--- /dev/null
+From 50cb99fa89aa2bec2cab2f9917010bbd7769bfa3 Mon Sep 17 00:00:00 2001
+From: Alexandru Elisei <alexandru.elisei@arm.com>
+Date: Tue, 24 Aug 2021 16:45:23 +0100
+Subject: arm64: Do not trap PMSNEVFR_EL1
+
+From: Alexandru Elisei <alexandru.elisei@arm.com>
+
+commit 50cb99fa89aa2bec2cab2f9917010bbd7769bfa3 upstream.
+
+Commit 31c00d2aeaa2 ("arm64: Disable fine grained traps on boot") zeroed
+the fine grained trap registers to prevent unwanted register traps from
+occuring. However, for the PMSNEVFR_EL1 register, the corresponding
+HDFG{R,W}TR_EL2.nPMSNEVFR_EL1 fields must be 1 to disable trapping. Set
+both fields to 1 if FEAT_SPEv1p2 is detected to disable read and write
+traps.
+
+Fixes: 31c00d2aeaa2 ("arm64: Disable fine grained traps on boot")
+Cc: <stable@vger.kernel.org> # 5.13.x
+Signed-off-by: Alexandru Elisei <alexandru.elisei@arm.com>
+Reviewed-by: Mark Brown <broonie@kernel.org>
+Acked-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20210824154523.906270-1-alexandru.elisei@arm.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/el2_setup.h | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/include/asm/el2_setup.h
++++ b/arch/arm64/include/asm/el2_setup.h
+@@ -149,8 +149,17 @@
+ ubfx x1, x1, #ID_AA64MMFR0_FGT_SHIFT, #4
+ cbz x1, .Lskip_fgt_\@
+
+- msr_s SYS_HDFGRTR_EL2, xzr
+- msr_s SYS_HDFGWTR_EL2, xzr
++ mov x0, xzr
++ mrs x1, id_aa64dfr0_el1
++ ubfx x1, x1, #ID_AA64DFR0_PMSVER_SHIFT, #4
++ cmp x1, #3
++ b.lt .Lset_fgt_\@
++ /* Disable PMSNEVFR_EL1 read and write traps */
++ orr x0, x0, #(1 << 62)
++
++.Lset_fgt_\@:
++ msr_s SYS_HDFGRTR_EL2, x0
++ msr_s SYS_HDFGWTR_EL2, x0
+ msr_s SYS_HFGRTR_EL2, xzr
+ msr_s SYS_HFGWTR_EL2, xzr
+ msr_s SYS_HFGITR_EL2, xzr
--- /dev/null
+From 90268574a3e8a6b883bd802d702a2738577e1006 Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Mon, 23 Aug 2021 11:12:53 +0100
+Subject: arm64: head: avoid over-mapping in map_memory
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+commit 90268574a3e8a6b883bd802d702a2738577e1006 upstream.
+
+The `compute_indices` and `populate_entries` macros operate on inclusive
+bounds, and thus the `map_memory` macro which uses them also operates
+on inclusive bounds.
+
+We pass `_end` and `_idmap_text_end` to `map_memory`, but these are
+exclusive bounds, and if one of these is sufficiently aligned (as a
+result of kernel configuration, physical placement, and KASLR), then:
+
+* In `compute_indices`, the computed `iend` will be in the page/block *after*
+ the final byte of the intended mapping.
+
+* In `populate_entries`, an unnecessary entry will be created at the end
+ of each level of table. At the leaf level, this entry will map up to
+ SWAPPER_BLOCK_SIZE bytes of physical addresses that we did not intend
+ to map.
+
+As we may map up to SWAPPER_BLOCK_SIZE bytes more than intended, we may
+violate the boot protocol and map physical address past the 2MiB-aligned
+end address we are permitted to map. As we map these with Normal memory
+attributes, this may result in further problems depending on what these
+physical addresses correspond to.
+
+The final entry at each level may require an additional table at that
+level. As EARLY_ENTRIES() calculates an inclusive bound, we allocate
+enough memory for this.
+
+Avoid the extraneous mapping by having map_memory convert the exclusive
+end address to an inclusive end address by subtracting one, and do
+likewise in EARLY_ENTRIES() when calculating the number of required
+tables. For clarity, comments are updated to more clearly document which
+boundaries the macros operate on. For consistency with the other
+macros, the comments in map_memory are also updated to describe `vstart`
+and `vend` as virtual addresses.
+
+Fixes: 0370b31e4845 ("arm64: Extend early page table code to allow for larger kernels")
+Cc: <stable@vger.kernel.org> # 4.16.x
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: Anshuman Khandual <anshuman.khandual@arm.com>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Steve Capper <steve.capper@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Acked-by: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20210823101253.55567-1-mark.rutland@arm.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/kernel-pgtable.h | 4 ++--
+ arch/arm64/kernel/head.S | 11 ++++++-----
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+--- a/arch/arm64/include/asm/kernel-pgtable.h
++++ b/arch/arm64/include/asm/kernel-pgtable.h
+@@ -65,8 +65,8 @@
+ #define EARLY_KASLR (0)
+ #endif
+
+-#define EARLY_ENTRIES(vstart, vend, shift) (((vend) >> (shift)) \
+- - ((vstart) >> (shift)) + 1 + EARLY_KASLR)
++#define EARLY_ENTRIES(vstart, vend, shift) \
++ ((((vend) - 1) >> (shift)) - ((vstart) >> (shift)) + 1 + EARLY_KASLR)
+
+ #define EARLY_PGDS(vstart, vend) (EARLY_ENTRIES(vstart, vend, PGDIR_SHIFT))
+
+--- a/arch/arm64/kernel/head.S
++++ b/arch/arm64/kernel/head.S
+@@ -176,7 +176,7 @@ SYM_CODE_END(preserve_boot_args)
+ * to be composed of multiple pages. (This effectively scales the end index).
+ *
+ * vstart: virtual address of start of range
+- * vend: virtual address of end of range
++ * vend: virtual address of end of range - we map [vstart, vend]
+ * shift: shift used to transform virtual address into index
+ * ptrs: number of entries in page table
+ * istart: index in table corresponding to vstart
+@@ -213,17 +213,18 @@ SYM_CODE_END(preserve_boot_args)
+ *
+ * tbl: location of page table
+ * rtbl: address to be used for first level page table entry (typically tbl + PAGE_SIZE)
+- * vstart: start address to map
+- * vend: end address to map - we map [vstart, vend]
++ * vstart: virtual address of start of range
++ * vend: virtual address of end of range - we map [vstart, vend - 1]
+ * flags: flags to use to map last level entries
+ * phys: physical address corresponding to vstart - physical memory is contiguous
+ * pgds: the number of pgd entries
+ *
+ * Temporaries: istart, iend, tmp, count, sv - these need to be different registers
+- * Preserves: vstart, vend, flags
+- * Corrupts: tbl, rtbl, istart, iend, tmp, count, sv
++ * Preserves: vstart, flags
++ * Corrupts: tbl, rtbl, vend, istart, iend, tmp, count, sv
+ */
+ .macro map_memory, tbl, rtbl, vstart, vend, flags, phys, pgds, istart, iend, tmp, count, sv
++ sub \vend, \vend, #1
+ add \rtbl, \tbl, #PAGE_SIZE
+ mov \sv, \rtbl
+ mov \count, #0
--- /dev/null
+From 5e10f9887ed85d4f59266d5c60dd09be96b5dbd4 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Fri, 6 Aug 2021 12:31:04 +0100
+Subject: arm64: mm: Fix TLBI vs ASID rollover
+
+From: Will Deacon <will@kernel.org>
+
+commit 5e10f9887ed85d4f59266d5c60dd09be96b5dbd4 upstream.
+
+When switching to an 'mm_struct' for the first time following an ASID
+rollover, a new ASID may be allocated and assigned to 'mm->context.id'.
+This reassignment can happen concurrently with other operations on the
+mm, such as unmapping pages and subsequently issuing TLB invalidation.
+
+Consequently, we need to ensure that (a) accesses to 'mm->context.id'
+are atomic and (b) all page-table updates made prior to a TLBI using the
+old ASID are guaranteed to be visible to CPUs running with the new ASID.
+
+This was found by inspection after reviewing the VMID changes from
+Shameer but it looks like a real (yet hard to hit) bug.
+
+Cc: <stable@vger.kernel.org>
+Cc: Marc Zyngier <maz@kernel.org>
+Cc: Jade Alglave <jade.alglave@arm.com>
+Cc: Shameer Kolothum <shameerali.kolothum.thodi@huawei.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Link: https://lore.kernel.org/r/20210806113109.2475-2-will@kernel.org
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/mmu.h | 29 +++++++++++++++++++++++++----
+ arch/arm64/include/asm/tlbflush.h | 11 ++++++-----
+ 2 files changed, 31 insertions(+), 9 deletions(-)
+
+--- a/arch/arm64/include/asm/mmu.h
++++ b/arch/arm64/include/asm/mmu.h
+@@ -27,11 +27,32 @@ typedef struct {
+ } mm_context_t;
+
+ /*
+- * This macro is only used by the TLBI and low-level switch_mm() code,
+- * neither of which can race with an ASID change. We therefore don't
+- * need to reload the counter using atomic64_read().
++ * We use atomic64_read() here because the ASID for an 'mm_struct' can
++ * be reallocated when scheduling one of its threads following a
++ * rollover event (see new_context() and flush_context()). In this case,
++ * a concurrent TLBI (e.g. via try_to_unmap_one() and ptep_clear_flush())
++ * may use a stale ASID. This is fine in principle as the new ASID is
++ * guaranteed to be clean in the TLB, but the TLBI routines have to take
++ * care to handle the following race:
++ *
++ * CPU 0 CPU 1 CPU 2
++ *
++ * // ptep_clear_flush(mm)
++ * xchg_relaxed(pte, 0)
++ * DSB ISHST
++ * old = ASID(mm)
++ * | <rollover>
++ * | new = new_context(mm)
++ * \-----------------> atomic_set(mm->context.id, new)
++ * cpu_switch_mm(mm)
++ * // Hardware walk of pte using new ASID
++ * TLBI(old)
++ *
++ * In this scenario, the barrier on CPU 0 and the dependency on CPU 1
++ * ensure that the page-table walker on CPU 1 *must* see the invalid PTE
++ * written by CPU 0.
+ */
+-#define ASID(mm) ((mm)->context.id.counter & 0xffff)
++#define ASID(mm) (atomic64_read(&(mm)->context.id) & 0xffff)
+
+ static inline bool arm64_kernel_unmapped_at_el0(void)
+ {
+--- a/arch/arm64/include/asm/tlbflush.h
++++ b/arch/arm64/include/asm/tlbflush.h
+@@ -245,9 +245,10 @@ static inline void flush_tlb_all(void)
+
+ static inline void flush_tlb_mm(struct mm_struct *mm)
+ {
+- unsigned long asid = __TLBI_VADDR(0, ASID(mm));
++ unsigned long asid;
+
+ dsb(ishst);
++ asid = __TLBI_VADDR(0, ASID(mm));
+ __tlbi(aside1is, asid);
+ __tlbi_user(aside1is, asid);
+ dsb(ish);
+@@ -256,9 +257,10 @@ static inline void flush_tlb_mm(struct m
+ static inline void flush_tlb_page_nosync(struct vm_area_struct *vma,
+ unsigned long uaddr)
+ {
+- unsigned long addr = __TLBI_VADDR(uaddr, ASID(vma->vm_mm));
++ unsigned long addr;
+
+ dsb(ishst);
++ addr = __TLBI_VADDR(uaddr, ASID(vma->vm_mm));
+ __tlbi(vale1is, addr);
+ __tlbi_user(vale1is, addr);
+ }
+@@ -283,9 +285,7 @@ static inline void __flush_tlb_range(str
+ {
+ int num = 0;
+ int scale = 0;
+- unsigned long asid = ASID(vma->vm_mm);
+- unsigned long addr;
+- unsigned long pages;
++ unsigned long asid, addr, pages;
+
+ start = round_down(start, stride);
+ end = round_up(end, stride);
+@@ -305,6 +305,7 @@ static inline void __flush_tlb_range(str
+ }
+
+ dsb(ishst);
++ asid = ASID(vma->vm_mm);
+
+ /*
+ * When the CPU does not support TLB range operations, flush the TLB
--- /dev/null
+From eb48d154cd0dade56a0e244f0cfa198ea2925ed3 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <maz@kernel.org>
+Date: Mon, 2 Aug 2021 13:38:29 +0100
+Subject: arm64: Move .hyp.rodata outside of the _sdata.._edata range
+
+From: Marc Zyngier <maz@kernel.org>
+
+commit eb48d154cd0dade56a0e244f0cfa198ea2925ed3 upstream.
+
+The HYP rodata section is currently lumped together with the BSS,
+which isn't exactly what is expected (it gets registered with
+kmemleak, for example).
+
+Move it away so that it is actually marked RO. As an added
+benefit, it isn't registered with kmemleak anymore.
