--- /dev/null
+From ed68a10a632664393971e78bee03ae77d0689684 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 15:26:00 +0800
+Subject: ACPI / hotplug / PCI: Fix reference count leak in enable_slot()
+
+From: Feilong Lin <linfeilong@huawei.com>
+
+[ Upstream commit 3bbfd319034ddce59e023837a4aa11439460509b ]
+
+In enable_slot(), if pci_get_slot() returns NULL, we clear the SLOT_ENABLED
+flag. When pci_get_slot() finds a device, it increments the device's
+reference count. In this case, we did not call pci_dev_put() to decrement
+the reference count, so the memory of the device (struct pci_dev type) will
+eventually leak.
+
+Call pci_dev_put() to decrement its reference count when pci_get_slot()
+returns a PCI device.
+
+Link: https://lore.kernel.org/r/b411af88-5049-a1c6-83ac-d104a1f429be@huawei.com
+Signed-off-by: Feilong Lin <linfeilong@huawei.com>
+Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/hotplug/acpiphp_glue.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pci/hotplug/acpiphp_glue.c b/drivers/pci/hotplug/acpiphp_glue.c
+index 3365c93abf0e..f031302ad401 100644
+--- a/drivers/pci/hotplug/acpiphp_glue.c
++++ b/drivers/pci/hotplug/acpiphp_glue.c
+@@ -533,6 +533,7 @@ static void enable_slot(struct acpiphp_slot *slot, bool bridge)
+ slot->flags &= ~SLOT_ENABLED;
+ continue;
+ }
++ pci_dev_put(dev);
+ }
+ }
+
+--
+2.30.2
+
--- /dev/null
+From b81c10ca3c9857d537dfbf6aedbbb483428a4d4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 May 2021 15:39:17 +0800
+Subject: ALSA: hda: generic: change the DAC ctl name for LO+SPK or LO+HP
+
+From: Hui Wang <hui.wang@canonical.com>
+
+[ Upstream commit f48652bbe3ae62ba2835a396b7e01f063e51c4cd ]
+
+Without this change, the DAC ctl's name could be changed only when
+the machine has both Speaker and Headphone, but we met some machines
+which only has Lineout and Headhpone, and the Lineout and Headphone
+share the Audio Mixer0 and DAC0, the ctl's name is set to "Front".
+
+On most of machines, the "Front" is used for Speaker only or Lineout
+only, but on this machine it is shared by Lineout and Headphone,
+This introduces an issue in the pipewire and pulseaudio, suppose users
+want the Headphone to be on and the Speaker/Lineout to be off, they
+could turn off the "Front", this works on most of the machines, but on
+this machine, the "Front" couldn't be turned off otherwise the
+headphone will be off too. Here we do some change to let the ctl's
+name change to "Headphone+LO" on this machine, and pipewire and
+pulseaudio already could handle "Headphone+LO" and "Speaker+LO".
+(https://gitlab.freedesktop.org/pipewire/pipewire/-/issues/747)
+
+BugLink: http://bugs.launchpad.net/bugs/804178
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Link: https://lore.kernel.org/r/20210504073917.22406-1-hui.wang@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/hda_generic.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/sound/pci/hda/hda_generic.c b/sound/pci/hda/hda_generic.c
+index 96903295a967..7c49a7e92dd2 100644
+--- a/sound/pci/hda/hda_generic.c
++++ b/sound/pci/hda/hda_generic.c
+@@ -1202,11 +1202,17 @@ static const char *get_line_out_pfx(struct hda_codec *codec, int ch,
+ *index = ch;
+ return "Headphone";
+ case AUTO_PIN_LINE_OUT:
+- /* This deals with the case where we have two DACs and
+- * one LO, one HP and one Speaker */
+- if (!ch && cfg->speaker_outs && cfg->hp_outs) {
+- bool hp_lo_shared = !path_has_mixer(codec, spec->hp_paths[0], ctl_type);
+- bool spk_lo_shared = !path_has_mixer(codec, spec->speaker_paths[0], ctl_type);
++ /* This deals with the case where one HP or one Speaker or
++ * one HP + one Speaker need to share the DAC with LO
++ */
++ if (!ch) {
++ bool hp_lo_shared = false, spk_lo_shared = false;
++
++ if (cfg->speaker_outs)
++ spk_lo_shared = !path_has_mixer(codec,
++ spec->speaker_paths[0], ctl_type);
++ if (cfg->hp_outs)
++ hp_lo_shared = !path_has_mixer(codec, spec->hp_paths[0], ctl_type);
+ if (hp_lo_shared && spk_lo_shared)
+ return spec->vmaster_mute.hook ? "PCM" : "Master";
+ if (hp_lo_shared)
+--
+2.30.2
+
--- /dev/null
+From 42ec025524da9bb6f61e3335db044aeabe53ffea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Apr 2021 00:34:35 -0400
+Subject: amdgpu/pm: Prevent force of DCEFCLK on NAVI10 and SIENNA_CICHLID
+
+From: Darren Powell <darren.powell@amd.com>
+
+[ Upstream commit b117b3964f38a988cb79825950dbd607c02237f3 ]
+
+Writing to dcefclk causes the gpu to become unresponsive, and requires a reboot.
+Patch ignores a .force_clk_levels(SMU_DCEFCLK) call and issues an
+info message.
+
+Signed-off-by: Darren Powell <darren.powell@amd.com>
+Reviewed-by: Kenneth Feng <kenneth.feng@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c | 5 ++++-
+ drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c | 4 +++-
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c
+index f2c8719b8395..52df6202a954 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c
+@@ -1110,7 +1110,6 @@ static int navi10_force_clk_levels(struct smu_context *smu,
+ case SMU_SOCCLK:
+ case SMU_MCLK:
+ case SMU_UCLK:
+- case SMU_DCEFCLK:
+ case SMU_FCLK:
+ /* There is only 2 levels for fine grained DPM */
+ if (navi10_is_support_fine_grained_dpm(smu, clk_type)) {
+@@ -1130,6 +1129,10 @@ static int navi10_force_clk_levels(struct smu_context *smu,
+ if (ret)
+ return size;
+ break;
++ case SMU_DCEFCLK:
++ dev_info(smu->adev->dev,"Setting DCEFCLK min/max dpm level is not supported!\n");
++ break;
++
+ default:
+ break;
+ }
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c
+index 31da8fae6fa9..471bbb78884b 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c
+@@ -1018,7 +1018,6 @@ static int sienna_cichlid_force_clk_levels(struct smu_context *smu,
+ case SMU_SOCCLK:
+ case SMU_MCLK:
+ case SMU_UCLK:
+- case SMU_DCEFCLK:
+ case SMU_FCLK:
+ /* There is only 2 levels for fine grained DPM */
+ if (sienna_cichlid_is_support_fine_grained_dpm(smu, clk_type)) {
+@@ -1038,6 +1037,9 @@ static int sienna_cichlid_force_clk_levels(struct smu_context *smu,
+ if (ret)
+ goto forec_level_out;
+ break;
++ case SMU_DCEFCLK:
++ dev_info(smu->adev->dev,"Setting DCEFCLK min/max dpm level is not supported!\n");
++ break;
+ default:
+ break;
+ }
+--
+2.30.2
+
--- /dev/null
+From e686c90563715ad9984f94801019f3eb5f1ddf36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Feb 2021 09:23:09 +0100
+Subject: ARM: 9058/1: cache-v7: refactor v7_invalidate_l1 to avoid clobbering
+ r5/r6
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+[ Upstream commit f9e7a99fb6b86aa6a00e53b34ee6973840e005aa ]
+
+The cache invalidation code in v7_invalidate_l1 can be tweaked to
+re-read the associativity from CCSIDR, and keep the way identifier
+component in a single register that is assigned in the outer loop. This
+way, we need 2 registers less.
+
+Given that the number of sets is typically much larger than the
+associativity, rearrange the code so that the outer loop has the fewer
+number of iterations, ensuring that the re-read of CCSIDR only occurs a
+handful of times in practice.
+
+Fix the whitespace while at it, and update the comment to indicate that
+this code is no longer a clone of anything else.
+
+Acked-by: Nicolas Pitre <nico@fluxnic.net>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mm/cache-v7.S | 51 +++++++++++++++++++++---------------------
+ 1 file changed, 25 insertions(+), 26 deletions(-)
+
+diff --git a/arch/arm/mm/cache-v7.S b/arch/arm/mm/cache-v7.S
+index dc8f152f3556..e3bc1d6e13d0 100644
+--- a/arch/arm/mm/cache-v7.S
++++ b/arch/arm/mm/cache-v7.S
+@@ -33,41 +33,40 @@ icache_size:
+ * processor. We fix this by performing an invalidate, rather than a
+ * clean + invalidate, before jumping into the kernel.
+ *
+- * This function is cloned from arch/arm/mach-tegra/headsmp.S, and needs
+- * to be called for both secondary cores startup and primary core resume
+- * procedures.
++ * This function needs to be called for both secondary cores startup and
++ * primary core resume procedures.
+ */
+ ENTRY(v7_invalidate_l1)
+ mov r0, #0
+ mcr p15, 2, r0, c0, c0, 0
+ mrc p15, 1, r0, c0, c0, 0
+
+- movw r1, #0x7fff
+- and r2, r1, r0, lsr #13
++ movw r3, #0x3ff
++ and r3, r3, r0, lsr #3 @ 'Associativity' in CCSIDR[12:3]
++ clz r1, r3 @ WayShift
++ mov r2, #1
++ mov r3, r3, lsl r1 @ NumWays-1 shifted into bits [31:...]
++ movs r1, r2, lsl r1 @ #1 shifted left by same amount
++ moveq r1, #1 @ r1 needs value > 0 even if only 1 way
+
+- movw r1, #0x3ff
++ and r2, r0, #0x7
++ add r2, r2, #4 @ SetShift
+
+- and r3, r1, r0, lsr #3 @ NumWays - 1
+- add r2, r2, #1 @ NumSets
++1: movw r4, #0x7fff
++ and r0, r4, r0, lsr #13 @ 'NumSets' in CCSIDR[27:13]
+
+- and r0, r0, #0x7
+- add r0, r0, #4 @ SetShift
+-
+- clz r1, r3 @ WayShift
+- add r4, r3, #1 @ NumWays
+-1: sub r2, r2, #1 @ NumSets--
+- mov r3, r4 @ Temp = NumWays
+-2: subs r3, r3, #1 @ Temp--
+- mov r5, r3, lsl r1
+- mov r6, r2, lsl r0
+- orr r5, r5, r6 @ Reg = (Temp<<WayShift)|(NumSets<<SetShift)
+- mcr p15, 0, r5, c7, c6, 2
+- bgt 2b
+- cmp r2, #0
+- bgt 1b
+- dsb st
+- isb
+- ret lr
++2: mov r4, r0, lsl r2 @ NumSet << SetShift
++ orr r4, r4, r3 @ Reg = (Temp<<WayShift)|(NumSets<<SetShift)
++ mcr p15, 0, r4, c7, c6, 2
++ subs r0, r0, #1 @ Set--
++ bpl 2b
++ subs r3, r3, r1 @ Way--
++ bcc 3f
++ mrc p15, 1, r0, c0, c0, 0 @ re-read cache geometry from CCSIDR
++ b 1b
++3: dsb st
++ isb
++ ret lr
+ ENDPROC(v7_invalidate_l1)
+
+ /*
+--
+2.30.2
+
--- /dev/null
+From 5a5f1cf8852f60edae8410d330359c33fb92d366 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Feb 2021 13:25:53 +0100
+Subject: ARM: 9066/1: ftrace: pause/unpause function graph tracer in
+ cpu_suspend()
+
+From: louis.wang <liang26812@gmail.com>
+
+[ Upstream commit 8252ca87c7a2111502ee13994956f8c309faad7f ]
+
+Enabling function_graph tracer on ARM causes kernel panic, because the
+function graph tracer updates the "return address" of a function in order
+to insert a trace callback on function exit, it saves the function's
+original return address in a return trace stack, but cpu_suspend() may not
+return through the normal return path.
+
+cpu_suspend() will resume directly via the cpu_resume path, but the return
+trace stack has been set-up by the subfunctions of cpu_suspend(), which
+makes the "return address" inconsistent with cpu_suspend().
+
+This patch refers to Commit de818bd4522c40ea02a81b387d2fa86f989c9623
+("arm64: kernel: pause/unpause function graph tracer in cpu_suspend()"),
+
+fixes the issue by pausing/resuming the function graph tracer on the thread
+executing cpu_suspend(), so that the function graph tracer state is kept
+consistent across functions that enter power down states and never return
+by effectively disabling graph tracer while they are executing.
+
+Signed-off-by: louis.wang <liang26812@gmail.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/kernel/suspend.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/kernel/suspend.c b/arch/arm/kernel/suspend.c
+index 24bd20564be7..43f0a3ebf390 100644
+--- a/arch/arm/kernel/suspend.c
++++ b/arch/arm/kernel/suspend.c
+@@ -1,4 +1,5 @@
+ // SPDX-License-Identifier: GPL-2.0
++#include <linux/ftrace.h>
+ #include <linux/init.h>
+ #include <linux/slab.h>
+ #include <linux/mm_types.h>
+@@ -25,6 +26,13 @@ int cpu_suspend(unsigned long arg, int (*fn)(unsigned long))
+ if (!idmap_pgd)
+ return -EINVAL;
+
++ /*
++ * Function graph tracer state gets incosistent when the kernel
++ * calls functions that never return (aka suspend finishers) hence
++ * disable graph tracing during their execution.
++ */
++ pause_graph_tracing();
++
+ /*
+ * Provide a temporary page table with an identity mapping for
+ * the MMU-enable code, required for resuming. On successful
+@@ -32,6 +40,9 @@ int cpu_suspend(unsigned long arg, int (*fn)(unsigned long))
+ * back to the correct page tables.
+ */
+ ret = __cpu_suspend(arg, fn, __mpidr);
++
++ unpause_graph_tracing();
++
+ if (ret == 0) {
+ cpu_switch_mm(mm->pgd, mm);
+ local_flush_bp_all();
+@@ -45,7 +56,13 @@ int cpu_suspend(unsigned long arg, int (*fn)(unsigned long))
+ int cpu_suspend(unsigned long arg, int (*fn)(unsigned long))
+ {
+ u32 __mpidr = cpu_logical_map(smp_processor_id());
+- return __cpu_suspend(arg, fn, __mpidr);
++ int ret;
++
++ pause_graph_tracing();
++ ret = __cpu_suspend(arg, fn, __mpidr);
++ unpause_graph_tracing();
++
++ return ret;
+ }
+ #define idmap_pgd NULL
+ #endif
+--
+2.30.2
+
--- /dev/null
+From cdfb28534e5d42387087fd1ece2235c71df1eb11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Apr 2021 04:41:16 +0100
+Subject: ARM: 9075/1: kernel: Fix interrupted SMC calls
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+
+[ Upstream commit 57ac51667d8cd62731223d687e5fe7b41c502f89 ]
+
+On Qualcomm ARM32 platforms, the SMC call can return before it has
+completed. If this occurs, the call can be restarted, but it requires
+using the returned session ID value from the interrupted SMC call.
+
+The ARM32 SMCC code already has the provision to add platform specific
+quirks for things like this. So let's make use of it and add the
+Qualcomm specific quirk (ARM_SMCCC_QUIRK_QCOM_A6) used by the QCOM_SCM
+driver.
+
+This change is similar to the below one added for ARM64 a while ago:
+commit 82bcd087029f ("firmware: qcom: scm: Fix interrupted SCM calls")
+
+Without this change, the Qualcomm ARM32 platforms like SDX55 will return
+-EINVAL for SMC calls used for modem firmware loading and validation.
