--- /dev/null
+From 1d7c29b77725d05faff6754d2f5e7c147aedcf93 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Fri, 26 Nov 2021 22:35:45 +0100
+Subject: parisc: Fix KBUILD_IMAGE for self-extracting kernel
+
+From: Helge Deller <deller@gmx.de>
+
+commit 1d7c29b77725d05faff6754d2f5e7c147aedcf93 upstream.
+
+Default KBUILD_IMAGE to $(boot)/bzImage if a self-extracting
+(CONFIG_PARISC_SELF_EXTRACT=y) kernel is to be built.
+This fixes the bindeb-pkg make target.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: <stable@vger.kernel.org> # v4.14+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/Makefile | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/parisc/Makefile
++++ b/arch/parisc/Makefile
+@@ -17,7 +17,12 @@
+ # Mike Shaver, Helge Deller and Martin K. Petersen
+ #
+
++ifdef CONFIG_PARISC_SELF_EXTRACT
++boot := arch/parisc/boot
++KBUILD_IMAGE := $(boot)/bzImage
++else
+ KBUILD_IMAGE := vmlinuz
++endif
+
+ NM = sh $(srctree)/arch/parisc/nm
+ CHECKFLAGS += -D__hppa__=1
--- /dev/null
+From 0f9fee4cdebfbe695c297e5b603a275e2557c1cc Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sat, 4 Dec 2021 21:14:40 +0100
+Subject: parisc: Fix "make install" on newer debian releases
+
+From: Helge Deller <deller@gmx.de>
+
+commit 0f9fee4cdebfbe695c297e5b603a275e2557c1cc upstream.
+
+On newer debian releases the debian-provided "installkernel" script is
+installed in /usr/sbin. Fix the kernel install.sh script to look for the
+script in this directory as well.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: <stable@vger.kernel.org> # v3.13+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/install.sh | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/parisc/install.sh
++++ b/arch/parisc/install.sh
+@@ -39,6 +39,7 @@ verify "$3"
+ if [ -n "${INSTALLKERNEL}" ]; then
+ if [ -x ~/bin/${INSTALLKERNEL} ]; then exec ~/bin/${INSTALLKERNEL} "$@"; fi
+ if [ -x /sbin/${INSTALLKERNEL} ]; then exec /sbin/${INSTALLKERNEL} "$@"; fi
++ if [ -x /usr/sbin/${INSTALLKERNEL} ]; then exec /usr/sbin/${INSTALLKERNEL} "$@"; fi
+ fi
+
+ # Default install
--- /dev/null
+From afdb4a5b1d340e4afffc65daa21cc71890d7d589 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sat, 4 Dec 2021 21:21:46 +0100
+Subject: parisc: Mark cr16 CPU clocksource unstable on all SMP machines
+
+From: Helge Deller <deller@gmx.de>
+
+commit afdb4a5b1d340e4afffc65daa21cc71890d7d589 upstream.
+
+In commit c8c3735997a3 ("parisc: Enhance detection of synchronous cr16
+clocksources") I assumed that CPUs on the same physical core are syncronous.
+While booting up the kernel on two different C8000 machines, one with a
+dual-core PA8800 and one with a dual-core PA8900 CPU, this turned out to be
+wrong. The symptom was that I saw a jump in the internal clocks printed to the
+syslog and strange overall behaviour. On machines which have 4 cores (2
+dual-cores) the problem isn't visible, because the current logic already marked
+the cr16 clocksource unstable in this case.
+
+This patch now marks the cr16 interval timers unstable if we have more than one
+CPU in the system, and it fixes this issue.
+
+Fixes: c8c3735997a3 ("parisc: Enhance detection of synchronous cr16 clocksources")
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: <stable@vger.kernel.org> # v5.15+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/kernel/time.c | 28 +++++++---------------------
+ 1 file changed, 7 insertions(+), 21 deletions(-)
+
+--- a/arch/parisc/kernel/time.c
++++ b/arch/parisc/kernel/time.c
+@@ -249,30 +249,16 @@ void __init time_init(void)
+ static int __init init_cr16_clocksource(void)
+ {
+ /*
+- * The cr16 interval timers are not syncronized across CPUs on
+- * different sockets, so mark them unstable and lower rating on
+- * multi-socket SMP systems.
++ * The cr16 interval timers are not syncronized across CPUs, even if
++ * they share the same socket.
+ */
+ if (num_online_cpus() > 1 && !running_on_qemu) {
+- int cpu;
+- unsigned long cpu0_loc;
+- cpu0_loc = per_cpu(cpu_data, 0).cpu_loc;
++ /* mark sched_clock unstable */
++ clear_sched_clock_stable();
+
+- for_each_online_cpu(cpu) {
+- if (cpu == 0)
+- continue;
+- if ((cpu0_loc != 0) &&
+- (cpu0_loc == per_cpu(cpu_data, cpu).cpu_loc))
+- continue;
+-
+- /* mark sched_clock unstable */
+- clear_sched_clock_stable();
+-
+- clocksource_cr16.name = "cr16_unstable";
+- clocksource_cr16.flags = CLOCK_SOURCE_UNSTABLE;
+- clocksource_cr16.rating = 0;
+- break;
+- }
++ clocksource_cr16.name = "cr16_unstable";
++ clocksource_cr16.flags = CLOCK_SOURCE_UNSTABLE;
++ clocksource_cr16.rating = 0;
+ }
+
+ /* register at clocksource framework */
--- /dev/null
+From f85e04503f369b3f2be28c83fc48b74e19936ebc Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Mon, 22 Nov 2021 16:58:24 +0100
+Subject: serial: 8250: Fix RTS modem control while in rs485 mode
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit f85e04503f369b3f2be28c83fc48b74e19936ebc upstream.
+
+Commit f45709df7731 ("serial: 8250: Don't touch RTS modem control while
+in rs485 mode") sought to prevent user space from interfering with rs485
+communication by ignoring a TIOCMSET ioctl() which changes RTS polarity.
+
+It did so in serial8250_do_set_mctrl(), which turns out to be too deep
+in the call stack: When a uart_port is opened, RTS polarity is set by
+the rs485-aware function uart_port_dtr_rts(). It calls down to
+serial8250_do_set_mctrl() and that particular RTS polarity change should
+*not* be ignored.
+
+The user-visible result is that on 8250_omap ports which use rs485 with
+inverse polarity (RTS bit in MCR register is 1 to receive, 0 to send),
+a newly opened port initially sets up RTS for sending instead of
+receiving. That's because omap_8250_startup() sets the cached value
+up->mcr to 0 and omap_8250_restore_regs() subsequently writes it to the
+MCR register. Due to the commit, serial8250_do_set_mctrl() preserves
+that incorrect register value:
+
+do_sys_openat2
+ do_filp_open
+ path_openat
+ vfs_open
+ do_dentry_open
+ chrdev_open
+ tty_open
+ uart_open
+ tty_port_open
+ uart_port_activate
+ uart_startup
+ uart_port_startup
+ serial8250_startup
+ omap_8250_startup # up->mcr = 0
+ uart_change_speed
+ serial8250_set_termios
+ omap_8250_set_termios
+ omap_8250_restore_regs
+ serial8250_out_MCR # up->mcr written
+ tty_port_block_til_ready
+ uart_dtr_rts
+ uart_port_dtr_rts
+ serial8250_set_mctrl
+ omap8250_set_mctrl
+ serial8250_do_set_mctrl # mcr[1] = 1 ignored
+
+Fix by intercepting RTS changes from user space in uart_tiocmset()
+instead.