+
+Fixes: 380e18ade4a5 ("KVM: arm64: Introduce a BSS section for use at Hyp")
+Suggested-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger.kernel.org #5.13
+Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+Link: https://lore.kernel.org/r/20210802123830.2195174-2-maz@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/vmlinux.lds.S | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/kernel/vmlinux.lds.S
++++ b/arch/arm64/kernel/vmlinux.lds.S
+@@ -181,6 +181,8 @@ SECTIONS
+ /* everything from this point to __init_begin will be marked RO NX */
+ RO_DATA(PAGE_SIZE)
+
++ HYPERVISOR_DATA_SECTIONS
++
+ idmap_pg_dir = .;
+ . += IDMAP_DIR_SIZE;
+ idmap_pg_end = .;
+@@ -260,8 +262,6 @@ SECTIONS
+ _sdata = .;
+ RW_DATA(L1_CACHE_BYTES, PAGE_SIZE, THREAD_ALIGN)
+
+- HYPERVISOR_DATA_SECTIONS
+-
+ /*
+ * Data written with the MMU off but read with the MMU on requires
+ * cache lines to be invalidated, discarding up to a Cache Writeback
--- /dev/null
+From a680dd72ec336b81511e3bff48efac6dbfa563e7 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <damien.lemoal@wdc.com>
+Date: Wed, 11 Aug 2021 12:36:57 +0900
+Subject: block: bfq: fix bfq_set_next_ioprio_data()
+
+From: Damien Le Moal <damien.lemoal@wdc.com>
+
+commit a680dd72ec336b81511e3bff48efac6dbfa563e7 upstream.
+
+For a request that has a priority level equal to or larger than
+IOPRIO_BE_NR, bfq_set_next_ioprio_data() prints a critical warning but
+defaults to setting the request new_ioprio field to IOPRIO_BE_NR. This
+is not consistent with the warning and the allowed values for priority
+levels. Fix this by setting the request new_ioprio field to
+IOPRIO_BE_NR - 1, the lowest priority level allowed.
+
+Cc: <stable@vger.kernel.org>
+Fixes: aee69d78dec0 ("block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler")
+Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Link: https://lore.kernel.org/r/20210811033702.368488-2-damien.lemoal@wdc.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/bfq-iosched.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -5258,7 +5258,7 @@ bfq_set_next_ioprio_data(struct bfq_queu
+ if (bfqq->new_ioprio >= IOPRIO_BE_NR) {
+ pr_crit("bfq_set_next_ioprio_data: new_ioprio %d\n",
+ bfqq->new_ioprio);
+- bfqq->new_ioprio = IOPRIO_BE_NR;
++ bfqq->new_ioprio = IOPRIO_BE_NR - 1;
+ }
+
+ bfqq->entity.new_weight = bfq_ioprio_to_weight(bfqq->new_ioprio);
--- /dev/null
+From d17929eb1066d1c1653aae9bb4396a9f1d6602ac Mon Sep 17 00:00:00 2001
+From: Dinh Nguyen <dinguyen@kernel.org>
+Date: Tue, 13 Jul 2021 09:46:21 -0500
+Subject: clk: socfpga: agilex: add the bypass register for s2f_usr0 clock
+
+From: Dinh Nguyen <dinguyen@kernel.org>
+
+commit d17929eb1066d1c1653aae9bb4396a9f1d6602ac upstream.
+
+Add the bypass register for the s2f_user0_clk.
+
+Fixes: 80c6b7a0894f ("clk: socfpga: agilex: add clock driver for the Agilex platform")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kris Chaplin <kris.chaplin@intel.com>
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Link: https://lore.kernel.org/r/20210713144621.605140-3-dinguyen@kernel.org
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/socfpga/clk-agilex.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/socfpga/clk-agilex.c
++++ b/drivers/clk/socfpga/clk-agilex.c
+@@ -280,7 +280,7 @@ static const struct stratix10_perip_cnt_
+ { AGILEX_SDMMC_FREE_CLK, "sdmmc_free_clk", NULL, sdmmc_free_mux,
+ ARRAY_SIZE(sdmmc_free_mux), 0, 0xE4, 0, 0, 0},
+ { AGILEX_S2F_USER0_FREE_CLK, "s2f_user0_free_clk", NULL, s2f_usr0_free_mux,
+- ARRAY_SIZE(s2f_usr0_free_mux), 0, 0xE8, 0, 0, 0},
++ ARRAY_SIZE(s2f_usr0_free_mux), 0, 0xE8, 0, 0x30, 2},
+ { AGILEX_S2F_USER1_FREE_CLK, "s2f_user1_free_clk", NULL, s2f_usr1_free_mux,
+ ARRAY_SIZE(s2f_usr1_free_mux), 0, 0xEC, 0, 0x88, 5},
+ { AGILEX_PSI_REF_FREE_CLK, "psi_ref_free_clk", NULL, psi_ref_free_mux,
--- /dev/null
+From 9d563236cca43fc4fe190b3be173444bd48e2a3b Mon Sep 17 00:00:00 2001
+From: Dinh Nguyen <dinguyen@kernel.org>
+Date: Tue, 13 Jul 2021 09:46:19 -0500
+Subject: clk: socfpga: agilex: fix the parents of the psi_ref_clk
+
+From: Dinh Nguyen <dinguyen@kernel.org>
+
+commit 9d563236cca43fc4fe190b3be173444bd48e2a3b upstream.
+
+The psi_ref_clk comes from the C2 node of the main_pll and periph_pll,
+not the C3.
+
+Fixes: 80c6b7a0894f ("clk: socfpga: agilex: add clock driver for the Agilex platform")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kris Chaplin <kris.chaplin@intel.com>
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Link: https://lore.kernel.org/r/20210713144621.605140-1-dinguyen@kernel.org
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/socfpga/clk-agilex.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/clk/socfpga/clk-agilex.c
++++ b/drivers/clk/socfpga/clk-agilex.c
+@@ -107,10 +107,10 @@ static const struct clk_parent_data gpio
+ };
+
+ static const struct clk_parent_data psi_ref_free_mux[] = {
+- { .fw_name = "main_pll_c3",
+- .name = "main_pll_c3", },
+- { .fw_name = "peri_pll_c3",
+- .name = "peri_pll_c3", },
++ { .fw_name = "main_pll_c2",
++ .name = "main_pll_c2", },
++ { .fw_name = "peri_pll_c2",
++ .name = "peri_pll_c2", },
+ { .fw_name = "osc1",
+ .name = "osc1", },
+ { .fw_name = "cb-intosc-hs-div2-clk",
--- /dev/null
+From f817c132db679d492d96c60993fa2f2c67ab18d0 Mon Sep 17 00:00:00 2001
+From: Dinh Nguyen <dinguyen@kernel.org>
+Date: Tue, 13 Jul 2021 09:46:20 -0500
+Subject: clk: socfpga: agilex: fix up s2f_user0_clk representation
+
+From: Dinh Nguyen <dinguyen@kernel.org>
+
+commit f817c132db679d492d96c60993fa2f2c67ab18d0 upstream.
+
+Correct the s2f_user0_mux clock representation.
+
+Fixes: 80c6b7a0894f ("clk: socfpga: agilex: add clock driver for the Agilex platform")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kris Chaplin <kris.chaplin@intel.com>
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Link: https://lore.kernel.org/r/20210713144621.605140-2-dinguyen@kernel.org
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/socfpga/clk-agilex.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/clk/socfpga/clk-agilex.c
++++ b/drivers/clk/socfpga/clk-agilex.c
+@@ -195,6 +195,13 @@ static const struct clk_parent_data sdmm
+ .name = "boot_clk", },
+ };
+
++static const struct clk_parent_data s2f_user0_mux[] = {
++ { .fw_name = "s2f_user0_free_clk",
++ .name = "s2f_user0_free_clk", },
++ { .fw_name = "boot_clk",
++ .name = "boot_clk", },
++};
++
+ static const struct clk_parent_data s2f_user1_mux[] = {
+ { .fw_name = "s2f_user1_free_clk",
+ .name = "s2f_user1_free_clk", },
+@@ -319,6 +326,8 @@ static const struct stratix10_gate_clock
+ 4, 0x98, 0, 16, 0x88, 3, 0},
+ { AGILEX_SDMMC_CLK, "sdmmc_clk", NULL, sdmmc_mux, ARRAY_SIZE(sdmmc_mux), 0, 0x7C,
+ 5, 0, 0, 0, 0x88, 4, 4},
++ { AGILEX_S2F_USER0_CLK, "s2f_user0_clk", NULL, s2f_user0_mux, ARRAY_SIZE(s2f_user0_mux), 0, 0x24,
++ 6, 0, 0, 0, 0x30, 2, 0},
+ { AGILEX_S2F_USER1_CLK, "s2f_user1_clk", NULL, s2f_user1_mux, ARRAY_SIZE(s2f_user1_mux), 0, 0x7C,
+ 6, 0, 0, 0, 0x88, 5, 0},
+ { AGILEX_PSI_REF_CLK, "psi_ref_clk", NULL, psi_mux, ARRAY_SIZE(psi_mux), 0, 0x7C,
--- /dev/null
+From e5c6b312ce3cc97e90ea159446e6bfa06645364d Mon Sep 17 00:00:00 2001
+From: Kevin Hao <haokexin@gmail.com>
+Date: Thu, 5 Aug 2021 15:29:17 +0800
+Subject: cpufreq: schedutil: Use kobject release() method to free sugov_tunables
+
+From: Kevin Hao <haokexin@gmail.com>
+
+commit e5c6b312ce3cc97e90ea159446e6bfa06645364d upstream.
+
+The struct sugov_tunables is protected by the kobject, so we can't free
+it directly. Otherwise we would get a call trace like this:
+ ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x30
+ WARNING: CPU: 3 PID: 720 at lib/debugobjects.c:505 debug_print_object+0xb8/0x100
+ Modules linked in:
+ CPU: 3 PID: 720 Comm: a.sh Tainted: G W 5.14.0-rc1-next-20210715-yocto-standard+ #507
+ Hardware name: Marvell OcteonTX CN96XX board (DT)
+ pstate: 40400009 (nZcv daif +PAN -UAO -TCO BTYPE=--)
+ pc : debug_print_object+0xb8/0x100
+ lr : debug_print_object+0xb8/0x100
+ sp : ffff80001ecaf910
+ x29: ffff80001ecaf910 x28: ffff00011b10b8d0 x27: ffff800011043d80
+ x26: ffff00011a8f0000 x25: ffff800013cb3ff0 x24: 0000000000000000
+ x23: ffff80001142aa68 x22: ffff800011043d80 x21: ffff00010de46f20
+ x20: ffff800013c0c520 x19: ffff800011d8f5b0 x18: 0000000000000010
+ x17: 6e6968207473696c x16: 5f72656d6974203a x15: 6570797420746365
+ x14: 6a626f2029302065 x13: 303378302f307830 x12: 2b6e665f72656d69
+ x11: ffff8000124b1560 x10: ffff800012331520 x9 : ffff8000100ca6b0
+ x8 : 000000000017ffe8 x7 : c0000000fffeffff x6 : 0000000000000001
+ x5 : ffff800011d8c000 x4 : ffff800011d8c740 x3 : 0000000000000000
+ x2 : ffff0001108301c0 x1 : ab3c90eedf9c0f00 x0 : 0000000000000000
+ Call trace:
+ debug_print_object+0xb8/0x100
+ __debug_check_no_obj_freed+0x1c0/0x230
+ debug_check_no_obj_freed+0x20/0x88
+ slab_free_freelist_hook+0x154/0x1c8
+ kfree+0x114/0x5d0
+ sugov_exit+0xbc/0xc0
+ cpufreq_exit_governor+0x44/0x90
+ cpufreq_set_policy+0x268/0x4a8
+ store_scaling_governor+0xe0/0x128
+ store+0xc0/0xf0
+ sysfs_kf_write+0x54/0x80
+ kernfs_fop_write_iter+0x128/0x1c0
+ new_sync_write+0xf0/0x190
+ vfs_write+0x2d4/0x478
+ ksys_write+0x74/0x100
+ __arm64_sys_write+0x24/0x30
+ invoke_syscall.constprop.0+0x54/0xe0
+ do_el0_svc+0x64/0x158
+ el0_svc+0x2c/0xb0
+ el0t_64_sync_handler+0xb0/0xb8
+ el0t_64_sync+0x198/0x19c
+ irq event stamp: 5518
+ hardirqs last enabled at (5517): [<ffff8000100cbd7c>] console_unlock+0x554/0x6c8
+ hardirqs last disabled at (5518): [<ffff800010fc0638>] el1_dbg+0x28/0xa0
+ softirqs last enabled at (5504): [<ffff8000100106e0>] __do_softirq+0x4d0/0x6c0
+ softirqs last disabled at (5483): [<ffff800010049548>] irq_exit+0x1b0/0x1b8
+
+So split the original sugov_tunables_free() into two functions,
+sugov_clear_global_tunables() is just used to clear the global_tunables
+and the new sugov_tunables_free() is used as kobj_type::release to
+release the sugov_tunables safely.
