--- /dev/null
+From 615a22f7fe352da25764366e14f43060965dccdd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jul 2021 13:14:40 +0100
+Subject: 6lowpan: iphc: Fix an off-by-one check of array index
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 9af417610b6142e826fd1ee8ba7ff3e9a2133a5a ]
+
+The bounds check of id is off-by-one and the comparison should
+be >= rather >. Currently the WARN_ON_ONCE check does not stop
+the out of range indexing of &ldev->ctx.table[id] so also add
+a return path if the bounds are out of range.
+
+Addresses-Coverity: ("Illegal address computation").
+Fixes: 5609c185f24d ("6lowpan: iphc: add support for stateful compression")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/6lowpan/debugfs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/6lowpan/debugfs.c b/net/6lowpan/debugfs.c
+index 24915e0bb9ea..2a05c5b5005b 100644
+--- a/net/6lowpan/debugfs.c
++++ b/net/6lowpan/debugfs.c
+@@ -176,7 +176,8 @@ static int lowpan_dev_debugfs_ctx_init(struct net_device *dev,
+ struct dentry *dentry, *root;
+ char buf[32];
+
+- WARN_ON_ONCE(id > LOWPAN_IPHC_CTX_TABLE_SIZE);
++ if (WARN_ON_ONCE(id >= LOWPAN_IPHC_CTX_TABLE_SIZE))
++ return;
+
+ sprintf(buf, "%d", id);
+
+--
+2.30.2
+
--- /dev/null
+From 1a50e1b8cfa93bc6d5e0d0527a2c6aa081307bf3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Aug 2021 09:21:10 +0200
+Subject: arm64: dts: exynos: correct GIC CPU interfaces address range on
+ Exynos7
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+
+[ Upstream commit 01c72cad790cb6cd3ccbe4c1402b6cb6c6bbffd0 ]
+
+The GIC-400 CPU interfaces address range is defined as 0x2000-0x3FFF (by
+ARM).
+
+Reported-by: Sam Protsenko <semen.protsenko@linaro.org>
+Reported-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Reviewed-by: Sam Protsenko <semen.protsenko@linaro.org>
+Reviewed-by: Alim Akhtar <alim.akhtar@samsung.com>
+Fixes: b9024cbc937d ("arm64: dts: Add initial device tree support for exynos7")
+Link: https://lore.kernel.org/r/20210805072110.4730-1-krzysztof.kozlowski@canonical.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/exynos/exynos7.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/exynos/exynos7.dtsi b/arch/arm64/boot/dts/exynos/exynos7.dtsi
+index 875297a470da..331dcf94acf0 100644
+--- a/arch/arm64/boot/dts/exynos/exynos7.dtsi
++++ b/arch/arm64/boot/dts/exynos/exynos7.dtsi
+@@ -94,7 +94,7 @@
+ #address-cells = <0>;
+ interrupt-controller;
+ reg = <0x11001000 0x1000>,
+- <0x11002000 0x1000>,
++ <0x11002000 0x2000>,
+ <0x11004000 0x2000>,
+ <0x11006000 0x2000>;
+ };
+--
+2.30.2
+
--- /dev/null
+From 5d16d1d2e3f3e79e633d8f735da3de9eef012cb7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Aug 2021 14:34:38 +0300
+Subject: ath6kl: wmi: fix an error code in ath6kl_wmi_sync_point()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit fd6729ec534cffbbeb3917761e6d1fe6a412d3fe ]
+
+This error path is unlikely because of it checked for NULL and
+returned -ENOMEM earlier in the function. But it should return
+an error code here as well if we ever do hit it because of a
+race condition or something.
+
+Fixes: bdcd81707973 ("Add ath6kl cleaned up driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210813113438.GB30697@kili
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath6kl/wmi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c
+index f80f1757b58f..66df6f8bc0de 100644
+--- a/drivers/net/wireless/ath/ath6kl/wmi.c
++++ b/drivers/net/wireless/ath/ath6kl/wmi.c
+@@ -2513,8 +2513,10 @@ static int ath6kl_wmi_sync_point(struct wmi *wmi, u8 if_idx)
+ goto free_data_skb;
+
+ for (index = 0; index < num_pri_streams; index++) {
+- if (WARN_ON(!data_sync_bufs[index].skb))
++ if (WARN_ON(!data_sync_bufs[index].skb)) {
++ ret = -ENOMEM;
+ goto free_data_skb;
++ }
+
+ ep_id = ath6kl_ac2_endpoint_id(wmi->parent_dev,
+ data_sync_bufs[index].
+--
+2.30.2
+
--- /dev/null
+From 154c2eab17eb06b965d2b1149cfb3a0be25dffcc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jul 2021 10:52:31 +0800
+Subject: bcma: Fix memory leak for internally-handled cores
+
+From: Zenghui Yu <yuzenghui@huawei.com>
+
+[ Upstream commit b63aed3ff195130fef12e0af590f4838cf0201d8 ]
+
+kmemleak reported that dev_name() of internally-handled cores were leaked
+on driver unbinding. Let's use device_initialize() to take refcounts for
+them and put_device() to properly free the related stuff.
+
+While looking at it, there's another potential issue for those which should
+be *registered* into driver core. If device_register() failed, we put
+device once and freed bcma_device structures. In bcma_unregister_cores(),
+they're treated as unregistered and we hit both UAF and double-free. That
+smells not good and has also been fixed now.
+
+Fixes: ab54bc8460b5 ("bcma: fill core details for every device")
+Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210727025232.663-2-yuzenghui@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bcma/main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/bcma/main.c b/drivers/bcma/main.c
+index e6986c7608f1..b1783f5b5cb5 100644
+--- a/drivers/bcma/main.c
++++ b/drivers/bcma/main.c
+@@ -236,6 +236,7 @@ EXPORT_SYMBOL(bcma_core_irq);
+
+ void bcma_prepare_core(struct bcma_bus *bus, struct bcma_device *core)
+ {
++ device_initialize(&core->dev);
+ core->dev.release = bcma_release_core_dev;
+ core->dev.bus = &bcma_bus_type;
+ dev_set_name(&core->dev, "bcma%d:%d", bus->num, core->core_index);
+@@ -299,11 +300,10 @@ static void bcma_register_core(struct bcma_bus *bus, struct bcma_device *core)
+ {
+ int err;
+
+- err = device_register(&core->dev);
++ err = device_add(&core->dev);
+ if (err) {
+ bcma_err(bus, "Could not register dev for core 0x%03X\n",
+ core->id.id);
+- put_device(&core->dev);
+ return;
+ }
+ core->dev_registered = true;
+@@ -394,7 +394,7 @@ void bcma_unregister_cores(struct bcma_bus *bus)
+ /* Now noone uses internally-handled cores, we can free them */
+ list_for_each_entry_safe(core, tmp, &bus->cores, list) {
+ list_del(&core->list);
+- kfree(core);
++ put_device(&core->dev);
+ }
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 551ad7865ff8cccb874d7153265eff803b256ece Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Aug 2021 12:15:01 +0300
+Subject: block: nbd: add sanity check for first_minor
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit b1a811633f7321cf1ae2bb76a66805b7720e44c9 ]
+
+Syzbot hit WARNING in internal_create_group(). The problem was in
+too big disk->first_minor.
+
+disk->first_minor is initialized by value, which comes from userspace
+and there wasn't any sanity checks about value correctness. It can cause
+duplicate creation of sysfs files/links, because disk->first_minor will
+be passed to MKDEV() which causes truncation to byte. Since maximum
+minor value is 0xff, let's check if first_minor is correct minor number.
+
+NOTE: the root case of the reported warning was in wrong error handling
+in register_disk(), but we can avoid passing knowingly wrong values to
+sysfs API, because sysfs error messages can confuse users. For example:
+user passed 1048576 as index, but sysfs complains about duplicate
+creation of /dev/block/43:0. It's not obvious how 1048576 becomes 0.
+Log and reproducer for above example can be found on syzkaller bug
+report page.
+
+Link: https://syzkaller.appspot.com/bug?id=03c2ae9146416edf811958d5fd7acfab75b143d1
+Fixes: b0d9111a2d53 ("nbd: use an idr to keep track of nbd devices")
+Reported-by: syzbot+9937dc42271cd87d4b98@syzkaller.appspotmail.com
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/nbd.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index 826b3877a157..9a8175c057a9 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -1668,7 +1668,17 @@ static int nbd_dev_add(int index)
+ refcount_set(&nbd->refs, 1);
+ INIT_LIST_HEAD(&nbd->list);
+ disk->major = NBD_MAJOR;
++
++ /* Too big first_minor can cause duplicate creation of
++ * sysfs files/links, since first_minor will be truncated to
++ * byte in __device_add_disk().
++ */
+ disk->first_minor = index << part_shift;
++ if (disk->first_minor > 0xff) {
++ err = -EINVAL;
++ goto out_free_idr;
++ }
++
+ disk->fops = &nbd_fops;
+ disk->private_data = nbd;
+ sprintf(disk->disk_name, "nbd%d", index);
+--
+2.30.2
+
--- /dev/null
+From bd4255240e6603055f090dab368c3a692f634f50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Aug 2021 18:15:21 +0300
+Subject: Bluetooth: add timeout sanity check to hci_inquiry
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit f41a4b2b5eb7872109723dab8ae1603bdd9d9ec1 ]
+
+Syzbot hit "task hung" bug in hci_req_sync(). The problem was in
+unreasonable huge inquiry timeout passed from userspace.
+Fix it by adding sanity check for timeout value to hci_inquiry().
+
+Since hci_inquiry() is the only user of hci_req_sync() with user
+controlled timeout value, it makes sense to check timeout value in
+hci_inquiry() and don't touch hci_req_sync().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-and-tested-by: syzbot+be2baed593ea56c6a84c@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index 89f4b9fc9bcc..1906adfd553a 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -1258,6 +1258,12 @@ int hci_inquiry(void __user *arg)
+ goto done;
+ }
+
++ /* Restrict maximum inquiry length to 60 seconds */
++ if (ir.length > 60) {
++ err = -EINVAL;
++ goto done;
++ }
++
+ hci_dev_lock(hdev);
+ if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX ||
+ inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) {
+--
+2.30.2
+
--- /dev/null
+From 0d40de5ba0eee807ee5ce0be40b3b73c344c4959 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 12:14:10 +0800
+Subject: Bluetooth: fix repeated calls to sco_sock_kill
+
+From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+
+[ Upstream commit e1dee2c1de2b4dd00eb44004a4bda6326ed07b59 ]
+
+In commit 4e1a720d0312 ("Bluetooth: avoid killing an already killed
+socket"), a check was added to sco_sock_kill to skip killing a socket
+if the SOCK_DEAD flag was set.
+
+This was done after a trace for a use-after-free bug showed that the
+same sock pointer was being killed twice.
+
+Unfortunately, this check prevents sco_sock_kill from running on any
+socket. sco_sock_kill kills a socket only if it's zapped and orphaned,
+however sock_orphan announces that the socket is dead before detaching
+it. i.e., orphaned sockets have the SOCK_DEAD flag set.
+
+To fix this, we remove the check for SOCK_DEAD, and avoid repeated
+calls to sco_sock_kill by removing incorrect calls in:
+
+1. sco_sock_timeout. The socket should not be killed on timeout as
+further processing is expected to be done. For example,
+sco_sock_connect sets the timer then waits for the socket to be
+connected or for an error to be returned.
+
+2. sco_conn_del. This function should clean up resources for the
+connection, but the socket itself should be cleaned up in
+sco_sock_release.
+
+3. sco_sock_close. Calls to sco_sock_close in sco_sock_cleanup_listen
+and sco_sock_release are followed by sco_sock_kill. Hence the
+duplicated call should be removed.
+
+Fixes: 4e1a720d0312 ("Bluetooth: avoid killing an already killed socket")
+Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/sco.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
+index 930828ec2afb..f4b997fb33d6 100644
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -84,7 +84,6 @@ static void sco_sock_timeout(unsigned long arg)
+ sk->sk_state_change(sk);
+ bh_unlock_sock(sk);
+
+- sco_sock_kill(sk);
+ sock_put(sk);
+ }
+
+@@ -176,7 +175,6 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
+ sco_sock_clear_timer(sk);
+ sco_chan_del(sk, err);
+ bh_unlock_sock(sk);
+- sco_sock_kill(sk);
+ sock_put(sk);
+ }
+
+@@ -393,8 +391,7 @@ static void sco_sock_cleanup_listen(struct sock *parent)
+ */
+ static void sco_sock_kill(struct sock *sk)
+ {
+- if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket ||
+- sock_flag(sk, SOCK_DEAD))
++ if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
+ return;
+
+ BT_DBG("sk %p state %d", sk, sk->sk_state);
+@@ -446,7 +443,6 @@ static void sco_sock_close(struct sock *sk)
+ lock_sock(sk);
+ __sco_sock_close(sk);
+ release_sock(sk);
+- sco_sock_kill(sk);
+ }
+
+ static void sco_sock_init(struct sock *sk, struct sock *parent)
+--
+2.30.2
+
--- /dev/null
+From c29c6790bb8f24143139c68bca20106680445e62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Aug 2021 16:09:51 +0100
+Subject: Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer
+ overflow
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 713baf3dae8f45dc8ada4ed2f5fdcbf94a5c274d ]
+
+An earlier commit replaced using batostr to using %pMR sprintf for the
+construction of session->name. Static analysis detected that this new
+method can use a total of 21 characters (including the trailing '\0')
+so we need to increase the BTNAMSIZ from 18 to 21 to fix potential
+buffer overflows.
+
+Addresses-Coverity: ("Out-of-bounds write")
+Fixes: fcb73338ed53 ("Bluetooth: Use %pMR in sprintf/seq_printf instead of batostr")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/cmtp/cmtp.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/cmtp/cmtp.h b/net/bluetooth/cmtp/cmtp.h
+index c32638dddbf9..f6b9dc4e408f 100644
+--- a/net/bluetooth/cmtp/cmtp.h
++++ b/net/bluetooth/cmtp/cmtp.h
+@@ -26,7 +26,7 @@
+ #include <linux/types.h>
+ #include <net/bluetooth/bluetooth.h>
+
+-#define BTNAMSIZ 18
++#define BTNAMSIZ 21
+
+ /* CMTP ioctl defines */
+ #define CMTPCONNADD _IOW('C', 200, int)
+--
+2.30.2
+
--- /dev/null
+From d60ea4858b35d36f66edc2020b35542e71f8699b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 12:53:15 +0800
+Subject: Bluetooth: Move shutdown callback before flushing tx and rx queue
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+[ Upstream commit 0ea53674d07fb6db2dd7a7ec2fdc85a12eb246c2 ]
+
+Commit 0ea9fd001a14 ("Bluetooth: Shutdown controller after workqueues
+are flushed or cancelled") introduced a regression that makes mtkbtsdio
+driver stops working:
+[ 36.593956] Bluetooth: hci0: Firmware already downloaded
+[ 46.814613] Bluetooth: hci0: Execution of wmt command timed out
+[ 46.814619] Bluetooth: hci0: Failed to send wmt func ctrl (-110)
+
+The shutdown callback depends on the result of hdev->rx_work, so we
+should call it before flushing rx_work:
+-> btmtksdio_shutdown()
+ -> mtk_hci_wmt_sync()
+ -> __hci_cmd_send()
+ -> wait for BTMTKSDIO_TX_WAIT_VND_EVT gets cleared
+
+-> btmtksdio_recv_event()
+ -> hci_recv_frame()
+ -> queue_work(hdev->workqueue, &hdev->rx_work)
+ -> clears BTMTKSDIO_TX_WAIT_VND_EVT
+
+So move the shutdown callback before flushing TX/RX queue to resolve the
+issue.
+
+Reported-and-tested-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
+Tested-by: Hsin-Yi Wang <hsinyi@chromium.org>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Fixes: 0ea9fd001a14 ("Bluetooth: Shutdown controller after workqueues are flushed or cancelled")
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_core.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index 3b2dd98e9fd6..89f4b9fc9bcc 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -1582,6 +1582,14 @@ int hci_dev_do_close(struct hci_dev *hdev)
+ hci_request_cancel_all(hdev);
+ hci_req_sync_lock(hdev);
+
++ if (!hci_dev_test_flag(hdev, HCI_UNREGISTER) &&
++ !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
++ test_bit(HCI_UP, &hdev->flags)) {
++ /* Execute vendor specific shutdown routine */
++ if (hdev->shutdown)
++ hdev->shutdown(hdev);
++ }
++
+ if (!test_and_clear_bit(HCI_UP, &hdev->flags)) {
+ cancel_delayed_work_sync(&hdev->cmd_timer);
+ hci_req_sync_unlock(hdev);
+--
+2.30.2
+
--- /dev/null
+From 43ef663271ba8f9e075d03af88ed532ca8897f77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jun 2021 18:00:09 +0300
+Subject: Bluetooth: sco: prevent information leak in sco_conn_defer_accept()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 59da0b38bc2ea570ede23a3332ecb3e7574ce6b2 ]
+
+Smatch complains that some of these struct members are not initialized
+leading to a stack information disclosure:
+
+ net/bluetooth/sco.c:778 sco_conn_defer_accept() warn:
+ check that 'cp.retrans_effort' doesn't leak information
+
+This seems like a valid warning. I've added a default case to fix
+this issue.
+
+Fixes: 2f69a82acf6f ("Bluetooth: Use voice setting in deferred SCO connection request")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/sco.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
+index 2d23b29ce00d..930828ec2afb 100644
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -762,6 +762,11 @@ static void sco_conn_defer_accept(struct hci_conn *conn, u16 setting)
+ cp.max_latency = cpu_to_le16(0xffff);
+ cp.retrans_effort = 0xff;
+ break;
++ default:
++ /* use CVSD settings as fallback */
++ cp.max_latency = cpu_to_le16(0xffff);
++ cp.retrans_effort = 0xff;
++ break;
+ }
+
+ hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ,
+--
+2.30.2
+
--- /dev/null
+From 41240427ee20a54c75dbf8c648f97d83aca3a7b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jun 2021 17:34:20 -0400
+Subject: certs: Trigger creation of RSA module signing key if it's not an RSA
+ key
+
+From: Stefan Berger <stefanb@linux.ibm.com>
+
+[ Upstream commit ea35e0d5df6c92fa2e124bb1b91d09b2240715ba ]
+
+Address a kbuild issue where a developer created an ECDSA key for signing
+kernel modules and then builds an older version of the kernel, when bi-
+secting the kernel for example, that does not support ECDSA keys.
+
+If openssl is installed, trigger the creation of an RSA module signing
+key if it is not an RSA key.
