--- /dev/null
+From 78c276f5495aa53a8beebb627e5bf6a54f0af34f Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <namjae.jeon@samsung.com>
+Date: Mon, 1 Feb 2021 09:23:37 +0900
+Subject: exfat: fix shift-out-of-bounds in exfat_fill_super()
+
+From: Namjae Jeon <namjae.jeon@samsung.com>
+
+commit 78c276f5495aa53a8beebb627e5bf6a54f0af34f upstream.
+
+syzbot reported a warning which could cause shift-out-of-bounds issue.
+
+Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x183/0x22e lib/dump_stack.c:120
+ ubsan_epilogue lib/ubsan.c:148 [inline]
+ __ubsan_handle_shift_out_of_bounds+0x432/0x4d0 lib/ubsan.c:395
+ exfat_read_boot_sector fs/exfat/super.c:471 [inline]
+ __exfat_fill_super fs/exfat/super.c:556 [inline]
+ exfat_fill_super+0x2acb/0x2d00 fs/exfat/super.c:624
+ get_tree_bdev+0x406/0x630 fs/super.c:1291
+ vfs_get_tree+0x86/0x270 fs/super.c:1496
+ do_new_mount fs/namespace.c:2881 [inline]
+ path_mount+0x1937/0x2c50 fs/namespace.c:3211
+ do_mount fs/namespace.c:3224 [inline]
+ __do_sys_mount fs/namespace.c:3432 [inline]
+ __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3409
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+exfat specification describe sect_per_clus_bits field of boot sector
+could be at most 25 - sect_size_bits and at least 0. And sect_size_bits
+can also affect this calculation, It also needs validation.
+This patch add validation for sect_per_clus_bits and sect_size_bits
+field of boot sector.
+
+Fixes: 719c1e182916 ("exfat: add super block operations")
+Cc: stable@vger.kernel.org # v5.9+
+Reported-by: syzbot+da4fe66aaadd3c2e2d1c@syzkaller.appspotmail.com
+Reviewed-by: Sungjong Seo <sj1557.seo@samsung.com>
+Tested-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/exfat/exfat_raw.h | 4 ++++
+ fs/exfat/super.c | 31 ++++++++++++++++++++++++++-----
+ 2 files changed, 30 insertions(+), 5 deletions(-)
+
+--- a/fs/exfat/exfat_raw.h
++++ b/fs/exfat/exfat_raw.h
+@@ -77,6 +77,10 @@
+
+ #define EXFAT_FILE_NAME_LEN 15
+
++#define EXFAT_MIN_SECT_SIZE_BITS 9
++#define EXFAT_MAX_SECT_SIZE_BITS 12
++#define EXFAT_MAX_SECT_PER_CLUS_BITS(x) (25 - (x)->sect_size_bits)
++
+ /* EXFAT: Main and Backup Boot Sector (512 bytes) */
+ struct boot_sector {
+ __u8 jmp_boot[BOOTSEC_JUMP_BOOT_LEN];
+--- a/fs/exfat/super.c
++++ b/fs/exfat/super.c
+@@ -381,8 +381,7 @@ static int exfat_calibrate_blocksize(str
+ {
+ struct exfat_sb_info *sbi = EXFAT_SB(sb);
+
+- if (!is_power_of_2(logical_sect) ||
+- logical_sect < 512 || logical_sect > 4096) {
++ if (!is_power_of_2(logical_sect)) {
+ exfat_err(sb, "bogus logical sector size %u", logical_sect);
+ return -EIO;
+ }
+@@ -451,6 +450,25 @@ static int exfat_read_boot_sector(struct
+ return -EINVAL;
+ }
+
++ /*
++ * sect_size_bits could be at least 9 and at most 12.
++ */
++ if (p_boot->sect_size_bits < EXFAT_MIN_SECT_SIZE_BITS ||
++ p_boot->sect_size_bits > EXFAT_MAX_SECT_SIZE_BITS) {
++ exfat_err(sb, "bogus sector size bits : %u\n",
++ p_boot->sect_size_bits);
++ return -EINVAL;
++ }
++
++ /*
++ * sect_per_clus_bits could be at least 0 and at most 25 - sect_size_bits.
++ */
++ if (p_boot->sect_per_clus_bits > EXFAT_MAX_SECT_PER_CLUS_BITS(p_boot)) {
++ exfat_err(sb, "bogus sectors bits per cluster : %u\n",
++ p_boot->sect_per_clus_bits);
++ return -EINVAL;
++ }
++
+ sbi->sect_per_clus = 1 << p_boot->sect_per_clus_bits;
+ sbi->sect_per_clus_bits = p_boot->sect_per_clus_bits;
+ sbi->cluster_size_bits = p_boot->sect_per_clus_bits +
+@@ -477,16 +495,19 @@ static int exfat_read_boot_sector(struct
+ sbi->used_clusters = EXFAT_CLUSTERS_UNTRACKED;
+
+ /* check consistencies */
+- if (sbi->num_FAT_sectors << p_boot->sect_size_bits <
+- sbi->num_clusters * 4) {
++ if ((u64)sbi->num_FAT_sectors << p_boot->sect_size_bits <
++ (u64)sbi->num_clusters * 4) {
+ exfat_err(sb, "bogus fat length");
+ return -EINVAL;
+ }
++
+ if (sbi->data_start_sector <
+- sbi->FAT1_start_sector + sbi->num_FAT_sectors * p_boot->num_fats) {
++ (u64)sbi->FAT1_start_sector +
++ (u64)sbi->num_FAT_sectors * p_boot->num_fats) {
+ exfat_err(sb, "bogus data start sector");
+ return -EINVAL;
+ }
++
+ if (sbi->vol_flags & VOLUME_DIRTY)
+ exfat_warn(sb, "Volume was not properly unmounted. Some data may be corrupt. Please run fsck.");
+ if (sbi->vol_flags & MEDIA_FAILURE)
--- /dev/null
+From a8002a35935aaefcd6a42ad3289f62bab947f2ca Mon Sep 17 00:00:00 2001
+From: Maxim Kiselev <bigunclemax@gmail.com>
+Date: Wed, 17 Feb 2021 14:10:00 +0100
+Subject: gpio: pcf857x: Fix missing first interrupt
+
+From: Maxim Kiselev <bigunclemax@gmail.com>
+
+commit a8002a35935aaefcd6a42ad3289f62bab947f2ca upstream.
+
+If no n_latch value will be provided at driver probe then all pins will
+be used as an input:
+
+ gpio->out = ~n_latch;
+
+In that case initial state for all pins is "one":
+
+ gpio->status = gpio->out;
+
+So if pcf857x IRQ happens with change pin value from "zero" to "one"
+then we miss it, because of "one" from IRQ and "one" from initial state
+leaves corresponding pin unchanged:
+change = (gpio->status ^ status) & gpio->irq_enabled;
+
+The right solution will be to read actual state at driver probe.
+
+Cc: stable@vger.kernel.org
+Fixes: 6e20a0a429bd ("gpio: pcf857x: enable gpio_to_irq() support")
+Signed-off-by: Maxim Kiselev <bigunclemax@gmail.com>
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-pcf857x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpio-pcf857x.c
++++ b/drivers/gpio/gpio-pcf857x.c
+@@ -332,7 +332,7 @@ static int pcf857x_probe(struct i2c_clie
+ * reset state. Otherwise it flags pins to be driven low.
+ */
+ gpio->out = ~n_latch;
+- gpio->status = gpio->out;
++ gpio->status = gpio->read(gpio->client);
+
+ /* Enable irqchip if we have an interrupt */
+ if (client->irq) {
--- /dev/null
+From bfe3911a91047557eb0e620f95a370aee6a248c7 Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Fri, 5 Feb 2021 22:00:12 +0000
+Subject: kcmp: Support selection of SYS_kcmp without CHECKPOINT_RESTORE
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+commit bfe3911a91047557eb0e620f95a370aee6a248c7 upstream.