+
+Link: https://lore.kernel.org/linux-serial/20211027111644.1996921-1-baocheng.su@siemens.com/
+Fixes: f45709df7731 ("serial: 8250: Don't touch RTS modem control while in rs485 mode")
+Cc: Chao Zeng <chao.zeng@siemens.com>
+Cc: stable@vger.kernel.org # v5.7+
+Reported-by: Su Bao Cheng <baocheng.su@siemens.com>
+Reported-by: Jan Kiszka <jan.kiszka@siemens.com>
+Tested-by: Su Bao Cheng <baocheng.su@siemens.com>
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Link: https://lore.kernel.org/r/21170e622a1aaf842a50b32146008b5374b3dd1d.1637596432.git.lukas@wunner.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250_port.c | 7 -------
+ drivers/tty/serial/serial_core.c | 5 +++++
+ 2 files changed, 5 insertions(+), 7 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -2024,13 +2024,6 @@ void serial8250_do_set_mctrl(struct uart
+ struct uart_8250_port *up = up_to_u8250p(port);
+ unsigned char mcr;
+
+- if (port->rs485.flags & SER_RS485_ENABLED) {
+- if (serial8250_in_MCR(up) & UART_MCR_RTS)
+- mctrl |= TIOCM_RTS;
+- else
+- mctrl &= ~TIOCM_RTS;
+- }
+-
+ mcr = serial8250_TIOCM_to_MCR(mctrl);
+
+ mcr = (mcr & up->mcr_mask) | up->mcr_force | up->mcr;
+--- a/drivers/tty/serial/serial_core.c
++++ b/drivers/tty/serial/serial_core.c
+@@ -1075,6 +1075,11 @@ uart_tiocmset(struct tty_struct *tty, un
+ goto out;
+
+ if (!tty_io_error(tty)) {
++ if (uport->rs485.flags & SER_RS485_ENABLED) {
++ set &= ~TIOCM_RTS;
++ clear &= ~TIOCM_RTS;
++ }
++
+ uart_update_mctrl(uport, set, clear);
+ ret = 0;
+ }
--- /dev/null
+From c525c5d2437f93520388920baac6d9340c65d239 Mon Sep 17 00:00:00 2001
+From: Jay Dolan <jay.dolan@accesio.com>
+Date: Mon, 22 Nov 2021 14:06:03 +0200
+Subject: serial: 8250_pci: Fix ACCES entries in pci_serial_quirks array
+
+From: Jay Dolan <jay.dolan@accesio.com>
+
+commit c525c5d2437f93520388920baac6d9340c65d239 upstream.
+
+Fix error in table for PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4S that caused it
+and PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_4 to be missing their fourth port.
+
+Fixes: 78d3820b9bd3 ("serial: 8250_pci: Have ACCES cards that use the four port Pericom PI7C9X7954 chip use the pci_pericom_setup()")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Jay Dolan <jay.dolan@accesio.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20211122120604.3909-2-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250_pci.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/8250/8250_pci.c
++++ b/drivers/tty/serial/8250/8250_pci.c
+@@ -2317,11 +2317,18 @@ static struct pci_serial_quirk pci_seria
+ .setup = pci_pericom_setup_four_at_eight,
+ },
+ {
+- .vendor = PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4S,
++ .vendor = PCI_VENDOR_ID_ACCESIO,
+ .device = PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_4,
+ .subvendor = PCI_ANY_ID,
+ .subdevice = PCI_ANY_ID,
+ .setup = pci_pericom_setup_four_at_eight,
++ },
++ {
++ .vendor = PCI_VENDOR_ID_ACCESIO,
++ .device = PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4S,
++ .subvendor = PCI_ANY_ID,
++ .subdevice = PCI_ANY_ID,
++ .setup = pci_pericom_setup_four_at_eight,
+ },
+ {
+ .vendor = PCI_VENDOR_ID_ACCESIO,
--- /dev/null
+From bb1201d4b38ec67bd9a871cf86b0cc10f28b15b5 Mon Sep 17 00:00:00 2001
+From: Jay Dolan <jay.dolan@accesio.com>
+Date: Mon, 22 Nov 2021 14:06:04 +0200
+Subject: serial: 8250_pci: rewrite pericom_do_set_divisor()
+
+From: Jay Dolan <jay.dolan@accesio.com>
+
+commit bb1201d4b38ec67bd9a871cf86b0cc10f28b15b5 upstream.
+
+Have pericom_do_set_divisor() use the uartclk instead of a hard coded
+value to work with different speed crystals. Tested with 14.7456 and 24
+MHz crystals.
+
+Have pericom_do_set_divisor() always calculate the divisor rather than
+call serial8250_do_set_divisor() for rates below baud_base.
+
+Do not write registers or call serial8250_do_set_divisor() if valid
+divisors could not be found.
+
+Fixes: 6bf4e42f1d19 ("serial: 8250: Add support for higher baud rates to Pericom chips")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Jay Dolan <jay.dolan@accesio.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20211122120604.3909-3-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250_pci.c | 30 +++++++++++++++++-------------
+ 1 file changed, 17 insertions(+), 13 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_pci.c
++++ b/drivers/tty/serial/8250/8250_pci.c
+@@ -1349,29 +1349,33 @@ pericom_do_set_divisor(struct uart_port
+ {
+ int scr;
+ int lcr;
+- int actual_baud;
+- int tolerance;
+
+- for (scr = 5 ; scr <= 15 ; scr++) {
+- actual_baud = 921600 * 16 / scr;
+- tolerance = actual_baud / 50;
++ for (scr = 16; scr > 4; scr--) {
++ unsigned int maxrate = port->uartclk / scr;
++ unsigned int divisor = max(maxrate / baud, 1U);
++ int delta = maxrate / divisor - baud;
+
+- if ((baud < actual_baud + tolerance) &&
+- (baud > actual_baud - tolerance)) {
++ if (baud > maxrate + baud / 50)
++ continue;
+
++ if (delta > baud / 50)
++ divisor++;
++
++ if (divisor > 0xffff)
++ continue;
++
++ /* Update delta due to possible divisor change */
++ delta = maxrate / divisor - baud;
++ if (abs(delta) < baud / 50) {
+ lcr = serial_port_in(port, UART_LCR);
+ serial_port_out(port, UART_LCR, lcr | 0x80);
+-
+- serial_port_out(port, UART_DLL, 1);
+- serial_port_out(port, UART_DLM, 0);
++ serial_port_out(port, UART_DLL, divisor & 0xff);
++ serial_port_out(port, UART_DLM, divisor >> 8 & 0xff);
+ serial_port_out(port, 2, 16 - scr);
+ serial_port_out(port, UART_LCR, lcr);
+ return;
+- } else if (baud > actual_baud) {
+- break;
+ }
+ }
+- serial8250_do_set_divisor(port, baud, quot, quot_frac);
+ }
+ static int pci_pericom_setup(struct serial_private *priv,
+ const struct pciserial_board *board,
--- /dev/null
+From 00de977f9e0aa9760d9a79d1e41ff780f74e3424 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 8 Nov 2021 09:54:31 +0100
+Subject: serial: core: fix transmit-buffer reset and memleak
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 00de977f9e0aa9760d9a79d1e41ff780f74e3424 upstream.
+
+Commit 761ed4a94582 ("tty: serial_core: convert uart_close to use
+tty_port_close") converted serial core to use tty_port_close() but
+failed to notice that the transmit buffer still needs to be freed on
+final close.
+
+Not freeing the transmit buffer means that the buffer is no longer
+cleared on next open so that any ioctl() waiting for the buffer to drain
+might wait indefinitely (e.g. on termios changes) or that stale data can
+end up being transmitted in case tx is restarted.
+
+Furthermore, the buffer of any port that has been opened would leak on
+driver unbind.
+
+Note that the port lock is held when clearing the buffer pointer due to
+the ldisc race worked around by commit a5ba1d95e46e ("uart: fix race
+between uart_put_char() and uart_shutdown()").
+
+Also note that the tty-port shutdown() callback is not called for
+console ports so it is not strictly necessary to free the buffer page
+after releasing the lock (cf. d72402145ace ("tty/serial: do not free
+trasnmit buffer page under port lock")).
+
+Link: https://lore.kernel.org/r/319321886d97c456203d5c6a576a5480d07c3478.1635781688.git.baruch@tkos.co.il
+Fixes: 761ed4a94582 ("tty: serial_core: convert uart_close to use tty_port_close")
+Cc: stable@vger.kernel.org # 4.9
+Cc: Rob Herring <robh@kernel.org>
+Reported-by: Baruch Siach <baruch@tkos.co.il>
+Tested-by: Baruch Siach <baruch@tkos.co.il>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20211108085431.12637-1-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/serial_core.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/serial_core.c
++++ b/drivers/tty/serial/serial_core.c
+@@ -1549,6 +1549,7 @@ static void uart_tty_port_shutdown(struc
+ {
+ struct uart_state *state = container_of(port, struct uart_state, port);
+ struct uart_port *uport = uart_port_check(state);
++ char *buf;
+
+ /*
+ * At this point, we stop accepting input. To do this, we
+@@ -1570,8 +1571,18 @@ static void uart_tty_port_shutdown(struc
+ */
+ tty_port_set_suspended(port, 0);
+
+- uart_change_pm(state, UART_PM_STATE_OFF);
++ /*
++ * Free the transmit buffer.