+
+Fixes: cfc411e7fff3 ("Move certificate handling to its own directory")
+Cc: David Howells <dhowells@redhat.com>
+Cc: David Woodhouse <dwmw2@infradead.org>
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Tested-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ certs/Makefile | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/certs/Makefile b/certs/Makefile
+index 5d0999b9e21b..ca3c71e3a3d9 100644
+--- a/certs/Makefile
++++ b/certs/Makefile
+@@ -46,11 +46,19 @@ endif
+ redirect_openssl = 2>&1
+ quiet_redirect_openssl = 2>&1
+ silent_redirect_openssl = 2>/dev/null
++openssl_available = $(shell openssl help 2>/dev/null && echo yes)
+
+ # We do it this way rather than having a boolean option for enabling an
+ # external private key, because 'make randconfig' might enable such a
+ # boolean option and we unfortunately can't make it depend on !RANDCONFIG.
+ ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem")
++
++ifeq ($(openssl_available),yes)
++X509TEXT=$(shell openssl x509 -in "certs/signing_key.pem" -text 2>/dev/null)
++
++$(if $(findstring rsaEncryption,$(X509TEXT)),,$(shell rm -f "certs/signing_key.pem"))
++endif
++
+ $(obj)/signing_key.pem: $(obj)/x509.genkey
+ @$(kecho) "###"
+ @$(kecho) "### Now generating an X.509 key pair to be used for signing modules."
+--
+2.30.2
+
--- /dev/null
+From 49bfe659290324a8e1d10d600821be233998cad7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Aug 2021 12:27:09 +0200
+Subject: CIFS: Fix a potencially linear read overflow
+
+From: Len Baker <len.baker@gmx.com>
+
+[ Upstream commit f980d055a0f858d73d9467bb0b570721bbfcdfb8 ]
+
+strlcpy() reads the entire source buffer first. This read may exceed the
+destination size limit. This is both inefficient and can lead to linear
+read overflows if a source string is not NUL-terminated.
+
+Also, the strnlen() call does not avoid the read overflow in the strlcpy
+function when a not NUL-terminated string is passed.
+
+So, replace this block by a call to kstrndup() that avoids this type of
+overflow and does the same.
+
+Fixes: 066ce6899484d ("cifs: rename cifs_strlcpy_to_host and make it use new functions")
+Signed-off-by: Len Baker <len.baker@gmx.com>
+Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/cifs_unicode.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/fs/cifs/cifs_unicode.c b/fs/cifs/cifs_unicode.c
+index 9986817532b1..7932e20555d2 100644
+--- a/fs/cifs/cifs_unicode.c
++++ b/fs/cifs/cifs_unicode.c
+@@ -371,14 +371,9 @@ cifs_strndup_from_utf16(const char *src, const int maxlen,
+ if (!dst)
+ return NULL;
+ cifs_from_utf16(dst, (__le16 *) src, len, maxlen, codepage,
+- NO_MAP_UNI_RSVD);
++ NO_MAP_UNI_RSVD);
+ } else {
+- len = strnlen(src, maxlen);
+- len++;
+- dst = kmalloc(len, GFP_KERNEL);
+- if (!dst)
+- return NULL;
+- strlcpy(dst, src, len);
++ dst = kstrndup(src, maxlen, GFP_KERNEL);
+ }
+
+ return dst;
+--
+2.30.2
+
--- /dev/null
+From 06f32ec98518fb063e8aa96396ec699e0daf1ae5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Apr 2021 14:34:43 +0200
+Subject: clocksource/drivers/sh_cmt: Fix wrong setting if don't request IRQ
+ for clock source channel
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Phong Hoang <phong.hoang.wz@renesas.com>
+
+[ Upstream commit be83c3b6e7b8ff22f72827a613bf6f3aa5afadbb ]
+
+If CMT instance has at least two channels, one channel will be used
+as a clock source and another one used as a clock event device.
+In that case, IRQ is not requested for clock source channel so
+sh_cmt_clock_event_program_verify() might work incorrectly.
+Besides, when a channel is only used for clock source, don't need to
+re-set the next match_value since it should be maximum timeout as
+it still is.
+
+On the other hand, due to no IRQ, total_cycles is not counted up
+when reaches compare match time (timer counter resets to zero),
+so sh_cmt_clocksource_read() returns unexpected value.
+Therefore, use 64-bit clocksoure's mask for 32-bit or 16-bit variants
+will also lead to wrong delta calculation. Hence, this mask should
+correspond to timer counter width, and above function just returns
+the raw value of timer counter register.
+
+Fixes: bfa76bb12f23 ("clocksource: sh_cmt: Request IRQ for clock event device only")
+Fixes: 37e7742c55ba ("clocksource/drivers/sh_cmt: Fix clocksource width for 32-bit machines")
+Signed-off-by: Phong Hoang <phong.hoang.wz@renesas.com>
+Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lore.kernel.org/r/20210422123443.73334-1-niklas.soderlund+renesas@ragnatech.se
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/sh_cmt.c | 30 ++++++++++++++++++------------
+ 1 file changed, 18 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/clocksource/sh_cmt.c b/drivers/clocksource/sh_cmt.c
+index 3cd62f7c33e3..48eeee53a586 100644
+--- a/drivers/clocksource/sh_cmt.c
++++ b/drivers/clocksource/sh_cmt.c
+@@ -570,7 +570,8 @@ static int sh_cmt_start(struct sh_cmt_channel *ch, unsigned long flag)
+ ch->flags |= flag;
+
+ /* setup timeout if no clockevent */
+- if ((flag == FLAG_CLOCKSOURCE) && (!(ch->flags & FLAG_CLOCKEVENT)))
++ if (ch->cmt->num_channels == 1 &&
++ flag == FLAG_CLOCKSOURCE && (!(ch->flags & FLAG_CLOCKEVENT)))
+ __sh_cmt_set_next(ch, ch->max_match_value);
+ out:
+ raw_spin_unlock_irqrestore(&ch->lock, flags);
+@@ -606,20 +607,25 @@ static struct sh_cmt_channel *cs_to_sh_cmt(struct clocksource *cs)
+ static u64 sh_cmt_clocksource_read(struct clocksource *cs)
+ {
+ struct sh_cmt_channel *ch = cs_to_sh_cmt(cs);
+- unsigned long flags;
+ u32 has_wrapped;
+- u64 value;
+- u32 raw;
+
+- raw_spin_lock_irqsave(&ch->lock, flags);
+- value = ch->total_cycles;
+- raw = sh_cmt_get_counter(ch, &has_wrapped);
++ if (ch->cmt->num_channels == 1) {
++ unsigned long flags;
++ u64 value;
++ u32 raw;
+
+- if (unlikely(has_wrapped))
+- raw += ch->match_value + 1;
+- raw_spin_unlock_irqrestore(&ch->lock, flags);
++ raw_spin_lock_irqsave(&ch->lock, flags);
++ value = ch->total_cycles;
++ raw = sh_cmt_get_counter(ch, &has_wrapped);
++
++ if (unlikely(has_wrapped))
++ raw += ch->match_value + 1;
++ raw_spin_unlock_irqrestore(&ch->lock, flags);
++
++ return value + raw;
++ }
+
+- return value + raw;
++ return sh_cmt_get_counter(ch, &has_wrapped);
+ }
+
+ static int sh_cmt_clocksource_enable(struct clocksource *cs)
+@@ -682,7 +688,7 @@ static int sh_cmt_register_clocksource(struct sh_cmt_channel *ch,
+ cs->disable = sh_cmt_clocksource_disable;
+ cs->suspend = sh_cmt_clocksource_suspend;
+ cs->resume = sh_cmt_clocksource_resume;
+- cs->mask = CLOCKSOURCE_MASK(sizeof(u64) * 8);
++ cs->mask = CLOCKSOURCE_MASK(ch->cmt->info->width);
+ cs->flags = CLOCK_SOURCE_IS_CONTINUOUS;
+
+ dev_info(&ch->cmt->pdev->dev, "ch%u: used as clock source\n",
+--
+2.30.2
+
--- /dev/null
+From 1c8b9a5ba0cc26c5835ea41ed58f898842168138 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Jul 2021 14:56:37 -0400
+Subject: crypto: mxs-dcp - Check for DMA mapping errors
+
+From: Sean Anderson <sean.anderson@seco.com>
+
+[ Upstream commit df6313d707e575a679ada3313358289af24454c0 ]
+
+After calling dma_map_single(), we must also call dma_mapping_error().
+This fixes the following warning when compiling with CONFIG_DMA_API_DEBUG:
+
+[ 311.241478] WARNING: CPU: 0 PID: 428 at kernel/dma/debug.c:1027 check_unmap+0x79c/0x96c
+[ 311.249547] DMA-API: mxs-dcp 2280000.crypto: device driver failed to check map error[device address=0x00000000860cb080] [size=32 bytes] [mapped as single]
+
+Signed-off-by: Sean Anderson <sean.anderson@seco.com>
+Reviewed-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/mxs-dcp.c | 45 +++++++++++++++++++++++++++++++---------
+ 1 file changed, 35 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/crypto/mxs-dcp.c b/drivers/crypto/mxs-dcp.c
+index eb569cf06309..96b6808847c7 100644
+--- a/drivers/crypto/mxs-dcp.c
++++ b/drivers/crypto/mxs-dcp.c
+@@ -167,15 +167,19 @@ static struct dcp *global_sdcp;
+
+ static int mxs_dcp_start_dma(struct dcp_async_ctx *actx)
+ {
++ int dma_err;
+ struct dcp *sdcp = global_sdcp;
+ const int chan = actx->chan;
+ uint32_t stat;
+ unsigned long ret;
+ struct dcp_dma_desc *desc = &sdcp->coh->desc[actx->chan];
+-
+ dma_addr_t desc_phys = dma_map_single(sdcp->dev, desc, sizeof(*desc),
+ DMA_TO_DEVICE);
+
++ dma_err = dma_mapping_error(sdcp->dev, desc_phys);
++ if (dma_err)
++ return dma_err;
++
+ reinit_completion(&sdcp->completion[chan]);
+
+ /* Clear status register. */
+@@ -213,18 +217,29 @@ static int mxs_dcp_start_dma(struct dcp_async_ctx *actx)
+ static int mxs_dcp_run_aes(struct dcp_async_ctx *actx,
+ struct ablkcipher_request *req, int init)
+ {
++ dma_addr_t key_phys, src_phys, dst_phys;
+ struct dcp *sdcp = global_sdcp;
+ struct dcp_dma_desc *desc = &sdcp->coh->desc[actx->chan];
+ struct dcp_aes_req_ctx *rctx = ablkcipher_request_ctx(req);
+ int ret;
+
+- dma_addr_t key_phys = dma_map_single(sdcp->dev, sdcp->coh->aes_key,
+- 2 * AES_KEYSIZE_128,
+- DMA_TO_DEVICE);
+- dma_addr_t src_phys = dma_map_single(sdcp->dev, sdcp->coh->aes_in_buf,
+- DCP_BUF_SZ, DMA_TO_DEVICE);
+- dma_addr_t dst_phys = dma_map_single(sdcp->dev, sdcp->coh->aes_out_buf,
+- DCP_BUF_SZ, DMA_FROM_DEVICE);
++ key_phys = dma_map_single(sdcp->dev, sdcp->coh->aes_key,
++ 2 * AES_KEYSIZE_128, DMA_TO_DEVICE);
++ ret = dma_mapping_error(sdcp->dev, key_phys);
++ if (ret)
++ return ret;
++
++ src_phys = dma_map_single(sdcp->dev, sdcp->coh->aes_in_buf,
++ DCP_BUF_SZ, DMA_TO_DEVICE);
++ ret = dma_mapping_error(sdcp->dev, src_phys);
++ if (ret)
++ goto err_src;
++
++ dst_phys = dma_map_single(sdcp->dev, sdcp->coh->aes_out_buf,
++ DCP_BUF_SZ, DMA_FROM_DEVICE);
++ ret = dma_mapping_error(sdcp->dev, dst_phys);
++ if (ret)
++ goto err_dst;
+
+ if (actx->fill % AES_BLOCK_SIZE) {
+ dev_err(sdcp->dev, "Invalid block size!\n");
+@@ -262,10 +277,12 @@ static int mxs_dcp_run_aes(struct dcp_async_ctx *actx,
+ ret = mxs_dcp_start_dma(actx);
+
+ aes_done_run:
++ dma_unmap_single(sdcp->dev, dst_phys, DCP_BUF_SZ, DMA_FROM_DEVICE);
++err_dst:
++ dma_unmap_single(sdcp->dev, src_phys, DCP_BUF_SZ, DMA_TO_DEVICE);
++err_src:
+ dma_unmap_single(sdcp->dev, key_phys, 2 * AES_KEYSIZE_128,
+ DMA_TO_DEVICE);
+- dma_unmap_single(sdcp->dev, src_phys, DCP_BUF_SZ, DMA_TO_DEVICE);
+- dma_unmap_single(sdcp->dev, dst_phys, DCP_BUF_SZ, DMA_FROM_DEVICE);
+
+ return ret;
+ }
+@@ -565,6 +582,10 @@ static int mxs_dcp_run_sha(struct ahash_request *req)
+ dma_addr_t buf_phys = dma_map_single(sdcp->dev, sdcp->coh->sha_in_buf,
+ DCP_BUF_SZ, DMA_TO_DEVICE);
+
++ ret = dma_mapping_error(sdcp->dev, buf_phys);
++ if (ret)
++ return ret;
++
+ /* Fill in the DMA descriptor. */
+ desc->control0 = MXS_DCP_CONTROL0_DECR_SEMAPHORE |
+ MXS_DCP_CONTROL0_INTERRUPT |
+@@ -597,6 +618,10 @@ static int mxs_dcp_run_sha(struct ahash_request *req)
+ if (rctx->fini) {
+ digest_phys = dma_map_single(sdcp->dev, sdcp->coh->sha_out_buf,
+ DCP_SHA_PAY_SZ, DMA_FROM_DEVICE);
++ ret = dma_mapping_error(sdcp->dev, digest_phys);
++ if (ret)
++ goto done_run;
++
+ desc->control0 |= MXS_DCP_CONTROL0_HASH_TERM;
+ desc->payload = digest_phys;
+ }
+--
+2.30.2
+
--- /dev/null
+From 92bc5242c88e5afac1f917a3225b11fa58a86519 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jul 2021 13:23:34 +0300
+Subject: crypto: omap-sham - clear dma flags only after
+ omap_sham_update_dma_stop()
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit fe28140b3393b0ba1eb95cc109f974a7e58b26fd ]
+
+We should not clear FLAGS_DMA_ACTIVE before omap_sham_update_dma_stop() is
+done calling dma_unmap_sg(). We already clear FLAGS_DMA_ACTIVE at the
+end of omap_sham_update_dma_stop().
+
+The early clearing of FLAGS_DMA_ACTIVE is not causing issues as we do not
+need to defer anything based on FLAGS_DMA_ACTIVE currently. So this can be
+applied as clean-up.
+
+Cc: Lokesh Vutla <lokeshvutla@ti.com>
+Cc: Tero Kristo <kristo@kernel.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/omap-sham.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/omap-sham.c b/drivers/crypto/omap-sham.c
+index e34e9561e77d..adf958956982 100644
+--- a/drivers/crypto/omap-sham.c
++++ b/drivers/crypto/omap-sham.c
+@@ -1746,7 +1746,7 @@ static void omap_sham_done_task(unsigned long data)
+ if (test_and_clear_bit(FLAGS_OUTPUT_READY, &dd->flags))
+ goto finish;
+ } else if (test_bit(FLAGS_DMA_READY, &dd->flags)) {
+- if (test_and_clear_bit(FLAGS_DMA_ACTIVE, &dd->flags)) {
++ if (test_bit(FLAGS_DMA_ACTIVE, &dd->flags)) {
+ omap_sham_update_dma_stop(dd);
+ if (dd->err) {
+ err = dd->err;
+--
+2.30.2
+
--- /dev/null
+From b1233ae7c75fba7c509609ddd0cb9eba6c87821b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Aug 2021 21:21:28 +0100
+Subject: crypto: qat - do not export adf_iov_putmsg()
+
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+
+[ Upstream commit 645ae0af1840199086c33e4f841892ebee73f615 ]
+
+The function adf_iov_putmsg() is only used inside the intel_qat module
+therefore should not be exported.
+Remove EXPORT_SYMBOL for the function adf_iov_putmsg().
+
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Reviewed-by: Fiona Trahe <fiona.trahe@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_common/adf_pf2vf_msg.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c
+index 9dab2cc11fdf..c64481160b71 100644
+--- a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c
++++ b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c
+@@ -231,7 +231,6 @@ int adf_iov_putmsg(struct adf_accel_dev *accel_dev, u32 msg, u8 vf_nr)
+
+ return ret;
+ }
+-EXPORT_SYMBOL_GPL(adf_iov_putmsg);
+
+ void adf_vf2pf_req_hndl(struct adf_accel_vf_info *vf_info)
+ {
+--
+2.30.2
+
--- /dev/null
+From a1e19a9887be0d6ce404836f36b1cdbba5dc2901 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Aug 2021 21:21:13 +0100
+Subject: crypto: qat - do not ignore errors from enable_vf2pf_comms()
+
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+
+[ Upstream commit 5147f0906d50a9d26f2b8698cd06b5680e9867ff ]
+
+The function adf_dev_init() ignores the error code reported by
+enable_vf2pf_comms(). If the latter fails, e.g. the VF is not compatible
+with the pf, then the load of the VF driver progresses.
+This patch changes adf_dev_init() so that the error code from
+enable_vf2pf_comms() is returned to the caller.
+
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Reviewed-by: Marco Chiappero <marco.chiappero@intel.com>
+Reviewed-by: Fiona Trahe <fiona.trahe@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_common/adf_init.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/qat/qat_common/adf_init.c b/drivers/crypto/qat/qat_common/adf_init.c
+index 26556c713049..7a7d43c47534 100644
+--- a/drivers/crypto/qat/qat_common/adf_init.c
++++ b/drivers/crypto/qat/qat_common/adf_init.c
+@@ -105,6 +105,7 @@ int adf_dev_init(struct adf_accel_dev *accel_dev)
+ struct service_hndl *service;
+ struct list_head *list_itr;
+ struct adf_hw_device_data *hw_data = accel_dev->hw_device;
++ int ret;
+
+ if (!hw_data) {
+ dev_err(&GET_DEV(accel_dev),
+@@ -171,9 +172,9 @@ int adf_dev_init(struct adf_accel_dev *accel_dev)
+ }
+
+ hw_data->enable_error_correction(accel_dev);
+- hw_data->enable_vf2pf_comms(accel_dev);
++ ret = hw_data->enable_vf2pf_comms(accel_dev);
+
+- return 0;
++ return ret;
+ }
+ EXPORT_SYMBOL_GPL(adf_dev_init);
+
+--
+2.30.2
+
--- /dev/null
+From 9c4f103822593799c5c0cbc6315ff78be1c9c233 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Aug 2021 21:21:22 +0100
+Subject: crypto: qat - fix naming for init/shutdown VF to PF notifications
+
+From: Marco Chiappero <marco.chiappero@intel.com>
+
+[ Upstream commit b90c1c4d3fa8cd90f4e8245b13564380fd0bfad1 ]
+
+At start and shutdown, VFs notify the PF about their state. These
+notifications are carried out through a message exchange using the PFVF
+protocol.