+
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/kernel/asm-offsets.c | 3 +++
+ arch/arm/kernel/smccc-call.S | 11 ++++++++++-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/kernel/asm-offsets.c b/arch/arm/kernel/asm-offsets.c
+index be8050b0c3df..70993af22d80 100644
+--- a/arch/arm/kernel/asm-offsets.c
++++ b/arch/arm/kernel/asm-offsets.c
+@@ -24,6 +24,7 @@
+ #include <asm/vdso_datapage.h>
+ #include <asm/hardware/cache-l2x0.h>
+ #include <linux/kbuild.h>
++#include <linux/arm-smccc.h>
+ #include "signal.h"
+
+ /*
+@@ -148,6 +149,8 @@ int main(void)
+ DEFINE(SLEEP_SAVE_SP_PHYS, offsetof(struct sleep_save_sp, save_ptr_stash_phys));
+ DEFINE(SLEEP_SAVE_SP_VIRT, offsetof(struct sleep_save_sp, save_ptr_stash));
+ #endif
++ DEFINE(ARM_SMCCC_QUIRK_ID_OFFS, offsetof(struct arm_smccc_quirk, id));
++ DEFINE(ARM_SMCCC_QUIRK_STATE_OFFS, offsetof(struct arm_smccc_quirk, state));
+ BLANK();
+ DEFINE(DMA_BIDIRECTIONAL, DMA_BIDIRECTIONAL);
+ DEFINE(DMA_TO_DEVICE, DMA_TO_DEVICE);
+diff --git a/arch/arm/kernel/smccc-call.S b/arch/arm/kernel/smccc-call.S
+index 00664c78faca..931df62a7831 100644
+--- a/arch/arm/kernel/smccc-call.S
++++ b/arch/arm/kernel/smccc-call.S
+@@ -3,7 +3,9 @@
+ * Copyright (c) 2015, Linaro Limited
+ */
+ #include <linux/linkage.h>
++#include <linux/arm-smccc.h>
+
++#include <asm/asm-offsets.h>
+ #include <asm/opcodes-sec.h>
+ #include <asm/opcodes-virt.h>
+ #include <asm/unwind.h>
+@@ -27,7 +29,14 @@ UNWIND( .fnstart)
+ UNWIND( .save {r4-r7})
+ ldm r12, {r4-r7}
+ \instr
+- pop {r4-r7}
++ ldr r4, [sp, #36]
++ cmp r4, #0
++ beq 1f // No quirk structure
++ ldr r5, [r4, #ARM_SMCCC_QUIRK_ID_OFFS]
++ cmp r5, #ARM_SMCCC_QUIRK_QCOM_A6
++ bne 1f // No quirk present
++ str r6, [r4, #ARM_SMCCC_QUIRK_STATE_OFFS]
++1: pop {r4-r7}
+ ldr r12, [sp, #(4 * 4)]
+ stm r12, {r0-r3}
+ bx lr
+--
+2.30.2
+
--- /dev/null
+From 172ec08415bc6f3399c050b7fde6877bca511276 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Apr 2021 15:18:07 +0800
+Subject: block: reexpand iov_iter after read/write
+
+From: yangerkun <yangerkun@huawei.com>
+
+[ Upstream commit cf7b39a0cbf6bf57aa07a008d46cf695add05b4c ]
+
+We get a bug:
+
+BUG: KASAN: slab-out-of-bounds in iov_iter_revert+0x11c/0x404
+lib/iov_iter.c:1139
+Read of size 8 at addr ffff0000d3fb11f8 by task
+
+CPU: 0 PID: 12582 Comm: syz-executor.2 Not tainted
+5.10.0-00843-g352c8610ccd2 #2
+Hardware name: linux,dummy-virt (DT)
+Call trace:
+ dump_backtrace+0x0/0x2d0 arch/arm64/kernel/stacktrace.c:132
+ show_stack+0x28/0x34 arch/arm64/kernel/stacktrace.c:196
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x110/0x164 lib/dump_stack.c:118
+ print_address_description+0x78/0x5c8 mm/kasan/report.c:385
+ __kasan_report mm/kasan/report.c:545 [inline]
+ kasan_report+0x148/0x1e4 mm/kasan/report.c:562
+ check_memory_region_inline mm/kasan/generic.c:183 [inline]
+ __asan_load8+0xb4/0xbc mm/kasan/generic.c:252
+ iov_iter_revert+0x11c/0x404 lib/iov_iter.c:1139
+ io_read fs/io_uring.c:3421 [inline]
+ io_issue_sqe+0x2344/0x2d64 fs/io_uring.c:5943
+ __io_queue_sqe+0x19c/0x520 fs/io_uring.c:6260
+ io_queue_sqe+0x2a4/0x590 fs/io_uring.c:6326
+ io_submit_sqe fs/io_uring.c:6395 [inline]
+ io_submit_sqes+0x4c0/0xa04 fs/io_uring.c:6624
+ __do_sys_io_uring_enter fs/io_uring.c:9013 [inline]
+ __se_sys_io_uring_enter fs/io_uring.c:8960 [inline]
+ __arm64_sys_io_uring_enter+0x190/0x708 fs/io_uring.c:8960
+ __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]
+ invoke_syscall arch/arm64/kernel/syscall.c:48 [inline]
+ el0_svc_common arch/arm64/kernel/syscall.c:158 [inline]
+ do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:227
+ el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367
+ el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383
+ el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670
+
+Allocated by task 12570:
+ stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121
+ kasan_save_stack mm/kasan/common.c:48 [inline]
+ kasan_set_track mm/kasan/common.c:56 [inline]
+ __kasan_kmalloc+0xdc/0x120 mm/kasan/common.c:461
+ kasan_kmalloc+0xc/0x14 mm/kasan/common.c:475
+ __kmalloc+0x23c/0x334 mm/slub.c:3970
+ kmalloc include/linux/slab.h:557 [inline]
+ __io_alloc_async_data+0x68/0x9c fs/io_uring.c:3210
+ io_setup_async_rw fs/io_uring.c:3229 [inline]
+ io_read fs/io_uring.c:3436 [inline]
+ io_issue_sqe+0x2954/0x2d64 fs/io_uring.c:5943
+ __io_queue_sqe+0x19c/0x520 fs/io_uring.c:6260
+ io_queue_sqe+0x2a4/0x590 fs/io_uring.c:6326
+ io_submit_sqe fs/io_uring.c:6395 [inline]
+ io_submit_sqes+0x4c0/0xa04 fs/io_uring.c:6624
+ __do_sys_io_uring_enter fs/io_uring.c:9013 [inline]
+ __se_sys_io_uring_enter fs/io_uring.c:8960 [inline]
+ __arm64_sys_io_uring_enter+0x190/0x708 fs/io_uring.c:8960
+ __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]
+ invoke_syscall arch/arm64/kernel/syscall.c:48 [inline]
+ el0_svc_common arch/arm64/kernel/syscall.c:158 [inline]
+ do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:227
+ el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367
+ el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383
+ el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670
+
+Freed by task 12570:
+ stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121
+ kasan_save_stack mm/kasan/common.c:48 [inline]
+ kasan_set_track+0x38/0x6c mm/kasan/common.c:56
+ kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:355
+ __kasan_slab_free+0x124/0x150 mm/kasan/common.c:422
+ kasan_slab_free+0x10/0x1c mm/kasan/common.c:431
+ slab_free_hook mm/slub.c:1544 [inline]
+ slab_free_freelist_hook mm/slub.c:1577 [inline]
+ slab_free mm/slub.c:3142 [inline]
+ kfree+0x104/0x38c mm/slub.c:4124
+ io_dismantle_req fs/io_uring.c:1855 [inline]
+ __io_free_req+0x70/0x254 fs/io_uring.c:1867
+ io_put_req_find_next fs/io_uring.c:2173 [inline]
+ __io_queue_sqe+0x1fc/0x520 fs/io_uring.c:6279
+ __io_req_task_submit+0x154/0x21c fs/io_uring.c:2051
+ io_req_task_submit+0x2c/0x44 fs/io_uring.c:2063
+ task_work_run+0xdc/0x128 kernel/task_work.c:151
+ get_signal+0x6f8/0x980 kernel/signal.c:2562
+ do_signal+0x108/0x3a4 arch/arm64/kernel/signal.c:658
+ do_notify_resume+0xbc/0x25c arch/arm64/kernel/signal.c:722
+ work_pending+0xc/0x180
+
+blkdev_read_iter can truncate iov_iter's count since the count + pos may
+exceed the size of the blkdev. This will confuse io_read that we have
+consume the iovec. And once we do the iov_iter_revert in io_read, we
+will trigger the slab-out-of-bounds. Fix it by reexpand the count with
+size has been truncated.
+
+blkdev_write_iter can trigger the problem too.
+
+Signed-off-by: yangerkun <yangerkun@huawei.com>
+Acked-by: Pavel Begunkov <asml.silencec@gmail.com>
+Link: https://lore.kernel.org/r/20210401071807.3328235-1-yangerkun@huawei.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/block_dev.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/fs/block_dev.c b/fs/block_dev.c
+index 718533f0fb90..cacea6bafc22 100644
+--- a/fs/block_dev.c
++++ b/fs/block_dev.c
+@@ -1903,6 +1903,7 @@ ssize_t blkdev_write_iter(struct kiocb *iocb, struct iov_iter *from)
+ struct inode *bd_inode = bdev_file_inode(file);
+ loff_t size = i_size_read(bd_inode);
+ struct blk_plug plug;
++ size_t shorted = 0;
+ ssize_t ret;
+
+ if (bdev_read_only(I_BDEV(bd_inode)))
+@@ -1920,12 +1921,17 @@ ssize_t blkdev_write_iter(struct kiocb *iocb, struct iov_iter *from)
+ if ((iocb->ki_flags & (IOCB_NOWAIT | IOCB_DIRECT)) == IOCB_NOWAIT)
+ return -EOPNOTSUPP;
+
+- iov_iter_truncate(from, size - iocb->ki_pos);
++ size -= iocb->ki_pos;
++ if (iov_iter_count(from) > size) {
++ shorted = iov_iter_count(from) - size;
++ iov_iter_truncate(from, size);
++ }
+
+ blk_start_plug(&plug);
+ ret = __generic_file_write_iter(iocb, from);
+ if (ret > 0)
+ ret = generic_write_sync(iocb, ret);
++ iov_iter_reexpand(from, iov_iter_count(from) + shorted);
+ blk_finish_plug(&plug);
+ return ret;
+ }
+@@ -1937,13 +1943,21 @@ ssize_t blkdev_read_iter(struct kiocb *iocb, struct iov_iter *to)
+ struct inode *bd_inode = bdev_file_inode(file);
+ loff_t size = i_size_read(bd_inode);
+ loff_t pos = iocb->ki_pos;
++ size_t shorted = 0;
++ ssize_t ret;
+
+ if (pos >= size)
+ return 0;
+
+ size -= pos;
+- iov_iter_truncate(to, size);
+- return generic_file_read_iter(iocb, to);
++ if (iov_iter_count(to) > size) {
++ shorted = iov_iter_count(to) - size;
++ iov_iter_truncate(to, size);
++ }
++
++ ret = generic_file_read_iter(iocb, to);
++ iov_iter_reexpand(to, iov_iter_count(to) + shorted);
++ return ret;
+ }
+ EXPORT_SYMBOL_GPL(blkdev_read_iter);
+
+--
+2.30.2
+
--- /dev/null
+From d022da91cea68f044284a61b6b2cb6558ef8db89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Apr 2021 22:38:14 +0800
+Subject: bridge: Fix possible races between assigning rx_handler_data and
+ setting IFF_BRIDGE_PORT bit
+
+From: Zhang Zhengming <zhangzhengming@huawei.com>
+
+[ Upstream commit 59259ff7a81b9eb6213891c6451221e567f8f22f ]
+
+There is a crash in the function br_get_link_af_size_filtered,
+as the port_exists(dev) is true and the rx_handler_data of dev is NULL.
+But the rx_handler_data of dev is correct saved in vmcore.
+
+The oops looks something like:
+ ...
+ pc : br_get_link_af_size_filtered+0x28/0x1c8 [bridge]
+ ...
+ Call trace:
+ br_get_link_af_size_filtered+0x28/0x1c8 [bridge]
+ if_nlmsg_size+0x180/0x1b0
+ rtnl_calcit.isra.12+0xf8/0x148
+ rtnetlink_rcv_msg+0x334/0x370
+ netlink_rcv_skb+0x64/0x130
+ rtnetlink_rcv+0x28/0x38
+ netlink_unicast+0x1f0/0x250
+ netlink_sendmsg+0x310/0x378
+ sock_sendmsg+0x4c/0x70
+ __sys_sendto+0x120/0x150
+ __arm64_sys_sendto+0x30/0x40
+ el0_svc_common+0x78/0x130
+ el0_svc_handler+0x38/0x78
+ el0_svc+0x8/0xc
+
+In br_add_if(), we found there is no guarantee that
+assigning rx_handler_data to dev->rx_handler_data
+will before setting the IFF_BRIDGE_PORT bit of priv_flags.
+So there is a possible data competition:
+
+CPU 0: CPU 1:
+(RCU read lock) (RTNL lock)
+rtnl_calcit() br_add_slave()
+ if_nlmsg_size() br_add_if()
+ br_get_link_af_size_filtered() -> netdev_rx_handler_register
+ ...
+ // The order is not guaranteed
+ ... -> dev->priv_flags |= IFF_BRIDGE_PORT;
+ // The IFF_BRIDGE_PORT bit of priv_flags has been set
+ -> if (br_port_exists(dev)) {
+ // The dev->rx_handler_data has NOT been assigned
+ -> p = br_port_get_rcu(dev);
+ ....
+ -> rcu_assign_pointer(dev->rx_handler_data, rx_handler_data);
+ ...
+
+Fix it in br_get_link_af_size_filtered, using br_port_get_check_rcu() and checking the return value.
+
+Signed-off-by: Zhang Zhengming <zhangzhengming@huawei.com>
+Reviewed-by: Zhao Lei <zhaolei69@huawei.com>
+Reviewed-by: Wang Xiaogang <wangxiaogang3@huawei.com>
+Suggested-by: Nikolay Aleksandrov <nikolay@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_netlink.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
+index 92d64abffa87..73f71c22f4c0 100644
+--- a/net/bridge/br_netlink.c
++++ b/net/bridge/br_netlink.c
+@@ -99,8 +99,9 @@ static size_t br_get_link_af_size_filtered(const struct net_device *dev,
+
+ rcu_read_lock();
+ if (netif_is_bridge_port(dev)) {
+- p = br_port_get_rcu(dev);
+- vg = nbp_vlan_group_rcu(p);
++ p = br_port_get_check_rcu(dev);
++ if (p)
++ vg = nbp_vlan_group_rcu(p);
+ } else if (dev->priv_flags & IFF_EBRIDGE) {
+ br = netdev_priv(dev);
+ vg = br_vlan_group_rcu(br);
+--
+2.30.2
+
--- /dev/null
+From 7cfb7091aa64ecb0ff830eae4f231d9ea3cbe9e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Apr 2021 13:55:11 -0400
+Subject: ceph: don't allow access to MDS-private inodes
+
+From: Jeff Layton <jlayton@kernel.org>
+
+[ Upstream commit d4f6b31d721779d91b5e2f8072478af73b196c34 ]
+
+The MDS reserves a set of inodes for its own usage, and these should
+never be accessible to clients. Add a new helper to vet a proposed
+inode number against that range, and complain loudly and refuse to
+create or look it up if it's in it.
+
+Also, ensure that the MDS doesn't try to delegate inodes that are in
+that range or lower. Print a warning if it does, and don't save the
+range in the xarray.