++ */
++ spin_lock_irq(&uport->lock);
++ buf = state->xmit.buf;
++ state->xmit.buf = NULL;
++ spin_unlock_irq(&uport->lock);
++
++ if (buf)
++ free_page((unsigned long)buf);
+
++ uart_change_pm(state, UART_PM_STATE_OFF);
+ }
+
+ static void uart_wait_until_sent(struct tty_struct *tty, int timeout)
--- /dev/null
+From dd5e90b16cca8a697cbe17b72e2a5f49291cabb2 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 17 Nov 2021 11:05:11 +0100
+Subject: serial: liteuart: fix minor-number leak on probe errors
+
+From: Johan Hovold <johan@kernel.org>
+
+commit dd5e90b16cca8a697cbe17b72e2a5f49291cabb2 upstream.
+
+Make sure to release the allocated minor number before returning on
+probe errors.
+
+Fixes: 1da81e5562fa ("drivers/tty/serial: add LiteUART driver")
+Cc: stable@vger.kernel.org # 5.11
+Cc: Filip Kokosinski <fkokosinski@antmicro.com>
+Cc: Mateusz Holenko <mholenko@antmicro.com>
+Reviewed-by: Stafford Horne <shorne@gmail.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20211117100512.5058-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/liteuart.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/serial/liteuart.c
++++ b/drivers/tty/serial/liteuart.c
+@@ -270,8 +270,10 @@ static int liteuart_probe(struct platfor
+
+ /* get membase */
+ port->membase = devm_platform_get_and_ioremap_resource(pdev, 0, NULL);
+- if (IS_ERR(port->membase))
+- return PTR_ERR(port->membase);
++ if (IS_ERR(port->membase)) {
++ ret = PTR_ERR(port->membase);
++ goto err_erase_id;
++ }
+
+ /* values not from device tree */
+ port->dev = &pdev->dev;
+@@ -287,7 +289,16 @@ static int liteuart_probe(struct platfor
+
+ platform_set_drvdata(pdev, port);
+
+- return uart_add_one_port(&liteuart_driver, &uart->port);
++ ret = uart_add_one_port(&liteuart_driver, &uart->port);
++ if (ret)
++ goto err_erase_id;
++
++ return 0;
++
++err_erase_id:
++ xa_erase(&liteuart_array, uart->id);
++
++ return ret;
+ }
+
+ static int liteuart_remove(struct platform_device *pdev)
--- /dev/null
+From 0f55f89d98c8b3e12b4f55f71c127a173e29557c Mon Sep 17 00:00:00 2001
+From: Ilia Sergachev <silia@ethz.ch>
+Date: Mon, 15 Nov 2021 22:49:44 +0100
+Subject: serial: liteuart: Fix NULL pointer dereference in ->remove()
+
+From: Ilia Sergachev <silia@ethz.ch>
+
+commit 0f55f89d98c8b3e12b4f55f71c127a173e29557c upstream.
+
+drvdata has to be set in _probe() - otherwise platform_get_drvdata()
+causes null pointer dereference BUG in _remove().
+
+Fixes: 1da81e5562fa ("drivers/tty/serial: add LiteUART driver")
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Ilia Sergachev <silia@ethz.ch>
+Link: https://lore.kernel.org/r/20211115224944.23f8c12b@dtkw
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/liteuart.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/tty/serial/liteuart.c
++++ b/drivers/tty/serial/liteuart.c
+@@ -285,6 +285,8 @@ static int liteuart_probe(struct platfor
+ port->line = dev_id;
+ spin_lock_init(&port->lock);
+
++ platform_set_drvdata(pdev, port);
++
+ return uart_add_one_port(&liteuart_driver, &uart->port);
+ }
+
--- /dev/null
+From 05f929b395dec8957b636ff14e66b277ed022ed9 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 17 Nov 2021 11:05:10 +0100
+Subject: serial: liteuart: fix use-after-free and memleak on unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 05f929b395dec8957b636ff14e66b277ed022ed9 upstream.
+
+Deregister the port when unbinding the driver to prevent it from being
+used after releasing the driver data and leaking memory allocated by
+serial core.
+
+Fixes: 1da81e5562fa ("drivers/tty/serial: add LiteUART driver")
+Cc: stable@vger.kernel.org # 5.11
+Cc: Filip Kokosinski <fkokosinski@antmicro.com>
+Cc: Mateusz Holenko <mholenko@antmicro.com>
+Reviewed-by: Stafford Horne <shorne@gmail.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20211117100512.5058-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/liteuart.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/tty/serial/liteuart.c
++++ b/drivers/tty/serial/liteuart.c
+@@ -295,6 +295,7 @@ static int liteuart_remove(struct platfo
+ struct uart_port *port = platform_get_drvdata(pdev);
+ struct liteuart_port *uart = to_liteuart_port(port);
+
++ uart_remove_one_port(&liteuart_driver, port);
+ xa_erase(&liteuart_array, uart->id);
+
+ return 0;
--- /dev/null
+From ac442a077acf9a6bf1db4320ec0c3f303be092b3 Mon Sep 17 00:00:00 2001
+From: Pierre Gondois <Pierre.Gondois@arm.com>
+Date: Tue, 9 Nov 2021 17:22:48 +0000
+Subject: serial: pl011: Add ACPI SBSA UART match id
+
+From: Pierre Gondois <Pierre.Gondois@arm.com>
+
+commit ac442a077acf9a6bf1db4320ec0c3f303be092b3 upstream.
+
+The document 'ACPI for Arm Components 1.0' defines the following
+_HID mappings:
+-'Prime cell UART (PL011)': ARMH0011
+-'SBSA UART': ARMHB000
+
+Use the sbsa-uart driver when a device is described with
+the 'ARMHB000' _HID.
+
+Note:
+PL011 devices currently use the sbsa-uart driver instead of the
+uart-pl011 driver. Indeed, PL011 devices are not bound to a clock
+in ACPI. It is not possible to change their baudrate.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Pierre Gondois <Pierre.Gondois@arm.com>
+Link: https://lore.kernel.org/r/20211109172248.19061-1-Pierre.Gondois@arm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/amba-pl011.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/tty/serial/amba-pl011.c
++++ b/drivers/tty/serial/amba-pl011.c
+@@ -2947,6 +2947,7 @@ MODULE_DEVICE_TABLE(of, sbsa_uart_of_mat
+
+ static const struct acpi_device_id __maybe_unused sbsa_uart_acpi_match[] = {
+ { "ARMH0011", 0 },
++ { "ARMHB000", 0 },
+ {},
+ };
+ MODULE_DEVICE_TABLE(acpi, sbsa_uart_acpi_match);
--- /dev/null
+From b40de7469ef135161c80af0e8c462298cc5dac00 Mon Sep 17 00:00:00 2001
+From: Patrik John <patrik.john@u-blox.com>
+Date: Tue, 23 Nov 2021 14:27:38 +0100
+Subject: serial: tegra: Change lower tolerance baud rate limit for tegra20 and tegra30
+
+From: Patrik John <patrik.john@u-blox.com>
+
+commit b40de7469ef135161c80af0e8c462298cc5dac00 upstream.
+
+The current implementation uses 0 as lower limit for the baud rate
+tolerance for tegra20 and tegra30 chips which causes isses on UART
+initialization as soon as baud rate clock is lower than required even
+when within the standard UART tolerance of +/- 4%.
+
+This fix aligns the implementation with the initial commit description
+of +/- 4% tolerance for tegra chips other than tegra186 and
+tegra194.