+
+Function names lead to believe they do perform init or shutdown logic.
+This is to fix the naming to better reflect their purpose.
+
+Signed-off-by: Marco Chiappero <marco.chiappero@intel.com>
+Co-developed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Reviewed-by: Fiona Trahe <fiona.trahe@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_c3xxxvf/adf_c3xxxvf_hw_data.c | 4 ++--
+ drivers/crypto/qat/qat_c62xvf/adf_c62xvf_hw_data.c | 4 ++--
+ drivers/crypto/qat/qat_common/adf_common_drv.h | 8 ++++----
+ drivers/crypto/qat/qat_common/adf_vf2pf_msg.c | 12 ++++++------
+ .../qat/qat_dh895xccvf/adf_dh895xccvf_hw_data.c | 4 ++--
+ 5 files changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/crypto/qat/qat_c3xxxvf/adf_c3xxxvf_hw_data.c b/drivers/crypto/qat/qat_c3xxxvf/adf_c3xxxvf_hw_data.c
+index d2d0ae445fd8..7c7d49a8a403 100644
+--- a/drivers/crypto/qat/qat_c3xxxvf/adf_c3xxxvf_hw_data.c
++++ b/drivers/crypto/qat/qat_c3xxxvf/adf_c3xxxvf_hw_data.c
+@@ -123,10 +123,10 @@ void adf_init_hw_data_c3xxxiov(struct adf_hw_device_data *hw_data)
+ hw_data->enable_error_correction = adf_vf_void_noop;
+ hw_data->init_admin_comms = adf_vf_int_noop;
+ hw_data->exit_admin_comms = adf_vf_void_noop;
+- hw_data->send_admin_init = adf_vf2pf_init;
++ hw_data->send_admin_init = adf_vf2pf_notify_init;
+ hw_data->init_arb = adf_vf_int_noop;
+ hw_data->exit_arb = adf_vf_void_noop;
+- hw_data->disable_iov = adf_vf2pf_shutdown;
++ hw_data->disable_iov = adf_vf2pf_notify_shutdown;
+ hw_data->get_accel_mask = get_accel_mask;
+ hw_data->get_ae_mask = get_ae_mask;
+ hw_data->get_num_accels = get_num_accels;
+diff --git a/drivers/crypto/qat/qat_c62xvf/adf_c62xvf_hw_data.c b/drivers/crypto/qat/qat_c62xvf/adf_c62xvf_hw_data.c
+index 38e4bc04f407..90e8a7564756 100644
+--- a/drivers/crypto/qat/qat_c62xvf/adf_c62xvf_hw_data.c
++++ b/drivers/crypto/qat/qat_c62xvf/adf_c62xvf_hw_data.c
+@@ -123,10 +123,10 @@ void adf_init_hw_data_c62xiov(struct adf_hw_device_data *hw_data)
+ hw_data->enable_error_correction = adf_vf_void_noop;
+ hw_data->init_admin_comms = adf_vf_int_noop;
+ hw_data->exit_admin_comms = adf_vf_void_noop;
+- hw_data->send_admin_init = adf_vf2pf_init;
++ hw_data->send_admin_init = adf_vf2pf_notify_init;
+ hw_data->init_arb = adf_vf_int_noop;
+ hw_data->exit_arb = adf_vf_void_noop;
+- hw_data->disable_iov = adf_vf2pf_shutdown;
++ hw_data->disable_iov = adf_vf2pf_notify_shutdown;
+ hw_data->get_accel_mask = get_accel_mask;
+ hw_data->get_ae_mask = get_ae_mask;
+ hw_data->get_num_accels = get_num_accels;
+diff --git a/drivers/crypto/qat/qat_common/adf_common_drv.h b/drivers/crypto/qat/qat_common/adf_common_drv.h
+index d78f8d5c89c3..289dd7e48d4a 100644
+--- a/drivers/crypto/qat/qat_common/adf_common_drv.h
++++ b/drivers/crypto/qat/qat_common/adf_common_drv.h
+@@ -239,8 +239,8 @@ void adf_enable_vf2pf_interrupts(struct adf_accel_dev *accel_dev,
+ void adf_enable_pf2vf_interrupts(struct adf_accel_dev *accel_dev);
+ void adf_disable_pf2vf_interrupts(struct adf_accel_dev *accel_dev);
+
+-int adf_vf2pf_init(struct adf_accel_dev *accel_dev);
+-void adf_vf2pf_shutdown(struct adf_accel_dev *accel_dev);
++int adf_vf2pf_notify_init(struct adf_accel_dev *accel_dev);
++void adf_vf2pf_notify_shutdown(struct adf_accel_dev *accel_dev);
+ int adf_init_pf_wq(void);
+ void adf_exit_pf_wq(void);
+ int adf_init_vf_wq(void);
+@@ -263,12 +263,12 @@ static inline void adf_disable_pf2vf_interrupts(struct adf_accel_dev *accel_dev)
+ {
+ }
+
+-static inline int adf_vf2pf_init(struct adf_accel_dev *accel_dev)
++static inline int adf_vf2pf_notify_init(struct adf_accel_dev *accel_dev)
+ {
+ return 0;
+ }
+
+-static inline void adf_vf2pf_shutdown(struct adf_accel_dev *accel_dev)
++static inline void adf_vf2pf_notify_shutdown(struct adf_accel_dev *accel_dev)
+ {
+ }
+
+diff --git a/drivers/crypto/qat/qat_common/adf_vf2pf_msg.c b/drivers/crypto/qat/qat_common/adf_vf2pf_msg.c
+index cd5f37dffe8a..1830194567e8 100644
+--- a/drivers/crypto/qat/qat_common/adf_vf2pf_msg.c
++++ b/drivers/crypto/qat/qat_common/adf_vf2pf_msg.c
+@@ -49,14 +49,14 @@
+ #include "adf_pf2vf_msg.h"
+
+ /**
+- * adf_vf2pf_init() - send init msg to PF
++ * adf_vf2pf_notify_init() - send init msg to PF
+ * @accel_dev: Pointer to acceleration VF device.
+ *
+ * Function sends an init messge from the VF to a PF
+ *
+ * Return: 0 on success, error code otherwise.
+ */
+-int adf_vf2pf_init(struct adf_accel_dev *accel_dev)
++int adf_vf2pf_notify_init(struct adf_accel_dev *accel_dev)
+ {
+ u32 msg = (ADF_VF2PF_MSGORIGIN_SYSTEM |
+ (ADF_VF2PF_MSGTYPE_INIT << ADF_VF2PF_MSGTYPE_SHIFT));
+@@ -69,17 +69,17 @@ int adf_vf2pf_init(struct adf_accel_dev *accel_dev)
+ set_bit(ADF_STATUS_PF_RUNNING, &accel_dev->status);
+ return 0;
+ }
+-EXPORT_SYMBOL_GPL(adf_vf2pf_init);
++EXPORT_SYMBOL_GPL(adf_vf2pf_notify_init);
+
+ /**
+- * adf_vf2pf_shutdown() - send shutdown msg to PF
++ * adf_vf2pf_notify_shutdown() - send shutdown msg to PF
+ * @accel_dev: Pointer to acceleration VF device.
+ *
+ * Function sends a shutdown messge from the VF to a PF
+ *
+ * Return: void
+ */
+-void adf_vf2pf_shutdown(struct adf_accel_dev *accel_dev)
++void adf_vf2pf_notify_shutdown(struct adf_accel_dev *accel_dev)
+ {
+ u32 msg = (ADF_VF2PF_MSGORIGIN_SYSTEM |
+ (ADF_VF2PF_MSGTYPE_SHUTDOWN << ADF_VF2PF_MSGTYPE_SHIFT));
+@@ -89,4 +89,4 @@ void adf_vf2pf_shutdown(struct adf_accel_dev *accel_dev)
+ dev_err(&GET_DEV(accel_dev),
+ "Failed to send Shutdown event to PF\n");
+ }
+-EXPORT_SYMBOL_GPL(adf_vf2pf_shutdown);
++EXPORT_SYMBOL_GPL(adf_vf2pf_notify_shutdown);
+diff --git a/drivers/crypto/qat/qat_dh895xccvf/adf_dh895xccvf_hw_data.c b/drivers/crypto/qat/qat_dh895xccvf/adf_dh895xccvf_hw_data.c
+index a3b4dd8099a7..3a8361c83f0b 100644
+--- a/drivers/crypto/qat/qat_dh895xccvf/adf_dh895xccvf_hw_data.c
++++ b/drivers/crypto/qat/qat_dh895xccvf/adf_dh895xccvf_hw_data.c
+@@ -123,10 +123,10 @@ void adf_init_hw_data_dh895xcciov(struct adf_hw_device_data *hw_data)
+ hw_data->enable_error_correction = adf_vf_void_noop;
+ hw_data->init_admin_comms = adf_vf_int_noop;
+ hw_data->exit_admin_comms = adf_vf_void_noop;
+- hw_data->send_admin_init = adf_vf2pf_init;
++ hw_data->send_admin_init = adf_vf2pf_notify_init;
+ hw_data->init_arb = adf_vf_int_noop;
+ hw_data->exit_arb = adf_vf_void_noop;
+- hw_data->disable_iov = adf_vf2pf_shutdown;
++ hw_data->disable_iov = adf_vf2pf_notify_shutdown;
+ hw_data->get_accel_mask = get_accel_mask;
+ hw_data->get_ae_mask = get_ae_mask;
+ hw_data->get_num_accels = get_num_accels;
+--
+2.30.2
+
--- /dev/null
+From 49901026044cebece7139179b4714dff9b267f72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Aug 2021 21:21:19 +0100
+Subject: crypto: qat - fix reuse of completion variable
+
+From: Marco Chiappero <marco.chiappero@intel.com>
+
+[ Upstream commit 3d655732b0199562267a05c7ff69ecdd11632939 ]
+
+Use reinit_completion() to set to a clean state a completion variable,
+used to coordinate the VF to PF request-response flow, before every
+new VF request.
+
+Signed-off-by: Marco Chiappero <marco.chiappero@intel.com>
+Co-developed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Reviewed-by: Fiona Trahe <fiona.trahe@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_common/adf_pf2vf_msg.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c
+index b3875fdf6cd7..9dab2cc11fdf 100644
+--- a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c
++++ b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c
+@@ -361,6 +361,8 @@ static int adf_vf2pf_request_version(struct adf_accel_dev *accel_dev)
+ msg |= ADF_PFVF_COMPATIBILITY_VERSION << ADF_VF2PF_COMPAT_VER_REQ_SHIFT;
+ BUILD_BUG_ON(ADF_PFVF_COMPATIBILITY_VERSION > 255);
+
++ reinit_completion(&accel_dev->vf.iov_msg_completion);
++
+ /* Send request from VF to PF */
+ ret = adf_iov_putmsg(accel_dev, msg, 0);
+ if (ret) {
+--
+2.30.2
+
--- /dev/null
+From b4b6e611422f295d66c46d6e942536531a0df67d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Aug 2021 21:21:14 +0100
+Subject: crypto: qat - handle both source of interrupt in VF ISR
+
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+
+[ Upstream commit 0a73c762e1eee33a5e5dc0e3488f1b7cd17249b3 ]
+
+The top half of the VF drivers handled only a source at the time.
+If an interrupt for PF2VF and bundle occurred at the same time, the ISR
+scheduled only the bottom half for PF2VF.
+This patch fixes the VF top half so that if both sources of interrupt
+trigger at the same time, both bottom halves are scheduled.
+
+This patch is based on earlier work done by Conor McLoughlin.
+
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Reviewed-by: Marco Chiappero <marco.chiappero@intel.com>
+Reviewed-by: Fiona Trahe <fiona.trahe@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_common/adf_vf_isr.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/crypto/qat/qat_common/adf_vf_isr.c b/drivers/crypto/qat/qat_common/adf_vf_isr.c
+index df9a1f35b832..ef90902c8200 100644
+--- a/drivers/crypto/qat/qat_common/adf_vf_isr.c
++++ b/drivers/crypto/qat/qat_common/adf_vf_isr.c
+@@ -203,6 +203,7 @@ static irqreturn_t adf_isr(int irq, void *privdata)
+ struct adf_bar *pmisc =
+ &GET_BARS(accel_dev)[hw_data->get_misc_bar_id(hw_data)];
+ void __iomem *pmisc_bar_addr = pmisc->virt_addr;
++ bool handled = false;
+ u32 v_int;
+
+ /* Read VF INT source CSR to determine the source of VF interrupt */
+@@ -215,7 +216,7 @@ static irqreturn_t adf_isr(int irq, void *privdata)
+
+ /* Schedule tasklet to handle interrupt BH */
+ tasklet_hi_schedule(&accel_dev->vf.pf2vf_bh_tasklet);
+- return IRQ_HANDLED;
++ handled = true;
+ }
+
+ /* Check bundle interrupt */
+@@ -227,10 +228,10 @@ static irqreturn_t adf_isr(int irq, void *privdata)
+ WRITE_CSR_INT_FLAG_AND_COL(bank->csr_addr, bank->bank_number,
+ 0);
+ tasklet_hi_schedule(&bank->resp_handler);
+- return IRQ_HANDLED;
++ handled = true;
+ }
+
+- return IRQ_NONE;
++ return handled ? IRQ_HANDLED : IRQ_NONE;
+ }
+
+ static int adf_request_msi_irq(struct adf_accel_dev *accel_dev)
+--
+2.30.2
+
--- /dev/null
+From b4305e92f6ce8ed97a33393106e566f13666afc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Aug 2021 21:21:10 +0100
+Subject: crypto: qat - use proper type for vf_mask
+
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+
+[ Upstream commit 462354d986b6a89c6449b85f17aaacf44e455216 ]
+
+Replace vf_mask type with unsigned long to avoid a stack-out-of-bound.
+
+This is to fix the following warning reported by KASAN the first time
+adf_msix_isr_ae() gets called.
+
+ [ 692.091987] BUG: KASAN: stack-out-of-bounds in find_first_bit+0x28/0x50
+ [ 692.092017] Read of size 8 at addr ffff88afdf789e60 by task swapper/32/0
+ [ 692.092076] Call Trace:
+ [ 692.092089] <IRQ>
+ [ 692.092101] dump_stack+0x9c/0xcf
+ [ 692.092132] print_address_description.constprop.0+0x18/0x130
+ [ 692.092164] ? find_first_bit+0x28/0x50
+ [ 692.092185] kasan_report.cold+0x7f/0x111
+ [ 692.092213] ? static_obj+0x10/0x80
+ [ 692.092234] ? find_first_bit+0x28/0x50
+ [ 692.092262] find_first_bit+0x28/0x50
+ [ 692.092288] adf_msix_isr_ae+0x16e/0x230 [intel_qat]
+
+Fixes: ed8ccaef52fa ("crypto: qat - Add support for SRIOV")
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Reviewed-by: Marco Chiappero <marco.chiappero@intel.com>
+Reviewed-by: Fiona Trahe <fiona.trahe@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_common/adf_isr.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/crypto/qat/qat_common/adf_isr.c b/drivers/crypto/qat/qat_common/adf_isr.c
+index 2c0be14309cf..7877ba677220 100644
+--- a/drivers/crypto/qat/qat_common/adf_isr.c
++++ b/drivers/crypto/qat/qat_common/adf_isr.c
+@@ -59,6 +59,8 @@
+ #include "adf_transport_access_macros.h"
+ #include "adf_transport_internal.h"
+
++#define ADF_MAX_NUM_VFS 32
++
+ static int adf_enable_msix(struct adf_accel_dev *accel_dev)
+ {
+ struct adf_accel_pci *pci_dev_info = &accel_dev->accel_pci_dev;
+@@ -111,7 +113,7 @@ static irqreturn_t adf_msix_isr_ae(int irq, void *dev_ptr)
+ struct adf_bar *pmisc =
+ &GET_BARS(accel_dev)[hw_data->get_misc_bar_id(hw_data)];
+ void __iomem *pmisc_bar_addr = pmisc->virt_addr;
+- u32 vf_mask;
++ unsigned long vf_mask;
+
+ /* Get the interrupt sources triggered by VFs */
+ vf_mask = ((ADF_CSR_RD(pmisc_bar_addr, ADF_ERRSOU5) &
+@@ -132,8 +134,7 @@ static irqreturn_t adf_msix_isr_ae(int irq, void *dev_ptr)
+ * unless the VF is malicious and is attempting to
+ * flood the host OS with VF2PF interrupts.
+ */
+- for_each_set_bit(i, (const unsigned long *)&vf_mask,
+- (sizeof(vf_mask) * BITS_PER_BYTE)) {
++ for_each_set_bit(i, &vf_mask, ADF_MAX_NUM_VFS) {
+ vf_info = accel_dev->pf.vf_info + i;
+
+ if (!__ratelimit(&vf_info->vf2pf_ratelimit)) {
+--
+2.30.2
+
--- /dev/null
+From 131a49e2a7cf59bc0591f7c744546739c7952cbf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Aug 2021 11:15:13 +0200
+Subject: drm/msm/dsi: Fix some reference counted resource leaks
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 6977cc89c87506ff17e6c05f0e37f46752256e82 ]
+
+'of_find_device_by_node()' takes a reference that must be released when
+not needed anymore.
+This is expected to be done in 'dsi_destroy()'.
+
+However, there are 2 issues in 'dsi_get_phy()'.
+
+First, if 'of_find_device_by_node()' succeeds but 'platform_get_drvdata()'
+returns NULL, 'msm_dsi->phy_dev' will still be NULL, and the reference
+won't be released in 'dsi_destroy()'.
+
+Secondly, as 'of_find_device_by_node()' already takes a reference, there is
+no need for an additional 'get_device()'.
+
+Move the assignment to 'msm_dsi->phy_dev' a few lines above and remove the
+unneeded 'get_device()' to solve both issues.