+
+Userspace has discovered the functionality offered by SYS_kcmp and has
+started to depend upon it. In particular, Mesa uses SYS_kcmp for
+os_same_file_description() in order to identify when two fd (e.g. device
+or dmabuf) point to the same struct file. Since they depend on it for
+core functionality, lift SYS_kcmp out of the non-default
+CONFIG_CHECKPOINT_RESTORE into the selectable syscall category.
+
+Rasmus Villemoes also pointed out that systemd uses SYS_kcmp to
+deduplicate the per-service file descriptor store.
+
+Note that some distributions such as Ubuntu are already enabling
+CHECKPOINT_RESTORE in their configs and so, by extension, SYS_kcmp.
+
+References: https://gitlab.freedesktop.org/drm/intel/-/issues/3046
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Will Drewry <wad@chromium.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Dave Airlie <airlied@gmail.com>
+Cc: Daniel Vetter <daniel@ffwll.ch>
+Cc: Lucas Stach <l.stach@pengutronix.de>
+Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Cc: Cyrill Gorcunov <gorcunov@gmail.com>
+Cc: stable@vger.kernel.org
+Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch> # DRM depends on kcmp
+Acked-by: Rasmus Villemoes <linux@rasmusvillemoes.dk> # systemd uses kcmp
+Reviewed-by: Cyrill Gorcunov <gorcunov@gmail.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210205220012.1983-1-chris@chris-wilson.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/Kconfig | 3 +++
+ fs/eventpoll.c | 4 ++--
+ include/linux/eventpoll.h | 2 +-
+ init/Kconfig | 11 +++++++++++
+ kernel/Makefile | 2 +-
+ tools/testing/selftests/seccomp/seccomp_bpf.c | 2 +-
+ 6 files changed, 19 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/Kconfig
++++ b/drivers/gpu/drm/Kconfig
+@@ -15,6 +15,9 @@ menuconfig DRM
+ select I2C_ALGOBIT
+ select DMA_SHARED_BUFFER
+ select SYNC_FILE
++# gallium uses SYS_kcmp for os_same_file_description() to de-duplicate
++# device and dmabuf fd. Let's make sure that is available for our userspace.
++ select KCMP
+ help
+ Kernel-level support for the Direct Rendering Infrastructure (DRI)
+ introduced in XFree86 4.0. If you say Y here, you need to select
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -979,7 +979,7 @@ static struct epitem *ep_find(struct eve
+ return epir;
+ }
+
+-#ifdef CONFIG_CHECKPOINT_RESTORE
++#ifdef CONFIG_KCMP
+ static struct epitem *ep_find_tfd(struct eventpoll *ep, int tfd, unsigned long toff)
+ {
+ struct rb_node *rbp;
+@@ -1021,7 +1021,7 @@ struct file *get_epoll_tfile_raw_ptr(str
+
+ return file_raw;
+ }
+-#endif /* CONFIG_CHECKPOINT_RESTORE */
++#endif /* CONFIG_KCMP */
+
+ /**
+ * Adds a new entry to the tail of the list in a lockless way, i.e.
+--- a/include/linux/eventpoll.h
++++ b/include/linux/eventpoll.h
+@@ -18,7 +18,7 @@ struct file;
+
+ #ifdef CONFIG_EPOLL
+
+-#ifdef CONFIG_CHECKPOINT_RESTORE
++#ifdef CONFIG_KCMP
+ struct file *get_epoll_tfile_raw_ptr(struct file *file, int tfd, unsigned long toff);
+ #endif
+
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1193,6 +1193,7 @@ endif # NAMESPACES
+ config CHECKPOINT_RESTORE
+ bool "Checkpoint/restore support"
+ select PROC_CHILDREN
++ select KCMP
+ default n
+ help
+ Enables additional kernel features in a sake of checkpoint/restore.
+@@ -1736,6 +1737,16 @@ config ARCH_HAS_MEMBARRIER_CALLBACKS
+ config ARCH_HAS_MEMBARRIER_SYNC_CORE
+ bool
+
++config KCMP
++ bool "Enable kcmp() system call" if EXPERT
++ help
++ Enable the kernel resource comparison system call. It provides
++ user-space with the ability to compare two processes to see if they
++ share a common resource, such as a file descriptor or even virtual
++ memory space.
++
++ If unsure, say N.
++
+ config RSEQ
+ bool "Enable rseq() system call" if EXPERT
+ default y
+--- a/kernel/Makefile
++++ b/kernel/Makefile
+@@ -51,7 +51,7 @@ obj-y += livepatch/
+ obj-y += dma/
+ obj-y += entry/
+
+-obj-$(CONFIG_CHECKPOINT_RESTORE) += kcmp.o
++obj-$(CONFIG_KCMP) += kcmp.o
+ obj-$(CONFIG_FREEZER) += freezer.o
+ obj-$(CONFIG_PROFILING) += profile.o
+ obj-$(CONFIG_STACKTRACE) += stacktrace.o
+--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
++++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
+@@ -315,7 +315,7 @@ TEST(kcmp)
+ ret = __filecmp(getpid(), getpid(), 1, 1);
+ EXPECT_EQ(ret, 0);
+ if (ret != 0 && errno == ENOSYS)
+- SKIP(return, "Kernel does not support kcmp() (missing CONFIG_CHECKPOINT_RESTORE?)");
++ SKIP(return, "Kernel does not support kcmp() (missing CONFIG_KCMP?)");
+ }
+
+ TEST(mode_strict_support)
--- /dev/null
+From b398d53cd421454d64850f8b1f6d609ede9042d9 Mon Sep 17 00:00:00 2001
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+Date: Mon, 8 Feb 2021 17:06:48 +0200
+Subject: mei: bus: block send with vtag on non-conformat FW
+
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+
+commit b398d53cd421454d64850f8b1f6d609ede9042d9 upstream.
+
+Block data send with vtag if either transport layer or
+FW client are not supporting vtags.
+
+Cc: <stable@vger.kernel.org> # v5.10+
+Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Link: https://lore.kernel.org/r/20210208150649.141358-1-tomas.winkler@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/mei/bus.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/misc/mei/bus.c
++++ b/drivers/misc/mei/bus.c
+@@ -60,6 +60,13 @@ ssize_t __mei_cl_send(struct mei_cl *cl,
+ goto out;
+ }
+
++ if (vtag) {
++ /* Check if vtag is supported by client */
++ rets = mei_cl_vt_support_check(cl);
++ if (rets)
++ goto out;
++ }
++
+ if (length > mei_cl_mtu(cl)) {
+ rets = -EFBIG;
+ goto out;
--- /dev/null
+From 1309ecc90f16ee9cc3077761e7f4474369747e6e Mon Sep 17 00:00:00 2001
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+Date: Fri, 29 Jan 2021 14:07:46 +0200
+Subject: mei: fix transfer over dma with extended header
+
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+
+commit 1309ecc90f16ee9cc3077761e7f4474369747e6e upstream.
+
+The size in header field for packet transferred over DMA
+includes size of the extended header.
+Include extended header in size check.
+Add size and sanity checks on extended header.
