--- /dev/null
+From 651740a502411793327e2f0741104749c4eedcd1 Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Mon, 13 Dec 2021 14:22:33 -0500
+Subject: btrfs: check WRITE_ERR when trying to read an extent buffer
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+commit 651740a502411793327e2f0741104749c4eedcd1 upstream.
+
+Filipe reported a hang when we have errors on btrfs. This turned out to
+be a side-effect of my fix c2e39305299f01 ("btrfs: clear extent buffer
+uptodate when we fail to write it") which made it so we clear
+EXTENT_BUFFER_UPTODATE on an eb when we fail to write it out.
+
+Below is a paste of Filipe's analysis he got from using drgn to debug
+the hang
+
+"""
+btree readahead code calls read_extent_buffer_pages(), sets ->io_pages to
+a value while writeback of all pages has not yet completed:
+ --> writeback for the first 3 pages finishes, we clear
+ EXTENT_BUFFER_UPTODATE from eb on the first page when we get an
+ error.
+ --> at this point eb->io_pages is 1 and we cleared Uptodate bit from the
+ first 3 pages
+ --> read_extent_buffer_pages() does not see EXTENT_BUFFER_UPTODATE() so
+ it continues, it's able to lock the pages since we obviously don't
+ hold the pages locked during writeback
+ --> read_extent_buffer_pages() then computes 'num_reads' as 3, and sets
+ eb->io_pages to 3, since only the first page does not have Uptodate
+ bit set at this point
+ --> writeback for the remaining page completes, we ended decrementing
+ eb->io_pages by 1, resulting in eb->io_pages == 2, and therefore
+ never calling end_extent_buffer_writeback(), so
+ EXTENT_BUFFER_WRITEBACK remains in the eb's flags
+ --> of course, when the read bio completes, it doesn't and shouldn't
+ call end_extent_buffer_writeback()
+ --> we should clear EXTENT_BUFFER_UPTODATE only after all pages of
+ the eb finished writeback? or maybe make the read pages code
+ wait for writeback of all pages of the eb to complete before
+ checking which pages need to be read, touch ->io_pages, submit
+ read bio, etc
+
+writeback bit never cleared means we can hang when aborting a
+transaction, at:
+
+ btrfs_cleanup_one_transaction()
+ btrfs_destroy_marked_extents()
+ wait_on_extent_buffer_writeback()
+"""
+
+This is a problem because our writes are not synchronized with reads in
+any way. We clear the UPTODATE flag and then we can easily come in and
+try to read the EB while we're still waiting on other bio's to
+complete.
+
+We have two options here, we could lock all the pages, and then check to
+see if eb->io_pages != 0 to know if we've already got an outstanding
+write on the eb.
+
+Or we can simply check to see if we have WRITE_ERR set on this extent
+buffer. We set this bit _before_ we clear UPTODATE, so if the read gets
+triggered because we aren't UPTODATE because of a write error we're
+guaranteed to have WRITE_ERR set, and in this case we can simply return
+-EIO. This will fix the reported hang.
+
+Reported-by: Filipe Manana <fdmanana@suse.com>
+Fixes: c2e39305299f01 ("btrfs: clear extent buffer uptodate when we fail to write it")
+CC: stable@vger.kernel.org # 5.4+
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/extent_io.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/btrfs/extent_io.c
++++ b/fs/btrfs/extent_io.c
+@@ -6547,6 +6547,14 @@ int read_extent_buffer_pages(struct exte
+ if (test_bit(EXTENT_BUFFER_UPTODATE, &eb->bflags))
+ return 0;
+
++ /*
++ * We could have had EXTENT_BUFFER_UPTODATE cleared by the write
++ * operation, which could potentially still be in flight. In this case
++ * we simply want to return an error.
++ */
++ if (unlikely(test_bit(EXTENT_BUFFER_WRITE_ERR, &eb->bflags)))
++ return -EIO;
++
+ if (eb->fs_info->sectorsize < PAGE_SIZE)
+ return read_extent_buffer_subpage(eb, wait, mirror_num);
+
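Review bot: the new comment above the `EXTENT_BUFFER_WRITE_ERR` test does not state the ordering the check depends on. The commit message says WRITE_ERR is set before UPTODATE is cleared, and that is the only reason a reader that finds UPTODATE clear is guaranteed to see WRITE_ERR. Put that invariant in the comment so a later reordering on the write-error path does not silently reopen the hang. It is also worth stating there that the caller gets -EIO without a read being attempted, because write bios for the buffer may still be in flight.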
--- /dev/null
+From 33fab972497ae66822c0b6846d4f9382938575b6 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Fri, 10 Dec 2021 19:02:18 +0000
+Subject: btrfs: fix double free of anon_dev after failure to create subvolume
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 33fab972497ae66822c0b6846d4f9382938575b6 upstream.
+
+When creating a subvolume, at create_subvol(), we allocate an anonymous
+device and later call btrfs_get_new_fs_root(), which in turn just calls
+btrfs_get_root_ref(). There we call btrfs_init_fs_root() which assigns
+the anonymous device to the root, but if after that call there's an error,
+when we jump to 'fail' label, we call btrfs_put_root(), which frees the
+anonymous device and then returns an error that is propagated back to
+create_subvol(). Than create_subvol() frees the anonymous device again.
+
+When this happens, if the anonymous device was not reallocated after
+the first time it was freed with btrfs_put_root(), we get a kernel
+message like the following:
+
+ (...)
+ [13950.282466] BTRFS: error (device dm-0) in create_subvol:663: errno=-5 IO failure
+ [13950.283027] ida_free called for id=65 which is not allocated.
+ [13950.285974] BTRFS info (device dm-0): forced readonly
+ (...)
+
+If the anonymous device gets reallocated by another btrfs filesystem
+or any other kernel subsystem, then bad things can happen.
+
+So fix this by setting the root's anonymous device to 0 at
+btrfs_get_root_ref(), before we call btrfs_put_root(), if an error
+happened.
+
+Fixes: 2dfb1e43f57dd3 ("btrfs: preallocate anon block device at first phase of snapshot creation")
+CC: stable@vger.kernel.org # 5.10+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/disk-io.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -1731,6 +1731,14 @@ again:
+ }
+ return root;
+ fail:
++ /*
++ * If our caller provided us an anonymous device, then it's his
++ * responsability to free it in case we fail. So we have to set our
++ * root's anon_dev to 0 to avoid a double free, once by btrfs_put_root()
++ * and once again by our caller.
++ */
++ if (anon_dev)
++ root->anon_dev = 0;
+ btrfs_put_root(root);
+ return ERR_PTR(ret);
+ }
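Review bot: the ownership rule is documented only at the `fail:` label, and the comment misspells "responsibility". Since `if (anon_dev) root->anon_dev = 0;` encodes a contract with the caller (the caller frees a device it passed in when this function fails), state that contract in the function's header comment as well, and word it as "the caller's responsibility".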
--- /dev/null
+From 7a1636089acfee7562fe79aff7d1b4c57869896d Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Mon, 13 Dec 2021 08:45:12 +0000
+Subject: btrfs: fix invalid delayed ref after subvolume creation failure
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 7a1636089acfee7562fe79aff7d1b4c57869896d upstream.
+
+When creating a subvolume, at ioctl.c:create_subvol(), if we fail to
+insert the new root's root item into the root tree, we are freeing the
+metadata extent we reserved for the new root to prevent a metadata
+extent leak, as we don't abort the transaction at that point (since
+there is nothing at that point that is irreversible).
+
+However we allocated the metadata extent for the new root which we are
+creating for the new subvolume, so its delayed reference refers to the
+ID of this new root. But when we free the metadata extent we pass the
+root of the subvolume where the new subvolume is located to
+btrfs_free_tree_block() - this is incorrect because this will generate
+a delayed reference that refers to the ID of the parent subvolume's root,
+and not to ID of the new root.
+
+This results in a failure when running delayed references that leads to
+a transaction abort and a trace like the following:
+
+[3868.738042] RIP: 0010:__btrfs_free_extent+0x709/0x950 [btrfs]
+[3868.739857] Code: 68 0f 85 e6 fb ff (...)
+[3868.742963] RSP: 0018:ffffb0e9045cf910 EFLAGS: 00010246
+[3868.743908] RAX: 00000000fffffffe RBX: 00000000fffffffe RCX: 0000000000000002
+[3868.745312] RDX: 00000000fffffffe RSI: 0000000000000002 RDI: ffff90b0cd793b88
+[3868.746643] RBP: 000000000e5d8000 R08: 0000000000000000 R09: ffff90b0cd793b88
+[3868.747979] R10: 0000000000000002 R11: 00014ded97944d68 R12: 0000000000000000
+[3868.749373] R13: ffff90b09afe4a28 R14: 0000000000000000 R15: ffff90b0cd793b88
+[3868.750725] FS: 00007f281c4a8b80(0000) GS:ffff90b3ada00000(0000) knlGS:0000000000000000
+[3868.752275] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[3868.753515] CR2: 00007f281c6a5000 CR3: 0000000108a42006 CR4: 0000000000370ee0
+[3868.754869] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[3868.756228] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[3868.757803] Call Trace:
+[3868.758281] <TASK>
+[3868.758655] ? btrfs_merge_delayed_refs+0x178/0x1c0 [btrfs]
+[3868.759827] __btrfs_run_delayed_refs+0x2b1/0x1250 [btrfs]
+[3868.761047] btrfs_run_delayed_refs+0x86/0x210 [btrfs]
+[3868.762069] ? lock_acquired+0x19f/0x420
+[3868.762829] btrfs_commit_transaction+0x69/0xb20 [btrfs]
+[3868.763860] ? _raw_spin_unlock+0x29/0x40
+[3868.764614] ? btrfs_block_rsv_release+0x1c2/0x1e0 [btrfs]
+[3868.765870] create_subvol+0x1d8/0x9a0 [btrfs]
+[3868.766766] btrfs_mksubvol+0x447/0x4c0 [btrfs]
+[3868.767669] ? preempt_count_add+0x49/0xa0
+[3868.768444] __btrfs_ioctl_snap_create+0x123/0x190 [btrfs]
+[3868.769639] ? _copy_from_user+0x66/0xa0
+[3868.770391] btrfs_ioctl_snap_create_v2+0xbb/0x140 [btrfs]
+[3868.771495] btrfs_ioctl+0xd1e/0x35c0 [btrfs]
+[3868.772364] ? __slab_free+0x10a/0x360
+[3868.773198] ? rcu_read_lock_sched_held+0x12/0x60
+[3868.774121] ? lock_release+0x223/0x4a0
+[3868.774863] ? lock_acquired+0x19f/0x420
+[3868.775634] ? rcu_read_lock_sched_held+0x12/0x60
+[3868.776530] ? trace_hardirqs_on+0x1b/0xe0
+[3868.777373] ? _raw_spin_unlock_irqrestore+0x3e/0x60
+[3868.778280] ? kmem_cache_free+0x321/0x3c0
+[3868.779011] ? __x64_sys_ioctl+0x83/0xb0
+[3868.779718] __x64_sys_ioctl+0x83/0xb0
+[3868.780387] do_syscall_64+0x3b/0xc0
+[3868.781059] entry_SYSCALL_64_after_hwframe+0x44/0xae
+[3868.781953] RIP: 0033:0x7f281c59e957
+[3868.782585] Code: 3c 1c 48 f7 d8 4c (...)
+[3868.785867] RSP: 002b:00007ffe1f83e2b8 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
+[3868.787198] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f281c59e957
+[3868.788450] RDX: 00007ffe1f83e2c0 RSI: 0000000050009418 RDI: 0000000000000003
+[3868.789748] RBP: 00007ffe1f83f300 R08: 0000000000000000 R09: 00007ffe1f83fe36
+[3868.791214] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000003
+[3868.792468] R13: 0000000000000003 R14: 00007ffe1f83e2c0 R15: 00000000000003cc
+[3868.793765] </TASK>
+[3868.794037] irq event stamp: 0
+[3868.794548] hardirqs last enabled at (0): [<0000000000000000>] 0x0
+[3868.795670] hardirqs last disabled at (0): [<ffffffff98294214>] copy_process+0x934/0x2040
+[3868.797086] softirqs last enabled at (0): [<ffffffff98294214>] copy_process+0x934/0x2040
+[3868.798309] softirqs last disabled at (0): [<0000000000000000>] 0x0
+[3868.799284] ---[ end trace be24c7002fe27747 ]---
+[3868.799928] BTRFS info (device dm-0): leaf 241188864 gen 1268 total ptrs 214 free space 469 owner 2
+[3868.801133] BTRFS info (device dm-0): refs 2 lock_owner 225627 current 225627
+[3868.802056] item 0 key (237436928 169 0) itemoff 16250 itemsize 33
+[3868.802863] extent refs 1 gen 1265 flags 2
+[3868.803447] ref#0: tree block backref root 1610
+(...)
+[3869.064354] item 114 key (241008640 169 0) itemoff 12488 itemsize 33
+[3869.065421] extent refs 1 gen 1268 flags 2
+[3869.066115] ref#0: tree block backref root 1689
+(...)
+[3869.403834] BTRFS error (device dm-0): unable to find ref byte nr 241008640 parent 0 root 1622 owner 0 offset 0
+[3869.405641] BTRFS: error (device dm-0) in __btrfs_free_extent:3076: errno=-2 No such entry
+[3869.407138] BTRFS: error (device dm-0) in btrfs_run_delayed_refs:2159: errno=-2 No such entry
+
+Fix this by passing the new subvolume's root ID to btrfs_free_tree_block().
+This requires changing the root argument of btrfs_free_tree_block() from
+struct btrfs_root * to a u64, since at this point during the subvolume
+creation we have not yet created the struct btrfs_root for the new
+subvolume, and btrfs_free_tree_block() only needs a root ID and nothing
+else from a struct btrfs_root.
+
+This was triggered by test case generic/475 from fstests.
+
+Fixes: 67addf29004c5b ("btrfs: fix metadata extent leak after failure to create subvolume")
+CC: stable@vger.kernel.org # 4.4+
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/ctree.c | 17 +++++++++--------
+ fs/btrfs/ctree.h | 7 ++++++-
+ fs/btrfs/extent-tree.c | 13 +++++++------
+ fs/btrfs/free-space-tree.c | 4 ++--
+ fs/btrfs/ioctl.c | 9 +++++----
+ fs/btrfs/qgroup.c | 3 ++-
+ 6 files changed, 31 insertions(+), 22 deletions(-)
+
+diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
+index 74c8e18f3720..64599625c7d7 100644
+--- a/fs/btrfs/ctree.c
++++ b/fs/btrfs/ctree.c
+@@ -462,8 +462,8 @@ static noinline int __btrfs_cow_block(struct btrfs_trans_handle *trans,
+ BUG_ON(ret < 0);
+ rcu_assign_pointer(root->node, cow);
+
+- btrfs_free_tree_block(trans, root, buf, parent_start,
+- last_ref);
++ btrfs_free_tree_block(trans, btrfs_root_id(root), buf,
++ parent_start, last_ref);
+ free_extent_buffer(buf);
+ add_root_to_dirty_list(root);
+ } else {
+@@ -484,8 +484,8 @@ static noinline int __btrfs_cow_block(struct btrfs_trans_handle *trans,
+ return ret;
+ }
+ }
+- btrfs_free_tree_block(trans, root, buf, parent_start,
+- last_ref);
++ btrfs_free_tree_block(trans, btrfs_root_id(root), buf,
++ parent_start, last_ref);
+ }
+ if (unlock_orig)
+ btrfs_tree_unlock(buf);
+@@ -926,7 +926,7 @@ static noinline int balance_level(struct btrfs_trans_handle *trans,
+ free_extent_buffer(mid);
+
+ root_sub_used(root, mid->len);
+- btrfs_free_tree_block(trans, root, mid, 0, 1);
++ btrfs_free_tree_block(trans, btrfs_root_id(root), mid, 0, 1);
+ /* once for the root ptr */
+ free_extent_buffer_stale(mid);
+ return 0;
+@@ -985,7 +985,8 @@ static noinline int balance_level(struct btrfs_trans_handle *trans,
+ btrfs_tree_unlock(right);
+ del_ptr(root, path, level + 1, pslot + 1);
+ root_sub_used(root, right->len);
+- btrfs_free_tree_block(trans, root, right, 0, 1);
++ btrfs_free_tree_block(trans, btrfs_root_id(root), right,
++ 0, 1);
+ free_extent_buffer_stale(right);
+ right = NULL;
+ } else {
+@@ -1030,7 +1031,7 @@ static noinline int balance_level(struct btrfs_trans_handle *trans,
+ btrfs_tree_unlock(mid);
+ del_ptr(root, path, level + 1, pslot);
+ root_sub_used(root, mid->len);
+- btrfs_free_tree_block(trans, root, mid, 0, 1);
++ btrfs_free_tree_block(trans, btrfs_root_id(root), mid, 0, 1);
+ free_extent_buffer_stale(mid);
+ mid = NULL;
+ } else {
+@@ -4031,7 +4032,7 @@ static noinline void btrfs_del_leaf(struct btrfs_trans_handle *trans,
+ root_sub_used(root, leaf->len);
+
+ atomic_inc(&leaf->refs);
+- btrfs_free_tree_block(trans, root, leaf, 0, 1);
++ btrfs_free_tree_block(trans, btrfs_root_id(root), leaf, 0, 1);
+ free_extent_buffer_stale(leaf);
+ }
+ /*
+diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
+index 7553e9dc5f93..5fe5eccb3c87 100644
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -2257,6 +2257,11 @@ static inline bool btrfs_root_dead(const struct btrfs_root *root)
+ return (root->root_item.flags & cpu_to_le64(BTRFS_ROOT_SUBVOL_DEAD)) != 0;
+ }
+
++static inline u64 btrfs_root_id(const struct btrfs_root *root)
++{
++ return root->root_key.objectid;
++}
++
+ /* struct btrfs_root_backup */
+ BTRFS_SETGET_STACK_FUNCS(backup_tree_root, struct btrfs_root_backup,
+ tree_root, 64);
+@@ -2719,7 +2724,7 @@ struct extent_buffer *btrfs_alloc_tree_block(struct btrfs_trans_handle *trans,
+ u64 empty_size,
+ enum btrfs_lock_nesting nest);
+ void btrfs_free_tree_block(struct btrfs_trans_handle *trans,
+- struct btrfs_root *root,
++ u64 root_id,
+ struct extent_buffer *buf,
+ u64 parent, int last_ref);
+ int btrfs_alloc_reserved_file_extent(struct btrfs_trans_handle *trans,
+diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
+index fc4895e6a62c..25ef6e3fd306 100644
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -3275,20 +3275,20 @@ static noinline int check_ref_cleanup(struct btrfs_trans_handle *trans,
+ }
+
+ void btrfs_free_tree_block(struct btrfs_trans_handle *trans,
+- struct btrfs_root *root,
++ u64 root_id,
+ struct extent_buffer *buf,
+ u64 parent, int last_ref)
+ {
+- struct btrfs_fs_info *fs_info = root->fs_info;
++ struct btrfs_fs_info *fs_info = trans->fs_info;
+ struct btrfs_ref generic_ref = { 0 };
+ int ret;
+
+ btrfs_init_generic_ref(&generic_ref, BTRFS_DROP_DELAYED_REF,
+ buf->start, buf->len, parent);
+ btrfs_init_tree_ref(&generic_ref, btrfs_header_level(buf),
+- root->root_key.objectid, 0, false);
++ root_id, 0, false);
+
+- if (root->root_key.objectid != BTRFS_TREE_LOG_OBJECTID) {
++ if (root_id != BTRFS_TREE_LOG_OBJECTID) {
+ btrfs_ref_tree_mod(fs_info, &generic_ref);
+ ret = btrfs_add_delayed_tree_ref(trans, &generic_ref, NULL);
+ BUG_ON(ret); /* -ENOMEM */
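Review bot: with `root_id` now a bare u64, nothing in the signature of btrfs_free_tree_block() says which root the ID must name, and the compiler can no longer catch a wrong root being passed. Add a comment on the function stating that `root_id` must be the ID of the root that owns `buf`, because it goes straight into `btrfs_init_tree_ref()` and a mismatched ID produces exactly the invalid delayed ref described in the commit message.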
+@@ -3298,7 +3298,7 @@ void btrfs_free_tree_block(struct btrfs_trans_handle *trans,
+ struct btrfs_block_group *cache;
+ bool must_pin = false;
+
+- if (root->root_key.objectid != BTRFS_TREE_LOG_OBJECTID) {
++ if (root_id != BTRFS_TREE_LOG_OBJECTID) {
+ ret = check_ref_cleanup(trans, buf->start);
+ if (!ret) {
+ btrfs_redirty_list_add(trans->transaction, buf);
+@@ -5472,7 +5472,8 @@ static noinline int walk_up_proc(struct btrfs_trans_handle *trans,
+ goto owner_mismatch;
+ }
+
+- btrfs_free_tree_block(trans, root, eb, parent, wc->refs[level] == 1);
++ btrfs_free_tree_block(trans, btrfs_root_id(root), eb, parent,
++ wc->refs[level] == 1);
+ out:
+ wc->refs[level] = 0;
+ wc->flags[level] = 0;
+diff --git a/fs/btrfs/free-space-tree.c b/fs/btrfs/free-space-tree.c
+index a33bca94d133..3abec44c6255 100644
+--- a/fs/btrfs/free-space-tree.c
++++ b/fs/btrfs/free-space-tree.c
+@@ -1256,8 +1256,8 @@ int btrfs_clear_free_space_tree(struct btrfs_fs_info *fs_info)
+ btrfs_tree_lock(free_space_root->node);
+ btrfs_clean_tree_block(free_space_root->node);
+ btrfs_tree_unlock(free_space_root->node);
+- btrfs_free_tree_block(trans, free_space_root, free_space_root->node,
+- 0, 1);
++ btrfs_free_tree_block(trans, btrfs_root_id(free_space_root),
++ free_space_root->node, 0, 1);
+
+ btrfs_put_root(free_space_root);
+
+diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
+index 1b85d98df66b..a7533416370a 100644
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -617,11 +617,12 @@ static noinline int create_subvol(struct user_namespace *mnt_userns,
+ * Since we don't abort the transaction in this case, free the
+ * tree block so that we don't leak space and leave the
+ * filesystem in an inconsistent state (an extent item in the
+- * extent tree without backreferences). Also no need to have
+- * the tree block locked since it is not in any tree at this
+- * point, so no other task can find it and use it.
++ * extent tree with a backreference for a root that does not
++ * exists). Also no need to have the tree block locked since it
++ * is not in any tree at this point, so no other task can find
++ * it and use it.
+ */
+- btrfs_free_tree_block(trans, root, leaf, 0, 1);
++ btrfs_free_tree_block(trans, objectid, leaf, 0, 1);
+ free_extent_buffer(leaf);
+ goto fail;
+ }
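Review bot: in the rewritten comment, "a root that does not exists" should read "does not exist". The call now passes `objectid` where every other caller in this patch passes `btrfs_root_id(root)`; a short remark at the call site that `objectid` is the new subvolume's root ID, and that no struct btrfs_root exists for it yet, would make the difference obvious to the next reader.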
+diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
+index db680f5be745..6c037f1252b7 100644
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -1219,7 +1219,8 @@ int btrfs_quota_disable(struct btrfs_fs_info *fs_info)
+ btrfs_tree_lock(quota_root->node);
+ btrfs_clean_tree_block(quota_root->node);
+ btrfs_tree_unlock(quota_root->node);
+- btrfs_free_tree_block(trans, quota_root, quota_root->node, 0, 1);
++ btrfs_free_tree_block(trans, btrfs_root_id(quota_root),
++ quota_root->node, 0, 1);
+
+ btrfs_put_root(quota_root);
+
+--
+2.34.1
+
--- /dev/null
+From f35838a6930296fc1988764cfa54cb3f705c0665 Mon Sep 17 00:00:00 2001
+From: Jianglei Nie <niejianglei2021@163.com>
+Date: Thu, 9 Dec 2021 14:56:31 +0800
+Subject: btrfs: fix memory leak in __add_inode_ref()
+
+From: Jianglei Nie <niejianglei2021@163.com>
+
+commit f35838a6930296fc1988764cfa54cb3f705c0665 upstream.
+
+Line 1169 (#3) allocates a memory chunk for victim_name by kmalloc(),
+but when the function returns in line 1184 (#4) victim_name allocated
+by line 1169 (#3) is not freed, which will lead to a memory leak.
+There is a similar snippet of code in this function as allocating a memory
+chunk for victim_name in line 1104 (#1) as well as releasing the memory
+in line 1116 (#2).
+
+We should kfree() victim_name when the return value of backref_in_log()
+is less than zero and before the function returns in line 1184 (#4).
+
+1057 static inline int __add_inode_ref(struct btrfs_trans_handle *trans,
+1058 struct btrfs_root *root,
+1059 struct btrfs_path *path,
+1060 struct btrfs_root *log_root,
+1061 struct btrfs_inode *dir,
+1062 struct btrfs_inode *inode,
+1063 u64 inode_objectid, u64 parent_objectid,
+1064 u64 ref_index, char *name, int namelen,
+1065 int *search_done)
+1066 {
+
+1104 victim_name = kmalloc(victim_name_len, GFP_NOFS);
+ // #1: kmalloc (victim_name-1)
+1105 if (!victim_name)
+1106 return -ENOMEM;
+
+1112 ret = backref_in_log(log_root, &search_key,
+1113 parent_objectid, victim_name,
+1114 victim_name_len);
+1115 if (ret < 0) {
+1116 kfree(victim_name); // #2: kfree (victim_name-1)
+1117 return ret;
+1118 } else if (!ret) {
+
+1169 victim_name = kmalloc(victim_name_len, GFP_NOFS);
+ // #3: kmalloc (victim_name-2)
+1170 if (!victim_name)
+1171 return -ENOMEM;
+
+1180 ret = backref_in_log(log_root, &search_key,
+1181 parent_objectid, victim_name,
+1182 victim_name_len);
+1183 if (ret < 0) {
+1184 return ret; // #4: missing kfree (victim_name-2)
+1185 } else if (!ret) {
+
+1241 return 0;
+1242 }
+
+Fixes: d3316c8233bb ("btrfs: Properly handle backref_in_log retval")
+CC: stable@vger.kernel.org # 5.10+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Jianglei Nie <niejianglei2021@163.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -1153,6 +1153,7 @@ again:
+ parent_objectid, victim_name,
+ victim_name_len);
+ if (ret < 0) {
++ kfree(victim_name);
+ return ret;
+ } else if (!ret) {
+ ret = -ENOENT;
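Review bot: this `ret < 0` branch now frees `victim_name`, but the `else if (!ret)` branch that follows sets `ret = -ENOENT` and the context ends before showing how it leaves the function. Please confirm that path also frees `victim_name`. The function carries two copies of the kmalloc() / backref_in_log() / kfree() sequence (the commit message shows both), so a single cleanup label that does the kfree() would keep the two from drifting apart again.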
--- /dev/null
+From 4989d4a0aed3fb30f5b48787a689d7090de6f86d Mon Sep 17 00:00:00 2001
+From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Date: Wed, 15 Dec 2021 19:38:43 +0900
+Subject: btrfs: fix missing blkdev_put() call in btrfs_scan_one_device()
+
+From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+
+commit 4989d4a0aed3fb30f5b48787a689d7090de6f86d upstream.
+
+The function btrfs_scan_one_device() calls blkdev_get_by_path() and
+blkdev_put() to get and release its target block device. However, when
+btrfs_sb_log_location_bdev() fails, blkdev_put() is not called and the
+block device is left without clean up. This triggered failure of fstests
+generic/085. Fix the failure path of btrfs_sb_log_location_bdev() to
+call blkdev_put().
+
+Fixes: 12659251ca5df ("btrfs: implement log-structured superblock for ZONED mode")
+CC: stable@vger.kernel.org # 5.15+
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/volumes.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -1366,8 +1366,10 @@ struct btrfs_device *btrfs_scan_one_devi
+
+ bytenr_orig = btrfs_sb_offset(0);
+ ret = btrfs_sb_log_location_bdev(bdev, 0, READ, &bytenr);
+- if (ret)
+- return ERR_PTR(ret);
++ if (ret) {
++ device = ERR_PTR(ret);
++ goto error_bdev_put;
++ }
+
+ disk_super = btrfs_read_disk_super(bdev, bytenr, bytenr_orig);
+ if (IS_ERR(disk_super)) {
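Review bot: the new `goto error_bdev_put` is taken before `disk_super` is assigned, and the label is outside the visible context. Confirm that the code at `error_bdev_put` only releases the block device and returns `device`, and does not touch `disk_super`.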
--- /dev/null
+From a31080899d5fdafcccf7f39dd214a814a2c82626 Mon Sep 17 00:00:00 2001
+From: Thiago Rafael Becker <trbecker@gmail.com>
+Date: Fri, 17 Dec 2021 15:20:22 -0300
+Subject: cifs: sanitize multiple delimiters in prepath
+
+From: Thiago Rafael Becker <trbecker@gmail.com>
+
+commit a31080899d5fdafcccf7f39dd214a814a2c82626 upstream.
+
+mount.cifs can pass a device with multiple delimiters in it. This will
+cause rename(2) to fail with ENOENT.
+
+V2:
+ - Make sanitize_path more readable.
+ - Fix multiple delimiters between UNC and prepath.
+ - Avoid a memory leak if a bad user starts putting a lot of delimiters
+ in the path on purpose.
+
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=2031200
+Fixes: 24e0a1eff9e2 ("cifs: switch to new mount api")
+Cc: stable@vger.kernel.org # 5.11+
+Acked-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Thiago Rafael Becker <trbecker@gmail.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/fs_context.c | 38 +++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 37 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/fs_context.c
++++ b/fs/cifs/fs_context.c
+@@ -432,6 +432,42 @@ out:
+ }
+
+ /*
++ * Remove duplicate path delimiters. Windows is supposed to do that
++ * but there are some bugs that prevent rename from working if there are
++ * multiple delimiters.
++ *
++ * Returns a sanitized duplicate of @path. The caller is responsible for
++ * cleaning up the original.
++ */
++#define IS_DELIM(c) ((c) == '/' || (c) == '\\')
++static char *sanitize_path(char *path)
++{
++ char *cursor1 = path, *cursor2 = path;
++
++ /* skip all prepended delimiters */
++ while (IS_DELIM(*cursor1))
++ cursor1++;
++
++ /* copy the first letter */
++ *cursor2 = *cursor1;
++
++ /* copy the remainder... */
++ while (*(cursor1++)) {
++ /* ... skipping all duplicated delimiters */
++ if (IS_DELIM(*cursor1) && IS_DELIM(*cursor2))
++ continue;
++ *(++cursor2) = *cursor1;
++ }
++
++ /* if the last character is a delimiter, skip it */
++ if (IS_DELIM(*(cursor2 - 1)))
++ cursor2--;
++
++ *(cursor2) = '\0';
++ return kstrdup(path, GFP_KERNEL);
++}
++
++/*
+ * Parse a devname into substrings and populate the ctx->UNC and ctx->prepath
+ * fields with the result. Returns 0 on success and an error otherwise
+ * (e.g. ENOMEM or EINVAL)
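Review bot: `IS_DELIM(*(cursor2 - 1))` in sanitize_path() reads one byte before the start of the string when nothing was copied. For an input that is empty or made only of delimiters, the skip loop leaves `cursor1` on the terminator, `cursor2` is still equal to `path`, and the trailing-delimiter check then looks at `path[-1]`; if that byte is a delimiter, `cursor2--` makes the final `*(cursor2) = '\0'` write there as well. Guard the check with `cursor2 > path`. The header comment should also say that @path is modified in place, since "Returns a sanitized duplicate" suggests the input is left alone.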
+@@ -490,7 +526,7 @@ smb3_parse_devname(const char *devname,
+ if (!*pos)
+ return 0;
+
+- ctx->prepath = kstrdup(pos, GFP_KERNEL);
++ ctx->prepath = sanitize_path(pos);
+ if (!ctx->prepath)
+ return -ENOMEM;
+
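Review bot: `sanitize_path(pos)` rewrites its argument in place, while this function takes `const char *devname`. If `pos` points into `devname`, the call writes through a buffer the caller was told would not change. Having sanitize_path() take a `const char *` and build the cleaned string in a fresh allocation avoids that and removes the in-place pass followed by kstrdup().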
--- /dev/null
+From dcd10d879a9d1d4e929d374c2f24aba8fac3252b Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Thu, 9 Dec 2021 12:13:53 -0600
+Subject: drm/amd/pm: fix reading SMU FW version from amdgpu_firmware_info on YC
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit dcd10d879a9d1d4e929d374c2f24aba8fac3252b upstream.
+
+This value does not get cached into adev->pm.fw_version during
+startup for smu13 like it does for other SMU like smu12.
+
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c
+@@ -197,6 +197,7 @@ int smu_v13_0_check_fw_status(struct smu
+
+ int smu_v13_0_check_fw_version(struct smu_context *smu)
+ {
++ struct amdgpu_device *adev = smu->adev;
+ uint32_t if_version = 0xff, smu_version = 0xff;
+ uint16_t smu_major;
+ uint8_t smu_minor, smu_debug;
+@@ -209,6 +210,8 @@ int smu_v13_0_check_fw_version(struct sm
+ smu_major = (smu_version >> 16) & 0xffff;
+ smu_minor = (smu_version >> 8) & 0xff;
+ smu_debug = (smu_version >> 0) & 0xff;
++ if (smu->is_apu)
++ adev->pm.fw_version = smu_version;
+
+ switch (smu->adev->asic_type) {
+ case CHIP_ALDEBARAN:
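Review bot: the assignment to `adev->pm.fw_version` is guarded by `if (smu->is_apu)` with no comment, while the commit message says the value is not cached for smu13 in general. Say in a comment why only APUs need it here, or drop the condition if they do not. With the new local `adev` in place, the `switch (smu->adev->asic_type)` just below can use `adev->asic_type`.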
--- /dev/null
+From f3a8076eb28cae1553958c629aecec479394bbe2 Mon Sep 17 00:00:00 2001
+From: Le Ma <le.ma@amd.com>
+Date: Sat, 4 Dec 2021 18:59:08 +0800
+Subject: drm/amdgpu: correct register access for RLC_JUMP_TABLE_RESTORE
+
+From: Le Ma <le.ma@amd.com>
+
+commit f3a8076eb28cae1553958c629aecec479394bbe2 upstream.
+
+should count on GC IP base address
+
+Signed-off-by: Le Ma <le.ma@amd.com>
+Signed-off-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+@@ -3061,8 +3061,8 @@ static void gfx_v9_0_init_pg(struct amdg
+ AMD_PG_SUPPORT_CP |
+ AMD_PG_SUPPORT_GDS |
+ AMD_PG_SUPPORT_RLC_SMU_HS)) {
+- WREG32(mmRLC_JUMP_TABLE_RESTORE,
+- adev->gfx.rlc.cp_table_gpu_addr >> 8);
++ WREG32_SOC15(GC, 0, mmRLC_JUMP_TABLE_RESTORE,
++ adev->gfx.rlc.cp_table_gpu_addr >> 8);
+ gfx_v9_0_init_gfx_power_gating(adev);
+ }
+ }
--- /dev/null
+From 841933d5b8aa853abe68e63827f68f50fab37226 Mon Sep 17 00:00:00 2001
+From: Hawking Zhang <Hawking.Zhang@amd.com>
+Date: Sat, 4 Dec 2021 19:22:12 +0800
+Subject: drm/amdgpu: don't override default ECO_BITs setting
+
+From: Hawking Zhang <Hawking.Zhang@amd.com>
+
+commit 841933d5b8aa853abe68e63827f68f50fab37226 upstream.
+
+Leave this bit as hardware default setting
+
+Signed-off-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gfxhub_v1_0.c | 1 -
+ drivers/gpu/drm/amd/amdgpu/gfxhub_v2_0.c | 1 -
+ drivers/gpu/drm/amd/amdgpu/gfxhub_v2_1.c | 1 -
+ drivers/gpu/drm/amd/amdgpu/mmhub_v1_0.c | 1 -
+ drivers/gpu/drm/amd/amdgpu/mmhub_v1_7.c | 1 -
+ drivers/gpu/drm/amd/amdgpu/mmhub_v2_0.c | 1 -
+ drivers/gpu/drm/amd/amdgpu/mmhub_v2_3.c | 1 -
+ drivers/gpu/drm/amd/amdgpu/mmhub_v9_4.c | 2 --
+ 8 files changed, 9 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gfxhub_v1_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfxhub_v1_0.c
+@@ -162,7 +162,6 @@ static void gfxhub_v1_0_init_tlb_regs(st
+ ENABLE_ADVANCED_DRIVER_MODEL, 1);
+ tmp = REG_SET_FIELD(tmp, MC_VM_MX_L1_TLB_CNTL,
+ SYSTEM_APERTURE_UNMAPPED_ACCESS, 0);
+- tmp = REG_SET_FIELD(tmp, MC_VM_MX_L1_TLB_CNTL, ECO_BITS, 0);
+ tmp = REG_SET_FIELD(tmp, MC_VM_MX_L1_TLB_CNTL,
+ MTYPE, MTYPE_UC);/* XXX for emulation. */
+ tmp = REG_SET_FIELD(tmp, MC_VM_MX_L1_TLB_CNTL, ATC_EN, 1);
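Review bot: dropping the `ECO_BITS` write only leaves the hardware default in place if `tmp` starts from the register's current contents, and the initialisation of `tmp` is above the visible context. Confirm that `tmp` is read back from MC_VM_MX_L1_TLB_CNTL rather than built from zero; the same question applies to each of the other hub files this patch touches. The commit message would also benefit from saying what goes wrong when the bits are forced to 0.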
+--- a/drivers/gpu/drm/amd/amdgpu/gfxhub_v2_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfxhub_v2_0.c
+@@ -196,7 +196,6 @@ static void gfxhub_v2_0_init_tlb_regs(st
+ ENABLE_ADVANCED_DRIVER_MODEL, 1);
+ tmp = REG_SET_FIELD(tmp, GCMC_VM_MX_L1_TLB_CNTL,
+ SYSTEM_APERTURE_UNMAPPED_ACCESS, 0);
+- tmp = REG_SET_FIELD(tmp, GCMC_VM_MX_L1_TLB_CNTL, ECO_BITS, 0);
+ tmp = REG_SET_FIELD(tmp, GCMC_VM_MX_L1_TLB_CNTL,
+ MTYPE, MTYPE_UC); /* UC, uncached */
+
+--- a/drivers/gpu/drm/amd/amdgpu/gfxhub_v2_1.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfxhub_v2_1.c
+@@ -197,7 +197,6 @@ static void gfxhub_v2_1_init_tlb_regs(st
+ ENABLE_ADVANCED_DRIVER_MODEL, 1);
+ tmp = REG_SET_FIELD(tmp, GCMC_VM_MX_L1_TLB_CNTL,
+ SYSTEM_APERTURE_UNMAPPED_ACCESS, 0);
+- tmp = REG_SET_FIELD(tmp, GCMC_VM_MX_L1_TLB_CNTL, ECO_BITS, 0);
+ tmp = REG_SET_FIELD(tmp, GCMC_VM_MX_L1_TLB_CNTL,
+ MTYPE, MTYPE_UC); /* UC, uncached */
+
+--- a/drivers/gpu/drm/amd/amdgpu/mmhub_v1_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/mmhub_v1_0.c
+@@ -145,7 +145,6 @@ static void mmhub_v1_0_init_tlb_regs(str
+ ENABLE_ADVANCED_DRIVER_MODEL, 1);
+ tmp = REG_SET_FIELD(tmp, MC_VM_MX_L1_TLB_CNTL,
+ SYSTEM_APERTURE_UNMAPPED_ACCESS, 0);
+- tmp = REG_SET_FIELD(tmp, MC_VM_MX_L1_TLB_CNTL, ECO_BITS, 0);
+ tmp = REG_SET_FIELD(tmp, MC_VM_MX_L1_TLB_CNTL,
+ MTYPE, MTYPE_UC);/* XXX for emulation. */
+ tmp = REG_SET_FIELD(tmp, MC_VM_MX_L1_TLB_CNTL, ATC_EN, 1);
+--- a/drivers/gpu/drm/amd/amdgpu/mmhub_v1_7.c
++++ b/drivers/gpu/drm/amd/amdgpu/mmhub_v1_7.c
+@@ -165,7 +165,6 @@ static void mmhub_v1_7_init_tlb_regs(str
+ ENABLE_ADVANCED_DRIVER_MODEL, 1);
+ tmp = REG_SET_FIELD(tmp, MC_VM_MX_L1_TLB_CNTL,
+ SYSTEM_APERTURE_UNMAPPED_ACCESS, 0);
+- tmp = REG_SET_FIELD(tmp, MC_VM_MX_L1_TLB_CNTL, ECO_BITS, 0);
+ tmp = REG_SET_FIELD(tmp, MC_VM_MX_L1_TLB_CNTL,
+ MTYPE, MTYPE_UC);/* XXX for emulation. */
+ tmp = REG_SET_FIELD(tmp, MC_VM_MX_L1_TLB_CNTL, ATC_EN, 1);
+--- a/drivers/gpu/drm/amd/amdgpu/mmhub_v2_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/mmhub_v2_0.c
+@@ -269,7 +269,6 @@ static void mmhub_v2_0_init_tlb_regs(str
+ ENABLE_ADVANCED_DRIVER_MODEL, 1);
+ tmp = REG_SET_FIELD(tmp, MMMC_VM_MX_L1_TLB_CNTL,
+ SYSTEM_APERTURE_UNMAPPED_ACCESS, 0);
+- tmp = REG_SET_FIELD(tmp, MMMC_VM_MX_L1_TLB_CNTL, ECO_BITS, 0);
+ tmp = REG_SET_FIELD(tmp, MMMC_VM_MX_L1_TLB_CNTL,
+ MTYPE, MTYPE_UC); /* UC, uncached */
+
+--- a/drivers/gpu/drm/amd/amdgpu/mmhub_v2_3.c
++++ b/drivers/gpu/drm/amd/amdgpu/mmhub_v2_3.c
+@@ -194,7 +194,6 @@ static void mmhub_v2_3_init_tlb_regs(str
+ ENABLE_ADVANCED_DRIVER_MODEL, 1);
+ tmp = REG_SET_FIELD(tmp, MMMC_VM_MX_L1_TLB_CNTL,
+ SYSTEM_APERTURE_UNMAPPED_ACCESS, 0);
+- tmp = REG_SET_FIELD(tmp, MMMC_VM_MX_L1_TLB_CNTL, ECO_BITS, 0);
+ tmp = REG_SET_FIELD(tmp, MMMC_VM_MX_L1_TLB_CNTL,
+ MTYPE, MTYPE_UC); /* UC, uncached */
+
+--- a/drivers/gpu/drm/amd/amdgpu/mmhub_v9_4.c
++++ b/drivers/gpu/drm/amd/amdgpu/mmhub_v9_4.c
+@@ -190,8 +190,6 @@ static void mmhub_v9_4_init_tlb_regs(str
+ tmp = REG_SET_FIELD(tmp, VMSHAREDVC0_MC_VM_MX_L1_TLB_CNTL,
+ SYSTEM_APERTURE_UNMAPPED_ACCESS, 0);
+ tmp = REG_SET_FIELD(tmp, VMSHAREDVC0_MC_VM_MX_L1_TLB_CNTL,
+- ECO_BITS, 0);
+- tmp = REG_SET_FIELD(tmp, VMSHAREDVC0_MC_VM_MX_L1_TLB_CNTL,
+ MTYPE, MTYPE_UC);/* XXX for emulation. */
+ tmp = REG_SET_FIELD(tmp, VMSHAREDVC0_MC_VM_MX_L1_TLB_CNTL,
+ ATC_EN, 1);
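Review bot: In all eight init_tlb_regs hunks, dropping the ECO_BITS write only leaves the field at its hardware default if tmp was loaded from the live register before this REG_SET_FIELD chain. The context lines shown here do not include that read, so please confirm it for each file. The visible part of the commit message also does not say what ECO_BITS controls or what symptom forcing it to 0 caused, which a change tagged for stable should state.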
--- /dev/null
+From edaa26334c117a584add6053f48d63a988d25a6e Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Mon, 13 Dec 2021 14:14:43 -1000
+Subject: iocost: Fix divide-by-zero on donation from low hweight cgroup
+
+From: Tejun Heo <tj@kernel.org>
+
+commit edaa26334c117a584add6053f48d63a988d25a6e upstream.
+
+The donation calculation logic assumes that the donor has non-zero
+after-donation hweight, so the lowest active hweight a donating cgroup can
+have is 2 so that it can donate 1 while keeping the other 1 for itself.
+Earlier, we only donated from cgroups with sizable surpluses so this
+condition was always true. However, with the precise donation algorithm
+implemented, f1de2439ec43 ("blk-iocost: revamp donation amount
+determination") made the donation amount calculation exact enabling even low
+hweight cgroups to donate.
+
+This means that in rare occasions, a cgroup with active hweight of 1 can
+enter donation calculation triggering the following warning and then a
+divide-by-zero oops.
+
+ WARNING: CPU: 4 PID: 0 at block/blk-iocost.c:1928 transfer_surpluses.cold+0x0/0x53 [884/94867]
+ ...
+ RIP: 0010:transfer_surpluses.cold+0x0/0x53
+ Code: 92 ff 48 c7 c7 28 d1 ab b5 65 48 8b 34 25 00 ae 01 00 48 81 c6 90 06 00 00 e8 8b 3f fe ff 48 c7 c0 ea ff ff ff e9 95 ff 92 ff <0f> 0b 48 c7 c7 30 da ab b5 e8 71 3f fe ff 4c 89 e8 4d 85 ed 74 0
+4
+ ...
+ Call Trace:
+ <IRQ>
+ ioc_timer_fn+0x1043/0x1390
+ call_timer_fn+0xa1/0x2c0
+ __run_timers.part.0+0x1ec/0x2e0
+ run_timer_softirq+0x35/0x70
+ ...
+ iocg: invalid donation weights in /a/b: active=1 donating=1 after=0
+
+Fix it by excluding cgroups w/ active hweight < 2 from donating. Excluding
+these extreme low hweight donations shouldn't affect work conservation in
+any meaningful way.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Fixes: f1de2439ec43 ("blk-iocost: revamp donation amount determination")
+Cc: stable@vger.kernel.org # v5.10+
+Link: https://lore.kernel.org/r/Ybfh86iSvpWKxhVM@slm.duckdns.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-iocost.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/block/blk-iocost.c
++++ b/block/blk-iocost.c
+@@ -2311,7 +2311,14 @@ static void ioc_timer_fn(struct timer_li
+ hwm = current_hweight_max(iocg);
+ new_hwi = hweight_after_donation(iocg, old_hwi, hwm,
+ usage, &now);
+- if (new_hwi < hwm) {
++ /*
++ * Donation calculation assumes hweight_after_donation
++ * to be positive, a condition that a donor w/ hwa < 2
++ * can't meet. Don't bother with donation if hwa is
++ * below 2. It's not gonna make a meaningful difference
++ * anyway.
++ */
++ if (new_hwi < hwm && hwa >= 2) {
+ iocg->hweight_donating = hwa;
+ iocg->hweight_after_donation = new_hwi;
+ list_add(&iocg->surplus_list, &surpluses);
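Review bot: The hwa >= 2 guard in ioc_timer_fn() sits where the iocg is queued on the surpluses list, while the divide that oopsed is in transfer_surpluses(), so any other path that queues a donor would need the same guard. Consider also having transfer_surpluses() bail out after the "invalid donation weights" warning instead of continuing into the divide, so a future violation of this assumption ends as a warning rather than an oops. Minor: hwa >= 2 could be tested before calling hweight_after_donation(), which would skip the computation for donors that are rejected anyway.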
--- /dev/null
+From 5da5231bb47864e5dd6c6731151e98b6ee498827 Mon Sep 17 00:00:00 2001
+From: George Kennedy <george.kennedy@oracle.com>
+Date: Tue, 14 Dec 2021 09:45:10 -0500
+Subject: libata: if T_LENGTH is zero, dma direction should be DMA_NONE
+
+From: George Kennedy <george.kennedy@oracle.com>
+
+commit 5da5231bb47864e5dd6c6731151e98b6ee498827 upstream.
+
+Avoid data corruption by rejecting pass-through commands where
+T_LENGTH is zero (No data is transferred) and the dma direction
+is not DMA_NONE.
+
+Cc: <stable@vger.kernel.org>
+Reported-by: syzkaller<syzkaller@googlegroups.com>
+Signed-off-by: George Kennedy<george.kennedy@oracle.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-scsi.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -2826,8 +2826,19 @@ static unsigned int ata_scsi_pass_thru(s
+ goto invalid_fld;
+ }
+
+- if (ata_is_ncq(tf->protocol) && (cdb[2 + cdb_offset] & 0x3) == 0)
+- tf->protocol = ATA_PROT_NCQ_NODATA;
++ if ((cdb[2 + cdb_offset] & 0x3) == 0) {
++ /*
++ * When T_LENGTH is zero (No data is transferred), dir should
++ * be DMA_NONE.
++ */
++ if (scmd->sc_data_direction != DMA_NONE) {
++ fp = 2 + cdb_offset;
++ goto invalid_fld;
++ }
++
++ if (ata_is_ncq(tf->protocol))
++ tf->protocol = ATA_PROT_NCQ_NODATA;
++ }
+
+ /* enable LBA */
+ tf->flags |= ATA_TFLAG_LBA;
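Review bot: The new sc_data_direction check in ata_scsi_pass_thru() applies to every protocol, not only NCQ, so pass-through callers that set a transfer direction while leaving T_LENGTH at zero are now rejected through invalid_fld where they were previously accepted. The commit message should state that behaviour change and explain how the mismatch leads to data corruption. The T_LENGTH mask 0x3 on cdb[2 + cdb_offset] now decides a rejection path and would read better as a named constant.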
--- /dev/null
+From 8f556a326c93213927e683fc32bbf5be1b62540a Mon Sep 17 00:00:00 2001
+From: Zqiang <qiang1.zhang@intel.com>
+Date: Fri, 17 Dec 2021 15:42:07 +0800
+Subject: locking/rtmutex: Fix incorrect condition in rtmutex_spin_on_owner()
+
+From: Zqiang <qiang1.zhang@intel.com>
+
+commit 8f556a326c93213927e683fc32bbf5be1b62540a upstream.
+
+Optimistic spinning needs to be terminated when the spinning waiter is not
+longer the top waiter on the lock, but the condition is negated. It
+terminates if the waiter is the top waiter, which is defeating the whole
+purpose.
+
+Fixes: c3123c431447 ("locking/rtmutex: Dont dereference waiter lockless")
+Signed-off-by: Zqiang <qiang1.zhang@intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20211217074207.77425-1-qiang1.zhang@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/locking/rtmutex.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/locking/rtmutex.c
++++ b/kernel/locking/rtmutex.c
+@@ -1373,7 +1373,7 @@ static bool rtmutex_spin_on_owner(struct
+ * - the VCPU on which owner runs is preempted
+ */
+ if (!owner->on_cpu || need_resched() ||
+- rt_mutex_waiter_is_top_waiter(lock, waiter) ||
++ !rt_mutex_waiter_is_top_waiter(lock, waiter) ||
+ vcpu_is_preempted(task_cpu(owner))) {
+ res = false;
+ break;
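Review bot: The bullet list in the comment above the rt_mutex_waiter_is_top_waiter() test in rtmutex_spin_on_owner() is only partly visible in this hunk; please make sure it says that spinning stops when the waiter is no longer the top waiter, so the comment and the now-negated test agree. The commit message would also be stronger with a line on how the inversion showed up in practice, since the faulty condition was introduced by c3123c431447 without being noticed.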
--- /dev/null
+From 94185adbfad56815c2c8401e16d81bdb74a79201 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Tue, 14 Dec 2021 12:42:14 +0100
+Subject: PCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on error
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 94185adbfad56815c2c8401e16d81bdb74a79201 upstream.
+
+PCI_MSIX_FLAGS_MASKALL is set in the MSI-X control register at MSI-X
+interrupt setup time. It's cleared on success, but the error handling path
+only clears the PCI_MSIX_FLAGS_ENABLE bit.
+
+That's incorrect as the reset state of the PCI_MSIX_FLAGS_MASKALL bit is
+zero. That can be observed via lspci:
+
+ Capabilities: [b0] MSI-X: Enable- Count=67 Masked+
+
+Clear the bit in the error path to restore the reset state.
+
+Fixes: 438553958ba1 ("PCI/MSI: Enable and mask MSI-X early")
+Reported-by: Stefan Roese <sr@denx.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Stefan Roese <sr@denx.de>
+Cc: linux-pci@vger.kernel.org
+Cc: Bjorn Helgaas <bhelgaas@google.com>
+Cc: Michal Simek <michal.simek@xilinx.com>
+Cc: Marek Vasut <marex@denx.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/87tufevoqx.ffs@tglx
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/msi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/msi.c
++++ b/drivers/pci/msi.c
+@@ -776,7 +776,7 @@ out_free:
+ free_msi_irqs(dev);
+
+ out_disable:
+- pci_msix_clear_and_set_ctrl(dev, PCI_MSIX_FLAGS_ENABLE, 0);
++ pci_msix_clear_and_set_ctrl(dev, PCI_MSIX_FLAGS_MASKALL | PCI_MSIX_FLAGS_ENABLE, 0);
+
+ return ret;
+ }
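Review bot: At out_disable the reason for clearing PCI_MSIX_FLAGS_MASKALL (restoring the bit's reset state of zero) is recorded only in the commit message. A one-line comment above the pci_msix_clear_and_set_ctrl() call would keep a later cleanup from reducing the mask to PCI_MSIX_FLAGS_ENABLE again.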
--- /dev/null
+From 83dbf898a2d45289be875deb580e93050ba67529 Mon Sep 17 00:00:00 2001
+From: Stefan Roese <sr@denx.de>
+Date: Tue, 14 Dec 2021 12:49:32 +0100
+Subject: PCI/MSI: Mask MSI-X vectors only on success
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Stefan Roese <sr@denx.de>
+
+commit 83dbf898a2d45289be875deb580e93050ba67529 upstream.
+
+Masking all unused MSI-X entries is done to ensure that a crash kernel
+starts from a clean slate, which correponds to the reset state of the
+device as defined in the PCI-E specificion 3.0 and later:
+
+ Vector Control for MSI-X Table Entries
+ --------------------------------------
+
+ "00: Mask bit: When this bit is set, the function is prohibited from
+ sending a message using this MSI-X Table entry.
+ ...
+ This bit’s state after reset is 1 (entry is masked)."
+
+A Marvell NVME device fails to deliver MSI interrupts after trying to
+enable MSI-X interrupts due to that masking. It seems to take the MSI-X
+mask bits into account even when MSI-X is disabled.
+
+While not specification compliant, this can be cured by moving the masking
+into the success path, so that the MSI-X table entries stay in device reset
+state when the MSI-X setup fails.
+
+[ tglx: Move it into the success path, add comment and amend changelog ]
+
+Fixes: aa8092c1d1f1 ("PCI/MSI: Mask all unused MSI-X entries")
+Signed-off-by: Stefan Roese <sr@denx.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-pci@vger.kernel.org
+Cc: Bjorn Helgaas <bhelgaas@google.com>
+Cc: Michal Simek <michal.simek@xilinx.com>
+Cc: Marek Vasut <marex@denx.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20211210161025.3287927-1-sr@denx.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/msi.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/pci/msi.c
++++ b/drivers/pci/msi.c
+@@ -721,9 +721,6 @@ static int msix_capability_init(struct p
+ goto out_disable;
+ }
+
+- /* Ensure that all table entries are masked. */
+- msix_mask_all(base, tsize);
+-
+ ret = msix_setup_entries(dev, base, entries, nvec, affd);
+ if (ret)
+ goto out_disable;
+@@ -750,6 +747,16 @@ static int msix_capability_init(struct p
+ /* Set MSI-X enabled bits and unmask the function */
+ pci_intx_for_msi(dev, 0);
+ dev->msix_enabled = 1;
++
++ /*
++ * Ensure that all table entries are masked to prevent
++ * stale entries from firing in a crash kernel.
++ *
++ * Done late to deal with a broken Marvell NVME device
++ * which takes the MSI-X mask bits into account even
++ * when MSI-X is disabled, which prevents MSI delivery.
++ */
++ msix_mask_all(base, tsize);
+ pci_msix_clear_and_set_ctrl(dev, PCI_MSIX_FLAGS_MASKALL, 0);
+
+ pcibios_free_irq(dev);
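Review bot: In the second msix_capability_init() hunk, msix_mask_all() has to stay ahead of the pci_msix_clear_and_set_ctrl(dev, PCI_MSIX_FLAGS_MASKALL, 0) call that follows it, otherwise stale entries could fire between the function-level unmask and the per-vector mask. The new comment explains why the call is late but not this ordering constraint, so add a sentence for it. The workaround also changes the failure path for every device, not only the Marvell NVMe part: after a failed setup the table keeps whatever mask state it had on entry, which in a crash kernel may not be the reset state the commit message describes.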
--- /dev/null
+From 0c8e32fe48f549eef27c8c6b0a63530f83c3a643 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Mon, 13 Dec 2021 10:48:28 +0200
+Subject: perf inject: Fix segfault due to close without open
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit 0c8e32fe48f549eef27c8c6b0a63530f83c3a643 upstream.
+
+The fixed commit attempts to close inject.output even if it was never
+opened e.g.
+
+ $ perf record uname
+ Linux
+ [ perf record: Woken up 1 times to write data ]
+ [ perf record: Captured and wrote 0.002 MB perf.data (7 samples) ]
+ $ perf inject -i perf.data --vm-time-correlation=dry-run
+ Segmentation fault (core dumped)
+ $ gdb --quiet perf
+ Reading symbols from perf...
+ (gdb) r inject -i perf.data --vm-time-correlation=dry-run
+ Starting program: /home/ahunter/bin/perf inject -i perf.data --vm-time-correlation=dry-run
+ [Thread debugging using libthread_db enabled]
+ Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
+
+ Program received signal SIGSEGV, Segmentation fault.
+ 0x00007eff8afeef5b in _IO_new_fclose (fp=0x0) at iofclose.c:48
+ 48 iofclose.c: No such file or directory.
+ (gdb) bt
+ #0 0x00007eff8afeef5b in _IO_new_fclose (fp=0x0) at iofclose.c:48
+ #1 0x0000557fc7b74f92 in perf_data__close (data=data@entry=0x7ffcdafa6578) at util/data.c:376
+ #2 0x0000557fc7a6b807 in cmd_inject (argc=<optimized out>, argv=<optimized out>) at builtin-inject.c:1085
+ #3 0x0000557fc7ac4783 in run_builtin (p=0x557fc8074878 <commands+600>, argc=4, argv=0x7ffcdafb6a60) at perf.c:313
+ #4 0x0000557fc7a25d5c in handle_internal_command (argv=<optimized out>, argc=<optimized out>) at perf.c:365
+ #5 run_argv (argcp=<optimized out>, argv=<optimized out>) at perf.c:409
+ #6 main (argc=4, argv=0x7ffcdafb6a60) at perf.c:539
+ (gdb)
+
+Fixes: 02e6246f5364d526 ("perf inject: Close inject.output on exit")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Riccardo Mancini <rickyman7@gmail.com>
+Cc: stable@vger.kernel.org
+Link: http://lore.kernel.org/lkml/20211213084829.114772-2-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/builtin-inject.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/builtin-inject.c
++++ b/tools/perf/builtin-inject.c
+@@ -1069,7 +1069,8 @@ out_delete:
+ zstd_fini(&(inject.session->zstd_data));
+ perf_session__delete(inject.session);
+ out_close_output:
+- perf_data__close(&inject.output);
++ if (!inject.in_place_update)
++ perf_data__close(&inject.output);
+ free(inject.itrace_synth_opts.vm_tm_corr_args);
+ return ret;
+ }
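Review bot: At out_close_output the guard uses inject.in_place_update as a stand-in for "inject.output was opened". The backtrace shows the fault is fclose() on a NULL FILE pointer inside perf_data__close(), so any other jump to this label before the open succeeds would crash the same way. Either arrange the labels so this one is reached only after a successful open, or make perf_data__close() tolerate a perf_data that was never opened.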
--- /dev/null
+From c271a55b0c6029fed0cac909fa57999a11467132 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Mon, 13 Dec 2021 10:48:29 +0200
+Subject: perf inject: Fix segfault due to perf_data__fd() without open
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit c271a55b0c6029fed0cac909fa57999a11467132 upstream.
+
+The fixed commit attempts to get the output file descriptor even if the
+file was never opened e.g.
+
+ $ perf record uname
+ Linux
+ [ perf record: Woken up 1 times to write data ]
+ [ perf record: Captured and wrote 0.002 MB perf.data (7 samples) ]
+ $ perf inject -i perf.data --vm-time-correlation=dry-run
+ Segmentation fault (core dumped)
+ $ gdb --quiet perf
+ Reading symbols from perf...
+ (gdb) r inject -i perf.data --vm-time-correlation=dry-run
+ Starting program: /home/ahunter/bin/perf inject -i perf.data --vm-time-correlation=dry-run
+ [Thread debugging using libthread_db enabled]
+ Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
+
+ Program received signal SIGSEGV, Segmentation fault.
+ __GI___fileno (fp=0x0) at fileno.c:35
+ 35 fileno.c: No such file or directory.
+ (gdb) bt
+ #0 __GI___fileno (fp=0x0) at fileno.c:35
+ #1 0x00005621e48dd987 in perf_data__fd (data=0x7fff4c68bd08) at util/data.h:72
+ #2 perf_data__fd (data=0x7fff4c68bd08) at util/data.h:69
+ #3 cmd_inject (argc=<optimized out>, argv=0x7fff4c69c1f0) at builtin-inject.c:1017
+ #4 0x00005621e4936783 in run_builtin (p=0x5621e4ee6878 <commands+600>, argc=4, argv=0x7fff4c69c1f0) at perf.c:313
+ #5 0x00005621e4897d5c in handle_internal_command (argv=<optimized out>, argc=<optimized out>) at perf.c:365
+ #6 run_argv (argcp=<optimized out>, argv=<optimized out>) at perf.c:409
+ #7 main (argc=4, argv=0x7fff4c69c1f0) at perf.c:539
+ (gdb)
+
+Fixes: 0ae03893623dd1dd ("perf tools: Pass a fd to perf_file_header__read_pipe()")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Riccardo Mancini <rickyman7@gmail.com>
+Cc: stable@vger.kernel.org
+Link: http://lore.kernel.org/lkml/20211213084829.114772-3-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/builtin-inject.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/tools/perf/builtin-inject.c
++++ b/tools/perf/builtin-inject.c
+@@ -755,12 +755,16 @@ static int parse_vm_time_correlation(con
+ return inject->itrace_synth_opts.vm_tm_corr_args ? 0 : -ENOMEM;
+ }
+
++static int output_fd(struct perf_inject *inject)
++{
++ return inject->in_place_update ? -1 : perf_data__fd(&inject->output);
++}
++
+ static int __cmd_inject(struct perf_inject *inject)
+ {
+ int ret = -EINVAL;
+ struct perf_session *session = inject->session;
+- struct perf_data *data_out = &inject->output;
+- int fd = inject->in_place_update ? -1 : perf_data__fd(data_out);
++ int fd = output_fd(inject);
+ u64 output_data_offset;
+
+ signal(SIGINT, sig_handler);
+@@ -1006,7 +1010,7 @@ int cmd_inject(int argc, const char **ar
+ }
+
+ inject.session = __perf_session__new(&data, repipe,
+- perf_data__fd(&inject.output),
++ output_fd(&inject),
+ &inject.tool);
+ if (IS_ERR(inject.session)) {
+ ret = PTR_ERR(inject.session);
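Review bot: output_fd() returns -1 when in_place_update is set, and the cmd_inject() hunk now passes that value straight into __perf_session__new(). Add a short comment on the helper saying that -1 means there is no output file, and confirm the session code treats a negative fd as absent rather than trying to use it.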
--- /dev/null
+From 8734b41b3efe0fc6082c1937b0e88556c396dc96 Mon Sep 17 00:00:00 2001
+From: Russell Currey <ruscur@russell.cc>
+Date: Tue, 23 Nov 2021 18:15:20 +1000
+Subject: powerpc/module_64: Fix livepatching for RO modules
+
+From: Russell Currey <ruscur@russell.cc>
+
+commit 8734b41b3efe0fc6082c1937b0e88556c396dc96 upstream.
+
+Livepatching a loaded module involves applying relocations through
+apply_relocate_add(), which attempts to write to read-only memory when
+CONFIG_STRICT_MODULE_RWX=y. Work around this by performing these
+writes through the text poke area by using patch_instruction().
+
+R_PPC_REL24 is the only relocation type generated by the kpatch-build
+userspace tool or klp-convert kernel tree that I observed applying a
+relocation to a post-init module.
+
+A more comprehensive solution is planned, but using patch_instruction()
+for R_PPC_REL24 on should serve as a sufficient fix.
+
+This does have a performance impact, I observed ~15% overhead in
+module_load() on POWER8 bare metal with checksum verification off.
+
+Fixes: c35717c71e98 ("powerpc: Set ARCH_HAS_STRICT_MODULE_RWX")
+Cc: stable@vger.kernel.org # v5.14+
+Reported-by: Joe Lawrence <joe.lawrence@redhat.com>
+Signed-off-by: Russell Currey <ruscur@russell.cc>
+Tested-by: Joe Lawrence <joe.lawrence@redhat.com>
+[mpe: Check return codes from patch_instruction()]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20211214121248.777249-1-mpe@ellerman.id.au
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/module_64.c | 42 ++++++++++++++++++++++++++++++++--------
+ 1 file changed, 34 insertions(+), 8 deletions(-)
+
+--- a/arch/powerpc/kernel/module_64.c
++++ b/arch/powerpc/kernel/module_64.c
+@@ -422,11 +422,17 @@ static inline int create_stub(const Elf6
+ const char *name)
+ {
+ long reladdr;
++ func_desc_t desc;
++ int i;
+
+ if (is_mprofile_ftrace_call(name))
+ return create_ftrace_stub(entry, addr, me);
+
+- memcpy(entry->jump, ppc64_stub_insns, sizeof(ppc64_stub_insns));
++ for (i = 0; i < sizeof(ppc64_stub_insns) / sizeof(u32); i++) {
++ if (patch_instruction(&entry->jump[i],
++ ppc_inst(ppc64_stub_insns[i])))
++ return 0;
++ }
+
+ /* Stub uses address relative to r2. */
+ reladdr = (unsigned long)entry - my_r2(sechdrs, me);
+@@ -437,10 +443,24 @@ static inline int create_stub(const Elf6
+ }
+ pr_debug("Stub %p get data from reladdr %li\n", entry, reladdr);
+
+- entry->jump[0] |= PPC_HA(reladdr);
+- entry->jump[1] |= PPC_LO(reladdr);
+- entry->funcdata = func_desc(addr);
+- entry->magic = STUB_MAGIC;
++ if (patch_instruction(&entry->jump[0],
++ ppc_inst(entry->jump[0] | PPC_HA(reladdr))))
++ return 0;
++
++ if (patch_instruction(&entry->jump[1],
++ ppc_inst(entry->jump[1] | PPC_LO(reladdr))))
++ return 0;
++
++ // func_desc_t is 8 bytes if ABIv2, else 16 bytes
++ desc = func_desc(addr);
++ for (i = 0; i < sizeof(func_desc_t) / sizeof(u32); i++) {
++ if (patch_instruction(((u32 *)&entry->funcdata) + i,
++ ppc_inst(((u32 *)(&desc))[i])))
++ return 0;
++ }
++
++ if (patch_instruction(&entry->magic, ppc_inst(STUB_MAGIC)))
++ return 0;
+
+ return 1;
+ }
+@@ -495,8 +515,11 @@ static int restore_r2(const char *name,
+ me->name, *instruction, instruction);
+ return 0;
+ }
++
+ /* ld r2,R2_STACK_OFFSET(r1) */
+- *instruction = PPC_INST_LD_TOC;
++ if (patch_instruction(instruction, ppc_inst(PPC_INST_LD_TOC)))
++ return 0;
++
+ return 1;
+ }
+
+@@ -636,9 +659,12 @@ int apply_relocate_add(Elf64_Shdr *sechd
+ }
+
+ /* Only replace bits 2 through 26 */
+- *(uint32_t *)location
+- = (*(uint32_t *)location & ~0x03fffffc)
++ value = (*(uint32_t *)location & ~0x03fffffc)
+ | (value & 0x03fffffc);
++
++ if (patch_instruction((u32 *)location, ppc_inst(value)))
++ return -EFAULT;
++
+ break;
+
+ case R_PPC64_REL64:
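Review bot: In create_stub(), entry->funcdata and entry->magic are data, yet they are now written word by word through patch_instruction(ppc_inst(...)). A comment should say that this is only a way to write through the text poke area, and that the loop over sizeof(func_desc_t) / sizeof(u32) relies on the descriptor size being a multiple of four bytes. A failure partway through returns 0 and leaves a partially written stub, so the caller must not reuse that entry. The failure conventions are also mixed, with create_stub() and restore_r2() returning 0 while apply_relocate_add() returns -EFAULT, which is worth a note in the commit message. The first loop bound could be ARRAY_SIZE(ppc64_stub_insns).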
--- /dev/null
+From 6331b8765cd0634a4e4cdcc1a6f1a74196616b94 Mon Sep 17 00:00:00 2001
+From: Bin Meng <bin.meng@windriver.com>
+Date: Wed, 16 Jun 2021 15:46:44 +0800
+Subject: riscv: dts: unleashed: Add gpio card detect to mmc-spi-slot
+
+From: Bin Meng <bin.meng@windriver.com>
+
+commit 6331b8765cd0634a4e4cdcc1a6f1a74196616b94 upstream.
+
+Per HiFive Unleashed schematics, the card detect signal of the
+micro SD card is connected to gpio pin #11, which should be
+reflected in the DT via the <gpios> property, as described in
+Documentation/devicetree/bindings/mmc/mmc-spi-slot.txt.
+
+[1] https://sifive.cdn.prismic.io/sifive/c52a8e32-05ce-4aaf-95c8-7bf8453f8698_hifive-unleashed-a00-schematics-1.pdf
+
+Signed-off-by: Bin Meng <bin.meng@windriver.com>
+Fixes: d573b5558abb ("riscv: dts: add initial board data for the SiFive HiFive Unmatched")
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/boot/dts/sifive/hifive-unleashed-a00.dts | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/riscv/boot/dts/sifive/hifive-unleashed-a00.dts
++++ b/arch/riscv/boot/dts/sifive/hifive-unleashed-a00.dts
+@@ -80,6 +80,7 @@
+ spi-max-frequency = <20000000>;
+ voltage-ranges = <3300 3300>;
+ disable-wp;
++ gpios = <&gpio 11 GPIO_ACTIVE_LOW>;
+ };
+ };
+
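Review bot: The added gpios line uses GPIO_ACTIVE_LOW, but this hunk adds no #include <dt-bindings/gpio/gpio.h>, while the matching HiFive Unmatched change does add it. Please confirm hifive-unleashed-a00.dts already pulls in that header, otherwise the macro will not resolve when the device tree is built. The Fixes: tag names the commit that added the HiFive Unmatched board data although this patch touches the Unleashed file, and the [1] schematic link is never referenced from the message body.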
--- /dev/null
+From 298d03c2d7f1b5daacb6d4f4053fd3d677d67087 Mon Sep 17 00:00:00 2001
+From: Bin Meng <bin.meng@windriver.com>
+Date: Wed, 16 Jun 2021 15:46:45 +0800
+Subject: riscv: dts: unmatched: Add gpio card detect to mmc-spi-slot
+
+From: Bin Meng <bin.meng@windriver.com>
+
+commit 298d03c2d7f1b5daacb6d4f4053fd3d677d67087 upstream.
+
+Per HiFive Unmatched schematics, the card detect signal of the
+micro SD card is connected to gpio pin #15, which should be
+reflected in the DT via the <gpios> property, as described in
+Documentation/devicetree/bindings/mmc/mmc-spi-slot.txt.
+
+[1] https://sifive.cdn.prismic.io/sifive/6a06d6c0-6e66-49b5-8e9e-e68ce76f4192_hifive-unmatched-schematics-v3.pdf
+
+Signed-off-by: Bin Meng <bin.meng@windriver.com>
+Fixes: d573b5558abb ("riscv: dts: add initial board data for the SiFive HiFive Unmatched")
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/boot/dts/sifive/hifive-unmatched-a00.dts | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/riscv/boot/dts/sifive/hifive-unmatched-a00.dts
++++ b/arch/riscv/boot/dts/sifive/hifive-unmatched-a00.dts
+@@ -2,6 +2,7 @@
+ /* Copyright (c) 2020 SiFive, Inc */
+
+ #include "fu740-c000.dtsi"
++#include <dt-bindings/gpio/gpio.h>
+ #include <dt-bindings/interrupt-controller/irq.h>
+
+ /* Clock frequency (in Hz) of the PCB crystal for rtcclk */
+@@ -228,6 +229,7 @@
+ spi-max-frequency = <20000000>;
+ voltage-ranges = <3300 3300>;
+ disable-wp;
++ gpios = <&gpio 15 GPIO_ACTIVE_LOW>;
+ };
+ };
+
--- /dev/null
+From cc274ae7763d9700a56659f3228641d7069e7a3f Mon Sep 17 00:00:00 2001
+From: Scott Mayhew <smayhew@redhat.com>
+Date: Wed, 15 Dec 2021 16:28:40 -0500
+Subject: selinux: fix sleeping function called from invalid context
+
+From: Scott Mayhew <smayhew@redhat.com>
+
+commit cc274ae7763d9700a56659f3228641d7069e7a3f upstream.
+
+selinux_sb_mnt_opts_compat() is called via sget_fc() under the sb_lock
+spinlock, so it can't use GFP_KERNEL allocations:
+
+[ 868.565200] BUG: sleeping function called from invalid context at
+ include/linux/sched/mm.h:230
+[ 868.568246] in_atomic(): 1, irqs_disabled(): 0,
+ non_block: 0, pid: 4914, name: mount.nfs
+[ 868.569626] preempt_count: 1, expected: 0
+[ 868.570215] RCU nest depth: 0, expected: 0
+[ 868.570809] Preemption disabled at:
+[ 868.570810] [<0000000000000000>] 0x0
+[ 868.571848] CPU: 1 PID: 4914 Comm: mount.nfs Kdump: loaded
+ Tainted: G W 5.16.0-rc5.2585cf9dfa #1
+[ 868.573273] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009),
+ BIOS 1.14.0-4.fc34 04/01/2014
+[ 868.574478] Call Trace:
+[ 868.574844] <TASK>
+[ 868.575156] dump_stack_lvl+0x34/0x44
+[ 868.575692] __might_resched.cold+0xd6/0x10f
+[ 868.576308] slab_pre_alloc_hook.constprop.0+0x89/0xf0
+[ 868.577046] __kmalloc_track_caller+0x72/0x420
+[ 868.577684] ? security_context_to_sid_core+0x48/0x2b0
+[ 868.578569] kmemdup_nul+0x22/0x50
+[ 868.579108] security_context_to_sid_core+0x48/0x2b0
+[ 868.579854] ? _nfs4_proc_pathconf+0xff/0x110 [nfsv4]
+[ 868.580742] ? nfs_reconfigure+0x80/0x80 [nfs]
+[ 868.581355] security_context_str_to_sid+0x36/0x40
+[ 868.581960] selinux_sb_mnt_opts_compat+0xb5/0x1e0
+[ 868.582550] ? nfs_reconfigure+0x80/0x80 [nfs]
+[ 868.583098] security_sb_mnt_opts_compat+0x2a/0x40
+[ 868.583676] nfs_compare_super+0x113/0x220 [nfs]
+[ 868.584249] ? nfs_try_mount_request+0x210/0x210 [nfs]
+[ 868.584879] sget_fc+0xb5/0x2f0
+[ 868.585267] nfs_get_tree_common+0x91/0x4a0 [nfs]
+[ 868.585834] vfs_get_tree+0x25/0xb0
+[ 868.586241] fc_mount+0xe/0x30
+[ 868.586605] do_nfs4_mount+0x130/0x380 [nfsv4]
+[ 868.587160] nfs4_try_get_tree+0x47/0xb0 [nfsv4]
+[ 868.587724] vfs_get_tree+0x25/0xb0
+[ 868.588193] do_new_mount+0x176/0x310
+[ 868.588782] __x64_sys_mount+0x103/0x140
+[ 868.589388] do_syscall_64+0x3b/0x90
+[ 868.589935] entry_SYSCALL_64_after_hwframe+0x44/0xae
+[ 868.590699] RIP: 0033:0x7f2b371c6c4e
+[ 868.591239] Code: 48 8b 0d dd 71 0e 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e
+ 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00
+ 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d aa 71
+ 0e 00 f7 d8 64 89 01 48
+[ 868.593810] RSP: 002b:00007ffc83775d88 EFLAGS: 00000246
+ ORIG_RAX: 00000000000000a5
+[ 868.594691] RAX: ffffffffffffffda RBX: 00007ffc83775f10 RCX: 00007f2b371c6c4e
+[ 868.595504] RDX: 0000555d517247a0 RSI: 0000555d51724700 RDI: 0000555d51724540
+[ 868.596317] RBP: 00007ffc83775f10 R08: 0000555d51726890 R09: 0000555d51726890
+[ 868.597162] R10: 0000000000000000 R11: 0000000000000246 R12: 0000555d51726890
+[ 868.598005] R13: 0000000000000003 R14: 0000555d517246e0 R15: 0000555d511ac925
+[ 868.598826] </TASK>
+
+Cc: stable@vger.kernel.org
+Fixes: 69c4a42d72eb ("lsm,selinux: add new hook to compare new mount to an existing mount")
+Signed-off-by: Scott Mayhew <smayhew@redhat.com>
+[PM: cleanup/line-wrap the backtrace]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/selinux/hooks.c | 33 +++++++++++++++++++--------------
+ 1 file changed, 19 insertions(+), 14 deletions(-)
+
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -611,10 +611,11 @@ static int bad_option(struct superblock_
+ return 0;
+ }
+
+-static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
++static int parse_sid(struct super_block *sb, const char *s, u32 *sid,
++ gfp_t gfp)
+ {
+ int rc = security_context_str_to_sid(&selinux_state, s,
+- sid, GFP_KERNEL);
++ sid, gfp);
+ if (rc)
+ pr_warn("SELinux: security_context_str_to_sid"
+ "(%s) failed for (dev %s, type %s) errno=%d\n",
+@@ -685,7 +686,8 @@ static int selinux_set_mnt_opts(struct s
+ */
+ if (opts) {
+ if (opts->fscontext) {
+- rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
++ rc = parse_sid(sb, opts->fscontext, &fscontext_sid,
++ GFP_KERNEL);
+ if (rc)
+ goto out;
+ if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
+@@ -694,7 +696,8 @@ static int selinux_set_mnt_opts(struct s
+ sbsec->flags |= FSCONTEXT_MNT;
+ }
+ if (opts->context) {
+- rc = parse_sid(sb, opts->context, &context_sid);
++ rc = parse_sid(sb, opts->context, &context_sid,
++ GFP_KERNEL);
+ if (rc)
+ goto out;
+ if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
+@@ -703,7 +706,8 @@ static int selinux_set_mnt_opts(struct s
+ sbsec->flags |= CONTEXT_MNT;
+ }
+ if (opts->rootcontext) {
+- rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
++ rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid,
++ GFP_KERNEL);
+ if (rc)
+ goto out;
+ if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
+@@ -712,7 +716,8 @@ static int selinux_set_mnt_opts(struct s
+ sbsec->flags |= ROOTCONTEXT_MNT;
+ }
+ if (opts->defcontext) {
+- rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
++ rc = parse_sid(sb, opts->defcontext, &defcontext_sid,
++ GFP_KERNEL);
+ if (rc)
+ goto out;
+ if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
+@@ -2701,14 +2706,14 @@ static int selinux_sb_mnt_opts_compat(st
+ return (sbsec->flags & SE_MNTMASK) ? 1 : 0;
+
+ if (opts->fscontext) {
+- rc = parse_sid(sb, opts->fscontext, &sid);
++ rc = parse_sid(sb, opts->fscontext, &sid, GFP_NOWAIT);
+ if (rc)
+ return 1;
+ if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
+ return 1;
+ }
+ if (opts->context) {
+- rc = parse_sid(sb, opts->context, &sid);
++ rc = parse_sid(sb, opts->context, &sid, GFP_NOWAIT);
+ if (rc)
+ return 1;
+ if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
+@@ -2718,14 +2723,14 @@ static int selinux_sb_mnt_opts_compat(st
+ struct inode_security_struct *root_isec;
+
+ root_isec = backing_inode_security(sb->s_root);
+- rc = parse_sid(sb, opts->rootcontext, &sid);
++ rc = parse_sid(sb, opts->rootcontext, &sid, GFP_NOWAIT);
+ if (rc)
+ return 1;
+ if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
+ return 1;
+ }
+ if (opts->defcontext) {
+- rc = parse_sid(sb, opts->defcontext, &sid);
++ rc = parse_sid(sb, opts->defcontext, &sid, GFP_NOWAIT);
+ if (rc)
+ return 1;
+ if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
+@@ -2748,14 +2753,14 @@ static int selinux_sb_remount(struct sup
+ return 0;
+
+ if (opts->fscontext) {
+- rc = parse_sid(sb, opts->fscontext, &sid);
++ rc = parse_sid(sb, opts->fscontext, &sid, GFP_KERNEL);
+ if (rc)
+ return rc;
+ if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
+ goto out_bad_option;
+ }
+ if (opts->context) {
+- rc = parse_sid(sb, opts->context, &sid);
++ rc = parse_sid(sb, opts->context, &sid, GFP_KERNEL);
+ if (rc)
+ return rc;
+ if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
+@@ -2764,14 +2769,14 @@ static int selinux_sb_remount(struct sup
+ if (opts->rootcontext) {
+ struct inode_security_struct *root_isec;
+ root_isec = backing_inode_security(sb->s_root);
+- rc = parse_sid(sb, opts->rootcontext, &sid);
++ rc = parse_sid(sb, opts->rootcontext, &sid, GFP_KERNEL);
+ if (rc)
+ return rc;
+ if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
+ goto out_bad_option;
+ }
+ if (opts->defcontext) {
+- rc = parse_sid(sb, opts->defcontext, &sid);
++ rc = parse_sid(sb, opts->defcontext, &sid, GFP_KERNEL);
+ if (rc)
+ return rc;
+ if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
--- /dev/null
+From 6c33ff728812aa18792afffaf2c9873b898e7512 Mon Sep 17 00:00:00 2001
+From: "Ji-Ze Hong (Peter Hong)" <hpeter@gmail.com>
+Date: Wed, 15 Dec 2021 15:58:35 +0800
+Subject: serial: 8250_fintek: Fix garbled text for console
+
+From: Ji-Ze Hong (Peter Hong) <hpeter@gmail.com>
+
+commit 6c33ff728812aa18792afffaf2c9873b898e7512 upstream.
+
+Commit fab8a02b73eb ("serial: 8250_fintek: Enable high speed mode on Fintek F81866")
+introduced support to use high baudrate with Fintek SuperIO UARTs. It'll
+change clocksources when the UART probed.
+
+But when user add kernel parameter "console=ttyS0,115200 console=tty0" to make
+the UART as console output, the console will output garbled text after the
+following kernel message.
+
+[ 3.681188] Serial: 8250/16550 driver, 32 ports, IRQ sharing enabled
+
+The issue is occurs in following step:
+ probe_setup_port() -> fintek_8250_goto_highspeed()
+
+It change clocksource from 115200 to 921600 with wrong time, it should change
+clocksource in set_termios() not in probed. The following 3 patches are
+implemented change clocksource in fintek_8250_set_termios().
+
+Commit 58178914ae5b ("serial: 8250_fintek: UART dynamic clocksource on Fintek F81216H")
+Commit 195638b6d44f ("serial: 8250_fintek: UART dynamic clocksource on Fintek F81866")
+Commit 423d9118c624 ("serial: 8250_fintek: Add F81966 Support")
+
+Due to the high baud rate had implemented above 3 patches and the patch
+Commit fab8a02b73eb ("serial: 8250_fintek: Enable high speed mode on Fintek F81866")
+is bugged, So this patch will remove it.
+
+Fixes: fab8a02b73eb ("serial: 8250_fintek: Enable high speed mode on Fintek F81866")
+Signed-off-by: Ji-Ze Hong (Peter Hong) <hpeter+linux_kernel@gmail.com>
+Link: https://lore.kernel.org/r/20211215075835.2072-1-hpeter+linux_kernel@gmail.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250_fintek.c | 20 --------------------
+ 1 file changed, 20 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_fintek.c
++++ b/drivers/tty/serial/8250/8250_fintek.c
+@@ -290,25 +290,6 @@ static void fintek_8250_set_max_fifo(str
+ }
+ }
+
+-static void fintek_8250_goto_highspeed(struct uart_8250_port *uart,
+- struct fintek_8250 *pdata)
+-{
+- sio_write_reg(pdata, LDN, pdata->index);
+-
+- switch (pdata->pid) {
+- case CHIP_ID_F81966:
+- case CHIP_ID_F81866: /* set uart clock for high speed serial mode */
+- sio_write_mask_reg(pdata, F81866_UART_CLK,
+- F81866_UART_CLK_MASK,
+- F81866_UART_CLK_14_769MHZ);
+-
+- uart->port.uartclk = 921600 * 16;
+- break;
+- default: /* leave clock speed untouched */
+- break;
+- }
+-}
+-
+ static void fintek_8250_set_termios(struct uart_port *port,
+ struct ktermios *termios,
+ struct ktermios *old)
+@@ -430,7 +411,6 @@ static int probe_setup_port(struct finte
+
+ fintek_8250_set_irq_mode(pdata, level_mode);
+ fintek_8250_set_max_fifo(pdata);
+- fintek_8250_goto_highspeed(uart, pdata);
+
+ fintek_8250_exit_key(addr[i]);
+
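Review bot: dropping the fintek_8250_goto_highspeed() call from probe_setup_port() is only harmless on a tree that already carries the three set_termios clocksource commits the changelog names (58178914ae5b, 195638b6d44f, 423d9118c624); on a branch without them, F81866/F81966 would lose the 921600 * 16 uartclk setup entirely. Confirm that for each stable branch this is queued for, or record the dependency in the changelog.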
usb-gadget-brequesttype-is-a-bitfield-not-a-enum.patch
revert-usb-early-convert-to-readl_poll_timeout_atomi.patch
kvm-x86-drop-guest-cpuid-check-for-host-initiated-wr.patch
+tty-n_hdlc-make-n_hdlc_tty_wakeup-asynchronous.patch
+usb-no_lpm-quirk-lenovo-usb-c-to-ethernet-adapher-rtl8153-04.patch
+usb-dwc2-fix-stm-id-vbus-detection-startup-delay-in-dwc2_driver_probe.patch
+pci-msi-clear-pci_msix_flags_maskall-on-error.patch
+pci-msi-mask-msi-x-vectors-only-on-success.patch
+usb-xhci-mtk-fix-list_del-warning-when-enable-list-debug.patch
+usb-xhci-extend-support-for-runtime-power-management-for-amd-s-yellow-carp.patch
+usb-cdnsp-fix-incorrect-status-for-control-request.patch
+usb-cdnsp-fix-incorrect-calling-of-cdnsp_died-function.patch
+usb-cdnsp-fix-issue-in-cdnsp_log_ep-trace-event.patch
+usb-cdnsp-fix-lack-of-spin_lock_irqsave-spin_lock_restore.patch
+usb-typec-tcpm-fix-tcpm-unregister-port-but-leave-a-pending-timer.patch
+usb-gadget-u_ether-fix-race-in-setting-mac-address-in-setup-phase.patch
+usb-serial-cp210x-fix-cp2105-gpio-registration.patch
+usb-serial-option-add-telit-fn990-compositions.patch
+selinux-fix-sleeping-function-called-from-invalid-context.patch
+btrfs-fix-memory-leak-in-__add_inode_ref.patch
+btrfs-fix-double-free-of-anon_dev-after-failure-to-create-subvolume.patch
+btrfs-check-write_err-when-trying-to-read-an-extent-buffer.patch
+btrfs-fix-missing-blkdev_put-call-in-btrfs_scan_one_device.patch
+zonefs-add-module_alias_fs.patch
+iocost-fix-divide-by-zero-on-donation-from-low-hweight-cgroup.patch
+serial-8250_fintek-fix-garbled-text-for-console.patch
+timekeeping-really-make-sure-wall_to_monotonic-isn-t-positive.patch
+cifs-sanitize-multiple-delimiters-in-prepath.patch
+locking-rtmutex-fix-incorrect-condition-in-rtmutex_spin_on_owner.patch
+riscv-dts-unleashed-add-gpio-card-detect-to-mmc-spi-slot.patch
+riscv-dts-unmatched-add-gpio-card-detect-to-mmc-spi-slot.patch
+perf-inject-fix-segfault-due-to-close-without-open.patch
+perf-inject-fix-segfault-due-to-perf_data__fd-without-open.patch
+libata-if-t_length-is-zero-dma-direction-should-be-dma_none.patch
+powerpc-module_64-fix-livepatching-for-ro-modules.patch
+drm-amdgpu-correct-register-access-for-rlc_jump_table_restore.patch
+drm-amdgpu-don-t-override-default-eco_bits-setting.patch
+drm-amd-pm-fix-reading-smu-fw-version-from-amdgpu_firmware_info-on-yc.patch
+btrfs-fix-invalid-delayed-ref-after-subvolume-creation-failure.patch
--- /dev/null
+From 4e8c11b6b3f0b6a283e898344f154641eda94266 Mon Sep 17 00:00:00 2001
+From: Yu Liao <liaoyu15@huawei.com>
+Date: Mon, 13 Dec 2021 21:57:27 +0800
+Subject: timekeeping: Really make sure wall_to_monotonic isn't positive
+
+From: Yu Liao <liaoyu15@huawei.com>
+
+commit 4e8c11b6b3f0b6a283e898344f154641eda94266 upstream.
+
+Even after commit e1d7ba873555 ("time: Always make sure wall_to_monotonic
+isn't positive") it is still possible to make wall_to_monotonic positive
+by running the following code:
+
+ int main(void)
+ {
+ struct timespec time;
+
+ clock_gettime(CLOCK_MONOTONIC, &time);
+ time.tv_nsec = 0;
+ clock_settime(CLOCK_REALTIME, &time);
+ return 0;
+ }
+
+The reason is that the second parameter of timespec64_compare(), ts_delta,
+may be unnormalized because the delta is calculated with an open coded
+substraction which causes the comparison of tv_sec to yield the wrong
+result:
+
+ wall_to_monotonic = { .tv_sec = -10, .tv_nsec = 900000000 }
+ ts_delta = { .tv_sec = -9, .tv_nsec = -900000000 }
+
+That makes timespec64_compare() claim that wall_to_monotonic < ts_delta,
+but actually the result should be wall_to_monotonic > ts_delta.
+
+After normalization, the result of timespec64_compare() is correct because
+the tv_sec comparison is not longer misleading:
+
+ wall_to_monotonic = { .tv_sec = -10, .tv_nsec = 900000000 }
+ ts_delta = { .tv_sec = -10, .tv_nsec = 100000000 }
+
+Use timespec64_sub() to ensure that ts_delta is normalized, which fixes the
+issue.
+
+Fixes: e1d7ba873555 ("time: Always make sure wall_to_monotonic isn't positive")
+Signed-off-by: Yu Liao <liaoyu15@huawei.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20211213135727.1656662-1-liaoyu15@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/time/timekeeping.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/kernel/time/timekeeping.c
++++ b/kernel/time/timekeeping.c
+@@ -1306,8 +1306,7 @@ int do_settimeofday64(const struct times
+ timekeeping_forward_now(tk);
+
+ xt = tk_xtime(tk);
+- ts_delta.tv_sec = ts->tv_sec - xt.tv_sec;
+- ts_delta.tv_nsec = ts->tv_nsec - xt.tv_nsec;
++ ts_delta = timespec64_sub(*ts, xt);
+
+ if (timespec64_compare(&tk->wall_to_monotonic, &ts_delta) > 0) {
+ ret = -EINVAL;
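Review bot: the timespec64_compare(&tk->wall_to_monotonic, &ts_delta) check just below the new line is only correct when both operands are normalized, and nothing at this call site says so. A one-line comment above "ts_delta = timespec64_sub(*ts, xt);" stating that the comparison needs a normalized delta would keep a later cleanup from reintroducing the open-coded subtraction.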
--- /dev/null
+From 1ee33b1ca2b8dabfcc17198ffd049a6b55674a86 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+Date: Wed, 15 Dec 2021 20:52:40 +0900
+Subject: tty: n_hdlc: make n_hdlc_tty_wakeup() asynchronous
+
+From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+
+commit 1ee33b1ca2b8dabfcc17198ffd049a6b55674a86 upstream.
+
+syzbot is reporting that an unprivileged user who logged in from tty
+console can crash the system using a reproducer shown below [1], for
+n_hdlc_tty_wakeup() is synchronously calling n_hdlc_send_frames().
+
+----------
+ #include <sys/ioctl.h>
+ #include <unistd.h>
+
+ int main(int argc, char *argv[])
+ {
+ const int disc = 0xd;
+
+ ioctl(1, TIOCSETD, &disc);
+ while (1) {
+ ioctl(1, TCXONC, 0);
+ write(1, "", 1);
+ ioctl(1, TCXONC, 1); /* Kernel panic - not syncing: scheduling while atomic */
+ }
+ }
+----------
+
+Linus suspected that "struct tty_ldisc"->ops->write_wakeup() must not
+sleep, and Jiri confirmed it from include/linux/tty_ldisc.h. Thus, defer
+n_hdlc_send_frames() from n_hdlc_tty_wakeup() to a WQ context like
+net/nfc/nci/uart.c does.
+
+Link: https://syzkaller.appspot.com/bug?extid=5f47a8cea6a12b77a876 [1]
+Reported-by: syzbot <syzbot+5f47a8cea6a12b77a876@syzkaller.appspotmail.com>
+Cc: stable <stable@vger.kernel.org>
+Analyzed-by: Fabio M. De Francesco <fmdefrancesco@gmail.com>
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Confirmed-by: Jiri Slaby <jirislaby@kernel.org>
+Reviewed-by: Fabio M. De Francesco <fmdefrancesco@gmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Link: https://lore.kernel.org/r/40de8b7e-a3be-4486-4e33-1b1d1da452f8@i-love.sakura.ne.jp
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/n_hdlc.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/n_hdlc.c
++++ b/drivers/tty/n_hdlc.c
+@@ -140,6 +140,8 @@ struct n_hdlc {
+ struct n_hdlc_buf_list rx_buf_list;
+ struct n_hdlc_buf_list tx_free_buf_list;
+ struct n_hdlc_buf_list rx_free_buf_list;
++ struct work_struct write_work;
++ struct tty_struct *tty_for_write_work;
+ };
+
+ /*
+@@ -154,6 +156,7 @@ static struct n_hdlc_buf *n_hdlc_buf_get
+ /* Local functions */
+
+ static struct n_hdlc *n_hdlc_alloc(void);
++static void n_hdlc_tty_write_work(struct work_struct *work);
+
+ /* max frame size for memory allocations */
+ static int maxframe = 4096;
+@@ -210,6 +213,8 @@ static void n_hdlc_tty_close(struct tty_
+ wake_up_interruptible(&tty->read_wait);
+ wake_up_interruptible(&tty->write_wait);
+
++ cancel_work_sync(&n_hdlc->write_work);
++
+ n_hdlc_free_buf_list(&n_hdlc->rx_free_buf_list);
+ n_hdlc_free_buf_list(&n_hdlc->tx_free_buf_list);
+ n_hdlc_free_buf_list(&n_hdlc->rx_buf_list);
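Review bot: cancel_work_sync() in n_hdlc_tty_close() only covers work queued before it returns, while n_hdlc_tty_wakeup() in this patch calls schedule_work() unconditionally. The buffer lists freed right after this call are safe only if write_wakeup cannot run once close has started; if the tty layer guarantees that, add a short comment here saying so, otherwise a late work item can touch freed state.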
+@@ -241,6 +246,8 @@ static int n_hdlc_tty_open(struct tty_st
+ return -ENFILE;
+ }
+
++ INIT_WORK(&n_hdlc->write_work, n_hdlc_tty_write_work);
++ n_hdlc->tty_for_write_work = tty;
+ tty->disc_data = n_hdlc;
+ tty->receive_room = 65536;
+
+@@ -335,6 +342,20 @@ check_again:
+ } /* end of n_hdlc_send_frames() */
+
+ /**
++ * n_hdlc_tty_write_work - Asynchronous callback for transmit wakeup
++ * @work: pointer to work_struct
++ *
++ * Called when low level device driver can accept more send data.
++ */
++static void n_hdlc_tty_write_work(struct work_struct *work)
++{
++ struct n_hdlc *n_hdlc = container_of(work, struct n_hdlc, write_work);
++ struct tty_struct *tty = n_hdlc->tty_for_write_work;
++
++ n_hdlc_send_frames(n_hdlc, tty);
++} /* end of n_hdlc_tty_write_work() */
++
++/**
+ * n_hdlc_tty_wakeup - Callback for transmit wakeup
+ * @tty: pointer to associated tty instance data
+ *
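Review bot: the kernel-doc for n_hdlc_tty_write_work() repeats the wakeup callback's description ("Called when low level device driver can accept more send data"), but this function runs later from a workqueue, which is the reason the patch exists. Document that it runs in process context and is where n_hdlc_send_frames() is allowed to sleep, so the purpose of the indirection is recorded next to the code.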
+@@ -344,7 +365,7 @@ static void n_hdlc_tty_wakeup(struct tty
+ {
+ struct n_hdlc *n_hdlc = tty->disc_data;
+
+- n_hdlc_send_frames(n_hdlc, tty);
++ schedule_work(&n_hdlc->write_work);
+ } /* end of n_hdlc_tty_wakeup() */
+
+ /**
--- /dev/null
+From 16f00d969afe60e233c1a91af7ac840df60d3536 Mon Sep 17 00:00:00 2001
+From: Pawel Laszczak <pawell@cadence.com>
+Date: Fri, 10 Dec 2021 12:29:45 +0100
+Subject: usb: cdnsp: Fix incorrect calling of cdnsp_died function
+
+From: Pawel Laszczak <pawell@cadence.com>
+
+commit 16f00d969afe60e233c1a91af7ac840df60d3536 upstream.
+
+Patch restrict calling of cdnsp_died function during removing modules
+or software disconnect.
+This function was called because after transition controller to HALT
+state the driver starts handling the deferred interrupt.
+In this case such interrupt can be simple ignored.
+
+Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
+cc: <stable@vger.kernel.org>
+Reviewed-by: Peter Chen <peter.chen@kernel.org>
+Signed-off-by: Pawel Laszczak <pawell@cadence.com>
+Link: https://lore.kernel.org/r/20211210112945.660-1-pawell@gli-login.cadence.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/cdns3/cdnsp-ring.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/cdns3/cdnsp-ring.c
++++ b/drivers/usb/cdns3/cdnsp-ring.c
+@@ -1525,7 +1525,14 @@ irqreturn_t cdnsp_thread_irq_handler(int
+ spin_lock_irqsave(&pdev->lock, flags);
+
+ if (pdev->cdnsp_state & (CDNSP_STATE_HALTED | CDNSP_STATE_DYING)) {
+- cdnsp_died(pdev);
++ /*
++ * While removing or stopping driver there may still be deferred
++ * not handled interrupt which should not be treated as error.
++ * Driver should simply ignore it.
++ */
++ if (pdev->gadget_driver)
++ cdnsp_died(pdev);
++
+ spin_unlock_irqrestore(&pdev->lock, flags);
+ return IRQ_HANDLED;
+ }
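Review bot: the new "if (pdev->gadget_driver)" test uses the bound-driver pointer as a stand-in for "module removal or software disconnect in progress", and the comment does not say that this is what the pointer means here. Name the condition in the comment, and confirm that gadget_driver is cleared under pdev->lock, since this read happens with the lock held and an unlocked clear could still race with the handler.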
--- /dev/null
+From 99ea221f2e2f2743314e348b25c1e2574b467528 Mon Sep 17 00:00:00 2001
+From: Pawel Laszczak <pawell@cadence.com>
+Date: Tue, 7 Dec 2021 10:18:38 +0100
+Subject: usb: cdnsp: Fix incorrect status for control request
+
+From: Pawel Laszczak <pawell@cadence.com>
+
+commit 99ea221f2e2f2743314e348b25c1e2574b467528 upstream.
+
+Patch fixes incorrect status for control request.
+Without this fix all usb_request objects were returned to upper drivers
+with usb_reqest->status field set to -EINPROGRESS.
+
+Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
+cc: <stable@vger.kernel.org>
+Reported-by: Ken (Jian) He <jianhe@ambarella.com>
+Reviewed-by: Peter Chen <peter.chen@kernel.org>
+Signed-off-by: Pawel Laszczak <pawell@cadence.com>
+Link: https://lore.kernel.org/r/20211207091838.39572-1-pawell@gli-login.cadence.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/cdns3/cdnsp-ring.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/cdns3/cdnsp-ring.c
++++ b/drivers/usb/cdns3/cdnsp-ring.c
+@@ -1029,6 +1029,8 @@ static void cdnsp_process_ctrl_td(struct
+ return;
+ }
+
++ *status = 0;
++
+ cdnsp_finish_td(pdev, td, event, pep, status);
+ }
+
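Review bot: "*status = 0;" is assigned unconditionally right before cdnsp_finish_td(), so whatever the earlier part of cdnsp_process_ctrl_td() may have stored in *status is overwritten. If every error path above returns early (as the visible "return;" suggests), a one-line comment stating that would settle it; if not, an error would now be reported to the upper driver as success.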
--- /dev/null
+From 50931ba27d1665c8b038cd1d16c5869301f32fd6 Mon Sep 17 00:00:00 2001
+From: Pawel Laszczak <pawell@cadence.com>
+Date: Mon, 13 Dec 2021 06:06:09 +0100
+Subject: usb: cdnsp: Fix issue in cdnsp_log_ep trace event
+
+From: Pawel Laszczak <pawell@cadence.com>
+
+commit 50931ba27d1665c8b038cd1d16c5869301f32fd6 upstream.
+
+Patch fixes incorrect order of __entry->stream_id and __entry->state
+parameters in TP_printk macro.
+
+Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
+cc: <stable@vger.kernel.org>
+Reviewed-by: Peter Chen <peter.chen@kernel.org>
+Signed-off-by: Pawel Laszczak <pawell@cadence.com>
+Link: https://lore.kernel.org/r/20211213050609.22640-1-pawell@gli-login.cadence.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/cdns3/cdnsp-trace.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/cdns3/cdnsp-trace.h
++++ b/drivers/usb/cdns3/cdnsp-trace.h
+@@ -57,9 +57,9 @@ DECLARE_EVENT_CLASS(cdnsp_log_ep,
+ __entry->first_prime_det = pep->stream_info.first_prime_det;
+ __entry->drbls_count = pep->stream_info.drbls_count;
+ ),
+- TP_printk("%s: SID: %08x ep state: %x stream: enabled: %d num %d "
++ TP_printk("%s: SID: %08x, ep state: %x, stream: enabled: %d num %d "
+ "tds %d, first prime: %d drbls %d",
+- __get_str(name), __entry->state, __entry->stream_id,
++ __get_str(name), __entry->stream_id, __entry->state,
+ __entry->enabled, __entry->num_streams, __entry->td_count,
+ __entry->first_prime_det, __entry->drbls_count)
+ );
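Review bot: besides swapping __entry->stream_id and __entry->state, the TP_printk format string gains commas after the SID and ep state fields, which the changelog does not mention. Anything parsing cdnsp_log_ep output will see a format change in a stable update; either mention it in the changelog or keep the punctuation as it was and change only the argument order.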
--- /dev/null
+From 4c4e162d9cf38528c4f13df09d5755cbc06f6c77 Mon Sep 17 00:00:00 2001
+From: Pawel Laszczak <pawell@cadence.com>
+Date: Tue, 14 Dec 2021 05:55:27 +0100
+Subject: usb: cdnsp: Fix lack of spin_lock_irqsave/spin_lock_restore
+
+From: Pawel Laszczak <pawell@cadence.com>
+
+commit 4c4e162d9cf38528c4f13df09d5755cbc06f6c77 upstream.
+
+Patch puts content of cdnsp_gadget_pullup function inside
+spin_lock_irqsave and spin_lock_restore section.
+This construction is required here to keep the data consistency,
+otherwise some data can be changed e.g. from interrupt context.
+
+Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
+Reported-by: Ken (Jian) He <jianhe@ambarella.com>
+cc: <stable@vger.kernel.org>
+Signed-off-by: Pawel Laszczak <pawell@cadence.com>
+Reviewed-by: Peter Chen <peter.chen@kernel.org>
+Link: https://lore.kernel.org/r/20211214045527.26823-1-pawell@gli-login.cadence.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/cdns3/cdnsp-gadget.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/usb/cdns3/cdnsp-gadget.c
++++ b/drivers/usb/cdns3/cdnsp-gadget.c
+@@ -1541,15 +1541,27 @@ static int cdnsp_gadget_pullup(struct us
+ {
+ struct cdnsp_device *pdev = gadget_to_cdnsp(gadget);
+ struct cdns *cdns = dev_get_drvdata(pdev->dev);
++ unsigned long flags;
+
+ trace_cdnsp_pullup(is_on);
+
++ /*
++ * Disable events handling while controller is being
++ * enabled/disabled.
++ */
++ disable_irq(cdns->dev_irq);
++ spin_lock_irqsave(&pdev->lock, flags);
++
+ if (!is_on) {
+ cdnsp_reset_device(pdev);
+ cdns_clear_vbus(cdns);
+ } else {
+ cdns_set_vbus(cdns);
+ }
++
++ spin_unlock_irqrestore(&pdev->lock, flags);
++ enable_irq(cdns->dev_irq);
++
+ return 0;
+ }
+
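Review bot: the hunk also brackets the section with disable_irq(cdns->dev_irq) and enable_irq(), which the changelog never mentions (it speaks only of the spinlock, and names a nonexistent "spin_lock_restore"). Explain why masking the device interrupt is needed on top of pdev->lock, and check that cdnsp_reset_device(), cdns_clear_vbus() and cdns_set_vbus() cannot sleep, since they now run under spin_lock_irqsave().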
--- /dev/null
+From fac6bf87c55f7f0733efb0375565fb6a50cf2caf Mon Sep 17 00:00:00 2001
+From: Amelie Delaunay <amelie.delaunay@foss.st.com>
+Date: Tue, 7 Dec 2021 13:45:10 +0100
+Subject: usb: dwc2: fix STM ID/VBUS detection startup delay in dwc2_driver_probe
+
+From: Amelie Delaunay <amelie.delaunay@foss.st.com>
+
+commit fac6bf87c55f7f0733efb0375565fb6a50cf2caf upstream.
+
+When activate_stm_id_vb_detection is enabled, ID and Vbus detection relies
+on sensing comparators. This detection needs time to stabilize.
+A delay was already applied in dwc2_resume() when reactivating the
+detection, but it wasn't done in dwc2_probe().
+This patch adds delay after enabling STM ID/VBUS detection. Then, ID state
+is good when initializing gadget and host, and avoid to get a wrong
+Connector ID Status Change interrupt.
+
+Fixes: a415083a11cc ("usb: dwc2: add support for STM32MP15 SoCs USB OTG HS and FS")
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
+Signed-off-by: Amelie Delaunay <amelie.delaunay@foss.st.com>
+Link: https://lore.kernel.org/r/20211207124510.268841-1-amelie.delaunay@foss.st.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc2/platform.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/dwc2/platform.c
++++ b/drivers/usb/dwc2/platform.c
+@@ -575,6 +575,9 @@ static int dwc2_driver_probe(struct plat
+ ggpio |= GGPIO_STM32_OTG_GCCFG_IDEN;
+ ggpio |= GGPIO_STM32_OTG_GCCFG_VBDEN;
+ dwc2_writel(hsotg, ggpio, GGPIO);
++
++ /* ID/VBUS detection startup time */
++ usleep_range(5000, 7000);
+ }
+
+ retval = dwc2_drd_init(hsotg);
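Review bot: the 5000 to 7000 us range passed to usleep_range() is a bare magic number, and the changelog says dwc2_resume() already applies a delay for the same reason. Put the value behind one named constant or small helper shared by probe and resume so the two cannot drift apart, and note in the comment where the startup time comes from.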
--- /dev/null
+From 890d5b40908bfd1a79be018d2d297cf9df60f4ee Mon Sep 17 00:00:00 2001
+From: Marian Postevca <posteuca@mutex.one>
+Date: Sat, 4 Dec 2021 23:49:12 +0200
+Subject: usb: gadget: u_ether: fix race in setting MAC address in setup phase
+
+From: Marian Postevca <posteuca@mutex.one>
+
+commit 890d5b40908bfd1a79be018d2d297cf9df60f4ee upstream.
+
+When listening for notifications through netlink of a new interface being
+registered, sporadically, it is possible for the MAC to be read as zero.
+The zero MAC address lasts a short period of time and then switches to a
+valid random MAC address.
+
+This causes problems for netd in Android, which assumes that the interface
+is malfunctioning and will not use it.
+
+In the good case we get this log:
+InterfaceController::getCfg() ifName usb0
+ hwAddr 92:a8:f0:73:79:5b ipv4Addr 0.0.0.0 flags 0x1002
+
+In the error case we get these logs:
+InterfaceController::getCfg() ifName usb0
+ hwAddr 00:00:00:00:00:00 ipv4Addr 0.0.0.0 flags 0x1002
+
+netd : interfaceGetCfg("usb0")
+netd : interfaceSetCfg() -> ServiceSpecificException
+ (99, "[Cannot assign requested address] : ioctl() failed")
+
+The reason for the issue is the order in which the interface is setup,
+it is first registered through register_netdev() and after the MAC
+address is set.
+
+Fixed by first setting the MAC address of the net_device and after that
+calling register_netdev().
+
+Fixes: bcd4a1c40bee885e ("usb: gadget: u_ether: construct with default values and add setters/getters")
+Cc: stable@vger.kernel.org
+Signed-off-by: Marian Postevca <posteuca@mutex.one>
+Link: https://lore.kernel.org/r/20211204214912.17627-1-posteuca@mutex.one
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/u_ether.c | 16 ++++++----------
+ 1 file changed, 6 insertions(+), 10 deletions(-)
+
+--- a/drivers/usb/gadget/function/u_ether.c
++++ b/drivers/usb/gadget/function/u_ether.c
+@@ -17,6 +17,7 @@
+ #include <linux/etherdevice.h>
+ #include <linux/ethtool.h>
+ #include <linux/if_vlan.h>
++#include <linux/etherdevice.h>
+
+ #include "u_ether.h"
+
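Review bot: the added "#include <linux/etherdevice.h>" duplicates the include already present three lines above in the unchanged context of this hunk. Drop the new line; eth_hw_addr_set() is covered by the existing include.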
+@@ -861,19 +862,23 @@ int gether_register_netdev(struct net_de
+ {
+ struct eth_dev *dev;
+ struct usb_gadget *g;
+- struct sockaddr sa;
+ int status;
+
+ if (!net->dev.parent)
+ return -EINVAL;
+ dev = netdev_priv(net);
+ g = dev->gadget;
++
++ net->addr_assign_type = NET_ADDR_RANDOM;
++ eth_hw_addr_set(net, dev->dev_mac);
++
+ status = register_netdev(net);
+ if (status < 0) {
+ dev_dbg(&g->dev, "register_netdev failed, %d\n", status);
+ return status;
+ } else {
+ INFO(dev, "HOST MAC %pM\n", dev->host_mac);
++ INFO(dev, "MAC %pM\n", dev->dev_mac);
+
+ /* two kinds of host-initiated state changes:
+ * - iff DATA transfer is active, carrier is "on"
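Review bot: "net->addr_assign_type = NET_ADDR_RANDOM;" is set unconditionally before eth_hw_addr_set(net, dev->dev_mac). If dev->dev_mac can be supplied by the user rather than generated, the interface will advertise a configured address as random; set the type only when the address was generated, or add a comment explaining why it is always random at this point.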
+@@ -881,15 +886,6 @@ int gether_register_netdev(struct net_de
+ */
+ netif_carrier_off(net);
+ }
+- sa.sa_family = net->type;
+- memcpy(sa.sa_data, dev->dev_mac, ETH_ALEN);
+- rtnl_lock();
+- status = dev_set_mac_address(net, &sa, NULL);
+- rtnl_unlock();
+- if (status)
+- pr_warn("cannot set self ethernet address: %d\n", status);
+- else
+- INFO(dev, "MAC %pM\n", dev->dev_mac);
+
+ return status;
+ }
--- /dev/null
+From 0ad3bd562bb91853b9f42bda145b5db6255aee90 Mon Sep 17 00:00:00 2001
+From: Jimmy Wang <wangjm221@gmail.com>
+Date: Tue, 14 Dec 2021 09:26:50 +0800
+Subject: USB: NO_LPM quirk Lenovo USB-C to Ethernet Adapher(RTL8153-04)
+
+From: Jimmy Wang <wangjm221@gmail.com>
+
+commit 0ad3bd562bb91853b9f42bda145b5db6255aee90 upstream.
+
+This device doesn't work well with LPM, losing connectivity intermittently.
+Disable LPM to resolve the issue.
+
+Reviewed-by: <markpearson@lenovo.com>
+Signed-off-by: Jimmy Wang <wangjm221@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211214012652.4898-1-wangjm221@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/quirks.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -434,6 +434,9 @@ static const struct usb_device_id usb_qu
+ { USB_DEVICE(0x1532, 0x0116), .driver_info =
+ USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL },
+
++ /* Lenovo USB-C to Ethernet Adapter RTL8153-04 */
++ { USB_DEVICE(0x17ef, 0x720c), .driver_info = USB_QUIRK_NO_LPM },
++
+ /* Lenovo Powered USB-C Travel Hub (4X90S92381, RTL8153 GigE) */
+ { USB_DEVICE(0x17ef, 0x721e), .driver_info = USB_QUIRK_NO_LPM },
+
--- /dev/null
+From 83b67041f3eaf33f98a075249aa7f4c7617c2f85 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 26 Nov 2021 10:43:48 +0100
+Subject: USB: serial: cp210x: fix CP2105 GPIO registration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 83b67041f3eaf33f98a075249aa7f4c7617c2f85 upstream.
+
+When generalising GPIO support and adding support for CP2102N, the GPIO
+registration for some CP2105 devices accidentally broke. Specifically,
+when all the pins of a port are in "modem" mode, and thus unavailable
+for GPIO use, the GPIO chip would now be registered without having
+initialised the number of GPIO lines. This would in turn be rejected by
+gpiolib and some errors messages would be printed (but importantly probe
+would still succeed).
+
+Fix this by initialising the number of GPIO lines before registering the
+GPIO chip.
+
+Note that as for the other device types, and as when all CP2105 pins are
+muxed for LED function, the GPIO chip is registered also when no pins
+are available for GPIO use.
+
+Reported-by: Maarten Brock <m.brock@vanmierlo.com>
+Link: https://lore.kernel.org/r/5eb560c81d2ea1a2b4602a92d9f48a89@vanmierlo.com
+Fixes: c8acfe0aadbe ("USB: serial: cp210x: implement GPIO support for CP2102N")
+Cc: stable@vger.kernel.org # 4.19
+Cc: Karoly Pados <pados@pados.hu>
+Link: https://lore.kernel.org/r/20211126094348.31698-1-johan@kernel.org
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Tested-by: Maarten Brock <m.brock@vanmierlo.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/cp210x.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -1682,6 +1682,8 @@ static int cp2105_gpioconf_init(struct u
+
+ /* 2 banks of GPIO - One for the pins taken from each serial port */
+ if (intf_num == 0) {
++ priv->gc.ngpio = 2;
++
+ if (mode.eci == CP210X_PIN_MODE_MODEM) {
+ /* mark all GPIOs of this interface as reserved */
+ priv->gpio_altfunc = 0xff;
+@@ -1692,8 +1694,9 @@ static int cp2105_gpioconf_init(struct u
+ priv->gpio_pushpull = (u8)((le16_to_cpu(config.gpio_mode) &
+ CP210X_ECI_GPIO_MODE_MASK) >>
+ CP210X_ECI_GPIO_MODE_OFFSET);
+- priv->gc.ngpio = 2;
+ } else if (intf_num == 1) {
++ priv->gc.ngpio = 3;
++
+ if (mode.sci == CP210X_PIN_MODE_MODEM) {
+ /* mark all GPIOs of this interface as reserved */
+ priv->gpio_altfunc = 0xff;
+@@ -1704,7 +1707,6 @@ static int cp2105_gpioconf_init(struct u
+ priv->gpio_pushpull = (u8)((le16_to_cpu(config.gpio_mode) &
+ CP210X_SCI_GPIO_MODE_MASK) >>
+ CP210X_SCI_GPIO_MODE_OFFSET);
+- priv->gc.ngpio = 3;
+ } else {
+ return -ENODEV;
+ }
--- /dev/null
+From 2b503c8598d1b232e7fc7526bce9326d92331541 Mon Sep 17 00:00:00 2001
+From: Daniele Palmas <dnlplm@gmail.com>
+Date: Fri, 10 Dec 2021 11:07:14 +0100
+Subject: USB: serial: option: add Telit FN990 compositions
+
+From: Daniele Palmas <dnlplm@gmail.com>
+
+commit 2b503c8598d1b232e7fc7526bce9326d92331541 upstream.
+
+Add the following Telit FN990 compositions:
+
+0x1070: tty, adb, rmnet, tty, tty, tty, tty
+0x1071: tty, adb, mbim, tty, tty, tty, tty
+0x1072: rndis, tty, adb, tty, tty, tty, tty
+0x1073: tty, adb, ecm, tty, tty, tty, tty
+
+Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
+Link: https://lore.kernel.org/r/20211210100714.22587-1-dnlplm@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1219,6 +1219,14 @@ static const struct usb_device_id option
+ .driver_info = NCTRL(2) | RSVD(3) },
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1063, 0xff), /* Telit LN920 (ECM) */
+ .driver_info = NCTRL(0) | RSVD(1) },
++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1070, 0xff), /* Telit FN990 (rmnet) */
++ .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) },
++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1071, 0xff), /* Telit FN990 (MBIM) */
++ .driver_info = NCTRL(0) | RSVD(1) },
++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1072, 0xff), /* Telit FN990 (RNDIS) */
++ .driver_info = NCTRL(2) | RSVD(3) },
++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1073, 0xff), /* Telit FN990 (ECM) */
++ .driver_info = NCTRL(0) | RSVD(1) },
+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910),
+ .driver_info = NCTRL(0) | RSVD(1) | RSVD(3) },
+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910_DUAL_MODEM),
--- /dev/null
+From ca4d8344a72b91fb9d4c8bfbc22204b4c09c5d8f Mon Sep 17 00:00:00 2001
+From: Xu Yang <xu.yang_2@nxp.com>
+Date: Thu, 9 Dec 2021 18:15:07 +0800
+Subject: usb: typec: tcpm: fix tcpm unregister port but leave a pending timer
+
+From: Xu Yang <xu.yang_2@nxp.com>
+
+commit ca4d8344a72b91fb9d4c8bfbc22204b4c09c5d8f upstream.
+
+In current design, when the tcpm port is unregisterd, the kthread_worker
+will be destroyed in the last step. Inside the kthread_destroy_worker(),
+the worker will flush all the works and wait for them to end. However, if
+one of the works calls hrtimer_start(), this hrtimer will be pending until
+timeout even though tcpm port is removed. Once the hrtimer timeout, many
+strange kernel dumps appear.
+
+Thus, we can first complete kthread_destroy_worker(), then cancel all the
+hrtimers. This will guarantee that no hrtimer is pending at the end.
+
+Fixes: 3ed8e1c2ac99 ("usb: typec: tcpm: Migrate workqueue to RT priority for processing events")
+cc: <stable@vger.kernel.org>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
+Link: https://lore.kernel.org/r/20211209101507.499096-1-xu.yang_2@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/tcpm/tcpm.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -324,6 +324,7 @@ struct tcpm_port {
+
+ bool attached;
+ bool connected;
++ bool registered;
+ bool pd_supported;
+ enum typec_port_type port_type;
+
+@@ -6291,7 +6292,8 @@ static enum hrtimer_restart state_machin
+ {
+ struct tcpm_port *port = container_of(timer, struct tcpm_port, state_machine_timer);
+
+- kthread_queue_work(port->wq, &port->state_machine);
++ if (port->registered)
++ kthread_queue_work(port->wq, &port->state_machine);
+ return HRTIMER_NORESTART;
+ }
+
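Review bot: the if (port->registered) test in this callback is a plain load of a flag that tcpm_unregister_port() clears from another context with a plain store. Marking the accesses with READ_ONCE() here and WRITE_ONCE() at the two stores would document the lockless access and keep data-race tooling quiet; the same applies to the three callbacks that follow.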
+@@ -6299,7 +6301,8 @@ static enum hrtimer_restart vdm_state_ma
+ {
+ struct tcpm_port *port = container_of(timer, struct tcpm_port, vdm_state_machine_timer);
+
+- kthread_queue_work(port->wq, &port->vdm_state_machine);
++ if (port->registered)
++ kthread_queue_work(port->wq, &port->vdm_state_machine);
+ return HRTIMER_NORESTART;
+ }
+
+@@ -6307,7 +6310,8 @@ static enum hrtimer_restart enable_frs_t
+ {
+ struct tcpm_port *port = container_of(timer, struct tcpm_port, enable_frs_timer);
+
+- kthread_queue_work(port->wq, &port->enable_frs);
++ if (port->registered)
++ kthread_queue_work(port->wq, &port->enable_frs);
+ return HRTIMER_NORESTART;
+ }
+
+@@ -6315,7 +6319,8 @@ static enum hrtimer_restart send_discove
+ {
+ struct tcpm_port *port = container_of(timer, struct tcpm_port, send_discover_timer);
+
+- kthread_queue_work(port->wq, &port->send_discover_work);
++ if (port->registered)
++ kthread_queue_work(port->wq, &port->send_discover_work);
+ return HRTIMER_NORESTART;
+ }
+
+@@ -6403,6 +6408,7 @@ struct tcpm_port *tcpm_register_port(str
+ typec_port_register_altmodes(port->typec_port,
+ &tcpm_altmode_ops, port,
+ port->port_altmode, ALTMODE_DISCOVERY_MAX);
++ port->registered = true;
+
+ mutex_lock(&port->lock);
+ tcpm_init(port);
+@@ -6424,6 +6430,9 @@ void tcpm_unregister_port(struct tcpm_po
+ {
+ int i;
+
++ port->registered = false;
++ kthread_destroy_worker(port->wq);
++
+ hrtimer_cancel(&port->send_discover_timer);
+ hrtimer_cancel(&port->enable_frs_timer);
+ hrtimer_cancel(&port->vdm_state_machine_timer);
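Review bot: in tcpm_unregister_port() the worker is now destroyed while the hrtimers can still be armed, so the only thing keeping a callback off the destroyed port->wq is the registered flag, and a callback that has already passed its if (port->registered) test when the flag is cleared can still reach kthread_queue_work() during or after kthread_destroy_worker(). Cancelling the timers once before kthread_destroy_worker() as well (hrtimer_cancel() waits for a running callback) and keeping the existing cancels afterwards, for timers re-armed by flushed work, would close that window.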
+@@ -6435,7 +6444,6 @@ void tcpm_unregister_port(struct tcpm_po
+ typec_unregister_port(port->typec_port);
+ usb_role_switch_put(port->role_sw);
+ tcpm_debugfs_exit(port);
+- kthread_destroy_worker(port->wq);
+ }
+ EXPORT_SYMBOL_GPL(tcpm_unregister_port);
+
--- /dev/null
+From f886d4fbb7c97b8f5f447c92d2dab99c841803c0 Mon Sep 17 00:00:00 2001
+From: Nehal Bakulchandra Shah <Nehal-Bakulchandra.shah@amd.com>
+Date: Wed, 15 Dec 2021 15:02:16 +0530
+Subject: usb: xhci: Extend support for runtime power management for AMD's Yellow carp.
+
+From: Nehal Bakulchandra Shah <Nehal-Bakulchandra.shah@amd.com>
+
+commit f886d4fbb7c97b8f5f447c92d2dab99c841803c0 upstream.
+
+AMD's Yellow Carp platform has few more XHCI controllers,
+enable the runtime power management support for the same.
+
+Signed-off-by: Nehal Bakulchandra Shah <Nehal-Bakulchandra.shah@amd.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211215093216.1839065-1-Nehal-Bakulchandra.shah@amd.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-pci.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -71,6 +71,8 @@
+ #define PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_4 0x161e
+ #define PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_5 0x15d6
+ #define PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_6 0x15d7
++#define PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_7 0x161c
++#define PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_8 0x161f
+
+ #define PCI_DEVICE_ID_ASMEDIA_1042_XHCI 0x1042
+ #define PCI_DEVICE_ID_ASMEDIA_1042A_XHCI 0x1142
+@@ -330,7 +332,9 @@ static void xhci_pci_quirks(struct devic
+ pdev->device == PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_3 ||
+ pdev->device == PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_4 ||
+ pdev->device == PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_5 ||
+- pdev->device == PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_6))
++ pdev->device == PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_6 ||
++ pdev->device == PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_7 ||
++ pdev->device == PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_8))
+ xhci->quirks |= XHCI_DEFAULT_PM_RUNTIME_ALLOW;
+
+ if (xhci->quirks & XHCI_RESET_ON_RESUME)
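Review bot: the AMD condition in xhci_pci_quirks() grows by two more pdev->device == comparisons, and every further Yellow Carp controller needs both a new #define and another line in this chain. A switch on pdev->device, or a small pci_device_id table checked with pci_match_id(), would make the next addition a one-line change and easier to audit against the list of defines.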
--- /dev/null
+From ccc14c6cfd346e85c3ecb970975afd5132763437 Mon Sep 17 00:00:00 2001
+From: Chunfeng Yun <chunfeng.yun@mediatek.com>
+Date: Thu, 9 Dec 2021 10:54:22 +0800
+Subject: usb: xhci-mtk: fix list_del warning when enable list debug
+
+From: Chunfeng Yun <chunfeng.yun@mediatek.com>
+
+commit ccc14c6cfd346e85c3ecb970975afd5132763437 upstream.
+
+There is warning of 'list_del corruption' when enable list debug
+(CONFIG_DEBUG_LIST=y), fix it by using list_del_init()
+
+Fixes: 4ce186665e7c ("usb: xhci-mtk: Do not use xhci's virt_dev in drop_endpoint")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
+Link: https://lore.kernel.org/r/20211209025422.17108-1-chunfeng.yun@mediatek.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-mtk-sch.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-mtk-sch.c
++++ b/drivers/usb/host/xhci-mtk-sch.c
+@@ -781,7 +781,7 @@ int xhci_mtk_check_bandwidth(struct usb_
+
+ ret = xhci_check_bandwidth(hcd, udev);
+ if (!ret)
+- INIT_LIST_HEAD(&mtk->bw_ep_chk_list);
++ list_del_init(&mtk->bw_ep_chk_list);
+
+ return ret;
+ }
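Review bot: list_del_init(&mtk->bw_ep_chk_list) is applied to what the replaced INIT_LIST_HEAD() call shows to be the list head, not an entry, which is unusual enough to need a comment. It unlinks the head from the ring, so the entries still on the list keep consistent prev/next pointers among themselves, which is presumably what silences the CONFIG_DEBUG_LIST check on a later list_del() of an entry. Either say so in a comment, or walk the list with list_for_each_entry_safe() and list_del_init() each entry so the intent is explicit.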
--- /dev/null
+From 8ffea2599f63fdbee968b894eab78170abf3ec2c Mon Sep 17 00:00:00 2001
+From: Naohiro Aota <naohiro.aota@wdc.com>
+Date: Fri, 17 Dec 2021 15:15:45 +0900
+Subject: zonefs: add MODULE_ALIAS_FS
+
+From: Naohiro Aota <naohiro.aota@wdc.com>
+
+commit 8ffea2599f63fdbee968b894eab78170abf3ec2c upstream.
+
+Add MODULE_ALIAS_FS() to load the module automatically when you do "mount
+-t zonefs".
+
+Fixes: 8dcc1a9d90c1 ("fs: New zonefs file system")
+Cc: stable <stable@vger.kernel.org> # 5.6+
+Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
+Reviewed-by: Johannes Thumshirn <jth@kernel.org>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/zonefs/super.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/zonefs/super.c
++++ b/fs/zonefs/super.c
+@@ -1787,5 +1787,6 @@ static void __exit zonefs_exit(void)
+ MODULE_AUTHOR("Damien Le Moal");
+ MODULE_DESCRIPTION("Zone file system for zoned block devices");
+ MODULE_LICENSE("GPL");
++MODULE_ALIAS_FS("zonefs");
+ module_init(zonefs_init);
+ module_exit(zonefs_exit);
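Review bot: MODULE_ALIAS_FS("zonefs") only triggers autoloading if the string matches the name in the driver's file_system_type, which this hunk does not show, so it is worth confirming against that definition. The commit message could also state that mount -t zonefs will now load the module on demand, since that changes behaviour for systems that relied on loading it explicitly.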