+
+URL: https://tracker.ceph.com/issues/49922
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: Xiubo Li <xiubli@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ceph/export.c | 8 ++++++++
+ fs/ceph/inode.c | 3 +++
+ fs/ceph/mds_client.c | 7 +++++++
+ fs/ceph/super.h | 24 ++++++++++++++++++++++++
+ 4 files changed, 42 insertions(+)
+
+diff --git a/fs/ceph/export.c b/fs/ceph/export.c
+index baa6368bece5..042bb4a02c0a 100644
+--- a/fs/ceph/export.c
++++ b/fs/ceph/export.c
+@@ -129,6 +129,10 @@ static struct inode *__lookup_inode(struct super_block *sb, u64 ino)
+
+ vino.ino = ino;
+ vino.snap = CEPH_NOSNAP;
++
++ if (ceph_vino_is_reserved(vino))
++ return ERR_PTR(-ESTALE);
++
+ inode = ceph_find_inode(sb, vino);
+ if (!inode) {
+ struct ceph_mds_request *req;
+@@ -214,6 +218,10 @@ static struct dentry *__snapfh_to_dentry(struct super_block *sb,
+ vino.ino = sfh->ino;
+ vino.snap = sfh->snapid;
+ }
++
++ if (ceph_vino_is_reserved(vino))
++ return ERR_PTR(-ESTALE);
++
+ inode = ceph_find_inode(sb, vino);
+ if (inode)
+ return d_obtain_alias(inode);
+diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
+index 790433cb849e..346fcdfcd3e9 100644
+--- a/fs/ceph/inode.c
++++ b/fs/ceph/inode.c
+@@ -56,6 +56,9 @@ struct inode *ceph_get_inode(struct super_block *sb, struct ceph_vino vino)
+ {
+ struct inode *inode;
+
++ if (ceph_vino_is_reserved(vino))
++ return ERR_PTR(-EREMOTEIO);
++
+ inode = iget5_locked(sb, (unsigned long)vino.ino, ceph_ino_compare,
+ ceph_set_ino_cb, &vino);
+ if (!inode)
+diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
+index 8f1d7500a7ec..d560752b764d 100644
+--- a/fs/ceph/mds_client.c
++++ b/fs/ceph/mds_client.c
+@@ -433,6 +433,13 @@ static int ceph_parse_deleg_inos(void **p, void *end,
+
+ ceph_decode_64_safe(p, end, start, bad);
+ ceph_decode_64_safe(p, end, len, bad);
++
++ /* Don't accept a delegation of system inodes */
++ if (start < CEPH_INO_SYSTEM_BASE) {
++ pr_warn_ratelimited("ceph: ignoring reserved inode range delegation (start=0x%llx len=0x%llx)\n",
++ start, len);
++ continue;
++ }
+ while (len--) {
+ int err = xa_insert(&s->s_delegated_inos, ino = start++,
+ DELEGATED_INO_AVAILABLE,
+diff --git a/fs/ceph/super.h b/fs/ceph/super.h
+index 482473e4cce1..c33f744a8e11 100644
+--- a/fs/ceph/super.h
++++ b/fs/ceph/super.h
+@@ -529,10 +529,34 @@ static inline int ceph_ino_compare(struct inode *inode, void *data)
+ ci->i_vino.snap == pvino->snap;
+ }
+
++/*
++ * The MDS reserves a set of inodes for its own usage. These should never
++ * be accessible by clients, and so the MDS has no reason to ever hand these
++ * out. The range is CEPH_MDS_INO_MDSDIR_OFFSET..CEPH_INO_SYSTEM_BASE.
++ *
++ * These come from src/mds/mdstypes.h in the ceph sources.
++ */
++#define CEPH_MAX_MDS 0x100
++#define CEPH_NUM_STRAY 10
++#define CEPH_MDS_INO_MDSDIR_OFFSET (1 * CEPH_MAX_MDS)
++#define CEPH_INO_SYSTEM_BASE ((6*CEPH_MAX_MDS) + (CEPH_MAX_MDS * CEPH_NUM_STRAY))
++
++static inline bool ceph_vino_is_reserved(const struct ceph_vino vino)
++{
++ if (vino.ino < CEPH_INO_SYSTEM_BASE &&
++ vino.ino >= CEPH_MDS_INO_MDSDIR_OFFSET) {
++ WARN_RATELIMIT(1, "Attempt to access reserved inode number 0x%llx", vino.ino);
++ return true;
++ }
++ return false;
++}
+
+ static inline struct inode *ceph_find_inode(struct super_block *sb,
+ struct ceph_vino vino)
+ {
++ if (ceph_vino_is_reserved(vino))
++ return NULL;
++
+ /*
+ * NB: The hashval will be run through the fs/inode.c hash function
+ * anyway, so there is no need to squash the inode number down to
+--
+2.30.2
+
--- /dev/null
+From 01192bc07f1b2408f5c8abb51e3d76db7ba4b3e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Mar 2021 07:38:01 -0500
+Subject: ceph: don't clobber i_snap_caps on non-I_NEW inode
+
+From: Jeff Layton <jlayton@kernel.org>
+
+[ Upstream commit d3c51ae1b8cce5bdaf91a1ce32b33cf5626075dc ]
+
+We want the snapdir to mirror the non-snapped directory's attributes for
+most things, but i_snap_caps represents the caps granted on the snapshot
+directory by the MDS itself. A misbehaving MDS could issue different
+caps for the snapdir and we lose them here.
+
+Only reset i_snap_caps when the inode is I_NEW. Also, move the setting
+of i_op and i_fop inside the if block since they should never change
+anyway.
+
+Reported-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ceph/inode.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
+index 6bd2a6ced22a..790433cb849e 100644
+--- a/fs/ceph/inode.c
++++ b/fs/ceph/inode.c
+@@ -87,14 +87,15 @@ struct inode *ceph_get_snapdir(struct inode *parent)
+ inode->i_mtime = parent->i_mtime;
+ inode->i_ctime = parent->i_ctime;
+ inode->i_atime = parent->i_atime;
+- inode->i_op = &ceph_snapdir_iops;
+- inode->i_fop = &ceph_snapdir_fops;
+- ci->i_snap_caps = CEPH_CAP_PIN; /* so we can open */
+ ci->i_rbytes = 0;
+ ci->i_btime = ceph_inode(parent)->i_btime;
+
+- if (inode->i_state & I_NEW)
++ if (inode->i_state & I_NEW) {
++ inode->i_op = &ceph_snapdir_iops;
++ inode->i_fop = &ceph_snapdir_fops;
++ ci->i_snap_caps = CEPH_CAP_PIN; /* so we can open */
+ unlock_new_inode(inode);
++ }
+
+ return inode;
+ }
+--
+2.30.2
+
--- /dev/null
+From 1d2e2b0119f720b7a65f0d15ab65e3ff979a9547 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Jan 2021 18:05:37 -0500
+Subject: ceph: fix fscache invalidation
+
+From: Jeff Layton <jlayton@kernel.org>
+
+[ Upstream commit 10a7052c7868bc7bc72d947f5aac6f768928db87 ]
+
+Ensure that we invalidate the fscache whenever we invalidate the
+pagecache.
+
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ceph/caps.c | 1 +
+ fs/ceph/inode.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c
+index 576d01275bbd..e4fc99afa25a 100644
+--- a/fs/ceph/caps.c
++++ b/fs/ceph/caps.c
+@@ -1866,6 +1866,7 @@ static int try_nonblocking_invalidate(struct inode *inode)
+ u32 invalidating_gen = ci->i_rdcache_gen;
+
+ spin_unlock(&ci->i_ceph_lock);
++ ceph_fscache_invalidate(inode);
+ invalidate_mapping_pages(&inode->i_data, 0, -1);
+ spin_lock(&ci->i_ceph_lock);
+
+diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
+index 2462a9a84b95..6bd2a6ced22a 100644
+--- a/fs/ceph/inode.c
++++ b/fs/ceph/inode.c
+@@ -1912,6 +1912,7 @@ static void ceph_do_invalidate_pages(struct inode *inode)
+ orig_gen = ci->i_rdcache_gen;
+ spin_unlock(&ci->i_ceph_lock);
+
++ ceph_fscache_invalidate(inode);
+ if (invalidate_inode_pages2(inode->i_mapping) < 0) {
+ pr_err("invalidate_pages %p fails\n", inode);
+ }
+--
+2.30.2
+
--- /dev/null
+From 8cdb1f3d5dbaaab20ca020116d590015aeca6137 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Feb 2021 20:04:06 +0100
+Subject: dmaengine: dw-edma: Fix crash on loading/unloading driver
+
+From: Gustavo Pimentel <Gustavo.Pimentel@synopsys.com>
+
+[ Upstream commit e970dcc4bd8e0a1376e794fc81d41d0fc98262dd ]
+
+When the driver is compiled as a module and loaded if we try to unload
+it, the Kernel shows a crash log. This Kernel crash is due to the
+dma_async_device_unregister() call done after deleting the channels,
+this patch fixes this issue.
+
+Signed-off-by: Gustavo Pimentel <gustavo.pimentel@synopsys.com>
+Link: https://lore.kernel.org/r/4aa850c035cf7ee488f1d3fb6dee0e37be0dce0a.1613674948.git.gustavo.pimentel@synopsys.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/dw-edma/dw-edma-core.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/dma/dw-edma/dw-edma-core.c b/drivers/dma/dw-edma/dw-edma-core.c
+index 08d71dafa001..58c8cc8fe0e1 100644
+--- a/drivers/dma/dw-edma/dw-edma-core.c
++++ b/drivers/dma/dw-edma/dw-edma-core.c
+@@ -937,22 +937,21 @@ int dw_edma_remove(struct dw_edma_chip *chip)
+ /* Power management */
+ pm_runtime_disable(dev);
+
++ /* Deregister eDMA device */
++ dma_async_device_unregister(&dw->wr_edma);
+ list_for_each_entry_safe(chan, _chan, &dw->wr_edma.channels,
+ vc.chan.device_node) {
+- list_del(&chan->vc.chan.device_node);
+ tasklet_kill(&chan->vc.task);
++ list_del(&chan->vc.chan.device_node);
+ }
+
++ dma_async_device_unregister(&dw->rd_edma);
+ list_for_each_entry_safe(chan, _chan, &dw->rd_edma.channels,
+ vc.chan.device_node) {
+- list_del(&chan->vc.chan.device_node);
+ tasklet_kill(&chan->vc.task);
++ list_del(&chan->vc.chan.device_node);
+ }
+
+- /* Deregister eDMA device */
+- dma_async_device_unregister(&dw->wr_edma);
+- dma_async_device_unregister(&dw->rd_edma);
+-
+ /* Turn debugfs off */
+ dw_edma_v0_core_debugfs_off();
+
+--
+2.30.2
+
--- /dev/null
+From 5ab595ecd014a4022bd09a57a0bafd5cb626a0bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Apr 2021 20:06:04 -0400
+Subject: drm/amd/display: Fix two cursor duplication when using overlay
+
+From: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+
+[ Upstream commit 16e9b3e58bc3fce7391539e0eb3fd167cbf9951f ]
+
+Our driver supports overlay planes, and as expected, some userspace
+compositor takes advantage of these features. If the userspace is not
+enabling the cursor, they can use multiple planes as they please.
+Nevertheless, we start to have constraints when userspace tries to
+enable hardware cursor with various planes. Basically, we cannot draw
+the cursor at the same size and position on two separated pipes since it
+uses extra bandwidth and DML only run with one cursor.
+
+For those reasons, when we enable hardware cursor and multiple planes,
+our driver should accept variations like the ones described below:
+
+ +-------------+ +--------------+
+ | +---------+ | | |
+ | |Primary | | | Primary |
+ | | | | | Overlay |
+ | +---------+ | | |
+ |Overlay | | |
+ +-------------+ +--------------+
+
+In this scenario, we can have the desktop UI in the overlay and some
+other framebuffer attached to the primary plane (e.g., video). However,
+userspace needs to obey some rules and avoid scenarios like the ones
+described below (when enabling hw cursor):
+
+ +--------+
+ |Overlay |
+ +-------------+ +-----+-------+ +-| |--+
+ | +--------+ | +--------+ | | +--------+ |
+ | |Overlay | | |Overlay | | | |
+ | | | | | | | | |
+ | +--------+ | +--------+ | | |
+ | Primary | | Primary | | Primary |
+ +-------------+ +-------------+ +-------------+
+
+ +-------------+ +-------------+
+ | +--------+ | Primary |
+ | |Overlay | | |
+ | | | | |
+ | +--------+ | +--------+ |
+ | Primary | | |Overlay | |
+ +-------------+ +-| |--+
+ +--------+
+
+If the userspace violates some of the above scenarios, our driver needs
+to reject the commit; otherwise, we can have unexpected behavior. Since
+we don't have a proper driver validation for the above case, we can see
+some problems like a duplicate cursor in applications that use multiple
+planes. This commit fixes the cursor issue and others by adding adequate
+verification for multiple planes.
+
+Change since V1 (Harry and Sean):
+- Remove cursor verification from the equation.
+
+Cc: Louis Li <Ching-shih.Li@amd.com>
+Cc: Nicholas Kazlauskas <Nicholas.Kazlauskas@amd.com>
+Cc: Harry Wentland <Harry.Wentland@amd.com>
+Cc: Hersen Wu <hersenxs.wu@amd.com>
+Cc: Sean Paul <seanpaul@chromium.org>
+Signed-off-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 51 +++++++++++++++++++
+ 1 file changed, 51 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index 8180894bbd1e..fbbb1bde6b06 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -8611,6 +8611,53 @@ static int add_affected_mst_dsc_crtcs(struct drm_atomic_state *state, struct drm
+ }
+ #endif
+
++static int validate_overlay(struct drm_atomic_state *state)
++{
++ int i;
++ struct drm_plane *plane;
++ struct drm_plane_state *old_plane_state, *new_plane_state;
++ struct drm_plane_state *primary_state, *overlay_state = NULL;
++
++ /* Check if primary plane is contained inside overlay */
++ for_each_oldnew_plane_in_state_reverse(state, plane, old_plane_state, new_plane_state, i) {
++ if (plane->type == DRM_PLANE_TYPE_OVERLAY) {
++ if (drm_atomic_plane_disabling(plane->state, new_plane_state))
++ return 0;
++
++ overlay_state = new_plane_state;
++ continue;
++ }
++ }
++
++ /* check if we're making changes to the overlay plane */
++ if (!overlay_state)
++ return 0;
++
++ /* check if overlay plane is enabled */
++ if (!overlay_state->crtc)
++ return 0;
++
++ /* find the primary plane for the CRTC that the overlay is enabled on */
++ primary_state = drm_atomic_get_plane_state(state, overlay_state->crtc->primary);
++ if (IS_ERR(primary_state))
++ return PTR_ERR(primary_state);
++
++ /* check if primary plane is enabled */
++ if (!primary_state->crtc)
++ return 0;
++
++ /* Perform the bounds check to ensure the overlay plane covers the primary */
++ if (primary_state->crtc_x < overlay_state->crtc_x ||
++ primary_state->crtc_y < overlay_state->crtc_y ||
++ primary_state->crtc_x + primary_state->crtc_w > overlay_state->crtc_x + overlay_state->crtc_w ||
++ primary_state->crtc_y + primary_state->crtc_h > overlay_state->crtc_y + overlay_state->crtc_h) {
++ DRM_DEBUG_ATOMIC("Overlay plane is enabled with hardware cursor but does not fully cover primary plane\n");
++ return -EINVAL;
++ }
++
++ return 0;
++}
++
+ /**
+ * amdgpu_dm_atomic_check() - Atomic check implementation for AMDgpu DM.