+
+Fixes: d781ec21bae6 ("serial: tegra: report clk rate errors")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Patrik John <patrik.john@u-blox.com>
+Link: https://lore.kernel.org/r/sig.19614244f8.20211123132737.88341-1-patrik.john@u-blox.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/serial-tegra.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/serial-tegra.c
++++ b/drivers/tty/serial/serial-tegra.c
+@@ -1506,7 +1506,7 @@ static struct tegra_uart_chip_data tegra
+ .fifo_mode_enable_status = false,
+ .uart_max_port = 5,
+ .max_dma_burst_bytes = 4,
+- .error_tolerance_low_range = 0,
++ .error_tolerance_low_range = -4,
+ .error_tolerance_high_range = 4,
+ };
+
+@@ -1517,7 +1517,7 @@ static struct tegra_uart_chip_data tegra
+ .fifo_mode_enable_status = false,
+ .uart_max_port = 5,
+ .max_dma_burst_bytes = 4,
+- .error_tolerance_low_range = 0,
++ .error_tolerance_low_range = -4,
+ .error_tolerance_high_range = 4,
+ };
+
net-mlx5e-rename-tir-lro-functions-to-tir-packet-mer.patch
net-mlx5e-sync-tir-params-updates-against-concurrent.patch
serial-8250_bcm7271-uart-errors-after-resuming-from-.patch
+parisc-fix-kbuild_image-for-self-extracting-kernel.patch
+parisc-fix-make-install-on-newer-debian-releases.patch
+parisc-mark-cr16-cpu-clocksource-unstable-on-all-smp-machines.patch
+vgacon-propagate-console-boot-parameters-before-calling-vc_resize.patch
+xhci-fix-commad-ring-abort-write-all-64-bits-to-crcr-register.patch
+usb-no_lpm-quirk-lenovo-powered-usb-c-travel-hub.patch
+usb-typec-tcpm-wait-in-snk_debounced-until-disconnect.patch
+usb-cdns3-gadget-fix-new-urb-never-complete-if-ep-cancel-previous-requests.patch
+usb-cdnsp-fix-a-null-pointer-dereference-in-cdnsp_endpoint_init.patch
+x86-tsc-add-a-timer-to-make-sure-tsc_adjust-is-always-checked.patch
+x86-tsc-disable-clocksource-watchdog-for-tsc-on-qualified-platorms.patch
+x86-64-mm-map-all-kernel-memory-into-trampoline_pgd.patch
+tty-serial-msm_serial-deactivate-rx-dma-for-polling-support.patch
+serial-pl011-add-acpi-sbsa-uart-match-id.patch
+serial-tegra-change-lower-tolerance-baud-rate-limit-for-tegra20-and-tegra30.patch
+serial-core-fix-transmit-buffer-reset-and-memleak.patch
+serial-8250_pci-fix-acces-entries-in-pci_serial_quirks-array.patch
+serial-8250_pci-rewrite-pericom_do_set_divisor.patch
+serial-8250-fix-rts-modem-control-while-in-rs485-mode.patch
+serial-liteuart-fix-null-pointer-dereference-in-remove.patch
+serial-liteuart-fix-use-after-free-and-memleak-on-unbind.patch
+serial-liteuart-fix-minor-number-leak-on-probe-errors.patch
--- /dev/null
+From 7492ffc90fa126afb67d4392d56cb4134780194a Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sat, 13 Nov 2021 13:10:50 +0100
+Subject: tty: serial: msm_serial: Deactivate RX DMA for polling support
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit 7492ffc90fa126afb67d4392d56cb4134780194a upstream.
+
+The CONSOLE_POLLING mode is used for tools like k(g)db. In this kind of
+setup, it is often sharing a serial device with the normal system console.
+This is usually no problem because the polling helpers can consume input
+values directly (when in kgdb context) and the normal Linux handlers can
+only consume new input values after kgdb switched back.
+
+This is not true anymore when RX DMA is enabled for UARTDM controllers.
+Single input values can no longer be received correctly. Instead following
+seems to happen:
+
+* on 1. input, some old input is read (continuously)
+* on 2. input, two old inputs are read (continuously)
+* on 3. input, three old input values are read (continuously)
+* on 4. input, 4 previous inputs are received
+
+This repeats then for each group of 4 input values.
+
+This behavior changes slightly depending on what state the controller was
+when the first input was received. But this makes working with kgdb
+basically impossible because control messages are always corrupted when
+kgdboc tries to parse them.
+
+RX DMA should therefore be off when CONSOLE_POLLING is enabled to avoid
+these kind of problems. No such problem was noticed for TX DMA.
+
+Fixes: 99693945013a ("tty: serial: msm: Add RX DMA support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Link: https://lore.kernel.org/r/20211113121050.7266-1-sven@narfation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/msm_serial.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/tty/serial/msm_serial.c
++++ b/drivers/tty/serial/msm_serial.c
+@@ -598,6 +598,9 @@ static void msm_start_rx_dma(struct msm_
+ u32 val;
+ int ret;
+
++ if (IS_ENABLED(CONFIG_CONSOLE_POLL))
++ return;
++
+ if (!dma->chan)
+ return;
+
--- /dev/null
+From 387c2b6ba197c6df28e75359f7d892f7c8dec204 Mon Sep 17 00:00:00 2001
+From: Frank Li <Frank.Li@nxp.com>
+Date: Tue, 30 Nov 2021 09:42:39 -0600
+Subject: usb: cdns3: gadget: fix new urb never complete if ep cancel previous requests
+
+From: Frank Li <Frank.Li@nxp.com>
+
+commit 387c2b6ba197c6df28e75359f7d892f7c8dec204 upstream.
+
+This issue was found at android12 MTP.
+1. MTP submit many out urb request.
+2. Cancel left requests (>20) when enough data get from host
+3. Send ACK by IN endpoint.
+4. MTP submit new out urb request.
+5. 4's urb never complete.
+
+TRACE LOG:
+
+MtpServer-2157 [000] d..3 1287.150391: cdns3_ep_dequeue: ep1out: req: 00000000299e6836, req buff 000000009df42287, length: 0/16384 zsi, status: -115, trb: [start:87, end:87: virt addr 0x80004000ffd50420], flags:1 SID: 0
+MtpServer-2157 [000] d..3 1287.150410: cdns3_gadget_giveback: ep1out: req: 00000000299e6836, req buff 000000009df42287, length: 0/16384 zsi, status: -104, trb: [start:87, end:87: virt addr 0x80004000ffd50420], flags:0 SID: 0
+MtpServer-2157 [000] d..3 1287.150433: cdns3_ep_dequeue: ep1out: req: 0000000080b7bde6, req buff 000000009ed5c556, length: 0/16384 zsi, status: -115, trb: [start:88, end:88: virt addr 0x80004000ffd5042c], flags:1 SID: 0
+MtpServer-2157 [000] d..3 1287.150446: cdns3_gadget_giveback: ep1out: req: 0000000080b7bde6, req buff 000000009ed5c556, length: 0/16384 zsi, status: -104, trb: [start:88, end:88: virt addr 0x80004000ffd5042c], flags:0 SID: 0
+ ....
+MtpServer-2157 [000] d..1 1293.630410: cdns3_alloc_request: ep1out: req: 00000000afbccb7d, req buff 0000000000000000, length: 0/0 zsi, status: 0, trb: [start:0, end:0: virt addr (null)], flags:0 SID: 0
+MtpServer-2157 [000] d..2 1293.630421: cdns3_ep_queue: ep1out: req: 00000000afbccb7d, req buff 00000000871caf90, length: 0/512 zsi, status: -115, trb: [start:0, end:0: virt addr (null)], flags:0 SID: 0
+MtpServer-2157 [000] d..2 1293.630445: cdns3_wa1: WA1: ep1out set guard
+MtpServer-2157 [000] d..2 1293.630450: cdns3_wa1: WA1: ep1out restore cycle bit
+MtpServer-2157 [000] d..2 1293.630453: cdns3_prepare_trb: ep1out: trb 000000007317b3ee, dma buf: 0xffd5bc00, size: 512, burst: 128 ctrl: 0x00000424 (C=0, T=0, ISP, IOC, Normal) SID:0 LAST_SID:0
+MtpServer-2157 [000] d..2 1293.630460: cdns3_doorbell_epx: ep1out, ep_trbaddr ffd50414
+ ....