+
+Fixes: ec31abf6684e ("drm/msm/dsi: Separate PHY to another platform device")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/f15bc57648a00e7c99f943903468a04639d50596.1628241097.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dsi/dsi.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/dsi/dsi.c b/drivers/gpu/drm/msm/dsi/dsi.c
+index 98742d7af6dc..bacb33eec0fa 100644
+--- a/drivers/gpu/drm/msm/dsi/dsi.c
++++ b/drivers/gpu/drm/msm/dsi/dsi.c
+@@ -34,8 +34,10 @@ static int dsi_get_phy(struct msm_dsi *msm_dsi)
+ }
+
+ phy_pdev = of_find_device_by_node(phy_node);
+- if (phy_pdev)
++ if (phy_pdev) {
+ msm_dsi->phy = platform_get_drvdata(phy_pdev);
++ msm_dsi->phy_dev = &phy_pdev->dev;
++ }
+
+ of_node_put(phy_node);
+
+@@ -44,8 +46,6 @@ static int dsi_get_phy(struct msm_dsi *msm_dsi)
+ return -EPROBE_DEFER;
+ }
+
+- msm_dsi->phy_dev = get_device(&phy_pdev->dev);
+-
+ return 0;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 2e7202c165e36ddbb9b3a2688a70359f12c6a139 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 30 May 2021 22:13:45 +0300
+Subject: i2c: highlander: add IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit f16a3bb69aa6baabf8f0aca982c8cf21e2a4f6bc ]
+
+The driver is written as if platform_get_irq() returns 0 on errors (while
+actually it returns a negative error code), blithely passing these error
+codes to request_irq() (which takes *unsigned* IRQ #) -- which fails with
+-EINVAL. Add the necessary error check to the pre-existing *if* statement
+forcing the driver into the polling mode...
+
+Fixes: 4ad48e6ab18c ("i2c: Renesas Highlander FPGA SMBus support")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-highlander.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-highlander.c b/drivers/i2c/busses/i2c-highlander.c
+index 56dc69e7349f..9ad031ea3300 100644
+--- a/drivers/i2c/busses/i2c-highlander.c
++++ b/drivers/i2c/busses/i2c-highlander.c
+@@ -382,7 +382,7 @@ static int highlander_i2c_probe(struct platform_device *pdev)
+ platform_set_drvdata(pdev, dev);
+
+ dev->irq = platform_get_irq(pdev, 0);
+- if (iic_force_poll)
++ if (dev->irq < 0 || iic_force_poll)
+ dev->irq = 0;
+
+ if (dev->irq) {
+--
+2.30.2
+
--- /dev/null
+From dd7ec68ab575ba30e1c9ce413ffc566dc5ae17e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Aug 2021 23:35:09 +0300
+Subject: i2c: iop3xx: fix deferred probing
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit a1299505162ad00def3573260c2c68b9c8e8d697 ]
+
+When adding the code to handle platform_get_irq*() errors in the commit
+489447380a29 ("handle errors returned by platform_get_irq*()"), the
+actual error code was enforced to be -ENXIO in the driver for some
+strange reason. This didn't matter much until the deferred probing was
+introduced -- which requires an actual error code to be propagated
+upstream from the failure site.
+
+While fixing this, also stop overriding the errors from request_irq() to
+-EIO (done since the pre-git era).
+
+Fixes: 489447380a29 ("[PATCH] handle errors returned by platform_get_irq*()")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-iop3xx.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-iop3xx.c b/drivers/i2c/busses/i2c-iop3xx.c
+index 85cbe4b55578..d4fe7ccccb22 100644
+--- a/drivers/i2c/busses/i2c-iop3xx.c
++++ b/drivers/i2c/busses/i2c-iop3xx.c
+@@ -456,16 +456,14 @@ iop3xx_i2c_probe(struct platform_device *pdev)
+
+ irq = platform_get_irq(pdev, 0);
+ if (irq < 0) {
+- ret = -ENXIO;
++ ret = irq;
+ goto unmap;
+ }
+ ret = request_irq(irq, iop3xx_i2c_irq_handler, 0,
+ pdev->name, adapter_data);
+
+- if (ret) {
+- ret = -EIO;
++ if (ret)
+ goto unmap;
+- }
+
+ memcpy(new_adapter->name, pdev->name, strlen(pdev->name));
+ new_adapter->owner = THIS_MODULE;
+--
+2.30.2
+
--- /dev/null
+From cbcdb5c1c820a5dca01e319594341a61f356f405 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Jul 2021 17:38:45 +0300
+Subject: i2c: mt65xx: fix IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit 58fb7c643d346e2364404554f531cfa6a1a3917c ]
+
+Iff platform_get_irq() returns 0, the driver's probe() method will return 0
+early (as if the method's call was successful). Let's consider IRQ0 valid
+for simplicity -- devm_request_irq() can always override that decision...
+
+Fixes: ce38815d39ea ("I2C: mediatek: Add driver for MediaTek I2C controller")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+Reviewed-by: Qii Wang <qii.wang@mediatek.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-mt65xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-mt65xx.c b/drivers/i2c/busses/i2c-mt65xx.c
+index 09d288ce0ddb..cbcf76ea9c19 100644
+--- a/drivers/i2c/busses/i2c-mt65xx.c
++++ b/drivers/i2c/busses/i2c-mt65xx.c
+@@ -740,7 +740,7 @@ static int mtk_i2c_probe(struct platform_device *pdev)
+ return PTR_ERR(i2c->pdmabase);
+
+ irq = platform_get_irq(pdev, 0);
+- if (irq <= 0)
++ if (irq < 0)
+ return irq;
+
+ init_completion(&i2c->msg_complete);
+--
+2.30.2
+
--- /dev/null
+From 7ab1e3514dd9a08a898c0f1fdbd0d6eac87298cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Jul 2021 17:45:25 +0300
+Subject: i2c: s3c2410: fix IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit d6840a5e370b7ea4fde16ce2caf431bcc87f9a75 ]
+
+Iff platform_get_irq() returns 0, the driver's probe() method will return 0
+early (as if the method's call was successful). Let's consider IRQ0 valid
+for simplicity -- devm_request_irq() can always override that decision...
+
+Fixes: e0d1ec97853f ("i2c-s3c2410: Change IRQ to be plain integer.")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-s3c2410.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-s3c2410.c b/drivers/i2c/busses/i2c-s3c2410.c
+index de10ca40aebc..911f8628128e 100644
+--- a/drivers/i2c/busses/i2c-s3c2410.c
++++ b/drivers/i2c/busses/i2c-s3c2410.c
+@@ -1181,7 +1181,7 @@ static int s3c24xx_i2c_probe(struct platform_device *pdev)
+ */
+ if (!(i2c->quirks & QUIRK_POLL)) {
+ i2c->irq = ret = platform_get_irq(pdev, 0);
+- if (ret <= 0) {
++ if (ret < 0) {
+ dev_err(&pdev->dev, "cannot find IRQ\n");
+ clk_unprepare(i2c->clk);
+ return ret;
+--
+2.30.2
+
--- /dev/null
+From 39be1e7f06c6ed1f0194acc83eaad7199d42526d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Aug 2021 15:16:15 -0700
+Subject: ipv4: make exception cache less predictible
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 67d6d681e15b578c1725bad8ad079e05d1c48a8e ]
+
+Even after commit 6457378fe796 ("ipv4: use siphash instead of Jenkins in
+fnhe_hashfun()"), an attacker can still use brute force to learn
+some secrets from a victim linux host.
+
+One way to defeat these attacks is to make the max depth of the hash
+table bucket a random value.
+
+Before this patch, each bucket of the hash table used to store exceptions
+could contain 6 items under attack.
+
+After the patch, each bucket would contains a random number of items,
+between 6 and 10. The attacker can no longer infer secrets.
+
+This is slightly increasing memory size used by the hash table,
+by 50% in average, we do not expect this to be a problem.
+
+This patch is more complex than the prior one (IPv6 equivalent),
+because IPv4 was reusing the oldest entry.
+Since we need to be able to evict more than one entry per
+update_or_create_fnhe() call, I had to replace
+fnhe_oldest() with fnhe_remove_oldest().
+
+Also note that we will queue extra kfree_rcu() calls under stress,
+which hopefully wont be a too big issue.
+
+Fixes: 4895c771c7f0 ("ipv4: Add FIB nexthop exceptions.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Keyu Man <kman001@ucr.edu>
+Cc: Willy Tarreau <w@1wt.eu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Tested-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/route.c | 46 ++++++++++++++++++++++++++++++----------------
+ 1 file changed, 30 insertions(+), 16 deletions(-)
+
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 81901b052907..d67d424be919 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -619,18 +619,25 @@ static void fnhe_flush_routes(struct fib_nh_exception *fnhe)
+ }
+ }
+
+-static struct fib_nh_exception *fnhe_oldest(struct fnhe_hash_bucket *hash)
++static void fnhe_remove_oldest(struct fnhe_hash_bucket *hash)
+ {
+- struct fib_nh_exception *fnhe, *oldest;
++ struct fib_nh_exception __rcu **fnhe_p, **oldest_p;
++ struct fib_nh_exception *fnhe, *oldest = NULL;
+
+- oldest = rcu_dereference(hash->chain);
+- for (fnhe = rcu_dereference(oldest->fnhe_next); fnhe;
+- fnhe = rcu_dereference(fnhe->fnhe_next)) {
+- if (time_before(fnhe->fnhe_stamp, oldest->fnhe_stamp))
++ for (fnhe_p = &hash->chain; ; fnhe_p = &fnhe->fnhe_next) {
++ fnhe = rcu_dereference_protected(*fnhe_p,
++ lockdep_is_held(&fnhe_lock));
++ if (!fnhe)
++ break;
++ if (!oldest ||
++ time_before(fnhe->fnhe_stamp, oldest->fnhe_stamp)) {
+ oldest = fnhe;
++ oldest_p = fnhe_p;
++ }
+ }
+ fnhe_flush_routes(oldest);
+- return oldest;
++ *oldest_p = oldest->fnhe_next;
++ kfree_rcu(oldest, rcu);
+ }
+
+ static inline u32 fnhe_hashfun(__be32 daddr)
+@@ -707,16 +714,21 @@ static void update_or_create_fnhe(struct fib_nh *nh, __be32 daddr, __be32 gw,
+ if (rt)
+ fill_route_from_fnhe(rt, fnhe);
+ } else {
+- if (depth > FNHE_RECLAIM_DEPTH)
+- fnhe = fnhe_oldest(hash);
+- else {
+- fnhe = kzalloc(sizeof(*fnhe), GFP_ATOMIC);
+- if (!fnhe)
+- goto out_unlock;
+-
+- fnhe->fnhe_next = hash->chain;
+- rcu_assign_pointer(hash->chain, fnhe);
++ /* Randomize max depth to avoid some side channels attacks. */
++ int max_depth = FNHE_RECLAIM_DEPTH +
++ prandom_u32_max(FNHE_RECLAIM_DEPTH);
++
++ while (depth > max_depth) {
++ fnhe_remove_oldest(hash);
++ depth--;
+ }
++
++ fnhe = kzalloc(sizeof(*fnhe), GFP_ATOMIC);
++ if (!fnhe)
++ goto out_unlock;
++
++ fnhe->fnhe_next = hash->chain;
++
+ fnhe->fnhe_genid = genid;
+ fnhe->fnhe_daddr = daddr;
+ fnhe->fnhe_gw = gw;
+@@ -724,6 +736,8 @@ static void update_or_create_fnhe(struct fib_nh *nh, __be32 daddr, __be32 gw,
+ fnhe->fnhe_mtu_locked = lock;
+ fnhe->fnhe_expires = max(1UL, expires);
+
++ rcu_assign_pointer(hash->chain, fnhe);
++
+ /* Exception created; mark the cached routes for the nexthop
+ * stale, so anyone caching it rechecks if this exception
+ * applies to them.
+--
+2.30.2
+
--- /dev/null
+From 2794e61eb007f639139f7b3173bb1340749adc22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Aug 2021 18:24:37 +0200
+Subject: isofs: joliet: Fix iocharset=utf8 mount option
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 28ce50f8d96ec9035f60c9348294ea26b94db944 ]
+
+Currently iocharset=utf8 mount option is broken. To use UTF-8 as iocharset,
+it is required to use utf8 mount option.
+
+Fix iocharset=utf8 mount option to use be equivalent to the utf8 mount
+option.
+
+If UTF-8 as iocharset is used then s_nls_iocharset is set to NULL. So
+simplify code around, remove s_utf8 field as to distinguish between UTF-8
+and non-UTF-8 it is needed just to check if s_nls_iocharset is set to NULL
+or not.
+
+Link: https://lore.kernel.org/r/20210808162453.1653-5-pali@kernel.org
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/isofs/inode.c | 27 +++++++++++++--------------
+ fs/isofs/isofs.h | 1 -
+ fs/isofs/joliet.c | 4 +---
+ 3 files changed, 14 insertions(+), 18 deletions(-)
+
+diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c
+index a4994e25e19e..f1134752cea3 100644
+--- a/fs/isofs/inode.c
++++ b/fs/isofs/inode.c
+@@ -157,7 +157,6 @@ struct iso9660_options{
+ unsigned int overriderockperm:1;
+ unsigned int uid_set:1;
+ unsigned int gid_set:1;
+- unsigned int utf8:1;
+ unsigned char map;
+ unsigned char check;
+ unsigned int blocksize;
+@@ -357,7 +356,6 @@ static int parse_options(char *options, struct iso9660_options *popt)
+ popt->gid = GLOBAL_ROOT_GID;
+ popt->uid = GLOBAL_ROOT_UID;
+ popt->iocharset = NULL;
+- popt->utf8 = 0;
+ popt->overriderockperm = 0;
+ popt->session=-1;
+ popt->sbsector=-1;
+@@ -390,10 +388,13 @@ static int parse_options(char *options, struct iso9660_options *popt)
+ case Opt_cruft:
+ popt->cruft = 1;
+ break;
++#ifdef CONFIG_JOLIET
+ case Opt_utf8:
+- popt->utf8 = 1;
++ kfree(popt->iocharset);
++ popt->iocharset = kstrdup("utf8", GFP_KERNEL);
++ if (!popt->iocharset)
++ return 0;
+ break;
+-#ifdef CONFIG_JOLIET
+ case Opt_iocharset:
+ kfree(popt->iocharset);
+ popt->iocharset = match_strdup(&args[0]);
+@@ -496,7 +497,6 @@ static int isofs_show_options(struct seq_file *m, struct dentry *root)
+ if (sbi->s_nocompress) seq_puts(m, ",nocompress");
+ if (sbi->s_overriderockperm) seq_puts(m, ",overriderockperm");
+ if (sbi->s_showassoc) seq_puts(m, ",showassoc");
+- if (sbi->s_utf8) seq_puts(m, ",utf8");
+
+ if (sbi->s_check) seq_printf(m, ",check=%c", sbi->s_check);
+ if (sbi->s_mapping) seq_printf(m, ",map=%c", sbi->s_mapping);
+@@ -519,9 +519,10 @@ static int isofs_show_options(struct seq_file *m, struct dentry *root)
+ seq_printf(m, ",fmode=%o", sbi->s_fmode);
+
+ #ifdef CONFIG_JOLIET
+- if (sbi->s_nls_iocharset &&
+- strcmp(sbi->s_nls_iocharset->charset, CONFIG_NLS_DEFAULT) != 0)
++ if (sbi->s_nls_iocharset)
+ seq_printf(m, ",iocharset=%s", sbi->s_nls_iocharset->charset);
++ else
++ seq_puts(m, ",iocharset=utf8");
+ #endif
+ return 0;
+ }
+@@ -865,14 +866,13 @@ root_found:
+ sbi->s_nls_iocharset = NULL;
+
+ #ifdef CONFIG_JOLIET
+- if (joliet_level && opt.utf8 == 0) {
++ if (joliet_level) {
+ char *p = opt.iocharset ? opt.iocharset : CONFIG_NLS_DEFAULT;
+- sbi->s_nls_iocharset = load_nls(p);
+- if (! sbi->s_nls_iocharset) {
+- /* Fail only if explicit charset specified */
+- if (opt.iocharset)
++ if (strcmp(p, "utf8") != 0) {
++ sbi->s_nls_iocharset = opt.iocharset ?
++ load_nls(opt.iocharset) : load_nls_default();
++ if (!sbi->s_nls_iocharset)
+ goto out_freesbi;
+- sbi->s_nls_iocharset = load_nls_default();
+ }
+ }
+ #endif
+@@ -888,7 +888,6 @@ root_found:
+ sbi->s_gid = opt.gid;
+ sbi->s_uid_set = opt.uid_set;
+ sbi->s_gid_set = opt.gid_set;
+- sbi->s_utf8 = opt.utf8;
+ sbi->s_nocompress = opt.nocompress;
+ sbi->s_overriderockperm = opt.overriderockperm;
+ /*
+diff --git a/fs/isofs/isofs.h b/fs/isofs/isofs.h
+index 8e42b4fbefdc..b4b9d4861c9d 100644
+--- a/fs/isofs/isofs.h
++++ b/fs/isofs/isofs.h
+@@ -44,7 +44,6 @@ struct isofs_sb_info {
+ unsigned char s_session;
+ unsigned int s_high_sierra:1;
+ unsigned int s_rock:2;
+- unsigned int s_utf8:1;
+ unsigned int s_cruft:1; /* Broken disks with high byte of length
+ * containing junk */
+ unsigned int s_nocompress:1;
+diff --git a/fs/isofs/joliet.c b/fs/isofs/joliet.c
+index be8b6a9d0b92..c0f04a1e7f69 100644
+--- a/fs/isofs/joliet.c
++++ b/fs/isofs/joliet.c
+@@ -41,14 +41,12 @@ uni16_to_x8(unsigned char *ascii, __be16 *uni, int len, struct nls_table *nls)
+ int
+ get_joliet_filename(struct iso_directory_record * de, unsigned char *outname, struct inode * inode)
+ {
+- unsigned char utf8;
+ struct nls_table *nls;
+ unsigned char len = 0;
+
+- utf8 = ISOFS_SB(inode->i_sb)->s_utf8;
+ nls = ISOFS_SB(inode->i_sb)->s_nls_iocharset;
+
+- if (utf8) {
++ if (!nls) {
+ len = utf16s_to_utf8s((const wchar_t *) de->name,
+ de->name_len[0] >> 1, UTF16_BIG_ENDIAN,
+ outname, PAGE_SIZE);
+--
+2.30.2
+
--- /dev/null
+From 5870a8007bb29cca2047206aa6a714812d8cdfbb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Aug 2021 10:44:47 +0900
+Subject: libata: fix ata_host_start()
+
+From: Damien Le Moal <damien.lemoal@wdc.com>
+
+[ Upstream commit 355a8031dc174450ccad2a61c513ad7222d87a97 ]
+
+The loop on entry of ata_host_start() may not initialize host->ops to a
+non NULL value. The test on the host_stop field of host->ops must then
+be preceded by a check that host->ops is not NULL.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Link: https://lore.kernel.org/r/20210816014456.2191776-3-damien.lemoal@wdc.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index c28b0ca24907..0f0ed04de886 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -6339,7 +6339,7 @@ int ata_host_start(struct ata_host *host)
+ have_stop = 1;
+ }
+
+- if (host->ops->host_stop)
++ if (host->ops && host->ops->host_stop)
+ have_stop = 1;
+
+ if (have_stop) {
+--
+2.30.2
+
--- /dev/null
+From 597ba74ecff4dbe91256b358af2a7c12a721d3f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jul 2021 23:47:27 +0300
+Subject: m68k: emu: Fix invalid free in nfeth_cleanup()
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit 761608f5cf70e8876c2f0e39ca54b516bdcb7c12 ]
+
+In the for loop all nfeth_dev array members should be freed, not only
+the first one. Freeing only the first array member can cause
+double-free bugs and memory leaks.
