Fixes for 5.4
authorSasha Levin <sashal@kernel.org>
Sun, 11 Jul 2021 14:44:14 +0000 (10:44 -0400)
committerSasha Levin <sashal@kernel.org>
Sun, 11 Jul 2021 14:44:14 +0000 (10:44 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
282 files changed:
queue-5.4/acpi-bgrt-fix-cfi-violation.patch [new file with mode: 0644]
queue-5.4/acpi-bus-call-kobject_put-in-acpi_init-error-path.patch [new file with mode: 0644]
queue-5.4/acpi-ec-make-more-asus-laptops-use-ecdt-_gpe.patch [new file with mode: 0644]
queue-5.4/acpi-processor-idle-fix-up-c-state-latency-if-not-or.patch [new file with mode: 0644]
queue-5.4/acpi-resources-add-checks-for-acpi-irq-override.patch [new file with mode: 0644]
queue-5.4/acpi-sysfs-fix-a-buffer-overrun-problem-with-descrip.patch [new file with mode: 0644]
queue-5.4/acpi-tables-add-custom-dsdt-file-as-makefile-prerequ.patch [new file with mode: 0644]
queue-5.4/acpi-use-device_attr_-rw-ro-wo-macros.patch [new file with mode: 0644]
queue-5.4/acpica-fix-memory-leak-caused-by-_cid-repair-functio.patch [new file with mode: 0644]
queue-5.4/arm64-consistently-use-reserved_pg_dir.patch [new file with mode: 0644]
queue-5.4/arm64-dts-marvell-armada-37xx-fix-reg-for-standard-v.patch [new file with mode: 0644]
queue-5.4/arm64-mm-fix-ttbr0-values-stored-in-struct-thread_in.patch [new file with mode: 0644]
queue-5.4/asoc-atmel-i2s-fix-usage-of-capture-and-playback-at-.patch [new file with mode: 0644]
queue-5.4/asoc-cs42l42-correct-definition-of-cs42l42_adc_pdn_m.patch [new file with mode: 0644]
queue-5.4/asoc-hisilicon-fix-missing-clk_disable_unprepare-on-.patch [new file with mode: 0644]
queue-5.4/asoc-mediatek-mtk-btcvsd-fix-an-error-handling-path-.patch [new file with mode: 0644]
queue-5.4/asoc-rk3328-fix-missing-clk_disable_unprepare-on-err.patch [new file with mode: 0644]
queue-5.4/asoc-rsnd-tidyup-loop-on-rsnd_adg_clk_query.patch [new file with mode: 0644]
queue-5.4/ath10k-add-missing-error-return-code-in-ath10k_pci_p.patch [new file with mode: 0644]
queue-5.4/ath10k-fix-an-error-code-in-ath10k_add_interface.patch [new file with mode: 0644]
queue-5.4/ath10k-go-to-path-err_unsupported-when-chip-id-is-no.patch [new file with mode: 0644]
queue-5.4/backlight-lm3630a_bl-put-fwnode-in-error-case-during.patch [new file with mode: 0644]
queue-5.4/blk-wbt-introduce-a-new-disable-state-to-prevent-fal.patch [new file with mode: 0644]
queue-5.4/blk-wbt-make-sure-throttle-is-enabled-properly.patch [new file with mode: 0644]
queue-5.4/block-fix-discard-request-merge.patch [new file with mode: 0644]
queue-5.4/block-fix-race-between-adding-removing-rq-qos-and-no.patch [new file with mode: 0644]
queue-5.4/block_dump-remove-block_dump-feature-in-mark_inode_d.patch [new file with mode: 0644]
queue-5.4/bluetooth-fix-handling-of-hci_le_advertising_set_ter.patch [new file with mode: 0644]
queue-5.4/bluetooth-mgmt-fix-slab-out-of-bounds-in-tlv_data_is.patch [new file with mode: 0644]
queue-5.4/bpf-do-not-change-gso_size-during-bpf_skb_change_pro.patch [new file with mode: 0644]
queue-5.4/bpfilter-specify-the-log-level-for-the-kmsg-message.patch [new file with mode: 0644]
queue-5.4/brcmfmac-correctly-report-average-rssi-in-station-in.patch [new file with mode: 0644]
queue-5.4/brcmfmac-fix-setting-of-station-info-chains-bitmask.patch [new file with mode: 0644]
queue-5.4/brcmsmac-mac80211_if-fix-a-resource-leak-in-an-error.patch [new file with mode: 0644]
queue-5.4/btrfs-abort-transaction-if-we-fail-to-update-the-del.patch [new file with mode: 0644]
queue-5.4/btrfs-clear-log-tree-recovering-status-if-starting-t.patch [new file with mode: 0644]
queue-5.4/btrfs-disable-build-on-platforms-having-page-size-25.patch [new file with mode: 0644]
queue-5.4/btrfs-fix-error-handling-in-__btrfs_update_delayed_i.patch [new file with mode: 0644]
queue-5.4/btrfs-fix-the-filemap_range_has_page-call-in-btrfs_p.patch [new file with mode: 0644]
queue-5.4/char-pcmcia-error-out-if-num_bytes_read-is-greater-t.patch [new file with mode: 0644]
queue-5.4/cifs-fix-missing-spinlock-around-update-to-ses-statu.patch [new file with mode: 0644]
queue-5.4/clk-actions-fix-bisp_factor_table-based-clocks-on-ow.patch [new file with mode: 0644]
queue-5.4/clk-actions-fix-sd-clocks-factor-table-on-owl-s500-s.patch [new file with mode: 0644]
queue-5.4/clk-actions-fix-uart-clock-dividers-on-owl-s500-soc.patch [new file with mode: 0644]
queue-5.4/clk-meson-g12a-fix-gp0-and-hifi-ranges.patch [new file with mode: 0644]
queue-5.4/clk-si5341-avoid-divide-errors-due-to-bogus-register.patch [new file with mode: 0644]
queue-5.4/clk-si5341-update-initialization-magic.patch [new file with mode: 0644]
queue-5.4/clocksource-retry-clock-read-if-long-delays-detected.patch [new file with mode: 0644]
queue-5.4/configfs-fix-memleak-in-configfs_release_bin_file.patch [new file with mode: 0644]
queue-5.4/cpufreq-make-cpufreq_online-call-driver-offline-on-e.patch [new file with mode: 0644]
queue-5.4/crypto-ccp-fix-a-resource-leak-in-an-error-handling-.patch [new file with mode: 0644]
queue-5.4/crypto-ixp4xx-dma_unmap-the-correct-address.patch [new file with mode: 0644]
queue-5.4/crypto-nitrox-fix-unchecked-variable-in-nitrox_regis.patch [new file with mode: 0644]
queue-5.4/crypto-nx-add-missing-module_device_table.patch [new file with mode: 0644]
queue-5.4/crypto-nx-fix-rcu-warning-in-nx842_of_upd_status.patch [new file with mode: 0644]
queue-5.4/crypto-omap-sham-fix-pm-reference-leak-in-omap-sham-.patch [new file with mode: 0644]
queue-5.4/crypto-qat-check-return-code-of-qat_hal_rd_rel_reg.patch [new file with mode: 0644]
queue-5.4/crypto-qat-remove-unused-macro-in-fw-loader.patch [new file with mode: 0644]
queue-5.4/crypto-shash-avoid-comparing-pointers-to-exported-fu.patch [new file with mode: 0644]
queue-5.4/crypto-ux500-fix-error-return-code-in-hash_hw_final.patch [new file with mode: 0644]
queue-5.4/dax-fix-enomem-handling-in-grab_mapping_entry.patch [new file with mode: 0644]
queue-5.4/drivers-perf-fix-the-missed-ida_simple_remove-in-ddr.patch [new file with mode: 0644]
queue-5.4/drm-qxl-ensure-surf.data-is-ininitialized.patch [new file with mode: 0644]
queue-5.4/drm-rockchip-cdn-dp-core-add-missing-clk_disable_unp.patch [new file with mode: 0644]
queue-5.4/drm-rockchip-dsi-move-all-lane-config-except-lcdc-mu.patch [new file with mode: 0644]
queue-5.4/e1000e-check-the-pcim-state.patch [new file with mode: 0644]
queue-5.4/edac-intel-do-not-load-edac-driver-when-running-as-a.patch [new file with mode: 0644]
queue-5.4/edac-ti-add-missing-module_device_table.patch [new file with mode: 0644]
queue-5.4/eeprom-idt_89hpesx-put-fwnode-in-matching-case-durin.patch [new file with mode: 0644]
queue-5.4/eeprom-idt_89hpesx-restore-printing-the-unsupported-.patch [new file with mode: 0644]
queue-5.4/ehea-fix-error-return-code-in-ehea_restart_qps.patch [new file with mode: 0644]
queue-5.4/evm-fix-writing-securityfs-evm-overflow.patch [new file with mode: 0644]
queue-5.4/extcon-extcon-max8997-fix-irq-freeing-at-error-path.patch [new file with mode: 0644]
queue-5.4/extcon-max8997-add-missing-modalias-string.patch [new file with mode: 0644]
queue-5.4/extcon-sm5502-drop-invalid-register-write-in-sm5502_.patch [new file with mode: 0644]
queue-5.4/firmware-stratix10-svc-fix-a-resource-leak-in-an-err.patch [new file with mode: 0644]
queue-5.4/fs-dlm-cancel-work-sync-othercon.patch [new file with mode: 0644]
queue-5.4/fs-dlm-fix-memory-leak-when-fenced.patch [new file with mode: 0644]
queue-5.4/fsi-core-fix-return-of-error-values-on-failures.patch [new file with mode: 0644]
queue-5.4/fsi-occ-don-t-accept-response-from-un-initialized-oc.patch [new file with mode: 0644]
queue-5.4/fsi-sbefifo-clean-up-correct-fifo-when-receiving-res.patch [new file with mode: 0644]
queue-5.4/fsi-sbefifo-fix-reset-timeout.patch [new file with mode: 0644]
queue-5.4/fsi-scom-reset-the-fsi2pib-engine-for-any-error.patch [new file with mode: 0644]
queue-5.4/gve-fix-swapped-vars-when-fetching-max-queues.patch [new file with mode: 0644]
queue-5.4/hid-do-not-use-down_interruptible-when-unbinding-dev.patch [new file with mode: 0644]
queue-5.4/hid-wacom-correct-base-usage-for-capacitive-expressk.patch [new file with mode: 0644]
queue-5.4/hv_utils-fix-passing-zero-to-ptr_err-warning.patch [new file with mode: 0644]
queue-5.4/hwmon-max31722-remove-non-standard-acpi-device-ids.patch [new file with mode: 0644]
queue-5.4/hwmon-max31790-fix-fan-speed-reporting-for-fan7.12.patch [new file with mode: 0644]
queue-5.4/hwmon-max31790-fix-pwmx_enable-attributes.patch [new file with mode: 0644]
queue-5.4/hwmon-max31790-report-correct-current-pwm-duty-cycle.patch [new file with mode: 0644]
queue-5.4/hwrng-exynos-fix-runtime-pm-imbalance-on-error.patch [new file with mode: 0644]
queue-5.4/i40e-fix-autoneg-disabling-for-non-10gbaset-links.patch [new file with mode: 0644]
queue-5.4/i40e-fix-error-handling-in-i40e_vsi_open.patch [new file with mode: 0644]
queue-5.4/ia64-mca_drv-fix-incorrect-array-size-calculation.patch [new file with mode: 0644]
queue-5.4/ibmvnic-free-tx_pool-if-tso_pool-alloc-fails.patch [new file with mode: 0644]
queue-5.4/ieee802154-hwsim-avoid-possible-crash-in-hwsim_del_e.patch [new file with mode: 0644]
queue-5.4/ieee802154-hwsim-fix-memory-leak-in-hwsim_add_one.patch [new file with mode: 0644]
queue-5.4/ieee802154-hwsim-fix-possible-memory-leak-in-hwsim_s.patch [new file with mode: 0644]
queue-5.4/iio-accel-bma180-fix-buffer-alignment-in-iio_push_to.patch [new file with mode: 0644]
queue-5.4/iio-accel-bma220-fix-buffer-alignment-in-iio_push_to.patch [new file with mode: 0644]
queue-5.4/iio-accel-hid-fix-buffer-alignment-in-iio_push_to_bu.patch [new file with mode: 0644]
queue-5.4/iio-accel-kxcjk-1013-fix-buffer-alignment-in-iio_pus.patch [new file with mode: 0644]
queue-5.4/iio-accel-mxc4005-drop-unnecessary-explicit-casts-in.patch [new file with mode: 0644]
queue-5.4/iio-accel-mxc4005-fix-overread-of-data-and-alignment.patch [new file with mode: 0644]
queue-5.4/iio-accel-stk8312-fix-buffer-alignment-in-iio_push_t.patch [new file with mode: 0644]
queue-5.4/iio-accel-stk8ba50-fix-buffer-alignment-in-iio_push_.patch [new file with mode: 0644]
queue-5.4/iio-adc-at91-sama5d2-fix-buffer-alignment-in-iio_pus.patch [new file with mode: 0644]
queue-5.4/iio-adc-hx711-fix-buffer-alignment-in-iio_push_to_bu.patch [new file with mode: 0644]
queue-5.4/iio-adc-mxs-lradc-fix-buffer-alignment-in-iio_push_t.patch [new file with mode: 0644]
queue-5.4/iio-adc-ti-ads1015-fix-buffer-alignment-in-iio_push_.patch [new file with mode: 0644]
queue-5.4/iio-adc-ti-ads8688-fix-alignment-of-buffer-in-iio_pu.patch [new file with mode: 0644]
queue-5.4/iio-adc-vf610-fix-buffer-alignment-in-iio_push_to_bu.patch [new file with mode: 0644]
queue-5.4/iio-adis16400-do-not-return-ints-in-irq-handlers.patch [new file with mode: 0644]
queue-5.4/iio-adis_buffer-do-not-return-ints-in-irq-handlers.patch [new file with mode: 0644]
queue-5.4/iio-at91-sama5d2_adc-remove-usage-of-iio_priv_to_dev.patch [new file with mode: 0644]
queue-5.4/iio-cros_ec_sensors-fix-alignment-of-buffer-in-iio_p.patch [new file with mode: 0644]
queue-5.4/iio-gyro-bmg160-fix-buffer-alignment-in-iio_push_to_.patch [new file with mode: 0644]
queue-5.4/iio-humidity-am2315-fix-buffer-alignment-in-iio_push.patch [new file with mode: 0644]
queue-5.4/iio-light-isl29125-fix-buffer-alignment-in-iio_push_.patch [new file with mode: 0644]
queue-5.4/iio-light-tcs3414-fix-buffer-alignment-in-iio_push_t.patch [new file with mode: 0644]
queue-5.4/iio-light-tcs3472-fix-buffer-alignment-in-iio_push_t.patch [new file with mode: 0644]
queue-5.4/iio-light-vcnl4035-fix-buffer-alignment-in-iio_push_.patch [new file with mode: 0644]
queue-5.4/iio-magn-bmc150-fix-buffer-alignment-in-iio_push_to_.patch [new file with mode: 0644]
queue-5.4/iio-magn-hmc5843-fix-buffer-alignment-in-iio_push_to.patch [new file with mode: 0644]
queue-5.4/iio-magn-rm3100-fix-alignment-of-buffer-in-iio_push_.patch [new file with mode: 0644]
queue-5.4/iio-potentiostat-lmp91000-fix-alignment-of-buffer-in.patch [new file with mode: 0644]
queue-5.4/iio-prox-as3935-fix-buffer-alignment-in-iio_push_to_.patch [new file with mode: 0644]
queue-5.4/iio-prox-isl29501-fix-buffer-alignment-in-iio_push_t.patch [new file with mode: 0644]
queue-5.4/iio-prox-pulsed-light-fix-buffer-alignment-in-iio_pu.patch [new file with mode: 0644]
queue-5.4/iio-prox-srf08-fix-buffer-alignment-in-iio_push_to_b.patch [new file with mode: 0644]
queue-5.4/input-hil_kbd-fix-error-return-code-in-hil_dev_conne.patch [new file with mode: 0644]
queue-5.4/iommu-dma-fix-iova-reserve-dma-ranges.patch [new file with mode: 0644]
queue-5.4/ipv6-exthdrs-do-not-blindly-use-init_net.patch [new file with mode: 0644]
queue-5.4/ipv6-fix-out-of-bound-access-in-ip6_parse_tlv.patch [new file with mode: 0644]
queue-5.4/kbuild-fix-objtool-dependency-for-object_files_non_s.patch [new file with mode: 0644]
queue-5.4/kbuild-run-the-checker-after-the-compiler.patch [new file with mode: 0644]
queue-5.4/kthread_worker-fix-return-value-when-kthread_mod_del.patch [new file with mode: 0644]
queue-5.4/kvm-nvmx-ensure-64-bit-shift-when-checking-vmfunc-bi.patch [new file with mode: 0644]
queue-5.4/kvm-ppc-book3s-hv-fix-tlb-management-on-smt8-power9-.patch [new file with mode: 0644]
queue-5.4/kvm-s390-get-rid-of-register-asm-usage.patch [new file with mode: 0644]
queue-5.4/leds-as3645a-fix-error-return-code-in-as3645a_parse_.patch [new file with mode: 0644]
queue-5.4/leds-ktd2692-fix-an-error-handling-path.patch [new file with mode: 0644]
queue-5.4/leds-lm3532-select-regmap-i2c-api.patch [new file with mode: 0644]
queue-5.4/leds-lm36274-cosmetic-rename-lm36274_data-to-chip.patch [new file with mode: 0644]
queue-5.4/leds-lm3692x-put-fwnode-in-any-case-during-probe.patch [new file with mode: 0644]
queue-5.4/lib-vsprintf-fix-handling-of-number-field-widths-in-.patch [new file with mode: 0644]
queue-5.4/lockding-lockdep-avoid-to-find-wrong-lock-dep-path-i.patch [new file with mode: 0644]
queue-5.4/locking-lockdep-fix-the-dep-path-printing-for-backwa.patch [new file with mode: 0644]
queue-5.4/m68k-atari-fix-atari_kbd_core-kconfig-unmet-dependen.patch [new file with mode: 0644]
queue-5.4/mac80211-remove-iwlwifi-specific-workaround-ndps-of-.patch [new file with mode: 0644]
queue-5.4/makefile-fix-gdb-warning-with-config_relr.patch [new file with mode: 0644]
queue-5.4/media-au0828-fix-a-null-vs-is_err-check.patch [new file with mode: 0644]
queue-5.4/media-bt8xx-fix-a-missing-check-bug-in-bt878_probe.patch [new file with mode: 0644]
queue-5.4/media-cobalt-fix-race-condition-in-setting-hpd.patch [new file with mode: 0644]
queue-5.4/media-cpia2-fix-memory-leak-in-cpia2_usb_probe.patch [new file with mode: 0644]
queue-5.4/media-dvb_net-avoid-speculation-from-net-slot.patch [new file with mode: 0644]
queue-5.4/media-dvd_usb-memory-leak-in-cinergyt2_fe_attach.patch [new file with mode: 0644]
queue-5.4/media-em28xx-fix-possible-memory-leak-of-em28xx-stru.patch [new file with mode: 0644]
queue-5.4/media-exynos-gsc-fix-pm_runtime_get_sync-usage-count.patch [new file with mode: 0644]
queue-5.4/media-exynos4-is-fix-a-use-after-free-in-isp_video_r.patch [new file with mode: 0644]
queue-5.4/media-fix-media-controller-api-config-checks.patch [new file with mode: 0644]
queue-5.4/media-gspca-gl860-fix-zero-length-control-requests.patch [new file with mode: 0644]
queue-5.4/media-i2c-change-rst-to-rset-to-fix-multiple-build-e.patch [new file with mode: 0644]
queue-5.4/media-imx-csi-skip-first-few-frames-from-a-bt.656-so.patch [new file with mode: 0644]
queue-5.4/media-imx-imx7_mipi_csis-fix-logging-of-only-error-e.patch [new file with mode: 0644]
queue-5.4/media-mdk-mdp-fix-pm_runtime_get_sync-usage-count.patch [new file with mode: 0644]
queue-5.4/media-mtk-vcodec-fix-pm-runtime-get-logic.patch [new file with mode: 0644]
queue-5.4/media-pvrusb2-fix-warning-in-pvr2_i2c_core_done.patch [new file with mode: 0644]
queue-5.4/media-rc-i2c-fix-an-error-message.patch [new file with mode: 0644]
queue-5.4/media-s5p-fix-pm_runtime_get_sync-usage-count.patch [new file with mode: 0644]
queue-5.4/media-s5p-g2d-fix-a-memory-leak-on-ctx-fh.m2m_ctx.patch [new file with mode: 0644]
queue-5.4/media-s5p-jpeg-fix-pm_runtime_get_sync-usage-count.patch [new file with mode: 0644]
queue-5.4/media-s5p_cec-decrement-usage-count-if-disabled.patch [new file with mode: 0644]
queue-5.4/media-sh_vou-fix-pm_runtime_get_sync-usage-count.patch [new file with mode: 0644]
queue-5.4/media-siano-fix-device-register-error-path.patch [new file with mode: 0644]
queue-5.4/media-siano-fix-out-of-bounds-warnings-in-smscore_lo.patch [new file with mode: 0644]
queue-5.4/media-st-hva-fix-potential-null-pointer-dereferences.patch [new file with mode: 0644]
queue-5.4/media-sti-bdisp-fix-pm_runtime_get_sync-usage-count.patch [new file with mode: 0644]
queue-5.4/media-sti-fix-obj-config-targets.patch [new file with mode: 0644]
queue-5.4/media-tc358743-fix-error-return-code-in-tc358743_pro.patch [new file with mode: 0644]
queue-5.4/media-v4l2-core-avoid-the-dangling-pointer-in-v4l2_f.patch [new file with mode: 0644]
queue-5.4/memstick-rtsx_usb_ms-fix-uaf.patch [new file with mode: 0644]
queue-5.4/mips-fix-pkmap-with-32-bit-mips-huge-page-support.patch [new file with mode: 0644]
queue-5.4/mm-huge_memory.c-don-t-discard-hugepage-if-other-pro.patch [new file with mode: 0644]
queue-5.4/mm-z3fold-fix-potential-memory-leak-in-z3fold_destro.patch [new file with mode: 0644]
queue-5.4/mmc-sdhci-sprd-use-sdhci_sprd_writew.patch [new file with mode: 0644]
queue-5.4/mmc-usdhi6rol0-fix-error-return-code-in-usdhi6_probe.patch [new file with mode: 0644]
queue-5.4/mmc-via-sdmmc-add-a-check-against-null-pointer-deref.patch [new file with mode: 0644]
queue-5.4/mtd-partitions-redboot-seek-fis-index-block-in-the-r.patch [new file with mode: 0644]
queue-5.4/mtd-rawnand-marvell-add-missing-clk_disable_unprepar.patch [new file with mode: 0644]
queue-5.4/mwifiex-re-fix-for-unaligned-accesses.patch [new file with mode: 0644]
queue-5.4/net-bcmgenet-fix-attaching-to-pyh-failed-on-rpi-4b.patch [new file with mode: 0644]
queue-5.4/net-ethernet-aeroflex-fix-uaf-in-greth_of_remove.patch [new file with mode: 0644]
queue-5.4/net-ethernet-ezchip-fix-error-handling.patch [new file with mode: 0644]
queue-5.4/net-ethernet-ezchip-fix-uaf-in-nps_enet_remove.patch [new file with mode: 0644]
queue-5.4/net-ftgmac100-add-missing-error-return-code-in-ftgma.patch [new file with mode: 0644]
queue-5.4/net-ipv4-swap-flow-ports-when-validating-source.patch [new file with mode: 0644]
queue-5.4/net-lwtunnel-handle-mtu-calculation-in-forwading.patch [new file with mode: 0644]
queue-5.4/net-mvpp2-put-fwnode-in-error-case-during-probe.patch [new file with mode: 0644]
queue-5.4/net-pch_gbe-propagate-error-from-devm_gpio_request_o.patch [new file with mode: 0644]
queue-5.4/net-sched-act_vlan-fix-modify-to-allow-0.patch [new file with mode: 0644]
queue-5.4/net-sched-add-barrier-to-ensure-correct-ordering-for.patch [new file with mode: 0644]
queue-5.4/net-sched-fix-warning-in-tcindex_alloc_perfect_hash.patch [new file with mode: 0644]
queue-5.4/netfilter-nft_exthdr-check-for-ipv6-packet-before-fu.patch [new file with mode: 0644]
queue-5.4/netfilter-nft_osf-check-for-tcp-packet-before-furthe.patch [new file with mode: 0644]
queue-5.4/netfilter-nft_tproxy-restrict-support-to-tcp-and-udp.patch [new file with mode: 0644]
queue-5.4/netlabel-fix-memory-leak-in-netlbl_mgmt_add_common.patch [new file with mode: 0644]
queue-5.4/nvmet-fc-do-not-check-for-invalid-target-port-in-nvm.patch [new file with mode: 0644]
queue-5.4/ocfs2-fix-snprintf-checking.patch [new file with mode: 0644]
queue-5.4/of-fix-truncation-of-memory-sizes-on-32-bit-platform.patch [new file with mode: 0644]
queue-5.4/pata_ep93xx-fix-deferred-probing.patch [new file with mode: 0644]
queue-5.4/pata_octeon_cf-avoid-warn_on-in-ata_host_activate.patch [new file with mode: 0644]
queue-5.4/pata_rb532_cf-fix-deferred-probing.patch [new file with mode: 0644]
queue-5.4/pci-hv-add-check-for-hyperv_initialized-in-init_hv_p.patch [new file with mode: 0644]
queue-5.4/perf-llvm-return-enomem-when-asprintf-fails.patch [new file with mode: 0644]
queue-5.4/phy-ti-dm816x-fix-the-error-handling-path-in-dm816x_.patch [new file with mode: 0644]
queue-5.4/phy-uniphier-pcie-fix-updating-phy-parameters.patch [new file with mode: 0644]
queue-5.4/pinctrl-renesas-r8a7796-add-missing-bias-for-preset-.patch [new file with mode: 0644]
queue-5.4/pinctrl-renesas-r8a77990-jtag-pins-do-not-have-pull-.patch [new file with mode: 0644]
queue-5.4/pkt_sched-sch_qfq-fix-qfq_change_class-error-path.patch [new file with mode: 0644]
queue-5.4/platform-x86-toshiba_acpi-fix-missing-error-code-in-.patch [new file with mode: 0644]
queue-5.4/powerpc-offline-cpu-in-stop_this_cpu.patch [new file with mode: 0644]
queue-5.4/random32-fix-implicit-truncation-warning-in-prandom_.patch [new file with mode: 0644]
queue-5.4/rcu-invoke-rcu_spawn_core_kthreads-from-rcu_spawn_gp.patch [new file with mode: 0644]
queue-5.4/rdma-core-sanitize-wq-state-received-from-the-usersp.patch [new file with mode: 0644]
queue-5.4/rdma-mlx5-don-t-access-null-cleared-mpi-pointer.patch [new file with mode: 0644]
queue-5.4/rdma-mlx5-don-t-add-slave-port-to-unaffiliated-list.patch [new file with mode: 0644]
queue-5.4/rdma-rxe-fix-failure-during-driver-load.patch [new file with mode: 0644]
queue-5.4/rdma-rxe-fix-qp-reference-counting-for-atomic-ops.patch [new file with mode: 0644]
queue-5.4/regulator-da9052-ensure-enough-delay-time-for-.set_v.patch [new file with mode: 0644]
queue-5.4/regulator-hi655x-fix-pass-wrong-pointer-to-config.dr.patch [new file with mode: 0644]
queue-5.4/regulator-mt6358-fix-vdram2-.vsel_mask.patch [new file with mode: 0644]
queue-5.4/regulator-uniphier-add-missing-module_device_table.patch [new file with mode: 0644]
queue-5.4/revert-be2net-disable-bh-with-spin_lock-in-be_proces.patch [new file with mode: 0644]
queue-5.4/revert-ibmvnic-remove-duplicate-napi_schedule-call-i.patch [new file with mode: 0644]
queue-5.4/s390-appldata-depends-on-proc_sysctl.patch [new file with mode: 0644]
queue-5.4/samples-bpf-fix-the-error-return-code-of-xdp_redirec.patch [new file with mode: 0644]
queue-5.4/sata_highbank-fix-deferred-probing.patch [new file with mode: 0644]
queue-5.4/sched-fair-fix-ascii-art-by-relpacing-tabs.patch [new file with mode: 0644]
queue-5.4/sched-rt-fix-deadline-utilization-tracking-during-po.patch [new file with mode: 0644]
queue-5.4/sched-rt-fix-rt-utilization-tracking-during-policy-c.patch [new file with mode: 0644]
queue-5.4/sched-uclamp-fix-locking-around-cpu_util_update_eff.patch [new file with mode: 0644]
queue-5.4/sched-uclamp-fix-uclamp_tg_restrict.patch [new file with mode: 0644]
queue-5.4/sched-uclamp-fix-wrong-implementation-of-cpu.uclamp..patch [new file with mode: 0644]
queue-5.4/scsi-flashpoint-rename-si_flags-field.patch [new file with mode: 0644]
queue-5.4/scsi-mpt3sas-fix-error-return-value-in-_scsih_expand.patch [new file with mode: 0644]
queue-5.4/selftests-vm-pkeys-fix-alloc_random_pkey-to-make-it-.patch [new file with mode: 0644]
queue-5.4/serial-8250-actually-allow-upf_magic_multiplier-baud.patch [new file with mode: 0644]
queue-5.4/serial-mvebu-uart-correctly-calculate-minimal-possib.patch [new file with mode: 0644]
queue-5.4/serial-mvebu-uart-do-not-allow-changing-baudrate-whe.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/soundwire-stream-fix-test-for-dp-prepare-complete.patch [new file with mode: 0644]
queue-5.4/spi-make-of_register_spi_device-also-set-the-fwnode.patch [new file with mode: 0644]
queue-5.4/spi-omap-100k-fix-the-length-judgment-problem.patch [new file with mode: 0644]
queue-5.4/spi-spi-loopback-test-fix-tx_buf-might-be-rx_buf.patch [new file with mode: 0644]
queue-5.4/spi-spi-sun6i-fix-chipselect-clock-bug.patch [new file with mode: 0644]
queue-5.4/spi-spi-topcliff-pch-fix-potential-double-free-in-pc.patch [new file with mode: 0644]
queue-5.4/ssb-fix-error-return-code-in-ssb_bus_scan.patch [new file with mode: 0644]
queue-5.4/staging-fbtft-rectify-gpio-handling.patch [new file with mode: 0644]
queue-5.4/staging-gdm724x-check-for-buffer-overflow-in-gdm_lte.patch [new file with mode: 0644]
queue-5.4/staging-gdm724x-check-for-overflow-in-gdm_lte_netif_.patch [new file with mode: 0644]
queue-5.4/staging-mt7621-dts-fix-pci-address-for-pci-memory-ra.patch [new file with mode: 0644]
queue-5.4/staging-rtl8712-fix-memory-leak-in-rtl871x_load_fw_c.patch [new file with mode: 0644]
queue-5.4/staging-rtl8712-remove-redundant-check-in-r871xu_drv.patch [new file with mode: 0644]
queue-5.4/tc-testing-fix-list-handling.patch [new file with mode: 0644]
queue-5.4/tls-prevent-oversized-sendfile-hangs-by-ignoring-msg.patch [new file with mode: 0644]
queue-5.4/tools-bpftool-fix-error-return-code-in-do_batch.patch [new file with mode: 0644]
queue-5.4/tty-nozomi-fix-a-resource-leak-in-an-error-handling-.patch [new file with mode: 0644]
queue-5.4/tty-nozomi-fix-the-error-handling-path-of-nozomi_car.patch [new file with mode: 0644]
queue-5.4/usb-dwc2-don-t-reset-the-core-after-setting-turnarou.patch [new file with mode: 0644]
queue-5.4/usb-gadget-f_fs-fix-setting-of-device-and-driver-dat.patch [new file with mode: 0644]
queue-5.4/vfio-pci-handle-concurrent-vma-faults.patch [new file with mode: 0644]
queue-5.4/video-fbdev-imxfb-fix-an-error-message.patch [new file with mode: 0644]
queue-5.4/visorbus-fix-error-return-code-in-visorchipset_init.patch [new file with mode: 0644]
queue-5.4/vrf-do-not-push-non-nd-strict-packets-with-a-source-.patch [new file with mode: 0644]
queue-5.4/vxlan-add-missing-rcu_read_lock-in-neigh_reduce.patch [new file with mode: 0644]
queue-5.4/wcn36xx-move-hal_buf-allocation-to-devm_kmalloc-in-p.patch [new file with mode: 0644]
queue-5.4/wireless-carl9170-fix-leds-build-errors-warnings.patch [new file with mode: 0644]
queue-5.4/writeback-cgroup-increment-isw_nr_in_flight-before-g.patch [new file with mode: 0644]
queue-5.4/writeback-fix-obtain-a-reference-to-a-freeing-memcg-.patch [new file with mode: 0644]
queue-5.4/xfrm-xfrm_state_mtu-should-return-at-least-1280-for-.patch [new file with mode: 0644]

diff --git a/queue-5.4/acpi-bgrt-fix-cfi-violation.patch b/queue-5.4/acpi-bgrt-fix-cfi-violation.patch
new file mode 100644 (file)
index 0000000..085b2e1
--- /dev/null
@@ -0,0 +1,125 @@
+From aa45f6e30cf1334daa5fede67c8d05a73309e715 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jun 2021 18:38:01 -0700
+Subject: ACPI: bgrt: Fix CFI violation
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit f37ccf8fce155d08ae2a4fb3db677911ced0c21a ]
+
+clang's Control Flow Integrity requires that every indirect call has a
+valid target, which is based on the type of the function pointer. The
+*_show() functions in this file are written as if they will be called
+from dev_attr_show(); however, they will be called from
+sysfs_kf_seq_show() because the files were created by
+sysfs_create_group() and the sysfs ops are based on kobj_sysfs_ops
+because of kobject_add_and_create(). Because the *_show() functions do
+not match the type of the show() member in struct kobj_attribute, there
+is a CFI violation.
+
+$ cat /sys/firmware/acpi/bgrt/{status,type,version,{x,y}offset}}
+1
+0
+1
+522
+307
+
+$ dmesg | grep "CFI failure"
+[  267.761825] CFI failure (target: type_show.d5e1ad21498a5fd14edbc5c320906598.cfi_jt+0x0/0x8):
+[  267.762246] CFI failure (target: xoffset_show.d5e1ad21498a5fd14edbc5c320906598.cfi_jt+0x0/0x8):
+[  267.762584] CFI failure (target: status_show.d5e1ad21498a5fd14edbc5c320906598.cfi_jt+0x0/0x8):
+[  267.762973] CFI failure (target: yoffset_show.d5e1ad21498a5fd14edbc5c320906598.cfi_jt+0x0/0x8):
+[  267.763330] CFI failure (target: version_show.d5e1ad21498a5fd14edbc5c320906598.cfi_jt+0x0/0x8):
+
+Convert these functions to the type of the show() member in struct
+kobj_attribute so that there is no more CFI violation. Because these
+functions are all so similar, combine them into a macro.
+
+Fixes: d1ff4b1cdbab ("ACPI: Add support for exposing BGRT data")
+Link: https://github.com/ClangBuiltLinux/linux/issues/1406
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/bgrt.c | 57 ++++++++++++++-------------------------------
+ 1 file changed, 18 insertions(+), 39 deletions(-)
+
+diff --git a/drivers/acpi/bgrt.c b/drivers/acpi/bgrt.c
+index 19bb7f870204..e0d14017706e 100644
+--- a/drivers/acpi/bgrt.c
++++ b/drivers/acpi/bgrt.c
+@@ -15,40 +15,19 @@
+ static void *bgrt_image;
+ static struct kobject *bgrt_kobj;
+-static ssize_t version_show(struct device *dev,
+-                          struct device_attribute *attr, char *buf)
+-{
+-      return snprintf(buf, PAGE_SIZE, "%d\n", bgrt_tab.version);
+-}
+-static DEVICE_ATTR_RO(version);
+-
+-static ssize_t status_show(struct device *dev,
+-                         struct device_attribute *attr, char *buf)
+-{
+-      return snprintf(buf, PAGE_SIZE, "%d\n", bgrt_tab.status);
+-}
+-static DEVICE_ATTR_RO(status);
+-
+-static ssize_t type_show(struct device *dev,
+-                       struct device_attribute *attr, char *buf)
+-{
+-      return snprintf(buf, PAGE_SIZE, "%d\n", bgrt_tab.image_type);
+-}
+-static DEVICE_ATTR_RO(type);
+-
+-static ssize_t xoffset_show(struct device *dev,
+-                          struct device_attribute *attr, char *buf)
+-{
+-      return snprintf(buf, PAGE_SIZE, "%d\n", bgrt_tab.image_offset_x);
+-}
+-static DEVICE_ATTR_RO(xoffset);
+-
+-static ssize_t yoffset_show(struct device *dev,
+-                          struct device_attribute *attr, char *buf)
+-{
+-      return snprintf(buf, PAGE_SIZE, "%d\n", bgrt_tab.image_offset_y);
+-}
+-static DEVICE_ATTR_RO(yoffset);
++#define BGRT_SHOW(_name, _member) \
++      static ssize_t _name##_show(struct kobject *kobj,                       \
++                                  struct kobj_attribute *attr, char *buf)     \
++      {                                                                       \
++              return snprintf(buf, PAGE_SIZE, "%d\n", bgrt_tab._member);      \
++      }                                                                       \
++      struct kobj_attribute bgrt_attr_##_name = __ATTR_RO(_name)
++
++BGRT_SHOW(version, version);
++BGRT_SHOW(status, status);
++BGRT_SHOW(type, image_type);
++BGRT_SHOW(xoffset, image_offset_x);
++BGRT_SHOW(yoffset, image_offset_y);
+ static ssize_t image_read(struct file *file, struct kobject *kobj,
+              struct bin_attribute *attr, char *buf, loff_t off, size_t count)
+@@ -60,11 +39,11 @@ static ssize_t image_read(struct file *file, struct kobject *kobj,
+ static BIN_ATTR_RO(image, 0); /* size gets filled in later */
+ static struct attribute *bgrt_attributes[] = {
+-      &dev_attr_version.attr,
+-      &dev_attr_status.attr,
+-      &dev_attr_type.attr,
+-      &dev_attr_xoffset.attr,
+-      &dev_attr_yoffset.attr,
++      &bgrt_attr_version.attr,
++      &bgrt_attr_status.attr,
++      &bgrt_attr_type.attr,
++      &bgrt_attr_xoffset.attr,
++      &bgrt_attr_yoffset.attr,
+       NULL,
+ };
+-- 
+2.30.2
+
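Review bot: The `BGRT_SHOW` macro in the queued drivers/acpi/bgrt.c change defines each `bgrt_attr_*` object without `static`, whereas the `DEVICE_ATTR_RO()` definitions it replaces were all `static`, so five attribute structures carrying show() function pointers gain external linkage. Nothing visible in the hunk uses them outside `bgrt_attributes[]`, so the last macro line could read `static struct kobj_attribute bgrt_attr_##_name = __ATTR_RO(_name)`. A short comment above the macro, such as `/* show() must use the kobj_attribute prototype: these files are served through kobj_sysfs_ops */`, would keep the CFI constraint from the commit message next to the code. As this is a stable backport, any such change would need to go into the upstream commit first.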
diff --git a/queue-5.4/acpi-bus-call-kobject_put-in-acpi_init-error-path.patch b/queue-5.4/acpi-bus-call-kobject_put-in-acpi_init-error-path.patch
new file mode 100644 (file)
index 0000000..54153ff
--- /dev/null
@@ -0,0 +1,36 @@
+From 115e53dd82ea757fd4439bc1d8d80870d9a163a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jun 2021 17:36:50 +0800
+Subject: ACPI: bus: Call kobject_put() in acpi_init() error path
+
+From: Hanjun Guo <guohanjun@huawei.com>
+
+[ Upstream commit 4ac7a817f1992103d4e68e9837304f860b5e7300 ]
+
+Although the system will not be in a good condition or it will not
+boot if acpi_bus_init() fails, it is still necessary to put the
+kobject in the error path before returning to avoid leaking memory.
+
+Signed-off-by: Hanjun Guo <guohanjun@huawei.com>
+[ rjw: Subject and changelog edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/bus.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/acpi/bus.c b/drivers/acpi/bus.c
+index 54002670cb7a..bbd9c93fc4c2 100644
+--- a/drivers/acpi/bus.c
++++ b/drivers/acpi/bus.c
+@@ -1240,6 +1240,7 @@ static int __init acpi_init(void)
+       result = acpi_bus_init();
+       if (result) {
++              kobject_put(acpi_kobj);
+               disable_acpi();
+               return result;
+       }
+-- 
+2.30.2
+
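Review bot: After `kobject_put(acpi_kobj);` the pointer still holds the address of the released kobject. acpi_kobj is not declared in this hunk and looks like a file- or global-scope variable, so a later user that only tests it for NULL would see a stale, non-NULL value. Adding `acpi_kobj = NULL;` right after the put keeps the error path safe for such callers. acpi_init() starts and ends outside the hunk.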
diff --git a/queue-5.4/acpi-ec-make-more-asus-laptops-use-ecdt-_gpe.patch b/queue-5.4/acpi-ec-make-more-asus-laptops-use-ecdt-_gpe.patch
new file mode 100644 (file)
index 0000000..ce555a7
--- /dev/null
@@ -0,0 +1,54 @@
+From 487d53a77b2c3711a2a93c645914b9998930e29d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 May 2021 11:09:50 +0800
+Subject: ACPI: EC: Make more Asus laptops use ECDT _GPE
+
+From: Chris Chiu <chris.chiu@canonical.com>
+
+[ Upstream commit 6306f0431914beaf220634ad36c08234006571d5 ]
+
+More ASUS laptops have the _GPE define in the DSDT table with a
+different value than the _GPE number in the ECDT.
+
+This is causing media keys not working on ASUS X505BA/BP, X542BA/BP
+
+Add model info to the quirks list.
+
+Signed-off-by: Chris Chiu <chris.chiu@canonical.com>
+Signed-off-by: Jian-Hong Pan <jhp@endlessos.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/ec.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
+index c64001e789ed..258a8df235cf 100644
+--- a/drivers/acpi/ec.c
++++ b/drivers/acpi/ec.c
+@@ -1826,6 +1826,22 @@ static const struct dmi_system_id ec_dmi_table[] __initconst = {
+       DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+       DMI_MATCH(DMI_PRODUCT_NAME, "GL702VMK"),}, NULL},
+       {
++      ec_honor_ecdt_gpe, "ASUSTeK COMPUTER INC. X505BA", {
++      DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
++      DMI_MATCH(DMI_PRODUCT_NAME, "X505BA"),}, NULL},
++      {
++      ec_honor_ecdt_gpe, "ASUSTeK COMPUTER INC. X505BP", {
++      DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
++      DMI_MATCH(DMI_PRODUCT_NAME, "X505BP"),}, NULL},
++      {
++      ec_honor_ecdt_gpe, "ASUSTeK COMPUTER INC. X542BA", {
++      DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
++      DMI_MATCH(DMI_PRODUCT_NAME, "X542BA"),}, NULL},
++      {
++      ec_honor_ecdt_gpe, "ASUSTeK COMPUTER INC. X542BP", {
++      DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
++      DMI_MATCH(DMI_PRODUCT_NAME, "X542BP"),}, NULL},
++      {
+       ec_honor_ecdt_gpe, "ASUS X550VXK", {
+       DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+       DMI_MATCH(DMI_PRODUCT_NAME, "X550VXK"),}, NULL},
+-- 
+2.30.2
+
diff --git a/queue-5.4/acpi-processor-idle-fix-up-c-state-latency-if-not-or.patch b/queue-5.4/acpi-processor-idle-fix-up-c-state-latency-if-not-or.patch
new file mode 100644 (file)
index 0000000..eb843d1
--- /dev/null
@@ -0,0 +1,113 @@
+From 746d3ab63ab8f7c2eeff43059760711d1ba8103c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 May 2021 17:15:14 -0500
+Subject: ACPI: processor idle: Fix up C-state latency if not ordered
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 65ea8f2c6e230bdf71fed0137cf9e9d1b307db32 ]
+
+Generally, the C-state latency is provided by the _CST method or
+FADT, but some OEM platforms using AMD Picasso, Renoir, Van Gogh,
+and Cezanne set the C2 latency greater than C3's which causes the
+C2 state to be skipped.
+
+That will block the core entering PC6, which prevents S0ix working
+properly on Linux systems.
+
+In other operating systems, the latency values are not validated and
+this does not cause problems by skipping states.
+
+To avoid this issue on Linux, detect when latencies are not an
+arithmetic progression and sort them.
+
+Link: https://gitlab.freedesktop.org/agd5f/linux/-/commit/026d186e4592c1ee9c1cb44295912d0294508725
+Link: https://gitlab.freedesktop.org/drm/amd/-/issues/1230#note_712174
+Suggested-by: Prike Liang <Prike.Liang@amd.com>
+Suggested-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+[ rjw: Subject and changelog edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/processor_idle.c | 40 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 40 insertions(+)
+
+diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c
+index ed56c6d20b08..53ae679c00f0 100644
+--- a/drivers/acpi/processor_idle.c
++++ b/drivers/acpi/processor_idle.c
+@@ -16,6 +16,7 @@
+ #include <linux/acpi.h>
+ #include <linux/dmi.h>
+ #include <linux/sched.h>       /* need_resched() */
++#include <linux/sort.h>
+ #include <linux/tick.h>
+ #include <linux/cpuidle.h>
+ #include <linux/cpu.h>
+@@ -540,10 +541,37 @@ static void acpi_processor_power_verify_c3(struct acpi_processor *pr,
+       return;
+ }
++static int acpi_cst_latency_cmp(const void *a, const void *b)
++{
++      const struct acpi_processor_cx *x = a, *y = b;
++
++      if (!(x->valid && y->valid))
++              return 0;
++      if (x->latency > y->latency)
++              return 1;
++      if (x->latency < y->latency)
++              return -1;
++      return 0;
++}
++static void acpi_cst_latency_swap(void *a, void *b, int n)
++{
++      struct acpi_processor_cx *x = a, *y = b;
++      u32 tmp;
++
++      if (!(x->valid && y->valid))
++              return;
++      tmp = x->latency;
++      x->latency = y->latency;
++      y->latency = tmp;
++}
++
+ static int acpi_processor_power_verify(struct acpi_processor *pr)
+ {
+       unsigned int i;
+       unsigned int working = 0;
++      unsigned int last_latency = 0;
++      unsigned int last_type = 0;
++      bool buggy_latency = false;
+       pr->power.timer_broadcast_on_state = INT_MAX;
+@@ -567,12 +595,24 @@ static int acpi_processor_power_verify(struct acpi_processor *pr)
+               }
+               if (!cx->valid)
+                       continue;
++              if (cx->type >= last_type && cx->latency < last_latency)
++                      buggy_latency = true;
++              last_latency = cx->latency;
++              last_type = cx->type;
+               lapic_timer_check_state(i, pr, cx);
+               tsc_check_state(cx->type);
+               working++;
+       }
++      if (buggy_latency) {
++              pr_notice("FW issue: working around C-state latencies out of order\n");
++              sort(&pr->power.states[1], max_cstate,
++                   sizeof(struct acpi_processor_cx),
++                   acpi_cst_latency_cmp,
++                   acpi_cst_latency_swap);
++      }
++
+       lapic_timer_propagate_broadcast(pr);
+       return (working);
+-- 
+2.30.2
+
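Review bot: acpi_cst_latency_cmp() returns 0 whenever either entry is invalid, and acpi_cst_latency_swap() silently does nothing in the same case, so neither callback gives sort() the consistent ordering and real exchange it relies on. With an invalid state sitting between two valid ones, the latencies can remain out of order after the call. A small insertion sort that walks only the valid entries and exchanges their latency fields avoids this, as sketched below. Separately, the sort() call starts at `states[1]` and passes `max_cstate` as the element count; the array size is not visible in this hunk, so the count should be checked against the number of entries after index 0 before sorting. acpi_processor_power_verify() starts and ends outside the hunk.

```c
/* Order the latencies of the valid entries only; invalid slots are skipped and left untouched. */
static void acpi_cst_latency_sort(struct acpi_processor_cx *states, size_t length)
{
	size_t i, j, k;
	u32 tmp;

	for (i = 1; i < length; i++) {
		if (!states[i].valid)
			continue;

		for (j = i - 1, k = i; ; j--) {
			if (states[j].valid) {
				if (states[j].latency <= states[k].latency)
					break;
				tmp = states[j].latency;
				states[j].latency = states[k].latency;
				states[k].latency = tmp;
				k = j;
			}
			if (j == 0)
				break;
		}
	}
}

/* … unchanged: acpi_processor_power_verify() loop that sets buggy_latency … */
	if (buggy_latency) {
		pr_notice("FW issue: working around C-state latencies out of order\n");
		acpi_cst_latency_sort(&pr->power.states[1], max_cstate);
	}
```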
diff --git a/queue-5.4/acpi-resources-add-checks-for-acpi-irq-override.patch b/queue-5.4/acpi-resources-add-checks-for-acpi-irq-override.patch
new file mode 100644 (file)
index 0000000..73f2238
--- /dev/null
@@ -0,0 +1,82 @@
+From a891ccbaba57fe5d10098e0e9b6f6dbee72c5766 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jun 2021 10:14:42 +0800
+Subject: ACPI: resources: Add checks for ACPI IRQ override
+
+From: Hui Wang <hui.wang@canonical.com>
+
+[ Upstream commit 0ec4e55e9f571f08970ed115ec0addc691eda613 ]
+
+The laptop keyboard doesn't work on many MEDION notebooks, but the
+keyboard works well under Windows and Unix.
+
+Through debugging, we found this log in the dmesg:
+
+ ACPI: IRQ 1 override to edge, high
+ pnp 00:03: Plug and Play ACPI device, IDs PNP0303 (active)
+
+ And we checked the IRQ definition in the DSDT, it is:
+
+    IRQ (Level, ActiveLow, Exclusive, )
+        {1}
+
+So the BIOS defines the keyboard IRQ to Level_Low, but the Linux
+kernel override it to Edge_High. If the Linux kernel is modified
+to skip the IRQ override, the keyboard will work normally.
+
+From the existing comment in acpi_dev_get_irqresource(), the override
+function only needs to be called when IRQ() or IRQNoFlags() is used
+to populate the resource descriptor, and according to Section 6.4.2.1
+of ACPI 6.4 [1], if IRQ() is empty or IRQNoFlags() is used, the IRQ
+is High true, edge sensitive and non-shareable. ACPICA also assumes
+that to be the case (see acpi_rs_set_irq[] in rsirq.c).
+
+In accordance with the above, check 3 additional conditions
+(EdgeSensitive, ActiveHigh and Exclusive) when deciding whether or
+not to treat an ACPI_RESOURCE_TYPE_IRQ resource as "legacy", in which
+case the IRQ override is applicable to it.
+
+Link: https://uefi.org/specs/ACPI/6.4/06_Device_Configuration/Device_Configuration.html#irq-descriptor # [1]
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=213031
+BugLink: http://bugs.launchpad.net/bugs/1909814
+Suggested-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reported-by: Manuel Krause <manuelkrause@netscape.net>
+Tested-by: Manuel Krause <manuelkrause@netscape.net>
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+[ rjw: Subject rewrite, changelog edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/resource.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c
+index 48ca9a844f06..55c57b703ea3 100644
+--- a/drivers/acpi/resource.c
++++ b/drivers/acpi/resource.c
+@@ -430,6 +430,13 @@ static void acpi_dev_get_irqresource(struct resource *res, u32 gsi,
+       }
+ }
++static bool irq_is_legacy(struct acpi_resource_irq *irq)
++{
++      return irq->triggering == ACPI_EDGE_SENSITIVE &&
++              irq->polarity == ACPI_ACTIVE_HIGH &&
++              irq->shareable == ACPI_EXCLUSIVE;
++}
++
+ /**
+  * acpi_dev_resource_interrupt - Extract ACPI interrupt resource information.
+  * @ares: Input ACPI resource object.
+@@ -468,7 +475,7 @@ bool acpi_dev_resource_interrupt(struct acpi_resource *ares, int index,
+               }
+               acpi_dev_get_irqresource(res, irq->interrupts[index],
+                                        irq->triggering, irq->polarity,
+-                                       irq->shareable, true);
++                                       irq->shareable, irq_is_legacy(irq));
+               break;
+       case ACPI_RESOURCE_TYPE_EXTENDED_IRQ:
+               ext_irq = &ares->data.extended_irq;
+-- 
+2.30.2
+
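Review bot: irq_is_legacy() carries no comment saying why these three values mean "legacy", and it takes a non-const pointer although it only reads the descriptor. A one-line comment such as `/* IRQ() without flags and IRQNoFlags() default to edge, active-high, exclusive */` and a `const struct acpi_resource_irq *irq` parameter would make the intent checkable against the spec reference in the changelog. A descriptor that spells out Edge, ActiveHigh, Exclusive explicitly is indistinguishable from the default here and will still get the override, which is worth stating in that comment.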
diff --git a/queue-5.4/acpi-sysfs-fix-a-buffer-overrun-problem-with-descrip.patch b/queue-5.4/acpi-sysfs-fix-a-buffer-overrun-problem-with-descrip.patch
new file mode 100644 (file)
index 0000000..4c50470
--- /dev/null
@@ -0,0 +1,73 @@
+From 14942ccca6d7f52718b77c203764acf5342f4a24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jun 2021 17:12:01 +0000
+Subject: ACPI: sysfs: Fix a buffer overrun problem with description_show()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Krzysztof Wilczyński <kw@linux.com>
+
+[ Upstream commit 888be6067b97132c3992866bbcf647572253ab3f ]
+
+Currently, a device description can be obtained using ACPI, if the _STR
+method exists for a particular device, and then exposed to the userspace
+via a sysfs object as a string value.
+
+If the _STR method is available for a given device then the data
+(usually a Unicode string) is read and stored in a buffer (of the
+ACPI_TYPE_BUFFER type) with a pointer to said buffer cached in the
+struct acpi_device_pnp for later access.
+
+The description_show() function is responsible for exposing the device
+description to the userspace via a corresponding sysfs object and
+internally calls the utf16s_to_utf8s() function with a pointer to the
+buffer that contains the Unicode string so that it can be converted from
+UTF16 encoding to UTF8 and thus allowing for the value to be safely
+stored and later displayed.
+
+When invoking the utf16s_to_utf8s() function, the description_show()
+function also sets a limit of the data that can be saved into a provided
+buffer as a result of the character conversion to be a total of
+PAGE_SIZE, and upon completion, the utf16s_to_utf8s() function returns
+an integer value denoting the number of bytes that have been written
+into the provided buffer.
+
+Following the execution of the utf16s_to_utf8s() a newline character
+will be added at the end of the resulting buffer so that when the value
+is read in the userspace through the sysfs object then it would include
+newline making it more accessible when working with the sysfs file
+system in the shell, etc.  Normally, this wouldn't be a problem, but if
+the function utf16s_to_utf8s() happens to return the number of bytes
+written to be precisely PAGE_SIZE, then we would overrun the buffer and
+write the newline character outside the allotted space which can have
+undefined consequences or result in a failure.
+
+To fix this buffer overrun, ensure that there always is enough space
+left for the newline character to be safely appended.
+
+Fixes: d1efe3c324ea ("ACPI: Add new sysfs interface to export device description")
+Signed-off-by: Krzysztof Wilczyński <kw@linux.com>
+Reviewed-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/device_sysfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/device_sysfs.c b/drivers/acpi/device_sysfs.c
+index bfca116482b8..75e412b2b660 100644
+--- a/drivers/acpi/device_sysfs.c
++++ b/drivers/acpi/device_sysfs.c
+@@ -446,7 +446,7 @@ static ssize_t description_show(struct device *dev,
+               (wchar_t *)acpi_dev->pnp.str_obj->buffer.pointer,
+               acpi_dev->pnp.str_obj->buffer.length,
+               UTF16_LITTLE_ENDIAN, buf,
+-              PAGE_SIZE);
++              PAGE_SIZE - 1);
+       buf[result++] = '\n';
+-- 
+2.30.2
+
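Review bot: The input length passed to utf16s_to_utf8s() is still `buffer.length`, right next to a `(wchar_t *)` cast of the buffer pointer. If that parameter counts 16-bit units rather than bytes (the helper is not shown here), the conversion may read up to twice the size of the firmware-supplied _STR buffer when it lacks a terminating NUL. It is worth confirming the unit and, if so, passing `acpi_dev->pnp.str_obj->buffer.length / sizeof(wchar_t),` instead. The `PAGE_SIZE - 1` output bound is consistent with the `buf[result++] = '\n';` that follows. description_show() starts and ends outside the hunk.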
diff --git a/queue-5.4/acpi-tables-add-custom-dsdt-file-as-makefile-prerequ.patch b/queue-5.4/acpi-tables-add-custom-dsdt-file-as-makefile-prerequ.patch
new file mode 100644 (file)
index 0000000..3547c39
--- /dev/null
@@ -0,0 +1,43 @@
+From fa73d5d3620ab6698a1fd9c66737dbf4a58aa043 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jun 2021 16:24:33 +0100
+Subject: ACPI: tables: Add custom DSDT file as makefile prerequisite
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit d1059c1b1146870c52f3dac12cb7b6cbf39ed27f ]
+
+A custom DSDT file is mostly used during development or debugging,
+and in that case it is quite likely to want to rebuild the kernel
+after changing ONLY the content of the DSDT.
+
+This patch adds the custom DSDT as a prerequisite to tables.o
+to ensure a rebuild if the DSDT file is updated. Make will merge
+the prerequisites from multiple rules for the same target.
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/Makefile | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/acpi/Makefile b/drivers/acpi/Makefile
+index ef1ac4d127da..1c81504046d4 100644
+--- a/drivers/acpi/Makefile
++++ b/drivers/acpi/Makefile
+@@ -8,6 +8,11 @@ ccflags-$(CONFIG_ACPI_DEBUG)  += -DACPI_DEBUG_OUTPUT
+ #
+ # ACPI Boot-Time Table Parsing
+ #
++ifeq ($(CONFIG_ACPI_CUSTOM_DSDT),y)
++tables.o: $(src)/../../include/$(subst $\",,$(CONFIG_ACPI_CUSTOM_DSDT_FILE)) ;
++
++endif
++
+ obj-$(CONFIG_ACPI)            += tables.o
+ obj-$(CONFIG_X86)             += blacklist.o
+-- 
+2.30.2
+
diff --git a/queue-5.4/acpi-use-device_attr_-rw-ro-wo-macros.patch b/queue-5.4/acpi-use-device_attr_-rw-ro-wo-macros.patch
new file mode 100644 (file)
index 0000000..8cd90e5
--- /dev/null
@@ -0,0 +1,456 @@
+From 8e6a7451aaa214f6d943748e424746fa60d1e989 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Dec 2020 18:15:36 +0530
+Subject: ACPI: Use DEVICE_ATTR_<RW|RO|WO> macros
+
+From: Dwaipayan Ray <dwaipayanray1@gmail.com>
+
+[ Upstream commit 0f39ee8324e75c9d370e84a61323ceb194641a18 ]
+
+Instead of open coding DEVICE_ATTR(), use the
+DEVICE_ATTR_RW(), DEVICE_ATTR_RO() and DEVICE_ATTR_WO()
+macros wherever possible.
+
+This required a few functions to be renamed but the
+functionality itself is unchanged.
+
+Signed-off-by: Dwaipayan Ray <dwaipayanray1@gmail.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpi_pad.c     | 24 ++++++++------------
+ drivers/acpi/acpi_tad.c     | 14 ++++++------
+ drivers/acpi/bgrt.c         | 20 ++++++++---------
+ drivers/acpi/device_sysfs.c | 44 ++++++++++++++++++-------------------
+ drivers/acpi/dock.c         | 26 +++++++++++-----------
+ drivers/acpi/power.c        |  9 ++++----
+ 6 files changed, 66 insertions(+), 71 deletions(-)
+
+diff --git a/drivers/acpi/acpi_pad.c b/drivers/acpi/acpi_pad.c
+index e7dc0133f817..c11d736a8db7 100644
+--- a/drivers/acpi/acpi_pad.c
++++ b/drivers/acpi/acpi_pad.c
+@@ -262,7 +262,7 @@ static uint32_t acpi_pad_idle_cpus_num(void)
+       return ps_tsk_num;
+ }
+-static ssize_t acpi_pad_rrtime_store(struct device *dev,
++static ssize_t rrtime_store(struct device *dev,
+       struct device_attribute *attr, const char *buf, size_t count)
+ {
+       unsigned long num;
+@@ -276,16 +276,14 @@ static ssize_t acpi_pad_rrtime_store(struct device *dev,
+       return count;
+ }
+-static ssize_t acpi_pad_rrtime_show(struct device *dev,
++static ssize_t rrtime_show(struct device *dev,
+       struct device_attribute *attr, char *buf)
+ {
+       return scnprintf(buf, PAGE_SIZE, "%d\n", round_robin_time);
+ }
+-static DEVICE_ATTR(rrtime, S_IRUGO|S_IWUSR,
+-      acpi_pad_rrtime_show,
+-      acpi_pad_rrtime_store);
++static DEVICE_ATTR_RW(rrtime);
+-static ssize_t acpi_pad_idlepct_store(struct device *dev,
++static ssize_t idlepct_store(struct device *dev,
+       struct device_attribute *attr, const char *buf, size_t count)
+ {
+       unsigned long num;
+@@ -299,16 +297,14 @@ static ssize_t acpi_pad_idlepct_store(struct device *dev,
+       return count;
+ }
+-static ssize_t acpi_pad_idlepct_show(struct device *dev,
++static ssize_t idlepct_show(struct device *dev,
+       struct device_attribute *attr, char *buf)
+ {
+       return scnprintf(buf, PAGE_SIZE, "%d\n", idle_pct);
+ }
+-static DEVICE_ATTR(idlepct, S_IRUGO|S_IWUSR,
+-      acpi_pad_idlepct_show,
+-      acpi_pad_idlepct_store);
++static DEVICE_ATTR_RW(idlepct);
+-static ssize_t acpi_pad_idlecpus_store(struct device *dev,
++static ssize_t idlecpus_store(struct device *dev,
+       struct device_attribute *attr, const char *buf, size_t count)
+ {
+       unsigned long num;
+@@ -320,16 +316,14 @@ static ssize_t acpi_pad_idlecpus_store(struct device *dev,
+       return count;
+ }
+-static ssize_t acpi_pad_idlecpus_show(struct device *dev,
++static ssize_t idlecpus_show(struct device *dev,
+       struct device_attribute *attr, char *buf)
+ {
+       return cpumap_print_to_pagebuf(false, buf,
+                                      to_cpumask(pad_busy_cpus_bits));
+ }
+-static DEVICE_ATTR(idlecpus, S_IRUGO|S_IWUSR,
+-      acpi_pad_idlecpus_show,
+-      acpi_pad_idlecpus_store);
++static DEVICE_ATTR_RW(idlecpus);
+ static int acpi_pad_add_sysfs(struct acpi_device *device)
+ {
+diff --git a/drivers/acpi/acpi_tad.c b/drivers/acpi/acpi_tad.c
+index 33a4bcdaa4d7..bab8583443a6 100644
+--- a/drivers/acpi/acpi_tad.c
++++ b/drivers/acpi/acpi_tad.c
+@@ -237,7 +237,7 @@ static ssize_t time_show(struct device *dev, struct device_attribute *attr,
+                      rt.tz, rt.daylight);
+ }
+-static DEVICE_ATTR(time, S_IRUSR | S_IWUSR, time_show, time_store);
++static DEVICE_ATTR_RW(time);
+ static struct attribute *acpi_tad_time_attrs[] = {
+       &dev_attr_time.attr,
+@@ -446,7 +446,7 @@ static ssize_t ac_alarm_show(struct device *dev, struct device_attribute *attr,
+       return acpi_tad_alarm_read(dev, buf, ACPI_TAD_AC_TIMER);
+ }
+-static DEVICE_ATTR(ac_alarm, S_IRUSR | S_IWUSR, ac_alarm_show, ac_alarm_store);
++static DEVICE_ATTR_RW(ac_alarm);
+ static ssize_t ac_policy_store(struct device *dev, struct device_attribute *attr,
+                              const char *buf, size_t count)
+@@ -462,7 +462,7 @@ static ssize_t ac_policy_show(struct device *dev, struct device_attribute *attr,
+       return acpi_tad_policy_read(dev, buf, ACPI_TAD_AC_TIMER);
+ }
+-static DEVICE_ATTR(ac_policy, S_IRUSR | S_IWUSR, ac_policy_show, ac_policy_store);
++static DEVICE_ATTR_RW(ac_policy);
+ static ssize_t ac_status_store(struct device *dev, struct device_attribute *attr,
+                              const char *buf, size_t count)
+@@ -478,7 +478,7 @@ static ssize_t ac_status_show(struct device *dev, struct device_attribute *attr,
+       return acpi_tad_status_read(dev, buf, ACPI_TAD_AC_TIMER);
+ }
+-static DEVICE_ATTR(ac_status, S_IRUSR | S_IWUSR, ac_status_show, ac_status_store);
++static DEVICE_ATTR_RW(ac_status);
+ static struct attribute *acpi_tad_attrs[] = {
+       &dev_attr_caps.attr,
+@@ -505,7 +505,7 @@ static ssize_t dc_alarm_show(struct device *dev, struct device_attribute *attr,
+       return acpi_tad_alarm_read(dev, buf, ACPI_TAD_DC_TIMER);
+ }
+-static DEVICE_ATTR(dc_alarm, S_IRUSR | S_IWUSR, dc_alarm_show, dc_alarm_store);
++static DEVICE_ATTR_RW(dc_alarm);
+ static ssize_t dc_policy_store(struct device *dev, struct device_attribute *attr,
+                              const char *buf, size_t count)
+@@ -521,7 +521,7 @@ static ssize_t dc_policy_show(struct device *dev, struct device_attribute *attr,
+       return acpi_tad_policy_read(dev, buf, ACPI_TAD_DC_TIMER);
+ }
+-static DEVICE_ATTR(dc_policy, S_IRUSR | S_IWUSR, dc_policy_show, dc_policy_store);
++static DEVICE_ATTR_RW(dc_policy);
+ static ssize_t dc_status_store(struct device *dev, struct device_attribute *attr,
+                              const char *buf, size_t count)
+@@ -537,7 +537,7 @@ static ssize_t dc_status_show(struct device *dev, struct device_attribute *attr,
+       return acpi_tad_status_read(dev, buf, ACPI_TAD_DC_TIMER);
+ }
+-static DEVICE_ATTR(dc_status, S_IRUSR | S_IWUSR, dc_status_show, dc_status_store);
++static DEVICE_ATTR_RW(dc_status);
+ static struct attribute *acpi_tad_dc_attrs[] = {
+       &dev_attr_dc_alarm.attr,
+diff --git a/drivers/acpi/bgrt.c b/drivers/acpi/bgrt.c
+index 251f961c28cc..19bb7f870204 100644
+--- a/drivers/acpi/bgrt.c
++++ b/drivers/acpi/bgrt.c
+@@ -15,40 +15,40 @@
+ static void *bgrt_image;
+ static struct kobject *bgrt_kobj;
+-static ssize_t show_version(struct device *dev,
++static ssize_t version_show(struct device *dev,
+                           struct device_attribute *attr, char *buf)
+ {
+       return snprintf(buf, PAGE_SIZE, "%d\n", bgrt_tab.version);
+ }
+-static DEVICE_ATTR(version, S_IRUGO, show_version, NULL);
++static DEVICE_ATTR_RO(version);
+-static ssize_t show_status(struct device *dev,
++static ssize_t status_show(struct device *dev,
+                          struct device_attribute *attr, char *buf)
+ {
+       return snprintf(buf, PAGE_SIZE, "%d\n", bgrt_tab.status);
+ }
+-static DEVICE_ATTR(status, S_IRUGO, show_status, NULL);
++static DEVICE_ATTR_RO(status);
+-static ssize_t show_type(struct device *dev,
++static ssize_t type_show(struct device *dev,
+                        struct device_attribute *attr, char *buf)
+ {
+       return snprintf(buf, PAGE_SIZE, "%d\n", bgrt_tab.image_type);
+ }
+-static DEVICE_ATTR(type, S_IRUGO, show_type, NULL);
++static DEVICE_ATTR_RO(type);
+-static ssize_t show_xoffset(struct device *dev,
++static ssize_t xoffset_show(struct device *dev,
+                           struct device_attribute *attr, char *buf)
+ {
+       return snprintf(buf, PAGE_SIZE, "%d\n", bgrt_tab.image_offset_x);
+ }
+-static DEVICE_ATTR(xoffset, S_IRUGO, show_xoffset, NULL);
++static DEVICE_ATTR_RO(xoffset);
+-static ssize_t show_yoffset(struct device *dev,
++static ssize_t yoffset_show(struct device *dev,
+                           struct device_attribute *attr, char *buf)
+ {
+       return snprintf(buf, PAGE_SIZE, "%d\n", bgrt_tab.image_offset_y);
+ }
+-static DEVICE_ATTR(yoffset, S_IRUGO, show_yoffset, NULL);
++static DEVICE_ATTR_RO(yoffset);
+ static ssize_t image_read(struct file *file, struct kobject *kobj,
+              struct bin_attribute *attr, char *buf, loff_t off, size_t count)
+diff --git a/drivers/acpi/device_sysfs.c b/drivers/acpi/device_sysfs.c
+index 75e412b2b660..fe8c7e79f472 100644
+--- a/drivers/acpi/device_sysfs.c
++++ b/drivers/acpi/device_sysfs.c
+@@ -325,11 +325,11 @@ int acpi_device_modalias(struct device *dev, char *buf, int size)
+ EXPORT_SYMBOL_GPL(acpi_device_modalias);
+ static ssize_t
+-acpi_device_modalias_show(struct device *dev, struct device_attribute *attr, char *buf)
++modalias_show(struct device *dev, struct device_attribute *attr, char *buf)
+ {
+       return __acpi_device_modalias(to_acpi_device(dev), buf, 1024);
+ }
+-static DEVICE_ATTR(modalias, 0444, acpi_device_modalias_show, NULL);
++static DEVICE_ATTR_RO(modalias);
+ static ssize_t real_power_state_show(struct device *dev,
+                                    struct device_attribute *attr, char *buf)
+@@ -358,8 +358,8 @@ static ssize_t power_state_show(struct device *dev,
+ static DEVICE_ATTR_RO(power_state);
+ static ssize_t
+-acpi_eject_store(struct device *d, struct device_attribute *attr,
+-              const char *buf, size_t count)
++eject_store(struct device *d, struct device_attribute *attr,
++          const char *buf, size_t count)
+ {
+       struct acpi_device *acpi_device = to_acpi_device(d);
+       acpi_object_type not_used;
+@@ -387,28 +387,28 @@ acpi_eject_store(struct device *d, struct device_attribute *attr,
+       return status == AE_NO_MEMORY ? -ENOMEM : -EAGAIN;
+ }
+-static DEVICE_ATTR(eject, 0200, NULL, acpi_eject_store);
++static DEVICE_ATTR_WO(eject);
+ static ssize_t
+-acpi_device_hid_show(struct device *dev, struct device_attribute *attr, char *buf)
++hid_show(struct device *dev, struct device_attribute *attr, char *buf)
+ {
+       struct acpi_device *acpi_dev = to_acpi_device(dev);
+       return sprintf(buf, "%s\n", acpi_device_hid(acpi_dev));
+ }
+-static DEVICE_ATTR(hid, 0444, acpi_device_hid_show, NULL);
++static DEVICE_ATTR_RO(hid);
+-static ssize_t acpi_device_uid_show(struct device *dev,
+-                                  struct device_attribute *attr, char *buf)
++static ssize_t uid_show(struct device *dev,
++                      struct device_attribute *attr, char *buf)
+ {
+       struct acpi_device *acpi_dev = to_acpi_device(dev);
+       return sprintf(buf, "%s\n", acpi_dev->pnp.unique_id);
+ }
+-static DEVICE_ATTR(uid, 0444, acpi_device_uid_show, NULL);
++static DEVICE_ATTR_RO(uid);
+-static ssize_t acpi_device_adr_show(struct device *dev,
+-                                  struct device_attribute *attr, char *buf)
++static ssize_t adr_show(struct device *dev,
++                      struct device_attribute *attr, char *buf)
+ {
+       struct acpi_device *acpi_dev = to_acpi_device(dev);
+@@ -417,16 +417,16 @@ static ssize_t acpi_device_adr_show(struct device *dev,
+       else
+               return sprintf(buf, "0x%08llx\n", acpi_dev->pnp.bus_address);
+ }
+-static DEVICE_ATTR(adr, 0444, acpi_device_adr_show, NULL);
++static DEVICE_ATTR_RO(adr);
+-static ssize_t acpi_device_path_show(struct device *dev,
+-                                   struct device_attribute *attr, char *buf)
++static ssize_t path_show(struct device *dev,
++                       struct device_attribute *attr, char *buf)
+ {
+       struct acpi_device *acpi_dev = to_acpi_device(dev);
+       return acpi_object_path(acpi_dev->handle, buf);
+ }
+-static DEVICE_ATTR(path, 0444, acpi_device_path_show, NULL);
++static DEVICE_ATTR_RO(path);
+ /* sysfs file that shows description text from the ACPI _STR method */
+ static ssize_t description_show(struct device *dev,
+@@ -455,8 +455,8 @@ static ssize_t description_show(struct device *dev,
+ static DEVICE_ATTR_RO(description);
+ static ssize_t
+-acpi_device_sun_show(struct device *dev, struct device_attribute *attr,
+-                   char *buf) {
++sun_show(struct device *dev, struct device_attribute *attr,
++       char *buf) {
+       struct acpi_device *acpi_dev = to_acpi_device(dev);
+       acpi_status status;
+       unsigned long long sun;
+@@ -467,11 +467,11 @@ acpi_device_sun_show(struct device *dev, struct device_attribute *attr,
+       return sprintf(buf, "%llu\n", sun);
+ }
+-static DEVICE_ATTR(sun, 0444, acpi_device_sun_show, NULL);
++static DEVICE_ATTR_RO(sun);
+ static ssize_t
+-acpi_device_hrv_show(struct device *dev, struct device_attribute *attr,
+-                   char *buf) {
++hrv_show(struct device *dev, struct device_attribute *attr,
++       char *buf) {
+       struct acpi_device *acpi_dev = to_acpi_device(dev);
+       acpi_status status;
+       unsigned long long hrv;
+@@ -482,7 +482,7 @@ acpi_device_hrv_show(struct device *dev, struct device_attribute *attr,
+       return sprintf(buf, "%llu\n", hrv);
+ }
+-static DEVICE_ATTR(hrv, 0444, acpi_device_hrv_show, NULL);
++static DEVICE_ATTR_RO(hrv);
+ static ssize_t status_show(struct device *dev, struct device_attribute *attr,
+                               char *buf) {
+diff --git a/drivers/acpi/dock.c b/drivers/acpi/dock.c
+index e3414131bfca..9bb42a772bee 100644
+--- a/drivers/acpi/dock.c
++++ b/drivers/acpi/dock.c
+@@ -485,7 +485,7 @@ int dock_notify(struct acpi_device *adev, u32 event)
+ /*
+  * show_docked - read method for "docked" file in sysfs
+  */
+-static ssize_t show_docked(struct device *dev,
++static ssize_t docked_show(struct device *dev,
+                          struct device_attribute *attr, char *buf)
+ {
+       struct dock_station *dock_station = dev->platform_data;
+@@ -494,25 +494,25 @@ static ssize_t show_docked(struct device *dev,
+       acpi_bus_get_device(dock_station->handle, &adev);
+       return snprintf(buf, PAGE_SIZE, "%u\n", acpi_device_enumerated(adev));
+ }
+-static DEVICE_ATTR(docked, S_IRUGO, show_docked, NULL);
++static DEVICE_ATTR_RO(docked);
+ /*
+  * show_flags - read method for flags file in sysfs
+  */
+-static ssize_t show_flags(struct device *dev,
++static ssize_t flags_show(struct device *dev,
+                         struct device_attribute *attr, char *buf)
+ {
+       struct dock_station *dock_station = dev->platform_data;
+       return snprintf(buf, PAGE_SIZE, "%d\n", dock_station->flags);
+ }
+-static DEVICE_ATTR(flags, S_IRUGO, show_flags, NULL);
++static DEVICE_ATTR_RO(flags);
+ /*
+  * write_undock - write method for "undock" file in sysfs
+  */
+-static ssize_t write_undock(struct device *dev, struct device_attribute *attr,
+-                         const char *buf, size_t count)
++static ssize_t undock_store(struct device *dev, struct device_attribute *attr,
++                          const char *buf, size_t count)
+ {
+       int ret;
+       struct dock_station *dock_station = dev->platform_data;
+@@ -526,13 +526,13 @@ static ssize_t write_undock(struct device *dev, struct device_attribute *attr,
+       acpi_scan_lock_release();
+       return ret ? ret: count;
+ }
+-static DEVICE_ATTR(undock, S_IWUSR, NULL, write_undock);
++static DEVICE_ATTR_WO(undock);
+ /*
+  * show_dock_uid - read method for "uid" file in sysfs
+  */
+-static ssize_t show_dock_uid(struct device *dev,
+-                           struct device_attribute *attr, char *buf)
++static ssize_t uid_show(struct device *dev,
++                      struct device_attribute *attr, char *buf)
+ {
+       unsigned long long lbuf;
+       struct dock_station *dock_station = dev->platform_data;
+@@ -543,10 +543,10 @@ static ssize_t show_dock_uid(struct device *dev,
+       return snprintf(buf, PAGE_SIZE, "%llx\n", lbuf);
+ }
+-static DEVICE_ATTR(uid, S_IRUGO, show_dock_uid, NULL);
++static DEVICE_ATTR_RO(uid);
+-static ssize_t show_dock_type(struct device *dev,
+-              struct device_attribute *attr, char *buf)
++static ssize_t type_show(struct device *dev,
++                       struct device_attribute *attr, char *buf)
+ {
+       struct dock_station *dock_station = dev->platform_data;
+       char *type;
+@@ -562,7 +562,7 @@ static ssize_t show_dock_type(struct device *dev,
+       return snprintf(buf, PAGE_SIZE, "%s\n", type);
+ }
+-static DEVICE_ATTR(type, S_IRUGO, show_dock_type, NULL);
++static DEVICE_ATTR_RO(type);
+ static struct attribute *dock_attributes[] = {
+       &dev_attr_docked.attr,
+diff --git a/drivers/acpi/power.c b/drivers/acpi/power.c
+index fe1e7bc91a5e..3261cffdd5e0 100644
+--- a/drivers/acpi/power.c
++++ b/drivers/acpi/power.c
+@@ -888,15 +888,16 @@ static void acpi_release_power_resource(struct device *dev)
+       kfree(resource);
+ }
+-static ssize_t acpi_power_in_use_show(struct device *dev,
+-                                    struct device_attribute *attr,
+-                                    char *buf) {
++static ssize_t resource_in_use_show(struct device *dev,
++                                  struct device_attribute *attr,
++                                  char *buf)
++{
+       struct acpi_power_resource *resource;
+       resource = to_power_resource(to_acpi_device(dev));
+       return sprintf(buf, "%u\n", !!resource->ref_count);
+ }
+-static DEVICE_ATTR(resource_in_use, 0444, acpi_power_in_use_show, NULL);
++static DEVICE_ATTR_RO(resource_in_use);
+ static void acpi_power_sysfs_remove(struct acpi_device *device)
+ {
+-- 
+2.30.2
+
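Review bot: The acpi_tad.c attributes were declared with `S_IRUSR | S_IWUSR` (0600), but DEVICE_ATTR_RW() creates files with mode 0644. So `time`, `ac_alarm`, `ac_policy`, `ac_status`, `dc_alarm`, `dc_policy` and `dc_status` become world-readable, which contradicts the changelog's statement that functionality is unchanged. Unless that widening is intended, these seven should keep the explicit form, e.g. `static DEVICE_ATTR(time, S_IRUSR | S_IWUSR, time_show, time_store);`. The other conversions in the patch (0644, 0444 and 0200 originals) keep their modes. The comments above the renamed dock.c handlers still name `show_docked`, `show_flags`, `write_undock` and `show_dock_uid` and should be updated to the new names.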
diff --git a/queue-5.4/acpica-fix-memory-leak-caused-by-_cid-repair-functio.patch b/queue-5.4/acpica-fix-memory-leak-caused-by-_cid-repair-functio.patch
new file mode 100644 (file)
index 0000000..3cb6e09
--- /dev/null
@@ -0,0 +1,55 @@
+From b703fce5b25034e36c16fc48e0188102b3c047a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jun 2021 14:25:57 -0700
+Subject: ACPICA: Fix memory leak caused by _CID repair function
+
+From: Erik Kaneda <erik.kaneda@intel.com>
+
+[ Upstream commit c27bac0314131b11bccd735f7e8415ac6444b667 ]
+
+ACPICA commit 180cb53963aa876c782a6f52cc155d951b26051a
+
+According to the ACPI spec, _CID returns a package containing
+hardware ID's. Each element of an ASL package contains a reference
+count from the parent package as well as the element itself.
+
+Name (TEST, Package() {
+    "String object" // this package element has a reference count of 2
+})
+
+A memory leak was caused in the _CID repair function because it did
+not decrement the reference count created by the package. Fix the
+memory leak by calling acpi_ut_remove_reference on _CID package elements
+that represent a hardware ID (_HID).
+
+Link: https://github.com/acpica/acpica/commit/180cb539
+Tested-by: Shawn Guo <shawn.guo@linaro.org>
+Signed-off-by: Erik Kaneda <erik.kaneda@intel.com>
+Signed-off-by: Bob Moore <robert.moore@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpica/nsrepair2.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/acpi/acpica/nsrepair2.c b/drivers/acpi/acpica/nsrepair2.c
+index 663d85e0adba..b7c408ce340c 100644
+--- a/drivers/acpi/acpica/nsrepair2.c
++++ b/drivers/acpi/acpica/nsrepair2.c
+@@ -375,6 +375,13 @@ acpi_ns_repair_CID(struct acpi_evaluate_info *info,
+                       (*element_ptr)->common.reference_count =
+                           original_ref_count;
++
++                      /*
++                       * The original_element holds a reference from the package object
++                       * that represents _HID. Since a new element was created by _HID,
++                       * remove the reference from the _CID package.
++                       */
++                      acpi_ut_remove_reference(original_element);
+               }
+               element_ptr++;
+-- 
+2.30.2
+
diff --git a/queue-5.4/arm64-consistently-use-reserved_pg_dir.patch b/queue-5.4/arm64-consistently-use-reserved_pg_dir.patch
new file mode 100644 (file)
index 0000000..b24e914
--- /dev/null
@@ -0,0 +1,209 @@
+From e624cadf88ec800623502051c6190611ee96821b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Nov 2020 10:22:29 +0000
+Subject: arm64: consistently use reserved_pg_dir
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+[ Upstream commit 833be850f1cabd0e3b5337c0fcab20a6e936dd48 ]
+
+Depending on configuration options and specific code paths, we either
+use the empty_zero_page or the configuration-dependent reserved_ttbr0
+as a reserved value for TTBR{0,1}_EL1.
+
+To simplify this code, let's always allocate and use the same
+reserved_pg_dir, replacing reserved_ttbr0. Note that this is allocated
+(and hence pre-zeroed), and is also marked as read-only in the kernel
+Image mapping.
+
+Keeping this separate from the empty_zero_page potentially helps with
+robustness as the empty_zero_page is used in a number of cases where a
+failure to map it read-only could allow it to become corrupted.
+
+The (presently unused) swapper_pg_end symbol is also removed, and
+comments are added wherever we rely on the offsets between the
+pre-allocated pg_dirs to keep these cases easily identifiable.
+
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20201103102229.8542-1-mark.rutland@arm.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/asm-uaccess.h    | 4 ++--
+ arch/arm64/include/asm/kernel-pgtable.h | 6 ------
+ arch/arm64/include/asm/mmu_context.h    | 6 +++---
+ arch/arm64/include/asm/pgtable.h        | 1 +
+ arch/arm64/include/asm/uaccess.h        | 4 ++--
+ arch/arm64/kernel/entry.S               | 6 ++++--
+ arch/arm64/kernel/setup.c               | 2 +-
+ arch/arm64/kernel/vmlinux.lds.S         | 8 +++-----
+ arch/arm64/mm/proc.S                    | 2 +-
+ 9 files changed, 17 insertions(+), 22 deletions(-)
+
+diff --git a/arch/arm64/include/asm/asm-uaccess.h b/arch/arm64/include/asm/asm-uaccess.h
+index c764cc8fb3b6..9bf56e30f4a8 100644
+--- a/arch/arm64/include/asm/asm-uaccess.h
++++ b/arch/arm64/include/asm/asm-uaccess.h
+@@ -15,10 +15,10 @@
+       .macro  __uaccess_ttbr0_disable, tmp1
+       mrs     \tmp1, ttbr1_el1                        // swapper_pg_dir
+       bic     \tmp1, \tmp1, #TTBR_ASID_MASK
+-      sub     \tmp1, \tmp1, #RESERVED_TTBR0_SIZE      // reserved_ttbr0 just before swapper_pg_dir
++      sub     \tmp1, \tmp1, #PAGE_SIZE                // reserved_pg_dir just before swapper_pg_dir
+       msr     ttbr0_el1, \tmp1                        // set reserved TTBR0_EL1
+       isb
+-      add     \tmp1, \tmp1, #RESERVED_TTBR0_SIZE
++      add     \tmp1, \tmp1, #PAGE_SIZE
+       msr     ttbr1_el1, \tmp1                // set reserved ASID
+       isb
+       .endm
+diff --git a/arch/arm64/include/asm/kernel-pgtable.h b/arch/arm64/include/asm/kernel-pgtable.h
+index a6e5da755359..817efd95d539 100644
+--- a/arch/arm64/include/asm/kernel-pgtable.h
++++ b/arch/arm64/include/asm/kernel-pgtable.h
+@@ -89,12 +89,6 @@
+ #define INIT_DIR_SIZE (PAGE_SIZE * EARLY_PAGES(KIMAGE_VADDR + TEXT_OFFSET, _end))
+ #define IDMAP_DIR_SIZE                (IDMAP_PGTABLE_LEVELS * PAGE_SIZE)
+-#ifdef CONFIG_ARM64_SW_TTBR0_PAN
+-#define RESERVED_TTBR0_SIZE   (PAGE_SIZE)
+-#else
+-#define RESERVED_TTBR0_SIZE   (0)
+-#endif
+-
+ /* Initial memory map size */
+ #if ARM64_SWAPPER_USES_SECTION_MAPS
+ #define SWAPPER_BLOCK_SHIFT   SECTION_SHIFT
+diff --git a/arch/arm64/include/asm/mmu_context.h b/arch/arm64/include/asm/mmu_context.h
+index 3a5d9f1c91b6..1355205e5da5 100644
+--- a/arch/arm64/include/asm/mmu_context.h
++++ b/arch/arm64/include/asm/mmu_context.h
+@@ -36,11 +36,11 @@ static inline void contextidr_thread_switch(struct task_struct *next)
+ }
+ /*
+- * Set TTBR0 to empty_zero_page. No translations will be possible via TTBR0.
++ * Set TTBR0 to reserved_pg_dir. No translations will be possible via TTBR0.
+  */
+ static inline void cpu_set_reserved_ttbr0(void)
+ {
+-      unsigned long ttbr = phys_to_ttbr(__pa_symbol(empty_zero_page));
++      unsigned long ttbr = phys_to_ttbr(__pa_symbol(reserved_pg_dir));
+       write_sysreg(ttbr, ttbr0_el1);
+       isb();
+@@ -184,7 +184,7 @@ static inline void update_saved_ttbr0(struct task_struct *tsk,
+               return;
+       if (mm == &init_mm)
+-              ttbr = __pa_symbol(empty_zero_page);
++              ttbr = __pa_symbol(reserved_pg_dir);
+       else
+               ttbr = virt_to_phys(mm->pgd) | ASID(mm) << 48;
+diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h
+index 8c420f916fe2..a92a187ec891 100644
+--- a/arch/arm64/include/asm/pgtable.h
++++ b/arch/arm64/include/asm/pgtable.h
+@@ -466,6 +466,7 @@ extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
+ extern pgd_t idmap_pg_dir[PTRS_PER_PGD];
+ extern pgd_t idmap_pg_end[];
+ extern pgd_t tramp_pg_dir[PTRS_PER_PGD];
++extern pgd_t reserved_pg_dir[PTRS_PER_PGD];
+ extern void set_swapper_pgd(pgd_t *pgdp, pgd_t pgd);
+diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h
+index 32fc8061aa76..b9a37a415bf9 100644
+--- a/arch/arm64/include/asm/uaccess.h
++++ b/arch/arm64/include/asm/uaccess.h
+@@ -112,8 +112,8 @@ static inline void __uaccess_ttbr0_disable(void)
+       local_irq_save(flags);
+       ttbr = read_sysreg(ttbr1_el1);
+       ttbr &= ~TTBR_ASID_MASK;
+-      /* reserved_ttbr0 placed before swapper_pg_dir */
+-      write_sysreg(ttbr - RESERVED_TTBR0_SIZE, ttbr0_el1);
++      /* reserved_pg_dir placed before swapper_pg_dir */
++      write_sysreg(ttbr - PAGE_SIZE, ttbr0_el1);
+       isb();
+       /* Set reserved ASID */
+       write_sysreg(ttbr, ttbr1_el1);
+diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
+index cf3bd2976e57..db137746c6fa 100644
+--- a/arch/arm64/kernel/entry.S
++++ b/arch/arm64/kernel/entry.S
+@@ -1018,9 +1018,10 @@ ENDPROC(el0_svc)
+  */
+       .pushsection ".entry.tramp.text", "ax"
++      // Move from tramp_pg_dir to swapper_pg_dir
+       .macro tramp_map_kernel, tmp
+       mrs     \tmp, ttbr1_el1
+-      add     \tmp, \tmp, #(PAGE_SIZE + RESERVED_TTBR0_SIZE)
++      add     \tmp, \tmp, #(2 * PAGE_SIZE)
+       bic     \tmp, \tmp, #USER_ASID_FLAG
+       msr     ttbr1_el1, \tmp
+ #ifdef CONFIG_QCOM_FALKOR_ERRATUM_1003
+@@ -1037,9 +1038,10 @@ alternative_else_nop_endif
+ #endif /* CONFIG_QCOM_FALKOR_ERRATUM_1003 */
+       .endm
++      // Move from swapper_pg_dir to tramp_pg_dir
+       .macro tramp_unmap_kernel, tmp
+       mrs     \tmp, ttbr1_el1
+-      sub     \tmp, \tmp, #(PAGE_SIZE + RESERVED_TTBR0_SIZE)
++      sub     \tmp, \tmp, #(2 * PAGE_SIZE)
+       orr     \tmp, \tmp, #USER_ASID_FLAG
+       msr     ttbr1_el1, \tmp
+       /*
+diff --git a/arch/arm64/kernel/setup.c b/arch/arm64/kernel/setup.c
+index d98987b82874..203a0c31f260 100644
+--- a/arch/arm64/kernel/setup.c
++++ b/arch/arm64/kernel/setup.c
+@@ -356,7 +356,7 @@ void __init setup_arch(char **cmdline_p)
+        * faults in case uaccess_enable() is inadvertently called by the init
+        * thread.
+        */
+-      init_task.thread_info.ttbr0 = __pa_symbol(empty_zero_page);
++      init_task.thread_info.ttbr0 = __pa_symbol(reserved_pg_dir);
+ #endif
+ #ifdef CONFIG_VT
+diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S
+index 0bab37b1acbe..1f82cf631c3c 100644
+--- a/arch/arm64/kernel/vmlinux.lds.S
++++ b/arch/arm64/kernel/vmlinux.lds.S
+@@ -157,13 +157,11 @@ SECTIONS
+       . += PAGE_SIZE;
+ #endif
+-#ifdef CONFIG_ARM64_SW_TTBR0_PAN
+-      reserved_ttbr0 = .;
+-      . += RESERVED_TTBR0_SIZE;
+-#endif
++      reserved_pg_dir = .;
++      . += PAGE_SIZE;
++
+       swapper_pg_dir = .;
+       . += PAGE_SIZE;
+-      swapper_pg_end = .;
+       . = ALIGN(SEGMENT_ALIGN);
+       __init_begin = .;
+diff --git a/arch/arm64/mm/proc.S b/arch/arm64/mm/proc.S
+index a1e0592d1fbc..13e78a5d8690 100644
+--- a/arch/arm64/mm/proc.S
++++ b/arch/arm64/mm/proc.S
+@@ -166,7 +166,7 @@ ENDPROC(cpu_do_switch_mm)
+       .pushsection ".idmap.text", "awx"
+ .macro        __idmap_cpu_set_reserved_ttbr1, tmp1, tmp2
+-      adrp    \tmp1, empty_zero_page
++      adrp    \tmp1, reserved_pg_dir
+       phys_to_ttbr \tmp2, \tmp1
+       offset_ttbr1 \tmp2, \tmp1
+       msr     ttbr1_el1, \tmp2
+-- 
+2.30.2
+
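Review bot: The fixed offsets `#PAGE_SIZE` in both versions of `__uaccess_ttbr0_disable` and `#(2 * PAGE_SIZE)` in `tramp_map_kernel`/`tramp_unmap_kernel` depend on the symbol order in vmlinux.lds.S, and nothing in the change checks that order at build time. The added comments record the coupling, but a later reordering of the pg_dir symbols would silently load TTBR0_EL1 or TTBR1_EL1 with the address of the wrong table, which is the state software PAN and the trampoline exist to rule out. A linker-script assertion beside the symbol definitions would catch it, for example `ASSERT(swapper_pg_dir - reserved_pg_dir == PAGE_SIZE, "reserved_pg_dir must directly precede swapper_pg_dir")`. A matching assertion for the `2 * PAGE_SIZE` distance from `tramp_pg_dir` would have to sit under the same #ifdef as that symbol, whose definition is only partly visible in the vmlinux.lds.S hunk.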
diff --git a/queue-5.4/arm64-dts-marvell-armada-37xx-fix-reg-for-standard-v.patch b/queue-5.4/arm64-dts-marvell-armada-37xx-fix-reg-for-standard-v.patch
new file mode 100644 (file)
index 0000000..3459e11
--- /dev/null
@@ -0,0 +1,41 @@
+From c9827f0457a35319526f5688868f9957a751f7a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jun 2021 00:49:04 +0200
+Subject: arm64: dts: marvell: armada-37xx: Fix reg for standard variant of
+ UART
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 2cbfdedef39fb5994b8f1e1df068eb8440165975 ]
+
+UART1 (standard variant with DT node name 'uart0') has register space
+0x12000-0x12018 and not whole size 0x200. So fix also this in example.
+
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Fixes: c737abc193d1 ("arm64: dts: marvell: Fix A37xx UART0 register size")
+Link: https://lore.kernel.org/r/20210624224909.6350-6-pali@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/marvell/armada-37xx.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/marvell/armada-37xx.dtsi b/arch/arm64/boot/dts/marvell/armada-37xx.dtsi
+index 28ad59ee6c34..6cb1278613c5 100644
+--- a/arch/arm64/boot/dts/marvell/armada-37xx.dtsi
++++ b/arch/arm64/boot/dts/marvell/armada-37xx.dtsi
+@@ -134,7 +134,7 @@
+                       uart0: serial@12000 {
+                               compatible = "marvell,armada-3700-uart";
+-                              reg = <0x12000 0x200>;
++                              reg = <0x12000 0x18>;
+                               clocks = <&xtalclk>;
+                               interrupts =
+                               <GIC_SPI 11 IRQ_TYPE_LEVEL_HIGH>,
+-- 
+2.30.2
+
diff --git a/queue-5.4/arm64-mm-fix-ttbr0-values-stored-in-struct-thread_in.patch b/queue-5.4/arm64-mm-fix-ttbr0-values-stored-in-struct-thread_in.patch
new file mode 100644 (file)
index 0000000..9e0e21a
--- /dev/null
@@ -0,0 +1,70 @@
+From d5b7291da5600da0db7135f5a1442a98f3910b9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jun 2021 15:02:58 +0530
+Subject: arm64/mm: Fix ttbr0 values stored in struct thread_info for
+ software-pan
+
+From: Anshuman Khandual <anshuman.khandual@arm.com>
+
+[ Upstream commit 9163f01130304fab1f74683d7d44632da7bda637 ]
+
+When using CONFIG_ARM64_SW_TTBR0_PAN, a task's thread_info::ttbr0 must be
+the TTBR0_EL1 value used to run userspace. With 52-bit PAs, the PA must be
+packed into the TTBR using phys_to_ttbr(), but we forget to do this in some
+of the SW PAN code. Thus, if the value is installed into TTBR0_EL1 (as may
+happen in the uaccess routines), this could result in UNPREDICTABLE
+behaviour.
+
+Since hardware with 52-bit PA support almost certainly has HW PAN, which
+will be used in preference, this shouldn't be a practical issue, but let's
+fix this for consistency.
+
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: James Morse <james.morse@arm.com>
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: linux-kernel@vger.kernel.org
+Fixes: 529c4b05a3cb ("arm64: handle 52-bit addresses in TTBR")
+Signed-off-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Link: https://lore.kernel.org/r/1623749578-11231-1-git-send-email-anshuman.khandual@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/mmu_context.h | 4 ++--
+ arch/arm64/kernel/setup.c            | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/include/asm/mmu_context.h b/arch/arm64/include/asm/mmu_context.h
+index 1355205e5da5..fb564de90aa7 100644
+--- a/arch/arm64/include/asm/mmu_context.h
++++ b/arch/arm64/include/asm/mmu_context.h
+@@ -184,9 +184,9 @@ static inline void update_saved_ttbr0(struct task_struct *tsk,
+               return;
+       if (mm == &init_mm)
+-              ttbr = __pa_symbol(reserved_pg_dir);
++              ttbr = phys_to_ttbr(__pa_symbol(reserved_pg_dir));
+       else
+-              ttbr = virt_to_phys(mm->pgd) | ASID(mm) << 48;
++              ttbr = phys_to_ttbr(virt_to_phys(mm->pgd)) | ASID(mm) << 48;
+       WRITE_ONCE(task_thread_info(tsk)->ttbr0, ttbr);
+ }
+diff --git a/arch/arm64/kernel/setup.c b/arch/arm64/kernel/setup.c
+index 203a0c31f260..f55f4a15a905 100644
+--- a/arch/arm64/kernel/setup.c
++++ b/arch/arm64/kernel/setup.c
+@@ -356,7 +356,7 @@ void __init setup_arch(char **cmdline_p)
+        * faults in case uaccess_enable() is inadvertently called by the init
+        * thread.
+        */
+-      init_task.thread_info.ttbr0 = __pa_symbol(reserved_pg_dir);
++      init_task.thread_info.ttbr0 = phys_to_ttbr(__pa_symbol(reserved_pg_dir));
+ #endif
+ #ifdef CONFIG_VT
+-- 
+2.30.2
+
diff --git a/queue-5.4/asoc-atmel-i2s-fix-usage-of-capture-and-playback-at-.patch b/queue-5.4/asoc-atmel-i2s-fix-usage-of-capture-and-playback-at-.patch
new file mode 100644 (file)
index 0000000..4884dc3
--- /dev/null
@@ -0,0 +1,100 @@
+From 997129ef78d8ea9985cc48f7d63de19c9c746d03 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 18:07:41 +0300
+Subject: ASoC: atmel-i2s: Fix usage of capture and playback at the same time
+
+From: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
+
+[ Upstream commit 3b7961a326f8a7e03f54a19f02fedae8d488b80f ]
+
+For both capture and playback streams to work at the same time, only the
+needed values from a register need to be updated. Also, clocks should be
+enabled only when the first stream is started and stopped when there is no
+running stream.
+
+Fixes: b543e467d1a9 ("ASoC: atmel-i2s: add driver for the new Atmel I2S controller")
+Signed-off-by: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
+Link: https://lore.kernel.org/r/20210618150741.401739-2-codrin.ciubotariu@microchip.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/atmel/atmel-i2s.c | 34 ++++++++++++++++++++++++++--------
+ 1 file changed, 26 insertions(+), 8 deletions(-)
+
+diff --git a/sound/soc/atmel/atmel-i2s.c b/sound/soc/atmel/atmel-i2s.c
+index bbe2b638abb5..d870f56c44cf 100644
+--- a/sound/soc/atmel/atmel-i2s.c
++++ b/sound/soc/atmel/atmel-i2s.c
+@@ -200,6 +200,7 @@ struct atmel_i2s_dev {
+       unsigned int                            fmt;
+       const struct atmel_i2s_gck_param        *gck_param;
+       const struct atmel_i2s_caps             *caps;
++      int                                     clk_use_no;
+ };
+ static irqreturn_t atmel_i2s_interrupt(int irq, void *dev_id)
+@@ -321,9 +322,16 @@ static int atmel_i2s_hw_params(struct snd_pcm_substream *substream,
+ {
+       struct atmel_i2s_dev *dev = snd_soc_dai_get_drvdata(dai);
+       bool is_playback = (substream->stream == SNDRV_PCM_STREAM_PLAYBACK);
+-      unsigned int mr = 0;
++      unsigned int mr = 0, mr_mask;
+       int ret;
++      mr_mask = ATMEL_I2SC_MR_FORMAT_MASK | ATMEL_I2SC_MR_MODE_MASK |
++              ATMEL_I2SC_MR_DATALENGTH_MASK;
++      if (is_playback)
++              mr_mask |= ATMEL_I2SC_MR_TXMONO;
++      else
++              mr_mask |= ATMEL_I2SC_MR_RXMONO;
++
+       switch (dev->fmt & SND_SOC_DAIFMT_FORMAT_MASK) {
+       case SND_SOC_DAIFMT_I2S:
+               mr |= ATMEL_I2SC_MR_FORMAT_I2S;
+@@ -402,7 +410,7 @@ static int atmel_i2s_hw_params(struct snd_pcm_substream *substream,
+               return -EINVAL;
+       }
+-      return regmap_write(dev->regmap, ATMEL_I2SC_MR, mr);
++      return regmap_update_bits(dev->regmap, ATMEL_I2SC_MR, mr_mask, mr);
+ }
+ static int atmel_i2s_switch_mck_generator(struct atmel_i2s_dev *dev,
+@@ -495,18 +503,28 @@ static int atmel_i2s_trigger(struct snd_pcm_substream *substream, int cmd,
+       is_master = (mr & ATMEL_I2SC_MR_MODE_MASK) == ATMEL_I2SC_MR_MODE_MASTER;
+       /* If master starts, enable the audio clock. */
+-      if (is_master && mck_enabled)
+-              err = atmel_i2s_switch_mck_generator(dev, true);
+-      if (err)
+-              return err;
++      if (is_master && mck_enabled) {
++              if (!dev->clk_use_no) {
++                      err = atmel_i2s_switch_mck_generator(dev, true);
++                      if (err)
++                              return err;
++              }
++              dev->clk_use_no++;
++      }
+       err = regmap_write(dev->regmap, ATMEL_I2SC_CR, cr);
+       if (err)
+               return err;
+       /* If master stops, disable the audio clock. */
+-      if (is_master && !mck_enabled)
+-              err = atmel_i2s_switch_mck_generator(dev, false);
++      if (is_master && !mck_enabled) {
++              if (dev->clk_use_no == 1) {
++                      err = atmel_i2s_switch_mck_generator(dev, false);
++                      if (err)
++                              return err;
++              }
++              dev->clk_use_no--;
++      }
+       return err;
+ }
+-- 
+2.30.2
+
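Review bot: In the atmel_i2s_trigger() hunk, `dev->clk_use_no` is incremented before `regmap_write(dev->regmap, ATMEL_I2SC_CR, cr)`, so a failed write on the start path returns with the count raised and the master clock possibly left enabled. The stop path has the mirror problem: a stop arriving while the count is 0 still decrements it, and the next start then skips the enable because `!dev->clk_use_no` is false. Rolling back the accounting on the failed write (below) and guarding the stop branch with `if (is_master && !mck_enabled && dev->clk_use_no > 0) {` keeps the count balanced. The hunk shows no lock around the counter, and whether playback and capture triggers can run concurrently is not visible here, because the function starts above the hunk.

```c
	err = regmap_write(dev->regmap, ATMEL_I2SC_CR, cr);
	if (err) {
		/* Roll back the start-side accounting taken above. */
		if (is_master && mck_enabled && !--dev->clk_use_no)
			atmel_i2s_switch_mck_generator(dev, false);
		return err;
	}
	/* ... unchanged: stop branch, apart from the guard quoted in the note ... */
```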
diff --git a/queue-5.4/asoc-cs42l42-correct-definition-of-cs42l42_adc_pdn_m.patch b/queue-5.4/asoc-cs42l42-correct-definition-of-cs42l42_adc_pdn_m.patch
new file mode 100644 (file)
index 0000000..692e4fb
--- /dev/null
@@ -0,0 +1,37 @@
+From e5cedf3836e89e4f563758e740e1001638d03811 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 14:56:04 +0100
+Subject: ASoC: cs42l42: Correct definition of CS42L42_ADC_PDN_MASK
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit fac165f22ac947b55407cd3a60a2a9824f905235 ]
+
+The definition of CS42L42_ADC_PDN_MASK was incorrectly defined
+as the HP_PDN bit.
+
+Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Link: https://lore.kernel.org/r/20210616135604.19363-1-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l42.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/cs42l42.h b/sound/soc/codecs/cs42l42.h
+index 866d7c873e3c..ca2019732013 100644
+--- a/sound/soc/codecs/cs42l42.h
++++ b/sound/soc/codecs/cs42l42.h
+@@ -77,7 +77,7 @@
+ #define CS42L42_HP_PDN_SHIFT          3
+ #define CS42L42_HP_PDN_MASK           (1 << CS42L42_HP_PDN_SHIFT)
+ #define CS42L42_ADC_PDN_SHIFT         2
+-#define CS42L42_ADC_PDN_MASK          (1 << CS42L42_HP_PDN_SHIFT)
++#define CS42L42_ADC_PDN_MASK          (1 << CS42L42_ADC_PDN_SHIFT)
+ #define CS42L42_PDN_ALL_SHIFT         0
+ #define CS42L42_PDN_ALL_MASK          (1 << CS42L42_PDN_ALL_SHIFT)
+-- 
+2.30.2
+
diff --git a/queue-5.4/asoc-hisilicon-fix-missing-clk_disable_unprepare-on-.patch b/queue-5.4/asoc-hisilicon-fix-missing-clk_disable_unprepare-on-.patch
new file mode 100644 (file)
index 0000000..40b156c
--- /dev/null
@@ -0,0 +1,64 @@
+From 402901cce5083031ad889532ef71164998fa695f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 May 2021 12:45:14 +0800
+Subject: ASoC: hisilicon: fix missing clk_disable_unprepare() on error in
+ hi6210_i2s_startup()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 375904e3931955fcf0a847f029b2492a117efc43 ]
+
+After calling clk_prepare_enable(), clk_disable_unprepare() need
+be called when calling clk_set_rate() failed.
+
+Fixes: 0bf750f4cbe1 ("ASoC: hisilicon: Add hi6210 i2s audio driver")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20210518044514.607010-1-yangyingliang@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/hisilicon/hi6210-i2s.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/sound/soc/hisilicon/hi6210-i2s.c b/sound/soc/hisilicon/hi6210-i2s.c
+index ab3b76d298b3..03470e8f3008 100644
+--- a/sound/soc/hisilicon/hi6210-i2s.c
++++ b/sound/soc/hisilicon/hi6210-i2s.c
+@@ -102,18 +102,15 @@ static int hi6210_i2s_startup(struct snd_pcm_substream *substream,
+       for (n = 0; n < i2s->clocks; n++) {
+               ret = clk_prepare_enable(i2s->clk[n]);
+-              if (ret) {
+-                      while (n--)
+-                              clk_disable_unprepare(i2s->clk[n]);
+-                      return ret;
+-              }
++              if (ret)
++                      goto err_unprepare_clk;
+       }
+       ret = clk_set_rate(i2s->clk[CLK_I2S_BASE], 49152000);
+       if (ret) {
+               dev_err(i2s->dev, "%s: setting 49.152MHz base rate failed %d\n",
+                       __func__, ret);
+-              return ret;
++              goto err_unprepare_clk;
+       }
+       /* enable clock before frequency division */
+@@ -165,6 +162,11 @@ static int hi6210_i2s_startup(struct snd_pcm_substream *substream,
+       hi6210_write_reg(i2s, HII2S_SW_RST_N, val);
+       return 0;
++
++err_unprepare_clk:
++      while (n--)
++              clk_disable_unprepare(i2s->clk[n]);
++      return ret;
+ }
+ static void hi6210_i2s_shutdown(struct snd_pcm_substream *substream,
+-- 
+2.30.2
+
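Review bot: The new `err_unprepare_clk` label depends on `n` holding the number of clocks already enabled. That holds at the `clk_set_rate()` jump site only because the loop has finished with `n == i2s->clocks` by then. Nothing at the label says so, and a later error path that jumps there after `n` has been reused would unwind the wrong set of clocks. A comment at the label such as `/* n == number of clocks enabled so far */` would record the invariant. The function begins before the first hunk, so the declaration of `n` is not visible here.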
diff --git a/queue-5.4/asoc-mediatek-mtk-btcvsd-fix-an-error-handling-path-.patch b/queue-5.4/asoc-mediatek-mtk-btcvsd-fix-an-error-handling-path-.patch
new file mode 100644 (file)
index 0000000..fffb7a8
--- /dev/null
@@ -0,0 +1,92 @@
+From 38f1692fa7286ed034f9ca5d7d04e0bf513eb0cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Jun 2021 16:31:09 +0200
+Subject: ASoC: mediatek: mtk-btcvsd: Fix an error handling path in
+ 'mtk_btcvsd_snd_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit b6052c3c7a78f5e2b9756c92ef77c0b56435f107 ]
+
+If an error occurs after a successful 'of_iomap()' call, it must be undone
+by a corresponding 'iounmap()' call, as already done in the remove
+function.
+
+While at it, remove the useless initialization of 'ret' at the beginning of
+the function.
+
+Fixes: 4bd8597dc36c ("ASoC: mediatek: add btcvsd driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/0c2ba562c3364e61bfbd5b3013a99dfa0d9045d7.1622989685.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/mediatek/common/mtk-btcvsd.c | 24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/sound/soc/mediatek/common/mtk-btcvsd.c b/sound/soc/mediatek/common/mtk-btcvsd.c
+index d00608c73c6e..b66f7dee1e14 100644
+--- a/sound/soc/mediatek/common/mtk-btcvsd.c
++++ b/sound/soc/mediatek/common/mtk-btcvsd.c
+@@ -1302,7 +1302,7 @@ static const struct snd_soc_component_driver mtk_btcvsd_snd_platform = {
+ static int mtk_btcvsd_snd_probe(struct platform_device *pdev)
+ {
+-      int ret = 0;
++      int ret;
+       int irq_id;
+       u32 offset[5] = {0, 0, 0, 0, 0};
+       struct mtk_btcvsd_snd *btcvsd;
+@@ -1358,7 +1358,8 @@ static int mtk_btcvsd_snd_probe(struct platform_device *pdev)
+       btcvsd->bt_sram_bank2_base = of_iomap(dev->of_node, 1);
+       if (!btcvsd->bt_sram_bank2_base) {
+               dev_err(dev, "iomap bt_sram_bank2_base fail\n");
+-              return -EIO;
++              ret = -EIO;
++              goto unmap_pkv_err;
+       }
+       btcvsd->infra = syscon_regmap_lookup_by_phandle(dev->of_node,
+@@ -1366,7 +1367,8 @@ static int mtk_btcvsd_snd_probe(struct platform_device *pdev)
+       if (IS_ERR(btcvsd->infra)) {
+               dev_err(dev, "cannot find infra controller: %ld\n",
+                       PTR_ERR(btcvsd->infra));
+-              return PTR_ERR(btcvsd->infra);
++              ret = PTR_ERR(btcvsd->infra);
++              goto unmap_bank2_err;
+       }
+       /* get offset */
+@@ -1375,7 +1377,7 @@ static int mtk_btcvsd_snd_probe(struct platform_device *pdev)
+                                        ARRAY_SIZE(offset));
+       if (ret) {
+               dev_warn(dev, "%s(), get offset fail, ret %d\n", __func__, ret);
+-              return ret;
++              goto unmap_bank2_err;
+       }
+       btcvsd->infra_misc_offset = offset[0];
+       btcvsd->conn_bt_cvsd_mask = offset[1];
+@@ -1394,8 +1396,18 @@ static int mtk_btcvsd_snd_probe(struct platform_device *pdev)
+       mtk_btcvsd_snd_set_state(btcvsd, btcvsd->tx, BT_SCO_STATE_IDLE);
+       mtk_btcvsd_snd_set_state(btcvsd, btcvsd->rx, BT_SCO_STATE_IDLE);
+-      return devm_snd_soc_register_component(dev, &mtk_btcvsd_snd_platform,
+-                                             NULL, 0);
++      ret = devm_snd_soc_register_component(dev, &mtk_btcvsd_snd_platform,
++                                            NULL, 0);
++      if (ret)
++              goto unmap_bank2_err;
++
++      return 0;
++
++unmap_bank2_err:
++      iounmap(btcvsd->bt_sram_bank2_base);
++unmap_pkv_err:
++      iounmap(btcvsd->bt_pkv_base);
++      return ret;
+ }
+ static int mtk_btcvsd_snd_remove(struct platform_device *pdev)
+-- 
+2.30.2
+
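Review bot: The new labels call `iounmap()` on both SRAM mappings while every devm-managed resource acquired earlier in `mtk_btcvsd_snd_probe()` is still live, since devres releases run only after probe returns. The hunk declares `irq_id`, and if the interrupt is requested with a devm helper before these mappings are made (that part of the function is outside the hunks), the handler could still run against unmapped registers in that window. Freeing the interrupt explicitly, for example with `devm_free_irq()`, before the first `iounmap()` in the error path would close the window. Requesting the interrupt only after both mappings exist would do the same.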
diff --git a/queue-5.4/asoc-rk3328-fix-missing-clk_disable_unprepare-on-err.patch b/queue-5.4/asoc-rk3328-fix-missing-clk_disable_unprepare-on-err.patch
new file mode 100644 (file)
index 0000000..24ee6b0
--- /dev/null
@@ -0,0 +1,80 @@
+From 7e12eb7494ec99fa177537dbe85e52b54c7cb9b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 May 2021 15:58:47 +0800
+Subject: ASoC: rk3328: fix missing clk_disable_unprepare() on error in
+ rk3328_platform_probe()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit d14eece945a8068a017995f7512ea2beac21e34b ]
+
+Fix the missing clk_disable_unprepare() before return
+from rk3328_platform_probe() in the error handling case.
+
+Fixes: c32759035ad2 ("ASoC: rockchip: support ACODEC for rk3328")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20210518075847.1116983-1-yangyingliang@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/rk3328_codec.c | 28 ++++++++++++++++++++++------
+ 1 file changed, 22 insertions(+), 6 deletions(-)
+
+diff --git a/sound/soc/codecs/rk3328_codec.c b/sound/soc/codecs/rk3328_codec.c
+index 287c962ba00d..514ebe16bbfa 100644
+--- a/sound/soc/codecs/rk3328_codec.c
++++ b/sound/soc/codecs/rk3328_codec.c
+@@ -472,7 +472,8 @@ static int rk3328_platform_probe(struct platform_device *pdev)
+       rk3328->pclk = devm_clk_get(&pdev->dev, "pclk");
+       if (IS_ERR(rk3328->pclk)) {
+               dev_err(&pdev->dev, "can't get acodec pclk\n");
+-              return PTR_ERR(rk3328->pclk);
++              ret = PTR_ERR(rk3328->pclk);
++              goto err_unprepare_mclk;
+       }
+       ret = clk_prepare_enable(rk3328->pclk);
+@@ -482,19 +483,34 @@ static int rk3328_platform_probe(struct platform_device *pdev)
+       }
+       base = devm_platform_ioremap_resource(pdev, 0);
+-      if (IS_ERR(base))
+-              return PTR_ERR(base);
++      if (IS_ERR(base)) {
++              ret = PTR_ERR(base);
++              goto err_unprepare_pclk;
++      }
+       rk3328->regmap = devm_regmap_init_mmio(&pdev->dev, base,
+                                              &rk3328_codec_regmap_config);
+-      if (IS_ERR(rk3328->regmap))
+-              return PTR_ERR(rk3328->regmap);
++      if (IS_ERR(rk3328->regmap)) {
++              ret = PTR_ERR(rk3328->regmap);
++              goto err_unprepare_pclk;
++      }
+       platform_set_drvdata(pdev, rk3328);
+-      return devm_snd_soc_register_component(&pdev->dev, &soc_codec_rk3328,
++      ret = devm_snd_soc_register_component(&pdev->dev, &soc_codec_rk3328,
+                                              rk3328_dai,
+                                              ARRAY_SIZE(rk3328_dai));
++      if (ret)
++              goto err_unprepare_pclk;
++
++      return 0;
++
++err_unprepare_pclk:
++      clk_disable_unprepare(rk3328->pclk);
++
++err_unprepare_mclk:
++      clk_disable_unprepare(rk3328->mclk);
++      return ret;
+ }
+ static const struct of_device_id rk3328_codec_of_match[] = {
+-- 
+2.30.2
+
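Review bot: The failure branch of `clk_prepare_enable(rk3328->pclk)` sits between the two hunks and is not changed by this patch; only its closing brace appears, as the first context line of the second hunk. If that branch still returns directly, `mclk` stays prepared and enabled on that path, which is the same leak the patch closes elsewhere. It should end in `goto err_unprepare_mclk;` like the `devm_clk_get()` failure just above it. The function starts before the first hunk, so the mclk enable itself is not visible here.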
diff --git a/queue-5.4/asoc-rsnd-tidyup-loop-on-rsnd_adg_clk_query.patch b/queue-5.4/asoc-rsnd-tidyup-loop-on-rsnd_adg_clk_query.patch
new file mode 100644 (file)
index 0000000..6b6f19c
--- /dev/null
@@ -0,0 +1,49 @@
+From 58c80c03d1868bfe770d6d4fffd807ab49b783ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 May 2021 15:12:09 +0900
+Subject: ASoC: rsnd: tidyup loop on rsnd_adg_clk_query()
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+[ Upstream commit cf9d5c6619fadfc41cf8f5154cb990cc38e3da85 ]
+
+commit 06e8f5c842f2d ("ASoC: rsnd: don't call clk_get_rate() under
+atomic context") used saved clk_rate, thus for_each_rsnd_clk()
+is no longer needed. This patch fixes it.
+
+Fixes: 06e8f5c842f2d ("ASoC: rsnd: don't call clk_get_rate() under atomic context")
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://lore.kernel.org/r/87v978oe2u.wl-kuninori.morimoto.gx@renesas.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sh/rcar/adg.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/sound/soc/sh/rcar/adg.c b/sound/soc/sh/rcar/adg.c
+index b9aacf3d3b29..7532ab27a48d 100644
+--- a/sound/soc/sh/rcar/adg.c
++++ b/sound/soc/sh/rcar/adg.c
+@@ -289,7 +289,6 @@ static void rsnd_adg_set_ssi_clk(struct rsnd_mod *ssi_mod, u32 val)
+ int rsnd_adg_clk_query(struct rsnd_priv *priv, unsigned int rate)
+ {
+       struct rsnd_adg *adg = rsnd_priv_to_adg(priv);
+-      struct clk *clk;
+       int i;
+       int sel_table[] = {
+               [CLKA] = 0x1,
+@@ -302,10 +301,9 @@ int rsnd_adg_clk_query(struct rsnd_priv *priv, unsigned int rate)
+        * find suitable clock from
+        * AUDIO_CLKA/AUDIO_CLKB/AUDIO_CLKC/AUDIO_CLKI.
+        */
+-      for_each_rsnd_clk(clk, adg, i) {
++      for (i = 0; i < CLKMAX; i++)
+               if (rate == adg->clk_rate[i])
+                       return sel_table[i];
+-      }
+       /*
+        * find divided clock from BRGA/BRGB
+-- 
+2.30.2
+
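Review bot: The rewritten loop in `rsnd_adg_clk_query()` indexes both `adg->clk_rate[i]` and `sel_table[i]` for every `i` below `CLKMAX`, with the bound now spelled out by hand instead of coming from the iterator macro. Only the first `sel_table` initialiser is visible in the hunk, so I cannot confirm the table has `CLKMAX` entries; a `BUILD_BUG_ON(ARRAY_SIZE(sel_table) != CLKMAX);` next to the table would pin that at compile time. The `for` body is an `if` spanning two lines, and I would keep the braces this patch removes.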
diff --git a/queue-5.4/ath10k-add-missing-error-return-code-in-ath10k_pci_p.patch b/queue-5.4/ath10k-add-missing-error-return-code-in-ath10k_pci_p.patch
new file mode 100644 (file)
index 0000000..63a85cc
--- /dev/null
@@ -0,0 +1,64 @@
+From 1564be8f91518b867a781f098bf9bf29c94d527c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 May 2021 17:41:28 +0300
+Subject: ath10k: add missing error return code in ath10k_pci_probe()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit e2783e2f39ba99178dedfc1646d5cc0979d1bab3 ]
+
+When chip_id is not supported, the resources will be freed
+on path err_unsupported, these resources will also be freed
+when calling ath10k_pci_remove(), it will cause double free,
+so return -ENODEV when it doesn't support the device with wrong
+chip_id.
+
+Fixes: c0c378f9907c ("ath10k: remove target soc ps code")
+Fixes: 7505f7c3ec1d ("ath10k: create a chip revision whitelist")
+Fixes: f8914a14623a ("ath10k: restore QCA9880-AR1A (v1) detection")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210522105822.1091848-3-yangyingliang@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/pci.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c
+index 53c791cc69a1..0f055e577749 100644
+--- a/drivers/net/wireless/ath/ath10k/pci.c
++++ b/drivers/net/wireless/ath/ath10k/pci.c
+@@ -3647,8 +3647,10 @@ static int ath10k_pci_probe(struct pci_dev *pdev,
+                       ath10k_pci_soc_read32(ar, SOC_CHIP_ID_ADDRESS);
+               if (bus_params.chip_id != 0xffffffff) {
+                       if (!ath10k_pci_chip_is_supported(pdev->device,
+-                                                        bus_params.chip_id))
++                                                        bus_params.chip_id)) {
++                              ret = -ENODEV;
+                               goto err_unsupported;
++                      }
+               }
+       }
+@@ -3659,11 +3661,15 @@ static int ath10k_pci_probe(struct pci_dev *pdev,
+       }
+       bus_params.chip_id = ath10k_pci_soc_read32(ar, SOC_CHIP_ID_ADDRESS);
+-      if (bus_params.chip_id == 0xffffffff)
++      if (bus_params.chip_id == 0xffffffff) {
++              ret = -ENODEV;
+               goto err_unsupported;
++      }
+-      if (!ath10k_pci_chip_is_supported(pdev->device, bus_params.chip_id))
++      if (!ath10k_pci_chip_is_supported(pdev->device, bus_params.chip_id)) {
++              ret = -ENODEV;
+               goto err_unsupported;
++      }
+       ret = ath10k_core_register(ar, &bus_params);
+       if (ret) {
+-- 
+2.30.2
+
diff --git a/queue-5.4/ath10k-fix-an-error-code-in-ath10k_add_interface.patch b/queue-5.4/ath10k-fix-an-error-code-in-ath10k_add_interface.patch
new file mode 100644 (file)
index 0000000..f75f293
--- /dev/null
@@ -0,0 +1,43 @@
+From 3963d1ad051b034e2d108d0134d14c6003044add Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 May 2021 18:46:17 +0800
+Subject: ath10k: Fix an error code in ath10k_add_interface()
+
+From: Yang Li <yang.lee@linux.alibaba.com>
+
+[ Upstream commit e9ca70c735ce66fc6a0e02c8b6958434f74ef8de ]
+
+When the code execute this if statement, the value of ret is 0.
+However, we can see from the ath10k_warn() log that the value of
+ret should be -EINVAL.
+
+Clean up smatch warning:
+
+drivers/net/wireless/ath/ath10k/mac.c:5596 ath10k_add_interface() warn:
+missing error code 'ret'
+
+Reported-by: Abaci Robot <abaci@linux.alibaba.com>
+Fixes: ccec9038c721 ("ath10k: enable raw encap mode and software crypto engine")
+Signed-off-by: Yang Li <yang.lee@linux.alibaba.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1621939577-62218-1-git-send-email-yang.lee@linux.alibaba.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
+index 47b733fdf4fc..20e248fd4364 100644
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -5267,6 +5267,7 @@ static int ath10k_add_interface(struct ieee80211_hw *hw,
+       if (arvif->nohwcrypt &&
+           !test_bit(ATH10K_FLAG_RAW_MODE, &ar->dev_flags)) {
++              ret = -EINVAL;
+               ath10k_warn(ar, "cryptmode module param needed for sw crypto\n");
+               goto err;
+       }
+-- 
+2.30.2
+
diff --git a/queue-5.4/ath10k-go-to-path-err_unsupported-when-chip-id-is-no.patch b/queue-5.4/ath10k-go-to-path-err_unsupported-when-chip-id-is-no.patch
new file mode 100644 (file)
index 0000000..76f456f
--- /dev/null
@@ -0,0 +1,37 @@
+From d5a24324fba166e66494caf00e6325f626cefc10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 May 2021 17:41:28 +0300
+Subject: ath10k: go to path err_unsupported when chip id is not supported
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 9e88dd431d2345acdb7a549f3e88aaf4c2a307a1 ]
+
+When chip id is not supported, it go to path err_unsupported
+to print the error message.
+
+Fixes: f8914a14623a ("ath10k: restore QCA9880-AR1A (v1) detection")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210522105822.1091848-2-yangyingliang@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c
+index fd49d3419e79..53c791cc69a1 100644
+--- a/drivers/net/wireless/ath/ath10k/pci.c
++++ b/drivers/net/wireless/ath/ath10k/pci.c
+@@ -3663,7 +3663,7 @@ static int ath10k_pci_probe(struct pci_dev *pdev,
+               goto err_unsupported;
+       if (!ath10k_pci_chip_is_supported(pdev->device, bus_params.chip_id))
+-              goto err_free_irq;
++              goto err_unsupported;
+       ret = ath10k_core_register(ar, &bus_params);
+       if (ret) {
+-- 
+2.30.2
+
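Review bot: On its own this hunk leaves `ret` unset on the new `goto err_unsupported` path in `ath10k_pci_probe()`; the preceding steps succeeded, so presumably probe would return 0 after the error path has run. The companion patch in this queue, ath10k-add-missing-error-return-code-in-ath10k_pci_p.patch, adds `ret = -ENODEV;` at this site and is based on this one (its index line starts at 53c791cc69a1). The two therefore need to stay together and apply in that order. The label and its cleanup are outside the hunk.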
diff --git a/queue-5.4/backlight-lm3630a_bl-put-fwnode-in-error-case-during.patch b/queue-5.4/backlight-lm3630a_bl-put-fwnode-in-error-case-during.patch
new file mode 100644 (file)
index 0000000..7782456
--- /dev/null
@@ -0,0 +1,43 @@
+From 0fb7796ede730d73f6c5bc0873977d4bed789bc4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 May 2021 12:57:16 +0300
+Subject: backlight: lm3630a_bl: Put fwnode in error case during ->probe()
+
+From: Andy Shevchenko <andy.shevchenko@gmail.com>
+
+[ Upstream commit 6d1c32dbedd7d7e7372aa38033ec8782c39f6379 ]
+
+device_for_each_child_node() bumps a reference counting of a returned variable.
+We have to balance it whenever we return to the caller.
+
+Cc: Brian Masney <masneyb@onstation.org>
+Cc: Dan Murphy <dmurphy@ti.com>
+Fixes: 8fbce8efe15cd ("backlight: lm3630a: Add firmware node support")
+Signed-off-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Reviewed-by: Brian Masney <masneyb@onstation.org>
+Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/backlight/lm3630a_bl.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/video/backlight/lm3630a_bl.c b/drivers/video/backlight/lm3630a_bl.c
+index 2d8e8192e4e2..f03ffe2bb237 100644
+--- a/drivers/video/backlight/lm3630a_bl.c
++++ b/drivers/video/backlight/lm3630a_bl.c
+@@ -480,8 +480,10 @@ static int lm3630a_parse_node(struct lm3630a_chip *pchip,
+       device_for_each_child_node(pchip->dev, node) {
+               ret = lm3630a_parse_bank(pdata, node, &seen_led_sources);
+-              if (ret)
++              if (ret) {
++                      fwnode_handle_put(node);
+                       return ret;
++              }
+       }
+       return ret;
+-- 
+2.30.2
+
diff --git a/queue-5.4/blk-wbt-introduce-a-new-disable-state-to-prevent-fal.patch b/queue-5.4/blk-wbt-introduce-a-new-disable-state-to-prevent-fal.patch
new file mode 100644 (file)
index 0000000..a592fba
--- /dev/null
@@ -0,0 +1,66 @@
+From 0917d0dbba2a88b51bed01af6898487052945041 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Jun 2021 17:36:59 +0800
+Subject: blk-wbt: introduce a new disable state to prevent false positive by
+ rwb_enabled()
+
+From: Zhang Yi <yi.zhang@huawei.com>
+
+[ Upstream commit 1d0903d61e9645c6330b94247b96dd873dfc11c8 ]
+
+Now that we disable wbt by simply zero out rwb->wb_normal in
+wbt_disable_default() when switch elevator to bfq, but it's not safe
+because it will become false positive if we change queue depth. If it
+become false positive between wbt_wait() and wbt_track() when submit
+write request, it will lead to drop rqw->inflight to -1 in wbt_done(),
+which will end up trigger IO hung. Fix this issue by introduce a new
+state which mean the wbt was disabled.
+
+Fixes: a79050434b45 ("blk-rq-qos: refactor out common elements of blk-wbt")
+Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
+Link: https://lore.kernel.org/r/20210619093700.920393-2-yi.zhang@huawei.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-wbt.c | 5 +++--
+ block/blk-wbt.h | 1 +
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/block/blk-wbt.c b/block/blk-wbt.c
+index 8641ba9793c5..7c7dd5c14391 100644
+--- a/block/blk-wbt.c
++++ b/block/blk-wbt.c
+@@ -77,7 +77,8 @@ enum {
+ static inline bool rwb_enabled(struct rq_wb *rwb)
+ {
+-      return rwb && rwb->wb_normal != 0;
++      return rwb && rwb->enable_state != WBT_STATE_OFF_DEFAULT &&
++                    rwb->wb_normal != 0;
+ }
+ static void wb_timestamp(struct rq_wb *rwb, unsigned long *var)
+@@ -710,7 +711,7 @@ void wbt_disable_default(struct request_queue *q)
+       rwb = RQWB(rqos);
+       if (rwb->enable_state == WBT_STATE_ON_DEFAULT) {
+               blk_stat_deactivate(rwb->cb);
+-              rwb->wb_normal = 0;
++              rwb->enable_state = WBT_STATE_OFF_DEFAULT;
+       }
+ }
+ EXPORT_SYMBOL_GPL(wbt_disable_default);
+diff --git a/block/blk-wbt.h b/block/blk-wbt.h
+index 8e4e37660971..d8d9f41b42f9 100644
+--- a/block/blk-wbt.h
++++ b/block/blk-wbt.h
+@@ -34,6 +34,7 @@ enum {
+ enum {
+       WBT_STATE_ON_DEFAULT    = 1,
+       WBT_STATE_ON_MANUAL     = 2,
++      WBT_STATE_OFF_DEFAULT
+ };
+ struct rq_wb {
+-- 
+2.30.2
+
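Review bot: `WBT_STATE_OFF_DEFAULT` in block/blk-wbt.h is added without a value or trailing comma, while the two entries above it are written `= 1` and `= 2`. It becomes 3 implicitly; writing `WBT_STATE_OFF_DEFAULT = 3,` keeps the enum uniform and stops a later insertion from silently renumbering a state that `rwb_enabled()` now depends on. `rwb_enabled()` reads `enable_state` while `wbt_disable_default()` writes it, and nothing in these hunks shows what orders the two, so that is worth confirming against the callers.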
diff --git a/queue-5.4/blk-wbt-make-sure-throttle-is-enabled-properly.patch b/queue-5.4/blk-wbt-make-sure-throttle-is-enabled-properly.patch
new file mode 100644 (file)
index 0000000..89b7ada
--- /dev/null
@@ -0,0 +1,45 @@
+From 71e80ec92cbee6a64ef1fa6bbd127a63ce505ba2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Jun 2021 17:37:00 +0800
+Subject: blk-wbt: make sure throttle is enabled properly
+
+From: Zhang Yi <yi.zhang@huawei.com>
+
+[ Upstream commit 76a8040817b4b9c69b53f9b326987fa891b4082a ]
+
+After commit a79050434b45 ("blk-rq-qos: refactor out common elements of
+blk-wbt"), if throttle was disabled by wbt_disable_default(), we could
+not enable again, fix this by set enable_state back to
+WBT_STATE_ON_DEFAULT.
+
+Fixes: a79050434b45 ("blk-rq-qos: refactor out common elements of blk-wbt")
+Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
+Link: https://lore.kernel.org/r/20210619093700.920393-3-yi.zhang@huawei.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-wbt.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/block/blk-wbt.c b/block/blk-wbt.c
+index 7c7dd5c14391..ee708c1bc352 100644
+--- a/block/blk-wbt.c
++++ b/block/blk-wbt.c
+@@ -645,9 +645,13 @@ void wbt_set_write_cache(struct request_queue *q, bool write_cache_on)
+ void wbt_enable_default(struct request_queue *q)
+ {
+       struct rq_qos *rqos = wbt_rq_qos(q);
++
+       /* Throttling already enabled? */
+-      if (rqos)
++      if (rqos) {
++              if (RQWB(rqos)->enable_state == WBT_STATE_OFF_DEFAULT)
++                      RQWB(rqos)->enable_state = WBT_STATE_ON_DEFAULT;
+               return;
++      }
+       /* Queue not registered? Maybe shutting down... */
+       if (!blk_queue_registered(q))
+-- 
+2.30.2
+
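Review bot: The comment `/* Throttling already enabled? */` in `wbt_enable_default()` no longer matches the branch under it, which now also turns a default-disabled throttle back on. Something like `/* Already set up: re-enable if it was only disabled by default */` describes the new behaviour. `RQWB(rqos)` is evaluated twice for a test-and-set of `enable_state`; a local `struct rq_wb *rwb = RQWB(rqos);` would read better. No lock is visible in the hunk, so it is worth confirming what serialises this against `wbt_disable_default()`.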
diff --git a/queue-5.4/block-fix-discard-request-merge.patch b/queue-5.4/block-fix-discard-request-merge.patch
new file mode 100644 (file)
index 0000000..da5766f
--- /dev/null
@@ -0,0 +1,58 @@
+From 75c3470dcb6c858c9b14a5c5b34f7ebc96081521 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jun 2021 10:33:12 +0800
+Subject: block: fix discard request merge
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit 2705dfb2094777e405e065105e307074af8965c1 ]
+
+ll_new_hw_segment() is reached only in case of single range discard
+merge, and we don't have max discard segment size limit actually, so
+it is wrong to run the following check:
+
+if (req->nr_phys_segments + nr_phys_segs > blk_rq_get_max_segments(req))
+
+it may be always false since req->nr_phys_segments is initialized as
+one, and bio's segment count is still 1, blk_rq_get_max_segments(reg)
+is 1 too.
+
+Fix the issue by not doing the check and bypassing the calculation of
+discard request's nr_phys_segments.
+
+Based on analysis from Wang Shanker.
+
+Cc: Christoph Hellwig <hch@lst.de>
+Reported-by: Wang Shanker <shankerwangmiao@gmail.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Link: https://lore.kernel.org/r/20210628023312.1903255-1-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-merge.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/block/blk-merge.c b/block/blk-merge.c
+index 03959bfe961c..4b022f0c49d2 100644
+--- a/block/blk-merge.c
++++ b/block/blk-merge.c
+@@ -571,10 +571,14 @@ static inline unsigned int blk_rq_get_max_segments(struct request *rq)
+ static inline int ll_new_hw_segment(struct request *req, struct bio *bio,
+               unsigned int nr_phys_segs)
+ {
+-      if (req->nr_phys_segments + nr_phys_segs > blk_rq_get_max_segments(req))
++      if (blk_integrity_merge_bio(req->q, req, bio) == false)
+               goto no_merge;
+-      if (blk_integrity_merge_bio(req->q, req, bio) == false)
++      /* discard request merge won't add new segment */
++      if (req_op(req) == REQ_OP_DISCARD)
++              return 1;
++
++      if (req->nr_phys_segments + nr_phys_segs > blk_rq_get_max_segments(req))
+               goto no_merge;
+       /*
+-- 
+2.30.2
+
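Review bot: The early `return 1` for `REQ_OP_DISCARD` in `ll_new_hw_segment()` skips the `blk_rq_get_max_segments()` limit, and the one-line comment does not record why that is safe. The commit message gives the reason, so I would put it in the code: `/* only single-range discard merges get here; they add no segment, so the segment limit does not apply */`. The function body continues past the hunk, so everything after the limit check is skipped for discards as well, which matches the stated intent but deserves a word in the comment. `blk_integrity_merge_bio(...) == false` would read better as `!blk_integrity_merge_bio(...)`, though that line is only moved here.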
diff --git a/queue-5.4/block-fix-race-between-adding-removing-rq-qos-and-no.patch b/queue-5.4/block-fix-race-between-adding-removing-rq-qos-and-no.patch
new file mode 100644 (file)
index 0000000..c3c44f3
--- /dev/null
@@ -0,0 +1,113 @@
+From cae19e3cfdf9103637ac8b755dd08ae91d595419 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jun 2021 09:58:21 +0800
+Subject: block: fix race between adding/removing rq qos and normal IO
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit 2cafe29a8d03f02a3d16193bdaae2f3e82a423f9 ]
+
+Yi reported several kernel panics on:
+
+[16687.001777] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
+...
+[16687.163549] pc : __rq_qos_track+0x38/0x60
+
+or
+
+[  997.690455] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
+...
+[  997.850347] pc : __rq_qos_done+0x2c/0x50
+
+Turns out it is caused by race between adding rq qos(wbt) and normal IO
+because rq_qos_add can be run when IO is being submitted, fix this issue
+by freezing queue before adding/deleting rq qos to queue.
+
+rq_qos_exit() needn't to freeze queue because it is called after queue
+has been frozen.
+
+iolatency calls rq_qos_add() during allocating queue, so freezing won't
+add delay because queue usage refcount works at atomic mode at that
+time.
+
+iocost calls rq_qos_add() when writing cgroup attribute file, that is
+fine to freeze queue at that time since we usually freeze queue when
+storing to queue sysfs attribute, meantime iocost only exists on the
+root cgroup.
+
+wbt_init calls it in blk_register_queue() and queue sysfs attribute
+store(queue_wb_lat_store() when write it 1st time in case of !BLK_WBT_MQ),
+the following patch will speedup the queue freezing in wbt_init.
+
+Reported-by: Yi Zhang <yi.zhang@redhat.com>
+Cc: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Tested-by: Yi Zhang <yi.zhang@redhat.com>
+Link: https://lore.kernel.org/r/20210609015822.103433-2-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-rq-qos.h | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/block/blk-rq-qos.h b/block/blk-rq-qos.h
+index 2bc43e94f4c4..2bcb3495e376 100644
+--- a/block/blk-rq-qos.h
++++ b/block/blk-rq-qos.h
+@@ -7,6 +7,7 @@
+ #include <linux/blk_types.h>
+ #include <linux/atomic.h>
+ #include <linux/wait.h>
++#include <linux/blk-mq.h>
+ #include "blk-mq-debugfs.h"
+@@ -99,8 +100,21 @@ static inline void rq_wait_init(struct rq_wait *rq_wait)
+ static inline void rq_qos_add(struct request_queue *q, struct rq_qos *rqos)
+ {
++      /*
++       * No IO can be in-flight when adding rqos, so freeze queue, which
++       * is fine since we only support rq_qos for blk-mq queue.
++       *
++       * Reuse ->queue_lock for protecting against other concurrent
++       * rq_qos adding/deleting
++       */
++      blk_mq_freeze_queue(q);
++
++      spin_lock_irq(&q->queue_lock);
+       rqos->next = q->rq_qos;
+       q->rq_qos = rqos;
++      spin_unlock_irq(&q->queue_lock);
++
++      blk_mq_unfreeze_queue(q);
+       if (rqos->ops->debugfs_attrs)
+               blk_mq_debugfs_register_rqos(rqos);
+@@ -110,12 +124,22 @@ static inline void rq_qos_del(struct request_queue *q, struct rq_qos *rqos)
+ {
+       struct rq_qos **cur;
++      /*
++       * See comment in rq_qos_add() about freezing queue & using
++       * ->queue_lock.
++       */
++      blk_mq_freeze_queue(q);
++
++      spin_lock_irq(&q->queue_lock);
+       for (cur = &q->rq_qos; *cur; cur = &(*cur)->next) {
+               if (*cur == rqos) {
+                       *cur = rqos->next;
+                       break;
+               }
+       }
++      spin_unlock_irq(&q->queue_lock);
++
++      blk_mq_unfreeze_queue(q);
+       blk_mq_debugfs_unregister_rqos(rqos);
+ }
+-- 
+2.30.2
+
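Review bot: `rq_qos_add()` and `rq_qos_del()` in block/blk-rq-qos.h now call `blk_mq_freeze_queue()` and then take `q->queue_lock` with `spin_lock_irq()`, so both helpers may sleep and re-enable interrupts on unlock, and the added comment does not say so. Callers that were fine with the old two-pointer update must now be in process context with interrupts enabled and must not already hold `queue_lock`. I would state that in the comment, e.g. `* Context: may sleep; caller must not hold ->queue_lock.`, and consider `might_sleep();` at the top so a wrong caller is caught on a debug build. The debugfs register and unregister calls stay outside the frozen section in both helpers.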
diff --git a/queue-5.4/block_dump-remove-block_dump-feature-in-mark_inode_d.patch b/queue-5.4/block_dump-remove-block_dump-feature-in-mark_inode_d.patch
new file mode 100644 (file)
index 0000000..c646e4e
--- /dev/null
@@ -0,0 +1,84 @@
+From 211fe7a6b1a14b2f4cfbe6b9ab5ddd42660f9fba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Mar 2021 11:01:44 +0800
+Subject: block_dump: remove block_dump feature in mark_inode_dirty()
+
+From: zhangyi (F) <yi.zhang@huawei.com>
+
+[ Upstream commit 12e0613715e1cf305fffafaf0e89d810d9a85cc0 ]
+
+block_dump is an old debugging interface, one of it's functions is used
+to print the information about who write which file on disk. If we
+enable block_dump through /proc/sys/vm/block_dump and turn on debug log
+level, we can gather information about write process name, target file
+name and disk from kernel message. This feature is realized in
+block_dump___mark_inode_dirty(), it print above information into kernel
+message directly when marking inode dirty, so it is noisy and can easily
+trigger log storm. At the same time, get the dentry refcount is also not
+safe, we found it will lead to deadlock on ext4 file system with
+data=journal mode.
+
+After tracepoints has been introduced into the kernel, we got a
+tracepoint in __mark_inode_dirty(), which is a better replacement of
+block_dump___mark_inode_dirty(). The only downside is that it only trace
+the inode number and not a file name, but it probably doesn't matter
+because the original printed file name in block_dump is not accurate in
+some cases, and we can still find it through the inode number and device
+id. So this patch delete the dirting inode part of block_dump feature.
+
+Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20210313030146.2882027-2-yi.zhang@huawei.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fs-writeback.c | 25 -------------------------
+ 1 file changed, 25 deletions(-)
+
+diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
+index a2cf2db0d3de..fd6b50582c87 100644
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -2196,28 +2196,6 @@ int dirtytime_interval_handler(struct ctl_table *table, int write,
+       return ret;
+ }
+-static noinline void block_dump___mark_inode_dirty(struct inode *inode)
+-{
+-      if (inode->i_ino || strcmp(inode->i_sb->s_id, "bdev")) {
+-              struct dentry *dentry;
+-              const char *name = "?";
+-
+-              dentry = d_find_alias(inode);
+-              if (dentry) {
+-                      spin_lock(&dentry->d_lock);
+-                      name = (const char *) dentry->d_name.name;
+-              }
+-              printk(KERN_DEBUG
+-                     "%s(%d): dirtied inode %lu (%s) on %s\n",
+-                     current->comm, task_pid_nr(current), inode->i_ino,
+-                     name, inode->i_sb->s_id);
+-              if (dentry) {
+-                      spin_unlock(&dentry->d_lock);
+-                      dput(dentry);
+-              }
+-      }
+-}
+-
+ /**
+  * __mark_inode_dirty -       internal function
+  *
+@@ -2277,9 +2255,6 @@ void __mark_inode_dirty(struct inode *inode, int flags)
+           (dirtytime && (inode->i_state & I_DIRTY_INODE)))
+               return;
+-      if (unlikely(block_dump))
+-              block_dump___mark_inode_dirty(inode);
+-
+       spin_lock(&inode->i_lock);
+       if (dirtytime && (inode->i_state & I_DIRTY_INODE))
+               goto out_unlock_inode;
+-- 
+2.30.2
+
diff --git a/queue-5.4/bluetooth-fix-handling-of-hci_le_advertising_set_ter.patch b/queue-5.4/bluetooth-fix-handling-of-hci_le_advertising_set_ter.patch
new file mode 100644 (file)
index 0000000..665d3dd
--- /dev/null
@@ -0,0 +1,56 @@
+From da0c68ecd134be87944e9045c3254ebfa49ebb8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jun 2021 20:59:02 -0700
+Subject: Bluetooth: Fix handling of HCI_LE_Advertising_Set_Terminated event
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 23837a6d7a1a61818ed94a6b8af552d6cf7d32d5 ]
+
+Error status of this event means that it has ended due reasons other
+than a connection:
+
+ 'If advertising has terminated as a result of the advertising duration
+ elapsing, the Status parameter shall be set to the error code
+ Advertising Timeout (0x3C).'
+
+ 'If advertising has terminated because the
+ Max_Extended_Advertising_Events was reached, the Status parameter
+ shall be set to the error code Limit Reached (0x43).'
+
+Fixes: acf0aeae431a0 ("Bluetooth: Handle ADv set terminated event")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index bd678ffdaef7..e8e7f108b016 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -5101,8 +5101,19 @@ static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, struct sk_buff *skb)
+       BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
+-      if (ev->status)
++      if (ev->status) {
++              struct adv_info *adv;
++
++              adv = hci_find_adv_instance(hdev, ev->handle);
++              if (!adv)
++                      return;
++
++              /* Remove advertising as it has been terminated */
++              hci_remove_adv_instance(hdev, ev->handle);
++              mgmt_advertising_removed(NULL, hdev, ev->handle);
++
+               return;
++      }
+       conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));
+       if (conn) {
+-- 
+2.30.2
+
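Review bot: The new error branch in `hci_le_ext_adv_term_evt()` looks up and removes an advertising instance with no lock visible in the hunk. The function starts outside the hunk, so the lock may already be held. If the instance list is otherwise modified under `hci_dev_lock(hdev)`, then `hci_find_adv_instance()` and `hci_remove_adv_instance()` need the same protection, or the list walk can race with a removal from the mgmt side. `ev->handle` is supplied by the controller, so the `!adv` check is the right guard for handles the host does not track; a comment such as `/* handle is controller-supplied; ignore instances we do not track */` would record that. The return value of `hci_remove_adv_instance()` is also dropped.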
diff --git a/queue-5.4/bluetooth-mgmt-fix-slab-out-of-bounds-in-tlv_data_is.patch b/queue-5.4/bluetooth-mgmt-fix-slab-out-of-bounds-in-tlv_data_is.patch
new file mode 100644 (file)
index 0000000..c495de0
--- /dev/null
@@ -0,0 +1,65 @@
+From 996b93fb967b6031be5846e0f61ac59b8e4333b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 May 2021 11:45:02 -0700
+Subject: Bluetooth: mgmt: Fix slab-out-of-bounds in tlv_data_is_valid
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 799acb9347915bfe4eac0ff2345b468f0a1ca207 ]
+
+This fixes parsing of LTV entries when the length is 0.
+
+Found with:
+
+tools/mgmt-tester -s "Add Advertising - Success (ScRsp only)"
+
+Add Advertising - Success (ScRsp only) - run
+  Sending Add Advertising (0x003e)
+  Test condition added, total 1
+[   11.004577] ==================================================================
+[   11.005292] BUG: KASAN: slab-out-of-bounds in tlv_data_is_valid+0x87/0xe0
+[   11.005984] Read of size 1 at addr ffff888002c695b0 by task mgmt-tester/87
+[   11.006711]
+[   11.007176]
+[   11.007429] Allocated by task 87:
+[   11.008151]
+[   11.008438] The buggy address belongs to the object at ffff888002c69580
+[   11.008438]  which belongs to the cache kmalloc-64 of size 64
+[   11.010526] The buggy address is located 48 bytes inside of
+[   11.010526]  64-byte region [ffff888002c69580, ffff888002c695c0)
+[   11.012423] The buggy address belongs to the page:
+[   11.013291]
+[   11.013544] Memory state around the buggy address:
+[   11.014359]  ffff888002c69480: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+[   11.015453]  ffff888002c69500: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+[   11.016232] >ffff888002c69580: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
+[   11.017010]                                      ^
+[   11.017547]  ffff888002c69600: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
+[   11.018296]  ffff888002c69680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+[   11.019116] ==================================================================
+
+Fixes: 2bb36870e8cb2 ("Bluetooth: Unify advertising instance flags check")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/mgmt.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
+index 5fce559a61bf..db525321da1f 100644
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -6461,6 +6461,9 @@ static bool tlv_data_is_valid(struct hci_dev *hdev, u32 adv_flags, u8 *data,
+       for (i = 0, cur_len = 0; i < len; i += (cur_len + 1)) {
+               cur_len = data[i];
++              if (!cur_len)
++                      continue;
++
+               if (data[i + 1] == EIR_FLAGS &&
+                   (!is_adv_data || flags_managed(adv_flags)))
+                       return false;
+-- 
+2.30.2
+
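Review bot: In the `tlv_data_is_valid()` hunk of net/bluetooth/mgmt.c, `data[i + 1]` is still read before anything visible checks that `i + 1 < len`, so a non-zero length byte in the last position of the buffer reads one byte past the supplied data. The added `if (!cur_len) continue;` covers only the zero-length entry from the KASAN report. The loop body continues outside the hunk; if the test on `i + cur_len` sits later in it, I would move it directly after the zero check: `if (i + cur_len >= len) return false;`. The report was triggered by an Add Advertising request from mgmt-tester, so this validator sees caller-supplied bytes and should not rely on allocation slack.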
diff --git a/queue-5.4/bpf-do-not-change-gso_size-during-bpf_skb_change_pro.patch b/queue-5.4/bpf-do-not-change-gso_size-during-bpf_skb_change_pro.patch
new file mode 100644 (file)
index 0000000..e846378
--- /dev/null
@@ -0,0 +1,145 @@
+From 0b69e2e93353755a22bf7493eb4949c0b100b5c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 17:09:51 -0700
+Subject: bpf: Do not change gso_size during bpf_skb_change_proto()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Żenczykowski <maze@google.com>
+
+[ Upstream commit 364745fbe981a4370f50274475da4675661104df ]
+
+This is technically a backwards incompatible change in behaviour, but I'm
+going to argue that it is very unlikely to break things, and likely to fix
+*far* more then it breaks.
+
+In no particular order, various reasons follow:
+
+(a) I've long had a bug assigned to myself to debug a super rare kernel crash
+on Android Pixel phones which can (per stacktrace) be traced back to BPF clat
+IPv6 to IPv4 protocol conversion causing some sort of ugly failure much later
+on during transmit deep in the GSO engine, AFAICT precisely because of this
+change to gso_size, though I've never been able to manually reproduce it. I
+believe it may be related to the particular network offload support of attached
+USB ethernet dongle being used for tethering off of an IPv6-only cellular
+connection. The reason might be we end up with more segments than max permitted,
+or with a GSO packet with only one segment... (either way we break some
+assumption and hit a BUG_ON)
+
+(b) There is no check that the gso_size is > 20 when reducing it by 20, so we
+might end up with a negative (or underflowing) gso_size or a gso_size of 0.
+This can't possibly be good. Indeed this is probably somehow exploitable (or
+at least can result in a kernel crash) by delivering crafted packets and perhaps
+triggering an infinite loop or a divide by zero... As a reminder: gso_size (MSS)
+is related to MTU, but not directly derived from it: gso_size/MSS may be
+significantly smaller then one would get by deriving from local MTU. And on
+some NICs (which do loose MTU checking on receive, it may even potentially be
+larger, for example my work pc with 1500 MTU can receive 1520 byte frames [and
+sometimes does due to bugs in a vendor plat46 implementation]). Indeed even just
+going from 21 to 1 is potentially problematic because it increases the number
+of segments by a factor of 21 (think DoS, or some other crash due to too many
+segments).
+
+(c) It's always safe to not increase the gso_size, because it doesn't result in
+the max packet size increasing.  So the skb_increase_gso_size() call was always
+unnecessary for correctness (and outright undesirable, see later). As such the
+only part which is potentially dangerous (ie. could cause backwards compatibility
+issues) is the removal of the skb_decrease_gso_size() call.
+
+(d) If the packets are ultimately destined to the local device, then there is
+absolutely no benefit to playing around with gso_size. It only matters if the
+packets will egress the device. ie. we're either forwarding, or transmitting
+from the device.
+
+(e) This logic only triggers for packets which are GSO. It does not trigger for
+skbs which are not GSO. It will not convert a non-GSO MTU sized packet into a
+GSO packet (and you don't even know what the MTU is, so you can't even fix it).
+As such your transmit path must *already* be able to handle an MTU 20 bytes
+larger then your receive path (for IPv4 to IPv6 translation) - and indeed 28
+bytes larger due to IPv4 fragments. Thus removing the skb_decrease_gso_size()
+call doesn't actually increase the size of the packets your transmit side must
+be able to handle. ie. to handle non-GSO max-MTU packets, the IPv4/IPv6 device/
+route MTUs must already be set correctly. Since for example with an IPv4 egress
+MTU of 1500, IPv4 to IPv6 translation will already build 1520 byte IPv6 frames,
+so you need a 1520 byte device MTU. This means if your IPv6 device's egress
+MTU is 1280, your IPv4 route must be 1260 (and actually 1252, because of the
+need to handle fragments). This is to handle normal non-GSO packets. Thus the
+reduction is simply not needed for GSO packets, because when they're correctly
+built, they will already be the right size.
+
+(f) TSO/GSO should be able to exactly undo GRO: the number of packets (TCP
+segments) should not be modified, so that TCP's MSS counting works correctly
+(this matters for congestion control). If protocol conversion changes the
+gso_size, then the number of TCP segments may increase or decrease. Packet loss
+after protocol conversion can result in partial loss of MSS segments that the
+sender sent. How's the sending TCP stack going to react to receiving ACKs/SACKs
+in the middle of the segments it sent?
+
+(g) skb_{decrease,increase}_gso_size() are already no-ops for GSO_BY_FRAGS
+case (besides triggering WARN_ON_ONCE). This means you already cannot guarantee
+that gso_size (and thus resulting packet MTU) is changed. ie. you must assume
+it won't be changed.
+
+(h) changing gso_size is outright buggy for UDP GSO packets, where framing
+matters (I believe that's also the case for SCTP, but it's already excluded
+by [g]).  So the only remaining case is TCP, which also doesn't want it
+(see [f]).
+
+(i) see also the reasoning on the previous attempt at fixing this
+(commit fa7b83bf3b156c767f3e4a25bbf3817b08f3ff8e) which shows that the current
+behaviour causes TCP packet loss:
+
+  In the forwarding path GRO -> BPF 6 to 4 -> GSO for TCP traffic, the
+  coalesced packet payload can be > MSS, but < MSS + 20.
+
+  bpf_skb_proto_6_to_4() will upgrade the MSS and it can be > the payload
+  length. After then tcp_gso_segment checks for the payload length if it
+  is <= MSS. The condition is causing the packet to be dropped.
+
+  tcp_gso_segment():
+    [...]
+    mss = skb_shinfo(skb)->gso_size;
+    if (unlikely(skb->len <= mss)) goto out;
+    [...]
+
+Thus changing the gso_size is simply a very bad idea. Increasing is unnecessary
+and buggy, and decreasing can go negative.
+
+Fixes: 6578171a7ff0 ("bpf: add bpf_skb_change_proto helper")
+Signed-off-by: Maciej Żenczykowski <maze@google.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Dongseok Yi <dseok.yi@samsung.com>
+Cc: Willem de Bruijn <willemb@google.com>
+Link: https://lore.kernel.org/bpf/CANP3RGfjLikQ6dg=YpBU0OeHvyv7JOki7CyOUS9modaXAi-9vQ@mail.gmail.com
+Link: https://lore.kernel.org/bpf/20210617000953.2787453-2-zenczykowski@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/filter.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 108bcf600052..0e161a6dff7e 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -2861,8 +2861,6 @@ static int bpf_skb_proto_4_to_6(struct sk_buff *skb)
+                       shinfo->gso_type |=  SKB_GSO_TCPV6;
+               }
+-              /* Due to IPv6 header, MSS needs to be downgraded. */
+-              skb_decrease_gso_size(shinfo, len_diff);
+               /* Header must be checked, and gso_segs recomputed. */
+               shinfo->gso_type |= SKB_GSO_DODGY;
+               shinfo->gso_segs = 0;
+@@ -2902,8 +2900,6 @@ static int bpf_skb_proto_6_to_4(struct sk_buff *skb)
+                       shinfo->gso_type |=  SKB_GSO_TCPV4;
+               }
+-              /* Due to IPv4 header, MSS can be upgraded. */
+-              skb_increase_gso_size(shinfo, len_diff);
+               /* Header must be checked, and gso_segs recomputed. */
+               shinfo->gso_type |= SKB_GSO_DODGY;
+               shinfo->gso_segs = 0;
+-- 
+2.30.2
+
diff --git a/queue-5.4/bpfilter-specify-the-log-level-for-the-kmsg-message.patch b/queue-5.4/bpfilter-specify-the-log-level-for-the-kmsg-message.patch
new file mode 100644 (file)
index 0000000..23669e8
--- /dev/null
@@ -0,0 +1,45 @@
+From 17df97e1da3751e3565c448f28767c328e323d4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jun 2021 12:09:18 +0800
+Subject: bpfilter: Specify the log level for the kmsg message
+
+From: Gary Lin <glin@suse.com>
+
+[ Upstream commit a196fa78a26571359740f701cf30d774eb8a72cb ]
+
+Per the kmsg document [0], if we don't specify the log level with a
+prefix "<N>" in the message string, the default log level will be
+applied to the message. Since the default level could be warning(4),
+this would make the log utility such as journalctl treat the message,
+"Started bpfilter", as a warning. To avoid confusion, this commit
+adds the prefix "<5>" to make the message always a notice.
+
+  [0] https://www.kernel.org/doc/Documentation/ABI/testing/dev-kmsg
+
+Fixes: 36c4357c63f3 ("net: bpfilter: print umh messages to /dev/kmsg")
+Reported-by: Martin Loviska <mloviska@suse.com>
+Signed-off-by: Gary Lin <glin@suse.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Dmitrii Banshchikov <me@ubique.spb.ru>
+Link: https://lore.kernel.org/bpf/20210623040918.8683-1-glin@suse.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bpfilter/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bpfilter/main.c b/net/bpfilter/main.c
+index 05e1cfc1e5cd..291a92546246 100644
+--- a/net/bpfilter/main.c
++++ b/net/bpfilter/main.c
+@@ -57,7 +57,7 @@ int main(void)
+ {
+       debug_f = fopen("/dev/kmsg", "w");
+       setvbuf(debug_f, 0, _IOLBF, 0);
+-      fprintf(debug_f, "Started bpfilter\n");
++      fprintf(debug_f, "<5>Started bpfilter\n");
+       loop();
+       fclose(debug_f);
+       return 0;
+-- 
+2.30.2
+
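Review bot: `debug_f` is passed to `setvbuf()` and to the changed `fprintf()` in `main()` without any check that `fopen("/dev/kmsg", "w")` succeeded, so a failed open hands a NULL stream to both calls. A guard directly after the open, `if (!debug_f) return 1;`, would let the helper exit cleanly instead. The commit only changes the message prefix, so this is a follow-up on the surrounding lines rather than a problem with the prefix itself.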
diff --git a/queue-5.4/brcmfmac-correctly-report-average-rssi-in-station-in.patch b/queue-5.4/brcmfmac-correctly-report-average-rssi-in-station-in.patch
new file mode 100644 (file)
index 0000000..0dd93e6
--- /dev/null
@@ -0,0 +1,87 @@
+From e5cf0cf1040209429695b922cb63a6409d2a7897 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 May 2021 13:20:12 +0000
+Subject: brcmfmac: correctly report average RSSI in station info
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alvin Šipraga <ALSI@bang-olufsen.dk>
+
+[ Upstream commit 9a1590934d9a02e570636432b93052c0c035f31f ]
+
+The rx_lastpkt_rssi field provided by the firmware is suitable for
+NL80211_STA_INFO_{SIGNAL,CHAIN_SIGNAL}, while the rssi field is an
+average. Fix up the assignments and set the correct STA_INFO bits. This
+lets userspace know that the average RSSI is part of the station info.
+
+Fixes: cae355dc90db ("brcmfmac: Add RSSI information to get_station.")
+Signed-off-by: Alvin Šipraga <alsi@bang-olufsen.dk>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210506132010.3964484-2-alsi@bang-olufsen.dk
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../broadcom/brcm80211/brcmfmac/cfg80211.c    | 36 ++++++++++---------
+ 1 file changed, 20 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+index 626449c1e897..6439adcd2f99 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -2612,8 +2612,9 @@ brcmf_cfg80211_get_station(struct wiphy *wiphy, struct net_device *ndev,
+       struct brcmf_sta_info_le sta_info_le;
+       u32 sta_flags;
+       u32 is_tdls_peer;
+-      s32 total_rssi;
+-      s32 count_rssi;
++      s32 total_rssi_avg = 0;
++      s32 total_rssi = 0;
++      s32 count_rssi = 0;
+       int rssi;
+       u32 i;
+@@ -2679,24 +2680,27 @@ brcmf_cfg80211_get_station(struct wiphy *wiphy, struct net_device *ndev,
+                       sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_BYTES);
+                       sinfo->rx_bytes = le64_to_cpu(sta_info_le.rx_tot_bytes);
+               }
+-              total_rssi = 0;
+-              count_rssi = 0;
+               for (i = 0; i < BRCMF_ANT_MAX; i++) {
+-                      if (sta_info_le.rssi[i]) {
+-                              sinfo->chains |= BIT(count_rssi);
+-                              sinfo->chain_signal_avg[count_rssi] =
+-                                      sta_info_le.rssi[i];
+-                              sinfo->chain_signal[count_rssi] =
+-                                      sta_info_le.rssi[i];
+-                              total_rssi += sta_info_le.rssi[i];
+-                              count_rssi++;
+-                      }
++                      if (sta_info_le.rssi[i] == 0 ||
++                          sta_info_le.rx_lastpkt_rssi[i] == 0)
++                              continue;
++                      sinfo->chains |= BIT(count_rssi);
++                      sinfo->chain_signal[count_rssi] =
++                              sta_info_le.rx_lastpkt_rssi[i];
++                      sinfo->chain_signal_avg[count_rssi] =
++                              sta_info_le.rssi[i];
++                      total_rssi += sta_info_le.rx_lastpkt_rssi[i];
++                      total_rssi_avg += sta_info_le.rssi[i];
++                      count_rssi++;
+               }
+               if (count_rssi) {
+-                      sinfo->filled |= BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL);
+                       sinfo->filled |= BIT_ULL(NL80211_STA_INFO_SIGNAL);
+-                      total_rssi /= count_rssi;
+-                      sinfo->signal = total_rssi;
++                      sinfo->filled |= BIT_ULL(NL80211_STA_INFO_SIGNAL_AVG);
++                      sinfo->filled |= BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL);
++                      sinfo->filled |=
++                              BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG);
++                      sinfo->signal = total_rssi / count_rssi;
++                      sinfo->signal_avg = total_rssi_avg / count_rssi;
+               } else if (test_bit(BRCMF_VIF_STATUS_CONNECTED,
+                       &ifp->vif->sme_state)) {
+                       memset(&scb_val, 0, sizeof(scb_val));
+-- 
+2.30.2
+
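Review bot: The new skip test in the antenna loop of brcmf_cfg80211_get_station() drops a chain when either `rssi[i]` or `rx_lastpkt_rssi[i]` is zero, and nothing in the code says why both values must be present. A reader cannot tell whether a chain with a valid average but no last-packet value is meant to disappear from `chain_signal_avg` as well. A short comment above the test would settle it, for example `/* skip chains lacking an average or a last-packet RSSI; 0 appears to mean "not reported" - confirm against firmware docs */`. The function body starts and ends outside these hunks.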
diff --git a/queue-5.4/brcmfmac-fix-setting-of-station-info-chains-bitmask.patch b/queue-5.4/brcmfmac-fix-setting-of-station-info-chains-bitmask.patch
new file mode 100644 (file)
index 0000000..c5a3a97
--- /dev/null
@@ -0,0 +1,61 @@
+From 8a31681b2d787122f1817bcda18f7dd4d8105b95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 May 2021 13:20:12 +0000
+Subject: brcmfmac: fix setting of station info chains bitmask
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alvin Šipraga <ALSI@bang-olufsen.dk>
+
+[ Upstream commit feb45643762172110cb3a44f99dd54304f33b711 ]
+
+The sinfo->chains field is a bitmask for filled values in chain_signal
+and chain_signal_avg, not a count. Treat it as such so that the driver
+can properly report per-chain RSSI information.
+
+Before (MIMO mode):
+
+  $ iw dev wlan0 station dump
+      ...
+      signal: -51 [-51] dBm
+
+After (MIMO mode):
+
+  $ iw dev wlan0 station dump
+      ...
+      signal: -53 [-53, -54] dBm
+
+Fixes: cae355dc90db ("brcmfmac: Add RSSI information to get_station.")
+Signed-off-by: Alvin Šipraga <alsi@bang-olufsen.dk>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210506132010.3964484-1-alsi@bang-olufsen.dk
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+index cd813c69a178..626449c1e897 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -2683,6 +2683,7 @@ brcmf_cfg80211_get_station(struct wiphy *wiphy, struct net_device *ndev,
+               count_rssi = 0;
+               for (i = 0; i < BRCMF_ANT_MAX; i++) {
+                       if (sta_info_le.rssi[i]) {
++                              sinfo->chains |= BIT(count_rssi);
+                               sinfo->chain_signal_avg[count_rssi] =
+                                       sta_info_le.rssi[i];
+                               sinfo->chain_signal[count_rssi] =
+@@ -2693,8 +2694,6 @@ brcmf_cfg80211_get_station(struct wiphy *wiphy, struct net_device *ndev,
+               }
+               if (count_rssi) {
+                       sinfo->filled |= BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL);
+-                      sinfo->chains = count_rssi;
+-
+                       sinfo->filled |= BIT_ULL(NL80211_STA_INFO_SIGNAL);
+                       total_rssi /= count_rssi;
+                       sinfo->signal = total_rssi;
+-- 
+2.30.2
+
diff --git a/queue-5.4/brcmsmac-mac80211_if-fix-a-resource-leak-in-an-error.patch b/queue-5.4/brcmsmac-mac80211_if-fix-a-resource-leak-in-an-error.patch
new file mode 100644 (file)
index 0000000..41dbd9a
--- /dev/null
@@ -0,0 +1,55 @@
+From 90ffc8e5e82093492684c9ef5d9cce8c415c9060 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 May 2021 22:58:30 +0200
+Subject: brcmsmac: mac80211_if: Fix a resource leak in an error handling path
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 9a25344d5177c2b9285532236dc3d10a091f39a8 ]
+
+If 'brcms_attach()' fails, we must undo the previous 'ieee80211_alloc_hw()'
+as already done in the remove function.
+
+Fixes: 5b435de0d786 ("net: wireless: add brcm80211 drivers")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/8fbc171a1a493b38db5a6f0873c6021fca026a6c.1620852921.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c    | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
+index 6188275b17e5..288d4d4d4454 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
+@@ -1223,6 +1223,7 @@ static int brcms_bcma_probe(struct bcma_device *pdev)
+ {
+       struct brcms_info *wl;
+       struct ieee80211_hw *hw;
++      int ret;
+       dev_info(&pdev->dev, "mfg %x core %x rev %d class %d irq %d\n",
+                pdev->id.manuf, pdev->id.id, pdev->id.rev, pdev->id.class,
+@@ -1247,11 +1248,16 @@ static int brcms_bcma_probe(struct bcma_device *pdev)
+       wl = brcms_attach(pdev);
+       if (!wl) {
+               pr_err("%s: brcms_attach failed!\n", __func__);
+-              return -ENODEV;
++              ret = -ENODEV;
++              goto err_free_ieee80211;
+       }
+       brcms_led_register(wl);
+       return 0;
++
++err_free_ieee80211:
++      ieee80211_free_hw(hw);
++      return ret;
+ }
+ static int brcms_suspend(struct bcma_device *pdev)
+-- 
+2.30.2
+
diff --git a/queue-5.4/btrfs-abort-transaction-if-we-fail-to-update-the-del.patch b/queue-5.4/btrfs-abort-transaction-if-we-fail-to-update-the-del.patch
new file mode 100644 (file)
index 0000000..bfd7366
--- /dev/null
@@ -0,0 +1,43 @@
+From b1db3ddaa58b50c874fef993a0a6ea00547e92f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 May 2021 16:44:09 -0400
+Subject: btrfs: abort transaction if we fail to update the delayed inode
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit 04587ad9bef6ce9d510325b4ba9852b6129eebdb ]
+
+If we fail to update the delayed inode we need to abort the transaction,
+because we could leave an inode with the improper counts or some other
+such corruption behind.
+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/delayed-inode.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
+index c93254c9d67a..3dccbbe4a658 100644
+--- a/fs/btrfs/delayed-inode.c
++++ b/fs/btrfs/delayed-inode.c
+@@ -1074,6 +1074,14 @@ err_out:
+       btrfs_delayed_inode_release_metadata(fs_info, node, (ret < 0));
+       btrfs_release_delayed_inode(node);
++      /*
++       * If we fail to update the delayed inode we need to abort the
++       * transaction, because we could leave the inode with the improper
++       * counts behind.
++       */
++      if (ret && ret != -ENOENT)
++              btrfs_abort_transaction(trans, ret);
++
+       return ret;
+ search:
+-- 
+2.30.2
+
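Review bot: The added comment explains why the transaction is aborted but not why `-ENOENT` is exempt in `if (ret && ret != -ENOENT)`. Judging by the companion patch on this page, `-ENOENT` is what a positive btrfs_lookup_inode() result is mapped to, i.e. the inode item was not found. I would add one line to the comment, such as `-ENOENT (inode item not found) does not abort the transaction.`, followed by the reason, which the author needs to supply. The enclosing function and the code before the `err_out` label are outside the hunk.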
diff --git a/queue-5.4/btrfs-clear-log-tree-recovering-status-if-starting-t.patch b/queue-5.4/btrfs-clear-log-tree-recovering-status-if-starting-t.patch
new file mode 100644 (file)
index 0000000..d4f35b1
--- /dev/null
@@ -0,0 +1,44 @@
+From ab1621327666dc4ffc84c349c750bd0223cbc345 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Jul 2020 18:38:05 +0200
+Subject: btrfs: clear log tree recovering status if starting transaction fails
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit 1aeb6b563aea18cd55c73cf666d1d3245a00f08c ]
+
+When a log recovery is in progress, lots of operations have to take that
+into account, so we keep this status per tree during the operation. Long
+time ago error handling revamp patch 79787eaab461 ("btrfs: replace many
+BUG_ONs with proper error handling") removed clearing of the status in
+an error branch. Add it back as was intended in e02119d5a7b4 ("Btrfs:
+Add a write ahead tree log to optimize synchronous operations").
+
+There are probably no visible effects, log replay is done only during
+mount and if it fails all structures are cleared so the stale status
+won't be kept.
+
+Fixes: 79787eaab461 ("btrfs: replace many BUG_ONs with proper error handling")
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/tree-log.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index 4ff381c23cef..afc6731bb692 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -6327,6 +6327,7 @@ next:
+ error:
+       if (wc.trans)
+               btrfs_end_transaction(wc.trans);
++      clear_bit(BTRFS_FS_LOG_RECOVERING, &fs_info->flags);
+       btrfs_free_path(path);
+       return ret;
+ }
+-- 
+2.30.2
+
diff --git a/queue-5.4/btrfs-disable-build-on-platforms-having-page-size-25.patch b/queue-5.4/btrfs-disable-build-on-platforms-having-page-size-25.patch
new file mode 100644 (file)
index 0000000..62ed52e
--- /dev/null
@@ -0,0 +1,54 @@
+From da37aaf6e747684cdb611272a5d9050348337ab6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jun 2021 05:23:02 +0000
+Subject: btrfs: disable build on platforms having page size 256K
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit b05fbcc36be1f8597a1febef4892053a0b2f3f60 ]
+
+With a config having PAGE_SIZE set to 256K, BTRFS build fails
+with the following message
+
+  include/linux/compiler_types.h:326:38: error: call to
+  '__compiletime_assert_791' declared with attribute error:
+  BUILD_BUG_ON failed: (BTRFS_MAX_COMPRESSED % PAGE_SIZE) != 0
+
+BTRFS_MAX_COMPRESSED being 128K, BTRFS cannot support platforms with
+256K pages at the time being.
+
+There are two platforms that can select 256K pages:
+ - hexagon
+ - powerpc
+
+Disable BTRFS when 256K page size is selected. Supporting this would
+require changes to the subpage mode that's currently being developed.
+Given that 256K is many times larger than page sizes commonly used and
+for what the algorithms and structures have been tuned, it's out of
+scope and disabling build is a reasonable option.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+[ update changelog ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/Kconfig | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/btrfs/Kconfig b/fs/btrfs/Kconfig
+index 38651fae7f21..0aa1bee24d80 100644
+--- a/fs/btrfs/Kconfig
++++ b/fs/btrfs/Kconfig
+@@ -14,6 +14,8 @@ config BTRFS_FS
+       select RAID6_PQ
+       select XOR_BLOCKS
+       select SRCU
++      depends on !PPC_256K_PAGES      # powerpc
++      depends on !PAGE_SIZE_256KB     # hexagon
+       help
+         Btrfs is a general purpose copy-on-write filesystem with extents,
+-- 
+2.30.2
+
diff --git a/queue-5.4/btrfs-fix-error-handling-in-__btrfs_update_delayed_i.patch b/queue-5.4/btrfs-fix-error-handling-in-__btrfs_update_delayed_i.patch
new file mode 100644 (file)
index 0000000..2c8cb7f
--- /dev/null
@@ -0,0 +1,73 @@
+From 3c122de97b45621c871d8297958a175d6b103d67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 May 2021 16:44:08 -0400
+Subject: btrfs: fix error handling in __btrfs_update_delayed_inode
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit bb385bedded3ccbd794559600de4a09448810f4a ]
+
+If we get an error while looking up the inode item we'll simply bail
+without cleaning up the delayed node.  This results in this style of
+warning happening on commit:
+
+  WARNING: CPU: 0 PID: 76403 at fs/btrfs/delayed-inode.c:1365 btrfs_assert_delayed_root_empty+0x5b/0x90
+  CPU: 0 PID: 76403 Comm: fsstress Tainted: G        W         5.13.0-rc1+ #373
+  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014
+  RIP: 0010:btrfs_assert_delayed_root_empty+0x5b/0x90
+  RSP: 0018:ffffb8bb815a7e50 EFLAGS: 00010286
+  RAX: 0000000000000000 RBX: ffff95d6d07e1888 RCX: ffff95d6c0fa3000
+  RDX: 0000000000000002 RSI: 000000000029e91c RDI: ffff95d6c0fc8060
+  RBP: ffff95d6c0fc8060 R08: 00008d6d701a2c1d R09: 0000000000000000
+  R10: ffff95d6d1760ea0 R11: 0000000000000001 R12: ffff95d6c15a4d00
+  R13: ffff95d6c0fa3000 R14: 0000000000000000 R15: ffffb8bb815a7e90
+  FS:  00007f490e8dbb80(0000) GS:ffff95d73bc00000(0000) knlGS:0000000000000000
+  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+  CR2: 00007f6e75555cb0 CR3: 00000001101ce001 CR4: 0000000000370ef0
+  Call Trace:
+   btrfs_commit_transaction+0x43c/0xb00
+   ? finish_wait+0x80/0x80
+   ? vfs_fsync_range+0x90/0x90
+   iterate_supers+0x8c/0x100
+   ksys_sync+0x50/0x90
+   __do_sys_sync+0xa/0x10
+   do_syscall_64+0x3d/0x80
+   entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Because the iref isn't dropped and this leaves an elevated node->count,
+so any release just re-queues it onto the delayed inodes list.  Fix this
+by going to the out label to handle the proper cleanup of the delayed
+node.
+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/delayed-inode.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
+index 7dad8794ee38..c93254c9d67a 100644
+--- a/fs/btrfs/delayed-inode.c
++++ b/fs/btrfs/delayed-inode.c
+@@ -1033,12 +1033,10 @@ static int __btrfs_update_delayed_inode(struct btrfs_trans_handle *trans,
+       nofs_flag = memalloc_nofs_save();
+       ret = btrfs_lookup_inode(trans, root, path, &key, mod);
+       memalloc_nofs_restore(nofs_flag);
+-      if (ret > 0) {
+-              btrfs_release_path(path);
+-              return -ENOENT;
+-      } else if (ret < 0) {
+-              return ret;
+-      }
++      if (ret > 0)
++              ret = -ENOENT;
++      if (ret < 0)
++              goto out;
+       leaf = path->nodes[0];
+       inode_item = btrfs_item_ptr(leaf, path->slots[0],
+-- 
+2.30.2
+
diff --git a/queue-5.4/btrfs-fix-the-filemap_range_has_page-call-in-btrfs_p.patch b/queue-5.4/btrfs-fix-the-filemap_range_has_page-call-in-btrfs_p.patch
new file mode 100644 (file)
index 0000000..06e1ea2
--- /dev/null
@@ -0,0 +1,104 @@
+From 10014a1ddf64b0dd5ec940b59fa8981c7f8c5e22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 May 2021 16:50:54 +0800
+Subject: btrfs: fix the filemap_range_has_page() call in
+ btrfs_punch_hole_lock_range()
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 0528476b6ac7832f31e2ed740a57ae31316b124e ]
+
+[BUG]
+With current subpage RW support, the following script can hang the fs
+with 64K page size.
+
+ # mkfs.btrfs -f -s 4k $dev
+ # mount $dev -o nospace_cache $mnt
+ # fsstress -w -n 50 -p 1 -s 1607749395 -d $mnt
+
+The kernel will do an infinite loop in btrfs_punch_hole_lock_range().
+
+[CAUSE]
+In btrfs_punch_hole_lock_range() we:
+
+- Truncate page cache range
+- Lock extent io tree
+- Wait any ordered extents in the range.
+
+We exit the loop until we meet all the following conditions:
+
+- No ordered extent in the lock range
+- No page is in the lock range
+
+The latter condition has a pitfall, it only works for sector size ==
+PAGE_SIZE case.
+
+While can't handle the following subpage case:
+
+  0       32K     64K     96K     128K
+  |       |///////||//////|       ||
+
+lockstart=32K
+lockend=96K - 1
+
+In this case, although the range crosses 2 pages,
+truncate_pagecache_range() will invalidate no page at all, but only zero
+the [32K, 96K) range of the two pages.
+
+Thus filemap_range_has_page(32K, 96K-1) will always return true, thus we
+will never meet the loop exit condition.
+
+[FIX]
+Fix the problem by doing page alignment for the lock range.
+
+Function filemap_range_has_page() has already handled lend < lstart
+case, we only need to round up @lockstart, and round_down @lockend for
+truncate_pagecache_range().
+
+This modification should not change any thing for sector size ==
+PAGE_SIZE case, as in that case our range is already page aligned.
+
+Tested-by: Ritesh Harjani <riteshh@linux.ibm.com> # [ppc64]
+Tested-by: Anand Jain <anand.jain@oracle.com> # [aarch64]
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/file.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c
+index f6308a7b761d..b678bf7692d5 100644
+--- a/fs/btrfs/file.c
++++ b/fs/btrfs/file.c
+@@ -2439,6 +2439,17 @@ static int btrfs_punch_hole_lock_range(struct inode *inode,
+                                      const u64 lockend,
+                                      struct extent_state **cached_state)
+ {
++      /*
++       * For subpage case, if the range is not at page boundary, we could
++       * have pages at the leading/tailing part of the range.
++       * This could lead to dead loop since filemap_range_has_page()
++       * will always return true.
++       * So here we need to do extra page alignment for
++       * filemap_range_has_page().
++       */
++      const u64 page_lockstart = round_up(lockstart, PAGE_SIZE);
++      const u64 page_lockend = round_down(lockend + 1, PAGE_SIZE) - 1;
++
+       while (1) {
+               struct btrfs_ordered_extent *ordered;
+               int ret;
+@@ -2458,7 +2469,7 @@ static int btrfs_punch_hole_lock_range(struct inode *inode,
+                   (ordered->file_offset + ordered->len <= lockstart ||
+                    ordered->file_offset > lockend)) &&
+                    !filemap_range_has_page(inode->i_mapping,
+-                                           lockstart, lockend)) {
++                                           page_lockstart, page_lockend)) {
+                       if (ordered)
+                               btrfs_put_ordered_extent(ordered);
+                       break;
+-- 
+2.30.2
+
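Review bot: `page_lockend` in btrfs_punch_hole_lock_range() wraps to the largest u64 value when `lockend + 1` is smaller than PAGE_SIZE, because `round_down(lockend + 1, PAGE_SIZE)` is then 0 before the `- 1`. The commit message relies on filemap_range_has_page() treating an end below the start as an empty range, which for the wrapped value presumably holds only because that function's offsets are signed. The code comment should state this dependency, e.g. `/* if the range holds no full page, page_lockend ends up below page_lockstart (possibly by wrapping); filemap_range_has_page() then returns false */`. The loop body continues outside the second hunk.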
diff --git a/queue-5.4/char-pcmcia-error-out-if-num_bytes_read-is-greater-t.patch b/queue-5.4/char-pcmcia-error-out-if-num_bytes_read-is-greater-t.patch
new file mode 100644 (file)
index 0000000..232d868
--- /dev/null
@@ -0,0 +1,41 @@
+From f571b2e55b83eda34c88af8bf6f13f951abfe458 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 May 2021 20:06:17 +0800
+Subject: char: pcmcia: error out if 'num_bytes_read' is greater than 4 in
+ set_protocol()
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 37188559c610f1b7eec83c8e448936c361c578de ]
+
+Theoretically, it will cause index out of bounds error if
+'num_bytes_read' is greater than 4. As we expect it(and was tested)
+never to be greater than 4, error out if it happens.
+
+Fixes: c1986ee9bea3 ("[PATCH] New Omnikey Cardman 4000 driver")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20210521120617.138396-1-yukuai3@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/pcmcia/cm4000_cs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/char/pcmcia/cm4000_cs.c b/drivers/char/pcmcia/cm4000_cs.c
+index 15bf585af5d3..44117169db91 100644
+--- a/drivers/char/pcmcia/cm4000_cs.c
++++ b/drivers/char/pcmcia/cm4000_cs.c
+@@ -544,6 +544,10 @@ static int set_protocol(struct cm4000_dev *dev, struct ptsreq *ptsreq)
+               io_read_num_rec_bytes(iobase, &num_bytes_read);
+               if (num_bytes_read >= 4) {
+                       DEBUGP(2, dev, "NumRecBytes = %i\n", num_bytes_read);
++                      if (num_bytes_read > 4) {
++                              rc = -EIO;
++                              goto exit_setprotocol;
++                      }
+                       break;
+               }
+               usleep_range(10000, 11000);
+-- 
+2.30.2
+
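Review bot: The added `num_bytes_read > 4` check in set_protocol() bails out with -EIO but logs nothing above debug level, and the limit 4 is a bare literal repeated in both comparisons. The commit message says a larger value would index out of bounds, so the limit presumably mirrors the size of a reply buffer used later in the function, which continues outside the hunk. If that is confirmed, derive the bound from the buffer itself (`ARRAY_SIZE()` or `sizeof`) so the two cannot drift apart. A comment such as `/* the reply buffer holds 4 bytes; a longer reply would overrun it */` would record why the read is rejected.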
diff --git a/queue-5.4/cifs-fix-missing-spinlock-around-update-to-ses-statu.patch b/queue-5.4/cifs-fix-missing-spinlock-around-update-to-ses-statu.patch
new file mode 100644 (file)
index 0000000..6a2df8b
--- /dev/null
@@ -0,0 +1,63 @@
+From 04f1a442b64a589128358f14474d1ad6bc203f31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jun 2021 15:28:04 -0500
+Subject: cifs: fix missing spinlock around update to ses->status
+
+From: Steve French <stfrench@microsoft.com>
+
+[ Upstream commit 0060a4f28a9ef45ae8163c0805e944a2b1546762 ]
+
+In the other places where we update ses->status we protect the
+updates via GlobalMid_Lock. So to be consistent add the same
+locking around it in cifs_put_smb_ses where it was missing.
+
+Addresses-Coverity: 1268904 ("Data race condition")
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/cifsglob.h | 3 ++-
+ fs/cifs/connect.c  | 5 ++++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
+index b16c994414ab..9c0e348cb00f 100644
+--- a/fs/cifs/cifsglob.h
++++ b/fs/cifs/cifsglob.h
+@@ -964,7 +964,7 @@ struct cifs_ses {
+       struct mutex session_mutex;
+       struct TCP_Server_Info *server; /* pointer to server info */
+       int ses_count;          /* reference counter */
+-      enum statusEnum status;
++      enum statusEnum status;  /* updates protected by GlobalMid_Lock */
+       unsigned overrideSecFlg;  /* if non-zero override global sec flags */
+       char *serverOS;         /* name of operating system underlying server */
+       char *serverNOS;        /* name of network operating system of server */
+@@ -1814,6 +1814,7 @@ require use of the stronger protocol */
+  *    list operations on pending_mid_q and oplockQ
+  *      updates to XID counters, multiplex id  and SMB sequence numbers
+  *      list operations on global DnotifyReqList
++ *      updates to ses->status
+  *  tcp_ses_lock protects:
+  *    list operations on tcp and SMB session lists
+  *  tcon->open_file_lock protects the list of open files hanging off the tcon
+diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
+index ab9eeb5ff8e5..da0720f41ebc 100644
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -3049,9 +3049,12 @@ void cifs_put_smb_ses(struct cifs_ses *ses)
+               spin_unlock(&cifs_tcp_ses_lock);
+               return;
+       }
++      spin_unlock(&cifs_tcp_ses_lock);
++
++      spin_lock(&GlobalMid_Lock);
+       if (ses->status == CifsGood)
+               ses->status = CifsExiting;
+-      spin_unlock(&cifs_tcp_ses_lock);
++      spin_unlock(&GlobalMid_Lock);
+       cifs_free_ipc(ses);
+-- 
+2.30.2
+
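Review bot: In cifs_put_smb_ses() the new `spin_unlock(&cifs_tcp_ses_lock);` now comes before the status change, so there is a window in which the session is being torn down but still reads as CifsGood to anyone holding only cifs_tcp_ses_lock. Any lookup that walks the session list under that lock and skips exiting sessions by status could pick the session up in that window; that code is not in the hunk, so this needs confirming against the callers. If the lock order permits nesting, take GlobalMid_Lock while cifs_tcp_ses_lock is still held and keep `spin_unlock(&cifs_tcp_ses_lock);` after `spin_unlock(&GlobalMid_Lock);`. The function starts and ends outside the hunk.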
diff --git a/queue-5.4/clk-actions-fix-bisp_factor_table-based-clocks-on-ow.patch b/queue-5.4/clk-actions-fix-bisp_factor_table-based-clocks-on-ow.patch
new file mode 100644 (file)
index 0000000..d8e290f
--- /dev/null
@@ -0,0 +1,143 @@
+From 86b39687fec9c135d188f6e6c21dc8b0dc7a2544 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jun 2021 23:05:23 +0300
+Subject: clk: actions: Fix bisp_factor_table based clocks on Owl S500 SoC
+
+From: Cristian Ciocaltea <cristian.ciocaltea@gmail.com>
+
+[ Upstream commit a8f1f03caa51aa7a69c671aa87c475034db7d368 ]
+
+The following clocks of the Actions Semi Owl S500 SoC have been defined
+to use a shared clock factor table 'bisp_factor_table[]': DE[1-2], VCE,
+VDE, BISP, SENSOR[0-1]
+
+There are several issues involved in this approach:
+
+* 'bisp_factor_table[]' describes the configuration of a regular 8-rates
+  divider, so its usage is redundant. Additionally, judging by the BISP
+  clock context, it is incomplete since it maps only 8 out of 12
+  possible entries.
+
+* The clocks mentioned above are not identical in terms of the available
+  rates, therefore cannot rely on the same factor table. Specifically,
+  BISP and SENSOR* are standard 12-rate dividers so their configuration
+  should rely on a proper clock div table, while VCE and VDE require a
+  factor table that is a actually a subset of the one needed for DE[1-2]
+  clocks.
+
+Let's fix this by implementing the following:
+
+* Add new factor tables 'de_factor_table' and 'hde_factor_table' to
+  properly handle DE[1-2], VCE and VDE clocks.
+
+* Add a common div table 'std12rate_div_table' for BISP and SENSOR[0-1]
+  clocks converted to OWL_COMP_DIV.
+
+* Drop the now unused 'bisp_factor_table[]'.
+
+Additionally, drop the CLK_IGNORE_UNUSED flag for SENSOR[0-1] since
+there is no reason to always keep ON those clocks.
+
+Fixes: ed6b4795ece4 ("clk: actions: Add clock driver for S500 SoC")
+Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@gmail.com>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://lore.kernel.org/r/e675820a46cd9930d8d576c6cae61d41c1a8416f.1623354574.git.cristian.ciocaltea@gmail.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/actions/owl-s500.c | 44 ++++++++++++++++++++++------------
+ 1 file changed, 29 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/clk/actions/owl-s500.c b/drivers/clk/actions/owl-s500.c
+index d2396b2396ff..0528536ed9eb 100644
+--- a/drivers/clk/actions/owl-s500.c
++++ b/drivers/clk/actions/owl-s500.c
+@@ -138,9 +138,16 @@ static struct clk_factor_table sd_factor_table[] = {
+       { 0, 0, 0 },
+ };
+-static struct clk_factor_table bisp_factor_table[] = {
+-      { 0, 1, 1 }, { 1, 1, 2 }, { 2, 1, 3 }, { 3, 1, 4 },
+-      { 4, 1, 5 }, { 5, 1, 6 }, { 6, 1, 7 }, { 7, 1, 8 },
++static struct clk_factor_table de_factor_table[] = {
++      { 0, 1, 1 }, { 1, 2, 3 }, { 2, 1, 2 }, { 3, 2, 5 },
++      { 4, 1, 3 }, { 5, 1, 4 }, { 6, 1, 6 }, { 7, 1, 8 },
++      { 8, 1, 12 },
++      { 0, 0, 0 },
++};
++
++static struct clk_factor_table hde_factor_table[] = {
++      { 0, 1, 1 }, { 1, 2, 3 }, { 2, 1, 2 }, { 3, 2, 5 },
++      { 4, 1, 3 }, { 5, 1, 4 }, { 6, 1, 6 }, { 7, 1, 8 },
+       { 0, 0, 0 },
+ };
+@@ -154,6 +161,13 @@ static struct clk_div_table rmii_ref_div_table[] = {
+       { 0, 0 },
+ };
++static struct clk_div_table std12rate_div_table[] = {
++      { 0, 1 }, { 1, 2 }, { 2, 3 }, { 3, 4 },
++      { 4, 5 }, { 5, 6 }, { 6, 7 }, { 7, 8 },
++      { 8, 9 }, { 9, 10 }, { 10, 11 }, { 11, 12 },
++      { 0, 0 },
++};
++
+ static struct clk_div_table i2s_div_table[] = {
+       { 0, 1 }, { 1, 2 }, { 2, 3 }, { 3, 4 },
+       { 4, 6 }, { 5, 8 }, { 6, 12 }, { 7, 16 },
+@@ -186,39 +200,39 @@ static OWL_DIVIDER(rmii_ref_clk, "rmii_ref_clk", "ethernet_pll_clk", CMU_ETHERNE
+ /* factor clocks */
+ static OWL_FACTOR(ahb_clk, "ahb_clk", "h_clk", CMU_BUSCLK1, 2, 2, ahb_factor_table, 0, 0);
+-static OWL_FACTOR(de1_clk, "de_clk1", "de_clk", CMU_DECLK, 0, 3, bisp_factor_table, 0, 0);
+-static OWL_FACTOR(de2_clk, "de_clk2", "de_clk", CMU_DECLK, 4, 3, bisp_factor_table, 0, 0);
++static OWL_FACTOR(de1_clk, "de_clk1", "de_clk", CMU_DECLK, 0, 4, de_factor_table, 0, 0);
++static OWL_FACTOR(de2_clk, "de_clk2", "de_clk", CMU_DECLK, 4, 4, de_factor_table, 0, 0);
+ /* composite clocks */
+ static OWL_COMP_FACTOR(vce_clk, "vce_clk", hde_clk_mux_p,
+                       OWL_MUX_HW(CMU_VCECLK, 4, 2),
+                       OWL_GATE_HW(CMU_DEVCLKEN0, 26, 0),
+-                      OWL_FACTOR_HW(CMU_VCECLK, 0, 3, 0, bisp_factor_table),
++                      OWL_FACTOR_HW(CMU_VCECLK, 0, 3, 0, hde_factor_table),
+                       0);
+ static OWL_COMP_FACTOR(vde_clk, "vde_clk", hde_clk_mux_p,
+                       OWL_MUX_HW(CMU_VDECLK, 4, 2),
+                       OWL_GATE_HW(CMU_DEVCLKEN0, 25, 0),
+-                      OWL_FACTOR_HW(CMU_VDECLK, 0, 3, 0, bisp_factor_table),
++                      OWL_FACTOR_HW(CMU_VDECLK, 0, 3, 0, hde_factor_table),
+                       0);
+-static OWL_COMP_FACTOR(bisp_clk, "bisp_clk", bisp_clk_mux_p,
++static OWL_COMP_DIV(bisp_clk, "bisp_clk", bisp_clk_mux_p,
+                       OWL_MUX_HW(CMU_BISPCLK, 4, 1),
+                       OWL_GATE_HW(CMU_DEVCLKEN0, 14, 0),
+-                      OWL_FACTOR_HW(CMU_BISPCLK, 0, 3, 0, bisp_factor_table),
++                      OWL_DIVIDER_HW(CMU_BISPCLK, 0, 4, 0, std12rate_div_table),
+                       0);
+-static OWL_COMP_FACTOR(sensor0_clk, "sensor0_clk", sensor_clk_mux_p,
++static OWL_COMP_DIV(sensor0_clk, "sensor0_clk", sensor_clk_mux_p,
+                       OWL_MUX_HW(CMU_SENSORCLK, 4, 1),
+                       OWL_GATE_HW(CMU_DEVCLKEN0, 14, 0),
+-                      OWL_FACTOR_HW(CMU_SENSORCLK, 0, 3, 0, bisp_factor_table),
+-                      CLK_IGNORE_UNUSED);
++                      OWL_DIVIDER_HW(CMU_SENSORCLK, 0, 4, 0, std12rate_div_table),
++                      0);
+-static OWL_COMP_FACTOR(sensor1_clk, "sensor1_clk", sensor_clk_mux_p,
++static OWL_COMP_DIV(sensor1_clk, "sensor1_clk", sensor_clk_mux_p,
+                       OWL_MUX_HW(CMU_SENSORCLK, 4, 1),
+                       OWL_GATE_HW(CMU_DEVCLKEN0, 14, 0),
+-                      OWL_FACTOR_HW(CMU_SENSORCLK, 8, 3, 0, bisp_factor_table),
+-                      CLK_IGNORE_UNUSED);
++                      OWL_DIVIDER_HW(CMU_SENSORCLK, 8, 4, 0, std12rate_div_table),
++                      0);
+ static OWL_COMP_FACTOR(sd0_clk, "sd0_clk", sd_clk_mux_p,
+                       OWL_MUX_HW(CMU_SD0CLK, 9, 1),
+-- 
+2.30.2
+
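Review bot: `bisp_clk`, `sensor0_clk` and `sensor1_clk` all use `OWL_GATE_HW(CMU_DEVCLKEN0, 14, 0)`, and this change drops `CLK_IGNORE_UNUSED` from the two sensor clocks. If bit 14 really is one shared gate, the unused-clock cleanup for an unclaimed sensor clock could clear the bit that also gates the other two while they are in use; whether the owl gate code accounts for shared bits is not visible here. Either confirm the gate is safe to share or keep the flag, and record the decision next to the definitions, e.g. `/* bisp and sensor[0-1] share the CMU_DEVCLKEN0 bit 14 gate */`.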
diff --git a/queue-5.4/clk-actions-fix-sd-clocks-factor-table-on-owl-s500-s.patch b/queue-5.4/clk-actions-fix-sd-clocks-factor-table-on-owl-s500-s.patch
new file mode 100644 (file)
index 0000000..81ae95b
--- /dev/null
@@ -0,0 +1,49 @@
+From 4e8c00208c004d453dcde9c5b421bb5a78b4c4f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jun 2021 23:05:22 +0300
+Subject: clk: actions: Fix SD clocks factor table on Owl S500 SoC
+
+From: Cristian Ciocaltea <cristian.ciocaltea@gmail.com>
+
+[ Upstream commit fe1f71e338d77814da3ef44e9f64d32981a6ccdf ]
+
+Drop the unsupported entries in the factor table used for the SD[0-2]
+clocks definitions on the Actions Semi Owl S500 SoC.
+
+Fixes: ed6b4795ece4 ("clk: actions: Add clock driver for S500 SoC")
+Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@gmail.com>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://lore.kernel.org/r/196c948d708a22b8198c95f064a0f6b6820f9980.1623354574.git.cristian.ciocaltea@gmail.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/actions/owl-s500.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/clk/actions/owl-s500.c b/drivers/clk/actions/owl-s500.c
+index 6eeb7e290f40..d2396b2396ff 100644
+--- a/drivers/clk/actions/owl-s500.c
++++ b/drivers/clk/actions/owl-s500.c
+@@ -125,8 +125,7 @@ static struct clk_factor_table sd_factor_table[] = {
+       { 12, 1, 13 }, { 13, 1, 14 }, { 14, 1, 15 }, { 15, 1, 16 },
+       { 16, 1, 17 }, { 17, 1, 18 }, { 18, 1, 19 }, { 19, 1, 20 },
+       { 20, 1, 21 }, { 21, 1, 22 }, { 22, 1, 23 }, { 23, 1, 24 },
+-      { 24, 1, 25 }, { 25, 1, 26 }, { 26, 1, 27 }, { 27, 1, 28 },
+-      { 28, 1, 29 }, { 29, 1, 30 }, { 30, 1, 31 }, { 31, 1, 32 },
++      { 24, 1, 25 },
+       /* bit8: /128 */
+       { 256, 1, 1 * 128 }, { 257, 1, 2 * 128 }, { 258, 1, 3 * 128 }, { 259, 1, 4 * 128 },
+@@ -135,8 +134,7 @@ static struct clk_factor_table sd_factor_table[] = {
+       { 268, 1, 13 * 128 }, { 269, 1, 14 * 128 }, { 270, 1, 15 * 128 }, { 271, 1, 16 * 128 },
+       { 272, 1, 17 * 128 }, { 273, 1, 18 * 128 }, { 274, 1, 19 * 128 }, { 275, 1, 20 * 128 },
+       { 276, 1, 21 * 128 }, { 277, 1, 22 * 128 }, { 278, 1, 23 * 128 }, { 279, 1, 24 * 128 },
+-      { 280, 1, 25 * 128 }, { 281, 1, 26 * 128 }, { 282, 1, 27 * 128 }, { 283, 1, 28 * 128 },
+-      { 284, 1, 29 * 128 }, { 285, 1, 30 * 128 }, { 286, 1, 31 * 128 }, { 287, 1, 32 * 128 },
++      { 280, 1, 25 * 128 },
+       { 0, 0, 0 },
+ };
+-- 
+2.30.2
+
diff --git a/queue-5.4/clk-actions-fix-uart-clock-dividers-on-owl-s500-soc.patch b/queue-5.4/clk-actions-fix-uart-clock-dividers-on-owl-s500-soc.patch
new file mode 100644 (file)
index 0000000..590bf8a
--- /dev/null
@@ -0,0 +1,75 @@
+From 7a80532a76341feecf4a101dd61067ed2b4ee93d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jun 2021 23:05:21 +0300
+Subject: clk: actions: Fix UART clock dividers on Owl S500 SoC
+
+From: Cristian Ciocaltea <cristian.ciocaltea@gmail.com>
+
+[ Upstream commit 2dca2a619a907579e3e65e7c1789230c2b912e88 ]
+
+Use correct divider registers for the Actions Semi Owl S500 SoC's UART
+clocks.
+
+Fixes: ed6b4795ece4 ("clk: actions: Add clock driver for S500 SoC")
+Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@gmail.com>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://lore.kernel.org/r/4714d05982b19ac5fec2ed74f54be42d8238e392.1623354574.git.cristian.ciocaltea@gmail.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/actions/owl-s500.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/clk/actions/owl-s500.c b/drivers/clk/actions/owl-s500.c
+index 0eb83a0b70bc..6eeb7e290f40 100644
+--- a/drivers/clk/actions/owl-s500.c
++++ b/drivers/clk/actions/owl-s500.c
+@@ -300,7 +300,7 @@ static OWL_COMP_FIXED_FACTOR(i2c3_clk, "i2c3_clk", "ethernet_pll_clk",
+ static OWL_COMP_DIV(uart0_clk, "uart0_clk", uart_clk_mux_p,
+                       OWL_MUX_HW(CMU_UART0CLK, 16, 1),
+                       OWL_GATE_HW(CMU_DEVCLKEN1, 6, 0),
+-                      OWL_DIVIDER_HW(CMU_UART1CLK, 0, 8, CLK_DIVIDER_ROUND_CLOSEST, NULL),
++                      OWL_DIVIDER_HW(CMU_UART0CLK, 0, 8, CLK_DIVIDER_ROUND_CLOSEST, NULL),
+                       CLK_IGNORE_UNUSED);
+ static OWL_COMP_DIV(uart1_clk, "uart1_clk", uart_clk_mux_p,
+@@ -312,31 +312,31 @@ static OWL_COMP_DIV(uart1_clk, "uart1_clk", uart_clk_mux_p,
+ static OWL_COMP_DIV(uart2_clk, "uart2_clk", uart_clk_mux_p,
+                       OWL_MUX_HW(CMU_UART2CLK, 16, 1),
+                       OWL_GATE_HW(CMU_DEVCLKEN1, 8, 0),
+-                      OWL_DIVIDER_HW(CMU_UART1CLK, 0, 8, CLK_DIVIDER_ROUND_CLOSEST, NULL),
++                      OWL_DIVIDER_HW(CMU_UART2CLK, 0, 8, CLK_DIVIDER_ROUND_CLOSEST, NULL),
+                       CLK_IGNORE_UNUSED);
+ static OWL_COMP_DIV(uart3_clk, "uart3_clk", uart_clk_mux_p,
+                       OWL_MUX_HW(CMU_UART3CLK, 16, 1),
+                       OWL_GATE_HW(CMU_DEVCLKEN1, 19, 0),
+-                      OWL_DIVIDER_HW(CMU_UART1CLK, 0, 8, CLK_DIVIDER_ROUND_CLOSEST, NULL),
++                      OWL_DIVIDER_HW(CMU_UART3CLK, 0, 8, CLK_DIVIDER_ROUND_CLOSEST, NULL),
+                       CLK_IGNORE_UNUSED);
+ static OWL_COMP_DIV(uart4_clk, "uart4_clk", uart_clk_mux_p,
+                       OWL_MUX_HW(CMU_UART4CLK, 16, 1),
+                       OWL_GATE_HW(CMU_DEVCLKEN1, 20, 0),
+-                      OWL_DIVIDER_HW(CMU_UART1CLK, 0, 8, CLK_DIVIDER_ROUND_CLOSEST, NULL),
++                      OWL_DIVIDER_HW(CMU_UART4CLK, 0, 8, CLK_DIVIDER_ROUND_CLOSEST, NULL),
+                       CLK_IGNORE_UNUSED);
+ static OWL_COMP_DIV(uart5_clk, "uart5_clk", uart_clk_mux_p,
+                       OWL_MUX_HW(CMU_UART5CLK, 16, 1),
+                       OWL_GATE_HW(CMU_DEVCLKEN1, 21, 0),
+-                      OWL_DIVIDER_HW(CMU_UART1CLK, 0, 8, CLK_DIVIDER_ROUND_CLOSEST, NULL),
++                      OWL_DIVIDER_HW(CMU_UART5CLK, 0, 8, CLK_DIVIDER_ROUND_CLOSEST, NULL),
+                       CLK_IGNORE_UNUSED);
+ static OWL_COMP_DIV(uart6_clk, "uart6_clk", uart_clk_mux_p,
+                       OWL_MUX_HW(CMU_UART6CLK, 16, 1),
+                       OWL_GATE_HW(CMU_DEVCLKEN1, 18, 0),
+-                      OWL_DIVIDER_HW(CMU_UART1CLK, 0, 8, CLK_DIVIDER_ROUND_CLOSEST, NULL),
++                      OWL_DIVIDER_HW(CMU_UART6CLK, 0, 8, CLK_DIVIDER_ROUND_CLOSEST, NULL),
+                       CLK_IGNORE_UNUSED);
+ static OWL_COMP_DIV(i2srx_clk, "i2srx_clk", i2s_clk_mux_p,
+-- 
+2.30.2
+
diff --git a/queue-5.4/clk-meson-g12a-fix-gp0-and-hifi-ranges.patch b/queue-5.4/clk-meson-g12a-fix-gp0-and-hifi-ranges.patch
new file mode 100644 (file)
index 0000000..d8f5c55
--- /dev/null
@@ -0,0 +1,45 @@
+From ac36587e09ff5ad67601ad0189e7bd9931f8d382 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Apr 2021 11:03:25 +0200
+Subject: clk: meson: g12a: fix gp0 and hifi ranges
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+[ Upstream commit bc794f8c56abddf709f1f84fcb2a3c9e7d9cc9b4 ]
+
+While some SoC samples are able to lock with a PLL factor of 55, others
+samples can't. ATM, a minimum of 60 appears to work on all the samples
+I have tried.
+
+Even with 60, it sometimes takes a long time for the PLL to eventually
+lock. The documentation says that the minimum rate of these PLLs DCO
+should be 3GHz, a factor of 125. Let's use that to be on the safe side.
+
+With factor range changed, the PLL seems to lock quickly (enough) so far.
+It is still unclear if the range was the only reason for the delay.
+
+Fixes: 085a4ea93d54 ("clk: meson: g12a: add peripheral clock controller")
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Acked-by: Neil Armstrong <narmstrong@baylibre.com>
+Link: https://lore.kernel.org/r/20210429090325.60970-1-jbrunet@baylibre.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/meson/g12a.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/meson/g12a.c b/drivers/clk/meson/g12a.c
+index 3143e16065de..a55b22ebf103 100644
+--- a/drivers/clk/meson/g12a.c
++++ b/drivers/clk/meson/g12a.c
+@@ -1602,7 +1602,7 @@ static struct clk_regmap g12b_cpub_clk_trace = {
+ };
+ static const struct pll_mult_range g12a_gp0_pll_mult_range = {
+-      .min = 55,
++      .min = 125,
+       .max = 255,
+ };
+-- 
+2.30.2
+
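Review bot: The new `.min = 125` in g12a_gp0_pll_mult_range carries no comment, and the reasoning (samples failing to lock at 55, 60 locking slowly, a documented 3GHz DCO minimum) lives only in the commit message. A comment on the struct would stop the value being lowered again without that context, e.g. `/* DCO must run at >= 3GHz per the documentation; lower factors lock unreliably */`. The commit title also mentions hifi, so if another PLL shares this range the comment should say so; that use is not visible in the hunk.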
diff --git a/queue-5.4/clk-si5341-avoid-divide-errors-due-to-bogus-register.patch b/queue-5.4/clk-si5341-avoid-divide-errors-due-to-bogus-register.patch
new file mode 100644 (file)
index 0000000..6f46507
--- /dev/null
@@ -0,0 +1,70 @@
+From 661908cf09ce0ea63d1e7c28493edc1f1b4e2f2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 13:26:37 -0600
+Subject: clk: si5341: Avoid divide errors due to bogus register contents
+
+From: Robert Hancock <robert.hancock@calian.com>
+
+[ Upstream commit 78f6f406026d688868223d5dbeb197a4f7e9a9fd ]
+
+If the Si5341 is being initially programmed and has no stored NVM
+configuration, some of the register contents may contain unexpected
+values, such as zeros, which could cause divide by zero errors during
+driver initialization. Trap errors caused by zero registers or zero clock
+rates which could result in divide errors later in the code.
+
+Fixes: 3044a860fd ("clk: Add Si5341/Si5340 driver")
+Signed-off-by: Robert Hancock <robert.hancock@calian.com>
+Link: https://lore.kernel.org/r/20210325192643.2190069-4-robert.hancock@calian.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clk-si5341.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/clk-si5341.c b/drivers/clk/clk-si5341.c
+index 6e780c2a9e6b..ae8960188826 100644
+--- a/drivers/clk/clk-si5341.c
++++ b/drivers/clk/clk-si5341.c
+@@ -482,6 +482,9 @@ static unsigned long si5341_synth_clk_recalc_rate(struct clk_hw *hw,
+                       SI5341_SYNTH_N_NUM(synth->index), &n_num, &n_den);
+       if (err < 0)
+               return err;
++      /* Check for bogus/uninitialized settings */
++      if (!n_num || !n_den)
++              return 0;
+       /*
+        * n_num and n_den are shifted left as much as possible, so to prevent
+@@ -665,6 +668,9 @@ static long si5341_output_clk_round_rate(struct clk_hw *hw, unsigned long rate,
+ {
+       unsigned long r;
++      if (!rate)
++              return 0;
++
+       r = *parent_rate >> 1;
+       /* If rate is an even divisor, no changes to parent required */
+@@ -693,11 +699,16 @@ static int si5341_output_clk_set_rate(struct clk_hw *hw, unsigned long rate,
+               unsigned long parent_rate)
+ {
+       struct clk_si5341_output *output = to_clk_si5341_output(hw);
+-      /* Frequency divider is (r_div + 1) * 2 */
+-      u32 r_div = (parent_rate / rate) >> 1;
++      u32 r_div;
+       int err;
+       u8 r[3];
++      if (!rate)
++              return -EINVAL;
++
++      /* Frequency divider is (r_div + 1) * 2 */
++      r_div = (parent_rate / rate) >> 1;
++
+       if (r_div <= 1)
+               r_div = 0;
+       else if (r_div >= BIT(24))
+-- 
+2.30.2
+
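Review bot: The zero-rate guard added to si5341_output_clk_round_rate() returns 0, while the matching guard in si5341_output_clk_set_rate() returns -EINVAL, so the two callbacks disagree about whether a rate of 0 is an error. round_rate returns `long`, so it could report the same condition with `return -EINVAL;`. If 0 is the intended answer there, a one-line comment such as `/* a zero request rounds to zero; set_rate rejects it */` would make the difference deliberate. Both function bodies continue outside the hunks, so how callers treat a rounded rate of 0 cannot be checked from here.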
diff --git a/queue-5.4/clk-si5341-update-initialization-magic.patch b/queue-5.4/clk-si5341-update-initialization-magic.patch
new file mode 100644 (file)
index 0000000..9240f8b
--- /dev/null
@@ -0,0 +1,48 @@
+From b12a8797763e9cc609bb519dd552dec5b7b2bc67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 13:26:39 -0600
+Subject: clk: si5341: Update initialization magic
+
+From: Robert Hancock <robert.hancock@calian.com>
+
+[ Upstream commit 3c9b49b0031aefb81adfdba5ab0ddf3ca3a2cdc9 ]
+
+Update the default register settings to include the VCO_RESET_CALCODE
+settings (set by the SiLabs ClockBuilder software but not described in
+the datasheet). Also update part of the initialization sequence to match
+ClockBuilder and the datasheet.
+
+Fixes: 3044a860fd ("clk: Add Si5341/Si5340 driver")
+Signed-off-by: Robert Hancock <robert.hancock@calian.com>
+Link: https://lore.kernel.org/r/20210325192643.2190069-6-robert.hancock@calian.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clk-si5341.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/clk/clk-si5341.c b/drivers/clk/clk-si5341.c
+index ae8960188826..8f9f3d4a54fd 100644
+--- a/drivers/clk/clk-si5341.c
++++ b/drivers/clk/clk-si5341.c
+@@ -304,6 +304,8 @@ static const struct si5341_reg_default si5341_reg_defaults[] = {
+       { 0x094A, 0x00 }, /* INx_TO_PFD_EN (disabled) */
+       { 0x0A02, 0x00 }, /* Not in datasheet */
+       { 0x0B44, 0x0F }, /* PDIV_ENB (datasheet does not mention what it is) */
++      { 0x0B57, 0x10 }, /* VCO_RESET_CALCODE (not described in datasheet) */
++      { 0x0B58, 0x05 }, /* VCO_RESET_CALCODE (not described in datasheet) */
+ };
+ /* Read and interpret a 44-bit followed by a 32-bit value in the regmap */
+@@ -935,7 +937,7 @@ static const struct si5341_reg_default si5341_preamble[] = {
+       { 0x0B25, 0x00 },
+       { 0x0502, 0x01 },
+       { 0x0505, 0x03 },
+-      { 0x0957, 0x1F },
++      { 0x0957, 0x17 },
+       { 0x0B4E, 0x1A },
+ };
+-- 
+2.30.2
+
diff --git a/queue-5.4/clocksource-retry-clock-read-if-long-delays-detected.patch b/queue-5.4/clocksource-retry-clock-read-if-long-delays-detected.patch
new file mode 100644 (file)
index 0000000..0b05c89
--- /dev/null
@@ -0,0 +1,144 @@
+From f22d43e3b03baf5fd9ee2e57a1967df6ffcbe3e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 May 2021 12:01:19 -0700
+Subject: clocksource: Retry clock read if long delays detected
+
+From: Paul E. McKenney <paulmck@kernel.org>
+
+[ Upstream commit db3a34e17433de2390eb80d436970edcebd0ca3e ]
+
+When the clocksource watchdog marks a clock as unstable, this might be due
+to that clock being unstable or it might be due to delays that happen to
+occur between the reads of the two clocks.  Yes, interrupts are disabled
+across those two reads, but there are no shortage of things that can delay
+interrupts-disabled regions of code ranging from SMI handlers to vCPU
+preemption.  It would be good to have some indication as to why the clock
+was marked unstable.
+
+Therefore, re-read the watchdog clock on either side of the read from the
+clock under test.  If the watchdog clock shows an excessive time delta
+between its pair of reads, the reads are retried.
+
+The maximum number of retries is specified by a new kernel boot parameter
+clocksource.max_cswd_read_retries, which defaults to three, that is, up to
+four reads, one initial and up to three retries.  If more than one retry
+was required, a message is printed on the console (the occasional single
+retry is expected behavior, especially in guest OSes).  If the maximum
+number of retries is exceeded, the clock under test will be marked
+unstable.  However, the probability of this happening due to various sorts
+of delays is quite small.  In addition, the reason (clock-read delays) for
+the unstable marking will be apparent.
+
+Reported-by: Chris Mason <clm@fb.com>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Feng Tang <feng.tang@intel.com>
+Link: https://lore.kernel.org/r/20210527190124.440372-1-paulmck@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../admin-guide/kernel-parameters.txt         |  6 +++
+ kernel/time/clocksource.c                     | 53 ++++++++++++++++---
+ 2 files changed, 53 insertions(+), 6 deletions(-)
+
+diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
+index a19ae163c058..dbb68067ba4e 100644
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -567,6 +567,12 @@
+                       loops can be debugged more effectively on production
+                       systems.
++      clocksource.max_cswd_read_retries= [KNL]
++                      Number of clocksource_watchdog() retries due to
++                      external delays before the clock will be marked
++                      unstable.  Defaults to three retries, that is,
++                      four attempts to read the clock under test.
++
+       clearcpuid=BITNUM[,BITNUM...] [X86]
+                       Disable CPUID feature X for the kernel. See
+                       arch/x86/include/asm/cpufeatures.h for the valid bit
+diff --git a/kernel/time/clocksource.c b/kernel/time/clocksource.c
+index 428beb69426a..6863a054c970 100644
+--- a/kernel/time/clocksource.c
++++ b/kernel/time/clocksource.c
+@@ -124,6 +124,13 @@ static void __clocksource_change_rating(struct clocksource *cs, int rating);
+ #define WATCHDOG_INTERVAL (HZ >> 1)
+ #define WATCHDOG_THRESHOLD (NSEC_PER_SEC >> 4)
++/*
++ * Maximum permissible delay between two readouts of the watchdog
++ * clocksource surrounding a read of the clocksource being validated.
++ * This delay could be due to SMIs, NMIs, or to VCPU preemptions.
++ */
++#define WATCHDOG_MAX_SKEW (100 * NSEC_PER_USEC)
++
+ static void clocksource_watchdog_work(struct work_struct *work)
+ {
+       /*
+@@ -184,12 +191,45 @@ void clocksource_mark_unstable(struct clocksource *cs)
+       spin_unlock_irqrestore(&watchdog_lock, flags);
+ }
++static ulong max_cswd_read_retries = 3;
++module_param(max_cswd_read_retries, ulong, 0644);
++
++static bool cs_watchdog_read(struct clocksource *cs, u64 *csnow, u64 *wdnow)
++{
++      unsigned int nretries;
++      u64 wd_end, wd_delta;
++      int64_t wd_delay;
++
++      for (nretries = 0; nretries <= max_cswd_read_retries; nretries++) {
++              local_irq_disable();
++              *wdnow = watchdog->read(watchdog);
++              *csnow = cs->read(cs);
++              wd_end = watchdog->read(watchdog);
++              local_irq_enable();
++
++              wd_delta = clocksource_delta(wd_end, *wdnow, watchdog->mask);
++              wd_delay = clocksource_cyc2ns(wd_delta, watchdog->mult,
++                                            watchdog->shift);
++              if (wd_delay <= WATCHDOG_MAX_SKEW) {
++                      if (nretries > 1 || nretries >= max_cswd_read_retries) {
++                              pr_warn("timekeeping watchdog on CPU%d: %s retried %d times before success\n",
++                                      smp_processor_id(), watchdog->name, nretries);
++                      }
++                      return true;
++              }
++      }
++
++      pr_warn("timekeeping watchdog on CPU%d: %s read-back delay of %lldns, attempt %d, marking unstable\n",
++              smp_processor_id(), watchdog->name, wd_delay, nretries);
++      return false;
++}
++
+ static void clocksource_watchdog(struct timer_list *unused)
+ {
+-      struct clocksource *cs;
+       u64 csnow, wdnow, cslast, wdlast, delta;
+-      int64_t wd_nsec, cs_nsec;
+       int next_cpu, reset_pending;
++      int64_t wd_nsec, cs_nsec;
++      struct clocksource *cs;
+       spin_lock(&watchdog_lock);
+       if (!watchdog_running)
+@@ -206,10 +246,11 @@ static void clocksource_watchdog(struct timer_list *unused)
+                       continue;
+               }
+-              local_irq_disable();
+-              csnow = cs->read(cs);
+-              wdnow = watchdog->read(watchdog);
+-              local_irq_enable();
++              if (!cs_watchdog_read(cs, &csnow, &wdnow)) {
++                      /* Clock readout unreliable, so give it up. */
++                      __clocksource_unstable(cs);
++                      continue;
++              }
+               /* Clocksource initialized ? */
+               if (!(cs->flags & CLOCK_SOURCE_WATCHDOG) ||
+-- 
+2.30.2
+
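Review bot: `max_cswd_read_retries` is a runtime-writable `ulong` (mode 0644) with no upper bound, while the loop counter `nretries` in cs_watchdog_read() is `unsigned int`. On 64-bit a value at or above UINT_MAX makes `nretries <= max_cswd_read_retries` always true, and any large value lets the loop keep retrying for as long as reads exceed WATCHDOG_MAX_SKEW, in a timer callback that appears to hold `watchdog_lock`. Reading the parameter once into a local and clamping it would bound the loop, e.g. `max_retries = min_t(ulong, READ_ONCE(max_cswd_read_retries), CSWD_RETRY_LIMIT);` where CSWD_RETRY_LIMIT is a placeholder for a limit still to be chosen. Separately, with the parameter set to 0 the test `nretries >= max_cswd_read_retries` is true on a first-try success, so every clean read logs "retried 0 times"; guarding that term with `nretries > 0` would avoid it. The `%d` specifiers in both pr_warn calls should also be `%u` for an unsigned counter.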
diff --git a/queue-5.4/configfs-fix-memleak-in-configfs_release_bin_file.patch b/queue-5.4/configfs-fix-memleak-in-configfs_release_bin_file.patch
new file mode 100644 (file)
index 0000000..1fd5e68
--- /dev/null
@@ -0,0 +1,47 @@
+From 88762ab934adb280fa608c5faaf01802cb96f8c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 15:59:25 +0800
+Subject: configfs: fix memleak in configfs_release_bin_file
+
+From: Chung-Chiang Cheng <shepjeng@gmail.com>
+
+[ Upstream commit 3c252b087de08d3cb32468b54a158bd7ad0ae2f7 ]
+
+When reading binary attributes in progress, buffer->bin_buffer is setup in
+configfs_read_bin_file() but never freed.
+
+Fixes: 03607ace807b4 ("configfs: implement binary attributes")
+Signed-off-by: Chung-Chiang Cheng <cccheng@synology.com>
+[hch: move the vfree rather than duplicating it]
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/configfs/file.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/fs/configfs/file.c b/fs/configfs/file.c
+index 84b4d58fc65f..66fae1853d99 100644
+--- a/fs/configfs/file.c
++++ b/fs/configfs/file.c
+@@ -482,13 +482,13 @@ static int configfs_release_bin_file(struct inode *inode, struct file *file)
+                                       buffer->bin_buffer_size);
+               }
+               up_read(&frag->frag_sem);
+-              /* vfree on NULL is safe */
+-              vfree(buffer->bin_buffer);
+-              buffer->bin_buffer = NULL;
+-              buffer->bin_buffer_size = 0;
+-              buffer->needs_read_fill = 1;
+       }
++      vfree(buffer->bin_buffer);
++      buffer->bin_buffer = NULL;
++      buffer->bin_buffer_size = 0;
++      buffer->needs_read_fill = 1;
++
+       configfs_release(inode, file);
+       return 0;
+ }
+-- 
+2.30.2
+
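Review bot: The moved `vfree(buffer->bin_buffer)` in configfs_release_bin_file() is now unconditional, but the patch drops the comment that said why a NULL argument is fine. After the move the NULL case is the common one rather than a corner of the branch that closes at the `}` above it, so the comment is more useful than before. I would keep one line on the call: `/* vfree(NULL) is a no-op, so this is safe when bin_buffer was never set up */`. The function starts outside the hunk, so where bin_buffer is allocated is taken from the commit message rather than from visible code.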
diff --git a/queue-5.4/cpufreq-make-cpufreq_online-call-driver-offline-on-e.patch b/queue-5.4/cpufreq-make-cpufreq_online-call-driver-offline-on-e.patch
new file mode 100644 (file)
index 0000000..8ce4d05
--- /dev/null
@@ -0,0 +1,62 @@
+From ceceb0729904db86a0ac3383e46a9a2304c48d7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jun 2021 21:11:39 +0200
+Subject: cpufreq: Make cpufreq_online() call driver->offline() on errors
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 3b7180573c250eb6e2a7eec54ae91f27472332ea ]
+
+In the CPU removal path the ->offline() callback provided by the
+driver is always invoked before ->exit(), but in the cpufreq_online()
+error path it is not, so ->exit() is expected to somehow know the
+context in which it has been called and act accordingly.
+
+That is less than straightforward, so make cpufreq_online() invoke
+the driver's ->offline() callback, if present, on errors before
+->exit() too.
+
+This only potentially affects intel_pstate.
+
+Fixes: 91a12e91dc39 ("cpufreq: Allow light-weight tear down and bring up of CPUs")
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/cpufreq.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
+index 194a6587a1de..c4e928375c40 100644
+--- a/drivers/cpufreq/cpufreq.c
++++ b/drivers/cpufreq/cpufreq.c
+@@ -1361,9 +1361,14 @@ static int cpufreq_online(unsigned int cpu)
+                       goto out_free_policy;
+               }
++              /*
++               * The initialization has succeeded and the policy is online.
++               * If there is a problem with its frequency table, take it
++               * offline and drop it.
++               */
+               ret = cpufreq_table_validate_and_sort(policy);
+               if (ret)
+-                      goto out_exit_policy;
++                      goto out_offline_policy;
+               /* related_cpus should at least include policy->cpus. */
+               cpumask_copy(policy->related_cpus, policy->cpus);
+@@ -1507,6 +1512,10 @@ out_destroy_policy:
+       up_write(&policy->rwsem);
++out_offline_policy:
++      if (cpufreq_driver->offline)
++              cpufreq_driver->offline(policy);
++
+ out_exit_policy:
+       if (cpufreq_driver->exit)
+               cpufreq_driver->exit(policy);
+-- 
+2.30.2
+
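Review bot: The new `out_offline_policy:` label sits directly after `up_write(&policy->rwsem);`, so on this error path the driver's ->offline() runs with the policy rwsem already released. Every jump to out_destroy_policy now falls through into it as well. If the CPU removal path calls ->offline() with that lock held (not visible in these hunks), the callback is invoked in two different locking contexts and a driver cannot rely on either. I would at least record this at the label, `/* Error path: ->offline() runs here without policy->rwsem held. */`, and check the driver named in the commit message against it. cpufreq_online() starts and ends outside both hunks.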
diff --git a/queue-5.4/crypto-ccp-fix-a-resource-leak-in-an-error-handling-.patch b/queue-5.4/crypto-ccp-fix-a-resource-leak-in-an-error-handling-.patch
new file mode 100644 (file)
index 0000000..09948b2
--- /dev/null
@@ -0,0 +1,51 @@
+From 09f79b773b19985476231e31181b3ad002cb9213 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 16 May 2021 08:58:04 +0200
+Subject: crypto: ccp - Fix a resource leak in an error handling path
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit a6f8e68e238a15bb15f1726b35c695136c64eaba ]
+
+If an error occurs after calling 'sp_get_irqs()', 'sp_free_irqs()' must be
+called as already done in the error handling path.
+
+Fixes: f4d18d656f88 ("crypto: ccp - Abstract interrupt registeration")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: John Allen <john.allen@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ccp/sp-pci.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/ccp/sp-pci.c b/drivers/crypto/ccp/sp-pci.c
+index b29d2e663e10..f607b19ff4d2 100644
+--- a/drivers/crypto/ccp/sp-pci.c
++++ b/drivers/crypto/ccp/sp-pci.c
+@@ -213,7 +213,7 @@ static int sp_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+               if (ret) {
+                       dev_err(dev, "dma_set_mask_and_coherent failed (%d)\n",
+                               ret);
+-                      goto e_err;
++                      goto free_irqs;
+               }
+       }
+@@ -221,10 +221,12 @@ static int sp_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+       ret = sp_init(sp);
+       if (ret)
+-              goto e_err;
++              goto free_irqs;
+       return 0;
++free_irqs:
++      sp_free_irqs(sp);
+ e_err:
+       dev_notice(dev, "initialization failed\n");
+       return ret;
+-- 
+2.30.2
+
diff --git a/queue-5.4/crypto-ixp4xx-dma_unmap-the-correct-address.patch b/queue-5.4/crypto-ixp4xx-dma_unmap-the-correct-address.patch
new file mode 100644 (file)
index 0000000..2cc7e63
--- /dev/null
@@ -0,0 +1,38 @@
+From b3de0c3714d9707287ff25da80dcf2d8c1aa0031 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 May 2021 20:26:08 +0000
+Subject: crypto: ixp4xx - dma_unmap the correct address
+
+From: Corentin Labbe <clabbe@baylibre.com>
+
+[ Upstream commit 9395c58fdddd79cdd3882132cdd04e8ac7ad525f ]
+
+Testing ixp4xx_crypto with CONFIG_DMA_API_DEBUG lead to the following error:
+DMA-API: platform ixp4xx_crypto.0: device driver tries to free DMA memory it has not allocated [device address=0x0000000000000000] [size=24 bytes]
+
+This is due to dma_unmap using the wrong address.
+
+Fixes: 0d44dc59b2b4 ("crypto: ixp4xx - Fix handling of chained sg buffers")
+Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ixp4xx_crypto.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/ixp4xx_crypto.c b/drivers/crypto/ixp4xx_crypto.c
+index acaa504d5a79..e02ff2b205d0 100644
+--- a/drivers/crypto/ixp4xx_crypto.c
++++ b/drivers/crypto/ixp4xx_crypto.c
+@@ -329,7 +329,7 @@ static void free_buf_chain(struct device *dev, struct buffer_desc *buf,
+               buf1 = buf->next;
+               phys1 = buf->phys_next;
+-              dma_unmap_single(dev, buf->phys_next, buf->buf_len, buf->dir);
++              dma_unmap_single(dev, buf->phys_addr, buf->buf_len, buf->dir);
+               dma_pool_free(buffer_pool, buf, phys);
+               buf = buf1;
+               phys = phys1;
+-- 
+2.30.2
+
diff --git a/queue-5.4/crypto-nitrox-fix-unchecked-variable-in-nitrox_regis.patch b/queue-5.4/crypto-nitrox-fix-unchecked-variable-in-nitrox_regis.patch
new file mode 100644 (file)
index 0000000..2f2c377
--- /dev/null
@@ -0,0 +1,38 @@
+From c05dbf98f55f6e38e22a8242ae136db44a68bc88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jun 2021 18:01:55 +0800
+Subject: crypto: nitrox - fix unchecked variable in nitrox_register_interrupts
+
+From: Tong Tiangen <tongtiangen@huawei.com>
+
+[ Upstream commit 57c126661f50b884d3812e7db6e00f2e778eccfb ]
+
+Function nitrox_register_interrupts leaves variable 'nr_vecs' unchecked, which
+would be use as kcalloc parameter later.
+
+Fixes: 5155e118dda9 ("crypto: cavium/nitrox - use pci_alloc_irq_vectors() while enabling MSI-X.")
+Signed-off-by: Tong Tiangen <tongtiangen@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/cavium/nitrox/nitrox_isr.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/crypto/cavium/nitrox/nitrox_isr.c b/drivers/crypto/cavium/nitrox/nitrox_isr.c
+index 3dec570a190a..10e3408bf704 100644
+--- a/drivers/crypto/cavium/nitrox/nitrox_isr.c
++++ b/drivers/crypto/cavium/nitrox/nitrox_isr.c
+@@ -306,6 +306,10 @@ int nitrox_register_interrupts(struct nitrox_device *ndev)
+        * Entry 192: NPS_CORE_INT_ACTIVE
+        */
+       nr_vecs = pci_msix_vec_count(pdev);
++      if (nr_vecs < 0) {
++              dev_err(DEV(ndev), "Error in getting vec count %d\n", nr_vecs);
++              return nr_vecs;
++      }
+       /* Enable MSI-X */
+       ret = pci_alloc_irq_vectors(pdev, nr_vecs, nr_vecs, PCI_IRQ_MSIX);
+-- 
+2.30.2
+
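Review bot: The added check rejects only a negative `nr_vecs`, while the comment directly above the call describes a fixed vector layout that reaches entry 192. The count is reported by the device's MSI-X capability, and the commit message says it is later used as a kcalloc parameter. If code after the hunk indexes that allocation at the fixed positions (not visible here), a count smaller than the layout requires would index past the end of the array. I would reject a too-small count in the same place, along the lines of `if (nr_vecs < REQUIRED_VECS) return -EINVAL;`, where REQUIRED_VECS is a placeholder for the driver's own constant. The function body continues outside the hunk.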
diff --git a/queue-5.4/crypto-nx-add-missing-module_device_table.patch b/queue-5.4/crypto-nx-add-missing-module_device_table.patch
new file mode 100644 (file)
index 0000000..aeadbcd
--- /dev/null
@@ -0,0 +1,36 @@
+From c56a87c4f492734d21c48ba88769ded29831aaba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 May 2021 11:14:55 +0800
+Subject: crypto: nx - add missing MODULE_DEVICE_TABLE
+
+From: Bixuan Cui <cuibixuan@huawei.com>
+
+[ Upstream commit 06676aa1f455c74e3ad1624cea3acb9ed2ef71ae ]
+
+This patch adds missing MODULE_DEVICE_TABLE definition which generates
+correct modalias for automatic loading of this driver when it is built
+as an external module.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Bixuan Cui <cuibixuan@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/nx/nx-842-pseries.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/crypto/nx/nx-842-pseries.c b/drivers/crypto/nx/nx-842-pseries.c
+index 2de5e3672e42..258c5e38a551 100644
+--- a/drivers/crypto/nx/nx-842-pseries.c
++++ b/drivers/crypto/nx/nx-842-pseries.c
+@@ -1071,6 +1071,7 @@ static const struct vio_device_id nx842_vio_driver_ids[] = {
+       {"ibm,compression-v1", "ibm,compression"},
+       {"", ""},
+ };
++MODULE_DEVICE_TABLE(vio, nx842_vio_driver_ids);
+ static struct vio_driver nx842_vio_driver = {
+       .name = KBUILD_MODNAME,
+-- 
+2.30.2
+
diff --git a/queue-5.4/crypto-nx-fix-rcu-warning-in-nx842_of_upd_status.patch b/queue-5.4/crypto-nx-fix-rcu-warning-in-nx842_of_upd_status.patch
new file mode 100644 (file)
index 0000000..5328434
--- /dev/null
@@ -0,0 +1,61 @@
+From 2d2dd1828c75bd20059ce8cc53502786088e6675 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jun 2021 15:57:12 +0800
+Subject: crypto: nx - Fix RCU warning in nx842_OF_upd_status
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 2a96726bd0ccde4f12b9b9a9f61f7b1ac5af7e10 ]
+
+The function nx842_OF_upd_status triggers a sparse RCU warning when
+it directly dereferences the RCU-protected devdata.  This appears
+to be an accident as there was another variable of the same name
+that was passed in from the caller.
+
+After it was removed (because the main purpose of using it, to
+update the status member was itself removed) the global variable
+unintenionally stood in as its replacement.
+
+This patch restores the devdata parameter.
+
+Fixes: 90fd73f912f0 ("crypto: nx - remove pSeries NX 'status' field")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/nx/nx-842-pseries.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/crypto/nx/nx-842-pseries.c b/drivers/crypto/nx/nx-842-pseries.c
+index 258c5e38a551..c5ec50a28f30 100644
+--- a/drivers/crypto/nx/nx-842-pseries.c
++++ b/drivers/crypto/nx/nx-842-pseries.c
+@@ -538,13 +538,15 @@ static int nx842_OF_set_defaults(struct nx842_devdata *devdata)
+  * The status field indicates if the device is enabled when the status
+  * is 'okay'.  Otherwise the device driver will be disabled.
+  *
+- * @prop - struct property point containing the maxsyncop for the update
++ * @devdata: struct nx842_devdata to use for dev_info
++ * @prop: struct property point containing the maxsyncop for the update
+  *
+  * Returns:
+  *  0 - Device is available
+  *  -ENODEV - Device is not available
+  */
+-static int nx842_OF_upd_status(struct property *prop)
++static int nx842_OF_upd_status(struct nx842_devdata *devdata,
++                             struct property *prop)
+ {
+       const char *status = (const char *)prop->value;
+@@ -758,7 +760,7 @@ static int nx842_OF_upd(struct property *new_prop)
+               goto out;
+       /* Perform property updates */
+-      ret = nx842_OF_upd_status(status);
++      ret = nx842_OF_upd_status(new_devdata, status);
+       if (ret)
+               goto error_out;
+-- 
+2.30.2
+
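Review bot: The rewritten kernel-doc line for `@prop` still says the property contains "the maxsyncop for the update", but this is nx842_OF_upd_status(), the paragraph above it talks about the status field, and the body reads the value into `status`. The wording looks carried over from a sibling function. Since the patch already touches the line, I would correct it: ` * @prop: struct property pointer containing the status for the update`. The function body continues outside the hunk.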
diff --git a/queue-5.4/crypto-omap-sham-fix-pm-reference-leak-in-omap-sham-.patch b/queue-5.4/crypto-omap-sham-fix-pm-reference-leak-in-omap-sham-.patch
new file mode 100644 (file)
index 0000000..cf8a08f
--- /dev/null
@@ -0,0 +1,48 @@
+From 43ce5ff6042d2d2b8911a188cc08211dd338e690 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jun 2021 22:51:18 +0800
+Subject: crypto: omap-sham - Fix PM reference leak in omap sham ops
+
+From: Zhang Qilong <zhangqilong3@huawei.com>
+
+[ Upstream commit ca323b2c61ec321eb9f2179a405b9c34cdb4f553 ]
+
+pm_runtime_get_sync will increment pm usage counter
+even it failed. Forgetting to putting operation will
+result in reference leak here. We fix it by replacing
+it with pm_runtime_resume_and_get to keep usage counter
+balanced.
+
+Fixes: 604c31039dae4 ("crypto: omap-sham - Check for return value from pm_runtime_get_sync")
+Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/omap-sham.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/omap-sham.c b/drivers/crypto/omap-sham.c
+index d7c0c982ba43..f80db1eb2994 100644
+--- a/drivers/crypto/omap-sham.c
++++ b/drivers/crypto/omap-sham.c
+@@ -364,7 +364,7 @@ static int omap_sham_hw_init(struct omap_sham_dev *dd)
+ {
+       int err;
+-      err = pm_runtime_get_sync(dd->dev);
++      err = pm_runtime_resume_and_get(dd->dev);
+       if (err < 0) {
+               dev_err(dd->dev, "failed to get sync: %d\n", err);
+               return err;
+@@ -2236,7 +2236,7 @@ static int omap_sham_suspend(struct device *dev)
+ static int omap_sham_resume(struct device *dev)
+ {
+-      int err = pm_runtime_get_sync(dev);
++      int err = pm_runtime_resume_and_get(dev);
+       if (err < 0) {
+               dev_err(dev, "failed to get sync: %d\n", err);
+               return err;
+-- 
+2.30.2
+
diff --git a/queue-5.4/crypto-qat-check-return-code-of-qat_hal_rd_rel_reg.patch b/queue-5.4/crypto-qat-check-return-code-of-qat_hal_rd_rel_reg.patch
new file mode 100644 (file)
index 0000000..17d03d6
--- /dev/null
@@ -0,0 +1,47 @@
+From d8845e4ae36c620e40355bef4ada6acaf3f34978 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 May 2021 05:13:15 -0400
+Subject: crypto: qat - check return code of qat_hal_rd_rel_reg()
+
+From: Jack Xu <jack.xu@intel.com>
+
+[ Upstream commit 96b57229209490c8bca4335b01a426a96173dc56 ]
+
+Check the return code of the function qat_hal_rd_rel_reg() and return it
+to the caller.
+
+This is to fix the following warning when compiling the driver with
+clang scan-build:
+
+    drivers/crypto/qat/qat_common/qat_hal.c:1436:2: warning: 6th function call argument is an uninitialized value
+
+Signed-off-by: Jack Xu <jack.xu@intel.com>
+Co-developed-by: Zhehui Xiang <zhehui.xiang@intel.com>
+Signed-off-by: Zhehui Xiang <zhehui.xiang@intel.com>
+Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_common/qat_hal.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/qat/qat_common/qat_hal.c b/drivers/crypto/qat/qat_common/qat_hal.c
+index dac130bb807a..eda692271f0c 100644
+--- a/drivers/crypto/qat/qat_common/qat_hal.c
++++ b/drivers/crypto/qat/qat_common/qat_hal.c
+@@ -1256,7 +1256,11 @@ static int qat_hal_put_rel_wr_xfer(struct icp_qat_fw_loader_handle *handle,
+               pr_err("QAT: bad xfrAddr=0x%x\n", xfr_addr);
+               return -EINVAL;
+       }
+-      qat_hal_rd_rel_reg(handle, ae, ctx, ICP_GPB_REL, gprnum, &gprval);
++      status = qat_hal_rd_rel_reg(handle, ae, ctx, ICP_GPB_REL, gprnum, &gprval);
++      if (status) {
++              pr_err("QAT: failed to read register");
++              return status;
++      }
+       gpr_addr = qat_hal_get_reg_addr(ICP_GPB_REL, gprnum);
+       data16low = 0xffff & data;
+       data16hi = 0xffff & (data >> 0x10);
+-- 
+2.30.2
+
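Review bot: The new `pr_err("QAT: failed to read register")` has no trailing newline, unlike the `pr_err("QAT: bad xfrAddr=0x%x\n", xfr_addr)` a few lines above it. An unterminated record can run together with a later continuation line in the log. The change is one character pair: `pr_err("QAT: failed to read register\n");`. qat_hal_put_rel_wr_xfer() starts and ends outside the hunk, so the declaration of `status` is not visible here.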
diff --git a/queue-5.4/crypto-qat-remove-unused-macro-in-fw-loader.patch b/queue-5.4/crypto-qat-remove-unused-macro-in-fw-loader.patch
new file mode 100644 (file)
index 0000000..e040dab
--- /dev/null
@@ -0,0 +1,42 @@
+From 6dd699dfa3d0cc4fca81f06def8685c66a9032d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 May 2021 05:13:16 -0400
+Subject: crypto: qat - remove unused macro in FW loader
+
+From: Jack Xu <jack.xu@intel.com>
+
+[ Upstream commit 9afe77cf25d9670e61b489fd52cc6f75fd7f6803 ]
+
+Remove the unused macro ICP_DH895XCC_PESRAM_BAR_SIZE in the firmware
+loader.
+
+This is to fix the following warning when compiling the driver using the
+clang compiler with CC=clang W=2:
+
+    drivers/crypto/qat/qat_common/qat_uclo.c:345:9: warning: macro is not used [-Wunused-macros]
+
+Signed-off-by: Jack Xu <jack.xu@intel.com>
+Co-developed-by: Zhehui Xiang <zhehui.xiang@intel.com>
+Signed-off-by: Zhehui Xiang <zhehui.xiang@intel.com>
+Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_common/qat_uclo.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/crypto/qat/qat_common/qat_uclo.c b/drivers/crypto/qat/qat_common/qat_uclo.c
+index aeb03081415c..9542423bb7ca 100644
+--- a/drivers/crypto/qat/qat_common/qat_uclo.c
++++ b/drivers/crypto/qat/qat_common/qat_uclo.c
+@@ -385,7 +385,6 @@ static int qat_uclo_init_umem_seg(struct icp_qat_fw_loader_handle *handle,
+       return 0;
+ }
+-#define ICP_DH895XCC_PESRAM_BAR_SIZE 0x80000
+ static int qat_uclo_init_ae_memory(struct icp_qat_fw_loader_handle *handle,
+                                  struct icp_qat_uof_initmem *init_mem)
+ {
+-- 
+2.30.2
+
diff --git a/queue-5.4/crypto-shash-avoid-comparing-pointers-to-exported-fu.patch b/queue-5.4/crypto-shash-avoid-comparing-pointers-to-exported-fu.patch
new file mode 100644 (file)
index 0000000..f4bc653
--- /dev/null
@@ -0,0 +1,88 @@
+From 66bc3f45ec28d781e62575ef49473c75225768df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jun 2021 08:21:50 +0200
+Subject: crypto: shash - avoid comparing pointers to exported functions under
+ CFI
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+[ Upstream commit 22ca9f4aaf431a9413dcc115dd590123307f274f ]
+
+crypto_shash_alg_has_setkey() is implemented by testing whether the
+.setkey() member of a struct shash_alg points to the default version,
+called shash_no_setkey(). As crypto_shash_alg_has_setkey() is a static
+inline, this requires shash_no_setkey() to be exported to modules.
+
+Unfortunately, when building with CFI, function pointers are routed
+via CFI stubs which are private to each module (or to the kernel proper)
+and so this function pointer comparison may fail spuriously.
+
+Let's fix this by turning crypto_shash_alg_has_setkey() into an out of
+line function.
+
+Cc: Sami Tolvanen <samitolvanen@google.com>
+Cc: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/shash.c                 | 18 +++++++++++++++---
+ include/crypto/internal/hash.h |  8 +-------
+ 2 files changed, 16 insertions(+), 10 deletions(-)
+
+diff --git a/crypto/shash.c b/crypto/shash.c
+index e83c5124f6eb..9c4cdfd8550e 100644
+--- a/crypto/shash.c
++++ b/crypto/shash.c
+@@ -20,12 +20,24 @@
+ static const struct crypto_type crypto_shash_type;
+-int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
+-                  unsigned int keylen)
++static int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
++                         unsigned int keylen)
+ {
+       return -ENOSYS;
+ }
+-EXPORT_SYMBOL_GPL(shash_no_setkey);
++
++/*
++ * Check whether an shash algorithm has a setkey function.
++ *
++ * For CFI compatibility, this must not be an inline function.  This is because
++ * when CFI is enabled, modules won't get the same address for shash_no_setkey
++ * (if it were exported, which inlining would require) as the core kernel will.
++ */
++bool crypto_shash_alg_has_setkey(struct shash_alg *alg)
++{
++      return alg->setkey != shash_no_setkey;
++}
++EXPORT_SYMBOL_GPL(crypto_shash_alg_has_setkey);
+ static int shash_setkey_unaligned(struct crypto_shash *tfm, const u8 *key,
+                                 unsigned int keylen)
+diff --git a/include/crypto/internal/hash.h b/include/crypto/internal/hash.h
+index bfc9db7b100d..9cc7f1c02d27 100644
+--- a/include/crypto/internal/hash.h
++++ b/include/crypto/internal/hash.h
+@@ -77,13 +77,7 @@ int ahash_register_instance(struct crypto_template *tmpl,
+                           struct ahash_instance *inst);
+ void ahash_free_instance(struct crypto_instance *inst);
+-int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
+-                  unsigned int keylen);
+-
+-static inline bool crypto_shash_alg_has_setkey(struct shash_alg *alg)
+-{
+-      return alg->setkey != shash_no_setkey;
+-}
++bool crypto_shash_alg_has_setkey(struct shash_alg *alg);
+ bool crypto_hash_alg_has_setkey(struct hash_alg_common *halg);
+-- 
+2.30.2
+
diff --git a/queue-5.4/crypto-ux500-fix-error-return-code-in-hash_hw_final.patch b/queue-5.4/crypto-ux500-fix-error-return-code-in-hash_hw_final.patch
new file mode 100644 (file)
index 0000000..b60a8eb
--- /dev/null
@@ -0,0 +1,37 @@
+From 3e1120398ff8c82c7741d133bb2e68a40ef26dac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 May 2021 15:00:49 +0800
+Subject: crypto: ux500 - Fix error return code in hash_hw_final()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit b01360384009ab066940b45f34880991ea7ccbfb ]
+
+Fix to return a negative error code from the error handling
+case instead of 0, as done elsewhere in this function.
+
+Fixes: 8a63b1994c50 ("crypto: ux500 - Add driver for HASH hardware")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ux500/hash/hash_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/crypto/ux500/hash/hash_core.c b/drivers/crypto/ux500/hash/hash_core.c
+index c172a6953477..38a66aceca2a 100644
+--- a/drivers/crypto/ux500/hash/hash_core.c
++++ b/drivers/crypto/ux500/hash/hash_core.c
+@@ -1009,6 +1009,7 @@ static int hash_hw_final(struct ahash_request *req)
+                       goto out;
+               }
+       } else if (req->nbytes == 0 && ctx->keylen > 0) {
++              ret = -EPERM;
+               dev_err(device_data->dev, "%s: Empty message with keylength > 0, NOT supported\n",
+                       __func__);
+               goto out;
+-- 
+2.30.2
+
diff --git a/queue-5.4/dax-fix-enomem-handling-in-grab_mapping_entry.patch b/queue-5.4/dax-fix-enomem-handling-in-grab_mapping_entry.patch
new file mode 100644 (file)
index 0000000..45d05a4
--- /dev/null
@@ -0,0 +1,63 @@
+From 6458c093c5eb65205c82171ccc94a2a40d48f678 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jun 2021 19:35:04 -0700
+Subject: dax: fix ENOMEM handling in grab_mapping_entry()
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 1a14e3779dd58c16b30e56558146e5cc850ba8b0 ]
+
+grab_mapping_entry() has a bug in handling of ENOMEM condition.  Suppose
+we have a PMD entry at index i which we are downgrading to a PTE entry.
+grab_mapping_entry() will set pmd_downgrade to true, lock the entry, clear
+the entry in xarray, and decrement mapping->nrpages.  The it will call:
+
+       entry = dax_make_entry(pfn_to_pfn_t(0), flags);
+       dax_lock_entry(xas, entry);
+
+which inserts new PTE entry into xarray.  However this may fail allocating
+the new node.  We handle this by:
+
+       if (xas_nomem(xas, mapping_gfp_mask(mapping) & ~__GFP_HIGHMEM))
+               goto retry;
+
+however pmd_downgrade stays set to true even though 'entry' returned from
+get_unlocked_entry() will be NULL now.  And we will go again through the
+downgrade branch.  This is mostly harmless except that mapping->nrpages is
+decremented again and we temporarily have an invalid entry stored in
+xarray.  Fix the problem by setting pmd_downgrade to false each time we
+lookup the entry we work with so that it matches the entry we found.
+
+Link: https://lkml.kernel.org/r/20210622160015.18004-1-jack@suse.cz
+Fixes: b15cd800682f ("dax: Convert page fault handlers to XArray")
+Signed-off-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Dan Williams <dan.j.williams@intel.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dax.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/dax.c b/fs/dax.c
+index 3b0e5da96d54..12953e892bb2 100644
+--- a/fs/dax.c
++++ b/fs/dax.c
+@@ -477,10 +477,11 @@ static void *grab_mapping_entry(struct xa_state *xas,
+               struct address_space *mapping, unsigned int order)
+ {
+       unsigned long index = xas->xa_index;
+-      bool pmd_downgrade = false; /* splitting PMD entry into PTE entries? */
++      bool pmd_downgrade;     /* splitting PMD entry into PTE entries? */
+       void *entry;
+ retry:
++      pmd_downgrade = false;
+       xas_lock_irq(xas);
+       entry = get_unlocked_entry(xas, order);
+-- 
+2.30.2
+
diff --git a/queue-5.4/drivers-perf-fix-the-missed-ida_simple_remove-in-ddr.patch b/queue-5.4/drivers-perf-fix-the-missed-ida_simple_remove-in-ddr.patch
new file mode 100644 (file)
index 0000000..edd9792
--- /dev/null
@@ -0,0 +1,41 @@
+From d41abddfbbcc60678a95c340508790d6eb33f9dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jun 2021 20:26:14 +0800
+Subject: drivers/perf: fix the missed ida_simple_remove() in ddr_perf_probe()
+
+From: Jing Xiangfeng <jingxiangfeng@huawei.com>
+
+[ Upstream commit d96b1b8c9f79b6bb234a31c80972a6f422079376 ]
+
+ddr_perf_probe() misses to call ida_simple_remove() in an error path.
+Jump to cpuhp_state_err to fix it.
+
+Signed-off-by: Jing Xiangfeng <jingxiangfeng@huawei.com>
+Reviewed-by: Dong Aisheng <aisheng.dong@nxp.com>
+Link: https://lore.kernel.org/r/20210617122614.166823-1-jingxiangfeng@huawei.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/fsl_imx8_ddr_perf.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/perf/fsl_imx8_ddr_perf.c b/drivers/perf/fsl_imx8_ddr_perf.c
+index 09f44c6e2eaf..726ed8f59868 100644
+--- a/drivers/perf/fsl_imx8_ddr_perf.c
++++ b/drivers/perf/fsl_imx8_ddr_perf.c
+@@ -562,8 +562,10 @@ static int ddr_perf_probe(struct platform_device *pdev)
+       name = devm_kasprintf(&pdev->dev, GFP_KERNEL, DDR_PERF_DEV_NAME "%d",
+                             num);
+-      if (!name)
+-              return -ENOMEM;
++      if (!name) {
++              ret = -ENOMEM;
++              goto cpuhp_state_err;
++      }
+       pmu->devtype_data = of_device_get_match_data(&pdev->dev);
+-- 
+2.30.2
+
diff --git a/queue-5.4/drm-qxl-ensure-surf.data-is-ininitialized.patch b/queue-5.4/drm-qxl-ensure-surf.data-is-ininitialized.patch
new file mode 100644 (file)
index 0000000..beb921c
--- /dev/null
@@ -0,0 +1,40 @@
+From 8f2e67bfbe9253dd9d98c3edb17d73ebf715d10c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jun 2021 17:13:13 +0100
+Subject: drm: qxl: ensure surf.data is ininitialized
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit fbbf23ddb2a1cc0c12c9f78237d1561c24006f50 ]
+
+The object surf is not fully initialized and the uninitialized
+field surf.data is being copied by the call to qxl_bo_create
+via the call to qxl_gem_object_create. Set surf.data to zero
+to ensure garbage data from the stack is not being copied.
+
+Addresses-Coverity: ("Uninitialized scalar variable")
+Fixes: f64122c1f6ad ("drm: add new QXL driver. (v1.4)")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20210608161313.161922-1-colin.king@canonical.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/qxl/qxl_dumb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/qxl/qxl_dumb.c b/drivers/gpu/drm/qxl/qxl_dumb.c
+index 272d19b677d8..4a0dc1348097 100644
+--- a/drivers/gpu/drm/qxl/qxl_dumb.c
++++ b/drivers/gpu/drm/qxl/qxl_dumb.c
+@@ -58,6 +58,8 @@ int qxl_mode_dumb_create(struct drm_file *file_priv,
+       surf.height = args->height;
+       surf.stride = pitch;
+       surf.format = format;
++      surf.data = 0;
++
+       r = qxl_gem_object_create_with_handle(qdev, file_priv,
+                                             QXL_GEM_DOMAIN_SURFACE,
+                                             args->size, &surf, &qobj,
+-- 
+2.30.2
+
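Review bot: Setting `surf.data = 0` covers the one field the checker reported, but `surf` is still filled member by member. Any member not assigned here, and any padding, keeps stack contents when the object is handed to qxl_gem_object_create_with_handle(). Zeroing the whole object once is sturdier against later additions to the struct: `memset(&surf, 0, sizeof(surf));` ahead of the assignments, or a zero initializer at the declaration. The declaration of `surf` and the struct layout are outside the hunk, so whether other members exist today is not visible here.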
diff --git a/queue-5.4/drm-rockchip-cdn-dp-core-add-missing-clk_disable_unp.patch b/queue-5.4/drm-rockchip-cdn-dp-core-add-missing-clk_disable_unp.patch
new file mode 100644 (file)
index 0000000..ed32a61
--- /dev/null
@@ -0,0 +1,38 @@
+From 00e1d9e0ede297c508c9ac9980c5050007c5bc49 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 May 2021 21:49:28 +0800
+Subject: drm/rockchip: cdn-dp-core: add missing clk_disable_unprepare() on
+ error in cdn_dp_grf_write()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit ae41d925c75b53798f289c69ee8d9f7d36432f6d ]
+
+After calling clk_prepare_enable(), clk_disable_unprepare() need
+be called when calling regmap_write() failed.
+
+Fixes: 1a0f7ed3abe2 ("drm/rockchip: cdn-dp: add cdn DP support for rk3399")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210519134928.2696617-1-yangyingliang@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rockchip/cdn-dp-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/rockchip/cdn-dp-core.c b/drivers/gpu/drm/rockchip/cdn-dp-core.c
+index d505ea7d5384..8f299d76b69b 100644
+--- a/drivers/gpu/drm/rockchip/cdn-dp-core.c
++++ b/drivers/gpu/drm/rockchip/cdn-dp-core.c
+@@ -72,6 +72,7 @@ static int cdn_dp_grf_write(struct cdn_dp_device *dp,
+       ret = regmap_write(dp->grf, reg, val);
+       if (ret) {
+               DRM_DEV_ERROR(dp->dev, "Could not write to GRF: %d\n", ret);
++              clk_disable_unprepare(dp->grf_clk);
+               return ret;
+       }
+-- 
+2.30.2
+
diff --git a/queue-5.4/drm-rockchip-dsi-move-all-lane-config-except-lcdc-mu.patch b/queue-5.4/drm-rockchip-dsi-move-all-lane-config-except-lcdc-mu.patch
new file mode 100644 (file)
index 0000000..cf496a3
--- /dev/null
@@ -0,0 +1,120 @@
+From 810014b2871852f922a165beb4e7faaf3a74d5a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Apr 2021 19:04:10 -0700
+Subject: drm/rockchip: dsi: move all lane config except LCDC mux to bind()
+
+From: Thomas Hebb <tommyhebb@gmail.com>
+
+[ Upstream commit 43c2de1002d2b70fb5941fa14e97a34e3dc214d4 ]
+
+When we first enable the DSI encoder, we currently program some per-chip
+configuration that we look up in rk3399_chip_data based on the device
+tree compatible we match. This data configures various parameters of the
+MIPI lanes, including on RK3399 whether DSI1 is slaved to DSI0 in a
+dual-mode configuration. It also selects which LCDC (i.e. VOP) to scan
+out from.
+
+This causes a problem in RK3399 dual-mode configurations, though: panel
+prepare() callbacks run before the encoder gets enabled and expect to be
+able to write commands to the DSI bus, but the bus isn't fully
+functional until the lane and master/slave configuration have been
+programmed. As a result, dual-mode panels (and possibly others too) fail
+to turn on when the rockchipdrm driver is initially loaded.
+
+Because the LCDC mux is the only thing we don't know until enable time
+(and is the only thing that can ever change), we can actually move most
+of the initialization to bind() and get it out of the way early. That's
+what this change does. (Rockchip's 4.4 BSP kernel does it in mode_set(),
+which also avoids the issue, but bind() seems like the more correct
+place to me.)
+
+Tested on a Google Scarlet board (Acer Chromebook Tab 10), which has a
+Kingdisplay KD097D04 dual-mode panel. Prior to this change, the panel's
+backlight would turn on but no image would appear when initially loading
+rockchipdrm. If I kept rockchipdrm loaded and reloaded the panel driver,
+it would come on. With this change, the panel successfully turns on
+during initial rockchipdrm load as expected.
+
+Fixes: 2d4f7bdafd70 ("drm/rockchip: dsi: migrate to use dw-mipi-dsi bridge driver")
+Signed-off-by: Thomas Hebb <tommyhebb@gmail.com>
+Tested-by: Jonathan Liu <net147@gmail.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/55fe7f3454d8c91dc3837ba5aa741d4a0e67378f.1618797813.git.tommyhebb@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/rockchip/dw-mipi-dsi-rockchip.c   | 36 ++++++++++++++-----
+ 1 file changed, 28 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c b/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c
+index bc073ec5c183..ecb59dc6c8b8 100644
+--- a/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c
++++ b/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c
+@@ -564,13 +564,8 @@ static const struct dw_mipi_dsi_phy_ops dw_mipi_dsi_rockchip_phy_ops = {
+       .get_lane_mbps = dw_mipi_dsi_get_lane_mbps,
+ };
+-static void dw_mipi_dsi_rockchip_config(struct dw_mipi_dsi_rockchip *dsi,
+-                                      int mux)
++static void dw_mipi_dsi_rockchip_config(struct dw_mipi_dsi_rockchip *dsi)
+ {
+-      if (dsi->cdata->lcdsel_grf_reg)
+-              regmap_write(dsi->grf_regmap, dsi->cdata->lcdsel_grf_reg,
+-                      mux ? dsi->cdata->lcdsel_lit : dsi->cdata->lcdsel_big);
+-
+       if (dsi->cdata->lanecfg1_grf_reg)
+               regmap_write(dsi->grf_regmap, dsi->cdata->lanecfg1_grf_reg,
+                                             dsi->cdata->lanecfg1);
+@@ -584,6 +579,13 @@ static void dw_mipi_dsi_rockchip_config(struct dw_mipi_dsi_rockchip *dsi,
+                                             dsi->cdata->enable);
+ }
++static void dw_mipi_dsi_rockchip_set_lcdsel(struct dw_mipi_dsi_rockchip *dsi,
++                                          int mux)
++{
++      regmap_write(dsi->grf_regmap, dsi->cdata->lcdsel_grf_reg,
++              mux ? dsi->cdata->lcdsel_lit : dsi->cdata->lcdsel_big);
++}
++
+ static int
+ dw_mipi_dsi_encoder_atomic_check(struct drm_encoder *encoder,
+                                struct drm_crtc_state *crtc_state,
+@@ -639,9 +641,9 @@ static void dw_mipi_dsi_encoder_enable(struct drm_encoder *encoder)
+               return;
+       }
+-      dw_mipi_dsi_rockchip_config(dsi, mux);
++      dw_mipi_dsi_rockchip_set_lcdsel(dsi, mux);
+       if (dsi->slave)
+-              dw_mipi_dsi_rockchip_config(dsi->slave, mux);
++              dw_mipi_dsi_rockchip_set_lcdsel(dsi->slave, mux);
+       clk_disable_unprepare(dsi->grf_clk);
+ }
+@@ -800,6 +802,24 @@ static int dw_mipi_dsi_rockchip_bind(struct device *dev,
+               return ret;
+       }
++      /*
++       * With the GRF clock running, write lane and dual-mode configurations
++       * that won't change immediately. If we waited until enable() to do
++       * this, things like panel preparation would not be able to send
++       * commands over DSI.
++       */
++      ret = clk_prepare_enable(dsi->grf_clk);
++      if (ret) {
++              DRM_DEV_ERROR(dsi->dev, "Failed to enable grf_clk: %d\n", ret);
++              return ret;
++      }
++
++      dw_mipi_dsi_rockchip_config(dsi);
++      if (dsi->slave)
++              dw_mipi_dsi_rockchip_config(dsi->slave);
++
++      clk_disable_unprepare(dsi->grf_clk);
++
+       ret = rockchip_dsi_drm_create_encoder(dsi, drm_dev);
+       if (ret) {
+               DRM_DEV_ERROR(dev, "Failed to create drm encoder\n");
+-- 
+2.30.2
+
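Review bot: The new `dw_mipi_dsi_rockchip_set_lcdsel()` writes the mux unconditionally, while the lines it replaces in `dw_mipi_dsi_rockchip_config()` were guarded by `if (dsi->cdata->lcdsel_grf_reg)`. For chip data that leaves `lcdsel_grf_reg` at zero, this would turn a skipped write into a write to GRF offset 0. The cdata tables are not in the hunk, so if such entries exist the guard should be kept in front of the `regmap_write()` in the helper. Separately, the early `return ret;` added to bind() after a failed `clk_prepare_enable()` should be checked against whatever bind() acquired before the hunk starts.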
diff --git a/queue-5.4/e1000e-check-the-pcim-state.patch b/queue-5.4/e1000e-check-the-pcim-state.patch
new file mode 100644 (file)
index 0000000..609bb1f
--- /dev/null
@@ -0,0 +1,64 @@
+From b44fc11a80d4c9b69634583695beeff67aac5a46 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jun 2021 12:02:48 -0700
+Subject: e1000e: Check the PCIm state
+
+From: Sasha Neftin <sasha.neftin@intel.com>
+
+[ Upstream commit 2e7256f12cdb16eaa2515b6231d665044a07c51a ]
+
+Complete to commit def4ec6dce393e ("e1000e: PCIm function state support")
+Check the PCIm state only on CSME systems. There is no point to do this
+check on non CSME systems.
+This patch fixes a generation a false-positive warning:
+"Error in exiting dmoff"
+
+Fixes: def4ec6dce39 ("e1000e: PCIm function state support")
+Signed-off-by: Sasha Neftin <sasha.neftin@intel.com>
+Tested-by: Dvora Fuxbrumer <dvorax.fuxbrumer@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e1000e/netdev.c | 24 ++++++++++++----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c
+index c2feedfd321d..a06d514215ed 100644
+--- a/drivers/net/ethernet/intel/e1000e/netdev.c
++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
+@@ -5199,18 +5199,20 @@ static void e1000_watchdog_task(struct work_struct *work)
+                       pm_runtime_resume(netdev->dev.parent);
+                       /* Checking if MAC is in DMoff state*/
+-                      pcim_state = er32(STATUS);
+-                      while (pcim_state & E1000_STATUS_PCIM_STATE) {
+-                              if (tries++ == dmoff_exit_timeout) {
+-                                      e_dbg("Error in exiting dmoff\n");
+-                                      break;
+-                              }
+-                              usleep_range(10000, 20000);
++                      if (er32(FWSM) & E1000_ICH_FWSM_FW_VALID) {
+                               pcim_state = er32(STATUS);
+-
+-                              /* Checking if MAC exited DMoff state */
+-                              if (!(pcim_state & E1000_STATUS_PCIM_STATE))
+-                                      e1000_phy_hw_reset(&adapter->hw);
++                              while (pcim_state & E1000_STATUS_PCIM_STATE) {
++                                      if (tries++ == dmoff_exit_timeout) {
++                                              e_dbg("Error in exiting dmoff\n");
++                                              break;
++                                      }
++                                      usleep_range(10000, 20000);
++                                      pcim_state = er32(STATUS);
++
++                                      /* Checking if MAC exited DMoff state */
++                                      if (!(pcim_state & E1000_STATUS_PCIM_STATE))
++                                              e1000_phy_hw_reset(&adapter->hw);
++                              }
+                       }
+                       /* update snapshot of PHY registers on LSC */
+-- 
+2.30.2
+
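Review bot: The comment `/* Checking if MAC is in DMoff state*/` now sits above the `er32(FWSM) & E1000_ICH_FWSM_FW_VALID` test and no longer says why the poll is conditional. A one-line comment such as `/* PCIm state is only meaningful on CSME systems; skip the DMoff poll otherwise */` would record the reason given in the commit message. The added nesting level pushes the loop body deep to the right, so moving the poll into a small static helper is worth considering. e1000_watchdog_task begins and ends outside the hunk.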
diff --git a/queue-5.4/edac-intel-do-not-load-edac-driver-when-running-as-a.patch b/queue-5.4/edac-intel-do-not-load-edac-driver-when-running-as-a.patch
new file mode 100644 (file)
index 0000000..d2ddbbe
--- /dev/null
@@ -0,0 +1,87 @@
+From 50512d6d4695a39329ce6fcd5383c6921b130932 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jun 2021 10:44:19 -0700
+Subject: EDAC/Intel: Do not load EDAC driver when running as a guest
+
+From: Luck, Tony <tony.luck@intel.com>
+
+[ Upstream commit f0a029fff4a50eb01648810a77ba1873e829fdd4 ]
+
+There's little to no point in loading an EDAC driver running in a guest:
+1) The CPU model reported by CPUID may not represent actual h/w
+2) The hypervisor likely does not pass in access to memory controller devices
+3) Hypervisors generally do not pass corrected error details to guests
+
+Add a check in each of the Intel EDAC drivers for X86_FEATURE_HYPERVISOR
+and simply return -ENODEV in the init routine.
+
+Acked-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Link: https://lore.kernel.org/r/20210615174419.GA1087688@agluck-desk2.amr.corp.intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/i10nm_base.c | 3 +++
+ drivers/edac/pnd2_edac.c  | 3 +++
+ drivers/edac/sb_edac.c    | 3 +++
+ drivers/edac/skx_base.c   | 3 +++
+ 4 files changed, 12 insertions(+)
+
+diff --git a/drivers/edac/i10nm_base.c b/drivers/edac/i10nm_base.c
+index dfcde7ed9500..f72be5f94e6f 100644
+--- a/drivers/edac/i10nm_base.c
++++ b/drivers/edac/i10nm_base.c
+@@ -249,6 +249,9 @@ static int __init i10nm_init(void)
+       if (owner && strncmp(owner, EDAC_MOD_STR, sizeof(EDAC_MOD_STR)))
+               return -EBUSY;
++      if (cpu_feature_enabled(X86_FEATURE_HYPERVISOR))
++              return -ENODEV;
++
+       id = x86_match_cpu(i10nm_cpuids);
+       if (!id)
+               return -ENODEV;
+diff --git a/drivers/edac/pnd2_edac.c b/drivers/edac/pnd2_edac.c
+index dac45e2071b3..e054eb038903 100644
+--- a/drivers/edac/pnd2_edac.c
++++ b/drivers/edac/pnd2_edac.c
+@@ -1555,6 +1555,9 @@ static int __init pnd2_init(void)
+       if (owner && strncmp(owner, EDAC_MOD_STR, sizeof(EDAC_MOD_STR)))
+               return -EBUSY;
++      if (cpu_feature_enabled(X86_FEATURE_HYPERVISOR))
++              return -ENODEV;
++
+       id = x86_match_cpu(pnd2_cpuids);
+       if (!id)
+               return -ENODEV;
+diff --git a/drivers/edac/sb_edac.c b/drivers/edac/sb_edac.c
+index b557a53c75c4..d39f5bfb8bd9 100644
+--- a/drivers/edac/sb_edac.c
++++ b/drivers/edac/sb_edac.c
+@@ -3512,6 +3512,9 @@ static int __init sbridge_init(void)
+       if (owner && strncmp(owner, EDAC_MOD_STR, sizeof(EDAC_MOD_STR)))
+               return -EBUSY;
++      if (cpu_feature_enabled(X86_FEATURE_HYPERVISOR))
++              return -ENODEV;
++
+       id = x86_match_cpu(sbridge_cpuids);
+       if (!id)
+               return -ENODEV;
+diff --git a/drivers/edac/skx_base.c b/drivers/edac/skx_base.c
+index 77cd370bd62f..b1d717cb8df9 100644
+--- a/drivers/edac/skx_base.c
++++ b/drivers/edac/skx_base.c
+@@ -605,6 +605,9 @@ static int __init skx_init(void)
+       if (owner && strncmp(owner, EDAC_MOD_STR, sizeof(EDAC_MOD_STR)))
+               return -EBUSY;
++      if (cpu_feature_enabled(X86_FEATURE_HYPERVISOR))
++              return -ENODEV;
++
+       id = x86_match_cpu(skx_cpuids);
+       if (!id)
+               return -ENODEV;
+-- 
+2.30.2
+
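Review bot: The `cpu_feature_enabled(X86_FEATURE_HYPERVISOR)` early return is added without a comment in i10nm_init, pnd2_init, sbridge_init and skx_init, and it returns the same `-ENODEV` as the unsupported-CPU case just below it. A short comment at each site, e.g. `/* In a guest there is no memory controller access and no corrected-error detail */`, would keep the reason next to the code. Since the same two lines now live in four drivers, a shared helper would stop them drifting apart. Each init function continues outside its hunk.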
diff --git a/queue-5.4/edac-ti-add-missing-module_device_table.patch b/queue-5.4/edac-ti-add-missing-module_device_table.patch
new file mode 100644 (file)
index 0000000..69ff75d
--- /dev/null
@@ -0,0 +1,39 @@
+From 5bce1d1c1027ab5584fb75deee68d606789921a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 May 2021 11:37:27 +0800
+Subject: EDAC/ti: Add missing MODULE_DEVICE_TABLE
+
+From: Bixuan Cui <cuibixuan@huawei.com>
+
+[ Upstream commit 0a37f32ba5272b2d4ec8c8d0f6b212b81b578f7e ]
+
+The module misses MODULE_DEVICE_TABLE() for of_device_id tables and thus
+never autoloads on ID matches.
+
+Add the missing declaration.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Bixuan Cui <cuibixuan@huawei.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Tero Kristo <kristo@kernel.org>
+Link: https://lkml.kernel.org/r/20210512033727.26701-1-cuibixuan@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/ti_edac.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/edac/ti_edac.c b/drivers/edac/ti_edac.c
+index 324768946743..9ab9fa0a911b 100644
+--- a/drivers/edac/ti_edac.c
++++ b/drivers/edac/ti_edac.c
+@@ -197,6 +197,7 @@ static const struct of_device_id ti_edac_of_match[] = {
+       { .compatible = "ti,emif-dra7xx", .data = (void *)EMIF_TYPE_DRA7 },
+       {},
+ };
++MODULE_DEVICE_TABLE(of, ti_edac_of_match);
+ static int _emif_get_id(struct device_node *node)
+ {
+-- 
+2.30.2
+
diff --git a/queue-5.4/eeprom-idt_89hpesx-put-fwnode-in-matching-case-durin.patch b/queue-5.4/eeprom-idt_89hpesx-put-fwnode-in-matching-case-durin.patch
new file mode 100644 (file)
index 0000000..9661897
--- /dev/null
@@ -0,0 +1,37 @@
+From 52733693dd288d8f82cb5e49729adbdd71bf9e91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jun 2021 01:17:55 +0300
+Subject: eeprom: idt_89hpesx: Put fwnode in matching case during ->probe()
+
+From: Andy Shevchenko <andy.shevchenko@gmail.com>
+
+[ Upstream commit 3f6ee1c095156a74ab2df605af13020f1ce3e600 ]
+
+device_get_next_child_node() bumps a reference counting of a returned variable.
+We have to balance it whenever we return to the caller.
+
+Fixes: db15d73e5f0e ("eeprom: idt_89hpesx: Support both ACPI and OF probing")
+Cc: Huy Duong <qhuyduong@hotmail.com>
+Signed-off-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210607221757.81465-1-andy.shevchenko@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/eeprom/idt_89hpesx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/misc/eeprom/idt_89hpesx.c b/drivers/misc/eeprom/idt_89hpesx.c
+index 81c70e5bc168..45a61a1f9e98 100644
+--- a/drivers/misc/eeprom/idt_89hpesx.c
++++ b/drivers/misc/eeprom/idt_89hpesx.c
+@@ -1161,6 +1161,7 @@ static void idt_get_fw_data(struct idt_89hpesx_dev *pdev)
+       else /* if (!fwnode_property_read_bool(node, "read-only")) */
+               pdev->eero = false;
++      fwnode_handle_put(fwnode);
+       dev_info(dev, "EEPROM of %d bytes found by 0x%x",
+               pdev->eesize, pdev->eeaddr);
+ }
+-- 
+2.30.2
+
diff --git a/queue-5.4/eeprom-idt_89hpesx-restore-printing-the-unsupported-.patch b/queue-5.4/eeprom-idt_89hpesx-restore-printing-the-unsupported-.patch
new file mode 100644 (file)
index 0000000..9d6ffc0
--- /dev/null
@@ -0,0 +1,46 @@
+From 8cb3a78aacf7040f2af48f7d9a39da08b416df01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jun 2021 01:17:56 +0300
+Subject: eeprom: idt_89hpesx: Restore printing the unsupported fwnode name
+
+From: Andy Shevchenko <andy.shevchenko@gmail.com>
+
+[ Upstream commit e0db3deea73ba418bf5dc21f5a4e32ca87d16dde ]
+
+When iterating over child firmware nodes restore printing the name of ones
+that are not supported.
+
+While at it, refactor loop body to clearly show that we stop at the first match.
+
+Fixes: db15d73e5f0e ("eeprom: idt_89hpesx: Support both ACPI and OF probing")
+Cc: Huy Duong <qhuyduong@hotmail.com>
+Signed-off-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210607221757.81465-2-andy.shevchenko@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/eeprom/idt_89hpesx.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/misc/eeprom/idt_89hpesx.c b/drivers/misc/eeprom/idt_89hpesx.c
+index 45a61a1f9e98..3e4a594c110b 100644
+--- a/drivers/misc/eeprom/idt_89hpesx.c
++++ b/drivers/misc/eeprom/idt_89hpesx.c
+@@ -1126,11 +1126,10 @@ static void idt_get_fw_data(struct idt_89hpesx_dev *pdev)
+       device_for_each_child_node(dev, fwnode) {
+               ee_id = idt_ee_match_id(fwnode);
+-              if (!ee_id) {
+-                      dev_warn(dev, "Skip unsupported EEPROM device");
+-                      continue;
+-              } else
++              if (ee_id)
+                       break;
++
++              dev_warn(dev, "Skip unsupported EEPROM device %pfw\n", fwnode);
+       }
+       /* If there is no fwnode EEPROM device, then set zero size */
+-- 
+2.30.2
+
diff --git a/queue-5.4/ehea-fix-error-return-code-in-ehea_restart_qps.patch b/queue-5.4/ehea-fix-error-return-code-in-ehea_restart_qps.patch
new file mode 100644 (file)
index 0000000..73ef67d
--- /dev/null
@@ -0,0 +1,69 @@
+From 6684af436cebdeccc8ba321005e6d374943efbd8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 May 2021 16:55:55 +0800
+Subject: ehea: fix error return code in ehea_restart_qps()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit 015dbf5662fd689d581c0bc980711b073ca09a1a ]
+
+Fix to return -EFAULT from the error handling case instead of 0, as done
+elsewhere in this function.
+
+By the way, when get_zeroed_page() fails, directly return -ENOMEM to
+simplify code.
+
+Fixes: 2c69448bbced ("ehea: DLPAR memory add fix")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Link: https://lore.kernel.org/r/20210528085555.9390-1-thunder.leizhen@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ibm/ehea/ehea_main.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/ibm/ehea/ehea_main.c b/drivers/net/ethernet/ibm/ehea/ehea_main.c
+index 13e30eba5349..1fd2b84e2e91 100644
+--- a/drivers/net/ethernet/ibm/ehea/ehea_main.c
++++ b/drivers/net/ethernet/ibm/ehea/ehea_main.c
+@@ -2617,10 +2617,8 @@ static int ehea_restart_qps(struct net_device *dev)
+       u16 dummy16 = 0;
+       cb0 = (void *)get_zeroed_page(GFP_KERNEL);
+-      if (!cb0) {
+-              ret = -ENOMEM;
+-              goto out;
+-      }
++      if (!cb0)
++              return -ENOMEM;
+       for (i = 0; i < (port->num_def_qps); i++) {
+               struct ehea_port_res *pr =  &port->port_res[i];
+@@ -2640,6 +2638,7 @@ static int ehea_restart_qps(struct net_device *dev)
+                                           cb0);
+               if (hret != H_SUCCESS) {
+                       netdev_err(dev, "query_ehea_qp failed (1)\n");
++                      ret = -EFAULT;
+                       goto out;
+               }
+@@ -2652,6 +2651,7 @@ static int ehea_restart_qps(struct net_device *dev)
+                                            &dummy64, &dummy16, &dummy16);
+               if (hret != H_SUCCESS) {
+                       netdev_err(dev, "modify_ehea_qp failed (1)\n");
++                      ret = -EFAULT;
+                       goto out;
+               }
+@@ -2660,6 +2660,7 @@ static int ehea_restart_qps(struct net_device *dev)
+                                           cb0);
+               if (hret != H_SUCCESS) {
+                       netdev_err(dev, "query_ehea_qp failed (2)\n");
++                      ret = -EFAULT;
+                       goto out;
+               }
+-- 
+2.30.2
+
diff --git a/queue-5.4/evm-fix-writing-securityfs-evm-overflow.patch b/queue-5.4/evm-fix-writing-securityfs-evm-overflow.patch
new file mode 100644 (file)
index 0000000..7cb3921
--- /dev/null
@@ -0,0 +1,44 @@
+From fda0b3657052b95a7fd24f3fbe1b9e70276ab4e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Apr 2021 18:13:45 -0400
+Subject: evm: fix writing <securityfs>/evm overflow
+
+From: Mimi Zohar <zohar@linux.ibm.com>
+
+[ Upstream commit 49219d9b8785ba712575c40e48ce0f7461254626 ]
+
+EVM_SETUP_COMPLETE is defined as 0x80000000, which is larger than INT_MAX.
+The "-fno-strict-overflow" compiler option properly prevents signaling
+EVM that the EVM policy setup is complete.  Define and read an unsigned
+int.
+
+Fixes: f00d79750712 ("EVM: Allow userspace to signal an RSA key has been loaded")
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/integrity/evm/evm_secfs.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/security/integrity/evm/evm_secfs.c b/security/integrity/evm/evm_secfs.c
+index f93b688037b1..d7f12ed19183 100644
+--- a/security/integrity/evm/evm_secfs.c
++++ b/security/integrity/evm/evm_secfs.c
+@@ -68,12 +68,13 @@ static ssize_t evm_read_key(struct file *filp, char __user *buf,
+ static ssize_t evm_write_key(struct file *file, const char __user *buf,
+                            size_t count, loff_t *ppos)
+ {
+-      int i, ret;
++      unsigned int i;
++      int ret;
+       if (!capable(CAP_SYS_ADMIN) || (evm_initialized & EVM_SETUP_COMPLETE))
+               return -EPERM;
+-      ret = kstrtoint_from_user(buf, count, 0, &i);
++      ret = kstrtouint_from_user(buf, count, 0, &i);
+       if (ret)
+               return ret;
+-- 
+2.30.2
+
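Review bot: The reason `i` has to be unsigned is recorded only in the commit message; in evm_write_key the declaration `unsigned int i;` should carry it, e.g. `/* EVM_SETUP_COMPLETE is 0x80000000 and does not fit in an int */`. This is the write path through which a CAP_SYS_ADMIN caller signals that EVM setup is complete. The rest of the function is outside the hunk and should be checked for comparisons or mask tests on `i` that still assume a signed value. Renaming `i` to something like `flags` would also make those later checks easier to read.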
diff --git a/queue-5.4/extcon-extcon-max8997-fix-irq-freeing-at-error-path.patch b/queue-5.4/extcon-extcon-max8997-fix-irq-freeing-at-error-path.patch
new file mode 100644 (file)
index 0000000..860d146
--- /dev/null
@@ -0,0 +1,41 @@
+From 3f727565ceb4a6cc250f832c867c318320debd91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jun 2021 13:10:31 +0300
+Subject: extcon: extcon-max8997: Fix IRQ freeing at error path
+
+From: Matti Vaittinen <matti.vaittinen@fi.rohmeurope.com>
+
+[ Upstream commit 610bdc04830a864115e6928fc944f1171dfff6f3 ]
+
+If reading MAX8997_MUIC_REG_STATUS1 fails at probe the driver exits
+without freeing the requested IRQs.
+
+Free the IRQs prior returning if reading the status fails.
+
+Fixes: 3e34c8198960 ("extcon: max8997: Avoid forcing UART path on drive probe")
+Signed-off-by: Matti Vaittinen <matti.vaittinen@fi.rohmeurope.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
+Link: https://lore.kernel.org/r/27ee4a48ee775c3f8c9d90459c18b6f2b15edc76.1623146580.git.matti.vaittinen@fi.rohmeurope.com
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/extcon/extcon-max8997.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/extcon/extcon-max8997.c b/drivers/extcon/extcon-max8997.c
+index 172e116ac1ce..ac1633adb55d 100644
+--- a/drivers/extcon/extcon-max8997.c
++++ b/drivers/extcon/extcon-max8997.c
+@@ -729,7 +729,7 @@ static int max8997_muic_probe(struct platform_device *pdev)
+                               2, info->status);
+       if (ret) {
+               dev_err(info->dev, "failed to read MUIC register\n");
+-              return ret;
++              goto err_irq;
+       }
+       cable_type = max8997_muic_get_cable_type(info,
+                                          MAX8997_CABLE_GROUP_ADC, &attached);
+-- 
+2.30.2
+
diff --git a/queue-5.4/extcon-max8997-add-missing-modalias-string.patch b/queue-5.4/extcon-max8997-add-missing-modalias-string.patch
new file mode 100644 (file)
index 0000000..6de3814
--- /dev/null
@@ -0,0 +1,33 @@
+From b3dfda471bba2e853b21669503e631b7fa14e835 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Apr 2021 22:46:24 +0200
+Subject: extcon: max8997: Add missing modalias string
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+[ Upstream commit dc11fc2991e9efbceef93912b83e333d2835fb19 ]
+
+The platform device driver name is "max8997-muic", so advertise it
+properly in the modalias string. This fixes automated module loading when
+this driver is compiled as a module.
+
+Fixes: b76668ba8a77 ("Extcon: add MAX8997 extcon driver")
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/extcon/extcon-max8997.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/extcon/extcon-max8997.c b/drivers/extcon/extcon-max8997.c
+index ac1633adb55d..cac36ef59e45 100644
+--- a/drivers/extcon/extcon-max8997.c
++++ b/drivers/extcon/extcon-max8997.c
+@@ -784,3 +784,4 @@ module_platform_driver(max8997_muic_driver);
+ MODULE_DESCRIPTION("Maxim MAX8997 Extcon driver");
+ MODULE_AUTHOR("Donggeun Kim <dg77.kim@samsung.com>");
+ MODULE_LICENSE("GPL");
++MODULE_ALIAS("platform:max8997-muic");
+-- 
+2.30.2
+
diff --git a/queue-5.4/extcon-sm5502-drop-invalid-register-write-in-sm5502_.patch b/queue-5.4/extcon-sm5502-drop-invalid-register-write-in-sm5502_.patch
new file mode 100644 (file)
index 0000000..e27c5c8
--- /dev/null
@@ -0,0 +1,40 @@
+From c2e67af79b71427662682f8a1737c04dabb1993a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 May 2021 15:34:35 +0200
+Subject: extcon: sm5502: Drop invalid register write in sm5502_reg_data
+
+From: Stephan Gerhold <stephan@gerhold.net>
+
+[ Upstream commit d25b224f8e5507879b36a769a6d1324cf163466c ]
+
+When sm5502_init_dev_type() iterates over sm5502_reg_data to
+initialize the registers it is limited by ARRAY_SIZE(sm5502_reg_data).
+There is no need to add another empty element to sm5502_reg_data.
+
+Having the additional empty element in sm5502_reg_data will just
+result in writing 0xff to register 0x00, which does not really
+make sense.
+
+Fixes: 914b881f9452 ("extcon: sm5502: Add support new SM5502 extcon device driver")
+Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/extcon/extcon-sm5502.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/extcon/extcon-sm5502.c b/drivers/extcon/extcon-sm5502.c
+index b3d93baf4fc5..f883992800b3 100644
+--- a/drivers/extcon/extcon-sm5502.c
++++ b/drivers/extcon/extcon-sm5502.c
+@@ -88,7 +88,6 @@ static struct reg_data sm5502_reg_data[] = {
+                       | SM5502_REG_INTM2_MHL_MASK,
+               .invert = true,
+       },
+-      { }
+ };
+ /* List of detectable cables */
+-- 
+2.30.2
+
diff --git a/queue-5.4/firmware-stratix10-svc-fix-a-resource-leak-in-an-err.patch b/queue-5.4/firmware-stratix10-svc-fix-a-resource-leak-in-an-err.patch
new file mode 100644 (file)
index 0000000..eb7a085
--- /dev/null
@@ -0,0 +1,73 @@
+From b42b0f34730b665e7d84a732f39698544aa9034a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 May 2021 20:22:15 +0200
+Subject: firmware: stratix10-svc: Fix a resource leak in an error handling
+ path
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit d99247f9b542533ddbf87a3481a05473b8e48194 ]
+
+If an error occurs after a successful 'kfifo_alloc()' call, it must be
+undone by a corresponding 'kfifo_free()' call, as already done in the
+remove function.
+
+While at it, move the 'platform_device_put()' call to this new error
+handling path and explicitly return 0 in the success path.
+
+Fixes: b5dc75c915cd ("firmware: stratix10-svc: extend svc to support new RSU features")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/0ca3f3ab139c53e846804455a1e7599ee8ae896a.1621621271.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/stratix10-svc.c | 22 +++++++++++++++-------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/firmware/stratix10-svc.c b/drivers/firmware/stratix10-svc.c
+index b485321189e1..b2b4ba240fb1 100644
+--- a/drivers/firmware/stratix10-svc.c
++++ b/drivers/firmware/stratix10-svc.c
+@@ -1026,24 +1026,32 @@ static int stratix10_svc_drv_probe(struct platform_device *pdev)
+       /* add svc client device(s) */
+       svc = devm_kzalloc(dev, sizeof(*svc), GFP_KERNEL);
+-      if (!svc)
+-              return -ENOMEM;
++      if (!svc) {
++              ret = -ENOMEM;
++              goto err_free_kfifo;
++      }
+       svc->stratix10_svc_rsu = platform_device_alloc(STRATIX10_RSU, 0);
+       if (!svc->stratix10_svc_rsu) {
+               dev_err(dev, "failed to allocate %s device\n", STRATIX10_RSU);
+-              return -ENOMEM;
++              ret = -ENOMEM;
++              goto err_free_kfifo;
+       }
+       ret = platform_device_add(svc->stratix10_svc_rsu);
+-      if (ret) {
+-              platform_device_put(svc->stratix10_svc_rsu);
+-              return ret;
+-      }
++      if (ret)
++              goto err_put_device;
++
+       dev_set_drvdata(dev, svc);
+       pr_info("Intel Service Layer Driver Initialized\n");
++      return 0;
++
++err_put_device:
++      platform_device_put(svc->stratix10_svc_rsu);
++err_free_kfifo:
++      kfifo_free(&controller->svc_fifo);
+       return ret;
+ }
+-- 
+2.30.2
+
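Review bot: The new labels unwind only the kfifo and the RSU platform device, and the two `-ENOMEM` paths that used to return directly now go through `err_free_kfifo`. The part of stratix10_svc_drv_probe before `/* add svc client device(s) */` is outside the hunk. It is worth confirming that nothing set up there still refers to `controller` once probe has failed, because `kfifo_free(&controller->svc_fifo)` now releases the FIFO on that path. A comment at the labels noting that they mirror the remove function, as the commit message says, would help keep the two in step.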
diff --git a/queue-5.4/fs-dlm-cancel-work-sync-othercon.patch b/queue-5.4/fs-dlm-cancel-work-sync-othercon.patch
new file mode 100644 (file)
index 0000000..bdb2639
--- /dev/null
@@ -0,0 +1,38 @@
+From 634635458e655bfa9941a95326fbc2b1e838a864 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 May 2021 15:08:38 -0400
+Subject: fs: dlm: cancel work sync othercon
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit c6aa00e3d20c2767ba3f57b64eb862572b9744b3 ]
+
+These rx tx flags arguments are for signaling close_connection() from
+which worker they are called. Obviously the receive worker cannot cancel
+itself and vice versa for swork. For the othercon the receive worker
+should only be used, however to avoid deadlocks we should pass the same
+flags as the original close_connection() was called.
+
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/lowcomms.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/dlm/lowcomms.c b/fs/dlm/lowcomms.c
+index 3951d39b9b75..d9202ba665ce 100644
+--- a/fs/dlm/lowcomms.c
++++ b/fs/dlm/lowcomms.c
+@@ -607,7 +607,7 @@ static void close_connection(struct connection *con, bool and_other,
+       }
+       if (con->othercon && and_other) {
+               /* Will only re-enter once. */
+-              close_connection(con->othercon, false, true, true);
++              close_connection(con->othercon, false, tx, rx);
+       }
+       if (con->rx_page) {
+               __free_page(con->rx_page);
+-- 
+2.30.2
+
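Review bot: The recursive call in close_connection() now forwards `tx, rx`, but the comment above it still reads only `/* Will only re-enter once. */`, so the reason for forwarding the flags lives solely in the commit message. Per the description, the flags tell close_connection() which worker is calling, and a worker cannot cancel itself, so the hard-coded `true, true` risked a deadlock. I would extend the comment to `/* Will only re-enter once; forward tx/rx so the calling worker never cancels itself. */`. The signature is truncated in the hunk header, so confirm that the parameter order really is (tx, rx) and not (rx, tx).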
diff --git a/queue-5.4/fs-dlm-fix-memory-leak-when-fenced.patch b/queue-5.4/fs-dlm-fix-memory-leak-when-fenced.patch
new file mode 100644 (file)
index 0000000..1397823
--- /dev/null
@@ -0,0 +1,85 @@
+From 85a201dc9805c3140d4d9c7ea3423cd0d677071e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jun 2021 09:45:16 -0400
+Subject: fs: dlm: fix memory leak when fenced
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 700ab1c363c7b54c9ea3222379b33fc00ab02f7b ]
+
+I got some kmemleak report when a node was fenced. The user space tool
+dlm_controld will therefore run some rmdir() in dlm configfs which was
+triggering some memleaks. This patch stores the sps and cms attributes
+which stores some handling for subdirectories of the configfs cluster
+entry and free them if they get released as the parent directory gets
+freed.
+
+unreferenced object 0xffff88810d9e3e00 (size 192):
+  comm "dlm_controld", pid 342, jiffies 4294698126 (age 55438.801s)
+  hex dump (first 32 bytes):
+    00 00 00 00 00 00 00 00 73 70 61 63 65 73 00 00  ........spaces..
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+  backtrace:
+    [<00000000db8b640b>] make_cluster+0x5d/0x360
+    [<000000006a571db4>] configfs_mkdir+0x274/0x730
+    [<00000000b094501c>] vfs_mkdir+0x27e/0x340
+    [<0000000058b0adaf>] do_mkdirat+0xff/0x1b0
+    [<00000000d1ffd156>] do_syscall_64+0x40/0x80
+    [<00000000ab1408c8>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+unreferenced object 0xffff88810d9e3a00 (size 192):
+  comm "dlm_controld", pid 342, jiffies 4294698126 (age 55438.801s)
+  hex dump (first 32 bytes):
+    00 00 00 00 00 00 00 00 63 6f 6d 6d 73 00 00 00  ........comms...
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+  backtrace:
+    [<00000000a7ef6ad2>] make_cluster+0x82/0x360
+    [<000000006a571db4>] configfs_mkdir+0x274/0x730
+    [<00000000b094501c>] vfs_mkdir+0x27e/0x340
+    [<0000000058b0adaf>] do_mkdirat+0xff/0x1b0
+    [<00000000d1ffd156>] do_syscall_64+0x40/0x80
+    [<00000000ab1408c8>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/config.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/fs/dlm/config.c b/fs/dlm/config.c
+index 3b1012a3c439..b7e288cf3f5f 100644
+--- a/fs/dlm/config.c
++++ b/fs/dlm/config.c
+@@ -78,6 +78,9 @@ struct dlm_cluster {
+       unsigned int cl_new_rsb_count;
+       unsigned int cl_recover_callbacks;
+       char cl_cluster_name[DLM_LOCKSPACE_LEN];
++
++      struct dlm_spaces *sps;
++      struct dlm_comms *cms;
+ };
+ static struct dlm_cluster *config_item_to_cluster(struct config_item *i)
+@@ -354,6 +357,9 @@ static struct config_group *make_cluster(struct config_group *g,
+       if (!cl || !sps || !cms)
+               goto fail;
++      cl->sps = sps;
++      cl->cms = cms;
++
+       config_group_init_type_name(&cl->group, name, &cluster_type);
+       config_group_init_type_name(&sps->ss_group, "spaces", &spaces_type);
+       config_group_init_type_name(&cms->cs_group, "comms", &comms_type);
+@@ -403,6 +409,9 @@ static void drop_cluster(struct config_group *g, struct config_item *i)
+ static void release_cluster(struct config_item *i)
+ {
+       struct dlm_cluster *cl = config_item_to_cluster(i);
++
++      kfree(cl->sps);
++      kfree(cl->cms);
+       kfree(cl);
+ }
+-- 
+2.30.2
+
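Review bot: The new `sps` and `cms` members of struct dlm_cluster carry no comment saying who owns them, while release_cluster() now frees both with kfree(). That makes release_cluster() the owner of the two allocations made in make_cluster(), and any other path that also frees them after `cl->sps`/`cl->cms` are set would become a double free. The `fail` label of make_cluster() is outside the hunk and should be checked for this. I would document it on the fields, e.g. `struct dlm_spaces *sps; /* allocated in make_cluster(), freed in release_cluster() */`, and the same for `cms`. The change also relies on the spaces and comms groups no longer being referenced when the cluster item is released, which cannot be verified from these hunks.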
diff --git a/queue-5.4/fsi-core-fix-return-of-error-values-on-failures.patch b/queue-5.4/fsi-core-fix-return-of-error-values-on-failures.patch
new file mode 100644 (file)
index 0000000..304dfac
--- /dev/null
@@ -0,0 +1,50 @@
+From 1af86907d5d764832037430aa927da2460e9073c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jun 2021 13:28:12 +0100
+Subject: fsi: core: Fix return of error values on failures
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 910810945707fe9877ca86a0dca4e585fd05e37b ]
+
+Currently the cfam_read and cfam_write functions return the provided
+number of bytes given in the count parameter and not the error return
+code in variable rc, hence all failures of read/writes are being
+silently ignored. Fix this by returning the error code in rc.
+
+Addresses-Coverity: ("Unused value")
+Fixes: d1dcd6782576 ("fsi: Add cfam char devices")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Jeremy Kerr <jk@ozlabs.org>
+Link: https://lore.kernel.org/r/20210603122812.83587-1-colin.king@canonical.com
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/fsi/fsi-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/fsi/fsi-core.c b/drivers/fsi/fsi-core.c
+index 9282239b4d95..cb980a60af0e 100644
+--- a/drivers/fsi/fsi-core.c
++++ b/drivers/fsi/fsi-core.c
+@@ -718,7 +718,7 @@ static ssize_t cfam_read(struct file *filep, char __user *buf, size_t count,
+       rc = count;
+  fail:
+       *offset = off;
+-      return count;
++      return rc;
+ }
+ static ssize_t cfam_write(struct file *filep, const char __user *buf,
+@@ -755,7 +755,7 @@ static ssize_t cfam_write(struct file *filep, const char __user *buf,
+       rc = count;
+  fail:
+       *offset = off;
+-      return count;
++      return rc;
+ }
+ static loff_t cfam_llseek(struct file *file, loff_t offset, int whence)
+-- 
+2.30.2
+
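Review bot: With `return rc;` at the `fail` label in cfam_read() and cfam_write(), a transfer that fails part-way now returns the error while `*offset = off;` still stores the advanced position. If the copy loop (outside both hunks) has already moved some bytes, the caller sees an error and a moved file offset, with no way to tell how much was transferred. The usual read/write convention is to report the bytes already transferred and return the error only when nothing was moved, or else to leave `*offset` untouched on failure. Also confirm that `rc` is declared as `ssize_t`, since `rc = count;` assigns a `size_t` to it.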
diff --git a/queue-5.4/fsi-occ-don-t-accept-response-from-un-initialized-oc.patch b/queue-5.4/fsi-occ-don-t-accept-response-from-un-initialized-oc.patch
new file mode 100644 (file)
index 0000000..0cebe17
--- /dev/null
@@ -0,0 +1,38 @@
+From 7f419215937bcfe4699c8826487e44cf2c7fe77a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Feb 2021 11:12:32 -0600
+Subject: fsi: occ: Don't accept response from un-initialized OCC
+
+From: Eddie James <eajames@linux.ibm.com>
+
+[ Upstream commit 8a4659be08576141f47d47d94130eb148cb5f0df ]
+
+If the OCC is not initialized and responds as such, the driver
+should continue waiting for a valid response until the timeout
+expires.
+
+Signed-off-by: Eddie James <eajames@linux.ibm.com>
+Reviewed-by: Joel Stanley <joel@jms.id.au>
+Fixes: 7ed98dddb764 ("fsi: Add On-Chip Controller (OCC) driver")
+Link: https://lore.kernel.org/r/20210209171235.20624-2-eajames@linux.ibm.com
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/fsi/fsi-occ.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/fsi/fsi-occ.c b/drivers/fsi/fsi-occ.c
+index 7da9c81759ac..8f1644804570 100644
+--- a/drivers/fsi/fsi-occ.c
++++ b/drivers/fsi/fsi-occ.c
+@@ -445,6 +445,7 @@ int fsi_occ_submit(struct device *dev, const void *request, size_t req_len,
+                       goto done;
+               if (resp->return_status == OCC_RESP_CMD_IN_PRG ||
++                  resp->return_status == OCC_RESP_CRIT_INIT ||
+                   resp->seq_no != seq_no) {
+                       rc = -ETIMEDOUT;
+-- 
+2.30.2
+
diff --git a/queue-5.4/fsi-sbefifo-clean-up-correct-fifo-when-receiving-res.patch b/queue-5.4/fsi-sbefifo-clean-up-correct-fifo-when-receiving-res.patch
new file mode 100644 (file)
index 0000000..f84cb0b
--- /dev/null
@@ -0,0 +1,39 @@
+From 3fa9abc2e8ef8b5b8d8a85fee8c6caa9fc12327a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Jul 2020 16:45:17 +0930
+Subject: fsi/sbefifo: Clean up correct FIFO when receiving reset request from
+ SBE
+
+From: Joachim Fenkes <FENKES@de.ibm.com>
+
+[ Upstream commit 95152433e46fdb36652ebdbea442356a16ae1fa6 ]
+
+When the SBE requests a reset via the down FIFO, that is also the
+FIFO we should go and reset ;)
+
+Fixes: 9f4a8a2d7f9d ("fsi/sbefifo: Add driver for the SBE FIFO")
+Signed-off-by: Joachim Fenkes <FENKES@de.ibm.com>
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Link: https://lore.kernel.org/r/20200724071518.430515-2-joel@jms.id.au
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/fsi/fsi-sbefifo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/fsi/fsi-sbefifo.c b/drivers/fsi/fsi-sbefifo.c
+index f54df9ebc8b3..655b45c1f6ba 100644
+--- a/drivers/fsi/fsi-sbefifo.c
++++ b/drivers/fsi/fsi-sbefifo.c
+@@ -400,7 +400,7 @@ static int sbefifo_cleanup_hw(struct sbefifo *sbefifo)
+       /* The FIFO already contains a reset request from the SBE ? */
+       if (down_status & SBEFIFO_STS_RESET_REQ) {
+               dev_info(dev, "Cleanup: FIFO reset request set, resetting\n");
+-              rc = sbefifo_regw(sbefifo, SBEFIFO_UP, SBEFIFO_PERFORM_RESET);
++              rc = sbefifo_regw(sbefifo, SBEFIFO_DOWN, SBEFIFO_PERFORM_RESET);
+               if (rc) {
+                       sbefifo->broken = true;
+                       dev_err(dev, "Cleanup: Reset reg write failed, rc=%d\n", rc);
+-- 
+2.30.2
+
diff --git a/queue-5.4/fsi-sbefifo-fix-reset-timeout.patch b/queue-5.4/fsi-sbefifo-fix-reset-timeout.patch
new file mode 100644 (file)
index 0000000..95d3ae2
--- /dev/null
@@ -0,0 +1,60 @@
+From 356b1515346fe0ea2e9f50f99c117a312a93445d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Jul 2020 16:45:18 +0930
+Subject: fsi/sbefifo: Fix reset timeout
+
+From: Joachim Fenkes <FENKES@de.ibm.com>
+
+[ Upstream commit 9ab1428dfe2c66b51e0b41337cd0164da0ab6080 ]
+
+On BMCs with lower timer resolution than 1ms, msleep(1) will take
+way longer than 1ms, so looping 10k times won't wait for 10s but
+significantly longer.
+
+Fix this by using jiffies like the rest of the code.
+
+Fixes: 9f4a8a2d7f9d ("fsi/sbefifo: Add driver for the SBE FIFO")
+Signed-off-by: Joachim Fenkes <fenkes@de.ibm.com>
+Link: https://lore.kernel.org/r/20200724071518.430515-3-joel@jms.id.au
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/fsi/fsi-sbefifo.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/fsi/fsi-sbefifo.c b/drivers/fsi/fsi-sbefifo.c
+index 655b45c1f6ba..c8ccc99e214f 100644
+--- a/drivers/fsi/fsi-sbefifo.c
++++ b/drivers/fsi/fsi-sbefifo.c
+@@ -325,7 +325,8 @@ static int sbefifo_up_write(struct sbefifo *sbefifo, __be32 word)
+ static int sbefifo_request_reset(struct sbefifo *sbefifo)
+ {
+       struct device *dev = &sbefifo->fsi_dev->dev;
+-      u32 status, timeout;
++      unsigned long end_time;
++      u32 status;
+       int rc;
+       dev_dbg(dev, "Requesting FIFO reset\n");
+@@ -341,7 +342,8 @@ static int sbefifo_request_reset(struct sbefifo *sbefifo)
+       }
+       /* Wait for it to complete */
+-      for (timeout = 0; timeout < SBEFIFO_RESET_TIMEOUT; timeout++) {
++      end_time = jiffies + msecs_to_jiffies(SBEFIFO_RESET_TIMEOUT);
++      while (!time_after(jiffies, end_time)) {
+               rc = sbefifo_regr(sbefifo, SBEFIFO_UP | SBEFIFO_STS, &status);
+               if (rc) {
+                       dev_err(dev, "Failed to read UP fifo status during reset"
+@@ -355,7 +357,7 @@ static int sbefifo_request_reset(struct sbefifo *sbefifo)
+                       return 0;
+               }
+-              msleep(1);
++              cond_resched();
+       }
+       dev_err(dev, "FIFO reset timed out\n");
+-- 
+2.30.2
+
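Review bot: Replacing `msleep(1)` with `cond_resched()` turns the wait loop in sbefifo_request_reset() into a busy poll: until `end_time` it reads the UP status register back to back and yields only when another task is runnable. With the 10 s window mentioned in the description, an SBE that never responds can keep a CPU and the FSI bus busy for the whole timeout. A short bounded sleep such as `usleep_range(1000, 2000);` in place of `cond_resched();` would keep the jiffies deadline and still pace the reads. Separately, the status is not read once more after the deadline passes, so a task that was scheduled out across `end_time` can report a timeout for a reset that did complete.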
diff --git a/queue-5.4/fsi-scom-reset-the-fsi2pib-engine-for-any-error.patch b/queue-5.4/fsi-scom-reset-the-fsi2pib-engine-for-any-error.patch
new file mode 100644 (file)
index 0000000..1bf95d5
--- /dev/null
@@ -0,0 +1,63 @@
+From fdfd2ac094f5d75b699fc98bbf022197df1b7948 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Mar 2021 10:13:44 -0500
+Subject: fsi: scom: Reset the FSI2PIB engine for any error
+
+From: Eddie James <eajames@linux.ibm.com>
+
+[ Upstream commit a5c317dac5567206ca7b6bc9d008dd6890c8bced ]
+
+The error bits in the FSI2PIB status are only cleared by a reset. So
+the driver needs to perform a reset after seeing any of the FSI2PIB
+errors, otherwise subsequent operations will also look like failures.
+
+Fixes: 6b293258cded ("fsi: scom: Major overhaul")
+Signed-off-by: Eddie James <eajames@linux.ibm.com>
+Reviewed-by: Joel Stanley <joel@jms.id.au>
+Link: https://lore.kernel.org/r/20210329151344.14246-1-eajames@linux.ibm.com
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/fsi/fsi-scom.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/fsi/fsi-scom.c b/drivers/fsi/fsi-scom.c
+index 004dc03ccf09..918367621086 100644
+--- a/drivers/fsi/fsi-scom.c
++++ b/drivers/fsi/fsi-scom.c
+@@ -38,9 +38,10 @@
+ #define SCOM_STATUS_PIB_RESP_MASK     0x00007000
+ #define SCOM_STATUS_PIB_RESP_SHIFT    12
+-#define SCOM_STATUS_ANY_ERR           (SCOM_STATUS_PROTECTION | \
+-                                       SCOM_STATUS_PARITY |     \
+-                                       SCOM_STATUS_PIB_ABORT | \
++#define SCOM_STATUS_FSI2PIB_ERROR     (SCOM_STATUS_PROTECTION |       \
++                                       SCOM_STATUS_PARITY |           \
++                                       SCOM_STATUS_PIB_ABORT)
++#define SCOM_STATUS_ANY_ERR           (SCOM_STATUS_FSI2PIB_ERROR |    \
+                                        SCOM_STATUS_PIB_RESP_MASK)
+ /* SCOM address encodings */
+ #define XSCOM_ADDR_IND_FLAG           BIT_ULL(63)
+@@ -240,13 +241,14 @@ static int handle_fsi2pib_status(struct scom_device *scom, uint32_t status)
+ {
+       uint32_t dummy = -1;
+-      if (status & SCOM_STATUS_PROTECTION)
+-              return -EPERM;
+-      if (status & SCOM_STATUS_PARITY) {
++      if (status & SCOM_STATUS_FSI2PIB_ERROR)
+               fsi_device_write(scom->fsi_dev, SCOM_FSI2PIB_RESET_REG, &dummy,
+                                sizeof(uint32_t));
++
++      if (status & SCOM_STATUS_PROTECTION)
++              return -EPERM;
++      if (status & SCOM_STATUS_PARITY)
+               return -EIO;
+-      }
+       /* Return -EBUSY on PIB abort to force a retry */
+       if (status & SCOM_STATUS_PIB_ABORT)
+               return -EBUSY;
+-- 
+2.30.2
+
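Review bot: The reset write in handle_fsi2pib_status() ignores the return value of fsi_device_write(), and after this change that write is the only thing that clears the FSI2PIB error bits for protection, parity and abort errors alike. If it fails, the bits stay set and, as the description says, later operations will also look like failures, with nothing logged to explain why. I would capture the result and at least log a failed reset, or return that error in preference to the status-derived one. `dummy` could also be initialised as `0xffffffff` rather than `-1` to make the written value explicit.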
diff --git a/queue-5.4/gve-fix-swapped-vars-when-fetching-max-queues.patch b/queue-5.4/gve-fix-swapped-vars-when-fetching-max-queues.patch
new file mode 100644 (file)
index 0000000..22971ce
--- /dev/null
@@ -0,0 +1,35 @@
+From 0839d2e1a6ec47e589808ec4bba7cd3477b6d46b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jun 2021 19:55:41 -0700
+Subject: gve: Fix swapped vars when fetching max queues
+
+From: Bailey Forrest <bcf@google.com>
+
+[ Upstream commit 1db1a862a08f85edc36aad091236ac9b818e949e ]
+
+Fixes: 893ce44df565 ("gve: Add basic driver framework for Compute Engine Virtual NIC")
+Signed-off-by: Bailey Forrest <bcf@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/google/gve/gve_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/google/gve/gve_main.c b/drivers/net/ethernet/google/gve/gve_main.c
+index 6ea0975d74a1..1c4b35b1b359 100644
+--- a/drivers/net/ethernet/google/gve/gve_main.c
++++ b/drivers/net/ethernet/google/gve/gve_main.c
+@@ -1118,8 +1118,8 @@ static int gve_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+       gve_write_version(&reg_bar->driver_version);
+       /* Get max queues to alloc etherdev */
+-      max_rx_queues = ioread32be(&reg_bar->max_tx_queues);
+-      max_tx_queues = ioread32be(&reg_bar->max_rx_queues);
++      max_tx_queues = ioread32be(&reg_bar->max_tx_queues);
++      max_rx_queues = ioread32be(&reg_bar->max_rx_queues);
+       /* Alloc and setup the netdev and priv */
+       dev = alloc_etherdev_mqs(sizeof(*priv), max_tx_queues, max_rx_queues);
+       if (!dev) {
+-- 
+2.30.2
+
diff --git a/queue-5.4/hid-do-not-use-down_interruptible-when-unbinding-dev.patch b/queue-5.4/hid-do-not-use-down_interruptible-when-unbinding-dev.patch
new file mode 100644 (file)
index 0000000..a19badd
--- /dev/null
@@ -0,0 +1,53 @@
+From baa2dbb4620cad209f9610c3562a4e30ddbd69b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Mar 2021 17:27:16 -0700
+Subject: HID: do not use down_interruptible() when unbinding devices
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+[ Upstream commit f2145f8dc566c4f3b5a8deb58dcd12bed4e20194 ]
+
+Action of unbinding driver from a device is not cancellable and should not
+fail, and driver core does not pay attention to the result of "remove"
+method, therefore using down_interruptible() in hid_device_remove() does
+not make sense.
+
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-core.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index 550fff6e41ec..b6740ad773ee 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -2299,12 +2299,8 @@ static int hid_device_remove(struct device *dev)
+ {
+       struct hid_device *hdev = to_hid_device(dev);
+       struct hid_driver *hdrv;
+-      int ret = 0;
+-      if (down_interruptible(&hdev->driver_input_lock)) {
+-              ret = -EINTR;
+-              goto end;
+-      }
++      down(&hdev->driver_input_lock);
+       hdev->io_started = false;
+       hdrv = hdev->driver;
+@@ -2319,8 +2315,8 @@ static int hid_device_remove(struct device *dev)
+       if (!hdev->io_started)
+               up(&hdev->driver_input_lock);
+-end:
+-      return ret;
++
++      return 0;
+ }
+ static ssize_t modalias_show(struct device *dev, struct device_attribute *a,
+-- 
+2.30.2
+
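Review bot: The bare `down(&hdev->driver_input_lock);` in hid_device_remove() has no comment, and an uninterruptible semaphore wait is the kind of line a later cleanup converts back to down_interruptible() or down_killable(). The reasoning lives only in the commit message: unbind cannot be cancelled and the driver core ignores the result of remove. I would put that next to the call, e.g. `/* unbind cannot fail or be cancelled, so wait uninterruptibly */`. Note that the task now blocks with no way out if the semaphore holder never releases it; the paths that take driver_input_lock are outside these hunks.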
diff --git a/queue-5.4/hid-wacom-correct-base-usage-for-capacitive-expressk.patch b/queue-5.4/hid-wacom-correct-base-usage-for-capacitive-expressk.patch
new file mode 100644 (file)
index 0000000..18805a0
--- /dev/null
@@ -0,0 +1,35 @@
+From 01ba2be4aa1aa5c5647f004ad475c45662e998b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jun 2021 09:58:09 -0700
+Subject: HID: wacom: Correct base usage for capacitive ExpressKey status bits
+
+From: Jason Gerecke <killertofu@gmail.com>
+
+[ Upstream commit 424d8237945c6c448c8b3f23885d464fb5685c97 ]
+
+The capacitive status of ExpressKeys is reported with usages beginning
+at 0x940, not 0x950. Bring our driver into alignment with reality.
+
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/wacom_wac.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hid/wacom_wac.h b/drivers/hid/wacom_wac.h
+index 195910dd2154..e3835407e8d2 100644
+--- a/drivers/hid/wacom_wac.h
++++ b/drivers/hid/wacom_wac.h
+@@ -122,7 +122,7 @@
+ #define WACOM_HID_WD_TOUCHONOFF         (WACOM_HID_UP_WACOMDIGITIZER | 0x0454)
+ #define WACOM_HID_WD_BATTERY_LEVEL      (WACOM_HID_UP_WACOMDIGITIZER | 0x043b)
+ #define WACOM_HID_WD_EXPRESSKEY00       (WACOM_HID_UP_WACOMDIGITIZER | 0x0910)
+-#define WACOM_HID_WD_EXPRESSKEYCAP00    (WACOM_HID_UP_WACOMDIGITIZER | 0x0950)
++#define WACOM_HID_WD_EXPRESSKEYCAP00    (WACOM_HID_UP_WACOMDIGITIZER | 0x0940)
+ #define WACOM_HID_WD_MODE_CHANGE        (WACOM_HID_UP_WACOMDIGITIZER | 0x0980)
+ #define WACOM_HID_WD_MUTE_DEVICE        (WACOM_HID_UP_WACOMDIGITIZER | 0x0981)
+ #define WACOM_HID_WD_CONTROLPANEL       (WACOM_HID_UP_WACOMDIGITIZER | 0x0982)
+-- 
+2.30.2
+
diff --git a/queue-5.4/hv_utils-fix-passing-zero-to-ptr_err-warning.patch b/queue-5.4/hv_utils-fix-passing-zero-to-ptr_err-warning.patch
new file mode 100644 (file)
index 0000000..0a50d36
--- /dev/null
@@ -0,0 +1,43 @@
+From 684c26b2a0f80f8793e5b66e310aa5d5f5af01e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 May 2021 15:01:16 +0800
+Subject: hv_utils: Fix passing zero to 'PTR_ERR' warning
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit c6a8625fa4c6b0a97860d053271660ccedc3d1b3 ]
+
+Sparse warn this:
+
+drivers/hv/hv_util.c:753 hv_timesync_init() warn:
+ passing zero to 'PTR_ERR'
+
+Use PTR_ERR_OR_ZERO instead of PTR_ERR to fix this.
+
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Link: https://lore.kernel.org/r/20210514070116.16800-1-yuehaibing@huawei.com
+[ wei: change %ld to %d ]
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hv/hv_util.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hv/hv_util.c b/drivers/hv/hv_util.c
+index e32681ee7b9f..1671f6f9ea80 100644
+--- a/drivers/hv/hv_util.c
++++ b/drivers/hv/hv_util.c
+@@ -537,8 +537,8 @@ static int hv_timesync_init(struct hv_util_service *srv)
+        */
+       hv_ptp_clock = ptp_clock_register(&ptp_hyperv_info, NULL);
+       if (IS_ERR_OR_NULL(hv_ptp_clock)) {
+-              pr_err("cannot register PTP clock: %ld\n",
+-                     PTR_ERR(hv_ptp_clock));
++              pr_err("cannot register PTP clock: %d\n",
++                     PTR_ERR_OR_ZERO(hv_ptp_clock));
+               hv_ptp_clock = NULL;
+       }
+-- 
+2.30.2
+
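Review bot: When ptp_clock_register() returns NULL rather than an error pointer, the new pr_err() in hv_timesync_init() prints `cannot register PTP clock: 0`, which reads as a failure with a success code. The IS_ERR_OR_NULL() test treats both cases alike, so the log cannot tell a real registration error from the NULL case. I would split the message: keep pr_err() with PTR_ERR() under IS_ERR(), and use a lower-severity message without an error number for NULL. The rest of hv_timesync_init() is outside the hunk.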
diff --git a/queue-5.4/hwmon-max31722-remove-non-standard-acpi-device-ids.patch b/queue-5.4/hwmon-max31722-remove-non-standard-acpi-device-ids.patch
new file mode 100644 (file)
index 0000000..0ea08e0
--- /dev/null
@@ -0,0 +1,58 @@
+From 6e209423683d22b6a25d2fcbeb40d05b0848fa85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 May 2021 09:50:25 -0700
+Subject: hwmon: (max31722) Remove non-standard ACPI device IDs
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 97387c2f06bcfd79d04a848d35517b32ee6dca7c ]
+
+Valid Maxim Integrated ACPI device IDs would start with MXIM,
+not with MAX1. On top of that, ACPI device IDs reflecting chip names
+are almost always invalid.
+
+Remove the invalid ACPI IDs.
+
+Fixes: 04e1e70afec6 ("hwmon: (max31722) Add support for MAX31722/MAX31723 temperature sensors")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/max31722.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+diff --git a/drivers/hwmon/max31722.c b/drivers/hwmon/max31722.c
+index 062eceb7be0d..613338cbcb17 100644
+--- a/drivers/hwmon/max31722.c
++++ b/drivers/hwmon/max31722.c
+@@ -6,7 +6,6 @@
+  * Copyright (c) 2016, Intel Corporation.
+  */
+-#include <linux/acpi.h>
+ #include <linux/hwmon.h>
+ #include <linux/hwmon-sysfs.h>
+ #include <linux/kernel.h>
+@@ -133,20 +132,12 @@ static const struct spi_device_id max31722_spi_id[] = {
+       {"max31723", 0},
+       {}
+ };
+-
+-static const struct acpi_device_id __maybe_unused max31722_acpi_id[] = {
+-      {"MAX31722", 0},
+-      {"MAX31723", 0},
+-      {}
+-};
+-
+ MODULE_DEVICE_TABLE(spi, max31722_spi_id);
+ static struct spi_driver max31722_driver = {
+       .driver = {
+               .name = "max31722",
+               .pm = &max31722_pm_ops,
+-              .acpi_match_table = ACPI_PTR(max31722_acpi_id),
+       },
+       .probe =            max31722_probe,
+       .remove =           max31722_remove,
+-- 
+2.30.2
+
diff --git a/queue-5.4/hwmon-max31790-fix-fan-speed-reporting-for-fan7.12.patch b/queue-5.4/hwmon-max31790-fix-fan-speed-reporting-for-fan7.12.patch
new file mode 100644 (file)
index 0000000..9346189
--- /dev/null
@@ -0,0 +1,50 @@
+From 53532b8d71173323ea99e55f35b7d6b144c78d74 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 May 2021 08:40:16 -0700
+Subject: hwmon: (max31790) Fix fan speed reporting for fan7..12
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit cbbf244f0515af3472084f22b6213121b4a63835 ]
+
+Fans 7..12 do not have their own set of configuration registers.
+So far the code ignored that and read beyond the end of the configuration
+register range to get the tachometer period. This resulted in more or less
+random fan speed values for those fans.
+
+The datasheet is quite vague when it comes to defining the tachometer
+period for fans 7..12. Experiments confirm that the period is the same
+for both fans associated with a given set of configuration registers.
+
+Fixes: 54187ff9d766 ("hwmon: (max31790) Convert to use new hwmon registration API")
+Fixes: 195a4b4298a7 ("hwmon: Driver for Maxim MAX31790")
+Cc: Jan Kundrát <jan.kundrat@cesnet.cz>
+Reviewed-by: Jan Kundrát <jan.kundrat@cesnet.cz>
+Cc: Václav Kubernát <kubernat@cesnet.cz>
+Reviewed-by: Jan Kundrát <jan.kundrat@cesnet.cz>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20210526154022.3223012-2-linux@roeck-us.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/max31790.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/max31790.c b/drivers/hwmon/max31790.c
+index 21b6b63b1c07..2baf88ead0aa 100644
+--- a/drivers/hwmon/max31790.c
++++ b/drivers/hwmon/max31790.c
+@@ -171,7 +171,7 @@ static int max31790_read_fan(struct device *dev, u32 attr, int channel,
+       switch (attr) {
+       case hwmon_fan_input:
+-              sr = get_tach_period(data->fan_dynamics[channel]);
++              sr = get_tach_period(data->fan_dynamics[channel % NR_CHANNEL]);
+               rpm = RPM_FROM_REG(data->tach[channel], sr);
+               *val = rpm;
+               return 0;
+-- 
+2.30.2
+
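Review bot: The index `channel % NR_CHANNEL` in max31790_read_fan() is not explained in the code, while `data->tach[channel]` on the next line keeps the raw channel. According to the description the unmodified index read past the end of the configuration registers for fan7..12, so this modulo is a bounds fix that a reader could mistake for a typo. I would add `/* fan7..12 have no dynamics register of their own; they share the one of fan1..6 */` above the line. It is also worth checking the other `fan_dynamics[]` and `fan_config[]` accesses in this driver for the same raw `channel` index; they are outside the hunk.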
diff --git a/queue-5.4/hwmon-max31790-fix-pwmx_enable-attributes.patch b/queue-5.4/hwmon-max31790-fix-pwmx_enable-attributes.patch
new file mode 100644 (file)
index 0000000..cb9bdb2
--- /dev/null
@@ -0,0 +1,140 @@
+From 71ae58c2344075e191a0ac097e8eda7170c198b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 May 2021 08:40:18 -0700
+Subject: hwmon: (max31790) Fix pwmX_enable attributes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 148c847c9e5a54b99850617bf9c143af9a344f92 ]
+
+pwmX_enable supports three possible values:
+
+0: Fan control disabled. Duty cycle is fixed to 0%
+1: Fan control enabled, pwm mode. Duty cycle is determined by
+   values written into Target Duty Cycle registers.
+2: Fan control enabled, rpm mode
+   Duty cycle is adjusted such that fan speed matches
+   the values in Target Count registers
+
+The current code does not do this; instead, it mixes pwm control
+configuration with fan speed monitoring configuration. Worse, it
+reports that pwm control would be disabled (pwmX_enable==0) when
+it is in fact enabled in pwm mode. Part of the problem may be that
+the chip sets the "TACH input enable" bit on its own whenever the
+mode bit is set to RPM mode, but that doesn't mean that "TACH input
+enable" accurately reflects the pwm mode.
+
+Fix it up and only handle pwm control with the pwmX_enable attributes.
+In the documentation, clarify that disabling pwm control (pwmX_enable=0)
+sets the pwm duty cycle to 0%. In the code, explain why TACH_INPUT_EN
+is set together with RPM_MODE.
+
+While at it, only update the configuration register if the configuration
+has changed, and only update the cached configuration if updating the
+chip configuration was successful.
+
+Cc: Jan Kundrát <jan.kundrat@cesnet.cz>
+Cc: Václav Kubernát <kubernat@cesnet.cz>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Tested-by: Václav Kubernát <kubernat@cesnet.cz>
+Reviewed-by: Jan Kundrát <jan.kundrat@cesnet.cz>
+Link: https://lore.kernel.org/r/20210526154022.3223012-4-linux@roeck-us.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/hwmon/max31790.rst |  2 +-
+ drivers/hwmon/max31790.c         | 41 ++++++++++++++++++++------------
+ 2 files changed, 27 insertions(+), 16 deletions(-)
+
+diff --git a/Documentation/hwmon/max31790.rst b/Documentation/hwmon/max31790.rst
+index 9f12aac4fab5..f4749c44cfb8 100644
+--- a/Documentation/hwmon/max31790.rst
++++ b/Documentation/hwmon/max31790.rst
+@@ -38,7 +38,7 @@ Sysfs entries
+ fan[1-12]_input    RO  fan tachometer speed in RPM
+ fan[1-12]_fault    RO  fan experienced fault
+ fan[1-6]_target    RW  desired fan speed in RPM
+-pwm[1-6]_enable    RW  regulator mode, 0=disabled, 1=manual mode, 2=rpm mode
++pwm[1-6]_enable    RW  regulator mode, 0=disabled (duty cycle=0%), 1=manual mode, 2=rpm mode
+ pwm[1-6]           RW  read: current pwm duty cycle,
+                        write: target pwm duty cycle (0-255)
+ ================== === =======================================================
+diff --git a/drivers/hwmon/max31790.c b/drivers/hwmon/max31790.c
+index 344be7829d58..21b6b63b1c07 100644
+--- a/drivers/hwmon/max31790.c
++++ b/drivers/hwmon/max31790.c
+@@ -27,6 +27,7 @@
+ /* Fan Config register bits */
+ #define MAX31790_FAN_CFG_RPM_MODE     0x80
++#define MAX31790_FAN_CFG_CTRL_MON     0x10
+ #define MAX31790_FAN_CFG_TACH_INPUT_EN        0x08
+ #define MAX31790_FAN_CFG_TACH_INPUT   0x01
+@@ -271,12 +272,12 @@ static int max31790_read_pwm(struct device *dev, u32 attr, int channel,
+               *val = data->pwm[channel] >> 8;
+               return 0;
+       case hwmon_pwm_enable:
+-              if (fan_config & MAX31790_FAN_CFG_RPM_MODE)
++              if (fan_config & MAX31790_FAN_CFG_CTRL_MON)
++                      *val = 0;
++              else if (fan_config & MAX31790_FAN_CFG_RPM_MODE)
+                       *val = 2;
+-              else if (fan_config & MAX31790_FAN_CFG_TACH_INPUT_EN)
+-                      *val = 1;
+               else
+-                      *val = 0;
++                      *val = 1;
+               return 0;
+       default:
+               return -EOPNOTSUPP;
+@@ -307,23 +308,33 @@ static int max31790_write_pwm(struct device *dev, u32 attr, int channel,
+       case hwmon_pwm_enable:
+               fan_config = data->fan_config[channel];
+               if (val == 0) {
+-                      fan_config &= ~(MAX31790_FAN_CFG_TACH_INPUT_EN |
+-                                      MAX31790_FAN_CFG_RPM_MODE);
++                      fan_config |= MAX31790_FAN_CFG_CTRL_MON;
++                      /*
++                       * Disable RPM mode; otherwise disabling fan speed
++                       * monitoring is not possible.
++                       */
++                      fan_config &= ~MAX31790_FAN_CFG_RPM_MODE;
+               } else if (val == 1) {
+-                      fan_config = (fan_config |
+-                                    MAX31790_FAN_CFG_TACH_INPUT_EN) &
+-                                   ~MAX31790_FAN_CFG_RPM_MODE;
++                      fan_config &= ~(MAX31790_FAN_CFG_CTRL_MON | MAX31790_FAN_CFG_RPM_MODE);
+               } else if (val == 2) {
+-                      fan_config |= MAX31790_FAN_CFG_TACH_INPUT_EN |
+-                                    MAX31790_FAN_CFG_RPM_MODE;
++                      fan_config &= ~MAX31790_FAN_CFG_CTRL_MON;
++                      /*
++                       * The chip sets MAX31790_FAN_CFG_TACH_INPUT_EN on its
++                       * own if MAX31790_FAN_CFG_RPM_MODE is set.
++                       * Do it here as well to reflect the actual register
++                       * value in the cache.
++                       */
++                      fan_config |= (MAX31790_FAN_CFG_RPM_MODE | MAX31790_FAN_CFG_TACH_INPUT_EN);
+               } else {
+                       err = -EINVAL;
+                       break;
+               }
+-              data->fan_config[channel] = fan_config;
+-              err = i2c_smbus_write_byte_data(client,
+-                                      MAX31790_REG_FAN_CONFIG(channel),
+-                                      fan_config);
++              if (fan_config != data->fan_config[channel]) {
++                      err = i2c_smbus_write_byte_data(client, MAX31790_REG_FAN_CONFIG(channel),
++                                                      fan_config);
++                      if (!err)
++                              data->fan_config[channel] = fan_config;
++              }
+               break;
+       default:
+               err = -EOPNOTSUPP;
+-- 
+2.30.2
+
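Review bot: The new `MAX31790_FAN_CFG_CTRL_MON` define has no comment, yet both max31790_read_pwm() and max31790_write_pwm() now depend on its polarity: the bit being set means pwm control is off and pwmX_enable reads 0. A short comment at the define, e.g. `/* set: monitor only, pwm control disabled */`, would make the `if (fan_config & MAX31790_FAN_CFG_CTRL_MON)` branch readable without the datasheet. In the `val == 1` branch MAX31790_FAN_CFG_TACH_INPUT_EN is now left as it was, which matches the description but differs from the `val == 2` branch that sets it; a one-line comment there would help too. Both functions extend beyond the hunks.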
diff --git a/queue-5.4/hwmon-max31790-report-correct-current-pwm-duty-cycle.patch b/queue-5.4/hwmon-max31790-report-correct-current-pwm-duty-cycle.patch
new file mode 100644 (file)
index 0000000..4584c13
--- /dev/null
@@ -0,0 +1,76 @@
+From 062c6ccc66c137f5818939af5068e915bb85cb35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 May 2021 08:40:17 -0700
+Subject: hwmon: (max31790) Report correct current pwm duty cycles
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 897f6339893b741a5d68ae8e2475df65946041c2 ]
+
+The MAX31790 has two sets of registers for pwm duty cycles, one to request
+a duty cycle and one to read the actual current duty cycle. Both do not
+have to be the same.
+
+When reporting the pwm duty cycle to the user, the actual pwm duty cycle
+from pwm duty cycle registers needs to be reported. When setting it, the
+pwm target duty cycle needs to be written. Since we don't know the actual
+pwm duty cycle after a target pwm duty cycle has been written, set the
+valid flag to false to indicate that actual pwm duty cycle should be read
+from the chip instead of using cached values.
+
+Cc: Jan Kundrát <jan.kundrat@cesnet.cz>
+Cc: Václav Kubernát <kubernat@cesnet.cz>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Tested-by: Václav Kubernát <kubernat@ceesnet.cz>
+Reviewed-by: Jan Kundrát <jan.kundrat@cesnet.cz>
+Link: https://lore.kernel.org/r/20210526154022.3223012-3-linux@roeck-us.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/hwmon/max31790.rst | 3 ++-
+ drivers/hwmon/max31790.c         | 6 +++---
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/Documentation/hwmon/max31790.rst b/Documentation/hwmon/max31790.rst
+index 84c62a12ef3a..9f12aac4fab5 100644
+--- a/Documentation/hwmon/max31790.rst
++++ b/Documentation/hwmon/max31790.rst
+@@ -39,5 +39,6 @@ fan[1-12]_input    RO  fan tachometer speed in RPM
+ fan[1-12]_fault    RO  fan experienced fault
+ fan[1-6]_target    RW  desired fan speed in RPM
+ pwm[1-6]_enable    RW  regulator mode, 0=disabled, 1=manual mode, 2=rpm mode
+-pwm[1-6]           RW  fan target duty cycle (0-255)
++pwm[1-6]           RW  read: current pwm duty cycle,
++                       write: target pwm duty cycle (0-255)
+ ================== === =======================================================
+diff --git a/drivers/hwmon/max31790.c b/drivers/hwmon/max31790.c
+index 117fb79ef294..344be7829d58 100644
+--- a/drivers/hwmon/max31790.c
++++ b/drivers/hwmon/max31790.c
+@@ -104,7 +104,7 @@ static struct max31790_data *max31790_update_device(struct device *dev)
+                               data->tach[NR_CHANNEL + i] = rv;
+                       } else {
+                               rv = i2c_smbus_read_word_swapped(client,
+-                                              MAX31790_REG_PWMOUT(i));
++                                              MAX31790_REG_PWM_DUTY_CYCLE(i));
+                               if (rv < 0)
+                                       goto abort;
+                               data->pwm[i] = rv;
+@@ -299,10 +299,10 @@ static int max31790_write_pwm(struct device *dev, u32 attr, int channel,
+                       err = -EINVAL;
+                       break;
+               }
+-              data->pwm[channel] = val << 8;
++              data->valid = false;
+               err = i2c_smbus_write_word_swapped(client,
+                                                  MAX31790_REG_PWMOUT(channel),
+-                                                 data->pwm[channel]);
++                                                 val << 8);
+               break;
+       case hwmon_pwm_enable:
+               fan_config = data->fan_config[channel];
+-- 
+2.30.2
+
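Review bot: `data->valid = false;` in `max31790_write_pwm()` carries no comment, so the reason the cached `data->pwm[channel]` is no longer updated on a write exists only in the commit message. A line such as `/* actual duty cycle is unknown after a target write; force a re-read */` above it would keep that in the source. Clearing `valid` appears to invalidate the whole cached register set rather than this one channel, which is worth stating in the same comment if that is intended; `max31790_update_device()` is mostly outside the hunk, so this is inferred. The function body starts and ends outside the hunk.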
diff --git a/queue-5.4/hwrng-exynos-fix-runtime-pm-imbalance-on-error.patch b/queue-5.4/hwrng-exynos-fix-runtime-pm-imbalance-on-error.patch
new file mode 100644 (file)
index 0000000..3bf3004
--- /dev/null
@@ -0,0 +1,49 @@
+From 315a2694c9aedd2484dfe4488441c868e9d2de97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 May 2021 20:29:14 +0200
+Subject: hwrng: exynos - Fix runtime PM imbalance on error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Łukasz Stelmach <l.stelmach@samsung.com>
+
+[ Upstream commit 0cdbabf8bb7a6147f5adf37dbc251e92a1bbc2c7 ]
+
+pm_runtime_resume_and_get() wraps around pm_runtime_get_sync() and
+decrements the runtime PM usage counter in case the latter function
+fails and keeps the counter balanced.
+
+Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/hw_random/exynos-trng.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/char/hw_random/exynos-trng.c b/drivers/char/hw_random/exynos-trng.c
+index b4b52ab23b6b..b4e931dbff66 100644
+--- a/drivers/char/hw_random/exynos-trng.c
++++ b/drivers/char/hw_random/exynos-trng.c
+@@ -134,7 +134,7 @@ static int exynos_trng_probe(struct platform_device *pdev)
+               return PTR_ERR(trng->mem);
+       pm_runtime_enable(&pdev->dev);
+-      ret = pm_runtime_get_sync(&pdev->dev);
++      ret = pm_runtime_resume_and_get(&pdev->dev);
+       if (ret < 0) {
+               dev_err(&pdev->dev, "Could not get runtime PM.\n");
+               goto err_pm_get;
+@@ -167,7 +167,7 @@ err_register:
+       clk_disable_unprepare(trng->clk);
+ err_clock:
+-      pm_runtime_put_sync(&pdev->dev);
++      pm_runtime_put_noidle(&pdev->dev);
+ err_pm_get:
+       pm_runtime_disable(&pdev->dev);
+-- 
+2.30.2
+
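Review bot: The switch from `pm_runtime_put_sync()` to `pm_runtime_put_noidle()` at `err_clock` is not explained by the commit message, which only covers the `pm_runtime_resume_and_get()` change. At that label the resume has already succeeded, so dropping the usage count without an idle request appears to leave the device runtime-active when `pm_runtime_disable()` runs at `err_pm_get`. Either keep `pm_runtime_put_sync(&pdev->dev);` there or state the reason in a comment at the label. The backport also relies on `pm_runtime_resume_and_get()` existing in the 5.4 tree, which this page does not show. The body of `exynos_trng_probe()` starts and ends outside the hunk.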
diff --git a/queue-5.4/i40e-fix-autoneg-disabling-for-non-10gbaset-links.patch b/queue-5.4/i40e-fix-autoneg-disabling-for-non-10gbaset-links.patch
new file mode 100644 (file)
index 0000000..ae56cd7
--- /dev/null
@@ -0,0 +1,41 @@
+From 05f1f063ff22b9f2d65a4a104cc750c10fb9b9ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Mar 2021 11:12:54 +0000
+Subject: i40e: Fix autoneg disabling for non-10GBaseT links
+
+From: Mateusz Palczewski <mateusz.palczewski@intel.com>
+
+[ Upstream commit 9262793e59f0423437166a879a73d056b1fe6f9a ]
+
+Disabling autonegotiation was allowed only for 10GBaseT PHY.
+The condition was changed to check if link media type is BaseT.
+
+Fixes: 3ce12ee9d8f9 ("i40e: Fix order of checks when enabling/disabling autoneg in ethtool")
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Karen Sornek <karen.sornek@intel.com>
+Signed-off-by: Dawid Lukwinski <dawid.lukwinski@intel.com>
+Signed-off-by: Mateusz Palczewski <mateusz.palczewski@intel.com>
+Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+index e4d0b7747e84..2288a3855e52 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+@@ -1259,8 +1259,7 @@ static int i40e_set_link_ksettings(struct net_device *netdev,
+                       if (ethtool_link_ksettings_test_link_mode(&safe_ks,
+                                                                 supported,
+                                                                 Autoneg) &&
+-                          hw->phy.link_info.phy_type !=
+-                          I40E_PHY_TYPE_10GBASE_T) {
++                          hw->phy.media_type != I40E_MEDIA_TYPE_BASET) {
+                               netdev_info(netdev, "Autoneg cannot be disabled on this phy\n");
+                               err = -EINVAL;
+                               goto done;
+-- 
+2.30.2
+
diff --git a/queue-5.4/i40e-fix-error-handling-in-i40e_vsi_open.patch b/queue-5.4/i40e-fix-error-handling-in-i40e_vsi_open.patch
new file mode 100644 (file)
index 0000000..efe09d9
--- /dev/null
@@ -0,0 +1,38 @@
+From cb7ce855507ab0572daaeef0efbb9196c18a88ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Feb 2021 19:50:58 +0800
+Subject: i40e: Fix error handling in i40e_vsi_open
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit 9c04cfcd4aad232e36306cdc5c74cd9fc9148a7e ]
+
+When vsi->type == I40E_VSI_FDIR, we have caught the return value of
+i40e_vsi_request_irq() but without further handling. Check and execute
+memory clean on failure just like the other i40e_vsi_request_irq().
+
+Fixes: 8a9eb7d3cbcab ("i40e: rework fdir setup and teardown")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index a1b4e995f2b7..4f4ec1f166ef 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -8292,6 +8292,8 @@ int i40e_vsi_open(struct i40e_vsi *vsi)
+                        dev_driver_string(&pf->pdev->dev),
+                        dev_name(&pf->pdev->dev));
+               err = i40e_vsi_request_irq(vsi, int_name);
++              if (err)
++                      goto err_setup_rx;
+       } else {
+               err = -EINVAL;
+-- 
+2.30.2
+
diff --git a/queue-5.4/ia64-mca_drv-fix-incorrect-array-size-calculation.patch b/queue-5.4/ia64-mca_drv-fix-incorrect-array-size-calculation.patch
new file mode 100644 (file)
index 0000000..115bc12
--- /dev/null
@@ -0,0 +1,48 @@
+From 98cf6aa47277a1391fd6c46cc6c430ec40953d8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jun 2021 19:33:41 -0700
+Subject: ia64: mca_drv: fix incorrect array size calculation
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit c5f320ff8a79501bb59338278336ec43acb9d7e2 ]
+
+gcc points out a mistake in the mca driver that goes back to before the
+git history:
+
+arch/ia64/kernel/mca_drv.c: In function 'init_record_index_pools':
+arch/ia64/kernel/mca_drv.c:346:54: error: expression does not compute the number of elements in this array; element typ
+e is 'int', not 'size_t' {aka 'long unsigned int'} [-Werror=sizeof-array-div]
+  346 |         for (i = 1; i < sizeof sal_log_sect_min_sizes/sizeof(size_t); i++)
+      |                                                      ^
+
+This is the same as sizeof(size_t), which is two shorter than the actual
+array.  Use the ARRAY_SIZE() macro to get the correct calculation instead.
+
+Link: https://lkml.kernel.org/r/20210514214123.875971-1-arnd@kernel.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Cc: Masahiro Yamada <masahiroy@kernel.org>
+Cc: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/ia64/kernel/mca_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/ia64/kernel/mca_drv.c b/arch/ia64/kernel/mca_drv.c
+index 4d0ab323dee8..2a40268c3d49 100644
+--- a/arch/ia64/kernel/mca_drv.c
++++ b/arch/ia64/kernel/mca_drv.c
+@@ -343,7 +343,7 @@ init_record_index_pools(void)
+       /* - 2 - */
+       sect_min_size = sal_log_sect_min_sizes[0];
+-      for (i = 1; i < sizeof sal_log_sect_min_sizes/sizeof(size_t); i++)
++      for (i = 1; i < ARRAY_SIZE(sal_log_sect_min_sizes); i++)
+               if (sect_min_size > sal_log_sect_min_sizes[i])
+                       sect_min_size = sal_log_sect_min_sizes[i];
+-- 
+2.30.2
+
diff --git a/queue-5.4/ibmvnic-free-tx_pool-if-tso_pool-alloc-fails.patch b/queue-5.4/ibmvnic-free-tx_pool-if-tso_pool-alloc-fails.patch
new file mode 100644 (file)
index 0000000..ceb9a1a
--- /dev/null
@@ -0,0 +1,44 @@
+From 2aab198f7948fe5d3379d9bc8acf8204b6c76857 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jun 2021 21:13:15 -0700
+Subject: ibmvnic: free tx_pool if tso_pool alloc fails
+
+From: Sukadev Bhattiprolu <sukadev@linux.ibm.com>
+
+[ Upstream commit f6ebca8efa52e4ae770f0325d618e7bcf08ada0c ]
+
+Free tx_pool and clear it, if allocation of tso_pool fails.
+
+release_tx_pools() assumes we have both tx and tso_pools if ->tx_pool is
+non-NULL. If allocation of tso_pool fails in init_tx_pools(), the assumption
+will not be true and we would end up dereferencing ->tx_buff, ->free_map
+fields from a NULL pointer.
+
+Fixes: 3205306c6b8d ("ibmvnic: Update TX pool initialization routine")
+Signed-off-by: Sukadev Bhattiprolu <sukadev@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
+index a3d64e61035e..ecfe588f330e 100644
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -694,8 +694,11 @@ static int init_tx_pools(struct net_device *netdev)
+       adapter->tso_pool = kcalloc(tx_subcrqs,
+                                   sizeof(struct ibmvnic_tx_pool), GFP_KERNEL);
+-      if (!adapter->tso_pool)
++      if (!adapter->tso_pool) {
++              kfree(adapter->tx_pool);
++              adapter->tx_pool = NULL;
+               return -1;
++      }
+       adapter->num_active_tx_pools = tx_subcrqs;
+-- 
+2.30.2
+
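Review bot: The failure branch in `init_tx_pools()` still returns a bare `-1` after the added cleanup. Any caller that propagates the value would report it as `-EPERM` rather than an allocation failure, so `return -ENOMEM;` states the cause. The earlier `tx_pool` allocation check is outside the hunk and may need the same change for consistency. The function body starts and ends outside the hunk.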
diff --git a/queue-5.4/ieee802154-hwsim-avoid-possible-crash-in-hwsim_del_e.patch b/queue-5.4/ieee802154-hwsim-avoid-possible-crash-in-hwsim_del_e.patch
new file mode 100644 (file)
index 0000000..8939030
--- /dev/null
@@ -0,0 +1,41 @@
+From ff44d9b9a5a9970058106d23568b20b5ee7d03fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jun 2021 11:02:44 -0700
+Subject: ieee802154: hwsim: avoid possible crash in hwsim_del_edge_nl()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 0303b30375dff5351a79cc2c3c87dfa4fda29bed ]
+
+Both MAC802154_HWSIM_ATTR_RADIO_ID and MAC802154_HWSIM_ATTR_RADIO_EDGE
+must be present to avoid a crash.
+
+Fixes: f25da51fdc38 ("ieee802154: hwsim: add replacement for fakelb")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Alexander Aring <alex.aring@gmail.com>
+Cc: Stefan Schmidt <stefan@datenfreihafen.org>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210621180244.882076-1-eric.dumazet@gmail.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/mac802154_hwsim.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ieee802154/mac802154_hwsim.c b/drivers/net/ieee802154/mac802154_hwsim.c
+index b6d967ae6b41..79d74763cf24 100644
+--- a/drivers/net/ieee802154/mac802154_hwsim.c
++++ b/drivers/net/ieee802154/mac802154_hwsim.c
+@@ -480,7 +480,7 @@ static int hwsim_del_edge_nl(struct sk_buff *msg, struct genl_info *info)
+       struct hwsim_edge *e;
+       u32 v0, v1;
+-      if (!info->attrs[MAC802154_HWSIM_ATTR_RADIO_ID] &&
++      if (!info->attrs[MAC802154_HWSIM_ATTR_RADIO_ID] ||
+           !info->attrs[MAC802154_HWSIM_ATTR_RADIO_EDGE])
+               return -EINVAL;
+-- 
+2.30.2
+
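Review bot: The corrected `||` presence check covers only `hwsim_del_edge_nl()`. The other netlink handlers in this file that read the same two attributes (`hwsim_new_edge_nl()` and `hwsim_set_edge_lqi()`, neither shown here) should be checked for the same `&&` condition, since a request carrying only one attribute would leave the other pointer NULL in the same way. In each, the guard would read `if (!info->attrs[MAC802154_HWSIM_ATTR_RADIO_ID] || !info->attrs[MAC802154_HWSIM_ATTR_RADIO_EDGE]) return -EINVAL;`. The function body continues outside the hunk.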
diff --git a/queue-5.4/ieee802154-hwsim-fix-memory-leak-in-hwsim_add_one.patch b/queue-5.4/ieee802154-hwsim-fix-memory-leak-in-hwsim_add_one.patch
new file mode 100644 (file)
index 0000000..395ef54
--- /dev/null
@@ -0,0 +1,60 @@
+From c66e67c03e292ecd464f8988a299cf673aaf0ece Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 10:09:01 +0800
+Subject: ieee802154: hwsim: Fix memory leak in hwsim_add_one
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit 28a5501c3383f0e6643012c187b7c2027ef42aea ]
+
+No matter from hwsim_remove or hwsim_del_radio_nl, hwsim_del fails to
+remove the entry in the edges list. Take the example below, phy0, phy1
+and e0 will be deleted, resulting in e1 not freed and accessed in the
+future.
+
+              hwsim_phys
+                  |
+    ------------------------------
+    |                            |
+phy0 (edges)                 phy1 (edges)
+   ----> e1 (idx = 1)             ----> e0 (idx = 0)
+
+Fix this by deleting and freeing all the entries in the edges list
+between hwsim_edge_unsubscribe_me and list_del(&phy->list).
+
+Reported-by: syzbot+b80c9959009a9325cdff@syzkaller.appspotmail.com
+Fixes: 1c9f4a3fce77 ("ieee802154: hwsim: fix rcu handling")
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Acked-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210616020901.2759466-1-mudongliangabcd@gmail.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/mac802154_hwsim.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ieee802154/mac802154_hwsim.c b/drivers/net/ieee802154/mac802154_hwsim.c
+index bf5ddd12a6f0..b6d967ae6b41 100644
+--- a/drivers/net/ieee802154/mac802154_hwsim.c
++++ b/drivers/net/ieee802154/mac802154_hwsim.c
+@@ -824,12 +824,17 @@ err_pib:
+ static void hwsim_del(struct hwsim_phy *phy)
+ {
+       struct hwsim_pib *pib;
++      struct hwsim_edge *e;
+       hwsim_edge_unsubscribe_me(phy);
+       list_del(&phy->list);
+       rcu_read_lock();
++      list_for_each_entry_rcu(e, &phy->edges, list) {
++              list_del_rcu(&e->list);
++              hwsim_free_edge(e);
++      }
+       pib = rcu_dereference(phy->pib);
+       rcu_read_unlock();
+-- 
+2.30.2
+
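Review bot: The added loop in `hwsim_del()` calls `list_del_rcu()` and `hwsim_free_edge()` inside `rcu_read_lock()`, which protects readers but does not serialise concurrent updates to `phy->edges`. The hunk does not show which lock the callers hold. A comment above the function such as `/* caller must hold the lock that serialises updates to phy->edges */` would record that requirement. Continuing the walk after `hwsim_free_edge(e)` is only safe if that helper defers the free past the grace period, which is not visible here and deserves a one-line comment at the loop. The subject line names `hwsim_add_one` while the change is in `hwsim_del`.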
diff --git a/queue-5.4/ieee802154-hwsim-fix-possible-memory-leak-in-hwsim_s.patch b/queue-5.4/ieee802154-hwsim-fix-possible-memory-leak-in-hwsim_s.patch
new file mode 100644 (file)
index 0000000..37a4743
--- /dev/null
@@ -0,0 +1,49 @@
+From 191038fdae1d7081066c70c6937f51d739e9f87c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jun 2021 09:58:12 +0800
+Subject: ieee802154: hwsim: Fix possible memory leak in
+ hwsim_subscribe_all_others
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit ab372c2293f5d0b279f31c8d768566ea37602dc9 ]
+
+In hwsim_subscribe_all_others, the error handling code performs
+incorrectly if the second hwsim_alloc_edge fails. When this issue occurs,
+it goes to sub_fail, without cleaning the edges allocated before.
+
+Fixes: f25da51fdc38 ("ieee802154: hwsim: add replacement for fakelb")
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Acked-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210611015812.1626999-1-mudongliangabcd@gmail.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/mac802154_hwsim.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ieee802154/mac802154_hwsim.c b/drivers/net/ieee802154/mac802154_hwsim.c
+index c20e7ef18bc9..bf5ddd12a6f0 100644
+--- a/drivers/net/ieee802154/mac802154_hwsim.c
++++ b/drivers/net/ieee802154/mac802154_hwsim.c
+@@ -715,6 +715,8 @@ static int hwsim_subscribe_all_others(struct hwsim_phy *phy)
+       return 0;
++sub_fail:
++      hwsim_edge_unsubscribe_me(phy);
+ me_fail:
+       rcu_read_lock();
+       list_for_each_entry_rcu(e, &phy->edges, list) {
+@@ -722,8 +724,6 @@ me_fail:
+               hwsim_free_edge(e);
+       }
+       rcu_read_unlock();
+-sub_fail:
+-      hwsim_edge_unsubscribe_me(phy);
+       return -ENOMEM;
+ }
+-- 
+2.30.2
+
diff --git a/queue-5.4/iio-accel-bma180-fix-buffer-alignment-in-iio_push_to.patch b/queue-5.4/iio-accel-bma180-fix-buffer-alignment-in-iio_push_to.patch
new file mode 100644 (file)
index 0000000..41ae5a0
--- /dev/null
@@ -0,0 +1,60 @@
+From dcd85c78933a708c06e1ed7a0e4ca37a7bf0ac21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:03 +0100
+Subject: iio: accel: bma180: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit fc36da3131a747a9367a05caf06de19be1bcc972 ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of this function.
+
+Fixes: b9a6a237ffc9 ("iio:bma180: Drop _update_scan_mode()")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Cc: Peter Meerwald <pmeerw@pmeerw.net>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-2-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/accel/bma180.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iio/accel/bma180.c b/drivers/iio/accel/bma180.c
+index 1574e4604a4f..aa301c606346 100644
+--- a/drivers/iio/accel/bma180.c
++++ b/drivers/iio/accel/bma180.c
+@@ -119,7 +119,11 @@ struct bma180_data {
+       int scale;
+       int bw;
+       bool pmode;
+-      u8 buff[16]; /* 3x 16-bit + 8-bit + padding + timestamp */
++      /* Ensure timestamp is naturally aligned */
++      struct {
++              s16 chan[4];
++              s64 timestamp __aligned(8);
++      } scan;
+ };
+ enum bma180_chan {
+@@ -675,12 +679,12 @@ static irqreturn_t bma180_trigger_handler(int irq, void *p)
+                       mutex_unlock(&data->mutex);
+                       goto err;
+               }
+-              ((s16 *)data->buff)[i++] = ret;
++              data->scan.chan[i++] = ret;
+       }
+       mutex_unlock(&data->mutex);
+-      iio_push_to_buffers_with_timestamp(indio_dev, data->buff, time_ns);
++      iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, time_ns);
+ err:
+       iio_trigger_notify_done(indio_dev->trig);
+-- 
+2.30.2
+
diff --git a/queue-5.4/iio-accel-bma220-fix-buffer-alignment-in-iio_push_to.patch b/queue-5.4/iio-accel-bma220-fix-buffer-alignment-in-iio_push_to.patch
new file mode 100644 (file)
index 0000000..7dff63f
--- /dev/null
@@ -0,0 +1,59 @@
+From 0ed881fa077900a049b4bfa69f5dfb608e045a3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:04 +0100
+Subject: iio: accel: bma220: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 151dbf0078da98206817ee0b87d499035479ef11 ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of this function.
+
+Fixes: 194dc4c71413 ("iio: accel: Add triggered buffer support for BMA220")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-3-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/accel/bma220_spi.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iio/accel/bma220_spi.c b/drivers/iio/accel/bma220_spi.c
+index cae905039cb6..71ee42b0266d 100644
+--- a/drivers/iio/accel/bma220_spi.c
++++ b/drivers/iio/accel/bma220_spi.c
+@@ -73,7 +73,11 @@ static const int bma220_scale_table[][4] = {
+ struct bma220_data {
+       struct spi_device *spi_device;
+       struct mutex lock;
+-      s8 buffer[16]; /* 3x8-bit channels + 5x8 padding + 8x8 timestamp */
++      struct {
++              s8 chans[3];
++              /* Ensure timestamp is naturally aligned. */
++              s64 timestamp __aligned(8);
++      } scan;
+       u8 tx_buf[2] ____cacheline_aligned;
+ };
+@@ -104,12 +108,12 @@ static irqreturn_t bma220_trigger_handler(int irq, void *p)
+       mutex_lock(&data->lock);
+       data->tx_buf[0] = BMA220_REG_ACCEL_X | BMA220_READ_MASK;
+-      ret = spi_write_then_read(spi, data->tx_buf, 1, data->buffer,
++      ret = spi_write_then_read(spi, data->tx_buf, 1, &data->scan.chans,
+                                 ARRAY_SIZE(bma220_channels) - 1);
+       if (ret < 0)
+               goto err;
+-      iio_push_to_buffers_with_timestamp(indio_dev, data->buffer,
++      iio_push_to_buffers_with_timestamp(indio_dev, &data->scan,
+                                          pf->timestamp);
+ err:
+       mutex_unlock(&data->lock);
+-- 
+2.30.2
+
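Review bot: The read length passed to `spi_write_then_read()` in `bma220_trigger_handler()` is still `ARRAY_SIZE(bma220_channels) - 1`, while the destination is now the three-byte `data->scan.chans`. The two sizes agree only by convention, so adding an entry to `bma220_channels` would make the read run past `chans` into the padding and timestamp. Using the destination's own size removes that coupling: `ret = spi_write_then_read(spi, data->tx_buf, 1, &data->scan.chans, sizeof(data->scan.chans));`. The handler's body starts and ends outside the hunk.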
diff --git a/queue-5.4/iio-accel-hid-fix-buffer-alignment-in-iio_push_to_bu.patch b/queue-5.4/iio-accel-hid-fix-buffer-alignment-in-iio_push_to_bu.patch
new file mode 100644 (file)
index 0000000..ef235be
--- /dev/null
@@ -0,0 +1,68 @@
+From c464252ba8aab8b47dbdecc854d5e36e6558d637 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:05 +0100
+Subject: iio: accel: hid: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit c6559bf796ccdb3a0c79db846af96c8f7046880b ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+Note this matches what was done in all the other hid sensor drivers.
+This one was missed previously due to an extra level of indirection.
+
+Found during an audit of all calls of this function.
+
+Fixes: a96cd0f901ee ("iio: accel: hid-sensor-accel-3d: Add timestamp")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Cc: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-4-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/accel/hid-sensor-accel-3d.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/iio/accel/hid-sensor-accel-3d.c b/drivers/iio/accel/hid-sensor-accel-3d.c
+index 0d9e2def2b25..f908476fa095 100644
+--- a/drivers/iio/accel/hid-sensor-accel-3d.c
++++ b/drivers/iio/accel/hid-sensor-accel-3d.c
+@@ -29,8 +29,11 @@ struct accel_3d_state {
+       struct hid_sensor_hub_callbacks callbacks;
+       struct hid_sensor_common common_attributes;
+       struct hid_sensor_hub_attribute_info accel[ACCEL_3D_CHANNEL_MAX];
+-      /* Reserve for 3 channels + padding + timestamp */
+-      u32 accel_val[ACCEL_3D_CHANNEL_MAX + 3];
++      /* Ensure timestamp is naturally aligned */
++      struct {
++              u32 accel_val[3];
++              s64 timestamp __aligned(8);
++      } scan;
+       int scale_pre_decml;
+       int scale_post_decml;
+       int scale_precision;
+@@ -241,8 +244,8 @@ static int accel_3d_proc_event(struct hid_sensor_hub_device *hsdev,
+                       accel_state->timestamp = iio_get_time_ns(indio_dev);
+               hid_sensor_push_data(indio_dev,
+-                                   accel_state->accel_val,
+-                                   sizeof(accel_state->accel_val),
++                                   &accel_state->scan,
++                                   sizeof(accel_state->scan),
+                                    accel_state->timestamp);
+               accel_state->timestamp = 0;
+@@ -267,7 +270,7 @@ static int accel_3d_capture_sample(struct hid_sensor_hub_device *hsdev,
+       case HID_USAGE_SENSOR_ACCEL_Y_AXIS:
+       case HID_USAGE_SENSOR_ACCEL_Z_AXIS:
+               offset = usage_id - HID_USAGE_SENSOR_ACCEL_X_AXIS;
+-              accel_state->accel_val[CHANNEL_SCAN_INDEX_X + offset] =
++              accel_state->scan.accel_val[CHANNEL_SCAN_INDEX_X + offset] =
+                                               *(u32 *)raw_data;
+               ret = 0;
+       break;
+-- 
+2.30.2
+
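Review bot: `u32 accel_val[3];` in the new `scan` struct hard-codes the channel count, while the `accel[]` array just above it is sized by `ACCEL_3D_CHANNEL_MAX` and `accel_3d_capture_sample()` indexes with `CHANNEL_SCAN_INDEX_X + offset`. Declaring it as `u32 accel_val[ACCEL_3D_CHANNEL_MAX];` keeps the bound tied to the enum that produces the index, assuming that constant is 3 as the removed `ACCEL_3D_CHANNEL_MAX + 3` sizing suggests. The store `*(u32 *)raw_data` also reads four bytes with no length check visible in the hunk; whether the caller guarantees that size cannot be told from here. Both functions start and end outside their hunks.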
diff --git a/queue-5.4/iio-accel-kxcjk-1013-fix-buffer-alignment-in-iio_pus.patch b/queue-5.4/iio-accel-kxcjk-1013-fix-buffer-alignment-in-iio_pus.patch
new file mode 100644 (file)
index 0000000..2e179f4
--- /dev/null
@@ -0,0 +1,86 @@
+From 08d449295c512270ad29f4a5aa6cc8d1c67e05a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:06 +0100
+Subject: iio: accel: kxcjk-1013: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 3ab3aa2e7bd57497f9a7c6275c00dce237d2c9ba ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of this function.
+
+Fixes: 1a4fbf6a9286 ("iio: accel: kxcjk1013 3-axis accelerometer driver")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Cc: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-5-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/accel/kxcjk-1013.c | 24 ++++++++++++++----------
+ 1 file changed, 14 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/iio/accel/kxcjk-1013.c b/drivers/iio/accel/kxcjk-1013.c
+index da9452e81105..57db60bf2d4c 100644
+--- a/drivers/iio/accel/kxcjk-1013.c
++++ b/drivers/iio/accel/kxcjk-1013.c
+@@ -132,12 +132,23 @@ enum kx_acpi_type {
+       ACPI_KIOX010A,
+ };
++enum kxcjk1013_axis {
++      AXIS_X,
++      AXIS_Y,
++      AXIS_Z,
++      AXIS_MAX
++};
++
+ struct kxcjk1013_data {
+       struct i2c_client *client;
+       struct iio_trigger *dready_trig;
+       struct iio_trigger *motion_trig;
+       struct mutex mutex;
+-      s16 buffer[8];
++      /* Ensure timestamp naturally aligned */
++      struct {
++              s16 chans[AXIS_MAX];
++              s64 timestamp __aligned(8);
++      } scan;
+       u8 odr_bits;
+       u8 range;
+       int wake_thres;
+@@ -151,13 +162,6 @@ struct kxcjk1013_data {
+       enum kx_acpi_type acpi_type;
+ };
+-enum kxcjk1013_axis {
+-      AXIS_X,
+-      AXIS_Y,
+-      AXIS_Z,
+-      AXIS_MAX,
+-};
+-
+ enum kxcjk1013_mode {
+       STANDBY,
+       OPERATION,
+@@ -1078,12 +1082,12 @@ static irqreturn_t kxcjk1013_trigger_handler(int irq, void *p)
+       ret = i2c_smbus_read_i2c_block_data_or_emulated(data->client,
+                                                       KXCJK1013_REG_XOUT_L,
+                                                       AXIS_MAX * 2,
+-                                                      (u8 *)data->buffer);
++                                                      (u8 *)data->scan.chans);
+       mutex_unlock(&data->mutex);
+       if (ret < 0)
+               goto err;
+-      iio_push_to_buffers_with_timestamp(indio_dev, data->buffer,
++      iio_push_to_buffers_with_timestamp(indio_dev, &data->scan,
+                                          data->timestamp);
+ err:
+       iio_trigger_notify_done(indio_dev->trig);
+-- 
+2.30.2
+
diff --git a/queue-5.4/iio-accel-mxc4005-drop-unnecessary-explicit-casts-in.patch b/queue-5.4/iio-accel-mxc4005-drop-unnecessary-explicit-casts-in.patch
new file mode 100644 (file)
index 0000000..e3e9740
--- /dev/null
@@ -0,0 +1,47 @@
+From 3ae5a02839662fd71ac8f5c2cedeac658be70b3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Apr 2020 19:03:16 +0100
+Subject: iio:accel:mxc4005: Drop unnecessary explicit casts in
+ regmap_bulk_read calls
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit b01401a228bc4997b0d4bcb669fced448f7a15ca ]
+
+regmap_bulk_read takes a void * for its val parameter. It certainly
+makes no sense to cast to a (u8 *) + no need to explicitly cast
+at all when converting another pointer type to void *.
+
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/accel/mxc4005.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iio/accel/mxc4005.c b/drivers/iio/accel/mxc4005.c
+index 3d5bea651923..9d07642c0de1 100644
+--- a/drivers/iio/accel/mxc4005.c
++++ b/drivers/iio/accel/mxc4005.c
+@@ -135,7 +135,7 @@ static int mxc4005_read_xyz(struct mxc4005_data *data)
+       int ret;
+       ret = regmap_bulk_read(data->regmap, MXC4005_REG_XOUT_UPPER,
+-                             (u8 *) data->buffer, sizeof(data->buffer));
++                             data->buffer, sizeof(data->buffer));
+       if (ret < 0) {
+               dev_err(data->dev, "failed to read axes\n");
+               return ret;
+@@ -150,7 +150,7 @@ static int mxc4005_read_axis(struct mxc4005_data *data,
+       __be16 reg;
+       int ret;
+-      ret = regmap_bulk_read(data->regmap, addr, (u8 *) &reg, sizeof(reg));
++      ret = regmap_bulk_read(data->regmap, addr, &reg, sizeof(reg));
+       if (ret < 0) {
+               dev_err(data->dev, "failed to read reg %02x\n", addr);
+               return ret;
+-- 
+2.30.2
+
diff --git a/queue-5.4/iio-accel-mxc4005-fix-overread-of-data-and-alignment.patch b/queue-5.4/iio-accel-mxc4005-fix-overread-of-data-and-alignment.patch
new file mode 100644 (file)
index 0000000..4612906
--- /dev/null
@@ -0,0 +1,63 @@
+From a8264a6c290ef3546f00fc6961422b122bffe28f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:07 +0100
+Subject: iio: accel: mxc4005: Fix overread of data and alignment issue.
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit f65802284a3a337510d7f8f916c97d66c74f2e71 ]
+
+The bulk read size is based on the size of an array that also has
+space for the timestamp alongside the channels.
+Fix that and also fix alignment of the buffer passed
+to iio_push_to_buffers_with_timestamp.
+
+Found during an audit of all calls to this function.
+
+Fixes: 1ce0eda0f757 ("iio: mxc4005: add triggered buffer mode for mxc4005")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-6-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/accel/mxc4005.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iio/accel/mxc4005.c b/drivers/iio/accel/mxc4005.c
+index 9d07642c0de1..d81b02642a0b 100644
+--- a/drivers/iio/accel/mxc4005.c
++++ b/drivers/iio/accel/mxc4005.c
+@@ -56,7 +56,11 @@ struct mxc4005_data {
+       struct mutex mutex;
+       struct regmap *regmap;
+       struct iio_trigger *dready_trig;
+-      __be16 buffer[8];
++      /* Ensure timestamp is naturally aligned */
++      struct {
++              __be16 chans[3];
++              s64 timestamp __aligned(8);
++      } scan;
+       bool trigger_enabled;
+ };
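Review bot: The bare `3` in `__be16 chans[3]` now decides how many bytes are read from the device, because mxc4005_read_xyz() in the next hunk passes `sizeof(data->scan.chans)` as the bulk-read length. The comment above the struct covers only the timestamp alignment, so this coupling is undocumented. A comment on the member would record it, for example `/* X, Y, Z samples; sizeof() of this array is the regmap_bulk_read() length */`. A named channel-count constant instead of the literal would make the same point, if the driver has one (none is visible in this hunk).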
+@@ -135,7 +139,7 @@ static int mxc4005_read_xyz(struct mxc4005_data *data)
+       int ret;
+       ret = regmap_bulk_read(data->regmap, MXC4005_REG_XOUT_UPPER,
+-                             data->buffer, sizeof(data->buffer));
++                             data->scan.chans, sizeof(data->scan.chans));
+       if (ret < 0) {
+               dev_err(data->dev, "failed to read axes\n");
+               return ret;
+@@ -301,7 +305,7 @@ static irqreturn_t mxc4005_trigger_handler(int irq, void *private)
+       if (ret < 0)
+               goto err;
+-      iio_push_to_buffers_with_timestamp(indio_dev, data->buffer,
++      iio_push_to_buffers_with_timestamp(indio_dev, &data->scan,
+                                          pf->timestamp);
+ err:
+-- 
+2.30.2
+
diff --git a/queue-5.4/iio-accel-stk8312-fix-buffer-alignment-in-iio_push_t.patch b/queue-5.4/iio-accel-stk8312-fix-buffer-alignment-in-iio_push_t.patch
new file mode 100644 (file)
index 0000000..fd9f255
--- /dev/null
@@ -0,0 +1,68 @@
+From 29a1de83dd175242c247a26fe0dd77be58199bad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:08 +0100
+Subject: iio: accel: stk8312: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit f40a71ffec808e7e51848f63f0c0d3c32d65081b ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of this function.
+
+Fixes: 95c12bba51c3 ("iio: accel: Add buffer mode for Sensortek STK8312")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-7-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/accel/stk8312.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/iio/accel/stk8312.c b/drivers/iio/accel/stk8312.c
+index 58c160ccdee7..be66b8523977 100644
+--- a/drivers/iio/accel/stk8312.c
++++ b/drivers/iio/accel/stk8312.c
+@@ -103,7 +103,11 @@ struct stk8312_data {
+       u8 mode;
+       struct iio_trigger *dready_trig;
+       bool dready_trigger_on;
+-      s8 buffer[16]; /* 3x8-bit channels + 5x8 padding + 64-bit timestamp */
++      /* Ensure timestamp is naturally aligned */
++      struct {
++              s8 chans[3];
++              s64 timestamp __aligned(8);
++      } scan;
+ };
+ static IIO_CONST_ATTR(in_accel_scale_available, STK8312_SCALE_AVAIL);
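Review bot: `s8 chans[3]` in the new scan struct and the `STK8312_ALL_CHANNEL_SIZE` length passed to i2c_smbus_read_i2c_block_data() in the next hunk are tied together only by convention. The old 16-byte buffer had slack after the samples; the new array has none. If the macro is already defined at the struct (its definition is not visible here), declare `s8 chans[STK8312_ALL_CHANNEL_SIZE];`. Otherwise add `BUILD_BUG_ON(sizeof(data->scan.chans) != STK8312_ALL_CHANNEL_SIZE);` beside the read, so that a mismatch fails the build instead of writing past the array. The same applies to `s16 chans[3]` and `STK8BA50_ALL_CHANNEL_SIZE` in the stk8ba50 patch.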
+@@ -438,7 +442,7 @@ static irqreturn_t stk8312_trigger_handler(int irq, void *p)
+               ret = i2c_smbus_read_i2c_block_data(data->client,
+                                                   STK8312_REG_XOUT,
+                                                   STK8312_ALL_CHANNEL_SIZE,
+-                                                  data->buffer);
++                                                  data->scan.chans);
+               if (ret < STK8312_ALL_CHANNEL_SIZE) {
+                       dev_err(&data->client->dev, "register read failed\n");
+                       mutex_unlock(&data->lock);
+@@ -452,12 +456,12 @@ static irqreturn_t stk8312_trigger_handler(int irq, void *p)
+                               mutex_unlock(&data->lock);
+                               goto err;
+                       }
+-                      data->buffer[i++] = ret;
++                      data->scan.chans[i++] = ret;
+               }
+       }
+       mutex_unlock(&data->lock);
+-      iio_push_to_buffers_with_timestamp(indio_dev, data->buffer,
++      iio_push_to_buffers_with_timestamp(indio_dev, &data->scan,
+                                          pf->timestamp);
+ err:
+       iio_trigger_notify_done(indio_dev->trig);
+-- 
+2.30.2
+
diff --git a/queue-5.4/iio-accel-stk8ba50-fix-buffer-alignment-in-iio_push_.patch b/queue-5.4/iio-accel-stk8ba50-fix-buffer-alignment-in-iio_push_.patch
new file mode 100644 (file)
index 0000000..d8baf50
--- /dev/null
@@ -0,0 +1,71 @@
+From aa2d68549f37d370a2102afd604350620c56a3cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:09 +0100
+Subject: iio: accel: stk8ba50: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 334883894bc1e145a1e0f5de1b0d1b6a1133f0e6 ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of this function.
+
+Fixes: db6a19b8251f ("iio: accel: Add trigger support for STK8BA50")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-8-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/accel/stk8ba50.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/iio/accel/stk8ba50.c b/drivers/iio/accel/stk8ba50.c
+index c70ddec29eb4..edba3c13a979 100644
+--- a/drivers/iio/accel/stk8ba50.c
++++ b/drivers/iio/accel/stk8ba50.c
+@@ -91,12 +91,11 @@ struct stk8ba50_data {
+       u8 sample_rate_idx;
+       struct iio_trigger *dready_trig;
+       bool dready_trigger_on;
+-      /*
+-       * 3 x 16-bit channels (10-bit data, 6-bit padding) +
+-       * 1 x 16 padding +
+-       * 4 x 16 64-bit timestamp
+-       */
+-      s16 buffer[8];
++      /* Ensure timestamp is naturally aligned */
++      struct {
++              s16 chans[3];
++              s64 timetamp __aligned(8);
++      } scan;
+ };
+ #define STK8BA50_ACCEL_CHANNEL(index, reg, axis) {                    \
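Review bot: The timestamp member of the new scan struct is spelled `timetamp`. No visible line references the field by name, so the typo compiles and the layout is unaffected. It does differ from the `timestamp` member in the other drivers' scan structs in this series, and a search for that name will miss it. Rename it: `s64 timestamp __aligned(8);`.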
+@@ -324,7 +323,7 @@ static irqreturn_t stk8ba50_trigger_handler(int irq, void *p)
+               ret = i2c_smbus_read_i2c_block_data(data->client,
+                                                   STK8BA50_REG_XOUT,
+                                                   STK8BA50_ALL_CHANNEL_SIZE,
+-                                                  (u8 *)data->buffer);
++                                                  (u8 *)data->scan.chans);
+               if (ret < STK8BA50_ALL_CHANNEL_SIZE) {
+                       dev_err(&data->client->dev, "register read failed\n");
+                       goto err;
+@@ -337,10 +336,10 @@ static irqreturn_t stk8ba50_trigger_handler(int irq, void *p)
+                       if (ret < 0)
+                               goto err;
+-                      data->buffer[i++] = ret;
++                      data->scan.chans[i++] = ret;
+               }
+       }
+-      iio_push_to_buffers_with_timestamp(indio_dev, data->buffer,
++      iio_push_to_buffers_with_timestamp(indio_dev, &data->scan,
+                                          pf->timestamp);
+ err:
+       mutex_unlock(&data->lock);
+-- 
+2.30.2
+
diff --git a/queue-5.4/iio-adc-at91-sama5d2-fix-buffer-alignment-in-iio_pus.patch b/queue-5.4/iio-adc-at91-sama5d2-fix-buffer-alignment-in-iio_pus.patch
new file mode 100644 (file)
index 0000000..dd8c7de
--- /dev/null
@@ -0,0 +1,45 @@
+From a7a2217abe3afd30b2bda1d531d664117dbedbb2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Jun 2021 16:22:54 +0100
+Subject: iio: adc: at91-sama5d2: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 8f884758966259fa8c50c137ac6d4ce9bb7859db ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of this function.
+
+Fixes: 5e1a1da0f8c9 ("iio: adc: at91-sama5d2_adc: add hw trigger and buffer support")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Cc: Eugen Hristev <eugen.hristev@microchip.com>
+Reviewed-by: Nuno Sá <nuno.sa@analog.com>
+Link: https://lore.kernel.org/r/20210613152301.571002-2-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/at91-sama5d2_adc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iio/adc/at91-sama5d2_adc.c b/drivers/iio/adc/at91-sama5d2_adc.c
+index bafb9dded0ea..def4abeb47ca 100644
+--- a/drivers/iio/adc/at91-sama5d2_adc.c
++++ b/drivers/iio/adc/at91-sama5d2_adc.c
+@@ -400,7 +400,8 @@ struct at91_adc_state {
+       struct at91_adc_dma             dma_st;
+       struct at91_adc_touch           touch_st;
+       struct iio_dev                  *indio_dev;
+-      u16                             buffer[AT91_BUFFER_MAX_HWORDS];
++      /* Ensure naturally aligned timestamp */
++      u16                             buffer[AT91_BUFFER_MAX_HWORDS] __aligned(8);
+       /*
+        * lock to prevent concurrent 'single conversion' requests through
+        * sysfs.
+-- 
+2.30.2
+
diff --git a/queue-5.4/iio-adc-hx711-fix-buffer-alignment-in-iio_push_to_bu.patch b/queue-5.4/iio-adc-hx711-fix-buffer-alignment-in-iio_push_to_bu.patch
new file mode 100644 (file)
index 0000000..54f2cc8
--- /dev/null
@@ -0,0 +1,47 @@
+From b3d8b121b982effaaaad3bed7ed313c822d2024e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Jun 2021 16:22:55 +0100
+Subject: iio: adc: hx711: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit afe2a789fbf7acd1a05407fc7839cc08d23825e3 ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of this function.
+
+Fixes: d3bf60450d47 ("iio: hx711: add triggered buffer support")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Cc: Andreas Klinger <ak@it-klinger.de>
+Reviewed-by: Nuno Sá <nuno.sa@analog.com>
+Link: https://lore.kernel.org/r/20210613152301.571002-3-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/hx711.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iio/adc/hx711.c b/drivers/iio/adc/hx711.c
+index 62e6c8badd22..a3265166fd83 100644
+--- a/drivers/iio/adc/hx711.c
++++ b/drivers/iio/adc/hx711.c
+@@ -85,9 +85,9 @@ struct hx711_data {
+       struct mutex            lock;
+       /*
+        * triggered buffer
+-       * 2x32-bit channel + 64-bit timestamp
++       * 2x32-bit channel + 64-bit naturally aligned timestamp
+        */
+-      u32                     buffer[4];
++      u32                     buffer[4] __aligned(8);
+       /*
+        * delay after a rising edge on SCK until the data is ready DOUT
+        * this is dependent on the hx711 where the datasheet tells a
+-- 
+2.30.2
+
diff --git a/queue-5.4/iio-adc-mxs-lradc-fix-buffer-alignment-in-iio_push_t.patch b/queue-5.4/iio-adc-mxs-lradc-fix-buffer-alignment-in-iio_push_t.patch
new file mode 100644 (file)
index 0000000..27dc76a
--- /dev/null
@@ -0,0 +1,47 @@
+From 79f4386efa0d07a4b3ea7ab5e2d670618e19b218 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Jun 2021 16:22:56 +0100
+Subject: iio: adc: mxs-lradc: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 6a6be221b8bd561b053f0701ec752a5ed9007f69 ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+Add a comment on why the buffer is the size it is as not immediately
+obvious.
+
+Found during an audit of all calls of this function.
+
+Fixes: 6dd112b9f85e ("iio: adc: mxs-lradc: Add support for ADC driver")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Cc: Andreas Klinger <ak@it-klinger.de>
+Reviewed-by: Nuno Sá <nuno.sa@analog.com>
+Link: https://lore.kernel.org/r/20210613152301.571002-4-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/mxs-lradc-adc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iio/adc/mxs-lradc-adc.c b/drivers/iio/adc/mxs-lradc-adc.c
+index 9d2f74c2489a..01f85bbe6a2e 100644
+--- a/drivers/iio/adc/mxs-lradc-adc.c
++++ b/drivers/iio/adc/mxs-lradc-adc.c
+@@ -115,7 +115,8 @@ struct mxs_lradc_adc {
+       struct device           *dev;
+       void __iomem            *base;
+-      u32                     buffer[10];
++      /* Maximum of 8 channels + 8 byte ts */
++      u32                     buffer[10] __aligned(8);
+       struct iio_trigger      *trig;
+       struct completion       completion;
+       spinlock_t              lock;
+-- 
+2.30.2
+
diff --git a/queue-5.4/iio-adc-ti-ads1015-fix-buffer-alignment-in-iio_push_.patch b/queue-5.4/iio-adc-ti-ads1015-fix-buffer-alignment-in-iio_push_.patch
new file mode 100644 (file)
index 0000000..193c033
--- /dev/null
@@ -0,0 +1,63 @@
+From 1562f99dfd121a5b69f99cfde4b987dd6b638775 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:10 +0100
+Subject: iio: adc: ti-ads1015: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit d85d71dd1ab67eaa7351f69fec512d8f09d164e1 ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of this function.
+
+Fixes: ecc24e72f437 ("iio: adc: Add TI ADS1015 ADC driver support")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Cc: Daniel Baluta <daniel.baluta@nxp.com>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-9-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/ti-ads1015.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/iio/adc/ti-ads1015.c b/drivers/iio/adc/ti-ads1015.c
+index 871690a47661..7929891f568e 100644
+--- a/drivers/iio/adc/ti-ads1015.c
++++ b/drivers/iio/adc/ti-ads1015.c
+@@ -388,10 +388,14 @@ static irqreturn_t ads1015_trigger_handler(int irq, void *p)
+       struct iio_poll_func *pf = p;
+       struct iio_dev *indio_dev = pf->indio_dev;
+       struct ads1015_data *data = iio_priv(indio_dev);
+-      s16 buf[8]; /* 1x s16 ADC val + 3x s16 padding +  4x s16 timestamp */
++      /* Ensure natural alignment of timestamp */
++      struct {
++              s16 chan;
++              s64 timestamp __aligned(8);
++      } scan;
+       int chan, ret, res;
+-      memset(buf, 0, sizeof(buf));
++      memset(&scan, 0, sizeof(scan));
+       mutex_lock(&data->lock);
+       chan = find_first_bit(indio_dev->active_scan_mask,
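Review bot: The `memset(&scan, 0, sizeof(scan))` is now the only thing keeping stack contents out of the pushed sample, and nothing says so. The on-stack struct has 6 bytes of padding between `chan` and the 8-byte-aligned `timestamp`, and the next hunk hands `&scan` to iio_push_to_buffers_with_timestamp(). A comment above the memset would protect it from a later cleanup, for example `/* Clear the padding too: the struct, holes included, is pushed to the buffer */`. The function body starts before and continues after this hunk.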
+@@ -402,10 +406,10 @@ static irqreturn_t ads1015_trigger_handler(int irq, void *p)
+               goto err;
+       }
+-      buf[0] = res;
++      scan.chan = res;
+       mutex_unlock(&data->lock);
+-      iio_push_to_buffers_with_timestamp(indio_dev, buf,
++      iio_push_to_buffers_with_timestamp(indio_dev, &scan,
+                                          iio_get_time_ns(indio_dev));
+ err:
+-- 
+2.30.2
+
diff --git a/queue-5.4/iio-adc-ti-ads8688-fix-alignment-of-buffer-in-iio_pu.patch b/queue-5.4/iio-adc-ti-ads8688-fix-alignment-of-buffer-in-iio_pu.patch
new file mode 100644 (file)
index 0000000..fa1b9f4
--- /dev/null
@@ -0,0 +1,43 @@
+From fd7da859978c52799c0872504216d4238a03533b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Jun 2021 16:22:57 +0100
+Subject: iio: adc: ti-ads8688: Fix alignment of buffer in
+ iio_push_to_buffers_with_timestamp()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 61fa5dfa5f52806f5ce37a0ba5712c271eb22f98 ]
+
+Add __aligned(8) to ensure the buffer passed to
+iio_push_to_buffers_with_timestamp() is suitable for the naturally
+aligned timestamp that will be inserted.
+
+Fixes: f214ff521fb1 ("iio: ti-ads8688: Update buffer allocation for timestamps")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Nuno Sá <nuno.sa@analog.com>
+Link: https://lore.kernel.org/r/20210613152301.571002-5-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/ti-ads8688.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iio/adc/ti-ads8688.c b/drivers/iio/adc/ti-ads8688.c
+index 14fe7c320b52..55a2d619d6dd 100644
+--- a/drivers/iio/adc/ti-ads8688.c
++++ b/drivers/iio/adc/ti-ads8688.c
+@@ -383,7 +383,8 @@ static irqreturn_t ads8688_trigger_handler(int irq, void *p)
+ {
+       struct iio_poll_func *pf = p;
+       struct iio_dev *indio_dev = pf->indio_dev;
+-      u16 buffer[ADS8688_MAX_CHANNELS + sizeof(s64)/sizeof(u16)];
++      /* Ensure naturally aligned timestamp */
++      u16 buffer[ADS8688_MAX_CHANNELS + sizeof(s64)/sizeof(u16)] __aligned(8);
+       int i, j = 0;
+       for (i = 0; i < indio_dev->masklength; i++) {
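Review bot: `buffer` in ads8688_trigger_handler() is an on-stack array declared without an initializer, and the added `__aligned(8)` does not change that. The loop that starts on the last line of the hunk appears to fill only the slots of enabled channels; its body is outside the hunk, so this is inferred. If so, the slots between the last sample and the timestamp would carry stale kernel stack bytes when the buffer is pushed to consumers. Zero it at the declaration, `u16 buffer[ADS8688_MAX_CHANNELS + sizeof(s64)/sizeof(u16)] __aligned(8) = { };`, or with a `memset(buffer, 0, sizeof(buffer));` before the loop.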
+-- 
+2.30.2
+
diff --git a/queue-5.4/iio-adc-vf610-fix-buffer-alignment-in-iio_push_to_bu.patch b/queue-5.4/iio-adc-vf610-fix-buffer-alignment-in-iio_push_to_bu.patch
new file mode 100644 (file)
index 0000000..45beaf3
--- /dev/null
@@ -0,0 +1,59 @@
+From 3740acf058553fd0dcaa0154fe06f1f40d5cb955 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:11 +0100
+Subject: iio: adc: vf610: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 7765dfaa22ea08abf0c175e7553826ba2a939632 ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of uses of
+iio_push_to_buffers_with_timestamp()
+
+Fixes: 0010d6b44406 ("iio: adc: vf610: Add IIO buffer support for Vybrid ADC")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Cc: Stefan-Gabriel Mirea <stefan-gabriel.mirea@nxp.com>
+Cc: Sanchayan Maity <maitysanchayan@gmail.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-10-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/vf610_adc.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iio/adc/vf610_adc.c b/drivers/iio/adc/vf610_adc.c
+index 98b30475bbc6..0d29fe974d70 100644
+--- a/drivers/iio/adc/vf610_adc.c
++++ b/drivers/iio/adc/vf610_adc.c
+@@ -167,7 +167,11 @@ struct vf610_adc {
+       u32 sample_freq_avail[5];
+       struct completion completion;
+-      u16 buffer[8];
++      /* Ensure the timestamp is naturally aligned */
++      struct {
++              u16 chan;
++              s64 timestamp __aligned(8);
++      } scan;
+ };
+ static const u32 vf610_hw_avgs[] = { 1, 4, 8, 16, 32 };
+@@ -579,9 +583,9 @@ static irqreturn_t vf610_adc_isr(int irq, void *dev_id)
+       if (coco & VF610_ADC_HS_COCO0) {
+               info->value = vf610_adc_read_data(info);
+               if (iio_buffer_enabled(indio_dev)) {
+-                      info->buffer[0] = info->value;
++                      info->scan.chan = info->value;
+                       iio_push_to_buffers_with_timestamp(indio_dev,
+-                                      info->buffer,
++                                      &info->scan,
+                                       iio_get_time_ns(indio_dev));
+                       iio_trigger_notify_done(indio_dev->trig);
+               } else
+-- 
+2.30.2
+
diff --git a/queue-5.4/iio-adis16400-do-not-return-ints-in-irq-handlers.patch b/queue-5.4/iio-adis16400-do-not-return-ints-in-irq-handlers.patch
new file mode 100644 (file)
index 0000000..575712b
--- /dev/null
@@ -0,0 +1,42 @@
+From 79cfcc038ea73174da6c0cc5087eed29baf0ed0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Apr 2021 12:19:04 +0200
+Subject: iio: adis16400: do not return ints in irq handlers
+
+From: Nuno Sa <nuno.sa@analog.com>
+
+[ Upstream commit ab3df79782e7d8a27a58576c9b4e8c6c4879ad79 ]
+
+On an IRQ handler we should not return normal error codes as 'irqreturn_t'
+is expected.
+
+Not necessary to apply to stable as the original check cannot fail and
+as such the bug cannot actually occur.
+
+Fixes: 5eda3550a3cc1 ("staging:iio:adis16400: Preallocate transfer message")
+Reviewed-by: Alexandru Ardelean <ardeleanalex@gmail.com>
+Signed-off-by: Nuno Sa <nuno.sa@analog.com>
+Link: https://lore.kernel.org/r/20210422101911.135630-3-nuno.sa@analog.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/imu/adis16400.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/iio/imu/adis16400.c b/drivers/iio/imu/adis16400.c
+index 59e33302042c..afa9d26362da 100644
+--- a/drivers/iio/imu/adis16400.c
++++ b/drivers/iio/imu/adis16400.c
+@@ -651,9 +651,6 @@ static irqreturn_t adis16400_trigger_handler(int irq, void *p)
+       void *buffer;
+       int ret;
+-      if (!adis->buffer)
+-              return -ENOMEM;
+-
+       if (!(st->variant->flags & ADIS16400_NO_BURST) &&
+               st->adis.spi->max_speed_hz > ADIS16400_SPI_BURST) {
+               st->adis.spi->max_speed_hz = ADIS16400_SPI_BURST;
+-- 
+2.30.2
+
diff --git a/queue-5.4/iio-adis_buffer-do-not-return-ints-in-irq-handlers.patch b/queue-5.4/iio-adis_buffer-do-not-return-ints-in-irq-handlers.patch
new file mode 100644 (file)
index 0000000..e9a82f6
--- /dev/null
@@ -0,0 +1,42 @@
+From 243703f1a7e5737c05bbcea2a54e098e2950caab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Apr 2021 12:19:03 +0200
+Subject: iio: adis_buffer: do not return ints in irq handlers
+
+From: Nuno Sa <nuno.sa@analog.com>
+
+[ Upstream commit d877539ad8e8fdde9af69887055fec6402be1a13 ]
+
+On an IRQ handler we should not return normal error codes as 'irqreturn_t'
+is expected.
+
+Not necessarily stable material as the old check cannot fail, so it's a bug
+we can not hit.
+
+Fixes: ccd2b52f4ac69 ("staging:iio: Add common ADIS library")
+Reviewed-by: Alexandru Ardelean <ardeleanalex@gmail.com>
+Signed-off-by: Nuno Sa <nuno.sa@analog.com>
+Link: https://lore.kernel.org/r/20210422101911.135630-2-nuno.sa@analog.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/imu/adis_buffer.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/iio/imu/adis_buffer.c b/drivers/iio/imu/adis_buffer.c
+index 4998a89d083d..8f8c1a87567b 100644
+--- a/drivers/iio/imu/adis_buffer.c
++++ b/drivers/iio/imu/adis_buffer.c
+@@ -125,9 +125,6 @@ static irqreturn_t adis_trigger_handler(int irq, void *p)
+       struct adis *adis = iio_device_get_drvdata(indio_dev);
+       int ret;
+-      if (!adis->buffer)
+-              return -ENOMEM;
+-
+       if (adis->data->has_paging) {
+               mutex_lock(&adis->txrx_lock);
+               if (adis->current_page != 0) {
+-- 
+2.30.2
+
diff --git a/queue-5.4/iio-at91-sama5d2_adc-remove-usage-of-iio_priv_to_dev.patch b/queue-5.4/iio-at91-sama5d2_adc-remove-usage-of-iio_priv_to_dev.patch
new file mode 100644 (file)
index 0000000..67c495d
--- /dev/null
@@ -0,0 +1,169 @@
+From 82a8ae6b73fe5d5768e3d7bbb27e344592813943 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 May 2020 13:53:41 +0300
+Subject: iio: at91-sama5d2_adc: remove usage of iio_priv_to_dev() helper
+
+From: Alexandru Ardelean <alexandru.ardelean@analog.com>
+
+[ Upstream commit ebf35aad0baa05823df31fda42df4b67f72e6e72 ]
+
+We may want to get rid of the iio_priv_to_dev() helper. The reason is that
+we will hide some of the members of the iio_dev structure (to prevent
+drivers from accessing them directly), and that will also mean hiding the
+implementation of the iio_priv_to_dev() helper inside the IIO core.
+
+Hiding the implementation of iio_priv_to_dev() implies that some fast-paths
+may not be fast anymore, so a general idea is to try to get rid of the
+iio_priv_to_dev() altogether.
+The iio_priv() helper won't be affected by the rework, as the iio_dev
+struct will keep a reference to the private information.
+
+For this driver, not using iio_priv_to_dev(), means reworking some paths to
+pass the iio device and using iio_priv() to access the private information,
+and also keeping a reference to the iio device for some quirky paths.
+
+One [quirky] path is the at91_adc_workq_handler() which requires the IIO
+device & the state struct to push to buffers.
+Since this requires the back-ref to the IIO device, the
+at91_adc_touch_pos() also uses it. This simplifies the patch a bit. The
+information required in this function is mostly for debugging purposes.
+Replacing it with a reference to the IIO device would have been a slightly
+bigger change, which may not be worth it (for just the debugging purpose
+and given that we need the back-ref to the IIO device anyway).
+
+Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/at91-sama5d2_adc.c | 30 +++++++++++++++++-------------
+ 1 file changed, 17 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/iio/adc/at91-sama5d2_adc.c b/drivers/iio/adc/at91-sama5d2_adc.c
+index 2c01963a6a5c..bafb9dded0ea 100644
+--- a/drivers/iio/adc/at91-sama5d2_adc.c
++++ b/drivers/iio/adc/at91-sama5d2_adc.c
+@@ -399,6 +399,7 @@ struct at91_adc_state {
+       wait_queue_head_t               wq_data_available;
+       struct at91_adc_dma             dma_st;
+       struct at91_adc_touch           touch_st;
++      struct iio_dev                  *indio_dev;
+       u16                             buffer[AT91_BUFFER_MAX_HWORDS];
+       /*
+        * lock to prevent concurrent 'single conversion' requests through
+@@ -624,13 +625,13 @@ static u16 at91_adc_touch_pos(struct at91_adc_state *st, int reg)
+       /* first half of register is the x or y, second half is the scale */
+       val = at91_adc_readl(st, reg);
+       if (!val)
+-              dev_dbg(&iio_priv_to_dev(st)->dev, "pos is 0\n");
++              dev_dbg(&st->indio_dev->dev, "pos is 0\n");
+       pos = val & AT91_SAMA5D2_XYZ_MASK;
+       result = (pos << AT91_SAMA5D2_MAX_POS_BITS) - pos;
+       scale = (val >> 16) & AT91_SAMA5D2_XYZ_MASK;
+       if (scale == 0) {
+-              dev_err(&iio_priv_to_dev(st)->dev, "scale is 0\n");
++              dev_err(&st->indio_dev->dev, "scale is 0\n");
+               return 0;
+       }
+       result /= scale;
+@@ -1154,9 +1155,9 @@ static unsigned at91_adc_startup_time(unsigned startup_time_min,
+       return i;
+ }
+-static void at91_adc_setup_samp_freq(struct at91_adc_state *st, unsigned freq)
++static void at91_adc_setup_samp_freq(struct iio_dev *indio_dev, unsigned freq)
+ {
+-      struct iio_dev *indio_dev = iio_priv_to_dev(st);
++      struct at91_adc_state *st = iio_priv(indio_dev);
+       unsigned f_per, prescal, startup, mr;
+       f_per = clk_get_rate(st->per_clk);
+@@ -1225,9 +1226,9 @@ static void at91_adc_pen_detect_interrupt(struct at91_adc_state *st)
+       st->touch_st.touching = true;
+ }
+-static void at91_adc_no_pen_detect_interrupt(struct at91_adc_state *st)
++static void at91_adc_no_pen_detect_interrupt(struct iio_dev *indio_dev)
+ {
+-      struct iio_dev *indio_dev = iio_priv_to_dev(st);
++      struct at91_adc_state *st = iio_priv(indio_dev);
+       at91_adc_writel(st, AT91_SAMA5D2_TRGR,
+                       AT91_SAMA5D2_TRGR_TRGMOD_NO_TRIGGER);
+@@ -1247,7 +1248,7 @@ static void at91_adc_workq_handler(struct work_struct *workq)
+                                       struct at91_adc_touch, workq);
+       struct at91_adc_state *st = container_of(touch_st,
+                                       struct at91_adc_state, touch_st);
+-      struct iio_dev *indio_dev = iio_priv_to_dev(st);
++      struct iio_dev *indio_dev = st->indio_dev;
+       iio_push_to_buffers(indio_dev, st->buffer);
+ }
+@@ -1268,7 +1269,7 @@ static irqreturn_t at91_adc_interrupt(int irq, void *private)
+               at91_adc_pen_detect_interrupt(st);
+       } else if ((status & AT91_SAMA5D2_IER_NOPEN)) {
+               /* nopen detected IRQ */
+-              at91_adc_no_pen_detect_interrupt(st);
++              at91_adc_no_pen_detect_interrupt(indio);
+       } else if ((status & AT91_SAMA5D2_ISR_PENS) &&
+                  ((status & rdy_mask) == rdy_mask)) {
+               /* periodic trigger IRQ - during pen sense */
+@@ -1435,7 +1436,7 @@ static int at91_adc_write_raw(struct iio_dev *indio_dev,
+                   val > st->soc_info.max_sample_rate)
+                       return -EINVAL;
+-              at91_adc_setup_samp_freq(st, val);
++              at91_adc_setup_samp_freq(indio_dev, val);
+               return 0;
+       default:
+               return -EINVAL;
+@@ -1573,8 +1574,10 @@ static int at91_adc_update_scan_mode(struct iio_dev *indio_dev,
+       return 0;
+ }
+-static void at91_adc_hw_init(struct at91_adc_state *st)
++static void at91_adc_hw_init(struct iio_dev *indio_dev)
+ {
++      struct at91_adc_state *st = iio_priv(indio_dev);
++
+       at91_adc_writel(st, AT91_SAMA5D2_CR, AT91_SAMA5D2_CR_SWRST);
+       at91_adc_writel(st, AT91_SAMA5D2_IDR, 0xffffffff);
+       /*
+@@ -1584,7 +1587,7 @@ static void at91_adc_hw_init(struct at91_adc_state *st)
+       at91_adc_writel(st, AT91_SAMA5D2_MR,
+                       AT91_SAMA5D2_MR_TRANSFER(2) | AT91_SAMA5D2_MR_ANACH);
+-      at91_adc_setup_samp_freq(st, st->soc_info.min_sample_rate);
++      at91_adc_setup_samp_freq(indio_dev, st->soc_info.min_sample_rate);
+       /* configure extended mode register */
+       at91_adc_config_emr(st);
+@@ -1667,6 +1670,7 @@ static int at91_adc_probe(struct platform_device *pdev)
+       indio_dev->num_channels = ARRAY_SIZE(at91_adc_channels);
+       st = iio_priv(indio_dev);
++      st->indio_dev = indio_dev;
+       bitmap_set(&st->touch_st.channels_bitmask,
+                  AT91_SAMA5D2_TOUCH_X_CHAN_IDX, 1);
+@@ -1778,7 +1782,7 @@ static int at91_adc_probe(struct platform_device *pdev)
+               goto vref_disable;
+       }
+-      at91_adc_hw_init(st);
++      at91_adc_hw_init(indio_dev);
+       ret = clk_prepare_enable(st->per_clk);
+       if (ret)
+@@ -1894,7 +1898,7 @@ static __maybe_unused int at91_adc_resume(struct device *dev)
+       if (ret)
+               goto vref_disable_resume;
+-      at91_adc_hw_init(st);
++      at91_adc_hw_init(indio_dev);
+       /* reconfiguring trigger hardware state */
+       if (!iio_buffer_enabled(indio_dev))
+-- 
+2.30.2
+
diff --git a/queue-5.4/iio-cros_ec_sensors-fix-alignment-of-buffer-in-iio_p.patch b/queue-5.4/iio-cros_ec_sensors-fix-alignment-of-buffer-in-iio_p.patch
new file mode 100644 (file)
index 0000000..417338e
--- /dev/null
@@ -0,0 +1,46 @@
+From 5d0228c443914944cc5d0c5849d01160ea530648 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:13:47 +0100
+Subject: iio: cros_ec_sensors: Fix alignment of buffer in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 8dea228b174ac9637b567e5ef54f4c40db4b3c41 ]
+
+The samples buffer is passed to iio_push_to_buffers_with_timestamp()
+which requires a buffer aligned to 8 bytes as it is assumed that
+the timestamp will be naturally aligned if present.
+
+Fixes tag is inaccurate but prior to that likely manual backporting needed
+(for anything before 4.18) Earlier than that the include file to fix is
+drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.h:
+commit 974e6f02e27 ("iio: cros_ec_sensors_core: Add common functions
+for the ChromeOS EC Sensor Hub.") present since kernel stable 4.10.
+(Thanks to Gwendal for tracking this down)
+
+Fixes: 5a0b8cb46624c ("iio: cros_ec: Move cros_ec_sensors_core.h in /include")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Gwendal Grignou <gwendal@chromium.org
+Link: https://lore.kernel.org/r/20210501171352.512953-7-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/iio/common/cros_ec_sensors_core.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/iio/common/cros_ec_sensors_core.h b/include/linux/iio/common/cros_ec_sensors_core.h
+index bb331e6356a9..a321531539dd 100644
+--- a/include/linux/iio/common/cros_ec_sensors_core.h
++++ b/include/linux/iio/common/cros_ec_sensors_core.h
+@@ -68,7 +68,7 @@ struct cros_ec_sensors_core_state {
+               u16 scale;
+       } calib[CROS_EC_SENSOR_MAX_AXIS];
+       s8 sign[CROS_EC_SENSOR_MAX_AXIS];
+-      u8 samples[CROS_EC_SAMPLE_SIZE];
++      u8 samples[CROS_EC_SAMPLE_SIZE] __aligned(8);
+       int (*read_ec_sensors_data)(struct iio_dev *indio_dev,
+                                   unsigned long scan_mask, s16 *data);
+-- 
+2.30.2
+
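Review bot: The new `__aligned(8)` on `samples` in `struct cros_ec_sensors_core_state` has no comment saying why it is there, unlike the sibling fixes in this queue, so a later cleanup could drop it as redundant on a `u8` array. I would add `/* Ensure naturally aligned timestamp */` on the line above the field. Whether `CROS_EC_SAMPLE_SIZE` also leaves room for the 8-byte timestamp is not visible from this hunk and is worth confirming against its definition.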
diff --git a/queue-5.4/iio-gyro-bmg160-fix-buffer-alignment-in-iio_push_to_.patch b/queue-5.4/iio-gyro-bmg160-fix-buffer-alignment-in-iio_push_to_.patch
new file mode 100644 (file)
index 0000000..d27f483
--- /dev/null
@@ -0,0 +1,61 @@
+From ec65cac84f38cafb19e006fd58eac4fe192aa0f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:12 +0100
+Subject: iio: gyro: bmg160: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 06778d881f3798ce93ffbbbf801234292250b598 ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of uses of
+iio_push_to_buffers_with_timestamp()
+
+Fixes: 13426454b649 ("iio: bmg160: Separate i2c and core driver")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Cc: Stephan Gerhold <stephan@gerhold.net>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-11-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/gyro/bmg160_core.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iio/gyro/bmg160_core.c b/drivers/iio/gyro/bmg160_core.c
+index 428ddfc13acb..276bed47e8d6 100644
+--- a/drivers/iio/gyro/bmg160_core.c
++++ b/drivers/iio/gyro/bmg160_core.c
+@@ -96,7 +96,11 @@ struct bmg160_data {
+       struct iio_trigger *motion_trig;
+       struct iio_mount_matrix orientation;
+       struct mutex mutex;
+-      s16 buffer[8];
++      /* Ensure naturally aligned timestamp */
++      struct {
++              s16 chans[3];
++              s64 timestamp __aligned(8);
++      } scan;
+       u32 dps_range;
+       int ev_enable_state;
+       int slope_thres;
+@@ -880,12 +884,12 @@ static irqreturn_t bmg160_trigger_handler(int irq, void *p)
+       mutex_lock(&data->mutex);
+       ret = regmap_bulk_read(data->regmap, BMG160_REG_XOUT_L,
+-                             data->buffer, AXIS_MAX * 2);
++                             data->scan.chans, AXIS_MAX * 2);
+       mutex_unlock(&data->mutex);
+       if (ret < 0)
+               goto err;
+-      iio_push_to_buffers_with_timestamp(indio_dev, data->buffer,
++      iio_push_to_buffers_with_timestamp(indio_dev, &data->scan,
+                                          pf->timestamp);
+ err:
+       iio_trigger_notify_done(indio_dev->trig);
+-- 
+2.30.2
+
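Review bot: In `bmg160_trigger_handler` the bulk read still takes its length from `AXIS_MAX * 2`, which is not tied to the new destination, the 6-byte `chans[3]` array. If `AXIS_MAX` (defined outside this hunk) ever exceeds 3, the read would run past the channels into the padding and the timestamp slot. Using the destination size makes the bound explicit: `data->scan.chans, sizeof(data->scan.chans));`, as the hmc5843 patch in this queue already does. The handler's body starts and ends outside the hunk.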
diff --git a/queue-5.4/iio-humidity-am2315-fix-buffer-alignment-in-iio_push.patch b/queue-5.4/iio-humidity-am2315-fix-buffer-alignment-in-iio_push.patch
new file mode 100644 (file)
index 0000000..e9252e5
--- /dev/null
@@ -0,0 +1,71 @@
+From 3f091a054d667e1929b22c94e416ec4a404116c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:13 +0100
+Subject: iio: humidity: am2315: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit f4ca2e2595d9fee65d5ce0d218b22ce00e5b2915 ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of uses of
+iio_push_to_buffers_with_timestamp()
+
+Fixes: 0d96d5ead3f7 ("iio: humidity: Add triggered buffer support for AM2315")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-12-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/humidity/am2315.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/iio/humidity/am2315.c b/drivers/iio/humidity/am2315.c
+index 3bac98e731d9..894922a315fe 100644
+--- a/drivers/iio/humidity/am2315.c
++++ b/drivers/iio/humidity/am2315.c
+@@ -33,7 +33,11 @@
+ struct am2315_data {
+       struct i2c_client *client;
+       struct mutex lock;
+-      s16 buffer[8]; /* 2x16-bit channels + 2x16 padding + 4x16 timestamp */
++      /* Ensure timestamp is naturally aligned */
++      struct {
++              s16 chans[2];
++              s64 timestamp __aligned(8);
++      } scan;
+ };
+ struct am2315_sensor_data {
+@@ -167,20 +171,20 @@ static irqreturn_t am2315_trigger_handler(int irq, void *p)
+       mutex_lock(&data->lock);
+       if (*(indio_dev->active_scan_mask) == AM2315_ALL_CHANNEL_MASK) {
+-              data->buffer[0] = sensor_data.hum_data;
+-              data->buffer[1] = sensor_data.temp_data;
++              data->scan.chans[0] = sensor_data.hum_data;
++              data->scan.chans[1] = sensor_data.temp_data;
+       } else {
+               i = 0;
+               for_each_set_bit(bit, indio_dev->active_scan_mask,
+                                indio_dev->masklength) {
+-                      data->buffer[i] = (bit ? sensor_data.temp_data :
+-                                               sensor_data.hum_data);
++                      data->scan.chans[i] = (bit ? sensor_data.temp_data :
++                                             sensor_data.hum_data);
+                       i++;
+               }
+       }
+       mutex_unlock(&data->lock);
+-      iio_push_to_buffers_with_timestamp(indio_dev, data->buffer,
++      iio_push_to_buffers_with_timestamp(indio_dev, &data->scan,
+                                          pf->timestamp);
+ err:
+       iio_trigger_notify_done(indio_dev->trig);
+-- 
+2.30.2
+
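Review bot: The `for_each_set_bit` loop in `am2315_trigger_handler` writes `data->scan.chans[i]` with `i` bounded only by the number of bits set in `active_scan_mask`, while the destination shrank from eight `s16` slots to exactly two. The mask presumably can only have bits 0 and 1 set, but nothing in the hunk enforces that. A guard such as `if (i >= ARRAY_SIZE(data->scan.chans)) break;`, or a comment stating the invariant, would keep a future channel addition from writing into the padding and the timestamp. The same applies to the `chans[j++] = ret` stores in the isl29125, tcs3414 and tcs3472 patches. The handler's body starts outside the hunk.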
diff --git a/queue-5.4/iio-light-isl29125-fix-buffer-alignment-in-iio_push_.patch b/queue-5.4/iio-light-isl29125-fix-buffer-alignment-in-iio_push_.patch
new file mode 100644 (file)
index 0000000..fa50547
--- /dev/null
@@ -0,0 +1,58 @@
+From ea630e269959296b0fcde66e45b59d5993ee17d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:19 +0100
+Subject: iio: light: isl29125: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 3d4725194de6935dba2ad7c9cc075c885008f747 ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of uses of
+iio_push_to_buffers_with_timestamp()
+
+Fixes: 6c25539cbc46 ("iio: Add Intersil isl29125 digital color light sensor driver")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-18-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/light/isl29125.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iio/light/isl29125.c b/drivers/iio/light/isl29125.c
+index e37894f0ae0b..15906925e588 100644
+--- a/drivers/iio/light/isl29125.c
++++ b/drivers/iio/light/isl29125.c
+@@ -51,7 +51,11 @@
+ struct isl29125_data {
+       struct i2c_client *client;
+       u8 conf1;
+-      u16 buffer[8]; /* 3x 16-bit, padding, 8 bytes timestamp */
++      /* Ensure timestamp is naturally aligned */
++      struct {
++              u16 chans[3];
++              s64 timestamp __aligned(8);
++      } scan;
+ };
+ #define ISL29125_CHANNEL(_color, _si) { \
+@@ -184,10 +188,10 @@ static irqreturn_t isl29125_trigger_handler(int irq, void *p)
+               if (ret < 0)
+                       goto done;
+-              data->buffer[j++] = ret;
++              data->scan.chans[j++] = ret;
+       }
+-      iio_push_to_buffers_with_timestamp(indio_dev, data->buffer,
++      iio_push_to_buffers_with_timestamp(indio_dev, &data->scan,
+               iio_get_time_ns(indio_dev));
+ done:
+-- 
+2.30.2
+
diff --git a/queue-5.4/iio-light-tcs3414-fix-buffer-alignment-in-iio_push_t.patch b/queue-5.4/iio-light-tcs3414-fix-buffer-alignment-in-iio_push_t.patch
new file mode 100644 (file)
index 0000000..f17c608
--- /dev/null
@@ -0,0 +1,58 @@
+From ab899fd2423eef3d58548423a6fed3e4325f3d95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:20 +0100
+Subject: iio: light: tcs3414: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit ff08fbc22ab32ccc6690c21b0e5e1d402dcc076f ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of uses of
+iio_push_to_buffers_with_timestamp()
+
+Fixes: a244e7b57f0f ("iio: Add driver for AMS/TAOS tcs3414 digital color sensor")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-19-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/light/tcs3414.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iio/light/tcs3414.c b/drivers/iio/light/tcs3414.c
+index 7c0291c5fe76..85bfe3b63f4f 100644
+--- a/drivers/iio/light/tcs3414.c
++++ b/drivers/iio/light/tcs3414.c
+@@ -53,7 +53,11 @@ struct tcs3414_data {
+       u8 control;
+       u8 gain;
+       u8 timing;
+-      u16 buffer[8]; /* 4x 16-bit + 8 bytes timestamp */
++      /* Ensure timestamp is naturally aligned */
++      struct {
++              u16 chans[4];
++              s64 timestamp __aligned(8);
++      } scan;
+ };
+ #define TCS3414_CHANNEL(_color, _si, _addr) { \
+@@ -209,10 +213,10 @@ static irqreturn_t tcs3414_trigger_handler(int irq, void *p)
+               if (ret < 0)
+                       goto done;
+-              data->buffer[j++] = ret;
++              data->scan.chans[j++] = ret;
+       }
+-      iio_push_to_buffers_with_timestamp(indio_dev, data->buffer,
++      iio_push_to_buffers_with_timestamp(indio_dev, &data->scan,
+               iio_get_time_ns(indio_dev));
+ done:
+-- 
+2.30.2
+
diff --git a/queue-5.4/iio-light-tcs3472-fix-buffer-alignment-in-iio_push_t.patch b/queue-5.4/iio-light-tcs3472-fix-buffer-alignment-in-iio_push_t.patch
new file mode 100644 (file)
index 0000000..cf1b196
--- /dev/null
@@ -0,0 +1,62 @@
+From 1db1d68e7f769ed021e06e22f94e71f68b4f3a54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:21 +0100
+Subject: iio: light: tcs3472: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit df2f37cffd6ed486d613e7ee22aadc8e49ae2dd3 ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of uses of
+iio_push_to_buffers_with_timestamp().
+
+Fixes tag is not strictly accurate as prior to that patch there was
+potentially an unaligned write.  However, any backport past there will
+need to be done manually.
+
+Fixes: 0624bf847dd0 ("iio:tcs3472: Use iio_push_to_buffers_with_timestamp()")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-20-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/light/tcs3472.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iio/light/tcs3472.c b/drivers/iio/light/tcs3472.c
+index a30ad151653f..9ea543c5cf5e 100644
+--- a/drivers/iio/light/tcs3472.c
++++ b/drivers/iio/light/tcs3472.c
+@@ -64,7 +64,11 @@ struct tcs3472_data {
+       u8 control;
+       u8 atime;
+       u8 apers;
+-      u16 buffer[8]; /* 4 16-bit channels + 64-bit timestamp */
++      /* Ensure timestamp is naturally aligned */
++      struct {
++              u16 chans[4];
++              s64 timestamp __aligned(8);
++      } scan;
+ };
+ static const struct iio_event_spec tcs3472_events[] = {
+@@ -386,10 +390,10 @@ static irqreturn_t tcs3472_trigger_handler(int irq, void *p)
+               if (ret < 0)
+                       goto done;
+-              data->buffer[j++] = ret;
++              data->scan.chans[j++] = ret;
+       }
+-      iio_push_to_buffers_with_timestamp(indio_dev, data->buffer,
++      iio_push_to_buffers_with_timestamp(indio_dev, &data->scan,
+               iio_get_time_ns(indio_dev));
+ done:
+-- 
+2.30.2
+
diff --git a/queue-5.4/iio-light-vcnl4035-fix-buffer-alignment-in-iio_push_.patch b/queue-5.4/iio-light-vcnl4035-fix-buffer-alignment-in-iio_push_.patch
new file mode 100644 (file)
index 0000000..6952799
--- /dev/null
@@ -0,0 +1,48 @@
+From 08eae05bd1aa45cab2e644bb1bbe9161d51d6180 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Jun 2021 16:23:00 +0100
+Subject: iio: light: vcnl4035: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit ec90b52c07c0403a6db60d752484ec08d605ead0 ]
+
+Add __aligned(8) to ensure the buffer passed to
+iio_push_to_buffers_with_timestamp() is suitable for the naturally
+aligned timestamp that will be inserted.
+
+Here an explicit structure is not used, because the holes would
+necessitate the addition of an explict memset(), to avoid a potential
+kernel data leak, making for a less minimal fix.
+
+Fixes: 55707294c4eb ("iio: light: Add support for vishay vcnl4035")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Cc: Parthiban Nallathambi <pn@denx.de>
+Reviewed-by: Nuno Sá <nuno.sa@analog.com>
+Link: https://lore.kernel.org/r/20210613152301.571002-8-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/light/vcnl4035.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iio/light/vcnl4035.c b/drivers/iio/light/vcnl4035.c
+index cca4db312bd3..234623ab3817 100644
+--- a/drivers/iio/light/vcnl4035.c
++++ b/drivers/iio/light/vcnl4035.c
+@@ -102,7 +102,8 @@ static irqreturn_t vcnl4035_trigger_consumer_handler(int irq, void *p)
+       struct iio_poll_func *pf = p;
+       struct iio_dev *indio_dev = pf->indio_dev;
+       struct vcnl4035_data *data = iio_priv(indio_dev);
+-      u8 buffer[ALIGN(sizeof(u16), sizeof(s64)) + sizeof(s64)];
++      /* Ensure naturally aligned timestamp */
++      u8 buffer[ALIGN(sizeof(u16), sizeof(s64)) + sizeof(s64)]  __aligned(8);
+       int ret;
+       ret = regmap_read(data->regmap, VCNL4035_ALS_DATA, (int *)buffer);
+-- 
+2.30.2
+
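Review bot: `buffer` in `vcnl4035_trigger_consumer_handler` is a stack array with no initializer, and the `regmap_read()` below it fills only the first `sizeof(int)` bytes, so the remaining bytes before the timestamp hold stale stack contents when the buffer is pushed. The commit message avoids a struct because its holes would need a memset() against a kernel data leak, but the plain array has the same exposure. I would zero it at declaration: `u8 buffer[ALIGN(sizeof(u16), sizeof(s64)) + sizeof(s64)] __aligned(8) = { };`. The push call and the handling of `ret` are outside the hunk, so how many of those bytes reach buffer consumers should be confirmed there.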
diff --git a/queue-5.4/iio-magn-bmc150-fix-buffer-alignment-in-iio_push_to_.patch b/queue-5.4/iio-magn-bmc150-fix-buffer-alignment-in-iio_push_to_.patch
new file mode 100644 (file)
index 0000000..2361cda
--- /dev/null
@@ -0,0 +1,63 @@
+From 94421bda755c19f9d523f18313988949847c23d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:18 +0100
+Subject: iio: magn: bmc150: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 7692088f72865c41b6b531fd09486ee99a5da930 ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of uses of
+iio_push_to_buffers_with_timestamp()
+
+Fixes: c91746a2361d ("iio: magn: Add support for BMC150 magnetometer")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Cc: Stephan Gerhold <stephan@gerhold.net>
+Cc: Linus Walleij <linus.walleij@linaro.org>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-17-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/magnetometer/bmc150_magn.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/iio/magnetometer/bmc150_magn.c b/drivers/iio/magnetometer/bmc150_magn.c
+index d4de16750b10..48685d785c1b 100644
+--- a/drivers/iio/magnetometer/bmc150_magn.c
++++ b/drivers/iio/magnetometer/bmc150_magn.c
+@@ -136,8 +136,11 @@ struct bmc150_magn_data {
+       struct mutex mutex;
+       struct regmap *regmap;
+       struct iio_mount_matrix orientation;
+-      /* 4 x 32 bits for x, y z, 4 bytes align, 64 bits timestamp */
+-      s32 buffer[6];
++      /* Ensure timestamp is naturally aligned */
++      struct {
++              s32 chans[3];
++              s64 timestamp __aligned(8);
++      } scan;
+       struct iio_trigger *dready_trig;
+       bool dready_trigger_on;
+       int max_odr;
+@@ -673,11 +676,11 @@ static irqreturn_t bmc150_magn_trigger_handler(int irq, void *p)
+       int ret;
+       mutex_lock(&data->mutex);
+-      ret = bmc150_magn_read_xyz(data, data->buffer);
++      ret = bmc150_magn_read_xyz(data, data->scan.chans);
+       if (ret < 0)
+               goto err;
+-      iio_push_to_buffers_with_timestamp(indio_dev, data->buffer,
++      iio_push_to_buffers_with_timestamp(indio_dev, &data->scan,
+                                          pf->timestamp);
+ err:
+-- 
+2.30.2
+
diff --git a/queue-5.4/iio-magn-hmc5843-fix-buffer-alignment-in-iio_push_to.patch b/queue-5.4/iio-magn-hmc5843-fix-buffer-alignment-in-iio_push_to.patch
new file mode 100644 (file)
index 0000000..da97965
--- /dev/null
@@ -0,0 +1,75 @@
+From 99923a1465d17ea78b936c3b191be2189d578f5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:17 +0100
+Subject: iio: magn: hmc5843: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 1ef2f51e9fe424ccecca5bb0373d71b900c2cd41 ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of uses of
+iio_push_to_buffers_with_timestamp()
+
+Fixes: 7247645f6865 ("iio: hmc5843: Move hmc5843 out of staging")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-16-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/magnetometer/hmc5843.h      | 8 ++++++--
+ drivers/iio/magnetometer/hmc5843_core.c | 4 ++--
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/iio/magnetometer/hmc5843.h b/drivers/iio/magnetometer/hmc5843.h
+index b0dee87a8b20..b68bb55909e1 100644
+--- a/drivers/iio/magnetometer/hmc5843.h
++++ b/drivers/iio/magnetometer/hmc5843.h
+@@ -33,7 +33,8 @@ enum hmc5843_ids {
+  * @lock:             update and read regmap data
+  * @regmap:           hardware access register maps
+  * @variant:          describe chip variants
+- * @buffer:           3x 16-bit channels + padding + 64-bit timestamp
++ * @scan:             buffer to pack data for passing to
++ *                    iio_push_to_buffers_with_timestamp()
+  */
+ struct hmc5843_data {
+       struct device *dev;
+@@ -41,7 +42,10 @@ struct hmc5843_data {
+       struct regmap *regmap;
+       const struct hmc5843_chip_info *variant;
+       struct iio_mount_matrix orientation;
+-      __be16 buffer[8];
++      struct {
++              __be16 chans[3];
++              s64 timestamp __aligned(8);
++      } scan;
+ };
+ int hmc5843_common_probe(struct device *dev, struct regmap *regmap,
+diff --git a/drivers/iio/magnetometer/hmc5843_core.c b/drivers/iio/magnetometer/hmc5843_core.c
+index c44a4292da92..aef78275260f 100644
+--- a/drivers/iio/magnetometer/hmc5843_core.c
++++ b/drivers/iio/magnetometer/hmc5843_core.c
+@@ -446,13 +446,13 @@ static irqreturn_t hmc5843_trigger_handler(int irq, void *p)
+       }
+       ret = regmap_bulk_read(data->regmap, HMC5843_DATA_OUT_MSB_REGS,
+-                             data->buffer, 3 * sizeof(__be16));
++                             data->scan.chans, sizeof(data->scan.chans));
+       mutex_unlock(&data->lock);
+       if (ret < 0)
+               goto done;
+-      iio_push_to_buffers_with_timestamp(indio_dev, data->buffer,
++      iio_push_to_buffers_with_timestamp(indio_dev, &data->scan,
+                                          iio_get_time_ns(indio_dev));
+ done:
+-- 
+2.30.2
+
diff --git a/queue-5.4/iio-magn-rm3100-fix-alignment-of-buffer-in-iio_push_.patch b/queue-5.4/iio-magn-rm3100-fix-alignment-of-buffer-in-iio_push_.patch
new file mode 100644 (file)
index 0000000..66d4778
--- /dev/null
@@ -0,0 +1,47 @@
+From 13945506e0faec5bd076fa19c9ba0c7a19f8aa67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Jun 2021 16:22:58 +0100
+Subject: iio: magn: rm3100: Fix alignment of buffer in
+ iio_push_to_buffers_with_timestamp()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit b8f939fd20690623cb24845a563e7bc1e4a21482 ]
+
+Add __aligned(8) to ensure the buffer passed to
+iio_push_to_buffers_with_timestamp() is suitable for the naturally
+aligned timestamp that will be inserted.
+
+Here an explicit structure is not used, because this buffer is used in
+a non-trivial way for data repacking.
+
+Fixes: 121354b2eceb ("iio: magnetometer: Add driver support for PNI RM3100")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Cc: Song Qiang <songqiang1304521@gmail.com>
+Reviewed-by: Nuno Sá <nuno.sa@analog.com>
+Link: https://lore.kernel.org/r/20210613152301.571002-6-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/magnetometer/rm3100-core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iio/magnetometer/rm3100-core.c b/drivers/iio/magnetometer/rm3100-core.c
+index 7c20918d8108..f31ff225fe61 100644
+--- a/drivers/iio/magnetometer/rm3100-core.c
++++ b/drivers/iio/magnetometer/rm3100-core.c
+@@ -76,7 +76,8 @@ struct rm3100_data {
+       bool use_interrupt;
+       int conversion_time;
+       int scale;
+-      u8 buffer[RM3100_SCAN_BYTES];
++      /* Ensure naturally aligned timestamp */
++      u8 buffer[RM3100_SCAN_BYTES] __aligned(8);
+       struct iio_trigger *drdy_trig;
+       /*
+-- 
+2.30.2
+
diff --git a/queue-5.4/iio-potentiostat-lmp91000-fix-alignment-of-buffer-in.patch b/queue-5.4/iio-potentiostat-lmp91000-fix-alignment-of-buffer-in.patch
new file mode 100644 (file)
index 0000000..e33cbdb
--- /dev/null
@@ -0,0 +1,45 @@
+From 579121eb59a6b42d6b20fad60d50752792628bcb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:13:48 +0100
+Subject: iio: potentiostat: lmp91000: Fix alignment of buffer in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 8979b67ec61abc232636400ee8c758a16a73c95f ]
+
+Add __aligned(8) to ensure the buffer passed to
+iio_push_to_buffers_with_timestamp() is suitable for the naturally
+aligned timestamp that will be inserted.
+
+Here structure is not used, because this buffer is also used
+elsewhere in the driver.
+
+Fixes: 67e17300dc1d ("iio: potentiostat: add LMP91000 support")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Cc: Matt Ranostay <matt.ranostay@konsulko.com>
+Acked-by: Matt Ranostay <matt.ranostay@konsulko.com>
+Link: https://lore.kernel.org/r/20210501171352.512953-8-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/potentiostat/lmp91000.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iio/potentiostat/lmp91000.c b/drivers/iio/potentiostat/lmp91000.c
+index a0e5f530faa9..d6db07264a7b 100644
+--- a/drivers/iio/potentiostat/lmp91000.c
++++ b/drivers/iio/potentiostat/lmp91000.c
+@@ -71,8 +71,8 @@ struct lmp91000_data {
+       struct completion completion;
+       u8 chan_select;
+-
+-      u32 buffer[4]; /* 64-bit data + 64-bit timestamp */
++      /* 64-bit data + 64-bit naturally aligned timestamp */
++      u32 buffer[4] __aligned(8);
+ };
+ static const struct iio_chan_spec lmp91000_channels[] = {
+-- 
+2.30.2
+
diff --git a/queue-5.4/iio-prox-as3935-fix-buffer-alignment-in-iio_push_to_.patch b/queue-5.4/iio-prox-as3935-fix-buffer-alignment-in-iio_push_to_.patch
new file mode 100644 (file)
index 0000000..c657262
--- /dev/null
@@ -0,0 +1,58 @@
+From f4cfcb7811b2f2af889bdddf9774e489278f816d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:16 +0100
+Subject: iio: prox: as3935: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 37eb8d8c64f2ecb3a5521ba1cc1fad973adfae41 ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of uses of
+iio_push_to_buffers_with_timestamp()
+
+Fixes: 37b1ba2c68cf ("iio: proximity: as3935: fix buffer stack trashing")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Cc: Matt Ranostay <matt.ranostay@konsulko.com>
+Acked-by: Matt Ranostay <matt.ranostay@konsulko.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-15-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/proximity/as3935.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iio/proximity/as3935.c b/drivers/iio/proximity/as3935.c
+index b591c63bd6c4..718150a93133 100644
+--- a/drivers/iio/proximity/as3935.c
++++ b/drivers/iio/proximity/as3935.c
+@@ -61,7 +61,11 @@ struct as3935_state {
+       unsigned long noise_tripped;
+       u32 tune_cap;
+       u32 nflwdth_reg;
+-      u8 buffer[16]; /* 8-bit data + 56-bit padding + 64-bit timestamp */
++      /* Ensure timestamp is naturally aligned */
++      struct {
++              u8 chan;
++              s64 timestamp __aligned(8);
++      } scan;
+       u8 buf[2] ____cacheline_aligned;
+ };
+@@ -227,8 +231,8 @@ static irqreturn_t as3935_trigger_handler(int irq, void *private)
+       if (ret)
+               goto err_read;
+-      st->buffer[0] = val & AS3935_DATA_MASK;
+-      iio_push_to_buffers_with_timestamp(indio_dev, &st->buffer,
++      st->scan.chan = val & AS3935_DATA_MASK;
++      iio_push_to_buffers_with_timestamp(indio_dev, &st->scan,
+                                          iio_get_time_ns(indio_dev));
+ err_read:
+       iio_trigger_notify_done(indio_dev->trig);
+-- 
+2.30.2
+
diff --git a/queue-5.4/iio-prox-isl29501-fix-buffer-alignment-in-iio_push_t.patch b/queue-5.4/iio-prox-isl29501-fix-buffer-alignment-in-iio_push_t.patch
new file mode 100644 (file)
index 0000000..c0261a7
--- /dev/null
@@ -0,0 +1,47 @@
+From ec00f2a0a0374352dfccab87a446114d0b782ff4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Jun 2021 16:23:01 +0100
+Subject: iio: prox: isl29501: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 92babc9938ebbf4050f2fba774836f7edc16a570 ]
+
+Add __aligned(8) to ensure the buffer passed to
+iio_push_to_buffers_with_timestamp() is suitable for the naturally
+aligned timestamp that will be inserted.
+
+Here an explicit structure is not used, because the holes would
+necessitate the addition of an explict memset(), to avoid a kernel
+data leak, making for a less minimal fix.
+
+Fixes: 1c28799257bc ("iio: light: isl29501: Add support for the ISL29501 ToF sensor.")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Cc: Mathieu Othacehe <m.othacehe@gmail.com>
+Reviewed-by: Nuno Sá <nuno.sa@analog.com>
+Link: https://lore.kernel.org/r/20210613152301.571002-9-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/proximity/isl29501.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iio/proximity/isl29501.c b/drivers/iio/proximity/isl29501.c
+index 5ae549075b27..56d6e9f927f4 100644
+--- a/drivers/iio/proximity/isl29501.c
++++ b/drivers/iio/proximity/isl29501.c
+@@ -938,7 +938,7 @@ static irqreturn_t isl29501_trigger_handler(int irq, void *p)
+       struct iio_dev *indio_dev = pf->indio_dev;
+       struct isl29501_private *isl29501 = iio_priv(indio_dev);
+       const unsigned long *active_mask = indio_dev->active_scan_mask;
+-      u32 buffer[4] = {}; /* 1x16-bit + ts */
++      u32 buffer[4] __aligned(8) = {}; /* 1x16-bit + naturally aligned ts */
+       if (test_bit(ISL29501_DISTANCE_SCAN_INDEX, active_mask))
+               isl29501_register_read(isl29501, REG_DISTANCE, buffer);
+-- 
+2.30.2
+
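Review bot: The return value of `isl29501_register_read()` is discarded right after the changed declaration, so if the read fails the zero-initialised `buffer` is presumably still pushed as a valid distance sample with a fresh timestamp. If that helper reports errors through its return value (its definition is not in this hunk), the handler should check it and skip the push on failure. The handler's body continues outside the hunk.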
diff --git a/queue-5.4/iio-prox-pulsed-light-fix-buffer-alignment-in-iio_pu.patch b/queue-5.4/iio-prox-pulsed-light-fix-buffer-alignment-in-iio_pu.patch
new file mode 100644 (file)
index 0000000..2d22c71
--- /dev/null
@@ -0,0 +1,59 @@
+From e4e48fa6707a978536d7ad733e0444237d5d2341 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:15 +0100
+Subject: iio: prox: pulsed-light: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 679cc377a03ff1944491eafc7355c1eb1fad4109 ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of uses of
+iio_push_to_buffers_with_timestamp()
+
+Fixes: cb119d535083 ("iio: proximity: add support for PulsedLight LIDAR")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Cc: Matt Ranostay <matt.ranostay@konsulko.com>
+Acked-by: Matt Ranostay <matt.ranostay@konsulko.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-14-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/proximity/pulsedlight-lidar-lite-v2.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iio/proximity/pulsedlight-lidar-lite-v2.c b/drivers/iio/proximity/pulsedlight-lidar-lite-v2.c
+index 67f85268b63d..0c7617022407 100644
+--- a/drivers/iio/proximity/pulsedlight-lidar-lite-v2.c
++++ b/drivers/iio/proximity/pulsedlight-lidar-lite-v2.c
+@@ -43,7 +43,11 @@ struct lidar_data {
+       int (*xfer)(struct lidar_data *data, u8 reg, u8 *val, int len);
+       int i2c_enabled;
+-      u16 buffer[8]; /* 2 byte distance + 8 byte timestamp */
++      /* Ensure timestamp is naturally aligned */
++      struct {
++              u16 chan;
++              s64 timestamp __aligned(8);
++      } scan;
+ };
+ static const struct iio_chan_spec lidar_channels[] = {
+@@ -228,9 +232,9 @@ static irqreturn_t lidar_trigger_handler(int irq, void *private)
+       struct lidar_data *data = iio_priv(indio_dev);
+       int ret;
+-      ret = lidar_get_measurement(data, data->buffer);
++      ret = lidar_get_measurement(data, &data->scan.chan);
+       if (!ret) {
+-              iio_push_to_buffers_with_timestamp(indio_dev, data->buffer,
++              iio_push_to_buffers_with_timestamp(indio_dev, &data->scan,
+                                                  iio_get_time_ns(indio_dev));
+       } else if (ret != -EINVAL) {
+               dev_err(&data->client->dev, "cannot read LIDAR measurement");
+-- 
+2.30.2
+
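Review bot: The new `scan` struct in `struct lidar_data` has padding between `u16 chan` and the 8-byte-aligned `timestamp`, and `&data->scan` is handed whole to iio_push_to_buffers_with_timestamp(), so those padding bytes sit inside the record that is pushed. Nothing in the hunk clears them; this is safe only if the private data behind iio_priv() is zeroed at allocation, which is presumably the case but is not visible here. After confirming that against the allocation path, I would record it in the comment, e.g. `/* Ensure timestamp is naturally aligned; padding stays zero because lidar_data is allocated zeroed */`. The same applies to the `scan` struct added to `struct srf08_data` in the srf08 patch that follows. Both struct definitions and both trigger handlers continue outside the hunks.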
diff --git a/queue-5.4/iio-prox-srf08-fix-buffer-alignment-in-iio_push_to_b.patch b/queue-5.4/iio-prox-srf08-fix-buffer-alignment-in-iio_push_to_b.patch
new file mode 100644 (file)
index 0000000..2e6d1a3
--- /dev/null
@@ -0,0 +1,62 @@
+From 335df7d2d07d0a8ccbc03947f5baeb4421995ad1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:14 +0100
+Subject: iio: prox: srf08: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 19f1a254fe4949fff1e67db386409f48cf438bd7 ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of uses of
+iio_push_to_buffers_with_timestamp()
+
+Fixes: 78f839029e1d ("iio: distance: srf08: add IIO driver for us ranger")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Cc: Andreas Klinger <ak@it-klinger.de>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-13-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/proximity/srf08.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/iio/proximity/srf08.c b/drivers/iio/proximity/srf08.c
+index b23ce446b7be..c99bc514c5e1 100644
+--- a/drivers/iio/proximity/srf08.c
++++ b/drivers/iio/proximity/srf08.c
+@@ -63,11 +63,11 @@ struct srf08_data {
+       int                     range_mm;
+       struct mutex            lock;
+-      /*
+-       * triggered buffer
+-       * 1x16-bit channel + 3x16 padding + 4x16 timestamp
+-       */
+-      s16                     buffer[8];
++      /* Ensure timestamp is naturally aligned */
++      struct {
++              s16 chan;
++              s64 timestamp __aligned(8);
++      } scan;
+       /* Sensor-Type */
+       enum srf08_sensor_type  sensor_type;
+@@ -190,9 +190,9 @@ static irqreturn_t srf08_trigger_handler(int irq, void *p)
+       mutex_lock(&data->lock);
+-      data->buffer[0] = sensor_data;
++      data->scan.chan = sensor_data;
+       iio_push_to_buffers_with_timestamp(indio_dev,
+-                                              data->buffer, pf->timestamp);
++                                         &data->scan, pf->timestamp);
+       mutex_unlock(&data->lock);
+ err:
+-- 
+2.30.2
+
diff --git a/queue-5.4/input-hil_kbd-fix-error-return-code-in-hil_dev_conne.patch b/queue-5.4/input-hil_kbd-fix-error-return-code-in-hil_dev_conne.patch
new file mode 100644 (file)
index 0000000..d139e7f
--- /dev/null
@@ -0,0 +1,37 @@
+From fcda270c6d8e0e5bdf8759676a73dcec729f05a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 May 2021 11:52:42 -0700
+Subject: Input: hil_kbd - fix error return code in hil_dev_connect()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit d9b576917a1d0efa293801a264150a1b37691617 ]
+
+Return error code -EINVAL rather than '0' when the combo devices are not
+supported.
+
+Fixes: fa71c605c2bb ("Input: combine hil_kbd and hil_ptr drivers")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Link: https://lore.kernel.org/r/20210515030053.6824-1-thunder.leizhen@huawei.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/keyboard/hil_kbd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/input/keyboard/hil_kbd.c b/drivers/input/keyboard/hil_kbd.c
+index bb29a7c9a1c0..54afb38601b9 100644
+--- a/drivers/input/keyboard/hil_kbd.c
++++ b/drivers/input/keyboard/hil_kbd.c
+@@ -512,6 +512,7 @@ static int hil_dev_connect(struct serio *serio, struct serio_driver *drv)
+                   HIL_IDD_NUM_AXES_PER_SET(*idd)) {
+                       printk(KERN_INFO PREFIX
+                               "combo devices are not supported.\n");
++                      error = -EINVAL;
+                       goto bail1;
+               }
+-- 
+2.30.2
+
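Review bot: The message on this path is still logged with `KERN_INFO` although the branch now fails the connect with `-EINVAL`; a failing probe is easier to find in logs at warning level, e.g. `printk(KERN_WARNING PREFIX "combo devices are not supported.\n");`. Whether the other exits through `bail1` set `error` cannot be checked from this hunk, since hil_dev_connect() starts and ends outside it.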
diff --git a/queue-5.4/iommu-dma-fix-iova-reserve-dma-ranges.patch b/queue-5.4/iommu-dma-fix-iova-reserve-dma-ranges.patch
new file mode 100644 (file)
index 0000000..8fb1507
--- /dev/null
@@ -0,0 +1,44 @@
+From 7e4e904e5b225f2c901a7ddccd358fcc01837c88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Sep 2020 12:53:19 +0530
+Subject: iommu/dma: Fix IOVA reserve dma ranges
+
+From: Srinath Mannam <srinath.mannam@broadcom.com>
+
+[ Upstream commit 571f316074a203e979ea90211d9acf423dfe5f46 ]
+
+Fix IOVA reserve failure in the case when address of first memory region
+listed in dma-ranges is equal to 0x0.
+
+Fixes: aadad097cd46f ("iommu/dma: Reserve IOVA for PCIe inaccessible DMA address")
+Signed-off-by: Srinath Mannam <srinath.mannam@broadcom.com>
+Reviewed-by: Robin Murphy <robin.murphy@arm.com>
+Tested-by: Sven Peter <sven@svenpeter.dev>
+Link: https://lore.kernel.org/r/20200914072319.6091-1-srinath.mannam@broadcom.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/dma-iommu.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c
+index 76bd2309e023..d3b6898626e7 100644
+--- a/drivers/iommu/dma-iommu.c
++++ b/drivers/iommu/dma-iommu.c
+@@ -216,9 +216,11 @@ resv_iova:
+                       lo = iova_pfn(iovad, start);
+                       hi = iova_pfn(iovad, end);
+                       reserve_iova(iovad, lo, hi);
+-              } else {
++              } else if (end < start) {
+                       /* dma_ranges list should be sorted */
+-                      dev_err(&dev->dev, "Failed to reserve IOVA\n");
++                      dev_err(&dev->dev,
++                              "Failed to reserve IOVA [%#010llx-%#010llx]\n",
++                              start, end);
+                       return -EINVAL;
+               }
+-- 
+2.30.2
+
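Review bot: The new dev_err() prints `start` and `end` with `%#010llx`, which is only correct if both are 64 bits wide on every configuration. Their declarations are outside the hunk, but if they are `phys_addr_t` the width differs on some 32-bit builds and the format no longer matches its arguments. The kernel's `%pa` specifier takes the address of a `phys_addr_t` and avoids the mismatch: `"Failed to reserve IOVA [%pa-%pa]\n", &start, &end);`. With `else if (end < start)` the `end == start` case is now skipped without a message, which appears to be the intended fix for a first window at 0x0 but is not reflected in the `/* dma_ranges list should be sorted */` comment.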
diff --git a/queue-5.4/ipv6-exthdrs-do-not-blindly-use-init_net.patch b/queue-5.4/ipv6-exthdrs-do-not-blindly-use-init_net.patch
new file mode 100644 (file)
index 0000000..54e1557
--- /dev/null
@@ -0,0 +1,61 @@
+From 093f9c243e504aaeaead71c2d59223e3128268f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jun 2021 08:27:00 -0700
+Subject: ipv6: exthdrs: do not blindly use init_net
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit bcc3f2a829b9edbe3da5fb117ee5a63686d31834 ]
+
+I see no reason why max_dst_opts_cnt and max_hbh_opts_cnt
+are fetched from the initial net namespace.
+
+The other sysctls (max_dst_opts_len & max_hbh_opts_len)
+are in fact already using the current ns.
+
+Note: it is not clear why ipv6_destopt_rcv() use two ways to
+get to the netns :
+
+ 1) dev_net(dst->dev)
+    Originally used to increment IPSTATS_MIB_INHDRERRORS
+
+ 2) dev_net(skb->dev)
+     Tom used this variant in his patch.
+
+Maybe this calls to use ipv6_skb_net() instead ?
+
+Fixes: 47d3d7ac656a ("ipv6: Implement limits on Hop-by-Hop and Destination options")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Tom Herbert <tom@quantonium.net>
+Cc: Coco Li <lixiaoyan@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/exthdrs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
+index ab5add0fe6b4..413a47ca43e9 100644
+--- a/net/ipv6/exthdrs.c
++++ b/net/ipv6/exthdrs.c
+@@ -305,7 +305,7 @@ fail_and_free:
+ #endif
+       if (ip6_parse_tlv(tlvprocdestopt_lst, skb,
+-                        init_net.ipv6.sysctl.max_dst_opts_cnt)) {
++                        net->ipv6.sysctl.max_dst_opts_cnt)) {
+               skb->transport_header += extlen;
+               opt = IP6CB(skb);
+ #if IS_ENABLED(CONFIG_IPV6_MIP6)
+@@ -844,7 +844,7 @@ fail_and_free:
+       opt->flags |= IP6SKB_HOPBYHOP;
+       if (ip6_parse_tlv(tlvprochopopt_lst, skb,
+-                        init_net.ipv6.sysctl.max_hbh_opts_cnt)) {
++                        net->ipv6.sysctl.max_hbh_opts_cnt)) {
+               skb->transport_header += extlen;
+               opt = IP6CB(skb);
+               opt->nhoff = sizeof(struct ipv6hdr);
+-- 
+2.30.2
+
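Review bot: Both calls now read the option-count limit from `net`, but neither hunk shows where `net` is assigned, and the commit description itself points out that ipv6_destopt_rcv() reaches the namespace in two different ways. It is worth confirming that `net` is the same namespace the neighbouring `max_dst_opts_len` / `max_hbh_opts_len` checks use, so that the length and count limits applied to one packet never come from different namespaces. A short comment at each call would record the intent, e.g. `/* per-netns limit: same netns as the max_dst_opts_len check */`. Operationally, a count limit tightened only in the initial namespace presumably no longer covers packets received in other namespaces after this change.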
diff --git a/queue-5.4/ipv6-fix-out-of-bound-access-in-ip6_parse_tlv.patch b/queue-5.4/ipv6-fix-out-of-bound-access-in-ip6_parse_tlv.patch
new file mode 100644 (file)
index 0000000..d2c1a56
--- /dev/null
@@ -0,0 +1,89 @@
+From 6e1c4c4a24c08b1ca711868b50bd6165dd67d5cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jun 2021 03:07:20 -0700
+Subject: ipv6: fix out-of-bound access in ip6_parse_tlv()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 624085a31c1ad6a80b1e53f686bf6ee92abbf6e8 ]
+
+First problem is that optlen is fetched without checking
+there is more than one byte to parse.
+
+Fix this by taking care of IPV6_TLV_PAD1 before
+fetching optlen (under appropriate sanity checks against len)
+
+Second problem is that IPV6_TLV_PADN checks of zero
+padding are performed before the check of remaining length.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Fixes: c1412fce7ecc ("net/ipv6/exthdrs.c: Strict PadN option checking")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: Tom Herbert <tom@herbertland.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/exthdrs.c | 27 +++++++++++++--------------
+ 1 file changed, 13 insertions(+), 14 deletions(-)
+
+diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
+index 413a47ca43e9..69128000bc31 100644
+--- a/net/ipv6/exthdrs.c
++++ b/net/ipv6/exthdrs.c
+@@ -134,18 +134,23 @@ static bool ip6_parse_tlv(const struct tlvtype_proc *procs,
+       len -= 2;
+       while (len > 0) {
+-              int optlen = nh[off + 1] + 2;
+-              int i;
++              int optlen, i;
+-              switch (nh[off]) {
+-              case IPV6_TLV_PAD1:
+-                      optlen = 1;
++              if (nh[off] == IPV6_TLV_PAD1) {
+                       padlen++;
+                       if (padlen > 7)
+                               goto bad;
+-                      break;
++                      off++;
++                      len--;
++                      continue;
++              }
++              if (len < 2)
++                      goto bad;
++              optlen = nh[off + 1] + 2;
++              if (optlen > len)
++                      goto bad;
+-              case IPV6_TLV_PADN:
++              if (nh[off] == IPV6_TLV_PADN) {
+                       /* RFC 2460 states that the purpose of PadN is
+                        * to align the containing header to multiples
+                        * of 8. 7 is therefore the highest valid value.
+@@ -162,12 +167,7 @@ static bool ip6_parse_tlv(const struct tlvtype_proc *procs,
+                               if (nh[off + i] != 0)
+                                       goto bad;
+                       }
+-                      break;
+-
+-              default: /* Other TLV code so scan list */
+-                      if (optlen > len)
+-                              goto bad;
+-
++              } else {
+                       tlv_count++;
+                       if (tlv_count > max_count)
+                               goto bad;
+@@ -187,7 +187,6 @@ static bool ip6_parse_tlv(const struct tlvtype_proc *procs,
+                               return false;
+                       padlen = 0;
+-                      break;
+               }
+               off += optlen;
+               len -= optlen;
+-- 
+2.30.2
+
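Review bot: The ordering of the new checks is what makes the loop safe, and nothing in the code says so: `len < 2` must be tested before `nh[off + 1]` is read, and `optlen > len` before the PadN loop reads `nh[off + i]`. A comment ahead of the length checks would keep a later refactor from moving them back below the padding scan, e.g. `/* validate optlen against len before any nh[off + i] access below */`. The PAD1 branch now leaves through `continue` after its own `off++; len--;`, so anything else at the bottom of the loop is skipped for PAD1. Only `off += optlen; len -= optlen;` is visible there, but the body is split across three hunks and the rest of ip6_parse_tlv() lies outside them.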
diff --git a/queue-5.4/kbuild-fix-objtool-dependency-for-object_files_non_s.patch b/queue-5.4/kbuild-fix-objtool-dependency-for-object_files_non_s.patch
new file mode 100644 (file)
index 0000000..929e336
--- /dev/null
@@ -0,0 +1,61 @@
+From e0779d518df743f3c37e844fcb842fc28bf72d70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 May 2021 18:59:15 -0500
+Subject: kbuild: Fix objtool dependency for 'OBJECT_FILES_NON_STANDARD_<obj>
+ := n'
+
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+
+[ Upstream commit 8852c552402979508fdc395ae07aa8761aa46045 ]
+
+"OBJECT_FILES_NON_STANDARD_vma.o := n" has a dependency bug.  When
+objtool source is updated, the affected object doesn't get re-analyzed
+by objtool.
+
+Peter's new variable-sized jump label feature relies on objtool
+rewriting the object file.  Otherwise the system can fail to boot.  That
+effectively upgrades this minor dependency issue to a major bug.
+
+The problem is that variables in prerequisites are expanded early,
+during the read-in phase.  The '$(objtool_dep)' variable indirectly uses
+'$@', which isn't yet available when the target prerequisites are
+evaluated.
+
+Use '.SECONDEXPANSION:' which causes '$(objtool_dep)' to be expanded in
+a later phase, after the target-specific '$@' variable has been defined.
+
+Fixes: b9ab5ebb14ec ("objtool: Add CONFIG_STACK_VALIDATION option")
+Fixes: ab3257042c26 ("jump_label, x86: Allow short NOPs")
+Reported-by: Matthew Wilcox <willy@infradead.org>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/Makefile.build | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/scripts/Makefile.build b/scripts/Makefile.build
+index 03df22412f86..1261f75cb4e7 100644
+--- a/scripts/Makefile.build
++++ b/scripts/Makefile.build
+@@ -257,7 +257,8 @@ define rule_as_o_S
+ endef
+ # Built-in and composite module parts
+-$(obj)/%.o: $(src)/%.c $(recordmcount_source) $(objtool_dep) FORCE
++.SECONDEXPANSION:
++$(obj)/%.o: $(src)/%.c $(recordmcount_source) $$(objtool_dep) FORCE
+       $(call if_changed_rule,cc_o_c)
+       $(call cmd,force_checksrc)
+@@ -340,7 +341,7 @@ cmd_modversions_S =                                                                \
+       fi
+ endif
+-$(obj)/%.o: $(src)/%.S $(objtool_dep) FORCE
++$(obj)/%.o: $(src)/%.S $$(objtool_dep) FORCE
+       $(call if_changed_rule,as_o_S)
+ targets += $(filter-out $(subdir-obj-y), $(real-obj-y)) $(real-obj-m) $(lib-y)
+-- 
+2.30.2
+
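Review bot: `.SECONDEXPANSION:` is not scoped to the rule beneath it; GNU make applies second expansion to the prerequisites of every rule defined after that line, which is why the later `%.S` rule can use `$$(objtool_dep)` without repeating it. That reach deserves a comment, since any prerequisite list further down that contains a literal `$` is now expanded twice: `# .SECONDEXPANSION affects all rules from here on; $$(objtool_dep) needs $@, which exists only in the second pass`. The rules between the two hunks are not visible, so whether any of them is affected cannot be judged from here.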
diff --git a/queue-5.4/kbuild-run-the-checker-after-the-compiler.patch b/queue-5.4/kbuild-run-the-checker-after-the-compiler.patch
new file mode 100644 (file)
index 0000000..f9becbb
--- /dev/null
@@ -0,0 +1,51 @@
+From c8ef8ebe5f38d27ab7536e6b8525539d06f7e5a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jun 2020 17:45:12 +0200
+Subject: kbuild: run the checker after the compiler
+
+From: Luc Van Oostenryck <luc.vanoostenryck@gmail.com>
+
+[ Upstream commit 0c33f125732d0d33392ba6774d85469d565d3496 ]
+
+Since the pre-git time the checker is run first, before the compiler.
+But if the source file contains some syntax error, the warnings from
+the compiler are more useful than those from sparse (and other
+checker most probably too).
+
+So move the 'check' command to run after the compiler.
+
+Signed-off-by: Luc Van Oostenryck <luc.vanoostenryck@gmail.com>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/Makefile.build | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/scripts/Makefile.build b/scripts/Makefile.build
+index 9c689d011bce..03df22412f86 100644
+--- a/scripts/Makefile.build
++++ b/scripts/Makefile.build
+@@ -240,9 +240,9 @@ undefined_syms = $(NM) $< | $(AWK) '$$1 == "U" { printf("%s%s", x++ ? " " : "",
+ endif
+ define rule_cc_o_c
+-      $(call cmd,checksrc)
+       $(call cmd_and_fixdep,cc_o_c)
+       $(call cmd,gen_ksymdeps)
++      $(call cmd,checksrc)
+       $(call cmd,checkdoc)
+       $(call cmd,objtool)
+       $(call cmd,modversions_c)
+@@ -258,8 +258,8 @@ endef
+ # Built-in and composite module parts
+ $(obj)/%.o: $(src)/%.c $(recordmcount_source) $(objtool_dep) FORCE
+-      $(call cmd,force_checksrc)
+       $(call if_changed_rule,cc_o_c)
++      $(call cmd,force_checksrc)
+ cmd_mod = { \
+       echo $(if $($*-objs)$($*-y)$($*-m), $(addprefix $(obj)/, $($*-objs) $($*-y) $($*-m)), $(@:.mod=.o)); \
+-- 
+2.30.2
+
diff --git a/queue-5.4/kthread_worker-fix-return-value-when-kthread_mod_del.patch b/queue-5.4/kthread_worker-fix-return-value-when-kthread_mod_del.patch
new file mode 100644 (file)
index 0000000..a66fd0b
--- /dev/null
@@ -0,0 +1,99 @@
+From 85e517bb7d3e9285af44a273b61f31e6ce3557fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jun 2021 19:33:35 -0700
+Subject: kthread_worker: fix return value when kthread_mod_delayed_work()
+ races with kthread_cancel_delayed_work_sync()
+
+From: Petr Mladek <pmladek@suse.com>
+
+[ Upstream commit d71ba1649fa3c464c51ec7163e4b817345bff2c7 ]
+
+kthread_mod_delayed_work() might race with
+kthread_cancel_delayed_work_sync() or another kthread_mod_delayed_work()
+call.  The function lets the other operation win when it sees
+work->canceling counter set.  And it returns @false.
+
+But it should return @true as it is done by the related workqueue API, see
+mod_delayed_work_on().
+
+The reason is that the return value might be used for reference counting.
+It has to distinguish the case when the number of queued works has changed
+or stayed the same.
+
+The change is safe.  kthread_mod_delayed_work() return value is not
+checked anywhere at the moment.
+
+Link: https://lore.kernel.org/r/20210521163526.GA17916@redhat.com
+Link: https://lkml.kernel.org/r/20210610133051.15337-4-pmladek@suse.com
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Reported-by: Oleg Nesterov <oleg@redhat.com>
+Cc: Nathan Chancellor <nathan@kernel.org>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Minchan Kim <minchan@google.com>
+Cc: <jenhaochen@google.com>
+Cc: Martin Liu <liumartin@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/kthread.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/kernel/kthread.c b/kernel/kthread.c
+index 2eb8d7550324..b2bac5d929d2 100644
+--- a/kernel/kthread.c
++++ b/kernel/kthread.c
+@@ -1083,14 +1083,14 @@ static bool __kthread_cancel_work(struct kthread_work *work)
+  * modify @dwork's timer so that it expires after @delay. If @delay is zero,
+  * @work is guaranteed to be queued immediately.
+  *
+- * Return: %true if @dwork was pending and its timer was modified,
+- * %false otherwise.
++ * Return: %false if @dwork was idle and queued, %true otherwise.
+  *
+  * A special case is when the work is being canceled in parallel.
+  * It might be caused either by the real kthread_cancel_delayed_work_sync()
+  * or yet another kthread_mod_delayed_work() call. We let the other command
+- * win and return %false here. The caller is supposed to synchronize these
+- * operations a reasonable way.
++ * win and return %true here. The return value can be used for reference
++ * counting and the number of queued works stays the same. Anyway, the caller
++ * is supposed to synchronize these operations a reasonable way.
+  *
+  * This function is safe to call from any context including IRQ handler.
+  * See __kthread_cancel_work() and kthread_delayed_work_timer_fn()
+@@ -1102,13 +1102,15 @@ bool kthread_mod_delayed_work(struct kthread_worker *worker,
+ {
+       struct kthread_work *work = &dwork->work;
+       unsigned long flags;
+-      int ret = false;
++      int ret;
+       raw_spin_lock_irqsave(&worker->lock, flags);
+       /* Do not bother with canceling when never queued. */
+-      if (!work->worker)
++      if (!work->worker) {
++              ret = false;
+               goto fast_queue;
++      }
+       /* Work must not be used with >1 worker, see kthread_queue_work() */
+       WARN_ON_ONCE(work->worker != worker);
+@@ -1126,8 +1128,11 @@ bool kthread_mod_delayed_work(struct kthread_worker *worker,
+        * be used for reference counting.
+        */
+       kthread_cancel_delayed_work_timer(work, &flags);
+-      if (work->canceling)
++      if (work->canceling) {
++              /* The number of works in the queue does not change. */
++              ret = true;
+               goto out;
++      }
+       ret = __kthread_cancel_work(work);
+ fast_queue:
+-- 
+2.30.2
+
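Review bot: `ret` is declared `int` and, after this change, no longer has an initialiser, while the function returns `bool` and every value stored in it is `true`, `false` or the `bool` result of __kthread_cancel_work(). Declaring it `bool ret;` matches the signature. Since correctness now depends on every path assigning `ret` before it reaches `fast_queue:` or `out:`, a future early `goto out` would return an indeterminate value. The code between `fast_queue:` and the return is outside the hunk, so I cannot confirm that no other jump reaches `out` with `ret` unassigned.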
diff --git a/queue-5.4/kvm-nvmx-ensure-64-bit-shift-when-checking-vmfunc-bi.patch b/queue-5.4/kvm-nvmx-ensure-64-bit-shift-when-checking-vmfunc-bi.patch
new file mode 100644 (file)
index 0000000..254beac
--- /dev/null
@@ -0,0 +1,54 @@
+From 45a652822a80256fc8a9f1af12c8300cbba61778 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jun 2021 16:42:22 -0700
+Subject: KVM: nVMX: Ensure 64-bit shift when checking VMFUNC bitmap
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit 0e75225dfa4c5d5d51291f54a3d2d5895bad38da ]
+
+Use BIT_ULL() instead of an open-coded shift to check whether or not a
+function is enabled in L1's VMFUNC bitmap.  This is a benign bug as KVM
+supports only bit 0, and will fail VM-Enter if any other bits are set,
+i.e. bits 63:32 are guaranteed to be zero.
+
+Note, "function" is bounded by hardware as VMFUNC will #UD before taking
+a VM-Exit if the function is greater than 63.
+
+Before:
+  if ((vmcs12->vm_function_control & (1 << function)) == 0)
+   0x000000000001a916 <+118>:  mov    $0x1,%eax
+   0x000000000001a91b <+123>:  shl    %cl,%eax
+   0x000000000001a91d <+125>:  cltq
+   0x000000000001a91f <+127>:  and    0x128(%rbx),%rax
+
+After:
+  if (!(vmcs12->vm_function_control & BIT_ULL(function & 63)))
+   0x000000000001a955 <+117>:  mov    0x128(%rbx),%rdx
+   0x000000000001a95c <+124>:  bt     %rax,%rdx
+
+Fixes: 27c42a1bb867 ("KVM: nVMX: Enable VMFUNC for the L1 hypervisor")
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-Id: <20210609234235.1244004-3-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/vmx/nested.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
+index 3f63bd7421ac..023bd3e1aa0d 100644
+--- a/arch/x86/kvm/vmx/nested.c
++++ b/arch/x86/kvm/vmx/nested.c
+@@ -5099,7 +5099,7 @@ static int handle_vmfunc(struct kvm_vcpu *vcpu)
+       }
+       vmcs12 = get_vmcs12(vcpu);
+-      if ((vmcs12->vm_function_control & (1 << function)) == 0)
++      if (!(vmcs12->vm_function_control & BIT_ULL(function)))
+               goto fail;
+       switch (function) {
+-- 
+2.30.2
+
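Review bot: The description's "After" snippet shows `BIT_ULL(function & 63)`, but the hunk applies `BIT_ULL(function)` with no mask, so the shift count is bounded only by the hardware behaviour the description cites (VMFUNC raises #UD before a VM-Exit when the function is above 63). A shift of 64 or more would be undefined, so either keep the mask shown in the description, `if (!(vmcs12->vm_function_control & BIT_ULL(function & 63)))`, or record the assumption next to the test: `/* VMFUNC #UDs for function > 63 before exiting, so the shift is in range */`. Where `function` is read is outside the hunk.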
diff --git a/queue-5.4/kvm-ppc-book3s-hv-fix-tlb-management-on-smt8-power9-.patch b/queue-5.4/kvm-ppc-book3s-hv-fix-tlb-management-on-smt8-power9-.patch
new file mode 100644 (file)
index 0000000..8a9ea35
--- /dev/null
@@ -0,0 +1,142 @@
+From 46c2a6da084ae006cd38dc181123516ac1d2f101 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jun 2021 14:04:41 +1000
+Subject: KVM: PPC: Book3S HV: Fix TLB management on SMT8 POWER9 and POWER10
+ processors
+
+From: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
+
+[ Upstream commit 77bbbc0cf84834ed130838f7ac1988567f4d0288 ]
+
+The POWER9 vCPU TLB management code assumes all threads in a core share
+a TLB, and that TLBIEL execued by one thread will invalidate TLBs for
+all threads. This is not the case for SMT8 capable POWER9 and POWER10
+(big core) processors, where the TLB is split between groups of threads.
+This results in TLB multi-hits, random data corruption, etc.
+
+Fix this by introducing cpu_first_tlb_thread_sibling etc., to determine
+which siblings share TLBs, and use that in the guest TLB flushing code.
+
+[npiggin@gmail.com: add changelog and comment]
+
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Reviewed-by: Fabiano Rosas <farosas@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210602040441.3984352-1-npiggin@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/cputhreads.h | 30 +++++++++++++++++++++++++++
+ arch/powerpc/kvm/book3s_hv.c          | 13 ++++++------
+ arch/powerpc/kvm/book3s_hv_builtin.c  |  2 +-
+ arch/powerpc/kvm/book3s_hv_rm_mmu.c   |  2 +-
+ 4 files changed, 39 insertions(+), 8 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/cputhreads.h b/arch/powerpc/include/asm/cputhreads.h
+index deb99fd6e060..51f533b6ece0 100644
+--- a/arch/powerpc/include/asm/cputhreads.h
++++ b/arch/powerpc/include/asm/cputhreads.h
+@@ -99,6 +99,36 @@ static inline int cpu_last_thread_sibling(int cpu)
+       return cpu | (threads_per_core - 1);
+ }
++/*
++ * tlb_thread_siblings are siblings which share a TLB. This is not
++ * architected, is not something a hypervisor could emulate and a future
++ * CPU may change behaviour even in compat mode, so this should only be
++ * used on PowerNV, and only with care.
++ */
++static inline int cpu_first_tlb_thread_sibling(int cpu)
++{
++      if (cpu_has_feature(CPU_FTR_ARCH_300) && (threads_per_core == 8))
++              return cpu & ~0x6;      /* Big Core */
++      else
++              return cpu_first_thread_sibling(cpu);
++}
++
++static inline int cpu_last_tlb_thread_sibling(int cpu)
++{
++      if (cpu_has_feature(CPU_FTR_ARCH_300) && (threads_per_core == 8))
++              return cpu | 0x6;       /* Big Core */
++      else
++              return cpu_last_thread_sibling(cpu);
++}
++
++static inline int cpu_tlb_thread_sibling_step(void)
++{
++      if (cpu_has_feature(CPU_FTR_ARCH_300) && (threads_per_core == 8))
++              return 2;               /* Big Core */
++      else
++              return 1;
++}
++
+ static inline u32 get_tensr(void)
+ {
+ #ifdef        CONFIG_BOOKE
+diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
+index 6938b793a015..9011857c0434 100644
+--- a/arch/powerpc/kvm/book3s_hv.c
++++ b/arch/powerpc/kvm/book3s_hv.c
+@@ -2536,7 +2536,7 @@ static void radix_flush_cpu(struct kvm *kvm, int cpu, struct kvm_vcpu *vcpu)
+       cpumask_t *cpu_in_guest;
+       int i;
+-      cpu = cpu_first_thread_sibling(cpu);
++      cpu = cpu_first_tlb_thread_sibling(cpu);
+       if (nested) {
+               cpumask_set_cpu(cpu, &nested->need_tlb_flush);
+               cpu_in_guest = &nested->cpu_in_guest;
+@@ -2550,9 +2550,10 @@ static void radix_flush_cpu(struct kvm *kvm, int cpu, struct kvm_vcpu *vcpu)
+        * the other side is the first smp_mb() in kvmppc_run_core().
+        */
+       smp_mb();
+-      for (i = 0; i < threads_per_core; ++i)
+-              if (cpumask_test_cpu(cpu + i, cpu_in_guest))
+-                      smp_call_function_single(cpu + i, do_nothing, NULL, 1);
++      for (i = cpu; i <= cpu_last_tlb_thread_sibling(cpu);
++                                      i += cpu_tlb_thread_sibling_step())
++              if (cpumask_test_cpu(i, cpu_in_guest))
++                      smp_call_function_single(i, do_nothing, NULL, 1);
+ }
+ static void kvmppc_prepare_radix_vcpu(struct kvm_vcpu *vcpu, int pcpu)
+@@ -2583,8 +2584,8 @@ static void kvmppc_prepare_radix_vcpu(struct kvm_vcpu *vcpu, int pcpu)
+        */
+       if (prev_cpu != pcpu) {
+               if (prev_cpu >= 0 &&
+-                  cpu_first_thread_sibling(prev_cpu) !=
+-                  cpu_first_thread_sibling(pcpu))
++                  cpu_first_tlb_thread_sibling(prev_cpu) !=
++                  cpu_first_tlb_thread_sibling(pcpu))
+                       radix_flush_cpu(kvm, prev_cpu, vcpu);
+               if (nested)
+                       nested->prev_cpu[vcpu->arch.nested_vcpu_id] = pcpu;
+diff --git a/arch/powerpc/kvm/book3s_hv_builtin.c b/arch/powerpc/kvm/book3s_hv_builtin.c
+index 7c1909657b55..4a91b543a854 100644
+--- a/arch/powerpc/kvm/book3s_hv_builtin.c
++++ b/arch/powerpc/kvm/book3s_hv_builtin.c
+@@ -847,7 +847,7 @@ void kvmppc_check_need_tlb_flush(struct kvm *kvm, int pcpu,
+        * Thus we make all 4 threads use the same bit.
+        */
+       if (cpu_has_feature(CPU_FTR_ARCH_300))
+-              pcpu = cpu_first_thread_sibling(pcpu);
++              pcpu = cpu_first_tlb_thread_sibling(pcpu);
+       if (nested)
+               need_tlb_flush = &nested->need_tlb_flush;
+diff --git a/arch/powerpc/kvm/book3s_hv_rm_mmu.c b/arch/powerpc/kvm/book3s_hv_rm_mmu.c
+index 220305454c23..9bf3be438ac5 100644
+--- a/arch/powerpc/kvm/book3s_hv_rm_mmu.c
++++ b/arch/powerpc/kvm/book3s_hv_rm_mmu.c
+@@ -67,7 +67,7 @@ static int global_invalidates(struct kvm *kvm)
+                * so use the bit for the first thread to represent the core.
+                */
+               if (cpu_has_feature(CPU_FTR_ARCH_300))
+-                      cpu = cpu_first_thread_sibling(cpu);
++                      cpu = cpu_first_tlb_thread_sibling(cpu);
+               cpumask_clear_cpu(cpu, &kvm->arch.need_tlb_flush);
+       }
+-- 
+2.30.2
+
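Review bot: The constants in the new cputhreads.h helpers (`cpu & ~0x6`, `cpu | 0x6`, step 2) carry the whole TLB-sharing layout, and the `/* Big Core */` comments do not say what that layout is. As the masks are written, on an 8-thread core the threads that agree in bit 0 form one TLB group. I would spell that out once above cpu_first_tlb_thread_sibling(), e.g. `/* Big core: threads with the same bit 0 share a TLB (thread indices 0,2,4,6 and 1,3,5,7 within the core) */`, because a wrong mask here leaves a stale translation on a sibling thread. The context comment kept in global_invalidates(), "use the bit for the first thread to represent the core", no longer seems to describe the call beneath it on big-core parts and should be updated with it.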
diff --git a/queue-5.4/kvm-s390-get-rid-of-register-asm-usage.patch b/queue-5.4/kvm-s390-get-rid-of-register-asm-usage.patch
new file mode 100644 (file)
index 0000000..7787522
--- /dev/null
@@ -0,0 +1,78 @@
+From 2565a25f906c3d6684050370646c4d99503398bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jun 2021 16:03:56 +0200
+Subject: KVM: s390: get rid of register asm usage
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+[ Upstream commit 4fa3b91bdee1b08348c82660668ca0ca34e271ad ]
+
+Using register asm statements has been proven to be very error prone,
+especially when using code instrumentation where gcc may add function
+calls, which clobbers register contents in an unexpected way.
+
+Therefore get rid of register asm statements in kvm code, even though
+there is currently nothing wrong with them. This way we know for sure
+that this bug class won't be introduced here.
+
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Link: https://lore.kernel.org/r/20210621140356.1210771-1-hca@linux.ibm.com
+[borntraeger@de.ibm.com: checkpatch strict fix]
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kvm/kvm-s390.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
+index d08e13c6dc98..20ba8537dbcc 100644
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -318,31 +318,31 @@ static void allow_cpu_feat(unsigned long nr)
+ static inline int plo_test_bit(unsigned char nr)
+ {
+-      register unsigned long r0 asm("0") = (unsigned long) nr | 0x100;
++      unsigned long function = (unsigned long)nr | 0x100;
+       int cc;
+       asm volatile(
++              "       lgr     0,%[function]\n"
+               /* Parameter registers are ignored for "test bit" */
+               "       plo     0,0,0,0(0)\n"
+               "       ipm     %0\n"
+               "       srl     %0,28\n"
+               : "=d" (cc)
+-              : "d" (r0)
+-              : "cc");
++              : [function] "d" (function)
++              : "cc", "0");
+       return cc == 0;
+ }
+ static __always_inline void __insn32_query(unsigned int opcode, u8 *query)
+ {
+-      register unsigned long r0 asm("0") = 0; /* query function */
+-      register unsigned long r1 asm("1") = (unsigned long) query;
+-
+       asm volatile(
+-              /* Parameter regs are ignored */
++              "       lghi    0,0\n"
++              "       lgr     1,%[query]\n"
++              /* Parameter registers are ignored */
+               "       .insn   rrf,%[opc] << 16,2,4,6,0\n"
+               :
+-              : "d" (r0), "a" (r1), [opc] "i" (opcode)
+-              : "cc", "memory");
++              : [query] "d" ((unsigned long)query), [opc] "i" (opcode)
++              : "cc", "memory", "0", "1");
+ }
+ #define INSN_SORTL 0xb938
+-- 
+2.30.2
+
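Review bot: In plo_test_bit the rewritten asm mixes a named input (`%[function]`) with a positional output (`%0` in the `ipm` and `srl` lines), so the template stays correct only while cc remains operand 0. Naming the output as well, `: [cc] "=d" (cc)` with `ipm %[cc]` and `srl %[cc],28`, would match the named style used for `[query]` and `[opc]` in __insn32_query and make later edits to the operand list safer. A short comment on `0x100` would also help, since the existing comment only implies that it is the "test bit" flag of the function code.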
diff --git a/queue-5.4/leds-as3645a-fix-error-return-code-in-as3645a_parse_.patch b/queue-5.4/leds-as3645a-fix-error-return-code-in-as3645a_parse_.patch
new file mode 100644 (file)
index 0000000..b9e519f
--- /dev/null
@@ -0,0 +1,37 @@
+From 918a4afd2a325418a507a63bce86b8b6d812e1b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 May 2021 11:06:46 +0800
+Subject: leds: as3645a: Fix error return code in as3645a_parse_node()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit 96a30960a2c5246c8ffebe8a3c9031f9df094d97 ]
+
+Return error code -ENODEV rather than '0' when the indicator node can not
+be found.
+
+Fixes: a56ba8fbcb55 ("media: leds: as3645a: Add LED flash class driver")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/leds-as3645a.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/leds/leds-as3645a.c b/drivers/leds/leds-as3645a.c
+index b7e0ae1af8fa..1dc6f1b24ddb 100644
+--- a/drivers/leds/leds-as3645a.c
++++ b/drivers/leds/leds-as3645a.c
+@@ -544,6 +544,7 @@ static int as3645a_parse_node(struct as3645a *flash,
+       if (!flash->indicator_node) {
+               dev_warn(&flash->client->dev,
+                        "can't find indicator node\n");
++              rval = -ENODEV;
+               goto out_err;
+       }
+-- 
+2.30.2
+
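Review bot: The missing-indicator path now fails with `rval = -ENODEV` but is still logged with dev_warn, which understates a condition that, assuming out_err hands rval back to the caller, now aborts parsing. `dev_err(&flash->client->dev, "can't find indicator node\n");` would match the new severity. as3645a_parse_node starts and ends outside the hunk, so the out_err label and any earlier assignment to rval are not visible here.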
diff --git a/queue-5.4/leds-ktd2692-fix-an-error-handling-path.patch b/queue-5.4/leds-ktd2692-fix-an-error-handling-path.patch
new file mode 100644 (file)
index 0000000..2dc7ff5
--- /dev/null
@@ -0,0 +1,85 @@
+From 3922ea6143e7ccf42c7bac3ad85728471b77118f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 May 2021 13:21:01 +0200
+Subject: leds: ktd2692: Fix an error handling path
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit ee78b9360e14c276f5ceaa4a0d06f790f04ccdad ]
+
+In 'ktd2692_parse_dt()', if an error occurs after a successful
+'regulator_enable()' call, we should call 'regulator_enable()'.
+
+This is the same in 'ktd2692_probe()', if an error occurs after a
+successful 'ktd2692_parse_dt()' call.
+
+Instead of adding 'regulator_enable()' in several places, implement a
+resource managed solution and simplify the remove function accordingly.
+
+Fixes: b7da8c5c725c ("leds: Add ktd2692 flash LED driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/leds-ktd2692.c | 27 ++++++++++++++++++---------
+ 1 file changed, 18 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/leds/leds-ktd2692.c b/drivers/leds/leds-ktd2692.c
+index 670efee9b131..cd30b3b46e76 100644
+--- a/drivers/leds/leds-ktd2692.c
++++ b/drivers/leds/leds-ktd2692.c
+@@ -256,6 +256,17 @@ static void ktd2692_setup(struct ktd2692_context *led)
+                                | KTD2692_REG_FLASH_CURRENT_BASE);
+ }
++static void regulator_disable_action(void *_data)
++{
++      struct device *dev = _data;
++      struct ktd2692_context *led = dev_get_drvdata(dev);
++      int ret;
++
++      ret = regulator_disable(led->regulator);
++      if (ret)
++              dev_err(dev, "Failed to disable supply: %d\n", ret);
++}
++
+ static int ktd2692_parse_dt(struct ktd2692_context *led, struct device *dev,
+                           struct ktd2692_led_config_data *cfg)
+ {
+@@ -286,8 +297,14 @@ static int ktd2692_parse_dt(struct ktd2692_context *led, struct device *dev,
+       if (led->regulator) {
+               ret = regulator_enable(led->regulator);
+-              if (ret)
++              if (ret) {
+                       dev_err(dev, "Failed to enable supply: %d\n", ret);
++              } else {
++                      ret = devm_add_action_or_reset(dev,
++                                              regulator_disable_action, dev);
++                      if (ret)
++                              return ret;
++              }
+       }
+       child_node = of_get_next_available_child(np, NULL);
+@@ -377,17 +394,9 @@ static int ktd2692_probe(struct platform_device *pdev)
+ static int ktd2692_remove(struct platform_device *pdev)
+ {
+       struct ktd2692_context *led = platform_get_drvdata(pdev);
+-      int ret;
+       led_classdev_flash_unregister(&led->fled_cdev);
+-      if (led->regulator) {
+-              ret = regulator_disable(led->regulator);
+-              if (ret)
+-                      dev_err(&pdev->dev,
+-                              "Failed to disable supply: %d\n", ret);
+-      }
+-
+       mutex_destroy(&led->lock);
+       return 0;
+-- 
+2.30.2
+
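Review bot: regulator_disable_action() reaches the context through `dev_get_drvdata(dev)`, but the action is registered inside ktd2692_parse_dt() and nothing in the hunk shows drvdata being set before that point. devm_add_action_or_reset() runs the action immediately when it fails, and devres also runs it if probe bails out later, so if ktd2692_probe() sets drvdata only after parse_dt returns, `led->regulator` would be read through a NULL pointer on those paths. Passing the context itself removes the ordering dependency: `ret = devm_add_action_or_reset(dev, regulator_disable_action, led);` with `struct ktd2692_context *led = _data;` in the callback (the dev_err there then needs a device pointer reachable from led). ktd2692_parse_dt and ktd2692_probe continue outside the hunk, so the ordering should be confirmed there.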
diff --git a/queue-5.4/leds-lm3532-select-regmap-i2c-api.patch b/queue-5.4/leds-lm3532-select-regmap-i2c-api.patch
new file mode 100644 (file)
index 0000000..ef454ec
--- /dev/null
@@ -0,0 +1,37 @@
+From e4fd50e9cbeaee6cca9a0b85f6b62cfa114487ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 May 2021 12:50:31 +0300
+Subject: leds: lm3532: select regmap I2C API
+
+From: Andy Shevchenko <andy.shevchenko@gmail.com>
+
+[ Upstream commit 99be74f61cb0292b518f5e6d7e5c6611555c2ec7 ]
+
+Regmap APIs should be selected, otherwise link can fail
+
+ERROR: modpost: "__devm_regmap_init_i2c" [drivers/leds/leds-lm3532.ko] undefined!
+
+Fixes: bc1b8492c764 ("leds: lm3532: Introduce the lm3532 LED driver")
+Cc: Dan Murphy <dmurphy@ti.com>
+Signed-off-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/leds/Kconfig b/drivers/leds/Kconfig
+index 1988de1d64c0..2cbf66d1c300 100644
+--- a/drivers/leds/Kconfig
++++ b/drivers/leds/Kconfig
+@@ -144,6 +144,7 @@ config LEDS_LM3530
+ config LEDS_LM3532
+       tristate "LCD Backlight driver for LM3532"
++      select REGMAP_I2C
+       depends on LEDS_CLASS
+       depends on I2C
+       help
+-- 
+2.30.2
+
diff --git a/queue-5.4/leds-lm36274-cosmetic-rename-lm36274_data-to-chip.patch b/queue-5.4/leds-lm36274-cosmetic-rename-lm36274_data-to-chip.patch
new file mode 100644 (file)
index 0000000..ffc1666
--- /dev/null
@@ -0,0 +1,187 @@
+From e0505ca9b32a159d16fc8f2ee975db6fa2152289 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Sep 2020 20:02:56 +0200
+Subject: leds: lm36274: cosmetic: rename lm36274_data to chip
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún <marek.behun@nic.cz>
+
+[ Upstream commit d3ab963cf980151f5f0ba16d842ddc80b232d9c0 ]
+
+Rename this variable so that it is easier to read and easier to write in
+80 columns. Also rename variable of this type in lm36274_brightness_set
+from led to chip, to be consistent.
+
+Signed-off-by: Marek Behún <marek.behun@nic.cz>
+Tested-by: Dan Murphy <dmurphy@ti.com>
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/leds-lm36274.c | 82 ++++++++++++++++++-------------------
+ 1 file changed, 40 insertions(+), 42 deletions(-)
+
+diff --git a/drivers/leds/leds-lm36274.c b/drivers/leds/leds-lm36274.c
+index db842eeb7ca2..6c143551f10a 100644
+--- a/drivers/leds/leds-lm36274.c
++++ b/drivers/leds/leds-lm36274.c
+@@ -41,37 +41,36 @@ struct lm36274 {
+ };
+ static int lm36274_brightness_set(struct led_classdev *led_cdev,
+-                              enum led_brightness brt_val)
++                                enum led_brightness brt_val)
+ {
+-      struct lm36274 *led = container_of(led_cdev, struct lm36274, led_dev);
++      struct lm36274 *chip = container_of(led_cdev, struct lm36274, led_dev);
+-      return ti_lmu_common_set_brightness(&led->lmu_data, brt_val);
++      return ti_lmu_common_set_brightness(&chip->lmu_data, brt_val);
+ }
+-static int lm36274_init(struct lm36274 *lm36274_data)
++static int lm36274_init(struct lm36274 *chip)
+ {
+       int enable_val = 0;
+       int i;
+-      for (i = 0; i < lm36274_data->num_leds; i++)
+-              enable_val |= (1 << lm36274_data->led_sources[i]);
++      for (i = 0; i < chip->num_leds; i++)
++              enable_val |= (1 << chip->led_sources[i]);
+       if (!enable_val) {
+-              dev_err(lm36274_data->dev, "No LEDs were enabled\n");
++              dev_err(chip->dev, "No LEDs were enabled\n");
+               return -EINVAL;
+       }
+       enable_val |= LM36274_BL_EN;
+-      return regmap_write(lm36274_data->regmap, LM36274_REG_BL_EN,
+-                          enable_val);
++      return regmap_write(chip->regmap, LM36274_REG_BL_EN, enable_val);
+ }
+-static int lm36274_parse_dt(struct lm36274 *lm36274_data)
++static int lm36274_parse_dt(struct lm36274 *chip)
+ {
+       struct fwnode_handle *child = NULL;
+       char label[LED_MAX_NAME_SIZE];
+-      struct device *dev = &lm36274_data->pdev->dev;
++      struct device *dev = &chip->pdev->dev;
+       const char *name;
+       int child_cnt;
+       int ret = -EINVAL;
+@@ -84,37 +83,37 @@ static int lm36274_parse_dt(struct lm36274 *lm36274_data)
+       device_for_each_child_node(dev, child) {
+               ret = fwnode_property_read_string(child, "label", &name);
+               if (ret)
+-                      snprintf(label, sizeof(label),
+-                              "%s::", lm36274_data->pdev->name);
++                      snprintf(label, sizeof(label), "%s::",
++                               chip->pdev->name);
+               else
+-                      snprintf(label, sizeof(label),
+-                               "%s:%s", lm36274_data->pdev->name, name);
++                      snprintf(label, sizeof(label), "%s:%s",
++                               chip->pdev->name, name);
+-              lm36274_data->num_leds = fwnode_property_count_u32(child, "led-sources");
+-              if (lm36274_data->num_leds <= 0)
++              chip->num_leds = fwnode_property_count_u32(child, "led-sources");
++              if (chip->num_leds <= 0)
+                       return -ENODEV;
+               ret = fwnode_property_read_u32_array(child, "led-sources",
+-                                                   lm36274_data->led_sources,
+-                                                   lm36274_data->num_leds);
++                                                   chip->led_sources,
++                                                   chip->num_leds);
+               if (ret) {
+                       dev_err(dev, "led-sources property missing\n");
+                       return ret;
+               }
+               fwnode_property_read_string(child, "linux,default-trigger",
+-                                      &lm36274_data->led_dev.default_trigger);
++                                          &chip->led_dev.default_trigger);
+       }
+-      lm36274_data->lmu_data.regmap = lm36274_data->regmap;
+-      lm36274_data->lmu_data.max_brightness = MAX_BRIGHTNESS_11BIT;
+-      lm36274_data->lmu_data.msb_brightness_reg = LM36274_REG_BRT_MSB;
+-      lm36274_data->lmu_data.lsb_brightness_reg = LM36274_REG_BRT_LSB;
++      chip->lmu_data.regmap = chip->regmap;
++      chip->lmu_data.max_brightness = MAX_BRIGHTNESS_11BIT;
++      chip->lmu_data.msb_brightness_reg = LM36274_REG_BRT_MSB;
++      chip->lmu_data.lsb_brightness_reg = LM36274_REG_BRT_LSB;
+-      lm36274_data->led_dev.name = label;
+-      lm36274_data->led_dev.max_brightness = MAX_BRIGHTNESS_11BIT;
+-      lm36274_data->led_dev.brightness_set_blocking = lm36274_brightness_set;
++      chip->led_dev.name = label;
++      chip->led_dev.max_brightness = MAX_BRIGHTNESS_11BIT;
++      chip->led_dev.brightness_set_blocking = lm36274_brightness_set;
+       return 0;
+ }
+@@ -122,39 +121,38 @@ static int lm36274_parse_dt(struct lm36274 *lm36274_data)
+ static int lm36274_probe(struct platform_device *pdev)
+ {
+       struct ti_lmu *lmu = dev_get_drvdata(pdev->dev.parent);
+-      struct lm36274 *lm36274_data;
++      struct lm36274 *chip;
+       int ret;
+-      lm36274_data = devm_kzalloc(&pdev->dev, sizeof(*lm36274_data),
+-                                  GFP_KERNEL);
+-      if (!lm36274_data)
++      chip = devm_kzalloc(&pdev->dev, sizeof(*chip), GFP_KERNEL);
++      if (!chip)
+               return -ENOMEM;
+-      lm36274_data->pdev = pdev;
+-      lm36274_data->dev = lmu->dev;
+-      lm36274_data->regmap = lmu->regmap;
+-      platform_set_drvdata(pdev, lm36274_data);
++      chip->pdev = pdev;
++      chip->dev = lmu->dev;
++      chip->regmap = lmu->regmap;
++      platform_set_drvdata(pdev, chip);
+-      ret = lm36274_parse_dt(lm36274_data);
++      ret = lm36274_parse_dt(chip);
+       if (ret) {
+-              dev_err(lm36274_data->dev, "Failed to parse DT node\n");
++              dev_err(chip->dev, "Failed to parse DT node\n");
+               return ret;
+       }
+-      ret = lm36274_init(lm36274_data);
++      ret = lm36274_init(chip);
+       if (ret) {
+-              dev_err(lm36274_data->dev, "Failed to init the device\n");
++              dev_err(chip->dev, "Failed to init the device\n");
+               return ret;
+       }
+-      return led_classdev_register(lm36274_data->dev, &lm36274_data->led_dev);
++      return led_classdev_register(chip->dev, &chip->led_dev);
+ }
+ static int lm36274_remove(struct platform_device *pdev)
+ {
+-      struct lm36274 *lm36274_data = platform_get_drvdata(pdev);
++      struct lm36274 *chip = platform_get_drvdata(pdev);
+-      led_classdev_unregister(&lm36274_data->led_dev);
++      led_classdev_unregister(&chip->led_dev);
+       return 0;
+ }
+-- 
+2.30.2
+
diff --git a/queue-5.4/leds-lm3692x-put-fwnode-in-any-case-during-probe.patch b/queue-5.4/leds-lm3692x-put-fwnode-in-any-case-during-probe.patch
new file mode 100644 (file)
index 0000000..21d7518
--- /dev/null
@@ -0,0 +1,52 @@
+From df5721c040eee8b4cb9a29e409c7ddde8ed90757 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 May 2021 12:50:35 +0300
+Subject: leds: lm3692x: Put fwnode in any case during ->probe()
+
+From: Andy Shevchenko <andy.shevchenko@gmail.com>
+
+[ Upstream commit f55db1c7fadc2a29c9fa4ff3aec98dbb111f2206 ]
+
+device_get_next_child_node() bumps a reference counting of a returned variable.
+We have to balance it whenever we return to the caller.
+
+Fixes: 9a5c1c64ac0a ("leds: lm3692x: Change DT calls to fwnode calls")
+Cc: Dan Murphy <dmurphy@ti.com>
+Signed-off-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/leds-lm3692x.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/leds/leds-lm3692x.c b/drivers/leds/leds-lm3692x.c
+index 1ac9a44570ee..cc77ea048d9b 100644
+--- a/drivers/leds/leds-lm3692x.c
++++ b/drivers/leds/leds-lm3692x.c
+@@ -358,6 +358,7 @@ static int lm3692x_probe_dt(struct lm3692x_led *led)
+       ret = fwnode_property_read_u32(child, "reg", &led->led_enable);
+       if (ret) {
++              fwnode_handle_put(child);
+               dev_err(&led->client->dev, "reg DT property missing\n");
+               return ret;
+       }
+@@ -368,12 +369,11 @@ static int lm3692x_probe_dt(struct lm3692x_led *led)
+       ret = devm_led_classdev_register_ext(&led->client->dev, &led->led_dev,
+                                            &init_data);
+-      if (ret) {
++      if (ret)
+               dev_err(&led->client->dev, "led register err: %d\n", ret);
+-              return ret;
+-      }
+-      return 0;
++      fwnode_handle_put(init_data.fwnode);
++      return ret;
+ }
+ static int lm3692x_probe(struct i2c_client *client,
+-- 
+2.30.2
+
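Review bot: The two added puts name the same reference differently, `fwnode_handle_put(child)` on the "reg" error path and `fwnode_handle_put(init_data.fwnode)` at the end of lm3692x_probe_dt(). Presumably init_data.fwnode is assigned from child in the lines between the two inner hunks; using `fwnode_handle_put(child);` in both places would make the balance with device_get_next_child_node() obvious to the next reader. Any other return between the two sites is outside the hunk and would need the same put.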
diff --git a/queue-5.4/lib-vsprintf-fix-handling-of-number-field-widths-in-.patch b/queue-5.4/lib-vsprintf-fix-handling-of-number-field-widths-in-.patch
new file mode 100644 (file)
index 0000000..6336176
--- /dev/null
@@ -0,0 +1,233 @@
+From f4540888d0d515be041a7580f92e9d404bfcc4f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 May 2021 17:12:04 +0100
+Subject: lib: vsprintf: Fix handling of number field widths in vsscanf
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit 900fdc4573766dd43b847b4f54bd4a1ee2bc7360 ]
+
+The existing code attempted to handle numbers by doing a strto[u]l(),
+ignoring the field width, and then repeatedly dividing to extract the
+field out of the full converted value. If the string contains a run of
+valid digits longer than will fit in a long or long long, this would
+overflow and no amount of dividing can recover the correct value.
+
+This patch fixes vsscanf() to obey number field widths when parsing
+the number.
+
+A new _parse_integer_limit() is added that takes a limit for the number
+of characters to parse. The number field conversion in vsscanf is changed
+to use this new function.
+
+If a number starts with a radix prefix, the field width  must be long
+enough for at last one digit after the prefix. If not, it will be handled
+like this:
+
+ sscanf("0x4", "%1i", &i): i=0, scanning continues with the 'x'
+ sscanf("0x4", "%2i", &i): i=0, scanning continues with the '4'
+
+This is consistent with the observed behaviour of userland sscanf.
+
+Note that this patch does NOT fix the problem of a single field value
+overflowing the target type. So for example:
+
+  sscanf("123456789abcdef", "%x", &i);
+
+Will not produce the correct result because the value obviously overflows
+INT_MAX. But sscanf will report a successful conversion.
+
+Note that where a very large number is used to mean "unlimited", the value
+INT_MAX is used for consistency with the behaviour of vsnprintf().
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Reviewed-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Link: https://lore.kernel.org/r/20210514161206.30821-2-rf@opensource.cirrus.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/kstrtox.c  | 13 ++++++--
+ lib/kstrtox.h  |  2 ++
+ lib/vsprintf.c | 82 +++++++++++++++++++++++++++++---------------------
+ 3 files changed, 60 insertions(+), 37 deletions(-)
+
+diff --git a/lib/kstrtox.c b/lib/kstrtox.c
+index 1006bf70bf74..95c7234ad467 100644
+--- a/lib/kstrtox.c
++++ b/lib/kstrtox.c
+@@ -39,20 +39,22 @@ const char *_parse_integer_fixup_radix(const char *s, unsigned int *base)
+ /*
+  * Convert non-negative integer string representation in explicitly given radix
+- * to an integer.
++ * to an integer. A maximum of max_chars characters will be converted.
++ *
+  * Return number of characters consumed maybe or-ed with overflow bit.
+  * If overflow occurs, result integer (incorrect) is still returned.
+  *
+  * Don't you dare use this function.
+  */
+-unsigned int _parse_integer(const char *s, unsigned int base, unsigned long long *p)
++unsigned int _parse_integer_limit(const char *s, unsigned int base, unsigned long long *p,
++                                size_t max_chars)
+ {
+       unsigned long long res;
+       unsigned int rv;
+       res = 0;
+       rv = 0;
+-      while (1) {
++      while (max_chars--) {
+               unsigned int c = *s;
+               unsigned int lc = c | 0x20; /* don't tolower() this line */
+               unsigned int val;
+@@ -82,6 +84,11 @@ unsigned int _parse_integer(const char *s, unsigned int base, unsigned long long
+       return rv;
+ }
++unsigned int _parse_integer(const char *s, unsigned int base, unsigned long long *p)
++{
++      return _parse_integer_limit(s, base, p, INT_MAX);
++}
++
+ static int _kstrtoull(const char *s, unsigned int base, unsigned long long *res)
+ {
+       unsigned long long _res;
+diff --git a/lib/kstrtox.h b/lib/kstrtox.h
+index 3b4637bcd254..158c400ca865 100644
+--- a/lib/kstrtox.h
++++ b/lib/kstrtox.h
+@@ -4,6 +4,8 @@
+ #define KSTRTOX_OVERFLOW      (1U << 31)
+ const char *_parse_integer_fixup_radix(const char *s, unsigned int *base);
++unsigned int _parse_integer_limit(const char *s, unsigned int base, unsigned long long *res,
++                                size_t max_chars);
+ unsigned int _parse_integer(const char *s, unsigned int base, unsigned long long *res);
+ #endif
+diff --git a/lib/vsprintf.c b/lib/vsprintf.c
+index fb4af73142b4..2766d1b2c301 100644
+--- a/lib/vsprintf.c
++++ b/lib/vsprintf.c
+@@ -50,6 +50,31 @@
+ #include <linux/string_helpers.h>
+ #include "kstrtox.h"
++static unsigned long long simple_strntoull(const char *startp, size_t max_chars,
++                                         char **endp, unsigned int base)
++{
++      const char *cp;
++      unsigned long long result = 0ULL;
++      size_t prefix_chars;
++      unsigned int rv;
++
++      cp = _parse_integer_fixup_radix(startp, &base);
++      prefix_chars = cp - startp;
++      if (prefix_chars < max_chars) {
++              rv = _parse_integer_limit(cp, base, &result, max_chars - prefix_chars);
++              /* FIXME */
++              cp += (rv & ~KSTRTOX_OVERFLOW);
++      } else {
++              /* Field too short for prefix + digit, skip over without converting */
++              cp = startp + max_chars;
++      }
++
++      if (endp)
++              *endp = (char *)cp;
++
++      return result;
++}
++
+ /**
+  * simple_strtoull - convert a string to an unsigned long long
+  * @cp: The start of the string
+@@ -60,18 +85,7 @@
+  */
+ unsigned long long simple_strtoull(const char *cp, char **endp, unsigned int base)
+ {
+-      unsigned long long result;
+-      unsigned int rv;
+-
+-      cp = _parse_integer_fixup_radix(cp, &base);
+-      rv = _parse_integer(cp, base, &result);
+-      /* FIXME */
+-      cp += (rv & ~KSTRTOX_OVERFLOW);
+-
+-      if (endp)
+-              *endp = (char *)cp;
+-
+-      return result;
++      return simple_strntoull(cp, INT_MAX, endp, base);
+ }
+ EXPORT_SYMBOL(simple_strtoull);
+@@ -106,6 +120,21 @@ long simple_strtol(const char *cp, char **endp, unsigned int base)
+ }
+ EXPORT_SYMBOL(simple_strtol);
++static long long simple_strntoll(const char *cp, size_t max_chars, char **endp,
++                               unsigned int base)
++{
++      /*
++       * simple_strntoull() safely handles receiving max_chars==0 in the
++       * case cp[0] == '-' && max_chars == 1.
++       * If max_chars == 0 we can drop through and pass it to simple_strntoull()
++       * and the content of *cp is irrelevant.
++       */
++      if (*cp == '-' && max_chars > 0)
++              return -simple_strntoull(cp + 1, max_chars - 1, endp, base);
++
++      return simple_strntoull(cp, max_chars, endp, base);
++}
++
+ /**
+  * simple_strtoll - convert a string to a signed long long
+  * @cp: The start of the string
+@@ -116,10 +145,7 @@ EXPORT_SYMBOL(simple_strtol);
+  */
+ long long simple_strtoll(const char *cp, char **endp, unsigned int base)
+ {
+-      if (*cp == '-')
+-              return -simple_strtoull(cp + 1, endp, base);
+-
+-      return simple_strtoull(cp, endp, base);
++      return simple_strntoll(cp, INT_MAX, endp, base);
+ }
+ EXPORT_SYMBOL(simple_strtoll);
+@@ -3343,25 +3369,13 @@ int vsscanf(const char *buf, const char *fmt, va_list args)
+                       break;
+               if (is_sign)
+-                      val.s = qualifier != 'L' ?
+-                              simple_strtol(str, &next, base) :
+-                              simple_strtoll(str, &next, base);
++                      val.s = simple_strntoll(str,
++                                              field_width >= 0 ? field_width : INT_MAX,
++                                              &next, base);
+               else
+-                      val.u = qualifier != 'L' ?
+-                              simple_strtoul(str, &next, base) :
+-                              simple_strtoull(str, &next, base);
+-
+-              if (field_width > 0 && next - str > field_width) {
+-                      if (base == 0)
+-                              _parse_integer_fixup_radix(str, &base);
+-                      while (next - str > field_width) {
+-                              if (is_sign)
+-                                      val.s = div_s64(val.s, base);
+-                              else
+-                                      val.u = div_u64(val.u, base);
+-                              --next;
+-                      }
+-              }
++                      val.u = simple_strntoull(str,
++                                               field_width >= 0 ? field_width : INT_MAX,
++                                               &next, base);
+               switch (qualifier) {
+               case 'H':       /* that's 'hh' in format */
+-- 
+2.30.2
+
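Review bot: simple_strntoll() tests `*cp == '-'` before `max_chars > 0`, so the byte at cp is read even when the field width is zero, although the comment above it says the content of *cp is irrelevant in that case. Swapping the operands, `if (max_chars > 0 && *cp == '-')`, makes the code match the comment and keeps the helper from touching the buffer when it was given no characters to parse. Separately, the bare `/* FIXME */` carried into simple_strntoull() hides that the KSTRTOX_OVERFLOW bit is masked off and a wrapped value is returned as a success. A comment such as `/* FIXME: overflow is dropped here, callers see a truncated value */` would tell users of sscanf on untrusted strings to range-check the result.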
diff --git a/queue-5.4/lockding-lockdep-avoid-to-find-wrong-lock-dep-path-i.patch b/queue-5.4/lockding-lockdep-avoid-to-find-wrong-lock-dep-path-i.patch
new file mode 100644 (file)
index 0000000..5a7a61d
--- /dev/null
@@ -0,0 +1,59 @@
+From e1edb70a0ae3ee1e79233991a8307d4cbb9b1630 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Jun 2021 01:01:09 +0800
+Subject: lockding/lockdep: Avoid to find wrong lock dep path in
+ check_irq_usage()
+
+From: Boqun Feng <boqun.feng@gmail.com>
+
+[ Upstream commit 7b1f8c6179769af6ffa055e1169610b51d71edd5 ]
+
+In the step #3 of check_irq_usage(), we seach backwards to find a lock
+whose usage conflicts the usage of @target_entry1 on safe/unsafe.
+However, we should only keep the irq-unsafe usage of @target_entry1 into
+consideration, because it could be a case where a lock is hardirq-unsafe
+but soft-safe, and in check_irq_usage() we find it because its
+hardirq-unsafe could result into a hardirq-safe-unsafe deadlock, but
+currently since we don't filter out the other usage bits, so we may find
+a lock dependency path softirq-unsafe -> softirq-safe, which in fact
+doesn't cause a deadlock. And this may cause misleading lockdep splats.
+
+Fix this by only keeping LOCKF_ENABLED_IRQ_ALL bits when we try the
+backwards search.
+
+Reported-by: Johannes Berg <johannes@sipsolutions.net>
+Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20210618170110.3699115-4-boqun.feng@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/locking/lockdep.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
+index df43bf53e7c5..3ec8fd2e80e5 100644
+--- a/kernel/locking/lockdep.c
++++ b/kernel/locking/lockdep.c
+@@ -2377,8 +2377,18 @@ static int check_irq_usage(struct task_struct *curr, struct held_lock *prev,
+        * Step 3: we found a bad match! Now retrieve a lock from the backward
+        * list whose usage mask matches the exclusive usage mask from the
+        * lock found on the forward list.
++       *
++       * Note, we should only keep the LOCKF_ENABLED_IRQ_ALL bits, considering
++       * the follow case:
++       *
++       * When trying to add A -> B to the graph, we find that there is a
++       * hardirq-safe L, that L -> ... -> A, and another hardirq-unsafe M,
++       * that B -> ... -> M. However M is **softirq-safe**, if we use exact
++       * invert bits of M's usage_mask, we will find another lock N that is
++       * **softirq-unsafe** and N -> ... -> A, however N -> .. -> M will not
++       * cause a inversion deadlock.
+        */
+-      backward_mask = original_mask(target_entry1->class->usage_mask);
++      backward_mask = original_mask(target_entry1->class->usage_mask & LOCKF_ENABLED_IRQ_ALL);
+       ret = find_usage_backwards(&this, backward_mask, &target_entry);
+       if (ret < 0) {
+-- 
+2.30.2
+
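Review bot: The comment added to step 3 of check_irq_usage() has two wording slips that make the example harder to follow: "considering the follow case" and "cause a inversion deadlock" should read "considering the following case" and "cause an inversion deadlock". The masked call also runs well past 80 columns; breaking it after the `&`, as `backward_mask = original_mask(target_entry1->class->usage_mask &` followed by `LOCKF_ENABLED_IRQ_ALL);`, keeps the new mask visible in narrow views. check_irq_usage's body continues outside the hunk.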
diff --git a/queue-5.4/locking-lockdep-fix-the-dep-path-printing-for-backwa.patch b/queue-5.4/locking-lockdep-fix-the-dep-path-printing-for-backwa.patch
new file mode 100644 (file)
index 0000000..6e68992
--- /dev/null
@@ -0,0 +1,163 @@
+From 3f5d14f6aa4e75cd50fe8eb25ef9f75a80b9a3dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Jun 2021 01:01:07 +0800
+Subject: locking/lockdep: Fix the dep path printing for backwards BFS
+
+From: Boqun Feng <boqun.feng@gmail.com>
+
+[ Upstream commit 69c7a5fb2482636f525f016c8333fdb9111ecb9d ]
+
+We use the same code to print backwards lock dependency path as the
+forwards lock dependency path, and this could result into incorrect
+printing because for a backwards lock_list ->trace is not the call trace
+where the lock of ->class is acquired.
+
+Fix this by introducing a separate function on printing the backwards
+dependency path. Also add a few comments about the printing while we are
+at it.
+
+Reported-by: Johannes Berg <johannes@sipsolutions.net>
+Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20210618170110.3699115-2-boqun.feng@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/locking/lockdep.c | 108 ++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 106 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
+index 7429f1571755..df43bf53e7c5 100644
+--- a/kernel/locking/lockdep.c
++++ b/kernel/locking/lockdep.c
+@@ -1941,7 +1941,56 @@ static void print_lock_class_header(struct lock_class *class, int depth)
+ }
+ /*
+- * printk the shortest lock dependencies from @start to @end in reverse order:
++ * Dependency path printing:
++ *
++ * After BFS we get a lock dependency path (linked via ->parent of lock_list),
++ * printing out each lock in the dependency path will help on understanding how
++ * the deadlock could happen. Here are some details about dependency path
++ * printing:
++ *
++ * 1) A lock_list can be either forwards or backwards for a lock dependency,
++ *    for a lock dependency A -> B, there are two lock_lists:
++ *
++ *    a)      lock_list in the ->locks_after list of A, whose ->class is B and
++ *            ->links_to is A. In this case, we can say the lock_list is
++ *            "A -> B" (forwards case).
++ *
++ *    b)      lock_list in the ->locks_before list of B, whose ->class is A
++ *            and ->links_to is B. In this case, we can say the lock_list is
++ *            "B <- A" (bacwards case).
++ *
++ *    The ->trace of both a) and b) point to the call trace where B was
++ *    acquired with A held.
++ *
++ * 2) A "helper" lock_list is introduced during BFS, this lock_list doesn't
++ *    represent a certain lock dependency, it only provides an initial entry
++ *    for BFS. For example, BFS may introduce a "helper" lock_list whose
++ *    ->class is A, as a result BFS will search all dependencies starting with
++ *    A, e.g. A -> B or A -> C.
++ *
++ *    The notation of a forwards helper lock_list is like "-> A", which means
++ *    we should search the forwards dependencies starting with "A", e.g A -> B
++ *    or A -> C.
++ *
++ *    The notation of a bacwards helper lock_list is like "<- B", which means
++ *    we should search the backwards dependencies ending with "B", e.g.
++ *    B <- A or B <- C.
++ */
++
++/*
++ * printk the shortest lock dependencies from @root to @leaf in reverse order.
++ *
++ * We have a lock dependency path as follow:
++ *
++ *    @root                                                                 @leaf
++ *      |                                                                     |
++ *      V                                                                     V
++ *              ->parent                                   ->parent
++ * | lock_list | <--------- | lock_list | ... | lock_list  | <--------- | lock_list |
++ * |    -> L1  |            | L1 -> L2  | ... |Ln-2 -> Ln-1|            | Ln-1 -> Ln|
++ *
++ * , so it's natural that we start from @leaf and print every ->class and
++ * ->trace until we reach the @root.
+  */
+ static void __used
+ print_shortest_lock_dependencies(struct lock_list *leaf,
+@@ -1969,6 +2018,61 @@ print_shortest_lock_dependencies(struct lock_list *leaf,
+       } while (entry && (depth >= 0));
+ }
++/*
++ * printk the shortest lock dependencies from @leaf to @root.
++ *
++ * We have a lock dependency path (from a backwards search) as follow:
++ *
++ *    @leaf                                                                 @root
++ *      |                                                                     |
++ *      V                                                                     V
++ *              ->parent                                   ->parent
++ * | lock_list | ---------> | lock_list | ... | lock_list  | ---------> | lock_list |
++ * | L2 <- L1  |            | L3 <- L2  | ... | Ln <- Ln-1 |            |    <- Ln  |
++ *
++ * , so when we iterate from @leaf to @root, we actually print the lock
++ * dependency path L1 -> L2 -> .. -> Ln in the non-reverse order.
++ *
++ * Another thing to notice here is that ->class of L2 <- L1 is L1, while the
++ * ->trace of L2 <- L1 is the call trace of L2, in fact we don't have the call
++ * trace of L1 in the dependency path, which is alright, because most of the
++ * time we can figure out where L1 is held from the call trace of L2.
++ */
++static void __used
++print_shortest_lock_dependencies_backwards(struct lock_list *leaf,
++                                         struct lock_list *root)
++{
++      struct lock_list *entry = leaf;
++      const struct lock_trace *trace = NULL;
++      int depth;
++
++      /*compute depth from generated tree by BFS*/
++      depth = get_lock_depth(leaf);
++
++      do {
++              print_lock_class_header(entry->class, depth);
++              if (trace) {
++                      printk("%*s ... acquired at:\n", depth, "");
++                      print_lock_trace(trace, 2);
++                      printk("\n");
++              }
++
++              /*
++               * Record the pointer to the trace for the next lock_list
++               * entry, see the comments for the function.
++               */
++              trace = entry->trace;
++
++              if (depth == 0 && (entry != root)) {
++                      printk("lockdep:%s bad path found in chain graph\n", __func__);
++                      break;
++              }
++
++              entry = get_lock_parent(entry);
++              depth--;
++      } while (entry && (depth >= 0));
++}
++
+ static void
+ print_irq_lock_scenario(struct lock_list *safe_entry,
+                       struct lock_list *unsafe_entry,
+@@ -2086,7 +2190,7 @@ print_bad_irq_dependency(struct task_struct *curr,
+       prev_root->trace = save_trace();
+       if (!prev_root->trace)
+               return;
+-      print_shortest_lock_dependencies(backwards_entry, prev_root);
++      print_shortest_lock_dependencies_backwards(backwards_entry, prev_root);
+       pr_warn("\nthe dependencies between the lock to be acquired");
+       pr_warn(" and %s-irq-unsafe lock:\n", irqclass);
+-- 
+2.30.2
+
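Review bot: In print_shortest_lock_dependencies_backwards() the trace stored on the final loop iteration is never printed. `trace = entry->trace` runs for every entry, but the print sits at the top of the next iteration, and the loop ends once depth drops below zero or the bad-path check breaks out. The call site in print_bad_irq_dependency() still does `prev_root->trace = save_trace()` first, so on this path the saved trace appears to act only as an allocation check. If that is intended, a comment after the loop such as `/* the last ->trace recorded belongs to the helper entry and is deliberately not printed */` would say so. Separately, the new "Dependency path printing" comment spells "backwards" as "bacwards" in two places.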
diff --git a/queue-5.4/m68k-atari-fix-atari_kbd_core-kconfig-unmet-dependen.patch b/queue-5.4/m68k-atari-fix-atari_kbd_core-kconfig-unmet-dependen.patch
new file mode 100644 (file)
index 0000000..ba525f0
--- /dev/null
@@ -0,0 +1,64 @@
+From 945fbdd67f7f0cc7c92e1dd95786e19431e94590 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 May 2021 17:12:51 -0700
+Subject: m68k: atari: Fix ATARI_KBD_CORE kconfig unmet dependency warning
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit c1367ee016e3550745315fb9a2dd1e4ce02cdcf6 ]
+
+Since the code for ATARI_KBD_CORE does not use drivers/input/keyboard/
+code, just move ATARI_KBD_CORE to arch/m68k/Kconfig.machine to remove
+the dependency on INPUT_KEYBOARD.
+
+Removes this kconfig warning:
+
+    WARNING: unmet direct dependencies detected for ATARI_KBD_CORE
+      Depends on [n]: !UML && INPUT [=y] && INPUT_KEYBOARD [=n]
+      Selected by [y]:
+      - MOUSE_ATARI [=y] && !UML && INPUT [=y] && INPUT_MOUSE [=y] && ATARI [=y]
+
+Fixes: c04cb856e20a ("m68k: Atari keyboard and mouse support.")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Suggested-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Suggested-by: Michael Schmitz <schmitzmic@gmail.com>
+Acked-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Link: https://lore.kernel.org/r/20210527001251.8529-1-rdunlap@infradead.org
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/Kconfig.machine      | 3 +++
+ drivers/input/keyboard/Kconfig | 3 ---
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/m68k/Kconfig.machine b/arch/m68k/Kconfig.machine
+index c01e103492fd..1bbe0dd0c4fe 100644
+--- a/arch/m68k/Kconfig.machine
++++ b/arch/m68k/Kconfig.machine
+@@ -23,6 +23,9 @@ config ATARI
+         this kernel on an Atari, say Y here and browse the material
+         available in <file:Documentation/m68k>; otherwise say N.
++config ATARI_KBD_CORE
++      bool
++
+ config MAC
+       bool "Macintosh support"
+       depends on MMU
+diff --git a/drivers/input/keyboard/Kconfig b/drivers/input/keyboard/Kconfig
+index 8911bc2ec42a..ae0bdc439105 100644
+--- a/drivers/input/keyboard/Kconfig
++++ b/drivers/input/keyboard/Kconfig
+@@ -68,9 +68,6 @@ config KEYBOARD_AMIGA
+         To compile this driver as a module, choose M here: the
+         module will be called amikbd.
+-config ATARI_KBD_CORE
+-      bool
+-
+ config KEYBOARD_APPLESPI
+       tristate "Apple SPI keyboard and trackpad"
+       depends on ACPI && EFI
+-- 
+2.30.2
+
diff --git a/queue-5.4/mac80211-remove-iwlwifi-specific-workaround-ndps-of-.patch b/queue-5.4/mac80211-remove-iwlwifi-specific-workaround-ndps-of-.patch
new file mode 100644 (file)
index 0000000..575e3f5
--- /dev/null
@@ -0,0 +1,41 @@
+From 2815f332a153c721ff394f32a0ecae27bc2620d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jun 2021 21:48:25 +0800
+Subject: mac80211: remove iwlwifi specific workaround NDPs of null_response
+
+From: Ping-Ke Shih <pkshih@realtek.com>
+
+[ Upstream commit 744757e46bf13ec3a7b3507d17ab3faab9516d43 ]
+
+Remove the remaining workaround that is not removed by the
+commit e41eb3e408de ("mac80211: remove iwlwifi specific workaround
+that broke sta NDP tx")
+
+Fixes: 41cbb0f5a295 ("mac80211: add support for HE")
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://lore.kernel.org/r/20210623134826.10318-1-pkshih@realtek.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/sta_info.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
+index 82a1dd7b7d68..7b2e8c890381 100644
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -1395,11 +1395,6 @@ static void ieee80211_send_null_response(struct sta_info *sta, int tid,
+       struct ieee80211_tx_info *info;
+       struct ieee80211_chanctx_conf *chanctx_conf;
+-      /* Don't send NDPs when STA is connected HE */
+-      if (sdata->vif.type == NL80211_IFTYPE_STATION &&
+-          !(sdata->u.mgd.flags & IEEE80211_STA_DISABLE_HE))
+-              return;
+-
+       if (qos) {
+               fc = cpu_to_le16(IEEE80211_FTYPE_DATA |
+                                IEEE80211_STYPE_QOS_NULLFUNC |
+-- 
+2.30.2
+
diff --git a/queue-5.4/makefile-fix-gdb-warning-with-config_relr.patch b/queue-5.4/makefile-fix-gdb-warning-with-config_relr.patch
new file mode 100644 (file)
index 0000000..04eab7f
--- /dev/null
@@ -0,0 +1,65 @@
+From a303834c073207933c06e1954aca87d09e4b93c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 May 2021 18:26:24 -0700
+Subject: Makefile: fix GDB warning with CONFIG_RELR
+
+From: Nick Desaulniers <ndesaulniers@google.com>
+
+[ Upstream commit 27f2a4db76e8d8a8b601fc1c6a7a17f88bd907ab ]
+
+GDB produces the following warning when debugging kernels built with
+CONFIG_RELR:
+
+BFD: /android0/linux-next/vmlinux: unknown type [0x13] section `.relr.dyn'
+
+when loading a kernel built with CONFIG_RELR into GDB. It can also
+prevent debugging symbols using such relocations.
+
+Peter sugguests:
+  [That flag] means that lld will use dynamic tags and section type
+  numbers in the OS-specific range rather than the generic range. The
+  kernel itself doesn't care about these numbers; it determines the
+  location of the RELR section using symbols defined by a linker script.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/1057
+Suggested-by: Peter Collingbourne <pcc@google.com>
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
+Link: https://lore.kernel.org/r/20210522012626.2811297-1-ndesaulniers@google.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Makefile                      | 2 +-
+ scripts/tools-support-relr.sh | 3 ++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 5e8716dbbadc..78efac6021b6 100644
+--- a/Makefile
++++ b/Makefile
+@@ -937,7 +937,7 @@ LDFLAGS_vmlinux    += $(call ld-option, -X,)
+ endif
+ ifeq ($(CONFIG_RELR),y)
+-LDFLAGS_vmlinux       += --pack-dyn-relocs=relr
++LDFLAGS_vmlinux       += --pack-dyn-relocs=relr --use-android-relr-tags
+ endif
+ # make the checker run with the right architecture
+diff --git a/scripts/tools-support-relr.sh b/scripts/tools-support-relr.sh
+index 45e8aa360b45..cb55878bd5b8 100755
+--- a/scripts/tools-support-relr.sh
++++ b/scripts/tools-support-relr.sh
+@@ -7,7 +7,8 @@ trap "rm -f $tmp_file.o $tmp_file $tmp_file.bin" EXIT
+ cat << "END" | $CC -c -x c - -o $tmp_file.o >/dev/null 2>&1
+ void *p = &p;
+ END
+-$LD $tmp_file.o -shared -Bsymbolic --pack-dyn-relocs=relr -o $tmp_file
++$LD $tmp_file.o -shared -Bsymbolic --pack-dyn-relocs=relr \
++  --use-android-relr-tags -o $tmp_file
+ # Despite printing an error message, GNU nm still exits with exit code 0 if it
+ # sees a relr section. So we need to check that nothing is printed to stderr.
+-- 
+2.30.2
+
diff --git a/queue-5.4/media-au0828-fix-a-null-vs-is_err-check.patch b/queue-5.4/media-au0828-fix-a-null-vs-is_err-check.patch
new file mode 100644 (file)
index 0000000..269b8eb
--- /dev/null
@@ -0,0 +1,40 @@
+From b62a10c41d495a15bdd85949e784e578eaa9d2ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 May 2021 16:20:38 +0200
+Subject: media: au0828: fix a NULL vs IS_ERR() check
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 8f2e452730d2bcd59fe05246f0e19a4c52e0012d ]
+
+The media_device_usb_allocate() function returns error pointers when
+it's enabled and something goes wrong.  It can return NULL as well, but
+only if CONFIG_MEDIA_CONTROLLER is disabled so that doesn't apply here.
+
+Fixes: 812658d88d26 ("media: change au0828 to use Media Device Allocator API")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/au0828/au0828-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/au0828/au0828-core.c b/drivers/media/usb/au0828/au0828-core.c
+index a8a72d5fbd12..caefac07af92 100644
+--- a/drivers/media/usb/au0828/au0828-core.c
++++ b/drivers/media/usb/au0828/au0828-core.c
+@@ -199,8 +199,8 @@ static int au0828_media_device_init(struct au0828_dev *dev,
+       struct media_device *mdev;
+       mdev = media_device_usb_allocate(udev, KBUILD_MODNAME, THIS_MODULE);
+-      if (!mdev)
+-              return -ENOMEM;
++      if (IS_ERR(mdev))
++              return PTR_ERR(mdev);
+       dev->media_dev = mdev;
+ #endif
+-- 
+2.30.2
+
diff --git a/queue-5.4/media-bt8xx-fix-a-missing-check-bug-in-bt878_probe.patch b/queue-5.4/media-bt8xx-fix-a-missing-check-bug-in-bt878_probe.patch
new file mode 100644 (file)
index 0000000..2e5169c
--- /dev/null
@@ -0,0 +1,122 @@
+From 88495486a5865d3741f5e480d0c31390e0734671 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 May 2021 17:18:36 +0200
+Subject: media: bt8xx: Fix a missing check bug in bt878_probe
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit 1a4520090681853e6b850cbe54b27247a013e0e5 ]
+
+In 'bt878_irq', the driver calls 'tasklet_schedule', but this tasklet is
+set in 'dvb_bt8xx_load_card' of another driver 'dvb-bt8xx'.
+However, this two drivers are separate. The user may not load the
+'dvb-bt8xx' driver when loading the 'bt8xx' driver, that is, the tasklet
+has not been initialized when 'tasklet_schedule' is called, so it is
+necessary to check whether the tasklet is initialized in 'bt878_probe'.
+
+Fix this by adding a check at the end of bt878_probe.
+
+The KASAN's report reveals it:
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
+PGD 800000006aab2067 P4D 800000006aab2067 PUD 6b2ea067 PMD 0
+Oops: 0010 [#1] PREEMPT SMP KASAN PTI
+CPU: 2 PID: 8724 Comm: syz-executor.0 Not tainted 4.19.177-
+gdba4159c14ef-dirty #40
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-
+gc9ba5276e321-prebuilt.qemu.org 04/01/2014
+RIP: 0010:          (null)
+Code: Bad RIP value.
+RSP: 0018:ffff88806c287ea0 EFLAGS: 00010246
+RAX: fffffbfff1b01774 RBX: dffffc0000000000 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: 1ffffffff1b01775 RDI: 0000000000000000
+RBP: ffff88806c287f00 R08: fffffbfff1b01774 R09: fffffbfff1b01774
+R10: 0000000000000001 R11: fffffbfff1b01773 R12: 0000000000000000
+R13: ffff88806c29f530 R14: ffffffff8d80bb88 R15: ffffffff8d80bb90
+FS:  00007f6b550e6700(0000) GS:ffff88806c280000(0000) knlGS:
+0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffffffffd6 CR3: 000000005ec98000 CR4: 00000000000006e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <IRQ>
+ tasklet_action_common.isra.17+0x141/0x420 kernel/softirq.c:522
+ tasklet_action+0x50/0x70 kernel/softirq.c:540
+ __do_softirq+0x224/0x92c kernel/softirq.c:292
+ invoke_softirq kernel/softirq.c:372 [inline]
+ irq_exit+0x15a/0x180 kernel/softirq.c:412
+ exiting_irq arch/x86/include/asm/apic.h:535 [inline]
+ do_IRQ+0x123/0x1e0 arch/x86/kernel/irq.c:260
+ common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:670
+ </IRQ>
+RIP: 0010:__do_sys_interrupt kernel/sys.c:2593 [inline]
+RIP: 0010:__se_sys_interrupt kernel/sys.c:2584 [inline]
+RIP: 0010:__x64_sys_interrupt+0x5b/0x80 kernel/sys.c:2584
+Code: ba 00 04 00 00 48 c7 c7 c0 99 31 8c e8 ae 76 5e 01 48 85 c0 75 21 e8
+14 ae 24 00 48 c7 c3 c0 99 31 8c b8 0c 00 00 00 0f 01 c1 <31> db e8 fe ad
+24 00 48 89 d8 5b 5d c3 48 c7 c3 ea ff ff ff eb ec
+RSP: 0018:ffff888054167f10 EFLAGS: 00000212 ORIG_RAX: ffffffffffffffde
+RAX: 000000000000000c RBX: ffffffff8c3199c0 RCX: ffffc90001ca6000
+RDX: 000000000000001a RSI: ffffffff813478fc RDI: ffffffff8c319dc0
+RBP: ffff888054167f18 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000080 R11: fffffbfff18633b7 R12: ffff888054167f58
+R13: ffff88805f638000 R14: 0000000000000000 R15: 0000000000000000
+ do_syscall_64+0xb0/0x4e0 arch/x86/entry/common.c:293
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x4692a9
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7
+48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
+ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f6b550e5c48 EFLAGS: 00000246 ORIG_RAX: 000000000000014f
+RAX: ffffffffffffffda RBX: 000000000077bf60 RCX: 00000000004692a9
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000140
+RBP: 00000000004cf7eb R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 000000000077bf60
+R13: 0000000000000000 R14: 000000000077bf60 R15: 00007fff55a1dca0
+Modules linked in:
+Dumping ftrace buffer:
+   (ftrace buffer empty)
+CR2: 0000000000000000
+---[ end trace 68e5849c3f77cbb6 ]---
+RIP: 0010:          (null)
+Code: Bad RIP value.
+RSP: 0018:ffff88806c287ea0 EFLAGS: 00010246
+RAX: fffffbfff1b01774 RBX: dffffc0000000000 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: 1ffffffff1b01775 RDI: 0000000000000000
+RBP: ffff88806c287f00 R08: fffffbfff1b01774 R09: fffffbfff1b01774
+R10: 0000000000000001 R11: fffffbfff1b01773 R12: 0000000000000000
+R13: ffff88806c29f530 R14: ffffffff8d80bb88 R15: ffffffff8d80bb90
+FS:  00007f6b550e6700(0000) GS:ffff88806c280000(0000) knlGS:
+0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffffffffd6 CR3: 000000005ec98000 CR4: 00000000000006e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+
+Reported-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/bt8xx/bt878.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/pci/bt8xx/bt878.c b/drivers/media/pci/bt8xx/bt878.c
+index 53af26ad1dfb..1a741b47eaa1 100644
+--- a/drivers/media/pci/bt8xx/bt878.c
++++ b/drivers/media/pci/bt8xx/bt878.c
+@@ -477,6 +477,9 @@ static int bt878_probe(struct pci_dev *dev, const struct pci_device_id *pci_id)
+       btwrite(0, BT878_AINT_MASK);
+       bt878_num++;
++      if (!bt->tasklet.func)
++              tasklet_disable(&bt->tasklet);
++
+       return 0;
+       fail2:
+-- 
+2.30.2
+
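Review bot: The two lines added at the end of bt878_probe() carry no comment, so the reason for disabling a tasklet whose `func` is NULL lives only in the commit message. A comment above the check would keep that reasoning with the code, for example `/* dvb-bt8xx sets up this tasklet; until it does, keep it disabled so bt878_irq cannot run a NULL handler */`. The check runs once at probe time, so it presumably relies on the later tasklet setup in dvb-bt8xx to make the tasklet runnable again. That setup, bt878_irq and the rest of bt878_probe() are outside the hunk, so this should be confirmed there.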
diff --git a/queue-5.4/media-cobalt-fix-race-condition-in-setting-hpd.patch b/queue-5.4/media-cobalt-fix-race-condition-in-setting-hpd.patch
new file mode 100644 (file)
index 0000000..b491198
--- /dev/null
@@ -0,0 +1,70 @@
+From 321b523623013eef44d4ea29b4208d34cc903f67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Apr 2021 10:00:49 +0200
+Subject: media: cobalt: fix race condition in setting HPD
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 3d37ef41bed0854805ab9af22c422267510e1344 ]
+
+The cobalt_s_bit_sysctrl reads the old register value over PCI,
+then changes a bit and sets writes the new value to the register.
+
+This is used among other things for setting the HPD output pin.
+
+But if the HPD is changed for multiple inputs at the same time,
+then this causes a race condition where a stale value is read.
+
+Serialize this function with a mutex.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/cobalt/cobalt-driver.c | 1 +
+ drivers/media/pci/cobalt/cobalt-driver.h | 7 ++++++-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/pci/cobalt/cobalt-driver.c b/drivers/media/pci/cobalt/cobalt-driver.c
+index 0695078ef812..1bd8bbe57a30 100644
+--- a/drivers/media/pci/cobalt/cobalt-driver.c
++++ b/drivers/media/pci/cobalt/cobalt-driver.c
+@@ -667,6 +667,7 @@ static int cobalt_probe(struct pci_dev *pci_dev,
+               return -ENOMEM;
+       cobalt->pci_dev = pci_dev;
+       cobalt->instance = i;
++      mutex_init(&cobalt->pci_lock);
+       retval = v4l2_device_register(&pci_dev->dev, &cobalt->v4l2_dev);
+       if (retval) {
+diff --git a/drivers/media/pci/cobalt/cobalt-driver.h b/drivers/media/pci/cobalt/cobalt-driver.h
+index bca68572b324..12c33e035904 100644
+--- a/drivers/media/pci/cobalt/cobalt-driver.h
++++ b/drivers/media/pci/cobalt/cobalt-driver.h
+@@ -251,6 +251,8 @@ struct cobalt {
+       int instance;
+       struct pci_dev *pci_dev;
+       struct v4l2_device v4l2_dev;
++      /* serialize PCI access in cobalt_s_bit_sysctrl() */
++      struct mutex pci_lock;
+       void __iomem *bar0, *bar1;
+@@ -320,10 +322,13 @@ static inline u32 cobalt_g_sysctrl(struct cobalt *cobalt)
+ static inline void cobalt_s_bit_sysctrl(struct cobalt *cobalt,
+                                       int bit, int val)
+ {
+-      u32 ctrl = cobalt_read_bar1(cobalt, COBALT_SYS_CTRL_BASE);
++      u32 ctrl;
++      mutex_lock(&cobalt->pci_lock);
++      ctrl = cobalt_read_bar1(cobalt, COBALT_SYS_CTRL_BASE);
+       cobalt_write_bar1(cobalt, COBALT_SYS_CTRL_BASE,
+                       (ctrl & ~(1UL << bit)) | (val << bit));
++      mutex_unlock(&cobalt->pci_lock);
+ }
+ static inline u32 cobalt_g_sysstat(struct cobalt *cobalt)
+-- 
+2.30.2
+
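Review bot: cobalt_s_bit_sysctrl() in cobalt-driver.h now takes a mutex and can sleep, but nothing at the definition or at the new field says so. It is a static inline in a header, so any file that includes it can call it from a context where sleeping is not allowed. The field comment could carry the constraint, e.g. `/* serialize PCI access in cobalt_s_bit_sysctrl(); may sleep, process context only */`. The callers are outside the hunk, so whether any of them runs in interrupt or other atomic context needs checking. The lock also covers only this helper, so any other read-modify-write of COBALT_SYS_CTRL_BASE elsewhere in the driver would remain unserialized.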
diff --git a/queue-5.4/media-cpia2-fix-memory-leak-in-cpia2_usb_probe.patch b/queue-5.4/media-cpia2-fix-memory-leak-in-cpia2_usb_probe.patch
new file mode 100644 (file)
index 0000000..edc527c
--- /dev/null
@@ -0,0 +1,104 @@
+From 9d686c2725f5746a7ce782d71f97e0aae290c7b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Apr 2021 21:43:45 +0200
+Subject: media: cpia2: fix memory leak in cpia2_usb_probe
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit be8656e62e9e791837b606a027802b504a945c97 ]
+
+syzbot reported leak in cpia2 usb driver. The problem was
+in invalid error handling.
+
+v4l2_device_register() is called in cpia2_init_camera_struct(), but
+all error cases after cpia2_init_camera_struct() did not call the
+v4l2_device_unregister()
+
+Reported-by: syzbot+d1e69c888f0d3866ead4@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/cpia2/cpia2.h      |  1 +
+ drivers/media/usb/cpia2/cpia2_core.c | 12 ++++++++++++
+ drivers/media/usb/cpia2/cpia2_usb.c  | 13 +++++++------
+ 3 files changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/media/usb/cpia2/cpia2.h b/drivers/media/usb/cpia2/cpia2.h
+index 50835f5f7512..57b7f1ea68da 100644
+--- a/drivers/media/usb/cpia2/cpia2.h
++++ b/drivers/media/usb/cpia2/cpia2.h
+@@ -429,6 +429,7 @@ int cpia2_send_command(struct camera_data *cam, struct cpia2_command *cmd);
+ int cpia2_do_command(struct camera_data *cam,
+                    unsigned int command,
+                    unsigned char direction, unsigned char param);
++void cpia2_deinit_camera_struct(struct camera_data *cam, struct usb_interface *intf);
+ struct camera_data *cpia2_init_camera_struct(struct usb_interface *intf);
+ int cpia2_init_camera(struct camera_data *cam);
+ int cpia2_allocate_buffers(struct camera_data *cam);
+diff --git a/drivers/media/usb/cpia2/cpia2_core.c b/drivers/media/usb/cpia2/cpia2_core.c
+index 20c50c2d042e..f8c6e0b211a5 100644
+--- a/drivers/media/usb/cpia2/cpia2_core.c
++++ b/drivers/media/usb/cpia2/cpia2_core.c
+@@ -2163,6 +2163,18 @@ static void reset_camera_struct(struct camera_data *cam)
+       cam->height = cam->params.roi.height;
+ }
++/******************************************************************************
++ *
++ *  cpia2_init_camera_struct
++ *
++ *  Deinitialize camera struct
++ *****************************************************************************/
++void cpia2_deinit_camera_struct(struct camera_data *cam, struct usb_interface *intf)
++{
++      v4l2_device_unregister(&cam->v4l2_dev);
++      kfree(cam);
++}
++
+ /******************************************************************************
+  *
+  *  cpia2_init_camera_struct
+diff --git a/drivers/media/usb/cpia2/cpia2_usb.c b/drivers/media/usb/cpia2/cpia2_usb.c
+index 3ab80a7b4498..76aac06f9fb8 100644
+--- a/drivers/media/usb/cpia2/cpia2_usb.c
++++ b/drivers/media/usb/cpia2/cpia2_usb.c
+@@ -844,15 +844,13 @@ static int cpia2_usb_probe(struct usb_interface *intf,
+       ret = set_alternate(cam, USBIF_CMDONLY);
+       if (ret < 0) {
+               ERR("%s: usb_set_interface error (ret = %d)\n", __func__, ret);
+-              kfree(cam);
+-              return ret;
++              goto alt_err;
+       }
+       if((ret = cpia2_init_camera(cam)) < 0) {
+               ERR("%s: failed to initialize cpia2 camera (ret = %d)\n", __func__, ret);
+-              kfree(cam);
+-              return ret;
++              goto alt_err;
+       }
+       LOG("  CPiA Version: %d.%02d (%d.%d)\n",
+              cam->params.version.firmware_revision_hi,
+@@ -872,11 +870,14 @@ static int cpia2_usb_probe(struct usb_interface *intf,
+       ret = cpia2_register_camera(cam);
+       if (ret < 0) {
+               ERR("%s: Failed to register cpia2 camera (ret = %d)\n", __func__, ret);
+-              kfree(cam);
+-              return ret;
++              goto alt_err;
+       }
+       return 0;
++
++alt_err:
++      cpia2_deinit_camera_struct(cam, intf);
++      return ret;
+ }
+ /******************************************************************************
+-- 
+2.30.2
+
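Review bot: The banner comment added above cpia2_deinit_camera_struct() in cpia2_core.c names the wrong function. It reads `cpia2_init_camera_struct`, which makes it identical to the banner of the function that follows, and should read ` *  cpia2_deinit_camera_struct`. The new function also never uses its `intf` parameter. Either drop it from the definition, the prototype in cpia2.h and the call under `alt_err:`, or add a short comment saying why it is kept. The `alt_err` label is reached from the cpia2_init_camera() and cpia2_register_camera() failures as well as from set_alternate(), so a neutral name would describe it better. cpia2_usb_probe() starts outside the hunk.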
diff --git a/queue-5.4/media-dvb_net-avoid-speculation-from-net-slot.patch b/queue-5.4/media-dvb_net-avoid-speculation-from-net-slot.patch
new file mode 100644 (file)
index 0000000..6c0809e
--- /dev/null
@@ -0,0 +1,89 @@
+From 2d7e044d7c4a7b32e777b9982a2d1b386cc1bfb0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 13:13:54 +0200
+Subject: media: dvb_net: avoid speculation from net slot
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit abc0226df64dc137b48b911c1fe4319aec5891bb ]
+
+The risk of especulation is actually almost-non-existing here,
+as there are very few users of TCP/IP using the DVB stack,
+as, this is mainly used with DVB-S/S2 cards, and only by people
+that receives TCP/IP from satellite connections, which limits
+a lot the number of users of such feature(*).
+
+(*) In thesis, DVB-C cards could also benefit from it, but I'm
+yet to see a hardware that supports it.
+
+Yet, fixing it is trivial.
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-core/dvb_net.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/media/dvb-core/dvb_net.c b/drivers/media/dvb-core/dvb_net.c
+index 630509ecee20..9fed06ba88ef 100644
+--- a/drivers/media/dvb-core/dvb_net.c
++++ b/drivers/media/dvb-core/dvb_net.c
+@@ -45,6 +45,7 @@
+ #include <linux/module.h>
+ #include <linux/kernel.h>
+ #include <linux/netdevice.h>
++#include <linux/nospec.h>
+ #include <linux/etherdevice.h>
+ #include <linux/dvb/net.h>
+ #include <linux/uio.h>
+@@ -1462,14 +1463,20 @@ static int dvb_net_do_ioctl(struct file *file,
+               struct net_device *netdev;
+               struct dvb_net_priv *priv_data;
+               struct dvb_net_if *dvbnetif = parg;
++              int if_num = dvbnetif->if_num;
+-              if (dvbnetif->if_num >= DVB_NET_DEVICES_MAX ||
+-                  !dvbnet->state[dvbnetif->if_num]) {
++              if (if_num >= DVB_NET_DEVICES_MAX) {
+                       ret = -EINVAL;
+                       goto ioctl_error;
+               }
++              if_num = array_index_nospec(if_num, DVB_NET_DEVICES_MAX);
+-              netdev = dvbnet->device[dvbnetif->if_num];
++              if (!dvbnet->state[if_num]) {
++                      ret = -EINVAL;
++                      goto ioctl_error;
++              }
++
++              netdev = dvbnet->device[if_num];
+               priv_data = netdev_priv(netdev);
+               dvbnetif->pid=priv_data->pid;
+@@ -1522,14 +1529,20 @@ static int dvb_net_do_ioctl(struct file *file,
+               struct net_device *netdev;
+               struct dvb_net_priv *priv_data;
+               struct __dvb_net_if_old *dvbnetif = parg;
++              int if_num = dvbnetif->if_num;
++
++              if (if_num >= DVB_NET_DEVICES_MAX) {
++                      ret = -EINVAL;
++                      goto ioctl_error;
++              }
++              if_num = array_index_nospec(if_num, DVB_NET_DEVICES_MAX);
+-              if (dvbnetif->if_num >= DVB_NET_DEVICES_MAX ||
+-                  !dvbnet->state[dvbnetif->if_num]) {
++              if (!dvbnet->state[if_num]) {
+                       ret = -EINVAL;
+                       goto ioctl_error;
+               }
+-              netdev = dvbnet->device[dvbnetif->if_num];
++              netdev = dvbnet->device[if_num];
+               priv_data = netdev_priv(netdev);
+               dvbnetif->pid=priv_data->pid;
+-- 
+2.30.2
+
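Review bot: In both dvb_net_do_ioctl() hunks the user-supplied index is copied into a signed local, `int if_num = dvbnetif->if_num;`, and checked only against the upper bound with `if_num >= DVB_NET_DEVICES_MAX`. The field's type is declared outside the hunk. If it is unsigned and narrower than int the check is complete, but the code does not show that, and a signed local invites the question of negative values. Declaring it `unsigned int if_num = dvbnetif->if_num;` makes the single comparison cover every possible value and matches what array_index_nospec() expects. The same bounds check, clamp and state test is now duplicated in both ioctl cases, so a small static helper returning the clamped index or an error would keep the two copies from drifting apart.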
diff --git a/queue-5.4/media-dvd_usb-memory-leak-in-cinergyt2_fe_attach.patch b/queue-5.4/media-dvd_usb-memory-leak-in-cinergyt2_fe_attach.patch
new file mode 100644 (file)
index 0000000..3341382
--- /dev/null
@@ -0,0 +1,52 @@
+From 6fdb3242a3eebaec8498327619a22650886f4d07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 May 2021 15:06:52 +0200
+Subject: media: dvd_usb: memory leak in cinergyt2_fe_attach
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit 9ad1efee086e0e913914fa2b2173efb830bad68c ]
+
+When the driver fails to talk with the hardware with dvb_usb_generic_rw,
+it will return an error to dvb_usb_adapter_frontend_init. However, the
+driver forgets to free the resource (e.g., struct cinergyt2_fe_state),
+which leads to a memory leak.
+
+Fix this by freeing struct cinergyt2_fe_state when dvb_usb_generic_rw
+fails in cinergyt2_frontend_attach.
+
+backtrace:
+  [<0000000056e17b1a>] kmalloc include/linux/slab.h:552 [inline]
+  [<0000000056e17b1a>] kzalloc include/linux/slab.h:682 [inline]
+  [<0000000056e17b1a>] cinergyt2_fe_attach+0x21/0x80 drivers/media/usb/dvb-usb/cinergyT2-fe.c:271
+  [<00000000ae0b1711>] cinergyt2_frontend_attach+0x21/0x70 drivers/media/usb/dvb-usb/cinergyT2-core.c:74
+  [<00000000d0254861>] dvb_usb_adapter_frontend_init+0x11b/0x1b0 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:290
+  [<0000000002e08ac6>] dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:84 [inline]
+  [<0000000002e08ac6>] dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:173 [inline]
+  [<0000000002e08ac6>] dvb_usb_device_init.cold+0x4d0/0x6ae drivers/media/usb/dvb-usb/dvb-usb-init.c:287
+
+Reported-by: syzbot+e1de8986786b3722050e@syzkaller.appspotmail.com
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/cinergyT2-core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/media/usb/dvb-usb/cinergyT2-core.c b/drivers/media/usb/dvb-usb/cinergyT2-core.c
+index 969a7ec71dff..4116ba5c45fc 100644
+--- a/drivers/media/usb/dvb-usb/cinergyT2-core.c
++++ b/drivers/media/usb/dvb-usb/cinergyT2-core.c
+@@ -78,6 +78,8 @@ static int cinergyt2_frontend_attach(struct dvb_usb_adapter *adap)
+       ret = dvb_usb_generic_rw(d, st->data, 1, st->data, 3, 0);
+       if (ret < 0) {
++              if (adap->fe_adap[0].fe)
++                      adap->fe_adap[0].fe->ops.release(adap->fe_adap[0].fe);
+               deb_rc("cinergyt2_power_ctrl() Failed to retrieve sleep state info\n");
+       }
+       mutex_unlock(&d->data_mutex);
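Review bot: After the added `ops.release()` call, `adap->fe_adap[0].fe` still points at the released frontend, and nothing in the hunk clears it before the function goes on. Any later code that tests that pointer for NULL before using or releasing the frontend would then act on freed memory; presumably the adapter's frontend init and exit paths do, but they are outside this hunk. Clearing it right after the release, `adap->fe_adap[0].fe = NULL;`, removes the dangling pointer, and braces around the now multi-line inner `if` would help readability. cinergyt2_frontend_attach starts and ends outside the hunk.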
+-- 
+2.30.2
+
diff --git a/queue-5.4/media-em28xx-fix-possible-memory-leak-of-em28xx-stru.patch b/queue-5.4/media-em28xx-fix-possible-memory-leak-of-em28xx-stru.patch
new file mode 100644 (file)
index 0000000..728454c
--- /dev/null
@@ -0,0 +1,58 @@
+From 2b39dd590557e14d64806acd84c2d136a57813f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 May 2021 20:32:49 +0200
+Subject: media: em28xx: Fix possible memory leak of em28xx struct
+
+From: Igor Matheus Andrade Torrente <igormtorrente@gmail.com>
+
+[ Upstream commit ac5688637144644f06ed1f3c6d4dd8bb7db96020 ]
+
+The em28xx struct kref isn't being decreased after an error in the
+em28xx_ir_init, leading to a possible memory leak.
+
+A kref_put and em28xx_shutdown_buttons is added to the error handler code.
+
+Signed-off-by: Igor Matheus Andrade Torrente <igormtorrente@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/em28xx/em28xx-input.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/em28xx/em28xx-input.c b/drivers/media/usb/em28xx/em28xx-input.c
+index 5aa15a7a49de..59529cbf9cd0 100644
+--- a/drivers/media/usb/em28xx/em28xx-input.c
++++ b/drivers/media/usb/em28xx/em28xx-input.c
+@@ -720,7 +720,8 @@ static int em28xx_ir_init(struct em28xx *dev)
+                       dev->board.has_ir_i2c = 0;
+                       dev_warn(&dev->intf->dev,
+                                "No i2c IR remote control device found.\n");
+-                      return -ENODEV;
++                      err = -ENODEV;
++                      goto ref_put;
+               }
+       }
+@@ -735,7 +736,7 @@ static int em28xx_ir_init(struct em28xx *dev)
+       ir = kzalloc(sizeof(*ir), GFP_KERNEL);
+       if (!ir)
+-              return -ENOMEM;
++              goto ref_put;
+       rc = rc_allocate_device(RC_DRIVER_SCANCODE);
+       if (!rc)
+               goto error;
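Review bot: The `if (!ir) goto ref_put;` path no longer states its error code: it replaces `return -ENOMEM;` and now returns whatever `err` holds at that point, which is set outside this hunk. The first hunk assigns `err = -ENODEV;` explicitly before the same jump, so adding `err = -ENOMEM;` ahead of `goto ref_put;` (with braces) would keep this path correct even if the declaration of `err` changes. The existing `error:` label now falls through into `ref_put:`, so every later failure also runs `em28xx_shutdown_buttons()` and `kref_put()`; a comment at the label such as `/* falls through from error: drop the device reference on every failure */` would make that intent visible. em28xx_ir_init begins outside the hunks.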
+@@ -839,6 +840,9 @@ error:
+       dev->ir = NULL;
+       rc_free_device(rc);
+       kfree(ir);
++ref_put:
++      em28xx_shutdown_buttons(dev);
++      kref_put(&dev->ref, em28xx_free_device);
+       return err;
+ }
+-- 
+2.30.2
+
diff --git a/queue-5.4/media-exynos-gsc-fix-pm_runtime_get_sync-usage-count.patch b/queue-5.4/media-exynos-gsc-fix-pm_runtime_get_sync-usage-count.patch
new file mode 100644 (file)
index 0000000..841355d
--- /dev/null
@@ -0,0 +1,46 @@
+From db7b082294927160c05ec9b1fae8eea71ebaf831 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Apr 2021 17:19:18 +0200
+Subject: media: exynos-gsc: fix pm_runtime_get_sync() usage count
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 59087b66ea6730c130c57d23bd9fd139b78c1ba5 ]
+
+The pm_runtime_get_sync() internally increments the
+dev->power.usage_count without decrementing it, even on errors.
+Replace it by the new pm_runtime_resume_and_get(), introduced by:
+commit dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")
+in order to properly decrement the usage counter, avoiding
+a potential PM usage counter leak.
+
+As a bonus, as pm_runtime_get_sync() always return 0 on
+success, the logic can be simplified.
+
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/exynos-gsc/gsc-m2m.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/media/platform/exynos-gsc/gsc-m2m.c b/drivers/media/platform/exynos-gsc/gsc-m2m.c
+index 35a1d0d6dd66..42d1e4496efa 100644
+--- a/drivers/media/platform/exynos-gsc/gsc-m2m.c
++++ b/drivers/media/platform/exynos-gsc/gsc-m2m.c
+@@ -56,10 +56,8 @@ static void __gsc_m2m_job_abort(struct gsc_ctx *ctx)
+ static int gsc_m2m_start_streaming(struct vb2_queue *q, unsigned int count)
+ {
+       struct gsc_ctx *ctx = q->drv_priv;
+-      int ret;
+-      ret = pm_runtime_get_sync(&ctx->gsc_dev->pdev->dev);
+-      return ret > 0 ? 0 : ret;
++      return pm_runtime_resume_and_get(&ctx->gsc_dev->pdev->dev);
+ }
+ static void __gsc_m2m_cleanup_queue(struct gsc_ctx *ctx)
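Review bot: When `pm_runtime_resume_and_get()` fails, `gsc_m2m_start_streaming()` returns the error without handing back any buffers already queued to the driver. The vb2 documentation for `start_streaming` asks a driver to return those buffers with `vb2_buffer_done()` in the `VB2_BUF_STATE_QUEUED` state on failure, and the core warns otherwise. If buffers can be queued before this callback runs (the buf_queue path is outside this hunk), the failure branch should drain them first, for example with `v4l2_m2m_buf_done(vbuf, VB2_BUF_STATE_QUEUED);` per removed buffer. The same applies to `mtk_mdp_m2m_start_streaming()` in the mtk-mdp patch further down, which newly propagates the error with `return ret;`. Since this is a 5.4 backport, it is also worth confirming that the tree already carries commit dd8088d5a896 named in the description.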
+-- 
+2.30.2
+
diff --git a/queue-5.4/media-exynos4-is-fix-a-use-after-free-in-isp_video_r.patch b/queue-5.4/media-exynos4-is-fix-a-use-after-free-in-isp_video_r.patch
new file mode 100644 (file)
index 0000000..6465bfa
--- /dev/null
@@ -0,0 +1,57 @@
+From 8c24d505f2bda15cc90587d512a9370d7caf6e2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 May 2021 10:12:31 +0200
+Subject: media: exynos4-is: Fix a use after free in isp_video_release
+
+From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+
+[ Upstream commit 01fe904c9afd26e79c1f73aa0ca2e3d785e5e319 ]
+
+In isp_video_release, file->private_data is freed via
+_vb2_fop_release()->v4l2_fh_release(). But the freed
+file->private_data is still used in v4l2_fh_is_singular_file()
+->v4l2_fh_is_singular(file->private_data), which is a use
+after free bug.
+
+My patch uses a variable 'is_singular_file' to avoid the uaf.
+v3: https://lore.kernel.org/patchwork/patch/1419058/
+
+Fixes: 34947b8aebe3f ("[media] exynos4-is: Add the FIMC-IS ISP capture DMA driver")
+Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/exynos4-is/fimc-isp-video.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/exynos4-is/fimc-isp-video.c b/drivers/media/platform/exynos4-is/fimc-isp-video.c
+index d2cbcdca0463..370cdf007012 100644
+--- a/drivers/media/platform/exynos4-is/fimc-isp-video.c
++++ b/drivers/media/platform/exynos4-is/fimc-isp-video.c
+@@ -305,17 +305,20 @@ static int isp_video_release(struct file *file)
+       struct fimc_is_video *ivc = &isp->video_capture;
+       struct media_entity *entity = &ivc->ve.vdev.entity;
+       struct media_device *mdev = entity->graph_obj.mdev;
++      bool is_singular_file;
+       mutex_lock(&isp->video_lock);
+-      if (v4l2_fh_is_singular_file(file) && ivc->streaming) {
++      is_singular_file = v4l2_fh_is_singular_file(file);
++
++      if (is_singular_file && ivc->streaming) {
+               media_pipeline_stop(entity);
+               ivc->streaming = 0;
+       }
+       _vb2_fop_release(file, NULL);
+-      if (v4l2_fh_is_singular_file(file)) {
++      if (is_singular_file) {
+               fimc_pipeline_call(&ivc->ve, close);
+               mutex_lock(&mdev->graph_mutex);
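Review bot: The reason `is_singular_file` is sampled before `_vb2_fop_release()` is not recorded in the code, so a later cleanup could fold the call back into the second `if` and reintroduce the use-after-free the description explains. A comment above the assignment would pin the ordering, for example `/* must be read before _vb2_fop_release(), which frees file->private_data */`. isp_video_release continues past the end of the hunk.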
+-- 
+2.30.2
+
diff --git a/queue-5.4/media-fix-media-controller-api-config-checks.patch b/queue-5.4/media-fix-media-controller-api-config-checks.patch
new file mode 100644 (file)
index 0000000..8f7defd
--- /dev/null
@@ -0,0 +1,88 @@
+From 566b10ee892dc10912807818384a9f60bff36126 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 17:19:06 +0200
+Subject: media: Fix Media Controller API config checks
+
+From: Shuah Khan <skhan@linuxfoundation.org>
+
+[ Upstream commit 50e7a31d30e8221632675abed3be306382324ca2 ]
+
+Smatch static checker warns that "mdev" can be null:
+
+sound/usb/media.c:287 snd_media_device_create()
+    warn: 'mdev' can also be NULL
+
+If CONFIG_MEDIA_CONTROLLER is disabled, this file should not be included
+in the build.
+
+The below conditions in the sound/usb/Makefile are in place to ensure that
+media.c isn't included in the build.
+
+sound/usb/Makefile:
+snd-usb-audio-$(CONFIG_SND_USB_AUDIO_USE_MEDIA_CONTROLLER) += media.o
+
+select SND_USB_AUDIO_USE_MEDIA_CONTROLLER if MEDIA_CONTROLLER &&
+       (MEDIA_SUPPORT=y || MEDIA_SUPPORT=SND_USB_AUDIO)
+
+The following config check in include/media/media-dev-allocator.h is
+in place to enable the API only when CONFIG_MEDIA_CONTROLLER and
+CONFIG_USB are enabled.
+
+ #if defined(CONFIG_MEDIA_CONTROLLER) && defined(CONFIG_USB)
+
+This check doesn't work as intended when CONFIG_USB=m. When CONFIG_USB=m,
+CONFIG_USB_MODULE is defined and CONFIG_USB is not. The above config check
+doesn't catch that CONFIG_USB is defined as a module and disables the API.
+This results in sound/usb enabling Media Controller specific ALSA driver
+code, while Media disables the Media Controller API.
+
+Fix the problem requires two changes:
+
+1. Change the check to use IS_ENABLED to detect when CONFIG_USB is enabled
+   as a module or static. Since CONFIG_MEDIA_CONTROLLER is a bool, leave
+   the check unchanged to be consistent with drivers/media/Makefile.
+
+2. Change the drivers/media/mc/Makefile to include mc-dev-allocator.o
+   in mc-objs when CONFIG_USB is enabled.
+
+Link: https://lore.kernel.org/alsa-devel/YLeAvT+R22FQ%2FEyw@mwanda/
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/mc/Makefile           | 2 +-
+ include/media/media-dev-allocator.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/mc/Makefile b/drivers/media/mc/Makefile
+index 119037f0e686..2b7af42ba59c 100644
+--- a/drivers/media/mc/Makefile
++++ b/drivers/media/mc/Makefile
+@@ -3,7 +3,7 @@
+ mc-objs       := mc-device.o mc-devnode.o mc-entity.o \
+          mc-request.o
+-ifeq ($(CONFIG_USB),y)
++ifneq ($(CONFIG_USB),)
+       mc-objs += mc-dev-allocator.o
+ endif
+diff --git a/include/media/media-dev-allocator.h b/include/media/media-dev-allocator.h
+index b35ea6062596..2ab54d426c64 100644
+--- a/include/media/media-dev-allocator.h
++++ b/include/media/media-dev-allocator.h
+@@ -19,7 +19,7 @@
+ struct usb_device;
+-#if defined(CONFIG_MEDIA_CONTROLLER) && defined(CONFIG_USB)
++#if defined(CONFIG_MEDIA_CONTROLLER) && IS_ENABLED(CONFIG_USB)
+ /**
+  * media_device_usb_allocate() - Allocate and return struct &media device
+  *
+-- 
+2.30.2
+
diff --git a/queue-5.4/media-gspca-gl860-fix-zero-length-control-requests.patch b/queue-5.4/media-gspca-gl860-fix-zero-length-control-requests.patch
new file mode 100644 (file)
index 0000000..1f4ecb7
--- /dev/null
@@ -0,0 +1,48 @@
+From 486b13c098277ba64c0ff1cb227556e8f935c202 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 May 2021 13:09:18 +0200
+Subject: media: gspca/gl860: fix zero-length control requests
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 8ed339f23d41e21660a389adf2e7b2966d457ff6 ]
+
+The direction of the pipe argument must match the request-type direction
+bit or control requests may fail depending on the host-controller-driver
+implementation.
+
+Control transfers without a data stage are treated as OUT requests by
+the USB stack and should be using usb_sndctrlpipe(). Failing to do so
+will now trigger a warning.
+
+Fix the gl860_RTx() helper so that zero-length control reads fail with
+an error message instead. Note that there are no current callers that
+would trigger this.
+
+Fixes: 4f7cb8837cec ("V4L/DVB (12954): gspca - gl860: Addition of GL860 based webcams")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/gspca/gl860/gl860.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/gspca/gl860/gl860.c b/drivers/media/usb/gspca/gl860/gl860.c
+index 2c05ea2598e7..ce4ee8bc75c8 100644
+--- a/drivers/media/usb/gspca/gl860/gl860.c
++++ b/drivers/media/usb/gspca/gl860/gl860.c
+@@ -561,8 +561,8 @@ int gl860_RTx(struct gspca_dev *gspca_dev,
+                                       len, 400 + 200 * (len > 1));
+                       memcpy(pdata, gspca_dev->usb_buf, len);
+               } else {
+-                      r = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
+-                                      req, pref, val, index, NULL, len, 400);
++                      gspca_err(gspca_dev, "zero-length read request\n");
++                      r = -EINVAL;
+               }
+       }
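Review bot: In the read branch kept as context, `memcpy(pdata, gspca_dev->usb_buf, len);` runs before the result `r` of `usb_control_msg()` is examined, so a failed or short transfer still copies `len` bytes of whatever `usb_buf` held to the caller. Unless `r` is checked afterwards and every caller ignores `pdata` on error (that part of gl860_RTx is outside the hunk), the copy should depend on the transfer result, e.g. `if (r >= 0) memcpy(pdata, gspca_dev->usb_buf, r);`. The hunk also shows no bound on `len` against the size of `usb_buf`; if none exists earlier in the function, one belongs ahead of the transfer.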
+-- 
+2.30.2
+
diff --git a/queue-5.4/media-i2c-change-rst-to-rset-to-fix-multiple-build-e.patch b/queue-5.4/media-i2c-change-rst-to-rset-to-fix-multiple-build-e.patch
new file mode 100644 (file)
index 0000000..684d36e
--- /dev/null
@@ -0,0 +1,244 @@
+From e62cdf942e39c23369375605db683727c13a9317 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Apr 2021 22:19:55 +0200
+Subject: media: I2C: change 'RST' to "RSET" to fix multiple build errors
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 8edcb5049ac29aa3c8acc5ef15dd4036543d747e ]
+
+The use of an enum named 'RST' conflicts with a #define macro
+named 'RST' in arch/mips/include/asm/mach-rc32434/rb.h.
+
+The MIPS use of RST was there first (AFAICT), so change the
+media/i2c/ uses of RST to be named 'RSET'.
+'git grep -w RSET' does not report any naming conflicts with the
+new name.
+
+This fixes multiple build errors:
+
+arch/mips/include/asm/mach-rc32434/rb.h:15:14: error: expected identifier before '(' token
+   15 | #define RST  (1 << 15)
+      |              ^
+drivers/media/i2c/s5c73m3/s5c73m3.h:356:2: note: in expansion of macro 'RST'
+  356 |  RST,
+      |  ^~~
+
+../arch/mips/include/asm/mach-rc32434/rb.h:15:14: error: expected identifier before '(' token
+   15 | #define RST  (1 << 15)
+      |              ^
+../drivers/media/i2c/s5k6aa.c:180:2: note: in expansion of macro 'RST'
+  180 |  RST,
+      |  ^~~
+
+../arch/mips/include/asm/mach-rc32434/rb.h:15:14: error: expected identifier before '(' token
+   15 | #define RST  (1 << 15)
+      |              ^
+../drivers/media/i2c/s5k5baf.c:238:2: note: in expansion of macro 'RST'
+  238 |  RST,
+      |  ^~~
+
+and some others that I have trimmed.
+
+Fixes: cac47f1822fc ("[media] V4L: Add S5C73M3 camera driver")
+Fixes: 8b99312b7214 ("[media] Add v4l2 subdev driver for S5K4ECGX sensor")
+Fixes: 7d459937dc09 ("[media] Add driver for Samsung S5K5BAF camera sensor")
+Fixes: bfa8dd3a0524 ("[media] v4l: Add v4l2 subdev driver for S5K6AAFX sensor")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Cc: Shawn Guo <shawnguo@kernel.org>
+Cc: Sascha Hauer <s.hauer@pengutronix.de>
+Cc: Pengutronix Kernel Team <kernel@pengutronix.de>
+Cc: Fabio Estevam <festevam@gmail.com>
+Cc: NXP Linux Team <linux-imx@nxp.com>
+Cc: linux-arm-kernel@lists.infradead.org (moderated for non-subscribers)
+Cc: Andrzej Hajda <a.hajda@samsung.com>
+Cc: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Cc: Sangwook Lee <sangwook.lee@linaro.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/s5c73m3/s5c73m3-core.c |  6 +++---
+ drivers/media/i2c/s5c73m3/s5c73m3.h      |  2 +-
+ drivers/media/i2c/s5k4ecgx.c             | 10 +++++-----
+ drivers/media/i2c/s5k5baf.c              |  6 +++---
+ drivers/media/i2c/s5k6aa.c               | 10 +++++-----
+ 5 files changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/media/i2c/s5c73m3/s5c73m3-core.c b/drivers/media/i2c/s5c73m3/s5c73m3-core.c
+index 5b4c4a3547c9..71804a70bc6d 100644
+--- a/drivers/media/i2c/s5c73m3/s5c73m3-core.c
++++ b/drivers/media/i2c/s5c73m3/s5c73m3-core.c
+@@ -1386,7 +1386,7 @@ static int __s5c73m3_power_on(struct s5c73m3 *state)
+       s5c73m3_gpio_deassert(state, STBY);
+       usleep_range(100, 200);
+-      s5c73m3_gpio_deassert(state, RST);
++      s5c73m3_gpio_deassert(state, RSET);
+       usleep_range(50, 100);
+       return 0;
+@@ -1401,7 +1401,7 @@ static int __s5c73m3_power_off(struct s5c73m3 *state)
+ {
+       int i, ret;
+-      if (s5c73m3_gpio_assert(state, RST))
++      if (s5c73m3_gpio_assert(state, RSET))
+               usleep_range(10, 50);
+       if (s5c73m3_gpio_assert(state, STBY))
+@@ -1606,7 +1606,7 @@ static int s5c73m3_get_platform_data(struct s5c73m3 *state)
+               state->mclk_frequency = pdata->mclk_frequency;
+               state->gpio[STBY] = pdata->gpio_stby;
+-              state->gpio[RST] = pdata->gpio_reset;
++              state->gpio[RSET] = pdata->gpio_reset;
+               return 0;
+       }
+diff --git a/drivers/media/i2c/s5c73m3/s5c73m3.h b/drivers/media/i2c/s5c73m3/s5c73m3.h
+index ef7e85b34263..c3fcfdd3ea66 100644
+--- a/drivers/media/i2c/s5c73m3/s5c73m3.h
++++ b/drivers/media/i2c/s5c73m3/s5c73m3.h
+@@ -353,7 +353,7 @@ struct s5c73m3_ctrls {
+ enum s5c73m3_gpio_id {
+       STBY,
+-      RST,
++      RSET,
+       GPIO_NUM,
+ };
+diff --git a/drivers/media/i2c/s5k4ecgx.c b/drivers/media/i2c/s5k4ecgx.c
+index b2d53417badf..4e97309a67f4 100644
+--- a/drivers/media/i2c/s5k4ecgx.c
++++ b/drivers/media/i2c/s5k4ecgx.c
+@@ -173,7 +173,7 @@ static const char * const s5k4ecgx_supply_names[] = {
+ enum s5k4ecgx_gpio_id {
+       STBY,
+-      RST,
++      RSET,
+       GPIO_NUM,
+ };
+@@ -476,7 +476,7 @@ static int __s5k4ecgx_power_on(struct s5k4ecgx *priv)
+       if (s5k4ecgx_gpio_set_value(priv, STBY, priv->gpio[STBY].level))
+               usleep_range(30, 50);
+-      if (s5k4ecgx_gpio_set_value(priv, RST, priv->gpio[RST].level))
++      if (s5k4ecgx_gpio_set_value(priv, RSET, priv->gpio[RSET].level))
+               usleep_range(30, 50);
+       return 0;
+@@ -484,7 +484,7 @@ static int __s5k4ecgx_power_on(struct s5k4ecgx *priv)
+ static int __s5k4ecgx_power_off(struct s5k4ecgx *priv)
+ {
+-      if (s5k4ecgx_gpio_set_value(priv, RST, !priv->gpio[RST].level))
++      if (s5k4ecgx_gpio_set_value(priv, RSET, !priv->gpio[RSET].level))
+               usleep_range(30, 50);
+       if (s5k4ecgx_gpio_set_value(priv, STBY, !priv->gpio[STBY].level))
+@@ -872,7 +872,7 @@ static int s5k4ecgx_config_gpios(struct s5k4ecgx *priv,
+       int ret;
+       priv->gpio[STBY].gpio = -EINVAL;
+-      priv->gpio[RST].gpio  = -EINVAL;
++      priv->gpio[RSET].gpio  = -EINVAL;
+       ret = s5k4ecgx_config_gpio(gpio->gpio, gpio->level, "S5K4ECGX_STBY");
+@@ -891,7 +891,7 @@ static int s5k4ecgx_config_gpios(struct s5k4ecgx *priv,
+               s5k4ecgx_free_gpios(priv);
+               return ret;
+       }
+-      priv->gpio[RST] = *gpio;
++      priv->gpio[RSET] = *gpio;
+       if (gpio_is_valid(gpio->gpio))
+               gpio_set_value(gpio->gpio, 0);
+diff --git a/drivers/media/i2c/s5k5baf.c b/drivers/media/i2c/s5k5baf.c
+index cdfe008ba39f..ac5ab3392073 100644
+--- a/drivers/media/i2c/s5k5baf.c
++++ b/drivers/media/i2c/s5k5baf.c
+@@ -235,7 +235,7 @@ struct s5k5baf_gpio {
+ enum s5k5baf_gpio_id {
+       STBY,
+-      RST,
++      RSET,
+       NUM_GPIOS,
+ };
+@@ -970,7 +970,7 @@ static int s5k5baf_power_on(struct s5k5baf *state)
+       s5k5baf_gpio_deassert(state, STBY);
+       usleep_range(50, 100);
+-      s5k5baf_gpio_deassert(state, RST);
++      s5k5baf_gpio_deassert(state, RSET);
+       return 0;
+ err_reg_dis:
+@@ -988,7 +988,7 @@ static int s5k5baf_power_off(struct s5k5baf *state)
+       state->apply_cfg = 0;
+       state->apply_crop = 0;
+-      s5k5baf_gpio_assert(state, RST);
++      s5k5baf_gpio_assert(state, RSET);
+       s5k5baf_gpio_assert(state, STBY);
+       if (!IS_ERR(state->clock))
+diff --git a/drivers/media/i2c/s5k6aa.c b/drivers/media/i2c/s5k6aa.c
+index 72439fae7968..6516e205e9a3 100644
+--- a/drivers/media/i2c/s5k6aa.c
++++ b/drivers/media/i2c/s5k6aa.c
+@@ -177,7 +177,7 @@ static const char * const s5k6aa_supply_names[] = {
+ enum s5k6aa_gpio_id {
+       STBY,
+-      RST,
++      RSET,
+       GPIO_NUM,
+ };
+@@ -841,7 +841,7 @@ static int __s5k6aa_power_on(struct s5k6aa *s5k6aa)
+               ret = s5k6aa->s_power(1);
+       usleep_range(4000, 5000);
+-      if (s5k6aa_gpio_deassert(s5k6aa, RST))
++      if (s5k6aa_gpio_deassert(s5k6aa, RSET))
+               msleep(20);
+       return ret;
+@@ -851,7 +851,7 @@ static int __s5k6aa_power_off(struct s5k6aa *s5k6aa)
+ {
+       int ret;
+-      if (s5k6aa_gpio_assert(s5k6aa, RST))
++      if (s5k6aa_gpio_assert(s5k6aa, RSET))
+               usleep_range(100, 150);
+       if (s5k6aa->s_power) {
+@@ -1510,7 +1510,7 @@ static int s5k6aa_configure_gpios(struct s5k6aa *s5k6aa,
+       int ret;
+       s5k6aa->gpio[STBY].gpio = -EINVAL;
+-      s5k6aa->gpio[RST].gpio  = -EINVAL;
++      s5k6aa->gpio[RSET].gpio  = -EINVAL;
+       gpio = &pdata->gpio_stby;
+       if (gpio_is_valid(gpio->gpio)) {
+@@ -1533,7 +1533,7 @@ static int s5k6aa_configure_gpios(struct s5k6aa *s5k6aa,
+               if (ret < 0)
+                       return ret;
+-              s5k6aa->gpio[RST] = *gpio;
++              s5k6aa->gpio[RSET] = *gpio;
+       }
+       return 0;
+-- 
+2.30.2
+
diff --git a/queue-5.4/media-imx-csi-skip-first-few-frames-from-a-bt.656-so.patch b/queue-5.4/media-imx-csi-skip-first-few-frames-from-a-bt.656-so.patch
new file mode 100644 (file)
index 0000000..a74b400
--- /dev/null
@@ -0,0 +1,63 @@
+From 64e03306643bec519c2116044b9ccab7edf64c93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 May 2021 16:29:23 +0200
+Subject: media: imx-csi: Skip first few frames from a BT.656 source
+
+From: Steve Longerbeam <slongerbeam@gmail.com>
+
+[ Upstream commit e198be37e52551bb863d07d2edc535d0932a3c4f ]
+
+Some BT.656 sensors (e.g. ADV718x) transmit frames with unstable BT.656
+sync codes after initial power on. This confuses the imx CSI,resulting
+in vertical and/or horizontal sync issues. Skip the first 20 frames
+to avoid the unstable sync codes.
+
+[fabio: fixed checkpatch warning and increased the frame skipping to 20]
+
+Signed-off-by: Steve Longerbeam <slongerbeam@gmail.com>
+Signed-off-by: Fabio Estevam <festevam@gmail.com>
+Reviewed-by: Tim Harvey <tharvey@gateworks.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/imx/imx-media-csi.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/media/imx/imx-media-csi.c b/drivers/staging/media/imx/imx-media-csi.c
+index 367e39f5b382..40b7e60f4a47 100644
+--- a/drivers/staging/media/imx/imx-media-csi.c
++++ b/drivers/staging/media/imx/imx-media-csi.c
+@@ -753,9 +753,10 @@ static int csi_setup(struct csi_priv *priv)
+ static int csi_start(struct csi_priv *priv)
+ {
+-      struct v4l2_fract *output_fi;
++      struct v4l2_fract *input_fi, *output_fi;
+       int ret;
++      input_fi = &priv->frame_interval[CSI_SINK_PAD];
+       output_fi = &priv->frame_interval[priv->active_output_pad];
+       /* start upstream */
+@@ -764,6 +765,17 @@ static int csi_start(struct csi_priv *priv)
+       if (ret)
+               return ret;
++      /* Skip first few frames from a BT.656 source */
++      if (priv->upstream_ep.bus_type == V4L2_MBUS_BT656) {
++              u32 delay_usec, bad_frames = 20;
++
++              delay_usec = DIV_ROUND_UP_ULL((u64)USEC_PER_SEC *
++                      input_fi->numerator * bad_frames,
++                      input_fi->denominator);
++
++              usleep_range(delay_usec, delay_usec + 1000);
++      }
++
+       if (priv->dest == IPU_CSI_DEST_IDMAC) {
+               ret = csi_idmac_start(priv);
+               if (ret)
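Review bot: The added delay computation divides by `input_fi->denominator` and stores the 64-bit quotient in the `u32 delay_usec`, with no check on either. If the sink pad's frame interval can ever have a zero denominator or a large numerator (its validation is outside this hunk), the result is a division by zero or a truncated or very long sleep in `csi_start()`. Guarding the block with `if (priv->upstream_ep.bus_type == V4L2_MBUS_BT656 && input_fi->denominator) {` and clamping the computed delay to an upper bound would make it robust. `bad_frames = 20` would also read better as a named constant with a comment on where the number comes from.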
+-- 
+2.30.2
+
diff --git a/queue-5.4/media-imx-imx7_mipi_csis-fix-logging-of-only-error-e.patch b/queue-5.4/media-imx-imx7_mipi_csis-fix-logging-of-only-error-e.patch
new file mode 100644 (file)
index 0000000..1c9ea1e
--- /dev/null
@@ -0,0 +1,48 @@
+From ac2a32454afd08dc70e33cee0934e761995e59e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Apr 2021 04:29:52 +0200
+Subject: media: imx: imx7_mipi_csis: Fix logging of only error event counters
+
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+
+[ Upstream commit d2fcc9c2de1191ea80366e3658711753738dd10a ]
+
+The mipi_csis_events array ends with 6 non-error events, not 4. Update
+mipi_csis_log_counters() accordingly. While at it, log event counters in
+forward order, as there's no reason to log them backward.
+
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Acked-by: Rui Miguel Silva <rmfrfs@gmail.com>
+Reviewed-by: Frieder Schrempf <frieder.schrempf@kontron.de>
+Tested-by: Frieder Schrempf <frieder.schrempf@kontron.de>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/imx/imx7-mipi-csis.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/staging/media/imx/imx7-mipi-csis.c b/drivers/staging/media/imx/imx7-mipi-csis.c
+index 021bbd420390..63bc78e4cac8 100644
+--- a/drivers/staging/media/imx/imx7-mipi-csis.c
++++ b/drivers/staging/media/imx/imx7-mipi-csis.c
+@@ -528,13 +528,15 @@ static void mipi_csis_clear_counters(struct csi_state *state)
+ static void mipi_csis_log_counters(struct csi_state *state, bool non_errors)
+ {
+-      int i = non_errors ? MIPI_CSIS_NUM_EVENTS : MIPI_CSIS_NUM_EVENTS - 4;
++      unsigned int num_events = non_errors ? MIPI_CSIS_NUM_EVENTS
++                              : MIPI_CSIS_NUM_EVENTS - 6;
+       struct device *dev = &state->pdev->dev;
+       unsigned long flags;
++      unsigned int i;
+       spin_lock_irqsave(&state->slock, flags);
+-      for (i--; i >= 0; i--) {
++      for (i = 0; i < num_events; ++i) {
+               if (state->events[i].counter > 0 || state->debug)
+                       dev_info(dev, "%s events: %d\n", state->events[i].name,
+                                state->events[i].counter);
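Review bot: `MIPI_CSIS_NUM_EVENTS - 6` repeats the kind of hard-coded count that had drifted from the `mipi_csis_events` table and caused this bug (4 versus 6). Deriving the boundary from a named constant defined next to the table, or at least adding `/* the last 6 entries of mipi_csis_events are non-error events */` above the initialiser, would keep the two from diverging again. The table itself is outside the hunk.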
+-- 
+2.30.2
+
diff --git a/queue-5.4/media-mdk-mdp-fix-pm_runtime_get_sync-usage-count.patch b/queue-5.4/media-mdk-mdp-fix-pm_runtime_get_sync-usage-count.patch
new file mode 100644 (file)
index 0000000..58b61e2
--- /dev/null
@@ -0,0 +1,50 @@
+From 270563f0e22d34b3b0fe567c63c524633e016dd9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Apr 2021 16:57:16 +0200
+Subject: media: mdk-mdp: fix pm_runtime_get_sync() usage count
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit d07bb9702cf5f5ccf3fb661e6cab54bbc33cd23f ]
+
+The pm_runtime_get_sync() internally increments the
+dev->power.usage_count without decrementing it, even on errors.
+Replace it by the new pm_runtime_resume_and_get(), introduced by:
+commit dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")
+in order to properly decrement the usage counter, avoiding
+a potential PM usage counter leak.
+
+While here, fix the return contition of mtk_mdp_m2m_start_streaming(),
+as it doesn't make any sense to return 0 if the PM runtime failed
+to resume.
+
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/mtk-mdp/mtk_mdp_m2m.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/platform/mtk-mdp/mtk_mdp_m2m.c b/drivers/media/platform/mtk-mdp/mtk_mdp_m2m.c
+index 7c9e2d69e21a..34bc2949e1d6 100644
+--- a/drivers/media/platform/mtk-mdp/mtk_mdp_m2m.c
++++ b/drivers/media/platform/mtk-mdp/mtk_mdp_m2m.c
+@@ -402,12 +402,12 @@ static int mtk_mdp_m2m_start_streaming(struct vb2_queue *q, unsigned int count)
+       struct mtk_mdp_ctx *ctx = q->drv_priv;
+       int ret;
+-      ret = pm_runtime_get_sync(&ctx->mdp_dev->pdev->dev);
++      ret = pm_runtime_resume_and_get(&ctx->mdp_dev->pdev->dev);
+       if (ret < 0)
+-              mtk_mdp_dbg(1, "[%d] pm_runtime_get_sync failed:%d",
++              mtk_mdp_dbg(1, "[%d] pm_runtime_resume_and_get failed:%d",
+                           ctx->id, ret);
+-      return 0;
++      return ret;
+ }
+ static void *mtk_mdp_m2m_buf_remove(struct mtk_mdp_ctx *ctx,
+-- 
+2.30.2
+
diff --git a/queue-5.4/media-mtk-vcodec-fix-pm-runtime-get-logic.patch b/queue-5.4/media-mtk-vcodec-fix-pm-runtime-get-logic.patch
new file mode 100644 (file)
index 0000000..0aa6803
--- /dev/null
@@ -0,0 +1,86 @@
+From 6654855999abc5fd13d41d98710ff8e62c7084b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Apr 2021 17:19:09 +0200
+Subject: media: mtk-vcodec: fix PM runtime get logic
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 908711f542c17fe61e5d653da1beb8e5ab5c7b50 ]
+
+Currently, the driver just assumes that PM runtime logic
+succeded resuming the device.
+
+That may not be the case, as pm_runtime_get_sync()
+can fail (but keeping the usage count incremented).
+
+Replace the code to use pm_runtime_resume_and_get(),
+and letting it return the error code.
+
+This way, if mtk_vcodec_dec_pw_on() fails, the logic
+under fops_vcodec_open() will do the right thing and
+return an error, instead of just assuming that the
+device is ready to be used.
+
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_drv.c | 4 +++-
+ drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_pm.c  | 8 +++++---
+ drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_pm.h  | 2 +-
+ 3 files changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_drv.c b/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_drv.c
+index 00d090df11bb..4cde1a54e725 100644
+--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_drv.c
++++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_drv.c
+@@ -142,7 +142,9 @@ static int fops_vcodec_open(struct file *file)
+       mtk_vcodec_dec_set_default_params(ctx);
+       if (v4l2_fh_is_singular(&ctx->fh)) {
+-              mtk_vcodec_dec_pw_on(&dev->pm);
++              ret = mtk_vcodec_dec_pw_on(&dev->pm);
++              if (ret < 0)
++                      goto err_load_fw;
+               /*
+                * vpu_load_firmware checks if it was loaded already and
+                * does nothing in that case
+diff --git a/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_pm.c b/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_pm.c
+index f9bbd0000bf3..34e9e067de20 100644
+--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_pm.c
++++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_pm.c
+@@ -89,13 +89,15 @@ void mtk_vcodec_release_dec_pm(struct mtk_vcodec_dev *dev)
+       put_device(dev->pm.larbvdec);
+ }
+-void mtk_vcodec_dec_pw_on(struct mtk_vcodec_pm *pm)
++int mtk_vcodec_dec_pw_on(struct mtk_vcodec_pm *pm)
+ {
+       int ret;
+-      ret = pm_runtime_get_sync(pm->dev);
++      ret = pm_runtime_resume_and_get(pm->dev);
+       if (ret)
+-              mtk_v4l2_err("pm_runtime_get_sync fail %d", ret);
++              mtk_v4l2_err("pm_runtime_resume_and_get fail %d", ret);
++
++      return ret;
+ }
+ void mtk_vcodec_dec_pw_off(struct mtk_vcodec_pm *pm)
+diff --git a/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_pm.h b/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_pm.h
+index 872d8bf8cfaf..280aeaefdb65 100644
+--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_pm.h
++++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_pm.h
+@@ -12,7 +12,7 @@
+ int mtk_vcodec_init_dec_pm(struct mtk_vcodec_dev *dev);
+ void mtk_vcodec_release_dec_pm(struct mtk_vcodec_dev *dev);
+-void mtk_vcodec_dec_pw_on(struct mtk_vcodec_pm *pm);
++int mtk_vcodec_dec_pw_on(struct mtk_vcodec_pm *pm);
+ void mtk_vcodec_dec_pw_off(struct mtk_vcodec_pm *pm);
+ void mtk_vcodec_dec_clock_on(struct mtk_vcodec_pm *pm);
+ void mtk_vcodec_dec_clock_off(struct mtk_vcodec_pm *pm);
+-- 
+2.30.2
+
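Review bot: In the `fops_vcodec_open()` hunk of the queued patch, a failed `mtk_vcodec_dec_pw_on()` now jumps to `err_load_fw`, but nothing visible shows the runtime-PM reference being dropped again when power-on succeeds and the firmware load that follows fails. If `err_load_fw` (outside the hunk) does not call `mtk_vcodec_dec_pw_off(&dev->pm)` for that case, each failed open leaves the usage count raised and the decoder unable to suspend. That needs checking against the full function; a separate label for the firmware-failure path would keep the power-off away from the path where power-on itself failed. Separately, `mtk_vcodec_dec_pw_on()` tests `if (ret)` while its caller tests `if (ret < 0)`; using `if (ret < 0)` in both keeps the two checks in step.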
diff --git a/queue-5.4/media-pvrusb2-fix-warning-in-pvr2_i2c_core_done.patch b/queue-5.4/media-pvrusb2-fix-warning-in-pvr2_i2c_core_done.patch
new file mode 100644 (file)
index 0000000..6e313b2
--- /dev/null
@@ -0,0 +1,60 @@
+From 6edc01806d16d98c2ec0d48d870aaba0224f4d73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 May 2021 19:08:58 +0200
+Subject: media: pvrusb2: fix warning in pvr2_i2c_core_done
+
+From: Anirudh Rayabharam <mail@anirudhrb.com>
+
+[ Upstream commit f8194e5e63fdcb349e8da9eef9e574d5b1d687cb ]
+
+syzbot has reported the following warning in pvr2_i2c_done:
+
+       sysfs group 'power' not found for kobject '1-0043'
+
+When the device is disconnected (pvr_hdw_disconnect), the i2c adapter is
+not unregistered along with the USB and v4l2 teardown. As part of the USB
+device disconnect, the sysfs files of the subdevices are also deleted.
+So, by the time pvr_i2c_core_done is called by pvr_context_destroy, the
+sysfs files have been deleted.
+
+To fix this, unregister the i2c adapter too in pvr_hdw_disconnect. Make
+the device deregistration code shared by calling pvr_hdw_disconnect from
+pvr2_hdw_destroy.
+
+Reported-by: syzbot+e74a998ca8f1df9cc332@syzkaller.appspotmail.com
+Tested-by: syzbot+e74a998ca8f1df9cc332@syzkaller.appspotmail.com
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+index 1cfb7cf64131..4c991eae53cd 100644
+--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+@@ -2677,9 +2677,8 @@ void pvr2_hdw_destroy(struct pvr2_hdw *hdw)
+               pvr2_stream_destroy(hdw->vid_stream);
+               hdw->vid_stream = NULL;
+       }
+-      pvr2_i2c_core_done(hdw);
+       v4l2_device_unregister(&hdw->v4l2_dev);
+-      pvr2_hdw_remove_usb_stuff(hdw);
++      pvr2_hdw_disconnect(hdw);
+       mutex_lock(&pvr2_unit_mtx);
+       do {
+               if ((hdw->unit_number >= 0) &&
+@@ -2706,6 +2705,7 @@ void pvr2_hdw_disconnect(struct pvr2_hdw *hdw)
+ {
+       pvr2_trace(PVR2_TRACE_INIT,"pvr2_hdw_disconnect(hdw=%p)",hdw);
+       LOCK_TAKE(hdw->big_lock);
++      pvr2_i2c_core_done(hdw);
+       LOCK_TAKE(hdw->ctl_lock);
+       pvr2_hdw_remove_usb_stuff(hdw);
+       LOCK_GIVE(hdw->ctl_lock);
+-- 
+2.30.2
+
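Review bot: `pvr2_hdw_destroy()` now reaches `pvr2_i2c_core_done()` and `pvr2_hdw_remove_usb_stuff()` through `pvr2_hdw_disconnect()`, so on a device that was already unplugged both teardown calls run a second time. The hunks do not show whether either is safe to repeat; if `pvr2_i2c_core_done()` unregisters the adapter unconditionally, the second call would act on an adapter that is already gone. A comment at the new call in `pvr2_hdw_disconnect()` would record the requirement, e.g. `/* runs on disconnect and again from pvr2_hdw_destroy(): must be idempotent */`. Both function bodies continue outside the hunks.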
diff --git a/queue-5.4/media-rc-i2c-fix-an-error-message.patch b/queue-5.4/media-rc-i2c-fix-an-error-message.patch
new file mode 100644 (file)
index 0000000..bcace51
--- /dev/null
@@ -0,0 +1,40 @@
+From cfdac10de7546826b39aadbdcc17293e8787218d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 May 2021 07:38:56 +0200
+Subject: media: rc: i2c: Fix an error message
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 9c87ae1a0dbeb5794957421157fd266d38a869b4 ]
+
+'ret' is known to be 1 here. In fact 'i' is expected instead.
+Store the return value of 'i2c_master_recv()' in 'ret' so that the error
+message print the correct error code.
+
+Fixes: acaa34bf06e9 ("media: rc: implement zilog transmitter")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/ir-kbd-i2c.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/i2c/ir-kbd-i2c.c b/drivers/media/i2c/ir-kbd-i2c.c
+index e8119ad0bc71..92376592455e 100644
+--- a/drivers/media/i2c/ir-kbd-i2c.c
++++ b/drivers/media/i2c/ir-kbd-i2c.c
+@@ -678,8 +678,8 @@ static int zilog_tx(struct rc_dev *rcdev, unsigned int *txbuf,
+               goto out_unlock;
+       }
+-      i = i2c_master_recv(ir->tx_c, buf, 1);
+-      if (i != 1) {
++      ret = i2c_master_recv(ir->tx_c, buf, 1);
++      if (ret != 1) {
+               dev_err(&ir->rc->dev, "i2c_master_recv failed with %d\n", ret);
+               ret = -EIO;
+               goto out_unlock;
+-- 
+2.30.2
+
diff --git a/queue-5.4/media-s5p-fix-pm_runtime_get_sync-usage-count.patch b/queue-5.4/media-s5p-fix-pm_runtime_get_sync-usage-count.patch
new file mode 100644 (file)
index 0000000..f57f05f
--- /dev/null
@@ -0,0 +1,50 @@
+From c5af695b39caa2551d8cd3c06094ab339fc2e34b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Apr 2021 17:04:23 +0200
+Subject: media: s5p: fix pm_runtime_get_sync() usage count
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit fdc34e82c0f968ac4c157bd3d8c299ebc24c9c63 ]
+
+The pm_runtime_get_sync() internally increments the
+dev->power.usage_count without decrementing it, even on errors.
+Replace it by the new pm_runtime_resume_and_get(), introduced by:
+commit dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")
+in order to properly decrement the usage counter, avoiding
+a potential PM usage counter leak.
+
+While here, check if the PM runtime error was caught at
+s5p_cec_adap_enable().
+
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/s5p-cec/s5p_cec.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/s5p-cec/s5p_cec.c b/drivers/media/platform/s5p-cec/s5p_cec.c
+index 6ddcc35b0bbd..5e80352f506b 100644
+--- a/drivers/media/platform/s5p-cec/s5p_cec.c
++++ b/drivers/media/platform/s5p-cec/s5p_cec.c
+@@ -35,10 +35,13 @@ MODULE_PARM_DESC(debug, "debug level (0-2)");
+ static int s5p_cec_adap_enable(struct cec_adapter *adap, bool enable)
+ {
++      int ret;
+       struct s5p_cec_dev *cec = cec_get_drvdata(adap);
+       if (enable) {
+-              pm_runtime_get_sync(cec->dev);
++              ret = pm_runtime_resume_and_get(cec->dev);
++              if (ret < 0)
++                      return ret;
+               s5p_cec_reset(cec);
+-- 
+2.30.2
+
diff --git a/queue-5.4/media-s5p-g2d-fix-a-memory-leak-on-ctx-fh.m2m_ctx.patch b/queue-5.4/media-s5p-g2d-fix-a-memory-leak-on-ctx-fh.m2m_ctx.patch
new file mode 100644 (file)
index 0000000..4b07bf0
--- /dev/null
@@ -0,0 +1,40 @@
+From cbb12dadbaaa22355272dc03dfc363e389fc826e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 May 2021 17:18:32 +0200
+Subject: media: s5p-g2d: Fix a memory leak on ctx->fh.m2m_ctx
+
+From: Dillon Min <dillon.minfei@gmail.com>
+
+[ Upstream commit 5d11e6aad1811ea293ee2996cec9124f7fccb661 ]
+
+The m2m_ctx resources was allocated by v4l2_m2m_ctx_init() in g2d_open()
+should be freed from g2d_release() when it's not used.
+
+Fix it
+
+Fixes: 918847341af0 ("[media] v4l: add G2D driver for s5p device family")
+Signed-off-by: Dillon Min <dillon.minfei@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/s5p-g2d/g2d.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/platform/s5p-g2d/g2d.c b/drivers/media/platform/s5p-g2d/g2d.c
+index f5f05ea9f521..6cfc2debfd9a 100644
+--- a/drivers/media/platform/s5p-g2d/g2d.c
++++ b/drivers/media/platform/s5p-g2d/g2d.c
+@@ -276,6 +276,9 @@ static int g2d_release(struct file *file)
+       struct g2d_dev *dev = video_drvdata(file);
+       struct g2d_ctx *ctx = fh2ctx(file->private_data);
++      mutex_lock(&dev->mutex);
++      v4l2_m2m_ctx_release(ctx->fh.m2m_ctx);
++      mutex_unlock(&dev->mutex);
+       v4l2_ctrl_handler_free(&ctx->ctrl_handler);
+       v4l2_fh_del(&ctx->fh);
+       v4l2_fh_exit(&ctx->fh);
+-- 
+2.30.2
+
diff --git a/queue-5.4/media-s5p-jpeg-fix-pm_runtime_get_sync-usage-count.patch b/queue-5.4/media-s5p-jpeg-fix-pm_runtime_get_sync-usage-count.patch
new file mode 100644 (file)
index 0000000..2698b78
--- /dev/null
@@ -0,0 +1,49 @@
+From b2ec14267b5465237aca64042d52e7a2d81b27c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Apr 2021 17:19:10 +0200
+Subject: media: s5p-jpeg: fix pm_runtime_get_sync() usage count
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 10343de268d10cf07b092b8b525e12ad558ead77 ]
+
+The pm_runtime_get_sync() internally increments the
+dev->power.usage_count without decrementing it, even on errors.
+Replace it by the new pm_runtime_resume_and_get(), introduced by:
+commit dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")
+in order to properly decrement the usage counter, avoiding
+a potential PM usage counter leak.
+
+As a plus, pm_runtime_resume_and_get() doesn't return
+positive numbers, so the return code validation can
+be removed.
+
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Acked-by: Andrzej Pietrasiewicz <andrzejtp2010@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/s5p-jpeg/jpeg-core.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/media/platform/s5p-jpeg/jpeg-core.c b/drivers/media/platform/s5p-jpeg/jpeg-core.c
+index 8dbbd5f2a40a..06e17946bbb6 100644
+--- a/drivers/media/platform/s5p-jpeg/jpeg-core.c
++++ b/drivers/media/platform/s5p-jpeg/jpeg-core.c
+@@ -2579,11 +2579,8 @@ static void s5p_jpeg_buf_queue(struct vb2_buffer *vb)
+ static int s5p_jpeg_start_streaming(struct vb2_queue *q, unsigned int count)
+ {
+       struct s5p_jpeg_ctx *ctx = vb2_get_drv_priv(q);
+-      int ret;
+-
+-      ret = pm_runtime_get_sync(ctx->jpeg->dev);
+-      return ret > 0 ? 0 : ret;
++      return pm_runtime_resume_and_get(ctx->jpeg->dev);
+ }
+ static void s5p_jpeg_stop_streaming(struct vb2_queue *q)
+-- 
+2.30.2
+
diff --git a/queue-5.4/media-s5p_cec-decrement-usage-count-if-disabled.patch b/queue-5.4/media-s5p_cec-decrement-usage-count-if-disabled.patch
new file mode 100644 (file)
index 0000000..7b9d404
--- /dev/null
@@ -0,0 +1,39 @@
+From 0a4616b4cf59472736f0622dcc8b85a2ffee55f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Apr 2021 09:38:56 +0200
+Subject: media: s5p_cec: decrement usage count if disabled
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 747bad54a677d8633ec14b39dfbeb859c821d7f2 ]
+
+There's a bug at s5p_cec_adap_enable(): if called to
+disable the device, it should call pm_runtime_put()
+instead of pm_runtime_disable(), as the goal here is to
+decrement the usage_count and not to disable PM runtime.
+
+Reported-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Fixes: 1bcbf6f4b6b0 ("[media] cec: s5p-cec: Add s5p-cec driver")
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/s5p-cec/s5p_cec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/s5p-cec/s5p_cec.c b/drivers/media/platform/s5p-cec/s5p_cec.c
+index 5e80352f506b..828792b854f5 100644
+--- a/drivers/media/platform/s5p-cec/s5p_cec.c
++++ b/drivers/media/platform/s5p-cec/s5p_cec.c
+@@ -54,7 +54,7 @@ static int s5p_cec_adap_enable(struct cec_adapter *adap, bool enable)
+       } else {
+               s5p_cec_mask_tx_interrupts(cec);
+               s5p_cec_mask_rx_interrupts(cec);
+-              pm_runtime_disable(cec->dev);
++              pm_runtime_put(cec->dev);
+       }
+       return 0;
+-- 
+2.30.2
+
diff --git a/queue-5.4/media-sh_vou-fix-pm_runtime_get_sync-usage-count.patch b/queue-5.4/media-sh_vou-fix-pm_runtime_get_sync-usage-count.patch
new file mode 100644 (file)
index 0000000..5b8ff45
--- /dev/null
@@ -0,0 +1,45 @@
+From 0707bcc67e03ca922fa9f28b3a43dd23dc3cd83e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Apr 2021 17:07:41 +0200
+Subject: media: sh_vou: fix pm_runtime_get_sync() usage count
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 6e8b1526db164c9d4b9dacfb9bc48e365d7c4860 ]
+
+The pm_runtime_get_sync() internally increments the
+dev->power.usage_count without decrementing it, even on errors.
+Replace it by the new pm_runtime_resume_and_get(), introduced by:
+commit dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")
+in order to properly decrement the usage counter, avoiding
+a potential PM usage counter leak.
+
+While here, check if the PM runtime error was caught at open time.
+
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/sh_vou.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/sh_vou.c b/drivers/media/platform/sh_vou.c
+index 2236702c21b4..84c4b19fb107 100644
+--- a/drivers/media/platform/sh_vou.c
++++ b/drivers/media/platform/sh_vou.c
+@@ -1133,7 +1133,11 @@ static int sh_vou_open(struct file *file)
+       if (v4l2_fh_is_singular_file(file) &&
+           vou_dev->status == SH_VOU_INITIALISING) {
+               /* First open */
+-              pm_runtime_get_sync(vou_dev->v4l2_dev.dev);
++              err = pm_runtime_resume_and_get(vou_dev->v4l2_dev.dev);
++              if (err < 0) {
++                      v4l2_fh_release(file);
++                      goto done_open;
++              }
+               err = sh_vou_hw_init(vou_dev);
+               if (err < 0) {
+                       pm_runtime_put(vou_dev->v4l2_dev.dev);
+-- 
+2.30.2
+
diff --git a/queue-5.4/media-siano-fix-device-register-error-path.patch b/queue-5.4/media-siano-fix-device-register-error-path.patch
new file mode 100644 (file)
index 0000000..684d121
--- /dev/null
@@ -0,0 +1,39 @@
+From 38d014bf3ed705c12b0c09e29f10d772bbaa0358 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jun 2021 08:57:02 +0200
+Subject: media: siano: fix device register error path
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 5368b1ee2939961a16e74972b69088433fc52195 ]
+
+As reported by smatch:
+       drivers/media/common/siano/smsdvb-main.c:1231 smsdvb_hotplug() warn: '&client->entry' not removed from list
+
+If an error occur at the end of the registration logic, it won't
+drop the device from the list.
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/common/siano/smsdvb-main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/media/common/siano/smsdvb-main.c b/drivers/media/common/siano/smsdvb-main.c
+index ae17407e477a..7cc654bc52d3 100644
+--- a/drivers/media/common/siano/smsdvb-main.c
++++ b/drivers/media/common/siano/smsdvb-main.c
+@@ -1176,6 +1176,10 @@ static int smsdvb_hotplug(struct smscore_device_t *coredev,
+       return 0;
+ media_graph_error:
++      mutex_lock(&g_smsdvb_clientslock);
++      list_del(&client->entry);
++      mutex_unlock(&g_smsdvb_clientslock);
++
+       smsdvb_debugfs_release(client);
+ client_error:
+-- 
+2.30.2
+
diff --git a/queue-5.4/media-siano-fix-out-of-bounds-warnings-in-smscore_lo.patch b/queue-5.4/media-siano-fix-out-of-bounds-warnings-in-smscore_lo.patch
new file mode 100644 (file)
index 0000000..f0db070
--- /dev/null
@@ -0,0 +1,167 @@
+From e8a07ec07ba2221faf21a0c8ee32893d11b88f93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Mar 2021 19:40:43 -0600
+Subject: media: siano: Fix out-of-bounds warnings in
+ smscore_load_firmware_family2()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+[ Upstream commit 13dfead49db07225335d4f587a560a2210391a1a ]
+
+Rename struct sms_msg_data4 to sms_msg_data5 and increase the size of
+its msg_data array from 4 to 5 elements. Notice that at some point
+the 5th element of msg_data is being accessed in function
+smscore_load_firmware_family2():
+
+1006                 trigger_msg->msg_data[4] = 4; /* Task ID */
+
+Also, there is no need for the object _trigger_msg_ of type struct
+sms_msg_data *, when _msg_ can be used, directly. Notice that msg_data
+in struct sms_msg_data is a one-element array, which causes multiple
+out-of-bounds warnings when accessing beyond its first element
+in function smscore_load_firmware_family2():
+
+ 992                 struct sms_msg_data *trigger_msg =
+ 993                         (struct sms_msg_data *) msg;
+ 994
+ 995                 pr_debug("sending MSG_SMS_SWDOWNLOAD_TRIGGER_REQ\n");
+ 996                 SMS_INIT_MSG(&msg->x_msg_header,
+ 997                                 MSG_SMS_SWDOWNLOAD_TRIGGER_REQ,
+ 998                                 sizeof(struct sms_msg_hdr) +
+ 999                                 sizeof(u32) * 5);
+1000
+1001                 trigger_msg->msg_data[0] = firmware->start_address;
+1002                                         /* Entry point */
+1003                 trigger_msg->msg_data[1] = 6; /* Priority */
+1004                 trigger_msg->msg_data[2] = 0x200; /* Stack size */
+1005                 trigger_msg->msg_data[3] = 0; /* Parameter */
+1006                 trigger_msg->msg_data[4] = 4; /* Task ID */
+
+even when enough dynamic memory is allocated for _msg_:
+
+ 929         /* PAGE_SIZE buffer shall be enough and dma aligned */
+ 930         msg = kmalloc(PAGE_SIZE, GFP_KERNEL | coredev->gfp_buf_flags);
+
+but as _msg_ is casted to (struct sms_msg_data *):
+
+ 992                 struct sms_msg_data *trigger_msg =
+ 993                         (struct sms_msg_data *) msg;
+
+the out-of-bounds warnings are actually valid and should be addressed.
+
+Fix this by declaring object _msg_ of type struct sms_msg_data5 *,
+which contains a 5-elements array, instead of just 4. And use
+_msg_ directly, instead of creating object trigger_msg.
+
+This helps with the ongoing efforts to enable -Warray-bounds by fixing
+the following warnings:
+
+  CC [M]  drivers/media/common/siano/smscoreapi.o
+drivers/media/common/siano/smscoreapi.c: In function ‘smscore_load_firmware_family2’:
+drivers/media/common/siano/smscoreapi.c:1003:24: warning: array subscript 1 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds]
+ 1003 |   trigger_msg->msg_data[1] = 6; /* Priority */
+      |   ~~~~~~~~~~~~~~~~~~~~~^~~
+In file included from drivers/media/common/siano/smscoreapi.c:12:
+drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’
+  619 |  u32 msg_data[1];
+      |      ^~~~~~~~
+drivers/media/common/siano/smscoreapi.c:1004:24: warning: array subscript 2 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds]
+ 1004 |   trigger_msg->msg_data[2] = 0x200; /* Stack size */
+      |   ~~~~~~~~~~~~~~~~~~~~~^~~
+In file included from drivers/media/common/siano/smscoreapi.c:12:
+drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’
+  619 |  u32 msg_data[1];
+      |      ^~~~~~~~
+drivers/media/common/siano/smscoreapi.c:1005:24: warning: array subscript 3 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds]
+ 1005 |   trigger_msg->msg_data[3] = 0; /* Parameter */
+      |   ~~~~~~~~~~~~~~~~~~~~~^~~
+In file included from drivers/media/common/siano/smscoreapi.c:12:
+drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’
+  619 |  u32 msg_data[1];
+      |      ^~~~~~~~
+drivers/media/common/siano/smscoreapi.c:1006:24: warning: array subscript 4 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds]
+ 1006 |   trigger_msg->msg_data[4] = 4; /* Task ID */
+      |   ~~~~~~~~~~~~~~~~~~~~~^~~
+In file included from drivers/media/common/siano/smscoreapi.c:12:
+drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’
+  619 |  u32 msg_data[1];
+      |      ^~~~~~~~
+
+Fixes: 018b0c6f8acb ("[media] siano: make load firmware logic to work with newer firmwares")
+Co-developed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/common/siano/smscoreapi.c | 22 +++++++++-------------
+ drivers/media/common/siano/smscoreapi.h |  4 ++--
+ 2 files changed, 11 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/media/common/siano/smscoreapi.c b/drivers/media/common/siano/smscoreapi.c
+index 0ba51dacc580..ce94b5205fd6 100644
+--- a/drivers/media/common/siano/smscoreapi.c
++++ b/drivers/media/common/siano/smscoreapi.c
+@@ -908,7 +908,7 @@ static int smscore_load_firmware_family2(struct smscore_device_t *coredev,
+                                        void *buffer, size_t size)
+ {
+       struct sms_firmware *firmware = (struct sms_firmware *) buffer;
+-      struct sms_msg_data4 *msg;
++      struct sms_msg_data5 *msg;
+       u32 mem_address,  calc_checksum = 0;
+       u32 i, *ptr;
+       u8 *payload = firmware->payload;
+@@ -989,24 +989,20 @@ static int smscore_load_firmware_family2(struct smscore_device_t *coredev,
+               goto exit_fw_download;
+       if (coredev->mode == DEVICE_MODE_NONE) {
+-              struct sms_msg_data *trigger_msg =
+-                      (struct sms_msg_data *) msg;
+-
+               pr_debug("sending MSG_SMS_SWDOWNLOAD_TRIGGER_REQ\n");
+               SMS_INIT_MSG(&msg->x_msg_header,
+                               MSG_SMS_SWDOWNLOAD_TRIGGER_REQ,
+-                              sizeof(struct sms_msg_hdr) +
+-                              sizeof(u32) * 5);
++                              sizeof(*msg));
+-              trigger_msg->msg_data[0] = firmware->start_address;
++              msg->msg_data[0] = firmware->start_address;
+                                       /* Entry point */
+-              trigger_msg->msg_data[1] = 6; /* Priority */
+-              trigger_msg->msg_data[2] = 0x200; /* Stack size */
+-              trigger_msg->msg_data[3] = 0; /* Parameter */
+-              trigger_msg->msg_data[4] = 4; /* Task ID */
++              msg->msg_data[1] = 6; /* Priority */
++              msg->msg_data[2] = 0x200; /* Stack size */
++              msg->msg_data[3] = 0; /* Parameter */
++              msg->msg_data[4] = 4; /* Task ID */
+-              rc = smscore_sendrequest_and_wait(coredev, trigger_msg,
+-                                      trigger_msg->x_msg_header.msg_length,
++              rc = smscore_sendrequest_and_wait(coredev, msg,
++                                      msg->x_msg_header.msg_length,
+                                       &coredev->trigger_done);
+       } else {
+               SMS_INIT_MSG(&msg->x_msg_header, MSG_SW_RELOAD_EXEC_REQ,
+diff --git a/drivers/media/common/siano/smscoreapi.h b/drivers/media/common/siano/smscoreapi.h
+index a2f95f4899c2..cd6c981eb1f9 100644
+--- a/drivers/media/common/siano/smscoreapi.h
++++ b/drivers/media/common/siano/smscoreapi.h
+@@ -629,9 +629,9 @@ struct sms_msg_data2 {
+       u32 msg_data[2];
+ };
+-struct sms_msg_data4 {
++struct sms_msg_data5 {
+       struct sms_msg_hdr x_msg_header;
+-      u32 msg_data[4];
++      u32 msg_data[5];
+ };
+ struct sms_data_download {
+-- 
+2.30.2
+
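Review bot: With `SMS_INIT_MSG(..., sizeof(*msg))` the length sent to the device for the trigger request is now derived from the layout of `struct sms_msg_data5`, and nothing in `smscoreapi.h` records that dependency. Before the change the length was spelled out as the header plus five `u32`, so a later edit to the struct could not alter it; now resizing `msg_data[]` silently changes `msg_length`. A comment on the struct would keep this visible, e.g. `/* sizeof() is used as the on-wire msg_length in smscore_load_firmware_family2() */`. The `else` branch of that function continues outside the hunk, so whether it also relies on the struct size cannot be checked from here.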
diff --git a/queue-5.4/media-st-hva-fix-potential-null-pointer-dereferences.patch b/queue-5.4/media-st-hva-fix-potential-null-pointer-dereferences.patch
new file mode 100644 (file)
index 0000000..b287653
--- /dev/null
@@ -0,0 +1,40 @@
+From a7d94b7d32b5928124a76b01538ecd28da14d66c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 May 2021 14:04:49 +0200
+Subject: media: st-hva: Fix potential NULL pointer dereferences
+
+From: Evgeny Novikov <novikov@ispras.ru>
+
+[ Upstream commit b7fdd208687ba59ebfb09b2199596471c63b69e3 ]
+
+When ctx_id >= HVA_MAX_INSTANCES in hva_hw_its_irq_thread() it tries to
+access fields of ctx that is NULL at that point. The patch gets rid of
+these accesses.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/sti/hva/hva-hw.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/sti/hva/hva-hw.c b/drivers/media/platform/sti/hva/hva-hw.c
+index 43f279e2a6a3..cf4c891bf619 100644
+--- a/drivers/media/platform/sti/hva/hva-hw.c
++++ b/drivers/media/platform/sti/hva/hva-hw.c
+@@ -130,8 +130,7 @@ static irqreturn_t hva_hw_its_irq_thread(int irq, void *arg)
+       ctx_id = (hva->sts_reg & 0xFF00) >> 8;
+       if (ctx_id >= HVA_MAX_INSTANCES) {
+               dev_err(dev, "%s     %s: bad context identifier: %d\n",
+-                      ctx->name, __func__, ctx_id);
+-              ctx->hw_err = true;
++                      HVA_PREFIX, __func__, ctx_id);
+               goto out;
+       }
+-- 
+2.30.2
+
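Review bot: After this change the `ctx_id >= HVA_MAX_INSTANCES` branch in `hva_hw_its_irq_thread()` only logs and jumps to `out`, so a status register carrying an out-of-range context id no longer sets any error state. If the code at `out` (outside the hunk) wakes a waiter, that waiter presumably cannot tell this case from a normal completion. Removing the NULL dereference is right, but the failure should still be recorded somewhere that does not need `ctx`, for instance a device-level error flag. At minimum a comment such as `/* no ctx to flag here: the error is visible only in the log */` would document the gap.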
diff --git a/queue-5.4/media-sti-bdisp-fix-pm_runtime_get_sync-usage-count.patch b/queue-5.4/media-sti-bdisp-fix-pm_runtime_get_sync-usage-count.patch
new file mode 100644 (file)
index 0000000..02cac47
--- /dev/null
@@ -0,0 +1,67 @@
+From e6ac5de791428f9abc4b4de69611e6f41106999c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Apr 2021 17:19:21 +0200
+Subject: media: sti/bdisp: fix pm_runtime_get_sync() usage count
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit c44eac5b72e23c31eefc0e10a71d9650036b8341 ]
+
+The pm_runtime_get_sync() internally increments the
+dev->power.usage_count without decrementing it, even on errors.
+
+The bdisp_start_streaming() doesn't take it into account, which
+would unbalance PM usage counter at bdisp_stop_streaming().
+
+The logic at bdisp_probe() is correct, but the best is to use
+the same call along the driver.
+
+So, replace it by the new pm_runtime_resume_and_get(), introduced by:
+commit dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")
+in order to properly decrement the usage counter, avoiding
+a potential PM usage counter leak.
+
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/sti/bdisp/bdisp-v4l2.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/platform/sti/bdisp/bdisp-v4l2.c b/drivers/media/platform/sti/bdisp/bdisp-v4l2.c
+index a55ddf8d185d..16a097f93b42 100644
+--- a/drivers/media/platform/sti/bdisp/bdisp-v4l2.c
++++ b/drivers/media/platform/sti/bdisp/bdisp-v4l2.c
+@@ -499,7 +499,7 @@ static int bdisp_start_streaming(struct vb2_queue *q, unsigned int count)
+ {
+       struct bdisp_ctx *ctx = q->drv_priv;
+       struct vb2_v4l2_buffer *buf;
+-      int ret = pm_runtime_get_sync(ctx->bdisp_dev->dev);
++      int ret = pm_runtime_resume_and_get(ctx->bdisp_dev->dev);
+       if (ret < 0) {
+               dev_err(ctx->bdisp_dev->dev, "failed to set runtime PM\n");
+@@ -1364,10 +1364,10 @@ static int bdisp_probe(struct platform_device *pdev)
+       /* Power management */
+       pm_runtime_enable(dev);
+-      ret = pm_runtime_get_sync(dev);
++      ret = pm_runtime_resume_and_get(dev);
+       if (ret < 0) {
+               dev_err(dev, "failed to set PM\n");
+-              goto err_pm;
++              goto err_remove;
+       }
+       /* Filters */
+@@ -1395,6 +1395,7 @@ err_filter:
+       bdisp_hw_free_filters(bdisp->dev);
+ err_pm:
+       pm_runtime_put(dev);
++err_remove:
+       bdisp_debugfs_remove(bdisp);
+ err_v4l2:
+       v4l2_device_unregister(&bdisp->v4l2_dev);
+-- 
+2.30.2
+
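Review bot: In the `bdisp_probe()` hunk, `pm_runtime_enable(dev)` runs before `pm_runtime_resume_and_get(dev)`, but none of the error labels visible in the last hunk (`err_pm`, `err_remove`, `err_v4l2`) shows a matching `pm_runtime_disable(dev)`. Skipping `pm_runtime_put()` through the new `err_remove` label is correct, because the helper already dropped the count on failure. Runtime PM would still stay enabled for a device whose probe failed unless a later label disables it. If none does, `pm_runtime_disable(dev);` under `err_remove:` would balance the enable. The label chain continues past the hunk, so this needs checking against the full function.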
diff --git a/queue-5.4/media-sti-fix-obj-config-targets.patch b/queue-5.4/media-sti-fix-obj-config-targets.patch
new file mode 100644 (file)
index 0000000..d460aee
--- /dev/null
@@ -0,0 +1,58 @@
+From 00dde888338b3d1ad4a9e876e43665332d85d00a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 May 2021 11:26:31 +0200
+Subject: media: sti: fix obj-$(config) targets
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 56c1f0876293888f686e31278d183d4af2cac3c3 ]
+
+The right thing to do is to add a new object to the building
+system when a certain config option is selected, and *not*
+override them.
+
+So, fix obj-$(config) logic at sti makefiles, using "+=",
+instead of ":=".
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/sti/bdisp/Makefile | 2 +-
+ drivers/media/platform/sti/delta/Makefile | 2 +-
+ drivers/media/platform/sti/hva/Makefile   | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/platform/sti/bdisp/Makefile b/drivers/media/platform/sti/bdisp/Makefile
+index caf7ccd193ea..39ade0a34723 100644
+--- a/drivers/media/platform/sti/bdisp/Makefile
++++ b/drivers/media/platform/sti/bdisp/Makefile
+@@ -1,4 +1,4 @@
+ # SPDX-License-Identifier: GPL-2.0-only
+-obj-$(CONFIG_VIDEO_STI_BDISP) := bdisp.o
++obj-$(CONFIG_VIDEO_STI_BDISP) += bdisp.o
+ bdisp-objs := bdisp-v4l2.o bdisp-hw.o bdisp-debug.o
+diff --git a/drivers/media/platform/sti/delta/Makefile b/drivers/media/platform/sti/delta/Makefile
+index 92b37e216f00..32412fa4c632 100644
+--- a/drivers/media/platform/sti/delta/Makefile
++++ b/drivers/media/platform/sti/delta/Makefile
+@@ -1,5 +1,5 @@
+ # SPDX-License-Identifier: GPL-2.0-only
+-obj-$(CONFIG_VIDEO_STI_DELTA_DRIVER) := st-delta.o
++obj-$(CONFIG_VIDEO_STI_DELTA_DRIVER) += st-delta.o
+ st-delta-y := delta-v4l2.o delta-mem.o delta-ipc.o delta-debug.o
+ # MJPEG support
+diff --git a/drivers/media/platform/sti/hva/Makefile b/drivers/media/platform/sti/hva/Makefile
+index 74b41ec52f97..b5a5478bdd01 100644
+--- a/drivers/media/platform/sti/hva/Makefile
++++ b/drivers/media/platform/sti/hva/Makefile
+@@ -1,4 +1,4 @@
+ # SPDX-License-Identifier: GPL-2.0-only
+-obj-$(CONFIG_VIDEO_STI_HVA) := st-hva.o
++obj-$(CONFIG_VIDEO_STI_HVA) += st-hva.o
+ st-hva-y := hva-v4l2.o hva-hw.o hva-mem.o hva-h264.o
+ st-hva-$(CONFIG_VIDEO_STI_HVA_DEBUGFS) += hva-debugfs.o
+-- 
+2.30.2
+
diff --git a/queue-5.4/media-tc358743-fix-error-return-code-in-tc358743_pro.patch b/queue-5.4/media-tc358743-fix-error-return-code-in-tc358743_pro.patch
new file mode 100644 (file)
index 0000000..5c472c5
--- /dev/null
@@ -0,0 +1,38 @@
+From 8f51632f31d3bcefdce6c2340c4445c9615f2851 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 May 2021 08:58:30 +0200
+Subject: media: tc358743: Fix error return code in tc358743_probe_of()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit a6b1e7093f0a099571fc8836ab4a589633f956a8 ]
+
+When the CSI bps per lane is not in the valid range, an appropriate error
+code -EINVAL should be returned. However, we currently do not explicitly
+assign this error code to 'ret'. As a result, 0 was incorrectly returned.
+
+Fixes: 256148246852 ("[media] tc358743: support probe from device tree")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/tc358743.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c
+index 114c084c4aec..76c443067ec2 100644
+--- a/drivers/media/i2c/tc358743.c
++++ b/drivers/media/i2c/tc358743.c
+@@ -1973,6 +1973,7 @@ static int tc358743_probe_of(struct tc358743_state *state)
+       bps_pr_lane = 2 * endpoint.link_frequencies[0];
+       if (bps_pr_lane < 62500000U || bps_pr_lane > 1000000000U) {
+               dev_err(dev, "unsupported bps per lane: %u bps\n", bps_pr_lane);
++              ret = -EINVAL;
+               goto disable_clk;
+       }
+-- 
+2.30.2
+
diff --git a/queue-5.4/media-v4l2-core-avoid-the-dangling-pointer-in-v4l2_f.patch b/queue-5.4/media-v4l2-core-avoid-the-dangling-pointer-in-v4l2_f.patch
new file mode 100644 (file)
index 0000000..afeef2b
--- /dev/null
@@ -0,0 +1,39 @@
+From 1531ef94695ba53cc6dcf44f9a2f9eb0d617a9f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 May 2021 10:24:02 +0200
+Subject: media: v4l2-core: Avoid the dangling pointer in v4l2_fh_release
+
+From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+
+[ Upstream commit 7dd0c9e547b6924e18712b6b51aa3cba1896ee2c ]
+
+A use after free bug caused by the dangling pointer
+filp->privitate_data in v4l2_fh_release.
+See https://lore.kernel.org/patchwork/patch/1419058/.
+
+My patch sets the dangling pointer to NULL to provide
+robust.
+
+Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/v4l2-core/v4l2-fh.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/v4l2-core/v4l2-fh.c b/drivers/media/v4l2-core/v4l2-fh.c
+index 684574f58e82..90eec79ee995 100644
+--- a/drivers/media/v4l2-core/v4l2-fh.c
++++ b/drivers/media/v4l2-core/v4l2-fh.c
+@@ -96,6 +96,7 @@ int v4l2_fh_release(struct file *filp)
+               v4l2_fh_del(fh);
+               v4l2_fh_exit(fh);
+               kfree(fh);
++              filp->private_data = NULL;
+       }
+       return 0;
+ }
+-- 
+2.30.2
+
diff --git a/queue-5.4/memstick-rtsx_usb_ms-fix-uaf.patch b/queue-5.4/memstick-rtsx_usb_ms-fix-uaf.patch
new file mode 100644 (file)
index 0000000..71cd52f
--- /dev/null
@@ -0,0 +1,89 @@
+From 94f2ed30f7389493fe6d980c83dde4a23ffe3f00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 May 2021 12:39:45 -0400
+Subject: memstick: rtsx_usb_ms: fix UAF
+
+From: Tong Zhang <ztong0001@gmail.com>
+
+[ Upstream commit 42933c8aa14be1caa9eda41f65cde8a3a95d3e39 ]
+
+This patch fixes the following issues:
+1. memstick_free_host() will free the host, so the use of ms_dev(host) after
+it will be a problem. To fix this, move memstick_free_host() after when we
+are done with ms_dev(host).
+2. In rtsx_usb_ms_drv_remove(), pm need to be disabled before we remove
+and free host otherwise memstick_check will be called and UAF will
+happen.
+
+[   11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]
+[   11.357077]  rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]
+[   11.357376]  platform_remove+0x2a/0x50
+[   11.367531] Freed by task 298:
+[   11.368537]  kfree+0xa4/0x2a0
+[   11.368711]  device_release+0x51/0xe0
+[   11.368905]  kobject_put+0xa2/0x120
+[   11.369090]  rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms]
+[   11.369386]  platform_remove+0x2a/0x50
+
+[   12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0
+[   12.045432]  mutex_lock+0xc9/0xd0
+[   12.046080]  memstick_check+0x6a/0x578 [memstick]
+[   12.046509]  process_one_work+0x46d/0x750
+[   12.052107] Freed by task 297:
+[   12.053115]  kfree+0xa4/0x2a0
+[   12.053272]  device_release+0x51/0xe0
+[   12.053463]  kobject_put+0xa2/0x120
+[   12.053647]  rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms]
+[   12.053939]  platform_remove+0x2a/0x50
+
+Signed-off-by: Tong Zhang <ztong0001@gmail.com>
+Co-developed-by: Ulf Hansson <ulf.hansson@linaro.org>
+Link: https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memstick/host/rtsx_usb_ms.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/memstick/host/rtsx_usb_ms.c b/drivers/memstick/host/rtsx_usb_ms.c
+index 102dbb8080da..29271ad4728a 100644
+--- a/drivers/memstick/host/rtsx_usb_ms.c
++++ b/drivers/memstick/host/rtsx_usb_ms.c
+@@ -799,9 +799,9 @@ static int rtsx_usb_ms_drv_probe(struct platform_device *pdev)
+       return 0;
+ err_out:
+-      memstick_free_host(msh);
+       pm_runtime_disable(ms_dev(host));
+       pm_runtime_put_noidle(ms_dev(host));
++      memstick_free_host(msh);
+       return err;
+ }
+@@ -828,9 +828,6 @@ static int rtsx_usb_ms_drv_remove(struct platform_device *pdev)
+       }
+       mutex_unlock(&host->host_mutex);
+-      memstick_remove_host(msh);
+-      memstick_free_host(msh);
+-
+       /* Balance possible unbalanced usage count
+        * e.g. unconditional module removal
+        */
+@@ -838,10 +835,11 @@ static int rtsx_usb_ms_drv_remove(struct platform_device *pdev)
+               pm_runtime_put(ms_dev(host));
+       pm_runtime_disable(ms_dev(host));
+-      platform_set_drvdata(pdev, NULL);
+-
++      memstick_remove_host(msh);
+       dev_dbg(ms_dev(host),
+               ": Realtek USB Memstick controller has been removed\n");
++      memstick_free_host(msh);
++      platform_set_drvdata(pdev, NULL);
+       return 0;
+ }
+-- 
+2.30.2
+
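Review bot: The reordered teardown in the err_out path of rtsx_usb_ms_drv_probe() and in rtsx_usb_ms_drv_remove() now relies on memstick_free_host(msh) being the last call that can touch host, but nothing in the code records that. Per the commit message, freeing msh also frees host, so any later ms_dev(host) use would bring back the use-after-free shown in the KASAN traces. A one-line comment above each memstick_free_host() call, for example `/* frees host too: must follow the last ms_dev(host) use */`, would keep a later cleanup from moving it back up. Both functions start outside the inner hunks.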
diff --git a/queue-5.4/mips-fix-pkmap-with-32-bit-mips-huge-page-support.patch b/queue-5.4/mips-fix-pkmap-with-32-bit-mips-huge-page-support.patch
new file mode 100644 (file)
index 0000000..c7deebd
--- /dev/null
@@ -0,0 +1,38 @@
+From f60b49937c659ab7ffb834d7d8393c49618c96dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jun 2021 22:14:20 +0800
+Subject: MIPS: Fix PKMAP with 32-bit MIPS huge page support
+
+From: Wei Li <liwei391@huawei.com>
+
+[ Upstream commit cf02ce742f09188272bcc8b0e62d789eb671fc4c ]
+
+When 32-bit MIPS huge page support is enabled, we halve the number of
+pointers a PTE page holds, making its last half go to waste.
+Correspondingly, we should halve the number of kmap entries, as we just
+initialized only a single pte table for that in pagetable_init().
+
+Fixes: 35476311e529 ("MIPS: Add partial 32-bit huge page support")
+Signed-off-by: Wei Li <liwei391@huawei.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/highmem.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/mips/include/asm/highmem.h b/arch/mips/include/asm/highmem.h
+index 9d84aafc33d0..9a6bf4f011b5 100644
+--- a/arch/mips/include/asm/highmem.h
++++ b/arch/mips/include/asm/highmem.h
+@@ -36,7 +36,7 @@ extern pte_t *pkmap_page_table;
+  * easily, subsequent pte tables have to be allocated in one physical
+  * chunk of RAM.
+  */
+-#ifdef CONFIG_PHYS_ADDR_T_64BIT
++#if defined(CONFIG_PHYS_ADDR_T_64BIT) || defined(CONFIG_MIPS_HUGE_TLB_SUPPORT)
+ #define LAST_PKMAP 512
+ #else
+ #define LAST_PKMAP 1024
+-- 
+2.30.2
+
diff --git a/queue-5.4/mm-huge_memory.c-don-t-discard-hugepage-if-other-pro.patch b/queue-5.4/mm-huge_memory.c-don-t-discard-hugepage-if-other-pro.patch
new file mode 100644 (file)
index 0000000..cdc06a6
--- /dev/null
@@ -0,0 +1,58 @@
+From 5bee82cbadc870373c2c122e3f43f4a4b4166232 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Jun 2021 18:47:57 -0700
+Subject: mm/huge_memory.c: don't discard hugepage if other processes are
+ mapping it
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit babbbdd08af98a59089334eb3effbed5a7a0cf7f ]
+
+If other processes are mapping any other subpages of the hugepage, i.e.
+in pte-mapped thp case, page_mapcount() will return 1 incorrectly.  Then
+we would discard the page while other processes are still mapping it.  Fix
+it by using total_mapcount() which can tell whether other processes are
+still mapping it.
+
+Link: https://lkml.kernel.org/r/20210511134857.1581273-6-linmiaohe@huawei.com
+Fixes: b8d3c4c3009d ("mm/huge_memory.c: don't split THP page when MADV_FREE syscall is called")
+Reviewed-by: Yang Shi <shy828301@gmail.com>
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: "Aneesh Kumar K . V" <aneesh.kumar@linux.ibm.com>
+Cc: Anshuman Khandual <anshuman.khandual@arm.com>
+Cc: David Hildenbrand <david@redhat.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Ralph Campbell <rcampbell@nvidia.com>
+Cc: Rik van Riel <riel@surriel.com>
+Cc: Song Liu <songliubraving@fb.com>
+Cc: William Kucharski <william.kucharski@oracle.com>
+Cc: Zi Yan <ziy@nvidia.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/huge_memory.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mm/huge_memory.c b/mm/huge_memory.c
+index 87a07aa61be0..e50799d7002e 100644
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -1723,7 +1723,7 @@ bool madvise_free_huge_pmd(struct mmu_gather *tlb, struct vm_area_struct *vma,
+        * If other processes are mapping this page, we couldn't discard
+        * the page unless they all do MADV_FREE so let's skip the page.
+        */
+-      if (page_mapcount(page) != 1)
++      if (total_mapcount(page) != 1)
+               goto out;
+       if (!trylock_page(page))
+-- 
+2.30.2
+
diff --git a/queue-5.4/mm-z3fold-fix-potential-memory-leak-in-z3fold_destro.patch b/queue-5.4/mm-z3fold-fix-potential-memory-leak-in-z3fold_destro.patch
new file mode 100644 (file)
index 0000000..03d5869
--- /dev/null
@@ -0,0 +1,40 @@
+From 05924487af1026a4ac76496957d8c919fc8afdf3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Jun 2021 18:50:36 -0700
+Subject: mm/z3fold: fix potential memory leak in z3fold_destroy_pool()
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit dac0d1cfda56472378d330b1b76b9973557a7b1d ]
+
+There is a memory leak in z3fold_destroy_pool() as it forgets to
+free_percpu pool->unbuddied.  Call free_percpu for pool->unbuddied to fix
+this issue.
+
+Link: https://lkml.kernel.org/r/20210619093151.1492174-6-linmiaohe@huawei.com
+Fixes: d30561c56f41 ("z3fold: use per-cpu unbuddied lists")
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Reviewed-by: Vitaly Wool <vitaly.wool@konsulko.com>
+Cc: Hillf Danton <hdanton@sina.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/z3fold.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/mm/z3fold.c b/mm/z3fold.c
+index 6d3d3f698ebb..e97143713021 100644
+--- a/mm/z3fold.c
++++ b/mm/z3fold.c
+@@ -839,6 +839,7 @@ static void z3fold_destroy_pool(struct z3fold_pool *pool)
+       destroy_workqueue(pool->compact_wq);
+       destroy_workqueue(pool->release_wq);
+       z3fold_unregister_migration(pool);
++      free_percpu(pool->unbuddied);
+       kfree(pool);
+ }
+-- 
+2.30.2
+
diff --git a/queue-5.4/mmc-sdhci-sprd-use-sdhci_sprd_writew.patch b/queue-5.4/mmc-sdhci-sprd-use-sdhci_sprd_writew.patch
new file mode 100644 (file)
index 0000000..1a14753
--- /dev/null
@@ -0,0 +1,37 @@
+From b32bb9a8899be2a2bb68b7d4a65129fee64dba82 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jun 2021 11:54:03 +0200
+Subject: mmc: sdhci-sprd: use sdhci_sprd_writew
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+
+[ Upstream commit 961470820021e6f9d74db4837bd6831a1a30341b ]
+
+The sdhci_sprd_writew() was defined by never used in sdhci_ops:
+
+    drivers/mmc/host/sdhci-sprd.c:134:20: warning: unused function 'sdhci_sprd_writew'
+
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Link: https://lore.kernel.org/r/20210601095403.236007-2-krzysztof.kozlowski@canonical.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-sprd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/mmc/host/sdhci-sprd.c b/drivers/mmc/host/sdhci-sprd.c
+index 10705e5fa90e..a999d2089d3d 100644
+--- a/drivers/mmc/host/sdhci-sprd.c
++++ b/drivers/mmc/host/sdhci-sprd.c
+@@ -382,6 +382,7 @@ static unsigned int sdhci_sprd_get_ro(struct sdhci_host *host)
+ static struct sdhci_ops sdhci_sprd_ops = {
+       .read_l = sdhci_sprd_readl,
+       .write_l = sdhci_sprd_writel,
++      .write_w = sdhci_sprd_writew,
+       .write_b = sdhci_sprd_writeb,
+       .set_clock = sdhci_sprd_set_clock,
+       .get_max_clock = sdhci_sprd_get_max_clock,
+-- 
+2.30.2
+
diff --git a/queue-5.4/mmc-usdhi6rol0-fix-error-return-code-in-usdhi6_probe.patch b/queue-5.4/mmc-usdhi6rol0-fix-error-return-code-in-usdhi6_probe.patch
new file mode 100644 (file)
index 0000000..783d890
--- /dev/null
@@ -0,0 +1,37 @@
+From 906a35ec8b9f0365866589a33d4c25a5aaceea3b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 May 2021 10:03:21 +0800
+Subject: mmc: usdhi6rol0: fix error return code in usdhi6_probe()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit 2f9ae69e5267f53e89e296fccee291975a85f0eb ]
+
+Fix to return a negative error code from the error handling case instead
+of 0, as done elsewhere in this function.
+
+Fixes: 75fa9ea6e3c0 ("mmc: add a driver for the Renesas usdhi6rol0 SD/SDIO host controller")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Link: https://lore.kernel.org/r/20210508020321.1677-1-thunder.leizhen@huawei.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/usdhi6rol0.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/mmc/host/usdhi6rol0.c b/drivers/mmc/host/usdhi6rol0.c
+index 6eba2441c7ef..96b0f81a2032 100644
+--- a/drivers/mmc/host/usdhi6rol0.c
++++ b/drivers/mmc/host/usdhi6rol0.c
+@@ -1803,6 +1803,7 @@ static int usdhi6_probe(struct platform_device *pdev)
+       version = usdhi6_read(host, USDHI6_VERSION);
+       if ((version & 0xfff) != 0xa0d) {
++              ret = -EPERM;
+               dev_err(dev, "Version not recognized %x\n", version);
+               goto e_clk_off;
+       }
+-- 
+2.30.2
+
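Review bot: `ret = -EPERM;` in usdhi6_probe() reports an unrecognised controller version as a permission error, which misleads whoever reads the probe failure. `-ENODEV` is the conventional errno when the hardware found is not one the driver supports, so `ret = -ENODEV;` would describe the condition better. The rest of usdhi6_probe(), including the e_clk_off label, lies outside the hunk, so whether other error paths there use a different code cannot be checked from here.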
diff --git a/queue-5.4/mmc-via-sdmmc-add-a-check-against-null-pointer-deref.patch b/queue-5.4/mmc-via-sdmmc-add-a-check-against-null-pointer-deref.patch
new file mode 100644 (file)
index 0000000..552298f
--- /dev/null
@@ -0,0 +1,140 @@
+From ae6ee5fd4177853c7f1bb04f55a6c7df7fe464e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jun 2021 13:33:20 +0000
+Subject: mmc: via-sdmmc: add a check against NULL pointer dereference
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit 45c8ddd06c4b729c56a6083ab311bfbd9643f4a6 ]
+
+Before referencing 'host->data', the driver needs to check whether it is
+null pointer, otherwise it will cause a null pointer reference.
+
+This log reveals it:
+
+[   29.355199] BUG: kernel NULL pointer dereference, address:
+0000000000000014
+[   29.357323] #PF: supervisor write access in kernel mode
+[   29.357706] #PF: error_code(0x0002) - not-present page
+[   29.358088] PGD 0 P4D 0
+[   29.358280] Oops: 0002 [#1] PREEMPT SMP PTI
+[   29.358595] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 5.12.4-
+g70e7f0549188-dirty #102
+[   29.359164] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009),
+BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
+[   29.359978] RIP: 0010:via_sdc_isr+0x21f/0x410
+[   29.360314] Code: ff ff e8 84 aa d0 fd 66 45 89 7e 28 66 41 f7 c4 00
+10 75 56 e8 72 aa d0 fd 66 41 f7 c4 00 c0 74 10 e8 65 aa d0 fd 48 8b 43
+18 <c7> 40 14 ac ff ff ff e8 55 aa d0 fd 48 89 df e8 ad fb ff ff e9 77
+[   29.361661] RSP: 0018:ffffc90000118e98 EFLAGS: 00010046
+[   29.362042] RAX: 0000000000000000 RBX: ffff888107d77880
+RCX: 0000000000000000
+[   29.362564] RDX: 0000000000000000 RSI: ffffffff835d20bb
+RDI: 00000000ffffffff
+[   29.363085] RBP: ffffc90000118ed8 R08: 0000000000000001
+R09: 0000000000000001
+[   29.363604] R10: 0000000000000000 R11: 0000000000000001
+R12: 0000000000008600
+[   29.364128] R13: ffff888107d779c8 R14: ffffc90009c00200
+R15: 0000000000008000
+[   29.364651] FS:  0000000000000000(0000) GS:ffff88817bc80000(0000)
+knlGS:0000000000000000
+[   29.365235] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   29.365655] CR2: 0000000000000014 CR3: 0000000005a2e000
+CR4: 00000000000006e0
+[   29.366170] DR0: 0000000000000000 DR1: 0000000000000000
+DR2: 0000000000000000
+[   29.366683] DR3: 0000000000000000 DR6: 00000000fffe0ff0
+DR7: 0000000000000400
+[   29.367197] Call Trace:
+[   29.367381]  <IRQ>
+[   29.367537]  __handle_irq_event_percpu+0x53/0x3e0
+[   29.367916]  handle_irq_event_percpu+0x35/0x90
+[   29.368247]  handle_irq_event+0x39/0x60
+[   29.368632]  handle_fasteoi_irq+0xc2/0x1d0
+[   29.368950]  __common_interrupt+0x7f/0x150
+[   29.369254]  common_interrupt+0xb4/0xd0
+[   29.369547]  </IRQ>
+[   29.369708]  asm_common_interrupt+0x1e/0x40
+[   29.370016] RIP: 0010:native_safe_halt+0x17/0x20
+[   29.370360] Code: 07 0f 00 2d db 80 43 00 f4 5d c3 0f 1f 84 00 00 00
+00 00 8b 05 c2 37 e5 01 55 48 89 e5 85 c0 7e 07 0f 00 2d bb 80 43 00 fb
+f4 <5d> c3 cc cc cc cc cc cc cc 55 48 89 e5 e8 67 53 ff ff 8b 0d f9 91
+[   29.371696] RSP: 0018:ffffc9000008fe90 EFLAGS: 00000246
+[   29.372079] RAX: 0000000000000000 RBX: 0000000000000002
+RCX: 0000000000000000
+[   29.372595] RDX: 0000000000000000 RSI: ffffffff854f67a4
+RDI: ffffffff85403406
+[   29.373122] RBP: ffffc9000008fe90 R08: 0000000000000001
+R09: 0000000000000001
+[   29.373646] R10: 0000000000000000 R11: 0000000000000001
+R12: ffffffff86009188
+[   29.374160] R13: 0000000000000000 R14: 0000000000000000
+R15: ffff888100258000
+[   29.374690]  default_idle+0x9/0x10
+[   29.374944]  arch_cpu_idle+0xa/0x10
+[   29.375198]  default_idle_call+0x6e/0x250
+[   29.375491]  do_idle+0x1f0/0x2d0
+[   29.375740]  cpu_startup_entry+0x18/0x20
+[   29.376034]  start_secondary+0x11f/0x160
+[   29.376328]  secondary_startup_64_no_verify+0xb0/0xbb
+[   29.376705] Modules linked in:
+[   29.376939] Dumping ftrace buffer:
+[   29.377187]    (ftrace buffer empty)
+[   29.377460] CR2: 0000000000000014
+[   29.377712] ---[ end trace 51a473dffb618c47 ]---
+[   29.378056] RIP: 0010:via_sdc_isr+0x21f/0x410
+[   29.378380] Code: ff ff e8 84 aa d0 fd 66 45 89 7e 28 66 41 f7 c4 00
+10 75 56 e8 72 aa d0 fd 66 41 f7 c4 00 c0 74 10 e8 65 aa d0 fd 48 8b 43
+18 <c7> 40 14 ac ff ff ff e8 55 aa d0 fd 48 89 df e8 ad fb ff ff e9 77
+[   29.379714] RSP: 0018:ffffc90000118e98 EFLAGS: 00010046
+[   29.380098] RAX: 0000000000000000 RBX: ffff888107d77880
+RCX: 0000000000000000
+[   29.380614] RDX: 0000000000000000 RSI: ffffffff835d20bb
+RDI: 00000000ffffffff
+[   29.381134] RBP: ffffc90000118ed8 R08: 0000000000000001
+R09: 0000000000000001
+[   29.381653] R10: 0000000000000000 R11: 0000000000000001
+R12: 0000000000008600
+[   29.382176] R13: ffff888107d779c8 R14: ffffc90009c00200
+R15: 0000000000008000
+[   29.382697] FS:  0000000000000000(0000) GS:ffff88817bc80000(0000)
+knlGS:0000000000000000
+[   29.383277] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   29.383697] CR2: 0000000000000014 CR3: 0000000005a2e000
+CR4: 00000000000006e0
+[   29.384223] DR0: 0000000000000000 DR1: 0000000000000000
+DR2: 0000000000000000
+[   29.384736] DR3: 0000000000000000 DR6: 00000000fffe0ff0
+DR7: 0000000000000400
+[   29.385260] Kernel panic - not syncing: Fatal exception in interrupt
+[   29.385882] Dumping ftrace buffer:
+[   29.386135]    (ftrace buffer empty)
+[   29.386401] Kernel Offset: disabled
+[   29.386656] Rebooting in 1 seconds..
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Link: https://lore.kernel.org/r/1622727200-15808-1-git-send-email-zheyuma97@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/via-sdmmc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/mmc/host/via-sdmmc.c b/drivers/mmc/host/via-sdmmc.c
+index d12a068b0f9e..721e5dd1eb7d 100644
+--- a/drivers/mmc/host/via-sdmmc.c
++++ b/drivers/mmc/host/via-sdmmc.c
+@@ -857,6 +857,9 @@ static void via_sdc_data_isr(struct via_crdr_mmc_host *host, u16 intmask)
+ {
+       BUG_ON(intmask == 0);
++      if (!host->data)
++              return;
++
+       if (intmask & VIA_CRDR_SDSTS_DT)
+               host->data->error = -ETIMEDOUT;
+       else if (intmask & (VIA_CRDR_SDSTS_RC | VIA_CRDR_SDSTS_WC))
+-- 
+2.30.2
+
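Review bot: The new `if (!host->data) return;` guard in via_sdc_data_isr() drops the interrupt silently and has no comment on when a data interrupt can arrive with no transfer in flight. A short comment such as `/* data interrupt with no request in flight: nothing to complete */` would record why the check exists. The `BUG_ON(intmask == 0);` on the line above still turns an unexpected device status into a panic in interrupt context, the same outcome as the trace in the commit message. If the caller (not visible in this hunk) does not guarantee a non-zero mask, `if (WARN_ON_ONCE(intmask == 0)) return;` would be the safer form. The function body continues past the end of the hunk.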
diff --git a/queue-5.4/mtd-partitions-redboot-seek-fis-index-block-in-the-r.patch b/queue-5.4/mtd-partitions-redboot-seek-fis-index-block-in-the-r.patch
new file mode 100644 (file)
index 0000000..b02e990
--- /dev/null
@@ -0,0 +1,51 @@
+From 7d29868123ae93fbf2ea296761d82fd46e3b3a8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 May 2021 11:48:50 +0000
+Subject: mtd: partitions: redboot: seek fis-index-block in the right node
+
+From: Corentin Labbe <clabbe@baylibre.com>
+
+[ Upstream commit 237960880960863fb41888763d635b384cffb104 ]
+
+fis-index-block is seeked in the master node and not in the partitions node.
+For following binding and current usage, the driver need to check the
+partitions subnode.
+
+Fixes: c0e118c8a1a3 ("mtd: partitions: Add OF support to RedBoot partitions")
+Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20210520114851.1274609-1-clabbe@baylibre.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/parsers/redboot.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/parsers/redboot.c b/drivers/mtd/parsers/redboot.c
+index 91146bdc4713..3ccd6363ee8c 100644
+--- a/drivers/mtd/parsers/redboot.c
++++ b/drivers/mtd/parsers/redboot.c
+@@ -45,6 +45,7 @@ static inline int redboot_checksum(struct fis_image_desc *img)
+ static void parse_redboot_of(struct mtd_info *master)
+ {
+       struct device_node *np;
++      struct device_node *npart;
+       u32 dirblock;
+       int ret;
+@@ -52,7 +53,11 @@ static void parse_redboot_of(struct mtd_info *master)
+       if (!np)
+               return;
+-      ret = of_property_read_u32(np, "fis-index-block", &dirblock);
++      npart = of_get_child_by_name(np, "partitions");
++      if (!npart)
++              return;
++
++      ret = of_property_read_u32(npart, "fis-index-block", &dirblock);
+       if (ret)
+               return;
+-- 
+2.30.2
+
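Review bot: The node returned by `of_get_child_by_name(np, "partitions")` in parse_redboot_of() is never released, so each call leaks a reference on the partitions node. of_get_child_by_name() returns the child with its refcount raised, and the second inner hunk has no matching of_node_put() on either the `if (ret) return;` path or the success path. Adding `of_node_put(npart);` directly after the `of_property_read_u32(npart, "fis-index-block", &dirblock);` call covers both, since npart is not used again in the visible lines. The function continues past the end of the hunk, so confirm that nothing later reads npart.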
diff --git a/queue-5.4/mtd-rawnand-marvell-add-missing-clk_disable_unprepar.patch b/queue-5.4/mtd-rawnand-marvell-add-missing-clk_disable_unprepar.patch
new file mode 100644 (file)
index 0000000..440fdd0
--- /dev/null
@@ -0,0 +1,41 @@
+From 688b809ffc021bb0f698a4b86f83ece81fd11f32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jun 2021 20:58:14 +0800
+Subject: mtd: rawnand: marvell: add missing clk_disable_unprepare() on error
+ in marvell_nfc_resume()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit ae94c49527aa9bd3b563349adc4b5617747ca6bd ]
+
+Add clk_disable_unprepare() on error path in marvell_nfc_resume().
+
+Fixes: bd9c3f9b3c00 ("mtd: rawnand: marvell: add suspend and resume hooks")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20210601125814.3260364-1-yangyingliang@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/marvell_nand.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/nand/raw/marvell_nand.c b/drivers/mtd/nand/raw/marvell_nand.c
+index ee4afa17d8a3..ef163ff1edf7 100644
+--- a/drivers/mtd/nand/raw/marvell_nand.c
++++ b/drivers/mtd/nand/raw/marvell_nand.c
+@@ -2980,8 +2980,10 @@ static int __maybe_unused marvell_nfc_resume(struct device *dev)
+               return ret;
+       ret = clk_prepare_enable(nfc->reg_clk);
+-      if (ret < 0)
++      if (ret < 0) {
++              clk_disable_unprepare(nfc->core_clk);
+               return ret;
++      }
+       /*
+        * Reset nfc->selected_chip so the next command will cause the timing
+-- 
+2.30.2
+
diff --git a/queue-5.4/mwifiex-re-fix-for-unaligned-accesses.patch b/queue-5.4/mwifiex-re-fix-for-unaligned-accesses.patch
new file mode 100644 (file)
index 0000000..de8747c
--- /dev/null
@@ -0,0 +1,62 @@
+From bb15d5fb5587b76e19f836307a2fd712f4f51f18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 May 2021 00:07:55 +0200
+Subject: mwifiex: re-fix for unaligned accesses
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 8f4e3d48bb50765ab27ae5bebed2595b20de80a1 ]
+
+A patch from 2017 changed some accesses to DMA memory to use
+get_unaligned_le32() and similar interfaces, to avoid problems
+with doing unaligned accesson uncached memory.
+
+However, the change in the mwifiex_pcie_alloc_sleep_cookie_buf()
+function ended up changing the size of the access instead,
+as it operates on a pointer to u8.
+
+Change this function back to actually access the entire 32 bits.
+Note that the pointer is aligned by definition because it came
+from dma_alloc_coherent().
+
+Fixes: 92c70a958b0b ("mwifiex: fix for unaligned reads")
+Acked-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/pcie.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/pcie.c b/drivers/net/wireless/marvell/mwifiex/pcie.c
+index 58c9623c3a91..bc46a0aa06eb 100644
+--- a/drivers/net/wireless/marvell/mwifiex/pcie.c
++++ b/drivers/net/wireless/marvell/mwifiex/pcie.c
+@@ -1080,7 +1080,7 @@ static int mwifiex_pcie_delete_cmdrsp_buf(struct mwifiex_adapter *adapter)
+ static int mwifiex_pcie_alloc_sleep_cookie_buf(struct mwifiex_adapter *adapter)
+ {
+       struct pcie_service_card *card = adapter->card;
+-      u32 tmp;
++      u32 *cookie;
+       card->sleep_cookie_vbase = pci_alloc_consistent(card->dev, sizeof(u32),
+                                                    &card->sleep_cookie_pbase);
+@@ -1089,13 +1089,11 @@ static int mwifiex_pcie_alloc_sleep_cookie_buf(struct mwifiex_adapter *adapter)
+                           "pci_alloc_consistent failed!\n");
+               return -ENOMEM;
+       }
++      cookie = (u32 *)card->sleep_cookie_vbase;
+       /* Init val of Sleep Cookie */
+-      tmp = FW_AWAKE_COOKIE;
+-      put_unaligned(tmp, card->sleep_cookie_vbase);
++      *cookie = FW_AWAKE_COOKIE;
+-      mwifiex_dbg(adapter, INFO,
+-                  "alloc_scook: sleep cookie=0x%x\n",
+-                  get_unaligned(card->sleep_cookie_vbase));
++      mwifiex_dbg(adapter, INFO, "alloc_scook: sleep cookie=0x%x\n", *cookie);
+       return 0;
+ }
+-- 
+2.30.2
+
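Review bot: `*cookie = FW_AWAKE_COOKIE;` in mwifiex_pcie_alloc_sleep_cookie_buf() stores the value in host byte order into memory shared with the device. If the firmware reads the sleep cookie as little-endian (not visible from this hunk), a big-endian host would write the bytes swapped. `put_unaligned_le32(FW_AWAKE_COOKIE, card->sleep_cookie_vbase);` keeps the full 32-bit store, makes the byte order explicit and avoids the `(u32 *)` cast. The debug print would then read the value back with `get_unaligned_le32(card->sleep_cookie_vbase)`.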
diff --git a/queue-5.4/net-bcmgenet-fix-attaching-to-pyh-failed-on-rpi-4b.patch b/queue-5.4/net-bcmgenet-fix-attaching-to-pyh-failed-on-rpi-4b.patch
new file mode 100644 (file)
index 0000000..0d15b74
--- /dev/null
@@ -0,0 +1,47 @@
+From c08d8a179b318fd1d076db7946ab0049216d1dcb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jun 2021 11:28:03 +0800
+Subject: net: bcmgenet: Fix attaching to PYH failed on RPi 4B
+
+From: Jian-Hong Pan <jhp@endlessos.org>
+
+[ Upstream commit b2ac9800cfe0f8da16abc4e74e003440361c112e ]
+
+The Broadcom UniMAC MDIO bus from mdio-bcm-unimac module comes too late.
+So, GENET cannot find the ethernet PHY on UniMAC MDIO bus. This leads
+GENET fail to attach the PHY as following log:
+
+bcmgenet fd580000.ethernet: GENET 5.0 EPHY: 0x0000
+...
+could not attach to PHY
+bcmgenet fd580000.ethernet eth0: failed to connect to PHY
+uart-pl011 fe201000.serial: no DMA platform data
+libphy: bcmgenet MII bus: probed
+...
+unimac-mdio unimac-mdio.-19: Broadcom UniMAC MDIO bus
+
+This patch adds the soft dependency to load mdio-bcm-unimac module
+before genet module to avoid the issue.
+
+Fixes: 9a4e79697009 ("net: bcmgenet: utilize generic Broadcom UniMAC MDIO controller driver")
+Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=213485
+Signed-off-by: Jian-Hong Pan <jhp@endlessos.org>
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+index b27da024aa9d..21669a42718c 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -3741,3 +3741,4 @@ MODULE_AUTHOR("Broadcom Corporation");
+ MODULE_DESCRIPTION("Broadcom GENET Ethernet controller driver");
+ MODULE_ALIAS("platform:bcmgenet");
+ MODULE_LICENSE("GPL");
++MODULE_SOFTDEP("pre: mdio-bcm-unimac");
+-- 
+2.30.2
+
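Review bot: `MODULE_SOFTDEP("pre: mdio-bcm-unimac")` at the end of bcmgenet.c is only a hint that modprobe acts on, so the load order it asks for is not enforced when either driver is built in or when the MDIO module is absent from the initramfs. If the PHY lookup can still lose the race in those configurations, returning `-EPROBE_DEFER` from the probe path would cover them; that path is outside this hunk, so this is something to check rather than a confirmed gap. A one-line comment above the macro, e.g. `/* PHY sits on the UniMAC MDIO bus; load its driver first */`, would also record why the dependency exists.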
diff --git a/queue-5.4/net-ethernet-aeroflex-fix-uaf-in-greth_of_remove.patch b/queue-5.4/net-ethernet-aeroflex-fix-uaf-in-greth_of_remove.patch
new file mode 100644 (file)
index 0000000..f4dd823
--- /dev/null
@@ -0,0 +1,54 @@
+From 5fcce652a3918dfc5efb8d0497d13904f4a3dff2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 17:57:31 +0300
+Subject: net: ethernet: aeroflex: fix UAF in greth_of_remove
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit e3a5de6d81d8b2199935c7eb3f7d17a50a7075b7 ]
+
+static int greth_of_remove(struct platform_device *of_dev)
+{
+...
+       struct greth_private *greth = netdev_priv(ndev);
+...
+       unregister_netdev(ndev);
+       free_netdev(ndev);
+
+       of_iounmap(&of_dev->resource[0], greth->regs, resource_size(&of_dev->resource[0]));
+...
+}
+
+greth is netdev private data, but it is used
+after free_netdev(). It can cause use-after-free when accessing greth
+pointer. So, fix it by moving free_netdev() after of_iounmap()
+call.
+
+Fixes: d4c41139df6e ("net: Add Aeroflex Gaisler 10/100/1G Ethernet MAC driver")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/aeroflex/greth.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/aeroflex/greth.c b/drivers/net/ethernet/aeroflex/greth.c
+index 2a9f8643629c..907904c0a288 100644
+--- a/drivers/net/ethernet/aeroflex/greth.c
++++ b/drivers/net/ethernet/aeroflex/greth.c
+@@ -1541,10 +1541,11 @@ static int greth_of_remove(struct platform_device *of_dev)
+       mdiobus_unregister(greth->mdio);
+       unregister_netdev(ndev);
+-      free_netdev(ndev);
+       of_iounmap(&of_dev->resource[0], greth->regs, resource_size(&of_dev->resource[0]));
++      free_netdev(ndev);
++
+       return 0;
+ }
+-- 
+2.30.2
+
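Review bot: Nothing in greth_of_remove() records why `free_netdev(ndev)` has to be the final call, so the ordering this patch establishes is easy to undo in a later cleanup. `greth` comes from `netdev_priv(ndev)` (shown in the commit text), so it points into the allocation that free_netdev() releases; I would add `/* greth is ndev's private area: free_netdev() must come last */` above the moved line. The same comment applies to nps_enet_remove() in queue-5.4/net-ethernet-ezchip-fix-uaf-in-nps_enet_remove.patch, where `priv` is still needed by `netif_napi_del(&priv->napi)`. The function starts outside the hunk, so earlier uses of `greth` were not reviewed.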
diff --git a/queue-5.4/net-ethernet-ezchip-fix-error-handling.patch b/queue-5.4/net-ethernet-ezchip-fix-error-handling.patch
new file mode 100644 (file)
index 0000000..97673bb
--- /dev/null
@@ -0,0 +1,44 @@
+From 37c6d0f6be79418996ae6031e0f1feccc5ce98af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 19:14:47 +0300
+Subject: net: ethernet: ezchip: fix error handling
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit 0de449d599594f5472e00267d651615c7f2c6c1d ]
+
+As documented at drivers/base/platform.c for platform_get_irq:
+
+ * Gets an IRQ for a platform device and prints an error message if finding the
+ * IRQ fails. Device drivers should check the return value for errors so as to
+ * not pass a negative integer value to the request_irq() APIs.
+
+So, the driver should check that platform_get_irq() return value
+is _negative_, not that it's equal to zero, because -ENXIO (return
+value from request_irq() if irq was not found) will
+pass this check and it leads to passing negative irq to request_irq()
+
+Fixes: 0dd077093636 ("NET: Add ezchip ethernet driver")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ezchip/nps_enet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/ezchip/nps_enet.c b/drivers/net/ethernet/ezchip/nps_enet.c
+index 026a3ec19b6e..3d74401b4f10 100644
+--- a/drivers/net/ethernet/ezchip/nps_enet.c
++++ b/drivers/net/ethernet/ezchip/nps_enet.c
+@@ -610,7 +610,7 @@ static s32 nps_enet_probe(struct platform_device *pdev)
+       /* Get IRQ number */
+       priv->irq = platform_get_irq(pdev, 0);
+-      if (!priv->irq) {
++      if (priv->irq < 0) {
+               dev_err(dev, "failed to retrieve <irq Rx-Tx> value from device tree\n");
+               err = -ENODEV;
+               goto out_netdev;
+-- 
+2.30.2
+
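Review bot: The failing branch in nps_enet_probe() still sets `err = -ENODEV`, which discards the code platform_get_irq() returned, so a deferred-probe result would be reported as a hard failure. With the test now `priv->irq < 0`, the value is available and can be passed on with `err = priv->irq;`. The platform_get_irq() documentation quoted in the commit text says it already prints an error, so the `dev_err()` here is probably redundant. The check relies on `priv->irq` being a signed field, and its declaration is outside this hunk.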
diff --git a/queue-5.4/net-ethernet-ezchip-fix-uaf-in-nps_enet_remove.patch b/queue-5.4/net-ethernet-ezchip-fix-uaf-in-nps_enet_remove.patch
new file mode 100644 (file)
index 0000000..125a215
--- /dev/null
@@ -0,0 +1,39 @@
+From f0e15f099f971a33786a2ad957a1cac9c1c3cc35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 19:14:31 +0300
+Subject: net: ethernet: ezchip: fix UAF in nps_enet_remove
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit e4b8700e07a86e8eab6916aa5c5ba99042c34089 ]
+
+priv is netdev private data, but it is used
+after free_netdev(). It can cause use-after-free when accessing priv
+pointer. So, fix it by moving free_netdev() after netif_napi_del()
+call.
+
+Fixes: 0dd077093636 ("NET: Add ezchip ethernet driver")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ezchip/nps_enet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/ezchip/nps_enet.c b/drivers/net/ethernet/ezchip/nps_enet.c
+index 815fb62c4b02..026a3ec19b6e 100644
+--- a/drivers/net/ethernet/ezchip/nps_enet.c
++++ b/drivers/net/ethernet/ezchip/nps_enet.c
+@@ -645,8 +645,8 @@ static s32 nps_enet_remove(struct platform_device *pdev)
+       struct nps_enet_priv *priv = netdev_priv(ndev);
+       unregister_netdev(ndev);
+-      free_netdev(ndev);
+       netif_napi_del(&priv->napi);
++      free_netdev(ndev);
+       return 0;
+ }
+-- 
+2.30.2
+
diff --git a/queue-5.4/net-ftgmac100-add-missing-error-return-code-in-ftgma.patch b/queue-5.4/net-ftgmac100-add-missing-error-return-code-in-ftgma.patch
new file mode 100644 (file)
index 0000000..98bd0ca
--- /dev/null
@@ -0,0 +1,57 @@
+From 499e122e27fba6131667254b95b718160c902346 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 22 May 2021 20:02:46 +0800
+Subject: net: ftgmac100: add missing error return code in ftgmac100_probe()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 52af13a41489d7bbc1932d17583eff6e5fffc820 ]
+
+The variables will be free on path err_phy_connect, it should
+return error code, or it will cause double free when calling
+ftgmac100_remove().
+
+Fixes: bd466c3fb5a4 ("net/faraday: Support NCSI mode")
+Fixes: 39bfab8844a0 ("net: ftgmac100: Add support for DT phy-handle property")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/faraday/ftgmac100.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/faraday/ftgmac100.c b/drivers/net/ethernet/faraday/ftgmac100.c
+index 4050f81f788c..2c06cdcd3e75 100644
+--- a/drivers/net/ethernet/faraday/ftgmac100.c
++++ b/drivers/net/ethernet/faraday/ftgmac100.c
+@@ -1821,14 +1821,17 @@ static int ftgmac100_probe(struct platform_device *pdev)
+       if (np && of_get_property(np, "use-ncsi", NULL)) {
+               if (!IS_ENABLED(CONFIG_NET_NCSI)) {
+                       dev_err(&pdev->dev, "NCSI stack not enabled\n");
++                      err = -EINVAL;
+                       goto err_ncsi_dev;
+               }
+               dev_info(&pdev->dev, "Using NCSI interface\n");
+               priv->use_ncsi = true;
+               priv->ndev = ncsi_register_dev(netdev, ftgmac100_ncsi_handler);
+-              if (!priv->ndev)
++              if (!priv->ndev) {
++                      err = -EINVAL;
+                       goto err_ncsi_dev;
++              }
+       } else if (np && of_get_property(np, "phy-handle", NULL)) {
+               struct phy_device *phy;
+@@ -1836,6 +1839,7 @@ static int ftgmac100_probe(struct platform_device *pdev)
+                                            &ftgmac100_adjust_link);
+               if (!phy) {
+                       dev_err(&pdev->dev, "Failed to connect to phy\n");
++                      err = -EINVAL;
+                       goto err_setup_mdio;
+               }
+-- 
+2.30.2
+
diff --git a/queue-5.4/net-ipv4-swap-flow-ports-when-validating-source.patch b/queue-5.4/net-ipv4-swap-flow-ports-when-validating-source.patch
new file mode 100644 (file)
index 0000000..67de277
--- /dev/null
@@ -0,0 +1,39 @@
+From e4e572a67fbd0c3f3669999d6168d7251cb52efd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jun 2021 12:24:50 +0800
+Subject: net/ipv4: swap flow ports when validating source
+
+From: Miao Wang <shankerwangmiao@gmail.com>
+
+[ Upstream commit c69f114d09891adfa3e301a35d9e872b8b7b5a50 ]
+
+When doing source address validation, the flowi4 struct used for
+fib_lookup should be in the reverse direction to the given skb.
+fl4_dport and fl4_sport returned by fib4_rules_early_flow_dissect
+should thus be swapped.
+
+Fixes: 5a847a6e1477 ("net/ipv4: Initialize proto and ports in flow struct")
+Signed-off-by: Miao Wang <shankerwangmiao@gmail.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/fib_frontend.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
+index 2ce191019526..b875b98820ed 100644
+--- a/net/ipv4/fib_frontend.c
++++ b/net/ipv4/fib_frontend.c
+@@ -381,6 +381,8 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
+               fl4.flowi4_proto = 0;
+               fl4.fl4_sport = 0;
+               fl4.fl4_dport = 0;
++      } else {
++              swap(fl4.fl4_sport, fl4.fl4_dport);
+       }
+       if (fib_lookup(net, &fl4, &res, 0))
+-- 
+2.30.2
+
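Review bot: The new `else` branch in __fib_validate_source() swaps the ports without saying why, and the reason is not obvious from the surrounding lines. A short comment such as `/* lookup is for the reverse path: skb's source port is the flow's destination port */` above `swap(fl4.fl4_sport, fl4.fl4_dport);` would keep the intent visible, since port-based policy rules would otherwise be matched in the wrong direction during source validation. The condition of the `if` is outside the hunk.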
diff --git a/queue-5.4/net-lwtunnel-handle-mtu-calculation-in-forwading.patch b/queue-5.4/net-lwtunnel-handle-mtu-calculation-in-forwading.patch
new file mode 100644 (file)
index 0000000..06c7f7a
--- /dev/null
@@ -0,0 +1,142 @@
+From a367b62eded866e688584e7372e732fa3f156efa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jun 2021 19:21:39 +0300
+Subject: net: lwtunnel: handle MTU calculation in forwading
+
+From: Vadim Fedorenko <vfedorenko@novek.ru>
+
+[ Upstream commit fade56410c22cacafb1be9f911a0afd3701d8366 ]
+
+Commit 14972cbd34ff ("net: lwtunnel: Handle fragmentation") moved
+fragmentation logic away from lwtunnel by carry encap headroom and
+use it in output MTU calculation. But the forwarding part was not
+covered and created difference in MTU for output and forwarding and
+further to silent drops on ipv4 forwarding path. Fix it by taking
+into account lwtunnel encap headroom.
+
+The same commit also introduced difference in how to treat RTAX_MTU
+in IPv4 and IPv6 where latter explicitly removes lwtunnel encap
+headroom from route MTU. Make IPv4 version do the same.
+
+Fixes: 14972cbd34ff ("net: lwtunnel: Handle fragmentation")
+Suggested-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: Vadim Fedorenko <vfedorenko@novek.ru>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/ip.h        | 12 ++++++++----
+ include/net/ip6_route.h | 16 ++++++++++++----
+ net/ipv4/route.c        |  3 ++-
+ 3 files changed, 22 insertions(+), 9 deletions(-)
+
+diff --git a/include/net/ip.h b/include/net/ip.h
+index 0278d63c1527..52abfc00b5e3 100644
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -30,6 +30,7 @@
+ #include <net/flow.h>
+ #include <net/flow_dissector.h>
+ #include <net/netns/hash.h>
++#include <net/lwtunnel.h>
+ #define IPV4_MAX_PMTU         65535U          /* RFC 2675, Section 5.1 */
+ #define IPV4_MIN_MTU          68                      /* RFC 791 */
+@@ -448,22 +449,25 @@ static inline unsigned int ip_dst_mtu_maybe_forward(const struct dst_entry *dst,
+       /* 'forwarding = true' case should always honour route mtu */
+       mtu = dst_metric_raw(dst, RTAX_MTU);
+-      if (mtu)
+-              return mtu;
++      if (!mtu)
++              mtu = min(READ_ONCE(dst->dev->mtu), IP_MAX_MTU);
+-      return min(READ_ONCE(dst->dev->mtu), IP_MAX_MTU);
++      return mtu - lwtunnel_headroom(dst->lwtstate, mtu);
+ }
+ static inline unsigned int ip_skb_dst_mtu(struct sock *sk,
+                                         const struct sk_buff *skb)
+ {
++      unsigned int mtu;
++
+       if (!sk || !sk_fullsock(sk) || ip_sk_use_pmtu(sk)) {
+               bool forwarding = IPCB(skb)->flags & IPSKB_FORWARDED;
+               return ip_dst_mtu_maybe_forward(skb_dst(skb), forwarding);
+       }
+-      return min(READ_ONCE(skb_dst(skb)->dev->mtu), IP_MAX_MTU);
++      mtu = min(READ_ONCE(skb_dst(skb)->dev->mtu), IP_MAX_MTU);
++      return mtu - lwtunnel_headroom(skb_dst(skb)->lwtstate, mtu);
+ }
+ struct dst_metrics *ip_fib_metrics_init(struct net *net, struct nlattr *fc_mx,
+diff --git a/include/net/ip6_route.h b/include/net/ip6_route.h
+index 2d0d91070268..40602def3fe7 100644
+--- a/include/net/ip6_route.h
++++ b/include/net/ip6_route.h
+@@ -263,11 +263,18 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
+ static inline int ip6_skb_dst_mtu(struct sk_buff *skb)
+ {
++      int mtu;
++
+       struct ipv6_pinfo *np = skb->sk && !dev_recursion_level() ?
+                               inet6_sk(skb->sk) : NULL;
+-      return (np && np->pmtudisc >= IPV6_PMTUDISC_PROBE) ?
+-             skb_dst(skb)->dev->mtu : dst_mtu(skb_dst(skb));
++      if (np && np->pmtudisc >= IPV6_PMTUDISC_PROBE) {
++              mtu = READ_ONCE(skb_dst(skb)->dev->mtu);
++              mtu -= lwtunnel_headroom(skb_dst(skb)->lwtstate, mtu);
++      } else
++              mtu = dst_mtu(skb_dst(skb));
++
++      return mtu;
+ }
+ static inline bool ip6_sk_accept_pmtu(const struct sock *sk)
+@@ -315,7 +322,7 @@ static inline unsigned int ip6_dst_mtu_forward(const struct dst_entry *dst)
+       if (dst_metric_locked(dst, RTAX_MTU)) {
+               mtu = dst_metric_raw(dst, RTAX_MTU);
+               if (mtu)
+-                      return mtu;
++                      goto out;
+       }
+       mtu = IPV6_MIN_MTU;
+@@ -325,7 +332,8 @@ static inline unsigned int ip6_dst_mtu_forward(const struct dst_entry *dst)
+               mtu = idev->cnf.mtu6;
+       rcu_read_unlock();
+-      return mtu;
++out:
++      return mtu - lwtunnel_headroom(dst->lwtstate, mtu);
+ }
+ u32 ip6_mtu_from_fib6(const struct fib6_result *res,
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 3ff702380b62..0e976848d4bb 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1321,7 +1321,7 @@ static unsigned int ipv4_mtu(const struct dst_entry *dst)
+               mtu = dst_metric_raw(dst, RTAX_MTU);
+       if (mtu)
+-              return mtu;
++              goto out;
+       mtu = READ_ONCE(dst->dev->mtu);
+@@ -1330,6 +1330,7 @@ static unsigned int ipv4_mtu(const struct dst_entry *dst)
+                       mtu = 576;
+       }
++out:
+       mtu = min_t(unsigned int, mtu, IP_MAX_MTU);
+       return mtu - lwtunnel_headroom(dst->lwtstate, mtu);
+-- 
+2.30.2
+
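Review bot: In ip6_skb_dst_mtu() the new local is `int mtu`, yet it is assigned from `dev->mtu` and has `lwtunnel_headroom()` subtracted from it, both of which the IPv4 helper in this same patch handles as `unsigned int mtu`. Declaring it `unsigned int mtu;` would match ip_skb_dst_mtu(); the function's `int` return type predates this change. The `else` branch there is left unbraced while the `if` branch has braces, and kernel style asks for `} else {` on both. All the new `mtu - lwtunnel_headroom(..., mtu)` expressions depend on the helper never returning more than `mtu`, and the helper is defined outside these hunks.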
diff --git a/queue-5.4/net-mvpp2-put-fwnode-in-error-case-during-probe.patch b/queue-5.4/net-mvpp2-put-fwnode-in-error-case-during-probe.patch
new file mode 100644 (file)
index 0000000..52c68a5
--- /dev/null
@@ -0,0 +1,40 @@
+From a82c2f9217f1897b2e24dfd805736f4677999088 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 May 2021 12:58:05 +0300
+Subject: net: mvpp2: Put fwnode in error case during ->probe()
+
+From: Andy Shevchenko <andy.shevchenko@gmail.com>
+
+[ Upstream commit 71f0891c84dfdc448736082ab0a00acd29853896 ]
+
+In each iteration fwnode_for_each_available_child_node() bumps a reference
+counting of a loop variable followed by dropping in on a next iteration,
+
+Since in error case the loop is broken, we have to drop a reference count
+by ourselves. Do it for port_fwnode in error case during ->probe().
+
+Fixes: 248122212f68 ("net: mvpp2: use device_*/fwnode_* APIs instead of of_*")
+Cc: Marcin Wojtas <mw@semihalf.com>
+Signed-off-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+index 491bcfd36ac2..7857ebff92e8 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+@@ -5910,6 +5910,8 @@ static int mvpp2_probe(struct platform_device *pdev)
+       return 0;
+ err_port_probe:
++      fwnode_handle_put(port_fwnode);
++
+       i = 0;
+       fwnode_for_each_available_child_node(fwnode, port_fwnode) {
+               if (priv->port_list[i])
+-- 
+2.30.2
+
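Review bot: `fwnode_handle_put(port_fwnode)` at `err_port_probe:` runs for every jump to that label, and the hunk does not show whether all of them come from inside the child-node loop. If any jump is taken after the loop has finished, `port_fwnode` would no longer hold a reference at that point, so it is worth confirming that case and stating the assumption in a comment, e.g. `/* drop the reference held by the interrupted child-node iteration */`. The variable is reused as the iterator two lines below, so the put has to stay ahead of that loop.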
diff --git a/queue-5.4/net-pch_gbe-propagate-error-from-devm_gpio_request_o.patch b/queue-5.4/net-pch_gbe-propagate-error-from-devm_gpio_request_o.patch
new file mode 100644 (file)
index 0000000..559e7cf
--- /dev/null
@@ -0,0 +1,56 @@
+From 95a4f2e80b33744da817c24f838ab5e4f424a8bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 May 2021 19:39:27 +0300
+Subject: net: pch_gbe: Propagate error from devm_gpio_request_one()
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 9e3617a7b84512bf96c04f9cf82d1a7257d33794 ]
+
+If GPIO controller is not available yet we need to defer
+the probe of GBE until provider will become available.
+
+While here, drop GPIOF_EXPORT because it's deprecated and
+may not be available.
+
+Fixes: f1a26fdf5944 ("pch_gbe: Add MinnowBoard support")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Tested-by: Flavio Suligoi <f.suligoi@asem.it>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
+index 18e6d87c607b..f1269fe4ac72 100644
+--- a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
++++ b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
+@@ -2535,9 +2535,13 @@ static int pch_gbe_probe(struct pci_dev *pdev,
+       adapter->pdev = pdev;
+       adapter->hw.back = adapter;
+       adapter->hw.reg = pcim_iomap_table(pdev)[PCH_GBE_PCI_BAR];
++
+       adapter->pdata = (struct pch_gbe_privdata *)pci_id->driver_data;
+-      if (adapter->pdata && adapter->pdata->platform_init)
+-              adapter->pdata->platform_init(pdev);
++      if (adapter->pdata && adapter->pdata->platform_init) {
++              ret = adapter->pdata->platform_init(pdev);
++              if (ret)
++                      goto err_free_netdev;
++      }
+       adapter->ptp_pdev =
+               pci_get_domain_bus_and_slot(pci_domain_nr(adapter->pdev->bus),
+@@ -2632,7 +2636,7 @@ err_free_netdev:
+  */
+ static int pch_gbe_minnow_platform_init(struct pci_dev *pdev)
+ {
+-      unsigned long flags = GPIOF_DIR_OUT | GPIOF_INIT_HIGH | GPIOF_EXPORT;
++      unsigned long flags = GPIOF_OUT_INIT_HIGH;
+       unsigned gpio = MINNOW_PHY_RESET_GPIO;
+       int ret;
+-- 
+2.30.2
+
diff --git a/queue-5.4/net-sched-act_vlan-fix-modify-to-allow-0.patch b/queue-5.4/net-sched-act_vlan-fix-modify-to-allow-0.patch
new file mode 100644 (file)
index 0000000..b50b5a3
--- /dev/null
@@ -0,0 +1,95 @@
+From 836abac666a7f1d0da27739c9b80211ff87bb9d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jun 2021 15:30:50 +0300
+Subject: net/sched: act_vlan: Fix modify to allow 0
+
+From: Boris Sukholitko <boris.sukholitko@broadcom.com>
+
+[ Upstream commit 9c5eee0afca09cbde6bd00f77876754aaa552970 ]
+
+Currently vlan modification action checks existence of vlan priority by
+comparing it to 0. Therefore it is impossible to modify existing vlan
+tag to have priority 0.
+
+For example, the following tc command will change the vlan id but will
+not affect vlan priority:
+
+tc filter add dev eth1 ingress matchall action vlan modify id 300 \
+        priority 0 pipe mirred egress redirect dev eth2
+
+The incoming packet on eth1:
+
+ethertype 802.1Q (0x8100), vlan 200, p 4, ethertype IPv4
+
+will be changed to:
+
+ethertype 802.1Q (0x8100), vlan 300, p 4, ethertype IPv4
+
+although the user has intended to have p == 0.
+
+The fix is to add tcfv_push_prio_exists flag to struct tcf_vlan_params
+and rely on it when deciding to set the priority.
+
+Fixes: 45a497f2d149a4a8061c (net/sched: act_vlan: Introduce TCA_VLAN_ACT_MODIFY vlan action)
+Signed-off-by: Boris Sukholitko <boris.sukholitko@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/tc_act/tc_vlan.h | 1 +
+ net/sched/act_vlan.c         | 7 +++++--
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/include/net/tc_act/tc_vlan.h b/include/net/tc_act/tc_vlan.h
+index 4e2502408c31..add6fb50dd33 100644
+--- a/include/net/tc_act/tc_vlan.h
++++ b/include/net/tc_act/tc_vlan.h
+@@ -14,6 +14,7 @@ struct tcf_vlan_params {
+       u16               tcfv_push_vid;
+       __be16            tcfv_push_proto;
+       u8                tcfv_push_prio;
++      bool              tcfv_push_prio_exists;
+       struct rcu_head   rcu;
+ };
+diff --git a/net/sched/act_vlan.c b/net/sched/act_vlan.c
+index 3c26042f4ea6..7dc76c68ec52 100644
+--- a/net/sched/act_vlan.c
++++ b/net/sched/act_vlan.c
+@@ -70,7 +70,7 @@ static int tcf_vlan_act(struct sk_buff *skb, const struct tc_action *a,
+               /* replace the vid */
+               tci = (tci & ~VLAN_VID_MASK) | p->tcfv_push_vid;
+               /* replace prio bits, if tcfv_push_prio specified */
+-              if (p->tcfv_push_prio) {
++              if (p->tcfv_push_prio_exists) {
+                       tci &= ~VLAN_PRIO_MASK;
+                       tci |= p->tcfv_push_prio << VLAN_PRIO_SHIFT;
+               }
+@@ -107,6 +107,7 @@ static int tcf_vlan_init(struct net *net, struct nlattr *nla,
+       struct tc_action_net *tn = net_generic(net, vlan_net_id);
+       struct nlattr *tb[TCA_VLAN_MAX + 1];
+       struct tcf_chain *goto_ch = NULL;
++      bool push_prio_exists = false;
+       struct tcf_vlan_params *p;
+       struct tc_vlan *parm;
+       struct tcf_vlan *v;
+@@ -175,7 +176,8 @@ static int tcf_vlan_init(struct net *net, struct nlattr *nla,
+                       push_proto = htons(ETH_P_8021Q);
+               }
+-              if (tb[TCA_VLAN_PUSH_VLAN_PRIORITY])
++              push_prio_exists = !!tb[TCA_VLAN_PUSH_VLAN_PRIORITY];
++              if (push_prio_exists)
+                       push_prio = nla_get_u8(tb[TCA_VLAN_PUSH_VLAN_PRIORITY]);
+               break;
+       default:
+@@ -216,6 +218,7 @@ static int tcf_vlan_init(struct net *net, struct nlattr *nla,
+       p->tcfv_action = action;
+       p->tcfv_push_vid = push_vid;
+       p->tcfv_push_prio = push_prio;
++      p->tcfv_push_prio_exists = push_prio_exists || action == TCA_VLAN_ACT_PUSH;
+       p->tcfv_push_proto = push_proto;
+       spin_lock_bh(&v->tcf_lock);
+-- 
+2.30.2
+
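Review bot: The field name `tcfv_push_prio_exists` no longer matches what is stored in it, because tcf_vlan_init() sets it to `push_prio_exists || action == TCA_VLAN_ACT_PUSH`, which is true for every push even when no priority attribute was sent. A comment on the struct member, e.g. `/* write prio into the tag: always for push, for modify only if supplied */`, would stop readers from assuming it mirrors the netlink attribute. Separately, `push_prio` is taken from `nla_get_u8()` and later shifted by `VLAN_PRIO_SHIFT`; whether values above 7 are rejected is not visible in these hunks and is worth confirming.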
diff --git a/queue-5.4/net-sched-add-barrier-to-ensure-correct-ordering-for.patch b/queue-5.4/net-sched-add-barrier-to-ensure-correct-ordering-for.patch
new file mode 100644 (file)
index 0000000..3b40932
--- /dev/null
@@ -0,0 +1,68 @@
+From 40ef3fe1c167916c6fd767b222e55d514f3e77fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jun 2021 09:04:14 +0800
+Subject: net: sched: add barrier to ensure correct ordering for lockless qdisc
+
+From: Yunsheng Lin <linyunsheng@huawei.com>
+
+[ Upstream commit 89837eb4b2463c556a123437f242d6c2bc62ce81 ]
+
+The spin_trylock() was assumed to contain the implicit
+barrier needed to ensure the correct ordering between
+STATE_MISSED setting/clearing and STATE_MISSED checking
+in commit a90c57f2cedd ("net: sched: fix packet stuck
+problem for lockless qdisc").
+
+But it turns out that spin_trylock() only has load-acquire
+semantic, for strongly-ordered system(like x86), the compiler
+barrier implicitly contained in spin_trylock() seems enough
+to ensure the correct ordering. But for weakly-orderly system
+(like arm64), the store-release semantic is needed to ensure
+the correct ordering as clear_bit() and test_bit() is store
+operation, see queued_spin_lock().
+
+So add the explicit barrier to ensure the correct ordering
+for the above case.
+
+Fixes: a90c57f2cedd ("net: sched: fix packet stuck problem for lockless qdisc")
+Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
+Acked-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sch_generic.h | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
+index 0852f3e51360..0cb0a4bcb544 100644
+--- a/include/net/sch_generic.h
++++ b/include/net/sch_generic.h
+@@ -160,6 +160,12 @@ static inline bool qdisc_run_begin(struct Qdisc *qdisc)
+               if (spin_trylock(&qdisc->seqlock))
+                       goto nolock_empty;
++              /* Paired with smp_mb__after_atomic() to make sure
++               * STATE_MISSED checking is synchronized with clearing
++               * in pfifo_fast_dequeue().
++               */
++              smp_mb__before_atomic();
++
+               /* If the MISSED flag is set, it means other thread has
+                * set the MISSED flag before second spin_trylock(), so
+                * we can return false here to avoid multi cpus doing
+@@ -177,6 +183,12 @@ static inline bool qdisc_run_begin(struct Qdisc *qdisc)
+                */
+               set_bit(__QDISC_STATE_MISSED, &qdisc->state);
++              /* spin_trylock() only has load-acquire semantic, so use
++               * smp_mb__after_atomic() to ensure STATE_MISSED is set
++               * before doing the second spin_trylock().
++               */
++              smp_mb__after_atomic();
++
+               /* Retry again in case other CPU may not see the new flag
+                * after it releases the lock at the end of qdisc_run_end().
+                */
+-- 
+2.30.2
+
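Review bot: The first added barrier, `smp_mb__before_atomic()`, is placed ahead of the STATE_MISSED check, which the commit text describes as a `test_bit()`. The kernel's atomic documentation defines the `smp_mb__{before,after}_atomic()` pair only around read-modify-write atomics such as `set_bit()`. If the check is indeed a plain `test_bit()`, `smp_mb();` states the intended full barrier without depending on how an architecture implements the `__before_atomic` variant. The second barrier follows `set_bit()` and fits the documented use. The test itself lies outside the hunk, so this needs confirming against the full qdisc_run_begin().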
diff --git a/queue-5.4/net-sched-fix-warning-in-tcindex_alloc_perfect_hash.patch b/queue-5.4/net-sched-fix-warning-in-tcindex_alloc_perfect_hash.patch
new file mode 100644 (file)
index 0000000..d45cd9f
--- /dev/null
@@ -0,0 +1,40 @@
+From 9226c67aa6b67f68aac87bb36490ef3444eee5b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jun 2021 23:23:48 +0300
+Subject: net: sched: fix warning in tcindex_alloc_perfect_hash
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit 3f2db250099f46988088800052cdf2332c7aba61 ]
+
+Syzbot reported warning in tcindex_alloc_perfect_hash. The problem
+was in too big cp->hash, which triggers warning in kmalloc. Since
+cp->hash comes from userspace, there is no need to warn if value
+is not correct
+
+Fixes: b9a24bb76bf6 ("net_sched: properly handle failure case of tcf_exts_init()")
+Reported-and-tested-by: syzbot+1071ad60cd7df39fdadb@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Acked-by: Cong Wang <cong.wang@bytedance.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/cls_tcindex.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c
+index c9399e81c505..3e81f87d0c89 100644
+--- a/net/sched/cls_tcindex.c
++++ b/net/sched/cls_tcindex.c
+@@ -304,7 +304,7 @@ static int tcindex_alloc_perfect_hash(struct net *net, struct tcindex_data *cp)
+       int i, err = 0;
+       cp->perfect = kcalloc(cp->hash, sizeof(struct tcindex_filter_result),
+-                            GFP_KERNEL);
++                            GFP_KERNEL | __GFP_NOWARN);
+       if (!cp->perfect)
+               return -ENOMEM;
+-- 
+2.30.2
+
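Review bot: Adding `__GFP_NOWARN` to the `kcalloc()` in tcindex_alloc_perfect_hash() silences the allocator warning but leaves the element count `cp->hash`, which the commit text says comes from userspace, unbounded at this call. The request now fails quietly with `-ENOMEM`, so an oversized value is still rejected only by the allocator; an explicit upper bound where the attribute is parsed would reject it earlier with `-EINVAL`. Whether such a bound already exists is not visible here. A comment beside the flag, e.g. `/* cp->hash is user-controlled; allocation failure is an expected outcome */`, would record why the warning is suppressed.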
diff --git a/queue-5.4/netfilter-nft_exthdr-check-for-ipv6-packet-before-fu.patch b/queue-5.4/netfilter-nft_exthdr-check-for-ipv6-packet-before-fu.patch
new file mode 100644 (file)
index 0000000..cd8e8ef
--- /dev/null
@@ -0,0 +1,38 @@
+From 511f0aedf09a160596ddd79f06561472c507d851 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jun 2021 20:20:30 +0200
+Subject: netfilter: nft_exthdr: check for IPv6 packet before further
+ processing
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit cdd73cc545c0fb9b1a1f7b209f4f536e7990cff4 ]
+
+ipv6_find_hdr() does not validate that this is an IPv6 packet. Add a
+sanity check for calling ipv6_find_hdr() to make sure an IPv6 packet
+is passed for parsing.
+
+Fixes: 96518518cc41 ("netfilter: add nftables")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_exthdr.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
+index 427d77b111b1..00f4323cfeb8 100644
+--- a/net/netfilter/nft_exthdr.c
++++ b/net/netfilter/nft_exthdr.c
+@@ -42,6 +42,9 @@ static void nft_exthdr_ipv6_eval(const struct nft_expr *expr,
+       unsigned int offset = 0;
+       int err;
++      if (pkt->skb->protocol != htons(ETH_P_IPV6))
++              goto err;
++
+       err = ipv6_find_hdr(pkt->skb, &offset, priv->type, NULL, NULL);
+       if (priv->flags & NFT_EXTHDR_F_PRESENT) {
+               nft_reg_store8(dest, err >= 0);
+-- 
+2.30.2
+
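Review bot: The new guard in nft_exthdr_ipv6_eval() jumps to `err` before the `NFT_EXTHDR_F_PRESENT` branch, so for a non-IPv6 packet a presence test no longer stores a result in the destination register and instead takes whatever `err` does. That label is outside the hunk; if it breaks rule evaluation, the effect on presence checks deserves a mention in a comment. I would add `/* ipv6_find_hdr() assumes an IPv6 header; do not parse anything else */` above the check.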
diff --git a/queue-5.4/netfilter-nft_osf-check-for-tcp-packet-before-furthe.patch b/queue-5.4/netfilter-nft_osf-check-for-tcp-packet-before-furthe.patch
new file mode 100644 (file)
index 0000000..1400631
--- /dev/null
@@ -0,0 +1,40 @@
+From 68a34c17e9447375957bc86e4e1ab2315e336682 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jun 2021 20:20:31 +0200
+Subject: netfilter: nft_osf: check for TCP packet before further processing
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 8f518d43f89ae00b9cf5460e10b91694944ca1a8 ]
+
+The osf expression only supports for TCP packets, add a upfront sanity
+check to skip packet parsing if this is not a TCP packet.
+
+Fixes: b96af92d6eaf ("netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_osf.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/netfilter/nft_osf.c b/net/netfilter/nft_osf.c
+index b42247aa48a9..4911f8eb394f 100644
+--- a/net/netfilter/nft_osf.c
++++ b/net/netfilter/nft_osf.c
+@@ -28,6 +28,11 @@ static void nft_osf_eval(const struct nft_expr *expr, struct nft_regs *regs,
+       struct nf_osf_data data;
+       struct tcphdr _tcph;
++      if (pkt->tprot != IPPROTO_TCP) {
++              regs->verdict.code = NFT_BREAK;
++              return;
++      }
++
+       tcp = skb_header_pointer(skb, ip_hdrlen(skb),
+                                sizeof(struct tcphdr), &_tcph);
+       if (!tcp) {
+-- 
+2.30.2
+
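Review bot: `ip_hdrlen(skb)` on the line after the new guard still assumes an IPv4 header, while the added check in nft_osf_eval() looks only at the transport protocol in `pkt->tprot`. If the expression can be evaluated for a non-IPv4 packet that carries TCP, the TCP header would be fetched from the wrong offset; whether that can happen depends on family validation that is not visible in this hunk. At minimum the assumption should be written down next to the guard, e.g. `/* IPv4 only: the TCP header is located via ip_hdrlen() below */`. The function body starts and ends outside the hunk.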
diff --git a/queue-5.4/netfilter-nft_tproxy-restrict-support-to-tcp-and-udp.patch b/queue-5.4/netfilter-nft_tproxy-restrict-support-to-tcp-and-udp.patch
new file mode 100644 (file)
index 0000000..ee3a86a
--- /dev/null
@@ -0,0 +1,50 @@
+From 3a240e7969bfa10fd113fe7a382390f69e1150ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jun 2021 19:26:56 +0200
+Subject: netfilter: nft_tproxy: restrict support to TCP and UDP transport
+ protocols
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 52f0f4e178c757b3d356087376aad8bd77271828 ]
+
+Add unfront check for TCP and UDP packets before performing further
+processing.
+
+Fixes: 4ed8eb6570a4 ("netfilter: nf_tables: Add native tproxy support")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_tproxy.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_tproxy.c b/net/netfilter/nft_tproxy.c
+index 95980154ef02..b97ab1198b03 100644
+--- a/net/netfilter/nft_tproxy.c
++++ b/net/netfilter/nft_tproxy.c
+@@ -30,6 +30,12 @@ static void nft_tproxy_eval_v4(const struct nft_expr *expr,
+       __be16 tport = 0;
+       struct sock *sk;
++      if (pkt->tprot != IPPROTO_TCP &&
++          pkt->tprot != IPPROTO_UDP) {
++              regs->verdict.code = NFT_BREAK;
++              return;
++      }
++
+       hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);
+       if (!hp) {
+               regs->verdict.code = NFT_BREAK;
+@@ -91,7 +97,8 @@ static void nft_tproxy_eval_v6(const struct nft_expr *expr,
+       memset(&taddr, 0, sizeof(taddr));
+-      if (!pkt->tprot_set) {
++      if (pkt->tprot != IPPROTO_TCP &&
++          pkt->tprot != IPPROTO_UDP) {
+               regs->verdict.code = NFT_BREAK;
+               return;
+       }
+-- 
+2.30.2
+
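Review bot: The rewritten guard in nft_tproxy_eval_v6() drops the `!pkt->tprot_set` test and reads `pkt->tprot` unconditionally, and the new guard in nft_tproxy_eval_v4() does the same. That is only correct if `tprot` always holds a value other than TCP or UDP when no transport protocol was recorded, which neither hunk shows. Keeping the flag makes the check self-contained: `if (!pkt->tprot_set || (pkt->tprot != IPPROTO_TCP && pkt->tprot != IPPROTO_UDP)) {`. Both function bodies extend outside their hunks.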
diff --git a/queue-5.4/netlabel-fix-memory-leak-in-netlbl_mgmt_add_common.patch b/queue-5.4/netlabel-fix-memory-leak-in-netlbl_mgmt_add_common.patch
new file mode 100644 (file)
index 0000000..91e4243
--- /dev/null
@@ -0,0 +1,114 @@
+From 8d296710e66e2cce52b8310768a586c2074d77eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jun 2021 10:14:44 +0800
+Subject: netlabel: Fix memory leak in netlbl_mgmt_add_common
+
+From: Liu Shixin <liushixin2@huawei.com>
+
+[ Upstream commit b8f6b0522c298ae9267bd6584e19b942a0636910 ]
+
+Hulk Robot reported memory leak in netlbl_mgmt_add_common.
+The problem is non-freed map in case of netlbl_domhsh_add() failed.
+
+BUG: memory leak
+unreferenced object 0xffff888100ab7080 (size 96):
+  comm "syz-executor537", pid 360, jiffies 4294862456 (age 22.678s)
+  hex dump (first 32 bytes):
+    05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+    fe 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01  ................
+  backtrace:
+    [<0000000008b40026>] netlbl_mgmt_add_common.isra.0+0xb2a/0x1b40
+    [<000000003be10950>] netlbl_mgmt_add+0x271/0x3c0
+    [<00000000c70487ed>] genl_family_rcv_msg_doit.isra.0+0x20e/0x320
+    [<000000001f2ff614>] genl_rcv_msg+0x2bf/0x4f0
+    [<0000000089045792>] netlink_rcv_skb+0x134/0x3d0
+    [<0000000020e96fdd>] genl_rcv+0x24/0x40
+    [<0000000042810c66>] netlink_unicast+0x4a0/0x6a0
+    [<000000002e1659f0>] netlink_sendmsg+0x789/0xc70
+    [<000000006e43415f>] sock_sendmsg+0x139/0x170
+    [<00000000680a73d7>] ____sys_sendmsg+0x658/0x7d0
+    [<0000000065cbb8af>] ___sys_sendmsg+0xf8/0x170
+    [<0000000019932b6c>] __sys_sendmsg+0xd3/0x190
+    [<00000000643ac172>] do_syscall_64+0x37/0x90
+    [<000000009b79d6dc>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Fixes: 63c416887437 ("netlabel: Add network address selectors to the NetLabel/LSM domain mapping")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Liu Shixin <liushixin2@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netlabel/netlabel_mgmt.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/net/netlabel/netlabel_mgmt.c b/net/netlabel/netlabel_mgmt.c
+index e7a25fbfaf8b..a92ed37d0922 100644
+--- a/net/netlabel/netlabel_mgmt.c
++++ b/net/netlabel/netlabel_mgmt.c
+@@ -76,6 +76,7 @@ static const struct nla_policy netlbl_mgmt_genl_policy[NLBL_MGMT_A_MAX + 1] = {
+ static int netlbl_mgmt_add_common(struct genl_info *info,
+                                 struct netlbl_audit *audit_info)
+ {
++      void *pmap = NULL;
+       int ret_val = -EINVAL;
+       struct netlbl_domaddr_map *addrmap = NULL;
+       struct cipso_v4_doi *cipsov4 = NULL;
+@@ -175,6 +176,7 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
+                       ret_val = -ENOMEM;
+                       goto add_free_addrmap;
+               }
++              pmap = map;
+               map->list.addr = addr->s_addr & mask->s_addr;
+               map->list.mask = mask->s_addr;
+               map->list.valid = 1;
+@@ -183,10 +185,8 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
+                       map->def.cipso = cipsov4;
+               ret_val = netlbl_af4list_add(&map->list, &addrmap->list4);
+-              if (ret_val != 0) {
+-                      kfree(map);
+-                      goto add_free_addrmap;
+-              }
++              if (ret_val != 0)
++                      goto add_free_map;
+               entry->family = AF_INET;
+               entry->def.type = NETLBL_NLTYPE_ADDRSELECT;
+@@ -223,6 +223,7 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
+                       ret_val = -ENOMEM;
+                       goto add_free_addrmap;
+               }
++              pmap = map;
+               map->list.addr = *addr;
+               map->list.addr.s6_addr32[0] &= mask->s6_addr32[0];
+               map->list.addr.s6_addr32[1] &= mask->s6_addr32[1];
+@@ -235,10 +236,8 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
+                       map->def.calipso = calipso;
+               ret_val = netlbl_af6list_add(&map->list, &addrmap->list6);
+-              if (ret_val != 0) {
+-                      kfree(map);
+-                      goto add_free_addrmap;
+-              }
++              if (ret_val != 0)
++                      goto add_free_map;
+               entry->family = AF_INET6;
+               entry->def.type = NETLBL_NLTYPE_ADDRSELECT;
+@@ -248,10 +247,12 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
+       ret_val = netlbl_domhsh_add(entry, audit_info);
+       if (ret_val != 0)
+-              goto add_free_addrmap;
++              goto add_free_map;
+       return 0;
++add_free_map:
++      kfree(pmap);
+ add_free_addrmap:
+       kfree(addrmap);
+ add_doi_put_def:
+-- 
+2.30.2
+
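Review bot: On the netlbl_domhsh_add() failure path the new `add_free_map` label frees a map that has already been linked into `addrmap->list4` or `addrmap->list6`, and nothing in the code says why that is safe. It is safe only because control falls straight through to `add_free_addrmap`, which frees the list owner, and provided netlbl_domhsh_add() keeps no reference to the entry on failure, which is outside these hunks. I would add a comment at the label, `/* pmap may still be linked in addrmap; addrmap is freed next, so no unlink is needed */`. The `void *pmap` declaration also needs one, `/* address-selector map of either family; NULL until allocated */`. The function starts and ends outside the hunks.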
diff --git a/queue-5.4/nvmet-fc-do-not-check-for-invalid-target-port-in-nvm.patch b/queue-5.4/nvmet-fc-do-not-check-for-invalid-target-port-in-nvm.patch
new file mode 100644 (file)
index 0000000..49361a9
--- /dev/null
@@ -0,0 +1,55 @@
+From da630c30e39d39136de2622821003ba6c5c44e44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 May 2021 14:54:14 +0200
+Subject: nvmet-fc: do not check for invalid target port in
+ nvmet_fc_handle_fcp_rqst()
+
+From: Hannes Reinecke <hare@suse.de>
+
+[ Upstream commit 2a4a910aa4f0acc428dc8d10227c42e14ed21d10 ]
+
+When parsing a request in nvmet_fc_handle_fcp_rqst() we should not
+check for invalid target ports; if we do the command is aborted
+from the fcp layer, causing the host to assume a transport error.
+Rather we should still forward this request to the nvmet layer, which
+will then correctly fail the command with an appropriate error status.
+
+Signed-off-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/fc.c | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/nvme/target/fc.c b/drivers/nvme/target/fc.c
+index fc35f7ae67b0..9b07e8c7689a 100644
+--- a/drivers/nvme/target/fc.c
++++ b/drivers/nvme/target/fc.c
+@@ -2151,13 +2151,6 @@ nvmet_fc_handle_fcp_rqst(struct nvmet_fc_tgtport *tgtport,
+       u32 xfrlen = be32_to_cpu(cmdiu->data_len);
+       int ret;
+-      /*
+-       * if there is no nvmet mapping to the targetport there
+-       * shouldn't be requests. just terminate them.
+-       */
+-      if (!tgtport->pe)
+-              goto transport_error;
+-
+       /*
+        * Fused commands are currently not supported in the linux
+        * implementation.
+@@ -2185,7 +2178,8 @@ nvmet_fc_handle_fcp_rqst(struct nvmet_fc_tgtport *tgtport,
+       fod->req.cmd = &fod->cmdiubuf.sqe;
+       fod->req.cqe = &fod->rspiubuf.cqe;
+-      fod->req.port = tgtport->pe->port;
++      if (tgtport->pe)
++              fod->req.port = tgtport->pe->port;
+       /* clear any response payload */
+       memset(&fod->rspiubuf, 0, sizeof(fod->rspiubuf));
+-- 
+2.30.2
+
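Review bot: When `tgtport->pe` is NULL the new code leaves `fod->req.port` untouched, so it keeps whatever value the fod held before. Unless the request is cleared before reuse (not visible here), the nvmet layer could then see a stale port pointer from an earlier command. Assigning explicitly avoids that: `fod->req.port = tgtport->pe ? tgtport->pe->port : NULL;`. `tgtport->pe` is also read twice with no locking visible in the hunk, so if it can be cleared concurrently it should be loaded once into a local first. nvmet_fc_handle_fcp_rqst() starts and ends outside the hunks.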
diff --git a/queue-5.4/ocfs2-fix-snprintf-checking.patch b/queue-5.4/ocfs2-fix-snprintf-checking.patch
new file mode 100644 (file)
index 0000000..95912e5
--- /dev/null
@@ -0,0 +1,85 @@
+From a2f82292bb4b439e45b5d84f9f132182c6914384 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jun 2021 19:34:01 -0700
+Subject: ocfs2: fix snprintf() checking
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 54e948c60cc843b6e84dc44496edc91f51d2a28e ]
+
+The snprintf() function returns the number of bytes which would have been
+printed if the buffer was large enough.  In other words it can return ">=
+remain" but this code assumes it returns "== remain".
+
+The run time impact of this bug is not very severe.  The next iteration
+through the loop would trigger a WARN() when we pass a negative limit to
+snprintf().  We would then return success instead of -E2BIG.
+
+The kernel implementation of snprintf() will never return negatives so
+there is no need to check and I have deleted that dead code.
+
+Link: https://lkml.kernel.org/r/20210511135350.GV1955@kadam
+Fixes: a860f6eb4c6a ("ocfs2: sysfile interfaces for online file check")
+Fixes: 74ae4e104dfc ("ocfs2: Create stack glue sysfs files.")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/filecheck.c | 6 +-----
+ fs/ocfs2/stackglue.c | 8 ++------
+ 2 files changed, 3 insertions(+), 11 deletions(-)
+
+diff --git a/fs/ocfs2/filecheck.c b/fs/ocfs2/filecheck.c
+index 50f11bfdc8c2..82a3edc4aea4 100644
+--- a/fs/ocfs2/filecheck.c
++++ b/fs/ocfs2/filecheck.c
+@@ -328,11 +328,7 @@ static ssize_t ocfs2_filecheck_attr_show(struct kobject *kobj,
+               ret = snprintf(buf + total, remain, "%lu\t\t%u\t%s\n",
+                              p->fe_ino, p->fe_done,
+                              ocfs2_filecheck_error(p->fe_status));
+-              if (ret < 0) {
+-                      total = ret;
+-                      break;
+-              }
+-              if (ret == remain) {
++              if (ret >= remain) {
+                       /* snprintf() didn't fit */
+                       total = -E2BIG;
+                       break;
+diff --git a/fs/ocfs2/stackglue.c b/fs/ocfs2/stackglue.c
+index 8aa6a667860c..188038760136 100644
+--- a/fs/ocfs2/stackglue.c
++++ b/fs/ocfs2/stackglue.c
+@@ -502,11 +502,7 @@ static ssize_t ocfs2_loaded_cluster_plugins_show(struct kobject *kobj,
+       list_for_each_entry(p, &ocfs2_stack_list, sp_list) {
+               ret = snprintf(buf, remain, "%s\n",
+                              p->sp_name);
+-              if (ret < 0) {
+-                      total = ret;
+-                      break;
+-              }
+-              if (ret == remain) {
++              if (ret >= remain) {
+                       /* snprintf() didn't fit */
+                       total = -E2BIG;
+                       break;
+@@ -533,7 +529,7 @@ static ssize_t ocfs2_active_cluster_plugin_show(struct kobject *kobj,
+       if (active_stack) {
+               ret = snprintf(buf, PAGE_SIZE, "%s\n",
+                              active_stack->sp_name);
+-              if (ret == PAGE_SIZE)
++              if (ret >= PAGE_SIZE)
+                       ret = -E2BIG;
+       }
+       spin_unlock(&ocfs2_stack_lock);
+-- 
+2.30.2
+
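Review bot: In ocfs2_loaded_cluster_plugins_show() the loop passes the start of the buffer to `snprintf(buf, remain, ...)` on every iteration, whereas ocfs2_filecheck_attr_show() in the same patch writes at `buf + total`. If `total` and `remain` are advanced per entry after the check (those lines are outside the hunk), each plugin name overwrites the previous one while the reported length keeps growing. The corrected `>=` comparison does not address this. The call should read `ret = snprintf(buf + total, remain, "%s\n",`.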
diff --git a/queue-5.4/of-fix-truncation-of-memory-sizes-on-32-bit-platform.patch b/queue-5.4/of-fix-truncation-of-memory-sizes-on-32-bit-platform.patch
new file mode 100644 (file)
index 0000000..0a269ea
--- /dev/null
@@ -0,0 +1,87 @@
+From e14084901401e18565cf4ec4e5b0e86a61129686 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 11:27:44 +0200
+Subject: of: Fix truncation of memory sizes on 32-bit platforms
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 2892d8a00d23d511a0591ac4b2ff3f050ae1f004 ]
+
+Variable "size" has type "phys_addr_t", which can be either 32-bit or
+64-bit on 32-bit systems, while "unsigned long" is always 32-bit on
+32-bit systems.  Hence the cast in
+
+    (unsigned long)size / SZ_1M
+
+may truncate a 64-bit size to 32-bit, as casts have a higher operator
+precedence than divisions.
+
+Fix this by inverting the order of the cast and division, which should
+be safe for memory blocks smaller than 4 PiB.  Note that the division is
+actually a shift, as SZ_1M is a power-of-two constant, hence there is no
+need to use div_u64().
+
+While at it, use "%lu" to format "unsigned long".
+
+Fixes: e8d9d1f5485b52ec ("drivers: of: add initialization code for static reserved memory")
+Fixes: 3f0c8206644836e4 ("drivers: of: add initialization code for dynamic reserved memory")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Link: https://lore.kernel.org/r/4a1117e72d13d26126f57be034c20dac02f1e915.1623835273.git.geert+renesas@glider.be
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/fdt.c             | 8 ++++----
+ drivers/of/of_reserved_mem.c | 8 ++++----
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
+index 223d617ecfe1..943d2a60bfdf 100644
+--- a/drivers/of/fdt.c
++++ b/drivers/of/fdt.c
+@@ -501,11 +501,11 @@ static int __init __reserved_mem_reserve_reg(unsigned long node,
+               if (size &&
+                   early_init_dt_reserve_memory_arch(base, size, nomap) == 0)
+-                      pr_debug("Reserved memory: reserved region for node '%s': base %pa, size %ld MiB\n",
+-                              uname, &base, (unsigned long)size / SZ_1M);
++                      pr_debug("Reserved memory: reserved region for node '%s': base %pa, size %lu MiB\n",
++                              uname, &base, (unsigned long)(size / SZ_1M));
+               else
+-                      pr_info("Reserved memory: failed to reserve memory for node '%s': base %pa, size %ld MiB\n",
+-                              uname, &base, (unsigned long)size / SZ_1M);
++                      pr_info("Reserved memory: failed to reserve memory for node '%s': base %pa, size %lu MiB\n",
++                              uname, &base, (unsigned long)(size / SZ_1M));
+               len -= t_len;
+               if (first) {
+diff --git a/drivers/of/of_reserved_mem.c b/drivers/of/of_reserved_mem.c
+index 3fb5d8caffd5..6ed3ffd0a629 100644
+--- a/drivers/of/of_reserved_mem.c
++++ b/drivers/of/of_reserved_mem.c
+@@ -134,9 +134,9 @@ static int __init __reserved_mem_alloc_size(unsigned long node,
+                       ret = early_init_dt_alloc_reserved_memory_arch(size,
+                                       align, start, end, nomap, &base);
+                       if (ret == 0) {
+-                              pr_debug("allocated memory for '%s' node: base %pa, size %ld MiB\n",
++                              pr_debug("allocated memory for '%s' node: base %pa, size %lu MiB\n",
+                                       uname, &base,
+-                                      (unsigned long)size / SZ_1M);
++                                      (unsigned long)(size / SZ_1M));
+                               break;
+                       }
+                       len -= t_len;
+@@ -146,8 +146,8 @@ static int __init __reserved_mem_alloc_size(unsigned long node,
+               ret = early_init_dt_alloc_reserved_memory_arch(size, align,
+                                                       0, 0, nomap, &base);
+               if (ret == 0)
+-                      pr_debug("allocated memory for '%s' node: base %pa, size %ld MiB\n",
+-                              uname, &base, (unsigned long)size / SZ_1M);
++                      pr_debug("allocated memory for '%s' node: base %pa, size %lu MiB\n",
++                              uname, &base, (unsigned long)(size / SZ_1M));
+       }
+       if (base == 0) {
+-- 
+2.30.2
+
diff --git a/queue-5.4/pata_ep93xx-fix-deferred-probing.patch b/queue-5.4/pata_ep93xx-fix-deferred-probing.patch
new file mode 100644 (file)
index 0000000..3905a1d
--- /dev/null
@@ -0,0 +1,39 @@
+From f5de174303a986b8472f546d275f32fc2bd6f0d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Mar 2021 23:32:38 +0300
+Subject: pata_ep93xx: fix deferred probing
+
+From: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+
+[ Upstream commit 5c8121262484d99bffb598f39a0df445cecd8efb ]
+
+The driver overrides the error codes returned by platform_get_irq() to
+-ENXIO, so if it returns -EPROBE_DEFER, the driver would fail the probe
+permanently instead of the deferred probing.  Propagate the error code
+upstream, as it should have been done from the start...
+
+Fixes: 2fff27512600 ("PATA host controller driver for ep93xx")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+Link: https://lore.kernel.org/r/509fda88-2e0d-2cc7-f411-695d7e94b136@omprussia.ru
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/pata_ep93xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ata/pata_ep93xx.c b/drivers/ata/pata_ep93xx.c
+index badab6708893..46208ececbb6 100644
+--- a/drivers/ata/pata_ep93xx.c
++++ b/drivers/ata/pata_ep93xx.c
+@@ -928,7 +928,7 @@ static int ep93xx_pata_probe(struct platform_device *pdev)
+       /* INT[3] (IRQ_EP93XX_EXT3) line connected as pull down */
+       irq = platform_get_irq(pdev, 0);
+       if (irq < 0) {
+-              err = -ENXIO;
++              err = irq;
+               goto err_rel_gpio;
+       }
+-- 
+2.30.2
+
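Review bot: The condition in ep93xx_pata_probe() stays `irq < 0`, so a return of 0 from platform_get_irq() is still accepted as a usable interrupt. The pata_rb532_cf patch in this same queue rejects IRQ 0 explicitly because libata treats it as "no IRQ" (polling). If the same holds for this driver, add `if (!irq) { err = -EINVAL; goto err_rel_gpio; }` after the existing check. The probe function continues outside the hunk.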
diff --git a/queue-5.4/pata_octeon_cf-avoid-warn_on-in-ata_host_activate.patch b/queue-5.4/pata_octeon_cf-avoid-warn_on-in-ata_host_activate.patch
new file mode 100644 (file)
index 0000000..afbb088
--- /dev/null
@@ -0,0 +1,45 @@
+From a8a763a116871950b82377a0dd26cfdc5b65a9d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 May 2021 23:38:54 +0300
+Subject: pata_octeon_cf: avoid WARN_ON() in ata_host_activate()
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit bfc1f378c8953e68ccdbfe0a8c20748427488b80 ]
+
+Iff platform_get_irq() fails (or returns IRQ0) and thus the polling mode
+has to be used, ata_host_activate() hits the WARN_ON() due to 'irq_handler'
+parameter being non-NULL if the polling mode is selected.  Let's only set
+the pointer to the driver's IRQ handler if platform_get_irq() returns a
+valid IRQ # -- this should avoid the unnecessary WARN_ON()...
+
+Fixes: 43f01da0f279 ("MIPS/OCTEON/ata: Convert pata_octeon_cf.c to use device tree.")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/3a241167-f84d-1d25-5b9b-be910afbe666@omp.ru
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/pata_octeon_cf.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ata/pata_octeon_cf.c b/drivers/ata/pata_octeon_cf.c
+index d3d851b014a3..ac3b1fda820f 100644
+--- a/drivers/ata/pata_octeon_cf.c
++++ b/drivers/ata/pata_octeon_cf.c
+@@ -898,10 +898,11 @@ static int octeon_cf_probe(struct platform_device *pdev)
+                                       return -EINVAL;
+                               }
+-                              irq_handler = octeon_cf_interrupt;
+                               i = platform_get_irq(dma_dev, 0);
+-                              if (i > 0)
++                              if (i > 0) {
+                                       irq = i;
++                                      irq_handler = octeon_cf_interrupt;
++                              }
+                       }
+                       of_node_put(dma_node);
+               }
+-- 
+2.30.2
+
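Review bot: Any non-positive return from platform_get_irq() in octeon_cf_probe() still falls through to polling mode without a trace, and that includes -EPROBE_DEFER, which the sibling pata_ep93xx and pata_rb532_cf patches now propagate. The commit message states that polling is the intended fallback, so at minimum the behaviour should be recorded at the `if (i > 0)` test, e.g. `/* on any failure (including -EPROBE_DEFER) keep irq_handler NULL and poll */`. If deferral can occur for this device, the error would need to be returned after releasing `dma_node`. The surrounding function is outside the hunk.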
diff --git a/queue-5.4/pata_rb532_cf-fix-deferred-probing.patch b/queue-5.4/pata_rb532_cf-fix-deferred-probing.patch
new file mode 100644 (file)
index 0000000..239fc3e
--- /dev/null
@@ -0,0 +1,46 @@
+From 255da4a01884329420378dc9c1f35f0d97d864a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Mar 2021 14:46:53 +0300
+Subject: pata_rb532_cf: fix deferred probing
+
+From: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+
+[ Upstream commit 2d3a62fbae8e5badc2342388f65ab2191c209cc0 ]
+
+The driver overrides the error codes returned by platform_get_irq() to
+-ENOENT, so if it returns -EPROBE_DEFER, the driver would fail the probe
+permanently instead of the deferred probing. Switch to propagating the
+error code upstream, still checking/overriding IRQ0 as libata regards it
+as "no IRQ" (thus polling) anyway...
+
+Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+Link: https://lore.kernel.org/r/771ced55-3efb-21f5-f21c-b99920aae611@omprussia.ru
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/pata_rb532_cf.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ata/pata_rb532_cf.c b/drivers/ata/pata_rb532_cf.c
+index deae466395de..1e6d61dc966a 100644
+--- a/drivers/ata/pata_rb532_cf.c
++++ b/drivers/ata/pata_rb532_cf.c
+@@ -115,10 +115,12 @@ static int rb532_pata_driver_probe(struct platform_device *pdev)
+       }
+       irq = platform_get_irq(pdev, 0);
+-      if (irq <= 0) {
++      if (irq < 0) {
+               dev_err(&pdev->dev, "no IRQ resource found\n");
+-              return -ENOENT;
++              return irq;
+       }
++      if (!irq)
++              return -EINVAL;
+       gpiod = devm_gpiod_get(&pdev->dev, NULL, GPIOD_IN);
+       if (IS_ERR(gpiod)) {
+-- 
+2.30.2
+
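Review bot: The added `if (!irq) return -EINVAL;` in rb532_pata_driver_probe() fails the probe silently, while the negative case just above it logs "no IRQ resource found". A failed probe with no message is hard to diagnose, and the reason for treating 0 separately appears only in the commit message. I would write it as `if (!irq) { dev_err(&pdev->dev, "IRQ 0 is not usable\n"); return -EINVAL; }`. Above it I would add the comment `/* libata treats IRQ 0 as "no IRQ" (polling), so reject it */`.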
diff --git a/queue-5.4/pci-hv-add-check-for-hyperv_initialized-in-init_hv_p.patch b/queue-5.4/pci-hv-add-check-for-hyperv_initialized-in-init_hv_p.patch
new file mode 100644 (file)
index 0000000..f74688a
--- /dev/null
@@ -0,0 +1,41 @@
+From a2d103bcab4603e15169c74e6d4c33fa61ff50d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 May 2021 16:17:33 -0700
+Subject: PCI: hv: Add check for hyperv_initialized in init_hv_pci_drv()
+
+From: Haiyang Zhang <haiyangz@microsoft.com>
+
+[ Upstream commit 7d815f4afa87f2032b650ae1bba7534b550a6b8b ]
+
+Add check for hv_is_hyperv_initialized() at the top of
+init_hv_pci_drv(), so if the pci-hyperv driver is force-loaded on non
+Hyper-V platforms, the init_hv_pci_drv() will exit immediately, without
+any side effects, like assignments to hvpci_block_ops, etc.
+
+Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
+Reported-and-tested-by: Mohammad Alqayeem <mohammad.alqyeem@nutanix.com>
+Reviewed-by: Wei Liu <wei.liu@kernel.org>
+Link: https://lore.kernel.org/r/1621984653-1210-1-git-send-email-haiyangz@microsoft.com
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pci-hyperv.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c
+index f1f300218fab..8c45d6c32c30 100644
+--- a/drivers/pci/controller/pci-hyperv.c
++++ b/drivers/pci/controller/pci-hyperv.c
+@@ -3121,6 +3121,9 @@ static void __exit exit_hv_pci_drv(void)
+ static int __init init_hv_pci_drv(void)
+ {
++      if (!hv_is_hyperv_initialized())
++              return -ENODEV;
++
+       /* Set the invalid domain number's bit, so it will not be used */
+       set_bit(HVPCI_DOM_INVALID, hvpci_dom_map);
+-- 
+2.30.2
+
diff --git a/queue-5.4/perf-llvm-return-enomem-when-asprintf-fails.patch b/queue-5.4/perf-llvm-return-enomem-when-asprintf-fails.patch
new file mode 100644 (file)
index 0000000..897540c
--- /dev/null
@@ -0,0 +1,57 @@
+From 451702ae30b8b72a97783d54fb96bd8db409a664 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Jul 2021 14:20:58 -0300
+Subject: perf llvm: Return -ENOMEM when asprintf() fails
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit c435c166dcf526ac827bc964d82cc0d5e7a1fd0b ]
+
+Zhihao sent a patch but it made llvm__compile_bpf() return what
+asprintf() returns on error, which is just -1, but since this function
+returns -errno, fix it by returning -ENOMEM for this case instead.
+
+Fixes: cb76371441d098 ("perf llvm: Allow passing options to llc ...")
+Fixes: 5eab5a7ee032ac ("perf llvm: Display eBPF compiling command ...")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Reported-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Andrii Nakryiko <andrii@kernel.org>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Nathan Chancellor <nathan@kernel.org>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Yu Kuai <yukuai3@huawei.com>
+Cc: clang-built-linux@googlegroups.com
+Link: http://lore.kernel.org/lkml/20210609115945.2193194-1-chengzhihao1@huawei.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/llvm-utils.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/perf/util/llvm-utils.c b/tools/perf/util/llvm-utils.c
+index 8b14e4a7f1dc..e7c7e3232fc5 100644
+--- a/tools/perf/util/llvm-utils.c
++++ b/tools/perf/util/llvm-utils.c
+@@ -502,6 +502,7 @@ int llvm__compile_bpf(const char *path, void **p_obj_buf,
+                       goto errout;
+               }
++              err = -ENOMEM;
+               if (asprintf(&pipe_template, "%s -emit-llvm | %s -march=bpf %s -filetype=obj -o -",
+                             template, llc_path, opts) < 0) {
+                       pr_err("ERROR:\tnot enough memory to setup command line\n");
+@@ -522,6 +523,7 @@ int llvm__compile_bpf(const char *path, void **p_obj_buf,
+       pr_debug("llvm compiling command template: %s\n", template);
++      err = -ENOMEM;
+       if (asprintf(&command_echo, "echo -n \"%s\"", template) < 0)
+               goto errout;
+-- 
+2.30.2
+
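Review bot: Setting `err = -ENOMEM;` ahead of each asprintf() call in llvm__compile_bpf() leaves that value in `err` for every later `goto errout` until something overwrites it. A failure path added in between, or an existing one that does not set `err` (not visible in these hunks), would then report an allocation failure that never happened. Assigning inside the failing branch keeps the code next to its cause, e.g. for the second call: `if (asprintf(&command_echo, "echo -n \"%s\"", template) < 0) { err = -ENOMEM; goto errout; }`. The first call can take the same assignment inside its existing braces before the `pr_err()`.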
diff --git a/queue-5.4/phy-ti-dm816x-fix-the-error-handling-path-in-dm816x_.patch b/queue-5.4/phy-ti-dm816x-fix-the-error-handling-path-in-dm816x_.patch
new file mode 100644 (file)
index 0000000..ff27750
--- /dev/null
@@ -0,0 +1,62 @@
+From c1176d25e284944ded307257924e6eb63a48f30c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Jun 2021 15:17:43 +0200
+Subject: phy: ti: dm816x: Fix the error handling path in
+ 'dm816x_usb_phy_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit f7eedcb8539ddcbb6fe7791f1b4ccf43f905c72f ]
+
+Add an error handling path in the probe to release some resources, as
+already done in the remove function.
+
+Fixes: 609adde838f4 ("phy: Add a driver for dm816x USB PHY")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/ac5136881f6bdec50be19b3bf73b3bc1b15ef1f1.1622898974.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/ti/phy-dm816x-usb.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/phy/ti/phy-dm816x-usb.c b/drivers/phy/ti/phy-dm816x-usb.c
+index cbcce7cf0028..2ed5fe20d779 100644
+--- a/drivers/phy/ti/phy-dm816x-usb.c
++++ b/drivers/phy/ti/phy-dm816x-usb.c
+@@ -246,19 +246,28 @@ static int dm816x_usb_phy_probe(struct platform_device *pdev)
+       pm_runtime_enable(phy->dev);
+       generic_phy = devm_phy_create(phy->dev, NULL, &ops);
+-      if (IS_ERR(generic_phy))
+-              return PTR_ERR(generic_phy);
++      if (IS_ERR(generic_phy)) {
++              error = PTR_ERR(generic_phy);
++              goto clk_unprepare;
++      }
+       phy_set_drvdata(generic_phy, phy);
+       phy_provider = devm_of_phy_provider_register(phy->dev,
+                                                    of_phy_simple_xlate);
+-      if (IS_ERR(phy_provider))
+-              return PTR_ERR(phy_provider);
++      if (IS_ERR(phy_provider)) {
++              error = PTR_ERR(phy_provider);
++              goto clk_unprepare;
++      }
+       usb_add_phy_dev(&phy->phy);
+       return 0;
++
++clk_unprepare:
++      pm_runtime_disable(phy->dev);
++      clk_unprepare(phy->refclk);
++      return error;
+ }
+ static int dm816x_usb_phy_remove(struct platform_device *pdev)
+-- 
+2.30.2
+
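Review bot: The return value of `usb_add_phy_dev(&phy->phy)` is still ignored just before `return 0;` in dm816x_usb_phy_probe(), so a failed registration reports a successful probe and skips the new unwind path. With the `clk_unprepare` label now in place the check is cheap: `error = usb_add_phy_dev(&phy->phy);` followed by `if (error) goto clk_unprepare;`. The label also shares its name with the function it calls, which is legal but reads oddly; `err_clk_unprepare` would be clearer. The start of the probe function is outside the hunk.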
diff --git a/queue-5.4/phy-uniphier-pcie-fix-updating-phy-parameters.patch b/queue-5.4/phy-uniphier-pcie-fix-updating-phy-parameters.patch
new file mode 100644 (file)
index 0000000..79eba4c
--- /dev/null
@@ -0,0 +1,63 @@
+From b4d2142176699d39b6e4a850df9289028a7bd60a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jun 2021 12:50:42 +0900
+Subject: phy: uniphier-pcie: Fix updating phy parameters
+
+From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+
+[ Upstream commit 4a90bbb478dbf18ecdec9dcf8eb708e319d24264 ]
+
+The current driver uses a value from register TEST_O as the original
+value for register TEST_I, though, the value is overwritten by "param",
+so there is a bug that the original value isn't no longer used.
+
+The value of TEST_O[7:0] should be masked with "mask", replaced with
+"param", and placed in the bitfield TESTI_DAT_MASK as new TEST_I value.
+
+Fixes: c6d9b1324159 ("phy: socionext: add PCIe PHY driver support")
+Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+Link: https://lore.kernel.org/r/1623037842-19363-1-git-send-email-hayashi.kunihiko@socionext.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/socionext/phy-uniphier-pcie.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/phy/socionext/phy-uniphier-pcie.c b/drivers/phy/socionext/phy-uniphier-pcie.c
+index 93ffbd2940fa..0bad0e01279a 100644
+--- a/drivers/phy/socionext/phy-uniphier-pcie.c
++++ b/drivers/phy/socionext/phy-uniphier-pcie.c
+@@ -20,11 +20,13 @@
+ /* PHY */
+ #define PCL_PHY_TEST_I                0x2000
+-#define PCL_PHY_TEST_O                0x2004
+ #define TESTI_DAT_MASK                GENMASK(13, 6)
+ #define TESTI_ADR_MASK                GENMASK(5, 1)
+ #define TESTI_WR_EN           BIT(0)
++#define PCL_PHY_TEST_O                0x2004
++#define TESTO_DAT_MASK                GENMASK(7, 0)
++
+ #define PCL_PHY_RESET         0x200c
+ #define PCL_PHY_RESET_N_MNMODE        BIT(8)  /* =1:manual */
+ #define PCL_PHY_RESET_N               BIT(0)  /* =1:deasssert */
+@@ -72,11 +74,12 @@ static void uniphier_pciephy_set_param(struct uniphier_pciephy_priv *priv,
+       val  = FIELD_PREP(TESTI_DAT_MASK, 1);
+       val |= FIELD_PREP(TESTI_ADR_MASK, reg);
+       uniphier_pciephy_testio_write(priv, val);
+-      val = readl(priv->base + PCL_PHY_TEST_O);
++      val = readl(priv->base + PCL_PHY_TEST_O) & TESTO_DAT_MASK;
+       /* update value */
+-      val &= ~FIELD_PREP(TESTI_DAT_MASK, mask);
+-      val  = FIELD_PREP(TESTI_DAT_MASK, mask & param);
++      val &= ~mask;
++      val |= mask & param;
++      val = FIELD_PREP(TESTI_DAT_MASK, val);
+       val |= FIELD_PREP(TESTI_ADR_MASK, reg);
+       uniphier_pciephy_testio_write(priv, val);
+       uniphier_pciephy_testio_write(priv, val | TESTI_WR_EN);
+-- 
+2.30.2
+
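Review bot: In uniphier_pciephy_set_param(), nothing bounds `mask` and `param` to the 8-bit data field, so after `val |= mask & param;` any bit above bit 7 is silently dropped by `FIELD_PREP(TESTI_DAT_MASK, val)` instead of being reported. The parameter types and the callers are outside the hunk, so this may already hold by construction. If it does, a comment such as `/* mask and param must fit in TESTO_DAT_MASK (bits 7:0) */` above the update would record it. If it does not, writing `val |= mask & param & TESTO_DAT_MASK;` makes the truncation explicit.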
diff --git a/queue-5.4/pinctrl-renesas-r8a7796-add-missing-bias-for-preset-.patch b/queue-5.4/pinctrl-renesas-r8a7796-add-missing-bias-for-preset-.patch
new file mode 100644 (file)
index 0000000..813ebf5
--- /dev/null
@@ -0,0 +1,49 @@
+From 8bafe17c7f96781ba72e10e3a855864d6dfcb0b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Apr 2021 14:31:00 +0200
+Subject: pinctrl: renesas: r8a7796: Add missing bias for PRESET# pin
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 2cee31cd49733e89dfedf4f68a56839fc2e42040 ]
+
+R-Car Gen3 Hardware Manual Errata for Rev. 0.52 of Nov 30, 2016, added
+the configuration bit for bias pull-down control for the PRESET# pin on
+R-Car M3-W.  Add driver support for controlling pull-down on this pin.
+
+Fixes: 2d40bd24274d2577 ("pinctrl: sh-pfc: r8a7796: Add bias pinconf support")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Link: https://lore.kernel.org/r/c479de5b3f235c2f7d5faea9e7e08e6fccb135df.1619785375.git.geert+renesas@glider.be
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/sh-pfc/pfc-r8a7796.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/sh-pfc/pfc-r8a7796.c b/drivers/pinctrl/sh-pfc/pfc-r8a7796.c
+index 61db7c7a35ec..60d35a2c14ba 100644
+--- a/drivers/pinctrl/sh-pfc/pfc-r8a7796.c
++++ b/drivers/pinctrl/sh-pfc/pfc-r8a7796.c
+@@ -68,6 +68,7 @@
+       PIN_NOGP_CFG(QSPI1_MOSI_IO0, "QSPI1_MOSI_IO0", fn, CFG_FLAGS),  \
+       PIN_NOGP_CFG(QSPI1_SPCLK, "QSPI1_SPCLK", fn, CFG_FLAGS),        \
+       PIN_NOGP_CFG(QSPI1_SSL, "QSPI1_SSL", fn, CFG_FLAGS),            \
++      PIN_NOGP_CFG(PRESET_N, "PRESET#", fn, SH_PFC_PIN_CFG_PULL_DOWN),\
+       PIN_NOGP_CFG(RPC_INT_N, "RPC_INT#", fn, CFG_FLAGS),             \
+       PIN_NOGP_CFG(RPC_RESET_N, "RPC_RESET#", fn, CFG_FLAGS),         \
+       PIN_NOGP_CFG(RPC_WP_N, "RPC_WP#", fn, CFG_FLAGS),               \
+@@ -6109,7 +6110,7 @@ static const struct pinmux_bias_reg pinmux_bias_regs[] = {
+               [ 4] = RCAR_GP_PIN(6, 29),      /* USB30_OVC */
+               [ 5] = RCAR_GP_PIN(6, 30),      /* GP6_30 */
+               [ 6] = RCAR_GP_PIN(6, 31),      /* GP6_31 */
+-              [ 7] = SH_PFC_PIN_NONE,
++              [ 7] = PIN_PRESET_N,            /* PRESET# */
+               [ 8] = SH_PFC_PIN_NONE,
+               [ 9] = SH_PFC_PIN_NONE,
+               [10] = SH_PFC_PIN_NONE,
+-- 
+2.30.2
+
diff --git a/queue-5.4/pinctrl-renesas-r8a77990-jtag-pins-do-not-have-pull-.patch b/queue-5.4/pinctrl-renesas-r8a77990-jtag-pins-do-not-have-pull-.patch
new file mode 100644 (file)
index 0000000..96a5108
--- /dev/null
@@ -0,0 +1,47 @@
+From 62f659f90b9f0b4723210f18018f1b6bccebe9ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Apr 2021 14:31:01 +0200
+Subject: pinctrl: renesas: r8a77990: JTAG pins do not have pull-down
+ capabilities
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 702a5fa2fe4d7e7f28fed92a170b540acfff9d34 ]
+
+Hence remove the SH_PFC_PIN_CFG_PULL_DOWN flags from their pin
+descriptions.
+
+Fixes: 83f6941a42a5e773 ("pinctrl: sh-pfc: r8a77990: Add bias pinconf support")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Link: https://lore.kernel.org/r/da4b2d69955840a506412f1e8099607a0da97ecc.1619785375.git.geert+renesas@glider.be
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/sh-pfc/pfc-r8a77990.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/pinctrl/sh-pfc/pfc-r8a77990.c b/drivers/pinctrl/sh-pfc/pfc-r8a77990.c
+index 5200dadd6b3e..f4b51e5e7e02 100644
+--- a/drivers/pinctrl/sh-pfc/pfc-r8a77990.c
++++ b/drivers/pinctrl/sh-pfc/pfc-r8a77990.c
+@@ -54,10 +54,10 @@
+       PIN_NOGP_CFG(FSCLKST_N, "FSCLKST_N", fn, CFG_FLAGS),            \
+       PIN_NOGP_CFG(MLB_REF, "MLB_REF", fn, CFG_FLAGS),                \
+       PIN_NOGP_CFG(PRESETOUT_N, "PRESETOUT_N", fn, CFG_FLAGS),        \
+-      PIN_NOGP_CFG(TCK, "TCK", fn, CFG_FLAGS),                        \
+-      PIN_NOGP_CFG(TDI, "TDI", fn, CFG_FLAGS),                        \
+-      PIN_NOGP_CFG(TMS, "TMS", fn, CFG_FLAGS),                        \
+-      PIN_NOGP_CFG(TRST_N, "TRST_N", fn, CFG_FLAGS)
++      PIN_NOGP_CFG(TCK, "TCK", fn, SH_PFC_PIN_CFG_PULL_UP),           \
++      PIN_NOGP_CFG(TDI, "TDI", fn, SH_PFC_PIN_CFG_PULL_UP),           \
++      PIN_NOGP_CFG(TMS, "TMS", fn, SH_PFC_PIN_CFG_PULL_UP),           \
++      PIN_NOGP_CFG(TRST_N, "TRST_N", fn, SH_PFC_PIN_CFG_PULL_UP)
+ /*
+  * F_() : just information
+-- 
+2.30.2
+
diff --git a/queue-5.4/pkt_sched-sch_qfq-fix-qfq_change_class-error-path.patch b/queue-5.4/pkt_sched-sch_qfq-fix-qfq_change_class-error-path.patch
new file mode 100644 (file)
index 0000000..724b698
--- /dev/null
@@ -0,0 +1,203 @@
+From 4261ab4937d3054dc7b75bd9c2859c03fef79ea6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jun 2021 10:54:49 -0700
+Subject: pkt_sched: sch_qfq: fix qfq_change_class() error path
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 0cd58e5c53babb9237b741dbef711f0a9eb6d3fd ]
+
+If qfq_change_class() is unable to allocate memory for qfq_aggregate,
+it frees the class that has been inserted in the class hash table,
+but does not unhash it.
+
+Defer the insertion after the problematic allocation.
+
+BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:884 [inline]
+BUG: KASAN: use-after-free in qdisc_class_hash_insert+0x200/0x210 net/sched/sch_api.c:731
+Write of size 8 at addr ffff88814a534f10 by task syz-executor.4/31478
+
+CPU: 0 PID: 31478 Comm: syz-executor.4 Not tainted 5.13.0-rc6-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x141/0x1d7 lib/dump_stack.c:120
+ print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:233
+ __kasan_report mm/kasan/report.c:419 [inline]
+ kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:436
+ hlist_add_head include/linux/list.h:884 [inline]
+ qdisc_class_hash_insert+0x200/0x210 net/sched/sch_api.c:731
+ qfq_change_class+0x96c/0x1990 net/sched/sch_qfq.c:489
+ tc_ctl_tclass+0x514/0xe50 net/sched/sch_api.c:2113
+ rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5564
+ netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504
+ netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
+ netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1340
+ netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1929
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:674
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
+ do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+RIP: 0033:0x4665d9
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fdc7b5f0188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
+RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
+RBP: 00007fdc7b5f01d0 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
+R13: 00007ffcf7310b3f R14: 00007fdc7b5f0300 R15: 0000000000022000
+
+Allocated by task 31445:
+ kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
+ kasan_set_track mm/kasan/common.c:46 [inline]
+ set_alloc_info mm/kasan/common.c:428 [inline]
+ ____kasan_kmalloc mm/kasan/common.c:507 [inline]
+ ____kasan_kmalloc mm/kasan/common.c:466 [inline]
+ __kasan_kmalloc+0x9b/0xd0 mm/kasan/common.c:516
+ kmalloc include/linux/slab.h:556 [inline]
+ kzalloc include/linux/slab.h:686 [inline]
+ qfq_change_class+0x705/0x1990 net/sched/sch_qfq.c:464
+ tc_ctl_tclass+0x514/0xe50 net/sched/sch_api.c:2113
+ rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5564
+ netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504
+ netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
+ netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1340
+ netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1929
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:674
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
+ do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Freed by task 31445:
+ kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
+ kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
+ kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:357
+ ____kasan_slab_free mm/kasan/common.c:360 [inline]
+ ____kasan_slab_free mm/kasan/common.c:325 [inline]
+ __kasan_slab_free+0xfb/0x130 mm/kasan/common.c:368
+ kasan_slab_free include/linux/kasan.h:212 [inline]
+ slab_free_hook mm/slub.c:1583 [inline]
+ slab_free_freelist_hook+0xdf/0x240 mm/slub.c:1608
+ slab_free mm/slub.c:3168 [inline]
+ kfree+0xe5/0x7f0 mm/slub.c:4212
+ qfq_change_class+0x10fb/0x1990 net/sched/sch_qfq.c:518
+ tc_ctl_tclass+0x514/0xe50 net/sched/sch_api.c:2113
+ rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5564
+ netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504
+ netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
+ netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1340
+ netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1929
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:674
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
+ do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+The buggy address belongs to the object at ffff88814a534f00
+ which belongs to the cache kmalloc-128 of size 128
+The buggy address is located 16 bytes inside of
+ 128-byte region [ffff88814a534f00, ffff88814a534f80)
+The buggy address belongs to the page:
+page:ffffea0005294d00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14a534
+flags: 0x57ff00000000200(slab|node=1|zone=2|lastcpupid=0x7ff)
+raw: 057ff00000000200 ffffea00004fee00 0000000600000006 ffff8880110418c0
+raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+page_owner tracks the page as allocated
+page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 29797, ts 604817765317, free_ts 604810151744
+ prep_new_page mm/page_alloc.c:2358 [inline]
+ get_page_from_freelist+0x1033/0x2b60 mm/page_alloc.c:3994
+ __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5200
+ alloc_pages+0x18c/0x2a0 mm/mempolicy.c:2272
+ alloc_slab_page mm/slub.c:1646 [inline]
+ allocate_slab+0x2c5/0x4c0 mm/slub.c:1786
+ new_slab mm/slub.c:1849 [inline]
+ new_slab_objects mm/slub.c:2595 [inline]
+ ___slab_alloc+0x4a1/0x810 mm/slub.c:2758
+ __slab_alloc.constprop.0+0xa7/0xf0 mm/slub.c:2798
+ slab_alloc_node mm/slub.c:2880 [inline]
+ slab_alloc mm/slub.c:2922 [inline]
+ __kmalloc+0x315/0x330 mm/slub.c:4050
+ kmalloc include/linux/slab.h:561 [inline]
+ kzalloc include/linux/slab.h:686 [inline]
+ __register_sysctl_table+0x112/0x1090 fs/proc/proc_sysctl.c:1318
+ mpls_dev_sysctl_register+0x1b7/0x2d0 net/mpls/af_mpls.c:1421
+ mpls_add_dev net/mpls/af_mpls.c:1472 [inline]
+ mpls_dev_notify+0x214/0x8b0 net/mpls/af_mpls.c:1588
+ notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
+ call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2121
+ call_netdevice_notifiers_extack net/core/dev.c:2133 [inline]
+ call_netdevice_notifiers net/core/dev.c:2147 [inline]
+ register_netdevice+0x106b/0x1500 net/core/dev.c:10312
+ veth_newlink+0x585/0xac0 drivers/net/veth.c:1547
+ __rtnl_newlink+0x1062/0x1710 net/core/rtnetlink.c:3452
+ rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3500
+page last free stack trace:
+ reset_page_owner include/linux/page_owner.h:24 [inline]
+ free_pages_prepare mm/page_alloc.c:1298 [inline]
+ free_pcp_prepare+0x223/0x300 mm/page_alloc.c:1342
+ free_unref_page_prepare mm/page_alloc.c:3250 [inline]
+ free_unref_page+0x12/0x1d0 mm/page_alloc.c:3298
+ __vunmap+0x783/0xb60 mm/vmalloc.c:2566
+ free_work+0x58/0x70 mm/vmalloc.c:80
+ process_one_work+0x98d/0x1600 kernel/workqueue.c:2276
+ worker_thread+0x64c/0x1120 kernel/workqueue.c:2422
+ kthread+0x3b1/0x4a0 kernel/kthread.c:313
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
+
+Memory state around the buggy address:
+ ffff88814a534e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff88814a534e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+>ffff88814a534f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+                         ^
+ ffff88814a534f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff88814a535000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+Fixes: 462dbc9101acd ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_qfq.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
+index 0b05ac7c848e..b046fd3cac2c 100644
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -485,11 +485,6 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
+       if (cl->qdisc != &noop_qdisc)
+               qdisc_hash_add(cl->qdisc, true);
+-      sch_tree_lock(sch);
+-      qdisc_class_hash_insert(&q->clhash, &cl->common);
+-      sch_tree_unlock(sch);
+-
+-      qdisc_class_hash_grow(sch, &q->clhash);
+ set_change_agg:
+       sch_tree_lock(sch);
+@@ -507,8 +502,11 @@ set_change_agg:
+       }
+       if (existing)
+               qfq_deact_rm_from_agg(q, cl);
++      else
++              qdisc_class_hash_insert(&q->clhash, &cl->common);
+       qfq_add_to_agg(q, new_agg, cl);
+       sch_tree_unlock(sch);
++      qdisc_class_hash_grow(sch, &q->clhash);
+       *arg = (unsigned long)cl;
+       return 0;
+-- 
+2.30.2
+
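Review bot: The deferred `qdisc_class_hash_insert()` in the new `else` branch protects only newly created classes; when `existing` is true the class is already in the hash table, and the commit message says the allocation-failure path frees the class without unhashing it. That failure path is outside the hunk, so it should be confirmed that it cannot be reached for an existing class, otherwise the same stale hash entry would remain. A short comment at the `else` would also record the ordering constraint, e.g. `/* hash the new class only once new_agg is secured: the failure path frees cl without unhashing */`. qfq_change_class() starts and ends outside the hunks shown.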
diff --git a/queue-5.4/platform-x86-toshiba_acpi-fix-missing-error-code-in-.patch b/queue-5.4/platform-x86-toshiba_acpi-fix-missing-error-code-in-.patch
new file mode 100644 (file)
index 0000000..873b386
--- /dev/null
@@ -0,0 +1,42 @@
+From b7939a282cc039261dd86a5affac9783cae28891 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jun 2021 18:05:48 +0800
+Subject: platform/x86: toshiba_acpi: Fix missing error code in
+ toshiba_acpi_setup_keyboard()
+
+From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+
+[ Upstream commit 28e367127718a9cb85d615a71e152f7acee41bfc ]
+
+The error code is missing in this code scenario, add the error code
+'-EINVAL' to the return value 'error'.
+
+Eliminate the follow smatch warning:
+
+drivers/platform/x86/toshiba_acpi.c:2834 toshiba_acpi_setup_keyboard()
+warn: missing error code 'error'.
+
+Reported-by: Abaci Robot <abaci@linux.alibaba.com>
+Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+Link: https://lore.kernel.org/r/1622628348-87035-1-git-send-email-jiapeng.chong@linux.alibaba.com
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/toshiba_acpi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/platform/x86/toshiba_acpi.c b/drivers/platform/x86/toshiba_acpi.c
+index 71a969fc3b20..f202fc0dd1ff 100644
+--- a/drivers/platform/x86/toshiba_acpi.c
++++ b/drivers/platform/x86/toshiba_acpi.c
+@@ -2841,6 +2841,7 @@ static int toshiba_acpi_setup_keyboard(struct toshiba_acpi_dev *dev)
+       if (!dev->info_supported && !dev->system_event_supported) {
+               pr_warn("No hotkey query interface found\n");
++              error = -EINVAL;
+               goto err_remove_filter;
+       }
+-- 
+2.30.2
+
diff --git a/queue-5.4/powerpc-offline-cpu-in-stop_this_cpu.patch b/queue-5.4/powerpc-offline-cpu-in-stop_this_cpu.patch
new file mode 100644 (file)
index 0000000..cd7eb9d
--- /dev/null
@@ -0,0 +1,61 @@
+From 21472584b86cdbe83ff6cfd544cc454cc699e8a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jun 2021 14:12:45 +1000
+Subject: powerpc: Offline CPU in stop_this_cpu()
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+[ Upstream commit bab26238bbd44d5a4687c0a64fd2c7f2755ea937 ]
+
+printk_safe_flush_on_panic() has special lock breaking code for the case
+where we panic()ed with the console lock held. It relies on panic IPI
+causing other CPUs to mark themselves offline.
+
+Do as most other architectures do.
+
+This effectively reverts commit de6e5d38417e ("powerpc: smp_send_stop do
+not offline stopped CPUs"), unfortunately it may result in some false
+positive warnings, but the alternative is more situations where we can
+crash without getting messages out.
+
+Fixes: de6e5d38417e ("powerpc: smp_send_stop do not offline stopped CPUs")
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210623041245.865134-1-npiggin@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/smp.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/arch/powerpc/kernel/smp.c b/arch/powerpc/kernel/smp.c
+index b24d860bbab9..c06cac543f18 100644
+--- a/arch/powerpc/kernel/smp.c
++++ b/arch/powerpc/kernel/smp.c
+@@ -588,6 +588,8 @@ static void nmi_stop_this_cpu(struct pt_regs *regs)
+       /*
+        * IRQs are already hard disabled by the smp_handle_nmi_ipi.
+        */
++      set_cpu_online(smp_processor_id(), false);
++
+       spin_begin();
+       while (1)
+               spin_cpu_relax();
+@@ -603,6 +605,15 @@ void smp_send_stop(void)
+ static void stop_this_cpu(void *dummy)
+ {
+       hard_irq_disable();
++
++      /*
++       * Offlining CPUs in stop_this_cpu can result in scheduler warnings,
++       * (see commit de6e5d38417e), but printk_safe_flush_on_panic() wants
++       * to know other CPUs are offline before it breaks locks to flush
++       * printk buffers, in case we panic()ed while holding the lock.
++       */
++      set_cpu_online(smp_processor_id(), false);
++
+       spin_begin();
+       while (1)
+               spin_cpu_relax();
+-- 
+2.30.2
+
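Review bot: The `set_cpu_online(smp_processor_id(), false);` added to nmi_stop_this_cpu() has no explanation, while the same call in stop_this_cpu() gets a full comment. Someone reading only the NMI path will not see why the CPU is marked offline before spinning. A short pointer above the call would cover it, e.g. `/* Mark offline for printk_safe_flush_on_panic(), see stop_this_cpu(). */`. Both functions extend beyond the hunks shown.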
diff --git a/queue-5.4/random32-fix-implicit-truncation-warning-in-prandom_.patch b/queue-5.4/random32-fix-implicit-truncation-warning-in-prandom_.patch
new file mode 100644 (file)
index 0000000..587cc65
--- /dev/null
@@ -0,0 +1,48 @@
+From b1208419e75038f38bdbeca1e09441ce64f239c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 May 2021 13:20:12 +0100
+Subject: random32: Fix implicit truncation warning in prandom_seed_state()
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit d327ea15a305024ef0085252fa3657bbb1ce25f5 ]
+
+sparse generates the following warning:
+
+ include/linux/prandom.h:114:45: sparse: sparse: cast truncates bits from
+ constant value
+
+This is because the 64-bit seed value is manipulated and then placed in a
+u32, causing an implicit cast and truncation. A forced cast to u32 doesn't
+prevent this warning, which is reasonable because a typecast doesn't prove
+that truncation was expected.
+
+Logical-AND the value with 0xffffffff to make explicit that truncation to
+32-bit is intended.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Reviewed-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Link: https://lore.kernel.org/r/20210525122012.6336-3-rf@opensource.cirrus.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/prandom.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/prandom.h b/include/linux/prandom.h
+index cc1e71334e53..e20339c78a84 100644
+--- a/include/linux/prandom.h
++++ b/include/linux/prandom.h
+@@ -93,7 +93,7 @@ static inline u32 __seed(u32 x, u32 m)
+  */
+ static inline void prandom_seed_state(struct rnd_state *state, u64 seed)
+ {
+-      u32 i = (seed >> 32) ^ (seed << 10) ^ seed;
++      u32 i = ((seed >> 32) ^ (seed << 10) ^ seed) & 0xffffffffUL;
+       state->s1 = __seed(i,   2U);
+       state->s2 = __seed(i,   8U);
+-- 
+2.30.2
+
diff --git a/queue-5.4/rcu-invoke-rcu_spawn_core_kthreads-from-rcu_spawn_gp.patch b/queue-5.4/rcu-invoke-rcu_spawn_core_kthreads-from-rcu_spawn_gp.patch
new file mode 100644 (file)
index 0000000..d0417e4
--- /dev/null
@@ -0,0 +1,57 @@
+From 116b5f6fb888be1214faaaa81e957068cb4f8b98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Mar 2021 10:59:05 -0700
+Subject: rcu: Invoke rcu_spawn_core_kthreads() from rcu_spawn_gp_kthread()
+
+From: Paul E. McKenney <paulmck@kernel.org>
+
+[ Upstream commit 8e4b1d2bc198e34b48fc7cc3a3c5a2fcb269e271 ]
+
+Currently, rcu_spawn_core_kthreads() is invoked via an early_initcall(),
+which works, except that rcu_spawn_gp_kthread() is also invoked via an
+early_initcall() and rcu_spawn_core_kthreads() relies on adjustments to
+kthread_prio that are carried out by rcu_spawn_gp_kthread().  There is
+no guaranttee of ordering among early_initcall() handlers, and thus no
+guarantee that kthread_prio will be properly checked and range-limited
+at the time that rcu_spawn_core_kthreads() needs it.
+
+In most cases, this bug is harmless.  After all, the only reason that
+rcu_spawn_gp_kthread() adjusts the value of kthread_prio is if the user
+specified a nonsensical value for this boot parameter, which experience
+indicates is rare.
+
+Nevertheless, a bug is a bug.  This commit therefore causes the
+rcu_spawn_core_kthreads() function to be invoked directly from
+rcu_spawn_gp_kthread() after any needed adjustments to kthread_prio have
+been carried out.
+
+Fixes: 48d07c04b4cc ("rcu: Enable elimination of Tree-RCU softirq processing")
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/tree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
+index 4dfa9dd47223..fd37827eca5b 100644
+--- a/kernel/rcu/tree.c
++++ b/kernel/rcu/tree.c
+@@ -2498,7 +2498,6 @@ static int __init rcu_spawn_core_kthreads(void)
+                 "%s: Could not start rcuc kthread, OOM is now expected behavior\n", __func__);
+       return 0;
+ }
+-early_initcall(rcu_spawn_core_kthreads);
+ /*
+  * Handle any core-RCU processing required by a call_rcu() invocation.
+@@ -3315,6 +3314,7 @@ static int __init rcu_spawn_gp_kthread(void)
+       wake_up_process(t);
+       rcu_spawn_nocb_kthreads();
+       rcu_spawn_boost_kthreads();
++      rcu_spawn_core_kthreads();
+       return 0;
+ }
+ early_initcall(rcu_spawn_gp_kthread);
+-- 
+2.30.2
+
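Review bot: The new `rcu_spawn_core_kthreads();` call in rcu_spawn_gp_kthread() carries an ordering requirement that only the commit message records: it has to run after kthread_prio has been checked and range-limited earlier in this function. A comment at the call site would keep it from being moved back to its own initcall, e.g. `/* Needs the kthread_prio adjustment made above, so not a separate early_initcall(). */`. The function still returns `int` and the value is now discarded; the visible tail returns 0, so nothing is lost, but making it `void` would state that directly. Both function bodies start outside the hunks.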
diff --git a/queue-5.4/rdma-core-sanitize-wq-state-received-from-the-usersp.patch b/queue-5.4/rdma-core-sanitize-wq-state-received-from-the-usersp.patch
new file mode 100644 (file)
index 0000000..f4d000d
--- /dev/null
@@ -0,0 +1,104 @@
+From 5466e79c40c280b8a1242b5a367ba547b82936aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 May 2021 11:37:31 +0300
+Subject: RDMA/core: Sanitize WQ state received from the userspace
+
+From: Leon Romanovsky <leonro@nvidia.com>
+
+[ Upstream commit f97442887275d11c88c2899e720fe945c1f61488 ]
+
+The mlx4 and mlx5 implemented differently the WQ input checks.  Instead of
+duplicating mlx4 logic in the mlx5, let's prepare the input in the central
+place.
+
+The mlx5 implementation didn't check for validity of state input.  It is
+not real bug because our FW checked that, but still worth to fix.
+
+Fixes: f213c0527210 ("IB/uverbs: Add WQ support")
+Link: https://lore.kernel.org/r/ac41ad6a81b095b1a8ad453dcf62cf8d3c5da779.1621413310.git.leonro@nvidia.com
+Reported-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/uverbs_cmd.c | 21 +++++++++++++++++++--
+ drivers/infiniband/hw/mlx4/qp.c      |  9 ++-------
+ drivers/infiniband/hw/mlx5/qp.c      |  6 ++----
+ 3 files changed, 23 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
+index c398d1a64614..d413dafb9211 100644
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -3031,12 +3031,29 @@ static int ib_uverbs_ex_modify_wq(struct uverbs_attr_bundle *attrs)
+       if (!wq)
+               return -EINVAL;
+-      wq_attr.curr_wq_state = cmd.curr_wq_state;
+-      wq_attr.wq_state = cmd.wq_state;
+       if (cmd.attr_mask & IB_WQ_FLAGS) {
+               wq_attr.flags = cmd.flags;
+               wq_attr.flags_mask = cmd.flags_mask;
+       }
++
++      if (cmd.attr_mask & IB_WQ_CUR_STATE) {
++              if (cmd.curr_wq_state > IB_WQS_ERR)
++                      return -EINVAL;
++
++              wq_attr.curr_wq_state = cmd.curr_wq_state;
++      } else {
++              wq_attr.curr_wq_state = wq->state;
++      }
++
++      if (cmd.attr_mask & IB_WQ_STATE) {
++              if (cmd.wq_state > IB_WQS_ERR)
++                      return -EINVAL;
++
++              wq_attr.wq_state = cmd.wq_state;
++      } else {
++              wq_attr.wq_state = wq_attr.curr_wq_state;
++      }
++
+       ret = wq->device->ops.modify_wq(wq, &wq_attr, cmd.attr_mask,
+                                       &attrs->driver_udata);
+       uobj_put_obj_read(wq);
+diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c
+index 6e2b3e2f83f1..17ce928e41bd 100644
+--- a/drivers/infiniband/hw/mlx4/qp.c
++++ b/drivers/infiniband/hw/mlx4/qp.c
+@@ -4294,13 +4294,8 @@ int mlx4_ib_modify_wq(struct ib_wq *ibwq, struct ib_wq_attr *wq_attr,
+       if (wq_attr_mask & IB_WQ_FLAGS)
+               return -EOPNOTSUPP;
+-      cur_state = wq_attr_mask & IB_WQ_CUR_STATE ? wq_attr->curr_wq_state :
+-                                                   ibwq->state;
+-      new_state = wq_attr_mask & IB_WQ_STATE ? wq_attr->wq_state : cur_state;
+-
+-      if (cur_state  < IB_WQS_RESET || cur_state  > IB_WQS_ERR ||
+-          new_state < IB_WQS_RESET || new_state > IB_WQS_ERR)
+-              return -EINVAL;
++      cur_state = wq_attr->curr_wq_state;
++      new_state = wq_attr->wq_state;
+       if ((new_state == IB_WQS_RDY) && (cur_state == IB_WQS_ERR))
+               return -EINVAL;
+diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c
+index 09e29c6cb66d..4540835e05bd 100644
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -6317,10 +6317,8 @@ int mlx5_ib_modify_wq(struct ib_wq *wq, struct ib_wq_attr *wq_attr,
+       rqc = MLX5_ADDR_OF(modify_rq_in, in, ctx);
+-      curr_wq_state = (wq_attr_mask & IB_WQ_CUR_STATE) ?
+-              wq_attr->curr_wq_state : wq->state;
+-      wq_state = (wq_attr_mask & IB_WQ_STATE) ?
+-              wq_attr->wq_state : curr_wq_state;
++      curr_wq_state = wq_attr->curr_wq_state;
++      wq_state = wq_attr->wq_state;
+       if (curr_wq_state == IB_WQS_ERR)
+               curr_wq_state = MLX5_RQC_STATE_ERR;
+       if (wq_state == IB_WQS_ERR)
+-- 
+2.30.2
+
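Review bot: The two new `return -EINVAL;` statements in ib_uverbs_ex_modify_wq() (for `cmd.curr_wq_state > IB_WQS_ERR` and `cmd.wq_state > IB_WQS_ERR`) exit after `wq` has passed the `if (!wq)` check but before `uobj_put_obj_read(wq);`, so a rejected request from userspace appears to leave the WQ object's read reference held. The lookup itself is above the hunk, so this should be confirmed there. Either replace each return with `ret = -EINVAL; goto out;` and put an `out:` label in front of `uobj_put_obj_read(wq);`, or move the two range checks ahead of the lookup, since they read only `cmd`.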
diff --git a/queue-5.4/rdma-mlx5-don-t-access-null-cleared-mpi-pointer.patch b/queue-5.4/rdma-mlx5-don-t-access-null-cleared-mpi-pointer.patch
new file mode 100644 (file)
index 0000000..7baf019
--- /dev/null
@@ -0,0 +1,93 @@
+From 486e9f1c5de909975da462919451a9e4d3b53bac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jun 2021 11:51:38 +0300
+Subject: RDMA/mlx5: Don't access NULL-cleared mpi pointer
+
+From: Leon Romanovsky <leonro@nvidia.com>
+
+[ Upstream commit 4a754d7637026b42b0c9ba5787ad5ee3bc2ff77f ]
+
+The "dev->port[i].mp.mpi" is set to NULL during mlx5_ib_unbind_slave_port()
+execution, however that field is needed to add device to unaffiliated list.
+
+Such flow causes to the following kernel panic while unloading mlx5_ib
+module in multi-port mode, hence the device should be added to the list
+prior to unbind call.
+
+ RPC: Unregistered rdma transport module.
+ RPC: Unregistered rdma backchannel transport module.
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ #PF: supervisor write access in kernel mode
+ #PF: error_code(0x0002) - not-present page
+ PGD 0 P4D 0
+ Oops: 0002 [#1] SMP NOPTI
+ CPU: 4 PID: 1904 Comm: modprobe Not tainted 5.13.0-rc7_for_upstream_min_debug_2021_06_24_12_08 #1
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
+ RIP: 0010:mlx5_ib_cleanup_multiport_master+0x18b/0x2d0 [mlx5_ib]
+ Code: 00 04 0f 85 c4 00 00 00 48 89 df e8 ef fa ff ff 48 8b 83 40 0d 00 00 48 8b 15 b9 e8 05 00 4a 8b 44 28 20 48 89 05 ad e8 05 00 <48> c7 00 d0 57 c5 a0 48 89 50 08 48 89 02 39 ab 88 0a 00 00 0f 86
+ RSP: 0018:ffff888116ee3df8 EFLAGS: 00010296
+ RAX: 0000000000000000 RBX: ffff8881154f6000 RCX: 0000000000000080
+ RDX: ffffffffa0c557d0 RSI: ffff88810b69d200 RDI: 000000000002d8a0
+ RBP: 0000000000000002 R08: ffff888110780408 R09: 0000000000000000
+ R10: ffff88812452e1c0 R11: fffffffffff7e028 R12: 0000000000000000
+ R13: 0000000000000080 R14: ffff888102c58000 R15: 0000000000000000
+ FS:  00007f884393a740(0000) GS:ffff8882f5a00000(0000) knlGS:0000000000000000
+ CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000000 CR3: 00000001249f6004 CR4: 0000000000370ea0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Call Trace:
+  mlx5_ib_stage_init_cleanup+0x16/0xd0 [mlx5_ib]
+  __mlx5_ib_remove+0x33/0x90 [mlx5_ib]
+  mlx5r_remove+0x22/0x30 [mlx5_ib]
+  auxiliary_bus_remove+0x18/0x30
+  __device_release_driver+0x177/0x220
+  driver_detach+0xc4/0x100
+  bus_remove_driver+0x58/0xd0
+  auxiliary_driver_unregister+0x12/0x20
+  mlx5_ib_cleanup+0x13/0x897 [mlx5_ib]
+  __x64_sys_delete_module+0x154/0x230
+  ? exit_to_user_mode_prepare+0x104/0x140
+  do_syscall_64+0x3f/0x80
+  entry_SYSCALL_64_after_hwframe+0x44/0xae
+ RIP: 0033:0x7f8842e095c7
+ Code: 73 01 c3 48 8b 0d d9 48 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a9 48 2c 00 f7 d8 64 89 01 48
+ RSP: 002b:00007ffc68f6e758 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
+ RAX: ffffffffffffffda RBX: 00005638207929c0 RCX: 00007f8842e095c7
+ RDX: 0000000000000000 RSI: 0000000000000800 RDI: 0000563820792a28
+ RBP: 00005638207929c0 R08: 00007ffc68f6d701 R09: 0000000000000000
+ R10: 00007f8842e82880 R11: 0000000000000206 R12: 0000563820792a28
+ R13: 0000000000000001 R14: 0000563820792a28 R15: 00007ffc68f6fb40
+ Modules linked in: xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter overlay rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_ipoib ib_cm ib_umad mlx5_ib(-) mlx4_ib ib_uverbs ib_core mlx4_en mlx4_core mlx5_core ptp pps_core [last unloaded: rpcrdma]
+ CR2: 0000000000000000
+ ---[ end trace a0bb7e20804e9e9b ]---
+
+Fixes: 7ce6095e3bff ("RDMA/mlx5: Don't add slave port to unaffiliated list")
+Link: https://lore.kernel.org/r/899ac1b33a995be5ec0e16a4765c4e43c2b1ba5b.1624956444.git.leonro@nvidia.com
+Reviewed-by: Itay Aveksis <itayav@nvidia.com>
+Reviewed-by: Maor Gottlieb <maorg@nvidia.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
+index be624e613719..9025086a8932 100644
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -6023,9 +6023,9 @@ static void mlx5_ib_cleanup_multiport_master(struct mlx5_ib_dev *dev)
+                               dev->port[i].mp.mpi = NULL;
+                       } else {
+                               mlx5_ib_dbg(dev, "unbinding port_num: %d\n", i + 1);
+-                              mlx5_ib_unbind_slave_port(dev, dev->port[i].mp.mpi);
+                               list_add_tail(&dev->port[i].mp.mpi->list,
+                                             &mlx5_ib_unaffiliated_port_list);
++                              mlx5_ib_unbind_slave_port(dev, dev->port[i].mp.mpi);
+                       }
+               }
+       }
+-- 
+2.30.2
+
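Review bot: The reordered else branch in mlx5_ib_cleanup_multiport_master still reads `dev->port[i].mp.mpi` twice, so it is only correct while mlx5_ib_unbind_slave_port() is the last call to touch that field (the commit message says the unbind clears it). Reading the pointer once would make the branch independent of call order: `struct mlx5_ib_multiport_info *mpi = dev->port[i].mp.mpi;`, then `list_add_tail(&mpi->list, &mlx5_ib_unaffiliated_port_list);` and `mlx5_ib_unbind_slave_port(dev, mpi);`. The function starts and ends outside the hunk, so whatever lock protects mlx5_ib_unaffiliated_port_list is not visible here and should be confirmed to be held around the list insertion.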
diff --git a/queue-5.4/rdma-mlx5-don-t-add-slave-port-to-unaffiliated-list.patch b/queue-5.4/rdma-mlx5-don-t-add-slave-port-to-unaffiliated-list.patch
new file mode 100644 (file)
index 0000000..930f002
--- /dev/null
@@ -0,0 +1,49 @@
+From c403fbca1a927457063d90e0d8291626b1d11957 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 May 2021 19:04:44 +0300
+Subject: RDMA/mlx5: Don't add slave port to unaffiliated list
+
+From: Leon Romanovsky <leonro@nvidia.com>
+
+[ Upstream commit 7ce6095e3bff8e20ce018b050960b527e298f7df ]
+
+The mlx5_ib_bind_slave_port() doesn't remove multiport device from the
+unaffiliated list, but mlx5_ib_unbind_slave_port() did it. This unbalanced
+flow caused to the situation where mlx5_ib_unaffiliated_port_list was
+changed during iteration.
+
+Fixes: 32f69e4be269 ("{net, IB}/mlx5: Manage port association for multiport RoCE")
+Link: https://lore.kernel.org/r/2726e6603b1e6ecfe76aa5a12a063af72173bcf7.1622477058.git.leonro@nvidia.com
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
+index a173737cb022..be624e613719 100644
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -5871,8 +5871,6 @@ static void mlx5_ib_unbind_slave_port(struct mlx5_ib_dev *ibdev,
+       port->mp.mpi = NULL;
+-      list_add_tail(&mpi->list, &mlx5_ib_unaffiliated_port_list);
+-
+       spin_unlock(&port->mp.mpi_lock);
+       err = mlx5_nic_vport_unaffiliate_multiport(mpi->mdev);
+@@ -6026,6 +6024,8 @@ static void mlx5_ib_cleanup_multiport_master(struct mlx5_ib_dev *dev)
+                       } else {
+                               mlx5_ib_dbg(dev, "unbinding port_num: %d\n", i + 1);
+                               mlx5_ib_unbind_slave_port(dev, dev->port[i].mp.mpi);
++                              list_add_tail(&dev->port[i].mp.mpi->list,
++                                            &mlx5_ib_unaffiliated_port_list);
+                       }
+               }
+       }
+-- 
+2.30.2
+
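Review bot: The `list_add_tail(&dev->port[i].mp.mpi->list, ...)` added after the unbind call in mlx5_ib_cleanup_multiport_master dereferences a field that the first hunk of this same patch shows being cleared (`port->mp.mpi = NULL;`) inside mlx5_ib_unbind_slave_port, assuming `port` there is the same `dev->port[i]` entry. Applied on its own, this backport would therefore take the list node address from a NULL pointer during cleanup. rdma-mlx5-don-t-access-null-cleared-mpi-pointer.patch in this queue corrects the order, and its index line (`be624e613719..`) shows it applies on top of this one, so the two patches should be kept or dropped together. Both function bodies continue outside the hunks.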
diff --git a/queue-5.4/rdma-rxe-fix-failure-during-driver-load.patch b/queue-5.4/rdma-rxe-fix-failure-during-driver-load.patch
new file mode 100644 (file)
index 0000000..6945406
--- /dev/null
@@ -0,0 +1,58 @@
+From 6bef5af5063a83bef3ca77db792869b7185d5dd0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jun 2021 12:01:12 +0300
+Subject: RDMA/rxe: Fix failure during driver load
+
+From: Kamal Heib <kamalheib1@gmail.com>
+
+[ Upstream commit 32a25f2ea690dfaace19f7a3a916f5d7e1ddafe8 ]
+
+To avoid the following failure when trying to load the rdma_rxe module
+while IPv6 is disabled, add a check for EAFNOSUPPORT and ignore the
+failure, also delete the needless debug print from rxe_setup_udp_tunnel().
+
+$ modprobe rdma_rxe
+modprobe: ERROR: could not insert 'rdma_rxe': Operation not permitted
+
+Fixes: dfdd6158ca2c ("IB/rxe: Fix kernel panic in udp_setup_tunnel")
+Link: https://lore.kernel.org/r/20210603090112.36341-1-kamalheib1@gmail.com
+Reported-by: Yi Zhang <yi.zhang@redhat.com>
+Signed-off-by: Kamal Heib <kamalheib1@gmail.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rxe/rxe_net.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_net.c b/drivers/infiniband/sw/rxe/rxe_net.c
+index d41135682891..7d1df737c655 100644
+--- a/drivers/infiniband/sw/rxe/rxe_net.c
++++ b/drivers/infiniband/sw/rxe/rxe_net.c
+@@ -251,10 +251,8 @@ static struct socket *rxe_setup_udp_tunnel(struct net *net, __be16 port,
+       /* Create UDP socket */
+       err = udp_sock_create(net, &udp_cfg, &sock);
+-      if (err < 0) {
+-              pr_err("failed to create udp socket. err = %d\n", err);
++      if (err < 0)
+               return ERR_PTR(err);
+-      }
+       tnl_cfg.encap_type = 1;
+       tnl_cfg.encap_rcv = rxe_udp_encap_recv;
+@@ -660,6 +658,12 @@ static int rxe_net_ipv6_init(void)
+       recv_sockets.sk6 = rxe_setup_udp_tunnel(&init_net,
+                                               htons(ROCE_V2_UDP_DPORT), true);
++      if (PTR_ERR(recv_sockets.sk6) == -EAFNOSUPPORT) {
++              recv_sockets.sk6 = NULL;
++              pr_warn("IPv6 is not supported, can not create a UDPv6 socket\n");
++              return 0;
++      }
++
+       if (IS_ERR(recv_sockets.sk6)) {
+               recv_sockets.sk6 = NULL;
+               pr_err("Failed to create IPv6 UDP tunnel\n");
+-- 
+2.30.2
+
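Review bot: With `pr_err("failed to create udp socket. err = %d\n", err)` removed from rxe_setup_udp_tunnel, no visible line reports the error value any more: the remaining `pr_err("Failed to create IPv6 UDP tunnel\n")` in rxe_net_ipv6_init prints no code, so a failure other than -EAFNOSUPPORT becomes harder to diagnose. Logging it in the caller before the pointer is cleared would keep that information, for example `pr_err("Failed to create IPv6 UDP tunnel: %ld\n", PTR_ERR(recv_sockets.sk6));` placed ahead of `recv_sockets.sk6 = NULL;`. The new early-return path also leaves `recv_sockets.sk6` NULL while reporting success, so the teardown and transmit paths, which are outside this hunk, need to tolerate a NULL sk6.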
diff --git a/queue-5.4/rdma-rxe-fix-qp-reference-counting-for-atomic-ops.patch b/queue-5.4/rdma-rxe-fix-qp-reference-counting-for-atomic-ops.patch
new file mode 100644 (file)
index 0000000..c8fba98
--- /dev/null
@@ -0,0 +1,60 @@
+From b8fff85c97cebf0aa79fc25b2d9048bc62968e17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jun 2021 18:05:59 -0500
+Subject: RDMA/rxe: Fix qp reference counting for atomic ops
+
+From: Bob Pearson <rpearsonhpe@gmail.com>
+
+[ Upstream commit 15ae1375ea91ae2dee6f12d71a79d8c0a10a30bf ]
+
+Currently the rdma_rxe driver attempts to protect atomic responder
+resources by taking a reference to the qp which is only freed when the
+resource is recycled for a new read or atomic operation. This means that
+in normal circumstances there is almost always an extra qp reference once
+an atomic operation has been executed which prevents cleaning up the qp
+and associated pd and cqs when the qp is destroyed.
+
+This patch removes the call to rxe_add_ref() in send_atomic_ack() and the
+call to rxe_drop_ref() in free_rd_atomic_resource(). If the qp is
+destroyed while a peer is retrying an atomic op it will cause the
+operation to fail which is acceptable.
+
+Link: https://lore.kernel.org/r/20210604230558.4812-1-rpearsonhpe@gmail.com
+Reported-by: Zhu Yanjun <zyjzyj2000@gmail.com>
+Fixes: 86af61764151 ("IB/rxe: remove unnecessary skb_clone")
+Signed-off-by: Bob Pearson <rpearsonhpe@gmail.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rxe/rxe_qp.c   | 1 -
+ drivers/infiniband/sw/rxe/rxe_resp.c | 2 --
+ 2 files changed, 3 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c
+index d427a343c09f..53166b9ae67e 100644
+--- a/drivers/infiniband/sw/rxe/rxe_qp.c
++++ b/drivers/infiniband/sw/rxe/rxe_qp.c
+@@ -152,7 +152,6 @@ static void free_rd_atomic_resources(struct rxe_qp *qp)
+ void free_rd_atomic_resource(struct rxe_qp *qp, struct resp_res *res)
+ {
+       if (res->type == RXE_ATOMIC_MASK) {
+-              rxe_drop_ref(qp);
+               kfree_skb(res->atomic.skb);
+       } else if (res->type == RXE_READ_MASK) {
+               if (res->read.mr)
+diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c
+index c4a8195bf670..186152bf7951 100644
+--- a/drivers/infiniband/sw/rxe/rxe_resp.c
++++ b/drivers/infiniband/sw/rxe/rxe_resp.c
+@@ -993,8 +993,6 @@ static int send_atomic_ack(struct rxe_qp *qp, struct rxe_pkt_info *pkt,
+               goto out;
+       }
+-      rxe_add_ref(qp);
+-
+       res = &qp->resp.resources[qp->resp.res_head];
+       free_rd_atomic_resource(qp, res);
+       rxe_advance_resp_resource(qp);
+-- 
+2.30.2
+
diff --git a/queue-5.4/regulator-da9052-ensure-enough-delay-time-for-.set_v.patch b/queue-5.4/regulator-da9052-ensure-enough-delay-time-for-.set_v.patch
new file mode 100644 (file)
index 0000000..9a15ff1
--- /dev/null
@@ -0,0 +1,39 @@
+From e7d06f2af339b8c0456b9967110912279e603e43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 22:14:11 +0800
+Subject: regulator: da9052: Ensure enough delay time for .set_voltage_time_sel
+
+From: Axel Lin <axel.lin@ingics.com>
+
+[ Upstream commit a336dc8f683e5be794186b5643cd34cb28dd2c53 ]
+
+Use DIV_ROUND_UP to prevent truncation by integer division issue.
+This ensures we return enough delay time.
+
+Also fix returning negative value when new_sel < old_sel.
+
+Signed-off-by: Axel Lin <axel.lin@ingics.com>
+Link: https://lore.kernel.org/r/20210618141412.4014912-1-axel.lin@ingics.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/da9052-regulator.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/regulator/da9052-regulator.c b/drivers/regulator/da9052-regulator.c
+index e18d291c7f21..23fa429ebe76 100644
+--- a/drivers/regulator/da9052-regulator.c
++++ b/drivers/regulator/da9052-regulator.c
+@@ -250,7 +250,8 @@ static int da9052_regulator_set_voltage_time_sel(struct regulator_dev *rdev,
+       case DA9052_ID_BUCK3:
+       case DA9052_ID_LDO2:
+       case DA9052_ID_LDO3:
+-              ret = (new_sel - old_sel) * info->step_uV / 6250;
++              ret = DIV_ROUND_UP(abs(new_sel - old_sel) * info->step_uV,
++                                 6250);
+               break;
+       }
+-- 
+2.30.2
+
diff --git a/queue-5.4/regulator-hi655x-fix-pass-wrong-pointer-to-config.dr.patch b/queue-5.4/regulator-hi655x-fix-pass-wrong-pointer-to-config.dr.patch
new file mode 100644 (file)
index 0000000..840f8c9
--- /dev/null
@@ -0,0 +1,80 @@
+From 49068e712f189826e4623a1ea8c7a74479ea6860 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Jun 2021 21:27:15 +0800
+Subject: regulator: hi655x: Fix pass wrong pointer to config.driver_data
+
+From: Axel Lin <axel.lin@ingics.com>
+
+[ Upstream commit 61eb1b24f9e4f4e0725aa5f8164a932c933f3339 ]
+
+Current code sets config.driver_data to a zero initialized regulator
+which is obviously wrong. Fix it.
+
+Fixes: 4618119b9be5 ("regulator: hi655x: enable regulator for hi655x PMIC")
+Signed-off-by: Axel Lin <axel.lin@ingics.com>
+Link: https://lore.kernel.org/r/20210620132715.60215-1-axel.lin@ingics.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/hi655x-regulator.c | 16 +++++-----------
+ 1 file changed, 5 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/regulator/hi655x-regulator.c b/drivers/regulator/hi655x-regulator.c
+index ac2ee2030211..b44f492a2b83 100644
+--- a/drivers/regulator/hi655x-regulator.c
++++ b/drivers/regulator/hi655x-regulator.c
+@@ -72,7 +72,7 @@ enum hi655x_regulator_id {
+ static int hi655x_is_enabled(struct regulator_dev *rdev)
+ {
+       unsigned int value = 0;
+-      struct hi655x_regulator *regulator = rdev_get_drvdata(rdev);
++      const struct hi655x_regulator *regulator = rdev_get_drvdata(rdev);
+       regmap_read(rdev->regmap, regulator->status_reg, &value);
+       return (value & rdev->desc->enable_mask);
+@@ -80,7 +80,7 @@ static int hi655x_is_enabled(struct regulator_dev *rdev)
+ static int hi655x_disable(struct regulator_dev *rdev)
+ {
+-      struct hi655x_regulator *regulator = rdev_get_drvdata(rdev);
++      const struct hi655x_regulator *regulator = rdev_get_drvdata(rdev);
+       return regmap_write(rdev->regmap, regulator->disable_reg,
+                           rdev->desc->enable_mask);
+@@ -169,7 +169,6 @@ static const struct hi655x_regulator regulators[] = {
+ static int hi655x_regulator_probe(struct platform_device *pdev)
+ {
+       unsigned int i;
+-      struct hi655x_regulator *regulator;
+       struct hi655x_pmic *pmic;
+       struct regulator_config config = { };
+       struct regulator_dev *rdev;
+@@ -180,22 +179,17 @@ static int hi655x_regulator_probe(struct platform_device *pdev)
+               return -ENODEV;
+       }
+-      regulator = devm_kzalloc(&pdev->dev, sizeof(*regulator), GFP_KERNEL);
+-      if (!regulator)
+-              return -ENOMEM;
+-
+-      platform_set_drvdata(pdev, regulator);
+-
+       config.dev = pdev->dev.parent;
+       config.regmap = pmic->regmap;
+-      config.driver_data = regulator;
+       for (i = 0; i < ARRAY_SIZE(regulators); i++) {
++              config.driver_data = (void *) &regulators[i];
++
+               rdev = devm_regulator_register(&pdev->dev,
+                                              &regulators[i].rdesc,
+                                              &config);
+               if (IS_ERR(rdev)) {
+                       dev_err(&pdev->dev, "failed to register regulator %s\n",
+-                              regulator->rdesc.name);
++                              regulators[i].rdesc.name);
+                       return PTR_ERR(rdev);
+               }
+       }
+-- 
+2.30.2
+
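Review bot: `config.driver_data = (void *) &regulators[i];` in hi655x_regulator_probe casts away the const of the `static const struct hi655x_regulator regulators[]` table, so any callback that fetches it with rdev_get_drvdata() into a non-const pointer and writes through it would be modifying a const object. The patch constifies the two readers it shows (hi655x_is_enabled and hi655x_disable); any other users of rdev_get_drvdata() in the file are outside these hunks and should be checked for the same treatment. A comment at the assignment would record the contract: `/* regulators[] is const; driver_data must only be read */`. The probe function continues outside the hunk.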
diff --git a/queue-5.4/regulator-mt6358-fix-vdram2-.vsel_mask.patch b/queue-5.4/regulator-mt6358-fix-vdram2-.vsel_mask.patch
new file mode 100644 (file)
index 0000000..28ff0ac
--- /dev/null
@@ -0,0 +1,36 @@
+From 67edfba8addd37fd3be9403c315bf71d165d717e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jun 2021 12:56:09 +0800
+Subject: regulator: mt6358: Fix vdram2 .vsel_mask
+
+From: Hsin-Hsiung Wang <hsin-hsiung.wang@mediatek.com>
+
+[ Upstream commit 50c9462edcbf900f3d5097ca3ad60171346124de ]
+
+The valid vsel value are 0 and 12, so the .vsel_mask should be 0xf.
+
+Signed-off-by: Hsin-Hsiung Wang <hsin-hsiung.wang@mediatek.com>
+Reviewed-by: Axel Lin <axel.lin@ingics.com>
+Link: https://lore.kernel.org/r/1624424169-510-1-git-send-email-hsin-hsiung.wang@mediatek.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/mt6358-regulator.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/regulator/mt6358-regulator.c b/drivers/regulator/mt6358-regulator.c
+index ba42682e06f3..40e09b1d323d 100644
+--- a/drivers/regulator/mt6358-regulator.c
++++ b/drivers/regulator/mt6358-regulator.c
+@@ -457,7 +457,7 @@ static struct mt6358_regulator_info mt6358_regulators[] = {
+       MT6358_REG_FIXED("ldo_vaud28", VAUD28,
+                        MT6358_LDO_VAUD28_CON0, 0, 2800000),
+       MT6358_LDO("ldo_vdram2", VDRAM2, vdram2_voltages, vdram2_idx,
+-                 MT6358_LDO_VDRAM2_CON0, 0, MT6358_LDO_VDRAM2_ELR0, 0x10, 0),
++                 MT6358_LDO_VDRAM2_CON0, 0, MT6358_LDO_VDRAM2_ELR0, 0xf, 0),
+       MT6358_LDO("ldo_vsim1", VSIM1, vsim_voltages, vsim_idx,
+                  MT6358_LDO_VSIM1_CON0, 0, MT6358_VSIM1_ANA_CON0, 0xf00, 8),
+       MT6358_LDO("ldo_vibr", VIBR, vibr_voltages, vibr_idx,
+-- 
+2.30.2
+
diff --git a/queue-5.4/regulator-uniphier-add-missing-module_device_table.patch b/queue-5.4/regulator-uniphier-add-missing-module_device_table.patch
new file mode 100644 (file)
index 0000000..8f53922
--- /dev/null
@@ -0,0 +1,37 @@
+From 58a04b1c4f445f6ea901f6cf85edc7509c6b2147 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 May 2021 11:53:18 +0800
+Subject: regulator: uniphier: Add missing MODULE_DEVICE_TABLE
+
+From: Zou Wei <zou_wei@huawei.com>
+
+[ Upstream commit d019f38a1af3c6015cde6a47951a3ec43beeed80 ]
+
+This patch adds missing MODULE_DEVICE_TABLE definition which generates
+correct modalias for automatic loading of this driver when it is built
+as an external module.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zou Wei <zou_wei@huawei.com>
+Link: https://lore.kernel.org/r/1620705198-104566-1-git-send-email-zou_wei@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/uniphier-regulator.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/regulator/uniphier-regulator.c b/drivers/regulator/uniphier-regulator.c
+index 2311924c3103..2904c7bb4767 100644
+--- a/drivers/regulator/uniphier-regulator.c
++++ b/drivers/regulator/uniphier-regulator.c
+@@ -203,6 +203,7 @@ static const struct of_device_id uniphier_regulator_match[] = {
+       },
+       { /* Sentinel */ },
+ };
++MODULE_DEVICE_TABLE(of, uniphier_regulator_match);
+ static struct platform_driver uniphier_regulator_driver = {
+       .probe = uniphier_regulator_probe,
+-- 
+2.30.2
+
diff --git a/queue-5.4/revert-be2net-disable-bh-with-spin_lock-in-be_proces.patch b/queue-5.4/revert-be2net-disable-bh-with-spin_lock-in-be_proces.patch
new file mode 100644 (file)
index 0000000..79faae8
--- /dev/null
@@ -0,0 +1,118 @@
+From 1d9580cd6bedffd56f0fb9655653f36190025dec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jun 2021 10:27:45 +0200
+Subject: Revert "be2net: disable bh with spin_lock in be_process_mcc"
+
+From: Petr Oros <poros@redhat.com>
+
+[ Upstream commit d6765985a42a660f078896d5c5b27f97c580a490 ]
+
+Patch was based on wrong presumption that be_poll can be called only
+from bh context. It reintroducing old regression (also reverted) and
+causing deadlock when we use netconsole with benet in bonding.
+
+Old revert: commit 072a9c486004 ("netpoll: revert 6bdb7fe3104 and fix
+be_poll() instead")
+
+[  331.269715] bond0: (slave enp0s7f0): Releasing backup interface
+[  331.270121] CPU: 4 PID: 1479 Comm: ifenslave Not tainted 5.13.0-rc7+ #2
+[  331.270122] Call Trace:
+[  331.270122] [c00000001789f200] [c0000000008c505c] dump_stack+0x100/0x174 (unreliable)
+[  331.270124] [c00000001789f240] [c008000001238b9c] be_poll+0x64/0xe90 [be2net]
+[  331.270125] [c00000001789f330] [c000000000d1e6e4] netpoll_poll_dev+0x174/0x3d0
+[  331.270127] [c00000001789f400] [c008000001bc167c] bond_poll_controller+0xb4/0x130 [bonding]
+[  331.270128] [c00000001789f450] [c000000000d1e624] netpoll_poll_dev+0xb4/0x3d0
+[  331.270129] [c00000001789f520] [c000000000d1ed88] netpoll_send_skb+0x448/0x470
+[  331.270130] [c00000001789f5d0] [c0080000011f14f8] write_msg+0x180/0x1b0 [netconsole]
+[  331.270131] [c00000001789f640] [c000000000230c0c] console_unlock+0x54c/0x790
+[  331.270132] [c00000001789f7b0] [c000000000233098] vprintk_emit+0x2d8/0x450
+[  331.270133] [c00000001789f810] [c000000000234758] vprintk+0xc8/0x270
+[  331.270134] [c00000001789f850] [c000000000233c28] printk+0x40/0x54
+[  331.270135] [c00000001789f870] [c000000000ccf908] __netdev_printk+0x150/0x198
+[  331.270136] [c00000001789f910] [c000000000ccfdb4] netdev_info+0x68/0x94
+[  331.270137] [c00000001789f950] [c008000001bcbd70] __bond_release_one+0x188/0x6b0 [bonding]
+[  331.270138] [c00000001789faa0] [c008000001bcc6f4] bond_do_ioctl+0x42c/0x490 [bonding]
+[  331.270139] [c00000001789fb60] [c000000000d0d17c] dev_ifsioc+0x17c/0x400
+[  331.270140] [c00000001789fbc0] [c000000000d0db70] dev_ioctl+0x390/0x890
+[  331.270141] [c00000001789fc10] [c000000000c7c76c] sock_do_ioctl+0xac/0x1b0
+[  331.270142] [c00000001789fc90] [c000000000c7ffac] sock_ioctl+0x31c/0x6e0
+[  331.270143] [c00000001789fd60] [c0000000005b9728] sys_ioctl+0xf8/0x150
+[  331.270145] [c00000001789fdb0] [c0000000000336c0] system_call_exception+0x160/0x2f0
+[  331.270146] [c00000001789fe10] [c00000000000d35c] system_call_common+0xec/0x278
+[  331.270147] --- interrupt: c00 at 0x7fffa6c6ec00
+[  331.270147] NIP:  00007fffa6c6ec00 LR: 0000000105c4185c CTR: 0000000000000000
+[  331.270148] REGS: c00000001789fe80 TRAP: 0c00   Not tainted  (5.13.0-rc7+)
+[  331.270148] MSR:  800000000280f033 <SF,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE>  CR: 28000428  XER: 00000000
+[  331.270155] IRQMASK: 0
+[  331.270156] GPR00: 0000000000000036 00007fffd494d5b0 00007fffa6d57100 0000000000000003
+[  331.270158] GPR04: 0000000000008991 00007fffd494d6d0 0000000000000008 00007fffd494f28c
+[  331.270161] GPR08: 0000000000000003 0000000000000000 0000000000000000 0000000000000000
+[  331.270164] GPR12: 0000000000000000 00007fffa6dfa220 0000000000000000 0000000000000000
+[  331.270167] GPR16: 0000000105c44880 0000000000000000 0000000105c60088 0000000105c60318
+[  331.270170] GPR20: 0000000105c602c0 0000000105c44560 0000000000000000 0000000000000000
+[  331.270172] GPR24: 00007fffd494dc50 00007fffd494d6a8 0000000105c60008 00007fffd494d6d0
+[  331.270175] GPR28: 00007fffd494f27e 0000000105c6026c 00007fffd494f284 0000000000000000
+[  331.270178] NIP [00007fffa6c6ec00] 0x7fffa6c6ec00
+[  331.270178] LR [0000000105c4185c] 0x105c4185c
+[  331.270179] --- interrupt: c00
+
+This reverts commit d0d006a43e9a7a796f6f178839c92fcc222c564d.
+
+Fixes: d0d006a43e9a7a ("be2net: disable bh with spin_lock in be_process_mcc")
+Signed-off-by: Petr Oros <poros@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/emulex/benet/be_cmds.c | 6 ++++--
+ drivers/net/ethernet/emulex/benet/be_main.c | 2 ++
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/emulex/benet/be_cmds.c b/drivers/net/ethernet/emulex/benet/be_cmds.c
+index 701c12c9e033..649c5c429bd7 100644
+--- a/drivers/net/ethernet/emulex/benet/be_cmds.c
++++ b/drivers/net/ethernet/emulex/benet/be_cmds.c
+@@ -550,7 +550,7 @@ int be_process_mcc(struct be_adapter *adapter)
+       int num = 0, status = 0;
+       struct be_mcc_obj *mcc_obj = &adapter->mcc_obj;
+-      spin_lock_bh(&adapter->mcc_cq_lock);
++      spin_lock(&adapter->mcc_cq_lock);
+       while ((compl = be_mcc_compl_get(adapter))) {
+               if (compl->flags & CQE_FLAGS_ASYNC_MASK) {
+@@ -566,7 +566,7 @@ int be_process_mcc(struct be_adapter *adapter)
+       if (num)
+               be_cq_notify(adapter, mcc_obj->cq.id, mcc_obj->rearm_cq, num);
+-      spin_unlock_bh(&adapter->mcc_cq_lock);
++      spin_unlock(&adapter->mcc_cq_lock);
+       return status;
+ }
+@@ -581,7 +581,9 @@ static int be_mcc_wait_compl(struct be_adapter *adapter)
+               if (be_check_error(adapter, BE_ERROR_ANY))
+                       return -EIO;
++              local_bh_disable();
+               status = be_process_mcc(adapter);
++              local_bh_enable();
+               if (atomic_read(&mcc_obj->q.used) == 0)
+                       break;
+diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c
+index 9aebb121365f..552877590a8a 100644
+--- a/drivers/net/ethernet/emulex/benet/be_main.c
++++ b/drivers/net/ethernet/emulex/benet/be_main.c
+@@ -5631,7 +5631,9 @@ static void be_worker(struct work_struct *work)
+        * mcc completions
+        */
+       if (!netif_running(adapter->netdev)) {
++              local_bh_disable();
+               be_process_mcc(adapter);
++              local_bh_enable();
+               goto reschedule;
+       }
+-- 
+2.30.2
+
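Review bot: be_process_mcc now takes `mcc_cq_lock` with plain `spin_lock()`, so every caller must already have bottom halves disabled, and nothing in the new code states that requirement. The patch wraps the two process-context callers it touches (be_mcc_wait_compl and be_worker) in `local_bh_disable()`/`local_bh_enable()`; a caller added later without that wrapper could deadlock against the be_poll path that the trace in the commit message shows reaching this code. A comment above be_process_mcc would make the contract explicit: `/* Caller must have BH disabled or run in BH/netpoll context; mcc_cq_lock is taken without _bh */`. All three function bodies extend beyond the hunks shown.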
diff --git a/queue-5.4/revert-ibmvnic-remove-duplicate-napi_schedule-call-i.patch b/queue-5.4/revert-ibmvnic-remove-duplicate-napi_schedule-call-i.patch
new file mode 100644 (file)
index 0000000..c425414
--- /dev/null
@@ -0,0 +1,46 @@
+From d622878aca1fcbf1e680cf8859e692dc3989fd9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jun 2021 21:13:11 -0700
+Subject: Revert "ibmvnic: remove duplicate napi_schedule call in open
+ function"
+
+From: Dany Madden <drt@linux.ibm.com>
+
+[ Upstream commit 2ca220f92878470c6ba03f9946e412323093cc94 ]
+
+This reverts commit 7c451f3ef676c805a4b77a743a01a5c21a250a73.
+
+When a vnic interface is taken down and then up, connectivity is not
+restored. We bisected it to this commit. Reverting this commit until
+we can fully investigate the issue/benefit of the change.
+
+Fixes: 7c451f3ef676 ("ibmvnic: remove duplicate napi_schedule call in open function")
+Reported-by: Cristobal Forno <cforno12@linux.ibm.com>
+Reported-by: Abdul Haleem <abdhalee@in.ibm.com>
+Signed-off-by: Dany Madden <drt@linux.ibm.com>
+Signed-off-by: Sukadev Bhattiprolu <sukadev@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
+index a2b7b982ee29..a3d64e61035e 100644
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -1088,6 +1088,11 @@ static int __ibmvnic_open(struct net_device *netdev)
+       netif_tx_start_all_queues(netdev);
++      if (prev_state == VNIC_CLOSED) {
++              for (i = 0; i < adapter->req_rx_queues; i++)
++                      napi_schedule(&adapter->napi[i]);
++      }
++
+       adapter->state = VNIC_OPEN;
+       return rc;
+ }
+-- 
+2.30.2
+
diff --git a/queue-5.4/s390-appldata-depends-on-proc_sysctl.patch b/queue-5.4/s390-appldata-depends-on-proc_sysctl.patch
new file mode 100644 (file)
index 0000000..cc03989
--- /dev/null
@@ -0,0 +1,46 @@
+From 82791e7bd86592529a3b6a28207b8cabb7271ebf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 May 2021 17:24:20 -0700
+Subject: s390: appldata depends on PROC_SYSCTL
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 5d3516b3647621d5a1180672ea9e0817fb718ada ]
+
+APPLDATA_BASE should depend on PROC_SYSCTL instead of PROC_FS.
+Building with PROC_FS but not PROC_SYSCTL causes a build error,
+since appldata_base.c uses data and APIs from fs/proc/proc_sysctl.c.
+
+arch/s390/appldata/appldata_base.o: in function `appldata_generic_handler':
+appldata_base.c:(.text+0x192): undefined reference to `sysctl_vals'
+
+Fixes: c185b783b099 ("[S390] Remove config options.")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Heiko Carstens <hca@linux.ibm.com>
+Cc: Vasily Gorbik <gor@linux.ibm.com>
+Cc: Christian Borntraeger <borntraeger@de.ibm.com>
+Cc: linux-s390@vger.kernel.org
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Link: https://lore.kernel.org/r/20210528002420.17634-1-rdunlap@infradead.org
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig
+index 43a81d0ad507..0023b78391f1 100644
+--- a/arch/s390/Kconfig
++++ b/arch/s390/Kconfig
+@@ -920,7 +920,7 @@ config CMM_IUCV
+ config APPLDATA_BASE
+       def_bool n
+       prompt "Linux - VM Monitor Stream, base infrastructure"
+-      depends on PROC_FS
++      depends on PROC_SYSCTL
+       help
+         This provides a kernel interface for creating and updating z/VM APPLDATA
+         monitor records. The monitor records are updated at certain time
+-- 
+2.30.2
+
diff --git a/queue-5.4/samples-bpf-fix-the-error-return-code-of-xdp_redirec.patch b/queue-5.4/samples-bpf-fix-the-error-return-code-of-xdp_redirec.patch
new file mode 100644 (file)
index 0000000..36cf6be
--- /dev/null
@@ -0,0 +1,37 @@
+From 28023021454cb88ae7071d3faea6eab89905e5d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 12:25:34 +0800
+Subject: samples/bpf: Fix the error return code of xdp_redirect's main()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit 7c6090ee2a7b3315410cfc83a94c3eb057407b25 ]
+
+Fix to return a negative error code from the error handling
+case instead of 0, as done elsewhere in this function.
+
+If bpf_map_update_elem() failed, main() should return a negative error.
+
+Fixes: 832622e6bd18 ("xdp: sample program for new bpf_redirect helper")
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20210616042534.315097-1-wanghai38@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/bpf/xdp_redirect_user.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/samples/bpf/xdp_redirect_user.c b/samples/bpf/xdp_redirect_user.c
+index 5440cd620607..b7bc2a339d77 100644
+--- a/samples/bpf/xdp_redirect_user.c
++++ b/samples/bpf/xdp_redirect_user.c
+@@ -216,5 +216,5 @@ int main(int argc, char **argv)
+       poll_stats(2, ifindex_out);
+ out:
+-      return 0;
++      return ret;
+ }
+-- 
+2.30.2
+
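Review bot: `return ret;` in main() hands a negative value to the process exit status, which the calling shell sees truncated to 8 bits (255 for -1), so the specific error code is not recoverable by a script. If only success or failure matters, `return ret ? EXIT_FAILURE : EXIT_SUCCESS;` states that directly. The rest of main() is outside the hunk, so it is also worth confirming that every path reaching `out:` has assigned `ret`, including the fall-through after `poll_stats()`.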
diff --git a/queue-5.4/sata_highbank-fix-deferred-probing.patch b/queue-5.4/sata_highbank-fix-deferred-probing.patch
new file mode 100644 (file)
index 0000000..29f59ed
--- /dev/null
@@ -0,0 +1,46 @@
+From 2e024464a5e8147a2910dd77da1acce936d6ec17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Mar 2021 23:34:27 +0300
+Subject: sata_highbank: fix deferred probing
+
+From: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+
+[ Upstream commit 4a24efa16e7db02306fb5db84518bb0a7ada5a46 ]
+
+The driver overrides the error codes returned by platform_get_irq() to
+-EINVAL, so if it returns -EPROBE_DEFER, the driver would fail the probe
+permanently instead of the deferred probing. Switch to propagating the
+error code upstream, still checking/overriding IRQ0 as libata regards it
+as "no IRQ" (thus polling) anyway...
+
+Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+Link: https://lore.kernel.org/r/105b456d-1199-f6e9-ceb7-ffc5ba551d1a@omprussia.ru
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/sata_highbank.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ata/sata_highbank.c b/drivers/ata/sata_highbank.c
+index ad3893c62572..bcf705f512f0 100644
+--- a/drivers/ata/sata_highbank.c
++++ b/drivers/ata/sata_highbank.c
+@@ -469,10 +469,12 @@ static int ahci_highbank_probe(struct platform_device *pdev)
+       }
+       irq = platform_get_irq(pdev, 0);
+-      if (irq <= 0) {
++      if (irq < 0) {
+               dev_err(dev, "no irq\n");
+-              return -EINVAL;
++              return irq;
+       }
++      if (!irq)
++              return -EINVAL;
+       hpriv = devm_kzalloc(dev, sizeof(*hpriv), GFP_KERNEL);
+       if (!hpriv) {
+-- 
+2.30.2
+
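Review bot: The `dev_err(dev, "no irq\n")` under `if (irq < 0)` now also fires when platform_get_irq() returns -EPROBE_DEFER, so every deferred probe attempt is logged as an error, while the new `if (!irq) return -EINVAL;` path fails with no message at all. Consider logging only real failures, `if (irq != -EPROBE_DEFER) dev_err(dev, "no irq\n");`, and adding a `dev_err()` before the IRQ0 return so the two failure paths can be told apart in the log. ahci_highbank_probe() continues outside the hunk.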
diff --git a/queue-5.4/sched-fair-fix-ascii-art-by-relpacing-tabs.patch b/queue-5.4/sched-fair-fix-ascii-art-by-relpacing-tabs.patch
new file mode 100644 (file)
index 0000000..fecefe1
--- /dev/null
@@ -0,0 +1,65 @@
+From 4e0f060e875fa27b5bdcaef032018e2c5b85df51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 May 2021 14:52:02 +0200
+Subject: sched/fair: Fix ascii art by relpacing tabs
+
+From: Odin Ugedal <odin@uged.al>
+
+[ Upstream commit 08f7c2f4d0e9f4283f5796b8168044c034a1bfcb ]
+
+When using something other than 8 spaces per tab, this ascii art
+makes not sense, and the reader might end up wondering what this
+advanced equation "is".
+
+Signed-off-by: Odin Ugedal <odin@uged.al>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Vincent Guittot <vincent.guittot@linaro.org>
+Link: https://lkml.kernel.org/r/20210518125202.78658-4-odin@uged.al
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/fair.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index d3f4113e87de..d2ba080ea742 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -2927,7 +2927,7 @@ void reweight_task(struct task_struct *p, int prio)
+  *
+  *                     tg->weight * grq->load.weight
+  *   ge->load.weight = -----------------------------               (1)
+- *                      \Sum grq->load.weight
++ *                       \Sum grq->load.weight
+  *
+  * Now, because computing that sum is prohibitively expensive to compute (been
+  * there, done that) we approximate it with this average stuff. The average
+@@ -2941,7 +2941,7 @@ void reweight_task(struct task_struct *p, int prio)
+  *
+  *                     tg->weight * grq->avg.load_avg
+  *   ge->load.weight = ------------------------------              (3)
+- *                            tg->load_avg
++ *                             tg->load_avg
+  *
+  * Where: tg->load_avg ~= \Sum grq->avg.load_avg
+  *
+@@ -2957,7 +2957,7 @@ void reweight_task(struct task_struct *p, int prio)
+  *
+  *                     tg->weight * grq->load.weight
+  *   ge->load.weight = ----------------------------- = tg->weight   (4)
+- *                        grp->load.weight
++ *                         grp->load.weight
+  *
+  * That is, the sum collapses because all other CPUs are idle; the UP scenario.
+  *
+@@ -2976,7 +2976,7 @@ void reweight_task(struct task_struct *p, int prio)
+  *
+  *                     tg->weight * grq->load.weight
+  *   ge->load.weight = -----------------------------             (6)
+- *                            tg_load_avg'
++ *                             tg_load_avg'
+  *
+  * Where:
+  *
+-- 
+2.30.2
+
diff --git a/queue-5.4/sched-rt-fix-deadline-utilization-tracking-during-po.patch b/queue-5.4/sched-rt-fix-deadline-utilization-tracking-during-po.patch
new file mode 100644 (file)
index 0000000..d96e09a
--- /dev/null
@@ -0,0 +1,53 @@
+From 06822b1242b268c8e9de495ac59033dbda6711f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jun 2021 11:37:52 +0100
+Subject: sched/rt: Fix Deadline utilization tracking during policy change
+
+From: Vincent Donnefort <vincent.donnefort@arm.com>
+
+[ Upstream commit d7d607096ae6d378b4e92d49946d22739c047d4c ]
+
+DL keeps track of the utilization on a per-rq basis with the structure
+avg_dl. This utilization is updated during task_tick_dl(),
+put_prev_task_dl() and set_next_task_dl(). However, when the current
+running task changes its policy, set_next_task_dl() which would usually
+take care of updating the utilization when the rq starts running DL
+tasks, will not see a such change, leaving the avg_dl structure outdated.
+When that very same task will be dequeued later, put_prev_task_dl() will
+then update the utilization, based on a wrong last_update_time, leading to
+a huge spike in the DL utilization signal.
+
+The signal would eventually recover from this issue after few ms. Even
+if no DL tasks are run, avg_dl is also updated in
+__update_blocked_others(). But as the CPU capacity depends partly on the
+avg_dl, this issue has nonetheless a significant impact on the scheduler.
+
+Fix this issue by ensuring a load update when a running task changes
+its policy to DL.
+
+Fixes: 3727e0e ("sched/dl: Add dl_rq utilization tracking")
+Signed-off-by: Vincent Donnefort <vincent.donnefort@arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Vincent Guittot <vincent.guittot@linaro.org>
+Link: https://lore.kernel.org/r/1624271872-211872-3-git-send-email-vincent.donnefort@arm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/deadline.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
+index 4ce8c11e5e4a..3cf776d5bce8 100644
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -2392,6 +2392,8 @@ static void switched_to_dl(struct rq *rq, struct task_struct *p)
+                       check_preempt_curr_dl(rq, p, 0);
+               else
+                       resched_curr(rq);
++      } else {
++              update_dl_rq_load_avg(rq_clock_pelt(rq), rq, 0);
+       }
+ }
+-- 
+2.30.2
+
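Review bot: The new `else` branch at the end of switched_to_dl() has no comment, and the `if` it belongs to is outside the hunk, so the reason for the `update_dl_rq_load_avg()` call lives only in the commit message. A comment such as `/* p is already running: refresh avg_dl so put_prev_task_dl() does not use a stale last_update_time */` would keep that with the code. The RT counterpart in this queue (sched-rt-fix-rt-utilization-tracking-during-policy-c.patch) tests `task_current(rq, p)` explicitly and documents the step; presumably the two paths are meant to match, and using the same form here would make that evident.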
diff --git a/queue-5.4/sched-rt-fix-rt-utilization-tracking-during-policy-c.patch b/queue-5.4/sched-rt-fix-rt-utilization-tracking-during-policy-c.patch
new file mode 100644 (file)
index 0000000..48460c8
--- /dev/null
@@ -0,0 +1,70 @@
+From e90651b9064cbb23a9911229dc00d1bff765cabb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jun 2021 11:37:51 +0100
+Subject: sched/rt: Fix RT utilization tracking during policy change
+
+From: Vincent Donnefort <vincent.donnefort@arm.com>
+
+[ Upstream commit fecfcbc288e9f4923f40fd23ca78a6acdc7fdf6c ]
+
+RT keeps track of the utilization on a per-rq basis with the structure
+avg_rt. This utilization is updated during task_tick_rt(),
+put_prev_task_rt() and set_next_task_rt(). However, when the current
+running task changes its policy, set_next_task_rt() which would usually
+take care of updating the utilization when the rq starts running RT tasks,
+will not see a such change, leaving the avg_rt structure outdated. When
+that very same task will be dequeued later, put_prev_task_rt() will then
+update the utilization, based on a wrong last_update_time, leading to a
+huge spike in the RT utilization signal.
+
+The signal would eventually recover from this issue after few ms. Even if
+no RT tasks are run, avg_rt is also updated in __update_blocked_others().
+But as the CPU capacity depends partly on the avg_rt, this issue has
+nonetheless a significant impact on the scheduler.
+
+Fix this issue by ensuring a load update when a running task changes
+its policy to RT.
+
+Fixes: 371bf427 ("sched/rt: Add rt_rq utilization tracking")
+Signed-off-by: Vincent Donnefort <vincent.donnefort@arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Vincent Guittot <vincent.guittot@linaro.org>
+Link: https://lore.kernel.org/r/1624271872-211872-2-git-send-email-vincent.donnefort@arm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/rt.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c
+index 5b04bba4500d..2dffb8762e16 100644
+--- a/kernel/sched/rt.c
++++ b/kernel/sched/rt.c
+@@ -2221,13 +2221,20 @@ void __init init_sched_rt_class(void)
+ static void switched_to_rt(struct rq *rq, struct task_struct *p)
+ {
+       /*
+-       * If we are already running, then there's nothing
+-       * that needs to be done. But if we are not running
+-       * we may need to preempt the current running task.
+-       * If that current running task is also an RT task
++       * If we are running, update the avg_rt tracking, as the running time
++       * will now on be accounted into the latter.
++       */
++      if (task_current(rq, p)) {
++              update_rt_rq_load_avg(rq_clock_pelt(rq), rq, 0);
++              return;
++      }
++
++      /*
++       * If we are not running we may need to preempt the current
++       * running task. If that current running task is also an RT task
+        * then see if we can move to another run queue.
+        */
+-      if (task_on_rq_queued(p) && rq->curr != p) {
++      if (task_on_rq_queued(p)) {
+ #ifdef CONFIG_SMP
+               if (p->nr_cpus_allowed > 1 && rq->rt.overloaded)
+                       rt_queue_push_tasks(rq);
+-- 
+2.30.2
+
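Review bot: The new comment in switched_to_rt(), "the running time will now on be accounted into the latter", is hard to parse and leaves "the latter" without a clear referent. Suggested wording: `/* If p is the task running on this rq, refresh avg_rt: its running time is accounted there from now on. */`. The early `return` also means the `task_on_rq_queued(p)` block is skipped for the running task, which matches the removed `rq->curr != p` test only if `task_current(rq, p)` is equivalent to `rq->curr == p`; that helper is defined outside the hunk.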
diff --git a/queue-5.4/sched-uclamp-fix-locking-around-cpu_util_update_eff.patch b/queue-5.4/sched-uclamp-fix-locking-around-cpu_util_update_eff.patch
new file mode 100644 (file)
index 0000000..b68c237
--- /dev/null
@@ -0,0 +1,61 @@
+From d1aa4d928702e02794fd97d505ae49a219e70ddb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 May 2021 15:50:32 +0100
+Subject: sched/uclamp: Fix locking around cpu_util_update_eff()
+
+From: Qais Yousef <qais.yousef@arm.com>
+
+[ Upstream commit 93b73858701fd01de26a4a874eb95f9b7156fd4b ]
+
+cpu_cgroup_css_online() calls cpu_util_update_eff() without holding the
+uclamp_mutex or rcu_read_lock() like other call sites, which is
+a mistake.
+
+The uclamp_mutex is required to protect against concurrent reads and
+writes that could update the cgroup hierarchy.
+
+The rcu_read_lock() is required to traverse the cgroup data structures
+in cpu_util_update_eff().
+
+Surround the caller with the required locks and add some asserts to
+better document the dependency in cpu_util_update_eff().
+
+Fixes: 7226017ad37a ("sched/uclamp: Fix a bug in propagating uclamp value in new cgroups")
+Reported-by: Quentin Perret <qperret@google.com>
+Signed-off-by: Qais Yousef <qais.yousef@arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20210510145032.1934078-3-qais.yousef@arm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/core.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 9a01e51b25f4..b23e70db3b6e 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -7199,7 +7199,11 @@ static int cpu_cgroup_css_online(struct cgroup_subsys_state *css)
+ #ifdef CONFIG_UCLAMP_TASK_GROUP
+       /* Propagate the effective uclamp value for the new group */
++      mutex_lock(&uclamp_mutex);
++      rcu_read_lock();
+       cpu_util_update_eff(css);
++      rcu_read_unlock();
++      mutex_unlock(&uclamp_mutex);
+ #endif
+       return 0;
+@@ -7289,6 +7293,9 @@ static void cpu_util_update_eff(struct cgroup_subsys_state *css)
+       enum uclamp_id clamp_id;
+       unsigned int clamps;
++      lockdep_assert_held(&uclamp_mutex);
++      SCHED_WARN_ON(!rcu_read_lock_held());
++
+       css_for_each_descendant_pre(css, top_css) {
+               uc_parent = css_tg(css)->parent
+                       ? css_tg(css)->parent->uclamp : NULL;
+-- 
+2.30.2
+
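Review bot: The two checks added to cpu_util_update_eff() are debug-only aids: `lockdep_assert_held()` needs lockdep and `SCHED_WARN_ON()` presumably compiles away without scheduler debugging, so on production configs nothing enforces the locking contract. The ordering at the call site in cpu_cgroup_css_online() also matters, since `mutex_lock()` may sleep and therefore has to come before `rcu_read_lock()`; a one-line comment there, e.g. `/* take uclamp_mutex first: it may sleep, which is not allowed inside the RCU read section */`, would guard against a later reorder. A comment on cpu_util_update_eff() stating that the caller holds uclamp_mutex and rcu_read_lock() would document the requirement independently of the asserts. Both functions extend beyond the hunks shown.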
diff --git a/queue-5.4/sched-uclamp-fix-uclamp_tg_restrict.patch b/queue-5.4/sched-uclamp-fix-uclamp_tg_restrict.patch
new file mode 100644 (file)
index 0000000..9d04743
--- /dev/null
@@ -0,0 +1,188 @@
+From eca626be638d2e1471d7f955f347f9e399ba2406 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jun 2021 17:51:55 +0100
+Subject: sched/uclamp: Fix uclamp_tg_restrict()
+
+From: Qais Yousef <qais.yousef@arm.com>
+
+[ Upstream commit 0213b7083e81f4acd69db32cb72eb4e5f220329a ]
+
+Now cpu.uclamp.min acts as a protection, we need to make sure that the
+uclamp request of the task is within the allowed range of the cgroup,
+that is it is clamp()'ed correctly by tg->uclamp[UCLAMP_MIN] and
+tg->uclamp[UCLAMP_MAX].
+
+As reported by Xuewen [1] we can have some corner cases where there's
+inversion between uclamp requested by task (p) and the uclamp values of
+the taskgroup it's attached to (tg). Following table demonstrates
+2 corner cases:
+
+                  |  p  |  tg  |  effective
+       -----------+-----+------+-----------
+       CASE 1
+       -----------+-----+------+-----------
+       uclamp_min | 60% | 0%   |  60%
+       -----------+-----+------+-----------
+       uclamp_max | 80% | 50%  |  50%
+       -----------+-----+------+-----------
+       CASE 2
+       -----------+-----+------+-----------
+       uclamp_min | 0%  | 30%  |  30%
+       -----------+-----+------+-----------
+       uclamp_max | 20% | 50%  |  20%
+       -----------+-----+------+-----------
+
+With this fix we get:
+
+                  |  p  |  tg  |  effective
+       -----------+-----+------+-----------
+       CASE 1
+       -----------+-----+------+-----------
+       uclamp_min | 60% | 0%   |  50%
+       -----------+-----+------+-----------
+       uclamp_max | 80% | 50%  |  50%
+       -----------+-----+------+-----------
+       CASE 2
+       -----------+-----+------+-----------
+       uclamp_min | 0%  | 30%  |  30%
+       -----------+-----+------+-----------
+       uclamp_max | 20% | 50%  |  30%
+       -----------+-----+------+-----------
+
+Additionally uclamp_update_active_tasks() must now unconditionally
+update both UCLAMP_MIN/MAX because changing the tg's UCLAMP_MAX for
+instance could have an impact on the effective UCLAMP_MIN of the tasks.
+
+                  |  p  |  tg  |  effective
+       -----------+-----+------+-----------
+       old
+       -----------+-----+------+-----------
+       uclamp_min | 60% | 0%   |  50%
+       -----------+-----+------+-----------
+       uclamp_max | 80% | 50%  |  50%
+       -----------+-----+------+-----------
+       *new*
+       -----------+-----+------+-----------
+       uclamp_min | 60% | 0%   | *60%*
+       -----------+-----+------+-----------
+       uclamp_max | 80% |*70%* | *70%*
+       -----------+-----+------+-----------
+
+[1] https://lore.kernel.org/lkml/CAB8ipk_a6VFNjiEnHRHkUMBKbA+qzPQvhtNjJ_YNzQhqV_o8Zw@mail.gmail.com/
+
+Fixes: 0c18f2ecfcc2 ("sched/uclamp: Fix wrong implementation of cpu.uclamp.min")
+Reported-by: Xuewen Yan <xuewen.yan94@gmail.com>
+Signed-off-by: Qais Yousef <qais.yousef@arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20210617165155.3774110-1-qais.yousef@arm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/core.c | 49 +++++++++++++++++----------------------------
+ 1 file changed, 18 insertions(+), 31 deletions(-)
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index b23e70db3b6e..8294debf68c4 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -894,8 +894,10 @@ unsigned int uclamp_rq_max_value(struct rq *rq, enum uclamp_id clamp_id,
+ static inline struct uclamp_se
+ uclamp_tg_restrict(struct task_struct *p, enum uclamp_id clamp_id)
+ {
++      /* Copy by value as we could modify it */
+       struct uclamp_se uc_req = p->uclamp_req[clamp_id];
+ #ifdef CONFIG_UCLAMP_TASK_GROUP
++      unsigned int tg_min, tg_max, value;
+       /*
+        * Tasks in autogroups or root task group will be
+@@ -906,23 +908,11 @@ uclamp_tg_restrict(struct task_struct *p, enum uclamp_id clamp_id)
+       if (task_group(p) == &root_task_group)
+               return uc_req;
+-      switch (clamp_id) {
+-      case UCLAMP_MIN: {
+-              struct uclamp_se uc_min = task_group(p)->uclamp[clamp_id];
+-              if (uc_req.value < uc_min.value)
+-                      return uc_min;
+-              break;
+-      }
+-      case UCLAMP_MAX: {
+-              struct uclamp_se uc_max = task_group(p)->uclamp[clamp_id];
+-              if (uc_req.value > uc_max.value)
+-                      return uc_max;
+-              break;
+-      }
+-      default:
+-              WARN_ON_ONCE(1);
+-              break;
+-      }
++      tg_min = task_group(p)->uclamp[UCLAMP_MIN].value;
++      tg_max = task_group(p)->uclamp[UCLAMP_MAX].value;
++      value = uc_req.value;
++      value = clamp(value, tg_min, tg_max);
++      uclamp_se_set(&uc_req, value, false);
+ #endif
+       return uc_req;
+@@ -1121,8 +1111,9 @@ static inline void uclamp_rq_dec(struct rq *rq, struct task_struct *p)
+ }
+ static inline void
+-uclamp_update_active(struct task_struct *p, enum uclamp_id clamp_id)
++uclamp_update_active(struct task_struct *p)
+ {
++      enum uclamp_id clamp_id;
+       struct rq_flags rf;
+       struct rq *rq;
+@@ -1142,9 +1133,11 @@ uclamp_update_active(struct task_struct *p, enum uclamp_id clamp_id)
+        * affecting a valid clamp bucket, the next time it's enqueued,
+        * it will already see the updated clamp bucket value.
+        */
+-      if (p->uclamp[clamp_id].active) {
+-              uclamp_rq_dec_id(rq, p, clamp_id);
+-              uclamp_rq_inc_id(rq, p, clamp_id);
++      for_each_clamp_id(clamp_id) {
++              if (p->uclamp[clamp_id].active) {
++                      uclamp_rq_dec_id(rq, p, clamp_id);
++                      uclamp_rq_inc_id(rq, p, clamp_id);
++              }
+       }
+       task_rq_unlock(rq, p, &rf);
+@@ -1152,20 +1145,14 @@ uclamp_update_active(struct task_struct *p, enum uclamp_id clamp_id)
+ #ifdef CONFIG_UCLAMP_TASK_GROUP
+ static inline void
+-uclamp_update_active_tasks(struct cgroup_subsys_state *css,
+-                         unsigned int clamps)
++uclamp_update_active_tasks(struct cgroup_subsys_state *css)
+ {
+-      enum uclamp_id clamp_id;
+       struct css_task_iter it;
+       struct task_struct *p;
+       css_task_iter_start(css, 0, &it);
+-      while ((p = css_task_iter_next(&it))) {
+-              for_each_clamp_id(clamp_id) {
+-                      if ((0x1 << clamp_id) & clamps)
+-                              uclamp_update_active(p, clamp_id);
+-              }
+-      }
++      while ((p = css_task_iter_next(&it)))
++              uclamp_update_active(p);
+       css_task_iter_end(&it);
+ }
+@@ -7328,7 +7315,7 @@ static void cpu_util_update_eff(struct cgroup_subsys_state *css)
+               }
+               /* Immediately update descendants RUNNABLE tasks */
+-              uclamp_update_active_tasks(css, clamps);
++              uclamp_update_active_tasks(css);
+       }
+ }
+-- 
+2.30.2
+
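Review bot: `value = clamp(value, tg_min, tg_max);` in uclamp_tg_restrict() is only well defined when `tg_min <= tg_max`, and nothing in this hunk establishes that for `task_group(p)->uclamp[]`. If the invariant is maintained where the group values are computed (presumably cpu_util_update_eff(), outside this hunk), say so next to the call, e.g. `/* tg_min <= tg_max is guaranteed by cpu_util_update_eff() */`; if it is not, normalise first with `tg_min = min(tg_min, tg_max);`. Note also that `uclamp_se_set(&uc_req, value, false)` clears `user_defined` on the returned copy even when the task's request was user-defined and left unchanged by the clamp, so any caller that reads that flag from the effective value would see a different answer than before.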
diff --git a/queue-5.4/sched-uclamp-fix-wrong-implementation-of-cpu.uclamp..patch b/queue-5.4/sched-uclamp-fix-wrong-implementation-of-cpu.uclamp..patch
new file mode 100644 (file)
index 0000000..de215f7
--- /dev/null
@@ -0,0 +1,116 @@
+From 2c2c59093faec126da1544d499c5726e12a35bf9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 May 2021 15:50:31 +0100
+Subject: sched/uclamp: Fix wrong implementation of cpu.uclamp.min
+
+From: Qais Yousef <qais.yousef@arm.com>
+
+[ Upstream commit 0c18f2ecfcc274a4bcc1d122f79ebd4001c3b445 ]
+
+cpu.uclamp.min is a protection as described in cgroup-v2 Resource
+Distribution Model
+
+       Documentation/admin-guide/cgroup-v2.rst
+
+which means we try our best to preserve the minimum performance point of
+tasks in this group. See full description of cpu.uclamp.min in the
+cgroup-v2.rst.
+
+But the current implementation makes it a limit, which is not what was
+intended.
+
+For example:
+
+       tg->cpu.uclamp.min = 20%
+
+       p0->uclamp[UCLAMP_MIN] = 0
+       p1->uclamp[UCLAMP_MIN] = 50%
+
+       Previous Behavior (limit):
+
+               p0->effective_uclamp = 0
+               p1->effective_uclamp = 20%
+
+       New Behavior (Protection):
+
+               p0->effective_uclamp = 20%
+               p1->effective_uclamp = 50%
+
+Which is inline with how protections should work.
+
+With this change the cgroup and per-task behaviors are the same, as
+expected.
+
+Additionally, we remove the confusing relationship between cgroup and
+!user_defined flag.
+
+We don't want for example RT tasks that are boosted by default to max to
+change their boost value when they attach to a cgroup. If a cgroup wants
+to limit the max performance point of tasks attached to it, then
+cpu.uclamp.max must be set accordingly.
+
+Or if they want to set different boost value based on cgroup, then
+sysctl_sched_util_clamp_min_rt_default must be used to NOT boost to max
+and set the right cpu.uclamp.min for each group to let the RT tasks
+obtain the desired boost value when attached to that group.
+
+As it stands the dependency on !user_defined flag adds an extra layer of
+complexity that is not required now cpu.uclamp.min behaves properly as
+a protection.
+
+The propagation model of effective cpu.uclamp.min in child cgroups as
+implemented by cpu_util_update_eff() is still correct. The parent
+protection sets an upper limit of what the child cgroups will
+effectively get.
+
+Fixes: 3eac870a3247 (sched/uclamp: Use TG's clamps to restrict TASK's clamps)
+Signed-off-by: Qais Yousef <qais.yousef@arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20210510145032.1934078-2-qais.yousef@arm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/core.c | 21 +++++++++++++++++----
+ 1 file changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index a3e95d7779e1..9a01e51b25f4 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -896,7 +896,6 @@ uclamp_tg_restrict(struct task_struct *p, enum uclamp_id clamp_id)
+ {
+       struct uclamp_se uc_req = p->uclamp_req[clamp_id];
+ #ifdef CONFIG_UCLAMP_TASK_GROUP
+-      struct uclamp_se uc_max;
+       /*
+        * Tasks in autogroups or root task group will be
+@@ -907,9 +906,23 @@ uclamp_tg_restrict(struct task_struct *p, enum uclamp_id clamp_id)
+       if (task_group(p) == &root_task_group)
+               return uc_req;
+-      uc_max = task_group(p)->uclamp[clamp_id];
+-      if (uc_req.value > uc_max.value || !uc_req.user_defined)
+-              return uc_max;
++      switch (clamp_id) {
++      case UCLAMP_MIN: {
++              struct uclamp_se uc_min = task_group(p)->uclamp[clamp_id];
++              if (uc_req.value < uc_min.value)
++                      return uc_min;
++              break;
++      }
++      case UCLAMP_MAX: {
++              struct uclamp_se uc_max = task_group(p)->uclamp[clamp_id];
++              if (uc_req.value > uc_max.value)
++                      return uc_max;
++              break;
++      }
++      default:
++              WARN_ON_ONCE(1);
++              break;
++      }
+ #endif
+       return uc_req;
+-- 
+2.30.2
+
diff --git a/queue-5.4/scsi-flashpoint-rename-si_flags-field.patch b/queue-5.4/scsi-flashpoint-rename-si_flags-field.patch
new file mode 100644 (file)
index 0000000..984dff3
--- /dev/null
@@ -0,0 +1,163 @@
+From 7136cb4f4438a77b57ed3543efd0470c7c9d2b4f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 May 2021 16:48:57 -0700
+Subject: scsi: FlashPoint: Rename si_flags field
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 4d431153e751caa93f3b7e6f6313446974e92253 ]
+
+The BusLogic driver has build errors on ia64 due to a name collision (in
+the #included FlashPoint.c file). Rename the struct field in struct
+sccb_mgr_info from si_flags to si_mflags (manager flags) to mend the build.
+
+This is the first problem. There are 50+ others after this one:
+
+In file included from ../include/uapi/linux/signal.h:6,
+                 from ../include/linux/signal_types.h:10,
+                 from ../include/linux/sched.h:29,
+                 from ../include/linux/hardirq.h:9,
+                 from ../include/linux/interrupt.h:11,
+                 from ../drivers/scsi/BusLogic.c:27:
+../arch/ia64/include/uapi/asm/siginfo.h:15:27: error: expected ':', ',', ';', '}' or '__attribute__' before '.' token
+   15 | #define si_flags _sifields._sigfault._flags
+      |                           ^
+../drivers/scsi/FlashPoint.c:43:6: note: in expansion of macro 'si_flags'
+   43 |  u16 si_flags;
+      |      ^~~~~~~~
+In file included from ../drivers/scsi/BusLogic.c:51:
+../drivers/scsi/FlashPoint.c: In function 'FlashPoint_ProbeHostAdapter':
+../drivers/scsi/FlashPoint.c:1076:11: error: 'struct sccb_mgr_info' has no member named '_sifields'
+ 1076 |  pCardInfo->si_flags = 0x0000;
+      |           ^~
+../drivers/scsi/FlashPoint.c:1079:12: error: 'struct sccb_mgr_info' has no member named '_sifields'
+
+Link: https://lore.kernel.org/r/20210529234857.6870-1-rdunlap@infradead.org
+Fixes: 391e2f25601e ("[SCSI] BusLogic: Port driver to 64-bit.")
+Cc: "James E.J. Bottomley" <jejb@linux.ibm.com>
+Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: Hannes Reinecke <hare@suse.de>
+Cc: Khalid Aziz <khalid.aziz@oracle.com>
+Cc: Khalid Aziz <khalid@gonehiking.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/FlashPoint.c | 32 ++++++++++++++++----------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/scsi/FlashPoint.c b/drivers/scsi/FlashPoint.c
+index 0f17bd51088a..3b15fb25b5e6 100644
+--- a/drivers/scsi/FlashPoint.c
++++ b/drivers/scsi/FlashPoint.c
+@@ -40,7 +40,7 @@ struct sccb_mgr_info {
+       u16 si_per_targ_ultra_nego;
+       u16 si_per_targ_no_disc;
+       u16 si_per_targ_wide_nego;
+-      u16 si_flags;
++      u16 si_mflags;
+       unsigned char si_card_family;
+       unsigned char si_bustype;
+       unsigned char si_card_model[3];
+@@ -1070,22 +1070,22 @@ static int FlashPoint_ProbeHostAdapter(struct sccb_mgr_info *pCardInfo)
+               ScamFlg =
+                   (unsigned char)FPT_utilEERead(ioport, SCAM_CONFIG / 2);
+-      pCardInfo->si_flags = 0x0000;
++      pCardInfo->si_mflags = 0x0000;
+       if (i & 0x01)
+-              pCardInfo->si_flags |= SCSI_PARITY_ENA;
++              pCardInfo->si_mflags |= SCSI_PARITY_ENA;
+       if (!(i & 0x02))
+-              pCardInfo->si_flags |= SOFT_RESET;
++              pCardInfo->si_mflags |= SOFT_RESET;
+       if (i & 0x10)
+-              pCardInfo->si_flags |= EXTENDED_TRANSLATION;
++              pCardInfo->si_mflags |= EXTENDED_TRANSLATION;
+       if (ScamFlg & SCAM_ENABLED)
+-              pCardInfo->si_flags |= FLAG_SCAM_ENABLED;
++              pCardInfo->si_mflags |= FLAG_SCAM_ENABLED;
+       if (ScamFlg & SCAM_LEVEL2)
+-              pCardInfo->si_flags |= FLAG_SCAM_LEVEL2;
++              pCardInfo->si_mflags |= FLAG_SCAM_LEVEL2;
+       j = (RD_HARPOON(ioport + hp_bm_ctrl) & ~SCSI_TERM_ENA_L);
+       if (i & 0x04) {
+@@ -1101,7 +1101,7 @@ static int FlashPoint_ProbeHostAdapter(struct sccb_mgr_info *pCardInfo)
+       if (!(RD_HARPOON(ioport + hp_page_ctrl) & NARROW_SCSI_CARD))
+-              pCardInfo->si_flags |= SUPPORT_16TAR_32LUN;
++              pCardInfo->si_mflags |= SUPPORT_16TAR_32LUN;
+       pCardInfo->si_card_family = HARPOON_FAMILY;
+       pCardInfo->si_bustype = BUSTYPE_PCI;
+@@ -1137,15 +1137,15 @@ static int FlashPoint_ProbeHostAdapter(struct sccb_mgr_info *pCardInfo)
+       if (pCardInfo->si_card_model[1] == '3') {
+               if (RD_HARPOON(ioport + hp_ee_ctrl) & BIT(7))
+-                      pCardInfo->si_flags |= LOW_BYTE_TERM;
++                      pCardInfo->si_mflags |= LOW_BYTE_TERM;
+       } else if (pCardInfo->si_card_model[2] == '0') {
+               temp = RD_HARPOON(ioport + hp_xfer_pad);
+               WR_HARPOON(ioport + hp_xfer_pad, (temp & ~BIT(4)));
+               if (RD_HARPOON(ioport + hp_ee_ctrl) & BIT(7))
+-                      pCardInfo->si_flags |= LOW_BYTE_TERM;
++                      pCardInfo->si_mflags |= LOW_BYTE_TERM;
+               WR_HARPOON(ioport + hp_xfer_pad, (temp | BIT(4)));
+               if (RD_HARPOON(ioport + hp_ee_ctrl) & BIT(7))
+-                      pCardInfo->si_flags |= HIGH_BYTE_TERM;
++                      pCardInfo->si_mflags |= HIGH_BYTE_TERM;
+               WR_HARPOON(ioport + hp_xfer_pad, temp);
+       } else {
+               temp = RD_HARPOON(ioport + hp_ee_ctrl);
+@@ -1163,9 +1163,9 @@ static int FlashPoint_ProbeHostAdapter(struct sccb_mgr_info *pCardInfo)
+               WR_HARPOON(ioport + hp_ee_ctrl, temp);
+               WR_HARPOON(ioport + hp_xfer_pad, temp2);
+               if (!(temp3 & BIT(7)))
+-                      pCardInfo->si_flags |= LOW_BYTE_TERM;
++                      pCardInfo->si_mflags |= LOW_BYTE_TERM;
+               if (!(temp3 & BIT(6)))
+-                      pCardInfo->si_flags |= HIGH_BYTE_TERM;
++                      pCardInfo->si_mflags |= HIGH_BYTE_TERM;
+       }
+       ARAM_ACCESS(ioport);
+@@ -1272,7 +1272,7 @@ static void *FlashPoint_HardwareResetHostAdapter(struct sccb_mgr_info
+       WR_HARPOON(ioport + hp_arb_id, pCardInfo->si_id);
+       CurrCard->ourId = pCardInfo->si_id;
+-      i = (unsigned char)pCardInfo->si_flags;
++      i = (unsigned char)pCardInfo->si_mflags;
+       if (i & SCSI_PARITY_ENA)
+               WR_HARPOON(ioport + hp_portctrl_1, (HOST_MODE8 | CHK_SCSI_P));
+@@ -1286,14 +1286,14 @@ static void *FlashPoint_HardwareResetHostAdapter(struct sccb_mgr_info
+               j |= SCSI_TERM_ENA_H;
+       WR_HARPOON(ioport + hp_ee_ctrl, j);
+-      if (!(pCardInfo->si_flags & SOFT_RESET)) {
++      if (!(pCardInfo->si_mflags & SOFT_RESET)) {
+               FPT_sresb(ioport, thisCard);
+               FPT_scini(thisCard, pCardInfo->si_id, 0);
+       }
+-      if (pCardInfo->si_flags & POST_ALL_UNDERRRUNS)
++      if (pCardInfo->si_mflags & POST_ALL_UNDERRRUNS)
+               CurrCard->globalFlags |= F_NO_FILTER;
+       if (pCurrNvRam) {
+-- 
+2.30.2
+
diff --git a/queue-5.4/scsi-mpt3sas-fix-error-return-value-in-_scsih_expand.patch b/queue-5.4/scsi-mpt3sas-fix-error-return-value-in-_scsih_expand.patch
new file mode 100644 (file)
index 0000000..afcf159
--- /dev/null
@@ -0,0 +1,43 @@
+From 7656d5a45639731725959717b3763b6825ec62ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 May 2021 16:13:00 +0800
+Subject: scsi: mpt3sas: Fix error return value in _scsih_expander_add()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit d6c2ce435ffe23ef7f395ae76ec747414589db46 ]
+
+When an expander does not contain any 'phys', an appropriate error code -1
+should be returned, as done elsewhere in this function. However, we
+currently do not explicitly assign this error code to 'rc'. As a result, 0
+was incorrectly returned.
+
+Link: https://lore.kernel.org/r/20210514081300.6650-1-thunder.leizhen@huawei.com
+Fixes: f92363d12359 ("[SCSI] mpt3sas: add new driver supporting 12GB SAS")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/mpt3sas/mpt3sas_scsih.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+index aff630fccb07..3654cfc4376f 100644
+--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+@@ -5728,8 +5728,10 @@ _scsih_expander_add(struct MPT3SAS_ADAPTER *ioc, u16 handle)
+                handle, parent_handle,
+                (u64)sas_expander->sas_address, sas_expander->num_phys);
+-      if (!sas_expander->num_phys)
++      if (!sas_expander->num_phys) {
++              rc = -1;
+               goto out_fail;
++      }
+       sas_expander->phy = kcalloc(sas_expander->num_phys,
+           sizeof(struct _sas_phy), GFP_KERNEL);
+       if (!sas_expander->phy) {
+-- 
+2.30.2
+
diff --git a/queue-5.4/selftests-vm-pkeys-fix-alloc_random_pkey-to-make-it-.patch b/queue-5.4/selftests-vm-pkeys-fix-alloc_random_pkey-to-make-it-.patch
new file mode 100644 (file)
index 0000000..2351e49
--- /dev/null
@@ -0,0 +1,102 @@
+From 49f4720aa582c20ed2004a2a71872e4823d886e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Jun 2021 18:56:53 -0700
+Subject: selftests/vm/pkeys: fix alloc_random_pkey() to make it really, really
+ random
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+[ Upstream commit f36ef407628835a7d7fb3d235b1f1aac7022d9a3 ]
+
+Patch series "selftests/vm/pkeys: Bug fixes and a new test".
+
+There has been a lot of activity on the x86 front around the XSAVE
+architecture which is used to context-switch processor state (among other
+things).  In addition, AMD has recently joined the protection keys club by
+adding processor support for PKU.
+
+The AMD implementation helped uncover a kernel bug around the PKRU "init
+state", which actually applied to Intel's implementation but was just
+harder to hit.  This series adds a test which is expected to help find
+this class of bug both on AMD and Intel.  All the work around pkeys on x86
+also uncovered a few bugs in the selftest.
+
+This patch (of 4):
+
+The "random" pkey allocation code currently does the good old:
+
+       srand((unsigned int)time(NULL));
+
+*But*, it unfortunately does this on every random pkey allocation.
+
+There may be thousands of these a second.  time() has a one second
+resolution.  So, each time alloc_random_pkey() is called, the PRNG is
+*RESET* to time().  This is nasty.  Normally, if you do:
+
+       srand(<ANYTHING>);
+       foo = rand();
+       bar = rand();
+
+You'll be quite guaranteed that 'foo' and 'bar' are different.  But, if
+you do:
+
+       srand(1);
+       foo = rand();
+       srand(1);
+       bar = rand();
+
+You are quite guaranteed that 'foo' and 'bar' are the *SAME*.  The recent
+"fix" effectively forced the test case to use the same "random" pkey for
+the whole test, unless the test run crossed a second boundary.
+
+Only run srand() once at program startup.
+
+This explains some very odd and persistent test failures I've been seeing.
+
+Link: https://lkml.kernel.org/r/20210611164153.91B76FB8@viggo.jf.intel.com
+Link: https://lkml.kernel.org/r/20210611164155.192D00FF@viggo.jf.intel.com
+Fixes: 6e373263ce07 ("selftests/vm/pkeys: fix alloc_random_pkey() to make it really random")
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+Cc: Ram Pai <linuxram@us.ibm.com>
+Cc: Sandipan Das <sandipan@linux.ibm.com>
+Cc: Florian Weimer <fweimer@redhat.com>
+Cc: "Desnes A. Nunes do Rosario" <desnesn@linux.vnet.ibm.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Thiago Jung Bauermann <bauerman@linux.ibm.com>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Michal Suchanek <msuchanek@suse.de>
+Cc: Shuah Khan <shuah@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/x86/protection_keys.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/x86/protection_keys.c b/tools/testing/selftests/x86/protection_keys.c
+index 47191af46617..a3602148e2ea 100644
+--- a/tools/testing/selftests/x86/protection_keys.c
++++ b/tools/testing/selftests/x86/protection_keys.c
+@@ -613,7 +613,6 @@ int alloc_random_pkey(void)
+       int nr_alloced = 0;
+       int random_index;
+       memset(alloced_pkeys, 0, sizeof(alloced_pkeys));
+-      srand((unsigned int)time(NULL));
+       /* allocate every possible key and make a note of which ones we got */
+       max_nr_pkey_allocs = NR_PKEYS;
+@@ -1479,6 +1478,8 @@ int main(void)
+ {
+       int nr_iterations = 22;
++      srand((unsigned int)time(NULL));
++
+       setup_handlers();
+       printf("has pku: %d\n", cpu_has_pku());
+-- 
+2.30.2
+
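Review bot: The seed that `srand((unsigned int)time(NULL));` now sets once in `main()` is never reported, so a failure that depends on which keys `alloc_random_pkey()` happened to draw cannot be replayed. Keeping the seed in a local and printing it costs three lines: `unsigned int seed = (unsigned int)time(NULL);`, `srand(seed);`, `printf("srand seed: %u\n", seed);`. Two runs started within the same second will still share a sequence, because time() has one-second resolution as the commit message itself points out. That is tolerable for a selftest but worth a short comment next to the call. The body of `main()` continues outside the hunk.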
diff --git a/queue-5.4/serial-8250-actually-allow-upf_magic_multiplier-baud.patch b/queue-5.4/serial-8250-actually-allow-upf_magic_multiplier-baud.patch
new file mode 100644 (file)
index 0000000..a866f2d
--- /dev/null
@@ -0,0 +1,84 @@
+From cd8c8f44661b93bef1e6a4a1ebe196f4233d5a02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jun 2021 20:38:34 +0200
+Subject: serial: 8250: Actually allow UPF_MAGIC_MULTIPLIER baud rates
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+[ Upstream commit 78bcae8616ac277d6cb7f38e211493948ed73e30 ]
+
+Support for magic baud rate divisors of 32770 and 32769 used with SMSC
+Super I/O chips for extra baud rates of 230400 and 460800 respectively
+where base rate is 115200[1] has been added around Linux 2.5.64, which
+predates our repo history, but the origin could be identified as commit
+2a717aad772f ("Merge with Linux 2.5.64.") with the old MIPS/Linux repo
+also at: <git://git.kernel.org/pub/scm/linux/kernel/git/ralf/linux.git>.
+
+Code that is now in `serial8250_do_get_divisor' was added back then to
+`serial8250_get_divisor', but that code would only ever trigger if one
+of the higher baud rates was actually requested, and that cannot ever
+happen, because the earlier call to `serial8250_get_baud_rate' never
+returns them.  This is because it calls `uart_get_baud_rate' with the
+maximum requested being the base rate, that is clk/16 or 115200 for SMSC
+chips at their nominal clock rate.
+
+Fix it then and allow UPF_MAGIC_MULTIPLIER baud rates to be selected, by
+requesting the maximum baud rate of clk/4 rather than clk/16 if the flag
+has been set.  Also correct the minimum baud rate, observing that these
+ports only support actual (non-magic) divisors of up to 32767 only.
+
+References:
+
+[1] "FDC37M81x, PC98/99 Compliant Enhanced Super I/O Controller with
+    Keyboard/Mouse Wake-Up", Standard Microsystems Corporation, Rev.
+    03/27/2000, Table 31 - "Baud Rates", p. 77
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Link: https://lore.kernel.org/r/alpine.DEB.2.21.2105190412280.29169@angie.orcam.me.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_port.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c
+index 5b673077639b..6e93aa3623d9 100644
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -2557,6 +2557,21 @@ static unsigned int serial8250_get_baud_rate(struct uart_port *port,
+                                            struct ktermios *old)
+ {
+       unsigned int tolerance = port->uartclk / 100;
++      unsigned int min;
++      unsigned int max;
++
++      /*
++       * Handle magic divisors for baud rates above baud_base on SMSC
++       * Super I/O chips.  Enable custom rates of clk/4 and clk/8, but
++       * disable divisor values beyond 32767, which are unavailable.
++       */
++      if (port->flags & UPF_MAGIC_MULTIPLIER) {
++              min = port->uartclk / 16 / UART_DIV_MAX >> 1;
++              max = (port->uartclk + tolerance) / 4;
++      } else {
++              min = port->uartclk / 16 / UART_DIV_MAX;
++              max = (port->uartclk + tolerance) / 16;
++      }
+       /*
+        * Ask the core to calculate the divisor for us.
+@@ -2564,9 +2579,7 @@ static unsigned int serial8250_get_baud_rate(struct uart_port *port,
+        * slower than nominal still match standard baud rates without
+        * causing transmission errors.
+        */
+-      return uart_get_baud_rate(port, termios, old,
+-                                port->uartclk / 16 / UART_DIV_MAX,
+-                                (port->uartclk + tolerance) / 16);
++      return uart_get_baud_rate(port, termios, old, min, max);
+ }
+ void
+-- 
+2.30.2
+
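Review bot: In the UPF_MAGIC_MULTIPLIER branch, `min = port->uartclk / 16 / UART_DIV_MAX >> 1;` parses as `(port->uartclk / 16 / UART_DIV_MAX) >> 1`, because division binds tighter than the shift, so it halves the minimum rate instead of halving the largest permitted divisor. The comment directly above says divisor values beyond 32767 are unavailable, which suggests the intent was `min = port->uartclk / 16 / (UART_DIV_MAX >> 1);`. As written, the lower bound passed to `uart_get_baud_rate()` presumably admits rates whose divisor does not fit; confirm against the definition of UART_DIV_MAX, which is not visible here. Whichever reading is intended, explicit parentheses would make the bound unambiguous.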
diff --git a/queue-5.4/serial-mvebu-uart-correctly-calculate-minimal-possib.patch b/queue-5.4/serial-mvebu-uart-correctly-calculate-minimal-possib.patch
new file mode 100644 (file)
index 0000000..97388e2
--- /dev/null
@@ -0,0 +1,66 @@
+From 6bcd71c91bee254f10801557fb90be77f4045da5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jun 2021 00:49:02 +0200
+Subject: serial: mvebu-uart: correctly calculate minimal possible baudrate
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit deeaf963569a0d9d1b08babb771f61bb501a5704 ]
+
+For default (x16) scheme which is currently used by mvebu-uart.c driver,
+maximal divisor of UART base clock is 1023*16. Therefore there is limit for
+minimal supported baudrate. This change calculate it correctly and prevents
+setting invalid divisor 0 into hardware registers.
+
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Fixes: 68a0db1d7da2 ("serial: mvebu-uart: add function to change baudrate")
+Link: https://lore.kernel.org/r/20210624224909.6350-4-pali@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/mvebu-uart.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/tty/serial/mvebu-uart.c b/drivers/tty/serial/mvebu-uart.c
+index 57929b54e46a..51b4d8d1dcac 100644
+--- a/drivers/tty/serial/mvebu-uart.c
++++ b/drivers/tty/serial/mvebu-uart.c
+@@ -481,7 +481,7 @@ static void mvebu_uart_set_termios(struct uart_port *port,
+                                  struct ktermios *old)
+ {
+       unsigned long flags;
+-      unsigned int baud;
++      unsigned int baud, min_baud, max_baud;
+       spin_lock_irqsave(&port->lock, flags);
+@@ -500,16 +500,21 @@ static void mvebu_uart_set_termios(struct uart_port *port,
+               port->ignore_status_mask |= STAT_RX_RDY(port) | STAT_BRK_ERR;
+       /*
++       * Maximal divisor is 1023 * 16 when using default (x16) scheme.
+        * Maximum achievable frequency with simple baudrate divisor is 230400.
+        * Since the error per bit frame would be of more than 15%, achieving
+        * higher frequencies would require to implement the fractional divisor
+        * feature.
+        */
+-      baud = uart_get_baud_rate(port, termios, old, 0, 230400);
++      min_baud = DIV_ROUND_UP(port->uartclk, 1023 * 16);
++      max_baud = 230400;
++
++      baud = uart_get_baud_rate(port, termios, old, min_baud, max_baud);
+       if (mvebu_uart_baud_rate_set(port, baud)) {
+               /* No clock available, baudrate cannot be changed */
+               if (old)
+-                      baud = uart_get_baud_rate(port, old, NULL, 0, 230400);
++                      baud = uart_get_baud_rate(port, old, NULL,
++                                                min_baud, max_baud);
+       } else {
+               tty_termios_encode_baud_rate(termios, baud, baud);
+               uart_update_timeout(port, termios->c_cflag, baud);
+-- 
+2.30.2
+
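Review bot: The bound in `min_baud = DIV_ROUND_UP(port->uartclk, 1023 * 16);` is a bare literal that is repeated in the comment above it, so nothing ties it to the register field it describes. If 1023 is the driver's 10-bit divisor mask (BRDV_BAUD_MASK, which would be defined outside this hunk; confirm), `min_baud = DIV_ROUND_UP(port->uartclk, BRDV_BAUD_MASK * 16);` keeps the limit and the field width from drifting apart. The same applies to `max_baud = 230400;`, which would read better as a named constant now that it is passed to two `uart_get_baud_rate()` calls. `mvebu_uart_set_termios()` starts and ends outside the hunk.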
diff --git a/queue-5.4/serial-mvebu-uart-do-not-allow-changing-baudrate-whe.patch b/queue-5.4/serial-mvebu-uart-do-not-allow-changing-baudrate-whe.patch
new file mode 100644 (file)
index 0000000..8564cb2
--- /dev/null
@@ -0,0 +1,55 @@
+From 9dc26d203483e9261e917c0e55d8a14e4a78b52a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jun 2021 00:49:01 +0200
+Subject: serial: mvebu-uart: do not allow changing baudrate when uartclk is
+ not available
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit ecd6b010d81f97b06b2f64d2d4f50ebf5acddaa9 ]
+
+Testing mvuart->clk for non-error is not enough as mvuart->clk may contain
+valid clk pointer but when clk_prepare_enable(mvuart->clk) failed then
+port->uartclk is zero.
+
+When mvuart->clk is not available then port->uartclk is zero too.
+
+Parent clock rate port->uartclk is needed to calculate UART clock divisor
+and without it is not possible to change baudrate.
+
+So fix test condition when it is possible to change baudrate.
+
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Fixes: 68a0db1d7da2 ("serial: mvebu-uart: add function to change baudrate")
+Link: https://lore.kernel.org/r/20210624224909.6350-3-pali@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/mvebu-uart.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/tty/serial/mvebu-uart.c b/drivers/tty/serial/mvebu-uart.c
+index fb42d5304a68..57929b54e46a 100644
+--- a/drivers/tty/serial/mvebu-uart.c
++++ b/drivers/tty/serial/mvebu-uart.c
+@@ -445,12 +445,11 @@ static void mvebu_uart_shutdown(struct uart_port *port)
+ static int mvebu_uart_baud_rate_set(struct uart_port *port, unsigned int baud)
+ {
+-      struct mvebu_uart *mvuart = to_mvuart(port);
+       unsigned int d_divisor, m_divisor;
+       u32 brdv, osamp;
+-      if (IS_ERR(mvuart->clk))
+-              return -PTR_ERR(mvuart->clk);
++      if (!port->uartclk)
++              return -EOPNOTSUPP;
+       /*
+        * The baudrate is derived from the UART clock thanks to two divisors:
+-- 
+2.30.2
+
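Review bot: The new guard `if (!port->uartclk)` carries no comment explaining why a zero rate is the condition to test, and the reasoning exists only in the commit message. A line such as `/* uartclk is 0 when the clk is missing or clk_prepare_enable() failed: no divisor can be derived */` above it would keep a later cleanup from reverting to a test on `mvuart->clk`. The caller shown in the neighbouring mvebu-uart patch on this page only tests the result for non-zero, so the switch to `-EOPNOTSUPP` is not observable there. The function body continues outside the hunk.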
index 55c1c5aebba9f76bf6fb61a33066b7b271cc6033..a54af54f913e82c1393791682ae4aba06456c26e 100644 (file)
@@ -61,3 +61,284 @@ evm-refuse-evm_allow_metadata_writes-only-if-an-hmac-key-is-loaded.patch
 fuse-ignore-pg_workingset-after-stealing.patch
 fuse-check-connected-before-queueing-on-fpq-io.patch
 fuse-reject-internal-errno.patch
+spi-make-of_register_spi_device-also-set-the-fwnode.patch
+media-mdk-mdp-fix-pm_runtime_get_sync-usage-count.patch
+media-s5p-fix-pm_runtime_get_sync-usage-count.patch
+media-sh_vou-fix-pm_runtime_get_sync-usage-count.patch
+media-mtk-vcodec-fix-pm-runtime-get-logic.patch
+media-s5p-jpeg-fix-pm_runtime_get_sync-usage-count.patch
+media-sti-bdisp-fix-pm_runtime_get_sync-usage-count.patch
+media-exynos-gsc-fix-pm_runtime_get_sync-usage-count.patch
+spi-spi-loopback-test-fix-tx_buf-might-be-rx_buf.patch
+spi-spi-topcliff-pch-fix-potential-double-free-in-pc.patch
+spi-omap-100k-fix-the-length-judgment-problem.patch
+regulator-uniphier-add-missing-module_device_table.patch
+hwrng-exynos-fix-runtime-pm-imbalance-on-error.patch
+crypto-nx-add-missing-module_device_table.patch
+media-sti-fix-obj-config-targets.patch
+media-cpia2-fix-memory-leak-in-cpia2_usb_probe.patch
+media-cobalt-fix-race-condition-in-setting-hpd.patch
+media-pvrusb2-fix-warning-in-pvr2_i2c_core_done.patch
+media-imx-imx7_mipi_csis-fix-logging-of-only-error-e.patch
+crypto-qat-check-return-code-of-qat_hal_rd_rel_reg.patch
+crypto-qat-remove-unused-macro-in-fw-loader.patch
+sched-fair-fix-ascii-art-by-relpacing-tabs.patch
+media-em28xx-fix-possible-memory-leak-of-em28xx-stru.patch
+media-v4l2-core-avoid-the-dangling-pointer-in-v4l2_f.patch
+media-bt8xx-fix-a-missing-check-bug-in-bt878_probe.patch
+media-st-hva-fix-potential-null-pointer-dereferences.patch
+makefile-fix-gdb-warning-with-config_relr.patch
+media-dvd_usb-memory-leak-in-cinergyt2_fe_attach.patch
+memstick-rtsx_usb_ms-fix-uaf.patch
+mmc-sdhci-sprd-use-sdhci_sprd_writew.patch
+mmc-via-sdmmc-add-a-check-against-null-pointer-deref.patch
+crypto-shash-avoid-comparing-pointers-to-exported-fu.patch
+media-dvb_net-avoid-speculation-from-net-slot.patch
+media-siano-fix-device-register-error-path.patch
+media-imx-csi-skip-first-few-frames-from-a-bt.656-so.patch
+hwmon-max31790-report-correct-current-pwm-duty-cycle.patch
+hwmon-max31790-fix-pwmx_enable-attributes.patch
+drivers-perf-fix-the-missed-ida_simple_remove-in-ddr.patch
+kvm-ppc-book3s-hv-fix-tlb-management-on-smt8-power9-.patch
+btrfs-fix-error-handling-in-__btrfs_update_delayed_i.patch
+btrfs-abort-transaction-if-we-fail-to-update-the-del.patch
+btrfs-fix-the-filemap_range_has_page-call-in-btrfs_p.patch
+btrfs-disable-build-on-platforms-having-page-size-25.patch
+locking-lockdep-fix-the-dep-path-printing-for-backwa.patch
+lockding-lockdep-avoid-to-find-wrong-lock-dep-path-i.patch
+kvm-s390-get-rid-of-register-asm-usage.patch
+regulator-mt6358-fix-vdram2-.vsel_mask.patch
+regulator-da9052-ensure-enough-delay-time-for-.set_v.patch
+media-fix-media-controller-api-config-checks.patch
+hid-do-not-use-down_interruptible-when-unbinding-dev.patch
+edac-ti-add-missing-module_device_table.patch
+acpi-processor-idle-fix-up-c-state-latency-if-not-or.patch
+hv_utils-fix-passing-zero-to-ptr_err-warning.patch
+lib-vsprintf-fix-handling-of-number-field-widths-in-.patch
+acpi-ec-make-more-asus-laptops-use-ecdt-_gpe.patch
+block_dump-remove-block_dump-feature-in-mark_inode_d.patch
+fs-dlm-cancel-work-sync-othercon.patch
+random32-fix-implicit-truncation-warning-in-prandom_.patch
+fs-dlm-fix-memory-leak-when-fenced.patch
+acpica-fix-memory-leak-caused-by-_cid-repair-functio.patch
+acpi-bus-call-kobject_put-in-acpi_init-error-path.patch
+acpi-resources-add-checks-for-acpi-irq-override.patch
+block-fix-race-between-adding-removing-rq-qos-and-no.patch
+platform-x86-toshiba_acpi-fix-missing-error-code-in-.patch
+nvmet-fc-do-not-check-for-invalid-target-port-in-nvm.patch
+edac-intel-do-not-load-edac-driver-when-running-as-a.patch
+pci-hv-add-check-for-hyperv_initialized-in-init_hv_p.patch
+clocksource-retry-clock-read-if-long-delays-detected.patch
+acpi-tables-add-custom-dsdt-file-as-makefile-prerequ.patch
+hid-wacom-correct-base-usage-for-capacitive-expressk.patch
+cifs-fix-missing-spinlock-around-update-to-ses-statu.patch
+block-fix-discard-request-merge.patch
+kthread_worker-fix-return-value-when-kthread_mod_del.patch
+ia64-mca_drv-fix-incorrect-array-size-calculation.patch
+writeback-cgroup-increment-isw_nr_in_flight-before-g.patch
+media-s5p_cec-decrement-usage-count-if-disabled.patch
+crypto-ixp4xx-dma_unmap-the-correct-address.patch
+crypto-ux500-fix-error-return-code-in-hash_hw_final.patch
+sata_highbank-fix-deferred-probing.patch
+pata_rb532_cf-fix-deferred-probing.patch
+media-i2c-change-rst-to-rset-to-fix-multiple-build-e.patch
+sched-uclamp-fix-wrong-implementation-of-cpu.uclamp..patch
+sched-uclamp-fix-locking-around-cpu_util_update_eff.patch
+kbuild-run-the-checker-after-the-compiler.patch
+kbuild-fix-objtool-dependency-for-object_files_non_s.patch
+pata_octeon_cf-avoid-warn_on-in-ata_host_activate.patch
+evm-fix-writing-securityfs-evm-overflow.patch
+crypto-ccp-fix-a-resource-leak-in-an-error-handling-.patch
+media-rc-i2c-fix-an-error-message.patch
+pata_ep93xx-fix-deferred-probing.patch
+media-exynos4-is-fix-a-use-after-free-in-isp_video_r.patch
+media-au0828-fix-a-null-vs-is_err-check.patch
+media-tc358743-fix-error-return-code-in-tc358743_pro.patch
+media-gspca-gl860-fix-zero-length-control-requests.patch
+m68k-atari-fix-atari_kbd_core-kconfig-unmet-dependen.patch
+media-siano-fix-out-of-bounds-warnings-in-smscore_lo.patch
+crypto-nitrox-fix-unchecked-variable-in-nitrox_regis.patch
+crypto-omap-sham-fix-pm-reference-leak-in-omap-sham-.patch
+mmc-usdhi6rol0-fix-error-return-code-in-usdhi6_probe.patch
+arm64-consistently-use-reserved_pg_dir.patch
+arm64-mm-fix-ttbr0-values-stored-in-struct-thread_in.patch
+media-s5p-g2d-fix-a-memory-leak-on-ctx-fh.m2m_ctx.patch
+hwmon-max31722-remove-non-standard-acpi-device-ids.patch
+hwmon-max31790-fix-fan-speed-reporting-for-fan7.12.patch
+kvm-nvmx-ensure-64-bit-shift-when-checking-vmfunc-bi.patch
+regulator-hi655x-fix-pass-wrong-pointer-to-config.dr.patch
+btrfs-clear-log-tree-recovering-status-if-starting-t.patch
+sched-rt-fix-rt-utilization-tracking-during-policy-c.patch
+sched-rt-fix-deadline-utilization-tracking-during-po.patch
+sched-uclamp-fix-uclamp_tg_restrict.patch
+spi-spi-sun6i-fix-chipselect-clock-bug.patch
+crypto-nx-fix-rcu-warning-in-nx842_of_upd_status.patch
+acpi-sysfs-fix-a-buffer-overrun-problem-with-descrip.patch
+extcon-extcon-max8997-fix-irq-freeing-at-error-path.patch
+blk-wbt-introduce-a-new-disable-state-to-prevent-fal.patch
+blk-wbt-make-sure-throttle-is-enabled-properly.patch
+acpi-use-device_attr_-rw-ro-wo-macros.patch
+acpi-bgrt-fix-cfi-violation.patch
+cpufreq-make-cpufreq_online-call-driver-offline-on-e.patch
+ocfs2-fix-snprintf-checking.patch
+dax-fix-enomem-handling-in-grab_mapping_entry.patch
+xfrm-xfrm_state_mtu-should-return-at-least-1280-for-.patch
+video-fbdev-imxfb-fix-an-error-message.patch
+net-mvpp2-put-fwnode-in-error-case-during-probe.patch
+net-pch_gbe-propagate-error-from-devm_gpio_request_o.patch
+pinctrl-renesas-r8a7796-add-missing-bias-for-preset-.patch
+pinctrl-renesas-r8a77990-jtag-pins-do-not-have-pull-.patch
+clk-meson-g12a-fix-gp0-and-hifi-ranges.patch
+net-ftgmac100-add-missing-error-return-code-in-ftgma.patch
+drm-rockchip-cdn-dp-core-add-missing-clk_disable_unp.patch
+drm-rockchip-dsi-move-all-lane-config-except-lcdc-mu.patch
+ehea-fix-error-return-code-in-ehea_restart_qps.patch
+net-sched-act_vlan-fix-modify-to-allow-0.patch
+rdma-core-sanitize-wq-state-received-from-the-usersp.patch
+rdma-rxe-fix-failure-during-driver-load.patch
+drm-qxl-ensure-surf.data-is-ininitialized.patch
+tools-bpftool-fix-error-return-code-in-do_batch.patch
+ath10k-go-to-path-err_unsupported-when-chip-id-is-no.patch
+ath10k-add-missing-error-return-code-in-ath10k_pci_p.patch
+wireless-carl9170-fix-leds-build-errors-warnings.patch
+ieee802154-hwsim-fix-possible-memory-leak-in-hwsim_s.patch
+wcn36xx-move-hal_buf-allocation-to-devm_kmalloc-in-p.patch
+ssb-fix-error-return-code-in-ssb_bus_scan.patch
+brcmfmac-fix-setting-of-station-info-chains-bitmask.patch
+brcmfmac-correctly-report-average-rssi-in-station-in.patch
+brcmsmac-mac80211_if-fix-a-resource-leak-in-an-error.patch
+ath10k-fix-an-error-code-in-ath10k_add_interface.patch
+netlabel-fix-memory-leak-in-netlbl_mgmt_add_common.patch
+rdma-mlx5-don-t-add-slave-port-to-unaffiliated-list.patch
+netfilter-nft_exthdr-check-for-ipv6-packet-before-fu.patch
+netfilter-nft_osf-check-for-tcp-packet-before-furthe.patch
+netfilter-nft_tproxy-restrict-support-to-tcp-and-udp.patch
+rdma-rxe-fix-qp-reference-counting-for-atomic-ops.patch
+samples-bpf-fix-the-error-return-code-of-xdp_redirec.patch
+net-ethernet-aeroflex-fix-uaf-in-greth_of_remove.patch
+net-ethernet-ezchip-fix-uaf-in-nps_enet_remove.patch
+net-ethernet-ezchip-fix-error-handling.patch
+vrf-do-not-push-non-nd-strict-packets-with-a-source-.patch
+net-sched-add-barrier-to-ensure-correct-ordering-for.patch
+tls-prevent-oversized-sendfile-hangs-by-ignoring-msg.patch
+pkt_sched-sch_qfq-fix-qfq_change_class-error-path.patch
+vxlan-add-missing-rcu_read_lock-in-neigh_reduce.patch
+net-ipv4-swap-flow-ports-when-validating-source.patch
+tc-testing-fix-list-handling.patch
+ieee802154-hwsim-fix-memory-leak-in-hwsim_add_one.patch
+ieee802154-hwsim-avoid-possible-crash-in-hwsim_del_e.patch
+mac80211-remove-iwlwifi-specific-workaround-ndps-of-.patch
+net-bcmgenet-fix-attaching-to-pyh-failed-on-rpi-4b.patch
+ipv6-exthdrs-do-not-blindly-use-init_net.patch
+bpf-do-not-change-gso_size-during-bpf_skb_change_pro.patch
+i40e-fix-error-handling-in-i40e_vsi_open.patch
+i40e-fix-autoneg-disabling-for-non-10gbaset-links.patch
+revert-ibmvnic-remove-duplicate-napi_schedule-call-i.patch
+ibmvnic-free-tx_pool-if-tso_pool-alloc-fails.patch
+ipv6-fix-out-of-bound-access-in-ip6_parse_tlv.patch
+e1000e-check-the-pcim-state.patch
+bpfilter-specify-the-log-level-for-the-kmsg-message.patch
+gve-fix-swapped-vars-when-fetching-max-queues.patch
+revert-be2net-disable-bh-with-spin_lock-in-be_proces.patch
+bluetooth-mgmt-fix-slab-out-of-bounds-in-tlv_data_is.patch
+bluetooth-fix-handling-of-hci_le_advertising_set_ter.patch
+clk-actions-fix-uart-clock-dividers-on-owl-s500-soc.patch
+clk-actions-fix-sd-clocks-factor-table-on-owl-s500-s.patch
+clk-actions-fix-bisp_factor_table-based-clocks-on-ow.patch
+clk-si5341-avoid-divide-errors-due-to-bogus-register.patch
+clk-si5341-update-initialization-magic.patch
+writeback-fix-obtain-a-reference-to-a-freeing-memcg-.patch
+net-lwtunnel-handle-mtu-calculation-in-forwading.patch
+net-sched-fix-warning-in-tcindex_alloc_perfect_hash.patch
+rdma-mlx5-don-t-access-null-cleared-mpi-pointer.patch
+mips-fix-pkmap-with-32-bit-mips-huge-page-support.patch
+staging-fbtft-rectify-gpio-handling.patch
+rcu-invoke-rcu_spawn_core_kthreads-from-rcu_spawn_gp.patch
+tty-nozomi-fix-a-resource-leak-in-an-error-handling-.patch
+mwifiex-re-fix-for-unaligned-accesses.patch
+iio-adis_buffer-do-not-return-ints-in-irq-handlers.patch
+iio-adis16400-do-not-return-ints-in-irq-handlers.patch
+iio-accel-bma180-fix-buffer-alignment-in-iio_push_to.patch
+iio-accel-bma220-fix-buffer-alignment-in-iio_push_to.patch
+iio-accel-hid-fix-buffer-alignment-in-iio_push_to_bu.patch
+iio-accel-kxcjk-1013-fix-buffer-alignment-in-iio_pus.patch
+iio-accel-mxc4005-drop-unnecessary-explicit-casts-in.patch
+iio-accel-mxc4005-fix-overread-of-data-and-alignment.patch
+iio-accel-stk8312-fix-buffer-alignment-in-iio_push_t.patch
+iio-accel-stk8ba50-fix-buffer-alignment-in-iio_push_.patch
+iio-adc-ti-ads1015-fix-buffer-alignment-in-iio_push_.patch
+iio-adc-vf610-fix-buffer-alignment-in-iio_push_to_bu.patch
+iio-gyro-bmg160-fix-buffer-alignment-in-iio_push_to_.patch
+iio-humidity-am2315-fix-buffer-alignment-in-iio_push.patch
+iio-prox-srf08-fix-buffer-alignment-in-iio_push_to_b.patch
+iio-prox-pulsed-light-fix-buffer-alignment-in-iio_pu.patch
+iio-prox-as3935-fix-buffer-alignment-in-iio_push_to_.patch
+iio-magn-hmc5843-fix-buffer-alignment-in-iio_push_to.patch
+iio-magn-bmc150-fix-buffer-alignment-in-iio_push_to_.patch
+iio-light-isl29125-fix-buffer-alignment-in-iio_push_.patch
+iio-light-tcs3414-fix-buffer-alignment-in-iio_push_t.patch
+iio-light-tcs3472-fix-buffer-alignment-in-iio_push_t.patch
+iio-cros_ec_sensors-fix-alignment-of-buffer-in-iio_p.patch
+iio-potentiostat-lmp91000-fix-alignment-of-buffer-in.patch
+asoc-rk3328-fix-missing-clk_disable_unprepare-on-err.patch
+asoc-hisilicon-fix-missing-clk_disable_unprepare-on-.patch
+backlight-lm3630a_bl-put-fwnode-in-error-case-during.patch
+asoc-rsnd-tidyup-loop-on-rsnd_adg_clk_query.patch
+input-hil_kbd-fix-error-return-code-in-hil_dev_conne.patch
+mtd-partitions-redboot-seek-fis-index-block-in-the-r.patch
+char-pcmcia-error-out-if-num_bytes_read-is-greater-t.patch
+firmware-stratix10-svc-fix-a-resource-leak-in-an-err.patch
+tty-nozomi-fix-the-error-handling-path-of-nozomi_car.patch
+leds-lm3532-select-regmap-i2c-api.patch
+leds-lm36274-cosmetic-rename-lm36274_data-to-chip.patch
+leds-lm3692x-put-fwnode-in-any-case-during-probe.patch
+scsi-flashpoint-rename-si_flags-field.patch
+fsi-core-fix-return-of-error-values-on-failures.patch
+fsi-scom-reset-the-fsi2pib-engine-for-any-error.patch
+fsi-occ-don-t-accept-response-from-un-initialized-oc.patch
+fsi-sbefifo-clean-up-correct-fifo-when-receiving-res.patch
+fsi-sbefifo-fix-reset-timeout.patch
+visorbus-fix-error-return-code-in-visorchipset_init.patch
+s390-appldata-depends-on-proc_sysctl.patch
+iommu-dma-fix-iova-reserve-dma-ranges.patch
+asoc-mediatek-mtk-btcvsd-fix-an-error-handling-path-.patch
+usb-gadget-f_fs-fix-setting-of-device-and-driver-dat.patch
+usb-dwc2-don-t-reset-the-core-after-setting-turnarou.patch
+eeprom-idt_89hpesx-put-fwnode-in-matching-case-durin.patch
+eeprom-idt_89hpesx-restore-printing-the-unsupported-.patch
+iio-at91-sama5d2_adc-remove-usage-of-iio_priv_to_dev.patch
+iio-adc-at91-sama5d2-fix-buffer-alignment-in-iio_pus.patch
+iio-adc-hx711-fix-buffer-alignment-in-iio_push_to_bu.patch
+iio-adc-mxs-lradc-fix-buffer-alignment-in-iio_push_t.patch
+iio-adc-ti-ads8688-fix-alignment-of-buffer-in-iio_pu.patch
+iio-magn-rm3100-fix-alignment-of-buffer-in-iio_push_.patch
+staging-gdm724x-check-for-buffer-overflow-in-gdm_lte.patch
+staging-gdm724x-check-for-overflow-in-gdm_lte_netif_.patch
+staging-rtl8712-remove-redundant-check-in-r871xu_drv.patch
+staging-rtl8712-fix-memory-leak-in-rtl871x_load_fw_c.patch
+staging-mt7621-dts-fix-pci-address-for-pci-memory-ra.patch
+serial-8250-actually-allow-upf_magic_multiplier-baud.patch
+iio-light-vcnl4035-fix-buffer-alignment-in-iio_push_.patch
+iio-prox-isl29501-fix-buffer-alignment-in-iio_push_t.patch
+asoc-cs42l42-correct-definition-of-cs42l42_adc_pdn_m.patch
+of-fix-truncation-of-memory-sizes-on-32-bit-platform.patch
+mtd-rawnand-marvell-add-missing-clk_disable_unprepar.patch
+scsi-mpt3sas-fix-error-return-value-in-_scsih_expand.patch
+soundwire-stream-fix-test-for-dp-prepare-complete.patch
+phy-uniphier-pcie-fix-updating-phy-parameters.patch
+phy-ti-dm816x-fix-the-error-handling-path-in-dm816x_.patch
+extcon-sm5502-drop-invalid-register-write-in-sm5502_.patch
+extcon-max8997-add-missing-modalias-string.patch
+asoc-atmel-i2s-fix-usage-of-capture-and-playback-at-.patch
+configfs-fix-memleak-in-configfs_release_bin_file.patch
+leds-as3645a-fix-error-return-code-in-as3645a_parse_.patch
+leds-ktd2692-fix-an-error-handling-path.patch
+powerpc-offline-cpu-in-stop_this_cpu.patch
+serial-mvebu-uart-do-not-allow-changing-baudrate-whe.patch
+serial-mvebu-uart-correctly-calculate-minimal-possib.patch
+arm64-dts-marvell-armada-37xx-fix-reg-for-standard-v.patch
+vfio-pci-handle-concurrent-vma-faults.patch
+mm-huge_memory.c-don-t-discard-hugepage-if-other-pro.patch
+mm-z3fold-fix-potential-memory-leak-in-z3fold_destro.patch
+selftests-vm-pkeys-fix-alloc_random_pkey-to-make-it-.patch
+perf-llvm-return-enomem-when-asprintf-fails.patch
diff --git a/queue-5.4/soundwire-stream-fix-test-for-dp-prepare-complete.patch b/queue-5.4/soundwire-stream-fix-test-for-dp-prepare-complete.patch
new file mode 100644 (file)
index 0000000..d362689
--- /dev/null
@@ -0,0 +1,70 @@
+From 874a46ec87f8339f7bbba90c1deb9a77f085a941 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 15:47:45 +0100
+Subject: soundwire: stream: Fix test for DP prepare complete
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit 3d3e88e336338834086278236d42039f3cde50e1 ]
+
+In sdw_prep_deprep_slave_ports(), after the wait_for_completion()
+the DP prepare status register is read. If this indicates that the
+port is now prepared, the code should continue with the port setup.
+It is irrelevant whether the wait_for_completion() timed out if the
+port is now ready.
+
+The previous implementation would always fail if the
+wait_for_completion() timed out, even if the port was reporting
+successful prepare.
+
+This patch also fixes a minor bug where the return from sdw_read()
+was not checked for error - any error code with LSBits clear could
+be misinterpreted as a successful port prepare.
+
+Fixes: 79df15b7d37c ("soundwire: Add helpers for ports operations")
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20210618144745.30629-1-rf@opensource.cirrus.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soundwire/stream.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/soundwire/stream.c b/drivers/soundwire/stream.c
+index 23accfedbf4d..f7ca1f7a68f0 100644
+--- a/drivers/soundwire/stream.c
++++ b/drivers/soundwire/stream.c
+@@ -420,7 +420,6 @@ static int sdw_prep_deprep_slave_ports(struct sdw_bus *bus,
+       struct completion *port_ready;
+       struct sdw_dpn_prop *dpn_prop;
+       struct sdw_prepare_ch prep_ch;
+-      unsigned int time_left;
+       bool intr = false;
+       int ret = 0, val;
+       u32 addr;
+@@ -477,15 +476,15 @@ static int sdw_prep_deprep_slave_ports(struct sdw_bus *bus,
+               /* Wait for completion on port ready */
+               port_ready = &s_rt->slave->port_ready[prep_ch.num];
+-              time_left = wait_for_completion_timeout(port_ready,
+-                              msecs_to_jiffies(dpn_prop->ch_prep_timeout));
++              wait_for_completion_timeout(port_ready,
++                      msecs_to_jiffies(dpn_prop->ch_prep_timeout));
+               val = sdw_read(s_rt->slave, SDW_DPN_PREPARESTATUS(p_rt->num));
+-              val &= p_rt->ch_mask;
+-              if (!time_left || val) {
++              if ((val < 0) || (val & p_rt->ch_mask)) {
++                      ret = (val < 0) ? val : -ETIMEDOUT;
+                       dev_err(&s_rt->slave->dev,
+-                              "Chn prep failed for port:%d\n", prep_ch.num);
+-                      return -ETIMEDOUT;
++                              "Chn prep failed for port %d: %d\n", prep_ch.num, ret);
++                      return ret;
+               }
+       }
+-- 
+2.30.2
+
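Review bot: The return value of `wait_for_completion_timeout()` is now discarded without explanation in the second hunk of drivers/soundwire/stream.c, so a later reader may take it for an oversight and restore the old `!time_left` test. A short comment above the call would record the intent, for example `/* A timeout is not fatal by itself; the PREPARESTATUS read below decides */`. Note also that `-ETIMEDOUT` is now returned whenever the status bits are still set, whether or not the wait actually timed out. The body of sdw_prep_deprep_slave_ports() starts and ends outside the hunk.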
diff --git a/queue-5.4/spi-make-of_register_spi_device-also-set-the-fwnode.patch b/queue-5.4/spi-make-of_register_spi_device-also-set-the-fwnode.patch
new file mode 100644 (file)
index 0000000..c6af0f9
--- /dev/null
@@ -0,0 +1,62 @@
+From 9897dd2ee37b25d66dbaaf851c9fdfd2292890a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Apr 2021 11:14:02 +0100
+Subject: spi: Make of_register_spi_device also set the fwnode
+
+From: Charles Keepax <ckeepax@opensource.cirrus.com>
+
+[ Upstream commit 0e793ba77c18382f08e440260fe72bc6fce2a3cb ]
+
+Currently, the SPI core doesn't set the struct device fwnode pointer
+when it creates a new SPI device. This means when the device is
+registered the fwnode is NULL and the check in device_add which sets
+the fwnode->dev pointer is skipped. This wasn't previously an issue,
+however these two patches:
+
+commit 4731210c09f5 ("gpiolib: Bind gpio_device to a driver to enable
+fw_devlink=on by default")
+commit ced2af419528 ("gpiolib: Don't probe gpio_device if it's not the
+primary device")
+
+Added some code to the GPIO core which relies on using that
+fwnode->dev pointer to determine if a driver is bound to the fwnode
+and if not bind a stub GPIO driver. This means the GPIO providers
+behind SPI will get both the expected driver and this stub driver
+causing the stub driver to fail if it attempts to request any pin
+configuration. For example on my system:
+
+madera-pinctrl madera-pinctrl: pin gpio5 already requested by madera-pinctrl; cannot claim for gpiochip3
+madera-pinctrl madera-pinctrl: pin-4 (gpiochip3) status -22
+madera-pinctrl madera-pinctrl: could not request pin 4 (gpio5) from group aif1  on device madera-pinctrl
+gpio_stub_drv gpiochip3: Error applying setting, reverse things back
+gpio_stub_drv: probe of gpiochip3 failed with error -22
+
+The firmware node on the device created by the GPIO framework is set
+through the of_node pointer hence things generally actually work,
+however that fwnode->dev is never set, as the check was skipped at
+device_add time. This fix appears to match how the I2C subsystem
+handles the same situation.
+
+Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://lore.kernel.org/r/20210421101402.8468-1-ckeepax@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
+index f8f3434d5ab1..ac05c9c86488 100644
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -1849,6 +1849,7 @@ of_register_spi_device(struct spi_controller *ctlr, struct device_node *nc)
+       /* Store a pointer to the node in the device structure */
+       of_node_get(nc);
+       spi->dev.of_node = nc;
++      spi->dev.fwnode = of_fwnode_handle(nc);
+       /* Register the new device */
+       rc = spi_add_device(spi);
+-- 
+2.30.2
+
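Review bot: The added `spi->dev.fwnode = of_fwnode_handle(nc);` sits under the existing comment "Store a pointer to the node in the device structure", which does not say why a second pointer to the same node is needed. A comment such as `/* device_add() only links fwnode->dev when dev.fwnode is set */` would keep the reason given in the commit message next to the code. The error path after `spi_add_device()` is outside the hunk, so it cannot be checked from here whether the reference taken by `of_node_get(nc)` is dropped while the new pointer still refers to the node.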
diff --git a/queue-5.4/spi-omap-100k-fix-the-length-judgment-problem.patch b/queue-5.4/spi-omap-100k-fix-the-length-judgment-problem.patch
new file mode 100644 (file)
index 0000000..2f7a2ba
--- /dev/null
@@ -0,0 +1,36 @@
+From 544b3117db0a3bbb4a1ecda0f01a61efede30f55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Apr 2021 19:20:48 +0800
+Subject: spi: omap-100k: Fix the length judgment problem
+
+From: Tian Tao <tiantao6@hisilicon.com>
+
+[ Upstream commit e7a1a3abea373e41ba7dfe0fbc93cb79b6a3a529 ]
+
+word_len should be checked in the omap1_spi100k_setup_transfer
+function to see if it exceeds 32.
+
+Signed-off-by: Tian Tao <tiantao6@hisilicon.com>
+Link: https://lore.kernel.org/r/1619695248-39045-1-git-send-email-tiantao6@hisilicon.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-omap-100k.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-omap-100k.c b/drivers/spi/spi-omap-100k.c
+index b8e201c09484..f64d030c760a 100644
+--- a/drivers/spi/spi-omap-100k.c
++++ b/drivers/spi/spi-omap-100k.c
+@@ -242,7 +242,7 @@ static int omap1_spi100k_setup_transfer(struct spi_device *spi,
+       else
+               word_len = spi->bits_per_word;
+-      if (spi->bits_per_word > 32)
++      if (word_len > 32)
+               return -EINVAL;
+       cs->word_len = word_len;
+-- 
+2.30.2
+
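Review bot: The new test `if (word_len > 32)` bounds the word length only from above, so a value of 0 passes and is stored in `cs->word_len`. If nothing earlier in omap1_spi100k_setup_transfer() or in the SPI core normalises a zero `bits_per_word` (that code is outside the hunk), the guard could read `if (word_len == 0 || word_len > 32)`. The function starts and ends outside the hunk.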
diff --git a/queue-5.4/spi-spi-loopback-test-fix-tx_buf-might-be-rx_buf.patch b/queue-5.4/spi-spi-loopback-test-fix-tx_buf-might-be-rx_buf.patch
new file mode 100644 (file)
index 0000000..6f7fc7e
--- /dev/null
@@ -0,0 +1,35 @@
+From 43682b632e1878a51351918485d070fd8d869e67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 May 2021 14:58:23 +0800
+Subject: spi: spi-loopback-test: Fix 'tx_buf' might be 'rx_buf'
+
+From: Jay Fang <f.fangjian@huawei.com>
+
+[ Upstream commit 9e37a3ab0627011fb63875e9a93094b6fc8ddf48 ]
+
+In function 'spi_test_run_iter': Value 'tx_buf' might be 'rx_buf'.
+
+Signed-off-by: Jay Fang <f.fangjian@huawei.com>
+Link: https://lore.kernel.org/r/1620629903-15493-5-git-send-email-f.fangjian@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-loopback-test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-loopback-test.c b/drivers/spi/spi-loopback-test.c
+index 51633b2b6437..69a9df2cbbcf 100644
+--- a/drivers/spi/spi-loopback-test.c
++++ b/drivers/spi/spi-loopback-test.c
+@@ -868,7 +868,7 @@ static int spi_test_run_iter(struct spi_device *spi,
+               test.transfers[i].len = len;
+               if (test.transfers[i].tx_buf)
+                       test.transfers[i].tx_buf += tx_off;
+-              if (test.transfers[i].tx_buf)
++              if (test.transfers[i].rx_buf)
+                       test.transfers[i].rx_buf += rx_off;
+       }
+-- 
+2.30.2
+
diff --git a/queue-5.4/spi-spi-sun6i-fix-chipselect-clock-bug.patch b/queue-5.4/spi-spi-sun6i-fix-chipselect-clock-bug.patch
new file mode 100644 (file)
index 0000000..7f00d53
--- /dev/null
@@ -0,0 +1,56 @@
+From 42a8058782c265c293af1c92fab27be4b694bd56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Jun 2021 16:45:07 +0200
+Subject: spi: spi-sun6i: Fix chipselect/clock bug
+
+From: Mirko Vogt <mirko-dev|linux@nanl.de>
+
+[ Upstream commit 0d7993b234c9fad8cb6bec6adfaa74694ba85ecb ]
+
+The current sun6i SPI implementation initializes the transfer too early,
+resulting in SCK going high before the transfer. When using an additional
+(gpio) chipselect with sun6i, the chipselect is asserted at a time when
+clock is high, making the SPI transfer fail.
+
+This is due to SUN6I_GBL_CTL_BUS_ENABLE being written into
+SUN6I_GBL_CTL_REG at an early stage. Moving that to the transfer
+function, hence, right before the transfer starts, mitigates that
+problem.
+
+Fixes: 3558fe900e8af (spi: sunxi: Add Allwinner A31 SPI controller driver)
+Signed-off-by: Mirko Vogt <mirko-dev|linux@nanl.de>
+Signed-off-by: Ralf Schlatterbeck <rsc@runtux.com>
+Link: https://lore.kernel.org/r/20210614144507.y3udezjfbko7eavv@runtux.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-sun6i.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-sun6i.c b/drivers/spi/spi-sun6i.c
+index 956df79035d5..3a8acd78308f 100644
+--- a/drivers/spi/spi-sun6i.c
++++ b/drivers/spi/spi-sun6i.c
+@@ -297,6 +297,10 @@ static int sun6i_spi_transfer_one(struct spi_master *master,
+       }
+       sun6i_spi_write(sspi, SUN6I_CLK_CTL_REG, reg);
++      /* Finally enable the bus - doing so before might raise SCK to HIGH */
++      reg = sun6i_spi_read(sspi, SUN6I_GBL_CTL_REG);
++      reg |= SUN6I_GBL_CTL_BUS_ENABLE;
++      sun6i_spi_write(sspi, SUN6I_GBL_CTL_REG, reg);
+       /* Setup the transfer now... */
+       if (sspi->tx_buf)
+@@ -405,7 +409,7 @@ static int sun6i_spi_runtime_resume(struct device *dev)
+       }
+       sun6i_spi_write(sspi, SUN6I_GBL_CTL_REG,
+-                      SUN6I_GBL_CTL_BUS_ENABLE | SUN6I_GBL_CTL_MASTER | SUN6I_GBL_CTL_TP);
++                      SUN6I_GBL_CTL_MASTER | SUN6I_GBL_CTL_TP);
+       return 0;
+-- 
+2.30.2
+
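Review bot: `SUN6I_GBL_CTL_BUS_ENABLE` is now set in sun6i_spi_transfer_one() on every transfer, but neither hunk clears it again, so after the first transfer the bus appears to stay enabled until the next runtime resume rewrites `SUN6I_GBL_CTL_REG`. If the SCK level matters for every chip-select assertion rather than only the first, the bit would also have to be dropped when a transfer finishes; that code is outside the hunks, so this is a question to confirm rather than a finding. The added comment would read better as `/* Enable the bus only now - doing so earlier might raise SCK to HIGH */`, since "Finally" is followed by more transfer setup.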
diff --git a/queue-5.4/spi-spi-topcliff-pch-fix-potential-double-free-in-pc.patch b/queue-5.4/spi-spi-topcliff-pch-fix-potential-double-free-in-pc.patch
new file mode 100644 (file)
index 0000000..ae6843a
--- /dev/null
@@ -0,0 +1,42 @@
+From 6a971fbea3c24e15262de07adc4713576ed814e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 May 2021 15:08:08 +0800
+Subject: spi: spi-topcliff-pch: Fix potential double free in
+ pch_spi_process_messages()
+
+From: Jay Fang <f.fangjian@huawei.com>
+
+[ Upstream commit 026a1dc1af52742c5897e64a3431445371a71871 ]
+
+pch_spi_set_tx() frees data->pkt_tx_buff on failure of kzalloc() for
+data->pkt_rx_buff, but its caller, pch_spi_process_messages(), will
+free data->pkt_tx_buff again. Set data->pkt_tx_buff to NULL after
+kfree() to avoid double free.
+
+Signed-off-by: Jay Fang <f.fangjian@huawei.com>
+Link: https://lore.kernel.org/r/1620284888-65215-1-git-send-email-f.fangjian@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-topcliff-pch.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-topcliff-pch.c b/drivers/spi/spi-topcliff-pch.c
+index f88cbb94ce12..181ea30c416a 100644
+--- a/drivers/spi/spi-topcliff-pch.c
++++ b/drivers/spi/spi-topcliff-pch.c
+@@ -576,8 +576,10 @@ static void pch_spi_set_tx(struct pch_spi_data *data, int *bpw)
+       data->pkt_tx_buff = kzalloc(size, GFP_KERNEL);
+       if (data->pkt_tx_buff != NULL) {
+               data->pkt_rx_buff = kzalloc(size, GFP_KERNEL);
+-              if (!data->pkt_rx_buff)
++              if (!data->pkt_rx_buff) {
+                       kfree(data->pkt_tx_buff);
++                      data->pkt_tx_buff = NULL;
++              }
+       }
+       if (!data->pkt_rx_buff) {
+-- 
+2.30.2
+
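Review bot: When the first `kzalloc()` for `data->pkt_tx_buff` fails, `data->pkt_rx_buff` is not assigned anywhere in this hunk, yet the following `if (!data->pkt_rx_buff)` is the only failure test. That is safe only if every caller leaves `pkt_rx_buff` NULL before calling pch_spi_set_tx(), which cannot be confirmed from the hunk; a stale pointer there would let the function carry on with a NULL tx buffer. Testing both pointers, `if (!data->pkt_tx_buff || !data->pkt_rx_buff) {`, removes that dependency. The function body starts and ends outside the hunk.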
diff --git a/queue-5.4/ssb-fix-error-return-code-in-ssb_bus_scan.patch b/queue-5.4/ssb-fix-error-return-code-in-ssb_bus_scan.patch
new file mode 100644 (file)
index 0000000..a87c1af
--- /dev/null
@@ -0,0 +1,41 @@
+From f983017cb5efd1f632625cbd24cdae03748bc193 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 May 2021 15:29:49 +0800
+Subject: ssb: Fix error return code in ssb_bus_scan()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit 77a0989baa427dbd242c5784d05a53ca3d197d43 ]
+
+Fix to return -EINVAL from the error handling case instead of 0, as done
+elsewhere in this function.
+
+Fixes: 61e115a56d1a ("[SSB]: add Sonics Silicon Backplane bus support")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Acked-by: Michael Büsch <m@bues.ch>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210515072949.7151-1-thunder.leizhen@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ssb/scan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/ssb/scan.c b/drivers/ssb/scan.c
+index 6ceee98ed6ff..5c7e61cafd19 100644
+--- a/drivers/ssb/scan.c
++++ b/drivers/ssb/scan.c
+@@ -325,6 +325,7 @@ int ssb_bus_scan(struct ssb_bus *bus,
+       if (bus->nr_devices > ARRAY_SIZE(bus->devices)) {
+               pr_err("More than %d ssb cores found (%d)\n",
+                      SSB_MAX_NR_CORES, bus->nr_devices);
++              err = -EINVAL;
+               goto err_unmap;
+       }
+       if (bus->bustype == SSB_BUSTYPE_SSB) {
+-- 
+2.30.2
+
diff --git a/queue-5.4/staging-fbtft-rectify-gpio-handling.patch b/queue-5.4/staging-fbtft-rectify-gpio-handling.patch
new file mode 100644 (file)
index 0000000..1ebc5ad
--- /dev/null
@@ -0,0 +1,485 @@
+From 7c572c756433f1850912f3cd6748a3d8b84a64f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 May 2021 20:21:10 +0300
+Subject: staging: fbtft: Rectify GPIO handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit ec03c2104365ead0a33627c05e685093eed3eaef ]
+
+The infamous commit c440eee1a7a1 ("Staging: staging: fbtft: Switch to
+the GPIO descriptor interface") broke GPIO handling completely.
+It has already four commits to rectify and it seems not enough.
+In order to fix the mess here we:
+
+  1) Set default to "inactive" for all requested pins
+
+  2) Fix CS#, RD#, and WR# pins polarity since it's active low
+     and GPIO descriptor interface takes it into consideration
+     from the Device Tree or ACPI
+
+  3) Consolidate chip activation (CS# assertion) under default
+     ->reset() callback
+
+To summarize the expectations about polarity for GPIOs:
+
+   RD#                 Low
+   WR#                 Low
+   CS#                 Low
+   RESET#              Low
+   DC or RS            High
+   RW                  High
+   Data        0 .. 15         High
+
+See also Adafruit learning course [1] for the example of the schematics.
+
+While at it, drop unneeded NULL checks, since GPIO API is tolerant to that.
+
+[1]: https://learn.adafruit.com/adafruit-2-8-and-3-2-color-tft-touchscreen-breakout-v2/downloads
+
+Fixes: 92e3e884887c ("Staging: fbtft: Fix GPIO handling")
+Fixes: b918d1c27066 ("Staging: fbtft: Fix reset assertion when using gpio descriptor")
+Fixes: dbc4f989c878 ("Staging: fbtft: Fix probing of gpio descriptor")
+Fixes: c440eee1a7a1 ("Staging: fbtft: Switch to the gpio descriptor interface")
+Cc: Jan Sebastian Götte <linux@jaseg.net>
+Cc: Nishad Kamdar <nishadkamdar@gmail.com>
+Reviewed-by: Phil Reid <preid@electromag.com.au>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20210503172114.27891-2-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/fbtft/fb_agm1264k-fl.c | 20 ++++++++++----------
+ drivers/staging/fbtft/fb_bd663474.c    |  4 ----
+ drivers/staging/fbtft/fb_ili9163.c     |  4 ----
+ drivers/staging/fbtft/fb_ili9320.c     |  1 -
+ drivers/staging/fbtft/fb_ili9325.c     |  4 ----
+ drivers/staging/fbtft/fb_ili9340.c     |  1 -
+ drivers/staging/fbtft/fb_s6d1121.c     |  4 ----
+ drivers/staging/fbtft/fb_sh1106.c      |  1 -
+ drivers/staging/fbtft/fb_ssd1289.c     |  4 ----
+ drivers/staging/fbtft/fb_ssd1325.c     |  2 --
+ drivers/staging/fbtft/fb_ssd1331.c     |  6 ++----
+ drivers/staging/fbtft/fb_ssd1351.c     |  1 -
+ drivers/staging/fbtft/fb_upd161704.c   |  4 ----
+ drivers/staging/fbtft/fb_watterott.c   |  1 -
+ drivers/staging/fbtft/fbtft-bus.c      |  3 +--
+ drivers/staging/fbtft/fbtft-core.c     | 13 ++++++-------
+ drivers/staging/fbtft/fbtft-io.c       | 12 ++++++------
+ 17 files changed, 25 insertions(+), 60 deletions(-)
+
+diff --git a/drivers/staging/fbtft/fb_agm1264k-fl.c b/drivers/staging/fbtft/fb_agm1264k-fl.c
+index eeeeec97ad27..b545c2ca80a4 100644
+--- a/drivers/staging/fbtft/fb_agm1264k-fl.c
++++ b/drivers/staging/fbtft/fb_agm1264k-fl.c
+@@ -84,9 +84,9 @@ static void reset(struct fbtft_par *par)
+       dev_dbg(par->info->device, "%s()\n", __func__);
+-      gpiod_set_value(par->gpio.reset, 0);
+-      udelay(20);
+       gpiod_set_value(par->gpio.reset, 1);
++      udelay(20);
++      gpiod_set_value(par->gpio.reset, 0);
+       mdelay(120);
+ }
+@@ -194,12 +194,12 @@ static void write_reg8_bus8(struct fbtft_par *par, int len, ...)
+       /* select chip */
+       if (*buf) {
+               /* cs1 */
+-              gpiod_set_value(par->CS0, 1);
+-              gpiod_set_value(par->CS1, 0);
+-      } else {
+-              /* cs0 */
+               gpiod_set_value(par->CS0, 0);
+               gpiod_set_value(par->CS1, 1);
++      } else {
++              /* cs0 */
++              gpiod_set_value(par->CS0, 1);
++              gpiod_set_value(par->CS1, 0);
+       }
+       gpiod_set_value(par->RS, 0); /* RS->0 (command mode) */
+@@ -397,8 +397,8 @@ static int write_vmem(struct fbtft_par *par, size_t offset, size_t len)
+       }
+       kfree(convert_buf);
+-      gpiod_set_value(par->CS0, 1);
+-      gpiod_set_value(par->CS1, 1);
++      gpiod_set_value(par->CS0, 0);
++      gpiod_set_value(par->CS1, 0);
+       return ret;
+ }
+@@ -419,10 +419,10 @@ static int write(struct fbtft_par *par, void *buf, size_t len)
+               for (i = 0; i < 8; ++i)
+                       gpiod_set_value(par->gpio.db[i], data & (1 << i));
+               /* set E */
+-              gpiod_set_value(par->EPIN, 1);
++              gpiod_set_value(par->EPIN, 0);
+               udelay(5);
+               /* unset E - write */
+-              gpiod_set_value(par->EPIN, 0);
++              gpiod_set_value(par->EPIN, 1);
+               udelay(1);
+       }
+diff --git a/drivers/staging/fbtft/fb_bd663474.c b/drivers/staging/fbtft/fb_bd663474.c
+index e2c7646588f8..1629c2c440a9 100644
+--- a/drivers/staging/fbtft/fb_bd663474.c
++++ b/drivers/staging/fbtft/fb_bd663474.c
+@@ -12,7 +12,6 @@
+ #include <linux/module.h>
+ #include <linux/kernel.h>
+ #include <linux/init.h>
+-#include <linux/gpio/consumer.h>
+ #include <linux/delay.h>
+ #include "fbtft.h"
+@@ -24,9 +23,6 @@
+ static int init_display(struct fbtft_par *par)
+ {
+-      if (par->gpio.cs)
+-              gpiod_set_value(par->gpio.cs, 0);  /* Activate chip */
+-
+       par->fbtftops.reset(par);
+       /* Initialization sequence from Lib_UTFT */
+diff --git a/drivers/staging/fbtft/fb_ili9163.c b/drivers/staging/fbtft/fb_ili9163.c
+index 05648c3ffe47..6582a2c90aaf 100644
+--- a/drivers/staging/fbtft/fb_ili9163.c
++++ b/drivers/staging/fbtft/fb_ili9163.c
+@@ -11,7 +11,6 @@
+ #include <linux/module.h>
+ #include <linux/kernel.h>
+ #include <linux/init.h>
+-#include <linux/gpio/consumer.h>
+ #include <linux/delay.h>
+ #include <video/mipi_display.h>
+@@ -77,9 +76,6 @@ static int init_display(struct fbtft_par *par)
+ {
+       par->fbtftops.reset(par);
+-      if (par->gpio.cs)
+-              gpiod_set_value(par->gpio.cs, 0);  /* Activate chip */
+-
+       write_reg(par, MIPI_DCS_SOFT_RESET); /* software reset */
+       mdelay(500);
+       write_reg(par, MIPI_DCS_EXIT_SLEEP_MODE); /* exit sleep */
+diff --git a/drivers/staging/fbtft/fb_ili9320.c b/drivers/staging/fbtft/fb_ili9320.c
+index f2e72d14431d..a8f4c618b754 100644
+--- a/drivers/staging/fbtft/fb_ili9320.c
++++ b/drivers/staging/fbtft/fb_ili9320.c
+@@ -8,7 +8,6 @@
+ #include <linux/module.h>
+ #include <linux/kernel.h>
+ #include <linux/init.h>
+-#include <linux/gpio/consumer.h>
+ #include <linux/spi/spi.h>
+ #include <linux/delay.h>
+diff --git a/drivers/staging/fbtft/fb_ili9325.c b/drivers/staging/fbtft/fb_ili9325.c
+index c9aa4cb43123..16d3b17ca279 100644
+--- a/drivers/staging/fbtft/fb_ili9325.c
++++ b/drivers/staging/fbtft/fb_ili9325.c
+@@ -10,7 +10,6 @@
+ #include <linux/module.h>
+ #include <linux/kernel.h>
+ #include <linux/init.h>
+-#include <linux/gpio/consumer.h>
+ #include <linux/delay.h>
+ #include "fbtft.h"
+@@ -85,9 +84,6 @@ static int init_display(struct fbtft_par *par)
+ {
+       par->fbtftops.reset(par);
+-      if (par->gpio.cs)
+-              gpiod_set_value(par->gpio.cs, 0);  /* Activate chip */
+-
+       bt &= 0x07;
+       vc &= 0x07;
+       vrh &= 0x0f;
+diff --git a/drivers/staging/fbtft/fb_ili9340.c b/drivers/staging/fbtft/fb_ili9340.c
+index 415183c7054a..704236bcaf3f 100644
+--- a/drivers/staging/fbtft/fb_ili9340.c
++++ b/drivers/staging/fbtft/fb_ili9340.c
+@@ -8,7 +8,6 @@
+ #include <linux/module.h>
+ #include <linux/kernel.h>
+ #include <linux/init.h>
+-#include <linux/gpio/consumer.h>
+ #include <linux/delay.h>
+ #include <video/mipi_display.h>
+diff --git a/drivers/staging/fbtft/fb_s6d1121.c b/drivers/staging/fbtft/fb_s6d1121.c
+index 8c7de3290343..62f27172f844 100644
+--- a/drivers/staging/fbtft/fb_s6d1121.c
++++ b/drivers/staging/fbtft/fb_s6d1121.c
+@@ -12,7 +12,6 @@
+ #include <linux/module.h>
+ #include <linux/kernel.h>
+ #include <linux/init.h>
+-#include <linux/gpio/consumer.h>
+ #include <linux/delay.h>
+ #include "fbtft.h"
+@@ -29,9 +28,6 @@ static int init_display(struct fbtft_par *par)
+ {
+       par->fbtftops.reset(par);
+-      if (par->gpio.cs)
+-              gpiod_set_value(par->gpio.cs, 0);  /* Activate chip */
+-
+       /* Initialization sequence from Lib_UTFT */
+       write_reg(par, 0x0011, 0x2004);
+diff --git a/drivers/staging/fbtft/fb_sh1106.c b/drivers/staging/fbtft/fb_sh1106.c
+index 6f7249493ea3..7b9ab39e1c1a 100644
+--- a/drivers/staging/fbtft/fb_sh1106.c
++++ b/drivers/staging/fbtft/fb_sh1106.c
+@@ -9,7 +9,6 @@
+ #include <linux/module.h>
+ #include <linux/kernel.h>
+ #include <linux/init.h>
+-#include <linux/gpio/consumer.h>
+ #include <linux/delay.h>
+ #include "fbtft.h"
+diff --git a/drivers/staging/fbtft/fb_ssd1289.c b/drivers/staging/fbtft/fb_ssd1289.c
+index 7a3fe022cc69..f27bab38b3ec 100644
+--- a/drivers/staging/fbtft/fb_ssd1289.c
++++ b/drivers/staging/fbtft/fb_ssd1289.c
+@@ -10,7 +10,6 @@
+ #include <linux/module.h>
+ #include <linux/kernel.h>
+ #include <linux/init.h>
+-#include <linux/gpio/consumer.h>
+ #include "fbtft.h"
+@@ -28,9 +27,6 @@ static int init_display(struct fbtft_par *par)
+ {
+       par->fbtftops.reset(par);
+-      if (par->gpio.cs)
+-              gpiod_set_value(par->gpio.cs, 0);  /* Activate chip */
+-
+       write_reg(par, 0x00, 0x0001);
+       write_reg(par, 0x03, 0xA8A4);
+       write_reg(par, 0x0C, 0x0000);
+diff --git a/drivers/staging/fbtft/fb_ssd1325.c b/drivers/staging/fbtft/fb_ssd1325.c
+index 8a3140d41d8b..796a2ac3e194 100644
+--- a/drivers/staging/fbtft/fb_ssd1325.c
++++ b/drivers/staging/fbtft/fb_ssd1325.c
+@@ -35,8 +35,6 @@ static int init_display(struct fbtft_par *par)
+ {
+       par->fbtftops.reset(par);
+-      gpiod_set_value(par->gpio.cs, 0);
+-
+       write_reg(par, 0xb3);
+       write_reg(par, 0xf0);
+       write_reg(par, 0xae);
+diff --git a/drivers/staging/fbtft/fb_ssd1331.c b/drivers/staging/fbtft/fb_ssd1331.c
+index 37622c9462aa..ec5eced7f8cb 100644
+--- a/drivers/staging/fbtft/fb_ssd1331.c
++++ b/drivers/staging/fbtft/fb_ssd1331.c
+@@ -81,8 +81,7 @@ static void write_reg8_bus8(struct fbtft_par *par, int len, ...)
+       va_start(args, len);
+       *buf = (u8)va_arg(args, unsigned int);
+-      if (par->gpio.dc)
+-              gpiod_set_value(par->gpio.dc, 0);
++      gpiod_set_value(par->gpio.dc, 0);
+       ret = par->fbtftops.write(par, par->buf, sizeof(u8));
+       if (ret < 0) {
+               va_end(args);
+@@ -104,8 +103,7 @@ static void write_reg8_bus8(struct fbtft_par *par, int len, ...)
+                       return;
+               }
+       }
+-      if (par->gpio.dc)
+-              gpiod_set_value(par->gpio.dc, 1);
++      gpiod_set_value(par->gpio.dc, 1);
+       va_end(args);
+ }
+diff --git a/drivers/staging/fbtft/fb_ssd1351.c b/drivers/staging/fbtft/fb_ssd1351.c
+index 900b28d826b2..cf263a58a148 100644
+--- a/drivers/staging/fbtft/fb_ssd1351.c
++++ b/drivers/staging/fbtft/fb_ssd1351.c
+@@ -2,7 +2,6 @@
+ #include <linux/module.h>
+ #include <linux/kernel.h>
+ #include <linux/init.h>
+-#include <linux/gpio/consumer.h>
+ #include <linux/spi/spi.h>
+ #include <linux/delay.h>
+diff --git a/drivers/staging/fbtft/fb_upd161704.c b/drivers/staging/fbtft/fb_upd161704.c
+index c77832ae5e5b..c680160d6380 100644
+--- a/drivers/staging/fbtft/fb_upd161704.c
++++ b/drivers/staging/fbtft/fb_upd161704.c
+@@ -12,7 +12,6 @@
+ #include <linux/module.h>
+ #include <linux/kernel.h>
+ #include <linux/init.h>
+-#include <linux/gpio/consumer.h>
+ #include <linux/delay.h>
+ #include "fbtft.h"
+@@ -26,9 +25,6 @@ static int init_display(struct fbtft_par *par)
+ {
+       par->fbtftops.reset(par);
+-      if (par->gpio.cs)
+-              gpiod_set_value(par->gpio.cs, 0);  /* Activate chip */
+-
+       /* Initialization sequence from Lib_UTFT */
+       /* register reset */
+diff --git a/drivers/staging/fbtft/fb_watterott.c b/drivers/staging/fbtft/fb_watterott.c
+index 27cc8eabcbe9..fc65ce876155 100644
+--- a/drivers/staging/fbtft/fb_watterott.c
++++ b/drivers/staging/fbtft/fb_watterott.c
+@@ -8,7 +8,6 @@
+ #include <linux/module.h>
+ #include <linux/kernel.h>
+ #include <linux/init.h>
+-#include <linux/gpio/consumer.h>
+ #include <linux/delay.h>
+ #include "fbtft.h"
+diff --git a/drivers/staging/fbtft/fbtft-bus.c b/drivers/staging/fbtft/fbtft-bus.c
+index 63c65dd67b17..3d422bc11641 100644
+--- a/drivers/staging/fbtft/fbtft-bus.c
++++ b/drivers/staging/fbtft/fbtft-bus.c
+@@ -135,8 +135,7 @@ int fbtft_write_vmem16_bus8(struct fbtft_par *par, size_t offset, size_t len)
+       remain = len / 2;
+       vmem16 = (u16 *)(par->info->screen_buffer + offset);
+-      if (par->gpio.dc)
+-              gpiod_set_value(par->gpio.dc, 1);
++      gpiod_set_value(par->gpio.dc, 1);
+       /* non buffered write */
+       if (!par->txbuf.buf)
+diff --git a/drivers/staging/fbtft/fbtft-core.c b/drivers/staging/fbtft/fbtft-core.c
+index 61f0286fb157..bc53d68bfcaa 100644
+--- a/drivers/staging/fbtft/fbtft-core.c
++++ b/drivers/staging/fbtft/fbtft-core.c
+@@ -37,8 +37,7 @@ int fbtft_write_buf_dc(struct fbtft_par *par, void *buf, size_t len, int dc)
+ {
+       int ret;
+-      if (par->gpio.dc)
+-              gpiod_set_value(par->gpio.dc, dc);
++      gpiod_set_value(par->gpio.dc, dc);
+       ret = par->fbtftops.write(par, buf, len);
+       if (ret < 0)
+@@ -79,7 +78,7 @@ static int fbtft_request_one_gpio(struct fbtft_par *par,
+       int ret = 0;
+       *gpiop = devm_gpiod_get_index_optional(dev, name, index,
+-                                             GPIOD_OUT_HIGH);
++                                             GPIOD_OUT_LOW);
+       if (IS_ERR(*gpiop)) {
+               ret = PTR_ERR(*gpiop);
+               dev_err(dev,
+@@ -230,11 +229,15 @@ static void fbtft_reset(struct fbtft_par *par)
+ {
+       if (!par->gpio.reset)
+               return;
++
+       fbtft_par_dbg(DEBUG_RESET, par, "%s()\n", __func__);
++
+       gpiod_set_value_cansleep(par->gpio.reset, 1);
+       usleep_range(20, 40);
+       gpiod_set_value_cansleep(par->gpio.reset, 0);
+       msleep(120);
++
++      gpiod_set_value_cansleep(par->gpio.cs, 1);  /* Activate chip */
+ }
+ static void fbtft_update_display(struct fbtft_par *par, unsigned int start_line,
+@@ -921,8 +924,6 @@ static int fbtft_init_display_dt(struct fbtft_par *par)
+               return -EINVAL;
+       par->fbtftops.reset(par);
+-      if (par->gpio.cs)
+-              gpiod_set_value(par->gpio.cs, 0);  /* Activate chip */
+       while (p) {
+               if (val & FBTFT_OF_INIT_CMD) {
+@@ -1012,8 +1013,6 @@ int fbtft_init_display(struct fbtft_par *par)
+       }
+       par->fbtftops.reset(par);
+-      if (par->gpio.cs)
+-              gpiod_set_value(par->gpio.cs, 0);  /* Activate chip */
+       i = 0;
+       while (i < FBTFT_MAX_INIT_SEQUENCE) {
+diff --git a/drivers/staging/fbtft/fbtft-io.c b/drivers/staging/fbtft/fbtft-io.c
+index 0863d257d762..de1904a443c2 100644
+--- a/drivers/staging/fbtft/fbtft-io.c
++++ b/drivers/staging/fbtft/fbtft-io.c
+@@ -142,12 +142,12 @@ int fbtft_write_gpio8_wr(struct fbtft_par *par, void *buf, size_t len)
+               data = *(u8 *)buf;
+               /* Start writing by pulling down /WR */
+-              gpiod_set_value(par->gpio.wr, 0);
++              gpiod_set_value(par->gpio.wr, 1);
+               /* Set data */
+ #ifndef DO_NOT_OPTIMIZE_FBTFT_WRITE_GPIO
+               if (data == prev_data) {
+-                      gpiod_set_value(par->gpio.wr, 0); /* used as delay */
++                      gpiod_set_value(par->gpio.wr, 1); /* used as delay */
+               } else {
+                       for (i = 0; i < 8; i++) {
+                               if ((data & 1) != (prev_data & 1))
+@@ -165,7 +165,7 @@ int fbtft_write_gpio8_wr(struct fbtft_par *par, void *buf, size_t len)
+ #endif
+               /* Pullup /WR */
+-              gpiod_set_value(par->gpio.wr, 1);
++              gpiod_set_value(par->gpio.wr, 0);
+ #ifndef DO_NOT_OPTIMIZE_FBTFT_WRITE_GPIO
+               prev_data = *(u8 *)buf;
+@@ -192,12 +192,12 @@ int fbtft_write_gpio16_wr(struct fbtft_par *par, void *buf, size_t len)
+               data = *(u16 *)buf;
+               /* Start writing by pulling down /WR */
+-              gpiod_set_value(par->gpio.wr, 0);
++              gpiod_set_value(par->gpio.wr, 1);
+               /* Set data */
+ #ifndef DO_NOT_OPTIMIZE_FBTFT_WRITE_GPIO
+               if (data == prev_data) {
+-                      gpiod_set_value(par->gpio.wr, 0); /* used as delay */
++                      gpiod_set_value(par->gpio.wr, 1); /* used as delay */
+               } else {
+                       for (i = 0; i < 16; i++) {
+                               if ((data & 1) != (prev_data & 1))
+@@ -215,7 +215,7 @@ int fbtft_write_gpio16_wr(struct fbtft_par *par, void *buf, size_t len)
+ #endif
+               /* Pullup /WR */
+-              gpiod_set_value(par->gpio.wr, 1);
++              gpiod_set_value(par->gpio.wr, 0);
+ #ifndef DO_NOT_OPTIMIZE_FBTFT_WRITE_GPIO
+               prev_data = *(u16 *)buf;
+-- 
+2.30.2
+
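Review bot: In fbtft_reset() (drivers/staging/fbtft/fbtft-core.c) the new `gpiod_set_value_cansleep(par->gpio.cs, 1);` sits after the early `return` taken when `par->gpio.reset` is NULL, so a panel wired with a CS# GPIO but no reset GPIO never has its chip select asserted. The callers used to assert CS themselves right after `reset()`; those lines are removed throughout this patch, and the request default changes to `GPIOD_OUT_LOW` (inactive). Guarding only the reset pulse keeps the activation unconditional, as sketched below. Custom `reset()` callbacks such as the one in fb_agm1264k-fl.c do not touch `gpio.cs` either; whether they need to is not visible here.

```c
static void fbtft_reset(struct fbtft_par *par)
{
	if (par->gpio.reset) {
		fbtft_par_dbg(DEBUG_RESET, par, "%s()\n", __func__);

		gpiod_set_value_cansleep(par->gpio.reset, 1);
		usleep_range(20, 40);
		gpiod_set_value_cansleep(par->gpio.reset, 0);
		msleep(120);
	}

	/* Assert CS# even when the board has no reset line */
	gpiod_set_value_cansleep(par->gpio.cs, 1);  /* Activate chip */
}
```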
diff --git a/queue-5.4/staging-gdm724x-check-for-buffer-overflow-in-gdm_lte.patch b/queue-5.4/staging-gdm724x-check-for-buffer-overflow-in-gdm_lte.patch
new file mode 100644 (file)
index 0000000..b3ea4fc
--- /dev/null
@@ -0,0 +1,61 @@
+From d03b88a1300b889fe8dc3aa4e73ad254b4a0a21a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Jun 2021 12:55:35 +0300
+Subject: staging: gdm724x: check for buffer overflow in
+ gdm_lte_multi_sdu_pkt()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 4a36e160856db8a8ddd6a3d2e5db5a850ab87f82 ]
+
+There needs to be a check to verify that we don't read beyond the end
+of "buf".  This function is called from do_rx().  The "buf" is the USB
+transfer_buffer and "len" is "urb->actual_length".
+
+Fixes: 61e121047645 ("staging: gdm7240: adding LTE USB driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/YMcnl4zCwGWGDVMG@mwanda
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/gdm724x/gdm_lte.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/gdm724x/gdm_lte.c b/drivers/staging/gdm724x/gdm_lte.c
+index db11498f6fc7..182a77de2d04 100644
+--- a/drivers/staging/gdm724x/gdm_lte.c
++++ b/drivers/staging/gdm724x/gdm_lte.c
+@@ -677,6 +677,7 @@ static void gdm_lte_multi_sdu_pkt(struct phy_dev *phy_dev, char *buf, int len)
+       struct sdu *sdu = NULL;
+       u8 endian = phy_dev->get_endian(phy_dev->priv_dev);
+       u8 *data = (u8 *)multi_sdu->data;
++      int copied;
+       u16 i = 0;
+       u16 num_packet;
+       u16 hci_len;
+@@ -688,6 +689,12 @@ static void gdm_lte_multi_sdu_pkt(struct phy_dev *phy_dev, char *buf, int len)
+       num_packet = gdm_dev16_to_cpu(endian, multi_sdu->num_packet);
+       for (i = 0; i < num_packet; i++) {
++              copied = data - multi_sdu->data;
++              if (len < copied + sizeof(*sdu)) {
++                      pr_err("rx prevent buffer overflow");
++                      return;
++              }
++
+               sdu = (struct sdu *)data;
+               cmd_evt  = gdm_dev16_to_cpu(endian, sdu->cmd_evt);
+@@ -698,7 +705,8 @@ static void gdm_lte_multi_sdu_pkt(struct phy_dev *phy_dev, char *buf, int len)
+                       pr_err("rx sdu wrong hci %04x\n", cmd_evt);
+                       return;
+               }
+-              if (hci_len < 12) {
++              if (hci_len < 12 ||
++                  len < copied + sizeof(*sdu) + (hci_len - 12)) {
+                       pr_err("rx sdu invalid len %d\n", hci_len);
+                       return;
+               }
+-- 
+2.30.2
+
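Review bot: The two bounds checks added to gdm_lte_multi_sdu_pkt() compare `len` with `copied`, which is computed as `data - multi_sdu->data`, so the multi_sdu header bytes that precede `data` are not counted. If `len` is the length of the whole transfer buffer, as the commit message says, both checks still admit a read that runs past the end by the size of that header; measuring from the start of the buffer, `copied = data - (u8 *)buf;`, would close the gap. The new `pr_err("rx prevent buffer overflow")` also lacks the trailing `\n` that the two neighbouring messages carry. The function starts and ends outside these hunks, so the assignment of `multi_sdu` from `buf` is assumed rather than seen.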
diff --git a/queue-5.4/staging-gdm724x-check-for-overflow-in-gdm_lte_netif_.patch b/queue-5.4/staging-gdm724x-check-for-overflow-in-gdm_lte_netif_.patch
new file mode 100644 (file)
index 0000000..6b1018d
--- /dev/null
@@ -0,0 +1,45 @@
+From fa2e4c98145c0ff91095aa4018f72d1f526f6509 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Jun 2021 12:58:36 +0300
+Subject: staging: gdm724x: check for overflow in gdm_lte_netif_rx()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 7002b526f4ff1f6da34356e67085caafa6be383a ]
+
+This code assumes that "len" is at least 62 bytes, but we need a check
+to prevent a read overflow.
+
+Fixes: 61e121047645 ("staging: gdm7240: adding LTE USB driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/YMcoTPsCYlhh2TQo@mwanda
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/gdm724x/gdm_lte.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/staging/gdm724x/gdm_lte.c b/drivers/staging/gdm724x/gdm_lte.c
+index 182a77de2d04..8093d0608638 100644
+--- a/drivers/staging/gdm724x/gdm_lte.c
++++ b/drivers/staging/gdm724x/gdm_lte.c
+@@ -611,10 +611,12 @@ static void gdm_lte_netif_rx(struct net_device *dev, char *buf,
+                                                 * bytes (99,130,83,99 dec)
+                                                 */
+                       } __packed;
+-                      void *addr = buf + sizeof(struct iphdr) +
+-                              sizeof(struct udphdr) +
+-                              offsetof(struct dhcp_packet, chaddr);
+-                      ether_addr_copy(nic->dest_mac_addr, addr);
++                      int offset = sizeof(struct iphdr) +
++                                   sizeof(struct udphdr) +
++                                   offsetof(struct dhcp_packet, chaddr);
++                      if (offset + ETH_ALEN > len)
++                              return;
++                      ether_addr_copy(nic->dest_mac_addr, buf + offset);
+               }
+       }
+-- 
+2.30.2
+
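Review bot: The new `if (offset + ETH_ALEN > len) return;` in gdm_lte_netif_rx() exits silently, so a truncated frame from the device vanishes with no trace for whoever debugs the link. Counting it before returning, for example `dev->stats.rx_dropped++;`, would make short frames visible. A one-line comment such as `/* chaddr must lie inside the received buffer */` would also explain the bound. The function starts and ends outside the hunk, so the type of `len` and what the early return skips cannot be checked from here.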
diff --git a/queue-5.4/staging-mt7621-dts-fix-pci-address-for-pci-memory-ra.patch b/queue-5.4/staging-mt7621-dts-fix-pci-address-for-pci-memory-ra.patch
new file mode 100644 (file)
index 0000000..d7b705d
--- /dev/null
@@ -0,0 +1,54 @@
+From e70e2ef87d344f1619879f4ff847a901bfabf935 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Jun 2021 12:06:17 +0200
+Subject: staging: mt7621-dts: fix pci address for PCI memory range
+
+From: Sergio Paracuellos <sergio.paracuellos@gmail.com>
+
+[ Upstream commit 5b4f167ef3555ec4c334a8dc89c1b44bb2c6bff5 ]
+
+Driver code call 'devm_of_pci_get_host_bridge_resources'
+to get resources and properly fill 'bridge->windows' and
+'bridge->dma_ranges'. After parsing the ranges and store
+as resources, at the end it makes a call to pci function
+'pci_add_resource_offset' to set the offset for the
+memory resource. To calculate offset, resource start address
+subtracts pci address of the range. MT7621 does not need
+any offset for the memory resource. Moreover, setting an
+offset got into 'WARN_ON' calls from pci devices driver code.
+Until now memory range pci_addr was being '0x00000000' and
+res->start is '0x60000000' but becase pci controller driver
+was manually setting resources and adding them using pci function
+'pci_add_resource' where a zero is passed as offset, things
+was properly working. Since PCI_IOBASE is defined now for
+ralink we don't set nothing manually anymore so we have to
+properly fix PCI address for this range to make things work
+and the new pci address must be set to '0x60000000'. Doing
+in this way the subtract result obtain zero as offset
+and pci device driver code properly works.
+
+Fixes: d59578da2bb8 ("staging: mt7621-dts: add dts files")
+Signed-off-by: Sergio Paracuellos <sergio.paracuellos@gmail.com>
+Link: https://lore.kernel.org/r/20210614100617.28753-4-sergio.paracuellos@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/mt7621-dts/mt7621.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/mt7621-dts/mt7621.dtsi b/drivers/staging/mt7621-dts/mt7621.dtsi
+index a4c08110094b..5ca8607c5dbb 100644
+--- a/drivers/staging/mt7621-dts/mt7621.dtsi
++++ b/drivers/staging/mt7621-dts/mt7621.dtsi
+@@ -520,7 +520,7 @@
+               bus-range = <0 255>;
+               ranges = <
+-                      0x02000000 0 0x00000000 0x60000000 0 0x10000000 /* pci memory */
++                      0x02000000 0 0x60000000 0x60000000 0 0x10000000 /* pci memory */
+                       0x01000000 0 0x00000000 0x1e160000 0 0x00010000 /* io space */
+               >;
+-- 
+2.30.2
+
diff --git a/queue-5.4/staging-rtl8712-fix-memory-leak-in-rtl871x_load_fw_c.patch b/queue-5.4/staging-rtl8712-fix-memory-leak-in-rtl871x_load_fw_c.patch
new file mode 100644 (file)
index 0000000..a336620
--- /dev/null
@@ -0,0 +1,83 @@
+From 07400feec2c2ccb52644f43fd2a00febb231f2c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Jun 2021 01:00:19 +0300
+Subject: staging: rtl8712: fix memory leak in rtl871x_load_fw_cb
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit e02a3b945816a77702a2769a70ef5f9b06e49d54 ]
+
+There is a leak in rtl8712 driver.
+The problem was in non-freed adapter data if
+firmware load failed.
+
+This leak can be reproduced with this code:
+https://syzkaller.appspot.com/text?tag=ReproC&x=16612f02d00000,
+Autoload must fail (to not hit memory leak reported by syzkaller)
+
+There are 2 possible ways how rtl871x_load_fw_cb() and
+r871xu_dev_remove() can be called (in case of fw load error).
+
+1st case:
+       r871xu_dev_remove() then rtl871x_load_fw_cb()
+
+       In this case r871xu_dev_remove() will wait for
+       completion and then will jump to the end, because
+       rtl871x_load_fw_cb() set intfdata to NULL:
+
+       if (pnetdev) {
+               struct _adapter *padapter = netdev_priv(pnetdev);
+
+               /* never exit with a firmware callback pending */
+               wait_for_completion(&padapter->rtl8712_fw_ready);
+               pnetdev = usb_get_intfdata(pusb_intf);
+               usb_set_intfdata(pusb_intf, NULL);
+               if (!pnetdev)
+                       goto firmware_load_fail;
+
+               ... clean up code here ...
+       }
+
+2nd case:
+       rtl871x_load_fw_cb() then r871xu_dev_remove()
+
+       In this case pnetdev (from code snippet above) will
+       be zero (because rtl871x_load_fw_cb() set it to NULL)
+       And clean up code won't be executed again.
+
+So, in all cases we need to free adapted data in rtl871x_load_fw_cb(),
+because disconnect function cannot take care of it. And there won't be
+any race conditions, because complete() call happens after setting
+intfdata to NULL.
+
+In previous patch I moved out free_netdev() from r8712_free_drv_sw()
+and that's why now it's possible to free adapter data and then call
+complete.
+
+Fixes: 8c213fa59199 ("staging: r8712u: Use asynchronous firmware loading")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Link: https://lore.kernel.org/r/81e68fe0194499cc2e7692d35bc4dcf167827d8f.1623620630.git.paskripkin@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/rtl8712/hal_init.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/staging/rtl8712/hal_init.c b/drivers/staging/rtl8712/hal_init.c
+index 42c0a3c947f1..301b99060bc2 100644
+--- a/drivers/staging/rtl8712/hal_init.c
++++ b/drivers/staging/rtl8712/hal_init.c
+@@ -40,7 +40,10 @@ static void rtl871x_load_fw_cb(const struct firmware *firmware, void *context)
+               dev_err(&udev->dev, "r8712u: Firmware request failed\n");
+               usb_put_dev(udev);
+               usb_set_intfdata(usb_intf, NULL);
++              r8712_free_drv_sw(adapter);
++              adapter->dvobj_deinit(adapter);
+               complete(&adapter->rtl8712_fw_ready);
++              free_netdev(adapter->pnetdev);
+               return;
+       }
+       adapter->fw = firmware;
+-- 
+2.30.2
+
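Review bot: In the failure branch of rtl871x_load_fw_cb(), `free_netdev(adapter->pnetdev)` runs right after `complete(&adapter->rtl8712_fw_ready)`, and the completion is a member of `adapter`. If `adapter` is the netdev's private area, as the `netdev_priv(pnetdev)` snippet in the commit message suggests, a remover woken by complete() may still be inside wait_for_completion() on memory that is being freed. The lifetime rule deserves a comment above the new lines, for example `/* adapter is freed together with pnetdev; nothing may use it after free_netdev() */`. The waiter side in r871xu_dev_remove() is outside this hunk and should be checked against that rule.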
diff --git a/queue-5.4/staging-rtl8712-remove-redundant-check-in-r871xu_drv.patch b/queue-5.4/staging-rtl8712-remove-redundant-check-in-r871xu_drv.patch
new file mode 100644 (file)
index 0000000..9bbf69c
--- /dev/null
@@ -0,0 +1,46 @@
+From 9dcb21e04d2cb4bc93a0f373b66396bb6d277a36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Jun 2021 01:00:07 +0300
+Subject: staging: rtl8712: remove redundant check in r871xu_drv_init
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit 69d998f1e552f6e2e7b55f5058ce1ac7a72903f9 ]
+
+padapter->dvobj_init is initialized rigth before
+initialization check. There is no need for any
+branching here.
+
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Link: https://lore.kernel.org/r/d367e5f39f22af44c545f8710cc18fb00f10e66c.1623620630.git.paskripkin@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/rtl8712/usb_intf.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/staging/rtl8712/usb_intf.c b/drivers/staging/rtl8712/usb_intf.c
+index 2fcd65260f4c..bc421925e84c 100644
+--- a/drivers/staging/rtl8712/usb_intf.c
++++ b/drivers/staging/rtl8712/usb_intf.c
+@@ -380,13 +380,11 @@ static int r871xu_drv_init(struct usb_interface *pusb_intf,
+       /* step 3.
+        * initialize the dvobj_priv
+        */
+-      if (!padapter->dvobj_init) {
++
++      status = padapter->dvobj_init(padapter);
++      if (status != _SUCCESS)
+               goto error;
+-      } else {
+-              status = padapter->dvobj_init(padapter);
+-              if (status != _SUCCESS)
+-                      goto error;
+-      }
++
+       /* step 4. */
+       status = r8712_init_drv_sw(padapter);
+       if (status)
+-- 
+2.30.2
+
diff --git a/queue-5.4/tc-testing-fix-list-handling.patch b/queue-5.4/tc-testing-fix-list-handling.patch
new file mode 100644 (file)
index 0000000..6e20a76
--- /dev/null
@@ -0,0 +1,35 @@
+From 6e7b1822e8754e05aed53158f9c85bd2aa987049 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jun 2021 12:05:00 -0300
+Subject: tc-testing: fix list handling
+
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+
+[ Upstream commit b4fd096cbb871340be837491fa1795864a48b2d9 ]
+
+python lists don't have an 'add' method, but 'append'.
+
+Fixes: 14e5175e9e04 ("tc-testing: introduce scapyPlugin for basic traffic")
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/tc-testing/plugin-lib/scapyPlugin.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/tc-testing/plugin-lib/scapyPlugin.py b/tools/testing/selftests/tc-testing/plugin-lib/scapyPlugin.py
+index 229ee185b27e..a7b21658af9b 100644
+--- a/tools/testing/selftests/tc-testing/plugin-lib/scapyPlugin.py
++++ b/tools/testing/selftests/tc-testing/plugin-lib/scapyPlugin.py
+@@ -36,7 +36,7 @@ class SubPlugin(TdcPlugin):
+         for k in scapy_keys:
+             if k not in scapyinfo:
+                 keyfail = True
+-                missing_keys.add(k)
++                missing_keys.append(k)
+         if keyfail:
+             print('{}: Scapy block present in the test, but is missing info:'
+                 .format(self.sub_class))
+-- 
+2.30.2
+
diff --git a/queue-5.4/tls-prevent-oversized-sendfile-hangs-by-ignoring-msg.patch b/queue-5.4/tls-prevent-oversized-sendfile-hangs-by-ignoring-msg.patch
new file mode 100644 (file)
index 0000000..9722162
--- /dev/null
@@ -0,0 +1,61 @@
+From 9e25db311a3b919a20b34d696dd4e1ca7588342a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 13:34:06 -0700
+Subject: tls: prevent oversized sendfile() hangs by ignoring MSG_MORE
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit d452d48b9f8b1a7f8152d33ef52cfd7fe1735b0a ]
+
+We got multiple reports that multi_chunk_sendfile test
+case from tls selftest fails. This was sort of expected,
+as the original fix was never applied (see it in the first
+Link:). The test in question uses sendfile() with count
+larger than the size of the underlying file. This will
+make splice set MSG_MORE on all sendpage calls, meaning
+TLS will never close and flush the last partial record.
+
+Eric seem to have addressed a similar problem in
+commit 35f9c09fe9c7 ("tcp: tcp_sendpages() should call tcp_push() once")
+by introducing MSG_SENDPAGE_NOTLAST. Unlike MSG_MORE
+MSG_SENDPAGE_NOTLAST is not set on the last call
+of a "pipefull" of data (PIPE_DEF_BUFFERS == 16,
+so every 16 pages or whenever we run out of data).
+
+Having a break every 16 pages should be fine, TLS
+can pack exactly 4 pages into a record, so for
+aligned reads there should be no difference,
+unaligned may see one extra record per sendpage().
+
+Sticking to TCP semantics seems preferable to modifying
+splice, but we can revisit it if real life scenarios
+show a regression.
+
+Reported-by: Vadim Fedorenko <vfedorenko@novek.ru>
+Reported-by: Seth Forshee <seth.forshee@canonical.com>
+Link: https://lore.kernel.org/netdev/1591392508-14592-1-git-send-email-pooja.trivedi@stackpath.com/
+Fixes: 3c4d7559159b ("tls: kernel TLS support")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Tested-by: Seth Forshee <seth.forshee@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tls/tls_sw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
+index cdb65aa54be7..7fb5c067f429 100644
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -1150,7 +1150,7 @@ static int tls_sw_do_sendpage(struct sock *sk, struct page *page,
+       int ret = 0;
+       bool eor;
+-      eor = !(flags & (MSG_MORE | MSG_SENDPAGE_NOTLAST));
++      eor = !(flags & MSG_SENDPAGE_NOTLAST);
+       sk_clear_bit(SOCKWQ_ASYNC_NOSPACE, sk);
+       /* Call the sk_stream functions to manage the sndbuf mem. */
+-- 
+2.30.2
+
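Review bot: The new `eor = !(flags & MSG_SENDPAGE_NOTLAST);` in tls_sw_do_sendpage() ignores MSG_MORE on purpose, but nothing in the code says so, and a later reader could take the missing flag for an oversight and restore it. A comment above the line would keep the commit message's reasoning with the code, for example `/* MSG_MORE is ignored on purpose: splice sets it on every call of an oversized sendfile(), so the last partial record would never be closed */`. The function continues outside the hunk.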
diff --git a/queue-5.4/tools-bpftool-fix-error-return-code-in-do_batch.patch b/queue-5.4/tools-bpftool-fix-error-return-code-in-do_batch.patch
new file mode 100644 (file)
index 0000000..fcbfd00
--- /dev/null
@@ -0,0 +1,42 @@
+From cb17d58741952ceeb8e7212f20c077379c7495e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jun 2021 19:59:16 +0800
+Subject: tools/bpftool: Fix error return code in do_batch()
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit ca16b429f39b4ce013bfa7e197f25681e65a2a42 ]
+
+Fix to return a negative error code from the error handling
+case instead of 0, as done elsewhere in this function.
+
+Fixes: 668da745af3c2 ("tools: bpftool: add support for quotations ...")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Reviewed-by: Quentin Monnet <quentin@isovalent.com>
+Link: https://lore.kernel.org/bpf/20210609115916.2186872-1-chengzhihao1@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/bpftool/main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tools/bpf/bpftool/main.c b/tools/bpf/bpftool/main.c
+index 93d008687020..7d3cfb0ccbe6 100644
+--- a/tools/bpf/bpftool/main.c
++++ b/tools/bpf/bpftool/main.c
+@@ -303,8 +303,10 @@ static int do_batch(int argc, char **argv)
+               n_argc = make_args(buf, n_argv, BATCH_ARG_NB_MAX, lines);
+               if (!n_argc)
+                       continue;
+-              if (n_argc < 0)
++              if (n_argc < 0) {
++                      err = n_argc;
+                       goto err_close;
++              }
+               if (json_output) {
+                       jsonw_start_object(json_wtr);
+-- 
+2.30.2
+
diff --git a/queue-5.4/tty-nozomi-fix-a-resource-leak-in-an-error-handling-.patch b/queue-5.4/tty-nozomi-fix-a-resource-leak-in-an-error-handling-.patch
new file mode 100644 (file)
index 0000000..adbbc17
--- /dev/null
@@ -0,0 +1,39 @@
+From 62a3f7a8481d1c33a0ee2f1c731d0fc7ee57b039 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 May 2021 19:22:33 +0200
+Subject: tty: nozomi: Fix a resource leak in an error handling function
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 31a9a318255960d32ae183e95d0999daf2418608 ]
+
+A 'request_irq()' call is not balanced by a corresponding 'free_irq()' in
+the error handling path, as already done in the remove function.
+
+Add it.
+
+Fixes: 9842c38e9176 ("kfifo: fix warn_unused_result")
+Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/4f0d2b3038e82f081d370ccb0cade3ad88463fe7.1620580838.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/nozomi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/tty/nozomi.c b/drivers/tty/nozomi.c
+index ed99948f3b7f..50590e50c3fe 100644
+--- a/drivers/tty/nozomi.c
++++ b/drivers/tty/nozomi.c
+@@ -1437,6 +1437,7 @@ err_free_tty:
+               tty_unregister_device(ntty_driver, dc->index_start + i);
+               tty_port_destroy(&dc->port[i].port);
+       }
++      free_irq(pdev->irq, dc);
+ err_free_kfifo:
+       for (i = 0; i < MAX_PORT; i++)
+               kfifo_free(&dc->port[i].fifo_ul);
+-- 
+2.30.2
+
diff --git a/queue-5.4/tty-nozomi-fix-the-error-handling-path-of-nozomi_car.patch b/queue-5.4/tty-nozomi-fix-the-error-handling-path-of-nozomi_car.patch
new file mode 100644 (file)
index 0000000..67f5c1c
--- /dev/null
@@ -0,0 +1,58 @@
+From 883b5001e5591905d8ed33c187a7761d6230ca59 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 May 2021 20:51:57 +0200
+Subject: tty: nozomi: Fix the error handling path of 'nozomi_card_init()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 6ae7d0f5a92b9619f6e3c307ce56b2cefff3f0e9 ]
+
+The error handling path is broken and we may un-register things that have
+never been registered.
+
+Update the loops index accordingly.
+
+Fixes: 9842c38e9176 ("kfifo: fix warn_unused_result")
+Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/e28c2e92c7475da25b03d022ea2d6dcf1ba807a2.1621968629.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/nozomi.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/tty/nozomi.c b/drivers/tty/nozomi.c
+index 50590e50c3fe..af9b00918e4e 100644
+--- a/drivers/tty/nozomi.c
++++ b/drivers/tty/nozomi.c
+@@ -1395,7 +1395,7 @@ static int nozomi_card_init(struct pci_dev *pdev,
+                       NOZOMI_NAME, dc);
+       if (unlikely(ret)) {
+               dev_err(&pdev->dev, "can't request irq %d\n", pdev->irq);
+-              goto err_free_kfifo;
++              goto err_free_all_kfifo;
+       }
+       DBG1("base_addr: %p", dc->base_addr);
+@@ -1433,13 +1433,15 @@ static int nozomi_card_init(struct pci_dev *pdev,
+       return 0;
+ err_free_tty:
+-      for (i = 0; i < MAX_PORT; ++i) {
++      for (i--; i >= 0; i--) {
+               tty_unregister_device(ntty_driver, dc->index_start + i);
+               tty_port_destroy(&dc->port[i].port);
+       }
+       free_irq(pdev->irq, dc);
++err_free_all_kfifo:
++      i = MAX_PORT;
+ err_free_kfifo:
+-      for (i = 0; i < MAX_PORT; i++)
++      for (i--; i >= PORT_MDM; i--)
+               kfifo_free(&dc->port[i].fifo_ul);
+ err_free_sbuf:
+       kfree(dc->send_buf);
+-- 
+2.30.2
+
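Review bot: Both countdown loops added to the error path of nozomi_card_init(), `for (i--; i >= 0; i--)` and `for (i--; i >= PORT_MDM; i--)`, terminate only if `i` is a signed type. The declaration of `i` is outside the hunks, so this should be confirmed: with an unsigned index the first condition is always true and the loop would index past `dc->port[]`. The second loop also assumes that every jump to `err_free_kfifo` arrives with `i` equal to the index of the kfifo that failed to allocate, which the hunks do not show. A short comment at the labels, such as `/* i = number of entries set up so far */`, would state that contract.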
diff --git a/queue-5.4/usb-dwc2-don-t-reset-the-core-after-setting-turnarou.patch b/queue-5.4/usb-dwc2-don-t-reset-the-core-after-setting-turnarou.patch
new file mode 100644 (file)
index 0000000..f448465
--- /dev/null
@@ -0,0 +1,101 @@
+From 5c0e524fa0b1a98f1cc7dc124584be2152c97093 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jun 2021 17:59:21 +0200
+Subject: usb: dwc2: Don't reset the core after setting turnaround time
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Clément Lassieur <clement@lassieur.org>
+
+[ Upstream commit aafe93516b8567ab5864e1f4cd3eeabc54fb0e5a ]
+
+Every time the hub signals a reset while we (device) are hsotg->connected,
+dwc2_hsotg_core_init_disconnected() is called, which in turn calls
+dwc2_hs_phy_init().
+
+GUSBCFG.USBTrdTim is cleared upon Core Soft Reset, so if
+hsotg->params.phy_utmi_width is 8-bit, the value of GUSBCFG.USBTrdTim (the
+default one: 0x5, corresponding to 16-bit) is always different from
+hsotg->params.phy_utmi_width, thus dwc2_core_reset() is called every
+time (usbcfg != usbcfg_old), which causes 2 issues:
+
+1) The call to dwc2_core_reset() does another reset 300us after the initial
+Chirp K of the first reset (which should last at least Tuch = 1ms), and
+messes up the High-speed Detection Handshake: both hub and device drive
+current into the D+ and D- lines at the same time.
+
+2) GUSBCFG.USBTrdTim is cleared by the second reset, so its value is always
+the default one (0x5).
+
+Setting GUSBCFG.USBTrdTim after the potential call to dwc2_core_reset()
+fixes both issues.  It is now set even when select_phy is false because the
+cost of the Core Soft Reset is removed.
+
+Fixes: 1e868545f2bb ("usb: dwc2: gadget: Move gadget phy init into core phy init")
+Signed-off-by: Clément Lassieur <clement@lassieur.org>
+Link: https://lore.kernel.org/r/20210603155921.940651-1-clement@lassieur.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc2/core.c | 30 +++++++++++++++++++++---------
+ 1 file changed, 21 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/usb/dwc2/core.c b/drivers/usb/dwc2/core.c
+index 78a4925aa118..093980481c4d 100644
+--- a/drivers/usb/dwc2/core.c
++++ b/drivers/usb/dwc2/core.c
+@@ -1152,15 +1152,6 @@ static int dwc2_hs_phy_init(struct dwc2_hsotg *hsotg, bool select_phy)
+               usbcfg &= ~(GUSBCFG_ULPI_UTMI_SEL | GUSBCFG_PHYIF16);
+               if (hsotg->params.phy_utmi_width == 16)
+                       usbcfg |= GUSBCFG_PHYIF16;
+-
+-              /* Set turnaround time */
+-              if (dwc2_is_device_mode(hsotg)) {
+-                      usbcfg &= ~GUSBCFG_USBTRDTIM_MASK;
+-                      if (hsotg->params.phy_utmi_width == 16)
+-                              usbcfg |= 5 << GUSBCFG_USBTRDTIM_SHIFT;
+-                      else
+-                              usbcfg |= 9 << GUSBCFG_USBTRDTIM_SHIFT;
+-              }
+               break;
+       default:
+               dev_err(hsotg->dev, "FS PHY selected at HS!\n");
+@@ -1182,6 +1173,24 @@ static int dwc2_hs_phy_init(struct dwc2_hsotg *hsotg, bool select_phy)
+       return retval;
+ }
++static void dwc2_set_turnaround_time(struct dwc2_hsotg *hsotg)
++{
++      u32 usbcfg;
++
++      if (hsotg->params.phy_type != DWC2_PHY_TYPE_PARAM_UTMI)
++              return;
++
++      usbcfg = dwc2_readl(hsotg, GUSBCFG);
++
++      usbcfg &= ~GUSBCFG_USBTRDTIM_MASK;
++      if (hsotg->params.phy_utmi_width == 16)
++              usbcfg |= 5 << GUSBCFG_USBTRDTIM_SHIFT;
++      else
++              usbcfg |= 9 << GUSBCFG_USBTRDTIM_SHIFT;
++
++      dwc2_writel(hsotg, usbcfg, GUSBCFG);
++}
++
+ int dwc2_phy_init(struct dwc2_hsotg *hsotg, bool select_phy)
+ {
+       u32 usbcfg;
+@@ -1199,6 +1208,9 @@ int dwc2_phy_init(struct dwc2_hsotg *hsotg, bool select_phy)
+               retval = dwc2_hs_phy_init(hsotg, select_phy);
+               if (retval)
+                       return retval;
++
++              if (dwc2_is_device_mode(hsotg))
++                      dwc2_set_turnaround_time(hsotg);
+       }
+       if (hsotg->hw_params.hs_phy_type == GHWCFG2_HS_PHY_TYPE_ULPI &&
+-- 
+2.30.2
+
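Review bot: The new helper dwc2_set_turnaround_time() has no comment, although the ordering it depends on is the whole point of the change. Per the commit message, it must run after dwc2_hs_phy_init() because a Core Soft Reset clears GUSBCFG.USBTrdTim. A short comment block above the function should state that, and should say that 5 is written for a 16-bit UTMI width and 9 otherwise, so that a later refactor does not move the write back in front of the reset. The two literals could also become named constants. dwc2_phy_init() continues outside the last hunk.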
diff --git a/queue-5.4/usb-gadget-f_fs-fix-setting-of-device-and-driver-dat.patch b/queue-5.4/usb-gadget-f_fs-fix-setting-of-device-and-driver-dat.patch
new file mode 100644 (file)
index 0000000..726289c
--- /dev/null
@@ -0,0 +1,572 @@
+From 27e39b49fd0b23952ddc27dec00976ebb2655332 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jun 2021 12:15:07 -0500
+Subject: usb: gadget: f_fs: Fix setting of device and driver data
+ cross-references
+
+From: Andrew Gabbasov <andrew_gabbasov@mentor.com>
+
+[ Upstream commit ecfbd7b9054bddb12cea07fda41bb3a79a7b0149 ]
+
+FunctionFS device structure 'struct ffs_dev' and driver data structure
+'struct ffs_data' are bound to each other with cross-reference pointers
+'ffs_data->private_data' and 'ffs_dev->ffs_data'. While the first one
+is supposed to be valid through the whole life of 'struct ffs_data'
+(and while 'struct ffs_dev' exists non-freed), the second one is cleared
+in 'ffs_closed()' (called from 'ffs_data_reset()' or the last
+'ffs_data_put()'). This can be called several times, alternating in
+different order with 'ffs_free_inst()', that, if possible, clears
+the other cross-reference.
+
+As a result, different cases of these calls order may leave stale
+cross-reference pointers, used when the pointed structure is already
+freed. Even if it occasionally doesn't cause kernel crash, this error
+is reported by KASAN-enabled kernel configuration.
+
+For example, the case [last 'ffs_data_put()' - 'ffs_free_inst()'] was
+fixed by commit cdafb6d8b8da ("usb: gadget: f_fs: Fix use-after-free in
+ffs_free_inst").
+
+The other case ['ffs_data_reset()' - 'ffs_free_inst()' - 'ffs_data_put()']
+now causes KASAN reported error [1], when 'ffs_data_reset()' clears
+'ffs_dev->ffs_data', then 'ffs_free_inst()' frees the 'struct ffs_dev',
+but can't clear 'ffs_data->private_data', which is then accessed
+in 'ffs_closed()' called from 'ffs_data_put()'. This happens since
+'ffs_dev->ffs_data' reference is cleared too early.
+
+Moreover, one more use case, when 'ffs_free_inst()' is called immediately
+after mounting FunctionFS device (that is before the descriptors are
+written and 'ffs_ready()' is called), and then 'ffs_data_reset()'
+or 'ffs_data_put()' is called from accessing "ep0" file or unmounting
+the device. This causes KASAN error report like [2], since
+'ffs_dev->ffs_data' is not yet set when 'ffs_free_inst()' can't properly
+clear 'ffs_data->private_data', that is later accessed to freed structure.
+
+Fix these (and may be other) cases of stale pointers access by moving
+setting and clearing of the mentioned cross-references to the single
+places, setting both of them when 'struct ffs_data' is created and
+bound to 'struct ffs_dev', and clearing both of them when one of the
+structures is destroyed. It seems convenient to make this pointer
+initialization and structures binding in 'ffs_acquire_dev()' and
+make pointers clearing in 'ffs_release_dev()'. This required some
+changes in these functions parameters and return types.
+
+Also, 'ffs_release_dev()' calling requires some cleanup, fixing minor
+issues, like (1) 'ffs_release_dev()' is not called if 'ffs_free_inst()'
+is called without unmounting the device, and "release_dev" callback
+is not called at all, or (2) "release_dev" callback is called before
+"ffs_closed" callback on unmounting, which seems to be not correctly
+nested with "acquire_dev" and "ffs_ready" callbacks.
+Make this cleanup togther with other mentioned 'ffs_release_dev()' changes.
+
+[1]
+==================================================================
+root@rcar-gen3:~# mkdir /dev/cfs
+root@rcar-gen3:~# mkdir /dev/ffs
+root@rcar-gen3:~# modprobe libcomposite
+root@rcar-gen3:~# mount -t configfs none /dev/cfs
+root@rcar-gen3:~# mkdir /dev/cfs/usb_gadget/g1
+root@rcar-gen3:~# mkdir /dev/cfs/usb_gadget/g1/functions/ffs.ffs
+[   64.340664] file system registered
+root@rcar-gen3:~# mount -t functionfs ffs /dev/ffs
+root@rcar-gen3:~# cd /dev/ffs
+root@rcar-gen3:/dev/ffs# /home/root/ffs-test
+ffs-test: info: ep0: writing descriptors (in v2 format)
+[   83.181442] read descriptors
+[   83.186085] read strings
+ffs-test: info: ep0: writing strings
+ffs-test: dbg:  ep1: starting
+ffs-test: dbg:  ep2: starting
+ffs-test: info: ep1: starts
+ffs-test: info: ep2: starts
+ffs-test: info: ep0: starts
+
+^C
+root@rcar-gen3:/dev/ffs# cd /home/root/
+root@rcar-gen3:~# rmdir /dev/cfs/usb_gadget/g1/functions/ffs.ffs
+[   98.935061] unloading
+root@rcar-gen3:~# umount /dev/ffs
+[  102.734301] ==================================================================
+[  102.742059] BUG: KASAN: use-after-free in ffs_release_dev+0x64/0xa8 [usb_f_fs]
+[  102.749683] Write of size 1 at addr ffff0004d46ff549 by task umount/2997
+[  102.756709]
+[  102.758311] CPU: 0 PID: 2997 Comm: umount Not tainted 5.13.0-rc4+ #8
+[  102.764971] Hardware name: Renesas Salvator-X board based on r8a77951 (DT)
+[  102.772179] Call trace:
+[  102.774779]  dump_backtrace+0x0/0x330
+[  102.778653]  show_stack+0x20/0x2c
+[  102.782152]  dump_stack+0x11c/0x1ac
+[  102.785833]  print_address_description.constprop.0+0x30/0x274
+[  102.791862]  kasan_report+0x14c/0x1c8
+[  102.795719]  __asan_report_store1_noabort+0x34/0x58
+[  102.800840]  ffs_release_dev+0x64/0xa8 [usb_f_fs]
+[  102.805801]  ffs_fs_kill_sb+0x50/0x84 [usb_f_fs]
+[  102.810663]  deactivate_locked_super+0xa0/0xf0
+[  102.815339]  deactivate_super+0x98/0xac
+[  102.819378]  cleanup_mnt+0xd0/0x1b0
+[  102.823057]  __cleanup_mnt+0x1c/0x28
+[  102.826823]  task_work_run+0x104/0x180
+[  102.830774]  do_notify_resume+0x458/0x14e0
+[  102.835083]  work_pending+0xc/0x5f8
+[  102.838762]
+[  102.840357] Allocated by task 2988:
+[  102.844032]  kasan_save_stack+0x28/0x58
+[  102.848071]  kasan_set_track+0x28/0x3c
+[  102.852016]  ____kasan_kmalloc+0x84/0x9c
+[  102.856142]  __kasan_kmalloc+0x10/0x1c
+[  102.860088]  __kmalloc+0x214/0x2f8
+[  102.863678]  kzalloc.constprop.0+0x14/0x20 [usb_f_fs]
+[  102.868990]  ffs_alloc_inst+0x8c/0x208 [usb_f_fs]
+[  102.873942]  try_get_usb_function_instance+0xf0/0x164 [libcomposite]
+[  102.880629]  usb_get_function_instance+0x64/0x68 [libcomposite]
+[  102.886858]  function_make+0x128/0x1ec [libcomposite]
+[  102.892185]  configfs_mkdir+0x330/0x590 [configfs]
+[  102.897245]  vfs_mkdir+0x12c/0x1bc
+[  102.900835]  do_mkdirat+0x180/0x1d0
+[  102.904513]  __arm64_sys_mkdirat+0x80/0x94
+[  102.908822]  invoke_syscall+0xf8/0x25c
+[  102.912772]  el0_svc_common.constprop.0+0x150/0x1a0
+[  102.917891]  do_el0_svc+0xa0/0xd4
+[  102.921386]  el0_svc+0x24/0x34
+[  102.924613]  el0_sync_handler+0xcc/0x154
+[  102.928743]  el0_sync+0x198/0x1c0
+[  102.932238]
+[  102.933832] Freed by task 2996:
+[  102.937144]  kasan_save_stack+0x28/0x58
+[  102.941181]  kasan_set_track+0x28/0x3c
+[  102.945128]  kasan_set_free_info+0x28/0x4c
+[  102.949435]  ____kasan_slab_free+0x104/0x118
+[  102.953921]  __kasan_slab_free+0x18/0x24
+[  102.958047]  slab_free_freelist_hook+0x148/0x1f0
+[  102.962897]  kfree+0x318/0x440
+[  102.966123]  ffs_free_inst+0x164/0x2d8 [usb_f_fs]
+[  102.971075]  usb_put_function_instance+0x84/0xa4 [libcomposite]
+[  102.977302]  ffs_attr_release+0x18/0x24 [usb_f_fs]
+[  102.982344]  config_item_put+0x140/0x1a4 [configfs]
+[  102.987486]  configfs_rmdir+0x3fc/0x518 [configfs]
+[  102.992535]  vfs_rmdir+0x114/0x234
+[  102.996122]  do_rmdir+0x274/0x2b0
+[  102.999617]  __arm64_sys_unlinkat+0x94/0xc8
+[  103.004015]  invoke_syscall+0xf8/0x25c
+[  103.007961]  el0_svc_common.constprop.0+0x150/0x1a0
+[  103.013080]  do_el0_svc+0xa0/0xd4
+[  103.016575]  el0_svc+0x24/0x34
+[  103.019801]  el0_sync_handler+0xcc/0x154
+[  103.023930]  el0_sync+0x198/0x1c0
+[  103.027426]
+[  103.029020] The buggy address belongs to the object at ffff0004d46ff500
+[  103.029020]  which belongs to the cache kmalloc-128 of size 128
+[  103.042079] The buggy address is located 73 bytes inside of
+[  103.042079]  128-byte region [ffff0004d46ff500, ffff0004d46ff580)
+[  103.054236] The buggy address belongs to the page:
+[  103.059262] page:0000000021aa849b refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff0004d46fee00 pfn:0x5146fe
+[  103.070437] head:0000000021aa849b order:1 compound_mapcount:0
+[  103.076456] flags: 0x8000000000010200(slab|head|zone=2)
+[  103.081948] raw: 8000000000010200 fffffc0013521a80 0000000d0000000d ffff0004c0002300
+[  103.090052] raw: ffff0004d46fee00 000000008020001e 00000001ffffffff 0000000000000000
+[  103.098150] page dumped because: kasan: bad access detected
+[  103.103985]
+[  103.105578] Memory state around the buggy address:
+[  103.110602]  ffff0004d46ff400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[  103.118161]  ffff0004d46ff480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[  103.125726] >ffff0004d46ff500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[  103.133284]                                               ^
+[  103.139120]  ffff0004d46ff580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[  103.146679]  ffff0004d46ff600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[  103.154238] ==================================================================
+[  103.161792] Disabling lock debugging due to kernel taint
+[  103.167319] Unable to handle kernel paging request at virtual address 0037801d6000018e
+[  103.175406] Mem abort info:
+[  103.178457]   ESR = 0x96000004
+[  103.181609]   EC = 0x25: DABT (current EL), IL = 32 bits
+[  103.187020]   SET = 0, FnV = 0
+[  103.190185]   EA = 0, S1PTW = 0
+[  103.193417] Data abort info:
+[  103.196385]   ISV = 0, ISS = 0x00000004
+[  103.200315]   CM = 0, WnR = 0
+[  103.203366] [0037801d6000018e] address between user and kernel address ranges
+[  103.210611] Internal error: Oops: 96000004 [#1] PREEMPT SMP
+[  103.216231] Modules linked in: usb_f_fs libcomposite configfs ath9k_htc led_class mac80211 libarc4 ath9k_common ath9k_hw ath cfg80211 aes_ce_blk sata_rc4
+[  103.259233] CPU: 0 PID: 2997 Comm: umount Tainted: G    B             5.13.0-rc4+ #8
+[  103.267031] Hardware name: Renesas Salvator-X board based on r8a77951 (DT)
+[  103.273951] pstate: 00000005 (nzcv daif -PAN -UAO -TCO BTYPE=--)
+[  103.280001] pc : ffs_data_clear+0x138/0x370 [usb_f_fs]
+[  103.285197] lr : ffs_data_clear+0x124/0x370 [usb_f_fs]
+[  103.290385] sp : ffff800014777a80
+[  103.293725] x29: ffff800014777a80 x28: ffff0004d7649c80 x27: 0000000000000000
+[  103.300931] x26: ffff800014777fb0 x25: ffff60009aec9394 x24: ffff0004d7649ca4
+[  103.308136] x23: 1fffe0009a3d063a x22: dfff800000000000 x21: ffff0004d1e831d0
+[  103.315340] x20: e1c000eb00000bb4 x19: ffff0004d1e83000 x18: 0000000000000000
+[  103.322545] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
+[  103.329748] x14: 0720072007200720 x13: 0720072007200720 x12: 1ffff000012ef658
+[  103.336952] x11: ffff7000012ef658 x10: 0720072007200720 x9 : ffff800011322648
+[  103.344157] x8 : ffff800014777818 x7 : ffff80000977b2c7 x6 : 0000000000000000
+[  103.351359] x5 : 0000000000000001 x4 : ffff7000012ef659 x3 : 0000000000000001
+[  103.358562] x2 : 0000000000000000 x1 : 1c38001d6000018e x0 : e1c000eb00000c70
+[  103.365766] Call trace:
+[  103.368235]  ffs_data_clear+0x138/0x370 [usb_f_fs]
+[  103.373076]  ffs_data_reset+0x20/0x304 [usb_f_fs]
+[  103.377829]  ffs_data_closed+0x1ec/0x244 [usb_f_fs]
+[  103.382755]  ffs_fs_kill_sb+0x70/0x84 [usb_f_fs]
+[  103.387420]  deactivate_locked_super+0xa0/0xf0
+[  103.391905]  deactivate_super+0x98/0xac
+[  103.395776]  cleanup_mnt+0xd0/0x1b0
+[  103.399299]  __cleanup_mnt+0x1c/0x28
+[  103.402906]  task_work_run+0x104/0x180
+[  103.406691]  do_notify_resume+0x458/0x14e0
+[  103.410823]  work_pending+0xc/0x5f8
+[  103.414351] Code: b4000a54 9102f280 12000802 d343fc01 (38f66821)
+[  103.420490] ---[ end trace 57b43a50e8244f57 ]---
+Segmentation fault
+root@rcar-gen3:~#
+==================================================================
+
+[2]
+==================================================================
+root@rcar-gen3:~# mkdir /dev/ffs
+root@rcar-gen3:~# modprobe libcomposite
+root@rcar-gen3:~#
+root@rcar-gen3:~# mount -t configfs none /dev/cfs
+root@rcar-gen3:~# mkdir /dev/cfs/usb_gadget/g1
+root@rcar-gen3:~# mkdir /dev/cfs/usb_gadget/g1/functions/ffs.ffs
+[   54.766480] file system registered
+root@rcar-gen3:~# mount -t functionfs ffs /dev/ffs
+root@rcar-gen3:~# rmdir /dev/cfs/usb_gadget/g1/functions/ffs.ffs
+[   63.197597] unloading
+root@rcar-gen3:~# cat /dev/ffs/ep0
+cat: read error:[   67.213506] ==================================================================
+[   67.222095] BUG: KASAN: use-after-free in ffs_data_clear+0x70/0x370 [usb_f_fs]
+[   67.229699] Write of size 1 at addr ffff0004c26e974a by task cat/2994
+[   67.236446]
+[   67.238045] CPU: 0 PID: 2994 Comm: cat Not tainted 5.13.0-rc4+ #8
+[   67.244431] Hardware name: Renesas Salvator-X board based on r8a77951 (DT)
+[   67.251624] Call trace:
+[   67.254212]  dump_backtrace+0x0/0x330
+[   67.258081]  show_stack+0x20/0x2c
+[   67.261579]  dump_stack+0x11c/0x1ac
+[   67.265260]  print_address_description.constprop.0+0x30/0x274
+[   67.271286]  kasan_report+0x14c/0x1c8
+[   67.275143]  __asan_report_store1_noabort+0x34/0x58
+[   67.280265]  ffs_data_clear+0x70/0x370 [usb_f_fs]
+[   67.285220]  ffs_data_reset+0x20/0x304 [usb_f_fs]
+[   67.290172]  ffs_data_closed+0x240/0x244 [usb_f_fs]
+[   67.295305]  ffs_ep0_release+0x40/0x54 [usb_f_fs]
+[   67.300256]  __fput+0x304/0x580
+[   67.303576]  ____fput+0x18/0x24
+[   67.306893]  task_work_run+0x104/0x180
+[   67.310846]  do_notify_resume+0x458/0x14e0
+[   67.315154]  work_pending+0xc/0x5f8
+[   67.318834]
+[   67.320429] Allocated by task 2988:
+[   67.324105]  kasan_save_stack+0x28/0x58
+[   67.328144]  kasan_set_track+0x28/0x3c
+[   67.332090]  ____kasan_kmalloc+0x84/0x9c
+[   67.336217]  __kasan_kmalloc+0x10/0x1c
+[   67.340163]  __kmalloc+0x214/0x2f8
+[   67.343754]  kzalloc.constprop.0+0x14/0x20 [usb_f_fs]
+[   67.349066]  ffs_alloc_inst+0x8c/0x208 [usb_f_fs]
+[   67.354017]  try_get_usb_function_instance+0xf0/0x164 [libcomposite]
+[   67.360705]  usb_get_function_instance+0x64/0x68 [libcomposite]
+[   67.366934]  function_make+0x128/0x1ec [libcomposite]
+[   67.372260]  configfs_mkdir+0x330/0x590 [configfs]
+[   67.377320]  vfs_mkdir+0x12c/0x1bc
+[   67.380911]  do_mkdirat+0x180/0x1d0
+[   67.384589]  __arm64_sys_mkdirat+0x80/0x94
+[   67.388899]  invoke_syscall+0xf8/0x25c
+[   67.392850]  el0_svc_common.constprop.0+0x150/0x1a0
+[   67.397969]  do_el0_svc+0xa0/0xd4
+[   67.401464]  el0_svc+0x24/0x34
+[   67.404691]  el0_sync_handler+0xcc/0x154
+[   67.408819]  el0_sync+0x198/0x1c0
+[   67.412315]
+[   67.413909] Freed by task 2993:
+[   67.417220]  kasan_save_stack+0x28/0x58
+[   67.421257]  kasan_set_track+0x28/0x3c
+[   67.425204]  kasan_set_free_info+0x28/0x4c
+[   67.429513]  ____kasan_slab_free+0x104/0x118
+[   67.434001]  __kasan_slab_free+0x18/0x24
+[   67.438128]  slab_free_freelist_hook+0x148/0x1f0
+[   67.442978]  kfree+0x318/0x440
+[   67.446205]  ffs_free_inst+0x164/0x2d8 [usb_f_fs]
+[   67.451156]  usb_put_function_instance+0x84/0xa4 [libcomposite]
+[   67.457385]  ffs_attr_release+0x18/0x24 [usb_f_fs]
+[   67.462428]  config_item_put+0x140/0x1a4 [configfs]
+[   67.467570]  configfs_rmdir+0x3fc/0x518 [configfs]
+[   67.472626]  vfs_rmdir+0x114/0x234
+[   67.476215]  do_rmdir+0x274/0x2b0
+[   67.479710]  __arm64_sys_unlinkat+0x94/0xc8
+[   67.484108]  invoke_syscall+0xf8/0x25c
+[   67.488055]  el0_svc_common.constprop.0+0x150/0x1a0
+[   67.493175]  do_el0_svc+0xa0/0xd4
+[   67.496671]  el0_svc+0x24/0x34
+[   67.499896]  el0_sync_handler+0xcc/0x154
+[   67.504024]  el0_sync+0x198/0x1c0
+[   67.507520]
+[   67.509114] The buggy address belongs to the object at ffff0004c26e9700
+[   67.509114]  which belongs to the cache kmalloc-128 of size 128
+[   67.522171] The buggy address is located 74 bytes inside of
+[   67.522171]  128-byte region [ffff0004c26e9700, ffff0004c26e9780)
+[   67.534328] The buggy address belongs to the page:
+[   67.539355] page:000000003177a217 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5026e8
+[   67.549175] head:000000003177a217 order:1 compound_mapcount:0
+[   67.555195] flags: 0x8000000000010200(slab|head|zone=2)
+[   67.560687] raw: 8000000000010200 fffffc0013037100 0000000c00000002 ffff0004c0002300
+[   67.568791] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
+[   67.576890] page dumped because: kasan: bad access detected
+[   67.582725]
+[   67.584318] Memory state around the buggy address:
+[   67.589343]  ffff0004c26e9600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[   67.596903]  ffff0004c26e9680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[   67.604463] >ffff0004c26e9700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[   67.612022]                                               ^
+[   67.617860]  ffff0004c26e9780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[   67.625421]  ffff0004c26e9800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[   67.632981] ==================================================================
+[   67.640535] Disabling lock debugging due to kernel taint
+ File descriptor[   67.646100] Unable to handle kernel paging request at virtual address fabb801d4000018d
+ in bad state
+[   67.655456] Mem abort info:
+[   67.659619]   ESR = 0x96000004
+[   67.662801]   EC = 0x25: DABT (current EL), IL = 32 bits
+[   67.668225]   SET = 0, FnV = 0
+[   67.671375]   EA = 0, S1PTW = 0
+[   67.674613] Data abort info:
+[   67.677587]   ISV = 0, ISS = 0x00000004
+[   67.681522]   CM = 0, WnR = 0
+[   67.684588] [fabb801d4000018d] address between user and kernel address ranges
+[   67.691849] Internal error: Oops: 96000004 [#1] PREEMPT SMP
+[   67.697470] Modules linked in: usb_f_fs libcomposite configfs ath9k_htc led_class mac80211 libarc4 ath9k_common ath9k_hw ath cfg80211 aes_ce_blk crypto_simd cryptd aes_ce_cipher ghash_ce gf128mul sha2_ce sha1_ce evdev sata_rcar libata xhci_plat_hcd scsi_mod xhci_hcd rene4
+[   67.740467] CPU: 0 PID: 2994 Comm: cat Tainted: G    B             5.13.0-rc4+ #8
+[   67.748005] Hardware name: Renesas Salvator-X board based on r8a77951 (DT)
+[   67.754924] pstate: 00000005 (nzcv daif -PAN -UAO -TCO BTYPE=--)
+[   67.760974] pc : ffs_data_clear+0x138/0x370 [usb_f_fs]
+[   67.766178] lr : ffs_data_clear+0x124/0x370 [usb_f_fs]
+[   67.771365] sp : ffff800014767ad0
+[   67.774706] x29: ffff800014767ad0 x28: ffff800009cf91c0 x27: ffff0004c54861a0
+[   67.781913] x26: ffff0004dc90b288 x25: 1fffe00099ec10f5 x24: 00000000000a801d
+[   67.789118] x23: 1fffe00099f6953a x22: dfff800000000000 x21: ffff0004cfb4a9d0
+[   67.796322] x20: d5e000ea00000bb1 x19: ffff0004cfb4a800 x18: 0000000000000000
+[   67.803526] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
+[   67.810730] x14: 0720072007200720 x13: 0720072007200720 x12: 1ffff000028ecefa
+[   67.817934] x11: ffff7000028ecefa x10: 0720072007200720 x9 : ffff80001132c014
+[   67.825137] x8 : ffff8000147677d8 x7 : ffff8000147677d7 x6 : 0000000000000000
+[   67.832341] x5 : 0000000000000001 x4 : ffff7000028ecefb x3 : 0000000000000001
+[   67.839544] x2 : 0000000000000005 x1 : 1abc001d4000018d x0 : d5e000ea00000c6d
+[   67.846748] Call trace:
+[   67.849218]  ffs_data_clear+0x138/0x370 [usb_f_fs]
+[   67.854058]  ffs_data_reset+0x20/0x304 [usb_f_fs]
+[   67.858810]  ffs_data_closed+0x240/0x244 [usb_f_fs]
+[   67.863736]  ffs_ep0_release+0x40/0x54 [usb_f_fs]
+[   67.868488]  __fput+0x304/0x580
+[   67.871665]  ____fput+0x18/0x24
+[   67.874837]  task_work_run+0x104/0x180
+[   67.878622]  do_notify_resume+0x458/0x14e0
+[   67.882754]  work_pending+0xc/0x5f8
+[   67.886282] Code: b4000a54 9102f280 12000802 d343fc01 (38f66821)
+[   67.892422] ---[ end trace 6d7cedf53d7abbea ]---
+Segmentation fault
+root@rcar-gen3:~#
+==================================================================
+
+Fixes: 4b187fceec3c ("usb: gadget: FunctionFS: add devices management code")
+Fixes: 3262ad824307 ("usb: gadget: f_fs: Stop ffs_closed NULL pointer dereference")
+Fixes: cdafb6d8b8da ("usb: gadget: f_fs: Fix use-after-free in ffs_free_inst")
+Reported-by: Bhuvanesh Surachari <bhuvanesh_surachari@mentor.com>
+Tested-by: Eugeniu Rosca <erosca@de.adit-jv.com>
+Reviewed-by: Eugeniu Rosca <erosca@de.adit-jv.com>
+Signed-off-by: Andrew Gabbasov <andrew_gabbasov@mentor.com>
+Link: https://lore.kernel.org/r/20210603171507.22514-1-andrew_gabbasov@mentor.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_fs.c | 65 +++++++++++++++---------------
+ 1 file changed, 32 insertions(+), 33 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
+index 3126f5b08bd4..94ccf43368df 100644
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -250,8 +250,8 @@ EXPORT_SYMBOL_GPL(ffs_lock);
+ static struct ffs_dev *_ffs_find_dev(const char *name);
+ static struct ffs_dev *_ffs_alloc_dev(void);
+ static void _ffs_free_dev(struct ffs_dev *dev);
+-static void *ffs_acquire_dev(const char *dev_name);
+-static void ffs_release_dev(struct ffs_data *ffs_data);
++static int ffs_acquire_dev(const char *dev_name, struct ffs_data *ffs_data);
++static void ffs_release_dev(struct ffs_dev *ffs_dev);
+ static int ffs_ready(struct ffs_data *ffs);
+ static void ffs_closed(struct ffs_data *ffs);
+@@ -1572,8 +1572,8 @@ unmapped_value:
+ static int ffs_fs_get_tree(struct fs_context *fc)
+ {
+       struct ffs_sb_fill_data *ctx = fc->fs_private;
+-      void *ffs_dev;
+       struct ffs_data *ffs;
++      int ret;
+       ENTER();
+@@ -1592,13 +1592,12 @@ static int ffs_fs_get_tree(struct fs_context *fc)
+               return -ENOMEM;
+       }
+-      ffs_dev = ffs_acquire_dev(ffs->dev_name);
+-      if (IS_ERR(ffs_dev)) {
++      ret = ffs_acquire_dev(ffs->dev_name, ffs);
++      if (ret) {
+               ffs_data_put(ffs);
+-              return PTR_ERR(ffs_dev);
++              return ret;
+       }
+-      ffs->private_data = ffs_dev;
+       ctx->ffs_data = ffs;
+       return get_tree_nodev(fc, ffs_sb_fill);
+ }
+@@ -1609,7 +1608,6 @@ static void ffs_fs_free_fc(struct fs_context *fc)
+       if (ctx) {
+               if (ctx->ffs_data) {
+-                      ffs_release_dev(ctx->ffs_data);
+                       ffs_data_put(ctx->ffs_data);
+               }
+@@ -1648,10 +1646,8 @@ ffs_fs_kill_sb(struct super_block *sb)
+       ENTER();
+       kill_litter_super(sb);
+-      if (sb->s_fs_info) {
+-              ffs_release_dev(sb->s_fs_info);
++      if (sb->s_fs_info)
+               ffs_data_closed(sb->s_fs_info);
+-      }
+ }
+ static struct file_system_type ffs_fs_type = {
+@@ -1721,6 +1717,7 @@ static void ffs_data_put(struct ffs_data *ffs)
+       if (unlikely(refcount_dec_and_test(&ffs->ref))) {
+               pr_info("%s(): freeing\n", __func__);
+               ffs_data_clear(ffs);
++              ffs_release_dev(ffs->private_data);
+               BUG_ON(waitqueue_active(&ffs->ev.waitq) ||
+                      waitqueue_active(&ffs->ep0req_completion.wait) ||
+                      waitqueue_active(&ffs->wait));
+@@ -3050,6 +3047,7 @@ static inline struct f_fs_opts *ffs_do_functionfs_bind(struct usb_function *f,
+       struct ffs_function *func = ffs_func_from_usb(f);
+       struct f_fs_opts *ffs_opts =
+               container_of(f->fi, struct f_fs_opts, func_inst);
++      struct ffs_data *ffs_data;
+       int ret;
+       ENTER();
+@@ -3064,12 +3062,13 @@ static inline struct f_fs_opts *ffs_do_functionfs_bind(struct usb_function *f,
+       if (!ffs_opts->no_configfs)
+               ffs_dev_lock();
+       ret = ffs_opts->dev->desc_ready ? 0 : -ENODEV;
+-      func->ffs = ffs_opts->dev->ffs_data;
++      ffs_data = ffs_opts->dev->ffs_data;
+       if (!ffs_opts->no_configfs)
+               ffs_dev_unlock();
+       if (ret)
+               return ERR_PTR(ret);
++      func->ffs = ffs_data;
+       func->conf = c;
+       func->gadget = c->cdev->gadget;
+@@ -3524,6 +3523,7 @@ static void ffs_free_inst(struct usb_function_instance *f)
+       struct f_fs_opts *opts;
+       opts = to_f_fs_opts(f);
++      ffs_release_dev(opts->dev);
+       ffs_dev_lock();
+       _ffs_free_dev(opts->dev);
+       ffs_dev_unlock();
+@@ -3711,47 +3711,48 @@ static void _ffs_free_dev(struct ffs_dev *dev)
+ {
+       list_del(&dev->entry);
+-      /* Clear the private_data pointer to stop incorrect dev access */
+-      if (dev->ffs_data)
+-              dev->ffs_data->private_data = NULL;
+-
+       kfree(dev);
+       if (list_empty(&ffs_devices))
+               functionfs_cleanup();
+ }
+-static void *ffs_acquire_dev(const char *dev_name)
++static int ffs_acquire_dev(const char *dev_name, struct ffs_data *ffs_data)
+ {
++      int ret = 0;
+       struct ffs_dev *ffs_dev;
+       ENTER();
+       ffs_dev_lock();
+       ffs_dev = _ffs_find_dev(dev_name);
+-      if (!ffs_dev)
+-              ffs_dev = ERR_PTR(-ENOENT);
+-      else if (ffs_dev->mounted)
+-              ffs_dev = ERR_PTR(-EBUSY);
+-      else if (ffs_dev->ffs_acquire_dev_callback &&
+-          ffs_dev->ffs_acquire_dev_callback(ffs_dev))
+-              ffs_dev = ERR_PTR(-ENOENT);
+-      else
++      if (!ffs_dev) {
++              ret = -ENOENT;
++      } else if (ffs_dev->mounted) {
++              ret = -EBUSY;
++      } else if (ffs_dev->ffs_acquire_dev_callback &&
++                 ffs_dev->ffs_acquire_dev_callback(ffs_dev)) {
++              ret = -ENOENT;
++      } else {
+               ffs_dev->mounted = true;
++              ffs_dev->ffs_data = ffs_data;
++              ffs_data->private_data = ffs_dev;
++      }
+       ffs_dev_unlock();
+-      return ffs_dev;
++      return ret;
+ }
+-static void ffs_release_dev(struct ffs_data *ffs_data)
++static void ffs_release_dev(struct ffs_dev *ffs_dev)
+ {
+-      struct ffs_dev *ffs_dev;
+-
+       ENTER();
+       ffs_dev_lock();
+-      ffs_dev = ffs_data->private_data;
+-      if (ffs_dev) {
++      if (ffs_dev && ffs_dev->mounted) {
+               ffs_dev->mounted = false;
++              if (ffs_dev->ffs_data) {
++                      ffs_dev->ffs_data->private_data = NULL;
++                      ffs_dev->ffs_data = NULL;
++              }
+               if (ffs_dev->ffs_release_dev_callback)
+                       ffs_dev->ffs_release_dev_callback(ffs_dev);
+@@ -3779,7 +3780,6 @@ static int ffs_ready(struct ffs_data *ffs)
+       }
+       ffs_obj->desc_ready = true;
+-      ffs_obj->ffs_data = ffs;
+       if (ffs_obj->ffs_ready_callback) {
+               ret = ffs_obj->ffs_ready_callback(ffs);
+@@ -3807,7 +3807,6 @@ static void ffs_closed(struct ffs_data *ffs)
+               goto done;
+       ffs_obj->desc_ready = false;
+-      ffs_obj->ffs_data = NULL;
+       if (test_and_clear_bit(FFS_FL_CALL_CLOSED_CALLBACK, &ffs->flags) &&
+           ffs_obj->ffs_closed_callback)
+-- 
+2.30.2
+
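Review bot: In `ffs_data_put()` the argument of `ffs_release_dev(ffs->private_data)` is loaded before `ffs_release_dev()` takes `ffs_dev_lock()`, so that read is not covered by the lock guarding the cross-references. `ffs_free_inst()` clears `private_data` and then frees the `ffs_dev` under that lock. If it can run between the load and the lock acquisition, `ffs_dev->mounted` would be read from freed memory; the traces in the description show rmdir and umount in different tasks, but what serializes them is not visible here. Either load the pointer inside the locked region, or state the guarantee at the call, e.g. `/* private_data read unlocked: safe only if ffs_free_inst() cannot run concurrently with the final put */`. The bodies of `ffs_data_put()` and `ffs_free_inst()` continue outside the patch's hunks.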
diff --git a/queue-5.4/vfio-pci-handle-concurrent-vma-faults.patch b/queue-5.4/vfio-pci-handle-concurrent-vma-faults.patch
new file mode 100644 (file)
index 0000000..e6d43c5
--- /dev/null
@@ -0,0 +1,124 @@
+From 999ff026453ec01e6995d2fd31d78ff2fbcfc9e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jun 2021 14:08:12 -0600
+Subject: vfio/pci: Handle concurrent vma faults
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+[ Upstream commit 6a45ece4c9af473555f01f0f8b97eba56e3c7d0d ]
+
+io_remap_pfn_range() will trigger a BUG_ON if it encounters a
+populated pte within the mapping range.  This can occur because we map
+the entire vma on fault and multiple faults can be blocked behind the
+vma_lock.  This leads to traces like the one reported below.
+
+We can use our vma_list to test whether a given vma is mapped to avoid
+this issue.
+
+[ 1591.733256] kernel BUG at mm/memory.c:2177!
+[ 1591.739515] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
+[ 1591.747381] Modules linked in: vfio_iommu_type1 vfio_pci vfio_virqfd vfio pv680_mii(O)
+[ 1591.760536] CPU: 2 PID: 227 Comm: lcore-worker-2 Tainted: G O 5.11.0-rc3+ #1
+[ 1591.770735] Hardware name:  , BIOS HixxxxFPGA 1P B600 V121-1
+[ 1591.778872] pstate: 40400009 (nZcv daif +PAN -UAO -TCO BTYPE=--)
+[ 1591.786134] pc : remap_pfn_range+0x214/0x340
+[ 1591.793564] lr : remap_pfn_range+0x1b8/0x340
+[ 1591.799117] sp : ffff80001068bbd0
+[ 1591.803476] x29: ffff80001068bbd0 x28: 0000042eff6f0000
+[ 1591.810404] x27: 0000001100910000 x26: 0000001300910000
+[ 1591.817457] x25: 0068000000000fd3 x24: ffffa92f1338e358
+[ 1591.825144] x23: 0000001140000000 x22: 0000000000000041
+[ 1591.832506] x21: 0000001300910000 x20: ffffa92f141a4000
+[ 1591.839520] x19: 0000001100a00000 x18: 0000000000000000
+[ 1591.846108] x17: 0000000000000000 x16: ffffa92f11844540
+[ 1591.853570] x15: 0000000000000000 x14: 0000000000000000
+[ 1591.860768] x13: fffffc0000000000 x12: 0000000000000880
+[ 1591.868053] x11: ffff0821bf3d01d0 x10: ffff5ef2abd89000
+[ 1591.875932] x9 : ffffa92f12ab0064 x8 : ffffa92f136471c0
+[ 1591.883208] x7 : 0000001140910000 x6 : 0000000200000000
+[ 1591.890177] x5 : 0000000000000001 x4 : 0000000000000001
+[ 1591.896656] x3 : 0000000000000000 x2 : 0168044000000fd3
+[ 1591.903215] x1 : ffff082126261880 x0 : fffffc2084989868
+[ 1591.910234] Call trace:
+[ 1591.914837]  remap_pfn_range+0x214/0x340
+[ 1591.921765]  vfio_pci_mmap_fault+0xac/0x130 [vfio_pci]
+[ 1591.931200]  __do_fault+0x44/0x12c
+[ 1591.937031]  handle_mm_fault+0xcc8/0x1230
+[ 1591.942475]  do_page_fault+0x16c/0x484
+[ 1591.948635]  do_translation_fault+0xbc/0xd8
+[ 1591.954171]  do_mem_abort+0x4c/0xc0
+[ 1591.960316]  el0_da+0x40/0x80
+[ 1591.965585]  el0_sync_handler+0x168/0x1b0
+[ 1591.971608]  el0_sync+0x174/0x180
+[ 1591.978312] Code: eb1b027f 540000c0 f9400022 b4fffe02 (d4210000)
+
+Fixes: 11c4cd07ba11 ("vfio-pci: Fault mmaps to enable vma tracking")
+Reported-by: Zeng Tao <prime.zeng@hisilicon.com>
+Suggested-by: Zeng Tao <prime.zeng@hisilicon.com>
+Link: https://lore.kernel.org/r/162497742783.3883260.3282953006487785034.stgit@omen
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/pci/vfio_pci.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
+index a603f363835c..b06d76216599 100644
+--- a/drivers/vfio/pci/vfio_pci.c
++++ b/drivers/vfio/pci/vfio_pci.c
+@@ -1430,6 +1430,7 @@ static vm_fault_t vfio_pci_mmap_fault(struct vm_fault *vmf)
+ {
+       struct vm_area_struct *vma = vmf->vma;
+       struct vfio_pci_device *vdev = vma->vm_private_data;
++      struct vfio_pci_mmap_vma *mmap_vma;
+       vm_fault_t ret = VM_FAULT_NOPAGE;
+       mutex_lock(&vdev->vma_lock);
+@@ -1437,24 +1438,36 @@ static vm_fault_t vfio_pci_mmap_fault(struct vm_fault *vmf)
+       if (!__vfio_pci_memory_enabled(vdev)) {
+               ret = VM_FAULT_SIGBUS;
+-              mutex_unlock(&vdev->vma_lock);
+               goto up_out;
+       }
+-      if (__vfio_pci_add_vma(vdev, vma)) {
+-              ret = VM_FAULT_OOM;
+-              mutex_unlock(&vdev->vma_lock);
+-              goto up_out;
++      /*
++       * We populate the whole vma on fault, so we need to test whether
++       * the vma has already been mapped, such as for concurrent faults
++       * to the same vma.  io_remap_pfn_range() will trigger a BUG_ON if
++       * we ask it to fill the same range again.
++       */
++      list_for_each_entry(mmap_vma, &vdev->vma_list, vma_next) {
++              if (mmap_vma->vma == vma)
++                      goto up_out;
+       }
+-      mutex_unlock(&vdev->vma_lock);
+-
+       if (io_remap_pfn_range(vma, vma->vm_start, vma->vm_pgoff,
+-                             vma->vm_end - vma->vm_start, vma->vm_page_prot))
++                             vma->vm_end - vma->vm_start,
++                             vma->vm_page_prot)) {
+               ret = VM_FAULT_SIGBUS;
++              zap_vma_ptes(vma, vma->vm_start, vma->vm_end - vma->vm_start);
++              goto up_out;
++      }
++
++      if (__vfio_pci_add_vma(vdev, vma)) {
++              ret = VM_FAULT_OOM;
++              zap_vma_ptes(vma, vma->vm_start, vma->vm_end - vma->vm_start);
++      }
+ up_out:
+       up_read(&vdev->memory_lock);
++      mutex_unlock(&vdev->vma_lock);
+       return ret;
+ }
+-- 
+2.30.2
+
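Review bot: The two `zap_vma_ptes()` calls added on the error paths of `vfio_pci_mmap_fault()` carry no comment, although they appear to protect the same invariant as the new list walk. The walk treats presence on `vma_list` as "already mapped", so a vma left populated but untracked after a failed `io_remap_pfn_range()` or `__vfio_pci_add_vma()` would presumably be remapped by the next fault. A comment above each call would make that explicit, e.g. `/* Undo the mapping: a populated vma that is not on vma_list would be filled again by the next fault */`. The function starts outside the hunk, so the acquisition of `memory_lock` that `up_out` releases is not visible here.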
diff --git a/queue-5.4/video-fbdev-imxfb-fix-an-error-message.patch b/queue-5.4/video-fbdev-imxfb-fix-an-error-message.patch
new file mode 100644 (file)
index 0000000..7a6f245
--- /dev/null
@@ -0,0 +1,41 @@
+From 739248d038c0c890e03777a9cb06933b6a6256f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 May 2021 20:57:05 +0200
+Subject: video: fbdev: imxfb: Fix an error message
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 767d724a160eb1cd00c86fb8c2e21fa1ab3c37ac ]
+
+'ret' is known to be 0 here.
+No error code is available, so just remove it from the error message.
+
+Fixes: 72330b0eeefc ("i.MX Framebuffer: Use readl/writel instead of direct pointer deref")
+Reviewed-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/d7b25026f82659da3c6f7159eea480faa9d738be.1620327302.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/imxfb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/imxfb.c b/drivers/video/fbdev/imxfb.c
+index b3286d1fa543..ffde3107104b 100644
+--- a/drivers/video/fbdev/imxfb.c
++++ b/drivers/video/fbdev/imxfb.c
+@@ -977,7 +977,7 @@ static int imxfb_probe(struct platform_device *pdev)
+       info->screen_buffer = dma_alloc_wc(&pdev->dev, fbi->map_size,
+                                          &fbi->map_dma, GFP_KERNEL);
+       if (!info->screen_buffer) {
+-              dev_err(&pdev->dev, "Failed to allocate video RAM: %d\n", ret);
++              dev_err(&pdev->dev, "Failed to allocate video RAM\n");
+               ret = -ENOMEM;
+               goto failed_map;
+       }
+-- 
+2.30.2
+
diff --git a/queue-5.4/visorbus-fix-error-return-code-in-visorchipset_init.patch b/queue-5.4/visorbus-fix-error-return-code-in-visorchipset_init.patch
new file mode 100644 (file)
index 0000000..d0a0dc1
--- /dev/null
@@ -0,0 +1,58 @@
+From 607645450c15dba3b6bdb61328de76afefeb60af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 May 2021 16:26:14 +0800
+Subject: visorbus: fix error return code in visorchipset_init()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit ce52ec5beecc1079c251f60e3973b3758f60eb59 ]
+
+Commit 1366a3db3dcf ("staging: unisys: visorbus: visorchipset_init clean
+up gotos") assigns the initial value -ENODEV to the local variable 'err',
+and the first several error branches will return this value after "goto
+error". But commit f1f537c2e7f5 ("staging: unisys: visorbus: Consolidate
+controlvm channel creation.") overwrites 'err' in the middle of the way.
+As a result, some error branches do not successfully return the initial
+value -ENODEV of 'err', but return 0.
+
+In addition, when kzalloc() fails, -ENOMEM should be returned instead of
+-ENODEV.
+
+Fixes: f1f537c2e7f5 ("staging: unisys: visorbus: Consolidate controlvm channel creation.")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Link: https://lore.kernel.org/r/20210528082614.9337-1-thunder.leizhen@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/visorbus/visorchipset.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/visorbus/visorchipset.c b/drivers/visorbus/visorchipset.c
+index cb1eb7e05f87..5668cad86e37 100644
+--- a/drivers/visorbus/visorchipset.c
++++ b/drivers/visorbus/visorchipset.c
+@@ -1561,7 +1561,7 @@ schedule_out:
+ static int visorchipset_init(struct acpi_device *acpi_device)
+ {
+-      int err = -ENODEV;
++      int err = -ENOMEM;
+       struct visorchannel *controlvm_channel;
+       chipset_dev = kzalloc(sizeof(*chipset_dev), GFP_KERNEL);
+@@ -1584,8 +1584,10 @@ static int visorchipset_init(struct acpi_device *acpi_device)
+                                "controlvm",
+                                sizeof(struct visor_controlvm_channel),
+                                VISOR_CONTROLVM_CHANNEL_VERSIONID,
+-                               VISOR_CHANNEL_SIGNATURE))
++                               VISOR_CHANNEL_SIGNATURE)) {
++              err = -ENODEV;
+               goto error_delete_groups;
++      }
+       /* if booting in a crash kernel */
+       if (is_kdump_kernel())
+               INIT_DELAYED_WORK(&chipset_dev->periodic_controlvm_work,
+-- 
+2.30.2
+
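Review bot: Initialising `err` to `-ENOMEM` in `visorchipset_init()` keeps the pattern the commit message blames for the bug, an error branch that relies on a value assigned far away from it. The added `err = -ENODEV;` before `goto error_delete_groups` shows the safer form, setting the code at the failing branch. The allocation could do the same, with a plain `int err;` and `err = -ENOMEM;` inside the `kzalloc()` failure branch, which lies outside this hunk. Any later `goto` to an error label that does not assign `err` first would still return whatever the previous successful call left there, so the branches after this hunk are worth checking too.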
diff --git a/queue-5.4/vrf-do-not-push-non-nd-strict-packets-with-a-source-.patch b/queue-5.4/vrf-do-not-push-non-nd-strict-packets-with-a-source-.patch
new file mode 100644 (file)
index 0000000..0a7afb6
--- /dev/null
@@ -0,0 +1,83 @@
+From 2a04d5a3a74641d82c113ae8eb5e143cfcc2ee9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 17:15:53 +0200
+Subject: vrf: do not push non-ND strict packets with a source LLA through
+ packet taps again
+
+From: Antoine Tenart <atenart@kernel.org>
+
+[ Upstream commit 603113c514e95c3350598bc3cccbd03af7ea4ab2 ]
+
+Non-ND strict packets with a source LLA go through the packet taps
+again, while non-ND strict packets with other source addresses do not,
+and we can see a clone of those packets on the vrf interface (we should
+not). This is due to a series of changes:
+
+Commit 6f12fa775530[1] made non-ND strict packets not being pushed again
+in the packet taps. This changed with commit 205704c618af[2] for those
+packets having a source LLA, as they need a lookup with the orig_iif.
+
+The issue now is those packets do not skip the 'vrf_ip6_rcv' function to
+the end (as the ones without a source LLA) and go through the check to
+call packet taps again. This check was changed by commit 6f12fa775530[1]
+and do not exclude non-strict packets anymore. Packets matching
+'need_strict && !is_ndisc && is_ll_src' are now being sent through the
+packet taps again. This can be seen by dumping packets on the vrf
+interface.
+
+Fix this by having the same code path for all non-ND strict packets and
+selectively lookup with the orig_iif for those with a source LLA. This
+has the effect to revert to the pre-205704c618af[2] condition, which
+should also be easier to maintain.
+
+[1] 6f12fa775530 ("vrf: mark skb for multicast or link-local as enslaved to VRF")
+[2] 205704c618af ("vrf: packets with lladdr src needs dst at input with orig_iif when needs strict")
+
+Fixes: 205704c618af ("vrf: packets with lladdr src needs dst at input with orig_iif when needs strict")
+Cc: Stephen Suryaputra <ssuryaextr@gmail.com>
+Reported-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Antoine Tenart <atenart@kernel.org>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vrf.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
+index 1267786d2931..f08ed52d51f3 100644
+--- a/drivers/net/vrf.c
++++ b/drivers/net/vrf.c
+@@ -1035,22 +1035,22 @@ static struct sk_buff *vrf_ip6_rcv(struct net_device *vrf_dev,
+       int orig_iif = skb->skb_iif;
+       bool need_strict = rt6_need_strict(&ipv6_hdr(skb)->daddr);
+       bool is_ndisc = ipv6_ndisc_frame(skb);
+-      bool is_ll_src;
+       /* loopback, multicast & non-ND link-local traffic; do not push through
+        * packet taps again. Reset pkt_type for upper layers to process skb.
+-       * for packets with lladdr src, however, skip so that the dst can be
+-       * determine at input using original ifindex in the case that daddr
+-       * needs strict
++       * For strict packets with a source LLA, determine the dst using the
++       * original ifindex.
+        */
+-      is_ll_src = ipv6_addr_type(&ipv6_hdr(skb)->saddr) & IPV6_ADDR_LINKLOCAL;
+-      if (skb->pkt_type == PACKET_LOOPBACK ||
+-          (need_strict && !is_ndisc && !is_ll_src)) {
++      if (skb->pkt_type == PACKET_LOOPBACK || (need_strict && !is_ndisc)) {
+               skb->dev = vrf_dev;
+               skb->skb_iif = vrf_dev->ifindex;
+               IP6CB(skb)->flags |= IP6SKB_L3SLAVE;
++
+               if (skb->pkt_type == PACKET_LOOPBACK)
+                       skb->pkt_type = PACKET_HOST;
++              else if (ipv6_addr_type(&ipv6_hdr(skb)->saddr) & IPV6_ADDR_LINKLOCAL)
++                      vrf_ip6_input_dst(skb, vrf_dev, orig_iif);
++
+               goto out;
+       }
+-- 
+2.30.2
+
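Review bot: Strict non-ND packets with a link-local source now leave `vrf_ip6_rcv()` through `goto out`, so they skip everything between this branch and the `out:` label, which is outside the hunk. If that stretch contains per-VRF filtering or accounting, those steps stop seeing this traffic, as is presumably already the case for other strict non-ND packets. The block comment could say so, for example `* These packets bypass the rest of vrf_ip6_rcv().` after the sentence about the original ifindex. Anyone relying on a capture on the VRF device to observe link-local-sourced traffic should note that the duplicate copy disappears with this change.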
diff --git a/queue-5.4/vxlan-add-missing-rcu_read_lock-in-neigh_reduce.patch b/queue-5.4/vxlan-add-missing-rcu_read_lock-in-neigh_reduce.patch
new file mode 100644 (file)
index 0000000..2b03c3c
--- /dev/null
@@ -0,0 +1,84 @@
+From 844c301a2120af67ce65b611de3b01d651a3ec25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jun 2021 07:44:17 -0700
+Subject: vxlan: add missing rcu_read_lock() in neigh_reduce()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 85e8b032d6ebb0f698a34dd22c2f13443d905888 ]
+
+syzbot complained in neigh_reduce(), because rcu_read_lock_bh()
+is treated differently than rcu_read_lock()
+
+WARNING: suspicious RCU usage
+5.13.0-rc6-syzkaller #0 Not tainted
+-----------------------------
+include/net/addrconf.h:313 suspicious rcu_dereference_check() usage!
+
+other info that might help us debug this:
+
+rcu_scheduler_active = 2, debug_locks = 1
+3 locks held by kworker/0:0/5:
+ #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
+ #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
+ #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
+ #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:617 [inline]
+ #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:644 [inline]
+ #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x871/0x1600 kernel/workqueue.c:2247
+ #1: ffffc90000ca7da8 ((work_completion)(&port->wq)){+.+.}-{0:0}, at: process_one_work+0x8a5/0x1600 kernel/workqueue.c:2251
+ #2: ffffffff8bf795c0 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x1da/0x3130 net/core/dev.c:4180
+
+stack backtrace:
+CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.13.0-rc6-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: events ipvlan_process_multicast
+Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x141/0x1d7 lib/dump_stack.c:120
+ __in6_dev_get include/net/addrconf.h:313 [inline]
+ __in6_dev_get include/net/addrconf.h:311 [inline]
+ neigh_reduce drivers/net/vxlan.c:2167 [inline]
+ vxlan_xmit+0x34d5/0x4c30 drivers/net/vxlan.c:2919
+ __netdev_start_xmit include/linux/netdevice.h:4944 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4958 [inline]
+ xmit_one net/core/dev.c:3654 [inline]
+ dev_hard_start_xmit+0x1eb/0x920 net/core/dev.c:3670
+ __dev_queue_xmit+0x2133/0x3130 net/core/dev.c:4246
+ ipvlan_process_multicast+0xa99/0xd70 drivers/net/ipvlan/ipvlan_core.c:287
+ process_one_work+0x98d/0x1600 kernel/workqueue.c:2276
+ worker_thread+0x64c/0x1120 kernel/workqueue.c:2422
+ kthread+0x3b1/0x4a0 kernel/kthread.c:313
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
+
+Fixes: f564f45c4518 ("vxlan: add ipv6 proxy support")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vxlan.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
+index 8443df79fabc..c5991e31c557 100644
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -1995,6 +1995,7 @@ static int neigh_reduce(struct net_device *dev, struct sk_buff *skb, __be32 vni)
+       struct neighbour *n;
+       struct nd_msg *msg;
++      rcu_read_lock();
+       in6_dev = __in6_dev_get(dev);
+       if (!in6_dev)
+               goto out;
+@@ -2046,6 +2047,7 @@ static int neigh_reduce(struct net_device *dev, struct sk_buff *skb, __be32 vni)
+       }
+ out:
++      rcu_read_unlock();
+       consume_skb(skb);
+       return NETDEV_TX_OK;
+ }
+-- 
+2.30.2
+
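Review bot: With `rcu_read_lock()` taken at the top of `neigh_reduce()` and released only at `out:`, every exit from the function has to pass through that label. The body between the two hunks is not shown, so it is worth confirming that it contains no direct `return`, since that would leave the RCU read-side critical section open. A short comment at the lock, such as `/* released at out: - do not return directly below */`, would protect the pairing against later edits.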
diff --git a/queue-5.4/wcn36xx-move-hal_buf-allocation-to-devm_kmalloc-in-p.patch b/queue-5.4/wcn36xx-move-hal_buf-allocation-to-devm_kmalloc-in-p.patch
new file mode 100644 (file)
index 0000000..5cd6db5
--- /dev/null
@@ -0,0 +1,92 @@
+From 0a4786da2347d5761d6a7171876bd5ba0994caea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Jun 2021 18:33:47 +0100
+Subject: wcn36xx: Move hal_buf allocation to devm_kmalloc in probe
+
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+
+[ Upstream commit ef48667557c53d4b51a1ee3090eab7699324c9de ]
+
+Right now wcn->hal_buf is allocated in wcn36xx_start(). This is a problem
+since we should have setup all of the buffers we required by the time
+ieee80211_register_hw() is called.
+
+struct ieee80211_ops callbacks may run prior to mac_start() and therefore
+wcn->hal_buf must be initialized.
+
+This is easily remediated by moving the allocation to probe() taking the
+opportunity to tidy up freeing memory by using devm_kmalloc().
+
+Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware")
+Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210605173347.2266003-1-bryan.odonoghue@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/wcn36xx/main.c | 21 ++++++++-------------
+ 1 file changed, 8 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/wcn36xx/main.c b/drivers/net/wireless/ath/wcn36xx/main.c
+index 46ae4ec4ad47..556ba3c6c5d8 100644
+--- a/drivers/net/wireless/ath/wcn36xx/main.c
++++ b/drivers/net/wireless/ath/wcn36xx/main.c
+@@ -293,23 +293,16 @@ static int wcn36xx_start(struct ieee80211_hw *hw)
+               goto out_free_dxe_pool;
+       }
+-      wcn->hal_buf = kmalloc(WCN36XX_HAL_BUF_SIZE, GFP_KERNEL);
+-      if (!wcn->hal_buf) {
+-              wcn36xx_err("Failed to allocate smd buf\n");
+-              ret = -ENOMEM;
+-              goto out_free_dxe_ctl;
+-      }
+-
+       ret = wcn36xx_smd_load_nv(wcn);
+       if (ret) {
+               wcn36xx_err("Failed to push NV to chip\n");
+-              goto out_free_smd_buf;
++              goto out_free_dxe_ctl;
+       }
+       ret = wcn36xx_smd_start(wcn);
+       if (ret) {
+               wcn36xx_err("Failed to start chip\n");
+-              goto out_free_smd_buf;
++              goto out_free_dxe_ctl;
+       }
+       if (!wcn36xx_is_fw_version(wcn, 1, 2, 2, 24)) {
+@@ -336,8 +329,6 @@ static int wcn36xx_start(struct ieee80211_hw *hw)
+ out_smd_stop:
+       wcn36xx_smd_stop(wcn);
+-out_free_smd_buf:
+-      kfree(wcn->hal_buf);
+ out_free_dxe_ctl:
+       wcn36xx_dxe_free_ctl_blks(wcn);
+ out_free_dxe_pool:
+@@ -374,8 +365,6 @@ static void wcn36xx_stop(struct ieee80211_hw *hw)
+       wcn36xx_dxe_free_mem_pools(wcn);
+       wcn36xx_dxe_free_ctl_blks(wcn);
+-
+-      kfree(wcn->hal_buf);
+ }
+ static int wcn36xx_config(struct ieee80211_hw *hw, u32 changed)
+@@ -1322,6 +1311,12 @@ static int wcn36xx_probe(struct platform_device *pdev)
+       mutex_init(&wcn->hal_mutex);
+       mutex_init(&wcn->scan_lock);
++      wcn->hal_buf = devm_kmalloc(wcn->dev, WCN36XX_HAL_BUF_SIZE, GFP_KERNEL);
++      if (!wcn->hal_buf) {
++              ret = -ENOMEM;
++              goto out_wq;
++      }
++
+       ret = dma_set_mask_and_coherent(wcn->dev, DMA_BIT_MASK(32));
+       if (ret < 0) {
+               wcn36xx_err("failed to set DMA mask: %d\n", ret);
+-- 
+2.30.2
+
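Review bot: `devm_kmalloc()` in `wcn36xx_probe()` leaves `wcn->hal_buf` holding uninitialised heap contents, and the same buffer is now reused across every start/stop cycle instead of being reallocated. If any HAL message path hands the firmware more bytes than it wrote into the buffer (not visible in this hunk), stale kernel data would go with it. `devm_kzalloc(wcn->dev, WCN36XX_HAL_BUF_SIZE, GFP_KERNEL)` gives a defined starting state at no meaningful cost in probe. The hunk also assumes `wcn->dev` is the device being probed; if it is not `&pdev->dev`, the devm allocation would not be released on a probe failure.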
diff --git a/queue-5.4/wireless-carl9170-fix-leds-build-errors-warnings.patch b/queue-5.4/wireless-carl9170-fix-leds-build-errors-warnings.patch
new file mode 100644 (file)
index 0000000..818dc63
--- /dev/null
@@ -0,0 +1,66 @@
+From d0be94d7f0a0b9d73ef1ddcedacb67bfbb3ca086 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 May 2021 17:41:28 +0300
+Subject: wireless: carl9170: fix LEDS build errors & warnings
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 272fdc0c4542fad173b44965be02a16d6db95499 ]
+
+kernel test robot reports over 200 build errors and warnings
+that are due to this Kconfig problem when CARL9170=m,
+MAC80211=y, and LEDS_CLASS=m.
+
+WARNING: unmet direct dependencies detected for MAC80211_LEDS
+  Depends on [n]: NET [=y] && WIRELESS [=y] && MAC80211 [=y] && (LEDS_CLASS [=m]=y || LEDS_CLASS [=m]=MAC80211 [=y])
+  Selected by [m]:
+  - CARL9170_LEDS [=y] && NETDEVICES [=y] && WLAN [=y] && WLAN_VENDOR_ATH [=y] && CARL9170 [=m]
+
+CARL9170_LEDS selects MAC80211_LEDS even though its kconfig
+dependencies are not met. This happens because 'select' does not follow
+any Kconfig dependency chains.
+
+Fix this by making CARL9170_LEDS depend on MAC80211_LEDS, where
+the latter supplies any needed dependencies on LEDS_CLASS.
+
+Fixes: 1d7e1e6b1b8ed ("carl9170: Makefile, Kconfig files and MAINTAINERS")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Cc: Kalle Valo <kvalo@codeaurora.org>
+Cc: Christian Lamparter <chunkeey@googlemail.com>
+Cc: linux-wireless@vger.kernel.org
+Cc: Arnd Bergmann <arnd@arndb.de>
+Suggested-by: Christian Lamparter <chunkeey@googlemail.com>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Christian Lamparter <chunkeey@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210530031134.23274-1-rdunlap@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/carl9170/Kconfig | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/carl9170/Kconfig b/drivers/net/wireless/ath/carl9170/Kconfig
+index b1bce7aad399..c2641edab0bc 100644
+--- a/drivers/net/wireless/ath/carl9170/Kconfig
++++ b/drivers/net/wireless/ath/carl9170/Kconfig
+@@ -16,13 +16,11 @@ config CARL9170
+ config CARL9170_LEDS
+       bool "SoftLED Support"
+-      depends on CARL9170
+-      select MAC80211_LEDS
+-      select LEDS_CLASS
+-      select NEW_LEDS
+       default y
++      depends on CARL9170
++      depends on MAC80211_LEDS
+       help
+-        This option is necessary, if you want your device' LEDs to blink
++        This option is necessary, if you want your device's LEDs to blink.
+         Say Y, unless you need the LEDs for firmware debugging.
+-- 
+2.30.2
+
diff --git a/queue-5.4/writeback-cgroup-increment-isw_nr_in_flight-before-g.patch b/queue-5.4/writeback-cgroup-increment-isw_nr_in_flight-before-g.patch
new file mode 100644 (file)
index 0000000..703da11
--- /dev/null
@@ -0,0 +1,68 @@
+From 94f7055f17a00f27e826dbf8b44965b8429e8b05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jun 2021 19:35:47 -0700
+Subject: writeback, cgroup: increment isw_nr_in_flight before grabbing an
+ inode
+
+From: Roman Gushchin <guro@fb.com>
+
+[ Upstream commit 8826ee4fe75051f8cbfa5d4a9aa70565938e724c ]
+
+isw_nr_in_flight is used to determine whether the inode switch queue
+should be flushed from the umount path.  Currently it's increased after
+grabbing an inode and even scheduling the switch work.  It means the
+umount path can walk past cleanup_offline_cgwb() with active inode
+references, which can result in a "Busy inodes after unmount." message and
+use-after-free issues (with inode->i_sb which gets freed).
+
+Fix it by incrementing isw_nr_in_flight before doing anything with the
+inode and decrementing in the case when switching wasn't scheduled.
+
+The problem hasn't yet been seen in the real life and was discovered by
+Jan Kara by looking into the code.
+
+Link: https://lkml.kernel.org/r/20210608230225.2078447-4-guro@fb.com
+Signed-off-by: Roman Gushchin <guro@fb.com>
+Suggested-by: Jan Kara <jack@suse.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Dave Chinner <dchinner@redhat.com>
+Cc: Dennis Zhou <dennis@kernel.org>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fs-writeback.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
+index fd6b50582c87..3a0d7b8af141 100644
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -505,6 +505,8 @@ static void inode_switch_wbs(struct inode *inode, int new_wb_id)
+       if (!isw)
+               return;
++      atomic_inc(&isw_nr_in_flight);
++
+       /* find and pin the new wb */
+       rcu_read_lock();
+       memcg_css = css_from_id(new_wb_id, &memory_cgrp_subsys);
+@@ -535,11 +537,10 @@ static void inode_switch_wbs(struct inode *inode, int new_wb_id)
+        * Let's continue after I_WB_SWITCH is guaranteed to be visible.
+        */
+       call_rcu(&isw->rcu_head, inode_switch_wbs_rcu_fn);
+-
+-      atomic_inc(&isw_nr_in_flight);
+       return;
+ out_free:
++      atomic_dec(&isw_nr_in_flight);
+       if (isw->new_wb)
+               wb_put(isw->new_wb);
+       kfree(isw);
+-- 
+2.30.2
+
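Review bot: The new `atomic_inc(&isw_nr_in_flight)` in `inode_switch_wbs()` carries no comment, although its position before the inode is touched is the whole fix. A later clean-up could move it back next to `call_rcu()` without noticing. Suggest `/* count this switch before grabbing the inode so the umount path sees it */` above the increment and `/* undo the early increment; no switch was scheduled */` above the `atomic_dec()` at `out_free:`. Every `goto out_free` must come after the increment; the part of the function between the hunks is not shown, so that is worth confirming.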
diff --git a/queue-5.4/writeback-fix-obtain-a-reference-to-a-freeing-memcg-.patch b/queue-5.4/writeback-fix-obtain-a-reference-to-a-freeing-memcg-.patch
new file mode 100644 (file)
index 0000000..93bb4ff
--- /dev/null
@@ -0,0 +1,61 @@
+From 6d1e41d837f1202a7d1b80929eaa2f2119b770d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Apr 2021 17:11:45 +0800
+Subject: writeback: fix obtain a reference to a freeing memcg css
+
+From: Muchun Song <songmuchun@bytedance.com>
+
+[ Upstream commit 8b0ed8443ae6458786580d36b7d5f8125535c5d4 ]
+
+The caller of wb_get_create() should pin the memcg, because
+wb_get_create() relies on this guarantee. The rcu read lock
+only can guarantee that the memcg css returned by css_from_id()
+cannot be released, but the reference of the memcg can be zero.
+
+  rcu_read_lock()
+  memcg_css = css_from_id()
+  wb_get_create(memcg_css)
+      cgwb_create(memcg_css)
+          // css_get can change the ref counter from 0 back to 1
+          css_get(memcg_css)
+  rcu_read_unlock()
+
+Fix it by holding a reference to the css before calling
+wb_get_create(). This is not a problem I encountered in the
+real world. Just the result of a code review.
+
+Fixes: 682aa8e1a6a1 ("writeback: implement unlocked_inode_to_wb transaction and use it for stat updates")
+Link: https://lore.kernel.org/r/20210402091145.80635-1-songmuchun@bytedance.com
+Signed-off-by: Muchun Song <songmuchun@bytedance.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fs-writeback.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
+index 3a0d7b8af141..22e9c88f3960 100644
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -510,9 +510,14 @@ static void inode_switch_wbs(struct inode *inode, int new_wb_id)
+       /* find and pin the new wb */
+       rcu_read_lock();
+       memcg_css = css_from_id(new_wb_id, &memory_cgrp_subsys);
+-      if (memcg_css)
+-              isw->new_wb = wb_get_create(bdi, memcg_css, GFP_ATOMIC);
++      if (memcg_css && !css_tryget(memcg_css))
++              memcg_css = NULL;
+       rcu_read_unlock();
++      if (!memcg_css)
++              goto out_free;
++
++      isw->new_wb = wb_get_create(bdi, memcg_css, GFP_ATOMIC);
++      css_put(memcg_css);
+       if (!isw->new_wb)
+               goto out_free;
+-- 
+2.30.2
+
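Review bot: `css_put(memcg_css)` directly after `wb_get_create()` reads like an early release unless the reader knows that the returned wb keeps its own reference to the css. The commit message indicates `cgwb_create()` takes one via `css_get()`; a comment such as `/* the wb holds its own css reference; drop the temporary one */` would make that explicit. The `goto out_free` added for `!memcg_css` depends on what `out_free:` undoes, which is outside this hunk.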
diff --git a/queue-5.4/xfrm-xfrm_state_mtu-should-return-at-least-1280-for-.patch b/queue-5.4/xfrm-xfrm_state_mtu-should-return-at-least-1280-for-.patch
new file mode 100644 (file)
index 0000000..324dbd6
--- /dev/null
@@ -0,0 +1,111 @@
+From 697bbdc402da19587344260db8f71b998eef24bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Apr 2021 11:27:59 +0200
+Subject: xfrm: xfrm_state_mtu should return at least 1280 for ipv6
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit b515d2637276a3810d6595e10ab02c13bfd0b63a ]
+
+Jianwen reported that IPv6 Interoperability tests are failing in an
+IPsec case where one of the links between the IPsec peers has an MTU
+of 1280. The peer generates a packet larger than this MTU, the router
+replies with a "Packet too big" message indicating an MTU of 1280.
+When the peer tries to send another large packet, xfrm_state_mtu
+returns 1280 - ipsec_overhead, which causes ip6_setup_cork to fail
+with EINVAL.
+
+We can fix this by forcing xfrm_state_mtu to return IPV6_MIN_MTU when
+IPv6 is used. After going through IPsec, the packet will then be
+fragmented to obey the actual network's PMTU, just before leaving the
+host.
+
+Currently, TFC padding is capped to PMTU - overhead to avoid
+fragementation: after padding and encapsulation, we still fit within
+the PMTU. That behavior is preserved in this patch.
+
+Fixes: 91657eafb64b ("xfrm: take net hdr len into account for esp payload size calculation")
+Reported-by: Jianwen Ji <jiji@redhat.com>
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/xfrm.h    |  1 +
+ net/ipv4/esp4.c       |  2 +-
+ net/ipv6/esp6.c       |  2 +-
+ net/xfrm/xfrm_state.c | 14 ++++++++++++--
+ 4 files changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/xfrm.h b/include/net/xfrm.h
+index 614f19bbad74..8ce63850d6d0 100644
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -1543,6 +1543,7 @@ void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si);
+ void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si);
+ u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq);
+ int xfrm_init_replay(struct xfrm_state *x);
++u32 __xfrm_state_mtu(struct xfrm_state *x, int mtu);
+ u32 xfrm_state_mtu(struct xfrm_state *x, int mtu);
+ int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload);
+ int xfrm_init_state(struct xfrm_state *x);
+diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
+index 00210e55b4cd..86c836fa2145 100644
+--- a/net/ipv4/esp4.c
++++ b/net/ipv4/esp4.c
+@@ -499,7 +499,7 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
+               struct xfrm_dst *dst = (struct xfrm_dst *)skb_dst(skb);
+               u32 padto;
+-              padto = min(x->tfcpad, xfrm_state_mtu(x, dst->child_mtu_cached));
++              padto = min(x->tfcpad, __xfrm_state_mtu(x, dst->child_mtu_cached));
+               if (skb->len < padto)
+                       esp.tfclen = padto - skb->len;
+       }
+diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
+index 7a739f16d82b..12570a73def8 100644
+--- a/net/ipv6/esp6.c
++++ b/net/ipv6/esp6.c
+@@ -440,7 +440,7 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb)
+               struct xfrm_dst *dst = (struct xfrm_dst *)skb_dst(skb);
+               u32 padto;
+-              padto = min(x->tfcpad, xfrm_state_mtu(x, dst->child_mtu_cached));
++              padto = min(x->tfcpad, __xfrm_state_mtu(x, dst->child_mtu_cached));
+               if (skb->len < padto)
+                       esp.tfclen = padto - skb->len;
+       }
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index 1423e2b7cb42..c6b2c99b501b 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -2440,7 +2440,7 @@ void xfrm_state_delete_tunnel(struct xfrm_state *x)
+ }
+ EXPORT_SYMBOL(xfrm_state_delete_tunnel);
+-u32 xfrm_state_mtu(struct xfrm_state *x, int mtu)
++u32 __xfrm_state_mtu(struct xfrm_state *x, int mtu)
+ {
+       const struct xfrm_type *type = READ_ONCE(x->type);
+       struct crypto_aead *aead;
+@@ -2471,7 +2471,17 @@ u32 xfrm_state_mtu(struct xfrm_state *x, int mtu)
+       return ((mtu - x->props.header_len - crypto_aead_authsize(aead) -
+                net_adj) & ~(blksize - 1)) + net_adj - 2;
+ }
+-EXPORT_SYMBOL_GPL(xfrm_state_mtu);
++EXPORT_SYMBOL_GPL(__xfrm_state_mtu);
++
++u32 xfrm_state_mtu(struct xfrm_state *x, int mtu)
++{
++      mtu = __xfrm_state_mtu(x, mtu);
++
++      if (x->props.family == AF_INET6 && mtu < IPV6_MIN_MTU)
++              return IPV6_MIN_MTU;
++
++      return mtu;
++}
+ int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload)
+ {
+-- 
+2.30.2
+
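Review bot: In the new `xfrm_state_mtu()` wrapper the `u32` result of `__xfrm_state_mtu()` is stored back into the `int` parameter `mtu`, so `mtu < IPV6_MIN_MTU` is a signed comparison. A result that wrapped in the subtraction (overhead larger than the MTU) becomes negative and is clamped to `IPV6_MIN_MTU` for IPv6, while for other families it is returned as a very large `u32`. If the signed comparison is intended, a comment such as `/* signed on purpose: a wrapped result must also be clamped */` would stop someone changing the local to `u32`. Separately, `EXPORT_SYMBOL_GPL(xfrm_state_mtu)` is removed and not re-added for the wrapper, so it is worth confirming that no modular caller of `xfrm_state_mtu()` remains in the 5.4 tree.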