+irq/241-5b13000-2154 [000] d..1 1293.680849: cdns3_epx_irq: IRQ for ep1out: 01000408 ISP , ep_traddr: ffd508ac ep_last_sid: 00000000 use_streams: 0
+irq/241-5b13000-2154 [000] d..1 1293.680858: cdns3_complete_trb: ep1out: trb 0000000021a11b54, dma buf: 0xffd50420, size: 16384, burst: 128 ctrl: 0x00001810 (C=0, T=0, CHAIN, LINK) SID:0 LAST_SID:0
+irq/241-5b13000-2154 [000] d..1 1293.680865: cdns3_request_handled: Req: 00000000afbccb7d not handled, DMA pos: 185, ep deq: 88, ep enq: 185, start trb: 184, end trb: 184
+
+Actually DMA pos already bigger than previous submit request afbccb7d's TRB (184-184). The reason of (not handled) is that deq position is wrong.
+
+The TRB link is below when irq happen.
+
+ DEQ LINK LINK LINK LINK LINK .... TRB(afbccb7d):START DMA(EP_TRADDR).
+
+Original code check LINK TRB, but DEQ just move one step.
+
+ LINK DEQ LINK LINK LINK LINK .... TRB(afbccb7d):START DMA(EP_TRADDR).
+
+This patch skip all LINK TRB and sync DEQ to trb's start.
+
+ LINK LINK LINK LINK LINK .... DEQ = TRB(afbccb7d):START DMA(EP_TRADDR).
+
+Acked-by: Peter Chen <peter.chen@kernel.org>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Jun Li <jun.li@nxp.com>
+Link: https://lore.kernel.org/r/20211130154239.8029-1-Frank.Li@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/cdns3/cdns3-gadget.c | 20 ++++----------------
+ 1 file changed, 4 insertions(+), 16 deletions(-)
+
+--- a/drivers/usb/cdns3/cdns3-gadget.c
++++ b/drivers/usb/cdns3/cdns3-gadget.c
+@@ -337,19 +337,6 @@ static void cdns3_ep_inc_deq(struct cdns
+ cdns3_ep_inc_trb(&priv_ep->dequeue, &priv_ep->ccs, priv_ep->num_trbs);
+ }
+
+-static void cdns3_move_deq_to_next_trb(struct cdns3_request *priv_req)
+-{
+- struct cdns3_endpoint *priv_ep = priv_req->priv_ep;
+- int current_trb = priv_req->start_trb;
+-
+- while (current_trb != priv_req->end_trb) {
+- cdns3_ep_inc_deq(priv_ep);
+- current_trb = priv_ep->dequeue;
+- }
+-
+- cdns3_ep_inc_deq(priv_ep);
+-}
+-
+ /**
+ * cdns3_allow_enable_l1 - enable/disable permits to transition to L1.
+ * @priv_dev: Extended gadget object
+@@ -1517,10 +1504,11 @@ static void cdns3_transfer_completed(str
+
+ trb = priv_ep->trb_pool + priv_ep->dequeue;
+
+- /* Request was dequeued and TRB was changed to TRB_LINK. */
+- if (TRB_FIELD_TO_TYPE(le32_to_cpu(trb->control)) == TRB_LINK) {
++ /* The TRB was changed as link TRB, and the request was handled at ep_dequeue */
++ while (TRB_FIELD_TO_TYPE(le32_to_cpu(trb->control)) == TRB_LINK) {
+ trace_cdns3_complete_trb(priv_ep, trb);
+- cdns3_move_deq_to_next_trb(priv_req);
++ cdns3_ep_inc_deq(priv_ep);
++ trb = priv_ep->trb_pool + priv_ep->dequeue;
+ }
+
+ if (!request->stream_id) {
--- /dev/null
+From 37307f7020ab38dde0892a578249bf63d00bca64 Mon Sep 17 00:00:00 2001
+From: Zhou Qingyang <zhou1615@umn.edu>
+Date: Wed, 1 Dec 2021 01:27:00 +0800
+Subject: usb: cdnsp: Fix a NULL pointer dereference in cdnsp_endpoint_init()
+
+From: Zhou Qingyang <zhou1615@umn.edu>
+
+commit 37307f7020ab38dde0892a578249bf63d00bca64 upstream.
+
+In cdnsp_endpoint_init(), cdnsp_ring_alloc() is assigned to pep->ring
+and there is a dereference of it in cdnsp_endpoint_init(), which could
+lead to a NULL pointer dereference on failure of cdnsp_ring_alloc().
+
+Fix this bug by adding a check of pep->ring.
+
+This bug was found by a static analyzer. The analysis employs
+differential checking to identify inconsistent security operations
+(e.g., checks or kfrees) between two code paths and confirms that the
+inconsistent operations are not recovered in the current function or
+the callers, so they constitute bugs.
+
+Note that, as a bug found by static analysis, it can be a false
+positive or hard to trigger. Multiple researchers have cross-reviewed
+the bug.
+
+Builds with CONFIG_USB_CDNSP_GADGET=y show no new warnings,
+and our static analyzer no longer warns about this code.
+
+Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Pawel Laszczak <pawell@cadence.com>
+Acked-by: Peter Chen <peter.chen@kernel.org>
+Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
+Link: https://lore.kernel.org/r/20211130172700.206650-1-zhou1615@umn.edu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/cdns3/cdnsp-mem.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/cdns3/cdnsp-mem.c
++++ b/drivers/usb/cdns3/cdnsp-mem.c
+@@ -987,6 +987,9 @@ int cdnsp_endpoint_init(struct cdnsp_dev
+
+ /* Set up the endpoint ring. */
+ pep->ring = cdnsp_ring_alloc(pdev, 2, ring_type, max_packet, mem_flags);
++ if (!pep->ring)
++ return -ENOMEM;
++
+ pep->skip = false;
+
+ /* Fill the endpoint context */
--- /dev/null
+From d2a004037c3c6afd36d40c384d2905f47cd51c57 Mon Sep 17 00:00:00 2001
+From: Ole Ernst <olebowle@gmx.com>
+Date: Sat, 27 Nov 2021 10:05:45 +0100
+Subject: USB: NO_LPM quirk Lenovo Powered USB-C Travel Hub
+
+From: Ole Ernst <olebowle@gmx.com>
+
+commit d2a004037c3c6afd36d40c384d2905f47cd51c57 upstream.
+
+This is another branded 8153 device that doesn't work well with LPM:
+r8152 2-2.1:1.0 enp0s13f0u2u1: Stop submitting intr, status -71
+
+Disable LPM to resolve the issue.
+
+Signed-off-by: Ole Ernst <olebowle@gmx.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211127090546.52072-1-olebowle@gmx.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/quirks.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -434,6 +434,9 @@ static const struct usb_device_id usb_qu
+ { USB_DEVICE(0x1532, 0x0116), .driver_info =
+ USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL },
+
++ /* Lenovo Powered USB-C Travel Hub (4X90S92381, RTL8153 GigE) */
++ { USB_DEVICE(0x17ef, 0x721e), .driver_info = USB_QUIRK_NO_LPM },
++
+ /* Lenovo ThinkCenter A630Z TI024Gen3 usb-audio */
+ { USB_DEVICE(0x17ef, 0xa012), .driver_info =
+ USB_QUIRK_DISCONNECT_SUSPEND },
--- /dev/null
+From fbcd13df1e78eb2ba83a3c160eefe2d6f574beaf Mon Sep 17 00:00:00 2001
+From: Badhri Jagan Sridharan <badhri@google.com>
+Date: Mon, 29 Nov 2021 16:18:25 -0800
+Subject: usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect
+
+From: Badhri Jagan Sridharan <badhri@google.com>
+
+commit fbcd13df1e78eb2ba83a3c160eefe2d6f574beaf upstream.
+
+Stub from the spec:
+"4.5.2.2.4.2 Exiting from AttachWait.SNK State
+A Sink shall transition to Unattached.SNK when the state of both
+the CC1 and CC2 pins is SNK.Open for at least tPDDebounce.
+A DRP shall transition to Unattached.SRC when the state of both
+the CC1 and CC2 pins is SNK.Open for at least tPDDebounce."
+
+This change makes TCPM to wait in SNK_DEBOUNCED state until
+CC1 and CC2 pins is SNK.Open for at least tPDDebounce. Previously,
+TCPM resets the port if vbus is not present in PD_T_PS_SOURCE_ON.
