Fixes for 4.4
authorSasha Levin <sashal@kernel.org>
Mon, 27 Sep 2021 05:02:49 +0000 (01:02 -0400)
committerSasha Levin <sashal@kernel.org>
Mon, 27 Sep 2021 05:02:49 +0000 (01:02 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
13 files changed:
queue-4.4/alpha-declare-virt_to_phys-and-virt_to_bus-parameter.patch [new file with mode: 0644]
queue-4.4/arm64-mark-__stack_chk_guard-as-__ro_after_init.patch [new file with mode: 0644]
queue-4.4/blktrace-fix-uaf-in-blk_trace-access-after-removing-.patch [new file with mode: 0644]
queue-4.4/compiler.h-introduce-absolute_pointer-macro.patch [new file with mode: 0644]
queue-4.4/m68k-double-cast-io-functions-to-unsigned-long.patch [new file with mode: 0644]
queue-4.4/net-6pack-fix-tx-timeout-and-slot-time.patch [new file with mode: 0644]
queue-4.4/net-i825xx-use-absolute_pointer-for-memcpy-from-fixe.patch [new file with mode: 0644]
queue-4.4/parisc-use-absolute_pointer-to-define-page0.patch [new file with mode: 0644]
queue-4.4/qnx4-avoid-stringop-overread-errors.patch [new file with mode: 0644]
queue-4.4/scsi-iscsi-adjust-iface-sysfs-attr-detection.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/sparc-avoid-stringop-overread-errors.patch [new file with mode: 0644]
queue-4.4/spi-fix-tegra20-build-with-config_pm-n.patch [new file with mode: 0644]

diff --git a/queue-4.4/alpha-declare-virt_to_phys-and-virt_to_bus-parameter.patch b/queue-4.4/alpha-declare-virt_to_phys-and-virt_to_bus-parameter.patch
new file mode 100644 (file)
index 0000000..6fc6b7b
--- /dev/null
@@ -0,0 +1,69 @@
+From e7cabbcf072bb1784329d687bf721f33cc8c6f6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Sep 2021 22:00:33 -0700
+Subject: alpha: Declare virt_to_phys and virt_to_bus parameter as pointer to
+ volatile
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 35a3f4ef0ab543daa1725b0c963eb8c05e3376f8 ]
+
+Some drivers pass a pointer to volatile data to virt_to_bus() and
+virt_to_phys(), and that works fine.  One exception is alpha.  This
+results in a number of compile errors such as
+
+  drivers/net/wan/lmc/lmc_main.c: In function 'lmc_softreset':
+  drivers/net/wan/lmc/lmc_main.c:1782:50: error:
+       passing argument 1 of 'virt_to_bus' discards 'volatile'
+       qualifier from pointer target type
+
+  drivers/atm/ambassador.c: In function 'do_loader_command':
+  drivers/atm/ambassador.c:1747:58: error:
+       passing argument 1 of 'virt_to_bus' discards 'volatile'
+       qualifier from pointer target type
+
+Declare the parameter of virt_to_phys and virt_to_bus as pointer to
+volatile to fix the problem.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/alpha/include/asm/io.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/alpha/include/asm/io.h b/arch/alpha/include/asm/io.h
+index 355aec0867f4..e55a5e6ab460 100644
+--- a/arch/alpha/include/asm/io.h
++++ b/arch/alpha/include/asm/io.h
+@@ -60,7 +60,7 @@ extern inline void set_hae(unsigned long new_hae)
+  * Change virtual addresses to physical addresses and vv.
+  */
+ #ifdef USE_48_BIT_KSEG
+-static inline unsigned long virt_to_phys(void *address)
++static inline unsigned long virt_to_phys(volatile void *address)
+ {
+       return (unsigned long)address - IDENT_ADDR;
+ }
+@@ -70,7 +70,7 @@ static inline void * phys_to_virt(unsigned long address)
+       return (void *) (address + IDENT_ADDR);
+ }
+ #else
+-static inline unsigned long virt_to_phys(void *address)
++static inline unsigned long virt_to_phys(volatile void *address)
+ {
+         unsigned long phys = (unsigned long)address;
+@@ -111,7 +111,7 @@ static inline dma_addr_t __deprecated isa_page_to_bus(struct page *page)
+ extern unsigned long __direct_map_base;
+ extern unsigned long __direct_map_size;
+-static inline unsigned long __deprecated virt_to_bus(void *address)
++static inline unsigned long __deprecated virt_to_bus(volatile void *address)
+ {
+       unsigned long phys = virt_to_phys(address);
+       unsigned long bus = phys + __direct_map_base;
+-- 
+2.33.0
+
diff --git a/queue-4.4/arm64-mark-__stack_chk_guard-as-__ro_after_init.patch b/queue-4.4/arm64-mark-__stack_chk_guard-as-__ro_after_init.patch
new file mode 100644 (file)
index 0000000..3c54a45
--- /dev/null
@@ -0,0 +1,42 @@
+From 6168ccb6944746f80a7a9968d6423f814be821eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 17:44:02 +0800
+Subject: arm64: Mark __stack_chk_guard as __ro_after_init
+
+From: Dan Li <ashimida@linux.alibaba.com>
+
+[ Upstream commit 9fcb2e93f41c07a400885325e7dbdfceba6efaec ]
+
+__stack_chk_guard is setup once while init stage and never changed
+after that.
+
+Although the modification of this variable at runtime will usually
+cause the kernel to crash (so does the attacker), it should be marked
+as __ro_after_init, and it should not affect performance if it is
+placed in the ro_after_init section.
+
+Signed-off-by: Dan Li <ashimida@linux.alibaba.com>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Link: https://lore.kernel.org/r/1631612642-102881-1-git-send-email-ashimida@linux.alibaba.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/process.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c
+index 10d6627673cb..6cd79888944e 100644
+--- a/arch/arm64/kernel/process.c
++++ b/arch/arm64/kernel/process.c
+@@ -55,7 +55,7 @@
+ #ifdef CONFIG_CC_STACKPROTECTOR
+ #include <linux/stackprotector.h>
+-unsigned long __stack_chk_guard __read_mostly;
++unsigned long __stack_chk_guard __ro_after_init;
+ EXPORT_SYMBOL(__stack_chk_guard);
+ #endif
+-- 
+2.33.0
+
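Review bot: `__ro_after_init` on `__stack_chk_guard` only hardens the canary if this tree both defines the attribute and write-protects its section after init, and neither is visible in the hunk. The upstream change was written for a newer kernel, so for the 4.4 queue it is worth confirming that `__ro_after_init` is defined (normally through `linux/cache.h`) and that the arm64 linker script places that section inside the region made read-only after boot. If either is missing, the patch either fails to build or leaves the guard as ordinary writable data. A short comment above the declaration, such as `/* set once during init, read-only afterwards */`, would record why the section was chosen.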
diff --git a/queue-4.4/blktrace-fix-uaf-in-blk_trace-access-after-removing-.patch b/queue-4.4/blktrace-fix-uaf-in-blk_trace-access-after-removing-.patch
new file mode 100644 (file)
index 0000000..9117944
--- /dev/null
@@ -0,0 +1,93 @@
+From e9ea1de8ed1d72834c3b45d31a7ad4bb30b14f86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Sep 2021 21:49:21 +0800
+Subject: blktrace: Fix uaf in blk_trace access after removing by sysfs
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit 5afedf670caf30a2b5a52da96eb7eac7dee6a9c9 ]
+
+There is an use-after-free problem triggered by following process:
+
+      P1(sda)                          P2(sdb)
+                       echo 0 > /sys/block/sdb/trace/enable
+                         blk_trace_remove_queue
+                           synchronize_rcu
+                           blk_trace_free
+                             relay_close
+rcu_read_lock
+__blk_add_trace
+  trace_note_tsk
+  (Iterate running_trace_list)
+                               relay_close_buf
+                                 relay_destroy_buf
+                                   kfree(buf)
+    trace_note(sdb's bt)
+      relay_reserve
+        buf->offset <- nullptr deference (use-after-free) !!!
+rcu_read_unlock
+
+[  502.714379] BUG: kernel NULL pointer dereference, address:
+0000000000000010
+[  502.715260] #PF: supervisor read access in kernel mode
+[  502.715903] #PF: error_code(0x0000) - not-present page
+[  502.716546] PGD 103984067 P4D 103984067 PUD 17592b067 PMD 0
+[  502.717252] Oops: 0000 [#1] SMP
+[  502.720308] RIP: 0010:trace_note.isra.0+0x86/0x360
+[  502.732872] Call Trace:
+[  502.733193]  __blk_add_trace.cold+0x137/0x1a3
+[  502.733734]  blk_add_trace_rq+0x7b/0xd0
+[  502.734207]  blk_add_trace_rq_issue+0x54/0xa0
+[  502.734755]  blk_mq_start_request+0xde/0x1b0
+[  502.735287]  scsi_queue_rq+0x528/0x1140
+...
+[  502.742704]  sg_new_write.isra.0+0x16e/0x3e0
+[  502.747501]  sg_ioctl+0x466/0x1100
+
+Reproduce method:
+  ioctl(/dev/sda, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])
+  ioctl(/dev/sda, BLKTRACESTART)
+  ioctl(/dev/sdb, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])
+  ioctl(/dev/sdb, BLKTRACESTART)
+
+  echo 0 > /sys/block/sdb/trace/enable &
+  // Add delay(mdelay/msleep) before kernel enters blk_trace_free()
+
+  ioctl$SG_IO(/dev/sda, SG_IO, ...)
+  // Enters trace_note_tsk() after blk_trace_free() returned
+  // Use mdelay in rcu region rather than msleep(which may schedule out)
+
+Remove blk_trace from running_list before calling blk_trace_free() by
+sysfs if blk_trace is at Blktrace_running state.
+
+Fixes: c71a896154119f ("blktrace: add ftrace plugin")
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Link: https://lore.kernel.org/r/20210923134921.109194-1-chengzhihao1@huawei.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/blktrace.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
+index 8ac3663e0012..c142e100840e 100644
+--- a/kernel/trace/blktrace.c
++++ b/kernel/trace/blktrace.c
+@@ -1581,6 +1581,14 @@ static int blk_trace_remove_queue(struct request_queue *q)
+       if (bt == NULL)
+               return -EINVAL;
++      if (bt->trace_state == Blktrace_running) {
++              bt->trace_state = Blktrace_stopped;
++              spin_lock_irq(&running_trace_lock);
++              list_del_init(&bt->running_list);
++              spin_unlock_irq(&running_trace_lock);
++              relay_flush(bt->rchan);
++      }
++
+       put_probe_ref();
+       synchronize_rcu();
+       blk_trace_free(bt);
+-- 
+2.33.0
+
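Review bot: The block added to `blk_trace_remove_queue` has no comment explaining why `bt` must leave `running_trace_list` before `synchronize_rcu()` and `blk_trace_free()`, and that ordering is the whole fix. According to the commit message, the list walker in `trace_note_tsk` can still reach a running trace after the grace period has ended, so I would add `/* unlink from running_trace_list first: its walkers are not covered by the synchronize_rcu() below */` above the `if`. The test and update of `bt->trace_state` happen outside `running_trace_lock`; whether the caller serialises this against the ioctl start/stop path is not visible here and should be confirmed. The function starts and ends outside the hunk.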
diff --git a/queue-4.4/compiler.h-introduce-absolute_pointer-macro.patch b/queue-4.4/compiler.h-introduce-absolute_pointer-macro.patch
new file mode 100644 (file)
index 0000000..9ef8ce9
--- /dev/null
@@ -0,0 +1,44 @@
+From 652b97e85a6240edf58959504a254dcce823d6c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 20:52:24 -0700
+Subject: compiler.h: Introduce absolute_pointer macro
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit f6b5f1a56987de837f8e25cd560847106b8632a8 ]
+
+absolute_pointer() disassociates a pointer from its originating symbol
+type and context. Use it to prevent compiler warnings/errors such as
+
+  drivers/net/ethernet/i825xx/82596.c: In function 'i82596_probe':
+  arch/m68k/include/asm/string.h:72:25: error:
+       '__builtin_memcpy' reading 6 bytes from a region of size 0 [-Werror=stringop-overread]
+
+Such warnings may be reported by gcc 11.x for string and memory
+operations on fixed addresses.
+
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/compiler.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/linux/compiler.h b/include/linux/compiler.h
+index 7cabe0cc8665..bc8077e5e688 100644
+--- a/include/linux/compiler.h
++++ b/include/linux/compiler.h
+@@ -208,6 +208,8 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
+     (typeof(ptr)) (__ptr + (off)); })
+ #endif
++#define absolute_pointer(val) RELOC_HIDE((void *)(val), 0)
++
+ #ifndef OPTIMIZER_HIDE_VAR
+ #define OPTIMIZER_HIDE_VAR(var) barrier()
+ #endif
+-- 
+2.33.0
+
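Review bot: `absolute_pointer()` is added to `include/linux/compiler.h` without a comment, although it hides a constant address from the compiler's object-size tracking and so also disables `-Wstringop-overread`-style diagnostics for that access. I would document it, for example `/* Hide a fixed hardware/firmware address from compiler bounds tracking; not for pointers to ordinary objects. */`, so it is not picked up as a general way to silence bounds warnings. The definition depends on `RELOC_HIDE` being defined above it; only the tail of that fallback is visible in the hunk.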
diff --git a/queue-4.4/m68k-double-cast-io-functions-to-unsigned-long.patch b/queue-4.4/m68k-double-cast-io-functions-to-unsigned-long.patch
new file mode 100644 (file)
index 0000000..b20fa60
--- /dev/null
@@ -0,0 +1,68 @@
+From ea8d3942225921c736d8807e2d8aac3628c9e3dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Sep 2021 23:07:29 -0700
+Subject: m68k: Double cast io functions to unsigned long
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit b1a89856fbf63fffde6a4771d8f1ac21df549e50 ]
+
+m68k builds fail widely with errors such as
+
+arch/m68k/include/asm/raw_io.h:20:19: error:
+       cast to pointer from integer of different size
+arch/m68k/include/asm/raw_io.h:30:32: error:
+       cast to pointer from integer of different size [-Werror=int-to-p
+
+On m68k, io functions are defined as macros. The problem is seen if the
+macro parameter variable size differs from the size of a pointer. Cast
+the parameter of all io macros to unsigned long before casting it to
+a pointer to fix the problem.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20210907060729.2391992-1-linux@roeck-us.net
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/include/asm/raw_io.h | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/arch/m68k/include/asm/raw_io.h b/arch/m68k/include/asm/raw_io.h
+index 932faa35655b..2238232c360e 100644
+--- a/arch/m68k/include/asm/raw_io.h
++++ b/arch/m68k/include/asm/raw_io.h
+@@ -30,21 +30,21 @@ extern void __iounmap(void *addr, unsigned long size);
+  * two accesses to memory, which may be undesirable for some devices.
+  */
+ #define in_8(addr) \
+-    ({ u8 __v = (*(__force volatile u8 *) (addr)); __v; })
++    ({ u8 __v = (*(__force volatile u8 *) (unsigned long)(addr)); __v; })
+ #define in_be16(addr) \
+-    ({ u16 __v = (*(__force volatile u16 *) (addr)); __v; })
++    ({ u16 __v = (*(__force volatile u16 *) (unsigned long)(addr)); __v; })
+ #define in_be32(addr) \
+-    ({ u32 __v = (*(__force volatile u32 *) (addr)); __v; })
++    ({ u32 __v = (*(__force volatile u32 *) (unsigned long)(addr)); __v; })
+ #define in_le16(addr) \
+-    ({ u16 __v = le16_to_cpu(*(__force volatile __le16 *) (addr)); __v; })
++    ({ u16 __v = le16_to_cpu(*(__force volatile __le16 *) (unsigned long)(addr)); __v; })
+ #define in_le32(addr) \
+-    ({ u32 __v = le32_to_cpu(*(__force volatile __le32 *) (addr)); __v; })
++    ({ u32 __v = le32_to_cpu(*(__force volatile __le32 *) (unsigned long)(addr)); __v; })
+-#define out_8(addr,b) (void)((*(__force volatile u8 *) (addr)) = (b))
+-#define out_be16(addr,w) (void)((*(__force volatile u16 *) (addr)) = (w))
+-#define out_be32(addr,l) (void)((*(__force volatile u32 *) (addr)) = (l))
+-#define out_le16(addr,w) (void)((*(__force volatile __le16 *) (addr)) = cpu_to_le16(w))
+-#define out_le32(addr,l) (void)((*(__force volatile __le32 *) (addr)) = cpu_to_le32(l))
++#define out_8(addr,b) (void)((*(__force volatile u8 *) (unsigned long)(addr)) = (b))
++#define out_be16(addr,w) (void)((*(__force volatile u16 *) (unsigned long)(addr)) = (w))
++#define out_be32(addr,l) (void)((*(__force volatile u32 *) (unsigned long)(addr)) = (l))
++#define out_le16(addr,w) (void)((*(__force volatile __le16 *) (unsigned long)(addr)) = cpu_to_le16(w))
++#define out_le32(addr,l) (void)((*(__force volatile __le32 *) (unsigned long)(addr)) = cpu_to_le32(l))
+ #define raw_inb in_8
+ #define raw_inw in_be16
+-- 
+2.33.0
+
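Review bot: The `(unsigned long)` cast added to every `in_*` and `out_*` macro removes the integer-to-pointer size diagnostic for all callers, so an `addr` argument wider than a pointer would now be truncated silently instead of failing the build. That is probably fine for the callers the commit message has in mind, but it deserves a comment above `in_8`, for example `/* addr goes through unsigned long so integer arguments of any width compile; callers must pass a valid I/O address */`. Several of the new lines also run well past 80 columns and could be wrapped with the backslash continuation these macros already use.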
diff --git a/queue-4.4/net-6pack-fix-tx-timeout-and-slot-time.patch b/queue-4.4/net-6pack-fix-tx-timeout-and-slot-time.patch
new file mode 100644 (file)
index 0000000..d8c509d
--- /dev/null
@@ -0,0 +1,59 @@
+From 6dd23d7700c0f9db95aa3a44cb0084115179cb26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Sep 2021 20:57:43 -0700
+Subject: net: 6pack: Fix tx timeout and slot time
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 3c0d2a46c0141913dc6fd126c57d0615677d946e ]
+
+tx timeout and slot time are currently specified in units of HZ.  On
+Alpha, HZ is defined as 1024.  When building alpha:allmodconfig, this
+results in the following error message.
+
+  drivers/net/hamradio/6pack.c: In function 'sixpack_open':
+  drivers/net/hamradio/6pack.c:71:41: error:
+       unsigned conversion from 'int' to 'unsigned char'
+       changes value from '256' to '0'
+
+In the 6PACK protocol, tx timeout is specified in units of 10 ms and
+transmitted over the wire:
+
+    https://www.linux-ax25.org/wiki/6PACK
+
+Defining a value dependent on HZ doesn't really make sense, and
+presumably comes from the (very historical) situation where HZ was
+originally 100.
+
+Note that the SIXP_SLOTTIME use explicitly is about 10ms granularity:
+
+        mod_timer(&sp->tx_t, jiffies + ((when + 1) * HZ) / 100);
+
+and the SIXP_TXDELAY walue is sent as a byte over the wire.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/hamradio/6pack.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c
+index cce901add654..908de9e45394 100644
+--- a/drivers/net/hamradio/6pack.c
++++ b/drivers/net/hamradio/6pack.c
+@@ -68,9 +68,9 @@
+ #define SIXP_DAMA_OFF         0
+ /* default level 2 parameters */
+-#define SIXP_TXDELAY                  (HZ/4)  /* in 1 s */
++#define SIXP_TXDELAY                  25      /* 250 ms */
+ #define SIXP_PERSIST                  50      /* in 256ths */
+-#define SIXP_SLOTTIME                 (HZ/10) /* in 1 s */
++#define SIXP_SLOTTIME                 10      /* 100 ms */
+ #define SIXP_INIT_RESYNC_TIMEOUT      (3*HZ/2) /* in 1 s */
+ #define SIXP_RESYNC_TIMEOUT           5*HZ    /* in 1 s */
+-- 
+2.33.0
+
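Review bot: The new comments on `SIXP_TXDELAY` and `SIXP_SLOTTIME` give the resulting duration but not the unit of the constant, while the neighbouring HZ-based defines still read `/* in 1 s */`. The commit message says both values are counted in 10 ms steps and that the TX delay is sent as a byte over the wire. I would therefore write `25 /* in 10 ms units: 250 ms */` and `10 /* in 10 ms units: 100 ms */`, so that a later edit does not reintroduce an HZ expression that overflows the byte.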
diff --git a/queue-4.4/net-i825xx-use-absolute_pointer-for-memcpy-from-fixe.patch b/queue-4.4/net-i825xx-use-absolute_pointer-for-memcpy-from-fixe.patch
new file mode 100644 (file)
index 0000000..5ea534b
--- /dev/null
@@ -0,0 +1,43 @@
+From c81de58ca6ca734f959b8b32e3b644844706ede5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 20:52:25 -0700
+Subject: net: i825xx: Use absolute_pointer for memcpy from fixed memory
+ location
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit dff2d13114f0beec448da9b3716204eb34b0cf41 ]
+
+gcc 11.x reports the following compiler warning/error.
+
+  drivers/net/ethernet/i825xx/82596.c: In function 'i82596_probe':
+  arch/m68k/include/asm/string.h:72:25: error:
+       '__builtin_memcpy' reading 6 bytes from a region of size 0 [-Werror=stringop-overread]
+
+Use absolute_pointer() to work around the problem.
+
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/i825xx/82596.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/i825xx/82596.c b/drivers/net/ethernet/i825xx/82596.c
+index 7ce6379fd1a3..1500027ae18b 100644
+--- a/drivers/net/ethernet/i825xx/82596.c
++++ b/drivers/net/ethernet/i825xx/82596.c
+@@ -1155,7 +1155,7 @@ struct net_device * __init i82596_probe(int unit)
+                       err = -ENODEV;
+                       goto out;
+               }
+-              memcpy(eth_addr, (void *) 0xfffc1f2c, ETH_ALEN);        /* YUCK! Get addr from NOVRAM */
++              memcpy(eth_addr, absolute_pointer(0xfffc1f2c), ETH_ALEN); /* YUCK! Get addr from NOVRAM */
+               dev->base_addr = MVME_I596_BASE;
+               dev->irq = (unsigned) MVME16x_IRQ_I596;
+               goto found;
+-- 
+2.33.0
+
diff --git a/queue-4.4/parisc-use-absolute_pointer-to-define-page0.patch b/queue-4.4/parisc-use-absolute_pointer-to-define-page0.patch
new file mode 100644 (file)
index 0000000..ccac1f6
--- /dev/null
@@ -0,0 +1,38 @@
+From 0625c64de6502ce71c834abbc3dd990880e54a33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Sep 2021 08:35:42 +0200
+Subject: parisc: Use absolute_pointer() to define PAGE0
+
+From: Helge Deller <deller@gmx.de>
+
+[ Upstream commit 90cc7bed1ed19f869ae7221a6b41887fe762a6a3 ]
+
+Use absolute_pointer() wrapper for PAGE0 to avoid this compiler warning:
+
+  arch/parisc/kernel/setup.c: In function 'start_parisc':
+  error: '__builtin_memcmp_eq' specified bound 8 exceeds source size 0
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Co-Developed-by: Guenter Roeck <linux@roeck-us.net>
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/parisc/include/asm/page.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/parisc/include/asm/page.h b/arch/parisc/include/asm/page.h
+index 80e742a1c162..088888fcf8df 100644
+--- a/arch/parisc/include/asm/page.h
++++ b/arch/parisc/include/asm/page.h
+@@ -174,7 +174,7 @@ extern int npmem_ranges;
+ #include <asm-generic/getorder.h>
+ #include <asm/pdc.h>
+-#define PAGE0   ((struct zeropage *)__PAGE_OFFSET)
++#define PAGE0   ((struct zeropage *)absolute_pointer(__PAGE_OFFSET))
+ /* DEFINITION OF THE ZERO-PAGE (PAG0) */
+ /* based on work by Jason Eckhardt (jason@equator.com) */
+-- 
+2.33.0
+
diff --git a/queue-4.4/qnx4-avoid-stringop-overread-errors.patch b/queue-4.4/qnx4-avoid-stringop-overread-errors.patch
new file mode 100644 (file)
index 0000000..0f559ba
--- /dev/null
@@ -0,0 +1,134 @@
+From 125318ed643d3241c7357a92f22e405502b0dcea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Sep 2021 13:56:37 -0700
+Subject: qnx4: avoid stringop-overread errors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+[ Upstream commit b7213ffa0e585feb1aee3e7173e965e66ee0abaa ]
+
+The qnx4 directory entries are 64-byte blocks that have different
+contents depending on the a status byte that is in the last byte of the
+block.
+
+In particular, a directory entry can be either a "link info" entry with
+a 48-byte name and pointers to the real inode information, or an "inode
+entry" with a smaller 16-byte name and the full inode information.
+
+But the code was written to always just treat the directory name as if
+it was part of that "inode entry", and just extend the name to the
+longer case if the status byte said it was a link entry.
+
+That work just fine and gives the right results, but now that gcc is
+tracking data structure accesses much more, the code can trigger a
+compiler error about using up to 48 bytes (the long name) in a structure
+that only has that shorter name in it:
+
+   fs/qnx4/dir.c: In function ‘qnx4_readdir’:
+   fs/qnx4/dir.c:51:32: error: ‘strnlen’ specified bound 48 exceeds source size 16 [-Werror=stringop-overread]
+      51 |                         size = strnlen(de->di_fname, size);
+         |                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~
+   In file included from fs/qnx4/qnx4.h:3,
+                    from fs/qnx4/dir.c:16:
+   include/uapi/linux/qnx4_fs.h:45:25: note: source object declared here
+      45 |         char            di_fname[QNX4_SHORT_NAME_MAX];
+         |                         ^~~~~~~~
+
+which is because the source code doesn't really make this whole "one of
+two different types" explicit.
+
+Fix this by introducing a very explicit union of the two types, and
+basically explaining to the compiler what is really going on.
+
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/qnx4/dir.c | 51 ++++++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 34 insertions(+), 17 deletions(-)
+
+diff --git a/fs/qnx4/dir.c b/fs/qnx4/dir.c
+index b218f965817b..41edf28192cb 100644
+--- a/fs/qnx4/dir.c
++++ b/fs/qnx4/dir.c
+@@ -14,13 +14,27 @@
+ #include <linux/buffer_head.h>
+ #include "qnx4.h"
++/*
++ * A qnx4 directory entry is an inode entry or link info
++ * depending on the status field in the last byte. The
++ * first byte is where the name start either way, and a
++ * zero means it's empty.
++ */
++union qnx4_directory_entry {
++      struct {
++              char de_name;
++              char de_pad[62];
++              char de_status;
++      };
++      struct qnx4_inode_entry inode;
++      struct qnx4_link_info link;
++};
++
+ static int qnx4_readdir(struct file *file, struct dir_context *ctx)
+ {
+       struct inode *inode = file_inode(file);
+       unsigned int offset;
+       struct buffer_head *bh;
+-      struct qnx4_inode_entry *de;
+-      struct qnx4_link_info *le;
+       unsigned long blknum;
+       int ix, ino;
+       int size;
+@@ -37,27 +51,30 @@ static int qnx4_readdir(struct file *file, struct dir_context *ctx)
+               }
+               ix = (ctx->pos >> QNX4_DIR_ENTRY_SIZE_BITS) % QNX4_INODES_PER_BLOCK;
+               for (; ix < QNX4_INODES_PER_BLOCK; ix++, ctx->pos += QNX4_DIR_ENTRY_SIZE) {
++                      union qnx4_directory_entry *de;
++                      const char *name;
++
+                       offset = ix * QNX4_DIR_ENTRY_SIZE;
+-                      de = (struct qnx4_inode_entry *) (bh->b_data + offset);
+-                      if (!de->di_fname[0])
++                      de = (union qnx4_directory_entry *) (bh->b_data + offset);
++
++                      if (!de->de_name)
+                               continue;
+-                      if (!(de->di_status & (QNX4_FILE_USED|QNX4_FILE_LINK)))
++                      if (!(de->de_status & (QNX4_FILE_USED|QNX4_FILE_LINK)))
+                               continue;
+-                      if (!(de->di_status & QNX4_FILE_LINK))
+-                              size = QNX4_SHORT_NAME_MAX;
+-                      else
+-                              size = QNX4_NAME_MAX;
+-                      size = strnlen(de->di_fname, size);
+-                      QNX4DEBUG((KERN_INFO "qnx4_readdir:%.*s\n", size, de->di_fname));
+-                      if (!(de->di_status & QNX4_FILE_LINK))
++                      if (!(de->de_status & QNX4_FILE_LINK)) {
++                              size = sizeof(de->inode.di_fname);
++                              name = de->inode.di_fname;
+                               ino = blknum * QNX4_INODES_PER_BLOCK + ix - 1;
+-                      else {
+-                              le  = (struct qnx4_link_info*)de;
+-                              ino = ( le32_to_cpu(le->dl_inode_blk) - 1 ) *
++                      } else {
++                              size = sizeof(de->link.dl_fname);
++                              name = de->link.dl_fname;
++                              ino = ( le32_to_cpu(de->link.dl_inode_blk) - 1 ) *
+                                       QNX4_INODES_PER_BLOCK +
+-                                      le->dl_inode_ndx;
++                                      de->link.dl_inode_ndx;
+                       }
+-                      if (!dir_emit(ctx, de->di_fname, size, ino, DT_UNKNOWN)) {
++                      size = strnlen(name, size);
++                      QNX4DEBUG((KERN_INFO "qnx4_readdir:%.*s\n", size, name));
++                      if (!dir_emit(ctx, name, size, ino, DT_UNKNOWN)) {
+                               brelse(bh);
+                               return 0;
+                       }
+-- 
+2.33.0
+
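Review bot: `union qnx4_directory_entry` hard-codes the entry layout (`de_pad[62]` puts `de_status` at byte 63), and nothing checks it against the two on-disk structs or `QNX4_DIR_ENTRY_SIZE`. `qnx4_readdir` overlays this union on raw block data, so a layout mismatch would make `de_status` read the wrong byte and select the wrong name length. A compile-time check in `qnx4_readdir`, such as `BUILD_BUG_ON(sizeof(union qnx4_directory_entry) != QNX4_DIR_ENTRY_SIZE);`, would pin it. The link branch still uses `dl_inode_blk` and `dl_inode_ndx` from disk without validation, as the removed code did. `qnx4_readdir` continues outside both hunks.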
diff --git a/queue-4.4/scsi-iscsi-adjust-iface-sysfs-attr-detection.patch b/queue-4.4/scsi-iscsi-adjust-iface-sysfs-attr-detection.patch
new file mode 100644 (file)
index 0000000..141f39d
--- /dev/null
@@ -0,0 +1,53 @@
+From d151a70cfef7c36f1a3a08c1f87eb7d046f3f177 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Sep 2021 16:53:36 +0800
+Subject: scsi: iscsi: Adjust iface sysfs attr detection
+
+From: Baokun Li <libaokun1@huawei.com>
+
+[ Upstream commit 4e28550829258f7dab97383acaa477bd724c0ff4 ]
+
+ISCSI_NET_PARAM_IFACE_ENABLE belongs to enum iscsi_net_param instead of
+iscsi_iface_param so move it to ISCSI_NET_PARAM. Otherwise, when we call
+into the driver, we might not match and return that we don't want attr
+visible in sysfs. Found in code review.
+
+Link: https://lore.kernel.org/r/20210901085336.2264295-1-libaokun1@huawei.com
+Fixes: e746f3451ec7 ("scsi: iscsi: Fix iface sysfs attr detection")
+Reviewed-by: Lee Duncan <lduncan@suse.com>
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_transport_iscsi.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
+index 39d03300d3d9..9906a3b562e9 100644
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -429,9 +429,7 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj,
+       struct iscsi_transport *t = iface->transport;
+       int param = -1;
+-      if (attr == &dev_attr_iface_enabled.attr)
+-              param = ISCSI_NET_PARAM_IFACE_ENABLE;
+-      else if (attr == &dev_attr_iface_def_taskmgmt_tmo.attr)
++      if (attr == &dev_attr_iface_def_taskmgmt_tmo.attr)
+               param = ISCSI_IFACE_PARAM_DEF_TASKMGMT_TMO;
+       else if (attr == &dev_attr_iface_header_digest.attr)
+               param = ISCSI_IFACE_PARAM_HDRDGST_EN;
+@@ -471,7 +469,9 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj,
+       if (param != -1)
+               return t->attr_is_visible(ISCSI_IFACE_PARAM, param);
+-      if (attr == &dev_attr_iface_vlan_id.attr)
++      if (attr == &dev_attr_iface_enabled.attr)
++              param = ISCSI_NET_PARAM_IFACE_ENABLE;
++      else if (attr == &dev_attr_iface_vlan_id.attr)
+               param = ISCSI_NET_PARAM_VLAN_ID;
+       else if (attr == &dev_attr_iface_vlan_priority.attr)
+               param = ISCSI_NET_PARAM_VLAN_PRIORITY;
+-- 
+2.33.0
+
index 241ea3f2fffbbaf110570b325aeabfd2473abbd6..63ff76bb29bc340ea00515834c498ab14dc5cd5f 100644 (file)
@@ -9,3 +9,15 @@ usb-serial-option-remove-duplicate-usb-device-id.patch
 usb-serial-option-add-device-id-for-foxconn-t99w265.patch
 net-hso-fix-muxed-tty-registration.patch
 net-mlx4_en-don-t-allow-arfs-for-encapsulated-packet.patch
+scsi-iscsi-adjust-iface-sysfs-attr-detection.patch
+blktrace-fix-uaf-in-blk_trace-access-after-removing-.patch
+m68k-double-cast-io-functions-to-unsigned-long.patch
+compiler.h-introduce-absolute_pointer-macro.patch
+net-i825xx-use-absolute_pointer-for-memcpy-from-fixe.patch
+sparc-avoid-stringop-overread-errors.patch
+qnx4-avoid-stringop-overread-errors.patch
+parisc-use-absolute_pointer-to-define-page0.patch
+arm64-mark-__stack_chk_guard-as-__ro_after_init.patch
+alpha-declare-virt_to_phys-and-virt_to_bus-parameter.patch
+net-6pack-fix-tx-timeout-and-slot-time.patch
+spi-fix-tegra20-build-with-config_pm-n.patch
diff --git a/queue-4.4/sparc-avoid-stringop-overread-errors.patch b/queue-4.4/sparc-avoid-stringop-overread-errors.patch
new file mode 100644 (file)
index 0000000..0f34b71
--- /dev/null
@@ -0,0 +1,65 @@
+From f840a65b2f169f8c7b3da79c6f9edd10963f2c0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Sep 2021 16:06:04 -0700
+Subject: sparc: avoid stringop-overread errors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+[ Upstream commit fc7c028dcdbfe981bca75d2a7b95f363eb691ef3 ]
+
+The sparc mdesc code does pointer games with 'struct mdesc_hdr', but
+didn't describe to the compiler how that header is then followed by the
+data that the header describes.
+
+As a result, gcc is now unhappy since it does stricter pointer range
+tracking, and doesn't understand about how these things work.  This
+results in various errors like:
+
+    arch/sparc/kernel/mdesc.c: In function ‘mdesc_node_by_name’:
+    arch/sparc/kernel/mdesc.c:647:22: error: ‘strcmp’ reading 1 or more bytes from a region of size 0 [-Werror=stringop-overread]
+      647 |                 if (!strcmp(names + ep[ret].name_offset, name))
+          |                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+which are easily avoided by just describing 'struct mdesc_hdr' better,
+and making the node_block() helper function look into that unsized
+data[] that follows the header.
+
+This makes the sparc64 build happy again at least for my cross-compiler
+version (gcc version 11.2.1).
+
+Link: https://lore.kernel.org/lkml/CAHk-=wi4NW3NC0xWykkw=6LnjQD6D_rtRtxY9g8gQAJXtQMi8A@mail.gmail.com/
+Cc: Guenter Roeck <linux@roeck-us.net>
+Cc: David S. Miller <davem@davemloft.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sparc/kernel/mdesc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/sparc/kernel/mdesc.c b/arch/sparc/kernel/mdesc.c
+index 6f80936e0eea..75445ba7e237 100644
+--- a/arch/sparc/kernel/mdesc.c
++++ b/arch/sparc/kernel/mdesc.c
+@@ -37,6 +37,7 @@ struct mdesc_hdr {
+       u32     node_sz; /* node block size */
+       u32     name_sz; /* name block size */
+       u32     data_sz; /* data block size */
++      char    data[];
+ } __attribute__((aligned(16)));
+ struct mdesc_elem {
+@@ -369,7 +370,7 @@ out:
+ static struct mdesc_elem *node_block(struct mdesc_hdr *mdesc)
+ {
+-      return (struct mdesc_elem *) (mdesc + 1);
++      return (struct mdesc_elem *) mdesc->data;
+ }
+ static void *name_block(struct mdesc_hdr *mdesc)
+-- 
+2.33.0
+
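Review bot: In `node_block()`, returning `mdesc->data` gives the same address as the old `mdesc + 1` only if the flexible member starts exactly at `sizeof(struct mdesc_hdr)`. Because of `__attribute__((aligned(16)))` the struct size is rounded up to a multiple of 16, while `char data[]` is placed directly after `data_sz`. The fields above `node_sz` are outside the hunk, so this presumably holds for the current layout, but nothing enforces it if a field is added later, and every block lookup would then silently read from the wrong offset. A compile-time check in `node_block()` such as `BUILD_BUG_ON(offsetof(struct mdesc_hdr, data) != sizeof(struct mdesc_hdr));` would pin the layout. The new member could also carry a comment like its siblings, e.g. `char data[]; /* blocks sized by the fields above */`.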
diff --git a/queue-4.4/spi-fix-tegra20-build-with-config_pm-n.patch b/queue-4.4/spi-fix-tegra20-build-with-config_pm-n.patch
new file mode 100644 (file)
index 0000000..4c4aa87
--- /dev/null
@@ -0,0 +1,59 @@
+From a9bd95382875a58995f8dadcae3060d22eac6195 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Sep 2021 10:05:06 -0700
+Subject: spi: Fix tegra20 build with CONFIG_PM=n
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+[ Upstream commit efafec27c5658ed987e720130772f8933c685e87 ]
+
+Without CONFIG_PM enabled, the SET_RUNTIME_PM_OPS() macro ends up being
+empty, and the only use of tegra_slink_runtime_{resume,suspend} goes
+away, resulting in
+
+  drivers/spi/spi-tegra20-slink.c:1200:12: error: ‘tegra_slink_runtime_resume’ defined but not used [-Werror=unused-function]
+   1200 | static int tegra_slink_runtime_resume(struct device *dev)
+        |            ^~~~~~~~~~~~~~~~~~~~~~~~~~
+  drivers/spi/spi-tegra20-slink.c:1188:12: error: ‘tegra_slink_runtime_suspend’ defined but not used [-Werror=unused-function]
+   1188 | static int tegra_slink_runtime_suspend(struct device *dev)
+        |            ^~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+mark the functions __maybe_unused to make the build happy.
+
+This hits the alpha allmodconfig build (and others).
+
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-tegra20-slink.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-tegra20-slink.c b/drivers/spi/spi-tegra20-slink.c
+index 9f14560686b6..88bfe7682a9e 100644
+--- a/drivers/spi/spi-tegra20-slink.c
++++ b/drivers/spi/spi-tegra20-slink.c
+@@ -1210,7 +1210,7 @@ static int tegra_slink_resume(struct device *dev)
+ }
+ #endif
+-static int tegra_slink_runtime_suspend(struct device *dev)
++static int __maybe_unused tegra_slink_runtime_suspend(struct device *dev)
+ {
+       struct spi_master *master = dev_get_drvdata(dev);
+       struct tegra_slink_data *tspi = spi_master_get_devdata(master);
+@@ -1222,7 +1222,7 @@ static int tegra_slink_runtime_suspend(struct device *dev)
+       return 0;
+ }
+-static int tegra_slink_runtime_resume(struct device *dev)
++static int __maybe_unused tegra_slink_runtime_resume(struct device *dev)
+ {
+       struct spi_master *master = dev_get_drvdata(dev);
+       struct tegra_slink_data *tspi = spi_master_get_devdata(master);
+-- 
+2.33.0
+
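Review bot: The two runtime PM callbacks are kept alive with `__maybe_unused`, while the callbacks just above them end at a `#endif`, so the file now uses two mechanisms for the same config-dependent-use problem and explains neither. A one-line comment above `tegra_slink_runtime_suspend()` would tell the next reader why the annotation is there, e.g. `/* Only referenced via SET_RUNTIME_PM_OPS(), which is empty when CONFIG_PM=n. */`. The opening of the conditional that the `#endif` closes is outside the hunk, so which option guards the sleep callbacks is an assumption here. The body of `tegra_slink_runtime_resume()` also continues past the end of the second hunk.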