+
+Fixes: 9cd7b148312f ("m68k/atari: ARAnyM - Add support for network access")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Link: https://lore.kernel.org/r/20210705204727.10743-1-paskripkin@gmail.com
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/emu/nfeth.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/m68k/emu/nfeth.c b/arch/m68k/emu/nfeth.c
+index e45ce4243aaa..76262dc40e79 100644
+--- a/arch/m68k/emu/nfeth.c
++++ b/arch/m68k/emu/nfeth.c
+@@ -258,8 +258,8 @@ static void __exit nfeth_cleanup(void)
+
+ for (i = 0; i < MAX_UNIT; i++) {
+ if (nfeth_dev[i]) {
+- unregister_netdev(nfeth_dev[0]);
+- free_netdev(nfeth_dev[0]);
++ unregister_netdev(nfeth_dev[i]);
++ free_netdev(nfeth_dev[i]);
+ }
+ }
+ free_irq(nfEtherIRQ, nfeth_interrupt);
+--
+2.30.2
+
--- /dev/null
+From 5f7afee6a8a999d092d3c6f2cda6c410cd5c2a66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Aug 2021 16:51:28 +0800
+Subject: mac80211: Fix insufficient headroom issue for AMSDU
+
+From: Chih-Kang Chang <gary.chang@realtek.com>
+
+[ Upstream commit f50d2ff8f016b79a2ff4acd5943a1eda40c545d4 ]
+
+ieee80211_amsdu_realloc_pad() fails to account for extra_tx_headroom,
+the original reserved headroom might be eaten. Add the necessary
+extra_tx_headroom.
+
+Fixes: 6e0456b54545 ("mac80211: add A-MSDU tx support")
+Signed-off-by: Chih-Kang Chang <gary.chang@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://lore.kernel.org/r/20210816085128.10931-2-pkshih@realtek.com
+[fix indentation]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index c7e8935224c0..e7b63ba8c184 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3080,7 +3080,9 @@ static bool ieee80211_amsdu_prepare_head(struct ieee80211_sub_if_data *sdata,
+ if (info->control.flags & IEEE80211_TX_CTRL_AMSDU)
+ return true;
+
+- if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(*amsdu_hdr)))
++ if (!ieee80211_amsdu_realloc_pad(local, skb,
++ sizeof(*amsdu_hdr) +
++ local->hw.extra_tx_headroom))
+ return false;
+
+ data = skb_push(skb, sizeof(*amsdu_hdr));
+--
+2.30.2
+
--- /dev/null
+From 9e8011f48635b1fc4495c3191908eaa781ddb164 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jun 2021 07:33:27 +0200
+Subject: media: dvb-usb: fix uninit-value in dvb_usb_adapter_dvb_init
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit c5453769f77ce19a5b03f1f49946fd3f8a374009 ]
+
+If dibusb_read_eeprom_byte fails, the mac address is not initialized.
+And nova_t_read_mac_address does not handle this failure, which leads to
+the uninit-value in dvb_usb_adapter_dvb_init.
+
+Fix this by handling the failure of dibusb_read_eeprom_byte.
+
+Reported-by: syzbot+e27b4fd589762b0b9329@syzkaller.appspotmail.com
+Fixes: 786baecfe78f ("[media] dvb-usb: move it to drivers/media/usb/dvb-usb")
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/nova-t-usb2.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb/nova-t-usb2.c b/drivers/media/usb/dvb-usb/nova-t-usb2.c
+index 1babd3341910..016a6d1ad279 100644
+--- a/drivers/media/usb/dvb-usb/nova-t-usb2.c
++++ b/drivers/media/usb/dvb-usb/nova-t-usb2.c
+@@ -133,7 +133,7 @@ ret:
+
+ static int nova_t_read_mac_address (struct dvb_usb_device *d, u8 mac[6])
+ {
+- int i;
++ int i, ret;
+ u8 b;
+
+ mac[0] = 0x00;
+@@ -142,7 +142,9 @@ static int nova_t_read_mac_address (struct dvb_usb_device *d, u8 mac[6])
+
+ /* this is a complete guess, but works for my box */
+ for (i = 136; i < 139; i++) {
+- dibusb_read_eeprom_byte(d,i, &b);
++ ret = dibusb_read_eeprom_byte(d, i, &b);
++ if (ret)
++ return ret;
+
+ mac[5 - (i - 136)] = b;
+ }
+--
+2.30.2
+
--- /dev/null
+From a29f6ecc961b9f4eaa40b38a210d3d6a31d101de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jun 2021 07:59:04 +0200
+Subject: media: dvb-usb: fix uninit-value in vp702x_read_mac_addr
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit 797c061ad715a9a1480eb73f44b6939fbe3209ed ]
+
+If vp702x_usb_in_op fails, the mac address is not initialized.
+And vp702x_read_mac_addr does not handle this failure, which leads to
+the uninit-value in dvb_usb_adapter_dvb_init.
+
+Fix this by handling the failure of vp702x_usb_in_op.
+
+Fixes: 786baecfe78f ("[media] dvb-usb: move it to drivers/media/usb/dvb-usb")
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/vp702x.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb/vp702x.c b/drivers/media/usb/dvb-usb/vp702x.c
+index 40de33de90a7..5c3b0a7ca27e 100644
+--- a/drivers/media/usb/dvb-usb/vp702x.c
++++ b/drivers/media/usb/dvb-usb/vp702x.c
+@@ -294,16 +294,22 @@ static int vp702x_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
+ static int vp702x_read_mac_addr(struct dvb_usb_device *d,u8 mac[6])
+ {
+ u8 i, *buf;
++ int ret;
+ struct vp702x_device_state *st = d->priv;
+
+ mutex_lock(&st->buf_mutex);
+ buf = st->buf;
+- for (i = 6; i < 12; i++)
+- vp702x_usb_in_op(d, READ_EEPROM_REQ, i, 1, &buf[i - 6], 1);
++ for (i = 6; i < 12; i++) {
++ ret = vp702x_usb_in_op(d, READ_EEPROM_REQ, i, 1,
++ &buf[i - 6], 1);
++ if (ret < 0)
++ goto err;
++ }
+
+ memcpy(mac, buf, 6);
++err:
+ mutex_unlock(&st->buf_mutex);
+- return 0;
++ return ret;
+ }
+
+ static int vp702x_frontend_attach(struct dvb_usb_adapter *adap)
+--
+2.30.2
+
--- /dev/null
+From 87fa5a653bca8c23bcd44220bc53b33b5361e1ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jul 2021 11:34:09 +0200
+Subject: media: em28xx-input: fix refcount bug in em28xx_usb_disconnect
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit 6fa54bc713c262e1cfbc5613377ef52280d7311f ]
+
+If em28xx_ir_init fails, it would decrease the refcount of dev. However,
+in the em28xx_ir_fini, when ir is NULL, it goes to ref_put and decrease
+the refcount of dev. This will lead to a refcount bug.
+
+Fix this bug by removing the kref_put in the error handling code
+of em28xx_ir_init.
+
+refcount_t: underflow; use-after-free.
+WARNING: CPU: 0 PID: 7 at lib/refcount.c:28 refcount_warn_saturate+0x18e/0x1a0 lib/refcount.c:28
+Modules linked in:
+CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.13.0 #3
+Workqueue: usb_hub_wq hub_event
+RIP: 0010:refcount_warn_saturate+0x18e/0x1a0 lib/refcount.c:28
+Call Trace:
+ kref_put.constprop.0+0x60/0x85 include/linux/kref.h:69
+ em28xx_usb_disconnect.cold+0xd7/0xdc drivers/media/usb/em28xx/em28xx-cards.c:4150
+ usb_unbind_interface+0xbf/0x3a0 drivers/usb/core/driver.c:458
+ __device_release_driver drivers/base/dd.c:1201 [inline]
+ device_release_driver_internal+0x22a/0x230 drivers/base/dd.c:1232
+ bus_remove_device+0x108/0x160 drivers/base/bus.c:529
+ device_del+0x1fe/0x510 drivers/base/core.c:3540
+ usb_disable_device+0xd1/0x1d0 drivers/usb/core/message.c:1419
+ usb_disconnect+0x109/0x330 drivers/usb/core/hub.c:2221
+ hub_port_connect drivers/usb/core/hub.c:5151 [inline]
+ hub_port_connect_change drivers/usb/core/hub.c:5440 [inline]
+ port_event drivers/usb/core/hub.c:5586 [inline]
+ hub_event+0xf81/0x1d40 drivers/usb/core/hub.c:5668
+ process_one_work+0x2c9/0x610 kernel/workqueue.c:2276
+ process_scheduled_works kernel/workqueue.c:2338 [inline]
+ worker_thread+0x333/0x5b0 kernel/workqueue.c:2424
+ kthread+0x188/0x1d0 kernel/kthread.c:319
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
+
+Reported-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Fixes: ac5688637144 ("media: em28xx: Fix possible memory leak of em28xx struct")
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/em28xx/em28xx-input.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/media/usb/em28xx/em28xx-input.c b/drivers/media/usb/em28xx/em28xx-input.c
+index b8c94b4ad232..0be2fb751705 100644
+--- a/drivers/media/usb/em28xx/em28xx-input.c
++++ b/drivers/media/usb/em28xx/em28xx-input.c
+@@ -839,7 +839,6 @@ error:
+ kfree(ir);
+ ref_put:
+ em28xx_shutdown_buttons(dev);
+- kref_put(&dev->ref, em28xx_free_device);
+ return err;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From fbf5b794a0ee3d858fe1c62dfc38ca277dceb918 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Jun 2021 21:45:42 +0200
+Subject: media: go7007: remove redundant initialization
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit 6f5885a7750545973bf1a942d2f0f129aef0aa06 ]
+
+In go7007_alloc() kzalloc() is used for struct go7007
+allocation. It means that there is no need in zeroing
+any members, because kzalloc will take care of it.
+
+Removing these reduntant initialization steps increases
+execution speed a lot:
+
+ Before:
+ + 86.802 us | go7007_alloc();
+ After:
+ + 29.595 us | go7007_alloc();
+
+Fixes: 866b8695d67e8 ("Staging: add the go7007 video driver")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/go7007/go7007-driver.c | 26 ------------------------
+ 1 file changed, 26 deletions(-)
+
+diff --git a/drivers/media/usb/go7007/go7007-driver.c b/drivers/media/usb/go7007/go7007-driver.c
+index 05b1126f263e..d861d7225f49 100644
+--- a/drivers/media/usb/go7007/go7007-driver.c
++++ b/drivers/media/usb/go7007/go7007-driver.c
+@@ -698,49 +698,23 @@ struct go7007 *go7007_alloc(const struct go7007_board_info *board,
+ struct device *dev)
+ {
+ struct go7007 *go;
+- int i;
+
+ go = kzalloc(sizeof(struct go7007), GFP_KERNEL);
+ if (go == NULL)
+ return NULL;
+ go->dev = dev;
+ go->board_info = board;
+- go->board_id = 0;
+ go->tuner_type = -1;
+- go->channel_number = 0;
+- go->name[0] = 0;
+ mutex_init(&go->hw_lock);
+ init_waitqueue_head(&go->frame_waitq);
+ spin_lock_init(&go->spinlock);
+ go->status = STATUS_INIT;
+- memset(&go->i2c_adapter, 0, sizeof(go->i2c_adapter));
+- go->i2c_adapter_online = 0;
+- go->interrupt_available = 0;
+ init_waitqueue_head(&go->interrupt_waitq);
+- go->input = 0;
+ go7007_update_board(go);
+- go->encoder_h_halve = 0;
+- go->encoder_v_halve = 0;
+- go->encoder_subsample = 0;
+ go->format = V4L2_PIX_FMT_MJPEG;
+ go->bitrate = 1500000;
+ go->fps_scale = 1;
+- go->pali = 0;
+ go->aspect_ratio = GO7007_RATIO_1_1;
+- go->gop_size = 0;
+- go->ipb = 0;
+- go->closed_gop = 0;
+- go->repeat_seqhead = 0;
+- go->seq_header_enable = 0;
+- go->gop_header_enable = 0;
+- go->dvd_mode = 0;
+- go->interlace_coding = 0;
+- for (i = 0; i < 4; ++i)
+- go->modet[i].enable = 0;
+- for (i = 0; i < 1624; ++i)
+- go->modet_map[i] = 0;
+- go->audio_deliver = NULL;
+- go->audio_enabled = 0;
+
+ return go;
+ }
+--
+2.30.2
+
--- /dev/null
+From b74d95f627ea2fc925afd0c07e3396520841eedc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 11:16:43 +0300
+Subject: mmc: dw_mmc: Fix issue with uninitialized dma_slave_config
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit c3ff0189d3bc9c03845fe37472c140f0fefd0c79 ]
+
+Depending on the DMA driver being used, the struct dma_slave_config may
+need to be initialized to zero for the unused data.
+
+For example, we have three DMA drivers using src_port_window_size and
+dst_port_window_size. If these are left uninitialized, it can cause DMA
+failures.
+
+For dw_mmc, this is probably not currently an issue but is still good to
+fix though.
+
+Fixes: 3fc7eaef44db ("mmc: dw_mmc: Add external dma interface support")
+Cc: Shawn Lin <shawn.lin@rock-chips.com>
+Cc: Jaehoon Chung <jh80.chung@samsung.com>
+Cc: Peter Ujfalusi <peter.ujfalusi@gmail.com>
+Cc: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Link: https://lore.kernel.org/r/20210810081644.19353-2-tony@atomide.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/dw_mmc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/mmc/host/dw_mmc.c b/drivers/mmc/host/dw_mmc.c
+index bd994a8fce14..44d317d71b4c 100644
+--- a/drivers/mmc/host/dw_mmc.c
++++ b/drivers/mmc/host/dw_mmc.c
+@@ -832,6 +832,7 @@ static int dw_mci_edmac_start_dma(struct dw_mci *host,
+ int ret = 0;
+
+ /* Set external dma config: burst size, burst width */
++ memset(&cfg, 0, sizeof(cfg));
+ cfg.dst_addr = host->phy_regs + fifo_offset;
+ cfg.src_addr = cfg.dst_addr;
+ cfg.dst_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES;
+--
+2.30.2
+
--- /dev/null
+From a73e92b0e6eebd00408fb8dfdbf935855c48c30e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 11:16:44 +0300
+Subject: mmc: moxart: Fix issue with uninitialized dma_slave_config
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit ee5165354d498e5bceb0b386e480ac84c5f8c28c ]
+
+Depending on the DMA driver being used, the struct dma_slave_config may
+need to be initialized to zero for the unused data.
+
+For example, we have three DMA drivers using src_port_window_size and
+dst_port_window_size. If these are left uninitialized, it can cause DMA
+failures.
+
+For moxart, this is probably not currently an issue but is still good to
+fix though.
+
+Fixes: 1b66e94e6b99 ("mmc: moxart: Add MOXA ART SD/MMC driver")
+Cc: Jonas Jensen <jonas.jensen@gmail.com>
+Cc: Vinod Koul <vkoul@kernel.org>
+Cc: Peter Ujfalusi <peter.ujfalusi@gmail.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Link: https://lore.kernel.org/r/20210810081644.19353-3-tony@atomide.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/moxart-mmc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/mmc/host/moxart-mmc.c b/drivers/mmc/host/moxart-mmc.c
+index a0670e9cd012..5553a5643f40 100644
+--- a/drivers/mmc/host/moxart-mmc.c
++++ b/drivers/mmc/host/moxart-mmc.c
+@@ -631,6 +631,7 @@ static int moxart_probe(struct platform_device *pdev)
+ host->dma_chan_tx, host->dma_chan_rx);
+ host->have_dma = true;
+
++ memset(&cfg, 0, sizeof(cfg));
+ cfg.src_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES;
+ cfg.dst_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES;
+
+--
+2.30.2
+
--- /dev/null
+From d353196e4d5472c7e0a2e31aab76f1620e90d663 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jul 2021 19:35:30 +0300
+Subject: net: cipso: fix warnings in netlbl_cipsov4_add_std
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit 8ca34a13f7f9b3fa2c464160ffe8cc1a72088204 ]
+
+Syzbot reported warning in netlbl_cipsov4_add(). The
+problem was in too big doi_def->map.std->lvl.local_size
+passed to kcalloc(). Since this value comes from userpace there is
+no need to warn if value is not correct.
+
+The same problem may occur with other kcalloc() calls in
+this function, so, I've added __GFP_NOWARN flag to all
+kcalloc() calls there.
+
+Reported-and-tested-by: syzbot+cdd51ee2e6b0b2e18c0d@syzkaller.appspotmail.com
+Fixes: 96cb8e3313c7 ("[NetLabel]: CIPSOv4 and Unlabeled packet integration")
+Acked-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netlabel/netlabel_cipso_v4.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c
+index 3e3494c8d42f..0559d442ad80 100644
+--- a/net/netlabel/netlabel_cipso_v4.c
++++ b/net/netlabel/netlabel_cipso_v4.c
+@@ -198,14 +198,14 @@ static int netlbl_cipsov4_add_std(struct genl_info *info,
+ }
+ doi_def->map.std->lvl.local = kcalloc(doi_def->map.std->lvl.local_size,
+ sizeof(u32),
+- GFP_KERNEL);
++ GFP_KERNEL | __GFP_NOWARN);
+ if (doi_def->map.std->lvl.local == NULL) {
+ ret_val = -ENOMEM;
+ goto add_std_failure;
+ }
+ doi_def->map.std->lvl.cipso = kcalloc(doi_def->map.std->lvl.cipso_size,
+ sizeof(u32),
+- GFP_KERNEL);
++ GFP_KERNEL | __GFP_NOWARN);
+ if (doi_def->map.std->lvl.cipso == NULL) {
+ ret_val = -ENOMEM;
+ goto add_std_failure;
+@@ -273,7 +273,7 @@ static int netlbl_cipsov4_add_std(struct genl_info *info,
+ doi_def->map.std->cat.local = kcalloc(
+ doi_def->map.std->cat.local_size,
+ sizeof(u32),
+- GFP_KERNEL);
++ GFP_KERNEL | __GFP_NOWARN);
+ if (doi_def->map.std->cat.local == NULL) {
+ ret_val = -ENOMEM;
+ goto add_std_failure;
+@@ -281,7 +281,7 @@ static int netlbl_cipsov4_add_std(struct genl_info *info,
+ doi_def->map.std->cat.cipso = kcalloc(
+ doi_def->map.std->cat.cipso_size,
+ sizeof(u32),
+- GFP_KERNEL);
++ GFP_KERNEL | __GFP_NOWARN);
+ if (doi_def->map.std->cat.cipso == NULL) {
+ ret_val = -ENOMEM;
+ goto add_std_failure;
+--
+2.30.2
+
--- /dev/null
+From 000f393ed5f8396fa3715a0dea8780abab4e7839 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Aug 2021 16:23:15 +0200
+Subject: net: qualcomm: fix QCA7000 checksum handling
+
+From: Stefan Wahren <stefan.wahren@i2se.com>
+
+[ Upstream commit 429205da6c834447a57279af128bdd56ccd5225e ]
+
+Based on tests the QCA7000 doesn't support checksum offloading. So assume
+ip_summed is CHECKSUM_NONE and let the kernel take care of the checksum
+handling. This fixes data transfer issues in noisy environments.