+
+Fixes: 9bdcb44e391d ("cpufreq: schedutil: New governor based on scheduler utilization data")
+Cc: 4.7+ <stable@vger.kernel.org> # 4.7+
+Signed-off-by: Kevin Hao <haokexin@gmail.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/cpufreq_schedutil.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/kernel/sched/cpufreq_schedutil.c
++++ b/kernel/sched/cpufreq_schedutil.c
+@@ -536,9 +536,17 @@ static struct attribute *sugov_attrs[] =
+ };
+ ATTRIBUTE_GROUPS(sugov);
+
++static void sugov_tunables_free(struct kobject *kobj)
++{
++ struct gov_attr_set *attr_set = container_of(kobj, struct gov_attr_set, kobj);
++
++ kfree(to_sugov_tunables(attr_set));
++}
++
+ static struct kobj_type sugov_tunables_ktype = {
+ .default_groups = sugov_groups,
+ .sysfs_ops = &governor_sysfs_ops,
++ .release = &sugov_tunables_free,
+ };
+
+ /********************** cpufreq governor interface *********************/
+@@ -638,12 +646,10 @@ static struct sugov_tunables *sugov_tuna
+ return tunables;
+ }
+
+-static void sugov_tunables_free(struct sugov_tunables *tunables)
++static void sugov_clear_global_tunables(void)
+ {
+ if (!have_governor_per_policy())
+ global_tunables = NULL;
+-
+- kfree(tunables);
+ }
+
+ static int sugov_init(struct cpufreq_policy *policy)
+@@ -706,7 +712,7 @@ out:
+ fail:
+ kobject_put(&tunables->attr_set.kobj);
+ policy->governor_data = NULL;
+- sugov_tunables_free(tunables);
++ sugov_clear_global_tunables();
+
+ stop_kthread:
+ sugov_kthread_stop(sg_policy);
+@@ -733,7 +739,7 @@ static void sugov_exit(struct cpufreq_po
+ count = gov_attr_set_put(&tunables->attr_set, &sg_policy->tunables_hook);
+ policy->governor_data = NULL;
+ if (!count)
+- sugov_tunables_free(tunables);
++ sugov_clear_global_tunables();
+
+ mutex_unlock(&global_tunables_lock);
+
--- /dev/null
+From 5441a07a127f106c9936e4f9fa1a8a93e3f31828 Mon Sep 17 00:00:00 2001
+From: Brijesh Singh <brijesh.singh@amd.com>
+Date: Wed, 28 Jul 2021 10:15:21 -0500
+Subject: crypto: ccp - shutdown SEV firmware on kexec
+
+From: Brijesh Singh <brijesh.singh@amd.com>
+
+commit 5441a07a127f106c9936e4f9fa1a8a93e3f31828 upstream.
+
+The commit 97f9ac3db6612 ("crypto: ccp - Add support for SEV-ES to the
+PSP driver") added support to allocate Trusted Memory Region (TMR)
+used during the SEV-ES firmware initialization. The TMR gets locked
+during the firmware initialization and unlocked during the shutdown.
+While the TMR is locked, access to it is disallowed.
+
+Currently, the CCP driver does not shutdown the firmware during the
+kexec reboot, leaving the TMR memory locked.
+
+Register a callback to shutdown the SEV firmware on the kexec boot.
+
+Fixes: 97f9ac3db6612 ("crypto: ccp - Add support for SEV-ES to the PSP driver")
+Reported-by: Lucas Nussbaum <lucas.nussbaum@inria.fr>
+Tested-by: Lucas Nussbaum <lucas.nussbaum@inria.fr>
+Cc: <stable@kernel.org>
+Cc: Tom Lendacky <thomas.lendacky@amd.com>
+Cc: Joerg Roedel <jroedel@suse.de>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: David Rientjes <rientjes@google.com>
+Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
+Acked-by: Tom Lendacky <thomas.lendacky@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/ccp/sev-dev.c | 49 ++++++++++++++++++++-----------------------
+ drivers/crypto/ccp/sp-pci.c | 12 ++++++++++
+ 2 files changed, 35 insertions(+), 26 deletions(-)
+
+--- a/drivers/crypto/ccp/sev-dev.c
++++ b/drivers/crypto/ccp/sev-dev.c
+@@ -300,6 +300,9 @@ static int __sev_platform_shutdown_locke
+ struct sev_device *sev = psp_master->sev_data;
+ int ret;
+
++ if (sev->state == SEV_STATE_UNINIT)
++ return 0;
++
+ ret = __sev_do_cmd_locked(SEV_CMD_SHUTDOWN, NULL, error);
+ if (ret)
+ return ret;
+@@ -1019,6 +1022,20 @@ e_err:
+ return ret;
+ }
+
++static void sev_firmware_shutdown(struct sev_device *sev)
++{
++ sev_platform_shutdown(NULL);
++
++ if (sev_es_tmr) {
++ /* The TMR area was encrypted, flush it from the cache */
++ wbinvd_on_all_cpus();
++
++ free_pages((unsigned long)sev_es_tmr,
++ get_order(SEV_ES_TMR_SIZE));
++ sev_es_tmr = NULL;
++ }
++}
++
+ void sev_dev_destroy(struct psp_device *psp)
+ {
+ struct sev_device *sev = psp->sev_data;
+@@ -1026,6 +1043,8 @@ void sev_dev_destroy(struct psp_device *
+ if (!sev)
+ return;
+
++ sev_firmware_shutdown(sev);
++
+ if (sev->misc)
+ kref_put(&misc_dev->refcount, sev_exit);
+
+@@ -1056,21 +1075,6 @@ void sev_pci_init(void)
+ if (sev_get_api_version())
+ goto err;
+
+- /*
+- * If platform is not in UNINIT state then firmware upgrade and/or
+- * platform INIT command will fail. These command require UNINIT state.
+- *
+- * In a normal boot we should never run into case where the firmware
+- * is not in UNINIT state on boot. But in case of kexec boot, a reboot
+- * may not go through a typical shutdown sequence and may leave the
+- * firmware in INIT or WORKING state.
+- */
+-
+- if (sev->state != SEV_STATE_UNINIT) {
+- sev_platform_shutdown(NULL);
+- sev->state = SEV_STATE_UNINIT;
+- }
+-
+ if (sev_version_greater_or_equal(0, 15) &&
+ sev_update_firmware(sev->dev) == 0)
+ sev_get_api_version();
+@@ -1115,17 +1119,10 @@ err:
+
+ void sev_pci_exit(void)
+ {
+- if (!psp_master->sev_data)
+- return;
+-
+- sev_platform_shutdown(NULL);
++ struct sev_device *sev = psp_master->sev_data;
+
+- if (sev_es_tmr) {
+- /* The TMR area was encrypted, flush it from the cache */
+- wbinvd_on_all_cpus();
++ if (!sev)
++ return;
+
+- free_pages((unsigned long)sev_es_tmr,
+- get_order(SEV_ES_TMR_SIZE));
+- sev_es_tmr = NULL;
+- }
++ sev_firmware_shutdown(sev);
+ }
+--- a/drivers/crypto/ccp/sp-pci.c
++++ b/drivers/crypto/ccp/sp-pci.c
+@@ -241,6 +241,17 @@ e_err:
+ return ret;
+ }
+
++static void sp_pci_shutdown(struct pci_dev *pdev)
++{
++ struct device *dev = &pdev->dev;
++ struct sp_device *sp = dev_get_drvdata(dev);
++
++ if (!sp)
++ return;
++
++ sp_destroy(sp);
++}
++
+ static void sp_pci_remove(struct pci_dev *pdev)
+ {
+ struct device *dev = &pdev->dev;
+@@ -371,6 +382,7 @@ static struct pci_driver sp_pci_driver =
+ .id_table = sp_pci_table,
+ .probe = sp_pci_probe,
+ .remove = sp_pci_remove,
++ .shutdown = sp_pci_shutdown,
+ .driver.pm = &sp_pci_pm_ops,
+ };
+
--- /dev/null
+From f985911b7bc75d5c98ed24d8aaa8b94c590f7c6a Mon Sep 17 00:00:00 2001
+From: zhenwei pi <pizhenwei@bytedance.com>
+Date: Thu, 19 Aug 2021 20:37:10 +0800
+Subject: crypto: public_key: fix overflow during implicit conversion
+
+From: zhenwei pi <pizhenwei@bytedance.com>
+
+commit f985911b7bc75d5c98ed24d8aaa8b94c590f7c6a upstream.
+
+Hit kernel warning like this, it can be reproduced by verifying 256
+bytes datafile by keyctl command, run script:
+RAWDATA=rawdata
+SIGDATA=sigdata
+
+modprobe pkcs8_key_parser
+
+rm -rf *.der *.pem *.pfx
+rm -rf $RAWDATA
+dd if=/dev/random of=$RAWDATA bs=256 count=1
+
+openssl req -nodes -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem \
+ -subj "/C=CN/ST=GD/L=SZ/O=vihoo/OU=dev/CN=xx.com/emailAddress=yy@xx.com"
+
+KEY_ID=`openssl pkcs8 -in key.pem -topk8 -nocrypt -outform DER | keyctl \
+ padd asymmetric 123 @s`
+
+keyctl pkey_sign $KEY_ID 0 $RAWDATA enc=pkcs1 hash=sha1 > $SIGDATA
+keyctl pkey_verify $KEY_ID 0 $RAWDATA $SIGDATA enc=pkcs1 hash=sha1
+
+Then the kernel reports:
+ WARNING: CPU: 5 PID: 344556 at crypto/rsa-pkcs1pad.c:540
+ pkcs1pad_verify+0x160/0x190
+ ...
+ Call Trace:
+ public_key_verify_signature+0x282/0x380
+ ? software_key_query+0x12d/0x180
+ ? keyctl_pkey_params_get+0xd6/0x130
+ asymmetric_key_verify_signature+0x66/0x80
+ keyctl_pkey_verify+0xa5/0x100
+ do_syscall_64+0x35/0xb0
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+The reason of this issue, in function 'asymmetric_key_verify_signature':
+'.digest_size(u8) = params->in_len(u32)' leads overflow of an u8 value,
+so use u32 instead of u8 for digest_size field. And reorder struct
+public_key_signature, it saves 8 bytes on a 64-bit machine.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: zhenwei pi <pizhenwei@bytedance.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/crypto/public_key.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/crypto/public_key.h
++++ b/include/crypto/public_key.h
+@@ -38,9 +38,9 @@ extern void public_key_free(struct publi
+ struct public_key_signature {
+ struct asymmetric_key_id *auth_ids[2];
+ u8 *s; /* Signature */
+- u32 s_size; /* Number of bytes in signature */
+ u8 *digest;
+- u8 digest_size; /* Number of bytes in digest */
++ u32 s_size; /* Number of bytes in signature */
++ u32 digest_size; /* Number of bytes in digest */
+ const char *pkey_algo;
+ const char *hash_algo;
+ const char *encoding;
--- /dev/null
+From 528b16bfc3ae5f11638e71b3b63a81f9999df727 Mon Sep 17 00:00:00 2001
+From: Arne Welzel <arne.welzel@corelight.com>
+Date: Sat, 14 Aug 2021 00:40:38 +0200
+Subject: dm crypt: Avoid percpu_counter spinlock contention in crypt_page_alloc()
+
+From: Arne Welzel <arne.welzel@corelight.com>
+
+commit 528b16bfc3ae5f11638e71b3b63a81f9999df727 upstream.
+
+On systems with many cores using dm-crypt, heavy spinlock contention in
+percpu_counter_compare() can be observed when the page allocation limit
+for a given device is reached or close to be reached. This is due
+to percpu_counter_compare() taking a spinlock to compute an exact
+result on potentially many CPUs at the same time.
+
+Switch to non-exact comparison of allocated and allowed pages by using
+the value returned by percpu_counter_read_positive() to avoid taking
+the percpu_counter spinlock.
+
+This may over/under estimate the actual number of allocated pages by at
+most (batch-1) * num_online_cpus().
+
+Currently, batch is bounded by 32. The system on which this issue was
+first observed has 256 CPUs and 512GB of RAM. With a 4k page size, this
+change may over/under estimate by 31MB. With ~10G (2%) allowed dm-crypt
+allocations, this seems an acceptable error. Certainly preferred over
+running into the spinlock contention.
+
+This behavior was reproduced on an EC2 c5.24xlarge instance with 96 CPUs
+and 192GB RAM as follows, but can be provoked on systems with less CPUs
+as well.
+
+ * Disable swap
+ * Tune vm settings to promote regular writeback
+ $ echo 50 > /proc/sys/vm/dirty_expire_centisecs
+ $ echo 25 > /proc/sys/vm/dirty_writeback_centisecs
+ $ echo $((128 * 1024 * 1024)) > /proc/sys/vm/dirty_background_bytes
+
+ * Create 8 dmcrypt devices based on files on a tmpfs
+ * Create and mount an ext4 filesystem on each crypt devices
+ * Run stress-ng --hdd 8 within one of above filesystems
+
+Total %system usage collected from sysstat goes to ~35%. Write throughput
+on the underlying loop device is ~2GB/s. perf profiling an individual
+kworker kcryptd thread shows the following profile, indicating spinlock
+contention in percpu_counter_compare():
+
+ 99.98% 0.00% kworker/u193:46 [kernel.kallsyms] [k] ret_from_fork
+ |
+ --ret_from_fork
+ kthread
+ worker_thread
+ |
+ --99.92%--process_one_work
+ |
+ |--80.52%--kcryptd_crypt
+ | |
+ | |--62.58%--mempool_alloc
+ | | |
+ | | --62.24%--crypt_page_alloc
+ | | |
+ | | --61.51%--__percpu_counter_compare
+ | | |
+ | | --61.34%--__percpu_counter_sum
+ | | |
+ | | |--58.68%--_raw_spin_lock_irqsave
+ | | | |
+ | | | --58.30%--native_queued_spin_lock_slowpath
+ | | |
+ | | --0.69%--cpumask_next
+ | | |
+ | | --0.51%--_find_next_bit
+ | |
+ | |--10.61%--crypt_convert
+ | | |
+ | | |--6.05%--xts_crypt
+ ...