+ * @dev: The DRM device
+@@ -8789,6 +8836,10 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev,
+ goto fail;
+ }
+
++ ret = validate_overlay(state);
++ if (ret)
++ goto fail;
++
+ /* Add new/modified planes */
+ for_each_oldnew_plane_in_state_reverse(state, plane, old_plane_state, new_plane_state, i) {
+ ret = dm_update_plane_state(dc, state, plane,
+--
+2.30.2
+
--- /dev/null
+From 5780ddf42c426049f00ccb6b116660b1927b38cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Apr 2021 18:27:40 +0200
+Subject: gpiolib: acpi: Add quirk to ignore EC wakeups on Dell Venue 10 Pro
+ 5055
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit da91ece226729c76f60708efc275ebd4716ad089 ]
+
+Like some other Bay and Cherry Trail SoC based devices the Dell Venue
+10 Pro 5055 has an embedded-controller which uses ACPI GPIO events to
+report events instead of using the standard ACPI EC interface for this.
+
+The EC interrupt is only used to report battery-level changes and
+it keeps doing this while the system is suspended, causing the system
+to not stay suspended.
+
+Add an ignore-wake quirk for the GPIO pin used by the EC to fix the
+spurious wakeups from suspend.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpiolib-acpi.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/gpio/gpiolib-acpi.c b/drivers/gpio/gpiolib-acpi.c
+index 863f059bc498..6f11714ce023 100644
+--- a/drivers/gpio/gpiolib-acpi.c
++++ b/drivers/gpio/gpiolib-acpi.c
+@@ -1407,6 +1407,20 @@ static const struct dmi_system_id gpiolib_acpi_quirks[] __initconst = {
+ .no_edge_events_on_boot = true,
+ },
+ },
++ {
++ /*
++ * The Dell Venue 10 Pro 5055, with Bay Trail SoC + TI PMIC uses an
++ * external embedded-controller connected via I2C + an ACPI GPIO
++ * event handler on INT33FFC:02 pin 12, causing spurious wakeups.
++ */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Venue 10 Pro 5055"),
++ },
++ .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
++ .ignore_wake = "INT33FC:02@12",
++ },
++ },
+ {
+ /*
+ * HP X2 10 models with Cherry Trail SoC + TI PMIC use an
+--
+2.30.2
+
--- /dev/null
+From 5fe2cde63039fcd7279b02562a59aa2be12331ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Apr 2021 22:29:07 -0700
+Subject: Input: elants_i2c - do not bind to i2c-hid compatible ACPI
+ instantiated devices
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 65299e8bfb24774e6340e93ae49f6626598917c8 ]
+
+Several users have been reporting that elants_i2c gives several errors
+during probe and that their touchscreen does not work on their Lenovo AMD
+based laptops with a touchscreen with a ELAN0001 ACPI hardware-id:
+
+[ 0.550596] elants_i2c i2c-ELAN0001:00: i2c-ELAN0001:00 supply vcc33 not found, using dummy regulator
+[ 0.551836] elants_i2c i2c-ELAN0001:00: i2c-ELAN0001:00 supply vccio not found, using dummy regulator
+[ 0.560932] elants_i2c i2c-ELAN0001:00: elants_i2c_send failed (77 77 77 77): -121
+[ 0.562427] elants_i2c i2c-ELAN0001:00: software reset failed: -121
+[ 0.595925] elants_i2c i2c-ELAN0001:00: elants_i2c_send failed (77 77 77 77): -121
+[ 0.597974] elants_i2c i2c-ELAN0001:00: software reset failed: -121
+[ 0.621893] elants_i2c i2c-ELAN0001:00: elants_i2c_send failed (77 77 77 77): -121
+[ 0.622504] elants_i2c i2c-ELAN0001:00: software reset failed: -121
+[ 0.632650] elants_i2c i2c-ELAN0001:00: elants_i2c_send failed (4d 61 69 6e): -121
+[ 0.634256] elants_i2c i2c-ELAN0001:00: boot failed: -121
+[ 0.699212] elants_i2c i2c-ELAN0001:00: invalid 'hello' packet: 00 00 ff ff
+[ 1.630506] elants_i2c i2c-ELAN0001:00: Failed to read fw id: -121
+[ 1.645508] elants_i2c i2c-ELAN0001:00: unknown packet 00 00 ff ff
+
+Despite these errors, the elants_i2c driver stays bound to the device
+(it returns 0 from its probe method despite the errors), blocking the
+i2c-hid driver from binding.
+
+Manually unbinding the elants_i2c driver and binding the i2c-hid driver
+makes the touchscreen work.
+
+Check if the ACPI-fwnode for the touchscreen contains one of the i2c-hid
+compatiblity-id strings and if it has the I2C-HID spec's DSM to get the
+HID descriptor address, If it has both then make elants_i2c not bind,
+so that the i2c-hid driver can bind.
+
+This assumes that non of the (older) elan touchscreens which actually
+need the elants_i2c driver falsely advertise an i2c-hid compatiblity-id
++ DSM in their ACPI-fwnodes. If some of them actually do have this
+false advertising, then this change may lead to regressions.
+
+While at it also drop the unnecessary DEVICE_NAME prefixing of the
+"I2C check functionality error", dev_err already outputs the driver-name.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=207759
+Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20210405202756.16830-1-hdegoede@redhat.com
+
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/touchscreen/elants_i2c.c | 44 ++++++++++++++++++++++++--
+ 1 file changed, 42 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/input/touchscreen/elants_i2c.c b/drivers/input/touchscreen/elants_i2c.c
+index 50c348297e38..03a482535944 100644
+--- a/drivers/input/touchscreen/elants_i2c.c
++++ b/drivers/input/touchscreen/elants_i2c.c
+@@ -38,6 +38,7 @@
+ #include <linux/of.h>
+ #include <linux/gpio/consumer.h>
+ #include <linux/regulator/consumer.h>
++#include <linux/uuid.h>
+ #include <asm/unaligned.h>
+
+ /* Device, Driver information */
+@@ -1224,6 +1225,40 @@ static void elants_i2c_power_off(void *_data)
+ }
+ }
+
++#ifdef CONFIG_ACPI
++static const struct acpi_device_id i2c_hid_ids[] = {
++ {"ACPI0C50", 0 },
++ {"PNP0C50", 0 },
++ { },
++};
++
++static const guid_t i2c_hid_guid =
++ GUID_INIT(0x3CDFF6F7, 0x4267, 0x4555,
++ 0xAD, 0x05, 0xB3, 0x0A, 0x3D, 0x89, 0x38, 0xDE);
++
++static bool elants_acpi_is_hid_device(struct device *dev)
++{
++ acpi_handle handle = ACPI_HANDLE(dev);
++ union acpi_object *obj;
++
++ if (acpi_match_device_ids(ACPI_COMPANION(dev), i2c_hid_ids))
++ return false;
++
++ obj = acpi_evaluate_dsm_typed(handle, &i2c_hid_guid, 1, 1, NULL, ACPI_TYPE_INTEGER);
++ if (obj) {
++ ACPI_FREE(obj);
++ return true;
++ }
++
++ return false;
++}
++#else
++static bool elants_acpi_is_hid_device(struct device *dev)
++{
++ return false;
++}
++#endif
++
+ static int elants_i2c_probe(struct i2c_client *client,
+ const struct i2c_device_id *id)
+ {
+@@ -1232,9 +1267,14 @@ static int elants_i2c_probe(struct i2c_client *client,
+ unsigned long irqflags;
+ int error;
+
++ /* Don't bind to i2c-hid compatible devices, these are handled by the i2c-hid drv. */
++ if (elants_acpi_is_hid_device(&client->dev)) {
++ dev_warn(&client->dev, "This device appears to be an I2C-HID device, not binding\n");
++ return -ENODEV;
++ }
++
+ if (!i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) {
+- dev_err(&client->dev,
+- "%s: i2c check functionality error\n", DEVICE_NAME);
++ dev_err(&client->dev, "I2C check functionality error\n");
+ return -ENXIO;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 390845918d687b8b1879b10bb9a92b5a28b3b3c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Apr 2021 22:29:49 -0700
+Subject: Input: silead - add workaround for x86 BIOS-es which bring the chip
+ up in a stuck state
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit e479187748a8f151a85116a7091c599b121fdea5 ]
+
+Some buggy BIOS-es bring up the touchscreen-controller in a stuck
+state where it blocks the I2C bus. Specifically this happens on
+the Jumper EZpad 7 tablet model.
+
+After much poking at this problem I have found that the following steps
+are necessary to unstuck the chip / bus:
+
+1. Turn off the Silead chip.
+2. Try to do an I2C transfer with the chip, this will fail in response to
+ which the I2C-bus-driver will call: i2c_recover_bus() which will unstuck
+ the I2C-bus. Note the unstuck-ing of the I2C bus only works if we first
+ drop the chip of the bus by turning it off.
+3. Turn the chip back on.
+
+On the x86/ACPI systems were this problem is seen, step 1. and 3. require
+making ACPI calls and dealing with ACPI Power Resources. This commit adds
+a workaround which runtime-suspends the chip to turn it off, leaving it up
+to the ACPI subsystem to deal with all the ACPI specific details.
+
+There is no good way to detect this bug, so the workaround gets activated
+by a new "silead,stuck-controller-bug" boolean device-property. Since this
+is only used on x86/ACPI, this will be set by model specific device-props
+set by drivers/platform/x86/touchscreen_dmi.c. Therefor this new
+device-property is not documented in the DT-bindings.
+
+Dmesg will contain the following messages on systems where the workaround
+is activated:
+
+[ 54.309029] silead_ts i2c-MSSL1680:00: [Firmware Bug]: Stuck I2C bus: please ignore the next 'controller timed out' error
+[ 55.373593] i2c_designware 808622C1:04: controller timed out
+[ 55.582186] silead_ts i2c-MSSL1680:00: Silead chip ID: 0x80360000
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20210405202745.16777-1-hdegoede@redhat.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/touchscreen/silead.c | 44 +++++++++++++++++++++++++++---
+ 1 file changed, 40 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/input/touchscreen/silead.c b/drivers/input/touchscreen/silead.c
+index 8fa2f3b7cfd8..e8b6c3137420 100644
+--- a/drivers/input/touchscreen/silead.c
++++ b/drivers/input/touchscreen/silead.c
+@@ -20,6 +20,7 @@
+ #include <linux/input/mt.h>
+ #include <linux/input/touchscreen.h>
+ #include <linux/pm.h>
++#include <linux/pm_runtime.h>
+ #include <linux/irq.h>
+ #include <linux/regulator/consumer.h>
+
+@@ -335,10 +336,8 @@ static int silead_ts_get_id(struct i2c_client *client)
+
+ error = i2c_smbus_read_i2c_block_data(client, SILEAD_REG_ID,
+ sizeof(chip_id), (u8 *)&chip_id);
+- if (error < 0) {
+- dev_err(&client->dev, "Chip ID read error %d\n", error);
++ if (error < 0)
+ return error;
+- }
+
+ data->chip_id = le32_to_cpu(chip_id);
+ dev_info(&client->dev, "Silead chip ID: 0x%8X", data->chip_id);
+@@ -351,12 +350,49 @@ static int silead_ts_setup(struct i2c_client *client)
+ int error;
+ u32 status;
+
++ /*
++ * Some buggy BIOS-es bring up the chip in a stuck state where it
++ * blocks the I2C bus. The following steps are necessary to
++ * unstuck the chip / bus:
++ * 1. Turn off the Silead chip.
++ * 2. Try to do an I2C transfer with the chip, this will fail in
++ * response to which the I2C-bus-driver will call:
++ * i2c_recover_bus() which will unstuck the I2C-bus. Note the
++ * unstuck-ing of the I2C bus only works if we first drop the
++ * chip off the bus by turning it off.
++ * 3. Turn the chip back on.
++ *
++ * On the x86/ACPI systems were this problem is seen, step 1. and
++ * 3. require making ACPI calls and dealing with ACPI Power
++ * Resources. The workaround below runtime-suspends the chip to
++ * turn it off, leaving it up to the ACPI subsystem to deal with
++ * this.
++ */
++
++ if (device_property_read_bool(&client->dev,
++ "silead,stuck-controller-bug")) {
++ pm_runtime_set_active(&client->dev);
++ pm_runtime_enable(&client->dev);
++ pm_runtime_allow(&client->dev);
++
++ pm_runtime_suspend(&client->dev);
++
++ dev_warn(&client->dev, FW_BUG "Stuck I2C bus: please ignore the next 'controller timed out' error\n");
++ silead_ts_get_id(client);
++
++ /* The forbid will also resume the device */
++ pm_runtime_forbid(&client->dev);
++ pm_runtime_disable(&client->dev);
++ }
++
+ silead_ts_set_power(client, SILEAD_POWER_OFF);
+ silead_ts_set_power(client, SILEAD_POWER_ON);
+
+ error = silead_ts_get_id(client);
+- if (error)
++ if (error) {
++ dev_err(&client->dev, "Chip ID read error %d\n", error);
+ return error;
++ }
+
+ error = silead_ts_init(client);
+ if (error)
+--
+2.30.2
+
--- /dev/null
+From c92f5a475d23f204f4cd600a0857693cc955435a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 May 2021 18:03:40 -0700
+Subject: lib: stackdepot: turn depot_lock spinlock to raw_spinlock
+
+From: Zqiang <qiang.zhang@windriver.com>
+
+[ Upstream commit 78564b9434878d686c5f88c4488b20cccbcc42bc ]
+
+In RT system, the spin_lock will be replaced by sleepable rt_mutex lock,
+in __call_rcu(), disable interrupts before calling
+kasan_record_aux_stack(), will trigger this calltrace:
+
+ BUG: sleeping function called from invalid context at kernel/locking/rtmutex.c:951
+ in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 19, name: pgdatinit0
+ Call Trace:
+ ___might_sleep.cold+0x1b2/0x1f1
+ rt_spin_lock+0x3b/0xb0
+ stack_depot_save+0x1b9/0x440
+ kasan_save_stack+0x32/0x40
+ kasan_record_aux_stack+0xa5/0xb0
+ __call_rcu+0x117/0x880
+ __exit_signal+0xafb/0x1180
+ release_task+0x1d6/0x480
+ exit_notify+0x303/0x750
+ do_exit+0x678/0xcf0
+ kthread+0x364/0x4f0
+ ret_from_fork+0x22/0x30
+
+Replace spinlock with raw_spinlock.
+
+Link: https://lkml.kernel.org/r/20210329084009.27013-1-qiang.zhang@windriver.com
+Signed-off-by: Zqiang <qiang.zhang@windriver.com>
+Reported-by: Andrew Halaney <ahalaney@redhat.com>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Gustavo A. R. Silva <gustavoars@kernel.org>
+Cc: Vijayanand Jitta <vjitta@codeaurora.org>
+Cc: Vinayak Menon <vinmenon@codeaurora.org>
+Cc: Yogesh Lal <ylal@codeaurora.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/stackdepot.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/stackdepot.c b/lib/stackdepot.c
+index 2caffc64e4c8..25bbac46605e 100644
+--- a/lib/stackdepot.c
++++ b/lib/stackdepot.c
+@@ -70,7 +70,7 @@ static void *stack_slabs[STACK_ALLOC_MAX_SLABS];
+ static int depot_index;
+ static int next_slab_inited;
+ static size_t depot_offset;
+-static DEFINE_SPINLOCK(depot_lock);
++static DEFINE_RAW_SPINLOCK(depot_lock);
+
+ static bool init_stack_slab(void **prealloc)
+ {
+@@ -281,7 +281,7 @@ depot_stack_handle_t stack_depot_save(unsigned long *entries,
+ prealloc = page_address(page);
+ }
+
+- spin_lock_irqsave(&depot_lock, flags);
++ raw_spin_lock_irqsave(&depot_lock, flags);
+
+ found = find_stack(*bucket, entries, nr_entries, hash);
+ if (!found) {
+@@ -305,7 +305,7 @@ depot_stack_handle_t stack_depot_save(unsigned long *entries,
+ WARN_ON(!init_stack_slab(&prealloc));
+ }
+
+- spin_unlock_irqrestore(&depot_lock, flags);
++ raw_spin_unlock_irqrestore(&depot_lock, flags);
+ exit:
+ if (prealloc) {
+ /* Nobody used this memory, ok to free it. */
+--
+2.30.2
+
--- /dev/null
+From 8cfdbe14110cb0aa3d97bdf18b638c6cf3ad7df7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 May 2021 14:54:50 +0200
+Subject: net:CXGB4: fix leak if sk_buff is not used
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Íñigo Huguet <ihuguet@redhat.com>
+
+[ Upstream commit 52bfcdd87e83d9e69d22da5f26b1512ffc81deed ]
+
+An sk_buff is allocated to send a flow control message, but it's not
+sent in all cases: in case the state is not appropiate to send it or if
+it can't be enqueued.