+
+Reported-by: Michael Heimpold <michael.heimpold@in-tech.com>
+Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000")
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qualcomm/qca_spi.c | 2 +-
+ drivers/net/ethernet/qualcomm/qca_uart.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c
+index 1c87178fc485..1ca1f72474ab 100644
+--- a/drivers/net/ethernet/qualcomm/qca_spi.c
++++ b/drivers/net/ethernet/qualcomm/qca_spi.c
+@@ -413,7 +413,7 @@ qcaspi_receive(struct qcaspi *qca)
+ skb_put(qca->rx_skb, retcode);
+ qca->rx_skb->protocol = eth_type_trans(
+ qca->rx_skb, qca->rx_skb->dev);
+- qca->rx_skb->ip_summed = CHECKSUM_UNNECESSARY;
++ skb_checksum_none_assert(qca->rx_skb);
+ netif_rx_ni(qca->rx_skb);
+ qca->rx_skb = netdev_alloc_skb_ip_align(net_dev,
+ net_dev->mtu + VLAN_ETH_HLEN);
+diff --git a/drivers/net/ethernet/qualcomm/qca_uart.c b/drivers/net/ethernet/qualcomm/qca_uart.c
+index db6068cd7a1f..466e9d07697a 100644
+--- a/drivers/net/ethernet/qualcomm/qca_uart.c
++++ b/drivers/net/ethernet/qualcomm/qca_uart.c
+@@ -107,7 +107,7 @@ qca_tty_receive(struct serdev_device *serdev, const unsigned char *data,
+ skb_put(qca->rx_skb, retcode);
+ qca->rx_skb->protocol = eth_type_trans(
+ qca->rx_skb, qca->rx_skb->dev);
+- qca->rx_skb->ip_summed = CHECKSUM_UNNECESSARY;
++ skb_checksum_none_assert(qca->rx_skb);
+ netif_rx_ni(qca->rx_skb);
+ qca->rx_skb = netdev_alloc_skb_ip_align(netdev,
+ netdev->mtu +
+--
+2.30.2
+
--- /dev/null
+From 880a60167c4fdc681bf6a1547a2fd5f33be10290 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Aug 2021 23:58:01 +0800
+Subject: net: sched: Fix qdisc_rate_table refcount leak when get tcf_block
+ failed
+
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+
+[ Upstream commit c66070125837900163b81a03063ddd657a7e9bfb ]
+
+The reference counting issue happens in one exception handling path of
+cbq_change_class(). When failing to get tcf_block, the function forgets
+to decrease the refcount of "rtab" increased by qdisc_put_rtab(),
+causing a refcount leak.
+
+Fix this issue by jumping to "failure" label when get tcf_block failed.
+
+Fixes: 6529eaba33f0 ("net: sched: introduce tcf block infractructure")
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Reviewed-by: Cong Wang <cong.wang@bytedance.com>
+Link: https://lore.kernel.org/r/1630252681-71588-1-git-send-email-xiyuyang19@fudan.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_cbq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sched/sch_cbq.c b/net/sched/sch_cbq.c
+index 40fd1ee0095c..dea125d8aac7 100644
+--- a/net/sched/sch_cbq.c
++++ b/net/sched/sch_cbq.c
+@@ -1590,7 +1590,7 @@ cbq_change_class(struct Qdisc *sch, u32 classid, u32 parentid, struct nlattr **t
+ err = tcf_block_get(&cl->block, &cl->filter_list);
+ if (err) {
+ kfree(cl);
+- return err;
++ goto failure;
+ }
+
+ if (tca[TCA_RATE]) {
+--
+2.30.2
+
--- /dev/null
+From e53a57650243eca204c55d281fd584b31931cced Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Jul 2021 17:41:20 +0800
+Subject: nvme-rdma: don't update queue count when failing to set io queues
+
+From: Ruozhu Li <liruozhu@huawei.com>
+
+[ Upstream commit 85032874f80ba17bf187de1d14d9603bf3f582b8 ]
+
+We update ctrl->queue_count and schedule another reconnect when io queue
+count is zero.But we will never try to create any io queue in next reco-
+nnection, because ctrl->queue_count already set to zero.We will end up
+having an admin-only session in Live state, which is exactly what we try
+to avoid in the original patch.
+Update ctrl->queue_count after queue_count zero checking to fix it.
+
+Signed-off-by: Ruozhu Li <liruozhu@huawei.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/rdma.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c
+index 57e1c0dd63c4..11fd3a7484ac 100644
+--- a/drivers/nvme/host/rdma.c
++++ b/drivers/nvme/host/rdma.c
+@@ -654,13 +654,13 @@ static int nvme_rdma_alloc_io_queues(struct nvme_rdma_ctrl *ctrl)
+ if (ret)
+ return ret;
+
+- ctrl->ctrl.queue_count = nr_io_queues + 1;
+- if (ctrl->ctrl.queue_count < 2) {
++ if (nr_io_queues == 0) {
+ dev_err(ctrl->ctrl.device,
+ "unable to set any I/O queues\n");
+ return -ENOMEM;
+ }
+
++ ctrl->ctrl.queue_count = nr_io_queues + 1;
+ dev_info(ctrl->ctrl.device,
+ "creating %d I/O queues.\n", nr_io_queues);
+
+--
+2.30.2
+
--- /dev/null
+From 67e9bead14d6c8a0b57e53d47c8facfd655e11e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jul 2021 17:54:28 +0200
+Subject: PCI: PM: Avoid forcing PCI_D0 for wakeup reasons inconsistently
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit da9f2150684ea684a7ddd6d7f0e38b2bdf43dcd8 ]
+
+It is inconsistent to return PCI_D0 from pci_target_state() instead
+of the original target state if 'wakeup' is true and the device
+cannot signal PME from D0.
+
+This only happens when the device cannot signal PME from the original
+target state and any shallower power states (including D0) and that
+case is effectively equivalent to the one in which PME singaling is
+not supported at all. Since the original target state is returned in
+the latter case, make the function do that in the former one too.
+
+Link: https://lore.kernel.org/linux-pm/3149540.aeNJFYEL58@kreacher/
+Fixes: 666ff6f83e1d ("PCI/PM: Avoid using device_may_wakeup() for runtime PM")
+Reported-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reported-by: Utkarsh H Patel <utkarsh.h.patel@intel.com>
+Reported-by: Koba Ko <koba.ko@canonical.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Tested-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index c847b5554db6..ac2c9d0c02fe 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -2054,17 +2054,21 @@ static pci_power_t pci_target_state(struct pci_dev *dev, bool wakeup)
+ if (dev->current_state == PCI_D3cold)
+ target_state = PCI_D3cold;
+
+- if (wakeup) {
++ if (wakeup && dev->pme_support) {
++ pci_power_t state = target_state;
++
+ /*
+ * Find the deepest state from which the device can generate
+ * wake-up events, make it the target state and enable device
+ * to generate PME#.
+ */
+- if (dev->pme_support) {
+- while (target_state
+- && !(dev->pme_support & (1 << target_state)))
+- target_state--;
+- }
++ while (state && !(dev->pme_support & (1 << state)))
++ state--;
++
++ if (state)
++ return state;
++ else if (dev->pme_support & 1)
++ return PCI_D0;
+ }
+
+ return target_state;
+--
+2.30.2
+
--- /dev/null
+From be5b88e0035c7edf8ebf6c825dc55f0511c8a125 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jul 2021 16:49:10 +0200
+Subject: PCI: PM: Enable PME if it can be signaled from D3cold
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 0e00392a895c95c6d12d42158236c8862a2f43f2 ]
+
+PME signaling is only enabled by __pci_enable_wake() if the target
+device can signal PME from the given target power state (to avoid
+pointless reconfiguration of the device), but if the hierarchy above
+the device goes into D3cold, the device itself will end up in D3cold
+too, so if it can signal PME from D3cold, it should be enabled to
+do so in __pci_enable_wake().
+
+[Note that if the device does not end up in D3cold and it cannot
+ signal PME from the original target power state, it will not signal
+ PME, so in that case the behavior does not change.]
+
+Link: https://lore.kernel.org/linux-pm/3149540.aeNJFYEL58@kreacher/
+Fixes: 5bcc2fb4e815 ("PCI PM: Simplify PCI wake-up code")
+Reported-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reported-by: Utkarsh H Patel <utkarsh.h.patel@intel.com>
+Reported-by: Koba Ko <koba.ko@canonical.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Tested-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index ac2c9d0c02fe..1c5c0937c5da 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -1950,7 +1950,14 @@ static int __pci_enable_wake(struct pci_dev *dev, pci_power_t state, bool enable
+ if (enable) {
+ int error;
+
+- if (pci_pme_capable(dev, state))
++ /*
++ * Enable PME signaling if the device can signal PME from
++ * D3cold regardless of whether or not it can signal PME from
++ * the current target state, because that will allow it to
++ * signal PME when the hierarchy above it goes into D3cold and
++ * the device itself ends up in D3cold as a result of that.
++ */
++ if (pci_pme_capable(dev, state) || pci_pme_capable(dev, PCI_D3cold))
+ pci_pme_active(dev, true);
+ else
+ ret = 1;
+--
+2.30.2
+
--- /dev/null
+From 9419160e66d8f2158a05f08d147eaecd9bf7968c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jul 2021 14:55:10 +0200
+Subject: posix-cpu-timers: Force next expiration recalc after itimer reset
+
+From: Frederic Weisbecker <frederic@kernel.org>
+
+[ Upstream commit 406dd42bd1ba0c01babf9cde169bb319e52f6147 ]
+
+When an itimer deactivates a previously armed expiration, it simply doesn't
+do anything. As a result the process wide cputime counter keeps running and
+the tick dependency stays set until it reaches the old ghost expiration
+value.
+
+This can be reproduced with the following snippet:
+
+ void trigger_process_counter(void)
+ {
+ struct itimerval n = {};
+
+ n.it_value.tv_sec = 100;
+ setitimer(ITIMER_VIRTUAL, &n, NULL);
+ n.it_value.tv_sec = 0;
+ setitimer(ITIMER_VIRTUAL, &n, NULL);
+ }
+
+Fix this with resetting the relevant base expiration. This is similar to
+disarming a timer.
+
+Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20210726125513.271824-4-frederic@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/posix-cpu-timers.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/kernel/time/posix-cpu-timers.c b/kernel/time/posix-cpu-timers.c
+index fb5a57ffb98c..495d690cc92b 100644
+--- a/kernel/time/posix-cpu-timers.c
++++ b/kernel/time/posix-cpu-timers.c
+@@ -1207,8 +1207,6 @@ void set_process_cpu_timer(struct task_struct *tsk, unsigned int clock_idx,
+ }
+ }
+
+- if (!*newval)
+- return;
+ *newval += now;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 19b84505d0b89ae030cfb58a659938ba432b176f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Aug 2021 15:30:59 +0200
+Subject: power: supply: axp288_fuel_gauge: Report register-address on readb /
+ writeb errors
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit caa534c3ba40c6e8352b42cbbbca9ba481814ac8 ]
+
+When fuel_gauge_reg_readb()/_writeb() fails, report which register we
+were trying to read / write when the error happened.
+
+Also reword the message a bit:
+- Drop the axp288 prefix, dev_err() already prints this
+- Switch from telegram / abbreviated style to a normal sentence, aligning
+ the message with those from fuel_gauge_read_*bit_word()
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/axp288_fuel_gauge.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/power/supply/axp288_fuel_gauge.c b/drivers/power/supply/axp288_fuel_gauge.c
+index a8dcabc32721..1fe18c365c87 100644
+--- a/drivers/power/supply/axp288_fuel_gauge.c
++++ b/drivers/power/supply/axp288_fuel_gauge.c
+@@ -142,7 +142,7 @@ static int fuel_gauge_reg_readb(struct axp288_fg_info *info, int reg)
+ }
+
+ if (ret < 0) {
+- dev_err(&info->pdev->dev, "axp288 reg read err:%d\n", ret);
++ dev_err(&info->pdev->dev, "Error reading reg 0x%02x err: %d\n", reg, ret);
+ return ret;
+ }
+
+@@ -156,7 +156,7 @@ static int fuel_gauge_reg_writeb(struct axp288_fg_info *info, int reg, u8 val)
+ ret = regmap_write(info->regmap, reg, (unsigned int)val);
+
+ if (ret < 0)
+- dev_err(&info->pdev->dev, "axp288 reg write err:%d\n", ret);
++ dev_err(&info->pdev->dev, "Error writing reg 0x%02x err: %d\n", reg, ret);
+
+ return ret;
+ }
+--
+2.30.2
+
--- /dev/null
+From 9214f878d529025b846e6138cb3af0ec35a1b3c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Aug 2021 18:50:14 +0200
+Subject: power: supply: max17042_battery: fix typo in MAx17042_TOFF
+
+From: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+
+[ Upstream commit ed0d0a0506025f06061325cedae1bbebd081620a ]
+
+Signed-off-by: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/max17042_battery.c | 2 +-
+ include/linux/power/max17042_battery.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/power/supply/max17042_battery.c b/drivers/power/supply/max17042_battery.c
+index 911d42366ef1..e824ab19318a 100644
+--- a/drivers/power/supply/max17042_battery.c
++++ b/drivers/power/supply/max17042_battery.c
+@@ -717,7 +717,7 @@ static inline void max17042_override_por_values(struct max17042_chip *chip)
+ struct max17042_config_data *config = chip->pdata->config_data;
+
+ max17042_override_por(map, MAX17042_TGAIN, config->tgain);
+- max17042_override_por(map, MAx17042_TOFF, config->toff);
++ max17042_override_por(map, MAX17042_TOFF, config->toff);
+ max17042_override_por(map, MAX17042_CGAIN, config->cgain);
+ max17042_override_por(map, MAX17042_COFF, config->coff);
+
+diff --git a/include/linux/power/max17042_battery.h b/include/linux/power/max17042_battery.h
+index a7ed29baf44a..86e5ad8aeee4 100644
+--- a/include/linux/power/max17042_battery.h
++++ b/include/linux/power/max17042_battery.h
+@@ -82,7 +82,7 @@ enum max17042_register {
+ MAX17042_RelaxCFG = 0x2A,
+ MAX17042_MiscCFG = 0x2B,
+ MAX17042_TGAIN = 0x2C,
+- MAx17042_TOFF = 0x2D,
++ MAX17042_TOFF = 0x2D,
+ MAX17042_CGAIN = 0x2E,
+ MAX17042_COFF = 0x2F,
+
+--
+2.30.2
+
--- /dev/null
+From 041010bd78e6dc260da737da5f8e142f42de80a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Jul 2021 23:26:30 +0900
+Subject: regmap: fix the offset of register error log
+
+From: Jeongtae Park <jeongtae.park@gmail.com>
+
+[ Upstream commit 1852f5ed358147095297a09cc3c6f160208a676d ]
+
+This patch fixes the offset of register error log
+by using regmap_get_offset().
+
+Signed-off-by: Jeongtae Park <jeongtae.park@gmail.com>
+Link: https://lore.kernel.org/r/20210701142630.44936-1-jeongtae.park@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/regmap/regmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
+index 4e0cc40ad9ce..1c5ff22d92f1 100644
+--- a/drivers/base/regmap/regmap.c
++++ b/drivers/base/regmap/regmap.c
+@@ -1378,7 +1378,7 @@ int _regmap_raw_write(struct regmap *map, unsigned int reg,
+ if (ret) {
+ dev_err(map->dev,
+ "Error in caching of register: %x ret: %d\n",
+- reg + i, ret);
++ reg + regmap_get_offset(map, i), ret);
+ return ret;
+ }
+ }
+--
+2.30.2
+
--- /dev/null
+From f906bdb63625e2589ed4480edeb199807d88cd37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Apr 2021 10:52:38 +0200
+Subject: s390/cio: add dev_busid sysfs entry for each subchannel
+
+From: Vineeth Vijayan <vneethv@linux.ibm.com>
+
+[ Upstream commit d3683c055212bf910d4e318f7944910ce10dbee6 ]
+
+Introduce dev_busid, which exports the device-id associated with the
+io-subchannel (and message-subchannel). The dev_busid indicates that of
+the device which may be physically installed on the corrosponding
+subchannel. The dev_busid value "none" indicates that the subchannel
+is not valid, there is no I/O device currently associated with the
+subchannel.
+
+The dev_busid information would be helpful to write device-specific
+udev-rules associated with the subchannel. The dev_busid interface would
+be available even when the sch is not bound to any driver or if there is
+no operational device connected on it. Hence this attribute can be used to
+write udev-rules which are specific to the device associated with the
+subchannel.