+
+After applying this patch and running the same test, %system usage is
+lowered to ~7% and write throughput on the loop device increases
+to ~2.7GB/s. perf report shows mempool_alloc() as ~8% rather than ~62%
+in the profile and not hitting the percpu_counter() spinlock anymore.
+
+ |--8.15%--mempool_alloc
+ | |
+ | |--3.93%--crypt_page_alloc
+ | | |
+ | | --3.75%--__alloc_pages
+ | | |
+ | | --3.62%--get_page_from_freelist
+ | | |
+ | | --3.22%--rmqueue_bulk
+ | | |
+ | | --2.59%--_raw_spin_lock
+ | | |
+ | | --2.57%--native_queued_spin_lock_slowpath
+ | |
+ | --3.05%--_raw_spin_lock_irqsave
+ | |
+ | --2.49%--native_queued_spin_lock_slowpath
+
+Suggested-by: DJ Gregor <dj@corelight.com>
+Reviewed-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Arne Welzel <arne.welzel@corelight.com>
+Fixes: 5059353df86e ("dm crypt: limit the number of allocated pages")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-crypt.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/dm-crypt.c
++++ b/drivers/md/dm-crypt.c
+@@ -2661,7 +2661,12 @@ static void *crypt_page_alloc(gfp_t gfp_
+ struct crypt_config *cc = pool_data;
+ struct page *page;
+
+- if (unlikely(percpu_counter_compare(&cc->n_allocated_pages, dm_crypt_pages_per_client) >= 0) &&
++ /*
++ * Note, percpu_counter_read_positive() may over (and under) estimate
++ * the current usage by at most (batch - 1) * num_online_cpus() pages,
++ * but avoids potential spinlock contention of an exact result.
++ */
++ if (unlikely(percpu_counter_read_positive(&cc->n_allocated_pages) >= dm_crypt_pages_per_client) &&
+ likely(gfp_mask & __GFP_NORETRY))
+ return NULL;
+
--- /dev/null
+From e555a03b112838883fdd8185d613c35d043732f2 Mon Sep 17 00:00:00 2001
+From: Robin Gong <yibin.gong@nxp.com>
+Date: Wed, 14 Jul 2021 18:20:44 +0800
+Subject: dmaengine: imx-sdma: remove duplicated sdma_load_context
+
+From: Robin Gong <yibin.gong@nxp.com>
+
+commit e555a03b112838883fdd8185d613c35d043732f2 upstream.
+
+Since sdma_transfer_init() will do sdma_load_context before any
+sdma transfer, no need once more in sdma_config_channel().
+
+Fixes: ad0d92d7ba6a ("dmaengine: imx-sdma: refine to load context only once")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Robin Gong <yibin.gong@nxp.com>
+Acked-by: Vinod Koul <vkoul@kernel.org>
+Tested-by: Richard Leitner <richard.leitner@skidata.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/imx-sdma.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/dma/imx-sdma.c
++++ b/drivers/dma/imx-sdma.c
+@@ -1107,7 +1107,6 @@ static void sdma_set_watermarklevel_for_
+ static int sdma_config_channel(struct dma_chan *chan)
+ {
+ struct sdma_channel *sdmac = to_sdma_chan(chan);
+- int ret;
+
+ sdma_disable_channel(chan);
+
+@@ -1147,9 +1146,7 @@ static int sdma_config_channel(struct dm
+ sdmac->watermark_level = 0; /* FIXME: M3_BASE_ADDRESS */
+ }
+
+- ret = sdma_load_context(sdmac);
+-
+- return ret;
++ return 0;
+ }
+
+ static int sdma_set_channel_priority(struct sdma_channel *sdmac,
--- /dev/null
+From b76d26d69ecc97ebb24aaf40427a13c808a4f488 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nuno=20S=C3=A1?= <nuno.sa@analog.com>
+Date: Wed, 11 Aug 2021 15:32:20 +0200
+Subject: iio: ltc2983: fix device probe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nuno Sá <nuno.sa@analog.com>
+
+commit b76d26d69ecc97ebb24aaf40427a13c808a4f488 upstream.
+
+There is no reason to assume that the IRQ rising edge (indicating that
+the device start up phase is done) will happen after we request the IRQ.
+If the device is already up by the time we request it, the call to
+'wait_for_completion_timeout()' will timeout and we will fail the device
+probe even though there's nothing wrong.
+
+Fix it by just polling the status register until we get the indication that
+the device is up and running. As a side effect of this fix, requesting the
+IRQ is also moved to after the setup function.
+
+Fixes: f110f3188e563 ("iio: temperature: Add support for LTC2983")
+Reported-and-tested-by: Drew Fustini <drew@pdp7.com>
+Reviewed-by: Drew Fustini <drew@pdp7.com>
+Signed-off-by: Nuno Sá <nuno.sa@analog.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Cc: <Stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210811133220.190264-2-nuno.sa@analog.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/temperature/ltc2983.c | 30 ++++++++++++++----------------
+ 1 file changed, 14 insertions(+), 16 deletions(-)
+
+--- a/drivers/iio/temperature/ltc2983.c
++++ b/drivers/iio/temperature/ltc2983.c
+@@ -89,6 +89,8 @@
+
+ #define LTC2983_STATUS_START_MASK BIT(7)
+ #define LTC2983_STATUS_START(x) FIELD_PREP(LTC2983_STATUS_START_MASK, x)
++#define LTC2983_STATUS_UP_MASK GENMASK(7, 6)
++#define LTC2983_STATUS_UP(reg) FIELD_GET(LTC2983_STATUS_UP_MASK, reg)
+
+ #define LTC2983_STATUS_CHAN_SEL_MASK GENMASK(4, 0)
+ #define LTC2983_STATUS_CHAN_SEL(x) \
+@@ -1362,17 +1364,16 @@ put_child:
+
+ static int ltc2983_setup(struct ltc2983_data *st, bool assign_iio)
+ {
+- u32 iio_chan_t = 0, iio_chan_v = 0, chan, iio_idx = 0;
++ u32 iio_chan_t = 0, iio_chan_v = 0, chan, iio_idx = 0, status;
+ int ret;
+- unsigned long time;
+-
+- /* make sure the device is up */
+- time = wait_for_completion_timeout(&st->completion,
+- msecs_to_jiffies(250));
+
+- if (!time) {
++ /* make sure the device is up: start bit (7) is 0 and done bit (6) is 1 */
++ ret = regmap_read_poll_timeout(st->regmap, LTC2983_STATUS_REG, status,
++ LTC2983_STATUS_UP(status) == 1, 25000,
++ 25000 * 10);
++ if (ret) {
+ dev_err(&st->spi->dev, "Device startup timed out\n");
+- return -ETIMEDOUT;
++ return ret;
+ }
+
+ st->iio_chan = devm_kzalloc(&st->spi->dev,
+@@ -1492,10 +1493,11 @@ static int ltc2983_probe(struct spi_devi
+ ret = ltc2983_parse_dt(st);
+ if (ret)
+ return ret;
+- /*
+- * let's request the irq now so it is used to sync the device
+- * startup in ltc2983_setup()
+- */
++
++ ret = ltc2983_setup(st, true);
++ if (ret)
++ return ret;
++
+ ret = devm_request_irq(&spi->dev, spi->irq, ltc2983_irq_handler,
+ IRQF_TRIGGER_RISING, name, st);
+ if (ret) {
+@@ -1503,10 +1505,6 @@ static int ltc2983_probe(struct spi_devi
+ return ret;
+ }
+
+- ret = ltc2983_setup(st, true);
+- if (ret)
+- return ret;
+-
+ indio_dev->name = name;
+ indio_dev->num_channels = st->iio_channels;
+ indio_dev->channels = st->iio_chan;
--- /dev/null
+From 6b7f554be8c92319d7e6df92fd247ebb9beb4a45 Mon Sep 17 00:00:00 2001
+From: Sean Young <sean@mess.org>
+Date: Sat, 3 Jul 2021 15:37:17 +0200
+Subject: media: rc-loopback: return number of emitters rather than error
+
+From: Sean Young <sean@mess.org>
+
+commit 6b7f554be8c92319d7e6df92fd247ebb9beb4a45 upstream.
+
+The LIRC_SET_TRANSMITTER_MASK ioctl should return the number of emitters
+if an invalid list was set.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/rc/rc-loopback.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/rc/rc-loopback.c
++++ b/drivers/media/rc/rc-loopback.c
+@@ -42,7 +42,7 @@ static int loop_set_tx_mask(struct rc_de
+
+ if ((mask & (RXMASK_REGULAR | RXMASK_LEARNING)) != mask) {
+ dprintk("invalid tx mask: %u\n", mask);
+- return -EINVAL;
++ return 2;
+ }
+
+ dprintk("setting tx mask: %u\n", mask);
--- /dev/null
+From 1a10d7fdb6d0e235e9d230916244cc2769d3f170 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Date: Thu, 17 Jun 2021 14:33:29 +0200
+Subject: media: uvc: don't do DMA on stack
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+commit 1a10d7fdb6d0e235e9d230916244cc2769d3f170 upstream.
+
+As warned by smatch:
+ drivers/media/usb/uvc/uvc_v4l2.c:911 uvc_ioctl_g_input() error: doing dma on the stack (&i)
+ drivers/media/usb/uvc/uvc_v4l2.c:943 uvc_ioctl_s_input() error: doing dma on the stack (&i)
+
+those two functions call uvc_query_ctrl passing a pointer to
+a data at the DMA stack. those are used to send URBs via
+usb_control_msg(). Using DMA stack is not supported and should
+not work anymore on modern Linux versions.
+
+So, use a kmalloc'ed buffer.
+
+Cc: stable@vger.kernel.org # Kernel 4.9 and upper
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/uvc/uvc_v4l2.c | 34 +++++++++++++++++++++++-----------
+ 1 file changed, 23 insertions(+), 11 deletions(-)
+
+--- a/drivers/media/usb/uvc/uvc_v4l2.c
++++ b/drivers/media/usb/uvc/uvc_v4l2.c
+@@ -899,8 +899,8 @@ static int uvc_ioctl_g_input(struct file
+ {
+ struct uvc_fh *handle = fh;
+ struct uvc_video_chain *chain = handle->chain;
++ u8 *buf;
+ int ret;
+- u8 i;
+
+ if (chain->selector == NULL ||
+ (chain->dev->quirks & UVC_QUIRK_IGNORE_SELECTOR_UNIT)) {
+@@ -908,22 +908,27 @@ static int uvc_ioctl_g_input(struct file
+ return 0;
+ }
+
++ buf = kmalloc(1, GFP_KERNEL);
++ if (!buf)
++ return -ENOMEM;
++
+ ret = uvc_query_ctrl(chain->dev, UVC_GET_CUR, chain->selector->id,
+ chain->dev->intfnum, UVC_SU_INPUT_SELECT_CONTROL,
+- &i, 1);
+- if (ret < 0)
+- return ret;
++ buf, 1);
++ if (!ret)
++ *input = *buf - 1;
+
+- *input = i - 1;
+- return 0;
++ kfree(buf);
++
++ return ret;
+ }
+
+ static int uvc_ioctl_s_input(struct file *file, void *fh, unsigned int input)
+ {
+ struct uvc_fh *handle = fh;
+ struct uvc_video_chain *chain = handle->chain;
++ u8 *buf;
+ int ret;
+- u32 i;
+
+ ret = uvc_acquire_privileges(handle);
+ if (ret < 0)
+@@ -939,10 +944,17 @@ static int uvc_ioctl_s_input(struct file
+ if (input >= chain->selector->bNrInPins)
+ return -EINVAL;
+
+- i = input + 1;
+- return uvc_query_ctrl(chain->dev, UVC_SET_CUR, chain->selector->id,
+- chain->dev->intfnum, UVC_SU_INPUT_SELECT_CONTROL,
+- &i, 1);
++ buf = kmalloc(1, GFP_KERNEL);
++ if (!buf)
++ return -ENOMEM;
++
++ *buf = input + 1;
++ ret = uvc_query_ctrl(chain->dev, UVC_SET_CUR, chain->selector->id,
++ chain->dev->intfnum, UVC_SU_INPUT_SELECT_CONTROL,
++ buf, 1);
++ kfree(buf);
++
++ return ret;
+ }
+
+ static int uvc_ioctl_queryctrl(struct file *file, void *fh,
--- /dev/null
+From de0534df93474f268486c486ea7e01b44a478026 Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Fri, 6 Aug 2021 09:59:47 +0100
+Subject: nvmem: core: fix error handling while validating keepout regions
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+commit de0534df93474f268486c486ea7e01b44a478026 upstream.
+
+Current error path on failure of validating keepout regions is calling
+put_device, eventhough the device is not even registered at that point.
+
+Fix this by adding proper error handling of freeing ida and nvmem.
+
+Fixes: fd3bb8f54a88 ("nvmem: core: Add support for keepout regions")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20210806085947.22682-5-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvmem/core.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/nvmem/core.c
++++ b/drivers/nvmem/core.c
+@@ -818,8 +818,11 @@ struct nvmem_device *nvmem_register(cons
+
+ if (nvmem->nkeepout) {
+ rval = nvmem_validate_keepouts(nvmem);
+- if (rval)
+- goto err_put_device;
++ if (rval) {
++ ida_free(&nvmem_ida, nvmem->id);
++ kfree(nvmem);
++ return ERR_PTR(rval);
++ }
+ }
+
+ dev_dbg(&nvmem->dev, "Registering nvmem device %s\n", config->name);
--- /dev/null
+From 7261851e938f4b0fe8c0f5a8e627ae90e1ba9875 Mon Sep 17 00:00:00 2001
+From: Paul Cercueil <paul@crapouillou.net>
+Date: Sat, 17 Jul 2021 18:48:35 +0100
+Subject: pinctrl: ingenic: Fix bias config for X2000(E)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paul Cercueil <paul@crapouillou.net>
+
+commit 7261851e938f4b0fe8c0f5a8e627ae90e1ba9875 upstream.