+This causes TCPM to loop continuously when connected to a
+faulty power source that does not present vbus. Waiting in
+SNK_DEBOUNCED also ensures that TCPM is adherant to
+"4.5.2.2.4.2 Exiting from AttachWait.SNK State" requirements.
+
+[ 6169.280751] CC1: 0 -> 0, CC2: 0 -> 5 [state TOGGLING, polarity 0, connected]
+[ 6169.280759] state change TOGGLING -> SNK_ATTACH_WAIT [rev2 NONE_AMS]
+[ 6169.280771] pending state change SNK_ATTACH_WAIT -> SNK_DEBOUNCED @ 170 ms [rev2 NONE_AMS]
+[ 6169.282427] CC1: 0 -> 0, CC2: 5 -> 5 [state SNK_ATTACH_WAIT, polarity 0, connected]
+[ 6169.450825] state change SNK_ATTACH_WAIT -> SNK_DEBOUNCED [delayed 170 ms]
+[ 6169.450834] pending state change SNK_DEBOUNCED -> PORT_RESET @ 480 ms [rev2 NONE_AMS]
+[ 6169.930892] state change SNK_DEBOUNCED -> PORT_RESET [delayed 480 ms]
+[ 6169.931296] disable vbus discharge ret:0
+[ 6169.931301] Setting usb_comm capable false
+[ 6169.932783] Setting voltage/current limit 0 mV 0 mA
+[ 6169.932802] polarity 0
+[ 6169.933706] Requesting mux state 0, usb-role 0, orientation 0
+[ 6169.936689] cc:=0
+[ 6169.936812] pending state change PORT_RESET -> PORT_RESET_WAIT_OFF @ 100 ms [rev2 NONE_AMS]
+[ 6169.937157] CC1: 0 -> 0, CC2: 5 -> 0 [state PORT_RESET, polarity 0, disconnected]
+[ 6170.036880] state change PORT_RESET -> PORT_RESET_WAIT_OFF [delayed 100 ms]
+[ 6170.036890] state change PORT_RESET_WAIT_OFF -> SNK_UNATTACHED [rev2 NONE_AMS]
+[ 6170.036896] Start toggling
+[ 6170.041412] CC1: 0 -> 0, CC2: 0 -> 0 [state TOGGLING, polarity 0, disconnected]
+[ 6170.042973] CC1: 0 -> 0, CC2: 0 -> 5 [state TOGGLING, polarity 0, connected]
+[ 6170.042976] state change TOGGLING -> SNK_ATTACH_WAIT [rev2 NONE_AMS]
+[ 6170.042981] pending state change SNK_ATTACH_WAIT -> SNK_DEBOUNCED @ 170 ms [rev2 NONE_AMS]
+[ 6170.213014] state change SNK_ATTACH_WAIT -> SNK_DEBOUNCED [delayed 170 ms]
+[ 6170.213019] pending state change SNK_DEBOUNCED -> PORT_RESET @ 480 ms [rev2 NONE_AMS]
+[ 6170.693068] state change SNK_DEBOUNCED -> PORT_RESET [delayed 480 ms]
+[ 6170.693304] disable vbus discharge ret:0
+[ 6170.693308] Setting usb_comm capable false
+[ 6170.695193] Setting voltage/current limit 0 mV 0 mA
+[ 6170.695210] polarity 0
+[ 6170.695990] Requesting mux state 0, usb-role 0, orientation 0
+[ 6170.701896] cc:=0
+[ 6170.702181] pending state change PORT_RESET -> PORT_RESET_WAIT_OFF @ 100 ms [rev2 NONE_AMS]
+[ 6170.703343] CC1: 0 -> 0, CC2: 5 -> 0 [state PORT_RESET, polarity 0, disconnected]
+
+Fixes: f0690a25a140b8 ("staging: typec: USB Type-C Port Manager (tcpm)")
+Cc: stable@vger.kernel.org
+Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
+Link: https://lore.kernel.org/r/20211130001825.3142830-1-badhri@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/tcpm/tcpm.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -4110,11 +4110,7 @@ static void run_state_machine(struct tcp
+ tcpm_try_src(port) ? SRC_TRY
+ : SNK_ATTACHED,
+ 0);
+- else
+- /* Wait for VBUS, but not forever */
+- tcpm_set_state(port, PORT_RESET, PD_T_PS_SOURCE_ON);
+ break;
+-
+ case SRC_TRY:
+ port->try_src_count++;
+ tcpm_set_cc(port, tcpm_rp_cc(port));
--- /dev/null
+From 3dfac26e2ef29ff2abc2a75aa4cd48fce25a2c4b Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@orcam.me.uk>
+Date: Tue, 26 Oct 2021 00:26:22 +0200
+Subject: vgacon: Propagate console boot parameters before calling `vc_resize'
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+commit 3dfac26e2ef29ff2abc2a75aa4cd48fce25a2c4b upstream.
+
+Fix a division by zero in `vgacon_resize' with a backtrace like:
+
+vgacon_resize
+vc_do_resize
+vgacon_init
+do_bind_con_driver
+do_unbind_con_driver
+fbcon_fb_unbind
+do_unregister_framebuffer
+do_register_framebuffer
+register_framebuffer
+__drm_fb_helper_initial_config_and_unlock
+drm_helper_hpd_irq_event
+dw_hdmi_irq
+irq_thread
+kthread
+
+caused by `c->vc_cell_height' not having been initialized. This has
+only started to trigger with commit 860dafa90259 ("vt: Fix character
+height handling with VT_RESIZEX"), however the ultimate offender is
+commit 50ec42edd978 ("[PATCH] Detaching fbcon: fix vgacon to allow
+retaking of the console").
+
+Said commit has added a call to `vc_resize' whenever `vgacon_init' is
+called with the `init' argument set to 0, which did not happen before.
+And the call is made before a key vgacon boot parameter retrieved in
+`vgacon_startup' has been propagated in `vgacon_init' for `vc_resize' to
+use to the console structure being worked on. Previously the parameter
+was `c->vc_font.height' and now it is `c->vc_cell_height'.
+
+In this particular scenario the registration of fbcon has failed and vt
+resorts to vgacon. Now fbcon does have initialized `c->vc_font.height'
+somehow, unlike `c->vc_cell_height', which is why this code did not
+crash before, but either way the boot parameters should have been copied
+to the console structure ahead of the call to `vc_resize' rather than
+afterwards, so that first the call has a chance to use them and second
+they do not change the console structure to something possibly different
+from what was used by `vc_resize'.
+
+Move the propagation of the vgacon boot parameters ahead of the call to
+`vc_resize' then. Adjust the comment accordingly.
+
+Fixes: 50ec42edd978 ("[PATCH] Detaching fbcon: fix vgacon to allow retaking of the console")
+Cc: stable@vger.kernel.org # v2.6.18+
+Reported-by: Wim Osterholt <wim@djo.tudelft.nl>
+Reported-by: Pavel V. Panteleev <panteleev_p@mcst.ru>
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Link: https://lore.kernel.org/r/alpine.DEB.2.21.2110252317110.58149@angie.orcam.me.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/console/vgacon.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/drivers/video/console/vgacon.c
++++ b/drivers/video/console/vgacon.c
+@@ -366,11 +366,17 @@ static void vgacon_init(struct vc_data *
+ struct uni_pagedir *p;
+
+ /*
+- * We cannot be loaded as a module, therefore init is always 1,
+- * but vgacon_init can be called more than once, and init will
+- * not be 1.
++ * We cannot be loaded as a module, therefore init will be 1
++ * if we are the default console, however if we are a fallback
++ * console, for example if fbcon has failed registration, then
++ * init will be 0, so we need to make sure our boot parameters
++ * have been copied to the console structure for vgacon_resize
++ * ultimately called by vc_resize. Any subsequent calls to
++ * vgacon_init init will have init set to 0 too.