+
+In the first of these 2 cases, the sk_buff was discarded but not freed,
+producing a memory leak.
+
+Signed-off-by: Íñigo Huguet <ihuguet@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/sge.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/sge.c b/drivers/net/ethernet/chelsio/cxgb4/sge.c
+index 3334c9e2152a..546301272271 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/sge.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/sge.c
+@@ -2559,12 +2559,12 @@ int cxgb4_ethofld_send_flowc(struct net_device *dev, u32 eotid, u32 tc)
+ spin_lock_bh(&eosw_txq->lock);
+ if (tc != FW_SCHED_CLS_NONE) {
+ if (eosw_txq->state != CXGB4_EO_STATE_CLOSED)
+- goto out_unlock;
++ goto out_free_skb;
+
+ next_state = CXGB4_EO_STATE_FLOWC_OPEN_SEND;
+ } else {
+ if (eosw_txq->state != CXGB4_EO_STATE_ACTIVE)
+- goto out_unlock;
++ goto out_free_skb;
+
+ next_state = CXGB4_EO_STATE_FLOWC_CLOSE_SEND;
+ }
+@@ -2600,17 +2600,19 @@ int cxgb4_ethofld_send_flowc(struct net_device *dev, u32 eotid, u32 tc)
+ eosw_txq_flush_pending_skbs(eosw_txq);
+
+ ret = eosw_txq_enqueue(eosw_txq, skb);
+- if (ret) {
+- dev_consume_skb_any(skb);
+- goto out_unlock;
+- }
++ if (ret)
++ goto out_free_skb;
+
+ eosw_txq->state = next_state;
+ eosw_txq->flowc_idx = eosw_txq->pidx;
+ eosw_txq_advance(eosw_txq, 1);
+ ethofld_xmit(dev, eosw_txq);
+
+-out_unlock:
++ spin_unlock_bh(&eosw_txq->lock);
++ return 0;
++
++out_free_skb:
++ dev_consume_skb_any(skb);
+ spin_unlock_bh(&eosw_txq->lock);
+ return ret;
+ }
+--
+2.30.2
+
--- /dev/null
+From 6983bd337551a4816009d6e07b30885bc4024f7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 May 2021 22:34:42 +0100
+Subject: net: hsr: check skb can contain struct hsr_ethhdr in fill_frame_info
+
+From: Phillip Potter <phil@philpotter.co.uk>
+
+[ Upstream commit 2e9f60932a2c19e8a11b4a69d419f107024b05a0 ]
+
+Check at start of fill_frame_info that the MAC header in the supplied
+skb is large enough to fit a struct hsr_ethhdr, as otherwise this is
+not a valid HSR frame. If it is too small, return an error which will
+then cause the callers to clean up the skb. Fixes a KMSAN-found
+uninit-value bug reported by syzbot at:
+https://syzkaller.appspot.com/bug?id=f7e9b601f1414f814f7602a82b6619a8d80bce3f
+
+Reported-by: syzbot+e267bed19bfc5478fb33@syzkaller.appspotmail.com
+Signed-off-by: Phillip Potter <phil@philpotter.co.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/hsr/hsr_forward.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c
+index b4e06ae08834..90c72e4c0a8f 100644
+--- a/net/hsr/hsr_forward.c
++++ b/net/hsr/hsr_forward.c
+@@ -493,6 +493,10 @@ static int fill_frame_info(struct hsr_frame_info *frame,
+ struct ethhdr *ethhdr;
+ __be16 proto;
+
++ /* Check if skb contains hsr_ethhdr */
++ if (skb->mac_len < sizeof(struct hsr_ethhdr))
++ return -EINVAL;
++
+ memset(frame, 0, sizeof(*frame));
+ frame->is_supervision = is_supervision_frame(port->hsr, skb);
+ frame->node_src = hsr_get_node(port, &hsr->node_db, skb,
+--
+2.30.2
+
--- /dev/null
+From 2f674593afe16f024edb088d38a2d92053f0999c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 May 2021 16:33:12 +0200
+Subject: net: stmmac: Do not enable RX FIFO overflow interrupts
+
+From: Yannick Vignon <yannick.vignon@nxp.com>
+
+[ Upstream commit 8a7cb245cf28cb3e541e0d6c8624b95d079e155b ]
+
+The RX FIFO overflows when the system is not able to process all received
+packets and they start accumulating (first in the DMA queue in memory,
+then in the FIFO). An interrupt is then raised for each overflowing packet
+and handled in stmmac_interrupt(). This is counter-productive, since it
+brings the system (or more likely, one CPU core) to its knees to process
+the FIFO overflow interrupts.
+
+stmmac_interrupt() handles overflow interrupts by writing the rx tail ptr
+into the corresponding hardware register (according to the MAC spec, this
+has the effect of restarting the MAC DMA). However, without freeing any rx
+descriptors, the DMA stops right away, and another overflow interrupt is
+raised as the FIFO overflows again. Since the DMA is already restarted at
+the end of stmmac_rx_refill() after freeing descriptors, disabling FIFO
+overflow interrupts and the corresponding handling code has no side effect,
+and eliminates the interrupt storm when the RX FIFO overflows.
+
+Signed-off-by: Yannick Vignon <yannick.vignon@nxp.com>
+Link: https://lore.kernel.org/r/20210506143312.20784-1-yannick.vignon@oss.nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c | 7 +------
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 14 ++------------
+ 2 files changed, 3 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c
+index 62aa0e95beb7..a7249e4071f1 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c
+@@ -222,7 +222,7 @@ static void dwmac4_dma_rx_chan_op_mode(void __iomem *ioaddr, int mode,
+ u32 channel, int fifosz, u8 qmode)
+ {
+ unsigned int rqs = fifosz / 256 - 1;
+- u32 mtl_rx_op, mtl_rx_int;
++ u32 mtl_rx_op;
+
+ mtl_rx_op = readl(ioaddr + MTL_CHAN_RX_OP_MODE(channel));
+
+@@ -283,11 +283,6 @@ static void dwmac4_dma_rx_chan_op_mode(void __iomem *ioaddr, int mode,
+ }
+
+ writel(mtl_rx_op, ioaddr + MTL_CHAN_RX_OP_MODE(channel));
+-
+- /* Enable MTL RX overflow */
+- mtl_rx_int = readl(ioaddr + MTL_CHAN_INT_CTRL(channel));
+- writel(mtl_rx_int | MTL_RX_OVERFLOW_INT_EN,
+- ioaddr + MTL_CHAN_INT_CTRL(channel));
+ }
+
+ static void dwmac4_dma_tx_chan_op_mode(void __iomem *ioaddr, int mode,
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index 5b9478dffe10..4374ce4671ad 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -4138,7 +4138,6 @@ static irqreturn_t stmmac_interrupt(int irq, void *dev_id)
+ /* To handle GMAC own interrupts */
+ if ((priv->plat->has_gmac) || xmac) {
+ int status = stmmac_host_irq_status(priv, priv->hw, &priv->xstats);
+- int mtl_status;
+
+ if (unlikely(status)) {
+ /* For LPI we need to save the tx status */
+@@ -4149,17 +4148,8 @@ static irqreturn_t stmmac_interrupt(int irq, void *dev_id)
+ }
+
+ for (queue = 0; queue < queues_count; queue++) {
+- struct stmmac_rx_queue *rx_q = &priv->rx_queue[queue];
+-
+- mtl_status = stmmac_host_mtl_irq_status(priv, priv->hw,
+- queue);
+- if (mtl_status != -EINVAL)
+- status |= mtl_status;
+-
+- if (status & CORE_IRQ_MTL_RX_OVERFLOW)
+- stmmac_set_rx_tail_ptr(priv, priv->ioaddr,
+- rx_q->rx_tail_addr,
+- queue);
++ status = stmmac_host_mtl_irq_status(priv, priv->hw,
++ queue);
+ }
+
+ /* PCS link status */
+--
+2.30.2
+
--- /dev/null
+From b0e1fbd97fa005fd6f3d7122a227beebfad669a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 20:46:36 -0400
+Subject: NFS: NFS_INO_REVAL_PAGECACHE should mark the change attribute invalid
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit 50c7a7994dd20af56e4d47e90af10bab71b71001 ]
+
+When we're looking to revalidate the page cache, we should just ensure
+that we mark the change attribute invalid.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/inode.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
+index 6e2e948f1475..dc2cbca98fb0 100644
+--- a/fs/nfs/inode.c
++++ b/fs/nfs/inode.c
+@@ -207,7 +207,8 @@ static void nfs_set_cache_invalid(struct inode *inode, unsigned long flags)
+ | NFS_INO_INVALID_SIZE
+ | NFS_INO_REVAL_PAGECACHE
+ | NFS_INO_INVALID_XATTR);
+- }
++ } else if (flags & NFS_INO_REVAL_PAGECACHE)
++ flags |= NFS_INO_INVALID_CHANGE | NFS_INO_INVALID_SIZE;
+
+ if (inode->i_mapping->nrpages == 0)
+ flags &= ~(NFS_INO_INVALID_DATA|NFS_INO_DATA_INVAL_DEFER);
+--
+2.30.2
+
--- /dev/null
+From c512838c531c1c4772b135f993c87297357d8c10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Apr 2021 21:25:58 -0700
+Subject: nvmet: remove unsupported command noise
+
+From: Keith Busch <kbusch@kernel.org>
+
+[ Upstream commit 4a20342572f66c5b20a1ee680f5ac0a13703748f ]
+
+Nothing can stop a host from submitting invalid commands. The target
+just needs to respond with an appropriate status, but that's not a
+target error. Demote invalid command messages to the debug level so
+these events don't spam the kernel logs.
+
+Reported-by: Yi Zhang <yi.zhang@redhat.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Klaus Jensen <k.jensen@samsung.com>
+Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/admin-cmd.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/nvme/target/admin-cmd.c b/drivers/nvme/target/admin-cmd.c
+index e20dea5c44f7..6a8274caa3bc 100644
+--- a/drivers/nvme/target/admin-cmd.c
++++ b/drivers/nvme/target/admin-cmd.c
+@@ -313,7 +313,7 @@ static void nvmet_execute_get_log_page(struct nvmet_req *req)
+ case NVME_LOG_ANA:
+ return nvmet_execute_get_log_page_ana(req);
+ }
+- pr_err("unhandled lid %d on qid %d\n",
++ pr_debug("unhandled lid %d on qid %d\n",
+ req->cmd->get_log_page.lid, req->sq->qid);
+ req->error_loc = offsetof(struct nvme_get_log_page_command, lid);
+ nvmet_req_complete(req, NVME_SC_INVALID_FIELD | NVME_SC_DNR);
+@@ -657,7 +657,7 @@ static void nvmet_execute_identify(struct nvmet_req *req)
+ return nvmet_execute_identify_desclist(req);
+ }
+
+- pr_err("unhandled identify cns %d on qid %d\n",
++ pr_debug("unhandled identify cns %d on qid %d\n",
+ req->cmd->identify.cns, req->sq->qid);
+ req->error_loc = offsetof(struct nvme_identify, cns);
+ nvmet_req_complete(req, NVME_SC_INVALID_FIELD | NVME_SC_DNR);
+@@ -972,7 +972,7 @@ u16 nvmet_parse_admin_cmd(struct nvmet_req *req)
+ return 0;
+ }
+
+- pr_err("unhandled cmd %d on qid %d\n", cmd->common.opcode,
++ pr_debug("unhandled cmd %d on qid %d\n", cmd->common.opcode,
+ req->sq->qid);
+ req->error_loc = offsetof(struct nvme_common_command, opcode);
+ return NVME_SC_INVALID_OPCODE | NVME_SC_DNR;
+--
+2.30.2
+
--- /dev/null
+From 5c97b19a837f31d2d38fba2a7092c48dff24927f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Apr 2021 19:15:37 +0530
+Subject: PCI: tegra: Add Tegra194 MCFG quirks for ECAM errata
+
+From: Vidya Sagar <vidyas@nvidia.com>
+
+[ Upstream commit 7f100744749e4fe547dece3bb6557fae5f0a7252 ]
+
+The PCIe controller in Tegra194 SoC is not ECAM-compliant. With the
+current hardware design, ECAM can be enabled only for one controller (the
+C5 controller) with bus numbers starting from 160 instead of 0. A different
+approach is taken to avoid this abnormal way of enabling ECAM for just one
+controller but to enable configuration space access for all the other
+controllers. In this approach, ops are added through MCFG quirk mechanism
+which access the configuration spaces by dynamically programming iATU
+(internal AddressTranslation Unit) to generate respective configuration
+accesses just like the way it is done in DesignWare core sub-system.
+
+This issue is specific to Tegra194 and it would be fixed in the future
+generations of Tegra SoCs.