+
+The ingenic_set_bias() function's "bias" argument is not a
+"enum pin_config_param", so its value should not be compared against
+values of that enum.
+
+This should fix the bias config not working on the X2000(E) SoCs.
+
+Fixes: 943e0da15370 ("pinctrl: Ingenic: Add pinctrl driver for X2000.")
+Cc: <stable@vger.kernel.org> # v5.12
+Signed-off-by: Paul Cercueil <paul@crapouillou.net>
+Tested-by: 周琰杰 (Zhou Yanjie)<zhouyanjie@wanyeetech.com>
+Link: https://lore.kernel.org/r/20210717174836.14776-2-paul@crapouillou.net
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/pinctrl-ingenic.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/pinctrl/pinctrl-ingenic.c
++++ b/drivers/pinctrl/pinctrl-ingenic.c
+@@ -3441,17 +3441,17 @@ static void ingenic_set_bias(struct inge
+ {
+ if (jzpc->info->version >= ID_X2000) {
+ switch (bias) {
+- case PIN_CONFIG_BIAS_PULL_UP:
++ case GPIO_PULL_UP:
+ ingenic_config_pin(jzpc, pin, X2000_GPIO_PEPD, false);
+ ingenic_config_pin(jzpc, pin, X2000_GPIO_PEPU, true);
+ break;
+
+- case PIN_CONFIG_BIAS_PULL_DOWN:
++ case GPIO_PULL_DOWN:
+ ingenic_config_pin(jzpc, pin, X2000_GPIO_PEPU, false);
+ ingenic_config_pin(jzpc, pin, X2000_GPIO_PEPD, true);
+ break;
+
+- case PIN_CONFIG_BIAS_DISABLE:
++ case GPIO_PULL_DIS:
+ default:
+ ingenic_config_pin(jzpc, pin, X2000_GPIO_PEPU, false);
+ ingenic_config_pin(jzpc, pin, X2000_GPIO_PEPD, false);
--- /dev/null
+From d5e931403942b3af39212960c2592b5ba741b2bf Mon Sep 17 00:00:00 2001
+From: Paul Cercueil <paul@crapouillou.net>
+Date: Sat, 17 Jul 2021 18:48:34 +0100
+Subject: pinctrl: ingenic: Fix incorrect pull up/down info
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paul Cercueil <paul@crapouillou.net>
+
+commit d5e931403942b3af39212960c2592b5ba741b2bf upstream.
+
+Fix the pull up/down info for both the JZ4760 and JZ4770 SoCs, as the
+previous values sometimes contradicted what's written in the programming
+manual.
+
+Fixes: b5c23aa46537 ("pinctrl: add a pinctrl driver for the Ingenic jz47xx SoCs")
+Cc: <stable@vger.kernel.org> # v4.12
+Signed-off-by: Paul Cercueil <paul@crapouillou.net>
+Tested-by: 周琰杰 (Zhou Yanjie)<zhouyanjie@wanyeetech.com>
+Link: https://lore.kernel.org/r/20210717174836.14776-1-paul@crapouillou.net
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/pinctrl-ingenic.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/pinctrl/pinctrl-ingenic.c
++++ b/drivers/pinctrl/pinctrl-ingenic.c
+@@ -710,7 +710,7 @@ static const struct ingenic_chip_info jz
+ };
+
+ static const u32 jz4760_pull_ups[6] = {
+- 0xffffffff, 0xfffcf3ff, 0xffffffff, 0xffffcfff, 0xfffffb7c, 0xfffff00f,
++ 0xffffffff, 0xfffcf3ff, 0xffffffff, 0xffffcfff, 0xfffffb7c, 0x0000000f,
+ };
+
+ static const u32 jz4760_pull_downs[6] = {
+@@ -936,11 +936,11 @@ static const struct ingenic_chip_info jz
+ };
+
+ static const u32 jz4770_pull_ups[6] = {
+- 0x3fffffff, 0xfff0030c, 0xffffffff, 0xffff4fff, 0xfffffb7c, 0xffa7f00f,
++ 0x3fffffff, 0xfff0f3fc, 0xffffffff, 0xffff4fff, 0xfffffb7c, 0x0024f00f,
+ };
+
+ static const u32 jz4770_pull_downs[6] = {
+- 0x00000000, 0x000f0c03, 0x00000000, 0x0000b000, 0x00000483, 0x00580ff0,
++ 0x00000000, 0x000f0c03, 0x00000000, 0x0000b000, 0x00000483, 0x005b0ff0,
+ };
+
+ static int jz4770_uart0_data_pins[] = { 0xa0, 0xa3, };
--- /dev/null
+From 1b73e588f47397dee6e4bdfd953e0306c60b5fe5 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <maz@kernel.org>
+Date: Sun, 25 Jul 2021 19:08:30 +0100
+Subject: pinctrl: stmfx: Fix hazardous u8[] to unsigned long cast
+
+From: Marc Zyngier <maz@kernel.org>
+
+commit 1b73e588f47397dee6e4bdfd953e0306c60b5fe5 upstream.
+
+Casting a small array of u8 to an unsigned long is *never* OK:
+
+- it does funny thing when the array size is less than that of a long,
+ as it accesses random places in the stack
+- it makes everything even more fun with a BE kernel
+
+Fix this by building the unsigned long used as a bitmap byte by byte,
+in a way that works across endianess and has no undefined behaviours.
+
+An extra BUILD_BUG_ON() catches the unlikely case where the array
+would be larger than a single unsigned long.
+
+Fixes: 1490d9f841b1 ("pinctrl: Add STMFX GPIO expander Pinctrl/GPIO driver")
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger.kernel.org
+Cc: Amelie Delaunay <amelie.delaunay@foss.st.com>
+Cc: Linus Walleij <linus.walleij@linaro.org>
+Cc: Maxime Coquelin <mcoquelin.stm32@gmail.com>
+Cc: Alexandre Torgue <alexandre.torgue@foss.st.com>
+Link: https://lore.kernel.org/r/20210725180830.250218-1-maz@kernel.org
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/pinctrl-stmfx.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/pinctrl/pinctrl-stmfx.c
++++ b/drivers/pinctrl/pinctrl-stmfx.c
+@@ -566,7 +566,7 @@ static irqreturn_t stmfx_pinctrl_irq_thr
+ u8 pending[NR_GPIO_REGS];
+ u8 src[NR_GPIO_REGS] = {0, 0, 0};
+ unsigned long n, status;
+- int ret;
++ int i, ret;
+
+ ret = regmap_bulk_read(pctl->stmfx->map, STMFX_REG_IRQ_GPI_PENDING,
+ &pending, NR_GPIO_REGS);
+@@ -576,7 +576,9 @@ static irqreturn_t stmfx_pinctrl_irq_thr
+ regmap_bulk_write(pctl->stmfx->map, STMFX_REG_IRQ_GPI_SRC,
+ src, NR_GPIO_REGS);
+
+- status = *(unsigned long *)pending;
++ BUILD_BUG_ON(NR_GPIO_REGS > sizeof(status));
++ for (i = 0, status = 0; i < NR_GPIO_REGS; i++)
++ status |= (unsigned long)pending[i] << (i * 8);
+ for_each_set_bit(n, &status, gc->ngpio) {
+ handle_nested_irq(irq_find_mapping(gc->irq.domain, n));
+ stmfx_pinctrl_irq_toggle_trigger(pctl, n);
--- /dev/null
+From 54784ffa5b267f57161eb8fbb811499f22a0a0bf Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Date: Mon, 16 Aug 2021 10:27:14 +0200
+Subject: power: supply: max17042: handle fails of reading status register
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+
+commit 54784ffa5b267f57161eb8fbb811499f22a0a0bf upstream.
+
+Reading status register can fail in the interrupt handler. In such
+case, the regmap_read() will not store anything useful under passed
+'val' variable and random stack value will be used to determine type of
+interrupt.
+
+Handle the regmap_read() failure to avoid handling interrupt type and
+triggering changed power supply event based on random stack value.
+
+Fixes: 39e7213edc4f ("max17042_battery: Support regmap to access device's registers")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/max17042_battery.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/power/supply/max17042_battery.c
++++ b/drivers/power/supply/max17042_battery.c
+@@ -869,8 +869,12 @@ static irqreturn_t max17042_thread_handl
+ {
+ struct max17042_chip *chip = dev;
+ u32 val;
++ int ret;
++
++ ret = regmap_read(chip->regmap, MAX17042_STATUS, &val);
++ if (ret)
++ return IRQ_HANDLED;
+
+- regmap_read(chip->regmap, MAX17042_STATUS, &val);
+ if ((val & STATUS_INTR_SOCMIN_BIT) ||
+ (val & STATUS_INTR_SOCMAX_BIT)) {
+ dev_info(&chip->client->dev, "SOC threshold INTR\n");
--- /dev/null
+From 8592f02464d52776c5cfae4627c6413b0ae7602d Mon Sep 17 00:00:00 2001
+From: Robin Gong <yibin.gong@nxp.com>
+Date: Wed, 14 Jul 2021 18:20:43 +0800
+Subject: Revert "dmaengine: imx-sdma: refine to load context only once"
+
+From: Robin Gong <yibin.gong@nxp.com>
+
+commit 8592f02464d52776c5cfae4627c6413b0ae7602d upstream.
+
+This reverts commit ad0d92d7ba6aecbe2705907c38ff8d8be4da1e9c, because
+in spi-imx case, burst length may be changed dynamically.
+
+Fixes: ad0d92d7ba6a ("dmaengine: imx-sdma: refine to load context only once")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Robin Gong <yibin.gong@nxp.com>
+Acked-by: Sascha Hauer <s.hauer@pengutronix.de>
+Tested-by: Richard Leitner <richard.leitner@skidata.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/imx-sdma.c | 8 --------
+ 1 file changed, 8 deletions(-)
+
+--- a/drivers/dma/imx-sdma.c
++++ b/drivers/dma/imx-sdma.c
+@@ -379,7 +379,6 @@ struct sdma_channel {
+ unsigned long watermark_level;
+ u32 shp_addr, per_addr;
+ enum dma_status status;
+- bool context_loaded;
+ struct imx_dma_data data;
+ struct work_struct terminate_worker;
+ };
+@@ -954,9 +953,6 @@ static int sdma_load_context(struct sdma
+ int ret;
+ unsigned long flags;
+
+- if (sdmac->context_loaded)
+- return 0;
+-
+ if (sdmac->direction == DMA_DEV_TO_MEM)
+ load_address = sdmac->pc_from_device;
+ else if (sdmac->direction == DMA_DEV_TO_DEV)
+@@ -999,8 +995,6 @@ static int sdma_load_context(struct sdma
+
+ spin_unlock_irqrestore(&sdma->channel_0_lock, flags);
+
+- sdmac->context_loaded = true;
+-
+ return ret;
+ }
+
+@@ -1039,7 +1033,6 @@ static void sdma_channel_terminate_work(
+ vchan_get_all_descriptors(&sdmac->vc, &head);
+ spin_unlock_irqrestore(&sdmac->vc.lock, flags);
+ vchan_dma_desc_free_list(&sdmac->vc, &head);
+- sdmac->context_loaded = false;
+ }
+
+ static int sdma_terminate_all(struct dma_chan *chan)
+@@ -1307,7 +1300,6 @@ static void sdma_free_chan_resources(str
+
+ sdmac->event_id0 = 0;
+ sdmac->event_id1 = 0;
+- sdmac->context_loaded = false;
+
+ sdma_set_channel_priority(sdmac, 0);
+
--- /dev/null
+From 1c1dc8bda3a05c60877a6649775894db5343bdea Mon Sep 17 00:00:00 2001
+From: Julian Wiedmann <jwi@linux.ibm.com>
+Date: Mon, 31 May 2021 18:33:02 +0300
+Subject: s390/qdio: cancel the ESTABLISH ccw after timeout
+
+From: Julian Wiedmann <jwi@linux.ibm.com>
+
+commit 1c1dc8bda3a05c60877a6649775894db5343bdea upstream.
+
+When the ESTABLISH ccw does not complete within the specified timeout,
+try our best to cancel the ccw program that is still active on the
+device. Otherwise the IO subsystem might be accessing it even after
+the driver eg. called qdio_free().
+
+Fixes: 779e6e1c724d ("[S390] qdio: new qdio driver.")
+Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
+Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
+Cc: <stable@vger.kernel.org> # 2.6.27
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/cio/qdio_main.c | 51 +++++++++++++++++++++++++------------------
+ 1 file changed, 30 insertions(+), 21 deletions(-)
+
+--- a/drivers/s390/cio/qdio_main.c
++++ b/drivers/s390/cio/qdio_main.c
+@@ -886,6 +886,33 @@ static void qdio_shutdown_queues(struct
+ }
+ }
+
++static int qdio_cancel_ccw(struct qdio_irq *irq, int how)
++{
++ struct ccw_device *cdev = irq->cdev;
++ int rc;
++
++ spin_lock_irq(get_ccwdev_lock(cdev));
++ qdio_set_state(irq, QDIO_IRQ_STATE_CLEANUP);
++ if (how & QDIO_FLAG_CLEANUP_USING_CLEAR)
++ rc = ccw_device_clear(cdev, QDIO_DOING_CLEANUP);
++ else
++ /* default behaviour is halt */
++ rc = ccw_device_halt(cdev, QDIO_DOING_CLEANUP);
++ spin_unlock_irq(get_ccwdev_lock(cdev));
++ if (rc) {
++ DBF_ERROR("%4x SHUTD ERR", irq->schid.sch_no);
++ DBF_ERROR("rc:%4d", rc);
++ return rc;
++ }
++
++ wait_event_interruptible_timeout(cdev->private->wait_q,
++ irq->state == QDIO_IRQ_STATE_INACTIVE ||
++ irq->state == QDIO_IRQ_STATE_ERR,
++ 10 * HZ);
++
++ return 0;
++}
++
+ /**
+ * qdio_shutdown - shut down a qdio subchannel
+ * @cdev: associated ccw device
+@@ -923,27 +950,7 @@ int qdio_shutdown(struct ccw_device *cde
+ qdio_shutdown_queues(irq_ptr);
+ qdio_shutdown_debug_entries(irq_ptr);
+
+- /* cleanup subchannel */
+- spin_lock_irq(get_ccwdev_lock(cdev));
+- qdio_set_state(irq_ptr, QDIO_IRQ_STATE_CLEANUP);
+- if (how & QDIO_FLAG_CLEANUP_USING_CLEAR)
+- rc = ccw_device_clear(cdev, QDIO_DOING_CLEANUP);
+- else
+- /* default behaviour is halt */
+- rc = ccw_device_halt(cdev, QDIO_DOING_CLEANUP);
+- spin_unlock_irq(get_ccwdev_lock(cdev));
+- if (rc) {
+- DBF_ERROR("%4x SHUTD ERR", irq_ptr->schid.sch_no);
+- DBF_ERROR("rc:%4d", rc);
+- goto no_cleanup;
+- }
+-
+- wait_event_interruptible_timeout(cdev->private->wait_q,
+- irq_ptr->state == QDIO_IRQ_STATE_INACTIVE ||
+- irq_ptr->state == QDIO_IRQ_STATE_ERR,
+- 10 * HZ);
+-
+-no_cleanup:
++ rc = qdio_cancel_ccw(irq_ptr, how);
+ qdio_shutdown_thinint(irq_ptr);
+ qdio_shutdown_irq(irq_ptr);
+
+@@ -1153,10 +1160,12 @@ int qdio_establish(struct ccw_device *cd
+ return 0;
+
+ err_ccw_timeout:
++ qdio_cancel_ccw(irq_ptr, QDIO_FLAG_CLEANUP_USING_CLEAR);
+ err_ccw_start:
+ qdio_shutdown_thinint(irq_ptr);
+ err_thinint:
+ qdio_shutdown_irq(irq_ptr);
++ qdio_set_state(irq_ptr, QDIO_IRQ_STATE_INACTIVE);
+ mutex_unlock(&irq_ptr->setup_mutex);
+ return rc;
+ }
--- /dev/null
+From 2c197870e4701610ec3b1143808d4e31152caf30 Mon Sep 17 00:00:00 2001
+From: Julian Wiedmann <jwi@linux.ibm.com>
+Date: Mon, 31 May 2021 18:40:06 +0300
+Subject: s390/qdio: fix roll-back after timeout on ESTABLISH ccw
+
+From: Julian Wiedmann <jwi@linux.ibm.com>
+
+commit 2c197870e4701610ec3b1143808d4e31152caf30 upstream.
+
+When qdio_establish() times out while waiting for the ESTABLISH ccw to
+complete, it calls qdio_shutdown() to roll back all of its previous
+actions. But at this point the qdio_irq's state is still
+QDIO_IRQ_STATE_INACTIVE, so qdio_shutdown() will exit immediately
+without doing any actual work.
+
+Which means that eg. the qdio_irq's thinint-indicator stays registered,
+and cdev->handler isn't restored to its old value. And since
+commit 954d6235be41 ("s390/qdio: make thinint registration symmetric")
+the qdio_irq also stays on the tiq_list, so on the next qdio_establish()
+we might get a helpful BUG from the list-debugging code:
+
+...
+[ 4633.512591] list_add double add: new=00000000005a4110, prev=00000001b357db78, next=00000000005a4110.
+[ 4633.512621] ------------[ cut here ]------------
+[ 4633.512623] kernel BUG at lib/list_debug.c:29!
+...
+[ 4633.512796] [<00000001b2c6ee9a>] __list_add_valid+0x82/0xa0
+[ 4633.512798] ([<00000001b2c6ee96>] __list_add_valid+0x7e/0xa0)
+[ 4633.512800] [<00000001b2fcecce>] qdio_establish_thinint+0x116/0x190
+[ 4633.512805] [<00000001b2fcbe58>] qdio_establish+0x128/0x498
+...
+
+Fix this by extracting a goto-chain from the existing error exits in
+qdio_establish(), and check the return value of the wait_event_...()
+to detect the timeout condition.
+
+Fixes: 779e6e1c724d ("[S390] qdio: new qdio driver.")
+Root-caused-by: Benjamin Block <bblock@linux.ibm.com>
+Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
+Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
+Cc: <stable@vger.kernel.org> # 2.6.27
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/cio/qdio_main.c | 31 +++++++++++++++++++------------
+ 1 file changed, 19 insertions(+), 12 deletions(-)
+
+--- a/drivers/s390/cio/qdio_main.c
++++ b/drivers/s390/cio/qdio_main.c
+@@ -1079,6 +1079,7 @@ int qdio_establish(struct ccw_device *cd
+ {
+ struct qdio_irq *irq_ptr = cdev->private->qdio_data;
+ struct subchannel_id schid;
++ long timeout;
+ int rc;
+
+ ccw_device_get_schid(cdev, &schid);
+@@ -1107,11 +1108,8 @@ int qdio_establish(struct ccw_device *cd
+ qdio_setup_irq(irq_ptr, init_data);
+
+ rc = qdio_establish_thinint(irq_ptr);
+- if (rc) {
+- qdio_shutdown_irq(irq_ptr);
+- mutex_unlock(&irq_ptr->setup_mutex);
+- return rc;
+- }
++ if (rc)
++ goto err_thinint;
+
+ /* establish q */
+ irq_ptr->ccw.cmd_code = irq_ptr->equeue.cmd;
+@@ -1127,15 +1125,16 @@ int qdio_establish(struct ccw_device *cd
+ if (rc) {
+ DBF_ERROR("%4x est IO ERR", irq_ptr->schid.sch_no);
+ DBF_ERROR("rc:%4x", rc);
+- qdio_shutdown_thinint(irq_ptr);
+- qdio_shutdown_irq(irq_ptr);
+- mutex_unlock(&irq_ptr->setup_mutex);
+- return rc;
++ goto err_ccw_start;
+ }
+
+- wait_event_interruptible_timeout(cdev->private->wait_q,
+- irq_ptr->state == QDIO_IRQ_STATE_ESTABLISHED ||
+- irq_ptr->state == QDIO_IRQ_STATE_ERR, HZ);
++ timeout = wait_event_interruptible_timeout(cdev->private->wait_q,
++ irq_ptr->state == QDIO_IRQ_STATE_ESTABLISHED ||
++ irq_ptr->state == QDIO_IRQ_STATE_ERR, HZ);
++ if (timeout <= 0) {
++ rc = (timeout == -ERESTARTSYS) ? -EINTR : -ETIME;
++ goto err_ccw_timeout;
++ }
+
+ if (irq_ptr->state != QDIO_IRQ_STATE_ESTABLISHED) {
+ mutex_unlock(&irq_ptr->setup_mutex);
+@@ -1152,6 +1151,14 @@ int qdio_establish(struct ccw_device *cd
+ qdio_print_subchannel_info(irq_ptr);
+ qdio_setup_debug_entries(irq_ptr);
+ return 0;
++
++err_ccw_timeout:
++err_ccw_start:
++ qdio_shutdown_thinint(irq_ptr);
++err_thinint:
++ qdio_shutdown_irq(irq_ptr);
++ mutex_unlock(&irq_ptr->setup_mutex);
++ return rc;
+ }
+ EXPORT_SYMBOL_GPL(qdio_establish);
+
--- /dev/null
+From 210f9df02611cbe641ced3239122b270fd907d86 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Fri, 20 Aug 2021 16:46:47 -0400
+Subject: selftests/ftrace: Fix requirement check of README file
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 210f9df02611cbe641ced3239122b270fd907d86 upstream.
+
+The selftest for ftrace checks some features by checking if the README has
+text that states the feature is supported by that kernel. Unfortunately,
+this check gives false positives because it many not be checked if there's
+spaces in the string to check. This is due to the compare between the
+required variable with the ":README" string stripped, because neither has
+quotes around them.
+
+Link: https://lkml.kernel.org/r/20210820204742.087177341@goodmis.org
+
+Cc: "Tzvetomir Stoyanov" <tz.stoyanov@gmail.com>
+Cc: Tom Zanussi <zanussi@kernel.org>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Shuah Khan <skhan@linuxfoundation.org>
+Cc: linux-kselftest@vger.kernel.org
+Cc: stable@vger.kernel.org
+Fixes: 1b8eec510ba64 ("selftests/ftrace: Support ":README" suffix for requires")
+Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/ftrace/test.d/functions | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/ftrace/test.d/functions
++++ b/tools/testing/selftests/ftrace/test.d/functions
+@@ -115,7 +115,7 @@ check_requires() { # Check required file
+ echo "Required tracer $t is not configured."
+ exit_unsupported
+ fi
+- elif [ $r != $i ]; then
++ elif [ "$r" != "$i" ]; then
+ if ! grep -Fq "$r" README ; then
+ echo "Required feature pattern \"$r\" is not in README."
+ exit_unsupported
9p-xen-fix-end-of-loop-tests-for-list_for_each_entry.patch
ceph-fix-dereference-of-null-pointer-cf.patch
input-elan_i2c-reduce-the-resume-time-for-controller-in-whitebox.patch
+selftests-ftrace-fix-requirement-check-of-readme-file.patch
+tools-thermal-tmon-add-cross-compiling-support.patch
+clk-socfpga-agilex-fix-the-parents-of-the-psi_ref_clk.patch
+clk-socfpga-agilex-fix-up-s2f_user0_clk-representation.patch
+clk-socfpga-agilex-add-the-bypass-register-for-s2f_usr0-clock.patch
+pinctrl-stmfx-fix-hazardous-u8-to-unsigned-long-cast.patch
+pinctrl-ingenic-fix-incorrect-pull-up-down-info.patch
+pinctrl-ingenic-fix-bias-config-for-x2000-e.patch
+soc-mediatek-mmsys-fix-missing-ufoe-component-in-mt8173-table-routing.patch
+soc-qcom-aoss-fix-the-out-of-bound-usage-of-cooling_devs.patch
+soc-aspeed-lpc-ctrl-fix-boundary-check-for-mmap.patch
+soc-aspeed-p2a-ctrl-fix-boundary-check-for-mmap.patch
+arm64-move-.hyp.rodata-outside-of-the-_sdata.._edata-range.patch
+arm64-mm-fix-tlbi-vs-asid-rollover.patch
+arm64-head-avoid-over-mapping-in-map_memory.patch
+arm64-do-not-trap-pmsnevfr_el1.patch
+iio-ltc2983-fix-device-probe.patch
+wcn36xx-ensure-finish-scan-is-not-requested-before-start-scan.patch
+crypto-public_key-fix-overflow-during-implicit-conversion.patch
+block-bfq-fix-bfq_set_next_ioprio_data.patch
+power-supply-max17042-handle-fails-of-reading-status-register.patch
+cpufreq-schedutil-use-kobject-release-method-to-free-sugov_tunables.patch
+dm-crypt-avoid-percpu_counter-spinlock-contention-in-crypt_page_alloc.patch
+crypto-ccp-shutdown-sev-firmware-on-kexec.patch
+spi-fsi-reduce-max-transfer-size-to-8-bytes.patch
+vmci-fix-null-pointer-dereference-when-unmapping-queue-pair.patch
+media-uvc-don-t-do-dma-on-stack.patch
+media-rc-loopback-return-number-of-emitters-rather-than-error.patch
+nvmem-core-fix-error-handling-while-validating-keepout-regions.patch
+s390-qdio-fix-roll-back-after-timeout-on-establish-ccw.patch
+s390-qdio-cancel-the-establish-ccw-after-timeout.patch
+revert-dmaengine-imx-sdma-refine-to-load-context-only-once.patch
+dmaengine-imx-sdma-remove-duplicated-sdma_load_context.patch
--- /dev/null
+From b49a0e69a7b1a68c8d3f64097d06dabb770fec96 Mon Sep 17 00:00:00 2001
+From: Iwona Winiarska <iwona.winiarska@intel.com>
+Date: Wed, 4 Aug 2021 01:48:18 +0200
+Subject: soc: aspeed: lpc-ctrl: Fix boundary check for mmap
+
+From: Iwona Winiarska <iwona.winiarska@intel.com>
+
+commit b49a0e69a7b1a68c8d3f64097d06dabb770fec96 upstream.
+
+The check mixes pages (vm_pgoff) with bytes (vm_start, vm_end) on one
+side of the comparison, and uses resource address (rather than just the
+resource size) on the other side of the comparison.