+
+Signed-off-by: Vineeth Vijayan <vneethv@linux.ibm.com>
+Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/cio/css.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/drivers/s390/cio/css.c b/drivers/s390/cio/css.c
+index e2026d54dd37..435e804b6b8b 100644
+--- a/drivers/s390/cio/css.c
++++ b/drivers/s390/cio/css.c
+@@ -330,9 +330,26 @@ static ssize_t pimpampom_show(struct device *dev,
+ }
+ static DEVICE_ATTR(pimpampom, 0444, pimpampom_show, NULL);
+
++static ssize_t dev_busid_show(struct device *dev,
++ struct device_attribute *attr,
++ char *buf)
++{
++ struct subchannel *sch = to_subchannel(dev);
++ struct pmcw *pmcw = &sch->schib.pmcw;
++
++ if ((pmcw->st == SUBCHANNEL_TYPE_IO ||
++ pmcw->st == SUBCHANNEL_TYPE_MSG) && pmcw->dnv)
++ return sysfs_emit(buf, "0.%x.%04x\n", sch->schid.ssid,
++ pmcw->dev);
++ else
++ return sysfs_emit(buf, "none\n");
++}
++static DEVICE_ATTR_RO(dev_busid);
++
+ static struct attribute *io_subchannel_type_attrs[] = {
+ &dev_attr_chpids.attr,
+ &dev_attr_pimpampom.attr,
++ &dev_attr_dev_busid.attr,
+ NULL,
+ };
+ ATTRIBUTE_GROUPS(io_subchannel_type);
+--
+2.30.2
+
usb-host-xhci-rcar-don-t-reload-firmware-after-the-completion.patch
x86-reboot-limit-dell-optiplex-990-quirk-to-early-bios-versions.patch
pci-call-max-payload-size-related-fixup-quirks-early.patch
+regmap-fix-the-offset-of-register-error-log.patch
+crypto-mxs-dcp-check-for-dma-mapping-errors.patch
+power-supply-axp288_fuel_gauge-report-register-addre.patch
+crypto-omap-sham-clear-dma-flags-only-after-omap_sha.patch
+posix-cpu-timers-force-next-expiration-recalc-after-.patch
+udf-check-lvid-earlier.patch
+isofs-joliet-fix-iocharset-utf8-mount-option.patch
+nvme-rdma-don-t-update-queue-count-when-failing-to-s.patch
+power-supply-max17042_battery-fix-typo-in-max17042_t.patch
+s390-cio-add-dev_busid-sysfs-entry-for-each-subchann.patch
+libata-fix-ata_host_start.patch
+crypto-qat-do-not-ignore-errors-from-enable_vf2pf_co.patch
+crypto-qat-handle-both-source-of-interrupt-in-vf-isr.patch
+crypto-qat-fix-reuse-of-completion-variable.patch
+crypto-qat-fix-naming-for-init-shutdown-vf-to-pf-not.patch
+crypto-qat-do-not-export-adf_iov_putmsg.patch
+udf_get_extendedattr-had-no-boundary-checks.patch
+m68k-emu-fix-invalid-free-in-nfeth_cleanup.patch
+spi-spi-fsl-dspi-fix-issue-with-uninitialized-dma_sl.patch
+spi-spi-pic32-fix-issue-with-uninitialized-dma_slave.patch
+clocksource-drivers-sh_cmt-fix-wrong-setting-if-don-.patch
+block-nbd-add-sanity-check-for-first_minor.patch
+crypto-qat-use-proper-type-for-vf_mask.patch
+certs-trigger-creation-of-rsa-module-signing-key-if-.patch
+soc-rockchip-rockchip_grf-should-not-default-to-y-un.patch
+media-dvb-usb-fix-uninit-value-in-dvb_usb_adapter_dv.patch
+media-dvb-usb-fix-uninit-value-in-vp702x_read_mac_ad.patch
+media-go7007-remove-redundant-initialization.patch
+bluetooth-sco-prevent-information-leak-in-sco_conn_d.patch
+6lowpan-iphc-fix-an-off-by-one-check-of-array-index.patch
+tcp-seq_file-avoid-skipping-sk-during-tcp_seek_last_.patch
+net-cipso-fix-warnings-in-netlbl_cipsov4_add_std.patch
+i2c-highlander-add-irq-check.patch
+media-em28xx-input-fix-refcount-bug-in-em28xx_usb_di.patch
+pci-pm-avoid-forcing-pci_d0-for-wakeup-reasons-incon.patch
+pci-pm-enable-pme-if-it-can-be-signaled-from-d3cold.patch
+soc-qcom-smsm-fix-missed-interrupts-if-state-changes.patch
+bluetooth-increase-btnamsiz-to-21-chars-to-fix-poten.patch
+arm64-dts-exynos-correct-gic-cpu-interfaces-address-.patch
+bluetooth-fix-repeated-calls-to-sco_sock_kill.patch
+drm-msm-dsi-fix-some-reference-counted-resource-leak.patch
+usb-gadget-udc-at91-add-irq-check.patch
+usb-phy-fsl-usb-add-irq-check.patch
+usb-phy-twl6030-add-irq-checks.patch
+bluetooth-move-shutdown-callback-before-flushing-tx-.patch
+usb-host-ohci-tmio-add-irq-check.patch
+usb-phy-tahvo-add-irq-check.patch
+mac80211-fix-insufficient-headroom-issue-for-amsdu.patch
+usb-gadget-mv_u3d-request_irq-after-initializing-udc.patch
+bluetooth-add-timeout-sanity-check-to-hci_inquiry.patch
+i2c-iop3xx-fix-deferred-probing.patch
+i2c-s3c2410-fix-irq-check.patch
+mmc-dw_mmc-fix-issue-with-uninitialized-dma_slave_co.patch
+mmc-moxart-fix-issue-with-uninitialized-dma_slave_co.patch
+cifs-fix-a-potencially-linear-read-overflow.patch
+i2c-mt65xx-fix-irq-check.patch
+usb-ehci-orion-handle-errors-of-clk_prepare_enable-i.patch
+usb-bdc-fix-an-error-handling-path-in-bdc_probe-when.patch
+tty-serial-fsl_lpuart-fix-the-wrong-mapbase-value.patch
+ath6kl-wmi-fix-an-error-code-in-ath6kl_wmi_sync_poin.patch
+bcma-fix-memory-leak-for-internally-handled-cores.patch
+ipv4-make-exception-cache-less-predictible.patch
+net-sched-fix-qdisc_rate_table-refcount-leak-when-ge.patch
+net-qualcomm-fix-qca7000-checksum-handling.patch
--- /dev/null
+From faf6eddf5b9a631ae0ffd30757b30fc54c5b6347 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jul 2021 15:57:03 +0200
+Subject: soc: qcom: smsm: Fix missed interrupts if state changes while masked
+
+From: Stephan Gerhold <stephan@gerhold.net>
+
+[ Upstream commit e3d4571955050736bbf3eda0a9538a09d9fcfce8 ]
+
+The SMSM driver detects interrupt edges by tracking the last state
+it has seen (and has triggered the interrupt handler for). This works
+fine, but only if the interrupt does not change state while masked.
+
+For example, if an interrupt is unmasked while the state is HIGH,
+the stored last_value for that interrupt might still be LOW. Then,
+when the remote processor triggers smsm_intr() we assume that nothing
+has changed, even though the state might have changed from HIGH to LOW.
+
+Attempt to fix this by checking the current remote state before
+unmasking an IRQ. Use atomic operations to avoid the interrupt handler
+from interfering with the unmask function.
+
+This fixes modem crashes in some edge cases with the BAM-DMUX driver.
+Specifically, the BAM-DMUX interrupt handler is not called for the
+HIGH -> LOW smsm state transition if the BAM-DMUX driver is loaded
+(and therefore unmasks the interrupt) after the modem was already started:
+
+qcom-q6v5-mss 4080000.remoteproc: fatal error received: a2_task.c:3188:
+ Assert FALSE failed: A2 DL PER deadlock timer expired waiting for Apps ACK
+
+Fixes: c97c4090ff72 ("soc: qcom: smsm: Add driver for Qualcomm SMSM")
+Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
+Link: https://lore.kernel.org/r/20210712135703.324748-2-stephan@gerhold.net
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/qcom/smsm.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/soc/qcom/smsm.c b/drivers/soc/qcom/smsm.c
+index 50214b620865..2b49d2c212da 100644
+--- a/drivers/soc/qcom/smsm.c
++++ b/drivers/soc/qcom/smsm.c
+@@ -117,7 +117,7 @@ struct smsm_entry {
+ DECLARE_BITMAP(irq_enabled, 32);
+ DECLARE_BITMAP(irq_rising, 32);
+ DECLARE_BITMAP(irq_falling, 32);
+- u32 last_value;
++ unsigned long last_value;
+
+ u32 *remote_state;
+ u32 *subscription;
+@@ -212,8 +212,7 @@ static irqreturn_t smsm_intr(int irq, void *data)
+ u32 val;
+
+ val = readl(entry->remote_state);
+- changed = val ^ entry->last_value;
+- entry->last_value = val;
++ changed = val ^ xchg(&entry->last_value, val);
+
+ for_each_set_bit(i, entry->irq_enabled, 32) {
+ if (!(changed & BIT(i)))
+@@ -274,6 +273,12 @@ static void smsm_unmask_irq(struct irq_data *irqd)
+ struct qcom_smsm *smsm = entry->smsm;
+ u32 val;
+
++ /* Make sure our last cached state is up-to-date */
++ if (readl(entry->remote_state) & BIT(irq))
++ set_bit(irq, &entry->last_value);
++ else
++ clear_bit(irq, &entry->last_value);
++
+ set_bit(irq, entry->irq_enabled);
+
+ if (entry->subscription) {
+--
+2.30.2
+
--- /dev/null
+From 51397c6a40f7ba9870b701cda5bfbe1261166d96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Feb 2021 15:38:55 +0100
+Subject: soc: rockchip: ROCKCHIP_GRF should not default to y, unconditionally
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 2a1c55d4762dd34a8b0f2e36fb01b7b16b60735b ]
+
+Merely enabling CONFIG_COMPILE_TEST should not enable additional code.
+To fix this, restrict the automatic enabling of ROCKCHIP_GRF to
+ARCH_ROCKCHIP, and ask the user in case of compile-testing.
+
+Fixes: 4c58063d4258f6be ("soc: rockchip: add driver handling grf setup")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20210208143855.418374-1-geert+renesas@glider.be
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/rockchip/Kconfig | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/soc/rockchip/Kconfig b/drivers/soc/rockchip/Kconfig
+index 20da55d9cbb1..d483b0e29b81 100644
+--- a/drivers/soc/rockchip/Kconfig
++++ b/drivers/soc/rockchip/Kconfig
+@@ -5,8 +5,8 @@ if ARCH_ROCKCHIP || COMPILE_TEST
+ #
+
+ config ROCKCHIP_GRF
+- bool
+- default y
++ bool "Rockchip General Register Files support" if COMPILE_TEST
++ default y if ARCH_ROCKCHIP
+ help
+ The General Register Files are a central component providing
+ special additional settings registers for a lot of soc-components.
+--
+2.30.2
+
--- /dev/null
+From ae330d6b75867cafd44a6c1e207a99df8f014945 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 11:17:26 +0300
+Subject: spi: spi-fsl-dspi: Fix issue with uninitialized dma_slave_config
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit 209ab223ad5b18e437289235e3bde12593b94ac4 ]
+
+Depending on the DMA driver being used, the struct dma_slave_config may
+need to be initialized to zero for the unused data.
+
+For example, we have three DMA drivers using src_port_window_size and
+dst_port_window_size. If these are left uninitialized, it can cause DMA
+failures.
+
+For spi-fsl-dspi, this is probably not currently an issue but is still
+good to fix though.
+
+Fixes: 90ba37033cb9 ("spi: spi-fsl-dspi: Add DMA support for Vybrid")
+Cc: Sanchayan Maity <maitysanchayan@gmail.com>
+Cc: Vladimir Oltean <vladimir.oltean@nxp.com>
+Cc: Peter Ujfalusi <peter.ujfalusi@gmail.com>
+Cc: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Acked-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Link: https://lore.kernel.org/r/20210810081727.19491-1-tony@atomide.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-fsl-dspi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/spi/spi-fsl-dspi.c b/drivers/spi/spi-fsl-dspi.c
+index ed114f00a6d1..59f18e344bfb 100644
+--- a/drivers/spi/spi-fsl-dspi.c
++++ b/drivers/spi/spi-fsl-dspi.c
+@@ -394,6 +394,7 @@ static int dspi_request_dma(struct fsl_dspi *dspi, phys_addr_t phy_addr)
+ goto err_rx_dma_buf;
+ }
+
++ memset(&cfg, 0, sizeof(cfg));
+ cfg.src_addr = phy_addr + SPI_POPR;
+ cfg.dst_addr = phy_addr + SPI_PUSHR;
+ cfg.src_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES;
+--
+2.30.2
+
--- /dev/null
+From d67cb0d6227811a3599a22e6601d5f8c54897cd2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 11:17:27 +0300
+Subject: spi: spi-pic32: Fix issue with uninitialized dma_slave_config
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit 976c1de1de147bb7f4e0d87482f375221c05aeaf ]
+
+Depending on the DMA driver being used, the struct dma_slave_config may
+need to be initialized to zero for the unused data.
+
+For example, we have three DMA drivers using src_port_window_size and
+dst_port_window_size. If these are left uninitialized, it can cause DMA
+failures.
+
+For spi-pic32, this is probably not currently an issue but is still good to
+fix though.
+
+Fixes: 1bcb9f8ceb67 ("spi: spi-pic32: Add PIC32 SPI master driver")
+Cc: Purna Chandra Mandal <purna.mandal@microchip.com>
+Cc: Peter Ujfalusi <peter.ujfalusi@gmail.com>
+Cc: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Link: https://lore.kernel.org/r/20210810081727.19491-2-tony@atomide.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-pic32.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/spi/spi-pic32.c b/drivers/spi/spi-pic32.c
+index 661a40c653e9..d8cdb13ce3e4 100644
+--- a/drivers/spi/spi-pic32.c
++++ b/drivers/spi/spi-pic32.c
+@@ -369,6 +369,7 @@ static int pic32_spi_dma_config(struct pic32_spi *pic32s, u32 dma_width)
+ struct dma_slave_config cfg;
+ int ret;
+
++ memset(&cfg, 0, sizeof(cfg));
+ cfg.device_fc = true;
+ cfg.src_addr = pic32s->dma_base + buf_offset;
+ cfg.dst_addr = pic32s->dma_base + buf_offset;
+--
+2.30.2
+
--- /dev/null
+From 531841840d7620d69f2ee9ddace1bef56a6abd87 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Jul 2021 13:05:41 -0700
+Subject: tcp: seq_file: Avoid skipping sk during tcp_seek_last_pos
+
+From: Martin KaFai Lau <kafai@fb.com>
+
+[ Upstream commit 525e2f9fd0229eb10cb460a9e6d978257f24804e ]
+
+st->bucket stores the current bucket number.
+st->offset stores the offset within this bucket that is the sk to be
+seq_show(). Thus, st->offset only makes sense within the same
+st->bucket.
+
+These two variables are an optimization for the common no-lseek case.
+When resuming the seq_file iteration (i.e. seq_start()),
+tcp_seek_last_pos() tries to continue from the st->offset
+at bucket st->bucket.
+
+However, it is possible that the bucket pointed by st->bucket
+has changed and st->offset may end up skipping the whole st->bucket
+without finding a sk. In this case, tcp_seek_last_pos() currently
+continues to satisfy the offset condition in the next (and incorrect)
+bucket. Instead, regardless of the offset value, the first sk of the
+next bucket should be returned. Thus, "bucket == st->bucket" check is
+added to tcp_seek_last_pos().
+
+The chance of hitting this is small and the issue is a decade old,
+so targeting for the next tree.
+
+Fixes: a8b690f98baf ("tcp: Fix slowness in read /proc/net/tcp")
+Signed-off-by: Martin KaFai Lau <kafai@fb.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Kuniyuki Iwashima <kuniyu@amazon.co.jp>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/bpf/20210701200541.1033917-1-kafai@fb.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_ipv4.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 146a137ee7ef..744479c8b91f 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -2087,6 +2087,7 @@ static void *tcp_get_idx(struct seq_file *seq, loff_t pos)
+ static void *tcp_seek_last_pos(struct seq_file *seq)
+ {
+ struct tcp_iter_state *st = seq->private;
++ int bucket = st->bucket;
+ int offset = st->offset;
+ int orig_num = st->num;
+ void *rc = NULL;
+@@ -2097,7 +2098,7 @@ static void *tcp_seek_last_pos(struct seq_file *seq)
+ break;
+ st->state = TCP_SEQ_STATE_LISTENING;
+ rc = listening_get_next(seq, NULL);
+- while (offset-- && rc)
++ while (offset-- && rc && bucket == st->bucket)
+ rc = listening_get_next(seq, rc);
+ if (rc)
+ break;
+@@ -2108,7 +2109,7 @@ static void *tcp_seek_last_pos(struct seq_file *seq)
+ if (st->bucket > tcp_hashinfo.ehash_mask)
+ break;
+ rc = established_get_first(seq);
+- while (offset-- && rc)
++ while (offset-- && rc && bucket == st->bucket)
+ rc = established_get_next(seq, rc);
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 55ff414ade7c464903fba2a8e558b168b6b314ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Aug 2021 10:10:33 +0800
+Subject: tty: serial: fsl_lpuart: fix the wrong mapbase value
+
+From: Andy Duan <fugang.duan@nxp.com>
+
+[ Upstream commit d5c38948448abc2bb6b36dbf85a554bf4748885e ]
+
+Register offset needs to be applied on mapbase also.
+dma_tx/rx_request use the physical address of UARTDATA.
+Register offset is currently only applied to membase (the
+corresponding virtual addr) but not on mapbase.
+
+Fixes: 24b1e5f0e83c ("tty: serial: lpuart: add imx7ulp support")
+Reviewed-by: Leonard Crestez <leonard.crestez@nxp.com>
+Signed-off-by: Adriana Reus <adriana.reus@nxp.com>
+Signed-off-by: Sherry Sun <sherry.sun@nxp.com>
+Signed-off-by: Andy Duan <fugang.duan@nxp.com>
+Link: https://lore.kernel.org/r/20210819021033.32606-1-sherry.sun@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/fsl_lpuart.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c
+index 3d5fe53988e5..62d1e4607912 100644
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -2170,7 +2170,7 @@ static int lpuart_probe(struct platform_device *pdev)
+ return PTR_ERR(sport->port.membase);
+
+ sport->port.membase += sdata->reg_off;
+- sport->port.mapbase = res->start;
++ sport->port.mapbase = res->start + sdata->reg_off;
+ sport->port.dev = &pdev->dev;
+ sport->port.type = PORT_LPUART;
+ ret = platform_get_irq(pdev, 0);
+--
+2.30.2
+
--- /dev/null
+From 2a6363735185d6dcdf1c335e7242c17a6dd05e5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 May 2021 11:39:03 +0200
+Subject: udf: Check LVID earlier
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 781d2a9a2fc7d0be53a072794dc03ef6de770f3d ]
+
+We were checking validity of LVID entries only when getting
+implementation use information from LVID in udf_sb_lvidiu(). However if
+the LVID is suitably corrupted, it can cause problems also to code such
+as udf_count_free() which doesn't use udf_sb_lvidiu(). So check validity
+of LVID already when loading it from the disk and just disable LVID
+altogether when it is not valid.