+
+Link: https://lore.kernel.org/r/20210416134537.19474-1-vidyas@nvidia.com
+Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/pci_mcfg.c | 7 ++
+ drivers/pci/controller/dwc/Makefile | 2 +-
+ drivers/pci/controller/dwc/pcie-tegra194.c | 102 +++++++++++++++++++++
+ include/linux/pci-ecam.h | 1 +
+ 4 files changed, 111 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/pci_mcfg.c b/drivers/acpi/pci_mcfg.c
+index 95f23acd5b80..53cab975f612 100644
+--- a/drivers/acpi/pci_mcfg.c
++++ b/drivers/acpi/pci_mcfg.c
+@@ -116,6 +116,13 @@ static struct mcfg_fixup mcfg_quirks[] = {
+ THUNDER_ECAM_QUIRK(2, 12),
+ THUNDER_ECAM_QUIRK(2, 13),
+
++ { "NVIDIA", "TEGRA194", 1, 0, MCFG_BUS_ANY, &tegra194_pcie_ops},
++ { "NVIDIA", "TEGRA194", 1, 1, MCFG_BUS_ANY, &tegra194_pcie_ops},
++ { "NVIDIA", "TEGRA194", 1, 2, MCFG_BUS_ANY, &tegra194_pcie_ops},
++ { "NVIDIA", "TEGRA194", 1, 3, MCFG_BUS_ANY, &tegra194_pcie_ops},
++ { "NVIDIA", "TEGRA194", 1, 4, MCFG_BUS_ANY, &tegra194_pcie_ops},
++ { "NVIDIA", "TEGRA194", 1, 5, MCFG_BUS_ANY, &tegra194_pcie_ops},
++
+ #define XGENE_V1_ECAM_MCFG(rev, seg) \
+ {"APM ", "XGENE ", rev, seg, MCFG_BUS_ANY, \
+ &xgene_v1_pcie_ecam_ops }
+diff --git a/drivers/pci/controller/dwc/Makefile b/drivers/pci/controller/dwc/Makefile
+index a751553fa0db..dbb981876556 100644
+--- a/drivers/pci/controller/dwc/Makefile
++++ b/drivers/pci/controller/dwc/Makefile
+@@ -17,7 +17,6 @@ obj-$(CONFIG_PCIE_INTEL_GW) += pcie-intel-gw.o
+ obj-$(CONFIG_PCIE_KIRIN) += pcie-kirin.o
+ obj-$(CONFIG_PCIE_HISI_STB) += pcie-histb.o
+ obj-$(CONFIG_PCI_MESON) += pci-meson.o
+-obj-$(CONFIG_PCIE_TEGRA194) += pcie-tegra194.o
+ obj-$(CONFIG_PCIE_UNIPHIER) += pcie-uniphier.o
+ obj-$(CONFIG_PCIE_UNIPHIER_EP) += pcie-uniphier-ep.o
+
+@@ -34,4 +33,5 @@ obj-$(CONFIG_PCIE_UNIPHIER_EP) += pcie-uniphier-ep.o
+ ifdef CONFIG_PCI
+ obj-$(CONFIG_ARM64) += pcie-al.o
+ obj-$(CONFIG_ARM64) += pcie-hisi.o
++obj-$(CONFIG_ARM64) += pcie-tegra194.o
+ endif
+diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
+index d788f4d7f9aa..b3b00dcd4e77 100644
+--- a/drivers/pci/controller/dwc/pcie-tegra194.c
++++ b/drivers/pci/controller/dwc/pcie-tegra194.c
+@@ -22,6 +22,8 @@
+ #include <linux/of_irq.h>
+ #include <linux/of_pci.h>
+ #include <linux/pci.h>
++#include <linux/pci-acpi.h>
++#include <linux/pci-ecam.h>
+ #include <linux/phy/phy.h>
+ #include <linux/pinctrl/consumer.h>
+ #include <linux/platform_device.h>
+@@ -311,6 +313,104 @@ struct tegra_pcie_dw_of_data {
+ enum dw_pcie_device_mode mode;
+ };
+
++#if defined(CONFIG_ACPI) && defined(CONFIG_PCI_QUIRKS)
++struct tegra194_pcie_ecam {
++ void __iomem *config_base;
++ void __iomem *iatu_base;
++ void __iomem *dbi_base;
++};
++
++static int tegra194_acpi_init(struct pci_config_window *cfg)
++{
++ struct device *dev = cfg->parent;
++ struct tegra194_pcie_ecam *pcie_ecam;
++
++ pcie_ecam = devm_kzalloc(dev, sizeof(*pcie_ecam), GFP_KERNEL);
++ if (!pcie_ecam)
++ return -ENOMEM;
++
++ pcie_ecam->config_base = cfg->win;
++ pcie_ecam->iatu_base = cfg->win + SZ_256K;
++ pcie_ecam->dbi_base = cfg->win + SZ_512K;
++ cfg->priv = pcie_ecam;
++
++ return 0;
++}
++
++static void atu_reg_write(struct tegra194_pcie_ecam *pcie_ecam, int index,
++ u32 val, u32 reg)
++{
++ u32 offset = PCIE_GET_ATU_OUTB_UNR_REG_OFFSET(index);
++
++ writel(val, pcie_ecam->iatu_base + offset + reg);
++}
++
++static void program_outbound_atu(struct tegra194_pcie_ecam *pcie_ecam,
++ int index, int type, u64 cpu_addr,
++ u64 pci_addr, u64 size)
++{
++ atu_reg_write(pcie_ecam, index, lower_32_bits(cpu_addr),
++ PCIE_ATU_LOWER_BASE);
++ atu_reg_write(pcie_ecam, index, upper_32_bits(cpu_addr),
++ PCIE_ATU_UPPER_BASE);
++ atu_reg_write(pcie_ecam, index, lower_32_bits(pci_addr),
++ PCIE_ATU_LOWER_TARGET);
++ atu_reg_write(pcie_ecam, index, lower_32_bits(cpu_addr + size - 1),
++ PCIE_ATU_LIMIT);
++ atu_reg_write(pcie_ecam, index, upper_32_bits(pci_addr),
++ PCIE_ATU_UPPER_TARGET);
++ atu_reg_write(pcie_ecam, index, type, PCIE_ATU_CR1);
++ atu_reg_write(pcie_ecam, index, PCIE_ATU_ENABLE, PCIE_ATU_CR2);
++}
++
++static void __iomem *tegra194_map_bus(struct pci_bus *bus,
++ unsigned int devfn, int where)
++{
++ struct pci_config_window *cfg = bus->sysdata;
++ struct tegra194_pcie_ecam *pcie_ecam = cfg->priv;
++ u32 busdev;
++ int type;
++
++ if (bus->number < cfg->busr.start || bus->number > cfg->busr.end)
++ return NULL;
++
++ if (bus->number == cfg->busr.start) {
++ if (PCI_SLOT(devfn) == 0)
++ return pcie_ecam->dbi_base + where;
++ else
++ return NULL;
++ }
++
++ busdev = PCIE_ATU_BUS(bus->number) | PCIE_ATU_DEV(PCI_SLOT(devfn)) |
++ PCIE_ATU_FUNC(PCI_FUNC(devfn));
++
++ if (bus->parent->number == cfg->busr.start) {
++ if (PCI_SLOT(devfn) == 0)
++ type = PCIE_ATU_TYPE_CFG0;
++ else
++ return NULL;
++ } else {
++ type = PCIE_ATU_TYPE_CFG1;
++ }
++
++ program_outbound_atu(pcie_ecam, 0, type, cfg->res.start, busdev,
++ SZ_256K);
++
++ return pcie_ecam->config_base + where;
++}
++
++const struct pci_ecam_ops tegra194_pcie_ops = {
++ .init = tegra194_acpi_init,
++ .pci_ops = {
++ .map_bus = tegra194_map_bus,
++ .read = pci_generic_config_read,
++ .write = pci_generic_config_write,
++ }
++};
++#endif /* defined(CONFIG_ACPI) && defined(CONFIG_PCI_QUIRKS) */
++
++#ifdef CONFIG_PCIE_TEGRA194
++
+ static inline struct tegra_pcie_dw *to_tegra_pcie(struct dw_pcie *pci)
+ {
+ return container_of(pci, struct tegra_pcie_dw, pci);
+@@ -2339,3 +2439,5 @@ MODULE_DEVICE_TABLE(of, tegra_pcie_dw_of_match);
+ MODULE_AUTHOR("Vidya Sagar <vidyas@nvidia.com>");
+ MODULE_DESCRIPTION("NVIDIA PCIe host controller driver");
+ MODULE_LICENSE("GPL v2");
++
++#endif /* CONFIG_PCIE_TEGRA194 */
+diff --git a/include/linux/pci-ecam.h b/include/linux/pci-ecam.h
+index 033ce74f02e8..ccbf3c38c6e6 100644
+--- a/include/linux/pci-ecam.h
++++ b/include/linux/pci-ecam.h
+@@ -58,6 +58,7 @@ extern const struct pci_ecam_ops pci_thunder_ecam_ops; /* Cavium ThunderX 1.x */
+ extern const struct pci_ecam_ops xgene_v1_pcie_ecam_ops; /* APM X-Gene PCIe v1 */
+ extern const struct pci_ecam_ops xgene_v2_pcie_ecam_ops; /* APM X-Gene PCIe v2.x */
+ extern const struct pci_ecam_ops al_pcie_ops; /* Amazon Annapurna Labs PCIe */
++extern const struct pci_ecam_ops tegra194_pcie_ops; /* Tegra194 PCIe */
+ #endif
+
+ #if IS_ENABLED(CONFIG_PCI_HOST_COMMON)
+--
+2.30.2
+
--- /dev/null
+From 8396a4b21d7d92eb995d3dd57ce4b900bf0cb8d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Apr 2021 15:26:58 +0800
+Subject: PCI: tegra: Fix runtime PM imbalance in
+ pex_ep_event_pex_rst_deassert()
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit 5859c926d1f052ee61b5815b14658875c14f6243 ]
+
+pm_runtime_get_sync() will increase the runtime PM counter
+even it returns an error. Thus a pairing decrement is needed
+to prevent refcount leak. Fix this by replacing this API with
+pm_runtime_resume_and_get(), which will not change the runtime
+PM counter on error.
+
+Link: https://lore.kernel.org/r/20210408072700.15791-1-dinghao.liu@zju.edu.cn
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Acked-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/dwc/pcie-tegra194.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
+index f920e7efe118..d788f4d7f9aa 100644
+--- a/drivers/pci/controller/dwc/pcie-tegra194.c
++++ b/drivers/pci/controller/dwc/pcie-tegra194.c
+@@ -1660,7 +1660,7 @@ static void pex_ep_event_pex_rst_deassert(struct tegra_pcie_dw *pcie)
+ if (pcie->ep_state == EP_STATE_ENABLED)
+ return;
+
+- ret = pm_runtime_get_sync(dev);
++ ret = pm_runtime_resume_and_get(dev);
+ if (ret < 0) {
+ dev_err(dev, "Failed to get runtime sync for PCIe dev: %d\n",
+ ret);
+--
+2.30.2
+
--- /dev/null
+From 5a7394a752f7610a1583955b4bf6383dd454f5a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Mar 2021 16:24:47 +0100
+Subject: PCI: thunder: Fix compile testing
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 16f7ae5906dfbeff54f74ec75d0563bb3a87ab0b ]
+
+Compile-testing these drivers is currently broken. Enabling it causes a
+couple of build failures though:
+
+ drivers/pci/controller/pci-thunder-ecam.c:119:30: error: shift count >= width of type [-Werror,-Wshift-count-overflow]
+ drivers/pci/controller/pci-thunder-pem.c:54:2: error: implicit declaration of function 'writeq' [-Werror,-Wimplicit-function-declaration]
+ drivers/pci/controller/pci-thunder-pem.c:392:8: error: implicit declaration of function 'acpi_get_rc_resources' [-Werror,-Wimplicit-function-declaration]
+
+Fix them with the obvious one-line changes.
+
+Link: https://lore.kernel.org/r/20210308152501.2135937-2-arnd@kernel.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Reviewed-by: Robert Richter <rric@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pci-thunder-ecam.c | 2 +-
+ drivers/pci/controller/pci-thunder-pem.c | 13 +++++++------
+ drivers/pci/pci.h | 6 ++++++
+ 3 files changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/pci/controller/pci-thunder-ecam.c b/drivers/pci/controller/pci-thunder-ecam.c
+index 7e8835fee5f7..d79395881d76 100644
+--- a/drivers/pci/controller/pci-thunder-ecam.c
++++ b/drivers/pci/controller/pci-thunder-ecam.c
+@@ -116,7 +116,7 @@ static int thunder_ecam_p2_config_read(struct pci_bus *bus, unsigned int devfn,
+ * the config space access window. Since we are working with
+ * the high-order 32 bits, shift everything down by 32 bits.
+ */
+- node_bits = (cfg->res.start >> 32) & (1 << 12);
++ node_bits = upper_32_bits(cfg->res.start) & (1 << 12);
+
+ v |= node_bits;
+ set_val(v, where, size, val);
+diff --git a/drivers/pci/controller/pci-thunder-pem.c b/drivers/pci/controller/pci-thunder-pem.c
+index 3f847969143e..4b12dd42bf23 100644
+--- a/drivers/pci/controller/pci-thunder-pem.c
++++ b/drivers/pci/controller/pci-thunder-pem.c
+@@ -12,6 +12,7 @@
+ #include <linux/pci-acpi.h>
+ #include <linux/pci-ecam.h>
+ #include <linux/platform_device.h>
++#include <linux/io-64-nonatomic-lo-hi.h>
+ #include "../pci.h"
+
+ #if defined(CONFIG_PCI_HOST_THUNDER_PEM) || (defined(CONFIG_ACPI) && defined(CONFIG_PCI_QUIRKS))
+@@ -315,9 +316,9 @@ static int thunder_pem_init(struct device *dev, struct pci_config_window *cfg,
+ * structure here for the BAR.
+ */
+ bar4_start = res_pem->start + 0xf00000;
+- pem_pci->ea_entry[0] = (u32)bar4_start | 2;
+- pem_pci->ea_entry[1] = (u32)(res_pem->end - bar4_start) & ~3u;
+- pem_pci->ea_entry[2] = (u32)(bar4_start >> 32);
++ pem_pci->ea_entry[0] = lower_32_bits(bar4_start) | 2;
++ pem_pci->ea_entry[1] = lower_32_bits(res_pem->end - bar4_start) & ~3u;
++ pem_pci->ea_entry[2] = upper_32_bits(bar4_start);
+
+ cfg->priv = pem_pci;
+ return 0;
+@@ -325,9 +326,9 @@ static int thunder_pem_init(struct device *dev, struct pci_config_window *cfg,
+
+ #if defined(CONFIG_ACPI) && defined(CONFIG_PCI_QUIRKS)
+
+-#define PEM_RES_BASE 0x87e0c0000000UL
+-#define PEM_NODE_MASK GENMASK(45, 44)
+-#define PEM_INDX_MASK GENMASK(26, 24)
++#define PEM_RES_BASE 0x87e0c0000000ULL
++#define PEM_NODE_MASK GENMASK_ULL(45, 44)
++#define PEM_INDX_MASK GENMASK_ULL(26, 24)
+ #define PEM_MIN_DOM_IN_NODE 4
+ #define PEM_MAX_DOM_IN_NODE 10
+
+diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h
+index f86cae9aa1f4..09ebc134d0d7 100644
+--- a/drivers/pci/pci.h
++++ b/drivers/pci/pci.h
+@@ -606,6 +606,12 @@ static inline int pci_dev_specific_reset(struct pci_dev *dev, int probe)
+ #if defined(CONFIG_PCI_QUIRKS) && defined(CONFIG_ARM64)
+ int acpi_get_rc_resources(struct device *dev, const char *hid, u16 segment,
+ struct resource *res);
++#else
++static inline int acpi_get_rc_resources(struct device *dev, const char *hid,
++ u16 segment, struct resource *res)
++{
++ return -ENODEV;
++}
+ #endif
+
+ u32 pci_rebar_get_possible_sizes(struct pci_dev *pdev, int bar);
+--
+2.30.2
+
--- /dev/null
+From 734569e1a427f74f590161dbc2c4cdc13df9a4fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Apr 2021 21:21:09 -0700
+Subject: platform/chrome: cros_ec_typec: Add DP mode check
+
+From: Prashant Malani <pmalani@chromium.org>
+
+[ Upstream commit c5bb32f57bf3a30ed03be51f7be0840325ba8b4a ]
+
+There are certain transitional situations where the dp_mode field in the
+PD_CONTROL response might not be populated with the right DP pin
+assignment value yet. Add a check for that to avoid sending an invalid
+value to the Type C mode switch.
+
+Signed-off-by: Prashant Malani <pmalani@chromium.org>
+Signed-off-by: Enric Balletbo i Serra <enric.balletbo@collabora.com>
+Link: https://lore.kernel.org/r/20210421042108.2002-1-pmalani@chromium.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/chrome/cros_ec_typec.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/platform/chrome/cros_ec_typec.c b/drivers/platform/chrome/cros_ec_typec.c
+index 31be31161350..036d54dc52e2 100644
+--- a/drivers/platform/chrome/cros_ec_typec.c
++++ b/drivers/platform/chrome/cros_ec_typec.c
+@@ -475,6 +475,11 @@ static int cros_typec_enable_dp(struct cros_typec_data *typec,
+ return -ENOTSUPP;
+ }
+
++ if (!pd_ctrl->dp_mode) {
++ dev_err(typec->dev, "No valid DP mode provided.\n");
++ return -EINVAL;
++ }
++
+ /* Status VDO. */
+ dp_data.status = DP_STATUS_ENABLED;
+ if (port->mux_flags & USB_PD_MUX_HPD_IRQ)
+--
+2.30.2
+
--- /dev/null
+From f58be4d0c1514cea5096ed6b492bc836a9822777 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 14:51:56 -0700
+Subject: riscv: Use $(LD) instead of $(CC) to link vDSO
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit 7f3d349065d0c643f7f7013fbf9bc9f2c90b675f ]
+
+Currently, the VDSO is being linked through $(CC). This does not match
+how the rest of the kernel links objects, which is through the $(LD)
+variable.
