5.17-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 4 Apr 2022 08:29:24 +0000 (10:29 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 4 Apr 2022 08:29:24 +0000 (10:29 +0200)
added patches:
arm64-mm-drop-const-from-conditional-arm64_dma_phys_limit-definition.patch
asoc-soc-compress-change-the-check-for-codec_dai.patch
ax25-fix-uaf-bug-in-ax25_send_control.patch
docs-fix-make-htmldocs-warning-in-sctp.rst.patch
drm-connector-fix-typo-in-documentation.patch
kvm-x86-svm-fix-avic-spec-based-definitions-again.patch
reinstate-some-of-swiotlb-rework-fix-info-leak-with-dma_from_device.patch
scsi-qla2xxx-add-qla2x00_async_done-for-async-routines.patch
staging-mt7621-dts-fix-pinctrl-0-items-to-be-size-1-items-on-ethernet.patch
tracing-have-type-enum-modifications-copy-the-strings.patch

queue-5.17/arm64-mm-drop-const-from-conditional-arm64_dma_phys_limit-definition.patch [new file with mode: 0644]
queue-5.17/asoc-soc-compress-change-the-check-for-codec_dai.patch [new file with mode: 0644]
queue-5.17/ax25-fix-uaf-bug-in-ax25_send_control.patch [new file with mode: 0644]
queue-5.17/docs-fix-make-htmldocs-warning-in-sctp.rst.patch [new file with mode: 0644]
queue-5.17/drm-connector-fix-typo-in-documentation.patch [new file with mode: 0644]
queue-5.17/kvm-x86-svm-fix-avic-spec-based-definitions-again.patch [new file with mode: 0644]
queue-5.17/reinstate-some-of-swiotlb-rework-fix-info-leak-with-dma_from_device.patch [new file with mode: 0644]
queue-5.17/scsi-qla2xxx-add-qla2x00_async_done-for-async-routines.patch [new file with mode: 0644]
queue-5.17/series
queue-5.17/staging-mt7621-dts-fix-pinctrl-0-items-to-be-size-1-items-on-ethernet.patch [new file with mode: 0644]
queue-5.17/tracing-have-type-enum-modifications-copy-the-strings.patch [new file with mode: 0644]

diff --git a/queue-5.17/arm64-mm-drop-const-from-conditional-arm64_dma_phys_limit-definition.patch b/queue-5.17/arm64-mm-drop-const-from-conditional-arm64_dma_phys_limit-definition.patch
new file mode 100644 (file)
index 0000000..0a3f7c0
--- /dev/null
@@ -0,0 +1,39 @@
+From 770093459b9b333380aa71f2c31c60b14895c1df Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Wed, 9 Mar 2022 12:21:37 +0000
+Subject: arm64: mm: Drop 'const' from conditional arm64_dma_phys_limit definition
+
+From: Will Deacon <will@kernel.org>
+
+commit 770093459b9b333380aa71f2c31c60b14895c1df upstream.
+
+Commit 031495635b46 ("arm64: Do not defer reserve_crashkernel() for
+platforms with no DMA memory zones") introduced different definitions
+for 'arm64_dma_phys_limit' depending on CONFIG_ZONE_DMA{,32} based on
+a late suggestion from Pasha. Sadly, this results in a build error when
+passing W=1:
+
+  | arch/arm64/mm/init.c:90:19: error: conflicting type qualifiers for 'arm64_dma_phys_limit'
+
+Drop the 'const' for now and use '__ro_after_init' consistently.
+
+Link: https://lore.kernel.org/r/202203090241.aj7paWeX-lkp@intel.com
+Link: https://lore.kernel.org/r/CA+CK2bDbbx=8R=UthkMesWOST8eJMtOGJdfMRTFSwVmo0Vn0EA@mail.gmail.com
+Fixes: 031495635b46 ("arm64: Do not defer reserve_crashkernel() for platforms with no DMA memory zones")
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/mm/init.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/mm/init.c
++++ b/arch/arm64/mm/init.c
+@@ -87,7 +87,7 @@ EXPORT_SYMBOL(memstart_addr);
+ #if IS_ENABLED(CONFIG_ZONE_DMA) || IS_ENABLED(CONFIG_ZONE_DMA32)
+ phys_addr_t __ro_after_init arm64_dma_phys_limit;
+ #else
+-const phys_addr_t arm64_dma_phys_limit = PHYS_MASK + 1;
++phys_addr_t __ro_after_init arm64_dma_phys_limit = PHYS_MASK + 1;
+ #endif
+ #ifdef CONFIG_KEXEC_CORE
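Review bot: The `#else` definition of `arm64_dma_phys_limit` has lost its `const`, and nothing in the code now records that it is still meant to stay at `PHYS_MASK + 1`. The commit text's "for now" suggests the qualifier is meant to return. A one-line comment above the definition would keep that intent visible, e.g. `/* Fixed at PHYS_MASK + 1 without DMA zones; not const only to keep one set of type qualifiers for both configurations. */`. With `__ro_after_init` the variable is presumably writable until init completes, whereas the removed `const` form was read-only from the start, so the comment also records that small weakening.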
diff --git a/queue-5.17/asoc-soc-compress-change-the-check-for-codec_dai.patch b/queue-5.17/asoc-soc-compress-change-the-check-for-codec_dai.patch
new file mode 100644 (file)
index 0000000..a286297
--- /dev/null
@@ -0,0 +1,54 @@
+From ccb4214f7f2a8b75acf493f31128e464ee1a3536 Mon Sep 17 00:00:00 2001
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Date: Thu, 10 Mar 2022 11:00:41 +0800
+Subject: ASoC: soc-compress: Change the check for codec_dai
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+commit ccb4214f7f2a8b75acf493f31128e464ee1a3536 upstream.
+
+It should be better to reverse the check on codec_dai
+and returned early in order to be easier to understand.
+
+Fixes: de2c6f98817f ("ASoC: soc-compress: prevent the potentially use of null pointer")
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://lore.kernel.org/r/20220310030041.1556323-1-jiasheng@iscas.ac.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/soc-compress.c |   19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+--- a/sound/soc/soc-compress.c
++++ b/sound/soc/soc-compress.c
+@@ -567,16 +567,19 @@ int snd_soc_new_compress(struct snd_soc_
+               return -EINVAL;
+       }
+-      /* check client and interface hw capabilities */
+-      if (codec_dai) {
+-              if (snd_soc_dai_stream_valid(codec_dai, SNDRV_PCM_STREAM_PLAYBACK) &&
+-                  snd_soc_dai_stream_valid(cpu_dai,   SNDRV_PCM_STREAM_PLAYBACK))
+-                      playback = 1;
+-              if (snd_soc_dai_stream_valid(codec_dai, SNDRV_PCM_STREAM_CAPTURE) &&
+-                  snd_soc_dai_stream_valid(cpu_dai,   SNDRV_PCM_STREAM_CAPTURE))
+-                      capture = 1;
++      if (!codec_dai) {
++              dev_err(rtd->card->dev, "Missing codec\n");
++              return -EINVAL;
+       }
++      /* check client and interface hw capabilities */
++      if (snd_soc_dai_stream_valid(codec_dai, SNDRV_PCM_STREAM_PLAYBACK) &&
++          snd_soc_dai_stream_valid(cpu_dai,   SNDRV_PCM_STREAM_PLAYBACK))
++              playback = 1;
++      if (snd_soc_dai_stream_valid(codec_dai, SNDRV_PCM_STREAM_CAPTURE) &&
++          snd_soc_dai_stream_valid(cpu_dai,   SNDRV_PCM_STREAM_CAPTURE))
++              capture = 1;
++
+       /*
+        * Compress devices are unidirectional so only one of the directions
+        * should be set, check for that (xor)
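Review bot: The new `dev_err(rtd->card->dev, "Missing codec\n")` does not say which link failed, so on a card with several compress links the log line cannot be tied to one of them. Including the link name would fix that, e.g. `dev_err(rtd->card->dev, "Missing codec for %s\n", rtd->dai_link->name);`. The comment `/* check client and interface hw capabilities */` could also state that `codec_dai` is known to be non-NULL from that point on. snd_soc_new_compress() begins and ends outside the hunk.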
diff --git a/queue-5.17/ax25-fix-uaf-bug-in-ax25_send_control.patch b/queue-5.17/ax25-fix-uaf-bug-in-ax25_send_control.patch
new file mode 100644 (file)
index 0000000..10c374d
--- /dev/null
@@ -0,0 +1,85 @@
+From 5352a761308397a0e6250fdc629bb3f615b94747 Mon Sep 17 00:00:00 2001
+From: Duoming Zhou <duoming@zju.edu.cn>
+Date: Mon, 28 Mar 2022 21:00:14 +0800
+Subject: ax25: fix UAF bug in ax25_send_control()
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+commit 5352a761308397a0e6250fdc629bb3f615b94747 upstream.
+
+There are UAF bugs in ax25_send_control(), when we call ax25_release()
+to deallocate ax25_dev. The possible race condition is shown below:
+
+      (Thread 1)              |     (Thread 2)
+ax25_dev_device_up() //(1)    |
+                              | ax25_kill_by_device()
+ax25_bind()          //(2)    |
+ax25_connect()                | ...
+ ax25->state = AX25_STATE_1   |
+ ...                          | ax25_dev_device_down() //(3)
+
+      (Thread 3)
+ax25_release()                |
+ ax25_dev_put()  //(4) FREE   |
+ case AX25_STATE_1:           |
+  ax25_send_control()         |
+   alloc_skb()       //USE    |
+
+The refcount of ax25_dev increases in position (1) and (2), and
+decreases in position (3) and (4). The ax25_dev will be freed
+before dereference sites in ax25_send_control().
+
+The following is part of the report:
+
+[  102.297448] BUG: KASAN: use-after-free in ax25_send_control+0x33/0x210
+[  102.297448] Read of size 8 at addr ffff888009e6e408 by task ax25_close/602
+[  102.297448] Call Trace:
+[  102.303751]  ax25_send_control+0x33/0x210
+[  102.303751]  ax25_release+0x356/0x450
+[  102.305431]  __sock_release+0x6d/0x120
+[  102.305431]  sock_close+0xf/0x20
+[  102.305431]  __fput+0x11f/0x420
+[  102.305431]  task_work_run+0x86/0xd0
+[  102.307130]  get_signal+0x1075/0x1220
+[  102.308253]  arch_do_signal_or_restart+0x1df/0xc00
+[  102.308253]  exit_to_user_mode_prepare+0x150/0x1e0
+[  102.308253]  syscall_exit_to_user_mode+0x19/0x50
+[  102.308253]  do_syscall_64+0x48/0x90
+[  102.308253]  entry_SYSCALL_64_after_hwframe+0x44/0xae
+[  102.308253] RIP: 0033:0x405ae7
+
+This patch defers the free operation of ax25_dev and net_device after
+all corresponding dereference sites in ax25_release() to avoid UAF.
+
+Fixes: 9fd75b66b8f6 ("ax25: Fix refcount leaks caused by ax25_cb_del()")
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ax25/af_ax25.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -991,10 +991,6 @@ static int ax25_release(struct socket *s
+       sock_orphan(sk);
+       ax25 = sk_to_ax25(sk);
+       ax25_dev = ax25->ax25_dev;
+-      if (ax25_dev) {
+-              dev_put_track(ax25_dev->dev, &ax25_dev->dev_tracker);
+-              ax25_dev_put(ax25_dev);
+-      }
+       if (sk->sk_type == SOCK_SEQPACKET) {
+               switch (ax25->state) {
+@@ -1056,6 +1052,10 @@ static int ax25_release(struct socket *s
+               sk->sk_state_change(sk);
+               ax25_destroy_socket(ax25);
+       }
++      if (ax25_dev) {
++              dev_put_track(ax25_dev->dev, &ax25_dev->dev_tracker);
++              ax25_dev_put(ax25_dev);
++      }
+       sock->sk   = NULL;
+       release_sock(sk);
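Review bot: The relocated put block after `ax25_destroy_socket(ax25)` has no comment saying why it must come last, so a later cleanup could move it back above `switch (ax25->state)` and reintroduce the use-after-free in ax25_send_control(). I would add `/* Drop the ax25_dev and net_device references only after the state handling above, which still dereferences ax25_dev via ax25_send_control(). */` above `if (ax25_dev) {`. The put also relies on the `ax25_dev` value read once near the top of ax25_release(). Whether ax25_kill_by_device(), named in the race diagram, can drop the same reference in between is not visible here and is worth confirming. Both hunks show only part of ax25_release().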
diff --git a/queue-5.17/docs-fix-make-htmldocs-warning-in-sctp.rst.patch b/queue-5.17/docs-fix-make-htmldocs-warning-in-sctp.rst.patch
new file mode 100644 (file)
index 0000000..5ac2864
--- /dev/null
@@ -0,0 +1,52 @@
+From 70868c6b8fd80db585da57a264c50a69af8fd3c3 Mon Sep 17 00:00:00 2001
+From: Wan Jiabing <wanjiabing@vivo.com>
+Date: Mon, 28 Feb 2022 10:56:41 +0800
+Subject: docs: fix 'make htmldocs' warning in SCTP.rst
+
+From: Wan Jiabing <wanjiabing@vivo.com>
+
+commit 70868c6b8fd80db585da57a264c50a69af8fd3c3 upstream.
+
+Fix following 'make htmldocs' warnings:
+./Documentation/security/SCTP.rst:123: WARNING: Title underline too short.
+security_sctp_assoc_established()
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+./Documentation/security/SCTP.rst:123: WARNING: Title underline too short.
+security_sctp_assoc_established()
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+./Documentation/security/SCTP.rst:273: WARNING: Title underline too short.
+security_sctp_assoc_established()
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+./Documentation/security/SCTP.rst:273: WARNING: Title underline too short.
+security_sctp_assoc_established()
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Fixes: 5e50f5d4ff31 ("security: add sctp_assoc_established hook")
+Signed-off-by: Wan Jiabing <wanjiabing@vivo.com>
+Reviewed-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/security/SCTP.rst |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/Documentation/security/SCTP.rst
++++ b/Documentation/security/SCTP.rst
+@@ -120,7 +120,7 @@ calls **sctp_peeloff**\(3).
+ security_sctp_assoc_established()
+-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ Called when a COOKIE ACK is received, and the peer secid will be
+ saved into ``@asoc->peer_secid`` for client::
+@@ -270,7 +270,7 @@ sockets sid and peer sid to that contain
+ security_sctp_assoc_established()
+-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ Called when a COOKIE ACK is received where it sets the connection's peer sid
+ to that in ``@skb``::
diff --git a/queue-5.17/drm-connector-fix-typo-in-documentation.patch b/queue-5.17/drm-connector-fix-typo-in-documentation.patch
new file mode 100644 (file)
index 0000000..65a034d
--- /dev/null
@@ -0,0 +1,42 @@
+From dca384a3bf5af1c781cfa6aec63904bdb5018c36 Mon Sep 17 00:00:00 2001
+From: Maxime Ripard <maxime@cerno.tech>
+Date: Wed, 2 Feb 2022 10:43:40 +0100
+Subject: drm/connector: Fix typo in documentation
+
+From: Maxime Ripard <maxime@cerno.tech>
+
+commit dca384a3bf5af1c781cfa6aec63904bdb5018c36 upstream.
+
+Commit 4adc33f36d80 ("drm/edid: Split deep color modes between RGB and
+YUV444") introduced two new variables in struct drm_display_info and
+their documentation, but the documentation part had a typo resulting in
+a doc build warning.
+
+Fixes: 4adc33f36d80 ("drm/edid: Split deep color modes between RGB and YUV444")
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Reviewed-by: Simon Ser <contact@emersion.fr>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220202094340.875190-1-maxime@cerno.tech
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/drm/drm_connector.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/drm/drm_connector.h
++++ b/include/drm/drm_connector.h
+@@ -592,13 +592,13 @@ struct drm_display_info {
+       bool rgb_quant_range_selectable;
+       /**
+-       * @edid_hdmi_dc_rgb444_modes: Mask of supported hdmi deep color modes
++       * @edid_hdmi_rgb444_dc_modes: Mask of supported hdmi deep color modes
+        * in RGB 4:4:4. Even more stuff redundant with @bus_formats.
+        */
+       u8 edid_hdmi_rgb444_dc_modes;
+       /**
+-       * @edid_hdmi_dc_ycbcr444_modes: Mask of supported hdmi deep color
++       * @edid_hdmi_ycbcr444_dc_modes: Mask of supported hdmi deep color
+        * modes in YCbCr 4:4:4. Even more stuff redundant with @bus_formats.
+        */
+       u8 edid_hdmi_ycbcr444_dc_modes;
diff --git a/queue-5.17/kvm-x86-svm-fix-avic-spec-based-definitions-again.patch b/queue-5.17/kvm-x86-svm-fix-avic-spec-based-definitions-again.patch
new file mode 100644 (file)
index 0000000..30ba9d2
--- /dev/null
@@ -0,0 +1,71 @@
+From 0dacc3df898e219fa774f39e5e10d686364e0a27 Mon Sep 17 00:00:00 2001
+From: Maxim Levitsky <mlevitsk@redhat.com>
+Date: Tue, 22 Mar 2022 19:24:45 +0200
+Subject: KVM: x86: SVM: fix avic spec based definitions again
+
+From: Maxim Levitsky <mlevitsk@redhat.com>
+
+commit 0dacc3df898e219fa774f39e5e10d686364e0a27 upstream.
+
+Due to wrong rebase, commit
+4a204f7895878 ("KVM: SVM: Allow AVIC support on system w/ physical APIC ID > 255")
+
+moved avic spec #defines back to avic.c.
+
+Move them back, and while at it extend AVIC_DOORBELL_PHYSICAL_ID_MASK to 12
+bits as well (it will be used in nested avic)
+
+Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
+Message-Id: <20220322172449.235575-5-mlevitsk@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/svm.h |    8 +++++---
+ arch/x86/kvm/svm/svm.h     |   11 -----------
+ 2 files changed, 5 insertions(+), 14 deletions(-)
+
+--- a/arch/x86/include/asm/svm.h
++++ b/arch/x86/include/asm/svm.h
+@@ -222,7 +222,7 @@ struct __attribute__ ((__packed__)) vmcb
+ /* AVIC */
+-#define AVIC_LOGICAL_ID_ENTRY_GUEST_PHYSICAL_ID_MASK  (0xFF)
++#define AVIC_LOGICAL_ID_ENTRY_GUEST_PHYSICAL_ID_MASK  (0xFFULL)
+ #define AVIC_LOGICAL_ID_ENTRY_VALID_BIT                       31
+ #define AVIC_LOGICAL_ID_ENTRY_VALID_MASK              (1 << 31)
+@@ -230,9 +230,11 @@ struct __attribute__ ((__packed__)) vmcb
+ #define AVIC_PHYSICAL_ID_ENTRY_BACKING_PAGE_MASK      (0xFFFFFFFFFFULL << 12)
+ #define AVIC_PHYSICAL_ID_ENTRY_IS_RUNNING_MASK                (1ULL << 62)
+ #define AVIC_PHYSICAL_ID_ENTRY_VALID_MASK             (1ULL << 63)
+-#define AVIC_PHYSICAL_ID_TABLE_SIZE_MASK              (0xFF)
++#define AVIC_PHYSICAL_ID_TABLE_SIZE_MASK              (0xFFULL)
+-#define AVIC_DOORBELL_PHYSICAL_ID_MASK                        (0xFF)
++#define AVIC_DOORBELL_PHYSICAL_ID_MASK                        GENMASK_ULL(11, 0)
++
++#define VMCB_AVIC_APIC_BAR_MASK                               0xFFFFFFFFFF000ULL
+ #define AVIC_UNACCEL_ACCESS_WRITE_MASK                1
+ #define AVIC_UNACCEL_ACCESS_OFFSET_MASK               0xFF0
+--- a/arch/x86/kvm/svm/svm.h
++++ b/arch/x86/kvm/svm/svm.h
+@@ -558,17 +558,6 @@ extern struct kvm_x86_nested_ops svm_nes
+ /* avic.c */
+-#define AVIC_LOGICAL_ID_ENTRY_GUEST_PHYSICAL_ID_MASK  (0xFF)
+-#define AVIC_LOGICAL_ID_ENTRY_VALID_BIT                       31
+-#define AVIC_LOGICAL_ID_ENTRY_VALID_MASK              (1 << 31)
+-
+-#define AVIC_PHYSICAL_ID_ENTRY_HOST_PHYSICAL_ID_MASK  GENMASK_ULL(11, 0)
+-#define AVIC_PHYSICAL_ID_ENTRY_BACKING_PAGE_MASK      (0xFFFFFFFFFFULL << 12)
+-#define AVIC_PHYSICAL_ID_ENTRY_IS_RUNNING_MASK                (1ULL << 62)
+-#define AVIC_PHYSICAL_ID_ENTRY_VALID_MASK             (1ULL << 63)
+-
+-#define VMCB_AVIC_APIC_BAR_MASK               0xFFFFFFFFFF000ULL
+-
+ int avic_ga_log_notifier(u32 ga_tag);
+ void avic_vm_destroy(struct kvm *kvm);
+ int avic_vm_init(struct kvm *kvm);
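Review bot: `AVIC_LOGICAL_ID_ENTRY_VALID_MASK` is still `(1 << 31)` in asm/svm.h, while the neighbouring masks were widened to `ULL` in this change. Shifting a signed `int` 1 into bit 31 yields a negative value that sign-extends if it is ever combined with a 64-bit operand. `#define AVIC_LOGICAL_ID_ENTRY_VALID_MASK (1U << 31)` (or `BIT(31)`) would make it consistent with the others. `AVIC_DOORBELL_PHYSICAL_ID_MASK` also grows from 8 to 12 bits here; its users are not in the hunk, so it is worth checking that none of them relied on the old truncation to 8 bits.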
diff --git a/queue-5.17/reinstate-some-of-swiotlb-rework-fix-info-leak-with-dma_from_device.patch b/queue-5.17/reinstate-some-of-swiotlb-rework-fix-info-leak-with-dma_from_device.patch
new file mode 100644 (file)
index 0000000..76794b4
--- /dev/null
@@ -0,0 +1,91 @@
+From 901c7280ca0d5e2b4a8929fbe0bfb007ac2a6544 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Mon, 28 Mar 2022 11:37:05 -0700
+Subject: Reinstate some of "swiotlb: rework "fix info leak with DMA_FROM_DEVICE""
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 901c7280ca0d5e2b4a8929fbe0bfb007ac2a6544 upstream.
+
+Halil Pasic points out [1] that the full revert of that commit (revert
+in bddac7c1e02b), and that a partial revert that only reverts the
+problematic case, but still keeps some of the cleanups is probably
+better.  
+
+And that partial revert [2] had already been verified by Oleksandr
+Natalenko to also fix the issue, I had just missed that in the long
+discussion.
+
+So let's reinstate the cleanups from commit aa6f8dcbab47 ("swiotlb:
+rework "fix info leak with DMA_FROM_DEVICE""), and effectively only
+revert the part that caused problems.
+
+Link: https://lore.kernel.org/all/20220328013731.017ae3e3.pasic@linux.ibm.com/ [1]
+Link: https://lore.kernel.org/all/20220324055732.GB12078@lst.de/ [2]
+Link: https://lore.kernel.org/all/4386660.LvFx2qVVIh@natalenko.name/ [3]
+Suggested-by: Halil Pasic <pasic@linux.ibm.com>
+Tested-by: Oleksandr Natalenko <oleksandr@natalenko.name>
+Cc: Christoph Hellwig" <hch@lst.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/core-api/dma-attributes.rst |    8 --------
+ include/linux/dma-mapping.h               |    8 --------
+ kernel/dma/swiotlb.c                      |   12 ++++++++----
+ 3 files changed, 8 insertions(+), 20 deletions(-)
+
+--- a/Documentation/core-api/dma-attributes.rst
++++ b/Documentation/core-api/dma-attributes.rst
+@@ -130,11 +130,3 @@ accesses to DMA buffers in both privileg
+ subsystem that the buffer is fully accessible at the elevated privilege
+ level (and ideally inaccessible or at least read-only at the
+ lesser-privileged levels).
+-
+-DMA_ATTR_OVERWRITE
+-------------------
+-
+-This is a hint to the DMA-mapping subsystem that the device is expected to
+-overwrite the entire mapped size, thus the caller does not require any of the
+-previous buffer contents to be preserved. This allows bounce-buffering
+-implementations to optimise DMA_FROM_DEVICE transfers.
+--- a/include/linux/dma-mapping.h
++++ b/include/linux/dma-mapping.h
+@@ -62,14 +62,6 @@
+ #define DMA_ATTR_PRIVILEGED           (1UL << 9)
+ /*
+- * This is a hint to the DMA-mapping subsystem that the device is expected
+- * to overwrite the entire mapped size, thus the caller does not require any
+- * of the previous buffer contents to be preserved. This allows
+- * bounce-buffering implementations to optimise DMA_FROM_DEVICE transfers.
+- */
+-#define DMA_ATTR_OVERWRITE            (1UL << 10)
+-
+-/*
+  * A dma_addr_t can hold any valid DMA or bus address for the platform.  It can
+  * be given to a device to use as a DMA source or target.  It is specific to a
+  * given device and there may be a translation between the CPU physical address
+--- a/kernel/dma/swiotlb.c
++++ b/kernel/dma/swiotlb.c
+@@ -627,10 +627,14 @@ phys_addr_t swiotlb_tbl_map_single(struc
+       for (i = 0; i < nr_slots(alloc_size + offset); i++)
+               mem->slots[index + i].orig_addr = slot_addr(orig_addr, i);
+       tlb_addr = slot_addr(mem->start, index) + offset;
+-      if (!(attrs & DMA_ATTR_SKIP_CPU_SYNC) &&
+-          (!(attrs & DMA_ATTR_OVERWRITE) || dir == DMA_TO_DEVICE ||
+-          dir == DMA_BIDIRECTIONAL))
+-              swiotlb_bounce(dev, tlb_addr, mapping_size, DMA_TO_DEVICE);
++      /*
++       * When dir == DMA_FROM_DEVICE we could omit the copy from the orig
++       * to the tlb buffer, if we knew for sure the device will
++       * overwirte the entire current content. But we don't. Thus
++       * unconditional bounce may prevent leaking swiotlb content (i.e.
++       * kernel memory) to user-space.
++       */
++      swiotlb_bounce(dev, tlb_addr, mapping_size, DMA_TO_DEVICE);
+       return tlb_addr;
+ }
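Review bot: The new comment above the unconditional `swiotlb_bounce()` explains the DMA_FROM_DEVICE case, but not that `DMA_ATTR_SKIP_CPU_SYNC` is no longer honoured on this path, which the removed condition did check. If that is deliberate, as the info-leak rationale suggests, the comment should say so, e.g. by appending `* DMA_ATTR_SKIP_CPU_SYNC is intentionally ignored here for the same reason.` so a later optimisation does not restore the skip and expose stale bounce-buffer contents again. The comment also has a typo, `overwirte` for `overwrite`. swiotlb_tbl_map_single() starts outside the hunk.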
diff --git a/queue-5.17/scsi-qla2xxx-add-qla2x00_async_done-for-async-routines.patch b/queue-5.17/scsi-qla2xxx-add-qla2x00_async_done-for-async-routines.patch
new file mode 100644 (file)
index 0000000..f48a239
--- /dev/null
@@ -0,0 +1,60 @@
+From 49b729f58e7a98a006a8a0c1dcca8a1a4f58d2a8 Mon Sep 17 00:00:00 2001
+From: Saurav Kashyap <skashyap@marvell.com>
+Date: Tue, 8 Feb 2022 01:39:46 -0800
+Subject: scsi: qla2xxx: Add qla2x00_async_done() for async routines
+
+From: Saurav Kashyap <skashyap@marvell.com>
+
+commit 49b729f58e7a98a006a8a0c1dcca8a1a4f58d2a8 upstream.
+
+This done routine will delete the timer and check for its return value and
+decrease the reference count accordingly. This prevents boot hangs reported
+after commit 31e6cdbe0eae ("scsi: qla2xxx: Implement ref count for SRB")
+was merged.
+
+Link: https://lore.kernel.org/r/20220208093946.4471-1-njavali@marvell.com
+Fixes: 31e6cdbe0eae ("scsi: qla2xxx: Implement ref count for SRB")
+Reported-by: Ewan Milne <emilne@redhat.com>
+Tested-by: Ewan D. Milne <emilne@redhat.com>
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Saurav Kashyap <skashyap@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_iocb.c |   17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_iocb.c
++++ b/drivers/scsi/qla2xxx/qla_iocb.c
+@@ -2560,6 +2560,20 @@ qla24xx_tm_iocb(srb_t *sp, struct tsk_mg
+       }
+ }
++static void
++qla2x00_async_done(struct srb *sp, int res)
++{
++      if (del_timer(&sp->u.iocb_cmd.timer)) {
++              /*
++               * Successfully cancelled the timeout handler
++               * ref: TMR
++               */
++              if (kref_put(&sp->cmd_kref, qla2x00_sp_release))
++                      return;
++      }
++      sp->async_done(sp, res);
++}
++
+ void
+ qla2x00_sp_release(struct kref *kref)
+ {
+@@ -2573,7 +2587,8 @@ qla2x00_init_async_sp(srb_t *sp, unsigne
+                    void (*done)(struct srb *sp, int res))
+ {
+       timer_setup(&sp->u.iocb_cmd.timer, qla2x00_sp_timeout, 0);
+-      sp->done = done;
++      sp->done = qla2x00_async_done;
++      sp->async_done = done;
+       sp->free = qla2x00_sp_free;
+       sp->u.iocb_cmd.timeout = qla2x00_async_iocb_timeout;
+       sp->u.iocb_cmd.timer.expires = jiffies + tmo * HZ;
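Review bot: qla2x00_async_done() has no header comment describing its reference-count contract, and the inline `ref: TMR` is hard to read without the SRB refcount commit at hand. I would add above the function `/* Completion wrapper for async SRBs: cancel the timeout timer and drop the reference it held; if that was the last reference the SRB is already released and must not be touched. */`. When `del_timer()` returns 0 the code falls through to `sp->async_done(sp, res)` without a `kref_put()`. Presumably the timeout handler then owns that reference and may be running concurrently; neither is visible in this hunk, so it is worth confirming. It is also not shown whether `done` passed to qla2x00_init_async_sp() can be NULL, in which case the unconditional `sp->async_done()` call would need a guard.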
index 7918940bbc8dd23e3f2b8b99f3bf1a587d8ed4b2..1351973f00d3018130adea86048b8e17c0cc53e2 100644 (file)
@@ -1065,3 +1065,13 @@ can-isotp-restore-accidentally-removed-msg_peek-feat.patch
 proc-bootconfig-add-null-pointer-check.patch
 x86-fpu-xstate-fix-the-arch_req_xcomp_perm-implementation.patch
 x86-sev-unroll-string-mmio-with-cc_attr_guest_unroll_string_io.patch
+drm-connector-fix-typo-in-documentation.patch
+scsi-qla2xxx-add-qla2x00_async_done-for-async-routines.patch
+staging-mt7621-dts-fix-pinctrl-0-items-to-be-size-1-items-on-ethernet.patch
+docs-fix-make-htmldocs-warning-in-sctp.rst.patch
+arm64-mm-drop-const-from-conditional-arm64_dma_phys_limit-definition.patch
+asoc-soc-compress-change-the-check-for-codec_dai.patch
+kvm-x86-svm-fix-avic-spec-based-definitions-again.patch
+ax25-fix-uaf-bug-in-ax25_send_control.patch
+reinstate-some-of-swiotlb-rework-fix-info-leak-with-dma_from_device.patch
+tracing-have-type-enum-modifications-copy-the-strings.patch
diff --git a/queue-5.17/staging-mt7621-dts-fix-pinctrl-0-items-to-be-size-1-items-on-ethernet.patch b/queue-5.17/staging-mt7621-dts-fix-pinctrl-0-items-to-be-size-1-items-on-ethernet.patch
new file mode 100644 (file)
index 0000000..9bf5cdc
--- /dev/null
@@ -0,0 +1,36 @@
+From 25e4f5220efead592c83200241e098e757d37e1f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ar=C4=B1n=C3=A7=20=C3=9CNAL?= <arinc.unal@arinc9.com>
+Date: Tue, 15 Feb 2022 11:17:24 +0300
+Subject: staging: mt7621-dts: fix pinctrl-0 items to be size-1 items on ethernet
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arınç ÜNAL <arinc.unal@arinc9.com>
+
+commit 25e4f5220efead592c83200241e098e757d37e1f upstream.
+
+Fix pinctrl-0 items under the ethernet node to be size-1 items.
+Current notation would be used on specifications with non-zero cells.
+
+Fixes: 0a93c0d75809 ("staging: mt7621-dts: fix pinctrl properties for ethernet")
+Reported-by: Sander Vanheule <sander@svanheule.net>
+Signed-off-by: Arınç ÜNAL <arinc.unal@arinc9.com>
+Link: https://lore.kernel.org/r/20220215081725.3463-1-arinc.unal@arinc9.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/mt7621-dts/mt7621.dtsi |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/mt7621-dts/mt7621.dtsi
++++ b/drivers/staging/mt7621-dts/mt7621.dtsi
+@@ -326,7 +326,7 @@
+               mediatek,ethsys = <&sysc>;
+               pinctrl-names = "default";
+-              pinctrl-0 = <&rgmii1_pins &rgmii2_pins &mdio_pins>;
++              pinctrl-0 = <&mdio_pins>, <&rgmii1_pins>, <&rgmii2_pins>;
+               gmac0: mac@0 {
+                       compatible = "mediatek,eth-mac";
diff --git a/queue-5.17/tracing-have-type-enum-modifications-copy-the-strings.patch b/queue-5.17/tracing-have-type-enum-modifications-copy-the-strings.patch
new file mode 100644 (file)
index 0000000..96b917e
--- /dev/null
@@ -0,0 +1,156 @@
+From 795301d3c28996219d555023ac6863401b6076bc Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Google)" <rostedt@goodmis.org>
+Date: Fri, 18 Mar 2022 15:34:32 -0400
+Subject: tracing: Have type enum modifications copy the strings
+
+From: Steven Rostedt (Google) <rostedt@goodmis.org>
+
+commit 795301d3c28996219d555023ac6863401b6076bc upstream.
+
+When an enum is used in the visible parts of a trace event that is
+exported to user space, the user space applications like perf and
+trace-cmd do not have a way to know what the value of the enum is. To
+solve this, at boot up (or module load) the printk formats are modified to
+replace the enum with their numeric value in the string output.
+
+Array fields of the event are defined by [<nr-elements>] in the type
+portion of the format file so that the user space parsers can correctly
+parse the array into the appropriate size chunks. But in some trace
+events, an enum is used in defining the size of the array, which once
+again breaks the parsing of user space tooling.
+
+This was solved the same way as the print formats were, but it modified
+the type strings of the trace event. This caused crashes in some
+architectures because, as supposed to the print string, is a const string
+value. This was not detected on x86, as it appears that const strings are
+still writable (at least in boot up), but other architectures this is not
+the case, and writing to a const string will cause a kernel fault.
+
+To fix this, use kstrdup() to copy the type before modifying it. If the
+trace event is for the core kernel there's no need to free it because the
+string will be in use for the life of the machine being on line. For
+modules, create a link list to store all the strings being allocated for
+modules and when the module is removed, free them.
+
+Link: https://lore.kernel.org/all/yt9dr1706b4i.fsf@linux.ibm.com/
+Link: https://lkml.kernel.org/r/20220318153432.3984b871@gandalf.local.home
+
+Tested-by: Marc Zyngier <maz@kernel.org>
+Tested-by: Sven Schnelle <svens@linux.ibm.com>
+Reported-by: Sven Schnelle <svens@linux.ibm.com>
+Fixes: b3bc8547d3be ("tracing: Have TRACE_DEFINE_ENUM affect trace event types as well")
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_events.c |   62 +++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 61 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_events.c
++++ b/kernel/trace/trace_events.c
+@@ -40,6 +40,14 @@ static LIST_HEAD(ftrace_generic_fields);
+ static LIST_HEAD(ftrace_common_fields);
+ static bool eventdir_initialized;
++static LIST_HEAD(module_strings);
++
++struct module_string {
++      struct list_head        next;
++      struct module           *module;
++      char                    *str;
++};
++
+ #define GFP_TRACE (GFP_KERNEL | __GFP_ZERO)
+ static struct kmem_cache *field_cachep;
+@@ -2637,14 +2645,40 @@ static void update_event_printk(struct t
+       }
+ }
++static void add_str_to_module(struct module *module, char *str)
++{
++      struct module_string *modstr;
++
++      modstr = kmalloc(sizeof(*modstr), GFP_KERNEL);
++
++      /*
++       * If we failed to allocate memory here, then we'll just
++       * let the str memory leak when the module is removed.
++       * If this fails to allocate, there's worse problems than
++       * a leaked string on module removal.
++       */
++      if (WARN_ON_ONCE(!modstr))
++              return;
++
++      modstr->module = module;
++      modstr->str = str;
++
++      list_add(&modstr->next, &module_strings);
++}
++
+ static void update_event_fields(struct trace_event_call *call,
+                               struct trace_eval_map *map)
+ {
+       struct ftrace_event_field *field;
+       struct list_head *head;
+       char *ptr;
++      char *str;
+       int len = strlen(map->eval_string);
++      /* Dynamic events should never have field maps */
++      if (WARN_ON_ONCE(call->flags & TRACE_EVENT_FL_DYNAMIC))
++              return;
++
+       head = trace_get_fields(call);
+       list_for_each_entry(field, head, link) {
+               ptr = strchr(field->type, '[');
+@@ -2658,9 +2692,26 @@ static void update_event_fields(struct t
+               if (strncmp(map->eval_string, ptr, len) != 0)
+                       continue;
++              str = kstrdup(field->type, GFP_KERNEL);
++              if (WARN_ON_ONCE(!str))
++                      return;
++              ptr = str + (ptr - field->type);
+               ptr = eval_replace(ptr, map, len);
+               /* enum/sizeof string smaller than value */
+-              WARN_ON_ONCE(!ptr);
++              if (WARN_ON_ONCE(!ptr)) {
++                      kfree(str);
++                      continue;
++              }
++
++              /*
++               * If the event is part of a module, then we need to free the string
++               * when the module is removed. Otherwise, it will stay allocated
++               * until a reboot.
++               */
++              if (call->module)
++                      add_str_to_module(call->module, str);
++
++              field->type = str;
+       }
+ }
+@@ -2885,6 +2936,7 @@ static void trace_module_add_events(stru
+ static void trace_module_remove_events(struct module *mod)
+ {
+       struct trace_event_call *call, *p;
++      struct module_string *modstr, *m;
+       down_write(&trace_event_sem);
+       list_for_each_entry_safe(call, p, &ftrace_events, list) {
+@@ -2893,6 +2945,14 @@ static void trace_module_remove_events(s
+               if (call->module == mod)
+                       __trace_remove_event_call(call);
+       }
++      /* Check for any strings allocade for this module */
++      list_for_each_entry_safe(modstr, m, &module_strings, next) {
++              if (modstr->module != mod)
++                      continue;
++              list_del(&modstr->next);
++              kfree(modstr->str);
++              kfree(modstr);
++      }
+       up_write(&trace_event_sem);
+       /*