_ctrl_dev->irq);
+- goto err_irq;
++ goto err_unmap_nandirq;
+ }
+
+ if (fsl_ifc_ctrl_dev->nand_irq) {
+@@ -294,17 +294,16 @@ static int fsl_ifc_ctrl_probe(struct platform_device *dev)
+ if (ret != 0) {
+ dev_err(&dev->dev, "failed to install irq (%d)\n",
+ fsl_ifc_ctrl_dev->nand_irq);
+- goto err_nandirq;
++ goto err_free_irq;
+ }
+ }
+
+ return 0;
+
+-err_nandirq:
+- free_irq(fsl_ifc_ctrl_dev->nand_irq, fsl_ifc_ctrl_dev);
+- irq_dispose_mapping(fsl_ifc_ctrl_dev->nand_irq);
+-err_irq:
++err_free_irq:
+ free_irq(fsl_ifc_ctrl_dev->irq, fsl_ifc_ctrl_dev);
++err_unmap_nandirq:
++ irq_dispose_mapping(fsl_ifc_ctrl_dev->nand_irq);
+ irq_dispose_mapping(fsl_ifc_ctrl_dev->irq);
+ err:
+ iounmap(fsl_ifc_ctrl_dev->gregs);
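Review bot: The new `err_unmap_nandirq` label disposes of `fsl_ifc_ctrl_dev->nand_irq` unconditionally, although the probe path above only requests that interrupt under `if (fsl_ifc_ctrl_dev->nand_irq)`. The label can therefore be reached with `nand_irq == 0`. As far as I know irq_dispose_mapping() returns early for irq 0, but that assumption is worth stating at the label, e.g. `/* nand_irq is optional and may be 0; irq_dispose_mapping() ignores it then */`. The same label is now also the target of the two earlier `goto`s in this patch, after fsl_ifc_ctrl_init() and after the first request_irq(). fsl_ifc_ctrl_probe() starts and ends outside these hunks, so whether the remove path mirrors this order cannot be checked here.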
+--
+2.33.0
+
--- /dev/null
+From d4616cc8bf02f3dd6a4ec631cc634a63c398588c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Sep 2021 11:44:47 +0200
+Subject: memstick: avoid out-of-range warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 4853396f03c3019eccf5cd113e464231e9ddf0b3 ]
+
+clang-14 complains about a sanity check that always passes when the
+page size is 64KB or larger:
+
+drivers/memstick/core/ms_block.c:1739:21: error: result of comparison of constant 65536 with expression of type 'unsigned short' is always false [-Werror,-Wtautological-constant-out-of-range-compare]
+ if (msb->page_size > PAGE_SIZE) {
+ ~~~~~~~~~~~~~~ ^ ~~~~~~~~~
+
+This is fine, it will still work on all architectures, so just shut
+up that warning with a cast.
+
+Fixes: 0ab30494bc4f ("memstick: add support for legacy memorysticks")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20210927094520.696665-1-arnd@kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memstick/core/ms_block.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/memstick/core/ms_block.c b/drivers/memstick/core/ms_block.c
+index aacf584f2a42e..45136b700d2c4 100644
+--- a/drivers/memstick/core/ms_block.c
++++ b/drivers/memstick/core/ms_block.c
+@@ -1730,7 +1730,7 @@ static int msb_init_card(struct memstick_dev *card)
+ msb->pages_in_block = boot_block->attr.block_size * 2;
+ msb->block_size = msb->page_size * msb->pages_in_block;
+
+- if (msb->page_size > PAGE_SIZE) {
++ if ((size_t)msb->page_size > PAGE_SIZE) {
+ /* this isn't supported by linux at all, anyway*/
+ dbg("device page %d size isn't supported", msb->page_size);
+ return -EINVAL;
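Review bot: The `(size_t)` cast on `msb->page_size` has no comment, so without the commit message it reads as a pointless widening that a later cleanup could remove. I would add `/* cast only silences clang's tautological-compare warning when PAGE_SIZE >= 64K */` above the `if`. Separately, `page_size` feeds `block_size` two lines up and only its upper bound is checked in this hunk. If the value originates from the card (the neighbouring `pages_in_block` is read from `boot_block`), a zero or otherwise implausible page size deserves a check as well, unless one exists outside the hunk. msb_init_card() starts and ends outside the hunk.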
+--
+2.33.0
+
--- /dev/null
+From fb22d3339deac196f3f029f4f06a43ab074e5b75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Oct 2021 15:39:12 +0300
+Subject: memstick: jmb38x_ms: use appropriate free function in
+ jmb38x_ms_alloc_host()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit beae4a6258e64af609ad5995cc6b6056eb0d898e ]
+
+The "msh" pointer is device managed, meaning that memstick_alloc_host()
+calls device_initialize() on it. That means that it can't be free
+using kfree() but must instead be freed with memstick_free_host().
+Otherwise it leads to a tiny memory leak of device resources.
+
+Fixes: 60fdd931d577 ("memstick: add support for JMicron jmb38x MemoryStick host controller")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/20211011123912.GD15188@kili
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memstick/host/jmb38x_ms.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/memstick/host/jmb38x_ms.c b/drivers/memstick/host/jmb38x_ms.c
+index 08fa6400d2558..ba6cd576e9979 100644
+--- a/drivers/memstick/host/jmb38x_ms.c
++++ b/drivers/memstick/host/jmb38x_ms.c
+@@ -905,7 +905,7 @@ static struct memstick_host *jmb38x_ms_alloc_host(struct jmb38x_ms *jm, int cnt)
+
+ iounmap(host->addr);
+ err_out_free:
+- kfree(msh);
++ memstick_free_host(msh);
+ return NULL;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 3eb7661a759bed5a069c72987f10452d7b85c449 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 Oct 2021 11:26:21 +0000
+Subject: memstick: r592: Fix a UAF bug when removing the driver
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit 738216c1953e802aa9f930c5d15b8f9092c847ff ]
+
+In r592_remove(), the driver will free dma after freeing the host, which
+may cause a UAF bug.
+
+The following log reveals it:
+
+[ 45.361796 ] BUG: KASAN: use-after-free in r592_remove+0x269/0x350 [r592]
+[ 45.364286 ] Call Trace:
+[ 45.364472 ] dump_stack_lvl+0xa8/0xd1
+[ 45.364751 ] print_address_description+0x87/0x3b0
+[ 45.365137 ] kasan_report+0x172/0x1c0
+[ 45.365415 ] ? r592_remove+0x269/0x350 [r592]
+[ 45.365834 ] ? r592_remove+0x269/0x350 [r592]
+[ 45.366168 ] __asan_report_load8_noabort+0x14/0x20
+[ 45.366531 ] r592_remove+0x269/0x350 [r592]
+[ 45.378785 ]
+[ 45.378903 ] Allocated by task 4674:
+[ 45.379162 ] ____kasan_kmalloc+0xb5/0xe0
+[ 45.379455 ] __kasan_kmalloc+0x9/0x10
+[ 45.379730 ] __kmalloc+0x150/0x280
+[ 45.379984 ] memstick_alloc_host+0x2a/0x190
+[ 45.380664 ]
+[ 45.380781 ] Freed by task 5509:
+[ 45.381014 ] kasan_set_track+0x3d/0x70
+[ 45.381293 ] kasan_set_free_info+0x23/0x40
+[ 45.381635 ] ____kasan_slab_free+0x10b/0x140
+[ 45.381950 ] __kasan_slab_free+0x11/0x20
+[ 45.382241 ] slab_free_freelist_hook+0x81/0x150
+[ 45.382575 ] kfree+0x13e/0x290
+[ 45.382805 ] memstick_free+0x1c/0x20
+[ 45.383070 ] device_release+0x9c/0x1d0
+[ 45.383349 ] kobject_put+0x2ef/0x4c0
+[ 45.383616 ] put_device+0x1f/0x30
+[ 45.383865 ] memstick_free_host+0x24/0x30
+[ 45.384162 ] r592_remove+0x242/0x350 [r592]
+[ 45.384473 ] pci_device_remove+0xa9/0x250
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Link: https://lore.kernel.org/r/1634383581-11055-1-git-send-email-zheyuma97@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memstick/host/r592.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/memstick/host/r592.c b/drivers/memstick/host/r592.c
+index 2539984c1db1c..256634ec58b63 100644
+--- a/drivers/memstick/host/r592.c
++++ b/drivers/memstick/host/r592.c
+@@ -841,15 +841,15 @@ static void r592_remove(struct pci_dev *pdev)
+ }
+ memstick_remove_host(dev->host);
+
++ if (dev->dummy_dma_page)
++ dma_free_coherent(&pdev->dev, PAGE_SIZE, dev->dummy_dma_page,
++ dev->dummy_dma_page_physical_address);
++
+ free_irq(dev->irq, dev);
+ iounmap(dev->mmio);
+ pci_release_regions(pdev);
+ pci_disable_device(pdev);
+ memstick_free_host(dev->host);
+-
+- if (dev->dummy_dma_page)
+- dma_free_coherent(&pdev->dev, PAGE_SIZE, dev->dummy_dma_page,
+- dev->dummy_dma_page_physical_address);
+ }
+
+ #ifdef CONFIG_PM_SLEEP
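Review bot: The moved `dma_free_coherent()` now runs before `free_irq()` and `pci_disable_device()`, so the dummy DMA page is released while the interrupt handler is still registered and the device is not yet disabled at the PCI level. Any position ahead of `memstick_free_host(dev->host)` fixes the use-after-free; placing the block directly before that call would keep the buffer alive until nothing can reference it. A comment on the final call would protect the ordering: `/* dev appears to live in the host allocation; do not touch dev after this */`. The KASAN trace in the description shows memstick_free_host() releasing the object that r592_remove() then reads. r592_remove() starts outside the hunk, so whether the device is already quiesced earlier cannot be confirmed here.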
+--
+2.33.0
+
--- /dev/null
+From 9c42226135d41b022ee8e0b49b4f4c0cd56fc8d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 23:20:58 +0200
+Subject: MIPS: lantiq: dma: add small delay after reset
+
+From: Aleksander Jan Bajkowski <olek2@wp.pl>
+
+[ Upstream commit c12aa581f6d5e80c3c3675ab26a52c2b3b62f76e ]
+
+Reading the DMA registers immediately after the reset causes
+Data Bus Error. Adding a small delay fixes this issue.
+
+Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/lantiq/xway/dma.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/mips/lantiq/xway/dma.c b/arch/mips/lantiq/xway/dma.c
+index cef811755123f..d89a9bcf92c85 100644
+--- a/arch/mips/lantiq/xway/dma.c
++++ b/arch/mips/lantiq/xway/dma.c
+@@ -21,6 +21,7 @@
+ #include <linux/dma-mapping.h>
+ #include <linux/module.h>
+ #include <linux/clk.h>
++#include <linux/delay.h>
+ #include <linux/err.h>
+
+ #include <lantiq_soc.h>
+@@ -232,6 +233,8 @@ ltq_dma_init(struct platform_device *pdev)
+ clk_enable(clk);
+ ltq_dma_w32_mask(0, DMA_RESET, LTQ_DMA_CTRL);
+
++ usleep_range(1, 10);
++
+ /* disable all interrupts */
+ ltq_dma_w32(0, LTQ_DMA_IRNEN);
+
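Review bot: The added `usleep_range(1, 10);` carries no comment, so the reason for the delay exists only in the commit message. Suggest `/* reading DMA registers right after reset raises a Data Bus Error; let the block settle */` above it. For waits this short the kernel timer documentation recommends `udelay()` over `usleep_range()`, because setting up an hrtimer sleep costs more than the delay itself. ltq_dma_init() starts and continues outside the hunk.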
+--
+2.33.0
+
--- /dev/null
+From a35e0dc00b73610b054ce48ae208ebd14d251610 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 23:20:59 +0200
+Subject: MIPS: lantiq: dma: reset correct number of channel
+
+From: Aleksander Jan Bajkowski <olek2@wp.pl>
+
+[ Upstream commit 5ca9ce2ba4d5884cd94d1a856c675ab1242cd242 ]
+
+Different SoCs have a different number of channels, e.g .:
+* amazon-se has 10 channels,
+* danube+ar9 have 20 channels,
+* vr9 has 28 channels,
+* ar10 has 24 channels.
+
+We can read the ID register and, depending on the reported
+number of channels, reset the appropriate number of channels.
+
+Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/lantiq/xway/dma.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/arch/mips/lantiq/xway/dma.c b/arch/mips/lantiq/xway/dma.c
+index d89a9bcf92c85..fc9eff29d8ff0 100644
+--- a/arch/mips/lantiq/xway/dma.c
++++ b/arch/mips/lantiq/xway/dma.c
+@@ -40,6 +40,7 @@
+ #define LTQ_DMA_PCTRL 0x44
+ #define LTQ_DMA_IRNEN 0xf4
+
++#define DMA_ID_CHNR GENMASK(26, 20) /* channel number */
+ #define DMA_DESCPT BIT(3) /* descriptor complete irq */
+ #define DMA_TX BIT(8) /* TX channel direction */
+ #define DMA_CHAN_ON BIT(0) /* channel on / off bit */
+@@ -50,7 +51,6 @@
+ #define DMA_POLL BIT(31) /* turn on channel polling */
+ #define DMA_CLK_DIV4 BIT(6) /* polling clock divider */
+ #define DMA_2W_BURST BIT(1) /* 2 word burst length */
+-#define DMA_MAX_CHANNEL 20 /* the soc has 20 channels */
+ #define DMA_ETOP_ENDIANNESS (0xf << 8) /* endianness swap etop channels */
+ #define DMA_WEIGHT (BIT(17) | BIT(16)) /* default channel wheight */
+
+@@ -217,7 +217,7 @@ ltq_dma_init(struct platform_device *pdev)
+ {
+ struct clk *clk;
+ struct resource *res;
+- unsigned id;
++ unsigned int id, nchannels;
+ int i;
+
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+@@ -239,17 +239,18 @@ ltq_dma_init(struct platform_device *pdev)
+ ltq_dma_w32(0, LTQ_DMA_IRNEN);
+
+ /* reset/configure each channel */
+- for (i = 0; i < DMA_MAX_CHANNEL; i++) {
++ id = ltq_dma_r32(LTQ_DMA_ID);
++ nchannels = ((id & DMA_ID_CHNR) >> 20);
++ for (i = 0; i < nchannels; i++) {
+ ltq_dma_w32(i, LTQ_DMA_CS);
+ ltq_dma_w32(DMA_CHAN_RST, LTQ_DMA_CCTRL);
+ ltq_dma_w32(DMA_POLL | DMA_CLK_DIV4, LTQ_DMA_CPOLL);
+ ltq_dma_w32_mask(DMA_CHAN_ON, 0, LTQ_DMA_CCTRL);
+ }
+
+- id = ltq_dma_r32(LTQ_DMA_ID);
+ dev_info(&pdev->dev,
+ "Init done - hw rev: %X, ports: %d, channels: %d\n",
+- id & 0x1f, (id >> 16) & 0xf, id >> 20);
++ id & 0x1f, (id >> 16) & 0xf, nchannels);
+
+ return 0;
+ }
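Review bot: `nchannels` is taken straight from the ID register and used as the loop bound with no sanity check, and the index `i` remains a signed `int` compared against an `unsigned int`. The 7-bit field can report up to 127, so a bogus read would make the loop select and reset channels the SoC does not have. A cap with a warning would be cheap. The shift also repeats the mask position by hand; `nchannels = FIELD_GET(DMA_ID_CHNR, id);` (from `<linux/bitfield.h>`) keeps mask and shift together, and `unsigned int i` removes the mixed comparison. The declaration of `i` sits in the previous hunk, and ltq_dma_init() starts outside both.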
+--
+2.33.0
+
--- /dev/null
+From bccc8c00e7cca3f81b6cfed695b5531c0c2e1819 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Sep 2021 14:19:08 +0800
+Subject: MIPS: loongson64: make CPU_LOONGSON64 depends on MIPS_FP_SUPPORT
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jackie Liu <liuyun01@kylinos.cn>
+
+[ Upstream commit 7f3b3c2bfa9c93ab9b5595543496f570983dc330 ]
+
+mach/loongson64 fails to build when the FPU support is disabled:
+
+arch/mips/loongson64/cop2-ex.c:45:15: error: implicit declaration of function ‘__is_fpu_owner’; did you mean ‘is_fpu_owner’? [-Werror=implicit-function-declaration]
+arch/mips/loongson64/cop2-ex.c:98:30: error: ‘struct thread_struct’ has no member named ‘fpu’
+arch/mips/loongson64/cop2-ex.c:99:30: error: ‘struct thread_struct’ has no member named ‘fpu’
+arch/mips/loongson64/cop2-ex.c:131:43: error: ‘struct thread_struct’ has no member named ‘fpu’
+arch/mips/loongson64/cop2-ex.c:137:38: error: ‘struct thread_struct’ has no member named ‘fpu’
+arch/mips/loongson64/cop2-ex.c:203:30: error: ‘struct thread_struct’ has no member named ‘fpu’
+arch/mips/loongson64/cop2-ex.c:219:30: error: ‘struct thread_struct’ has no member named ‘fpu’
+arch/mips/loongson64/cop2-ex.c:283:38: error: ‘struct thread_struct’ has no member named ‘fpu’
+arch/mips/loongson64/cop2-ex.c:301:38: error: ‘struct thread_struct’ has no member named ‘fpu’
+
+Fixes: ef2f826c8f2f ("MIPS: Loongson-3: Enable the COP2 usage")
+Suggested-by: Huacai Chen <chenhuacai@kernel.org>
+Reviewed-by: Huacai Chen <chenhuacai@kernel.org>
+Reported-by: k2ci robot <kernel-bot@kylinos.cn>
+Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
+index 24eb7fe7922e6..3ab2a95673680 100644
+--- a/arch/mips/Kconfig
++++ b/arch/mips/Kconfig
+@@ -1373,6 +1373,7 @@ config CPU_LOONGSON3
+ select WEAK_REORDERING_BEYOND_LLSC
+ select MIPS_PGD_C0_CONTEXT
+ select MIPS_L1_CACHE_SHIFT_6
++ select MIPS_FP_SUPPORT
+ select GPIOLIB
+ help
+ The Loongson 3 processor implements the MIPS64R2 instruction
+--
+2.33.0
+
--- /dev/null
+From 1be150f90e31849b59f80d39cadb446dee5d2693 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Nov 2021 13:45:03 -0700
+Subject: mm/zsmalloc.c: close race window between zs_pool_dec_isolated() and
+ zs_unregister_migration()
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit afe8605ca45424629fdddfd85984b442c763dc47 ]
+
+There is one possible race window between zs_pool_dec_isolated() and
+zs_unregister_migration() because wait_for_isolated_drain() checks the
+isolated count without holding class->lock and there is no order inside
+zs_pool_dec_isolated(). Thus the below race window could be possible:
+
+ zs_pool_dec_isolated zs_unregister_migration
+ check pool->destroying != 0
+ pool->destroying = true;
+ smp_mb();
+ wait_for_isolated_drain()
+ wait for pool->isolated_pages == 0
+ atomic_long_dec(&pool->isolated_pages);
+ atomic_long_read(&pool->isolated_pages) == 0
+
+Since we observe the pool->destroying (false) before atomic_long_dec()
+for pool->isolated_pages, waking pool->migration_wait up is missed.
+
+Fix this by ensure checking pool->destroying happens after the
+atomic_long_dec(&pool->isolated_pages).
+
+Link: https://lkml.kernel.org/r/20210708115027.7557-1-linmiaohe@huawei.com
+Fixes: 701d678599d0 ("mm/zsmalloc.c: fix race condition in zs_destroy_pool")
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
+Cc: Henry Burns <henryburns@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/zsmalloc.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/mm/zsmalloc.c b/mm/zsmalloc.c
+index 2b7bfd97587a0..b5c1cd4ba2a15 100644
+--- a/mm/zsmalloc.c
++++ b/mm/zsmalloc.c
+@@ -1962,10 +1962,11 @@ static inline void zs_pool_dec_isolated(struct zs_pool *pool)
+ VM_BUG_ON(atomic_long_read(&pool->isolated_pages) <= 0);
+ atomic_long_dec(&pool->isolated_pages);
+ /*
+- * There's no possibility of racing, since wait_for_isolated_drain()
+- * checks the isolated count under &class->lock after enqueuing
+- * on migration_wait.
++ * Checking pool->destroying must happen after atomic_long_dec()
++ * for pool->isolated_pages above. Paired with the smp_mb() in
++ * zs_unregister_migration().
+ */
++ smp_mb__after_atomic();
+ if (atomic_long_read(&pool->isolated_pages) == 0 && pool->destroying)
+ wake_up_all(&pool->migration_wait);
+ }
+--
+2.33.0
+
--- /dev/null
+From f59109cbae5a6eb1ef7da49dda99fe390878e33b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 Oct 2021 08:21:44 +0200
+Subject: mmc: mxs-mmc: disable regulator on error and in the remove function
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit ce5f6c2c9b0fcb4094f8e162cfd37fb4294204f7 ]
+
+The 'reg_vmmc' regulator is enabled in the probe. It is never disabled.
+Neither in the error handling path of the probe nor in the remove
+function.
+
+Register a devm_action to disable it when needed.
+
+Fixes: 4dc5a79f1350 ("mmc: mxs-mmc: enable regulator for mmc slot")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/4aadb3c97835f7b80f00819c3d549e6130384e67.1634365151.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/mxs-mmc.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/mmc/host/mxs-mmc.c b/drivers/mmc/host/mxs-mmc.c
+index 687fd68fbbcd1..77a03301b2a58 100644
+--- a/drivers/mmc/host/mxs-mmc.c
++++ b/drivers/mmc/host/mxs-mmc.c
+@@ -571,6 +571,11 @@ static const struct of_device_id mxs_mmc_dt_ids[] = {
+ };
+ MODULE_DEVICE_TABLE(of, mxs_mmc_dt_ids);
+
++static void mxs_mmc_regulator_disable(void *regulator)
++{
++ regulator_disable(regulator);
++}
++
+ static int mxs_mmc_probe(struct platform_device *pdev)
+ {
+ const struct of_device_id *of_id =
+@@ -614,6 +619,11 @@ static int mxs_mmc_probe(struct platform_device *pdev)
+ "Failed to enable vmmc regulator: %d\n", ret);
+ goto out_mmc_free;
+ }
++
++ ret = devm_add_action_or_reset(&pdev->dev, mxs_mmc_regulator_disable,
++ reg_vmmc);
++ if (ret)
++ goto out_mmc_free;
+ }
+
+ ssp->clk = devm_clk_get(&pdev->dev, NULL);
+--
+2.33.0
+
--- /dev/null
+From b0568f1343316f964608839626877eae2f98fb34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Jul 2021 17:45:29 +0300
+Subject: mtd: spi-nor: hisi-sfc: Remove excessive clk_disable_unprepare()
+
+From: Evgeny Novikov <novikov@ispras.ru>
+
+[ Upstream commit 78e4d342187625585932bb437ec26e1060f7fc6f ]
+
+hisi_spi_nor_probe() invokes clk_disable_unprepare() on all paths after
+successful call of clk_prepare_enable(). Besides, the clock is enabled by
+hispi_spi_nor_prep() and disabled by hispi_spi_nor_unprep(). So at remove
+time it is not possible to have the clock enabled. The patch removes
+excessive clk_disable_unprepare() from hisi_spi_nor_remove().
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Fixes: e523f11141bd ("mtd: spi-nor: add hisilicon spi-nor flash controller driver")
+Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
+Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Reviewed-by: Pratyush Yadav <p.yadav@ti.com>
+Link: https://lore.kernel.org/r/20210709144529.31379-1-novikov@ispras.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/spi-nor/hisi-sfc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/mtd/spi-nor/hisi-sfc.c b/drivers/mtd/spi-nor/hisi-sfc.c
+index 68be79ba571df..a0c2101f0b486 100644
+--- a/drivers/mtd/spi-nor/hisi-sfc.c
++++ b/drivers/mtd/spi-nor/hisi-sfc.c
+@@ -467,7 +467,6 @@ static int hisi_spi_nor_remove(struct platform_device *pdev)
+
+ hisi_spi_nor_unregister_all(host);
+ mutex_destroy(&host->lock);
+- clk_disable_unprepare(host->clk);
+ return 0;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 62aff05af18dafc7a5fd9613cabc248667cbd330 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 Oct 2021 17:32:43 +0200
+Subject: mwifiex: Send DELBA requests according to spec
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonas Dreßler <verdre@v0yd.nl>
+
+[ Upstream commit cc8a8bc37466f79b24d972555237f3d591150602 ]
+
+While looking at on-air packets using Wireshark, I noticed we're never
+setting the initiator bit when sending DELBA requests to the AP: While
+we set the bit on our del_ba_param_set bitmask, we forget to actually
+copy that bitmask over to the command struct, which means we never
+actually set the initiator bit.
+
+Fix that and copy the bitmask over to the host_cmd_ds_11n_delba command
+struct.
+
+Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
+Signed-off-by: Jonas Dreßler <verdre@v0yd.nl>
+Acked-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20211016153244.24353-5-verdre@v0yd.nl
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/11n.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/11n.c b/drivers/net/wireless/marvell/mwifiex/11n.c
+index c174e79e6df2b..b70eac7d2dd79 100644
+--- a/drivers/net/wireless/marvell/mwifiex/11n.c
++++ b/drivers/net/wireless/marvell/mwifiex/11n.c
+@@ -630,14 +630,15 @@ int mwifiex_send_delba(struct mwifiex_private *priv, int tid, u8 *peer_mac,
+ uint16_t del_ba_param_set;
+
+ memset(&delba, 0, sizeof(delba));
+- delba.del_ba_param_set = cpu_to_le16(tid << DELBA_TID_POS);
+
+- del_ba_param_set = le16_to_cpu(delba.del_ba_param_set);
++ del_ba_param_set = tid << DELBA_TID_POS;
++
+ if (initiator)
+ del_ba_param_set |= IEEE80211_DELBA_PARAM_INITIATOR_MASK;
+ else
+ del_ba_param_set &= ~IEEE80211_DELBA_PARAM_INITIATOR_MASK;
+
++ delba.del_ba_param_set = cpu_to_le16(del_ba_param_set);
+ memcpy(&delba.peer_mac_addr, peer_mac, ETH_ALEN);
+
+ /* We don't wait for the response of this command */
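Review bot: `del_ba_param_set = tid << DELBA_TID_POS;` stores an unchecked `int tid` into a `uint16_t`, so a value that does not fit the TID field would corrupt the parameter set sent on air. Masking it, `del_ba_param_set = (tid << DELBA_TID_POS) & IEEE80211_DELBA_PARAM_TID_MASK;`, keeps the frame well-formed whatever the caller passes. Now that the value is built from scratch, the `else` branch that clears `IEEE80211_DELBA_PARAM_INITIATOR_MASK` has no effect for valid TIDs and could be dropped. mwifiex_send_delba() starts and ends outside the hunk, so any range check on `tid` by its callers is not visible here.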
+--
+2.33.0
+
--- /dev/null
+From c7874206f9c660bb5fc47479f7410d606d8b9ee0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 Oct 2021 04:02:59 +0000
+Subject: mwl8k: Fix use-after-free in mwl8k_fw_state_machine()
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit 257051a235c17e33782b6e24a4b17f2d7915aaec ]
+
+When the driver fails to request the firmware, it calls its error
+handler. In the error handler, the driver detaches device from driver
+first before releasing the firmware, which can cause a use-after-free bug.
+
+Fix this by releasing firmware first.
+
+The following log reveals it:
+
+[ 9.007301 ] BUG: KASAN: use-after-free in mwl8k_fw_state_machine+0x320/0xba0
+[ 9.010143 ] Workqueue: events request_firmware_work_func
+[ 9.010830 ] Call Trace:
+[ 9.010830 ] dump_stack_lvl+0xa8/0xd1
+[ 9.010830 ] print_address_description+0x87/0x3b0
+[ 9.010830 ] kasan_report+0x172/0x1c0
+[ 9.010830 ] ? mutex_unlock+0xd/0x10
+[ 9.010830 ] ? mwl8k_fw_state_machine+0x320/0xba0
+[ 9.010830 ] ? mwl8k_fw_state_machine+0x320/0xba0
+[ 9.010830 ] __asan_report_load8_noabort+0x14/0x20
+[ 9.010830 ] mwl8k_fw_state_machine+0x320/0xba0
+[ 9.010830 ] ? mwl8k_load_firmware+0x5f0/0x5f0
+[ 9.010830 ] request_firmware_work_func+0x172/0x250
+[ 9.010830 ] ? read_lock_is_recursive+0x20/0x20
+[ 9.010830 ] ? process_one_work+0x7a1/0x1100
+[ 9.010830 ] ? request_firmware_nowait+0x460/0x460
+[ 9.010830 ] ? __this_cpu_preempt_check+0x13/0x20
+[ 9.010830 ] process_one_work+0x9bb/0x1100
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1634356979-6211-1-git-send-email-zheyuma97@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwl8k.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/marvell/mwl8k.c b/drivers/net/wireless/marvell/mwl8k.c
+index 66cd38d4f199b..c6f008796ff16 100644
+--- a/drivers/net/wireless/marvell/mwl8k.c
++++ b/drivers/net/wireless/marvell/mwl8k.c
+@@ -5783,8 +5783,8 @@ static void mwl8k_fw_state_machine(const struct firmware *fw, void *context)
+ fail:
+ priv->fw_state = FW_STATE_ERROR;
+ complete(&priv->firmware_loading_complete);
+- device_release_driver(&priv->pdev->dev);
+ mwl8k_release_firmware(priv);
++ device_release_driver(&priv->pdev->dev);
+ }
+
+ #define MAX_RESTART_ATTEMPTS 1
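Review bot: Nothing at the `fail:` label records that `device_release_driver()` has to stay the last statement, which is the entire point of this reordering. Per the commit description, detaching the driver before `mwl8k_release_firmware(priv)` produced the use-after-free, so `priv` should be treated as gone once the release call returns. Suggest a comment above the call: `/* must be last: unbinding the driver tears down priv */`. The body of mwl8k_fw_state_machine() starts outside the hunk.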
+--
+2.33.0
+
--- /dev/null
+From 2ab6ddc83652eeff487aa4242008ef92e73b4a79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Nov 2021 18:23:41 +0300
+Subject: net: davinci_emac: Fix interrupt pacing disable
+
+From: Maxim Kiselev <bigunclemax@gmail.com>
+
+[ Upstream commit d52bcb47bdf971a59a2467975d2405fcfcb2fa19 ]
+
+This patch allows to use 0 for `coal->rx_coalesce_usecs` param to
+disable rx irq coalescing.
+
+Previously we could enable rx irq coalescing via ethtool
+(For ex: `ethtool -C eth0 rx-usecs 2000`) but we couldn't disable
+it because this part rejects 0 value:
+
+ if (!coal->rx_coalesce_usecs)
+ return -EINVAL;
+
+Fixes: 84da2658a619 ("TI DaVinci EMAC : Implement interrupt pacing functionality.")
+Signed-off-by: Maxim Kiselev <bigunclemax@gmail.com>
+Reviewed-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Link: https://lore.kernel.org/r/20211101152343.4193233-1-bigunclemax@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ti/davinci_emac.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/ti/davinci_emac.c b/drivers/net/ethernet/ti/davinci_emac.c
+index 8b7596fef42a6..37162492e2635 100644
+--- a/drivers/net/ethernet/ti/davinci_emac.c
++++ b/drivers/net/ethernet/ti/davinci_emac.c
+@@ -426,8 +426,20 @@ static int emac_set_coalesce(struct net_device *ndev,
+ u32 int_ctrl, num_interrupts = 0;
+ u32 prescale = 0, addnl_dvdr = 1, coal_intvl = 0;
+
+- if (!coal->rx_coalesce_usecs)
+- return -EINVAL;
++ if (!coal->rx_coalesce_usecs) {
++ priv->coal_intvl = 0;
++
++ switch (priv->version) {
++ case EMAC_VERSION_2:
++ emac_ctrl_write(EMAC_DM646X_CMINTCTRL, 0);
++ break;
++ default:
++ emac_ctrl_write(EMAC_CTRL_EWINTTCNT, 0);
++ break;
++ }
++
++ return 0;
++ }
+
+ coal_intvl = coal->rx_coalesce_usecs;
+
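Review bot: The disable path writes a literal 0 to `EMAC_DM646X_CMINTCTRL` or `EMAC_CTRL_EWINTTCNT`, which clears the whole register rather than only the pacing fields. If either register carries bits unrelated to RX pacing, a read-modify-write that clears just those fields would be safer; the enable path that would show the register layout is outside the hunk. A short comment such as `/* rx-usecs == 0: turn interrupt pacing off */` above the block would also document the new meaning of zero for this ethtool parameter. emac_set_coalesce() continues outside the hunk.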
+--
+2.33.0
+
--- /dev/null
+From 1f2f3ea0d55e62ab9e6f186e0b988c940eb7ef9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Oct 2021 06:37:39 -0700
+Subject: net: stream: don't purge sk_error_queue in sk_stream_kill_queues()
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 24bcbe1cc69fa52dc4f7b5b2456678ed464724d8 ]
+
+sk_stream_kill_queues() can be called on close when there are
+still outstanding skbs to transmit. Those skbs may try to queue
+notifications to the error queue (e.g. timestamps).
+If sk_stream_kill_queues() purges the queue without taking
+its lock the queue may get corrupted, and skbs leaked.
+
+This shows up as a warning about an rmem leak:
+
+WARNING: CPU: 24 PID: 0 at net/ipv4/af_inet.c:154 inet_sock_destruct+0x...
+
+The leak is always a multiple of 0x300 bytes (the value is in
+%rax on my builds, so RAX: 0000000000000300). 0x300 is truesize of
+an empty sk_buff. Indeed if we dump the socket state at the time
+of the warning the sk_error_queue is often (but not always)
+corrupted. The ->next pointer points back at the list head,
+but not the ->prev pointer. Indeed we can find the leaked skb
+by scanning the kernel memory for something that looks like
+an skb with ->sk = socket in question, and ->truesize = 0x300.
+The contents of ->cb[] of the skb confirms the suspicion that
+it is indeed a timestamp notification (as generated in
+__skb_complete_tx_timestamp()).
+
+Removing purging of sk_error_queue should be okay, since
+inet_sock_destruct() does it again once all socket refs
+are gone. Eric suggests this may cause sockets that go
+thru disconnect() to maintain notifications from the
+previous incarnations of the socket, but that should be
+okay since the race was there anyway, and disconnect()
+is not exactly dependable.
+
+Thanks to Jonathan Lemon and Omar Sandoval for help at various
+stages of tracing the issue.
+
+Fixes: cb9eff097831 ("net: new user space API for time stamping of incoming and outgoing packets")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/stream.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/core/stream.c b/net/core/stream.c
+index 6e41b20bf9f86..05b63feac7e57 100644
+--- a/net/core/stream.c
++++ b/net/core/stream.c
+@@ -193,9 +193,6 @@ void sk_stream_kill_queues(struct sock *sk)
+ /* First the read buffer. */
+ __skb_queue_purge(&sk->sk_receive_queue);
+
+- /* Next, the error queue. */
+- __skb_queue_purge(&sk->sk_error_queue);
+-
+ /* Next, the write queue. */
+ WARN_ON(!skb_queue_empty(&sk->sk_write_queue));
+
+--
+2.33.0
+
--- /dev/null
+From 04bcc53855eea4ec7595c27c69a186793123ceaa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Oct 2021 18:08:10 +0200
+Subject: netfilter: nfnetlink_queue: fix OOB when mac header was cleared
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 5648b5e1169ff1d6d6a46c35c0b5fbebd2a5cbb2 ]
+
+On 64bit platforms the MAC header is set to 0xffff on allocation and
+also when a helper like skb_unset_mac_header() is called.
+
+dev_parse_header may call skb_mac_header() which assumes valid mac offset:
+
+ BUG: KASAN: use-after-free in eth_header_parse+0x75/0x90
+ Read of size 6 at addr ffff8881075a5c05 by task nf-queue/1364
+ Call Trace:
+ memcpy+0x20/0x60
+ eth_header_parse+0x75/0x90
+ __nfqnl_enqueue_packet+0x1a61/0x3380
+ __nf_queue+0x597/0x1300
+ nf_queue+0xf/0x40
+ nf_hook_slow+0xed/0x190
+ nf_hook+0x184/0x440
+ ip_output+0x1c0/0x2a0
+ nf_reinject+0x26f/0x700
+ nfqnl_recv_verdict+0xa16/0x18b0
+ nfnetlink_rcv_msg+0x506/0xe70
+
+The existing code only works if the skb has a mac header.
+
+Fixes: 2c38de4c1f8da7 ("netfilter: fix looped (broad|multi)cast's MAC handling")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nfnetlink_queue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
+index 2a811b5634d46..a35510565d4d1 100644
+--- a/net/netfilter/nfnetlink_queue.c
++++ b/net/netfilter/nfnetlink_queue.c
+@@ -539,7 +539,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
+ goto nla_put_failure;
+
+ if (indev && entskb->dev &&
+- entskb->mac_header != entskb->network_header) {
++ skb_mac_header_was_set(entskb)) {
+ struct nfqnl_msg_packet_hw phw;
+ int len;
+
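Review bot: Replacing `entskb->mac_header != entskb->network_header` with `skb_mac_header_was_set(entskb)` drops the old condition instead of adding to it, so an skb whose MAC header is set but has zero length now enters the hardware-address branch. The commit named in the Fixes tag introduced that inequality for looped broadcast/multicast packets, which suggests the case still matters. Keeping both tests, `skb_mac_header_was_set(entskb) && entskb->mac_header != entskb->network_header) {`, closes the out-of-bounds read without changing which packets get a hardware address attribute. The branch body and the rest of nfqnl_build_packet_message() are outside the hunk.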
+--
+2.33.0
+
--- /dev/null
+From 8f27d7ba337fdb577395d58808a11deca1944138 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Nov 2021 06:36:36 -0700
+Subject: nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails
+
+From: Chengfeng Ye <cyeaa@connect.ust.hk>
+
+[ Upstream commit 9fec40f850658e00a14a7dd9e06f7fbc7e59cc4a ]
+
+skb is already freed by dev_kfree_skb in pn533_fill_fragment_skbs,
+but follow error handler branch when pn533_fill_fragment_skbs()
+fails, skb is freed again, results in double free issue. Fix this
+by not free skb in error path of pn533_fill_fragment_skbs.
+
+Fixes: 963a82e07d4e ("NFC: pn533: Split large Tx frames in chunks")
+Fixes: 93ad42020c2d ("NFC: pn533: Target mode Tx fragmentation support")
+Signed-off-by: Chengfeng Ye <cyeaa@connect.ust.hk>
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/pn533/pn533.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/nfc/pn533/pn533.c b/drivers/nfc/pn533/pn533.c
+index 6c495664d2cb7..806309ee41657 100644
+--- a/drivers/nfc/pn533/pn533.c
++++ b/drivers/nfc/pn533/pn533.c
+@@ -2075,7 +2075,7 @@ static int pn533_fill_fragment_skbs(struct pn533 *dev, struct sk_buff *skb)
+ frag = pn533_alloc_skb(dev, frag_size);
+ if (!frag) {
+ skb_queue_purge(&dev->fragment_skb);
+- break;
++ return -ENOMEM;
+ }
+
+ if (!dev->tgt_mode) {
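Review bot: Nothing on pn533_fill_fragment_skbs() records who owns skb on each return path, and that unstated contract is what produced the double free. Going by the commit message, the success path frees skb inside the function, and with `return -ENOMEM;` the failure path now leaves it to the caller's `error` label. A comment above the function would pin this down, for example `/* Consumes skb and returns the number of queued fragments on success; on failure returns a negative errno and skb stays owned by the caller. */`. The callers in the pn533_transceive() and pn533_tm_send() hunks now continue on `rc == 0`, so the comment should also state that a successful return is always positive, or the callers should check the skb_dequeue() result. The function starts and ends outside this hunk, so the success path is inferred.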
+@@ -2145,7 +2145,7 @@ static int pn533_transceive(struct nfc_dev *nfc_dev,
+ /* jumbo frame ? */
+ if (skb->len > PN533_CMD_DATAEXCH_DATA_MAXLEN) {
+ rc = pn533_fill_fragment_skbs(dev, skb);
+- if (rc <= 0)
++ if (rc < 0)
+ goto error;
+
+ skb = skb_dequeue(&dev->fragment_skb);
+@@ -2217,7 +2217,7 @@ static int pn533_tm_send(struct nfc_dev *nfc_dev, struct sk_buff *skb)
+ /* let's split in multiple chunks if size's too big */
+ if (skb->len > PN533_CMD_DATAEXCH_DATA_MAXLEN) {
+ rc = pn533_fill_fragment_skbs(dev, skb);
+- if (rc <= 0)
++ if (rc < 0)
+ goto error;
+
+ /* get the first skb */
+--
+2.33.0
+
--- /dev/null
+From 6390f940cc441a3ebebcfe071b2a0248e773a064 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 9 Oct 2021 20:24:39 +0200
+Subject: parisc: fix warning in flush_tlb_all
+
+From: Sven Schnelle <svens@stackframe.org>
+
+[ Upstream commit 1030d681319b43869e0d5b568b9d0226652d1a6f ]
+
+I've got the following splat after enabling preemption:
+
+[ 3.724721] BUG: using __this_cpu_add() in preemptible [00000000] code: swapper/0/1
+[ 3.734630] caller is __this_cpu_preempt_check+0x38/0x50
+[ 3.740635] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.15.0-rc4-64bit+ #324
+[ 3.744605] Hardware name: 9000/785/C8000
+[ 3.744605] Backtrace:
+[ 3.744605] [<00000000401d9d58>] show_stack+0x74/0xb0
+[ 3.744605] [<0000000040c27bd4>] dump_stack_lvl+0x10c/0x188
+[ 3.744605] [<0000000040c27c84>] dump_stack+0x34/0x48
+[ 3.744605] [<0000000040c33438>] check_preemption_disabled+0x178/0x1b0
+[ 3.744605] [<0000000040c334f8>] __this_cpu_preempt_check+0x38/0x50
+[ 3.744605] [<00000000401d632c>] flush_tlb_all+0x58/0x2e0
+[ 3.744605] [<00000000401075c0>] 0x401075c0
+[ 3.744605] [<000000004010b8fc>] 0x4010b8fc
+[ 3.744605] [<00000000401080fc>] 0x401080fc
+[ 3.744605] [<00000000401d5224>] do_one_initcall+0x128/0x378
+[ 3.744605] [<0000000040102de8>] 0x40102de8
+[ 3.744605] [<0000000040c33864>] kernel_init+0x60/0x3a8
+[ 3.744605] [<00000000401d1020>] ret_from_kernel_thread+0x20/0x28
+[ 3.744605]
+
+Fix this by moving the __inc_irq_stat() into the locked section.
+
+Signed-off-by: Sven Schnelle <svens@stackframe.org>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/parisc/mm/init.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/parisc/mm/init.c b/arch/parisc/mm/init.c
+index dbbe3932f833c..7bdc449615e85 100644
+--- a/arch/parisc/mm/init.c
++++ b/arch/parisc/mm/init.c
+@@ -940,9 +940,9 @@ void flush_tlb_all(void)
+ {
+ int do_recycle;
+
+- __inc_irq_stat(irq_tlb_count);
+ do_recycle = 0;
+ spin_lock(&sid_lock);
++ __inc_irq_stat(irq_tlb_count);
+ if (dirty_space_ids > RECYCLE_THRESHOLD) {
+ BUG_ON(recycle_inuse); /* FIXME: Use a semaphore/wait queue here */
+ get_dirty_sids(&recycle_ndirty,recycle_dirty_array);
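Review bot: The moved `__inc_irq_stat(irq_tlb_count);` now sits under sid_lock with nothing saying why, and the counter does not look like data that sid_lock protects. A later cleanup could hoist it back out and reintroduce the preemptible-context splat quoted in the commit message. A one-line comment at the call would prevent that, for example `/* per-CPU statistic: must be updated with preemption disabled, which holding sid_lock provides */`. The same applies to the non-recycling variant of flush_tlb_all() in the next hunk. The function body continues outside this hunk.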
+@@ -961,8 +961,8 @@ void flush_tlb_all(void)
+ #else
+ void flush_tlb_all(void)
+ {
+- __inc_irq_stat(irq_tlb_count);
+ spin_lock(&sid_lock);
++ __inc_irq_stat(irq_tlb_count);
+ flush_tlb_all_local(NULL);
+ recycle_sids();
+ spin_unlock(&sid_lock);
+--
+2.33.0
+
--- /dev/null
+From da9f885acc1ed0844762af61a06c353bd2153d5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Oct 2021 21:49:23 +0200
+Subject: parisc/kgdb: add kgdb_roundup() to make kgdb work with idle polling
+
+From: Sven Schnelle <svens@stackframe.org>
+
+[ Upstream commit 66e29fcda1824f0427966fbee2bd2c85bf362c82 ]
+
+With idle polling, IPIs are not sent when a CPU is idle, but queued
+and run later from do_idle(). The default kgdb_call_nmi_hook()
+implementation gets the pointer to struct pt_regs from get_irq_regs(),
+which doesn't work in that case because it was not called from the
+IPI interrupt handler. Fix it by defining our own kgdb_roundup()
+function which sends an IPI_ENTER_KGDB. When that IPI is received
+on the target CPU kgdb_nmicallback() is called.
+
+Signed-off-by: Sven Schnelle <svens@stackframe.org>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/parisc/kernel/smp.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/arch/parisc/kernel/smp.c b/arch/parisc/kernel/smp.c
+index 75dab2871346c..af966c1c922ff 100644
+--- a/arch/parisc/kernel/smp.c
++++ b/arch/parisc/kernel/smp.c
+@@ -32,6 +32,7 @@
+ #include <linux/bitops.h>
+ #include <linux/ftrace.h>
+ #include <linux/cpu.h>
++#include <linux/kgdb.h>
+
+ #include <linux/atomic.h>
+ #include <asm/current.h>
+@@ -74,7 +75,10 @@ enum ipi_message_type {
+ IPI_CALL_FUNC,
+ IPI_CPU_START,
+ IPI_CPU_STOP,
+- IPI_CPU_TEST
++ IPI_CPU_TEST,
++#ifdef CONFIG_KGDB
++ IPI_ENTER_KGDB,
++#endif
+ };
+
+
+@@ -170,7 +174,12 @@ ipi_interrupt(int irq, void *dev_id)
+ case IPI_CPU_TEST:
+ smp_debug(100, KERN_DEBUG "CPU%d is alive!\n", this_cpu);
+ break;
+-
++#ifdef CONFIG_KGDB
++ case IPI_ENTER_KGDB:
++ smp_debug(100, KERN_DEBUG "CPU%d ENTER_KGDB\n", this_cpu);
++ kgdb_nmicallback(raw_smp_processor_id(), get_irq_regs());
++ break;
++#endif
+ default:
+ printk(KERN_CRIT "Unknown IPI num on CPU%d: %lu\n",
+ this_cpu, which);
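Review bot: The new `IPI_ENTER_KGDB` case names the current CPU two different ways: the debug line prints `this_cpu`, while the next line passes `raw_smp_processor_id()` to kgdb_nmicallback(). If `this_cpu` is the handler's cached CPU number, as the neighbouring cases suggest, the call reads more consistently as `kgdb_nmicallback(this_cpu, get_irq_regs());`. Its declaration is outside the hunk, so confirm that first. ipi_interrupt() starts and ends outside this hunk.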
+@@ -226,6 +235,12 @@ send_IPI_allbutself(enum ipi_message_type op)
+ }
+ }
+
++#ifdef CONFIG_KGDB
++void kgdb_roundup_cpus(void)
++{
++ send_IPI_allbutself(IPI_ENTER_KGDB);
++}
++#endif
+
+ inline void
+ smp_send_stop(void) { send_IPI_allbutself(IPI_CPU_STOP); }
+--
+2.33.0
+
--- /dev/null
+From c53152de45ce283f940b22ef17591846ecf1e944 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Oct 2021 20:09:42 +0200
+Subject: PCI: aardvark: Don't spam about PIO Response Status
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún <kabel@kernel.org>
+
+[ Upstream commit 464de7e7fff767e87429cd7be09c4f2cb50a6ccb ]
+
+Use dev_dbg() instead of dev_err() in advk_pcie_check_pio_status().
+
+For example CRS is not an error status, it just says that the request
+should be retried.
+
+Link: https://lore.kernel.org/r/20211005180952.6812-4-kabel@kernel.org
+Fixes: 8c39d710363c1 ("PCI: aardvark: Add Aardvark PCI host controller driver")
+Signed-off-by: Marek Behún <kabel@kernel.org>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/host/pci-aardvark.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/host/pci-aardvark.c b/drivers/pci/host/pci-aardvark.c
+index 2afa42046c3e3..08375e68f1c30 100644
+--- a/drivers/pci/host/pci-aardvark.c
++++ b/drivers/pci/host/pci-aardvark.c
+@@ -405,7 +405,7 @@ static void advk_pcie_check_pio_status(struct advk_pcie *pcie)
+ else
+ str_posted = "Posted";
+
+- dev_err(dev, "%s PIO Response Status: %s, %#x @ %#x\n",
++ dev_dbg(dev, "%s PIO Response Status: %s, %#x @ %#x\n",
+ str_posted, strcomp_status, reg, advk_readl(pcie, PIO_ADDR_LS));
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 749e929efd6568690bd02d6e85f2d28dc1198218 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Oct 2021 21:16:47 +0200
+Subject: phy: micrel: ksz8041nl: do not use power down mode
+
+From: Stefan Agner <stefan@agner.ch>
+
+[ Upstream commit 2641b62d2fab52648e34cdc6994b2eacde2d27c1 ]
+
+Some Micrel KSZ8041NL PHY chips exhibit continuous RX errors after using
+the power down mode bit (0.11). If the PHY is taken out of power down
+mode in a certain temperature range, the PHY enters a weird state which
+leads to continuously reporting RX errors. In that state, the MAC is not
+able to receive or send any Ethernet frames and the activity LED is
+constantly blinking. Since Linux is using the suspend callback when the
+interface is taken down, ending up in that state can easily happen
+during a normal startup.
+
+Micrel confirmed the issue in errata DS80000700A [*], caused by abnormal
+clock recovery when using power down mode. Even the latest revision (A4,
+Revision ID 0x1513) seems to suffer that problem, and according to the
+errata is not going to be fixed.
+
+Remove the suspend/resume callback to avoid using the power down mode
+completely.
+
+[*] https://ww1.microchip.com/downloads/en/DeviceDoc/80000700A.pdf
+
+Fixes: 1a5465f5d6a2 ("phy/micrel: Add suspend/resume support to Micrel PHYs")
+Signed-off-by: Stefan Agner <stefan@agner.ch>
+Acked-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
+Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/micrel.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c
+index 1704d9e2ca8d1..c21328e1e3cca 100644
+--- a/drivers/net/phy/micrel.c
++++ b/drivers/net/phy/micrel.c
+@@ -876,8 +876,9 @@ static struct phy_driver ksphy_driver[] = {
+ .get_sset_count = kszphy_get_sset_count,
+ .get_strings = kszphy_get_strings,
+ .get_stats = kszphy_get_stats,
+- .suspend = genphy_suspend,
+- .resume = genphy_resume,
++ /* No suspend/resume callbacks because of errata DS80000700A,
++ * receiver error following software power down.
++ */
+ }, {
+ .phy_id = PHY_ID_KSZ8041RNLI,
+ .phy_id_mask = MICREL_PHY_ID_MASK,
+--
+2.33.0
+
--- /dev/null
+From 1d9d995fa1e55c841bfa26bbdc6d1d9de67360e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Oct 2021 11:25:37 -0700
+Subject: platform/x86: thinkpad_acpi: Fix bitwise vs. logical warning
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit fd96e35ea7b95f1e216277805be89d66e4ae962d ]
+
+A new warning in clang points out a use of bitwise OR with boolean
+expressions in this driver:
+
+drivers/platform/x86/thinkpad_acpi.c:9061:11: error: use of bitwise '|' with boolean operands [-Werror,-Wbitwise-instead-of-logical]
+ else if ((strlencmp(cmd, "level disengaged") == 0) |
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ||
+drivers/platform/x86/thinkpad_acpi.c:9061:11: note: cast one or both operands to int to silence this warning
+1 error generated.
+
+This should clearly be a logical OR so change it to fix the warning.
+
+Fixes: fe98a52ce754 ("ACPI: thinkpad-acpi: add sysfs support to fan subdriver")
+Link: https://github.com/ClangBuiltLinux/linux/issues/1476
+Reported-by: Tor Vic <torvic9@mailbox.org>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Link: https://lore.kernel.org/r/20211018182537.2316800-1-nathan@kernel.org
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/thinkpad_acpi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c
+index 84bfecded84d9..9c929b5ce58e2 100644
+--- a/drivers/platform/x86/thinkpad_acpi.c
++++ b/drivers/platform/x86/thinkpad_acpi.c
+@@ -8884,7 +8884,7 @@ static int fan_write_cmd_level(const char *cmd, int *rc)
+
+ if (strlencmp(cmd, "level auto") == 0)
+ level = TP_EC_FAN_AUTO;
+- else if ((strlencmp(cmd, "level disengaged") == 0) |
++ else if ((strlencmp(cmd, "level disengaged") == 0) ||
+ (strlencmp(cmd, "level full-speed") == 0))
+ level = TP_EC_FAN_FULLSPEED;
+ else if (sscanf(cmd, "level %d", &level) != 1)
+--
+2.33.0
+
--- /dev/null
+From 3fc48be73e16d71861ce7b1e800025fbd19bc8d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Sep 2021 17:56:26 +0000
+Subject: platform/x86: wmi: do not fail if disabling fails
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Barnabás Pőcze <pobrn@protonmail.com>
+
+[ Upstream commit 1975718c488a39128f1f515b23ae61a5a214cc3d ]
+
+Previously, `__query_block()` would fail if the
+second WCxx method call failed. However, the
+WQxx method might have succeeded, and potentially
+allocated memory for the result. Instead of
+throwing away the result and potentially
+leaking memory, ignore the result of
+the second WCxx call.
+
+Signed-off-by: Barnabás Pőcze <pobrn@protonmail.com>
+Link: https://lore.kernel.org/r/20210904175450.156801-25-pobrn@protonmail.com
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/wmi.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c
+index 00d82e8443bdd..da06284c455dc 100644
+--- a/drivers/platform/x86/wmi.c
++++ b/drivers/platform/x86/wmi.c
+@@ -289,7 +289,14 @@ struct acpi_buffer *out)
+ * the WQxx method failed - we should disable collection anyway.
+ */
+ if ((block->flags & ACPI_WMI_EXPENSIVE) && ACPI_SUCCESS(wc_status)) {
+- status = acpi_execute_simple_method(handle, wc_method, 0);
++ /*
++ * Ignore whether this WCxx call succeeds or not since
++ * the previously executed WQxx method call might have
++ * succeeded, and returning the failing status code
++ * of this call would throw away the result of the WQxx
++ * call, potentially leaking memory.
++ */
++ acpi_execute_simple_method(handle, wc_method, 0);
+ }
+
+ return status;
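Review bot: The WCxx disable call at `acpi_execute_simple_method(handle, wc_method, 0);` now fails with no trace at all, so firmware that leaves an expensive collection enabled cannot be diagnosed from the logs. The result of the call can still be dropped from the return value while being reported, for example `if (ACPI_FAILURE(acpi_execute_simple_method(handle, wc_method, 0))) pr_debug("WCxx disable call failed\n");`. The enclosing function starts outside this hunk, so how `status` is set by the earlier WQxx call is not visible here.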
+--
+2.33.0
+
--- /dev/null
+From 2afaa174d9c564c226965bd6839b691e5bf9ec27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Oct 2021 20:19:14 +0800
+Subject: PM: hibernate: Get block device exclusively in swsusp_check()
+
+From: Ye Bin <yebin10@huawei.com>
+
+[ Upstream commit 39fbef4b0f77f9c89c8f014749ca533643a37c9f ]
+
+The following kernel crash can be triggered:
+
+[ 89.266592] ------------[ cut here ]------------
+[ 89.267427] kernel BUG at fs/buffer.c:3020!
+[ 89.268264] invalid opcode: 0000 [#1] SMP KASAN PTI
+[ 89.269116] CPU: 7 PID: 1750 Comm: kmmpd-loop0 Not tainted 5.10.0-862.14.0.6.x86_64-08610-gc932cda3cef4-dirty #20
+[ 89.273169] RIP: 0010:submit_bh_wbc.isra.0+0x538/0x6d0
+[ 89.277157] RSP: 0018:ffff888105ddfd08 EFLAGS: 00010246
+[ 89.278093] RAX: 0000000000000005 RBX: ffff888124231498 RCX: ffffffffb2772612
+[ 89.279332] RDX: 1ffff11024846293 RSI: 0000000000000008 RDI: ffff888124231498
+[ 89.280591] RBP: ffff8881248cc000 R08: 0000000000000001 R09: ffffed1024846294
+[ 89.281851] R10: ffff88812423149f R11: ffffed1024846293 R12: 0000000000003800
+[ 89.283095] R13: 0000000000000001 R14: 0000000000000000 R15: ffff8881161f7000
+[ 89.284342] FS: 0000000000000000(0000) GS:ffff88839b5c0000(0000) knlGS:0000000000000000
+[ 89.285711] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 89.286701] CR2: 00007f166ebc01a0 CR3: 0000000435c0e000 CR4: 00000000000006e0
+[ 89.287919] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 89.289138] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 89.290368] Call Trace:
+[ 89.290842] write_mmp_block+0x2ca/0x510
+[ 89.292218] kmmpd+0x433/0x9a0
+[ 89.294902] kthread+0x2dd/0x3e0
+[ 89.296268] ret_from_fork+0x22/0x30
+[ 89.296906] Modules linked in:
+
+by running the following commands:
+
+ 1. mkfs.ext4 -O mmp /dev/sda -b 1024
+ 2. mount /dev/sda /home/test
+ 3. echo "/dev/sda" > /sys/power/resume
+
+That happens because swsusp_check() calls set_blocksize() on the
+target partition which confuses the file system:
+
+ Thread1 Thread2
+mount /dev/sda /home/test
+get s_mmp_bh --> has mapped flag
+start kmmpd thread
+ echo "/dev/sda" > /sys/power/resume
+ resume_store
+ software_resume
+ swsusp_check
+ set_blocksize
+ truncate_inode_pages_range
+ truncate_cleanup_page
+ block_invalidatepage
+ discard_buffer --> clean mapped flag
+write_mmp_block
+ submit_bh
+ submit_bh_wbc
+ BUG_ON(!buffer_mapped(bh))
+
+To address this issue, modify swsusp_check() to open the target block
+device with exclusive access.
+
+Signed-off-by: Ye Bin <yebin10@huawei.com>
+[ rjw: Subject and changelog edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/power/swap.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/power/swap.c b/kernel/power/swap.c
+index a3b1e617bcdc3..8009cd308fcc6 100644
+--- a/kernel/power/swap.c
++++ b/kernel/power/swap.c
+@@ -1528,9 +1528,10 @@ end:
+ int swsusp_check(void)
+ {
+ int error;
++ void *holder;
+
+ hib_resume_bdev = blkdev_get_by_dev(swsusp_resume_device,
+- FMODE_READ, NULL);
++ FMODE_READ | FMODE_EXCL, &holder);
+ if (!IS_ERR(hib_resume_bdev)) {
+ set_blocksize(hib_resume_bdev, PAGE_SIZE);
+ clear_page(swsusp_header);
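Review bot: `holder` is a stack local in swsusp_check(), yet its address is passed to blkdev_get_by_dev() as the owner of the exclusive claim, and on the success path the device stays open after the function returns. The claim is then tagged with an address from a dead stack frame, which any later frame can reuse. If the block layer compares holder pointers to decide who owns a claim, that identity is no longer unique. A file-scope object avoids this, for example `static void *swsusp_holder;` with `&swsusp_holder` passed here. The function body continues outside this hunk.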
+@@ -1552,7 +1553,7 @@ int swsusp_check(void)
+
+ put:
+ if (error)
+- blkdev_put(hib_resume_bdev, FMODE_READ);
++ blkdev_put(hib_resume_bdev, FMODE_READ | FMODE_EXCL);
+ else
+ pr_debug("PM: Image signature found, resuming\n");
+ } else {
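Review bot: Only the error-path put in this hunk was switched to `FMODE_READ | FMODE_EXCL`, but the success branch leaves hib_resume_bdev open with the exclusive claim in place. Every later release of that device therefore has to pass the same mode. Any remaining `blkdev_put(hib_resume_bdev, FMODE_READ)` elsewhere in kernel/power/swap.c should become `blkdev_put(hib_resume_bdev, FMODE_READ | FMODE_EXCL);`, otherwise the claim is presumably never dropped. Those call sites are outside the visible hunks, so this needs checking against the full file.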
+--
+2.33.0
+
--- /dev/null
+From 1bfee5bdb36d8249a59ab970fea7015e440a4cb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Sep 2021 11:59:24 +1000
+Subject: pnfs/flexfiles: Fix misplaced barrier in nfs4_ff_layout_prepare_ds
+
+From: Baptiste Lepers <baptiste.lepers@gmail.com>
+
+[ Upstream commit a2915fa06227b056a8f9b0d79b61dca08ad5cfc6 ]
+
+_nfs4_pnfs_v3/v4_ds_connect do
+ some work
+ smp_wmb
+ ds->ds_clp = clp;
+
+And nfs4_ff_layout_prepare_ds currently does
+ smp_rmb
+ if(ds->ds_clp)
+ ...
+
+This patch places the smp_rmb after the if. This ensures that following
+reads only happen once nfs4_ff_layout_prepare_ds has checked that data
+has been properly initialized.
+
+Fixes: d67ae825a59d6 ("pnfs/flexfiles: Add the FlexFile Layout Driver")
+Signed-off-by: Baptiste Lepers <baptiste.lepers@gmail.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/flexfilelayout/flexfilelayoutdev.c | 4 ++--
+ fs/nfs/pnfs_nfs.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fs/nfs/flexfilelayout/flexfilelayoutdev.c b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+index c8863563c6350..287ed99a7e513 100644
+--- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c
++++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+@@ -383,10 +383,10 @@ nfs4_ff_layout_prepare_ds(struct pnfs_layout_segment *lseg, u32 ds_idx,
+ goto out_fail;
+
+ ds = mirror->mirror_ds->ds;
++ if (READ_ONCE(ds->ds_clp))
++ goto out;
+ /* matching smp_wmb() in _nfs4_pnfs_v3/4_ds_connect */
+ smp_rmb();
+- if (ds->ds_clp)
+- goto out;
+
+ /* FIXME: For now we assume the server sent only one version of NFS
+ * to use for the DS.
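Review bot: The fast path `if (READ_ONCE(ds->ds_clp)) goto out;` jumps past `smp_rmb()`, so the one path that observes a published `ds_clp` runs no read barrier before later reads of the connection state. Unless the code at `out:` (outside this hunk) supplies ordering, the barrier no longer pairs with the `smp_wmb()` in the two `_nfs4_pnfs_v3/4_ds_connect` hunks on the path that matters. An acquire load makes the pairing explicit on both outcomes: `if (smp_load_acquire(&ds->ds_clp)) goto out;`. The writers would then use `smp_store_release(&ds->ds_clp, clp);` in place of `smp_wmb(); WRITE_ONCE(ds->ds_clp, clp);`. nfs4_ff_layout_prepare_ds() starts and ends outside this hunk.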
+diff --git a/fs/nfs/pnfs_nfs.c b/fs/nfs/pnfs_nfs.c
+index 53b4705abcc76..1f2da20946640 100644
+--- a/fs/nfs/pnfs_nfs.c
++++ b/fs/nfs/pnfs_nfs.c
+@@ -666,7 +666,7 @@ static int _nfs4_pnfs_v3_ds_connect(struct nfs_server *mds_srv,
+ }
+
+ smp_wmb();
+- ds->ds_clp = clp;
++ WRITE_ONCE(ds->ds_clp, clp);
+ dprintk("%s [new] addr: %s\n", __func__, ds->ds_remotestr);
+ out:
+ return status;
+@@ -742,7 +742,7 @@ static int _nfs4_pnfs_v4_ds_connect(struct nfs_server *mds_srv,
+ }
+
+ smp_wmb();
+- ds->ds_clp = clp;
++ WRITE_ONCE(ds->ds_clp, clp);
+ dprintk("%s [new] addr: %s\n", __func__, ds->ds_remotestr);
+ out:
+ return status;
+--
+2.33.0
+
--- /dev/null
+From cf0297a252190874b0b0dcb64b3f3211e11763af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Oct 2021 16:25:22 +0100
+Subject: power: supply: bq27xxx: Fix kernel crash on IRQ handler register
+ error
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit cdf10ffe8f626d8a2edc354abf063df0078b2d71 ]
+
+When registering the IRQ handler fails, do not just return the error code,
+this will free the devm_kzalloc()-ed data struct while leaving the queued
+work queued and the registered power_supply registered with both of them
+now pointing to free-ed memory, resulting in various kernel crashes
+soon afterwards.
+
+Instead properly tear-down things on IRQ handler register errors.
+
+Fixes: 703df6c09795 ("power: bq27xxx_battery: Reorganize I2C into a module")
+Cc: Andrew F. Davis <afd@ti.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/bq27xxx_battery_i2c.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/power/supply/bq27xxx_battery_i2c.c b/drivers/power/supply/bq27xxx_battery_i2c.c
+index 5c5c3a6f99234..91fabe9e6efd0 100644
+--- a/drivers/power/supply/bq27xxx_battery_i2c.c
++++ b/drivers/power/supply/bq27xxx_battery_i2c.c
+@@ -115,7 +115,8 @@ static int bq27xxx_battery_i2c_probe(struct i2c_client *client,
+ dev_err(&client->dev,
+ "Unable to register IRQ %d error %d\n",
+ client->irq, ret);
+- return ret;
++ bq27xxx_battery_teardown(di);
++ goto err_failed;
+ }
+ }
+
+--
+2.33.0
+
--- /dev/null
+From e97cebd55c019a0438b28ab63d36a4e3c01d434f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Oct 2021 10:32:45 +0200
+Subject: =?UTF-8?q?power:=20supply:=20rt5033=5Fbattery:=20Change=20voltage?=
+ =?UTF-8?q?=20values=20to=20=C2=B5V?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jakob Hauser <jahau@rocketmail.com>
+
+[ Upstream commit bf895295e9a73411889816f1a0c1f4f1a2d9c678 ]
+
+Currently the rt5033_battery driver provides voltage values in mV. It
+should be µV as stated in Documentation/power/power_supply_class.rst.
+
+Fixes: b847dd96e659 ("power: rt5033_battery: Add RT5033 Fuel gauge device driver")
+Cc: Beomho Seo <beomho.seo@samsung.com>
+Cc: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Jakob Hauser <jahau@rocketmail.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/rt5033_battery.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/power/supply/rt5033_battery.c b/drivers/power/supply/rt5033_battery.c
+index 9310b85f3405e..7eec7014086d8 100644
+--- a/drivers/power/supply/rt5033_battery.c
++++ b/drivers/power/supply/rt5033_battery.c
+@@ -63,7 +63,7 @@ static int rt5033_battery_get_watt_prop(struct i2c_client *client,
+ regmap_read(battery->regmap, regh, &msb);
+ regmap_read(battery->regmap, regl, &lsb);
+
+- ret = ((msb << 4) + (lsb >> 4)) * 1250 / 1000;
++ ret = ((msb << 4) + (lsb >> 4)) * 1250;
+
+ return ret;
+ }
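Review bot: Both `regmap_read()` calls feeding `ret = ((msb << 4) + (lsb >> 4)) * 1250;` discard their return values, so a failed register read is reported to userspace as a voltage built from whatever `msb` and `lsb` hold. Their declarations are outside the hunk, so whether they are initialised cannot be confirmed here. Each call should be checked and the function should bail out before the computation, for example `if (regmap_read(battery->regmap, regh, &msb)) return 0;`. Whether callers would rather see a negative errno is not visible from this hunk.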
+--
+2.33.0
+
--- /dev/null
+From 9f21c3178896803f8c228825dff3166d34fad204 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Oct 2021 10:28:43 +0300
+Subject: RDMA/mlx4: Return missed an error if device doesn't support steering
+
+From: Leon Romanovsky <leonro@nvidia.com>
+
+[ Upstream commit f4e56ec4452f48b8292dcf0e1c4bdac83506fb8b ]
+
+The error flow fixed in this patch is not possible because all kernel
+users of create QP interface check that device supports steering before
+set IB_QP_CREATE_NETIF_QP flag.
+
+Fixes: c1c98501121e ("IB/mlx4: Add support for steerable IB UD QPs")
+Link: https://lore.kernel.org/r/91c61f6e60eb0240f8bbc321fda7a1d2986dd03c.1634023677.git.leonro@nvidia.com
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx4/qp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c
+index 7284a9176844e..718d817265795 100644
+--- a/drivers/infiniband/hw/mlx4/qp.c
++++ b/drivers/infiniband/hw/mlx4/qp.c
+@@ -773,8 +773,10 @@ static int create_qp_common(struct mlx4_ib_dev *dev, struct ib_pd *pd,
+ if (dev->steering_support ==
+ MLX4_STEERING_MODE_DEVICE_MANAGED)
+ qp->flags |= MLX4_IB_QP_NETIF;
+- else
++ else {
++ err = -EINVAL;
+ goto err;
++ }
+ }
+
+ memcpy(&backup_cap, &init_attr->cap, sizeof(backup_cap));
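Review bot: The new `else { err = -EINVAL; goto err; }` leaves the matching `if` branch unbraced, which kernel coding style does not allow once either branch of a conditional needs braces. The `if` side should be braced as well: `if (dev->steering_support == MLX4_STEERING_MODE_DEVICE_MANAGED) { qp->flags |= MLX4_IB_QP_NETIF; } else {`. create_qp_common() starts and ends outside this hunk.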
+--
+2.33.0
+
--- /dev/null
+From d297e4dd355422a3fde9d06916e790a6265c5e43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Aug 2021 16:32:23 +0800
+Subject: RDMA/rxe: Fix wrong port_cap_flags
+
+From: Junji Wei <weijunji@bytedance.com>
+
+[ Upstream commit dcd3f985b20ffcc375f82ca0ca9f241c7025eb5e ]
+
+The port->attr.port_cap_flags should be set to enum
+ib_port_capability_mask_bits in ib_mad.h, not
+RDMA_CORE_CAP_PROT_ROCE_UDP_ENCAP.
+
+Fixes: 8700e3e7c485 ("Soft RoCE driver")
+Link: https://lore.kernel.org/r/20210831083223.65797-1-weijunji@bytedance.com
+Signed-off-by: Junji Wei <weijunji@bytedance.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rxe/rxe_param.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_param.h b/drivers/infiniband/sw/rxe/rxe_param.h
+index 13ed2cc6eaa2a..9f7817e12775a 100644
+--- a/drivers/infiniband/sw/rxe/rxe_param.h
++++ b/drivers/infiniband/sw/rxe/rxe_param.h
+@@ -144,7 +144,7 @@ enum rxe_port_param {
+ RXE_PORT_MAX_MTU = IB_MTU_4096,
+ RXE_PORT_ACTIVE_MTU = IB_MTU_256,
+ RXE_PORT_GID_TBL_LEN = 1024,
+- RXE_PORT_PORT_CAP_FLAGS = RDMA_CORE_CAP_PROT_ROCE_UDP_ENCAP,
++ RXE_PORT_PORT_CAP_FLAGS = IB_PORT_CM_SUP,
+ RXE_PORT_MAX_MSG_SZ = 0x800000,
+ RXE_PORT_BAD_PKEY_CNTR = 0,
+ RXE_PORT_QKEY_VIOL_CNTR = 0,
+--
+2.33.0
+
--- /dev/null
+From aad39b472c06d73b071adcb041011190dd9e7526 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Sep 2021 18:22:41 +0200
+Subject: s390/gmap: don't unconditionally call pte_unmap_unlock() in
+ __gmap_zap()
+
+From: David Hildenbrand <david@redhat.com>
+
+[ Upstream commit b159f94c86b43cf7e73e654bc527255b1f4eafc4 ]
+
+... otherwise we will try unlocking a spinlock that was never locked via a
+garbage pointer.
+
+At the time we reach this code path, we usually successfully looked up
+a PGSTE already; however, evil user space could have manipulated the VMA
+layout in the meantime and triggered removal of the page table.
+
+Fixes: 1e133ab296f3 ("s390/mm: split arch/s390/mm/pgtable.c")
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Acked-by: Heiko Carstens <hca@linux.ibm.com>
+Link: https://lore.kernel.org/r/20210909162248.14969-3-david@redhat.com
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/mm/gmap.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c
+index a8498870bcf49..ffc1372e4c56d 100644
+--- a/arch/s390/mm/gmap.c
++++ b/arch/s390/mm/gmap.c
+@@ -668,9 +668,10 @@ void __gmap_zap(struct gmap *gmap, unsigned long gaddr)
+
+ /* Get pointer to the page table entry */
+ ptep = get_locked_pte(gmap->mm, vmaddr, &ptl);
+- if (likely(ptep))
++ if (likely(ptep)) {
+ ptep_zap_unused(gmap->mm, vmaddr, ptep, 0);
+- pte_unmap_unlock(ptep, ptl);
++ pte_unmap_unlock(ptep, ptl);
++ }
+ }
+ }
+ EXPORT_SYMBOL_GPL(__gmap_zap);
+--
+2.33.0
+
--- /dev/null
+From 35177947f8b30a9282dc9149cb936de4c6dd487e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Sep 2021 18:22:40 +0200
+Subject: s390/gmap: validate VMA in __gmap_zap()
+
+From: David Hildenbrand <david@redhat.com>
+
+[ Upstream commit 2d8fb8f3914b40e3cc12f8cbb74daefd5245349d ]
+
+We should not walk/touch page tables outside of VMA boundaries when
+holding only the mmap sem in read mode. Evil user space can modify the
+VMA layout just before this function runs and e.g., trigger races with
+page table removal code since commit dd2283f2605e ("mm: mmap: zap pages
+with read mmap_sem in munmap"). The pure presence in our guest_to_host
+radix tree does not imply that there is a VMA.
+
+Further, we should not allocate page tables (via get_locked_pte()) outside
+of VMA boundaries: if evil user space decides to map hugetlbfs to these
+ranges, bad things will happen because we suddenly have PTE or PMD page
+tables where we shouldn't have them.
+
+Similarly, we have to check if we suddenly find a hugetlbfs VMA, before
+calling get_locked_pte().
+
+Note that gmap_discard() is different:
+zap_page_range()->unmap_single_vma() makes sure to stay within VMA
+boundaries.
+
+Fixes: b31288fa83b2 ("s390/kvm: support collaborative memory management")
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Acked-by: Heiko Carstens <hca@linux.ibm.com>
+Link: https://lore.kernel.org/r/20210909162248.14969-2-david@redhat.com
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/mm/gmap.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c
+index 0195c3983f540..a8498870bcf49 100644
+--- a/arch/s390/mm/gmap.c
++++ b/arch/s390/mm/gmap.c
+@@ -651,6 +651,7 @@ EXPORT_SYMBOL_GPL(gmap_fault);
+ */
+ void __gmap_zap(struct gmap *gmap, unsigned long gaddr)
+ {
++ struct vm_area_struct *vma;
+ unsigned long vmaddr;
+ spinlock_t *ptl;
+ pte_t *ptep;
+@@ -660,6 +661,11 @@ void __gmap_zap(struct gmap *gmap, unsigned long gaddr)
+ gaddr >> PMD_SHIFT);
+ if (vmaddr) {
+ vmaddr |= gaddr & ~PMD_MASK;
++
++ vma = vma_lookup(gmap->mm, vmaddr);
++ if (!vma || is_vm_hugetlb_page(vma))
++ return;
++
+ /* Get pointer to the page table entry */
+ ptep = get_locked_pte(gmap->mm, vmaddr, &ptl);
+ if (likely(ptep))
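Review bot: The added `vma_lookup()` / `is_vm_hugetlb_page()` guard has no comment, although the commit message gives a security reason for it: user space can change the VMA layout just before this runs. Without that reason at the call site, the early `return` looks like a removable optimisation. A short comment above the check would keep it in place, for example `/* A guest_to_host entry does not prove a VMA exists: never walk or allocate page tables outside a VMA or inside a hugetlbfs one. */`. The check depends on the caller holding the mmap lock; stating that precondition in the function's header comment, or asserting it, would also help. __gmap_zap() continues outside this hunk.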
+--
+2.33.0
+
--- /dev/null
+From 851a8ba9711d66460d92b004d6edf5cbdad67f11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Oct 2021 09:51:28 +0800
+Subject: samples/kretprobes: Fix return value if register_kretprobe() failed
+
+From: Tiezhu Yang <yangtiezhu@loongson.cn>
+
+[ Upstream commit f76fbbbb5061fe14824ba5807c44bd7400a6b4e1 ]
+
+Use the actual return value instead of always -1 if register_kretprobe()
+failed.
+
+E.g. without this patch:
+
+ # insmod samples/kprobes/kretprobe_example.ko func=no_such_func
+ insmod: ERROR: could not insert module samples/kprobes/kretprobe_example.ko: Operation not permitted
+
+With this patch:
+
+ # insmod samples/kprobes/kretprobe_example.ko func=no_such_func
+ insmod: ERROR: could not insert module samples/kprobes/kretprobe_example.ko: Unknown symbol in module
+
+Link: https://lkml.kernel.org/r/1635213091-24387-2-git-send-email-yangtiezhu@loongson.cn
+
+Fixes: 804defea1c02 ("Kprobes: move kprobe examples to samples/")
+Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
+Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/kprobes/kretprobe_example.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/samples/kprobes/kretprobe_example.c b/samples/kprobes/kretprobe_example.c
+index 7f9060f435cde..da6de5e78e1dd 100644
+--- a/samples/kprobes/kretprobe_example.c
++++ b/samples/kprobes/kretprobe_example.c
+@@ -83,7 +83,7 @@ static int __init kretprobe_init(void)
+ ret = register_kretprobe(&my_kretprobe);
+ if (ret < 0) {
+ pr_err("register_kretprobe failed, returned %d\n", ret);
+- return -1;
++ return ret;
+ }
+ pr_info("Planted return probe at %s: %p\n",
+ my_kretprobe.kp.symbol_name, my_kretprobe.kp.addr);
+--
+2.33.0
+
--- /dev/null
+From 7535337e63524cb628d2599cd1a2cc9ed434f3d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Oct 2021 10:32:43 +0300
+Subject: scsi: csiostor: Uninitialized data in csio_ln_vnp_read_cbfn()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit f4875d509a0a78ad294a1a538d534b5ba94e685a ]
+
+This variable is just a temporary variable, used to do an endian
+conversion. The problem is that the last byte is not initialized. After
+the conversion is completely done, the last byte is discarded so it doesn't
+cause a problem. But static checkers and the KMSan runtime checker can
+detect the uninitialized read and will complain about it.
+
+Link: https://lore.kernel.org/r/20211006073242.GA8404@kili
+Fixes: 5036f0a0ecd3 ("[SCSI] csiostor: Fix sparse warnings.")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/csiostor/csio_lnode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/csiostor/csio_lnode.c b/drivers/scsi/csiostor/csio_lnode.c
+index 957767d383610..d1df694d9ed00 100644
+--- a/drivers/scsi/csiostor/csio_lnode.c
++++ b/drivers/scsi/csiostor/csio_lnode.c
+@@ -611,7 +611,7 @@ csio_ln_vnp_read_cbfn(struct csio_hw *hw, struct csio_mb *mbp)
+ struct fc_els_csp *csp;
+ struct fc_els_cssp *clsp;
+ enum fw_retval retval;
+- __be32 nport_id;
++ __be32 nport_id = 0;
+
+ retval = FW_CMD_RETVAL_G(ntohl(rsp->alloc_to_len16));
+ if (retval != FW_SUCCESS) {
+--
+2.33.0
+
--- /dev/null
+From c31f9d74da9ccb5cb95b6302fefabe4c6220662c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Sep 2021 21:07:02 -0700
+Subject: scsi: dc395: Fix error case unwinding
+
+From: Tong Zhang <ztong0001@gmail.com>
+
+[ Upstream commit cbd9a3347c757383f3d2b50cf7cfd03eb479c481 ]
+
+dc395x_init_one()->adapter_init() might fail. In this case, the acb is
+already cleaned up by adapter_init(), no need to do that in
+adapter_uninit(acb) again.
+
+[ 1.252251] dc395x: adapter init failed
+[ 1.254900] RIP: 0010:adapter_uninit+0x94/0x170 [dc395x]
+[ 1.260307] Call Trace:
+[ 1.260442] dc395x_init_one.cold+0x72a/0x9bb [dc395x]
+
+Link: https://lore.kernel.org/r/20210907040702.1846409-1-ztong0001@gmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Finn Thain <fthain@linux-m68k.org>
+Signed-off-by: Tong Zhang <ztong0001@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/dc395x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/dc395x.c b/drivers/scsi/dc395x.c
+index 830b2d2dcf206..8490d0ff04ca7 100644
+--- a/drivers/scsi/dc395x.c
++++ b/drivers/scsi/dc395x.c
+@@ -4809,6 +4809,7 @@ static int dc395x_init_one(struct pci_dev *dev, const struct pci_device_id *id)
+ /* initialise the adapter and everything we need */
+ if (adapter_init(acb, io_port_base, io_port_len, irq)) {
+ dprintkl(KERN_INFO, "adapter init failed\n");
++ acb = NULL;
+ goto fail;
+ }
+
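Review bot: The added `acb = NULL;` before `goto fail;` carries no comment, and its effect depends entirely on the `fail:` unwind path, which lies outside this hunk. Going by the commit message, adapter_init() has already cleaned up acb when it fails, so clearing the pointer is presumably what stops the unwind code from calling adapter_uninit(acb) a second time. I would add `/* adapter_init() already cleaned up acb on failure; keep fail: from uninitialising it again */` above the assignment, so a later refactor of the error path does not reintroduce the double teardown shown in the trace.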
+--
+2.33.0
+
--- /dev/null
+From eb79f08a1f83c3ff3dd4069e0c4abcb46b76560d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Oct 2021 04:54:02 -0700
+Subject: scsi: qla2xxx: Turn off target reset during issue_lip
+
+From: Quinn Tran <qutran@marvell.com>
+
+[ Upstream commit 0b7a9fd934a68ebfc1019811b7bdc1742072ad7b ]
+
+When user uses issue_lip to do link bounce, driver sends additional target
+reset to remote device before resetting the link. The target reset would
+affect other paths with active I/Os. This patch will remove the unnecessary
+target reset.
+
+Link: https://lore.kernel.org/r/20211026115412.27691-4-njavali@marvell.com
+Fixes: 5854771e314e ("[SCSI] qla2xxx: Add ISPFX00 specific bus reset routine")
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_gbl.h | 2 --
+ drivers/scsi/qla2xxx/qla_mr.c | 23 -----------------------
+ drivers/scsi/qla2xxx/qla_os.c | 27 ++-------------------------
+ 3 files changed, 2 insertions(+), 50 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_gbl.h b/drivers/scsi/qla2xxx/qla_gbl.h
+index 6ca00813c71f0..4a1a16e6a8204 100644
+--- a/drivers/scsi/qla2xxx/qla_gbl.h
++++ b/drivers/scsi/qla2xxx/qla_gbl.h
+@@ -115,7 +115,6 @@ extern int ql2xasynctmfenable;
+ extern int ql2xgffidenable;
+ extern int ql2xenabledif;
+ extern int ql2xenablehba_err_chk;
+-extern int ql2xtargetreset;
+ extern int ql2xdontresethba;
+ extern uint64_t ql2xmaxlun;
+ extern int ql2xmdcapmask;
+@@ -655,7 +654,6 @@ extern void qlafx00_abort_iocb(srb_t *, struct abort_iocb_entry_fx00 *);
+ extern void qlafx00_fxdisc_iocb(srb_t *, struct fxdisc_entry_fx00 *);
+ extern void qlafx00_timer_routine(scsi_qla_host_t *);
+ extern int qlafx00_rescan_isp(scsi_qla_host_t *);
+-extern int qlafx00_loop_reset(scsi_qla_host_t *vha);
+
+ /* qla82xx related functions */
+
+diff --git a/drivers/scsi/qla2xxx/qla_mr.c b/drivers/scsi/qla2xxx/qla_mr.c
+index 15dff7099955b..b72cc4b1287d9 100644
+--- a/drivers/scsi/qla2xxx/qla_mr.c
++++ b/drivers/scsi/qla2xxx/qla_mr.c
+@@ -738,29 +738,6 @@ qlafx00_lun_reset(fc_port_t *fcport, uint64_t l, int tag)
+ return qla2x00_async_tm_cmd(fcport, TCF_LUN_RESET, l, tag);
+ }
+
+-int
+-qlafx00_loop_reset(scsi_qla_host_t *vha)
+-{
+- int ret;
+- struct fc_port *fcport;
+- struct qla_hw_data *ha = vha->hw;
+-
+- if (ql2xtargetreset) {
+- list_for_each_entry(fcport, &vha->vp_fcports, list) {
+- if (fcport->port_type != FCT_TARGET)
+- continue;
+-
+- ret = ha->isp_ops->target_reset(fcport, 0, 0);
+- if (ret != QLA_SUCCESS) {
+- ql_dbg(ql_dbg_taskm, vha, 0x803d,
+- "Bus Reset failed: Reset=%d "
+- "d_id=%x.\n", ret, fcport->d_id.b24);
+- }
+- }
+- }
+- return QLA_SUCCESS;
+-}
+-
+ int
+ qlafx00_iospace_config(struct qla_hw_data *ha)
+ {
+diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
+index 65bbca715f57d..274b61ddee04a 100644
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -180,12 +180,6 @@ MODULE_PARM_DESC(ql2xdbwr,
+ " 0 -- Regular doorbell.\n"
+ " 1 -- CAMRAM doorbell (faster).\n");
+
+-int ql2xtargetreset = 1;
+-module_param(ql2xtargetreset, int, S_IRUGO);
+-MODULE_PARM_DESC(ql2xtargetreset,
+- "Enable target reset."
+- "Default is 1 - use hw defaults.");
+-
+ int ql2xgffidenable;
+ module_param(ql2xgffidenable, int, S_IRUGO);
+ MODULE_PARM_DESC(ql2xgffidenable,
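Review bot: Deleting `module_param(ql2xtargetreset, int, S_IRUGO);` removes a user-visible knob, and neither this hunk nor the commit message mentions it. Systems that still set `ql2xtargetreset` in modprobe configuration or on the kernel command line will be passing a parameter the driver no longer knows, and the read-only sysfs entry for it disappears as well. If the stable queue is meant to keep that interface stable, the removal deserves a line in the changelog so operators can clean up their configuration.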
+@@ -1401,27 +1395,10 @@ int
+ qla2x00_loop_reset(scsi_qla_host_t *vha)
+ {
+ int ret;
+- struct fc_port *fcport;
+ struct qla_hw_data *ha = vha->hw;
+
+- if (IS_QLAFX00(ha)) {
+- return qlafx00_loop_reset(vha);
+- }
+-
+- if (ql2xtargetreset == 1 && ha->flags.enable_target_reset) {
+- list_for_each_entry(fcport, &vha->vp_fcports, list) {
+- if (fcport->port_type != FCT_TARGET)
+- continue;
+-
+- ret = ha->isp_ops->target_reset(fcport, 0, 0);
+- if (ret != QLA_SUCCESS) {
+- ql_dbg(ql_dbg_taskm, vha, 0x802c,
+- "Bus Reset failed: Reset=%d "
+- "d_id=%x.\n", ret, fcport->d_id.b24);
+- }
+- }
+- }
+-
++ if (IS_QLAFX00(ha))
++ return QLA_SUCCESS;
+
+ if (ha->flags.enable_lip_full_login && !IS_CNA_CAPABLE(ha)) {
+ atomic_set(&vha->loop_state, LOOP_DOWN);
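Review bot: The `IS_QLAFX00(ha)` branch of `qla2x00_loop_reset()` now returns `QLA_SUCCESS` without doing any work, and nothing at the call site says this is deliberate. A short comment such as `/* ISPFX00: nothing to do here, target reset on issue_lip was removed on purpose */` above the `if` would stop the early return from looking like a leftover. The function also no longer reads `ha->flags.enable_target_reset`. Whether any other reader of that flag remains cannot be told from this hunk, and the function body continues past it, so it is worth checking that the flag is not now dead state.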
+--
+2.33.0
+
--- /dev/null
+From 936d29c2393596065c586add91cc1972af313669 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Oct 2021 16:45:16 +0300
+Subject: serial: 8250_dw: Drop wrong use of ACPI_PTR()
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit ebabb77a2a115b6c5e68f7364b598310b5f61fb2 ]
+
+ACPI_PTR() is more harmful than helpful. For example, in this case
+if CONFIG_ACPI=n, the ID table left unused which is not what we want.
+
+Instead of adding ifdeffery here and there, drop ACPI_PTR().
+
+Fixes: 6a7320c4669f ("serial: 8250_dw: Add ACPI 5.0 support")
+Reported-by: Daniel Palmer <daniel@0x0f.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20211005134516.23218-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_dw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/8250/8250_dw.c b/drivers/tty/serial/8250/8250_dw.c
+index 22d65a33059e1..aa9cc5e1c91cc 100644
+--- a/drivers/tty/serial/8250/8250_dw.c
++++ b/drivers/tty/serial/8250/8250_dw.c
+@@ -637,7 +637,7 @@ static struct platform_driver dw8250_platform_driver = {
+ .name = "dw-apb-uart",
+ .pm = &dw8250_pm_ops,
+ .of_match_table = dw8250_of_match,
+- .acpi_match_table = ACPI_PTR(dw8250_acpi_match),
++ .acpi_match_table = dw8250_acpi_match,
+ },
+ .probe = dw8250_probe,
+ .remove = dw8250_remove,
+--
+2.33.0
+
--- /dev/null
+From df54e0daa503f13a40d871531c815af74d72bbf4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Oct 2021 13:27:41 +0300
+Subject: serial: xilinx_uartps: Fix race condition causing stuck TX
+
+From: Anssi Hannula <anssi.hannula@bitwise.fi>
+
+[ Upstream commit 88b20f84f0fe47409342669caf3e58a3fc64c316 ]
+
+xilinx_uartps .start_tx() clears TXEMPTY when enabling TXEMPTY to avoid
+any previous TXEVENT event asserting the UART interrupt. This clear
+operation is done immediately after filling the TX FIFO.
+
+However, if the bytes inserted by cdns_uart_handle_tx() are consumed by
+the UART before the TXEMPTY is cleared, the clear operation eats the new
+TXEMPTY event as well, causing cdns_uart_isr() to never receive the
+TXEMPTY event. If there are bytes still queued in circbuf, TX will get
+stuck as they will never get transferred to FIFO (unless new bytes are
+queued to circbuf in which case .start_tx() is called again).
+
+While the racy missed TXEMPTY occurs fairly often with short data
+sequences (e.g. write 1 byte), in those cases circbuf is usually empty
+so no action on TXEMPTY would have been needed anyway. On the other
+hand, longer data sequences make the race much more unlikely as UART
+takes longer to consume the TX FIFO. Therefore it is rare for this race
+to cause visible issues in general.
+
+Fix the race by clearing the TXEMPTY bit in ISR *before* filling the
+FIFO.
+
+The TXEMPTY bit in ISR will only get asserted at the exact moment the
+TX FIFO *becomes* empty, so clearing the bit before filling FIFO does
+not cause an extra immediate assertion even if the FIFO is initially
+empty.
+
+This is hard to reproduce directly on a normal system, but inserting
+e.g. udelay(200) after cdns_uart_handle_tx(port), setting 4000000 baud,
+and then running "dd if=/dev/zero bs=128 of=/dev/ttyPS0 count=50"
+reliably reproduces the issue on my ZynqMP test system unless this fix
+is applied.
+
+Fixes: 85baf542d54e ("tty: xuartps: support 64 byte FIFO size")
+Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
+Link: https://lore.kernel.org/r/20211026102741.2910441-1-anssi.hannula@bitwise.fi
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/xilinx_uartps.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/xilinx_uartps.c b/drivers/tty/serial/xilinx_uartps.c
+index eb61a07fcbbc3..b92700fdfd512 100644
+--- a/drivers/tty/serial/xilinx_uartps.c
++++ b/drivers/tty/serial/xilinx_uartps.c
+@@ -589,9 +589,10 @@ static void cdns_uart_start_tx(struct uart_port *port)
+ if (uart_circ_empty(&port->state->xmit))
+ return;
+
++ writel(CDNS_UART_IXR_TXEMPTY, port->membase + CDNS_UART_ISR);
++
+ cdns_uart_handle_tx(port);
+
+- writel(CDNS_UART_IXR_TXEMPTY, port->membase + CDNS_UART_ISR);
+ /* Enable the TX Empty interrupt */
+ writel(CDNS_UART_IXR_TXEMPTY, port->membase + CDNS_UART_IER);
+ }
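Review bot: The fix is purely an ordering constraint between the `writel(CDNS_UART_IXR_TXEMPTY, port->membase + CDNS_UART_ISR);` line and `cdns_uart_handle_tx(port);`, yet the code does not say that the order matters. Without a comment, a later cleanup could move the clear back next to the interrupt enable and silently bring the stuck-TX race back. I would add `/* Clear TXEMPTY before filling the FIFO: clearing afterwards can eat the event raised by the bytes just queued */` above the moved `writel()`. The start of cdns_uart_start_tx() is outside this hunk.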
+--
+2.33.0
+
iio-dac-ad5446-fix-ad5622_write-return-value.patch
usb-serial-keyspan-fix-memleak-on-probe-errors.patch
usb-iowarrior-fix-control-message-timeouts.patch
+bluetooth-sco-fix-lock_sock-blockage-by-memcpy_from_.patch
+bluetooth-fix-use-after-free-error-in-lock_sock_nest.patch
+platform-x86-wmi-do-not-fail-if-disabling-fails.patch
+mips-lantiq-dma-add-small-delay-after-reset.patch
+mips-lantiq-dma-reset-correct-number-of-channel.patch
+locking-lockdep-avoid-rcu-induced-noinstr-fail.patch
+smackfs-fix-use-after-free-in-netlbl_catmap_walk.patch
+x86-increase-exception-stack-sizes.patch
+media-mt9p031-fix-corrupted-frame-after-restarting-s.patch
+media-netup_unidvb-handle-interrupt-properly-accordi.patch
+media-uvcvideo-set-capability-in-s_param.patch
+media-s5p-mfc-fix-possible-null-pointer-dereference-.patch
+media-mceusb-return-without-resubmitting-urb-in-case.patch
+ia64-don-t-do-ia64_cmpxchg_debug-without-config_prin.patch
+acpica-avoid-evaluating-methods-too-early-during-sys.patch
+media-usb-dvd-usb-fix-uninit-value-bug-in-dibusb_rea.patch
+tracefs-have-tracefs-directories-not-set-oth-permiss.patch
+ath-dfs_pattern_detector-fix-possible-null-pointer-d.patch
+acpi-battery-accept-charges-over-the-design-capacity.patch
+memstick-r592-fix-a-uaf-bug-when-removing-the-driver.patch
+lib-xz-avoid-overlapping-memcpy-with-invalid-input-w.patch
+lib-xz-validate-the-value-before-assigning-it-to-an-.patch
+tracing-cfi-fix-cmp_entries_-functions-signature-mis.patch
+mwl8k-fix-use-after-free-in-mwl8k_fw_state_machine.patch
+pm-hibernate-get-block-device-exclusively-in-swsusp_.patch
+iwlwifi-mvm-disable-rx-diversity-in-powersave.patch
+smackfs-use-__gfp_nofail-for-smk_cipso_doi.patch
+arm-clang-do-not-rely-on-lr-register-for-stacktrace.patch
+arm-9136-1-armv7-m-uses-be-8-not-be-32.patch
+spi-bcm-qspi-fix-missing-clk_disable_unprepare-on-er.patch
+parisc-fix-warning-in-flush_tlb_all.patch
+parisc-kgdb-add-kgdb_roundup-to-make-kgdb-work-with-.patch
+cgroup-make-rebind_subsystems-disable-v2-controllers.patch
+media-dvb-usb-fix-ununit-value-in-az6027_rc_query.patch
+media-mtk-vpu-fix-a-resource-leak-in-the-error-handl.patch
+media-si470x-avoid-card-name-truncation.patch
+cpuidle-fix-kobject-memory-leaks-in-error-paths.patch
+ath9k-fix-potential-interrupt-storm-on-queue-reset.patch
+crypto-qat-detect-pfvf-collision-after-ack.patch
+crypto-qat-disregard-spurious-pfvf-interrupts.patch
+b43legacy-fix-a-lower-bounds-test.patch
+b43-fix-a-lower-bounds-test.patch
+memstick-avoid-out-of-range-warning.patch
+memstick-jmb38x_ms-use-appropriate-free-function-in-.patch
+hwmon-fix-possible-memleak-in-__hwmon_device_registe.patch
+ath10k-fix-max-antenna-gain-unit.patch
+drm-msm-uninitialized-variable-in-msm_gem_import.patch
+net-stream-don-t-purge-sk_error_queue-in-sk_stream_k.patch
+mmc-mxs-mmc-disable-regulator-on-error-and-in-the-re.patch
+platform-x86-thinkpad_acpi-fix-bitwise-vs.-logical-w.patch
+mwifiex-send-delba-requests-according-to-spec.patch
+phy-micrel-ksz8041nl-do-not-use-power-down-mode.patch
+smackfs-use-netlbl_cfg_cipsov4_del-for-deleting-cips.patch
+s390-gmap-validate-vma-in-__gmap_zap.patch
+s390-gmap-don-t-unconditionally-call-pte_unmap_unloc.patch
+irq-mips-avoid-nested-irq_enter.patch
+samples-kretprobes-fix-return-value-if-register_kret.patch
+libertas_tf-fix-possible-memory-leak-in-probe-and-di.patch
+libertas-fix-possible-memory-leak-in-probe-and-disco.patch
+crypto-pcrypt-delay-write-to-padata-info.patch
+rdma-rxe-fix-wrong-port_cap_flags.patch
+arm-s3c-irq-s3c24xx-fix-return-value-check-for-s3c24.patch
+scsi-dc395-fix-error-case-unwinding.patch
+mips-loongson64-make-cpu_loongson64-depends-on-mips_.patch
+jfs-fix-memleak-in-jfs_mount.patch
+arm-dts-omap3-gta04a4-accelerometer-irq-fix.patch
+soc-tegra-fix-an-error-handling-path-in-tegra_powerg.patch
+memory-fsl_ifc-fix-leak-of-irq-and-nand_irq-in-fsl_i.patch
+video-fbdev-chipsfb-use-memset_io-instead-of-memset.patch
+serial-8250_dw-drop-wrong-use-of-acpi_ptr.patch
+usb-gadget-hid-fix-error-code-in-do_config.patch
+power-supply-rt5033_battery-change-voltage-values-to.patch
+scsi-csiostor-uninitialized-data-in-csio_ln_vnp_read.patch
+rdma-mlx4-return-missed-an-error-if-device-doesn-t-s.patch
+serial-xilinx_uartps-fix-race-condition-causing-stuc.patch
+power-supply-bq27xxx-fix-kernel-crash-on-irq-handler.patch
+pnfs-flexfiles-fix-misplaced-barrier-in-nfs4_ff_layo.patch
+drm-plane-helper-fix-uninitialized-variable-referenc.patch
+pci-aardvark-don-t-spam-about-pio-response-status.patch
+fs-orangefs-fix-error-return-code-of-orangefs_revali.patch
+mtd-spi-nor-hisi-sfc-remove-excessive-clk_disable_un.patch
+dmaengine-at_xdmac-fix-at_xdmac_cc_perid-macro.patch
+auxdisplay-img-ascii-lcd-fix-lock-up-when-displaying.patch
+netfilter-nfnetlink_queue-fix-oob-when-mac-header-wa.patch
+dmaengine-dmaengine_desc_callback_valid-check-for-ca.patch
+m68k-set-a-default-value-for-memory_reserve.patch
+watchdog-f71808e_wdt-fix-inaccurate-report-in-wdioc_.patch
+scsi-qla2xxx-turn-off-target-reset-during-issue_lip.patch
+i2c-xlr-fix-a-resource-leak-in-the-error-handling-pa.patch
+xen-pciback-fix-return-in-pm_ctrl_init.patch
+net-davinci_emac-fix-interrupt-pacing-disable.patch
+acpi-pmic-fix-intel_pmic_regs_handler-read-accesses.patch
+bonding-fix-a-use-after-free-problem-when-bond_sysfs.patch
+mm-zsmalloc.c-close-race-window-between-zs_pool_dec_.patch
+llc-fix-out-of-bound-array-index-in-llc_sk_dev_hash.patch
+nfc-pn533-fix-double-free-when-pn533_fill_fragment_s.patch
+vsock-prevent-unnecessary-refcnt-inc-for-nonblocking.patch
--- /dev/null
+From cb41c23d3158a793dbd0b5ed8083b28ded34e055 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Aug 2021 23:41:40 -0700
+Subject: smackfs: Fix use-after-free in netlbl_catmap_walk()
+
+From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+
+[ Upstream commit 0817534ff9ea809fac1322c5c8c574be8483ea57 ]
+
+Syzkaller reported use-after-free bug as described in [1]. The bug is
+triggered when smk_set_cipso() tries to free stale category bitmaps
+while there are concurrent reader(s) using the same bitmaps.
+
+Wait for RCU grace period to finish before freeing the category bitmaps
+in smk_set_cipso(). This makes sure that there are no more readers using
+the stale bitmaps and freeing them should be safe.
+
+[1] https://lore.kernel.org/netdev/000000000000a814c505ca657a4e@google.com/
+
+Reported-by: syzbot+3f91de0b813cc3d19a80@syzkaller.appspotmail.com
+Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/smack/smackfs.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
+index 966d30bf2e388..e26e7fbb89657 100644
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -854,6 +854,7 @@ static int smk_open_cipso(struct inode *inode, struct file *file)
+ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
+ size_t count, loff_t *ppos, int format)
+ {
++ struct netlbl_lsm_catmap *old_cat;
+ struct smack_known *skp;
+ struct netlbl_lsm_secattr ncats;
+ char mapcatset[SMK_CIPSOLEN];
+@@ -943,9 +944,11 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
+
+ rc = smk_netlbl_mls(maplevel, mapcatset, &ncats, SMK_CIPSOLEN);
+ if (rc >= 0) {
+- netlbl_catmap_free(skp->smk_netlabel.attr.mls.cat);
++ old_cat = skp->smk_netlabel.attr.mls.cat;
+ skp->smk_netlabel.attr.mls.cat = ncats.attr.mls.cat;
+ skp->smk_netlabel.attr.mls.lvl = ncats.attr.mls.lvl;
++ synchronize_rcu();
++ netlbl_catmap_free(old_cat);
+ rc = count;
+ }
+
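Review bot: The new category map and level are still published with two separate plain stores (`skp->smk_netlabel.attr.mls.cat = ncats.attr.mls.cat;` and the `mls.lvl` assignment after it), so a concurrent reader can observe the new bitmap together with the old level. The added `synchronize_rcu();` also protects only readers that walk the bitmap inside an RCU read-side critical section. The reader side is not part of this hunk, so that assumption should be confirmed and recorded, for example with `/* readers walk mls.cat under rcu_read_lock(); wait for them before freeing the old map */` above `synchronize_rcu();`. smk_set_cipso() begins and ends outside this hunk, so it is also not visible here whether a lock is held across the blocking wait.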
+--
+2.33.0
+
--- /dev/null
+From c5f98f98dbb6a540ba2c5b490e8154ba8c4b47fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Oct 2021 20:54:31 +0900
+Subject: smackfs: use __GFP_NOFAIL for smk_cipso_doi()
+
+From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+
+[ Upstream commit f91488ee15bd3cac467e2d6a361fc2d34d1052ae ]
+
+syzbot is reporting kernel panic at smk_cipso_doi() due to memory
+allocation fault injection [1]. The reason for need to use panic() was
+not explained. But since no fix was proposed for 18 months, for now
+let's use __GFP_NOFAIL for utilizing syzbot resource on other bugs.
+
+Link: https://syzkaller.appspot.com/bug?extid=89731ccb6fec15ce1c22 [1]
+Reported-by: syzbot <syzbot+89731ccb6fec15ce1c22@syzkaller.appspotmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/smack/smackfs.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
+index e26e7fbb89657..cf1f92a04359a 100644
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -716,9 +716,7 @@ static void smk_cipso_doi(void)
+ printk(KERN_WARNING "%s:%d remove rc = %d\n",
+ __func__, __LINE__, rc);
+
+- doip = kmalloc(sizeof(struct cipso_v4_doi), GFP_KERNEL);
+- if (doip == NULL)
+- panic("smack: Failed to initialize cipso DOI.\n");
++ doip = kmalloc(sizeof(struct cipso_v4_doi), GFP_KERNEL | __GFP_NOFAIL);
+ doip->map.std = NULL;
+ doip->doi = smk_cipso_doi_value;
+ doip->type = CIPSO_V4_MAP_PASS;
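Review bot: With the NULL check gone, the dereference on the next line (`doip->map.std = NULL;`) is only safe because of `__GFP_NOFAIL`, and the code does not say so. A comment such as `/* __GFP_NOFAIL: kmalloc() does not return NULL here, so no check is needed */` would keep a later edit of the GFP flags from turning this into a NULL dereference. As a style point, the allocation can take its size from the pointer: `doip = kmalloc(sizeof(*doip), GFP_KERNEL | __GFP_NOFAIL);`. The rest of smk_cipso_doi() is outside this hunk.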
+--
+2.33.0
+
--- /dev/null
+From 14349aee7f95bf3a29bccca70b5658f0ea548f49 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Oct 2021 20:27:26 +0900
+Subject: smackfs: use netlbl_cfg_cipsov4_del() for deleting cipso_v4_doi
+
+From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+
+[ Upstream commit 0934ad42bb2c5df90a1b9de690f93de735b622fe ]
+
+syzbot is reporting UAF at cipso_v4_doi_search() [1], for smk_cipso_doi()
+is calling kfree() without removing from the cipso_v4_doi_list list after
+netlbl_cfg_cipsov4_map_add() returned an error. We need to use
+netlbl_cfg_cipsov4_del() in order to remove from the list and wait for
+RCU grace period before kfree().
+
+Link: https://syzkaller.appspot.com/bug?extid=93dba5b91f0fed312cbd [1]
+Reported-by: syzbot <syzbot+93dba5b91f0fed312cbd@syzkaller.appspotmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Fixes: 6c2e8ac0953fccdd ("netlabel: Update kernel configuration API")
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/smack/smackfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
+index cf1f92a04359a..ed5b89fbbd96f 100644
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -735,7 +735,7 @@ static void smk_cipso_doi(void)
+ if (rc != 0) {
+ printk(KERN_WARNING "%s:%d map add rc = %d\n",
+ __func__, __LINE__, rc);
+- kfree(doip);
++ netlbl_cfg_cipsov4_del(doip->doi, &nai);
+ return;
+ }
+ }
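Review bot: After `netlbl_cfg_cipsov4_del(doip->doi, &nai);` the `doip` pointer must be treated as released, but the call site gives no hint that ownership has changed. According to the commit message, the DOI is already on cipso_v4_doi_list at this point, and the call both unlinks it and defers the free past an RCU grace period. I would add `/* doip is already on cipso_v4_doi_list: unlink it and let netlabel free it after a grace period, do not kfree() here */` above the call, so the error path is not later "simplified" back into a direct kfree(). The earlier part of smk_cipso_doi() is outside this hunk.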
+--
+2.33.0
+
--- /dev/null
+From bc3465bec62161017b0cda2bdc7259b0d99e4dfe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Jun 2021 17:54:31 +0200
+Subject: soc/tegra: Fix an error handling path in tegra_powergate_power_up()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 986b5094708e508baa452a23ffe809870934a7df ]
+
+If an error occurs after a successful tegra_powergate_enable_clocks()
+call, it must be undone by a tegra_powergate_disable_clocks() call, as
+already done in the below and above error handling paths of this function.
+
+Update the 'goto' to branch at the correct place of the error handling
+path.
+
+Fixes: a38045121bf4 ("soc/tegra: pmc: Add generic PM domain support")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/tegra/pmc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soc/tegra/pmc.c b/drivers/soc/tegra/pmc.c
+index a12710c917a14..cb2ef789263b7 100644
+--- a/drivers/soc/tegra/pmc.c
++++ b/drivers/soc/tegra/pmc.c
+@@ -396,7 +396,7 @@ static int tegra_powergate_power_up(struct tegra_powergate *pg,
+
+ err = tegra_powergate_reset_deassert(pg);
+ if (err)
+- goto powergate_off;
++ goto disable_clks;
+
+ usleep_range(10, 20);
+
+--
+2.33.0
+
--- /dev/null
+From 132af93f0bc7732085fca76979ddb3d06b7a34c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Oct 2021 15:34:13 +0800
+Subject: spi: bcm-qspi: Fix missing clk_disable_unprepare() on error in
+ bcm_qspi_probe()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit ca9b8f56ec089d3a436050afefd17b7237301f47 ]
+
+Fix the missing clk_disable_unprepare() before return
+from bcm_qspi_probe() in the error handling case.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20211018073413.2029081-1-yangyingliang@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-bcm-qspi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-bcm-qspi.c b/drivers/spi/spi-bcm-qspi.c
+index 5453910d8abc3..d521adf6ac245 100644
+--- a/drivers/spi/spi-bcm-qspi.c
++++ b/drivers/spi/spi-bcm-qspi.c
+@@ -1266,7 +1266,7 @@ int bcm_qspi_probe(struct platform_device *pdev,
+ &qspi->dev_ids[val]);
+ if (ret < 0) {
+ dev_err(&pdev->dev, "IRQ %s not found\n", name);
+- goto qspi_probe_err;
++ goto qspi_unprepare_err;
+ }
+
+ qspi->dev_ids[val].dev = qspi;
+@@ -1281,7 +1281,7 @@ int bcm_qspi_probe(struct platform_device *pdev,
+ if (!num_ints) {
+ dev_err(&pdev->dev, "no IRQs registered, cannot init driver\n");
+ ret = -EINVAL;
+- goto qspi_probe_err;
++ goto qspi_unprepare_err;
+ }
+
+ /*
+@@ -1332,6 +1332,7 @@ int bcm_qspi_probe(struct platform_device *pdev,
+
+ qspi_reg_err:
+ bcm_qspi_hw_uninit(qspi);
++qspi_unprepare_err:
+ clk_disable_unprepare(qspi->clk);
+ qspi_probe_err:
+ kfree(qspi->dev_ids);
+--
+2.33.0
+
--- /dev/null
+From 0af47ff9f253adbe0ab0b746d9258db9be9e8d10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Aug 2021 11:24:50 -0400
+Subject: tracefs: Have tracefs directories not set OTH permission bits by
+ default
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+[ Upstream commit 49d67e445742bbcb03106b735b2ab39f6e5c56bc ]
+
+The tracefs file system is by default mounted such that only root user can
+access it. But there are legitimate reasons to create a group and allow
+those added to the group to have access to tracing. By changing the
+permissions of the tracefs mount point to allow access, it will allow
+group access to the tracefs directory.
+
+There should not be any real reason to allow all access to the tracefs
+directory as it contains sensitive information. Have the default
+permission of directories being created not have any OTH (other) bits set,
+such that an admin that wants to give permission to a group has to first
+disable all OTH bits in the file system.
+
+Link: https://lkml.kernel.org/r/20210818153038.664127804@goodmis.org
+
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/tracefs/inode.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/tracefs/inode.c b/fs/tracefs/inode.c
+index 21d36d2847356..985cccfcedad9 100644
+--- a/fs/tracefs/inode.c
++++ b/fs/tracefs/inode.c
+@@ -429,7 +429,8 @@ static struct dentry *__create_dir(const char *name, struct dentry *parent,
+ if (unlikely(!inode))
+ return failed_creating(dentry);
+
+- inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;
++ /* Do not set bits for OTH */
++ inode->i_mode = S_IFDIR | S_IRWXU | S_IRUSR| S_IRGRP | S_IXUSR | S_IXGRP;
+ inode->i_op = ops;
+ inode->i_fop = &simple_dir_operations;
+
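Review bot: The new mode expression repeats bits it already has: `S_IRWXU` includes `S_IRUSR` and `S_IXUSR`, and `S_IRUSR|` is missing the space before the operator. The same 0750 directory mode is clearer as `inode->i_mode = S_IFDIR | S_IRWXU | S_IRGRP | S_IXGRP;`, and the comment could state the result, e.g. `/* 0750: no access for OTH by default */`. This hunk covers only directories made through __create_dir(); the default mode of tracefs files is set elsewhere and is not visible here.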
+--
+2.33.0
+
--- /dev/null
+From 1489ec45b4f614fe7201919b4e4b37e008f73db2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Oct 2021 21:52:17 -0700
+Subject: tracing/cfi: Fix cmp_entries_* functions signature mismatch
+
+From: Kalesh Singh <kaleshsingh@google.com>
+
+[ Upstream commit 7ce1bb83a14019f8c396d57ec704d19478747716 ]
+
+If CONFIG_CFI_CLANG=y, attempting to read an event histogram will cause
+the kernel to panic due to failed CFI check.
+
+ 1. echo 'hist:keys=common_pid' >> events/sched/sched_switch/trigger
+ 2. cat events/sched/sched_switch/hist
+ 3. kernel panics on attempting to read hist
+
+This happens because the sort() function expects a generic
+int (*)(const void *, const void *) pointer for the compare function.
+To prevent this CFI failure, change tracing map cmp_entries_* function
+signatures to match this.
+
+Also, fix the build error reported by the kernel test robot [1].
+
+[1] https://lore.kernel.org/r/202110141140.zzi4dRh4-lkp@intel.com/
+
+Link: https://lkml.kernel.org/r/20211014045217.3265162-1-kaleshsingh@google.com
+
+Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/tracing_map.c | 40 ++++++++++++++++++++++----------------
+ 1 file changed, 23 insertions(+), 17 deletions(-)
+
+diff --git a/kernel/trace/tracing_map.c b/kernel/trace/tracing_map.c
+index 35b2ba07f3c6f..379db35838b64 100644
+--- a/kernel/trace/tracing_map.c
++++ b/kernel/trace/tracing_map.c
+@@ -703,29 +703,35 @@ int tracing_map_init(struct tracing_map *map)
+ return err;
+ }
+
+-static int cmp_entries_dup(const struct tracing_map_sort_entry **a,
+- const struct tracing_map_sort_entry **b)
++static int cmp_entries_dup(const void *A, const void *B)
+ {
++ const struct tracing_map_sort_entry *a, *b;
+ int ret = 0;
+
+- if (memcmp((*a)->key, (*b)->key, (*a)->elt->map->key_size))
++ a = *(const struct tracing_map_sort_entry **)A;
++ b = *(const struct tracing_map_sort_entry **)B;
++
++ if (memcmp(a->key, b->key, a->elt->map->key_size))
+ ret = 1;
+
+ return ret;
+ }
+
+-static int cmp_entries_sum(const struct tracing_map_sort_entry **a,
+- const struct tracing_map_sort_entry **b)
++static int cmp_entries_sum(const void *A, const void *B)
+ {
+ const struct tracing_map_elt *elt_a, *elt_b;
++ const struct tracing_map_sort_entry *a, *b;
+ struct tracing_map_sort_key *sort_key;
+ struct tracing_map_field *field;
+ tracing_map_cmp_fn_t cmp_fn;
+ void *val_a, *val_b;
+ int ret = 0;
+
+- elt_a = (*a)->elt;
+- elt_b = (*b)->elt;
++ a = *(const struct tracing_map_sort_entry **)A;
++ b = *(const struct tracing_map_sort_entry **)B;
++
++ elt_a = a->elt;
++ elt_b = b->elt;
+
+ sort_key = &elt_a->map->sort_key;
+
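Review bot: `cmp_entries_dup()` keeps returning only 0 or 1 after the signature change, so it never reports "less than" and gives the same answer for (a, b) and (b, a) when the keys differ. If it is handed to sort(), as the commit message implies for the cmp_entries_* functions, that breaks the three-way ordering contract a sort comparator is expected to honour, and equal keys are not guaranteed to end up adjacent. Returning the comparison result directly would fix this and drop the `ret` local: `return memcmp(a->key, b->key, a->elt->map->key_size);`. The callers are outside this hunk, so how the result is consumed should be checked before changing it.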
+@@ -742,18 +748,21 @@ static int cmp_entries_sum(const struct tracing_map_sort_entry **a,
+ return ret;
+ }
+
+-static int cmp_entries_key(const struct tracing_map_sort_entry **a,
+- const struct tracing_map_sort_entry **b)
++static int cmp_entries_key(const void *A, const void *B)
+ {
+ const struct tracing_map_elt *elt_a, *elt_b;
++ const struct tracing_map_sort_entry *a, *b;
+ struct tracing_map_sort_key *sort_key;
+ struct tracing_map_field *field;
+ tracing_map_cmp_fn_t cmp_fn;
+ void *val_a, *val_b;
+ int ret = 0;
+
+- elt_a = (*a)->elt;
+- elt_b = (*b)->elt;
++ a = *(const struct tracing_map_sort_entry **)A;
++ b = *(const struct tracing_map_sort_entry **)B;
++
++ elt_a = a->elt;
++ elt_b = b->elt;
+
+ sort_key = &elt_a->map->sort_key;
+
+@@ -926,10 +935,8 @@ static void sort_secondary(struct tracing_map *map,
+ struct tracing_map_sort_key *primary_key,
+ struct tracing_map_sort_key *secondary_key)
+ {
+- int (*primary_fn)(const struct tracing_map_sort_entry **,
+- const struct tracing_map_sort_entry **);
+- int (*secondary_fn)(const struct tracing_map_sort_entry **,
+- const struct tracing_map_sort_entry **);
++ int (*primary_fn)(const void *, const void *);
++ int (*secondary_fn)(const void *, const void *);
+ unsigned i, start = 0, n_sub = 1;
+
+ if (is_key(map, primary_key->field_idx))
+@@ -998,8 +1005,7 @@ int tracing_map_sort_entries(struct tracing_map *map,
+ unsigned int n_sort_keys,
+ struct tracing_map_sort_entry ***sort_entries)
+ {
+- int (*cmp_entries_fn)(const struct tracing_map_sort_entry **,
+- const struct tracing_map_sort_entry **);
++ int (*cmp_entries_fn)(const void *, const void *);
+ struct tracing_map_sort_entry *sort_entry, **entries;
+ int i, n_entries, ret;
+
+--
+2.33.0
+
--- /dev/null
+From ec5f6aabea912db4fb282c0f221afdcd60536c7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Oct 2021 15:37:39 +0300
+Subject: usb: gadget: hid: fix error code in do_config()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 68e7c510fdf4f6167404609da52e1979165649f6 ]
+
+Return an error code if usb_get_function() fails. Don't return success.
+
+Fixes: 4bc8a33f2407 ("usb: gadget: hid: convert to new interface of f_hid")
+Acked-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/20211011123739.GC15188@kili
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/legacy/hid.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/legacy/hid.c b/drivers/usb/gadget/legacy/hid.c
+index cccbb948821b2..a55d3761d777c 100644
+--- a/drivers/usb/gadget/legacy/hid.c
++++ b/drivers/usb/gadget/legacy/hid.c
+@@ -103,8 +103,10 @@ static int do_config(struct usb_configuration *c)
+
+ list_for_each_entry(e, &hidg_func_list, node) {
+ e->f = usb_get_function(e->fi);
+- if (IS_ERR(e->f))
++ if (IS_ERR(e->f)) {
++ status = PTR_ERR(e->f);
+ goto put;
++ }
+ status = usb_add_function(c, e->f);
+ if (status < 0) {
+ usb_put_function(e->f);
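Review bot: Both failure exits in this loop leave `e->f` holding a value that must not be used again: an error-encoded pointer after the new `status = PTR_ERR(e->f);` branch, and an already released function after `usb_put_function(e->f);`. Setting `e->f = NULL;` before each `goto put;` would leave an obvious NULL rather than a stale pointer for any later walk of hidg_func_list. The cleanup at the `put` label is outside the hunk, so whether it already skips the failing entry cannot be confirmed from here.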
+--
+2.33.0
+
--- /dev/null
+From eaa73b5bb3b87beed6d9cb920c9fa972c44e0bc4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Sep 2021 15:34:35 +0200
+Subject: video: fbdev: chipsfb: use memset_io() instead of memset()
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit f2719b26ae27282c145202ffd656d5ff1fe737cc ]
+
+While investigating a lockup at startup on Powerbook 3400C, it was
+identified that the fbdev driver generates alignment exception at
+startup:
+
+ --- interrupt: 600 at memset+0x60/0xc0
+ NIP: c0021414 LR: c03fc49c CTR: 00007fff
+ REGS: ca021c10 TRAP: 0600 Tainted: G W (5.14.2-pmac-00727-g12a41fa69492)
+ MSR: 00009032 <EE,ME,IR,DR,RI> CR: 44008442 XER: 20000100
+ DAR: cab80020 DSISR: 00017c07
+ GPR00: 00000007 ca021cd0 c14412e0 cab80000 00000000 00100000 cab8001c 00000004
+ GPR08: 00100000 00007fff 00000000 00000000 84008442 00000000 c0006fb4 00000000
+ GPR16: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00100000
+ GPR24: 00000000 81800000 00000320 c15fa400 c14d1878 00000000 c14d1800 c094e19c
+ NIP [c0021414] memset+0x60/0xc0
+ LR [c03fc49c] chipsfb_pci_init+0x160/0x580
+ --- interrupt: 600
+ [ca021cd0] [c03fc46c] chipsfb_pci_init+0x130/0x580 (unreliable)
+ [ca021d20] [c03a3a70] pci_device_probe+0xf8/0x1b8
+ [ca021d50] [c043d584] really_probe.part.0+0xac/0x388
+ [ca021d70] [c043d914] __driver_probe_device+0xb4/0x170
+ [ca021d90] [c043da18] driver_probe_device+0x48/0x144
+ [ca021dc0] [c043e318] __driver_attach+0x11c/0x1c4
+ [ca021de0] [c043ad30] bus_for_each_dev+0x88/0xf0
+ [ca021e10] [c043c724] bus_add_driver+0x190/0x22c
+ [ca021e40] [c043ee94] driver_register+0x9c/0x170
+ [ca021e60] [c0006c28] do_one_initcall+0x54/0x1ec
+ [ca021ed0] [c08246e4] kernel_init_freeable+0x1c0/0x270
+ [ca021f10] [c0006fdc] kernel_init+0x28/0x11c
+ [ca021f30] [c0017148] ret_from_kernel_thread+0x14/0x1c
+ Instruction dump:
+ 7d4601a4 39490777 7d4701a4 39490888 7d4801a4 39490999 7d4901a4 39290aaa
+ 7d2a01a4 4c00012c 4bfffe88 0fe00000 <4bfffe80> 9421fff0 38210010 48001970
+
+This is due to 'dcbz' instruction being used on non-cached memory.
+'dcbz' instruction is used by memset() to zeroize a complete
+cacheline at once, and memset() is not expected to be used on non
+cached memory.
+
+When performing a 'sparse' check on fbdev driver, it also appears
+that the use of memset() is unexpected:
+
+ drivers/video/fbdev/chipsfb.c:334:17: warning: incorrect type in argument 1 (different address spaces)
+ drivers/video/fbdev/chipsfb.c:334:17: expected void *
+ drivers/video/fbdev/chipsfb.c:334:17: got char [noderef] __iomem *screen_base
+ drivers/video/fbdev/chipsfb.c:334:15: warning: memset with byte count of 1048576
+
+Use fb_memset() instead of memset(). fb_memset() is defined as
+memset_io() for powerpc.
+
+Fixes: 8c8709334cec ("[PATCH] ppc32: Remove CONFIG_PMAC_PBOOK")
+Reported-by: Stan Johnson <userm57@yahoo.com>
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/884a54f1e5cb774c1d9b4db780209bee5d4f6718.1631712563.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/chipsfb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/chipsfb.c b/drivers/video/fbdev/chipsfb.c
+index 314b7eceb81c5..84a3778552eba 100644
+--- a/drivers/video/fbdev/chipsfb.c
++++ b/drivers/video/fbdev/chipsfb.c
+@@ -332,7 +332,7 @@ static struct fb_var_screeninfo chipsfb_var = {
+
+ static void init_chips(struct fb_info *p, unsigned long addr)
+ {
+- memset(p->screen_base, 0, 0x100000);
++ fb_memset(p->screen_base, 0, 0x100000);
+
+ p->fix = chipsfb_fix;
+ p->fix.smem_start = addr;
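Review bot: The length in `fb_memset(p->screen_base, 0, 0x100000);` is a bare literal, so nothing ties it to the size of the I/O mapping behind `screen_base`; if the two ever diverge, the clear writes past the mapping. Deriving it from the framebuffer's declared length, e.g. `fb_memset(p->screen_base, 0, chipsfb_fix.smem_len);`, or from a named constant shared with the mapping call, would keep them in step. This assumes `chipsfb_fix.smem_len` holds the mapped size, which is not visible here. init_chips continues outside the hunk.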
+--
+2.33.0
+
--- /dev/null
+From 5781dfe8ff5262be1ba7da1af199143e5fac30a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Nov 2021 00:15:02 +0000
+Subject: vsock: prevent unnecessary refcnt inc for nonblocking connect
+
+From: Eiichi Tsukata <eiichi.tsukata@nutanix.com>
+
+[ Upstream commit c7cd82b90599fa10915f41e3dd9098a77d0aa7b6 ]
+
+Currently vsock_connect() increments the sock refcount for a nonblocking
+socket each time it's called, which can lead to a memory leak if
+it's called multiple times, because the connect timeout function decrements
+the sock refcount only once.
+
+Fix it by making vsock_connect() return -EALREADY immediately when
+sock state is already SS_CONNECTING.
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Eiichi Tsukata <eiichi.tsukata@nutanix.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/af_vsock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index 2fecdfe49bae3..95470d628d34b 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1173,6 +1173,8 @@ static int vsock_stream_connect(struct socket *sock, struct sockaddr *addr,
+ * non-blocking call.
+ */
+ err = -EALREADY;
++ if (flags & O_NONBLOCK)
++ goto out;
+ break;
+ default:
+ if ((sk->sk_state == VSOCK_SS_LISTEN) ||
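Review bot: The new `if (flags & O_NONBLOCK) goto out;` has no comment saying why a nonblocking caller must leave here, and the reason is not obvious from the switch. Per the commit message, continuing would take another socket reference for the connect timeout while the timeout function drops only one, so repeated calls leak the socket. A short comment above the check would keep a later cleanup from removing it, for example `/* nonblocking connect already holds a ref for the timeout; don't take another */`. The existing comment block and the rest of vsock_stream_connect start outside the hunk.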
+--
+2.33.0
+
--- /dev/null
+From 243ae8394c170f9f8ae3f2ce707930465dfecc3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 18:20:31 +0200
+Subject: watchdog: f71808e_wdt: fix inaccurate report in WDIOC_GETTIMEOUT
+
+From: Ahmad Fatoum <a.fatoum@pengutronix.de>
+
+[ Upstream commit 164483c735190775f29d0dcbac0363adc51a068d ]
+
+The fintek watchdog timer can configure timeouts of second granularity
+only up to 255 seconds. Beyond that, the timeout needs to be configured
+with minute granularity. WDIOC_GETTIMEOUT should report the actual
+timeout configured, not just echo back the timeout configured by the
+user. Do so.
+
+Fixes: 96cb4eb019ce ("watchdog: f71808e_wdt: new watchdog driver for Fintek F71808E and F71882FG")
+Suggested-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
+Link: https://lore.kernel.org/r/5e17960fe8cc0e3cb2ba53de4730b75d9a0f33d5.1628525954.git-series.a.fatoum@pengutronix.de
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/f71808e_wdt.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/watchdog/f71808e_wdt.c b/drivers/watchdog/f71808e_wdt.c
+index ae4974701e5c7..6fe9daf2367b5 100644
+--- a/drivers/watchdog/f71808e_wdt.c
++++ b/drivers/watchdog/f71808e_wdt.c
+@@ -237,15 +237,17 @@ static int watchdog_set_timeout(int timeout)
+
+ mutex_lock(&watchdog.lock);
+
+- watchdog.timeout = timeout;
+ if (timeout > 0xff) {
+ watchdog.timer_val = DIV_ROUND_UP(timeout, 60);
+ watchdog.minutes_mode = true;
++ timeout = watchdog.timer_val * 60;
+ } else {
+ watchdog.timer_val = timeout;
+ watchdog.minutes_mode = false;
+ }
+
++ watchdog.timeout = timeout;
++
+ mutex_unlock(&watchdog.lock);
+
+ return 0;
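Review bot: `timeout = watchdog.timer_val * 60;` silently rewrites the function's own parameter, which makes the later `watchdog.timeout = timeout;` easy to misread as storing the caller's request. A comment on the assignment such as `/* store the timeout actually programmed, rounded up to whole minutes */`, or a separate local for the effective value, would make the intent explicit. The range check on `timeout` is outside the hunk; the minutes branch presumably relies on it to keep `timer_val` within what the hardware counter can hold.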
+--
+2.33.0
+
--- /dev/null
+From dd7b99e9e48f19daa91a3c381664986fca71b9c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Sep 2021 16:19:46 +0200
+Subject: x86: Increase exception stack sizes
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 7fae4c24a2b84a66c7be399727aca11e7a888462 ]
+
+It turns out that a single page of stack is trivial to overflow with
+all the tracing gunk enabled. Raise the exception stacks to 2 pages,
+which is still half the interrupt stacks, which are at 4 pages.
+
+Reported-by: Michael Wang <yun.wang@linux.alibaba.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/YUIO9Ye98S5Eb68w@hirez.programming.kicks-ass.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/page_64_types.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/page_64_types.h b/arch/x86/include/asm/page_64_types.h
+index 390fdd39e0e21..5a69eee673536 100644
+--- a/arch/x86/include/asm/page_64_types.h
++++ b/arch/x86/include/asm/page_64_types.h
+@@ -19,7 +19,7 @@
+ #define THREAD_SIZE (PAGE_SIZE << THREAD_SIZE_ORDER)
+ #define CURRENT_MASK (~(THREAD_SIZE - 1))
+
+-#define EXCEPTION_STACK_ORDER (0 + KASAN_STACK_ORDER)
++#define EXCEPTION_STACK_ORDER (1 + KASAN_STACK_ORDER)
+ #define EXCEPTION_STKSZ (PAGE_SIZE << EXCEPTION_STACK_ORDER)
+
+ #define DEBUG_STACK_ORDER (EXCEPTION_STACK_ORDER + 1)
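Review bot: `#define EXCEPTION_STACK_ORDER (1 + KASAN_STACK_ORDER)` carries no comment explaining the `1`, so the sizing rationale lives only in the commit message. A one-line comment above it, e.g. `/* two pages: a single page overflows with tracing enabled */`, would record why. DEBUG_STACK_ORDER is defined as `(EXCEPTION_STACK_ORDER + 1)` just below, so the debug stack doubles as well; the comment should say so if that is intended.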
+--
+2.33.0
+
--- /dev/null
+From e68081925517870d18770b5e46d126503a228d9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Oct 2021 15:44:17 +0800
+Subject: xen-pciback: Fix return in pm_ctrl_init()
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 4745ea2628bb43a7ec34b71763b5a56407b33990 ]
+
+Return NULL instead of passing err to ERR_PTR when err is zero;
+this fixes the smatch warning:
+drivers/xen/xen-pciback/conf_space_capability.c:163
+ pm_ctrl_init() warn: passing zero to 'ERR_PTR'
+
+Fixes: a92336a1176b ("xen/pciback: Drop two backends, squash and cleanup some code.")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Link: https://lore.kernel.org/r/20211008074417.8260-1-yuehaibing@huawei.com
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/xen-pciback/conf_space_capability.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/xen/xen-pciback/conf_space_capability.c b/drivers/xen/xen-pciback/conf_space_capability.c
+index b1a1d7de0894e..daa2e89a50fa3 100644
+--- a/drivers/xen/xen-pciback/conf_space_capability.c
++++ b/drivers/xen/xen-pciback/conf_space_capability.c
+@@ -159,7 +159,7 @@ static void *pm_ctrl_init(struct pci_dev *dev, int offset)
+ }
+
+ out:
+- return ERR_PTR(err);
++ return err ? ERR_PTR(err) : NULL;
+ }
+
+ static const struct config_field caplist_pm[] = {
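Review bot: With `return err ? ERR_PTR(err) : NULL;` the success value of pm_ctrl_init is NULL, so callers have to test the result with IS_ERR() and never with a plain NULL check; nothing at the return says so. A comment above the `out:` label such as `/* NULL means success; failures are returned as ERR_PTR() */` would document the contract. The function body and its callers are outside the hunk, so how callers treat NULL is inferred rather than confirmed.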
+--
+2.33.0
+