+This can allow malicious userspace to easily bypass the boundary check and
+map pages that are located outside memory-region reserved by the driver.
+
+Fixes: 6c4e97678501 ("drivers/misc: Add Aspeed LPC control driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Iwona Winiarska <iwona.winiarska@intel.com>
+Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
+Tested-by: Andrew Jeffery <andrew@aj.id.au>
+Reviewed-by: Joel Stanley <joel@aj.id.au>
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/aspeed/aspeed-lpc-ctrl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/soc/aspeed/aspeed-lpc-ctrl.c
++++ b/drivers/soc/aspeed/aspeed-lpc-ctrl.c
+@@ -51,7 +51,7 @@ static int aspeed_lpc_ctrl_mmap(struct f
+ unsigned long vsize = vma->vm_end - vma->vm_start;
+ pgprot_t prot = vma->vm_page_prot;
+
+- if (vma->vm_pgoff + vsize > lpc_ctrl->mem_base + lpc_ctrl->mem_size)
++ if (vma->vm_pgoff + vma_pages(vma) > lpc_ctrl->mem_size >> PAGE_SHIFT)
+ return -EINVAL;
+
+ /* ast2400/2500 AHB accesses are not cache coherent */
--- /dev/null
+From 8b07e990fb254fcbaa919616ac77f981cb48c73d Mon Sep 17 00:00:00 2001
+From: Iwona Winiarska <iwona.winiarska@intel.com>
+Date: Wed, 4 Aug 2021 01:48:19 +0200
+Subject: soc: aspeed: p2a-ctrl: Fix boundary check for mmap
+
+From: Iwona Winiarska <iwona.winiarska@intel.com>
+
+commit 8b07e990fb254fcbaa919616ac77f981cb48c73d upstream.
+
+The check mixes pages (vm_pgoff) with bytes (vm_start, vm_end) on one
+side of the comparison, and uses resource address (rather than just the
+resource size) on the other side of the comparison.
+This can allow malicious userspace to easily bypass the boundary check and
+map pages that are located outside memory-region reserved by the driver.
+
+Fixes: 01c60dcea9f7 ("drivers/misc: Add Aspeed P2A control driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Iwona Winiarska <iwona.winiarska@intel.com>
+Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
+Tested-by: Andrew Jeffery <andrew@aj.id.au>
+Reviewed-by: Joel Stanley <joel@aj.id.au>
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/aspeed/aspeed-p2a-ctrl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/soc/aspeed/aspeed-p2a-ctrl.c
++++ b/drivers/soc/aspeed/aspeed-p2a-ctrl.c
+@@ -110,7 +110,7 @@ static int aspeed_p2a_mmap(struct file *
+ vsize = vma->vm_end - vma->vm_start;
+ prot = vma->vm_page_prot;
+
+- if (vma->vm_pgoff + vsize > ctrl->mem_base + ctrl->mem_size)
++ if (vma->vm_pgoff + vma_pages(vma) > ctrl->mem_size >> PAGE_SHIFT)
+ return -EINVAL;
+
+ /* ast2400/2500 AHB accesses are not cache coherent */
--- /dev/null
+From 25423731956b3d72bc35d336227c88ada49148e8 Mon Sep 17 00:00:00 2001
+From: Enric Balletbo i Serra <enric.balletbo@collabora.com>
+Date: Fri, 25 Jun 2021 08:24:48 +0200
+Subject: soc: mediatek: mmsys: Fix missing UFOE component in mt8173 table routing
+
+From: Enric Balletbo i Serra <enric.balletbo@collabora.com>
+
+commit 25423731956b3d72bc35d336227c88ada49148e8 upstream.
+
+The UFOE (data compression engine) component needs to be enabled to have
+the imgtec gpu driver working. If we don't enable it we see a black screen.
+Looks like when we switched to use and array for setting the routing
+registers in commit 440147639ac7 ("soc: mediatek: mmsys: Use an array for
+setting the routing registers") we missed to add this component in the new
+routing table, it was present before that commit, so fix it by adding
+this component in the mt8173 routing table.
+
+Fixes: 440147639ac7 ("soc: mediatek: mmsys: Use an array for setting the routing registers")
+Signed-off-by: Enric Balletbo i Serra <enric.balletbo@collabora.com>
+Tested-by: Eizan Miyamoto <eizan@chromium.org>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210625062448.3462177-1-enric.balletbo@collabora.com
+[mb: taking into account mask value]
+Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/mediatek/mtk-mmsys.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/soc/mediatek/mtk-mmsys.h
++++ b/drivers/soc/mediatek/mtk-mmsys.h
+@@ -262,6 +262,10 @@ static const struct mtk_mmsys_routes mms
+ DDP_COMPONENT_RDMA2, DDP_COMPONENT_DSI3,
+ DISP_REG_CONFIG_DSIO_SEL_IN, DSI3_SEL_IN_MASK,
+ DSI3_SEL_IN_RDMA2
++ }, {
++ DDP_COMPONENT_UFOE, DDP_COMPONENT_DSI0,
++ DISP_REG_CONFIG_DISP_UFOE_MOUT_EN, UFOE_MOUT_EN_DSI0,
++ UFOE_MOUT_EN_DSI0
+ }
+ };
+
--- /dev/null
+From a89f355e469dcda129c2522be4fdba00c1c74c83 Mon Sep 17 00:00:00 2001
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Date: Tue, 29 Jun 2021 21:02:49 +0530
+Subject: soc: qcom: aoss: Fix the out of bound usage of cooling_devs
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+
+commit a89f355e469dcda129c2522be4fdba00c1c74c83 upstream.
+
+In "qmp_cooling_devices_register", the count value is initially
+QMP_NUM_COOLING_RESOURCES, which is 2. Based on the initial count value,
+the memory for cooling_devs is allocated. Then while calling the
+"qmp_cooling_device_add" function, count value is post-incremented for
+each child node.
+
+This makes the out of bound access to the cooling_dev array. Fix it by
+passing the QMP_NUM_COOLING_RESOURCES definition to devm_kzalloc() and
+initializing the count to 0.
+
+While at it, let's also free the memory allocated to cooling_dev if no
+cooling device is found in DT and during unroll phase.
+
+Cc: stable@vger.kernel.org # 5.4
+Fixes: 05589b30b21a ("soc: qcom: Extend AOSS QMP driver to support resources that are used to wake up the SoC.")
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://lore.kernel.org/r/20210629153249.73428-1-manivannan.sadhasivam@linaro.org
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/qcom/qcom_aoss.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/soc/qcom/qcom_aoss.c
++++ b/drivers/soc/qcom/qcom_aoss.c
+@@ -476,12 +476,12 @@ static int qmp_cooling_device_add(struct
+ static int qmp_cooling_devices_register(struct qmp *qmp)
+ {
+ struct device_node *np, *child;
+- int count = QMP_NUM_COOLING_RESOURCES;
++ int count = 0;
+ int ret;
+
+ np = qmp->dev->of_node;
+
+- qmp->cooling_devs = devm_kcalloc(qmp->dev, count,
++ qmp->cooling_devs = devm_kcalloc(qmp->dev, QMP_NUM_COOLING_RESOURCES,
+ sizeof(*qmp->cooling_devs),
+ GFP_KERNEL);
+
+@@ -497,12 +497,16 @@ static int qmp_cooling_devices_register(
+ goto unroll;
+ }
+
++ if (!count)
++ devm_kfree(qmp->dev, qmp->cooling_devs);
++
+ return 0;
+
+ unroll:
+ while (--count >= 0)
+ thermal_cooling_device_unregister
+ (qmp->cooling_devs[count].cdev);
++ devm_kfree(qmp->dev, qmp->cooling_devs);
+
+ return ret;
+ }
--- /dev/null
+From 34d34a56a5ea1e54a5af4f34c6ac9df724129351 Mon Sep 17 00:00:00 2001
+From: Eddie James <eajames@linux.ibm.com>
+Date: Fri, 16 Jul 2021 08:39:14 -0500
+Subject: spi: fsi: Reduce max transfer size to 8 bytes
+
+From: Eddie James <eajames@linux.ibm.com>
+
+commit 34d34a56a5ea1e54a5af4f34c6ac9df724129351 upstream.
+
+Security changes have forced the SPI controllers to be limited to
+8 byte reads. Refactor the sequencing to just handle 8 bytes at a
+time.
+
+Signed-off-by: Eddie James <eajames@linux.ibm.com>
+Link: https://lore.kernel.org/r/20210716133915.14697-2-eajames@linux.ibm.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-fsi.c | 125 ++++++++------------------------------------------
+ 1 file changed, 22 insertions(+), 103 deletions(-)
+
+--- a/drivers/spi/spi-fsi.c
++++ b/drivers/spi/spi-fsi.c
+@@ -25,16 +25,11 @@
+
+ #define SPI_FSI_BASE 0x70000
+ #define SPI_FSI_INIT_TIMEOUT_MS 1000
+-#define SPI_FSI_MAX_XFR_SIZE 2048
+-#define SPI_FSI_MAX_XFR_SIZE_RESTRICTED 8
++#define SPI_FSI_MAX_RX_SIZE 8
++#define SPI_FSI_MAX_TX_SIZE 40
+
+ #define SPI_FSI_ERROR 0x0
+ #define SPI_FSI_COUNTER_CFG 0x1
+-#define SPI_FSI_COUNTER_CFG_LOOPS(x) (((u64)(x) & 0xffULL) << 32)
+-#define SPI_FSI_COUNTER_CFG_N2_RX BIT_ULL(8)
+-#define SPI_FSI_COUNTER_CFG_N2_TX BIT_ULL(9)
+-#define SPI_FSI_COUNTER_CFG_N2_IMPLICIT BIT_ULL(10)
+-#define SPI_FSI_COUNTER_CFG_N2_RELOAD BIT_ULL(11)
+ #define SPI_FSI_CFG1 0x2
+ #define SPI_FSI_CLOCK_CFG 0x3
+ #define SPI_FSI_CLOCK_CFG_MM_ENABLE BIT_ULL(32)
+@@ -76,8 +71,6 @@ struct fsi_spi {
+ struct device *dev; /* SPI controller device */
+ struct fsi_device *fsi; /* FSI2SPI CFAM engine device */
+ u32 base;
+- size_t max_xfr_size;
+- bool restricted;
+ };
+
+ struct fsi_spi_sequence {
+@@ -241,7 +234,7 @@ static int fsi_spi_reset(struct fsi_spi
+ return fsi_spi_write_reg(ctx, SPI_FSI_STATUS, 0ULL);
+ }
+
+-static int fsi_spi_sequence_add(struct fsi_spi_sequence *seq, u8 val)
++static void fsi_spi_sequence_add(struct fsi_spi_sequence *seq, u8 val)
+ {
+ /*
+ * Add the next byte of instruction to the 8-byte sequence register.