+
+Cc: <stable@vger.kernel.org> # v5.10+
+Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Link: https://lore.kernel.org/r/20210129120752.850325-1-tomas.winkler@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/mei/interrupt.c | 33 ++++++++++++++++++++++++++++++---
+ 1 file changed, 30 insertions(+), 3 deletions(-)
+
+--- a/drivers/misc/mei/interrupt.c
++++ b/drivers/misc/mei/interrupt.c
+@@ -295,12 +295,17 @@ static inline bool hdr_is_fixed(struct m
+ static inline int hdr_is_valid(u32 msg_hdr)
+ {
+ struct mei_msg_hdr *mei_hdr;
++ u32 expected_len = 0;
+
+ mei_hdr = (struct mei_msg_hdr *)&msg_hdr;
+ if (!msg_hdr || mei_hdr->reserved)
+ return -EBADMSG;
+
+- if (mei_hdr->dma_ring && mei_hdr->length != MEI_SLOT_SIZE)
++ if (mei_hdr->dma_ring)
++ expected_len += MEI_SLOT_SIZE;
++ if (mei_hdr->extended)
++ expected_len += MEI_SLOT_SIZE;
++ if (mei_hdr->length < expected_len)
+ return -EBADMSG;
+
+ return 0;
+@@ -324,6 +329,8 @@ int mei_irq_read_handler(struct mei_devi
+ struct mei_cl *cl;
+ int ret;
+ u32 ext_meta_hdr_u32;
++ u32 hdr_size_left;
++ u32 hdr_size_ext;
+ int i;
+ int ext_hdr_end;
+
+@@ -353,6 +360,7 @@ int mei_irq_read_handler(struct mei_devi
+ }
+
+ ext_hdr_end = 1;
++ hdr_size_left = mei_hdr->length;
+
+ if (mei_hdr->extended) {
+ if (!dev->rd_msg_hdr[1]) {
+@@ -363,8 +371,21 @@ int mei_irq_read_handler(struct mei_devi
+ dev_dbg(dev->dev, "extended header is %08x\n",
+ ext_meta_hdr_u32);
+ }
+- meta_hdr = ((struct mei_ext_meta_hdr *)
+- dev->rd_msg_hdr + 1);
++ meta_hdr = ((struct mei_ext_meta_hdr *)dev->rd_msg_hdr + 1);
++ if (check_add_overflow((u32)sizeof(*meta_hdr),
++ mei_slots2data(meta_hdr->size),
++ &hdr_size_ext)) {
++ dev_err(dev->dev, "extended message size too big %d\n",
++ meta_hdr->size);
++ return -EBADMSG;
++ }
++ if (hdr_size_left < hdr_size_ext) {
++ dev_err(dev->dev, "corrupted message header len %d\n",
++ mei_hdr->length);
++ return -EBADMSG;
++ }
++ hdr_size_left -= hdr_size_ext;
++
+ ext_hdr_end = meta_hdr->size + 2;
+ for (i = dev->rd_msg_hdr_count; i < ext_hdr_end; i++) {
+ dev->rd_msg_hdr[i] = mei_read_hdr(dev);
+@@ -376,6 +397,12 @@ int mei_irq_read_handler(struct mei_devi
+ }
+
+ if (mei_hdr->dma_ring) {
++ if (hdr_size_left != sizeof(dev->rd_msg_hdr[ext_hdr_end])) {
++ dev_err(dev->dev, "corrupted message header len %d\n",
++ mei_hdr->length);
++ return -EBADMSG;
++ }
++
+ dev->rd_msg_hdr[ext_hdr_end] = mei_read_hdr(dev);
+ dev->rd_msg_hdr_count++;
+ (*slots)--;
--- /dev/null
+From 930c922a987a02936000f15ea62988b7a39c27f5 Mon Sep 17 00:00:00 2001
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+Date: Fri, 29 Jan 2021 14:07:52 +0200
+Subject: mei: me: add adler lake point LP DID
+
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+
+commit 930c922a987a02936000f15ea62988b7a39c27f5 upstream.
+
+Add Adler Lake LP device id.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Link: https://lore.kernel.org/r/20210129120752.850325-7-tomas.winkler@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/mei/hw-me-regs.h | 1 +
+ drivers/misc/mei/pci-me.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/misc/mei/hw-me-regs.h
++++ b/drivers/misc/mei/hw-me-regs.h
+@@ -104,6 +104,7 @@
+ #define MEI_DEV_ID_EBG 0x1BE0 /* Emmitsburg WS */
+
+ #define MEI_DEV_ID_ADP_S 0x7AE8 /* Alder Lake Point S */
++#define MEI_DEV_ID_ADP_LP 0x7A60 /* Alder Lake Point LP */
+
+ /*
+ * MEI HW Section
+--- a/drivers/misc/mei/pci-me.c
++++ b/drivers/misc/mei/pci-me.c
+@@ -110,6 +110,7 @@ static const struct pci_device_id mei_me
+ {MEI_PCI_DEVICE(MEI_DEV_ID_EBG, MEI_ME_PCH15_SPS_CFG)},
+
+ {MEI_PCI_DEVICE(MEI_DEV_ID_ADP_S, MEI_ME_PCH15_CFG)},
++ {MEI_PCI_DEVICE(MEI_DEV_ID_ADP_LP, MEI_ME_PCH15_CFG)},
+
+ /* required last entry */
+ {0, }
--- /dev/null
+From f7545efaf7950b240de6b8a20b9c3ffd7278538e Mon Sep 17 00:00:00 2001
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+Date: Fri, 29 Jan 2021 14:07:51 +0200
+Subject: mei: me: add adler lake point S DID
+
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+
+commit f7545efaf7950b240de6b8a20b9c3ffd7278538e upstream.
+
+Add Adler Lake S device id.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Link: https://lore.kernel.org/r/20210129120752.850325-6-tomas.winkler@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/mei/hw-me-regs.h | 2 ++
+ drivers/misc/mei/pci-me.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/misc/mei/hw-me-regs.h
++++ b/drivers/misc/mei/hw-me-regs.h
+@@ -103,6 +103,8 @@
+
+ #define MEI_DEV_ID_EBG 0x1BE0 /* Emmitsburg WS */
+
++#define MEI_DEV_ID_ADP_S 0x7AE8 /* Alder Lake Point S */
++
+ /*
+ * MEI HW Section
+ */
+--- a/drivers/misc/mei/pci-me.c
++++ b/drivers/misc/mei/pci-me.c
+@@ -109,6 +109,8 @@ static const struct pci_device_id mei_me
+
+ {MEI_PCI_DEVICE(MEI_DEV_ID_EBG, MEI_ME_PCH15_SPS_CFG)},
+
++ {MEI_PCI_DEVICE(MEI_DEV_ID_ADP_S, MEI_ME_PCH15_CFG)},
++
+ /* required last entry */
+ {0, }
+ };
--- /dev/null
+From 372726cb3957dbd69ded9a4e3419d5c6c3bc648e Mon Sep 17 00:00:00 2001
+From: Tomas Winkler <tomas.winkler@intel.com>
+Date: Fri, 29 Jan 2021 14:07:50 +0200
+Subject: mei: me: emmitsburg workstation DID
+
+From: Tomas Winkler <tomas.winkler@intel.com>
+
+commit 372726cb3957dbd69ded9a4e3419d5c6c3bc648e upstream.