+
+Reported-by: syzbot+7fbfe5fed73ebb675748@syzkaller.appspotmail.com
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/udf/super.c | 25 ++++++++++++++++---------
+ 1 file changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/fs/udf/super.c b/fs/udf/super.c
+index 2b8147ecd97f..70b56011b823 100644
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -113,16 +113,10 @@ struct logicalVolIntegrityDescImpUse *udf_sb_lvidiu(struct super_block *sb)
+ return NULL;
+ lvid = (struct logicalVolIntegrityDesc *)UDF_SB(sb)->s_lvid_bh->b_data;
+ partnum = le32_to_cpu(lvid->numOfPartitions);
+- if ((sb->s_blocksize - sizeof(struct logicalVolIntegrityDescImpUse) -
+- offsetof(struct logicalVolIntegrityDesc, impUse)) /
+- (2 * sizeof(uint32_t)) < partnum) {
+- udf_err(sb, "Logical volume integrity descriptor corrupted "
+- "(numOfPartitions = %u)!\n", partnum);
+- return NULL;
+- }
+ /* The offset is to skip freeSpaceTable and sizeTable arrays */
+ offset = partnum * 2 * sizeof(uint32_t);
+- return (struct logicalVolIntegrityDescImpUse *)&(lvid->impUse[offset]);
++ return (struct logicalVolIntegrityDescImpUse *)
++ (((uint8_t *)(lvid + 1)) + offset);
+ }
+
+ /* UDF filesystem type */
+@@ -1565,6 +1559,7 @@ static void udf_load_logicalvolint(struct super_block *sb, struct kernel_extent_
+ struct udf_sb_info *sbi = UDF_SB(sb);
+ struct logicalVolIntegrityDesc *lvid;
+ int indirections = 0;
++ u32 parts, impuselen;
+
+ while (++indirections <= UDF_MAX_LVID_NESTING) {
+ final_bh = NULL;
+@@ -1591,15 +1586,27 @@ static void udf_load_logicalvolint(struct super_block *sb, struct kernel_extent_
+
+ lvid = (struct logicalVolIntegrityDesc *)final_bh->b_data;
+ if (lvid->nextIntegrityExt.extLength == 0)
+- return;
++ goto check;
+
+ loc = leea_to_cpu(lvid->nextIntegrityExt);
+ }
+
+ udf_warn(sb, "Too many LVID indirections (max %u), ignoring.\n",
+ UDF_MAX_LVID_NESTING);
++out_err:
+ brelse(sbi->s_lvid_bh);
+ sbi->s_lvid_bh = NULL;
++ return;
++check:
++ parts = le32_to_cpu(lvid->numOfPartitions);
++ impuselen = le32_to_cpu(lvid->lengthOfImpUse);
++ if (parts >= sb->s_blocksize || impuselen >= sb->s_blocksize ||
++ sizeof(struct logicalVolIntegrityDesc) + impuselen +
++ 2 * parts * sizeof(u32) > sb->s_blocksize) {
++ udf_warn(sb, "Corrupted LVID (parts=%u, impuselen=%u), "
++ "ignoring.\n", parts, impuselen);
++ goto out_err;
++ }
+ }
+
+
+--
+2.30.2
+
--- /dev/null
+From 22d15db07ae42ebea795a2e7fd090f887424c0f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 22 Aug 2021 11:33:32 +0200
+Subject: udf_get_extendedattr() had no boundary checks.
+
+From: Stian Skjelstad <stian.skjelstad@gmail.com>
+
+[ Upstream commit 58bc6d1be2f3b0ceecb6027dfa17513ec6aa2abb ]
+
+When parsing the ExtendedAttr data, malicous or corrupt attribute length
+could cause kernel hangs and buffer overruns in some special cases.
+
+Link: https://lore.kernel.org/r/20210822093332.25234-1-stian.skjelstad@gmail.com
+Signed-off-by: Stian Skjelstad <stian.skjelstad@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/udf/misc.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/fs/udf/misc.c b/fs/udf/misc.c
+index 3949c4bec3a3..e5f4dcde309f 100644
+--- a/fs/udf/misc.c
++++ b/fs/udf/misc.c
+@@ -173,13 +173,22 @@ struct genericFormat *udf_get_extendedattr(struct inode *inode, uint32_t type,
+ else
+ offset = le32_to_cpu(eahd->appAttrLocation);
+
+- while (offset < iinfo->i_lenEAttr) {
++ while (offset + sizeof(*gaf) < iinfo->i_lenEAttr) {
++ uint32_t attrLength;
++
+ gaf = (struct genericFormat *)&ea[offset];
++ attrLength = le32_to_cpu(gaf->attrLength);
++
++ /* Detect undersized elements and buffer overflows */
++ if ((attrLength < sizeof(*gaf)) ||
++ (attrLength > (iinfo->i_lenEAttr - offset)))
++ break;
++
+ if (le32_to_cpu(gaf->attrType) == type &&
+ gaf->attrSubtype == subtype)
+ return gaf;
+ else
+- offset += le32_to_cpu(gaf->attrLength);
++ offset += attrLength;
+ }
+ }
+
+--
+2.30.2
+
--- /dev/null
+From c07766fbf963c3260b4e26ab28d967b9a12106d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Aug 2021 21:32:38 +0200
+Subject: usb: bdc: Fix an error handling path in 'bdc_probe()' when no
+ suitable DMA config is available
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit d2f42e09393c774ab79088d8e3afcc62b3328fc9 ]
+
+If no suitable DMA configuration is available, a previous 'bdc_phy_init()'
+call must be undone by a corresponding 'bdc_phy_exit()' call.
+
+Branch to the existing error handling path instead of returning
+directly.
+
+Fixes: cc29d4f67757 ("usb: bdc: Add support for USB phy")
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/0c5910979f39225d5d8fe68c9ab1c147c68ddee1.1629314734.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/bdc/bdc_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/bdc/bdc_core.c b/drivers/usb/gadget/udc/bdc/bdc_core.c
+index 58ba04d858ba..23a27eb33c42 100644
+--- a/drivers/usb/gadget/udc/bdc/bdc_core.c
++++ b/drivers/usb/gadget/udc/bdc/bdc_core.c
+@@ -573,7 +573,8 @@ static int bdc_probe(struct platform_device *pdev)
+ if (ret) {
+ dev_err(dev,
+ "No suitable DMA config available, abort\n");
+- return -ENOTSUPP;
++ ret = -ENOTSUPP;
++ goto phycleanup;
+ }
+ dev_dbg(dev, "Using 32-bit address\n");
+ }
+--
+2.30.2
+
--- /dev/null
+From 3d2b3a2d899caa82c07208ed8c494c65c54d9f12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Aug 2021 20:09:02 +0300
+Subject: usb: ehci-orion: Handle errors of clk_prepare_enable() in probe
+
+From: Evgeny Novikov <novikov@ispras.ru>
+
+[ Upstream commit 4720f1bf4ee4a784d9ece05420ba33c9222a3004 ]
+
+ehci_orion_drv_probe() did not account for possible errors of
+clk_prepare_enable() that in particular could cause invocation of
+clk_disable_unprepare() on clocks that were not prepared/enabled yet,
+e.g. in remove or on handling errors of usb_add_hcd() in probe. Though,
+there were several patches fixing different issues with clocks in this
+driver, they did not solve this problem.
+
+Add handling of errors of clk_prepare_enable() in ehci_orion_drv_probe()
+to avoid calls of clk_disable_unprepare() without previous successful
+invocation of clk_prepare_enable().
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Fixes: 8c869edaee07 ("ARM: Orion: EHCI: Add support for enabling clocks")
+Co-developed-by: Kirill Shilimanov <kirill.shilimanov@huawei.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
+Signed-off-by: Kirill Shilimanov <kirill.shilimanov@huawei.com>
+Link: https://lore.kernel.org/r/20210825170902.11234-1-novikov@ispras.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/ehci-orion.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/host/ehci-orion.c b/drivers/usb/host/ehci-orion.c
+index 1aec87ec68df..753c73624fb6 100644
+--- a/drivers/usb/host/ehci-orion.c
++++ b/drivers/usb/host/ehci-orion.c
+@@ -253,8 +253,11 @@ static int ehci_orion_drv_probe(struct platform_device *pdev)
+ * the clock does not exists.
+ */
+ priv->clk = devm_clk_get(&pdev->dev, NULL);
+- if (!IS_ERR(priv->clk))
+- clk_prepare_enable(priv->clk);
++ if (!IS_ERR(priv->clk)) {
++ err = clk_prepare_enable(priv->clk);
++ if (err)
++ goto err_put_hcd;
++ }
+
+ priv->phy = devm_phy_optional_get(&pdev->dev, "usb");
+ if (IS_ERR(priv->phy)) {
+@@ -315,6 +318,7 @@ err_phy_init:
+ err_phy_get:
+ if (!IS_ERR(priv->clk))
+ clk_disable_unprepare(priv->clk);
++err_put_hcd:
+ usb_put_hcd(hcd);
+ err:
+ dev_err(&pdev->dev, "init %s fail, %d\n",
+--
+2.30.2
+
--- /dev/null
+From 9848d54378b4d291436ceb46ac7c436802566d08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Aug 2021 17:12:47 +0300
+Subject: usb: gadget: mv_u3d: request_irq() after initializing UDC
+
+From: Nadezda Lutovinova <lutovinova@ispras.ru>
+
+[ Upstream commit 2af0c5ffadaf9d13eca28409d4238b4e672942d3 ]
+
+If IRQ occurs between calling request_irq() and mv_u3d_eps_init(),
+then null pointer dereference occurs since u3d->eps[] wasn't
+initialized yet but used in mv_u3d_nuke().
+
+The patch puts registration of the interrupt handler after
+initializing of neccesery data.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Fixes: 90fccb529d24 ("usb: gadget: Gadget directory cleanup - group UDC drivers")
+Acked-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Nadezda Lutovinova <lutovinova@ispras.ru>
+Link: https://lore.kernel.org/r/20210818141247.4794-1-lutovinova@ispras.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/mv_u3d_core.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/mv_u3d_core.c b/drivers/usb/gadget/udc/mv_u3d_core.c
+index 772049afe166..83c6c776a371 100644
+--- a/drivers/usb/gadget/udc/mv_u3d_core.c
++++ b/drivers/usb/gadget/udc/mv_u3d_core.c
+@@ -1925,14 +1925,6 @@ static int mv_u3d_probe(struct platform_device *dev)
+ goto err_get_irq;
+ }
+ u3d->irq = r->start;
+- if (request_irq(u3d->irq, mv_u3d_irq,
+- IRQF_SHARED, driver_name, u3d)) {
+- u3d->irq = 0;
+- dev_err(&dev->dev, "Request irq %d for u3d failed\n",
+- u3d->irq);
+- retval = -ENODEV;
+- goto err_request_irq;
+- }
+
+ /* initialize gadget structure */
+ u3d->gadget.ops = &mv_u3d_ops; /* usb_gadget_ops */
+@@ -1945,6 +1937,15 @@ static int mv_u3d_probe(struct platform_device *dev)
+
+ mv_u3d_eps_init(u3d);
+
++ if (request_irq(u3d->irq, mv_u3d_irq,
++ IRQF_SHARED, driver_name, u3d)) {
++ u3d->irq = 0;
++ dev_err(&dev->dev, "Request irq %d for u3d failed\n",
++ u3d->irq);
++ retval = -ENODEV;
++ goto err_request_irq;
++ }
++
+ /* external vbus detection */
+ if (u3d->vbus) {
+ u3d->clock_gating = 1;
+@@ -1968,8 +1969,8 @@ static int mv_u3d_probe(struct platform_device *dev)
+
+ err_unregister:
+ free_irq(u3d->irq, u3d);
+-err_request_irq:
+ err_get_irq:
++err_request_irq:
+ kfree(u3d->status_req);
+ err_alloc_status_req:
+ kfree(u3d->eps);
+--
+2.30.2
+
--- /dev/null
+From 38ce5f2df8d204a79ff8c37615dd93a40ae6e44d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 23:27:28 +0300
+Subject: usb: gadget: udc: at91: add IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit 50855c31573b02963f0aa2aacfd4ea41c31ae0e0 ]
+
+The driver neglects to check the result of platform_get_irq()'s call and
+blithely passes the negative error codes to devm_request_irq() (which takes
+*unsigned* IRQ #), causing it to fail with -EINVAL, overriding an original
+error code. Stop calling devm_request_irq() with the invalid IRQ #s.
+
+Fixes: 8b2e76687b39 ("USB: AT91 UDC updates, mostly power management")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Acked-by: Felipe Balbi <balbi@kernel.org>
+Link: https://lore.kernel.org/r/6654a224-739a-1a80-12f0-76d920f87b6c@omp.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/at91_udc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/at91_udc.c b/drivers/usb/gadget/udc/at91_udc.c
+index 8bc78418d40e..cd92cda03d71 100644
+--- a/drivers/usb/gadget/udc/at91_udc.c
++++ b/drivers/usb/gadget/udc/at91_udc.c
+@@ -1895,7 +1895,9 @@ static int at91udc_probe(struct platform_device *pdev)
+ clk_disable(udc->iclk);
+
+ /* request UDC and maybe VBUS irqs */
+- udc->udp_irq = platform_get_irq(pdev, 0);
++ udc->udp_irq = retval = platform_get_irq(pdev, 0);
++ if (retval < 0)
++ goto err_unprepare_iclk;
+ retval = devm_request_irq(dev, udc->udp_irq, at91_udc_irq, 0,
+ driver_name, udc);
+ if (retval) {
+--
+2.30.2
+
--- /dev/null
+From 1764a1898842b38240ae90bce63be9da571dcb6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Aug 2021 23:30:18 +0300
+Subject: usb: host: ohci-tmio: add IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit 4ac5132e8a4300637a2da8f5d6bc7650db735b8a ]
+
+The driver neglects to check the result of platform_get_irq()'s call and
+blithely passes the negative error codes to usb_add_hcd() (which takes
+*unsigned* IRQ #), causing request_irq() that it calls to fail with
+-EINVAL, overriding an original error code. Stop calling usb_add_hcd()
+with the invalid IRQ #s.
+
+Fixes: 78c73414f4f6 ("USB: ohci: add support for tmio-ohci cell")
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/402e1a45-a0a4-0e08-566a-7ca1331506b1@omp.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/ohci-tmio.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/usb/host/ohci-tmio.c b/drivers/usb/host/ohci-tmio.c
+index 16d081a093bb..0cf4b6dc8972 100644
+--- a/drivers/usb/host/ohci-tmio.c
++++ b/drivers/usb/host/ohci-tmio.c
+@@ -202,6 +202,9 @@ static int ohci_hcd_tmio_drv_probe(struct platform_device *dev)
+ if (!cell)
+ return -EINVAL;
+
++ if (irq < 0)
++ return irq;
++
+ hcd = usb_create_hcd(&ohci_tmio_hc_driver, &dev->dev, dev_name(&dev->dev));
+ if (!hcd) {
+ ret = -ENOMEM;
+--
+2.30.2
+
--- /dev/null
+From 90705299c3021f5fd3161c57ff39d07abb5a050c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 23:50:18 +0300
+Subject: usb: phy: fsl-usb: add IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit ecc2f30dbb25969908115c81ec23650ed982b004 ]
+
+The driver neglects to check the result of platform_get_irq()'s call and
+blithely passes the negative error codes to request_irq() (which takes
+*unsigned* IRQ #), causing it to fail with -EINVAL, overriding an original
+error code. Stop calling request_irq() with the invalid IRQ #s.
+
+Fixes: 0807c500a1a6 ("USB: add Freescale USB OTG Transceiver driver")
+Acked-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/b0a86089-8b8b-122e-fd6d-73e8c2304964@omp.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/phy/phy-fsl-usb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/usb/phy/phy-fsl-usb.c b/drivers/usb/phy/phy-fsl-usb.c
+index 9b4354a00ca7..968900c36451 100644
+--- a/drivers/usb/phy/phy-fsl-usb.c
++++ b/drivers/usb/phy/phy-fsl-usb.c
+@@ -886,6 +886,8 @@ int usb_otg_start(struct platform_device *pdev)
+
+ /* request irq */
+ p_otg->irq = platform_get_irq(pdev, 0);
++ if (p_otg->irq < 0)
++ return p_otg->irq;
+ status = request_irq(p_otg->irq, fsl_otg_isr,
+ IRQF_SHARED, driver_name, p_otg);
+ if (status) {
+--
+2.30.2
+
--- /dev/null
+From 51bf0b6e6ca17bf79745e10962b0dd2673f70380 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Aug 2021 23:32:38 +0300
+Subject: usb: phy: tahvo: add IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit 0d45a1373e669880b8beaecc8765f44cb0241e47 ]
+
+The driver neglects to check the result of platform_get_irq()'s call and
+blithely passes the negative error codes to request_threaded_irq() (which
+takes *unsigned* IRQ #), causing it to fail with -EINVAL, overriding an
+original error code. Stop calling request_threaded_irq() with the invalid
+IRQ #s.
+
+Fixes: 9ba96ae5074c ("usb: omap1: Tahvo USB transceiver driver")
+Acked-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/8280d6a4-8e9a-7cfe-1aa9-db586dc9afdf@omp.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/phy/phy-tahvo.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/phy/phy-tahvo.c b/drivers/usb/phy/phy-tahvo.c
+index 1ec00eae339a..e4fc73bf6ee9 100644
+--- a/drivers/usb/phy/phy-tahvo.c
++++ b/drivers/usb/phy/phy-tahvo.c
+@@ -404,7 +404,9 @@ static int tahvo_usb_probe(struct platform_device *pdev)
+
+ dev_set_drvdata(&pdev->dev, tu);
+
+- tu->irq = platform_get_irq(pdev, 0);
++ tu->irq = ret = platform_get_irq(pdev, 0);
++ if (ret < 0)
++ return ret;
+ ret = request_threaded_irq(tu->irq, NULL, tahvo_usb_vbus_interrupt,
+ IRQF_ONESHOT,
+ "tahvo-vbus", tu);
+--
+2.30.2
+
--- /dev/null
+From a741b12947684de2bea3f6ac3598ebca4ea081a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 23:53:16 +0300
+Subject: usb: phy: twl6030: add IRQ checks
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit 0881e22c06e66af0b64773c91c8868ead3d01aa1 ]
+
+The driver neglects to check the result of platform_get_irq()'s calls and
+blithely passes the negative error codes to request_threaded_irq() (which
+takes *unsigned* IRQ #), causing them both to fail with -EINVAL, overriding
+an original error code. Stop calling request_threaded_irq() with the
+invalid IRQ #s.
+
+Fixes: c33fad0c3748 ("usb: otg: Adding twl6030-usb transceiver driver for OMAP4430")
+Acked-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/9507f50b-50f1-6dc4-f57c-3ed4e53a1c25@omp.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/phy/phy-twl6030-usb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/usb/phy/phy-twl6030-usb.c b/drivers/usb/phy/phy-twl6030-usb.c
+index 8e14fa221191..4884c4238b7b 100644
+--- a/drivers/usb/phy/phy-twl6030-usb.c
++++ b/drivers/usb/phy/phy-twl6030-usb.c
+@@ -355,6 +355,11 @@ static int twl6030_usb_probe(struct platform_device *pdev)
+ twl->irq2 = platform_get_irq(pdev, 1);
+ twl->linkstat = MUSB_UNKNOWN;
+
++ if (twl->irq1 < 0)
++ return twl->irq1;
++ if (twl->irq2 < 0)
++ return twl->irq2;
++
+ twl->comparator.set_vbus = twl6030_set_vbus;
+ twl->comparator.start_srp = twl6030_start_srp;
+
+--
+2.30.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
