Fixes for 4.9
authorSasha Levin <sashal@kernel.org>
Tue, 20 Sep 2022 21:23:52 +0000 (17:23 -0400)
committerSasha Levin <sashal@kernel.org>
Tue, 20 Sep 2022 21:23:52 +0000 (17:23 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
14 files changed:
queue-4.9/arm-mach-spear-add-missing-of_node_put-in-time.c.patch [new file with mode: 0644]
queue-4.9/drivers-net-ethernet-neterion-vxge-fix-a-use-after-f.patch [new file with mode: 0644]
queue-4.9/drm-vc4-crtc-use-an-union-to-store-the-page-flip-cal.patch [new file with mode: 0644]
queue-4.9/mips-lantiq-add-missing-of_node_put-in-irq.c.patch [new file with mode: 0644]
queue-4.9/mips-lantiq-falcon-fix-refcount-leak-bug-in-sysctrl.patch [new file with mode: 0644]
queue-4.9/mips-lantiq-xway-fix-refcount-leak-bug-in-sysctrl.patch [new file with mode: 0644]
queue-4.9/mips-pic32-pic32mzda-fix-refcount-leak-bugs.patch [new file with mode: 0644]
queue-4.9/series
queue-4.9/spi-cadence-detect-transmit-fifo-depth.patch [new file with mode: 0644]
queue-4.9/spi-spi-cadence-fix-spi-cs-gets-toggling-sporadicall.patch [new file with mode: 0644]
queue-4.9/video-fbdev-intelfb-use-aperture-size-from-pci_resou.patch [new file with mode: 0644]
queue-4.9/video-fbdev-pxa3xx-gcu-fix-integer-overflow-in-pxa3x.patch [new file with mode: 0644]
queue-4.9/video-fbdev-simplefb-check-before-clk_put-not-needed.patch [new file with mode: 0644]
queue-4.9/video-fbdev-skeletonfb-fix-syntax-errors-in-comments.patch [new file with mode: 0644]

diff --git a/queue-4.9/arm-mach-spear-add-missing-of_node_put-in-time.c.patch b/queue-4.9/arm-mach-spear-add-missing-of_node_put-in-time.c.patch
new file mode 100644 (file)
index 0000000..1284263
--- /dev/null
@@ -0,0 +1,61 @@
+From 36321bb4ae4d9831fed71238b076d1eb4a8bba8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Jun 2022 17:30:27 +0800
+Subject: arm: mach-spear: Add missing of_node_put() in time.c
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 2c629dd2d14fd7f64a553f809eda6d0b3a4f615a ]
+
+In spear_setup_of_timer(), of_find_matching_node() will return a
+node pointer with refcount incrementd. We should use of_node_put()
+in each fail path or when it is not used anymore.
+
+Signed-off-by: Liang He <windhl@126.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Link: https://lore.kernel.org/r/20220616093027.3984903-1-windhl@126.com'
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-spear/time.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/mach-spear/time.c b/arch/arm/mach-spear/time.c
+index aaaa6781b9fe..57b77c7effa9 100644
+--- a/arch/arm/mach-spear/time.c
++++ b/arch/arm/mach-spear/time.c
+@@ -223,13 +223,13 @@ void __init spear_setup_of_timer(void)
+       irq = irq_of_parse_and_map(np, 0);
+       if (!irq) {
+               pr_err("%s: No irq passed for timer via DT\n", __func__);
+-              return;
++              goto err_put_np;
+       }
+       gpt_base = of_iomap(np, 0);
+       if (!gpt_base) {
+               pr_err("%s: of iomap failed\n", __func__);
+-              return;
++              goto err_put_np;
+       }
+       gpt_clk = clk_get_sys("gpt0", NULL);
+@@ -244,6 +244,8 @@ void __init spear_setup_of_timer(void)
+               goto err_prepare_enable_clk;
+       }
++      of_node_put(np);
++
+       spear_clockevent_init(irq);
+       spear_clocksource_init();
+@@ -253,4 +255,6 @@ void __init spear_setup_of_timer(void)
+       clk_put(gpt_clk);
+ err_iomap:
+       iounmap(gpt_base);
++err_put_np:
++      of_node_put(np);
+ }
+-- 
+2.35.1
+
diff --git a/queue-4.9/drivers-net-ethernet-neterion-vxge-fix-a-use-after-f.patch b/queue-4.9/drivers-net-ethernet-neterion-vxge-fix-a-use-after-f.patch
new file mode 100644 (file)
index 0000000..4d1555d
--- /dev/null
@@ -0,0 +1,170 @@
+From b8e2810ec3b386975ca5c2a205f7e0d0e1671e50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 Jun 2022 22:14:54 +0800
+Subject: drivers/net/ethernet/neterion/vxge: Fix a use-after-free bug in
+ vxge-main.c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wentao_Liang <Wentao_Liang_g@163.com>
+
+[ Upstream commit 8fc74d18639a2402ca52b177e990428e26ea881f ]
+
+The pointer vdev points to a memory region adjacent to a net_device
+structure ndev, which is a field of hldev. At line 4740, the invocation
+to vxge_device_unregister unregisters device hldev, and it also releases
+the memory region pointed by vdev->bar0. At line 4743, the freed memory
+region is referenced (i.e., iounmap(vdev->bar0)), resulting in a
+use-after-free vulnerability. We can fix the bug by calling iounmap
+before vxge_device_unregister.
+
+4721.      static void vxge_remove(struct pci_dev *pdev)
+4722.      {
+4723.             struct __vxge_hw_device *hldev;
+4724.             struct vxgedev *vdev;
+…
+4731.             vdev = netdev_priv(hldev->ndev);
+…
+4740.             vxge_device_unregister(hldev);
+4741.             /* Do not call pci_disable_sriov here, as it
+                                               will break child devices */
+4742.             vxge_hw_device_terminate(hldev);
+4743.             iounmap(vdev->bar0);
+…
+4749              vxge_debug_init(vdev->level_trace, "%s:%d
+                                                               Device unregistered",
+4750                            __func__, __LINE__);
+4751              vxge_debug_entryexit(vdev->level_trace, "%s:%d
+                                                               Exiting...", __func__,
+4752                          __LINE__);
+4753.      }
+
+This is the screenshot when the vulnerability is triggered by using
+KASAN. We can see that there is a use-after-free reported by KASAN.
+
+/***************************start**************************/
+
+root@kernel:~# echo 1 > /sys/bus/pci/devices/0000:00:03.0/remove
+[  178.296316] vxge_remove
+[  182.057081]
+ ==================================================================
+[  182.057548] BUG: KASAN: use-after-free in vxge_remove+0xe0/0x15c
+[  182.057760] Read of size 8 at addr ffff888006c76598 by task bash/119
+[  182.057983]
+[  182.058747] CPU: 0 PID: 119 Comm: bash Not tainted 5.18.0 #5
+[  182.058919] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
+rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
+[  182.059463] Call Trace:
+[  182.059726]  <TASK>
+[  182.060017]  dump_stack_lvl+0x34/0x44
+[  182.060316]  print_report.cold+0xb2/0x6b7
+[  182.060401]  ? kfree+0x89/0x290
+[  182.060478]  ? vxge_remove+0xe0/0x15c
+[  182.060545]  kasan_report+0xa9/0x120
+[  182.060629]  ? vxge_remove+0xe0/0x15c
+[  182.060706]  vxge_remove+0xe0/0x15c
+[  182.060793]  pci_device_remove+0x5d/0xe0
+[  182.060968]  device_release_driver_internal+0xf1/0x180
+[  182.061063]  pci_stop_bus_device+0xae/0xe0
+[  182.061150]  pci_stop_and_remove_bus_device_locked+0x11/0x20
+[  182.061236]  remove_store+0xc6/0xe0
+[  182.061297]  ? subordinate_bus_number_show+0xc0/0xc0
+[  182.061359]  ? __mutex_lock_slowpath+0x10/0x10
+[  182.061438]  ? sysfs_kf_write+0x6d/0xa0
+[  182.061525]  kernfs_fop_write_iter+0x1b0/0x260
+[  182.061610]  ? sysfs_kf_bin_read+0xf0/0xf0
+[  182.061695]  new_sync_write+0x209/0x310
+[  182.061789]  ? new_sync_read+0x310/0x310
+[  182.061865]  ? cgroup_rstat_updated+0x5c/0x170
+[  182.061937]  ? preempt_count_sub+0xf/0xb0
+[  182.061995]  ? pick_next_entity+0x13a/0x220
+[  182.062063]  ? __inode_security_revalidate+0x44/0x80
+[  182.062155]  ? security_file_permission+0x46/0x2a0
+[  182.062230]  vfs_write+0x33f/0x3e0
+[  182.062303]  ksys_write+0xb4/0x150
+[  182.062369]  ? __ia32_sys_read+0x40/0x40
+[  182.062451]  do_syscall_64+0x3b/0x90
+[  182.062531]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
+[  182.062894] RIP: 0033:0x7f3f37d17274
+[  182.063558] Code: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f
+80 00 00 00 00 48 8d 05 89 54 0d 00 8b 00 85 c0 75 13 b8 01 00 00 00 0f
+05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 41 54 49 89 d4 55 48 89 f5 53
+[  182.063797] RSP: 002b:00007ffd5ba9e178 EFLAGS: 00000246
+ORIG_RAX: 0000000000000001
+[  182.064117] RAX: ffffffffffffffda RBX: 0000000000000002
+RCX: 00007f3f37d17274
+[  182.064219] RDX: 0000000000000002 RSI: 000055bbec327180
+RDI: 0000000000000001
+[  182.064315] RBP: 000055bbec327180 R08: 000000000000000a
+R09: 00007f3f37de7cf0
+[  182.064414] R10: 000000000000000a R11: 0000000000000246
+R12: 00007f3f37de8760
+[  182.064513] R13: 0000000000000002 R14: 00007f3f37de3760
+R15: 0000000000000002
+[  182.064691]  </TASK>
+[  182.064916]
+[  182.065224] The buggy address belongs to the physical page:
+[  182.065804] page:00000000ef31e4f4 refcount:0 mapcount:0
+mapping:0000000000000000 index:0x0 pfn:0x6c76
+[  182.067419] flags: 0x100000000000000(node=0|zone=1)
+[  182.068997] raw: 0100000000000000 0000000000000000
+ffffea00001b1d88 0000000000000000
+[  182.069118] raw: 0000000000000000 0000000000000000
+00000000ffffffff 0000000000000000
+[  182.069294] page dumped because: kasan: bad access detected
+[  182.069331]
+[  182.069360] Memory state around the buggy address:
+[  182.070006]  ffff888006c76480: ff ff ff ff ff ff ff ff ff ff ff
+ ff ff ff ff ff
+[  182.070136]  ffff888006c76500: ff ff ff ff ff ff ff ff ff ff ff
+ ff ff ff ff ff
+[  182.070230] >ffff888006c76580: ff ff ff ff ff ff ff ff ff ff ff
+ ff ff ff ff ff
+[  182.070305]                             ^
+[  182.070456]  ffff888006c76600: ff ff ff ff ff ff ff ff ff ff ff
+ ff ff ff ff ff
+[  182.070505]  ffff888006c76680: ff ff ff ff ff ff ff ff ff ff ff
+ ff ff ff ff ff
+[  182.070606]
+==================================================================
+[  182.071374] Disabling lock debugging due to kernel taint
+
+/*****************************end*****************************/
+
+After fixing the bug as done in the patch, we can find KASAN do not report
+ the bug and the device(00:03.0) has been successfully removed.
+
+/*****************************start***************************/
+
+root@kernel:~# echo 1 > /sys/bus/pci/devices/0000:00:03.0/remove
+root@kernel:~#
+
+/******************************end****************************/
+
+Signed-off-by: Wentao_Liang <Wentao_Liang_g@163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/neterion/vxge/vxge-main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/neterion/vxge/vxge-main.c b/drivers/net/ethernet/neterion/vxge/vxge-main.c
+index c6950e580883..7fa71a66f19c 100644
+--- a/drivers/net/ethernet/neterion/vxge/vxge-main.c
++++ b/drivers/net/ethernet/neterion/vxge/vxge-main.c
+@@ -4790,10 +4790,10 @@ static void vxge_remove(struct pci_dev *pdev)
+       for (i = 0; i < vdev->no_of_vpath; i++)
+               vxge_free_mac_add_list(&vdev->vpaths[i]);
++      iounmap(vdev->bar0);
+       vxge_device_unregister(hldev);
+       /* Do not call pci_disable_sriov here, as it will break child devices */
+       vxge_hw_device_terminate(hldev);
+-      iounmap(vdev->bar0);
+       pci_release_region(pdev, 0);
+       pci_disable_device(pdev);
+       driver_config->config_dev_cnt--;
+-- 
+2.35.1
+
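Review bot: Moving `iounmap(vdev->bar0)` ahead of `vxge_device_unregister(hldev)` and `vxge_hw_device_terminate(hldev)` removes the read of freed `vdev`, but both calls now run with BAR0 already unmapped. If either still reaches device registers through that mapping (their bodies are outside this hunk), the use-after-free is traded for an access to an unmapped region. A variant that keeps the original teardown order is to copy the pointer first, `void __iomem *bar0 = vdev->bar0;` before the unregister call, and leave `iounmap(bar0);` where the old `iounmap` was. The listing in the message also shows `vdev->level_trace` being read at lines 4749-4751 after the unregister; the hunk ends before those lines, so whether that read still happens on a freed `vdev` needs checking in the 4.9 source.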
diff --git a/queue-4.9/drm-vc4-crtc-use-an-union-to-store-the-page-flip-cal.patch b/queue-4.9/drm-vc4-crtc-use-an-union-to-store-the-page-flip-cal.patch
new file mode 100644 (file)
index 0000000..c3906f6
--- /dev/null
@@ -0,0 +1,76 @@
+From 22a5352f0089cd3d622a96fcd2c002bf8fc0bdc2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jun 2022 13:51:44 +0200
+Subject: drm/vc4: crtc: Use an union to store the page flip callback
+
+From: Maxime Ripard <maxime@cerno.tech>
+
+[ Upstream commit 2523e9dcc3be91bf9fdc0d1e542557ca00bbef42 ]
+
+We'll need to extend the vc4_async_flip_state structure to rely on
+another callback implementation, so let's move the current one into a
+union.
+
+Reviewed-by: Melissa Wen <mwen@igalia.com>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://lore.kernel.org/r/20220610115149.964394-10-maxime@cerno.tech
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_crtc.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_crtc.c b/drivers/gpu/drm/vc4/vc4_crtc.c
+index 51d34e7275ab..9d97f535a4d6 100644
+--- a/drivers/gpu/drm/vc4/vc4_crtc.c
++++ b/drivers/gpu/drm/vc4/vc4_crtc.c
+@@ -717,17 +717,17 @@ struct vc4_async_flip_state {
+       struct drm_framebuffer *fb;
+       struct drm_pending_vblank_event *event;
+-      struct vc4_seqno_cb cb;
++      union {
++              struct vc4_seqno_cb seqno;
++      } cb;
+ };
+ /* Called when the V3D execution for the BO being flipped to is done, so that
+  * we can actually update the plane's address to point to it.
+  */
+ static void
+-vc4_async_page_flip_complete(struct vc4_seqno_cb *cb)
++vc4_async_page_flip_complete(struct vc4_async_flip_state *flip_state)
+ {
+-      struct vc4_async_flip_state *flip_state =
+-              container_of(cb, struct vc4_async_flip_state, cb);
+       struct drm_crtc *crtc = flip_state->crtc;
+       struct drm_device *dev = crtc->dev;
+       struct vc4_dev *vc4 = to_vc4_dev(dev);
+@@ -749,6 +749,14 @@ vc4_async_page_flip_complete(struct vc4_seqno_cb *cb)
+       up(&vc4->async_modeset);
+ }
++static void vc4_async_page_flip_seqno_complete(struct vc4_seqno_cb *cb)
++{
++      struct vc4_async_flip_state *flip_state =
++              container_of(cb, struct vc4_async_flip_state, cb.seqno);
++
++      vc4_async_page_flip_complete(flip_state);
++}
++
+ /* Implements async (non-vblank-synced) page flips.
+  *
+  * The page flip ioctl needs to return immediately, so we grab the
+@@ -794,8 +802,8 @@ static int vc4_async_page_flip(struct drm_crtc *crtc,
+       drm_atomic_set_fb_for_plane(plane->state, fb);
+       plane->fb = fb;
+-      vc4_queue_seqno_cb(dev, &flip_state->cb, bo->seqno,
+-                         vc4_async_page_flip_complete);
++      vc4_queue_seqno_cb(dev, &flip_state->cb.seqno, bo->seqno,
++                         vc4_async_page_flip_seqno_complete);
+       /* Driver takes ownership of state on successful async commit. */
+       return 0;
+-- 
+2.35.1
+
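Review bot: The description says this refactor exists so that a second callback implementation can be added, but the `series` hunk on this page queues no other vc4 patch. In 4.9 the single-member union `cb` therefore changes no behaviour by itself, and it is worth confirming which queued fix depends on it before carrying it. If it stays, the new `vc4_async_page_flip_seqno_complete()` has no comment, while the existing "Called when the V3D execution..." comment now sits on the inner helper. A one-liner such as `/* seqno callback adapter: recovers the flip state from cb.seqno */` would keep the two apart.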
diff --git a/queue-4.9/mips-lantiq-add-missing-of_node_put-in-irq.c.patch b/queue-4.9/mips-lantiq-add-missing-of_node_put-in-irq.c.patch
new file mode 100644 (file)
index 0000000..2413d27
--- /dev/null
@@ -0,0 +1,35 @@
+From 1c315afdf95d3009f791d5692315cfbf3edf846a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Jun 2022 23:41:25 +0800
+Subject: mips: lantiq: Add missing of_node_put() in irq.c
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 3748d2185ac4c2c6f80989672253aad909ecaf95 ]
+
+In icu_of_init(), of_find_compatible_node() will return a node
+pointer with refcount incremented. We should use of_node_put()
+when it is not used anymore.
+
+Signed-off-by: Liang He <windhl@126.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/lantiq/irq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/mips/lantiq/irq.c b/arch/mips/lantiq/irq.c
+index e64f678ca12c..e29dc58271b2 100644
+--- a/arch/mips/lantiq/irq.c
++++ b/arch/mips/lantiq/irq.c
+@@ -460,6 +460,7 @@ int __init icu_of_init(struct device_node *node, struct device_node *parent)
+               if (!ltq_eiu_membase)
+                       panic("Failed to remap eiu memory");
+       }
++      of_node_put(eiu_node);
+       return 0;
+ }
+-- 
+2.35.1
+
diff --git a/queue-4.9/mips-lantiq-falcon-fix-refcount-leak-bug-in-sysctrl.patch b/queue-4.9/mips-lantiq-falcon-fix-refcount-leak-bug-in-sysctrl.patch
new file mode 100644 (file)
index 0000000..489a475
--- /dev/null
@@ -0,0 +1,40 @@
+From 08a37afa007c6a1b844d3f214c0bfdaead5c3c8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Jun 2022 20:19:58 +0800
+Subject: mips: lantiq: falcon: Fix refcount leak bug in sysctrl
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 72a2af539fff975caadd9a4db3f99963569bd9c9 ]
+
+In ltq_soc_init(), of_find_compatible_node() will return a node pointer
+with refcount incremented. We should use of_node_put() when it is not
+used anymore.
+
+Signed-off-by: Liang He <windhl@126.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/lantiq/falcon/sysctrl.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/arch/mips/lantiq/falcon/sysctrl.c b/arch/mips/lantiq/falcon/sysctrl.c
+index 714d92659489..665739bd4190 100644
+--- a/arch/mips/lantiq/falcon/sysctrl.c
++++ b/arch/mips/lantiq/falcon/sysctrl.c
+@@ -210,6 +210,12 @@ void __init ltq_soc_init(void)
+                       of_address_to_resource(np_sysgpe, 0, &res_sys[2]))
+               panic("Failed to get core resources");
++      of_node_put(np_status);
++      of_node_put(np_ebu);
++      of_node_put(np_sys1);
++      of_node_put(np_syseth);
++      of_node_put(np_sysgpe);
++
+       if ((request_mem_region(res_status.start, resource_size(&res_status),
+                               res_status.name) < 0) ||
+               (request_mem_region(res_ebu.start, resource_size(&res_ebu),
+-- 
+2.35.1
+
diff --git a/queue-4.9/mips-lantiq-xway-fix-refcount-leak-bug-in-sysctrl.patch b/queue-4.9/mips-lantiq-xway-fix-refcount-leak-bug-in-sysctrl.patch
new file mode 100644 (file)
index 0000000..66d38bc
--- /dev/null
@@ -0,0 +1,38 @@
+From b3ff2f4b52221161b17864edb6ba5a78b03a3fba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Jun 2022 20:25:05 +0800
+Subject: mips: lantiq: xway: Fix refcount leak bug in sysctrl
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 76695592711ef1e215cc24ed3e1cd857d7fc3098 ]
+
+In ltq_soc_init(), of_find_compatible_node() will return a node
+pointer with refcount incremented. We should use of_node_put() when
+it is not used anymore.
+
+Signed-off-by: Liang He <windhl@126.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/lantiq/xway/sysctrl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/mips/lantiq/xway/sysctrl.c b/arch/mips/lantiq/xway/sysctrl.c
+index dd7c36a193e3..6891456a7603 100644
+--- a/arch/mips/lantiq/xway/sysctrl.c
++++ b/arch/mips/lantiq/xway/sysctrl.c
+@@ -457,6 +457,10 @@ void __init ltq_soc_init(void)
+                       of_address_to_resource(np_ebu, 0, &res_ebu))
+               panic("Failed to get core resources");
++      of_node_put(np_pmu);
++      of_node_put(np_cgu);
++      of_node_put(np_ebu);
++
+       if (!request_mem_region(res_pmu.start, resource_size(&res_pmu),
+                               res_pmu.name) ||
+               !request_mem_region(res_cgu.start, resource_size(&res_cgu),
+-- 
+2.35.1
+
diff --git a/queue-4.9/mips-pic32-pic32mzda-fix-refcount-leak-bugs.patch b/queue-4.9/mips-pic32-pic32mzda-fix-refcount-leak-bugs.patch
new file mode 100644 (file)
index 0000000..f4dac98
--- /dev/null
@@ -0,0 +1,63 @@
+From ebbab11defed7127dbf9a060f088c08cad67f455 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 Jun 2022 12:54:27 +0800
+Subject: mips/pic32/pic32mzda: Fix refcount leak bugs
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit eb9e9bc4fa5fb489c92ec588b3fb35f042ba6d86 ]
+
+of_find_matching_node(), of_find_compatible_node() and
+of_find_node_by_path() will return node pointers with refcout
+incremented. We should call of_node_put() when they are not
+used anymore.
+
+Signed-off-by: Liang He <windhl@126.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/pic32/pic32mzda/init.c | 7 ++++++-
+ arch/mips/pic32/pic32mzda/time.c | 3 +++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/arch/mips/pic32/pic32mzda/init.c b/arch/mips/pic32/pic32mzda/init.c
+index 406c6c5cec29..f8985d4573e6 100644
+--- a/arch/mips/pic32/pic32mzda/init.c
++++ b/arch/mips/pic32/pic32mzda/init.c
+@@ -131,13 +131,18 @@ static int __init pic32_of_prepare_platform_data(struct of_dev_auxdata *lookup)
+               np = of_find_compatible_node(NULL, NULL, lookup->compatible);
+               if (np) {
+                       lookup->name = (char *)np->name;
+-                      if (lookup->phys_addr)
++                      if (lookup->phys_addr) {
++                              of_node_put(np);
+                               continue;
++                      }
+                       if (!of_address_to_resource(np, 0, &res))
+                               lookup->phys_addr = res.start;
++                      of_node_put(np);
+               }
+       }
++      of_node_put(root);
++
+       return 0;
+ }
+diff --git a/arch/mips/pic32/pic32mzda/time.c b/arch/mips/pic32/pic32mzda/time.c
+index 62a0a78b6c64..bfafe241c1b5 100644
+--- a/arch/mips/pic32/pic32mzda/time.c
++++ b/arch/mips/pic32/pic32mzda/time.c
+@@ -40,6 +40,9 @@ static unsigned int pic32_xlate_core_timer_irq(void)
+               goto default_map;
+       irq = irq_of_parse_and_map(node, 0);
++
++      of_node_put(node);
++
+       if (!irq)
+               goto default_map;
+-- 
+2.35.1
+
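Review bot: In `pic32_of_prepare_platform_data()` the loop stores `lookup->name = (char *)np->name;` and then drops the reference with `of_node_put(np)` on both paths, so `lookup->name` is a borrowed pointer that outlives the reference protecting it. That is harmless as long as the node is never freed (presumably the case for a static boot-time tree, which the hunk does not show), but the refcount fix makes the lifetime assumption implicit. I would state it at the assignment, e.g. `/* np->name stays valid after of_node_put(): nodes from the boot DT are never freed */`, or copy the string if that cannot be guaranteed. The function starts outside the hunk, so where `root` is obtained and whether it is NULL-checked before the new `of_node_put(root)` is not visible here.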
index a6663fad6193354d7def6646edb12958b9d877b9..4192f5e9e334d125889a8af7071f87d204bc5675 100644 (file)
@@ -1,2 +1,15 @@
 parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch
 cifs-don-t-send-down-the-destination-address-to-sendmsg-for-a-sock_stream.patch
+spi-spi-cadence-fix-spi-cs-gets-toggling-sporadicall.patch
+spi-cadence-detect-transmit-fifo-depth.patch
+drm-vc4-crtc-use-an-union-to-store-the-page-flip-cal.patch
+drivers-net-ethernet-neterion-vxge-fix-a-use-after-f.patch
+video-fbdev-skeletonfb-fix-syntax-errors-in-comments.patch
+video-fbdev-intelfb-use-aperture-size-from-pci_resou.patch
+video-fbdev-pxa3xx-gcu-fix-integer-overflow-in-pxa3x.patch
+video-fbdev-simplefb-check-before-clk_put-not-needed.patch
+mips-lantiq-falcon-fix-refcount-leak-bug-in-sysctrl.patch
+mips-lantiq-xway-fix-refcount-leak-bug-in-sysctrl.patch
+mips-pic32-pic32mzda-fix-refcount-leak-bugs.patch
+mips-lantiq-add-missing-of_node_put-in-irq.c.patch
+arm-mach-spear-add-missing-of_node_put-in-time.c.patch
diff --git a/queue-4.9/spi-cadence-detect-transmit-fifo-depth.patch b/queue-4.9/spi-cadence-detect-transmit-fifo-depth.patch
new file mode 100644 (file)
index 0000000..9213a84
--- /dev/null
@@ -0,0 +1,117 @@
+From 2991f161280d1acb79edbfa5e241d18415f16dc8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 May 2022 11:11:43 +0200
+Subject: spi: cadence: Detect transmit FIFO depth
+
+From: Lars-Peter Clausen <lars@metafoo.de>
+
+[ Upstream commit 7b40322f7183a92c4303457528ae7cda571c60b9 ]
+
+The depth of the transmit FIFO for the Cadence SPI controller is currently
+hardcoded to 128. But the depth is a synthesis configuration parameter of
+the core and can vary between different SoCs.
+
+If the configured FIFO size is less than 128 the driver will busy loop in
+the cdns_spi_fill_tx_fifo() function waiting for FIFO space to become
+available.
+
+Depending on the length and speed of the transfer it can spin for a
+significant amount of time. The cdns_spi_fill_tx_fifo() function is called
+from the drivers interrupt handler, so it can leave interrupts disabled for
+a prolonged amount of time.
+
+In addition the read FIFO will also overflow and data will be discarded.
+
+To avoid this detect the actual size of the FIFO and use that rather than
+the hardcoded value.
+
+To detect the FIFO size the FIFO threshold register is used. The register
+is sized so that it can hold FIFO size - 1 as its maximum value. Bits that
+are not needed to hold the threshold value will always read 0. By writing
+0xffff to the register and then reading back the value in the register we
+get the FIFO size.
+
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Link: https://lore.kernel.org/r/20220527091143.3780378-1-lars@metafoo.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-cadence.c | 27 +++++++++++++++++++++++----
+ 1 file changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/spi/spi-cadence.c b/drivers/spi/spi-cadence.c
+index 6d294a1fa5e5..733724e71a30 100644
+--- a/drivers/spi/spi-cadence.c
++++ b/drivers/spi/spi-cadence.c
+@@ -96,9 +96,6 @@
+ #define CDNS_SPI_ER_ENABLE    0x00000001 /* SPI Enable Bit Mask */
+ #define CDNS_SPI_ER_DISABLE   0x0 /* SPI Disable Bit Mask */
+-/* SPI FIFO depth in bytes */
+-#define CDNS_SPI_FIFO_DEPTH   128
+-
+ /* Default number of chip select lines */
+ #define CDNS_SPI_DEFAULT_NUM_CS               4
+@@ -114,6 +111,7 @@
+  * @rx_bytes:         Number of bytes requested
+  * @dev_busy:         Device busy flag
+  * @is_decoded_cs:    Flag for decoder property set or not
++ * @tx_fifo_depth:    Depth of the TX FIFO
+  */
+ struct cdns_spi {
+       void __iomem *regs;
+@@ -127,6 +125,7 @@ struct cdns_spi {
+       int rx_bytes;
+       u8 dev_busy;
+       u32 is_decoded_cs;
++      unsigned int tx_fifo_depth;
+ };
+ /* Macros for the SPI controller read/write */
+@@ -308,7 +307,7 @@ static void cdns_spi_fill_tx_fifo(struct cdns_spi *xspi)
+ {
+       unsigned long trans_cnt = 0;
+-      while ((trans_cnt < CDNS_SPI_FIFO_DEPTH) &&
++      while ((trans_cnt < xspi->tx_fifo_depth) &&
+              (xspi->tx_bytes > 0)) {
+               if (xspi->txbuf)
+                       cdns_spi_write(xspi, CDNS_SPI_TXD, *xspi->txbuf++);
+@@ -463,6 +462,24 @@ static int cdns_unprepare_transfer_hardware(struct spi_master *master)
+       return 0;
+ }
++/**
++ * cdns_spi_detect_fifo_depth - Detect the FIFO depth of the hardware
++ * @xspi:     Pointer to the cdns_spi structure
++ *
++ * The depth of the TX FIFO is a synthesis configuration parameter of the SPI
++ * IP. The FIFO threshold register is sized so that its maximum value can be the
++ * FIFO size - 1. This is used to detect the size of the FIFO.
++ */
++static void cdns_spi_detect_fifo_depth(struct cdns_spi *xspi)
++{
++      /* The MSBs will get truncated giving us the size of the FIFO */
++      cdns_spi_write(xspi, CDNS_SPI_THLD, 0xffff);
++      xspi->tx_fifo_depth = cdns_spi_read(xspi, CDNS_SPI_THLD) + 1;
++
++      /* Reset to default */
++      cdns_spi_write(xspi, CDNS_SPI_THLD, 0x1);
++}
++
+ /**
+  * cdns_spi_probe - Probe method for the SPI driver
+  * @pdev:     Pointer to the platform_device structure
+@@ -536,6 +553,8 @@ static int cdns_spi_probe(struct platform_device *pdev)
+       if (ret < 0)
+               xspi->is_decoded_cs = 0;
++      cdns_spi_detect_fifo_depth(xspi);
++
+       /* SPI controller initializations */
+       cdns_spi_init_hw(xspi);
+-- 
+2.35.1
+
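Review bot: `cdns_spi_detect_fifo_depth()` stores whatever `CDNS_SPI_THLD` reads back, plus one, with no sanity check, and that value then bounds the loop in `cdns_spi_fill_tx_fifo()`, which the description says runs from the interrupt handler. A readback of 0, for example if the block is not clocked or is held in reset at this point in probe (not visible here), would silently give a depth of 1. I would log the detected depth once after the call in `cdns_spi_probe()`, e.g. `dev_dbg(&pdev->dev, "TX FIFO depth %u\n", xspi->tx_fifo_depth);`. The kernel-doc should also say that the function overwrites `CDNS_SPI_THLD` with 0x1 and so has to run before any threshold programming.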
diff --git a/queue-4.9/spi-spi-cadence-fix-spi-cs-gets-toggling-sporadicall.patch b/queue-4.9/spi-spi-cadence-fix-spi-cs-gets-toggling-sporadicall.patch
new file mode 100644 (file)
index 0000000..7209d82
--- /dev/null
@@ -0,0 +1,67 @@
+From a2874c7fe4294710fe1f347212f4d8c262cb3a7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Jun 2022 11:55:25 +0530
+Subject: spi: spi-cadence: Fix SPI CS gets toggling sporadically
+
+From: Sai Krishna Potthuri <lakshmi.sai.krishna.potthuri@xilinx.com>
+
+[ Upstream commit 21b511ddee09a78909035ec47a6a594349fe3296 ]
+
+As part of unprepare_transfer_hardware, SPI controller will be disabled
+which will indirectly deassert the CS line. This will create a problem
+in some of the devices where message will be transferred with
+cs_change flag set(CS should not be deasserted).
+As per SPI controller implementation, if SPI controller is disabled then
+all output enables are inactive and all pins are set to input mode which
+means CS will go to default state high(deassert). This leads to an issue
+when core explicitly ask not to deassert the CS (cs_change = 1). This
+patch fix the above issue by checking the Slave select status bits from
+configuration register before disabling the SPI.
+
+Signed-off-by: Sai Krishna Potthuri <lakshmi.sai.krishna.potthuri@xilinx.com>
+Signed-off-by: Amit Kumar Mahapatra <amit.kumar-mahapatra@xilinx.com>
+Link: https://lore.kernel.org/r/20220606062525.18447-1-amit.kumar-mahapatra@xilinx.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-cadence.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-cadence.c b/drivers/spi/spi-cadence.c
+index e383c6368915..6d294a1fa5e5 100644
+--- a/drivers/spi/spi-cadence.c
++++ b/drivers/spi/spi-cadence.c
+@@ -72,6 +72,7 @@
+ #define CDNS_SPI_BAUD_DIV_SHIFT               3 /* Baud rate divisor shift in CR */
+ #define CDNS_SPI_SS_SHIFT             10 /* Slave Select field shift in CR */
+ #define CDNS_SPI_SS0                  0x1 /* Slave Select zero */
++#define CDNS_SPI_NOSS                 0x3C /* No Slave select */
+ /*
+  * SPI Interrupt Registers bit Masks
+@@ -444,15 +445,20 @@ static int cdns_prepare_transfer_hardware(struct spi_master *master)
+  * @master:   Pointer to the spi_master structure which provides
+  *            information about the controller.
+  *
+- * This function disables the SPI master controller.
++ * This function disables the SPI master controller when no slave selected.
+  *
+  * Return:    0 always
+  */
+ static int cdns_unprepare_transfer_hardware(struct spi_master *master)
+ {
+       struct cdns_spi *xspi = spi_master_get_devdata(master);
++      u32 ctrl_reg;
+-      cdns_spi_write(xspi, CDNS_SPI_ER, CDNS_SPI_ER_DISABLE);
++      /* Disable the SPI if slave is deselected */
++      ctrl_reg = cdns_spi_read(xspi, CDNS_SPI_CR);
++      ctrl_reg = (ctrl_reg & CDNS_SPI_CR_SSCTRL) >>  CDNS_SPI_SS_SHIFT;
++      if (ctrl_reg == CDNS_SPI_NOSS)
++              cdns_spi_write(xspi, CDNS_SPI_ER, CDNS_SPI_ER_DISABLE);
+       return 0;
+ }
+-- 
+2.35.1
+
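Review bot: `CDNS_SPI_NOSS` is defined as `0x3C`, yet in `cdns_unprepare_transfer_hardware()` it is compared with the slave-select field after that field has been shifted right by `CDNS_SPI_SS_SHIFT` (10). If `CDNS_SPI_CR_SSCTRL` is a four-bit mask at that position (its definition is outside the hunk), the shifted value cannot exceed `0xF`, so the comparison is never true and the controller is never disabled on unprepare. The constant should be in the same units as the shifted field, e.g. `#define CDNS_SPI_NOSS 0xF /* No Slave select */`, or the comparison should be made against the unshifted mask. Reusing `ctrl_reg` for the extracted field hides the mismatch; a separate local for the field would make the units obvious.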
diff --git a/queue-4.9/video-fbdev-intelfb-use-aperture-size-from-pci_resou.patch b/queue-4.9/video-fbdev-intelfb-use-aperture-size-from-pci_resou.patch
new file mode 100644 (file)
index 0000000..f1ee2d7
--- /dev/null
@@ -0,0 +1,56 @@
+From fe558347385f2a003ed12fe5a8807db4fb9148dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Jun 2022 15:38:04 +0200
+Subject: video: fbdev: intelfb: Use aperture size from pci_resource_len
+
+From: Petr Cvek <petrcvekcz@gmail.com>
+
+[ Upstream commit 25c9a15fb7bbfafb94dd3b4e3165c18b8e1bd039 ]
+
+Aperture size for i9x5 variants is determined from PCI base address.
+
+       if (pci_resource_start(pdev, 2) & 0x08000000)
+               *aperture_size = MB(128);
+       ...
+
+This condition is incorrect as 128 MiB address can have the address
+set as 0x?8000000 or 0x?0000000. Also the code can be simplified to just
+use pci_resource_len().
+
+The true settings of the aperture size is in the MSAC register, which
+could be used instead. However the value is used only as an info message,
+so it doesn't matter.
+
+Signed-off-by: Petr Cvek <petrcvekcz@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/intelfb/intelfbhw.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/video/fbdev/intelfb/intelfbhw.c b/drivers/video/fbdev/intelfb/intelfbhw.c
+index d31ed4e2c46f..3aa93565e935 100644
+--- a/drivers/video/fbdev/intelfb/intelfbhw.c
++++ b/drivers/video/fbdev/intelfb/intelfbhw.c
+@@ -199,13 +199,11 @@ int intelfbhw_get_memory(struct pci_dev *pdev, int *aperture_size,
+       case PCI_DEVICE_ID_INTEL_945GME:
+       case PCI_DEVICE_ID_INTEL_965G:
+       case PCI_DEVICE_ID_INTEL_965GM:
+-              /* 915, 945 and 965 chipsets support a 256MB aperture.
+-                 Aperture size is determined by inspected the
+-                 base address of the aperture. */
+-              if (pci_resource_start(pdev, 2) & 0x08000000)
+-                      *aperture_size = MB(128);
+-              else
+-                      *aperture_size = MB(256);
++              /*
++               * 915, 945 and 965 chipsets support 64MB, 128MB or 256MB
++               * aperture. Determine size from PCI resource length.
++               */
++              *aperture_size = pci_resource_len(pdev, 2);
+               break;
+       default:
+               if ((tmp & INTEL_GMCH_MEM_MASK) == INTEL_GMCH_MEM_64M)
+-- 
+2.35.1
+
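Review bot: `*aperture_size` is an `int` (see the `intelfbhw_get_memory()` signature in the hunk header) while `pci_resource_len()` returns `resource_size_t`, so the new assignment narrows silently. The description says the value only feeds an informational message, and the sizes named in the new comment fit in an `int`. The BAR length is reported by the device, though, so I would have the comment say that lengths above 256MB are not expected here, or make the conversion explicit with `*aperture_size = (int)pci_resource_len(pdev, 2);`. The switch statement continues outside the hunk.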
diff --git a/queue-4.9/video-fbdev-pxa3xx-gcu-fix-integer-overflow-in-pxa3x.patch b/queue-4.9/video-fbdev-pxa3xx-gcu-fix-integer-overflow-in-pxa3x.patch
new file mode 100644 (file)
index 0000000..b4171ac
--- /dev/null
@@ -0,0 +1,36 @@
+From 06b856a78321aedeacaa0fbb60105aec841e90b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Jun 2022 07:17:46 -0700
+Subject: video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+[ Upstream commit a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7 ]
+
+In pxa3xx_gcu_write, a count parameter of type size_t is passed to words of
+type int.  Then, copy_from_user() may cause a heap overflow because it is used
+as the third argument of copy_from_user().
+
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/pxa3xx-gcu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/pxa3xx-gcu.c b/drivers/video/fbdev/pxa3xx-gcu.c
+index 184773b6b9e4..2cca4b763d8d 100644
+--- a/drivers/video/fbdev/pxa3xx-gcu.c
++++ b/drivers/video/fbdev/pxa3xx-gcu.c
+@@ -391,7 +391,7 @@ pxa3xx_gcu_write(struct file *file, const char *buff,
+       struct pxa3xx_gcu_batch *buffer;
+       struct pxa3xx_gcu_priv *priv = to_pxa3xx_gcu_priv(file);
+-      int words = count / 4;
++      size_t words = count / 4;
+       /* Does not need to be atomic. There's a lock in user space,
+        * but anyhow, this is just for statistics. */
+-- 
+2.35.1
+
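Review bot: The new `size_t words = count / 4;` declaration carries no comment saying why the type must be unsigned and as wide as `count`, so a later cleanup could narrow it back to `int` and reintroduce the overflow the commit message describes. I would add above it `/* size_t on purpose: count comes from user space and must not truncate or go negative before it is bounds-checked */`. The upper-bound check and the copy_from_user() call that consume `words` lie outside this hunk, so it is worth confirming in the 4.9 tree that the bound is tested before the copy and that neither `words` nor `words * 4` is later stored in an `int`. The hunk header also shows `const char *buff` without a `__user` annotation, which prevents sparse from checking how that pointer is dereferenced.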
diff --git a/queue-4.9/video-fbdev-simplefb-check-before-clk_put-not-needed.patch b/queue-4.9/video-fbdev-simplefb-check-before-clk_put-not-needed.patch
new file mode 100644 (file)
index 0000000..a47a2b7
--- /dev/null
@@ -0,0 +1,37 @@
+From 502b7bbb7aaf38fe36919b4d57cf696d48a8a061 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Jun 2022 02:42:18 -0700
+Subject: video: fbdev: simplefb: Check before clk_put() not needed
+
+From: Yihao Han <hanyihao@vivo.com>
+
+[ Upstream commit 5491424d17bdeb7b7852a59367858251783f8398 ]
+
+clk_put() already checks the clk ptr using !clk and IS_ERR()
+so there is no need to check it again before calling it.
+
+Signed-off-by: Yihao Han <hanyihao@vivo.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/simplefb.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/video/fbdev/simplefb.c b/drivers/video/fbdev/simplefb.c
+index 61f799a515dc..1efdbbc20f99 100644
+--- a/drivers/video/fbdev/simplefb.c
++++ b/drivers/video/fbdev/simplefb.c
+@@ -231,8 +231,7 @@ static int simplefb_clocks_init(struct simplefb_par *par,
+               if (IS_ERR(clock)) {
+                       if (PTR_ERR(clock) == -EPROBE_DEFER) {
+                               while (--i >= 0) {
+-                                      if (par->clks[i])
+-                                              clk_put(par->clks[i]);
++                                      clk_put(par->clks[i]);
+                               }
+                               kfree(par->clks);
+                               return -EPROBE_DEFER;
+-- 
+2.35.1
+
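Review bot: With the `if (par->clks[i])` guard removed, every slot of `par->clks` is passed to `clk_put()` unchecked, so this unwind path is only safe if the 4.9 tree's `clk_put()` ignores NULL. The commit message asserts that it does, but the implementation is not shown on this page, and platforms that supply their own `clk_put()` instead of the common clock framework may behave differently. Presumably the guard existed because some slots can remain NULL, so that should be checked against the 4.9 sources before this cleanup is queued. If the change stays, a short comment such as `/* clk_put() ignores NULL, so unfilled slots are safe here */` would record the assumption, and the braces around the now single-statement `while` body can be dropped. The body of simplefb_clocks_init() starts and ends outside this hunk.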
diff --git a/queue-4.9/video-fbdev-skeletonfb-fix-syntax-errors-in-comments.patch b/queue-4.9/video-fbdev-skeletonfb-fix-syntax-errors-in-comments.patch
new file mode 100644 (file)
index 0000000..038af63
--- /dev/null
@@ -0,0 +1,34 @@
+From 56e18b696e76f7df745950e4fe75c6adb35e28c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Jun 2022 16:59:13 +0800
+Subject: video: fbdev: skeletonfb: Fix syntax errors in comments
+
+From: Xiang wangx <wangxiang@cdjrlc.com>
+
+[ Upstream commit fc378794a2f7a19cf26010dc33b89ba608d4c70f ]
+
+Delete the redundant word 'its'.
+
+Signed-off-by: Xiang wangx <wangxiang@cdjrlc.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/skeletonfb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/skeletonfb.c b/drivers/video/fbdev/skeletonfb.c
+index f948baa16d82..254bb6e2187c 100644
+--- a/drivers/video/fbdev/skeletonfb.c
++++ b/drivers/video/fbdev/skeletonfb.c
+@@ -96,7 +96,7 @@ static struct fb_fix_screeninfo xxxfb_fix = {
+     /*
+      *        Modern graphical hardware not only supports pipelines but some 
+-     *  also support multiple monitors where each display can have its  
++     *  also support multiple monitors where each display can have
+      *  its own unique data. In this case each display could be  
+      *  represented by a separate framebuffer device thus a separate 
+      *  struct fb_info. Now the struct xxx_par represents the graphics
+-- 
+2.35.1
+