+
+Add Emmitsburg workstation DID.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Link: https://lore.kernel.org/r/20210129120752.850325-5-tomas.winkler@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/mei/hw-me-regs.h | 2 ++
+ drivers/misc/mei/pci-me.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/misc/mei/hw-me-regs.h
++++ b/drivers/misc/mei/hw-me-regs.h
+@@ -101,6 +101,8 @@
+ #define MEI_DEV_ID_MCC 0x4B70 /* Mule Creek Canyon (EHL) */
+ #define MEI_DEV_ID_MCC_4 0x4B75 /* Mule Creek Canyon 4 (EHL) */
+
++#define MEI_DEV_ID_EBG 0x1BE0 /* Emmitsburg WS */
++
+ /*
+ * MEI HW Section
+ */
+--- a/drivers/misc/mei/pci-me.c
++++ b/drivers/misc/mei/pci-me.c
+@@ -107,6 +107,8 @@ static const struct pci_device_id mei_me
+
+ {MEI_PCI_DEVICE(MEI_DEV_ID_CDF, MEI_ME_PCH8_CFG)},
+
++ {MEI_PCI_DEVICE(MEI_DEV_ID_EBG, MEI_ME_PCH15_SPS_CFG)},
++
+ /* required last entry */
+ {0, }
+ };
--- /dev/null
+From 8d9bf3c3e1451fc8de7b590040a868ade26d6b22 Mon Sep 17 00:00:00 2001
+From: Tim Harvey <tharvey@gateworks.com>
+Date: Mon, 28 Dec 2020 13:10:04 -0800
+Subject: mfd: gateworks-gsc: Fix interrupt type
+
+From: Tim Harvey <tharvey@gateworks.com>
+
+commit 8d9bf3c3e1451fc8de7b590040a868ade26d6b22 upstream.
+
+The Gateworks System Controller has an active-low interrupt.
+Fix the interrupt request type.
+
+Cc: <stable@vger.kernel.org>
+Fixes: d85234994b2f ("mfd: Add Gateworks System Controller core driver")
+Signed-off-by: Tim Harvey <tharvey@gateworks.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mfd/gateworks-gsc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mfd/gateworks-gsc.c
++++ b/drivers/mfd/gateworks-gsc.c
+@@ -234,7 +234,7 @@ static int gsc_probe(struct i2c_client *
+
+ ret = devm_regmap_add_irq_chip(dev, gsc->regmap, client->irq,
+ IRQF_ONESHOT | IRQF_SHARED |
+- IRQF_TRIGGER_FALLING, 0,
++ IRQF_TRIGGER_LOW, 0,
+ &gsc_irq_chip, &irq_data);
+ if (ret)
+ return ret;
--- /dev/null
+From a56f44138a2c57047f1ea94ea121af31c595132b Mon Sep 17 00:00:00 2001
+From: Frank Li <Frank.Li@nxp.com>
+Date: Wed, 10 Feb 2021 12:19:33 -0600
+Subject: mmc: sdhci-esdhc-imx: fix kernel panic when remove module
+
+From: Frank Li <Frank.Li@nxp.com>
+
+commit a56f44138a2c57047f1ea94ea121af31c595132b upstream.
+
+In sdhci_esdhc_imx_remove() the SDHCI_INT_STATUS in read. Under some
+circumstances, this may be done while the device is runtime suspended,
+triggering the below splat.
+
+Fix the problem by adding a pm_runtime_get_sync(), before reading the
+register, which will turn on clocks etc making the device accessible again.
+
+[ 1811.323148] mmc1: card aaaa removed
+[ 1811.347483] Internal error: synchronous external abort: 96000210 [#1] PREEMPT SMP
+[ 1811.354988] Modules linked in: sdhci_esdhc_imx(-) sdhci_pltfm sdhci cqhci mmc_block mmc_core [last unloaded: mmc_core]
+[ 1811.365726] CPU: 0 PID: 3464 Comm: rmmod Not tainted 5.10.1-sd-99871-g53835a2e8186 #5
+[ 1811.373559] Hardware name: Freescale i.MX8DXL EVK (DT)
+[ 1811.378705] pstate: 60000005 (nZCv daif -PAN -UAO -TCO BTYPE=--)
+[ 1811.384723] pc : sdhci_esdhc_imx_remove+0x28/0x15c [sdhci_esdhc_imx]
+[ 1811.391090] lr : platform_drv_remove+0x2c/0x50
+[ 1811.395536] sp : ffff800012c7bcb0
+[ 1811.398855] x29: ffff800012c7bcb0 x28: ffff00002c72b900
+[ 1811.404181] x27: 0000000000000000 x26: 0000000000000000
+[ 1811.409497] x25: 0000000000000000 x24: 0000000000000000
+[ 1811.414814] x23: ffff0000042b3890 x22: ffff800009127120
+[ 1811.420131] x21: ffff00002c4c9580 x20: ffff0000042d0810
+[ 1811.425456] x19: ffff0000042d0800 x18: 0000000000000020
+[ 1811.430773] x17: 0000000000000000 x16: 0000000000000000
+[ 1811.436089] x15: 0000000000000004 x14: ffff000004019c10
+[ 1811.441406] x13: 0000000000000000 x12: 0000000000000020
+[ 1811.446723] x11: 0101010101010101 x10: 7f7f7f7f7f7f7f7f
+[ 1811.452040] x9 : fefefeff6364626d x8 : 7f7f7f7f7f7f7f7f
+[ 1811.457356] x7 : 78725e6473607372 x6 : 0000000080808080
+[ 1811.462673] x5 : 0000000000000000 x4 : 0000000000000000
+[ 1811.467990] x3 : ffff800011ac1cb0 x2 : 0000000000000000
+[ 1811.473307] x1 : ffff8000091214d4 x0 : ffff8000133a0030
+[ 1811.478624] Call trace:
+[ 1811.481081] sdhci_esdhc_imx_remove+0x28/0x15c [sdhci_esdhc_imx]
+[ 1811.487098] platform_drv_remove+0x2c/0x50
+[ 1811.491198] __device_release_driver+0x188/0x230
+[ 1811.495818] driver_detach+0xc0/0x14c
+[ 1811.499487] bus_remove_driver+0x5c/0xb0
+[ 1811.503413] driver_unregister+0x30/0x60
+[ 1811.507341] platform_driver_unregister+0x14/0x20
+[ 1811.512048] sdhci_esdhc_imx_driver_exit+0x1c/0x3a8 [sdhci_esdhc_imx]
+[ 1811.518495] __arm64_sys_delete_module+0x19c/0x230
+[ 1811.523291] el0_svc_common.constprop.0+0x78/0x1a0
+[ 1811.528086] do_el0_svc+0x24/0x90
+[ 1811.531405] el0_svc+0x14/0x20
+[ 1811.534461] el0_sync_handler+0x1a4/0x1b0
+[ 1811.538474] el0_sync+0x174/0x180
+[ 1811.541801] Code: a9025bf5 f9403e95 f9400ea0 9100c000 (b9400000)
+[ 1811.547902] ---[ end trace 3fb1a3bd48ff7be5 ]---
+
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Cc: stable@vger.kernel.org # v4.0+
+Link: https://lore.kernel.org/r/20210210181933.29263-1-Frank.Li@nxp.com
+[Ulf: Clarified the commit message a bit]
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-esdhc-imx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci-esdhc-imx.c
++++ b/drivers/mmc/host/sdhci-esdhc-imx.c
+@@ -1666,9 +1666,10 @@ static int sdhci_esdhc_imx_remove(struct
+ struct sdhci_host *host = platform_get_drvdata(pdev);
+ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
+ struct pltfm_imx_data *imx_data = sdhci_pltfm_priv(pltfm_host);
+- int dead = (readl(host->ioaddr + SDHCI_INT_STATUS) == 0xffffffff);
++ int dead;
+
+ pm_runtime_get_sync(&pdev->dev);
++ dead = (readl(host->ioaddr + SDHCI_INT_STATUS) == 0xffffffff);
+ pm_runtime_disable(&pdev->dev);
+ pm_runtime_put_noidle(&pdev->dev);
+
--- /dev/null
+From 1ad9f88014ae1d5abccb6fe930bc4c5c311bdc05 Mon Sep 17 00:00:00 2001
+From: Shirley Her <shirley.her@bayhubtech.com>
+Date: Fri, 5 Feb 2021 17:40:51 -0800
+Subject: mmc: sdhci-pci-o2micro: Bug fix for SDR104 HW tuning failure
+
+From: Shirley Her <shirley.her@bayhubtech.com>
+
+commit 1ad9f88014ae1d5abccb6fe930bc4c5c311bdc05 upstream.