+
+When linking with clang, there are a couple of warnings about flags that
+will not be used during the link:
+
+clang-12: warning: argument unused during compilation: '-no-pie' [-Wunused-command-line-argument]
+clang-12: warning: argument unused during compilation: '-pg' [-Wunused-command-line-argument]
+
+'-no-pie' was added in commit 85602bea297f ("RISC-V: build vdso-dummy.o
+with -no-pie") to override '-pie' getting added to the ld command from
+distribution versions of GCC that enable PIE by default. It is
+technically no longer needed after commit c2c81bb2f691 ("RISC-V: Fix the
+VDSO symbol generaton for binutils-2.35+"), which removed vdso-dummy.o
+in favor of generating vdso-syms.S from vdso.so with $(NM) but this also
+resolves the issue in case it ever comes back due to having full control
+over the $(LD) command. '-pg' is for function tracing, it is not used
+during linking as clang states.
+
+These flags could be removed/filtered to fix the warnings but it is
+easier to just match the rest of the kernel and use $(LD) directly for
+linking. See commits
+
+ fe00e50b2db8 ("ARM: 8858/1: vdso: use $(LD) instead of $(CC) to link VDSO")
+ 691efbedc60d ("arm64: vdso: use $(LD) instead of $(CC) to link VDSO")
+ 2ff906994b6c ("MIPS: VDSO: Use $(LD) instead of $(CC) to link VDSO")
+ 2b2a25845d53 ("s390/vdso: Use $(LD) instead of $(CC) to link vDSO")
+
+for more information.
+
+The flags are converted to linker flags and '--eh-frame-hdr' is added to
+match what is added by GCC implicitly, which can be seen by adding '-v'
+to GCC's invocation.
+
+Additionally, since this area is being modified, use the $(OBJCOPY)
+variable instead of an open coded $(CROSS_COMPILE)objcopy so that the
+user's choice of objcopy binary is respected.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/803
+Link: https://github.com/ClangBuiltLinux/linux/issues/970
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Fangrui Song <maskray@google.com>
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kernel/vdso/Makefile | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/arch/riscv/kernel/vdso/Makefile b/arch/riscv/kernel/vdso/Makefile
+index 71a315e73cbe..ca2b40dfd24b 100644
+--- a/arch/riscv/kernel/vdso/Makefile
++++ b/arch/riscv/kernel/vdso/Makefile
+@@ -41,11 +41,10 @@ KASAN_SANITIZE := n
+ $(obj)/vdso.o: $(obj)/vdso.so
+
+ # link rule for the .so file, .lds has to be first
+-SYSCFLAGS_vdso.so.dbg = $(c_flags)
+ $(obj)/vdso.so.dbg: $(src)/vdso.lds $(obj-vdso) FORCE
+ $(call if_changed,vdsold)
+-SYSCFLAGS_vdso.so.dbg = -shared -s -Wl,-soname=linux-vdso.so.1 \
+- -Wl,--build-id=sha1 -Wl,--hash-style=both
++LDFLAGS_vdso.so.dbg = -shared -s -soname=linux-vdso.so.1 \
++ --build-id=sha1 --hash-style=both --eh-frame-hdr
+
+ # We also create a special relocatable object that should mirror the symbol
+ # table and layout of the linked DSO. With ld --just-symbols we can then
+@@ -60,13 +59,10 @@ $(obj)/%.so: $(obj)/%.so.dbg FORCE
+
+ # actual build commands
+ # The DSO images are built using a special linker script
+-# Add -lgcc so rv32 gets static muldi3 and lshrdi3 definitions.
+ # Make sure only to export the intended __vdso_xxx symbol offsets.
+ quiet_cmd_vdsold = VDSOLD $@
+- cmd_vdsold = $(CC) $(KBUILD_CFLAGS) $(call cc-option, -no-pie) -nostdlib -nostartfiles $(SYSCFLAGS_$(@F)) \
+- -Wl,-T,$(filter-out FORCE,$^) -o $@.tmp && \
+- $(CROSS_COMPILE)objcopy \
+- $(patsubst %, -G __vdso_%, $(vdso-syms)) $@.tmp $@ && \
++ cmd_vdsold = $(LD) $(ld_flags) -T $(filter-out FORCE,$^) -o $@.tmp && \
++ $(OBJCOPY) $(patsubst %, -G __vdso_%, $(vdso-syms)) $@.tmp $@ && \
+ rm $@.tmp
+
+ # Extracts symbol offsets from the VDSO, converting them into an assembly file
+--
+2.30.2
+
--- /dev/null
+From bbe73e823f404b466ee847f19e12d5c147fd7df2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 15:38:06 -0700
+Subject: riscv: Workaround mcount name prior to clang-13
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit 7ce04771503074a7de7f539cc43f5e1b385cb99b ]
+
+Prior to clang 13.0.0, the RISC-V name for the mcount symbol was
+"mcount", which differs from the GCC version of "_mcount", which results
+in the following errors:
+
+riscv64-linux-gnu-ld: init/main.o: in function `__traceiter_initcall_level':
+main.c:(.text+0xe): undefined reference to `mcount'
+riscv64-linux-gnu-ld: init/main.o: in function `__traceiter_initcall_start':
+main.c:(.text+0x4e): undefined reference to `mcount'
+riscv64-linux-gnu-ld: init/main.o: in function `__traceiter_initcall_finish':
+main.c:(.text+0x92): undefined reference to `mcount'
+riscv64-linux-gnu-ld: init/main.o: in function `.LBB32_28':
+main.c:(.text+0x30c): undefined reference to `mcount'
+riscv64-linux-gnu-ld: init/main.o: in function `free_initmem':
+main.c:(.text+0x54c): undefined reference to `mcount'
+
+This has been corrected in https://reviews.llvm.org/D98881 but the
+minimum supported clang version is 10.0.1. To avoid build errors and to
+gain a working function tracer, adjust the name of the mcount symbol for
+older versions of clang in mount.S and recordmcount.pl.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/1331
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/include/asm/ftrace.h | 14 ++++++++++++--
+ arch/riscv/kernel/mcount.S | 10 +++++-----
+ scripts/recordmcount.pl | 2 +-
+ 3 files changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/arch/riscv/include/asm/ftrace.h b/arch/riscv/include/asm/ftrace.h
+index 845002cc2e57..04dad3380041 100644
+--- a/arch/riscv/include/asm/ftrace.h
++++ b/arch/riscv/include/asm/ftrace.h
+@@ -13,9 +13,19 @@
+ #endif
+ #define HAVE_FUNCTION_GRAPH_RET_ADDR_PTR
+
++/*
++ * Clang prior to 13 had "mcount" instead of "_mcount":
++ * https://reviews.llvm.org/D98881
++ */
++#if defined(CONFIG_CC_IS_GCC) || CONFIG_CLANG_VERSION >= 130000
++#define MCOUNT_NAME _mcount
++#else
++#define MCOUNT_NAME mcount
++#endif
++
+ #define ARCH_SUPPORTS_FTRACE_OPS 1
+ #ifndef __ASSEMBLY__
+-void _mcount(void);
++void MCOUNT_NAME(void);
+ static inline unsigned long ftrace_call_adjust(unsigned long addr)
+ {
+ return addr;
+@@ -36,7 +46,7 @@ struct dyn_arch_ftrace {
+ * both auipc and jalr at the same time.
+ */
+
+-#define MCOUNT_ADDR ((unsigned long)_mcount)
++#define MCOUNT_ADDR ((unsigned long)MCOUNT_NAME)
+ #define JALR_SIGN_MASK (0x00000800)
+ #define JALR_OFFSET_MASK (0x00000fff)
+ #define AUIPC_OFFSET_MASK (0xfffff000)
+diff --git a/arch/riscv/kernel/mcount.S b/arch/riscv/kernel/mcount.S
+index 8a5593ff9ff3..6d462681c9c0 100644
+--- a/arch/riscv/kernel/mcount.S
++++ b/arch/riscv/kernel/mcount.S
+@@ -47,8 +47,8 @@
+
+ ENTRY(ftrace_stub)
+ #ifdef CONFIG_DYNAMIC_FTRACE
+- .global _mcount
+- .set _mcount, ftrace_stub
++ .global MCOUNT_NAME
++ .set MCOUNT_NAME, ftrace_stub
+ #endif
+ ret
+ ENDPROC(ftrace_stub)
+@@ -78,7 +78,7 @@ ENDPROC(return_to_handler)
+ #endif
+
+ #ifndef CONFIG_DYNAMIC_FTRACE
+-ENTRY(_mcount)
++ENTRY(MCOUNT_NAME)
+ la t4, ftrace_stub
+ #ifdef CONFIG_FUNCTION_GRAPH_TRACER
+ la t0, ftrace_graph_return
+@@ -124,6 +124,6 @@ do_trace:
+ jalr t5
+ RESTORE_ABI_STATE
+ ret
+-ENDPROC(_mcount)
++ENDPROC(MCOUNT_NAME)
+ #endif
+-EXPORT_SYMBOL(_mcount)
++EXPORT_SYMBOL(MCOUNT_NAME)
+diff --git a/scripts/recordmcount.pl b/scripts/recordmcount.pl
+index 857d5b70b1a9..4f84657f55c2 100755
+--- a/scripts/recordmcount.pl
++++ b/scripts/recordmcount.pl
+@@ -395,7 +395,7 @@ if ($arch eq "x86_64") {
+ $mcount_regex = "^\\s*([0-9a-fA-F]+):.*\\s_mcount\$";
+ } elsif ($arch eq "riscv") {
+ $function_regex = "^([0-9a-fA-F]+)\\s+<([^.0-9][0-9a-zA-Z_\\.]+)>:";
+- $mcount_regex = "^\\s*([0-9a-fA-F]+):\\sR_RISCV_CALL(_PLT)?\\s_mcount\$";
++ $mcount_regex = "^\\s*([0-9a-fA-F]+):\\sR_RISCV_CALL(_PLT)?\\s_?mcount\$";
+ $type = ".quad";
+ $alignment = 2;
+ } elsif ($arch eq "nds32") {
+--
+2.30.2
+
--- /dev/null
+From 35960fedfda1adecadab6df5b4f9b5de572cdb53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 15:38:05 -0700
+Subject: scripts/recordmcount.pl: Fix RISC-V regex for clang
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit 2f095504f4b9cf75856d6a9cf90299cf75aa46c5 ]
+
+Clang can generate R_RISCV_CALL_PLT relocations to _mcount:
+
+$ llvm-objdump -dr build/riscv/init/main.o | rg mcount
+ 000000000000000e: R_RISCV_CALL_PLT _mcount
+ 000000000000004e: R_RISCV_CALL_PLT _mcount
+
+After this, the __start_mcount_loc section is properly generated and
+function tracing still works.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/1331
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Fangrui Song <maskray@google.com>
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/recordmcount.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/recordmcount.pl b/scripts/recordmcount.pl
+index 0bafed857e17..857d5b70b1a9 100755
+--- a/scripts/recordmcount.pl
++++ b/scripts/recordmcount.pl
+@@ -395,7 +395,7 @@ if ($arch eq "x86_64") {
+ $mcount_regex = "^\\s*([0-9a-fA-F]+):.*\\s_mcount\$";
+ } elsif ($arch eq "riscv") {
+ $function_regex = "^([0-9a-fA-F]+)\\s+<([^.0-9][0-9a-zA-Z_\\.]+)>:";
+- $mcount_regex = "^\\s*([0-9a-fA-F]+):\\sR_RISCV_CALL\\s_mcount\$";
++ $mcount_regex = "^\\s*([0-9a-fA-F]+):\\sR_RISCV_CALL(_PLT)?\\s_mcount\$";
+ $type = ".quad";
+ $alignment = 2;
+ } elsif ($arch eq "nds32") {
+--
+2.30.2
+
--- /dev/null
+From fda96d3b639dfd4d252b60a5d6ba75ef100ea552 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Apr 2021 16:44:33 -0700
+Subject: scsi: lpfc: Fix illegal memory access on Abort IOCBs
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit e1364711359f3ced054bda9920477c8bf93b74c5 ]
+
+In devloss timer handler and in backend calls to terminate remote port I/O,
+there is logic to walk through all active IOCBs and validate them to
+potentially trigger an abort request. This logic is causing illegal memory
+accesses which leads to a crash. Abort IOCBs, which may be on the list, do
+not have an associated lpfc_io_buf struct. The driver is trying to map an
+lpfc_io_buf struct on the IOCB and which results in a bogus address thus
+the issue.
+
+Fix by skipping over ABORT IOCBs (CLOSE IOCBs are ABORTS that don't send
+ABTS) in the IOCB scan logic.
+
+Link: https://lore.kernel.org/r/20210421234433.102079-1-jsmart2021@gmail.com
+Co-developed-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_sli.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
+index 3e5c0718555a..bf171ef61abd 100644
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -11590,13 +11590,20 @@ lpfc_sli_validate_fcp_iocb(struct lpfc_iocbq *iocbq, struct lpfc_vport *vport,
+ lpfc_ctx_cmd ctx_cmd)
+ {
+ struct lpfc_io_buf *lpfc_cmd;
++ IOCB_t *icmd = NULL;
+ int rc = 1;
+
+ if (iocbq->vport != vport)
+ return rc;
+
+- if (!(iocbq->iocb_flag & LPFC_IO_FCP) ||
+- !(iocbq->iocb_flag & LPFC_IO_ON_TXCMPLQ))
++ if (!(iocbq->iocb_flag & LPFC_IO_FCP) ||
++ !(iocbq->iocb_flag & LPFC_IO_ON_TXCMPLQ) ||
++ iocbq->iocb_flag & LPFC_DRIVER_ABORTED)
++ return rc;
++
++ icmd = &iocbq->iocb;
++ if (icmd->ulpCommand == CMD_ABORT_XRI_CN ||
++ icmd->ulpCommand == CMD_CLOSE_XRI_CN)
+ return rc;
+
+ lpfc_cmd = container_of(iocbq, struct lpfc_io_buf, cur_iocbq);
+--
+2.30.2
+
--- /dev/null
+From 64aeae2375895b2cd45740ee5a13eb11f63d2be7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Apr 2021 17:01:23 +0200
+Subject: scsi: target: tcmu: Return from tcmu_handle_completions() if cmd_id
+ not found
+
+From: Bodo Stroesser <bostroesser@gmail.com>
+
+[ Upstream commit 9814b55cde0588b6d9bc496cee43f87316cbc6f1 ]
+
+If tcmu_handle_completions() finds an invalid cmd_id while looping over cmd
+responses from userspace it sets TCMU_DEV_BIT_BROKEN and breaks the
+loop. This means that it does further handling for the tcmu device.
+
+Skip that handling by replacing 'break' with 'return'.
+
+Additionally change tcmu_handle_completions() from unsigned int to bool,
+since the value used in return already is bool.