+ */
+ c->vc_can_do_color = vga_can_do_color;
++ c->vc_scan_lines = vga_scan_lines;
++ c->vc_font.height = c->vc_cell_height = vga_video_font_height;
+
+ /* set dimensions manually if init != 0 since vc_resize() will fail */
+ if (init) {
+@@ -379,8 +385,6 @@ static void vgacon_init(struct vc_data *
+ } else
+ vc_resize(c, vga_video_num_columns, vga_video_num_lines);
+
+- c->vc_scan_lines = vga_scan_lines;
+- c->vc_font.height = c->vc_cell_height = vga_video_font_height;
+ c->vc_complement_mask = 0x7700;
+ if (vga_512_chars)
+ c->vc_hi_font_mask = 0x0800;
--- /dev/null
+From 51523ed1c26758de1af7e58730a656875f72f783 Mon Sep 17 00:00:00 2001
+From: Joerg Roedel <jroedel@suse.de>
+Date: Thu, 2 Dec 2021 16:32:26 +0100
+Subject: x86/64/mm: Map all kernel memory into trampoline_pgd
+
+From: Joerg Roedel <jroedel@suse.de>
+
+commit 51523ed1c26758de1af7e58730a656875f72f783 upstream.
+
+The trampoline_pgd only maps the 0xfffffff000000000-0xffffffffffffffff
+range of kernel memory (with 4-level paging). This range contains the
+kernel's text+data+bss mappings and the module mapping space but not the
+direct mapping and the vmalloc area.
+
+This is enough to get the application processors out of real-mode, but
+for code that switches back to real-mode the trampoline_pgd is missing
+important parts of the address space. For example, consider this code
+from arch/x86/kernel/reboot.c, function machine_real_restart() for a
+64-bit kernel:
+
+ #ifdef CONFIG_X86_32
+ load_cr3(initial_page_table);
+ #else
+ write_cr3(real_mode_header->trampoline_pgd);
+
+ /* Exiting long mode will fail if CR4.PCIDE is set. */
+ if (boot_cpu_has(X86_FEATURE_PCID))
+ cr4_clear_bits(X86_CR4_PCIDE);
+ #endif
+
+ /* Jump to the identity-mapped low memory code */
+ #ifdef CONFIG_X86_32
+ asm volatile("jmpl *%0" : :
+ "rm" (real_mode_header->machine_real_restart_asm),
+ "a" (type));
+ #else
+ asm volatile("ljmpl *%0" : :
+ "m" (real_mode_header->machine_real_restart_asm),
+ "D" (type));
+ #endif
+
+The code switches to the trampoline_pgd, which unmaps the direct mapping
+and also the kernel stack. The call to cr4_clear_bits() will find no
+stack and crash the machine. The real_mode_header pointer below points
+into the direct mapping, and dereferencing it also causes a crash.
+
+The reason this does not crash always is only that kernel mappings are
+global and the CR3 switch does not flush those mappings. But if theses
+mappings are not in the TLB already, the above code will crash before it
+can jump to the real-mode stub.
+
+Extend the trampoline_pgd to contain all kernel mappings to prevent
+these crashes and to make code which runs on this page-table more
+robust.
+
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20211202153226.22946-5-joro@8bytes.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/realmode/init.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/realmode/init.c
++++ b/arch/x86/realmode/init.c
+@@ -72,6 +72,7 @@ static void __init setup_real_mode(void)
+ #ifdef CONFIG_X86_64
+ u64 *trampoline_pgd;
+ u64 efer;
++ int i;
+ #endif
+
+ base = (unsigned char *)real_mode_header;
+@@ -128,8 +129,17 @@ static void __init setup_real_mode(void)
+ trampoline_header->flags = 0;
+
+ trampoline_pgd = (u64 *) __va(real_mode_header->trampoline_pgd);
++
++ /* Map the real mode stub as virtual == physical */
+ trampoline_pgd[0] = trampoline_pgd_entry.pgd;
+- trampoline_pgd[511] = init_top_pgt[511].pgd;
++
++ /*
++ * Include the entirety of the kernel mapping into the trampoline
++ * PGD. This way, all mappings present in the normal kernel page
++ * tables are usable while running on trampoline_pgd.
++ */
++ for (i = pgd_index(__PAGE_OFFSET); i < PTRS_PER_PGD; i++)
++ trampoline_pgd[i] = init_top_pgt[i].pgd;
+ #endif
+
+ sme_sev_setup_real_mode(trampoline_header);
--- /dev/null
+From c7719e79347803b8e3b6b50da8c6db410a3012b5 Mon Sep 17 00:00:00 2001
+From: Feng Tang <feng.tang@intel.com>
+Date: Wed, 17 Nov 2021 10:37:50 +0800
+Subject: x86/tsc: Add a timer to make sure TSC_adjust is always checked
+
+From: Feng Tang <feng.tang@intel.com>
+
+commit c7719e79347803b8e3b6b50da8c6db410a3012b5 upstream.
+
+The TSC_ADJUST register is checked every time a CPU enters idle state, but
+Thomas Gleixner mentioned there is still a caveat that a system won't enter
+idle [1], either because it's too busy or configured purposely to not enter
+idle.
+
+Setup a periodic timer (every 10 minutes) to make sure the check is
+happening on a regular base.
+
+[1] https://lore.kernel.org/lkml/875z286xtk.fsf@nanos.tec.linutronix.de/
+
+Fixes: 6e3cd95234dc ("x86/hpet: Use another crystalball to evaluate HPET usability")
+Requested-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Feng Tang <feng.tang@intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: "Paul E. McKenney" <paulmck@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20211117023751.24190-1-feng.tang@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/tsc_sync.c | 41 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+
+--- a/arch/x86/kernel/tsc_sync.c
++++ b/arch/x86/kernel/tsc_sync.c
+@@ -30,6 +30,7 @@ struct tsc_adjust {
+ };
+
+ static DEFINE_PER_CPU(struct tsc_adjust, tsc_adjust);
++static struct timer_list tsc_sync_check_timer;
+
+ /*
+ * TSC's on different sockets may be reset asynchronously.
+@@ -77,6 +78,46 @@ void tsc_verify_tsc_adjust(bool resume)
+ }
+ }
+
++/*
++ * Normally the tsc_sync will be checked every time system enters idle
++ * state, but there is still caveat that a system won't enter idle,
++ * either because it's too busy or configured purposely to not enter
++ * idle.
++ *
++ * So setup a periodic timer (every 10 minutes) to make sure the check
++ * is always on.
++ */
++
++#define SYNC_CHECK_INTERVAL (HZ * 600)
++
++static void tsc_sync_check_timer_fn(struct timer_list *unused)
++{
++ int next_cpu;
++
++ tsc_verify_tsc_adjust(false);
++
++ /* Run the check for all onlined CPUs in turn */
++ next_cpu = cpumask_next(raw_smp_processor_id(), cpu_online_mask);
++ if (next_cpu >= nr_cpu_ids)
++ next_cpu = cpumask_first(cpu_online_mask);
++
++ tsc_sync_check_timer.expires += SYNC_CHECK_INTERVAL;
++ add_timer_on(&tsc_sync_check_timer, next_cpu);
++}
++
++static int __init start_sync_check_timer(void)
++{
++ if (!cpu_feature_enabled(X86_FEATURE_TSC_ADJUST) || tsc_clocksource_reliable)
++ return 0;
++
++ timer_setup(&tsc_sync_check_timer, tsc_sync_check_timer_fn, 0);
++ tsc_sync_check_timer.expires = jiffies + SYNC_CHECK_INTERVAL;
++ add_timer(&tsc_sync_check_timer);
++
++ return 0;
++}
++late_initcall(start_sync_check_timer);
++
+ static void tsc_sanitize_first_cpu(struct tsc_adjust *cur, s64 bootval,
+ unsigned int cpu, bool bootcpu)
+ {
--- /dev/null
+From b50db7095fe002fa3e16605546cba66bf1b68a3e Mon Sep 17 00:00:00 2001
+From: Feng Tang <feng.tang@intel.com>
+Date: Wed, 17 Nov 2021 10:37:51 +0800
+Subject: x86/tsc: Disable clocksource watchdog for TSC on qualified platorms
+
+From: Feng Tang <feng.tang@intel.com>
+
+commit b50db7095fe002fa3e16605546cba66bf1b68a3e upstream.