+
+Force chip enter L0 power state during SDR104 HW tuning to avoid tuning failure
+
+Signed-off-by: Shirley Her <shirley.her@bayhubtech.com>
+Link: https://lore.kernel.org/r/20210206014051.3418-1-shirley.her@bayhubtech.com
+Fixes: 7b7d897e8898 ("mmc: sdhci-pci-o2micro: Add HW tuning for SDR104 mode")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-pci-o2micro.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+--- a/drivers/mmc/host/sdhci-pci-o2micro.c
++++ b/drivers/mmc/host/sdhci-pci-o2micro.c
+@@ -33,6 +33,8 @@
+ #define O2_SD_ADMA2 0xE7
+ #define O2_SD_INF_MOD 0xF1
+ #define O2_SD_MISC_CTRL4 0xFC
++#define O2_SD_MISC_CTRL 0x1C0
++#define O2_SD_PWR_FORCE_L0 0x0002
+ #define O2_SD_TUNING_CTRL 0x300
+ #define O2_SD_PLL_SETTING 0x304
+ #define O2_SD_MISC_SETTING 0x308
+@@ -300,6 +302,8 @@ static int sdhci_o2_execute_tuning(struc
+ {
+ struct sdhci_host *host = mmc_priv(mmc);
+ int current_bus_width = 0;
++ u32 scratch32 = 0;
++ u16 scratch = 0;
+
+ /*
+ * This handler only implements the eMMC tuning that is specific to
+@@ -312,6 +316,17 @@ static int sdhci_o2_execute_tuning(struc
+ if (WARN_ON((opcode != MMC_SEND_TUNING_BLOCK_HS200) &&
+ (opcode != MMC_SEND_TUNING_BLOCK)))
+ return -EINVAL;
++
++ /* Force power mode enter L0 */
++ scratch = sdhci_readw(host, O2_SD_MISC_CTRL);
++ scratch |= O2_SD_PWR_FORCE_L0;
++ sdhci_writew(host, scratch, O2_SD_MISC_CTRL);
++
++ /* wait DLL lock, timeout value 5ms */
++ if (readx_poll_timeout(sdhci_o2_pll_dll_wdt_control, host,
++ scratch32, (scratch32 & O2_DLL_LOCK_STATUS), 1, 5000))
++ pr_warn("%s: DLL can't lock in 5ms after force L0 during tuning.\n",
++ mmc_hostname(host->mmc));
+ /*
+ * Judge the tuning reason, whether caused by dll shift
+ * If cause by dll shift, should call sdhci_o2_dll_recovery
+@@ -344,6 +359,11 @@ static int sdhci_o2_execute_tuning(struc
+ sdhci_set_bus_width(host, current_bus_width);
+ }
+
++ /* Cancel force power mode enter L0 */
++ scratch = sdhci_readw(host, O2_SD_MISC_CTRL);
++ scratch &= ~(O2_SD_PWR_FORCE_L0);
++ sdhci_writew(host, scratch, O2_SD_MISC_CTRL);
++
+ sdhci_reset(host, SDHCI_RESET_CMD);
+ sdhci_reset(host, SDHCI_RESET_DATA);
+
--- /dev/null
+From ebfac7b778fac8b0e8e92ec91d0b055f046b4604 Mon Sep 17 00:00:00 2001
+From: Fangrui Song <maskray@google.com>
+Date: Fri, 15 Jan 2021 11:52:22 -0800
+Subject: module: Ignore _GLOBAL_OFFSET_TABLE_ when warning for undefined symbols
+
+From: Fangrui Song <maskray@google.com>
+
+commit ebfac7b778fac8b0e8e92ec91d0b055f046b4604 upstream.
+
+clang-12 -fno-pic (since
+https://github.com/llvm/llvm-project/commit/a084c0388e2a59b9556f2de0083333232da3f1d6)
+can emit `call __stack_chk_fail@PLT` instead of `call __stack_chk_fail`
+on x86. The two forms should have identical behaviors on x86-64 but the
+former causes GNU as<2.37 to produce an unreferenced undefined symbol
+_GLOBAL_OFFSET_TABLE_.
+
+(On x86-32, there is an R_386_PC32 vs R_386_PLT32 difference but the
+linker behavior is identical as far as Linux kernel is concerned.)
+
+Simply ignore _GLOBAL_OFFSET_TABLE_ for now, like what
+scripts/mod/modpost.c:ignore_undef_symbol does. This also fixes the
+problem for gcc/clang -fpie and -fpic, which may emit `call foo@PLT` for
+external function calls on x86.
+
+Note: ld -z defs and dynamic loaders do not error for unreferenced
+undefined symbols so the module loader is reading too much. If we ever
+need to ignore more symbols, the code should be refactored to ignore
+unreferenced symbols.
+
+Cc: <stable@vger.kernel.org>
+Link: https://github.com/ClangBuiltLinux/linux/issues/1250
+Link: https://sourceware.org/bugzilla/show_bug.cgi?id=27178
+Reported-by: Marco Elver <elver@google.com>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Tested-by: Marco Elver <elver@google.com>
+Signed-off-by: Fangrui Song <maskray@google.com>
+Signed-off-by: Jessica Yu <jeyu@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/module.c | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -2348,6 +2348,21 @@ static int verify_exported_symbols(struc
+ return 0;
+ }
+
++static bool ignore_undef_symbol(Elf_Half emachine, const char *name)
++{
++ /*
++ * On x86, PIC code and Clang non-PIC code may have call foo@PLT. GNU as
++ * before 2.37 produces an unreferenced _GLOBAL_OFFSET_TABLE_ on x86-64.
++ * i386 has a similar problem but may not deserve a fix.
++ *
++ * If we ever have to ignore many symbols, consider refactoring the code to
++ * only warn if referenced by a relocation.
++ */
++ if (emachine == EM_386 || emachine == EM_X86_64)
++ return !strcmp(name, "_GLOBAL_OFFSET_TABLE_");
++ return false;
++}
++
+ /* Change all symbols so that st_value encodes the pointer directly. */
+ static int simplify_symbols(struct module *mod, const struct load_info *info)
+ {
+@@ -2395,8 +2410,10 @@ static int simplify_symbols(struct modul
+ break;
+ }
+
+- /* Ok if weak. */
+- if (!ksym && ELF_ST_BIND(sym[i].st_info) == STB_WEAK)
++ /* Ok if weak or ignored. */
++ if (!ksym &&
++ (ELF_ST_BIND(sym[i].st_info) == STB_WEAK ||
++ ignore_undef_symbol(info->hdr->e_machine, name)))
+ break;
+
+ ret = PTR_ERR(ksym) ?: -ENOENT;
--- /dev/null
+From e2057ee29973b9741d43d3f475a6b02fb46a0e61 Mon Sep 17 00:00:00 2001
+From: Subbaraman Narayanamurthy <subbaram@codeaurora.org>
+Date: Fri, 5 Feb 2021 10:08:53 +0000
+Subject: nvmem: qcom-spmi-sdam: Fix uninitialized pdev pointer
+
+From: Subbaraman Narayanamurthy <subbaram@codeaurora.org>
+
+commit e2057ee29973b9741d43d3f475a6b02fb46a0e61 upstream.
+
+"sdam->pdev" is uninitialized and it is used to print error logs.
+Fix it. Since device pointer can be used from sdam_config, use it
+directly thereby removing pdev pointer.