+
+Link: https://lore.kernel.org/r/20210423150123.24468-1-bostroesser@gmail.com
+Signed-off-by: Bodo Stroesser <bostroesser@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/target_core_user.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
+index 7d5814a95e1e..c6950f157b99 100644
+--- a/drivers/target/target_core_user.c
++++ b/drivers/target/target_core_user.c
+@@ -1391,7 +1391,7 @@ static int tcmu_run_tmr_queue(struct tcmu_dev *udev)
+ return 1;
+ }
+
+-static unsigned int tcmu_handle_completions(struct tcmu_dev *udev)
++static bool tcmu_handle_completions(struct tcmu_dev *udev)
+ {
+ struct tcmu_mailbox *mb;
+ struct tcmu_cmd *cmd;
+@@ -1434,7 +1434,7 @@ static unsigned int tcmu_handle_completions(struct tcmu_dev *udev)
+ pr_err("cmd_id %u not found, ring is broken\n",
+ entry->hdr.cmd_id);
+ set_bit(TCMU_DEV_BIT_BROKEN, &udev->flags);
+- break;
++ return false;
+ }
+
+ tcmu_handle_completion(cmd, entry);
+--
+2.30.2
+
usb-sl811-hcd-improve-misleading-indentation.patch
cxgb4-fix-the-wmisleading-indentation-warning.patch
isdn-capi-fix-mismatched-prototypes.patch
+virtio_net-do-not-pull-payload-in-skb-head.patch
+arm-9058-1-cache-v7-refactor-v7_invalidate_l1-to-avo.patch
+pci-thunder-fix-compile-testing.patch
+dmaengine-dw-edma-fix-crash-on-loading-unloading-dri.patch
+arm-9066-1-ftrace-pause-unpause-function-graph-trace.patch
+acpi-hotplug-pci-fix-reference-count-leak-in-enable_.patch
+pci-tegra-fix-runtime-pm-imbalance-in-pex_ep_event_p.patch
+input-elants_i2c-do-not-bind-to-i2c-hid-compatible-a.patch
+input-silead-add-workaround-for-x86-bios-es-which-br.patch
+nfs-nfs_ino_reval_pagecache-should-mark-the-change-a.patch
+um-mark-all-kernel-symbols-as-local.patch
+um-disable-config_gcov-with-modules.patch
+pci-tegra-add-tegra194-mcfg-quirks-for-ecam-errata.patch
+arm-9075-1-kernel-fix-interrupted-smc-calls.patch
+platform-chrome-cros_ec_typec-add-dp-mode-check.patch
+riscv-use-ld-instead-of-cc-to-link-vdso.patch
+scripts-recordmcount.pl-fix-risc-v-regex-for-clang.patch
+riscv-workaround-mcount-name-prior-to-clang-13.patch
+scsi-lpfc-fix-illegal-memory-access-on-abort-iocbs.patch
+ceph-fix-fscache-invalidation.patch
+ceph-don-t-clobber-i_snap_caps-on-non-i_new-inode.patch
+ceph-don-t-allow-access-to-mds-private-inodes.patch
+scsi-target-tcmu-return-from-tcmu_handle_completions.patch
+amdgpu-pm-prevent-force-of-dcefclk-on-navi10-and-sie.patch
+bridge-fix-possible-races-between-assigning-rx_handl.patch
+net-hsr-check-skb-can-contain-struct-hsr_ethhdr-in-f.patch
+nvmet-remove-unsupported-command-noise.patch
+drm-amd-display-fix-two-cursor-duplication-when-usin.patch
+gpiolib-acpi-add-quirk-to-ignore-ec-wakeups-on-dell-.patch
+net-cxgb4-fix-leak-if-sk_buff-is-not-used.patch
+alsa-hda-generic-change-the-dac-ctl-name-for-lo-spk-.patch
+block-reexpand-iov_iter-after-read-write.patch
+lib-stackdepot-turn-depot_lock-spinlock-to-raw_spinl.patch
+net-stmmac-do-not-enable-rx-fifo-overflow-interrupts.patch
--- /dev/null
+From 55adcb0c3f1f009174d39e6879b9f10fb5ad16a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Mar 2021 23:47:31 +0100
+Subject: um: Disable CONFIG_GCOV with MODULES
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit ad3d19911632debc886ef4a992d41d6de7927006 ]
+
+CONFIG_GCOV doesn't work with modules, and for various reasons
+it cannot work, see also
+https://lore.kernel.org/r/d36ea54d8c0a8dd706826ba844a6f27691f45d55.camel@sipsolutions.net
+
+Make CONFIG_GCOV depend on !MODULES to avoid anyone
+running into issues there. This also means we need
+not export the gcov symbols.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/Kconfig.debug | 1 +
+ arch/um/kernel/Makefile | 1 -
+ arch/um/kernel/gmon_syms.c | 16 ----------------
+ 3 files changed, 1 insertion(+), 17 deletions(-)
+ delete mode 100644 arch/um/kernel/gmon_syms.c
+
+diff --git a/arch/um/Kconfig.debug b/arch/um/Kconfig.debug
+index 315d368e63ad..1dfb2959c73b 100644
+--- a/arch/um/Kconfig.debug
++++ b/arch/um/Kconfig.debug
+@@ -17,6 +17,7 @@ config GCOV
+ bool "Enable gcov support"
+ depends on DEBUG_INFO
+ depends on !KCOV
++ depends on !MODULES
+ help
+ This option allows developers to retrieve coverage data from a UML
+ session.
+diff --git a/arch/um/kernel/Makefile b/arch/um/kernel/Makefile
+index 5aa882011e04..e698e0c7dbdc 100644
+--- a/arch/um/kernel/Makefile
++++ b/arch/um/kernel/Makefile
+@@ -21,7 +21,6 @@ obj-y = config.o exec.o exitcode.o irq.o ksyms.o mem.o \
+
+ obj-$(CONFIG_BLK_DEV_INITRD) += initrd.o
+ obj-$(CONFIG_GPROF) += gprof_syms.o
+-obj-$(CONFIG_GCOV) += gmon_syms.o
+ obj-$(CONFIG_EARLY_PRINTK) += early_printk.o
+ obj-$(CONFIG_STACKTRACE) += stacktrace.o
+
+diff --git a/arch/um/kernel/gmon_syms.c b/arch/um/kernel/gmon_syms.c
+deleted file mode 100644
+index 9361a8eb9bf1..000000000000
+--- a/arch/um/kernel/gmon_syms.c
++++ /dev/null
+@@ -1,16 +0,0 @@
+-// SPDX-License-Identifier: GPL-2.0
+-/*
+- * Copyright (C) 2001 - 2007 Jeff Dike (jdike@{addtoit,linux.intel}.com)
+- */
+-
+-#include <linux/module.h>
+-
+-extern void __bb_init_func(void *) __attribute__((weak));
+-EXPORT_SYMBOL(__bb_init_func);
+-
+-extern void __gcov_init(void *) __attribute__((weak));
+-EXPORT_SYMBOL(__gcov_init);
+-extern void __gcov_merge_add(void *, unsigned int) __attribute__((weak));
+-EXPORT_SYMBOL(__gcov_merge_add);
+-extern void __gcov_exit(void) __attribute__((weak));
+-EXPORT_SYMBOL(__gcov_exit);
+--
+2.30.2
+
--- /dev/null
+From cf0e412f612a739d2b6bd0eaf083411b97770611 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Mar 2021 21:43:15 +0100
+Subject: um: Mark all kernel symbols as local
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit d5027ca63e0e778b641cf23e3f5c6d6212cf412b ]
+
+Ritesh reported a bug [1] against UML, noting that it crashed on
+startup. The backtrace shows the following (heavily redacted):
+
+(gdb) bt
+...
+ #26 0x0000000060015b5d in sem_init () at ipc/sem.c:268
+ #27 0x00007f89906d92f7 in ?? () from /lib/x86_64-linux-gnu/libcom_err.so.2
+ #28 0x00007f8990ab8fb2 in call_init (...) at dl-init.c:72
+...
+ #40 0x00007f89909bf3a6 in nss_load_library (...) at nsswitch.c:359
+...
+ #44 0x00007f8990895e35 in _nss_compat_getgrnam_r (...) at nss_compat/compat-grp.c:486
+ #45 0x00007f8990968b85 in __getgrnam_r [...]
+ #46 0x00007f89909d6b77 in grantpt [...]
+ #47 0x00007f8990a9394e in __GI_openpty [...]
+ #48 0x00000000604a1f65 in openpty_cb (...) at arch/um/os-Linux/sigio.c:407
+ #49 0x00000000604a58d0 in start_idle_thread (...) at arch/um/os-Linux/skas/process.c:598
+ #50 0x0000000060004a3d in start_uml () at arch/um/kernel/skas/process.c:45
+ #51 0x00000000600047b2 in linux_main (...) at arch/um/kernel/um_arch.c:334
+ #52 0x000000006000574f in main (...) at arch/um/os-Linux/main.c:144
+
+indicating that the UML function openpty_cb() calls openpty(),
+which internally calls __getgrnam_r(), which causes the nsswitch
+machinery to get started.
+
+This loads, through lots of indirection that I snipped, the
+libcom_err.so.2 library, which (in an unknown function, "??")
+calls sem_init().
+
+Now, of course it wants to get libpthread's sem_init(), since
+it's linked against libpthread. However, the dynamic linker
+looks up that symbol against the binary first, and gets the
+kernel's sem_init().
+
+Hajime Tazaki noted that "objcopy -L" can localize a symbol,
+so the dynamic linker wouldn't do the lookup this way. I tried,
+but for some reason that didn't seem to work.
+
+Doing the same thing in the linker script instead does seem to
+work, though I cannot entirely explain - it *also* works if I
+just add "VERSION { { global: *; }; }" instead, indicating that
+something else is happening that I don't really understand. It
+may be that explicitly doing that marks them with some kind of
+empty version, and that's different from the default.
+
+Explicitly marking them with a version breaks kallsyms, so that
+doesn't seem to be possible.
+
+Marking all the symbols as local seems correct, and does seem
+to address the issue, so do that. Also do it for static link,
+nsswitch libraries could still be loaded there.
+
+[1] https://bugs.debian.org/983379
+
+Reported-by: Ritesh Raj Sarraf <rrs@debian.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Acked-By: Anton Ivanov <anton.ivanov@cambridgegreys.com>
+Tested-By: Ritesh Raj Sarraf <rrs@debian.org>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/kernel/dyn.lds.S | 6 ++++++
+ arch/um/kernel/uml.lds.S | 6 ++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/arch/um/kernel/dyn.lds.S b/arch/um/kernel/dyn.lds.S
+index dacbfabf66d8..2f2a8ce92f1e 100644
+--- a/arch/um/kernel/dyn.lds.S
++++ b/arch/um/kernel/dyn.lds.S
+@@ -6,6 +6,12 @@ OUTPUT_ARCH(ELF_ARCH)
+ ENTRY(_start)
+ jiffies = jiffies_64;
+
++VERSION {
++ {
++ local: *;
++ };
++}
++
+ SECTIONS
+ {
+ PROVIDE (__executable_start = START);
+diff --git a/arch/um/kernel/uml.lds.S b/arch/um/kernel/uml.lds.S
+index 45d957d7004c..7a8e2b123e29 100644
+--- a/arch/um/kernel/uml.lds.S
++++ b/arch/um/kernel/uml.lds.S
+@@ -7,6 +7,12 @@ OUTPUT_ARCH(ELF_ARCH)
+ ENTRY(_start)
+ jiffies = jiffies_64;
+
++VERSION {
++ {
++ local: *;
++ };
++}
++
+ SECTIONS
+ {
+ /* This must contain the right address - not quite the default ELF one.*/
+--
+2.30.2
+
--- /dev/null
+From d92e85ffe30aa00de60dcc58239246d192ae1d93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Apr 2021 06:26:02 -0700
+Subject: virtio_net: Do not pull payload in skb->head
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 0f6925b3e8da0dbbb52447ca8a8b42b371aac7db ]
+
+Xuan Zhuo reported that commit 3226b158e67c ("net: avoid 32 x truesize
+under-estimation for tiny skbs") brought a ~10% performance drop.
+
+The reason for the performance drop was that GRO was forced
+to chain sk_buff (using skb_shinfo(skb)->frag_list), which
+uses more memory but also cause packet consumers to go over
+a lot of overhead handling all the tiny skbs.
+
+It turns out that virtio_net page_to_skb() has a wrong strategy :
+It allocates skbs with GOOD_COPY_LEN (128) bytes in skb->head, then
+copies 128 bytes from the page, before feeding the packet to GRO stack.
+
+This was suboptimal before commit 3226b158e67c ("net: avoid 32 x truesize
+under-estimation for tiny skbs") because GRO was using 2 frags per MSS,
+meaning we were not packing MSS with 100% efficiency.
+
+Fix is to pull only the ethernet header in page_to_skb()
+
+Then, we change virtio_net_hdr_to_skb() to pull the missing
+headers, instead of assuming they were already pulled by callers.
+
+This fixes the performance regression, but could also allow virtio_net
+to accept packets with more than 128bytes of headers.
+
+Many thanks to Xuan Zhuo for his report, and his tests/help.
+
+Fixes: 3226b158e67c ("net: avoid 32 x truesize under-estimation for tiny skbs")
+Reported-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Link: https://www.spinics.net/lists/netdev/msg731397.html
+Co-Developed-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Signed-off-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Cc: virtualization@lists.linux-foundation.org
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/virtio_net.c | 10 +++++++---
+ include/linux/virtio_net.h | 14 +++++++++-----
+ 2 files changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index 038ce4e5e84b..286f836a53bf 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -406,9 +406,13 @@ static struct sk_buff *page_to_skb(struct virtnet_info *vi,
+ offset += hdr_padded_len;
+ p += hdr_padded_len;
+
+- copy = len;
+- if (copy > skb_tailroom(skb))
+- copy = skb_tailroom(skb);
++ /* Copy all frame if it fits skb->head, otherwise
++ * we let virtio_net_hdr_to_skb() and GRO pull headers as needed.
++ */
++ if (len <= skb_tailroom(skb))
++ copy = len;
++ else
++ copy = ETH_HLEN + metasize;
+ skb_put_data(skb, p, copy);
+
+ if (metasize) {
+diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h
+index 98775d7fa696..b465f8f3e554 100644
+--- a/include/linux/virtio_net.h
++++ b/include/linux/virtio_net.h
+@@ -65,14 +65,18 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb,
+ skb_reset_mac_header(skb);
+
+ if (hdr->flags & VIRTIO_NET_HDR_F_NEEDS_CSUM) {
+- u16 start = __virtio16_to_cpu(little_endian, hdr->csum_start);
+- u16 off = __virtio16_to_cpu(little_endian, hdr->csum_offset);
++ u32 start = __virtio16_to_cpu(little_endian, hdr->csum_start);
++ u32 off = __virtio16_to_cpu(little_endian, hdr->csum_offset);
++ u32 needed = start + max_t(u32, thlen, off + sizeof(__sum16));
++
++ if (!pskb_may_pull(skb, needed))
++ return -EINVAL;
+
+ if (!skb_partial_csum_set(skb, start, off))
+ return -EINVAL;
+
+ p_off = skb_transport_offset(skb) + thlen;
+- if (p_off > skb_headlen(skb))
++ if (!pskb_may_pull(skb, p_off))
+ return -EINVAL;
+ } else {
+ /* gso packets without NEEDS_CSUM do not set transport_offset.
+@@ -102,14 +106,14 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb,
+ }
+
+ p_off = keys.control.thoff + thlen;
+- if (p_off > skb_headlen(skb) ||
++ if (!pskb_may_pull(skb, p_off) ||
+ keys.basic.ip_proto != ip_proto)
+ return -EINVAL;
+
+ skb_set_transport_header(skb, keys.control.thoff);
+ } else if (gso_type) {
+ p_off = thlen;
+- if (p_off > skb_headlen(skb))
++ if (!pskb_may_pull(skb, p_off))
+ return -EINVAL;
+ }
+ }
+--
+2.30.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