+@@ -251,8 +244,6 @@ static int fsi_spi_sequence_add(struct f
+ */
+ seq->data |= (u64)val << seq->bit;
+ seq->bit -= 8;
+-
+- return ((64 - seq->bit) / 8) - 2;
+ }
+
+ static void fsi_spi_sequence_init(struct fsi_spi_sequence *seq)
+@@ -261,71 +252,11 @@ static void fsi_spi_sequence_init(struct
+ seq->data = 0ULL;
+ }
+
+-static int fsi_spi_sequence_transfer(struct fsi_spi *ctx,
+- struct fsi_spi_sequence *seq,
+- struct spi_transfer *transfer)
+-{
+- int loops;
+- int idx;
+- int rc;
+- u8 val = 0;
+- u8 len = min(transfer->len, 8U);
+- u8 rem = transfer->len % len;
+-
+- loops = transfer->len / len;
+-
+- if (transfer->tx_buf) {
+- val = SPI_FSI_SEQUENCE_SHIFT_OUT(len);
+- idx = fsi_spi_sequence_add(seq, val);
+-
+- if (rem)
+- rem = SPI_FSI_SEQUENCE_SHIFT_OUT(rem);
+- } else if (transfer->rx_buf) {
+- val = SPI_FSI_SEQUENCE_SHIFT_IN(len);
+- idx = fsi_spi_sequence_add(seq, val);
+-
+- if (rem)
+- rem = SPI_FSI_SEQUENCE_SHIFT_IN(rem);
+- } else {
+- return -EINVAL;
+- }
+-
+- if (ctx->restricted && loops > 1) {
+- dev_warn(ctx->dev,
+- "Transfer too large; no branches permitted.\n");
+- return -EINVAL;
+- }
+-
+- if (loops > 1) {
+- u64 cfg = SPI_FSI_COUNTER_CFG_LOOPS(loops - 1);
+-
+- fsi_spi_sequence_add(seq, SPI_FSI_SEQUENCE_BRANCH(idx));
+-
+- if (transfer->rx_buf)
+- cfg |= SPI_FSI_COUNTER_CFG_N2_RX |
+- SPI_FSI_COUNTER_CFG_N2_TX |
+- SPI_FSI_COUNTER_CFG_N2_IMPLICIT |
+- SPI_FSI_COUNTER_CFG_N2_RELOAD;
+-
+- rc = fsi_spi_write_reg(ctx, SPI_FSI_COUNTER_CFG, cfg);
+- if (rc)
+- return rc;
+- } else {
+- fsi_spi_write_reg(ctx, SPI_FSI_COUNTER_CFG, 0ULL);
+- }
+-
+- if (rem)
+- fsi_spi_sequence_add(seq, rem);
+-
+- return 0;
+-}
+-
+ static int fsi_spi_transfer_data(struct fsi_spi *ctx,
+ struct spi_transfer *transfer)
+ {
+ int rc = 0;
+ u64 status = 0ULL;
+- u64 cfg = 0ULL;
+
+ if (transfer->tx_buf) {
+ int nb;
+@@ -363,16 +294,6 @@ static int fsi_spi_transfer_data(struct
+ u64 in = 0ULL;
+ u8 *rx = transfer->rx_buf;
+
+- rc = fsi_spi_read_reg(ctx, SPI_FSI_COUNTER_CFG, &cfg);
+- if (rc)
+- return rc;
+-
+- if (cfg & SPI_FSI_COUNTER_CFG_N2_IMPLICIT) {
+- rc = fsi_spi_write_reg(ctx, SPI_FSI_DATA_TX, 0);
+- if (rc)
+- return rc;
+- }
+-
+ while (transfer->len > recv) {
+ do {
+ rc = fsi_spi_read_reg(ctx, SPI_FSI_STATUS,
+@@ -439,6 +360,10 @@ static int fsi_spi_transfer_init(struct
+ }
+ } while (seq_state && (seq_state != SPI_FSI_STATUS_SEQ_STATE_IDLE));
+
++ rc = fsi_spi_write_reg(ctx, SPI_FSI_COUNTER_CFG, 0ULL);
++ if (rc)
++ return rc;
++
+ rc = fsi_spi_read_reg(ctx, SPI_FSI_CLOCK_CFG, &clock_cfg);
+ if (rc)
+ return rc;
+@@ -459,6 +384,7 @@ static int fsi_spi_transfer_one_message(
+ {
+ int rc;
+ u8 seq_slave = SPI_FSI_SEQUENCE_SEL_SLAVE(mesg->spi->chip_select + 1);
++ unsigned int len;
+ struct spi_transfer *transfer;
+ struct fsi_spi *ctx = spi_controller_get_devdata(ctlr);
+
+@@ -471,8 +397,7 @@ static int fsi_spi_transfer_one_message(
+ struct spi_transfer *next = NULL;
+
+ /* Sequencer must do shift out (tx) first. */
+- if (!transfer->tx_buf ||
+- transfer->len > (ctx->max_xfr_size + 8)) {
++ if (!transfer->tx_buf || transfer->len > SPI_FSI_MAX_TX_SIZE) {
+ rc = -EINVAL;
+ goto error;
+ }
+@@ -486,9 +411,13 @@ static int fsi_spi_transfer_one_message(
+ fsi_spi_sequence_init(&seq);
+ fsi_spi_sequence_add(&seq, seq_slave);
+
+- rc = fsi_spi_sequence_transfer(ctx, &seq, transfer);
+- if (rc)
+- goto error;
++ len = transfer->len;
++ while (len > 8) {
++ fsi_spi_sequence_add(&seq,
++ SPI_FSI_SEQUENCE_SHIFT_OUT(8));
++ len -= 8;
++ }
++ fsi_spi_sequence_add(&seq, SPI_FSI_SEQUENCE_SHIFT_OUT(len));
+
+ if (!list_is_last(&transfer->transfer_list,
+ &mesg->transfers)) {
+@@ -496,7 +425,9 @@ static int fsi_spi_transfer_one_message(
+
+ /* Sequencer can only do shift in (rx) after tx. */
+ if (next->rx_buf) {
+- if (next->len > ctx->max_xfr_size) {
++ u8 shift;
++
++ if (next->len > SPI_FSI_MAX_RX_SIZE) {
+ rc = -EINVAL;
+ goto error;
+ }
+@@ -504,10 +435,8 @@ static int fsi_spi_transfer_one_message(
+ dev_dbg(ctx->dev, "Sequence rx of %d bytes.\n",
+ next->len);
+
+- rc = fsi_spi_sequence_transfer(ctx, &seq,
+- next);
+- if (rc)
+- goto error;
++ shift = SPI_FSI_SEQUENCE_SHIFT_IN(next->len);
++ fsi_spi_sequence_add(&seq, shift);
+ } else {
+ next = NULL;
+ }
+@@ -541,9 +470,7 @@ error:
+
+ static size_t fsi_spi_max_transfer_size(struct spi_device *spi)
+ {
+- struct fsi_spi *ctx = spi_controller_get_devdata(spi->controller);
+-
+- return ctx->max_xfr_size;
++ return SPI_FSI_MAX_RX_SIZE;
+ }
+
+ static int fsi_spi_probe(struct device *dev)
+@@ -582,14 +509,6 @@ static int fsi_spi_probe(struct device *
+ ctx->fsi = fsi;
+ ctx->base = base + SPI_FSI_BASE;
+
+- if (of_device_is_compatible(np, "ibm,fsi2spi-restricted")) {
+- ctx->restricted = true;
+- ctx->max_xfr_size = SPI_FSI_MAX_XFR_SIZE_RESTRICTED;
+- } else {
+- ctx->restricted = false;
+- ctx->max_xfr_size = SPI_FSI_MAX_XFR_SIZE;
+- }
+-
+ rc = devm_spi_register_controller(dev, ctlr);
+ if (rc)
+ spi_controller_put(ctlr);
--- /dev/null
+From b5f7912bb604b47a0fe024560488a7556dce8ee7 Mon Sep 17 00:00:00 2001
+From: Rolf Eike Beer <eb@emlix.com>
+Date: Fri, 30 Jul 2021 13:51:54 +0200
+Subject: tools/thermal/tmon: Add cross compiling support
+
+From: Rolf Eike Beer <eb@emlix.com>
+
+commit b5f7912bb604b47a0fe024560488a7556dce8ee7 upstream.
+
+Default to prefixed pkg-config when crosscompiling, this matches what
+other parts of the tools/ directory already do.
+
+[dlezcano] : Reworked description
+
+Signed-off-by: Rolf Eike Beer <eb@emlix.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lore.kernel.org/r/31302992.qZodDJZGDc@devpool47
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/thermal/tmon/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/thermal/tmon/Makefile
++++ b/tools/thermal/tmon/Makefile
+@@ -10,7 +10,7 @@ override CFLAGS+= $(call cc-option,-O3,-
+ # Add "-fstack-protector" only if toolchain supports it.
+ override CFLAGS+= $(call cc-option,-fstack-protector-strong)
+ CC?= $(CROSS_COMPILE)gcc
+-PKG_CONFIG?= pkg-config
++PKG_CONFIG?= $(CROSS_COMPILE)pkg-config
+
+ override CFLAGS+=-D VERSION=\"$(VERSION)\"
+ LDFLAGS+=
--- /dev/null
+From a30dc6cf0dc51419021550152e435736aaef8799 Mon Sep 17 00:00:00 2001
+From: Wang Hai <wanghai38@huawei.com>
+Date: Wed, 18 Aug 2021 20:48:45 +0800
+Subject: VMCI: fix NULL pointer dereference when unmapping queue pair
+
+From: Wang Hai <wanghai38@huawei.com>
+
+commit a30dc6cf0dc51419021550152e435736aaef8799 upstream.
+
+I got a NULL pointer dereference report when doing fuzz test:
+
+Call Trace:
+ qp_release_pages+0xae/0x130
+ qp_host_unregister_user_memory.isra.25+0x2d/0x80
+ vmci_qp_broker_unmap+0x191/0x320
+ ? vmci_host_do_alloc_queuepair.isra.9+0x1c0/0x1c0
+ vmci_host_unlocked_ioctl+0x59f/0xd50
+ ? do_vfs_ioctl+0x14b/0xa10
+ ? tomoyo_file_ioctl+0x28/0x30
+ ? vmci_host_do_alloc_queuepair.isra.9+0x1c0/0x1c0
+ __x64_sys_ioctl+0xea/0x120
+ do_syscall_64+0x34/0xb0
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+When a queue pair is created by the following call, it will not
+register the user memory if the page_store is NULL, and the
+entry->state will be set to VMCIQPB_CREATED_NO_MEM.
+
+vmci_host_unlocked_ioctl
+ vmci_host_do_alloc_queuepair
+ vmci_qp_broker_alloc
+ qp_broker_alloc
+ qp_broker_create // set entry->state = VMCIQPB_CREATED_NO_MEM;
+
+When unmapping this queue pair, qp_host_unregister_user_memory() will
+be called to unregister the non-existent user memory, which will
+result in a null pointer reference. It will also change
+VMCIQPB_CREATED_NO_MEM to VMCIQPB_CREATED_MEM, which should not be
+present in this operation.
+
+Only when the qp broker has mem, it can unregister the user
+memory when unmapping the qp broker.
+
+Only when the qp broker has no mem, it can register the user
+memory when mapping the qp broker.
+
+Fixes: 06164d2b72aa ("VMCI: queue pairs implementation.")
+Cc: stable <stable@vger.kernel.org>
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Reviewed-by: Jorgen Hansen <jhansen@vmware.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Link: https://lore.kernel.org/r/20210818124845.488312-1-wanghai38@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/vmw_vmci/vmci_queue_pair.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/misc/vmw_vmci/vmci_queue_pair.c
++++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c
+@@ -2243,7 +2243,8 @@ int vmci_qp_broker_map(struct vmci_handl
+
+ result = VMCI_SUCCESS;
+
+- if (context_id != VMCI_HOST_CONTEXT_ID) {
++ if (context_id != VMCI_HOST_CONTEXT_ID &&
++ !QPBROKERSTATE_HAS_MEM(entry)) {
+ struct vmci_qp_page_store page_store;
+
+ page_store.pages = guest_mem;
+@@ -2350,7 +2351,8 @@ int vmci_qp_broker_unmap(struct vmci_han
+ goto out;
+ }
+
+- if (context_id != VMCI_HOST_CONTEXT_ID) {
++ if (context_id != VMCI_HOST_CONTEXT_ID &&
++ QPBROKERSTATE_HAS_MEM(entry)) {
+ qp_acquire_queue_mutex(entry->produce_q);
+ result = qp_save_headers(entry);
+ if (result < VMCI_SUCCESS)
--- /dev/null
+From d195d7aac09bddabc2c8326fb02fcec2b0a2de02 Mon Sep 17 00:00:00 2001
+From: Joseph Gates <jgates@squareup.com>
+Date: Wed, 18 Aug 2021 13:31:43 +0200
+Subject: wcn36xx: Ensure finish scan is not requested before start scan
+
+From: Joseph Gates <jgates@squareup.com>
+
+commit d195d7aac09bddabc2c8326fb02fcec2b0a2de02 upstream.
+
+If the operating channel is the first in the scan list, it was seen that
+a finish scan request would be sent before a start scan request was
+sent, causing the firmware to fail all future scans. Track the current
+channel being scanned to avoid requesting the scan finish before it
+starts.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 5973a2947430 ("wcn36xx: Fix software-driven scan")
+Signed-off-by: Joseph Gates <jgates@squareup.com>
+Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1629286303-13179-1-git-send-email-loic.poulain@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/wcn36xx/main.c | 5 ++++-
+ drivers/net/wireless/ath/wcn36xx/wcn36xx.h | 1 +
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/wcn36xx/main.c
++++ b/drivers/net/wireless/ath/wcn36xx/main.c
+@@ -405,13 +405,14 @@ static int wcn36xx_config(struct ieee802
+ wcn36xx_dbg(WCN36XX_DBG_MAC, "wcn36xx_config channel switch=%d\n",
+ ch);
+
+- if (wcn->sw_scan_opchannel == ch) {
++ if (wcn->sw_scan_opchannel == ch && wcn->sw_scan_channel) {
+ /* If channel is the initial operating channel, we may
+ * want to receive/transmit regular data packets, then
+ * simply stop the scan session and exit PS mode.
+ */
+ wcn36xx_smd_finish_scan(wcn, HAL_SYS_MODE_SCAN,
+ wcn->sw_scan_vif);
++ wcn->sw_scan_channel = 0;
+ } else if (wcn->sw_scan) {
+ /* A scan is ongoing, do not change the operating
+ * channel, but start a scan session on the channel.
+@@ -419,6 +420,7 @@ static int wcn36xx_config(struct ieee802
+ wcn36xx_smd_init_scan(wcn, HAL_SYS_MODE_SCAN,
+ wcn->sw_scan_vif);
+ wcn36xx_smd_start_scan(wcn, ch);
++ wcn->sw_scan_channel = ch;
+ } else {
+ wcn36xx_change_opchannel(wcn, ch);
+ }
+@@ -699,6 +701,7 @@ static void wcn36xx_sw_scan_start(struct
+
+ wcn->sw_scan = true;
+ wcn->sw_scan_vif = vif;
++ wcn->sw_scan_channel = 0;
+ if (vif_priv->sta_assoc)
+ wcn->sw_scan_opchannel = WCN36XX_HW_CHANNEL(wcn);
+ else
+--- a/drivers/net/wireless/ath/wcn36xx/wcn36xx.h
++++ b/drivers/net/wireless/ath/wcn36xx/wcn36xx.h
+@@ -232,6 +232,7 @@ struct wcn36xx {
+ struct cfg80211_scan_request *scan_req;
+ bool sw_scan;
+ u8 sw_scan_opchannel;
++ u8 sw_scan_channel;
+ struct ieee80211_vif *sw_scan_vif;
+ struct mutex scan_lock;
+ bool scan_aborted;
projects / thirdparty / kernel / stable-queue.git / commitdiff