+
+Fixes: 40ce9798794f ("nvmem: add QTI SDAM driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Subbaraman Narayanamurthy <subbaram@codeaurora.org>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20210205100853.32372-3-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvmem/qcom-spmi-sdam.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/nvmem/qcom-spmi-sdam.c
++++ b/drivers/nvmem/qcom-spmi-sdam.c
+@@ -1,6 +1,6 @@
+ // SPDX-License-Identifier: GPL-2.0-only
+ /*
+- * Copyright (c) 2017, 2020 The Linux Foundation. All rights reserved.
++ * Copyright (c) 2017, 2020-2021, The Linux Foundation. All rights reserved.
+ */
+
+ #include <linux/device.h>
+@@ -18,7 +18,6 @@
+ #define SDAM_PBS_TRIG_CLR 0xE6
+
+ struct sdam_chip {
+- struct platform_device *pdev;
+ struct regmap *regmap;
+ struct nvmem_config sdam_config;
+ unsigned int base;
+@@ -65,7 +64,7 @@ static int sdam_read(void *priv, unsigne
+ size_t bytes)
+ {
+ struct sdam_chip *sdam = priv;
+- struct device *dev = &sdam->pdev->dev;
++ struct device *dev = sdam->sdam_config.dev;
+ int rc;
+
+ if (!sdam_is_valid(sdam, offset, bytes)) {
+@@ -86,7 +85,7 @@ static int sdam_write(void *priv, unsign
+ size_t bytes)
+ {
+ struct sdam_chip *sdam = priv;
+- struct device *dev = &sdam->pdev->dev;
++ struct device *dev = sdam->sdam_config.dev;
+ int rc;
+
+ if (!sdam_is_valid(sdam, offset, bytes)) {
--- /dev/null
+From 3642eb21256a317ac14e9ed560242c6d20cf06d9 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+Date: Mon, 8 Feb 2021 07:17:40 +0000
+Subject: powerpc/32: Preserve cr1 in exception prolog stack check to fix build error
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+commit 3642eb21256a317ac14e9ed560242c6d20cf06d9 upstream.
+
+THREAD_ALIGN_SHIFT = THREAD_SHIFT + 1 = PAGE_SHIFT + 1
+Maximum PAGE_SHIFT is 18 for 256k pages so
+THREAD_ALIGN_SHIFT is 19 at the maximum.
+
+No need to clobber cr1, it can be preserved when moving r1
+into CR when we check stack overflow.
+
+This reduces the number of instructions in Machine Check Exception
+prolog and fixes a build failure reported by the kernel test robot
+on v5.10 stable when building with RTAS + VMAP_STACK + KVM. That
+build failure is due to too many instructions in the prolog hence
+not fitting between 0x200 and 0x300. Allthough the problem doesn't
+show up in mainline, it is still worth the change.
+
+Fixes: 98bf2d3f4970 ("powerpc/32s: Fix RTAS machine check with VMAP stack")
+Cc: stable@vger.kernel.org
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/5ae4d545e3ac58e133d2599e0deb88843cb494fc.1612768623.git.christophe.leroy@csgroup.eu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/head_32.h | 2 +-
+ arch/powerpc/kernel/head_book3s_32.S | 6 ------
+ 2 files changed, 1 insertion(+), 7 deletions(-)
+
+--- a/arch/powerpc/kernel/head_32.h
++++ b/arch/powerpc/kernel/head_32.h
+@@ -47,7 +47,7 @@
+ lwz r1,TASK_STACK-THREAD(r1)
+ addi r1, r1, THREAD_SIZE - INT_FRAME_SIZE
+ 1:
+- mtcrf 0x7f, r1
++ mtcrf 0x3f, r1
+ bt 32 - THREAD_ALIGN_SHIFT, stack_overflow
+ #else
+ subi r11, r1, INT_FRAME_SIZE /* use r1 if kernel */
+--- a/arch/powerpc/kernel/head_book3s_32.S
++++ b/arch/powerpc/kernel/head_book3s_32.S
+@@ -278,12 +278,6 @@ MachineCheck:
+ 7: EXCEPTION_PROLOG_2
+ addi r3,r1,STACK_FRAME_OVERHEAD
+ #ifdef CONFIG_PPC_CHRP
+-#ifdef CONFIG_VMAP_STACK
+- mfspr r4, SPRN_SPRG_THREAD
+- tovirt(r4, r4)
+- lwz r4, RTAS_SP(r4)
+- cmpwi cr1, r4, 0
+-#endif
+ beq cr1, machine_check_tramp
+ twi 31, 0, 0
+ #else
--- /dev/null
+From 57fdfbce89137ae85cd5cef48be168040a47dd13 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+Date: Mon, 8 Feb 2021 15:10:20 +0000
+Subject: powerpc/32s: Add missing call to kuep_lock on syscall entry
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+commit 57fdfbce89137ae85cd5cef48be168040a47dd13 upstream.
+
+Userspace Execution protection and fast syscall entry were implemented
+independently from each other and were both merged in kernel 5.2,
+leading to syscall entry missing userspace execution protection.
+
+On syscall entry, execution of user space memory must be
+locked in the same way as on exception entry.
+
+Fixes: b86fb88855ea ("powerpc/32: implement fast entry for syscalls on non BOOKE")
+Cc: stable@vger.kernel.org
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/c65e105b63aaf74f91a14f845bc77192350b84a6.1612796617.git.christophe.leroy@csgroup.eu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/entry_32.S | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/powerpc/kernel/entry_32.S
++++ b/arch/powerpc/kernel/entry_32.S
+@@ -356,6 +356,9 @@ trace_syscall_entry_irq_off:
+
+ .globl transfer_to_syscall
+ transfer_to_syscall:
++#ifdef CONFIG_PPC_BOOK3S_32
++ kuep_lock r11, r12
++#endif
+ #ifdef CONFIG_TRACE_IRQFLAGS
+ andi. r12,r9,MSR_EE
+ beq- trace_syscall_entry_irq_off
--- /dev/null
+From 2377c92e37fe97bc5b365f55cf60f56dfc4849f5 Mon Sep 17 00:00:00 2001
+From: Hari Bathini <hbathini@linux.ibm.com>
+Date: Thu, 4 Feb 2021 17:01:10 +0530
+Subject: powerpc/kexec_file: fix FDT size estimation for kdump kernel
+
+From: Hari Bathini <hbathini@linux.ibm.com>
+
+commit 2377c92e37fe97bc5b365f55cf60f56dfc4849f5 upstream.
+
+On systems with large amount of memory, loading kdump kernel through
+kexec_file_load syscall may fail with the below error:
+
+ "Failed to update fdt with linux,drconf-usable-memory property"
+
+This happens because the size estimation for kdump kernel's FDT does
+not account for the additional space needed to setup usable memory
+properties. Fix it by accounting for the space needed to include
+linux,usable-memory & linux,drconf-usable-memory properties while
+estimating kdump kernel's FDT size.