+
+There are cases that the TSC clocksource is wrongly judged as unstable by
+the clocksource watchdog mechanism which tries to validate the TSC against
+HPET, PM_TIMER or jiffies. While there is hardly a general reliable way to
+check the validity of a watchdog, Thomas Gleixner proposed [1]:
+
+"I'm inclined to lift that requirement when the CPU has:
+
+ 1) X86_FEATURE_CONSTANT_TSC
+ 2) X86_FEATURE_NONSTOP_TSC
+ 3) X86_FEATURE_NONSTOP_TSC_S3
+ 4) X86_FEATURE_TSC_ADJUST
+ 5) At max. 4 sockets
+
+ After two decades of horrors we're finally at a point where TSC seems
+ to be halfway reliable and less abused by BIOS tinkerers. TSC_ADJUST
+ was really key as we can now detect even small modifications reliably
+ and the important point is that we can cure them as well (not pretty
+ but better than all other options)."
+
+As feature #3 X86_FEATURE_NONSTOP_TSC_S3 only exists on several generations
+of Atom processorz, and is always coupled with X86_FEATURE_CONSTANT_TSC
+and X86_FEATURE_NONSTOP_TSC, skip checking it, and also be more defensive
+to use maximal 2 sockets.
+
+The check is done inside tsc_init() before registering 'tsc-early' and
+'tsc' clocksources, as there were cases that both of them had been
+wrongly judged as unreliable.
+
+For more background of tsc/watchdog, there is a good summary in [2]
+
+[tglx} Update vs. jiffies:
+
+ On systems where the only remaining clocksource aside of TSC is jiffies
+ there is no way to make this work because that creates a circular
+ dependency. Jiffies accuracy depends on not missing a periodic timer
+ interrupt, which is not guaranteed. That could be detected by TSC, but as
+ TSC is not trusted this cannot be compensated. The consequence is a
+ circulus vitiosus which results in shutting down TSC and falling back to
+ the jiffies clocksource which is even more unreliable.
+
+[1]. https://lore.kernel.org/lkml/87eekfk8bd.fsf@nanos.tec.linutronix.de/
+[2]. https://lore.kernel.org/lkml/87a6pimt1f.ffs@nanos.tec.linutronix.de/
+
+[ tglx: Refine comment and amend changelog ]
+
+Fixes: 6e3cd95234dc ("x86/hpet: Use another crystalball to evaluate HPET usability")
+Suggested-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Feng Tang <feng.tang@intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: "Paul E. McKenney" <paulmck@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20211117023751.24190-2-feng.tang@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/tsc.c | 28 ++++++++++++++++++++++++----
+ 1 file changed, 24 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kernel/tsc.c
++++ b/arch/x86/kernel/tsc.c
+@@ -1180,6 +1180,12 @@ void mark_tsc_unstable(char *reason)
+
+ EXPORT_SYMBOL_GPL(mark_tsc_unstable);
+
++static void __init tsc_disable_clocksource_watchdog(void)
++{
++ clocksource_tsc_early.flags &= ~CLOCK_SOURCE_MUST_VERIFY;
++ clocksource_tsc.flags &= ~CLOCK_SOURCE_MUST_VERIFY;
++}
++
+ static void __init check_system_tsc_reliable(void)
+ {
+ #if defined(CONFIG_MGEODEGX1) || defined(CONFIG_MGEODE_LX) || defined(CONFIG_X86_GENERIC)
+@@ -1196,6 +1202,23 @@ static void __init check_system_tsc_reli
+ #endif
+ if (boot_cpu_has(X86_FEATURE_TSC_RELIABLE))
+ tsc_clocksource_reliable = 1;
++
++ /*
++ * Disable the clocksource watchdog when the system has:
++ * - TSC running at constant frequency
++ * - TSC which does not stop in C-States
++ * - the TSC_ADJUST register which allows to detect even minimal
++ * modifications
++ * - not more than two sockets. As the number of sockets cannot be
++ * evaluated at the early boot stage where this has to be
++ * invoked, check the number of online memory nodes as a
++ * fallback solution which is an reasonable estimate.
++ */
++ if (boot_cpu_has(X86_FEATURE_CONSTANT_TSC) &&
++ boot_cpu_has(X86_FEATURE_NONSTOP_TSC) &&
++ boot_cpu_has(X86_FEATURE_TSC_ADJUST) &&
++ nr_online_nodes <= 2)
++ tsc_disable_clocksource_watchdog();
+ }
+
+ /*
+@@ -1387,9 +1410,6 @@ static int __init init_tsc_clocksource(v
+ if (tsc_unstable)
+ goto unreg;
+
+- if (tsc_clocksource_reliable || no_tsc_watchdog)
+- clocksource_tsc.flags &= ~CLOCK_SOURCE_MUST_VERIFY;
+-
+ if (boot_cpu_has(X86_FEATURE_NONSTOP_TSC_S3))
+ clocksource_tsc.flags |= CLOCK_SOURCE_SUSPEND_NONSTOP;
+
+@@ -1527,7 +1547,7 @@ void __init tsc_init(void)
+ }
+
+ if (tsc_clocksource_reliable || no_tsc_watchdog)
+- clocksource_tsc_early.flags &= ~CLOCK_SOURCE_MUST_VERIFY;
++ tsc_disable_clocksource_watchdog();
+
+ clocksource_register_khz(&clocksource_tsc_early, tsc_khz);
+ detect_art();
--- /dev/null
+From 09f736aa95476631227d2dc0e6b9aeee1ad7ed58 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Fri, 26 Nov 2021 14:23:40 +0200
+Subject: xhci: Fix commad ring abort, write all 64 bits to CRCR register.
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit 09f736aa95476631227d2dc0e6b9aeee1ad7ed58 upstream.
+
+Turns out some xHC controllers require all 64 bits in the CRCR register
+to be written to execute a command abort.
+
+The lower 32 bits containing the command abort bit is written first.
+In case the command ring stops before we write the upper 32 bits then
+hardware may use these upper bits to set the commnd ring dequeue pointer.
+
+Solve this by making sure the upper 32 bits contain a valid command
+ring dequeue pointer.
+
+The original patch that only wrote the first 32 to stop the ring went
+to stable, so this fix should go there as well.
+
+Fixes: ff0e50d3564f ("xhci: Fix command ring pointer corruption while aborting a command")
+Cc: stable@vger.kernel.org
+Tested-by: Pavankumar Kondeti <quic_pkondeti@quicinc.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20211126122340.1193239-2-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-ring.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -366,7 +366,9 @@ static void xhci_handle_stopped_cmd_ring
+ /* Must be called with xhci->lock held, releases and aquires lock back */
+ static int xhci_abort_cmd_ring(struct xhci_hcd *xhci, unsigned long flags)
+ {
+- u32 temp_32;
++ struct xhci_segment *new_seg = xhci->cmd_ring->deq_seg;
++ union xhci_trb *new_deq = xhci->cmd_ring->dequeue;
++ u64 crcr;
+ int ret;
+
+ xhci_dbg(xhci, "Abort command ring\n");
+@@ -375,13 +377,18 @@ static int xhci_abort_cmd_ring(struct xh
+
+ /*
+ * The control bits like command stop, abort are located in lower
+- * dword of the command ring control register. Limit the write
+- * to the lower dword to avoid corrupting the command ring pointer
+- * in case if the command ring is stopped by the time upper dword
+- * is written.
++ * dword of the command ring control register.
++ * Some controllers require all 64 bits to be written to abort the ring.
++ * Make sure the upper dword is valid, pointing to the next command,
++ * avoiding corrupting the command ring pointer in case the command ring
++ * is stopped by the time the upper dword is written.
+ */
+- temp_32 = readl(&xhci->op_regs->cmd_ring);
+- writel(temp_32 | CMD_RING_ABORT, &xhci->op_regs->cmd_ring);
++ next_trb(xhci, NULL, &new_seg, &new_deq);
++ if (trb_is_link(new_deq))
++ next_trb(xhci, NULL, &new_seg, &new_deq);
++
++ crcr = xhci_trb_virt_to_dma(new_seg, new_deq);
++ xhci_write_64(xhci, crcr | CMD_RING_ABORT, &xhci->op_regs->cmd_ring);
+
+ /* Section 4.6.1.2 of xHCI 1.0 spec says software should also time the
+ * completion of the Command Abort operation. If CRR is not negated in 5
projects / thirdparty / kernel / stable-queue.git / commitdiff
