Fixes for 5.4
authorSasha Levin <sashal@kernel.org>
Mon, 27 Sep 2021 05:02:47 +0000 (01:02 -0400)
committerSasha Levin <sashal@kernel.org>
Mon, 27 Sep 2021 05:02:47 +0000 (01:02 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
32 files changed:
queue-5.4/alpha-declare-virt_to_phys-and-virt_to_bus-parameter.patch [new file with mode: 0644]
queue-5.4/arm64-mark-__stack_chk_guard-as-__ro_after_init.patch [new file with mode: 0644]
queue-5.4/blk-cgroup-fix-uaf-by-grabbing-blkcg-lock-before-des.patch [new file with mode: 0644]
queue-5.4/blktrace-fix-uaf-in-blk_trace-access-after-removing-.patch [new file with mode: 0644]
queue-5.4/bpf-add-oversize-check-before-call-kvcalloc.patch [new file with mode: 0644]
queue-5.4/cifs-fix-a-sign-extension-bug.patch [new file with mode: 0644]
queue-5.4/compiler.h-introduce-absolute_pointer-macro.patch [new file with mode: 0644]
queue-5.4/fpga-machxo2-spi-fix-missing-error-code-in-machxo2_w.patch [new file with mode: 0644]
queue-5.4/fpga-machxo2-spi-return-an-error-on-failure.patch [new file with mode: 0644]
queue-5.4/ipv6-delay-fib6_sernum-increase-in-fib6_add.patch [new file with mode: 0644]
queue-5.4/irqchip-gic-v3-its-fix-potential-vpe-leak-on-error.patch [new file with mode: 0644]
queue-5.4/irqchip-goldfish-pic-select-generic_irq_chip-to-fix-.patch [new file with mode: 0644]
queue-5.4/m68k-double-cast-io-functions-to-unsigned-long.patch [new file with mode: 0644]
queue-5.4/md-fix-a-lock-order-reversal-in-md_alloc.patch [new file with mode: 0644]
queue-5.4/net-6pack-fix-tx-timeout-and-slot-time.patch [new file with mode: 0644]
queue-5.4/net-i825xx-use-absolute_pointer-for-memcpy-from-fixe.patch [new file with mode: 0644]
queue-5.4/net-macb-fix-use-after-free-on-rmmod.patch [new file with mode: 0644]
queue-5.4/net-stmmac-allow-csr-clock-of-300mhz.patch [new file with mode: 0644]
queue-5.4/nvme-multipath-fix-ana-state-updates-when-a-namespac.patch [new file with mode: 0644]
queue-5.4/parisc-use-absolute_pointer-to-define-page0.patch [new file with mode: 0644]
queue-5.4/qnx4-avoid-stringop-overread-errors.patch [new file with mode: 0644]
queue-5.4/scsi-iscsi-adjust-iface-sysfs-attr-detection.patch [new file with mode: 0644]
queue-5.4/scsi-lpfc-use-correct-scnprintf-limit.patch [new file with mode: 0644]
queue-5.4/scsi-qla2xxx-restore-initiator-in-dual-mode.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/sparc-avoid-stringop-overread-errors.patch [new file with mode: 0644]
queue-5.4/sparc32-page-align-size-in-arch_dma_alloc.patch [new file with mode: 0644]
queue-5.4/spi-fix-tegra20-build-with-config_pm-n.patch [new file with mode: 0644]
queue-5.4/thermal-core-potential-buffer-overflow-in-thermal_bu.patch [new file with mode: 0644]
queue-5.4/tty-synclink_gt-drop-unneeded-forward-declarations.patch [new file with mode: 0644]
queue-5.4/tty-synclink_gt-rename-a-conflicting-function-name.patch [new file with mode: 0644]
queue-5.4/xen-balloon-use-a-kernel-thread-instead-a-workqueue.patch [new file with mode: 0644]

diff --git a/queue-5.4/alpha-declare-virt_to_phys-and-virt_to_bus-parameter.patch b/queue-5.4/alpha-declare-virt_to_phys-and-virt_to_bus-parameter.patch
new file mode 100644 (file)
index 0000000..ff31dc8
--- /dev/null
@@ -0,0 +1,69 @@
+From 604671ed05bbc253678181f8a34658f7e951912f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Sep 2021 22:00:33 -0700
+Subject: alpha: Declare virt_to_phys and virt_to_bus parameter as pointer to
+ volatile
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 35a3f4ef0ab543daa1725b0c963eb8c05e3376f8 ]
+
+Some drivers pass a pointer to volatile data to virt_to_bus() and
+virt_to_phys(), and that works fine.  One exception is alpha.  This
+results in a number of compile errors such as
+
+  drivers/net/wan/lmc/lmc_main.c: In function 'lmc_softreset':
+  drivers/net/wan/lmc/lmc_main.c:1782:50: error:
+       passing argument 1 of 'virt_to_bus' discards 'volatile'
+       qualifier from pointer target type
+
+  drivers/atm/ambassador.c: In function 'do_loader_command':
+  drivers/atm/ambassador.c:1747:58: error:
+       passing argument 1 of 'virt_to_bus' discards 'volatile'
+       qualifier from pointer target type
+
+Declare the parameter of virt_to_phys and virt_to_bus as pointer to
+volatile to fix the problem.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/alpha/include/asm/io.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/alpha/include/asm/io.h b/arch/alpha/include/asm/io.h
+index 103270d5a9fc..66a384a4ddba 100644
+--- a/arch/alpha/include/asm/io.h
++++ b/arch/alpha/include/asm/io.h
+@@ -61,7 +61,7 @@ extern inline void set_hae(unsigned long new_hae)
+  * Change virtual addresses to physical addresses and vv.
+  */
+ #ifdef USE_48_BIT_KSEG
+-static inline unsigned long virt_to_phys(void *address)
++static inline unsigned long virt_to_phys(volatile void *address)
+ {
+       return (unsigned long)address - IDENT_ADDR;
+ }
+@@ -71,7 +71,7 @@ static inline void * phys_to_virt(unsigned long address)
+       return (void *) (address + IDENT_ADDR);
+ }
+ #else
+-static inline unsigned long virt_to_phys(void *address)
++static inline unsigned long virt_to_phys(volatile void *address)
+ {
+         unsigned long phys = (unsigned long)address;
+@@ -107,7 +107,7 @@ static inline void * phys_to_virt(unsigned long address)
+ extern unsigned long __direct_map_base;
+ extern unsigned long __direct_map_size;
+-static inline unsigned long __deprecated virt_to_bus(void *address)
++static inline unsigned long __deprecated virt_to_bus(volatile void *address)
+ {
+       unsigned long phys = virt_to_phys(address);
+       unsigned long bus = phys + __direct_map_base;
+-- 
+2.33.0
+
diff --git a/queue-5.4/arm64-mark-__stack_chk_guard-as-__ro_after_init.patch b/queue-5.4/arm64-mark-__stack_chk_guard-as-__ro_after_init.patch
new file mode 100644 (file)
index 0000000..9de0040
--- /dev/null
@@ -0,0 +1,42 @@
+From 864a911b6e4a7fddb28a1df0ab6b13c8c393cb71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 17:44:02 +0800
+Subject: arm64: Mark __stack_chk_guard as __ro_after_init
+
+From: Dan Li <ashimida@linux.alibaba.com>
+
+[ Upstream commit 9fcb2e93f41c07a400885325e7dbdfceba6efaec ]
+
+__stack_chk_guard is setup once while init stage and never changed
+after that.
+
+Although the modification of this variable at runtime will usually
+cause the kernel to crash (so does the attacker), it should be marked
+as __ro_after_init, and it should not affect performance if it is
+placed in the ro_after_init section.
+
+Signed-off-by: Dan Li <ashimida@linux.alibaba.com>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Link: https://lore.kernel.org/r/1631612642-102881-1-git-send-email-ashimida@linux.alibaba.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/process.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c
+index 7d7cfa128b71..f61ef46ebff7 100644
+--- a/arch/arm64/kernel/process.c
++++ b/arch/arm64/kernel/process.c
+@@ -56,7 +56,7 @@
+ #if defined(CONFIG_STACKPROTECTOR) && !defined(CONFIG_STACKPROTECTOR_PER_TASK)
+ #include <linux/stackprotector.h>
+-unsigned long __stack_chk_guard __read_mostly;
++unsigned long __stack_chk_guard __ro_after_init;
+ EXPORT_SYMBOL(__stack_chk_guard);
+ #endif
+-- 
+2.33.0
+
diff --git a/queue-5.4/blk-cgroup-fix-uaf-by-grabbing-blkcg-lock-before-des.patch b/queue-5.4/blk-cgroup-fix-uaf-by-grabbing-blkcg-lock-before-des.patch
new file mode 100644 (file)
index 0000000..4807b66
--- /dev/null
@@ -0,0 +1,181 @@
+From c72d60ff0cf42f2b1bc1f1124f6246a1cf555c07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 12:26:05 +0800
+Subject: blk-cgroup: fix UAF by grabbing blkcg lock before destroying blkg pd
+
+From: Li Jinlin <lijinlin3@huawei.com>
+
+[ Upstream commit 858560b27645e7e97aca37ee8f232cccd658fbd2 ]
+
+KASAN reports a use-after-free report when doing fuzz test:
+
+[693354.104835] ==================================================================
+[693354.105094] BUG: KASAN: use-after-free in bfq_io_set_weight_legacy+0xd3/0x160
+[693354.105336] Read of size 4 at addr ffff888be0a35664 by task sh/1453338
+
+[693354.105607] CPU: 41 PID: 1453338 Comm: sh Kdump: loaded Not tainted 4.18.0-147
+[693354.105610] Hardware name: Huawei 2288H V5/BC11SPSCB0, BIOS 0.81 07/02/2018
+[693354.105612] Call Trace:
+[693354.105621]  dump_stack+0xf1/0x19b
+[693354.105626]  ? show_regs_print_info+0x5/0x5
+[693354.105634]  ? printk+0x9c/0xc3
+[693354.105638]  ? cpumask_weight+0x1f/0x1f
+[693354.105648]  print_address_description+0x70/0x360
+[693354.105654]  kasan_report+0x1b2/0x330
+[693354.105659]  ? bfq_io_set_weight_legacy+0xd3/0x160
+[693354.105665]  ? bfq_io_set_weight_legacy+0xd3/0x160
+[693354.105670]  bfq_io_set_weight_legacy+0xd3/0x160
+[693354.105675]  ? bfq_cpd_init+0x20/0x20
+[693354.105683]  cgroup_file_write+0x3aa/0x510
+[693354.105693]  ? ___slab_alloc+0x507/0x540
+[693354.105698]  ? cgroup_file_poll+0x60/0x60
+[693354.105702]  ? 0xffffffff89600000
+[693354.105708]  ? usercopy_abort+0x90/0x90
+[693354.105716]  ? mutex_lock+0xef/0x180
+[693354.105726]  kernfs_fop_write+0x1ab/0x280
+[693354.105732]  ? cgroup_file_poll+0x60/0x60
+[693354.105738]  vfs_write+0xe7/0x230
+[693354.105744]  ksys_write+0xb0/0x140
+[693354.105749]  ? __ia32_sys_read+0x50/0x50
+[693354.105760]  do_syscall_64+0x112/0x370
+[693354.105766]  ? syscall_return_slowpath+0x260/0x260
+[693354.105772]  ? do_page_fault+0x9b/0x270
+[693354.105779]  ? prepare_exit_to_usermode+0xf9/0x1a0
+[693354.105784]  ? enter_from_user_mode+0x30/0x30
+[693354.105793]  entry_SYSCALL_64_after_hwframe+0x65/0xca
+
+[693354.105875] Allocated by task 1453337:
+[693354.106001]  kasan_kmalloc+0xa0/0xd0
+[693354.106006]  kmem_cache_alloc_node_trace+0x108/0x220
+[693354.106010]  bfq_pd_alloc+0x96/0x120
+[693354.106015]  blkcg_activate_policy+0x1b7/0x2b0
+[693354.106020]  bfq_create_group_hierarchy+0x1e/0x80
+[693354.106026]  bfq_init_queue+0x678/0x8c0
+[693354.106031]  blk_mq_init_sched+0x1f8/0x460
+[693354.106037]  elevator_switch_mq+0xe1/0x240
+[693354.106041]  elevator_switch+0x25/0x40
+[693354.106045]  elv_iosched_store+0x1a1/0x230
+[693354.106049]  queue_attr_store+0x78/0xb0
+[693354.106053]  kernfs_fop_write+0x1ab/0x280
+[693354.106056]  vfs_write+0xe7/0x230
+[693354.106060]  ksys_write+0xb0/0x140
+[693354.106064]  do_syscall_64+0x112/0x370
+[693354.106069]  entry_SYSCALL_64_after_hwframe+0x65/0xca
+
+[693354.106114] Freed by task 1453336:
+[693354.106225]  __kasan_slab_free+0x130/0x180
+[693354.106229]  kfree+0x90/0x1b0
+[693354.106233]  blkcg_deactivate_policy+0x12c/0x220
+[693354.106238]  bfq_exit_queue+0xf5/0x110
+[693354.106241]  blk_mq_exit_sched+0x104/0x130
+[693354.106245]  __elevator_exit+0x45/0x60
+[693354.106249]  elevator_switch_mq+0xd6/0x240
+[693354.106253]  elevator_switch+0x25/0x40
+[693354.106257]  elv_iosched_store+0x1a1/0x230
+[693354.106261]  queue_attr_store+0x78/0xb0
+[693354.106264]  kernfs_fop_write+0x1ab/0x280
+[693354.106268]  vfs_write+0xe7/0x230
+[693354.106271]  ksys_write+0xb0/0x140
+[693354.106275]  do_syscall_64+0x112/0x370
+[693354.106280]  entry_SYSCALL_64_after_hwframe+0x65/0xca
+
+[693354.106329] The buggy address belongs to the object at ffff888be0a35580
+                 which belongs to the cache kmalloc-1k of size 1024
+[693354.106736] The buggy address is located 228 bytes inside of
+                 1024-byte region [ffff888be0a35580, ffff888be0a35980)
+[693354.107114] The buggy address belongs to the page:
+[693354.107273] page:ffffea002f828c00 count:1 mapcount:0 mapping:ffff888107c17080 index:0x0 compound_mapcount: 0
+[693354.107606] flags: 0x17ffffc0008100(slab|head)
+[693354.107760] raw: 0017ffffc0008100 ffffea002fcbc808 ffffea0030bd3a08 ffff888107c17080
+[693354.108020] raw: 0000000000000000 00000000001c001c 00000001ffffffff 0000000000000000
+[693354.108278] page dumped because: kasan: bad access detected
+
+[693354.108511] Memory state around the buggy address:
+[693354.108671]  ffff888be0a35500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[693354.116396]  ffff888be0a35580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[693354.124473] >ffff888be0a35600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[693354.132421]                                                        ^
+[693354.140284]  ffff888be0a35680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[693354.147912]  ffff888be0a35700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[693354.155281] ==================================================================
+
+blkgs are protected by both queue and blkcg locks and holding
+either should stabilize them. However, the path of destroying
+blkg policy data is only protected by queue lock in
+blkcg_activate_policy()/blkcg_deactivate_policy(). Other tasks
+can get the blkg policy data before the blkg policy data is
+destroyed, and use it after destroyed, which will result in a
+use-after-free.
+
+CPU0                             CPU1
+blkcg_deactivate_policy
+  spin_lock_irq(&q->queue_lock)
+                                 bfq_io_set_weight_legacy
+                                   spin_lock_irq(&blkcg->lock)
+                                   blkg_to_bfqg(blkg)
+                                     pd_to_bfqg(blkg->pd[pol->plid])
+                                     ^^^^^^blkg->pd[pol->plid] != NULL
+                                           bfqg != NULL
+  pol->pd_free_fn(blkg->pd[pol->plid])
+    pd_to_bfqg(blkg->pd[pol->plid])
+    bfqg_put(bfqg)
+      kfree(bfqg)
+  blkg->pd[pol->plid] = NULL
+  spin_unlock_irq(q->queue_lock);
+                                   bfq_group_set_weight(bfqg, val, 0)
+                                     bfqg->entity.new_weight
+                                     ^^^^^^trigger uaf here
+                                   spin_unlock_irq(&blkcg->lock);
+
+Fix by grabbing the matching blkcg lock before trying to
+destroy blkg policy data.
+
+Suggested-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Li Jinlin <lijinlin3@huawei.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Link: https://lore.kernel.org/r/20210914042605.3260596-1-lijinlin3@huawei.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-cgroup.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
+index cb3d44d20005..dde8d0acfb34 100644
+--- a/block/blk-cgroup.c
++++ b/block/blk-cgroup.c
+@@ -1462,10 +1462,14 @@ enomem:
+       /* alloc failed, nothing's initialized yet, free everything */
+       spin_lock_irq(&q->queue_lock);
+       list_for_each_entry(blkg, &q->blkg_list, q_node) {
++              struct blkcg *blkcg = blkg->blkcg;
++
++              spin_lock(&blkcg->lock);
+               if (blkg->pd[pol->plid]) {
+                       pol->pd_free_fn(blkg->pd[pol->plid]);
+                       blkg->pd[pol->plid] = NULL;
+               }
++              spin_unlock(&blkcg->lock);
+       }
+       spin_unlock_irq(&q->queue_lock);
+       ret = -ENOMEM;
+@@ -1497,12 +1501,16 @@ void blkcg_deactivate_policy(struct request_queue *q,
+       __clear_bit(pol->plid, q->blkcg_pols);
+       list_for_each_entry(blkg, &q->blkg_list, q_node) {
++              struct blkcg *blkcg = blkg->blkcg;
++
++              spin_lock(&blkcg->lock);
+               if (blkg->pd[pol->plid]) {
+                       if (pol->pd_offline_fn)
+                               pol->pd_offline_fn(blkg->pd[pol->plid]);
+                       pol->pd_free_fn(blkg->pd[pol->plid]);
+                       blkg->pd[pol->plid] = NULL;
+               }
++              spin_unlock(&blkcg->lock);
+       }
+       spin_unlock_irq(&q->queue_lock);
+-- 
+2.33.0
+
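Review bot: The added `spin_lock(&blkcg->lock)` in both hunks of block/blk-cgroup.c is taken while `q->queue_lock` is already held with interrupts disabled (the surrounding `spin_lock_irq`/`spin_unlock_irq` context lines), which silently fixes the nesting order queue_lock → blkcg->lock for the pd teardown path, but nothing in the code says so. A short comment at the first new lock in the `enomem:` path, and the same in blkcg_deactivate_policy, would keep a later change from inverting the order: `/* blkcg->lock nests inside q->queue_lock; pd may only be freed with both held (readers such as bfq_io_set_weight_legacy hold only blkcg->lock) */`. Both enclosing functions start and end outside the hunk, so whether every other path that destroys or reads `blkg->pd[]` now honours the same pairing cannot be confirmed from here.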
diff --git a/queue-5.4/blktrace-fix-uaf-in-blk_trace-access-after-removing-.patch b/queue-5.4/blktrace-fix-uaf-in-blk_trace-access-after-removing-.patch
new file mode 100644 (file)
index 0000000..f2f4530
--- /dev/null
@@ -0,0 +1,93 @@
+From f01569da8b7923cca5ccb5c557b5deeefde22ca6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Sep 2021 21:49:21 +0800
+Subject: blktrace: Fix uaf in blk_trace access after removing by sysfs
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit 5afedf670caf30a2b5a52da96eb7eac7dee6a9c9 ]
+
+There is an use-after-free problem triggered by following process:
+
+      P1(sda)                          P2(sdb)
+                       echo 0 > /sys/block/sdb/trace/enable
+                         blk_trace_remove_queue
+                           synchronize_rcu
+                           blk_trace_free
+                             relay_close
+rcu_read_lock
+__blk_add_trace
+  trace_note_tsk
+  (Iterate running_trace_list)
+                               relay_close_buf
+                                 relay_destroy_buf
+                                   kfree(buf)
+    trace_note(sdb's bt)
+      relay_reserve
+        buf->offset <- nullptr deference (use-after-free) !!!
+rcu_read_unlock
+
+[  502.714379] BUG: kernel NULL pointer dereference, address:
+0000000000000010
+[  502.715260] #PF: supervisor read access in kernel mode
+[  502.715903] #PF: error_code(0x0000) - not-present page
+[  502.716546] PGD 103984067 P4D 103984067 PUD 17592b067 PMD 0
+[  502.717252] Oops: 0000 [#1] SMP
+[  502.720308] RIP: 0010:trace_note.isra.0+0x86/0x360
+[  502.732872] Call Trace:
+[  502.733193]  __blk_add_trace.cold+0x137/0x1a3
+[  502.733734]  blk_add_trace_rq+0x7b/0xd0
+[  502.734207]  blk_add_trace_rq_issue+0x54/0xa0
+[  502.734755]  blk_mq_start_request+0xde/0x1b0
+[  502.735287]  scsi_queue_rq+0x528/0x1140
+...
+[  502.742704]  sg_new_write.isra.0+0x16e/0x3e0
+[  502.747501]  sg_ioctl+0x466/0x1100
+
+Reproduce method:
+  ioctl(/dev/sda, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])
+  ioctl(/dev/sda, BLKTRACESTART)
+  ioctl(/dev/sdb, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])
+  ioctl(/dev/sdb, BLKTRACESTART)
+
+  echo 0 > /sys/block/sdb/trace/enable &
+  // Add delay(mdelay/msleep) before kernel enters blk_trace_free()
+
+  ioctl$SG_IO(/dev/sda, SG_IO, ...)
+  // Enters trace_note_tsk() after blk_trace_free() returned
+  // Use mdelay in rcu region rather than msleep(which may schedule out)
+
+Remove blk_trace from running_list before calling blk_trace_free() by
+sysfs if blk_trace is at Blktrace_running state.
+
+Fixes: c71a896154119f ("blktrace: add ftrace plugin")
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Link: https://lore.kernel.org/r/20210923134921.109194-1-chengzhihao1@huawei.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/blktrace.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
+index 884333b9fc76..749b27851f45 100644
+--- a/kernel/trace/blktrace.c
++++ b/kernel/trace/blktrace.c
+@@ -1656,6 +1656,14 @@ static int blk_trace_remove_queue(struct request_queue *q)
+       if (bt == NULL)
+               return -EINVAL;
++      if (bt->trace_state == Blktrace_running) {
++              bt->trace_state = Blktrace_stopped;
++              spin_lock_irq(&running_trace_lock);
++              list_del_init(&bt->running_list);
++              spin_unlock_irq(&running_trace_lock);
++              relay_flush(bt->rchan);
++      }
++
+       put_probe_ref();
+       synchronize_rcu();
+       blk_trace_free(bt);
+-- 
+2.33.0
+
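Review bot: The new block in blk_trace_remove_queue() is the reason the later `synchronize_rcu()` and `blk_trace_free()` are now safe, yet it carries no comment explaining the dependency, so a reader cannot tell why the list removal must precede them. Suggested comment above the `if`: `/* Drop bt from running_trace_list before synchronize_rcu() so that a concurrent __blk_add_trace() walking the list under RCU cannot reach the relay buffers blk_trace_free() is about to release. */`. The sequence (set Blktrace_stopped, take running_trace_lock, list_del_init, relay_flush) reads like the stop half of the ioctl start/stop path; if that path has an equivalent open-coded sequence, factoring both into one helper would prevent the two from drifting apart. The enclosing function continues past the hunk.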
diff --git a/queue-5.4/bpf-add-oversize-check-before-call-kvcalloc.patch b/queue-5.4/bpf-add-oversize-check-before-call-kvcalloc.patch
new file mode 100644 (file)
index 0000000..a018a26
--- /dev/null
@@ -0,0 +1,60 @@
+From 6e112afb7ca9a5369403ea480ee76445059a1b58 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Sep 2021 08:55:57 +0800
+Subject: bpf: Add oversize check before call kvcalloc()
+
+From: Bixuan Cui <cuibixuan@huawei.com>
+
+[ Upstream commit 0e6491b559704da720f6da09dd0a52c4df44c514 ]
+
+Commit 7661809d493b ("mm: don't allow oversized kvmalloc() calls") add the
+oversize check. When the allocation is larger than what kmalloc() supports,
+the following warning triggered:
+
+WARNING: CPU: 0 PID: 8408 at mm/util.c:597 kvmalloc_node+0x108/0x110 mm/util.c:597
+Modules linked in:
+CPU: 0 PID: 8408 Comm: syz-executor221 Not tainted 5.14.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:kvmalloc_node+0x108/0x110 mm/util.c:597
+Call Trace:
+ kvmalloc include/linux/mm.h:806 [inline]
+ kvmalloc_array include/linux/mm.h:824 [inline]
+ kvcalloc include/linux/mm.h:829 [inline]
+ check_btf_line kernel/bpf/verifier.c:9925 [inline]
+ check_btf_info kernel/bpf/verifier.c:10049 [inline]
+ bpf_check+0xd634/0x150d0 kernel/bpf/verifier.c:13759
+ bpf_prog_load kernel/bpf/syscall.c:2301 [inline]
+ __sys_bpf+0x11181/0x126e0 kernel/bpf/syscall.c:4587
+ __do_sys_bpf kernel/bpf/syscall.c:4691 [inline]
+ __se_sys_bpf kernel/bpf/syscall.c:4689 [inline]
+ __x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:4689
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Reported-by: syzbot+f3e749d4c662818ae439@syzkaller.appspotmail.com
+Signed-off-by: Bixuan Cui <cuibixuan@huawei.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/bpf/20210911005557.45518-1-cuibixuan@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 60383b28549b..9c5fa5c52903 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -6839,6 +6839,8 @@ static int check_btf_line(struct bpf_verifier_env *env,
+       nr_linfo = attr->line_info_cnt;
+       if (!nr_linfo)
+               return 0;
++      if (nr_linfo > INT_MAX / sizeof(struct bpf_line_info))
++              return -EINVAL;
+       rec_size = attr->line_info_rec_size;
+       if (rec_size < MIN_BPF_LINEINFO_SIZE ||
+-- 
+2.33.0
+
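Review bot: The bound `INT_MAX / sizeof(struct bpf_line_info)` is correct only because it mirrors the limit kvmalloc_node() now enforces (the warning quoted in the description from commit 7661809d493b), and that reasoning is not visible at the check site. A one-line comment would make the constant non-magic: `/* kvmalloc() refuses requests above INT_MAX; reject nr_linfo early instead of triggering its WARN */`. Placing the check before `rec_size` is read means a hostile `line_info_cnt` is rejected before any size arithmetic, which is the right order; the type of `nr_linfo` is outside the hunk, so whether the comparison involves any sign conversion cannot be confirmed here.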
diff --git a/queue-5.4/cifs-fix-a-sign-extension-bug.patch b/queue-5.4/cifs-fix-a-sign-extension-bug.patch
new file mode 100644 (file)
index 0000000..508bf45
--- /dev/null
@@ -0,0 +1,46 @@
+From c727ab98842b45b98a789b26d57eba1efe74a9a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Sep 2021 23:33:35 +0300
+Subject: cifs: fix a sign extension bug
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit e946d3c887a9dc33aa82a349c6284f4a084163f4 ]
+
+The problem is the mismatched types between "ctx->total_len" which is
+an unsigned int, "rc" which is an int, and "ctx->rc" which is a
+ssize_t.  The code does:
+
+       ctx->rc = (rc == 0) ? ctx->total_len : rc;
+
+We want "ctx->rc" to store the negative "rc" error code.  But what
+happens is that "rc" is type promoted to a high unsigned int and
+'ctx->rc" will store the high positive value instead of a negative
+value.
+
+The fix is to change "rc" from an int to a ssize_t.
+
+Fixes: c610c4b619e5 ("CIFS: Add asynchronous write support through kernel AIO")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/cifs/file.c b/fs/cifs/file.c
+index 1aac8d38f887..a9746af5a44d 100644
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -2989,7 +2989,7 @@ static void collect_uncached_write_data(struct cifs_aio_ctx *ctx)
+       struct cifs_tcon *tcon;
+       struct cifs_sb_info *cifs_sb;
+       struct dentry *dentry = ctx->cfile->dentry;
+-      int rc;
++      ssize_t rc;
+       tcon = tlink_tcon(ctx->cfile->tlink);
+       cifs_sb = CIFS_SB(dentry->d_sb);
+-- 
+2.33.0
+
diff --git a/queue-5.4/compiler.h-introduce-absolute_pointer-macro.patch b/queue-5.4/compiler.h-introduce-absolute_pointer-macro.patch
new file mode 100644 (file)
index 0000000..380b96e
--- /dev/null
@@ -0,0 +1,44 @@
+From 30c9fe53039de1c7291d290c0b24906101579e79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 20:52:24 -0700
+Subject: compiler.h: Introduce absolute_pointer macro
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit f6b5f1a56987de837f8e25cd560847106b8632a8 ]
+
+absolute_pointer() disassociates a pointer from its originating symbol
+type and context. Use it to prevent compiler warnings/errors such as
+
+  drivers/net/ethernet/i825xx/82596.c: In function 'i82596_probe':
+  arch/m68k/include/asm/string.h:72:25: error:
+       '__builtin_memcpy' reading 6 bytes from a region of size 0 [-Werror=stringop-overread]
+
+Such warnings may be reported by gcc 11.x for string and memory
+operations on fixed addresses.
+
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/compiler.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/linux/compiler.h b/include/linux/compiler.h
+index 9446e8fbe55c..bce983406aaf 100644
+--- a/include/linux/compiler.h
++++ b/include/linux/compiler.h
+@@ -233,6 +233,8 @@ void ftrace_likely_update(struct ftrace_likely_data *f, int val,
+     (typeof(ptr)) (__ptr + (off)); })
+ #endif
++#define absolute_pointer(val) RELOC_HIDE((void *)(val), 0)
++
+ #ifndef OPTIMIZER_HIDE_VAR
+ /* Make the optimizer believe the variable can be manipulated arbitrarily. */
+ #define OPTIMIZER_HIDE_VAR(var)                                               \
+-- 
+2.33.0
+
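Review bot: The new `absolute_pointer()` macro lands in include/linux/compiler.h without any comment, although the surrounding definitions (e.g. OPTIMIZER_HIDE_VAR two lines below) each explain their purpose. Suggested comment above the `#define`: `/* absolute_pointer(): disassociate a pointer from its originating symbol type and context, so that object-size checks such as -Wstringop-overread are not applied to string/memory operations on fixed addresses. */`. The wording comes from the commit description; the macro depends on RELOC_HIDE(), whose definition is outside the hunk.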
diff --git a/queue-5.4/fpga-machxo2-spi-fix-missing-error-code-in-machxo2_w.patch b/queue-5.4/fpga-machxo2-spi-fix-missing-error-code-in-machxo2_w.patch
new file mode 100644 (file)
index 0000000..446cc2b
--- /dev/null
@@ -0,0 +1,42 @@
+From fca1adb69b87b5e9046197cc459efe6cbb81ac4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Aug 2021 14:40:42 +0800
+Subject: fpga: machxo2-spi: Fix missing error code in machxo2_write_complete()
+
+From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+
+[ Upstream commit a1e4470823d99e75b596748086e120dea169ed3c ]
+
+The error code is missing in this code scenario, add the error code
+'-EINVAL' to the return value 'ret'.
+
+Eliminate the follow smatch warning:
+
+drivers/fpga/machxo2-spi.c:341 machxo2_write_complete()
+  warn: missing error code 'ret'.
+
+[mdf@kernel.org: Reworded commit message]
+Fixes: 88fb3a002330 ("fpga: lattice machxo2: Add Lattice MachXO2 support")
+Reported-by: Abaci Robot <abaci@linux.alibaba.com>
+Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+Signed-off-by: Moritz Fischer <mdf@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/fpga/machxo2-spi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/fpga/machxo2-spi.c b/drivers/fpga/machxo2-spi.c
+index 2fd097c3994b..37e54e375528 100644
+--- a/drivers/fpga/machxo2-spi.c
++++ b/drivers/fpga/machxo2-spi.c
+@@ -334,6 +334,7 @@ static int machxo2_write_complete(struct fpga_manager *mgr,
+                       break;
+               if (++refreshloop == MACHXO2_MAX_REFRESH_LOOP) {
+                       machxo2_cleanup(mgr);
++                      ret = -EINVAL;
+                       goto fail;
+               }
+       } while (1);
+-- 
+2.33.0
+
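Review bot: The refresh loop hitting `MACHXO2_MAX_REFRESH_LOOP` is a bounded-wait exhaustion, so reporting it as `-EINVAL` (which conventionally means a bad argument) is less informative than `ret = -ETIMEDOUT;`. The same consideration applies to the companion patch queue-5.4/fpga-machxo2-spi-return-an-error-on-failure.patch, where the status-register FAIL bit and a missing DONE bit are device-side failures for which `-EIO` would read more naturally than `-EINVAL`. This is only worth changing if no caller of the fpga manager ops distinguishes these codes, which cannot be confirmed from the hunk; the enclosing machxo2_write_complete() starts outside it.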
diff --git a/queue-5.4/fpga-machxo2-spi-return-an-error-on-failure.patch b/queue-5.4/fpga-machxo2-spi-return-an-error-on-failure.patch
new file mode 100644 (file)
index 0000000..7168fb6
--- /dev/null
@@ -0,0 +1,56 @@
+From 3fa20fd4655771f1f5fa7b02cc334e13edfa75ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 09:40:36 -0700
+Subject: fpga: machxo2-spi: Return an error on failure
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit 34331739e19fd6a293d488add28832ad49c9fc54 ]
+
+Earlier successes leave 'ret' in a non error state, so these errors are
+not reported. Set ret to -EINVAL before going to the error handler.
+
+This addresses two issues reported by smatch:
+drivers/fpga/machxo2-spi.c:229 machxo2_write_init()
+  warn: missing error code 'ret'
+
+drivers/fpga/machxo2-spi.c:316 machxo2_write_complete()
+  warn: missing error code 'ret'
+
+[mdf@kernel.org: Reworded commit message]
+Fixes: 88fb3a002330 ("fpga: lattice machxo2: Add Lattice MachXO2 support")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Tom Rix <trix@redhat.com>
+Signed-off-by: Moritz Fischer <mdf@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/fpga/machxo2-spi.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/fpga/machxo2-spi.c b/drivers/fpga/machxo2-spi.c
+index 4d8a87641587..2fd097c3994b 100644
+--- a/drivers/fpga/machxo2-spi.c
++++ b/drivers/fpga/machxo2-spi.c
+@@ -223,8 +223,10 @@ static int machxo2_write_init(struct fpga_manager *mgr,
+               goto fail;
+       get_status(spi, &status);
+-      if (test_bit(FAIL, &status))
++      if (test_bit(FAIL, &status)) {
++              ret = -EINVAL;
+               goto fail;
++      }
+       dump_status_reg(&status);
+       spi_message_init(&msg);
+@@ -310,6 +312,7 @@ static int machxo2_write_complete(struct fpga_manager *mgr,
+       dump_status_reg(&status);
+       if (!test_bit(DONE, &status)) {
+               machxo2_cleanup(mgr);
++              ret = -EINVAL;
+               goto fail;
+       }
+-- 
+2.33.0
+
diff --git a/queue-5.4/ipv6-delay-fib6_sernum-increase-in-fib6_add.patch b/queue-5.4/ipv6-delay-fib6_sernum-increase-in-fib6_add.patch
new file mode 100644 (file)
index 0000000..5d84467
--- /dev/null
@@ -0,0 +1,44 @@
+From 37073983a482f96c20a32f6729d2b65615a825b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Sep 2021 16:39:18 +0800
+Subject: ipv6: delay fib6_sernum increase in fib6_add
+
+From: zhang kai <zhangkaiheb@126.com>
+
+[ Upstream commit e87b5052271e39d62337ade531992b7e5d8c2cfa ]
+
+only increase fib6_sernum in net namespace after add fib6_info
+successfully.
+
+Signed-off-by: zhang kai <zhangkaiheb@126.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_fib.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
+index bb68290ad68d..9a6f66e0e9a2 100644
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -1310,7 +1310,6 @@ int fib6_add(struct fib6_node *root, struct fib6_info *rt,
+       int err = -ENOMEM;
+       int allow_create = 1;
+       int replace_required = 0;
+-      int sernum = fib6_new_sernum(info->nl_net);
+       if (info->nlh) {
+               if (!(info->nlh->nlmsg_flags & NLM_F_CREATE))
+@@ -1410,7 +1409,7 @@ int fib6_add(struct fib6_node *root, struct fib6_info *rt,
+       if (!err) {
+               if (rt->nh)
+                       list_add(&rt->nh_list, &rt->nh->f6i_list);
+-              __fib6_update_sernum_upto_root(rt, sernum);
++              __fib6_update_sernum_upto_root(rt, fib6_new_sernum(info->nl_net));
+               fib6_start_gc(info->nl_net, rt);
+       }
+-- 
+2.33.0
+
diff --git a/queue-5.4/irqchip-gic-v3-its-fix-potential-vpe-leak-on-error.patch b/queue-5.4/irqchip-gic-v3-its-fix-potential-vpe-leak-on-error.patch
new file mode 100644 (file)
index 0000000..24416e1
--- /dev/null
@@ -0,0 +1,41 @@
+From bdb4c44f8c061a327b8f208cd43fdf26289616f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Sep 2021 10:20:55 +0800
+Subject: irqchip/gic-v3-its: Fix potential VPE leak on error
+
+From: Kaige Fu <kaige.fu@linux.alibaba.com>
+
+[ Upstream commit 280bef512933b2dda01d681d8cbe499b98fc5bdd ]
+
+In its_vpe_irq_domain_alloc, when its_vpe_init() returns an error,
+there is an off-by-one in the number of VPEs to be freed.
+
+Fix it by simply passing the number of VPEs allocated, which is the
+index of the loop iterating over the VPEs.
+
+Fixes: 7d75bbb4bc1a ("irqchip/gic-v3-its: Add VPE irq domain allocation/teardown")
+Signed-off-by: Kaige Fu <kaige.fu@linux.alibaba.com>
+[maz: fixed commit message]
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/d9e36dee512e63670287ed9eff884a5d8d6d27f2.1631672311.git.kaige.fu@linux.alibaba.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-gic-v3-its.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
+index f298313b87ac..398c54387988 100644
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -3123,7 +3123,7 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq
+       if (err) {
+               if (i > 0)
+-                      its_vpe_irq_domain_free(domain, virq, i - 1);
++                      its_vpe_irq_domain_free(domain, virq, i);
+               its_lpi_free(bitmap, base, nr_ids);
+               its_free_prop_table(vprop_page);
+-- 
+2.33.0
+
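Review bot: The corrected `its_vpe_irq_domain_free(domain, virq, i)` call in the error path deserves a comment tying the count to the loop it unwinds, since the previous `i - 1` looked plausible enough to survive for years. A line above it such as `/* i VPEs (indices 0..i-1) were set up before its_vpe_init() failed; free exactly those */` makes the off-by-one obvious to the next reader. Whether the `if (i > 0)` guard is still needed depends on how its_vpe_irq_domain_free() treats a zero count, which is not visible here. its_vpe_irq_domain_alloc starts and ends outside this hunk.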
diff --git a/queue-5.4/irqchip-goldfish-pic-select-generic_irq_chip-to-fix-.patch b/queue-5.4/irqchip-goldfish-pic-select-generic_irq_chip-to-fix-.patch
new file mode 100644 (file)
index 0000000..8fb140b
--- /dev/null
@@ -0,0 +1,55 @@
+From 7fe00b1f42b40bd775f81a5069d92cb58cba03d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Sep 2021 09:25:19 -0700
+Subject: irqchip/goldfish-pic: Select GENERIC_IRQ_CHIP to fix build
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 969ac78db78c723a24e9410666b457cc1b0cb3c3 ]
+
+irq-goldfish-pic uses GENERIC_IRQ_CHIP interfaces so select that symbol
+to fix build errors.
+
+Fixes these build errors:
+
+mips-linux-ld: drivers/irqchip/irq-goldfish-pic.o: in function `goldfish_pic_of_init':
+irq-goldfish-pic.c:(.init.text+0xc0): undefined reference to `irq_alloc_generic_chip'
+mips-linux-ld: irq-goldfish-pic.c:(.init.text+0xf4): undefined reference to `irq_gc_unmask_enable_reg'
+mips-linux-ld: irq-goldfish-pic.c:(.init.text+0xf8): undefined reference to `irq_gc_unmask_enable_reg'
+mips-linux-ld: irq-goldfish-pic.c:(.init.text+0x100): undefined reference to `irq_gc_mask_disable_reg'
+mips-linux-ld: irq-goldfish-pic.c:(.init.text+0x104): undefined reference to `irq_gc_mask_disable_reg'
+mips-linux-ld: irq-goldfish-pic.c:(.init.text+0x11c): undefined reference to `irq_setup_generic_chip'
+mips-linux-ld: irq-goldfish-pic.c:(.init.text+0x168): undefined reference to `irq_remove_generic_chip'
+
+Fixes: 4235ff50cf98 ("irqchip/irq-goldfish-pic: Add Goldfish PIC driver")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Cc: Miodrag Dinic <miodrag.dinic@mips.com>
+Cc: Geert Uytterhoeven <geert+renesas@glider.be>
+Cc: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Marc Zyngier <maz@kernel.org>
+Cc: Goran Ferenc <goran.ferenc@mips.com>
+Cc: Aleksandar Markovic <aleksandar.markovic@mips.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20210905162519.21507-1-rdunlap@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/irqchip/Kconfig b/drivers/irqchip/Kconfig
+index 97f9c001d8ff..20f44ef9c4c9 100644
+--- a/drivers/irqchip/Kconfig
++++ b/drivers/irqchip/Kconfig
+@@ -415,6 +415,7 @@ config MESON_IRQ_GPIO
+ config GOLDFISH_PIC
+        bool "Goldfish programmable interrupt controller"
+        depends on MIPS && (GOLDFISH || COMPILE_TEST)
++       select GENERIC_IRQ_CHIP
+        select IRQ_DOMAIN
+        help
+          Say yes here to enable Goldfish interrupt controller driver used
+-- 
+2.33.0
+
diff --git a/queue-5.4/m68k-double-cast-io-functions-to-unsigned-long.patch b/queue-5.4/m68k-double-cast-io-functions-to-unsigned-long.patch
new file mode 100644 (file)
index 0000000..80ca453
--- /dev/null
@@ -0,0 +1,68 @@
+From 143303c8d0d4d749a1fb1beda3e517b2c0295ad8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Sep 2021 23:07:29 -0700
+Subject: m68k: Double cast io functions to unsigned long
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit b1a89856fbf63fffde6a4771d8f1ac21df549e50 ]
+
+m68k builds fail widely with errors such as
+
+arch/m68k/include/asm/raw_io.h:20:19: error:
+       cast to pointer from integer of different size
+arch/m68k/include/asm/raw_io.h:30:32: error:
+       cast to pointer from integer of different size [-Werror=int-to-p
+
+On m68k, io functions are defined as macros. The problem is seen if the
+macro parameter variable size differs from the size of a pointer. Cast
+the parameter of all io macros to unsigned long before casting it to
+a pointer to fix the problem.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20210907060729.2391992-1-linux@roeck-us.net
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/include/asm/raw_io.h | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/arch/m68k/include/asm/raw_io.h b/arch/m68k/include/asm/raw_io.h
+index 8a6dc6e5a279..8ab3c350bd53 100644
+--- a/arch/m68k/include/asm/raw_io.h
++++ b/arch/m68k/include/asm/raw_io.h
+@@ -17,21 +17,21 @@
+  * two accesses to memory, which may be undesirable for some devices.
+  */
+ #define in_8(addr) \
+-    ({ u8 __v = (*(__force volatile u8 *) (addr)); __v; })
++    ({ u8 __v = (*(__force volatile u8 *) (unsigned long)(addr)); __v; })
+ #define in_be16(addr) \
+-    ({ u16 __v = (*(__force volatile u16 *) (addr)); __v; })
++    ({ u16 __v = (*(__force volatile u16 *) (unsigned long)(addr)); __v; })
+ #define in_be32(addr) \
+-    ({ u32 __v = (*(__force volatile u32 *) (addr)); __v; })
++    ({ u32 __v = (*(__force volatile u32 *) (unsigned long)(addr)); __v; })
+ #define in_le16(addr) \
+-    ({ u16 __v = le16_to_cpu(*(__force volatile __le16 *) (addr)); __v; })
++    ({ u16 __v = le16_to_cpu(*(__force volatile __le16 *) (unsigned long)(addr)); __v; })
+ #define in_le32(addr) \
+-    ({ u32 __v = le32_to_cpu(*(__force volatile __le32 *) (addr)); __v; })
++    ({ u32 __v = le32_to_cpu(*(__force volatile __le32 *) (unsigned long)(addr)); __v; })
+-#define out_8(addr,b) (void)((*(__force volatile u8 *) (addr)) = (b))
+-#define out_be16(addr,w) (void)((*(__force volatile u16 *) (addr)) = (w))
+-#define out_be32(addr,l) (void)((*(__force volatile u32 *) (addr)) = (l))
+-#define out_le16(addr,w) (void)((*(__force volatile __le16 *) (addr)) = cpu_to_le16(w))
+-#define out_le32(addr,l) (void)((*(__force volatile __le32 *) (addr)) = cpu_to_le32(l))
++#define out_8(addr,b) (void)((*(__force volatile u8 *) (unsigned long)(addr)) = (b))
++#define out_be16(addr,w) (void)((*(__force volatile u16 *) (unsigned long)(addr)) = (w))
++#define out_be32(addr,l) (void)((*(__force volatile u32 *) (unsigned long)(addr)) = (l))
++#define out_le16(addr,w) (void)((*(__force volatile __le16 *) (unsigned long)(addr)) = cpu_to_le16(w))
++#define out_le32(addr,l) (void)((*(__force volatile __le32 *) (unsigned long)(addr)) = cpu_to_le32(l))
+ #define raw_inb in_8
+ #define raw_inw in_be16
+-- 
+2.33.0
+
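Review bot: The ten rewritten `in_*`/`out_*` macros now route `addr` through `(unsigned long)(addr)`, but nothing in the header states that `addr` may be either a pointer or an integer of any width, which is the whole reason for the double cast. A comment before `#define in_8(addr)` such as `/* addr may be a pointer or any integer type; normalise through unsigned long so the final pointer cast never warns about a size mismatch */` records the contract the commit message describes. It is worth saying there that the trick relies on sizeof(unsigned long) == sizeof(void *), true on m68k but not a reason to copy the pattern elsewhere.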
diff --git a/queue-5.4/md-fix-a-lock-order-reversal-in-md_alloc.patch b/queue-5.4/md-fix-a-lock-order-reversal-in-md_alloc.patch
new file mode 100644 (file)
index 0000000..57cd798
--- /dev/null
@@ -0,0 +1,61 @@
+From 290d0b5fc0846d83477ec64aade0d58df4fe0686 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Sep 2021 13:38:29 +0200
+Subject: md: fix a lock order reversal in md_alloc
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 7df835a32a8bedf7ce88efcfa7c9b245b52ff139 ]
+
+Commit b0140891a8cea3 ("md: Fix race when creating a new md device.")
+not only moved assigning mddev->gendisk before calling add_disk, which
+fixes the races described in the commit log, but also added a
+mddev->open_mutex critical section over add_disk and creation of the
+md kobj.  Adding a kobject after add_disk is racy vs deleting the gendisk
+right after adding it, but md already prevents against that by holding
+a mddev->active reference.
+
+On the other hand taking this lock added a lock order reversal with what
+is not disk->open_mutex (used to be bdev->bd_mutex when the commit was
+added) for partition devices, which need that lock for the internal open
+for the partition scan, and a recent commit also takes it for
+non-partitioned devices, leading to further lockdep splatter.
+
+Fixes: b0140891a8ce ("md: Fix race when creating a new md device.")
+Fixes: d62633873590 ("block: support delayed holder registration")
+Reported-by: syzbot+fadc0aaf497e6a493b9f@syzkaller.appspotmail.com
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Tested-by: syzbot+fadc0aaf497e6a493b9f@syzkaller.appspotmail.com
+Reviewed-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 761d43829b2b..c178b2f406de 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -5535,10 +5535,6 @@ static int md_alloc(dev_t dev, char *name)
+        */
+       disk->flags |= GENHD_FL_EXT_DEVT;
+       mddev->gendisk = disk;
+-      /* As soon as we call add_disk(), another thread could get
+-       * through to md_open, so make sure it doesn't get too far
+-       */
+-      mutex_lock(&mddev->open_mutex);
+       add_disk(disk);
+       error = kobject_add(&mddev->kobj, &disk_to_dev(disk)->kobj, "%s", "md");
+@@ -5553,7 +5549,6 @@ static int md_alloc(dev_t dev, char *name)
+       if (mddev->kobj.sd &&
+           sysfs_create_group(&mddev->kobj, &md_bitmap_group))
+               pr_debug("pointless warning\n");
+-      mutex_unlock(&mddev->open_mutex);
+  abort:
+       mutex_unlock(&disks_mutex);
+       if (!error && mddev->kobj.sd) {
+-- 
+2.33.0
+
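Review bot: Dropping `mutex_lock(&mddev->open_mutex)` around `add_disk(disk)` also drops the only comment that explained the md_open() race, leaving the reader with no record of why no lock is needed here. A replacement comment above `add_disk(disk);`, e.g. `/* No open_mutex here: md_open() racing with add_disk() is harmless while the mddev->active reference is held, and taking it would invert the lock order with disk->open_mutex */`, carries the reasoning from the commit message into the code. The mddev->active claim is the commit author's and is not visible in the hunk, so confirm the reference is held across this point before wording it as a guarantee. md_alloc starts and ends outside these hunks.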
diff --git a/queue-5.4/net-6pack-fix-tx-timeout-and-slot-time.patch b/queue-5.4/net-6pack-fix-tx-timeout-and-slot-time.patch
new file mode 100644 (file)
index 0000000..e59b627
--- /dev/null
@@ -0,0 +1,59 @@
+From a7f362f271a5e417ca41e5e762e3c50bc8c2c3da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Sep 2021 20:57:43 -0700
+Subject: net: 6pack: Fix tx timeout and slot time
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 3c0d2a46c0141913dc6fd126c57d0615677d946e ]
+
+tx timeout and slot time are currently specified in units of HZ.  On
+Alpha, HZ is defined as 1024.  When building alpha:allmodconfig, this
+results in the following error message.
+
+  drivers/net/hamradio/6pack.c: In function 'sixpack_open':
+  drivers/net/hamradio/6pack.c:71:41: error:
+       unsigned conversion from 'int' to 'unsigned char'
+       changes value from '256' to '0'
+
+In the 6PACK protocol, tx timeout is specified in units of 10 ms and
+transmitted over the wire:
+
+    https://www.linux-ax25.org/wiki/6PACK
+
+Defining a value dependent on HZ doesn't really make sense, and
+presumably comes from the (very historical) situation where HZ was
+originally 100.
+
+Note that the SIXP_SLOTTIME use explicitly is about 10ms granularity:
+
+        mod_timer(&sp->tx_t, jiffies + ((when + 1) * HZ) / 100);
+
+and the SIXP_TXDELAY walue is sent as a byte over the wire.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/hamradio/6pack.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c
+index da13683d52d1..bd0beb16d68a 100644
+--- a/drivers/net/hamradio/6pack.c
++++ b/drivers/net/hamradio/6pack.c
+@@ -68,9 +68,9 @@
+ #define SIXP_DAMA_OFF         0
+ /* default level 2 parameters */
+-#define SIXP_TXDELAY                  (HZ/4)  /* in 1 s */
++#define SIXP_TXDELAY                  25      /* 250 ms */
+ #define SIXP_PERSIST                  50      /* in 256ths */
+-#define SIXP_SLOTTIME                 (HZ/10) /* in 1 s */
++#define SIXP_SLOTTIME                 10      /* 100 ms */
+ #define SIXP_INIT_RESYNC_TIMEOUT      (3*HZ/2) /* in 1 s */
+ #define SIXP_RESYNC_TIMEOUT           5*HZ    /* in 1 s */
+-- 
+2.33.0
+
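Review bot: The two remaining HZ-based macros right after the change, `SIXP_INIT_RESYNC_TIMEOUT (3*HZ/2) /* in 1 s */` and `SIXP_RESYNC_TIMEOUT 5*HZ /* in 1 s */`, keep the same misleading unit comment that the patch corrects for the two new values, so the block now mixes two conventions. Changing those comments to `/* jiffies */` would make the distinction explicit, on the presumption that they remain timer arguments unlike the protocol values now expressed in 10 ms units. `5*HZ` is also the only unparenthesised macro body in the group; `(5*HZ)` would match its neighbours. Whether any other user of SIXP_TXDELAY/SIXP_SLOTTIME still expects jiffies is not visible from this hunk.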
diff --git a/queue-5.4/net-i825xx-use-absolute_pointer-for-memcpy-from-fixe.patch b/queue-5.4/net-i825xx-use-absolute_pointer-for-memcpy-from-fixe.patch
new file mode 100644 (file)
index 0000000..e19cc24
--- /dev/null
@@ -0,0 +1,43 @@
+From 6c1b5c47aee490735a04c9c06a4e8a47a8f1fc66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 20:52:25 -0700
+Subject: net: i825xx: Use absolute_pointer for memcpy from fixed memory
+ location
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit dff2d13114f0beec448da9b3716204eb34b0cf41 ]
+
+gcc 11.x reports the following compiler warning/error.
+
+  drivers/net/ethernet/i825xx/82596.c: In function 'i82596_probe':
+  arch/m68k/include/asm/string.h:72:25: error:
+       '__builtin_memcpy' reading 6 bytes from a region of size 0 [-Werror=stringop-overread]
+
+Use absolute_pointer() to work around the problem.
+
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/i825xx/82596.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/i825xx/82596.c b/drivers/net/ethernet/i825xx/82596.c
+index 92929750f832..54d5b402b0e8 100644
+--- a/drivers/net/ethernet/i825xx/82596.c
++++ b/drivers/net/ethernet/i825xx/82596.c
+@@ -1155,7 +1155,7 @@ struct net_device * __init i82596_probe(int unit)
+                       err = -ENODEV;
+                       goto out;
+               }
+-              memcpy(eth_addr, (void *) 0xfffc1f2c, ETH_ALEN);        /* YUCK! Get addr from NOVRAM */
++              memcpy(eth_addr, absolute_pointer(0xfffc1f2c), ETH_ALEN); /* YUCK! Get addr from NOVRAM */
+               dev->base_addr = MVME_I596_BASE;
+               dev->irq = (unsigned) MVME16x_IRQ_I596;
+               goto found;
+-- 
+2.33.0
+
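Review bot: The rewritten `memcpy(eth_addr, absolute_pointer(0xfffc1f2c), ETH_ALEN)` keeps the raw NOVRAM address as a magic number next to the symbolic `MVME_I596_BASE` and `MVME16x_IRQ_I596` on the following lines. Giving the address a name (a `#define` beside the other MVME16x constants, with the meaning from the existing `/* YUCK! Get addr from NOVRAM */` comment attached to it) would make the absolute_pointer() call self-describing. i82596_probe starts and ends outside this hunk.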
diff --git a/queue-5.4/net-macb-fix-use-after-free-on-rmmod.patch b/queue-5.4/net-macb-fix-use-after-free-on-rmmod.patch
new file mode 100644 (file)
index 0000000..8d725c2
--- /dev/null
@@ -0,0 +1,44 @@
+From ab221aee6a81c0e68f3666693ca3d6f9b21bc4ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Sep 2021 12:02:32 -0700
+Subject: net: macb: fix use after free on rmmod
+
+From: Tong Zhang <ztong0001@gmail.com>
+
+[ Upstream commit d82d5303c4c539db86588ffb5dc5b26c3f1513e8 ]
+
+plat_dev->dev->platform_data is released by platform_device_unregister(),
+use of pclk and hclk is a use-after-free. Since device unregister won't
+need a clk device we adjust the function call sequence to fix this issue.
+
+[   31.261225] BUG: KASAN: use-after-free in macb_remove+0x77/0xc6 [macb_pci]
+[   31.275563] Freed by task 306:
+[   30.276782]  platform_device_release+0x25/0x80
+
+Suggested-by: Nicolas Ferre <Nicolas.Ferre@microchip.com>
+Signed-off-by: Tong Zhang <ztong0001@gmail.com>
+Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cadence/macb_pci.c b/drivers/net/ethernet/cadence/macb_pci.c
+index 617b3b728dd0..94f3babfad30 100644
+--- a/drivers/net/ethernet/cadence/macb_pci.c
++++ b/drivers/net/ethernet/cadence/macb_pci.c
+@@ -112,9 +112,9 @@ static void macb_remove(struct pci_dev *pdev)
+       struct platform_device *plat_dev = pci_get_drvdata(pdev);
+       struct macb_platform_data *plat_data = dev_get_platdata(&plat_dev->dev);
+-      platform_device_unregister(plat_dev);
+       clk_unregister(plat_data->pclk);
+       clk_unregister(plat_data->hclk);
++      platform_device_unregister(plat_dev);
+ }
+ static const struct pci_device_id dev_id_table[] = {
+-- 
+2.33.0
+
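Review bot: The reordering in macb_remove() fixes the use-after-free, but nothing in the function now records that `plat_data` is owned by `plat_dev` and dies with `platform_device_unregister(plat_dev)`, so a later tidy-up could reintroduce the bug simply by reordering the calls. A comment above `clk_unregister(plat_data->pclk);`, `/* plat_data lives in plat_dev's platform_data and is freed by platform_device_unregister(); release the clocks first */`, encodes the ordering constraint from the commit message. KASAN caught this once; a comment is cheaper than a second report.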
diff --git a/queue-5.4/net-stmmac-allow-csr-clock-of-300mhz.patch b/queue-5.4/net-stmmac-allow-csr-clock-of-300mhz.patch
new file mode 100644 (file)
index 0000000..4f332dc
--- /dev/null
@@ -0,0 +1,59 @@
+From 60af33f4902a75b36091cc53bcf8ca943e6f534d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Sep 2021 21:55:34 +0200
+Subject: net: stmmac: allow CSR clock of 300MHz
+
+From: Jesper Nilsson <jesper.nilsson@axis.com>
+
+[ Upstream commit 08dad2f4d541fcfe5e7bfda72cc6314bbfd2802f ]
+
+The Synopsys Ethernet IP uses the CSR clock as a base clock for MDC.
+The divisor used is set in the MAC_MDIO_Address register field CR
+(Clock Rate)
+
+The divisor is there to change the CSR clock into a clock that falls
+below the IEEE 802.3 specified max frequency of 2.5MHz.
+
+If the CSR clock is 300MHz, the code falls back to using the reset
+value in the MAC_MDIO_Address register, as described in the comment
+above this code.
+
+However, 300MHz is actually an allowed value and the proper divider
+can be estimated quite easily (it's just 1Hz difference!)
+
+A CSR frequency of 300MHz with the maximum clock rate value of 0x5
+(STMMAC_CSR_250_300M, a divisor of 124) gives somewhere around
+~2.42MHz which is below the IEEE 802.3 specified maximum.
+
+For the ARTPEC-8 SoC, the CSR clock is this problematic 300MHz,
+and unfortunately, the reset-value of the MAC_MDIO_Address CR field
+is 0x0.
+
+This leads to a clock rate of zero and a divisor of 42, and gives an
+MDC frequency of ~7.14MHz.
+
+Allow CSR clock of 300MHz by making the comparison inclusive.
+
+Signed-off-by: Jesper Nilsson <jesper.nilsson@axis.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index 4e7cfd3bfcd2..e09851c7da9b 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -225,7 +225,7 @@ static void stmmac_clk_csr_set(struct stmmac_priv *priv)
+                       priv->clk_csr = STMMAC_CSR_100_150M;
+               else if ((clk_rate >= CSR_F_150M) && (clk_rate < CSR_F_250M))
+                       priv->clk_csr = STMMAC_CSR_150_250M;
+-              else if ((clk_rate >= CSR_F_250M) && (clk_rate < CSR_F_300M))
++              else if ((clk_rate >= CSR_F_250M) && (clk_rate <= CSR_F_300M))
+                       priv->clk_csr = STMMAC_CSR_250_300M;
+       }
+-- 
+2.33.0
+
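Review bot: The inclusive `clk_rate <= CSR_F_300M` bound is justified by the commit message, but that message also says a comment above this chain describes the fallback to the register reset value when the clock is out of range; that comment lies outside the hunk and, if it names 300MHz as the exclusive limit, it is now stale and should be re-checked. A brief `/* 300MHz inclusive: divisor 124 still gives ~2.42MHz, under the IEEE 802.3 2.5MHz limit */` on the changed line would also explain why this bound differs in form from the `<` used by the neighbouring branches. stmmac_clk_csr_set starts and ends outside this hunk.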
diff --git a/queue-5.4/nvme-multipath-fix-ana-state-updates-when-a-namespac.patch b/queue-5.4/nvme-multipath-fix-ana-state-updates-when-a-namespac.patch
new file mode 100644 (file)
index 0000000..d861826
--- /dev/null
@@ -0,0 +1,61 @@
+From b6c24ffcf8344d5b8724c67f9c079bd01be5b720 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Sep 2021 12:54:57 -0600
+Subject: nvme-multipath: fix ANA state updates when a namespace is not present
+
+From: Anton Eidelman <anton.eidelman@gmail.com>
+
+[ Upstream commit 79f528afa93918519574773ea49a444c104bc1bd ]
+
+nvme_update_ana_state() has a deficiency that results in a failure to
+properly update the ana state for a namespace in the following case:
+
+  NSIDs in ctrl->namespaces:   1, 3,    4
+  NSIDs in desc->nsids:                1, 2, 3, 4
+
+Loop iteration 0:
+    ns index = 0, n = 0, ns->head->ns_id = 1, nsid = 1, MATCH.
+Loop iteration 1:
+    ns index = 1, n = 1, ns->head->ns_id = 3, nsid = 2, NO MATCH.
+Loop iteration 2:
+    ns index = 2, n = 2, ns->head->ns_id = 4, nsid = 4, MATCH.
+
+Where the update to the ANA state of NSID 3 is missed.  To fix this
+increment n and retry the update with the same ns when ns->head->ns_id is
+higher than nsid,
+
+Signed-off-by: Anton Eidelman <anton@lightbitslabs.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/multipath.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c
+index 590b040e90a3..016a67fd4198 100644
+--- a/drivers/nvme/host/multipath.c
++++ b/drivers/nvme/host/multipath.c
+@@ -522,14 +522,17 @@ static int nvme_update_ana_state(struct nvme_ctrl *ctrl,
+       down_read(&ctrl->namespaces_rwsem);
+       list_for_each_entry(ns, &ctrl->namespaces, list) {
+-              unsigned nsid = le32_to_cpu(desc->nsids[n]);
+-
++              unsigned nsid;
++again:
++              nsid = le32_to_cpu(desc->nsids[n]);
+               if (ns->head->ns_id < nsid)
+                       continue;
+               if (ns->head->ns_id == nsid)
+                       nvme_update_ns_ana_state(desc, ns);
+               if (++n == nr_nsids)
+                       break;
++              if (ns->head->ns_id > nsid)
++                      goto again;
+       }
+       up_read(&ctrl->namespaces_rwsem);
+       return 0;
+-- 
+2.33.0
+
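Review bot: The new `again:` label and backwards `goto again` make nvme_update_ana_state() depend on both ctrl->namespaces and desc->nsids being sorted in ascending NSID order, and the hunk does not say so; if either order were ever violated the `<`/`>` comparisons would silently skip updates. A comment above the loop, `/* Both lists are sorted by NSID: advance n past descriptor NSIDs that have no namespace here, and skip namespaces absent from the descriptor */`, states that precondition and explains why the goto exists. The sort-order requirement is inferred from the comparisons rather than shown in the hunk, so confirm it against where the two lists are built. nvme_update_ana_state starts outside this hunk.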
diff --git a/queue-5.4/parisc-use-absolute_pointer-to-define-page0.patch b/queue-5.4/parisc-use-absolute_pointer-to-define-page0.patch
new file mode 100644 (file)
index 0000000..5243c58
--- /dev/null
@@ -0,0 +1,38 @@
+From 798ca6e5e43d40d05bc670b19c4b398a4612ee77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Sep 2021 08:35:42 +0200
+Subject: parisc: Use absolute_pointer() to define PAGE0
+
+From: Helge Deller <deller@gmx.de>
+
+[ Upstream commit 90cc7bed1ed19f869ae7221a6b41887fe762a6a3 ]
+
+Use absolute_pointer() wrapper for PAGE0 to avoid this compiler warning:
+
+  arch/parisc/kernel/setup.c: In function 'start_parisc':
+  error: '__builtin_memcmp_eq' specified bound 8 exceeds source size 0
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Co-Developed-by: Guenter Roeck <linux@roeck-us.net>
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/parisc/include/asm/page.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/parisc/include/asm/page.h b/arch/parisc/include/asm/page.h
+index 93caf17ac5e2..9ebf3b0413d5 100644
+--- a/arch/parisc/include/asm/page.h
++++ b/arch/parisc/include/asm/page.h
+@@ -181,7 +181,7 @@ extern int npmem_ranges;
+ #include <asm-generic/getorder.h>
+ #include <asm/pdc.h>
+-#define PAGE0   ((struct zeropage *)__PAGE_OFFSET)
++#define PAGE0   ((struct zeropage *)absolute_pointer(__PAGE_OFFSET))
+ /* DEFINITION OF THE ZERO-PAGE (PAG0) */
+ /* based on work by Jason Eckhardt (jason@equator.com) */
+-- 
+2.33.0
+
diff --git a/queue-5.4/qnx4-avoid-stringop-overread-errors.patch b/queue-5.4/qnx4-avoid-stringop-overread-errors.patch
new file mode 100644 (file)
index 0000000..06e1793
--- /dev/null
@@ -0,0 +1,134 @@
+From 6ba61e3553152e26de95667c7a419a252b04a60e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Sep 2021 13:56:37 -0700
+Subject: qnx4: avoid stringop-overread errors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+[ Upstream commit b7213ffa0e585feb1aee3e7173e965e66ee0abaa ]
+
+The qnx4 directory entries are 64-byte blocks that have different
+contents depending on the a status byte that is in the last byte of the
+block.
+
+In particular, a directory entry can be either a "link info" entry with
+a 48-byte name and pointers to the real inode information, or an "inode
+entry" with a smaller 16-byte name and the full inode information.
+
+But the code was written to always just treat the directory name as if
+it was part of that "inode entry", and just extend the name to the
+longer case if the status byte said it was a link entry.
+
+That work just fine and gives the right results, but now that gcc is
+tracking data structure accesses much more, the code can trigger a
+compiler error about using up to 48 bytes (the long name) in a structure
+that only has that shorter name in it:
+
+   fs/qnx4/dir.c: In function ‘qnx4_readdir’:
+   fs/qnx4/dir.c:51:32: error: ‘strnlen’ specified bound 48 exceeds source size 16 [-Werror=stringop-overread]
+      51 |                         size = strnlen(de->di_fname, size);
+         |                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~
+   In file included from fs/qnx4/qnx4.h:3,
+                    from fs/qnx4/dir.c:16:
+   include/uapi/linux/qnx4_fs.h:45:25: note: source object declared here
+      45 |         char            di_fname[QNX4_SHORT_NAME_MAX];
+         |                         ^~~~~~~~
+
+which is because the source code doesn't really make this whole "one of
+two different types" explicit.
+
+Fix this by introducing a very explicit union of the two types, and
+basically explaining to the compiler what is really going on.
+
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/qnx4/dir.c | 51 ++++++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 34 insertions(+), 17 deletions(-)
+
+diff --git a/fs/qnx4/dir.c b/fs/qnx4/dir.c
+index a6ee23aadd28..2a66844b7ff8 100644
+--- a/fs/qnx4/dir.c
++++ b/fs/qnx4/dir.c
+@@ -15,13 +15,27 @@
+ #include <linux/buffer_head.h>
+ #include "qnx4.h"
++/*
++ * A qnx4 directory entry is an inode entry or link info
++ * depending on the status field in the last byte. The
++ * first byte is where the name start either way, and a
++ * zero means it's empty.
++ */
++union qnx4_directory_entry {
++      struct {
++              char de_name;
++              char de_pad[62];
++              char de_status;
++      };
++      struct qnx4_inode_entry inode;
++      struct qnx4_link_info link;
++};
++
+ static int qnx4_readdir(struct file *file, struct dir_context *ctx)
+ {
+       struct inode *inode = file_inode(file);
+       unsigned int offset;
+       struct buffer_head *bh;
+-      struct qnx4_inode_entry *de;
+-      struct qnx4_link_info *le;
+       unsigned long blknum;
+       int ix, ino;
+       int size;
+@@ -38,27 +52,30 @@ static int qnx4_readdir(struct file *file, struct dir_context *ctx)
+               }
+               ix = (ctx->pos >> QNX4_DIR_ENTRY_SIZE_BITS) % QNX4_INODES_PER_BLOCK;
+               for (; ix < QNX4_INODES_PER_BLOCK; ix++, ctx->pos += QNX4_DIR_ENTRY_SIZE) {
++                      union qnx4_directory_entry *de;
++                      const char *name;
++
+                       offset = ix * QNX4_DIR_ENTRY_SIZE;
+-                      de = (struct qnx4_inode_entry *) (bh->b_data + offset);
+-                      if (!de->di_fname[0])
++                      de = (union qnx4_directory_entry *) (bh->b_data + offset);
++
++                      if (!de->de_name)
+                               continue;
+-                      if (!(de->di_status & (QNX4_FILE_USED|QNX4_FILE_LINK)))
++                      if (!(de->de_status & (QNX4_FILE_USED|QNX4_FILE_LINK)))
+                               continue;
+-                      if (!(de->di_status & QNX4_FILE_LINK))
+-                              size = QNX4_SHORT_NAME_MAX;
+-                      else
+-                              size = QNX4_NAME_MAX;
+-                      size = strnlen(de->di_fname, size);
+-                      QNX4DEBUG((KERN_INFO "qnx4_readdir:%.*s\n", size, de->di_fname));
+-                      if (!(de->di_status & QNX4_FILE_LINK))
++                      if (!(de->de_status & QNX4_FILE_LINK)) {
++                              size = sizeof(de->inode.di_fname);
++                              name = de->inode.di_fname;
+                               ino = blknum * QNX4_INODES_PER_BLOCK + ix - 1;
+-                      else {
+-                              le  = (struct qnx4_link_info*)de;
+-                              ino = ( le32_to_cpu(le->dl_inode_blk) - 1 ) *
++                      } else {
++                              size = sizeof(de->link.dl_fname);
++                              name = de->link.dl_fname;
++                              ino = ( le32_to_cpu(de->link.dl_inode_blk) - 1 ) *
+                                       QNX4_INODES_PER_BLOCK +
+-                                      le->dl_inode_ndx;
++                                      de->link.dl_inode_ndx;
+                       }
+-                      if (!dir_emit(ctx, de->di_fname, size, ino, DT_UNKNOWN)) {
++                      size = strnlen(name, size);
++                      QNX4DEBUG((KERN_INFO "qnx4_readdir:%.*s\n", size, name));
++                      if (!dir_emit(ctx, name, size, ino, DT_UNKNOWN)) {
+                               brelse(bh);
+                               return 0;
+                       }
+-- 
+2.33.0
+
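Review bot: The new `union qnx4_directory_entry` encodes the on-disk layout by hand (`de_name` + `de_pad[62]` + `de_status`) and relies on `de_status` landing on the last byte of a QNX4_DIR_ENTRY_SIZE-byte entry, but nothing checks that those three members stay the same size as the `struct qnx4_inode_entry` and `struct qnx4_link_info` layouts they alias. A compile-time check at the top of qnx4_readdir(), `BUILD_BUG_ON(sizeof(union qnx4_directory_entry) != QNX4_DIR_ENTRY_SIZE);` and `BUILD_BUG_ON(offsetof(union qnx4_directory_entry, de_status) != QNX4_DIR_ENTRY_SIZE - 1);`, would turn a future header change into a build failure instead of a mis-parsed directory. That QNX4_DIR_ENTRY_SIZE is the entry size in bytes is inferred from its use in `offset = ix * QNX4_DIR_ENTRY_SIZE`. qnx4_readdir ends outside the second hunk.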
diff --git a/queue-5.4/scsi-iscsi-adjust-iface-sysfs-attr-detection.patch b/queue-5.4/scsi-iscsi-adjust-iface-sysfs-attr-detection.patch
new file mode 100644 (file)
index 0000000..4c9e76e
--- /dev/null
@@ -0,0 +1,53 @@
+From 0f20b976b7612bb18adff751ea0b38f211b09fa4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Sep 2021 16:53:36 +0800
+Subject: scsi: iscsi: Adjust iface sysfs attr detection
+
+From: Baokun Li <libaokun1@huawei.com>
+
+[ Upstream commit 4e28550829258f7dab97383acaa477bd724c0ff4 ]
+
+ISCSI_NET_PARAM_IFACE_ENABLE belongs to enum iscsi_net_param instead of
+iscsi_iface_param so move it to ISCSI_NET_PARAM. Otherwise, when we call
+into the driver, we might not match and return that we don't want attr
+visible in sysfs. Found in code review.
+
+Link: https://lore.kernel.org/r/20210901085336.2264295-1-libaokun1@huawei.com
+Fixes: e746f3451ec7 ("scsi: iscsi: Fix iface sysfs attr detection")
+Reviewed-by: Lee Duncan <lduncan@suse.com>
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_transport_iscsi.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
+index 77bba91b5714..6f21cb75d95f 100644
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -434,9 +434,7 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj,
+       struct iscsi_transport *t = iface->transport;
+       int param = -1;
+-      if (attr == &dev_attr_iface_enabled.attr)
+-              param = ISCSI_NET_PARAM_IFACE_ENABLE;
+-      else if (attr == &dev_attr_iface_def_taskmgmt_tmo.attr)
++      if (attr == &dev_attr_iface_def_taskmgmt_tmo.attr)
+               param = ISCSI_IFACE_PARAM_DEF_TASKMGMT_TMO;
+       else if (attr == &dev_attr_iface_header_digest.attr)
+               param = ISCSI_IFACE_PARAM_HDRDGST_EN;
+@@ -476,7 +474,9 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj,
+       if (param != -1)
+               return t->attr_is_visible(ISCSI_IFACE_PARAM, param);
+-      if (attr == &dev_attr_iface_vlan_id.attr)
++      if (attr == &dev_attr_iface_enabled.attr)
++              param = ISCSI_NET_PARAM_IFACE_ENABLE;
++      else if (attr == &dev_attr_iface_vlan_id.attr)
+               param = ISCSI_NET_PARAM_VLAN_ID;
+       else if (attr == &dev_attr_iface_vlan_priority.attr)
+               param = ISCSI_NET_PARAM_VLAN_PRIORITY;
+-- 
+2.33.0
+
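Review bot: After the move, iscsi_iface_attr_is_visible() has two `if`/`else if` chains that look identical but fill `param` from two different enums, iscsi_iface_param before `return t->attr_is_visible(ISCSI_IFACE_PARAM, param)` and iscsi_net_param after it, and nothing at the boundary says so; that is exactly how ISCSI_NET_PARAM_IFACE_ENABLE ended up in the wrong chain. A comment above the new `if (attr == &dev_attr_iface_enabled.attr)` line, `/* from here on param is an enum iscsi_net_param value, reported as ISCSI_NET_PARAM */`, would mark the switch. That the second chain ends in a matching ISCSI_NET_PARAM call is inferred from the pattern, as it lies outside the hunk. iscsi_iface_attr_is_visible starts and ends outside these hunks.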
diff --git a/queue-5.4/scsi-lpfc-use-correct-scnprintf-limit.patch b/queue-5.4/scsi-lpfc-use-correct-scnprintf-limit.patch
new file mode 100644 (file)
index 0000000..9ef5b98
--- /dev/null
@@ -0,0 +1,39 @@
+From ac3331b546155c9f6117dfb9327c6b0715410693 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Sep 2021 16:23:31 +0300
+Subject: scsi: lpfc: Use correct scnprintf() limit
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 6dacc371b77f473770ec646e220303a84fe96c11 ]
+
+The limit should be "PAGE_SIZE - len" instead of "PAGE_SIZE".  We're not
+going to hit the limit so this fix will not affect runtime.
+
+Link: https://lore.kernel.org/r/20210916132331.GE25094@kili
+Fixes: 5b9e70b22cc5 ("scsi: lpfc: raise sg count for nvme to use available sg resources")
+Reviewed-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_attr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_attr.c b/drivers/scsi/lpfc/lpfc_attr.c
+index 45db19e31b34..f0ecfe565660 100644
+--- a/drivers/scsi/lpfc/lpfc_attr.c
++++ b/drivers/scsi/lpfc/lpfc_attr.c
+@@ -5881,7 +5881,8 @@ lpfc_sg_seg_cnt_show(struct device *dev, struct device_attribute *attr,
+       len = scnprintf(buf, PAGE_SIZE, "SGL sz: %d  total SGEs: %d\n",
+                      phba->cfg_sg_dma_buf_size, phba->cfg_total_seg_cnt);
+-      len += scnprintf(buf + len, PAGE_SIZE, "Cfg: %d  SCSI: %d  NVME: %d\n",
++      len += scnprintf(buf + len, PAGE_SIZE - len,
++                      "Cfg: %d  SCSI: %d  NVME: %d\n",
+                       phba->cfg_sg_seg_cnt, phba->cfg_scsi_seg_cnt,
+                       phba->cfg_nvme_seg_cnt);
+       return len;
+-- 
+2.33.0
+
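Review bot: The `PAGE_SIZE - len` bound on the second scnprintf() is only safe because scnprintf() returns the number of bytes actually written (at most size - 1), never the would-be length that snprintf() reports; nothing in the hunk records that, and a later swap to snprintf() would silently reintroduce an out-of-bounds write. A comment on the first call would pin the invariant: `/* scnprintf() returns bytes written (< PAGE_SIZE), so PAGE_SIZE - len cannot underflow */`. The enclosing `lpfc_sg_seg_cnt_show()` starts before the hunk.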
diff --git a/queue-5.4/scsi-qla2xxx-restore-initiator-in-dual-mode.patch b/queue-5.4/scsi-qla2xxx-restore-initiator-in-dual-mode.patch
new file mode 100644 (file)
index 0000000..ebea2f9
--- /dev/null
@@ -0,0 +1,41 @@
+From 6acf9e4fc38ce1413441507fc2656bcb6ef126c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Sep 2021 18:32:39 +0300
+Subject: scsi: qla2xxx: Restore initiator in dual mode
+
+From: Dmitry Bogdanov <d.bogdanov@yadro.com>
+
+[ Upstream commit 5f8579038842d77e6ce05e1df6bf9dd493b0e3ef ]
+
+In dual mode in case of disabling the target, the whole port goes offline
+and initiator is turned off too.
+
+Fix restoring initiator mode after disabling target in dual mode.
+
+Link: https://lore.kernel.org/r/20210915153239.8035-1-d.bogdanov@yadro.com
+Fixes: 0645cb8350cd ("scsi: qla2xxx: Add mode control for each physical port")
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_init.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
+index 643b8ae36cbe..5dae7ac0d3ef 100644
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -6803,7 +6803,8 @@ qla2x00_abort_isp(scsi_qla_host_t *vha)
+                               return 0;
+                       break;
+               case QLA2XXX_INI_MODE_DUAL:
+-                      if (!qla_dual_mode_enabled(vha))
++                      if (!qla_dual_mode_enabled(vha) &&
++                          !qla_ini_mode_enabled(vha))
+                               return 0;
+                       break;
+               case QLA2XXX_INI_MODE_ENABLED:
+-- 
+2.33.0
+
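Review bot: The new `!qla_ini_mode_enabled(vha)` conjunct in the `QLA2XXX_INI_MODE_DUAL` case carries no comment, so the reason the port must stay up when only the target half of dual mode is disabled lives only in the commit message. I would add above the condition: `/* Disabling the target in dual mode leaves initiator mode active; keep the port online. */`. The enclosing `qla2x00_abort_isp()` and its switch both begin and continue outside the hunk.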
index 27fd7c59f6a623f1a4784983e3e20ad0f77288d8..5815c826ae1b8a2d3c3d3a2eb8239783a7f47d1f 100644 (file)
@@ -30,3 +30,34 @@ net-smc-add-missing-error-check-in-smc_clc_prfx_set.patch
 gpio-uniphier-fix-void-functions-to-remove-return-va.patch
 qed-rdma-don-t-wait-for-resources-under-hw-error-rec.patch
 net-mlx4_en-don-t-allow-arfs-for-encapsulated-packet.patch
+scsi-iscsi-adjust-iface-sysfs-attr-detection.patch
+tty-synclink_gt-drop-unneeded-forward-declarations.patch
+tty-synclink_gt-rename-a-conflicting-function-name.patch
+fpga-machxo2-spi-return-an-error-on-failure.patch
+fpga-machxo2-spi-fix-missing-error-code-in-machxo2_w.patch
+thermal-core-potential-buffer-overflow-in-thermal_bu.patch
+cifs-fix-a-sign-extension-bug.patch
+scsi-qla2xxx-restore-initiator-in-dual-mode.patch
+scsi-lpfc-use-correct-scnprintf-limit.patch
+irqchip-goldfish-pic-select-generic_irq_chip-to-fix-.patch
+irqchip-gic-v3-its-fix-potential-vpe-leak-on-error.patch
+md-fix-a-lock-order-reversal-in-md_alloc.patch
+blktrace-fix-uaf-in-blk_trace-access-after-removing-.patch
+net-macb-fix-use-after-free-on-rmmod.patch
+net-stmmac-allow-csr-clock-of-300mhz.patch
+m68k-double-cast-io-functions-to-unsigned-long.patch
+ipv6-delay-fib6_sernum-increase-in-fib6_add.patch
+bpf-add-oversize-check-before-call-kvcalloc.patch
+xen-balloon-use-a-kernel-thread-instead-a-workqueue.patch
+nvme-multipath-fix-ana-state-updates-when-a-namespac.patch
+sparc32-page-align-size-in-arch_dma_alloc.patch
+blk-cgroup-fix-uaf-by-grabbing-blkcg-lock-before-des.patch
+compiler.h-introduce-absolute_pointer-macro.patch
+net-i825xx-use-absolute_pointer-for-memcpy-from-fixe.patch
+sparc-avoid-stringop-overread-errors.patch
+qnx4-avoid-stringop-overread-errors.patch
+parisc-use-absolute_pointer-to-define-page0.patch
+arm64-mark-__stack_chk_guard-as-__ro_after_init.patch
+alpha-declare-virt_to_phys-and-virt_to_bus-parameter.patch
+net-6pack-fix-tx-timeout-and-slot-time.patch
+spi-fix-tegra20-build-with-config_pm-n.patch
diff --git a/queue-5.4/sparc-avoid-stringop-overread-errors.patch b/queue-5.4/sparc-avoid-stringop-overread-errors.patch
new file mode 100644 (file)
index 0000000..99a1bd3
--- /dev/null
@@ -0,0 +1,65 @@
+From 6ce53f7562a377e4cb151add6b6133ecdeb985c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Sep 2021 16:06:04 -0700
+Subject: sparc: avoid stringop-overread errors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+[ Upstream commit fc7c028dcdbfe981bca75d2a7b95f363eb691ef3 ]
+
+The sparc mdesc code does pointer games with 'struct mdesc_hdr', but
+didn't describe to the compiler how that header is then followed by the
+data that the header describes.
+
+As a result, gcc is now unhappy since it does stricter pointer range
+tracking, and doesn't understand about how these things work.  This
+results in various errors like:
+
+    arch/sparc/kernel/mdesc.c: In function ‘mdesc_node_by_name’:
+    arch/sparc/kernel/mdesc.c:647:22: error: ‘strcmp’ reading 1 or more bytes from a region of size 0 [-Werror=stringop-overread]
+      647 |                 if (!strcmp(names + ep[ret].name_offset, name))
+          |                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+which are easily avoided by just describing 'struct mdesc_hdr' better,
+and making the node_block() helper function look into that unsized
+data[] that follows the header.
+
+This makes the sparc64 build happy again at least for my cross-compiler
+version (gcc version 11.2.1).
+
+Link: https://lore.kernel.org/lkml/CAHk-=wi4NW3NC0xWykkw=6LnjQD6D_rtRtxY9g8gQAJXtQMi8A@mail.gmail.com/
+Cc: Guenter Roeck <linux@roeck-us.net>
+Cc: David S. Miller <davem@davemloft.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sparc/kernel/mdesc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/sparc/kernel/mdesc.c b/arch/sparc/kernel/mdesc.c
+index 8e645ddac58e..30f171b7b00c 100644
+--- a/arch/sparc/kernel/mdesc.c
++++ b/arch/sparc/kernel/mdesc.c
+@@ -39,6 +39,7 @@ struct mdesc_hdr {
+       u32     node_sz; /* node block size */
+       u32     name_sz; /* name block size */
+       u32     data_sz; /* data block size */
++      char    data[];
+ } __attribute__((aligned(16)));
+ struct mdesc_elem {
+@@ -612,7 +613,7 @@ EXPORT_SYMBOL(mdesc_get_node_info);
+ static struct mdesc_elem *node_block(struct mdesc_hdr *mdesc)
+ {
+-      return (struct mdesc_elem *) (mdesc + 1);
++      return (struct mdesc_elem *) mdesc->data;
+ }
+ static void *name_block(struct mdesc_hdr *mdesc)
+-- 
+2.33.0
+
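Review bot: The new `char data[]` member is the only field of `struct mdesc_hdr` without a trailing comment, while its siblings document their meaning; I would write `char    data[];  /* variable-length blocks sized by the three fields above */`. Only `node_block()` is converted in the hunk; `name_block()` starts right after it and any sibling accessor that still derives its pointer from `mdesc + 1` rather than from `mdesc->data` may presumably trigger the same stringop-overread diagnostic, which is worth confirming against the rest of the file.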
diff --git a/queue-5.4/sparc32-page-align-size-in-arch_dma_alloc.patch b/queue-5.4/sparc32-page-align-size-in-arch_dma_alloc.patch
new file mode 100644 (file)
index 0000000..5c74d40
--- /dev/null
@@ -0,0 +1,40 @@
+From 575fabb2ee3efdcb62a23c118bb49523ecf140eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Sep 2021 09:48:22 +0200
+Subject: sparc32: page align size in arch_dma_alloc
+
+From: Andreas Larsson <andreas@gaisler.com>
+
+[ Upstream commit 59583f747664046aaae5588d56d5954fab66cce8 ]
+
+Commit 53b7670e5735 ("sparc: factor the dma coherent mapping into
+helper") lost the page align for the calls to dma_make_coherent and
+srmmu_unmapiorange. The latter cannot handle a non page aligned len
+argument.
+
+Signed-off-by: Andreas Larsson <andreas@gaisler.com>
+Reviewed-by: Sam Ravnborg <sam@ravnborg.org>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sparc/kernel/ioport.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/sparc/kernel/ioport.c b/arch/sparc/kernel/ioport.c
+index f89603855f1e..b87e0002131d 100644
+--- a/arch/sparc/kernel/ioport.c
++++ b/arch/sparc/kernel/ioport.c
+@@ -356,7 +356,9 @@ err_nomem:
+ void arch_dma_free(struct device *dev, size_t size, void *cpu_addr,
+               dma_addr_t dma_addr, unsigned long attrs)
+ {
+-      if (!sparc_dma_free_resource(cpu_addr, PAGE_ALIGN(size)))
++      size = PAGE_ALIGN(size);
++
++      if (!sparc_dma_free_resource(cpu_addr, size))
+               return;
+       dma_make_coherent(dma_addr, size);
+-- 
+2.33.0
+
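Review bot: The added `size = PAGE_ALIGN(size);` has no comment explaining why the parameter is rewritten before the first call, so a reader of the file alone cannot tell that one of the callees requires a page-aligned length. A short why-comment would do: `/* srmmu_unmapiorange() cannot handle a non-page-aligned length; align once for every callee. */`. `arch_dma_free()` continues past the hunk, so the remaining callers of `size` (including the srmmu_unmapiorange() call named in the commit message) are not visible here.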
diff --git a/queue-5.4/spi-fix-tegra20-build-with-config_pm-n.patch b/queue-5.4/spi-fix-tegra20-build-with-config_pm-n.patch
new file mode 100644 (file)
index 0000000..43cefa9
--- /dev/null
@@ -0,0 +1,59 @@
+From 50fe3ffa5ab3a67388c8cb03131712d37facb13b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Sep 2021 10:05:06 -0700
+Subject: spi: Fix tegra20 build with CONFIG_PM=n
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+[ Upstream commit efafec27c5658ed987e720130772f8933c685e87 ]
+
+Without CONFIG_PM enabled, the SET_RUNTIME_PM_OPS() macro ends up being
+empty, and the only use of tegra_slink_runtime_{resume,suspend} goes
+away, resulting in
+
+  drivers/spi/spi-tegra20-slink.c:1200:12: error: ‘tegra_slink_runtime_resume’ defined but not used [-Werror=unused-function]
+   1200 | static int tegra_slink_runtime_resume(struct device *dev)
+        |            ^~~~~~~~~~~~~~~~~~~~~~~~~~
+  drivers/spi/spi-tegra20-slink.c:1188:12: error: ‘tegra_slink_runtime_suspend’ defined but not used [-Werror=unused-function]
+   1188 | static int tegra_slink_runtime_suspend(struct device *dev)
+        |            ^~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+mark the functions __maybe_unused to make the build happy.
+
+This hits the alpha allmodconfig build (and others).
+
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-tegra20-slink.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-tegra20-slink.c b/drivers/spi/spi-tegra20-slink.c
+index 2a1905c43a0b..9b59539c8735 100644
+--- a/drivers/spi/spi-tegra20-slink.c
++++ b/drivers/spi/spi-tegra20-slink.c
+@@ -1205,7 +1205,7 @@ static int tegra_slink_resume(struct device *dev)
+ }
+ #endif
+-static int tegra_slink_runtime_suspend(struct device *dev)
++static int __maybe_unused tegra_slink_runtime_suspend(struct device *dev)
+ {
+       struct spi_master *master = dev_get_drvdata(dev);
+       struct tegra_slink_data *tspi = spi_master_get_devdata(master);
+@@ -1217,7 +1217,7 @@ static int tegra_slink_runtime_suspend(struct device *dev)
+       return 0;
+ }
+-static int tegra_slink_runtime_resume(struct device *dev)
++static int __maybe_unused tegra_slink_runtime_resume(struct device *dev)
+ {
+       struct spi_master *master = dev_get_drvdata(dev);
+       struct tegra_slink_data *tspi = spi_master_get_devdata(master);
+-- 
+2.33.0
+
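Review bot: Both `__maybe_unused` annotations are unexplained in the source, and the surrounding suspend/resume helpers sit under an `#ifdef` that ends just above (L1795), so a later cleanup could easily move these two under the same guard and break the `CONFIG_PM=n` build again. A comment on the first of the two functions would preserve the reasoning: `/* Referenced only via SET_RUNTIME_PM_OPS(), which expands to nothing when CONFIG_PM=n. */`. Both function bodies continue outside the hunks.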
diff --git a/queue-5.4/thermal-core-potential-buffer-overflow-in-thermal_bu.patch b/queue-5.4/thermal-core-potential-buffer-overflow-in-thermal_bu.patch
new file mode 100644 (file)
index 0000000..b44466b
--- /dev/null
@@ -0,0 +1,52 @@
+From 185376edb9ac0b771f3a692e5f65ebf6739b71fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Sep 2021 16:13:42 +0300
+Subject: thermal/core: Potential buffer overflow in
+ thermal_build_list_of_policies()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 1bb30b20b49773369c299d4d6c65227201328663 ]
+
+After printing the list of thermal governors, then this function prints
+a newline character.  The problem is that "size" has not been updated
+after printing the last governor.  This means that it can write one
+character (the NUL terminator) beyond the end of the buffer.
+
+Get rid of the "size" variable and just use "PAGE_SIZE - count" directly.
+
+Fixes: 1b4f48494eb2 ("thermal: core: group functions related to governor handling")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lore.kernel.org/r/20210916131342.GB25094@kili
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/thermal_core.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
+index f526ce31f5a2..20eab56b02cb 100644
+--- a/drivers/thermal/thermal_core.c
++++ b/drivers/thermal/thermal_core.c
+@@ -228,15 +228,14 @@ int thermal_build_list_of_policies(char *buf)
+ {
+       struct thermal_governor *pos;
+       ssize_t count = 0;
+-      ssize_t size = PAGE_SIZE;
+       mutex_lock(&thermal_governor_lock);
+       list_for_each_entry(pos, &thermal_governor_list, governor_list) {
+-              size = PAGE_SIZE - count;
+-              count += scnprintf(buf + count, size, "%s ", pos->name);
++              count += scnprintf(buf + count, PAGE_SIZE - count, "%s ",
++                                 pos->name);
+       }
+-      count += scnprintf(buf + count, size, "\n");
++      count += scnprintf(buf + count, PAGE_SIZE - count, "\n");
+       mutex_unlock(&thermal_governor_lock);
+-- 
+2.33.0
+
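Review bot: `thermal_build_list_of_policies(char *buf)` takes no length argument, so after this fix the correctness of every `PAGE_SIZE - count` bound still rests on an implicit contract that the caller hands in a PAGE_SIZE buffer; that contract should be stated on the function, e.g. `/* @buf must hold at least PAGE_SIZE bytes; the bound is not passed in. */`. Note also that `count` is `ssize_t` while `PAGE_SIZE - count` is evaluated as `unsigned long`; this is safe only because scnprintf() never lets `count` reach PAGE_SIZE, which is worth a one-line comment at the first call. The function's tail (the return of `count`) lies past the hunk.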
diff --git a/queue-5.4/tty-synclink_gt-drop-unneeded-forward-declarations.patch b/queue-5.4/tty-synclink_gt-drop-unneeded-forward-declarations.patch
new file mode 100644 (file)
index 0000000..ec9127a
--- /dev/null
@@ -0,0 +1,154 @@
+From cd6ae09e1f880c0ad2b81dea3602adc431304ca5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Mar 2021 07:22:09 +0100
+Subject: tty: synclink_gt, drop unneeded forward declarations
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+[ Upstream commit b9b90fe655c0bd816847ac1bcbf179cfa2981ecb ]
+
+Forward declarations make the code larger and rewrites harder. Harder as
+they are often omitted from global changes. Remove forward declarations
+which are not really needed, i.e. the definition of the function is
+before its first use.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Link: https://lore.kernel.org/r/20210302062214.29627-39-jslaby@suse.cz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/synclink_gt.c | 57 +--------------------------------------
+ 1 file changed, 1 insertion(+), 56 deletions(-)
+
+diff --git a/drivers/tty/synclink_gt.c b/drivers/tty/synclink_gt.c
+index 36f1a4d870eb..4ef84ed54ea5 100644
+--- a/drivers/tty/synclink_gt.c
++++ b/drivers/tty/synclink_gt.c
+@@ -137,37 +137,14 @@ MODULE_PARM_DESC(maxframe, "Maximum frame size used by device (4096 to 65535)");
+  */
+ static struct tty_driver *serial_driver;
+-static int  open(struct tty_struct *tty, struct file * filp);
+-static void close(struct tty_struct *tty, struct file * filp);
+-static void hangup(struct tty_struct *tty);
+-static void set_termios(struct tty_struct *tty, struct ktermios *old_termios);
+-
+-static int  write(struct tty_struct *tty, const unsigned char *buf, int count);
+-static int put_char(struct tty_struct *tty, unsigned char ch);
+-static void send_xchar(struct tty_struct *tty, char ch);
+ static void wait_until_sent(struct tty_struct *tty, int timeout);
+-static int  write_room(struct tty_struct *tty);
+-static void flush_chars(struct tty_struct *tty);
+ static void flush_buffer(struct tty_struct *tty);
+-static void tx_hold(struct tty_struct *tty);
+ static void tx_release(struct tty_struct *tty);
+-static int  ioctl(struct tty_struct *tty, unsigned int cmd, unsigned long arg);
+-static int  chars_in_buffer(struct tty_struct *tty);
+-static void throttle(struct tty_struct * tty);
+-static void unthrottle(struct tty_struct * tty);
+-static int set_break(struct tty_struct *tty, int break_state);
+-
+ /*
+- * generic HDLC support and callbacks
++ * generic HDLC support
+  */
+-#if SYNCLINK_GENERIC_HDLC
+ #define dev_to_port(D) (dev_to_hdlc(D)->priv)
+-static void hdlcdev_tx_done(struct slgt_info *info);
+-static void hdlcdev_rx(struct slgt_info *info, char *buf, int size);
+-static int  hdlcdev_init(struct slgt_info *info);
+-static void hdlcdev_exit(struct slgt_info *info);
+-#endif
+ /*
+@@ -186,9 +163,6 @@ struct cond_wait {
+       wait_queue_entry_t wait;
+       unsigned int data;
+ };
+-static void init_cond_wait(struct cond_wait *w, unsigned int data);
+-static void add_cond_wait(struct cond_wait **head, struct cond_wait *w);
+-static void remove_cond_wait(struct cond_wait **head, struct cond_wait *w);
+ static void flush_cond_wait(struct cond_wait **head);
+ /*
+@@ -443,12 +417,8 @@ static void shutdown(struct slgt_info *info);
+ static void program_hw(struct slgt_info *info);
+ static void change_params(struct slgt_info *info);
+-static int  register_test(struct slgt_info *info);
+-static int  irq_test(struct slgt_info *info);
+-static int  loopback_test(struct slgt_info *info);
+ static int  adapter_test(struct slgt_info *info);
+-static void reset_adapter(struct slgt_info *info);
+ static void reset_port(struct slgt_info *info);
+ static void async_mode(struct slgt_info *info);
+ static void sync_mode(struct slgt_info *info);
+@@ -457,14 +427,12 @@ static void rx_stop(struct slgt_info *info);
+ static void rx_start(struct slgt_info *info);
+ static void reset_rbufs(struct slgt_info *info);
+ static void free_rbufs(struct slgt_info *info, unsigned int first, unsigned int last);
+-static void rdma_reset(struct slgt_info *info);
+ static bool rx_get_frame(struct slgt_info *info);
+ static bool rx_get_buf(struct slgt_info *info);
+ static void tx_start(struct slgt_info *info);
+ static void tx_stop(struct slgt_info *info);
+ static void tx_set_idle(struct slgt_info *info);
+-static unsigned int free_tbuf_count(struct slgt_info *info);
+ static unsigned int tbuf_bytes(struct slgt_info *info);
+ static void reset_tbufs(struct slgt_info *info);
+ static void tdma_reset(struct slgt_info *info);
+@@ -472,26 +440,10 @@ static bool tx_load(struct slgt_info *info, const char *buf, unsigned int count)
+ static void get_signals(struct slgt_info *info);
+ static void set_signals(struct slgt_info *info);
+-static void enable_loopback(struct slgt_info *info);
+ static void set_rate(struct slgt_info *info, u32 data_rate);
+-static int  bh_action(struct slgt_info *info);
+-static void bh_handler(struct work_struct *work);
+ static void bh_transmit(struct slgt_info *info);
+-static void isr_serial(struct slgt_info *info);
+-static void isr_rdma(struct slgt_info *info);
+ static void isr_txeom(struct slgt_info *info, unsigned short status);
+-static void isr_tdma(struct slgt_info *info);
+-
+-static int  alloc_dma_bufs(struct slgt_info *info);
+-static void free_dma_bufs(struct slgt_info *info);
+-static int  alloc_desc(struct slgt_info *info);
+-static void free_desc(struct slgt_info *info);
+-static int  alloc_bufs(struct slgt_info *info, struct slgt_desc *bufs, int count);
+-static void free_bufs(struct slgt_info *info, struct slgt_desc *bufs, int count);
+-
+-static int  alloc_tmp_rbuf(struct slgt_info *info);
+-static void free_tmp_rbuf(struct slgt_info *info);
+ static void tx_timeout(struct timer_list *t);
+ static void rx_timeout(struct timer_list *t);
+@@ -509,10 +461,6 @@ static int  tx_abort(struct slgt_info *info);
+ static int  rx_enable(struct slgt_info *info, int enable);
+ static int  modem_input_wait(struct slgt_info *info,int arg);
+ static int  wait_mgsl_event(struct slgt_info *info, int __user *mask_ptr);
+-static int  tiocmget(struct tty_struct *tty);
+-static int  tiocmset(struct tty_struct *tty,
+-                              unsigned int set, unsigned int clear);
+-static int set_break(struct tty_struct *tty, int break_state);
+ static int  get_interface(struct slgt_info *info, int __user *if_mode);
+ static int  set_interface(struct slgt_info *info, int if_mode);
+ static int  set_gpio(struct slgt_info *info, struct gpio_desc __user *gpio);
+@@ -526,9 +474,6 @@ static int  set_xctrl(struct slgt_info *info, int if_mode);
+ /*
+  * driver functions
+  */
+-static void add_device(struct slgt_info *info);
+-static void device_init(int adapter_num, struct pci_dev *pdev);
+-static int  claim_resources(struct slgt_info *info);
+ static void release_resources(struct slgt_info *info);
+ /*
+-- 
+2.33.0
+
diff --git a/queue-5.4/tty-synclink_gt-rename-a-conflicting-function-name.patch b/queue-5.4/tty-synclink_gt-rename-a-conflicting-function-name.patch
new file mode 100644 (file)
index 0000000..d27bc62
--- /dev/null
@@ -0,0 +1,235 @@
+From 92ca76adcc39b991af415194e606d22212899888 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Sep 2021 17:38:06 -0700
+Subject: tty: synclink_gt: rename a conflicting function name
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 06e49073dfba24df4b1073a068631b13a0039c34 ]
+
+'set_signals()' in synclink_gt.c conflicts with an exported symbol
+in arch/um/, so change set_signals() to set_gtsignals(). Keep
+the function names similar by also changing get_signals() to
+get_gtsignals().
+
+../drivers/tty/synclink_gt.c:442:13: error: conflicting types for ‘set_signals’
+ static void set_signals(struct slgt_info *info);
+             ^~~~~~~~~~~
+In file included from ../include/linux/irqflags.h:16:0,
+                 from ../include/linux/spinlock.h:58,
+                 from ../include/linux/mm_types.h:9,
+                 from ../include/linux/buildid.h:5,
+                 from ../include/linux/module.h:14,
+                 from ../drivers/tty/synclink_gt.c:46:
+../arch/um/include/asm/irqflags.h:6:5: note: previous declaration of ‘set_signals’ was here
+ int set_signals(int enable);
+     ^~~~~~~~~~~
+
+Fixes: 705b6c7b34f2 ("[PATCH] new driver synclink_gt")
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Jiri Slaby <jirislaby@kernel.org>
+Cc: Paul Fulghum <paulkf@microgate.com>
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Link: https://lore.kernel.org/r/20210902003806.17054-1-rdunlap@infradead.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/synclink_gt.c | 44 +++++++++++++++++++--------------------
+ 1 file changed, 22 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/tty/synclink_gt.c b/drivers/tty/synclink_gt.c
+index 4ef84ed54ea5..ff345a8e0fcc 100644
+--- a/drivers/tty/synclink_gt.c
++++ b/drivers/tty/synclink_gt.c
+@@ -438,8 +438,8 @@ static void reset_tbufs(struct slgt_info *info);
+ static void tdma_reset(struct slgt_info *info);
+ static bool tx_load(struct slgt_info *info, const char *buf, unsigned int count);
+-static void get_signals(struct slgt_info *info);
+-static void set_signals(struct slgt_info *info);
++static void get_gtsignals(struct slgt_info *info);
++static void set_gtsignals(struct slgt_info *info);
+ static void set_rate(struct slgt_info *info, u32 data_rate);
+ static void bh_transmit(struct slgt_info *info);
+@@ -721,7 +721,7 @@ static void set_termios(struct tty_struct *tty, struct ktermios *old_termios)
+       if ((old_termios->c_cflag & CBAUD) && !C_BAUD(tty)) {
+               info->signals &= ~(SerialSignal_RTS | SerialSignal_DTR);
+               spin_lock_irqsave(&info->lock,flags);
+-              set_signals(info);
++              set_gtsignals(info);
+               spin_unlock_irqrestore(&info->lock,flags);
+       }
+@@ -731,7 +731,7 @@ static void set_termios(struct tty_struct *tty, struct ktermios *old_termios)
+               if (!C_CRTSCTS(tty) || !tty_throttled(tty))
+                       info->signals |= SerialSignal_RTS;
+               spin_lock_irqsave(&info->lock,flags);
+-              set_signals(info);
++              set_gtsignals(info);
+               spin_unlock_irqrestore(&info->lock,flags);
+       }
+@@ -1182,7 +1182,7 @@ static inline void line_info(struct seq_file *m, struct slgt_info *info)
+       /* output current serial signal states */
+       spin_lock_irqsave(&info->lock,flags);
+-      get_signals(info);
++      get_gtsignals(info);
+       spin_unlock_irqrestore(&info->lock,flags);
+       stat_buf[0] = 0;
+@@ -1282,7 +1282,7 @@ static void throttle(struct tty_struct * tty)
+       if (C_CRTSCTS(tty)) {
+               spin_lock_irqsave(&info->lock,flags);
+               info->signals &= ~SerialSignal_RTS;
+-              set_signals(info);
++              set_gtsignals(info);
+               spin_unlock_irqrestore(&info->lock,flags);
+       }
+ }
+@@ -1307,7 +1307,7 @@ static void unthrottle(struct tty_struct * tty)
+       if (C_CRTSCTS(tty)) {
+               spin_lock_irqsave(&info->lock,flags);
+               info->signals |= SerialSignal_RTS;
+-              set_signals(info);
++              set_gtsignals(info);
+               spin_unlock_irqrestore(&info->lock,flags);
+       }
+ }
+@@ -1479,7 +1479,7 @@ static int hdlcdev_open(struct net_device *dev)
+       /* inform generic HDLC layer of current DCD status */
+       spin_lock_irqsave(&info->lock, flags);
+-      get_signals(info);
++      get_gtsignals(info);
+       spin_unlock_irqrestore(&info->lock, flags);
+       if (info->signals & SerialSignal_DCD)
+               netif_carrier_on(dev);
+@@ -2235,7 +2235,7 @@ static void isr_txeom(struct slgt_info *info, unsigned short status)
+               if (info->params.mode != MGSL_MODE_ASYNC && info->drop_rts_on_tx_done) {
+                       info->signals &= ~SerialSignal_RTS;
+                       info->drop_rts_on_tx_done = false;
+-                      set_signals(info);
++                      set_gtsignals(info);
+               }
+ #if SYNCLINK_GENERIC_HDLC
+@@ -2400,7 +2400,7 @@ static void shutdown(struct slgt_info *info)
+       if (!info->port.tty || info->port.tty->termios.c_cflag & HUPCL) {
+               info->signals &= ~(SerialSignal_RTS | SerialSignal_DTR);
+-              set_signals(info);
++              set_gtsignals(info);
+       }
+       flush_cond_wait(&info->gpio_wait_q);
+@@ -2428,7 +2428,7 @@ static void program_hw(struct slgt_info *info)
+       else
+               async_mode(info);
+-      set_signals(info);
++      set_gtsignals(info);
+       info->dcd_chkcount = 0;
+       info->cts_chkcount = 0;
+@@ -2436,7 +2436,7 @@ static void program_hw(struct slgt_info *info)
+       info->dsr_chkcount = 0;
+       slgt_irq_on(info, IRQ_DCD | IRQ_CTS | IRQ_DSR | IRQ_RI);
+-      get_signals(info);
++      get_gtsignals(info);
+       if (info->netcount ||
+           (info->port.tty && info->port.tty->termios.c_cflag & CREAD))
+@@ -2680,7 +2680,7 @@ static int wait_mgsl_event(struct slgt_info *info, int __user *mask_ptr)
+       spin_lock_irqsave(&info->lock,flags);
+       /* return immediately if state matches requested events */
+-      get_signals(info);
++      get_gtsignals(info);
+       s = info->signals;
+       events = mask &
+@@ -3098,7 +3098,7 @@ static int tiocmget(struct tty_struct *tty)
+       unsigned long flags;
+       spin_lock_irqsave(&info->lock,flags);
+-      get_signals(info);
++      get_gtsignals(info);
+       spin_unlock_irqrestore(&info->lock,flags);
+       result = ((info->signals & SerialSignal_RTS) ? TIOCM_RTS:0) +
+@@ -3137,7 +3137,7 @@ static int tiocmset(struct tty_struct *tty,
+               info->signals &= ~SerialSignal_DTR;
+       spin_lock_irqsave(&info->lock,flags);
+-      set_signals(info);
++      set_gtsignals(info);
+       spin_unlock_irqrestore(&info->lock,flags);
+       return 0;
+ }
+@@ -3148,7 +3148,7 @@ static int carrier_raised(struct tty_port *port)
+       struct slgt_info *info = container_of(port, struct slgt_info, port);
+       spin_lock_irqsave(&info->lock,flags);
+-      get_signals(info);
++      get_gtsignals(info);
+       spin_unlock_irqrestore(&info->lock,flags);
+       return (info->signals & SerialSignal_DCD) ? 1 : 0;
+ }
+@@ -3163,7 +3163,7 @@ static void dtr_rts(struct tty_port *port, int on)
+               info->signals |= SerialSignal_RTS | SerialSignal_DTR;
+       else
+               info->signals &= ~(SerialSignal_RTS | SerialSignal_DTR);
+-      set_signals(info);
++      set_gtsignals(info);
+       spin_unlock_irqrestore(&info->lock,flags);
+ }
+@@ -3962,10 +3962,10 @@ static void tx_start(struct slgt_info *info)
+               if (info->params.mode != MGSL_MODE_ASYNC) {
+                       if (info->params.flags & HDLC_FLAG_AUTO_RTS) {
+-                              get_signals(info);
++                              get_gtsignals(info);
+                               if (!(info->signals & SerialSignal_RTS)) {
+                                       info->signals |= SerialSignal_RTS;
+-                                      set_signals(info);
++                                      set_gtsignals(info);
+                                       info->drop_rts_on_tx_done = true;
+                               }
+                       }
+@@ -4019,7 +4019,7 @@ static void reset_port(struct slgt_info *info)
+       rx_stop(info);
+       info->signals &= ~(SerialSignal_RTS | SerialSignal_DTR);
+-      set_signals(info);
++      set_gtsignals(info);
+       slgt_irq_off(info, IRQ_ALL | IRQ_MASTER);
+ }
+@@ -4441,7 +4441,7 @@ static void tx_set_idle(struct slgt_info *info)
+ /*
+  * get state of V24 status (input) signals
+  */
+-static void get_signals(struct slgt_info *info)
++static void get_gtsignals(struct slgt_info *info)
+ {
+       unsigned short status = rd_reg16(info, SSR);
+@@ -4503,7 +4503,7 @@ static void msc_set_vcr(struct slgt_info *info)
+ /*
+  * set state of V24 control (output) signals
+  */
+-static void set_signals(struct slgt_info *info)
++static void set_gtsignals(struct slgt_info *info)
+ {
+       unsigned char val = rd_reg8(info, VCR);
+       if (info->signals & SerialSignal_DTR)
+-- 
+2.33.0
+
diff --git a/queue-5.4/xen-balloon-use-a-kernel-thread-instead-a-workqueue.patch b/queue-5.4/xen-balloon-use-a-kernel-thread-instead-a-workqueue.patch
new file mode 100644 (file)
index 0000000..872b853
--- /dev/null
@@ -0,0 +1,195 @@
+From 076144fbe7ea9659561bf81090305328060a2e23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Aug 2021 14:32:06 +0200
+Subject: xen/balloon: use a kernel thread instead a workqueue
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit 8480ed9c2bbd56fc86524998e5f2e3e22f5038f6 ]
+
+Today the Xen ballooning is done via delayed work in a workqueue. This
+might result in workqueue hangups being reported in case of large
+amounts of memory are being ballooned in one go (here 16GB):
+
+BUG: workqueue lockup - pool cpus=6 node=0 flags=0x0 nice=0 stuck for 64s!
+Showing busy workqueues and worker pools:
+workqueue events: flags=0x0
+  pwq 12: cpus=6 node=0 flags=0x0 nice=0 active=2/256 refcnt=3
+    in-flight: 229:balloon_process
+    pending: cache_reap
+workqueue events_freezable_power_: flags=0x84
+  pwq 12: cpus=6 node=0 flags=0x0 nice=0 active=1/256 refcnt=2
+    pending: disk_events_workfn
+workqueue mm_percpu_wq: flags=0x8
+  pwq 12: cpus=6 node=0 flags=0x0 nice=0 active=1/256 refcnt=2
+    pending: vmstat_update
+pool 12: cpus=6 node=0 flags=0x0 nice=0 hung=64s workers=3 idle: 2222 43
+
+This can easily be avoided by using a dedicated kernel thread for doing
+the ballooning work.
+
+Reported-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Link: https://lore.kernel.org/r/20210827123206.15429-1-jgross@suse.com
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/balloon.c | 62 +++++++++++++++++++++++++++++++------------
+ 1 file changed, 45 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
+index ebb05517b6aa..2762d246991b 100644
+--- a/drivers/xen/balloon.c
++++ b/drivers/xen/balloon.c
+@@ -43,6 +43,8 @@
+ #include <linux/sched.h>
+ #include <linux/cred.h>
+ #include <linux/errno.h>
++#include <linux/freezer.h>
++#include <linux/kthread.h>
+ #include <linux/mm.h>
+ #include <linux/memblock.h>
+ #include <linux/pagemap.h>
+@@ -117,7 +119,7 @@ static struct ctl_table xen_root[] = {
+ #define EXTENT_ORDER (fls(XEN_PFN_PER_PAGE) - 1)
+ /*
+- * balloon_process() state:
++ * balloon_thread() state:
+  *
+  * BP_DONE: done or nothing to do,
+  * BP_WAIT: wait to be rescheduled,
+@@ -132,6 +134,8 @@ enum bp_state {
+       BP_ECANCELED
+ };
++/* Main waiting point for xen-balloon thread. */
++static DECLARE_WAIT_QUEUE_HEAD(balloon_thread_wq);
+ static DEFINE_MUTEX(balloon_mutex);
+@@ -146,10 +150,6 @@ static xen_pfn_t frame_list[PAGE_SIZE / sizeof(xen_pfn_t)];
+ static LIST_HEAD(ballooned_pages);
+ static DECLARE_WAIT_QUEUE_HEAD(balloon_wq);
+-/* Main work function, always executed in process context. */
+-static void balloon_process(struct work_struct *work);
+-static DECLARE_DELAYED_WORK(balloon_worker, balloon_process);
+-
+ /* When ballooning out (allocating memory to return to Xen) we don't really
+    want the kernel to try too hard since that can trigger the oom killer. */
+ #define GFP_BALLOON \
+@@ -383,7 +383,7 @@ static void xen_online_page(struct page *page, unsigned int order)
+ static int xen_memory_notifier(struct notifier_block *nb, unsigned long val, void *v)
+ {
+       if (val == MEM_ONLINE)
+-              schedule_delayed_work(&balloon_worker, 0);
++              wake_up(&balloon_thread_wq);
+       return NOTIFY_OK;
+ }
+@@ -508,18 +508,43 @@ static enum bp_state decrease_reservation(unsigned long nr_pages, gfp_t gfp)
+ }
+ /*
+- * As this is a work item it is guaranteed to run as a single instance only.
++ * Stop waiting if either state is not BP_EAGAIN and ballooning action is
++ * needed, or if the credit has changed while state is BP_EAGAIN.
++ */
++static bool balloon_thread_cond(enum bp_state state, long credit)
++{
++      if (state != BP_EAGAIN)
++              credit = 0;
++
++      return current_credit() != credit || kthread_should_stop();
++}
++
++/*
++ * As this is a kthread it is guaranteed to run as a single instance only.
+  * We may of course race updates of the target counts (which are protected
+  * by the balloon lock), or with changes to the Xen hard limit, but we will
+  * recover from these in time.
+  */
+-static void balloon_process(struct work_struct *work)
++static int balloon_thread(void *unused)
+ {
+       enum bp_state state = BP_DONE;
+       long credit;
++      unsigned long timeout;
++
++      set_freezable();
++      for (;;) {
++              if (state == BP_EAGAIN)
++                      timeout = balloon_stats.schedule_delay * HZ;
++              else
++                      timeout = 3600 * HZ;
++              credit = current_credit();
++              wait_event_interruptible_timeout(balloon_thread_wq,
++                               balloon_thread_cond(state, credit), timeout);
++
++              if (kthread_should_stop())
++                      return 0;
+-      do {
+               mutex_lock(&balloon_mutex);
+               credit = current_credit();
+@@ -546,12 +571,7 @@ static void balloon_process(struct work_struct *work)
+               mutex_unlock(&balloon_mutex);
+               cond_resched();
+-
+-      } while (credit && state == BP_DONE);
+-
+-      /* Schedule more work if there is some still to be done. */
+-      if (state == BP_EAGAIN)
+-              schedule_delayed_work(&balloon_worker, balloon_stats.schedule_delay * HZ);
++      }
+ }
+ /* Resets the Xen limit, sets new target, and kicks off processing. */
+@@ -559,7 +579,7 @@ void balloon_set_new_target(unsigned long target)
+ {
+       /* No need for lock. Not read-modify-write updates. */
+       balloon_stats.target_pages = target;
+-      schedule_delayed_work(&balloon_worker, 0);
++      wake_up(&balloon_thread_wq);
+ }
+ EXPORT_SYMBOL_GPL(balloon_set_new_target);
+@@ -664,7 +684,7 @@ void free_xenballooned_pages(int nr_pages, struct page **pages)
+       /* The balloon may be too large now. Shrink it if needed. */
+       if (current_credit())
+-              schedule_delayed_work(&balloon_worker, 0);
++              wake_up(&balloon_thread_wq);
+       mutex_unlock(&balloon_mutex);
+ }
+@@ -696,6 +716,8 @@ static void __init balloon_add_region(unsigned long start_pfn,
+ static int __init balloon_init(void)
+ {
++      struct task_struct *task;
++
+       if (!xen_domain())
+               return -ENODEV;
+@@ -739,6 +761,12 @@ static int __init balloon_init(void)
+       }
+ #endif
++      task = kthread_run(balloon_thread, NULL, "xen-balloon");
++      if (IS_ERR(task)) {
++              pr_err("xen-balloon thread could not be started, ballooning will not work!\n");
++              return PTR_ERR(task);
++      }
++
+       /* Init the xen-balloon driver. */
+       xen_balloon_init();
+-- 
+2.33.0
+
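Review bot: The new balloon_thread() calls set_freezable() but then blocks in wait_event_interruptible_timeout(), which contains no freezer check point, so the thread is marked freezable yet never actually freezes at its only sleep; on this 5.4 backport that would be expected to make system suspend/hibernation fail to freeze tasks while the balloon thread is idle. The freezer only stops a kthread inside try_to_freeze() or a freezable wait, so the wait on the new side should be `wait_event_freezable_timeout(balloon_thread_wq, balloon_thread_cond(state, credit), timeout);` (or a try_to_freeze() call right after the wake-up). The kthread_should_stop() check that follows the wait stays as it is. Separately, in balloon_init() the kthread_run() failure path returns PTR_ERR(task) after the earlier region setup has already run and before xen_balloon_init(); if that earlier setup is not meant to survive a failed start, the error path may need to undo it, which I cannot confirm from this hunk since balloon_init() starts outside it.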