+
+Fixes: 6ecd0163d360 ("powerpc/kexec_file: Add appropriate regions for memory reserve map")
+Cc: stable@vger.kernel.org # v5.9+
+Signed-off-by: Hari Bathini <hbathini@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/161243826811.119001.14083048209224609814.stgit@hbathini
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/include/asm/kexec.h | 1 +
+ arch/powerpc/kexec/elf_64.c | 2 +-
+ arch/powerpc/kexec/file_load_64.c | 35 +++++++++++++++++++++++++++++++++++
+ 3 files changed, 37 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/include/asm/kexec.h
++++ b/arch/powerpc/include/asm/kexec.h
+@@ -136,6 +136,7 @@ int load_crashdump_segments_ppc64(struct
+ int setup_purgatory_ppc64(struct kimage *image, const void *slave_code,
+ const void *fdt, unsigned long kernel_load_addr,
+ unsigned long fdt_load_addr);
++unsigned int kexec_fdt_totalsize_ppc64(struct kimage *image);
+ int setup_new_fdt_ppc64(const struct kimage *image, void *fdt,
+ unsigned long initrd_load_addr,
+ unsigned long initrd_len, const char *cmdline);
+--- a/arch/powerpc/kexec/elf_64.c
++++ b/arch/powerpc/kexec/elf_64.c
+@@ -102,7 +102,7 @@ static void *elf64_load(struct kimage *i
+ pr_debug("Loaded initrd at 0x%lx\n", initrd_load_addr);
+ }
+
+- fdt_size = fdt_totalsize(initial_boot_params) * 2;
++ fdt_size = kexec_fdt_totalsize_ppc64(image);
+ fdt = kmalloc(fdt_size, GFP_KERNEL);
+ if (!fdt) {
+ pr_err("Not enough memory for the device tree.\n");
+--- a/arch/powerpc/kexec/file_load_64.c
++++ b/arch/powerpc/kexec/file_load_64.c
+@@ -21,6 +21,7 @@
+ #include <linux/memblock.h>
+ #include <linux/slab.h>
+ #include <linux/vmalloc.h>
++#include <asm/setup.h>
+ #include <asm/drmem.h>
+ #include <asm/kexec_ranges.h>
+ #include <asm/crashdump-ppc64.h>
+@@ -926,6 +927,40 @@ out:
+ }
+
+ /**
++ * kexec_fdt_totalsize_ppc64 - Return the estimated size needed to setup FDT
++ * for kexec/kdump kernel.
++ * @image: kexec image being loaded.
++ *
++ * Returns the estimated size needed for kexec/kdump kernel FDT.
++ */
++unsigned int kexec_fdt_totalsize_ppc64(struct kimage *image)
++{
++ unsigned int fdt_size;
++ u64 usm_entries;
++
++ /*
++ * The below estimate more than accounts for a typical kexec case where
++ * the additional space is to accommodate things like kexec cmdline,
++ * chosen node with properties for initrd start & end addresses and
++ * a property to indicate kexec boot..
++ */
++ fdt_size = fdt_totalsize(initial_boot_params) + (2 * COMMAND_LINE_SIZE);
++ if (image->type != KEXEC_TYPE_CRASH)
++ return fdt_size;
++
++ /*
++ * For kdump kernel, also account for linux,usable-memory and
++ * linux,drconf-usable-memory properties. Get an approximate on the
++ * number of usable memory entries and use for FDT size estimation.
++ */
++ usm_entries = ((memblock_end_of_DRAM() / drmem_lmb_size()) +
++ (2 * (resource_size(&crashk_res) / drmem_lmb_size())));
++ fdt_size += (unsigned int)(usm_entries * sizeof(u64));
++
++ return fdt_size;
++}
++
++/**
+ * setup_new_fdt_ppc64 - Update the flattend device-tree of the kernel
+ * being loaded.
+ * @image: kexec image being loaded.
--- /dev/null
+From 8a8109f303e25a27f92c1d8edd67d7cbbc60a4eb Mon Sep 17 00:00:00 2001
+From: Muchun Song <songmuchun@bytedance.com>
+Date: Wed, 10 Feb 2021 11:48:23 +0800
+Subject: printk: fix deadlock when kernel panic
+
+From: Muchun Song <songmuchun@bytedance.com>
+
+commit 8a8109f303e25a27f92c1d8edd67d7cbbc60a4eb upstream.
+
+printk_safe_flush_on_panic() caused the following deadlock on our
+server:
+
+CPU0: CPU1:
+panic rcu_dump_cpu_stacks
+ kdump_nmi_shootdown_cpus nmi_trigger_cpumask_backtrace
+ register_nmi_handler(crash_nmi_callback) printk_safe_flush
+ __printk_safe_flush
+ raw_spin_lock_irqsave(&read_lock)
+ // send NMI to other processors
+ apic_send_IPI_allbutself(NMI_VECTOR)
+ // NMI interrupt, dead loop
+ crash_nmi_callback
+ printk_safe_flush_on_panic
+ printk_safe_flush
+ __printk_safe_flush
+ // deadlock
+ raw_spin_lock_irqsave(&read_lock)
+
+DEADLOCK: read_lock is taken on CPU1 and will never get released.
+
+It happens when panic() stops a CPU by NMI while it has been in
+the middle of printk_safe_flush().
+
+Handle the lock the same way as logbuf_lock. The printk_safe buffers
+are flushed only when both locks can be safely taken. It can avoid
+the deadlock _in this particular case_ at expense of losing contents
+of printk_safe buffers.
+
+Note: It would actually be safe to re-init the locks when all CPUs were
+ stopped by NMI. But it would require passing this information
+ from arch-specific code. It is not worth the complexity.
+ Especially because logbuf_lock and printk_safe buffers have been
+ obsoleted by the lockless ring buffer.
+
+Fixes: cf9b1106c81c ("printk/nmi: flush NMI messages on the system panic")
+Signed-off-by: Muchun Song <songmuchun@bytedance.com>
+Reviewed-by: Petr Mladek <pmladek@suse.com>
+Cc: <stable@vger.kernel.org>
+Acked-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Link: https://lore.kernel.org/r/20210210034823.64867-1-songmuchun@bytedance.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/printk/printk_safe.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/kernel/printk/printk_safe.c
++++ b/kernel/printk/printk_safe.c
+@@ -45,6 +45,8 @@ struct printk_safe_seq_buf {
+ static DEFINE_PER_CPU(struct printk_safe_seq_buf, safe_print_seq);
+ static DEFINE_PER_CPU(int, printk_context);
+
++static DEFINE_RAW_SPINLOCK(safe_read_lock);
++
+ #ifdef CONFIG_PRINTK_NMI
+ static DEFINE_PER_CPU(struct printk_safe_seq_buf, nmi_print_seq);
+ #endif
+@@ -180,8 +182,6 @@ static void report_message_lost(struct p
+ */
+ static void __printk_safe_flush(struct irq_work *work)
+ {
+- static raw_spinlock_t read_lock =
+- __RAW_SPIN_LOCK_INITIALIZER(read_lock);
+ struct printk_safe_seq_buf *s =
+ container_of(work, struct printk_safe_seq_buf, work);
+ unsigned long flags;
+@@ -195,7 +195,7 @@ static void __printk_safe_flush(struct i
+ * different CPUs. This is especially important when printing
+ * a backtrace.
+ */
+- raw_spin_lock_irqsave(&read_lock, flags);
++ raw_spin_lock_irqsave(&safe_read_lock, flags);
+
+ i = 0;
+ more:
+@@ -232,7 +232,7 @@ more:
+
+ out:
+ report_message_lost(s);
+- raw_spin_unlock_irqrestore(&read_lock, flags);
++ raw_spin_unlock_irqrestore(&safe_read_lock, flags);
+ }
+
+ /**
+@@ -278,6 +278,14 @@ void printk_safe_flush_on_panic(void)
+ raw_spin_lock_init(&logbuf_lock);
+ }
+
++ if (raw_spin_is_locked(&safe_read_lock)) {
++ if (num_online_cpus() > 1)
++ return;
++
++ debug_locks_off();
++ raw_spin_lock_init(&safe_read_lock);
++ }
++
+ printk_safe_flush();
+ }
+
mm-vmscan-restore-zone_reclaim_mode-abi.patch
mm-compaction-make-fast_isolate_freepages-stay-within-zone.patch
kvm-nsvm-fix-running-nested-guests-when-npt-0.patch
+nvmem-qcom-spmi-sdam-fix-uninitialized-pdev-pointer.patch
+module-ignore-_global_offset_table_-when-warning-for-undefined-symbols.patch
+mmc-sdhci-esdhc-imx-fix-kernel-panic-when-remove-module.patch
+mmc-sdhci-pci-o2micro-bug-fix-for-sdr104-hw-tuning-failure.patch
+powerpc-32-preserve-cr1-in-exception-prolog-stack-check-to-fix-build-error.patch
+powerpc-kexec_file-fix-fdt-size-estimation-for-kdump-kernel.patch
+powerpc-32s-add-missing-call-to-kuep_lock-on-syscall-entry.patch
+spmi-spmi-pmic-arb-fix-hw_irq-overflow.patch
+mei-bus-block-send-with-vtag-on-non-conformat-fw.patch
+mei-fix-transfer-over-dma-with-extended-header.patch
+mei-me-emmitsburg-workstation-did.patch
+mei-me-add-adler-lake-point-s-did.patch
+mei-me-add-adler-lake-point-lp-did.patch
+gpio-pcf857x-fix-missing-first-interrupt.patch
+mfd-gateworks-gsc-fix-interrupt-type.patch
+printk-fix-deadlock-when-kernel-panic.patch
+exfat-fix-shift-out-of-bounds-in-exfat_fill_super.patch
+zonefs-fix-file-size-of-zones-in-full-condition.patch
+kcmp-support-selection-of-sys_kcmp-without-checkpoint_restore.patch
+thermal-cpufreq_cooling-freq_qos_update_request-returns-0-on-error.patch
--- /dev/null
+From d19db80a366576d3ffadf2508ed876b4c1faf959 Mon Sep 17 00:00:00 2001
+From: Subbaraman Narayanamurthy <subbaram@codeaurora.org>
+Date: Thu, 11 Feb 2021 19:14:17 -0800
+Subject: spmi: spmi-pmic-arb: Fix hw_irq overflow
+
+From: Subbaraman Narayanamurthy <subbaram@codeaurora.org>
+
+commit d19db80a366576d3ffadf2508ed876b4c1faf959 upstream.
+
+Currently, when handling the SPMI summary interrupt, the hw_irq
+number is calculated based on SID, Peripheral ID, IRQ index and
+APID. This is then passed to irq_find_mapping() to see if a
+mapping exists for this hw_irq and if available, invoke the
+interrupt handler. Since the IRQ index uses an "int" type, hw_irq
+which is of unsigned long data type can take a large value when
+SID has its MSB set to 1 and the type conversion happens. Because
+of this, irq_find_mapping() returns 0 as there is no mapping
+for this hw_irq. This ends up invoking cleanup_irq() as if
+the interrupt is spurious whereas it is actually a valid
+interrupt. Fix this by using the proper data type (u32) for id.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Subbaraman Narayanamurthy <subbaram@codeaurora.org>
+Link: https://lore.kernel.org/r/1612812784-26369-1-git-send-email-subbaram@codeaurora.org
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Link: https://lore.kernel.org/r/20210212031417.3148936-1-sboyd@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spmi/spmi-pmic-arb.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/spmi/spmi-pmic-arb.c
++++ b/drivers/spmi/spmi-pmic-arb.c
+@@ -1,6 +1,6 @@
+ // SPDX-License-Identifier: GPL-2.0-only
+ /*
+- * Copyright (c) 2012-2015, 2017, The Linux Foundation. All rights reserved.
++ * Copyright (c) 2012-2015, 2017, 2021, The Linux Foundation. All rights reserved.
+ */
+ #include <linux/bitmap.h>
+ #include <linux/delay.h>
+@@ -505,8 +505,7 @@ static void cleanup_irq(struct spmi_pmic
+ static void periph_interrupt(struct spmi_pmic_arb *pmic_arb, u16 apid)
+ {
+ unsigned int irq;
+- u32 status;
+- int id;
++ u32 status, id;
+ u8 sid = (pmic_arb->apid_data[apid].ppid >> 8) & 0xF;
+ u8 per = pmic_arb->apid_data[apid].ppid & 0xFF;
+
--- /dev/null
+From a51afb13311cd85b2f638c691b2734622277d8f5 Mon Sep 17 00:00:00 2001
+From: Viresh Kumar <viresh.kumar@linaro.org>
+Date: Wed, 17 Feb 2021 11:18:58 +0530
+Subject: thermal: cpufreq_cooling: freq_qos_update_request() returns < 0 on error
+
+From: Viresh Kumar <viresh.kumar@linaro.org>
+
+commit a51afb13311cd85b2f638c691b2734622277d8f5 upstream.
+
+freq_qos_update_request() returns 1 if the effective constraint value
+has changed, 0 if the effective constraint value has not changed, or a
+negative error code on failures.
+
+The frequency constraints for CPUs can be set by different parts of the
+kernel. If the maximum frequency constraint set by other parts of the
+kernel are set at a lower value than the one corresponding to cooling
+state 0, then we will never be able to cool down the system as
+freq_qos_update_request() will keep on returning 0 and we will skip
+updating cpufreq_state and thermal pressure.
+
+Fix that by doing the updates even in the case where
+freq_qos_update_request() returns 0, as we have effectively set the
+constraint to a new value even if the consolidated value of the
+actual constraint is unchanged because of external factors.
+
+Cc: v5.7+ <stable@vger.kernel.org> # v5.7+
+Reported-by: Thara Gopinath <thara.gopinath@linaro.org>
+Fixes: f12e4f66ab6a ("thermal/cpu-cooling: Update thermal pressure in case of a maximum frequency capping")
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Reviewed-by: Lukasz Luba <lukasz.luba@arm.com>
+Tested-by: Lukasz Luba <lukasz.luba@arm.com>
+Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Tested-by: Thara Gopinath<thara.gopinath@linaro.org>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lore.kernel.org/r/b2b7e84944937390256669df5a48ce5abba0c1ef.1613540713.git.viresh.kumar@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thermal/cpufreq_cooling.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/thermal/cpufreq_cooling.c
++++ b/drivers/thermal/cpufreq_cooling.c
+@@ -441,7 +441,7 @@ static int cpufreq_set_cur_state(struct
+ frequency = get_state_freq(cpufreq_cdev, state);
+
+ ret = freq_qos_update_request(&cpufreq_cdev->qos_req, frequency);
+- if (ret > 0) {
++ if (ret >= 0) {
+ cpufreq_cdev->cpufreq_state = state;
+ cpus = cpufreq_cdev->policy->cpus;
+ max_capacity = arch_scale_cpu_capacity(cpumask_first(cpus));
--- /dev/null
+From 059c01039c0185dbee7ed080f1f2bd22cb1e4dab Mon Sep 17 00:00:00 2001
+From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Date: Wed, 17 Feb 2021 18:58:11 +0900
+Subject: zonefs: Fix file size of zones in full condition
+
+From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+
+commit 059c01039c0185dbee7ed080f1f2bd22cb1e4dab upstream.
+
+Per ZBC/ZAC/ZNS specifications, write pointers may not have valid values
+when zones are in full condition. However, when zonefs mounts a zoned
+block device, zonefs refers write pointers to set file size even when
+the zones are in full condition. This results in wrong file size. To fix
+this, refer maximum file size in place of write pointers for zones in
+full condition.
+
+Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Fixes: 8dcc1a9d90c1 ("fs: New zonefs file system")
+Cc: <stable@vger.kernel.org> # 5.6+
+Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/zonefs/super.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/zonefs/super.c
++++ b/fs/zonefs/super.c
+@@ -250,6 +250,9 @@ static loff_t zonefs_check_zone_conditio
+ }
+ inode->i_mode &= ~0222;
+ return i_size_read(inode);
++ case BLK_ZONE_COND_FULL:
++ /* The write pointer of full zones is invalid. */
++ return zi->i_max_size;
+ default:
+ if (zi->i_ztype == ZONEFS_ZTYPE_CNV)
+ return zi->i_max_size;
projects / thirdparty / kernel / stable-queue.git / commitdiff
